Channel: KitPloit - PenTest Tools!

Dumb - A Faster And Flexible Domain Bruteforcer


A tool to bruteforce "dumains"!

How DUMB works:
Dumb works by substituting words into a masked dumain. The dumain can have as many masks as you want, as long as you pass the corresponding wordlists. For example:

Bruteforcing subdumains:
Using the mask DUMB.dumain.com and the following wordlists:
www
ftp
backoffice
Dumb will generate the following dumains for bruteforce:
www.dumain.com
ftp.dumain.com
backoffice.dumain.com
For subdumains, you can pass just dumain.com and dumb will interpret it as DUMB.dumain.com.

Bruteforcing domain endings:
Using the same principle, you can pass as mask dumain.DUMB with the following wordlist:
com
net
org
Dumb will generate the following dumains for bruteforce:
dumain.com
dumain.net
dumain.org

Bruteforcing everything:
To bruteforce everything you can pass the mask as "DUMB.DUMB.DUMB" passing three wordlists:
wordlist1   wordlist2   wordlist3
www         foo         com
ftp         bar         net
Dumb will generate:
www.foo.com
ftp.foo.com
www.bar.com
ftp.bar.com
www.foo.net
ftp.foo.net
www.bar.net
ftp.bar.net

Usage:
Dumb receives the dumain mask as its first parameter, followed by the wordlists. The number of wordlists must match the number of masks in the dumain. For example:
  • One mask:
    $ dumb "DUMB.dumain.com" wordlists/foo.txt
  • Two masks:
    $ dumb "DUMB.dumain.DUMB" wordlists/foo.txt wordlists/bar.txt
  • Several masks:
    $ dumb "DUMB-DUMB-DUMB_DUMB.DUMB.DUMB" wordlists/foo_1.txt ... wordlists/foo_6.txt
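The mask expansion described above, as an added example in Python (this is not Dumb's own Haskell code): each DUMB token is replaced by words from the matching wordlist, the first token varies fastest so the output order matches the README, a bare dumain is treated as DUMB.dumain, and a mask/wordlist count mismatch is rejected. Counting the candidates before resolving anything is the practical use: it tells you how many DNS queries a given mask will send against a zone you are authorised to test. The function names and the sample wordlists are this example's own.

```python
# Added example, not part of the Dumb project: expand a DUMB mask into the
# candidate names the README describes and count them.
import itertools
from typing import List

MASK_TOKEN = "DUMB"


def expand_mask(mask: str, wordlists: List[List[str]]) -> List[str]:
    """Replace each DUMB token in `mask` with words from the matching wordlist.

    The i-th DUMB token (left to right) draws from wordlists[i].  The first
    token varies fastest, reproducing the README ordering
    (www.foo.com, ftp.foo.com, www.bar.com, ...).  A mask without any token
    is treated as "DUMB." + mask, as Dumb does for bare subdumain runs.
    Raises ValueError when the token and wordlist counts differ.
    """
    parts = mask.split(MASK_TOKEN)
    n_tokens = len(parts) - 1
    if n_tokens == 0:
        parts = ["", "." + mask]
        n_tokens = 1
    if n_tokens != len(wordlists):
        raise ValueError(
            f"mask has {n_tokens} {MASK_TOKEN} token(s) but {len(wordlists)} wordlist(s) were given"
        )
    results: List[str] = []
    # itertools.product varies its *last* argument fastest, so feed the lists
    # reversed and flip each tuple back into mask order.
    for combo in itertools.product(*reversed(wordlists)):
        words = combo[::-1]
        name = parts[0] + "".join(word + tail for word, tail in zip(words, parts[1:]))
        results.append(name)
    return results


def candidate_count(mask: str, wordlists: List[List[str]]) -> int:
    """Number of names a mask/wordlist combination would generate."""
    return len(expand_mask(mask, wordlists))


if __name__ == "__main__":
    # Constructed wordlists mirroring the README's three-column table.
    lists = [["www", "ftp"], ["foo", "bar"], ["com", "net"]]
    for candidate in expand_mask("DUMB.DUMB.DUMB", lists):
        print(candidate)
    print(candidate_count("DUMB.DUMB.DUMB", lists), "candidates")
```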

Docker:
If you don't want to build from source, you can use the docker version:
  • docker run -it giovanifss/dumb "DUMB.dumain.com" subdomains.txt
All the wordlists in wordlists/ are inside the Docker container at the filesystem root /, which means you can call dumb passing just the wordlist name:
  • docker run -it giovanifss/dumb "DUMB.dumain.com" (subdomains.txt|subdominios.txt|domain-endings.txt)
To work with local wordlists that aren't present inside the container, you can use docker volumes:
docker run -v local/wordlist.txt:/opt/wordlist.txt -it giovanifss/dumb "DUMB.dumain.com" /opt/wordlist.txt


Building from source:
If you want to build from source you will need stack:
  • Enter the project directory and run $ stack build.
  • To execute:
    $ stack exec dumb "DUMB.dumain.com" wordlists/subdomains.txt
Note that some older versions of stack have problems building the project (the Debian stack package, for example). Make sure you get the latest stack version.

Future features:
Future planned features are:
  • Argument parser support, for better configuration of the tool execution;
  • Post analysis of found dumains, generating statistics and metrics;

Performance:
The tool's performance will depend heavily on your network connection. Usually, it should take less than 10 seconds to finish a subdumain bruteforce with the wordlists/subdomains.txt wordlist.
If you have a good connection and think that the tool is slow, try changing the 1000 in the splitDomains function call, e.g. mapM_ (MP.mapM_ (resolve rs)) (splitDomains 1000 allDomains), to a higher value.
Alternatively, you can change mapM_ (MP.mapM_ (resolve rs)) (splitDomains 1000 allDomains) to MP.mapM_ (resolve rs) allDomains to execute all the requests in parallel.



JoomScan - OWASP Joomla Vulnerability Scanner Project


OWASP JoomScan (short for [Joom]la Vulnerability [Scan]ner) is an open-source project written in Perl to detect and analyse Joomla CMS vulnerabilities.

WHY OWASP JOOMSCAN ?
If you want to do a penetration test on a Joomla CMS, OWASP JoomScan is your best shot! The project is faster than ever and is updated with the latest Joomla vulnerabilities.

INSTALL
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl

JOOMSCAN ARGUMENTS
Usage: joomscan.pl [options]

--url | -u <URL> | The Joomla URL/domain to scan.
--enumerate-components | -ec | Try to enumerate components.

--cookie <String> | Set cookie.
--user-agent | -a <user-agent> | Use the specified User-Agent.
--random-agent | -r | Use a random User-Agent.
--timeout <time-out> | set timeout.
--about | About Author
--update | Update to the latest version.
--help | -h | This help screen.
--version | Output the current version and exit.

OWASP JOOMSCAN EXAMPLES
Do default checks...
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com

Enumerate installed components...
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com -ec

Set cookie
perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
perl joomscan.pl -u www.example.com --random-agent
or
perl joomscan.pl --url www.example.com -r

Update Joomscan...
perl joomscan.pl --update

PROJECT LEADERS
  • Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
  • Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

OWASP JoomScan 0.0.1 introduction (Youtube)



Aragog - Facebook Invalid Email Checker


Aragog is a Python 2.7 script which looks for Facebook accounts that have invalid emails on their account. This script was only created to check Gmail and Hotmail addresses, but in the future it could be further extended with new features.
The attack scenario behind this script is that if the email of the account doesn't exist, the hacker creates a new one matching the Facebook account and performs a password reset. To use the script, put all the email accounts into filename.txt, run the script and enter the name of the mail list. The script will then filter out invalid addresses and only keep Hotmail and Gmail accounts.

Info
This application has only been tested on Kali Linux, but with a few modifications you could easily run it on Windows.

Credits
Created by florianx00


Dotdotslash - A Tool To Help You Search For Directory Traversal Vulnerabilities


A tool to help you search for Directory Traversal Vulnerabilities

Benchmarks
Platforms that I tested to validate tool efficiency:
  • DVWA (low/medium/high)
  • bWAPP (low/medium/high)

Screenshots



Installation
You can download the latest version by cloning this repository:
git clone https://github.com/jcesarstef/dotdotslash/
This tool is made to work with Python 3.

Usage
python3 dotdotslash.py --help

usage: dotdotslash.py [-h] --url URL --string STRING [--cookie COOKIE]

optional arguments:
-h, --help show this help message and exit
--url URL Url to attack.
--string STRING String in --url to attack. Ex: document.pdf
--cookie COOKIE Document cookie.
Example:
python3 dotdotslash.py \
--url "http://192.168.58.101/bWAPP/directory_traversal_1.php?page=a.txt" \
--string "a.txt" \
--cookie "PHPSESSID=089b49151627773d699c277c769d67cb; security_level=3"

Gitleaks - Searches Full Repo History For Secrets And Keys


Searches Full Repo History For Secrets And Keys.

Installing
go get -u github.com/zricethezav/gitleaks

Usage and Explanation
./gitleaks [options] <url/path>
Gitleaks audits local and remote repos by running regex checks against all commits.

Options
usage: gitleaks [options] <URL>/<path_to_repo>

Options:
-u --user Git user mode
-r --repo Git repo mode
-o --org Git organization mode
-l --local Local mode, gitleaks will look for local repo in <path>
-t --temp Clone to temporary directory
-v --verbose Verbose mode, will output leaks as gitleaks finds them
--report-path=<STR> Save report to path, gitleaks default behavior is to save report to pwd
--clone-path=<STR> Gitleaks will clone repos here, default pwd
--concurrency=<INT> Upper bound on concurrent diffs
--since=<STR> Commit to stop at
--b64Entropy=<INT> Base64 entropy cutoff (default is 70)
--hexEntropy=<INT> Hex entropy cutoff (default is 40)
-e --entropy Enable entropy
-h --help Display this message
--token=<STR> Github API token
--stopwords Enables stopwords

Exit Codes
code | explanation
0    | Gitleaks succeeded with no leaks
1    | Gitleaks failed or wasn't attempted due to execution failure
2    | Gitleaks succeeded and leaks were present during the audit
Use these codes to hook gitleaks into whatever pipeline you're running
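To show what a regex-plus-entropy audit of commit content looks like, and how the 0/1/2 exit-code convention above lets it gate a pipeline, here is an added Python example. It is not gitleaks' own code: the credential patterns, the sample diff lines and the entropy thresholds (in bits per character of Shannon entropy, a truffleHog-style scale rather than the 70/40 scale of the --b64Entropy/--hexEntropy flags) are all this example's assumptions.

```python
# Added example, not gitleaks' own code: scan the added lines of a diff for
# fixed-shape credentials and high-entropy tokens, and exit 0/1/2 like gitleaks.
import math
import re
import sys
from typing import Dict, List, Tuple

# Assumed thresholds in bits per character; gitleaks uses its own 70/40 scale.
B64_CUTOFF = 4.5
HEX_CUTOFF = 3.0
B64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")
# Two fixed-shape credential patterns, constructed for this example.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed diff lines ('+' marks an added line, as in `git diff` output).
SAMPLE_DIFF = [
    "+# deployment settings",
    "+AWS_ACCESS_KEY_ID = AKIAEXAMPLE0000TEST1",
    "+SESSION_SECRET = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "+api_key = 0123456789abcdef0123456789abcdef",
    "+placeholder = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "-old_line = removed",
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> List[Dict]:
    """Findings for one line: fixed patterns first, then hex and base64 entropy checks."""
    findings: List[Dict] = []
    flagged: List[str] = []
    for name, rx in PATTERN_RULES.items():
        for m in rx.finditer(line):
            findings.append({"rule": name, "match": m.group(0)})
            flagged.append(m.group(0))
    for m in HEX_RE.finditer(line):
        tok = m.group(0)
        ent = shannon_entropy(tok)
        if ent >= HEX_CUTOFF:
            findings.append({"rule": "high-entropy-hex", "match": tok, "entropy": round(ent, 2)})
            flagged.append(tok)
    for m in B64_RE.finditer(line):
        tok = m.group(0)
        # Hex runs and the fixed patterns are subsets of the base64 alphabet:
        # skip tokens that already produced a finding so nothing is reported twice.
        if any(f in tok for f in flagged):
            continue
        ent = shannon_entropy(tok)
        if ent >= B64_CUTOFF:
            findings.append({"rule": "high-entropy-base64", "match": tok, "entropy": round(ent, 2)})
    return findings


def audit(diff_lines: List[str]) -> Tuple[int, List[Dict]]:
    """Scan only added lines. Exit code: 0 clean, 1 scanner failure, 2 leaks found."""
    try:
        findings: List[Dict] = []
        for lineno, line in enumerate(diff_lines, 1):
            if not line.startswith("+"):
                continue
            for f in scan_line(line[1:]):
                f["line"] = lineno
                findings.append(f)
        return (2 if findings else 0), findings
    except Exception:  # a crash must never look like a clean run
        return 1, []


if __name__ == "__main__":
    code, found = audit(SAMPLE_DIFF)
    for f in found:
        print(f)
    sys.exit(code)
```

Wiring this into CI is the same as with gitleaks itself: fail the job on exit code 2, treat 1 as a broken scanner rather than a clean repository, and never collapse the two into one status.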

Examples
gitleaks
Run audit on current working directory if .git is present
gitleaks --local $HOME/audits/some/repo
Run audit on repo located in HOME/audits/some/repo if .git is present
gitleaks https://github.com/some/repo
Run audit on github.com/some/repo.git and clone repo to
gitleaks --clone-path=$HOME/Desktop/audits https://github.com/some/repo
Run audit on github.com/some/repo.git and clone repo to $HOME/Desktop/audits
gitleaks --temp https://github.com/some/repo
Run audit on github.com/some/repo.git and clone repo to $TMPDIR (this will remove repos after audit is complete)
gitleaks --temp -u https://github.com/some-user
Run audit on all of some-user's repos. Again, the --temp flag will clone all repos into $TMPDIR and remove them after the audit

If you find a valid leak in a repo
Please read the Github article on removing sensitive data from a repository to remove the sensitive information from your history.

Run me with docker
Simply run
docker run --rm --name=gitleaks zricethezav/gitleaks https://github.com/zricethezav/gitleaks
Or build the image yourself to get the latest version:
docker build -t gitleaks .
docker run --rm --name=gitleaks gitleaks https://github.com/zricethezav/gitleaks




Harpoon - CLI Tool For Open Source And Threat Intelligence


OSINT tool, CLI Tool For Open Source And Threat Intelligence

Install
You can simply pip install the tool:
pip3 install git+http://git@github.com/Te-k/harpoon  --process-dependency-links
Optionally, if you want to use the screenshot plugin, you need phantomjs and npm installed:
npm install -g phantomjs
To configure harpoon, run harpoon config and fill in the needed API keys. Then run harpoon config -u to download needed files. Check what plugins are configured with harpoon config -c.

Usage
After configuration the following plugins are available within the harpoon command:
help                Give help on a Harpoon command
safebrowsing Check if the given domain is in Google safe Browsing list
hibp Request Have I Been Pwned API (https://haveibeenpwned.com/)
cache Requests webpage cache from different sources
misp Get information from a MISP server through the API
spyonweb Search in SpyOnWeb through the API
censys Request information from Censys database (https://censys.io/)
shodan Requests Shodan API
vt Request Virus Total API
config Configure Harpoon
fullcontact Requests Full Contact API (https://www.fullcontact.com/)
googl Requests Google url shortener API
ip Gather information on an IP address
twitter Requests Twitter API
asn Gather information on an ASN
robtex Search in Robtex API (https://www.robtex.com/api/)
hunter Request hunter.io information through the API
otx Requests information from AlienVault OTX
crtsh Search in https://crt.sh/ (Certificate Transparency database)
github Request Github information through the API
bitly Request bit.ly information through the API
screenshot Takes a screenshot of a webpage
greynoise Request Grey Noise API
telegram Request information from Telegram through the API
threatgrid Request Threat Grid API
pgp Search for information in PGP key servers
totalhash Request Total Hash API
dns Map DNS information for a domain or an IP
hybrid Requests Hybrid Analysis platform
malshare Requests MalShare database
You can get information on each command with harpoon help COMMAND

Access Keys

CTFR - Get subdomains of an HTTPS website abusing Certificate Transparency logs


Do you miss the AXFR technique? This tool allows you to get the subdomains of an HTTPS website in a few seconds.
How does it work? CTFR uses neither a dictionary attack nor brute force; it just abuses Certificate Transparency logs.
For more information about CT logs, check www.certificate-transparency.org.

Getting Started
Please follow the instructions below to install and run CTFR.

Pre-requisites
Make sure you have installed the following tools:
Python 3.0 or later.
pip3 (sudo apt-get install python3-pip).

Installing
git clone https://github.com/UnaPibaGeek/ctfr.git
cd ctfr
pip3 install -r requirements.txt

Running
python3 ctfr.py --help

Usage
Parameters and examples of use.

Parameters
-d --domain [target_domain] (required)
-o --output [output_file] (optional)

Examples
python3 ctfr.py -d starbucks.com
python3 ctfr.py -d facebook.com -o /home/shei/subdomains_fb.txt
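What CTFR does with the Certificate Transparency data is worth seeing from the owner's side: the same crt.sh lookup that reveals your subdomains also reveals certificates you did not expect to exist. The added Python example below (not CTFR's own code) parses a constructed sample in the shape of crt.sh's JSON output, where name_value carries newline-separated SANs, normalises the names (lowercase, wildcard prefix stripped, anything outside the queried domain dropped), and lists issuers that are not on an allow-list. The sample rows, the domain and the allow-list are invented for the example.

```python
# Added example, not CTFR's own code: turn crt.sh-style JSON into a subdomain
# inventory and an "unexpected issuer" report for a domain you operate.
import json
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (field names as crt.sh returns them; every value below is invented).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nstaging.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com"},
    {"issuer_name": "C=US, O=Example CA Inc, CN=Example Issuing CA", "common_name": "MAIL.example.com",
     "name_value": "MAIL.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def _names(entry: Dict) -> List[str]:
    """Every name a crt.sh row covers: common_name plus each SAN in name_value."""
    raw = [entry.get("common_name", "")] + entry.get("name_value", "").split("\n")
    out: List[str] = []
    for name in raw:
        name = name.strip().lower()
        if name.startswith("*."):  # wildcard cert: keep the base name it covers
            name = name[2:]
        if name:
            out.append(name)
    return out


def _in_domain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def extract_subdomains(raw_json: str, domain: str) -> List[str]:
    """Sorted, de-duplicated names under `domain` seen in CT log entries."""
    domain = domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        for name in _names(entry):
            if _in_domain(name, domain):
                found.add(name)
    return sorted(found)


def unexpected_issuers(raw_json: str, domain: str, allowed_orgs: List[str]) -> Dict[str, int]:
    """Issuer DNs not matching any allowed organisation, with certificate counts."""
    domain = domain.lower()
    counts: Counter = Counter()
    for entry in json.loads(raw_json):
        if not any(_in_domain(n, domain) for n in _names(entry)):
            continue
        issuer = entry.get("issuer_name", "")
        if not any(org.lower() in issuer.lower() for org in allowed_orgs):
            counts[issuer] += 1
    return dict(counts)


if __name__ == "__main__":
    for sub in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(sub)
    print(unexpected_issuers(SAMPLE_CRTSH_JSON, "example.com", ["Let's Encrypt"]))
```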

Screenshot


Author


Python-Rootkit - Python Remote Administration Tool (RAT) To Gain Meterpreter Session


This is a fully undetectable Python RAT which can bypass almost all antivirus and open a backdoor inside any Windows machine, which will establish a reverse https Metasploit connection to your listening machine.

ViRu5 life cycle
  • Bypass all anti-virus.
  • Inject a malicious powershell script into memory.
  • Establish a reverse https connection to attacker machine.
  • Check every 10 seconds and make sure that the connection still exists; if not, it will re-establish a new connection.
  • Add a startup register key to re-connect to the attacker after reboot.

Steps
  • Update viRu5/source.py parameters with your lhost and lport
  • Change source.py name to GoogleChromeAutoLaunch.py
  • Add GoogleChromeAutoLaunch.py, setup.py and your icon as icon.ico to c:\python27 dir
  • From cmd do

    cd c:\python27


    python setup.py py2exe

  • Find the RAT exe file in Dist dir.
  • Bind it with any photo, PDF, Word or other kind of file
  • Send it to the victim
  • Use your social engineering skills to make them open the file
  • You will receive a reverse https Metasploit connection :)

Testing on
  • Windows 7 32bit
  • Windows 7 64bit
  • Windows 8 32bit
  • Windows 8 64bit
  • Windows 8.1 32bit
  • Windows 8.1 64 bit
  • Windows 10 32bit
  • Windows 10 64bit

Disclaimer
This is for educational purposes ONLY. First of all, this code aims to alert people to the security issues of unpatched machines.


sigma - Generic Signature Format for SIEM Systems

Generic Signature Format for SIEM Systems.

What is Sigma?
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and make them shareable with others.
Sigma is for log files what Snort is for network traffic and YARA is for files.
This repository contains:
  • Sigma rule specification in the Wiki
  • Open repository for sigma signatures in the ./rules subfolder
  • A converter that generates searches/queries for different SIEM systems [work in progress]

Hack.lu 2017 Talk

Use Cases
  • Describe a detection method you have discovered in Sigma to make it shareable
  • Share the signature in the appendix of your analysis along with file hashes and C2 servers
  • Share the signature in threat intel communities - e.g. via MISP
  • Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations)
  • Integrate a new log into your SIEM and check the Sigma repository for available rules
  • Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
  • Provide a free or commercial feed for Sigma signatures

Sigma Converter
The converter is currently under development in the devel-sigmac branch of this project. It currently has the following capabilities:
  • Parsing of Sigma rule files
  • Conversion of searches into Elasticsearch and Splunk queries
Planned main features are:
  • Conversion of aggregation expressions (after the pipe character)
  • Output of Kibana JSON configurations
Support for further SIEM solutions can be added by developing a corresponding output backend class.


Why Sigma
Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and building their own searches and dashboards. Some of their searches and correlations are great and very useful, but they lack a standardized format in which they can share their work with others.
Others provide excellent analyses of threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds its way into a repository that is shared, structured and archived.
The lower layers of the OSI model are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the 'smurf attack'. But the higher layers contain numerous applications and protocols with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intellectual property and do not tend to share details on the coverage.
Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone.


Slides
See the first slide deck that I prepared for a private conference in mid January 2017.
Sigma - Make Security Monitoring Great Again

Specification
The specifications can be found in the Wiki.
The current specification is a proposal. Feedback is requested.

Examples
Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)


Sysmon: Remote Thread Creation in LSASS Process


Web Server Access Logs: Web Shell Detection


Sysmon: Web Shell Detection


Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
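To make the rule layout and the converter's job concrete, here is an added Python example that is not part of Sigma or sigmac. It writes a rule in Sigma's title/logsource/detection/condition layout for the last example above (failed logons, Windows Security event 4625, grouped by source workstation), evaluates it against constructed events, and renders the same rule as a Splunk search and as an Elasticsearch query_string. The rule is a dict rather than YAML so no parser is needed; the condition grammar supported (only "selection | count() by FIELD > N"), the threshold of 5, the field names and the exact Splunk/Elasticsearch syntax are this example's assumptions, not sigmac's output.

```python
# Added example, not Sigma's or sigmac's code: a Sigma-shaped rule, a tiny
# evaluator for it, and two query renderings.
import re
from collections import Counter
from typing import Any, Dict, List

# Constructed rule in Sigma's layout (Sigma's real rules are YAML files).
FAILED_LOGON_RULE: Dict[str, Any] = {
    "title": "Suspicious Number of Failed Logons from a Single Source Workstation",
    "status": "experimental",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625},
        "condition": "selection | count() by WorkstationName > 5",
    },
}

# Constructed Windows Security events, already parsed into field/value dicts.
SAMPLE_EVENTS: List[Dict[str, Any]] = (
    [{"EventID": 4625, "WorkstationName": "WKS-01", "TargetUserName": f"user{i}"} for i in range(7)]
    + [{"EventID": 4625, "WorkstationName": "WKS-02", "TargetUserName": "bob"} for _ in range(2)]
    + [{"EventID": 4624, "WorkstationName": "WKS-01", "TargetUserName": "alice"}]
)

# Only the aggregation form "<selection> | count() by <field> <op> <n>" is supported here.
COND_RE = re.compile(r"^(\w+)\s*\|\s*count\(\)\s+by\s+(\w+)\s*([<>]=?)\s*(\d+)$")
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def _parse_condition(rule: Dict[str, Any]):
    cond = rule["detection"]["condition"]
    m = COND_RE.match(cond)
    if not m:
        raise ValueError("unsupported condition: " + cond)
    sel, field, op, n = m.groups()
    return sel, field, op, int(n)


def _allowed(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def matches_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Sigma selection semantics: every field must match; a list value means any-of."""
    return all(event.get(f) in _allowed(v) for f, v in selection.items())


def evaluate(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Groups whose count of selected events trips the condition's threshold."""
    sel, field, op, n = _parse_condition(rule)
    selected = [e for e in events if matches_selection(e, rule["detection"][sel])]
    counts = Counter(e.get(field, "<missing>") for e in selected)
    return {k: v for k, v in counts.items() if OPS[op](v, n)}


def to_splunk(rule: Dict[str, Any]) -> str:
    """Render as a Splunk search (assumed, simplified form of a sigmac backend)."""
    sel, field, op, n = _parse_condition(rule)
    terms = ["(" + " OR ".join(f'{f}="{v}"' for v in _allowed(val)) + ")"
             for f, val in rule["detection"][sel].items()]
    return f'{" ".join(terms)} | stats count by {field} | search count {op} {n}'


def to_elasticsearch(rule: Dict[str, Any]) -> str:
    """Render only the selection as a query_string; the aggregation needs a separate aggs clause."""
    sel, _, _, _ = _parse_condition(rule)
    return " AND ".join("(" + " OR ".join(f'{f}:"{v}"' for v in _allowed(val)) + ")"
                        for f, val in rule["detection"][sel].items())


if __name__ == "__main__":
    print(FAILED_LOGON_RULE["title"])
    print("hits:", evaluate(FAILED_LOGON_RULE, SAMPLE_EVENTS))
    print("splunk:", to_splunk(FAILED_LOGON_RULE))
    print("elasticsearch:", to_elasticsearch(FAILED_LOGON_RULE))
```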


Sigma Toolchain
Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the Sigma library that may be used to integrate Sigma support in other projects. Further, there's merge_sigma.py which merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.


Supported Targets

Requirements
The usage of Sigmac or the underlying library requires Python >= 3.4 and PyYAML.

Installation
It's available on PyPI. Install with:
pip3 install sigmatools

Next Steps
  • Integration of feedback into the rule specifications
  • Integration into Threat Intel Exchanges, e.g. MISP
  • Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

Projects that use Sigma

Credits
This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been derived from blog posts, tweets or other public sources that are referenced in the rules.
Copyright for Tree Image: studiobarcelona / 123RF Stock Photo


Rop-Tool - A Tool To Help You Write Binary Exploits

A tool to help you write binary exploits

OPTIONS
rop-tool v2.4.1
Help you to make binary exploits.

Usage: rop-tool <cmd> [OPTIONS]

Commands :
gadget Search gadgets
patch Patch the binary
info Print info about binary
heap Display heap structure
disassemble Disassemble the binary
search Search on binary
help Print help
version Print version

Try "rop-tool help <cmd>" for more informations about a command.

GADGET COMMAND
Usage : rop-tool gadget [OPTIONS] [FILENAME]

OPTIONS:
--arch, -A Select an architecture (x86, x86-64, arm, arm64)
--all, -a Print all gadgets (even gadgets which are not uniq)
--depth, -d [d] Specify the depth for gadget searching (default is 5)
--flavor, -f [f] Select a flavor (att or intel)
--no-filter, -F Do not apply some filters on gadgets
--help, -h Print this help message
--no-color, -N Do not colorize output

SEARCH COMMAND
Usage : rop-tool search [OPTIONS] [FILENAME]

OPTIONS:
--all-string, -a [n] Search all printable strings of at least [n] caracteres. (default is 6)
--byte, -b [b] Search the byte [b] in binary
--dword, -d [d] Search the dword [d] in binary
--help, -h Print this help message
--no-color, -N Don't colorize output
--qword, -q [q] Search the qword [q] in binary
--raw, -r Open file in raw mode (don't considere any file format)
--split-string, -s [s] Search a string "splited" in memory (which is not contiguous in memory)
--string, -S [s] Search a string (a byte sequence) in binary
--word, -w [w] Search the word [w] in binary

PATCH COMMAND
Usage : rop-tool patch [OPTIONS] [FILENAME]

OPTIONS:
--address, -a [a] Select an address to patch
--bytes, -b [b] A byte sequence (e.g. : "\xaa\xbb\xcc") to write
--filename, -f [f] Specify the filename
--help, -h Print this help message
--offset, -o [o] Select an offset to patch (from start of the file)
--output, -O [o] Write to an another filename
--raw, -r Open file in raw mode

INFO COMMAND
Usage : rop-tool info [OPTIONS] [FILENAME]

OPTIONS:
--all, -a Show all infos
--segments, -l Show segments
--sections, -s Show sections
--syms, -S Show symbols
--filename, -f [f] Specify the filename
--help, -h Print this help message
--no-color, -N Disable colors

HEAP COMMAND
Usage : rop-tool heap [OPTIONS] [COMMAND]

OPTIONS:
--calloc, -C Trace calloc calls
--free, -F Trace free calls
--realloc, -R Trace realloc calls
--malloc, -M Trace malloc calls
--dumpdata, -d Dump chunk's data
--output, -O Output in a file
--help, -h Print this help message
--tmp, -t <d> Specify the writable directory, to dump the library (default: /tmp/)
--no-color, -N Do not colorize output
Short explanation of the heap command's output
Each line corresponds to a malloc chunk, and the heap is dumped after each execution of a heap function (free, malloc, realloc, calloc):
  • addr: the real address of the malloc chunk
  • usr_addr: the address returned by the malloc functions to the user
  • size: the size of the malloc chunk
  • flags: P is PREV_INUSE, M is IS_MMAPPED and A is NON_MAIN_ARENA
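The addr/usr_addr/size/flags columns above come straight from glibc's malloc_chunk header, so here is an added Python example (not rop-tool's code) that decodes them from a raw heap image: the low three bits of the size field are the P/M/A flags, the remainder is the chunk size, and the user pointer sits two words after the chunk address. The heap image is constructed, not dumped from a process, and the walk only handles in-use chunks laid out back to back, which is the case rop-tool's output shows.

```python
# Added example, not rop-tool's code: decode glibc malloc_chunk headers the way
# the heap command's addr / usr_addr / size / flags columns present them.
import struct
from typing import Dict, List

# Flag bits stored in the low three bits of a chunk's size field.
PREV_INUSE = 0x1      # P: previous chunk is in use
IS_MMAPPED = 0x2      # M: chunk was obtained via mmap
NON_MAIN_ARENA = 0x4  # A: chunk belongs to a non-main arena
FLAG_LETTERS = (("P", PREV_INUSE), ("M", IS_MMAPPED), ("A", NON_MAIN_ARENA))


def decode_chunk(addr: int, header: bytes, bits: int = 64) -> Dict[str, object]:
    """Decode the (prev_size, size) header of the chunk located at addr."""
    word = 8 if bits == 64 else 4
    fmt = "<QQ" if bits == 64 else "<II"
    prev_size, raw_size = struct.unpack(fmt, header[: 2 * word])
    flags = "".join(letter if raw_size & bit else "-" for letter, bit in FLAG_LETTERS)
    return {
        "addr": addr,
        "usr_addr": addr + 2 * word,  # pointer handed back by malloc()
        "size": raw_size & ~0x7,      # size with the flag bits cleared
        "flags": flags,
        "prev_size": prev_size,
    }


def walk_heap(heap: bytes, base_addr: int, bits: int = 64) -> List[Dict[str, object]]:
    """Walk consecutive chunks from the start of a heap image until it runs out."""
    word = 8 if bits == 64 else 4
    chunks: List[Dict[str, object]] = []
    off = 0
    while off + 2 * word <= len(heap):
        chunk = decode_chunk(base_addr + off, heap[off:off + 2 * word], bits)
        if chunk["size"] == 0:  # corrupt or unmapped: stop rather than loop forever
            break
        chunks.append(chunk)
        off += int(chunk["size"])
    return chunks


# Constructed 64-bit heap image: two in-use chunks (0x20 and 0x30 bytes) and a top chunk.
SAMPLE_HEAP = (struct.pack("<QQ", 0, 0x21) + b"\0" * 16
               + struct.pack("<QQ", 0, 0x31) + b"\0" * 32
               + struct.pack("<QQ", 0, 0x20fb1) + b"\0" * 16)
SAMPLE_BASE = 0x602000


if __name__ == "__main__":
    for c in walk_heap(SAMPLE_HEAP, SAMPLE_BASE):
        print(f"addr={c['addr']:#x} usr_addr={c['usr_addr']:#x} size={c['size']:#x} flags={c['flags']}")
```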

DISASSEMBLE COMMAND
Usage : rop-tool dis [OPTIONS] [FILENAME]

OPTIONS:
--help, -h Print this help message
--no-color, -N Do not colorize output
--address, -a <a> Start disassembling at address <a>
--offset, -o <o> Start disassembling at offset <o>
--sym, -s <s> Disassemble symbol
--len, -l <l> Disassemble only <l> bytes
--arch, -A <a> Select architecture (x86, x86-64, arm, arm64)
--flavor, -f <f> Change flavor (intel, att)

FEATURES
  • String searching, Gadget searching, patching, info, heap visualization, disassembling
  • Colored output
  • Intel and AT&T flavor
  • Support of ELF, PE and MACH-O binary format
  • Support of big and little endian
  • Support of x86, x86_64, ARM and ARM64 architecture

EXAMPLES
Basic gadget searching
  • rop-tool gadget ./program
Display all gadgets with AT&T syntax
  • rop-tool gadget ./program -f att -a
Search in RAW x86 file
  • rop-tool gadget ./program -A x86
Search a "split" string in the binary
  • rop-tool search ./program -s "/bin/sh"
Search all strings in binary
  • rop-tool search ./program -a
Patch binary at offset 0x1000 with "\xaa\xbb\xcc\xdd" and save as "patched":
  • rop-tool patch ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched
Visualize heap allocation of the /bin/ls command:
  • rop-tool heap /bin/ls
Disassemble 0x100 bytes at address 0x08048452
  • rop-tool dis /bin/ls -l 0x100 -a 0x08048452

SCREENSHOTS
rop-tool gadget /bin/ls


rop-tool search /bin/ls -a


rop-tool search /bin/ls -s "/bin/sh\x00"


rop-tool search /bin/ls -w 0x90


rop-tool heap ./a.out


rop-tool dis ./bin  # Many formats


HOW TO CONTRIBUTE
  • Programming (see TODO file if you need ideas)
  • Report bugs
  • Improve documentation
  • Submit new ideas
  • ...

DEPENDENCIES

AUTHOR
Tosh
tosh -at- t0x0sh
dotorg


Arjun - Tool To Find Hidden GET & POST Parameters


Arjun is a python script for finding hidden GET & POST parameters using regex and bruteforce.

Dependencies
  • requests
  • threading

Usages
Here's how you can scan a webpage for GET parameters:
python arjun.py -u http://example.com/index.php --get
For POST, just use the --post flag. To specify the number of threads you can use the --threads option as follows:
python arjun.py -u http://example.com/index.php --get --threads 4

Here's a screenshot you can fap to:


XBruteForcer - CRM Brute Force Tool (WP, Joomla, DruPal, OpenCart, Magento)


Brute Force Tool: WP , Joomla , DruPal , OpenCart , Magento

Simple brute force script
[1] WordPress (Auto Detect Username)
[2] Joomla
[3] DruPal
[4] OpenCart
[5] Magento
[6] All (Auto Detect CMS)

Usage
Short Form | Long Form   | Description
-l         | --list      | websites list
-p         | --passwords | passwords list

Example
perl XBruteForcer.pl -l list.txt -p passwords.txt

For coloring on Windows, add this line:
use Win32::Console::ANSI;


BUG ?

Installation Linux
git clone https://github.com/Moham3dRiahi/XBruteForcer.git
cd XBruteForcer
perl XBruteForcer.pl -l list.txt -p passwords.txt

Installation Android
Download Termux
cpan install LWP::UserAgent
cpan install HTTP::Request
git clone https://github.com/Moham3dRiahi/XBruteForcer.git
cd XBruteForcer
perl XBruteForcer.pl -l list.txt -p passwords.txt

Installation Windows
Download Perl
Download XBruteForcer
Extract XBruteForcer into Desktop
Open CMD and type the following commands:
cd Desktop/XBruteForcer-master/
perl XBruteForcer.pl -l list.txt -p passwords.txt

Version
Current version is 1.2

What's New
  • speed up
  • Bug fixes
version 1.1
  • Bug fixes


sub6 - Web App Scanner


subdomain take over detector and crawler.

Usage

python sub6.py -i list.txt [-o output.txt] [-s phpinfo.php] [-x 4]
(-o, -s and -x are optional)
[+] Options
-i  input file(s), e.g. twitterdomains.txt (if many, separate them by comma)
-o  output file, e.g. twitterResult.txt
-p  protocol: http or https
-s  suffix, e.g. phpinfo.php (used to look for certain files; CTF mode)
-t  timeout for requests in seconds, e.g. 5
-x  starting index, e.g. 1 (if the script stopped, you can resume it with this)
-X  use a proxy (prompted for)
-R  follow redirects
-H  host injection testing
-O  open redirect testing


Sudohulk - Try Privilege Escalation Changing Sudo Command

This tool changes the sudo command by hooking the execve syscall using ptrace; tested under bash and zsh.

supported architectures:
  • x86_64
  • x86
  • arm

How to use:
$ make
cc -Wall -Wextra -O2 -c -o bin/sh_remotedata.o src/sh_remotedata.c
cc -Wall -Wextra -O2 -c -o bin/sh_string.o src/sh_string.c
cc -Wall -Wextra -O2 -c -o bin/sudohulk.o src/sudohulk.c
cc -Wall -Wextra -O2 -o sudohulk bin/sh_remotedata.o bin/sh_string.o bin/sudohulk.o
$ ./sudohulk
sudohulk [-qdk] PID COMMAND [ARGS]

Options:
-q quit when change a command
-d run in background
-k keep original command line (appending to new)

NOTES:
PID is the PID of the bash or zsh process.
To attach to the current session, use the -d option; for example:
$ ./sudohulk -qd $$ id
running in background, pid:20899
$ sudo ls -lah
[sudo] senha para mmxm:
uid=0(root) gid=0(root) grupos=0(root)

Demo


CredsLeaker - Tool to Display A Powershell Credentials Box


This script will display a PowerShell credentials box that asks the user for their credentials.

The box cannot be closed (except by killing the process) and keeps checking the credentials against the DC. Once they validate, it closes and leaks them to an external web server.


How To:
  1. Start a web server.
  2. Type your server IP and port in the ps1 script.
  3. Execute the batch file.

TODO:
  • Box title should be changed.
  • Different Windows versions have different credential boxes. Needs to be pulled from the WINAPI.


TwLocation - Python Script That Gets Twitter Users' Tweets Location


Python script that gets Twitter users' tweets location

Features
  • Gets Twitter Usernames based on a latitude and longitude
  • Profiles URLs
  • Tweet Latitude and Longitude
  • Google Maps link to Latitude and Longitude

Usage
TwLocation should work on all Linux distros running Python 2.7. First, clone it by entering the following command in the terminal:
git clone https://github.com/UltimateHackers/XSStrike
Now navigate to the TwLocation directory:
cd TwLocation
Now install the requirements with the following command
pip install -r requirements.txt
Edit config.txt and put in your Twitter app keys:
cat config.txt
consumer_key = "XxXxXxxXXXxxxxXXXxXX"
consumer_secret = "xXXXXXXXXxxxxXxXXxxXxxXXxXxXxxxxXxXXxxxXXx"
access_key = "XXXXXXXX-xxXXxXXxxXxxxXxXXxXxXxXxxxXxxxxXxXXxXxxXX"
access_secret = "XxXXXXXXXXxxxXXXxXXxXxXxxXXXXXxXxxXXXXx"
Now you can run TwLocation
python TwLocation.py


E013 - WiFi Password Stealer (For Microsoft Windows)

Linkedin2Username - Generate Username Lists For Companies On LinkedIn (OSINT Tool)


OSINT Tool: Generate username lists from companies on LinkedIn. Works with Python2.
This is a pure web scraper; no API key is required. You use your valid LinkedIn username and password to log in, and it will create several lists of possible username formats for all employees of a company you point it at.
Use an account with a lot of connections, otherwise you'll get crappy results.
Here's what you get:
  • first.last.txt: Usernames like Joe.Schmoe
  • flast.txt: Usernames like JSchmoe
  • firstl.txt: Usernames like JoeS
  • rawnames.txt: Full name like Joe Schmoe
Optionally, the tool will append @domain.xxx to the usernames.

Example
You'll need to provide the tool with LinkedIn's company name. You can find that by looking at the URL for the company's page. It should look something like https://linkedin.com/company/uber-com. It may or may not be as simple as the exact name of the company.
Here's an example to pull all employees of Uber:
$ python linkedin2username.py myname@email.com uber-com
Here's an example to pull a shorter list and append the domain name @uber.com to them:
$ python linkedin2username.py myname@email.com uber-com -d 5 -n 'uber.com'

Full Help
usage: linkedin2username.py [-h] [-p PASSWORD] [-n DOMAIN] [-d DEPTH]
[-s SLEEP]
username company

positional arguments:
username A valid LinkedIn username.
company Company name.

optional arguments:
-h, --help show this help message and exit
-p PASSWORD, --password PASSWORD
Specify your password on in clear-text on the command
line. If not specified, will prompt and not display on
screen.
-n DOMAIN, --domain DOMAIN
Append a domain name to username output. [example: '-n
uber.com' would ouput jschmoe@uber.com]
-d DEPTH, --depth DEPTH
Search depth. If unset, will try to grab them all.
-s SLEEP, --sleep SLEEP
Seconds to sleep between pages. defaults to 3.

Troubleshooting
Sometimes LinkedIn does weird stuff or returns weird results. Sometimes it doesn't like you logging in from new locations. If something looks off, run the tool once or twice more. If it still isn't working, please open an issue.


SpiderFoot 2.12 - Automates OSINT to find out everything possible about your target


SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.

What is OSINT?

OSINT (Open Source Intelligence) is data available in the public domain which might reveal interesting information about your target. This includes DNS, Whois, web pages, passive DNS, spam blacklists, file metadata, threat intelligence lists as well as services like SHODAN, HaveIBeenPwned and more. See the full list of data sources SpiderFoot utilises.

What can I do with SpiderFoot?

The data returned from a SpiderFoot scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities or other sensitive information that can be leveraged during a penetration test, red team exercise or for threat intelligence. Try it out against your own network to see what you might have exposed!

New Modules

The growing number of OSINT sources out there is mind-boggling, and most remain free or at least provide API keys free of charge for low query volumes. In this release, eight new modules have been introduced:
  • SecurityTrails (sfp_securitytrails): One of my favourite recent discoveries, SecurityTrails has truly a shedload of DNS and Whois data that any threat intelligence analyst, security analyst or investigator should look into. This module will query their API for IP addresses, domain names, e-mail addresses and owned netblocks to identify co-hosted sites, domains registered under the same e-mail address and more. An API key is required, however limited free usage is provided. Check out their blog post about the integration.
  • FullContact.com (sfp_fullcontact): FullContact.com has loads of data about people and companies. This module uses their API (API key required) to look up domain names, e-mail addresses and names in an attempt to identify further e-mail addresses and names, but also physical locations and phone numbers.
  • ARIN (sfp_arin): ARIN (American Registry for Internet Numbers) is similar to RIPE (for which SpiderFoot already has a module - sfp_ripe) in that they provide an API to query information about network ranges. But more interestingly from an OSINT perspective, you can query by first and last name, and likewise query by domain name to get affiliated names. This module will take any identified domain name and return a list of human names and ARIN registry data, which will then be scanned by other modules to identify potential e-mail addresses and hostnames. It will also look up any names to identify potential relevant data.
  • Hacked-Emails.com (sfp_hackedemails): Similar to haveibeenpwned.com, hacked-emails.com provides a free service to identify e-mail addresses mentioned in data leaks. This module will query their API for any e-mail address identified during a scan.
  • Citadel.pw (sfp_citadel): As above, citadel.pw provides a way to search a large number of leaks for mention of an e-mail address, which is what this module will do. Thanks to citadel.pw - at - protonmail.com for this contribution and for providing a public API key free of charge!
  • CIRCL.LU (sfp_circllu): CIRCL.LU (Computer Incident Response Center, Luxembourg) provide a free, however upon-request API to query their rich database of historical SSL and DNS data. This module will take hostnames, owned netblocks, IP addresses and domain names and identify further IP addresses and hostnames, plus SSL certificates and co-hosts related to your target.
  • Quad9.net (sfp_quad9): Quad9.net aggregate a number of threat intelligence data sources and integrate them into their resolver, which anyone can point to (9.9.9.9). The resolver will not resolve anything malicious according to the data feeds they have integrated. This module will attempt to resolve identified hostnames, affiliates and co-hosts using 9.9.9.9, and if they fail to resolve there but do resolve using the configured resolver, will report them as malicious.
  • RiskIQ / PassiveTotal (sfp_riskiq): RiskIQ provide a threat intelligence platform with an API (API key required) to query their passive DNS and other data. This module will query their API for any hostname, IP address, domain name or e-mail address identified, and return owned netblocks, further IP addresses, co-hosted sites and domain names also registered by the provided e-mail address (reverse Whois).
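The resolver comparison that the sfp_quad9 module is described as performing, as an added Python example that is not SpiderFoot's own code. It assumes Quad9 signals a blocked name with an NXDOMAIN answer, treats any other failure as inconclusive rather than malicious (so a transient SERVFAIL is not reported), and uses 8.8.8.8 only as a stand-in for "the configured resolver".

```python
import random
import socket
import struct
from typing import Callable, Tuple

QUAD9 = "9.9.9.9"
NOERROR, NXDOMAIN = 0, 3
Lookup = Callable[[str], Tuple[int, int]]  # name -> (rcode, answer count)

def build_a_query(name: str, txid: int) -> bytes:
    """Minimal DNS A query (recursion desired) built with the standard library."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(reply: bytes, txid: int) -> Tuple[int, int]:
    """Return (rcode, answer count); reject a reply whose transaction id does not match."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x0F, ancount

def udp_lookup(server: str, timeout: float = 3.0) -> Lookup:
    """Build a lookup function that queries one resolver over UDP/53."""
    def lookup(name: str) -> Tuple[int, int]:
        txid = random.randrange(0x10000)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_a_query(name, txid), (server, 53))
            reply, _ = s.recvfrom(512)
        return parse_reply(reply, txid)
    return lookup

def classify(name: str, quad9: Lookup, normal: Lookup) -> str:
    """sfp_quad9 rule: fails on Quad9 but resolves on the normal resolver -> flagged."""
    q_rcode, q_ans = quad9(name)
    n_rcode, n_ans = normal(name)
    if q_rcode == NXDOMAIN and n_rcode == NOERROR and n_ans > 0:
        return "blocked-by-quad9"   # what SpiderFoot reports as malicious
    if q_rcode == NXDOMAIN and n_rcode == NXDOMAIN:
        return "nonexistent"        # genuinely absent name, not a block
    if q_rcode == NOERROR and q_ans > 0 and n_rcode == NOERROR and n_ans > 0:
        return "clean"
    return "inconclusive"           # SERVFAIL, empty answer, etc.: retry later

if __name__ == "__main__":
    # Live usage (needs network); 8.8.8.8 is an assumed stand-in for your own resolver.
    print(classify("example.com", udp_lookup(QUAD9), udp_lookup("8.8.8.8")))
```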

Improvements
  • Dockerfile is now using the Alpine Linux base image, plus some other improvements to bring the image down from about 500MB to 90MB. See this tutorial to try it out.
  • Stopped reporting IPv6 addresses from the sfp_ripe module, as it made the malicious modules spin forever on the huge IPv6 address spaces identified. This will be re-visited sometime when IPv6 sees wider adoption.
  • Updated the sfp_robtex module to honor throttling and be more configurable.
  • Improved sfp_ripe’s ability to identify netblocks possibly owned by the target.
  • Handle re-directions when looking for S3 buckets, which will result in many more being found as Amazon returns 30x in many cases, which before was being ignored by SpiderFoot.
  • sfp_whois will now perform Whois lookups for affiliate domains and co-hosted sites.
  • sfp_onioncity updated to use onion.link.

Enhancements / Bug fixes
  • Misc. minor bug fixes, performance improvements and tweaks.


JoomScan 0.0.5 - OWASP Joomla Vulnerability Scanner Project


OWASP JoomScan (short for [Joom]la Vulnerability [Scan]ner) is an open-source project written in Perl that detects and analyses vulnerabilities in the Joomla CMS.

WHY OWASP JOOMSCAN ?
If you want to do a penetration test on a Joomla CMS, OWASP JoomScan is your best shot ever! The project is faster than ever and is kept updated with the latest Joomla vulnerabilities.

INSTALL
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl

JOOMSCAN ARGUMENTS
Usage: joomscan.pl [options]

--url | -u <URL> | The Joomla URL/domain to scan.
--enumerate-components | -ec | Try to enumerate components.

--cookie <String> | Set cookie.
--user-agent | -a <user-agent> | Use the specified User-Agent.
--random-agent | -r | Use a random User-Agent.
--timeout <time-out> | set timeout.
--about | About Author
--update | Update to the latest version.
--help | -h | This help screen.
--version | Output the current version and exit.

OWASP JOOMSCAN EXAMPLES
Do default checks...
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com

Enumerate installed components...
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com -ec

Set cookie
perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
perl joomscan.pl -u www.example.com --random-agent
or
perl joomscan.pl --url www.example.com -r

Update Joomscan...
perl joomscan.pl --update

PROJECT LEADERS
  • Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
  • Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

OWASP JoomScan 0.0.5 [KLOT]
  • Update components database
  • Bug fixed (updating module)
  • Allow start from any path
  • Update backup finder database
  • Update report module
  • Update validate target method 
  • HTTPS improvements
  • Fix issue #11 - Incorrect URL output for HTTPS site
  • Fix issue #12 - Components scan output issues
  • Fix issue #13 - Check a server is live or not!
  • Fix issue #9 - Disable redirectable requests for components finder module
  • A few enhancements

OWASP JoomScan 0.0.1 introduction (Youtube)


