git clone https://github.com/3XPL017/netpwn.git
cd netpwn
chmod +x install
./install

• simple CLI with the ability to run pure Nmap engine
• predefined scans included in the modules
• support Nmap Scripting Engine (NSE)
• TOR support (with proxychains)
• multiple scans at one time
• at this point: 30 modules with 451scan profiles

# Clone this repository
git clone https://github.com/trimstray/sandmap

# Go into the repository
cd sandmap

# Install
./setup.sh install

# Run the app
sandmap

• symlink to bin/sandmap is placed in /usr/local/bin
• man page is placed in /usr/local/man/man8

# shellcheck shell=bash

# Specifies the default destination.
# Examples:
#   - dest="127.0.0.1,8.8.8.8"
dest="127.0.0.1"

# Specifies the extended Nmap parameters.
# Examples:
#   - params="--script ssl-ccs-injection -p 443"
params=""

# Specifies the default output type and path.
# Examples:
#   - report="xml"
report=""

# Specifies the TOR connection.
# Examples:
#   - tor="true"
tor=""

# Specifies the terminal type.
# Examples:
#   - terminal="internal"
terminal="internal"

• nmap
• xterm
• proxychains

• <script_name>.<date>.log - all _logger() function calls are saved in it
• stdout.log - a standard output and errors from the _init_cmd() function are written in it. If you want to redirect the output from command, use the following structure: your_command >>"$_log_stdout" 2>&1 &

|-- LICENSE.md                 # GNU GENERAL PUBLIC LICENSE, Version 3, 29 June 2007
|-- README.md                  # this simple documentation
|-- CONTRIBUTING.md            # principles of project support
|-- .gitignore                 # ignore untracked files
|-- .travis.yml                # continuous integration with Travis CI
|-- setup.sh                   # install sandmap on the system
|-- bin
    |-- sandmap                # main script (init)
|-- doc                        # includes documentation, images and manuals
    |-- man8
        |-- sandmap.8          # man page for sandmap
    |-- img                    # images (eg. gif)
|-- etc                        # contains configuration files
|-- lib                        # libraries, external functions
|-- log                        # contains logs, created after init
|-- modules                    # contains modules
|-- src                        # includes external project files
    |-- helpers                # contains core functions
    |-- import                 # appends the contents of the lib directory
    |-- __init__               # contains the __main__ function
    |-- settings               # contains sandmap settings
|-- templates                  # contains examples and template files
|-- tmp                        # contains temporary files (mktemp)

• Simple for anyone to use: Just type a message, click Encrypt, and go
• Handles messages and file attachments together easily
• End-to-end encryption, performed entirely on the user's machine
• No dependence on any specific intermediary channel - works with any communication method available
• Uses three strong cryptographic algorithms in combination to triple-protect data
• Optional steganography feature for embedding encrypted data within a Jpeg image
• No installation needed - fully portable application can be run from anywhere
• Unencrypted data is never written to disk - unless requested by the user
• Multiple input/output modes for convenient operation

• Open source, written in C++
• AES/Rijndael, Twofish and Serpent ciphers (256-bit keysize variants), cascaded together in CTR mode for triple-encryption of messages and files
• HMAC-SHA-256 for construction of message authentication code
• PBKDF2-HMAC-SHA256 for derivation of separate AES, Twofish and Serpent keys from user-chosen passphrase
• Cryptographically safe pseudo-random number generator ISAAC for production of Initialization Vectors (AES/Twofish/Serpent) and Salts (PBKDF2)

1. Click the button below and follow the instructions

This is the quickest way to get a running instance of Juice Shop! If you have forked this repository, the deploy button will automatically pick up your fork for deployment! As long as you do not perform any DDoS attacks you are free to use any tools or scripts to hack your Juice Shop instance on Heroku!

1. Install node.js
2. Run git clone https://github.com/bkimminich/juice-shop.git (or clone your own fork of the repository)
3. Go into the cloned folder with cd juice-shop
4. Run npm install (only has to be done before first start or when you change the source code)
5. Run npm start
6. Browse to http://localhost:3000

1. Install Docker
2. Run docker pull bkimminich/juice-shop
3. Run docker run --rm -p 3000:3000 bkimminich/juice-shop
4. Browse to http://localhost:3000 (on macOS and Windows browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native docker installation)

If you want to run Juice Shop on a Raspberry Pi 3, there is an unofficial Docker image available at https://hub.docker.com/r/arclight/juice-shop_arm which is based on resin/rpi-raspbian and maintained by @battletux.

1. Install and launch Docker Toolbox
2. Search for juice-shop and click Create to download image and run container
3. Click on the Open icon next to Web Preview to browse to OWASP Juice Shop

1. Install a 64bit node.js on your Windows (or Linux) machine
2. Download juice-shop-<version>_<node-version>_<os>_x64.zip (or .tgz) attached to latest release
3. Unpack and run npm start in unpacked folder
4. Browse to http://localhost:3000

Each packaged distribution includes some binaries for SQLite bound to the OS and node.js version which npm install was executed on.

1. Setup an Amazon Linux AMI instance
2. In Step 3: Configure Instance Details unfold Advanced Details and copy the script below into User Data
3. In Step 6: Configure Security Group add a Rule that opens port 80 for HTTP
4. Launch instance
5. Browse to your instance's public DNS

#!/bin/bash
yum update -y
yum install -y docker
service docker start
docker pull bkimminich/juice-shop
docker run -d -p 80:3000 bkimminich/juice-shop

Technically Amazon could view hacking activity on any EC2 instance as an attack on their AWS infrastructure! We highly discourage aggressive scanning or automated brute force attacks! You have been warned!

1. Open your Azure CLIor login to the Azure Portal, open the CloudShell and then choose Bash (not PowerShell).
2. Create a resource group by running az group create --name <group name> --location <location name, e.g. "East US">
3. Create an app service plan by running az appservice plan create --name <plan name> --resource-group <group name> --sku S1 --is-linux
4. Create a web app with the Juice Shop Docker image by running the following (on one line in the bash shell) az webapp create --resource-group <group name> --plan <plan name>--name <app name> --deployment-container-image-name bkimminich/juice-shop

For more information please refer to the detailed walkthrough with screenshots by @JasonHaley. You can alternatively follow his guide to set up OWASP Juice Shop as an Azure Container Instance.

1. Install Vagrant and Virtualbox
2. Run git clone https://github.com/bkimminich/juice-shop.git (or clone your own fork of the repository)
3. Run cd vagrant && vagrant up
4. Browse to 192.168.33.10

To show the possible impact of XSS, assume you received and (of course) clicked this inconspicuous phishing link and login. Apart from the visual/audible effect, the attacker also installed an input logger to grab credentials! This could easily run on a 3rd party server in real life!
This feature is only available when running a Vagrant box. A recording of the effect is available on Youtube:

This is a deployment-test and sneak-peek instance only! You are not supposed to use this instance for your own hacking endeavours! No guaranteed uptime! Guaranteed stern looks if you break it!

• Björn Kimminich aka bkimminich (Project Leader)
• Jannik Hollenbach aka J12934
• Timo Pagel aka wurstbrot

• Shoeb Patel aka CaptainFreak
• m4l1c3 aka m4l1c3
• Josh Grossman aka tghosth
• Madhur Wadhwa aka madhurw7
• Omer Levi Hevroni aka omerlh
• Jln Wntr aka JlnWntr
• Aashish Singh aka Aashish683
• Greg Guthe aka g-k
• Viktor Lindström aka ViktorLindstrm
• Ingo Bente aka ingben
• Aaron Edwards aka aaron-m-edwards
• Yuvraj aka evalsocket
• Gorka Vicente aka gorkavicente
• Dinis Cruz aka DinisCruz
• Jason Haley aka JasonHaley
• Simon Basset aka simbas
• Ken Friis Larsen aka kfl
• Simon De Lang aka simondel
• battletux aka battletux
• AviD aka avidouglen
• Achim Grimm aka achimgrimm
• Christian Kühn aka cy4n
• Stuart Winter-Tear aka StuartWinterTear
• Manabu Niseki aka ninoseki
• Abhishek bundela aka abhishekbundela
• Joe Butler aka incognitjoe
• Stephen O'Brien aka wayofthepie
• Johanna aka johanna-a
• Alvaro Viebrantz aka alvarowolfx

• Fake bash_history commands (such as ssh, ftp, rsync, scp, mysql, wget, awscli)
• Fake AWS credentials and config files (you required to create fake AWS IAM users with no permissions and generate access keys for them)
• Configuration, backup and connection files such as RDP and VPN
• Fake entries in hosts, ARP table, etc.
• Fake browser history, bookmarks and saved passwords
• Injected fake credentials into LSASS
• Fake registry keys

• Creating honeyfiles and monitoring the access to these traps using go-audit or auditd
• Template based content generator for honeyfiles
• Insert honeybits into AWS config and credentials file
• Insert honeybits into /etc/hosts
• Reading config from a Remote Key/Value Store such as Consul or etcd
• Insert different honeybits into "bash_history", including the following sample commands:
  • ssh (sshpass -p '123456' ssh -p 2222 root@192.168.1.66)
  • ftp (ftp ftp://backup:b123@192.168.1.66:2121)
  • rsync (rsync -avz -e 'ssh -p 2222' root@192.168.1.66:/var/db/backup.tar.gz /tmp/backup.tar.gz)
  • scp (scp -P 2222 root@192.168.1.66:/var/db/backup.tar.gz /tmp/backup.tar.gz)
  • mysql (mysql -h 192.168.1.66 -P 3306 -u dbadmin -p12345 -e "show databases")
  • wget (wget http://192.168.1.66:8080/backup.zip)
  • any custom commands: (nano /tmp/backup/credentials.txt)
  • aws:

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws ec2 describe-instances --profile devops --region us-east-2

• Go Lang 1.7+
• Viper (go get github.com/spf13/viper)
• crypt (go get github.com/xordataexchange/crypt/config)
• go-audit or auditd (if you want to monitor the honeyfiles)

$ go build
$ sudo ./honeybits 

Failed reading remote config. Reading the local config file...
Local config file loaded.

[failed] honeyfile already exists at this path: /tmp/secret.txt
[done] go-audit rule for /home/test/secret.txt is added
[done] honeyfile is created (/home/test/secret.txt)
[done] go-audit rule for /opt/secret.txt is added
[done] sshpass honeybit is inserted
[done] wget honeybit is inserted
[done] ftp honeybit is inserted
[done] rsync honeybit is inserted
[done] scp honeybit is inserted
[done] mysql honeybit is inserted
[failed] aws honeybit already exists
[done] hostsconf honeybit is inserted
[done] awsconf honeybit is inserted
[done] awscred honeybit is inserted
[done] custom honeybit is inserted

• Improve the Content generator
• More traps, including:
  • Beacon documents
  • KeePass file with entries (.kdbx)
  • Database files/backups: SQLite, MySQL
  • Fake security scan results such as Nmap output
  • Binary files with hardcoded IP / credentials
• More network traps
  • Fake PCAP / network traffic containing credentials and etc.
  • Fake ARP Table entries
  • Monitoring network traps using go-audit
• Complete the Windows version (honeybits-win)
• Documentation

• Add a "A" record for the domain "dns1.zhack.ca" that points to "192.99.55.194".
• Add a "A" record for the domain "ns1.zhack.ca" that points to "192.99.55.194".
• Add a "NS" record for the domain "d.zhack.ca" with the value "dns1.zhack.ca".
• Add a "NS" record for the domain "d.zhack.ca" with the value "ns1.zhack.ca".

forever start index.js

echo test12345 | python main.py -f- -d out -t-

python main.py -f- -d in -t TOKEN_THE_FIRST_COMMAND_GAVE_YOU

python main.py -f- -d in -t-

echo test12345 | python main.py -f- -d out -t TOKEN_THE_FIRST_COMMAND_GAVE_YOU

• Reverse Engineering
• Runtime Analysis
• Data Protection (Rest)
• Data Protection (Transit)
• Key Management
• Tampering
• Injection Flaws
• Broken Cryptography
• Memory Management
• URL Scheme Attack
• Social Engineering
• SSL Pinning
• Authentication
• Jailbreak Detection
• Side Channel Data Leaks
• Cloud Misconfiguration
• Crypto Challenges

gcc -Wall -o loader loader.c

vol.py --plugins=$PWD/plugins/ --profile=XXX -f ./vbox.dmp linux_screenshot_xwindows --out-dir /tmp/xwds/

find /tmp/xwds/ -type f -name "*.xwd" -exec convert {} {}.png \;

1. Ubuntu 14.04 LTS - X.Org X Server 1.15.1 (Release Date: 2014-04-13)
   
2. Ubuntu 16-04 LTS - X.Org X Server 1.18.4 (Release Date: 2016-07-19)
   
3. Debian 9 Testing - X.Org X Server 1.19.6 (Release Date: 2017-12-20)
   
4. Kubuntu 18.04 LTS - X.Org X Server 1.19.6 (Release Date: 2017-12-20)
   

1. In order to limit the process to only “drawable” images we select in the volatility plugin only the images with reasonable size.
   
2. This tools works only if Xorg uses software rendering. This is not usually the case on physical machines but it was used by default on the VirtualBox machines we tested.
   
3. Don't forget that you are seamlessly running code extracted from a memory dump. It is probably not difficult for an attacker to tamper the dump and gain code execution on your box. So take the necessary precautions.
   

$ apt-get install nodejs-legacy
$ pip install -r requirements.txt

python whoisleak.py -u securityattack.com.br

Eddy Oliveira
SecurityAttack

• Identify if the backdorized git hook is the pre-push hook or any other
• Drop the backdoorpayload to the specific hook
• Give execution permission

• Checking the current branch: git branch --contains HEAD
• Collecting the remote name of the branch (through git config)
• Collecting the remote url of the remote name (through git config) Then it will check if url is https or ssh.

• Ulisses Castro - 50 ton of backdoors (https://www.slideshare.net/ulissescastro/50-ton-of-backdoors)
• Giovani Silva - Wrote Infection Shell Script

[+] FILE_WITH_KEY.json (Open the Credentials tab and click Create credentials. You want the API key option. Create a server key. It will automatically download as a *.json file)
[+] KEY_FIREBASE_HERE (Open the Firebase Project and click Add Firebase to your web application)
[+] API_SHODAN_KEY

[+] index.html - MY_KEY_MAP
[+] firebase_conf.js - Open the Firebase Project and click Add Firebase to your web application

Access index.html file and run "python fireshodan.py" to fill your database. 
You can see your data now. If you remove any data your map will update automatic.
OBS: If you stop the script the data will continue there

• IDA Pro >= 6.9

• glibc <= 2.27 (x86, x64)

• Heap tracer (malloc/free/calloc/realloc)
• Malloc chunk info
• Multi-arena info (chunks, top, last-remainder)
• Bins info (fastbins, unsortedbin, smallbins y largebins)
• Tcache info (glibc >= 2.26)
• GraphView for linked lists (bins/tcache)
• Magic utils:
  • Unlink merge info
  • Fake fastbin finder
  • House of force helper
  • Useful libc offsets

$ python get_config.py
[*] config.json:

{
  "libc_offsets": {
    "32": {
      "mp_": 1921312,
      "main_arena": 1922976,
    },
    "64": {
      "mp_": 3883648,
      "main_arena": 3886144,
    }
  },
  "libc_version": "2.27"
}

$ ./main_arena_offset
[*] libc version:       2.27
[*] libc file:          /lib/i386-linux-gnu/libc-2.27.so
[*] libc address:       0xf7ceb000
[*] main_arena:         0xf7ec07a0
[*] main_arena offset:  0x1d57a0

$ LD_PRELOAD=./libc_64.so.6 ./main_arena_offset
...

• Daniel García Gutiérrez - @danigargu

• All_In_One.cna v1 - Removed and outdated
  
  • All purpose script to enhance the user's experience with cobaltstrike. Custom menu creation, Logging, Persistence, Enumeration, and 3rd party script integration.
  • Version 2 is currently in development!
• ArtifactPayloadGenerator.cna
  
  • Generates every type of Stageless/Staged Payload based off a HTTP/HTTPS Listener
    
  • Creates /opt/cobaltstrike/Staged_Payloads, /opt/cobaltstrike/Stageless_Payloads
    
• AVQuery.cna
  
  • Queries the Registry with powershell for all AV Installed on the target
    
  • Quick and easy way to get the AV you are dealing with as an attacker
    
  
  
• CertUtilWebDelivery.cna
  
  • Stageless Web Delivery using CertUtil.exe
    
  • Powerpick is used to spawn certutil.exe to download the stageless payload on target and execute with rundll32.exe
    
  
  
• RedTeamRepo.cna
  
  • A common collection of OS commands, and Red Team Tips for when you have no Google or RTFM on hand.
    
  • Script will be updated on occasion, feedback and more inputs are welcomed!
    
  
  
• ProcessColor.cna
  
  • Color coded process listing without the file requirement.
    
  • Thanks to @oldb00t for the original version: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight
    
  
  

• Changed the name from Autopreter to Autopwn™
• System-wide installation (just enter Autopwn in the terminal from any directory!!)
• Added eternalblue exploit

• Metasploit framework
• A linux/unix based system
• ngrok

Please note that ngrok is not not a necessity and is required only for performing over the internet (WAN) attack!

chmod +x Autopwn.sh
./Autopwn.sh

• More exploits to be added
• Windows host support to be added soon

• Homograph attack (both on single and duplicate characters)
• Bitsquat attack
• Hyphenation attack
• Omission attack
• Repetition attack
• Replacement attack
• Subdomain attack
• Transposition attack
• Vowel swap attack
• Addition attack

1. Downloading the pre-compiled binaries for your platform from the latest release page and extracting in a directory of your choosing.
   
2. Downloading and compiling the source code yourself by running the following commands:
   
   • go get -v github.com/netevert/dnsmorph
   • cd /$GOPATH/src/github.com/netevert/dnsmorph
   • go get -v ./...
   • go build

dnsmorph -d domain | -l domains_file [-girv] [-csv | -json]
  -csv
        output to csv
  -d string
        target domain
  -g    geolocate domain
  -i    include subdomain
  -json
        output to json
  -l string
        domain list filepath
  -r    resolve domain
  -v    enable verbosity

./dnsmorph -d amazon.com

./dnsmorph -l domains.txt

./dnsmorph -d staging.amazon.com -i

./dnsmorph -d amazon.com -r

./dnsmorph -d amazon.com -g

./dnsmorph -d amazon.com -r -g -csv
./dnsmorph -d amazon.com -r -g -json

./dnsmorph -d staging.amazon.com -v

READER MODE: python airpydump.py -r [/path/to/.cap/file]
STEALTH MODE: python airpydump.py -i [Monitor Interface] --live
LIVE MODE: python airpydump.py -i [Monitor Interface] --live --curses

[usage] python airpydump.py [arguments]

-h, --help                      prints help manual
-i, --interface=                Monitor Mode Interface to use
-r, --read=                     Read a captured file earlier, e.g. packets.cap
-w, --write=                    Write packets to a file.
-c, --curses                    Utilize curses library to print live packets
-i, --live                      Must be used for stealth and live modes

sudo apt update
sudo apt purge tomoyo-tools
sudo apt full-upgrade
sudo apt autoremove

• Cookies + DOM Storage (HTML 5).
• User preferences (Domain permissions, Proxy settings...).
• Downloads.
• Web forms (Searches, emails, comments..).
• Historial.
• Bookmarks.
• Cache HTML5 Visualization / Extraction (Offline cache).
• visited sites "thumbnails" Visualization / Extraction .
• Addons / Extensions and used paths or urls.
• Browser saved passwords.
• SSL Certificates added as a exception.
• Session data (Webs, reference URLs and text used in forms).
• Visualize live user surfing, Url used in each tab / window and use of forms.