• Singularity provides a complete DNS rebinding attack delivery stack:
  • Custom DNS server to rebind DNS name and IP address mapping from the attacker web server address to the target machine address
  • HTTP server to serve HTML pages and JavaScript code to targets and to manage the attacks
  • Several sample attack payloads, ranging from grabbing the home page of a target application to performing remote code execution. These payloads can be easily adapted to perform new and custom attacks.
• Supports concurrent users
• Provides several DNS rebinding strategies, including sequential mapping from the attacker to the target IP address and random mapping, to minimize the impact of IDS/IPS interfering with the attack
• A number of technical controls to maximize the reliability and speed of attacks:
  • Disabling HTTP keep alive, caching, DNS prefetching
  • Aggressive DNS response TTLs
  • Option to use DNS CNAME instead of A records to evade several DNS filtering solutions
  • Near instant rebinding for several browser and OS combinations, using multiple DNS answers and dynamic HTTP port blocking.
• Ability to allocate HTTP servers at startup or dynamically thereafter
  • A convenience feature to avoid restarting Singularity to listen on a different HTTP port.
  • To lay the ground work to attack vulnerable ports discovered after a scan.

• A DNS domain name from a domain registrar such as gandi or namecheap. You need be able to add and edit your own DNS records for your domain.
• A Linux server instance from a hosting provider such as Linode, Amazon AWS, Google Cloud, Microsoft Azure etc.

• A Name: "rebinder", IPv4: "ip.ad.dr.ss"
• NS Name: "dynamic", Hostname: "rebinder.your.domain."

$ cd ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server
$ go build

• Deploy the "html" directory in let's say "~/singularity".
• Deploy the singularity-server binary in "~/singularity".

$ cd ~/
$ mkdir -p singularity/html
$ cp ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server ~/singularity/
$ cp ~/go/src/github.com/nccgroup/singularity/html/* /singularity/html/*

• UDP 53 (DNS)
• TCP 8080 (configurable default port for the manager web interface)
• The port where the vulnerable application is running (e.g. port 3000 for the Ruby on Rails Web Console or port 9333 for VS Code Chrome DevTools)

• AWS: Authorizing Inbound Traffic for Your Linux Instances
• GCP: Using Firewall Rules

• Deploy a local test service with python -c 'import BaseHTTPServer as bhs, SimpleHTTPServer as shs; bhs.HTTPServer(("127.0.0.1", 8080), shs.SimpleHTTPRequestHandler).serve_forever()' from a directory containing some test data files, on your client machine.
• Browse to "http://rebinder.your.domain:8080/manager.html".
• Ensure that the following fields contain the correct information:
  • "Attack Host Domain" e.g. "dynamic.your.domain"
  • "Attack Host" e.g. "ip.ad.dr.ss"
  • "Target Port" e.g. 8080
  • "Attack Payload", "payload-simple-fetch-get.html".
• Click on "Start Attack".
• The content of your victim host directory should be displayed within a few seconds/minutes in an alert box.

• DNS rebinding strategy: DNSRebindFromQueryFirstThenSecond
• Fetch interval (Web interface): 20s
• Target: 127.0.0.1.

• -DNSRebindStrategy string : Specify how to respond to DNS queries from a victim client. The supported strategies are:
  • DNSRebindFromQueryRoundRobin
  • DNSRebindFromQueryFirstThenSecond (default)
  • DNSRebindFromQueryRandom
  • DNSRebindFromQueryMultiA (experimental, requires Linux iptables)
• -HTTPServerPort value : Specify the attacker HTTP Server port that will serve HTML/JavaScript files. Repeat this flag to listen on more than one HTTP port.
• -ResponseIPAddr string : Specify the attacker host IP address that will be rebound to the victim host address using strategy specified by flag -DNSRebingStrategy (default value is 192.168.0.1).
• -ResponseReboundIPAddr string : Specify the victim host IP address that is rebound from the attacker host address (default value is 127.0.0.1).
• -dangerousAllowDynamicHTTPServers Specify if any target can dynamically request Singularity to allocate an HTTP Server on a new port. This feature may be dangerous as it allows opening new ports via the unauthenticated web interface.
• -responseReboundIPAddrtimeOut int : Specify a delay in seconds for which we will keep responding with Rebound IP Address after the last query. After the delay, we will respond with ResponseReboundIPAddr. The default is 300 seconds.

• Basic fetch request (payload-simple-fetch-get.html): This sample payload makes a GET request to the root directory ('/') and shows the server response using the fetch API. The goal of this payload is to function as example request to make additional contributions as easy as possible.
• Basic XHR request (payload-simple-xhr-get.html): Another sample payload to make a GET request to the root directory ('/') and showing the server response using XMLHttpRequest (XHR).
• Chrome DevTools (payload-exposed-chrome-devtools.html): This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on localhost.
• etcd (payload-etcd.html): This payload retrieves the keys and values from the etcd key-value store.
• pyethapp (payload-pyethapp.html): Exploit the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
• Rails Web Console (payload-rails-webconsole.html): Performs a remote code execution (RCE) attack on the Rails Web Console.

• Use the -DNSRebindStrategy DNSRebindFromQueryRandom DNS rebinding strategy instead of the default - DNSRebindStrategy DNSRebindFromQueryFirstThenSecond if you suspect the presence of an IDS in one or more environments that sends several DNS requests to the attack server in addition to the actual target. This will ensure that the target will eventually obtain the required IP address, albeit a bit more slowly.
• Singularity responds with a DNS CNAME instead of an A record if one specifies "localhost" as the target instead of "127.0.0.1". This may work around DNS filtering of responses containing "127.0.0.1", at least on Chrome and Firefox. Chrome & Firefox appear to look at their internal database upon reception of the CNAME record containing "localhost" instead of making another DNS lookup. Chrome populates its DNS cache with both "127.0.0.1" and "::1" in particular. Related: https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-06.
• Similarly, specifying "0.0.0.0" on Mac and Linux, which corresponds to "this host, on any interface" on these platforms may work around some filters/controls.

• Cross-platform compilation: go to "~/singularity/cmd/singularity-server/" and type env GOOS=linux GOARCH=amd64 go build for a Linux build or go build from a mac OS machine for a Mac build.
• The fetch API based attack scripts in the "html" directories will stop after 5 attempts if there are network errors.
• Going to chrome://net-internals/#dns in the Chrome browser is great for debugging.
• Test dig query: dig "s-ip.ad.dr.ss-127.0.0.1-<random_number>--e.dynamic.your.domain" @ip.ad.dr.ss
• sudo ./singularity-server -HTTPServerPort 8080 -HTTPServerPort 8081 -dangerouslyAllowDynamicHTTPServers starts a server on port 8080 and 8081 and enables requesting dynamically one additional HTTP port via the Manager interface.
• Testing a service for a DNS rebinding vulnerability: In an HTTP intercepting proxy such as Portswigger's Burp Suite, replay a request to localhost, replacing the host header value e.g. "localhost" with "attacker.com". If the request is accepted, chances are that you have found a DNS rebinding vulnerability. What you can do after, the impact, depends on the vulnerable application.
• Use the DNSRebindFromQueryMultiA strategy for instant rebinding when supported by the target browser/OS combination and with the tested settings, summarized in the table above.
• The DNSRebindFromQueryMultiA rebinding strategy does not support the "localhost" target value if trying to evade IPS/IDS and DNS filters.

• URLs (in-scope & out-of-scope)
• URLs with parameters (example.com/gallery.php?id=2)
• Intel (emails, social media accounts, amazon buckets etc.)
• Files (pdf, png, xml etc.)
• Secret keys (auth/API keys & hashes)
• JavaScript files & Endpoints present in them
• Strings matching custom regex pattern
• Subdomains & DNS related data

• wayback
• dnsdumpster
• Exporter

• Report bugs
• Develop plugins
• Add more "APIs" for ninja mode
• Give suggestions to make it better
• Fix issues & submit a pull request

burpcommander VERSION: 1.0.1  -  UPDATED: 08/29/2018

 -t, --target [IP Address]           Defaults to 127.0.0.1
 -p, --port  [Port Number]           Defaults to 1337
 -k, --key [API Key]                 If you require an API key specify it here
 -i, --issue-type-id [String]        String to search for.  Example: "1048832"
 -n, --issue-name [String]           String to search for.  Example: "Command Injection"
 -D, --DESCRIPTION                   Returns the description of a requested issue
 -M, --METRICS                       Returns the scan_metrics for a given task_id
 -I, --ISSUES [Optional Number]      Returns the issue_events of a given task_id
 -s, --scan [Complete URL]           Example: https://scantarget.com
 -S, --scan-id [Number]              Returns ScanProgress for a given task_id
 -U, --username [String]             Username to supply for an authenticated scan
 -P, --password [String]             Password to supply for an authenticated scan
 -v, --verbose                       Enables verbose output

./burpcommander.rb -k [API Key] -n "command injection" -D

./burpcommander.rb -s www.youcanattackme.com -U admin -P password

I, [2018-08-29T15:27:09.310594 #18919]  INFO -- : Successfuly initiated task_id: 4 against www.youcanattackme.com

./burpcommander.rb -S 4 -M

{"crawl_requests_made"=>2264,
"crawl_requests_queued"=>0,
"audit_queue_items_completed"=>0,
"audit_queue_items_waiting"=>51,
"audit_requests_made"=>247,
"audit_network_errors"=>10,
"issue_events"=>21}

./burpcommander.rb -S 4 -I 1

{"name"=>"File upload functionality",
"type_index"=>5245312,
"serial_number"=>"6437447914508597248",
"origin"=>"http://www.youcanattackme.com",
"path"=>"/vulnerabilities/upload/",
"severity"=>"info",
"confidence"=>"certain",
"description"=>
"The page contains a form which is used to submit a user-supplied...

• Created To Help Beginners And even Professionals For a eacon Flooding Or Deauthentication Attack On Networks

sudo apt-get install git
sudo git clone https://github.com/TunisianEagles/network-attacker.git
cd network-attacker
sudo chmod +x install.sh
sudo chmod +x network_attacker.sh
./install.sh
./network_attacker.sh

• Backbox linux
• Ubuntu
• Debian
• Kali linux
• Parrot os

• Burpsuite
• Java

Download Jar 'https://github.com/d3vilbug/HackBar/releases/tag/1.0' and add in burpsuite

• Burpsuite 1.7.36
• Windows 10
• xubuntu 18.04

• Ctrl + H (shortcut)
• WAF bypass (SQLi)
• Decoder/Encoder
• Simulate Attack (Automatically test complete cheat sheet with one click)

• An0n 3xPloiTeR https://github.com/Anon-Exploiter/ for SQLi&& XSS payloads
• PayloadsAllTheThings https://github.com/swisskyrepo/PayloadsAllTheThings/

1. PHP >= 5.5.0
2. OpenSSL >= 1.0.1 (XTS support)

# 32 for AES-XTS128-PLAIN64
# 64 for AES-XTS256-PLAIN64
AES_key_length = 32 | 64

AES-password = PBKDF2(algorithm: SHA256,
                      password: user_password,
                      salt: random_salt_1,
                      iterations: 2000,
                      output_length: AES_key_length)

PBKDF2-decrypted-password = AES_decrypt(key_size: AES_key_length,
                                        mode: XTS,
                                        data: random_data
                                        password: AES-password,
                                        type: raw,
                                        iv: NULL)

Stored_hash = PBKDF2(algorithm: SHA256,
                     password: PBKDF2-decrypted-password,
                     salt: random_salt_2,
                     iterations: 2000,
                     output_length: 32)

$ php VBOXDIECracker.php
VirtualBox Disk Image Encryption cracker

Usage: VBOXDIECracker.php disk_image.vbox [wordlist]

$ php VBOXDIECracker.php Encrypted.vbox wordlist.txt
VirtualBox Disk Image Encryption cracker

[+] Reading data from: Encrypted.vbox
----------------------------------------------------------------
[+] Checking hard disk encryption for: Encrypted.vdi
[+] Hard disk is encrypted
[+] KeyStore encoded string:
        U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
        MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAASAniX2ss6TE/u9IdinWigcwAg2bXe
        dJRAjHr5mvCCiSAAAAAntQHDFvSfwpay/jKFVzUWc4GsIJ/RwMg+XkG2b/PDWtAH
        AACKj0qUg37sG7TWmi58n/rcXmWVNt9FqBxGZiz2a+leWNAHAABAAAAA6qVV8nOu
        r58RVxKP0cNRfXyu9D7JqqVAaRfNE3LFdoz4hXxWWWcxjOGBJA/BQ5VuwvrDxO8O
        YpwYgl3yKOcewg==
[+] KeyStore contents:
        Header                        454e4353 (SCNE)
        Version                       1
        Algorithm                     AES-XTS256-PLAIN64
        KDF                           PBKDF2-SHA256
        Key length                    64
        Final hash                    12027897dacb3a4c4feef487629d68a0730020d9b5de7494408c7af99af08289
        PBKDF2 2 Key length           32
        PBKDF2 2 Salt                 27b501c316f49fc296b2fe32855735167381ac209fd1c0c83e5e41b66ff3c35a
        PBKDF2 2 Iterations           2000
        PBKDF2 1 Salt                 8a8f4a94837eec1bb4d69a2e7c9ffadc5e659536df45a81c46662cf66be95e58
        PBKDF2 1 Iterations           2000
        EVP buffer length             64
        PBKDF2 2 encrypted password   eaa555f273aeaf9f1157128fd1c3517d7caef43ec9aaa5406917cd1372c5768c
                                      f8857c565967318ce181240fc143956ec2fac3c4ef0e629c18825df228e71ec2
[+] Cracking finished, measured time: 6.13035 seconds
[!] KeyStore password found: 123
----------------------------------------------------------------
[+] Checking hard disk encryption for: New_Disk.vdi
[-] Hard disk is not encrypted

[*] Exploit Title:       DVR Credentials Exposed 
[*] Date:                09/04/2018
[*] Exploit Author:      Fernandez Ezequiel
[*] DVR-Exploiter By:    Belahsan Ouerghi  
[*] Contact:             www.facebook.com/ouerghi.belahsan
[*] Youtube Tutorial:  https://www.youtube.com/watch?v=vdnATjE_4II
[*] Dorks:                        intitle:"DVR Login"
                                        html:"/login.rsp"
                                       "Server: GNU rsp/1.1"

Novo
CeNova
QSee
Pulnix
XVR 5 in 1 (title: "XVR Login")
Securus,  - Security. Never Compromise !! - 
Night OWL
DVR Login
HVR Login
MDVR Login

$ git clone https://github.com/TunisianEagles/DVR-Exploiter.git
$ cd DVR-Exploiter
$ ./DVR-Exploiter.s

• Don't Forget To Install The Plugin Of The DVR

 _____    _                          _
| ____|__| | __ _  _____      ____ _| |_ ___ _ __
|  _| / _` |/ _` |/ _ \ \ /\ / / _` | __/ _ \ '__|
| |__| (_| | (_| |  __/\ V  V / (_| | ||  __/ |
|_____\__,_|\__, |\___| \_/\_/ \__,_|\__\___|_|
            |___/
 _____    _
| ____|__| | __ _  ___ _ __ ___   __ _ _ __ ___
|  _| / _` |/ _` |/ _ \ '_ ` _ \ / _` | '__/ __|
| |__| (_| | (_| |  __/ | | | | | (_| | | | (__
|_____\__,_|\__, |\___|_| |_| |_|\__,_|_|  \___|
            |___/
 _____            _       _ _
| ____|_  ___ __ | | ___ (_) |_
|  _| \ \/ / '_ \| |/ _ \| | __|
| |___ >  <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
           |_|


                 Edgewater Edgemarc Exploit CVE-2017-6079
                 Coded By: Mostafa Soliman

    [USAGE] CVE-2017-6079.py [operation] [TargetIP] [AttackerIP] [FilePath]
    operation: Either read / upload
    AttackerIP: IP address to receive the connection on
    TargetIP: IP address of the target running Edgewater Edgemarc server
    FilePath:  Remote file to download in case of "read" operation
               Local file to upload in case of "upload" operation

• Version enumerator
• Vulnerability enumerator (based on version)
• Components enumerator (1209 most popular by default)
• Components vulnerability enumerator (based on version)(+1030 exploit)
• Firewall detector
• Reporting to Text & HTML output
• Finding common log files
• Finding common backup files

git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl

Usage: joomscan.pl [options]

--url | -u <URL>                |   The Joomla URL/domain to scan.
--enumerate-components | -ec    |   Try to enumerate components.

--cookie <String>               |   Set cookie.
--user-agent | -a <user-agent>  |   Use the specified User-Agent.
--random-agent | -r             |   Use a random User-Agent.
--timeout <time-out>            |   set timeout.
--about                         |   About Author
--update                        |   Update to the latest version.
--help | -h                     |   This help screen.
--version                       |   Output the current version and exit.

perl joomscan.pl --url www.example.com

perl joomscan.pl -u www.example.com

perl joomscan.pl --url www.example.com --enumerate-components

perl joomscan.pl -u www.example.com --ec

perl joomscan.pl --url www.example.com --cookie "test=demo;"

perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

perl joomscan.pl -u www.example.com --random-agent

perl joomscan.pl --url www.example.com -r

perl joomscan.pl --update

• Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
• Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

• Justin Bui (@youslydawg) - For contributing the SharpSploit.Enumeration.Host.CreateProcessDump() function.
• Matt Graeber (@mattifestation), Will Schroeder (@harmj0y), and Ruben (@FuzzySec) - For their work on PowerSploit.
• Will Schroeder (@harmj0y) - For the PowerView project.
• Alexander Leary (@0xbadjuju) - For the Tokenvator project.
• James Foreshaw (@tiraniddo) - For his discovery of the token duplication UAC bypass technique documented here.
• Matt Nelson (@enigma0x3) - For his Invoke-TokenDuplication implementation of the token duplication UAC bypass, as well his C# shellcode execution method.
• Benjamin Delpy (@gentilkiwi) - For the Mimikatz project.
• Casey Smith (@subtee) - For his work on a C# PE Loader.
• Chris Ross (@xorrior) - For his implementation of a Mimikatz PE Loader found here.
• Matt Graeber (@mattifestation) - For discovery of the AMSI bypass found here.
• Lee Christensen (@tifkin_) - For the discovery of the PowerShell logging bypass found here.
• All the contributors to www.pinvoke.net - For numerous PInvoke signatures.

sudo apt-get install git
sudo git clone https://github.com/TunisianEagles/SocialBox.git
cd SocialBox
chmod +x SocialBox.sh
chmod +x install-sb.sh
./install-sb.sh
./SocialBox.sh

• Backbox linux
• Ubuntu
• Kali linux

• Contact - Belahsan Ouerghi

• facebook : Imad
• gmail : Ha3MrX
• instagram : thelinuxchoice
• Twitter : thelinuxchoice
• SocialBox : Belahsan Ouerghi

• At least the parameters --smtp-server and --to should be given for a minimal test run.
• All parameters can also be stored in configuration files without the prefix --. These configuration files can be used by invoking ./mail-tester.py @tester.conf (configuration contained in tester.conf).
• Multiple recipients can be configured with --to for testing of different filter configurations.
• Some mail filtering solutions may reject messages after a while. Use --auto-delay for automatic throttling of the mails. This can be fine-tuned with --delay-step, --delay-max and --delay.
• Some tests (Spam and Malware) require samples. Put these in directories and configure these directories with --spam-folder and --malware-folder parameters. The samples are not included in this repository (and will not be). Good places to get malware are theZoo, Das Malwerk or other collections. Spam can be exported straight from yout Spam folder, but must be in EML format.
• Blacklists can be supplied with the --blacklist parameter and are used as sender addresses.
• The Shellshock and subject XSS test cases should have a valid backconnect domain, where you are able to see any backconnects (especially DNS requests). The free Canary Tokens service can be used for this purpose. Thanks to Thinkst for providing this awesome service!
• Some neat attachment recognition evasion tricks can be enabled with --evasion content-disposition. These were used in the past to confuse AV/sandboxing solutions and let them pass malicious mails.
• Don't forget to log the test results with --log. Mail filtering providers often reject mails in the SMTP dialog, which is reflected in the generated log.
• Test cases can be dumped with --output as plain files in a directory, in MBox (--mbox) or MailDir (--maildir) format. This is useful to test mail user agents without sending any mails, to document or review generated test cases.

• MailTestBase: Test class for generic tests.
  • generateTestCases(): Yields test messages. These should be generated with the MIME* classes from the Python email.mime.* packages or with the Message class from email.message to ensure valid mail messages.
  • active: Boolean value if test should be active.
  • identifier: Short identifier of the test. This one is used to enable or disable tests in parameters.
  • name: Short test title.
  • description: Longer test description, should fit within approximately 100 characters.
  • delivery_sender and delivery_recipient: Boolean values, False by default. Normally, the sender and recipients are set in the message and the Python SMTP module takes them over from there. Sometimes it is desirable to set them explicitely in the SMTP library, which can be configured by setting this values to True.
  • finalizeMessage(msg): By default, the base test class sets the From and To headers accrodingly. This behaviour can be overridden if required for the test case.
• MailAttachmentTestBase: Test class for attachment test cases. This generates a complete valid mail with a Subject and a text part and attaches the test case to it. Derived from MailTestBase, therefore the methods/variables from it can be overridden here, too.
  • generateAttachments(): Yields test cases as (description, attachment) tuples.
  • subject: Sets the subject. The place holder {} is replaced by the description yielded by generateAttachments().
  • generateTestCases(): is already overridden with an implementation of the message generation described above, but may be further adapted if required.

• BaseEvasionFactory: Evasion factories must be based on this class. Usually, only the following class variables should be set:
  • active: Set to True if the evasion should be active.
  • identifier: Short identifier of the evasion module used for enabling it in the test configuration.
  • name: Short title of the evasion technique.
  • description: Longer description of the evasion technique. Should fit in approximately 100 characters.
  • generator_evasion: Evasion class that is instantiated if the evasion is enabled.
  • generator_default: Evasion class that is instantiated if the evasion is disabled.
• BaseEvasion: Implementation of evasions must be a subclass of this base class. The following method must be overridden:
  • __init__(): Should instantiate the class with the base message or attachment that should be manipulated with evasion techniques.
  • generate(): Apply the evasion technique to the object passed to the constructor and yield it to the caller as (description, object with evasion applied) tuple.

1. Generate the base object (mail or attachment) without consideration of the evasion.
2. Instantiate the appropriate evasion class by utilization of the evasion factory instance from self.evasions, e.g.: evasion_items = self.evasions["evasion_identifier"].getEvasionGenerator(message)
3. Iterate over the generator and yield the test cases:

for evasion_item in evasion_items:
    yield evasion_item

1. Python2.7

2. Protobuf 2.6 or greater
   
3. Pyopenssl 16.2 or greater
   
4. Twisted 10.2 or greater
   
5. Java Development Kit 1.7
   

6. Android Debug Bridge

git clone https://github.com/mwrlabs/drozer/
cd drozer
python setup.py bdist_wheel

sudo pip install drozer-2.x.x-py2-none-any.whl

git clone https://github.com/mwrlabs/drozer/
cd drozer
make deb

sudo dpkg -i drozer-2.x.x.deb

git clone https://github.com/mwrlabs/drozer/
cd drozer
make rpm

sudo rpm -I drozer-2.x.x-1.noarch.rpm

git clone https://github.com/mwrlabs/drozer/
cd drozer
python.exe setup.py bdist_msi

Run dist/drozer-2.x.x.win-x.msi 

selecting f75640f67144d9a3 (unknown sdk 4.1.1)  
dz>

• Encrypt your traffic with AES-128-CBC.
• Protect data integrity by MD5 or CRC32.
• Defense replay attack with an anti-replay window, similar to IPSec and OpenVPN.
• Authenticate mutually, no MITM attacks.

• Multiplexing One client can handle multiple UDP connections, all of which share the same raw connection.
  
• Multiple Clients One server can have multiple clients.
  
• NAT Support All of the 3 modes work in NAT environments.
  
• OpenVZ Support Tested on BandwagonHost.
  
• OpenWRT Support No dependencies, easy to build. Binary for ar71xx are included in release.
  

# Run at server side:
./udp2raw_amd64 -s -l0.0.0.0:4096 -r 127.0.0.1:7777  -a -k "passwd" --raw-mode faketcp

# Run at client side
./udp2raw_amd64 -c -l0.0.0.0:3333  -r44.55.66.77:4096 -a -k "passwd" --raw-mode faketcp

udp2raw-tunnel
version: Aug 18 2017 00:29:11
repository: https://github.com/wangyu-/udp2raw-tunnel

usage:
    run as client : ./this_program -c -l local_listen_ip:local_port -r server_ip:server_port  [options]
    run as server : ./this_program -s -l server_listen_ip:server_port -r remote_ip:remote_port  [options]

common options, these options must be same on both side:
    --raw-mode            <string>        avaliable values:faketcp(default), udp, icmp
    -k, --key              <string>        password to gen symetric key, default:"secret key"
    --cipher-mode         <string>        avaliable values:aes128cbc(default), xor, none
    --auth-mode           <string>        avaliable values:md5(default), crc32, simple, none
    -a, --auto-rule                        auto add (and delete) iptables rule
    -g, --gen-rule                         generate iptables rule then exit
    --disable-anti-replay                 disable anti-replay, not suggested
client options:
    --source-ip           <ip>            force source-ip for raw socket
    --source-port         <port>          force source-port for raw socket, tcp/udp only
                                          this option disables port changing while re-connecting
other options:
    --log-level           <number>        0:never    1:fatal   2:error   3:warn 
                                          4:info (default)     5:debug   6:trace
    --log-position                        enable file name, function name, line number in log
    --disable-color                       disable log color
    --disable-bpf                         disable the kernel space filter, most time its not necessary
                                          unless you suspect there is a bug
    --sock-buf            <number>        buf size for socket, >=10 and <=10240, unit:kbyte, default:1024
    --seqmode             <number>        seq increase mode for faketcp:
                                          0:dont increase
                                          1:increase every packet
                                          2:increase randomly,  about every 3 packets (default)
    --lower-level         <string>        send packet at OSI level 2,  format:'if_name#dest_mac_adress'
                                          ie:'eth0#00:23:45:67:89:b9'.Beta.
    -h, --help                             print this help message

iperf3 -c 10.222.2.1 -P40 
iperf3 -c 10.222.2.1 -P40 -R

• Client Vultr $2.5/monthly plan (single core 2.4GHz cpu, 512MB RAM, Tokyo, Japan)
• Server BandwagonHost $3.99/annually plan (single core 2.0GHz cpu, 128MB RAM, Los Angeles, USA)

1. bypasses UDP block/UDP QOS
   
2. no TCP ovr tcp problem (tcp over tcp problem http://sites.inka.de/bigred/devel/tcp-tcp.html , https://community.openvpn.net/openvpn/ticket/2 )
   
3. openvpn over icmp also becomes a choice
   

yaourt -S udp2raw-tunnel # or
pacaur -S udp2raw-tunnel

• ./Put2win.sh -t 192.168.1.80 -u /uploads -l 192.168.1.10
• ./Put2win.sh -t 192.168.1.80 -p 443 -u /uploads -l 192.168.1.10

• Longitude
• Latitude
• Accuracy
• Altitude - Not always available
• Direction - Only available if user is moving
• Speed - Only available if user is moving

• Operating System
• Platform
• Number of CPU Cores
• Amount of RAM - Approximate Results
• Screen Resolution
• GPU information
• Browser Name and Version
• Public IP Address

• Other tools and services offer IP Geolocation which is not very accurate and does not give location of user.
  
• Generally if a user accepts location permsission, Accuracy of the information recieved is accurate to approximately 30 meters.
  

• Kali Linux 2018.2
• Ubuntu 18.04
• Arch Linux based Distro
• Termux
• Kali Linux (WSL)

git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 install.sh
./install.sh

# After Installation just type seeker in console

# OR using Docker

# Install docker

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

# Build Seeker
cd seeker/
docker build -t seeker .

# Launch seeker
docker run -t --rm seeker

# Install docker

pacman -Syy
pacman -S docker
systemctl start docker.service

# Build Seeker
cd seeker/
docker build -t seeker .

# Launch seeker
docker run -t --rm seeker

cd seeker/termux
chmod 777 install.sh
./install.sh

# After Installation just type seeker in console

If you are unable to get ngrok url that means ngrok is unable to resolve dns, switch to Mobile Data instead of WiFi and it should work, this is a problem with ngrok.

Aircrack-ng is a complete suite of tools to assess WiFi network security.

• Monitoring: Packet capture and export of data to text files for further processing by third party tools.
• Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
• Testing: Checking WiFi cards and driver capabilities (capture and injection).
• Cracking: WEP and WPA PSK (WPA 1 and 2).

All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily Linux but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

Aircrack-ng 1.4

It focuses a lot on code quality and adds a few visible features:

• PMKID cracking
• Crack 802.11w capture files
• Speed and memory usage improvement when loading (large) files with Aircrack-ng and Airdecap-ng
• Packages for Linux distributions and Windows
• Fix building on various platforms
• Improved and tweaked our CI/CD processes
• Using new CI/CD tools for our buildbots and packaging, PyDeployer
• Almost doubled the amount of tests

PMKID

On routers with 802.11i/p/r, the AP can cache an "ID" for the connection so roaming clients don't have to waste frames reauthenticating and just use the PMKID, which helps decrease a bit the latency (from 6 frames to only 2).

Calculation is of the PMKID is done this way:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC)

A big advantage here is that this PMKID is present in the first EAPoL frame of the 4-way handshake.

A few caveats about this attack:

• Sometimes APs send empty PMKID
• It doesn't work on WPA/WPA2 Enterprise networks

When loading a PCAP, Aircrack-ng will detect if it contains a PMKID. In the following screenshot, it is present for the network ogogo, notice the "with PMKID" on the same line:

When selecting the network, it will use it as if it were a regular PCAP with a handshake (and thus the wordlist requirement applies).

If you'd like to test, two capture files with PMKID are available this test files:

• test-pmkid.pcap
• test1.pcap

More details about the attack itself can be found in this post.

More info: https://aircrack-ng.blogspot.com/2018/09/aircrack-ng-14.html

Install

git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng
./autogen.sh
make
make install
cd src/
aircrack-ng

Download Aircrack-ng

• Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines
  
• Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance
  
• Client-Server Architecture: all python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines
  

• Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them
  
• Nothing Written To The Disk: clients never write anything to the disk - not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process
  
• Zero Dependencies (Not Even Python Itself): client runs with just the python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host
  
• Add New Features With Just 1 Click: any python script, module, or package you to copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
  
• Write Your Own Modules: a basic module template is provided in ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process
  
• Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client's file size
  
• Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed
  
• Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into portable executable (Windows) or bundled into an standalone application (macOS)
  
• Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections
  
• Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning
  
• Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
  
• Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected
  

1. Keylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name entered
2. Screenshot (byob.modules.screenshot): take a screenshot of current user’s desktop
3. Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
4. Ransom (byob.modules.ransom): encrypt files & generate random BTC wallet for ransom payment
5. Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
6. Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap file
7. Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
8. Phone (byob.modules.phone): read/search/upload text messages from the client smartphone
9. Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
10. Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
11. Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host

1. Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
2. Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
3. Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
4. Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
5. Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
6. Generators (byob.core.generators): functions which all dynamically generate code for the client generator
7. Database (byob.core.database): handles interaction between command & control server and the SQLite database