Channel: KitPloit - PenTest Tools!

Twifo-Cli - Get User Information Of A Twitter User


Get user information of a Twitter user!

Install
$ npm install --global twifo-cli
OR
$ sudo npm install --global twifo-cli

Usage
$ Usage: twifo <user-name>

Example:
$ twifo 9gag

Related
  • twifo: API for this tool.
  • quorafy: Get user information of a Quora user.



Sitadel - Web Application Security Scanner


Sitadel is essentially an update of WAScan that makes it compatible with Python >= 3.4. It gives you more flexibility to write new modules and implement new features:
  • Frontend framework detection
  • Content Delivery Network detection
  • Define Risk Level to allow for scans
  • Plugin system
  • Docker image available to build and run

Installation
$ git clone https://github.com/shenril/Sitadel.git
$ cd Sitadel
$ pip install .
$ python sitadel.py --help

Features
  • Fingerprints
    • Server
    • Web Frameworks (CakePHP,CherryPy,...)
    • Frontend Frameworks (AngularJS,MeteorJS,VueJS,...)
    • Web Application Firewall (Waf)
    • Content Management System (CMS)
    • Operating System (Linux,Unix,..)
    • Language (PHP,Ruby,...)
    • Cookie Security
    • Content Delivery Networks (CDN)
  • Attacks:
    • Bruteforce
      • Admin Interface
      • Common Backdoors
      • Common Backup Directory
      • Common Backup File
      • Common Directory
      • Common File
      • Log File
    • Injection
      • HTML Injection
      • SQL Injection
      • LDAP Injection
      • XPath Injection
      • Cross Site Scripting (XSS)
      • Remote File Inclusion (RFI)
      • PHP Code Injection
    • Other
      • HTTP Allow Methods
      • HTML Object
      • Multiple Index
      • Robots Paths
      • Web Dav
      • Cross Site Tracing (XST)
      • PHPINFO
      • .Listing
    • Vulnerabilities
      • ShellShock
      • Anonymous Cipher (CVE-2007-1858)
      • Crime (SPDY) (CVE-2012-4929)
      • Struts-Shock

Example
Simple run
python sitadel http://website.com
Run with risk level DANGEROUS and do not follow redirects
python sitadel http://website.com -r 2 --no-redirect
Run specific modules only, with full verbosity
python sitadel http://website.com -a admin backdoor -f header server -vvv

Run with docker
docker build -t sitadel .
docker run sitadel http://example.com


Pe-Sieve - Recognizes And Dumps A Variety Of Potentially Malicious Implants (Replaced/Injected PEs, Shellcodes, Hooks, In-Memory Patches)


PE-sieve is a light-weight tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. It recognizes and dumps a variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
It detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.

Clone:
Use recursive clone to get the repo together with the submodule:
git clone --recursive https://github.com/hasherezade/pe-sieve.git

Latest builds*:
*These builds are available for testing and may be ahead of the official release:



Malboxes - Builds Malware Analysis Windows VMs So That You Don't Have To


Builds malware analysis Windows virtual machines so that you don't have to.

Requirements
Minimum specs for the build machine
  • At least 5 GB of RAM
  • VT-X extensions strongly recommended

Fedora

dnf install ruby-devel gcc-c++ zlib-devel
vagrant plugin install winrm winrm-fs

Debian

apt install vagrant git python3-pip

Installation

Linux/Unix
  • Install git, vagrant and packer using your distribution’s packaging tool (packer is sometimes called packer-io)
  • pip install malboxes:
    sudo pip3 install git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Windows
Note
Starting with Windows 10, Hyper-V is always running beneath the operating system. Since VT-x must be operated exclusively by a single hypervisor, this causes VirtualBox (and malboxes) to fail. To disable Hyper-V and allow VirtualBox to run, issue the following command in an administrative command prompt, then reboot: bcdedit /set hypervisorlaunchtype off

Using Chocolatey

The following steps assume that you have Chocolatey installed. Otherwise, follow the manual installation procedure.
  • Install dependencies:
    choco install python vagrant packer git virtualbox
  • Refresh the console
    refreshenv
  • Install malboxes:
    pip3 install setuptools
    pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Manually
  • Install VirtualBox, Vagrant and git
  • Install Packer, drop the packer binary in a folder in your user’s PATH like C:\Windows\System32\
  • Install Python 3 (make sure to add Python to your environment variables)
  • Open a console (Windows-Key + cmd)
    pip3 install setuptools
    pip3 install -U git+https://github.com/GoSecure/malboxes.git#egg=malboxes
Usage

Box creation

This creates your base box that is imported in Vagrant. Afterwards you can re-use the same box several times per sample analysis.
Run:
malboxes build <template>
You can also list all supported templates with:
malboxes list
This will build a Vagrant box ready for malware investigation, which you can then include in a Vagrantfile.
For example:
malboxes build win10_64_analyst
The configuration section contains further information about what can be configured with malboxes.

Per analysis instances

malboxes spin win10_64_analyst <name>
This will create a Vagrantfile prepared to use for malware analysis. Move it into a directory of your choice and issue:
vagrant up
By default the local directory will be shared in the VM on the Desktop. This can be changed by commenting the relevant part of the Vagrantfile.
For example:
malboxes spin win7_32_analyst 20160519.cryptolocker.xyz

Configuration

Malboxes' configuration is located in a directory that follows usual operating system conventions:
  • Linux/Unix: ~/.config/malboxes/
  • Mac OS X: ~/Library/Application Support/malboxes/
  • Win 7+: C:\Users\<username>\AppData\Local\malboxes\malboxes\
The file is named config.js and is copied from an example file on first run. The example configuration is documented.

ESXi / vSphere support

Malboxes uses VirtualBox as a back-end by default, but since version 0.3.0 support for ESXi / vSphere has been added. Notes about the steps required for ESXi / vSphere support are available. Since everyone's setup is a little bit different, do not hesitate to open an issue if you encounter a problem, or improve our documentation via a pull request.

Profiles

We are exploring the concept of profiles, which are stored separately from the configuration and can be used to create files, alter the registry or install additional packages. See profile-example.js for an example configuration. This new capability is experimental and subject to change as we experiment with it.

More information


Presentations
malboxes was presented at NorthSec 2016 in a talk titled Applying DevOps Principles for Better Malware Analysis, given by Olivier Bilodeau and Hugo Genesse.


Snyk - CLI And Build-Time Tool To Find & Fix Known Vulnerabilities In Open-Source Dependencies


Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.

Documentation
Full documentation is available on snyk.io

Installation
  1. Install the Snyk utility using npm install -g snyk.
  2. Once installed you will need to authenticate with your Snyk account: snyk auth
For more detail on how to authenticate take a look at the CLI authentication section of the Snyk documentation.

CLI
snyk [options] [command] [package]
Run snyk --help to get a quick overview of all commands or for full details on the CLI read the snyk.io CLI docs.
The package argument is optional. If no package is given, Snyk will run the command against the current working directory, allowing you to test your non-public applications.

Features
  • Find known vulnerabilities by running snyk test on a project either as a one off or as part of your CI process.
  • Fix vulnerabilities using snyk wizard and snyk protect.
    • snyk wizard walks you through finding and fixing known vulnerabilities in your project. Remediation options include configuring your policy file to update, auto patch and ignore vulnerabilities. (npm only)
    • snyk protect your code from vulnerabilities by applying patches and optionally suppressing specific vulnerabilities.
  • Alert: snyk monitor records the state of dependencies and any vulnerabilities on snyk.io so you can be alerted when new vulnerabilities or updates/patches are disclosed that affect your repositories.
  • Prevent new vulnerable dependencies from being added to your project by running snyk test as part of your CI to fail tests when vulnerable Node.js or Ruby dependencies are added.

Docker
Snyk is also provided as a set of Docker images that carry the runtime environment of each package manager. For example, the npm image will carry all of the needed setup to run npm install on the currently running container. Currently there are images for npm, Ruby, Maven, Gradle and SBT.
The images can perform snyk test by default on the specified project which is mounted to the container as a read/write volume, and snyk monitor if the MONITOR environment variable is set when running the docker container. When running snyk monitor with the GENERATE_REPORT environment variable set, an HTML file called snyk_report.html and a CSS file called snyk_report.css will be generated. The image also writes a file called snyk-res.json for internal use and snyk-error.log for errors that we can look at if something goes wrong.
The following environment variables can be used when running the container on docker:
  • SNYK_TOKEN - Snyk API token, obtained from https://snyk.io/account.
  • USER_ID - [OPTIONAL] Current user ID on the host machine. If not provided will take the user ID of the currently running user inside the container. This is used for CI builds such as Jenkins where we are running with a non-privileged user and want to allow the user to access the mounted project folder.
  • MONITOR - [OPTIONAL] If set, tells the image that we want to run snyk monitor after running snyk test.
  • PROJECT_FOLDER - [OPTIONAL] If set, this will cd to the directory inside the mounted project dir to run snyk inside it.
  • ENV_FLAGS - [OPTIONAL] additional environment parameters to pass to snyk test when running the container.
Docker images are tagged according to the package manager runtime they include, the package manager version and the snyk version. The general format of tags is [snyk-version]-[package-manager]-[package-manager-version], or just [package-manager]-[package-manager-version] if we want to use the latest version of snyk. Please see available tags to see the available options.
  • [snyk-version] - The version of snyk that is installed in the image; if the version is omitted it will use the latest version.
  • [package-manager] - One of the available package managers (e.g. npm, mvn, gradle, etc.).
  • [package-manager-version] - The version of the package manager that is installed inside the image.
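A small parser for the tag format just described, added here as an example (it is not part of Snyk's own tooling). It accepts both documented shapes, tolerates a bare package manager such as the page's own `snyk/snyk-cli:npm` where the package-manager version is omitted, and exposes an `is_fully_pinned` check a CI job could use to refuse unpinned images; the version strings used in its test are constructed, not real Snyk releases.

```python
"""Parser for the Snyk Docker image tag format:
[snyk-version]-[package-manager]-[package-manager-version] or
[package-manager]-[package-manager-version].

Added example, not code from Snyk. Version strings in the test are constructed.
"""
import re
from typing import NamedTuple, Optional

# Package manager names as they appear on the page; both "mvn" and "maven" are used there.
KNOWN_PACKAGE_MANAGERS = {"npm", "rubygems", "mvn", "maven", "gradle", "sbt"}

# A version component is dot-separated digits, e.g. 3.5.4 or 0.13.16.
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


class SnykTag(NamedTuple):
    snyk_version: Optional[str]             # None means "latest Snyk"
    package_manager: str
    package_manager_version: Optional[str]  # None when the tag omits it


def parse_tag(tag: str) -> SnykTag:
    """Split a tag into its components, raising ValueError if it does not fit the format."""
    parts = tag.split("-")
    snyk_version = None
    # A leading numeric component can only be the Snyk version, because
    # package-manager names are alphabetic.
    if VERSION_RE.match(parts[0]):
        snyk_version = parts.pop(0)
    if not parts or parts[0] not in KNOWN_PACKAGE_MANAGERS:
        raise ValueError(f"unrecognised package manager in tag {tag!r}")
    package_manager = parts.pop(0)
    pm_version = None
    if parts:
        if len(parts) != 1 or not VERSION_RE.match(parts[0]):
            raise ValueError(f"malformed package-manager version in tag {tag!r}")
        pm_version = parts[0]
    return SnykTag(snyk_version, package_manager, pm_version)


def is_fully_pinned(tag: str) -> bool:
    """True only when both the Snyk version and the package-manager version are fixed."""
    parsed = parse_tag(tag)
    return parsed.snyk_version is not None and parsed.package_manager_version is not None


if __name__ == "__main__":
    for example in ("npm", "maven-3.5.4", "1.2.3-sbt-0.13.16"):  # 1.2.3 is a constructed value
        print(example, parse_tag(example), "pinned" if is_fully_pinned(example) else "floating")
```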
Please see the following examples on how to run Snyk inside docker:

Node.js (npm)
We will need to mount the project root folder when running the image so that Snyk can access the code within the container. The host project folder will be mounted to /project on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for npm:
docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  snyk/snyk-cli:npm test --org=my-org-name

RubyGems
We will need to mount the project root folder when running the image so that Snyk can access the code within the container. The host project folder will be mounted to /project on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for RubyGems:
docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  snyk/snyk-cli:rubygems test --org=my-org-name

Maven 3.5.4
We will need to mount the project root folder when running the image so that Snyk can access the code within the container and mount the local .m2 and .ivy2 folders. The host project folder will be mounted to /project on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for Maven:
docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  -v "/home/user/.m2:/home/node/.m2" \
  -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:maven-3.5.4 test --org=my-org-name

SBT 0.13.16 / SBT 1.0.4
We will need to mount the project root folder when running the image so that Snyk can access the code within the container and mount the local .m2 and .ivy2 folders. The host project folder will be mounted to /project on the container and will be used to read the dependencies file and write results for CI builds. Here are examples of running snyk test and snyk monitor in the image (with the latest version of Snyk) for SBT:
NOTE: the dependency-tree module is required for snyk to process Scala projects. Use version 0.8.2 for SBT 0.13.16 and version 0.9.0 for SBT 1.0.4.
docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  -v "/home/user/.m2:/home/node/.m2" \
  -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:sbt-0.13.16 test --org=my-org-name

docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  -v "/home/user/.m2:/home/node/.m2" \
  -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:sbt-1.0.4 test --org=my-org-name

Gradle 2.8 / Gradle 4.4
We will need to mount the project root folder when running the image so that Snyk can access the code within the container and mount the local .m2 and .ivy2 folders. The host project folder will be mounted to /project on the container and will be used to read the dependencies file and write results for CI builds. Here's an example of running snyk test and snyk monitor in the image (with the latest version of Snyk) for Gradle:
docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  -v "/home/user/.m2:/home/node/.m2" \
  -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:gradle-2.8 test --org=my-org-name

docker run -it \
  -e "SNYK_TOKEN=<TOKEN>" \
  -e "USER_ID=1234" \
  -e "MONITOR=true" \
  -v "<PROJECT_DIRECTORY>:/project" \
  -v "/home/user/.m2:/home/node/.m2" \
  -v "/home/user/.ivy2:/home/node/.ivy2" \
  snyk/snyk-cli:gradle-4.4 test --org=my-org-name


Shed - .NET Runtime Inspector

Shed is an application that allows you to inspect the .NET runtime of a program in order to extract useful information. It can be used to inspect malicious applications in order to get a first general overview of which information is stored in memory once the malware is executed.
Shed is able to:
  • Inject a .NET Assembly in a remote process (both managed and un-managed)
  • Extract all objects stored in the managed heap
  • Print strings stored in memory
  • Save the snapshot of the heap in a JSON format for post-processing
  • Dump all modules that are loaded in memory

Using Shed
Shed is a command line tool. To display all available options run:
shed.exe --help

Inspecting an already running application
In order to inspect an already running process you have to pass the pid to Shed. Example:
Shed.exe --pid 2356

Inspecting a binary
In order to inspect a binary, Shed needs to execute it and attach to it so that it can inspect the runtime. Example:
Shed.exe --exe malware.exe
You can also specify the amount of time (in milliseconds) to wait before suspending the process. This gives the program time to initialize its properties. Example:
Shed.exe --timeout 2000 --exe malware.exe

Injecting an Assembly in a remote process
With Shed it is possible to inject a .NET Assembly into a remote process thanks to the ManagedInjector library. In order to do so, it is necessary to specify the pid of the process and the exe to inject. Once the Assembly is injected, it is possible to activate it by invoking a specific method. The rules to identify the method are inherited from the ManagedInjector project and are the following:
  • You must specify the full method name to invoke (eg. this.is.my.namespace.class.method)
  • You can inject an executable that defines an EntryPoint method to execute (like a Console project)
  • You can define a method with the following signature: <public|private> static void Inject()
For example, to inject the Assembly InjectedAssembly into the process with pid 1234, you have to run Shed with the following command:
shed.exe --pid 1234 --exe InjectedAssembly.dll --inject
With the --method option you can specify a method from InjectedAssembly.exe to invoke.

Dumping options
By default Shed dumps both the heap and the modules. If you want only one of them, specify the --dump-heap option to dump only the objects in the heap, or --dump-modules to dump only the modules.
Dumping the heap can produce a lot of information that is not strictly useful for the analysis. You can filter it by using two files:
  • blacklist.txt: contains the type-name prefixes that must not be logged
  • whitelist.txt: contains the type-name prefixes that must be logged even if blacklisted
For example, if you want to filter out the whole System.IO namespace but you are interested in logging System.IO.MemoryStream, add the first value to blacklist.txt and the second one to whitelist.txt.
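A Python model of the blacklist/whitelist prefix rule just described, added here as an example (it is not Shed's own code; Shed is a .NET tool). The two file contents and the heap objects are constructed sample data, and the snapshot layout is a stand-in, since this page does not describe Shed's real JSON format.

```python
"""Model of Shed's blacklist.txt / whitelist.txt type-name prefix filtering.

Added example; not code from the Shed project. The rule implemented is the one
the documentation states: an object is dropped when its type name starts with a
blacklisted prefix, unless it also starts with a whitelisted prefix. The heap
objects and the two file contents below are constructed sample data.
"""
from typing import Dict, Iterable, List


def load_prefixes(text: str) -> List[str]:
    """One prefix per line; blank lines and lines starting with '#' are ignored."""
    prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            prefixes.append(line)
    return prefixes


def should_log(type_name: str, blacklist: Iterable[str], whitelist: Iterable[str]) -> bool:
    """Whitelist overrides blacklist; anything not blacklisted is always logged."""
    if any(type_name.startswith(prefix) for prefix in whitelist):
        return True
    return not any(type_name.startswith(prefix) for prefix in blacklist)


def filter_heap(objects: Iterable[Dict], blacklist: Iterable[str],
                whitelist: Iterable[str]) -> List[Dict]:
    """Keep only the heap objects whose type name passes should_log()."""
    blacklist = list(blacklist)
    whitelist = list(whitelist)
    return [obj for obj in objects if should_log(obj["type"], blacklist, whitelist)]


# Constructed file contents reproducing the documentation's example:
# drop everything under System.IO, but keep System.IO.MemoryStream.
BLACKLIST_TXT = "System.IO\n# collections are rarely interesting either\nSystem.Collections\n"
WHITELIST_TXT = "System.IO.MemoryStream\n"

# Constructed sample heap snapshot (addresses, types and values are made up).
SAMPLE_HEAP = [
    {"address": "0x02a31000", "type": "System.String", "value": "config.bin"},
    {"address": "0x02a31040", "type": "System.IO.FileStream"},
    {"address": "0x02a31080", "type": "System.IO.MemoryStream"},
    {"address": "0x02a310c0", "type": "System.Collections.Generic.List`1"},
    {"address": "0x02a31100", "type": "Sample.Settings"},
]


def filtered_type_names() -> List[str]:
    """Type names that survive the sample blacklist/whitelist."""
    kept = filter_heap(SAMPLE_HEAP, load_prefixes(BLACKLIST_TXT), load_prefixes(WHITELIST_TXT))
    return [obj["type"] for obj in kept]


if __name__ == "__main__":
    for name in filtered_type_names():
        print(name)
```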

Examples
In the Examples folder you will find three different projects that you can use in order to test Shed. Example:
Shed.exe --exe ..\Examples\ConfigurationSample\ConfigurationSample.exe
When the analysis is completed, Shed will print where you can find the result, as shown below:
[+] Result saved to C:\Shed\Result\7800


Stardox - Github Stargazers Information Gathering Tool


Stardox is an advanced GitHub stargazers information gathering tool. It scrapes GitHub for information and displays it in a list tree view. It can be used for collecting details about the stargazers of your own or someone else's repository.

What data it fetches:
  1. Total repositories
  2. Total stars
  3. Total Followers
  4. Total Following
P.S: Many new things will be added soon.

Gallery
  • Fetching data of repository.
  • List tree view of fetched data.

Getting Started

Steps to setup :
  1. git clone https://github.com/0xprateek/stardox
  2. cd stardox
  3. python ./setup.py install

Starting Stardox :
  1. cd stardox/src
  2. python3 stardox.py
Example Usage: python3 ./stardox.py


Commix v2.7 - Automated All-in-One OS Command Injection And Exploitation Tool


Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used by web developers, penetration testers or even security researchers to test web-based applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Requirements
Python version 2.6.x or 2.7.x is required for running this program.

Installation
Download commix by cloning the Git repository:
git clone https://github.com/commixproject/commix.git commix
Commix comes packaged on the official repositories of the following Linux distributions, so you can use the package manager to install it!
Commix also comes as a plugin, on the following penetration testing frameworks:

Supported Platforms
  • Linux
  • Mac OS X
  • Windows (experimental)

Usage
To get a list of all options and switches use:
python commix.py -h
Q: Where can I check all the available options and switches?
A: Check the 'usage' wiki page.

Usage Examples
Q: Can I get some basic ideas on how to use commix?
A: Just go and check the 'usage examples' wiki page, where there are several test cases and attack scenarios.

Upload Shells
Q: How easily can I upload web-shells on a target host via commix?
A: Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check the 'upload shells' wiki page.

Modules Development
Q: Do you want to increase the capabilities of the commix tool and/or adapt it to your needs?
A: You can easily develop and import your own modules. For more, check the 'module development' wiki page.

Command Injection Testbeds
Q: How can I test or evaluate the exploitation abilities of commix?
A: Check the 'command injection testbeds' wiki page which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.

Exploitation Demos
Q: Is there a place where I can check for demos of commix?
A: If you want to see a collection of demos, about the exploitation abilities of commix, take a look at the 'exploitation demos' wiki page.

Bugs and Enhancements
Q: I found a bug / I have to suggest a new feature! What can I do?
A: For bug reports or enhancements, please open an issue here.

Presentations and White Papers
Q: Is there a place where I can find presentations and/or white papers regarding commix?
A: For presentations and/or white papers published in conferences, check the 'presentations' wiki page.



AutoSploit v3.0 - Automated Mass Exploiter


As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye, but options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.
Operational Security Consideration
Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.
The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

Installation
Installing AutoSploit is very simple, you can find the latest stable release here. You can also download the master branch as a zip or tarball or follow one of the below methods;

Cloning
sudo -s << EOF
git clone https://github.com/NullArray/Autosploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
python2 autosploit.py
EOF

Docker
sudo -s << EOF
git clone https://github.com/NullArray/AutoSploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
cd AutoSploit/Docker
docker network create -d bridge haknet
docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
docker build -t autosploit .
docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
EOF
On any Linux system the following should work;
git clone https://github.com/NullArray/AutoSploit
cd AutoSploit
chmod +x install.sh
./install.sh
AutoSploit is compatible with macOS, however, you have to be inside a virtual environment for it to run successfully. In order to accomplish this employ/perform the below operations via the terminal or in the form of a shell script.
sudo -s << '_EOF'
pip2 install virtualenv --user
git clone https://github.com/NullArray/AutoSploit.git
virtualenv <PATH-TO-YOUR-ENV>
source <PATH-TO-YOUR-ENV>/bin/activate
cd <PATH-TO-AUTOSPLOIT>
pip2 install -r requirements.txt
chmod +x install.sh
./install.sh
python autosploit.py
_EOF
More information on running Docker can be found here

Usage
Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.
1. Usage And Legal
2. Gather Hosts
3. Custom Hosts
4. Add Single Host
5. View Gathered Hosts
6. Exploit Gathered Hosts
99. Quit
Choosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache, for example, and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.
As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I've posted the options below as well for reference.
usage: python autosploit.py -[c|z|s|a] -[q] QUERY
[-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH
[--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
[--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

optional arguments:
-h, --help show this help message and exit

search engines:
possible search engines to use

-c, --censys use censys.io as the search engine to gather hosts
-z, --zoomeye use zoomeye.org as the search engine to gather hosts
-s, --shodan use shodan.io as the search engine to gather hosts
-a, --all search all available search engines to gather hosts

requests:
arguments to edit your requests

--proxy PROTO://IP:PORT
run behind a proxy while performing the searches
--random-agent use a random HTTP User-Agent header
-P USER-AGENT, --personal-agent USER-AGENT
pass a personal User-Agent to use for HTTP requests
-q QUERY, --query QUERY
pass your search query

exploits:
arguments to edit your exploits

-E PATH, --exploit-file PATH
provide a text file to convert into JSON and save for
later use
-C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
set the configuration for MSF (IE -C default 127.0.0.1
8080)
-e, --exploit start exploiting the already gathered hosts

misc arguments:
arguments that don't fit anywhere else

--ruby-exec if you need to run the Ruby executable with MSF use
this
--msf-path MSF-PATH pass the path to your framework if it is not in your
ENV PATH
--whitelist PATH only exploit hosts listed in the whitelist file

Dependencies
Note: All dependencies should be installed using the above installation method, however, if you find they are not:
AutoSploit depends on the following Python2.7 modules.
requests
psutil
Should you find you do not have these installed get them with pip like so.
pip install requests psutil
or
pip install -r requirements.txt
Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.


Faraday v3.5 - Collaborative Penetration Test and Vulnerability Management Platform


Here are the main new features and improvements in Faraday v3.5:

New vulnerability form
We are happy to introduce our new vulnerability form, which makes creating and editing vulnerabilities easier. The new form uses tabs to keep it compact and to group related fields.

Custom fields
Add your own custom fields to your vulnerabilities. We currently support str, int and list types. You can also use these fields in your Executive Reports.

2nd-factor authentication
We added optional 2nd-factor authentication. You can use any mobile authenticator application with it.



Recaf - A Modern Java Bytecode Editor

Recaf is an open-source Java bytecode editor built on top of Objectweb's ASM. ASM is a bytecode manipulation library that abstracts away the constant pool and a few other class-file attributes. Since keeping track of the constant pool and managing proper stack frames are no longer necessary, complex changes can be made with relative ease. With additional features to assist in the process of editing classes, Recaf is the most feature-rich free bytecode editor available.

Useful Information

While ASM makes bytecode manipulation very simple, it does not mean you should dive head-first into editing compiled Java programs without understanding some basic programming concepts and the Java class file architecture. Here are some references for these topics:


For screenshots check the screenshots directory. They appear throughout the documentation as well.

Libraries used:


    dnSpy - .NET Debugger And Assembly Editor

    $
    0
    0

    dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available.
    Want to say thanks? Click the star at the top of the page. Or fork dnSpy and send a PR!
    The following pictures show dnSpy in action. It shows dnSpy editing and debugging a .NET EXE file, not source code.


    Features
    • Debug .NET Framework, .NET Core and Unity game assemblies, no source code required
    • Edit assemblies in C# or Visual Basic or IL, and edit all metadata
    • Light and dark themes
    • Extensible, write your own extension
    • High DPI support (per-monitor DPI aware)
    • And much more, see below
    dnSpy uses the ILSpy decompiler engine and the Roslyn (C# / Visual Basic) compiler and many other open source libraries, see below for more info.

    Debugger
    • Debug .NET Framework, .NET Core and Unity game assemblies, no source code required
    • Set breakpoints and step into any assembly
    • Locals, watch, autos windows
    • Variables windows supports saving variables (eg. decrypted byte arrays) to disk or view them in the hex editor (memory window)
    • Object IDs
    • Multiple processes can be debugged at the same time
    • Break on module load
    • Tracepoints and conditional breakpoints
    • Export/import breakpoints and tracepoints
    • Call stack, threads, modules, processes windows
    • Break on thrown exceptions (1st chance)
    • Variables windows support evaluating C# / Visual Basic expressions
    • Dynamic modules can be debugged (but not dynamic methods due to CLR limitations)
    • Output window logs various debugging events, and it shows timestamps by default :)
    • Assemblies that decrypt themselves at runtime can be debugged, dnSpy will use the in-memory image. You can also force dnSpy to always use in-memory images instead of disk files.
    • Public API, you can write an extension or use the C# Interactive window to control the debugger

    Assembly Editor
    • All metadata can be edited
    • Edit methods and classes in C# or Visual Basic with IntelliSense, no source code required
    • Add new methods, classes or members in C# or Visual Basic
    • IL editor for low level IL method body editing
    • Low level metadata tables can be edited. This uses the hex editor internally.

    Hex Editor
    • Click on an address in the decompiled code to go to its IL code in the hex editor
    • Reverse of above, press F12 in an IL body in the hex editor to go to the decompiled code or other high level representation of the bits. It's great to find out which statement a patch modified.
    • Highlights .NET metadata structures and PE structures
    • Tooltips shows more info about the selected .NET metadata / PE field
    • Go to position, file, RVA
    • Go to .NET metadata token, method body, #Blob / #Strings / #US heap offset or #GUID heap index
    • Follow references (Ctrl+F12)

    Other
    • BAML decompiler
    • Blue, light and dark themes (and a dark high contrast theme)
    • Bookmarks
    • C# Interactive window can be used to script dnSpy
    • Search assemblies for classes, methods, strings etc
    • Analyze class and method usage, find callers etc
    • Multiple tabs and tab groups
    • References are highlighted, use Tab / Shift+Tab to move to next reference
    • Go to entry point and module initializer commands
    • Go to metadata token or metadata row commands
    • Code tooltips (C# and Visual Basic)
    • Export to project

    List of other open source libraries used by dnSpy
    • ILSpy decompiler engine (C# and Visual Basic decompilers)
    • Roslyn (C# and Visual Basic compilers)
    • dnlib (.NET metadata reader/writer which can also read obfuscated assemblies)
    • VS MEF (Faster MEF equals faster startup)
    • ClrMD (Access to lower level debugging info not provided by the CorDebug API)



    Tyton - Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+



    Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.
    For more information, visit Tyton's website.

    Detected Attacks

    • Hidden Modules
    • Syscall Table Hooking
    • Network Protocol Hooking
    • Netfilter Hooking
    • Zeroed Process Inodes
    • Process Fops Hooking
    • Interrupt Descriptor Table Hooking

    Additional Features
    Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon is included that monitors the journald log and displays alerts to the user via libnotify. Notifications are enabled after install through XDG autostart, so if your DM does not support /etc/xdg/autostart they will fail to start.
    DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

    Installing

    Dependencies
    • Linux Kernel 4.4.0-31 or greater
    • Corresponding Linux Kernel Headers
    • GCC
    • Make
    • Libnotify
    • Libsystemd
    • Package Config
    • GTK3

    From Source

    Ubuntu/Debian/Kali
    1. sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
    2. git clone https://github.com/nbulischeck/tyton.git
    3. cd tyton
    4. make
    5. sudo insmod tyton.ko
    Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

    Arch
    1. sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
    2. git clone https://github.com/nbulischeck/tyton.git
    3. cd tyton
    4. make
    5. sudo insmod tyton.ko
    Note: It's recommended to install Tyton through the AUR so you can benefit from DKMS.

    Fedora/CentOS
    1. dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
    2. git clone https://github.com/nbulischeck/tyton.git
    3. cd tyton
    4. make
    5. sudo insmod tyton.ko

    Kernel Module Arguments
    The kernel module can be passed a specific timeout argument on insertion through the command line.
    To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

    AUR
    Tyton is available on the AUR here.
    You can install it using the AUR helper of your choice:
    • yaourt -S tyton-dkms-git
    • yay -S tyton-dkms-git
    • pakku -S tyton-dkms-git


    Remot3d - An Simple Exploit for PHP Language


    The tool creates a backdoor in an instant; the backdoor can then be used remotely via a Linux terminal on the server that runs the PHP program.
    Made to bypass disabled functions on the server, especially for reading sensitive files such as /etc/passwd.




    List of Remot3d Functions
    • Create a backdoor for Windows or Linux servers (that can run PHP files)
    • Bypass disabled functions with the imap_open vulnerability
    • Bypass read restrictions on /etc/passwd with cURL or unique logic scripts
    • Generate a backdoor that can be controlled remotely from the tool
    • Some other fun stuff :)

    Getting Started
    1. git clone https://github.com/KeepWannabe/Remot3d
    2. cd Remot3d
    3. chmod +x Remot3d.sh && ./Remot3d.sh

    Linux operating systems we recommend:
    • Linux mint (Ubuntu Based with Mate DE)
    • Parrot
    • BackTrack
    • Backbox
    • DracOS
    • IbisLinux

    Update Remot3d
    • To update Remot3d, go to your Remot3d folder and execute: git pull && chmod +x Remot3d.sh && ./Remot3d.sh


    Htcap - A Web Application Scanner Able To Crawl Single Page Application (SPA) In A Recursive Manner By Intercepting Ajax Calls And DOM Changes


    Htcap is a web application scanner able to crawl single page applications (SPA) in a recursive manner by intercepting AJAX calls and DOM changes. Htcap is not just another vulnerability scanner, since it focuses on the crawling process and aims to detect and intercept AJAX/fetch calls, WebSockets, JSONP, etc. It uses its own fuzzers plus a set of external tools to discover vulnerabilities, and it is designed to be a tool for both manual and automated penetration testing of modern web applications.
    It also features a small but powerful framework to quickly develop custom fuzzers in fewer than 60 lines of Python. The fuzzers can work with GET/POST data, XML and JSON payloads, and switch between POST and GET. Of course, fuzzers run in parallel in a multi-threaded environment.
    This is the very first release that uses headless Chrome instead of PhantomJS. Htcap's JavaScript crawling engine has been rewritten to take advantage of the new async/await features of ECMAScript and has been converted to a Node.js module built on top of Puppeteer.
    More info at htcap.org.

    SETUP

    Requirements
    1. Python 2.7
    2. Nodejs and npm
    3. Sqlmap (for sqlmap scanner module)
    4. Arachni (for arachni scanner module)

    Download and Run
    $ git clone https://github.com/fcavallarin/htcap.git htcap
    $ htcap/htcap.py



    DOCUMENTATION
    Documentation, examples and demos can be found at the official website https://htcap.org.



    Malice - VirusTotal Wanna Be (Now With 100% More Hipster)


    Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale, from an independent researcher to a Fortune 500 company.

    Try It Out
    DEMO: demo.malice.io
    • username: malice
    • password: ecilam

    Requirements

    Hardware
    • ~16GB disk space
    • ~4GB RAM


    Getting Started (OSX)

    Install
    $ brew install maliceio/tap/malice
    Usage: malice [OPTIONS] COMMAND [arg...]

    Open Source Malware Analysis Framework

    Version: 0.3.11

    Author:
    blacktop - <https://github.com/blacktop>

    Options:
    --debug, -D Enable debug mode [$MALICE_DEBUG]
    --help, -h show help
    --version, -v print the version

    Commands:
    scan Scan a file
    watch Watch a folder
    lookup Look up a file hash
    elk Start an ELK docker container
    plugin List, Install or Remove Plugins
    help Shows a list of commands or help for one command

    Run 'malice COMMAND --help' for more information on a command.

    Scan some malware
    $ malice scan evil.malware
    NOTE: On the first run Malice will download all of its default plugins, which can take a while to complete.
    Malice will output the results as a markdown table that can be piped or copied into a results.md that will look great on GitHub (see here).

    Start Malice's Web UI
    $ malice elk
    You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)
    • Type in malice as the Index name or pattern and click Create.
    • Now click on the Malice Tab and behold!!!


    Getting Started (Docker in Docker)

    Install/Update all Plugins
    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

    Scan a file
    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v `pwd`:/malice/samples \
    -e MALICE_VT_API=$MALICE_VT_API \
    malice/engine scan SAMPLE



    WPintel - Chrome Extension Designed For WordPress Vulnerability Scanning And Information Gathering


    WordPress Vulnerability Scanner - Scan for vulnerabilities, version, themes, plugins and much more!
    WPintel allows you to scan self hosted WordPress sites.

    With WPintel you can detect the following:
    • Version
    • Version vulnerabilities
    • Plugins
    • Themes
    • Users
    and much more!

    Although WPintel is designed for self hosted (wordpress.org) WordPress sites, some of its functionality still works for sites hosted on wordpress.com.




    Conpot - An Open Industrial Control Honeypot


    Conpot is an ICS honeypot with the goal of collecting intelligence about the motives and methods of adversaries targeting industrial control systems.

    Documentation
    The built documentation can be found here. There you will also find instructions on how to install Conpot and the FAQ.

    Easy install using Docker

    Via a pre-built image
    1. Install Docker
    2. Run docker pull honeynet/conpot
    3. Run docker run -it -p 80:80 -p 102:102 -p 502:502 -p 161:161/udp --network=bridge honeynet/conpot:latest /bin/sh
    4. Finally run conpot -f --template default
    Navigate to http://MY_IP_ADDRESS to confirm the setup.

    Build docker image from source
    1. Install Docker
    2. Clone this repo with git clone https://github.com/mushorg/conpot.git and cd conpot/docker
    3. Run docker build -t conpot .
    4. Run docker run -it -p 80:8800 -p 102:10201 -p 502:5020 -p 161:16100/udp -p 47808:47808/udp -p 623:6230/udp -p 21:2121 -p 69:6969/udp -p 44818:44818 --network=bridge conpot
    Navigate to http://MY_IP_ADDRESS to confirm the setup.

    Build from source and run with docker-compose
    1. Install docker-compose
    2. Clone this repo with git clone https://github.com/mushorg/conpot.git and cd conpot/docker
    3. Build the image with docker-compose build
    4. Test if everything is running correctly with docker-compose up
    5. Permanently run as a daemon with docker-compose up -d

    Sample output
    # conpot --template default

    Version 0.6.0
    MushMush Foundation

    2018-08-09 19:13:15,085 Initializing Virtual File System at ConpotTempFS/__conpot__ootc_k3j. Source specified : tar://conpot-0.6.0-py3.6/conpot/data.tar
    2018-08-09 19:13:15,100 Please wait while the system copies all specified files
    2018-08-09 19:13:15,172 Fetched x.x.x.x as external ip.
    2018-08-09 19:13:15,175 Found and enabled ('modbus', <conpot.protocols.modbus.modbus_server.ModbusServer object at 0x7f1af52231d0>) protocol.
    2018-08-09 19:13:15,177 Found and enabled ('s7comm', <conpot.protocols.s7comm.s7_server.S7Server object at 0x7f1af5ad1f60>) protocol.
    2018-08-09 19:13:15,178 Found and enabled ('http', <conpot.protocols.http.web_server.HTTPServer object at 0x7f1af4fc2630>) protocol.
    2018-08-09 19:13:15,179 Found and enabled ('snmp', <conpot.protocols.snmp.snmp_server.SNMPServer object at 0x7f1af4fc2710>) protocol.
    2018-08-09 19:13:15,181 Found and enabled ('bacnet', <conpot.protocols.bacnet.bacnet_server.BacnetServer object at 0x7f1af4fc22e8>) protocol.
    2018-08-09 19:13:15,182 Found and enabled ('ipmi', <conpot.protocols.ipmi.ipmi_server.IpmiServer object at 0x7f1af5aaa1d0>) protocol.
    2018-08-09 19:13:15,185 Found and enabled ('enip', <conpot.protocols.enip.enip_server.EnipServer object at 0x7f1af5aaa0f0>) protocol.
    2018-08-09 19:13:15,199 Found and enabled ('ftp', <conpot.protocols.ftp.ftp_server.FTPServer object at 0x7f1af4fcec18>) protocol.
    2018-08-09 19:13:15,206 Found and enabled ('tftp', <conpot.protocols.tftp.tftp_server.TftpServer object at 0x7f1af4fcef28>) protocol.
    2018-08-09 19:13:15,206 No proxy template found. Service will remain unconfigured/stopped.
    2018-08-09 19:13:15,206 Modbus server started on: ('0.0.0.0', 5020)
    2018-08-09 19:13:15,206 S7Comm server started on: ('0.0.0.0', 10201)
    2018-08-09 19:13:15,207 HTTP server started on: ('0.0.0.0', 8800)
    2018-08-09 19:13:15,402 SNMP server started on: ('0.0.0.0', 16100)
    2018-08-09 19:13:15,403 Bacnet server started on: ('0.0.0.0', 47808)
    2018-08-09 19:13:15,403 IPMI server started on: ('0.0.0.0', 6230)
    2018-08-09 19:13:15,403 handle server PID [23183] running on ('0.0.0.0', 44818)
    2018-08-09 19:13:15,404 handle server PID [23183] responding to external done/disable signal in object 139753672309064
    2018-08-09 19:13:15,404 FTP server started on: ('0.0.0.0', 2121)
    2018-08-09 19:13:15,404 Starting TFTP server at ('0.0.0.0', 6969)




    Beebug - A Tool For Checking Exploitability


    beebug is a tool that can be used to verify whether a program crash could be exploitable.
    This tool was presented for the first time at r2con 2018 in Barcelona.
    Some of the implemented functionality:
    • Stack overflow on libc
    • Crash on Program Counter
    • Crash on branch
    • Crash on write memory
    • Heap vulnerabilities
    • Read access violation (some exploitable cases)
    • Help to analyze a crash (graph view)

    Dependencies
    • r2pipe
    • pydot
    • graphviz
    • pyqtgraph

    Installation
    ~ $ wget https://github.com/radare/radare2/archive/2.7.0.tar.gz
    ~ $ tar xzvf 2.7.0.tar.gz
    ~ $ cd radare2-2.7.0/
    ~/radare2-2.7.0 $ ./configure --prefix=/usr
    ~/radare2-2.7.0 $ make -j8
    ~/radare2-2.7.0 $ sudo make install
    # apt-get install graphviz
    # pip3 install -r requirements.txt

    Usage

    help
    $ python3 ./beebug.py -h
    usage: beebug.py [-h] [-t TARGET] [-a TARGETARGS] [-f FILE] [-g GRAPH] [-i]
    [-r REPORT_FILE] [-v]

    optional arguments:
    -h, --help show this help message and exit
    -t TARGET, --target TARGET
    target program to analyze
    -a TARGETARGS, --targetargs TARGETARGS
    arguments for the target program
    -f FILE, --file FILE input file
    -g GRAPH, --graph GRAPH
    generate the graph
    -i, --instrumentation
    instrumentation option
    -r REPORT_FILE, --report_file REPORT_FILE
    DynamoRIO report file to parse

    Simple usage
    # python3 ./beebug.py -t tests/crash_on_pc
    Process with PID 7691 started...
    File dbg:///home/invictus1306/Documents/r2conf/beebug/beebug/tests/crash_on_pc reopened in read-write mode
    = attach 7691 7691
    child stopped with signal 11
    [+] SIGNAL 11 errno=0 addr=0x00601038 code=2 ret=0
    Crash on PC - Generally it is exploitable, the PC could be tainted
    backtrace
    0 0x601038 sp: 0x0 0 [??] obj.foo obj.foo0
    1 0x4004f1 sp: 0x7ffdfa75d8e8 0 [sym.main] main+27
    2 0x7f2669d00830 sp: 0x7ffdfa75d908 32 [??] r11+240
    3 0x7f266a0ba7cb sp: 0x7ffdfa75d998 144 [??] sym.dl_rtld_di_serinfo+29051
    4 0x400409 sp: 0x7ffdfa75d9c8 48 [??] entry0+41
    registers
    rax = 0x00601038
    rbx = 0x00000000
    rcx = 0x00000000
    rdx = 0x7ffdfa75d9f8
    r8 = 0x00400570
    r9 = 0x7f266a0baab0
    r10 = 0x00000846
    r11 = 0x7f2669d00740
    r12 = 0x004003e0
    r13 = 0x7ffdfa75d9e0
    r14 = 0x00000000
    r15 = 0x00000000
    rsi = 0x7ffdfa75d9e8
    rdi = 0x0000000a
    rsp = 0x7ffdfa75d8e8
    rbp = 0x7ffdfa75d900
    rip = 0x00601038
    rflags = 0x00010206
    orax = 0xffffffffffffffff

    Graph generation
    # python3 ./beebug.py -t tests/crash_on_pc -g crash_on_pc
    ...
    $ display crash_on_pc.png


    Report parsing
    Parse the report produced by functrace and generate a graph from it.

    Generate a report using functrace
    $ drrun -c libfunctrace.so -report_file ./tests/reports/report1 -disas_func main -- ./tests/reports/simple_test
    Please enter a message:
    AAAA
    Hello! This is the default message, the number is 22

    Run beebug for graph generation
    $ python3 beebug.py -i -r ./tests/reports/report1 -g tests/reports/report1

    Future direction
    • Support different architectures
    • Improvement of the graph view (based on radare2)
    • Analyze core dumps (based on radare2)
    • Use instrumentation for the graph view generation



    Jok3R - Network And Web Pentest Framework


    Jok3r is a Python3 CLI application aimed at helping penetration testers with network infrastructure and web black-box security tests.
    Its main goal is to save time on everything that can be automated during a network/web pentest, in order to spend more time on more interesting and challenging work.
    To achieve that, it combines open-source hacking tools to run various security checks against all common network services.


    Main features
    Toolbox management:
    • Install automatically all the hacking tools used by Jok3r,
    • Keep the toolbox up-to-date,
    • Easily add new tools.
    Attack automation:
    • Target most common network services (including web),
    • Run security checks by chaining hacking tools, following the standard process (Reconnaissance, Vulnerability scanning, Exploitation, Account bruteforce, (Basic) Post-exploitation),
    • Let Jok3r automatically choose the checks to run according to the context and knowledge about the target.
    Mission management / Local database:
    • Organize targets by missions in local database,
    • Fully manage missions and targets (hosts/services) via interactive shell (like msfconsole db),
    • Access results from security checks.
    Jok3r has been built with the ambition to be easily and quickly customizable: Tools, security checks, supported network services... can be easily added/edited/removed by editing settings files with an easy-to-understand syntax.


    Installation
    The recommended way to use Jok3r is inside a Docker container, so you will not have to worry about dependency issues or installing the various hacking tools of the toolbox.

    A Docker image is available on Docker Hub and automatically re-built at each update: https://hub.docker.com/r/koutto/jok3r/. It is initially based on the official Kali Linux Docker image (kalilinux/kali-linux-docker).

    Pull Jok3r Docker Image:
    sudo docker pull koutto/jok3r
    Run fresh Docker container:
    sudo docker run -i -t --name jok3r-container -w /root/jok3r --net=host koutto/jok3r
    Important: the --net=host option is required to share the host's network interface. It is needed for reverse connections (e.g. a ping back to the container when testing for RCE, or getting a reverse shell).
    Jok3r and its toolbox are ready to use!
    • To re-run a stopped container:
    sudo docker start -i jok3r-container
    • To open multiple shells inside the container:
    sudo docker exec -it jok3r-container bash
    For information about building your own Docker image or installing Jok3r on your system without using Docker, refer to https://jok3r.readthedocs.io/en/latest/installation.html


    Quick usage examples
    Show all the tools in the toolbox
    python3 jok3r.py toolbox --show-all
    Install all the tools in the toolbox
    python3 jok3r.py toolbox --install-all --fast
    Update all the tools in the toolbox
    python3 jok3r.py toolbox --update-all --fast
    List supported services
    python3 jok3r.py info --services
    Show security checks for HTTP
    python3 jok3r.py info --checks http
    Create a new mission in local database
    python3 jok3r.py db

    jok3rdb[default]> mission -a MayhemProject

    [+] Mission "MayhemProject" successfully added
    [*] Selected mission is now MayhemProject

    jok3rdb[MayhemProject]>
    Run security checks against a URL and add results to the mission
    python3 jok3r.py attack -t https://www.example.com/webapp/ --add MayhemProject
    Run security checks against a MSSQL service (without user-interaction) and add results to the mission
    python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql --add MayhemProject --fast
    Import hosts/services from Nmap results into the mission scope
    python3 jok3r.py db

    jok3rdb[default]> mission MayhemProject

    [*] Selected mission is now MayhemProject

    jok3rdb[MayhemProject]> nmap results.xml
    Run security checks against all services in the given mission and store results in the database
    python3 jok3r.py attack -m MayhemProject --fast
    Run security checks against only FTP services running on ports 21/tcp and 2121/tcp from the mission
    python3 jok3r.py attack -m MayhemProject -f "port=21,2121;service=ftp" --fast
    Run security checks against only FTP services running on ports 2121/tcp and all HTTP services on 192.168.1.42 from the mission
    python3 jok3r.py attack -m MayhemProject -f "port=2121;service=ftp" -f "ip=192.168.1.42;service=http"


    Typical usage example
    You begin a pentest with several servers in the scope. Here is a typical example of how to use Jok3r:
    1. You run an Nmap scan on the servers in the scope.
    2. You create a new mission (let's say "MayhemProject") in the local database:
    python3 jok3r.py db

    jok3rdb[default]> mission -a MayhemProject

    [+] Mission "MayhemProject" successfully added
    [*] Selected mission is now MayhemProject

    jok3rdb[MayhemProject]>
    3. You import your Nmap scan results into the database:
    jok3rdb[MayhemProject]> nmap results.xml
    4. You can then get a quick overview of all services and hosts in the scope, add some comments, add some credentials if you already have some knowledge about the targets (grey box pentest), and so on:
    jok3rdb[MayhemProject]> hosts

    [...]

    jok3rdb[MayhemProject]> services

    [...]
    5. Now, you can run security checks against some targets in the scope. For example, if you want to run checks against all Java-RMI services in the scope, you can run the following command:
    python3 jok3r.py attack -m MayhemProject -f "service=java-rmi" --fast
    6. You can view the results from the security checks either live while the tools are executed, or later from the database using the following command:
    jok3rdb[MayhemProject]> results


    Full Documentation
    Documentation is available at: https://jok3r.readthedocs.io/


    Supported Services & Security Checks
    Lots of checks remain to be implemented and services must be added. Work in progress...


    AJP (default 8009/tcp)
    +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+
    | Name | Category | Description | Tool used |
    +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+
    | nmap-recon | recon | Recon using Nmap AJP scripts | nmap |
    | tomcat-version | recon | Fingerprint Tomcat version through AJP | ajpy |
    | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |
    | default-creds-tomcat | bruteforce | Check default credentials for Tomcat Application Manager | ajpy |
    | deploy-webshell-tomcat | exploit | Deploy a webshell on Tomcat through AJP | ajpy |
    +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+

    FTP (default 21/tcp)
    +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+
    | Name | Category | Description | Tool used |
    +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+
    | nmap-recon | recon | Recon using Nmap FTP scripts | nmap |
    | nmap-vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |
    | ftpmap-scan | vulnscan | Identify FTP server soft/version and check for known vulns | ftpmap |
    | common-creds | bruteforce | Check common credentials on FTP server | patator |
    | bruteforce-creds | bruteforce | Bruteforce FTP accounts | patator |
    +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+

    HTTP (default 80/tcp)
    +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+
    | Name | Category | Description | Tool used |
    +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+
    | nmap-recon | recon | Recon using Nmap HTTP scripts | nmap |
    | load-balancing-detection | recon | HTTP load balancer detection | halberd |
    | waf-detection | recon | Identify and fingerprint WAF products protecting website | wafw00f |
    | tls-probing | recon | Identify the implementation in use by SSL/TLS servers (might allow server fingerprinting) | tls-prober |
    | fingerprinting-multi-whatweb | recon | Identify CMS, blogging platforms, JS libraries, Web servers | whatweb |
    | fingerprinting-app-server | recon | Fingerprint application server (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish) | clusterd |
    | fingerprinting-server-domino | recon | Fingerprint IBM/Lotus Domino server | domiowned |
    | fingerprinting-cms-wig | recon | Identify several CMS and other administrative applications | wig |
    | fingerprinting-cms-cmseek | recon | Detect CMS (130+ supported), detect version on Drupal, advanced scan on Wordpress/Joomla | cmseek |
    | fingerprinting-cms-fingerprinter | recon | Fingerprint precisely CMS versions (based on files checksums) | fingerprinter |
    | fingerprinting-cms-cmsexplorer | recon | Find plugins and themes (using bruteforce) installed in a CMS (Wordpress, Drupal, Joomla, Mambo) | cmsexplorer |
    | fingerprinting-drupal | recon | Fingerprint Drupal 7/8: users, nodes, default files, modules, themes enumeration | drupwn |
    | crawling-fast | recon | Crawl website quickly, analyze interesting files/directories | dirhunt |
    | crawling-fast2 | recon | Crawl website and extract URLs, files, intel & endpoints | photon |
    | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |
    | ssl-check | vulnscan | Check for SSL/TLS configuration | testssl |
    | vulnscan-multi-nikto | vulnscan | Check for multiple web vulnerabilities/misconfigurations | nikto |
    | default-creds-web-multi | vulnscan | Check for default credentials on various web interfaces | changeme |
    | webdav-scan-davscan | vulnscan | Scan HTTP WebDAV | davscan |
    | webdav-scan-msf | vulnscan | Scan HTTP WebDAV | metasploit |
    | webdav-internal-ip-disclosure | vulnscan | Check for WebDAV internal IP disclosure | metasploit |
    | webdav-website-content | vulnscan | Detect webservers disclosing its content through WebDAV | metasploit |
    | http-put-check | vulnscan | Detect the support of dangerous HTTP PUT method | metasploit |
    | apache-optionsbleed-check | vulnscan | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798) | optionsbleed |
    | shellshock-scan | vulnscan | Detect if web server is vulnerable to Shellshock (CVE-2014-6271) | shocker |
    | iis-shortname-scan | vulnscan | Scan for IIS short filename (8.3) disclosure vulnerability | iis-shortname-scanner |
    | iis-internal-ip-disclosure | vulnscan | Check for IIS internal IP disclosure | metasploit |
    | tomcat-user-enum | vulnscan | Enumerate users on Tomcat 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18 | metasploit |
    | jboss-vulnscan-multi | vulnscan | Scan JBoss application server for multiple vulnerabilities | metasploit |
    | jboss-status-infoleak | vulnscan | Queries JBoss status servlet to collect sensitive information (JBoss 4.0, 4.2.2 and 4.2.3) | metasploit |
    | jenkins-infoleak | vulnscan | Enumerate a remote Jenkins-CI installation in an unauthenticated manner | metasploit |
    | cms-multi-vulnscan-cmsmap | vulnscan | Check for vulnerabilities in CMS Wordpress, Drupal, Joomla | cmsmap |
    | wordpress-vulscan | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpscan |
    | wordpress-vulscan2 | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpseku |
    | joomla-vulnscan | vulnscan | Scan for vulnerabilities in CMS Joomla | joomscan |
    | joomla-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlascan |
    | joomla-vulnscan3 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlavs |
    | drupal-vulnscan | vulnscan | Scan for vulnerabilities in CMS Drupal | droopescan |
    | magento-vulnscan | vulnscan | Check for misconfigurations in CMS Magento | magescan |
    | silverstripe-vulnscan | vulnscan | Scan for vulnerabilities in CMS Silverstripe | droopescan |
    | vbulletin-vulnscan | vulnscan | Scan for vulnerabilities in CMS vBulletin | vbscan |
    | liferay-vulnscan | vulnscan | Scan for vulnerabilities in CMS Liferay | liferayscan |
    | angularjs-csti-scan | vulnscan | Scan for AngularJS Client-Side Template Injection | angularjs-csti-scanner |
    | jboss-deploy-shell | exploit | Try to deploy shell on JBoss server (jmx|web|admin-console, JMXInvokerServlet) | jexboss |
    | struts2-rce-cve2017-5638 | exploit | Exploit Apache Struts2 Jakarta Multipart parser RCE (CVE-2017-5638) | jexboss |
    | struts2-rce-cve2017-9805 | exploit | Exploit Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805) | struts-pwn-cve2017-9805 |
    | struts2-rce-cve2018-11776 | exploit | Exploit Apache Struts2 misconfiguration RCE (CVE-2018-11776) | struts-pwn-cve2018-11776 |
    | tomcat-rce-cve2017-12617 | exploit | Exploit for Apache Tomcat JSP Upload Bypass RCE (CVE-2017-12617) | exploit-tomcat-cve2017-12617 |
    | jenkins-cliport-deserialize | exploit | Exploit Java deserialization in Jenkins CLI port | jexboss |
    | weblogic-t3-deserialize-cve2015-4852 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2015-4852) | loubia |
    | weblogic-t3-deserialize-cve2017-3248 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2017-3248) | exploit-weblogic-cve2017-3248 |
    | weblogic-t3-deserialize-cve2018-2893 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2018-2893) | exploit-weblogic-cve2018-2893 |
    | weblogic-wls-wsat-cve2017-10271 | exploit | Exploit WLS-WSAT in Weblogic - CVE-2017-10271 | exploit-weblogic-cve2017-10271 |
    | drupal-cve-exploit | exploit | Check and exploit CVEs in CMS Drupal 7/8 (include Drupalgeddon2) (require user interaction) | drupwn |
    | bruteforce-domino | bruteforce | Bruteforce against IBM/Lotus Domino server | domiowned |
    | bruteforce-wordpress | bruteforce | Bruteforce Wordpress accounts | wpseku |
    | bruteforce-joomla | bruteforce | Bruteforce Joomla account | xbruteforcer |
    | bruteforce-drupal | bruteforce | Bruteforce Drupal account | xbruteforcer |
    | bruteforce-opencart | bruteforce | Bruteforce Opencart account | xbruteforcer |
    | bruteforce-magento | bruteforce | Bruteforce Magento account | xbruteforcer |
    | web-path-bruteforce-targeted | bruteforce | Bruteforce web paths when language is known (extensions adapted) (use raft wordlist) | dirsearch |
    | web-path-bruteforce-blind | bruteforce | Bruteforce web paths when language is unknown (use raft wordlist) | wfuzz |
    | web-path-bruteforce-opendoor | bruteforce | Bruteforce web paths using OWASP OpenDoor wordlist | wfuzz |
    | wordpress-shell-upload | postexploit | Upload shell on Wordpress if admin credentials are known | wpforce |
    +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+

    Java-RMI (default 1099/tcp)
    +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+
    | Name | Category | Description | Tool used |
    +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+
    | nmap-recon | recon | Attempt to dump all objects from Java-RMI service | nmap |
    | rmi-enum | recon | Enumerate RMI services | barmie |
    | jmx-info | recon | Get information about JMX and the MBean server | twiddle |
    | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (many false positives) | vuln-databases |
    | jmx-bruteforce | bruteforce | Bruteforce creds to connect to JMX registry | jmxbf |
    | exploit-rmi-default-config | exploit | Exploit default config in RMI Registry to load classes from any remote URL (does not work against JMX) | metasploit |
    | exploit-jmx-insecure-config | exploit | Exploit insecure JMX config (auth disabled: vulnerable; auth enabled: vulnerable only if weakly configured) | metasploit |
    | jmx-auth-disabled-deploy-class | exploit | Deploy malicious MBean on JMX service with auth disabled (alternative to msf module) | sjet |
    | tomcat-jmxrmi-deserialize | exploit | Exploit Java-RMI deserialize in Tomcat (CVE-2016-3427, CVE-2016-8735), req. JmxRemoteLifecycleListener | jexboss |
    | rmi-deserialize-all-payloads | exploit | Attempt to exploit Java deserialize against Java RMI Registry with all ysoserial payloads | ysoserial |
    | tomcat-jmxrmi-manager-creds | postexploit | Retrieve Manager creds on Tomcat JMX (req. auth disabled or creds known on JMX) | jmxploit |
    +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+

    JDWP (default 9000/tcp)
    +------------+----------+-----------------------------------------------------+-----------------+
    | Name | Category | Description | Tool used |
    +------------+----------+-----------------------------------------------------+-----------------+
    | nmap-recon | recon | Recon using Nmap JDWP scripts | nmap |
    | jdwp-rce | exploit | Gain RCE on JDWP service (show OS/Java info as PoC) | jdwp-shellifier |
    +------------+----------+-----------------------------------------------------+-----------------+

    MSSQL (default 1433/tcp)
    +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+
    | Name | Category | Description | Tool used |
    +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+
    | nmap-recon | recon | Recon using Nmap MSSQL scripts | nmap |
    | mssqlinfo | recon | Get technical information about a remote MSSQL server (uses the TDS protocol and the SQL Server Browser service) | msdat |
    | common-creds | bruteforce | Check common/default credentials on MSSQL server | msdat |
    | bruteforce-sa-account | bruteforce | Bruteforce MSSQL "sa" account | msdat |
    | audit-mssql-postauth | postexploit | Check permissive privileges, methods allowing command execution, weak accounts after authenticating on MSSQL | msdat |
    +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+

    MySQL (default 3306/tcp)
    +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+
    | Name | Category | Description | Tool used |
    +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+
    | nmap-recon | recon | Recon using Nmap MySQL scripts | nmap |
    | mysql-auth-bypass-cve2012-2122 | exploit | Exploit password bypass vulnerability in MySQL - CVE-2012-2122 | metasploit |
    | default-creds | bruteforce | Check default credentials on MySQL server | patator |
    | mysql-hashdump | postexploit | Retrieve usernames and password hashes from MySQL database (req. creds) | metasploit |
    | mysql-interesting-tables-columns | postexploit | Search for interesting tables and columns in database | jok3r-scripts |
    +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+

    Oracle (default 1521/tcp)
    +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+
    | Name | Category | Description | Tool used |
    +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+
    | tnscmd | recon | Connect to TNS Listener and issue commands Ping, Status, Version | odat |
    | tnspoisoning | vulnscan | Test if TNS Listener is vulnerable to TNS Poisoning (CVE-2012-1675) | odat |
    | common-creds | bruteforce | Check common/default credentials on Oracle server | odat |
    | bruteforce-creds | bruteforce | Bruteforce Oracle accounts (may lock accounts after repeated failures) | odat |
    | audit-oracle-postauth | postexploit | Check for privesc vectors, config leading to command execution, weak accounts after authenticating on Oracle | odat |
    | search-columns-passwords | postexploit | Search for columns storing passwords in the database | odat |
    +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+

    PostgreSQL (default 5432/tcp)
    +---------------+------------+------------------------------------------------+-----------+
    | Name | Category | Description | Tool used |
    +---------------+------------+------------------------------------------------+-----------+
    | default-creds | bruteforce | Check default credentials on PostgreSQL server | patator |
    +---------------+------------+------------------------------------------------+-----------+

    RDP (default 3389/tcp)
    +----------+----------+-----------------------------------------------------------------------+------------+
    | Name | Category | Description | Tool used |
    +----------+----------+-----------------------------------------------------------------------+------------+
    | ms12-020 | vulnscan | Check for MS12-020 RDP RCE vulnerability (Windows hosts without the 13 Mar 2012 update) | metasploit |
    +----------+----------+-----------------------------------------------------------------------+------------+

    SMB (default 445/tcp)
    +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+
    | Name | Category | Description | Tool used |
    +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+
    | nmap-recon | recon | Recon using Nmap SMB scripts | nmap |
    | anonymous-enum-smb | recon | Attempt to perform enum (users, shares...) without account | nullinux |
    | nmap-vulnscan | vulnscan | Check for vulns in SMB (MS17-010, MS10-061, MS10-054, MS08-067...) using Nmap | nmap |
    | detect-ms17-010 | vulnscan | Detect MS17-010 SMB RCE | metasploit |
    | samba-rce-cve2015-0240 | vulnscan | Detect RCE vuln (CVE-2015-0240) in Samba 3.5.x and 3.6.x | metasploit |
    | exploit-rce-ms08-067 | exploit | Exploit for RCE vuln MS08-067 on SMB | metasploit |
    | exploit-rce-ms17-010-eternalblue | exploit | Exploit for RCE vuln MS17-010 EternalBlue on SMB | metasploit |
    | exploit-sambacry-rce-cve2017-7494 | exploit | Exploit for SambaCry RCE (CVE-2017-7494) on Samba >= 3.5.0 not patched to 4.6.4/4.5.10/4.4.14 | metasploit |
    | auth-enum-smb | postexploit | Authenticated enumeration (users, groups, shares) on SMB | nullinux |
    | auth-shares-perm | postexploit | Get R/W permissions on SMB shares | smbmap |
    | smb-exec | postexploit | Attempt to get a remote shell (psexec-like, requires Administrator creds) | impacket |
    +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+

    SMTP (default 25/tcp)
    +----------------+----------+--------------------------------------------------------------------------------------------+----------------+
    | Name | Category | Description | Tool used |
    +----------------+----------+--------------------------------------------------------------------------------------------+----------------+
    | smtp-cve | vulnscan | Scan for vulnerabilities (CVE-2010-4344, CVE-2011-1720, CVE-2011-1764, open-relay) on SMTP | nmap |
    | smtp-user-enum | vulnscan | Attempt to perform user enumeration via SMTP commands EXPN, VRFY and RCPT TO | smtp-user-enum |
    +----------------+----------+--------------------------------------------------------------------------------------------+----------------+
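
The smtp-user-enum row relies on a classic leak: a permissive MTA answers VRFY or EXPN with 250 for a real mailbox and 550 for an unknown one, and RCPT TO inside a MAIL FROM transaction leaks the same way on servers that have disabled VRFY/EXPN. The script below is an added example, not code from Jok3r or smtp-user-enum. It runs the three probes against a constructed in-process stub MTA on the loopback interface (STUB_USERS and CANDIDATES are made-up data) and buckets each reply by code. The caveat a practitioner wants: hardened MTAs answer VRFY with 252 ("cannot verify, will accept"), and catch-all or late-rejecting servers accept every RCPT TO, so 252, 502 and 4xx replies are recorded as inconclusive rather than as hits.

```python
import socket
import threading

# Constructed stub data (not real accounts): what the fake MTA will admit to, and the wordlist we probe with.
STUB_USERS = {"root", "postmaster", "alice"}
CANDIDATES = ["root", "bob", "alice", "admin"]


def _readline(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated SMTP line; byte-at-a-time keeps the example dependency-free."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def _serve_one(listener: socket.socket) -> None:
    """Stub MTA that leaks account existence: 250 for known users, 550 otherwise, on VRFY, EXPN and RCPT TO."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP stub\r\n")
        while True:
            line = _readline(conn).decode(errors="replace").strip()
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mail.example.test\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb in ("VRFY", "EXPN", "RCPT"):
                # RCPT carries "TO:<user@domain>"; VRFY and EXPN carry a bare name.
                user = arg.split(":", 1)[-1].strip("<> ").split("@")[0] if verb == "RCPT" else arg
                if user in STUB_USERS:
                    conn.sendall(f"250 2.1.5 <{user}@example.test>\r\n".encode())
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def start_stub() -> int:
    """Bind the stub to an ephemeral loopback port, serve one session in the background, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_one, args=(listener,), daemon=True).start()
    return port


def _cmd(sock: socket.socket, line: str) -> str:
    sock.sendall(line.encode() + b"\r\n")
    return _readline(sock).decode(errors="replace").rstrip("\r\n")


def classify(reply: str) -> str:
    """What an SMTP reply code says about the probed account."""
    code = reply[:3]
    if code in ("250", "251"):
        return "found"          # accepted / will forward: the mailbox exists
    if code in ("550", "551", "553"):
        return "unknown"        # mailbox unavailable, not local, or bad name
    return "inconclusive"       # 252 (cannot verify but will accept), 502 (disabled), 4xx throttling...


def smtp_enum(host: str, port: int, candidates, mode: str = "VRFY", domain: str = "example.test", timeout: float = 5.0) -> dict:
    """Probe every candidate with one verb (VRFY, EXPN or RCPT) over a single session and bucket the replies."""
    if mode not in ("VRFY", "EXPN", "RCPT"):
        raise ValueError("mode must be VRFY, EXPN or RCPT")
    result = {"found": [], "unknown": [], "inconclusive": []}
    with socket.create_connection((host, port), timeout=timeout) as s:
        _readline(s)                                            # 220 banner
        _cmd(s, "HELO enum.example.test")
        if mode == "RCPT":
            _cmd(s, "MAIL FROM:<probe@enum.example.test>")      # RCPT is only legal inside a transaction
        for user in candidates:
            probe = f"RCPT TO:<{user}@{domain}>" if mode == "RCPT" else f"{mode} {user}"
            result[classify(_cmd(s, probe))].append(user)
        _cmd(s, "QUIT")
    return result


def run_demo() -> dict:
    """Run all three modes against fresh stub sessions; offline, loopback only."""
    return {mode: smtp_enum("127.0.0.1", start_stub(), CANDIDATES, mode) for mode in ("VRFY", "EXPN", "RCPT")}


if __name__ == "__main__":
    for mode, buckets in run_demo().items():
        print(mode, buckets)
```

Against a live target, point smtp_enum at the MTA instead of start_stub() and expect most modern servers to land everything in the inconclusive bucket for VRFY and EXPN; RCPT TO is the mode that usually still works, and a long run of 250s across an implausible wordlist is the sign of a catch-all rather than of a leak.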

    SNMP (default 161/udp)
    +--------------------------+-------------+---------------------------------------------------------------------+------------+
    | Name | Category | Description | Tool used |
    +--------------------------+-------------+---------------------------------------------------------------------+------------+
    | common-community-strings | bruteforce | Check common community strings on SNMP server | metasploit |
    | snmpv3-bruteforce-creds | bruteforce | Bruteforce SNMPv3 credentials | snmpwn |
    | enumerate-info | postexploit | Enumerate information provided by SNMP (and check for write access) | snmp-check |
    +--------------------------+-------------+---------------------------------------------------------------------+------------+
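
The common-community-strings row is a sweep rather than a login attempt: an SNMPv1/v2c agent answers a GetRequest carrying an accepted community string and, per RFC 1157, silently drops one it rejects, so the test is "did a GetResponse come back before the timeout". The code below is an added example, not Jok3r's or the metasploit module's code. It hand-encodes the BER message, runs the sweep against a constructed in-memory agent (fake_agent, with a made-up set of accepted communities and a made-up sysDescr) and includes the UDP transport you would plug in for a live target (udp_transport). COMMON_COMMUNITIES is a constructed wordlist; SYS_DESCR is the standard sysDescr.0 OID.

```python
import socket
from typing import Callable, List, Optional, Tuple

# Constructed wordlist for the demo; a real sweep uses a longer list (e.g. metasploit's snmp_default_pass.txt).
COMMON_COMMUNITIES = ["public", "private", "manager", "cisco", "admin"]
SYS_DESCR = "1.3.6.1.2.1.1.1.0"            # sysDescr.0: harmless and present on every agent
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # PDU tags

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body
def _int(v: int) -> bytes:                  # minimal two's-complement INTEGER (non-negative values here)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(oid: str) -> bytes:                # first two arcs packed into one byte, the rest base-128
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:   # one TLV at pos -> (tag, body, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def build_get(community: str, oid: str, request_id: int, version: int = 1) -> bytes:
    """GetRequest for one OID; version 0 = SNMPv1, 1 = SNMPv2c (both authenticate by community string alone)."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)

def parse_message(data: bytes) -> dict:
    """Decode version, community, PDU type, request-id, error-status and the (oid, value) pairs."""
    _, msg, _ = _read(data, 0)
    _, ver, p = _read(msg, 0)
    _, comm, p = _read(msg, p)
    pdu_tag, pdu, _ = _read(msg, p)
    _, rid, q = _read(pdu, 0)
    _, err, q = _read(pdu, q)
    _, _, q = _read(pdu, q)                 # error-index, not needed here
    _, vbl, _ = _read(pdu, q)
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = _read(vbl, r)
        _, oidb, s = _read(vb, 0)
        vtag, vbody, _ = _read(vb, s)
        value = vbody.decode(errors="replace") if vtag == 0x04 else (int.from_bytes(vbody, "big", signed=True) if vtag == 0x02 else None)
        varbinds.append((_decode_oid(oidb), value))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(errors="replace"), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True), "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}

def fake_agent(valid: set, sysdescr: str = "Linux stub 5.x") -> Callable[[bytes], Optional[bytes]]:
    """Constructed stand-in for a target agent; `valid` and `sysdescr` are made-up demo values."""
    def respond(request: bytes) -> Optional[bytes]:
        req = parse_message(request)
        if req["community"] not in valid:
            return None                     # RFC 1157 behaviour: a wrong community is dropped silently, never refused
        vb = _tlv(0x30, _oid(req["varbinds"][0][0]) + _tlv(0x04, sysdescr.encode()))
        pdu = _tlv(GET_RESPONSE, _int(req["request_id"]) + _int(0) + _int(0) + _tlv(0x30, vb))
        return _tlv(0x30, _int(req["version"]) + _tlv(0x04, req["community"].encode()) + pdu)
    return respond

def udp_transport(host: str, port: int = 161, timeout: float = 1.0) -> Callable[[bytes], Optional[bytes]]:
    """Live transport: one datagram out, one back, or None on timeout (the normal outcome for a bad community)."""
    def send(request: bytes) -> Optional[bytes]:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, (host, port))
            try:
                return s.recvfrom(65535)[0]
            except socket.timeout:
                return None
    return send

def sweep(communities: List[str], transport: Callable[[bytes], Optional[bytes]]) -> List[Tuple[str, str]]:
    """Return (community, sysDescr) for every string the agent answers; silence counts as rejection."""
    hits = []
    for i, community in enumerate(communities, start=1):
        reply = transport(build_get(community, SYS_DESCR, request_id=i))
        if reply is None:
            continue
        msg = parse_message(reply)
        # Insist on a GetResponse echoing our request-id so a stray datagram is not read as acceptance.
        if msg["pdu_type"] == GET_RESPONSE and msg["request_id"] == i and msg["error_status"] == 0:
            hits.append((community, str(msg["varbinds"][0][1])))
    return hits
```

`sweep(COMMON_COMMUNITIES, fake_agent({"private"}))` runs the whole thing offline; for a real host use `sweep(COMMON_COMMUNITIES, udp_transport("10.0.0.1"))` and keep the timeout short, since every rejected string costs one full timeout. Matching the echoed request-id and requiring error-status 0 is what separates "community accepted" from noise on the wire; the write-access check that the enumerate-info row mentions follows the same pattern with a SetRequest PDU instead of a GetRequest.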

    SSH (default 22/tcp)
    +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+
    | Name | Category | Description | Tool used |
    +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+
    | vulns-algos-scan | vulnscan | Scan supported algorithms and security info on SSH server | ssh-audit |
    | user-enumeration-timing-attack | exploit | Attempt OpenSSH user enumeration via timing attack (affects OpenSSH 5.x up to 7.2) | osueta |
    | default-ssh-key | bruteforce | Try to authenticate on SSH server using known SSH keys | changeme |
    | default-creds | bruteforce | Check default credentials on SSH | patator |
    +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+

    Telnet (default 23/tcp)
    +-------------------------+------------+----------------------------------------------------------------------------------+-----------+
    | Name | Category | Description | Tool used |
    +-------------------------+------------+----------------------------------------------------------------------------------+-----------+
    | nmap-recon | recon | Recon using Nmap Telnet scripts | nmap |
    | default-creds | bruteforce | Check default credentials on Telnet (dictionary from https://cirt.net/passwords) | patator |
    | bruteforce-root-account | bruteforce | Bruteforce "root" account on Telnet | patator |
    +-------------------------+------------+----------------------------------------------------------------------------------+-----------+

    VNC (default 5900/tcp)
    +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+
    | Name | Category | Description | Tool used |
    +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+
    | nmap-recon | recon | Recon using Nmap VNC scripts | nmap |
    | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (many false positives) | vuln-databases |
    | bruteforce-pass | bruteforce | Bruteforce VNC password | patator |
    +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+

