Channel: KitPloit - PenTest Tools!

Sliver - Implant Framework


Sliver is a general purpose cross-platform implant framework that supports C2 over mutual TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority that is generated the first time you run the binary.
The server, client, and implant all support macOS, Windows, and Linux (and possibly every Golang compiler target, but we've not tested them all).

Features
  • Dynamic code generation
  • Compile-time obfuscation
  • Local and remote process injection
  • Anti-anti-anti-forensics
  • Secure C2 over mTLS, HTTP(S), and DNS
  • Windows process migration
  • Windows user token manipulation
  • Multiplayer-mode
  • Procedurally generated C2 over HTTP (work in progress)
  • Let's Encrypt integration
  • In-memory .NET assembly execution
  • DNS Canary Blue Team Detection

Getting Started
Download the latest release and see the Sliver wiki for a quick tutorial on basic setup and usage. To get the very latest and greatest, compile from source.

Compile From Source
See the wiki.

Source Code
The source code repo contains the following directories:
  • assets/ - Static assets that are embedded into the server binary, generated by go-assets.sh
  • client/ - Client code, the majority of this code is also used by the server
  • protobuf/ - Protobuf code
  • server/ - Server-side code
  • sliver/ - Implant code, rendered by the server at runtime
  • util/ - Utility functions that may be shared by the server and client




Simplify - Generic Android Deobfuscator


Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what specific type of obfuscation is used.

Before and After
The code on the left is a decompilation of an obfuscated app, and the code on the right has been deobfuscated.



Overview
There are three parts to the project: smalivm, simplify, and the demo app.
  1. smalivm: Provides a virtual machine sandbox for executing Dalvik methods. After executing a method, it returns a graph containing all possible register and class values for every execution path. It works even if some values are unknown, such as file and network I/O. For example, any if or switch conditional with an unknown value results in both branches being taken.
  2. simplify: Analyzes the execution graphs from smalivm and applies optimizations such as constant propagation, dead code removal, unreflection, and some peephole optimizations. These are fairly simple, but when applied together repeatedly, they'll decrypt strings, remove reflection, and greatly simplify code. It does not rename methods and classes.
  3. demoapp: Contains simple, heavily commented examples for using smalivm in your own project. If you're building something that needs to execute Dalvik code, check it out.

Usage
usage: java -jar simplify.jar <input> [options]
deobfuscates a dalvik executable
-et,--exclude-types <pattern> Exclude classes and methods which include REGEX, eg: "com/android", applied after include-types
-h,--help Display this message
-ie,--ignore-errors Ignore errors while executing and optimizing methods. This may lead to unexpected behavior.
--include-support Attempt to execute and optimize classes in Android support library packages, default: false
-it,--include-types <pattern> Limit execution to classes and methods which include REGEX, eg: ";->targetMethod\("
--max-address-visits <N> Give up executing a method after visiting the same address N times, limits loops, default: 10000
--max-call-depth <N> Do not call methods after reaching a call depth of N, limits recursion and long method chains, default: 50
--max-execution-time <N> Give up executing a method after N seconds, default: 300
--max-method-visits <N> Give up executing a method after executing N instructions in that method, default: 1000000
--max-passes <N> Do not run optimizers on a method more than N times, default: 100
-o,--output <file> Output simplified input to FILE
--output-api-level <LEVEL> Set output DEX API compatibility to LEVEL, default: 15
-q,--quiet Be quiet
--remove-weak Remove code even if there are weak side effects, default: true
-v,--verbose <LEVEL> Set verbosity to LEVEL, default: 0

Building
Building requires the Java Development Kit 8 (JDK) to be installed.
Because this project contains submodules for Android frameworks, either clone with --recursive:
git clone --recursive https://github.com/CalebFenton/simplify.git
Or update submodules at any time with:
git submodule update --init --recursive
Then, to build a single jar which contains all dependencies:
./gradlew fatjar
The Simplify jar will be in simplify/build/libs/. You can test that it's working by simplifying the provided obfuscated example app. Here's how you'd run it (you may need to change the path to simplify.jar):
java -jar simplify/build/libs/simplify.jar -it 'org/cf/obfuscated' -et 'MainActivity' simplify/obfuscated-app.apk
To understand what's getting deobfuscated, check out Obfuscated App's README.

Troubleshooting
If Simplify fails, try these recommendations, in order:
  1. Only target a few methods or classes by using the -it option.
  2. If the failure is because the maximum number of visits was exceeded, try using higher --max-address-visits, --max-call-depth, and --max-method-visits.
  3. Try with -v or -v 2 and report the issue with the logs and a hash of the DEX or APK.
  4. Try again, but do not break eye contact. Simplify can sense fear.
If building on Windows, and building fails with an error similar to:
Could not find tools.jar. Please check that C:\Program Files\Java\jre1.8.0_151 contains a valid JDK installation.
This means Gradle is unable to find a proper JDK path. Make sure the JDK is installed, set the JAVA_HOME environment variable to your JDK path, and make sure to close and re-open the command prompt you use to build.

Contributing
Don't be shy. I think virtual execution and deobfuscation are fascinating problems. Anyone who's interested is automatically cool and contributions are welcome, even if it's just to fix a typo. Feel free to ask questions in the issues and submit pull requests.

Reporting Issues
Please include a link to the APK or DEX and the full command you're using. This makes it much easier to reproduce (and thus fix) your issue.
If you can't share the sample, please include the file hash (SHA1, SHA256, etc).

Optimization Strategies

Constant Propagation
If an op places a value of a type which can be turned into a constant, such as a string, number, or boolean, this optimization will replace that op with the constant. For example:
const-string v0, "VGVsbCBtZSBvZiB5b3VyIGhvbWV3b3JsZCwgVXN1bC4="
invoke-static {v0}, Lmy/string/Decryptor;->decrypt(Ljava/lang/String;)Ljava/lang/String;
# Decrypts to: "Tell me of your homeworld, Usul."
move-result v0
In this example, an encrypted string is decrypted and placed into v0. Since strings are "constantizable", the move-result v0 can be replaced with a const-string:
const-string v0, "VGVsbCBtZSBvZiB5b3VyIGhvbWV3b3JsZCwgVXN1bC4="
invoke-static {v0}, Lmy/string/Decryptor;->decrypt(Ljava/lang/String;)Ljava/lang/String;
const-string v0, "Tell me of your homeworld, Usul."

Dead Code Removal
Code is dead if removing it cannot possibly alter the behavior of the app. The most obvious case is if the code is unreachable, e.g. if (false) { // dead }. If code is reachable, it may be considered dead if it doesn't affect any state outside of the method, i.e. it has no side effect. For example, the code may not affect the return value of the method, alter any class variables, or perform any IO. This is difficult to determine in static analysis. Luckily, smalivm doesn't have to be clever. It just stupidly executes everything it can and assumes there are side effects if it can't be sure. Consider the example from Constant Propagation:
const-string v0, "VGVsbCBtZSBvZiB5b3VyIGhvbWV3b3JsZCwgVXN1bC4="
invoke-static {v0}, Lmy/string/Decryptor;->decrypt(Ljava/lang/String;)Ljava/lang/String;
const-string v0, "Tell me of your homeworld, Usul."
In this code, the invoke-static no longer affects the return value of the method. Let's assume it doesn't do anything weird like write bytes to the file system or a network socket, so it has no side effects. It can simply be removed.
const-string v0, "VGVsbCBtZSBvZiB5b3VyIGhvbWV3b3JsZCwgVXN1bC4="
const-string v0, "Tell me of your homeworld, Usul."
Finally, the first const-string assigns a value to a register, but that value is never used, i.e. the assignment is dead. It can also be removed.
const-string v0, "Tell me of your homeworld, Usul."
Huzzah!
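The two passes above (constant propagation, then dead code removal, repeated until nothing changes) can be shown on a toy straight-line IR. The following is an added example, not Simplify's or smalivm's code: it assumes instructions are tuples, that Lmy/string/Decryptor;->decrypt is a plain base64 decode registered as a pure method, and that Lmy/net/Beacon;->send is a hypothetical method about which nothing is known, so side effects are assumed and the call must survive. Branching, unreflection and the Integer example later on the page are out of scope.

```python
import base64

# Toy versions of Simplify's constant propagation and dead code removal passes
# over a straight-line, smali-like method (added example, not the project's code).
# Instruction shapes: ("const-string", reg, value), ("invoke-static", (args...), method),
# ("move-result", reg), ("return-object", reg), ("return-void",).

UNKNOWN = object()  # a value the virtual machine could not determine (e.g. came from I/O)

# Methods known to be pure (no side effects, output depends only on inputs).
# Lmy/string/Decryptor;->decrypt is assumed here to be a plain base64 decode (constructed).
PURE_METHODS = {
    "Lmy/string/Decryptor;->decrypt": lambda s: base64.b64decode(s).decode(),
}


def constant_propagation(code):
    """Execute the method with the values we know; when an invoke's result is a single
    known constant, replace the following move-result with a const-string."""
    regs = {}          # register -> constant value or UNKNOWN
    result = UNKNOWN   # value produced by the most recent invoke
    out = []
    for insn in code:
        op = insn[0]
        if op == "const-string":
            regs[insn[1]] = insn[2]
            out.append(insn)
        elif op == "invoke-static":
            args = [regs.get(r, UNKNOWN) for r in insn[1]]
            fn = PURE_METHODS.get(insn[2])
            # Only a pure method with fully known arguments yields a known result;
            # anything else is treated as unknown, which is what smalivm assumes too.
            known = fn is not None and all(a is not UNKNOWN for a in args)
            result = fn(*args) if known else UNKNOWN
            out.append(insn)
        elif op == "move-result":
            regs[insn[1]] = result
            out.append(("const-string", insn[1], result) if result is not UNKNOWN else insn)
        else:
            out.append(insn)
    return out


def dead_code_removal(code):
    """Backward liveness walk: drop assignments that are never read and pure calls whose
    result is never consumed. Calls not known to be pure are kept (side effects assumed)."""
    live = set()   # registers read by some later instruction
    kept = []      # collected in reverse order
    for insn in reversed(code):
        op = insn[0]
        if op in ("return", "return-object"):
            live.add(insn[1])
            kept.append(insn)
        elif op in ("const-string", "move-result"):
            if insn[1] in live:        # the assignment is read later: keep it
                live.discard(insn[1])
                kept.append(insn)
            # otherwise it is an unreferenced assignment and is dropped
        elif op == "invoke-static":
            consumed = bool(kept) and kept[-1][0] == "move-result"
            if insn[2] in PURE_METHODS and not consumed:
                continue               # pure call whose result is unused: dead
            live.update(insn[1])
            kept.append(insn)
        else:
            kept.append(insn)
    return list(reversed(kept))


def simplify(code, max_passes=100):
    """Apply both passes repeatedly until a fixpoint (the idea behind --max-passes)."""
    for _ in range(max_passes):
        new = dead_code_removal(constant_propagation(code))
        if new == code:
            break
        code = new
    return code


def to_smali(code):
    """Render instructions as smali-like text, as in the listings above."""
    lines = []
    for insn in code:
        op = insn[0]
        if op == "const-string":
            lines.append('const-string %s, "%s"' % (insn[1], insn[2]))
        elif op == "invoke-static":
            lines.append("invoke-static {%s}, %s" % (", ".join(insn[1]), insn[2]))
        elif op in ("move-result", "return", "return-object"):
            lines.append("%s %s" % (op, insn[1]))
        else:
            lines.append(op)
    return "\n".join(lines)


# Constructed input mirroring the listing above: an encrypted string is decrypted into v0.
ENCRYPTED = "VGVsbCBtZSBvZiB5b3VyIGhvbWV3b3JsZCwgVXN1bC4="
SAMPLE = [
    ("const-string", "v0", ENCRYPTED),
    ("invoke-static", ("v0",), "Lmy/string/Decryptor;->decrypt"),
    ("move-result", "v0"),
    ("return-object", "v0"),
]

# Same, but the decrypted value is then passed to a method we know nothing about
# (hypothetical Lmy/net/Beacon;->send): that call must survive, the decrypt call need not.
SAMPLE_WITH_SIDE_EFFECT = [
    ("const-string", "v0", ENCRYPTED),
    ("invoke-static", ("v0",), "Lmy/string/Decryptor;->decrypt"),
    ("move-result", "v0"),
    ("invoke-static", ("v0",), "Lmy/net/Beacon;->send"),
    ("return-void",),
]

if __name__ == "__main__":
    print(to_smali(simplify(SAMPLE)))
    print("---")
    print(to_smali(simplify(SAMPLE_WITH_SIDE_EFFECT)))
```

Running it reduces the first sample to the single const-string with the decrypted text followed by the return, exactly the end state of the walkthrough above; in the second sample the decrypt call and the encrypted constant disappear, but the unknown Beacon call stays because the pass cannot prove it has no side effects.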

Unreflection
One major challenge with static analysis of Java is reflection. It's just not possible to know what the arguments to reflection methods are without doing careful data flow analysis. There are smart, clever ways of doing this, but smalivm does it by just executing the code. When it finds a reflected method invocation such as:
invoke-virtual {v0, v1, v2}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
It can know the values of v0, v1, and v2. If it's sure what the values are, it can replace the call to Method.invoke() with an actual non-reflected method invocation. The same applies to reflected field and class lookups.

Peephole
For everything that doesn't fit cleanly into a particular category, there are peephole optimizations. These include removing useless check-cast ops, replacing Ljava/lang/String;-><init> calls with const-string, and so on.

Deobfuscation Example

Before Optimization
.method public static test1()I
.locals 2

new-instance v0, Ljava/lang/Integer;
const/4 v1, 0x1
invoke-direct {v0, v1}, Ljava/lang/Integer;-><init>(I)V

invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I
move-result v0

return v0
.end method
All this does is v0 = 1.

After Constant Propagation
.method public static test1()I
.locals 2

new-instance v0, Ljava/lang/Integer;
const/4 v1, 0x1
invoke-direct {v0, v1}, Ljava/lang/Integer;-><init>(I)V

invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I
const/4 v0, 0x1

return v0
.end method
The move-result v0 is replaced with const/4 v0, 0x1. This is because there is only one possible return value for intValue()I and the return type can be made a constant. The arguments v0 and v1 are unambiguous and do not change. That is to say, there's a consensus of values for every possible execution path at intValue()I. Other types of values that can be turned into constants:
  • numbers - const/4, const/16, etc.
  • strings - const-string
  • classes - const-class

After Dead Code Removal
.method public static test1()I
.locals 2

const/4 v0, 0x1

return v0
.end method
Because the code above const/4 v0, 0x1 does not affect state outside of the method (no side effects), it can be removed without changing behavior. If there were a method call that wrote something to the file system or network, it couldn't be removed because it affects state outside the method. Likewise, if test1()I took a mutable argument, such as a LinkedList, any instructions that accessed it couldn't be considered dead.
Other examples of dead code:
  • unreferenced assignments - assigning registers and not using them
  • unreached / unreachable instructions - if (false) { dead_code(); }

Further Reading


BoomER - Framework For Exploiting Local Vulnerabilities


BoomER is an open source framework developed in Python. The tool is focused on post-exploitation, with the main objective of detecting and exploiting local vulnerabilities and collecting information about a system, such as the applications installed on it.
The framework can be extended by third parties through the development of modules. Module developers must follow certain guidelines, among which the following stand out:
  • Type of inheritance
  • Methods or functions to be implemented
  • Required or new parameters
  • Module name
  • Location of the module within the framework

We wanted to give the tool a relationship with Metasploit, since it is the reference framework for pentesters, so from BoomER it is possible to open sessions in Metasploit.
BoomER is used from the command line, and its interface is very similar to the tools that currently exist for the detection and exploitation of vulnerabilities, which helps to reduce the learning curve.

An example for DLL injection:


Our own meterpreter (based on Metasploit):



WhatBreach - OSINT Tool To Find Breached Emails And Databases


WhatBreach is a tool to search for breached emails and their corresponding databases. It takes either a single email or a list of emails and searches for them using haveibeenpwned.com's API; from there (if there are any breaches) it searches for the query link on Dehashed pertaining to the database, and outputs all breaches along with all pastes that this email is included in (if any). If you are trying to find the database, passing a certain flag will also attempt to download freely available public databases from databases.today. If the query is found among the publicly listed databases it will download the database for you and save it into the project's home folder, located under ~/.whatbreach_home/downloads.

Examples
As an example we will use user@gmail.com as the example search:
(venv) admin@Hades:~/whatbreach$ python whatbreach.py -e "user@gmail.com"
[ i ] starting search on single email address: user@gmail.com
[ i ] searching breached accounts on HIBP related to: user@gmail.com
[ i ] searching for paste dumps on HIBP related to: user@gmail.com
[ i ] found a total of 67 database breach(es) and a total of 59 paste(s) pertaining to: user@gmail.com
------------------------------------------------------------------------------------
Breached Site: | Database Link:
Paste#26 | https://pastebin.com/b0zdYUzc
Paste#27 | https://pastebin.com/C6YUMUxk
Paste#24 | https://pastebin.com/JFvBG4HW
Paste#25 | https://pastebin.com/hi5yXRCn
Paste#22 | https://pastebin.com/mVrrDb9d
Paste#23 | https://pastebin.com/jBCPwT1e
Paste#20 | https://pastebin.com/uyG5ggf8
Paste#21 | https://pastebin.com/QrudBvXf
Paste#28 | https://pastebin.com/6fZtANAb
Paste#29 | https://pastebin.com/gffDmJ5X
... | ... # truncated to save space
Paste#13 | https://pastebin.com/RLVk8j3E
Paste#12 | https://pastebin.com/zaN47ZZJ
Paste#11 | https://pastebin.com/k193QzRG
Paste#10 | https://pastebin.com/Qhaf51b6
Paste#17 | http://siph0n.in/exploits.php?id=4440
Paste#16 | https://pastebin.com/j7YX2sJm
Paste#15 | https://pastebin.com/Sin9fR7f
Paste#14 | https://pastebin.com/jvSgnZkK
Paste#19 | https://pastebin.com/2rVemphh
VK | https://www.dehashed.com/search?query=VK
ArmyForceOnline | https://www.dehashed.com/search?query=ArmyForceOnline
Gawker | https://www.dehashed.com/search?query=Gawker
Paste#9 | http://www.pemiblanc.com/test.txt
Paste#8 | https://pastebin.com/EGS77pC4
Paste#7 | https://pastebin.com/pQdmx6mc
Paste#6 | https://pastebin.com/ZwUh4tcG
Paste#5 | https://pastebin.com/RkdC5arB
MySpace | https://www.dehashed.com/search?query=MySpace
Paste#3 | https://pastebin.com/GUV70Jqa
Paste#2 | https://pastebin.com/2eENex9n
Paste#1 | https://pastebin.com/rSd85uLK
Onverse | https://www.dehashed.com/search?query=Onverse
------------------------------------------------------------------------------------
You also have the option to suppress the discovered pastes:
(venv) admin@Hades:~/whatbreach$ python whatbreach.py -e "user@gmail.com" -nP
[ i ] starting search on single email address: user@gmail.com
[ i ] searching breached accounts on HIBP related to: user@gmail.com
[ i ] searching for paste dumps on HIBP related to: user@gmail.com
[ w ] suppressing discovered pastes
[ i ] found a total of 67 database breach(es) and a total of 0 paste(s) pertaining to: user@gmail.com
------------------------------------------------------------------------------------
Breached Site: | Database Link:
Dropbox | https://www.dehashed.com/search?query=Dropbox
Leet | https://www.dehashed.com/search?query=Leet
MySpace | https://www.dehashed.com/search?query=MySpace
MyHeritage | https://www.dehashed.com/search?query=MyHeritage
ArmyForceOnline | https://www.dehashed.com/search?query=ArmyForceOnline
17Media | https://www.dehashed.com/search?query=17Media
Xbox360ISO | https://www.dehashed.com/search?query=Xbox360ISO
LinkedIn | https://www.dehashed.com/search?query=LinkedIn
QuinStreet | https://www.dehashed.com/search?query=QuinStreet
Bookmate | https://www.dehashed.com/search?query=Bookmate
... | ... # truncated to save space
Dubsmash | https://www.dehashed.com/search?query=Dubsmash
MangaFox | https://www.dehashed.com/search?query=MangaFox
FashionFantasyGame | https://www.dehashed.com/search?query=FashionFantasyGame
Trillian | https://www.dehashed.com/search?query=Trillian
Disqus | https://www.dehashed.com/search?query=Disqus
NemoWeb | https://www.dehashed.com/search?query=NemoWeb
Gawker | https://www.dehashed.com/search?query=Gawker
CashCrate | https://www.dehashed.com/search?query=CashCrate
Tumblr | https://www.dehashed.com/search?query=Tumblr
PoliceOne | https://www.dehashed.com/search?query=PoliceOne
Onverse | https://www.dehashed.com/search?query=Onverse
Interpals | https://www.dehashed.com/search?query=Interpals
Seedpeer | https://www.dehashed.com/search?query=Seedpeer
HeroesOfNewerth | https://www.dehashed.com/search?query=HeroesOfNewerth
Bell2017 | https://www.dehashed.com/search?query=Bell2017
------------------------------------------------------------------------------------
As well as the discovered databases:
(venv) admin@Hades:~/whatbreach$ python whatbreach.py -e "user@gmail.com" -nD
[ i ] starting search on single email address: user@gmail.com
[ i ] searching breached accounts on HIBP related to: user@gmail.com
[ i ] searching for paste dumps on HIBP related to: user@gmail.com
[ i ] found a total of 67 database breach(es) and a total of 59 paste(s) pertaining to: user@gmail.com
[ w ] suppressing discovered databases
-----------------------------------------------------------------------
Breached Site: | Database Link:
Paste#26 | https://pastebin.com/b0zdYUzc
Paste#27 | https://pastebin.com/C6YUMUxk
Paste#24 | https://pastebin.com/JFvBG4HW
Paste#25 | https://pastebin.com/hi5yXRCn
Paste#22 | https://pastebin.com/mVrrDb9d
Paste#23 | https://pastebin.com/jBCPwT1e
... | ... # truncated to save space
Paste#9 | http://www.pemiblanc.com/test.txt
Paste#8 | https://pastebin.com/EGS77pC4
Paste#7 | https://pastebin.com/pQdmx6mc
Paste#6 | https://pastebin.com/ZwUh4tcG
Paste#5 | https://pastebin.com/RkdC5arB
Paste#4 | https://pastebin.com/4qH2fRMc
Paste#3 | https://pastebin.com/GUV70Jqa
Paste#2 | https://pastebin.com/2eENex9n
Paste#1 | https://pastebin.com/rSd85uLK
Paste#52 | https://pastebin.com/ffkjfRrY
Paste#48 | http://balockae.online/files/Lizard Stresser.txt
Paste#49 | https://pastebin.com/bUq60ZKA
Paste#44 | http://siph0n.in/exploits.php?id=3667
Paste#45 | https://pastebin.com/MAFfXwGA
Paste#46 | http://pxahb.xyz/emailpass/www.chocolate.at.txt
Paste#47 | https://pastebin.com/zchq7iQS
Paste#40 | https://pastebin.com/sj9eyM5w
Paste#41 | https://pastebin.com/wY9ghBM9
Paste#42 | https://pred.me/gmail.html
Paste#43 | https://pastebin.com/AnTUDMtj
-----------------------------------------------------------------------
I have also implemented the ability to search through a list of email addresses and check for the possibility of the email being a "Ten minute email". It will prompt you to continue if the email is found, since the possibility of using this email is next to none:
(venv) admin@Hades:~/whatbreach$ python whatbreach.py -l test.txt -cT
[ i ] parsing email file: test.txt
[ i ] starting search on a total of 3 email(s)
[ i ] searching breached accounts on HIBP related to: user@gmail.com
[ i ] searching for paste dumps on HIBP related to: user@gmail.com
[ i ] found a total of 67 database breach(es) and a total of 59 paste(s) pertaining to: user@gmail.com
------------------------------------------------------------------------------------
Breached Site: | Database Link:
Paste#26 | https://pastebin.com/b0zdYUzc
Paste#27 | https://pastebin.com/C6YUMUxk
Paste#24 | https://pastebin.com/JFvBG4HW
Paste#25 | https://pastebin.com/hi5yXRCn
Paste#22 | https://pastebin.com/mVrrDb9d
Paste#23 | https://pastebin.com/jBCPwT1e
Paste#20 | https://pastebin.com/uyG5ggf8
Paste#21 | https://pastebin.com/QrudBvXf
R2Games | https://www.dehashed.com/search?query=R2Games
NemoWeb | https://www.dehashed.com/search?query=NemoWeb
Disqus | https://www.dehashed.com/search?query=Disqus
Adobe | https://www.dehashed.com/search?query=Adobe
... | ... # truncated to save space
Paste#15 | https://pastebin.com/Sin9fR7f
Paste#14 | https://pastebin.com/jvSgnZkK
Paste#19 | https://pastebin.com/2rVemphh
VK | https://www.dehashed.com/search?query=VK
ArmyForceOnline | https://www.dehashed.com/search?query=ArmyForceOnline
Gawker | https://www.dehashed.com/search?query=Gawker
Paste#9 | http://www.pemiblanc.com/test.txt
Paste#8 | https://pastebin.com/EGS77pC4
Paste#7 | https://pastebin.com/pQdmx6mc
Paste#6 | https://pastebin.com/ZwUh4tcG
Paste#5 | https://pastebin.com/RkdC5arB
MySpace | https://www.dehashed.com/search?query=MySpace
Paste#3 | https://pastebin.com/GUV70Jqa
Paste#2 | https://pastebin.com/2eENex9n
Paste#1 | https://pastebin.com/rSd85uLK
Onverse | https://www.dehashed.com/search?query=Onverse
------------------------------------------------------------------------------------
[ w ] email: user@0815.ru0clickemail.com appears to be a ten minute email
[ ? ] would you like to process the email[y/N]: n
[ i ] searching breached accounts on HIBP related to: someuser@gmail.com
[ i ] searching for paste dumps on HIBP related to: someuser@gmail.com
[ i ] found a total of 6 database breach(es) and a total of 4 paste(s) pertaining to: someuser@gmail.com
----------------------------------------------------------------------------
Breached Site: | Database Link:
Adobe | https://www.dehashed.com/search?query=Adobe
Paste#4 | http://xn--e1alhsoq4c.xn--p1ai/base/Gmail.txt
Paste#3 | https://pastebin.com/GUV70Jqa
Paste#2 | https://pred.me/gmail.html
Paste#1 | https://pastebin.com/VVgL8Fzp
NemoWeb | https://www.dehashed.com/search?query=NemoWeb
----------------------------------------------------------------------------
The program is pretty straightforward, but for simplicity I have provided the acceptable arguments below:
(venv) admin@Hades:~/whatbreach$ python whatbreach.py --help
usage: whatbreach.py [-h] [-e EMAIL] [-l PATH] [-nD] [-nP] [-cT] [-d]

optional arguments:
-h, --help show this help message and exit

mandatory opts:
-e EMAIL, --email EMAIL
Pass a single email to scan for
-l PATH, -f PATH, --list PATH, --file PATH
Pass a file containing emails one per line to scan

search opts:
-nD, --no-dehashed Suppres dehashed output
-nP, --no-pastebin Suppress Pastebin output

misc opts:
-cT, --check-ten-minute
Check if the provided email address is a ten minute
email or not
-d, --download Attempt to download the database if there is one
available

Installation
Installing is extremely easy: just run pip install -r requirements.txt


BlueGhost - A Network Tool Designed To Assist Blue Teams In Banning Attackers From Linux Servers


This tool utilizes various Linux network tools and bash scripting to assist blue teams in defending Debian- and Ubuntu-based servers from malicious attackers.
  • Scan/Ban shows connected IPs, scans IP addresses for open ports using nmap and performs whois lookups to gather information on connected IPs, shows activity on the system, checks abuseipdb.com for reports, and offers a ban function to block unwanted IPs using iptables.

  • UbanAnAddress A function to unban IPs.
  • ListAllBanned A function to list all banned IPs.
  • TraceRoute A function to perform traceroutes on IPs.

Installation
Enter this one-liner command in the terminal to install:
sudo git clone https://github.com/d4rk007/BlueGhost; cd BlueGhost; source install.sh; cd;


Vxscan - Comprehensive Scanning Tool


Vxscan is a comprehensive Python3 scanning tool, mainly used for sensitive file detection (directory scanning and discovery of interfaces leaked in JS files), WAF/CDN identification, port scanning, fingerprint/service identification, operating system identification, weak password detection, POC scanning, SQL injection, CDN bypass (finding the real IP), and side-site lookup (other websites on the same host).

Update
2019.6.18
Fixed fingerprint recognition errors on IIS websites; modified apps.json
Removed some third-party libraries and scripts that are prone to errors
If the scan finishes in a flash, it is because the program first checks DNS resolution and ping reachability.
The first time you use Vxscan, fake_useragent will load the ua list of https://fake-useragent.herokuapp.com/browsers/0.1.11 here, and a load timeout error may occur.

Requirements
Python version > 3.6
requests
tqdm
pyfiglet
fake-useragent
beautifulsoup4
geoip2
tldextract
python-nmap
lxml
pymongo
virustotal_python
apt install libpq-dev nmap
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
After decompressing, put GeoLite2-City.mmdb inside to vxscan/db/GeoLite2-City.mmdb
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
After decompressing, put the GeoLite2-ASN.mmdb inside to vxscan/db/GeoLite2-ASN.mmdb
pip3 install -r requirements.txt

Features
Generates the dictionary list using a Cartesian product; custom dictionary lists are supported
Random User-Agent, X-Forwarded-For and X-Real-IP headers
Custom 404 page recognition: requests random pages and compares their similarity with difflib, which also identifies custom 302 redirects
When scanning directories, first detects the HTTP ports and adds all of a host's HTTP ports to the scan targets
Filters responses with an invalid Content-Type or an invalid status code
WAF/CDN detection
Uses sockets to probe common ports and sends different payloads to fingerprint the services behind them
Hosts on which every port appears open (portspoof) are skipped automatically
Uses wappalyzer.json and WebEye to determine the website fingerprint
Websites detected as behind a CDN or WAF are skipped automatically
Calls nmap to identify the operating system fingerprint
Calls weak password detection scripts based on the open ports (FTP/SSH/TELNET/MySQL/MSSQL...)
Calls POC scans based on fingerprint identification or open ports, or against the IP's open web ports
Analyzes sensitive asset information (domain names, mailboxes, API keys, passwords, etc.) in JS files
Crawls website links and tests for SQL injection, LFI, etc.
Calls some online services to obtain information, such as VirusTotal and www.yougetsignal.com: determines the real IP through VT passive DNS, and looks up side sites via www.yougetsignal.com and api.hackertarget.com
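The custom 404 recognition in the feature list is worth spelling out, because a site that answers every unknown path with HTTP 200 would otherwise turn every wordlist entry into a false "hit". The following is an added example, not Vxscan's code: it assumes a constructed site where only /admin/ exists and every other path returns a catch-all "not found" page with status 200, with fetch() standing in for an HTTP GET. The scanner first samples the site's behaviour on random paths, then counts a response as real only if it is 2xx and dissimilar (difflib ratio below a threshold) to every sampled body. Returning 200 for everything therefore does not hide content; it only changes how a scanner has to filter.

```python
import difflib
import secrets
import string

# Constructed responses standing in for what a scanner would fetch (added example,
# not Vxscan's code). The soft-404 page is what this site returns, with HTTP 200,
# for any path that does not exist.
SOFT_404_TEMPLATE = (
    "<html><head><title>Oops</title></head><body>"
    "<nav><a href='/'>Home</a> <a href='/about'>About</a> <a href='/contact'>Contact</a></nav>"
    "<h1>Page not found</h1><p>Sorry, the page {path} does not exist on this server.</p>"
    "<footer>Copyright example.test</footer></body></html>"
)
ADMIN_PAGE = (
    "<html><head><title>Admin</title></head><body>"
    "<h1>Administration</h1><form action='/admin/login' method='post'>"
    "<input name='user'><input name='pass' type='password'><button>Login</button>"
    "</form></body></html>"
)
SITE = {"/admin/": (200, ADMIN_PAGE)}   # the only path that really exists


def fetch(path):
    """Stand-in for an HTTP GET: known paths get their page, everything else the soft 404."""
    if path in SITE:
        return SITE[path]
    return 200, SOFT_404_TEMPLATE.format(path=path)


def random_path(length=12):
    """A path that is almost certainly absent, used to sample the 'not found' behaviour."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(secrets.choice(alphabet) for _ in range(length))


def similarity(a, b):
    """difflib ratio in [0, 1]; autojunk is off so long bodies are compared in full."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def not_found_baselines(fetch, samples=2):
    """Bodies returned for random paths. A site with a genuine 404 would answer 4xx;
    a soft-404 site answers 200 with near-identical bodies, which is what we detect."""
    return [fetch(random_path())[1] for _ in range(samples)]


def is_real_hit(fetch, path, baselines, threshold=0.9):
    """A path counts as found only if it is 2xx AND unlike every sampled not-found body."""
    status, body = fetch(path)
    if not 200 <= status < 300:
        return False
    return all(similarity(body, base) < threshold for base in baselines)


if __name__ == "__main__":
    baselines = not_found_baselines(fetch)
    for candidate in ("/admin/", "/backup.zip", "/.git/config"):
        print(candidate, "->", "hit" if is_real_hit(fetch, candidate, baselines) else "soft 404")
```

The random sample is taken more than once so that a page which embeds the requested path (as this template does) still scores as self-similar; the two baselines differ only in the random path, so their ratio stays well above the threshold, while the genuinely different admin page falls far below it.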

Usage
python3 Vxscan.py -h
optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Start scanning this url -u xxx.com
-i INET, --inet INET cidr eg. 1.1.1.1 or 1.1.1.0/24
-f FILE, --file FILE read the url from the file
-t THREADS, --threads THREADS
Set scan thread, default 150
-e EXT, --ext EXT Set scan suffix, -e php,asp
-w WORD, --word WORD Read the dict from the file
1. Scan a website
python3 vxscan.py -u http://www.xxx.com/
2. Scan a website from a file list
python3 vxscan.py -f hosts.txt
3. Scan a CIDR range, e.g. 1.1.1.1 or 1.1.1.0/24
python3 vxscan.py -i 127.0.0.0/24
4. Set thread 100, combine only php suffix, use custom dictionary
python3 vxscan.py -u http://www.xxx.com -e php -t 100 -w ../dict.txt

Structure
/
├─Vxscan.py main file
├─db
│ ├─apps.json Web fingerprint information
│ ├─apps.txt Web fingerprint information (WEBEYE)
│ ├─password.txt password
├─report Report directory
├─lib
│ ├─common.py Determine CDN, port scan, POC scan, etc.
│ ├─color.py Terminal color output
│ ├─active.py Judge dns parsing and ping ip survival
│ ├─save_html.py Generate html report
│ ├─waf.py waf rules
│ ├─osdetect.py Operating system version identification
│ ├─random_header.py random header
│ ├─scan_port.py PortScan
│ ├─jsparse.py Grab the website js connection, analyze ip address, link, email, etc.
│ ├─settings.py Setting
│ ├─pyh.py Generate html
│ ├─wappalyzer.py Fingerprint recognition script
│ ├─sql_injection.py Grab the website connection and test the SQL injection script
├─script
│ ├─Poc.py Poc script
│ ├─......
├─requirements.txt
├─logo.jpg
├─error.log

Waf/CDN list
360
360wzws
Anquanbao
Armor
BaiduYunjiasu
AWS WAF
AdNovum
Airee CDN
Art of Defence HyperGuard
ArvanCloud
Barracuda NG
Beluga CDN
BinarySEC
BlockDoS
Bluedon IST
CacheFly CDN
ChinaCache CDN
Cisco ACE XML Gateway
CloudFlare CDN
Cloudfront CDN
Comodo
CompState
DenyALL WAF
DenyAll
Distil Firewall
DoSArrest Internet Security
F5 BIG-IP APM
F5 BIG-IP ASM
F5-TrafficShield
Fastly CDN
FortiWeb
FortiWeb Firewall
GoDaddy
GreyWizard Firewall
HuaweiCloudWAF
HyperGuard Firewall
IBM DataPower
ISAServer
Immunify360
Imperva SecureSphere
Incapsula CDN
Jiasule
KONA
KeyCDN
ModSecurity
NGENIX CDN
NSFOCUS
Naxsi
NetContinuum
NetContinuum WAF
Neusoft SEnginx
Newdefend
Palo Alto Firewall
PerimeterX Firewall
PowerCDN
Profense
Qiniu CDN
Reblaze Firewall
SDWAF
Safe3
Safedog
SiteLock TrueShield
SonicWALL
SonicWall
Sophos UTM Firewall
Stingray
Sucuri
Teros WAF
Usp-Sec
Varnish
Wallarm
WatchGuard
WebKnight
West263CDN
Yundun
Yunsuo
ZenEdge Firewall
aesecure
aliyun
azion CDN
cloudflare CDN
dotDefender
limelight CDN
maxcdn CDN
mod_security
yunsuo

Output
The following is the result of a test scan against the AWVS test website (testphp.vulnweb.com):



[
{
"testphp.vulnweb.com": {
"WAF": "NoWAF",
"Webinfo": {
"apps": [
"Nginx",
"PHP",
"DreamWeaver",
"php"
],
"title": "Home of Acunetix Art",
"server": "nginx/1.4.1",
"pdns": [
"176.28.50.165 : 2019-06-09 02:05:52"
],
"reverseip": [
"176.28.50.165",
"rs202995.rs.hosteurope.de",
"testhtml5.vulnweb.com",
"testphp.ingensec.ch",
"testphp.ingensec.com",
"testphp.ingensec.fr",
"testphp.vulnweb.com",
"vulnweb.com",
"www.vulnweb.com"
]
},
"Ports": [
"IMAPS:993",
"ssh:22",
"imap:143",
"http:80",
"Unknown:8880",
"pop:110",
"POP3:995",
"smtp:25",
"Unknown:8443",
"SMTPS:465",
"DNS:53",
"ftp:21"
],
"Ipaddr": "176.28.50.165",
"Address": "德国 ",
"Vuln": [
"http://testphp.vulnweb.com | Home of Acunetix Art",
"MySQL SQLi:http://testphp.vulnweb.com/search.php?test=query",
"MySQL SQLi:http://testphp.vulnweb.com/artists.php?artist=1",
"MySQL SQLi:http://testphp.vulnweb.com/listproducts.php?cat=2"
],
"URLS": [
{
"rsp_code": 200,
"rsp_len": 12473,
"title": "None",
"contype": "xml",
"url": "/.idea/workspace.xml"
},
{
"rsp_code": 200,
"rsp_len": 1,
"title": "None",
"contype": "plain",
"url": "/CVS/Root"
},
{
"rsp_code": 200,
"rsp_len": 4732,
"title": "search",
"contype": "html",
"url": "/search.php"
},
{
"rsp_code": 200,
"rsp_len": 1,
"title": "None",
"contype": "plain",
"url": "/CVS/Entries"
},
{
"rsp_code": 200,
"rsp_len": 3265,
"title": "Home of WASP Art",
"contype": "plain",
"url": "/index.bak"
},
{
"rsp_code": 200,
"rsp_len": 143,
"title": "None",
"contype": "xml",
"url": "/.idea/scopes/scope_settings.xml"
},
{
"rsp_code": 200,
"rsp_len": 3265,
"title": "Home of WASP Art",
"contype": "zip",
"url": "/index.zip"
},
{
"rsp_code": 200,
"rsp_len": 275,
"title": "None",
"contype": "xml",
"url": "/.idea/modules.xml"
},
{
"rsp_code": 200,
"rsp_len": 5523,
"title": "login page",
"contype": "html",
"url": "/login.php"
},
{
"rsp_code": 200,
"rsp_len": 278,
"title": "Index of /admin/",
"contype": "html",
"url": "/admin/"
},
{
"rsp_code": 200,
"rsp_len": 224,
"title": "None",
"contype": "xml",
"url": "/crossdomain.xml"
},
{
"rsp_code": 302,
"rsp_len": 14,
"title": "None",
"contype": "html",
"url": "/userinfo.php"
},
{
"rsp_code": 200,
"rsp_len": 6,
"title": "None",
"contype": "plain",
"url": "/.idea/.name"
},
{
"rsp_code": 200,
"rsp_len": 4958,
"title": "Home of Acunetix Art",
"contype": "html",
"url": "/index.php"
}
]
}
}
]

Note
Design ideas referenced from cnnetarmy's Srchunter
Weak password module referenced from brut3k1t:
https://github.com/ex0dus-0x/brut3k1t
Fingerprint recognition mainly calls Wappalyzer and WebEye:
https://github.com/b4ubles/python3-Wappalyzer
https://github.com/zerokeeper/WebEye
POCs referenced from:
BBScan scanner https://github.com/lijiejie/BBScan
POC-T https://github.com/Xyntax/POC-T/tree/2.0/script
Perun https://github.com/WyAtu/Perun
Port scanning and service detection referenced from AnthraX1's InsightScan:
https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py
SQL injection crawler referenced from:
DSSS https://github.com/stamparm/DSSS
JS sensitive-information regex extraction referenced from:
https://github.com/nsonaniya2010/SubDomainizer
WAF detection uses the wafw00f and WhatWaf rule sets:
https://github.com/EnableSecurity/wafw00f
https://github.com/Ekultek/WhatWaf


RedGhost - Linux Post Exploitation Framework Designed To Gain Persistence And Reconnaissance And Leave No Trace


Linux post exploitation framework designed to assist red teams in gaining persistence, reconnaissance and leaving no trace.
  • Payloads: function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl
  • Crontab: function to create a cron job that downloads and runs the payload every minute for persistence
  • Clearlogs: function to clear logs and make forensic investigation difficult
  • MassInfoGrab: function to grab mass information on the system
  • BanIp: function to ban an IP


One-Lin3r v2.0 - Gives You One-Liners That Aids In Penetration Testing Operations, Privilege Escalation And More


One-Lin3r is a simple, modular and light-weight framework that gives you all the one-liners you will need while penetration testing (Windows, Linux, macOS or even BSD systems) or hacking generally, with a lot of new features to make all of this fully automated (e.g. you won't even need to copy the one-liners).

Screenshots




It consists of various one-liner types with various functions, some of which are:

One-liner function    What this function refers to
------------------    ----------------------------
Reverse Shell         Various methods and commands to give you a reverse shell.
PrivEsc               Many commands to help in enumeration and privilege escalation.
Bind Shell            Various methods and commands to give you a bind shell.
Dropper               Many ways to download and execute various payload types with various methods.

Features
  • A lot of liners for different purposes; currently there are more than 155 liners.
  • The auto-complete feature implemented in this framework is not the usual one you always see; here are some highlights:
    • It's designed to fix typos in typed commands to the most similar command with just one tab click, so seach becomes search and so on, even if you typed any random word similar to a command in this framework.
    • For you lazy ones out there like me, it can predict which liner you are trying to use by typing any part of it. For example, if you typed use capabilities and pressed tab, it would be replaced with use linux/bash/list_all_capabilities and so on. I can see your smile, you are welcome!
    • If you typed a wrong command and then pressed enter, the framework will tell you the nearest command to what you typed, which could be the one you really wanted.
    • Some less impressive things like auto-complete for variables after the set command, auto-complete for liners after the use and info commands, and finally it converts all uppercase to lowercase automatically just in case you switched cases by mistake while typing.
    • Finally, you'll find the normal auto-completion things you were using before, like command auto-completion and persistent history, etc.
  • Automation
    • You can automatically copy the liner you want to the clipboard with the command copy <liner> instead of using use <liner> and then copying it, which saves a lot of time, of course, if you merge it with the following features.
    • As you may have noticed, you can use a resource file from command-line arguments before starting the framework itself, or send commands directly.
    • Inside the framework you can use the makerc command like in Metasploit, but this time it only saves the correct, important commands.
    • There are history and resource commands so you don't need to exit the framework.
    • You can execute as many commands as you want at the same time by separating them with a semicolon.
    • Searching for any liner here is easy: you can search for a liner by its name, function or even the liner author's name.
  • You can add your own liners by following these steps to create a liner as a Python file. After that you can make a pull request with it; it will then be added to the framework and credited with your name, of course.
  • The ability to reload the database if you added any liner, without restarting the framework.
  • You can add any platform to the liners database just by making a folder in the liners folder and creating a ".liner" file there.
  • More...
Note: The liners database is not too big but it will get bigger with updates and contributions.

Usage

Command-line arguments
usage: one-lin3r [-h] [-r R] [-x X] [-q]

optional arguments:
-h, --help show this help message and exit
-r Execute a resource file (history file).
-x Execute a specific command (use ; for multiples).
-q Quiet mode (no banner).

Framework commands
Command                  Description
-----------------------  -----------
help/?                   Show this help menu.
list/show                List all one-liners in the database.
search [Keywords..]      Search database for a specific liner by its name, author name or description.
use <liner>              Use an available one-liner.
copy <liner>             Use an available one-liner and copy it to clipboard automatically.
info <liner>             Get information about an available liner.
set <variable> <value>   Sets a context-specific variable to a value to use while using one-liners.
variables                Prints all previously specified variables.
banner                   Display banner.
reload/refresh           Reload the liners database.
check                    Prints the core version and checks if you are up-to-date.
history                  Display command-line most important history from the beginning.
makerc                   Save command-line history to a file.
resource <file>          Run the commands stored in a file.
os <command>             Execute a system command without closing the framework.
exit/quit                Exit the framework.

Prerequisites before installing
  • Python 3.x.
  • Any OS; it should work on all, but it has been tested on Kali 2018+, Ubuntu 18+, Windows 10, Android with Termux and macOS 10.11.

Installing and running
  • Using pip (The best way to install on any OS):
pip install one-lin3r
one-lin3r -h
  • Installing it from GitHub:
    • For Windows (after downloading the ZIP and unzipping it):
    python -m pip install ./One-Lin3r-master
    one-lin3r -h
    • For Linux :
    git clone https://github.com/D4Vinci/One-Lin3r.git
    apt install libncurses5-dev
    pip3 install ./One-Lin3r
    one-lin3r -h

Updating the framework or the database
  • If you installed it from pip do:
pip install one-lin3r --upgrade
  • If you installed it from github do:
    • On Linux while outside the directory
    cd One-Lin3r && git pull && cd ..
    pip3 install ./One-Lin3r --upgrade
    • On Windows if you don't have git installed, redownload the framework zipped!
Note: As the liners are written as Python modules, they are considered part of the framework, so every time a new liner is added the framework version is updated.

Contact

Credits and references



Tourmaline - Telegram Bot Framework For Crystal


Telegram Bot (and hopefully soon Client) API framework for Crystal. Based heavily on Telegraf, this Crystal implementation allows your Telegram bot to be written in a language that's both beautiful and fast. Benchmarks coming soon.
If you want to extend your bot by using NLP, see my other library Cadmium.

Installation
Add this to your application's shard.yml:
dependencies:
tourmaline:
github: watzon/tourmaline
version: ~> 0.7.0

Usage

Basic usage
require "tourmaline/bot"

alias TGBot = Tourmaline::Bot

bot = TGBot::Client.new(ENV["API_KEY"])

bot.command(["start", "help"]) do |message|
text = "Echo bot is a sample bot created with the Tourmaline bot framework."
bot.send_message(message.chat.id, text)
end

bot.command("echo") do |message, params|
text = params.join(" ")
bot.send_message(message.chat.id, text)
end

bot.poll

Listening for events
Tourmaline has a number of events that you can listen for (the same events as Telegraf, actually). The full list of events can be found in the documentation.
bot.on(:text) do |update|
text = update.message.not_nil!.text.not_nil!
puts "TEXT: #{text}"
end

Adding middleware
Middleware can be created by extending the Tourmaline::Bot::Middleware class. All middleware classes need to have a call(update : Update) method. The middleware will be called on every update.
class MyMiddleware < TGBot::Middleware

# All middleware include a reference to the parent bot.
# @bot : Tourmaline::Bot::Client

def call(update : Update)
if message = update.message
if user = message.from_user
if text = message.text
puts "#{user.first_name}: #{text}"
end
end
end
end

end

bot.use MyMiddleware

Webhooks
Using webhooks is easy, even locally if you use the ngrok.cr package.
# bot.poll

bot.set_webhook("https://example.com/bots/my_tg_bot")
bot.serve("0.0.0.0", 3400)

# or with ngrok.cr

require "ngrok"

Ngrok.start({ addr: "127.0.0.1:3400" }) do |ngrok|
bot.set_webhook(ngrok.ngrok_url_https)
bot.serve("127.0.0.1", 3400)
end

Payments
You can now accept payments with your Tourmaline app! First make sure you follow the setup instructions here so that your bot is prepared to handle payments. Then just use the send_invoice, answer_shipping_query, and answer_pre_checkout_query methods to send invoices and accept payments.
bot.command("buy") do |message, params|
bot.send_invoice(
message.chat.id,
"Sample Invoice",
"This is a test...",
"123344232323",
"YOUR_PROVIDER_TOKEN",
"test1",
"USD",
bot.labeled_prices([{label: "Sample", amount: 299}, {label: "Another", amount: 369}]).to_json
)
end

Games
Ability to create and run games with your Tourmaline Bot is a recent feature that hasn't been tested yet. Please use the issue tracker if you experience problems.

Kemal Middleware
Tourmaline provides middleware for Kemal, just in case you want to use Kemal as the server.
require "kemal"
require "tourmaline/kemal/tourmaline_handler"

require "./your_bot"

add_handler Kemal::TourmalineHandler.new(
bot: YourBot.new,
url: "https://something.com",
path: "/bot-webhook/#{ENV["TGBOT_API_KEY"]}"
)

Kemal.run
Note: Telegram won't send webhook requests to non-ssl domains. This means that you need to be running your kemal server with ssl enabled. For local development this can be a pain, but it is made much easier with ngrok.cr.

Development
This currently supports the following features:
  • Bot API
    • Implementation examples
    • Easy command syntax
    • Robust middleware system
    • Standard API queries
    • Stickers
    • Inline mode
    • Long polling
    • Webhooks
    • Payments
    • Games
  • Client API (in development)
If you want a new feature feel free to submit an issue or open a pull request.

Contributing
  1. Fork it ( https://github.com/watzon/tourmaline/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

Contributors
  • watzon Chris Watson - creator, maintainer


VulnX v1.7 - An Intelligent Bot Auto Shell Injector That Detect Vulnerabilities In Multiple Types Of CMS



Vulnx is an intelligent bot auto shell injector that detects vulnerabilities in multiple types of CMS, with fast CMS detection, information gathering and vulnerability scanning of the target (subdomains, IP addresses, country, org, timezone, region, and more).
Instead of injecting each and every shell manually like all the other tools do, VulnX analyses the target website, checking for the presence of the vulnerability; if present, the shell is injected. It also searches for URLs with dorks.

Features
  • Detect CMS (WordPress, Joomla, PrestaShop, Drupal, OpenCart, Magento, Lokomedia)
  • Target information gathering
  • Target subdomain gathering
  • Multi-threading on demand
  • Checks for vulnerabilities
  • Auto shell injector
  • Exploit dork searcher
  • High-level port scan
  • DNS server dump
  • Input multiple targets to scan
  • Dork listing by name and by exploit name
  • Export multiple targets from dorks into a logfile

DNS-Map-Results
To do this, run a scan with the --dns flag and -d for subdomains. To generate a map of isetso.rnu.tn, you can run the command vulnx -u isetso.rnu.tn --dns -d --output $PATH in a new terminal.
$PATH: where the graph results will be stored.


This generates an image displaying the target's subdomains, MX and DNS data.


Exploits


Joomla

Wordpress

Drupal

PrestaShop

Opencart

Available command line options
READ VULNX WIKI
usage: vulnx [options]

-u --url url target
-D --dorks search webs with dorks
-o --output specify output directory
-t --timeout http requests timeout
-c --cms-info search cms info[themes,plugins,user,version..]
-e --exploit searching vulnerability & run exploits
-w --web-info web informations gathering
-d --domain-info subdomains informations gathering
-l, --dork-list list names of dorks exploits
-n, --number-page number page of search engine(Google)
-p, --ports ports to scan
-i, --input specify domains to scan from an input file
--threads number of threads
--dns dns informations gathering

Docker
VulnX in Docker!
$ git clone https://github.com/anouarbensaad/VulnX.git
$ cd VulnX
$ docker build -t vulnx ./docker/
$ docker run -it --name vulnx vulnx:latest -u http://exemple.com
This runs the vulnx container in interactive mode.


To view logfiles, mount them in a volume like so:
$ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://exemple.com
To change the mounting directory:
VOLUME [ "$PATH" ]

Install vulnx on Ubuntu
$ git clone https://github.com/anouarbensaad/vulnx.git
$ cd VulnX
$ chmod +x install.sh
$ ./install.sh
Now run vulnx

Install vulnx on Termux
$ pkg update
$ pkg install -y git
$ git clone http://github.com/anouarbensaad/vulnx
$ cd vulnx
$ chmod +x install.sh
$ ./install.sh


Example command with options: timeout=3, cms-gathering=all, -d (subdomain gathering), run --exploit
vulnx -u http://example.com --timeout 3 -c all -d -w --exploit

Example commands for searching dorks (-D or --dorks, -l or --dork-list):
vulnx --dork-list returns a table of exploit names; vulnx -D blaze returns URLs found with the blaze dork.


Cryptr - A Simple Shell Utility For Encrypting And Decrypting Files Using OpenSSL


A simple shell utility for encrypting and decrypting files using OpenSSL.

Installation
git clone https://github.com/nodesocket/cryptr.git
ln -s "$PWD"/cryptr/cryptr.bash /usr/local/bin/cryptr

Bash tab completion
Add tools/cryptr-bash-completion.bash to your tab completion file directory.

API/Commands

encrypt
encrypt <file> - Encrypts file with OpenSSL AES-256 cipher block chaining. Writes an encrypted file out (ciphertext) appending .aes extension.
➜ cryptr encrypt ./secret-file
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
➜ ls -alh
-rw-r--r-- 1 user group 1.0G Oct 1 13:33 secret-file
-rw-r--r-- 1 user group 1.0G Oct 1 13:34 secret-file.aes
You may optionally define the password to use when encrypting using the CRYPTR_PASSWORD environment variable. This enables non-interactive/batch operations.
➜ CRYPTR_PASSWORD=A1EO7S9SsQYcPChOr47n cryptr encrypt ./secret-file

decrypt
decrypt <file.aes> - Decrypt encrypted file using OpenSSL AES-256 cipher block chaining. Writes a decrypted file out (plaintext) removing .aes extension.
➜ ls -alh
-rw-r--r-- 1 user group 1.0G Oct 1 13:34 secret-file.aes
➜ cryptr decrypt ./secret-file.aes
enter aes-256-cbc decryption password:
➜ ls -alh
-rw-r--r-- 1 user group 1.0G Oct 1 13:35 secret-file
-rw-r--r-- 1 user group 1.0G Oct 1 13:34 secret-file.aes
You may optionally define the password to use when decrypting using the CRYPTR_PASSWORD environment variable. This enables non-interactive/batch operations.
➜ CRYPTR_PASSWORD=A1EO7S9SsQYcPChOr47n cryptr decrypt ./secret-file.aes
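The encrypt and decrypt sections above describe the two operations but not how the OpenSSL call behind them is made. Below is an added example in Python, not cryptr's own script, of the same workflow: AES-256-CBC through `openssl enc`, with the passphrase handed over via the CRYPTR_PASSWORD environment variable (`-pass env:`) so it never appears on the command line, a random salt, and PBKDF2 key derivation. The use of `-pbkdf2` and the iteration count are my assumptions, not something the page states about cryptr; the round-trip helper works on a constructed temporary file, and OpenSSL 1.1.1 or later must be on PATH.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Assumption: cryptr's own KDF settings are not on the page; PBKDF2 with a
# high iteration count is the safe default for a password-derived key.
PBKDF2_ITERATIONS = 200_000


def _openssl(args, password):
    """Run `openssl enc` with the passphrase passed through the environment.

    `-pass env:CRYPTR_PASSWORD` keeps the secret out of argv, where any local
    user could read it from the process table.
    """
    env = dict(os.environ, CRYPTR_PASSWORD=password)
    cmd = ["openssl", "enc", "-aes-256-cbc", "-salt", "-pbkdf2",
           "-iter", str(PBKDF2_ITERATIONS), "-pass", "env:CRYPTR_PASSWORD"] + args
    return subprocess.run(cmd, env=env, capture_output=True)


def encrypt_file(path, password):
    """Encrypt `path` to `path + '.aes'` and return the ciphertext path."""
    src = Path(path)
    dst = src.with_name(src.name + ".aes")
    result = _openssl(["-in", str(src), "-out", str(dst)], password)
    if result.returncode != 0:
        raise RuntimeError(result.stderr.decode(errors="replace"))
    return dst


def decrypt_file(path, password):
    """Decrypt a `.aes` file to the name without the suffix.

    Returns the plaintext path, or None when OpenSSL rejects the result
    (wrong passphrase or corrupted ciphertext shows up as a padding error).
    """
    src = Path(path)
    if src.suffix != ".aes":
        raise ValueError("expected a .aes file")
    dst = src.with_suffix("")
    result = _openssl(["-d", "-in", str(src), "-out", str(dst)], password)
    if result.returncode != 0:
        dst.unlink(missing_ok=True)  # never leave a partial/garbage plaintext behind
        return None
    return dst


def is_openssl_salted(path):
    """OpenSSL's enc format begins with the 8-byte magic 'Salted__' followed by the salt."""
    with open(path, "rb") as f:
        return f.read(8) == b"Salted__"


def roundtrip_demo(plaintext=b"constructed sample secret\n", password="example-passphrase"):
    """Encrypt then decrypt a constructed file in a temp dir; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "secret-file"
        src.write_bytes(plaintext)
        enc = encrypt_file(src, password)
        salted = is_openssl_salted(enc)
        src.unlink()  # the plaintext would otherwise sit next to the ciphertext, as in the ls output above
        dec = decrypt_file(enc, password)
        recovered = dec.read_bytes() if dec else None
        wrong = decrypt_file(enc, password + "-wrong")  # expected: None
        return {"salted": salted, "plaintext": recovered, "wrong_password_result": wrong}


if __name__ == "__main__":
    print(roundtrip_demo())
```

Note that the environment-variable route protects the passphrase from `ps`, but a value typed inline as in `CRYPTR_PASSWORD=... cryptr encrypt ./secret-file` still lands in the shell history; for batch jobs, export it from a file with restrictive permissions instead. Deleting the plaintext after encryption is also left to the caller, as the `ls -alh` listings above show.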

help
help - Displays help
➜ cryptr help
Usage: cryptr command <command-specific-options>

encrypt <file> Encrypt file
decrypt <file.aes> Decrypt encrypted file
help Displays help
version Displays the current version

version
version - Displays the current version
➜ cryptr version
cryptr 2.1.1

default
default - Displays the current version and help
➜ cryptr
cryptr 2.1.1

Usage: cryptr command <command-specific-options>

encrypt <file> Encrypt file
decrypt <file.aes> Decrypt encrypted file
help Displays help
version Displays the current version

Changelog
https://github.com/nodesocket/cryptr/blob/master/CHANGELOG.md

Support, Bugs, And Feature Requests
Create issues here in GitHub (https://github.com/nodesocket/cryptr/issues).

Versioning
For transparency and insight into the release cycle, and for striving to maintain backward compatibility, cryptr will be maintained under the semantic versioning guidelines.
Releases will be numbered with the following format:
<major>.<minor>.<patch>
And constructed with the following guidelines:
  • Breaking backward compatibility bumps the major (and resets the minor and patch)
  • New additions without breaking backward compatibility bumps the minor (and resets the patch)
  • Bug fixes and misc changes bumps the patch
For more information on semantic versioning, visit http://semver.org/.


Project iKy - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface


Project iKy is a tool that collects information from an email and shows results in a nice visual interface.

Visit the Gitlab Page of the Project

Project

First of all we want to advise you that we have changed the Frontend from AngularJS to Angular 7. For this reason we left the project with AngularJS as Frontend in the iKy-v1 branch, with the documentation for its installation here.
The reason for changing the Frontend was to update the technology and get an easier way of installation.

Video


Installation

Clone repository

git clone https://gitlab.com/kennbroorg/iKy.git

Install Backend


Redis
You must install Redis
wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make
sudo make install
And turn on the server in a terminal
redis-server

Python stuff and Celery
You must install the libraries inside requirements.txt
pip install -r requirements.txt
And turn on Celery in another terminal, within the directory backend
./celery.sh
Finally, again, in another terminal turn on backend app from directory backend
python app.py

Install Frontend


Node
First of all, install nodejs.

Dependencies
Inside the directory frontend install the dependencies
npm install

Turn on Frontend Server
Finally, to run frontend server, execute:
npm start

Browser

Open the browser at this URL

Config API Keys

Once the application is loaded in the browser, you should go to the Api Keys option and load the values of the APIs that are needed.

  • Fullcontact: Generate the APIs from here
  • Twitter: Generate the APIs from here
  • Linkedin: Only the user and password of your account must be loaded


Lynis 2.7.5 - Security Auditing Tool for Unix/Linux Systems


We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initializing the program up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note
## Lynis 2.7.5 (2019-06-24)

### Added
- Danish translation
- Slackware end-of-life information
- Detect BSD-style (rc.d) init in Linux systems
- Detection of Bro and Suricata (IDS)

### Changed
- Corrected end-of-life entries for CentOS 5 and 6
- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
- AUTH-9268 - AIX enhancement to use correct find statement
- FILE-6310 - Filter on correct field for AIX
- NETW-3012 - set ss command as preferred option for Linux and changed output format
- List of PHP ini file locations has been extended
- Removed several pieces of the code as part of cleanup and code health
- Extended help


PivotSuite - A Network Pivoting Toolkit


PivotSuite is a portable, platform-independent and powerful network pivoting toolkit, which helps red teamers / penetration testers use a compromised system to move around inside a network. It is a standalone utility, which can be used as a server or as a client.

PivotSuite as a Server :
If the compromised host is directly accessible (forward connection) from our pentest machine, then we can run pivotsuite as a server on the compromised machine and access the hosts in different subnets from our pentest machine, which were only accessible from the compromised machine.

PivotSuite as a Client :
If the compromised host is behind a firewall / NAT and isn't directly accessible from our pentest machine, then we can run pivotsuite as a server on the pentest machine and pivotsuite as a client on the compromised machine to create a reverse tunnel (reverse connection). Using this we can reach hosts in different subnets from our pentest machine, which were only accessible from the compromised machine.

Key Features:
  1. Forward and reverse TCP tunneling supported
  2. Forward and reverse SOCKS5 proxy server supported
  3. UDP over TCP and TCP over TCP protocols supported
  4. Corporate proxy authentication (NTLM) supported
  5. Inbuilt network enumeration functionality, e.g. host discovery, port scanning, OS command execution
  6. PivotSuite allows access to different compromised hosts and their networks simultaneously (acts as a C&C server)
  7. Single pivoting, double pivoting and multi-level pivoting can be performed with the help of PivotSuite
  8. PivotSuite also works like SSH dynamic port forwarding, but in the reverse direction

Advantage Over Other tools:
  1. Doesn't require admin/root access on the compromised host
  2. PivotSuite also works when the compromised host is behind a firewall / NAT and only reverse connections are allowed
  3. No dependencies other than the Python standard library
  4. No installation required
  5. UDP ports are accessible over TCP

Installation
  1. You can download the latest version of pivotsuite by cloning the Git repository or from the PyPI package.
    git clone https://github.com/RedTeamOperations/PivotSuite.git

    OR

    pip install PivotSuite
    PivotSuite works out of the box with Python versions 2.7.x and 3.6.x on any platform.
  2. Download the PivotSuite standalone executable from the GitHub releases section:
    https://github.com/RedTeamOperations/PivotSuite/releases
    No installation required, no Python interpreter required.

Requirements:
a. Only Python Standard Libraries are Required
b. Compatible for both Python 2.7.x & Python 3.6.x
c. Tested on Windows and Linux.

Usages :
$ pivotsuite.py [options] SERVER-IP SERVER-PORT
Options:
 --version             show program's version number and exit

-h, --help show this help message and exit

-S, --server Run PivotSuite as a Server

-C, --client Run PivotSuite as a Client

--server-ip=SERVER_IP

Server Listen/Connect IP address, Default 0.0.0.0

--server-port=SERVER_PORT

Server Listen/Connect Port, Default 7777
PivotSuite Server Options:
-F, --forward-connection

Forward Network Traffic

--server-option=SP/PF

Use Server as Socks_Proxy(SP)/Port_Forward(PF),
Default SP

--network-protocol=T/U

Select Protocol For Port Forwarding TCP(T)/ UDP(U),
Default T

--forward-ip=Remote-Host-IP

Remote Host IP for Port Forwarding

--forward-port=Remote-Host-Port

Remote Host Port for Port Forwarding

-W, --reverse-connection

Reverse Network Traffic
PivotSuite Client Options:
-O SP/PF/NE, --option=SP/PF/NE
Use Client as Socks_Proxy(SP)/ Port_Forwarding(PF)/
Network_Enumeration(NE), Default SP

-L, --local-forward

Use Local Port Forwarding

-R, --remote-forward

Use Remote Port Forwarding

-P T/U, --protocol=T/U

Select Protocol For Port Forwarding TCP(T)/ UDP(U),
Default T

--local-ip=LOCAL_IP

Local IP For Port Forwarding

--local-port=LOCAL_PORT

Local Port For Port Forwarding

--remote-ip=REMOTE_IP

Remote IP For Port Forwarding

--remote-port=REMOTE_PORT

Remote Port For Port Forwarding
NTLM Proxy Authentication Options:
--ntlm-proxy-ip=NTLM_PROXY_IP

IP address of NTLM proxy

--ntlm-proxy-port=NTLM_PROXY_PORT

Port of NTLM proxy

--username=USERNAME

Username to authenticate with NTLM proxy

--domain=DOMAIN Domain to authenticate with NTLM proxy

--password=PASSWORD

Password to authenticate with NTLM proxy

--hashes=HASHES Hashes to authenticate with instead of password.
Format - LMHASH:NTHASH

Documentation

Case 1 : (Forward TCP Tunneling)
If the compromised host is directly accessible from our pentest machine,
run PivotSuite as a server on the compromised machine as per our requirements:

a. Dynamic Port Forwarding (Socks5 Proxy Server) On Compromised machine:

$ python pivotsuite.py -S -F --server-option SP --server-ip IP --server-port PORT


b. Single Port Forwarding (TCP/UDP Relay) On Compromised machine :

$ python pivotsuite.py -S -F --server-option PF --network-protocol T/U --remote-ip IP --remote-port PORT
--server-ip IP (local-ip) --server-port PORT (local-port)

Case 2 : (Reverse TCP Tunneling)
If the compromised host is behind a firewall / NAT and not directly accessible from our pentest machine,
run PivotSuite as a server on the pentest machine and PivotSuite as a client on the compromised machine.


i. Run PivotSuite as a server on the pentest machine:

$ python pivotsuite.py -S -W


ii. Run PivotSuite as a client on the compromised machine as per our requirements:

a. Dynamic Port Forwarding (Socks5 Proxy Server) On Pentest Machine:

$ python pivotsuite.py -C -O SP --server-ip IP --server-port PORT

b. Local / Remote Port Forwarding On Pentest Machine:

$ python pivotsuite.py -C -O PF -L / -R (local or remote port forwarding) -P T/U --local-ip IP
--local-port PORT --remote-ip IP --remote-port PORT --server-ip IP --server-port PORT

c. Network Enumeration of Compromised Machine:

$ python pivotsuite.py -C -O NE --server-ip IP --server-port PORT
If corporate proxy authentication (NTLM) is required for the reverse connection from the compromised host:
  $ python pivotsuite.py -C -O SP --ntlm-proxy-ip IP --ntlm-proxy-port PORT --username USERNAME --password PASSWORD 
--server-ip IP --server-port PORT


TwitterShadowBan - Twitter Shadowban Tests


One-page web app, testing Twitter users for conventional and QFD shadowbans.

Setup
Browser compatibility needs transpiling. Nothing fancy, just the usual babel magic.
git clone https://github.com/shadowban-eu/TwitterShadowBanV2 && cd TwitterShadowBanV2
npm install
Since we are using a php backend for request proxying, you will also need PHP. The gulp script uses php-cli's webserver.
[Debian]
apt-get install php7.2-cli
Finally, use the default gulp task to start the php-cli webserver and watching for file changes.
npm start

Deploy
Run npm start build! This creates an uglified script bundle and uses minified versions of 3rd party scripts. Then copy dist/'s content to your server_root.

Misc
Checking for running server (the PID differs, of course)
pgrep php -f
> 20748 php -S localhost:8080 -t ./dist/
If you need to run the php-cli webserver on another port, you will have to change it manually in gulpfile.babel.js, somewhere around line 72.
  const args = ['-S', 'localhost:8080', '-t', './dist/'];



Scapy - The Python-based Interactive Packet Manipulation Program & Library


Scapy is a powerful Python-based interactive packet manipulation program and library.
It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, store or read them using pcap files, match requests and replies, and much more. It is designed to allow fast packet prototyping by using default values that work.
It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, wireshark, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VoIP decoding on WEP protected channel, ...), etc.
Scapy supports Python 2.7 and Python 3 (3.4 to 3.7). It's intended to be cross platform, and runs on many different platforms (Linux, OSX, *BSD, and Windows).



Getting started
Scapy is usable either as a shell or as a library. For further details, please head over to Getting started with Scapy, which is part of the documentation.

Scapy can easily be used as an interactive shell to interact with the network. The following example shows how to send an ICMP Echo Request message to github.com, then display the reply source IP address:
sudo ./run_scapy
Welcome to Scapy
>>> p = IP(dst="github.com")/ICMP()
>>> r = sr1(p)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> r[IP].src
'192.30.253.113'
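To show what the IP()/ICMP() layering and the request/reply matching of sr1() in the transcript above actually do on the wire, here is an added, dependency-free Python example (not Scapy's own code and not part of the original post): it builds an IPv4 echo request with correct header and ICMP checksums, dissects the raw bytes back into fields, and pairs a reply with its request the way an answer-matching loop must (reversed addresses, type 0 answering type 8, same identifier and sequence). The addresses and payload are constructed sample values; nothing is sent on the network.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_icmp_echo(src, dst, ident=0, seq=0, payload=b"", ttl=64, reply=False):
    """Equivalent of raw(IP(src=..., dst=...)/ICMP(id=..., seq=...)/payload) with checksums filled in."""
    icmp = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, ttl, 1, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp

def dissect(pkt: bytes) -> dict:
    """Decode the fields Scapy shows as the IP and ICMP layers; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    if inet_checksum(pkt[:ihl]) != 0:          # a valid header sums to zero including its checksum
        raise ValueError("bad IP header checksum")
    layers = {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "ttl": ttl, "proto": proto, "id": ident}
    if proto == 1:
        icmp = pkt[ihl:total_len]
        if len(icmp) < 8 or inet_checksum(icmp) != 0:
            raise ValueError("bad ICMP checksum")
        icmp_type, code, _csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        layers["icmp"] = {"type": icmp_type, "code": code, "id": icmp_id, "seq": seq, "payload": icmp[8:]}
    return layers

def is_answer(request: bytes, reply: bytes) -> bool:
    """The pairing rule an sr1()-style loop applies to ICMP echo traffic."""
    try:
        q, a = dissect(request), dissect(reply)
    except ValueError:
        return False
    if "icmp" not in q or "icmp" not in a:
        return False
    return ((q["src"], q["dst"]) == (a["dst"], a["src"])
            and q["icmp"]["type"] == 8 and a["icmp"]["type"] == 0
            and q["icmp"]["id"] == a["icmp"]["id"] and q["icmp"]["seq"] == a["icmp"]["seq"])

if __name__ == "__main__":
    # Constructed sample exchange (private addresses, nothing is transmitted)
    req = build_icmp_echo("10.0.0.1", "10.0.0.2", ident=0x1234, seq=1, payload=b"hello")
    rep = build_icmp_echo("10.0.0.2", "10.0.0.1", ident=0x1234, seq=1, payload=b"hello", reply=True)
    print(dissect(rep)["src"], is_answer(req, rep))
```

The checksum check in dissect() is the part worth keeping in mind when reading captures: a packet whose payload was altered in transit, or a crafted frame with a wrong checksum (something Scapy will happily emit if you set the field yourself), is rejected here rather than silently decoded.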

Resources
The documentation contains more advanced use cases, and examples.

Installation
Scapy works without any external Python modules on Linux and BSD like operating systems. On Windows, you need to install some mandatory dependencies as described in the documentation.
On most systems, using Scapy is as simple as running the following commands:
git clone https://github.com/secdev/scapy
cd scapy
./run_scapy
To benefit from all Scapy features, such as plotting, you might want to install Python modules, such as matplotlib or cryptography. See the documentation and follow the instructions to install them.

Contributing
Want to contribute? Great! Please take a few minutes to read this!


PTF v2.3 - The Penetration Testers Framework Is A Way For Modular Support For Up-To-Date Tools


The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for penetration testing. As pentesters, we've become accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.
PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive with the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add to it as you see fit. Internally developed repos can be used as part of this framework as well. It's all up to you.
The ultimate goal is community support for this project. We want new tools added to the GitHub repository. Submit your modules. They're super simple to configure and add, and it only takes a few minutes.

Instructions:
First check out the config/ptf.config file which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move to running PTF by typing ./ptf (or python ptf).
This will put you in a Metasploitesque type shell which has a similar look and feel for consistency. Show modules, use <modules>, etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.
For a video tutorial on how to use PTF, check out our Vimeo page here: https://vimeo.com/137133837

Update EVERYTHING!
If you want to install and/or update everything, simply do the following:
./ptf
use modules/install_update_all
yes
This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.
You can also install each module individually, then use modules/update_installed, which will only update what you've previously installed.
For example:
./ptf
use modules/update_installed
This will only update previous ones you've installed.
You can also show options to change information about the modules.
If you only want to install, for example, the exploitation tools, you can run:
./ptf
use modules/exploitation/install_update_all
This will only install the exploitation modules. You can do this for any module category.

Customize your own installed tools
You can install only the tools you want by editing modules/custom_list/list.py. Modify the list.py file and add just the tools you want to install or update.
Then when in PTF:
./ptf
use modules/custom_list/list
yes
This allows you to carry your module configuration over and only install the tools that you want and keep them updated.

Modules:
First, head over to the modules/ directory; inside are subdirectories based on the Penetration Testing Execution Standard (PTES) phases. Go into those phases and look at the different modules. As soon as you add a new one, for example testing.py, it will automatically be imported the next time you launch PTF. There are a few key components in a module that must be completed.
Below is a sample module:
AUTHOR="David Kennedy (ReL1K)"

DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"

INSTALL_TYPE="GIT"

REPOSITORY_LOCATION="https://github.com/beefproject/beef"

X64_LOCATION="https://github.com/something_thats_x64_instead_of_x86"

INSTALL_LOCATION="beef"

DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"

ARCHLINUX = "arch-module,etc"

BYPASS_UPDATE="NO"

AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"

LAUNCHER="beef"

TOOL_DEPEND="modules/exploitation/metasploit"

Module Development:
All of the fields are pretty straightforward. For the repository location, you can use GIT, SVN or FILE. Fill in the dependencies and where you want the install location to be. PTF will take where the Python file is located (for example exploitation) and install into what you specify in the PTF config (located under config). By default it installs all your tools to /pentest/PTES_PHASE/TOOL_FOLDER.
Note that in modules you can use {INSTALL_LOCATION} in after commands. It is replaced with the tool's install location when the after commands run.
You can also specify {PTF_LOCATION}, which is replaced with the base path of your PTF installation.
Repository locations can also specify both a 32-bit and a 64-bit location. REPOSITORY_LOCATION should always be the x86 download path. To add a 64-bit path for a tool, specify X64_LOCATION and give it a URL. When PTF launches, it will automatically detect the architecture and attempt to use the x64 link instead of the x86 one.
Note that ArchLinux packages are also supported; a module needs to specify both the DEBIAN and the ARCHLINUX package lists for it to install properly on either platform.

GITLAB Support
You can create your own modules, and PTF also supports GitLab access. Instead of specifying git, wget, etc., simply specify gitlab and point to your own internal GitLab tools for modules.

BYPASS UPDATES:
When using traditional git or svn as the main method, after a module is installed PTF will just go and grab the latest version of the tool on each update. With after commands, you may need to run the after commands again after each update. If you set bypass updates to YES (BYPASS_UPDATE="YES"), each time the tool is run it will check out the latest version and still run the after commands. If this is set to NO, it will only git pull the latest version. For FILE options, it is recommended to always use BYPASS_UPDATE="YES" so that the files are overwritten each time.

After Commands:
After commands are commands that you can run after an installation. This could be switching to a directory and kicking off additional commands to finish the installation. For example, in the BeEF scenario you need to run ruby install-beef afterwards. Below is an example of after commands using the {INSTALL_LOCATION} flag.
AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"
Use AFTER_COMMANDS for steps that self-install (don't need user interaction).

Automatic Launchers
The LAUNCHER= flag in modules is optional. If you add LAUNCHER="setoolkit", for example, PTF will automatically create a launcher for the tool under /usr/local/bin/. In the setoolkit example, when run, PTF will automatically create a file under /usr/local/bin/setoolkit so you can launch SET from anywhere by simply typing setoolkit. All files will still be installed under the appropriate categories, for example /pentest/exploitation/setoolkit, but an automatic launcher will be created as well.
You can have multiple launchers for an application. For example, for Metasploit you may want msfconsole, msfvenom, etc. To add multiple launchers, simply put a comma between them, for example LAUNCHER="msfconsole,msfvenom". This creates launchers for both.

Automatic Command Line
You can also just run ./ptf --update-all and it will automatically update everything for you without having to go into the framework.

Running Unattended
If you're running ptf in an automatic build, you can use a heredoc so you don't have to interactively type the modules you wish to install. Example:
./ptf <<EOF
use modules/exploitation/metasploit
run
use modules/password-recovery/johntheripper
run
EOF

TOOL DEPENDS
Some tools such as Veil, SET, etc. require tools such as the Metasploit Framework. If one or more tools must be installed before your tool, you can add TOOL_DEPEND="modules/exploitation/metasploit,modules/exploitation/set" (and further modules) to the module. This will force PTF to install the required tool first, then install the module that requires it. Example:
TOOL_DEPEND="modules/exploitation/metasploit"
This will install Metasploit first, or ensure it is already installed, prior to installing the application.

IGNORE Modules or Categories
The IGNORE_THESE_MODULES= config option can be found in config/ptf.config in the PTF root directory. This will ignore modules and not install them. Everything is comma separated and based on name, for example modules/exploitation/metasploit,modules/exploitation/set, or entire module categories, like /modules/code-audit/*,/modules/reporting/*.

IGNORE Modules from Update/Install All
The IGNORE_UPDATE_ALL_MODULES= config option can be found in config/ptf.config in the PTF root directory. This will ignore modules only when doing install_update_all, which is used when you want to install all tools. This could be for large applications that take substantial time, ones that require user interaction, or ones that open up a number of ports and protocols on the system. It works very similarly to IGNORE_THESE_MODULES, except that these modules can still be manually installed and updated through modules/update_installed. The list is comma delimited, for example modules/exploitation/tool1,modules/exploitation/tool2: when running install_update_all, these tools would not be installed unless you went to use modules/exploitation/tool1 and installed them that way.

INCLUDE_ONLY_THESE_MODULES
The INCLUDE_ONLY_THESE_MODULES config option in config/ptf.config will only install and include the specific modules listed there. This is good for baselining the tools you want and installing only those.
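To make the module format, the {INSTALL_LOCATION}/{PTF_LOCATION} placeholders, launchers, tool dependencies and the comma-separated ignore lists described above concrete, here is an added Python example of a small module linter (my own code, not part of PTF). It parses the KEY="value" assignments a module file contains into a dict, checks the fields the text calls required, derives the /pentest/PTES_PHASE/TOOL_FOLDER install path, expands after-command placeholders, lists the launcher files that would land in /usr/local/bin, and applies IGNORE_THESE_MODULES-style matching including category globs. The sample module text is constructed from the BeEF example on this page; the choice of which fields count as required, and the FILE-without-BYPASS_UPDATE warning, are my own reading of the text rather than PTF behaviour.

```python
import re
import ast
import fnmatch
import posixpath

# Constructed sample module text, mirroring the BeEF module shown above.
SAMPLE_MODULE = '''
AUTHOR="David Kennedy (ReL1K)"
DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"
INSTALL_TYPE="GIT"
REPOSITORY_LOCATION="https://github.com/beefproject/beef"
INSTALL_LOCATION="beef"
DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"
ARCHLINUX = "arch-module,etc"
BYPASS_UPDATE="NO"
AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"
LAUNCHER="beef"
TOOL_DEPEND="modules/exploitation/metasploit"
'''

# Assumption: these are the fields a module cannot do without (the text says "must be completed").
REQUIRED_FIELDS = ("AUTHOR", "DESCRIPTION", "INSTALL_TYPE", "REPOSITORY_LOCATION", "INSTALL_LOCATION")
INSTALL_TYPES = {"GIT", "SVN", "FILE", "GITLAB"}      # the repository types the README names

# One KEY="value" assignment per line; modules are plain Python, so the literal is decoded safely.
_ASSIGN = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*("(?:[^"\\]|\\.)*")\s*$')

def parse_module(text: str) -> dict:
    fields = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            fields[m.group(1)] = ast.literal_eval(m.group(2))
    return fields

def split_list(value: str) -> list:
    """PTF lists (DEBIAN, LAUNCHER, TOOL_DEPEND, AFTER_COMMANDS, ignore lists) are comma separated."""
    return [item.strip() for item in value.split(",") if item.strip()]

def validate_module(fields: dict) -> list:
    """Return a list of problems; an empty list means the module looks usable."""
    problems = ["missing %s" % key for key in REQUIRED_FIELDS if key not in fields]
    itype = fields.get("INSTALL_TYPE", "").upper()
    if itype and itype not in INSTALL_TYPES:
        problems.append("unknown INSTALL_TYPE %r" % itype)
    if itype == "FILE" and fields.get("BYPASS_UPDATE", "NO").upper() != "YES":
        problems.append('FILE installs should set BYPASS_UPDATE="YES" so files are overwritten on update')
    for dep in split_list(fields.get("TOOL_DEPEND", "")):
        if not dep.startswith("modules/"):
            problems.append("TOOL_DEPEND entry %r is not a modules/ path" % dep)
    return problems

def install_path(module_file: str, fields: dict, base: str = "/pentest") -> str:
    """/pentest/PTES_PHASE/TOOL_FOLDER: the phase is the directory the module lives in under modules/."""
    parts = module_file.strip("/").split("/")
    phase = parts[parts.index("modules") + 1]
    return posixpath.join(base, phase, fields["INSTALL_LOCATION"])

def render_after_commands(fields: dict, install_dir: str, ptf_location: str) -> list:
    """Expand the two placeholders the text documents for AFTER_COMMANDS."""
    return [cmd.replace("{INSTALL_LOCATION}", install_dir).replace("{PTF_LOCATION}", ptf_location)
            for cmd in split_list(fields.get("AFTER_COMMANDS", ""))]

def launcher_paths(fields: dict, bindir: str = "/usr/local/bin") -> list:
    return [posixpath.join(bindir, name) for name in split_list(fields.get("LAUNCHER", ""))]

def is_ignored(module_name: str, ignore_spec: str) -> bool:
    """Exact names (modules/exploitation/metasploit) or category globs (/modules/code-audit/*)."""
    name = module_name.strip("/")
    return any(fnmatch.fnmatchcase(name, pattern.strip("/")) for pattern in split_list(ignore_spec))

if __name__ == "__main__":
    fields = parse_module(SAMPLE_MODULE)
    print(validate_module(fields) or "module OK")
    target = install_path("modules/exploitation/beef.py", fields)
    print(target, render_after_commands(fields, target, "/opt/ptf"), launcher_paths(fields))
```

Running this over a third-party module before dropping it into modules/ is a cheap way to catch a misspelled INSTALL_TYPE or a TOOL_DEPEND that points outside modules/ before PTF tries to execute the after commands as root.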

Written by: David Kennedy (@HackingDave)
https://www.trustedsec.com


Spyse.Py - Python API Wrapper And Command-Line Client For The Tools Hosted On Spyse.Com


Python API wrapper and command-line client for the tools hosted on spyse.com.
"Spyse is a developer of complete DAAS (Data-As-A-Service) solutions for Internet security professionals, corporate and remote system administrators, SSL / TLS encryption certificate providers, data centers and business analysts. All Spyse online solutions are represented by thematic services that have a single platform for collecting, processing and aggregating information." - spyse.com


NOTE: This API is currently under active development.

Installation
pip3 install spyse.py

Using the client

Required Arguments
  • -target
  • -param

Optional Arguments
  • -page
  • -apikey
  • --raw

The deal with parameters
Spyse allows you to search their database for IPs, IP ranges, domain names, URLs, etc. The parameter argument is meant to specify the type of your input.

List of parameters
API_TARGET_PARAMS = [
'cidr',
'domain',
'ip',
'page',
'url',
'hash',
'q'
]

Example usages
spyse -target xbox.com -param domain --subdomains
spyse -target 127.0.0.1/24 -param cidr --domains-on-ip
spyse -target hotmail.com -param domain --ssl-certificates
spyse -target google.com -param domain --dns-all
spyse -target xbox.com -param domain -apikey <APIKEY> -page 2 --ssl-certificates --raw

Piping to jq


Using the library

Without API Key
from pprint import pprint
from spyse import spyse

s = spyse()
pprint(s.subdomains_aggregate("xbox.com", param="domain"))

With API Key
from pprint import pprint
from spyse import spyse

s = spyse('API_TOKEN_GOES_HERE')
pprint(s.subdomains_aggregate("xbox.com", param="domain"))

Search using CIDR
from spyse import spyse
from pprint import pprint

s = spyse()
pprint(s.domains_on_ip("172.217.1.0/24", param="cidr"))

Fetch subdomains
from spyse import spyse

TARGET = "TARGET_HOST_HERE"

s = spyse()
data = s.subdomains_aggregate(TARGET, param="domain")['cidr']
keys = data.keys()
for key in keys:
    domains = data[key]['results']
    for d in domains:
        domain = d['data']['domains']
        if len(domain) > 1:
            for i in domain:
                print(i)
        elif domain:  # guard against an empty list, which would make domain[0] raise IndexError
            print(domain[0])
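The nested response walked by the "Fetch subdomains" snippet is easy to get wrong at the edges (an empty domains list, the same name returned under two CIDR buckets, names outside the target you asked about). As an added example that is not part of the spyse.py project, the following Python flattens that structure defensively, de-duplicates, filters to the target's scope, and checks the -param value against the API_TARGET_PARAMS list shown above. The response dict is constructed to match the shape the snippet indexes; it is not live spyse.com data, and the attribute names inside it are only assumed from that snippet.

```python
API_TARGET_PARAMS = ['cidr', 'domain', 'ip', 'page', 'url', 'hash', 'q']   # copied from the list above

# Constructed sample in the shape response['cidr'][<net>]['results'][i]['data']['domains'] (not real data)
SAMPLE_RESPONSE = {
    "cidr": {
        "172.217.1.0/24": {"results": [
            {"data": {"domains": ["a.example.com", "B.example.com."]}},
            {"data": {"domains": ["c.example.com", "shared.example.net"]}},
            {"data": {"domains": []}},                    # empty bucket: indexing [0] here would raise
            {"data": {}},                                 # missing key: .get() keeps this from raising
        ]},
        "10.0.0.0/24": {"results": [
            {"data": {"domains": ["a.example.com"]}},     # duplicate across buckets
        ]},
    }
}

def check_param(param: str) -> str:
    """Reject a -param value the API does not know before any request is built."""
    if param not in API_TARGET_PARAMS:
        raise ValueError("unsupported param %r; choose one of %s" % (param, ", ".join(API_TARGET_PARAMS)))
    return param

def flatten_subdomains(response: dict, group: str = "cidr") -> list:
    """Return the sorted set of normalised names found anywhere under response[group]."""
    found = set()
    for bucket in response.get(group, {}).values():
        for entry in bucket.get("results", []):
            for name in entry.get("data", {}).get("domains", []) or []:
                found.add(name.lower().rstrip("."))      # case and trailing-dot normalisation
    return sorted(found)

def in_scope(names: list, target_domain: str) -> list:
    """Keep only the target itself and names beneath it; drop unrelated hosts that share an IP range."""
    target = target_domain.lower().rstrip(".")
    return [n for n in names if n == target or n.endswith("." + target)]

if __name__ == "__main__":
    check_param("domain")
    names = flatten_subdomains(SAMPLE_RESPONSE)
    print(names)
    print(in_scope(names, "example.com"))
```

The in_scope() step matters when the query was by CIDR rather than by domain: hosts that merely share an address block with the target are returned too, and treating them as in scope is a common mistake when these lists feed an assessment plan.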

Available Methods
All of the methods listed on https://api-doc.spyse.com/
 API_METHODS = {
"DNS_PTR": "/dns-ptr",
"DNS_SOA": "/dns-soa",
"DNS_MX": "/dns-mx",
"DNS_AAAA": "/dns-aaaa",
"DNS_NS": "/dns-ns",
"DNS_A": "/dns-a",
"DNS_TXT": "/dns-txt",
"domains_with_same_ns": "/domains-with-same-ns",
"domains_using_as_mx": "/domains-using-as-mx",
"domains_on_ip": "/domains-on-ip",
"domains_with_same_mx": "/domains-with-same-mx",
"domains_using_as_ns": "/domains-using-as-ns",
"download_dns_aaaa": "/download-dns-aaaa",
"download_dns_soa": "/download-dns-soa",
"download_dns_ns": "/download-dns-ns",
"download_dns_ptr": "/download-ns-ptr",
"download_dns_mx": "/download-dns-mx",
"download_dns_a": "/download-dns-a",
"download_dns_txt": "/download-dns-txt",
"download_domains_with_same_mx": "/download-domains-with-same-mx",
"download_domains_on_ip": "/download-domains-on-ip",
"download_domains_with_same_ns": "/download-domains-with-same-ns",
"download_domains_using_as_ns": "/download-domains-using-as-ns",
"download_domains_using_as_mx": "/download-domains-using-as-mx",
"ip_port_lookup_aggregate": "/ip-port-lookup-aggregate",
"ip_port_lookup": "/ip-port-lookup",
"ssl_certificates": "/ssl-certificates",
"ssl_certificate_raw": "/ssl-certificate-raw",
"ssl_certificates_aggregate": "/ssl-certificates-aggregate",
"ssl_certificate": "/ssl-certificate",
"ssl_certificate_public_key": "/ssl-certificate-public-key",
"ssl_certificate_json": "/ssl-certificate-json",
"subdomains": "/subdomains",
"subdomains_aggregate": "/subdomains-aggregate",
"domains_starts_with": "/domains-starts-with",
"domains_starts_with_aggregate": "/domains-starts-with-aggregate"
}


Lst2X64Dbg - Extract labels from IDA .lst or Ghidra .csv file and export x64dbg database

This script extracts all the labels found in the LST file that is given as the script's single argument. An x64dbg database is created in the current directory based on the extracted labels.
The LST file can be generated in IDA from the File menu: Produce file -> Create LST file...

Example
$ python3 lst2x64dbg.py sample.lst

ghidra2x64dbg
This script extracts all the labels found in the CSV file that is given as the script's single argument. An x64dbg database is created in the current directory based on the extracted labels. The imagebase value must be supplied.
The CSV file can be generated in Ghidra from the Window menu by selecting Symbol Table.
In the symbol table window that opens, sort the data by the Location column. Then select all symbols that are not external locations. With the desired symbols selected, right-click and select: Export -> Export to CSV...


Name this file <module_name>.csv

Example
$ python3 ghidra2x64dbg.py -i 400000 sample.csv
The imagebase value can be found at the very top of the disassembly panel in the CodeBrowser window. It's part of the DOS header.
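The conversion ghidra2x64dbg performs is small enough to show end to end, so here is an added Python example of the same idea written independently (it is not the project's code). It reads a Symbol Table CSV, skips external locations of the kind the text says not to select, subtracts the imagebase given on the command line (a hex value, as in -i 400000) to get module-relative addresses, and emits the labels section of an x64dbg database. The CSV columns and the x64dbg label fields are assumptions based on my reading of both tools' output; the CSV content itself is constructed sample data.

```python
import csv
import io
import json

# Constructed sample in the shape of a Ghidra Symbol Table export (column names are an assumption).
SAMPLE_CSV = '''"Name","Location","Type","Namespace","Source","Reference Count","Offcut Ref Count"
"entry","00401000","Function","Global","Imported","2","0"
"FUN_00401234","00401234","Function","Global","Default","1","0"
"DAT_00403000","00403000","Data Label","Global","Default","3","0"
"KERNEL32.DLL::CreateFileA","EXTERNAL:00000001","Function","KERNEL32.DLL","Imported","4","0"
"bogus","not-an-address","Function","Global","Default","0","0"
'''

def parse_ghidra_csv(text: str, imagebase: int) -> list:
    """Return [(name, rva), ...] for symbols inside the image; externals and unparsable rows are dropped."""
    labels = []
    for row in csv.DictReader(io.StringIO(text)):
        location = row["Location"].strip()
        if ":" in location:                 # e.g. EXTERNAL:00000001 is not an address in the image
            continue
        try:
            va = int(location, 16)
        except ValueError:
            continue
        if va < imagebase:                  # a label below the base cannot be expressed as an RVA
            continue
        labels.append((row["Name"].strip(), va - imagebase))
    return labels

def make_x64dbg_db(module: str, labels: list) -> dict:
    """x64dbg stores labels per module with module-relative hex addresses (field names assumed)."""
    return {"labels": [{"module": module, "address": "0x%X" % rva, "manual": False, "text": name}
                       for name, rva in labels]}

def convert(csv_text: str, imagebase_hex: str, module: str) -> str:
    """imagebase_hex is the value passed to -i, without 0x, exactly as the example above passes 400000."""
    labels = parse_ghidra_csv(csv_text, int(imagebase_hex, 16))
    return json.dumps(make_x64dbg_db(module, labels), indent=2)

if __name__ == "__main__":
    print(convert(SAMPLE_CSV, "400000", "sample.exe"))
```

Checking the imagebase twice is worth the effort: if the value passed to -i does not match the DOS header shown at the top of Ghidra's CodeBrowser, every RVA is shifted by the same amount and x64dbg will place all labels consistently in the wrong place, which is much harder to notice than a single bad symbol.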


ToDo
  • Convert to package with console script


0xsp-Mongoose - Privilege Escalation Enumeration Toolkit (ELF 64/32), Fast, Intelligent Enumeration With Web API Integration


Using 0xsp Mongoose, you will be able to scan a targeted operating system for any possible way to perform privilege escalation attacks, from the information collection stage through to reporting the findings via the 0xsp Web Application API.
The user will be able to scan different Linux systems at the same time with high performance, without spending time looking through a terminal or text file for what was found; Mongoose shortens this by letting you send the information directly to a web application with a friendly interface through an easy API endpoint.
The project is divided into two sections: server and agent.
The server has been coded in PHP (CodeIgniter). You need to install this application into your preferred environment; you can use it online or on your localhost. The user is free to choose. Contributions to enhance its features are most welcome.
The agent has been coded as an ELF with Lazarus Free Pascal and will be released for 32- and 64-bit. When executing the agent on the targeted system with all required parameters, the user is free to decide whether to communicate with the server app to store results and explore them easily, or to run the tool without a Web API connection.



Agent Usage
  1. Make sure to give it executable permission: chmod +x agent
  2. ./agent -h (display help instructions)
-k --check kernel for common used privilige escalations exploits. 
-u --Getting information about Users , groups , releated information.
-c --check cronjobs.
-n --Retrieve Network information,interfaces ...etc.
-w --Enumerate for Writeable Files , Dirs , SUID ,
-i --Search for Bash,python,Mysql,Vim..etc History files.
-f --search for Senstive config files accessible & private stuff.
-o --connect to 0xsp Web Application.
-p --Show All process By running under Root,Check For Vulnerable Packages.
-e --Kernel inspection Tool, it will help to search through tool databases for kernel vulnerabilities.
-x --secret Key to authorize your connection with WebApp API (default is 0xsp).
-a --Display README.

Server Web App (must be like this: http://host/0xsp/)

  1. Make sure to have at least PHP 5.6 or above
  2. Requires MySQL 5.6
  3. Make sure to add the web application on the root path / with folder name 0xsp, as in http://localhost/0xsp/. The agent will not connect to it if it is not configured correctly; the agent will connect only in the following form:
./agent {SCAN OPTION} -o localhost -x secretkey

Examples With WebApi
./agent -c -o localhost -x 0xsp { enumerate for CRON Tasks and Transfer results into Web Api} 
./agent -e -o localhost -x 0xsp { intelligent Exploits Detector }
./agent -c -e -o localhost -x 0xsp { will run two scans together and send found results directly }
./agent -m -o 10.10.13.1 -x 0xsp { RUN all Scans together and export it to Web API}

Examples Without WebApi
./agent -c -k -p { this will run 3 scans at the same time with out sending results into Web Api }

Agent Features
  1. High performance and stability; output results are generated while executing, with no delays
  2. Ability to execute most functions with intelligent techniques.
  3. Results are sent to a quick Web API
  4. Exception handling.
  5. Built-in JSON data set of publicly disclosed exploits.
  6. Fast as a mongoose


