Channel: KitPloit - PenTest Tools!

Docker for Pentest - Image With The More Used Tools To Create A Pentest Environment Easily And Quickly


Docker for pentest is an image with the most used tools to create a pentest environment easily and quickly.

Features
  • OS, networking, developing and pentesting tools installed.
  • Connection to HTB (Hack the Box) vpn to access HTB machines.
  • Popular wordlists installed: SecLists, dirb, dirbuster, fuzzdb, wfuzz and rockyou.
  • Proxy service to send traffic from any browser and Burp Suite installed in your local environment.
  • Exploit database installed.
  • Tools for cracking passwords.
  • Linux enumeration tools installed.
  • Tools installed to discover running services.
  • Tools installed for directory fuzzing.
  • Monitor for Linux processes without root permissions.
  • Zsh shell installed.

Tools installed

Operating system tools
  • rdate
  • vim
  • zsh
  • oh-my-zsh
  • locate
  • cifs-utils

Network tools
  • traceroute
  • telnet
  • net-tools
  • iputils-ping
  • tcpdump
  • openvpn
  • whois
  • host
  • prips

Developer tools
  • git
  • curl
  • wget
  • ruby
  • go
  • python
  • python-pip
  • python3
  • python3-pip

Pentest tools

Port scanning

Recon

Wordlist

Git repositories

OWASP

Brute force

Cracking

OS Enumeration

Exploits

Windows

Reverse shell

Other resources

Custom functions

Other services
  • apache2
  • squid

Documentation
See the project's wiki for documentation.

Usage

Prerequisites
  • Docker service installed
You can use the Docker image in one of the following two ways:

Option 1 - Use the github repository
git clone --depth 1 https://github.com/aaaguirrep/pentest.git
cd pentest
docker build -t pentest .
docker run --rm -it --name my-pentest pentest /bin/zsh

Option 2 - Use the image from docker hub
Use the image from Docker Hub: aaaguirrep/pentest
docker pull aaaguirrep/pentest
docker run --rm -it --name my-pentest aaaguirrep/pentest /bin/zsh

Considerations to run the container
There are different use cases for the image, and you should know how to run the container properly for each of them.
  1. Use the container to access HTB (Hack the Box) machines by HTB vpn.
     docker run --rm -it --cap-add=NET_ADMIN --device=/dev/net/tun --sysctl net.ipv6.conf.all.disable_ipv6=0 --name my-pentest aaaguirrep/pentest /bin/zsh
  2. Share files between a local directory and a container directory so that your work is saved on your local machine. Save everything under the /pentest directory.
     docker run --rm -it -v /path/to/local/directory:/pentest --name my-pentest aaaguirrep/pentest /bin/zsh
  3. Expose internal container services (apache, squid) to your local environment.
     docker run --rm -it --name my-pentest -p 80:80 -p 3128:3128 aaaguirrep/pentest /bin/zsh
     Inside the container, start the apache2 and squid services with these aliases:
     apacheUp
     squidUp
  4. Mount and unmount directories with the mount/umount commands (requires a privileged container).
     docker run --rm -it --privileged --name my-pentest aaaguirrep/pentest /bin/zsh
  5. Tools are downloaded in /tools directory.

Nice configurations
You can set up the Docker image with useful configurations such as:

1. Alias to connect to HTB (Hack the Box) VPN
For both options, use the -v option to map a local directory to the /pentest container directory.

Option 1 - HTB VPN using github repository
Add the following line to the "Create shortcuts" step in the Dockerfile, build a new image, and run a new container with the -v option.
RUN echo "alias vpnhtb=\"openvpn /pentest/path/to/ovpn/file\"" >> /root/.zshrc

Option 2 - HTB VPN using docker hub image
Create a new Dockerfile with the following content, build a new image, and run a new container with the -v option.
FROM aaaguirrep/pentest

# Create a shortcut and load the ovpn file from workstation
RUN echo "alias vpnhtb=\"openvpn /pentest/path/to/ovpn/file\"" >> /root/.zshrc

2. Save and load command history in your local environment
When you delete a container, all of its information is deleted, including the command history. The following configuration lets you save the command history in your local environment and load it when you run a new container, so you won't lose it between containers.
For both options, use the -v option to map a local directory to the /pentest container directory.

Option 1 - Command history using github repository
Add the following line to the "Create shortcuts" step in the Dockerfile, build a new image, and run a new container.
# Save and load command history in your local environment
RUN sed -i '1i export HISTFILE="/pentest/.zsh_history"' /root/.zshrc

Option 2 - Command history using docker hub image
Create a new Dockerfile with the following content, build a new image, and run a new container.
FROM aaaguirrep/pentest

# Save and load command history in your local environment
RUN sed -i '1i export HISTFILE="/pentest/.zsh_history"' /root/.zshrc

Environment tested
The image was tested in the following environments:
  • Docker service for Mac: Docker version 19.03.5, build 633a0ea
  • Docker service for Linux instance on Google Cloud Platform: Docker version 19.03.6, build 369ce74a3c

Warning
  • Do not save information in container directories, because it will be lost when the container is deleted; save it in your local environment instead by passing -v when you run the container. For instance:
    docker run --rm -it -v /path/to/local/directory:/pentest --name my-pentest aaaguirrep/pentest /bin/zsh
    The above command maps a local directory to the /pentest container directory. Save all information under /pentest.
  • Use hashcat and John the Ripper only in controlled environments such as CTFs; you may run into issues.

Contributing
Contributing Guide



Bramble - A Hacking Open Source Suite


Bramble software has been designed for the bramble project. It incorporates many pentesting and IT security features. It's easy to use and completely editable. It allows beginners to learn hacking and gives more experienced users a customisable plug-and-play hacking toolkit so they can add their own code quickly.

Contribute
Bramble is an open source project to which you can contribute! If you develop some features, don't be shy and share them with us. We will work together to implement them in the platform.

How it works
Bramble is based mainly on C++, but you can easily add code written in another language. If you don't like C++ (that would be a mistake ^^) it doesn't really matter, because I offer some templates to help you and save your time. I try to put lots of comments in my code and I add links to online classes/articles for a better understanding of how the code works. Finally, for each feature I wrote a help file that explains step by step how to use it.

Menu

Currently working:
0. Cryptography
   - Encrypt file
   - Decrypt file
1. Steganography
   - Hide a file in a file
   - Get a hidden file
2. Forensic tools
   - Restore all deleted files
   - Restore specific types of files
   - Permanently erase a file/folder
3. Wifi jammer/deauther
   - Deauth user(s) from a network (connection not required, monitor mode required)
   - Deauth user(s) from your network (connection required, monitor mode not required)
4. Evil twin
   - Fluxion custom version for bramble
5. Key cloner
   - Copy a USB storage device to another USB key
   - Copy a USB storage device to internal storage
   - Copy only some types of files
6. Gain access
   - Bruteforce SSH
   - Network backdoor
7. Sniffer
   - Unencrypted passwords
   - Website names
   - Detect sniffing attack (by ARP poisoning)
   - Read a previous report (sniffing, scan, detection)
8. Tools
   - Enable/disable the web interface
   - Permanently erase a file/folder
   - Password generator from file
   - Scan a network
   - ARP scanner
   - Change MAC address
9. Settings
   - Unmount a USB device
   - Display IP address
   - Switch to light/classic menu

Coming soon:
10. Wifi attack
   - WPS attack
11. Fake access point
   - Sniffing
   - Phishing?
12. Sniffer
   - Password sniffer
   - Website sniffer
   - Custom sniffer

Requirements
As of today, this software works only in the bramble environment. It may become compatible with other devices powered by Kali Linux.

Credits

App
Fluxion

Pentest
Édouard Huon

Screenshots



Keylogger - Get Keyboard, Mouse, ScreenShot, Microphone Inputs From Target Computer And Send To Your Mail

Get keyboard, mouse, screenshot and microphone inputs and send them to your mail. The purpose of the project is testing the security of information systems.

INSTALLATION
pip install pynput


USAGE
Set your own MAIL and PASSWORD in "keylogger.py".
Run main.py on the target computer.
Every 10 seconds, you get the data from the target computer.
If the target finds the code and opens the file to learn your MAIL and password, the program deletes itself.

USAGE TEMP MAIL API

https://temp-mail.org/en/api/

ANTIVIRUS TEST




Lazymux - A Huge List Of Many Hacking Tools And PEN-TESTING Tools


Lazymux tools installer is very easy to use; it is provided only for lazy Termux users. It's a huge list of many hacking and pentesting tools! NOTE: I am not responsible for bad use of this project.

Requirements
  • Linux environment
  • Python 2.x
  • git

Installation and Using Lazymux
git clone https://github.com/Gameye98/Lazymux

cd Lazymux

python2 lazymux.py
# OR
python lazymux.py

Authors
Gameye98

Contributors
Sanix-darker


PENIOT - Penetration Testing Tool for IoT


PENIOT is a penetration testing tool for Internet of Things (IoT) devices. It helps you test your devices by targeting their internet connectivity with different types of security attacks; in other words, you can expose your device to both active and passive security attacks. After choosing the target device and the necessary information (or parameters) about it, you can perform active security attacks such as altering or consuming system resources, replaying valid communication units, and so on. You can also perform passive security attacks such as breaching the confidentiality of important information or performing traffic analysis. With PENIOT, all those operations can be semi-automated or even fully automated. In short, PENIOT is a package/framework for targeting IoT devices with protocol-based security attacks.
It also gives you a baseline structure for adding new security attacks or new IoT protocols. One of the most important features of PENIOT is extensibility: by default it ships with several common IoT protocols and numerous security attacks related to those protocols, and it can be extended further by exporting the basic structure of its internally used components, so that you can develop your attacks in harmony with PENIOT's internal structure.

Why is PENIOT required?
The IoT paradigm has experienced immense growth in the past decade, with billions of devices connected to the Internet. Most of these devices lack even basic security measures due to their capacity constraints and designs made without security in mind due to the shortness of time-to-market. Due to the high connectivity in IoT, attacks that have devastating effects in extended networks can easily be launched by hackers through vulnerable devices.
Up until now, penetration testing was done manually, if it was not ignored altogether. This made the testing phase of devices very slow. On the other hand, the firms that produce IoT devices should always keep their device testing up to date in terms of reliability, robustness and provided functionality, since exposure to security attacks by malicious people could have unexpected impacts on end users. The main aim of PENIOT is to accelerate the process of security testing. It enables you to find security flaws in your IoT devices by automating the time-consuming penetration testing phase.

What does PENIOT provide?
First of all, PENIOT provides novelty. It is one of the first examples of penetration testing tools in the IoT field. There are only one or two similar tools specialized in IoT, but they are still in the development phase and not completed yet.
Since the number of IoT devices is increasing drastically, IoT devices are becoming more and more common in our daily life. Smart homes, smart bicycles, medical sensors, fitness trackers, smart locks and connected factories are just a few examples of IoT products. Given this, we felt the need to choose some of the most commonly used IoT protocols to build into PENIOT by default. We chose the following protocols as the default IoT protocols included in PENIOT. These IoT protocols are tested with various types of security attacks such as DoS, fuzzing, sniffing and replay attacks.
Following protocols are currently supported:
  • Advanced Message Queuing Protocol (AMQP)
  • Bluetooth Low Energy (BLE)
  • Constrained Application Protocol (CoAP)
  • Message Queuing Telemetry Transport (MQTT)
Moreover, it enables you to export the internal structure of its implemented protocols and attacks so you can implement your own protocols or attacks. You can also extend the existing protocols with your newly implemented attacks. And lastly, it provides an easy to use, user friendly graphical user interface.

Build Instructions
First, you need to have Python's setuptools module installed on your machine. You also need to install python-tk and bluepy before installation and build.
In short, you need the following before running the installation script:
  • setuptools
  • python-tk
  • bluepy
You can build the project locally by running the following commands:
$ git clone git@github.com:yakuza8/peniot.git
$ cd peniot
$ python setup.py install
Even though we try to provide an up-to-date installation script, it may have some missing parts, since the project cannot be maintained for long. Please inform us if there is any problem with the installation.
Important note: you need to have Radamsa installed on your machine in order to generate fuzzing payloads for the fuzzing attacks.

Documentation
You can find the Design Overview Document and the Final Design Document under the resources/documents folder. Several diagrams are attached under the resources/diagrams folder. There you will also find the simplest representation of how PENIOT is separated into modules and how it is designed.


Testing
Most of the attacks have their own sample integration tests next to their attack scripts. In order to run those tests, you need a running program for the target protocol. We try to provide example programs for each protocol; server/client scripts can be found under each protocol's examples directory.

Contributors
This project is contributed by the following project members:
  • Berat Cankar
  • Bilgehan Bingöl
  • Doğukan Çavdaroğlu
  • Ebru Çelebi
and is supervised by Pelin Angın.

Developer's Note
Firstly, let me thank you for visiting our project site. We tried to show you how one can penetrate and hack IoT devices over the protocols they use, thanks to end-to-end security attacks. Our main purpose is to hack those devices with generic security attacks. One can simply find specific attacks for any protocol, but, as I said, ours was to provide a generic and extendable penetration framework.
Secondly, PENIOT is developed with Python 2.7, and our code may have gone into a legacy state. Nevertheless, we wanted to share it with the public so that anyone could get insight and inspiration to develop their own penetration tools; that is what makes us happy, if it could happen.
Thirdly, we will also try to port our tool to Python 3 if we can spare the necessary time for that. When it happens, we will announce it on this page as well. Thanks for your attention.
Developer: @yakuza8 (Berat Cankar)


hackerEnv - An Automation Tool That Quickly And Easily Sweep IPs And Scan Ports, Vulnerabilities And Exploit Them


hackerEnv is an automation tool that quickly and easily sweeps IPs, scans ports and vulnerabilities, and exploits them. Then it hands you an interactive shell for further testing. It also generates HTML and docx reports. It uses other tools such as nmap, nikto, metasploit and hydra. It works on Kali Linux and Parrot OS. Do not run it in Qterminal; it works in gnome-terminal, terminator and tmux. I am adding features and vulnerability exploits consistently. Also, soon there will be a GUI version. This tool was NOT coded by a professional, "I do not know what I am doing". By running this program, you are agreeing NOT to run it against any public, corporate or unauthorized networks. Perform testing only when you have authorization to do so. Greetz to @R2k4n

Update Kali/Parrot
apt update; apt upgrade -y

Download hackerEnv
cd /opt/
git clone https://github.com/abdulr7mann/hackerEnv.git
cd /opt/hackerEnv
chmod +x hackerEnv

If you want to use it anywhere on the system, create a shortcut using:
ln -s /opt/hackerEnv/hackerEnv /usr/local/bin/

Usage:
hackerEnv <flag> <argument>

Examples:
hackerEnv -t 10.10.10.10
hackerEnv -t "10.10.10.10\n20.20.20.20"
hackerEnv -t 10.10.10.10 -i eth0
hackerEnv -i eth0 -s 24
hackerEnv -s 24

Flags:
hackerEnv -h, --help Display this help message.
hackerEnv --update Update the tool.
hackerEnv Scan the entire network.
hackerEnv -t Pass a specific target's IP.
hackerEnv -t Pass multiple targets' IPs, e.g. hackerEnv -t "10.10.10.10\n20.20.20.20"
hackerEnv -i Specify an interface.
hackerEnv -a Pass the attacker's IP.
hackerEnv -s Specify the subnetwork prefix length, 24 or 23 etc. (exclude the /)
hackerEnv -e, --aggressive Enable aggressive port scan.
hackerEnv -oA Generate reports in HTML and DOCX format.



Screenshots: in Gnome terminal; in tmux; Report



ADB-Toolkit - Tool for testing your Android device


ADB-Toolkit is a Bash script with 28 options and a Metasploit section with 6 more options, made for easy penetration testing of Android devices. You can do pretty much anything with this script and test whether your Android device is safe or not. The script is built on ADB (Android Debug Bridge), a tool used by developers to debug Android devices; but as we know, everything has two sides, a good and a bad, and I'm not telling you to do bad things, so don't do illegal things or the FBI will find you.
Note: I'm not responsible for anything you do to anyone with this tool; this does not come under my responsibility.
METASPLOIT SECTION: this section consists of scripts related to Metasploit payloads. You can create a payload, install it and launch it without even touching the phone, and you know the power of Metasploit.

Changelogs

Changelog v2.32
Added version checking code
Really big bug fixes
Wiki made

Changelog V2.3
Added multi device support, now 3
Added support for Arch, Fedora, CentOS
Added option to restart the ADB server or not at the beginning of the script
Added option to clear the screen when a specific option is done executing
Fixed the Exit option (was not working)
Simplified the remote connection establishment
Fixed 100's of bugs
Specified the directories for pulling the data
Made the script executable from anywhere in the shell (fixed)

Changelog V2.1
Added Metasploit Section

Added option to restart the ADB server or not in the beginning of the script

Added 7 more options :-
1. COPY ALL DEVICE STORAGE
2. COPY A SPECIFIED FILE OR FOLDER
3. PUT A FILE IN THE VICTIM'S DEVICE
4. LAUNCH AN APPLICATION
5. CHECK IS PHONE ROOTED OR NOT
6. HANG THE PHONE ( Rooted Phone )
7. SEND SMS FROM THE PHONE

Fixed the Remote connection not establishing
Make the script executable from any where in shell

Prerequisite
Before using this tool you must enable USB debugging in the developer settings of the Android device; then you are good to go.
1. Go to Settings
2. Go to About device/tablet
3. Tap Build Number 7 times
4. Developer options will appear
5. Go to Developer options
6. Search for USB Debugging and Install via USB
7. Turn those settings on

Installation
I suggest reinstalling the toolkit or running git pull for every new release.
git clone https://github.com/ASHWIN990/ADB-Toolkit.git

cd ADB-Toolkit

sudo chmod +x install.sh

sudo ./install.sh -i
or
sudo bash install.sh -i

Usage
sudo ./ADB-Toolkit.sh 

or you can do

sudo bash ADB-Toolkit.sh

or you can also do

sudo adb-toolkit (from anywhere in the shell)

ADB-Toolkit Screenshot


Metasploit Section Screenshot




Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Author


NTLMRecon - A Tool To Enumerate Information From NTLM Authentication Enabled Web Endpoints


A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
NTLMRecon is built with flexibility in mind. Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of them put in a single input file? No problem! NTLMRecon has you covered. Read on.

Demo


Overview
NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:
  1. AD Domain Name
  2. Server name
  3. DNS Domain Name
  4. FQDN
  5. Parent DNS Domain
Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.
On every successful discovery of an NTLM enabled web endpoint, the tool enumerates the domain information and saves it to a CSV file with the following columns:
URL                      | Domain Name | Server Name | DNS Domain Name   | FQDN                         | DNS Domain
https://contoso.com/EWS/ | XCORP       | EXCHANGE01  | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net
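The fields in the table above come from the NTLMSSP CHALLENGE_MESSAGE (Type 2) that an NTLM-enabled endpoint returns in its WWW-Authenticate header once a client has sent a Type 1 message. The Python below is an added illustration, not part of NTLMRecon: it assembles a constructed Type 2 message (the server challenge bytes and the flag set are made up for the example), wraps it the way it arrives in a `WWW-Authenticate: NTLM <base64>` header, and decodes the AV_PAIR entries of the TargetInfo block back into the five values of the CSV row. The mapping of AV_PAIR ids to column names (for instance MsvAvDnsTreeName as the parent DNS domain) is an assumption based on the sample row. A defender can feed the header value from their own endpoint's 401 response to parse_www_authenticate to see exactly which internal host and domain names it exposes.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2            # MessageType of the Type 2 message
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids (MS-NLMP 2.2.2.1): EOL, NbComputerName, NbDomainName,
# DnsComputerName, DnsDomainName, DnsTreeName
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN, AV_DNS_TREE = range(6)

# Assumed mapping from AV_PAIR ids to the CSV columns shown above
FIELD_NAMES = {
    AV_NB_DOMAIN: "ad_domain",       # Domain Name
    AV_NB_COMPUTER: "server_name",   # Server Name
    AV_DNS_DOMAIN: "dns_domain",     # DNS Domain Name
    AV_DNS_COMPUTER: "fqdn",         # FQDN
    AV_DNS_TREE: "dns_tree",         # parent DNS Domain
}


def parse_av_pairs(blob):
    """Walk the AV_PAIR list (AvId, AvLen, Value) until MsvAvEOL."""
    found = {}
    offset = 0
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == AV_EOL:
            break
        value = blob[offset:offset + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV_PAIR %d" % av_id)
        offset += av_len
        if av_id in FIELD_NAMES:
            found[FIELD_NAMES[av_id]] = value.decode("utf-16-le")
    return found


def parse_challenge(message):
    """Decode the fixed 48-byte CHALLENGE_MESSAGE header and its TargetInfo payload."""
    if len(message) < 48 or message[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", message, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError("expected CHALLENGE_MESSAGE, got type %d" % msg_type)
    # TargetNameFields at 12, NegotiateFlags at 20, ServerChallenge at 24,
    # Reserved at 32, TargetInfoFields at 40; each *Fields is Len, MaxLen, Offset.
    tn_len, _, tn_off = struct.unpack_from("<HHI", message, 12)
    (flags,) = struct.unpack_from("<I", message, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", message, 40)
    if tn_off + tn_len > len(message) or ti_off + ti_len > len(message):
        raise ValueError("field offsets point outside the message")
    info = {"target_name": message[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NEGOTIATE_TARGET_INFO:
        info.update(parse_av_pairs(message[ti_off:ti_off + ti_len]))
    return info


def parse_www_authenticate(header_value):
    """Take the value of a 401's WWW-Authenticate header ('NTLM <base64>')."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        # A bare 'NTLM' only advertises the scheme; the challenge follows a Type 1.
        raise ValueError("header carries no NTLM challenge token")
    return parse_challenge(base64.b64decode(token))


def build_challenge(target_name, av_values, server_challenge=b"\x11" * 8):
    """Assemble a minimal Type 2 message (constructed for testing, not captured)."""
    target = target_name.encode("utf-16-le")
    info = b"".join(
        struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
        for av_id, v in av_values
    ) + struct.pack("<HH", AV_EOL, 0)
    header_len = 48  # no optional Version field
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", CHALLENGE_MESSAGE)
            + struct.pack("<HHI", len(target), len(target), header_len)
            + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO)
            + server_challenge
            + b"\x00" * 8
            + struct.pack("<HHI", len(info), len(info), header_len + len(target))
            + target + info)


# Constructed sample matching the CSV row above; no real host was queried.
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_challenge("XCORP", [
    (AV_NB_DOMAIN, "XCORP"),
    (AV_NB_COMPUTER, "EXCHANGE01"),
    (AV_DNS_DOMAIN, "xcorp.contoso.net"),
    (AV_DNS_COMPUTER, "EXCHANGE01.xcorp.contoso.net"),
    (AV_DNS_TREE, "contoso.net"),
])).decode("ascii")

if __name__ == "__main__":
    for key, value in parse_www_authenticate(SAMPLE_HEADER).items():
        print("%-12s %s" % (key, value))
```

The parser checks the signature, message type and field offsets before touching the payload, so a malformed or non-NTLM header fails with a ValueError instead of an index error; a bare `NTLM` value, which only advertises the scheme, is rejected for the same reason.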

Installation

BlackArch
NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon

Arch
If you're on Arch Linux or any Arch linux based distribution, you can grab the latest build from the Arch User Repository.

PyPI
You can simply run pip install ntlmrecon to fetch the latest build from PyPI

Build from source
  1. Clone the repository : git clone https://github.com/sachinkamath/ntlmrecon/
  2. RECOMMENDED - Install virtualenv : pip install virtualenv
  3. Start a new virtual environment : virtualenv venv and activate it with source venv/bin/activate
  4. Run the setup file : python setup.py install
  5. Run ntlmrecon : ntlmrecon --help

Usage

$ ntlmrecon --help

_ _ _____ _ ___ _________
| \ | |_ _| | | \/ || ___ \
| \| | | | | | | . . || |_/ /___ ___ ___ _ __
| . ` | | | | | | |\/| || // _ \/ __/ _ \| '_ \
| |\ | | | | |____| | | || |\ \ __/ (_| (_) | | | |
\_| \_/ \_/ \_____/\_| |_/\_| \_\___|\___\___/|_| |_|

v.0.2 beta - Y'all still exposing NTLM endpoints?


usage: ntlmrecon [-h] [--input INPUT | --infile INFILE] [--wordlist WORDLIST] [--threads THREADS] [--output-type] [--outfile OUTFILE] [--random-user-agent] [--force-all] [--shuffle] [-f]

optional arguments:
-h, --help show this help message and exit
--input INPUT Pass input as an IP address, URL or CIDR to enumerate NTLM endpoints
--infile INFILE Pass input from a local file
--wordlist WORDLIST Override the internal wordlist with a custom wordlist
--threads THREADS Set number of threads (Default: 10)
--output-type, -o Set output type. JSON (TODO) and CSV supported (Default: CSV)
--outfile OUTFILE Set output file name (Default: ntlmrecon.csv)
--random-user-agent TODO: Randomize user agents when sending requests (Default: False)
--force-all Force enumerate all endpoints even if a valid endpoint is found for a URL (Default : False)
--shuffle Break order of the input files
-f, --force Force replace output file if it already exists


Example Usage

Recon on a single URL
$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

Recon on a CIDR range or IP address
$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv

Recon on an input file
The tool automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.
Input file can be something as mixed up as :
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
To run recon with an input file, just run :
$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv

Acknowledgements

Feedback
If you'd like to see a feature added into the tool or something doesn't work for you, please open a new issue.



Lazybee - Wordlist Generator Tool for Termux


Lazybee is a Python-based script with which you can generate random wordlists for brute-force attacks. The tool has unique features such as wordlist generation time calculation and direct .txt saving in the current directory. It works on both rooted and non-rooted Android devices.

lazybee is available for
  • Termux

Installation and usage guide
$ apt-get update -y
$ apt-get upgrade -y
$ pkg install python -y 
$ pkg install python2 -y
$ pkg install git -y
$ pip install requests
$ pip install random
$ ls
$ git clone https://github.com/noob-hackers/lazybee
$ ls
$ cd lazybee
$ ls
$ python2 lazybee.py
Example:
Enter the number of characters: 8
Name your wordlist with (.txt) extension: pass.txt
WOW... you just created a wordlist the hacker's way.

Warning
This tool is only for educational purpose. If you use this tool for other purposes except education we will not be responsible in such cases.


Kali-Linux-Tools-Interface - Graphical Web Interface Developed To Facilitate The Use Of Security Information Tools


A graphical interface to use information security tools by the browser.

Getting Started
Kali Linux Tools Interface is a graphical interface to use information security tools by the browser. The project uses the Kali Linux tools as a reference because it is the distribution that has the largest package of native tools.

Prerequisites
  • A Debian-based distribution (preferably Kali Linux)
  • The information security tools installed
  • Apache / Nginx service running
  • SSH Service running
  • Shell In A Box (if you want to use the Terminal)
    • To install Shell In A Box, use the following command: sudo apt-get install shellinabox

Installation
  1. Extract the contents to the folder of your web server.
  2. Create a database called kali in MySQL and import the file assets/database.sql.
  3. Edit the file assets/includes/config.php and set your settings.
  4. Enjoy!

Screenshots

Dashboard



Tools list


Choose and use it!


More screenshots:
Check the documentation for more screenshots!

Built With

Contributing
Contributions are always welcome! If you would like to contribute to the project, please use the Google Forms to send me your Feedback.

Contact
Lucas Fraga - ti.lucasfraga@gmail.com
Project Link: https://github.com/lucasfrag/Kali-Linux-Tools-Interface


Onex - A Library Of Hacking Tools For Termux And Other Linux Distributions


"onex a hacking tools library." Onex is a Kali Linux hacking tools installer for Termux and other Linux distributions. It's a package manager for hackers. onex manages a large number of hacking tools that can be installed with a single click. Using onex, you can install all hacking tools in Termux and other Linux based distributions. onex can install more than 370 Kali Linux hacking tools. Use the onex install [tool_name] command to install any hacking tool.


Operating System Requirements
onex works on any of the following operating systems:
  • Android (Using the Termux App)
  • Linux (Linux Based Systems)

How to Install
Open the terminal and type following commands.
  • apt update
  • apt install git
  • git clone https://github.com/rajkumardusad/onex.git
  • chmod +x onex/install
  • sh onex/install (if that does not work, use ./onex/install)

How to use onex ?

CLI Mode :
onex -h or onex help for help.
Options :
  • onex install [tool_name] install any tool.
  • onex -i [tool_name] install any tool.
  • onex search [tool_name] search any tool.
  • onex -s [tool_name] search any tool.
  • onex list list all tools.
  • onex list -a list all tools.
  • onex -l list all tools.
  • onex -l -a list all tools.
  • onex help get help.
  • onex -h get help.

Menu Mode :
onex start to start onex menu mode.
Enter a Number for a specific output:
  • (1) : To show all available tools and type the number of a tool which you want to install.
  • (2) : To show tools category.
  • (3) : If you want to update onex.
  • (4) : If you want to know About Us.
  • (5) : To exit the tool.

Warning
Please use this tool at your own risk!


Quiver - Tool To Manage All Of Your Tools For Bug Bounty Hunting And Penetration Testing


Quiver is the tool to manage all of your tools. It's an opinionated and curated collection of commands, notes and scripts for bug bounty hunting and penetration testing.

Features
  • ZSH / Oh-My-ZSH shell plugin
  • Tab auto-completion
  • Global variables
  • Prefills the command line, doesn't hide commands from you
  • Built-in logbook for on-the-fly notes, saving commands
  • Renders markdown notes to the command line
  • Runs custom scripts
  • Modular, easy updates
  • Installation of all dependencies with qq-install
  • Bounty scope generators
  • Add your own custom aliases and functions in modules/qq-custom.zsh

Requirements
  • ZSH
  • oh-my-zsh
  • Kali Linux
  • Dependent packages

Installation
Clone the repo to your custom plugins folder.
git clone https://github.com/stevemcilwain/quiver.git ~/.oh-my-zsh/custom/plugins/quiver
cd ~/.oh-my-zsh/custom/plugins/quiver
git config core.fileMode false
cd -
Edit ~/.zshrc to load the plugin.

plugins=(git quiver)
Source .zshrc

source ~/.zshrc

Setting up Kali Linux Dependencies
To install dependent packages, data and tools run the included install script. This will only install the tools needed in the plugin (previous install script was too large).

qq-install

Usage
Use tab completion to view commands.

qq-<tab>

Namespaces
Quiver is organized into namespaces for easy tab navigation:
  • qq-install, qq-update, qq-debug, qq-status
  • qq-log
  • qq-bounty
  • qq-project
  • qq-loq: create, log and view a running logbook for your notes and commands
  • qq-recon
  • qq-recon-asns
  • qq-recon-cidr
  • qq-recon-domains
  • qq-recon-github
  • qq-recon-subs
  • qq-enum
  • qq-enum-network
  • qq-enum-host
  • qq-enum-dns
  • qq-enum-ftp
  • qq-enum-kerb
  • qq-enum-ldap
  • qq-enum-rdp
  • qq-enum-smb
  • qq-enum-web
  • qq-enum-web-aws
  • qq-enum-web-dirs
  • qq-enum-web-vuln
  • qq-enum-web-xss
  • qq-pivot
  • qq-encoding
  • qq-notes
  • qq-scripts
  • qq-srv
  • qq-vars
Quiver also sets up helpful shell aliases and functions (qq-aliases).

Notes
Specify where your markdown notes are stored by setting / exporting the __NOTES variable in your .zshrc for use with qq-notes.

Scripts
Sometimes scripts are invoked from modules and those are stored in the /scripts subfolder.


Permission Manager - A Project That Brings Sanity To Kubernetes RBAC And Users Management, Web UI FTW


Welcome to the Permission Manager!
Permission Manager is an application developed by SIGHUP that enables a super-easy and user-friendly RBAC management for Kubernetes. If you are looking for a simple and intuitive way of managing your users within a Kubernetes cluster, this is the right place.
With Permission Manager, you can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice&easy web UI.

Screenshots
First Page


Creating a user


Creating a user - Summary


  • User's Kubeconfig*


Installation
To deploy and run the Permission Manager on your cluster, follow the installation guide

Development Setup
We love contributions from the community.
Learn how-to-contribute

FAQ

How it works
The application allows us to define and select permission standard templates (those defining who can do what, within a namespace or globally) and associate them with all the users you might want to create.
The template system is an abstraction over ClusterRoles, RoleBindings, and ClusterRoleBindings.
Do we plan to use CRDs and custom labels? Sure, it's in the product roadmap.

What is a template
A template is a ClusterRole whose name starts with the prefix template-namespaced-resources___, for example template-namespaced-resources___developer.

Why a template is not a CRD
When we started development of this project, a template mapped one-to-one to a ClusterRole, so a CRD looked like overkill. This will change in the future to avoid polluting ClusterRoles and to encapsulate more precisely what is owned by Permission Manager.

How to add a new template
Create a ClusterRole whose name starts with template-namespaced-resources___ and apply it.

Default templates
The developer and operation default templates can be created by applying the manifest located at k8s/k8s-seeds/seed.yml:
kubectl apply -f k8s/k8s-seeds
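
The following is an added example, not Permission Manager's own code. It models the template abstraction the FAQ describes: a template is a ClusterRole carrying the documented prefix, and granting it to one user inside one namespace is done with a RoleBinding whose roleRef points at that ClusterRole (a RoleBinding may reference a ClusterRole, and the grant is then confined to the binding's namespace; that is standard Kubernetes RBAC). It also adds a least-privilege check a cluster operator would want before applying a template that many users will inherit. The binding name format, the helper names and the sample manifests are assumptions of this example.

```python
"""Added example, not Permission Manager's own code. Template prefix from the
README; binding naming scheme, helper names and sample manifests are assumed."""
import json

TEMPLATE_PREFIX = "template-namespaced-resources___"   # prefix from the README
RBAC_GROUP = "rbac.authorization.k8s.io"


def template_name(clusterrole_name: str) -> str:
    """Strip the prefix; raise if this ClusterRole is not a template."""
    if not clusterrole_name.startswith(TEMPLATE_PREFIX):
        raise ValueError(f"not a template ClusterRole: {clusterrole_name}")
    short = clusterrole_name[len(TEMPLATE_PREFIX):]
    if not short:
        raise ValueError("template name after the prefix must not be empty")
    return short


def list_templates(clusterroles: list) -> list:
    """Template short names found in a list of ClusterRole manifests (dicts)."""
    return sorted(template_name(cr["metadata"]["name"]) for cr in clusterroles
                  if cr["metadata"]["name"].startswith(TEMPLATE_PREFIX))


def wildcard_rules(clusterrole: dict) -> list:
    """Least-privilege check: indexes of rules that use '*' for verbs or
    resources. A template is handed to many users, so a wildcard here is
    worth a second look before the template is applied."""
    flagged = []
    for i, rule in enumerate(clusterrole.get("rules", [])):
        if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
            flagged.append(i)
    return flagged


def namespaced_binding(user: str, template: str, namespace: str) -> dict:
    """RoleBinding granting `template` to `user` in `namespace` only.
    roleRef.kind is ClusterRole, but because the binding itself is a
    namespaced RoleBinding the rules apply inside that namespace only."""
    return {
        "apiVersion": f"{RBAC_GROUP}/v1",
        "kind": "RoleBinding",
        "metadata": {
            # assumed naming scheme for the example, not the project's
            "name": f"{user}___{template}___{namespace}",
            "namespace": namespace,
        },
        "subjects": [{"kind": "User", "name": user, "apiGroup": RBAC_GROUP}],
        "roleRef": {"kind": "ClusterRole",
                    "name": TEMPLATE_PREFIX + template,
                    "apiGroup": RBAC_GROUP},
    }


# Constructed sample ClusterRoles: two templates and one unrelated role.
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": TEMPLATE_PREFIX + "developer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": TEMPLATE_PREFIX + "operation"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "system:node"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}]},
]

if __name__ == "__main__":
    print("templates:", list_templates(SAMPLE_CLUSTERROLES))
    for cr in SAMPLE_CLUSTERROLES:
        print(cr["metadata"]["name"], "wildcard rules:", wildcard_rules(cr))
    print(json.dumps(namespaced_binding("alice", "developer", "team-a"), indent=2))
```

Run it directly to see the template list, the wildcard audit (the sample "operation" template is flagged) and the generated RoleBinding; the same shape of binding, applied to the user's namespace, is what scopes a cluster-wide template to a single namespace.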

What is a user
A user is a custom resource of kind permissionmanagerusers.permissionmanager.user.

Commercial & Enterprise Support
Are you using Permission Manager in your clusters and looking for commercial support? Let us know and get in touch


AuthMatrix - A Burp Suite Extension That Provides A Simple Way To Test Authorization


AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are structured in a similar format to that of an access control matrix common in various threat modeling methodologies.
Once the tables have been assembled, testers can use the simple click-to-run interface to kick off all combinations of roles and requests. The results can be confirmed with an easy to read, color-coded interface indicating any authorization vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.

Installation
AuthMatrix can be installed through the Burp Suite BApp Store. From within Burp Suite, select the Extender tab, select the BApp Store, select AuthMatrix, and click install.
For manual installation, download AuthMatrix.py from this repository. Then, from within Burp Suite, select the Extender tab, click the Add button, change the Extension type to Python, and select the AuthMatrix Python file.

Note
AuthMatrix requires configuring Burp Suite to use Jython. Easy instructions for this are located at the following URL.
https://portswigger.net/burp/help/extender.html#options_pythonenv
Be sure to use Jython version 2.7.0 or greater to ensure compatibility.

Basic Usage
  1. Create roles for all privilege levels within the target application. (Common roles may include User, Admin, and Anonymous)
  2. Create enough users to fit these various roles and select the checkboxes for all roles that the user belongs to. "Single-User" roles containing just the one user will be configured automatically to assist in cross-user resource testing. If these are not needed, feel free to delete these roles by right-clicking the column in the Request Table.
  3. Generate session tokens for each user from the Repeater tab and enter them into the relevant column within the Users Table. Cookies can be sent directly to the users via the right click menu available in Repeater. AuthMatrix will intelligently parse the cookie string from the table and substitute/add them to the requests where applicable.
    • NOTE: The Cookies field is optional. If the target uses HTTP headers instead, these can be added by clicking the "New Header" button.
    • For more advanced configurations, including automated refreshing of credentials, see the "Chains for Authenticating Users" example below.
  4. From another area of Burp Suite (i.e. Target tab, Repeater Tab, etc) right click a request and select "Send to AuthMatrix."
  5. In the Request Table of AuthMatrix, select the checkboxes for all roles that are authorized to make each HTTP request.
  6. Customize a Response Regex based on the expected response behavior of the request to determine if the action has succeeded.
    • Common regexes include HTTP Response headers, success messages within the body, or other variations within the body of the page.
    • NOTE: Requests can be configured to use a Failure Regex instead through the right-click menu (i.e. Authenticated users should never receive an HTTP 303)
  7. Click Run at the bottom to run all requests or right click several requests and select run. Observe that the adjacent table will show color-coded results.
    • Green indicates no vulnerability detected
    • Red indicates the request may contain a vulnerability
    • Blue indicates that the result may be a false positive. (This generally means there is an invalid/expired session token or an incorrect regex)

Sample AuthMatrix Configuration


False Positives Detected (Invalid Session Tokens)


Advanced Usage

Chains
Chains provide a way to copy a static or dynamic value into the body of a request. These values can be pulled from the response of a previously run request (using a regex) or by specifying user-specific static string values.
The most common use cases for Chains are:
  1. Populating requests with valid CSRF Tokens
  2. Testing newly created IDs/GUIDs for cross-user authorization issues
  3. Automating authentication and session refreshing
A Chain entry has the following values:
  • Chain Name: a descriptive name
  • Source: a static user string defined in the User Table or the ID of the source request in the Request table
  • Extraction Regex: a regex used to extract a value from the response of the source request. This field is only used when a Request is specified in the previous field. If used, this must contain one parenthesis grouping that is to be extracted [i.e. (.*)]
  • Destinations: a list of Request IDs that the source value will be replaced into.
  • Replacement Regex: a regex used to determine where the source value is to be inserted. This must contain one parenthesis grouping to be replaced [i.e. (.*)]
  • Use Values From: specify whether to use the source value obtained from one selected user (useful for cross-user resource tests) or to use the values from all users and place them into their corresponding user's destination requests (useful for automation tasks like CSRF token retrieval)
NOTE: Requests are run in order of row, however, if a chain dependency is detected, AuthMatrix will run the requests in the required order.
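
The following is an added example, not AuthMatrix's own code, that reproduces the chain mechanics just described: a value comes either from a static per-user string or from a source request's response via a one-group extraction regex, and is then written into each destination request at the one-group replacement regex, either per user ("all") or from one selected user for cross-user tests. It also re-orders requests so that a chain's source runs before its destinations. The class and function names, the sample requests and the sample responses are constructed for this example.

```python
"""Added example, not AuthMatrix's own code. Names, sample requests and
sample responses are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Key = Tuple[int, str]          # (request id, user name)


@dataclass
class Chain:
    name: str
    source: Union[int, Dict[str, str]]   # request id, or static value per user
    extraction_regex: Optional[str]      # only used when source is a request id
    destinations: List[int]
    replacement_regex: str
    use_values_from: str                 # "all" or the name of one user


def one_group(regex: str) -> "re.Pattern":
    """Both regex fields must contain exactly one capturing group."""
    pattern = re.compile(regex)
    if pattern.groups != 1:
        raise ValueError(f"regex must have exactly one group: {regex!r}")
    return pattern


def extract(regex: str, response: str) -> Optional[str]:
    match = one_group(regex).search(response)
    return match.group(1) if match else None


def inject(regex: str, request: str, value: str) -> str:
    """Replace only the captured group, leaving the rest of the match intact."""
    match = one_group(regex).search(request)
    if match is None:
        return request
    return request[:match.start(1)] + value + request[match.end(1):]


def source_values(chain: Chain, users: List[str],
                  responses: Dict[Key, str]) -> Dict[str, Optional[str]]:
    if isinstance(chain.source, dict):
        return dict(chain.source)
    return {u: extract(chain.extraction_regex, responses[(chain.source, u)]) for u in users}


def apply_chain(chain: Chain, users: List[str], responses: Dict[Key, str],
                requests: Dict[Key, str]) -> Dict[Key, str]:
    """Return a copy of `requests` with the chain value written into every
    destination request of every user."""
    values = source_values(chain, users, responses)
    out = dict(requests)
    for rid in chain.destinations:
        for user in users:
            src = user if chain.use_values_from == "all" else chain.use_values_from
            value = values.get(src)
            if value is not None:
                out[(rid, user)] = inject(chain.replacement_regex, out[(rid, user)], value)
    return out


def run_order(row_order: List[int], chains: List[Chain]) -> List[int]:
    """Row order, except that a source request is pulled ahead of its destinations."""
    deps = {rid: set() for rid in row_order}
    for chain in chains:
        if isinstance(chain.source, int):
            for dest in chain.destinations:
                deps[dest].add(chain.source)
    order, done = [], set()

    def visit(rid, stack=()):
        if rid in done:
            return
        if rid in stack:
            raise ValueError(f"cyclic chain dependency at request {rid}")
        for dep in sorted(deps[rid], key=row_order.index):
            visit(dep, stack + (rid,))
        done.add(rid)
        order.append(rid)

    for rid in row_order:
        visit(rid)
    return order


# Constructed sample: two users, three requests, two chains.
USERS = ["alice", "bob"]
REQUESTS = {(1, u): "GET /profile" for u in USERS}
REQUESTS.update({(2, u): "POST /update\r\n\r\ncsrf=PLACEHOLDER&name=x" for u in USERS})
REQUESTS.update({(3, u): "GET /docs/0" for u in USERS})
RESPONSES = {(1, u): f'<form><input name="csrf" value="tok-{u}"></form>' for u in USERS}

CSRF_CHAIN = Chain("csrf", source=1, extraction_regex=r'name="csrf" value="([^"]+)"',
                   destinations=[2], replacement_regex=r"csrf=([^&]+)", use_values_from="all")
# cross-user test: every user requests alice's document id
DOC_CHAIN = Chain("alice-doc", source={"alice": "101", "bob": "202"}, extraction_regex=None,
                  destinations=[3], replacement_regex=r"/docs/(\d+)", use_values_from="alice")

if __name__ == "__main__":
    print(run_order([2, 1, 3], [CSRF_CHAIN, DOC_CHAIN]))
    filled = apply_chain(DOC_CHAIN, USERS, RESPONSES,
                         apply_chain(CSRF_CHAIN, USERS, RESPONSES, REQUESTS))
    for key in sorted(filled):
        print(key, repr(filled[key]))
```

With the rows listed as 2, 1, 3, run_order moves request 1 ahead of request 2 because the CSRF chain depends on it; the CSRF chain then gives each user their own token, while the document chain gives both users alice's id, which is the setup for a cross-user resource test.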

Chains for CSRF


Chains for Cross-User Resource Tests


Chains for Authenticating Users


Failure Regex Mode
For certain targets, it may be easier to configure AuthMatrix to detect the response condition of a failed request: for example, a target site that returns unique data on successful requests but always returns an HTTP 303 when an unauthorized action is attempted.
In this mode, AuthMatrix checks that the failure regex matches for every user who is not part of a succeeding role.
To do this, right click the request and select "Toggle Regex Mode". The regex field will be highlighted in purple to indicate that AuthMatrix will run the request in Failure Regex Mode.
NOTE: False positive detection and highlighting may not work in Failure Regex Mode
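
The following is an added example, not AuthMatrix's own code. It applies the evaluation rules from the Basic Usage and Failure Regex Mode sections to a constructed target: users belong to roles, each request lists the roles allowed to make it, and a regex on the response decides whether the action succeeded (or, in failure mode, failed). The colour mapping follows the README; treating a failure-regex match for an authorized user as "blue" is this example's own choice, since the README says false-positive detection may not work in that mode. The fake target, its sessions and its deliberately broken endpoint are constructed for the example.

```python
"""Added example, not AuthMatrix's own code. The fake target and its
sessions are constructed; colour rules follow the README."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

GREEN, RED, BLUE = "green", "red", "blue"


@dataclass
class User:
    name: str
    roles: Set[str]
    cookie: str


@dataclass
class Request:
    rid: int
    method: str
    path: str
    authorized_roles: Set[str]
    regex: str                 # success regex, or failure regex when failure_mode
    failure_mode: bool = False


def evaluate(user: User, request: Request, response: str) -> str:
    matched = re.search(request.regex, response) is not None
    authorized = bool(user.roles & request.authorized_roles)
    if request.failure_mode:
        # the failure regex must match for every user not in a succeeding role
        if not authorized:
            return GREEN if matched else RED
        return BLUE if matched else GREEN      # example's own choice (see lead-in)
    if authorized:
        # expected success did not happen: likely a dead session or a bad regex
        return GREEN if matched else BLUE
    return RED if matched else GREEN


def run_matrix(users: List[User], requests: List[Request],
               send: Callable[[Request, User], str]) -> Dict[Tuple[int, str], str]:
    return {(r.rid, u.name): evaluate(u, r, send(r, u)) for r in requests for u in users}


def findings(results: Dict[Tuple[int, str], str], colour: str = RED) -> List[Tuple[int, str]]:
    return sorted(k for k, v in results.items() if v == colour)


# --- constructed fake target ------------------------------------------------
VALID_SESSIONS = {"session=admin-123": "Admin", "session=user-456": "User"}


def fake_target(request: Request, user: User) -> str:
    role = VALID_SESSIONS.get(user.cookie)      # None: anonymous or expired cookie
    if request.path == "/admin":
        if role == "Admin":
            return "HTTP/1.1 200 OK\r\n\r\nAdmin panel"
        return "HTTP/1.1 303 See Other\r\nLocation: /login\r\n\r\n"
    if request.path == "/api/users":
        # constructed authorization flaw: the listing is served to everyone
        return 'HTTP/1.1 200 OK\r\n\r\n[{"id": 1}]'
    return "HTTP/1.1 404 Not Found\r\n\r\n"


USERS = [
    User("admin", {"Admin"}, "session=admin-123"),
    User("bob", {"User"}, "session=user-456"),
    User("anon", {"Anonymous"}, ""),
    User("stale-admin", {"Admin"}, "session=admin-old"),   # expired token
]
REQUESTS = [
    Request(1, "GET", "/admin", {"Admin"}, r"^HTTP/1\.1 200"),
    Request(2, "GET", "/api/users", {"Admin"}, r"^HTTP/1\.1 200"),
    Request(3, "GET", "/admin", {"Admin"}, r"^HTTP/1\.1 303", failure_mode=True),
]

if __name__ == "__main__":
    results = run_matrix(USERS, REQUESTS, fake_target)
    for key in sorted(results):
        print(key, results[key])
    print("possible vulnerabilities:", findings(results))
    print("possible false positives:", findings(results, BLUE))
```

Running it shows the three outcomes side by side: request 2 turns red for bob and anon (the broken endpoint answers 200 to unauthorized users), request 1 turns blue for stale-admin (an authorized user whose expired session never produces the expected 200), and request 3 shows the same target evaluated in failure-regex mode.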

Sample Configuration with Failure Regex Mode


JSON State File
Refer to the JsonState document for details regarding the structure of state files


Autoenum - Automatic Service Enumeration Script


Autoenum is a recon tool which performs automatic enumeration of discovered services. I built this to save some time during CTFs and pen-testing environments (i.e. HTB, VulnHub, OSCP); it draws a bit from a number of existing tools including AutoRecon (https://github.com/Tib3rius/AutoRecon), Auto-Recon (https://github.com/Knowledge-Wisdom-Understanding/Auto-Recon), and nmapAutomator (https://github.com/21y4d/nmapAutomator). It could also be used in a real-life pentesting engagement. Currently it has only been tested on Kali. If you notice a bug or have a feature request not in the to-do list, please submit an issue or let me know some other way (Discord preferred). Thanks and enjoy autoenum!

How it Works
Autoenum first runs two nmap scans in tandem: one looks specifically for service versions to run against searchsploit, and the other depends on the chosen scan profile. Every scan profile checks for running services; the type of scan is the only difference. After the scans finish, the open ports/services and operating system, along with script output (if available), are extracted and analyzed further. If a certain service is found, Autoenum begins enumerating it by firing off a number of tools and creates a directory for that service (e.g. detecting HTTP starts up nikto, wafw00f, gobuster, and others). If a required dependency is not detected, it is installed automatically and checked for updates every time the tool is run. Autoenum outputs this information in two main sections (scan type and loot directories) with subdirectories branching off depending on what is found.

Installation
git clone https://github.com/thatonetester/autoenum.git

Running Autoenum From Anywhere
cp ~/autoenum/autoenum.sh /usr/bin/autoenum
chmod o+x /usr/bin/autoenum

autoenum

What's new

Version 1.1
  • First version: HTTP and SMB enumeration added, and the mess of code it was before split into functions
  • Aggressive scan added, included nmap-to-searchsploit scan for version exploit searching
  • Added getopts for argument parsing to replace patchwork position-based conditionals

Version 1.2
  • Added help menu and logic to detect dependencies
  • Fixed terminal breaking issue (kinda, open to ideas if there is anything better than clearing terminal output).

Version 1.3
  • Fixed simultaneous scan issue so that both scans fire at the same time now and have a few tools for certain service enumerations to run in background as others stay in foreground to save time

Version 1.4
  • Added enumeration for various services including LDAP, SNMP, SMTP, oracle and FTP and banner
  • Added file containing all commands run in case a command failed
  • installs tools not detected and checks if all are up-to-date

Version 1.4.1
  • fixed searchsploit encoding issue where parts were being displayed as encoded when read from a text editor

Version 2.0
  • Autoenum now runs as a console tool similar to msfconsole.

Version 2.0.1
  • persistent shell command

Version 2.4 (Work in Progress)
  • adding vuln scan profile and combined scans
  • imap, mysql, redis, cups, ipp enumeration

Dependencies
Your OS may or may not have some installed by default. Not to worry, autoenum recognizes tools not installed and installs them for you, even updating if they aren't up-to-date!
  • nmap
  • nikto
  • gobuster
  • whatweb
  • onesixtyone
  • snmp-check
  • snmpwalk
  • fierce
  • dnsenum
  • dnsrecon
  • sslscan
  • uniscan
  • snmp-user-enum
  • oscanner
  • wafw00f
  • odat
  • searchsploit
  • rpcbind
  • tput
  • jq

Thanks
Dievus



reNgine - An Automated Reconnaissance Framework Meant For Gathering Information During Penetration Testing Of Web Applications


reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan websites and endpoints and gather information. The beauty of reNgine is that it gathers everything in one place, in a reconnaissance pipeline that can be customized.
reNgine can be very useful when you have a domain and want to recon it: gather endpoints, perform directory and file search, perform visual reconnaissance, and collect the results in one place.
Suppose you have the domain hackerone.com; reNgine can scan it according to your defined scan engine and gather all the results in one place. reNgine makes use cases possible like "I want to search for the subdomain whose page title is "Dashboard" and whose page status is 200, and quickly have a look at the screenshot".
Another use case could be, "I want to list all subdomains that use PHP and where the HTTP status is 200!"
On the endpoints side, reNgine gathers URL endpoints using tools like gau, which collects URLs from many sources such as Common Crawl, the Wayback Machine, etc.
reNgine makes use cases possible like "search the URLs that have the extension .php and HTTP status 200!"
Also, if you are looking for open redirection, you can quickly search for =http and look for HTTP status 30X; this gives high accuracy for open redirection with minimal effort.

What it is not
reNgine is not a:
  • Vulnerability scanner!
  • Reconnaissance with high accuracy (No! reNgine, uses other open-source tools, to make this pipeline possible. The accuracy and capability of reNgine is also dependent on those tools)
  • Speed oriented recon framework with immediate results

Screenshots

Scan results



Gathered Endpoints


Of course, at this point, reNgine does not give the best of the best results compared to other tools, but it certainly requires minimal effort. Also, I am continuously adding new features. You may help me on this journey by creating a PR filled with new features and bug fixes. Please have a look at the Contributing section before doing so.

Flow



Getting Started
To get a local copy up and running follow these simple example steps.
git clone https://github.com/yogeshojha/rengine.git
cd rengine

Prerequisites
  • Docker
    • Install docker based on your OS from here
  • docker-compose
    • Installation instructions for docker-compose from here

Installation
Assuming that you have followed the above steps and are inside the rengine directory:
docker-compose up --build
The build process may take some time.

Usage
reNgine does fingerprinting, port scanning, and banner grabbing which might be illegal in some countries. Please make sure you are authorized to perform reconnaissance on the targeted domain before using this tool.
If the installation is successful, then you can simply run reNgine by using the command
docker-compose up -d
The web application can then be accessed from http://localhost:8000

Contributing
Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. Your contributions could be as simple as fixing the indentations or fixing UI to as complex as bringing new modules and features.
See contributing guide to get started.

First-time Open Source contributors
Please note that reNgine is beginner-friendly. If you have never done any open-source yet, we encourage you to do so. We will be happy and proud of your first PR ever.
You can begin with resolving any open issues.

Acknowledgements and Credits
reNgine is just a pipeline of recon. reNgine would not have been possible without the following individuals/organizations.
Also, some of the icons and images used in reNgine are from Freepik and Flaticon.


Sitedorks - Search Google/Bing/DuckDuckGo/Yandex/Yahoo For A Search Term With Different Websites


Search Google, Bing, Yahoo or Yandex for a search term across different websites. A default list is already provided, which contains Github, Gitlab, Surveymonkey, Trello, etc. Currently, a default list of 231 dorkable websites is available. The current categories on file are:
  • analysis(10)
  • cloud(34)
  • code(35)
  • comm(27)
  • companies(3)
  • docs(36)
  • edu(2)
  • forms(11)
  • orgs(11)
  • other(4)
  • remote(1)
  • shortener(15)
  • social(39)
  • storage(3)

Why sitedorks?
Why wouldn't you just enter dorks for several websites manually? Because:
  • It's really easy to query different search engines.
  • Dorks can be executed per 1 or more categories.
  • It's easy to create different input files for different uses.
  • Adding new websites to your search query can be arranged by just adding them to an input file.
  • It already has a lot of dorkable websites included.
  • The list with dorkable websites is updated regularly.
  • Some search engines ignore too many keywords/characters in a query and with argument -count it's easy to split your dork into more queries.
  • It contains a list for Bugcrowd, HackerOne, Intigrity and YesWeHack. With 1 command you can search domains of programs on several bug bounty platforms :)

Install
Sitedorks should be able to run on a default Kali Linux installation without installing additional Python packages. If you run into trouble running sitedorks, please drop me an issue and I'll try to fix it :)

Usage
usage: sitedorks [-h] [-cat <category>] [-count <count>] [-engine <engine>] [-file <file>] [-query <query>]
[-site <on|off|inurl>] [-excl <domains>] [-echo]

Use your favorite search engine to search for a search term with different websites. Use single quotes around
a query with double quotes. Be sure to enclose a query with single quotes it contains shell control characters
like space or ';', '>', '|', etc.

optional arguments:
-h, --help Show this help message, print categories on file (add -file to check other CSV
file) and exit.
-cat <category> Choose from 1 or more categories, use ',' (comma) as delimiter. Defaults to all
categories.
-count <count> How many websites checked per query. Google has a maximum length for queries.
-engine <engine> Search with 'google', 'baidu' , 'bing', 'duckduckgo' 'yahoo' or 'yandex', defaults
to 'google'.
-file <file> Enter a custom website list.
-query <query> Enter a mandatory search term.
-site <on|off|inurl> Turn the 'site:' operator 'on' or 'off', or replace it with 'inurl:' (only for
Google), defaults to 'on'.
-excl <domains> Excluded these domains from the search query.
-echo Prints the search query URLs, for further use like piping or bookmarking.


Examples
Want to look for "uber.com" with different sites containing all kinds of content using Google? Use the following command:
sitedorks -query '"uber.com"'
Want to look for "uber website" (with quotes and spaces in the query)? Use the following command:
sitedorks -query '"uber website"'
Want to search for communication invites with yandex but leave site: out of the query? Just use the following command:
sitedorks -cat comm -site disable -engine yandex -query uber
And if you want to see which categories are on file, for example with the hackerone platform:
sitedorks -file sitedorks-hackerone.csv -cats
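
The following is an added example, not the sitedorks code itself. It shows the query-building part of what the README describes: read a category/site list, filter it by category and exclusions, split the sites into groups of `count` so that each query stays within an engine's length limit, and emit one search URL per group with either the site: or inurl: operator. The CSV layout, the engine URL prefixes, the function names and the sample sites are assumptions of this example, not the project's own.

```python
"""Added example, not the sitedorks code. CSV layout, engine URL prefixes,
function names and sample sites are assumed for this example."""
import csv
import io
from typing import Iterable, List
from urllib.parse import quote_plus

# Constructed sample in a category,site layout (the project ships its own list).
SAMPLE_CSV = """category,site
code,github.com
code,gitlab.com
code,bitbucket.org
docs,docs.google.com
shortener,bit.ly
"""

# assumed search URL prefixes for the engines the README names
ENGINES = {
    "google": "https://www.google.com/search?q=",
    "bing": "https://www.bing.com/search?q=",
    "duckduckgo": "https://duckduckgo.com/?q=",
    "yahoo": "https://search.yahoo.com/search?p=",
    "yandex": "https://yandex.com/search/?text=",
}


def load_sites(csv_text: str, categories: Iterable[str] = (),
               exclude: Iterable[str] = ()) -> List[str]:
    """Sites in the selected categories (all when none given), minus exclusions."""
    wanted, banned = set(categories), set(exclude)
    sites = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if wanted and row["category"] not in wanted:
            continue
        if row["site"] in banned:
            continue
        sites.append(row["site"])
    return sites


def categories(csv_text: str) -> dict:
    """Category -> number of sites, like the category list the README shows."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row["category"]] = counts.get(row["category"], 0) + 1
    return counts


def build_queries(query: str, sites: List[str], count: int, site_mode: str = "on") -> List[str]:
    """site_mode: 'on' (site:), 'inurl' (inurl:), or 'off' (plain query once).
    `count` sites go into each query, joined with OR, so that long site lists
    are split into several queries that an engine will accept."""
    if site_mode == "off" or not sites:
        return [query]
    operator = {"on": "site:", "inurl": "inurl:"}[site_mode]
    if count < 1:
        raise ValueError("count must be at least 1")
    chunks = [sites[i:i + count] for i in range(0, len(sites), count)]
    return [f"{query} " + " OR ".join(operator + s for s in chunk) for chunk in chunks]


def search_urls(engine: str, queries: List[str]) -> List[str]:
    """One URL per query, URL-encoded for the chosen engine."""
    prefix = ENGINES[engine.lower()]
    return [prefix + quote_plus(q) for q in queries]


if __name__ == "__main__":
    sites = load_sites(SAMPLE_CSV, categories=["code", "docs"], exclude=["gitlab.com"])
    for url in search_urls("google", build_queries('"uber.com"', sites, count=2)):
        print(url)
```

The -echo behaviour from the usage text corresponds to printing the URLs rather than opening them; the count argument is what keeps a query short enough for engines that silently drop excess keywords.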

Contribute?
Do you have some useful additions to the script or to the list of dorkable websites? Please send in a pull request to help make this script better :)


HawkScan - Security Tool For Reconnaissance And Information Gathering On A Website


Security tool for reconnaissance and information gathering on a website (Python 2.x and 3.x).
This script uses "WafW00f" to detect the WAF in the first step (https://github.com/EnableSecurity/wafw00f)
This script uses "Sublist3r" to scan subdomains (https://github.com/aboul3la/Sublist3r)
This script uses "waybacktool" to check the Wayback Machine (https://github.com/Rhynorater/waybacktool)

Features
  • URL fuzzing and dir/file detection
  • Test backup/old file on all the files found (index.php.bak, index.php~ ...)
  • Check header information
  • Check DNS information
  • Check whois information
  • User-agent random or personal
  • Extract files
  • Keep a trace of the scan
  • Check @mail in the website and check if @mails leaked
  • CMS detection + version and vulns
  • Subdomain Checker
  • Resume support (if the script is stopped, it picks up again from the same place)
  • WAF detection
  • Add personal prefix
  • Auto update script
  • Auto or personal output of scan (scan.txt)
  • Check Github
  • Recursive dir/file scan
  • Scan with an authentication cookie
  • Option --profil to skip the profile page during the scan
  • HTML report
  • Works with py2 and py3
  • Add option rate-limit if app is unstable (--timesleep)
  • Check in waybackmachine
  • Response error to WAF
  • Check if a firebaseio database exists and is accessible
  • Automatic threads depending response to website (and reconfig if WAF detected too many times). Max: 30
  • Search S3 buckets in source code page
  • Testing bypass of waf if detected

TODO
P1 is the most important
  • Dockerfile [P1]
  • JS parsing and analysis [P1]
  • Analyse html code webpage [P1]
  • On-the-fly writing report [P1]
  • Check HTTP headers/ssl security [P2]
  • Fuzzing amazonaws S3 Buckets [P2]
  • Anonymous routing through some proxy (http/s proxy list) [P2]
  • Check pastebin [P2]
  • Access token [P2]
  • Check source code and verify leaks or sensitive data in the Github [P2]
  • Check phpmyadmin version [P3]
  • Scan API endpoints/informations leaks [ASAP]

Usage
   pip(3) install -r requirements.txt 
If problem with pip3:
sudo python3 -m pip install -r requirements.txt
usage: hawkscan.py [-h] [-u URL] [-w WORDLIST] [-s SUBDOMAINS] [-t THREAD] [-a USER_AGENT] [--redirect] [-r] [-p PREFIX] [-o OUTPUT] [--cookie COOKIE_] [--exclude EXCLUDE] [--timesleep TS] [--auto]
optional arguments: 
-h, --help show this help message and exit
-u URL URL to scan [required]
-w WORDLIST Wordlist used for URL Fuzzing. Default: dico.txt
-s SUBDOMAINS subdomain tester
-t THREAD Number of threads to use for URL Fuzzing. Default: 20
-a USER_AGENT choice user-agent
--redirect For scan with redirect response like 301,302
-p PREFIX add prefix in wordlist to scan
-o OUTPUT output to site_scan.txt (default in website directory)
-b Add a backup file scan like 'exemple.com/ex.php.bak...' but longer
-r recursive dir/files
--cookie COOKIE Scan with an authentification cookie
--exclude EXCLUDE To define a page type to exclude during scan
--timesleep TS To define a timesleep/rate-limit if app is unstable during scan
--auto Automatic threads depending response to website. Max: 20
--update For automatic update

Examples
//Basic
python hawkscan.py -u https://www.exemple.com -w dico_extra.txt

//With redirect
python hawkscan.py -u https://www.exemple.com -w dico_extra.txt -t 5 --redirect

//With backup files scan
python hawkscan.py -u https://www.exemple.com -w dico_extra.txt -t 5 -b

//With an exclude page
python hawkscan.py -u https://www.exemple.com -w dico_extra.txt -t 5 --exclude https://www.exemple.com/profile.php?id=1

//With an exclude response code
python hawkscan.py -u https://www.exemple.com -w dico_extra.txt -t 5 --exclude 403

Thanks
Layno (https://github.com/Clayno/)
Sanguinarius (https://twitter.com/sanguinarius_Bt)
Cyber_Ph4ntoM (https://twitter.com/__PH4NTOM__)


TrustJack - Yet Another PoC For Hijacking DLLs in Windows


Yet another PoC for https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
Blogpost: https://redteamer.tips/?p=108
To be used with a cmd that does whatever the F you want, for a dll that pops cmd, https://github.com/jfmaes/CMDLL. check the list in wietze's site to check how you should call your dll.

TrustJack will automatically create c:\Windows \System32 and drop your dll and chosen binary in there, followed by execution. Clean up after yourself by running trustjack again with the -c flag.
You might be missing Fody 2.0; run a NuGet package restore to fix it (right click Solution 'TrustJacker' and select 'Restore NuGet Packages').
 _______             _       _            _
|__ __| | | | | | |
| |_ __ _ _ ___| |_ | | __ _ ___| | __
| | '__| | | / __| __| | |/ _` |/ __| |/ /
| | | | |_| \__ \ || |__| | (_| | (__| <
|_|_| \__,_|___/\__\____/ \__,_|\___|_|\_\


V1.0.0 by https://twitter.com/Jean_Maes_1994
Usage:
--dllpath=VALUE Path to the dll on the computer
--binary=VALUE The binary name to pop the shell
-c, --clean, --cleanup Cleanup the fake folder and it's contents
-h, -?, --help show this help menu.

Intelspy - Perform Automated Network Reconnaissance Scans



Perform automated network reconnaissance scans to gather network intelligence.
IntelSpy is a multi-threaded network intelligence spy tool which performs automated enumeration of network services. It performs live hosts detection scans, port scans, services enumeration scans, web content scans, brute-force, detailed off-line exploits searches and more.
The tool will also launch further enumeration scans for each detected service using a number of different tools.

Credits
I had started working on IntelSpy when one day I discovered AutoRecon. Instead of reinventing the wheel, IntelSpy is the result of combining/merging IntelSpy with the best features of the AutoRecon to create a network reconnaissance tool suitable for Penetration Testing engagements.

Features
  • Scans multiple targets in the form of IP addresses, IP ranges (CIDR notation) and resolvable hostnames.
  • Scans targets concurrently.
  • Detects live hosts in an IP range (CIDR) network.
  • Customizable port scanning profiles and service enumeration commands.
  • Creates a directory structure for results gathering.
  • Logs commands that were run.
  • Generates shell scripts with commands to be run manually.
  • Extracts important information in txt and markdown format.
  • Stores data to an SQLite database.
  • Generates HTML report.

Requirements
  • Python 3
  • colorama
  • toml (https://github.com/toml-lang/toml)
  • seclists
  • curl
  • enum4linux
  • gobuster
  • nbtscan
  • nikto
  • nmap
  • onesixtyone
  • oscanner
  • smbclient
  • smbmap
  • smtp-user-enum
  • snmpwalk
  • sslscan
  • svwar
  • tnscmd10g
  • whatweb
  • wkhtmltoimage
  • pandoc
  • hydra
  • medusa
  • wpscan
  • ldapsearch
  • patator
pip3 install -r requirements.txt
sudo apt install seclists

Usage
 ___               __        
| ._ _|_ _ | (_ ._
_|_ | | |_ (/_ | __) |_) \/
| /

IntelSpy v1.0 - Perform automated network reconnaissance scans to gather network intelligence.
IntelSpy is an open source tool licensed under GPLv3.
Written by: @maldevel | @LOGISEK_LTD
https://logisek.com | https://pentest-labs.com
https://github.com/maldevel/intelspy


usage: intelspy.py [-h] [-ts TARGET_FILE] -p PROJECT_NAME -w WORKING_DIR
[--exclude <host1[,host2][,host3],...>] [-s SPEED]
[-ct <number>] [-cs <number>] [--profile PROFILE_NAME]
[--livehost-profile LIVEHOST_PROFILE_NAME]
[--heartbeat HEARTBEAT] [-v]
[targets [targets ...]]

positional arguments:
targets IP addresses (e.g. 10.0.0.1), CIDR notation (e. g.
10.0.0.1/24), or resolvable hostnames (e.g.
example.com) to scan.

optional arguments:
-h, --help show this help message and exit
-ts TARGET_FILE, --targets TARGET_FILE
Read targets from file.
-p PROJECT_NAME, --project-name PROJECT_NAME
project name
-w WORKING_DIR, --working-dir WORKING_DIR
working directory
--exclude <host1[,host2][,host3],...>
exclude hosts/networks
-s SPEED, --speed SPEED
0-5, set timing template (higher is faster) (default:
4)
-ct <number>, --concurrent-targets <number>
The maximum number of target hosts to scan
concurrently. Default: 5
-cs <number>, --concurrent-scans <number>
The maximum number of scans to perform per target
host. Default: 10
--profile PROFILE_NAME
The port scanning profile to use (defined in port-
scan-profiles.toml). Default: default
--livehost-profile LIVEHOST_PROFILE_NAME
The live host scanning profile to use (defined in
live-host-scan-profiles.toml). Default: default
--heartbeat HEARTBEAT
Specifies the heartbeat interval (in seconds) for task
status messages. Default: 60
-v, --verbose Enable verbose output. Repeat for more verbosity (-v,
-vv, -vvv).

Usage Examples
Scanning single target
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 -v
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 -vv
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 -vvv
Scanning a hostname
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ example.com
Scanning a network range (CIDR)
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.0/24
Scanning multiple targets (comma separated)
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ 192.168.10.15 192.168.10.0/24 example.com
Scanning targets from file
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ -ts /home/user/targets.txt
Excluding one host
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ --exclude 192.168.10.9 192.168.10.0/24
Excluding many hosts
sudo python3 intelspy.py -p MyProjectName -w /home/user/pt/projects/ --exclude 192.168.10.9,192.168.10.24 192.168.10.0/24

