The program is designed to obfuscate the shellcode. Currently the tool supports 2 encryption.

1) XOR
2) AES

The tool accepts shellcode in 4 formats.

1) base64
2) hex
3) c
4) raw

Usage           Description
-----           -----------
/f              Specify the format of the shellcode
                base64
                hex
                c
                raw
/enc            Specify the encryption type (aes or xor) in which the shellcode will be encrypted
/key            Specify the key that will be used to encrypt the shellcode (default = SuperStrongKey)
/path           Specify the path of the file that contains the shellcode
/url            Specify the url where the shellcode is hosted
/o              Specify the file path to save the encrypted shellcode (default = output.bin)
/help           Show help

https://3xpl01tc0d3r.blogspot.com/2020/08/introduction-to-obfuscator.html

A tool written for cobalt-strike's execute-assembly command that allows for more efficent querying of AD.

• List all Domain Admins
• Custom LDAP Search
• Connect to LDAPS Servers
• Output JSON data from AD instances
• Retrieve custom attributes from a generic query (i.e. All computers)

ADSearch 1.0.0.0
Copyright c  2020
USAGE:
Query Active Directory remotely or locally:
  ADSearch --domain ldap.example.com --password AdminPass1 --username admin --users

  -f, --full          If set will show all attributes for the returned item.

  -o, --output        File path to output the results to.

  --json              (Default: false) Output results in json format.

  --supress-banner    When set banner will be disabled.

  -G, --groups        Enumerate and return all groups from AD.

  -U, --users         Enumerate and return all users from AD.

  -C, --computers     Enumerate and return all computers joined to the AD.

  -S, --spns          Enumerate and return all SPNS from AD.

  --attributes        (Default: cn) Attributes to be returned from the results in csv    format.

  -s, --search        Perform a custom search on the AD server.

  --domain-admins     Attempt to retreive all Domain Admin accounts.

  -u, --username      Attempts to authenticate to AD with the given username.

  -p, --password      Attempts to authenticate to AD with the given password.

  -h, --hostname      If set will attempt a remotebind to the hostname. This option requires the domain option to be set to a valid DC on the hostname. Will allow an IP address to be used as well.

  -p, --port          (Default: 636) If set will attempt a remote bind to the port based on the IP.

  -d, --domain        The domain controller we are connecting to in the FQDN format. If left blank then all other connection options are ignored and the lookups ar   e done locally.

  --insecure          (Default: false) If set will communicate over port 389 and not use SSL

  --help              Display this help screen.

  --version           Display version information.

Karkinos is a light-weight 'Swiss Army Knife' for penetration testing and/or hacking CTF's. Currently, Karkinos offers the following:

• Encoding/Decoding characters
• Encrypting/Decrypting text or files
• Reverse shell handling
• Cracking and generating hashes

• Any server capable of hosting PHP; tested with Apache Server
• Tested with PHP 7.4.9
• Python3 (in your path)
• pip3
• Raspberry Pi Zero friendly :) (crack hashes at your own risk)

This installation guide assumes you have all the dependancies.

1. git clone https://github.com/helich0pper/Karkinos.git
2. cd Karkinos
3. pip3 install -r requirements.txt
4. cd wordlists&& tar -xf passlist.zip You can also unzip it manually using file explorer if tar is not installed. Just make sure passlist.txt is in wordlists directory.
5. Add extension=php_sqlite3.dll to your php.ini file.
   If you don't know where to find this, refer to the PHP docs.
6. Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.

1. git clone https://github.com/helich0pper/Karkinos.git
2. cd Karkinos
3. pip3 install -r requirements.txt
4. cd wordlists && tar -xf passlist.zip
   You can also unzip it manually using file explorer if tar is not installed. Just make sure passlist.txt is in wordlists directory.
5. Add extension=php_sqlite3.dll to your php.ini file.
   If you don't know where to find this, refer to the PHP docs.
6. Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.

Landing page and quick access menu.

User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.

This page allows you to encode/decode in common formats (more may be added soon)

Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.

Reverse shells can be captured and interacted with on this page.

Karkinos can generate commonly used hashes such as:

• MD5
• SHA1
• SHA256
• SHA512
  
  

Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.

Pull requests and bug reports are always appreciated.
Below are known bugs and issues:

• Reverse shell handling server code is currently being reworked but it works fine

Twitter

HiJackThis Fork is a free utility for Microsoft Windows that scans your computer for settings changed by adware, spyware, malware and other unwanted programs.

HiJackThis Fork primarily detects hijacking methods rather than comparing items against a pre-built database. This allows it to detect new or previously unknown malware - but it also makes no distinction between safe and unsafe items. Users are expected to research all scanned items, and only remove items from their PC when absolutely appropriate.

Therefore, FALSE POSITIVES ARE LIKELY. If you are ever unsure, you should consult with a knowledgeable expert BEFORE deleting anything.

• Lists non-default settings in the registry, hard drive and memory related to autostart
• Generates organized, easily readable reports
• Does not use a database of specific malware, adware, etc
• Detects potential methods used by hijackers
• Can be configured to automatically scan at system boot up

• Short logs
• Fast scans
• No need to manually create fixing scripts
• No need for Internet access or recurring database updates
• Already familiar to many people
• Portable

• Detects several new hijacking methods
• Fully supports new Windows versions
• New and updated supplementary tools
• Improved interface, security and backups

HiJackThis also comes with several useful tools for manually removing malware from a computer:

• StartupList 2 (*new*)
• Process Manager
• Uninstall manager
• Hosts file manager
• Alternative Data Spy
• Delete file / service staff
• Digital Signature Checker (*new*)
• Registry key unlocker (*new*)
• Check Browsers' LNK & ClearLNK (as downloadable component) (*new*)

IMPORTANT: HiJackThis Fork does not make value-based calls on what is considered good or bad. You must exercise caution when using this tool. Avoid making changes to your computer settings without thoroughly studying the consequences of each change.

If you are not already an expert, we recommend submitting your case to an online help forum. Here are some suggestions:

• English: Our GitHub ; GeeksToGo ; BleepingComputer
• Russian: SafeZone ; CyberForum ; OSZone ; SoftBoard ; THG ; VirusInfo ; KasperskyClub ; Dr.Web

Note: currently, only Russian-speaking anti-malware supporting team (e.g., VIRUSNET association) can provide direct analysis of HiJackThis logs in our github 'Issues' section. Please feel free to ask help there.

• Actual short User's manual (in English)
• Actual complete User's manual (in Russian)
• Recent updates by the author (in Russian)
• Additional instructions on Wiki-pages
• Discussion and news are in this topic (in Russian) or on GeeksToGo (in English; access restricted to experts only) or on our GitHub page (for everybody).
• You can also freely ask questions, report bugs, or propose improvements by creating an issue on GitHub

Operating System

• Microsoft™ Windows™ 10 / 8.1 / 8 / 7 / Vista / XP / 2000 (32/64-bit desktop and server)

• Polshyn Stanislav { @dragokas } - author of fork (major v3 and all post-v2.0.6 updates), refactoring, additions, tools integration
• Merijn Bellekom { @mrbellek } - original author, author of the new StartupList v2 and ADS Spy
• Trend Micro { @trendmicro } - owner of the original version (2.0.5)

• regist (VIRUSNET) { @regist } - for the valuable tips and ideas, user's manual, database updates, closed and beta-testing
• Sandor (VIRUSNET) { @Sandor-Helper } - for the beta-testing, PC treatment on GitHub and forums of association
• akok (VIRUSNET) { @akokSZ } - for product promotion, providing a platform for tests and discussion, help with resolving conflicts with antiviruses
• SafeZone.cc team (general VIRUSNET community) - for promotion and support, feedback and bug reports, PC treatment on forums of association
• Fernando Mercês { @merces } (Trend Micro) - coordinator of original HJT, for the tips, suggestions and promotion
• Loucif Kharouni { @loucifkharouni } (Trend Micro) - coordinator of original HJT, for the tips & suggestions

HiJackThis Fork by Alex Dragokas is a continuation of Trend Micro HiJackThis development, based on v.2.0.6 and 100% rewritten at the moment. It was initially supported by Trend Micro, but they have since refused support and closed the GitHub repository. HiJackThis Fork is distributed under the GPLv2 license. It also includes several tools and plugins available as freeware.

Pre-built binary (release version) for Windows

Nightly build (private test version) for Windows

JavaScript AST analysis. This package has been created to export the Node-Secure AST Analysis to enable better code evolution and allow better access to developers and researchers.

The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting the results of this tool will still require you to have a set of security notions.

I have no particular background in security. I'm simply becoming more and more interested and passionate about static code analysis. But I would be more than happy to learn that my work can help prevent potential future attacks (or leaks).

The objective of the project is to successfully detect all potentially suspicious JavaScript codes.. The target is obviously codes that are added or injected for malicious purposes..

Most of the time these hackers will try to hide the behaviour of their codes as much as possible to avoid being spotted or easily understood... The work of the library is to understand and analyze these patterns that will allow us to detect malicious code..

• Retrieve required dependencies and files for Node.js.
• Detect unsafe RegEx.
• Get warnings when the AST Analysis as a problem or when not able to follow a statement.
• Highlight common attack patterns and API usages.
• Capable to follow the usage of dangerous Node.js globals.
• Detect obfuscated code and when possible the tool that has been used.

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i js-x-ray
# or
$ yarn add js-x-ray

Create a local .js file with the following content:

try  {
    require("http");
}
catch (err) {
    // do nothing
}
const lib = "crypto";
require(lib);
require("util");
require(Buffer.from("6673", "hex").toString());

Then use js-x-ray to run an analysis of the JavaScript code:

const { runASTAnalysis } = require("js-x-ray");
const { readFileSync } = require("fs");

const str = readFileSync("./file.js", "utf-8");
const { warnings, dependencies } = runASTAnalysis(str);

const dependenciesName = [...dependencies];
const inTryDeps = [...dependencies.getDependenciesInTryStatement()];

console.log(dependenciesName);
console.log(inTryDeps);
console.log(warnings);

The analysis will return: http (in try), crypto, util and fs.

There is also a lot of suspicious code example in the root cases directory. Feel free to try the tool on these files.

Node-secure versions equal or lower than 0.7.0 are no longer compatible with the warnings table below.

This section describe all the possible warnings returned by JSXRay.

More details on warnings and their implementations here

interface RuntimeOptions {
    module?: boolean;
    isMinified?: boolean;
}

The method take a first argument which is the code you want to analyse. It will return a Report Object:

interface Report {
    dependencies: ASTDeps;
    warnings: Warning<BaseWarning>[];
    idsLengthAvg: number;
    stringScore: number;
    isOneLineRequire: boolean;
}

Generate a new Warning Object.

interface WarningOptions {
    location: Location;
    file?: string;
    value?: string;
}

Return a default SourceLocation with all row and column set to zero.

{ start: { line: 0, column: 0 }, end: { line: 0, column: 0 } }

This is a proof of concept of how a ransomware works, and some techniques that we usually use to hijack our files. This project is written in C# using the net-core application framework 3.1.The main idea of the code is to make it as readable as possible so that people have an idea of how this type of malware acts and works.

Baphomet features

• AES algorithm for file encryption.
• RSA encryption to encrypt key.
• Automatic propagation via USB.
• Hybrid encryption technique.
• Enumeration of processes to kill those selected.
• Internet connection test.
• victim information submissions (Public IP, Domainname, Country, OS.version, City, Machine name, etc).
• Program to decrypt the encryption key.
• Program to decrypt encrypted data.
• Hostname list to send the victim's data (redundancy).
• Doesn't detected to antivirus programs (Date: 11/30/2020 12:25pm).
• Hardcode image in base64 to change wallpaper (Baphomet image).

Dynamic settings

• List of directories we want to navigate.
• List of valid extensions.
• Host list to which we will send the data.
• List of processes that we want to stop in case they are running.
• Methods to convert base64 to image or download the image from a url.
• public key that will be hardcode to encrypt symmetric key.

Custom arrays & var

• Directories we want to encrypt > file: Program.csline: 25
• Valid extensions to encrypt > file: /Utilities/Crypt.csline: 31
• Processes that we want to stop > file: /Utilities/Diagnostics.csline: 18
• (RSA) Public key that encrypts the symmetric key > file: /Utilities/CryptRSA.csline: 14
• Hostnames where we will receive the vicma data > file: /Utilities/NetInfo.csline: 65

Projects

• Baphomet = project to encrypt files.
• BpahometDecrypt = project to decrypt files.
• rsa = here we generate rsa keys to encrypt symmetric key with which we encrypt the files, Also decrypt the symmetric key that is generated in the victim.

Static analysis to search for vulnerabilities in Wordpress plugins.

 __      ____________  ___ ___               __                
/  \    /  \______   \/   |   \ __ __  _____/  |_  ___________ 
\   \/\/   /|     ___/    ~    \  |  \/    \   __\/ __ \_  __ \
 \        / |    |   \    Y    /  |  /   |  \  | \  ___/|  | \/
  \__/\  /  |____|____\___|_  /|____/|___|  /__|  \___  >__|   
       \/       /_____/     \/            \/          \/       

|__ Author: @JosueEncinar


[*] Starting the process
[*] Total plugins 87509
[*] Starting the analisys

The tool has been uploaded without regex, for the search you need to add your regular expressions. The key to reduce false positives is here, go for it.

To know how to do this, check out modules/php/test.py and modules/js/test.py. It is not complicated.

To use the tool, follow the instructions below:

git clone https://github.com/Josue87/wp_hunter.git
cd wp_hunter
pip3 install -r requirements.txt
python3 wp_hunter.py

The tests have been carried out with the Linux operating system

With the popularity of web front-end packaging tools, have you encountered more and more websites represented by Webpack packager in daily penetration testing and security services? This type of packager will package the API and API parameters of the entire site together for centralized Web call, which is also convenient for us to quickly discover the functions and API lists of the website, but often the number of JS files generated by these packagers is unusually large and total The amount of JS code is extremely large (more than ten thousand lines), which brings great inconvenience to our manual testing, and the Packer Fuzzer software came into being.

This tool supports automatic fuzzy extraction of the API corresponding to the target site and the parameter content corresponding to the API, and supports the fuzzing and efficient fuzzing of seven vulnerabilities: unauthorized access, sensitive information leakage, CORS, SQL injection, unauthorized access, weak password, and arbitrary file upload Rapid detection. After the scan is over, this tool also supports automatic generation of scan reports. You can choose the HTML version that is easy to analyze and the more formal doc, pdf, txt versions.

And you don’t have to worry about language problems caused by internationalization. This tool comes with five major language packages (including report templates): Simplified Chinese, French, Spanish, English, and Japanese (sorted according to translation accuracy). NoProfessional team translation.

Parameter introduction

You can use the python3 PackerFuzzer.py [options] command to run this tool. The content of options is as follows:

--h (--help)

Help command, no additional parameters, view all the parameters supported by this tool and their corresponding introduction;

--u (--url)

The URL path of the website to be scanned is a required option, for example: -u https://demo.poc-sir.com;

--c (--cookie)

Additional cookies content, can be empty, if filled in, it will be passed globally, for example: -c "POC=666;SIR=233";

--d (--head)

Additional HTTP header content, which can be empty, if filled in, it will be passed in globally, the default is Cache-Control:no-cache, for example: -d "Token:3VHJ32HF0";

--l (--lang)

Language option, when it is empty, the system will automatically select the corresponding language option, if there is no corresponding language pack, it will automatically switch to the English interface. The available language packs are: Simplified Chinese (zh), French (fr), Spanish (es), English (en), Japanese (ja), for example: -l zh;

--t (--type)

It is divided into basic version and advanced version. When it is empty, the basic version is used by default. The advanced version will rescan all APIs and fuzzy extract the corresponding parameters of the API, and perform: SQL injection vulnerabilities, horizontal unauthorized vulnerabilities, weak password vulnerabilities, and arbitrary file upload vulnerabilities. You can use the adv option to enter the advanced version, for example: -t adv;

--p (--proxy)

Global proxy, can be empty, if you fill in, use proxy IP globally, for example: -p https://hack.cool:8080;

--j (--js)

Additional JS file, can be empty, when you think there are other JS files that need to be analyzed by this tool, you can use this option, for example: -j https://demo.poc-sir.com/js/index.js, https://demo.poc-sir.com/js/vue.js;

--b (--base)

Specify the middle part of the API (for example, when an API is: https://demo.poc-sir.com/v1_api/login, its basedir is: v1_api), it can be empty, when you think the automatically extracted basedir of this tool is not accurate , You can use this option, for example: -b v1_api;

--r (--report)

Specify the report format to be generated. When it is empty, HTML and DOC format reports are generated by default. Available report formats are: html, doc, pdf, txt, for example: -r html,pdf;

--e (--ext)

Whether to enable the extension plug-in option, this tool supports users to self-write plug-ins and save them in the ext directory (for how to write, please refer to the demo.py file in the corresponding directory). The default is off. When the user uses the on command to open, the tool will automatically execute the plug-ins in the corresponding directory, for example: -e on;

--f (--flag)

The SSL connection security option, when it is empty, is closed by default. In this state, all insecure connections will be blocked. If you want to ignore the SSL security status, you can use the 1 command to enable it, and all certificate errors will be ignored, for example: -f 1;

-s (--silent)

The Silent option, once enabled, all operations that ask for YES or NO will automatically be set to YES, and the content after the parameter is the name of the scan report (custom report name), which can be used for unattended, batch operations, plug-in calls, for example: -s Scan_Task_777.

Depix is a tool for recovering passwords from pixelized screenshots.

This implementation works on pixelized images that were created with a linear box filter.

In this article I cover background information on pixelization and similar research.

python depix.py -p images/testimages/testimage3_pixels.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o output.png

• Cut out the pixelated blocks from the screenshot as a single rectangle.
• Paste a De Bruijn sequence with expected characters in an editor with the same font settings (text size, font, color, hsl).
• Make a screenshot of the sequence. If possible, use the same screenshot tool that was used to create the pixelized image.
• Run python depix.py -p [pixelated rectangle image] -s [search sequence image] -o output.png

The algorithm uses the fact that the linear box filter processes every block separately. For every block it pixelizes all blocks in the search image to check for direct matches.

For most pixelized images Depix manages to find single-match results. It assumes these are correct. The matches of surrounding multi-match blocks are then compared to be geometrically at the same distance as in the pixelized image. Matches are also treated as correct. This process is repeated a couple of times.

After correct blocks have no more geometrical matches, it will output all correct blocks directly. For multi-match blocks, it outputs the average of all matches.

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. For a given cloud service with an OpenAPI/Swagger specification, RESTler analyzes its entire specification, and then generates and executes tests that exercise the service through its REST API.

RESTler intelligently infers producer-consumer dependencies among request types from the Swagger specification. During testing, it checks for specific classes of bugs and dynamically learns how the service behaves from prior service responses. This intelligence allows RESTler to explore deeper service states reachable only through specific request sequences and to find more bugs.

RESTler is described in these peer-reviewed research papers:

1. RESTler: Stateful REST API Fuzzing (ICSE'2019)
2. Checking Security Properties of Cloud Service REST APIs (ICST'2020)
3. Differential Regression Testing for REST APIs​ (ISSTA'2020)
4. Intelligent REST API Data Fuzzing​​ (FSE'2020)

If you use RESTler in your research, please cite the (default) ICSE'2019 paper (BibTeX).

RESTler was created at Microsoft Research and is still under active development.

RESTler was designed to run on 64-bit machines with Windows or Linux.

Prerequisites: Install Python 3.8.2 and .NET core SDK 3.1, for your appropriate OS.

Create a directory where you'd like to place the RESTler binaries:

mkdir restler_bin

Switch to the repo root directory and run the following Python script:

python ./build-restler.py --dest_dir <full path to restler_bin above>

Note: if you get nuget error NU1403 when building, a quick workaround is to clear your cache with this command

dotnet nuget locals all --clear

RESTler binary drops are coming soon.

Prerequisites: Install Python 3.8.2 and .NET core SDK 3.1 or higher, for your appropriate OS.

RESTler runs in 4 main modes (in order):

1. Compile: from a Swagger JSON or YAML specification (and optionally examples), generate a RESTler grammar. See Compiling.
2. Test: execute quickly all of the endpoints+methods in a compiled RESTler grammar for debugging the test setup and compute what parts of the Swagger spec are covered. This mode is also called a smoketest. See Testing. To use custom test engine settings, see Test Engine Settings.
3. Fuzz-lean: execute once every endpoint+method in a compiled RESTler grammar with a default set of checkers to see if bugs can be found quickly. See Fuzzing.
4. Fuzz: bug hunting - explore a RESTler fuzzing grammar in smart breadth-first-search mode (deeper search mode) for finding more bugs. Warning: This type of fuzzing is more aggressive and may create outages in the service under test if the service is poorly implemented (e.g., fuzzing might create resource leaks, perf degradation, backend corruptions, etc.). See Fuzzing.

For a quick intro with simple examples, see this Tutorial.

To quickly try RESTler on your API, see Quick Start.

There are currently two categories of bugs found by RESTler.

• Error code: currently, any time a response with status code 500 ("Internal Server Error") is received, a bug is reported.
• Checkers: each checker tries to trigger specific bugs by executing targeted additional requests or sequences of requests at certain points during fuzzing, determined by context. Some checkers try to find additional 500s, while other checkers try to find specific logic bugs such as resource leaks or hierarchy violations. For a full description of checkers, see Checkers.

When a bug is found, RESTler reports bugs triaged in bug buckets, and provides a replay log that can be used to reproduce the bug (see Replay).

For tips on using RESTler effectively, please see Best Practices and Improving Swagger Coverage.

See also these Frequently Asked Questions.

If you're interested in using RESTler at scale as part of your CI/CD pipeline, check out the REST API Fuzz Testing self-hosted service.

If you have a request/suggestion/question, please file an issue. See Contributing.md for instructions.

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

For more information, see Contributing.md.

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

For more information, see Telemetry.md.

Security issues and bugs should be reported privately, via email, to the Microsoft Security Response Center (MSRC) at secure@microsoft.com. You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Further information, including the MSRC PGP key, can be found in the Security TechCenter.

For additional details, see Security.md.

https://go.microsoft.com/fwlink/?LinkId=521839

• Hacker News [thehackernews.com/]
• New Exploits [Exploit-db.com]
• Hacking Tutorials Video [youtube.com]
• The Latest Prices OF Digital Currencies [Rials , Usd]

• Bypass Cloud Flare
• Cms Detect
• Trace Toute
• Reverse IP
• Port Scan
• IP location Finder
• Show HTTP Header
• Find Shared DNS
• Whois
• DNS Lookup

• Reference exploit-db.com

[Support Ngrok]

• Get system Information with link
• Screen Captrue With Link
• Play Sound With Link

$ Download  https://github.com/Ultrasecurity/DarkSide
$ cd DarkSide
$ python -m pip install -r requirments.txt
$ Download PHP V-7 in php.net AND Add To Path php.exe
$ python run.py

Multi-threaded c2 server and reverse TCP shell client written in pure C (Windows).

Command list:

list: list available connections.

interact [id]: interact with client.

download [filename]: download a file from client.

upload [filename]: upload a file to client.

background: background client.

exit: terminate client or server.

cd [dir]: change directory on client.

GUSTAVE is a fuzzing platform for embedded OS kernels. It is based on QEMU and AFL (and all of its forkserver siblings). It allows to fuzz OS kernels like simple applications.

Thanks to QEMU, it is multi-platform. One can see GUSTAVE as a AFL forkserver implementation inside QEMU, with fine grain target inspection.

GUSTAVE has mainly been designed to target embedded OS kernels. It might not be the best tool to fuzz a large and complex Windows or Linux kernel.

However if you have a target under the hood which can be rebuilt from scratch and crafted with one or two applications to boot without any user interaction, it might be interesting to give GUSTAVE a try.

The afl-fuzz tool, from the AFL project, is used to automatically fuzz your target. However, AFL can't directly fuzz an OS kernel and expects its target to directly parse the generated test cases.

To make it short, afl-fuzz will run QEMU with GUSTAVE integration as its target. In turn, GUSTAVE will handle :

• forkserver synchronization
• generated test cases translation to target system calls
• target kernel monitoring

There exists comparable approaches, such as:

• Project Triforce
• afl-unicorn
• kAFL

GUSTAVE design choices implies the following differences:

• you need to inject AFL instrumentation shims in the target kernel
• no specific devs are needed inside the target
• really target agnostic (OS, architecture), as long as QEMU offers support
• can even use hardware-virtualization with kvm
• covers all system calls implemented in the target kernel
• you still need to implement target specific things:
  • system calls translator
  • memory guard oracles

We have implemented and tested Intel x86 and PowerPC support. The GUSTAVE implementation is architecture independent. If you can run your target with QEMU, you can fuzz it with GUSTAVE with little effort.

For now, we provide example Intel 440FX and PowerPC PREP boards with GUSTAVE integration. The implementation of your own board is really easy. Have a look at x86 board.

We also added support for x86 and PowerPC GUSTAVE instrumentation shims to afl-gcc.

We also provide POK micro-kernel target specific developments:

• system calls ABI generator for both x86/PPC
• x86 memory oracles

• prepare your target (rebuild with afl-gcc, or binary fix it)
• implement target specific translator
• build QEMU with GUSTAVE integration
• write a JSON configuration file for your target
• run it in a terminal

A step-by-step tutorial is available.

Beside a working compilation environment for both your target and QEMU, you will need the following git trees:

$ git clone -b gustave https://github.com/airbus-seclab/afl
$ git clone -b gustave https://github.com/airbus-seclab/qemu

Material from different talks on GUSTAVE can be found at https://airbus-seclab.github.io/: Slides(en), Slides(fr), Paper, Video

An burpsuite extension to bypass 403 restricted directory. By using PassiveScan (default enabled), each 403 request will be automatically scanned by this extension, so just add to burpsuite and enjoy.

Payloads: $1: HOSTNAME $2: PATH

$1/$2
$1/%2e/$2
$1/$2/.
$1//$2//
$1/./$2/./
$1/$2anything -H "X-Original-URL: /$2" 
$1/$2 -H "X-Custom-IP-Authorization: 127.0.0.1" 
$1 -H "X-Rewrite-URL: /$2"
$1/$2 -H "Referer: /$2"
$1/$2 -H "X-Originating-IP: 127.0.0.1"
$1/$2 -H "X-Forwarded-For: 127.0.0.1"
$1/$2 -H "X-Remote-IP: 127.0.0.1"
$1/$2 -H "X-Client-IP: 127.0.0.1"
$1/$2 -H "X-Host: 127.0.0.1"
$1/$2 -H "X-Forwared-Host: 127.0.0.1"
$1/$2%20/
$1/%20$2%20/
$1/$2?
$1/$2???
$1/$2//
$1/$2/
$1/$2/.randomstring
$1/$2..;/

Thanks @lohubi for contributing many payloads.

BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish

• https://twitter.com/iam_j0ker/status/1324354024657711106?s=20
• https://twitter.com/jae_hak99/status/1297556269960540161?s=20
• https://twitter.com/SalahHasoneh1/status/1296572143141031945
• https://twitter.com/lobuhisec/status/1329705441883017218

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

Developed by: @SamyKamkar // https://samy.pl

Released: October 31, 2020

Source code: https://github.com/samyk/slipstream

  animated version here generated with my fork of draw.io, allowing exportable edge context flow & control in animations

NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.

This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010). Additionally, new techniques for local IP address discovery are included.

This attack requires the NAT/firewall to support ALG (Application Level Gateways), which are mandatory for protocols that can use multiple ports (control channel + data channel) such as SIP and H323 (VoIP protocols), FTP, IRC DCC, etc.

At a high level, NAT Slipstreaming works like so:

• victim visits malicious site (or site with malicious advertisement)
• internal IP of victim first must be extracted by browser and sent to server
  • internal IP attempted to be extracted via WebRTC data channel over https
    • some browsers (Chrome) only divulge the local IP via WebRTC over HTTPS but some of our attacks require HTTP so we first redirect to the HTTPS version of the attack software to extract the local IP
    • we then redirect to the HTTP version with the local IP included in the URL if we were able to obtain it to bypass other cross-origin protection mechanisms (the .local mDNS/Bonjour address presented will not be useful for the attack)
  • if internal IP not divulged by WebRTC (Safari) or no WebRTC (<= IE11), web-based TCP timing attack performed
    • hidden img tags to all common gateways (eg 192.168.0.1) are loaded in background
    • onerror/onsuccess events attached to img tags
    • if any TCP RST returned by gateway (or SYN + HTTP response), we've detected valid subnet
    • re-perform timing attack across all IPs on detected subnets (/24), measuring time to onerror/onsuccess firing
    • fastest response is likely internal IP, though all responses are considered victim internal IP candidates and attacked
• large TCP beacon sent via hidden form and automatic HTTP POST to attacker "HTTP server" bound to a non-standard port to force TCP segmentation and maximum MTU size discovery of the victim's IP stack
  • attacker TCP server sends Maximum Segment Size TCP Option to massage victim outbound packet sizes (RFC 793 x3.1), allowing control of how large browser TCP packets will be
• large UDP beacon sent from browser via WebRTC TURN authentication mechanism to non-standard port to attacker's server to force IP fragmentation with TURN username field stuffed
  • we perform a similar attack as our TCP segmentation, but over UDP as IP fragmentation will occur and provide different values than TCP segmentation
  • victim MTU size, IP header size, IP packet size, TCP header size, TCP segment sizes detected by server and sent back to victim's browser, used later for packet stuffing
• "SIP packet" in new hidden form generated, containing internal IP to trigger Application Level Gateway connection tracking
  • "HTTP POST" to server on TCP port 5060 (SIP port) initiated, avoiding restricted browser ports
  • POST data is "stuffed" to exact TCP segment size / packet boundary, then "SIP packet" appended and posted via web form
  • victim IP stack breaks the POST into multiple TCP packets, leaving the "SIP packet" (as part of POST data) in its own TCP packet without any accompanying HTTP headers
  • if browser alters size of multipart/form boundary (Firefox) or packet size changes for any other reason, size change is communicated back to client and client auto-resends with new size
  • when opening UDP port, SIP packet is sent over TURN protocol inside specially crafted username field forcing IP fragmentation and precise boundary control
• victim NAT sees proper SIP REGISTER packet on SIP port (with no HTTP data), triggering ALG to open any TCP/UDP port defined in packet back to victim
  • victim NAT rewrites SIP packet, replacing internal IP with public IP, hinting to attacker exploit was successful
  • even if victim NAT normally rewrites source ports, the ALG will still be forced to port forward to the attacker's port of choice as it believes victim machine opened that port and attacker sees new source port in arriving SIP packet
  • attacker can now bypass victim NAT and connect directly back to any port on victim's machine, exposing previously protected/hidden services
• to investigate...perhaps by you?
  • non-malicious usage: this technique essentially gives browsers full TCP and UDP socket capability to communicate to any protocol locally on the system; the connection can be abstracted through a cloud server that connects back but the browser just talks to the cloud server as if it's the socket and makes browsers much more powerful to communicate on non-web-friendly protocols
  • if testing in a virtual machine (VM) using shared networking (used to protect a host from attacks by routing it through the host, not letting it directly onto the network), if the packets make it out, the parent host machine is where the ports end up getting opened, not the VM ;)
  • IP fragmentation allows full control of all data in the IP data section, meaning full control of the UDP header, including source/dest ports in the overflowed packet...what else could this abuse?

Thanks for reading! You can download the proof of concept code from my NAT Slipstream github.

Point of Contact:@SamyKamkar

Find more of my projects at https://samy.pl or potentially reach me at code@samy.pl.

Stegseek is a lightning fast steghide cracker that can be used to extract hidden data from files. It is built as a fork of the original steghide project and, as a result, it is thousands of times faster than other crackers and can run through the entirety of rockyou.txt* in under 2 seconds.

Stegseek can also be used to extract steghide metadata without a password, which can be used to test whether a file contains steghide data.

* rockyou.txt is a well-known password list with over 14 million passwords.

Skip ahead to Performance for some raw numbers.

The following instructions walk you through the installation process. Alternatively, you can run Stegseek in a Docker container. Skip ahead to Docker for instructions.

On Ubuntu and other Debian-based systems, you can use the provided .deb package for installation:

1. Download the latest Stegseek release
2. Install the .deb file using sudo apt install ./stegseek_0.4-1.deb

On other systems you will have to build Stegseek yourself. See BUILD.md for more information.

Building Stegseek as a native Windows app is sadly not supported. Instead you should run Stegseek using WSL. The Ubuntu WSL distribution is recommended for optimal compatibility.
Once you have configured WSL, Stegseek can be installed using the above Linux instructions.

By default, WSL mounts the C:\ drive at /mnt/c/, which you can use to easily access your files.

The most important feature of stegseek is wordlist cracking:

stegseek [stegofile.jpg] [wordlist.txt]

This mode will simply try all passwords in the provided wordlist against the provided stegofile.

Stegseek can also be used to detect and extract any unencrypted (meta) data from a steghide image. This exploits the fact that the random number generator used in steghide only has 2^32 possible seeds, which can be bruteforced in a matter of minutes.

stegseek --seed [stegofile.jpg]

This command will tell you:

• Whether this file actually contains steghide content.
• How much hidden content the file contains.
• How the content was encrypted .

If you're (very) lucky and the file was encoded without encryption, this mode will even recover the encoded file for you!

In this demo I used a very secure random password to embed a file, but disabled encryption by passing the -e none argument to steghide. Within a few minutes, Stegseek is able to recover the embedded file.

Use stegseek --help to get the full list of available options:

Stegseek version  0.4

=== Stegseek Help ===
To crack a stegofile:
stegseek [stegofile.jpg] [wordlist.txt]

Commands:
 --crack                 Crack a stego file using a wordlist. This is the default mode.
 --seed                  Crack a stego file by attempting all embedding patterns.
                         This mode can be used to detect a file encoded by steghide.
                         In case the file was encoded without encryption, this mode will
                         even recover the embedded file.
Positional arguments:
 --crack [stegofile.jpg] [wordlist.txt] [output.txt]
 --seed  [stegofile.jpg] [output.txt]

Keyword arguments:
 -sf, --stegofile        select stego file
 -wl, --wordlist         select the wordlist file
 -xf, --extractfile      select file name for extracted data
 -t, --threads           set the number of threads. Defaults to the number of cores.
 -f, --force                overwrite existing files
 -v, --verbose           display detailed information
 -q, --quiet             hide performance metrics

Use "stegseek --help -v" to include steghide's help.

Stegseek includes nearly all of steghide's functionality, so it can also be used to embed or extract data as normal. The only catch is that commands must use the --command format.
So steghide embed [...] becomes stegseek --embed [...] .

You can also run Stegseek as Docker container:

docker run --rm -it -v "$(pwd):/steg" rickdejager/stegseek [stegofile.jpg] [wordlist.txt]

This does require that the wordlist and stegofile are located in current working directory, as that folder is mounted to /steg inside of the container.

This is where Stegseek really shines. As promised, let's start with the "rockyou.txt in just 2 seconds" claim.
All of these numbers are measured on a laptop with an Intel i7-7700HQ CPU @ 2.80GHz and 8 GB of RAM.

I picked the last password in rockyou.txt without control characters: "␣␣␣␣␣␣␣1" (7 spaces followed by '1').
This password is on line 14344383 out of 14344391

time stegseek 7spaces1.jpg rockyou.txt 
Stegseek version 0.4
[i] Read the entire wordlist (14344391 words), starting cracker
[ 14231679 / 14344391 ]  (99,21%)                 
[i] --> Found passphrase: "       1"

[i] Original filename: "secret.txt"
[i] Extracting to "7spaces1.jpg.out"

real	0m1,912s
user	0m10,355s
sys	0m0,144s

And there it is, over 14 million passwords in less than 2 seconds

To test the performance of of other tools, I created several stego files with different passwords, taken from rockyou.txt. I ran each of the tools with their default settings, except Stegbrute where I increased threading for a fair comparison.

[p] = projected time based on previous results.

To compare the speed of each tool, let's look at the last row of the table (otherwise Stegseek finishes before all threads have started).

At this scale Stegseek is over 10 000 times faster than Stegcracker and over 6000 times faster than Stegbrute.

2020-12-01
improvements:

• Added seed cracking to allow for passwordless data extraction
• Overhauled parser to allow for positional arguments
• cracks rockyou.txt in 2 seconds

2020-11-08
improvements:

• Made threading lock-free s.t. multiple threads are used more efficiently
• Added -xf argument to --crack, used to specify the location of the extracted file
• Made the .deb package compatible with Debian/Kali
• cracks rockyou.txt in 4 seconds

2020-11-05
improvements:

• Give up on a passphrase once a single bit of the magic fails to decode
• Removed costly BitString / EmbData allocations
• Improved performance of the selector
• cracks rockyou.txt in 5 seconds.

2020-11-04
Initial release, features:

• Only loads the stego file once, unlike conventional crackers
• Workpool based threading
• Attempts to crack the first 3 bytes first, before attempting full decryption
• Added .deb package and docker container
• cracks rockyou.txt in 41 seconds.

A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object.

For background information, please refer to the following blog post: WS-Management COM: Another Approach for WinRM Lateral Movement

• SharpWSManWinRM.cs and CppWsManWinRM.cpp compile in Visual Studio 2019. Refer to the code comments for required imports/references/etc.
• All examples leverage the WMI Win32_Process class and WMI Create method for invocation.

 Usage: SharpWSManWinRM.exe <hostname> <command>
 Usage: SharpWSManWinRM.exe <hostname> <command> <domain\user> <password>

 Example: SharpWSManWinRM.exe host.domain.local notepad.exe
 Example: SharpWSManWinRM.exe host.domain.local "cmd /c notepad.exe" domain\joe.user P@ssw0rd

 Usage: Invoke-WSManWinRM -hostname <hostname> -command <command>
 Usage: Invoke-WSManWinRM -hostname <hostname> -command <command> -user <domain\user> -password <password>

 Example: import-module .\WSManWinRM.ps1
          Invoke-WSManWinRM -hostname MyServer.domain.local -command calc.exe
 Example: import-module .\WSManWinRM.ps1
          Invoke-WSManWinRM -hostname MyServer.domain.local -command calc.exe -user domain\joe.user -password P@ssw0rd

 Usage: cscript.exe SharpWSManWinRM.vbs <hostname> <command>
 Usage: cscript.exe SharpWSManWinRM.vbs <hostname> <command> <domain\user> <password>

 Example: cscript.exe SharpWSManWinRM.vbs host.domain.local notepad.exe
 Example: cscript.exe SharpWSManWinRM.vbs host.domain.local "cmd /c notepad.exe" domain\joe.user P@ssw0rd	

 Usage: cscript.exe SharpWSManWinRM.js <hostname> <command>
 Usage: cscript.exe SharpWSManWinRM.js <hostname> <command> <domain\user> <password>

 Example: cscript.exe SharpWSManWinRM.js host.domain.local notepad.exe
 Example: cscript.exe SharpWSManWinRM.js host.domain.local "cmd /c notepad.exe" domain\joe.user P@ssw0rd	 

 Usage: CppWSManWinRM.exe <hostname> <command>

 Example: CppWSManWinRM.exe host.domain.local notepad.exe

 Note: Username/password option does not work yet

WSMan-WinRM is designed to help security professionals perform ethical and legal security assessments and penetration tests. Do not use for nefarious purposes.

A Cross PlatformRemote Administration tool written in Go using Tor as its transport mechanism currently supporting Windows, Linux, MacOS clients.

How to use ToRat

• RPC (Remote procedure Call) based communication for easy addition of new functionallity
• Automatic upx leads to client binaries of ~6MB with embedded Tor
• the ToRAT_client communicates over TLS encrypted RPC proxied through Tor with the ToRat_server (hidden service)
  • anonymity of client and server
  • end-to-end encryption
• Cross Platform reverse shell (Windows, Linux, Mac OS)
• Windows:
  • Multiple User Account Control Bypasses (Privilege escalation)
  • Multiple Persistence methods (User, Admin)
• Linux:
  • Multiple Persistence methods (User, Admin)
• optional transport without Tor e.g. Use Tor2Web, a DNS Hostname or public/ local IP
  • smaller binary ~7MB upx'ed
  • anonymity of client and server
• embedded Tor
• Unique persistent ID for every client
  • give a client an Alias
  • all Downloads from client get saved to ./$ID/$filename
• sqlite via gorm for storing information about the clients
• client is obfuscated via garble

• Supports multiple connections
• Welcome Banner
• Colored Output
• Tab-Completion of:
  • Commands
  • Files/ Directories in the working directory of the server

• Tab-Completion of:
  • Commands
  • Files/ Directories in the working directory of the client

• Privilege escalation for Linux
• Persistence and privilege escalation for Mac OS
• Support for Android and iOS needs fix of https://github.com/ipsn/go-libtor/issues/12
• File-less Persistence on Windows

USE FOR EDUCATIONAL PURPOSES ONLY

All contributions are welcome you don't need to be an expert in Go to contribute.

• Tor
• Tor controller libary
• Python Uacbypass and Persistence Techniques
• Modern Cli
• Colored Prints
• Screenshot libary
• TLS Certificate generator
• Shred library
• Extract Text from Documents
• RPC
• UPX
• gorm
• Obfuscation

APKLab seamlessly integrates the best open-source tools: Apktool, Jadx, uber-apk-signer and more to the excellent VS Code so you can focus on app analysis and get it done without leaving the IDE.

• Decode all the resources from an APK
• Disassemble the APK to Dalvik bytecode aka Smali
• Decompile the APK to Java source
• Analyze & Hack effectively with feature-rich VS Code
• Build an APK from Smali and resources
• Rebuild an APK in Debug mode for dynamic analysis
• Sign the APK seamlessly during the build
• Install the APK directly from VS Code
• Support for Apktool-style projects (apktool.yml)
• Support for most Apktool CLI arguments
• Android resource frameworks management (Coming soon!)
• Support for user-provided keystore for APK signing
• Download and configure missing dependencies
• Excellent Smali language support with Smalise
• Supports Linux, Windows, and Mac

• Open the Command Palette (Ctrl+Shift+P) ➜ APKLab: Open an APK

  
  

• Or Just open an existing Apktool project folder

• Right-Click on or inside apktool.yml file ➜ APKLab: Rebuild the APK

  
  

• Right-Click on .apk file (in dist directory) ➜ APKLab: Install the APK

• JDK 8+

  Run java -version in your Shell, if not found download from here.

• adb

  Run adb devices in your Shell, if not found check this guide.

• Smalise (recommended)

  It makes working with smali files a breeze.

• Feimaomii for the awesome logo
• Aman Sharma for improved Windows support
• iBotPeaches, brutall and JesusFreke for Apktool & Smali
• patrickfav for uber-apk-signer
• skylot for Jadx