Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5816 articles
Browse latest View live

Socat - Multipurpose relay (SOcket CAT)

February 3, 2015, 2:12 pm
$
0
0
Socat is a utility similar to the venerable Netcat that works over a number of protocols and through a files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6 - raw, UDP, TCP), a client for SOCKS4, proxy CONNECT, or SSL, etc. It provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.

Filan is a utility that prints information about its active file descriptors to stdout. It has been written for debugging socat, but might be useful for other purposes too. Use the -h option to find more infos.

Procan is a utility that prints information about process parameters to stdout. It has been written to better understand some UNIX process properties and for debugging socat, but might be useful for other purposes too.

The life cycle of a socat instance typically consists of four phases.

In the init phase, the command line options are parsed and logging is initialized.

During the open phase, socat opens the first address and afterwards the second address. These steps are usually blocking; thus, especially for complex address types like socks, connection requests or authentication dialogs must be completed before the next step is started.

In the transfer phase, socat watches both streams' read and write file descriptors via select(), and, when data is available on one side andcan be written to the other side, socat reads it, performs newline character conversions if required, and writes the data to the write file descriptor of the other stream, then continues waiting for more data in both directions.

When one of the streams effectively reaches EOF, the closing phase begins. Socat transfers the EOF condition to the other stream, i.e. tries to shutdown only its write stream, giving it a chance to terminate gracefully. For a defined time socat continues to transfer data in the other direction, but then closes all remaining channels and terminates.

OPTIONS

Socat provides some command line options that modify the behaviour of the program. They have nothing to do with so called address options that are used as parts of address specifications.

-V
Print version and available feature information to stdout, and exit.
-h | -?
Print a help text to stdout describing command line options and available address types, and exit.
-hh | -??
Like -h, plus a list of the short names of all available address options. Some options are platform dependend, so this output is helpful for checking the particular implementation.
-hhh | -???
Like -hh, plus a list of all available address option names.
-d
Without this option, only fatal and error messages are generated; applying this option also prints warning messages. See DIAGNOSTICS for more information.
-d -d
Prints fatal, error, warning, and notice messages.
-d -d -d
Prints fatal, error, warning, notice, and info messages.
-d -d -d -d
Prints fatal, error, warning, notice, info, and debug messages.
-D
Logs information about file descriptors before starting the transfer phase.
-ly[<facility>]
Writes messages to syslog instead of stderr; severity as defined with -d option. With optional <facility>, the syslog type can be selected, default is "daemon". Third party libraries might not obey this option.
-lf<logfile>
Writes messages to <logfile> [filename] instead of stderr. Some third party libraries, in particular libwrap, might not obey this option.
-ls
Writes messages to stderr (this is the default). Some third party libraries might not obey this option, in particular libwrap appears to only log to syslog.
-lp<progname>
Overrides the program name printed in error messages and used for constructing environment variable names.
-lu
Extends the timestamp of error messages to microsecond resolution. Does not work when logging to syslog.
-lm[<facility>]
Mixed log mode. During startup messages are printed to stderr; when socat starts the transfer phase loop or daemon mode (i.e. after opening all streams and before starting data transfer, or, with listening sockets with fork option, before the first accept call), it switches logging to syslog. With optional <facility>, the syslog type can be selected, default is "daemon".
-lh
Adds hostname to log messages. Uses the value from environment variable HOSTNAME or the value retrieved with uname() if HOSTNAME is not set.
-v
Writes the transferred data not only to their target streams, but also to stderr. The output format is text with some conversions for readability, and prefixed with "> " or "< " indicating flow directions.
-x
Writes the transferred data not only to their target streams, but also to stderr. The output format is hexadecimal, prefixed with "> " or "< " indicating flow directions. Can be combined with -v.
-b<size>
Sets the data transfer block <size> [size_t]. At most <size> bytes are transferred per step. Default is 8192 bytes.
-s
By default, socat terminates when an error occurred to prevent the process from running when some option could not be applied. With this option, socat is sloppy with errors and tries to continue. Even with this option, socat will exit on fatals, and will abort connection attempts when security checks failed.
-t<timeout>
When one channel has reached EOF, the write part of the other channel is shut down. Then, socat waits <timeout> [timeval] seconds before terminating. Default is 0.5 seconds. This timeout only applies to addresses where write and read part can be closed independently. When during the timeout interval the read part gives EOF, socat terminates without awaiting the timeout.
-T<timeout>
Total inactivity timeout: when socat is already in the transfer loop and nothing has happened for <timeout> [timeval] seconds (no data arrived, no interrupt occurred...) then it terminates. Useful with protocols like UDP that cannot transfer EOF.
-u
Uses unidirectional mode. The first address is only used for reading, and the second address is only used for writing (example).
-U
Uses unidirectional mode in reverse direction. The first address is only used for writing, and the second address is only used for reading.
-g
During address option parsing, don't check if the option is considered useful in the given address environment. Use it if you want to force, e.g., appliance of a socket option to a serial device.
-L<lockfile>
If lockfile exists, exits with error. If lockfile does not exist, creates it and continues, unlinks lockfile on exit.
-W<lockfile>
If lockfile exists, waits until it disappears. When lockfile does not exist, creates it and continues, unlinks lockfile on exit.
-4
Use IP version 4 in case that the addresses do not implicitly or explicitly specify a version; this is the default.
-6
Use IP version 6 in case that the addresses do not implicitly or explicitly specify a version. 


Search

IP Thief - Simple IP Stealer in PHP

February 3, 2015, 4:23 pm
$
0
0

A simple PHP script to capture the IP address of anyone that send the "imagen.php" file with the following options:
[+] It comes with an administrator to view and delete IP
[+] You can change the redirect URL image
[+] Can you see the country of the visitor


SUMo - Software Update Monitor

February 4, 2015, 8:30 am
$
0
0

SUMo (Software Update Monitor) keeps your PC up-to-date & safe by using the most recent version of your favorite software !

Unlike built-in auto update features, SUMo tells you if updates are available before you need to use your software.

Features
  • Automatic detection of installed software
  • Detects required updates / patchs for your software
  • Detects required drivers update (requires DUMo)
  • Filter / authorize Beta versions (user setting)
  • Ignore list : only tracks software YOU want to track
  • More compatibility and less false positive than others Update Monitors (according to users feedback ;-)
  • Internationalization support.

Softavir - Antivirus for Windows based on Whitelists

February 4, 2015, 2:14 pm
$
0
0

SoftAvir is a security tool that ensures complete protection for your computer by creating a whitelist. The user select the only programs that can be run avoiding in this way the execution of any other unwanted program.

How does it work?

Softavir is the first antimalware solution that relies operation in advanced cryptographic whitelisting technology.

After installed, the user must add the programs that can be run. Softavir will not allow the execution of any program that has not been added to the list (including viruses, tojans and other malware).

Who is it for?

Softavir is recommended to Microsoft Windows users. The current version is compatible with Microsoft Windows x86 operating systems. Soon will come out a version for Microsoft Windows x64 operating systems.

Main advantages:

  • 100% protection against new threats.
  • Does not require updates.
  • Improved software management.
  • Easy maintenance of your equipment.
  • Avoids the need of regular formatting.

Dirs3arch v0.3.0 - HTTP(S) Directory/File Brute Forcer

February 7, 2015, 12:01 pm
$
0
0

dirs3arch is a simple command line tool designed to brute force hidden directories and files in websites.

It's written in python3 3 and all thirdparty libraries are included.

Operating Systems supported
  • Windows XP/7/8
  • GNU/Linux
  • MacOSX

Features
  • Multithreaded
  • Keep alive connections
  • Support for multiple extensions (-e|--extensions asp,php)
  • Reporting (plain text, JSON)
  • Detect not found web pages when 404 not found errors are masked (.htaccess, web.config, etc).
  • Recursive brute forcing
  • HTTP(S) proxy support
  • Batch processing (-L)

Examples
  • Scan www.example.com/admin/ to find php files:
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php
  • Scan www.example.com to find asp and aspx files with SSL:
    python3 dirs3arch.py -u https://www.example.com/ -e asp,aspx
  • Scan www.example.com with an alternative dictionary (from DirBuster):
    python3 dirs3arch.py -u http://www.example.com/ -e php -w db/dirbuster/directory-list-2.3-small.txt
  • Scan with HTTP proxy (localhost port 8080):
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php --http-proxy localhost:8080
  • Scan with custom User-Agent and custom header (Referer):
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php --user-agent "My User-Agent" --header "Referer: www.google.com"
  • Scan recursively:
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php -r
  • Scan recursively excluding server-status directory and 200 status codes:
    python3 dirs3arch.py -u http://www.example.com/ -e php -r --exclude-subdir "server-status" --exclude-status 200
  • Scan includes, classes directories in /admin/
    python3 dirs3arch.py -u http://www.example.com/admin/ -e php --scan-subdir "includes, classes"
  • Scan without following HTTP redirects:
    python3 dirs3arch.py -u http://www.example.com/ -e php --no-follow-redirects
  • Scan VHOST "backend" at IP 192.168.1.1:
    python3 dirs3arch.py -u http://backend/ --ip 192.168.1.1
  • Scan www.example.com to find wordpress plugins:
    python3 dirs3arch.py -u http://www.example.com/wordpress/wp-content/plugins/ -e php -w db/wordpress/plugins.txt

  • Batch processing:
    python3 dirs3arch.py -L urllist.txt -e php


Thirdparty code
  • colorama
  • oset
  • urllib3
  • sqlmap

Changelog
  • 0.3.0 - 2015.2.5 Fixed issue3, fixed timeout exception, ported to python33, other bugfixes
  • 0.2.7 - 2014.11.21 Added Url List feature (-L). Changed output. Minor Fixes
  • 0.2.6 - 2014.9.12 Fixed bug when dictionary size is greater than threads count. Fixed URL encoding bug (issue2).
  • 0.2.5 - 2014.9.2 Shows Content-Length in output and reports, added default.conf file (for setting defaults) and report auto save feature added.
  • 0.2.4 - 2014.7.17 Added Windows support, --scan-subdir|--scan-subdirs argument added, --exclude-subdir|--exclude-subdirs added, --header argument added, dirbuster dictionaries added, fixed some concurrency bugs, MVC refactoring
  • 0.2.3 - 2014.7.7 Fixed some bugs, minor refactorings, exclude status switch, "pause/next directory" feature, changed help structure, expaded default dictionary
  • 0.2.2 - 2014.7.2 Fixed some bugs, showing percentage of tested paths and added report generation feature
  • 0.2.1 - 2014.5.1 Fixed some bugs and added recursive option
  • 0.2.0 - 2014.1.31 Initial public release

Dshell - Network Forensic Analysis Framework

February 8, 2015, 10:12 am
$
0
0

An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

Key features:
  • Robust stream reassembly
  • IPv4 and IPv6 support
  • Custom output handlers
  • Chainable decoders

Prerequisites

Installation
  1. Install all of the necessary Python modules listed above. Many of them are available via pip and/or apt-get. Pygeoip is not yet available as a package and must be installed with pip or manually. All except dpkt are available with pip.
    1. sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
    2. sudo pip install pygeoip
  2. Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) to /share/GeoIP/
  3. Run make. This will build Dshell.
  4. Run ./dshell. This is Dshell. If you get a Dshell> prompt, you're good to go!

Basic usage
  • decode -l
    • This will list all available decoders alongside basic information about them
  • decode -h
    • Show generic command-line flags available to most decoders
  • decode -d <decoder>
    • Display information about a decoder, including available command-line flags
  • decode -d <decoder> <pcap>
    • Run the selected decoder on a pcap file

Usage Examples

Showing DNS lookups in sample traffic
Dshell> decode -d dns ~/pcap/dns.cap
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46    192.168.170.8:32795 ->   192.168.170.20:53    ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17    192.168.170.8:32796 <-   192.168.170.20:53    ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25   192.168.170.56:1711  <-      217.13.4.24:53    ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17   192.168.170.56:1710  <-      217.13.4.24:53    ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
Following and reassembling a stream in sample traffic
Dshell> decode -d followstream ~/pcap/v6-http.cap
Connection 1 (TCP)
Start: 2007-08-05 19:16:44.189852 UTC
  End: 2007-08-05 19:16:44.204687 UTC
2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes)
2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes)

GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b

HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>                    <a href="?C=M;O=A">Last modified</a>      <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a><hr><img src="/icons/folder.gif" alt="[DIR]"> <a href="202-vorbereitung/">202-vorbereitung/</a>       06-Jul-2007 14:31    -   
<img src="/icons/layout.gif" alt="[   ]"> <a href="Efficient_Video_on_demand_over_Multicast.pdf">Efficient_Video_on_d..&gt;</a> 19-Dec-2006 03:17  291K  
<img src="/icons/unknown.gif" alt="[   ]"> <a href="Welcome%20Stranger!!!">Welcome Stranger!!!</a>     28-Dec-2006 03:46    0   
<img src="/icons/text.gif" alt="[TXT]"> <a href="barschel.htm">barschel.htm</a>            31-Jul-2007 02:21   44K  
<img src="/icons/folder.gif" alt="[DIR]"> <a href="bnd/">bnd/</a>                    30-Dec-2006 08:59    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="cia/">cia/</a>                    28-Jun-2007 00:04    -   
<img src="/icons/layout.gif" alt="[   ]"> <a href="cisco_ccna_640-801_command_reference_guide.pdf">cisco_ccna_640-801_c..&gt;</a> 28-Dec-2006 03:48  236K  
<img src="/icons/folder.gif" alt="[DIR]"> <a href="doc/">doc/</a>                    19-Sep-2006 01:43    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="freenetproto/">freenetproto/</a>           06-Dec-2006 09:00    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="korrupt/">korrupt/</a>                03-Jul-2007 11:57    -   
<img src="/icons/folder.gif" alt="[DIR]"> <a href="mp3_technosets/">mp3_technosets/</a>         04-Jul-2007 08:56    -   
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:27   31K  
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz0.htm">neues_von_rainald_go..&gt;</a> 21-Mar-2007 23:29   36K  
<img src="/icons/layout.gif" alt="[   ]"> <a href="pruef.pdf">pruef.pdf</a>               28-Dec-2006 07:48   88K  
<hr></pre>
</body></html>
Chaining decoders to view flow data for a specific country code in sample traffic (note: TCP handshakes are not included in the packet count)
Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
2006-08-25 19:32:20.651502       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33436     1      0       36        0  0.0000s
2006-08-25 19:32:20.766761       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33438     1      0       36        0  0.0000s
2006-08-25 19:32:20.634046       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33435     1      0       36        0  0.0000s
2006-08-25 19:32:20.747503       192.168.1.2 ->  202.232.205.123  (-- -> JP)  UDP   60583   33437     1      0       36        0  0.0000s
Collecting netflow data for sample traffic with vlan headers, then tracking the connection to a specific IP address

Dshell> decode -d netflow ~/pcap/vlan.cap
1999-11-05 18:20:43.170500    131.151.20.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:42.063074     131.151.32.71 ->   131.151.32.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s
1999-11-05 18:20:43.096540     131.151.1.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.079765     131.151.5.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:41.521798    131.151.104.96 ->  131.151.107.255  (US -> US)  UDP     137     137     3      0      150        0  1.5020s
1999-11-05 18:20:43.087010     131.151.6.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.368210   131.151.111.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.250410    131.151.32.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.115330    131.151.10.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.375145   131.151.115.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:43.363348   131.151.107.254 ->  255.255.255.255  (US -> --)  UDP     520     520     1      0       24        0  0.0000s
1999-11-05 18:20:40.112031      131.151.5.55 ->    131.151.5.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s
1999-11-05 18:20:43.183825     131.151.32.79 ->   131.151.32.255  (US -> US)  UDP     138     138     1      0      201        0  0.0000s


Kali Linux 1.1.0 - The Best Penetration Testing Distribution

February 9, 2015, 10:02 am
$
0
0

After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux – version 1.1.0. This release brings with it a mix of unprecedented hardware support as well as rock solid stability. For us, this is a real milestone as this release epitomizes the benefits of our move from BackTrack to Kali Linux over two years ago. As we look at a now mature Kali, we see a versatile, flexible Linux distribution, rich with useful security and penetration testing related features, running on all sorts of weird and wonderful ARM hardware. But enough talk, here are the goods:
  • The new release runs a 3.18 kernel, patched for wireless injection attacks.
  • Our ISO build systems are now running off live-build 4.x.
  • Improved wireless driver support, due to both kernel and firmware upgrades.
  • NVIDIA Optimus hardware support.
  • A whole bunch of fixes and updates from our bug-tracker changelog.
  • And most importantly, we changed grub screens and wallpapers!

Upgrade Kali Linux 1.1.0

If you’ve already got Kali Linux installed and running, there’s no need to re-download the image as you can simply update your existing operating system using simple apt commands:
apt-get update
apt-get dist-upgrade


WhatsSpy - Trace the moves of a WhatsApp user

February 9, 2015, 3:12 pm
$
0
0

WhatsSpy Public is an web-oriented application that tracks every move of whoever you like to follow. This application is setup as an Proof of Concept that Whatsapp is broken in terms of privacy. Once you've setup this application you can track users that you want to follow on Whatsapp. Once it's running it keeps track of the following activities:
  • Online/Offline status (even with privacy options set to "nobody")
  • Profile pictures
  • Privacy settings
  • Status messages
I made this project for you to realise how broken the privacy options actually are. It just started out as experimenting with Whatsapp to build an Bot, but I was stunned when I realised someone could abuse this "online" feauture of Whatsapp to track anyone. I could just say this in like a blog article (like I tried but got marked as spam) that the privacy options are broken, but you wouldnt realise the impact it actually has.

Requirements

Shortlist requirements:
  • Secondary Whatsapp account (phonenumber that doesn't use Whatsapp)
  • Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
  • Server/RPi that runs 24/7
  • Nginx or Apache with PHP with PDO (php5-pgsql installed) (you can't host on simple webhoster, you need bash)
  • Postgresql

Notice

WhatsSpy Public requires an secondary Whatsapp account. Once the tracker is started, you will not be able to recieve any messages over Whatsapp for this phonenumber. You can either try to register an non-Whatsapp used phonenumber with for example this script or just buy an 5 euro SIM Card and use this phonenumber for the tracker.

For the tracker to work you need an secret which is retrieved from either your Phone or the register script mentioned above. In case of phone registration you need an jailbroken iPhone or rooted Android device in order to retrieve the secret.
  • Jailbroken iPhone users: You can retrieve using this script.
  • Rooted Android phones can use the following APK to retrieve the secret.
In order to retrieve the scecret you need to follow these steps:
  • Insert your (new) secondary SIM card in your phone and boot it up.
  • Re-install Whatsapp on your phone and activate it using the new phonenumber.
  • Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down, which is required later.
  • Insert your normal SIM card and re-install WhatsApp for normal use.


Search

AppUse - Android Pentest Platform Unified Standalone Environment

February 12, 2015, 2:23 pm
$
0
0
AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) system, a platform for mobile application security testing in the android environment, and it includes unique custom-made tools.

Faster & More Powerful

The system is a blessing to security teams, who from now on can easily perform security tests on Android applications. It was created as a virtual machine targeted for penetration testing teams who are interested in a convenient, personalized platform for android application security testing, for catching security problems and analysis of the application traffic.

Now, in order to test Android applications, all you will need is to download AppUse Virtual Machine, activate it, load your application and test it.


Easy to Use

There is no need for installation of simulators and testing tools, no need for SSL certificates of the proxy software, everything comes straight out of the box pre-installed and configured for an ideal user experience.

Security experts who have seen the machine were very excited, calling it the next ‘BackTrack’ (a famous system for testing security problems), specifically adjusted for Android application security testing.

AppUse VM closes gaps in the world of security, now there is a special and customized testing environment for Android applications; an environment like this has not been available until today, certainly not with the rich format offered today by AppUse VM.

This machine is intended for the daily use of security testers everywhere for Android applications, and is a must-have tool for any security person.

We at AppSec Labs do not stagnate, specifically at a time in which so many cyber attacks take place, we consider it our duty to assist the public and enable quick and effective security testing.

As a part of AppSec Labs’ policy to promote application security in general, and specifically mobile application security, AppUse is offered as a free download on our website, in order to share the knowledge, experience and investment with the data security community.

Features
  • New Application Data Section
  •  Tree-view of the application’s folder/file structure
  •  Ability to pull files
  •  Ability to view files
  •  Ability to edit files
  •  Ability to extract databases
  •  Dynamic proxy managed via the Dashboard
  •  New application-reversing features
  •  Updated ReFrameworker tool
  •  Dynamic indicator for Android device status
  •  Bugs and functionality fixes

SNMP Brute - Fast SNMP brute force, enumeration, CISCO config downloader and password cracking script

February 12, 2015, 3:15 pm
$
0
0
SNMP brute force, enumeration, CISCO config downloader and password cracking script. Listens for any responses to the brute force community strings, effectively minimising wait time.

Requirements
  • metasploit
  • snmpwalk
  • snmpstat
  • john the ripper

Usage
python snmp-brute.py -t [IP]


Options
--help, -h show this help message and exit
--file=DICTIONARY, -f DICTIONARY Dictionary file
--target=IP, -t IP Host IP
--port=PORT, -p PORT SNMP port


Advanced
--rate=RATE, -r RATE Send rate
--timeout=TIMEOUT Wait time for UDP response (in seconds)
--delay=DELAY Wait time after all packets are send (in seconds)
--iplist=LFILE IP list file
--verbose, -v Verbose output


Automation
--bruteonly, -b Do not try to enumerate - only bruteforce
--auto, -a Non Interactive Mode
--no-colours No colour output


Operating Systems
--windows Enumerate Windows OIDs (snmpenum.pl)
--linux Enumerate Linux OIDs (snmpenum.pl)
--cisco Append extra Cisco OIDs (snmpenum.pl)


Alternative Options
--stdin, -s Read communities from stdin
--community=COMMUNITY, -c COMMUNITY Single Community String to use
--sploitego Sploitego's bruteforce method


Features
  • Brute forces both version 1 and version 2c SNMP community strings
  • Enumerates information for CISCO devices or if specified for Linux and Windows operating systems.
  • Identifies RW community strings
  • Tries to download the router config (metasploit module).
  • If the CISCO config file is downloaded, shows the plaintext passwords (metasploit module) and tries to crack hashed passords with John the Ripper


The LaZagne Project - Recover most common software passwords (Firefox, IE, Opera, Chrome, Filezilla, winscp, coreFTP, WiFi and many more)

February 18, 2015, 11:55 am
$
0
0

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different technics (plaintext, using api, custom algorithms, etc.). This tool has been developped to find these passwords for most common softwares. At this moment, it supports 22 softwares on windows and 12 on a linux plateform.

Usage
  • Launch all modules
    • cmd: laZagne.exe all
  • Launch only a specific module
    • cmd: laZagne.exe
    • example: laZagne.exe browsers
    • help: laZagne.exe -h
  • Launch only a specific software script
    • cmd: laZagne.exe
    • example: laZagne.exe browsers -f
    • help: laZagne.exe browsers -h
  • Write all passwords found into a file (-w options)
    • cmd: laZagne.exe all -w

Supported softwares
  • Windows (tested on Windows XP, 7 and 8 - 32 and 64 bits)
    • browsers
      • firefox
      • chrome
      • opera
      • ie
    • chats
      • skype
      • pidgin
      • jitsi
    • mails
      • thunderbird
      • outlook
    • adminsys
      • filezilla
      • puttycm
      • winscp
      • cyberduck
      • coreFTP
      • FTPNavigator
    • database
      • sqldeveloper
      • squirrel
      • dbvisualizer
    • svn
      • tortoise
    • wifi
      • Wireless Network Password (Windows mechanism)
    • windows credentials
      • Domain visible network (.Net Passport)
      • Generic network credentials
  • Linux
    • browsers
      • firefox
      • opera
    • chats
      • pidgin
      • jitsi
    • mails
      • thunderbird
    • adminsys
      • filezilla
      • environment variables
    • database
      • sqldeveloper
      • squirrel
      • dbvisualizer
    • wifi
      • network manager
    • wallet
      • gnome keyring


IE Browser history

Internet Explorer passwords (from ie7 and before windows 8) can only be decrypted using the URL of the website. This one is used as an argument of the Win32CryptUnprotectData api. So to decrypt it, it is necessary to retreive the browser history of ie. To do that, I have used C code. So I used a dll (the code is on on the "browser_history_dll" directory) and it is directly embedded to the python code as a base64 string (c.f. ie.py). Once launched, the dll is written to the disk, a wrapper is used to call dll functions and then the dll file is removed from the disk.


Build your own password recovery script

It is possible to write your own script for the software of your choice.
To do that, some syntax requirements are needed:
  • Create a class using the name of the software
  • This class has to have a function called "retrieve_password" (it will be the main function)
  • The output containing all passwords has to be send to the "print_output" function - ex: print_output(, password_list)
    • password_list has to be an array of dictionnaries.
  • Optional: you could use the function "print_debug" to print your output
    • ex: print_debug("ERROR", "Failed to load ...")
  • Use an existing script to understand what I have said :)
If you want to improve this tool, you could send me your script and it will be added to this project (authors will be of course credited on each script ;)).

Requirements

To compile the source code, some external library are required.



NSEarch - Nmap Script Engine Search

February 18, 2015, 9:46 pm
$
0
0

NSEarch is a tool that helps you find scripts that are used nmap (NSE) , can be searched using the name or category , it is also possible to see the documentation of the scripts found.

USAGE:
  $ python nsearch.py

Main Menu

Initial Setup
 ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_ \
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
 ================================================
   Version 0.3     |   @jjtibaquira
 ================================================

  Creating Database :nmap_scripts.sqlite3
  Creating Table For Script ....
  Creating Table for Categories ....
  Creating Table for Scripts per Category ....
  Upload Categories to Categories Table ...

Main Console
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_  |
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch>

Basic Commands
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_  |
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> help

  Nsearch Commands
  ================
  clear  doc  exit  help  history  last  search

  nsearch>
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_  |
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> help search

  name     : Search by script's name
  category : Search by category
  Usage:
    search name:http
    search category:exploit

  nsearch>
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_  |
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> search name:ssh
  1.ssh-hostkey.nse
  2.ssh2-enum-algos.nse
  3.sshv1.nse
  nsearch>
  ================================================
    _   _  _____  _____                     _
   | \ | |/  ___||  ___|                   | |
   |  \| |\ `--. | |__    __ _  _ __   ___ | |__
   | . ` | `--. \|  __|  / _` || '__| / __|| '_  |
   | |\  |/\__/ /| |___ | (_| || |   | (__ | | | |
   \_| \_/\____/ \____/  \__,_||_|    \___||_| |_|
  ================================================
   Version 0.3     |   @jjtibaquira
  ================================================

  nsearch> doc ssh <TAB>
  ssh-hostkey.nse      ssh2-enum-algos.nse  sshv1.nse
  nsearch> doc sshv1.nse
  local nmap = require "nmap"
  local shortport = require "shortport"
  local string = require "string"

  description = [[
    Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.
  ]]
  author = "Brandon Enright"
  nsearch>


PackETH - Ethernet Packet Generator

February 19, 2015, 6:30 am
$
0
0

PackETH is GUI and CLI packet generator tool for ethernet. It allows you to create and send any possible packet or sequence of packets on the ethernet link. It is very simple to use, powerful and supports many adjustments of parameters while sending sequence of packets. And lastly, it has the most beautiful web site of all the packet generators.

Features
  • you can create and send any ethernet packet. Supported protocols:
    • ethernet II, ethernet 802.3, 802.1q, QinQ, user defined ethernet frame
    • ARP, IPv4, IPv6, user defined network layer payload
    • UDP, TCP, ICMP, ICMPv6, IGMP, user defined transport layer payload
    • RTP (payload with options to send sin wave of any frequency for G.711)
    • JUMBO frames (if network driver supports it)
  • sending sequence of packets
    • delay between packets, number of packets to send
    • sending with max speed, approaching the theoretical boundary
    • change parameters while sending (change IP & mac address, UDP payload, 2 user defined bytes, etc.)
  • saving configuration to a file and load from it - pcap format supported


CMSmap - Scanner to detect security flaws of the most popular CMSs (WordPress, Joomla and Drupal)

February 19, 2015, 10:30 am
$
0
0


CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal.

Please note that this project is an early state. As such, you might find bugs, flaws or mulfunctions. Use it at your own risk!

Installation
You can download the latest version of CMSmap by cloning the GitHub repository:
git clone https://github.com/Dionach/CMSmap.git

Usage
CMSmap tool v0.3 - Simple CMS Scanner
Author: Mike Manzotti mike.manzotti@dionach.com
Usage: cmsmap.py -t <URL>
          -t, --target    target URL (e.g. 'https://abc.test.com:8080/')
          -v, --verbose   verbose mode (Default: false)
          -T, --threads   number of threads (Default: 5)
          -u, --usr       username or file 
          -p, --psw       password or file
          -i, --input     scan multiple targets listed in a given text file
          -o, --output    save output in a file
          -k, --crack     password hashes file
          -w, --wordlist  wordlist file (Default: rockyou.txt - WordPress only)       
          -a, --agent     set custom user-agent  
          -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules
          -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal
          -F, --fullscan  full scan using large plugin lists. Slow! (Default: false)
          -h, --help      show this help   

Example: cmsmap.py -t https://example.com
         cmsmap.py -t https://example.com -f W -F
         cmsmap.py -t https://example.com -i targets.txt -o output.txt
         cmsmap.py -t https://example.com -u admin -p passwords.txt
         cmsmap.py -k hashes.txt


SubBrute - Subdomain Bruteforcer

February 19, 2015, 2:30 pm
$
0
0
SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

Whats new in v1.1?

This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r is in this release. In SubBrute 1.1 we fixed bugs, improved accuracy, and efficiency. As requested, this project is now GPLv3.

Accuracy and better wildcard detection:
  • A new filter that can pickup Geolocation aware wildcards.
  • Filter misbehaving nameservers
Faster:
  • More than 2,000 high quality nameservers were added to resolvers.txt, these servers will resolve multiple queries in under 1 sec.
  • Nameservers are verified when they are needed. A seperate thread is responsible creating a feed of nameservers, and corresponding wildcard blacklist.
New output:
  • -a will list all addresses associated with a subdomain.
  • -v debug output, to help developers/hackers debug subbrute.
  • -o output results to file.

More Information

The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching sub-domains with regular expression and sorting by frequency of occurrence:
  • python subroute.py -f full.html > my_subs.txt
names.txt contains 31298 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
No install required for Windows, just cd into the 'windows' folder:
  • subbrute.exe google.com
Easy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...

(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)
Under Ubuntu/Debian all you need is:
  • sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually:
Easy to use:
  • ./subbrute.py google.com
Tests multiple domains:
  • ./subbrute.py google.com gmail.com blogger.com
or a newline delimited list of domains:
  • ./subbrute.py -t list.txt
Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
  • ./subbrute.py gmail.com > gmail.out
  • ./subbrute.py -t gmail.out


Search

WiFiJammer - Continuously Jam All WiFi Clients/Routers

February 20, 2015, 2:15 pm
$
0
0

Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation. Granularity is given in the options for more effective targeting.

Requires: python 2.7, python-scapy, a wireless card capable of injection

Usage

Simple
python wifijammer.py
This will find the most powerful wireless interface and turn on monitor mode. If a monitor mode interface is already up it will use the first one it finds instead. It will then start sequentially hopping channels 1 per second from channel 1 to 11 identifying all access points and clients connected to those access points. On the first pass through all the wireless channels it is only identifying targets. After that the 1sec per channel time limit is eliminated and channels are hopped as soon as the deauth packets finish sending. Note that it will still add clients and APs as it finds them after the first pass through.

Upon hopping to a new channel it will identify targets that are on that channel and send 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.
python wifijammer.py -a 00:0E:DA:DE:24:8E -c 2
Deauthenticate all devices with which 00:0E:DA:DE:24:8E communicates and skips channel hopping by setting the channel to the target AP's channel (2 in this case). This would mainly be an access point's MAC so all clients associated with that AP would be deauthenticated, but you can also put a client MAC here to target that one client and any other devices that communicate with it.

Advanced
python wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world
-c, Set the monitor mode interface to only listen and deauth clients or APs on channel 1
-p, Send 5 packets to the client from the AP and 5 packets to the AP from the client along with 5 packets to the broadcast address of the AP
-t, Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space')
-s, Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a certain MAC address is handy in case you want to tempt people to join your access point in cases of wanting to use LANs.py or a Pineapple on them.
-d, Do not send deauths to access points' broadcast address; this will speed up the deauths to the clients that are found
--world, Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels so use this option if you're not in N. America

Walking/driving around
python wifijammer.py -m 10
The -m option sets a max number of client/AP combos that the script will attempt to deauth. When the max number is reached, it clears and repopulates its list based on what traffic it sniffs in the area. This allows you to constantly update the deauth list with client/AP combos who have the strongest signal in case you were not stationary. If you want to set a max and not have the deauth list clear itself when the max is hit, just add the -n option like: -m 10 -n

All options:
python wifijammer.py [-a AP MAC] [-c CHANNEL] [-d] [-i INTERFACE] [-m MAXIMUM] [-n] [-p PACKETS] [-s SKIP] [-t TIME INTERVAL]


Tails 1.3 - The Amnesic Incognito Live System

February 24, 2015, 4:10 pm
$
0
0

Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
  • use the Internet anonymously and circumvent censorship;
    all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you are using unless you ask it explicitly;
  • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.   

Tails, The Amnesic Incognito Live System, version 1.3, is out.
This release fixes numerous security issues and all users must upgrade as soon as possible.

New features
  • Electrum is an easy to use bitcoin wallet. You can use the Bitcoin Client persistence feature to store your Electrum configuration and wallet.
  • The Tor Browser has additional operating system and data security. This security restricts reads and writes to a limited number of folders. Learn how to manipulate files with the new Tor Browser.
  • The obfs4 pluggable transport is now available to connect to Tor bridges. Pluggable transports transform the Tor traffic between the client and the bridge to help disguise Tor traffic from censors.
  • Keyringer lets you manage and share secrets using OpenPGP and Git from the command line.

Upgrades and changes
  • The Mac and Linux manual installation processes no longer require the isohybrid command. Removing the isohybrid command simplifies the installation.
  • The tap-to-click and two-finger scrolling trackpad settings are now enabled by default. This should be more intuitive for Mac users.
  • The Ibus Vietnamese input method is now supported.
  • Improved support for OpenPGP smartcards through the installation of GnuPG 2.

There are numerous other changes that may not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.


Lynis 2.0.0 - Security Auditing Tool for Unix/Linux Systems

February 26, 2015, 9:02 am
$
0
0

Lynis is an open sourcesecurity auditing tool. Primary goal is to help users with auditing and hardening of Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even the installation of the software itself is optional!

How it works

Lynis will perform hundreds of individual tests to determine the security state of the system. Many of these tests are also part of common security guidelines and standards. Examples include searching for installed software and determine possible configuration flaws. Lynis goes further and does also test individual software components, checks related configuration files and measures performance. After these tests, a scan report will be displayed with all discovered findings.

Typical use cases for Lynis:
  • Security auditing
  • Vulnerability scanning
  • System hardening

Requirements:
Privileged or non-privileged


Acunetix clamps down on costly website security with online solution

March 4, 2015, 2:41 pm
$
0
0

2nd March 2015 - London, UK - As cyber security continues to hit the headlines, even smaller companies can expect to be subject to scrutiny and therefore securing their website is more important than ever. In response to this, Acunetix are offering the online edition of their vulnerability scanner at a new lower entry price. This new option allows consumers to opt for the ability to scan just one target or website and is a further step in making the top of the range scanner accessible to a wider market.

A web vulnerability scanner allows the user to identify any weaknesses in their website architecture which might aid a hacker. They are then given the full details of the problem in order to fix it. While the scanner might previously have been a niche product used by penetration testers, security experts and large corporations, in our current cyber security climate, such products need to be made available to a wider market. Acunetix have recognised this which is why both the product and its pricing have become more flexible and tailored to multiple types of user, with a one scan target option now available at $345. Pricing for other options has also been reduced by around 15% to reflect the current strength of the dollar. Use of the network scanning element of the product is also currently being offered completely free.

Acunetix CEO Nicholas Galea said:‘Due to recent attacks such as the Sony hack and the Anthem Inc breach, companies are under increasing pressure to ensure their websites and networks are secure. We’ve been continuously developing our vulnerability scanner for a decade now, it’s a pioneer in the field and continues to be the tool of choice for many security experts. We feel it’s a tool which can benefit a far wider market which is why we developed the more flexible and affordable online version.’

About Acunetix Vulnerability Scanner (Online version)

User-friendly and competitively priced, Acunetix Vulnerability Scanner fully interprets and scans websites, including HTML5 and JavaScript and detects a large number of vulnerabilities, including SQL Injection and Cross Site Scripting, eliminating false positives. Acunetix beats competing products in many areas; including speed, the strongest support of modern technologies such as JavaScript, the lowest number of false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of reports including HIPAA and PCI compliance.

Users can sign up for a trial of the online version of Acunetix which includes the option to run free network scans.  

Vane - WordPress Vulnerability Scanner (A GPL fork of WPScan)

March 4, 2015, 5:10 pm
$
0
0

Vane is a GPL fork of the now non-free popular WordPress vulnerability scanner WPScan.

INSTALL

Prerequisites
  • Windows not supported
  • Ruby => 1.9
  • RubyGems
  • Git

Installing on Debian/Ubuntu
sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development

Installing on Fedora
sudo yum install libcurl-devel
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development


Installing on Archlinux
pacman -Sy ruby
pacman -Sy libyaml

git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development

gem install typhoeus
gem install nokogiri

Installing on Mac OS X
git clone https://github.com/delvelabs/vane.git
cd vane
sudo gem install bundler && bundle install --without test development


KNOWN ISSUES

Typhoeus segmentation fault
Update cURL to version => 7.21 (may have to install from source) See http://code.google.com/p/vane/issues/detail?id=81


Proxy not working
Update cURL to version => 7.21.7 (may have to install from source).
Installation from sources :
  • Grab the sources from http://curl.haxx.se/download.html
  • Decompress the archive
  • Open the folder with the extracted files
  • Run ./configure
  • Run make
  • Run sudo make install
  • Run sudo ldconfig


cannot load such file -- readline
Run sudo aptitude install libreadline5-dev libncurses5-dev
Then, open the directory of the readline gem (you have to locate it)
cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
ruby extconf.rb
make
make install
See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details


VANE ARGUMENTS
--update Update to the latest revision
--url | -u The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration. option : u usernames from id 1 to 10 u[10-20] usernames from id 10 to 20 (you must write [] chars) p plugins vp only vulnerable plugins ap all plugins (can take a long time) tt timthumbs t themes vp only vulnerable themes at all themes (can take a long time) Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins If no option is supplied, the default is 'vt,tt,u,vp'
--exclude-content-based '' Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
--config-file | -c Use the specified config file
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
--wp-plugins-dir Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json). HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
--proxy-auth username:password Supply the proxy login credentials (will override the one from conf/browser.conf.json).
--basic-auth username:password Set the HTTP Basic authentication
--wordlist | -w Supply a wordlist for the password bruter and do the brute.
--threads | -t The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
--username | -U Only brute force the supplied username.
--help | -h This help screen.
--verbose | -v Verbose output.

VANE EXAMPLES
Do 'non-intrusive' checks...
ruby vane.rb --url www.example.com
Do wordlist password brute force on enumerated users using 50 threads...
ruby vane.rb --url www.example.com --wordlist darkc0de.lst --threads 50
Do wordlist password brute force on the 'admin' username only...
ruby vane.rb --url www.example.com --wordlist darkc0de.lst --username admin
Enumerate installed plugins...
ruby vane.rb --url www.example.com --enumerate p

VANETOOLS ARGUMENTS
--help    | -h   This help screen.
--Verbose | -v   Verbose output.
--update  | -u   Update to the latest revision.
--generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
--gpl  Alias for --generate_plugin_list
--check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells

VANETOOLS EXAMPLES
Generate a new 'most popular' plugin list, up to 150 pages ...
ruby vanetools.rb --generate_plugin_list 150
Locally scan a WordPress installation for vulnerable files or shells :
ruby vanetools.rb --check-local-vulnerable-files /var/www/wordpress/


Viewing all 5816 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>