1. Connects to RDP using rdesktop
2. Sends shift 5 times using xdotool to trigger sethc.exe backdoors
3. Sends Windows+u using xdotool to trigger utilman.exe backdoors
4. Takes screenshot
5. Kills RDP connection

1. Linux host running an X server
2. The following packages: xdotool imagemagick rdesktop bc
   1. Debian/Ubuntu/Kali install: apt-get install xdotool imagemagick rdesktop bc
3. Screen cannot be locked during this process or all of the screenshots will turn out black

1. Automatically analyze screenshots with OCR or image processing to identify backdoors.
2. Speed up/multithread the tool.

sudo python warberry.py -h

Parameters:
-h,  --help         [*] Print this help banner
-m,  --man          [*] Prints WarBerry's Man Page
-A,  --attack       [*] Run All Enumeration Scripts
-S,  --sniffer      [*] Run Sniffing Modules Only
-C,  --clear        [*] Clear Output Directories
-F,  --fulltcp      [*] Full TCP Port Scan
-T,  --toptcp       [*] Top Port Scan
-U,  --topudp       [*] Top UDP Port Scan

example usage: sudo python warberry.py -A
               sudo python warberry.py --attack
               sudo python warberry.py -C

• sudo apt-get install nbtscan
• sudo apt-get install python-scapy
• sudo apt-get install tcpdump
• sudo apt-get install nmap
• sudo pip install python-nmap
• sudo pip install ipaddress
• sudo apt-get install ppp
• sudo apt-get install sg3-utils
• sudo apt-get install netdiscover
• sudo apt-get install macchanger
• sudo git clone https://github.com/DanMcInerney/net-creds.git #install in /home/pi/WarBerry/Tools/

• sudo apt-get install onesixtyone
• sudo apt-get install nikto
• sudo apt-get install hydra
• sudo apt-get install john
• sudo apt-get install w3af-console
• sudo apt-get install ettercap-text-only
• sudo git clone https://github.com/stasinopoulos/commix.git
• sudo git clone https://github.com/sqlmapproject/sqlmap.git
• sudo git clone https://github.com/CoreSecurity/impacket.git
• sudo git clone https://github.com/samratashok/nishang.git
• sudo git clone https://github.com/SpiderLabs/Responder.git
• sudo git clone https://github.com/sophron/wifiphisher.git
• sudo git clone https://github.com/Dionach/CMSmap.git
• sudo git clone https://github.com/PowerShellMafia/PowerSploit.git

• sudo apt-get -y install libssl-dev
• sudo wget http://download.aircrack-ng.org/aircrack-ng-1.2-beta1.tar.gz
• sudo tar -zxvf aircrack-ng-1.2-beta1.tar.gz
• cd aircrack-ng-1.2-beta1
• sudo make
• sudo make install
• sudo airodump-ng-oui-update
• sudo apt-get -y install iw
• sudo wget https://download.sysinternals.com/files/SysinternalsSuite.zip

#!/usr/bin/env python2.7
import RPi.GPIO as GPIO
import subprocess
GPIO.setmode(GPIO.BCM)

# GPIO 23 set up as input. It is pulled up to stop false signals
GPIO.setup(23, GPIO.IN, pull_up_down=GPIO.PUD_UP)

print "it will connect GPIO port 23 (pin 16) to GND (pin 6)\n"

print "Waiting for falling edge on port 23"

try:
    GPIO.wait_for_edge(23, GPIO.FALLING)
    subprocess.call(["python /home/pi/WarBerry/warberry/warberry.py -A"])

except KeyboardInterrupt:
    GPIO.cleanup()       # clean up GPIO on CTRL+C exit
GPIO.cleanup()           # clean up GPIO on normal exit

Conflict resolution dialog in Faraday's GTK interface

Pro & Corp changes:

• Fixed a bug in report creation - removed relative paths in the generation script so it can be run from another directory

Community, Pro & Corp changes:

• Fixed bugs in plugins: Acunetix - Nmap - Nikto 
• Removed description from Hosts list in web UI
• Fixed sort in Hosts list in web UI
• Fixed ports sorting in Host view in web UI
• Added search link for OS in Hosts list in web UI
• Removed description from Services list in web UI
• Added version to Services list in web UI
• Modified false values in Hosts list in web UI
• Added search links in Services list in web UI
• Added scrollbar in Gtk Terminal
• Added workspace status in Gtk interface
• Added conflict resolution support for the Gtk interface
• Added search entry for workspaces in Gtk
• Added support for 'exit' command inside Faraday's Gtk terminal
• Improved handling of uncaught exceptions in Gtk interface
• Improved text formatting in Gtk's log console
• Fixed several small bugs in Faraday GTK
• Added support for resize workspace bar
• Added a quote for imported reports in web UI
• Added support for a new type of report in Qualysguard plugin

• Telepot
• requests

$ sudo pip install telepot
$ sudo pip install requests

$ python bt2.py

• After launching a reverse shell and exiting from it, all commands sent to the bot have duplicate responses.
• The 'kill' functionality is not working as it should.
• After successful execution of shellcode, the bot dies. Upon return it fetches the previous messages from the server and executes the shellcode again. Need to find a way to avoid fetching of previous messages.

• Julio Cesar Fort - julio at blazeinfosec dot com
• Twitter: @juliocesarfort / @blazeinfosec

• Works with the latest version of Burp Suite (tested on 1.5.21)
• Manual beautifying the requests/responses
• Automatic beautifying the responses in proxy
• Automatic beautifying the responses in all tabs
• Can support Burp suite scope
• Mimicking exact behaviour of JSBeautifier.org website by using Rhino library
• Supporting multiple file types (JS, CSS, HTML, and so on)
• Detecting packers and obfuscators (based on JSBeautifier.org)
• Syntax highlighter in the read-only editor by using Fifesoft RSyntaxTextArea library
• Open Source

• JS files of http://jsbeautifier.org/ - Written by Einar Lielmanis, einar@jsbeautifier.org
• Rhino library - http://www.mozilla.org/rhino/
• Fifesoft RSyntaxTextArea library: http://fifesoft.com/rsyntaxtextarea/

• Limitations of jsbeautifier.org
• Only support UTF-8 for texts

• Network discovery with OS detection
• Network traffic analysis
• Passwords recovery
• Files recovery

What's New

• + Updated scanning engine
• + Android 5 support
• + Portrait mode compatibility
• + Fixed sdcard issues
• + Cookie Killer
• + Forced Download
• + Fast poisoning

ScreenShots

Download Intercepter-NG

System Requirements

• Windows 10/Vista/7/8/2012 - 32-bit or 64-bit. (In previous version of Windows , there is no support for wifi monitor mode)
• Microsoft Network Monitor 3.x - You can download and install it from this Web page or from this Web page .
• Wireless network adapter and a driver that works properly in 'monitor mode' under Windows. See the remarks about that in the 'Known Problems' section below, it's very important !!

WifiChannelMonitor vs Other Tools

• Detect and show all wifi clients (Tablets, Smartphones, computers with wifi adapter, and so on... ), Including wifi clients that are not connected to any access point, but only tries to connect...
• For wifi clients that try to connect to one or more APs - WifiChannelMonitor displays the list of network names (SSIDs) that the wifi client tries to connect.
• WifiChannelMonitor can also detect clients with a wired connection to the router.
• WifiChannelMonitor shows the number of sent/received data bytes for every access point and for every wifi client connected to the access point.
• WifiChannelMonitor can show the name of hidden network. (The name is detected only when somebody connects this wireless network)

Start Using WifiChannelMonitor

Wifi Clients Modes (Lower Pane)

• Show Clients Of Selected AP:In this mode, WifiChannelMonitor only displays the wifi clients that are connected to the access point you select in the upper pane.
• Show All Clients:In this mode, WifiChannelMonitor displays all detected clients.
• Show All Clients Without AP:In this mode, WifiChannelMonitor displays all clients that are not connected to any access point.
• Show All Clients With AP:In this mode, WifiChannelMonitor displays all clients that are connected to access point.
• Show Only Clients+APs In My List:In this mode, WifiChannelMonitor displays only the clients and APs that appear in the MAC Addresses List (Ctrl+F8)

AP Columns Description

• SSID:The name of the wireless network
• MAC Address:MAC address of the access point.
• Company:Company that manufactured this access point, determined according to the MAC address.
• PHY Type:802.11g, 802.11n, and so on...
• Frequency:Channel frequency in MHz.
• Channel:Channel number.
• RSSI:Specifies the signal strength, in dBm. Some drivers don't provide the correct RSSI values in monitor mode.
• Security:None, WPA-PSK, WPA2-PSK, WPA-PSK + WPA2-PSK, WPA-EAP, WPA2-EAP, WPA-EAP + WPA2-EAP, or WEP.
• Cipher:None, WEP, TKIP, CCMP, TKIP+CCMP.
• Beacons:The total number of beacons sent by the access point. Beacon is a packet sent frequently by the access point and contains essential information that the wifi client need to identify and connect it.
• Probe Responses:The total number of times that the access point responded to a probe request sent by a wifi client.
• Data Bytes:Total number of data bytes sent and received by this access point.
• Retransmitted Data:Total number of retransmitted data bytes sent and received by this access point.
• Device Name:The name of the device. This value is displayed only for devices that support WPS.
• Device Model:The device model. This value is displayed only for devices that support WPS.
• WPS:Specifies the WPS status: No (No WPS Support), Configured, Not Configured, or Locked.
• Start Time:Displays the last time that access point was possibly started/restarted/rebooted. Be aware that some access points reset their timestamp periodically without restart/reboot action, and thus for these APs, the time value displayed on this column doesn't represent the correct start time.
• First Data Detected On:The first time that sent/received data was detected for this AP.
• Last Data Detected On:The last time that sent/received data was detected for this AP.

Wifi Client Columns Description

• MAC Address:MAC address of the wifi client.
• Company:Company that manufactured this wifi client, determined according to the MAC address. For example, if the wifi client is iPhone or iPad, you'll see 'Apple' in this column.
• RSSI:Specifies the signal strength, in dBm. Some drivers don't provide the correct RSSI values in monitor mode.
• SSID List:When wifi client tries to connect one or more access points, this field will display the list of network names (SSIDs) that this client tries to connect.
• Sent Data Bytes:Total number of data bytes sent by the client.
• Received Data Bytes:Total number of data bytes received by the client.
• Retransmitted Sent:Total number of retransmitted data bytes sent by the client.
• Retransmitted Received:Total number of retransmitted data bytes received by the client.
• Client Type:Wifi Client, Router, or Unknown. 
  Wifi Client means that this client uses wireless connection. 
  Router means that this client is the router (Yes... the router is also displayed as a client in the network). 
  Unknown means that this client uses wired connection or wireless connection.
• Device Name:The name of the device. This value is displayed only for devices that support WPS.
• Device Model:The device model. This value is displayed only for devices that support WPS.
• WPS:Specifies the WPS status: No (No WPS Support), Configured, Not Configured, or Locked.
• PHY Type:802.11g, 802.11n, and so on...
• Security:None, WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP, or WEP. This field is filled only when the client tries to connect the access point.
• Cipher:None, WEP, TKIP, CCMP, TKIP+CCMP. This field is filled only when the client tries to connect the access point.
• Probe Requests:Total number of probe requests sent by this client.
• First Detected On:The first date/time that this client was detected.
• Last Detected On:The last date/time that this client was detected.
• Association Status Code:Specifies the last Association Status Code that might be useful to disgnose wifi connection problems. You can find the meaning of these codes in this Web page.
• Deauthentication Code:Specifies the last Deauthentication Code that might be useful to disgnose wifi connection problems. You can find the meaning of these codes in this Web page.
• Association Requests:Specifies the number of association requests sent by the client.
• Device DescriptionIf the MAC address of the device is identical a MAC address in your MAC Addresses List (Ctrl+F8), then the description of the device in this list is displayed in this column.

Meaning of Icons

• Green Icon - The AP or wifi client sent or received data in the last 10 seconds. (You can change the number of seconds in the 'Advanced Options' window)
• Orange Icon - The AP or wifi client sent or received data in the last 60 seconds. (You can change the number of seconds in the 'Advanced Options' window)
• Red Icon - No sent/received data in the last 60 seconds.

Command-Line Options

1. NDIS 6 Support : Npcap makes use of new NDIS 6 Light-Weight Filter (LWF) API in Windows Vista and later (the legacy driver is used on XP). It's faster than the deprecated NDIS 5 API, which Microsoft could remove at any time.
2. Extra Security : Npcap can be restricted so that only Administrators can sniff packets. If a non-Admin user tries to utilize Npcap through software such as Nmap or Wireshark, the user will have to pass a User Account Control (UAC) dialog to utilize the driver. This is conceptually similar to UNIX, where root access is generally required to capture packets.
3. WinPcap Compatibility : If you choose WinPcap Compatible Mode at install-time, Npcap will use the WinPcap-style DLL directories c:\Windows\System32 and servcie name npf , allowing software built with WinPcap in mind to transparently use Npcap instead. If compatability mode is not selected, Npcap is installed in a different location C:\Windows\System32\Npcap with a different service name npcap so that both drivers can coexist on the same system. In this case, applications which only know about WinPcap will continue using that, while other applications can choose to use the newer and faster Npcap driver instead.
4. Loopback Packet Capture : Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP) . After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
5. Loopback Packet Injection : Npcap is also able to send loopback packets using the Winsock Kernel (WSK) technique. User-level software such as Nping can just send the packets out using Npcap Loopback Adapter just like any other adapter. Npcap then does the magic of removing the packet's Ethernet header and injecting the payload into the Windows TCP/IP stack.
6. Raw 802.11 Packet Capture : Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to select the Support raw 802.11 traffic (and monitor mode) for wireless adapters option in the installation wizard to enable this feature. When your adapter is in Monitor Mode , Npcap will supply all 802.11 data + control + management packets with radiotap headers. When your adapter is in Managed Mode , Npcap will only supply 802.11 data packets with radiotap headers. Moreover, Npcap provides the WlanHelper.exe tool to help you switch to Monitor Mode on Windows. See more details about this feature in section For softwares that use Npcap raw 802.11 feature . See more details about radiotap here: http://www.radiotap.org/

• Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
• If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
• If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks

$ ./wafw00f -l

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
<
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Anquanbao
Juniper WebApp Secure
IBM Web Application Security
Cisco ACE XML Gateway
F5 BIG-IP APM
360WangZhanBao
ModSecurity (OWASP CRS)
PowerCDN
Safedog
F5 FirePass
DenyALL WAF
Trustwave ModSecurity
CloudFlare
Imperva SecureSphere
Incapsula WAF
Citrix NetScaler
F5 BIG-IP LTM
Art of Defence HyperGuard
Aqtronix WebKnight
Teros WAF
eEye Digital Security SecureIIS
BinarySec
IBM DataPower
Microsoft ISA Server
NetContinuum
NSFocus
ChinaCache-CDN
West263CDN
InfoGuard Airlock
Barracuda Application Firewall
F5 BIG-IP ASM
Profense
Mission Control Application Shield
Microsoft URLScan
Applicure dotDefender
USP Secure Entry Server
F5 Trafficshield

$./wafw00f https://www.ibm.com/

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
<
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking https://www.ibm.com/
The site https://www.ibm.com/ is behind a Citrix NetScaler
Number of requests: 6

python setup.py install

pip install wafw00f

Who can use it

• Debian jessie core
• Custom hardened linux 4.5 kernel
• Rolling release upgrade line
• MATE desktop environment
• Lightdm Dislpay Manager
• Custom themes, icons and wallpapers

• CPU: at least 1Ghz dual core cpu
• ARCH: 32bit, 64bit and ARMhf
• RAM: 256Mb - 512Mb suggested
• GPU: No graphic acceleration required
• HDD Standard: 6Gb used - 8Gb suggested
• HDD Full: 8Gb used - 16Gb suggested
• BOOT: Legacy bios or UEFI (testing)

• Parrot Server Edition
• Parrot Cloud Controller
• Parrot VPS Service
• Custom installation script for Debian VPS

• "Forensic" boot option to avoid boot automounts
• Most famous Digital Forensic tools and frameworks out of the box
• Reliable acquisition and imaging tools
• Top class analysis softwares
• Evidence management and reporting tools
• Disabled automount
• Software blockdev write protection system

• Custom Anti Forensic tools
• Custom interfaces for GPG
• Custom interfaces for cryptsetup
• Support for LUKS, Truecrypt and VeraCrypt
• NUKE patch for cryptsetup LUKS disks
• Encrypted system installation

• AnonSurf
• Entire system anonymization
• TOR and I2P out of the box
• DNS requests anonymization
• "Change Identity" function for AnonSurf
• BleachBit system cleaner
• NoScript plugin
• UserAgentOverrider plugin
• Browser profile manager
• RAM-only browser profile
• Pandora's Box - RAM cleaner
• Hardened system behaviour

• FALCON Programming Language (1.0)
• System editor tuned for programming
• Many compilers and debuggers available
• Reverse Engineering Tools
• Programming Template Files
• Pre-installed most-used libs
• Full Qt5 development framework
• Full .net/mono development framework
• Development frameworks for embedded devices

• All Platforms
  • Update Firefox to 45.1.1esr
  • Update OpenSSL to 1.0.1t
  • Update Torbutton to 1.9.5.4
    • Bug 18466: Make Torbutton compatible with Firefox ESR 45
    • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
    • Bug 18905: Hide unusable items from help menu
    • Bug 16017: Allow users to more easily set a non-tor SSH proxy
    • Bug 17599: Provide shortcuts for New Identity and New Circuit
    • Translation updates
    • Code clean-up
  • Update Tor Launcher to 0.2.9.3
    • Bug 13252: Do not store data in the application bundle
    • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
    • Bug 11773: Setup wizard UI flow improvements
    • Translation updates
  • Update HTTPS-Everywhere to 5.1.9
  • Update meek to 0.22 (tag 0.22-18371-3)
    • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 18904: Mac OS: meek-http-helper profile not updated
  • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
  • Bug 18900: Fix broken updater on Linux
  • Bug 19121: The update.xml hash should get checked during update
  • Bug 18042: Disable SHA1 certificate support
  • Bug 18821: Disable libmdns support for desktop and mobile
  • Bug 18848: Disable additional welcome URL shown on first start
  • Bug 14970: Exempt our extensions from signing requirement
  • Bug 16328: Disable MediaDevices.enumerateDevices
  • Bug 16673: Disable HTTP Alternative-Services
  • Bug 17167: Disable Mozilla's tracking protection
  • Bug 18603: Disable performance-based WebGL fingerprinting option
  • Bug 18738: Disable Selfsupport and Unified Telemetry
  • Bug 18799: Disable Network Tickler
  • Bug 18800: Remove DNS lookup in lockfile code
  • Bug 18801: Disable dom.push preferences
  • Bug 18802: Remove the JS-based Flash VM (Shumway)
  • Bug 18863: Disable MozTCPSocket explicitly
  • Bug 15640: Place Canvas MediaStream behind site permission
  • Bug 16326: Verify cache isolation for Request and Fetch APIs
  • Bug 18741: Fix OCSP and favicon isolation for ESR 45
  • Bug 16998: Disable <link rel="preconnect"> for now
  • Bug 18898: Exempt the meek extension from the signing requirement as well
  • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
  • Bug 18890: Test importScripts() for cache and network isolation
  • Bug 18886: Hide pocket menu items when Pocket is disabled
  • Bug 18703: Fix circuit isolation issues on Page Info dialog
  • Bug 19115: Tor Browser should not fall back to Bing as its search engine
  • Bug 18915+19065: Use our search plugins in localized builds
  • Bug 19176: Zip our language packs deterministically
  • Bug 18811: Fix first-party isolation for blobs URLs in Workers
  • Bug 18950: Disable or audit Reader View
  • Bug 18886: Remove Pocket
  • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
  • Bug 18945: Disable monitoring the connected state of Tor Browser users
  • Bug 18855: Don't show error after add-on directory clean-up
  • Bug 18885: Disable the option of logging TLS/SSL key material
  • Bug 18770: SVGs should not show up on Page Info dialog when disabled
  • Bug 18958: Spoof screen.orientation values
  • Bug 19047: Disable Heartbeat prompts
  • Bug 18914: Use English-only label in <isindex/> tags
  • Bug 18996: Investigate server logging in esr45-based Tor Browser
  • Bug 17790: Add unit tests for keyboard fingerprinting defenses
  • Bug 18995: Regression test to ensure CacheStorage is disabled
  • Bug 18912: Add automated tests for updater cert pinning
  • Bug 16728: Add test cases for favicon isolation
  • Bug 18976: Remove some FTE bridges
• Windows
  • Bug 13419: Support ICU in Windows builds
  • Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
  • Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
• OS X
  • Bug 6540: Support OS X Gatekeeper
  • Bug 13252: Tor Browser should not store data in the application bundle
  • Bug 18951: HTTPS-E is missing after update
  • Bug 18904: meek-http-helper profile not updated
  • Bug 18928: Upgrade is not smooth (requires another restart)
• Build System
  • All Platforms
    • Bug 18127: Add LXC support for building with Debian guest VMs
    • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Bug 18919: Remove unused keys and unused dependencies
  • Windows
    • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
    • Bug 18290: Bump mingw-w64 commit we use
  • OS X
    • Bug 18331: Update toolchain for Firefox 45 ESR
    • Bug 18690: Switch to Debian Wheezy guest VMs
  • Linux
    • Bug 18699: Stripping fails due to obsolete Browser/components directory
    • Bug 18698: Include libgconf2-dev for our Linux builds
    • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

New features

• We enabled the automatic account configuration of Icedove which discovers the correct parameters to connect to your email provider based on your email address. We improved it to rely only on secure protocol and we are working on sharing these improvements with Mozilla so that users of Thunderbird outside Tails can benefit from them as well.

Upgrades and changes

• Update Tor Browser to 6.0.1, based on Firefox 45.
• Remove the preconfigured #tails IRC channel. Join us on XMPP instead!
• Always display minimize and maximize buttons in titlebars. (#11270)
• Remove GNOME Tweak Tool and hledger. You can add them back using the Additional software packages persistence feature.
• Use secure HKPS OpenPGP key server in Enigmail.
• Harden our firewall by rejecting RELATED packets and restricting Tor to only send NEW TCP syn packets. (#11391)
• Harden our kernel by:
  • Setting various security-related kernel options: slab_nomerge slub_debug=FZ mce=0 vsyscall=none. (#11143)
  • Removing the .map files of the kernel. (#10951)

Fixed problems

• Update the DRM and Mesa graphical libraries. This should fix recent problems with starting Tails on some hardware. (#11303)
• Some printers that stopped working in Tails 2.0 should work again. (#10965)
• Enable Packetization Layer Path MTU Discovery for IPv4. This should make the connections to obfs4 Tor bridges more reliable. (#9268)
• Remove our custom ciphers and MACs settings for SSH. This should fix connectivity issues with other distributions such as OpenBSD. (##7315)
• Fix the translations of Tails Upgrader. (#10221)
• Fix displaying the details of a circuit in Onion Circuits when using Tor bridges. (#11195)

Known issues

• The automatic account configuration of Icedove freezes when connecting to some email providers. (#11486)
• In some cases sending an email with Icedove results in the error: "The message could not be sent using Outgoing server (SMTP) mail.riseup.net for an unknown reason." When this happens, simply click "Ok" and try again and it should work. (#10933)
• The update of the Mesa graphical library introduce new problems at least on AMD HD 7770 and nVidia GT 930M.

• Cookie Export/Import
• Cookie Manager
• Copy as Plain Text
• Crypto Fox
• CSRF-Finder
• Disable WebRTC
• FireBug
• Fireforce
• FlagFox
• Foxy Proxy
• HackBar
• Live HTTP Headers
• Multi Fox
• PassiveRecon
• Right-Click XSS
• Tamper Data
• User Agent Switcher
• Wappalyzer
• Web Developer

• Downloading Burp Suite Certificate
• Downloading a large user-agent list for User-Agent Swithcer

• x86
• x86-64
• ARM
• MIPS
• MIPSEL

- Static Analysis
    -- Basic strings extracted from binary
    -- ELF information generated by readelf commands
    -- the report.py can be modified to add more 3rd party commands to analyse the binary and add the result to DICT.

- Dynamic Analysis
    -- The captured pcaps are parsed with DPKT to extract the IOC's and readable info from the packets. 

• System packages
  
  • python 2.7
  • qemu
  • pcaputils
  • sudo
  • libcap2-bin
  • bridge-utils
• Python libraries (Preferable to use virtual environment)
  
  • pexpect
  • paramiko
  • python-magic

• Host ( The host itself can be a VM or a baremetal machine)
  • QEMU
  • dumpcap
  • DETUX Scripts

- NIC1 : This interface is for accessing the Host
- NIC2 : Interface bridged with the the QEMU Sandbox VMs. One can redirect the traffic from the interface to WHONIX or REMNUX or a custom Gateway to filter/allow internet access for the Sandboxed VMs.

#x86
wget https://people.debian.org/~aurel32/qemu/i386/debian_wheezy_i386_standard.qcow2 -P qemu/x86/1/


#x86-64
wget https://people.debian.org/~aurel32/qemu/amd64/debian_wheezy_amd64_standard.qcow2 -P qemu/x86-64/1/

#arm
wget https://people.debian.org/~aurel32/qemu/armel/debian_wheezy_armel_standard.qcow2 -P qemu/arm/1/
wget https://people.debian.org/~aurel32/qemu/armel/initrd.img-3.2.0-4-versatile -P qemu/arm/1/
wget https://people.debian.org/~aurel32/qemu/armel/vmlinuz-3.2.0-4-versatile -P qemu/arm/1/

#mips
wget https://people.debian.org/~aurel32/qemu/mips/vmlinux-3.2.0-4-4kc-malta -P qemu/mips/1/
wget https://people.debian.org/~aurel32/qemu/mips/debian_wheezy_mips_standard.qcow2 -P qemu/mips/1/

#mipsel
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-3.2.0-4-4kc-malta -P qemu/mipsel/1/
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_wheezy_mipsel_standard.qcow2 -P qemu/mipsel/1/

Cmnd_Alias  QEMU_CMD    =   /usr/bin/qemu-*, /sbin/ip, /sbin/ifconfig, /sbin/brctl
<your detux username here> ALL = (ALL) NOPASSWD: QEMU_CMD

#! /bin/sh
# Script to bring a network (tap) device for qemu up.
# The idea is to add the tap device to the same bridge
# as we have default routing to.

# in order to be able to find brctl
PATH=$PATH:/sbin:/usr/sbin
ip=$(which ip)
ifconfig=$(which ifconfig)

echo "Starting"  $1
if [ -n "$ip" ]; then
   ip link set "$1" up
else
   brctl=$(which brctl)
   if [ ! "$ip" -o ! "$brctl" ]; then
     echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2
     exit 0
   fi
   ifconfig "$1" 0.0.0.0 up
fi

switch=$(ip route ls | \
    awk '/^default / {
          for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } }
         }'
        )
    if [ -d /sys/class/net/br0/bridge/. ]; then
        if [ -n "$ip" ]; then
          ip link set "$1" master br0
        else
          brctl addif br0 "$1"
        fi
        exit    # exit with status of the previous command
    fi

echo "W: $0: no bridge for guest interface found" >&2

auto br0
iface br0 inet dhcp
  bridge_ports eth0
  bridge_maxwait 0

<your detux folder>/qemu/arm/1/

#x86
sudo qemu-system-i386 -hda qemu/x86/1/debian_wheezy_i386_standard.qcow2 -vnc 127.0.0.1:5901 -net nic,macaddr=<MACADDR> -net tap -monitor stdio


#x86-64
sudo qemu-system-x86_64 -hda qemu/x86-64/1/debian_wheezy_amd64_standard.qcow2 -vnc 127.0.0.1:5901 -net nic,macaddr=<MACADDR> -net tap -monitor stdio

#arm
sudo qemu-system-arm -M versatilepb -kernel qemu/arm/1/vmlinuz-3.2.0-4-versatile -initrd qemu/arm/1/initrd.img-3.2.0-4-versatile -hda qemu/arm/1/debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -vnc 127.0.0.1:5901 -net nic,macaddr=<MACADDR> -net tap -monitor stdio

#mips
sudo qemu-system-mips -M malta -kernel qemu/mips/1/vmlinux-3.2.0-4-4kc-malta -hda qemu/mips/1/debian_wheezy_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 127.0.0.1:5901 -net nic,macaddr=<MACADDR> -net tap -monitor stdio

#mipsel
sudo qemu-system-mipsel -M malta -kernel qemu/mipsel/1/vmlinux-3.2.0-4-4kc-malta -hda qemu/mipsel/1/debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 127.0.0.1:5901 -net nic,macaddr=<MACADDR> -net tap -monitor stdio

• Choose an unconfigured VM image and start it using the above listed command in a Terminal.
• Connect VM monitor. Connect a VNC client to 127.0.0.1:5901 and wait for the VM to boot completely.
• Login with the default root credentials (root/root).
• Configure the VM's network interface such that it reachable/ accessible to the host.
• Setup SSH server on the VM and anyother configuration if required for you.
• Once configured, boot to a running state that accepts network connection.
• Switch back to terminal with qemu console on, which should look like:

(qemu)

• Save the VM state typing the following qemu commands in the qemu console:

(qemu) savevm init

• Quit the QEMU console:

(qemu) q

sudo groupadd -g wireshark
sudo usermod -a -G wireshark <your user name>
sudo chmod 750 /usr/bin/dumpcap
sudo etcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

usage: detux.py [-h] --sample SAMPLE [--cpu {x86,x86-64,arm,mips,mipsel}]
                [--int {python,perl,sh,bash}] --report REPORT

optional arguments:
  -h, --help            show this help message and exit
  --sample SAMPLE       Sample path (default: None)
  --cpu {x86,x86-64,arm,mips,mipsel}
                        CPU type (default: auto)
  --int {python,perl,sh,bash}
                        Architecture type (default: None)
  --report REPORT       JSON report output path (default: None)

python detux.py --sample test_script/example_binary1 --report reports/example_report1.json

• Short Scanning
• Comprehensive Scanning
• Finding subdomains
• Checking every input on every page

• Extract The lalin-master to your home or another folder
• chmod +x Lalin.sh
• And run the tools
• Easy to Use just input your number

$ sudo chmod +x Lalin.sh

$ sudo ./Lalin.sh

1. Miffly @Edo -m- main developer of Lalin
   
2. Bradfrea @Lazykali main developer of Lazykali
3. Daniel for lazynmap www.commonexploits.com
4. Uptodate new tools hacking visit http://www.kitploit.com
5. https://github.com/mazen160/Firefox-Security-Toolkit
6. http://www.linuxsec.org/ ( Jack Wilder )
7. Offensive Secuirty for the awesome os
8. http://www.kali.org
9. http://www.offensive-security.com

    gem install ritm   

1. Write your interception handlers
   

   require 'ritm'
   
   # A single answer for all your google searches
   Ritm.on_request do |req|
     if req.request_uri.host.start_with? 'www.google.'
       new_query_string = req.request_uri.query.gsub(/(?<=^q=|&q=)(((?!&|$).)*)(?=&|$)/, 'RubyInTheMiddle')
       req.request_uri.query = new_query_string
     end
   end
   
   my_picture = File.read('i_am_famous.jpg')
   
   # Replaces every picture on the web with my pretty face
   Ritm.on_response do |_req, res|
     if res.header['content-type'] && res.header['content-type'].start_with?('image/')
       res.header['content-type'] = 'image/jpeg'
       res.body = my_picture
     end
   end

2. Start the proxy server
   

   proxy = Ritm::Proxy::Launcher.new
   proxy.start
   
   puts 'Hit enter to finish'
   gets
   
   proxy.shutdown

3. Configure your browser
   Or whatever HTTP client you want to intercept traffic from, to connect to the proxy in localhost:8080
   
4. Browse the web!
   For the examples above, search anything in google and also visit your favorite newspaper website.
   

Client <--- SSL session ---> RITM <--- SSL session ---> Server

1. Generate a Certificate Authority PEM and Private Key files
   You can use OpenSSL or RITM to generate these two files. With OpenSSL:
   

   openssl req -new -nodes -x509 -days 365 -extensions v3_ca -keyout insecure_ca.key -out insecure_ca.crt

   Or with RITM:
   

   require 'ritm/certs/ca'
   
   ca = Ritm::CA.create common_name: 'InsecureCA'
   
   File.write('insecure_ca.crt', ca.pem)
   File.write('insecure_ca.key', ca.private_key.to_s)

2. Repeat step 2 from the previous example, this time indicating what CA should be used to sign certificates
   

   proxy = Ritm::Proxy::Launcher.new(ca_crt_path: 'path/to/insecure_ca.crt',
                                     ca_key_path: 'path/to/insecure_ca.key')
   proxy.start
   
   puts 'Hit enter to finish'
   gets
   
   proxy.shutdown

3. Trust the CA certificate into your browser or client
   I'll leave it to you to figure out how this is done in your browser or client.
   
4. Surf the web!
5. When you are done Remove the CA from your trusted authorities!
   Or take really good care of the CA private key since anyone in possession of that key will be capable of decrypting all your traffic! Also notice that when using the proxy every server will be automatically trusted even if the end server certificate is not valid.

1. Open new browser windows that can point to any website. (already built-in. See: server/modules/openURL.js ).
2. Change and read the clipboard. (already built-in. See: server/modules/readClipboard.js and server/modules/writeClipboard.js ).
3. Access cross-platform Operating System notifications and the tray on OS X and Windows.
4. Take screenshots. (already built-in. See: server/modules/screenshot.js ).
5. Execute arbitrary system commands. (already built-in. See: server/modules/execCommand.js )
6. Run at startup. (already built-in. See: client/main.js and server/modules/enableStartup.js ).

git clone https://github.com/IMcPwn/browser-backdoor
cd browser-backdoor

cd client
npm install
# Configure index.html and main.js before the next command
npm start

cd client
npm install electron-packager -g
electron-packager . --all

cd server
gem install bundler
bundle install
# Configure config.yml before the next command
ruby bbsconsole.rb

• The command line console with default configuration. 

• The help screen (text will change over time). 

• What it looks like when a session is opened (3 in this case).

• Sending a command to all sessions (as seen by session ID -1). 

• Targeting a specific session then taking a screenshot of the client.

mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE=Release ..

make shadowd
make install

psql -Ushadowd shadowd < /usr/share/shadowd/pgsql_layout.sql

mysql -ushadowd -p shadowd < /usr/share/shadowd/mysql_layout.sql