• Highlight SSLv2 and SSLv3 ciphers in output.
• Highlight CBC ciphers on SSLv3 (POODLE).
• Highlight 3DES and RC4 ciphers in output.
• Highlight PFS+GCM ciphers as good in output.
• Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output.
• Highlight anonymous (ADH and AECDH) ciphers in output (purple).
• Hide certificate information by default (display with --get-certificate ).
• Hide rejected ciphers by default (display with --failed ).
• Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
• Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
• Supports IPv6 hostnames (can be forced with --ipv6 ).
• Check for TLS compression (CRIME, disable with --no-compression ).
• Disable cipher suite checking --no-ciphersuites .
• Disable coloured output --no-colour .
• Removed undocumented -p output option.
• Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with --no-heartbleed ).
• Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys.
• Support scanning RDP servers with --rdp (credit skettler).
• Added option to specify socket timeout.
• Added option for static compilation (credit dmke).
• Added --sleep option to pause between requests.
• Disable output for anything than specified checks --no-preferred .
• Determine the list of CAs acceptable for client certificates --show-client-cas .
• Experimental build support on OSX (credit MikeSchroll).
• Flag some self-signed SSL certificates.
• Experimental Windows support (credit jtesta).
• Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 --no-cipher-details .
• Flag weak DHE keys with OpenSSL >= 1.0.2 --cipher-details .
• Flag expired certificates.
• Flag TLSv1.0 ciphers in output as weak.
• Experimental OSX support (static building only).
• Support for scanning PostgreSQL servers (credit nuxi).
• Check for TLS Fallback SCSV support.
• Added StartTLS support for LDAP --starttls-ldap .
• Added SNI support --sni-name (credit Ken).

make static

apt-get install build-essential git zlib1g-dev
apt-get build-dep openssl

make static

./sslscan --version

    1.x.y-...-static
    OpenSSL 1.1.0-dev xx XXX xxxx

brew install openssl

brew install swig

env LDFLAGS="-L$(brew --prefix openssl)/lib" \
CFLAGS="-I$(brew --prefix openssl)/include" \
SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \

virtualenv -p /usr/bin/python2.7 lobotomy
cd lobotomy/
source bin/activate

pip install -r requirements

cd core/include/androguard
python setup.py install

python lobotomy.py


                  :                   :                  :
                 t#,                 t#,                t#,
            i   ;##W.   .           ;##W.              ;##W.
           LE  :#L:WE   Ef.        :#L:WE  GEEEEEEEL  :#L:WE             ..       : f.     ;WE.
          L#E .KG  ,#D  E#Wi      .KG  ,#D ,;;L#K;;. .KG  ,#D           ,W,     .Et E#,   i#G
         G#W. EE    ;#f E#K#D:    EE    ;#f   t#E    EE    ;#f         t##,    ,W#t E#t  f#f
        D#K. f#.     t#iE#t,E#f. f#.     t#i  t#E   f#.     t#i       L###,   j###t E#t G#i
       E#K.  :#G     GK E#WEE##Wt:#G     GK   t#E   :#G     GK      .E#j##,  G#fE#t E#jEW,
     .E#E.    ;#L   LW. E##Ei;;;;.;#L   LW.   t#E    ;#L   LW.     ;WW; ##,:K#i E#t E##E.
    .K#E       t#f f#:  E#DWWt     t#f f#:    t#E     t#f f#:     j#E.  ##f#W,  E#t E#G
   .K#D         f#D#;   E#t f#K;    f#D#;     t#E      f#D#;    .D#L    ###K:   E#t E#t
  .W#G           G#t    E#Dfff##E,   G#t      t#E       G#t    :K#t     ##D.    E#t E#t
 :W##########Wt   t     jLLLLLLLLL;   t        fE        t     ...      #G      ..  EE.
 :,,,,,,,,,,,,,.                                :                       j           t

(lobotomy)

1. Aircrack : 1:1.2-0~rc4-0parrot0
2. Lighttpd : 1.439-1
3. Hostapd : 1:2.3-2.3 If you want to compare this type dpkg -l | grep "name"

• Scan the networks.
• Capture a handshake (can't be used without a valid handshake, it's necessary to verify the password)
• Use WEB Interface *
• Launch a FakeAP instance to imitate the original access point
• Spawns a MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
• A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
• A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
• Each submitted password is verified by the handshake captured earlier
• The attack will automatically terminate, as soon as a correct password is submitted

1. Deltax - Fluxion main developer
2. Strasharo - contributor
3. l3op - contributor
4. dlinkproto - contributor
5. vk496 - developer of linset
6. ApatheticEuphoria - @WPS-SLAUGHTER,Bruteforce Script,Help with Fluxion
7. Derv82 - @Wifite/2
8. Princeofguilty - @webpages
9. Photos for wiki @ http://www.kalitutorials.net
10. Ons Ali @wallpaper

1. Wifislax
2. Kali Linux
3. linset
4. ares
5. Closeme

• This bot adopted special for deploying to Heroku
• General purposes of this got - "Be helpful for infosec community!"
• Bot use https://github.com/maddevsio/bbcrawler for fetching information
• Used heroku https://github.com/heroku/go-getting-started as a template for project
• For bot used free account on heroku.com and firebase.com

• Purposes of bot:
  • "Deliver information as fast as possible!"
  • "Be helpful for infosec community"

• For web server used GIN
  • github.com/gin-gonic/gin
• For Bot functionality used telegram-bot-api.v4
  • gopkg.in/telegram-bot-api.v4

• TELEGRAM_BBBOT_TOKEN - Telegram Api token received from @BotFather
• TELEGRAM_BBBOT_URL - Webhook url to bot public web address
• PORT - Standard heroku ENV variable for port number
• TELEGRAM_BBBOT_FIREBASE_TOKEN - Firebase database token
• TELEGRAM_BBBOT_FIREBASE_URL - Url to firebase project
• TELEGRAM_BBBOT_HO_SEARCH_URL - HackerOne search url (crawler)
• TELEGRAM_BBBOT_CHANNEL - Public channel identifier, for example @some_channel_name
• TELEGRAM_BBBOT_HOST - Public bot host url for ping purposes (for disabling sleeping functionality after 30 min of inactivity)
• TELEGRAM_BBBOT_H1_HACK_SEARCH_URL - HackerOne hacktivity url (crawler)
• TELEGRAM_BBBOT_BUGCROWD_NEW_PROG_URL - BugCrowd url for crawling new programs (crawler)

• Bot started
• Fetching data from firebase (synchronising)
• Crawling programs from hackerone.com (in parallel)
• Crawling hacktivity from hackerone.com (in parallel)
• Crawling programs from bugcrowd.com (in parallel)
• Determining new data from all crawled information (in parallel)
• Publishing data to telegram channel from ENV variable
  
• Note: If instance of bot at heroku.com restarted all data restored from firebase storage.

git clone https://github.com/commixproject/commix.git commix

• ArchStrike
• BlackArch Linux
• BackBox
• Kali Linux
• Parrot Security OS
• Weakerthan Linux

• TrustedSec's Penetration Testers Framework (PTF)
• OWASP Offensive Web Testing Framework (OWTF)
• CTF-Tools
• PentestBox
• PenBox
• Katoolin
• Aptive's Penetration Testing tools

• Linux
• Mac OS X
• Windows (experimental)

python commix.py -h

• Linux supported, and developed on/for linux
• OS X support not planned
• Windows support not planned

• apache_users
• arp_dos
• arp_spoof
• bluetooth_pod
• cloudflare_resolver
• dir_scanner
• dns_spoof
• email_bomber
• hostname_resolver
• mac_spoof
• mitm
• network_kill
• pma_scanner
• port_scanner
• proxy_scout
• whois
• web_killer
• web_scout
• wifi_jammer
• zip_cracker
• rar_cracker
• wordlist_gen

Screenshots

• Official website: http://hakkuproject.org
• Official wiki: https://github.com/4shadoww/hakkuproject/wiki/
• Github page: https://github.com/4shadoww/hakkuproject/
• SourceForge page: https://sourceforge.net/projects/hakkuproject/

• email: 4shadoww0@gmail.com
• bug reports to github or here: 4shadoww0@gmail.com

• BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
• PyAsmJIT : A JIT for the Intel x86_64 and ARM architecture.
• Tools built upon BARF :
  • BARFgadgets : Lets you search , classifiy and verify ROP gadgets inside a binary program.
  • BARFcfg : Lets you recover the control-flow graph of the functions of a binary program.
  • BARFcg : Lets you recover the call graph of the functions of a binary program.

• BARF: A multiplatform open source Binary Analysis and Reverse engineering Framework (Whitepaper) [ en ]
• BARFing Gadgets (ekoparty2014 presentation) [ es ]

All packages were tested on Ubuntu 16.04 (x86_64).

• Load binary programs in different formats ( ELF , PE , etc),
• It supports the Intel x86 architecture for 32 and 64 bits,
• It supports the ARM architecture for 32 bits,
• It operates on an intermediate language ( REIL ) thus all analysis algorithm are architecture-agnostic,
• It has integration with Z3 and CVC4 SMT solvers which means that you can express fragments of code as formulae and check restrictions on them.

• Z3 : A high-performance theorem prover being developed at Microsoft Research.
• CVC4 : An efficient open-source automatic theorem prover for satisfiability modulo theories (SMT) problems.

$ sudo python setup.py install

$ sudo python setup.py install --user

• Only one SMT solver is needed in order to work. You may choose between Z3 and CVC4 or install both. You can use the barf-install-solver.sh script which downloads and install both solver.
• To run some tests you need to install PyAsmJIT first.

from barf import BARF

# Open binary file.
barf = BARF("examples/bin/x86/branch1")

# Print assembly instruction.
for addr, asm_instr, reil_instrs in barf.translate():
    print("0x{addr:08x} {instr}".format(addr=addr, instr=asm_instr))

    # Print REIL translation.
    for reil_instr in reil_instrs:
        print("{indent:11s} {instr}".format(indent="", instr=reil_instr))

# Recover CFG.
cfg = barf.recover_cfg()

# Save CFG to a .dot file.
cfg.save("branch1_cfg")

 80483ed:       55                      push   ebp
 80483ee:       89 e5                   mov    ebp,esp
 80483f0:       83 ec 10                sub    esp,0x10
 80483f3:       8b 45 f8                mov    eax,DWORD PTR [ebp-0x8]
 80483f6:       8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
 80483f9:       01 d0                   add    eax,edx
 80483fb:       83 c0 05                add    eax,0x5
 80483fe:       89 45 fc                mov    DWORD PTR [ebp-0x4],eax
 8048401:       8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]
 8048404:       c9                      leave
 8048405:       c3                      ret

from barf import BARF

# Open ELF file
barf = BARF("examples/bin/x86/constraint1")

# Add instructions to analyze.
for addr, asm_instr, reil_instrs in barf.translate(0x80483ed, 0x8048401):
    for reil_instr in reil_instrs:
        barf.code_analyzer.add_instruction(reil_instr)

# Get smt expression for eax and ebp registers
eap = barf.code_analyzer.get_register_expr("eax")
ebp = barf.code_analyzer.get_register_expr("ebp")

# Get smt expressions for memory locations (each one of 4 bytes)
a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4)
b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4)
c = barf.code_analyzer.get_memory_expr(ebp-0x4, 4)

# Set range for variables
barf.code_analyzer.set_preconditions([a >= 2, a <= 100])
barf.code_analyzer.set_preconditions([b >= 2, b <= 100])

# Set desired value for the result
barf.code_analyzer.set_postcondition(c == 13)

# Check satisfiability.
if barf.code_analyzer.check() == 'sat':
    print("SAT!")

    # Get concrete value for expressions.
    eax_val = barf.code_analyzer.get_expr_value(eax)
    a_val = barf.code_analyzer.get_expr_value(a)
    b_val = barf.code_analyzer.get_expr_value(b)
    c_val = barf.code_analyzer.get_expr_value(c)

    # Print values.
    print("eax : 0x{0:%08x} ({0})".format(eax_val))
    print("ebp : 0x{0:%08x} ({0})".format(ebp_val))
    print("  a : 0x{0:%08x} ({0})".format(a_val))
    print("  b : 0x{0:%08x} ({0})".format(b_val))
    print("  c : 0x{0:%08x} ({0})".format(c_val))
else:
    print("UNSAT!")

• REIL : Provides definitions for the REIL language. It, also, implements an emulator and a parser .
• SMT : Provides means to interface with Z3 SMT solver. Also, it provides functionality to translate REIL instructions to SMT expressions.
• BI : The Binary Interface module is responsible for loading binary files for processing (it uses [PEFile] and [PyELFTools].)

• Architecture : Describes the architecture, i.e., registers, memory address size.
• Translator : Provides translators to REIL for each supported instruction.
• Disassembler : Provides disassembling functionalities (it uses Capstone.)
• Parser : Transforms instruction in string to object form (provided by the Instruction module.)

barf/       Framework's main directory.
doc/        Documentation.
examples/   Basic example scripts that show various functionalities.
scripts/    Installation scripts.
tests/      BARF package tests.
tools/      Tools build upon BARF.

• No-Operation,
• Move Register,
• Load Constant,
• Arithmetic/Logical Operation,
• Load Memory,
• Store Memory,
• Arithmetic/Logical Load,
• Arithmetic/Logical Store and
• Undefined.

usage: BARFgadgets [-h] [--version] [--bdepth BDEPTH] [--idepth IDEPTH] [-u]
                   [-c] [-v] [-o OUTPUT] [-t] [--sort {addr,depth}] [--color]
                   [--show-binary] [--show-classification]
                   filename

Tool for finding, classifying and verifying ROP gadgets.

positional arguments:
  filename              Binary file name.

optional arguments:
  -h, --help            show this help message and exit
  --version             Display version.
  --bdepth BDEPTH       Gadget depth in number of bytes.
  --idepth IDEPTH       Gadget depth in number of instructions.
  -u, --unique          Remove duplicate gadgets (in all steps).
  -c, --classify        Run gadgets classification.
  -v, --verify          Run gadgets verification (includes classification).
  -o OUTPUT, --output OUTPUT
                        Save output to file.
  -t, --time            Print time of each processing step.
  --sort {addr,depth}   Sort gadgets by address or depth (number of
                        instructions) in ascending order.
  --color               Format gadgets with ANSI color sequences, for output
                        in a 256-color terminal or console.
  --show-binary         Show binary code for each gadget.
  --show-classification
                        Show classification for each gadget.

usage: BARFcfg [-h] [-s SYMBOL_FILE] [-a] [-o RECOVER_ONE] [-f {graph,text}]
               [-t] [-d OUTPUT_DIR] [-b] [-r]
               filename

Tool for recovering CFG of a binary.

positional arguments:
  filename              Binary file name.

optional arguments:
  -h, --help            show this help message and exit
  -s SYMBOL_FILE, --symbol-file SYMBOL_FILE
                        Load symbols from file.
  -a, --recover-all     Recover all functions.
  -o RECOVER_ONE, --recover-one RECOVER_ONE
                        Recover specified function.
  -f {graph,text}, --format {graph,text}
                        Output format.
  -t, --time            Print process time.
  -d OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Ouput directory.
  -b, --brief           Brief output.
  -r, --show-reil       Show REIL translation.

usage: BARFcg [-h] [-s SYMBOL_FILE] [-a] [-t] filename

Tool for recovering CG of a binary.

positional arguments:
  filename              Binary file name.

optional arguments:
  -h, --help            show this help message and exit
  -s SYMBOL_FILE, --symbol-file SYMBOL_FILE
                        Load symbols from file.
  -a, --recover-all     Recover all functions.
  -t, --time            Print process time.

           _ _              ___  ______ 
          (_) |            / _ \ | ___ \
 _ __ ___  _| |_ _ __ ___ / /_\ \| |_/ /
| '_ ` _ \| | __| '_ ` _ \|  _  ||  __/ 
| | | | | | | |_| | | | | | | | || |    
|_| |_| |_|_|\__|_| |_| |_\_| |_/\_| 2.1

• SSLstrip2 for HSTS bypass
  
• Image capture with Driftnet
  
• TShark for command line .pcap capture
  

• SSLstrip2
  
• Driftnet
  
• Tshark
  
• Full featured access point, with configurable speed limit
  
• mitmproxy
  
• Wireshark
  
• DNS Spoofing
  
• Saving results to file
  

git clone https://github.com/xdavidhu/mitmAP

• Kali Linux -> "sudo python3 mitmAP.py"
  
• Raspberry PI -> "sudo python3 mitmAP_rpi.py"
  

python wifijammer.py

python wifijammer.py -a 00:0E:DA:DE:24:8E -c 2

python wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world

• -c , Set the monitor mode interface to only listen and deauth clients or APs on channel 1
  
• -p , Send 5 packets to the client from the AP and 5 packets to the AP from the client along with 5 packets to the broadcast address of the AP
  
• -t , Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space')
  
• -s , Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a certain MAC address is handy in case you want to tempt people to join your access point in cases of wanting to use LANs.py or a Pineapple on them.
  
• -d , Do not send deauths to access points' broadcast address; this will speed up the deauths to the clients that are found
  
• --world , Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels so use this option if you're not in N. America
  

python wifijammer.py -m 10

python wifijammer.py [-a AP MAC] [-c CHANNEL] [-d] [-i INTERFACE] [-m MAXIMUM] [-n] [-p PACKETS] [-s SKIP] [-t TIME INTERVAL]

git clone https://github.com/Va5c0/Steghide-Brute-Force-Tool.git

python steg_brute.py [option] [-f file]

python steg_brute.py -h

./xsscrapy.py -u http://example.com

./xsscrapy.py -u http://example.com/login_page -l loginname

./xsscrapy.py -u http://example.com/login_page -l loginname --basic

./xsscrapy.py -u http://example.com/login_page --cookie "SessionID=abcdef1234567890"

./xsscrapy.py -u http://example.com -c 20

./xsscrapy.py -u http://example.com/ -r 60

wget -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install -r requirements.txt

• Cookies
• User-Agent
• Referer
• URL variables
• End of URL
• URL path
• Forms both hidden and explicit

• If it gives an error : ImportError: cannot import name LinkExtractor . This means that you don't have the latest version of scrapy. You can install it using: sudo pip install --upgrade scrapy .
• It's called XSScrapy, so why SQL injection detection too? There is overlap between dangerous XSS chars and dangerous SQL injection characters, namely single and double quotes. Detecting SQL injection errors in a response is also simple and nonCPU-intensive. So although 99% of this script is strongly geared toward high and accurate detection of XSS adding simple SQL injection detection through error message discovery is a simple and effective addition. This script will not test for blind sql injection. Error messages it looks for come straight from w3af's sqli audit plugin.

svn checkout https://github.com/mauro-g/snuck snuck

cd snuck
ant jar

> java -jar snuck.jar
Usage: snuck [-start xmlconfigfile ] -config xmlconfigfile -report htmlreportfile [-d # ms_delay] 
[-proxy IP:port] [-chrome chromedriver ] [-ie iedriver] [-remotevectors URL] [-stop-first]
[-reflected targetURL -p parameter_toTest] [-no-multi]

Options :

  -start         path to login use case (XML file)
  -config        path to injection use case (XML file)
  -report        report file name (html extension is required)
  -d             delay (ms) between each injection
  -proxy         proxy server (IP: port)
  -chrome        perform a test with Google Chrome, instead of Firefox. It needs the path to the chromedriver
  -ie            perform a test with Internet Explorer, instead of Firefox.
                 Disable the built in XSS filter in advance
  -remotevectors use an up-to-date online attack vectors source instead of the local one
  -stop-first    stop the test upon a successful vector is detected
  -no-multi      deactivate multithreading for the reverse engineering process - a sequential approach will be adopted
  -reflected     perform a reflected XSS test (without writing the XML config file)
  -p             HTTP GET parameter to inject (useful if -reflected is set)
  -help          show this help menu 

• html_payloads. it stores HTML tags whose purpose is to generate an alert dialog window. Placeholders could be used within this set of vectors; for instance, if we have <script src=data:,%alert%></script>, then the tool will pick a javascript alert from the following attack vector set at random to be the substitute of %alert%. Something like <svg onload=%uri%> will be treated similarly, obviously the drawing will happen among the URIs vectors (see below).
• js_alert payloads it stores many javascript approaches to trigger an alert dialog window, such as alert(1) or eval(alert(2)).
• uri_payloads it stores malicious URIs, such as javascript:alert(1).
• expression_alert_payloads it stores malicious expression payloads, such as expression(URL=0); in this case it is mandatory to produce a redirect to a new URL ending with "0" in order to catch whether a vulnerability exists. Unfortunately expression(alert(1)) would flood the web browser (IE), while expression(write(1)) makes the browser freeze, finally expression(alert(URL=1)) produces multiple alert dialogs and this is annoying from the web driver's perspective.

• Install Text (V 3.0)
• Install Video (OLD)
• Binder guide
• Module guide
• Form grabber plugins
• Facebook MessengerSpy plugins
• Jabber Notifier/ Hide Panel
• Windows infection
• Rubber Ducky Payload

• pip install crxmake
• wine32

python chromebackdoor.py

• pour rappel, infiltrer, surveiller, un système informatique sans autorisation est un délit
• reminder, infiltrate, monitor, computer system without authorization is a crime

$ git clone https://github.com/k4m4/kickthemout.git

$ cd kickthemout

$ pip install -r requirements.txt

root@workstation:~/utilities# ./auto_priv_exploit.sh 
[*] Usage: ./auto_priv_exploit.sh VERSION_OF_KERNEL
root@workstation:~/utilities# ls
auto_priv_exploit.sh
root@workstation:~/utilities# ./auto_priv_exploit.sh 2.6
[*] Possible Exploit

Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit                                           | /linux/local/895.c
Linux Kernel 2.4 / 2.6 - bluez Local Root Privilege Escalation Exploit (3)                                         | /linux/local/926.c
Postfix <= 2.6-20080814 - (symlink) Local Privilege Escalation Exploit                                             | /linux/local/6337.sh
Linux Kernel < 2.6.29 - exit_notify() Local Privilege Escalation Exploit                                           | /linux/local/8369.sh
Linux Kernel 2.6 - UDEV Local Privilege Escalation Exploit                                                         | /linux/local/8478.sh
Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit                                                   | /linux/local/8572.c
Linux Kernel 2.6.x - ptrace_attach Local Privilege Escalation Exploit                                              | /linux/local/8673.c
Linux Kernel <= 2.6.34-rc3 ReiserFS xattr - Privilege Escalation                                                   | /linux/local/12130.py
Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit                                                   | /linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 - x86_64 ia32syscall Emulation Privilege Escalation                                 | /linux/local/15023.c
Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation                                               | /linux/local/15285.c
Linux Kernel <= 2.6.37 - Local Privilege Escalation                                                                | /linux/local/15704.c
Linux Kernel < 2.6.37-rc2 - ACPI custom_method Privilege Escalation                                                | /linux/local/15774.c
Linux Kernel 2.6.34 - CAP_SYS_ADMIN x86 - Local Privilege Escalation Exploit                                       | /linux/local/15916.c
Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2)                           | /linux/local/15944.c
Linux Kernel < 2.6.36.2 - Econet Privilege Escalation Exploit                                                      | /linux/local/17787.c
Linux Kernel 2.6.17 - Sys_Tee Local Privilege Escalation Vulnerability                                             | /linux/local/29714.txt
Linux Kernel 2.6.x - Ptrace Local Privilege Escalation Vulnerability                                               | /linux/local/30604.c
Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation Vulnerability (1)                                         | /linux/local/33321.c
Linux Kernel 2.6.x - pipe.c Local Privilege Escalation Vulnerability (2)                                           | /linux/local/33322.c
Linux Kernel 2.6.x - Ext4 - 'move extents' ioctl Local Privilege Escalation Vulnerability                          | /linux/local/33395.txt
Linux Kernel 2.6.x - 'fasync_helper()' Local Privilege Escalation Vulnerability                                    | /linux/local/33523.c
[*] Do you wish to download all the exploit script to current directory and compile if possible?
1) Yes
2) No
#? 1
[*] The base directory is /usr/share/exploitdb/platforms
[*] Do you wish to compile all the exploit script written in C?
1) Yes
2) No
#? 1
**************************************************

[*] Successfully Compiled 9 executable located in linux_2.6
[*] Do you want to make a tar ball of the linux_2.6? (For convinient file transfer)
1) Yes
2) No
#? 1
[*] Auto Privilege Exploit Summary
C file in /root/utilities/linux_2.6 has 16 files
Python file in /root/utilities/linux_2.6 has 1 files
Perl file in /root/utilities/linux_2.6 has 0 files
Ruby file in /root/utilities/linux_2.6 has 0 files
TXT file in /root/utilities/linux_2.6 has 2 files

usage: davscan.py [-h] -H HOST [-p PORT] [-a AUTH] [-u USER] [-P PASSWORD] [-o OUTFILE] [-d ] [-m ]
-H HOST, --host HOST hostname or IP address of web server; -h foo.com
optional arguments:
-h, --help show this help message and exit
-p PORT, --port PORT port to connect to the host on (defaults to port 80); -p 80
-a AUTH, --auth AUTH Basic authentication required; -a basic
-u USER, --user USER user; -u derp
-P PASSWORD, --password PASSWORD password for user; -P 'hunter2'
-o OUTFILE, --out OUTFILE output file. defaults to /tmp/davout; -o /foo/bar
-d, --no-dos exclude DoS results from searchploit.
-m, --no-msf exclude MSF modules from results.

HTTP editor, fuzzer and sniffer tools help pen testers identify vulnerabilities

“Acunetix has for the past decade been an excellent resource in the pentester’s tool kit. Prior to Acunetix v11, these Manual Pen Testing Tools were only available to Acunetix Customers. By releasing our manual tools separately, we aim to facilitate veteran testers as well as up and coming security researchers by making it easy to manually test web applications for logical flaws among others,” added Nicholas Sciberras, CTO, Acunetix.

Download the FREE Manual Pen Testing Tools

usage: java -jar cba-cli.jar [OPTIONS] -a DIRECTORY_TO_ANALYZE
 -a,--analyze <pathToAnalyze>    Path of the directory to run the
                                 analysis.
-c,--checks <checks...>          Space separated list of custom checks
                                 that are going to be run in the analysis.
 -f,--custom-file <customFile>   Specify a file in JSON format to run
                                 custom rules. Read more in GitHub.
 -h,--help                       Print this message.
 -i,--items-report <maxItems>    Max number of items per report. If the
                                 number of issues found exceeds this
                                 value, the report will be split into
                                 different files. Useful if expecting too
                                 many issues in the report. Default: 500.
 -o,--output <outputDir>         Directory to save the report. Warning -
                                 if there are already saved reports in
                                 this directory they will be overwritten.
                                 Default is "report".
 -v,--verbose-debug              Increase verbosity to debug mode.
 -vv,--verbose-trace             Increase verbosity to trace mode.

• rules : array(rule)
  • name : string
  • interfaces : array(string)
  • superClass : string
  • methods : array(method)
    • name : string
    • visibility : [public|protected|private]
    • parameter : string (only one parameter is supported at the moment)
    • report : boolean (default: true)
  • invocations : array(invocation)
    • owner : string
    • method : method
      • name : string
      • visibility : [public|protected|private]
      • parameter : string (only one parameter is supported at the moment)
    • notFrom : method
      • name : string
      • visibility : [public|protected|private]
      • parameter : string (only one parameter is supported at the moment)
    • from : method
      • name : string
      • visibility : [public|protected|private]
      • parameter : string (only one parameter is supported at the moment)
    • report : boolean (default:true)

{
    "rules": [{
        "name": "Custom deserialization",
        "methods": [{
            "name": "readObject",
            "visibility": "private",
            "parameter": "java.io.ObjectOutputStream"
        }]
    }]
}

{
    "rules": [{
        "name": "Custom serialization and deserialization",
        "methods": [{
            "name": "readObject",
            "visibility": "private",
            "parameter": "java.io.ObjectOutputStream"
        },{
            "name": "writeObject",
            "report": "false",
            "visibility": "private",
            "parameter": "java.io.ObjectOutputStream"
        }]
    }]
}

{
    "rules": [{
        "name": "Method definitions",
        "methods": [{
        }]
    }]
}

{
    "rules": [{
        "name": "String equals",
        "invocations": [{
            "owner": "java.lang.String",
            "method": {
                "name": "equals"
            }
        }]
    }]
}

{
    "rules": [{
        "name": "Method invocation by reflection",
        "invocations": [{
            "owner": "java.lang.reflect.Method",
            "method": {
                "name": "invoke"
            }
        }]
    }]
}

ObjectInputStream in = new ObjectInputStream(fileInputStream);
Object o = in.readObject();

{
    "rules": [{
        "name": "Deserialization usage",
        "invocations": [{
            "owner": "java.io.ObjectInputStream",
            "method": {
                "name": "readObject"
            },
            "notFrom": {
                "name": "readObject",
                "visibility": "private",
                "parameter": "java.io.ObjectInputStream"
            },
            "report": true
        }]
    }]
}

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
      Object o = in.readObject();
}

public Object deserializeObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
      Object o = in.readObject();
      return o;
}

{
        "rules": [{
                "name": "Java servlets",
                "superClass" : "javax.servlet.http.HttpServlet"
        }]
}

{
        "rules": [{
                "name": "X509TrustManager implementations",
                "interfaces" : ["javax.net.ssl.X509TrustManager"]
        }]
}

{
    "rules": [{
        "name": "Custom deserialization",
        "methods": [{
            "name": "readObject",
            "visibility": "private",
            "parameter": "java.io.ObjectOutputStream"
        }]
    },{
        "name": "Method invocation by reflection",
        "invocations": [{
            "owner": "java.lang.reflect.Method",
            "method": {
                "name": "invoke"
            }
        }]
    }]
}

java -jar cba-cli-<version>.jar -a /path/with/jars -f /path/with/json/file/rules.json

java -jar cba-cli-<version>.jar -a /path/with/jars -c DeserializationCheck

java -jar cba-cli-<version>.jar -a /path/with/jars -c DeserializationCheck InvokeMethodCheck CustomDeserializationCheck YourCustomRule

java -jar cba-cli-<version>.jar -a /path/with/jars -f /path/with/json/file/rules.json -c YourCustomRule1 YourCustomRule2

java -jar cba-cli-<version>.jar -a /path/with/jars -c YourCustomRule1 -v

java -jar cba-cli-<version>.jar -a /path/with/jars -c YourCustomRule1 -vv

git clone https://github.com/fergarrui/custom-bytecode-analyzer.git
cd custom-bytecode-analyzer
mvn clean package

                               __  _          
  ____  ____  ___  _________ _/ /_(_)   _____ 
 / __ \/ __ \/ _ \/ ___/ __ `/ __/ / | / / _ \
/ /_/ / /_/ /  __/ /  / /_/ / /_/ /| |/ /  __/
\____/ .___/\___/_/   \__,_/\__/_/ |___/\___/ 
    /_/ 

• pip install -r requirements.txt
• python operative.py

• how use fingerprint modules

• core/modules/cms_gathering
• core/modules/domain_search
• core/modules/email_to_domain
• core/modules/https_gathering
• core/modules/linkedin_search
• core/modules/reverse_ipdomain
• core/modules/search_db
• core/modules/waf_gathering
• core/modules/whois_domain
• core/modules/generate_email
• core/modules/viadeo_search

• import database in core/dbs/
• read table
• read columns
• search information with pattern