Channel: KitPloit - PenTest Tools!

Freedom Fighting - A collection of scripts which may come in handy during your freedom fighting activities


Freedom Fighting scripts
This repository contains scripts which may come in handy during your freedom fighting activities. It will be updated occasionally, when I find myself in need of something I can't find online. Everything here is distributed under the terms of the GPL v3 License.

nojail.py
A log cleaner which removes incriminating entries in:
  • /var/run/utmp, /var/log/wtmp, /var/log/btmp (controls the output of the who, w and last commands)
  • /var/log/lastlog (controls the output of the lastlog command)
  • /var/**/*.log (.log.1, .log.2.gz, etc. included)
  • Any additional file or folder designated by the user
Entries are deleted based on an IP address and/or associated hostname.
Special care is taken to avoid breaking file descriptors while tampering with logs. This means logs continue to be written to after they've been tampered with, making the cleanup a lot less conspicuous. All the work takes place in a tmpfs drive and any files created are wiped securely.
Warning: The script has only been tested on Linux and will not be able to clean UTMP entries on other Unix flavors.

Usage:
usage: nojail.py [-h] [--user USER] [--ip IP] [--hostname HOSTNAME]
                 [--verbose] [--check]
                 [log_files [log_files ...]]

Stealthy log file cleaner.

positional arguments:
  log_files             Specify any log files to clean in addition to
                        /var/**/*.log.

optional arguments:
  -h, --help            show this help message and exit
  --user USER, -u USER  The username to remove from the connexion logs.
  --ip IP, -i IP        The IP address to remove from the logs.
  --hostname HOSTNAME   The hostname of the user to wipe. Defaults to the rDNS
                        of the IP.
  --verbose, -v         Print debug messages.
  --check, -c           If present, the user will be asked to confirm each
                        deletion from the logs.
  --daemonize, -d       Start in the background and delete logs when the
                        current session terminates. Implies --self-delete.
  --self-delete, -s     Automatically delete the script after its execution.
By default, if no arguments are given, the script will try to determine the IP address to scrub based on the SSH_CONNECTION environment variable. Any entry matching the reverse DNS of that IP will be removed as well.

Basic example:
./nojail.py --user root --ip 151.80.119.32 /etc/app/logs/access.log --check
...will remove all entries for the user root where the IP address is 151.80.119.32 or the hostname is manalyzer.org. The user will also be prompted before deleting each record because of the --check option. Finally, the file /etc/app/logs/access.log will be processed in addition to all the default ones.
If folders are given as positional arguments (/etc/app/logs/ for instance), the script will recursively crawl them and clean any file with the .log extension (*.log.1, *.log.2.gz, etc. included).

Daemonizing the script
./nojail.py --daemonize
Assuming this is run from an SSH connection, this command will delete all logs pertaining to the current user's activity with the detected IP address and hostname right after the connection is closed. The script will then automatically delete itself. Please bear in mind that you won't have any opportunity to receive error messages from the application. You are encouraged to try deleting the logs once before spawning the daemon to make sure that the arguments you specified are correct.

Sample output:
root@proxy:~# ./nojail.py
[ ] Cleaning logs for root (XXX.XXX.XXX.XXX - domain.com).
[*] 2 entries removed from /var/run/utmp!
[*] 4 entries removed from /var/log/wtmp!
[ ] No entries to remove from /var/log/btmp.
[*] Lastlog set to 2017-01-09 17:12:49 from pts/0 at lns-bzn-37-79-250-104-19.adsl.proxad.net
[*] 4 lines removed from /var/log/nginx/error.log!
[*] 11 lines removed from /var/log/nginx/access.log!
[*] 4 lines removed from /var/log/auth.log!

Disclaimer
This script is provided without any guarantees. Don't blame me if it doesn't wipe all traces of something you shouldn't have done in the first place.

share.sh
A portable and secure file sharing script. While freedom fighting, it is generally not possible to scp files into compromised machines. Alternate ways to upload files are needed, but most sharing services are either too restrictive or do not provide a way to retrieve files easily from the command line. Security considerations may also prevent people from uploading sensitive files to cloud providers for fear that they will keep a copy of it forever.
This small and portable bash script relies on transfer.sh to solve that problem. It...
  • Encrypts files before uploading them (symmetric AES-256-CBC).
  • Automatically uses torify if it is present on the system for increased anonymity.
The only dependencies needed are openssl and either curl or wget.

Usage
root@proxy:~# ./share.sh ~/file_to_share "My_Secure_Encryption_Key!"
Success! Retrieval command: ./share.sh -r file_to_share "My_Secure_Encryption_Key!" https://transfer.sh/BQPFz/28239
root@proxy:~# ./share.sh -r file_to_share "My_Secure_Encryption_Key!" https://transfer.sh/BQPFz/28239
File retrieved successfully!
Additional arguments during the upload allow you to control the maximum number of downloads allowed for the file (-m) and how many days transfer.sh will keep it (-d). The default value for both these options is 1.
Warning: Do not use spaces in the encryption key, or only the first word of your passphrase will be taken into account. This is due to the way getopts handles arguments (I think). Pull requests are welcome if anyone is interested in fixing this.
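The following is an added example, not share.sh itself: a POSIX sh getopts loop in the shape the script's usage implies (-r for retrieval, -m and -d for the transfer.sh limits, then the file and the passphrase as positional arguments) that keeps a multi-word passphrase intact. The option letters and the function name parse_share_args are assumptions for the illustration; the point is that every expansion ("$OPTARG", "$1", "$2") is quoted, so the shell never re-splits the passphrase on spaces.

```sh
#!/bin/sh
# Added example (not share.sh): getopts argument handling that preserves a
# passphrase containing spaces.  Option letters are assumed for illustration.
parse_share_args() {
    mode=upload
    max_downloads=1
    keep_days=1
    OPTIND=1                      # reset so the function can be called repeatedly
    while getopts "rm:d:" opt; do
        case "$opt" in
            r) mode=retrieve ;;
            m) max_downloads="$OPTARG" ;;   # quoted: keeps OPTARG verbatim
            d) keep_days="$OPTARG" ;;
            *) return 1 ;;
        esac
    done
    shift $((OPTIND - 1))         # drop the parsed options, keep positionals
    file="$1"
    passphrase="$2"               # quoted: "two word passphrase" stays one value
    # Emit the parsed values one per line; the passphrase comes last, verbatim.
    printf '%s\n%s\n%s\n%s\n%s\n' \
        "$mode" "$max_downloads" "$keep_days" "$file" "$passphrase"
}

# Demonstration call: the fifth output line is the untouched passphrase.
parse_share_args -m 2 -d 3 file_to_share "two word passphrase"
```

When the wrapper hands the passphrase to openssl, prefer `-pass env:VAR` or `-pass file:PATH` over `-pass pass:...`: a passphrase placed on the openssl command line is visible to every local user in the process list for as long as the encryption runs.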

autojack.py
AutoJack is a short script leveraging EmptyMonkey's shelljack to log the terminal of any user connecting through SSH. It watches auth.log for successful connections, figures out the PID of the user's bash process, and leaves the rest to shelljack.
Launch it in a screen, and wait until other users log-in. Their session will be logged to /root/.local/sj.log.[user].[timestamp].
The script is not particularly stealthy (no attempt is made to hide the shelljack process) but it will get the job done. Note that to avoid self-incrimination, the root user is not targeted (this can be trivially commented out in the code).



WarChild - Denial of Service Testing Suite


Warchild is a denial of service testing suite made for analysing how well your website stands up to the different kinds of denial of service attacks it will face, which are mainly organised by crooks to cause damage to your website.


Installation
For Installing the required modules just run the following command in your terminal :) 

pip install -r requirements.txt

Use
python warchild.py

Overview
This Denial Of Service suite comprises the following features:
  1. CloudBust :- CloudBust, a.k.a. AETHON, is a Cloudflare resolver that checks a Cloudflare-protected website for a misconfigured DNS setup; it basically uses dnsdumpster.com as its resolver :) and identifies the backend IP of the website. We will add more updates in the upcoming time.

  2. HTTP Flood :- HTTP Flood is a type of Denial of Service attack in which the attacker sends unwanted HTTP GET and POST requests in order to attack a web server or application. In an HTTP flood, HTTP clients such as web browsers interact with an application or server to send HTTP requests. The aim of the attack is to compel the server to allocate as many resources as possible to serving the attack, thus denying legitimate users access to the server's resources. ALISA is an HTTP DoS tool written to exhaust all of the website's resources and is a layer 7 DoS tool.


  3. TCP SYN Flood :- A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

  4. UDP Flood :- A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

Author
Souhardya Sardar is an independent security analyst and programmer who loves to break things in order to secure them. Github :- github.com/Souhardya


scanless - Public Port Scan Scrapper


Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.

scanless (adj): lacking respectable morals. That girl is scanless!

Public Port Scanners

Usage
Requires the requests and bs4 libraries to run, install with pip.
$ python scanless.py --help
usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

scanless, public port scan scrapper

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        ip or domain to scan
  -s SCANNER, --scanner SCANNER
                        scanner to use (default: yougetsignal)
  -l, --list            list scanners
  -a, --all             use all the scanners

$ python scanless.py --list
Scanner Name | Website
---------------|------------------------------
yougetsignal | http://www.yougetsignal.com
viewdns | http://viewdns.info
hackertarget | https://hackertarget.com
ipfingerprints | http://www.ipfingerprints.com
pingeu | http://ping.eu

$ python scanless.py -s viewdns -t scanme.nmap.org
Running scanless...

------- viewdns -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios
143/tcp closed imap
443/tcp closed https
445/tcp closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

$ python scanless.py -a -t scanme.nmap.org
Running scanless...

------- yougetsignal -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
110/tcp closed pop3
115/tcp closed sftp
135/tcp closed msrpc
139/tcp closed netbios
143/tcp closed imap
194/tcp closed irc
443/tcp closed https
445/tcp closed smb
1433/tcp closed mssql
3306/tcp closed mysql
3389/tcp closed rdp
5632/tcp closed pcanywhere
5900/tcp closed vnc
6112/tcp closed wc3
----------------------------

------- viewdns -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios
143/tcp closed imap
443/tcp closed https
445/tcp closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

------- hackertarget -------
tarting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.065s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.05 second
----------------------------

------- ipfingerprints -------
Host is up (0.16s latency).
Not shown: 484 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp filtered rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 10 hops
------------------------------

------- pingeu -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
139/tcp closed netbios
443/tcp closed https
445/tcp closed smb
3389/tcp closed rdp
----------------------
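The transcripts above show the reason to run more than one scanner: the services do not agree (ipfingerprints reports 139/tcp and 445/tcp as filtered where yougetsignal and viewdns report them closed, and hackertarget returns raw Nmap output with a VERSION column). When you use these services to check what your own perimeter looks like from outside, the useful step is to normalise each block and diff the results. The block below is an added example, not part of scanless: it parses the `------- name -------` sections and the `PORT STATE SERVICE` lines into one structure, lists the ports every scanner agrees are open, and lists the ports on which scanners disagree. The sample transcript is constructed from the output shown on the page.

```python
"""Added example (not part of scanless): parse scanless -a output and
compare what the different public scanners reported."""
import re

HEADER_RE = re.compile(r"^-+ (\S+) -+$")          # "------- viewdns -------"
CLOSER_RE = re.compile(r"^-{3,}$")                 # trailing dashes only
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")


def parse_scanless(text):
    """Return {scanner: {"22/tcp": (state, service), ...}}.
    Lines that are not port rows (Nmap banners, latency, OS guesses)
    are ignored, so hackertarget's Nmap output parses like the others."""
    results, scanner = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            scanner = m.group(1)
            results[scanner] = {}
            continue
        if scanner is None:
            continue
        if CLOSER_RE.match(line):
            scanner = None
            continue
        m = PORT_RE.match(line)
        if m:
            results[scanner]["%s/%s" % (m.group(1), m.group(2))] = (m.group(3), m.group(4))
    return results


def _port_number(port):
    return int(port.split("/")[0])


def port_matrix(results):
    """Pivot to {port: {scanner: state}} so ports can be compared."""
    matrix = {}
    for scanner, ports in results.items():
        for port, (state, _service) in ports.items():
            matrix.setdefault(port, {})[scanner] = state
    return matrix


def consensus_open(results):
    """Ports that every scanner which reported them marked open."""
    return sorted((p for p, s in port_matrix(results).items()
                   if set(s.values()) == {"open"}), key=_port_number)


def disagreements(results):
    """[(port, {scanner: state})] for ports whose reported state differs."""
    out = [(p, dict(sorted(s.items()))) for p, s in port_matrix(results).items()
           if len(set(s.values())) > 1]
    return sorted(out, key=lambda item: _port_number(item[0]))


# Constructed sample, abridged from the scanless -a transcript on the page.
SAMPLE_OUTPUT = """\
Running scanless...

------- yougetsignal -------
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp closed netbios
445/tcp closed smb
----------------------------

------- hackertarget -------
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
445/tcp closed microsoft-ds
----------------------------

------- ipfingerprints -------
Host is up (0.16s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
------------------------------
"""

if __name__ == "__main__":
    parsed = parse_scanless(SAMPLE_OUTPUT)
    print("open everywhere:", consensus_open(parsed))
    for port, states in disagreements(parsed):
        print("disagreement on %s: %s" % (port, states))
```

A "filtered" verdict from one vantage point and "closed" from another usually means a firewall rule that depends on the source network, which is exactly the kind of detail a single scan from your own address would not reveal.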


Mimir - OSINT Threat Intel Interface


OSINT Threat Intel Interface - Named after the old Norse God of knowledge.
Mimir functions as a CLI to HoneyDB, which in short is an OSINT aggregative threat intel pool. Starting the program brings you to a menu, the options for which are as follows.
1. Fetch Threat Feed
2. Fetch Bad Host List
3. Perform WHOIS Lookup
4. Invoke Nmap Scan
5. Visualize Top Malicious Hosts in Browser
6. Visualize Top Targeted Services in Browser
7. Visualize Results for Single Host in Browser
8. Quit
The purpose of this tool is to make intelligence gathering easier by including functionality to save the Threat Feed and Bad Host lists, and invoke either an in-script WHOIS lookup or Nmap scan to learn more about the target hosts. Logs are saved in the current working directory for future reference and further processing.
HoneyDB provides a data visualization service; this can be accessed via Mimir by selecting the respective options. Selenium will then employ the Geckodriver to open the pages.

Dependencies
pycurl
selenium
blessings
ipwhois
pprint
And the Mozilla Geckodriver

Update
Some versions of PyCurl work better with some versions of SSL than others. This is important because HoneyDB makes use of OpenSSL and having a version that does not support it makes Mimir incompatible with honeyDB. To that end I have added some logic that lets Mimir detect your version of PyCurl and automatically rebuild it from source to a version that does support OpenSSL. It does so by invoking the rebuild.sh shell script that is included in this repo.


WiFi-Pumpkin v0.8.5 - Framework for Rogue Wi-Fi Access Point Attack


WiFi-Pumpkin is a very complete framework for auditing Wi-Fi security. The main feature is the ability to create a fake AP and perform a Man-in-the-Middle attack, but the list of features is quite broad.

Installation
  • Python 2.7
git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
./installer.sh --install
or download the .deb file to install:
sudo dpkg -i wifi-pumpkin-0.8.5-all.deb
sudo apt-get -f install # force install dependencies if not install normally
Refer to the wiki for installation.

Features
  • Rogue Wi-Fi Access Point
  • Deauth Attack Clients AP
  • Probe Request Monitor
  • DHCP Starvation Attack
  • Credentials Monitor
  • Transparent Proxy
  • Windows Update Attack
  • Phishing Manager
  • Partial Bypass HSTS protocol
  • Support beef hook
  • ARP Poison
  • DNS Spoof
  • Patch Binaries via MITM
  • Karma Attacks (support hostapd-mana)
  • LLMNR, NBT-NS and MDNS poisoner (Responder)
  • Pumpkin-Proxy (ProxyServer (mitmproxy API))
  • Capture images on the fly
  • TCP-Proxy (with scapy)

Plugins
Plugin          Description
dns2proxy       This tool offers different features for post-exploitation once you change the DNS server of a victim.
sslstrip2       Sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks; this version is based on the fork by @LeonardoNve/@xtr4nge.
sergio-proxy    Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
BDFProxy-ng     Patch Binaries via MITM: BackdoorFactory + mitmProxy. bdfproxy-ng is a fork and review of the original BDFProxy by @secretsquirrel.
Responder       Responder is an LLMNR, NBT-NS and MDNS poisoner. Author: Laurent Gaffie

Transparent Proxy



A transparent proxy (mitmproxy) that you can use to intercept and manipulate HTTP traffic, modifying requests and responses, which allows you to inject JavaScript into the pages the targets visit. You can easily implement a module to inject data into pages by creating a Python file in the directory "plugins/extension/"; it will automatically be listed on the Pumpkin-Proxy tab.

Plugins Example Dev
from mitmproxy.models import decoded  # for decoding the HTML content
from plugins.extension.plugin import PluginTemplate


class Nameplugin(PluginTemplate):
    meta = {
        'Name': 'Nameplugin',
        'Version': '1.0',
        'Description': 'Brief description of the new plugin',
        'Author': 'by dev'
    }

    def __init__(self):
        for key, value in self.meta.items():
            self.__dict__[key] = value
        # if you want to set arguments, refer to the wiki for more info.
        self.ConfigParser = False  # no arguments required

    def request(self, flow):
        print flow.__dict__
        print flow.request.__dict__
        print flow.request.headers.__dict__  # request headers
        host = flow.request.pretty_host  # get the domain of the request on the fly
        versionH = flow.request.http_version  # get the HTTP version

        # redirect domains example
        # pretty_host takes the "Host" header of the request into account
        if flow.request.pretty_host == "example.org":
            flow.request.host = "mitmproxy.org"

        # get all request headers example
        self.send_output.emit("\n[{}][HTTP REQUEST HEADERS]".format(self.Name))
        for name, value in flow.request.headers.iteritems():
            self.send_output.emit('{}: {}'.format(name, value))

        print flow.request.method  # show the request method
        # the model printer data
        self.send_output.emit('[NamePlugin]:: this is model for save data logging')

    def response(self, flow):
        print flow.__dict__
        print flow.response.__dict__
        print flow.response.headers.__dict__  # headers converted to a python dict
        print flow.response.headers['Content-Type']  # get content type

        # every HTTP response before it is returned to the client
        with decoded(flow.response):
            print flow.response.content  # HTML content
            # str.replace returns a new string, so the result must be assigned back
            flow.response.content = flow.response.content.replace('</body>', '<h1>injected</h1></body>')

        if "X-XSS-Protection" in flow.response.headers:
            del flow.response.headers["X-XSS-Protection"]  # remove protection header

        flow.response.headers["newheader"] = "foo"  # adds a new header
        # and the new header will be added to all responses passing through the proxy

About plugins
plugins on the wiki

TCP-Proxy Server
A proxy that you can place in the middle of a TCP stream. It filters the request and response streams (with the scapy module) and actively modifies packets of a TCP protocol that get intercepted by WiFi-Pumpkin. This plugin uses modules to view or modify the intercepted data; the easiest possible implementation of a module is to add your custom module under "plugins/analyzers/", and it will automatically be listed on the TCP/UDP Proxy tab.
from scapy.all import *
from scapy_http import http  # for the HTTP layer
from default import PSniffer  # base plugin class


class ExamplePlugin(PSniffer):
    _activated = False
    _instance = None
    meta = {
        'Name': 'Example',
        'Version': '1.0',
        'Description': 'Brief description of the new plugin',
        'Author': 'your name',
    }

    def __init__(self):
        for key, value in self.meta.items():
            self.__dict__[key] = value

    @staticmethod
    def getInstance():
        if ExamplePlugin._instance is None:
            ExamplePlugin._instance = ExamplePlugin()
        return ExamplePlugin._instance

    def filterPackets(self, pkt):  # (pkt) object, in order to modify the data on the fly
        if pkt.haslayer(http.HTTPRequest):  # filter only HTTP requests

            http_layer = pkt.getlayer(http.HTTPRequest)  # HTTP fields as a dict
            ip_layer = pkt.getlayer(IP)  # IP header fields as a dict

            print http_layer.fields['Method']  # show the HTTP request method
            # show every item in the HTTP request headers
            for item in http_layer.fields['Headers']:
                print('{} : {}'.format(item, http_layer.fields['Headers'][item]))

            print ip_layer.fields['src']  # show source IP address
            print ip_layer.fields['dst']  # show destination IP address

            print http_layer  # show the layer as a dict
            print ip_layer  # show the layer as a dict

            return self.output.emit({'name_module': 'send output to tab TCP-Proxy'})


Pwntools - CTF Framework And Exploit Development Library


pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
from pwn import *
context(arch = 'i386', os = 'linux')

r = remote('exploitme.example.com', 31337)
# EXPLOIT CODE GOES HERE
r.send(asm(shellcraft.sh()))
r.interactive()

Documentation
Our documentation is available at docs.pwntools.com
To get you started, we've provided some example solutions for past CTF challenges in our write-ups repository.

Installation
pwntools is best supported on 64-bit Ubuntu 12.04 and 14.04, but most functionality should work on any Posix-like distribution (Debian, Arch, FreeBSD, OSX, etc.). Python 2.7 is required.
Most of the functionality of pwntools is self-contained and Python-only. You should be able to get running quickly with
apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools
However, some of the features (assembling/disassembling foreign architectures) require non-Python dependencies. For more information, see the complete installation instructions here.



NETATTACK 2 - An Advanced Wireless Network Scan and Attack Script Based on GUI


NETATTACK 2 is a python script that scans and attacks local and wireless networks. Everything is super easy because of the GUI that makes it unnecessary to remember commands and parameters.

FUNCTIONS

SCAN-FUNCTIONS
  • Scan for Wi-Fi networks
  • Scan for local hosts in your network

ATTACK-FUNCTIONS
  • Deauthing ONE / MULTIPLE targets
  • Deauthing every AP in your area
  • Kicking (ALL) user/s off your internet ( ARP-Poisoning )

REQUIREMENTS
LINUX!
  • nmap
  • argparse (Python)
  • scapy (Python)
  • iw

BruteSpray - Brute-Forcing from Nmap output (Automatically attempts default creds on found services)


BruteSpray takes nmap GNMAP output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.

Usage
First do an nmap scan with '-oA nmap.gnmap'.
Command: python brutespray.py -h
Example: python brutespray.py --file nmap.gnmap --services all --threads 3 --hosts 5

Supported Services
  • ssh
  • ftp
  • telnet
  • vnc
  • mssql
  • mysql
  • postgresql
  • rsh
  • imap
  • nntp
  • pcanywhere
  • pop3
  • rexec
  • rlogin
  • smbnt
  • smtp
  • snmp
  • svn
  • vmauthd


Pybelt - The Hackers Tool Belt

Pybelt is an open source hackers tool belt complete with:
  • A port scanner
  • SQL injection scanner
  • Dork checker
  • Hash cracker
  • Hash type verification tool
  • Proxy finding tool
  • XSS scanner
It is capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.

Screenshots
SQL Injection scanning made easy, just provide a URL and watch it work

Dork checker, have some Dorks you're not sure of? Go ahead and run the Dork check with the Dork as an argument, it will pull 100 URLs and give you success rate for the Dork

Hash cracking made simple, provide the hash type at the end ":md5, :sha256, etc" for a specific hash, or ":all" for all algorithms available on your machine

And many more!

Usage

Installation
You can either clone the repository
git clone https://github.com/ekultek/pybelt.git
or download the latest release as a zip/tar ball here
Once you have the program installed cd into the directory and run the following command:
pip install -r requirements.txt
This will install all of the program's needed libraries, and it should be able to be run from there.

Functionality
python pybelt.py -p 127.0.0.1
Will run a port scan on your local host
python pybelt.py -s http://example.com/php?id=2
Will run a SQLi scan on the given URL
python pybelt.py -d idea?id=55
Will run a Dork check on the given Google Dork
python pybelt.py -c 9a8b1b7eee229046fc2701b228fc2aff:all
Will attempt to crack the hash using all algorithms available on the computer
python pybelt.py -v 098f6bcd4621d373cade4e832627b4f6
Will try to verify the hash type
python pybelt.py -f
Will find usable proxies
python pybelt.py -x http://127.0.0.1/php?id=1
Will search the URL for XSS vulnerability


Major Update of Acunetix Online

Acunetix Online has undergone a mammoth update, now enjoying all the features and benefits found in Acunetix On Premise, including: Integrated vulnerability management, greater manageability of threats and targets and the integration of popular WAFs and Issue Tracking systems. Acunetix Online also features a brand new UI for greater ease-of-use and manageability.

New web-based user interface

The user interface has been re-designed with a fresh new look, bringing it inline with Acunetix On Premise. The Acunetix Online UI is designed to make it easier for customers to use, by focusing on the core functionality of the product, introducing filtering options, and improving manageability of Targets.
  • All lists can be filtered (Targets, Scans, Vulnerabilities and Reports).
  • Increased configuration options (Excluded Hours, Excluded Paths, custom User Agent strings, client certificates and more).
  • Pre-seed crawls using a list of URLs, Acunetix Sniffer Log, Fiddler SAZ files, Burp Suite saved and state files, and HTTP Archive (HAR) files.

Targets and Vulnerabilities configured by business criticality

Business Criticality can now be assigned to Targets, enabling customers to immediately identify and address vulnerabilities on critical servers.
  • Vulnerabilities identified on all Targets are shown in one list
  • Vulnerability list can be filtered by Target, Business Criticality, Vulnerability, Vulnerability Status and CVSS.
  • Vulnerability can be grouped by Target Business Criticality and Vulnerability Severity.

Integration with popular WAFs and Issue Tracking Systems

Vulnerabilities can now be exported to one of the supported WAFs (F5 Big-IP ASM, Fortinet FortiWeb and Imperva SecureSphere). This allows the user to implement a virtual patch in the WAF, until a fix addressing the vulnerability is installed. Scan results can also be exported to the Acunetix generic XML for integration with other WAFs or 3rd party systems.
Acunetix Online also supports exporting vulnerabilities to either Atlassian JIRA, GitHub or Microsoft Team Foundation Server (TFS), allowing development teams to better keep track of vulnerabilities in their issue tracking systems.

Mark Vulnerabilities as Fixed or False Positives

With the ability to mark vulnerabilities as False Positive, Fixed or Ignored, users can now get rid of false positives from upcoming scans and reports, while any fixed vulnerabilities that Acunetix identifies again will be shown as Rediscovered. The user is given the option of accepting the risk of a vulnerability by marking it as Ignored.

Custom Scan Types

Apart from using the default Scan Types included in Acunetix, Acunetix Online users are now able to choose which specific vulnerabilities to scan for. This is made possible through the creation of Custom Scan Types. For example, a Custom Scan Type can be created to scan Targets for a recently discovered vulnerability.

Enhanced Reporting

Acunetix Online now allows reports to be generated on:
  • Individual or multiple Scans,
  • Individual or multiple Targets,
  • Individual, multiple or all the Vulnerabilities identified by Acunetix.
There is also the introduction of a Scan Comparison report which highlights the differences between 2 scans, allowing the user to easily identify the new vulnerabilities in the latest scans, or the vulnerabilities that have not been detected, which could mean that they are fixed. Reports are now available in both PDF and HTML.

Network Security Scanning

Acunetix Online provides a comprehensive perimeter network security scanning service by integrating with the latest OpenVAS network vulnerability scanning engine (v9). Acunetix Online can now detect in excess of 50,000 network vulnerabilities.

Added functionality for Acunetix Integrators

Acunetix have added a new API that may be used by system integrators, exposing all the functionality available in Acunetix. The API is able to provide up-to-the-minute status of on-going scans together with information on vulnerabilities identified for these scans.


XSS'OR - Hack with JavaScript


XSS'OR is a free online tool for hacking with JavaScript.

It contains three major modules:
1. Encode/Decode
The Encode/Decode module, including:
  • front-end encryption and decryption;
  • code compression, decompression, beautification, the implementation of testing;
  • character set conversion, hash generation;
  • and so on.

2. Codz
The Code module, including:
  • CSRF request code generation;
  • AJAX request code generation;
  • XSS attack Vector;
  • XSS attack Payload;
  • and so on.
3. Probe
The Probe module: in order to keep things balanced, it is the most basic kind of probe, and each IP can generate one unique probe per day. You can use this probe for attack testing (such as XSS, phishing attacks, etc.). The probe collects basic information about the target user, and you can dynamically inject more commands (JavaScript Codz) for "remote control" testing.

Some user experience and privacy considerations:
In XSS'OR, even if your browser is accidentally closed or crashes, your records will not be lost, because the relevant records are cached locally in your browser. The server does not store any of your private data; the only exception is that the result records of the probe (only the result records) are temporarily cached for design reasons, and these are automatically cleared every day.


Whitewidow - SQL Vulnerability Scanner

Whitewidow is an open source automated SQL vulnerability scanner, that is capable of running through a file list, or can scrape Google for potential vulnerable websites. It allows automatic file formatting, random user agents, IP addresses, server information, multiple SQL injection syntax, ability to launch sqlmap from the program, and a fun environment. This program was created for learning purposes, and is intended to teach users what vulnerability looks like.

Screenshots
Launching whitewidow displays the custom designed banner and begins searching for possible sites that could be vulnerable


Whitewidow is capable of finding vulnerabilities in websites by scraping Google using over 1,000 different queries that are carefully researched before being added. It also uses multiple different SQL injection approaches.




Whitewidow is also capable of spidering a single webpage for all available links; it will then search for vulnerabilities in all the links using the program's built-in file feature.


And when all is said and done, and you're sure that you've found some vulnerable sites, you can launch sqlmap from the program without the need of downloading another clone.


Basic Usage
ruby whitewidow.rb -d
    This will run whitewidow in default mode and scrape Google for possible sites using a random search query.
ruby whitewidow.rb -f path/to/file
    This will run whitewidow through a given file and add the SQL syntax to the URL.
ruby whitewidow.rb -h
    Will run the help flag along with showing the help menu.
For more information about usage and more flags you can checkout the wiki functionality page here.

Dependencies
  • gem 'mechanize'
  • gem 'nokogiri'
  • gem 'rest-client'
  • gem 'webmock'
  • gem 'rspec'
  • gem 'vcr'
To install all gem dependencies, follow the following template:
cd whitewidow
bundle install
This should install all gems needed, and will allow you to run the program without trouble.


Reconnoitre - A Security Tool For Multithreaded Information Gathering And Service Enumeration


A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst also creating a directory structure of results for each host, recommended commands to execute and directory structures for storing loot and flags.

Usage
This tool can be used and copied for personal use freely however attribution and credit should be offered to Mike Czumak who originally started the process of automating this work.
Argument                 Description
-h, --help               Display help message and exit
-t TARGET_HOSTS          Set either a target range of addresses or a single host to target. May also be a file containing hosts.
-o OUTPUT_DIRECTORY      Set the target directory where results should be written.
-w WORDLIST              Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks.
--dns DNS_SERVER         Optionally specify a DNS server to use with a service scan.
--pingsweep              Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts.
--dnssweep               Find DNS servers from the list of target(s).
--snmpsweep              Find hosts responding to SNMP requests from the list of target(s).
--services               Perform a service scan over the target(s) and write recommendations for further commands to execute.
--snmpwalk               SNMP walk target hosts and save results.
--hostnames              Attempt to discover target hostnames and write to hostnames.txt.
--quiet                  Suppress banner and headers and limit feedback to grepable results.
--execute                Execute shell commands from recommendations as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors.
--simple_exec            Execute only non-brute-forcing shell commands as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors.
--quick                  Move to the next target after performing a quick scan and writing first-round recommendations.

Usage Examples
Note that these are some examples to give you insight into potential use cases for this tool. Command lines can be added or removed based on what you wish to accomplish with your scan.

Scan a single host, create a file structure and discover services
python ./reconnoitre.py -t 192.168.1.5 -o /root/Documents/labs/ --services
An example output would look like:
root@kali:~/Documents/tools/reconnoitre/reconnoitre# python ./reconnoitre.py -t 192.168.1.5 --services -o /root/Documents/labs/
__
|"""\-= RECONNOITRE
(____) An OSCP scanner

[#] Performing service scans
[*] Loaded single target: 192.168.1.5
[+] Creating directory structure for 192.168.1.5
[>] Creating scans directory at: /root/Documents/labs/192.168.1.5/scans
[>] Creating exploit directory at: /root/Documents/labs/192.168.1.5/exploit
[>] Creating loot directory at: /root/Documents/labs/192.168.1.5/loot
[>] Creating proof file at: /root/Documents/labs/192.168.1.5/proof.txt
[+] Starting quick nmap scan for 192.168.1.5
[+] Writing findings for 192.168.1.5
[>] Found HTTP service on 192.168.1.5:80
[>] Found MS SMB service on 192.168.1.5:445
[>] Found RDP service on 192.168.1.5:3389
[*] TCP quick scan completed for 192.168.1.5
[+] Starting detailed TCP/UDP nmap scans for 192.168.1.5
[+] Writing findings for 192.168.1.5
[>] Found MS SMB service on 192.168.1.5:445
[>] Found RDP service on 192.168.1.5:3389
[>] Found HTTP service on 192.168.1.5:80
[*] TCP/UDP Nmap scans completed for 192.168.1.5
Which would also write the following recommendations file in the scans folder for each target:
[*] Found HTTP service on 192.168.1.50:80
[>] Use nikto & dirb / dirbuster for service enumeration, e.g
[=] nikto -h 192.168.1.50 -p 80 > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_nikto.txt
[=] dirb http://192.168.1.50:80/ -o /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirb.txt -r -S -x ./dirb-extensions/php.ext
[=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirbuster.txt -u http://192.168.1.50:80/
[=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://192.168.1.50:80/ -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_common.txt -t 50
[=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u http://192.168.1.50:80/ -s '200,204,301,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_cgis.txt -t 50
[>] Use curl to retreive web headers and find host information, e.g
[=] curl -i 192.168.1.50
[=] curl -i 192.168.1.50/robots.txt -s | html2text
[*] Found MS SMB service on 192.168.1.5:445
[>] Use nmap scripts or enum4linux for further enumeration, e.g
[=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/192.168.1.5/nmap/192.168.1.5_smb.nmap' -oX '/root/Documents/labs/192.168.1.5/scans/192.168.1.5_smb_nmap_scan_import.xml' 192.168.1.5
[=] enum4linux 192.168.1.5
[*] Found RDP service on 192.168.1.5:3389
[>] Use ncrackpassword cracking, e.g
[=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://192.168.1.5

Discover live hosts and hostnames within a range
python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --hostnames

Discover live hosts within a range and then do a quick probe for services
python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services --quick
This will scan all services within a target range to create a file structure of live hosts as well as write recommendations for other commands to be executed based on the services discovered on these machines. Removing --quick will do a further probe but will greatly lengthen execution times.

Discover live hosts within a range and then probe all ports (UDP and TCP) for services
python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services


Airachnid Burp Extension - A Burp Extension to test applications for vulnerability to the Web Cache Deception attack


A Burp extension to test applications for vulnerability to the Web Cache Deception attack.
Once the extension has been loaded, it can be accessed from the Target - Sitemap tab by right-clicking the resource that should be tested. A context-sensitive menu item called "Airachnid Web Cache Test" will be shown and can be used to conduct testing. If the resource is vulnerable, an Issue is created detailing the vulnerability.
The context sensitive menu item is also available for requests in the Proxy - Http History tab.

Installation
  • Download the Airachnid.jar file.
  • In Burp Suite open Extender tab. In Extensions tab, click Add button.
  • Choose downloaded jar file -> Next.
  • Check installation for no error messages.

Vulnerability
In February 2017, security researcher Omer Gil unveiled a new attack vector dubbed “Web Cache Deception” (https://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html).
The Web Cache Deception attack can have devastating consequences, but is very simple to execute:
  1. Attacker coerces victim to open a link on the valid application server containing the payload.
  2. Attacker opens newly cached page on the server using the same link, to see the exact same page as the victim.
Note: this attack only makes sense when the vulnerable resource available to the attacker returns sensitive data.
The attack depends on a very specific set of circumstances to make the application vulnerable:
1. The application only reads the first part of the URL to determine the resource to return.
If the victim requests:
https://www.example.com/my_profile
The application returns the victim profile page. The application uses only the first part of the URL to determine that the profile page should be returned. If the application receives a request for
https://www.example.com/my_profile_test
It would still return the profile page of the victim, disregarding the added text. The same applies for other URL like
https://www.example.com/my_profile/test
2. The application stack caches resources according to their file extensions, rather than by cache header values. If the application stack has been configured to cache image files, it will cache all resources with .jpg, .png or .gif extensions. That means that e.g. the image at
https://www.example.com/images/dog.jpg
Would be retrieved from the application server the first time the image is requested. All subsequent requests for the image are retrieved from cache, responding with the same resource that was initially cached (for as long as the cache timeout is set).

Attack
These preconditions can be exploited for the Web Cache Deception attack in the following manner:

Step 1: An attacker entices the victim to open a maliciously crafted link:
https://www.example.com/my_profile/test.jpg
  • The application ignores the 'test.jpg' part of the URL, the victim profile page is loaded.
  • The caching mechanism identifies the resource as an image, caching it.

Step 2: The attacker sends a GET request for the cached page:
https://www.example.com/my_profile/test.jpg
  • The cached resource, which is in fact the victim profile page, is returned to the attacker (and to anyone else requesting it).
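As an added example (not part of the Airachnid extension or the original write-up), the two preconditions modelled in Python: a constructed origin that routes on the first path segment only, an extension-based cache policy beside a header-based one, and the two-request sequence from the steps above run against each. All hostnames, paths and page bodies are constructed.

```python
"""Model of the Web Cache Deception preconditions (constructed example)."""
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = (".jpg", ".png", ".gif")


def lenient_app(path: str, user: str) -> dict:
    """Constructed origin: only the first path segment selects the resource,
    so /my_profile, /my_profile_test and /my_profile/test.jpg all return the
    signed-in user's profile (precondition 1)."""
    first = path.lstrip("/").split("/")[0]
    if first.startswith("my_profile"):
        return {"status": 200,
                "headers": {"Content-Type": "text/html"},
                "body": f"<h1>Profile of {user}</h1>"}
    if first == "images":
        return {"status": 200,
                "headers": {"Content-Type": "image/jpeg",
                            "Cache-Control": "public, max-age=3600"},
                "body": "<binary jpeg>"}
    return {"status": 404, "headers": {"Content-Type": "text/html"}, "body": "not found"}


def cache_by_extension(path: str, response: dict) -> bool:
    """Precondition 2: cache anything whose URL looks like an image,
    regardless of what the origin actually returned."""
    return path.lower().endswith(IMAGE_EXTENSIONS)


def cache_by_headers(path: str, response: dict) -> bool:
    """Hardened policy: cache only when the origin explicitly marks the
    response public, and only if the body type matches the extension."""
    cc = response["headers"].get("Cache-Control", "")
    directives = {d.strip().lower() for d in cc.split(",")}
    if "public" not in directives or "no-store" in directives or "private" in directives:
        return False
    ctype = response["headers"].get("Content-Type", "")
    if path.lower().endswith(IMAGE_EXTENSIONS) and not ctype.startswith("image/"):
        return False
    return True


class Cache:
    """Minimal shared cache in front of lenient_app, keyed by URL path."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}

    def fetch(self, url: str, user: str):
        """Return (response, served_from_cache)."""
        path = urlsplit(url).path
        if path in self.store:
            return self.store[path], True
        resp = lenient_app(path, user)
        if self.policy(path, resp):
            self.store[path] = resp
        return resp, False


def simulate(policy):
    """Victim opens the crafted link, then an anonymous client requests the
    same URL. Returns the body the second client sees and whether it was a
    cache hit."""
    cache = Cache(policy)
    link = "https://www.example.com/my_profile/test.jpg"
    cache.fetch(link, user="victim")
    resp, hit = cache.fetch(link, user="anonymous")
    return resp["body"], hit


if __name__ == "__main__":
    print("extension policy:", simulate(cache_by_extension))
    print("header policy:   ", simulate(cache_by_headers))
```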

Cameradar - An RTSP Surveillance Camera Access Multitool


Cameradar hacks its way into RTSP CCTV cameras

Cameradar allows you to:
  • Detect open RTSP hosts on any accessible target
  • Get their public info (hostname, port, camera model, etc.)
  • Launch automated dictionary attacks to get their stream route (for example /live.sdp)
  • Launch automated dictionary attacks to get the username and password of the cameras
  • Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
  • Try to create a Gstreamer pipeline to check if they are properly encoded
  • Print a summary of all the information Cameradar could get

And all of this in a single command line.
Of course, you can also call for individual tasks if you plug in a Database to Cameradar using the MySQL cache manager for example. You can create your own cache manager by following the simple example of the dumb cache manager.

Quick install
The quick install uses docker to build Cameradar without polluting your machine with dependencies and makes it easy to deploy Cameradar in a few commands. However, it may require networking knowledge, as your docker containers will need access to the cameras subnetwork.

Dependencies
The only dependencies are docker, docker-tools, git and make.

Five-step guide
  1. git clone https://github.com/EtixLabs/cameradar.git
  2. cd cameradar/deployment
  3. Tweak the conf/cameradar.conf.json as you need (see the configuration guide here for more information)
  4. docker-compose build ; docker-compose up
By default, the version of the package in the deployment should be the last stable release.
If you want to scan a different target or different ports, change the values CAMERAS_TARGET and CAMERAS_PORTS in the docker-compose.yml file.
The generated thumbnails will be in the cameradar_thumbnails folder after Cameradar has finished executing.
If you want to deploy your custom version of Cameradar using the same method, you should check the advanced docker deployment tutorial here.

Manual installation
The manual installation is recommended if you want to tweak Cameradar and quickly test your changes using CMake and running Cameradar from the command line. If you just want to use Cameradar, it is recommended to use the quick install instead.

Dependencies
To install Cameradar you will need these packages
  • cmake (cmake)
  • git (git)
  • gstreamer1.x (libgstreamer1.0-dev)
  • ffmpeg (ffmpeg)
  • boost (libboost-all-dev)
  • libcurl (libcurl4-openssl-dev)

Steps
The simplest way would be to follow these steps:
  1. git clone https://github.com/EtixLabs/cameradar.git
  2. cd cameradar
  3. mkdir build
  4. cd build
  5. cmake ..
  6. make
  7. cd cameradar_standalone
  8. ./cameradar -s the_target_you_want_to_scan

Output
For each camera, Cameradar will output these JSON objects:
{
"address" : "173.16.100.45",
"ids_found" : true,
"password" : "123456",
"path_found" : true,
"port" : 554,
"product" : "Vivotek FD9381-HTV",
"protocol" : "tcp",
"route" : "/live.sdp",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/127.0.0.1/1463735257.jpg",
"username" : "admin"
}

Check camera access
If you have VLC Media Player, you should be able to use the GUI to connect to the RTSP stream using this format: rtsp://username:password@address:port/route
With the above result, the RTSP URL would be rtsp://admin:123456@173.16.100.45:554/live.sdp
If you're still in your console, however, you can go even faster by using vlc from the command line: just run vlc rtsp://username:password@address:port/route with the camera's info in place of the placeholders.

Command line options
  • "-c" : Set a custom path to the configuration file (-c /path/to/conf)
  • "-s" : Set custom target(s) (overrides configuration): you can use this argument in many ways, using a subnet (e.g.: 172.16.100.0/24), a single IP (e.g.: 172.16.100.10), a range of IPs (e.g.: 172.16.100.10-172.16.100.20) or a mix of all those (e.g.: 172.17.100.0/24,172.16.100.10-172.16.100.20,0.0.0.0).
  • "-p" : Set custom ports (overrides configuration)
  • "-m" : Set number of threads (Default value : 1)
  • "-l" : Set log level
    • "-l 1" : Log level DEBUG
      • Will print everything including debugging logs
    • "-l 2" : Log level INFO
      • Prints every normal information
    • "-l 4" : Log level WARNING
      • Only prints warning and errors
    • "-l 5" : Log level ERROR
      • Only prints errors
    • "-l 6" : Log level CRITICAL
      • Doesn't print anything since Cameradar can't have critical failures right now, however you can use this level to debug your own code easily or if you add new critical layers
  • "-d" : Launch the discovery tool
  • "-b" : Launch the dictionary attack tool on all discovered devices
    • Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
  • "-t" : Generate thumbnails from detected cameras
    • Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
  • "-g" : Check if the stream can be opened with GStreamer
    • Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
  • "-v" : Display Cameradar's version
  • "-h" : Display this help
  • "--gst-rtsp-server" : Use this option if the attack does not seem to work (only detects the username but not the path, or the opposite). This option will switch the order of the attacks to prioritize path over credentials, which is the way priority is handled for cameras that use GStreamer's RTSP server.


Cangibrina - A Fast And Powerful Dashboard (Admin) Finder


Cangibrina is a multi-platform tool which aims to find the dashboard of sites using brute force over a wordlist, Google, nmap, and robots.txt.

Requirements:
  • Python 2.7
  • mechanize
  • PySocks
  • beautifulsoup4
  • html5lib
  • Nmap (--nmap)
  • TOR (--tor)

Install:
Linux
 git clone http://github.com/fnk0c/cangibrina.git
cd cangibrina
pip install -r requirements.txt

Usage
usage: cangibrina.py [-h] -u U [-w W] [-t T] [-v] [--ext EXT] [--user-agent]
[--tor] [--search] [--dork DORK] [--nmap [NMAP]]

Fast and powerful admin finder

optional arguments:
-h, --help show this help message and exit
-u U target site
-w W set wordlist (default: wl_medium)
-t T set threads number (default: 5)
-v enable verbose
--ext EXT filter path by target extension
--user-agent modify user-agent
--tor set TOR proxy
--search use google and duckduckgo to search
--dork DORK set custom dork
--nmap [NMAP] use nmap to scan ports and services

Examples
 python cangibrina.py -u facebook.com

python cangibrina.py -u facebook.com -v

python cangibrina.py -u facebook.com -w /root/diretorios.txt -t 10 -v

python cangibrina.py -u facebook.com --search -v

python cangibrina.py -u facebook.com --search --dork 'site:facebook.com inurl:login'

python cangibrina.py -u facebook.com -v --nmap

python cangibrina.py -u facebook.com -v --nmap 'sudo nmap -D 127.0.0.1 -F facebook.com'

python cangibrina.py -u facebook.com --user-agent

python cangibrina.py -u facebook.com --ext php

[IMPORTANT] THE DORK MUST BE WRITTEN BETWEEN QUOTES!
[Example] 'inurl:login.php'


Dagon - Advanced Hash Manipulation

Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.

Screenshots
Bruteforcing made easy with a built-in wordlist creator that is used if you do not specify a wordlist. The generated wordlist contains 100,000 strings.


Verify what algorithm was used to create that hash you're trying to crack. You can specify to view all possible algorithms by providing the -L flag (some algorithms are not implemented yet)


Random salting, unicode random salting, or you can make your own choice on the salt.


Basic usage
For full functionality of Dagon please reference the homepage here
python dagon.py -h This will run the help menu and provide a list of all possible flags
python dagon.py -c <HASH> --bruteforce This will attempt to bruteforce a given hash
python dagon.py -l <FILE-PATH> --bruteforce This will attempt to bruteforce a given file full of hashes (one per line)
python dagon.py -v <HASH> This will try to verify the algorithm used to create the hash
python dagon.py -V <FILE-PATH> This will attempt to verify each hash in a file, one per line

Installation
Dagon requires python version 2.7.x to run successfully.
  • git clone https://github.com/ekultek/dagon.git
  • cd Dagon
  • pip install -r requirements.txt
This should install all the dependencies that you will need to run Dagon

Contributions
All contributions are greatly appreciated and helpful. When you contribute you will get your name placed on the homepage underneath contributions with a link to your contribution. You will also get massive respect from me, and that's a pretty cool thing. What I'm looking for in contributions is some of the following:
  • Hashing algorithm implementations, specifically: a quicker MD2 algorithm, full Tiger algorithms, Keychain algorithms for cloud and agile
  • More wordlists to download from, please make sure that the link is encoded
  • Rainbow table attack implementation
  • More regular expressions to verify different hash types


PhishingKitHunter - Find Phishing Kits Which Use Your Brand/Organization's Files And Image


Find phishing kits which use your brand/organization's files and image.
PhishingKitHunter (or PKHunter) is a tool made for identifying the URLs of phishing kits used in phishing campaigns that target your customers and reuse some of your own website files (CSS, JS, ...). The tool, written in Python 3, is based on the analysis of the referer URLs of requests that GET particular files on the legitimate website (such as style content) or that redirect the user after the phishing session. Log files (should) contain the referer URL the user came from, which is where the phishing kit is deployed. PhishingKitHunter parses your log file to identify particular, non-legitimate referers fetching legitimate pages, based on regular expressions you put into PhishingKitHunter's config file.

Features
  • find URL where a phishing kit is deployed
  • find if the phishing kit is still up and running
  • generate a JSON report useful for external usage
  • use a hash of the phishing kit's page to identify the kit
  • use a timestamp for history
  • can use HTTP or SOCKS5 proxy
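The referer analysis described above, as an added example that is not PhishingKitHunter's own code: it parses a few constructed combined-format log lines and reports referers that hot-link the brand's static files from a host outside the legitimate site. LEGIT_HOSTS and WATCHED_PATHS stand in for the regular expressions of the real config file, and the log lines, hostnames and paths are constructed.

```python
"""Referer-based phishing-kit spotting over web server logs (constructed example)."""
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed stand-ins for the patterns a real PKHunter config file would hold.
LEGIT_HOSTS = {"www.example-bank.test", "example-bank.test"}
# Files a kit typically hot-links from the real site (stylesheets, scripts, logos).
WATCHED_PATHS = re.compile(r"^/(?:css|js|img)/.*\.(?:css|js|png|svg)$")

# Constructed sample log lines: one legitimate visitor, two hot-linking kits.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2017:13:00:03 +0000] "GET /css/main.css HTTP/1.1" 200 5123 "http://badscam.org/includes/ap/?a=2" "Mozilla/5.0"
198.51.100.9 - - [01/May/2017:13:00:10 +0000] "GET /css/main.css HTTP/1.1" 200 5123 "https://www.example-bank.test/login" "Mozilla/5.0"
198.51.100.9 - - [01/May/2017:13:00:11 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.8 - - [01/May/2017:13:01:14 +0000] "GET /img/logo.svg HTTP/1.1" 200 2210 "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/" "Mozilla/5.0"
203.0.113.8 - - [01/May/2017:13:01:15 +0000] "GET /img/logo.svg HTTP/1.1" 200 2210 "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referer(entry: dict) -> bool:
    """True when a watched static file was fetched with a Referer hosted
    somewhere other than the legitimate site."""
    ref = entry["referer"]
    if ref in ("", "-") or not WATCHED_PATHS.match(entry["path"]):
        return False
    host = urlsplit(ref).hostname
    return host is not None and host not in LEGIT_HOSTS


def hunt(log_text: str) -> dict:
    """Return {candidate_kit_url: first_seen_timestamp}, de-duplicated per URL
    as PKHunter's report is."""
    found = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and suspicious_referer(entry):
            found.setdefault(entry["referer"], entry["time"])
    return found


if __name__ == "__main__":
    for url, ts in hunt(SAMPLE_LOG).items():
        print(f"[+] {url}\n | Timestamp: {ts}")
```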

Usage
$ ./PhishingKitHunter-0.6.py -i LogFile2017.log -o PKHunter-report-20170502-013307.json -c conf/test.conf

_ \ | / | | |
| | ' / | | | | __ \ __| _ \ __|
___/ . \ ___ | | | | | | __/ |
_| _|\_\_| _|\__,_|_| _|\__|\___|_|

-= Phishing Kit Hunter - v0.6b =-

[+] http://badscam.org/includes/ap/?a=2
| Timestamp: 01/May/2017:13:00:03
| HTTP status: can't connect (HTTP Error 404: Not Found)
[+] http://scamme.com/aple/985884e5b60732b1245fdfaf2a49cdfe/
| Timestamp: 01/May/2017:13:00:49
| HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://badscam-er.com/eb/?e=4
| Timestamp: 01/May/2017:13:01:06
| HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/
| Timestamp: 01/May/2017:13:01:14
| HTTP status: UP
| HTTP shash : 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
[+] http://phish-other.eu/assur/big/phish/2be1c6afdbfc065c410d36ba88e7e4c9/
| Timestamp: 01/May/2017:13:01:15
| HTTP status: UP
| HTTP shash : 2a545c4d321e3b3cbb34af62e6e6fbfbdbc00a400bf70280cb00f4f6bb0eac44
697475it [06:41, 1208.14it/s]

Help
$ ./PhishingKitHunter-0.6.py --help

_ \ | / | | |
| | ' / | | | | __ \ __| _ \ __|
___/ . \ ___ | | | | | | __/ |
_| _|\_\_| _|\__,_|_| _|\__|\___|_|

-= Phishing Kit Hunter - v0.6b =-

-h --help Prints this
-i --ifile Input logfile to analyse
-o --ofile Output JSON report file (default: ./PKHunter-report-'date'-'hour'.json)
-c --config Configuration file to use (default: ./conf/defaults.conf)

JSON report example
$ cat ./PKHunter-report-20170502-013307.json

{
"PK_URL": "http://badscam.org/includes/ap/?a=2",
"PK_info": {
"Domain": "badscam.org",
"HTTP_sha256": "",
"HTTP_status": "can't connect (HTTP Error 404: Not Found)",
"date": "01/May/2017:13:00:03"
}
}{
"PK_URL": "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/",
"PK_info": {
"Domain": "assur.cam.tech",
"HTTP_sha256": "0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091",
"HTTP_status": "UP",
"date": "01/May/2017:13:01:14"
}
}
[...]

Requirements
  • Python 3
  • requests
  • tqdm
  • json
  • PySocks

Install
Install the requirements
pip install -r requirements.txt

Configure
Please read the conf/default.conf file to learn how to configure PhishingKitHunter.


NSEarch - Nmap Scripting Engine Search


Nsearch is a tool that helps you find the scripts used by nmap (NSE). You can search the scripts using different keywords such as the name, category and author, or even all of the keywords in a single query; it is also possible to view the documentation of the scripts found.

Requirements
$ pip install pyyaml python-i18n

Debian(Ubuntu)
# apt-get install unzip libreadline-gplv2-dev build-essential checkinstall unzip sqlite3 libsqlite3-dev -y

REDHAT(CentOS)
# yum -y install bzip2 groupinstall "Development Tools"

Installation

To install the application it is necessary to run the installation script (install.sh) as the root user. For the time being, the script only supports Debian-based and Red Hat-based (CentOS) systems. On MacOSX or other UNIX systems it is better to install each dependency manually.

Automatic Installation
# sh install.sh

File Configuration

To find the path of script.db, use the command below
$ find /usr -type f -name "script.db" 2>/dev/null | awk 'gsub("script.db","")'

Then create a config.yaml file in the main path of the script
config:
  scriptsPath: '/usr/local/share/nmap/scripts/'
  filePath: '/usr/local/share/nmap/scripts/script.db'
  fileBackup: 'scriptbk.db'
  scriptdb: 'nmap_scripts.sqlite3'
  categories: {"auth","broadcast","brute","default","discovery","dos","exploit","external","fuzzer","intrusive","malware","safe","version","vuln"}

USAGE:
  $ python nsearch.py

Main Menu

Initial Setup
 ================================================
_ _ _____ _____ _
| \ | |/ ___|| ___| | |
| \| |\ `--. | |__ __ _ _ __ ___ | |__
| . ` | `--. \| __| / _` || '__| / __|| '_ |
| |\ |/\__/ /| |___ | (_| || | | (__ | | | |
\_| \_/\____/ \____/ \__,_||_| \___||_| |_|
================================================
Version 0.4b http://goo.gl/8mFHE5 @jjtibaquira
Email: jko@dragonjar.org | www.dragonjar.org
================================================

Creating Database :nmap_scripts.sqlite3
Creating Table For Script ....
Creating Table for Categories ....
Creating Table for Scripts per Category ....
Upload Categories to Categories Table ...

Main Console
Cheking DB ... nmap_scripts.sqlite3
The DB is updated nmap_scripts.sqlite3

nsearch>

Basic Commands
nsearch> help

Nsearch Commands
================
addfav clear delfav doc exit help history last modfav search showfav

nsearch>
nsearch> help search

name : Search by script's name
category : Search by category
author : Search by author
Usage:
search name:http
search category:exploit
search author:fyodor
search name:http category:exploit author:fyodor

nsearch>
nsearch> search name:http author:calderon category:vuln
*** Name Author
[+] http-vuln-cve2012-1823.nse Paulino Calderon, Paul AMAR
[+] http-phpself-xss.nse Paulino Calderon
[+] http-wordpress-enum.nse Paulino Calderon
[+] http-adobe-coldfusion-apsa1301.nse Paulino Calderon
[+] http-vuln-cve2013-0156.nse Paulino Calderon
[+] http-awstatstotals-exec.nse Paulino Calderon
[+] http-axis2-dir-traversal.nse Paulino Calderon
[+] http-huawei-hg5xx-vuln.nse Paulino Calderon
[+] http-tplink-dir-traversal.nse Paulino Calderon
[+] http-trace.nse Paulino Calderon
[+] http-litespeed-sourcecode-download.nse Paulino Calderon
[+] http-majordomo2-dir-traversal.nse Paulino Calderon
[+] http-method-tamper.nse Paulino Calderon
nsearch> doc ssh <TAB>
ssh-hostkey.nse ssh2-enum-algos.nse sshv1.nse
nsearch> doc sshv1.nse
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"

description = [[
Checks if an SSH server supports the obsolete and less secure SSH Protocol Version 1.
]]
author = "Brandon Enright"
nsearch>

Favorites Feature
nsearch> addfav name:http-vuln-cve2012-1823.nse ranking:great
[+] http-vuln-cve2012-1823.nse The Script was added successfully
nsearch>
nsearch> showfav
*** Name Ranking
[+] sslv2.nse normal
[+] http-vuln-cve2012-1823.nse great
nsearch>
nsearch> showfav
*** Name Ranking
[+] sslv2.nse normal
[+] http-vuln-cve2012-1823.nse great

nsearch> modfav name:sslv2.nse newranking:great
[+] sslv2.nse The Script was updated successfully

nsearch> showfav
*** Name Ranking
[+] sslv2.nse great
[+] http-vuln-cve2012-1823.nse great
nsearch>
nsearch> showfav
*** Name Ranking
[+] sslv2.nse great
[+] http-vuln-cve2012-1823.nse great

nsearch> delfav name:sslv2.nse
[+] sslv2.nse The Script was removed successfully

nsearch> showfav
*** Name Ranking
[+] http-vuln-cve2012-1823.nse great

nsearch>

QuickSand.io - Tool For Scanning Streams Within Office Documents Plus Xor DB Attack



QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

File Formats For Exploit and Active Content Detection
  • doc, docx, docm, rtf, etc
  • ppt, pptx, pps, ppsx, etc
  • xls, xlsx, etc
  • mime mso
  • eml email

File Formats For Executable Detection
  • All of the above, plus PDF.
  • Any document format such as HWP.

Lite Version - MPLv2 License
  • Key dictionary up to 256 byte XOR
  • Bitwise ROL, ROR, NOT
  • Addition or subtraction math cipher
  • Executable extraction: Windows, Mac, Linux, VBA
  • Exploit search
  • RTF pre processing
  • Hex stream extract
  • Base 64 Stream extract
  • Embedded Zip extract
  • ExOleObjStgCompressedAtom extract
  • zLib Decode
  • Mime Mso xml Decoding
  • OpenXML decode (unzip)
  • Yara signatures included: Executables, active content, exploits CVE 2014 and earlier
Example results and more info blog post
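An added example, not QuickSand's code, of the transform search the lite version lists: a constructed stand-in for an embedded executable is hidden under a one-byte XOR key and under a bit rotation, and the scanner tries every one-byte XOR key, every rotation amount and every additive key, reporting the transform and offset that expose the 'MZ' magic followed by the DOS-stub string. The document bytes, the stub layout and the offsets are constructed.

```python
"""Brute-force search for an obfuscated embedded executable (constructed example)."""

# The DOS stub text found near the start of nearly every PE file.
MARKER = b"This program cannot be run in DOS mode"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rol8(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def ror8(data: bytes, n: int) -> bytes:
    """Rotate every byte right by n bits (undone by rol8 with the same n)."""
    return rol8(data, (8 - n) % 8)


def add8(data: bytes, k: int) -> bytes:
    """Add k to every byte modulo 256 (undoes a subtraction cipher)."""
    return bytes((b + k) & 0xFF for b in data)


def find_embedded_exe(blob: bytes):
    """Try every one-byte XOR key, every rotation and every additive key.
    Return a list of (transform, parameter, offset) for each decoding that
    exposes the DOS-stub marker with an 'MZ' magic somewhere before it."""
    hits = []
    candidates = (
        [("xor", k, xor) for k in range(256)]
        + [("rol", n, rol8) for n in range(1, 8)]
        + [("add", k, add8) for k in range(1, 256)]
    )
    for name, param, fn in candidates:
        decoded = fn(blob, param)
        marker_at = decoded.find(MARKER)
        if marker_at == -1:
            continue
        # The stub string sits after the DOS header, so require the magic earlier.
        mz_at = decoded.rfind(b"MZ", 0, marker_at)
        if mz_at != -1:
            hits.append((name, param, mz_at))
    return hits


# Constructed "document": an OLE-like header, junk, a fake PE prefix encoded with
# XOR 0x5A, more junk, and a second copy encoded with ROR 3 (undone by ROL 3).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + MARKER + b"\r\r\n$"
DOCUMENT = (
    b"\xd0\xcf\x11\xe0" + b"A" * 32   # 36 bytes of header/junk
    + xor(FAKE_PE, 0x5A)              # fake PE at offset 36 (106 bytes)
    + b"B" * 16                       # junk
    + ror8(FAKE_PE, 3)                # second fake PE at offset 158
)

if __name__ == "__main__":
    for transform, param, offset in find_embedded_exe(DOCUMENT):
        print(f"{transform} {param:#04x}: executable magic at offset {offset}")
```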

Full Version - Commercial License
  • Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
  • 1 Byte zerospace not replaced brute force XOR search
  • XOR Look Ahead cipher
  • More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
  • Try the full version online at QuickSand.io

Dependencies (not included)
  • Yara 3.4+
  • zlib 1.2.1+
  • libzip 1.1.1+

Distributed components under their own licensing
  • MD5 by RSA Data Security, Inc.
  • SHA1 by Paul E. Jones
  • SHA2 by Aaron D. Gifford
  • jWrite by TonyWilk for json output
  • tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start
  • ./build.sh
  • ./quicksand.out -h
  • ./quicksand.out malware.doc

Documentation

