• @laramies - Developer of theHarvester tool https://github.com/laramies/theHarvester
• @CptJesus - Helped dev framework

• Alexander Rymdeko-Harvey [Twitter] @Killswitch-GUI -- [Web] CyberSydicates.com
• Keelyn Roberts [Twitter] @real_slacker007 -- [Web] CyberSydicates.com

• Kali Linux 2.0
• Kali Linux 1.0
• Debian (deb8u3)

• Easy for you to write modules (All you need is 1 required Class option and you're up and running)
• Use the built in Parsers for rawest results
• Multiprocessing Queue for modules and Result Queue for easy handling of Email data
• Simple integration of theHarvester Modules and new ones to come
• Also the ability to change major settings fast without diving into the code

• When API based searches become available, no need to add them to the Command line
• API keys will be auto pulled from the SimpleEmail.ini, this will activate the module for use

# sh Setup.sh
or
# ./Setup.sh

FIX KALI BUG: 
# apt-get remove configparser
# apt-get remove python-magic
or 
# apt-get remove python-futures

Normal Setup
# ./Setup.sh

Install brew:
https://coolestguidesontheplanet.com/installing-homebrew-on-os-x-el-capitan-10-11-package-manager-for-unix-apps/

$ sudo easy_install pip
$ sudo brew install libmagic
$ pip install python-magic
$ ./Setup.sh

 ============================================================
 Current Version: v1.4.2 | Website: CyberSyndicates.com
 ============================================================
 Twitter: @real_slacker007 |  Twitter: @Killswitch_gui
 ============================================================
------------------------------------------------------------
   ______  ________                       __ __
 /      \/        |                     /  /  |
/$$$$$$  $$$$$$$$/ _____  ____   ______ $$/$$ |
$$ \__$$/$$ |__   /     \/    \ /      \/  $$ |
$$      \$$    |  $$$$$$ $$$$  |$$$$$$  $$ $$ |
 $$$$$$  $$$$$/   $$ | $$ | $$ |/    $$ $$ $$ |
/  \__$$ $$ |_____$$ | $$ | $$ /$$$$$$$ $$ $$ |
$$    $$/$$       $$ | $$ | $$ $$    $$ $$ $$ |
 $$$$$$/ $$$$$$$$/$$/  $$/  $$/ $$$$$$$/$$/$$/

------------------------------------------------------------
usage: SimplyEmail.py [-all] [-e company.com] [-l] [-t html / flickr / google]
                      [-s] [-n] [-verify] [-v] [--json json-emails.txt]

Email enumeration is a important phase of so many operation that a pen-tester
or Red Teamer goes through. There are tons of applications that do this but I
wanted a simple yet effective way to get what Recon-Ng gets and theHarvester
gets. (You may want to run -h)

optional arguments:
  -all                  Use all non API methods to obtain Emails
  -e company.com        Set required email addr user, ex ale@email.com
  -l                    List the current Modules Loaded
  -t html / flickr / google
                        Test individual module (For Linting)
  -s                    Set this to enable 'No-Scope' of the email parsing
  -n                    Set this to enable Name Generation
  -verify               Set this to enable SMTP server email verify
  -v                    Set this switch for verbose output of modules
  --json json-emails.txt
                        Set this switch for json output to specfic file

./SimplyEmail.py -all -e cybersyndicates.com

or in verbose
./SimplyEmail.py -all -v -e cybersyndicates.com

or in verbose and no "Scope"
./SimplyEmail.py -all -v -e cybersyndicates.com -s

or with email verification
./SimplyEmail.py -all -v -verify -e cybersyndicates.com 

or with email verification & Name Creation
./SimplyEmail.py -all -v -verify -n -e cybersyndicates.com 

or json automation
./SimplyEmail.py -all -e cybersyndicates.com --json cs-json.txt

root@kali:~/Tools/SimplyEmail# ./SimplyEmail.py -l
 ============================================================
 Current Version: v0.7 | Website: CyberSyndicates.com
 ============================================================
 Twitter: @real_slacker007 |  Twitter: @Killswitch_gui
 ============================================================
------------------------------------------------------------
   ______  ________                       __ __
 /      \/        |                     /  /  |
/$$$$$$  $$$$$$$$/ _____  ____   ______ $$/$$ |
$$ \__$$/$$ |__   /     \/    \ /      \/  $$ |
$$      \$$    |  $$$$$$ $$$$  |$$$$$$  $$ $$ |
 $$$$$$  $$$$$/   $$ | $$ | $$ |/    $$ $$ $$ |
/  \__$$ $$ |_____$$ | $$ | $$ /$$$$$$$ $$ $$ |
$$    $$/$$       $$ | $$ | $$ $$    $$ $$ $$ |
 $$$$$$/ $$$$$$$$/$$/  $$/  $$/ $$$$$$$/$$/$$/

------------------------------------------------------------
 [*] Available Modules are:

  1)  Modules/HtmlScrape.py   
  2)  Modules/PasteBinSearch.py
  3)  Modules/ExaleadSearch.py
  4)  Modules/SearchPGP.py    
  5)  Modules/ExaleadXLSXSearch.py
  6)  Modules/ExaleadDOCXSearch.py
  7)  Modules/OnionStagram.py 
  8)  Modules/GooglePDFSearch.py
  9)  Modules/RedditPostSearch.py
  10) Modules/AskSearch.py    
  11) Modules/EmailHunter.py  
  12) Modules/WhoisAPISearch.py
  13) Modules/Whoisolgy.py    
  14) Modules/GoogleDocxSearch.py
  15) Modules/GitHubUserSearch.py
  16) Modules/YahooSearch.py  
  17) Modules/GitHubCodeSearch.py
  18) Modules/ExaleadPDFSearch.py
  19) Modules/GoogleSearch.py 
  20) Modules/FlickrSearch.py 
  21) Modules/GoogleDocSearch.py
  22) Modules/CanaryBinSearch.py
  23) Modules/ExaleadDOCSearch.py
  24) Modules/GoogleXLSXSearch.py
  25) Modules/GitHubGistSearch.py

 ============================================================
 Current Version: v1.1 | Website: CyberSyndicates.com
 ============================================================
 Twitter: @real_slacker007 |  Twitter: @Killswitch_gui
 ============================================================
 [*] Now Starting Connect6 Scrape:
 [*] SimplyEmail has attempted to find correct URL for Connect6:
     URL detected: www.connect6.com/Vfffffff,%20LLC/c 
 [>] Is this URL correct?: n
    Potential URL: www.connect6.com/Vffffffff,%20LLC/c 
    Potential URL: www.connect6.com/fffffff/p/181016043240247014147078237069133079124017210127108009097255039209172025193089206212192166241042174198072085028234035215132077249038065254013074 
    Potential URL: www.connect6.com/Cfffff/p/034097047081090085111147210185030172009078049169022098212236211095220195001177030045187199131226210223245205084079141193247011181189036140240023 
    Potential URL: www.connect6.com/Jfffffff/p/102092136035048036136024218227078226242230121102078233031208236153124239181008089103120004217018 
    Potential URL: www.connect6.com/Adam-Salerno/p/021252074213080142144144173151186084054192089124012168233122054057047043085086050013217026242085213002224084036030244077024184140161144046156080 
 [!] GoogleDork This: site:connect6.com "Vfffff.com"
 [-] Commands Supported: (B) ack - (R) etry
 [>] Please Provid a URL: b

• Looks up MX records
• Sorts based on priority
• Checks if SMTP server will respond other than 250
• If the server is suitable, checks for 250 codes
• Outputs a (.txt) file with verified emails.

============================================================
 Curent Version: v1.0 | Website: CyberSyndicates.com
 ============================================================
 Twitter: @real_slacker007 |  Twitter: @Killswitch_gui
 ============================================================
 [*] Email reconnaissance has been completed:

    Email verification will allow you to use common methods
    to attempt to enumerate if the email is valid.
    This grabs the MX records, sorts and attempts to check
    if the SMTP server sends a code other than 250 for known bad addresses

 [>] Would you like to verify email(s)?: y
 [*] Attempting to resolve MX records!
 [*] MX Host: gmail-smtp-in.l.google.com.
 [*] Checking for valid email: alwathiqlegaltranslation@gmail.com
 [!] Email seems valid: alwathiqlegaltranslation@gmail.co

  ----------------------------------
  Email Recon: 11/11/2015 05:13:32
  ----------------------------------
bo@mandiant.com
in@mandiant.com
sc@mandiant.com
je@mandiant.com
su@mandiant.com
----------------------------------
  Email Recon: 11/11/2015 05:15:42
  ----------------------------------
bo@mandiant.com
in@mandiant.com
sc@mandiant.com
je@mandiant.com
su@mandiant.com

{
    "current_version": "v1.4.1", 
    "data_of_collection": "26/06/2016", 
    "domain_of_collection": "---SNIP---", 
    "email_collection_count": 220, 
    "emails": [
        {
            "collection_data": "26/06/2016", 
            "collection_time": "18:47:42", 
            "email": "---SNIP---", 
            "module_name": "Searching PGP"
        }, 
       ---SNIP---
        {
            "collection_data": "26/06/2016", 
            "collection_time": "18:51:46", 
            "email": "---SNIP---", 
            "module_name": "Exalead PDF Search for Emails"
        }
    ], 
    "time_of_collection": "18:53:04", 
    "tool_of_collection": "SimplyEmail"
}

• Html report now shows Alerts for Canary Search Results! 

• The following will be built into the Parser Soon:
• shinichiro.hamaji at gmail.com
• shinichiro.hamaji AT gmail.com
• simohayha.bobo at gmail.com
• "jeffreytgilbert" => "gmail.com"
• felix021 # gmail.com
• hirokidaichi[at]gmail.com
• hirokidaichi[@]gmail.com
• hirokidaichi[#]gmail.com
• xaicron{ at }gmail.com
• xaicron{at}gmail.com
• xaicron{@}gmail.com
• xaicron(@)gmail.com
• xaicron + gmail.com
• xaicron ++ gmail.com
• xaicron ## gmail.com
• bekt17[@]gmail.com
• billy3321 -AT- gmail.com
• billy3321[AT]gmail.com
• ybenjo.repose [[[at]]] gmail.com
• sudhindra.r.rao (at) gmail.com
• sudhindra.r.rao nospam gmail.com
• shinichiro.hamaji (.) gmail.com
• shinichiro.hamaji--at--gmail.com

Modules Under Dev:
-----------------------------
( ) StartPage Search (can help with captcha issues)
( ) Searching SEC Data
( ) PwnBin Search 
( ) Past Data Dumps
( ) psbdmp API Based and non Alert

Framework Under Dev:
-----------------------------
( ) New Parsers to clean results
( ) Fix import errors with Glob
( ) Add in "[@]something.com" to search Regex and engines
( ) Add Threading/Multi to GitHub Search
( ) Add Source of collection to HTML Output

Current Issues:
-----------------------------
( ) PDF miner Text Extraction Error
( ) Verify Emails function and only one name list raises errors

• The most current ADB must be in your path and fully functional
• The report name must not have any whitespace

• Some information and files cannot be pulled higher up the SDK version due to strict SELinux policies and android hardening.
• It can only run on one device at a time for now

• Support for enumeration on a rooted device
• Support enumeration on multiple devices at a time
• Generate PDF report on the enumartuon data

• LinEnum - https://github.com/rebootuser/LinEnum
• Linuxprivchecker - https://www.securitysift.com/download/linuxprivchecker.py
• Unix-privesc-check - https://github.com/inquisb/unix-privesc-check
• Basic Linux Privilege Escalation - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

• Installation
  
• Create a global executable on PATH
  
• Create a Desktop Shortcut
  

git clone https://github.com/m4n3dw0lf/pythem
cd pythem
chmod +x install
./install

Run with:

pythem

• ARP spoofing - Man-in-the-middle.
• Man-in-the-middle HSTS bypass - Strip SSL
• ARP+DNS spoof - fake page redirect to credential harvester
• DHCP ACK Injection spoofing - Man-in-the-middle
• Man-in-the-middle inject BeEF hook
• SSH Brute-Force attack.
• Web page formulary brute-force
• URL content buster
• Overthrow the DNS of LAN range/IP address
• Redirect all possible DNS queries to host

• Exploit Development 1: Overwriting Instruction Pointer
• Exploit Development 2: Ret2libc

• help
• exit/quit
• set
• print

• arpspoof
• dhcpspoof
• dnsspoof
• hstsbypass
• redirect
• sniff
• dos
• pforensic
  pforensic: Commands Reference
  
  • help
  • clear
  • exit/quit
  • show
  • conversations
  • packetdisplay
  • filter

• xploit
  xploit: Commands Reference
  
  • help
  • clear
  • exit/quit
  • set
  • decode/encode
  • shellcode
  • search
  • xploit
  • cheatsheet
  • fuzz

• brute

• geoip
• decode/encode
• cookiedecode

pip install -r requirements.txt

python rastleak.py

$ python rastleak.py -h
usage: rastleak.py [-h] -d DOMAIN -o OPTION -n SEARCH -e EXT [-f EXPORT]

This script searchs files indexed in the main searches of a domain to detect a possible leak information

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        The domain which it wants to search
  -o OPTION, --option OPTION
                        Indicate the option of search
                                1.Searching leak information into the target
                                2.Searching leak information outside target
  -n SEARCH, --search SEARCH
                        Indicate the number of the search which you want to do
  -e EXT, --ext EXT     Indicate the option of display:
                                1-Searching the domains where these files are found
                                2-Searching ofimatic files

  -f EXPORT, --export EXPORT
                        Indicate the type of format to export results.
                                1.json (by default)
                                2.xlsx

• v2.2 - add multi task in dracnmap when scan
• v2.2 - the output file will be in root / on folder dracnmap
• v2.1 - Fixed bug ( typo and double function )
• v2.0 - Changed a banner
• v2.0 - added auth-category (34 OPTIONAL) in to nmap script engine Advanced
• v2.0 - added broadcast-category (44 OPTIONAL) in to nmap script engine Advanced
• v2.0 - added brute-category (71 OPTIONAL) in to nmap script engine Advanced
• v2.0 - added exploit-category (44 OPTIONAL) in to nmap script engine Advanced
• v2.0 - added fuzzer-category (4 OPTIONAL)in to nmap script engine Advanced
• v2.0 - added malware-category (10 OPTIONAL) in to nmap script engine Advanced
• v2.0 - added vuln-category (89 OPTIONAL)in to nmap script engine Advanced
• v2.0 - Delete future bruteforce with nse script & Changed to Nmap Script Engine Advanced with sub optional
• v1.3 - Add 70 Bruteforce with nse script :))
• v1.2 - Add dracnmap for dracos
• v1.2 - Fix some functoin
• v1.1 - Collecting Valid Email Accounts with nse Script ( WEB SERVICE )
• V1.1 - Add Gathering information from WHOIS ( MENU WEB SERVICE )
• V1.1 - Add Geolocation ip addres with nse script ( MENU WEB SERVICE )
• v1.0 - Release Dracnmap

1. git clone https://github.com/Screetsec/Dracnmap.git
2. cd Dracnmap
3. chmod +x Dracnmap.sh
4. sudo ./Dracnmap.sh or sudo su ./Dracnmap.sh

• A linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling / Cyborg / Parrot / Dracos / BackTrack / Backbox / and another operating system ( linux )
  
• Must install nmap
  

    _____:  _____________         _____:  v3.6.0     ____________
   _\    |__\______    _/_______ _\    |_____ _______\______    /__ ______
   |     _     |  __   \   ____/____   _     |   ___/____  __    |_______/
   |     |     |  \    _\____      /   |     |   \      /  \     |     |
   |_____|     |______/     /     /____|     |_________/_________:     |
         |_____:-aTZ!/___________/     |_____:                 /_______:

* BLAKE2 * BLOCKCHAIN2 * DPAPI * CHACHA20 * JAVA KEYSTORE * ETHEREUM WALLET *

java -jar JksPrivkPrepare.jar your_JKS_file.jks > hash.txt

$ ./hashcat -m 15500 -a 3 -1 '?u|' -w 3 hash.txt ?1?1?1?1?1?1?1?1?1
hashcat (v3.6.0) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2026/8107 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Appended-Salt
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

$jksprivk$*D1BC102EF5FE5F1A7ED6A63431767DD4E1569670...8*test:POC||GTFO

Session..........: hashcat
Status...........: Cracked
Hash.Type........: JKS Java Key Store Private Keys (SHA1)
Hash.Target......: $jksprivk$*D1BC102EF5FE5F1A7ED6A63431767DD4E1569670...8*test
Time.Started.....: Tue May 30 17:41:58 2017 (8 mins, 25 secs)
Time.Estimated...: Tue May 30 17:50:23 2017 (0 secs)
Guess.Mask.......: ?1?1?1?1?1?1?1?1?1 [9]
Guess.Charset....: -1 ?u|, -2 Undefined, -3 Undefined, -4 Undefined 
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  7946.6 MH/s (39.48ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4014116700160/7625597484987 (52.64%)
Rejected.........: 0/4014116700160 (0.00%)
Restore.Point....: 5505024000/10460353203 (52.63%)
Candidates.#1....: NNVGFSRFO -> Z|ZFVDUFO
HWMon.Dev.#1.....: Temp: 75c Fan: 89% Util:100% Core:1936MHz Mem:4513MHz Bus:1

Started: Tue May 30 17:41:56 2017
Stopped: Tue May 30 17:50:24 2017

• test_run.sh: A little test script that you should be able to run after a couple of minutes to see this project in action. It includes comments on how to setup the dependencies for this project.
• benchmarking: tests that show why you should use this technique and not others. Please read the "Nail in the JKS coffin" article.
• example_jks: generate example JKS files
• fingerprint_creation: Every plaintext private key in PKCS#8 has it's own "fingerprint" that we expect when we guess the correct password. These fingerprints are necessary to make sure we are able to detect when we guessed the correct password. Please read the "Nail in the JKS coffin" article. This folder has the code to generate these fingerprints, it's a little bit hacky but I don't expect that it will be necessary to add any other fingerprints ever.
• JksPrivkPrepare: The source code of how the JKS files are read and the hash calculated we need to give to hashcat.
• jksprivk_crack.py: A proof of concept implementation that can be used instead of hashcat. Obviously this is much slower than hashcat, but it can outperform John the Ripper (JtR) in certain cases. Please read the "Nail in the JKS coffin" article.
• jksprivk_decrypt.py: A little helper script that can be used to extract a private key once the password was correctly guessed.
• run_example_jks.sh: A script that runs JksPrivkPrepare.jar and jksprivk_crack.py on all example JKS files in the example_jks folder. Make sure you run the generate_examples.py in example_jks script before.

/* JKS.java -- implementation of the "JKS" key store.
   Copyright (C) 2003  Casey Marshall <rsdio@metastatic.org>

Permission to use, copy, modify, distribute, and sell this software and
its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation.  No representations are made about the
suitability of this software for any purpose.  It is provided "as is"
without express or implied warranty.

This program was derived by reverse-engineering Sun's own
implementation, using only the public API that is available in the 1.4.1
JDK.  Hence nothing in this program is, or is derived from, anything
copyrighted by Sun Microsystems.  While the "Binary Evaluation License
Agreement" that the JDK is licensed under contains blanket statements
that forbid reverse-engineering (among other things), it is my position
that US copyright law does not and cannot forbid reverse-engineering of
software to produce a compatible implementation.  There are, in fact,
numerous clauses in copyright law that specifically allow
reverse-engineering, and therefore I believe it is outside of Sun's
power to enforce restrictions on reverse-engineering of their software,
and it is irresponsible for them to claim they can.  */

• JKS is going to be replace as the default type in Java 9 http://openjdk.java.net/jeps/229
• https://gist.github.com/zach-klippenstein/4631307
• http://www.openwall.com/lists/john-users/2015/06/07/3
• https://github.com/bes/KeystoreBrute
• https://github.com/jeffers102/KeystoreCracker
• https://github.com/volure/keystoreBrute
• https://gist.github.com/robinp/2143870
• https://www.darknet.org.uk/2015/06/patator-multi-threaded-service-url-brute-forcing-tool/
• https://github.com/rsertelon/android-keystore-recovery
• https://github.com/MaxCamillo/android-keystore-password-recover
• https://cryptosense.com/mighty-aphrodite-dark-secrets-of-the-java-keystore/
• https://hashcat.net/events/p12/js-sha1exp_169.pdf
• https://github.com/hashcat/hashcat

• v1.0: May 16, 2017: Initial revision.
• v1.1: July 6, 2017: Removed root privilege dependencies, added automatic installer, added Kali Linux support, added JoesAwesomeSSHMITMVictimFinder.py script to find potential targets on a LAN.

• Support SFTP MITM'ing.
• Print hostname, username, and password at the top of session logs.
• Add port forwarding support.
• Regex substitute the output of ssh-keygen when a user tries to check the host key hash. >:]
• Create wrapper script that detects when user is trying to use key authentication only, and de-spoof them automatically.

# ./JoesAwesomeSSHMITMVictimFinder.py --interface enp0s3 --ignore-ips 10.11.12.50,10.11.12.53
Found local address 10.11.12.141 and adding to ignore list.
Using network CIDR 10.11.12.141/24.
Found default gateway: 10.11.12.1
IP blocks of size 5 will be spoofed for 20 seconds each.
The following IPs will be skipped: 10.11.12.50 10.11.12.53 10.11.12.141


Local clients:
  * 10.11.12.70 -> 174.129.77.155:22
  * 10.11.12.43 -> 10.11.99.2:22

arpspoof -r -t 192.168.x.1 192.168.x.5

ettercap -i enp0s3 -T -M arp /192.168.x.1// /192.168.x.5,192.168.x.6//

sudo tail -f /var/log/auth.log

May 16 23:14:01 showmeyourmoves sshd_mitm[16798]: INTERCEPTED PASSWORD: hostname: [10.199.30.x]; username: [jdog]; password: [supercalifragilistic] [preauth]

# cat /home/ssh-mitm/session_0.txt
Last login: Tue May 16 21:35:00 2017 from 10.50.22.x
OpenBSD 6.0-stable (GENERIC.MP) #12: Sat May  6 19:08:31 EDT 2017

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

jdog@jefferson ~ $ ppss
  PID TT  STAT       TIME COMMAND
59264 p0  Ss      0:00.02 -bash (bash)
52132 p0  R+p     0:00.00 ps
jdog@jefferson ~ $ iidd
uid=1000(jdog) gid=1000(jdog) groups=1000(jdog), 0(wheel)
jdog@jefferson ~ $ sssshh  jjtteessttaa@@mmaaggiiccbbooxx
jtesta@magicbox's password: ROFLC0PTER!!1juan

ssh -p 2222 valid_user_on_debug_host@localhost

pushd openssh-7.5p1-mitm/; make clean; popd
diff -ru --new-file -x '*~' -x 'config.*' -x Makefile.in -x Makefile -x opensshd.init -x survey.sh -x openssh.xml -x buildpkg.sh openssh-7.5p1 openssh-7.5p1-mitm/ > openssh-7.5p1-mitm.patch

• Ruby >= 2.1
• PostgreSQL
• Redis
• Rollbar
• Bundler

git clone [Vulnreport repo url]

heroku git:remote -a [Heroku app name]

heroku addons:create heroku-postgresql:hobby-dev
heroku addons:create heroku-redis:hobby-dev
heroku addons:create rollbar:free
heroku addons:create sendgrid:starter

heroku config:set VR_SESSION_SECRET=abc123456
heroku config:set RACK_ENV=production

git push heroku master

Running ./SEED.rb on ⏢ vulnreport-test... up, run.8035

Vulnreport 3.0.0.alpha seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
 Done

Seeding the database...
 Done

User ID 1 created for you


ALL DONE! :)
Login to Vulnreport now and go through the rest of the settings!

yard doc
yard server

<?xml version="1.0" encoding="UTF-8"?>

<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Vuln>
<Type>[Vulntype ID]</Type>
<File>[File Vuln Data]</File>
<Code>
      [Code Vuln Data]
</Code>
<File>clsSyncLog.cls</File>
<Code>
      hello world
</Code>
    ...etc...
</Vuln>

<Vuln>
<Type>6</Type>
<File>clsSyncLog.cls</File>
<File>CommonFunction.cls</File>
<Code>
      12 Public Class CommonFunction{
</Code>
</Vuln>
</Test>

<?xml version="1.0" encoding="UTF-8"?>

<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"">
<Vuln>
<Type>REQUIRED - EXACTLY 1 - INTEGER - ID of VulnType. 0 = Custom</Type>
<CustomTypeName>OPTIONAL - EXACTLY 1 - STRING if TYPE == 0</CustomTypeName>
<BurpData>OPTIONAL - UNLIMITED - STRING - Burp req/resp data encoded in our protocol</BurpData>
<URL>OPTIONAL - UNLIMITED - STRING - URL for finding</URL>
<FileName>OPTIONAL - UNLIMITED - STRING - Name/path of file for finding</FileName>
<Output>OPTIONAL - UNLIMITED - STRING - Output details</Output>
<Code>OPTIONAL - UNLIMITED - STRING - Code details</Code>
<Notes>OPTIONAL - UNLIMITED - STRING - Notes for vuln</Notes>
<Screenshot>
      OPTIONAL - UNLIMITED - Screenshots of vuln
<Filename>REQUIRED - EXACTLY 1 - STRING - Filename with extension</Filename>
<ImageData>
        REQUIRED - EXACTLY 1 - BASE64 - Screenshot data
</ImageData>
</Screenshot>
</Vuln>

  ....unlimited vulns....

<Vuln>
</Vuln>
</Test>

• Automatically collects basic recon (ie. whois, ping, DNS, etc.)
• Automatically launches Google hacking queries against a target domain
• Automatically enumerates open ports via NMap port scanning
• Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
• Automatically checks for sub-domain hijacking
• Automatically runs targeted NMap scripts against open ports
• Automatically runs targeted Metasploit scan and exploit modules
• Automatically scans all web applications for common vulnerabilities
• Automatically brute forces ALL open services
• Automatically test for anonymous FTP access
• Automatically runs WPScan, Arachni and Nikto for all web services
• Automatically enumerates NFS shares
• Automatically test for anonymous LDAP access
• Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
• Automatically enumerate SNMP community strings, services and users
• Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
• Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
• Automatically tests for open X11 servers
• Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
• Performs high level enumeration of multiple hosts and subnets
• Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
• Automatically gathers screenshots of all web sites
• Create individual workspaces to store all scan output

./install.sh

$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

sniper <target> <report>
sniper <target> stealth <report>
sniper <CIDR> discover
sniper <target> port <portnum> 
sniper <target> fullportonly <portnum>
sniper <target> web <report>
sniper <target> nobrute <report>
sniper <targets.txt> airstrike <report>
sniper <targets.txt> nuke <report>
sniper loot

• REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
• STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
• DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
• PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
• FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
• WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
• NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.
• AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
• NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
• LOOT: Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.

• Prebuilt payloads to steal cookie data
• Just copy and paste payload into a XSS vulnerability
• Will send email notification when new cookies are stolen
• Will attempt to refresh cookies every 3 minutes to avoid inactivity timeouts
• Provides full HTTP requests to hijack sessions through a proxy (BuRP, etc)
• Will attempt to load a preview when viewing the cookie data
• PAYLOADS
• Basic AJAX Attack
• HTTPONLY evasion for Apache CVE-20120053
• More to come

• PHP 5.x.x
• PHP-cURL
• MySQL
• Lynx & crontab

• Download the source from github git clone https://github.com/DisK0nn3cT/CookieCatcher.git or use the ZIP file and extract it on your server.
• Setup the directory as a virtualhost in Apache (I won't go over these details, however, you may ask me via email or you can use google.)
• Create a database for the application and load the SETUP.sql file.
• Setup a cron job as shown in the SETUP.cron file.

• Cookie-jar/cookie-string support.
• Custom header support.
• SSL support with fine-grained options.
• User Agent spoofing.
• Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
• Proxy authentication.
• Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
• Automatic log-out detection and re-login during the scan (when the initial login was performed via the autologin, login_script or proxy plugins).
• Custom 404 page detection.
• UI abstraction:
  • Command-line Interface.
  • Web User Interface.
• Pause/resume functionality.
• Hibernation support -- Suspend to and restore from disk.
• High performance asynchronous HTTP requests.
  • With adjustable concurrency.
  • With the ability to auto-detect server health and adjust its concurrency automatically.
• Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.

• JQuery
• AngularJS
• More to come...

• Page DOM, as HTML code.
  • With a list of DOM transitions required to restore the state of the page to the one at the time it was logged.
• Original DOM (i.e. prior to the action that caused the page to be logged), as HTML code.
  • With a list of DOM transitions.
• Data-flow sinks -- Each sink is a JS method which received a tainted argument.
  • Parent object of the method (ex.: DOMWindow).
  • Method signature (ex.: decodeURIComponent()).
  • Arguments list.
    • With the identified taint located recursively in the included objects.
  • Method source code.
  • JS stacktrace.
• Execution flow sinks -- Each sink is a successfully executed JS payload, as injected by the security checks.
  • Includes a JS stacktrace.
• JavaScript stack-traces include:
  • Method names.
  • Method locations.
  • Method source codes.
  • Argument lists.

• Adjustable pool-size, i.e. the amount of browser workers to utilize.
• Timeout for each job.
• Worker TTL counted in jobs -- Workers which exceed the TTL have their browser process respawned.
• Ability to disable loading images.
• Adjustable screen width and height.
  • Can be used to analyze responsive and mobile applications.
• Ability to wait until certain elements appear in the page.
• Configurable local storage data.

• Forms
  • Along with ones that require interaction via a real browser due to DOM events.
• User-interface Forms
  • Input and button groups which don't belong to an HTML <form> element but are instead associated via JS code.
• User-interface Inputs
  • Orphan <input> elements with associated DOM events.
• Links
  • Along with ones that have client-side parameters in their fragment, i.e.: http://example.com/#/?param=val&param2=val2
  • With support for rewrite rules.
• LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates -- useful when rewrite rules are not available.
  • Along with ones that have client-side parameters in their URL fragments, i.e.: http://example.com/#/param/val/param2/val2
• Cookies
• Headers
• Generic client-side elements which have associated DOM events.
• AJAX-request parameters.
• JSON request data.
• XML request data.

• Remotely monitor and manage scans.
• Perform multiple scans at the same time -- Each scan is compartmentalized to its own OS process to take advantage of:
  • Multi-core/SMP architectures.
  • OS-level scheduling/restrictions.
  • Sandboxed failure propagation.
• Communicate over a secure channel.

• Very simple and straightforward API.
• Easy interoperability with non-Ruby systems.
  • Operates over HTTP.
  • Uses JSON to format messages.
• Stateful scan monitoring.
  • Unique sessions automatically only receive updates when polling for progress, rather than full data.

• High-performance/low-bandwidth communication protocol.
  • MessagePack serialization for performance, efficiency and ease of integration with 3rd party systems.
• Grid:
  • Self-healing.
  • Scale up/down by hot-plugging/hot-unplugging nodes.
    • Can scale up infinitely by adding nodes to increase scan capacity.
  • (Always-on) Load-balancing -- All Instances are automatically provided by the least burdened Grid member.
    • With optional per-scan opt-out/override.
  • (Optional) High-Performance mode -- Combines the resources of multiple nodes to perform multi-Instance scans.
    • Enabled on a per-scan basis.

• Filters for redundant pages like galleries, catalogs, etc. based on regular expressions and counters.
  • Can optionally detect and ignore redundant pages automatically.
• URL exclusion filters using regular expressions.
• Page exclusion filters based on content, using regular expressions.
• URL inclusion filters using regular expressions.
• Can be forced to only follow HTTPS paths and not downgrade to HTTP.
• Can optionally follow subdomains.
• Adjustable page count limit.
• Adjustable redirect limit.
• Adjustable directory depth limit.
• Adjustable DOM depth limit.
• Adjustment using URL-rewrite rules.
• Can read paths from multiple user supplied files (to both restrict and extend the scope).

• Can audit:
  • Forms
    • Can automatically refresh nonce tokens.
    • Can submit them via the integrated browser environment.
  • User-interface Forms
    • Input and button groups which don't belong to an HTML <form> element but are instead associated via JS code.
  • User-interface Inputs
    • Orphan <input> elements with associated DOM events.
  • Links
    • Can load them via the integrated browser environment.
  • LinkTemplates
    • Can load them via the integrated browser environment.
  • Cookies
    • Can load them via the integrated browser environment.
  • Headers
  • Generic client-side DOM elements.
  • JSON request data.
  • XML request data.
• Can ignore binary/non-text pages.
• Can audit elements using both GET and POST HTTP methods.
• Can inject both raw and HTTP encoded payloads.
• Can submit all links and forms of the page along with the cookie permutations to provide extensive cookie-audit coverage.
• Can exclude specific input vectors by name.
• Can include specific input vectors by name.

• Operating systems
  • BSD
  • Linux
  • Unix
  • Windows
  • Solaris
• Web servers
  • Apache
  • IIS
  • Nginx
  • Tomcat
  • Jetty
  • Gunicorn
• Programming languages
  • PHP
  • ASP
  • ASPX
  • Java
  • Python
  • Ruby
• Frameworks
  • Rack
  • CakePHP
  • Rails
  • Django
  • ASP.NET MVC
  • JSF
  • CherryPy
  • Nette
  • Symfony

• SQL injection (sql_injection) -- Error based detection.
  • Oracle
  • InterBase
  • PostgreSQL
  • MySQL
  • MSSQL
  • EMC
  • SQLite
  • DB2
  • Informix
  • Firebird
  • SaP Max DB
  • Sybase
  • Frontbase
  • Ingres
  • HSQLDB
  • MS Access
• Blind SQL injection using differential analysis (sql_injection_differential).
• Blind SQL injection using timing attacks (sql_injection_timing).
  • MySQL
  • PostgreSQL
  • MSSQL
• NoSQL injection (no_sql_injection) -- Error based vulnerability detection.
  • MongoDB
• Blind NoSQL injection using differential analysis (no_sql_injection_differential).
• CSRF detection (csrf).
• Code injection (code_injection).
  • PHP
  • Ruby
  • Python
  • Java
  • ASP
• Blind code injection using timing attacks (code_injection_timing).
  • PHP
  • Ruby
  • Python
  • Java
  • ASP
• LDAP injection (ldap_injection).
• Path traversal (path_traversal).
  • *nix
  • Windows
  • Java
• File inclusion (file_inclusion).
  • *nix
  • Windows
  • Java
  • PHP
  • Perl
• Response splitting (response_splitting).
• OS command injection (os_cmd_injection).
  • *nix
  • *BSD
  • IBM AIX
  • Windows
• Blind OS command injection using timing attacks (os_cmd_injection_timing).
  • Linux
  • *BSD
  • Solaris
  • Windows
• Remote file inclusion (rfi).
• Unvalidated redirects (unvalidated_redirect).
• Unvalidated DOM redirects (unvalidated_redirect_dom).
• XPath injection (xpath_injection).
  • Generic
  • PHP
  • Java
  • dotNET
  • libXML2
• XSS (xss).
• Path XSS (xss_path).
• XSS in event attributes of HTML elements (xss_event).
• XSS in HTML tags (xss_tag).
• XSS in script context (xss_script_context).
• DOM XSS (xss_dom).
• DOM XSS script context (xss_dom_script_context).
• Source code disclosure (source_code_disclosure)
• XML External Entity (xxe).
  • Linux
  • *BSD
  • Solaris
  • Windows

• Allowed HTTP methods (allowed_methods).
• Back-up files (backup_files).
• Backup directories (backup_directories)
• Common administration interfaces (common_admin_interfaces).
• Common directories (common_directories).
• Common files (common_files).
• HTTP PUT (http_put).
• Insufficient Transport Layer Protection for password forms (unencrypted_password_form).
• WebDAV detection (webdav).
• HTTP TRACE detection (xst).
• Credit Card number disclosure (credit_card).
• CVS/SVN user disclosure (cvs_svn_users).
• Private IP address disclosure (private_ip).
• Common backdoors (backdoors).
• .htaccess LIMIT misconfiguration (htaccess_limit).
• Interesting responses (interesting_responses).
• HTML object grepper (html_objects).
• E-mail address disclosure (emails).
• US Social Security Number disclosure (ssn).
• Forceful directory listing (directory_listing).
• Mixed Resource/Scripting (mixed_resource).
• Insecure cookies (insecure_cookies).
• HttpOnly cookies (http_only_cookies).
• Auto-complete for password form fields (password_autocomplete).
• Origin Spoof Access Restriction Bypass (origin_spoof_access_restriction_bypass)
• Form-based upload (form_upload)
• localstart.asp (localstart_asp)
• Cookie set for parent domain (cookie_set_for_parent_domain)
• Missing Strict-Transport-Security headers for HTTPS sites (hsts).
• Missing X-Frame-Options headers (x_frame_options).
• Insecure CORS policy (insecure_cors_policy).
• Insecure cross-domain policy (allow-access-from) (insecure_cross_domain_policy_access)
• Insecure cross-domain policy (allow-http-request-headers-from) (insecure_cross_domain_policy_headers)
• Insecure client-access policy (insecure_client_access_policy)

• Standard output
• HTML (zip) (html).
• XML (xml).
• Text (text).
• JSON (json)
• Marshal (marshal)
• YAML (yaml)
• AFR (afr)
  • The default Arachni Framework Report format.

• Passive Proxy (proxy) -- Analyzes requests and responses between the web app and the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
• Form based login (autologin).
• Script based login (login_script).
• Dictionary attacker for HTTP Auth (http_dicattack).
• Dictionary attacker for form based authentication (form_dicattack).
• Cookie collector (cookie_collector) -- Keeps track of cookies while establishing a timeline of changes.
• WAF (Web Application Firewall) Detector (waf_detector) -- Establishes a baseline of normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
• BeepNotify (beep_notify) -- Beeps when the scan finishes.
• EmailNotify (email_notify) -- Sends a notification (and optionally a report) over SMTP at the end of the scan.
• VectorFeed (vector_feed) -- Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis. Useful for unit-testing or a gazillion other things.
• Script (script) -- Loads and runs an external Ruby script under the scope of a plugin, used for debugging and general hackery.
• Uncommon headers (uncommon_headers) -- Logs uncommon headers.
• Content-types (content_types) -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files.
• Vector collector (vector_collector) -- Collects information about all seen input vectors which are within the scan scope.
• Headers collector (headers_collector) -- Collects response headers based on specified criteria.
• Exec (exec) -- Calls external executables at different scan stages.
• Metrics (metrics) -- Captures metrics about multiple aspects of the scan and the web application.
• Restrict to DOM state (restrict_to_dom_state) -- Restricts the audit to a single page's DOM state, based on a URL fragment.
• Webhook notify (webhook_notify) -- Sends a webhook payload over HTTP at the end of the scan.
• Rate limiter (rate_limiter) -- Rate limits HTTP requests.
• Page dump (page_dump) -- Dumps page data to disk as YAML.

• AutoThrottle (autothrottle) -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization.
• Healthmap (healthmap) -- Generates sitemap showing the health of each crawled/audited URL

• TimingAttacks (timing_attacks) -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with. It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
• Discovery (discovery) -- Performs anomaly detection on issues logged by discovery checks and warns of the possibility of false positives where applicable.
• Uniformity (uniformity) -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.

rake spec:core            # for the core libraries
rake spec:checks          # for the checks
rake spec:plugins         # for the plugins
rake spec:reports         # for the reports
rake spec:path_extractors # for the path extractors

• Fuzzes a parameter and builds a suitable payload
• Bruteforces paramteres with payloads
• Has an inbuilt crawler like functionality
• Can reverse engineer the rules of a WAF/Filter
• Detects and tries to bypass WAFs
• Both GET and POST support
• Most of the payloads are hand crafted
• Negligible number of false positives
• Opens the POC in a browser window

git clone https://github.com/UltimateHackers/XSStrike/

cd XSStrike

pip install -r requirements.txt

python xsstrike

• Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
• Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
• Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
• Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
• Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
• Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
• Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
• Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

• [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several
issues with installation and compatibility with the Windows 10 Creators
Update.

• [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]

• [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - ftp-syst sends SYST and STAT commands to FTP servers to get system
   version and connection information. [Daniel Miller]
   - [GH#916] http-vuln-cve2017-8917 checks for an SQL injection
   vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
   - iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
   Timorin, Daniel Miller]
   - [GH#915] openwebnet-discovery retrieves device identifying information
   and number of connected devices running on openwebnet protocol. [Rewanth
   Cool]
   - puppet-naivesigning checks for a misconfiguration in the Puppet CA
   where naive signing is enabled, allowing for any CSR to be automatically
   signed. [Wong Wai Tuck]
   - [GH#943] smb-protocols discovers if a server supports dialects NT LM
   0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
   smbv2-enabled script. [Paulino Calderon]
   - [GH#943] smb2-capabilities lists the supported capabilities of
   SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-time determines the current date and boot date of SMB2
   servers. [Paulino Calderon]
   - [GH#943] smb2-security-mode determines the message signing
   configuration of SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-vuln-uptime attempts to discover missing critical
   patches in Microsoft Windows systems based on the SMB2 server uptime.
   [Paulino Calderon]
   - ssh-auth-methods lists the authentication methods offered by an SSH
   server. [Devin Bjelland]
   - ssh-brute performs brute-forcing of SSH password credentials. [Devin
   Bjelland]
   - ssh-publickey-acceptance checks public or private keys to see if they
   could be used to log in to a target. A list of known-compromised key pairs
   is included and checked by default. [Devin Bjelland]
   - ssh-run uses user-provided credentials to run commands on targets via
   SSH. [Devin Bjelland]

• [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.

• [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect
(client) mode with --udp --ssl. Also added Application Layer Protocol
Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic,
Daniel Miller]

• Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

• [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas
Backup Exec Agent 15 or 16. [Andrew Orr]

• [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino
Calderon]

• [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]

• [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]

• [NSE][GH#936] Function url.escape no longer encodes so-called
"unreserved" characters, including hyphen, period, underscore, and tilde,
as per RFC 3986. [nnposter]

• [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]

• [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g.
"1.0". [nnposter]

• [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by
ldap.lua. [Tom Sellers]

• [NSE] Fix line endings in the list of Oracle SIDs used by
oracle-sid-brute. Carriage Return characters were being sent in the
connection packets, likely resulting in failure of the script. [Anant
Shrivastava]

• [NSE][GH#141] http-useragent-checker now checks for changes in HTTP
status (usually 403 Forbidden) in addition to redirects to indicate
forbidden User Agents. [Gyanendra Mishra]

Managing your assessments

Improving the Data Analysis tools

Executive Report clean up

Web UI

Changes:

• Improved Data analysis charts. Added more chart properties and data binding
• Improved target ordering in grouped reports 
• Fixed bug with new line character in reports DOCX 
• Adds alphabetical sort for Evidence in the Executive Report 
• Fix bug updating users with no roles 
• Fixed report creation with evidence names containing special chars
• Added Tasks Management to the Web UI
• Added the ability to select more than one target when creating a vuln in the Web UI 
• Merged PR #182 - problems with zonatransfer.me 
• Fixed bug in Download CSV of Status report with old versions of Firefox
• Fixed formula injection vulnerability in export to CSV feature 
• Fixed DOM-based XSS in the Top Services widget of the dashboard 
• Fix in AppScan plugin
  
  
• Fix HTML injection in Vulnerability template
• Add new plugin: Junit XML
  
  
• Improved pagination in new vuln modal of status report 
• Added “Policy Violations” field for Vulnerabilities

• it's a framework written in python [2.7] that is being made specially for blind attacking , ie : attacking random targets with common security issues , targets are generated by the hackers search engine "shodan" and vulnerable hosts are hacked in an automated way .
  
• this framework is completely "neutral" ie: it's not based on shodan API and it has total dependence on web scraping , ie: the only limit on what you can do with it is your immagination as a tester & our programming skills as contributers/owners .
  

• fire up a terminal and sudo apt-get update && apt-get upgrade && apt-get dist-upgrade
• install [ requests , httplib , urllib , time , bs4 "BeautifulSoup" , colored , selenium , sys ] python modules
• python BAF_0.1.0.py
• enter your shodan's account username and pass
• choose 1 , let it do it's job , press y , close the previous tab , press y ,close the previous tabs ...etc till u have the vulnerable cams only
• choose 2 , enter what do u want to search for (ie: NSA) , when it's done , refer to the targets text file , it will contain the targets ip:port
• that's all , till now :)
• DON'T close a loading webpage
• beta versions will make automated browser open for better understanding ,but you can close the webcam tabs freely

• Create email templates
• Create target lists
• Create landing pages
• Handle attachments
• Let you keep track in the Campaign dashboard
• Track email reads, landing page visits and attachment execution.
• Harvest credentials

• Display more graphs (we like graphs!)
• Provide a REST API
• Allow for multi-message campaigns (aka scenarios)
• Check browser plugins
• User training

• docker

# create container
docker run \
    -d \
    --name=mercure \
    -e SECRET_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 200 | head -n 1) \
    -e URL=https://mercure.example.com \
    -e EMAIL_HOST=mail.example.com \
    -e EMAIL_PORT=587 \
    -e EMAIL_HOST_USER=phishing@example.com \
    -e EMAIL_HOST_PASSWORD=P@SSWORD \
    synhackfr/mercure

# create super user
docker exec -it mercure python manage.py createsuperuser

• python3
• pip

git clone git@bitbucket.org:synhack/mercure.git && cd mercure
pip install -r requirements.txt
./manage.py makemigrations
./manage.py migrate
./manage.py collectstatic
./manage.py createsuperuser
./manage.py runserver

• Targets
• Email Templates
• Attachments and landing page
• Campaigns

1. First, add your targets
   
   You need to fill mercure name, the target email.Target first and last name are optional, but can be usefull to the landing page
   
2. Then, fill the email template.
   
   You need to fill the mercure name, the subject, the send and the email content. To improve the email quality, you have to fill the email content HTML and the text content. To get information about opened email, check "Add open email tracker" You can be helped with "Variables" category.
   Attachments and landing page are optionnal, we will see it after.
   
3. Finally, launch the campaign
   
   You need to fill the mercure name, select the email template and the target group. You can select the SMTP credentials, SSL using or URL minimazing
   
4. Optional, add landing page
   
   You need to fill the mercure name, the domain to use You can use "Import from URL" to copy an existing website.
   You have to fill the page content with text and HTML content by clicking to "Source"
   
5. Optional, add Attachment
   
   You need to fill the mercure name, the file name which appears in the email and the file You also have to check if the the file is buildable or not, if you need to compute a file for example.
   To execute the build , you need to create a zip archive which contain a build script (named 'generator.sh' and a buildable file

• hardware interfaces for common Software Defined Radios
• easy demodulation of signals
• assigning participants to keep overview of your data
• customizable decodings to crack even sophisticated encodings like CC1101 data whitening
• assign labels to reveal the logic of the protocol
• fuzzing component to find security leaks
• modulation support to inject the data back into the system

• Python 3.4+
• numpy / psutil / zmq
• PyQt5
• C++ Compiler

• librtlsdr (for native RTL-SDR device backend)
• libhackrf (for native HackRF device backend)
• libairspy (for native AirSPy device backend)
• liblimesdr (for native LimeSDR device backend)
• libuhd (for native USRP device backend)
• rfcat (for RfCat plugin to send e.g. with YardStick One)
• gnuradio / gnuradio-osmosdr (for GNU Radio device backends)

yaourt -S urh

• AirSpy: libairspy-dev
• HackRF: libhackrf-dev
• RTL-SDR: librtlsdr-dev
• USRP: libuhd-dev

sudo ln -s /usr/lib/x86_64-linux-gnu/libLimeSuite.so.17.02.2 /usr/lib/x86_64-linux-gnu/libLimeSuite.so

sudo apt-get update
sudo apt-get install python3-numpy python3-psutil python3-zmq python3-pyqt5 g++ libpython3-dev python3-pip
sudo pip3 install urh

emerge -av urh

dnf install urh

1. Install Python 3 for Windows.

• Make sure you tick the Add Python to PATH checkbox on first page in Python installer.
• Choose a 64 Bit Python version for native device support.

2. In a terminal, type: pip install urh.
3. Type urh in a terminal or search for urh in search bar to start the application.

1. Install Python 3 for Mac OS X. If you experience issues with preinstalled Python, make sure you update to a recent version using the given link.
2. (Optional) Install desired native libs e.g. brew install librtlsdr for corresponding native device support.
3. In a terminal, type: pip3 install urh.
4. Type urh in a terminal to get it started.

pip3 install --upgrade urh

python3 -m pip install --upgrade urh

git clone https://github.com/jopohl/urh/
cd urh/src/urh
./main.py

git clone https://github.com/jopohl/urh/
cd urh
python setup.py install

You can install whichever tool(s) you want from within lscript! 
Fluxion    by Deltaxflux
WifiTe    by derv82
Wifiphisher   by Dan McInerney
Zatacker   by LawrenceThePentester
Morpheus   by Pedro ubuntu  [ r00t-3xp10it ]
Osrframework   by i3visio
Hakku    by 4shadoww
Trity    by Toxic-ig
Cupp    by Muris Kurgas
Dracnmap   by Edo -maland-
Fern Wifi Cracker  by Savio-code
Kichthemout   by Nikolaos Kamarinakis & David SchĂźtz
BeeLogger   by Alisson Moretto - 4w4k3
Ghost-Phisher   by Savio-code
Mdk3-master                     by Musket Developer
Anonsurf                        by Und3rf10w
The Eye                         by EgeBalci
Airgeddon                       by v1s1t0r1sh3r3
Xerxes                          by zanyarjamal
Ezsploit                        by rand0m1ze
Katana framework                by PowerScript
4nonimizer                      by Hackplayers
Sslstrip2                       by LeonardoNve
Dns2proxy                       by LeonardoNve
Pupy                            by n1nj4sec
Zirikatu                        by pasahitz
TheFatRat                       by Sceetsec
Angry IP Scanner                by Anton Keks
Sniper                          by 1N3
ReconDog                        by UltimateHackers
RED HAWK                        by Tuhinshubhra
Routersploit                    by Reverse shell
CHAOS                           by Tiagorlampert
Winpayloads                     by Ncc group 

Handshake       (WPA-WPA2)
Find WPS pin    (WPA-WPA2)
WEP hacking     (WEP)    

Email spoofing
Metasploit automation (create payloads,listeners,save listeners for later etc...)
Auto eternalblue exploiting (check on ks) -> hidden shortcuts

cd
git clone https://github.com/arismelachroinos/lscript.git
cd lscript
chmod +x install.sh
./install.sh

open terminal
type  "l"
press enter

cd /root/lscript
./uninstall.sh
rmdir -r /root/lscript 

Run the script
Type "update"

1. The input box in the top right, where you can paste, type or drag the data you want to operate on.
2. The output box in the bottom right, where the outcome of your processing will be displayed.
3. The operations list on the far left, where you can find all the operations that CyberChef is capable of in categorised lists, or by searching.
4. The recipe area in the middle, where you can drag the operations that you want to use and specify arguments and options.

• Decode a Base64-encoded string
• Convert a date and time to a different time zone
• Parse a Teredo IPv6 address
• Convert data from a hexdump, then decompress
• Display multiple timestamps as full dates
• Carry out different operations on data of different types

• Drag and drop
  • Operations can be dragged in and out of the recipe list, or reorganised.
  • Files can be dragged over the input box to load them directly.
• Auto Bake
  • Whenever you modify the input or the recipe, CyberChef will automatically “bake” for you and produce the output immediately.
  • This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
  • If any bake takes longer than 200 milliseconds, auto bake will be switched off automatically to prevent further performance issues.
• Breakpoints
  • You can set breakpoints on any operation in your recipe to pause execution before running it.
  • You can also step through the recipe one operation at a time to see what the data looks like at each stage.
• Save and load recipes
  • If you come up with an awesome recipe that you know you’ll want to use again, just click save and add it to your local storage. It'll be waiting for you next time you visit CyberChef.
  • You can also copy a URL which includes your recipe and input which can be shared with others.
• Search
  • If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
• Highlighting
  • When you highlight text in the input or output, the offset and length values will be displayed and, if possible, the corresponding data will be highlighted in the output or input respectively (example: highlight the word 'question' in the input to see where it appears in the output).
• Save to file and load from file
  • You can save the output to a file at any time or load a file by dragging and dropping it into the input field (note that files larger than about 500kb may cause your browser to hang or even crash due to the way that browsers handle large amounts of textual data).
• CyberChef is entirely client-side
  • It should be noted that none of your input or recipe configuration is ever sent to the CyberChef web server - all processing is carried out within your browser, on your own computer.
  • Due to this feature, CyberChef can be compiled into a single HTML file. You can download this file and drop it into a virtual machine, share it with other people, or use it independently on your desktop.

• Google Chrome 40+
• Mozilla Firefox 35+
• Microsoft Edge 14+