Reconnoitre - A Security Tool For Multithreaded Information Gathering And Service Enumeration

A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst also creating a directory structure of results for each host, recommended commands to execute and directory structures for storing loot and flags.

Usage
This tool can be used and copied for personal use freely however attribution and credit should be offered to Mike Czumak who originally started the process of automating this work.

Argument	Description
-h, --help	Display help message and exit
-t TARGET_HOSTS	Set either a target range of addresses or a single host to target. May also be a file containing hosts.
-o OUTPUT_DIRECTORY	Set the target directory where results should be written.
-w WORDLIST	Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks.
--dns DNS_SERVER	Optionally specify a DNS server to use with a service scan.
--pingsweep	Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts.
--dnssweep	Find DNS servers from the list of target(s).
--snmpsweep	Find hosts responding to SNMP requests from the list of target(s).
--services	Perform a service scan over the target(s) and write recommendations for further commands to execute.
--snmpwalk	SNMP walk target hosts and save results.
--hostnames	Attempt to discover target hostnames and write to hostnames.txt.
--quiet	Supress banner and headers and limit feedback to grepable results.
--execute	Execute shell commands from recommendations as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors.
--simple_exec	Execute non-brute forcing shell comamnds only commands as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors.
--quick	Move to the next target after performing a quick scan and writing first-round recommendations.

Usage Examples
Note that these are some examples to give you insight into potential use cases for this tool. Command lines can be added or removed based on what you wish to acomplish with your scan.

Scan a single host, create a file structure and discover services

python ./reconnoitre.py -t 192.168.1.5 -o /root/Documents/labs/ --services

An example output would look like:

root@kali:~/Documents/tools/reconnoitre/reconnoitre# python ./reconnoitre.py -t 192.168.1.5 --services -o /root/Documents/labs/
  __
|"""\-=  RECONNOITRE
(____)      An OSCP scanner

[#] Performing service scans
[*] Loaded single target: 192.168.1.5
[+] Creating directory structure for 192.168.1.5
   [>] Creating scans directory at: /root/Documents/labs/192.168.1.5/scans
   [>] Creating exploit directory at: /root/Documents/labs/192.168.1.5/exploit
   [>] Creating loot directory at: /root/Documents/labs/192.168.1.5/loot
   [>] Creating proof file at: /root/Documents/labs/192.168.1.5/proof.txt
[+] Starting quick nmap scan for 192.168.1.5
[+] Writing findings for 192.168.1.5
   [>] Found HTTP service on 192.168.1.5:80
   [>] Found MS SMB service on 192.168.1.5:445
   [>] Found RDP service on 192.168.1.5:3389
[*] TCP quick scan completed for 192.168.1.5
[+] Starting detailed TCP/UDP nmap scans for 192.168.1.5
[+] Writing findings for 192.168.1.5
   [>] Found MS SMB service on 192.168.1.5:445
   [>] Found RDP service on 192.168.1.5:3389
   [>] Found HTTP service on 192.168.1.5:80
[*] TCP/UDP Nmap scans completed for 192.168.1.5

Which would also write the following recommendations file in the scans folder for each target:

[*] Found HTTP service on 192.168.1.50:80
   [>] Use nikto & dirb / dirbuster for service enumeration, e.g
      [=] nikto -h 192.168.1.50 -p 80 > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_nikto.txt
      [=] dirb http://192.168.1.50:80/ -o /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirb.txt -r -S -x ./dirb-extensions/php.ext
      [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirbuster.txt -u http://192.168.1.50:80/
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://192.168.1.50:80/ -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_common.txt -t 50 
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u http://192.168.1.50:80/ -s '200,204,301,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_cgis.txt -t 50 
   [>] Use curl to retreive web headers and find host information, e.g
      [=] curl -i 192.168.1.50
      [=] curl -i 192.168.1.50/robots.txt -s | html2text
[*] Found MS SMB service on 192.168.1.5:445
   [>] Use nmap scripts or enum4linux for further enumeration, e.g
      [=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/192.168.1.5/nmap/192.168.1.5_smb.nmap' -oX '/root/Documents/labs/192.168.1.5/scans/192.168.1.5_smb_nmap_scan_import.xml' 192.168.1.5
      [=] enum4linux 192.168.1.5
[*] Found RDP service on 192.168.1.5:3389
   [>] Use ncrackpassword cracking, e.g
      [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://192.168.1.5

Discover live hosts and hostnames within a range

python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --hostnames

Discover live hosts within a range and then do a quick probe for services

python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services --quick

This will scan all services within a target range to create a file structure of live hosts as well as write recommendations for other commands to be executed based on the services discovered on these machines. Removing --quick will do a further probe but will greatly lengthen execution times.

Discover live hosts within a range and then do probe all ports (UDP and TCP) for services

python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services

Download Reconnoitre

Read More

Ad-LDAP-Enum - Active Directory LDAP Enumerator

ad-ldap-enum is a Python script that was developed to discover users and their group memberships from Active Directory. In large Active Directory environments, tools such as NBTEnum were not performing fast enough. By executing LDAP queries against a domain controller, ad-ldap-enum is able to target specific Active Directory attributes and build out group membership quickly.

ad-ldap-enum outputs three tab delimited files 'Domain Group Membership.tsv', 'Extended Domain User Information.tsv', and 'Extended Domain Computer Information.tsv'. The first file contains users, computers, groups, and their memberships. The second file contains users and extra information about the users from Active Directory (e.g. a user's home folder or email address). The third file contains devices in the Domain Computers group and extra information about them from Active Directory (e.g. operating system type and service pack version).

ad-ldap-enum supports both authenticated and unauthenticated LDAP connections. Additionally, ad-ldap-enum can process nested groups and display a user's actual group membership.

Requirements
The package python-ldap is required for the script to execute. This can be installed with the following command:

pip install python-ldap

Usage

ad-ldap-enum.py [-h] -l LDAP_SERVER -d DOMAIN [-a ALT_DOMAIN] [-e] [-n] [-u USERNAME] [-p PASSWORD] [-v]

Active Directory LDAP Enumerator

optional arguments:
  -h, --help                                        show this help message and exit
  -v, --verbose                                     Display debugging information.
  -o FILENAME_PREPEND, --prepend FILENAME_PREPEND   Prepend a string to all output file names.

Server Parameters:
  -l LDAP_SERVER, --server LDAP_SERVER              IP address of the LDAP server.
  -d DOMAIN, --domain DOMAIN                        Authentication account's FQDN. If an alternative domain is not specified this will be also used as the Base DN for searching LDAP.
  -a ALT_DOMAIN, --alt-domain ALT_DOMAIN            Alternative FQDN to use as the Base DN for searching LDAP.
  -e, --nested                                      Expand nested groups.

Authentication Parameters:
  -n, --null                                        Use a null binding to authenticate to LDAP.
  -u USERNAME, --username USERNAME                  Authentication account's username.
  -p PASSWORD, --password PASSWORD                  Authentication account's password.

Example
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd

Assorted Links

• Membership Ranges in Active Directory
• Active Directory Paging

Download Ad-LDAP-Enum

Read More

droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMSs (Drupal, Silverstripe & Wordpress)

A plugin-based scanner that aids security researchers in identifying issues with several CMS:

• Drupal.
• SilverStripe.
• Wordpress.

Partial functionality for:

• Joomla (version enumeration and interesting URLs only).
• Moodle (identification doesn't work yet. You need to force 'scan moodle')

computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - https://www.example.org/CHANGELOG.txt
    Default admin - https://www.example.org/user/login

[+] Possible version(s):
    7.34

[+] Plugins found:
    views https://www.example.org/sites/all/modules/views/
        https://www.example.org/sites/all/modules/views/README.txt
        https://www.example.org/sites/all/modules/views/LICENSE.txt
    token https://www.example.org/sites/all/modules/token/
        https://www.example.org/sites/all/modules/token/README.txt
        https://www.example.org/sites/all/modules/token/LICENSE.txt
    pathauto https://www.example.org/sites/all/modules/pathauto/
        https://www.example.org/sites/all/modules/pathauto/README.txt
        https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
        https://www.example.org/sites/all/modules/pathauto/API.txt
    libraries https://www.example.org/sites/all/modules/libraries/
        https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
        https://www.example.org/sites/all/modules/libraries/README.txt
        https://www.example.org/sites/all/modules/libraries/LICENSE.txt
    entity https://www.example.org/sites/all/modules/entity/
        https://www.example.org/sites/all/modules/entity/README.txt
        https://www.example.org/sites/all/modules/entity/LICENSE.txt
    google_analytics https://www.example.org/sites/all/modules/google_analytics/
        https://www.example.org/sites/all/modules/google_analytics/README.txt
        https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
    ctools https://www.example.org/sites/all/modules/ctools/
        https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
        https://www.example.org/sites/all/modules/ctools/LICENSE.txt
        https://www.example.org/sites/all/modules/ctools/API.txt
    features https://www.example.org/sites/all/modules/features/
        https://www.example.org/sites/all/modules/features/CHANGELOG.txt
        https://www.example.org/sites/all/modules/features/README.txt
        https://www.example.org/sites/all/modules/features/LICENSE.txt
        https://www.example.org/sites/all/modules/features/API.txt
    [... snip for README ...]

[+] Scan finished (0:04:59.502427 elapsed)

You can get a full list of options by running:

droopescan --help
droopescan scan --help

Why not X?
Because droopescan:

• is fast
• is stable
• is up to date
• allows simultaneous scanning of multiple sites
• is 100% python

Installation
Installation is easy using pip:

apt-get install python-pip
pip install droopescan

Manual installation is as follows:

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help

The master branch corresponds to the latest release (what is in pypi). Development branch is unstable and all pull requests must be made against it. More notes regarding installation can be found here .

Features

Scan types.
Droopescan aims to be the most accurate by default, while not overloading the target server due to excessive concurrent requests. Due to this, by default, a large number of requests will be made with four threads; change these settings by using the --number and --threads arguments respectively.
This tool is able to perform four kinds of tests. By default all tests are ran, but you can specify one of the following with the -e or --enumerate flag:

• p -- Plugin checks : Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
• t -- Theme checks : As above, but for themes.
• v -- Version checks : Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
• i -- Interesting url checks : Checks for interesting urls (admin panels, readme files, etc.)

More notes regarding scanning can be found here .

Target specification.
You can specify a particular host to scan by passing the -u or --url parameter:

    droopescan scan drupal -u example.org

You can also omit the drupal argument. This will trigger “CMS identification”, like so:

    droopescan scan -u example.org

Multiple URLs may be scanned utilising the -U or --url-file parameter. This parameter should be set to the path of a file which contains a list of URLs.

    droopescan scan drupal -U list_of_urls.txt

The drupal parameter may also be ommited in this example. For each site, it will make several GET requests in order to perform CMS identification, and if the site is deemed to be a supported CMS, it is scanned and added to the output list. This can be useful, for example, to run droopescan across all your organisation's sites.

    droopescan scan -U list_of_urls.txt

The code block below contains an example list of URLs, one per line:

http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/

A file containing URLs and a value to override the default host header with separated by tabs or spaces is also OK for URL files. This can be handy when conducting a scan through a large range of hosts and you want to prevent unnecessary DNS queries. To clarify, an example below:

192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/  example.org

It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for wordpress), but the official sites rarely run vainilla installations of their respective CMS or do unorthodox things. For example, wordpress.org runs the bleeding edge version of wordpress, which will not be identified as wordpress by droopescan at all because the checksums do not match any known wordpress version.

Authentication.
The application fully supports .netrc files and http_proxy environment variables.
Use a .netrc file for basic authentication. An example netrc (a file named .netrc placed in your root home directory) file could look as follows:

machine secret.google.com
    login admin@google.com
    password Winter01

You can set the http_proxy and https_proxy variables. These allow you to set a parent HTTP proxy, in which you can handle more complex types of authentication (e.g. Fiddler, ZAP, Burp)

export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal

WARNING: By design, to allow intercepting proxies and the testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates. ˙ ͜ʟ˙

Output.
This application supports both "standard output", meant for human consumption, or JSON, which is more suitable for machine consumption. This output is stable between major versions.
This can be controlled with the --output flag. Some sample JSON output would look as follows (minus the excessive whitespace):

{
  "themes": {
    "is_empty": true,
    "finds": [

    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

Some attributes might be missing from the JSON object if parts of the scan are not ran.
This is how multi-site output looks like; each line contains a valid JSON object as shown above.

    $ droopescan scan drupal -U six_and_above.txt -e v
    {"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
    {"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
    {"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
    {"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
    {"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
    {"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
    {"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
    {"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
    {"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
    {"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
    {"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
    {"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
    {"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
    {"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
    {"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
    {"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
    {"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
    {"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
    {"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
    {"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
    {"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
    {"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
    {"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
    {"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
    {"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
    {"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
    {"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
    {"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
    {"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}

Debug.
When things are not going exactly your way, you can check why by using the --debug-requests command.
Some output might look like this:

computer:~/droopescan# droopescan scan silverstripe -u http://localhost -n 10 -e p --debug-requests
[head] http://localhost/framework/... 403
[head] http://localhost/cms/css/layout.css... 404
[head] http://localhost/framework/css/UploadField.css... 200
[head] http://localhost/misc/test/error/404/ispresent.html... 404
[head] http://localhost/widgetextensions/... 404
[head] http://localhost/orbit/... 404
[head] http://localhost/sitemap/... 404
[head] http://localhost/simplestspam/... 404
[head] http://localhost/ecommerce_modifier_example/... 404
[head] http://localhost/silverstripe-hashpath/... 404
[head] http://localhost/timeline/... 404
[head] http://localhost/silverstripe-hiddenfields/... 404
[head] http://localhost/addressable/... 404
[head] http://localhost/silverstripe-description/... 404
[+] No plugins found.

[+] Scan finished (0:00:00.058422 elapsed)

The --debug paramter also exists and may be used to debug application internals.

Stats.
You can get an up to date report on the capabilities of the scanner by running the following command

    droopescan stats

Some sample output might look as follows:

Functionality available for ‘drupal’:
- Enumerate plugins (XXXX plugins.)
- Enumerate themes (XXXX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X-alphaXX, X.XX, X.XX.)
Functionality available for ‘joomla’:
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version XX.X, X.X.X, X.X.XX.rcX.)
Functionality available for ‘wordpress’:
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X, X.X.X, X.X.X.)
Functionality available for ‘silverstripe’:
- Enumerate plugins (XXX plugins.)
- Enumerate themes (XX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.XX, X.X.XX, X.X.XX.)

It is important to verify that the latest version available for the CMS installation is available within droopescan , as otherwise results may be inaccurate.

Contribute.

Create your own plugin.
You can add suport for your favourite CMS. The process is actually quite simple, and a lot of information can be glimpsed by viewing the example.py file in the plugins/ folder.
This file should serve well as a base for your implementation.
You can create your own plugin for Joomla and enable it as follows:

$ cp plugins/example.py plugins/joomla.py
$ cp plugins.d/example.conf plugins.d/joomla.conf

You then need to go to plugins/joomla.py and change a few things:

• The class name needs to be Joomla.
• The plugin label (located at Meta.label) needs to be changed to joomla.
• At the end of the file, the register call needs to be modified to reflect the correct class name.
• The exposed function, 'example', needs to be renamed to joomla.

    @controller.expose(help='example scanner')
    def joomla(self):
        self.plugin_init()

We also need to change the plugins.d/joomla.conf file, and change it to the following:

[joomla]
enable_plugin = true

We should now be in a state which looks as follows:

$ droopescan scan joomla
[+] --url parameter is required.

Your next step would be to generate a valid plugin wordlist, a valid theme wordlist, a versions.xml file, and optionally a list of interesting URLs, as well as replace all variables that are in joomla.py with values that are correct for your implementation.
The plugin needs to update automatically in order for a pull request to be accepted. Further documentation may be later made available, but for now, keep in mind that the update_version_check, update_version, update_plugins_check and update_plugins need to be implemented. For reference, please review the drupal.py file. This is required in order to ensure plugins are kept to date.

Issues & Pull Requests.
Pull requests that create new plugins are welcome provided that maintenance for those plugins is done automatically.
Please remember to make your pull requests against the develoment branch rather than the master. Issues can be raised on the issue tracker here on GitHub.
To run tests, some dependencies must be installed. Running the following commands will result in them being installed and the tests being ran:

    apt-get install libxslt1-dev libxml2-dev zlib1g-dev python python-pip python-dev python3 python3-pip python3-dev
    pip install -r requirements.txt -r requirements_test.txt
    pip3 install -r requirements.txt -r requirements_test.txt
    ./droopescan test

You can run individual tests with the -s flag.

./droopescan test -s test_integration_drupal

Download droopescan

Read More

SPARTA - Network Infrastructure Penetration Testing Tool

SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results. Despite the automation capabilities, the commands and tools used are fully customisable as each tester has his own methods, habits and preferences.

Requirements
It is recommended that Kali Linux is used as it already has most tools installed, however SPARTA would most likely also work in Debian based systems.
Kali (preferred):

apt-get install python-elixir

Ubuntu 12.04+ (untested)

apt-get install python-elixir python-qt4 xsltproc

Other than these, the following tools are required for SPARTA to have its minimum functionality:

• nmap (for adding hosts)
• hydra (for the brute tab)
• cutycapt (for screenshots)

In Kali Linux these can be installed with:

apt-get install nmap hydra cutycapt

In Kali, to ensure that you have all the tools used by SPARTA's default configuration use:

apt-get install ldap-utils rwho rsh-client x11-apps finger

Installation

cd /usr/share/
git clone https://github.com/secforce/sparta.git

Place the "sparta" file in /usr/bin/ and make it executable.
Type 'sparta' in any terminal to launch the application.

Source code
The source code is structured in folders as such:

• [app] - Contains the functionality (logic) as well as the models used by both the logic and gui
• [controller] - The controller interfaces between the gui and the logic (MVC design)
• [db] - Contains everything related to database, database tables, etc
• [doc] - Contains all SPARTA documentation
• [images] - Icons and images
• [parsers] - Contains nmap xml output parser files
• [scripts] - Contains custom scripts used by SPARTA
• [ui] - Contains the gui (.ui and .py generated by Qt Creator). Do not manually edit these.
• [wordlists] - Contains wordlists used by SPARTA
• README.txt - This file.
• sparta.conf - SPARTA's configuration file. Edit it to add custom tools and commands. If deleted, SPARTA will regenerate a new one.
• sparta.py - The main program. The one that needs to be executed by the user.

Demos

Known issues
SPARTA uses a third-party tool called Cutycapt to take screenshots. One of the problems with the version that is currently in Kali's repositories is that it fails to take screenshots of HTTPS pages when self-signed certificates are in use. A way around this is to compile the Cutycapt executable yourself and edit SPARTA's configuration file to specify the path to the compiled executable.
It can be compiled in Kali by following these instructions:

% sudo apt-get install subversion libqt4-webkit libqt4-dev g++
% svn co svn://svn.code.sf.net/p/cutycapt/code/ cutycapt
% cd cutycapt/CutyCapt
% qmake
% make
% ./CutyCapt --url=http://www.example.org --out=example.png

Download SPARTA

Read More

LinEnum - Local Linux Enumeration & Privilege Escalation Checks

LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.

After the scan has completed (please be aware that it make take some time) you’ll be presented with (possibly quite extensive) output, to which any key findings will be highlighted in yellow with everything else documented under the relevant headings.

Below is a high-level summary of the checks/tasks performed by LinEnum:

• Kernel and distribution release details
• System Information:
  • Hostname
  • Networking details:
    • Current IP
    • Default route details
    • DNS server information
• User Information:
  • Current user details
  • Last logged on users
  • Llist all users including uid/gid information
  • List root accounts
  • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
  • Attempt to read restricted files i.e. /etc/shadow
  • List current users history files (i.e .bash_history, .nano_history etc.)
• Privileged access:
  • Determine if /etc/sudoers is accessible
  • Determine if the current user has Sudo access without a password
  • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
  • Is root’s home directory accessible
  • List permissions for /home/
• Environmental:
  • Display current $PATH
• Jobs/Tasks:
  • List all cron jobs
  • Locate all world-writable cron jobs
  • Locate cron jobs owned by other users of the system
• Services:
  • List network connections (TCP & UDP)
  • List running processes
  • Lookup and list process binaries and associated permissions
  • List inetd.conf/xined.conf contents and associated binary file permissions
  • List init.d binary permissions
• Version Information (of the following):
  • Sudo
  • MYSQL
  • Postgres
  • Apache
• Default/Weak Credentials:
  • Checks for default/weak Postgres accounts
  • Checks for default root/root access to local MYSQL services
• Searches:
  • Locate all SUID/GUID files
  • Locate all world-writable SUID/GUID files
  • Locate all SUID/GUID files owned by root
  • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
  • List all world-writable files
  • Find/list all accessible *.plan files and display contents
  • Find/list all accesible *.rhosts files and display contents
  • Show NFS server details
  • Locate *.conf and *.log files containing keyword supplied at script runtime
  • List all *.conf files located in /etc
  • Locate mail

Some of the above commands are privileged/and or the related task may be nonexistent and will therefore most likely fail. The user shouldn’t be alerted to failed results, just the output from successful commands should be displayed.

Download LinEnum

Read More

Host-Extract - Enumerate All IP/Host Patterns In A Web Page

This little ruby script tries to extract all IP/Host patterns in page response of a given URL and JavaScript/CSS files of that URL.

With it, you can quickly identify internal IPs/Hostnames, development IPs/ports, cdn, load balancers, additional attack entries related to your target that are revealed in inline js, css, html comment areas and js/css files.

This is unlike web crawler which looks for new links only in anchor tags (<a) or the like.

(you might miss many additional targets if you ever use such web crawler or other GUI-based tools that shows you your main target and its relationship with its linked sub/off-site domains)

In some cases, host-extract may give you false positives when there are some words like - main-site_ver_10.2.1.3.swf.

With -v option, you can ask the tool to output html view-source snippets for each IP/Domain extracted. This will shorten your manual analysis time.

USAGE:

ruby host-extract.rb URL [option]

Usage: host-extract [options]
        -a               find all ip/host patterns
        -j               scan all js files
        -c               scan all css files
        -v               append view-source html snippet for manual verification

Download Host-Extract

Read More

[DNSRecon v0.8.6] DNS Enumeration Script

Just updated DNSRecon to check if it can pull the Bind Version by doing a query for the TXT Record version.bind and it will now check if the RA Flag is set in responses from each of the NS servers it detects. If the server has recursion enabled it could be used for DDoS attacks and for performing Cache Snooping.

Example of a run where it is able to pull the Bind Version:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]SOA ns16.zoneedit.com 69.64.68.41
[*]NS ns12.zoneedit.com 209.62.64.46
[*]Bind Version for 209.62.64.46 8.4.X
[*]NS ns16.zoneedit.com 69.64.68.41
[*]Bind Version for 69.64.68.41 8.4.X
[*]MX ASPMX2.GOOGLEMAIL.COM 173.194.75.27
[*]MX ASPMX3.GOOGLEMAIL.COM 173.194.66.27
[*]MX ASPMX4.GOOGLEMAIL.COM 173.194.65.26
[*]MX ASPMX5.GOOGLEMAIL.COM 173.194.70.26
[*]MX ASPMX.L.GOOGLE.COM 74.125.140.27
[*]MX ALT1.ASPMX.L.GOOGLE.COM 173.194.75.26
[*]MX ALT2.ASPMX.L.GOOGLE.COM 173.194.66.27
[*]MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]A zonetransfer.me 217.147.180.162
[*]TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*]TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.180.162 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The information on version and recursion are also saved in the XML as you can see:

infidel02:dnsrecon carlos$ cat zt.xml

<?xml version="1.0" ?> <records> <record address="69.64.68.41" mname="ns16.zoneedit.com" type="SOA"/> <record Recursive="False" Version="8.4.X" address="209.62.64.46" target="ns12.zoneedit.com" type="NS"/> <record Recursive="False" Version="8.4.X" address="69.64.68.41" target="ns16.zoneedit.com" type="NS"/> <record address="173.194.75.27" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.66.27" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.65.26" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.70.26" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/> <record address="74.125.140.27" exchange="ASPMX.L.GOOGLE.COM" type="MX"/> <record address="173.194.75.26" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="173.194.66.27" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/> <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="217.147.180.162" name="zonetransfer.me" type="A"/> <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" type="TXT"/> <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/> <record address="217.147.180.162" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/> <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/> <domain domain_name="zonetransfer.me"/> </records>

Here is an example where recursion is enabled, you will see that the message is shown differently since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n 192.168.1.80
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*] NSEC KSk RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC KSk RSASHA256 ...
[*]SOA labns1.acmelab.com 192.168.1.80
[*]NS labns1.acmelab.com 192.168.1.80
[-]Recursion enabled on NS Server 192.168.1.80
[*]MX mail1.acmelab.com 192.168.1.4
[*]A acmelab.com 192.168.1.2
[*]TXT acmelab.com v=spf1 192.168.1.0/24
[*]TXT _domainkey.acmelab.com o=~; r=postmaster@acmelab.com
[*] Enumerating SRV Records
[*]SRV _finger._tcp.acmelab.com web1.acmelab.com 192.168.1.2 79 0
[*]SRV _http._tcp.acmelab.com web2.acmelab.com 192.168.1.3 80 0
[*]SRV _http._tcp.acmelab.com web1.acmelab.com 192.168.1.2 80 0
[*]SRV _sip._tls.acmelab.com chat.acmelab.com 192.168.1.5 443 0
[*]SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 192.168.1.5 5061 0
[*]SRV _https._tcp.acmelab.com web1.acmelab.com 192.168.1.2 443 0
[*]SRV _https._tcp.acmelab.com web2.acmelab.com 192.168.1.3 443 0
[*] 7 Records Found

Download DNSRecon v0.8.6

Read More

[Pinpoint] Enumerates WebPage Components to help identify the Infected Files

Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too (some Javascript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows the links and in which file the link resided in. It will also download the file and calculate the “entropy”; the higher the value, the more rubbish characters it found which may help identify obfuscated Javascript.

You can of course spoof the user-agent string and referer values to ilicit a malicious response from the website. There’s also a function to clear your cookies (see Options menu item) since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address since it’ll get banned usually after the first visit.

Download Pinpoint

Read More

[Kacak] Enumerate Users in Subnets

Kacak is a tool that can enumerate users specified in the configuration file for windows based networks. It uses metasploit smb_enumusers_domain module in order to achieve this via msfrpcd service. If you are wondering what the msfrpcd service is, please look at the https://github.com/rapid7/metasploit-framework/blob/master/documentation/msfrpc.txt . It also parse mimikatz results.

Download KACAK

Read More

[ipset_list] ipset set listing wrapper script

Features:

• Calculate sum of set members (and match on that count).
• List only members of a specified set.
• Choose a delimiter character for separating members.
• Show only sets containing a specific (glob matching) header.
• Arithmetic comparison on headers with an integer value.
• Match members using a globbing or regex pattern.
• Suppress listing of (glob matching) sets.
• Suppress listing of (glob matching) headers.
• Suppress listing of members matching a glob or regex pattern.
• Suppress listing of members options.
• Calculate the total size in memory of all matching sets.
• Calculate the amount of matching, excluded and traversed sets.
• Colorize the output.
• Operate on a single, selected, or all sets.
• Programmable completion is included to make usage easier and faster.

Download ipset_list

Read More

[LinEnum] Scripted Local Linux Enumeration & Privilege Escalation Checks

High-level summary of the checks/tasks performed by LinEnum:

• Kernel and distribution release details
• System Information:
  • Hostname
  • Networking details:
  • Current IP
  • Default route details
  • DNS server information
• User Information:
  • Current user details
  • Last logged on users
  • List all users including uid/gid information
  • List root accounts
  • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
  • Attempt to read restricted files i.e. /etc/shadow
  • List current users history files (i.e .bash_history, .nano_history etc.)
• Privileged access:
  • Determine if /etc/sudoers is accessible
  • Determine if the current user has Sudo access without a password
  • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
  • Is root’s home directory accessible
  • List permissions for /home/
• Environmental:
  • Display current $PATH
• Jobs/Tasks:
  • List all cron jobs
  • Locate all world-writable cron jobs
  • Locate cron jobs owned by other users of the system
• Services:
  • List network connections (TCP & UDP)
  • List running processes
  • Lookup and list process binaries and associated permissions
  • List inetd.conf/xined.conf contents and associated binary file permissions
  • List init.d binary permissions
• Version Information (of the following):
  • Sudo
  • MYSQL
  • Postgres
  • Apache
• Default/Weak Credentials:
  • Checks for default/weak Postgres accounts
  • Checks for default root/root access to local MYSQL services
• Searches:
• Locate all SUID/GUID files
• Locate all world-writable SUID/GUID files
• Locate all SUID/GUID files owned by root
• Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
• List all world-writable files
• Find/list all accessible *.plan files and display contents
• Find/list all accesible *.rhosts files and display contents
• Show NFS server details
• Locate *.conf and *.log files containing keyword supplied at script runtime
• List all *.conf files located in /etc
• Locate mail

Download LinEnum

Read More