
Showing posts with label Open Source.

Whitewidow - SQL Vulnerability Scanner

Whitewidow is an open source automated SQL vulnerability scanner that can run through a file list or scrape Google for potentially vulnerable websites. It offers automatic file formatting, random user agents, IP addresses, server information, multiple SQL injection syntaxes, the ability to launch sqlmap from the program, and a fun environment. This program was created for learning purposes and is intended to teach users what a vulnerability looks like.

Screenshots
Launching whitewidow displays the custom designed banner and begins searching for sites that could be vulnerable.


Whitewidow finds vulnerabilities in websites by scraping Google using over 1,000 different queries that are carefully researched before being added. It also uses several different SQL injection approaches.




Whitewidow can also spider a single webpage for all available links; it then searches all of those links for vulnerabilities using the program's built-in file feature.


And when all is said and done, and you're sure that you've found some vulnerable sites, you can launch sqlmap from the program without needing to download another clone.


Basic Usage
ruby whitewidow.rb -d
    Runs whitewidow in default mode and scrapes Google for possible sites using a random search query.
ruby whitewidow.rb -f path/to/file
    Runs whitewidow through the given file and adds the SQL syntax to each URL.
ruby whitewidow.rb -h
    Runs the help flag and shows the help menu.
For more information about usage and the remaining flags, check out the wiki functionality page here.

Dependencies
  • gem 'mechanize'
  • gem 'nokogiri'
  • gem 'rest-client'
  • gem 'webmock'
  • gem 'rspec'
  • gem 'vcr'
To install all gem dependencies, run the following from the repository directory:
cd whitewidow
bundle install
This should install all gems needed, and will allow you to run the program without trouble.


Pybelt - The Hacker's Tool Belt

Pybelt is an open source hacker's tool belt complete with:
  • A port scanner
  • SQL injection scanner
  • Dork checker
  • Hash cracker
  • Hash type verification tool
  • Proxy finding tool
  • XSS scanner
It is capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.

Screenshots
SQL Injection scanning made easy, just provide a URL and watch it work

Dork checker: have some Dorks you're not sure of? Run the Dork check with the Dork as an argument; it pulls 100 URLs and reports the success rate for that Dork.

Hash cracking made simple, provide the hash type at the end ":md5, :sha256, etc" for a specific hash, or ":all" for all algorithms available on your machine

And many more!

Usage

Installation
You can either clone the repository
git clone https://github.com/ekultek/pybelt.git
or download the latest release as a zip/tar ball here
Once you have the program installed cd into the directory and run the following command:
pip install -r requirements.txt
This will install all of the program's required libraries, and the tool can then be run from that directory.
Functionality
python pybelt.py -p 127.0.0.1
    Runs a port scan on your local host
python pybelt.py -s http://example.com/php?id=2
    Runs a SQLi scan on the given URL
python pybelt.py -d idea?id=55
    Runs a Dork check on the given Google Dork
python pybelt.py -c 9a8b1b7eee229046fc2701b228fc2aff:all
    Attempts to crack the hash using all algorithms available on the computer
python pybelt.py -v 098f6bcd4621d373cade4e832627b4f6
    Tries to verify the hash type
python pybelt.py -f
    Finds usable proxies
python pybelt.py -x http://127.0.0.1/php?id=1
    Searches the URL for an XSS vulnerability


Truehunter - Tool to detect TrueCrypt containers


The goal of Truehunter is to detect TrueCrypt containers using a fast and memory efficient approach. It was designed as a PoC some time ago as I couldn't find any open source tool with the same functionality.

Installation
Run it with Python 2.7; it needs no additional libraries.

usage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZE] [-M MAXSIZE]
                     [-R MAXHEADER] [-f] [-o OUTPUTFILE]
                     LOCATION

Checks for file size, unknown header, and entropy of files to determine if
they are encrypted containers.

positional arguments:
  LOCATION              Drive or directory to scan.

optional arguments:
  -h, --help            show this help message and exit.
  -D HEADERSFILE, --database HEADERSFILE
                        Headers database file, default headers.db
  -m MINSIZE, --minsize MINSIZE
                        Minimum file size in Kb, default 1Mb.
  -M MAXSIZE, --maxsize MAXSIZE
                        Maximum file size in Kb, default 100Mb.
  -R MAXHEADER, --repeatHeader MAXHEADER
                        Discard files with unknown headers repeated more than
                        N times, default 3.
  -f, --fast            Do not calculate entropy.
  -o OUTPUTFILE, --outputfile OUTPUTFILE
                        Scan results file name, default scan_results.csv
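The three checks the usage text describes (size window, unknown header, entropy), plus the -R repeated-header filter and the -f fast mode, as an added Python 3 example written for this page; it is not Truehunter's own code (which targets Python 2.7), and the KNOWN_HEADERS table, the 7.9 bits/byte threshold, the 64 KiB sample and the demo files are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed stand-in for Truehunter's headers.db: magic bytes of a few common
# formats. A file matching any of these is a known type, not a container candidate.
KNOWN_HEADERS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"MZ": "exe",
}
HEADER_LEN = 16  # bytes compared against the table and counted for the -R filter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_type(head: bytes):
    """Name of the known format whose magic bytes match, or None if the header is unknown."""
    for magic, name in KNOWN_HEADERS.items():
        if head.startswith(magic):
            return name
    return None


def assess_file(path, min_size, max_size, fast=False, entropy_threshold=7.9, sample=65536):
    """Apply the size window, header lookup and (unless fast) entropy test to one file."""
    size = os.path.getsize(path)
    if size < min_size or size > max_size:
        return {"path": path, "candidate": False, "reason": "size"}
    with open(path, "rb") as f:
        data = f.read(sample)  # only the first 64 KiB is read, which keeps the scan cheap
    kind = header_type(data[:HEADER_LEN])
    if kind is not None:
        return {"path": path, "candidate": False, "reason": f"known header ({kind})"}
    ent = None if fast else shannon_entropy(data)
    if ent is not None and ent < entropy_threshold:
        return {"path": path, "candidate": False, "reason": f"low entropy ({ent:.2f})"}
    return {"path": path, "candidate": True, "header": data[:HEADER_LEN], "entropy": ent,
            "reason": "unknown header, high entropy"}


def scan(location, min_size=1024 * 1024, max_size=100 * 1024 * 1024,
         max_header_repeat=3, fast=False):
    """Walk LOCATION and return per-file verdicts. Like -R, candidates whose unknown header
    recurs more than max_header_repeat times are dropped: a header shared by many files is
    most likely a format missing from the table, not an encrypted container."""
    results = [assess_file(os.path.join(root, name), min_size, max_size, fast)
               for root, _dirs, files in os.walk(location) for name in files]
    repeats = Counter(r["header"] for r in results if r["candidate"])
    for r in results:
        if r["candidate"] and repeats[r["header"]] > max_header_repeat:
            r["candidate"], r["reason"] = False, "repeated unknown header"
    return results


def demo():
    """Constructed sample tree: one container-like file and one file discarded for each
    of the three reasons. Returns {file name: verdict}."""
    root = tempfile.mkdtemp()
    two_mib = 2 * 1024 * 1024
    samples = {
        "random.bin": os.urandom(two_mib),                        # unknown header, high entropy
        "image.png": b"\x89PNG\r\n\x1a\n" + os.urandom(two_mib),  # known magic bytes
        "zeros.bin": b"\x00" * two_mib,                           # unknown header, low entropy
        "small.bin": os.urandom(10 * 1024),                       # below the 1 MiB minimum
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return {os.path.basename(r["path"]): r for r in scan(root)}
```

Only random.bin survives all three checks in demo(); a real scan would also write the verdicts to a CSV, as the -o option does.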


inquisitor - OSINT Gathering Tool for Companies and Organizations


Inquisitor is a simple tool for gathering information on companies and organizations through the use of Open Source Intelligence (OSINT) sources.
The key features of Inquisitor include:
  1. The ability to cascade the ownership label of an asset (e.g. if a Registrant Name is known to belong to the target organization, then the hosts and networks registered with that name shall be marked as belonging to the target organization)
  2. The ability to transform assets into other potentially related assets by querying open sources such as Google and Shodan
  3. The ability to visualize the relationships of those assets through a zoomable pack layout
It is heavily inspired by how Maltego operates, except that in this tool all transforms are performed automatically.

Installation
To install Inquisitor, simply clone the repository, enter it, and execute the installation script.
git clone https://github.com/penafieljlm/inquisitor.git
cd inquisitor
pip install cython
pip install unqlite
python setup.py install

Usage
Inquisitor has five basic commands: scan, status, classify, dump, and visualize.
usage: inquisitor.py [-h] {scan,status,classify,dump,visualize} ...

optional arguments:
  -h, --help            show this help message and exit

command:
  {scan,status,classify,dump,visualize}
                        The action to perform.
    scan                Search OSINT sources for intelligence based on known
                        assets belonging to the target.
    status              Prints out the current status of the specified
                        intelligence database.
    classify            Classifies an existing asset as either belonging or
                        not belonging to the target. Adds a new asset with the
                        specified classification if none is present.
    dump                Dumps the contents of the database in JSON format
    visualize           Create a D3.js visualization based on the contents of
                        the specified intelligence database.

Scan
In scan mode, the tool runs all available transforms for all the assets in your Intelligence Database. Make sure to create API keys for the OSINT sources indicated below and provide them to the script, otherwise the transforms using those sources are skipped. Also seed your Intelligence Database with some known owned target assets using the classify command first: if the database does not contain any owned assets, there is nothing to transform.
usage: inquisitor.py scan [-h] [--google-dev-key GOOGLE_DEV_KEY]
                          [--google-cse-id GOOGLE_CSE_ID]
                          [--shodan-api-key SHODAN_API_KEY]
                          DATABASE

positional arguments:
  DATABASE              The path to the intelligence database to use. If
                        specified file does not exist, a new one will be
                        created.

optional arguments:
  -h, --help            show this help message and exit
  --google-dev-key GOOGLE_DEV_KEY
                        Specifies the developer key to use to query Google
                        Custom Search. Visit the Google APIs Console
                        (http://code.google.com/apis/console) to get an API
                        key. If not specified, the script will simply skip
                        asset transforms that involve Google Search.
  --google-cse-id GOOGLE_CSE_ID
                        Specifies the custom search engine to query. Visit the
                        Google Custom Search Console
                        (https://cse.google.com/cse/all) to create your own
                        Google Custom Search Engine. If not specified, the
                        script will simply skip asset transforms that involve
                        Google Search.
  --shodan-api-key SHODAN_API_KEY
                        Specifies the API key to use to query Shodan. Log into
                        your Shodan account (https://www.shodan.io/) and look
                        at the top right corner of the page in order to view
                        your API key. If not specified, the script will simply
                        skip asset transforms that involve Shodan.

Status
In status mode, the tool simply prints out a quick summary of the status of your scan database.
usage: inquisitor.py status [-h] DATABASE

positional arguments:
  DATABASE    The path to the intelligence database to use. If specified file
              does not exist, a new one will be created.

optional arguments:
  -h, --help  show this help message and exit

Classify
In classify mode, you will be able to manually add assets and re-classify already existing assets in the Intelligence Database. You should use this command to seed your Intelligence Database with known owned target assets.
usage: inquisitor.py classify [-h] [-ar REGISTRANT [REGISTRANT ...]]
                              [-ur REGISTRANT [REGISTRANT ...]]
                              [-rr REGISTRANT [REGISTRANT ...]]
                              [-ab BLOCK [BLOCK ...]] [-ub BLOCK [BLOCK ...]]
                              [-rb BLOCK [BLOCK ...]] [-ah HOST [HOST ...]]
                              [-uh HOST [HOST ...]] [-rh HOST [HOST ...]]
                              [-ae EMAIL [EMAIL ...]] [-ue EMAIL [EMAIL ...]]
                              [-re EMAIL [EMAIL ...]]
                              DATABASE

positional arguments:
  DATABASE              The path to the intelligence database to use. If
                        specified file does not exist, a new one will be
                        created.

optional arguments:
  -h, --help            show this help message and exit
  -ar REGISTRANT [REGISTRANT ...], --accept-registrant REGISTRANT [REGISTRANT ...]
                        Specifies a registrant to classify as accepted.
  -ur REGISTRANT [REGISTRANT ...], --unmark-registrant REGISTRANT [REGISTRANT ...]
                        Specifies a registrant to classify as unmarked.
  -rr REGISTRANT [REGISTRANT ...], --reject-registrant REGISTRANT [REGISTRANT ...]
                        Specifies a registrant to classify as rejected.
  -ab BLOCK [BLOCK ...], --accept-block BLOCK [BLOCK ...]
                        Specifies a block to classify as accepted.
  -ub BLOCK [BLOCK ...], --unmark-block BLOCK [BLOCK ...]
                        Specifies a block to classify as unmarked.
  -rb BLOCK [BLOCK ...], --reject-block BLOCK [BLOCK ...]
                        Specifies a block to classify as rejected.
  -ah HOST [HOST ...], --accept-host HOST [HOST ...]
                        Specifies a host to classify as accepted.
  -uh HOST [HOST ...], --unmark-host HOST [HOST ...]
                        Specifies a host to classify as unmarked.
  -rh HOST [HOST ...], --reject-host HOST [HOST ...]
                        Specifies a host to classify as rejected.
  -ae EMAIL [EMAIL ...], --accept-email EMAIL [EMAIL ...]
                        Specifies an email to classify as accepted.
  -ue EMAIL [EMAIL ...], --unmark-email EMAIL [EMAIL ...]
                        Specifies an email to classify as unmarked.
  -re EMAIL [EMAIL ...], --reject-email EMAIL [EMAIL ...]
                        Specifies an email to classify as rejected.

Dump
In dump mode, you will be able to dump the contents of the Intelligence Database into a human-readable JSON file.
usage: inquisitor.py dump [-h] DATABASE JSON_FILE

positional arguments:
  DATABASE    The path to the intelligence database to use. If specified file
              does not exist, a new one will be created.
  JSON_FILE   The path to dump the JSON file to. Overwrites existing files.

optional arguments:
  -h, --help  show this help message and exit

Visualize
In visualize mode, you will be able to acquire a hierarchical visualization of the Intelligence Repository.
usage: inquisitor.py visualize [-h] DATABASE HTML_FILE

positional arguments:
  DATABASE    The path to the intelligence database to use. If specified file
              does not exist, a new one will be created.
  HTML_FILE   The path to dump the visualization file to. Overwrites existing
              files.

optional arguments:
  -h, --help  show this help message and exit


FalconGate - A smart gateway to stop hackers and Malware attacks


A smart gateway to stop hackers, Malware and more...

Motivation
Cyber attacks are on the rise. Hackers and cyber criminals are continuously improving their methods and building new tools and Malware with the purpose of hacking your network, spying on you and stealing valuable data. Recently a new business model has become popular among hackers: the use of Ransomware to encrypt your data and demand a ransom to unlock it. These attacks have also extended to Internet of Things (IoT) devices, since many of them are vulnerable by design and hackers can leverage them to compromise other devices in your network or launch DDoS attacks towards other targets. Traditionally, securing a network against such attacks has been expensive and affordable only for medium to large companies. With FalconGate we're aiming to change this and bring "out of the box" security for free to people, small businesses and anyone else in need.

Features
FalconGate is an open source smart gateway which can protect your home devices against hackers, Malware like Ransomware and other threats. It detects and alerts on hacker intrusions on your home network, as well as on devices misbehaving and attacking targets within your network or on the Internet.
Currently FalconGate is able to:
  • Block several types of Malware based on open source blacklists (see the detailed list in the file intel-sources.md)
  • Block Malware using the Tor network
  • Detect and report potential Malware DNS requests based on VirusTotal reports
  • Detect and report the presence of Malware executables and other components based on VirusTotal reports
  • Detect and report Domain Generation Algorithm (DGA) Malware patterns
  • Detect and report on Malware spamming activity
  • Detect and report on internal and outbound port scans
  • Report details of all new devices connected to your network
  • Block ads based on open source lists
  • Monitor a custom list of personal or family accounts used in online services for public reports of hacking

Getting Started
FalconGate was built on top of other open source software, so it has multiple dependencies which must be configured correctly for it to work. The fastest way to get FalconGate up and running is to deploy one of the supported system images from our downloads page.

Supported Platforms
Currently FalconGate has been successfully tested and deployed on Raspberry Pi (RPi 2 model B) and Banana Pi (BPI-M2+) using Raspbian Jessie Lite as the base image.
Jessie Lite for RPi
Jessie Lite for BPi
It should be compatible with other Debian ARM images as well but this has not been tested yet.

Prerequisites
FalconGate has a number of software dependencies:
  • Bro IDS
  • Python 2.7
  • Nginx
  • Dnsmasq
  • Exim
  • PHP
It depends also on several Python modules (see requirements.txt file for details)

Other dependencies
The device's malware detection can be enhanced with VirusTotal's free personal API.
Currently FalconGate uses the Have I Been Pwned public API to detect whether credentials and/or other data from personal accounts have been stolen by hackers from third party sites.

Deploying FalconGate from a supported image
This is the fastest way to get FalconGate up and running in your network.
  • Download the correct system image for your device from the downloads page.
  • Extract the image to a folder in your computer.
  • Write the image to your SD card.
You can use the guides below as reference for Raspberry Pi:
Linux
Mac OS
Windows
  • Insert the SD card in your device and plug it to any available ethernet port in your router.
  • Power on your device and wait a few minutes until it acquires the correct configuration for your network.
  • Login to your router and disable its DHCP server function.
  • Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
https://[FalconGate IP address]
Username: admin
Password: falcongate
Usually FalconGate assigns its administration interface an IP ending in ".2" (e.g. 192.168.0.2), derived from the network's gateway IP. Change the default password after the first logon to the application.
  • Navigate to the "Configuration" page and fill in the correct fields
This configuration is not mandatory but highly recommended if you want to unleash FalconGate's full power. To obtain a free VirusTotal API key you must register at https://www.virustotal.com/.

Installing FalconGate from source
Follow the steps below to configure your device and install FalconGate from this repository.
  • Download and install the OS image to your Raspberry Pi or Banana Pi device
This is well documented in multiple sources out there.
  • Connect to your device via SSH
$ ssh pi@<IP assigned to your RPi>
  • Install Git if you don't have it yet
$ sudo apt-get update
$ sudo apt-get install git
  • Clone FalconGate's repository to a local folder
$ cd /opt
$ sudo git clone https://github.com/A3sal0n/FalconGate.git
  • Run the installation script inside FalconGate's folder
$ cd FalconGate/
$ sudo python install.py
Now you can go for a walk and prepare a coffee or any other beverage of your choice because the installation usually takes some time. The script will print the progress to the console.
The script should finish without issues if you're using the supported platforms. If you're attempting to install FalconGate experimentally to a new hardware platform/OS and you get some errors during the installation you could try to correct the issues manually and continue to execute the steps listed in the installation script.
  • Login to your router and disable its DHCP server function
FalconGate was designed to work connected to a router over ethernet. It does not replace the functions of your router; instead it becomes a layer of security between your devices and your router. Disabling your router's DHCP allows FalconGate to become the new gateway for all the devices connected to the same router in your VLAN.
  • Reboot your device to apply all the configuration changes
  • Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key

Deployment
Some important considerations to keep in mind when deploying FalconGate to a real environment: home or production network.
  • Change the default SSH password in your Raspberry Pi or Banana Pi devices
  • Regenerate the openssh-server certificates for SSH encryption

Limitations
Currently the RPi 2 model B and the Banana Pi M2+ both have a single ethernet interface, so traffic forwarding in the gateway is done over this single interface. This has an impact on networks with a fast Internet connection (e.g. > 50Mb/s). However, it is still good enough for many people's home networks and even some small businesses.


IntelMQ - A solution for IT security teams for collecting and processing security feeds using a message queuing protocol


IntelMQ is a solution for IT security teams (CERTs, CSIRTs, abuse departments, ...) for collecting and processing security feeds (such as log files) using a message queuing protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs.

IntelMQ's design was influenced by AbuseHelper, however it was re-written from scratch and aims at:
  • Reduce the complexity of system administration
  • Reduce the complexity of writing new bots for new data feeds
  • Reduce the probability of losing events anywhere in the process through persistence (even across a system crash)
  • Use and improve the existing Data Harmonization Ontology
  • Use JSON format for all messages
  • Integration of the existing tools (AbuseHelper, CIF)
  • Provide easy way to store data into Log Collectors like ElasticSearch, Splunk, databases (such as PostgreSQL)
  • Provide easy way to create your own black-lists
  • Provide easy communication with other systems via HTTP RESTFUL API
It follows the following basic meta-guidelines:
  • Don't break simplicity - KISS
  • Keep it open source - forever
  • Strive for perfection while keeping a deadline
  • Reduce complexity/avoid feature bloat
  • Embrace unit testing
  • Code readability: test with inexperienced programmers
  • Communicate clearly


Table of Contents
  1. How to Install
  2. Developers Guide
  3. IntelMQ Manager
  4. Incident Handling Automation Project
  5. Data Harmonization
  6. How to Participate
  7. Licence


How to Install


Developers Guide


IntelMQ Manager
Check out this graphical tool and easily manage an IntelMQ system.


Incident Handling Automation Project


Data Harmonization
IntelMQ uses the Data Harmonization ontology. Check the following document.


How to participate

RogueSploit - Powerful social engineering Wi-Fi trap!


RogueSploit is an open source automated script made to create a fake access point, with a dhcpd server, DNS spoofing, host redirection, and browser_autopwn1, autopwn2 or BeEF+MITMf.

TO DO LIST:
  • Add BeEF;[DONE]
  • Add MITMF;[DONE]
  • Add BDFProxy;
  • Add SeToolkit;
  • Add Hostapd as fake ap;
  • Add some features;

What you need:

Halcyon - IDE for Nmap Script (NSE) Development


Halcyon is the first IDE specifically focused on Nmap Script (NSE) development. The idea originated while writing custom Nmap scripts for enterprise penetration testing scenarios. The existing challenge in developing Nmap scripts (NSE) was the lack of a development environment that makes building custom scripts for real-world scanning easy while still being fast enough to develop them. Halcyon is a free-to-use, Java-based application that comes with code intelligence, a code builder, auto-completion, debugging and error correction options, and a bunch of other features that other development IDEs have. This research was started to give researchers a better development interface/environment and thus increase the number of NSE writers in the information security community.

Halcyon IDE understands the Nmap library as well as traditional Lua syntax. Commonly repeated code such as web crawling and brute forcing is pre-built into the IDE, which saves script writers time while developing the majority of test scenarios.

More documentation and presentations are available on the official website http://halcyon-ide.org/


HERCULES - A Special Payload Generator That Can Bypass Antivirus Software


HERCULES is a customizable payload generator that can bypass antivirus software.

INSTALLATION
SUPPORTED PLATFORMS:
Operating system    Version
Ubuntu              16.04 / 15.10
Kali Linux          Rolling / Sana
Manjaro             *
Arch Linux          *
Black Arch          *
Parrot OS           3.1

    go get github.com/fatih/color
    go run Setup.go
WARNING: Don't change the location of the HERCULES folder.

USAGE
    HERCULES

SPECIAL FUNCTIONS
    Persistence : The persistence function adds the running binary to the Windows start-up registry (CurrentVersion/Run) for continuous access.

Migration : This function triggers a loop that tries to migrate to a remote process until it is successfully migrated.

WHAT IS UPX ?
    UPX (Ultimate Packer for Executables) is a free and open source executable packer supporting a number of file formats from different operating systems. UPX simply takes the binary file and compresses it; the packed binary unpacks (decompresses) itself into memory at runtime.

WHAT IS "AV EVASION SCORE" ?
    AV Evasion Score is a scale (1/10) for rating the effectiveness of the payload's antivirus bypassing capabilities; 1 represents a low probability of passing AV software.

Using special functions and packing the payloads with upx decreases the AV Evasion Score.

COMING SOON...
  • Binary infector
  • Bypass AV function
  • AES payload encryption
  • OSX support

Suricata IDPE 2.0.3 - Open Source Next Generation Intrusion Detection and Prevention Engine



The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.


OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.


[Suricata 1.4.7] Open Source Next Generation Intrusion Detection and Prevention Engine


The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.

The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.