
Showing posts with label Python3. Show all posts

Wreckuests - Tool to run DDoS attacks with HTTP-flood


Wreckuests is a script which allows you to run DDoS attacks with HTTP flood (GET/POST). It's written in pure Python and uses proxy servers as "bots". OF COURSE, this script is not universal and you can't just take down the Pentagon/NSA/whatever website with one mouse click. Each attack is unique, and for each website you'll need to search for vulnerabilities and exploit them, which might involve hardcoding, no sleep, etc. Yeap, this is your dirty and ungrateful part of the job.
⚠️ Warning: This script is published for educational purposes only! Author will accept no responsibility for any consequence, damage or loss which might result from use.

Features
  • Cache bypass with random ?abcd=efg parameter
  • CloudFlare detection and notification
  • Automatic gzip/deflate toggling
  • HTTP Authentication bypass
  • UserAgent substitution
  • Referer randomizer
  • HTTP proxy support

Dependencies

Installation
Installing Wreckuests takes just one command. Easy, isn't it?

Ubuntu 16.04
apt-get update && apt-get dist-upgrade && apt-get install python3 && apt-get install python3-pip && pip3 install --upgrade pip && pip3 install requests && pip3 install netaddr
Note: pip3 may install requests 2.9.1. Just run pip3 install --upgrade requests to upgrade requests to the latest version.

Usage
Type under sudo mode:
python3 wreckuests.py -v <target url> -a <login:pass> -t <timeout>


Possible parameters:
-h or --help:
Prints a message with possible parameters.
-v or --victim:
Specifies a link to the victim's site page. It could be the website's main page, someone's profile, a .php file or even an image: anything that has a lot of weight or is hard for the server to serve. The choice is yours.
-a or --auth:
Parameter for bypassing authentication. Your victim could enable basic HTTP authentication, and the website will then ask you to enter a login and password in a popup window. The victim may previously have published login and password data for their users on VK/FB/Twitter or whatever social network.
-t or --timeout (default: 10):
Parameter to control the connect and read timeout. This option also controls the terminating time. Note: if you set timeout=1 or somewhere around 2-3 seconds, slow (but still working) proxies will not have any time to even connect to your victim's website and will not hit it. If you still do not understand how it works, do not change this option. This parameter also regulates the intensity of the requests you send, so if you are sure your proxies are fast enough you can reduce this value. Use it accordingly.

Important
A separate thread is created for each proxy address. The more proxies you use, the more threads you create. So please do not use too many proxies; otherwise the script may exit abnormally with a segmentation fault.


OpenSnitch - GNU/Linux port of the Little Snitch application firewall


OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Requirements
You'll need a GNU/Linux distribution with iptables, NFQUEUE and ftrace kernel support.

Install
sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5 python3-gi python3-dbus python3-pyinotify
cd opensnitch
sudo python3 setup.py install

Run
sudo -HE opensnitchd
opensnitch-qt

Known Issues / Future Improvements
Before opening an issue, keep in mind that the current implementation is just an experiment to test the feasibility of the project. Future improvements of OpenSnitch will include:
Split the project into opensnitchd, opensnitch-ui and opensnitch-ruleman:
  • opensnitchd will be a (C++ ? TBD) daemon, running as root with the main logic. It'll fix this.
  • opensnitch-ui python (?) UI running as normal user, getting the daemon messages. Will fix this.
  • opensnitch-ruleman python (?) UI for rule editing.

How Does It Work
OpenSnitch is an application-level firewall, meaning that while running it will detect every outgoing connection created by the applications the user is running and alert the user. This can be extremely effective for detecting and blocking unwanted connections on your system that might be caused by a security breach, making data exfiltration much harder for an attacker. In order to do that, OpenSnitch relies on NFQUEUE, an iptables target/extension which allows a userland program to intercept IP packets and either ALLOW or DROP them. Once started, it will install the following iptables rules:
OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass
This uses the conntrack iptables extension to pass the packets of every newly created connection to NFQUEUE number 0 (the one OpenSnitch is listening on), and then:
INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
This also passes DNS traffic (UDP packets from source port 53, i.e. the replies to the host's own queries) to OpenSnitch, allowing the software to perform IP -> hostname resolution without performing active DNS queries itself.
Once a new connection is detected, the software relies on the ftrace kernel extension in order to track which PID (therefore which process) is creating the connection.
If ftrace is not available for your kernel, OpenSnitch will fall back to using the /proc filesystem. Although this method also works, it is vulnerable to application path manipulation as described in this issue, so it is highly recommended to run OpenSnitch on an ftrace-enabled kernel.
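The /proc fallback described above, as an added example that is not OpenSnitch's own code: a new outgoing connection's 4-tuple is looked up in /proc/net/tcp to get the socket inode, and the inode is then matched against the /proc/<pid>/fd symlinks to find the owning PID. The /proc/net/tcp excerpt and the fd symlink list are constructed so the functions run offline; the final helper can also walk a live Linux /proc.

```python
import os
import socket
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed /proc/net/tcp excerpt (two sockets). IPv4 addresses are hex in
# host byte order, ports hex in network order; "st" 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0101A8C0:C3A2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# Constructed (pid, symlink target) pairs, as os.readlink("/proc/<pid>/fd/<n>")
# returns them on a live system.
SAMPLE_FD_LINKS = [
    (1, "/dev/null"),
    (4321, "/home/user/.cache/app.db"),
    (4321, "socket:[67890]"),
    (4322, "socket:[12345]"),
]


def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0101A8C0:C3A2' -> ('192.168.1.1', 50082). The '<I' pack assumes a
    little-endian host, which is how x86 and little-endian ARM kernels write it."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict[str, object]]:
    """One dict per socket row of /proc/net/tcp (header row skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def find_socket_inode(text, laddr, lport, raddr, rport) -> Optional[int]:
    """Inode of the socket matching the connection 4-tuple, or None."""
    for s in parse_proc_net_tcp(text):
        if s["local"] == (laddr, lport) and s["remote"] == (raddr, rport):
            return s["inode"]
    return None


def find_pid_for_inode(inode: int, fd_links: Iterable[Tuple[int, str]]) -> Optional[int]:
    """PID whose fd table holds socket:[inode], or None if no process owns it
    (e.g. the process already exited, a race the /proc method cannot avoid)."""
    target = f"socket:[{inode}]"
    return next((pid for pid, link in fd_links if link == target), None)


def read_fd_links_from_proc() -> List[Tuple[int, str]]:
    """Walk the live /proc (Linux only; root is needed to read other users' fds)."""
    links = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                links.append((int(pid), os.readlink(os.path.join(fd_dir, fd))))
        except OSError:  # process gone or permission denied: skip it
            continue
    return links


def owner_of_connection(laddr, lport, raddr, rport,
                        proc_net_tcp=None, fd_links=None) -> Optional[int]:
    """4-tuple -> inode -> PID. Uses the live /proc when no sample data is given.
    The PID is the only trustworthy result here: /proc/<pid>/cmdline is written
    by the process itself, so a name or path read from it can be spoofed, which
    is the path-manipulation weakness the README warns about."""
    if proc_net_tcp is None:
        with open("/proc/net/tcp") as fh:
            proc_net_tcp = fh.read()
    inode = find_socket_inode(proc_net_tcp, laddr, lport, raddr, rport)
    if inode is None:
        return None
    if fd_links is None:
        fd_links = read_fd_links_from_proc()
    return find_pid_for_inode(inode, fd_links)


if __name__ == "__main__":
    print(owner_of_connection("192.168.1.1", 50082, "34.216.184.93", 443,
                              SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))  # 4321
```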


pymultitor - Python Multi Threaded Tor Proxy


Did you ever want to be at two different places at the same time?
While performing penetration tests there are often problems caused by security devices that block the "attacking" IP.
With a large number of IP addresses performing the attacks, better results are guaranteed - especially when attempting attacks to bypass Web Application Firewalls, Brute-Force type attacks and many more.

[Blackhat Asia] https://www.blackhat.com/asia-17/arsenal.html#pymultitor
[Owasp-IL Presentation] https://www.owasp.org/images/3/3d/OWASPIL-2016-02-02_PyMultiTor_TomerZait.pdf
[DigitalWhisper Article (Hebrew)] http://www.digitalwhisper.co.il/files/Zines/0x2E/DW46-3-PyMultitor.pdf

Installation

Prerequisites
  • Python 2.7+.
  • A C compiler, Python headers, etc. (are needed to compile several dependencies).
    • On Ubuntu, sudo apt-get install -y build-essential libssl-dev python-setuptools python-pip python-wheel python-dev
    • On Fedora, sudo dnf install -y redhat-rpm-config gcc gcc-c++ make openssl-devel python-setuptools python-pip python-wheel python-devel
    • On Windows, install http://aka.ms/vcpython27
    • On MacOS,
      • install xcode command line tools: xcode-select --install
      • install homebrew (brew): /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  • mitmproxy dependencies.
    • On Ubuntu, sudo apt-get install -y libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
    • On Fedora, sudo dnf install -y libffi-devel openssl-devel libxml2-devel libxslt-devel libpng-devel libjpeg-devel
    • On Windows,
    • On MacOS, brew install mitmproxy
  • tor.
    • On Ubuntu, sudo apt-get install -y tor
    • On Fedora, sudo dnf install -y tor
    • On Windows,
      • download tor expert bundle: https://www.torproject.org/download/download.html.en
      • add the Tor directory to your PATH environment variable: {tor-win32-*_path}\Tor
      • if you don't know how, remember the tor.exe path and use the --tor-cmd argument of pymultitor (for example: pymultitor --tor-cmd "c:\Pentest\Web\tor-win32-0.2.9.9\Tor\tor.exe")
    • On MacOS, brew install tor

From pip
pip install pymultitor
# On MacOs (it's Easier To Use Python 3):
# pip3 install pymultitor
You may need to use sudo, depending on your Python installation.

From Source
git clone https://github.com/realgam3/pymultitor.git
cd pymultitor

# Install python dependencies.
# Depending on your setup, one or both of these may require sudo.
pip install -r requirements.txt
python setup.py install

# On MacOs (it's Easier To Use Python 3):
# pip3 install -r requirements.txt
# python3 setup.py install

# Confirm that everything works
pymultitor --help
Bug reports on installation issues are welcome!

Usage

Basic Usage
  1. Run pymultitor --on-string "Your IP Address Blocked".
  2. On your script use proxy (http://127.0.0.1:8080).
    When the string Your IP Address Blocked is present in the response content, you will exit from another IP address.

Command Line Flags
See --help for the complete list, but in short:
Usage: pymultitor [-h] [-v] [-lh LISTEN_HOST] [-lp LISTEN_PORT] [-s] [-i] [-d]
[-p PROCESSES] [-c CMD] [--on-count ON_COUNT]
[--on-string ON_STRING] [--on-regex ON_REGEX] [--on-rst]

# When To Change IP Address
--on-count Change IP Every x Requests (Resources Also Counted).
--on-string Change IP When String Found On The Response Content.
--on-regex Change IP When Regex Found On The Response Content.
--on-rst Change IP When Connection Closed With TCP RST.


portSpider - A Lightning Fast Multithreaded Network Scanner Framework With Modules


A lightning fast multithreaded network scanner framework with modules.

modules:
  • http - Scan for open HTTP ports, and get the titles.
  • mysql - Scan for open MySQL servers, and try to log in with the default credentials.
  • mongodb - Scan for open MongoDB instances, and check if they are password protected.
  • ssh - Scan for open SSH ports.
  • printer - Scan for open printer ports and websites.
  • gameserver - Scan for open game server ports.
  • manual - Scan custom ports.

commands:
  • modules - List all modules.
  • use - Use a module.
  • options - Show a module's options.
  • set - Set an option.
  • run - Run the selected module.
  • back - Go back to menu.
  • exit - Shut down portSpider.

installing:

Debian based systems:
$ sudo apt-get update && sudo apt-get install python3 python3-pip -y

$ git clone https://github.com/xdavidhu/portSpider

$ cd portSpider/

$ python3 -m pip install -r requirements.txt

macOS / OSX:
$ brew install python3

$ git clone https://github.com/xdavidhu/portSpider

$ cd portSpider/

$ python3 -m pip install -r requirements.txt
NOTE: You need to have Homebrew installed before running the macOS/OSX installation.
WARNING: portSpider is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

developers:


probeSniffer - A Tool for Sniffing Unencrypted Wireless Probe Requests from Devices


v2.1 by David Schütz (@xdavidhu)

A tool for sniffing unencrypted wireless probe requests from devices:

new in 2.1:
  • Displaying the number of hosts
  • Logging to SQLite database file
  • Settable nickname for mac addresses
  • Options to filter output by mac address
  • Capturing 'broadcast' probe requests (without SSID)

requirements:
  • Kali Linux / Raspbian with root privileges
  • Python3 & PIP3 (probeSniffer will install the dependencies)
  • A wireless card (capable of monitor mode) and one other internet-connected interface (for vendor resolution)

options:
  • -d / do not show duplicate requests
  • -b / do not show broadcast requests
  • -f / only show requests from the specified mac address
  • --addnicks / add nicknames to mac addresses
  • --flushnicks / flush nickname database
  • --nosql / disable SQL logging completely
  • --debug / turn debug mode on
  • -h / display help menu

installing:

Kali Linux / Raspbian:
$ sudo apt-get update && sudo apt-get install python3 python3-pip -y

$ git clone https://github.com/xdavidhu/probeSniffer

$ cd probeSniffer/

$ python3 -m pip install -r requirements.txt
WARNING: probeSniffer is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

usage:
Make sure to put your interface into monitor mode before!
$ sudo python3 probeSniffer.py [monitor-mode-interface] [options]


mimipenguin - A Tool To Dump The Login Password From The Current Linux User


A tool to dump the login password from the current Linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Details
Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word's probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Requires
  • root permissions

Supported/Tested Systems
  • Kali 4.3.0 (rolling) x64 (gdm3)
  • Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
  • VSFTPd 3.0.3-8+b1 (Active FTP client connections)
  • Apache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
  • openssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)

Notes
  • Password moves in memory - still honing in on 100% effectiveness
  • Plan on expanding support and other credential locations
  • Working on expanding to non-desktop environments
  • Known bug - sometimes gcore hangs the script, this is a problem with gcore
  • Open to pull requests and community research
  • LDAP research (nslcd, winbind, etc.) planned for future

Development Roadmap
MimiPenguin is slowly being ported to multiple languages to support all possible post-exploit scenarios. The roadmap below was suggested by KINGSABRI to track the various versions and features. An "X" denotes full support while a "~" denotes a feature with known bugs.

Feature                                             .sh   .py
GDM password (Kali Desktop, Debian Desktop)          ~     X
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)    X     X
VSFTPd (Active FTP Connections)                      X     X
Apache2 (Active HTTP Basic Auth Sessions)            ~     ~
OpenSSH (Active SSH Sessions - Sudo Usage)           ~     ~



Blindy - Simple Script for running BruteForce Blind MySql Injection


Simple script for running brute-force blind MySQL injection.
The script runs through the query sets listed in the provided file (default-queries.json by default) and tries to brute-force the places marked with a {} placeholder. If no {} placeholder is present, the script simply makes a request with the current query.

command line
$ python3 blindy.py --help
usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url
[-s set_of_queries]

Run blind sql injection using brutforce

optional arguments:
-h, --help show this help message and exit
-f filename File name for your commands in json format, defaults
to default-queries.json
-m method, --method method
Where to inject (GET - get parameter/default, POST -
post parameter, HEADER - header)
-p name Name of parameter (for get - param name, post - param
name, for header - name of header). If params need to
have fixed value use -p submit=true
-r regexp Regular expression for negative pattern (script search
for the pattern and if present - will consider that
injection failed and igrone result.)
-u url Url to test
-s set_of_queries, --set set_of_queries
Which set of queries to analyze from json file, for
ex. login, blind. Default to blind.

Example usage
Bruteforce inject into POST query_param
python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
Bruteforce inject into POST query_param with placeholder
python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
This will inject the queries in place of the {} parameter placeholder.
Simply check a list of queries against the username parameter
python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login


droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMSs (Drupal, Silverstripe & Wordpress)


A plugin-based scanner that aids security researchers in identifying issues with several CMSs:
  • Drupal.
  • SilverStripe.
  • Wordpress.

Partial functionality for:
  • Joomla (version enumeration and interesting URLs only).
  • Moodle (identification doesn't work yet. You need to force 'scan moodle')
computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
Default changelog file - https://www.example.org/CHANGELOG.txt
Default admin - https://www.example.org/user/login

[+] Possible version(s):
7.34

[+] Plugins found:
views https://www.example.org/sites/all/modules/views/
https://www.example.org/sites/all/modules/views/README.txt
https://www.example.org/sites/all/modules/views/LICENSE.txt
token https://www.example.org/sites/all/modules/token/
https://www.example.org/sites/all/modules/token/README.txt
https://www.example.org/sites/all/modules/token/LICENSE.txt
pathauto https://www.example.org/sites/all/modules/pathauto/
https://www.example.org/sites/all/modules/pathauto/README.txt
https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
https://www.example.org/sites/all/modules/pathauto/API.txt
libraries https://www.example.org/sites/all/modules/libraries/
https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
https://www.example.org/sites/all/modules/libraries/README.txt
https://www.example.org/sites/all/modules/libraries/LICENSE.txt
entity https://www.example.org/sites/all/modules/entity/
https://www.example.org/sites/all/modules/entity/README.txt
https://www.example.org/sites/all/modules/entity/LICENSE.txt
google_analytics https://www.example.org/sites/all/modules/google_analytics/
https://www.example.org/sites/all/modules/google_analytics/README.txt
https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
ctools https://www.example.org/sites/all/modules/ctools/
https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
https://www.example.org/sites/all/modules/ctools/LICENSE.txt
https://www.example.org/sites/all/modules/ctools/API.txt
features https://www.example.org/sites/all/modules/features/
https://www.example.org/sites/all/modules/features/CHANGELOG.txt
https://www.example.org/sites/all/modules/features/README.txt
https://www.example.org/sites/all/modules/features/LICENSE.txt
https://www.example.org/sites/all/modules/features/API.txt
[... snip for README ...]

[+] Scan finished (0:04:59.502427 elapsed)
You can get a full list of options by running:
droopescan --help
droopescan scan --help

Why not X?
Because droopescan:
  • is fast
  • is stable
  • is up to date
  • allows simultaneous scanning of multiple sites
  • is 100% python

Installation
Installation is easy using pip:
apt-get install python-pip
pip install droopescan
Manual installation is as follows:
git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help
The master branch corresponds to the latest release (what is in PyPI). The development branch is unstable and all pull requests must be made against it. More notes regarding installation can be found here.

Features

Scan types.
Droopescan aims to be the most accurate by default, while not overloading the target server due to excessive concurrent requests. Due to this, by default, a large number of requests will be made with four threads; change these settings by using the --number and --threads arguments respectively.
This tool is able to perform four kinds of tests. By default all tests are run, but you can specify one of the following with the -e or --enumerate flag:
  • p -- Plugin checks : Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
  • t -- Theme checks : As above, but for themes.
  • v -- Version checks : Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
  • i -- Interesting url checks : Checks for interesting urls (admin panels, readme files, etc.)
More notes regarding scanning can be found here.
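The checksum-based version check described under "v -- Version checks", as an added example that is not droopescan's own code: every fingerprinted file maps a content hash to the set of versions that ship that exact file, and the candidate versions are the intersection over all files that were actually fetched. The fingerprint table, file contents and responses below are constructed stand-ins (droopescan keeps its real table in each plugin's versions.xml); a 404 carries no information and an unmatched hash is reported separately, since it usually means a modified file or a release newer than the table.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed fingerprint table: path -> {hash of that file -> versions that
# ship that exact file}. The file bodies are invented, not real Drupal files.
FINGERPRINTS: Dict[str, Dict[str, Set[str]]] = {
    "misc/drupal.js": {
        sha256_hex(b"drupal.js build 1"): {"7.29", "7.30", "7.31"},
        sha256_hex(b"drupal.js build 2"): {"7.32", "7.33", "7.34"},
    },
    "misc/ajax.js": {
        sha256_hex(b"ajax.js build 1"): {"7.29", "7.30", "7.31", "7.32"},
        sha256_hex(b"ajax.js build 2"): {"7.33", "7.34"},
    },
    "CHANGELOG.txt": {
        sha256_hex(b"Drupal 7.34, 2014-11-19"): {"7.34"},
    },
}

# Constructed responses from one target: body bytes, or None for an HTTP 404.
SAMPLE_RESPONSES: Dict[str, Optional[bytes]] = {
    "misc/drupal.js": b"drupal.js build 2",
    "misc/ajax.js": b"ajax.js build 1",
    "CHANGELOG.txt": None,  # removed by the site admin, so it tells us nothing
}


def identify_versions(responses: Dict[str, Optional[bytes]],
                      table: Dict[str, Dict[str, Set[str]]] = FINGERPRINTS
                      ) -> Tuple[Set[str], List[str]]:
    """Intersect the version sets of every fetched, fingerprinted file.

    Returns (candidate versions, paths whose hash matched nothing). Missing
    files (None) and paths absent from the table are skipped. An unmatched
    hash is the case the README warns about: either the file was modified
    locally or the site runs a release the fingerprint table does not cover,
    so the scanner's fingerprints must include the latest CMS release.
    """
    candidates: Optional[Set[str]] = None
    unmatched: List[str] = []
    for path, body in responses.items():
        if body is None or path not in table:
            continue
        versions = table[path].get(sha256_hex(body))
        if versions is None:
            unmatched.append(path)
            continue
        candidates = set(versions) if candidates is None else candidates & versions
    return (candidates if candidates else set()), unmatched


if __name__ == "__main__":
    found, unknown = identify_versions(SAMPLE_RESPONSES)
    print("possible versions:", sorted(found), "unmatched files:", unknown)
```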

Target specification.
You can specify a particular host to scan by passing the -u or --url parameter:
    droopescan scan drupal -u example.org
You can also omit the drupal argument. This will trigger “CMS identification”, like so:
    droopescan scan -u example.org
Multiple URLs may be scanned utilising the -U or --url-file parameter. This parameter should be set to the path of a file which contains a list of URLs.
    droopescan scan drupal -U list_of_urls.txt
The drupal parameter may also be omitted in this example. For each site, droopescan will make several GET requests in order to perform CMS identification, and if the site is deemed to be a supported CMS, it is scanned and added to the output list. This can be useful, for example, to run droopescan across all your organisation's sites.
    droopescan scan -U list_of_urls.txt
The code block below contains an example list of URLs, one per line:
http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/
A URL file may also contain, on each line, a URL and a value to override the default Host header with, separated by tabs or spaces. This can be handy when scanning a large range of hosts where you want to prevent unnecessary DNS queries. To clarify, an example:
192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/ example.org
It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for WordPress), but the official sites rarely run vanilla installations of their respective CMS, or do unorthodox things. For example, wordpress.org runs the bleeding-edge version of WordPress, which will not be identified as WordPress by droopescan at all because the checksums do not match any known WordPress version.

Authentication.
The application fully supports .netrc files and http_proxy environment variables.
Use a .netrc file for basic authentication. An example netrc (a file named .netrc placed in your root home directory) file could look as follows:
machine secret.google.com
login admin@google.com
password Winter01
You can set the http_proxy and https_proxy variables. These allow you to set a parent HTTP proxy, in which you can handle more complex types of authentication (e.g. Fiddler, ZAP, Burp).
export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal
WARNING: By design, to allow intercepting proxies and the testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates. ˙ ͜ʟ˙

Output.
This application supports both "standard output", meant for human consumption, or JSON, which is more suitable for machine consumption. This output is stable between major versions.
This can be controlled with the --output flag. Some sample JSON output would look as follows (minus the excessive whitespace):
{
    "themes": {
        "is_empty": true,
        "finds": []
    },
    "interesting urls": {
        "is_empty": false,
        "finds": [
            {
                "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
                "description": "Default changelog file."
            },
            {
                "url": "https:\/\/www.drupal.org\/user\/login",
                "description": "Default admin."
            }
        ]
    },
    "version": {
        "is_empty": false,
        "finds": [
            "7.29",
            "7.30",
            "7.31"
        ]
    },
    "plugins": {
        "is_empty": false,
        "finds": [
            {
                "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
                "name": "views"
            },
            [...snip...]
        ]
    }
}
Some attributes might be missing from the JSON object if parts of the scan are not run.
This is how multi-site output looks; each line contains a valid JSON object as shown above.
    $ droopescan scan drupal -U six_and_above.txt -e v
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
{"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
{"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
{"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
{"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
{"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
{"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
{"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
{"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
{"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
{"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
{"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
{"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
{"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
{"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
{"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
{"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
{"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
{"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
{"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
{"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
{"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
{"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
{"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
{"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
{"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
{"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}
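A consumer for the multi-site output shown above, as an added example that is not part of droopescan: it reads the one-object-per-line JSON, flags hosts whose every candidate version is below a baseline you choose, separates hosts that could not be identified at all, and pulls the plugin names into an inventory. This is the kind of follow-up a scan across all your organisation's sites needs. The three sample lines are constructed in the shape of the README's own output.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed in the shape of the README's multi-site output: one JSON object per
# host; parts of the scan that were not run (e.g. plugins) are simply absent.
SAMPLE_OUTPUT = """\
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.29", "7.30", "7.31"]}, "plugins": {"is_empty": false, "finds": [{"url": "http://localhost/drupal-7.30/sites/all/modules/views/", "name": "views"}]}}
{"host": "http://localhost/unknown/", "version": {"is_empty": true, "finds": []}}
"""


def version_key(v: str) -> Tuple[int, ...]:
    """'7.30' -> (7, 30). Uses the leading digits of each dotted component so
    that '7.10' sorts after '7.9' and '7.0-alpha1' still parses."""
    return tuple(int(re.match(r"\d*", part).group() or 0) for part in v.split("."))


def parse_multi_site_output(text: str) -> List[dict]:
    """Each non-empty line is a complete JSON object, so a long scan's output
    can be consumed line by line while it is still being written."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records: List[dict], baseline: str) -> Dict[str, str]:
    """host -> 'unidentified' (no version found), 'outdated' (every candidate
    version is below the baseline) or 'current'. A version check returns a
    set of candidates, so a host is only called outdated when all of them are
    old; anything else needs a closer look rather than an automatic verdict."""
    base = version_key(baseline)
    verdicts: Dict[str, str] = {}
    for rec in records:
        ver = rec.get("version", {})
        finds = [] if ver.get("is_empty", True) else ver.get("finds", [])
        if not finds:
            verdicts[rec["host"]] = "unidentified"
        elif all(version_key(v) < base for v in finds):
            verdicts[rec["host"]] = "outdated"
        else:
            verdicts[rec["host"]] = "current"
    return verdicts


def plugin_inventory(records: List[dict]) -> Dict[str, List[str]]:
    """host -> sorted names of plugins found ([] when plugins were not enumerated)."""
    inv: Dict[str, List[str]] = {}
    for rec in records:
        plugins = rec.get("plugins", {})
        finds = [] if plugins.get("is_empty", True) else plugins.get("finds", [])
        inv[rec["host"]] = sorted(p["name"] for p in finds)
    return inv


if __name__ == "__main__":
    recs = parse_multi_site_output(SAMPLE_OUTPUT)
    plugins = plugin_inventory(recs)
    for host, verdict in triage(recs, "7.31").items():
        print(f"{verdict:12} {host}  plugins={plugins[host]}")
```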

Debug.
When things are not going exactly your way, you can check why by using the --debug-requests command.
Some output might look like this:
computer:~/droopescan# droopescan scan silverstripe -u http://localhost -n 10 -e p --debug-requests
[head] http://localhost/framework/... 403
[head] http://localhost/cms/css/layout.css... 404
[head] http://localhost/framework/css/UploadField.css... 200
[head] http://localhost/misc/test/error/404/ispresent.html... 404
[head] http://localhost/widgetextensions/... 404
[head] http://localhost/orbit/... 404
[head] http://localhost/sitemap/... 404
[head] http://localhost/simplestspam/... 404
[head] http://localhost/ecommerce_modifier_example/... 404
[head] http://localhost/silverstripe-hashpath/... 404
[head] http://localhost/timeline/... 404
[head] http://localhost/silverstripe-hiddenfields/... 404
[head] http://localhost/addressable/... 404
[head] http://localhost/silverstripe-description/... 404
[+] No plugins found.

[+] Scan finished (0:00:00.058422 elapsed)
The --debug parameter also exists and may be used to debug application internals.

Stats.
You can get an up to date report on the capabilities of the scanner by running the following command
    droopescan stats
Some sample output might look as follows:
Functionality available for ‘drupal’:
- Enumerate plugins (XXXX plugins.)
- Enumerate themes (XXXX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X-alphaXX, X.XX, X.XX.)
Functionality available for ‘joomla’:
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version XX.X, X.X.X, X.X.XX.rcX.)
Functionality available for ‘wordpress’:
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X, X.X.X, X.X.X.)
Functionality available for ‘silverstripe’:
- Enumerate plugins (XXX plugins.)
- Enumerate themes (XX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.XX, X.X.XX, X.X.XX.)
It is important to verify that the latest version available for the CMS installation is available within droopescan, as otherwise results may be inaccurate.

Contribute.

Create your own plugin.
You can add support for your favourite CMS. The process is actually quite simple, and a lot of information can be gleaned by viewing the example.py file in the plugins/ folder.
This file should serve well as a base for your implementation.
You can create your own plugin for Joomla and enable it as follows:
$ cp plugins/example.py plugins/joomla.py
$ cp plugins.d/example.conf plugins.d/joomla.conf
You then need to go to plugins/joomla.py and change a few things:
  • The class name needs to be Joomla.
  • The plugin label (located at Meta.label) needs to be changed to joomla.
  • At the end of the file, the register call needs to be modified to reflect the correct class name.
  • The exposed function, 'example', needs to be renamed to joomla.
    @controller.expose(help='example scanner')
    def joomla(self):
        self.plugin_init()
We also need to change the plugins.d/joomla.conf file, and change it to the following:
[joomla]
enable_plugin = true
We should now be in a state which looks as follows:
$ droopescan scan joomla
[+] --url parameter is required.
Your next step would be to generate a valid plugin wordlist, a valid theme wordlist, a versions.xml file, and optionally a list of interesting URLs, as well as replace all variables that are in joomla.py with values that are correct for your implementation.
The plugin needs to update automatically in order for a pull request to be accepted. Further documentation may be made available later, but for now keep in mind that update_version_check, update_version, update_plugins_check and update_plugins need to be implemented. For reference, please review the drupal.py file. This is required in order to ensure plugins are kept up to date.

Issues & Pull Requests.
Pull requests that create new plugins are welcome provided that maintenance for those plugins is done automatically.
Please remember to make your pull requests against the development branch rather than master. Issues can be raised on the issue tracker here on GitHub.
To run the tests, some dependencies must be installed. Running the following commands will install them and run the tests:
apt-get install libxslt1-dev libxml2-dev zlib1g-dev python python-pip python-dev python3 python3-pip python3-dev
pip install -r requirements.txt -r requirements_test.txt
pip3 install -r requirements.txt -r requirements_test.txt
./droopescan test
You can run individual tests with the -s flag.
./droopescan test -s test_integration_drupal



shootback - a reverse TCP tunnel that lets you access a target behind NAT or a firewall

shootback is a reverse TCP tunnel that lets you access a target behind NAT or a firewall.
Consumes less than 1% CPU and 8MB memory at 800 concurrent connections.
slaver is a single file and depends only on the Python (2.7/3.4+) standard library.

How it works



Typical Scene
  1. Access a company/school computer (no public IP) from home
  2. Make a private network/site public.
  3. Help with private network penetration.
  4. Help with CTF offline competitions.
  5. Connect to a device with a dynamic IP, such as an ADSL line

Getting started
  1. requirements:
    • Master: Python3.4+, OS independent
    • Slaver: Python2.7/3.4+, OS independent
    • no external dependencies, only the Python standard library
  2. download: git clone https://github.com/aploium/shootback
  3. (optional) if you need a single-file slaver.py, run python3 build_singlefile_slaver.py
  4. run these commands
    # master listen :10000 for slaver, :10080 for you
    python3 master.py -m 0.0.0.0:10000 -c 127.0.0.1:10080

    # slaver connect to master, and use example.com as tunnel target
    # ps: you can use python2 in slaver, not only py3
    python3 slaver.py -m 127.0.0.1:10000 -t example.com:80

    # doing request to master
    curl -v -H "host: example.com" 127.0.0.1:10080
    # -- some HTML content from example.com --
    # -- some HTML content from example.com --
    # -- some HTML content from example.com --
  5. a more realistic example:
    assume your master is 22.33.44.55 (just like the graph above)
    # slaver_local_ssh <---> slaver <--> master(22.33.44.55) <--> You

    # ---- master ----
    python3 master.py -m 0.0.0.0:10000 -c 0.0.0.0:10022

    # ---- slaver ----
    python(or python3) slaver.py -m 22.33.44.55:10000 -t 127.0.0.1:22

    # ---- YOU ----
    ssh 22.33.44.55 -p 10022
  6. for more help, please see python3 master.py --help and python3 slaver.py --help
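The master/slaver pairing used in the steps above, as an added illustration that is not shootback's own code: a deliberately simplified relay in Python 3.8+ where each customer connection on the -c port is matched with one slaver connection parked on the -m port, and the slaver then dials the -t target. The one-byte PAIR wake-up signal, the 127.0.0.1-only binding and the ephemeral ports are assumptions of this illustration, not shootback's protocol.

```python
import contextlib
import queue
import socket
import threading

PAIR = b"\x00"  # master -> parked slaver: "a customer is waiting, dial the target" (assumed signal)

def _pipe(src, dst):
    # Copy src->dst until EOF, then half-close dst so the far end sees EOF too.
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def bridge(a, b):
    # Full-duplex relay between two connected sockets; returns once both close.
    t = threading.Thread(target=_pipe, args=(b, a), daemon=True)
    t.start()
    _pipe(a, b)
    t.join()
    a.close()
    b.close()

def start_master(slaver_port=0, customer_port=0):
    # -m: slavers connect and park here; -c: customers connect here.  Each
    # customer is paired with one parked slaver.  Returns (m_port, c_port).
    ls, lc = (socket.create_server(("127.0.0.1", p)) for p in (slaver_port, customer_port))
    parked = queue.Queue()
    def accept_slavers():
        while True:
            parked.put(ls.accept()[0])
    def serve_customers():
        while True:
            cust, _ = lc.accept()
            sl = parked.get()  # blocks until some slaver has parked a connection
            sl.sendall(PAIR)   # wake it so it dials the target, then relay bytes
            threading.Thread(target=bridge, args=(cust, sl), daemon=True).start()
    for fn in (accept_slavers, serve_customers):
        threading.Thread(target=fn, daemon=True).start()
    return ls.getsockname()[1], lc.getsockname()[1]

def start_slaver(master_addr, target_addr):
    # Outbound-only: park at the master; on PAIR dial the target, relay, re-park.
    def loop():
        while True:
            m = socket.create_connection(master_addr)
            if m.recv(1) == PAIR:  # b"" instead means the master dropped it
                bridge(m, socket.create_connection(target_addr))
            m.close()
    threading.Thread(target=loop, daemon=True).start()
```

As with shootback itself, nothing here encrypts the relayed bytes; any confidentiality must come from the tunnelled protocol.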

Tips
  1. run as a daemon:
    nohup python(or python3) slaver.py -m host:port -t host:port -q &
    or:
    # screen is a linux command
    screen
    python(or python3) slaver.py -m host:port -t host:port
    # press ctrl-a d to detach screen
    # and if necessary, use "screen -r" to reattach
  2. ANY service using TCP is shootback-able. HTTP/FTP/Proxy/SSH/VNC/...
  3. shootback itself only does the transmission job; it does not handle encryption or proxying.
    However, you can use a 3rd-party proxy (eg: shadowsocks) as the slaver target.
    for example:
    shadowsocks_server<-->shootback_slaver<-->shootback_master<-->shadowsocks_client(socks5)

Warning
  1. on Windows, due to the limit of CPython's select.select(), shootback can NOT handle more than 512 concurrent connections; you may see
    ValueError: too many file descriptors in select()
    If you have to handle such high concurrency on Windows, Anaconda-Python3 is recommended; its limit on Windows is 2048.

Performance
  1. on my laptop (Intel i7-4710MQ, Windows 10 x64):
    • 1.6Gbits/s of loopback transfer (using iperf), with about 5% CPU usage.
    • 800-thread ApacheBench, with less than 1% CPU and 8MB memory consumption


wafpass - WAF Security Benchmark



WAFPASS - Copyright (c) 2017 Hamed Izadi (@hezd).
WAFPASS analyses parameters with all payload bypass methods, aiming at benchmarking security solutions such as WAFs.
Today a great number of website owners around the globe use "Web Application Firewalls" to improve their security. However, these security applications suffer from many deficits, such as poor performance, lack of updates, and so forth. Thus, they are hindered from working effectively against everyday attacks that are equipped with cutting-edge technological innovations. This weakness can cause various issues and even lead to security failures.
WAFPASS's ultimate goal is to present a solution for improving security systems like WAFs, in addition to providing a general overview of the security solutions.
WAFPASS supports HTTP and HTTPS connections, GET and POST requests, and the use of cookies in order to access pages restricted to authenticated users. An intercepting proxy can also be set up.

Requirements:
Python version 3.4.x is required for running this program.

Disclaimer:
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!

Installation:
Download WAFPASS by cloning the Git repository:
  $ git clone https://github.com/wafpassproject/wafpass.git

Supported Platforms:
  • Linux
  • Mac OS X
  • Windows

Usage:
To get a list of all options and switches use:
  $ python3 wafpass.py -h
You can add your payloads in /payloads/payloads.csv like this:
  payload@description

Support:
WAFPASS is the product of many hours of work and total personal dedication.
Please help us to improve this project.


ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API


ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the efforts of the OpenSource reverse engineering community (reverse engineering to produce OpenSource drivers/firmware for hardware not properly supported by vendors).
ScratchABit supports the IDAPython API, well known in the community, for writing disassembly/extension modules.
ScratchABit is a work in progress; features are added on an as-needed basis, and contributions are welcome.
ScratchABit is released under the terms of GNU General Public License v3 (GPLv3).

Requirements/manifesto
  1. Should not be written in an obfuscated language. This includes languages which are too low-level, which allow access to uninitialized variables, which don't differentiate between variables and functions/procedures, which start array indexes from arbitrary numbers, etc., etc. ScratchABit is written in Python (modern version, Python3) for your pleasure and sanity.
  2. The user interface framework should allow user interaction of the needed level, and not add dependencies, bloat, issues, and incompatibilities between the framework's versions. ScratchABit currently uses a simple (no color, even) full-screen text user interface, using ANSI/VT100 terminal escape sequences (yes, even the curses library was deemed too bloated a dependency to force upon users).
  3. Should leverage easy to use text formats to store "database", to facilitate easy reuse and tool writing, and storage in version control systems.

Quick start
To use ScratchABit, you need Python3 installed and VT100 (minimum) or XTerm (recommended) terminal or terminal emulator (any Unix system should be compliant, like Linux/BSD/etc., see FAQ below for more).
Clone the code using:
git clone --recursive https://github.com/pfalcon/ScratchABit
If you cloned the code without --recursive, run git submodule update --init.
If you want to disassemble a file in self-describing executable format (like ELF), just pass it as an argument to ScratchABit.py . The repository includes example-elf (x86 32bit) for quick start:
python3 ScratchABit.py example-elf
Alternatively, if you want to disassemble a raw binary file, you need to create a .def (definition) file, to specify what memory areas are defined for the code, at which address to load binary file, etc. (Note: a .def file may be useful for .elf and similar files too.) The repository includes a simple x86_64 raw binary code, and the corresponding .def file:
python3 ScratchABit.py example.def
Press F1 if in doubt what to do next (ScratchABit works similarly to other interactive disassemblers; some previous experience or background reading may be helpful). Press F9 to access menus (the mouse works too in XTerm-compatible terminals).

Using Plugins
IDAPython processor plugins can be loaded from anywhere on the Python module path. Alternatively, you can symlink the plugin .py file into the plugins/cpu/ subdirectory.
After the plugin is made available, create a new definition file based on example.def that sets the plugin module name in the cpu xxx line.
For a very simple example that uses an external plugin, see this esp8266.def file that works with the xtensa.py plugin from the ida-xtensa2 repository.

TODO/Things to decide
  • Currently uses multiple files for "database", each storing particular type of information. Switch to a single YAML file instead?
  • Add color (low priority, (unbloated!) patches welcome).
  • Few important UI commands to implement yet for comfortable work. ( All the most important commands should be there, other functionality is expected to be implemented using plugins).
  • Offer to save DB on quit if modified.
  • Git integration for DB saving.
  • Improve robustness (add exception handler at the main loop level, don't abort the application, show to user/log and continue).
  • Try to deal with code flow inconsistencies (e.g. within an instruction - low priority for intended usage) and data access inconsistencies (e.g. accessing individual bytes of a previously detected word - higher priority). (Improved in 1.4.)
  • See how to support other types of IDAPython plugins besides just processor modules.
  • Parse and use debugging information (e.g. DWARF) present in ELF (etc.) files.

FAQ
Q: What processors/architectures are supported?
A: ScratchABit doesn't support any processor architectures on its own; it is fully retargetable using IDAPython API plugins. Many plugins are available, and writing a new plugin is easy. To let users test-drive ScratchABit, a very simple (!) X86 processor plugin is included in the distribution, using the Pymsasid disassembler under the hood.
Q: I'm not on Linux, how can I run ScratchABit?
A: Install Linux in an emulator/VM on your system and rejoice.