Wreckuests - Tool to run DDoS atacks with HTTP-flood

Wreckuests is a script, which allows you to run DDoS attacks with HTTP-flood(GET/POST). It's written in pure Python and uses proxy-servers as "bots". OF COURSE, this script is not universal and you can't just drop Pentagon/NSA/whatever website with one mouse click. Each attack is unique, and for each website you'll gonna need to search for vulnerabilities and exult them, which might result in hardcoding, nosleeping, etc... Yeap, this is your dirty and ungrateful part of job.

⚠️ Warning: This script is published for educational purposes only! Author will accept no responsibility for any consequence, damage or loss which might result from use.

Features

• Cache bypass with random ?abcd=efg parameter
• CloudFlare detection and notification of
• Automatic gzip/deflate toggling
• HTTP Authentication bypass
• UserAgent substitution
• Referers randomizer
• HTTP proxy support

Dependencies

• Python 3.5+
• Requests 2.10.0 or higher
• netaddr (tested with 0.7.19)

Installation

This is so easy to install Wreckuests just in one command. Isn't it?

Ubuntu 16.04

apt-get update && apt-get dist-upgrade && apt-get install python3 && apt-get install python3-pip && pip3 install --upgrade pip && pip3 install requests && pip3 install netaddr

Note: pip3 may install requests 2.9.1. Just run pip3 install --upgrade requests to upgrade requests to the latest version.

Usage
Type under sudo mode:

python3 wreckuests.py -v <target url> -a <login:pass> -t <timeout>

Possible parameters:
-h or --help:
Prints a message with possible parameters.
-v or --victim:
Specifies a link to the victim's site page. It could be the website's main page, someone's profile, .php-file or even image. Everything that has a lot of weight or is hard for server to give. The choice is yours.
-a or --auth:
Parameter for bypassing authentication. You'r victim could enable basic HTTP authentication and his website will ask you to enter login and password in popup window. Victim may previously publish login and password data for his users in VK/FB/Twitter and whatever social network.
-t or --timeout(defalut: 10):
Parameter to control connection'n'read timeout. This option also controls terminating time. Note: if you set timeout=1 or somewhere about 2-3 seconds, the slow(but still working) proxies will not have any time to even connect to your victim's website and will not even hit it. If you still do not understand how it works - do not change this option. Also, this parameter regulates the intensiveness of requests you sending. So, if you sure your proxies are fast enough - you can reduce this value. Use this accordingly.

Important
A separate thread is created for each proxy address. The more proxies you use - the more threads you create. So, please, do not use way too much proxies. Otherwise, the script may exit abnormaly by meeting segmentation fault.

Download wreckuests

Read More

explo - Human And Machine Readable Web Vulnerability Testing Format

explo is a simple tool to describe web security issues in a human and machine readable format. By defining a request/condition workflow, explo is able to exploit security issues without the need of writing a script. This allows to share complex vulnerabilities in a simple readable and executable format.

Example for extracting a csrf token and using this in a form:

name: get_csrf
description: extract csrf token
module: http
parameter:
    url: http://example.com/contact
    method: GET
    header:
        user-agent: Mozilla/5.0
    extract:
        csrf: [CSS, "#csrf"]
---
name: exploit
description: exploits sql injection vulnerability with valid csrf token
module: http
parameter:
    url: http://example.com/contact
    method: POST
    body:
        csrf: "{{get_csrf.extracted.csrf}}"
        username: "' SQL INJECTION"
    find: You have an error in your SQL syntax

In this example definition file the security issue is tested by executing two steps which are run from top to bottom. The last step returns a success or failure, depending on the string 'You have an error in your SQL syntax' to be found.

Installation

Install via PyPI

pip install explo

Install via source

git clone https://github.com/dtag-dev-sec/explo
cd explo
python setup.py install

Usage

explo [--verbose|-v] testcase.yaml
explo [--verbose|-v] examples/*.yaml

There are a few example testcases in the examples/ folder.

$ explo examples/SQLI_simple_testphp.vulnweb.com.yaml

You can also include explo as a python lib:

from explo.core import from_content as explo_from_content
from explo.core import ExploException, ProxyException

def save_log(msg):
    print(msg)

try:
    result = explo_from_content(explo_yaml_file, save_log)
except ExploException as err:
    print(err)

Modules
Modules can be added to improve functionality and classes of security issues.

http (basic)
The http modules allows to make a http request, extract content and search/verify content.
The following data is made available for following steps:

• the http response body: stepname.response.content
• the http response cookies: stepname.response.cookies
• extracted content: response.extracted.variable_name

If a find_regex parameter is set, a regular expression match is executed on the response body. If this fails, this module returns a failure and thus stopping the executing of the current workflow (and all steps).
When extracting by regular expressions, use the match group extract to mark the value to extract (view below for an example).
For referencing cookies, reference the name of the previous step where cookies should be taken from (cookies: the_other_step.response.cookies).
Parameter examples:

parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    cookies: stepname.response.cookies
    body:
        key: value
    find: search for string
    find_regex: search for (reg|ular)expression
    find_in_headers: searchstring in headers
    extract:
        variable1: [CSS, '#csrf']
        variable2: [REGEX, '<input(.*?)value="(?P<extract>.*?)"']

http_header
The http header module allows to check if a response misses a specified set of headers (and values). All other parameters are identical to the http module.
The following data is made available for other modules:

• the http response body: stepname.response.content
• the http response cookies: stepname.response.cookies

Parameter examples:

parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    body:
        key: value
    headers_required:
        X-XSS-Protection: 1
        Server: .               # all values are valid

sqli_blind
The sqli_blind module is able to identify time based blind sql injections.
The following data is made available for other modules:

• the http response body: stepname.response.content
• the http response cookies: stepname.response.cookies

Parameter examples:

parameter:
    url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
    method: GET
    delay_seconds: 5

If the threshold of 5 seconds (delay_seconds) is exceeded, the check returns true (and thus resulting in a success).

Download explo

Read More

Whitewidow - SQL Vulnerability Scanner

Whitewidow is an open source automated SQL vulnerability scanner, that is capable of running through a file list, or can scrape Google for potential vulnerable websites. It allows automatic file formatting, random user agents, IP addresses, server information, multiple SQL injection syntax, ability to launch sqlmap from the program, and a fun environment. This program was created for learning purposes, and is intended to teach users what vulnerability looks like.

Screenshots

Launching whitewidow displays the custom designed banner and begins searching for possible sites that could be vulnerable

Whitewidow is capable of finding vulnerabilities in websites by scraping Google using over 1,000 different queries that are carefully researched before added. It also uses multiple different SQL injection approaches

Whitewidow is also capable of spidering a single webpage for all available links, it will then search for vulnerabilities in all the links using the programs built in file feature

And when all is said and done, and you're sure that you've found some vulnerable sites, you can launch sqlmap from the program without the need of downloading another clone.

Basic Usage
ruby whitewidow.rb -d This will run whitewidow in default mode and scrape Google for possible sites using a random search query.
ruby whitewidow.rb -f path/to/file This will run whitewidow through a given file and add the SQL syntax to the URL.
ruby whitewidow.rb -h Will run the help flag along with show the help menu.
For more information about usage and more flags you can checkout the wiki functionality page here.

Dependencies

• gem 'mechanize'
• gem 'nokogiri'
• gem 'rest-client'
• gem 'webmock'
• gem 'rspec'
• gem 'vcr'

To install all gem dependencies, follow the following template:
cd whitewidow
bundle install
This should install all gems needed, and will allow you to run the program without trouble.

Download Whitewidow

Read More

Pybelt - The Hackers Tool Belt

Pybelt is an open source hackers tool belt complete with:

• A port scanner
• SQL injection scanner
• Dork checker
• Hash cracker
• Hash type verification tool
• Proxy finding tool
• XSS scanner

It is capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.

Screenshots
SQL Injection scanning made easy, just provide a URL and watch it work

Dork checker, have some Dorks you're not sure of? Go ahead and run the Dork check with the Dork as an argument, it will pull 100 URLs and give you success rate for the Dork

Hash cracking made simple, provide the hash type at the end ":md5, :sha256, etc" for a specific hash, or ":all" for all algorithms available on your machine

And many more!

Usage

Installation
You can either clone the repository

git clone https://github.com/ekultek/pybelt.git

or download the latest release as a zip/tar ball here
Once you have the program installed cd into the directory and run the following command:

pip install -r requirements.txt

This will install all of the programs needed libraries and should be able to be run from there.
###Functionality

python pybelt.py -p 127.0.0.1

Will run a port scan on your local host

python pybelt.py -s http://example.com/php?id=2

Will run a SQLi scan on the given URL

python pybelt.py -d idea?id=55

Will run a Dork check on the given Google Dork

python pybelt.py -c 9a8b1b7eee229046fc2701b228fc2aff:all

Will attempt to crack the hash using all algorithms available on the computer

python pybelt.py -v 098f6bcd4621d373cade4e832627b4f6

Will try to verify the hash type

python pybelt.py -f

Will find usable proxies

python pybelt.py -x http://127.0.0.1/php?id=1

Will search the URL for XSS vulnerability

Download Pybelt

Read More

Leviathan - Wide Range Mass Audit Toolkit

Leviathan is a mass audit toolkit which has wide range service discovery, brute force, SQL injection detection and running custom exploit capabilities. It consists open source tools such masscan, ncrack, dsss and gives you the flexibility of using them with a combination.

The main goal of this project is auditing as many system as possible in country-wide or in a wide IP range.

Main Features

Discovery: Discover FTP, SSH, Telnet, RDP, MYSQL services running inside a specific country or in an IP range via Shodan, Censys. It's also possible to manually discover running services on a IP range by integrated “masscan” tool.

Short Demo: https://asciinema.org/a/617bsxl1y84bav9f5bcwllx7r

Brute Force: You can brute force the discovered services with integrated “ncrack” tool. It has wordlists which includes most popular combinations and default passwords for specific services.

Short Demo: https://asciinema.org/a/43y2j38zu7hbnuahrj233d5r0

Remote Command Execution: You can run system commands remotely on compromised devices.

Short Demo: https://asciinema.org/a/0xcrhd12f2lpkbktjldwtab16

SQL Injection Scanner: Discover SQL injection vulnerabilities on websites with specific country extension or with your custom Google Dork.

Short Demo: https://asciinema.org/a/2mwfmd9afsuyg5p0vzcq5e6si

Exploit Specific Vulnerabilities: Discover vulnerable targets with Shodan, Censys or masscan and mass exploit them by providing your own exploit or using preincluded exploits.

Short Demo: https://asciinema.org/a/9uqsjvnru780h0ue6ok9j9ktb

Integrated Tools

Masscan: It’s a very fast TCP port scanner by Robert David Graham. Leviathan uses masscan for detecting services on a huge IP range. https://github.com/robertdavidgraham/masscan

Ncrack: Ncrack is a high-speed network authentication cracking tool. Leviathan uses ncrack to brute force services such as FTP, SSH, RDP, Telnet, MYSQL etc. https://github.com/nmap/ncrack

DSSS (Damn Small SQLi Scanner): DSSS is a fully functional and minimal SQL injection vulnerability scanner by Miroslav Stampar. Leviathan uses DSSS to identify SQL Injection vulnerabilities on specific URLs. https://github.com/stamparm/DSSS

Installation
For detailed installiation, please visit our wiki page.

Kali Linux:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Install Python libraries:
pip install -r requirements.txt
It's done!

Debian/Ubuntu:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run installiation script. It will setup required tools (ncrack, masscan) and python libraries.
bash scripts/debian_install.sh
It's done!

macOS:
If homebrew is not installed on your system, please install it first:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run installiation script. It will setup required tools (ncrack, masscan) and python libraries.
bash scripts/macos_install.sh
It's done!

Requirements
Python version 2.7.x is required for running this program.
Supported platforms: Linux (Kali Linux, Debian, Ubuntu), macOS

Usage
Run the program with following command:
python leviathan.py
You can get basic usage information inside the menus. For detailed usage manual, visit our wiki page.

Screenshots

Download Leviathan

Read More

Blindy - Simple Script for running BruteForce Blind MySql Injection

Simple script for running bruteforce blind MySql injection

The script will run through queries listed in sets in provided file (default-queries.json as default) and try to bruteforce places with {} placeholder. If no {} placeholder present, the script will simply make request with current query.

command line

$ python3 blindy.py --help
usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url
                 [-s set_of_queries]

Run blind sql injection using brutforce

optional arguments:
  -h, --help            show this help message and exit
  -f filename           File name for your commands in json format, defaults
                        to default-queries.json
  -m method, --method method
                        Where to inject (GET - get parameter/default, POST -
                        post parameter, HEADER - header)
  -p name               Name of parameter (for get - param name, post - param
                        name, for header - name of header). If params need to
                        have fixed value use -p submit=true
  -r regexp             Regular expression for negative pattern (script search
                        for the pattern and if present - will consider that
                        injection failed and igrone result.)
  -u url                Url to test
  -s set_of_queries, --set set_of_queries
                        Which set of queries to analyze from json file, for
                        ex. login, blind. Default to blind.

Example usage
Bruteforce inject into POST query_param

python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind

Bruteforce inject into POST query_param with placeholder

python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind

This will inject the queries in a place of {} parameter placeholder
Simple check a list of queries against username parameter

python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login

Download Blindy

Read More

SSLsplit - transparent SSL/TLS interception

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It is intended to be useful for network forensics, application security analysis and penetration testing.

SSLsplit is designed to transparently terminate connections that are redirected to it using a network address translation engine. SSLsplit then terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. Besides NAT based operation, SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination. SSLsplit is purely a transparent proxy and cannot act as a HTTP or SOCKS proxy configured in a browser.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. Depending on the version of OpenSSL built against, SSLsplit supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well.

For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, mimicking the original server certificate's subject DN, subjectAltName extension and other characteristics. SSLsplit has the ability to use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates but otherwise does not implement exploits against specific certificate verification vulnerabilities in SSL/TLS stacks.

SSLsplit implements a number of defences against mechanisms which would normally prevent MitM attacks or make them more difficult. SSLsplit can deny OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit removes response headers for HPKP in order to prevent public key pinning, for HSTS to allow the user to accept untrusted certificates, and Alternate Protocols to prevent switching to QUIC/SPDY. HTTP compression, encodings and keep-alive are disabled to make the logs more readable.

As an experimental feature, SSLsplit supports STARTTLS and similar mechanisms, where a protocol starts on a plain text TCP connection and is later upgraded to SSL/TLS through protocol-specific means, such as the STARTTLS command in SMTP. SSLsplit supports generic upgrading of TCP connections to SSL.

See the manual page sslsplit(1) for details on using SSLsplit and setting up the various NAT engines.

Requirements

SSLsplit depends on the OpenSSL and libevent 2.x libraries. The build depends on GNU make and a POSIX.2 environment in PATH . If available, pkg-config is used to locate and configure the dependencies. The optional unit tests depend on the check library.

SSLsplit currently supports the following operating systems and NAT mechanisms:

• FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
• OpenBSD: pf rdr-to and divert-to
• Linux: netfilter REDIRECT and TPROXY
• Mac OS X: pf rdr and ipfw fwd

Support for local process information ( -i ) is currently available on Mac OS X and FreeBSD.

SSL/TLS features and compatibility greatly depend on the version of OpenSSL linked against; for optimal results, use a recent release of OpenSSL proper. OpenSSL forks like LibreSSL and BoringSSL may or may not work.

Installation
With OpenSSL, libevent 2.x, pkg-config and check available, run:

make
make test       # optional unit tests
make install    # optional install

Dependencies are autoconfigured using pkg-config. If dependencies are not picked up and fixing PKG_CONFIG_PATH does not help, you can specify their respective locations manually by setting OPENSSL_BASE , LIBEVENT_BASE and/or CHECK_BASE to the respective prefixes.
You can override the default install prefix ( /usr/local ) by setting PREFIX . For more build options see GNUmakefile .

Download SSLsplit

Read More

BruteXSS - Tool to find XSS vulnerabilities in web application

BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.

This tool was originally developed by Shawar Khan in CLI. I just redesigned it and made it GUI for more convienience.

This tool is developed in Python, so obviously cross platform, you just need Python installed in your machine.

Steps

1. Just download your tool & run brutexss.py (Everything this tool needed is provided to it)

Screenshots

Download BruteXSS

Read More

ansvif - An Advanced Fuzzing Framework Designed To Find Vulnerabilities In C/C++ Code.

ansvif, written primarily in C++, is designed to find code bugs by throwing garbage input at programs to see how they react. This is great for finding bugs, because not every type of input is always handled, and buffers are not always checked, etc. It also comes in handy when writing (and protecting against), buffer overflow exploitation, as well as string input validation vulnerabilities (the %s bug).

Dependancies:
automake autoconf-archive zlib1g-dev libcrypto++ g++ gcc

Compliation:
Linux:

$ aclocal && autoconf && automake -a && ./configure && make

Or, if you would like to play with the syscall fuzzer:

$ aclocal && autoconf && automake -a && ./configure --enable-syscalls && make

OpenBSD:

$ AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'`\
AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'`\
aclocal && AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'`\
AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'`\
autoconf && AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'`\
AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'` automake -a\
&& CXX=eg++ ./configure && make

Windows:
Windows binaries are now desgined to be compiled with MinGW-W64 (since we use threading download a version of MinGW-W64 g++ with seh).

(Go to where you installed MinGW-W64 and click mingw-64.bat)
g++.exe src/common.cpp src/win/bin2hex.cpp src/win/bin2hex_pc.cpp src/win/popen2.cpp src/win/main.cpp src/win/help.cpp src/match_seg.cpp src/win/sys_string.cpp src/win/sys_string_pc.cpp src/win/man_read.cpp src/randomizer.cpp src/trash.cpp -I./ -I./include -std=c++11 -lstdc++ -lpthread -O2 -o ansvif.exe -static -static-libgcc -static-libstdc++
gcc src/win/printf.c -o printf.exe

Note: cygwin .dll external files are no longer required as we now compile with g++ from MinGW. In Windows 7 Powershell v2 is installed by default, however, this program requires atleast Powershell v5. Windows 10 includes powershell v5. You can go to Microsoft's site and download the Windows Management Framework (which includes newer Versions of Powershell here:
https://www.microsoft.com/en-us/download/details.aspx?id=50395

Testing:
If you would like to try out the example code, you can compile faulty.c with:

$ gcc faulty.c -o faulty

Using the example code: You can point the memory back at address \xff\x05\x40\x00\x00\x00\x00\x00 (the subroutine containing the code that spawns bash) with: $ ./faulty -a $(perl -e 'print "A"x24;print "\x00\xff\x05\x40\x00\x00\x00\x00\x00"') The address may be a little different under your distro, check gdb if you really want to try it out. The code above /should/ drop you at a bash prompt. If the code is set to a mode where all are able to execute as another user, it will attempt to spawn a root shell. or simply run make test .

Usage:
Important note: Windows users will have to run ansvif.exe from Powershell for it to work!

$ ./find_suid /usr/bin/ /bin/ /sbin/
$ ./ansvif -[tm] [template/manpage] -c /path/to/executable -b buffersize

Examples:
Linux/BSD:

$ echo "Marshall" ./ansvif -t examples/template -c ./faulty -b 64
$ ./ansvif -m mount -c /bin/mount -e examples/mount_e.txt -x examples/mount_o.txt\
-f 8 -b 2048
$ ./ansvif -t examples/blank.txt -F tmp/tmphtml -x examples/htmltags.txt -c /usr/bin/iceweasel -b\
128 -A "file:///home/username/src/ansvif/tmp/tmphtml"  -f 2 -n -R "sleep 3 && killall\
iceweasel" -S ">"
$ cat examples/linux_syscalls_implemented.list | xargs -P \
`cat examples/linux_syscalls_implemented.list | wc -l` -I {calls} ./ansvif -t examples/space.txt \
-B "{calls} " -c ./syscalls -o syscall_crash -f 1 -z -d -b 16

Windows:

PS C:\ansvif\bin\ansvif_win> .\ansvif -t ..\..\examples\space -F ..\..\tmp\tmphtml -x `
..\..\examples\htmltags -c `
'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' `
-b 128 -A "file:///C:\\Users\marsh\OneDrive\Documents\Code\ansvif\tmp\tmphtml" `
-f 2 -n -S ">" -R "sleep 2 ; Stop-Process -Name chrome"

Options:

  -t This file should hold line by line command arguments as shown in the example file.
  -e This file should hold line by line environment variables as shown in the example
     file.  You can usually get these by doing something like:
     $ strings /bin/mount | perl -ne 'print if /[A-Z]=$/' > mount_envs
  -c Specifies the command path.
  -p Specifies the manpage location (as an integer, usually 1 or 8)
  -m Specifies the commands manpage.
  -D Dumps whats found in the manpage.
  -f Number of threads to use.  Default is 2.
  -b Specifies the buffer size to fuzz with.  256-2048 Is usually sufficient.
  -r Uses only random garbage data.
  -o Writes output to log file.
  -z Randomize the buffer size from 1 to what is specified by -b.
  -x Other junk to put in.  Usernames and such can go here.
  -S Seperator between options.
  -s Omitted character specification.  Defaults are <>\\n |&\[]\()\{}:;\ and newline is mandatory.
  -T Timeout for threads.
  -W Timeout for threads.
  -L Unpriviledged user to run as if root.
  -A Always put whats after this after command to run.
  -B Always put whats after this before the command to run.
  -F File to feed into the program that -x along with normal fuzzing data will be put in.
  -n Never use random data in the fuzz.
  -R Run this command after each fuzz.
  -C A Non standard error code to detect.
  -V Use Valgrind if installed.
  -1 Try to make it fault once, if it doesn't happen, throw error code 64.  Useful for scripting.
  -P Use % to represent binary in fuzz.
  -M Max arguments to use in the fuzz.
  -y Short for -b 0 and usually only useful with -A or -B
  -K Keep fuzzing after a crash in the target.
  -v Verbose.
  -d Debug data.
  -h Shows the help page.

Recommendations: It is recommended that if you are doing long fuzzes or file fuzzing, if possible put the files (including the binary you are fuzzing if possible) in memory. This means, put them somewhere like /var/run/shm where disk thrash will be minimal, and fuzzing will be somewhat faster, especially if large files are being handled. Be warned however: You will lose your fuzzed files if they are in shm and you reboot the machine!

DO NOT RUN THIS CODE IN A PRODUCTION ENVIRONMENT! If you try setting faulty.c's output to suid(0) then PLEASE do it in a virtual machine. or atleast a machine that you don't care about. Other than that, just play around and have fun!

Notes:
Windows users must have ansvif running from Powershell. Linux and Windows code should be relatively stable. Syscall fuzzing under linux is under heavy development.

Download ansvif

Read More

mongoaudit - A Powerful MongoDB Auditing and Pentesting Tool

mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.

Installing with pip

This is the recommended installation method in case you have python and pip .

pip install mongoaudit

Alternative installer

Use this if and only if python and pip are not available on your platform.

curl -s https://mongoaud.it/install | bash

^{works on Mac OS X, GNU/Linux and Bash for Windows 10}
If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with python mongoaudit .

Introduction

It is widely known that there are quite a few holes in MongoDB's default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the MongoDB apocalypse .
mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro!
This is how the actual app looks like:

Yep, that's material design on a console line interface. (Powered by urwid )

Supported tests

• MongoDB listens on a port different to default one
• Server only accepts connections from whitelisted hosts / networks
• MongoDB HTTP status interface is not accessible on port 28017
• MongoDB is not exposing its version number
• MongoDB version is newer than 2.4
• TLS/SSL encryption is enabled
• Authentication is enabled
• SCRAM-SHA-1 authentication method is enabled
• Server-side Javascript is forbidden
• Roles granted to the user only permit CRUD operations *
• The user has permissions over a single database *
• Security bug CVE-2015-7882
• Security bug CVE-2015-2705
• Security bug CVE-2014-8964
• Security bug CVE-2015-1609
• Security bug CVE-2014-3971
• Security bug CVE-2014-2917
• Security bug CVE-2013-4650
• Security bug CVE-2013-3969
• Security bug CVE-2012-6619
• Security bug CVE-2013-1892
• Security bug CVE-2013-2132

Tests marked with an asterisk ( * ) require valid authentication credentials.

How can I best secure my MongoDB?

Once you run any of the test suites provided by mongoaudit , it will offer you to receive a fully detailed report via email. This personalized report links to a series of useful guides on how to fix every specific issue and how to harden your MongoDB deployments.
For your convenience, we have also published the mongoaudit guides in our Medium publication .

Disclaimer

"With great power comes great responsibility"

• Never use this tool on servers you don't own. Unauthorized access to strangers' computer systems is a crime in many countries.
• Please use this tool is at your own risk. We will accept no liability for any loss or damage which you may incur no matter how caused.
• Don't be evil!

Download mongoaudit

Read More

vsaudit - VOIP Security Audit Framework

This is an opensource tool to perform attacks to general voip services It allows to scans the whole network or single host to do the gathering phase, then it is able to search for most known vulnerabilities on the founds alive hosts and try to exploit them.

Install dependencies
To start using vsaudit you must install the 'bundler' package that will be used to install the requireds gem dependencies through the Gemfile.
Download directly from website:

http://bundler.io/

Or install with 'gem' (ruby package manager) with:

deftcode ~ $ gem install bundler

After that the installation has been completed, run (in the directory where is located vsaudit):

deftcode vsaudit $ bundle

Now you can start vsaudit with:

deftcode vsaudit $ ruby vsaudit.rb

NOTE: If you get an error with gem, you need to install the libssl-dev package (kali-linux: apt install libssl-dev).

Environment commands

• Display the available options that can be set
• List the environment variables
• Get the value of environment variable
• Set or change the environment variables

Audit commands

• Check mistakes in the local configuration files
• Scan a local o remote network
• Enumerate the extensions
• Bruteforce extensions
• Get the live network traffic
• Intercept the network traffic by custom bpf

Informations commands

• Get informations about modules or address
• Show the report list
• Show the extensions list

Global commands

• Display the help message
• Quit from the framework

Screenshots

Reference

• Manual: http://deftcode.ninja/post/vsaudit-voip-security-audit-framework
• RFC-3261 (SIP - Session Initiation Protocol): https://www.ietf.org/rfc/rfc3261.txt

Download vsaudit

Read More

[Nessus 5.2] Nessus Vulnerability Scanner

New release of the Nessus vulnerability scanner! This is a major release (moving from 5.0.3 to 5.2.0) and includes several new features and enhancements, including:

• IPv6 is now supported on all platforms (including Windows)
• Nessus server support for Windows 8 and Windows 2012
• Add attachments within scan result reports
• Mac OS X preference pane
• Digitally-signed Nessus RPM packages for supporting distributions
• Smaller memory footprint and reduced disk space usage
• Faster, more responsive web interface (uses less bandwidth)
• No longer need to visit the Tenable website for an activation code!

Several key features are described in detail below, including examples of the new MAC OS X preference pane and the new attachments feature:

Add Attachments to Scan Results

Information collected during the scan can now be included in the results as an attachment. The first iteration of attachments will be screenshots, but any attachment type can be included.

Remote Desktop Protocol (RDP)

If Nessus discovers Remote Desktop Protocol on a target, a screenshot is taken. This can reveal information such as the operating system version and the currently-logged-on user.

VNC

If Nessus discovers a target is running VNC without a password to restrict access, a screenshot is included in the results. The above example shows the system using a web browser to visit the www.tenable.com website.

Websites

For Internet-connected web servers, Nessus will take a screenshot of the website as if you visited the website using a web browser. This feature is useful to identify the applications you are testing, including making sure you are testing the correct virtual host.

Mac OS X Preference Pane

The addition of a Nessus server preference pane in OS X allows the user to stop and start the Nessus server process and configure whether or not Nessus is started at boot time.

Getting Nessus 5.2

New users may download and evaluate Nessus free of charge by visiting the Nessus home page. Current customers can download 5.2 from the Tenable Support Portal. Detailed instructions and notes on upgrading are located in the Nessus 5.2 Installation and Configuration Guide.

Nessus ProfessionalFeed and Perimeter Service customers: Please contact Tenable Support (support -at- tenable.com) with any questions regarding the upgrade to Nessus 5.2.0. Users may also visit the Tenable Discussion Portal for more information.

Download Nessus 5.2

Read More

[Vega v1.0] Web Application Security Scanner

Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript.

Vega was developed by Subgraph in Montreal.

Features

• Automated Crawler and Vulnerability Scanner
• Consistent UI
• Website Crawler
• Intercepting Proxy
• SSL MITM
• Content Analysis
• Extensibility through a Powerful Javascript Module API
• Customizable alerts
• Database and Shared Data Model

Some of the features in the 1.0 release include:

• Active proxy scanner
• Greatly improved detections
• Greatly improved support for authenticated scanning
• API enhancements
• HTTP message viewer enhancements

Modules

• Cross Site Scripting (XSS)
• SQL Injection
• Directory Traversal
• URL Injection
• Error Detection
• File Uploads
• Sensitive Data Discovery

Download Vega v1.0 RC84

Read More

[ExploitSearch.net] Exploit / Vulnerability Search Engine

Exploitsearch.net, is an attempt at cross referencing/correlating exploits and vulnerability data from various sources and making the resulting database available to everyone. 

Unlike other exploit search engines which are simply custom google searches, this site actually crawls the source databases/websites and parses the contained data. Once the data is collected and parsed, it is inserted into the www.exploitsearch.net database and becomes available for searching. 

ExploitSearch.net

Read More

[ExploitShield Browser Edition] Forget about browser vulnerabilities

ExploitShield Browser Edition protects against all known and unknown 0-day day vulnerability exploits, protecting users where traditional antivirus and security products fail. It consists of an innovative patent-pending vulnerability-agnostic application shielding technology that prevents malicious vulnerability exploits from compromising computers.

Includes "shields" for all major browsers (IE, Firefox, Chrome, Opera) and browser all components such as Java, Adobe Reader, Flash, Shockwave. Blocks all exploit kits such as Blackhole, Sakura, Phoenix, Incognito without requiring any signature updates.

No need to train or configure, ExploitShield is 100% install-and-forget anti-exploit solution. Read more: ExploitShield Browser Edition. The ZeroVulnerabilityLabs website maintains a realtime list of detected threats and their VirusTotal results.

Download

Read More

[Burp Suite] Free Edition v1.5

Burp Suite helps you secure your web applications by finding the vulnerabilities they contain.  Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

User Interface:

• Burp's UI has been completely overhauled, to improve looks and usability:
• Fonts are now available throughout the UI, with corresponding resizing of all UI elements (tables, dialogs, buttons, etc.).
• There are configurable hotkeys for all common functions.
• Intruder and Repeater now have smart tabs, which you can drag to reorder, and click to create, close or rename.
• Tables are natively sortable everywhere, except where the row ordering is part of the options you are configuring.
• Text fields now have context-aware auto-complete memory.

Burp now implements sslstrip-style functionality, allowing you to use non-SSL-capable tools against HTTPS applications, or to perform active MITM attacks against users who begin browsing using HTTP.

Download Burp Suite Free Edition v1.5

Read More