Network Protocol Analyzer - Wireshark 2.0.5

If you've ever wondered just how your network is being used, Wireshark may be the tool you have been looking for. Network analysers are nothing new, but they have a tendency to be impenetrable programs reliant on command line operations and provide information in a text based form which can be difficult to interpret. Wireshark boasts a graphical front end which makes it easy to analyse all traffic which travels over a network using a variety of protocols.

Data packets can be captured from both wired and wireless network and this information can be viewed live as it is captured or analysed at a later date. The wealth of information that the program can reveal about network usage is staggering, and support for plugins means that the tool can be extended to add new protocols and features further down the line. Wireshark is available for Windows, Linux and Mac, making it ideal for mixed platform networks .

As well as working with data that has been captured directly through Wireshark itself, it is also possible to analyse data that has been captured with the likes of Aircrack, tcpdump and CA NetMaster. Easy to configure colouring and filtering makes it simple to make sense of complex data, and while this is not a tool for the average home user, it remain powerful yet approachable.

OffSec

Download Wireshark

Read More

Deepmagic Information Gathering Tool - DMitry

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux Command Line Application coded in C language.

DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more. The information are gathered with following methods:

• Perform an Internet Number whois lookup.
• Retrieve possible uptime data, system and server data.
• Perform a SubDomain search on a target host.
• Perform an E-Mail address search on a target host.
• Perform a TCP Portscan on the host target.
• A Modular program allowing user specified modules

Download and installation

DMitry can be downloaded by issuing following commands:

$ cd /data/src/
$ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz

For installation, issue following commands:

$ tar xzvf DMitry-1.3a.tar.gz
$ cd DMitry-1.3a/
$ ./configure
$ make
$ sudo make install

Then optionally create a symbolic link to your /pentest/ directory:

$ mkdir -p /pentest/enumeration/dmitry/
$ ln -s /usr/local/bin/dmitry /pentest/enumeration/dmitry/dmitry

Use

help
DMitry help can be displayed by issuing:

$ dmitry --help

Download DMitry

Read More

A DNS Reconnaissance Tool for Locating Non-Contiguous IP Space - Fierce

First, credit where credit is due, fierce was originally written by RSnake along with others at http://ha.ckers.org/ . This is simply a conversion to Python 3 to simplify and modernize the codebase.

The original description was very apt, so I'll include it here:

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

Installing

$ pip3 install fierce
$ fierce -h

OR

$ git clone https://github.com/mschwager/fierce.git
$ cd fierce
$ pip3 install -r requirements.txt
$ python3 fierce.py -h

Using
Let's start with something basic:

$ fierce --domain google.com --subdomains accounts admin ads

Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:

$ fierce --domain facebook.com --subdomains admin --traverse 10

Limit nearby IP traversal to certain domains with the --search flag:

$ fierce --domain facebook.com --subdomains admin --search fb.com fb.net

Attempt an HTTP connection on domains discovered with the --connect flag:

$ fierce --domain stackoverflow.com --subdomains mail --connect

Exchange speed for breadth with the --wide flag, which looks for nearby domains on all IPs of the /24 of a discovered domain:

$ fierce --domain facebook.com --wide

Zone transfers are rare these days, but they give us the keys to the DNS castle. zonetransfer.me is a very useful service for testing for and learning about zone transfers:

$ fierce --domain zonetransfer.me

To save the results to a file for later use we can simply redirect output:

$ fierce --domain zonetransfer.me > output.txt

Internal networks will often have large blocks of contiguous IP space assigned. We can scan those as well:

$ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24

Check out --help for further information:

$ fierce --help

Download Fierce

Read More

the Nmap Project's packet sniffing library for Windows - Npcap

Npcap is an update of WinPcap to NDIS 6 Light-Weight Filter (LWF) technique. It supports Windows Vista, 7, 8 and 10 . It is sponsored by the Nmap Project and developed by Yang Luo under Google Summer of Code 2013 and 2015 . It also received many helpful tests from Wireshark and NetScanTools .

Features

1. NDIS 6 Support : Npcap makes use of new NDIS 6 Light-Weight Filter (LWF) API in Windows Vista and later (the legacy driver is used on XP). It's faster than the deprecated NDIS 5 API, which Microsoft could remove at any time.
2. Extra Security : Npcap can be restricted so that only Administrators can sniff packets. If a non-Admin user tries to utilize Npcap through software such as Nmap or Wireshark, the user will have to pass a User Account Control (UAC) dialog to utilize the driver. This is conceptually similar to UNIX, where root access is generally required to capture packets.
3. WinPcap Compatibility : If you choose WinPcap Compatible Mode at install-time, Npcap will use the WinPcap-style DLL directories c:\Windows\System32 and servcie name npf , allowing software built with WinPcap in mind to transparently use Npcap instead. If compatability mode is not selected, Npcap is installed in a different location C:\Windows\System32\Npcap with a different service name npcap so that both drivers can coexist on the same system. In this case, applications which only know about WinPcap will continue using that, while other applications can choose to use the newer and faster Npcap driver instead.
4. Loopback Packet Capture : Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP) . After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
5. Loopback Packet Injection : Npcap is also able to send loopback packets using the Winsock Kernel (WSK) technique. User-level software such as Nping can just send the packets out using Npcap Loopback Adapter just like any other adapter. Npcap then does the magic of removing the packet's Ethernet header and injecting the payload into the Windows TCP/IP stack.
6. Raw 802.11 Packet Capture : Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to select the Support raw 802.11 traffic (and monitor mode) for wireless adapters option in the installation wizard to enable this feature. When your adapter is in Monitor Mode , Npcap will supply all 802.11 data + control + management packets with radiotap headers. When your adapter is in Managed Mode , Npcap will only supply 802.11 data packets with radiotap headers. Moreover, Npcap provides the WlanHelper.exe tool to help you switch to Monitor Mode on Windows. See more details about this feature in section For softwares that use Npcap raw 802.11 feature . See more details about radiotap here: http://www.radiotap.org/

Documentation

Npcap Users' Guide

Build

Run installer\Build.bat : build all DLLs and the driver. The DLLs need to be built using Visual Studio 2013 . And the driver needs to be built using Visual Studio 2015 with Windows SDK 10 10586 & Windows Driver Kit 10 10586 .

Packaging

Run installer\Deploy.bat : copy the files from build directories to deployment directories and sign the files. Generate an installer named npcap-nmap-%VERSION%.exe using NSIS large strings build with the SysRestore plug-in (special build for Npcap) and sign the installer.

Generating debug symbols (optional)

Run installer\Deploy_Symbols.bat : copy the debug symbol files (.PDB) from build directories to deployment directories and package them into a zip file named npcap-nmap-<VERSION>-DebugSymbols.zip using 7-Zip .

Download Npcap

Read More

Script to collect information to the client side - GetDataReport

Script in PHP+JS for get information of target through a web application, use $_SERVER functions and JS functions for get information of our client.

Plugin (WEBApps)

in some web applications need to collect information from the client to perform tasks with this plugin will be easier to work with the variables you need.

<?php

include("GetdataReport.Plugin.php");
$data = new GetDataPlugin();

echo "<br>IP               ".$data->ip();
echo "<br>Operative System ".$data->os();
echo "<br>Browser          ".$data->browser();
echo "<br>Screen height    ".$data->height();
echo "<br>Screen width     ".$data->width();
echo "<br>Java enabled     ".$data->javaenabled();
echo "<br>Cookie enabled   ".$data->cookieenabled();
echo "<br>Language         ".$data->language();
echo "<br>Architecture     ".$data->architecture();
echo "<br>Device           ".$data->device();
echo "<br>Country          ".$data->geo('country');
echo "<br>Region           ".$data->geo('region');
echo "<br>Continent        ".$data->geo('continent');
echo "<br>City             ".$data->geo('city');
echo "<br>Logitude         ".$data->geo('logitude');
echo "<br>Latitude         ".$data->geo('latitude');
echo "<br>Currency         ".$data->geo('currency');
echo "<br>Provetor         ".$data->provetor();
echo "<br>Agent            ".$data->agent();
echo "<br>Referer          ".$data->referer();
echo "<br>Date             ".$data->getdate();


 ?>

Hack (Social engineering)

With this script we can collect information from a target performing a routing and generating an html page report.

        HTTP://127.0.0.1/GetdataReport.php?id=any&j=yes&url=google.com

Download GetDataReport

Read More

Security Intelligence Collector - Machinae

Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints. It was inspired by Automater , another excellent tool for collecting information. The Machinae project was born from wishing to improve Automater in 4 areas:

1. Codebase - Bring Automater to python3 compatibility while making the code more pythonic
2. Configuration - Use a more human readable configuration format (YAML)
3. Inputs - Support JSON parsing out-of-the-box without the need to write regular expressions, but still support regex scraping when needed
4. Outputs - Support additional output types, including JSON, while making extraneous output optional

Installation

Machinae can be installed using pip3:

pip3 install machinae

Or, if you're feeling adventurous, can be installed directly from github:

pip3 install git+https://github.com/HurricaneLabs/machinae.git

You will need to have whatever dependencies are required on your system for compiling Python modules (on Debian based systems, python3-dev ), as well as the libyaml development package (on Debian based systems, libyaml-dev ).
You'll also want to grab the latest configuration file and place it in /etc/machinae.yml.

Configuration File

Machinae supports a simple configuration merging system to allow you to make adjustments to the configuration without modifying the machinae.yml we provide you, making configuration updates a snap. This is done by finding a system-wide default configuration (default /etc/machinae.yml ), merging into that a system-wide local configuration ( /etc/machinae.local.yml ) and finally a per-user local configuration ( ~/.machinae.yml ). The system-wide configuration can also be located in the current working directory, can be set using the MACHINAE_CONFIG environment variable, or of course by using the -c or --config command line options. Configuration merging can be disabled by passing the --nomerge option, which will cause Machinae to only load the default system-wide configuration (or the one passed on the command line).
As an example of this, say you'd like to enable the Fortinet Category site, which is disabled by default. You could modify /etc/machinae.yml , but these changes would be overwritten by an update. Instead, you can put the following in either /etc/machinae.local.yml or ~/.machinae.yml:

fortinet_classify:
  default: true

Or, conversely, to disable a site, such as Virus Total pDNS:

vt_ip:
  default: false
vt_domain:
  default: false

Usage

Machinae usage is very similar to Automater:

usage: machinae [-h] [-c CONFIG] [-d DELAY] [-f FILE] [--nomerge] [-o {D,J,N}]
                [-O {ipv4,ipv6,fqdn,email,sslfp,hash,url}] [-q] [-s SITES]
                targets [targets ...]

• See above for details on the -c / --config and --nomerge options.
  
• Machinae supports a -d / --delay option, like Automater. However, Machinae uses 0 by default.
  
• Machinae output is controlled by two arguments:
  
  • -o controls the output format, and can be followed by a single character to indicated the desired type of output:
    • N is the default output ("Normal")
    • D is the default output, but dot characters are replaced
    • J is JSON output
  • -f / --file specifies the file where output should be written. The default is "-" for stdout.
• Machinae will attempt to auto-detect the type of target passed in (Machinae refers to targets as "observables" and the type as "otype"). This detection can be overridden with the -O / --otype option. The choices are listed in the usage
  
• By default, Machinae operates in verbose mode. In this mode, it will output status information about the services it is querying on the console as they are queried. This output will always be written to stdout, regardless of the output setting. To disable verbose mode, use -q
  
• By default, Machinae will run through all services in the configuration that apply to each target's otype and are not marked as "default: false". To modify this behavior, you can:
  
  • Pass a comma separated list of sites to run (use the top level key from the configuration).
  • Pass the special keyword all to run through all services including those marked as "default: false"
  Note that in both cases, otype validation is still applied.
  
• Lastly, a list of targets should be passed. All arguments other than the options listed above will be interpreted as targets.
  

Out-of-the-Box Data Sources

Machinae comes with out-of-the-box support for the following data sources:

• IPVoid
• URLVoid
• URL Unshortener ( http://www.toolsvoid.com/unshorten-url )
• Malc0de
• SANS
• Telize GeoIP
• Fortinet Category
• VirusTotal pDNS (via web scrape - commented out)
• VirusTotal pDNS (via JSON API)
• VirusTotal URL Report (via JSON API)
• VirusTotal File Report (via JSON API)
• Reputation Authority
• ThreatExpert
• VxVault
• ProjectHoneypot
• McAfee Threat Intelligence
• StopForumSpam
• Cymru MHR
• ICSI Certificate Notary
• TotalHash (disabled by default)
• DomainTools Parsed Whois (Requires API key)
• DomainTools Reverse Whois (Requires API key)
• DomainTools Reputation
• IP WHOIS (Using RIR REST interfaces)

With additional data sources on the way.

Disabled by default

The following sites are disabled by default

• Fortinet Category ( fortinet_classify )
• TotalHash ( totalhash_ip )
• DomainTools Parsed Whois ( domaintools_parsed_whois )
• DomainTools Reverse Whois ( domaintools_reverse_whois )
• DomainTools Reputation ( domaintools_reputation )

Output Formats

Machinae comes with a limited set of output formats: normal, normal with dot escaping, and JSON. We plan to add additional output formats in the future.

Adding additional sites

*** COMING SOON ***

Known Issues

• Some ISP's on IPvoid contain double-encoded HTML entities, which are not double-decoded

Upcoming Features

• Add IDS rule search functionality (VRT/ET)
• Add "More info" link for sites
• Add "dedup" option to parser settings
• Add option for per-otype request settings
• Add custom per-site output for error codes

Version History

Version 1.2.0 (2016-02-16)

• New features
  • Support for sites returning multiple JSON documents
  • Ability to specify time format for relative time parameters
  • Ability to parse Unix timestamps in results and display in ISO-8601 format
  • Ability to specify status codes to ignore per-API
• New sites
  • DNSDB - FarSight Security Passive DNS Data base (premium)

Version 1.1.2 (2015-11-26)

• New sites
  • Telize (premium) - GeoIP site (premium)
  • Freegeoip - GeoIP site (free)
  • CIF - CIFv2 API support, from csirtgadgets.org
• New features
  • Ability to specify labels for single-line multimatch JSON outputs
  • Ability to specify relative time parameters using relatime library

Version 1.0.1 (2015-10-13)

• Fixed a false-positive bug with Spamhaus (Github#10)

Version 1.0.0 (2015-07-02)

• Initial release

Download Machinae

Read More

An Automated SMB Relay Script - Chuckle

Chuckle is an automated SMB Relay Script.


Chuckle requires a few tools to work:

• SMBRelayX.py
• Veil (latest version from git)
• Responder (Chuckle will detect which version you are using.)
• Nmap
• Nbtscan (unixwiz)
• MSFconsole

Usuage should be fairly simple, run as root or use sudo:

sudo ./chuckle.sh

Wait a while or coax a prvileged user into authenticating against you and you should end up with a shell on your target machine.

Be careful when running this and never run on a network you are not permitted to do so.

Download Chuckle

Read More

Browser Based Security Framework - Mantra Janus

OWASP Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

Browser Based Security Framework: Mantra Janus

OWASP Mantra is a free and open source security toolkit with a collection of add-ons and scripts based on Firefox and Chromium. It is intended for web application penetration testers, web application developers, security professionals, etc. Earlier versions of Mantra used Firefox as base named “Mantra Security Toolkit’. From September 2011 onwards Mantra started offering a new distribution called ‘MoC’, based on Google Chrome. As of May 2012, both the products are available and are active.


Features

Mantra comes packed with many tools and other extensions that are useful for web application penetration testing. Some additional changes are applied to the normal Firefox to avoid extra traffic and noises.

Other notable features include:

ºFireCAT/ KromCAT menu structure makes the tools menu more organised and easy to access.
ºSidebar of Mantra provides quick access to tools and other features
ºThe awesome bar acts as URL bar and search bar at the same time. Various details about the currently visited webpage are also shown in the awesome bar.
ºAdd to search bar feature helps users to customise default search feature of awesome bar.
ºURL increment/ decrement buttons helps in applying quick changes to the URL.
ºHackery aka The Open Pentest Bokkmarks Collection gives links to various resources and portal that are related to penetration testing.
ºGalley bookmarks provides links to various on-line penetration testing related services.
ºProxy, Cookie and Cache management tools
ºFTP, SSH, REST and SQLite clients


Tools


The OWASP Mantra Security Toolkit has tools under the following categories:

ºInformation gathering
ºEditors
ºNetwork utilities
ºMiscellaneous
ºApplication auditing
ºProxy


Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

Download Mantra

Read More

Web Application Security Reconnaissance - Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features:

High speed:

pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.

Ease of use:

heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

Cutting-edge security logic:

high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Download Skipfish

Read More

Search engine that allows computer scientists - Censys

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed. [more information]

Access Censys

Read More

Automatic search for GitHub - GitMiner

 + Autor: Danilo Vaz a.k.a. UNK
 + Blog: http://unk-br.blogspot.com
 + Github: http://github.com/danilovazb
 + Twitter: https://twitter.com/danilovaz_unk

DESCRIPTION

Advanced search tool and automation in Github.
This tool aims to facilitate research by code or code 
snippets on github through the site's search page.

MOTIVATION

Demonstrates the fragility of trust in public repositories to store codes with sensitive information.

REQUERIMENTS

argparse
requests
json
lxml

INSTALL

git clone http://github.com/danilovazb/GitMiner

sudo apt-get install python-requests python-lxml 

OR

pip install lxml requests

HELP

Automatic search for GitHub.                                                            
 + Autor: Danilo Vaz a.k.a. UNK
 + Blog: http://unk-br.blogspot.com
 + Github: http://github.com/danilovazb
 + Gr33tz: l33t0s, RTFM


[-h] [-q 'filename:shadown path:etc']
       [-m wordpress] [-o result.txt]

optional arguments:
  -h, --help            show this help message and exit
  -q 'filename:shadown path:etc', --query 'filename:shadown path:etc'
                        Specify search term
  -m wordpress, --module wordpress
                        Specify the search module
  -o result.txt, --output result.txt
                        Specify the output file where it will be

                        saved

EXAMPLE

Searching for wordpress configuration files with passwords:


$:> python git_miner.py -q 'filename:wp-config extension:php FTP_HOST in:file ' -m wordpress -o result.txt

Looking for brasilian government files containing passwords:

$:> python git_miner.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas

Looking for shadow files on the etc paste:

$:> python git_miner.py --query 'filename:shadow path:etc' -m root

Searching for joomla configuration files with passwords:


$:> python git_miner.py --query 'filename:configuration extension:php "public password" in:file' -m joomla

Download GitMiner

Read More

Automatic SQL Injection And Database Takeover Tool - SQLMap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
• Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
• Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
• Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
• Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Refer to the wiki for an exhaustive breakdown of the features.

Download SQLMap

Read More

Vulnerability Scanner With Custom Payload - PyScan-Scanner

REQUIRE

• urllib2
• BeautifulSoup
• requests

START

• Change database information

$bdd = new PDO('mysql:host=localhost;dbname=pyscan', 'user', 'password');

• Update a Python gate

panel_url = "http://localhost/pyscan/"
gate_scraper = "cmd/gate.php"
gate_scanner = "cmd/scan.php"
gate_vuln = "cmd/vuln.php"
gate_payload = "panel/api/payload.php"
gate_database = "panel/api/database.php"

Upload the .SQL

mysql -u username -p database_name < file.sql

Login

Username: root
password: toor

Make payload !

Test payload

python pyscan.py -u "http://exemple.com/id=2" -s -p PAYLOAD_ID

Test all payload

python pyscan.py -u "http://exemple.com/id=2" -s --all

Import mass link

Test all link

python pyscan.py --database

Download Pyscan-Scanner

Read More