Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Showing posts with label Information Gathering. Show all posts

Tuesday, February 6, 2018

A Penetration Testing Framework - Fsociety Hacking Tools Pack




A penetration testing framework that gives you every script a hacker needs.

Menu
  • Information Gathering
  • Password Attacks
  • Wireless Testing
  • Exploitation Tools
  • Sniffing & Spoofing
  • Web Hacking
  • Private Web Hacking
  • Post Exploitation
  • INSTALL & UPDATE

Information Gathering :
  • Nmap
  • Setoolkit
  • Port Scanning
  • Host To IP
  • wordpress user
  • CMS scanner
  • XSStracer
  • Dork - Google Dorks Passive Vulnerability Auditor
  • Scan A server's Users

Password Attacks :
  • Cupp
  • Ncrack

Wireless Testing :
  • reaver
  • pixiewps

Exploitation Tools :
  • Venom
  • sqlmap
  • Shellnoob
  • commix
  • FTP Auto Bypass
  • jboss-autopwn

Sniffing & Spoofing :
  • Setoolkit
  • SSLtrip
  • pyPISHER
  • SMTP Mailer

Web Hacking :
  • Drupal Hacking
  • Inurlbr
  • Wordpress & Joomla Scanner
  • Gravity Form Scanner
  • File Upload Checker
  • Wordpress Exploit Scanner
  • Wordpress Plugins Scanner
  • Shell and Directory Finder
  • Joomla! 1.5 - 3.4.5 remote code execution
  • Vbulletin 5.X remote code execution
  • BruteX - Automatically brute force all services running on a target
  • Arachni - Web Application Security Scanner Framework

Private Web Hacking
  • Get all websites
  • Get joomla websites
  • Get wordpress websites
  • Control Panel Finder
  • Zip Files Finder
  • Upload File Finder
  • Get server users
  • SQli Scanner
  • Ports Scan (range of ports)
  • ports Scan (common ports)
  • Get server Info
  • Bypass Cloudflare

Post Exploitation
  • Shell Checker
  • POET
  • Phishing Framework

Install Me
  • Install directly on the system (only for Linux and Mac)
  • Updates instantly when there is a new update

Installation Linux
[✓] git clone https://github.com/Manisso/fsociety.git
[✓] cd fsociety && python fsociety.py
[◉] 0 : INSTALL & UPDATE
[◉] -> 0
[✓] press 0
[✓] Congratulations, Fsociety is installed!

Installation Windows
[✓] Download Python 2.7
[✓] Download fsociety
[✓] Extract fsociety into Desktop
[◉] Open CMD and type the following commands:
[✓] $cd Desktop/fsociety-master/
[✓] $python fsociety.py

Use





Sunday, January 7, 2018

People tracker on the Internet (The evolution of phishing attacks) OSINT - Trape


Trape is a reconnaissance tool that lets you track people; the information you can get is very detailed. We want to teach the world through it how large Internet companies could monitor you, obtaining information beyond your IP.

Some benefits
  • One of its most enticing functions is the remote recognition of sessions: you can find out, remotely, where a person has logged in. This works through a bypass of the Same Origin Policy (SOP).
  • Currently you can try everything from a web interface. (The console becomes a preview of the logs and actions.)
  • Registration of victims, requests and other data are obtained in real time.
  • If you get more information about a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and learn their behavior.
  • You can do real time phishing attacks
  • Simple hooking attacks
  • Mapping
  • Important details of the objective
  • Capturing credentials
  • Open Source Intelligence (OSINT)

Recognizes the sessions of the following services
  • Facebook
  • Twitter
  • VK
  • Reddit
  • Gmail
  • tumblr
  • Instagram
  • Github
  • Bitbucket
  • Dropbox
  • Spotify
  • PayPal
  • Amazon

How to use it
First download the tool.
git clone https://github.com/boxug/trape.git
cd trape
python trape.py -h
If it does not work, install all the libraries listed in the file requirements.txt:
pip install -r requirements.txt
Example of execution
Example: python trape.py --url http://example.com --port 8080
  • In the --url option you put the lure: a news page, an article, anything that serves as a presentation page.
  • In the --port option you put the port you want it to run on.
  • Do you like to monitor your people? Everything is possible with Trape.
  • Do you want to perform phishing attacks? Everything is possible with Trape.
  • In the Files directory, located at /static/files, you add the .exe files or other downloads that are sent to the victim.

Here are some simple videos to use:
Spanish: https://www.youtube.com/watch?v=ptyuCQmMKiQ
English: https://www.youtube.com/watch?v=FdwyIZhUx3Y
At an international security event in Colombia, called DragonJAR Security Conference 2017, a demonstration was made before the launch. You can watch the video here: https://www.youtube.com/watch?v=vStSEsznxgE

Disclaimer
This tool has been published for educational purposes, in order to teach people how bad guys could track them, monitor them or obtain information from their credentials; we are not responsible for the use or the scope that people may give this project.
We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Developers or participants
The following people are part of the core of development and research at Boxug.
For this development and others, the participants will be listed with name, Twitter handle and role.



Sunday, December 31, 2017

Hostile Subdomain Takeover tool written in Go - subjack





subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.

Installing
You need to have Go installed. Full details of installation and set up can be found here.
go build subjack.go

How To Use:
./subjack -w domains.txt -t 100 -timeout 30 -o results.txt -https
  • -w domains.txt is your list of subdomains. I recommend using cname.sh (included in repository) to sift through your subdomain list for ones that have CNAME records attached and use that list to optimize and speed up testing.
  • -t is the number of threads (default: 10).
  • -timeout is the number of seconds to wait before a connection times out (default: 10).
  • -o results.txt is the file to save results to (optional).
  • -https enforces HTTPS requests, which may return a different set of results and increase accuracy (optional).
Currently checks for:
  • Amazon S3 Bucket
  • Amazon Cloudfront
  • Cargo
  • Fastly
  • FeedPress
  • Ghost
  • Github
  • Helpjuice
  • Help Scout
  • Heroku
  • Pantheon.io
  • Shopify
  • Surge
  • Tumblr
  • UserVoice
  • WordPress
  • WP Engine

Practical Use
subjack includes scanio.sh, a PoC-style script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for the desired CNAME records and builds a large list of subdomains for subjack to check for Hostile Subdomain Takeover. Of course this isn't the only method to get a large amount of data to test.
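The check subjack automates is: does the subdomain CNAME to a third-party provider, and does that provider answer with its "resource not claimed" page? The following is an added Python illustration of that logic, not subjack's own code. The provider table (PROVIDERS) and the DNS/HTTP answers (SAMPLE_CNAMES, SAMPLE_BODIES) are constructed for the example; a real run would resolve each name and fetch its page, and as the post says, every hit still needs manual confirmation.

```python
"""Dangling-CNAME (subdomain takeover) candidate finder.

Added illustration in the spirit of subjack, not the project's own code.
The provider fingerprint table and the DNS/HTTP answers below are
constructed for this example; a real run would resolve each name and
fetch its page, and every hit still needs manual confirmation.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fingerprint table: CNAME suffix -> (provider, text an
# unclaimed resource serves). Real fingerprints vary per provider.
PROVIDERS: Dict[str, Tuple[str, str]] = {
    ".s3.amazonaws.com": ("Amazon S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("Heroku", "No such app"),
}

# Lookup callback shape: name -> answer text, or None when there is none.
Lookup = Callable[[str], Optional[str]]


def has_cname(name: str, cname_of: Lookup) -> bool:
    """The cname.sh pre-filter: only names with a CNAME are worth testing."""
    return cname_of(name) is not None


def classify(name: str, cname_of: Lookup, body_of: Lookup) -> Optional[Dict[str, str]]:
    """Flag `name` when its CNAME points at a known provider and the page
    served for it carries that provider's 'unclaimed resource' text."""
    target = cname_of(name)
    if target is None:
        return None                        # no CNAME: outside this check's scope
    target = target.rstrip(".").lower()    # normalise the trailing dot from DNS
    for suffix, (provider, fingerprint) in PROVIDERS.items():
        if target.endswith(suffix):
            body = body_of(name) or ""
            if fingerprint in body:
                return {"subdomain": name, "cname": target, "provider": provider}
            return None                    # provider CNAME, but the resource is claimed
    return None                            # CNAME to a host we have no fingerprint for


def scan(names: List[str], cname_of: Lookup, body_of: Lookup,
         threads: int = 10) -> List[Dict[str, str]]:
    """Check all CNAME'd names concurrently (subjack's -t) and collect findings."""
    candidates = [n for n in names if has_cname(n, cname_of)]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda n: classify(n, cname_of, body_of), candidates))
    return [r for r in results if r is not None]


# Constructed sample answers standing in for live DNS and HTTP lookups.
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "assets.example.test": "old-bucket.s3.amazonaws.com.",   # bucket no longer exists
    "docs.example.test": "example-docs.github.io.",          # site still published
    "app.example.test": "live-app.herokuapp.com.",           # app was deleted
    "www.example.test": None,                                # plain A record, no CNAME
}
SAMPLE_BODIES: Dict[str, str] = {
    "assets.example.test": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.test": "<h1>Welcome to the docs</h1>",
    "app.example.test": "No such app",
}


def demo() -> List[Dict[str, str]]:
    """Run the scan over the constructed data; returns the two dangling names."""
    return scan(list(SAMPLE_CNAMES), SAMPLE_CNAMES.get, SAMPLE_BODIES.get, threads=4)


if __name__ == "__main__":
    for f in demo():
        print(f"[candidate] {f['subdomain']} -> {f['cname']} ({f['provider']}): verify manually")
```

Only two of the four constructed names come back: the one whose bucket is gone and the one whose app was deleted. docs.example.test also CNAMEs to a provider but serves real content, which is exactly the false positive a fingerprint-less check would raise.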





Thursday, July 27, 2017

Avoid being scanned by spoiling movies on all your ports! - spoilerwall




Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!
Firewall? How about Fire'em'all! Stop spending thousands of dollars on big teams that you don't need! Just fire up the Spoilers Server and that's it!

Movie Spoilers DB + Open Ports + Pure Evil = Spoilerwall

Set your own:
  1. Clone this repo
$ git clone git@github.com:infobyte/spoilerwall.git
  2. Edit the file server-spoiler.py and set the HOST and PORT variables.
  3. Run the server
$ python2 server-spoiler.py
The server will listen on the selected port (8080 by default). Redirect incoming TCP traffic on all ports to this service by running:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination {HOST}:{PORT}
Change {HOST} and {PORT} to the values set in step 2. Also, if the traffic is redirected to localhost, run:
sysctl -w net.ipv4.conf.eth0.route_localnet=1
Using this config, an nmap scan will show every port as open and a spoiler for each one.
View the live demo running in spoilerwall.faradaysec.com
~ ❯❯❯ telnet spoilerwall.faradaysec.com 23
Trying 138.197.196.144...
Connected to spoilerwall.faradaysec.com.
Escape character is '^]'.
Gummo
Fucked up people killing cats after a tornado
Connection closed by foreign host.
Browse in Shodan (but beware of the Spoilers!):
https://www.shodan.io/host/138.197.196.144
Be careful in your next CTF - you never know when the spoilers are coming!
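The mechanism behind the demo is a plain TCP banner server sitting behind the DNAT rule above. The following added Python example shows what such a server looks like; it is not the project's server-spoiler.py, and the spoiler lines are constructed placeholders. It also reads SO_ORIGINAL_DST (a Linux netfilter socket option, assumed to be available when the iptables rule is in use) to recover the port the scanner actually dialled, which turns the decoy into a cheap log of who is probing which ports.

```python
"""Banner server in the spirit of Spoilerwall (added example, not the
project's server-spoiler.py). Spoiler lines are constructed placeholders.

With the DNAT rule from the post every TCP port is steered here, so a port
scanner sees every port open and each connection receives one spoiler.
SO_ORIGINAL_DST (Linux netfilter) recovers the port the client actually
dialled; on other platforms that lookup is skipped.
"""
import random
import socket
import struct
import threading
from typing import Optional, Tuple

# Constructed spoiler database; the real tool ships its own movie list.
SPOILERS = [
    "Placeholder Film A: the narrator was dead the whole time.",
    "Placeholder Film B: the twin did it.",
    "Placeholder Film C: it was all a dream.",
]

SO_ORIGINAL_DST = 80  # netfilter socket option number (Linux only)


def parse_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Decode the 16-byte struct sockaddr_in returned by SO_ORIGINAL_DST."""
    port, addr = struct.unpack("!2xH4s8x", raw[:16])
    return socket.inet_ntoa(addr), port


def encode_sockaddr_in(addr: str, port: int) -> bytes:
    """Inverse of parse_sockaddr_in; lets the decoder be exercised offline."""
    return struct.pack("!2xH4s8x", port, socket.inet_aton(addr))


def original_destination(conn: socket.socket) -> Optional[Tuple[str, int]]:
    """Port the scanner really connected to, before the DNAT rule rewrote it."""
    try:
        return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    except (OSError, AttributeError):
        return None


def build_banner(spoiler: str) -> bytes:
    """One line of text, CRLF-terminated, as in the telnet transcript above."""
    return spoiler.encode("utf-8") + b"\r\n"


def pick_spoiler(rng: random.Random, db=SPOILERS) -> str:
    return rng.choice(db)


def demo_banner(seed: int) -> bytes:
    """Deterministic banner for a seed: what one connection would receive."""
    return build_banner(pick_spoiler(random.Random(seed)))


def handle(conn: socket.socket, rng: random.Random) -> None:
    try:
        dst = original_destination(conn)
        conn.sendall(build_banner(pick_spoiler(rng)))
        # Record which port was probed: free telemetry about who is scanning you.
        print(f"served spoiler to {conn.getpeername()[0]} on port {dst[1] if dst else '?'}")
    except OSError:
        pass
    finally:
        conn.close()


def make_listener(host: str = "127.0.0.1", port: int = 8080) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(128)
    return srv


def serve(listener: socket.socket, rng: Optional[random.Random] = None,
          max_conns: Optional[int] = None) -> int:
    """Accept connections (forever, or max_conns of them), one thread each."""
    rng = rng or random.Random()
    served = 0
    while max_conns is None or served < max_conns:
        conn, _ = listener.accept()
        threading.Thread(target=handle, args=(conn, rng), daemon=True).start()
        served += 1
    return served


if __name__ == "__main__":
    serve(make_listener("0.0.0.0", 8080))
```

Run it as root-free on 8080 and point the PREROUTING DNAT rule at it; the scanner's view is "every port open, one line of text per port", which is all nmap's banner grabbing has to go on.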




Sunday, April 23, 2017

51 Tools for Security Analysts - Offensive Sec


Reading this list may be worrying or intimidating for readers who don’t work in the security industry. You should know that all tools on this list are free and publicly accessible. They are also well known within the professional security community and among malicious actors. This list of tools, software and utilities should empower anyone interested in protecting themselves and their online assets by making you aware of the capabilities that exist for analysts and malicious actors. By better understanding the tools that your adversary uses, you can better protect yourself.

Information gathering and analysis

Google dorks – Using advanced operators in the Google search engine to locate specific strings of text within search results.

Using Google for penetration or malicious activity may seem silly or obvious, but Google is incredibly powerful and very popular among analysts and malicious actors alike. “Google dorks”, or google-hacks as they’re also known, are a search query that attackers use on Google to identify targets. If you visit a site like exploit-db.com or any other database of exploits, you’ll find that many of them include Google dorks to help find targets to attack with the exploit.

Maltego – An interactive data mining tool that renders directed graphs for link analysis.
Maltego is one of our favorites. It is an investigator’s tool that lets you graphically organize your thoughts and your investigation by creating objects (people, places, devices, events) and link them. It also gives you the ability to run ‘transforms’ on objects. For example, you can run transforms on an IP address to list its malicious activity using external sources of threat intelligence. You can download a free version from Paterva which has some limitations.
You can see an example of the work we do with Maltego below.

FOCA – A tool used to find metadata and hidden information in the documents it scans.
When you create and publish MS Office, PDF, EPS and PS documents online, you may not realize how much information you are leaking to the general public. FOCA is a security analyst’s tool that can be used to extract ‘leaked’ data from documents that have been made public. Using FOCA, an analyst can find things like an organization’s network structure, IP addresses, internal server names, printers, shared folders, access control lists and more. You can watch this video filmed at DefCon 17 for a demo of how FOCA can be used by researchers or malicious actors to perform recon on a target organization or individual.

http://checkusernames.com/ – Check the use of a brand or username on 160 social networks.
If you simply want to find a unique username, checkusernames.com is a useful tool. If you are in the security field, it can be a powerful way to attribute an attack to a specific individual. Malware authors occasionally include usernames or ‘hacker names’ in their malware. Using this tool you can search 160 online services to see if they have used the same username somewhere else.

https://haveibeenpwned.com/ – Check if an account has been compromised in a data breach.
The term ‘pwned’ is slang for ‘owned’ which in the security industry means “to have your data or system compromised”. So ‘haveibeenpwned.com’ is slang for “Have I been owned dot com”. This is a well known and respected site run by Troy Hunt which finds and aggregates data from data breaches. You can use the service to find out if an account has been compromised by looking up your email or username.

https://www.beenverified.com/ – Search people & public records.
This is a general “people search” that is useful to find additional meta-data when researching a target during penetration testing or when researching an attacker.

Shodan – Search engine for Internet-connected devices.
This is a very popular service among security researchers. Shodan continually crawls and indexes devices on the internet. We recently used Shodan as part of our research into routers at several ISPs around the world that have been hacked and are now attacking WordPress. You can find a few example searches demonstrating Shodan's use on their ‘explore’ page.

Censys – A search engine that allows computer scientists to ask questions about the devices and networks that compose the internet.
Censys is similar to Shodan in that it indexes devices and websites connected to the internet. The data is also searchable and differs from Shodan in some ways. Shodan is focused on ports and the services running on those ports. Censys is great at indexing web site SSL certificates among other things. Censys is maintained by a team of computer scientists at the University of Michigan and University of Illinois Urbana-Champaign.

Gephi – Visualization and exploration software for all kinds of graphs and networks.
We mentioned Maltego earlier in this post. It uses a ‘graph’ structure which is a diagram of linked objects to represent relationships. Gephi is a tool to analyze graph data at massive scale. We used Gephi to generate the graphical representations of attack data that we published in our February Attack report, seen below.


Fierce – A DNS reconnaissance tool for finding target IPs associated with a domain.
Fierce is a tool used to find IP addresses that are potential attack targets associated with a specific domain. It is used by penetration testers when evaluating insecure points on a network.

BuiltWith – Find out what websites are built with.
BuiltWith has a search engine-like interface and lets you search for a specific site to find out what tools were used to build it. BuiltWith also aggregates that data so that you can find out what the most popular technologies are on the web or how a specific technology is trending relative to another.

Wappalyzer – A cross-platform utility that uncovers the technologies used on websites.
Wappalyzer is another tool that helps you discover what technologies a specific site is using. Like BuiltWith, they also aggregate data to help you determine how technologies are trending. This is their view of the popularity of blog technologies, with WordPress clearly the market leader.


Wappalyzer Chrome extension
Wappalyzer also has a browser extension for Chrome that lets you immediately see the technologies a specific site is using. There is also a Python driver available on github called python-Wappalyzer.

https://aw-snap.info/ – Tools for owners of hacked websites to help find malware and recover their site.
aw-snap.info includes a suite of tools that may be helpful for site owners who have decided to try to clean their own hacked site. It can help you fetch pages as Google, which sometimes reveals malware. It can also decode base64 obfuscated malware and help find obfuscation in your files that may hide malware.

http://themecheck.org/ – A quick service that lets you verify WordPress themes for security and code quality.
ThemeCheck may help you verify your theme integrity by uploading it. It can also help find malware embedded in themes.

theHarvester – Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN.
This is a tool that performs a variety of reconnaissance operations on an organization and may be useful in the early stages of a penetration test to determine an organization’s overall online footprint.

Cymon.io – Tracker of malware, phishing, botnets, spam, and more.
Cymon can help you research a potentially malicious IP or malware hash. 

Mnemonic – A passive DNS database.
Mnemonic is a useful tool that can find which websites are hosted at a specific IP or which IPs host a website.

Vulnerability scanning and penetration testing

WPScan – A black box WordPress vulnerability scanner.
WPScan is a command line tool that is used to remotely scan WordPress sites for vulnerabilities.

Sqlmap – An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

SQLMap is widely used among penetration testers and is highly effective at finding and exploiting SQL injection vulnerabilities in target sites.

BeEF – A penetration testing tool that focuses on the web browser.
BeEF is a powerful tool that lets penetration testers exploit and control a web browser. Using BeEF you can set up a malicious website, exploit a visiting browser and gain access to the workstation running the browser. You can watch this 2014 KiwiCon video for a demo.

Firefox Hackbar – A simple security audit / penetration test tool.

Hackbar is a plugin for Firefox that may help application developers perform security audits on their own web applications. It includes a variety of tools to assist with this task.
Burp Suite – Software for web security testing.

Burp Suite is a very well known and powerful framework used to perform security audits and analysis on web applications. It includes a proxy that can intercept traffic and allow you to modify it on the fly. It includes a huge variety of exploit and penetration testing tools.

OpenVAS – An open source vulnerability scanner and manager.
You have probably heard of the vulnerability scanning tool Nessus. Back in 2005 Tenable Network Security changed the Nessus open source license to a closed source one. The developers forked the project at that time and created OpenVAS.
I’ve found that OpenVAS can be quite effective, but it is a bit more challenging to set up than Nessus. OpenVAS does have the advantage of being completely free and open source. The project is well known throughout the online security community.

Fiddler – A free web debugging proxy.
Fiddler is a proxy server that lets you intercept requests to a website, view them in different ways, modify the requests and can help debug websites and perform security audits.

Joomscan – Detect Joomla CMS vulnerabilities and analyze them.
Joomscan is the Joomla CMS’s equivalent of wpscan.

Kum0nga – A simple Joomla scan.
This is another joomla vulnerability scanner.

Arachni – A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
Arachni is a framework to perform detailed vulnerability scanning on web applications.

Forensics and log analysis

Lnav – An advanced log file viewer.
Lnav is short for log file navigator. It automatically detects your log file formats, provides syntax highlighting and a host of other features to view and analyze log files. It can be invaluable when analyzing a compromised website.

Mandiant Highlighter – A free log file analysis tool.
Mandiant (now owned by FireEye) produced this useful product that can help analyze log files. It includes the ability to graphically view a histogram of log files and several other powerful log file analysis features.

Wp-file-analyser – Find modified, missing and extra files in a WordPress directory.
This utility can download the original versions of WordPress core and plugin files and can help you compare them against their originals.

Auditd – Access monitoring and accounting for Linux.
Access monitoring and logging/accounting is very helpful when monitoring a system to see if it is being attacked or performing an investigation after the attack. Auditd can help you improve logging and provide an audit trail on Linux.

Araxis Merge – Advanced 2 and 3-way file comparison (diff), merging and folder synchronization.
When responding to a hack, the ability to compare files to originals to determine what has changed is important. Araxis Merge is a powerful tool that can assist with this.

WinMerge – An Open Source differencing and merging tool for Windows.
Much like Araxis Merge, WinMerge can help you compare files to examine changes when responding to an incident.

DiffNow – Compare files online.
DiffNow is a web based file ‘diff’ tool that can also assist when comparing file differences during incident response.
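The three diff tools and Wp-file-analyser all answer the same incident-response question: which files changed, which disappeared, and which appeared since the last known-good copy? The following added Python example (not any of those tools' code) does that comparison by SHA-256 manifest. The two trees here are constructed in memory so it runs offline; walk_tree() builds the same manifest from a real directory and a pristine download.

```python
"""Integrity check of a site tree against a pristine copy.

Added example in the spirit of wp-file-analyser and the diff tools above;
not their code. Both trees are constructed in memory so it runs offline;
walk_tree() does the same for a real directory.
"""
import hashlib
import os
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> sha256 hex digest


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_memory(files: Dict[str, bytes]) -> Manifest:
    return {path: sha256_of(content) for path, content in files.items()}


def walk_tree(root: str) -> Manifest:
    """Hash every file under `root` (a live install or a pristine download)."""
    out: Manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(fh.read())
    return out


def compare(original: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Split the current tree into modified, missing and extra files."""
    orig, cur = set(original), set(current)
    return {
        "modified": sorted(p for p in orig & cur if original[p] != current[p]),
        "missing": sorted(orig - cur),
        "extra": sorted(cur - orig),
    }


def suspicious_extras(extra: List[str]) -> List[str]:
    """Extra files worth a first look: executable code where only uploads belong."""
    return [p for p in extra
            if p.startswith("wp-content/uploads/") and p.endswith((".php", ".phtml"))]


# Constructed trees: a pristine copy and a tampered install of the same site.
PRISTINE = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
    "wp-content/themes/demo/functions.php": b"<?php // theme functions\n",
}
TAMPERED = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-content/themes/demo/functions.php": b"<?php // theme functions\n@include '/tmp/.x';\n",
    "wp-content/uploads/2024/.cache.php": b"<?php // dropped file\n",
    "wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff",
}


def demo() -> Dict[str, List[str]]:
    report = compare(manifest_from_memory(PRISTINE), manifest_from_memory(TAMPERED))
    report["suspicious_extra"] = suspicious_extras(report["extra"])
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against real trees you would call compare(walk_tree("/path/to/pristine"), walk_tree("/var/www/site")). The "modified" list is where a visual diff tool like the ones above earns its keep; the "extra PHP under uploads" heuristic is a common first triage filter, not a verdict.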

Code and malware analysis

CyberChef – the Cyber Swiss Army Knife
CyberChef is a tool that is developed by GCHQ, the British intelligence agency. It can help de-obfuscate malware and other code.

UnPHP – A free service for analyzing obfuscated and malicious PHP code.
Obfuscating (hiding/garbling) PHP is a favorite tool of hackers; UnPHP can help analyze obfuscated code.

UnPacker – JavaScript unpacker.

Jsunpack – A generic JavaScript unpacker.
‘Packing’ javascript is a favorite technique of hackers who are dropping malicious javascript on websites. It makes their code more compact and harder to read. Jsunpack can help de-obfuscate JS code to make it more readable so that you can understand how it operates.

JSBeautifier – An online JavaScript beautifier.
Much like Jsunpack, JSBeautifier helps improve the readability of packed javascript code.

https://www.base64decode.org/ – Base64 Decode and Encode
Base64 encoding is a way to encode anything into an encoded string of (what appears to be) random characters. Anyone who is repairing hacked sites or responding to incidents uses base64 decoding several times a day to expose malicious code that has been base64 encoded. This tool can help decode base64 encoding.

https://www.urldecoder.org/ – URL Decode and Encode
URL encoding is another popular way for hackers to hide their code. urldecoder.org can help you decode malicious code that has been hidden using URL encoding.
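The base64 and URL decoders above (and UnPHP) are used the same way in practice: find the literal handed to base64_decode() or urldecode(), decode it, and repeat, because injected code is usually wrapped in several layers. The following added Python example automates that loop and then lists the functions the readable code calls; it is not the code of any of those services. The sample file is constructed inside the block (a beacon that mails the host name, wrapped in a URL layer inside a base64 layer), so it runs offline.

```python
"""Peel base64 / URL-encoded layers off a suspicious PHP file and name the
functions the decoded code calls. Added example for the passages on base64
and URL decoding above (and UnPHP); not those services' code. The sample
file is constructed here, so the whole thing runs offline.
"""
import base64
import binascii
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# String literals handed straight to the two decoders the text mentions.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]\s*\)")
URL_CALL = re.compile(r"urldecode\s*\(\s*['\"]((?:%[0-9A-Fa-f]{2}|[^'\"])+)['\"]\s*\)")
# Calls worth a human's attention once the code is readable.
SUSPECT = re.compile(r"\b(eval|assert|system|shell_exec|passthru|exec|mail)\s*\(")


def decode_b64(literal: str) -> Optional[str]:
    """Strict base64 decode to text; None if it is not valid base64/UTF-8."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", literal), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def unwrap(code: str, max_depth: int = 8) -> List[Tuple[str, str]]:
    """Decode the first decoder call found, then repeat on the result.
    Returns (encoding, decoded text) per layer, innermost last."""
    layers: List[Tuple[str, str]] = []
    current = code
    for _ in range(max_depth):
        m = B64_CALL.search(current)
        if m:
            decoded = decode_b64(m.group(1))
            if decoded is None:
                break
            layers.append(("base64", decoded))
            current = decoded
            continue
        m = URL_CALL.search(current)
        if m:
            decoded = urllib.parse.unquote(m.group(1))
            layers.append(("url", decoded))
            current = decoded
            continue
        break
    return layers


def suspicious_calls(code: str, layers: List[Tuple[str, str]]) -> List[str]:
    """Distinct suspect function names across the original and every layer."""
    texts = [code] + [text for _, text in layers]
    return sorted({m.group(1) for t in texts for m in SUSPECT.finditer(t)})


def analyse(code: str) -> Dict[str, object]:
    layers = unwrap(code)
    return {
        "depth": len(layers),
        "layers": layers,
        "innermost": layers[-1][1] if layers else code,
        "calls": suspicious_calls(code, layers),
    }


# Constructed sample: a beacon that mails the host name, wrapped in a URL
# layer inside a base64 layer, the way injected PHP is commonly hidden.
PAYLOAD = 'mail("constructed@example.test", "hit", $_SERVER["HTTP_HOST"]);'
_LAYER1 = 'eval(urldecode("%s"));' % urllib.parse.quote(PAYLOAD, safe="")
SAMPLE_PHP = '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(_LAYER1.encode()).decode()

if __name__ == "__main__":
    report = analyse(SAMPLE_PHP)
    print("layers:", report["depth"], "suspect calls:", report["calls"])
    print("innermost:", report["innermost"])
```

Two layers come off and the call list reads ["eval", "mail"]: the eval() wrappers are the tell, and the mail() is what the code actually does. Real samples add gzinflate, str_rot13 and string reversal to the same pattern; extending unwrap() is a matter of adding one regex and decoder per wrapper.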

http://lombokcyber.com/en/detools/decode-sourcecop – Decode SourceCop v3.x
This is a tool that decodes a specific type of PHP encoding that may prove useful during a hacked site investigation.

Other tools

regex101 – Develop and test regular expressions.
Regex, or regular expressions, are pattern matching routines to find complex patterns in files and code. 

regexpal – Another site to develop and test regular expressions.
Both regex101 and regexpal provide online development environments to help you create or analyze regular expressions.

HashKiller – Online hash cracking service. Useful to reverse engineer hashes into passwords.
In most systems, passwords are stored as hashes. Malware authors occasionally use hashing to store their own passwords. In our research we have needed to crack hashes that are used by malware authors in order to read their source code. HashKiller can help reverse a hash into a password if you need to crack a hash as part of your malware analysis.

Noscript – Noscript is a Firefox extension that allows Javascript, Java and Flash to only be executed by websites that you define and trust.
When visiting malicious websites, Noscript can help disable malicious code on that site. Note that you should always visit a malicious site that you are analyzing using a virtual machine that has no important data on it. If the VM gets infected, you can simply destroy it without worrying about important data being leaked. Using Noscript in your browser within your virtual environment can be useful when analyzing the function of a hacked site.

Other lists of tools

  • Awesome Forensics – A curated list of awesome free (mostly open source) forensic analysis tools and resources.

  • awesome-incident-response – A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.

  • OSINT Framework – OSINT is short for ‘open source intelligence’. This site provides a graphical directory of OSINT resources.

Kali Linux

Kali Linux is a linux distribution that is the favorite of penetration testers and security analysts world-wide. It is a linux distribution that comes packed with security analysis tools. If you want to learn about cyber security, Kali should be one of your starting points. If you simply would like to know about some of the more important tools that Kali provides, you can use the list below.
Kali Linux Tools Listing – All the tools in Kali Linux, a Linux variant used by penetration testers and security analysts.

Conclusion

The tools on this page can help you respond to an incident, test the security of your own website and better understand how attackers think and what tools they have available to them. As always I welcome your feedback in the comments and you are most welcome to suggest your own favorite security or analysis tools.

Tuesday, November 1, 2016

Exploit Network and Gathering Information with Nmap - Dracnmap



Dracnmap is an open source program that is used to exploit the network and gather information with the help of nmap. The nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users. Hence Dracnmap is designed to perform fast scanning using nmap's scripting engine, and nmap can perform various automatic scanning techniques with the advanced commands.

Screenshot


Getting Started
git clone https://github.com/Screetsec/Dracnmap.git
cd Dracnmap
chmod +x Dracnmap.sh
sudo ./Dracnmap.sh or sudo su ./Dracnmap.sh

Requirements
  • A Linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling / Cyborg / Parrot / Dracos / BackTrack / BackBox / or another Linux operating system
  • nmap must be installed

Tutorial
You can visit my channel: https://www.youtube.com/channel/UCpK9IXzLMfVFp9NUfDzxFfw

Credits



Friday, August 26, 2016

A DNS meta-query spider that enumerates DNS records, and subdomains - SubBrute v2.0




SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting ( https://www.us-cert.gov/ncas/alerts/TA13-088A ). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

What's new in v2.0?
A lot of exciting updates... except for the readme file, which still needs to be updated.

What's new in v1.2.1?
The big news in this version is that SubBrute is now a recursive DNS spider, and also a library; more on this later. SubBrute should be easy to use, so the interface should be intuitive (like nmap!); if you would like the interface to change, let us know. In this version we are opening up SubBrute's fast DNS resolution pipeline for any DNS record type. Additionally, SubBrute now has a feature to detect subdomains where their resolution is intentionally blocked, which sometimes happens when a subdomain is intended for use on an internal network.
  • SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)
  • --type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)
  • -s can now read subdomains from result files.
  • New usage - The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
./subbrute.py google.com -o google.names
...162 subdomains found...

./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...

./subbrute.py -s google.names google.com --type CNAME
blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...
  • SubBrute is now a subdomain enumeration library with a Python interface: subbrute.run(). Do you want to use SubBrute in your Python projects? Consider the following:
import subbrute

# iterate over every subdomain found for the target domain
for d in subbrute.run("google.com"):
    print(d)
Feedback welcome.

What's new in v1.1?
This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r are in this release. In SubBrute 1.1 we fixed bugs and improved accuracy and efficiency. As requested, this project is now GPLv3.
Accuracy and better wildcard detection:
  • A new filter that can pickup geolocation aware wildcards.
  • Filter misbehaving nameservers
Faster:
  • More than 2,000 high quality nameservers were added to resolvers.txt, these servers will resolve multiple queries in under 1 sec.
  • Nameservers are verified when they are needed. A separate thread is responsible for creating a feed of nameservers and the corresponding wildcard blacklist.
New output:
  • -a will list all addresses associated with a subdomain.
  • -v debug output, to help developers/hackers debug subbrute.
  • -o output results to file.
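Two of the features above, the recursive DNS spider (v1.2.1) and wildcard detection (v1.1), are the parts of a subdomain enumerator that decide whether its output is usable. The following added Python example shows the core of both; it is not SubBrute's code (SubBrute exposes subbrute.run(), which is a different interface). Resolution is injected as a function so the example runs offline against a constructed zone for example.test; SubBrute instead spreads its queries over many open resolvers.

```python
"""Wildcard-aware recursive subdomain enumeration core.

Added example for the spider and wildcard-filter features described above;
it is not SubBrute's code (SubBrute exposes subbrute.run()). Resolution is
injected as a function so it runs offline against a constructed zone;
SubBrute instead spreads the queries over many open resolvers.
"""
import random
import string
from typing import Callable, Dict, FrozenSet, List, Optional, Set

# name -> set of A records, or None when the name does not exist (NXDOMAIN)
Resolve = Callable[[str], Optional[FrozenSet[str]]]


def random_label(rng: random.Random, length: int = 12) -> str:
    return "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(length))


def wildcard_answers(resolve: Resolve, domain: str,
                     rng: Optional[random.Random] = None, probes: int = 3) -> Set[str]:
    """Resolve a few random labels under `domain`; whatever they return is
    the wildcard answer set. Several probes catch geo-aware wildcards that
    hand out different addresses per query."""
    rng = rng or random.Random()
    seen: Set[str] = set()
    for _ in range(probes):
        answer = resolve(f"{random_label(rng)}.{domain}")
        if answer:
            seen |= set(answer)
    return seen


def enumerate_subdomains(resolve: Resolve, domain: str, names: List[str],
                         rng: Optional[random.Random] = None,
                         recurse: bool = True) -> Dict[str, FrozenSet[str]]:
    """Try every label from `names` under `domain`, drop wildcard noise, and
    (like the v1.2.1 spider) repeat under each subdomain that was found."""
    rng = rng or random.Random(0)
    found: Dict[str, FrozenSet[str]] = {}
    queue, visited = [domain], set()
    while queue:
        parent = queue.pop(0)
        if parent in visited:
            continue
        visited.add(parent)
        wild = wildcard_answers(resolve, parent, rng)
        for label in names:
            host = f"{label}.{parent}"
            answer = resolve(host)
            if not answer:
                continue
            if wild and set(answer) <= wild:
                continue  # same answer as a random label: wildcard, not a real host
            found[host] = answer
            if recurse:
                queue.append(host)
    return found


# Constructed zone for example.test: a few real hosts and a one-level wildcard.
ZONE: Dict[str, FrozenSet[str]] = {
    "www.example.test": frozenset({"203.0.113.10"}),
    "mail.example.test": frozenset({"203.0.113.11"}),
    "dev.example.test": frozenset({"203.0.113.12"}),
    "api.dev.example.test": frozenset({"203.0.113.13"}),
}
WILDCARD = frozenset({"203.0.113.9"})


def fake_resolve(name: str) -> Optional[FrozenSet[str]]:
    """Stand-in for DNS: explicit records, then *.example.test, else NXDOMAIN."""
    if name in ZONE:
        return ZONE[name]
    if name.endswith(".example.test") and name.count(".") == 2:
        return WILDCARD  # *.example.test answers; deeper labels do not
    return None


WORDLIST = ["www", "mail", "dev", "api", "ftp", "vpn"]


def demo() -> Dict[str, FrozenSet[str]]:
    return enumerate_subdomains(fake_resolve, "example.test", WORDLIST, random.Random(1))


if __name__ == "__main__":
    for host, ips in sorted(demo().items()):
        print(host, ",".join(sorted(ips)))
```

Without the wildcard filter every word in the list would "exist" under example.test; with it, api.example.test, ftp.example.test and vpn.example.test are dropped because they answer exactly like a random label, while api.dev.example.test is still found by the recursion into dev. The trade-off is visible too: a real host whose address happens to equal the wildcard answer is hidden by this filter, which is why SubBrute's later releases added the finer-grained filters listed above.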

More Information
The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching subdomains with a regular expression and sorting by frequency of occurrence:
  • python subbrute.py -f full.html > my_subs.txt
names.txt contains 31298 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
No install required for Windows, just cd into the 'windows' folder:
  • subbrute.exe google.com
Easy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...
(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)
Under Ubuntu/Debian all you need is:
  • sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually:
http://www.dnspython.org/
Easy to use:
  • ./subbrute.py google.com
Tests multiple domains:
  • ./subbrute.py google.com gmail.com blogger.com
or a newline delimited list of domains:
  • ./subbrute.py -t list.txt
Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
  • ./subbrute.py gmail.com > gmail.out
  • ./subbrute.py -t gmail.out
Cheers!



Saturday, August 20, 2016

Web Spidering Framework - Malspider

Malspider is a web spidering framework that inspects websites for characteristics of compromise. Malspider has three purposes:
  • Website Integrity Monitoring: monitor your organization’s website (or your personal website) for potentially malicious changes.
  • Generate Threat Intelligence: keep an eye on previously compromised sites, currently compromised sites, or sites that may be targeted by various threat actors.
  • Validate Web Compromises: Is this website still compromised?

What can Malspider detect?

Malspider has built-in detection for characteristics of compromise such as hidden iframes, reconnaissance frameworks, VBScript injection, email address disclosure, etc.
As we find more we will continue to add classifications to this tool, and we hope you will do the same. Malspider will be a much better tool if CIRT teams and security practitioners around the world contribute to the project.
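To make the detection list concrete, here is an added example (not Malspider's code, and written for Python 3 rather than the Python 2.7 that Malspider itself requires) that scans a page for three of the characteristics listed: iframes hidden by size or CSS, script blocks declared as VBScript, and email addresses in text or mailto links. The sample page, its URLs and its addresses are constructed for the example.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: one hidden iframe, one legitimate embed, an inline
# VBScript block and two exposed addresses.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.5/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://videos.example.test/embed/42" width="560" height="315"></iframe>
<script language="VBScript">MsgBox "pwned"</script>
<p>Contact: webmaster@example.test</p>
<a href="mailto:sales@example.test">Sales</a>
</body></html>"""


def _is_tiny(value):
    """True for iframe width/height attributes of 0 or 1 (optionally in px)."""
    if value is None:
        return False
    digits = value.strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1


class CompromiseScanner(HTMLParser):
    """Collects (kind, detail) alerts for hidden iframes, VBScript and emails."""

    def __init__(self):
        super().__init__()
        self.alerts = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                      or HIDDEN_CSS_RE.search(a.get("style", "")) is not None)
            if hidden:
                self.alerts.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            # Injected VBScript is usually declared via language= or type=.
            declared = (a.get("language", "") + " " + a.get("type", "")).lower()
            if "vbscript" in declared:
                self.alerts.append(("vbscript", a.get("src", "") or "inline"))
        elif tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.alerts.append(("email", a["href"][len("mailto:"):]))

    def handle_data(self, data):
        # Text nodes, including script bodies, are checked for addresses.
        for addr in EMAIL_RE.findall(data):
            self.alerts.append(("email", addr))


def scan(html):
    """Return the list of (kind, detail) alerts found in html, in page order."""
    scanner = CompromiseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.alerts


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print("%-14s %s" % (kind, detail))
```

The visible embed with normal dimensions produces no alert, which is the false-positive tuning the post talks about: a 1x1 or CSS-hidden iframe is suspicious, an iframe as such is not.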


Prerequisites

Please make sure these technologies are installed before continuing:
  • Python 2.7.6
  • Updated version of pip
  • MySQL
Note: If your server already has specific versions of these components installed, you can use a virtualenv to create an isolated python environment.
Tested and working on minimal installations of:
  • Ubuntu 14
  • CentOS 6
  • CentOS 7

Installation

Start the installation process by running “./quick_install” from the command line. Please read the prompts carefully!
Malspider comes with a quick_install script found in the root directory. This script attempts to make the installation process as painless as possible by completing the following steps:
  1. Install Database: creates a database titled ‘malspider’, creates a new mysql user, and applies db schema.
  2. Install Dependencies: installs ALL dependencies and modules required by Malspider.
  3. Django Migrations: applies django migrations to the database (necessary for the web app).
  4. Create Web Admin User: creates an administrative user for the web application.
  5. Add Access Control: creates iptables rules to block port 6802 (used by the daemon) and open port 8080 (web app).
  6. Add Cronjobs: creates crontab entries to schedule jobs, analyze data, and purge the database after a period of time.
Note: The quick_install script uses scripts found under the install/ directory. If any of the above steps fail you can attempt to complete them manually using those scripts.

Start

Start Malspider by running “./quick_start” from the command line. Malspider comes with a quick_start script found in the root directory. This script attempts to start the daemon and the web application. Malspider can be accessed from your browser on port 8080 at http://0.0.0.0:8080. Note that the web app binds to 0.0.0.0 and the install step above opens port 8080 in iptables, so the dashboard and admin panel are reachable from every interface of the host; restrict access to them accordingly.
Interaction with Malspider happens via an easy-to-use dashboard accessible through your web browser. The dashboard enables you to view alerts, inspect injected code, add websites to monitor, and tune false positives. You can add websites you want to crawl by navigating to the administrative panel at http://0.0.0.0:8080/admin (or by clicking on the admin link from the dashboard). Click on “Organizations” and add a new Organization. You’ll be prompted for the:
  • website name (ie. “Cisco Systems”)
  • domain (ie. cisco.com)
  • industry/org category (ie. Energy, Political, Education, etc)
By default, Malspider crawls 20 pages per domain. This can be changed. You can crawl as many pages as you like (per domain) or you can crawl only the homepage of each site.

Malspider randomly selects a user agent string from a list found at malspider/resources/useragents.txt. If you would like to add more user agents to the list, simply edit that text file.

Malspider also has built-in capabilities for taking screenshots of every page it crawls. Screenshots can be useful in a variety of situations, but they cause a drastic increase in disk usage on the server. For that reason, screenshots are turned off by default. Email address detection is off by default for the same reason.

Malspider crawls websites and stores information about those sites in a database. The data in the database is post-processed and analyzed for potentially malicious characteristics. You can view results from the analyzer by viewing the dashboard and clicking on “View Alerts”. The database can grow rather large very quickly; for performance reasons it is recommended that you delete data from the ‘pages’ and ‘elements’ tables once per month.



Copyright © Offensive Sec Blog | Powered by OffensiveSec