Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Social Engineering. Show all posts
Showing posts with label Social Engineering. Show all posts

Sunday, May 7, 2017

20 Sites To Keep Your Identity Hidden - Send Anonymous Emails



The first question to answer here is why go for anonymous email when there are plenty of premium featured and free email services such as Gmail, Outlook and Yahoo! Mail available? Well, privacy and anonymity is a digital right — our digital right. These email services are ‘free’ because of the advertisements.






Although deemed necessary evils, ads are mostly tailored for the visitor or service user, and to do that, service providers need your data to show you advertisements targeted to you and your user group. These are ads that you are most likely to click and/or follow.

Moreover, the disclosure of the motives of secret agencies and their top-secret internet-censoring programs (such as PRISM) has raised concerns among digital privacy advocates. If you want to keep your emails away from prying eyes, this article will introduce to you the many options for sending and receiving anonymous emails.

Anonymous email forms the basic foundation of anonymity over the web. Internet is no secure storage, but you have a say in who has access to your data and who doesn’t. If that is no, anonymous emails is one way to ensure your emails are not trackable online.

Note: Anonymity is not possible on the web without hiding your IP address, so you must use Tor, or any other proxy or VPN service before using the services below to remain anonymous on the Internet.
Encrypted / Anonymous Email Service
Here are some of the anonymous email services that lets you send and receive emails anonymously online. Some of them have encryption features, others are disposable or will self-destruct after a specified period of time. Here are 5.

Anonymous Email – TorGuard – This service provides you an anonymous inbox with lots of privacy and cryptographic features. You get 10MB storage, and end-to-end security using SSL encryption for connection and G/PGP encryption for securing the messages.


Tor Mail – Tor Mail is a Tor Hidden service that provides truly anonymous email service. It runs on the hidden service network of The Tor Project so you must use Tor to access and use it. Tor Mail is developed for super anonymity. As it’s built over the Tor network, it cannot be traced easily.

GuerrilaMail – GuerrillaMail offers you a disposable, self-destructible, temporary email address to send and receive emails anonymously on the internet. Mail is deleted after an hour. You only need to choose an email address; no personal data is required.

Secure Mail – This service encrypts your mail using 4096-bit key, which makes it unreadable by anyone except you. It doesn’t ask for your personal information or IP address to sign up. They also have a zero-tolerance policy against spam.

The Anonymous Email – Create an account to send and receive emails by signing up with your real email. None of your other personal info is necessary.

Send Emails Without Registration

Sometimes you just need to send emails without prior registration. In fact you don’t even need to receive any feedback. If this is you, here are 8 services that is essentially a form where you put in details of the email you want to send. Note that there is no way for the receiver to get back to you.

AnonymousEmail.me – Here you will find only a simple form to fill in the receiver’s address, subject and the email content (you can also attach a file to the email if necessary). To get a reply, opt to provide a reply-to email address, otherwise this is a one-way ticket to sending an anonymous email.


5ymail – Send and receive beautifully formatted messages using its rich-text editor without revealing your true self. You will have to give up a real email to receive your 5ymail inbox credentals. There is also a paid version for more features.

CyberAtlantis – It offers a simple interface to provide the receiver’s email address, subject, and the message. It strips off the IP address from your mail, and thus you can’t be traced easily. It asks for none of your personal information.

W3 Anonymous Remailer – Send anonymous emails to anyone. You only need to enter the receiver’s email address, subject and the message for the email.

Send Anonymous Email – This one operates with a plain interface to enter the sender and receiver’s address, subject and message. No other details are required to send emails with this. The IP addresses are logged in.

Send Email Message – You only need to enter the receiver’s email address, subject, and the message. Over 100,000 anonymous emails are sent every day for free.

AnonEmail – You get to send anonymous emails without revealing any information about your identity.

Receive Emails

If you just need a disposable email to confirm links and don’t want to deal with the newsletter or other deals they might send you in the future, try these 7 email services. Accounts are created automatically when a mail is received for that address.

Anonymous Email – Hide My Ass! – Hide My Ass! offers a free anonymous email account, which can be used to receive (but not send) emails. You can opt for new email received notifications to be sent to your real email or even set your inbox to “self-destruct” with an expiration date. 


myTrashMail – Get open and public email accounts created upon receiving mail or sign up for a private and password-protected one to receive mail. The accounts are temporary and will be deleted automatically after some time.

NotSharingMy.Info – NotSharingMy.Info provides you with a permanent anonymous email address to receive emails without providing any traceable and identifiable information. It only requires your real email address for signing up. All emails to the anonymous email address is forwarded to your real email address.

Mailnesia – Aside from inboxes generated automatically upon receipt of an email, Mailnesia even features an automatic confirmation-links click system which is useful if you make lots of sign-ups on web services.

Mailinator – Here is one that lets you create email inboxes quickly and even automatically. You can only receive emails with it.


Spambog – Spambog offers you a disposable (7-day purge), temporary, anonymous email inbox on the Web. You can receive, reply and forward emails but not send an original one. An email alias can be protected with a password.

TempInbox – Here’s another temporary, disposable, auto-automated email inbox service. Give any email alias to anyone and check that inbox on the website for your incoming mail.

OffSec 2017
Share:

Thursday, January 19, 2017

Get detailed information about a Twitter user activity - Tinfoleak v2.0



Are you interested in OSINT tools? Tinfoleak is the best OSINT tool for Twitter, and is open-source!
The new version includes a lot of new and improved features:
  • Search by coordinates
  • Geolocated users
  • Tagged users
  • User conversations
  • Identification in other social networks
  • More powerful and flexible search filter
  • More detailed information on existing features
  • … and many more information to generate intelligence!

Screenshots









Share:

Tuesday, February 9, 2016

Best Hacking Tools 2016 - Windows, Mac OS X, And Linux



Metasploit



Rather than calling Metasploit a collection of exploit tools, I’ll call it an infrastructure that you can utilize to build your own custom tools. This free tool is one of the most popular cybersecurity tool around that allows you to locate vulnerabilities at different platforms. Metasploit is backed by more than 200,000 users and contributors that help you to get insights and uncover the weaknesses in your system.

This top hacking tool package of 2016 lets you simulate real-world attacks to tell you about the weak points and finds them. As a penetration tester, it pin points the vulnerabilities with Nexpose closed–loop integration using Top Remediation reports. Using the open source Metasploit framework, users can build their own tools and take the best out of this multi-purpose hacking tool.


Metasploit is available for all major platforms including Windows, Linux, and OS X.





Acunetix WVS



Acunetix is a web vulnerability scanner (WVS) that scans and finds out the flaws in a website that could prove fatal. This multi-threaded tool crawls a website and finds out malicious Cross-site Scripting, SQL injection, and other vulnerabilities. This fast and easy to use tool scans WordPress websites form more than 1200 vulnerabilities in WordPress.

Acunetix comes with a Login Sequence Recorder that allows one to access the password protected areas of websites. The new AcuSensor technology used in this tool allows you to reduce the false positive rate. Such features have made Acunetix WVS a preferred hacking tools that you need to check out in 2016.


Acunetix is available for Windows XP and higher.

 Obs, Search in google to get full version software (cracked)





Nmap



Nmap – also known as Network Mapper – falls in the category of a port scanner tool. This free and open source tool is the most popular port scanning tool around that allows efficient network discovery and security auditing. Used for a wide range of services, Nmap uses raw IP packets to determine the hosts available on a network, their services along with details, operating systems used by hosts, the type of firewall used, and other information.

Last year, Nmap won multiple security products of the year awards and was featured in multiple movies including The Matrix Reloaded, Die Hard 4, and others.  Available in the command line, Nmap executable also comes in an advanced GUI avatar.


Nmap is available for all major platforms including Windows, Linux, and OS X.





Wireshark




Wireshark is a well-known packet crafting tool that discovers vulnerability within a network and probes firewall rule-sets. Used by thousands of security professionals to analyze networks and live pocket capturing and deep scanning of hundreds of protocols. Wireshark helps you to read live data from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others.

This free and open source tool was originally named Ethereal. Wireshark also comes in a command-line version called TShark.


This GTK+-based network protocol analyzer runs with ease on Linux, Windows, and OS X.





oclHashcat




If password cracking is something you do on daily basis, you might be aware of the free password cracking tool Hashcat. While Hashcat is a CPU-based password cracking tool, oclHashcat is its advanced version that uses the power of your GPU.

oclHashcat calls itself world’s fastest password cracking tool with world’s first and only GPGPU based engine. For using the tool, NVIDIA users require ForceWare 346.59 or later and AMD users require Catalyst 15.7 or later.

This tool employs following attack modes for cracking:

ºStraight
ºCombination
ºBrute-force
ºHybrid dictionary + mask
ºHybrid mask + dictionary

Mentioning another major feature, oclHashcat is an open source tool under MIT license that allows an easy integration or packaging of the common Linux distros.


This useful hacking tool can be downloaded in different versions  for Linux, OSX, and Windows.





Nessus Vulnerability Scanner


This top free hacking tool of 2016 works with the help of a client-server framework. Developed by Tenable Network Security, the tool is one of the most popular vulnerability scanners we have. Nessus serves different purposes to different types of users – Nessus Home, Nessus Professional, Nessus Manager and Nessus Cloud.

Using Nessus, one can scan multiple types of vulnerabilities that include remote access flaw detection, misconfiguration alert, denial of services against TCP/IP stack, preparation of PCI DSS audits, malware detection, sensitive data searches etc. To launch a dictionary attack, Nessus can also call a popular tool Hydra externally.

Apart from the above mentioned basic functionalities, Nessus could be used to scan multiple networks on IPv4, IPv6 and hybrid networks. You can set scheduled scan to run at your chosen time and re-scan all or a subsection of previously scanned hosts using selective host re-scanning.


Nessus is supported by a variety of platforms including Windows 7 and 8, Mac OS X, and popular Linux distros like Debian, Ubuntu, Kali Linux etc.






Maltego



Maltego is an open source forensics platform that offers rigorous mining and information gathering to paint a picture of cyber threats around you. Maltego excels in showing the complexity and severity of points of failure in your infrastructure and the surrounding environment.

Maltego is a great hacker tool that analyzes the real world links between people, companies, websites, domains, DNS names, IP addresses, documents and whatnot. Based on Java, this tool runs in an easy-to-use graphical interface with lost customization options while scanning.


Maltego hacking tool  is available for Windows, Mac, and Linux.






Social-Engineer Toolkit



Also featured on Mr. Robot, TrustedSec’s Social-Engineer Toolkit is an advanced framework for simulating multiple types of social engineering attacks like credential harvestings, phishing attacks, and more. On the show, Elliot is seen using the SMS spoofing tool from the Social-Engineer Toolkit.

This Python-driven tool is the standard tool for social-engineering penetration tests with more than two million downloads. It automates the attacks and generates disguising emails, malicious web pages and more.

To download SET on Linux, type the following command:

git clone https://github.com/trustedsec/social-engineer-toolkit/ set/


Apart from Linux, Social-Engineer Toolkit is partially supported on Mac OS X and Windows.



Other top hacking tools in multiple categories:







Web Vulnerability Scanners – Burp Suite, Firebug, AppScan, OWASP Zed, Paros Proxy

Vulnerability Exploitation Tools – Netsparker, sqlmap, Core Impact, WebGoat, BeEF

Forensic Tools – Helix3 Pro, EnCase, Autopsy

Port Scanners – Unicornscan, NetScanTools, Angry IP Scanner

Traffic Monitoring Tools – Nagios, Ntop, Splunk, Ngrep, Argus

Debuggers – IDA Pro, WinDbg, Immunity Debugger, GDB

Rootkit Detectors – DumpSec, Tripwire, HijackThis

Encryption Tools – KeePass, OpenSSL, OpenSSH/PuTTY/SSH, Tor

Password Crackers – John the Ripper, Aircrack, Hydra, ophcrack


By Offensive Sec
Share:

Wednesday, January 27, 2016

Domain Name Permutation Engine For Detecting Typo Squatting, Phishing And Corporate Espionage - Dnstwist





See what sort of trouble users can get in trying to type your domain name. Find similar-looking domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

The idea is quite straightforward: dnstwist takes in your domain name as a seed, generates a list of potential phishing domains and then checks to see if they are registered. Additionally it can test if the mail server from MX record can be used to intercept misdirected corporate e-mails and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.


Key features 

There are several pretty good reasons to give it a try: 

ºWide range of efficient domain fuzzing algorithms
ºMultithreaded job distribution
ºResolves domain names to IPv4 and IPv6
ºQueries for NS and MX records
ºEvaluates web page similarity with fuzzy hashes to find live phishing sites
ºTests if MX host (mail server) can be used to intercept misdirected e-mails (espionage)
ºGenerates additional domain variants using dictionary files
ºGeoIP location information
ºGrabs HTTP and SMTP service banners
ºWHOIS lookups for creation and modification date
ºPrints output in CSV and JSON format

Requirements 

If you want dnstwist to develop full power, please make sure the following Python modules are present on your system. If missing, dnstwist will still work, but without many cool features. You'll get a notification in absence of required module. 

ºA DNS toolkit for Python
ºPython GeoIP
ºPython WHOIS
ºRequests: HTTP for Humans
ºssdeep Python wrapper

Installation 

Linux 

Ubuntu Linux is the primary development platform. If running Ubuntu 15.04 or newer, you can install dependencies like this: 

$ sudo apt-get install python-dnspython python-geoip python-whois \  python-requests python-ssdeep  

Alternately, you can use Python tooling. This can be done within a virtual environment to avoid conflicts with other installations. However, you will still need a couple of libraries installed at the system level. 

$ sudo apt-get install libgeoip-dev libffi-dev  $ BUILD_LIB=1 pip install -r requirements.txt  

Now it is fully equipped and ready for action. 
OSX 
If you're on a Mac, you can install dnstwist via Homebrew like so: 

$ brew install dnstwist  

This is going to install dnstwist.py as dnstwist only, along with all requirements mentioned above. The usage is the same, you can just omit the file extension, and the binary will be added to PATH . 
Docker 
If you use Docker, you can build a local copy: 

$ docker build -t dnstwist .  

Then run that local image: 

$ docker run dnstwist example.com  

If you don't want to build locally here is a list of community maintained images:

jrottenberg/dnstwist

How to use 

To start, it's a good idea to enter only the domain name as an argument. The tool will run it through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX. 

$ dnstwist.py example.com  

Manually checking each domain name in terms of serving a phishing site might be time consuming. To address this, dnstwist makes use of so called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with --ssdeep argument. For each generated domain, dnstwist will fetch content from responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage. Please keep in mind it's rather unlikely to get 100% match for a dynamically generated web page, but each notification should be inspected carefully regardless of the percentage level. 

$ dnstwist.py --ssdeep example.com  

In some cases phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply for each generated domain name variant. This ability is obviously useful only in conjunction with fuzzy hashing feature.

$ dnstwist.py --ssdeep https://example.com/owa/  $ dnstwist.py --ssdeep example.com/crm/login  

Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent towards. Another dnstwist feature allows to perform a simple test on each mail server (advertised through DNS MX record) in order to check which one can be used for such hostile intent. Suspicious servers will be marked with SPYING-MX string. 
Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent a directory harvest attack. 

$ dnstwist.py --mxcheck example.com  

Not always domain names generated by the fuzzing algorithms are sufficient. To generate even more domain name variants please feed dnstwist with a dictionary file. Some dictionary samples with a list of the most common words used in targeted phishing campaigns are included. Feel free to adapt it to your needs. 

$ dnstwist.py --dictionary dictionaries/english.dict example.com  

Apart from the default nice and colorful text terminal output, the tool provides two well known and easy to parse output formats: CSV and JSON. Use it for data interchange. 

$ dnstwist.py --csv example.com > out.csv  $ dnstwist.py --json example.com > out.json  

Usually generated list of domains has more than a hundred of rows - especially for longer domain names. In such cases, it may be practical to display only registered (resolvable) ones using --registered argument. 

$ dnstwist.py --registered example.com  

The tool is shipped with built-in GeoIP database. Use --geoip argument to display geographical location (country name) for each IPv4 address. 

$ dnstwist.py --geoip example.com  

Of course all of the features offered by dnstwist together with brief descriptions are always available at your fingertips: 


$ dnstwist.py --help  



Share:

Local Pentest Transform Package - Sploitego


Sploitego is a local pen-test transform package that uses the Canari Framework for local transform execution in Maltego. The framework was first introduced at DEFCON 20 and has since picked up steam.






Sploitego has currently been tested on Mac OS X and Linux.


Sploitego is only supported on Python version 2.6. The setup script will automatically download and install most of the prerequisite modules, however, some modules will still need to be installed manually.




Some of the transforms require external command-line tools (e.g. nmap, amap, p0f, etc.). The following command-line tools are currently supported:

ºNmap version 5.51: Download
ºP0f version 3.05b: Download
ºAmap version 5.4: Download
ºMetasploit: Download
ºNessus: Download





Share:

Saturday, January 23, 2016

Admin Page Finder Script




This python script looks for a large amount of possible administrative interfaces on a given site




Admin Page Finder Script



Share:

Open Source Intelligence - Maltego



What is Maltego?

With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order is essential, yet the threat picture of your “environment” is not always clear or complete. In fact, most often it’s not what we know that is harmful – it’s what we don’t know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based?

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user with unprecedented information. Information is leverage. Information is power. Information is Maltego.




Open Source Intelligence:

Maltego is a program that can be used to determine the relationships and real world links between:

ºPeople
ºGroups of people (social networks)
ºCompanies
ºOrganizations
ºWeb sites
ºInternet infrastructure such as:
  ºDomains
  ºDNS names
  ºNetblocks
  ºIP addresses
ºPhrases
ºAffiliations
ºDocuments and files




What can Maltego do for me?

ºMaltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
ºMaltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
ºMaltego provide you with a much more powerful search, giving you smarter results.
ºIf access to “hidden” information determines your success, Maltego can help you discover it.

These entities are linked using open source intelligence. Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux. Tool provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections. Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.


Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.



Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition