iCloudBrutter - AppleID Bruteforce

iCloudBrutter is a simple python (3.x) script to perform basic bruteforce attack againts AppleID.

Usage of iCloudBrutter for attacking targets without prior mutual consent is illegal. iCloudBrutter developer not responsible to any damage caused by iCloudBrutter.

Installation

$ git clone https://github.com/m4ll0k/iCloudBrutter.git
$ cd iCloudBrutter
$ pip3 install requests,urllib3,socks
$ python3 icloud.py

Download iCloudBrutter

Read More

CLOUDKiLL3R - Bypasses Cloudflare Protection Service Via TOR Browser

CLOUDKiLL3R bypasses Cloudflare protection service via TOR Browser !

CLOUDKiLL3R Requirements :

• TOR Browser to scan as many sites as you want :)
• Python Compiler

CLOUDKiLL3R Installation ?
Make sure that TOR Browser is up and running while working with CLOUDKiLL3R .
Make sure that the IP AND PORT are the same in TOR Browser preferences > advanced > Networks
Include the files below in one folder :

• FILTER.txt
• CK.pl

Make Sure The Modules Below Are Installed If NOT > use this command to install one : pip install [module name]

• argparse
• socks
• socket
• requests
• sys

Contact :
Twitter.com/moh_security

Download CLOUDKiLL3R

Read More

WPSeku v0.4 - Wordpress Security Scanner

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Installation

$ git clone https://github.com/m4ll0k/WPSeku.git wpseku
$ cd wpseku
$ pip3 install -r requirements.txt
$ python3 wpseku.py

Usage

Generic Scan

python3 wpseku.py --url https://www.xxxxxxx.com --verbose

• Output

----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: https://www.xxxxxxx.com
[ + ] Starting: 02:38:51

[ + ] Server: Apache
[ + ] Uncommon header "X-Pingback" found, with contents: https://www.xxxxxxx.com/xmlrpc.php
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
[ i ] Checking wp-config backup file...
[ + ] wp-config.php available at: https://www.xxxxxxx.com/wp-config.php
[ i ] Checking common files...
[ + ] robots.txt file was found at: https://www.xxxxxxx.com/robots.txt
[ + ] xmlrpc.php file was found at: https://www.xxxxxxx.com/xmlrpc.php
[ + ] readme.html file was found at: https://www.xxxxxxx.com/readme.html
[ i ] Checking directory listing...
[ + ] Dir "/wp-admin/css" listing enable at: https://www.xxxxxxx.com/wp-admin/css/
[ + ] Dir "/wp-admin/images" listing enable at: https://www.xxxxxxx.com/wp-admin/images/
[ + ] Dir "/wp-admin/includes" listing enable at: https://www.xxxxxxx.com/wp-admin/includes/
[ + ] Dir "/wp-admin/js" listing enable at: https://www.xxxxxxx.com/wp-admin/js/
......

Bruteforce Login

python3 wpseku.py --url https://www.xxxxxxx.com --brute --user test --wordlist wl.txt --verbose

• Output

----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: https://www.xxxxxxx.com
[ + ] Starting: 02:46:32

[ + ] Bruteforcing Login via XML-RPC...
[ i ] Setting user: test
[ + ] Valid Credentials: 

-----------------------------
| Username | Passowrd       |
-----------------------------
| test     | kamperasqen13  |
-----------------------------

Scan plugin,theme and wordpress code

python3 wpseku.py --scan <dir/file> --verbose

Note: Testing Akismet Directory Plugin https://plugins.svn.wordpress.org/akismet

• Output

----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Checking PHP code...
[ + ] Scanning directory...
[ i ] Scanning trunk/class.akismet.php file
----------------------------------------------------------------------------------------------------------
| Line | Possibile Vuln.      | String                                                                   |
----------------------------------------------------------------------------------------------------------
|  597 | Cross-Site Scripting | [b"$_GET['action']", b"$_GET['action']"]                                 |
|  601 | Cross-Site Scripting | [b"$_GET['for']", b"$_GET['for']"]                                       |
|  140 | Cross-Site Scripting | [b"$_POST['akismet_comment_nonce']", b"$_POST['akismet_comment_nonce']"] |
|  144 | Cross-Site Scripting | [b"$_POST['_ajax_nonce-replyto-comment']"]                               |
|  586 | Cross-Site Scripting | [b"$_POST['status']", b"$_POST['status']"]                               |
|  588 | Cross-Site Scripting | [b"$_POST['spam']", b"$_POST['spam']"]                                   |
|  590 | Cross-Site Scripting | [b"$_POST['unspam']", b"$_POST['unspam']"]                               |
|  592 | Cross-Site Scripting | [b"$_POST['comment_status']", b"$_POST['comment_status']"]               |
|  599 | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"]                               |
|  214 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]               |
|  403 | Cross-Site Scripting | [b"$_SERVER['REQUEST_TIME_FLOAT']", b"$_SERVER['REQUEST_TIME_FLOAT']"]   |
|  861 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']", b"$_SERVER['REMOTE_ADDR']"]                 |
|  930 | Cross-Site Scripting | [b"$_SERVER['HTTP_USER_AGENT']", b"$_SERVER['HTTP_USER_AGENT']"]         |
|  934 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]               |
| 1349 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']"]                                             |
----------------------------------------------------------------------------------------------------------
[ i ] Scanning trunk/wrapper.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/akismet.php file
-----------------------------------------------
| Line | Possibile Vuln.    | String          |
-----------------------------------------------
|   55 | Authorization Hole | [b'is_admin()'] |
-----------------------------------------------
[ i ] Scanning trunk/class.akismet-cli.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/class.akismet-widget.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/index.php file
[ + ] Not found vulnerabilities
[ i ] Scanning trunk/class.akismet-admin.php file
--------------------------------------------------------------------------------------------------------------------
| Line | Possibile Vuln.      | String                                                                             |
--------------------------------------------------------------------------------------------------------------------
|   39 | Cross-Site Scripting | [b"$_GET['page']", b"$_GET['page']"]                                               |
|  134 | Cross-Site Scripting | [b"$_GET['akismet_recheck']", b"$_GET['akismet_recheck']"]                         |
|  152 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  190 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  388 | Cross-Site Scripting | [b"$_GET['recheckqueue']"]                                                         |
|  841 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  843 | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
|  850 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
|  851 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
|  852 | Cross-Site Scripting | [b"$_GET['_wpnonce']", b"$_GET['_wpnonce']"]                                       |
|  868 | Cross-Site Scripting | [b"$_GET['token']", b"$_GET['token']"]                                             |
|  869 | Cross-Site Scripting | [b"$_GET['token']"]                                                                |
|  873 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
|  874 | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
| 1005 | Cross-Site Scripting | [b"$_GET['akismet_recheck_complete']"]                                             |
| 1006 | Cross-Site Scripting | [b"$_GET['recheck_count']"]                                                        |
| 1007 | Cross-Site Scripting | [b"$_GET['spam_count']"]                                                           |
|   31 | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"]                                         |
|  256 | Cross-Site Scripting | [b"$_POST['_wpnonce']"]                                                            |
|  260 | Cross-Site Scripting | [b'$_POST[$option]', b'$_POST[$option]']                                           |
|  267 | Cross-Site Scripting | [b"$_POST['key']"]                                                                 |
|  392 | Cross-Site Scripting | [b"$_POST['offset']", b"$_POST['offset']", b"$_POST['limit']", b"$_POST['limit']"] |
|  447 | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
|  448 | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
|  460 | Cross-Site Scripting | [b"$_POST['id']", b"$_POST['url']"]                                                |
|  461 | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
|  464 | Cross-Site Scripting | [b"$_POST['url']"]                                                                 |
|  388 | Cross-Site Scripting | [b"$_REQUEST['action']", b"$_REQUEST['action']"]                                   |
|  400 | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]                         |
--------------------------------------------------------------------------------------------------------------------
[ i ] Scanning trunk/class.akismet-rest-api.php file
[ + ] Not found vulnerabilities

Credits and Contributors
Original idea and script from WPScan Team (https://wpscan.org/)
WPScan Vulnerability Database (https://wpvulndb.com/api)

Download WPSeku

Read More

Nmap 7.70 - Free Security Scanner: Better service and OS detection, 9 new NSE scripts, new Npcap, and much more

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Features

• Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
• Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
• Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
• Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
• Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
• Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
• Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
• Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Changelog

Here is the full list of significant changes:

• [Windows] We made a ton of improvements to our Npcap Windows packet
capturing library (https://nmap.org/npcap/) for greater performance and
stability, as well as smoother installer and better 802.11 raw frame
capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
0.99-r2, including all these changes from the last seven Npcap releases:
https://nmap.org/npcap/changelog

• Integrated all of your service/version detection fingerprints submitted
from March 2017 to August 2017 (728 of them). The signature count went up
1.02% to 11,672, including 26 new softmatches.  We now detect 1224
protocols from filenet-pch, lscp, and netassistant to sharp-remote,
urbackup, and watchguard.  We will try to integrate the remaining
submissions in the next release.

• Integrated all of your IPv4 OS fingerprint submissions from September
2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new
total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android
7, and more.

• Integrated all 33 of your IPv6 OS fingerprint submissions from September
2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were
added, as well as strengthened groups for Linux and OS X.

• Added the --resolve-all option to resolve and scan all IP addresses of a
host.  This essentially replaces the resolveall NSE script. [Daniel Miller]

• [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
traversal vulnerability) in the way the non-default http-fetch script
sanitized URLs. If a user manualy ran this NSE script against a malicious
web server, the server could potentially (depending on NSE arguments used)
cause files to be saved outside the intended destination directory.
Existing files couldn't be overwritten.  We fixed http-fetch, audited our
other scripts to ensure they didn't make this mistake, and updated the
httpspider library API to protect against this by default. [nnposter,
Daniel Miller]

• [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - deluge-rpc-brute performs brute-force credential testing against
   Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
   - hostmap-crtsh lists subdomains by querying Google's Certificate
   Transparency logs. [Paulino Calderon]
   - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
   reports back the IP address and port of the actual server behind the
   load-balancer. [Seth Jackson]
   - http-jsonp-detection Attempts to discover JSONP endpoints in web
   servers. JSONP endpoints can be used to bypass Same-origin Policy
   restrictions in web browsers. [Vinamra Bhatia]
   - http-trane-info obtains information from Trane Tracer SC controllers
   and connected HVAC devices. [Pedro Joaquin]
   - [GH#609] nbd-info uses the new nbd.lua library to query Network Block
   Devices for protocol and file export information. [Mak Kolybabi]
   - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
   vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
   SSH and TLS services. [Daniel Miller]
   - [GH#987] smb-enum-services retrieves the list of services running on a
   remote Windows machine. Modern Windows systems requires a privileged domain
   account in order to list the services. [Rewanth Cool]
   - tls-alpn checks TLS servers for Application Layer Protocol Negotiation
   (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
   which tls-nextprotoneg was written for. [Daniel Miller]

• [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN.
This was causing Ncat 7.60 in connect mode to quit with error: libnsock
select_loop(): nsock_loop error 10038: An operation was attempted on
something that is not a socket.  [nnposter]

• [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
renegotiation, the same issue that was partially fixed for server mode in
[GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
Miller]

• [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
misbehaving or rate-limiting services. Most significantly,
brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
reporing infinite loops and proposing changes.

• [NSE] VNC scripts now support Apple Remote Desktop authentication (auth
type 30) [Daniel Miller]

• [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed
out. [Aniket Pandey]

• [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
message, since the first message usually only has one address in it. [h43z]

• [Ncat][GH#1139] Ncat now selects the correct default port for a given
proxy type. [Pavel Zhukov]

• [NSE] memcached-info can now gather information from the UDP memcached
service in addition to the TCP service. The UDP service is frequently used
as a DDoS reflector and amplifier. [Daniel Miller]

• [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]

• Removed deprecated and undocumented aliases for several long options that
used underscores instead of hyphens, such as --max_retries. [Daniel Miller]

• Improved service scan's treatment of soft matches in two ways. First of
all, any probes that could result in a full match with the soft matched
service will now be sent, regardless of rarity.  This improves the chances
of matching unusual services on non-standard ports.  Second, probes are now
skipped if they don't contain any signatures for the soft matched service.
Perviously the probes would still be run as long as the target port number
matched the probe's specification.  Together, these changes should make
service/version detection faster and more accurate.  For more details on
how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]

• --version-all now turns off the soft match optimization, ensuring that
all probes really are sent, even if there aren't any existing match lines
for the softmatched service. This is slower, but gives the most
comprehensive results and produces better fingerprints for submission.
[Daniel Miller]

• [NSE][GH#1083] New set of Telnet softmatches for version detection based
on Telnet DO/DON'T options offered, covering a wide variety of devices and
operating systems. [D Roberson]

• [GH#1112] Resolved crash opportunities caused by unexpected libpcap
version string format. [Gisle Vanem, nnposter]

• [NSE][GH#1090] Fix false positives in rexec-brute by checking responses
for indications of login failure. [Daniel Miller]

• [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
destination directories. [Aniket Pandey]

• [NSE] Added new fingerprints to http-default-accounts:
+ Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
+ [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob
Fitzpatrick, Paulino Calderon]

• Added a new service detection match for WatchGuard Authentication
Gateway. [Paulino Calderon]

• [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
(parameter qscan.delay). [nnposter]

• [NSE][GH#1046] Script http-headers now fails properly if the target does
not return a valid HTTP response. [spacewander]

• [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
default, in accordance with RFC 7465. [Codarren Velvindron]

• [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused
by not checking the error code in responses. Implementations which return
an error are not vulnerable. [Juho Jokelainen]

• [NSE][GH#958] Two new libraries for NSE.

   - idna - Support for internationalized domain names in applications
   (IDNA)
   - punycode (a transfer encoding syntax used in IDNA) [Rewanth Cool]

• [NSE] New fingerprints for http-enum:

   - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
   - [GH#767] Many WordPress version detections [Rewanth Cool]

• [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues
[nnposter]:

   - Usernames and/or passwords could not be empty
   - Passwords could not contain colons
   - SOCKS5 authentication was not properly documented
   - SOCKS5 authentication had a memory leak

• [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to
be run. [Lukas Schwaighofer]

• [GH#977] Improved DNS service version detection coverage and consistency
by using data from a Project Sonar Internet wide survey. Numerouse false
positives were removed and reliable softmatches added. Match lines for
version.bind responses were also conslidated using the technique below.
[Tom Sellers]

• [GH#977] Changed version probe fallbacks so as to work cross protocol
(TCP/UDP). This enables consolidating match lines for services where the
responses on TCP and UDP are similar. [Tom Sellers]

• [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle
compression. This work started during GSOC 2014, so we're particularly
pleased to finally integrate it! [Claudiu Perta, Daniel Miller]

• [NSE][GH#1004] Fixed handling of brute.retries variable. It was being
treated as the number of tries, not retries, and a value of 0 would result
in infinite retries. Instead, it is now the number of retries, defaulting
to 2 (3 total tries), with no option for infinite retries.

• [NSE] http-devframework-fingerprints.lua supports Jenkins server
detection and returns extra information when Jenkins is detected [Vinamra
Bhatia]

• [GH#926] The rarity level of MS SQL's service detection probe was
decreased. Now we can find MS SQL in odd ports without increasing version
intensity. [Paulino Calderon]

• [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version".
We were always reporting the version number of the included source, even
when a different version was actually linked. [Pavel Zhukov]

• Add a new helper function for nmap-service-probes match lines: $I(1,">")
will unpack an unsigned big-endian integer value up to 8 bytes wide from
capture 1. The second option can be "<" for little-endian. [Daniel Miller]

Download Nmap 7.70

Read More

Taipan - Web Application Security Scanner

Taipan is a an automated web application scanner which allows to identify web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which include other components, like a web dashboard where you can manage your scan or download a PDF report and a scanner agent to run on specific host. Below are some screenshots of the Taipan dashboard:

If you are interested in trying the full product, you can contact: aparata[AT]gmail.com
Download

• Source code
• Download binary

Using Taipan
Taipan can run on both Windows (natively) and Linux (with mono). To run it in Linux you have to install mono in version >= 4.8.0. You can track the implementation of the new features in the related Kanban board.

Scan Profile
Taipan allow to scan the given web site by specify different kind of profiles. Each profile enable or disable a specific scan feature, to show all the available profile just run Taipan with the --show-profiles option.

Scan/Stop/Pause a scan
During a scan you can interact with it by set the scan in Pause or Stop it if necessary. In order to do so you have to press:

• P: pause the scan
• S: stop the scan
• R: resume a paused scan

The state change is not immediate and you have to wait until all threads have reached the desider state.

Launch a scan
To launch a new scan you have to provide the url and the profile which must be used. It is not necessary to specify the full profile name, a prefix is enough. Below an example of execution:

Taipan Components
Taipan is composed of four main components:

• Web Application fingerprinter: it inspects the given application in order to identify if it is a COTS application. If so, it extracts the identified version.
• Hidden Resource Discovery: this component scans the application in order to identify resources that are not directly navigable or that shouldn't be accessed, like secret pages or test pages.
• Crawler: This component navigates the web site in order to provide to the other components a list of pages to analyze. It allows to mutate the request in order to find not so common pathes.
• Vulnerability Scanner: this component probes the web application and tries to identify possible vulnerabilities. It is composed of various AddOn in order to easily expand its Knowledge Base.

Download Taipan

Read More

XBruteForcer - CMS Brute Force Tool (WP, Joomla, DruPal, OpenCart, Magento)

Brute Force Tool: WP , Joomla , DruPal , OpenCart , Magento

Simple brute force script
[1] WordPress (Auto Detect Username)
[2] Joomla
[3] DruPal
[4] OpenCart
[5] Magento
[6] All (Auto Detect CMS)

Usage

Short Form	Long Form	Description
-l	--list	websites list
-p	--passwords	Passwords list

Example
perl XBruteForcer.pl -l list.txt -p passwords.txt

for coloring in windows Add This Line
use Win32::Console::ANSI;

BUG ?

• Submit new issue
• pm me in gmail
• do you want ask about all my tools ? you can add me in https://fb.me/moham3driahi

Installation Linux

git clone https://github.com/Moham3dRiahi/XBruteForcer.git
cd XBruteForcer
perl XBruteForcer.pl -l list.txt -p passwords.txt 

Installation Android
Download Termux

cpan install LWP::UserAgent
cpan install HTTP::Request
git clone https://github.com/Moham3dRiahi/XBruteForcer.git
cd XBruteForcer
perl XBruteForcer.pl -l list.txt -p passwords.txt 

Installation Windows

Download Perl
Download XBruteForcer
Extract XBruteForcer into Desktop
Open CMD and type the following commands:
cd Desktop/XBruteForcer-master/
perl XBruteForcer.pl -l list.txt -p passwords.txt 

Version
Current version is 1.2 What's New
• speed up
• Bug fixes
version 1.1
• Bug fixes

Download XBruteForcer

Read More

CTFR - Get subdomains of an HTTPS website abusing Certificate Transparency logs

Do you miss AXFR technique? This tool allows to get the subdomains from a HTTPS website in a few seconds.
How it works? CTFR does not use neither dictionary attack nor brute-force, it just abuses of Certificate Transparency logs.
For more information about CT logs, check www.certificate-transparency.org.

Getting Started
Please, follow the instructions below for installing and run CTFR.

Pre-requisites
Make sure you have installed the following tools:

Python 3.0 or later.
pip3 (sudo apt-get install python3-pip).

Installing

git clone https://github.com/UnaPibaGeek/ctfr.git
cd ctfr
pip3 install -r requirements.txt

Running

python3 ctfr.py --help

Usage
Parameters and examples of use.

Parameters

-d --domain [target_domain] (required)
-o --output [output_file] (optional)

Examples

python3 ctfr.py -d starbucks.com

python3 ctfr.py -d facebook.com -o /home/shei/subdomains_fb.txt

Screenshot

Author

• Sheila A. Berta - (@UnaPibaGeek).

Download CTFR

Read More

An Unicode Domain Phishing Generator for IDN Homograph Attack - EvilURL v2.0

Generate unicode evil domains for IDN Homograph Attack and detect them.

PREREQUISITES

• python 3.x for evilurl3.py

TESTED ON: Kali Linux - ROLLING EDITION

CLONE

git clone https://github.com/UndeadSec/EvilURL.git

RUNNING

cd EvilURL
python3 evilurl.py

CHANGELOG

• Full script updated to Python 3.x
  { Python 2.x support closed }
• CheckURL Module.
  { Now you can check if an url is evil.
  Now you can check connection from an evil url. }
• Better interactivity.
  { Better interface and design. }

VIDEO DEMO

Download EvilURL

Read More

Know The Dangers Of Credential Reuse Attacks - Cr3dOv3r v0.3

Your best friend in credential reuse attacks.

Cr3dOv3r simply you give it an email then it does two simple jobs (but useful) :

• Search for public leaks for the email and if it any, it returns with all available details about the leak (Using hacked-emails site API).
• Now you give it this email's old or leaked password then it checks this credentials against 16 websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!

Imagine with me this scenario

• You checking a targeted email with this tool.
• The tool finds it in a leak so you open the leakage link.
• You get the leaked password after searching the leak.
• Now you back to the tool and enters this password to check if there's any website the user uses the same password in it.
• You imagine the rest

Screenshots

Usage

usage: Cr3d0v3r.py [-h] email

positional arguments:
  email       Email/username to check
a
optional arguments:
  -h, --help  show this help message and exit

Installing and requirements

To make the tool work at its best you must have :

• Python 3.x.
• Linux or windows system.
• The requirements mentioned in the next few lines.

Installing
+For windows : (After downloading ZIP and upzip it)

cd Cr3dOv3r-master
python -m pip install -r win_requirements.txt
python Cr3dOv3r.py -h

+For linux :

git clone https://github.com/D4Vinci/Cr3dOv3r.git
chmod 777 -R Cr3dOv3r-master
cd Cr3dOv3r-master
pip3 install -r requirements.txt
python Cr3dOv3r.py -h

If you want to add a website to the tool, follow the instructions in the wiki

Contact

• Twitter

Download Cr3dOv3r v0.3

Read More

Analyze The Security Of Any Domain By Finding All the Information Possible - Domain Analyzer

Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.

How

Domain analyzer takes a domain name and finds information about it, such as DNS servers, mail servers, IP addresses, mails on Google, SPF information, etc. After all the information is stored and organized it scans the ports of every IP found using nmap and perform several other security checks. After the ports are found, it uses the tool crawler.py from @verovaleros, to spider the complete web page of all the web ports found. This tool has the option to download files and find open folders.

Current version is 0.8 and the main features are:

• It creates a directory with all the information, including nmap output files.
• It uses colors to remark important information on the console.
• It detects some security problems like host name problems, unusual port numbers and zone transfers.
• It is heavily tested and it is very robust against DNS configuration problems.
• It uses nmap for active host detection, port scanning and version information (including nmap scripts).
• It searches for SPF records information to find new hostnames or IP addresses.
• It searches for reverse DNS names and compare them to the hostname.
• It prints out the country of every IP address.
• It creates a PDF file with results.
• It automatically detects and analyze sub-domains!
• It searches for domains emails.
• It checks the 192 most common hostnames in the DNS servers.
• It checks for Zone Transfer on every DNS server.
• It finds the reverse names of the /24 network range of every IP address.
• It finds active host using nmap complete set of techniques.
• It scan ports using nmap (remember that for the SYN scan you need to need root).
• It searches for host and port information using nmap.
• It automatically detects web servers used.
• It crawls every web server page using our crawler.py tool. See the description below.
• It filters out hostnames based on their name.
• It pseudo-randomly searches N domains in Google and automatically analyze them!
• Uses CTRL-C to stop current analysis stage and continue working.
• It can read an external file with domain names and try to find them on the domain.

Bonus features
@verovaleros developed a separate python web crawler called "crawler.py". Its main features are:

• Crawl http and https web sites.
• Crawl http and https web sites not using common ports.
• Uses regular expressions to find 'href' and 'src' html tag. Also content links.
• Identifies relative links.
• Identifies domain related emails.
• Identifies directory indexing.
• Detects references to URLs like 'file:', 'feed=', 'mailto:', 'javascript:' and others.
• Uses CTRL-C to stop current crawler stages and continue working.
• Identifies file extensions (zip, swf, sql, rar, etc.)
• Download files to a directory:
  • Download every important file (images, documents, compressed files).
  • Or download specified files types.
  • Or download a predefined set of files (like 'document' files: .doc, .xls, .pdf, .odt, .gnumeric, etc.).
• Maximum amount of links to crawl. A default value of 5000 URLs is set.
• Follows redirections using HTML and JavaScript Location tag and HTTP response codes.

This extended edition has more features!

• World-domination: You can automatically analyze the whole world! (if you have time)
• Robin-hood: Although it is still in development, it will let you send automatically an email to the mails found during scan with the analysis information.
• Robtex DNS: With this incredible function, every time you found a DNS servers with Zone Transfer, it will retrieve from the Robtex site other domains using that DNS server! It will automatically analyze them too! This can be a never ending test! Every vulnerable DNS server can be used by hundreds of domains, which in turn can be using other vulnerable DNS servers. BEWARE! Domains retrieved can be unrelated to the first one.

Examples

• Find 10 random domains in the .gov domain and analyze them fully (including web crawling). If it finds some Zone Transfer, retrieve more domains using them from Robtex!!

  domain_analyzer.py -d .gov -k 10 -b

• (Very Quick and dirty) Find everything related with .edu.cn domain, store everything in directories. Do not search for active host, do not nmap scan them, do not reverse-dns the netblock, do not search for emails.

  domain_analyzer.py -d edu.cn -b -o -g -a -n

• Analyze the 386.edu.ru domain fully

  domain_analyzer.py -d 386.edu.ru -b -o

• (Pen tester mode). Analyze a domain fully. Do not find other domains. Print everything in a pdf file. Store everything on disk. When finished open Zenmap and show me the topology every host found at the same time!

  domain_analyzer.py -d amigos.net -o -e

• (Quick with web crawl only). Ignore everything with 'google' on it.

  domain_analyzer.py -d mil.cn -b -o -g -a -n -v google -x '-O --reason --webxml --traceroute -sS -sV -sC -PN -n -v -p 80,4443'

• (Everything) Crawl up to 100 URLs of this site including subdomains. Store output into a file and download every INTERESTING file found to disk.

  crawler.py -u www.386.edu.ru -w -s -m 100 -f

• (Quick and dirty) Crawl the site very quick. Do not download files. Store the output to a file.

  crawler.py -u www.386.edu.ru -w -m 20

• (If you want to analyze metadata later with lafoca). Verbose prints which extensions are being downloaded. Download only the set of archives corresponding to Documents (.doc, .docx, .ppt, .xls, .odt. etc.)

  crawler.py -u ieeeexplore.ieee.org/otherfiles/ -d -v

Most of these features can be deactivated.

Screenshots

1. Example domain_analyzer.py -d .gov -k 10 -b

Installation
Just untar the .tar.gz file and copy the python files to the /usr/bin/ directory. Domain_analyzer needs to be run as root. The crawler can be run as a non-privileged user. If you want all the features (web crawler, pdf and colors), which is nice, also copy these files to /usr/bin or /usr/local/bin

• ansistrm.py
• crawler.py
• pyText2pdf.py

If you have any issues with the GeoIP database, please download it from its original source here. And install it in where your system needs it, usually at /opt/local/share/GeoIP/GeoIP.dat

Download Domain Analyzer

Read More