

Friday, August 26, 2016

Automated Penetration Toolkit - APT2




This tool will perform an NMap scan, or import the results of a scan from Nexpose, Nessus, or NMap. The processed results will be used to launch exploit and enumeration modules according to the configurable Safe Level and the enumerated service information.

All module results are stored on localhost and are part of APT2's Knowledge Base (KB). The KB is accessible from within the application and allows the user to view the harvested results of an exploit module.

Setup
On Kali Linux install python-nmap library:
sudo pip install python-nmap
sudo pip install neovim

Configuration (Optional)
APT2 uses the default.cfg file in the root directory. Edit this file to configure APT2 to run as you desire.
Current options include:
  • metasploit
  • nmap
  • threading

Metasploit RPC API (metasploit)
APT2 can utilize your host's Metasploit RPC interface (MSGRPC). Additional information can be found here: https://help.rapid7.com/metasploit/Content/api-rpc/getting-started-api.html

NMAP
Configure NMAP scan settings to include the target, scan type, scan port range, and scan flags. These settings can be configured while the program is running.

Threading
Configure the number of the threads APT2 will use.

Run:

No Options:
python apt2 or ./apt2

With Configuration File
python apt2 -C <config.txt>

Import Nexpose, Nessus, or NMap XML
python apt2 -f <nmap.xml>

Specify Target Range to Start
python apt2 --target 192.168.1.0/24

Safe Level
Safe levels indicate how safe a module is to run against a target. The scale runs from 1 to 5, with 5 being the safest. The default configuration uses a Safe Level of 4, but it can be set with the -s or --safelevel command line flag.
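The import-then-gate flow described above (parse a scan, build a knowledge base of live hosts and open services, then pick modules by triggering service and minimum safe level) can be sketched in a few dozen lines. This is an added example, not APT2's own code: the Nmap XML is a constructed sample, the module-to-service mapping and the safe level assigned to each module are assumptions for illustration (only the module names are taken from the module list on this page), and nothing is executed against a host.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML standing in for a real `nmap -oX` result (assumption).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.12">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5900"><state state="closed"/><service name="vnc"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical module catalogue: (module, triggering nmap service name, safe level, 5 = safest).
# Module names come from the APT2 module list; the trigger/level pairing is an assumption.
MODULES = [
    ("anonftp",              "ftp",          5),
    ("httpserverversion",    "http",         5),
    ("nullsessionsmbclient", "microsoft-ds", 4),
    ("hydrasmbpassword",     "microsoft-ds", 2),
    ("msf_vncnoneauth",      "vnc",          4),
    ("msf_ms08_067",         "microsoft-ds", 1),
]


def load_nmap_xml(xml_text):
    """Build a knowledge base {ip: {(port, service): product}} from live hosts' open ports only."""
    kb = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        services = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                      # closed/filtered ports never trigger a module
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            services[(int(port.get("portid")), name)] = product
        kb[addr] = services
    return kb


def select_modules(kb, safe_level, modules=MODULES):
    """Return [(module, ip, port)] for every service with a matching module at or above safe_level."""
    plan = []
    for ip, services in sorted(kb.items()):
        for (port, name) in sorted(services):
            for module, trigger, level in modules:
                if trigger == name and level >= safe_level:
                    plan.append((module, ip, port))
    return plan


if __name__ == "__main__":
    kb = load_nmap_xml(SAMPLE_NMAP_XML)
    for module, ip, port in select_modules(kb, safe_level=4):
        print(f"[safe>=4] {module:22s} -> {ip}:{port}")
```

Lowering the threshold to 1 adds the password brute force and the MS08-067 exploit to the plan, which is exactly why the default of 4 keeps a scan from turning into an unintended attack.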

Usage:
usage: apt2.py [-h] [-C <config.txt>] [-f [<input file> [<input file> ...]]]
[--target] [--ip <local IP>] [-v] [-s SAFE_LEVEL] [-b]
[--listmodules]

optional arguments:
-h, --help show this help message and exit
-v, --verbosity increase output verbosity
-s SAFE_LEVEL, --safelevel SAFE_LEVEL
set min safe level for modules
-b, --bypassmenu bypass menu and run from command line arguments

inputs:
-C <config.txt> config file
-f [<input file> [<input file> ...]]
one or more input files separated by spaces
--target initial scan target(s)

ADVANCED:
--ip <local IP> defaults to ip of interface

misc:
--listmodules list out all current modules


Modules
-----------------------
LIST OF CURRENT MODULES
-----------------------
nmaploadxml Load NMap XML File
hydrasmbpassword Attempt to bruteforce SMB passwords
nullsessionrpcclient Test for NULL Session
msf_snmpenumshares Enumerate SMB Shares via LanManager OID Values
nmapbasescan Standard NMap Scan
impacketsecretsdump Test for NULL Session
msf_dumphashes Gather hashes from MSF Sessions
msf_smbuserenum Get List of Users From SMB
anonftp Test for Anonymous FTP
searchnfsshare Search files on NFS Shares
crackPasswordHashJohnTR Attempt to crack any password hashes
msf_vncnoneauth Detect VNC Services with the None authentication type
nmapsslscan NMap SSL Scan
nmapsmbsigning NMap SMB-Signing Scan
responder Run Responder and watch for hashes
msf_openx11 Attempt Login To Open X11 Service
nmapvncbrute NMap VNC Brute Scan
msf_gathersessioninfo Get Info about any new sessions
nmapsmbshares NMap SMB Share Scan
userenumrpcclient Get List of Users From SMB
httpscreenshot Get Screen Shot of Web Pages
httpserverversion Get HTTP Server Version
nullsessionsmbclient Test for NULL Session
openx11 Attempt Login To Open X11 Service and Get Screenshot
msf_snmplogin Attempt Login Using Common Community Strings
msf_snmpenumusers Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values
httpoptions Get HTTP Options
nmapnfsshares NMap NFS Share Scan
msf_javarmi Attempt to Exploit A Java RMI Service
anonldap Test for Anonymous LDAP Searches
ssltestsslserver Determine SSL protocols and ciphers
gethostname Determine the hostname for each IP
sslsslscan Determine SSL protocols and ciphers
nmapms08067scan NMap MS08-067 Scan
msf_ms08_067 Attempt to exploit MS08-067




A DNS meta-query spider that enumerates DNS records, and subdomains - SubBrute v2.0




SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting ( https://www.us-cert.gov/ncas/alerts/TA13-088A ). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

Whats new in v2.0?
A lot of exciting updates... except for the readme file, which still needs to be updated.

What's new in v1.2.1?
The big news in this version is that SubBrute is now a recursive DNS spider, and also a library; more on this later. SubBrute should be easy to use, so the interface should be intuitive (like nmap!); if you would like the interface to change, let us know. In this version we are opening up SubBrute's fast DNS resolution pipeline for any DNS record type. Additionally, SubBrute now has a feature to detect subdomains whose resolution is intentionally blocked, which sometimes happens when a subdomain is intended for use on an internal network.
  • SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)
  • --type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)
  • -s can now read subdomains from result files.
  • New usage - The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
    ./subbrute.py google.com -o google.names
...162 subdomains found...

./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...

./subbrute.py -s google.names google.com --type CNAME
blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...
  • SubBrute is now a subdomain enumeration library with a Python interface: subbrute.run(). Do you want to use SubBrute in your Python projects? Consider the following:
    import subbrute

    for d in subbrute.run("google.com"):
        print(d)
Feedback welcome.

What's new in v1.1?
This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r are in this release. In SubBrute 1.1 we fixed bugs and improved accuracy and efficiency. As requested, this project is now GPLv3.
Accuracy and better wildcard detection:
  • A new filter that can pickup geolocation aware wildcards.
  • Filter misbehaving nameservers
Faster:
  • More than 2,000 high quality nameservers were added to resolvers.txt, these servers will resolve multiple queries in under 1 sec.
  • Nameservers are verified when they are needed. A separate thread is responsible for creating a feed of nameservers and the corresponding wildcard blacklist.
New output:
  • -a will list all addresses associated with a subdomain.
  • -v debug output, to help developers/hackers debug subbrute.
  • -o output results to file.
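Two of the features above, the recursive spider from v1.2.1 and the wildcard filter from v1.1, are easy to get wrong, so here is the core of both in a stand-alone form. This is an added example, not SubBrute's code: resolution goes through an injectable resolve() function backed by a constructed zone (assumption) so it runs offline; in real use you would swap in dnspython queries against the open resolvers in resolvers.txt. The wildcard check works by resolving random labels under each parent and discarding any candidate whose answer set is identical to the wildcard's.

```python
import random
import string

# Constructed zone standing in for the target's DNS (assumption). The "*.example.com"
# entry is a wildcard: without filtering, every word in the list would "exist".
ZONE = {
    "example.com":         {"93.184.216.34"},
    "www.example.com":     {"93.184.216.34"},
    "mail.example.com":    {"203.0.113.10"},
    "dev.example.com":     {"198.51.100.5"},
    "api.dev.example.com": {"198.51.100.6"},
    "*.example.com":       {"203.0.113.99"},
}

WORDLIST = ["www", "mail", "dev", "api", "vpn", "test"]   # tiny stand-in for names.txt


def fake_resolve(name):
    """Offline resolver: exact node first, then the nearest enclosing wildcard, else NXDOMAIN."""
    if name in ZONE:
        return set(ZONE[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in ZONE:
            return set(ZONE[wildcard])
    return set()


def wildcard_answers(parent, resolve, probes=2):
    """Resolve random labels under `parent`; whatever they return is the wildcard's answer set."""
    answers = set()
    for _ in range(probes):
        nonce = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
        answers |= resolve(f"{nonce}.{parent}")
    return answers


def enumerate_subdomains(domain, wordlist, resolve, max_depth=3):
    """Recursive spider: each confirmed subdomain becomes a new parent to brute force."""
    found = {}
    queue = [(domain, 0)]
    while queue:
        parent, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        bogus = wildcard_answers(parent, resolve)
        for word in wordlist:
            candidate = f"{word}.{parent}"
            answers = resolve(candidate)
            # No answer: does not exist. Same answer as the wildcard: a wildcard hit, not a host.
            if not answers or answers == bogus:
                continue
            if candidate not in found:
                found[candidate] = answers
                queue.append((candidate, depth + 1))
    return found


if __name__ == "__main__":
    for name, ips in sorted(enumerate_subdomains("example.com", WORDLIST, fake_resolve).items()):
        print(name, ",".join(sorted(ips)))
```

The equality test is deliberately strict: a wildcard that answers differently per query (geolocation-aware, as the v1.1 notes mention) defeats it, which is why SubBrute keeps a per-resolver wildcard blacklist rather than a single answer set.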

More Information
The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching sub-domains with regular expression and sorting by frequency of occurrence:
  • python subbrute.py -f full.html > my_subs.txt
names.txt contains 31298 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
No install required for Windows, just cd into the 'windows' folder:
  • subbrute.exe google.com
Easy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...
(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)
Under Ubuntu/Debian all you need is:
  • sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually:
http://www.dnspython.org/
Easy to use:
  • ./subbrute.py google.com
Tests multiple domains:
  • ./subbrute.py google.com gmail.com blogger.com
or a newline delimited list of domains:
  • ./subbrute.py -t list.txt
Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
  • ./subbrute.py gmail.com > gmail.out
  • ./subbrute.py -t gmail.out
Cheers!



An Extensible Generic UDP Packet Obfuscator - UDPack



UDPack is an extensible generic UDP packet obfuscator. The purpose of this application is to sit in the path of a UDP data stream, and obfuscate, deobfuscate or otherwise modify the packets.

Python 3.4 or above is required, since this script uses the asyncio library. Currently there are no other dependencies.


Warning: It must be stressed that the purpose of this application is obfuscation , not encryption . Many design decisions have been (and will be) deliberately made against best practices in cryptography, so in all likelihood the obfuscation methods will not resist crypto analysis. DO NOT rely on the obfuscation for confidentiality of your data!!!
At this stage the script includes the following "packers" (obfuscation methods):
  • Straight through: no obfuscation
  • Shuffle: shuffle the order of data bytes in each packet

Typical usage
A "packer" is a particular implementation of an obfuscation method, usually obfuscating packets travelling upstream and deobfuscating packets travelling downstream. An "unpacker" is the same thing, implemented in the opposite direction.
            raw data         obfuscated data           raw data
UDP Client ---------- Packer =============== Unpacker ---------- UDP server
upstream ==> <== downstream

Implementing new packers and unpackers
In most cases, to implement a new packer, simply inherit from UDPackStraightThroughPacker and implement pack and unpack methods. To implement the corresponding unpacker, inherit from UDPackUnpackerMixIn and the completed packer.
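To make the warning above concrete, here is a stand-alone shuffle packer of the kind the README describes, with the unpacker beside it and a check that shows why shuffling is not encryption. This is an added example and does not use UDPack's classes (UDPackStraightThroughPacker, UDPackUnpackerMixIn) or asyncio; the 4-byte nonce prefix, the key-derived permutation and the sample payload are all assumptions for illustration.

```python
import hashlib
import random
from collections import Counter


def _permutation(key, length, nonce):
    """Deterministic byte-order permutation derived from the shared key and a per-packet nonce."""
    seed = int.from_bytes(hashlib.sha256(key + nonce.to_bytes(4, "big")).digest(), "big")
    order = list(range(length))
    random.Random(seed).shuffle(order)
    return order


class ShufflePacker:
    """Prepends a 4-byte counter nonce and shuffles the payload's byte order. Obfuscation only."""

    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def pack(self, payload):
        nonce = self.counter & 0xFFFFFFFF
        self.counter += 1                      # fresh permutation per packet
        order = _permutation(self.key, len(payload), nonce)
        return nonce.to_bytes(4, "big") + bytes(payload[i] for i in order)

    def unpack(self, packet):
        nonce = int.from_bytes(packet[:4], "big")
        body = packet[4:]
        order = _permutation(self.key, len(body), nonce)
        out = bytearray(len(body))
        for dst, src in enumerate(order):      # body[dst] came from payload[src]
            out[src] = body[dst]
        return bytes(out)


def byte_histogram(data):
    """Byte frequencies: a permutation leaves these untouched, so plaintext statistics survive."""
    return Counter(data)


if __name__ == "__main__":
    key = b"shared-key"                        # constructed demo key
    message = b"hello world, this is a UDP payload"   # constructed demo payload
    packet = ShufflePacker(key).pack(message)
    print("packed  :", packet[4:])
    print("unpacked:", ShufflePacker(key).unpack(packet))
    print("same byte histogram as plaintext:", byte_histogram(packet[4:]) == byte_histogram(message))
```

The last line is the point of the README's warning: an observer who never learns the key still sees exactly which bytes, and how many of each, are in every datagram, so protocol fingerprinting and frequency analysis work as if there were no obfuscation at all.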




Sunday, August 21, 2016

Finding WordPress Vulnerabilities - Using WPScan



When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of vulnerabilities.
This time we are going to dive into how to use WPScan with the most basic commands.

Updating WP Scan

You should always update WPScan to leverage the latest database before you scan your website for vulnerabilities.
Open Terminal and change your directory to the wpscan folder we downloaded in the first tutorial:
cd wpscan
From this directory we can run a command to pull the latest update from Github, and then another command to update the database.
git pull
ruby wpscan.rb --update
You will see the WPScan logo and a note that the database update has completed successfully.


    WP Scan Database Update in Terminal

Scanning for Vulnerabilities

Next we are going to point the WPScan application at your WordPress website. With a few commands we can check your website for vulnerable themes, plugins, and users. This will let you know if your website has a high risk of becoming infected. From there you can take steps to secure your site by updating or disabling the security problems.
WPScan commands will always start with ruby wpscan.rb followed by your website URL.
ruby wpscan.rb --url http://yourwebsite.com
Running the basic command above will perform a quick scan of the website to identify your active theme and basic issues, such as exposed WordPress version numbers. You can also look for specific vulnerabilities by adding arguments to the end of this basic command.
Checking for Vulnerable Plugins
Adding the --enumerate vp argument checks the WordPress website for vulnerable plugins.
ruby wpscan.rb --url http://yourwebsite.com --enumerate vp
If vulnerable plugins are found you will see red exclamation icons and references to further information. Any vulnerable plugin should be replaced and removed if you cannot update it to patch the vulnerability.
Checking for Vulnerable Themes
Similarly, adding --enumerate vt to the command checks the WordPress website for vulnerable themes.
ruby wpscan.rb --url http://yourwebsite.com --enumerate vt
As with plugins, look for red exclamation icons and URLs with more information. Any vulnerable theme should be replaced and removed if you cannot update it to patch the vulnerability.
Checking User Enumeration
When hackers know your WordPress usernames it becomes easier for them to perform a successful brute force attack. If attackers gain access to one of your users with sufficient permissions, they can gain control of your WordPress installation.
To find out the login names of users on your WordPress website, add the --enumerate u argument at the end of the command.
ruby wpscan.rb --url http://yourwebsite.com --enumerate u
Ideally you should not be able to list the login names of your WordPress users.
If you have a Website Firewall or a plugin that stops WPScan, you may see an error like this:


WPScan stopped by CloudProxy WAF

It is always best to use a different nickname than the one used to login and some .htaccess solutions also exist for preventing user enumeration.
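The author-ID check is the simplest of the techniques behind --enumerate u: request /?author=1, /?author=2, ... and read the login either from the redirect to /author/<login>/ or from the body class of the author archive. The following added example (not WPScan's code) shows that check against two constructed sites, one that leaks and one where the author query has been blocked by a rule such as the .htaccess approach mentioned above; the response tables and hostnames are assumptions, and HTTP is replaced by an injectable get() so it runs offline.

```python
import re

# Constructed responses standing in for a live WordPress site (assumption).
# Each entry: request path -> (status, headers, body).
LEAKY_SITE = {
    "/?author=1": (301, {"Location": "http://yourwebsite.com/author/admin/"}, ""),
    "/?author=2": (200, {}, '<body class="archive author author-editor author-2">'),
    "/?author=3": (404, {}, "<html>Not found</html>"),
}
# The same site after author-ID queries are refused outright.
HARDENED_SITE = {
    "/?author=1": (403, {}, "Forbidden"),
    "/?author=2": (403, {}, "Forbidden"),
}

AUTHOR_URL_RE = re.compile(r"/author/([^/?#]+)/?")
AUTHOR_BODY_RE = re.compile(r"\bauthor-([a-z0-9_.-]+)\s+author-\d+\b", re.I)


def make_get(site):
    """Return a get(path) function that answers from a constructed response table."""
    def get(path):
        return site.get(path, (404, {}, ""))
    return get


def login_from_response(status, headers, body):
    """Extract a login name from an author-archive redirect or from the archive body class."""
    if status in (301, 302):
        m = AUTHOR_URL_RE.search(headers.get("Location", ""))
        if m:
            return m.group(1)
    if status == 200:
        m = AUTHOR_BODY_RE.search(body)
        if m:
            return m.group(1)
    return None


def enumerate_users(get, max_id=10):
    """Walk author IDs 1..max_id and collect every login the site gives away."""
    users = {}
    for uid in range(1, max_id + 1):
        status, headers, body = get(f"/?author={uid}")
        login = login_from_response(status, headers, body)
        if login:
            users[uid] = login
    return users


if __name__ == "__main__":
    print("leaky   :", enumerate_users(make_get(LEAKY_SITE)))
    print("hardened:", enumerate_users(make_get(HARDENED_SITE)))
```

An empty result from the hardened table is the state you want to see; note that blocking ?author= alone does not cover every enumeration path WPScan knows about, so re-run the full --enumerate u after any change.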
Password Guessing
Now we are going to try a number of passwords. If you have a list of passwords, WPScan can use the list to try logging in to each user account that it finds. This way you can see if any of your users are practicing poor password habits.
You can create or gather a wordlist, which is just a text file with passwords on each line. Hackers have huge collections of passwords but you can make a simple text document containing a decent number of top passwords. The file just needs to be placed in your wpscan directory so that the WPScan application can easily use it.
When you have the wordlist file in the WPScan directory, you can add the –wordlist argument along with the name of the wordlist file. You can also specify the number of threads to use at the same time to process the list. Depending on the length of the wordlist, it could take a lot of time or computer resources to complete.
ruby wpscan.rb --url http://yourwebsite.com --wordlist passwords.txt --threads 50



Auto Scanning to SSL Vulnerability - A2SV


[Auto Scanning to SSL Vulnerability]
[By Hahwul / www.hahwul.com]

1. A2SV?
Auto Scanning to SSL Vulnerability.
HeartBleed, CCS Injection, SSLv3 POODLE, FREAK... etc

A. Support Vulnerability


[CVE-2014-0160] HeartBleed
[CVE-2014-0224] CCS Injection
[CVE-2014-3566] SSLv3 POODLE
[CVE-2015-0204] FREAK Attack
[CVE-2015-4000] LOGJAM Attack
B. Dev Plan


[DEV] DROWN Attack
[PLAN] SSL ACCF

2. How to Install?
A. Download(clone) & Unpack A2SV
git clone https://github.com/hahwul/a2sv.git
cd a2sv
B. Install Python Package / OpenSSL


pip install argparse
pip install netaddr

apt-get install openssl
C. Run A2SV


python a2sv.py -h

3. How to Use?
usage: a2sv.py [-h] [-t TARGET] [-p PORT] [-m MODULE] [-v]
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Target URL/IP Address
-p PORT, --port PORT Custom Port / Default: 443
-m MODULE, --module MODULE
Check SSL Vuln with one module
[h]: HeartBleed
[c]: CCS Injection
[p]: SSLv3 POODLE
[f]: OpenSSL FREAK
[l]: OpenSSL LOGJAM
-u, --update Update A2SV (GIT)
-v, --version Show Version
[Scan SSL Vulnerability]


python a2sv.py -t 127.0.0.1
python a2sv.py -t 127.0.0.1 -m heartbleed
python a2sv.py -t 127.0.0.1 -p 8111
[Update A2SV]


python a2sv.py -u
python a2sv.py --update
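Of the checks A2SV runs, the SSLv3 POODLE test is the easiest to show end to end: send a ClientHello that offers only SSLv3 and CBC cipher suites, and see whether the server answers with an SSLv3 ServerHello (vulnerable) or an alert (rejected). The following is an added example, not A2SV's code or the Poodle-Checker it references; the record layout follows the SSL 3.0 specification, the fixed all-zero client random and the cipher suite list are assumptions for a demo, and the live probe_sslv3() needs network access while the builder and classifier can be exercised offline on constructed replies.

```python
import socket
import struct

SSLV3 = b"\x03\x00"
# SSLv3-era CBC suites: RSA with 3DES-CBC, AES128-CBC and AES256-CBC (constructed list).
CBC_SUITES = (0x000A, 0x002F, 0x0035)


def build_client_hello(version=SSLV3, suites=CBC_SUITES):
    """Build a minimal record-layer ClientHello advertising `version` and the given suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = version
    body += b"\x00" * 32                          # client random (fixed for the demo; use os.urandom live)
    body += b"\x00"                               # session id length 0
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns to the SSLv3-only ClientHello."""
    if len(data) < 5:
        return "no_response"
    content_type = data[0]
    if content_type == 0x15:                      # Alert (handshake_failure / protocol_version)
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake: ServerHello
        return "sslv3_accepted" if data[9:11] == SSLV3 else "other_version"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Live probe: connect, send the ClientHello, classify the reply (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe_sslv3(target))
```

"sslv3_accepted" is the POODLE condition (SSLv3 with a CBC suite); servers that have disabled SSLv3 answer with a protocol_version or handshake_failure alert, and a server that honours TLS_FALLBACK_SCSV will refuse the downgrade even when the client pretends to be old.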

4. Support
Contact hahwul@gmail.com


5. Screenshot



6. Code Reference Site
poodle : https://github.com/supersam654/Poodle-Checker
heartbleed : https://github.com/sensepost/heartbleed-poc
ccs injection : https://github.com/Tripwire/OpenSSL-CCS-Inject-Test
freak : https://gist.github.com/martinseener/d50473228719a9554e6a




Saturday, August 20, 2016

Web Spidering Framework - Malspider

Malspider is a web spidering framework that inspects websites for characteristics of compromise. Malspider has three purposes:
  • Website Integrity Monitoring: monitor your organization’s website (or your personal website) for potentially malicious changes.
  • Generate Threat Intelligence: keep an eye on previously compromised sites, currently compromised sites, or sites that may be targeted by various threat actors.
  • Validate Web Compromises: Is this website still compromised?

What can Malspider detect?

Malspider has built-in detection for characteristics of compromise like hidden iframes, reconnaissance frameworks, VBScript injection, email address disclosure, etc.
As we find more we will continue to add classifications to this tool, and we hope you will do the same. Malspider will be a much better tool if CIRT teams and security practitioners around the world contribute to the project (ciscocsirt on GitHub).


Prerequisites

Please make sure these technologies are installed before continuing:
  • Python 2.7.6
  • Updated version of pip
  • mysql
Note: If your server already has specific versions of these components installed, you can use a virtualenv to create an isolated python environment.
Tested and working on minimal installations of:
  • Ubuntu 14
  • CentOS 6
  • CentOS 7

Installation

Start the installation process by running “./quick_install” from the command line. Please read the prompts carefully!!
Malspider comes with a quick_install script found in the root directory. This script attempts to make the installation process as painless as possible by completing the following steps:
  1. Install Database: creates a database titled ‘malspider’, creates a new mysql user, and applies db schema.
  2. Install Dependencies: installs ALL dependencies and modules required by Malspider.
  3. Django Migrations: applies django migrations to the database (necessary for the web app).
  4. Create Web Admin User: creates an administrative user for the web application.
  5. Add Access Control: creates iptables rules to block port 6802 (used by the daemon) and open port 8080 (web app).
  6. Add Cronjobs: creates crontab entries to schedule jobs, analyze data, and purge the database after a period of time.
Note: The quick_install script uses scripts found under the install/ directory. If any of the above steps fail you can attempt to complete them manually using those scripts.

Start

Start Malspider by running “./quick_start” from the command line. Malspider comes with a quick_start script found in the root directory. This script attempts to start the daemon and the web application. Malspider can be accessed from your browser on port 8080 @ http://0.0.0.0:8080
Interaction with Malspider happens via an easy-to-use dashboard accessible through your web browser. The dashboard enables you to view alerts, inspect injected code, add websites to monitor, and tune false positives. You can add websites you want to crawl by navigating to the administrative panel @ http://0.0.0.0:8080/admin (or by clicking on the admin link from the dashboard). Click on "Organizations" and add a new Organization. You'll be prompted for the:
  • website name (ie. “Cisco Systems”)
  • domain (ie. cisco.com)
  • industry/org category (ie. Energy, Political, Education, etc)
By default, Malspider crawls 20 pages per domain. This can be changed. You can crawl as many pages as you like (per domain) or you can crawl only the homepage of each site.

Malspider randomly selects a user agent string from a list found at malspider/resources/useragents.txt. If you would like to add more user agents to the list, simply edit that text file.

Malspider also has built-in capabilities for taking screenshots of every page it crawls. Screenshots can be useful in a variety of situations, but they cause a drastic increase in server disk usage, so screenshots are turned off by default. Email address detection is also off by default.

Malspider crawls websites and stores information about those sites in a database. The data in the database is post-processed and analyzed for potentially malicious characteristics. You can view results from the analyzer by viewing the dashboard and clicking on "View Alerts". The database can grow rather large very quickly; for performance reasons it is recommended that you delete data from the 'pages' table and the 'elements' table once per month.




Friday, August 19, 2016

Passive DNS V2 - pDNS2



pDNS2 is yet another implementation of a passive DNS tool, using Redis as the database. pDNS2 means 'passive DNS version 2' and favors query speed over other database features. pDNS2 is based on Florian Weimer's original dnslogger, with improved features for speed and specialization for analysts.

REQUIREMENTS
Redis http://redis.io/
Redis API https://github.com/andymccurdy/redis-py
wireshark full install http://www.wireshark.org/

GETTING STARTED
This version has two simple Python scripts: pdns2_collect.py collects DNS traffic, and pdns2_query.py queries the database.
  1. Ensure Wireshark's tshark is working and can capture on the desired interface or read pcap files.
  2. Run redis-server listening on local port 6379.
  3. Run pdns2_collect.py with -i for an interface or -p for a pcap file.
  4. Once collection is working, try pdns2_query.py with the options available.
Below we simply use a wildcard with -d to list every domain.
Sample query: python pdns2_query.py -d *
Domain            ips             first     date      rr     ttl    count
w2.eff.org        69.50.232.52    20120524  20120524  CNAME  300    3
web5.eff.org      69.50.232.52    20120524  20120524  A      300    3
slashdot.org      216.34.181.45   20120524  20120524  A      2278   1
csi.gstatic.com   74.125.143.120  20120524  20120524  A      300    1
ssl.gstatic.com   74.125.229.175  20120524  20120524  A      244    1
xkcd.com          107.6.106.82    20120524  20120524  A      600    1
imgs.xkcd.com     69.9.191.19     20120524  20120524  CNAME  418    1
www.xkcd.com      107.6.106.82    20120524  20120524  CNAME  600    1
craphound.com     204.11.50.137   20120524  20120524  A      861    1
www.youtube.com   173.194.37.4    20120524  20120524  CNAME  81588  1

pDNS2 commands
DOMAIN EXAMPLES
arguments:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
-i IP, --ip IP
-da DATE, --date DATE
-ips IP_SNIFF, --ip_sniff IP_SNIFF
-ttl TTL, --ttl TTL
-rr RRECORD, --rrecord RRECORD
-l LOCAL, --local LOCAL
-ac ACOUNT, --acount ACOUNT
-c COUNT, --count COUNT
-ipf IP_FLUX, --ip_flux IP_FLUX
-ipr IP_REVERSE, --ip_reverse IP_REVERSE


-d *example.com seeks all domains that end with example.com
-i 1.1.1.1 ip address search
-ttl 0 use a number like 0 or 100 to get all the TTL of a specific value search is based on domain not IP
-ac *example.com return by query, counts of counts (usage), or 'hits' for the domains in order, *.google.com or *.com are examples

-l search entire database local resolved IP addresses that resolve to 127.0.0.1 etc.
-ipf *.com return a COUNT of domains in the IP space for each instance of a domain, use with ip_reverse
-ipr * seattletimes.com use with ip_flux, enumerate domains in the IP space

-ips 192.168.1.1 search the domain space for a specific IP address, different from searching by IP
-da 20130101 return all records by date

ADMINISTRATIVE
delete_key('Domain:*delete*') Dangerous command, deletes a key, must use the entire key such as Domain: or IP:
raw_record('Domain:xalrbngb-0.t.nessus.org') view the raw record properties (no wildcards) use full key name
pDNS2 tracks current state and last known, it is a snapshot of organization perception, not a log.
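The record shape in the sample output (first, date, rr, ttl, count) and the "snapshot, not a log" rule above are the whole data model, so here it is as a small in-memory store that answers the -d, -i, -ttl and -ipf style questions. This is an added example, not pDNS2's code and not backed by Redis: the Domain:/IP: key naming follows the administrative commands on this page, the observations are constructed (including a fabricated fast-flux name under example.net to give -ipf something to count), and the first-seen/last-seen/count update logic is an assumption about how such a snapshot should be maintained.

```python
from collections import defaultdict
from fnmatch import fnmatch


class PassiveDNSStore:
    """In-memory stand-in for pDNS2's Redis keys: Domain:<name> holds one record per resolved
    IP (current state plus first/last seen and a hit count); IP:<addr> holds the domains seen."""

    def __init__(self):
        self.domains = {}                 # "Domain:<name>" -> {ip: record}
        self.ips = defaultdict(set)       # "IP:<addr>"     -> {domain, ...}

    def observe(self, domain, ip, rr, ttl, date):
        """Fold one DNS answer into the snapshot: update last-seen, current rr/ttl and count."""
        recs = self.domains.setdefault(f"Domain:{domain}", {})
        rec = recs.get(ip)
        if rec is None:
            recs[ip] = {"first": date, "date": date, "rr": rr, "ttl": ttl, "count": 1}
        else:
            rec["date"] = max(rec["date"], date)     # YYYYMMDD strings compare chronologically
            rec["rr"], rec["ttl"] = rr, ttl           # latest observed state, not history
            rec["count"] += 1
        self.ips[f"IP:{ip}"].add(domain)

    def query_domain(self, pattern):
        """-d style: glob over domain names, e.g. '*example.com'. Rows match the CLI's columns."""
        rows = []
        for key, recs in self.domains.items():
            name = key[len("Domain:"):]
            if fnmatch(name, pattern):
                for ip, r in recs.items():
                    rows.append((name, ip, r["first"], r["date"], r["rr"], r["ttl"], r["count"]))
        return sorted(rows)

    def query_ip(self, ip):
        """-i style: every domain that has resolved to this address."""
        return sorted(self.ips.get(f"IP:{ip}", set()))

    def query_ttl(self, ttl):
        """-ttl style: domains whose current record carries exactly this TTL."""
        return sorted({row[0] for row in self.query_domain("*") if row[5] == ttl})

    def ip_flux(self, pattern):
        """-ipf style: number of distinct IPs each matching domain has pointed at."""
        seen = defaultdict(set)
        for name, ip, *_ in self.query_domain(pattern):
            seen[name].add(ip)
        return {name: len(ips) for name, ips in seen.items()}


# Constructed observations (assumption); the xkcd/slashdot rows echo the sample output above.
SAMPLE_ANSWERS = [
    ("xkcd.com",        "107.6.106.82",  "A",     600,  "20120524"),
    ("www.xkcd.com",    "107.6.106.82",  "CNAME", 600,  "20120524"),
    ("www.xkcd.com",    "107.6.106.82",  "CNAME", 600,  "20120525"),
    ("slashdot.org",    "216.34.181.45", "A",     2278, "20120524"),
    ("bad.example.net", "198.51.100.11", "A",     0,    "20120524"),
    ("bad.example.net", "198.51.100.12", "A",     0,    "20120524"),
    ("bad.example.net", "198.51.100.13", "A",     0,    "20120525"),
]


def build_store(answers=SAMPLE_ANSWERS):
    store = PassiveDNSStore()
    for domain, ip, rr, ttl, date in answers:
        store.observe(domain, ip, rr, ttl, date)
    return store


if __name__ == "__main__":
    store = build_store()
    print(f"{'Domain':18s}{'ips':16s}{'first':10s}{'date':10s}{'rr':7s}{'ttl':6s}count")
    for name, ip, first, date, rr, ttl, count in store.query_domain("*"):
        print(f"{name:18s}{ip:16s}{first:10s}{date:10s}{rr:7s}{ttl:<6d}{count}")
    print("flux:", store.ip_flux("*.example.net"), "ttl 0:", store.query_ttl(0))
```

Low TTLs combined with a high -ipf count is the classic fast-flux signature, which is why the CLI pairs -ipf with -ipr to then list the other names sharing those addresses.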


AUTHOR
pDNS2 is developed and maintained by terraplex at gmail.com

Errata
This is the basic version, if interested in the more advanced versions or specialized versions that work with scapy, let me know.



Thursday, August 18, 2016

A Collection of Awesome Penetration Testing Resources - OffSec




A collection of awesome penetration testing resources
  • Online Resources
    • Penetration Testing Resources
    • Exploit development
    • Social Engineering Resources
    • Lock Picking Resources
  • Tools
    • Penetration Testing Distributions
    • Basic Penetration Testing Tools
    • Docker for Penetration Testing
    • Vulnerability Scanners
    • Network Tools
    • Wireless Network Tools
    • SSL Analysis Tools
    • Web exploitation
    • Hex Editors
    • Crackers
    • Windows Utils
    • Linux Utils
    • DDoS Tools
    • Social Engineering Tools
    • OSInt Tools
    • Anonymity Tools
    • Reverse Engineering Tools
    • CTF Tools
  • Books
    • Penetration Testing Books
    • Hackers Handbook Series
    • Network Analysis Books
    • Reverse Engineering Books
    • Malware Analysis Books
    • Windows Books
    • Social Engineering Books
    • Lock Picking Books
  • Vulnerability Databases
  • Security Courses
  • Information Security Conferences
  • Information Security Magazines
  • Awesome Lists
  • Contribution
  • License

Online Resources

Penetration Testing Resources
  • Metasploit Unleashed - Free Offensive Security metasploit course
  • PTES - Penetration Testing Execution Standard
  • OWASP - Open Web Application Security Project
Exploit development
Social Engineering Resources
Lock Picking Resources
Tools

Penetration Testing Distributions
  • Kali - A Linux distribution designed for digital forensics and penetration testing
  • ArchStrike - An Arch Linux repository for security professionals and enthusiasts
  • BlackArch - Arch Linux-based distribution for penetration testers and security researchers
  • NST - Network Security Toolkit distribution
  • Pentoo - Security-focused livecd based on Gentoo
  • BackBox - Ubuntu-based distribution for penetration tests and security assessments
  • Parrot - A distribution similar to Kali, with multiple architecture
Basic Penetration Testing Tools
  • Metasploit Framework - World's most used penetration testing software
  • Burp Suite - An integrated platform for performing security testing of web applications
  • ExploitPack - Graphical tool for penetration testing with a bunch of exploits
  • BeeF - The Browser Exploitation Framework Project
  • faraday - Collaborative Penetration Test and Vulnerability Management Platform
  • evilgrade - The update exploitation framework
  • commix - Automated All-in-One OS Command Injection and Exploitation Tool
  • routersploit - Automated penetration testing software for router
Docker for Penetration Testing
Vulnerability Scanners
  • Netsparker - Web Application Security Scanner
  • Nexpose - Vulnerability Management & Risk Management Software
  • Nessus - Vulnerability, configuration, and compliance assessment
  • Nikto - Web application vulnerability scanner
  • OpenVAS - Open Source vulnerability scanner and manager
  • OWASP Zed Attack Proxy - Penetration testing tool for web applications
  • Secapps - Integrated web application security testing environment
  • w3af - Web application attack and audit framework
  • Wapiti - Web application vulnerability scanner
  • WebReaver - Web application vulnerability scanner for Mac OS X
  • DVCS Ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
  • arachni - Web Application Security Scanner Framework
Network Tools
  • nmap - Free Security Scanner For Network Exploration & Security Audits
  • pig - A Linux packet crafting tool
  • tcpdump/libpcap - A common packet analyzer that runs under the command line
  • Wireshark - A network protocol analyzer for Unix and Windows
  • Network Tools - Different network tools: ping, lookup, whois, etc
  • netsniff-ng - A Swiss army knife for network sniffing
  • Intercepter-NG - a multifunctional network toolkit
  • SPARTA - Network Infrastructure Penetration Testing Tool
  • dnschef - A highly configurable DNS proxy for pentesters
  • DNSDumpster - Online DNS recon and search service
  • dnsenum - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results
  • dnsmap - Passive DNS network mapper
  • dnsrecon - DNS Enumeration Script
  • dnstracer - Determines where a given DNS server gets its information from, and follows the chain of DNS servers
  • passivedns-client - Provides a library and a query tool for querying several passive DNS providers
  • passivedns - A network sniffer that logs all DNS server replies for use in a passive DNS setup
  • Mass Scan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • Zarp - Zarp is a network attack tool centered around the exploitation of local networks
  • mitmproxy - An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
  • mallory - HTTP/HTTPS proxy over SSH
  • Netzob - Reverse engineering, traffic generation and fuzzing of communication protocols
  • DET - DET is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time
  • pwnat - punches holes in firewalls and NATs
  • dsniff - a collection of tools for network auditing and pentesting
  • tgcd - a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
  • smbmap - a handy SMB enumeration tool
  • scapy - a python-based interactive packet manipulation program & library
Wireless Network Tools
  • Aircrack-ng - A set of tools for auditing wireless networks
  • Kismet - Wireless network detector, sniffer, and IDS
  • Reaver - Brute force attack against Wi-Fi Protected Setup
  • Wifite - Automated wireless attack tool
  • wifiphisher - Automated phishing attacks against Wi-Fi networks
SSL Analysis Tools
  • SSLyze - SSL configuration scanner
  • sslstrip - A demonstration of HTTPS stripping attacks
  • sslstrip2 - SSLStrip version to defeat HSTS
  • tls_prober - fingerprint a server's SSL/TLS implementation
Web exploitation
  • WPScan - Black box WordPress vulnerability scanner
  • SQLmap - Automatic SQL injection and database takeover tool
  • weevely3 - Weaponized web shell
  • Wappalyzer - Wappalyzer uncovers the technologies used on websites
  • cms-explorer - CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven websites are running.
  • joomscan - Joomla CMS scanner
  • WhatWeb - Website Fingerprinter
  • BlindElephant - Web Application Fingerprinter
  • fimap - Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs
  • Kadabra - Automatic LFI exploiter and scanner
  • Kadimus - LFI scan and exploit tool
  • liffy - LFI exploitation tool
Hex Editors
Crackers
Windows Utils
Linux Utils
DDoS Tools
  • LOIC - An open source network stress tool for Windows
  • JS LOIC - JavaScript in-browser version of LOIC
  • T50 - A fast network stress tool
Social Engineering Tools
  • SET - The Social-Engineer Toolkit from TrustedSec
OSInt Tools
  • Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
  • theHarvester - E-mail, subdomain and people names harvester
  • creepy - A geolocation OSINT tool
  • metagoofil - Metadata harvester
  • Google Hacking Database - a database of Google dorks; can be used for recon
  • Censys - Collects data on hosts and websites through daily ZMap and ZGrab scans
  • Shodan - Shodan is the world's first search engine for Internet-connected devices
  • ZoomEye - A cyberspace search engine for Internet-connected devices and websites using Xmap and Wmap
  • recon-ng - A full-featured Web Reconnaissance framework written in Python
  • github-dorks - CLI tool to scan GitHub repos/organizations for potential sensitive information leaks
Anonymity Tools
  • Tor - The free software for enabling onion routing online anonymity
  • I2P - The Invisible Internet Project
  • Nipe - Script to redirect all traffic from the machine to the Tor network.
Reverse Engineering Tools
  • IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
  • IDA Free - The freeware version of IDA v5.0
  • WDK/WinDbg - Windows Driver Kit and WinDbg
  • OllyDbg - An x86 debugger that emphasizes binary code analysis
  • Radare2 - Open-source, cross-platform reverse engineering framework.
  • x64_dbg - An open-source x64/x32 debugger for Windows.
  • Pyew - A Python tool for static malware analysis.
  • Bokken - GUI for Pyew and Radare2.
  • Immunity Debugger - A powerful new way to write exploits and analyze malware
  • Evan's Debugger - OllyDbg-like debugger for Linux
  • Medusa disassembler - An open source interactive disassembler
  • plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
CTF Tools
  • Pwntools - A framework for use in CTFs
Books

Penetration Testing Books
Hackers Handbook Series
Network Analysis Books
Reverse Engineering Books
Malware Analysis Books
Windows Books
Social Engineering Books
Lock Picking Books
Vulnerability Databases
Security Courses
Information Security Conferences
  • DEF CON - An annual hacker convention in Las Vegas
  • Black Hat - An annual security conference in Las Vegas
  • BSides - A framework for organising and holding security conferences
  • CCC - An annual meeting of the international hacker scene in Germany
  • DerbyCon - An annual hacker conference based in Louisville
  • PhreakNIC - A technology conference held annually in middle Tennessee
  • ShmooCon - An annual US east coast hacker convention
  • CarolinaCon - An infosec conference, held annually in North Carolina
  • HOPE - A conference series sponsored by the hacker magazine 2600
  • SummerCon - One of the oldest hacker conventions, held during Summer
  • Hack.lu - An annual conference held in Luxembourg
  • HITB - Deep-knowledge security conference held in Malaysia and The Netherlands
  • Troopers - Annual international IT Security event with workshops held in Heidelberg, Germany
  • Hack3rCon - An annual US hacker conference
  • ThotCon - An annual US hacker conference held in Chicago
  • LayerOne - An annual US security conference held every spring in Los Angeles
  • DeepSec - Security Conference in Vienna, Austria
  • SkyDogCon - A technology conference in Nashville
  • SECUINSIDE - Security Conference in Seoul
  • DefCamp - Largest Security Conference in Eastern Europe, held annually in Bucharest, Romania
  • AppSecUSA - An annual conference organised by OWASP
  • BruCON - An annual security conference in Belgium
  • Infosecurity Europe - Europe's number one information security event, held in London, UK
  • Nullcon - An annual conference in Delhi and Goa, India
  • RSA Conference USA - An annual security conference in San Francisco, California, USA
  • Swiss Cyber Storm - An annual security conference in Lucerne, Switzerland
  • Virus Bulletin Conference - An annual conference, held in Denver, USA in 2016
  • Ekoparty - Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
  • 44Con - Annual Security Conference held in London
  • BalCCon - Balkan Computer Congress, held annually in Novi Sad, Serbia
  • FSec - Croatian Information Security Gathering in Varaždin, Croatia
Information Security Magazines
Awesome Lists

OffensiveSec 2016