Linux-Smart-Enumeration – Linux Enumeration Tool For Pentesting And CTFs With Verbosity Levels

First, a couple of useful oneliners ;)

    wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
    curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh

linux-smart-enumeration: Linux enumeration tools for pentesting and CTFs

This project was inspired by https://github.com/rebootuser/LinEnum and uses many of its tests. Unlike LinEnum, lse tries to gradually expose the information depending on its importance from a privesc point of view.

What is it?

This script will show relevant information about the security of the local Linux system. It has 3 levels of verbosity so you can control how much information you see.

In the default level you should see the highly important security flaws in the system. Level 1 (./lse.sh -l1) shows interesting information that should help you to privesc. Level 2 (./lse.sh -l2) will just dump all the information it gathers about the system.

By default it will ask you some questions, mainly the current user's password (if you know it ;) so it can do some additional tests.

How to use it?

The idea is to get the information gradually.

First you should execute it just like ./lse.sh. If you see some green yes!, you probably already have some good stuff to work with.

If not, you should try the level 1 verbosity with ./lse.sh -l1 and you will see some more information that can be interesting.

If that does not help, level 2 will just dump everything you can gather about the service using ./lse.sh -l2. In this case you might find it useful to use ./lse.sh -l2 | less -r.

You can also select what tests to execute by passing the -s parameter. With it you can select specific tests or sections to be executed. For example ./lse.sh -l2 -s usr010,net,pro will execute the test usr010 and all the tests in the sections net and pro.

    Use: ./lse.sh [options]

    OPTIONS
      -c            Disable color
      -i            Non interactive mode
      -h            This help
      -l LEVEL      Output verbosity level
                      0: Show highly important results. (default)
                      1: Show interesting results.
                      2: Show all gathered information.
      -s SELECTION  Comma separated list of sections or tests to run.
                    Available sections:
                      usr: User related tests.
                      sud: Sudo related tests.
                      fst: File system related tests.
                      sys: System related tests.
                      sec: Security measures related tests.
                      ret: Recurrent tasks (cron, timers) related tests.
                      net: Network related tests.
                      srv: Services related tests.
                      pro: Processes related tests.
                      sof: Software related tests.
                      ctn: Container (docker, lxc) related tests.
                    Specific tests can be used with their IDs (i.e.: usr020,sud)

Is it pretty?

Usage demo (also available as a webm video), plus output samples for level 0 (default), level 1 and level 2 verbosity.

Download Linux-Smart-Enumeration

Link: http://feedproxy.google.com/~r/PentestTools/~3/c13R99XYWMg/linux-smart-enumeration-linux.html

0xsp-Mongoose – Privilege Escalation Enumeration Toolkit (ELF 64/32), Fast, Intelligent Enumeration With Web API Integration

Using 0xsp Mongoose you will be able to scan a targeted operating system for any possible way for privilege escalation attacks, from the information-collecting stage through to reporting the information via the 0xsp Web Application API. The user will be able to scan different Linux systems at the same time with high performance, without spending time looking through the terminal or a text file for what was found; Mongoose shortens this by allowing you to send the information directly into a web application with a friendly interface through an easy API endpoint.

The project is divided into two sections: server and agent.

The server has been coded in PHP (CodeIgniter). You need to install this application into your preferred environment; you can use it online or on your localhost, the user is free to choose. Contributions to enhance features are most welcome.

The agent has been coded as an ELF with Lazarus Free Pascal and will be released as 32- and 64-bit binaries. When executing the agent on the targeted system with all required parameters, the user is free to decide whether to communicate with the server app to store results and explore them easily, or to run the tool without the Web API connection.

Agent Usage

Make sure to give it executable permission: chmod +x agent

    ./agent -h    (display help instructions)
    -k  check kernel for commonly used privilege escalation exploits.
    -u  get information about users, groups and related information.
    -c  check cronjobs.
    -n  retrieve network information, interfaces, etc.
    -w  enumerate writeable files, dirs, SUID.
    -i  search for Bash, Python, MySQL, Vim, etc. history files.
    -f  search for sensitive config files accessible and private stuff.
    -o  connect to 0xsp Web Application.
    -p  show all processes running under root; check for vulnerable packages.
    -e  kernel inspection tool; it will help to search through the tool's databases for kernel vulnerabilities.
    -x  secret key to authorize your connection with the WebApp API (default is 0xsp).
    -a  display README.

Server Web App (must be like this: http://host/0xsp/)

Make sure to have at least PHP 5.6 or above; MySQL 5.6 is required. Make sure to add the web application on the root path / with the folder name 0xsp, as in http://localhost/0xsp/. The agent will not connect to it if it is not configured correctly. The agent will connect only in the following form:

    ./agent {SCAN OPTION} -o localhost -x secretkey

Examples with Web API

    ./agent -c -o localhost -x 0xsp      # enumerate CRON tasks and transfer results into the Web API
    ./agent -e -o localhost -x 0xsp      # intelligent exploit detector
    ./agent -c -e -o localhost -x 0xsp   # run two scans together and send found results directly
    ./agent -m -o 10.10.13.1 -x 0xsp     # run all scans together and export them to the Web API

Examples without Web API

    ./agent -c -k -p                     # run 3 scans at the same time without sending results to the Web API

Agent Features

- High performance and stability; output results are generated while executing, with no delays
- Ability to execute most functions with intelligent techniques
- Results are sent to a quick Web API
- Exception handling
- Inbuilt JSON data set of publicly disclosed exploits
- Fast as a mongoose

Download 0xsp-Mongoose

Link: http://feedproxy.google.com/~r/PentestTools/~3/I5pWurWr6Zw/0xsp-mongoose-privilege-escalation.html

Sn1per v7.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.

SN1PER PROFESSIONAL FEATURES:

- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Detailed host reports
- NMap HTML host reports
- Quick links to online recon tools and Google hacking queries
- Takeovers and Email Security
- HTML5 Notepad

ORDER SN1PER PROFESSIONAL:

To obtain a Sn1per Professional license, go to https://xerosecurity.com.

DEMO VIDEO:

SN1PER COMMUNITY FEATURES:

- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

EXPLOITS:

- Drupal RESTful Web Services unserialize() SA-CORE-2019-003
- Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
- Drupal: CVE-2018-7600: Remote Code Execution - SA-CORE-2018-002
- GPON Routers - Authentication Bypass / Command Injection CVE-2018-10561
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Apache Tomcat: Remote Code Execution (CVE-2017-12617)
- Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
- Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)
- Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
- Shellshock Bash Shell remote code execution CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
- MS08-067 Microsoft Server Service Relative Path Stack Corruption
- Webmin File Disclosure CVE-2006-3392
- VsFTPd 2.3.4 Backdoor
- ProFTPd 1.3.3C Backdoor
- MS03-026 Microsoft RPC DCOM Interface Overflow
- DistCC Daemon Command Execution
- JBoss Java De-Serialization
- HTTP Writable Path PUT/DELETE File Access
- Apache Tomcat User Enumeration
- Tomcat Application Manager Login Bruteforce
- Jenkins-CI Enumeration
- HTTP WebDAV Scanner
- Android Insecure ADB
- Anonymous FTP Access
- PHPMyAdmin Backdoor
- PHPMyAdmin Auth Bypass
- OpenSSH User Enumeration
- LibSSH Auth Bypass
- SMTP User Enumeration
- Public NFS Mounts

KALI LINUX INSTALL:

    bash install.sh

UBUNTU/DEBIAN/PARROT INSTALL:

    bash install_debian_ubuntu.sh

DOCKER INSTALL:

    docker build Dockerfile

USAGE:

    [*] NORMAL MODE
    sniper -t|--target <TARGET>

    [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
    sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce

    [*] STEALTH MODE + OSINT + RECON
    sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

    [*] DISCOVER MODE
    sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

    [*] FLYOVER MODE
    sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>

    [*] AIRSTRIKE MODE
    sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

    [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
    sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

    [*] SCAN ONLY SPECIFIC PORT
    sniper -t|--target <TARGET> -m port -p|--port <portnum>

    [*] FULLPORTONLY SCAN MODE
    sniper -t|--target <TARGET> -fp|--fullportonly

    [*] PORT SCAN MODE
    sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

    [*] WEB MODE - PORT 80 + 443 ONLY!
    sniper -t|--target <TARGET> -m|--mode web

    [*] HTTP WEB PORT HTTP MODE
    sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

    [*] HTTPS WEB PORT HTTPS MODE
    sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

    [*] WEBSCAN MODE
    sniper -t|--target <TARGET> -m|--mode webscan

    [*] ENABLE BRUTEFORCE
    sniper -t|--target <TARGET> -b|--bruteforce

    [*] ENABLE LOOT IMPORTING INTO METASPLOIT
    sniper -t|--target <TARGET>

    [*] LOOT REIMPORT FUNCTION
    sniper -w <WORKSPACE_ALIAS> --reimport

    [*] LOOT REIMPORTALL FUNCTION
    sniper -w <WORKSPACE_ALIAS> --reimportall

    [*] DELETE WORKSPACE
    sniper -w <WORKSPACE_ALIAS> -d

    [*] DELETE HOST FROM WORKSPACE
    sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh

    [*] SCHEDULED SCANS
    sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly

    [*] SCAN STATUS
    sniper --status

    [*] UPDATE SNIPER
    sniper -u|--update

MODES:

- NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts and IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- WEBSCAN: Launches a full HTTP & HTTPS web application scan via Burpsuite and Arachni.

SAMPLE REPORT:

https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per

Link: http://feedproxy.google.com/~r/PentestTools/~3/IoUOymJezTw/sn1per-v70-automated-pentest-framework.html

Reconerator – C# Targeted Attack Reconnaissance Tools

This is a custom .NET assembly which will perform a number of situational awareness activities. There are a number of current featuresets:

- BASIC - Obtains information from the disk and registry.
- LDAP - Allows customised AD LDAP queries to be made.
- RESOLVEHOST - Performs DNS lookup queries.
- INDEXSEARCH - Searches the Windows Indexing Service for local files and e-mails (filename and content).
- PROXYCHECK - Displays the proxy server that will be used when attempting to access a provided URL.
- PRIVESCCHECK - Identifies privilege escalation vectors.

The key point about this is that it is all implemented in raw .NET, so no PowerShell. It is configured and controlled by command line parameters, making it suitable for use with Beacon's execute-assembly directive.

BASIC

Overview

This obtains a number of pieces of information from the host. Be warned that there might be a LOT of output. It will display:

- All environment variables (API)
- The hostname, workgroup and Windows version number of the host (API)
- Word, Access, Excel, Publisher & Powerpoint Most Recently Used Documents for all versions installed (Registry)
- Word, Access, Excel, Publisher & Powerpoint Trusted Locations for all versions installed (Registry)
- Favourites (Bookmarks), extracting the URL from each bookmark. Could be interesting to easily find sharepoint/confluence/wiki/self service payroll etc. (Disk)
- Mapped drives, including the drive letter, description and remote location (WMI)
- Installed applications, for all users and for the specific user only (Registry)

Parameters

The verb 'basic' needs to be passed on the command line, followed by the specific check that is required. If the word 'all' is passed as the second parameter, every check will be performed.

    Check                  Description
    env                    Displays all of the environment variables.
    info                   Displays the IP address of the host and the major/minor OS version identifier.
    mru                    Searches various "most recently used" lists. These currently comprise the Run box history and the Office file and path MRU for all versions of Word, Excel, Powerpoint, Access, Publisher and Visio. It also displays the location of the special "Recent" folder.
    favourites             Displays the URLs stored in the favourites folder (which is basically the user's bookmarks). It currently does not support subfolders; I'll need to fix that.
    mappeddrives           Displays the network mapped drives from the user's session. Useful for quickly finding central file shares and home directories. If it is mapped, it probably contains useful data.
    installedapplications  Lists the applications that have been installed. This includes applications which have been installed as an admin (on the local machine) AND applications which have been installed by the current user. They are listed in different places in the registry.

Note that if 'all' is used, a 'proxycheck http://www.google.com' is automatically included. See the proxycheck section for details.

Examples

Perform all basic checks:

    beacon> execute-assembly /tmp/Reconerator.exe

or

    beacon> execute-assembly /tmp/Reconerator.exe basic all

Perform mru enumeration only:

    beacon> execute-assembly /tmp/Reconerator.exe basic mru

List the mapped drives only:

    beacon> execute-assembly /tmp/Reconerator.exe basic mappeddrives

OpSec

Reasonably safe. This is querying the system registry; it is unlikely to be monitored.

Limitations (and further work)

- You can't pick and choose what you want; it's all or nothing.
- Favourites do not recurse through directories.
- Missing a load of stuff.

LDAP

This allows you to perform an LDAP query. The easiest way of demonstrating this is by example.

Examples

This will show all users on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:

    beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 0

This will show a maximum of 5 users on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:

    beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 5

This will show all members of the domain admin group on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:

    beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "(&(objectClass=group)(cn=Domain Admins))" 0

This will show all members of the domain admin or enterprise admin groups on the domain 'dc=stufus,dc=lan' with W2012DC as a domain controller:

    beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2012DC/dc=stufus,dc=lan" "(&(objectClass=group)(|(cn=Enterprise Admins)(cn=Domain Admins)))" 0

OpSec

This will generate network traffic to the domain controller that you specify. For the avoidance of doubt, it uses LDAP (as opposed to RPC or similar), and ATA does not seem to pick it up at the moment (as of 15/06/18).

Limitations (and further work)

- It's a little untidy.
- It won't display anything that isn't a .NET string (needs more parsing).
- Can't specify specific fields/attributes to show.
- You need to work out the DC yourself (you can get that from the LOGONSERVER environment variable) and work out the DN yourself. I'll get round to retrieving that automatically at some point.

RESOLVEHOST

Overview

This performs a DNS query using the host's DNS server.

Example

Resolve www.google.com:

    beacon> execute-assembly /tmp/Reconerator.exe resolvehost www.google.com

OpSec

This will generate a DNS query to the domain controller, but it is unlikely that anything will raise this as an alert due to the sheer volume of legitimate DNS requests.

INDEXSEARCH

Overview

This allows you to interact with Windows Search (formerly the Windows Indexing Service), which will allow you to search for interesting files and folders (and their contents) really quickly. E-mails are usually indexed, but network folders are not, so it may not be perfect for searching users' home directories if they are stored remotely. However, it is very fast.

The interface to Windows Search is SQL-like; this implementation allows you to, in effect, specify the contents of the 'WHERE' clause. It is easiest to explain by example, but you will need to read MSDN if you want to know every possible criterion.

Examples

Find everything that has been indexed which contains the word 'password' in it somewhere (i.e. searches the contents of files and e-mails):

    beacon> execute-assembly /tmp/Reconerator.exe indexsearch "CONTAINS('password')"

Find everything that has been indexed which has the word 'stufus' in the path or filename somewhere:

    beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemPathDisplay LIKE '%stufus%'"

Find everything that has been indexed which has the word 'stufus' in the filename OR contains the word 'secret':

    beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemName LIKE '%stufus%' OR CONTAINS('secret')"

OpSec

I'm not aware of anything that would raise this as suspicious.

PROXYCHECK

Overview

This returns the proxy server that would be used to visit a given URL. This is to cope with the situation where there may be different proxies for different URLs, or various complex exclusions in place. The URL of interest is passed as a parameter.

Note that if 'basic all' is specified (see above), it automatically includes a proxycheck to http://www.google.com, on the assumption that most organisations have one outbound proxy for all non-internal internet access.

Examples

Display the proxy server which will be used when visiting www.google.com:

    beacon> execute-assembly /tmp/Reconerator.exe proxycheck www.google.com

Display the proxy server which will be used when visiting https://www.mwrinfosecurity.com:

    beacon> execute-assembly /tmp/Reconerator.exe proxycheck https://www.mwrinfosecurity.com

OpSec

This is a local activity and a legitimate one; I'm not aware of anything that would raise it as suspicious.

PRIVESCCHECK

Overview

This will explore a number of privilege escalation vectors and report on whether they are possible or not. Currently, that number is 1.

Much like the BASIC module above, privesccheck all can be specified on the command line to attempt all checks, or a specific check can be specified if required.

Parameters

The verb 'privesccheck' needs to be passed on the command line, followed by the specific check that is required. If the word 'all' is passed as the second parameter, every check will be performed.

    Check                  Description
    alwaysinstallelevated  Determine whether the 'AlwaysInstallElevated' key is set to 1 or not. If set, this will run any MSI file as a local administrator.

OpSec

    Check                  Notes
    alwaysinstallelevated  This is a local registry query; it is unlikely that anything will flag this as malicious.

Examples

Attempt all privilege escalation checks:

    beacon> execute-assembly /tmp/Reconerator.exe privesccheck all

Check whether the AlwaysInstallElevated registry key is set only:

    beacon> execute-assembly /tmp/Reconerator.exe privesccheck alwaysinstallelevated

Compiling

Compile this in Visual Studio 2017. It currently uses .NET v4. You can change that in the compilation preferences if you want to.

Download Reconerator

Link: http://feedproxy.google.com/~r/PentestTools/~3/ijyKtK7r7jk/reconerator-c-targeted-attack.html

Goscan – Interactive Network Scanner

GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of "screen", etc.), given that it fires scans and maintains their state in an SQLite database. Scans run in the background (detached from the main thread), so even if the connection to the box running GoScan is lost, results can be uploaded asynchronously (more on this below). That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.

Installation

Binary installation (Recommended)

Binaries are available from the Release page.

    # Linux (64bit)
    $ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_amd64.zip
    $ unzip goscan_2.3_linux_amd64.zip

    # Linux (32bit)
    $ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_386.zip
    $ unzip goscan_2.3_linux_386.zip

    # After that, place the executable in your PATH
    $ chmod +x goscan
    $ sudo mv ./goscan /usr/local/bin/goscan

Build from source

    $ git clone https://github.com/marco-lancini/goscan.git
    $ cd goscan/goscan/
    $ make setup
    $ make build

To create a multi-platform binary, use the cross command via make:

    $ make cross

Docker

    $ git clone https://github.com/marco-lancini/goscan.git
    $ cd goscan/
    $ docker-compose up --build

Usage

GoScan supports all the main steps of network enumeration:

1. Load targets
   - Add a single target via the CLI (must be a valid CIDR): load target SINGLE <CIDR>
   - Upload multiple targets from a text file or folder: load target MULTI <path-to-file>

2. Host Discovery
   - Perform a Ping Sweep: sweep <TYPE> <TARGET>
   - Or load results from a previous discovery:
     - Add a single alive host via the CLI (must be a /32): load alive SINGLE <IP>
     - Upload multiple alive hosts from a text file or folder: load alive MULTI <path-to-file>

3. Port Scanning
   - Perform a port scan: portscan <TYPE> <TARGET>
   - Or upload nmap results from XML files or folder: load portscan <path-to-file>

4. Service Enumeration
   - Dry Run (only show commands, without performing them): enumerate <TYPE> DRY <TARGET>
   - Perform enumeration of detected services: enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET>

5. Special Scans
   - EyeWitness: take screenshots of websites, RDP services, and open VNC servers (KALI ONLY): special eyewitness (EyeWitness.py needs to be in the system path)
   - Extract (Windows) domain information from enumeration data: special domain <users/hosts/servers>
   - DNS: enumerate DNS (nmap, dnsrecon, dnsenum): special dns DISCOVERY <domain>
   - Bruteforce DNS: special dns BRUTEFORCE <domain>
   - Reverse Bruteforce DNS: special dns BRUTEFORCE_REVERSE <domain> <base_IP>

Utils
   - Show results: show <targets/hosts/ports>
   - Automatically configure settings by loading a config file: set config_file <PATH>
   - Change the output folder (by default ~/goscan): set output_folder <PATH>
   - Modify the default nmap switches: set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES>
   - Modify the default wordlists: set_wordlists <FINGER_USER/FTP_USER/...> <PATH>

External Integrations

The Service Enumeration phase currently supports the following integrations:

    WHAT     INTEGRATION
    ARP      nmap
    DNS      nmap, dnsrecon, dnsenum, host
    FINGER   nmap, finger-user-enum
    FTP      nmap, ftp-user-enum, hydra [AGGRESSIVE]
    HTTP     nmap, nikto, dirb, EyeWitness, sqlmap [AGGRESSIVE], fimap [AGGRESSIVE]
    RDP      nmap, EyeWitness
    SMB      nmap, enum4linux, nbtscan, samrdump
    SMTP     nmap, smtp-user-enum
    SNMP     nmap, snmpcheck, onesixtyone, snmpwalk
    SSH      hydra [AGGRESSIVE]
    SQL      nmap
    VNC      EyeWitness

Download Goscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/QvZdo-L3mC8/goscan-interactive-network-scanner.html


LDAP_Search – Tool To Perform LDAP Queries And Enumerate Users, Groups, And Computers From Windows Domains

LDAP_Search can be used to enumerate Users, Groups, and Computers on a Windows Domain. Authentication can be performed using a traditional username and password, or an NTLM hash. In addition, this tool has been modified to allow brute force/password-spraying via LDAP. Ldap_Search makes use of Impacket's python36 branch to perform the main operations. (These are the guys that did the real heavy lifting and deserve the credit!)

Installation

  git clone --recursive https://github.com/m8r0wn/ldap_search
  cd ldap_search
  sudo chmod +x setup.sh
  sudo ./setup.sh

Usage

Enumerate all active users on a domain:
  python3 ldap_search.py users -u user1 -p Password1 -d demo.local

Lookup a single user and display field headings:
  python3 ldap_search.py users -q AdminUser -u user1 -p Password1 -d demo.local

Enumerate all computers on a domain:
  python3 ldap_search.py computers -u user1 -p Password1 -d demo.local

Search for end of life systems on the domain:
  python3 ldap_search.py computers -q eol -u user1 -p Password1 -d demo.local -s DC01.demo.local

Enumerate all groups on the domain:
  python3 ldap_search.py groups -u user1 -p Password1 -d demo.local -s 192.168.1.1

Query group members:
  python3 ldap_search.py groups -q "Domain Admins" -u user1 -p Password1 -d demo.local

Queries

Below are the query options that can be specified using the "-q" argument:

User
  active / [None] - All active users (Default)
  all - All users, even disabled
  [specific account or email] - lookup user, ex. "m8r0wn"

Group
  [None] - All domain groups
  [Specific group name] - lookup group members, ex. "Domain Admins"

Computer
  [None] - All Domain Computers
  eol - look for all end of life systems on domain

Options

positional arguments:
  lookup_type       Lookup Types: user, group, computer

optional arguments:
  -q QUERY          Specify user or group to query or use eol.
  -u USER           Single username
  -U USER           Users.txt file
  -p PASSWD         Single password
  -P PASSWD         Password.txt file
  -H HASH           Use Hash for Authentication
  -d DOMAIN         Domain (Ex. demo.local)
  -s SRV, -srv SRV  LDAP Server (optional)
  -t TIMEOUT        Connection Timeout (Default: 4)
  -v                Show Search Result Attribute Names
  -vv               Show Failed Logins & Errors

Download Ldap_Search
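The computer enumeration above, including the eol query, hands a defender a list of hosts that still has to be reviewed. The following is an added example, not code from Ldap_Search, that flags end-of-life and stale computer objects in such a result; it assumes the standard Active Directory attributes operatingSystem and lastLogonTimestamp, and the EOL name list and sample records are constructed for illustration.

```python
"""Flag end-of-life and stale hosts among enumerated computer objects.

Added example, not code from Ldap_Search. Assumes the standard Active
Directory attributes operatingSystem and lastLogonTimestamp; the EOL
prefix list and the sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# lastLogonTimestamp is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed list of OS name prefixes treated as end-of-life; maintain it as
# vendor support dates change. Prefix matching is deliberate, so
# "Windows Server 2003" also covers "Windows Server 2003 R2".
EOL_PREFIXES = ("Windows 2000", "Windows XP", "Windows Server 2003")


def filetime_to_datetime(filetime: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_eol(os_name: Optional[str]) -> bool:
    return bool(os_name) and os_name.strip().startswith(EOL_PREFIXES)


def review_computers(computers: List[Dict], now: datetime,
                     stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {"eol": [...], "stale": [...]} lists of computer names.
    lastLogonTimestamp replicates with a lag of up to about 14 days, so keep
    the threshold well above that; a missing value means no logon recorded."""
    result: Dict[str, List[str]] = {"eol": [], "stale": []}
    cutoff = now - timedelta(days=stale_days)
    for c in computers:
        name = c.get("name", "?")
        if is_eol(c.get("operatingSystem")):
            result["eol"].append(name)
        ts = c.get("lastLogonTimestamp")
        if ts is None or filetime_to_datetime(int(ts)) < cutoff:
            result["stale"].append(name)
    return result


# Constructed sample: a fixed "now" and four computer objects.
SAMPLE_NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"name": "DC01", "operatingSystem": "Windows Server 2016 Standard",
     "lastLogonTimestamp": datetime_to_filetime(SAMPLE_NOW - timedelta(days=1))},
    {"name": "FILESRV", "operatingSystem": "Windows Server 2003 R2",
     "lastLogonTimestamp": datetime_to_filetime(SAMPLE_NOW - timedelta(days=10))},
    {"name": "LEGACY-XP", "operatingSystem": "Windows XP Professional",
     "lastLogonTimestamp": datetime_to_filetime(SAMPLE_NOW - timedelta(days=400))},
    {"name": "WS-042", "operatingSystem": "Windows 10 Enterprise"},  # never logged on
]

if __name__ == "__main__":
    print(review_computers(SAMPLE_COMPUTERS, SAMPLE_NOW))
```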

Link: http://www.kitploit.com/2018/12/ldapsearch-tool-to-perform-ldap-queries.html

Sn1per v6.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Categorized host reports
- Quick links to online recon tools and Google hacking queries
- Personalized notes field for each host

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

AUTO-PWN:
- Drupal Drupalgedon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:
  ./install.sh

DOCKER INSTALL:
Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Example usage:
  $ docker pull menzo/sn1per-docker
  $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:

[*] NORMAL MODE
  sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON
  sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
  sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
  sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
  sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
  sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
  sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
  sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
  sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
  sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
  sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
  sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
  sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
  sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
  sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
  sniper -u|--update

MODES:
- NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- UPDATE: Checks for updates and upgrades all components used by sniper.
- REIMPORT: Reimport all workspace files into Metasploit and reproduce all reports.
- RELOAD: Reload the master workspace report.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per v5.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/RLWB_3_Wk9M/sn1per-v60-automated-pentest-framework.html

Censys Subdomain Finder – Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain that has ever been issued an SSL certificate by a public CA.

See it in action:

  $ python censys_subdomain_finder.py github.com
  [*] Searching Censys for subdomains of github.com
  [*] Found 42 unique subdomains of github.com in ~1.7 seconds
    - hq.github.com
    - talks.github.com
    - cla.github.com
    - github.com
    - cloud.github.com
    - enterprise.github.com
    - help.github.com
    - collector-cdn.github.com
    - central.github.com
    - smtp.github.com
    - cas.octodemo.github.com
    - schrauger.github.com
    - jobs.github.com
    - classroom.github.com
    - dodgeball.github.com
    - visualstudio.github.com
    - branch.github.com
    - www.github.com
    - edu.github.com
    - education.github.com
    - import.github.com
    - styleguide.github.com
    - community.github.com
    - server.github.com
    - mac-installer.github.com
    - registry.github.com
    - f.cloud.github.com
    - offer.github.com
    - helpnext.github.com
    - foo.github.com
    - porter.github.com
    - id.github.com
    - atom-installer.github.com
    - review-lab.github.com
    - vpn-ca.iad.github.com
    - maintainers.github.com
    - raw.github.com
    - status.github.com
    - camo.github.com
    - support.enterprise.github.com
    - stg.github.com
    - rs.github.com

Setup

Register an account (free) on https://censys.io/register

Browse to https://censys.io/account, and set two environment variables with your API ID and API secret:
  $ export CENSYS_API_ID=...
  $ export CENSYS_API_SECRET=...

Clone the repository:
  $ git clone https://github.com/christophetd/censys-subdomain-finder.git

Install the dependencies:
  $ cd censys-subdomain-finder
  $ pip install -r requirements.txt

Run the script on example.com to make sure everything works as expected:
  $ python censys_subdomain_finder.py example.com
  [*] Searching Censys for subdomains of example.com
  [*] Found 5 unique subdomains of example.com
    - products.example.com
    - www.example.com
    - dev.example.com
    - example.com
    - support.example.com

Usage

  usage: censys_subdomain_finder.py [-h] [-o OUTPUT_FILE]
                                    [--censys-api-id CENSYS_API_ID]
                                    [--censys-api-secret CENSYS_API_SECRET]
                                    domain

  positional arguments:
    domain                The domain to scan

  optional arguments:
    -h, --help            show this help message and exit
    -o OUTPUT_FILE, --output OUTPUT_FILE
                          A file to output the list of subdomains to (default: None)
    --censys-api-id CENSYS_API_ID
                          Censys API ID. Can also be defined using the CENSYS_API_ID environment variable (default: None)
    --censys-api-secret CENSYS_API_SECRET
                          Censys API secret. Can also be defined using the CENSYS_API_SECRET environment variable (default: None)

Compatibility

Should run on Python 2.7 and 3.5.

Notes

The Censys API has a rate limit of 120 queries per 5 minute window. Each invocation of this tool makes exactly one API call to Censys.

Feel free to open an issue or to tweet @christophetd for suggestions or remarks.

Download Censys-Subdomain-Finder
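The step that turns certificate names into the de-duplicated subdomain list shown above, as an added example that is not code from censys-subdomain-finder. The input records and their "cn"/"san" field names are constructed for illustration, not the Censys API schema; the example also handles wildcard names, mixed case, trailing dots and lookalike domains that a naive suffix match would get wrong.

```python
"""Extract the unique subdomains of a target domain from certificate names.

Added example, not code from censys-subdomain-finder. The records below are
constructed to resemble what a Certificate Transparency search returns (a
subject common name plus subject alternative names); the field names "cn"
and "san" are an assumption, not the Censys API schema.
"""
from typing import Dict, Iterable, List

# Constructed sample certificates, one dict per certificate.
SAMPLE_CERTS: List[Dict] = [
    {"cn": "www.example.com", "san": ["example.com", "WWW.Example.com."]},
    {"cn": "*.dev.example.com", "san": ["*.dev.example.com", "api.dev.example.com"]},
    {"cn": "mail.example.com", "san": ["mail.example.com", "mail.example.net"]},
    {"cn": "notexample.com", "san": ["www.notexample.com"]},  # lookalike domain
    {"cn": "support.example.com", "san": []},
]


def normalize_name(name: str) -> str:
    """Lower-case, strip a trailing dot, and drop a leading wildcard label.

    A wildcard certificate for *.dev.example.com still shows that the
    dev.example.com zone exists, so that label is kept without the '*'.
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def belongs_to(name: str, domain: str) -> bool:
    """True for the domain itself or any subdomain, matching on a label
    boundary so notexample.com is not mistaken for a subdomain of example.com."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_certs(certs: Iterable[Dict], domain: str) -> List[str]:
    """Collect every name in the certificates that belongs to the domain."""
    domain = normalize_name(domain)
    found = set()
    for cert in certs:
        for raw in [cert.get("cn", "")] + list(cert.get("san", [])):
            if not raw:
                continue
            name = normalize_name(raw)
            if belongs_to(name, domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    target = "example.com"
    names = subdomains_from_certs(SAMPLE_CERTS, target)
    print(f"[*] Found {len(names)} unique subdomains of {target}")
    for n in names:
        print(f"  - {n}")
```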

Link: http://feedproxy.google.com/~r/PentestTools/~3/bPFQtNdU4Fw/censys-subdomain-finder-perform.html

Sandsifter – The X86 Processor Fuzzer

The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor's instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.

With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.

To run a basic audit against your processor:
  sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

The computer is systematically scanned for anomalous instructions. In the upper half, you can view the instructions that the sandsifter is currently testing on the processor. In the bottom half, the sandsifter reports anomalies it finds.

The search will take from a few hours to a few days, depending on the speed and complexity of your processor. When it is complete, summarize the results:
  ./summarize.py data/log

Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:
- Software bug (for example, a bug in your hypervisor or disassembler),
- Hardware bug (a bug in your CPU), or
- Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

Press 'Q' to quit and obtain a text based summary of the system scan.

The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis. For help analyzing your results, feel free to send the ./data/log file to xoreaxeaxeax@gmail.com. No personal information, other than the processor make, model, and revision (from /proc/cpuinfo), is included in this log.

Results

Scanning with the sandsifter has uncovered undocumented processor features across dozens of opcode categories, flaws in enterprise hypervisors, bugs in nearly every major disassembly and emulation tool, and critical hardware bugs opening security vulnerabilities in the processor itself.

Details of the results can be found in the project whitepaper.
(TODO: detailed results enumeration here)

Building

Sandsifter requires first installing the Capstone disassembler: http://www.capstone-engine.org/. Capstone can typically be installed with:
  sudo apt-get install libcapstone3 libcapstone-dev
  sudo pip install capstone

Sandsifter can be built with:
  make
and is then run with
  sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Flags

Flags are passed to the sifter with --flag, and to the injector with -- -f.
Example:
  sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Sifter flags:
  --len      search for length differences in all instructions (instructions that executed differently than the disassembler expected, or did not exist when the disassembler expected them to)
  --dis      search for length differences in valid instructions (instructions that executed differently than the disassembler expected)
  --unk      search for unknown instructions (instructions that the disassembler doesn't know about but successfully execute)
  --ill      the inverse of --unk, search for invalid disassemblies (instructions that do not successfully execute but that the disassembler acknowledges)
  --tick     periodically write the current instruction to disk
  --save     save search progress on exit
  --resume   resume search from last saved state
  --sync     write search results to disk as they are found
  --low-mem  do not store results in memory

Injector flags:
  -b              mode: brute force
  -r              mode: randomized fuzzing
  -t              mode: tunneled fuzzing
  -d              mode: externally directed fuzzing
  -R              raw output mode
  -T              text output mode
  -x              write periodic progress to stderr
  -0              allow null dereference (requires sudo)
  -D              allow duplicate prefixes
  -N              no nx bit support
  -s seed         in random search, seed value
  -B brute_depth  in brute search, maximum search depth
  -P max_prefix   maximum number of prefixes to search
  -i instruction  instruction at which to start search (inclusive)
  -e instruction  instruction at which to end search (exclusive)
  -c core         core on which to perform search
  -X blacklist    blacklist the specified instruction
  -j jobs         number of simultaneous jobs to run
  -l range_bytes  number of base instruction bytes in each sub range

Keys
  m: Mode - change the search mode (brute force, random, or tunnel) for the sifter
  q: Quit - exit the sifter
  p: Pause - pause or unpause the search

Algorithms

The scanning supports four different search algorithms, which can be set at the command line, or cycled via hotkeys.
- Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.
- Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.
- Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.
- Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.

Tips

sudo
For best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis.

Prefixes
The primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag.

Colors
The interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with:
  export TERM='xterm-256color'

GUI
The interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size; this can often be accomplished by decreasing the terminal font size.

In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly:
  sudo ./injector -P1 -t -0

To filter the results of a direct injector invocation, grep can be used. For example,
  sudo ./injector -P1 -r -0 | grep '\.r' | grep -v sigill
searches for instructions for which the processor and disassembler disagreed on the instruction length (grep '\.r'), but the instruction successfully executed (grep -v sigill).

Targeted fuzzing
In many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated 'lock' prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags:
  sudo ./sifter.py --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15

Legacy systems
For scanning much older systems (i586 class processors, low memory systems), pass the --low-mem flag to the sifter and the -N flag to the injector:
  sudo ./sifter.py --unk --dis --len --sync --tick --low-mem -- -P1 -t -N
If you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning.

32 vs. 64 bit
By default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.

To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/. Then sandsifter must be built for a 32 bit architecture:
  make CFLAGS=-m32
With this, the 32 bit instruction space can be explored on a 64 bit system.

References

A discussion of the techniques and results can be found in the Black Hat presentation.
Technical details are described in the whitepaper.
Slides from the Black Hat presentation are here.

Author

sandsifter is a research effort from Christopher Domas (@xoreaxeaxeax).

Download Sandsifter

Link: http://feedproxy.google.com/~r/PentestTools/~3/-g6zbj5Gyk4/sandsifter-x86-processor-fuzzer.html