DjangoHunter – Tool Designed To Help Identify Incorrectly Configured Django Applications That Are Exposing Sensitive Information

Tool designed to help identify incorrectly configured Django applications that are exposing sensitive information.

https://www.reddit.com/r/django/comments/87qcf4/28165_thousand_django_running_servers_are_exposed/
https://twitter.com/6ix7ine/status/978598496658960384?lang=en

Usage

    python3 djangohunter.py --key {shodan}

Dorks: ‘DisallowedHost’, ‘KeyError’, ‘OperationalError’, ‘Page not found at /’

Requirements

Shodan
Pyfiglet
Requests
BeautifulSoup

    pip install -r requirements

Disclaimer

Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

Link: http://www.kitploit.com/2018/11/djangohunter-tool-designed-to-help.html

Parrot Security 4.3 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Parrot 4.3 is now available for download. This release provides security and stability updates and is the starting point for the plan to develop an LTS edition of Parrot.

Linux 4.18: Linux was updated to version 4.18.10, and Linux 4.19 will be released soon.

Firefox 63: Firefox 63 provides noticeable security and privacy features, but it is no longer available for 32-bit systems, so it has been switched to firefox-esr on all the unsupported architectures.

Wine menu: A bug in the Parrot menu configuration that prevented several menu categories from showing up has been fixed. This also fixes the missing Wine menu, which is now back again.

Bashrc updates: The Parrot .bashrc file was updated. It now provides better snap support, the ll alias now shows sizes in a human-readable format, and it no longer overwrites some global settings as it used to.

Java 11: OpenJDK 11 is now the default Java provider.

Anonsurf: Anonsurf received important stability upgrades and no longer messes up the DNS configuration.

New Parrot icons: The Parrot edition of the MAIA icon theme was updated. Many old unused icons have been dropped and replaced with newer ones.

Core updates: Parrot 4.3 provides the latest updates of Debian Testing and many improvements to our sandbox system. Both firejail and apparmor received significant updates, and the whole system is now smoother, more secure and more reliable.

Link: http://feedproxy.google.com/~r/PentestTools/~3/r9_XOjHON1g/parrot-security-43-security-gnulinux.html

Webinar: Basics of IoT Hacking for the Career Pen Tester on Sept 27 2018

Register Now and Learn IoT Hacking Step-by-Step! Join Jacob Holcomb (AKA Gimppy) of SOHOpelessly Broken fame & principal researcher for Independent Security Evaluators (ISE), the people behind the IoT Villages of DEF CON, RSA, DerbyCon and more, for live demos of hacking IoT devices, the methodology for repeatable success and career opportunities for those with IoT Hacking skills during a […]
The post Webinar: Basics of IoT Hacking for the Career Pen Tester on Sept 27 2018 appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/eh-net-tv/eh-net-live/webinar-basics-of-iot-hacking-for-the-career-pen-tester-on-sept-27-2018/

Education Hacking to Achieve an HR Filter Bypass

Nothing seems to be more deflating to many IT professionals than dropping resumes and hearing nothing but silence. To be shot down even before an initial conversation with an employer stings, especially if due to their HR filters weeding out ‘unqualified’ individuals before they’ve even garnered a look. There are numerous red flags that corporate recruiters quickly home in on when paring down a stack of resumes such as a lack of time in the industry, little if any directly relevant experience for a position, or that a person seems to frequently jump from job to job. All of those are valid. However, one glaring item usually stands out as a disqualifying issue faster than the rest, and it’s one that seems to affect a large number of senior people in technology – the lack of a college degree. In this article, I’ll highlight a little of my past and present to show where I’ve come from and where I’m going. I’ll look at how I just accomplished what I like to call ‘Education Hacking’.
The post Education Hacking to Achieve an HR Filter Bypass appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/features/root/education-hacking-to-achieve-an-hr-filter-bypass/

AI Fear, FDA, Tesla, and D-Link – Paul’s Security Weekly #580

Fear of AI attacks, the FDA releases cybersecurity guidance, watch hackers steal a Tesla, serious D-Link router security flaw may never be patched, and California addresses default passwords! All that and more, on this episode of Paul’s Security Weekly!

Paul’s Stories: Most security professionals fear AI attacks; Masscan as a lesson in TCP/IP; Have Network, […]
The post AI Fear, FDA, Tesla, and D-Link – Paul’s Security Weekly #580 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/YUiFgdwnbHE/

Swap Digger – Tool That Automates Swap Extraction And Searches For Linux User Credentials, Web Forms Credentials, Web Forms Emails, Http Basic Authentication, Wifi SSID And Keys, Etc

swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.

Download and run the tool

On your machine

Use the following commands to download and run the script on your machine:

    alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
    alice@1nvuln3r4bl3:~$ cd swap_digger
    alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx

On a mounted hard drive

To use swap_digger on a mounted hard drive, do the following.

First, download the script using the following commands:

    alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
    alice@1nvuln3r4bl3:~$ cd swap_digger
    alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh

Then, find the target swap file/partition with:

    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -S

Finally, analyze the target by running:

    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device

On a third party machine

Use the following commands to download and run the script on a third party machine (useful for pentests and CTFs):

    alice@1nvuln3r4bl3:~$ wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
    alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx

Note: Use the -c option to automatically remove the directory created by swap_digger (/tmp/swap_dig).

Simple run

If you only need to recover clear text Linux user passwords, simply run:

    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh

Available options

All options:

    ./swap_digger.sh [ OPTIONS ]
    Options :
      -x, --extended    Run Extended tests on the target swap to retrieve other interesting data
                        (web passwords, emails, wifi creds, most accessed urls, etc)
      -g, --guessing    Try to guess potential passwords based on observations and stats
                        Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
      -h, --help        Display this help.
      -v, --verbose     Verbose mode.
      -l, --log         Log all outputs in a log file (protected inside the generated working directory).
      -c, --clean       Automatically erase the generated working directory at end of script (will also remove log file)
      -r PATH, --root-path=PATH   Location of the target file-system root (default value is /)
                        Change this value for forensic analysis when target is a mounted file system.
                        This option has to be used along the -s option to indicate path to swap device.
      -s PATH, --swap-path=PATH   Location of swap device or swap dump to analyse
                        Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
                        This option should be used with the -r option where at least //etc/shadow exists.
      -S, --swap-search Search for all available swap devices (use for forensics).

Relevant resources

Blog posts about swap digging:
http://blog.sevagas.com/?Digging-passwords-in-Linux-swap

Contact

Feel free to message on my Twitter account @EmericNasi

Link: http://feedproxy.google.com/~r/PentestTools/~3/FdfKjJxumdE/swap-digger-tool-that-automates-swap.html

Evilginx2 Man-in-the-Middle Attacks – Tradecraft Security Weekly #29

Evilginx2 is a man-in-the-middle framework that can be utilized to intercept credentials including two-factor methods victims utilize when logging in to a web application. Instead of just duplicating the target web application it proxies traffic to it making the experience seamless to the victim. In this episode Ralph May (@ralphte1) joins Beau Bullock to demo […]
The post Evilginx2 Man-in-the-Middle Attacks – Tradecraft Security Weekly #29 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/ZzWhS1W1NOM/

ANDRAX – The First And Unique Penetration Testing Platform For Android Smartphones

ANDRAX: the first and unique penetration testing platform for Android smartphones.

What is ANDRAX

ANDRAX is a penetration testing platform developed specifically for Android smartphones. ANDRAX has the ability to run natively on Android, so it behaves like a common Linux distribution, but more powerful than a common distribution!

Why is Android so powerful?

Simple, everyone has a smartphone and spends all the time with it! We have the possibility to camouflage easily in the middle of everyone. The processor architecture of most Android smartphones is ARM, a modern and robust architecture extremely superior to the rest. With touch screens we can run the tools with great agility and take advantage of the graphical interface of Android. We can get in almost anywhere with our smartphones…

In technical terms, ANDRAX and NetHunter should never be compared. ANDRAX is a penetration testing platform for Android smartphones, and NetHunter is just a Debian emulator running with chroot.

Termux is not our enemy. Termux is an application that allows installation of many Linux packages using a Debian environment running natively on Android. ANDRAX and Termux have a similar development, and ANDRAX and Termux share many libs and GNU/Linux resources.

But Termux is not a penetration testing platform; it is software that brings the basic tools found in a Debian environment. Penetration tests are not something basic! They are advanced techniques that involve advanced tools and an advanced environment to conduct good tests!

So you can install many tools manually in Termux, but it would be extremely difficult to optimize and configure them to take 100% of the required potential for penetration testing. Termux runs without root privileges, and this makes it very difficult to use advanced tools.

Features and Tools

Tool list

Information Gathering: Whois, Bind DNS tools, Dnsrecon, Raccoon, DNS-Cracker, Firewalk
Scanning: Nmap – Network Mapper, Masscan, SSLScan, Amap
Packet Crafting: Hping3, Nping, Scapy, Hexinject, Ncat, Socat
Network Hacking: ARPSpoof, Bettercap, MITMProxy, EvilGINX2
WebSite Hacking: 0d1n, Wapiti3, Recon-NG, PHPSploit, Photon, XSSer, Commix, SQLMap, Payloadmask, AbernathY-XSS
Password Hacking: Hydra, Ncrack, John The Ripper, CRUNCH
Wireless Hacking: VMP Evil AP, Aircrack-NG Tools, Cowpatty, MDK3, Reaver
Exploitation: MetaSploit Framework, RouterSploit Framework, Getsploit, OWASP ZSC, Rop-TOOL
More…

Advanced Terminal: Advanced and Professional terminal emulator for Hacking!
Dynamic Categories Overlay (DCO): Beautiful tools category system
Advanced IDE: Complete support for many programming languages
Information Gathering: Tools for initial information about the target
Scanning: Tools for second stage: Scanning
Packet Crafting: Tools to craft network packets
Network Hacking: Tools for network hacking
WebSite Hacking: Tools for WebSite and WebApps Hacking
Password Hacking: Tools to break passwords
Wireless Hacking: Tools for Wireless Hacking
Exploitation: Tools for Dev and launch exploits

More info in official site.

Link: http://feedproxy.google.com/~r/PentestTools/~3/aFUTP3UzC5o/andrax-first-and-unique-penetration.html