Airba.sh – A POSIX-compliant, Fully Automated WPA PSK Handshake Capture Script Aimed At Penetration Testing

Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP). Those clients are then deauthenticated in order to capture the handshake when they attempt to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and current GPS data (if properly configured).

After capture, the database can be tested for vulnerable router models using crackdefault.sh. It will search for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) routers.

Requirements

- WiFi interface in monitor mode
- aircrack-ng
- SQLite3
- openssl for compilation of modules (optional)
- wlanhc2hcx from hcxtools

In order to log GPS coordinates of handshakes, configure your coordinate logging software to log to .loc/*.txt (the filename can be chosen as desired). Airbash will always use the output of

    cat "$path$loc"*.txt 2>/dev/null | awk 'NR==0; END{print}'

which equals reading all .txt files in .loc/ and picking the second line. The reason for this way of implementation is the functionality of GPSLogger, which was used on the development device.

Calculating default keys

After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.

Compiling Modules

The modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/. Credits for the code go to the authors Kevin Devine and peter@haxx.in.

On Linux:

    gcc -fomit-frame-pointer -O3 -funroll-all-loops -o modules/st modules/stkeys.c -lcrypto
    gcc -O2 -o modules/upckeys modules/upc_keys.c -lcrypto

If on Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed.

Usage

Running install.sh will create the database, prepare the folder structure and create shortlinks to both scripts, which can be moved to a directory that is on $PATH to allow execution from any location.

After installation, you may need to manually adjust INTERFACE on line 46 in airba.sh. This will later be determined automatically, but for now the default is set to wlan0, to allow out-of-the-box compatibility with bcmon on Android.

./airba.sh starts the script, automatically scanning and attacking targets that are not found in the database. ./crackdefault.sh attempts to break known default key algorithms.

To view the database contents, run the following in the main directory:

    sqlite3 .db.sqlite3 "SELECT * FROM hs"

Update (Linux only … for now)

Airbash can be updated by executing update.sh. This will clone the master branch into /tmp/ and overwrite the local files.

Output

- _n: number of access points found
- __c/m: represents client number and maximum number of clients found, respectively
- -: access point is blacklisted
- x: access point already in database
- ?: access point out of range (not visible to airodump anymore)

The Database

The database contains a table called hs with seven columns.

- id: incrementing counter of table entries
- lat and lon: GPS coordinates of the handshake (if available)
- bssid: MAC address of the access point
- essid: Name identifier
- psk: WPA passphrase, if known
- prcsd: Flag that gets set by crackdefault.sh to prevent duplicate calculation of default keys if a custom passphrase was used.

Currently, the SQLite3 database is not password-protected.

Link: http://feedproxy.google.com/~r/PentestTools/~3/JyoSXbI3rdM/airbash-posix-compliant-fully-automated.html

pwnedOrNot – Tool To Find Passwords For Compromised Email Accounts Using HaveIBeenPwned API

pwnedOrNot is a Python script which checks if an email account has been compromised in a data breach; if the email account is compromised, it proceeds to find passwords for the compromised account. It uses the haveibeenpwned v2 API to test email accounts and searches for the password in Pastebin dumps.

This script has been tested on Kali Linux 18.2 and Ubuntu 18.04.

Installation

It's a pure Python script that relies on common Python modules and does not need installation:

- os
- re
- time
- json
- requests

Usage

    git clone https://github.com/thewhiteh4t/pwnedOrNot.git
    cd pwnedOrNot/
    python pwnedornot.py

Features

haveibeenpwned offers a lot of information about the compromised email; some useful information is displayed by this script:

- Name of Breach
- Domain Name
- Date of Breach
- Fabrication status
- Verification Status
- Retirement status
- Spam Status
- Source of Dump
- ID of Dump

And with all this information pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the password.

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z1fInQ932X4/pwnedornot-tool-to-find-passwords-for.html

Sn1per v4.4 – Automated Pentest Recon Scanner

Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

FEATURES:

- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Creates individual workspaces to store all scan output

KALI LINUX INSTALL:

    ./install.sh

DOCKER INSTALL:

Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Example usage:

    $ docker pull menzo/sn1per-docker
    $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:

[*] NORMAL MODE
    sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON
    sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
    sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
    sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
    sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
    sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
    sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
    sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
    sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
    sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
    sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
    sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
    sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
    sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
    sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
    sniper -u|--update

MODES:

NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
NUKE: Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
UPDATE: Checks for updates and upgrades all components used by sniper.
REIMPORT: Reimports all workspace files into Metasploit and reproduces all reports.

SAMPLE REPORT: https://gist.github.com/1N3/8214ec2da2c91691bcbc

Link: http://feedproxy.google.com/~r/PentestTools/~3/3AtzG4dKSuE/sn1per-v44-automated-pentest-recon.html

Sandmap – A Tool Supporting Network And System Reconnaissance Using The Massive Nmap Engine

Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques.

Key Features

- simple CLI with the ability to run the pure Nmap engine
- predefined scans included in the modules
- support for the Nmap Scripting Engine (NSE)
- TOR support (with proxychains)
- multiple scans at one time
- at this point: 30 modules with 451 scan profiles

How To Use

It's simple:

    # Clone this repository
    git clone https://github.com/trimstray/sandmap
    # Go into the repository
    cd sandmap
    # Install
    ./setup.sh install
    # Run the app
    sandmap

- a symlink to bin/sandmap is placed in /usr/local/bin
- the man page is placed in /usr/local/man/man8

Modules

Available modules: 30
Available scan profiles: 451

Configuration file

The etc/main.cfg configuration file has the following structure:

    # shellcheck shell=bash

    # Specifies the default destination.
    # Examples:
    #   - dest="127.0.0.1,8.8.8.8"
    dest="127.0.0.1"

    # Specifies the extended Nmap parameters.
    # Examples:
    #   - params="--script ssl-ccs-injection -p 443"
    params=""

    # Specifies the default output type and path.
    # Examples:
    #   - report="xml"
    report=""

    # Specifies the TOR connection.
    # Examples:
    #   - tor="true"
    tor=""

    # Specifies the terminal type.
    # Examples:
    #   - terminal="internal"
    terminal="internal"

Requirements

Sandmap uses external utilities that must be installed before running:

- nmap
- xterm
- proxychains

Logging

After running the script, the log/ directory is created and the following log files are written in it:

- .<date>.log: all _logger() function calls are saved in it
- stdout.log: the standard output and errors from the _init_cmd() function are written in it

If you want to redirect the output from a command, use the following structure:

    your_command >>"$_log_stdout" 2>&1 &

Project architecture

    |-- LICENSE.md          # GNU GENERAL PUBLIC LICENSE, Version 3, 29 June 2007
    |-- README.md           # this simple documentation
    |-- CONTRIBUTING.md     # principles of project support
    |-- .gitignore          # ignore untracked files
    |-- .travis.yml         # continuous integration with Travis CI
    |-- setup.sh            # install sandmap on the system
    |-- bin
    |   |-- sandmap         # main script (init)
    |-- doc                 # includes documentation, images and manuals
    |   |-- man8
    |   |   |-- sandmap.8   # man page for sandmap
    |   |-- img             # images (eg. gif)
    |-- etc                 # contains configuration files
    |-- lib                 # libraries, external functions
    |-- log                 # contains logs, created after init
    |-- modules             # contains modules
    |-- src                 # includes external project files
    |   |-- helpers         # contains core functions
    |   |-- import          # appends the contents of the lib directory
    |   |-- __init__        # contains the __main__ function
    |   |-- settings        # contains sandmap settings
    |-- templates           # contains examples and template files
    |-- tmp                 # contains temporary files (mktemp)

Link: http://feedproxy.google.com/~r/PentestTools/~3/ziasbmvnzdA/sandmap-tool-supporting-network-and.html

PAVELOW – Exploit Toolbox

PAVELOW helps you with your exploiting and vulnerability searching adventures on Kali Linux by using a few different pre-installed tools, among several others that PAVELOW will install and set up for you (they can all be found right here on GitHub too).

FEATURES

Passive Recon Menu
- DORK OSINT (External FF)
- Email Harvester
- Subdomain Gather
- WAF Detection

Aggressive Recon
- Subdomain Takeover
- Port Scan
- NSE Vuln Scan
- Injection Crawler (Much more)

Vulnerability Lab
- XSS Crawl/Finder
- CMS Scan
- CMS Vuln Tools
- Admin Bypasser (Many others)

That's just to name a few; the rest you'll have to go and enjoy yourself! (;

Requirements

- Kali Linux
- ROOT (not root priv user)

Any questions or ideas for version 2.0, feel free to contact:

Twitter: @0x3curity, @AnonyInfo

Link: http://feedproxy.google.com/~r/PentestTools/~3/RiY4BaQIbXo/pavelow-exploit-toolbox.html

Kali Linux 2018.2 Release – The Best Penetration Testing Distribution

This Kali release is the first to include the Linux 4.15 kernel, which includes the x86 and x64 fixes for the much-hyped Spectre and Meltdown vulnerabilities. It also includes much better support for AMD GPUs and support for AMD Secure Encrypted Virtualization, which allows for encrypting virtual machine memory such that even the hypervisor can't access it.

Easier Metasploit Script Access

If you spend any significant amount of time writing exploits, you are undoubtedly familiar with the various Metasploit scripts that are available, such as pattern_create, pattern_offset, nasm_shell, etc. You are likely also aware that all of these helpful scripts are tucked away under /usr/share/metasploit-framework/tools/exploit/, which makes them more than a little difficult to make use of. Fortunately, as of metasploit-framework_4.16.34-0kali2, you can now make use of all these scripts directly, as links to all of them have been included in the PATH, each of them prepended with msf-.

    root@kali:~# msf-

Upgrade to Kali Linux 2018.2

If you already have a Kali installation you're happy with, you can easily upgrade in place as follows.

    root@kali:~# apt update && apt full-upgrade

Link: http://feedproxy.google.com/~r/PentestTools/~3/7MbNeev8qQM/kali-linux-20182-release-best.html

UPDATE: Kali Linux 2018.2 Release!

PenTestIT RSS Feed
Second Kali Linux update of this year and this time, it is about the latest Kali Linux 2018.2 release! The last release was made available recently in the month of February. This new release includes all patches, fixes, updates, and improvements since the last release, Kali Linux 2018.1, including the shiny new Linux kernel version 4.15, which
The post UPDATE: Kali Linux 2018.2 Release! appeared first on PenTestIT.

Link: http://pentestit.com/update-kali-linux-2018-2-release/

Goddi (Go Dump Domain Info) – Dumps Active Directory Domain Information

Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install

Use the executables in the releases section. If you want to build it yourself, make sure that your Go environment is set up according to the Go setup doc. The goddi package also uses the below package:

    go get gopkg.in/ldap.v2

Windows

Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux

Tested on Kali Linux (go1.10 linux/amd64). umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP:

    apt-get update
    apt-get install -y mount cifs-utils

- make sure nothing is mounted at /mnt/goddi/
- make sure to run with sudo

Run

When run, goddi will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.

- username: Target user. Required parameter.
- password: Target user's password. Required parameter.
- domain: Full domain name. Required parameter.
- dc: DC to target. Can be either an IP or full hostname. Required parameter.
- startTLS: Use to StartTLS over 389.
- unsafe: Use for a plaintext connection.

    PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
    [i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
    [i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
    [i] Begin BIND...
    [i] BIND with 'testuser' successful...
    [i] Begin dump domain info...
    [i] Domain Trusts: 1 found
    [i] Domain Controllers: 1 found
    [i] Users: 12 found
        [*] Warning: keyword 'pass' found!
        [*] Warning: keyword 'fall' found!
    [i] Domain Admins: 4 users found
    [i] Enterprise Admins: 1 users found
    [i] Forest Admins: 0 users found
    [i] Locked Users: 0 found
    [i] Disabled Users: 2 found
    [i] Groups: 45 found
    [i] Domain Sites: 1 found
    [i] Domain Subnets: 0 found
    [i] Domain Computers: 17 found
    [i] Deligated Users: 0 found
    [i] Users with passwords not set to expire: 6 found
    [i] Machine Accounts with passwords older than 45 days: 18 found
    [i] Domain OUs: 8 found
    [i] Domain Account Policy found
    [i] Domain GPOs: 7 found
    [i] FSMO Roles: 3 found
    [i] SPNs: 122 found
    [i] LAPS passwords: 0 found
    [i] GPP enumeration starting. This can take a bit...
    [i] GPP passwords: 7 found
    [i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
    [i] Execution took 1.4217256s...
    [i] Exiting...

Functionality

StartTLS and TLS (tls.Client func) connections are supported. Connections over TLS are the default. All output goes to CSVs, which are created in /csv/ in the current working directory. Dumps:

- Domain users. Also searches Description for keywords and prints to a separate CSV, e.g. "Password" was found in the domain user description.
- Users in privileged user groups (DA, EA, FA).
- Users with passwords not set to expire.
- User accounts that have been locked or disabled.
- Machine accounts with passwords older than 45 days.
- Domain Computers.
- Domain Controllers.
- Sites and Subnets.
- SPNs, including a CSV flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
- Trusted domain relationships.
- Domain Groups.
- Domain OUs.
- Domain Account Policy.
- Domain delegation users.
- Domain GPOs.
- Domain FSMO roles.
- LAPS passwords.
- GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success: R, S, etc. On Linux, /mnt/goddi is used.
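As an added example (not goddi's own code), three of the checks goddi reports are implemented below in Go over constructed account records instead of a live LDAP connection: credential keywords in the description attribute, the DONT_EXPIRE_PASSWD bit of userAccountControl, and machine-account passwords older than 45 days derived from pwdLastSet, which AD stores as 100-nanosecond ticks since 1601-01-01. The attribute names and the 0x10000 flag value are real; the keyword list and the sample accounts are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// adAccount is a constructed, minimal view of the LDAP attributes these checks need.
type adAccount struct {
	SAMAccountName     string
	Description        string
	UserAccountControl int64 // userAccountControl bit flags
	PwdLastSet         int64 // pwdLastSet: 100ns ticks since 1601-01-01 UTC
}

const (
	uacDontExpirePasswd = 0x10000             // DONT_EXPIRE_PASSWD flag
	filetimeUnixOffset  = 116444736000000000  // 100ns ticks from 1601-01-01 to 1970-01-01
	machinePwdMaxAge    = 45 * 24 * time.Hour // goddi's threshold for machine accounts
)

// filetimeToTime converts an AD timestamp (pwdLastSet, lastLogon, ...) to time.Time; zero means never set.
func filetimeToTime(ft int64) time.Time {
	if ft <= 0 {
		return time.Time{}
	}
	return time.Unix(0, (ft-filetimeUnixOffset)*100).UTC()
}
// timeToFiletime is the inverse, used here only to build the constructed sample.
func timeToFiletime(t time.Time) int64 { return t.UnixNano()/100 + filetimeUnixOffset }
// auditAccounts returns one finding per issue, in input order: credential hints in the
// description, passwords flagged never to expire, and stale machine-account passwords.
func auditAccounts(accts []adAccount, now time.Time) []string {
	var findings []string
	for _, a := range accts {
		desc := strings.ToLower(a.Description)
		for _, k := range []string{"pass", "pwd", "cred"} { // assumed keyword list
			if strings.Contains(desc, k) {
				findings = append(findings, a.SAMAccountName+": keyword '"+k+"' in description")
				break
			}
		}
		if a.UserAccountControl&uacDontExpirePasswd != 0 {
			findings = append(findings, a.SAMAccountName+": password never expires")
		}
		// Machine accounts end in "$" and rotate their password every 30 days by default.
		if strings.HasSuffix(a.SAMAccountName, "$") {
			if t := filetimeToTime(a.PwdLastSet); t.IsZero() || now.Sub(t) > machinePwdMaxAge {
				findings = append(findings, a.SAMAccountName+": machine password older than 45 days")
			}
		}
	}
	return findings
}

func main() {
	now := time.Date(2018, 5, 1, 0, 0, 0, 0, time.UTC)
	sample := []adAccount{ // constructed data, not from a real domain
		{"svc_backup", "Backup job, pass: see ticket 42", 0x10200, timeToFiletime(now.AddDate(0, 0, -10))},
		{"WS01$", "", 0x1000, timeToFiletime(now.AddDate(0, 0, -60))},
	}
	fmt.Println(strings.Join(auditAccounts(sample, now), "\n"))
}
```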

Link: http://feedproxy.google.com/~r/PentestTools/~3/ajEhSarnuSE/goddi-go-dump-domain-info-dumps-active.html

CHAOS Framework v2.0 – Generate Payloads And Control Remote Windows Systems

CHAOS allows generating payloads and controlling remote Windows systems.

Disclaimer

This project was created only for learning purposes. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

Features

- Reverse Shell
- Download File
- Upload File
- Screenshot
- Keylogger
- Persistence
- Open URL Remotely
- Get Operating System Name
- Run Fork Bomb

Tested On

Kali Linux - ROLLING EDITION

How To Use

    # Install dependencies (You need Golang and UPX package installed)
    $ apt install golang xterm git upx-ucl -y
    # Clone this repository
    $ git clone https://github.com/tiagorlampert/CHAOS.git
    # Get and install external imports (requirement to screenshot)
    $ go get github.com/kbinani/screenshot && go get github.com/lxn/win
    $ go install github.com/kbinani/screenshot && go install github.com/lxn/win
    # Maybe you will see the message "package github.com/lxn/win: build constraints exclude all Go files".
    # This occurs because the libraries are for Windows systems, but they are necessary to build the payload.
    # Go into the repository
    $ cd CHAOS
    # Run
    $ go run CHAOS.go

Link: http://feedproxy.google.com/~r/PentestTools/~3/4yPrMOaG3KY/chaos-framework-v20-generate-payloads.html