Cookiescanner – Tool For Check The Cookie Flag In Multiple Sites

Tool for checking the cookie flags of multiple sites.

Intro

Tool created to make it easier to check cookie flags when analysing multiple web servers. If you want to know why such a tool could be useful, see:

https://www.owasp.org/index.php/SecureFlag
https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OTG-SESS-002%29

Usage

Usage: cookiescanner.py [options]

Example: ./cookiescanner.py -i ips.txt

Options:
  -h, --help                  show this help message and exit
  -i INPUT, --input=INPUT     File input with the list of webservers
  -u URL, --url=URL           URL
  -f FORMAT, --format=FORMAT  Output format (json, xml, csv, normal, grepable)
  -g GOOGLE, --google=GOOGLE  Search in google by domain
  --nocolor                   Disable color (for the normal format output)
  -I, --info                  More info

  Performance:
    -t TIMEOUT                Timeout of response
    -d DELAY                  Delay between requests

Requirements

requests >= 2.8.1
BeautifulSoup >= 4.2.1

Install requirements

pip3 install --upgrade -r requirements.txt

Author

Manuel Mancera (sinkmanu@gmail.com / @sinkmanu)

Download Cookiescanner
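The check the tool automates, as an added example that is not Cookiescanner's own code: parse each Set-Cookie header a server returned and report which of the flags the OWASP pages above describe (Secure, HttpOnly, SameSite) are missing, with a grepable output like the tool's. The URLs and headers in SAMPLE_RESPONSES are constructed, not real scan data.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample input (not real scan data): the Set-Cookie header values
# two hypothetical servers returned, keyed by the URL that was requested.
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "https://shop.example.test/": [
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "prefs=dark; Path=/; Max-Age=31536000",
    ],
    "http://legacy.example.test/login": [
        "PHPSESSID=deadbeef; path=/; httponly",
    ],
}


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, attributes).

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively; flag attributes such as Secure carry an empty value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str, over_https: bool) -> Tuple[str, List[str]]:
    """Return (cookie name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")        # may be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")      # readable by injected script
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    if not over_https:
        findings.append("set over plain HTTP")   # already exposed in transit
    return name, findings


def scan(responses: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Audit every cookie of every response; a clean cookie maps to []."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for url, cookies in responses.items():
        over_https = urlsplit(url).scheme == "https"
        report[url] = dict(audit_cookie(c, over_https) for c in cookies)
    return report


def to_grepable(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """One tab-separated line per cookie, in the spirit of the tool's grepable format."""
    return [f"{url}\t{name}\t{', '.join(f) or 'OK'}"
            for url, cookies in report.items() for name, f in cookies.items()]


if __name__ == "__main__":
    result = scan(SAMPLE_RESPONSES)
    print(json.dumps(result, indent=2))
    print("\n".join(to_grepable(result)))
```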

Link: http://feedproxy.google.com/~r/PentestTools/~3/qcuqJyITqto/cookiescanner-tool-for-check-cookie.html

RTA (Red Team Arsenal) – An Intelligent Scanner To Detect Security Vulnerabilities In Companies Layer 7 Assets

Red Team Arsenal is a web/network security scanner which has the capability to scan all of a company's online-facing assets and provide a holistic view of any security anomalies. It is a closely linked collection of security engines to conduct/simulate attacks and monitor public-facing assets for anomalies and leaks.

It is an intelligent scanner detecting security anomalies in all layer 7 assets and gives a detailed report, with integration support for Nessus. As companies continue to expand their footprint on the Internet via acquisitions and geographical expansion, human-driven security engineering does not scale; companies need feedback-driven automated systems to keep up.

Installation

Supported Platforms

RTA has been tested on Ubuntu/Debian (apt-get based distros) as well as Mac OS. It should work with any Linux distribution with Mongo and Python installed (install the required Python libraries from install/py_dependencies manually).

Prerequisites

There are a few packages which are necessary before proceeding with the installation:

- Git client: sudo apt-get install git
- Python 2.7, which is installed by default on most systems
- Python pip: sudo apt-get install python-pip
- MongoDB: read the official installation guide to install it on your machine.

Finally run:

python install/install.py

There are also optional packages/tools you can install (highly recommended):

Integrating Nessus

Integrating Nessus into Red Team Arsenal can be done in 3 simple steps:

1. Download and install Nessus community edition (if you don't have a paid edition). If you already have an installation (it can be a remote installation as well), go to step 2.
2. Update the config file (present in the root directory of RTA) with the Nessus URL, username and password.
3. Create a Nessus policy where you configure the type of scans and plugins to run, and name it RTA (case sensitive: use full uppercase).

Once the config file has the correct Nessus information (url, username, password), use the flag --nessus while running RTA to launch a Nessus scan over all the subdomains gathered by RTA (one single scan initiated with all the subdomains gathered).

Usage

  Short Form  Long Form  Description
  -u          --url      Domain URL to scan
  -v          --verbose  Enable the verbose mode and display results in realtime
  -n          --nessus   Launch a Nessus scan with all the subdomains
  -s          --scraper  Run scraper based on config keywords
  -h          --help     Show the help message and exit

Sample Output

a0xnirudh@exploitbox /RTA (master*) $ python rta.py --url "0daylabs.com" -v -s
[RTA ASCII-art banner]
[i] Checking for Zonetransfer
[i] Zone Transfer is not enabled
[i] Checking for SPF records
[+] SPF record lookups is good. Current value is: 9
[-] Enumerating subdomains now for 0daylabs.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 3
blog.0daylabs.com
www.0daylabs.com
test.0daylabs.com
[+] Verifying Subdomains and takeover options
[+] Possible subdomain takeovers (Manual verification required):
test.0daylabs.com
[i] Verified and Analyzed Subdomains:
[i] URL: blog.0daylabs.com
[i] Wappalyzer: [u'jQuery', u'Varnish', u'Font Awesome', u'Twitter Bootstrap', u'Google Analytics', u'Google Font API', u'Disqus', u'Google AdSense']
[i] Scraper Results
[+] Shodan
Hostname: test.0daylabs.com IP: 139.59.63.111 Ports: 179
Hostname: test.0daylabs.com IP: 139.59.63.111 Ports: 179
[+] Twitter
URL: https://twitter.com/tweetrpersonal9/status/832624003751694340 search string: 0daylabs
URL: https://twitter.com/ratokeshi/status/823957535564644355 search string: 0daylabs

Notifications

Configuring Slack

RTA can also push notifications to Slack, including the main scan highlights along with the Nessus and other integrated scanner reports, divided by severity.

In your Slack, create an incoming webhook and point it to the channel where you want RTA to send the report. You can read more about creating incoming webhooks in the Slack documentation. In the config file, update the URL in the slack section with the full URL (including https://) of the incoming webhook. Once Slack is configured, you will automatically start getting reports in your configured Slack channel.

Roadmap

Here are a couple of ideas which we have in mind for RTA going ahead. If you have any ideas/feature requests not listed below, feel free to raise an issue on GitHub.

- Email the results once the scan is completed.
- Extend the current RTA API so that custom scans with the required options can be launched via the API.
- Launch custom scans based on Wappalyzer results (eg: wpscan if WordPress is detected).
- Investigate and integrate more web security scanners, including but not limited to Arachni, Wapiti, Skipfish and others!
- JSON/XML output formatting for the RTA scan result.
- Improving the logic for subdomain takeover.
- Multi-threading support for faster scan completion.

Contributors

Awesome people who built this project:

Lead Developers:
- Anirudh Anand (@a0xnirudh)

Project Contributors:
- Mohan KK (@MohanKallepalli)
- Ankur Bhargava (@_AnkurB)
- Prajal Kulkarni (@prajalkulkarni)
- Himanshu Kumar Das (@mehimansu)

Special Thanks: Sublist3r

Download RTA

Link: http://feedproxy.google.com/~r/PentestTools/~3/MXF7YfYc5U8/rta-red-team-arsenal-intelligent.html

SMBrute – SMB Protocol Bruteforce

SMBrute is a program that can be used to bruteforce usernames and passwords of servers that are using SMB (Samba).

Install SMBrute

$ git clone https://github.com/m4ll0k/SMBrute.git smbrute
$ cd smbrute
$ pip3 install pysmb humanfriendly
$ python3 smbrute.py

Usage:

$ python3 smbrute.py -h 188.10.73.147
[SMBrute ASCII-art banner]
SMBrute - SMB Protocol Bruteforce Version 0.1.0 Momo Outaadi (M4ll0k)
----------------------------------------
[+] Host 188.10.73.147 authentication disabled
[+] Showing folders..
------------------------------------------------
| Name       | Type | Comments                 |
------------------------------------------------
| Multimedia | 0    | System default share     |
| Download   | 0    | System default share     |
| Recordings | 0    | System default share     |
| Web        | 0    | System default share     |
| Public     | 0    | System default share     |
| homes      | 0    | System default share     |
| Archivio   | 0    |                          |
| FTP        | 0    | ftp                      |
| home       | 0    | Home                     |
| Qsync      | 0    | Qsync                    |
| IPC$       | 3    | IPC Service (NAS Server) |
------------------------------------------------

Show Files:

$ python3 smbrute.py -h 188.10.73.147 -f FTP
[SMBrute ASCII-art banner]
SMBrute - SMB Protocol Bruteforce Version 0.1.0 Momo Outaadi (M4ll0k)
----------------------------------------
[+] Host 188.10.73.147 authentication disabled
[+] Show FTP Files...
-----------------------------------------------------------
| Filename                      | ReadOnly |
-----------------------------------------------------------
| .                             | False    |
| ..                            | False    |
| mLog_27_8_17__23_00_01.csv    | False    |
| mLog_26_1_18__23_00_01.csv    | False    |
| mLog_23_1_18__23_00_01.csv    | False    |
| mLog_28_3_17__23_00_01.csv    | False    |
| mLog_21_6_17__23_00_01.csv    | False    |
-----------------------------------------------------------

Bruteforce Login:

$ python3 smbrute.py -h 2.35.69.44
[SMBrute ASCII-art banner]
SMBrute - SMB Protocol Bruteforce Version 0.1.0 Momo Outaadi (M4ll0k)
----------------------------------------
[-] Host 2.35.69.44 authentication enabled
[!] Please set wordlist for bruteforcing

$ python3 smbrute.py -h 2.35.69.44 -U user.txt -P pass.txt -t 10
[SMBrute ASCII-art banner]
SMBrute - SMB Protocol Bruteforce Version 0.1.0 Momo Outaadi (M4ll0k)
----------------------------------------
[-] Host 2.35.69.44 authentication enabled
[+] Start bruteforcing...
[+] Username: root Password: toor

After credentials are found:

$ python3 smbrute.py -h 2.35.69.44 -u admin -p 1234
[SMBrute ASCII-art banner]
SMBrute - SMB Protocol Bruteforce Version 0.1.0 Momo Outaadi (M4ll0k)
----------------------------------------
[+] Host 2.35.69.44 authentication disabled
[+] Showing folders..
-----------------------------------------------------------------
| Name                   | Type | Comments                       |
-----------------------------------------------------------------
| IPC$                   | 3    | IPC Service (WDMyCloudEX2100)  |
| Recycle Bin - Volume_1 | 0    | Recycle Bin Directories        |
| serverconf             | 0    |                                |
| deleghe2               | 0    |                                |
| prova                  | 0    |                                |
| ebcs_site              | 0    |                                |
| deleghe                | 0    |                                |
| confcatania2           | 0    |                                |
| backup                 | 0    |                                |
| doc                    | 0    | doc                            |
| ebcs                   | 0    | ebcs                           |
| foto                   | 0    | foto                           |
| pratiche               | 0    |                                |
| TimeMachineBackup      | 0    |                                |
| SmartWare              | 0    |                                |
| Public                 | 0    |                                |
-----------------------------------------------------------------

Download SMBrute

Link: http://feedproxy.google.com/~r/PentestTools/~3/f1YByMKZ44c/smbrute-smb-protocol-bruteforce.html

Sandcat Browser 6.0 – Pentest And Developer-Oriented Web Browser

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, a resource viewer, and many other features that are useful for web developers and pen-testers, or whenever you need to examine live web applications. For more details, visit http://www.syhunt.com/sandcat/. See also the docs directory and the credits section below for a few more details about the Sandcat architecture.

Directories

/docs - Lua API documentation
/packs - contents of uncompressed pack files
  /Common - common CSS, widgets and scripts package (Common.pak)
  /Resources - resources package (Resources.pak)
/src - the main executable source and built-in resource files
  /core - user interface source
  /html - user interface resources (HTML)
  /lua - Lua API source

Download

Compiled binaries for Windows can be downloaded from the links below.

- 6.0 64-bit
- 6.0 32-bit
- 6.0 32-bit with Pen-Tester Tools (included as part of Syhunt Community)

Compiling

For compiling Sandcat, you will just need Catarinka and pLua.

The entire Sandcat user interface is created at runtime, so there is no need to install third-party components in the IDE: you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2.

If you are trying to compile it with Lazarus, let me know which errors you get; I will try to do the same soon.

Some work is still needed before a Mac or Linux version materializes.

ChangeLog

- Request Viewer rewrite, with better display of requests and stability fixes.
- Disabled Chromium's XSS protection when in pentest mode.
- Simplified the tabbed UI: major tab code clean up and reorganization.
- Added drag and drop for items in the list editor.
- Fixed: occasional crash when an extension called events of Lua objects.
- Additional stability.

Contact

Twitter: @felipedaragon, @syhunt
Email: felipe at syhunt.com

If you want to report a security bug, please see the docs\SECURITY.md file.

Download Sandcat Browser 6.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/rnAAp0-OqFM/sandcat-browser-60-pentest-and.html

Subfinder – Subdomain Discovery Tool That Can Discover Massive Amounts Of Valid Subdomains For Any Target

SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It is intended as a successor to the sublist3r project. SubFinder uses passive sources, search engines, pastebins, internet archives, etc. to find subdomains, and then uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionality and remove errors.

Why?

This project began its life as a Bug Bounty World Slack channel discussion. @ice3man & @codingo were talking about how the cornerstone subdomain tool at the time, sublist3r, appeared to have been abandoned. The goal of this project was to make a low-dependency, manageable project in Go that would continue to be maintained over time. @Ice3man decided to rewrite the sublist3r project and posted about it. @codingo offered to contribute to the project and subfinder was born.

Features

- Simple and modular code base making it easy to contribute.
- Fast and powerful bruteforcing module (in development)
- Powerful permutation generation engine (in development)
- Many passive data sources (CertDB, CertSpotter, crtsh, DNSDumpster, FindSubdomains, Hackertarget, Netcraft, PassiveTotal, PTRArchive, SecurityTrails, Threatcrowd, VirusTotal)
- Internet Archives support for finding subdomains (in development)

Install

The installation is easy. Git clone the repo and run go build:

go get github.com/ice3man543/subfinder

To configure it to work with certain services, you need to have an API key for them. These are the services that do not work without an API key:

- Virustotal
- Passivetotal
- SecurityTrails

Put these values in the config.json file and you should be good to go.

If your $GOPATH is /home/go, make sure to place your config.json file in the $GOPATH/bin folder or wherever you have the binary. Otherwise, it will not work.

Download Subfinder

Link: http://feedproxy.google.com/~r/PentestTools/~3/Gscbz8mZ4bI/subfinder-subdomain-discovery-tool-that.html

MalScan – A Simple PE File Heuristics Scanners

MalScan is a simple PE file heuristics scanner written in Python that you can use to quickly analyze a PE file and find out whether anything suspicious exists. It is a simple tool, so it doesn't offer many fancy features. You are free to extend it or do whatever you want with it.

Things Supported

- Information about the file such as MD5, SHA1, Timestamp
- PEiD signature check
- Custom Yara rules integration
- Section, Imports, Exports, Resources and TLS Callbacks overview
- Provides some custom heuristics :-)

Installing

You need to have Python 2.7 installed on your machine. The additional requirement is yara-python.

git clone https://github.com/Ice3man543/MalScan.git
cd MalScan
python malscan.py

Usage

Simply run it with the name of the file you want to check.

Download MalScan

Link: http://feedproxy.google.com/~r/PentestTools/~3/i4i7Z3cGmko/malscan-simple-pe-file-heuristics.html

AWS Pwn – A Collection Of AWS Penetration Testing Junk

This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute.

Most of this junk was written by Daniel Grzelak but there have been plenty of contributions, most notably from Mike Fuller.

Requirements

pip install -r requirements.txt

Make sure to also set up your AWS credentials in ~/.aws/credentials.

Reconnaissance

Things to do with pre-compromise information gathering.

- validate_iam_access_keys.py - Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
  ./validate_iam_access_keys.py -i /tmp/keys.txt -o /tmp/out.json
- validate_s3_buckets.py - Given a text file with one word per line, checks whether the buckets exist and returns basic identifying information.
  ./validate_s3_buckets.py -i /tmp/words.txt -o /tmp/out.json
- validate_iam_principals.py - Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
  ./validate_iam_principals.py -a 123456789012 -i /tmp/words.txt -o /tmp/out.json
- validate_accounts.py - Given a text file of account ids and account aliases, checks whether the accounts exist.
  ./validate_accounts.py -i /tmp/accounts.txt -o /tmp/out.json

Exploitation

Things that will help you gain a foothold in an account.

Stealth

Things that might help you stay hidden after compromising an account.

- disrupt_cloudtrail.py - Attempts to disrupt/cripple CloudTrail logging in the specified way.
  ./disrupt_cloudtrail.py -s

Exploration

Things to help you understand what you've pwned.

- dump_account_data.sh - Calls a bunch of generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy but great for a point-in-time snapshot.
  ./dump_account_data.sh /tmp/

Elevation

Things to help you move around an account and gather different levels of access.

- dump_instance_attributes.py - Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.
  ./dump_instance_attributes.py -u -o /tmp/
- dump_cloudformation_stack_descriptions.py - Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
  ./dump_cloudformation_stack_descriptions.py -o /tmp/data
- assume_roles.py - Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
  ./assume_roles.py -o /tmp/out.json
- add_iam_policy - Adds the administrator and all-action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
  ./add_iam_policy.py -u myuser -r myrole -g mygroup
- bouncy_bouncy_cloudy_cloud - Bounces a given EC2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
  ./bouncy_bouncy_cloudy_cloud.py -i instance-id -e exfiltration-endpoint

Persistence

Things to help maintain your access to an account.

- rabbit_lambda - An example Lambda function that responds to user delete events by creating more copies of the deleted user.
- cli_lambda - A Lambda function that acts as an AWS CLI proxy and doesn't require credentials.
- backdoor_created_users_lambda - A Lambda function that adds an access key to each newly created user.
- backdoor_created_roles_lambda - A Lambda function that adds a trust relationship to each newly created role.
- backdoor_created_security_groups_lambda - A Lambda function that adds a given inbound access rule to each newly created security group.
- backdoor_all_users.py - Adds an access key to every user in the account.
- backdoor_all_roles.py - Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
- backdoor_all_security_groups.py - Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.

Exfiltration

Things to help you extract and move data around in AWSy ways.

- dynamodump - https://github.com/bchew/dynamodump

Miscellanea

Other things that I was either too stupid or too lazy to classify.

- reserved_words.txt - A list of words/tokens that have some special meaning in AWS or are likely to soon have some special meaning.
- endpoints.txt - A somewhat up-to-date list of API endpoints exposed by AWS.
- integrations.txt - A TSV of services that integrate with AWS via roles or access keys and their account ids, default usernames etc.
- download_docs.sh - The command line to wget all the AWS docs because I'm stupid and waste time redoing it every time.

To do

- Add passwords to users for persistence
- Dump stack resources
- Validate MFA
- Add more calls to dump_account_data
- Add more log disruption methods
- Create a CloudTrail parsing script for grabbing goodies out of CloudTrail
- Create an S3 bucket permission enumerator
- Create a tool to grab AWS credentials from common places on disk
- Create a cloning tool
- Create a silly privilege escalation tool that uses PassRole
- Validate queues
- Validate notification topics
- Fix up persistence scripts to use arguments instead of constants inside the scripts

Download Aws_Pwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/nv4qusjKqTQ/aws-pwn-collection-of-aws-penetration.html

Rp++ – Tool That Aims To Find ROP Sequences In PE/Elf/Mach-O X86/X64 Binaries

rp++ is a tool written entirely in C++ that aims to find ROP sequences in PE/Elf/Mach-O (FAT binaries are not supported) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OSes: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable.

You can build rp++ very easily with CMake; it will generate a project file for your preferred IDE. There are some other things you will be able to do with rp++, like finding hexadecimal values, or strings, etc.

Benchmark: is it efficient?

Yeah, here are some benchmarks on Win7 x64, Intel i7 Q720 @ 1.6GHz, 4GB RAM:

- Target: ntoskrnl.exe x64 version 6.1.7601.17790
  D:\rp-win-x64.exe --file=ntoskrnl.exe --rop=8 > n
  ~80s for a total of 267356 gadgets found.
- Target: chrome.exe x86 version 18.0.1025.168
  D:\rp-win-x64.exe --file=chrome.exe --rop=8 > n
  ~13s for a total of 75459 gadgets found.
- Target: cmd.exe x86 version v6.1.7600
  D:\rp-win-x64.exe --file=cmd.exe --rop=8 > n
  ~15s for a total of 18818 gadgets found.
- Target: bash x86 version 4.1.5.1
  D:\rp-win-x64.exe --file=bash-x86 --rop=8 > n
  ~12s for a total of 45385 gadgets found.

Screenshots

rp++ on Win7 x64 / Debian Squeeze x64 / FreeBSD x64 / Mac OSX Lion x64.

How to use it?

USAGE:
./rp++ [-hv] [-f <binary path>] [-i <1,2,3>] [-r <positive int>] [--raw=<archi>] [--atsyntax] [--unique] [--search-hexa=<\x90A\x90>] [--search-int=<int in hex>]

OPTIONS:
  -f, --file=<binary path>     give binary path
  -i, --info=<1,2,3>           display information about the binary header
  -r, --rop=<positive int>     find useful gadgets for your future exploits, arg is the gadget maximum size in instructions
  --raw=<archi>                find gadgets in a raw file, 'archi' must be in the following list: x86, x64
  --atsyntax                   enable the AT&T syntax
  --unique                     display only unique gadgets
  --search-hexa=<\x90A\x90>    try to find hex values
  --search-int=<int in hex>    try to find a pointer on a specific integer value
  -h, --help                   print this help and exit
  -v, --version                print version information and exit

Where can I download standalone binaries?

There are x86 and x64 versions for Windows (compiled with VS 2010 on Win7 x64), Linux (compiled with gcc 4.4.5 on Debian x64 6.0.1), FreeBSD (compiled with gcc 4.2.1 on FreeBSD 8.2) and Mac OSX (compiled with gcc 4.2.1 on OSX 10.7.3; not statically linked): https://github.com/0vercl0k/rp/downloads

Here are the sha1sums:

Download Rp++

Link: http://feedproxy.google.com/~r/PentestTools/~3/IY0eObzZgyM/rp-tool-that-aims-to-find-rop-sequences.html

Mercury – A Hacking Tool Used To Collect Information And Use The Information To Further Hurt The Target

Mercury is a hacking tool used to collect information and use the information to further hurt the target.

Installation

Requires Python2 (Linux).

apt-get install python2
git clone https://www.github.com/MetaChar/Mercury
pip install -r requirements.txt

Features

- BruteForce: Mercury uses Selenium to automatically input passwords into a website
- GeoLocation: Geolocation allows the user to pinpoint the exact location of the IP address
- Sms Spam: Uses gmail to spam sms
- Spoof Email: Sends anonymous emails
- Check If Website Exists: Mercury checks if the website is real
- Check if Website Is Down: Checks if a website's status is online or offline
- Encode Strings Into Hash Form: Encodes your text into hash form
- Hex Encode/Decode: Encodes and decodes hex strings
- Whats My Ip & Mac: shows mac and ip address
- Spam email: spams email in a While True loop
- Download Extra Tools: Download an extra 16 tools like hydra, metasploit and nmap
- Github Cloner & Pip Installer: Installs pips and Github repos
- Website Cloner: Extracts the source code from a website
- Ip Address From Website: Finds the ip address of a website
- nmap: Nmap must be pre-installed and it's somewhat glitchy on linux
- Port Listen: Listens to ports
- DOS: dos attack via packets
- AnonWebbrowser: Loads up Chrome, with a proxy
- Google Dorks: Finds vulnerable links
- Admin Panel: Helps find the admin panel of a website
- Websites: Access some of the best hacking & robotics websites.
- Proxy Scraper: Find the best US proxies!
- Twitter Info Grab: Grab a twitter user's basic info

Download Mercury

Link: http://feedproxy.google.com/~r/PentestTools/~3/7XTCcQiUcfU/mercury-hacking-tool-used-to-collect.html

CloudFrunt – A Tool For Identifying Misconfigured CloudFront Domains

CloudFrunt is a tool for identifying misconfigured CloudFront domains.

Background

CloudFront is a Content Delivery Network (CDN) provided by Amazon Web Services (AWS). CloudFront users create "distributions" that serve content from specific sources (an S3 bucket, for example).

Each CloudFront distribution has a unique endpoint for users to point their DNS records to (ex. d111111abcdef8.cloudfront.net). All of the domains using a specific distribution need to be listed in the "Alternate Domain Names (CNAMEs)" field in the options for that distribution.

When a CloudFront endpoint receives a request, it does NOT automatically serve content from the corresponding distribution. Instead, CloudFront uses the HOST header of the request to determine which distribution to use. This means two things:

- If the HOST header does not match an entry in the "Alternate Domain Names (CNAMEs)" field of the intended distribution, the request will fail.
- Any other distribution that contains the specific domain in the HOST header will receive the request and respond to it normally.

This is what allows the domains to be hijacked. There are many cases where a CloudFront user fails to list all the necessary domains that might be received in the HOST header. For example:

- The domain "test.disloops.com" is a CNAME record that points to "disloops.com".
- The "disloops.com" domain is set up to use a CloudFront distribution.
- Because "test.disloops.com" was not added to the "Alternate Domain Names (CNAMEs)" field for the distribution, requests to "test.disloops.com" will fail.
- Another user can create a CloudFront distribution and add "test.disloops.com" to the "Alternate Domain Names (CNAMEs)" field to hijack the domain.

This means that the unique endpoint that CloudFront binds to a single distribution is effectively meaningless. A request to one specific CloudFront subdomain is not limited to the distribution it is associated with.

Installation

$ pip install boto3
$ pip install netaddr
$ pip install dnspython
$ git clone https://github.com/disloops/cloudfrunt.git
$ cd cloudfrunt
$ git clone https://github.com/darkoperator/dnsrecon.git

CloudFrunt expects the dnsrecon script to be cloned into a subdirectory called dnsrecon.

Usage

cloudfrunt.py [-h] [-l TARGET_FILE] [-d DOMAINS] [-o ORIGIN] [-i ORIGIN_ID] [-s] [-N]

-h, --help                      Show this message and exit
-s, --save                      Save the results to results.txt
-N, --no-dns                    Do not use dnsrecon to expand scope
-l, --target-file TARGET_FILE   File containing a list of domains (one per line)
-d, --domains DOMAINS           Comma-separated list of domains to scan
-o, --origin ORIGIN             Add vulnerable domains to new distributions with this origin
-i, --origin-id ORIGIN_ID       The origin ID to use with new distributions

Example

$ python cloudfrunt.py -o cloudfrunt.com.s3-website-us-east-1.amazonaws.com -i S3-cloudfrunt -l list.txt

 CloudFrunt v1.0.3

 [+] Enumerating DNS entries for google.com
 [-] No issues found for google.com

 [+] Enumerating DNS entries for disloops.com
 [+] Found CloudFront domain --> cdn.disloops.com
 [+] Found CloudFront domain --> test.disloops.com
 [-] Potentially misconfigured CloudFront domains:
 [#] --> test.disloops.com
 [+] Created new CloudFront distribution EXBC12DE3F45G
 [+] Added test.disloops.com to CloudFront distribution EXBC12DE3F45G

Download CloudFrunt
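A defender-side audit of the condition described above, as an added example that is not CloudFrunt's own code: follow every CNAME chain in your own zone and report each name that ends at a cloudfront.net endpoint but is not listed as an alternate domain name on any distribution you own (a single-label wildcard alias such as *.static.example.com counts as listed). All zone records, hostnames and distribution IDs below are constructed.

```python
from typing import Dict, Optional, Set

# Constructed sample data, not real zones or distributions. ZONE_CNAMES holds the
# CNAME records of the zone under audit (fully qualified, trailing dot; an apex
# would be an ALIAS record in real DNS). OWNED_DISTRIBUTION_ALIASES holds the
# "Alternate Domain Names (CNAMEs)" of every CloudFront distribution the
# organisation owns, keyed by a made-up distribution ID.
ZONE_CNAMES: Dict[str, str] = {
    "disloops.com.": "d111111abcdef8.cloudfront.net.",
    "cdn.disloops.com.": "d111111abcdef8.cloudfront.net.",
    "test.disloops.com.": "disloops.com.",          # chain: test -> apex -> CloudFront
    "www.disloops.com.": "disloops.com.",
    "img.disloops.com.": "d222222abcdef8.cloudfront.net.",
    "a.static.disloops.com.": "d111111abcdef8.cloudfront.net.",
    "mail.disloops.com.": "ghs.googlehosted.com.",  # not CloudFront, ignored
    "loop-a.disloops.com.": "loop-b.disloops.com.", # broken zone: CNAME loop
    "loop-b.disloops.com.": "loop-a.disloops.com.",
}
OWNED_DISTRIBUTION_ALIASES: Dict[str, Set[str]] = {
    "EXAMPLEDIST1": {"disloops.com", "cdn.disloops.com"},
    "EXAMPLEDIST2": {"*.static.disloops.com"},
}


def resolve_cname_chain(name: str, cnames: Dict[str, str], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs from name until a non-CNAME target; None on a loop or too many hops."""
    current = name.lower().rstrip(".") + "."
    seen: Set[str] = set()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            return None
        seen.add(current)
        current = cnames[current].lower()
    return current


def alias_matches(hostname: str, alias: str) -> bool:
    """A CloudFront alternate name is either exact or a single-label wildcard (*.x.y)."""
    hostname, alias = hostname.lower(), alias.lower()
    if alias.startswith("*."):
        suffix = alias[1:]                       # ".static.disloops.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == alias


def find_unclaimed_cloudfront_names(cnames: Dict[str, str],
                                    distributions: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map every hostname that resolves to CloudFront but is claimed by none of
    our distributions to the cloudfront.net endpoint it points at.

    Because CloudFront routes on the HOST header across all distributions, the
    check is against the union of all owned aliases, not per endpoint.
    """
    owned = {alias for aliases in distributions.values() for alias in aliases}
    unclaimed: Dict[str, str] = {}
    for record in sorted(cnames):
        target = resolve_cname_chain(record, cnames)
        if target is None or not target.rstrip(".").endswith(".cloudfront.net"):
            continue                                 # dead chain or not CloudFront
        host = record.rstrip(".")
        if not any(alias_matches(host, alias) for alias in owned):
            unclaimed[host] = target.rstrip(".")
    return unclaimed


if __name__ == "__main__":
    for host, endpoint in find_unclaimed_cloudfront_names(
            ZONE_CNAMES, OWNED_DISTRIBUTION_ALIASES).items():
        print(f"[!] {host} -> {endpoint} is not listed on any owned distribution")
```

Names reported here either need adding to the right distribution's alternate domain names or their CNAME removed; otherwise anyone can claim them exactly as the example above describes.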

Link: http://feedproxy.google.com/~r/PentestTools/~3/nC37GiMlrMQ/cloudfrunt-tool-for-identifying.html