Fwknop – Single Packet Authorization & Port Knocking

fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet, which is encrypted, non-replayable, and authenticated via an HMAC, in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Because there are no open ports, any service that is concealed by SPA naturally cannot be scanned for with Nmap. The fwknop project supports four different firewalls: iptables, firewalld, PF, and ipfw across Linux, OpenBSD, FreeBSD, and Mac OS X. There is also support for custom scripts so that fwknop can be made to support other infrastructure such as ipset or nftables.

SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes that are not usually possible to reliably support, and the fact that it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn't know the proper sequence). All of these shortcomings are solved by SPA. At the same time, SPA hides services behind a default-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption.

SPA packets generated by fwknop leverage HMAC for authenticated encryption in the encrypt-then-authenticate model. Although the usage of an HMAC is currently optional (enabled via the --use-hmac command line switch), it is highly recommended for three reasons:

1. Without an HMAC, cryptographically strong authentication is not possible with fwknop unless GnuPG is used, but even then an HMAC should still be applied.
2. An HMAC applied after encryption protects against cryptanalytic CBC-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL).
3. The code required by the fwknopd daemon to verify an HMAC is much simpler than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn't even sent through the decryption routines.

The final reason above is why an HMAC should still be used even when SPA packets are encrypted with GnuPG: SPA data is not sent through libgpgme functions unless the HMAC checks out first. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the --key-gen option.

fwknop encrypts SPA packets either with the Rijndael block cipher or via GnuPG and an associated asymmetric cipher. If the symmetric encryption method is chosen, then as usual the encryption key is shared between the client and server (see the /etc/fwknop/access.conf file for details). The actual encryption key used for Rijndael encryption is generated via the standard PBKDF1 key derivation algorithm, and CBC mode is set. If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings.

Use Cases

People who use Single Packet Authorization (SPA) or its security-challenged cousin Port Knocking (PK) usually access SSHD running on the same system where the SPA/PK software is deployed. That is, a firewall running on a host has a default-drop policy against all incoming SSH connections so that SSHD cannot be scanned, but a SPA daemon reconfigures the firewall to temporarily grant access to a passively authenticated SPA client:

"Basic SPA usage to access SSHD"

fwknop supports the above, but also goes much further and makes robust usage of NAT (for iptables/firewalld firewalls). After all, important firewalls are usually gateways between networks as opposed to just being deployed on standalone hosts. NAT is commonly used on such firewalls (at least for IPv4 communications) to provide Internet access to internal networks that are on RFC 1918 address space, and also to allow external hosts access to services hosted on internal systems.

Because fwknop integrates with NAT, SPA can be leveraged to access internal services through the firewall by users on the external Internet. Although this has plenty of applications on modern traditional networks, it also allows fwknop to support cloud computing environments such as Amazon's AWS:

"SPA usage on Amazon AWS cloud environments"

User Interface

The official cross-platform fwknop client user interface fwknop-gui (download, github) is developed by Jonathan Bennett. Most major client-side SPA modes are supported including NAT requests, HMAC and Rijndael keys (GnuPG is not yet supported), fwknoprc stanza saving, and more. Currently fwknop-gui runs on Linux, Mac OS X, and Windows – here is a screenshot from OS X:

"fwknop-gui on Mac OS X"

Similarly, an updated Android client is available as well.

Tutorial

A comprehensive tutorial on fwknop can be found here: http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html

Features

The following is a complete list of features supported by the fwknop project:

- Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD.
- The fwknop client runs on Linux, Mac OS X, *BSD, and Windows under Cygwin. In addition, there is an Android app to generate SPA packets.
- Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets.
- Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems.
- Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. Other digest algorithms are also supported, but SHA-256 is the default.
- SPA packets are passively sniffed from the wire via libpcap. The fwknopd server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with tcpdump -w), from the iptables ULOG pcap writer, or directly via a UDP socket in --udp-server mode.
- For iptables firewalls, ACCEPT rules added by fwknop are added to and deleted (after a configurable timeout) from custom iptables chains, so that fwknop does not interfere with any existing iptables policy that may already be loaded on the system.
- Supports inbound NAT connections for authenticated SPA communications (iptables firewalls only for now). This means fwknop can be configured to create DNAT rules so that you can reach a service (such as SSH) running on an internal system on an RFC 1918 IP address from the open Internet. SNAT rules are also supported, which essentially turns fwknopd into a SPA-authenticating gateway to access the Internet from an internal network.
- Multiple users are supported by the fwknop server, and each user can be assigned their own symmetric or asymmetric encryption key via the /etc/fwknop/access.conf file.
- Automatic resolution of the external IP address via https://www.cipherdyne.org/cgi-bin/myip (this is useful when the fwknop client is run from behind a NAT device). Because the external IP address is encrypted within each SPA packet in this mode, Man-in-the-Middle (MITM) attacks, where an inline device intercepts an SPA packet and only forwards it from a different IP in an effort to gain access, are thwarted.
- Port randomization is supported for the destination port of SPA packets as well as for the port over which the follow-on connection is made via the iptables NAT capabilities. The latter applies to forwarded connections to internal services and to access granted to local sockets on the system running fwknopd.
- Integration with Tor (as described in this DefCon 14 presentation). Note that because Tor uses TCP for transport, sending SPA packets through the Tor network requires that each SPA packet is sent over an established TCP connection, so technically this breaks the "single" aspect of "Single Packet Authorization". However, Tor provides anonymity benefits that can outweigh this consideration in some deployments.
- Implements a versioned protocol for SPA communications, so it is easy to extend the protocol to offer new SPA message types and maintain backwards compatibility with older fwknop clients at the same time.
- Supports the execution of shell commands on behalf of valid SPA packets.
- The fwknop server can be configured to place multiple restrictions on inbound SPA packets beyond those enforced by encryption keys and replay attack detection: namely, packet age, source IP address, remote user, access to requested ports, and more.
- Bundled with fwknop is a comprehensive test suite that issues a series of tests designed to verify that both the client and server pieces of fwknop work properly. These tests involve sniffing SPA packets over the local loopback interface, building temporary firewall rules that are checked for the appropriate access based on the testing config, and parsing output from both the fwknop client and fwknopd server for expected markers for each test. Test suite output can easily be anonymized for communication to third parties for analysis.
- fwknop was the first program to integrate port knocking with passive OS fingerprinting. However, Single Packet Authorization offers many security benefits beyond port knocking, so the port knocking mode of operation is generally deprecated.

Building fwknop

This distribution uses GNU autoconf for setting up the build. Please see the INSTALL file for the general basics on using autoconf.

There are some "configure" options that are specific to fwknop. They are (extracted from ./configure --help):

    --disable-client                     Do not build the fwknop client component. The default is to build the client.
    --disable-server                     Do not build the fwknop server component. The default is to build the server.
    --with-gpgme                         support for gpg encryption using libgpgme [default=check]
    --with-gpgme-prefix=PFX              prefix where GPGME is installed (optional)
    --with-gpg=/path/to/gpg              Specify path to the gpg executable that gpgme will use [default=check path]
    --with-firewalld=/path/to/firewalld  Specify path to the firewalld executable [default=check path]
    --with-iptables=/path/to/iptables    Specify path to the iptables executable [default=check path]
    --with-ipfw=/path/to/ipfw            Specify path to the ipfw executable [default=check path]
    --with-pf=/path/to/pfctl             Specify path to the pf executable [default=check path]
    --with-ipf=/path/to/ipf              Specify path to the ipf executable [default=check path]

Examples:

    ./configure --disable-client --with-firewalld=/bin/firewall-cmd
    ./configure --disable-client --with-iptables=/sbin/iptables --with-firewalld=no

Download Fwknop
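The three properties the fwknop text leans on (encrypt-then-authenticate with a separate HMAC key, the HMAC checked before any decryption code runs, and replay detection by SHA-256 digest comparison of accepted packets) in one toy client/server exchange. This is an added example, not fwknop's code or wire format: the field layout is invented, an HMAC-SHA256 counter-mode keystream stands in for fwknop's Rijndael-CBC, and keys are passed in directly rather than derived with PBKDF1.

```python
"""Toy Single Packet Authorization modelled on the fwknop design described above.
Added example, not fwknop code: layout, stream cipher and key handling are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Optional, Set, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream HMAC-SHA256(key, nonce || counter); stands in for Rijndael-CBC."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh per packet, so identical requests never repeat on the wire
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_spa_packet(enc_key: bytes, hmac_key: bytes, client_ip: str, port: int, proto: str = "tcp") -> bytes:
    """Client side: encrypt the access request, then HMAC the ciphertext (encrypt-then-MAC).
    Fields (assumed layout): random nonce, timestamp, the client's own IPv4 address, request."""
    fields = [os.urandom(8).hex(), str(int(time.time())), client_ip, f"{proto}/{port}"]
    ciphertext = _encrypt(enc_key, ":".join(fields).encode())
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


class SpaServer:
    """Server side (the fwknopd role): verify HMAC, replay-check, decrypt, then authorize."""

    def __init__(self, enc_key: bytes, hmac_key: bytes, max_age: int = 120):
        self.enc_key = enc_key
        self.hmac_key = hmac_key
        self.max_age = max_age
        self.seen_digests: Set[bytes] = set()  # SHA-256 of every packet already accepted

    def process(self, packet: bytes, observed_src_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Nothing is decrypted until the HMAC verifies."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return False, "bad HMAC"
        ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.hmac_key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time; forged packets stop here
            return False, "bad HMAC"
        digest = hashlib.sha256(packet).digest()
        if digest in self.seen_digests:  # same bytes seen before: a replayed capture
            return False, "replay"
        try:
            _nonce, ts, client_ip, request = _decrypt(self.enc_key, ciphertext).decode().split(":")
            ts = int(ts)
        except (UnicodeDecodeError, ValueError):
            return False, "malformed"
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_age:  # packet age restriction
            return False, "stale"
        if client_ip != observed_src_ip:  # encrypted source IP defeats relaying from another host
            return False, "source IP mismatch"
        self.seen_digests.add(digest)  # only fully valid packets enter the replay cache
        return True, f"open {request} for {client_ip}"


if __name__ == "__main__":
    enc_key, hmac_key = os.urandom(32), os.urandom(32)  # fwknop generates both with --key-gen
    server = SpaServer(enc_key, hmac_key)
    pkt = build_spa_packet(enc_key, hmac_key, "203.0.113.10", 22)
    print(server.process(pkt, "203.0.113.10"))  # accepted
    print(server.process(pkt, "203.0.113.10"))  # rejected as replay
```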

Link: http://www.kitploit.com/2019/02/fwknop-single-packet-authorization-port.html

Electronegativity – Tool To Identify Misconfigurations And Security Anti-Patterns In Electron Applications

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

It leverages AST and DOM parsing to look for security-relevant configurations, as described in the "Electron Security Checklist – A Guide for Developers and Auditors" whitepaper.

Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.

If you're interested in Electron Security, have a look at our BlackHat 2017 research "Electronegativity – A Study of Electron Security" and keep an eye on Doyensec's blog.

Installation

Major releases are pushed to NPM and can be simply installed using:

    $ npm install @doyensec/electronegativity -g

Usage

    $ electronegativity -h

    Option        Description
    -V            output the version number
    -i, --input   input (directory, .js, .htm, .asar)
    -o, --output  save the results to a file in csv or sarif format
    -h, --help    output usage information

Using electronegativity to look for issues in a directory containing an Electron app:

    $ electronegativity -i /path/to/electron/app

Using electronegativity to look for issues in an asar archive and saving the results in a csv file:

    $ electronegativity -i /path/to/asar/archive -o result.csv

Note: if you're running into the fatal error "JavaScript heap out of memory", you can run node with a larger heap:

    node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv

Credits

Electronegativity was made possible thanks to the work of Claudio Merloni, Ibram Marzouk, Jaroslav Lobačevski and many other contributors.

This work has been sponsored by Doyensec LLC.

Download Electronegativity

Link: http://feedproxy.google.com/~r/PentestTools/~3/zp7KJ0Mg0-A/electronegativity-tool-to-identify.html

XIP – Tool To Generate A List Of IP Addresses By Applying A Set Of Transformations Used To Bypass Security Measures E.G. Blacklist Filtering, WAF, Etc.

XIP generates a list of IP addresses by applying a set of transformations used to bypass security measures, e.g. blacklist filtering, WAF, etc.

Further explanation in our blog post article.

Usage

    python3 xip.py --help

Docker alternative

Official image

You can pull the official Drupwn image from the dockerhub registry using the following command:

    docker pull immunit/XIP

Build

To build the container, just use this command:

    docker build -t xip .

Docker will download the Alpine image and then execute the installation steps. Be patient, the process can be quite long the first time.

Run

Once the build process is over, get and enjoy your new tool.

    docker run --rm -it xip --help

Logging

The output generated is stored in the /tmp/ folder. When using docker, run your container using the following option:

    -v YOUR_PATH_FOLDER:/tmp/

Download XIP

Link: http://www.kitploit.com/2019/02/xip-tool-to-generate-list-of-ip.html

Bolt – CSRF Scanning Suite

Bolt is in the beta phase of development, which means there can be bugs. Any production use of this tool is discouraged. Pull requests and issues are welcome. I also suggest you put this repo on watch if you are interested in it.

Workflow

Crawling

Bolt crawls the target website to the specified depth and stores all the HTML forms found in a database for further processing.

Evaluating

In this phase, Bolt finds out the tokens which aren't strong enough and the forms which aren't protected.

Comparing

This phase focuses on detection of replay attack scenarios and hence checks if a token has been issued more than one time. It also calculates the average Levenshtein distance between all the tokens to see if they are similar. Tokens are also compared against a database of 250+ hash patterns.

Observing

In this phase, 100 simultaneous requests are made to a single webpage to see if the same tokens are generated for the requests.

Testing

This phase is dedicated to active testing of the CSRF protection mechanism. It includes, but is not limited to, checking if protection exists for mobile browsers, submitting requests with a self-generated token and testing if the token is being checked to a certain length.

Analysing

Various statistical checks are performed in this phase to see if the token is really random. The following tests are performed during this phase:

- Monobit frequency test
- Block frequency test
- Runs test
- Spectral test
- Non-overlapping template matching test
- Overlapping template matching test
- Serial test
- Cumulative sums test
- Approximate entropy test
- Random excursions variant test
- Linear complexity test
- Longest runs test
- Maurer's universal statistic test
- Random excursions test

Usage

Scanning a website for CSRF using Bolt is as easy as doing:

    python3 bolt.py -u https://github.com -l 2

where -u is used to supply the URL and -l is used to specify the depth of crawling.

Other options and switches:

    -t         number of threads
    --delay    delay between requests
    --timeout  http request timeout
    --headers  supply http headers

Credits

Regular expressions for detecting hashes are taken from hashID.

Bit level entropy tests are taken from highfestiva's python implementation of statistical tests.

Download Bolt
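Two of the NIST SP 800-22 checks in Bolt's Analysing list, the monobit frequency test and the runs test, applied to CSRF token bytes. This is an added example, not Bolt's code, and the tokens are constructed samples; it also goes one step past the page by showing a token that passes both tests while being plainly periodic, which is why the rest of the list (spectral, template matching, serial, ...) exists.

```python
"""Monobit and runs tests over CSRF token bits. Added example, not Bolt's code."""
import math


def token_bits(token_hex: str) -> list:
    """Decode a hex token to its raw bits (testing the ASCII hex text itself would bias the result)."""
    return [(byte >> i) & 1 for byte in bytes.fromhex(token_hex) for i in range(7, -1, -1)]


def monobit_test(bits: list) -> float:
    """NIST frequency (monobit) test: p-value that ones and zeros are balanced."""
    n = len(bits)
    s_obs = abs(sum(1 if b else -1 for b in bits)) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits: list) -> float:
    """NIST runs test: p-value that 0/1 oscillation is neither too fast nor too slow."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):  # prerequisite: frequency must not already fail badly
        return 0.0
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])  # number of runs
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def assess_token(token_hex: str, alpha: float = 0.01) -> dict:
    """Run both tests; a p-value below alpha rejects randomness (NIST's default alpha is 0.01)."""
    bits = token_bits(token_hex)
    p_mono, p_runs = monobit_test(bits), runs_test(bits)
    return {"monobit_p": p_mono, "runs_p": p_runs, "random_enough": p_mono >= alpha and p_runs >= alpha}


SAMPLE_TOKENS = {  # constructed 128-bit tokens, not captured from any site
    "all_zero": "00" * 16,      # fails monobit outright
    "alternating": "aa" * 16,   # 10101010...: balanced bits, but twice as many runs as expected
    "periodic": "cc" * 16,      # 11001100...: balanced and exactly the expected run count
}

if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        print(name, assess_token(token))
```

The periodic sample is the caveat: monobit and runs both return p = 1.0 for it, so a token checker needs the remaining tests on the list (or at least the serial and spectral tests) before calling a token random.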

Link: http://feedproxy.google.com/~r/PentestTools/~3/vu2sbgER-jY/bolt-csrf-scanning-suite.html

Pwndb – Search For Credentials Leaked On Pwndb

A data leak differs from a data breach in that the former usually happens through omission or faulty practices rather than overt action, and may be so slight that it is never detected. While a data breach usually means that sensitive data has been harvested by someone who should not have accessed it, a data leak is a situation where such sensitive information might have been inadvertently exposed. pwndb is an onion service where leaked accounts are searchable using a simple form.

After a breach occurs the data obtained is often put on sale. Sometimes, people try to blackmail the affected company, asking for money in exchange for not posting the data online. The second option is selling the data to a competitor, a rival or even an enemy. This data is used in so many different ways by companies and countries... but when the people responsible for obtaining the data fail to sell it, the bundle becomes worthless and it ends up being placed on sites like pastebin or pwndb.

pwndb is a tool to search for leaked credentials on pwndb using the command line.

    pwndb.py -u -d <domain>

Tutorial

Go to https://davidtavarez.github.io/osint/2019/01/25/pwndb-command-line-tool-python.html

Download Pwndb

Link: http://feedproxy.google.com/~r/PentestTools/~3/StIgYaSXjQ8/pwndb-search-for-creadentials-leaked-on.html

FTW – Framework For Testing WAFs

This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests that will trigger these rules. Users can verify the execution of the rule after the tests are issued to make sure the expected response is received from an attack.

Goals / Use cases include:

- Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks to a WAF
- Provide a testing framework for new rules into ModSecurity; if a rule is submitted it MUST have corresponding positive & negative tests
- Evaluate WAFs against a common, agreeable baseline ruleset (OWASP)
- Test and verify custom rules for WAFs that are not part of the core rule set

For our 1.0 release announcement, check out the OWASP CRS Blog.

Installation

    git clone https://github.com/CRS-support/ftw.git
    cd ftw
    virtualenv env && source ./env/bin/activate
    pip install -r requirements.txt
    py.test -s -v test/test_default.py --ruledir=test/yaml

Writing your first tests

The core of FTW is its extensible YAML-based tests. This section lists a few resources on how they are formatted, how to write them and how you can use them.

- OWASP CRS wrote a great blog post describing how FTW tests are written and executed.
- YAMLFormat.md is the ground truth of all YAML fields that are currently understood by FTW.

After reading these two resources, you should be able to get started writing tests. You will most likely be checking against status code responses, or web request responses using the log_contains directive. For integrating FTW to test regexes within your WAF logs, refer to ExtendingFTW.md.

Provisioning Apache+Modsecurity+OWASP CRS

If you require an environment for testing WAF rules, there has been one created with Apache, Modsecurity and version 3.0.0 of the OWASP core ruleset. This can be deployed by:

1. Checking out the repository: git clone https://github.com/fastly/waf_testbed.git
2. Typing vagrant up

Download FTW

Link: http://feedproxy.google.com/~r/PentestTools/~3/vosO_nniiiI/ftw-framework-for-testing-wafs.html

identYwaf – Blind WAF Identification Tool

identYwaf is an identification tool that can recognize the web protection type (i.e. WAF) based on blind inference. Blind inference is done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, which are used only to trigger the web protection system in between (e.g. http://?aeD0oowi=1 AND 2>1). Currently it supports more than 60 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing.

Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference.

Screenshots

Installation

You can download the latest zipball by clicking here.

Preferably, you can download identYwaf by cloning the Git repository:

    git clone --depth 1 https://github.com/stamparm/identYwaf.git

identYwaf works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

    $ python identYwaf.py
    (1.0.X)

    Usage: python identYwaf.py [options] <host|url>

    Options:
      --version          Show program's version number and exit
      -h, --help         Show this help message and exit
      --delay=DELAY      Delay (sec) between tests (default: 0)
      --timeout=TIMEOUT  Response timeout (sec) (default: 10)
      --proxy=PROXY      HTTP proxy address (e.g. "http://127.0.0.1:8080")

Download identYwaf

Link: http://www.kitploit.com/2019/01/identywaf-blind-waf-identification-tool.html

Sh00T – A Testing Environment for Manual Security Testers

A Testing Environment for Manual Security Testers.

Sh00t:

- is a task manager to let you focus on performing security testing
- provides To Do checklists of test cases
- helps to create bug reports with customizable bug templates

Features:

- Dynamic Task Manager to replace simple editors or task management tools that are NOT meant for Security
- Automated, customizable Security test-cases Checklist to replace Evernote, OneNote or other tools which are NOT meant for Security
- Manage custom bug templates for different purposes and automatically generate bug reports
- Support multiple Assessments & Projects to logically separate your different needs
- Use like a paper – Everything's saved automatically
- Export auto generated bug report into Markdown & submit blindly on HackerOne! (WIP)
- Integration with JIRA, ServiceNow – Coming soon
- Export bug report into Markdown – Coming soon
- Customize everything under-the-hood

Installation:

Sh00t requires Python 3 and a few more packages. The simplest way to set up Sh00t is using Conda Environments. However, Anaconda is optional if you have Python 3 and pip installed – you can jump to step 4 below.

Pre-requisite – One time setup:

1. Install the minimal version of Anaconda, Miniconda, and follow the installation instructions. Remember to reload your bash profile or restart your terminal application to make the conda command available. For Windows, launch Anaconda Prompt and run all the below commands in that window only.
2. Create a new Python 3 environment: conda create -n sh00t python=3.6
3. Activate the sh00t environment: conda activate sh00t. If you see an error message like "CommandNotFoundError: Your shell has not been properly configured to use 'conda activate'.", you have to manually enable the conda command. Follow the instructions shown with the error message. You may have to reload your bash profile or restart your terminal. Try activating sh00t again: conda activate sh00t. You should be seeing (sh00t) XXXX$ in your terminal.
4. Clone or download the latest project into a location of your choice: https://github.com/pavanw3b/sh00t. git clone requires installation of Git.
5. Navigate to the folder where sh00t is cloned or downloaded & extracted: cd sh00t. Note that this is the outer-most sh00t directory in the project files, not sh00t/sh00t.
6. Install Sh00t dependency packages: pip install -r requirements.txt
7. Set up the database: python manage.py migrate
8. Create a user account: python manage.py createsuperuser and follow the UI to create an account.
9. Optional but recommended: Avail 174 Security Test Cases from OWASP Testing Guide (OTG) and Web Application Hacker's Handbook (WAHH): python reset.py.

That's all for the first time. Follow the next steps whenever you want to start Sh00t.

Starting Sh00t:

If you have Python 3 installed on your machine, you can jump to step 3.

1. For Linux/Mac, open Terminal. For Windows, open Anaconda Prompt.
2. Activate the sh00t environment if not on yet: conda activate sh00t
3. Navigate to the sh00t directory if not in it already: cd sh00t
4. Start the Sh00t server: python manage.py runserver
5. Access http://127.0.0.1:8000/ in your favorite browser. Log in with the user credentials created in the one-time setup above.
6. Welcome to Sh00t!
7. Once you are done, stop the server: Ctrl + C
8. [Optional] Deactivate the sh00t environment to continue with your other work: conda deactivate.

Upgrade:

1. Navigate to the folder where sh00t was cloned: cd sh00t
2. Stop the server if it's running: Ctrl + C
3. Pull the latest code base via git: git pull, or download the source from github and replace the files.
4. Activate the sh00t environment if not on yet: conda activate sh00t
5. Set up any additional dependencies: pip install -r requirements.txt
6. Make the latest database changes: python manage.py migrate
7. Start the server: python manage.py runserver

Troubleshoot:

Sh00t is written in Python and powered by the Django Web Framework. If you are stuck with any errors, Googling the error message should help most of the time. If you are not sure, please file a new issue on github.

Glossary:

Flag: A Flag is a target that is sh00ted at. It's a test case that needs to be tested. Flags are generated automatically based on the testing methodology chosen. The bug might or might not be found – but the goal is to aim and sh00t at it. A Flag contains detailed steps for testing. If the bug is confirmed, then it's called a Sh0t.

Sh0t: Sh0ts are bugs. Typically a Sh0t contains a technical description of the bug, Affected Files/URLs, Steps To Reproduce and Fix Recommendation. Most of the contents of a Sh0t are one-click generated and only the dynamic content like Affected Parameters and Steps has to be changed. Sh0ts can belong to an Assessment.

Assessment: An Assessment is a testing assessment. It can be an assessment of an application or a program – it is up to the user how to manage it. It's a part of a Project.

Project: A Project contains assessments. A Project can be a logical separation of what you do. It can be a different job or bug bounty – up to you to decide.

How does it work?

Begin with creating a new Assessment. Choose what methodology you want to test with. Today there are 330 test cases, grouped into 86 Flags, belonging to 13 Modules which are created with reference to the "Web Application Hacker's Handbook" Testing Methodology. Modules & Flags can be handpicked & customized. Once Assessments are created with the Flags, the tester has to test them either manually, or semi-automated with the help of scanners, tools or however it's required, and mark each "Done" on completion. While performing an assessment we often come up with custom test cases that are specific to a certain scenario in the application. A new Flag can be created easily at any point of time.

Whenever a Flag is confirmed to be a valid bug, a Sh0t can be created. One can choose a bug template that matches best, and Sh00t will auto fill the bug report based on the template chosen.

Screenshots:

Dashboard

Working on a Flag

Choosing Methodology and Test Cases while creating a new Assessment

Filing a bug pre-filled with a template

Who can use Sh00t?

- Application Security Engineers: Pentesting & Vulnerability Assessments
- Bug bounty hunters
- Independent Security Researchers
- Blue team, developers who fix
- Anybody who wants to hack

Implementation details:

- Language: Python 3
- Framework: Django Web Framework
- Dependencies: Django REST Framework, django-tables2: Managed by /requirements.txt
- UI: Bootstrap – Responsive

Contribution:

- Pavan: @pavanw3b
- Aditya Ganapathy

Credits:

- Hari Valugonda
- Mohd Aqeel Ahmed
- Ajeeth Rakkappan

Download Sh00T

Link: http://feedproxy.google.com/~r/PentestTools/~3/9c76MO4aIn0/sh00t-testing-environment-for-manual.html

LeakLooker – Find Open Databases With Shodan

Find open databases with Shodan

Background: https://medium.com/@woj_ciech/leaklooker-find-open-databases-in-a-second-9da4249c8472

Requirements:

- Python 3
- Shodan paid plan, except Kibana search
- Put your Shodan API key in line 65

    pip3 install shodan
    pip3 install colorama
    pip3 install hurry.filesize

Usage

    root@kali:~/# python leaklooker.py -h

    LeakLooker – Find open databases
    https://medium.com/@woj_ciech https://github.com/woj-ciech/

    usage: leaklooker.py [-h] [--elastic] [--couchdb] [--mongodb] [--kibana] [--first FIRST] [--last LAST]

    LeakLooker

    optional arguments:
      -h, --help     show this help message and exit
      --elastic      Elasti search (default: False)
      --couchdb      CouchDB (default: False)
      --mongodb      MongoDB (default: False)
      --kibana       Kibana (default: False)

    Pages:
      --first FIRST  First page (default: None)
      --last LAST    Last page (default: None)

You need to specify first and last page.

Example

    root@kali:~/# python leaklooker.py --mongodb --couchdb --kibana --elastic --first 12 --last 14
    [...]
    ----------------------------------Elastic - Page 12--------------------------------
    Found 25069 results
    IP: http://xxx.xxx.xxx.xxx:9200/_cat/indices?v
    Size: 1G
    Country: France
    Indices: .monitoring-kibana-6-2019.01.08
    [...]
    ----------------------------
    IP: http://yyy.yyy.yyy.yyy:9200/_cat/indices?v
    Size: 144G
    Country: China
    Indices: zhuanlihx_person
    [...]
    ----------------------------------CouchDB - Page 12--------------------------------
    Found 5932 results
    -----------------------------
    IP: http://xxx.xxx.xxx:5984/_utils
    Country: Austria
    new_fron_db
    test_db
    -----------------------------
    IP: http://yyy.yyy.yyy.yyy:5984/_utils
    Country: United States
    _replicator
    _users
    backup_20180917
    backup_db
    eio_local
    tfa_pos
    ----------------------------------MongoDB - Page 12--------------------------------
    Found 66680 results
    IP: xxx.xxx.xxx.xxx
    Size: 6G
    Country: France
    Database name: Warn
    Size: 80M
    Collections: Warn
    system.indexes
    Database name: xhprofprod
    Size: 5G
    Collections: results
    system.indexes
    -----------------------------
    IP: yyy.yyy.yyy.yyy
    Size: 544M
    Country: Ukraine
    Database name: local
    Size: 32M
    Collections: startup_log
    Database name: ace_stat
    Size: 256M
    Collections: stat_minute
    system.indexes
    stat_hourly
    stat_daily
    [...]
    Database name: ace
    Size: 256M
    Collections: usergroup
    system.indexes
    scheduletask
    dpigroup
    portforward
    wlangroup
    [...]
    ----------------------------------Kibana - Page 12--------------------------------
    Found 10464 results
    IP: http://xxx.xxx.xxx.xxx:5601/app/kibana#/discover?_g=()
    Country: Germany
    ---
    IP: http://yyy.yyy.yyy.yyy:5601/app/kibana#/discover?_g=()
    Country: United States
    ---
    IP: http://zzz.zzz.zzz.zzz:5601/app/kibana#/discover?_g=()
    Country: United Kingdom

Screenshots

Download LeakLooker

Link: http://www.kitploit.com/2019/01/leaklooker-find-open-databases-with.html