scanless – Public Port Scan Scrapper

Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.

scanless (adj): lacking respectable morals. That girl is scanless!

Public Port Scanners

* yougetsignal
* viewdns
* hackertarget
* ipfingerprints
* pingeu

Usage

Requires the requests and bs4 libraries to run; install them with pip.

    $ python scanless.py --help
    usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

    scanless, public port scan scrapper

    optional arguments:
      -h, --help            show this help message and exit
      -t TARGET, --target TARGET
                            ip or domain to scan
      -s SCANNER, --scanner SCANNER
                            scanner to use (default: yougetsignal)
      -l, --list            list scanners
      -a, --all             use all the scanners

    $ python scanless.py --list
    Scanner Name   | Website
    ---------------|------------------------------
    yougetsignal   | http://www.yougetsignal.com
    viewdns        | http://viewdns.info
    hackertarget   | https://hackertarget.com
    ipfingerprints | http://www.ipfingerprints.com
    pingeu         | http://ping.eu

    $ python scanless.py -s viewdns -t scanme.nmap.org
    Running scanless...

    ------- viewdns -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    110/tcp  closed pop3
    139/tcp  closed netbios
    143/tcp  closed imap
    443/tcp  closed https
    445/tcp  closed smb
    1433/tcp closed mssql
    1521/tcp closed oracle
    3306/tcp closed mysql
    3389/tcp closed rdp
    -----------------------

    $ python scanless.py -a -t scanme.nmap.org
    Running scanless...

    ------- yougetsignal -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    110/tcp  closed pop3
    115/tcp  closed sftp
    135/tcp  closed msrpc
    139/tcp  closed netbios
    143/tcp  closed imap
    194/tcp  closed irc
    443/tcp  closed https
    445/tcp  closed smb
    1433/tcp closed mssql
    3306/tcp closed mysql
    3389/tcp closed rdp
    5632/tcp closed pcanywhere
    5900/tcp closed vnc
    6112/tcp closed wc3
    ----------------------------

    ------- viewdns -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    110/tcp  closed pop3
    139/tcp  closed netbios
    143/tcp  closed imap
    443/tcp  closed https
    445/tcp  closed smb
    1433/tcp closed mssql
    1521/tcp closed oracle
    3306/tcp closed mysql
    3389/tcp closed rdp
    -----------------------

    ------- hackertarget -------
    Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.065s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    PORT     STATE  SERVICE       VERSION
    21/tcp   closed ftp
    22/tcp   open   ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    23/tcp   closed telnet
    25/tcp   closed smtp
    80/tcp   open   http          Apache httpd 2.4.7 ((Ubuntu))
    110/tcp  closed pop3
    143/tcp  closed imap
    443/tcp  closed https
    445/tcp  closed microsoft-ds
    3389/tcp closed ms-wbt-server
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
    ----------------------------

    ------- ipfingerprints -------
    Host is up (0.16s latency).
    Not shown: 484 closed ports
    PORT    STATE    SERVICE
    22/tcp  open     ssh
    80/tcp  open     http
    111/tcp filtered rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    Device type: general purpose
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.11 - 3.14
    Network Distance: 10 hops
    ------------------------------

    ------- pingeu -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    139/tcp  closed netbios
    443/tcp  closed https
    445/tcp  closed smb
    3389/tcp closed rdp
    ----------------------

Download scanless

Link: http://feedproxy.google.com/~r/PentestTools/~3/mIcdQgcyx08/scanless-public-port-scan-scrapper.html

Hydra 8.5 – Network Logon Cracker

A very fast network logon cracker which supports many different services. See the feature sets and services coverage page, including a speed comparison against ncrack and medusa.

Number one of the biggest security holes are passwords, as every password security study shows.

This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.

There are already several login hacker tools available, however none of them supports more than one protocol to attack or supports parallelized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently this tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

CHANGELOG for 8.5
=================
! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra
! Reports came in that the rdp module is not working reliably sometimes, most likely against new Windows versions. Please test, report and if possible send a fix
* New command line option: -b : format option for -o output file (json only so far, happy for patches supporting others :) ) - thanks to veggiespam for the patch
* ./configure now honors the CC environment variable if present
* Fix for the restore file crash on some x64 platforms (finally! thanks to lukas227!)
* Changed the format of the restore file to detect cross platform copies
* Fixed a bug in the NCP module
* Favor strrchr() over rindex()
* Added refactoring patch by diadlo
* Updated man page with missing command line options

Download THC-Hydra 8.3
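The entry above describes a tool that issues many parallel logon attempts. The defender-side counterpart is spotting that burst in authentication logs. The following is an added example, not part of Hydra or of this page: it parses sshd-style "Failed password" lines (constructed sample lines, assumed year 2017) and flags any source exceeding a threshold of failures inside a sliding time window, together with the set of usernames it tried.

```python
"""Detect password-guessing bursts in sshd-style auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd format (not real captures).
SAMPLE_LOG = """\
May  6 02:31:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51120 ssh2
May  6 02:31:01 host sshd[1202]: Failed password for root from 203.0.113.7 port 51121 ssh2
May  6 02:31:02 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51122 ssh2
May  6 02:31:02 host sshd[1204]: Failed password for root from 203.0.113.7 port 51123 ssh2
May  6 02:31:03 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51124 ssh2
May  6 02:31:03 host sshd[1206]: Failed password for root from 203.0.113.7 port 51125 ssh2
May  6 02:31:04 host sshd[1207]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
May  6 02:40:10 host sshd[1300]: Failed password for bob from 198.51.100.4 port 40023 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text, year=2017):
    """Yield (timestamp, user, source) for every failed-password line.
    syslog lines carry no year, so the caller supplies one (assumed 2017 here)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def find_bruteforce_sources(text, threshold=5, window_seconds=60):
    """Return {source: (max failures seen in one window, usernames tried)} for
    every source that reaches `threshold` failures within `window_seconds`."""
    windows = defaultdict(deque)   # src -> (ts, user) pairs inside the current window
    flagged = {}
    for ts, user, src in parse_failures(text):
        q = windows[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            if len(q) > flagged.get(src, (0, set()))[0]:
                flagged[src] = (len(q), users)
    return flagged


if __name__ == "__main__":
    for src, (count, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures in window, users tried: {sorted(users)}")
```

A single source trying several accounts within seconds is the signature to alert on; the usual mitigations are rate limiting or lockout per source, and for SSH, key-based authentication so that password guessing has nothing to guess.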

Link: http://feedproxy.google.com/~r/PentestTools/~3/PzJYbVhZv68/hydra-85-network-logon-cracker.html

Lynis 2.5.0 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:

* AIX
* FreeBSD
* HP-UX
* Linux
* Mac OS
* NetBSD
* OpenBSD
* Solaris
* and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:

* Security auditing
* Compliance testing (e.g. PCI, HIPAA, SOx)
* Vulnerability detection and scanning
* System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.

Best practices

* CIS
* NIST
* NSA
* OpenSCAP data
* Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

During the development of this release, the project was informed about a flaw that possibly could be abused by a local attacker. Even with the small risk of success, upgrading is highly recommended. See details on [CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)

This release is a special maintenance release with focus on cleaning up the code for readability and future expansion.

Changes:
--------
* Use ROOTDIR variable instead of fixed paths
* Introduction of IsEmpty and HasData functions for readability of code
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
* Correct levels of indentation
* Support for older Mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
* Additional sysctls are tested

Tests:
------
* MALW-3280 - Extended test with Symantec components
* PKGS-7332 - Detection of macOS ports tool and installed packages
* TOOL-5120 - Snort detection
* TOOL-5122 - Snort configuration file

Download Lynis 2.5.0
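The "opportunistic scanning" idea above (audit only what the system actually has) and the "additional sysctls are tested" change can be shown with a small check of kernel parameters. What follows is an added example written for this page; it is not Lynis's own code (Lynis is a shell script) and the expected values are a constructed sample policy, not Lynis's test database. The sysctl lines it reads are constructed too; on a real host you would feed it the output of `sysctl -a`.

```python
"""Opportunistic sysctl hardening check in the spirit of Lynis (added example)."""

# Constructed `sysctl -a`-style output (one `key = value` per line).
SAMPLE_SYSCTL = """\
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 0
"""

# Constructed policy: key -> hardened value. Keys the system does not expose
# are skipped, which is what makes the check opportunistic.
EXPECTED = {
    "kernel.randomize_va_space": "2",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "kernel.kptr_restrict": "1",
    "net.ipv6.conf.all.accept_redirects": "0",   # absent from the sample: skipped
}


def parse_sysctl(text):
    """Parse `key = value` lines into a dict, ignoring lines without '='."""
    values = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit_sysctl(text, expected=EXPECTED):
    """Return [(key, current, wanted, status)] for each policy key the host has.
    status is 'OK' when the value matches the policy and 'DIFFERENT' otherwise."""
    current = parse_sysctl(text)
    results = []
    for key, wanted in expected.items():
        if key not in current:          # only audit what exists on this system
            continue
        status = "OK" if current[key] == wanted else "DIFFERENT"
        results.append((key, current[key], wanted, status))
    return results


def hardening_index(results):
    """Percentage of audited keys that match the policy (0 when nothing was audited).
    A simple stand-in for a report score; not Lynis's own hardening index formula."""
    if not results:
        return 0
    ok = sum(1 for r in results if r[3] == "OK")
    return round(100 * ok / len(results))


if __name__ == "__main__":
    res = audit_sysctl(SAMPLE_SYSCTL)
    for key, cur, want, status in res:
        print(f"{status:9} {key} = {cur} (expected {want})")
    print("hardening index:", hardening_index(res))
```

Each DIFFERENT line is a suggestion for the administrator; the IPv6 key shows the opportunistic behaviour, since a host without that sysctl produces no finding for it rather than a false warning.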

Link: http://feedproxy.google.com/~r/PentestTools/~3/hu0d7y9pfE4/lynis-250-security-auditing-tool-for.html

Blindy – Simple Script for running BruteForce Blind MySql Injection

Simple script for running bruteforce blind MySql injection.

The script will run through queries listed in sets in the provided file (default-queries.json by default) and try to bruteforce places with the {} placeholder. If no {} placeholder is present, the script will simply make a request with the current query.

Command line

    $ python3 blindy.py --help
    usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url [-s set_of_queries]

    Run blind sql injection using bruteforce

    optional arguments:
      -h, --help            show this help message and exit
      -f filename           File name for your commands in json format, defaults to default-queries.json
      -m method, --method method
                            Where to inject (GET - get parameter/default, POST - post parameter, HEADER - header)
      -p name               Name of parameter (for get - param name, post - param name, for header - name of header).
                            If params need to have fixed value use -p submit=true
      -r regexp             Regular expression for negative pattern (script searches for the pattern and if present
                            will consider that injection failed and ignore result.)
      -u url                Url to test
      -s set_of_queries, --set set_of_queries
                            Which set of queries to analyze from json file, for ex. login, blind. Default to blind.

Example usage

Bruteforce inject into POST query_param:

    python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind

Bruteforce inject into POST query_param with placeholder:

    python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind

This will inject the queries in place of the {} parameter placeholder.

Simply check a list of queries against the username parameter:

    python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login

Download Blindy
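The tool above only finds something when the application builds SQL from request parameters by string concatenation and lets the response reveal whether the resulting query succeeded (that is what the `-r` negative pattern keys on). The following added example, not Blindy's code, shows that defect beside its fix on an in-memory SQLite table with constructed rows: a user-supplied value containing a quote character alters the string-built query, while the parameterised query treats the same value as plain data.

```python
"""String-built versus parameterised login queries (added example)."""
import sqlite3


def make_db():
    """In-memory table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    conn.execute("INSERT INTO users VALUES (\"O'Brien\", 'another-constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect: request values are pasted into SQL text, so any character with
    SQL meaning in the input (here a single quote) changes the query itself.
    Kept deliberately vulnerable as the 'before' of the fix."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: placeholders bind the values as data; the SQL text never changes."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def quote_breaks_query(conn, username, password="x"):
    """True when the string-built query fails to parse for this input. A server
    that surfaces this difference (error page, different body, timing) is what a
    blind-injection tool can distinguish with its negative pattern."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe, valid creds:      ", login_safe(db, "alice", "constructed-secret"))
    print("safe, quoted username:  ", login_safe(db, "O'Brien", "another-constructed-secret"))
    print("string-built, quoted:   ", "query broke" if quote_breaks_query(db, "O'Brien") else "ok")
```

The parameterised version is the mitigation; on top of it, returning the same response for every failed login removes the signal a boolean-based blind technique depends on.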

Link: http://feedproxy.google.com/~r/PentestTools/~3/yKjnEROekzM/blindy-simple-script-for-running.html

Truehunter – Tool to detect TrueCrypt containers

The goal of Truehunter is to detect TrueCrypt containers using a fast and memory efficient approach. It was designed as a PoC some time ago as I couldn't find any open source tool with the same functionality.

Installation

Just use it with Python 2.7; it does not need any additional libraries.

    usage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZE] [-M MAXSIZE]
                         [-R MAXHEADER] [-f] [-o OUTPUTFILE]
                         LOCATION

    Checks for file size, unknown header, and entropy of files to determine if
    they are encrypted containers.

    positional arguments:
      LOCATION              Drive or directory to scan.

    optional arguments:
      -h, --help            show this help message and exit.
      -D HEADERSFILE, --database HEADERSFILE
                            Headers database file, default headers.db
      -m MINSIZE, --minsize MINSIZE
                            Minimum file size in Kb, default 1Mb.
      -M MAXSIZE, --maxsize MAXSIZE
                            Maximum file size in Kb, default 100Mb.
      -R MAXHEADER, --repeatHeader MAXHEADER
                            Discard files with unknown headers repeated more than
                            N times, default 3.
      -f, --fast            Do not calculate entropy.
      -o OUTPUTFILE, --outputfile OUTPUTFILE
                            Scan results file name, default scan_results.csv

Download Truehunter
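The three criteria named in the usage text (size bounds, unknown header, entropy) make a compact forensic heuristic. Below is an added example written for this page, not Truehunter's code: a tiny constructed headers table, a Shannon entropy function, and a classifier run over constructed in-memory samples instead of files on disk. The thresholds are assumptions chosen for the sample, not the tool's defaults.

```python
"""Encrypted-container heuristic: size, known header, entropy (added example)."""
import math
import os
from collections import Counter

# Constructed mini "headers database": leading bytes of a few common formats.
KNOWN_HEADERS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def identify_header(data):
    """Return the format name whose magic the data starts with, or None."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def assess(data, size, min_size, max_size, entropy_threshold=7.9):
    """Classify one file as (verdict, reason) with verdict in
    'skip' | 'known' | 'candidate' | 'unknown'. A candidate has no recognised
    header, a size inside the bounds, and near-random content. Compressed
    archives share the entropy trait, which is why the header check runs first."""
    if not (min_size <= size <= max_size):
        return "skip", "size outside bounds"
    fmt = identify_header(data)
    if fmt:
        return "known", fmt
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        return "candidate", f"unknown header, entropy {ent:.2f}"
    return "unknown", f"unknown header, entropy {ent:.2f}"


def scan_samples(min_size=1024, max_size=100 * 1024 * 1024):
    """Run the heuristic over constructed in-memory samples; returns {name: verdict}."""
    samples = {
        "random.bin": os.urandom(64 * 1024),                            # stands in for a container
        "image.png": b"\x89PNG\r\n\x1a\n" + os.urandom(64 * 1024),      # random body, known header
        "zeros.dat": b"\x00" * 64 * 1024,                               # unknown header, no entropy
        "tiny.bin": os.urandom(16),                                     # below the size floor
    }
    return {name: assess(d, len(d), min_size, max_size)[0] for name, d in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12} {verdict}")
```

The `-R` option in the usage text addresses the weak spot of this approach: a format missing from the headers database shows up as many files sharing one unknown header, so repeated unknown headers are discarded rather than reported as containers.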

Link: http://feedproxy.google.com/~r/PentestTools/~3/N2RS-1mezY0/truehunter-tool-to-detect-truecrypt.html

Ad-LDAP-Enum – Active Directory LDAP Enumerator

ad-ldap-enum is a Python script that was developed to discover users and their group memberships from Active Directory. In large Active Directory environments, tools such as NBTEnum were not performing fast enough. By executing LDAP queries against a domain controller, ad-ldap-enum is able to target specific Active Directory attributes and build out group membership quickly.

ad-ldap-enum outputs three tab delimited files: 'Domain Group Membership.tsv', 'Extended Domain User Information.tsv', and 'Extended Domain Computer Information.tsv'. The first file contains users, computers, groups, and their memberships. The second file contains users and extra information about the users from Active Directory (e.g. a user's home folder or email address). The third file contains devices in the Domain Computers group and extra information about them from Active Directory (e.g. operating system type and service pack version).

ad-ldap-enum supports both authenticated and unauthenticated LDAP connections. Additionally, ad-ldap-enum can process nested groups and display a user's actual group membership.

Requirements

The package python-ldap is required for the script to execute. This can be installed with the following command:

    pip install python-ldap

Usage

    ad-ldap-enum.py [-h] -l LDAP_SERVER -d DOMAIN [-a ALT_DOMAIN] [-e] [-n] [-u USERNAME] [-p PASSWORD] [-v]

    Active Directory LDAP Enumerator

    optional arguments:
      -h, --help            show this help message and exit
      -v, --verbose         Display debugging information.
      -o FILENAME_PREPEND, --prepend FILENAME_PREPEND
                            Prepend a string to all output file names.

    Server Parameters:
      -l LDAP_SERVER, --server LDAP_SERVER
                            IP address of the LDAP server.
      -d DOMAIN, --domain DOMAIN
                            Authentication account's FQDN. If an alternative domain is not specified
                            this will be also used as the Base DN for searching LDAP.
      -a ALT_DOMAIN, --alt-domain ALT_DOMAIN
                            Alternative FQDN to use as the Base DN for searching LDAP.
      -e, --nested          Expand nested groups.

    Authentication Parameters:
      -n, --null            Use a null binding to authenticate to LDAP.
      -u USERNAME, --username USERNAME
                            Authentication account's username.
      -p PASSWORD, --password PASSWORD
                            Authentication account's password.

Example

    python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd

Assorted Links

* Membership Ranges in Active Directory
* Active Directory Paging

Download Ad-LDAP-Enum
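The `-e` option above matters because a user's real privileges come from nested groups, which is also what an access review needs to see. The following added example, not ad-ldap-enum's code, shows the expansion itself: it makes no LDAP connection and works on a constructed dictionary standing in for each group's `member` attribute, expanding breadth-first with a visited set so that groups that nest each other do not loop forever.

```python
"""Nested group expansion over a constructed directory (added example)."""
from collections import deque

# Constructed: group DN -> direct members (users or other groups). Not a real domain.
DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=example,DC=test": [
        "CN=alice,CN=Users,DC=example,DC=test",
        "CN=Infra Team,OU=Groups,DC=example,DC=test",
    ],
    "CN=Infra Team,OU=Groups,DC=example,DC=test": [
        "CN=bob,CN=Users,DC=example,DC=test",
        "CN=Ops Oncall,OU=Groups,DC=example,DC=test",
    ],
    "CN=Ops Oncall,OU=Groups,DC=example,DC=test": [
        "CN=carol,CN=Users,DC=example,DC=test",
        "CN=Infra Team,OU=Groups,DC=example,DC=test",   # cycle: groups may nest each other
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=test": [
        "CN=dave,CN=Users,DC=example,DC=test",
    ],
}


def is_group(dn, directory=DIRECTORY):
    """A real query would decide this from objectClass; here a DN is a group
    exactly when the constructed directory lists members for it."""
    return dn in directory


def effective_members(group_dn, directory=DIRECTORY):
    """Breadth-first expansion of nested groups. The `seen` set makes the
    Infra Team <-> Ops Oncall cycle terminate. Returns the set of user DNs."""
    users, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, []):
            if is_group(member, directory):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def short_name(dn):
    """'CN=alice,CN=Users,...' -> 'alice' (assumes the first RDN is a CN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def membership_report(directory=DIRECTORY):
    """{group: sorted effective user names}, the expanded view an audit wants."""
    return {short_name(g): sorted(short_name(u) for u in effective_members(g, directory))
            for g in directory}


if __name__ == "__main__":
    for group, users in membership_report().items():
        print(f"{group}: {', '.join(users)}")
```

Note that carol reaches Domain Admins through two levels of nesting even though no group lists her directly; that is the membership a review of privileged groups has to surface.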

Link: http://feedproxy.google.com/~r/PentestTools/~3/N065Gjltwt8/ad-ldap-enum-active-directory-ldap.html

shARP – anti-ARP-spoofing application software and uses active scanning method to detect any ARP-spoofing incidents

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.

Our anti-ARP-spoofing program (shARP) actively detects the presence of a third party in a private network. It has 2 modes: defensive and offensive. Defensive mode protects the end user from the spoofer by disconnecting the user's system from the network and alerts the user by an audio message. The offensive mode disconnects the user's system from the network and further kicks out the attacker by sending de-authentication packets to his system, making him unable to reconnect to the network until the program is manually reset. The program creates a log file (/usr/shARP/) containing the details of the attack, such as the attacker's MAC address, MAC vendor, and the time and date of the attack. We can identify the NIC of the attacker's system with the help of the obtained MAC address. If required, the attacker can be permanently banned from the network by feeding his MAC address to the block list of the router.

The whole program is designed specially for Linux and is written in Linux shell (bash) commands. In the offensive mode the program downloads an open-source application from the internet with the permission of the user, namely aircrack-ng (if not present in the user's system already). Since it is written in python language, you must have python installed on your system for it to work. Visit https://www.aircrack-ng.org for more info.

If the user wants to secure his network by scanning for any attacker he can run the program. The program offers a simple command line interface which makes it easy for new users. The user can directly access the defensive or offensive mode by inputting the respective command line arguments along with the execution code, just as in any other Linux command to operate a software through the CLI. In case the user inputs any wrong command line argument, the program prompts the user to use the help option. The help option provides the details about the two modes.

When the user runs the program in defensive mode, he receives the original MAC address of the gateway. If there is no man in the middle attack, the screen stays idle. As soon as the program detects a spoofer in the network, it outputs the MAC address of the spoofer and the time of the attack. It then disconnects the user's system from the network so as to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

When the user runs the program in offensive mode, he receives the original MAC address of the gateway. If there is no man in the middle attack, the screen stays idle. As soon as the program detects a spoofer in the network, it outputs the MAC address of the spoofer and the time of the attack as in the defensive mode. But further, the program puts the user's Network Interface Card into monitor mode with the help of the application 'Airmon-ng'. Then the application 'Aircrack-ng' gets activated and starts sending deauthentication packets to the attacker's system. This process kicks out the attacker from the network. The program also creates a log file about the attack.

How to use

    bash ./shARP.sh -r [interface]    to reset the network card and driver.
    bash ./shARP.sh -d [interface]    to activate the program in defense mode.
    bash ./shARP.sh -o [interface]    to activate the program in offense mode.
    bash ./shARP.sh -h                for help.

Download shARP
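The defensive mode described above boils down to one rule: remember the gateway's MAC address, then treat any ARP reply that claims the gateway's IP with a different MAC as an incident and log it with the MAC, its vendor and the time. The following is an added example of that detection logic, not shARP's code (shARP is a bash script): it sniffs and sends nothing, working instead on constructed ARP reply records, and the OUI table is a constructed placeholder rather than a real vendor registry.

```python
"""Gateway MAC pinning and ARP-spoof incident logging (added example)."""
from datetime import datetime

# Constructed: observed ARP replies as (timestamp, sender IP, sender MAC).
OBSERVED_REPLIES = [
    ("2017-05-06 02:30:00", "192.168.1.1", "00:11:22:aa:bb:cc"),    # gateway, learned at start
    ("2017-05-06 02:30:05", "192.168.1.20", "00:11:22:dd:ee:ff"),   # an ordinary host
    ("2017-05-06 02:31:10", "192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP, different MAC
    ("2017-05-06 02:31:12", "192.168.1.1", "de:ad:be:ef:00:01"),    # repeat; logged once
]

# Constructed OUI prefixes -> vendor names (placeholders, not the IEEE registry).
OUI_TABLE = {"00:11:22": "Example Vendor A", "de:ad:be": "Example Vendor B"}


def mac_vendor(mac):
    """Vendor lookup on the 24-bit OUI prefix; 'unknown' when not in the table."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")


def detect_spoofing(replies, gateway_ip):
    """Pin the gateway MAC from the first reply seen for its IP (the 'original'
    MAC shARP prints at start), then flag later replies that claim the gateway
    IP with another MAC. Returns (original_mac, [incident dicts])."""
    original_mac, incidents, reported = None, [], set()
    for ts, ip, mac in replies:
        if ip != gateway_ip:
            continue
        if original_mac is None:
            original_mac = mac
            continue
        if mac != original_mac and mac not in reported:
            reported.add(mac)
            incidents.append({
                "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                "attacker_mac": mac,
                "vendor": mac_vendor(mac),
                "gateway_ip": gateway_ip,
                "original_mac": original_mac,
            })
    return original_mac, incidents


def format_log(incidents):
    """One line per incident, the kind of record a log file would hold."""
    return [f"{e['time']:%Y-%m-%d %H:%M:%S} gateway {e['gateway_ip']} claimed by "
            f"{e['attacker_mac']} ({e['vendor']}); original {e['original_mac']}"
            for e in incidents]


if __name__ == "__main__":
    original, found = detect_spoofing(OBSERVED_REPLIES, "192.168.1.1")
    print("original gateway MAC:", original)
    for line in format_log(found):
        print(line)
```

The caveat with this approach is trust on first use: the MAC learned at start is only the real gateway if the network was clean at that moment. Where possible, compare against a gateway MAC recorded from a known-good state or a static ARP entry rather than the first reply seen.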

Link: http://feedproxy.google.com/~r/PentestTools/~3/_ZGyZUhidm8/sharp-anti-arp-spoofing-application.html

oletools – Tools to analyze MS OLE2 files and MS Office documents, for malware analysis, forensics and debugging

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

News

* 2016-11-01 v0.50: all oletools now support python 2 and 3. olevba: several bugfixes and improvements. mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration. rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects. setup: now creates handy command-line scripts to run oletools from any directory.
* 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
* 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
* 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.

See the full changelog for more information.

Tools:

* olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
* oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
* olemeta: to extract all standard properties (metadata) from OLE files.
* oletimes: to extract creation and modification timestamps of all streams and storages.
* oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
* olemap: to display a map of all the sectors in an OLE file.
* olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
* MacroRaptor: to detect malicious VBA Macros
* pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
* oleobj: to extract embedded objects from OLE files.
* rtfobj: to extract embedded objects from RTF files.
* and a few others (coming soon)

Projects using oletools:

oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

Download and Install:

The recommended way to download and install/update the latest stable release of oletools is to use pip:

    On Linux/Mac: sudo -H pip install -U oletools
    On Windows:   pip install -U oletools

This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.

To get the latest development version instead:

    On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
    On Windows:   pip install -U https://github.com/decalage2/oletools/archive/master.zip

See the documentation for other installation options.

Documentation:

The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.

Download oletools
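Every tool listed above starts from the same place: the 512-byte header of an OLE2 / Compound File Binary document, which is also where "malformed/incomplete documents" and anti-analysis tricks first show up. The following is an added example written for this page, not olefile's or oletools' code: it reads the header fields at the offsets defined by the CFB format, applies sanity checks of the kind a triage tool uses, and runs them over a constructed header rather than a real document. Note that OpenXML documents (.docx, .xlsm) are ZIP archives starting with "PK", not OLE2 files, which is why olevba handles both.

```python
"""Parse and sanity-check a CFB (OLE2) file header (added example)."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Fixed header fields up to the DIFAT array at offset 76, little-endian.
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"
FIELDS = ("magic", "clsid", "minor_version", "major_version", "byte_order",
          "sector_shift", "mini_sector_shift", "reserved", "num_dir_sectors",
          "num_fat_sectors", "first_dir_sector", "transaction_sig",
          "mini_stream_cutoff", "first_minifat_sector", "num_minifat_sectors",
          "first_difat_sector", "num_difat_sectors")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF


def parse_header(data):
    """Return the header fields as a dict; raises ValueError if not OLE2."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB file")
    hdr = dict(zip(FIELDS, struct.unpack(HEADER_FMT, data[:76])))
    hdr["difat"] = list(struct.unpack("<109I", data[76:512]))   # first 109 FAT sector numbers
    hdr["sector_size"] = 1 << hdr["sector_shift"]
    return hdr


def check_header(hdr):
    """Return a list of anomalies; a clean header returns []. Values outside
    what the format allows are typical of truncated or deliberately damaged files."""
    issues = []
    if hdr["byte_order"] != 0xFFFE:
        issues.append("unexpected byte-order mark")
    if hdr["major_version"] not in (3, 4):
        issues.append(f"unknown major version {hdr['major_version']}")
    expected_shift = {3: 9, 4: 12}.get(hdr["major_version"])
    if expected_shift is not None and hdr["sector_shift"] != expected_shift:
        issues.append(f"sector shift {hdr['sector_shift']} does not match version")
    if hdr["mini_sector_shift"] != 6:
        issues.append("mini sector shift is not 6")
    if hdr["mini_stream_cutoff"] != 4096:
        issues.append("mini stream cutoff is not 4096")
    if hdr["num_fat_sectors"] == 0:
        issues.append("no FAT sectors declared")
    return issues


def build_header(major=3, sector_shift=9, num_fat=1, byte_order=0xFFFE):
    """Construct a minimal header for the examples (sample data, not a real document)."""
    fixed = struct.pack(HEADER_FMT, OLE_MAGIC, b"\x00" * 16, 0x3E, major, byte_order,
                        sector_shift, 6, b"\x00" * 6,
                        0,            # number of directory sectors (always 0 in v3)
                        num_fat,      # number of FAT sectors
                        1,            # first directory sector
                        0,            # transaction signature
                        4096,         # mini stream cutoff size
                        ENDOFCHAIN,   # first mini FAT sector (none)
                        0,            # number of mini FAT sectors
                        ENDOFCHAIN,   # first DIFAT sector (none)
                        0)            # number of DIFAT sectors
    difat = [0] + [FREESECT] * 108    # FAT lives in sector 0, remaining slots free
    return fixed + struct.pack("<109I", *difat)


if __name__ == "__main__":
    hdr = parse_header(build_header())
    print("version", hdr["major_version"], "sector size", hdr["sector_size"],
          "anomalies:", check_header(hdr) or "none")
    print("damaged sample:", check_header(parse_header(build_header(sector_shift=12))))
```

A header that fails these checks is not necessarily malicious, but it is a reason to run the stream-level tools (oledir, olemap) rather than trust the file's own directory.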

Link: http://feedproxy.google.com/~r/PentestTools/~3/rsr8VCOGs2Q/oletools-tools-to-analyze-ms-ole2-files.html