Faraday v3.5 – Collaborative Penetration Test and Vulnerability Management Platform

Here's the main new features and improvements in Faraday v3.5:

New vulnerability form
We are happy to introduce our new vulnerability form, which makes creating and editing vulnerabilities easier. The new form uses tabs to keep it compact and to group related fields.

Custom fields
Add your own custom fields to your vulnerabilities. We currently support str, int and list types. You can also use these fields in your Executive Reports.

2nd-factor authentication
We added optional 2nd-factor authentication. Any mobile authenticator application can be used with it.

Download Faraday v3.5

Link: http://feedproxy.google.com/~r/PentestTools/~3/Fq1vFkcIIFI/faraday-v35-collaborative-penetration.html

Infoga – Email OSINT

Infoga is a tool that gathers information about e-mail accounts (IP, hostname, country, ...) from different public sources (search engines, PGP key servers and Shodan) and checks whether the e-mails were leaked using the haveibeenpwned.com API. It is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company on the Internet.

Installation
    $ git clone https://github.com/m4ll0k/Infoga.git infoga
    $ cd infoga
    $ python setup.py install
    $ python infoga.py

Usage
    $ python infoga.py --domain nsa.gov --source all --breach -v 2 --report ../nsa_gov.txt
    $ python infoga.py --info m4ll0k@protonmail.com --breach -v 3 --report ../m4ll0k.txt

Download Infoga

Link: http://feedproxy.google.com/~r/PentestTools/~3/qcMnDjIfkHQ/infoga-email-osint.html

Faraday v3.4 – Collaborative Penetration Test and Vulnerability Management Platform

Here's the main new features and improvements in Faraday v3.4:

Services can now be tagged. With this new feature you can easily identify important services, geolocate them and more.

New search operators OR/NOT
In a previous release we added the AND operator; with 3.4 you can also use the OR and NOT operators in the Status Report search box. This will allow you to find vulnerabilities easily with filters like this one:
    (severity:critical or severity:high) or name:"MS18-172"

Performance improvements for big workspaces
We have been working on optimization of our REST API endpoints to support millions of vulnerabilities in each workspace.

Here is the full change log for version 3.4:
- In GTK, check that active_workspace is not null
- Add fbruteforce services fplugin
- Attachments can be added to a vulnerability through the API.
- Catch gaierror error on lynis plugin
- Add OR and NOT with parenthesis support on status report search
- Info API is now public
- Web UI now detects Appscan plugin
- Improve performance on the workspace using custom query
- Workspaces can be set as active/disabled in the welcome page.
- Change Nmap plugin: response field in VulnWeb now goes to Data field.
- Update code to support latest SQLAlchemy version
- Fix `create_vuln` fplugin bug that incorrectly reported duplicated vulns
- The client can set a custom logo in Faraday
- Centered checkboxes in user list page
- Client or pentester can't activate/deactivate workspaces
- In GTK, dialogs now check that user_info is not False
- Add tags in Service object (frontend and backend API)
- Limit of users only takes the active ones
- Improve error message when the license is not valid

Download Faraday v3.4
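The search filter above combines field:value terms with AND, OR and NOT plus parentheses. As an added illustration (this is not Faraday's code, and the field names, the constructed sample records and the case-insensitive equality matching are assumptions made for the example), here is a small tokenizer, recursive-descent parser and evaluator for that kind of query, so a practitioner can see how precedence (not binds tightest, then and, then or) decides which vulnerabilities a filter returns:

```python
"""Evaluate Status-Report-style search filters over vulnerability records.

Added example, not Faraday's own implementation. Grammar assumed:
    expr   := andexp ('or' andexp)*
    andexp := unary ('and' unary)*
    unary  := 'not' unary | '(' expr ')' | field:value
"""
import re
from typing import Any, Dict, List, Tuple

# One token per match: a parenthesis, a keyword, or a field:value term whose
# value is either a double-quoted string or a run of non-space characters.
_TOKEN_RE = re.compile(
    r'\s*(?:(?P<lpar>\()|(?P<rpar>\))'
    r'|(?P<kw>\b(?:and|or|not)\b)'
    r'|(?P<term>[A-Za-z_][A-Za-z0-9_.]*:(?:"[^"]*"|[^\s()]+)))',
    re.IGNORECASE,
)

# Constructed sample data standing in for a workspace's vulnerability list.
SAMPLE_VULNS: List[Dict[str, Any]] = [
    {"id": 1, "name": "MS18-172", "severity": "med", "confirmed": True},
    {"id": 2, "name": "Weak TLS cipher", "severity": "high", "confirmed": False},
    {"id": 3, "name": "SQL injection", "severity": "critical", "confirmed": True},
    {"id": 4, "name": "Info disclosure", "severity": "low", "confirmed": True},
]


def tokenize(query: str) -> List[Tuple[str, Any, Any]]:
    """Split a query into ('term', field, value) / (keyword, None, None) tokens."""
    tokens: List[Tuple[str, Any, Any]] = []
    query = query.strip()
    pos = 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        if m.group("term"):
            field, value = m.group("term").split(":", 1)
            tokens.append(("term", field.lower(), value.strip('"')))
        elif m.group("kw"):
            tokens.append((m.group("kw").lower(), None, None))
        else:
            tokens.append(("(" if m.group("lpar") else ")", None, None))
    return tokens


class _Parser:
    """Recursive-descent parser producing a nested tuple AST."""

    def __init__(self, tokens: List[Tuple[str, Any, Any]]) -> None:
        self.tokens = tokens
        self.i = 0

    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:          # e.g. an unbalanced ')'
            raise ValueError(f"unexpected token {self.peek()!r} after end of query")
        return node

    def expr(self):                          # lowest precedence: or
        node = self.andexp()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.andexp())
        return node

    def andexp(self):                        # and binds tighter than or
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):                         # not, parenthesised group, or a term
        kind = self.peek()
        if kind is None:
            raise ValueError("unexpected end of query")
        if kind == "not":
            self.take()
            return ("not", self.unary())
        if kind == "(":
            self.take()
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.take()
            return node
        if kind == "term":
            return self.take()
        raise ValueError(f"unexpected token {kind!r}")


def evaluate(node, record: Dict[str, Any]) -> bool:
    """Test one record against the AST; terms compare case-insensitively."""
    kind = node[0]
    if kind == "term":
        _, field, value = node
        return str(record.get(field, "")).lower() == value.lower()
    if kind == "not":
        return not evaluate(node[1], record)
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    return evaluate(node[1], record) or evaluate(node[2], record)


def search(query: str, records: List[Dict[str, Any]]) -> List[int]:
    """Return the ids of the records matching the query, in input order."""
    ast = _Parser(tokenize(query)).parse()
    return [r["id"] for r in records if evaluate(ast, r)]


if __name__ == "__main__":
    print(search('(severity:critical or severity:high) or name:"MS18-172"', SAMPLE_VULNS))
```

The `search` call at the bottom returns `[1, 2, 3]` for the filter quoted in the release notes; a query such as `severity:low or severity:med and confirmed:true` shows the precedence rule in action, because the `and` is grouped before the `or`.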

Link: http://www.kitploit.com/2018/12/faraday-v34-collaborative-penetration.html

SpiderFoot – The Most Complete OSINT Collection And Reconnaissance Tool

SpiderFoot is an open source intelligence (OSINT) automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname, network subnet, ASN or person's name. SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target, or defensively to identify what information your organisation is freely providing for attackers to use against you.

What is SpiderFoot?
SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You simply specify the target you want to investigate, pick which modules to enable, and SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.

What is OSINT?
OSINT (Open Source Intelligence) is data available in the public domain which might reveal interesting information about your target. This includes DNS, Whois, web pages, passive DNS, spam blacklists, file metadata and threat intelligence lists, as well as services like SHODAN, HaveIBeenPwned and more. See the full list of data sources SpiderFoot utilises.

What can I do with SpiderFoot?
The data returned from a SpiderFoot scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities or other sensitive information that can be leveraged during a penetration test, red team exercise or for threat intelligence. Try it out against your own network to see what you might have exposed!

Read more at the project website: http://www.spiderfoot.net

Download Spiderfoot

Link: http://www.kitploit.com/2018/12/spiderfoot-most-complete-osint.html

Faraday v3.3 – Collaborative Penetration Test and Vulnerability Management Platform

Here's the main new features and improvements in Faraday v3.3:

Workspace archive
You are now able to make a whole workspace read-only and archive it for future use. This lets you clear the clutter from your ongoing projects while keeping the opportunity to continue the work later on if needed.

Host tags
Hosts can now be tagged. With this new feature you can easily identify production, testing or development hosts.

Zap plugin
Do you like using Faraday with Burp? What about sending issues from Burp to Faraday? Now you can do the same with OWASP ZAP! In this release of Faraday we are including an add-on for OWASP ZAP: you can now send any alert or request found by ZAP into a Faraday workspace. This extends our collection of more than 70 plugins and integrations with security tools, to help you save time on your daily work.

Add vendor name to host
We added the host vendor to the host list. This feature shows the vendor when the MAC address is set.

Download Faraday v3.3

Link: http://feedproxy.google.com/~r/PentestTools/~3/uMt3kqhpRgM/faraday-v33-collaborative-penetration.html

SniffAir – A Framework For Wireless Pentesting

SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up sophisticated wireless attacks included in SniffAir as modules.

SniffAir is developed by @Tyl0us and @theDarracott.

Install
SniffAir was developed with Python version 2.7. Tested and supported on Kali Linux, Debian and Ubuntu. To install, run the setup.sh script:
    $ ./setup.sh

Usage
The help command lists the commands available in the SniffAir console:

    >> [default]# help
    Commands
    ========
    workspace             Manages workspaces (create, list, load, delete)
    live_capture          Initiates a valid wireless interface to collect wireless pakcets to be parsed (requires the interface name)
    offline_capture       Begins parsing wireless packets using a pcap file - kismet .pcapdump work best (requires the full path)
    offline_capture_list  Begins parsing wireless packets using a list of pcap files - kismet .pcapdump work best (requires the full path)
    query                 Executes a query on the contents of the acitve workspace
    help                  Displays this help menu
    clear                 Clears the screen
    show                  Shows the contents of a table, specific information across all tables or the available modules
    inscope               Add ESSID to scope. inscope [ESSID]
    SSID_Info             Displays all information (i.e all BSSID, Channels and Encrpytion) related to the inscope SSIDS
    use                   Use a SniffAir module
    info                  Displays all variable information regarding the selected module
    set                   Sets a variable in module
    exploit               Runs the loaded module
    run                   Runs the loaded module
    exit                  Exit SniffAir
    >> [default]#

Begin
First create or load a new or existing workspace using the workspace create or workspace load <workspace> command. To view all existing workspaces use the workspace list command, and the workspace delete <workspace> command to delete the desired workspace:

    >> [default]# workspace
    Manages workspaces
    Command Option: workspaces [create|list|load|delete]
    >> [default]# workspace create demo
    [+] Workspace demo created

Load data into the desired workspace from a pcap file using the command offline_capture <the full path to the pcap file>. To load a series of pcap files use the command offline_capture_list <the full path to the file containing the list of pcap names> (this file should contain the full paths to each pcap file). Use the live_capture <interface name> command to capture live wireless traffic using a wireless interface.

    >> [demo]# offline_capture /root/sniffair/demo.pcapdump
    [+] Importing /root/sniffair/demo.pcapdump
    [+] Completed
    [+] Cleaning Up Duplicates
    [+] ESSIDs Observed

Show Command
The show command displays the contents of a table, specific information across all tables or the available modules, using the following syntax:

    >> [demo]# show table AP
    +------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
    | ID   | ESSID     | BSSID             | VENDOR                        | CHAN   | PWR   | ENC   | CIPHER   | AUTH   |
    |------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------|
    | 1    | HoneyPot  | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 4      | -17   | WPA2  | TKIP     | MGT    |
    | 2    | Demo      | 80:2a:a8:##:##:## | Ubiquiti Networks Inc.        | 11     | -19   | WPA2  | CCMP     | PSK    |
    | 3    | Demo5ghz  | 82:2a:a8:##:##:## | Unknown                       | 36     | -27   | WPA2  | CCMP     | PSK    |
    | 4    | HoneyPot1 | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 36     | -29   | WPA2  | TKIP     | PSK    |
    | 5    | BELL456   | 44:e9:dd:##:##:## | Sagemcom Broadband SAS        | 6      | -73   | WPA2  | CCMP     | PSK    |
    +------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+

    >> [demo]# show SSIDS
    ---------
    HoneyPot
    Demo
    HoneyPot1
    BELL456
    Hidden
    Demo5ghz
    ---------

The query command can be used to display a unique set of data based on the parameters specified. The query command uses SQL syntax.

Inscope
The inscope <SSID> command can be used to add an SSID to the inscope tables, loading all related data into the inscope_AP, inscope_proberequests and inscope_proberesponses tables. To view a summary of all inscope SSIDs run the SSID_Info command.

Modules
Modules can be used to analyze the data contained in the workspaces or perform offensive wireless attacks using the use <module name> command. For some modules additional variables may need to be set. They can be set using the set command: set <variable name> <variable value>.

    >> [demo]# show modules
    Available Modules
    =================
    [+] Auto EAP - Automated Brute-Force Login Attack Against EAP Networks
    [+] Auto PSK - Automated Brute-Force Passphrase Attack Against PSK Networks
    [+] AP Hunter - Discover Access Point Within a Certain Range Using a Specific Type of Encrpytion
    [+] Captive Portal - Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
    [+] Certificate Generator - Generates a Certificate Used by Evil Twin Attacks
    [+] Exporter - Exports Data Stored in a Workspace to a CSV File
    [+] Evil Twin - Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
    [+] Handshaker - Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
    [+] Mac Changer - Changes The Mac Address of an Interface
    [+] Probe Packet - Sends Out Deauth Packets Targeting SSID(s)
    [+] Proof Packet - Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSDIS
    [+] Hidden SSID - Discovers the Names of HIDDEN SSIDS
    [+] Suspicious AP - Looks for Access Points that: Is On Different Channel, use a Different Vendor or Encrpytion Type Then the Rest of The Network
    [+] Wigle Search SSID - Queries wigle for SSID (i.e. Bob's wifi)
    [+] Wigle Search MAC - Queries wigle for all observations of a single mac address
    >> [demo]#

    >> [demo]# use Captive Portal
    >> [demo][Captive Portal]# info
    Globally Set Varibles
    =====================
    Module: Captive Portal
    Interface:
    SSID:
    Channel:
    Template: Cisco (More to be added soon)
    >> [demo][Captive Portal]# set Interface wlan0
    >> [demo][Captive Portal]# set SSID demo
    >> [demo][Captive Portal]# set Channel 1
    >> [demo][Captive Portal]# info
    Globally Set Varibles
    =====================
    Module: Captive Portal
    Interface: wlan0
    SSID: demo
    Channel: 1
    Template: Cisco (More to be added soon)
    >> [demo][Captive Portal]#

Once all variables are set, execute the exploit or run command to run the desired module.

Export
To export all information stored in a workspace's tables, use the Exporter module and set the desired output path.

Acknowledgments
SniffAir contains work from the following repositories:
- hostapd-wpe
- jmalinen/hostap
- lootbooty

Download SniffAir

Link: http://feedproxy.google.com/~r/PentestTools/~3/MbOna5CFG4s/sniffair-framework-for-wireless.html

Faraday v3.2 – Collaborative Penetration Test and Vulnerability Management Platform

Here is a list of all the goodies in Faraday v3.2:

Workspace names - with numbers!
With this new version, workspace names are now allowed to start with numbers (before, they could only start with letters).

Search unconfirmed vulns
This version adds a filter that lets you show unconfirmed vulns as well.

Multi column search
We added support for the "AND" operator in the search field of the Status Report; this is the first of the logical operators we support in Faraday. We are working on adding the "OR" operator soon.

Here is the full change log for version 3.2:
- Added logical operator AND to Status Report search
- Restkit dependency removed.
- Improvement on manage.py change-password
- Add feature to show only unconfirmed vulns.
- Add ssl information to manage.py status-check
- Update wpscan plugin to support latest version.
- Allow workspace names to start with numbers.

Download Faraday v3.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/SLnSlGtMSrg/faraday-v32-collaborative-penetration.html

NodeXP – Detection and Exploitation Tool for Node.js Services

NodeXP is an integrated tool, written in Python 2.7, capable of detecting possible vulnerabilities in Node.js services as well as exploiting them in an automated way, based on the S(erver)S(ide)J(avascript)I(njection) attack.

Getting Started - Installation & Usage
Download NodeXP by cloning the Git repository:
    git clone https://github.com/esmog/nodexp

To get a list of all options run:
    python2.7 nodexp -h

Examples for POST and GET cases accordingly:
    python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
    python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind
    python2.7 nodexp.py --url="[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
    python2.7 nodexp.py --url="[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

Disclaimer
The tool's purpose is strictly academic and was developed in order to conduct my master's thesis. It could also be helpful during the process of a penetration test on Node.js services. Any other malicious or illegal usage of the tool is strongly not recommended and is clearly not a part of the purpose of this research.

Prerequisites
- Python 2.7
- Metasploit Framework
- msfvenom
- Kali Linux (or any other Linux distro with Metasploit Framework installed)

NodeXP Testbeds
- Download and run the Node.js files for both GET and POST cases from here
- Visit Nodegoat or install Nodegoat on your local machine!

Built With
Python 2.7

Versioning
NodeXP - Version 1.0.0

Authors
Dimitris Antonaropoulos - esmog

Download NodeXP

Link: http://feedproxy.google.com/~r/PentestTools/~3/OIgb6RZFu0o/nodexp-detection-and-exploitation-tool.html

JoomScan 0.0.7 – OWASP Joomla Vulnerability Scanner Project

OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known offensive vulnerabilities, but is also able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system. Furthermore, OWASP JoomScan provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads.

OWASP JoomScan is included in Kali Linux distributions.

WHY OWASP JOOMSCAN?
Automated ...
- Version enumerator
- Vulnerability enumerator (based on version)
- Components enumerator (1209 most popular by default)
- Components vulnerability enumerator (based on version) (+1030 exploits)
- Firewall detector
- Reporting to Text & HTML output
- Finding common log files
- Finding common backup files

INSTALL
    git clone https://github.com/rezasp/joomscan.git
    cd joomscan
    perl joomscan.pl

JOOMSCAN ARGUMENTS
    Usage: joomscan.pl [options]
    --url | -u                      | The Joomla URL/domain to scan.
    --enumerate-components | -ec    | Try to enumerate components.
    --cookie <String>               | Set cookie.
    --user-agent | -a <user-agent>  | Use the specified User-Agent.
    --random-agent | -r             | Use a random User-Agent.
    --timeout <time-out>            | Set timeout.
    --about                         | About Author
    --update                        | Update to the latest version.
    --help | -h                     | This help screen.
    --version                       | Output the current version and exit.

OWASP JOOMSCAN USAGE EXAMPLES
Do default checks...
    perl joomscan.pl --url www.example.com
or
    perl joomscan.pl -u www.example.com

Enumerate installed components...
    perl joomscan.pl --url www.example.com --enumerate-components
or
    perl joomscan.pl -u www.example.com -ec

Set cookie
    perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
    perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
    perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
    perl joomscan.pl -u www.example.com --random-agent
or
    perl joomscan.pl --url www.example.com -r

Update Joomscan...
    perl joomscan.pl --update

PROJECT LEADERS
Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

OWASP JoomScan introduction (Youtube)
OWASP JoomScan 0.0.7

Download Joomscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/rbhkhn10GkU/joomscan-007-owasp-joomla-vulnerability.html

VBScan 0.1.8 – Black Box vBulletin Vulnerability Scanner

OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an open-source project in the Perl programming language to detect vBulletin CMS vulnerabilities and analyse them.

Why OWASP VBScan?
If you want to do a penetration test on a vBulletin forum, OWASP VBScan is your best shot ever! This project is faster than ever and updated with the latest vBulletin vulnerabilities.

Project Leader: Mohammad Reza Espargham
Github: https://github.com/rezasp/vbscan/
SourceForge: https://sourceforge.net/projects/vbscan/
OWASP Page: https://www.owasp.org/index.php/OWASP_VBScan_Project

Usage:
    ./vbscan.pl
    ./vbscan.pl http://target.com/vbulletin

OWASP VBScan 0.1.7 introduction

What's New in Version 0.1.8 [Self Challenge]
- Updated vulnerabilities database
- "Email Before Registration Plugin" SQL exploit added
- "Tapatalk vbulletin plugin" exploit added
- "Routestring RCE" exploit added
- vBulletin possible password logger detector added
- Allow start from any path
- OpenRedirection finder module added
- vBulletin version comparing module added
- A few enhancements

Download VBScan

Link: http://feedproxy.google.com/~r/PentestTools/~3/6Oz8dDXNjHM/vbscan-018-black-box-vbulletin.html