Pybelt – The Hackers Tool Belt

Pybelt is an open source hackers tool belt complete with:

- A port scanner
- SQL injection scanner
- Dork checker
- Hash cracker
- Hash type verification tool
- Proxy finding tool
- XSS scanner

It is capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.

Screenshots

SQL Injection scanning made easy, just provide a URL and watch it work.

Dork checker, have some Dorks you're not sure of? Go ahead and run the Dork check with the Dork as an argument, it will pull 100 URLs and give you the success rate for the Dork.

Hash cracking made simple, provide the hash type at the end (":md5", ":sha256", etc.) for a specific hash, or ":all" for all algorithms available on your machine.

And many more!

Usage

Installation

You can either clone the repository:

    git clone https://github.com/ekultek/pybelt.git

or download the latest release as a zip/tar ball here.

Once you have the program installed, cd into the directory and run the following command:

    pip install -r requirements.txt

This will install all of the program's required libraries, and it should be able to be run from there.

Functionality

    python pybelt.py -p 127.0.0.1

Will run a port scan on your local host.

    python pybelt.py -s http://example.com/php?id=2

Will run a SQLi scan on the given URL.

    python pybelt.py -d idea?id=55

Will run a Dork check on the given Google Dork.

    python pybelt.py -c 9a8b1b7eee229046fc2701b228fc2aff:all

Will attempt to crack the hash using all algorithms available on the computer.

    python pybelt.py -v 098f6bcd4621d373cade4e832627b4f6

Will try to verify the hash type.

    python pybelt.py -f

Will find usable proxies.

    python pybelt.py -x http://127.0.0.1/php?id=1

Will search the URL for XSS vulnerability.

Download Pybelt

Link: http://feedproxy.google.com/~r/PentestTools/~3/eM2WCiJ55qw/pybelt-hackers-tool-belt.html

BruteSpray – Brute-Forcing from Nmap output (Automatically attempts default creds on found services)

BruteSpray takes nmap GNMAP output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.

Usage

First do an nmap scan with '-oA nmap.gnmap'.

Command:

    python brutespray.py -h

Example:

    python brutespray.py --file nmap.gnmap --services all --threads 3 --hosts 5

Supported Services

ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, rlogin, smbnt, smtp, snmp, svn, vmauthd

Download BruteSpray

Link: http://feedproxy.google.com/~r/PentestTools/~3/qz1PiR4KUGU/brutespray-brute-forcing-from-nmap.html
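BruteSpray is driven entirely by the greppable Nmap file, so it helps to know what that file carries. The parser below is an added example (not BruteSpray's own code) that reads a constructed .gnmap excerpt and lists the hosts and ports whose service name is on the supported list above; it keys on the -sV service label rather than the port number, which is what lets SSH on 2222 be caught, and a defender can run the same check over their own scan output to see which exposed services would be tried.

```python
import re
from collections import defaultdict

# Constructed .gnmap excerpt (not real scan data): one host with a
# non-standard SSH port that only -sV can label, plus a filtered port.
SAMPLE_GNMAP = """\
# Nmap 7.01 scan initiated as: nmap -sV -oA nmap 192.168.56.0/24
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (997)
Host: 192.168.56.11 (db01)\tPorts: 2222/open/tcp//ssh//OpenSSH 7.4/, 5432/open/tcp//postgresql//PostgreSQL DB 9.6/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done -- 256 IP addresses (2 hosts up)
"""

# Services BruteSpray can brute-force (the supported list from the page above).
SUPPORTED = {"ssh", "ftp", "telnet", "vnc", "mssql", "mysql", "postgresql", "rsh",
             "imap", "nntp", "pcanywhere", "pop3", "rexec", "rlogin", "smbnt",
             "smtp", "snmp", "svn", "vmauthd"}
# Nmap service names that map onto a BruteSpray/Medusa module name (assumed mapping).
ALIASES = {"netbios-ssn": "smbnt", "microsoft-ds": "smbnt", "postgres": "postgresql"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        ip, _hostname, ports_field = m.groups()
        for entry in ports_field.split(","):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            port, _state, proto, _owner, service, _rpc, version = fields[:7]
            hosts[ip].append((int(port), proto, ALIASES.get(service, service), version))
    return dict(hosts)


def bruteforceable(hosts):
    """(ip, port, service) triples BruteSpray would hand to Medusa, chosen by service name, not port."""
    return sorted((ip, port, svc) for ip, ports in hosts.items()
                  for port, _proto, svc, _ver in ports if svc in SUPPORTED)


if __name__ == "__main__":
    for ip, port, svc in bruteforceable(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port} {svc}")
```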

Pwntools – CTF Framework And Exploit Development Library

pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.

    from pwn import *
    context(arch = 'i386', os = 'linux')
    r = remote('exploitme.example.com', 31337)
    # EXPLOIT CODE GOES HERE
    r.send(asm(shellcraft.sh()))
    r.interactive()

Documentation

Our documentation is available at docs.pwntools.com

To get you started, we've provided some example solutions for past CTF challenges in our write-ups repository.

Installation

pwntools is best supported on 64-bit Ubuntu 12.04 and 14.04, but most functionality should work on any Posix-like distribution (Debian, Arch, FreeBSD, OSX, etc.). Python 2.7 is required.

Most of the functionality of pwntools is self-contained and Python-only. You should be able to get running quickly with:

    apt-get update
    apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
    pip install --upgrade pip
    pip install --upgrade pwntools

However, some of the features (assembling/disassembling foreign architectures) require non-Python dependencies. For more information, see the complete installation instructions here.

Download Pwntools

Link: http://feedproxy.google.com/~r/PentestTools/~3/f-ottO8K1fA/pwntools-ctf-framework-and-exploit.html

scanless – Public Port Scan Scrapper

Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.

scanless (adj): lacking respectable morals. That girl is scanless!

Public Port Scanners

- yougetsignal
- viewdns
- hackertarget
- ipfingerprints
- pingeu

Usage

Requires the requests and bs4 libraries to run, install with pip.

    $ python scanless.py --help
    usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

    scanless, public port scan scrapper

    optional arguments:
      -h, --help            show this help message and exit
      -t TARGET, --target TARGET
                            ip or domain to scan
      -s SCANNER, --scanner SCANNER
                            scanner to use (default: yougetsignal)
      -l, --list            list scanners
      -a, --all             use all the scanners

    $ python scanless.py --list
    Scanner Name   | Website
    ---------------|------------------------------
    yougetsignal   | http://www.yougetsignal.com
    viewdns        | http://viewdns.info
    hackertarget   | https://hackertarget.com
    ipfingerprints | http://www.ipfingerprints.com
    pingeu         | http://ping.eu

    $ python scanless.py -s viewdns -t scanme.nmap.org
    Running scanless...

    ------- viewdns -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    110/tcp  closed pop3
    139/tcp  closed netbios
    143/tcp  closed imap
    443/tcp  closed https
    445/tcp  closed smb
    1433/tcp closed mssql
    1521/tcp closed oracle
    3306/tcp closed mysql
    3389/tcp closed rdp
    -----------------------

    $ python scanless.py -a -t scanme.nmap.org
    Running scanless...

    ------- yougetsignal -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    110/tcp  closed pop3
    115/tcp  closed sftp
    135/tcp  closed msrpc
    139/tcp  closed netbios
    143/tcp  closed imap
    194/tcp  closed irc
    443/tcp  closed https
    445/tcp  closed smb
    1433/tcp closed mssql
    3306/tcp closed mysql
    3389/tcp closed rdp
    5632/tcp closed pcanywhere
    5900/tcp closed vnc
    6112/tcp closed wc3
    ----------------------------

    ------- viewdns -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    110/tcp  closed pop3
    139/tcp  closed netbios
    143/tcp  closed imap
    443/tcp  closed https
    445/tcp  closed smb
    1433/tcp closed mssql
    1521/tcp closed oracle
    3306/tcp closed mysql
    3389/tcp closed rdp
    -----------------------

    ------- hackertarget -------
    Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.065s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    PORT     STATE  SERVICE       VERSION
    21/tcp   closed ftp
    22/tcp   open   ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    23/tcp   closed telnet
    25/tcp   closed smtp
    80/tcp   open   http          Apache httpd 2.4.7 ((Ubuntu))
    110/tcp  closed pop3
    143/tcp  closed imap
    443/tcp  closed https
    445/tcp  closed microsoft-ds
    3389/tcp closed ms-wbt-server
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
    ----------------------------

    ------- ipfingerprints -------
    Host is up (0.16s latency).
    Not shown: 484 closed ports
    PORT    STATE    SERVICE
    22/tcp  open     ssh
    80/tcp  open     http
    111/tcp filtered rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    Device type: general purpose
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.11 - 3.14
    Network Distance: 10 hops
    ------------------------------

    ------- pingeu -------
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    53/tcp   closed dns
    80/tcp   open   http
    139/tcp  closed netbios
    443/tcp  closed https
    445/tcp  closed smb
    3389/tcp closed rdp
    ----------------------

Download scanless

Link: http://feedproxy.google.com/~r/PentestTools/~3/mIcdQgcyx08/scanless-public-port-scan-scrapper.html

Cowrie – SSH/Telnet Honeypot

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Features

Some interesting features:

- Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
- Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
- Session logs stored in a UML compatible format for easy replay with original timings
- Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

- SFTP and SCP support for file upload
- Support for SSH exec commands
- Logging of direct-tcp connection attempts (ssh proxying)
- Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
- Logging in JSON format for easy processing in log management solutions
- Many, many additional commands

Requirements

Software required:

- Python 2.7+ (Python 3 not yet supported due to Twisted dependencies)
- python-virtualenv

For Python dependencies, see requirements.txt

Files of interest:

- cowrie.cfg – Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
- data/fs.pickle – fake filesystem
- data/userdb.txt – credentials allowed or disallowed to access the honeypot
- dl/ – files transferred from the attacker to the honeypot are stored here
- honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here or use bin/fsctl
- log/cowrie.json – transaction output in JSON format
- log/cowrie.log – log/debug output
- log/tty/*.log – session logs
- txtcmds/ – file contents for the fake commands
- bin/createfs – used to create the fake filesystem
- bin/playlog – utility to replay session logs

Read more.

Download Cowrie

Link: http://feedproxy.google.com/~r/PentestTools/~3/j3thUFTPU7c/cowrie-sshtelnet-honeypot.html
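The JSON log is the part of Cowrie most useful to a defender, and the example below (added here, not Cowrie's own code) triages a constructed excerpt of log/cowrie.json: it counts credentials and source IPs, flags the sessions where a login succeeded and something was then typed or downloaded, and survives a torn last line. The event names and keys (eventid, session, src_ip, username, password, input, url, shasum) are assumed to match Cowrie's JSON output.

```python
import json
from collections import Counter

# Constructed lines in the shape of log/cowrie.json (one JSON object per line).
# Event names and keys are assumed from Cowrie's JSON output; the hash is a
# placeholder and the last line is deliberately truncated.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "session": "s1", "src_ip": "203.0.113.5", "timestamp": "2017-05-06T02:31:00Z"}
{"eventid": "cowrie.login.failed", "session": "s1", "src_ip": "203.0.113.5", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "session": "s1", "src_ip": "203.0.113.5", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.success", "session": "s1", "src_ip": "203.0.113.5", "username": "root", "password": "toor"}
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.5", "input": "cat /etc/passwd"}
{"eventid": "cowrie.session.file_download", "session": "s1", "src_ip": "203.0.113.5", "url": "http://example.invalid/x.sh", "shasum": "PLACEHOLDER_SHA256"}
{"eventid": "cowrie.login.failed", "session": "s2", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "session": "s2", "src_ip": "198.51.100.7", "username": "admin", "pass
"""


def parse_events(text):
    """Yield one dict per well-formed line; a torn or corrupt line is skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue


def triage(text):
    """Summarise credentials tried, noisiest sources, and sessions that went beyond guessing."""
    creds, sources = Counter(), Counter()
    logged_in, commands, downloads = set(), {}, []
    for ev in parse_events(text):
        kind, sid = ev.get("eventid", ""), ev.get("session")
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            sources[ev.get("src_ip")] += 1
            if kind == "cowrie.login.success":
                logged_in.add(sid)
        elif kind == "cowrie.command.input":
            commands.setdefault(sid, []).append(ev.get("input", ""))
        elif kind == "cowrie.session.file_download":
            downloads.append((sid, ev.get("url"), ev.get("shasum")))
    # Sessions that got a shell and then typed or fetched something are the ones
    # worth replaying with bin/playlog and checking against the files under dl/.
    active = sorted(s for s in logged_in if s in commands or any(d[0] == s for d in downloads))
    return {"top_credentials": creds.most_common(3), "top_sources": sources.most_common(3),
            "active_sessions": active, "commands": commands, "downloads": downloads}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```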

MalwareSearch – A Command Line Tool To Find Malwares

Tool developed for searching malwares at openmalware.org by command line, allowing specific malware download by shell. Soon we'll input more sources like MalShare, MalwareBlacklist, Malware.lu's AVCaesar and Malwr.

Usage

Optional Arguments:

    $ malwaresearch.py [--h HELP] [-f FIND] [-w WRITE]

    usage: malwaresearch.py [-h] [-f Sample | -d Hash] [-w File] [-o Int]

    MalwareSearch 0.1 [github.com/MalwareReverseBrasil/malwaresearch.git]

    optional arguments:
      -h, --help            show this help message and exit
      -f Sample, --find Sample
                            Enter your search via MD5, SHA1, SHA256 or an Common Signature name.
      -d Hash, --download Hash
                            Download selected sample
      -w File, --write File
                            Save the output results.
      -o Int, --output Int  Show number of results

Developers:

- Ialle Teixeira, Security/Malware Researcher (blog)
- Vandré Augusto, Electric Engineer & Malware Researcher (blog)

Download MalwareSearch

Link: http://feedproxy.google.com/~r/PentestTools/~3/y4TYSLeW_U0/malwaresearch-command-line-tool-to-find.html

EAPHammer – Targeted Evil Twin Attacks Against WPA2-Enterprise Networks [Indirect Wireless Pivots Using Hostile Portal Attacks]

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:

    # generate certificates
    ./eaphammer --cert-wizard

    # launch attack
    ./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds

Leverages a lightly modified version of hostapd-wpe, dnsmasq, dsniff, Responder, and Python 2.7.

Features

- Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
- Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
- Perform captive portal attacks
- Built-in Responder integration
- Support for Open networks and WPA-EAP/WPA2-EAP
- No manual configuration necessary for most attacks.
- No manual configuration necessary for installation and setup process

Upcoming Features

- Perform seamless MITM attacks with partial HSTS bypasses
- Support attacks against WPA-PSK/WPA2-PSK
- Support for SSID cloaking
- Generate timed payloads for indirect wireless pivots
- Integrated PowerShell payload generation
- impacket integration for SMB relay attacks
- directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
- Updated hostapd-wpe that works with the latest version of Hostapd
- Integrated website cloner for cloning captive portal login pages
- Integrated HTTP server

Will this tool ever support Karma attacks?

At some point yes, but for now the focus has been on directed evil twin attacks. If Karma attacks are like a wireless grenade launcher, this tool is more like an easy-to-use wireless sniper rifle.

Setup Guide

Kali Setup Instructions

Begin by cloning the eaphammer repo using the following command.

    git clone https://github.com/s0lst1c3/eaphammer.git

Next run the kali-setup.py file as shown below to complete the eaphammer setup process. This will install dependencies and compile hostapd.

    python setup.py

Other Distros

If you are not using Kali, you can still compile eaphammer. I just haven't written a setup script for your distro yet, which means you'll have to do it manually. Ask yourself whether you understand the following:

- python-devel vs python-dev
- service vs systemctl
- network-manager vs NetworkManager
- httpd vs apache2

If you looked at this list and immediately realized that each pair of items was to some extent equivalent (well, except for service vs systemctl, but you catch my drift), you'll probably have no problems getting this package to work on the distro of your choice. If not, please just stick with Kali until support is added for other distros.

With that out of the way, here are the generic setup instructions:

1. Use your package manager to install each of the dependencies listed in kali-dependencies.txt. Package names can vary slightly from distro to distro, so you may get a "package not found" error or similar. If this occurs, just use Google to find out what the equivalent package is for your distro and install that instead.

2. Once you have installed each of the dependencies listed in kali-dependencies.txt, you'll need to install some additional packages that ship with Kali by default. These packages are listed below. If you're on a distro that uses httpd instead of apache2, install that instead.

    - dsniff
    - apache2

3. Compile hostapd using the following commands:

    cd hostapd-eaphammer
    make

4. Open config.py in the text editor of your choice and edit the following lines so that they hold values that work for your distro:

    # change this to False if you cannot/will not use systemd
    use_systemd = True

    # change this to 'NetworkManager' if necessary
    network_manager = 'network-manager'

    # change this to 'httpd' if necessary
    httpd = 'apache2'

Usage Guide

x.509 Certificate Generation

Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer's certificate wizard, just use the command shown below.

    ./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks

To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.

    ./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds

The flags shown above are self explanatory. For more granular control over the attack, you can use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the EAP type. Note that for cred reaping attacks, you should always specify an auth type manually, since the --auth flag defaults to "open" when omitted.

    ./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds

Please refer to the options described in the Additional Options section of this document for additional details about these flags.

Stealing AD Credentials Using Hostile Portal Attacks

Eaphammer can perform hostile portal attacks that can force LLMNR/NBT-NS enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS name resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices to not only connect to the rogue access point, but send NTLM hashes to the rogue access point as well.

The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.

    ./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal
    ./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Performing Indirect Wireless Pivots Using Hostile Portal Attacks

The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use a hostile portal attack to perform an SMB relay attack that places a timed reverse shell on an authorized wireless device. The attacker can then disengage the attack to allow the authorized device to reconnect to the targeted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as the attacker.

Performing Captive Portal Attacks

To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.

    ./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal

This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients is redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Additional Options

- --cert-wizard – Use this flag to create a new RADIUS cert for your AP.
- -h, --help – Display detailed help message and exit.
- -i, --interface – Specify the PHY interface on which to create your AP.
- -e ESSID, --essid ESSID – Specify access point ESSID.
- -b BSSID, --bssid BSSID – Specify access point BSSID.
- --hw-mode HW-MODE – Specify access point hardware mode (default: g).
- -c CHANNEL, --channel CHANNEL – Specify access point channel.
- --wpa {1,2} – Specify WPA type (default: 2).
- --auth {peap,ttls,open} – Specify auth type (default: open).
- --creds – Harvest EAP creds using an evil twin attack.
- --hostile-portal – Force clients to connect to hostile portal.
- --captive-portal – Force clients to connect to a captive portal.

Download EAPHammer

Link: http://feedproxy.google.com/~r/PentestTools/~3/-VeE6UeZ4vg/eaphammer-targeted-evil-twin-attacks.html