Infog – Information Gathering Tool

InfoG is a shell script to perform information gathering.

Features:
- Check website info
- Check phone info
- IP tracker
- Check valid e-mail
- Check if site is up/down
- Check internet speed
- Check personal info
- Find IP behind Cloudflare
- Find subdomains
- Port scan (multi-threaded)
- Check CMS
- Check DNS leaking

Usage:
    git clone https://github.com/thelinuxchoice/infog
    cd infog
    bash infog.sh

Install requirements (curl, netcat):
    apt-get install -y curl nc

Link: http://feedproxy.google.com/~r/PentestTools/~3/OyggVSU7sKU/infog-information-gathering-tool.html

ReconDog v2.0 – Reconnaissance Swiss Army Knife

Reconnaissance Swiss Army Knife.

Main features:
- Wizard + CLA interface
- Can extract targets from STDIN (piped input) and act upon them
- All the information is extracted with APIs; no direct contact is made with the target

Utilities:
- Censys: uses censys.io to gather a massive amount of information about an IP address
- NS Lookup: does a name server lookup
- Port Scan: scans the most common TCP ports
- Detect CMS: can detect 400+ content management systems
- Whois lookup: performs a whois lookup
- Detect honeypot: uses shodan.io to check if the target is a honeypot
- Find subdomains: uses findsubdomains.com to find subdomains
- Reverse IP lookup: does a reverse IP lookup to find domains associated with an IP address
- Detect technologies: uses wappalyzer.com to detect 1000+ technologies
- All: runs all utilities against the target

Compatibility
Recon Dog will run on anything that has a Python interpreter installed. However, it has been tested on the following configurations:
- Operating systems: Windows, Linux, Mac
- Python versions: Python 2.7, Python 3.6

Installation
Recon Dog requires no manual configuration and can simply be run as a normal Python script. However, a Debian package can be downloaded from here if you want to install it.

Usage

Wizard interface
The wizard interface is the most straightforward way to use Recon Dog. Just run the program, select what you want to do and enter the target; it's that simple.

CLA interface
Recon Dog also has a command line argument interface. Here's how you can find subdomains:
    python dog -t marvel.com -c 7

There's more to it! Do you have a program that can enumerate subdomains, and you want to scan the ports of all the subdomains it finds? Don't worry, Recon Dog is designed to handle such cases. You can simply do this:
    subdomainfinder -t example.com | python dog --domains -c 3

It doesn't matter what kind of output the other program generates: Recon Dog uses regular expressions to find targets, which makes it easy to integrate with literally every tool.

There are two switches available:
    --domains    extract domains from STDIN
    --ips        extract IP addresses from STDIN
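The STDIN target extraction described above, as an added example that is not Recon Dog's own code: the two regular expressions, the file-suffix deny list and the SAMPLE output are constructed here to show how domains and IPv4 addresses can be pulled out of arbitrary piped text, in order, without duplicates, and with malformed addresses rejected.

```python
"""Pull domains and IPv4 addresses out of arbitrary piped tool output.

Added example, not Recon Dog's own code: the regex-driven target extraction the
README describes (its --domains / --ips switches), with ordering preserved,
duplicates dropped and invalid addresses rejected. SAMPLE is constructed output.
"""
import ipaddress
import re
import sys
from typing import List

SAMPLE = """[+] found: api.example.com (203.0.113.10)
[+] found: www.example.com -> 203.0.113.10
[-] timeout: mail.example.com
bogus: 999.1.1.1 and version 1.2.3 and file.txt
[+] found: dev.example.co.uk 198.51.100.7
"""

# Dotted labels ending in an alphabetic TLD; IP addresses never match because
# their last group is numeric.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
# Four dotted octets not glued to further digits or dots (so 1.2.3.4.5 is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Heuristic: file names that look like domains (assumed list, extend as needed).
FILE_SUFFIXES = {"txt", "log", "py", "json", "yaml", "csv"}


def _dedupe(items):
    """Drop repeats while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_ips(text: str) -> List[str]:
    """IPv4 addresses in text; candidates with octets above 255 are rejected."""
    valid = []
    for candidate in IPV4_RE.findall(text):
        try:
            valid.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            continue
    return _dedupe(valid)


def extract_domains(text: str) -> List[str]:
    """Host names in text, lower-cased, minus obvious file names."""
    names = [m.lower() for m in DOMAIN_RE.findall(text)]
    names = [n for n in names if n.rsplit(".", 1)[-1] not in FILE_SUFFIXES]
    return _dedupe(names)


if __name__ == "__main__":
    # Mirrors `othertool | python dog --domains`: read stdin if piped, else use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    text = text or SAMPLE
    mode = sys.argv[1] if len(sys.argv) > 1 else "--domains"
    for target in (extract_ips(text) if mode == "--ips" else extract_domains(text)):
        print(target)
```

Feeding the extractor a raw listing rather than a parsed one is exactly why the validation steps matter: version strings such as 1.2.3 and ranges like 999.1.1.1 turn up constantly in tool output, and a scanner fed those would waste requests or error out.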

Link: http://feedproxy.google.com/~r/PentestTools/~3/n4hrJaCBqDo/recondog-v20-reconnaissance-swiss-army.html

Pentest-Machine – Automates Some Pentest Jobs Via Nmap Xml File

Automates some pentesting work via an nmap XML file. As soon as each command finishes it writes its output to the terminal and to the files in output-by-service/ and output-by-host/. Fast-returning commands are run first. Please send me protocols/commands/options that you would like to see included.

Commands run per protocol:
- HTTP: whatweb; WPScan (only if whatweb returns a WordPress result); EyeWitness with active login attempts; light dirb directory bruteforce
- DNS: nmap NSE dns-zone-transfer and dns-recursion
- MySQL: light patator bruteforce
- PostgreSQL: light patator bruteforce
- MSSQL: light patator bruteforce
- SMTP: nmap NSE smtp-enum-users and smtp-open-relay
- SNMP: light patator bruteforce; snmpcheck (if patator successfully finds a string)
- SMB: enum4linux -a; nmap NSE smb-enum-shares, smb-vuln-ms08-067, smb-vuln-ms17-010
- SIP: nmap NSE sip-enum-users and sip-methods; svmap
- RPC: showmount -e
- NTP: nmap NSE ntp-monlist
- FTP: light patator bruteforce
- Telnet: light patator bruteforce
- SSH: light patator bruteforce
- WordPress 4.7: XSS content uploading

To add:
- IPMI hash disclosure
- ike-scan (can't run ike-scans in parallel)

Installation
    ./setup.sh
    source pm/bin/activate

Usage

Read from an Nmap XML file:
    sudo ./pentest-machine -x nmapfile.xml

Perform an Nmap scan with a hostlist, then use those results. The Nmap scan will do the top 1000 TCP ports and the top 100 UDP ports along with service enumeration, and will save as pm-nmap.[xml/nmap/gnmap] in the current working directory:
    sudo ./pentest-machine -l hostlist.txt

Skip the patator bruteforcing and all SIP and HTTP commands. The -s parameter can skip both command names and protocol names:
    sudo ./pentest-machine -s patator,sip,http -x nmapfile.xml
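The core of what the tool does, reading an Nmap XML report, bucketing open ports by service and by host, and planning a command set per bucket with -s style skipping, as an added example that is not pentest-machine's own code. NMAP_XML is a constructed minimal report in the layout of real nmap -oX output; SERVICE_ALIASES and COMMANDS are assumed mappings, and the command strings are illustrative templates drawn from the tool list above rather than the project's exact invocations.

```python
"""Group an Nmap XML report by service and by host, then plan per-protocol commands.

Added example, not pentest-machine's own code. NMAP_XML is a constructed minimal
report using the element layout of real `nmap -oX` output; SERVICE_ALIASES and
COMMANDS are assumed mappings with illustrative command templates.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, List

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Nmap service names -> the protocol buckets commands are keyed on (assumed mapping).
SERVICE_ALIASES = {
    "http": "http", "http-proxy": "http", "http-alt": "http", "https": "http",
    "microsoft-ds": "smb", "netbios-ssn": "smb", "ssh": "ssh", "mysql": "mysql",
    "postgresql": "postgresql", "ms-sql-s": "mssql", "snmp": "snmp", "smtp": "smtp",
    "ftp": "ftp", "telnet": "telnet", "domain": "dns", "sip": "sip", "ntp": "ntp",
    "rpcbind": "rpc",
}

# Illustrative templates per bucket (placeholders, not the project's real command lines).
COMMANDS = {
    "http": ["whatweb http://{host}:{port}", "dirb http://{host}:{port}"],
    "smb": ["enum4linux -a {host}", "nmap -p {port} --script smb-enum-shares,smb-vuln-ms17-010 {host}"],
    "ssh": ["nmap -p {port} --script ssh2-enum-algos {host}"],
}


def parse_nmap(xml_text: str) -> List[dict]:
    """One record per open (or open|filtered) port on every host that is up."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or not state.get("state", "").startswith("open"):
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            records.append({"host": addr_el.get("addr"), "proto": port.get("protocol"),
                            "port": int(port.get("portid")), "service": SERVICE_ALIASES.get(name, name)})
    return records


def _suffix(r: dict) -> str:
    return "" if r["proto"] == "tcp" else "/" + r["proto"]


def by_service(records: Iterable[dict]) -> Dict[str, List[str]]:
    """service -> ['host:port', ...] (the output-by-service/ view)."""
    out = defaultdict(list)
    for r in records:
        out[r["service"]].append(f'{r["host"]}:{r["port"]}{_suffix(r)}')
    return dict(out)


def by_host(records: Iterable[dict]) -> Dict[str, List[str]]:
    """host -> ['service:port', ...] (the output-by-host/ view)."""
    out = defaultdict(list)
    for r in records:
        out[r["host"]].append(f'{r["service"]}:{r["port"]}{_suffix(r)}')
    return dict(out)


def plan_commands(records: Iterable[dict], skip: Iterable[str] = ()) -> List[str]:
    """Expand COMMANDS per endpoint; `skip` drops protocol buckets or command names, like -s."""
    skip = {s.lower() for s in skip}
    planned = []
    for r in records:
        if r["service"] in skip:
            continue
        for template in COMMANDS.get(r["service"], []):
            if template.split()[0] in skip:
                continue
            planned.append(template.format(host=r["host"], port=r["port"]))
    return planned


if __name__ == "__main__":
    recs = parse_nmap(NMAP_XML)
    print(by_service(recs))
    print(by_host(recs))
    for cmd in plan_commands(recs, skip=("dirb", "smb")):
        print(cmd)
```

Closed ports and down hosts never reach the command planner, and a UDP hit is labelled with its protocol so it is not confused with the same port number on TCP; both are the kinds of filtering you want before anything noisy runs against a host list.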

Link: http://feedproxy.google.com/~r/PentestTools/~3/vKRHSjniJOo/pentest-machine-automates-some-pentest.html

Sandsifter – The X86 Processor Fuzzer

The sandsifter audits x86 processors for hidden instructions and hardware bugs by systematically generating machine code to search through a processor's instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.

With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.

To run a basic audit against your processor:
    sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

The computer is systematically scanned for anomalous instructions. In the upper half, you can view the instructions that the sandsifter is currently testing on the processor. In the bottom half, the sandsifter reports anomalies it finds.

The search will take from a few hours to a few days, depending on the speed and complexity of your processor. When it is complete, summarize the results:
    ./summarize.py data/log

Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:
- Software bug (for example, a bug in your hypervisor or disassembler),
- Hardware bug (a bug in your CPU), or
- Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

Press 'Q' to quit and obtain a text-based summary of the system scan.

The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis. For help analyzing your results, feel free to send the ./data/log file to xoreaxeaxeax@gmail.com. No personal information, other than the processor make, model, and revision (from /proc/cpuinfo), is included in this log.

Results
Scanning with the sandsifter has uncovered undocumented processor features across dozens of opcode categories, flaws in enterprise hypervisors, bugs in nearly every major disassembly and emulation tool, and critical hardware bugs opening security vulnerabilities in the processor itself. Details of the results can be found in the project whitepaper. (TODO: detailed results enumeration here)

Building
Sandsifter requires first installing the Capstone disassembler: http://www.capstone-engine.org/. Capstone can typically be installed with:
    sudo apt-get install libcapstone3 libcapstone-dev
    sudo pip install capstone

Sandsifter can be built with:
    make

and is then run with:
    sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Flags
Flags are passed to the sifter with --flag, and to the injector with -- -f. Example:
    sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Sifter flags:
    --len      search for length differences in all instructions (instructions that executed differently than the disassembler expected, or did not exist when the disassembler expected them to)
    --dis      search for length differences in valid instructions (instructions that executed differently than the disassembler expected)
    --unk      search for unknown instructions (instructions that the disassembler doesn't know about but successfully execute)
    --ill      the inverse of --unk: search for invalid disassemblies (instructions that do not successfully execute but that the disassembler acknowledges)
    --tick     periodically write the current instruction to disk
    --save     save search progress on exit
    --resume   resume search from last saved state
    --sync     write search results to disk as they are found
    --low-mem  do not store results in memory

Injector flags:
    -b              mode: brute force
    -r              mode: randomized fuzzing
    -t              mode: tunneled fuzzing
    -d              mode: externally directed fuzzing
    -R              raw output mode
    -T              text output mode
    -x              write periodic progress to stderr
    -0              allow null dereference (requires sudo)
    -D              allow duplicate prefixes
    -N              no nx bit support
    -s seed         in random search, seed value
    -B brute_depth  in brute search, maximum search depth
    -P max_prefix   maximum number of prefixes to search
    -i instruction  instruction at which to start search (inclusive)
    -e instruction  instruction at which to end search (exclusive)
    -c core         core on which to perform search
    -X blacklist    blacklist the specified instruction
    -j jobs         number of simultaneous jobs to run
    -l range_bytes  number of base instruction bytes in each sub range

Keys:
    m (Mode): change the search mode (brute force, random, or tunnel) for the sifter
    q (Quit): exit the sifter
    p (Pause): pause or unpause the search

Algorithms
The scanning supports four different search algorithms, which can be set at the command line, or cycled via hotkeys.
- Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.
- Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.
- Driven or mutation-driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.
- Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.

Tips

sudo
For best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis.

Prefixes
The primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag.

Colors
The interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with:
    export TERM='xterm-256color'

GUI
The interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size. This can often be accomplished by decreasing the terminal font size.

In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly:
    sudo ./injector -P1 -t -0

To filter the results of a direct injector invocation, grep can be used. For example,
    sudo ./injector -P1 -r -0 | grep '\.r' | grep -v sigill
searches for instructions for which the processor and disassembler disagreed on the instruction length (grep '\.r'), but the instruction successfully executed (grep -v sigill).

Targeted fuzzing
In many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated 'lock' prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags:
    sudo ./sifter.py --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15

Legacy systems
For scanning much older systems (i586 class processors, low memory systems), pass the --low-mem flag to the sifter and the -N flag to the injector:
    sudo ./sifter.py --unk --dis --len --sync --tick --low-mem -- -P1 -t -N
If you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning.

32 vs. 64 bit
By default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.

To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/. Then sandsifter must be built for a 32 bit architecture:
    make CFLAGS=-m32
With this, the 32 bit instruction space can be explored on a 64 bit system.

References
A discussion of the techniques and results can be found in the Black Hat presentation. Technical details are described in the whitepaper. Slides from the Black Hat presentation are here.

Author
sandsifter is a research effort from Christopher Domas (@xoreaxeaxeax).

Link: http://feedproxy.google.com/~r/PentestTools/~3/-g6zbj5Gyk4/sandsifter-x86-processor-fuzzer.html

XenoScan – Open Source Memory Scanner Written In C++

XenoScan is a memory scanner which can be used to scan the memory of processes to locate the specific locations of important values. These types of tools are typically used when hacking video games, as they allow one to locate the values representing the game's state in memory.

XenoScan is written in C++ with a Lua frontend, and I've been working on advanced functionality that goes beyond anything that has been in any other memory scanner I've seen. Notably, it has a way to enumerate and return all complex data structures (such as std::list and std::map) in the target's memory space, and it can even scan for any class instances and group the discovered instances by their underlying types.

Communication
If you need to get in touch with me, want a place to chat, or have a question, my Discord is the best place.

Sub-projects

XenoLua
XenoLua is a wrapper around Lua that provides a ton of functionality. Most notably, it provides a LuaVariant class which wraps the functionality of converting between C/C++ and Lua types. Additionally, it has helper functions for working with Lua in the LuaPrimitive class.

XenoScanEngine
XenoScanEngine is the meat of the project. It contains the code for the scanning, data structure detection, and everything else.

XenoScanLua
XenoScanLua ties XenoScanEngine to XenoLua to provide a Lua-scriptable frontend for the scanner. Currently, this is the only entry point to the scanner. Additionally, this project contains some test code that ensures everything is working properly. A test is a combination of a .cpp, a .h, and a .lua file. For examples of how to use the scanner, you can check out the .lua test files.

Compiling
XenoScan uses CMake, and has been tested with Visual Studio 2017. In theory, you should be able to build the code with any modernish compiler, as long as you use CMake to generate the project files. Before you can compile, you will need to make sure you've checked out the submodules. Once that's done, you'll also have to build the luajit submodule so XenoScan can link against the libraries.

If you're using Visual Studio, this should be easy. Simply run buildmsvc2017.bat from a Developer Command Prompt for VS. As an example, to build a project for Visual Studio 2017, I run
    cd C:\path\to\XenoScan
    buildmsvc2017.bat
which makes a file named XenoScan.sln appear in my build directory (e.g. C:\path\to\XenoScan\build). The main development of XenoScan is done on this version of Visual Studio.

If you're on another system or using another compiler or IDE, you'll have to build luajit on your own and run CMake manually.

Platform
The code is designed to be platform-agnostic. Theoretically, to compile on any other platform, you would need to:
1. Create project/make files for your target IDE/compiler.
2. Remove the ScannerTargetWindows.cpp and ScannerTargetWindows.h files from the project.
3. Implement the ScannerTarget interface for your platform.
4. Add your implementation to the project.
5. ???? profit

Features
Basic scanning functionality supports the following types:
- Integral types*: int8_t, uint8_t, int16_t, uint16_t, int32_t, uint32_t, int64_t, uint64_t
- float
- double
- ascii strings
- wide strings
- Custom data structures (think C++ struct); these can consist of any combination of integral and decimal types

* The Lua frontend may choke on 64-bit integers, but the scanner library supports them.

Scanning supports the following types of matching:
- Equal to
- Greater than
- Greater than or equal to
- Less than
- Less than or equal to
- Ranges (min <= check <= max)

Additionally, there is functionality to detect all instances of the following types:
- std::map
- std::list
- Any class with a virtual-function table
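The basic scan-then-narrow workflow behind the matching modes listed above, as an added example written here in Python; it is not XenoScan's C++ engine. It decodes a raw memory snapshot as one of the integral or decimal types, keeps the offsets that satisfy a comparator (equal, greater, range, and so on), and then re-reads only those candidates from a later snapshot once the watched value has changed. The snapshot layout, the BASE address and the "health" field are constructed for the demonstration.

```python
"""First-scan-then-narrow memory search over a byte buffer.

Added example, not XenoScan's C++ engine: a Python sketch of the comparator
types the README lists (equal, greater, ..., range) applied to a raw memory
snapshot, followed by the narrowing pass a scanner uses once the watched value
has changed. The snapshots and BASE address are constructed.
"""
import struct
from typing import Callable, Dict

# Type name -> little-endian struct format for the integral/decimal types.
TYPE_FORMATS = {
    "int8": "<b", "uint8": "<B", "int16": "<h", "uint16": "<H",
    "int32": "<i", "uint32": "<I", "int64": "<q", "uint64": "<Q",
    "float": "<f", "double": "<d",
}


def make_matcher(op: str, *args) -> Callable[[object], bool]:
    """Build a predicate for one of the scanner's comparison modes."""
    ops = {
        "eq": lambda v: v == args[0],
        "gt": lambda v: v > args[0],
        "ge": lambda v: v >= args[0],
        "lt": lambda v: v < args[0],
        "le": lambda v: v <= args[0],
        "range": lambda v: args[0] <= v <= args[1],  # min <= check <= max
    }
    return ops[op]


def scan(memory: bytes, base: int, type_name: str, match: Callable,
         alignment: int = 1) -> Dict[int, object]:
    """Decode every aligned offset as type_name; return {address: value} for matches."""
    fmt = TYPE_FORMATS[type_name]
    size = struct.calcsize(fmt)
    hits: Dict[int, object] = {}
    for off in range(0, len(memory) - size + 1, alignment):
        (value,) = struct.unpack_from(fmt, memory, off)
        if match(value):
            hits[base + off] = value
    return hits


def narrow(memory: bytes, base: int, type_name: str, candidates: Dict[int, object],
           match: Callable) -> Dict[int, object]:
    """Re-read only the surviving candidates from a fresh snapshot; keep those that still match."""
    fmt = TYPE_FORMATS[type_name]
    kept: Dict[int, object] = {}
    for addr in candidates:
        (value,) = struct.unpack_from(fmt, memory, addr - base)
        if match(value):
            kept[addr] = value
    return kept


BASE = 0x400000  # constructed load address of the snapshot


def build_snapshot(health: int, score: int, filler: int) -> bytes:
    """Constructed 'game state': [filler u32][score u32][8 zero bytes][health u32][filler u32]."""
    return struct.pack("<IIQII", filler, score, 0, health, filler)


def locate_health() -> Dict[int, int]:
    """Find the health field: several cells hold 100 at first, but only one drops to 75."""
    snap1 = build_snapshot(health=100, score=100, filler=100)
    candidates = scan(snap1, BASE, "int32", make_matcher("range", 1, 100), alignment=4)
    snap2 = build_snapshot(health=75, score=100, filler=100)  # player took damage
    return narrow(snap2, BASE, "int32", candidates, make_matcher("eq", 75))


if __name__ == "__main__":
    print({hex(addr): val for addr, val in locate_health().items()})
```

The alignment parameter is the knob that trades speed for coverage: scanning 4-byte integers at every byte offset finds values the compiler did not align (and also produces many more false candidates), while alignment=4 matches how most compilers lay out struct fields.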

Link: http://feedproxy.google.com/~r/PentestTools/~3/pUE-sfnz92k/xenoscan-open-source-memory-scanner.html

BYOB – Build Your Own Botnet

BYOB (Build Your Own Botnet)

Disclaimer: This project should be used for authorized testing or educational purposes only.

BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.

It is designed to allow developers to easily implement their own code and add cool new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control server) from scratch. The RAT's key feature is that arbitrary code/files can be remotely loaded into memory from the C2 and executed on the target machine without writing anything to the disk.

Server
    usage: server.py [-h] [-v] [--host HOST] [--port PORT] [--database DATABASE]
Command & control server with persistent database and console.
- Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines
- Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance
- Client-Server Architecture: all Python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines

Client
    usage: client.py [-h] [-v] [--name NAME] [--icon ICON] [--pastebin API] [--encrypt] [--obfuscate] [--compress] [--compile] host port [module [module ...]]
Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules.
- Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them
- Nothing Written To The Disk: clients never write anything to the disk, not even temporary files (zero IO system calls are made), because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process
- Zero Dependencies (Not Even Python Itself): the client runs with just the Python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone Python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host
- Add New Features With Just 1 Click: any Python script, module, or package you copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
- Write Your Own Modules: a basic module template is provided in the ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process
- Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client's file size
- Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed
- Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into a portable executable (Windows) or bundled into a standalone application (macOS)
- Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections
- Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning
- Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
- Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected

Modules
Post-exploitation modules that are remotely importable by clients:
- Keylogger (byob.modules.keylogger): logs the user's keystrokes & the window name entered
- Screenshot (byob.modules.screenshot): take a screenshot of the current user's desktop
- Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
- Ransom (byob.modules.ransom): encrypt files & generate a random BTC wallet for ransom payment
- Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
- Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload the .pcap file
- Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
- Phone (byob.modules.phone): read/search/upload text messages from the client smartphone
- Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
- Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
- Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host

Core
Core framework modules used by the generator and the server:
- Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
- Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
- Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
- Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
- Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
- Generators (byob.core.generators): functions which all dynamically generate code for the client generator
- Database (byob.core.database): handles interaction between the command & control server and the SQLite database

Contact
Website: https://malwared.com
Email: security@malwared.com
Twitter: https://twitter.com/malwaredllc

Link: http://feedproxy.google.com/~r/PentestTools/~3/8QSu_u2pj0Y/byob-build-your-own-botnet.html

Burpcommander – Ruby Command-Line Interface To Burp Suite’s REST API

Ruby command-line interface to Burp Suite's REST API.

Usage
    burpcommander VERSION: 1.0.1 - UPDATED: 08/29/2018
        -t, --target [IP Address]        Defaults to 127.0.0.1
        -p, --port [Port Number]         Defaults to 1337
        -k, --key [API Key]              If you require an API key specify it here
        -i, --issue-type-id [String]     String to search for. Example: "1048832"
        -n, --issue-name [String]        String to search for. Example: "Command Injection"
        -D, --DESCRIPTION                Returns the description of a requested issue
        -M, --METRICS                    Returns the scan_metrics for a given task_id
        -I, --ISSUES [Optional Number]   Returns the issue_events of a given task_id
        -s, --scan [Complete URL]        Example: https://scantarget.com
        -S, --scan-id [Number]           Returns ScanProgress for a given task_id
        -U, --username [String]          Username to supply for an authenticated scan
        -P, --password [String]          Password to supply for an authenticated scan
        -v, --verbose                    Enables verbose output

Generic example
    ./burpcommander.rb -k [API Key] -n "command injection" -D

Command output:
    Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.

    OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.

Launch a scan
    ./burpcommander.rb -s www.youcanattackme.com -U admin -P password
    I, [2018-08-29T15:27:09.310594 #18919]  INFO -- : Successfuly initiated task_id: 4 against www.youcanattackme.com

Query scan information

Get the scan_metrics of a given scan:
    ./burpcommander.rb -S 4 -M
    {"crawl_requests_made"=>2264, "crawl_requests_queued"=>0, "audit_queue_items_completed"=>0, "audit_queue_items_waiting"=>51, "audit_requests_made"=>247, "audit_network_errors"=>10, "issue_events"=>21}

Get issue number 1 from a given scan:
    ./burpcommander.rb -S 4 -I 1
    {"name"=>"File upload functionality", "type_index"=>5245312, "serial_number"=>"6437447914508597248", "origin"=>"http://www.youcanattackme.com", "path"=>"/vulnerabilities/upload/", "severity"=>"info", "confidence"=>"certain", "description"=>"The page contains a form which is used to submit a user-supplied…

Link: http://feedproxy.google.com/~r/PentestTools/~3/UlhPVkItqpM/burpcommander-ruby-command-line.html

Ettercap – A Comprehensive Suite For Man In The Middle Attacks

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. Ettercap offers three interfaces: traditional command line, GUI and ncurses.

Supported distributions
These distributions have been tested in both 32 and 64 bit flavors where possible:
- Debian/Ubuntu (includes derivatives such as Kali, BackTrack, Mint, etc.)
- Fedora
- Gentoo
- Pentoo
- Mac OSX (Snow Leopard & Lion)
- FreeBSD
- OpenBSD
- NetBSD

Unsupported distributions
Installation may work on the following distributions, but they are not supported. Additional settings may be required for compilation and/or use:
- OpenSuSe
- Solaris
- Windows Vista
- Windows 7
- Windows 8

Dependencies
Ettercap source compilation requires the following dependencies:
- Libpcap & dev libraries
- Libnet1 & dev libraries
- Libpthread & dev libraries
- Zlibc
- Libtool
- CMake 2.6
- Flex
- Bison

SSL dissection required dependencies:
- LibSSL & dev libraries

GTK related dependencies:
- LibGTK & dev libraries

NCurses related dependencies:
- Libncurses & dev libraries

Filter related regex dependencies:
- Libpcre & dev libraries

When building from source, dependencies should be found in the supported distribution repositories. Try these first before acquiring from external dependency source pages. All supported builds have been tested with dependencies installed from the distribution repository. If you are running on Debian, or any Debian based distro, you can install the required dependencies by running:
    sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev \
        libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript

For running ettercap you might need to install ethtool, needed for disabling interface offloads.

Link: http://feedproxy.google.com/~r/PentestTools/~3/KoCLGU7Y66o/ettercap-comprehensive-suite-for-man-in.html

htrace.sh – Simple Shell Script To Debugging HTTP/HTTPS Traffic Tracing, Response Headers And Mixed-Content

htrace.sh is a shell script that allows you to validate your domain configuration and catch any errors (e.g. redirect loops). It also displays basic information about the SSL configuration (if available) and the response headers, checks for mixed content, and performs security scans using Nmap scripts and great external tools such as SSL Labs or Mozilla Observatory.

Functions
It is useful for:
- checking proper domain configuration (web servers/reverse proxies)
- redirect analysis, e.g. to eliminate redirect loops
- checking response headers for each request
- checking basic SSL configuration
- validation of the certificates (date, CN, SAN) and verification of the SSL connection
- scanning a domain for mixed content
- scanning a domain using the Nmap NSE library
- scanning a domain with external security tools: Mozilla Observatory and the SSL Labs API

Before using htrace.sh please see Requirements.

How to use
It's simple:
    # Clone this repository
    git clone https://github.com/trimstray/htrace.sh
    # Go into the repository
    cd htrace.sh
    # Install
    ./setup.sh install
    # Run the app
    htrace.sh --domain https://google.com

A symlink to bin/htrace.sh is placed in /usr/local/bin, and the man page is placed in /usr/local/man/man8.

External tools
htrace.sh supports external tools for security scans:
- Mozilla Observatory: CLI version of observatory.mozilla.org, with params: --format=report --rescan --zero --quiet
- Ssllabs: command-line reference-implementation client for the SSL Labs API, with params: -quiet -grade
- mixed-content-scan: CLI tool to check an HTTPS-enabled website for mixed content, with params: -user-agent \"$_user_agent\" --no-check-certificate
- Nmap NSE library: provides automated security scans with Nmap, with scripts: http-auth-finder, http-chrono, http-cookie-flags, http-cors, http-cross-domain-policy, http-csrf, http-dombased-xss, http-git, http-grep, http-internal-ip-disclosure, http-jsonp-detection, http-malware-host, http-methods, http-passwd, http-phpself-xss, http-php-version, http-robots.txt, http-sitemap-generator, http-shellshock, http-stored-xss, http-unsafe-output-escaping, http-useragent-tester, http-vhosts, http-xssed, ssl-enum-ciphers, whois-ip

If you don't know how to install these tools and where they should be placed, please see the Dockerfile, where every step is described exactly.

When scanning for mixed content and with the Nmap scripting engine, remember that it may take a long time before the entire site is checked.

Reports
If you want to generate a report in HTML format, use the ansi2html.sh tool. A detailed description of use:
    htrace.sh -d https://nmap.org -s -h | ansi2html --bg=dark > report.html

Docker
The configuration is contained in build/Dockerfile.

Build image:
    cd htrace.sh/build
    docker build --rm -t htrace.sh -f Dockerfile .

Run container:
    docker run --rm -it --name htrace.sh htrace.sh -d http://nmap.org -h

Requirements
This tool works with:
- GNU/Linux (tested on Debian and CentOS)
- Bash (tested on 4.4.19)
- Curl with specific variables support (≥ 7.52.0)
- OpenSSL
- Mozilla Observatory
- Ssllabs
- mixed-content-scan
- Nmap

Parameters
Provides the following options:
    htrace.sh v1.0.6

    Usage:
      htrace.sh

    Examples:
      htrace.sh --domain https://example.com
      htrace.sh --domain https://example.com -s -h --scan ssllabs

    Options:
         --help                             show this message
      -d|--domain <domain_name>             set domain name
      -s|--ssl                              show ssl server/connection params
      -h|--headers                          show response headers
         --scan <all|observatory|ssllabs>   scan domain with external security tools
         --mixed-content                    scan website for mixed content
         --nse                              scan website with nmap nse library
         --user-agent <val>                 set 'User-Agent' header
         --max-redirects <num>              set max redirects (default: 10)
         --timeout <num>                    set max timeout (default: 15)
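Two of the checks htrace.sh performs, redirect-chain tracing with loop and --max-redirects style limits, and a mixed-content scan of the final page, as an added example that is not htrace.sh's own code. SITE is a constructed in-memory map of URL to (status, headers, body) that stands in for live HTTP responses so the logic runs offline; replacing fetch() with a real HTTP client is the only change needed to run it against a host.

```python
"""Redirect-chain tracing with loop detection, plus a mixed-content check.

Added example, not htrace.sh's own code. SITE is a constructed in-memory map of
URL -> (status, headers, body) standing in for real HTTP responses, so the
analysis runs offline; swap fetch() for a real HTTP client to use it live.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Dict[str, str], str]

SITE: Dict[str, Response] = {
    # http -> https upgrade, then www canonicalisation, then the final page
    "http://example.test/": (301, {"Location": "https://example.test/"}, ""),
    "https://example.test/": (302, {"Location": "https://www.example.test/"}, ""),
    "https://www.example.test/": (
        200,
        {"Strict-Transport-Security": "max-age=31536000"},
        '<html><script src="http://cdn.example.test/app.js"></script>'
        '<img src="//cdn.example.test/logo.png">'
        '<a href="http://example.test/x">x</a></html>',
    ),
    # a two-node redirect loop using relative Location headers
    "https://loop.test/a": (302, {"Location": "/b"}, ""),
    "https://loop.test/b": (302, {"Location": "/a"}, ""),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch(url: str) -> Response:
    """Stand-in for an HTTP request against the constructed site."""
    return SITE.get(url, (404, {}, ""))


def trace(url: str, max_redirects: int = 10) -> dict:
    """Follow Location headers hop by hop; stop on a loop, the hop limit, or a non-redirect."""
    chain: List[Tuple[str, int]] = []
    seen = set()
    current = url
    while True:
        status, headers, body = fetch(current)
        chain.append((current, status))
        if status not in REDIRECT_CODES or "Location" not in headers:
            return {"chain": chain, "final": current, "status": status,
                    "headers": headers, "body": body, "error": None}
        seen.add(current)
        nxt = urljoin(current, headers["Location"])  # Location may be relative
        if nxt in seen:
            return {"chain": chain, "final": current, "status": status,
                    "headers": headers, "body": "", "error": "redirect loop"}
        if len(chain) >= max_redirects:
            return {"chain": chain, "final": current, "status": status,
                    "headers": headers, "body": "", "error": "too many redirects"}
        current = nxt


# Sub-resource tags whose http:// src/href on an https:// page is mixed content.
MIXED_RE = re.compile(
    r'<(?:script|img|link|iframe|source|audio|video|object|embed)\b[^>]*?'
    r'\s(?:src|href)\s*=\s*["\']?(http://[^"\'\s>]+)',
    re.I,
)


def mixed_content(page_url: str, body: str) -> List[str]:
    """http:// sub-resources embedded in an https:// page (plain links are not mixed content)."""
    if urlparse(page_url).scheme != "https":
        return []
    return MIXED_RE.findall(body)


def analyse(url: str) -> dict:
    """Combine both checks into one summary, in the spirit of htrace.sh's report."""
    result = trace(url)
    return {
        "hops": len(result["chain"]) - 1,
        "final": result["final"],
        "error": result["error"],
        "hsts": "Strict-Transport-Security" in result["headers"],
        "mixed": mixed_content(result["final"], result["body"]),
    }


if __name__ == "__main__":
    for start in ("http://example.test/", "https://loop.test/a"):
        print(start, "->", analyse(start))
```

Tracking already-visited URLs catches a loop after one extra request instead of burning the whole redirect budget, and resolving Location against the current URL is what makes relative redirects (common behind reverse proxies) traceable at all.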

Link: http://feedproxy.google.com/~r/PentestTools/~3/E7ntCMA1l7c/htracesh-simple-shell-script-to.html

Vulners Scanner – Vulnerability Scanner Based On Vulners.Com Audit API

PoC of a host-based vulnerability scanner which uses the vulners.com API. It detects the operating system, collects the installed packages and checks them for vulnerabilities.

Supported OS
Currently supports collecting packages for these operating systems:
- Debian-based (debian, kali, ubuntu)
- RHEL-based (redhat, centos, fedora)

Python version
The Lazy and Advanced versions were tested on python2.6, python2.7 and python3.5. If you find any bugs, don't hesitate to open an issue.

Docker support
Experimental support for detecting vulnerabilities in running Docker containers (only the advanced script). It needs to be activated by changing checkDocker=False to checkDocker=True in linuxScanner.py.

How to use

Lazy scanner
The simplest script to show vulners.com API capabilities. Just run the script and it will return all found vulnerabilities:
    # git clone https://github.com/videns/vulners-scanner
    # cd vulners-scanner
    # ./lazyScanner.py
    OS Name - debian, OS Version - 8
    Total provided packages: 315
    {
      "data": {
        "vulnerabilities": ["DSA-3644", "DSA-3626"],
        "packages": {
          "openssh-client 1:6.7p1-5+deb8u2 amd64": {
            "DSA-3626": [
              {
                "bulletinVersion": "1:6.7p1-5+deb8u3",
                "providedVersion": "1:6.7p1-5+deb8u2",
                "bulletinPackage": "openssh-client_1:6.7p1-5+deb8u3_all.deb",
                "result": true,
                "operator": "lt",
                "OSVersion": "8",
                "providedPackage": "openssh-client 1:6.7p1-5+deb8u2 amd64"
              }
            ]
          },
          "fontconfig-config 2.11.0-6.3 all": {
            "DSA-3644": [
              {
                "bulletinVersion": "2.11.0-6.3+deb8u1",
                "providedVersion": "2.11.0-6.3",
                "bulletinPackage": "fontconfig-config_2.11.0-6.3+deb8u1_all.deb",
                "result": true,
                "operator": "lt",
                "OSVersion": "8",
                "providedPackage": "fontconfig-config 2.11.0-6.3 all"
              }
            ]
          },
          "libfontconfig1 2.11.0-6.3 amd64": {
            "DSA-3644": [
              {
                "bulletinVersion": "2.11.0-6.3+deb8u1",
                "providedVersion": "2.11.0-6.3",
                "bulletinPackage": "libfontconfig1_2.11.0-6.3+deb8u1_all.deb",
                "result": true,
                "operator": "lt",
                "OSVersion": "8",
                "providedPackage": "libfontconfig1 2.11.0-6.3 amd64"
              }
            ]
          }
        }
      },
      "result": "OK"
    }
    Vulnerabilities:
    DSA-3644
    DSA-3626

Advanced scanner
Detects the OS in several ways. Supports scanning running Docker containers (needs to be activated manually in the file):
    # git clone https://github.com/videns/vulners-scanner
    # cd vulners-scanner
    # ./linuxScanner.py
    ==========================================
    Host info - Host machine
    OS Name - Darwin, OS Version - 15.6.0
    Total found packages: 0
    ==========================================
    Host info - docker container "java:8-jre"
    OS Name - debian, OS Version - 8
    Total found packages: 166
    Vulnerable packages:
        libgcrypt20 1.6.3-2+deb8u1 amd64
            DSA-3650 - 'libgcrypt20 -- security update', cvss.score - 0.0
        libexpat1 2.1.0-6+deb8u2 amd64
            DSA-3597 - 'expat -- security update', cvss.score - 7.8
        perl-base 5.20.2-3+deb8u4 amd64
            DSA-3628 - 'perl -- security update', cvss.score - 0.0
        gnupg 1.4.18-7+deb8u1 amd64
            DSA-3649 - 'gnupg -- security update', cvss.score - 0.0
        gpgv 1.4.18-7+deb8u1 amd64
            DSA-3649 - 'gnupg -- security update', cvss.score - 0.0
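Every match in the output above boils down to one comparison, providedVersion "lt" bulletinVersion, and getting that right for Debian version strings (epochs, "+deb8u2" revisions, "~" pre-release markers) is where naive string or float comparison goes wrong. The added example below, which is not vulners-scanner's code, implements the dpkg version ordering and re-checks bulletin matches in the JSON shape the lazy scanner prints; REPORT is a constructed excerpt built from two of the entries above plus a patched openssh-client that must not be flagged.

```python
"""Re-check vulners-style bulletin matches with a dpkg-compatible version compare.

Added example, not vulners-scanner's code. compare_versions() implements the
Debian version ordering (epoch, upstream, revision, '~' sorting first) and
REPORT is a constructed excerpt shaped like the lazyScanner.py output above.
"""
import re
from typing import Dict, List, Tuple


def _split(version: str) -> Tuple[int, str, str]:
    """'1:6.7p1-5+deb8u2' -> (1, '6.7p1', '5+deb8u2'); epoch and revision default to 0."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return epoch, upstream, revision


def _order(c: str) -> int:
    """dpkg character ranking: '~' before end-of-string, then letters, then everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare alternating non-digit / digit runs the way dpkg's verrevcmp does."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            ca = sa[i] if i < len(sa) else ""
            cb = sb[i] if i < len(sb) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


# A bulletin match means: providedVersion <operator> bulletinVersion holds.
OPERATORS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def is_vulnerable(match: Dict) -> bool:
    """Re-evaluate one bulletin match from the installed and fixed version strings."""
    cmp = compare_versions(match["providedVersion"], match["bulletinVersion"])
    return OPERATORS[match["operator"]](cmp)


def vulnerable_packages(report: Dict) -> List[str]:
    """List 'package -> bulletin' pairs whose version check still holds."""
    out = []
    for pkg, bulletins in report["data"]["packages"].items():
        for bulletin_id, matches in bulletins.items():
            if any(is_vulnerable(m) for m in matches):
                out.append(f"{pkg} -> {bulletin_id}")
    return sorted(out)


# Constructed excerpt: two entries from the sample output plus a patched openssh-client.
REPORT = {
    "data": {
        "packages": {
            "openssh-client 1:6.7p1-5+deb8u2 amd64": {"DSA-3626": [
                {"bulletinVersion": "1:6.7p1-5+deb8u3", "providedVersion": "1:6.7p1-5+deb8u2", "operator": "lt"}]},
            "fontconfig-config 2.11.0-6.3 all": {"DSA-3644": [
                {"bulletinVersion": "2.11.0-6.3+deb8u1", "providedVersion": "2.11.0-6.3", "operator": "lt"}]},
            "openssh-client 1:6.7p1-5+deb8u3 amd64": {"DSA-3626": [
                {"bulletinVersion": "1:6.7p1-5+deb8u3", "providedVersion": "1:6.7p1-5+deb8u3", "operator": "lt"}]},
        }
    },
    "result": "OK",
}

if __name__ == "__main__":
    for line in vulnerable_packages(REPORT):
        print(line)
```

Re-running the comparison locally is a cheap sanity check on any API-driven scanner: if the verdict for a package changes when you apply the published ordering rules yourself, either the bulletin data or the version parsing deserves a closer look before the finding goes into a report.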

Link: http://feedproxy.google.com/~r/PentestTools/~3/DZ5DGY0AIrc/vulners-scanner-vulnerability-scanner.html