Airflowscan – Checklist And Tools For Increasing Security Of Apache Airflow

Checklist and tools for increasing security of Apache Airflow.

DISCLAIMER

This project is NOT AFFILIATED with the Apache Foundation and the Airflow project, and is not endorsed by them.

Contents

The purpose of this project is to provide tools to increase the security of Apache Airflow installations. This project provides the following tools:

- Configuration file with hardened settings – see hardened_airflow.cfg.
- Security checklist for hardening default installations – see CHECKLIST.MD.
- Static analysis tool to check Airflow configuration files for insecure settings.
- JSON schema document used for validation by the static analysis tool – see airflow_cfg.schema

Information for the Static Analysis Tool (airflowscan)

The static analysis tool can check an Airflow configuration file for settings related to security. The tool converts the config file to JSON, and then uses a JSON Schema to do the validation.

Requirements

Python 3 is required and you can find all required modules in the requirements.txt file. Only tested on Python 3.7 but should work on other 3.x releases. No plans to support 2.x at this time.

Installation

You can install this via PIP as follows:

    pip install airflowscan
    airflowscan

To download and run manually, do the following:

    git clone https://github.com/nightwatchcybersecurity/airflowscan.git
    cd airflowscan
    pip install -r requirements.txt
    python -m airflowscan.cli

How to use

To scan a configuration file, run the following command:

    airflowscan scan some_airflow.cfg

Reporting bugs and feature requests

Please use the GitHub issue tracker to report issues or suggest features: https://github.com/nightwatchcybersecurity/airflowscan

You can also send email to research /at/ nightwatchcybersecurity [dot] com

Download Airflowscan
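The README describes the static analysis approach as "convert the config file to JSON, then validate it with a JSON Schema". The following is an added example of that approach, written for this page and not taken from the airflowscan project: it parses an Airflow-style INI file with configparser, round-trips it through JSON, and validates it with a small inline validator that understands the `const` and `enum` keywords of JSON Schema. The settings checked (load_examples, expose_config, rbac, authenticate, auth_backend) are Airflow 1.10 options I know exist, but the rules themselves are my assumptions; the project's real rules live in its airflow_cfg.schema and CHECKLIST.MD, which this page does not reproduce. Both sample configs are constructed.

```python
"""Added example (not airflowscan's code): INI -> JSON -> schema validation.

The schema rules are assumptions modelled on Airflow 1.10 settings; the
project's own rules are in airflow_cfg.schema, which is not shown here.
A minimal validator is inlined so the example runs without the jsonschema
package."""
import configparser
import json

# Constructed sample: a default-style airflow.cfg with insecure settings.
INSECURE_CFG = """
[core]
load_examples = True

[webserver]
expose_config = True
rbac = False
authenticate = False

[api]
auth_backend = airflow.api.auth.backend.default
"""

# Constructed sample: the same keys hardened.
HARDENED_CFG = """
[core]
load_examples = False

[webserver]
expose_config = False
rbac = True
authenticate = True

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

# Assumed schema in JSON-Schema shape: section -> key -> constraint.
# Only "properties", "const" and "enum" are honoured by validate() below.
SCHEMA = {
    "properties": {
        "core": {"properties": {"load_examples": {"const": "False"}}},
        "webserver": {"properties": {
            "expose_config": {"const": "False"},
            "rbac": {"const": "True"},
            "authenticate": {"const": "True"},
        }},
        "api": {"properties": {
            "auth_backend": {"enum": ["airflow.api.auth.backend.deny_all"]},
        }},
    }
}


def cfg_to_dict(text):
    """Parse INI text into {section: {key: value}}; values stay strings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def validate(doc, schema, path=""):
    """Return 'section.key: message' findings; an empty list means clean."""
    findings = []
    if "const" in schema and doc != schema["const"]:
        findings.append(f"{path}: is {doc!r}, expected {schema['const']!r}")
    if "enum" in schema and doc not in schema["enum"]:
        findings.append(f"{path}: is {doc!r}, expected one of {schema['enum']}")
    for name, sub in schema.get("properties", {}).items():
        child = f"{path}.{name}" if path else name
        if not isinstance(doc, dict) or name not in doc:
            # Absent key means Airflow's built-in default applies; flag it for review.
            findings.append(f"{child}: missing (default applies, review it)")
            continue
        findings.extend(validate(doc[name], sub, child))
    return findings


def scan(text):
    """Convert the config to JSON, then validate it; returns the findings list."""
    as_json = json.dumps(cfg_to_dict(text))  # round-trip through JSON as the tool does
    return validate(json.loads(as_json), SCHEMA)


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CFG), ("hardened", HARDENED_CFG)):
        print(label, scan(cfg) or ["no findings"])
```

Keeping the rules as data rather than code is the point of the design: a reviewer can diff the schema against the checklist, and the same validator serves any INI-style service config.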

Link: http://feedproxy.google.com/~r/PentestTools/~3/9rsGerchFug/airflowscan-checklist-and-tools-for.html

WAES – Auto Enums Websites And Dumps Files As Result

Doing HTB or other CTF enumeration against targets with HTTP(S) can become trivial. It can get tiresome to always run the same scripts/tests on every box, e.g. nmap, nikto, dirb and so on. A one-click run against a target with automatic reports solves the issue. Furthermore, with a script the enum process can be optimized while saving time for the hacker. This is what CPH:SEC WAES or Web Auto Enum & Scanner is created for. WAES runs 4 steps of scanning against the target (see more below) to optimize the time spent scanning. While multi-core or multi-threaded scanning could be implemented, it will almost surely get boxes to hang and so is undesirable.

From the current version forward WAES will include an install script (see below) as the project moves from alpha to beta phase.

WAES could have been developed in Python, but good bash projects are needed to learn bash.

WAES is currently made for CTF boxes but is moving towards online uses (see the to-do section).

To install:

    1. $> git clone https://github.com/Shiva108/WAES.git
    2. $> cd WAES
    3. $> sudo ./install.sh

Make sure directories are set correctly in supergobuster.sh. Should be automatic with Kali & Parrot Linux.

Standard directories for lists: SecLists/Discovery/Web-Content & SecLists/Discovery/Web-Content/CMS
Kali / Parrot directory list: /usr/share/wordlists/dirbuster/

To run WAES

Web Auto Enum & Scanner – Auto enums website(s) and dumps files as result.

    ##############################################################################
    # Web Auto Enum & Scanner
    # Auto enums website(s) and dumps files as result
    ##############################################################################
    Usage: waes.sh -u {IP}
           waes.sh -h
    -h      shows this help
    -u      IP to test eg. 10.10.10.123
    -p      port number (default=80)

    Example: ./waes.sh -u 10.10.10.130 -p 8080

Enumeration Process / Method

WAES runs ..

Step 0 – Passive scan – (disabled in the current version)
- whatweb – aggressive mode
- OSIRA (same author) – looks for subdomains

Step 1 – Fast scan
- wafw00f – firewall detection
- nmap with http-enum

Step 2 – Scan – in-depth
- nmap – with NSE scripts: http-date, http-title, http-server-header, http-headers, http-enum, http-devframework, http-dombased-xss, http-stored-xss, http-xssed, http-cookie-flags, http-errors, http-grep, http-traceroute
- nmap with vulscan (CVSS 5.0+)
- nikto – with evasion A and all CGI dirs
- uniscan – all tests except stress test (qweds)

Step 3 – Fuzzing
- super gobuster
  - gobuster with multiple lists
  - dirb with multiple lists
- xss scan (to come)

.. against the target while dumping result files in the report/ folder.

To Do
- Implement domain as input
- Add XSS scan
- Add SSL/TLS scanning
- Add domain scans
- Add golismero
- Add dirble
- Add progressbar
- Add CMS detection
- Add CMS specific scans

Download WAES

Link: http://feedproxy.google.com/~r/PentestTools/~3/lznYl-dDkGU/waes-auto-enums-websites-and-dumps.html

Theo – Ethereum Recon And Exploitation Tool

Theo aims to be an exploitation framework and a blockchain recon and interaction tool.

Features:
- Automatic smart contract scanning which generates a list of possible exploits.
- Sending transactions to exploit a smart contract.
- Transaction pool monitor.
- Web3 console
- Frontrunning and backrunning transactions.
- Waiting for a list of transactions and sending out others.
- Estimating gas for transactions means only successful transactions are sent.
- Disabling gas estimation will send transactions with a fixed gas quantity.

He knows Karl from work.

Theo's purpose is to fight script kiddies that try to be leet hackers. He can listen to them trying to exploit his honeypots and make them lose their funds, for his own gain.

"You didn't bring me along for my charming personality."

Install

Theo is available as a PyPI package:

    $ pip install theo
    $ theo --help
    usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
                [--account-pk ACCOUNT_PK] [--contract ADDRESS]
                [--skip-mythril SKIP_MYTHRIL] [--load-file LOAD_FILE] [--version]

    Monitor contracts for balance changes or tx pool.

    optional arguments:
      -h, --help            show this help message and exit
      --rpc-http RPC_HTTP   Connect to this HTTP RPC (default: http://127.0.0.1:8545)
      --account-pk ACCOUNT_PK
                            The account's private key (default: None)
      --contract ADDRESS    Contract to monitor (default: None)
      --skip-mythril SKIP_MYTHRIL
                            Don't try to find exploits with Mythril (default: False)
      --load-file LOAD_FILE
                            Load exploit from file (default: )
      --version             show program's version number and exit

    RPC connections:
      --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
      --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Install from sources

    $ git clone https://github.com/cleanunicorn/theo
    $ cd theo
    $ virtualenv ./venv
    $ . ./venv/bin/activate
    $ pip install -r requirements.txt
    $ pip install -e .
    $ theo --help

Requirements:
- Python 3.5 or higher.
- An Ethereum node with RPC available. Ganache works really well for testing or for validating exploits.

Demos

Find exploit and execute it

Scan a smart contract, find exploits, exploit it:
- Start Ganache as our local Ethereum node
- Deploy the vulnerable contract (happens in a different window)
- Scan for exploits
- Run exploit

Frontrun victim

Setup a honeypot, deploy honeypot, wait for attacker, frontrun:
- Start geth as our local Ethereum node
- Start mining
- Deploy the honeypot
- Start Theo and scan the mem pool for transactions
- Frontrun the attacker and steal his ether

Usage

Help screen

It's a good idea to check the help screen first.

    $ theo --help
    usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
                [--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril]
                [--load-file LOAD_FILE] [--version]

    Monitor contracts for balance changes or tx pool.

    optional arguments:
      -h, --help            show this help message and exit
      --rpc-http RPC_HTTP   Connect to this HTTP RPC (default: http://127.0.0.1:8545)
      --account-pk ACCOUNT_PK
                            The account's private key (default: None)
      --contract ADDRESS    Contract to interact with (default: None)
      --skip-mythril        Skip scanning the contract with Mythril (default: False)
      --load-file LOAD_FILE
                            Load exploit from file (default: )
      --version             show program's version number and exit

    RPC connections:
      --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
      --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Symbolic execution

A list of exploits is automatically identified using mythril.

Start a session by running:

    $ theo --contract= --account-pk=<your private key>
    Scanning for exploits in contract: 0xa586074fa4fe3e546a132a16238abe37951d41fe
    Connecting to HTTP: http://127.0.0.1:8545.
    Found exploits(s):
    [Exploit: (txs=[Transaction {Data: 0xcf7a8965, Value: 1000000000000000000}])]

    A few objects are available in the console:
    - `exploits` is an array of loaded exploits found by Mythril or read from a file
    - `w3` an initialized instance of web3py for the provided HTTP RPC endpoint

    Check the readme for more info:
    https://github.com/cleanunicorn/theo

    >>>

It will analyze the contract and will find a list of available exploits.

You can see the available exploits found. In this case one exploit was found. Each exploit is an Exploit object.

    >>> exploits[0]
    Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])

Running exploits

The exploit steps can be run by calling .execute() on the exploit object. The transactions will be signed and sent to the node you're connected to.

    >>> exploits[0].execute()
    2019-07-22 11:26:12,196 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': 1, 'gas': 30521, 'value': 1000000000000000000, 'data': '0xcf7a8965', 'nonce': 47}
    2019-07-22 11:26:12,200 - Waiting for 0x41b489c78f654cab0b0451fc573010ddb20ee6437cdbf5098b6b03ee1936c33c to be mined...
    2019-07-22 11:26:16,337 - Mined
    2019-07-22 11:26:16,341 - Initial balance: 1155999450759997797167 (1156.00 ether)
    2019-07-22 11:26:16,342 - Final balance: 1156999450759997768901 (1157.00 ether)

Frontrunning

You can start the frontrunning monitor to listen for other hackers trying to exploit the honeypot.

Use .frontrun() to start listening for the exploit and, when found, send a transaction with a higher gas price.

    >>> exploits[0].frontrun()
    2019-07-22 11:22:26,285 - Scanning the mem pool for transactions...
    2019-07-22 11:22:45,369 - Found tx: 0xf6041abe6e547cea93e80a451fdf53e6bdae67820244246fde44098f91ce1c20
    2019-07-22 11:22:45,375 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': '0x2', 'data': '0xcf7a8965', 'gas': 30522, 'value': 1000000000000000000, 'nonce': 45}
    2019-07-22 11:22:45,380 - Waiting for 0xa73316daf806e7eef83d09e467c32ce5faa239c6eda3a270a8ce7a7aae48fb7e to be mined...
    2019-07-22 11:22:56,852 - Mined

"Oh, my God! The quarterback is toast!"

This works very well for some specially crafted contracts or some other vulnerable contracts, as long as you make sure frontrunning is in your favor.

Load transactions from file

Instead of identifying the exploits with mythril, you can specify the list of exploits yourself.

Create a file that looks like this exploits.json:

    [
      [
        { "name": "claimOwnership()", "input": "0x4e71e0c8", "value": "0xde0b6b3a7640000" },
        { "name": "retrieve()", "input": "0x2e64cec1", "value": "0x0" }
      ],
      [
        { "name": "claimOwnership()", "input": "0x4e71e0c8", "value": "0xde0b6b3a7640000" }
      ]
    ]

This one defines 2 exploits: the first one has 2 transactions and the second one only has 1 transaction.

You can load it with:

    $ theo --load-file=./exploits.json

Troubleshooting

openssl/aes.h: No such file or directory

If you get this error, you need the libssl source libraries:

    scrypt-1.2.1/libcperciva/crypto/crypto_aes.c:6:10: fatal error: openssl/aes.h: No such file or directory
     #include <openssl/aes.h>
              ^~~~~~~~~~~~~~~
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

    ----------------------------------------
    Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-5rl4ep94/scrypt/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-mnbzx9qe-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-5rl4ep94/scrypt/

On Ubuntu you can install them with:

    $ sudo apt install libssl-dev

Download Theo

Link: http://feedproxy.google.com/~r/PentestTools/~3/MwZooLpZtBA/theo-ethereum-recon-and-exploitation.html

Slurp – S3 Bucket Enumerator

Blackbox/whitebox S3 bucket enumerator

Overview

Credit to all the vendor packages that made this tool possible.

This is a security tool; it's meant for pen-testers and security professionals to perform audits of s3 buckets.

Features
- Scan via domain(s); you can target a single domain or a list of domains
- Scan via keyword(s); you can target a single keyword or a list of keywords
- Scan via AWS credentials; you can target your own AWS account to see which buckets have been exposed
- Colorized output for visual grep
- Currently generates over 28,000 permutations per domain and keyword (thanks to @jakewarren and @random-robbie)
- Punycode support for internationalized domains
- Strong copyleft license (GPLv3)

Modes

There are two modes that this tool operates in: blackbox and whitebox mode. Whitebox mode (or internal) is significantly faster than blackbox (external) mode.

Blackbox (external)

In this mode, you are using the permutations list to conduct scans. It will return false positives and there is no way to link the buckets to an actual AWS account! Do not open issues asking how to do this.

Domain

Keywords

Whitebox (internal)

In this mode, you are using the AWS API with credentials on a specific account that you own to see what is open. This method pulls all S3 buckets and checks Policy/ACL permissions. Note that I will not provide support on how to use the AWS API. Your credentials should be in ~/.aws/credentials.

internal

Usage
- slurp domain <-t|--target> example.com will enumerate the S3 domains for a specific target.
- slurp keyword <-t|--target> linux,golang,python will enumerate S3 buckets based on those 3 key words.
- slurp internal performs an internal scan using the AWS API.

Installation

This project uses vgo; you can clone and go build or download from the Releases section. Please do not open issues on why you cannot build the project; this project builds like any other project would in Go, if you cannot build then I strongly suggest you read the go spec.

Also, the only binaries I'm including are linux/amd64; if you want mac/windows binaries, build it yourself.

Download Slurp
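The whitebox (internal) mode is described as pulling every bucket in your own account and checking its Policy/ACL permissions. The following added example, written for this page and not taken from slurp (which is a Go tool), shows the decision logic behind such an audit: given a bucket ACL in the shape S3's GetBucketAcl returns and a bucket policy document, it reports grants to the AllUsers/AuthenticatedUsers groups and Allow statements with a wildcard principal. Both input documents are constructed samples so the check runs offline; the boto3 calls that would fetch them (`get_bucket_acl`, `get_bucket_policy`) are noted in a comment and not executed.

```python
"""Added example (not slurp's code): is this bucket exposed by its ACL or policy?

Inputs are constructed samples in the shapes S3 returns for GetBucketAcl
(a Grants list) and GetBucketPolicy (an IAM policy JSON string)."""
import json

# Well-known group URIs used in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample: an ACL that grants READ (list objects) to everyone.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample: a policy allowing anonymous GetObject on every key.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def public_acl_grants(acl):
    """Return (permission, group) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grant["Permission"], grantee["URI"].rsplit("/", 1)[-1]))
    return found


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (a list of principals counts too)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose principal is a wildcard, with their actions."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]  # a single statement may be a dict
    found = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        found.append({
            "actions": actions if isinstance(actions, list) else [actions],
            # A Condition (e.g. aws:SourceIp) narrows the grant; still worth a look.
            "conditional": "Condition" in stmt,
        })
    return found


def bucket_exposure(acl, policy_json):
    """Combine both checks into one verdict dict for a bucket."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    return {
        "acl_public": bool(acl_hits),
        "policy_public": bool(policy_hits),
        "acl_grants": acl_hits,
        "policy_actions": [a for s in policy_hits for a in s["actions"]],
    }


# Live usage (not run here): acl = s3.get_bucket_acl(Bucket=name) and
# policy = s3.get_bucket_policy(Bucket=name)["Policy"]; the latter raises a
# NoSuchBucketPolicy client error when the bucket has no policy at all.
if __name__ == "__main__":
    print(json.dumps(bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

The ACL and policy are checked separately on purpose: a bucket with a clean ACL can still be public through its policy, and vice versa, so a whitebox audit has to look at both.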

Link: http://feedproxy.google.com/~r/PentestTools/~3/s1pFb3wEBBA/slurp-s3-bucket-enumerator.html

Orbit v2.0 – Blockchain Transactions Investigation Tool

Introduction

Orbit is designed to explore the network of a blockchain wallet by recursively crawling through transaction history. The data is rendered as a graph to reveal major sources, sinks and suspicious connections.

Note: Orbit only runs on Python 3.2 and above.

Usage

Let's start by crawling the transaction history of a wallet:

    python3 orbit.py -s 1AJbsFZ64EpEfS5UAjAfcUG8pH8Jn3rn1F

Crawling multiple wallets is no different.

    python3 orbit.py -s 1AJbsFZ64EpEfS5UAjAfcUG8pH8Jn3rn1F,1ETBbsHPvbydW7hGWXXKXZ3pxVh3VFoMaX

Orbit fetches the last 50 transactions from each wallet by default, but it can be tuned with the -l option.

    python3 orbit.py -s 1AJbsFZ64EpEfS5UAjAfcUG8pH8Jn3rn1F -l 100

Orbit's default crawling depth is 3, i.e. it fetches the history of the target wallet(s), crawls the newly found wallets and then crawls the wallets in the result again. The crawling depth can be increased or decreased with the -d option.

    python3 orbit.py -s 1AJbsFZ64EpEfS5UAjAfcUG8pH8Jn3rn1F -d 2

Wallets that have made just a couple of interactions with our target may not be important; Orbit can be told to crawl the top N wallets at each level by using the -t option.

    python3 orbit.py -s 1AJbsFZ64EpEfS5UAjAfcUG8pH8Jn3rn1F -t 20

If you want to use the collected data in some other way, you can save it to a JSON file by using the -o option as follows:

    python3 orbit.py -s 1AJbsFZ64EpEfS5UAjAfcUG8pH8Jn3rn1F -o output.json

This is your terminal dashboard.

Visualization

Once the scan is complete, the graph will automatically open in your default browser. If it doesn't open, open quark.html manually. Don't worry if your graph looks messy like the one below or worse.

Select the Make Clusters option to form clusters using a community detection algorithm. After that, you can use Color Clusters to give different colors to each community and then use the Spacify option to fix overlapping nodes & edges.

The thickness of edges depends on the frequency of transactions between two wallets, while the size of a node depends on both transaction frequency and the number of connections of the node.

As Orbit uses Quark to render the graph, more information about the various features and controls is available in Quark's README.

Download Orbit
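The usage section above defines the crawl by three knobs: transactions fetched per wallet (-l, default 50), crawl depth (-d, default 3) and top-N counterparties per level (-t). The following is an added example of that crawl as a depth-limited breadth-first walk, written for this page and not taken from Orbit: the ledger is a constructed in-memory stand-in for the block-explorer API Orbit queries, the wallet names are placeholders rather than real addresses, and `fetch_history` is the assumed name of the lookup. The returned edge counts are what a renderer would use for edge thickness, as the visualization section describes.

```python
"""Added example (not Orbit's code): depth-limited crawl of wallet histories.

LEDGER is a constructed stand-in for an explorer API; wallet names are
placeholders, not real addresses."""
from collections import Counter, deque

# Constructed ledger: wallet -> counterparties of its transactions, newest first.
LEDGER = {
    "seed": ["A", "B", "A", "C", "A", "B", "D"],
    "A": ["seed", "E", "seed", "E", "F"],
    "B": ["seed", "G"],
    "C": ["seed"],
    "D": ["seed", "H"],
    "E": ["A", "I"],
    "F": ["A"],
    "G": ["B"],
    "H": ["D"],
    "I": ["E"],
}


def fetch_history(wallet, limit):
    """Stand-in for the explorer call: the last `limit` transactions of a wallet (-l)."""
    return LEDGER.get(wallet, [])[:limit]


def crawl(seeds, limit=50, depth=3, top=None):
    """Return (edges, visited).

    edges maps (crawled_wallet, counterparty) -> number of transactions seen
    from the crawled wallet's history; visited is the set of wallets whose
    history was fetched.  Level 0 fetches the seeds, level 1 the wallets they
    touched, and so on for `depth` levels in total (-d).  With `top` set, only
    the `top` most frequent counterparties of each wallet are queued for the
    next level (-t)."""
    edges = Counter()
    visited = set()
    frontier = deque((s, 0) for s in seeds)
    while frontier:
        wallet, level = frontier.popleft()
        if wallet in visited or level >= depth:
            continue
        visited.add(wallet)
        counts = Counter(fetch_history(wallet, limit))
        for other, n in counts.items():
            edges[(wallet, other)] += n
        nxt = counts.most_common(top) if top else counts.most_common()
        for other, _ in nxt:
            if other not in visited:
                frontier.append((other, level + 1))
    return edges, visited


def top_counterparties(edges, wallet, n=3):
    """Rank a wallet's counterparties by transaction count (the 'major sources/sinks')."""
    ranked = Counter({b: c for (a, b), c in edges.items() if a == wallet})
    return ranked.most_common(n)


if __name__ == "__main__":
    edges, visited = crawl(["seed"], limit=50, depth=2, top=2)
    print("crawled:", sorted(visited))
    print("seed's top counterparties:", top_counterparties(edges, "seed"))
```

Counting an edge from the crawled wallet's side only avoids double counting when both ends of a transaction are eventually crawled; a renderer can sum the two directions if it wants undirected thickness.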

Link: http://feedproxy.google.com/~r/PentestTools/~3/wMLiz7Gx-5I/orbit-v20-blockchain-transactions.html

Detect It Easy – Program For Determining Types Of Files For Windows, Linux And MacOS

Detect It Easy, or abbreviated "DIE", is a program for determining types of files.

"DIE" is a cross-platform application; apart from the Windows version there are also versions available for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow the use of third-party signatures. Unfortunately, those signatures scan only bytes by a pre-set mask, and it is not possible to specify additional parameters. As a result, false triggering often occurs. More complicated algorithms are usually hard-coded in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without constant support.

Detect It Easy has a totally open architecture of signatures. You can easily add your own detection algorithms or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and anyone who understands the basics of programming will easily understand how it works. Possibly, someone may decide the scripts work very slowly. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of the Script Engine, this doesn't cause any special inconvenience. The possibilities of the open architecture compensate for these limitations.

DIE exists in three versions: the basic version ("DIE"), the Lite version ("DIEL") and the console version ("DIEC"). All three use the same signatures, which are located in the folder "db". If you open this folder, nested sub-folders will be found ("Binary", "PE" and others). The names of the sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures which lie in the corresponding folder.

Currently the program defines the following types:

    MSDOS   executable files MS-DOS
    PE      executable files Windows
    ELF     executable files Linux
    MACH    executable files Mac OS
    Text    text files
    Binary  all other files

You can download binaries for Windows, Linux and Mac here: http://ntinfo.biz/

Download Detect-It-Easy

Link: http://feedproxy.google.com/~r/PentestTools/~3/DTt4xwte7KE/detect-it-easy-program-for-determining.html

Vxscan – Comprehensive Scanning Tool

Python3 comprehensive scanning tool, mainly used for sensitive file detection (directory scanning and js leak interface), WAF/CDN identification, port scanning, fingerprint/service identification, operating system identification, weak password detection, POC scanning, SQL injection, bypassing CDN, and checking other sites hosted on the same server.

Update

2019.6.18
- Fixed the problem of fingerprint recognition erroring on iis websites; modified apps.json
- Removed some third-party libraries and scripts that are prone to errors
- If scanning completes in a flash, it is because the program first performs dns resolution and a ping check.
- The first time you use Vxscan, fake_useragent will load the ua list from https://fake-useragent.herokuapp.com/browsers/0.1.11, and a load timeout error may occur.

Requirements

Python version > 3.6
- requests
- tqdm
- pyfiglet
- fake-useragent
- beautifulsoup4
- geoip2
- tldextract
- python-nmap
- geoip2
- tldextract
- lxml
- pymongo
- virustotal_python

    apt install libpq-dev nmap
    wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz

After decompressing, put the GeoLite2-City.mmdb inside into vxscan/db/GeoLite2-City.mmdb

    wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz

After decompressing, put the GeoLite2-ASN.mmdb inside into vxscan/db/GeoLite2-ASN.mmdb

    pip3 install -r requirements.txt

Features
- Generate a dictionary list using the Cartesian product method; supports a custom dictionary list
- Random UserAgent, XFF, X-Real-IP
- Custom 404 page recognition: access random pages and then compare the similarity through difflib to identify custom 302 jumps
- When scanning the directory, first detect the http port and add multiple http ports of one host to the scan target.
- Filter invalid Content-Type, invalid status
- WAF/CDN detection
- Use sockets to send packets to detect common ports and send different payloads to detect port service fingerprints.
- Hosts that encounter full port open (portspoof) are automatically skipped
- Call wappalyzer.json and WebEye to determine the website fingerprint
- Websites detected to be behind a CDN or WAF are automatically skipped
- Call nmap to identify the operating system fingerprint
- Call weak password detection scripts based on open ports (FTP/SSH/TELNET/Mysql/MSSQL...)
- Call POC scans based on fingerprint identification or port, or against the open WEB ports of an IP
- Analyze sensitive asset information (domain name, mailbox, apikey, password, etc.) in js files
- Grab website links, test SQL injection, LFI, etc.
- Call some online interfaces to obtain information such as VT, www.yougetsignal.com and other websites: determine the real IP through VT pdns, and query the website by www.yougetsignal.com and api.hackertarget.com.

Usage

    python3 Vxscan.py -h

    optional arguments:
      -h, --help            show this help message and exit
      -u URL, --url URL     Start scanning this url -u xxx.com
      -i INET, --inet INET  cidr eg. 1.1.1.1 or 1.1.1.0/24
      -f FILE, --file FILE  read the url from the file
      -t THREADS, --threads THREADS
                            Set scan thread, default 150
      -e EXT, --ext EXT     Set scan suffix, -e php,asp
      -w WORD, --word WORD  Read the dict from the file

1. Scan a website

    python3 vxscan.py -u http://www.xxx.com/

2. Scan a website from a file list

    python3 vxscan.py -f hosts.txt

3. cidr eg. 1.1.1.1 or 1.1.1.0/24

    python3 vxscan.py -i 127.0.0.0/24

4. Set thread 100, combine only php suffix, use custom dictionary

    python3 vxscan.py -u http://www.xxx.com -e php -t 100 -w ../dict.txt

Structure

    /
    ├─Vxscan.py              main file
    ├─db
    │  ├─apps.json           Web fingerprint information
    │  ├─apps.txt            Web fingerprint information (WEBEYE)
    │  ├─password.txt        password
    ├─report                 Report directory
    ├─lib
    │  ├─common.py           Determine CDN, port scan, POC scan, etc.
    │  ├─color.py            Terminal color output
    │  ├─active.py           Judge dns parsing and ping ip survival
    │  ├─save_html.py        Generate html report
    │  ├─waf.py              waf rules
    │  ├─osdetect.py         Operating system version identification
    │  ├─random_header.py    random header
    │  ├─scan_port.py        PortScan
    │  ├─jsparse.py          Grab the website js connection, analyze ip address, link, email, etc.
    │  ├─settings.py         Setting
    │  ├─pyh.py              Generate html
    │  ├─wappalyzer.py       Fingerprint recognition script
    │  ├─sql_injection.py    Grab the website connection and test the SQL injection script
    ├─script
    │  ├─Poc.py              Poc script
    │  ├─......
    ├─requirements.txt
    ├─logo.jpg
    ├─error.log

Waf/CDN list

360, 360wzws, Anquanbao, Armor, BaiduYunjiasu, AWS WAF, AdNovum, Airee CDN, Art of Defence HyperGuard, ArvanCloud, Barracuda NG, Beluga CDN, BinarySEC, BlockDoS, Bluedon IST, CacheFly CDN, ChinaCache CDN, Cisco ACE XML Gateway, CloudFlare CDN, Cloudfront CDN, Comodo, CompState, DenyALL WAF, DenyAll, Distil Firewall, DoSArrest Internet Security, F5 BIG-IP APM, F5 BIG-IP ASM, F5-TrafficShield, Fastly CDN, FortiWeb, FortiWeb Firewall, GoDaddy, GreyWizard Firewall, HuaweiCloudWAF, HyperGuard Firewall, IBM DataPower, ISAServer, Immunify360, Imperva SecureSphere, Incapsula CDN, Jiasule, KONA, KeyCDN, ModSecurity, NGENIX CDN, NSFOCUS, Naxsi, NetContinuum, NetContinuum WAF, Neusoft SEnginx, Newdefend, Palo Alto Firewall, PerimeterX Firewall, PowerCDN, Profense, Qiniu CDN, Reblaze Firewall, SDWAF, Safe3, Safedog, SiteLock TrueShield, SonicWALL, SonicWall, Sophos UTM Firewall, Stingray, Sucuri, Teros WAF, Usp-Sec, Varnish, Wallarm, WatchGuard, WebKnight, West263CDN, Yundun, Yunsuo, ZenEdge Firewall, aesecure, aliyun, azion CDN, cloudflare CDN, dotDefender, limelight CDN, maxcdn CDN, mod_security, yunsuo

Output

The following is the AWVS scanner test website result:

    [
      {
        "testphp.vulnweb.com": {
          "WAF": "NoWAF",
          "Webinfo": {
            "apps": ["Nginx", "PHP", "DreamWeaver", "php"],
            "title": "Home of Acunetix Art",
            "server": "nginx/1.4.1",
            "pdns": ["176.28.50.165 : 2019-06-09 02:05:52"],
            "reverseip": ["176.28.50.165", "rs202995.rs.hosteurope.de", "testhtml5.vulnweb.com", "testphp.ingensec.ch", "testphp.ingensec.com", "testphp.ingensec.fr", "testphp.vulnweb.com", "vulnweb.com", "www.vulnweb.com"]
          },
          "Ports": ["IMAPS:993", "ssh:22", "imap:143", "http:80", "Unknown:8880", "pop:110", "POP3:995", "smtp:25", "Unknown:8443", "SMTPS:465", "DNS:53", "ftp:21"],
          "Ipaddr": "176.28.50.165",
          "Address": "德国 ",
          "Vuln": [
            "http://testphp.vulnweb.com | Home of Acunetix Art",
            "MySQL SQLi:http://testphp.vulnweb.com/search.php?test=query",
            "MySQL SQLi:http://testphp.vulnweb.com/artists.php?artist=1",
            "MySQL SQLi:http://testphp.vulnweb.com/listproducts.php?cat=2"
          ],
          "URLS": [
            {"rsp_code": 200, "rsp_len": 12473, "title": "None", "contype": "xml", "url": "/.idea/workspace.xml"},
            {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Root"},
            {"rsp_code": 200, "rsp_len": 4732, "title": "search", "contype": "html", "url": "/search.php"},
            {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Entries"},
            {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "plain", "url": "/index.bak"},
            {"rsp_code": 200, "rsp_len": 143, "title": "None", "contype": "xml", "url": "/.idea/scopes/scope_settings.xml"},
            {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "zip", "url": "/index.zip"},
            {"rsp_code": 200, "rsp_len": 275, "title": "None", "contype": "xml", "url": "/.idea/modules.xml"},
            {"rsp_code": 200, "rsp_len": 5523, "title": "login page", "contype": "html", "url": "/login.php"},
            {"rsp_code": 200, "rsp_len": 278, "title": "Index of /admin/", "contype": "html", "url": "/admin/"},
            {"rsp_code": 200, "rsp_len": 224, "title": "None", "contype": "xml", "url": "/crossdomain.xml"},
            {"rsp_code": 302, "rsp_len": 14, "title": "None", "contype": "html", "url": "/userinfo.php"},
            {"rsp_code": 200, "rsp_len": 6, "title": "None", "contype": "plain", "url": "/.idea/.name"},
            {"rsp_code": 200, "rsp_len": 4958, "title": "Home of Acunetix Art", "contype": "html", "url": "/index.php"}
          ]
        }
      }
    ]

Note

- Reference: cnnetarmy Srchunter design ideas
- Refer to the weak password module of brut3k1t: https://github.com/ex0dus-0x/brut3k1t
- Fingerprint recognition mainly calls Wappalyzer and WebEye: https://github.com/b4ubles/python3-Wappalyzer and https://github.com/zerokeeper/WebEye
- Poc referenced: BBscan scanner https://github.com/lijiejie/BBScan, POC-T https://github.com/Xyntax/POC-T/tree/2.0/script, Perun https://github.com/WyAtu/Perun
- Refer to the anthx port scan and service judgment: https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py
- Injection crawler reference: DSSS https://github.com/stamparm/DSSS
- Js sensitive information regex extraction reference: https://github.com/nsonaniya2010/SubDomainizer
- WAF judgment uses the wafw00f and whatwaf judgment rules: https://github.com/EnableSecurity/wafw00f and https://github.com/Ekultek/WhatWaf

Download Vxscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/0ZDcFApPJl8/vxscan-comprehensive-scanning-tool.html

WhatBreach – OSINT Tool To Find Breached Emails And Databases

WhatBreach is a tool to search for breached emails and their corresponding database. It takes either a single email or a list of emails and searches them leveraging haveibeenpwned.com's API; from there (if there are any breaches) it will search for the query link on Dehashed pertaining to the database, and output all breaches along with all pastes that this email is included in (if any). If you are trying to find the database, passing a certain flag will also attempt to download freely available public databases from databases.today. If the query is found within the publicly listed ones it will download the database for you and save it into the project's home folder, which will be located under ~/.whatbreach_home/downloads.

Examples

As an example we will use user@gmail.com as the example search:

    (venv) admin@Hades:~/whatbreach$ python whatbreach.py -e "user@gmail.com"
    [ i ] starting search on single email address: user@gmail.com
    [ i ] searching breached accounts on HIBP related to: user@gmail.com
    [ i ] searching for paste dumps on HIBP related to: user@gmail.com
    [ i ] found a total of 67 database breach(es) and a total of 59 paste(s) pertaining to: user@gmail.com
    ------------------------------------------------------------------------------------
    Breached Site:     | Database Link:
    Paste#26           | https://pastebin.com/b0zdYUzc
    Paste#27           | https://pastebin.com/C6YUMUxk
    Paste#24           | https://pastebin.com/JFvBG4HW
    Paste#25           | https://pastebin.com/hi5yXRCn
    Paste#22           | https://pastebin.com/mVrrDb9d
    Paste#23           | https://pastebin.com/jBCPwT1e
    Paste#20           | https://pastebin.com/uyG5ggf8
    Paste#21           | https://pastebin.com/QrudBvXf
    Paste#28           | https://pastebin.com/6fZtANAb
    Paste#29           | https://pastebin.com/gffDmJ5X
    ...                | ...  # truncated to save space
    Paste#13           | https://pastebin.com/RLVk8j3E
    Paste#12           | https://pastebin.com/zaN47ZZJ
    Paste#11           | https://pastebin.com/k193QzRG
    Paste#10           | https://pastebin.com/Qhaf51b6
    Paste#17           | http://siph0n.in/exploits.php?id=4440
    Paste#16           | https://pastebin.com/j7YX2sJm
    Paste#15           | https://pastebin.com/Sin9fR7f
    Paste#14           | https://pastebin.com/jvSgnZkK
    Paste#19           | https://pastebin.com/2rVemphh
    VK                 | https://www.dehashed.com/search?query=VK
    ArmyForceOnline    | https://www.dehashed.com/search?query=ArmyForceOnline
    Gawker             | https://www.dehashed.com/search?query=Gawker
    Paste#9            | http://www.pemiblanc.com/test.txt
    Paste#8            | https://pastebin.com/EGS77pC4
    Paste#7            | https://pastebin.com/pQdmx6mc
    Paste#6            | https://pastebin.com/ZwUh4tcG
    Paste#5            | https://pastebin.com/RkdC5arB
    MySpace            | https://www.dehashed.com/search?query=MySpace
    Paste#3            | https://pastebin.com/GUV70Jqa
    Paste#2            | https://pastebin.com/2eENex9n
    Paste#1            | https://pastebin.com/rSd85uLK
    Onverse            | https://www.dehashed.com/search?query=Onverse
    ------------------------------------------------------------------------------------

You also have the option to suppress the discovered pastes:

    (venv) admin@Hades:~/whatbreach$ python whatbreach.py -e "user@gmail.com" -nP
    [ i ] starting search on single email address: user@gmail.com
    [ i ] searching breached accounts on HIBP related to: user@gmail.com
    [ i ] searching for paste dumps on HIBP related to: user@gmail.com
    [ w ] suppressing discovered pastes
    [ i ] found a total of 67 database breach(es) and a total of 0 paste(s) pertaining to: user@gmail.com
    ------------------------------------------------------------------------------------
    Breached Site:     | Database Link:
    Dropbox            | https://www.dehashed.com/search?query=Dropbox
    Leet               | https://www.dehashed.com/search?query=Leet
    MySpace            | https://www.dehashed.com/search?query=MySpace
    MyHeritage         | https://www.dehashed.com/search?query=MyHeritage
    ArmyForceOnline    | https://www.dehashed.com/search?query=ArmyForceOnline
    17Media            | https://www.dehashed.com/search?query=17Media
    Xbox360ISO         | https://www.dehashed.com/search?query=Xbox360ISO
    LinkedIn           | https://www.dehashed.com/search?query=LinkedIn
    QuinStreet         | https://www.dehashed.com/search?query=QuinStreet
    Bookmate           | https://www.dehashed.com/search?query=Bookmate
    ...                | ...  # truncated to save space
    Dubsmash           | https://www.dehashed.com/search?query=Dubsmash
    MangaFox           | https://www.dehashed.com/search?query=MangaFox
    FashionFantasyGame | https://www.dehashed.com/search?query=FashionFantasyGame
    Trillian           | https://www.dehashed.com/search?query=Trillian
    Disqus             | https://www.dehashed.com/search?query=Disqus
    NemoWeb            | https://www.dehashed.com/search?query=NemoWeb
    Gawker             | https://www.dehashed.com/search?query=Gawker
    CashCrate          | https://www.dehashed.com/search?query=CashCrate
    Tumblr             | https://www.dehashed.com/search?query=Tumblr
    PoliceOne          | https://www.dehashed.com/search?query=PoliceOne
    Onverse            | https://www.dehashed.com/search?query=Onverse
    Interpals          | https://www.dehashed.com/search?query=Interpals
    Seedpeer           | https://www.dehashed.com/search?query=Seedpeer
    HeroesOfNewerth    | https://www.dehashed.com/search?query=HeroesOfNewerth
    Bell2017           | https://www.dehashed.com/search?query=Bell2017
    ------------------------------------------------------------------------------------

As well as the discovered databases:

    (venv) admin@Hades:~/whatbreach$ python whatbreach.py -e "user@gmail.com" -nD
    [ i ] starting search on single email address: user@gmail.com
    [ i ] searching breached accounts on HIBP related to: user@gmail.com
    [ i ] searching for paste dumps on HIBP related to: user@gmail.com
    [ i ] found a total of 67 database breach(es) and a total of 59 paste(s) pertaining to: user@gmail.com
    [ w ] suppressing discovered databases
    -----------------------------------------------------------------------
    Breached Site:     | Database Link:
    Paste#26           | https://pastebin.com/b0zdYUzc
    Paste#27           | https://pastebin.com/C6YUMUxk
    Paste#24           | https://pastebin.com/JFvBG4HW
    Paste#25           | https://pastebin.com/hi5yXRCn
    Paste#22           | https://pastebin.com/mVrrDb9d
    Paste#23           | https://pastebin.com/jBCPwT1e
    ...                | ...  # truncated to save space
    Paste#9            | http://www.pemiblanc.com/test.txt
    Paste#8            | https://pastebin.com/EGS77pC4
    Paste#7            | https://pastebin.com/pQdmx6mc
    Paste#6            | https://pastebin.com/ZwUh4tcG
    Paste#5            | https://pastebin.com/RkdC5arB
    Paste#4            | https://pastebin.com/4qH2fRMc
    Paste#3            | https://pastebin.com/GUV70Jqa
    Paste#2            | https://pastebin.com/2eENex9n
    Paste#1            | https://pastebin.com/rSd85uLK
    Paste#52           | https://pastebin.com/ffkjfRrY
    Paste#48           | http://balockae.online/files/Lizard Stresser.txt
    Paste#49           | https://pastebin.com/bUq60ZKA
    Paste#44           | http://siph0n.in/exploits.php?id=3667
    Paste#45           | https://pastebin.com/MAFfXwGA
    Paste#46           | http://pxahb.xyz/emailpass/www.chocolate.at.txt
    Paste#47           | https://pastebin.com/zchq7iQS
    Paste#40           | https://pastebin.com/sj9eyM5w
    Paste#41           | https://pastebin.com/wY9ghBM9
    Paste#42           | https://pred.me/gmail.html
    Paste#43           | https://pastebin.com/AnTUDMtj
    -----------------------------------------------------------------------

I have also implemented the ability to search through a list of email addresses and check for the possibility of the email being a "Ten minute email"; it will prompt you to continue if the email is found, since the possibility of using this email is next to none:

    (venv) admin@Hades:~/whatbreach$ python whatbreach.py -l test.txt -cT
    [ i ] parsing email file: test.txt
    [ i ] starting search on a total of 3 email(s)
    [ i ] searching breached accounts on HIBP related to: user@gmail.com
    [ i ] searching for paste dumps on HIBP related to: user@gmail.com
    [ i ] found a total of 67 database breach(es) and a total of 59 paste(s) pertaining to: user@gmail.com
    ------------------------------------------------------------------------------------
    Breached Site:     | Database Link:
    Paste#26           | https://pastebin.com/b0zdYUzc
    Paste#27           | https://pastebin.com/C6YUMUxk
    Paste#24           | https://pastebin.com/JFvBG4HW
    Paste#25           | https://pastebin.com/hi5yXRCn
    Paste#22           | https://pastebin.com/mVrrDb9d
    Paste#23           | https://pastebin.com/jBCPwT1e
    Paste#20           | https://pastebin.com/uyG5ggf8
    Paste#21           | https://pastebin.com/QrudBvXf
    R2Games            | https://www.dehashed.com/search?query=R2Games
    NemoWeb            | https://www.dehashed.com/search?query=NemoWeb
    Disqus             | https://www.dehashed.com/search?query=Disqus
    Adobe              | https://www.dehashed.com/search?query=Adobe
    ...                | ...  # truncated to save space
    Paste#15           | https://pastebin.com/Sin9fR7f
    Paste#14           | https://pastebin.com/jvSgnZkK
    Paste#19           | https://pastebin.com/2rVemphh
    VK                 | https://www.dehashed.com/search?query=VK
    ArmyForceOnline    | https://www.dehashed.com/search?query=ArmyForceOnline
    Gawker             | https://www.dehashed.com/search?query=Gawker
    Paste#9            | http://www.pemiblanc.com/test.txt
    Paste#8            | https://pastebin.com/EGS77pC4
    Paste#7            | https://pastebin.com/pQdmx6mc
    Paste#6            | https://pastebin.com/ZwUh4tcG
    Paste#5            | https://pastebin.com/RkdC5arB
    MySpace            | https://www.dehashed.com/search?query=MySpace
    Paste#3            | https://pastebin.com/GUV70Jqa
    Paste#2            | https://pastebin.com/2eENex9n
    Paste#1            | https://pastebin.com/rSd85uLK
    Onverse            | https://www.dehashed.com/search?query=Onverse
    ------------------------------------------------------------------------------------
    [ w ] email: user@0815.ru0clickemail.com appears to be a ten minute email
    [ ? ] would you like to process the email[y/N]: n
    [ i ] searching breached accounts on HIBP related to: someuser@gmail.com
    [ i ] searching for paste dumps on HIBP related to: someuser@gmail.com
    [ i ] found a total of 6 database breach(es) and a total of 4 paste(s) pertaining to: someuser@gmail.com
    ----------------------------------------------------------------------------
    Breached Site:     | Database Link:
    Adobe              | https://www.dehashed.com/search?query=Adobe
    Paste#4            | http://xn--e1alhsoq4c.xn--p1ai/base/Gmail.txt
    Paste#3            | https://pastebin.com/GUV70Jqa
    Paste#2            | https://pred.me/gmail.html
    Paste#1            | https://pastebin.com/VVgL8Fzp
    NemoWeb            | https://www.dehashed.com/search?query=NemoWeb
    ----------------------------------------------------------------------------

The program is pretty straightforward, but for simplicity I have provided the acceptable arguments below:

    (venv) admin@Hades:~/whatbreach$ python whatbreach.py --help
    usage: whatbreach.py [-h] [-e EMAIL] [-l PATH] [-nD] [-nP] [-cT] [-d]

    optional arguments:
      -h, --help            show this help message and exit

    mandatory opts:
      -e EMAIL, --email EMAIL
                            Pass a single email to scan for
      -l PATH, -f PATH, --list PATH, --file PATH
                            Pass a file containing emails one per line to scan

    search opts:
      -nD, --no-dehashed    Suppres dehashed output
      -nP, --no-pastebin    Suppress Pastebin output

    misc opts:
      -cT, --check-ten-minute
                            Check if the provided email address is a ten minute email or not
      -d, --download        Attempt to download the database if there is one available

Installation

Installing is extremely
easy, just run pip install -r requirements.txtDownload WhatBreach

Link: http://feedproxy.google.com/~r/PentestTools/~3/EI6tCAyZ1-c/whatbreach-osint-tool-to-find-breached.html

Rdpscan – A Quick Scanner For The CVE-2019-0708 “BlueKeep” Vulnerability

This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now there are about 900,000 machines on the public Internet vulnerable to it, so many expect a worm soon, like WannaCry and NotPetya. Therefore, scan your networks and patch (or at least enable NLA) on vulnerable systems.

This is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above.

This tool is based entirely on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708.

Primary use

To scan a network, run it like the following:

rdpscan 192.168.1.1-192.168.1.255

This produces one of 3 results for each address:

SAFE - if the target has been determined to be patched, or at least requires CredSSP/NLA
VULNERABLE - if the target has been confirmed to be vulnerable
UNKNOWN - if the target doesn't respond or has some protocol failure

When nothing exists at a target IP address, older versions printed the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of information about systems you don't care about. Therefore, the new version by default doesn't produce this information unless you add -v (for verbose) on the command-line.

You can increase the speed at which it scans large networks by increasing the number of workers:

rdpscan --workers 10000 10.0.0.0/8

However, on my computer it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter.

You can increase the speed even more by using this in conjunction with masscan, described in the section below.

Interpreting the results

There are three general responses:

SAFE - which means the target is probably patched or otherwise not vulnerable to the bug.
VULNERABLE - which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, it will likely get infected.
UNKNOWN - means we can't confirm either way, usually because the target doesn't respond or isn't running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsible for a lot.

While the three main responses are SAFE, VULNERABLE, and UNKNOWN, they contain additional text explaining the diagnosis. This section describes the various strings you'll see.

SAFE

There are three main reasons we think a target is safe:

SAFE - Target appears patched
This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix.

SAFE - CredSSP/NLA required
This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point without legitimate credentials, so it cannot determine whether the target has been patched. However, hackers can't continue past this point to exploit vulnerable systems either, so you are likely "safe".
However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's unpatched.

SAFE - not RDP
This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as UNKNOWN instead of SAFE/VULNERABLE.

VULNERABLE

This means we've confirmed the system is vulnerable to the bug.

VULNERABLE - got appid
There is only one response when the system is vulnerable, this one.

UNKNOWN

There are a zillion variations for unknown.

UNKNOWN - no connection - timeout
This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually omitted. You have to add the -v (verbose) flag in order to enable it.

UNKNOWN - no connection - refused (RST)
This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so it refuses the connection with a TCP RST packet.

UNKNOWN - RDP protocol error - receive timeout
This is the third most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors and to the target system being overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections.

UNKNOWN - no connection - connection closed
This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). There are many reasons this happens, which we cannot distinguish:
- It's running RDP, but for some reason closes the connection, possibly because it's out of resources.
- It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger SAFE - not RDP), it abruptly closes the connection.
- Some intervening device, like an IPS, firewall, or NAT, closed the connection because it identified this as hostile, or ran out of resources.
- Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet.

UNKNOWN - no connection - host unreachable (ICMP error)
The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive.

UNKNOWN - no connection - network unreachable (ICMP error)
There is a (transient) network error on the far end; try again later if you believe that network should be running.

UNKNOWN - RDP protocol error
This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else.

UNKNOWN - SSL protocol error
Since Windows Vista, RDP uses the STARTTLS protocol to run over SSL. This layer has its own problems like those above, which include handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or the SSL library you are using has a bug.

Using with masscan

This rdpscan tool is fairly slow, only scanning a few hundred targets per second. You can instead use masscan to speed things up.
The masscan tool is roughly 1000 times faster, but only gives limited information on the target.

The steps are:
First, scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use).
Second, feed the output of masscan into rdpscan, so it only has to scan targets we know are active.

The simple way to run this is just to combine them on the command-line:

masscan 10.0.0.0/8 -p3389 | rdpscan --file -

The way I do it is in two steps:

masscan 10.0.0.0/8 -p3389 > ips.txt
rdpscan --file ips.txt --workers 10000 > results.txt

Building

The difficult part is getting the OpenSSL libraries installed without conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL.

$ sudo apt install libssl-dev
$ sudo yum install openssl-devel

Once you've solved that problem, you just compile all the .c files together like this:

$ gcc *.c -lssl -lcrypto -o rdpscan

I've put a Makefile in the directory that does this, so you can likely do just:

$ make

The code is written in C, so it needs a C compiler installed, such as by doing the following:

$ sudo apt install build-essential

Common build errors

This section describes the more obvious build errors.

ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory

This means you either don't have the OpenSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed.

To install these things on Debian, do:

$ sudo apt install libssl-dev

To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.

An example linker problem is the following:

Undefined symbols for architecture x86_64:
  "_OPENSSL_init_ssl", referenced from:
      _tcp_tls_connect in tcp-fac73c.o
  "_RSA_get0_key", referenced from:
      _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
  "_SSL_CTX_set_options", referenced from:
      _tcp_tls_connect in tcp-fac73c.o
  "_X509_get_X509_PUBKEY", referenced from:
      _rdssl_cert_to_rkey in ssl-d5fdf5.o

I get this on macOS because there are multiple versions of OpenSSL. I fix this by hard-coding the paths:

$ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan

According to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.

gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

Running

The section above gives quickstart tips for running the program. This section gives more in-depth help.

To scan a single target, just pass the address of the target:

./rdpscan 192.168.10.101

You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:

./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1

You can also scan ranges of addresses, using either begin-end IPv4 addresses or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.

./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16

By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter.
However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.

./rdpscan --workers 1000 10.0.0.0/24

Instead of specifying targets on the command-line, you can load them from a file, using the well-named --file parameter:

./rdpscan --file ips.txt

The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A comment is a line starting with the # character, or // characters.

The output is sent to stdout giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above.

211.101.37.250 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
40.117.191.215 - SAFE - CredSSP/NLA required
121.204.186.182 - SAFE - CredSSP/NLA required
99.8.11.148 - SAFE - CredSSP/NLA required
121.204.186.114 - SAFE - CredSSP/NLA required
49.50.145.236 - SAFE - CredSSP/NLA required
106.12.74.155 - VULNERABLE - got appid
222.84.253.26 - SAFE - CredSSP/NLA required
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout
183.134.58.152 - UNKNOWN - no connection - refused (RST)
83.162.246.149 - VULNERABLE - got appid

You can process this with additional unix commands like grep and cut. To get a list of just vulnerable machines:

./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'

The parameter -dddd means diagnostic information, where the more ds you add, the more details are printed. This is sent to stderr instead of stdout so that you can separate the streams.
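Two small pieces of glue are useful around the target-file format and the output format just described: a cleaner that turns an asset list (with its comments, blank lines and stray whitespace, or raw masscan stdout lines) into one target per line, and a triage step that separates VULNERABLE hosts from UNKNOWN hosts worth rescanning later (timeouts, unreachable networks) and from hosts that simply refused the connection. The shell functions below are an added example, not part of rdpscan; the sample target list and result lines are constructed in rdpscan's formats using documentation-range addresses, and the masscan line shape ("Discovered open port 3389/tcp on ...") is that of masscan's default stdout. The reason field is split on the " - " separator rather than on every hyphen, so a multi-part reason such as "no connection - refused (RST)" survives intact and a hostname containing a hyphen is not cut in half (the page's cut -d'-' one-liner would truncate such a name).

```shell
#!/bin/sh
# Added example (not rdpscan's own code): prepare a target list for
# "rdpscan --file" and triage the status lines rdpscan writes to stdout.

# Constructed target list: comments (# and //), blank lines, leading and
# trailing whitespace, a raw masscan stdout line and a hyphenated hostname.
SAMPLE_TARGETS='# inventory export (constructed)
  192.0.2.10
192.0.2.0/28

// range from the asset register
198.51.100.1-198.51.100.20
Discovered open port 3389/tcp on 203.0.113.7
rdp-gw.example.test   '

# Constructed rdpscan output in its "<address> - <STATUS> - <reason>" format.
SAMPLE_RESULTS='192.0.2.10 - SAFE - CredSSP/NLA required
192.0.2.11 - SAFE - not RDP - SSH response seen
192.0.2.12 - UNKNOWN - no connection - refused (RST)
198.51.100.5 - VULNERABLE - got appid
198.51.100.6 - UNKNOWN - RDP protocol error - receive timeout
203.0.113.7 - VULNERABLE - got appid
rdp-gw.example.test - SAFE - Target appears patched'

# One target per line on stdout: trims whitespace, drops blank and comment
# lines, and reduces a masscan "Discovered open port ... on <ip>" line to <ip>.
clean_targets() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^#/ || /^\/\// { next }
        /^Discovered open port/ { print $NF; next }
        { print }
    '
}

# Emit "STATUS<TAB>address<TAB>reason" per result line. Splitting on the
# " - " separator keeps hyphens inside the reason and the address intact.
parse_rdpscan() {
    awk -F' - ' 'NF >= 2 {
        reason = ""
        for (i = 3; i <= NF; i++) reason = reason (i > 3 ? " - " : "") $i
        print $2 "\t" $1 "\t" reason
    }'
}

# Addresses confirmed VULNERABLE: patch or enable NLA on these first.
vulnerable_hosts() {
    parse_rdpscan | awk -F'\t' '$1 == "VULNERABLE" { print $2 }'
}

# Number of hosts with the given status (SAFE, VULNERABLE or UNKNOWN).
count_status() {
    parse_rdpscan | awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# UNKNOWN hosts whose reason the rdpscan notes call transient (timeouts,
# unreachable host/network): candidates for a later rescan. Hosts that
# refused the connection are not running RDP and are left out.
retry_hosts() {
    parse_rdpscan | awk -F'\t' '$1 == "UNKNOWN" && $3 ~ /timeout|unreachable/ { print $2 }'
}

# Demonstration on the constructed samples; in practice pipe the real
# inventory into clean_targets and the real results file into the others.
printf '%s\n' "$SAMPLE_TARGETS" | clean_targets
printf '%s\n' "$SAMPLE_RESULTS" | vulnerable_hosts
printf 'vulnerable=%s safe=%s unknown=%s\n' \
    "$(printf '%s\n' "$SAMPLE_RESULTS" | count_status VULNERABLE)" \
    "$(printf '%s\n' "$SAMPLE_RESULTS" | count_status SAFE)" \
    "$(printf '%s\n' "$SAMPLE_RESULTS" | count_status UNKNOWN)"
```

A typical run is `clean_targets < inventory.txt > ips.txt`, then `./rdpscan --file ips.txt > results.txt`, then `vulnerable_hosts < results.txt` for the remediation list and `retry_hosts < results.txt > rescan.txt` for the hosts to try again later; everything else in UNKNOWN (refused, connection closed, protocol errors) needs a human look rather than a blind rescan.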
Using bash this is done like this:

./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt

Diagnostic info

Adding the -d parameter dumps diagnostic info on the connections to stderr.

./rdpscan 62.15.34.157 -d
[+] [62.15.34.157]:3389 - connecting...
[+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211
[+] [62.15.34.157]:3389 - SSL connection
[+] [62.15.34.157]:3389 - version = v4.8
[+] [62.15.34.157]:3389 - Sending MS_T120 check packet
[-] [62.15.34.157]:3389 - Max sends reached, waiting...
62.15.34.157 - SAFE - Target appears patched

On macOS/Linux, you can redirect stdout and stderr separately to different files in the usual manner:

./rdpscan --file ips.txt 2> diag.txt 1> results.txt

SOCKS5 and Tor lulz

So it includes SOCKS5 support:

./rdpscan --file ips.txt --socks5 localhost --socks5port 9050

It makes connection problems worse, so you get a lot more "UNKNOWN" results.

Statically link OpenSSL

For releasing the Windows and macOS binaries attached as releases to this project I statically link OpenSSL, so that it doesn't need to be included separately and the programs just work. This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date.

Both these steps start with downloading the OpenSSL source and putting it next to the rdpscan directory:

git clone https://github.com/openssl/openssl

Windows

For Windows, you need to first install some version of Perl. I use the one from ActiveState.

Next, you'll need a special "assembler". I use the recommended one called NASM.

Next, you'll need a compiler. I use Visual Studio 2010. You can download the latest "Visual Studio Community Edition" (which is 2019) instead from Microsoft.

Now you need to build the makefile. This is done by going into the OpenSSL directory and running the Configure Perl program:

perl Configure VC-WIN32

I chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions.

I want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor and changed the C compilation flag from /MD (meaning use DLLs) to /MT. While I was there, I added the following to the CPPFLAGS: -D_WIN32_WINNT=0x501, which restricts OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that bcrypt.dll was not found if you run on those older systems.

Now you'll need to make sure everything is in your path. I copied nasm.exe to a directory in the PATH. For Visual Studio 2010, I ran the program vcvars32.bat to set up the path variables for the compiler.

At this point on the command-line, I typed:

nmake

This makes the libraries. The static ones are libssl_static.lib and libcrypto_static.lib, which I use to link to in rdpscan.

macOS

First of all, you need to install a compiler. I use the Developer Tools from Apple, installing XCode and the compiler. I think you can use Homebrew to install gcc instead.

Then go into the source directory for OpenSSL and create a makefile:

perl Configure darwin64-x86_64-cc

Now simply make it:

make depend
make

At this point, it's created both dynamic (.dylib) and static (.lib) libraries. I deleted the dynamic libraries so that it'll catch the static ones by default.

Now in rdpscan, just build the macOS makefile:

make -f Makefile.macos

This will compile all the rdpscan source files, then link to the OpenSSL libraries in the directory ../openssl that you just built.

This should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead.

Download Rdpscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/mCI0mRVoYKo/rdpscan-quick-scanner-for-cve-2019-0708.html

Seccubus – Easy Automated Vulnerability Scanning, Reporting And Analysis

Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of their output, both on the first scan and on repeated scans. On repeated scans, delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.

Seccubus 2.x is the only actively developed and maintained branch, and all support for Seccubus V1 has officially been dropped.

Seccubus V2 works with the following scanners:
Nessus
OpenVAS
Skipfish
Medusa (local and remote)
Nikto (local and remote)
NMap (local and remote)
OWASP-ZAP (local and remote)
SSLyze
Medusa
Qualys SSL labs
testssl.sh (local and remote)

For more information visit www.seccubus.com

Default password, change it!!!!!

After installation the default username and password for seccubus is:
admin / GiveMeVulns!
It is highly recommended you change this after installation.
./bin/seccubus_passwd -u admin

Change log

Changes of this branch vs the latest/previous release
x-x-2019 - v2.53 Development release
This is work in progress
Differences with 2.52

Download Seccubus

Link: http://feedproxy.google.com/~r/PentestTools/~3/V6X3rDBzIjs/seccubus-easy-automated-vulnerability.html