Metateta – Automated Tool For Scanning And Exploiting Network Protocols Using Metasploit

Metateta Automated Tool For Scanning And Exploiting Network Protocols Using Metasploit For faster pen testing for large networksWhat You Can DoScanning with all metasploit modules for specific network Protocol like smb,smtp,snmpRun all Auxiliary modules against specific network ProtocolRun all Possible Metasploit Exploits for specific network Protocol That’s is not recommended for real pen testingCan Run against one target or network or even text file with targetsUsing example’ -R -p smb -x exploit -r -p smtp -x scan -f hosts.txt -p smb -x auxiliaryHossam Mohamed – @wazehellDownload Metateta

Link: – A POSIX-compliant, Fully Automated WPA PSK Handshake Capture Script Aimed At Penetration Testing

Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP). Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and current GPS data (if properly configured).After capture, the database can be tested for vulnerable router models using It will search for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) routers.RequirementsWiFi interface in monitor mode aircrack-ng SQLite3 openssl for compilation of modules (optional) wlanhc2hcx from hcxtoolsIn order to log GPS coordinates of handshakes, configure your coordinate logging software to log to .loc/*.txt (the filename can be chosen as desired). Airbash will always use the output of cat “$path$loc"*.txt 2>/dev/null | awk ‘NR==0; END{print}’, which equals to reading all .txt files in .loc/ and picking the second line. The reason for this way of implementation is the functionality of GPSLogger, which was used on the development device.Calculating default keysAfter capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.Compiling ModulesThe modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/Credits for the code go to the authors Kevin Devine and Linux:gcc -fomit-frame-pointer -O3 -funroll-all-loops -o modules/st modules/stkeys.c -lcryptogcc -O2 -o modules/upckeys modules/upc_keys.c -lcryptoIf on Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed.UsageRunning will create the database, prepare the folder structure and create shortlinks to both scripts which can be moved to a directory that is on $PATH to allow execution from any location.After installation, you may need to manually adjust INTERFACE on line 46 in This will later be determined automatically, but for now the default is set to wlan0, to allow out of the box compatibility with bcmon on Android../ starts the script, automatically scanning and attacking targets that are not found in the database. ./ attempts to break known default key algorithms.To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory.Update (Linux only … for now):Airbash can be updated by executing This will clone the master branch into /tmp/ and overwrite the local files.Output_n: number of access points found__c/m: represents client number and maximum number of clients found, respectively-: access point is blacklistedx: access point already in database?: access point out of range (not visible to airodump anymore)The DatabaseThe database contains a table called hs with seven incrementing counter of table entrieslat and lon: GPS coordinates of the handshake (if available)bssid: MAC address of the access pointessid: Name identifierpsk: WPA Passphrase, if knownprcsd: Flag that gets set by to prevent duplicate calculation of default keys if a custom passphrase was used.Currently, the SQLite3 database is not password-protected.Download Airbash


Rastrea2R – Collecting &Amp; Hunting For IOCs With Gusto And Style

Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced “rastreador" – hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with ‘gusto’ and style! DependenciesPython 2.7.xgitbottlerequestsyara-python QuickstartClone the project to your local directory (or download the zip file of the project)$git clone$cd rastrea2rAll the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.$make helphelp – display this makefile’s help informationvenv – create a virtual environment for developmentclean – clean all files using .gitignore rulesscrub – clean all files, even untracked filestest – run teststest-verbose – run tests [verbosely]check-coverage – perform test coverage checkscheck-style – perform pep8 checkfix-style – perform check with autopep8 fixesdocs – generate project documentationcheck-docs – quick check docs consistencyserve-docs – serve project html documentationdist – create a wheel distribution packagedist-test – test a wheel distribution packagedist-upload – upload a wheel distribution packageCreate a virtual environment with all dependencies$make venv//Upon successful creation of the virtualenvironment, enter the virtualenvironment as instructed, for ex:$source /Users/ssbhat/.venvs/rastrea2r/bin/activateStart the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder$cd src/rastrea2r/server/$python rastrea2r_server_v0.3.pyBottle v0.12.13 server starting up (using WSGIRefServer())…Listening on execute the client program, depending on which platform you are trying to scan choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.$python -husage: [-h] [-v] {yara-disk,yara-mem,triage} …Rastrea2r RESTful remote Yara/Triage tool for Incident Responderspositional arguments: {yara-disk,yara-mem,triage}modes of operation yara-disk Yara scan for file/directory objects on disk yara-mem Yara scan for running processes in memory triage Collect triage information from endpointoptional arguments: -h, –help show this help message and exit -v, –version show program’s version number and exitFurther more, the available options under each command can be viewed by executing the help option. i,e$python yara-disk -husage: yara-disk [-h] [-s] path server rulepositional arguments:path File or directory path to scanserver rastrea2r REST serverrule Yara rule on REST serveroptional arguments:-h, –help show this help message and exit-s, –silent Suppresses standard outputFor ex, on a Mac or Unix system you would do:$cd src/rastrea2r/osx/$python yara-disk /opt test.yar Executing rastrea2r on WindowsApart from the libraries specified in requirements.txt, we need to install the following libraries PSutil for win64: for win32: pip install requestsCompiling rastrea2rMake sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:Pywin32: ** Windows onlyPyinstaller: Currently Supported functionalityyara-disk: Yara scan for file/directory objects on diskyara-mem: Yara scan for running processes in memorymemdump: Acquires a memory dump from the endpoint ** Windows onlytriage: Collects triage information from the endpoint ** Windows only NotesFor memdump and triage modules, SMB shares must be set up in this specific way:Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only) \path-to-share-foldertoolsOutput is sent to a shared folder called DATA (write only) \path-to-share-folderdataFor yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from. The RESTful API server stores data received in a file called results.txt in the same directory. Contributing to rastrea2r projectThe Developer Documentation provides complete information on how to contribute to rastrea2r project Demo videos on YoutubeVideo 1: Incident Response / Triage with rastrea2r on the command line – 2: Remote Yara scans with rastrea2r on the command line – 3: Using rastrea2r with McAfee ePO – Client Tasks & Execution – Presentationsrastrea2r at BlackHat Arsenal 2016 (check PDF for documentation on usage and examples) Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016 Credits & ReferencesTo Robert Gresham Jr. (@rwgresham) and Ryan O’Connor (@_remixed) for their contributions to the Triage module. Thanks folks!To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: Rastrea2R


Msploitego – Pentesting Suite For Maltego Based On Data In A Metasploit Database

msploitego leverages the data gathered in a Metasploit database by enumerating and creating specific entities for services. Services like samba, smtp, snmp, http have transforms to enumerate even further. Entities can either be loaded from a Metasploit XML file or taken directly from the Postgres msf database.RequirementsPython 2.7Has only been tested on Kali Linuxsoftware installations:Metasploitnmapenum4linuxsmtp-checkniktoInstallationcheckout and update the transform path inside MaltegoIn Maltego import config from msploitego/src/msploitego/resources/maltego/msploitego.mtzGeneral UseUsing exported Metasploit xml filerun a db_nmap scan in metatasploit, or import a previous scanmsf> db_nmap -vvvv -T5 -A -sS -ST -Pnmsf> db_import /path/to/your/nmapfile.xmlexport the database to an xml filemsf> db_export -f xml /path/to/your/output.xmlIn Maltego drag a MetasploitDBXML entity onto the graph.Update the entity with the path to your metasploit database the MetasploitDB transform to enumerate hosts.from there several transforms are available to enumerate services, vulnerabilities stored in the metasploit DBUsing Postgresdrag and drop a Postgresql DB entity onto the canvas, enter DB the Postgresql transforms directly against a running DBNotesInstead of running a nikto scan directly from Maltego, I’ve opted to include a field to for a Nikto XML file. Nikto can take long time to run so best to manage that directly from the os.ScreenshotsTODO’sConnect directly to the postgres database – in progressMuch, much, much more tranforms for actions on generated entities.Download Msploitego


Sharesniffer – Network Share Sniffer And Auto-Mounter For Crawling Remote File Systems

sharesniffer is a network analysis tool for finding open and closed file shares on your local network. It includes auto-network discovery and auto-mounting of any open cifs and nfs shares.How to useExample to find all hosts in network and auto-mount at /mnt:python -l 4 –hosts -a -m /mntRequirementsPython 2.7 or 3.5Linux or macOSNmap in PATHNmap scripts (.nse) in PATH (on Linux/macOS they are usually in /usr/local/share/nmap/), if you don’t have the ones required are also in the rootdir of sharesniffer.python-nmap (pip install python-nmap)netifaces (pip install netifaces)Download$ git clone$ cd sharesnifferCLI Optionsusage: [-h] [–hosts HOSTS] [-e EXCLUDEHOSTS] [-l SPEEDLEVEL] [-n] [–nfsmntopt NFSMNTOPT] [-s] [–smbmntopt SMBMNTOPT] [–smbtype SMBTYPE] [–smbuser SMBUSER] [–smbpass SMBPASS] [-a] [-m MOUNTPOINT] [-p MOUNTPREFIX] [-v] [–debug] [-q] [-V]optional arguments: -h, –help show this help message and exit –hosts HOSTS Hosts to scan, example: or (default: scan all hosts) -e EXCLUDEHOSTS, –excludehosts EXCLUDEHOSTS Hosts to exclude from scan, example:, -l SPEEDLEVEL, –speedlevel SPEEDLEVEL Scan speed aggressiveness level from 3-5, lower for more accuracy (default: 4) -n, –nfs Scan network for nfs shares –nfsmntopt NFSMNTOPT nfs mount options (default: ro,nosuid,nodev,noexec,udp ,proto=udp,noatime,nodiratime,rsize=1024,dsize=1024,ve rs=3,rdirplus) -s, –smb Scan network for smb shares –smbmntopt SMBMNTOPT smb mount options (default: ro,nosuid,nodev,noexec,udp ,proto=udp,noatime,nodiratime,rsize=1024,dsize=1024) –smbtype SMBTYPE Can be smbfs (default) or cifs –smbuser SMBUSER smb username (default: guest) –smbpass SMBPASS smb password (default: none) -a, –automount Auto-mount any open nfs/smb shares -m MOUNTPOINT, –mountpoint MOUNTPOINT Mountpoint to mount shares (default: ./) -p MOUNTPREFIX, –mountprefix MOUNTPREFIX Prefix for mountpoint directory name (default: sharesniffer) -v, –verbose Increase output verbosity –debug Debug message output -q, –quiet Run quiet and just print out any possible mount points for crawling -V, –version Prints version and exitsDownload Sharesniffer


Prowler – Distributed Network Vulnerability Scanner

Prowler is a Network Vulnerability Scanner implemented on a Raspberry Pi Cluster, first developed during Singapore Infosec Community Hackathon – HackSmith v1.0.CapabilitiesScan a network (a particular subnet or a list of IP addresses) for all IP addresses associated with active network devicesDetermine the type of devices using fingerprintingDetermine if there are any open ports on the deviceAssociate the ports with common servicesTest devices against a dictionary of factory default and common credentialsNotify users of security vulnerabilities through an dashboard. Dashboard tourPlanned CapabilitiesGreater variety of vulnerability assessment capabilities (webapp etc.)Select wordlist based on fingerprintHardwareRaspberry Pi Cluster HAT (with 4 * Pi Zero W)Raspberry Pi 3Networking deviceSoftware StackRaspbian Stretch (Controller Pi)Raspbian Stretch Lite (Worker Pi Zero)Note: For ease of setup, use the images provided by Cluster Hat! InstructionsPython 3 (not tested on Python 2)Python packages see requirements.txtAnsible for managing the cluster as a whole (/playbooks)Key Python Packages:dispy (website) is the star of the show. It allows allows us to create a job queue that will be processed by the worker nodes.python-libnmap is the python wrapper around nmap, an open source network scanner. It allows us to scan for open ports on devices.paramiko is a python wrapper around SSH. We use it to probe SSH on devices to test for common credentials.eel is used for the web dashboard (seperate repository, here)rabbitmq (website) is used to pass the results from the cluster to the eel server that is serving the dashboard page.Ansible PlaybooksFor the playbooks to work, ansible must be installed (sudo pip3 install ansible). Configure the IP addresses of the nodes at /etc/ansible/hosts. WARNING: Your mileage may vary as these were only tested on my setupshutdown.yml and reboot.yml self-explanatoryclone_repos.yml clone prowler and dispy repositories (required!) on the worker nodessetup_node.yml installs all required packages on the worker nodes. Does not clone the repositories!Deploying ProwlerClone the git repository: git clone dependencies by running sudo pip3 install -r requirements.txt on the controller PiRun ansible-playbook playbooks/setup_node.yml to install the required packages on worker nodes.Clone the prowler and dispy repositories to the worker nodes using ansible-playbook playbooks/clone_repos.ymlRun clusterhat on on the controller Pi to ensure that all Pi Zeros are powered up.Run python3 on the controller Pi to start ProwlerTo edit the range of IP addresses being scanned, edit the following lines in = [] for i in range(0, 1): for j in range(100, 200): test_range.append(“172.22." + str(i) + "." + str(j))Old DemosCluster Scan Demonstration Jupyter NotebookSingle Scan Demonstration Jupyter NotebookTry out the web dashboard hereUseful SnippetsTo run ssh command on multiple devices, install pssh and pssh -h pssh-hosts -l username -A -i "command"To create the cluster (in cluster = dispy.JobCluster(compute, nodes=’pi0_ip’, ip_addr=’pi3_ip’)Check connectivity: ansible all -m ping or ping p1.local -c 1 && ping p2.local -c 1 && ping p3.local -c 1 && ping p4.local -c 1Temperature Check: /opt/vc/bin/vcgencmd measure_temp && pssh -h workers -l pi -A -i "/opt/vc/bin/vcgencmd measure_temp" | grep temprpimonitor (how to install):Download Prowler


GyoiThon – A Growing Penetration Test Tool Using Machine Learning

GyoiThon is a growing penetration test tool using Machine Learning.GyoiThon identifies the software installed on web server (OS, Middleware, Framework, CMS, etc…) based on the learning data. After that, it executes valid exploits for the identified software using Metasploit. Finally, it generates reports of scan results. GyoiThon executes the above processing automatically.Processing steps GyoiThon executes the above “Step1" – "Step4" fully automatically.User’s only operation is to input the top URL of the target web server in GyoiThon.It is very easy!You can identify vulnerabilities of the web servers without taking time and effort.Processing flowStep 1. Gather HTTP responses.GyoiThon gathers several HTTP responses of target website while crawling.The following are example of HTTP responses gathered by GyoiThon.Example.1HTTP/1.1 200 OKDate: Tue, 06 Mar 2018 03:01:57 GMTConnection: closeContent-Type: text/html; charset=UTF-8Etag: "409ed-183-53c5f732641c0"Content-Length: 15271…snip…Example.2HTTP/1.1 200 OKDate: Tue, 06 Mar 2018 06:56:17 GMTConnection: closeContent-Type: text/html; charset=UTF-8Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;path=/;Content-Length: 37496…snip…Example.3HTTP/1.1 200 OKDate: Tue, 06 Mar 2018 04:19:19 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 11819…snip…