Vanquish – Kali Linux based Enumeration Orchestrator

Vanquish is a Kali Linux based Enumeration Orchestrator built in Python. Vanquish leverages the open-source enumeration tools on Kali to perform multiple active information gathering phases. The results of each phase are fed into the next phase to identify vulnerabilities that could be leveraged for a remote shell.

Vanquish Features

So what is so special about Vanquish compared to other enumeration scripts?

- Multi-threaded: runs multiple commands and scans multiple hosts simultaneously.
- Configurable: all commands are configured in a separate .ini file for ease of adjustment.
- Multiphase: optimized to run the fastest enumeration commands first in order to get actionable results as quickly as possible.
- Intelligent: feeds the findings from one phase into the next in order to uncover deeper vulnerabilities.
- Modular: new attack plans and command configurations can easily be built for fit-for-purpose enumeration orchestration.

Getting Started

Vanquish can be installed on Kali Linux using the following commands:

    git clone https://github.com/frizb/Vanquish
    cd Vanquish
    python Vanquish2.py -install
    vanquish --help

Once Vanquish is installed you can scan hosts, leveraging the best-of-breed Kali Linux tools:

    echo 192.168.126.133 >> test.txt
    vanquish -hostFile test.txt -logging
    echo review the results!
    cd test
    cd 192_168_126_133
    ls -la

What Kali Tools does Vanquish leverage?

NMap, Hydra, Nikto, Metasploit, Gobuster, Dirb, Exploitdb, Nbtscan, Ntpq, Enum4linux, Smbclient, Rpcclient, Onesixtyone, Sslscan, Sslyze, Snmpwalk, Ident-user-enum, Smtp-user-enum, Snmp-check, Cisco-torch, Dnsrecon, Dig, Whatweb, Wafw00f, Wpscan, Cewl, Curl, Mysql, Nmblookup, Searchsploit, Nbtscan-unixwiz, Xprobe2, Blindelephant, Showmount.

Running Vanquish

- CTRL + C to exit an enumeration phase and skip to the next phase (helpful if a command is taking too long).
- CTRL + Z to exit Vanquish.

Resume Mode

Vanquish will skip running a command again if it sees that the output files already exist.

Re-run an enumeration command

If you want to re-execute a command, delete the output files (.txt, .xml, .nmap etc.) and run Vanquish again.

Command Line Arguments

    usage: vanquish [-h] [-install] [-outputFolder folder] [-configFile file]
                    [-attackPlanFile file] [-hostFile file] [-workspace workspace]
                    [-domain domain] [-dnsServer dnsServer] [-proxy proxy]
                    [-reportFile report] [-noResume] [-noColor] [-threadPool threads]
                    [-phase phase] [-noExploitSearch] [-benchmarking] [-logging]
                    [-verbose] [-debug]

Vanquish is a Kali Linux based Enumeration Orchestrator.

optional arguments:

- -h, --help: show this help message and exit
- -install: install Vanquish and its requirements
- -outputFolder folder: output folder path (default: name of the host file)
- -configFile file: configuration ini file (default: config.ini)
- -attackPlanFile file: attack plan ini file (default: attackplan.ini)
- -hostFile file: list of hosts to attack (default: hosts.txt)
- -workspace workspace: Metasploit workspace to import data into (default: the host filename)
- -domain domain: domain to be used in DNS enumeration (default: megacorpone.com)
- -dnsServer dnsServer: DNS server option to use with Nmap DNS enumeration; reveals the host names of each server (default: empty)
- -proxy proxy: proxy server option to use with scanning tools that support proxies; should be in the format ip:port (default: empty)
- -reportFile report: filename used for the report (default: report.txt)
- -noResume: do not resume a previous session
- -noColor: do not display color
- -threadPool threads: thread pool size (default: 8)
- -phase phase: only execute a specific phase
- -noExploitSearch: disable searchsploit exploit searching
- -benchmarking: enable benchmark reporting on the execution time of commands (exports to benchmark.csv)
- -logging: enable verbose and debug data logging to files
- -verbose: display verbose details during the scan
- -debug: display debug details during the scan

Custom Attack Plans

GoBuster Max

GoBuster Max is an attack plan that will run all the web application content detection dictionaries against your targets.

    vanquish -hostFile test.txt -attackPlanFile ./attackplans/gobuster-max.ini -logging

Download Vanquish

Link: http://feedproxy.google.com/~r/PentestTools/~3/1AAh071q_6k/vanquish-kali-linux-based-enumeration.html

WebBreaker – Dynamic Application Security Test Orchestration (DASTO)

Build functional security testing into your software development and release cycles! WebBreaker provides the capabilities to automate and centrally manage Dynamic Application Security Testing (DAST) as part of your DevOps pipeline.

WebBreaker truly enables all members of the Software Security Development Life-Cycle (SDLC) with access to security testing and greater test coverage with increased visibility, by providing Dynamic Application Security Test Orchestration (DASTO). Current support is limited to the world's most popular commercial DAST product, WebInspect.

Supported Features

- Command-line (CLI) scan administration of WebInspect with Fortify SSC products.
- Jenkins environment variable and string parameter support (i.e. $BUILD_TAG).
- Docker container v17.x support.
- Custom email alerting or notifications for scan launch and completion.
- Extensible event logging for scan administration and results.
- WebInspect REST API support for v9.30 and later.
- Fortify Software Security Center (SSC) REST API support for v16.10 and later.
- WebInspect scan cluster support between two (2) or more WebInspect servers/sensors.
- Capabilities for extensible scan telemetry with ELK and Splunk.
- GIT support for centrally managing WebInspect scan configurations.
- Replaces most functionality of Fortify's fortifyclient.
- Python compatibility with versions 2.x or 3.x.
- Provides AES 128-bit key management for all secrets from the Fernet encryption Python library.

Quick Local Installation and Configurations

Installing WebBreaker from source:

    git clone https://github.com/target/webbreaker
    pip install -r requirements.txt
    python setup.py install

Configuring WebBreaker:

- Point WebBreaker to your WebInspect API server(s) by editing webbreaker/etc/webinspect.ini.
- Point WebBreaker to your Fortify SSC URL by editing webbreaker/etc/fortify.ini.
- SMTP settings for email notifications and a message template can be edited in webbreaker/etc/email.ini.
- Mutually exclusive remote GIT repos created by users are encouraged for persisting WebInspect settings, policies, and webmacros. Simply add the GIT URL and their respective directories to webinspect.ini.

NOTES:

- Required: as with any Python application that contains library dependencies, pip is required for installation.
- Optional: include your Python site-packages, if they are not already in your $PATH, with export PATH=$PATH:$PYTHONPATH.

Usage

WebBreaker is a command-line interface (CLI) client. See our complete WebBreaker Documentation for further configuration, usage, and installation.

The CLI supports upper-level and lower-level commands with respective options to enable interaction with Dynamic Application Security Test (DAST) products. Currently, the two products supported are WebInspect and Fortify (more to come in the future!!)

Below is a cheatsheet of supported commands to get you started.

List all WebInspect scans:

    webbreaker webinspect list --server webinspect-1.example.com:8083

Query WebInspect scans:

    webbreaker webinspect list --server webinspect-1.example.com:8083 --scan_name important_site

List with http:

    webbreaker webinspect list --server webinspect-1.example.com:8083 --protocol http

Download WebInspect scan from server or sensor:

    webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth

Download WebInspect scan as XML:

    webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth -x xml

Download WebInspect scan with http (no SSL):

    webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth --protocol http

Basic WebInspect scan:

    webbreaker webinspect scan --settings important_site_auth

Advanced WebInspect scan with scan overrides:

    webbreaker webinspect scan --settings important_site_auth --allowed_hosts example.com --allowed_hosts m.example.com

Scan with local WebInspect settings:

    webbreaker webinspect scan --settings /Users/Matt/Documents/important_site_auth

Initial Fortify SSC listing with authentication (SSC token is managed for 1 day):

    webbreaker fortify list --fortify_user matt --fortify_password abc123

Interactive listing of all Fortify SSC application versions:

    webbreaker fortify list

List Fortify SSC versions by application (case sensitive):

    webbreaker fortify list --application WEBINSPECT

Upload to Fortify SSC with command-line authentication:

    webbreaker fortify upload --fortify_user $FORT_USER --fortify_password $FORT_PASS --version important_site_auth

Upload to Fortify SSC with interactive authentication & application version configured with fortify.ini:

    webbreaker fortify upload --version important_site_auth --scan_name auth_scan

Upload to Fortify SSC with application/project & version name:

    webbreaker fortify upload --application my_other_app --version important_site_auth --scan_name auth_scan

WebBreaker Console Output

    webbreaker webinspect scan --settings MyCustomWebInspectSetting --scan_policy Application --scan_name some_scan_name
    (WebBreaker ASCII-art banner) Version 1.2.0
    JIT Scheduler has selected endpoint https://some.webinspect.server.com:8083.
    WebInspect scan launched on https://some.webinspect.server.com:8083 your scan id: ec72be39-a8fa-46b2-ba79-10adb52f8adb !!
    Scan results file is available: some_scan_name.fpr
    Scan has finished.
    Webbreaker complete.

Download WebBreaker

Link: http://feedproxy.google.com/~r/PentestTools/~3/VFXOraaHzgg/webbreaker-dynamic-application-security.html

parameth – Tool to brute discover GET and POST parameters

This tool can be used to brute discover GET and POST parameters.

Often when you are busting a directory for common files, you can identify scripts (for example test.php) that look like they need to be passed an unknown parameter. This hopefully can help find them.

The -off flag allows you to specify an offset (helps with dynamic pages): for example, if you were getting alternating response sizes of 4444 and 4448, set the offset to 5 and it will only show the responses outside the norm.

Usage

    usage: parameth.py [-h] [-v] [-u URL] [-p PARAMS] [-H HEADER] [-a AGENT]
                       [-t THREADS] [-off VARIANCE] [-o OUT] [-P PROXY] [-x IGNORE]
                       [-s SIZEIGNORE] [-d DATA] [-i IGMETH] [-c COOKIE]

optional arguments:

- -h, --help: show this help message and exit
- -v, --version: version information
- -u URL, --url URL: target URL
- -p PARAMS, --params PARAMS: provide a list of parameters to scan for
- -H HEADER, --header HEADER: add a custom header to the requests
- -a AGENT, --agent AGENT: specify a user agent
- -t THREADS, --threads THREADS: specify the number of threads
- -off VARIANCE, --variance VARIANCE: the offset in difference to ignore (if dynamic pages)
- -diff DIFFERENCE, --difference DIFFERENCE: percentage difference in response (recommended 95)
- -o OUT, --out OUT: specify output file
- -P PROXY, --proxy PROXY: specify a proxy in the form http|s://[IP]:[PORT]
- -x IGNORE, --ignore IGNORE: specify a status to ignore, e.g. 404,302...
- -s SIZEIGNORE, --sizeignore SIZEIGNORE: ignore responses of specified size
- -d DATA, --data DATA: provide default post data (also taken from provided url after ?)
- -i IGMETH, --igmeth IGMETH: ignore GET or POST method; specify g or p
- -c COOKIE, --cookie COOKIE: specify cookies
- -T TIMEOUT, --timeout TIMEOUT: specify a timeout in seconds to wait between each request

Adding new params from source:

The following regexes might be useful to parse $_GET or $_POST parameters from source (the PCRE \K drops the $_POST[' prefix from the match and the lookahead requires the closing quote and bracket, so only the parameter name is printed):

    $> grep -rhoiP "\\\$_POST\[\s*[\"']\s*\K\w+(?=\s*[\"']\s*\])" PHPSOURCE | sort -u > /tmp/outfile.txt
    $> grep -rhoiP "\\\$_GET\[\s*[\"']\s*\K\w+(?=\s*[\"']\s*\])" PHPSOURCE | sort -u > /tmp/outfile.txt

Download parameth

Link: http://feedproxy.google.com/~r/PentestTools/~3/X02YkmBy6k0/parameth-tool-to-brute-discover-get-and.html

Zeus Scanner – Advanced Dork Searching Utility

Zeus is an advanced dork searching tool that is capable of bypassing search engine API calls, search engine captchas, and IP address blocking from sending many requests to the search engine itself. Zeus can use three different search engines to do the search (default is Google). Zeus has a powerful built-in engine, automates a hidden web browser to pull the search URL, and can run sqlmap and nmap scans on the URLs.

Screenshots

- Running without any mandatory options, or running the --help flag, will output Zeus's help menu.
- A basic dork scan with the -d flag: from the given dork, it will launch an automated browser and pull the Google page results.
- Calling the -s flag will prompt you to start the sqlmap API server (python sqlmapapi.py -s from sqlmap); it will then connect to the API and perform a sqlmap scan on the found URLs.

Requirements

There are a few requirements for this:

- Firefox web browser is required as of now; I will be adding the functionality of most web browsers.
- If you want to run sqlmap through the URLs you will need sqlmap somewhere on your system.
- If you want to run a port scan using nmap on the URLs' IP addresses, you will need nmap on your system.
- Highly advised tip: add sqlmap and nmap to your ENV PATH.
- Gecko web driver is required and will be installed the first time you run. It will be added to your /usr/bin so that it can be run in your ENV PATH.
- You must be sudo for the first time running this so that you can add the driver to your PATH.
- selenium-webdriver package is required to automate the web browser and bypass API calls.
- requests package is required to connect to the URL, and the sqlmap API.
- python-nmap package is required to run nmap on the URLs' IP addresses.
- whichcraft package is required to check if nmap and sqlmap are on your system if you want to use them.
- pyvirtualdisplay package is required to hide the browser display while finding the search URL.

Installing

To install Zeus you simply need to do the following:

- (optional but highly advised) add sqlmap and nmap to your environment PATH by moving them to /usr/bin or by adding them to the PATH via terminal
- Clone the repository: git clone https://github.com/Ekultek/Zeus-Scanner.git
- cd into zeus-scanner
- Run pip install -r requirements.txt
- For your first run, run sudo python zeus.py
- This will install all the package requirements along with the gecko web driver

Download Zeus-Scanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/ri8eipsei0I/zeus-scanner-advanced-dork-searching.html

dorkbot – Scan Google Search Results for Vulnerabilities

dorkbot is a modular command-line tool for performing vulnerability scans against a set of webpages returned by Google search queries in a given Google Custom Search Engine. It is broken up into two sets of modules:

- Indexers: modules that issue a search query and return the results as targets
- Scanners: modules that perform a vulnerability scan against each target

Targets are stored in a local database upon being indexed. Once scanned, any vulnerabilities found by the chosen scanner are written to a standard JSON report file. Indexing and scanning processes can be run separately or combined in a single command.

Usage

    usage: dorkbot.py [-h] [-c CONFIG] [-b BLACKLIST] [-d DATABASE] [-i INDEXER] [-l]
                      [-o INDEXER_OPTIONS] [-p SCANNER_OPTIONS] [-s SCANNER] [-v VULNDIR]

optional arguments:

- -h, --help: show this help message and exit
- -c CONFIG, --config CONFIG: configuration file
- -b BLACKLIST, --blacklist BLACKLIST: file containing (regex) patterns to blacklist from scans
- -d DATABASE, --database DATABASE: SQLite3 database file
- -i INDEXER, --indexer INDEXER: indexer module to use
- -l, --list: list targets in database
- -o INDEXER_OPTIONS, --indexer-options INDEXER_OPTIONS: indexer-specific options (opt1=val1,opt2=val2,..)
- -p SCANNER_OPTIONS, --scanner-options SCANNER_OPTIONS: scanner-specific options (opt1=val1,opt2=val2,..)
- -s SCANNER, --scanner SCANNER: scanner module to use
- -v VULNDIR, --vulndir VULNDIR: directory to store vulnerability output reports

Platform

Python 2.7.x / 3.x (Linux / Mac OS / Windows) (requires python-dateutil)

Quickstart

- Download PhantomJS and either Arachni or Wapiti for your platform, and make sure you have installed any required dependencies for each.
- Extract each tool into the tools directory and rename the directory after the tool (dorkbot/tools/phantomjs/, dorkbot/tools/arachni/, etc).
- Create a Google Custom Search Engine and note the search engine ID, e.g. 012345678901234567891:abc12defg3h.
- Install python-dateutil (e.g. pip install python-dateutil)

Example: use arachni to scan php pages that contain the string "id" in the url:

    $ ./dorkbot.py -i google -o engine=012345678901234567891:abc12defg3h,query="filetype:php inurl:id" -s arachni

Indexer Modules

google
Search for targets in a Google Custom Search Engine (CSE) via custom search element.
Requirements: PhantomJS
Options:
- engine: CSE id
- query: search query
- phantomjs_dir: phantomjs base directory containing bin/phantomjs (default: tools/phantomjs/)
- domain: limit searches to specified domain

google_api
Search for targets in a Google Custom Search Engine (CSE) via JSON API.
Requirements: none
Options:
- key: API key
- engine: CSE id
- query: search query
- domain: limit searches to specified domain

stdin
Read targets from standard input, one per line.
Requirements: none
Options: none

Scanner Modules

arachni
Scan targets with the Arachni command-line scanner.
Requirements: Arachni
Options:
- arachni_dir: arachni base directory containing bin/arachni and bin/arachni_reporter (default: tools/arachni/)
- report_dir: directory to save arachni scan binary and JSON scan report output (default: reports/)
- checks: which vulnerability checks to perform (default: active/*,-csrf,-unvalidated_redirect,-source_code_disclosure,-response_splitting,-no_sql_injection_differential)

wapiti
Scan targets with the Wapiti command-line scanner.
Requirements: Wapiti
Options:
- wapiti_dir: wapiti base directory containing bin/wapiti (default: tools/wapiti/)
- report_dir: directory to save wapiti JSON scan report (default: reports/)

Download dorkbot

Link: http://feedproxy.google.com/~r/PentestTools/~3/cSILDPXBZME/dorkbot-scan-google-search-results-for.html

Mr.SIP – SIP-Based Audit and Attack Tool

Mr.SIP is a tool developed to audit and simulate SIP-based attacks. Originally it was developed for academic work, to help develop novel SIP-based DDoS attacks and defense approaches; with the idea of converting it into a fully functional SIP-based penetration testing tool, it has since been redeveloped into the current version.

It was used in an academic journal paper titled "Novel SIP-based DDoS Attacks and Effective Defense Strategies", published in Computers & Security 63 (2016) 29-44 by Elsevier, Science Direct: http://sciencedirect.com/science/article/pii/S0167404816300980.

In the current state, Mr.SIP comprises four sub-modules named SIP-NES, SIP-ENUM, SIP-DAS and SIP-ASP. Since it provides a modular structure to developers, more modules will continue to be added by the authors, and it is open to contributions from the open-source developer community.

SIP-NES takes an IP range or IP subnet as input. It sends a SIP OPTIONS message to each IP address in the subnet and, according to the responses, outputs the potential SIP clients and servers on that subnet.

SIP-ENUM outputs which SIP users are valid in that network, according to the responses, by sending REGISTER messages to each client IP address in the output of SIP-NES.

SIP-DAS (DoS Attack Simulator) is a module developed to simulate SIP-based DoS attacks. It comprises four components: spoofed IP address generator, SIP message generator, message sender and scenario player. It needs the outputs of SIP-NES (Network Scanner) and SIP-ENUM (Enumerator) along with some pre-defined files.

SIP-DAS basically generates a legitimate SIP INVITE message and sends it to the target SIP component via TCP or UDP. It has three different options for spoofed IP address generation, i.e., manual, random and by selecting a spoofed IP address from the subnet. IP addresses could be specified manually or generated randomly. Furthermore, in order to bypass uRPF filtering, which is used to block IP addresses that do not belong to the subnet from passing onto the Internet, we designed a spoofed IP address generation module. The spoofed IP generation module calculates the subnet in use and randomly generates spoofed IP addresses that appear to come from within the subnet.

In order to bypass automatic message generation detection (anomaly detection) systems, random "INVITE" messages are generated that contain no patterns within the messages. Each generated "INVITE" message is grammatically compatible with the SIP RFCs and acceptable to all of the SIP components.

The "INVITE" message production mechanism specifies the target user(s) in the "To" header of the message. This attack can be executed against a single user or against legitimate SIP users on the target SIP server, as an intermediary step before the DoS attack. The legitimate SIP users are enumerated and written to a file. Next, they are placed randomly in the "To" header of the generated "INVITE" messages. The "Via", "User-Agent", "From" and "Contact" headers within an "INVITE" message are syntactically generated using randomly selected information from the valid user agent and IP address lists. The tag parameter in the "From" header, the branch and source-port parameters in the "Via" header, and the values in the "Call-ID" header are syntactically and randomly generated using the valid user agent list. In addition, the source IP addresses in the "Contact" and "Via" headers are also generated using IP spoofing.

UDP is used widely in SIP systems as a transport protocol, so attacks on the target server are implemented by sending the generated attack messages into the network using UDP. TCP can also be used optionally. The message sender of SIP-DAS allows the optional selection of how many SIP messages are sent per second. The number of SIP messages sent in one second depends on the resources (CPU and RAM) of the attacker machine.

SIP-ASP (Attack Scenario Player) allows the development of various SIP-based DoS attack scenarios through the use of SIP-DAS as the framework.

Usage Examples:

- SIP-NES scan output (screenshot)
- Call flow created by SIP-NES (screenshot)
- SIP-DAS attack output (screenshot)
- Call flow created by SIP-DAS (screenshot)

Download Mr.SIP

Link: http://feedproxy.google.com/~r/PentestTools/~3/HaPaMfXICMU/mrsip-sip-based-audit-and-attack-tool.html

Crowbar – Brute Forcing Tool (SSH, OpenVPN, RDP, VNC)

Crowbar (formerly known as Levye) is a brute forcing tool that can be used during penetration tests. It was developed to brute force some protocols in a different manner from other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH key(s). This allows any private keys that have been obtained during penetration tests to be used to attack other SSH servers.

Currently Crowbar supports:

- OpenVPN (-b openvpn)
- Remote Desktop Protocol (RDP) with NLA support (-b rdp)
- SSH private key authentication (-b sshkey)
- VNC key authentication (-b vnckey)

Installation

Install all the dependencies:

    # apt-get -y install openvpn freerdp-x11 vncviewer

Then get the latest version from GitHub:

    # git clone https://github.com/galkan/crowbar

Note: the RDP client package depends on your OS:

- Debian 7/8 & Kali 1/2 use the freerdp-x11 package.
- Else you can try xfreerdp.
- Else you may need to compile & tweak freerdp by following: http://opentechnotes.blogspot.co.uk/2015/02/compile-headless-freerdp-credential-checking.html
- Don't forget to edit the script to point to the new binary!

Usage

- -b: target service. Crowbar supports: openvpn, rdp, sshkey, vnckey
- -c: static password to login with
- -C: </path/to/file> containing a password list
- -d: run a tcp port scan (nmap) on the IP range (-s/-S) before trying to brute force. This will discover whether the target's port is open.
- -D: enable debug mode
- -h: shows a help menu
- -k: </path/to/file-or-folder> for key files (for SSH or VNC)
- -l: </path/to/file> to store the log file (default is ./crowbar.log)
- -m: </path/to/file> for an OpenVPN configuration file
- -n: thread count
- -o: </path/to/file> to store the successful attempt(s) (default is ./crowbar.out)
- -p: port number (if the service is not on the default port)
- -q: enable quiet mode (only show successful logins)
- -s: target IP address/range (in CIDR notation)
- -S: </path/to/file> which stores target IP addresses
- -t: timeout value
- -u: single username
- -U: </path/to/file> which stores the username list
- -v: enable verbose mode (shows all the attempts)

If you want to see all usage options, please use: ./crowbar.py --help

ATTENTION: If you want to use a username including DOMAIN, please specify the username like below. Backslash (\) is the escape character for python, so you have to use either of the following two formats:

    # ./crowbar.py -b rdp -u DOMAIN\\gokhan alkan -c Aa123456 -s 10.68.35.150/32
    2015-03-28 11:03:39 RDP-SUCCESS : 10.68.35.150:3389 - "DOMAIN\gokhan alkan":Aa123456,

    # ./crowbar.py -b rdp -u gokhan alkan@ornek -c Aa123456 -s 10.68.35.150/32
    2015-03-28 11:04:00 RDP-SUCCESS : 10.68.35.150:3389 - "gokhan alkan@DOMAIN":Aa123456,

Demonstration Videos

Brute Forcing Remote Desktop Protocol (RDP)

Below are a few examples of attacking RDP using Crowbar.

RDP brute forcing a single IP address using a single username and a single password:

    # ./crowbar.py -b rdp -s 192.168.2.182/32 -u admin -c Aa123456

RDP brute forcing a single IP address using a username list file and a single password:

    # ./crowbar.py -b rdp -s 192.168.2.211/32 -U /root/Desktop/userlist -c passw0rd

RDP brute forcing a single IP address using a single username and a password list:

    # ./crowbar.py -b rdp -s 192.168.2.250/32 -u localuser -C /root/Desktop/passlist

RDP brute forcing a subnet using a username list and a password list in discovery mode:

    # ./crowbar.py -b rdp -s 192.168.2.0/24 -U /root/Desktop/userlist -C /root/Desktop/passlist -d

Brute Forcing SSH Private Keys

Below are a few examples of attacking SSH using Crowbar.

SSH key brute force attempt to a single IP address using a single username and a single private SSH key:

    # ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/id_rsa

SSH key brute force attempt to a single IP address using a single username and all the SSH keys in a folder:

    # ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/

SSH key brute force attempt to a subnet using a single username and all the SSH keys in a folder in discovery mode:

    # ./crowbar.py -b sshkey -s 192.168.2.0/24 -u root -k /root/.ssh/ -d

Brute Forcing VNC

Below is an example of attacking a VNC service using Crowbar.

VNC brute force attempt to a single IP address using a password file with a specified port number:

    # ./crowbar.py -b vnckey -s 192.168.2.105/32 -p 5902 -k /root/.vnc/passwd

Brute Forcing OpenVPN

Below is an example of attacking OpenVPN using Crowbar.

OpenVPN brute force attempt to a single IP address using a configuration file, a certificate file, a single username and a single password with a specified port number:

    # ./crowbar.py -b openvpn -s 198.7.62.204/32 -p 443 -m /root/Desktop/vpnbook.ovpn -k /root/Desktop/vpnbook_ca.crt -u vpnbook -c cr2hudaF

Logs & Output

Once you have executed Crowbar, it generates 2 files for logging and results, located in your current directory. The default log file name is crowbar.log, which stores all brute force attempts during execution. If you don't want to use the default log file, use -l log_path. The second file is crowbar.out, which stores successful attempts during execution. If you don't want to use the default output file, use -o output_path. After that you can observe Crowbar operations.

Download Crowbar

Link: http://feedproxy.google.com/~r/PentestTools/~3/XgU9F48jQIw/crowbar-brute-forcing-tool-ssh-openvpn.html

pbscan – Faster And More Efficient Stateless SYN Scanner And Banner Grabber

polarbearscan is an attempt to do faster and more efficient banner grabbing and port scanning. It combines two different ideas which hopefully will make it somewhat worthy of your attention and time.

The first of these ideas is to use stateless SYN scanning using cryptographically protected cookies to parse incoming acknowledgements. To the best of the author's knowledge this technique was pioneered by Dan Kaminsky in scanrand. Scanrand was itself part of Paketto Keiretsu, a collection of scanning utilities, and it was released somewhere in 2001-2002.

The second idea is to use a patched userland TCP/IP stack such that the scanner can restore state immediately upon receiving a cryptographically verified packet with both the SYN and ACK flags set. The userland stack being used here by polarbearscan is called libuinet [2]. Unlike some of the other userland TCP/IP stacks out there this one is very mature as it is simply a port of FreeBSD's TCP/IP stack.

By patching the libuinet stack one can then construct a socket and complete the standard TCP 3-way handshake by replying with a proper ACK. Doing it this way a fully functional TCP connection is immediately established. This is as opposed to other scanners (such as nmap) which would have to, after noting that a TCP port is open, perform a full TCP connect via the kernel to do things such as banner grabbing or version scanning. A full TCP connect leads to a whole new TCP 3-way handshake being performed. This completely discards the implicit state which was built up by the initial two packets being exchanged between the hosts. By avoiding this one can reduce bandwidth usage and immediately go from detecting that a port is open to connecting to it. This connection can then simply sit back and receive data in banner grab mode or it could send out an HTTP request.

Please note that the scanner right now only supports IPv4 based scanning and it will only work properly over Ethernet-type (wired or wireless) interfaces. There are no plans to support IPv6 or different interfaces in the near future.

INSTALLATION

Compiling the code is pretty straightforward. One just needs a working connection to the net, and git needs to be installed such that the required dependencies can be downloaded. Besides that, standard development utilities (gcc, make, patch) and development editions of libraries (pthread, pcap, OpenSSL) are needed. On Debian based distributions one can simply install all the packages listed in the DEPENDENCIES file. After that one should be able to just type 'make'; the external dependencies will be checked out using git and the entire scanner will be built. This binary can then be copied to /usr/bin or /usr/local/bin or the like.

If compilation fails please email the author (contact details below) and include the error output, kernel version, libc version and anything else that might help with reproducing and fixing the problem. Your help is kindly appreciated.

USAGE

Running the tool should be pretty straightforward. You will need root privileges. The -h option shows brief usage information and the options explained. In most cases one would not need more than specifying the type of scan to perform, the port lists to scan and the target IP or IP ranges. CIDR notation is supported for the IP ranges.

There are four different scan types, which are specified with -s:

- -sB: standard banner grab. The scanner will not send any data; it simply waits, receives data and displays it up until the first newline or carriage return received.
- -sH: this mode sends a "GET / HTTP/1.1" request to every successfully set up connection. It is very useful for quickly identifying HTTP servers.
- -sT: TLS scanning mode sends a TLS1.0 NULL probe with zero options and zero algorithms specified. If there is a valid TLS server on the receiving end, the scanner parses the reply and tries to figure out whether it is a valid TLS Error response, which is then displayed.
- -sC: custom scanning, which will load a payload from a file (specified with -d) and send this payload out to every successfully established socket. Can be useful for quickly probing very specific protocols.

Other options:

- -p: the list of TCP ports to scan, which can be a range of ports or single ports, with ranges and single ports separated by commas. Example: -p22,80,8080-9000,143 will scan ports 22, 80, 143 and the range 8080 to 9000.
- -b <limit>: the bandwidth limit to apply for the outgoing probes. This does not apply to the data sent and received over the sockets, only to the actual SYN probes being sent out. Examples: -b300k, -b67m, -b500b would yield bandwidth limits of 300kbps, 76mbps and 500bps respectively.
- -d <filename>: filename of the file containing the payload used for the custom scan. The entire file will be sent, up to a maximum of 128kB, which should be more than enough for most purposes.
- -t <timeout>: the number of seconds that the scanner will wait, after it has sent out all the probes, for data to come back over the still connected sockets. That is assuming there are any; otherwise it will bail out the moment there is no more work left to do.
- -x: forces the tool to always dump received output in hexadecimal notation. Otherwise it will only dump data in hexadecimal notation if non-printable characters are found.
- -v: enables some verbose output. It is mostly only useful for debugging.
- -i <iface>: the interface to use for selecting the source IP and setting up the pcap backend. This should not be necessary on standard machines with just one properly configured NIC, but with multiple NICs one might need it.
- -r <seed>: the random seed to use for the RNG. Mostly useful for debugging and for making sure that one can get the tool to generate the exact same sequence of packets again.
The argument is an integer and can be specified in hexadecimal and decimal notation.-T <ttl>: Override the default IP TTL value to use in SYN probes. Not really necessary for anything but included for the sake of completeness.-W <win>: Override the default TCP Window size value to use in SYN probes. Not really necessary for anything but included for the sake of completeness.-I <id>: Override the default IP ID value to use in SYN probes. Not really necessary for anything but included for the sake of completeness.-n: This option should only be used if you know what you’re doing. It will make sure the tool does NOT set the firewall rule to drop all outgoing RST packets. If this is used then the scanner will not fork and one has the responsibility to set this rule by hand as otherwise the kernel will send RST packets back for every SYNACK packet received. This will make the tool simply not work. The rule as it’s being set on Linux is the following: $ /sbin/iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP-o: This option does not do the I/O redirection so one will see more output of the uinet internals. It’s only added for the sake of completeness or for debugging scenario’s as it’s not very useful otherwise.-h: The usage information.Some examples on how to use the tool. To do a banner grab of port 22 on a /24 range use like:./pbscan -sB -p22 x.x.x.x/24To do an HTTP scan on several common HTTP ports for a single IP with the output in hexadecimal mode use:./pbscan -sH -x -p80,8080-9000 x.x.x.xDuring scanning when you press a key on standard input you see some stats being printed out, such as the amount of open ports identified, the amount of valid TCP acks received the number of currently active connections, and how many SYN probes of the total have already been sent out. This will look something like:sent: 1.97% (of 254), open: 0, active: 2, acks: 2Download pbscan
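The stateless cookie idea described above, as an added Python example (this is not pbscan's or scanrand's code, and the exact MAC they use is not described on the page): the scanner derives each probe's initial sequence number from a keyed MAC over the 4-tuple, so any reply can be verified from its own addresses, ports and ACK number alone, and the third handshake packet can be rebuilt from a verified SYN/ACK without any stored state. HMAC-SHA256 truncated to 32 bits, the fixed secret and the sample replies are all constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Per-run secret. A real scanner draws this from os.urandom() at start-up;
# it is a fixed constructed value here so the example is reproducible.
SECRET = bytes.fromhex("5f3e2d1c0b0a99887766554433221100")


def syn_cookie(secret: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Initial sequence number for a SYN probe: a keyed MAC over the 4-tuple.

    Nothing is stored per probe; the 4-tuple of any reply is enough to
    recompute the cookie and decide whether the reply belongs to us.
    """
    msg = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
           + struct.pack("!HH", src_port, dst_port))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def expected_ack(secret: bytes, reply: dict) -> int:
    """The ACK number a genuine answer to our probe must carry: cookie + 1.

    The reply's addresses and ports are mirrored relative to the probe.
    """
    cookie = syn_cookie(secret, reply["dst_ip"], reply["src_ip"],
                        reply["dst_port"], reply["src_port"])
    return (cookie + 1) & 0xFFFFFFFF


def classify_reply(secret: bytes, reply: dict):
    """Return 'open', 'closed', or None for a segment that is not an answer to our probe."""
    flags = reply["flags"]
    if not flags & ACK or reply["ack"] != expected_ack(secret, reply):
        return None            # stray traffic or a forged reply: dropped without any lookup
    if flags & SYN:
        return "open"          # SYN/ACK: the port accepted our SYN
    if flags & RST:
        return "closed"        # RST/ACK: the port refused it
    return None


def handshake_ack(secret: bytes, synack: dict) -> tuple:
    """(seq, ack) for the third handshake packet, rebuilt from the SYN/ACK alone.

    This is the state a patched userland stack needs to adopt the connection:
    our next sequence number is cookie + 1, and we acknowledge the peer's ISN + 1.
    """
    return expected_ack(secret, synack), (synack["seq"] + 1) & 0xFFFFFFFF


def reply(src_ip, dst_ip, src_port, dst_port, flags, seq, ack):
    return dict(src_ip=src_ip, dst_ip=dst_ip, src_port=src_port,
                dst_port=dst_port, flags=flags, seq=seq, ack=ack)


# Constructed replies to probes sent from 10.0.0.5:40000 (not captured traffic).
SCANNER, SPORT = "10.0.0.5", 40000
_c22 = syn_cookie(SECRET, SCANNER, "192.0.2.10", SPORT, 22)
_c23 = syn_cookie(SECRET, SCANNER, "192.0.2.10", SPORT, 23)
SAMPLE_REPLIES = [
    # genuine SYN/ACK from an open SSH port
    reply("192.0.2.10", SCANNER, 22, SPORT, SYN | ACK, seq=0x1A2B3C4D, ack=(_c22 + 1) & 0xFFFFFFFF),
    # genuine RST/ACK from a closed telnet port
    reply("192.0.2.10", SCANNER, 23, SPORT, RST | ACK, seq=0, ack=(_c23 + 1) & 0xFFFFFFFF),
    # forged SYN/ACK claiming port 80 is open; the sender cannot compute the cookie
    reply("192.0.2.10", SCANNER, 80, SPORT, SYN | ACK, seq=0x11111111, ack=0xDEADBEEF),
    # unrelated SYN/ACK that happens to hit our source port
    reply("198.51.100.7", SCANNER, 443, SPORT, SYN | ACK, seq=0x22222222, ack=1),
]


def scan_results(secret: bytes, replies: list) -> dict:
    """Map (host, port) -> state for every reply that verifies; everything else is dropped."""
    results = {}
    for r in replies:
        state = classify_reply(secret, r)
        if state is not None:
            results[(r["src_ip"], r["src_port"])] = state
    return results


if __name__ == "__main__":
    for (host, port), state in sorted(scan_results(SECRET, SAMPLE_REPLIES).items()):
        print(f"{host}:{port} {state}")
```

Only the two genuine replies survive; the forged SYN/ACK and the stray segment fail the cookie check and cost nothing beyond one MAC computation. This is also why the RST-drop rule matters: the kernel, which knows nothing about the cookie, would otherwise answer every verified SYN/ACK with a RST before the userland stack can send the ACK computed by handshake_ack().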

Link: http://feedproxy.google.com/~r/PentestTools/~3/u1fNRvYiPdc/pbscan-faster-and-more-efficient.html

Tulpar – Web Vulnerability Scanner

Tulpar is an open source web vulnerability scanner written to automate web penetration testing.

Features
Sql Injection (GET method)
XSS (GET method)
Crawl
E-mail Disclosure
Credit Card Disclosure
Whois
Command Injection (GET method)
Directory Traversal (GET method)
File Include (GET method)
Server Information
Technology Information
X-Content-Type Check
X-XSS-Protection Check
TCP Port Scanner
robots.txt Check
URL Encode
Certificate Information
Available Methods
Cyber Threat Intelligence
IP2Location
File Input Available Check

Installation
git clone https://github.com/anilbaranyelken/tulpar.git
cd tulpar
pip install -r requirements.txt

Usage
python tulpar.py action web_URL

action: one of full, xss, sql, fuzzing, e-mail, credit-card, whois, links, portscanner, urlEncode, cyberthreatintelligence, commandInjection, directoryTraversal, fileInclude, headerCheck, certificate, method, IP2Location, FileInputAvailable
web_URL: the target URL

Screenshots: SQL usage; mail usage.

Download Tulpar
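Several of the Tulpar checks listed above (header check, server and technology information, credit card and e-mail disclosure) are passive inspections of one HTTP response. The following added Python example, which is not Tulpar's code, shows how such checks are usually implemented over a constructed response: hardening headers are graded as ok, weak or missing; Server and X-Powered-By values that carry a version number are reported; and candidate card numbers are filtered through the Luhn checksum so that order numbers and other 16-digit runs are not reported as cards. The sample headers and body are constructed for the example.

```python
import re

# Constructed response from a target (not Tulpar output): a PHP app leaking
# stack versions, lacking the usual hardening headers, with a card number in the body.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "X-XSS-Protection": "0",
}
SAMPLE_BODY = """<html><body>
<p>Support: helpdesk@example.com</p>
<p>Order #1234 5678 9012 3456 shipped.</p>
<p>Card on file: 4111 1111 1111 1111</p>
</body></html>"""

# Header name -> predicate for an acceptable value.
SECURITY_HEADERS = {
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    # Legacy header: current browsers ignore it, and "0" explicitly disables the old filter.
    "X-XSS-Protection": lambda v: v.strip().split(";")[0].strip() == "1",
}

VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")          # e.g. "/2.4.29" in "Apache/2.4.29"
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")    # 13-19 digits, optional space/dash separators
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_headers(headers: dict) -> dict:
    """Grade each hardening header as 'ok', 'weak' or 'missing' (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, acceptable in SECURITY_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if acceptable(value) else "weak"
    return report


def technology_disclosure(headers: dict) -> list:
    """Server / X-Powered-By values that include a version number."""
    found = []
    for name in ("Server", "X-Powered-By"):
        for k, v in headers.items():
            if k.lower() == name.lower() and VERSION_RE.search(v):
                found.append(f"{name}: {v}")
    return found


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every payment card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of 13-19 that pass Luhn; the checksum removes order numbers and timestamps."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_emails(text: str) -> list:
    return sorted(set(EMAIL_RE.findall(text)))


if __name__ == "__main__":
    for name, grade in check_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {grade}")
    print(technology_disclosure(SAMPLE_HEADERS))
    print(find_card_numbers(SAMPLE_BODY), find_emails(SAMPLE_BODY))
```

The Luhn filter is the part worth copying: without it, "1234 5678 9012 3456" in the sample body would be reported alongside the real test card number, and on a production site the false positives drown the findings.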

Link: http://feedproxy.google.com/~r/PentestTools/~3/VVtqOSSz6r8/tulpar-web-vulnerability-scanner.html

WordPresscan – WPScan rewritten in Python + some WPSeku ideas

A simple WordPress scanner written in Python, based on the work of WPScan (Ruby version).

Install & Launch

Dependencies
pip install requests
pip install tornado

Install
git clone https://github.com/swisskyrepo/Wordpresscan.git
cd WordPresscan

Example 1: Basic update and scan of a WordPress site
python main.py -u "http://localhost/wordpress" --update --random-agent

-u : URL of the WordPress site
--update : Update the wpscan database
--aggressive : Launch an aggressive scan for plugins/themes
--random-agent : Use a random user-agent for this session

Example 2: Basic bruteforce (options --brute and --nocheck)
python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst
python main.py -u "http://127.0.0.1/wordpress/" --brute admin

--brute file.lst : Bruteforce every username and their password
--brute username : Bruteforce the password for the given username; it will also try to bruteforce the passwords of the detected users

python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst --nocheck

[WordPresscan banner: "WordPress scanner based on wpscan work" by @pentest_swissky]
[+] URL: http://127.0.0.1/wordpress/
[!] The WordPress 'http://127.0.0.1/wordpress/readme.html' file exposing a version number: 4.4.7
[i] Uploads directory has directory listing enabled : http://127.0.0.1/wordpress/wp-content/uploads/
[i] Includes directory has directory listing enabled : http://127.0.0.1/wordpress/wp-includes/
[i] Bruteforcing all users
[+] User found admin
[+] Starting passwords bruteforce for admin
Bruteforcing - ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

Example 3: Thinking is overrated, this is aggressive, mostly not advised!
python main.py -u "http://127.0.0.1/wordpress/" --fuzz
[i] Enumerating components from aggressive fuzzing …
[i] File: http://127.0.0.1/wordpress/license.txt - found
[i] File: http://127.0.0.1/wordpress/readme.html - found
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-footer.php - found
[i] File: http://127.0.0.1/wordpress/wp-admin/css/ - found
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-ajax.php - found
[i] File: http://127.0.0.1/wordpress/wp-activate.php - found

--fuzz : Fuzz the website in order to detect as many files, themes and plugins as possible

Credits and Contributors
Original idea and script from WPScan Team
Many PRs and bugfixes from bl4de

Download WordPresscan
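The findings in the sample run above (version disclosed by readme.html, directory listing on wp-content/uploads, a password bruteforce against a detected user) come from a handful of response checks. As an added Python example, not WordPresscan's code, the following shows those checks over constructed pages: the readme.html version regex, the autoindex title test that Apache and nginx listings share, the wp-login.php form body (the field names log, pwd, wp-submit, redirect_to and testcookie are WordPress's own), and the success test a bruteforcer needs, since a valid login is answered with a 302 that sets a wordpress_logged_in_* cookie while a failed one returns the form with status 200. The HTML pages, cookie values and the audit() helper are constructed for the example.

```python
import re
from urllib.parse import urlencode

# Constructed pages standing in for fetched responses (not WordPresscan output).
SAMPLE_README = """<!DOCTYPE html>
<html><head><title>WordPress &#8250; ReadMe</title></head>
<body>
<h1 id="logo"><a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
<br /> Version 4.4.7
</h1>
<p style="text-align: center">Semantic Personal Publishing Platform</p>
</body></html>"""

SAMPLE_LISTING = """<html><head><title>Index of /wordpress/wp-content/uploads</title></head>
<body><h1>Index of /wordpress/wp-content/uploads</h1>
<pre><a href="../">../</a>
<a href="2017/">2017/</a>
</pre></body></html>"""

SAMPLE_NORMAL_PAGE = "<html><head><title>My Blog</title></head><body>Hello</body></html>"

VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def version_from_readme(html: str):
    """Version string disclosed by readme.html, or None when it is absent."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def has_directory_listing(html: str) -> bool:
    """Apache and nginx autoindex pages both title themselves 'Index of /...'."""
    return bool(LISTING_RE.search(html))


def wp_login_body(username: str, password: str, site: str) -> str:
    """URL-encoded form body for a POST to wp-login.php."""
    return urlencode({
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": site.rstrip("/") + "/wp-admin/",
        "testcookie": "1",
    })


def login_succeeded(status: int, headers: dict) -> bool:
    """A valid login answers 302 and sets wordpress_logged_in_<hash>; a failure re-renders the form."""
    set_cookie = " ".join(v for k, v in headers.items() if k.lower() == "set-cookie")
    return status == 302 and "wordpress_logged_in_" in set_cookie


def audit(readme_html: str, directories: dict) -> list:
    """Findings in the scanner's own terms: version disclosure and listable directories."""
    findings = []
    version = version_from_readme(readme_html)
    if version:
        findings.append(f"readme.html exposes version {version}")
    for path, html in directories.items():
        if has_directory_listing(html):
            findings.append(f"directory listing enabled: {path}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_README, {"/wp-content/uploads/": SAMPLE_LISTING, "/": SAMPLE_NORMAL_PAGE}):
        print(line)
    print(wp_login_body("admin", "p@ss word", "http://127.0.0.1/wordpress/"))
```

When wiring login_succeeded() into a real bruteforce loop, disable redirect following on the client; otherwise the 302 is consumed and the wp-admin page comes back as a 200 that looks like a failure.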

Link: http://feedproxy.google.com/~r/PentestTools/~3/G4YlZ6aUkBw/wordpresscan-wpscan-rewritten-in-python.html