Sn1per v6.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Categorized host reports
- Quick links to online recon tools and Google hacking queries
- Personalized notes field for each host

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

AUTO-PWN:
- Drupal Drupalgeddon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:
./install.sh

DOCKER INSTALL:
Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
Example usage:
$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:
[*] NORMAL MODE
sniper -t|--target <TARGET>
[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon
[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon
[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>
[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly
[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>
[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web
[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce
[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike
[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>
[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] UPDATE SNIPER
sniper -u|--update

MODES:
NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
NUKE: Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
UPDATE: Checks for updates and upgrades all components used by sniper.
REIMPORT: Reimports all workspace files into Metasploit and reproduces all reports.
RELOAD: Reloads the master workspace report.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per v5.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/RLWB_3_Wk9M/sn1per-v60-automated-pentest-framework.html

CMS Scanner – Scan WordPress, Drupal, Joomla, vBulletin Websites For Security Issues

Scan WordPress, Drupal, Joomla, vBulletin websites for security issues. CMSScan provides a centralized Security Dashboard for CMS security scans. It is powered by wpscan, droopescan, vbscan and joomscan. It supports both on demand and scheduled scans and has the ability to send email reports.

Install
# Requires ruby, ruby-dev, gem, python3 and git
git clone https://github.com/ajinabraham/CMSScan.git
cd CMSScan
./setup.sh

Run
./run.sh

Periodic Scans
You can perform periodic CMS scans with CMSScan. You must run the CMSScan server separately and configure the following before running the scheduler.py script.

# SMTP SETTINGS
SMTP_SERVER = ''
FROM_EMAIL = ''
TO_EMAIL = ''
# SERVER SETTINGS
SERVER = ''
# SCAN SITES
WORDPRESS_SITES = []
DRUPAL_SITES = []
JOOMLA_SITES = []
VBULLETIN_SITES = []

Add a cronjob
crontab -e
<cron-schedule> /usr/bin/python3 scheduler.py

Docker
Local
docker build -t cmsscan .
docker run -it -p 7070:7070 cmsscan
Prebuilt Image
docker pull opensecurity/cmsscan
docker run -it -p 7070:7070 opensecurity/cmsscan

Download CMSScan

Link: http://feedproxy.google.com/~r/PentestTools/~3/w0AREgkhNJQ/cms-scanner-scan-wordpress-drupal.html

SSH Auditor – The Best Way To Scan For Weak Ssh Passwords On Your Network

Features
ssh-auditor will automatically:
- Re-check all known hosts as new credentials are added. It will only check the new credentials.
- Queue a full credential scan on any new host discovered.
- Queue a full credential scan on any known host whose ssh version or key fingerprint changes.
- Attempt command execution as well as attempt to tunnel a TCP connection.
- Re-check each credential using a per-credential scan_interval (default 14 days).
It's designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to perform a constant audit.

Demos
Earlier demo showing all of the features
Demo showing improved log output

Usage
Install
$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor
or build from a git clone
$ go build
Build a static binary including sqlite
$ make static
Ensure you can use enough file descriptors
$ ulimit -n 4096
Create initial database and discover ssh servers
$ ./ssh-auditor discover -p 22 -p 2222 192.168.1.0/24 10.0.0.1/24
Add credential pairs to check
$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 # check this once per day
Try credentials against discovered hosts in a batch of 20000
$ ./ssh-auditor scan
Output a report on what credentials worked
$ ./ssh-auditor vuln
Re-check credentials that worked
$ ./ssh-auditor rescan
Output a report on duplicate key usage
$ ./ssh-auditor dupes

Report query
The query that ssh-auditor vuln runs is:
select hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version
from host_creds hc, hosts h
where h.hostport = hc.hostport and result != ''
order by last_tested asc

Download Ssh-Auditor

Link: http://feedproxy.google.com/~r/PentestTools/~3/EzIGBgulgtk/ssh-auditor-best-way-to-scan-for-weak.html

Robber – Robber Is Open Source Tool For Finding Executables Prone To DLL Hijacking

Robber is a free open source tool developed using Delphi XE2 without any 3rd party dependencies.

What is DLL hijacking?!
Windows has a search path for DLLs in its underlying architecture. If you can figure out what DLLs an executable requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happily feed your attack code to the application.

So, let's pretend Windows's DLL search path looks something like this:
A) .                  <-- current working directory of the executable, highest priority, first check
B) \Windows
C) \Windows\system32
D) \Windows\syswow64  <-- lowest priority, last check

and some executable "Foo.exe" requests "bar.dll", which happens to live in the syswow64 (D) subdir. This gives you the opportunity to place your malicious version in A), B) or C) and it will be loaded into the executable.

As stated before, even an absolute full path can't protect against this, if you can replace the DLL with your own version.

Microsoft Windows protects system paths like System32 using the Windows File Protection mechanism, but the best way to protect an executable from DLL hijacking in enterprise solutions is:
- Use absolute paths instead of relative paths.
- If you have a personal signing certificate, sign your DLL files and check the signature in your application before loading a DLL into memory. Otherwise check the hash of the DLL file against the original DLL's hash.

And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.

Robber uses a simple mechanism to figure out which DLLs are prone to hijacking:
1. Scan the import table of the executable and find out which DLLs are linked to it.
2. Search for DLL files placed in the executable's directory that match a linked DLL (as said before, the current working directory of the executable has the highest priority).
3. If any such DLL is found, scan its export table.
4. Compare the import table of the executable with the export table of the DLL; if any match is found, the executable and the matched common functions are flagged as a DLL hijack candidate.

Features:
- Ability to select scan type (signed/unsigned applications)
- Determine executable signer
- Determine which referenced DLLs are candidates for hijacking
- Determine exported method names of candidate DLLs
- Configure rules to determine which hijacks are the best or good choice for use and show them in different colors

Find the latest Robber executable here
Download Robber
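The four-step check described above, as an added Python example (not Robber's own Delphi code): it runs over hand-constructed import and export tables and the text's simplified search order, so that an auditor can see which imports would resolve from the executable's own directory and which of those the heuristic actually flags. Foo.exe, bar.dll, baz.dll and all function names are constructed for the example.

```python
"""Added example, not Robber's own code: the import/export cross-check that the
README above describes (steps 1-4), plus the text's simplified DLL search
order, so you can see why a same-named DLL beside the executable wins.
All tables below are constructed by hand; no real binary is parsed."""
from typing import Dict, List, Optional

# Simplified search order from the text, highest priority first.
# "." stands for the executable's own directory.
SEARCH_ORDER = [".", r"\Windows", r"\Windows\system32", r"\Windows\syswow64"]


def resolve_dll(dll: str, present: Dict[str, List[str]],
                order: List[str] = SEARCH_ORDER) -> Optional[str]:
    """Return the first directory in `order` that holds `dll` (DLL names are
    compared case-insensitively, as Windows does), or None if it is nowhere."""
    want = dll.lower()
    for directory in order:
        if want in {name.lower() for name in present.get(directory, [])}:
            return directory
    return None


def hijack_candidates(imports: Dict[str, List[str]],
                      app_dir_exports: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Robber's heuristic over pre-parsed tables.
    imports:          DLL name -> functions the executable imports from it
    app_dir_exports:  DLL name found beside the executable -> its exported names
    A DLL is a candidate only if a same-named file sits beside the executable
    AND that file exports at least one function the executable imports; the
    matched names are returned so the finding can be verified by hand."""
    beside = {name.lower(): set(funcs) for name, funcs in app_dir_exports.items()}
    candidates: Dict[str, List[str]] = {}
    for dll, wanted in imports.items():
        exported = beside.get(dll.lower())
        if exported is None:
            continue                      # step 2: nothing beside the exe, skip
        common = sorted(f for f in wanted if f in exported)   # step 4
        if common:
            candidates[dll] = common
    return candidates


# Constructed sample: Foo.exe from the text, with bar.dll living in syswow64
# but a second bar.dll (and an unrelated baz.dll) dropped beside the exe.
FOO_IMPORTS = {
    "bar.dll": ["BarInit", "BarRun"],
    "baz.dll": ["BazGo"],
    "kernel32.dll": ["CreateFileW"],
}
FOO_APP_DIR = {                    # export tables of DLLs found next to Foo.exe
    "bar.dll": ["BarInit", "BarRun", "BarDebug"],
    "baz.dll": ["Unrelated"],      # same name, but exports nothing Foo.exe wants
}
PRESENT = {
    ".": ["Foo.exe", "bar.dll", "baz.dll"],
    r"\Windows\system32": ["kernel32.dll"],
    r"\Windows\syswow64": ["bar.dll"],
}

if __name__ == "__main__":
    for dll in FOO_IMPORTS:
        print(f"{dll:13s} resolves from {resolve_dll(dll, PRESENT)}")
    print("hijack candidates:", hijack_candidates(FOO_IMPORTS, FOO_APP_DIR))
```

Note that baz.dll is not flagged even though it sits beside the executable: Robber's step 4 requires the export table to cover an imported function, which is what separates a usable candidate from a mere name collision.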

Link: http://feedproxy.google.com/~r/PentestTools/~3/-3o2PCxEGpE/robber-robber-is-open-source-tool-for.html

FindYara – IDA Python Plugin To Scan Binary With Yara Rules

Use this IDA python plugin to scan your binary with yara rules. All the yara rule matches will be listed with their offset so you can quickly hop to them!

All credit for this plugin and the code goes to David Berard (@p0ly). This plugin is copied from David's excellent findcrypt-yara plugin and just extends it to use any yara rule.

Installation
- Install yara-python
  - Using pip: pip install yara-python
  - Other methods: https://pypi.python.org/pypi/yara-python
- Copy FindYara.py to your IDA "plugins" directory

Tutorial video: Yara Rules With IDA Pro

Usage
Launch the plugin
The plugin can be launched from the menu using Edit->Plugins->FindYara. Or the plugin can be quickly launched using the hot-key combination ctl-alt-y.
Select a Yara file to scan with
When the plugin launches it will open a file selection dialogue box. You will need to use this to choose the yara file that you want to scan with.
View matches
All of the strings from the yara rule that match the binary will be displayed along with the match locations.

Acknowledgments
A huge thank you to David Berard (@p0ly). Follow him on GitHub here! This is mostly his code and he gets all the credit for the original plugin framework.
Also, hat tip to Alex Hanel (@nullandnull). Follow him on GitHub here. Alex helped me sort through how the IDC methods are being used. His IDA Python book is a fantastic reference!!

Feedback / Help
Any questions, comments, requests, hit me up on twitter: @herrcore
Pull requests welcome!

Download FindYara

Link: http://feedproxy.google.com/~r/PentestTools/~3/SUaACTisvsI/findyara-ida-python-plugin-to-scan.html

SharpSploitConsole – Console Application Designed To Interact With SharpSploit

Console application designed to interact with SharpSploit, released by @cobbr_io.

SharpSploit is a tool written by @cobbr_io that combines many techniques/C# code from the infosec community into one sweet DLL. It's awesome so check it out!

Description
SharpSploit Console is just a quick proof of concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit. By following the instructions below you should be able to embed both the SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an appropriate target system and run over a non-interactive shell (such as beacon).

This concept can be applied to many C# binaries. For example, we could embed the System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that doesn't rely on the System.Management.Automation.dll on the target system.

Contact at:
Twitter: @anthemtotheego or @g0ldengunsec

Setup - Quick and Dirty
Note: For those of you who don't want to go through the trouble of compiling your own, I uploaded an x64 and x86 binary found in the CompiledBinaries folder. For those of you who do want to compile your own... I used Windows 10, Visual Studio 2017; mileage may vary.

1. Download the SharpSploit tool from https://github.com/cobbr/SharpSploit.git
2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for the correct architecture): you should see a drop down with Any CPU > click on it and open Configuration Manager > under platform change to the desired architecture and select OK.
3. Download the SharpSploitConsole tool and open up SharpSploitConsole.sln
4. Copy both SharpSploit.dll and System.Management.Automation.dll found in the SharpSploit/bin/x64/Debug directory into the SharpSploitConsole/bin/x64/Debug folder
5. Next we will set up Visual Studio to embed our DLLs into our exe so we can have a single binary we can run on our target machine. We will do this by doing the following, in Visual Studio:
   a. Tools > NuGet Package Manager > Package Manager Console
   b. Inside the console run: Install-Package Costura.Fody
   c. Open up notepad and paste the following code below and save it with the name FodyWeavers.xml inside the SharpSploitConsole directory that holds your bin, obj, properties folders.

Link: http://feedproxy.google.com/~r/PentestTools/~3/kATTdJ2komM/sharpsploitconsole-console-application.html

KillShot – Information Gathering Tool

A Penetration Testing Framework, Information Gathering Tool & Website Vulnerability Scanner.

Why KillShot?
You can use this tool to spider your website and get important information, and to gather information automatically using whatweb, host, traceroute, dig, fierce and wafw00f, or to identify the CMS and find vulnerabilities in your website using the CMS Exploit Scanner and WebApp Vul Scanner. You can also use KillShot to automatically run multiple types of scan with nmap and unicornscan. With this tool you can generate simple PHP backdoors, upload them manually and connect to the target using KillShot. This tool also carries a simple Ruby fuzzer tested on VULSERV.exe, and a Linux log clear script to change the content of login paths. The spider can help you to find parameters of the site and scan for XSS and SQL injection.

Menu
{0} Spider
{1} Web technologie
{2} WebApp Vul Scanner
{3} Port Scanner
{4} CMS Scanner
{5} Fuzzers
{6} Cms Exploit Scanner
{7} Backdoor Generation
{8} Linux Log Clear

WebApp Vul Scanner
{1} Xss scanner
{2} Sql Scanner
{3} Tomcat RCE

Port Scanner
[0] Nmap Scan
[1] Unicorn Scan

Nmap Scan
[2] Nmap Os Scan
[3] Nmap TCP Scan
[4] Nmap UDB Scan
[5] Nmap All scan
[6] Nmap Http Option Scan
[7] Nmap Live target In Network

Unicorn Scan
[8] Services OS
[9] TCP SYN Scan on a whole network
[01] UDP scan on the whole network

Backdoor Generation
{1} Generate Shell
{2} Connect Shell

USAGE
1 - Help Command
[site] MAKE YOUR TARGET
[help] show this MESSAGE
[exit] show this MESSAGE
2 - Site command
Put your target www.example.com without the http

Linux Setup
git clone https://github.com/bahaabdelwahed/killshot
cd killshot
ruby setup.rb (if setup shows any error just try to install the gems/tools manually)
ruby killshot.rb

Download Killshot

Link: http://feedproxy.google.com/~r/PentestTools/~3/IlvKISrJPxU/killshot-information-gathering-tool.html

TLS-Scanner – The TLS-Scanner Module From TLS-Attacker

TLS-Scanner is a tool created by the Chair for Network and Data Security from the Ruhr-University Bochum to assist pentesters and security researchers in the evaluation of TLS server configurations.

Please note: TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.

Compiling
In order to compile and use TLS-Scanner, you need to have Java and Maven installed, as well as TLS-Attacker in version 2.5.
$ cd TLS-Scanner
$ mvn clean package
Alternatively, if you are in a hurry, you can skip the tests by using:
$ mvn clean package -DskipTests=true
If you want to use TLS-Scanner as a library you need to install it with the following command:
$ mvn clean install
For hints on installing the required libraries check out the corresponding GitHub repositories.
Please note: In order to run this tool you need TLS-Attacker version 2.5.

Running
In order to run TLS-Scanner you need to run the jar file in the apps/ folder.
$ java -jar apps/TLS-Scanner.jar -connect localhost:4433
You can specify the host you want to scan with the -connect parameter. If you want to improve the performance of the scan you can use the -threads parameter (default=1).

Download TLS-Scanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/3vZoHo77ji4/tls-scanner-tls-scanner-module-from-tls.html

Infog – Information Gathering Tool

InfoG is a shell script to perform information gathering.

Features
- Check Website info
- Check Phone info
- IP Tracker
- Check Valid E-mail
- Check if site is Up/Down
- Check internet speed
- Check Personal info
- Find IP behind Cloudflare
- Find Subdomains
- Port Scan (Multi-threaded)
- Check CMS
- Check DNS leaking

Usage:
git clone https://github.com/thelinuxchoice/infog
cd infog
bash infog.sh
Install requirements (Curl, Netcat):
apt-get install -y curl nc

Download Infog

Link: http://feedproxy.google.com/~r/PentestTools/~3/OyggVSU7sKU/infog-information-gathering-tool.html

ReconDog v2.0 – Reconnaissance Swiss Army Knife

Main Features
- Wizard + CLA interface
- Can extract targets from STDIN (piped input) and act upon them
- All the information is extracted with APIs, no direct contact is made to the target

Utilities
- Censys: Uses censys.io to gather a massive amount of information about an IP address.
- NS Lookup: Does a name server lookup
- Port Scan: Scans the most common TCP ports
- Detect CMS: Can detect 400+ content management systems
- Whois lookup: Performs a whois lookup
- Detect honeypot: Uses shodan.io to check if the target is a honeypot
- Find subdomains: Uses findsubdomains.com to find subdomains
- Reverse IP lookup: Does a reverse IP lookup to find domains associated with an IP address
- Detect technologies: Uses wappalyzer.com to detect 1000+ technologies
- All: Runs all utilities against the target

Compatibility
Recon Dog will run on anything that has a python interpreter installed. However, it has been tested on the following configurations:
Operating Systems: Windows, Linux, Mac
Python Versions: Python 2.7, Python 3.6

Installation
Recon Dog requires no manual configuration and can simply be run as a normal python script. However, a debian package can be downloaded from here if you want to install it.

Usage
Wizard Interface
The wizard interface is the most straightforward way to use Recon Dog. Just run the program, select what you want to do and enter the target, it's that simple.
CLA Interface
Recon Dog also has a Command Line Argument interface. Here's how you can find subdomains:
python dog -t marvel.com -c 7
There's more to it! Do you have a program that can enumerate subdomains and you want to scan the ports of all the subdomains it finds? Don't worry, Recon Dog is designed for handling such cases. You can simply do this:
subdomainfinder -t example.com | python dog --domains -c 3
Also, it doesn't matter what kind of output the other program generates: Recon Dog uses regular expressions to find targets, which makes it easy to integrate with literally every tool.
There are two switches available:
--domains  extract domains from STDIN
--ips      extract ip addresses from STDIN

Download ReconDog

Link: http://feedproxy.google.com/~r/PentestTools/~3/n4hrJaCBqDo/recondog-v20-reconnaissance-swiss-army.html