Zeebsploit – Web Scanner / Exploitation / Information Gathering

zeebsploit is a tool for hacking: searching for web information and scanning a web site for vulnerabilities.

Installation & Usage

apt-get install git
git clone https://github.com/jaxBCD/Zeebsploit.git
cd Zeebsploit
chmod +x install
./install
python3 zeebsploit.py

Type 'help' to show the modules and follow the instructions.

Modules

[Main modules]

| Modules | Description |
|---|---|
| Exploit | Exploitation Modules |
| Scanners | Scanners Modules |
| infoga | Information Gathering Modules |

[Exploit Modules]

| Modules | Description |
|---|---|
| wp content injection | wordpress content injection version 4.7 or 4.7.1 |
| wp revslider | wordpress plugin revslider remote file upload |
| wp learndash | wordpress learndash remote file upload |
| wp swhobiz | wordpress plugin showbiz remote file upload |
| joomla com fabrik | joomla component fabrik file upload |
| joomla manager get config | joomla component manager auto get config |
| joomla jdownload | joomla component jdownloads remote file upload |
| joomla | Joomla ads manager component auto shell upload |
| apache struts rce | CVE: 2017-5638 - Apache Struts2 S2-045 remote command execution |
| drupal8 rce | drupal version 8 remote command execution |
| dvr cam leak credential | TBK DVR4104 / DVR4216 - Credentials Leak (get user and password) |
| webdav file upload | Nothing |
| --More-- | Coming soon in the following version |

[Scanner Module]

| Modules | Description |
|---|---|
| subdomain scanner | Scan Subdomain for Web |
| sqli scanner | Scan SQL Injection Vulnerability |
| xss scanner | Scan XSS Injection Vulnerability |
| lfi scanner | Local File Includes Scanner (etc/passwd) |
| admin login finder | Scan Admin Login page |
| directory scanner | scan directory on web using dirhunt |
| subdomain takeover | scan type subdomain takeover |
| --More-- | Coming soon in the following version |

[Information Gathering]

| Modules | Description |
|---|---|
| cms detector | a tool for detecting cms on a web |
| port scanner | Scan Open Port using Nmap |
| information header | response header information |
| ip geolocation | detect the location of an ip or host |
| email searcher | searching email from web |
| traceroute | to show the route the package has passed |
| robot.txt detector | Scan Robot.txt from Web |
| header information | Response Header Checker |
| whois lookup | looking for registered users or recipients of Internet resource rights |
| --More-- | Coming soon in the following version |

Download Zeebsploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/9xaMRbIv1Dk/zeebsploit-web-scanner-exploitation.html

Vuls – Vulnerability Scanner For Linux/FreeBSD, Agentless, Written In Go

Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
Twitter: @vuls_en

Abstract

For a system administrator, having to perform security vulnerability analysis and software updates on a daily basis can be a burden. To avoid downtime in a production environment, it is common for a system administrator to choose not to use the automatic update option provided by the package manager and to perform updates manually. This leads to the following problems.

- The system administrator will have to constantly watch out for any new vulnerabilities in the NVD (National Vulnerability Database) or similar databases.
- It might be impossible for the system administrator to monitor all the software if a large number of packages are installed on the server.
- It is expensive to perform analysis to determine the servers affected by new vulnerabilities, and there is a real possibility of overlooking a server or two during analysis.

Vuls is a tool created to solve the problems listed above. It has the following characteristics.

- Informs users of the vulnerabilities that are related to the system.
- Informs users of the servers that are affected.
- Vulnerability detection is done automatically to prevent any oversight.
- Reports are generated on a regular basis using CRON or other methods to manage vulnerabilities.

Main Features

- Scan for any vulnerabilities in Linux/FreeBSD servers
  - Supports major Linux/FreeBSD distributions: Alpine, Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, SUSE Enterprise Linux, Raspbian and FreeBSD
  - Cloud, on-premise, Docker
- High quality scan: Vuls uses multiple vulnerability databases
  - NVD
  - JVN (Japanese)
  - OVAL (RedHat, Debian, Ubuntu, SUSE, Oracle Linux)
  - Alpine-secdb
  - Red Hat Security Advisories
  - Debian Security Bug Tracker
  - Commands (yum, zypper, pkg-audit): RHSA/ALAS/ELSA/FreeBSD-SA
  - Exploit Database
  - Changelog
- Fast scan and Deep scan
  - Fast Scan
    - Scan without root privilege, no dependencies
    - Almost no load on the scan target server
    - Offline mode scan with no internet access (Red Hat, CentOS, Oracle Linux, Ubuntu, Debian)
  - Fast Root Scan
    - Scan with root privilege
    - Almost no load on the scan target server
    - Detect processes affected by an update using yum-ps (RedHat, CentOS, Oracle Linux and Amazon Linux)
    - Detect processes that were updated but not yet restarted using checkrestart from debian-goodies (Debian and Ubuntu)
    - Offline mode scan with no internet access (RedHat, CentOS, Oracle Linux, Ubuntu, Debian)
  - Deep Scan
    - Scan with root privilege
    - Parses the changelog. A changelog has a history of version changes; when a security issue is fixed, the relevant CVE ID is listed. By parsing the changelog and analysing the updates between the installed version of software on the server and the newest version of that software, it is possible to create a list of all vulnerabilities that need to be fixed.
    - Sometimes puts load on the scan target server
- Remote scan and Local scan
  - Remote Scan: the user is required to set up only one machine that is connected to the other target servers via SSH
  - Local Scan: if you don't want the central Vuls server to connect to each server by SSH, you can use Vuls in Local Scan mode
- Dynamic Analysis
  - It is possible to acquire the state of the server by connecting via SSH and executing commands.
  - Vuls warns when the scan target server has updated the kernel etc. but has not been restarted.
- Scan middleware that is not included in OS package management
  - Scan middleware, programming language libraries and frameworks for vulnerabilities
  - Supports software registered in CPE
- MISC
  - Nondestructive testing
  - Pre-authorization is NOT necessary before scanning on AWS
  - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.
  - Auto generation of configuration file template: auto detection of servers set using CIDR, generate configuration file template
  - Email and Slack notification is possible (supports Japanese language)
  - Scan result is viewable on accessory software, TUI Viewer on terminal or Web UI (VulsRepo).

What Vuls Doesn't Do

- Vuls doesn't update the vulnerable packages.

Authors

kotakanbe (@kotakanbe) created vuls and these fine people have contributed.

Change Log

Please see CHANGELOG.

Download Vuls
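An added illustration of the changelog-based Deep Scan idea described above (example code written for this page, not Vuls' own implementation): it walks a Debian-style changelog newest-first and collects the CVE IDs mentioned in entries newer than the installed version, reporting the smallest upgrade that fixes each one. The changelog text, package name and CVE numbers are constructed placeholders, and the version comparison is a simplified numeric ordering rather than full dpkg ordering (an assumption).

```python
import re

# Matches a CVE identifier anywhere in a changelog line.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Debian changelog entry header: "<package> (<version>) <distribution>; urgency=<level>"
ENTRY_RE = re.compile(r"^(\S+) \((\S+)\) \S+; urgency=\S+")

# Constructed sample changelog; the package, versions and CVE numbers are
# placeholders made up for this example, not a real package history.
SAMPLE_CHANGELOG = """\
examplepkg (1.2.3-3) stable; urgency=high

  * Fix heap overflow in request parser (CVE-2019-99001)
  * Fix NULL dereference on malformed header (CVE-2019-99002)

 -- Maintainer <maint@example.org>  Mon, 04 Mar 2019 10:00:00 +0000

examplepkg (1.2.3-2) stable; urgency=medium

  * Fix information leak in debug logging (CVE-2018-99003)

 -- Maintainer <maint@example.org>  Tue, 15 Jan 2019 10:00:00 +0000

examplepkg (1.2.3-1) stable; urgency=low

  * New upstream release, fixes CVE-2017-99004

 -- Maintainer <maint@example.org>  Wed, 05 Dec 2018 10:00:00 +0000
"""


def version_key(version):
    """Simplified ordering key: split on non-digits and compare numerically.
    Assumption: adequate for versions such as 1.2.3-2; real dpkg ordering
    also handles letters, tildes and epochs, which this ignores."""
    return tuple(int(p) for p in re.split(r"[^0-9]+", version) if p)


def parse_changelog(text):
    """Return [(version, {cve, ...}), ...] in file order (newest entry first)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(2), set()))
        elif entries:
            # Body lines belong to the most recently seen entry header.
            entries[-1][1].update(CVE_RE.findall(line))
    return entries


def unfixed_cves(changelog, installed_version):
    """Map each CVE fixed in an entry newer than installed_version to the
    oldest version that mentions it, i.e. the minimum upgrade that fixes it."""
    installed = version_key(installed_version)
    fixed_in = {}
    # Entries are newest-first, so later assignments come from older versions
    # and overwrite: the final value is the oldest version fixing the CVE.
    for version, ids in parse_changelog(changelog):
        if version_key(version) > installed:
            for cve in ids:
                fixed_in[cve] = version
    return fixed_in


if __name__ == "__main__":
    for cve, version in sorted(unfixed_cves(SAMPLE_CHANGELOG, "1.2.3-1").items()):
        print(f"{cve}: fixed in {version}")
```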

Link: http://www.kitploit.com/2019/03/vuls-vulnerability-scanner-for.html

Jok3R – Network And Web Pentest Framework

Jok3r is a Python3 CLI application which is aimed at helping penetration testers with network infrastructure and web black-box security tests. Its main goal is to save time on everything that can be automated during a network/web pentest in order to spend more time on more interesting and challenging stuff. To achieve that, it combines open-source hacking tools to run various security checks against all common network services.

Main features

Toolbox management:
- Install automatically all the hacking tools used by Jok3r,
- Keep the toolbox up-to-date,
- Easily add new tools.

Attack automation:
- Target most common network services (including web),
- Run security checks by chaining hacking tools, following the standard process (Reconnaissance, Vulnerability scanning, Exploitation, Account bruteforce, (Basic) Post-exploitation),
- Let Jok3r automatically choose the checks to run according to the context and knowledge about the target.

Mission management / Local database:
- Organize targets by missions in a local database,
- Fully manage missions and targets (hosts/services) via an interactive shell (like msfconsole db),
- Access results from security checks.

Jok3r has been built with the ambition to be easily and quickly customizable: tools, security checks, supported network services... can be easily added/edited/removed by editing settings files with an easy-to-understand syntax.

Installation

The recommended way to use Jok3r is inside a Docker container, so you will not have to worry about dependency issues and installing the various hacking tools of the toolbox.

A Docker image is available on Docker Hub and automatically re-built at each update: https://hub.docker.com/r/koutto/jok3r/. It is initially based on the official Kali Linux Docker image (kalilinux/kali-linux-docker).

Pull the Jok3r Docker image:
sudo docker pull koutto/jok3r

Run a fresh Docker container:
sudo docker run -i -t --name jok3r-container -w /root/jok3r --net=host koutto/jok3r

Important: the --net=host option is required to share the host's interface. It is needed for reverse connections (e.g. a ping back to the container when testing for RCE, or getting a reverse shell).

Jok3r and its toolbox are ready to use!

To re-run a stopped container:
sudo docker start -i jok3r-container

To open multiple shells inside the container:
sudo docker exec -it jok3r-container bash

For information about building your own Docker image or installing Jok3r on your system without using Docker, refer to https://jok3r.readthedocs.io/en/latest/installation.html

Quick usage examples

Show all the tools in the toolbox:
python3 jok3r.py toolbox --show-all

Install all the tools in the toolbox:
python3 jok3r.py toolbox --install-all --fast

Update all the tools in the toolbox:
python3 jok3r.py toolbox --update-all --fast

List supported services:
python3 jok3r.py info --services

Show security checks for HTTP:
python3 jok3r.py info --checks http

Create a new mission in the local database:
python3 jok3r.py db
jok3rdb[default]> mission -a MayhemProject
[+] Mission "MayhemProject" successfully added
[*] Selected mission is now MayhemProject
jok3rdb[MayhemProject]>

Run security checks against a URL and add results to the mission:
python3 jok3r.py attack -t https://www.example.com/webapp/ --add MayhemProject

Run security checks against an MSSQL service (without user interaction) and add results to the mission:
python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql --add MayhemProject --fast

Import hosts/services from Nmap results into the mission scope:
python3 jok3r.py db
jok3rdb[default]> mission MayhemProject
[*] Selected mission is now MayhemProject
jok3rdb[MayhemProject]> nmap results.xml

Run security checks against all services in the given mission and store results in the database:
python3 jok3r.py attack -m MayhemProject --fast

Run security checks against only FTP services running on ports 21/tcp and 2121/tcp from the mission:
python3 jok3r.py attack -m MayhemProject -f "port=21,2121;service=ftp" --fast

Run security checks against only FTP services running on port 2121/tcp and all HTTP services on 192.168.1.42 from the mission:
python3 jok3r.py attack -m MayhemProject -f "port=2121;service=ftp" -f "ip=192.168.1.42;service=http"

Typical usage example

You begin a pentest with several servers in the scope. Here is a typical example of usage of Jok3r:

1. You run an Nmap scan on the servers in the scope.

2. You create a new mission (let's say "MayhemProject") in the local database:
python3 jok3r.py db
jok3rdb[default]> mission -a MayhemProject
[+] Mission "MayhemProject" successfully added
[*] Selected mission is now MayhemProject
jok3rdb[MayhemProject]>

3. You import your results from the Nmap scan into the database:
jok3rdb[MayhemProject]> nmap results.xml

4. You can then have a quick overview of all services and hosts in the scope, add some comments, add some credentials if you already have some knowledge about the targets (grey box pentest), and so on:
jok3rdb[MayhemProject]> hosts
[...]
jok3rdb[MayhemProject]> services
[...]

5. Now, you can run security checks against some targets in the scope. For example, if you want to run checks against all Java-RMI services in the scope, you can run the following command:
python3 jok3r.py attack -m MayhemProject -f "service=java-rmi" --fast

6. You can view the results from the security checks either live while the tools are executed or later from the database using the following command:
jok3rdb[MayhemProject]> results

Full Documentation

Documentation is available at: https://jok3r.readthedocs.io/

Supported Services & Security Checks

Lots of checks remain to be implemented and services must be added!!
Work in progress ...

- AJP (default 8009/tcp)
- FTP (default 21/tcp)
- HTTP (default 80/tcp)
- Java-RMI (default 1099/tcp)
- JDWP (default 9000/tcp)
- MSSQL (default 1433/tcp)
- MySQL (default 3306/tcp)
- Oracle (default 1521/tcp)
- PostgreSQL (default 5432/tcp)
- RDP (default 3389/tcp)
- SMB (default 445/tcp)
- SMTP (default 25/tcp)
- SNMP (default 161/udp)
- SSH (default 22/tcp)
- Telnet (default 21/tcp)
- VNC (default 5900/tcp)

AJP (default 8009/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap AJP scripts | nmap |
| tomcat-version | recon | Fingerprint Tomcat version through AJP | ajpy |
| vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positives!) | vuln-databases |
| default-creds-tomcat | bruteforce | Check default credentials for Tomcat Application Manager | ajpy |
| deploy-webshell-tomcat | exploit | Deploy a webshell on Tomcat through AJP | ajpy |

FTP (default 21/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap FTP scripts | nmap |
| nmap-vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positives!) | vuln-databases |
| ftpmap-scan | vulnscan | Identify FTP server software/version and check for known vulns | ftpmap |
| common-creds | bruteforce | Check common credentials on FTP server | patator |
| bruteforce-creds | bruteforce | Bruteforce FTP accounts | patator |

HTTP (default 80/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap HTTP scripts | nmap |
| load-balancing-detection | recon | HTTP load balancer detection | halberd |
| waf-detection | recon | Identify and fingerprint WAF products protecting website | wafw00f |
| tls-probing | recon | Identify the implementation in use by SSL/TLS servers (might allow server fingerprinting) | tls-prober |
| fingerprinting-multi-whatweb | recon | Identify CMS, blogging platforms, JS libraries, Web servers | whatweb |
| fingerprinting-app-server | recon | Fingerprint application server (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish) | clusterd |
| fingerprinting-server-domino | recon | Fingerprint IBM/Lotus Domino server | domiowned |
| fingerprinting-cms-wig | recon | Identify several CMS and other administrative applications | wig |
| fingerprinting-cms-cmseek | recon | Detect CMS (130+ supported), detect version on Drupal, advanced scan on WordPress/Joomla | cmseek |
| fingerprinting-cms-fingerprinter | recon | Fingerprint precisely CMS versions (based on file checksums) | fingerprinter |
| fingerprinting-cms-cmsexplorer | recon | Find plugins and themes (using bruteforce) installed in a CMS (WordPress, Drupal, Joomla, Mambo) | cmsexplorer |
| fingerprinting-drupal | recon | Fingerprint Drupal 7/8: users, nodes, default files, modules, themes enumeration | drupwn |
| crawling-fast | recon | Crawl website quickly, analyze interesting files/directories | dirhunt |
| crawling-fast2 | recon | Crawl website and extract URLs, files, intel & endpoints | photon |
| vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positives!) | vuln-databases |
| ssl-check | vulnscan | Check SSL/TLS configuration | testssl |
| vulnscan-multi-nikto | vulnscan | Check for multiple web vulnerabilities/misconfigurations | nikto |
| default-creds-web-multi | vulnscan | Check for default credentials on various web interfaces | changeme |
| webdav-scan-davscan | vulnscan | Scan HTTP WebDAV | davscan |
| webdav-scan-msf | vulnscan | Scan HTTP WebDAV | metasploit |
| webdav-internal-ip-disclosure | vulnscan | Check for WebDAV internal IP disclosure | metasploit |
| webdav-website-content | vulnscan | Detect webservers disclosing their content through WebDAV | metasploit |
| http-put-check | vulnscan | Detect support for the dangerous HTTP PUT method | metasploit |
| apache-optionsbleed-check | vulnscan | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798) | optionsbleed |
| shellshock-scan | vulnscan | Detect if web server is vulnerable to Shellshock (CVE-2014-6271) | shocker |
| iis-shortname-scan | vulnscan | Scan for IIS short filename (8.3) disclosure vulnerability | iis-shortname-scanner |
| iis-internal-ip-disclosure | vulnscan | Check for IIS internal IP disclosure | metasploit |
| tomcat-user-enum | vulnscan | Enumerate users on Tomcat 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18 | metasploit |
| jboss-vulnscan-multi | vulnscan | Scan JBoss application server for multiple vulnerabilities | metasploit |
| jboss-status-infoleak | vulnscan | Queries JBoss status servlet to collect sensitive information (JBoss 4.0, 4.2.2 and 4.2.3) | metasploit |
| jenkins-infoleak | vulnscan | Enumerate a remote Jenkins-CI installation in an unauthenticated manner | metasploit |
| cms-multi-vulnscan-cmsmap | vulnscan | Check for vulnerabilities in CMS WordPress, Drupal, Joomla | cmsmap |
| wordpress-vulscan | vulnscan | Scan for vulnerabilities in CMS WordPress | wpscan |
| wordpress-vulscan2 | vulnscan | Scan for vulnerabilities in CMS WordPress | wpseku |
| joomla-vulnscan | vulnscan | Scan for vulnerabilities in CMS Joomla | joomscan |
| joomla-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlascan |
| joomla-vulnscan3 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlavs |
| drupal-vulnscan | vulnscan | Scan for vulnerabilities in CMS Drupal | droopescan |
| magento-vulnscan | vulnscan | Check for misconfigurations in CMS Magento | magescan |
| silverstripe-vulnscan | vulnscan | Scan for vulnerabilities in CMS Silverstripe | droopescan |
| vbulletin-vulnscan | vulnscan | Scan for vulnerabilities in CMS vBulletin | vbscan |
| liferay-vulnscan | vulnscan | Scan for vulnerabilities in CMS Liferay | liferayscan |
| angularjs-csti-scan | vulnscan | Scan for AngularJS Client-Side Template Injection | angularjs-csti-scanner |
| jboss-deploy-shell | exploit | Try to deploy shell on JBoss server (jmx/web/admin-console, JMXInvokerServlet) | jexboss |
| struts2-rce-cve2017-5638 | exploit | Exploit Apache Struts2 Jakarta Multipart parser RCE (CVE-2017-5638) | jexboss |
| struts2-rce-cve2017-9805 | exploit | Exploit Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805) | struts-pwn-cve2017-9805 |
| struts2-rce-cve2018-11776 | exploit | Exploit Apache Struts2 misconfiguration RCE (CVE-2018-11776) | struts-pwn-cve2018-11776 |
| tomcat-rce-cve2017-12617 | exploit | Exploit for Apache Tomcat JSP Upload Bypass RCE (CVE-2017-12617) | exploit-tomcat-cve2017-12617 |
| jenkins-cliport-deserialize | exploit | Exploit Java deserialization in Jenkins CLI port | jexboss |
| weblogic-t3-deserialize-cve2015-4852 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2015-4852) | loubia |
| weblogic-t3-deserialize-cve2017-3248 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2017-3248) | exploit-weblogic-cve2017-3248 |
| weblogic-t3-deserialize-cve2018-2893 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2018-2893) | exploit-weblogic-cve2018-2893 |
| weblogic-wls-wsat-cve2017-10271 | exploit | Exploit WLS-WSAT in Weblogic (CVE-2017-10271) | exploit-weblogic-cve2017-10271 |
| drupal-cve-exploit | exploit | Check and exploit CVEs in CMS Drupal 7/8 (includes Drupalgeddon2) (requires user interaction) | drupwn |
| bruteforce-domino | bruteforce | Bruteforce against IBM/Lotus Domino server | domiowned |
| bruteforce-wordpress | bruteforce | Bruteforce WordPress accounts | wpseku |
| bruteforce-joomla | bruteforce | Bruteforce Joomla account | xbruteforcer |
| bruteforce-drupal | bruteforce | Bruteforce Drupal account | xbruteforcer |
| bruteforce-opencart | bruteforce | Bruteforce Opencart account | xbruteforcer |
| bruteforce-magento | bruteforce | Bruteforce Magento account | xbruteforcer |
| web-path-bruteforce-targeted | bruteforce | Bruteforce web paths when language is known (extensions adapted) (uses raft wordlist) | dirsearch |
| web-path-bruteforce-blind | bruteforce | Bruteforce web paths when language is unknown (uses raft wordlist) | wfuzz |
| web-path-bruteforce-opendoor | bruteforce | Bruteforce web paths using OWASP OpenDoor wordlist | wfuzz |
| wordpress-shell-upload | postexploit | Upload shell on WordPress if admin credentials are known | wpforce |

Java-RMI (default 1099/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Attempt to dump all objects from Java-RMI service | nmap |
| rmi-enum | recon | Enumerate RMI services | barmie |
| jmx-info | recon | Get information about JMX and the MBean server | twiddle |
| vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positives!) | vuln-databases |
| jmx-bruteforce | bruteforce | Bruteforce creds to connect to JMX registry | jmxbf |
| exploit-rmi-default-config | exploit | Exploit default config in RMI Registry to load classes from any remote URL (not working against JMX) | metasploit |
| exploit-jmx-insecure-config | exploit | Exploit JMX insecure config. Auth disabled: should be vuln. Auth enabled: vuln if weak config | metasploit |
| jmx-auth-disabled-deploy-class | exploit | Deploy malicious MBean on JMX service with auth disabled (alternative to msf module) | sjet |
| tomcat-jmxrmi-deserialize | exploit | Exploit Java-RMI deserialize in Tomcat (CVE-2016-8735, CVE-2016-8735), req. JmxRemoteLifecycleListener | jexboss |
| rmi-deserialize-all-payloads | exploit | Attempt to exploit Java deserialize against Java RMI Registry with all ysoserial payloads | ysoserial |
| tomcat-jmxrmi-manager-creds | postexploit | Retrieve Manager creds on Tomcat JMX (req. auth disabled or creds known on JMX) | jmxploit |

JDWP (default 9000/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap JDWP scripts | nmap |
| jdwp-rce | exploit | Gain RCE on JDWP service (show OS/Java info as PoC) | jdwp-shellifier |

MSSQL (default 1433/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap MSSQL scripts | nmap |
| mssqlinfo | recon | Get technical information about a remote MSSQL server (uses TDS protocol and SQL Browser Server) | msdat |
| common-creds | bruteforce | Check common/default credentials on MSSQL server | msdat |
| bruteforce-sa-account | bruteforce | Bruteforce MSSQL "sa" account | msdat |
| audit-mssql-postauth | postexploit | Check permissive privileges, methods allowing command execution, weak accounts after authenticating on MSSQL | msdat |

MySQL (default 3306/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap MySQL scripts | nmap |
| mysql-auth-bypass-cve2012-2122 | exploit | Exploit password bypass vulnerability in MySQL (CVE-2012-2122) | metasploit |
| default-creds | bruteforce | Check default credentials on MySQL server | patator |
| mysql-hashdump | postexploit | Retrieve usernames and password hashes from MySQL database (req. creds) | metasploit |
| mysql-interesting-tables-columns | postexploit | Search for interesting tables and columns in database | jok3r-scripts |

Oracle (default 1521/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| tnscmd | recon | Connect to TNS Listener and issue commands Ping, Status, Version | odat |
| tnspoisoning | vulnscan | Test if TNS Listener is vulnerable to TNS Poisoning (CVE-2012-1675) | odat |
| common-creds | bruteforce | Check common/default credentials on Oracle server | odat |
| bruteforce-creds | bruteforce | Bruteforce Oracle accounts (might lock some accounts!) | odat |
| audit-oracle-postauth | postexploit | Check for privesc vectors, config leading to command execution, weak accounts after authenticating on Oracle | odat |
| search-columns-passwords | postexploit | Search for columns storing passwords in the database | odat |

PostgreSQL (default 5432/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| default-creds | bruteforce | Check default credentials on PostgreSQL server | patator |

RDP (default 3389/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| ms12-020 | vulnscan | Check for MS12-020 RCE vulnerability (any Windows before 13 Mar 2012) | metasploit |

SMB (default 445/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap SMB scripts | nmap |
| anonymous-enum-smb | recon | Attempt to perform enum (users, shares...) without account | nullinux |
| nmap-vulnscan | vulnscan | Check for vulns in SMB (MS17-010, MS10-061, MS10-054, MS08-067...) using Nmap | nmap |
| detect-ms17-010 | vulnscan | Detect MS17-010 SMB RCE | metasploit |
| samba-rce-cve2015-0240 | vulnscan | Detect RCE vuln (CVE-2015-0240) in Samba 3.5.x and 3.6.x | metasploit |
| exploit-rce-ms08-067 | exploit | Exploit for RCE vuln MS08-067 on SMB | metasploit |
| exploit-rce-ms17-010-eternalblue | exploit | Exploit for RCE vuln MS17-010 EternalBlue on SMB | metasploit |
| exploit-sambacry-rce-cve2017-7494 | exploit | Exploit for SambaCry RCE on Samba <= 4.5.9 (CVE-2017-7494) | metasploit |
| auth-enum-smb | postexploit | Authenticated enumeration (users, groups, shares) on SMB | nullinux |
| auth-shares-perm | postexploit | Get R/W permissions on SMB shares | smbmap |
| smb-exec | postexploit | Attempt to get a remote shell (psexec-like, requires Administrator creds) | impacket |

SMTP (default 25/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| smtp-cve | vulnscan | Scan for vulnerabilities (CVE-2010-4344, CVE-2011-1720, CVE-2011-1764, open-relay) on SMTP | nmap |
| smtp-user-enum | vulnscan | Attempt to perform user enumeration via SMTP commands EXPN, VRFY and RCPT TO | smtp-user-enum |

SNMP (default 161/udp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| common-community-strings | bruteforce | Check common community strings on SNMP server | metasploit |
| snmpv3-bruteforce-creds | bruteforce | Bruteforce SNMPv3 credentials | snmpwn |
| enumerate-info | postexploit | Enumerate information provided by SNMP (and check for write access) | snmp-check |

SSH (default 22/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| vulns-algos-scan | vulnscan | Scan supported algorithms and security info on SSH server | ssh-audit |
| user-enumeration-timing-attack | exploit | Try to perform OpenSSH (versions <= 7.2 and >= 5.*) user enumeration timing attack | osueta |
| default-ssh-key | bruteforce | Try to authenticate on SSH server using known SSH keys | changeme |
| default-creds | bruteforce | Check default credentials on SSH | patator |

Telnet (default 21/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap Telnet scripts | nmap |
| default-creds | bruteforce | Check default credentials on Telnet (dictionary from https://cirt.net/passwords) | patator |
| bruteforce-root-account | bruteforce | Bruteforce "root" account on Telnet | patator |

VNC (default 5900/tcp)

| Name | Category | Description | Tool used |
|---|---|---|---|
| nmap-recon | recon | Recon using Nmap VNC scripts | nmap |
| vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positives!) | vuln-databases |
| bruteforce-pass | bruteforce | Bruteforce VNC password | patator |

Download Jok3R

Link: http://feedproxy.google.com/~r/PentestTools/~3/dhiTfm3fEdk/jok3r-network-and-web-pentest-framework.html

Celerystalk – An Asynchronous Enumeration and Vulnerability Scanner

celerystalk helps you automate your network scanning/enumeration process with asynchronous jobs (aka tasks) while retaining full control of which tools you want to run.

- Configurable - Some common tools are in the default config, but you can add any tool you want
- Service Aware - Uses nmap/nessus service names rather than port numbers to decide which tools to run
- Scalable - Designed for scanning multiple hosts, but works well for scanning one host at a time
- VirtualHosts - Supports subdomain recon and virtualhost scanning
- Job Control - Supports canceling, pausing, and resuming of tasks, inspired by Burp scanner
- Screenshots - Automatically takes screenshots of every url identified via brute force (gobuster) and spidering (Photon)

Install/Setup
Supported Operating Systems: Kali
Supported Python Version: 2.x
You must install and run celerystalk as root.
    # git clone https://github.com/sethsec/celerystalk.git
    # cd celerystalk/setup
    # ./install.sh
    # cd ..
    # ./celerystalk -h

Using celerystalk - The basics

[CTF/HackTheBox mode] - How to scan a host by IP
    # nmap 10.10.10.10 -Pn -p- -sV -oX tenten.xml                         # Run nmap
    # ./celerystalk workspace create -o /htb                              # Create default workspace and set output dir
    # ./celerystalk import -f tenten.xml                                  # Import scan
    # ./celerystalk db services                                           # If you want to see what services were loaded
    # ./celerystalk scan                                                  # Run all enabled commands
    # ./celerystalk query watch (then Ctrl+c)                             # Watch scans move from pending > running > complete
    # ./celerystalk report                                                # Generate report
    # firefox /htb/celerystalkReports/Workspace-Report[Default].html &    # View report

[Vulnerability Assessment Mode] - How to scan a list of in-scope hosts/networks and any subdomains that resolve to any of the in-scope IPs
    # nmap -iL client-inscope-list.txt -Pn -p- -sV -oX client.xml         # Run nmap
    # ./celerystalk workspace create -o /assessments/client               # Create default workspace and set output dir
    # ./celerystalk import -f client.xml -S scope.txt                     # Import scan and scope files
    # ./celerystalk subdomains -d client.com,client.net                   # Find subdomains and determine if in scope
    # ./celerystalk scan                                                  # Run all enabled commands
    # ./celerystalk query watch (then Ctrl+c)                             # Wait for scans to finish
    # ./celerystalk report                                                # Generate report
    # firefox /celerystalkReports/Workspace-Report[Default].html &        # View report

[URL Mode] - How to scan a URL (use this mode to scan sub-directories found during the first wave of scans)
    # ./celerystalk workspace create -o /assessments/client               # Create default workspace and set output dir
    # ./celerystalk scan -u http://10.10.10.10/secret_folder/             # Run all enabled commands
    # ./celerystalk query watch (then Ctrl+c)                             # Wait for scans to finish
    # ./celerystalk report                                                # Generate report
    # firefox <path>/celerystalkReports/Workspace-Report[Default].html &  # View report

Using celerystalk - Some more detail

Configure which tools you'd like celerystalk to execute:
The install script drops a config.ini file in the celerystalk folder. The config.ini file is broken up into three sections:

Service Mapping - The first section normalizes Nmap & Nessus service names for celerystalk (this idea was created by @codingo_ in Reconnoitre AFAIK).
    [nmap-service-names]
    http = http,http-alt,http-proxy,www,http?
    https = ssl/http,https,ssl/http-alt,ssl/http?
    ftp = ftp,ftp?
    mysql = mysql
    dns = dns,domain,domain

Domain Recon Tools - The second section defines the tools you'd like to use for subdomain discovery (an optional feature):
    [domain-recon]
    amass : /opt/amass/amass -d [DOMAIN]
    sublist3r : python /opt/Sublist3r/sublist3r.py -d [DOMAIN]

Service Configuration - The rest of the config.ini sections define which commands you want celerystalk to run for each identified service (i.e., http, https, ssh).
Disable any command by commenting it out with a ; or a #. Add your own commands using the [TARGET], [PORT], and [OUTPUT] placeholders. Here is an example:
    [http]
    whatweb : whatweb http://[TARGET]:[PORT] -a3 --colour=never > [OUTPUT].txt
    cewl : cewl http://[TARGET]:[PORT]/ -m 6 -w [OUTPUT].txt
    curl_robots : curl http://[TARGET]:[PORT]/robots.txt --user-agent 'Googlebot/2.1 (+http://www.google.com/bot.html)' --connect-timeout 30 --max-time 180 > [OUTPUT].txt
    nmap_http_vuln : nmap -sC -sV -Pn -v -p [PORT] --script=http-vuln* [TARGET] -d -oN [OUTPUT].txt -oX [OUTPUT].xml --host-timeout 120m --script-timeout 20m
    nikto : nikto -h http://[TARGET] -p [PORT] &> [OUTPUT].txt
    gobuster-common : gobuster -u http://[TARGET]:[PORT]/ -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -n -q > [OUTPUT].txt
    photon : python /opt/Photon/photon.py -u http://[TARGET]:[PORT] -o [OUTPUT]
    ;gobuster_2.3-medium : gobuster -u http://[TARGET]:[PORT]/ -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s '200,204,301,307,403,500' -e -n -q > [OUTPUT].txt

Run Nmap or Nessus:
Nmap: Run nmap against your target(s). Required: enable version detection (-sV) and output to XML (-oX filename.xml). All other nmap options are up to you.
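The following is an added example, not code from celerystalk itself. It shows the part of the workflow the three config sections above describe: an Nmap XML import is reduced to (ip, port, service) triples, raw Nmap service names are normalised through the [nmap-service-names] table, and the enabled templates of the matching [service] section are expanded with [TARGET], [PORT] and [OUTPUT]. It also shows the in-scope rule used by the import and subdomains commands (a name is in scope only if it resolves to an address already in the DB). The config fragment and the Nmap XML are constructed for the example; the [OUTPUT] naming scheme and the resolver hook are assumptions, not celerystalk's real layout.

```python
"""Added example (not celerystalk's own code): how an Nmap XML import is turned
into per-service commands. The config fragment and the Nmap XML are constructed
inline; the [OUTPUT] naming scheme is an assumption, celerystalk's real layout
differs."""
import configparser
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.ini fragment in the layout described above (';' disables a command).
CONFIG_INI = """
[nmap-service-names]
http = http,http-alt,http-proxy,www,http?
https = ssl/http,https,ssl/http-alt,ssl/http?
ssh = ssh

[http]
whatweb : whatweb http://[TARGET]:[PORT] -a3 --colour=never > [OUTPUT].txt
;nikto : nikto -h http://[TARGET] -p [PORT] &> [OUTPUT].txt
curl_robots : curl http://[TARGET]:[PORT]/robots.txt > [OUTPUT].txt

[ssh]
ssh_audit : ssh-audit [TARGET]:[PORT] > [OUTPUT].txt
"""

# Constructed Nmap -sV -oX output: "ssl/http" appears as name="http" tunnel="ssl";
# port 8080 is not open and must be ignored.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="10.10.10.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http-proxy"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
   <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-alt"/></port>
  </ports>
 </host>
</nmaprun>"""


def load_config(text):
    cfg = configparser.ConfigParser(interpolation=None)   # command lines may contain '%'
    cfg.read_string(text)
    return cfg


def service_map(cfg):
    """Reverse the [nmap-service-names] table: raw Nmap/Nessus name -> normalised name."""
    return {raw.strip(): norm
            for norm, raws in cfg["nmap-service-names"].items()
            for raw in raws.split(",")}


def import_nmap_xml(xml_text, mapping):
    """[(ip, port, normalised service)] for every open port in the scan."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue
            raw = svc.get("name", "") if svc is not None else ""
            if svc is not None and svc.get("tunnel"):            # Nmap prints this as ssl/http
                raw = f"{svc.get('tunnel')}/{raw}"
            found.append((addr.get("addr"), int(port.get("portid")), mapping.get(raw, raw)))
    return found


def render_commands(cfg, ip, port, service, output_dir):
    """Expand every enabled template of the [service] section; commented-out
    commands never reach configparser, so they are skipped automatically."""
    if not cfg.has_section(service):
        return []
    return [tmpl.replace("[TARGET]", ip).replace("[PORT]", str(port))
                .replace("[OUTPUT]", f"{output_dir}/{ip}/{port}_{name}")
            for name, tmpl in cfg[service].items()]


def in_scope(hostname, scope_cidrs, resolve):
    """celerystalk's subdomain rule: in scope only if the name resolves to an
    address already in the DB. resolve() is injected so the example runs offline."""
    ip = resolve(hostname)
    return ip is not None and any(ipaddress.ip_address(ip) in ipaddress.ip_network(c)
                                  for c in scope_cidrs)


def plan(config_text=CONFIG_INI, xml_text=NMAP_XML, output_dir="/assessments/client"):
    """Full import -> scan planning pass; returns {(ip, port, service): [commands]}."""
    cfg = load_config(config_text)
    return {(ip, port, svc): render_commands(cfg, ip, port, svc, output_dir)
            for ip, port, svc in import_nmap_xml(xml_text, service_map(cfg))}


if __name__ == "__main__":
    for key, cmds in plan().items():
        print(key, *cmds, sep="\n  ")
```

Running it shows three service entries (the filtered 8080 port is dropped), two commands for the http service (nikto is disabled by the leading ';'), one for ssh, and none for https because no [https] section exists, which is exactly how a missing or commented section silently skips a tool.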
Here are some examples:
    nmap target(s) -Pn -p- -sV -oX filename.xml
    nmap -iL target_list.txt -Pn -sV -oX filename.xml
Nessus: Run nessus against your target(s) and export the results as a .nessus file.

Create workspace:
    Option       Description
    no options   Prints current workspace
    create       Creates new workspace
    -w           Define new workspace name
    -o           Define output directory assigned to workspace

    Create default workspace:      ./celerystalk workspace create -o /assessments/client
    Create named workspace:        ./celerystalk workspace create -o /assessments/client -w client
    Switch to another workspace:   ./celerystalk workspace client

Import Data: Import data into celerystalk
    Option              Description
    -f scan.xml         Nmap/Nessus xml. Adds all IP addresses from this file to the hosts table and marks them all in scope to be scanned. Adds all ports and service types to the services table.
    -S scope.txt        Scope file. Adds the listed IPs/ranges to the hosts table and marks them in scope.
    -D subdomains.txt   (sub)Domains file. celerystalk determines whether each subdomain is in scope by resolving its IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.

    Import Nmap XML file:          ./celerystalk import -f /assessments/nmap.xml
    Import Nessus file:            ./celerystalk import -f /assessments/scan.nessus
    Import list of Domains:        ./celerystalk import -D <file>
    Import list of IPs/Ranges:     ./celerystalk import -S <file>
    Specify workspace:             ./celerystalk import -f <file>
    Import multiple files:         ./celerystalk import -f nmap.xml -S scope.txt -D domains.txt

Find Subdomains (Optional): celerystalk will perform subdomain recon using the tools specified in the config.ini.
    Option                   Description
    -d domain1,domain2,etc   Run Amass, Sublist3r, etc. and store domains in the DB. After running your subdomain recon tools celerystalk determines whether each subdomain is in scope by resolving its IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.

    Find subdomains:               ./celerystalk subdomains -d domain1.com,domain2.com

Launch Scan: I recommend using the import command first and running scan with no options, however you do have the option to do it all at once (import and scan) by using the flags below. celerystalk will submit tasks to celery, which asynchronously executes them and logs output to your output directory.
    Option                   Description
    no options               Scan all in scope hosts. Reads the DB and scans every in scope IP and subdomain. Launches all enabled tools for IPs, but only http/https specific tools against virtualhosts.
    -t ip,vhost,cidr         Scan specific target(s) from the DB or scan file. Scan a subset of the in scope IPs and/or subdomains.
    -s                       Simulation. Sends all of the tasks to celery, but all commands are executed with a # before them, rendering them inert.
    Use these only if you want to skip the import phase and import/scan all at once:
    -f scan.xml              Import and process Nmap/Nessus xml before scan. Adds all IP addresses from this file to the hosts table and marks them all in scope to be scanned. Adds all ports and service types to the services table.
    -S scope.txt             Import and process scope file before scan. Adds the listed IPs/ranges to the hosts table and marks them in scope.
    -D subdomains.txt        Import and process (sub)domains file before scan. celerystalk determines whether each subdomain is in scope by resolving its IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.
    -d domain1,domain2,etc   Find subdomains and scan in scope hosts. After running your subdomain recon tools celerystalk determines whether each subdomain is in scope by resolving its IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.

    Scan imported hosts/subdomains
    Scan all in scope hosts:       ./celerystalk scan
    Scan subset of DB hosts:       ./celerystalk scan -t 10.0.0.1,10.0.0.3
                                   ./celerystalk scan -t 10.0.0.100-200
                                   ./celerystalk scan -t 10.0.0.0/24
                                   ./celerystalk scan -t sub.domain.com
    Simulation mode:               ./celerystalk scan -s

    Import and Scan
    Start from Nmap XML file:      ./celerystalk scan -f /pentest/nmap.xml -o /pentest
    Start from Nessus file:        ./celerystalk scan -f /pentest/scan.nessus -o /pentest
    Scan all in scope vhosts:      ./celerystalk scan -f <file> -o /pentest -d domain1.com,domain2.com
    Scan subset hosts in XML:      ./celerystalk scan -f <file> -o /pentest -t 10.0.0.1,10.0.0.3
                                   ./celerystalk scan -f <file> -o /pentest -t 10.0.0.100-200
                                   ./celerystalk scan -f <file> -o /pentest -t 10.0.0.0/24
    Simulation mode:               ./celerystalk scan -f <file> -o /pentest -s

Rescan: Use this command to rescan an already scanned host.
    Option              Description
    no option           For each in scope host in the DB, celerystalk will ask if you want to rescan it
    -t ip,vhost,cidr    Scan a subset of the in scope IPs and/or subdomains.

    Rescan all hosts:              ./celerystalk rescan
    Rescan some hosts:             ./celerystalk rescan -t 1.2.3.4,sub.domain.com
    Simulation mode:               ./celerystalk rescan -s

Query Status: Asynchronously check the status of the tasks queue as frequently as you like. The watch mode actually executes the linux watch command so you don't fill up your entire terminal buffer.
    Option       Description
    no options   Shows all tasks in the default workspace
    watch        Sends the command to the unix watch command, which gives you an updated status every 2 seconds
    brief        Limit of 5 results per status (pending/running/completed/cancelled/paused)
    summary      Shows only a banner with numbers and not the tasks themselves

    Query Tasks:                   ./celerystalk query
                                   ./celerystalk query watch
                                   ./celerystalk query brief
                                   ./celerystalk query summary
                                   ./celerystalk query summary watch

Cancel/Pause/Resume Tasks: Cancel/Pause/Resume any task(s) that are currently running or in the queue.
    Option   Description
    cancel   Canceling a running task will send a kill -TERM. Canceling a queued task* will make celery ignore it (uses celery's revoke). Canceling all tasks* will kill running tasks and revoke all queued tasks.
    pause    Pausing a single task uses kill -STOP to suspend the process. Pausing all tasks* attempts to kill -STOP all running tasks, but it is a little wonky and you might need to run it a few times. It is possible a job completed before it was able to be paused, which means you will have a worker that is still accepting new jobs.
    resume   Resuming tasks* sends a kill -CONT which allows the process to start up again where it left off.

    Cancel/Pause/Resume Tasks:     ./celerystalk <verb> 5,6,10-20   # Cancel/Pause/Resume tasks 5, 6, and 10-20 from current workspace
                                   ./celerystalk <verb> all         # Cancel/Pause/Resume all tasks from current workspace

Run Report: Run a report which combines all of the tool output into an html file and a txt file. Run this as often as you like. Each time you run the report it overwrites the previous report.
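The POSIX mechanics behind the pause/resume/cancel verbs above, as an added example that is not celerystalk's own code: SIGSTOP suspends a running tool, SIGCONT lets it continue where it left off, SIGTERM cancels it. It also reproduces the race the job-control notes warn about, a task that finishes before the stop lands, which is detected from the waitpid() status rather than assumed. The two sample commands (a sleeper and an immediately exiting process) are constructed for the example; the code is Linux/POSIX only and does nothing about queued celery tasks, which celerystalk handles with revoke.

```python
"""Added example (not celerystalk's own code): the POSIX mechanics behind
celerystalk's pause/resume/cancel for one running task, including the race
the README warns about (the task finishing before it can be paused)."""
import os
import signal
import subprocess
import sys
import time

# Constructed sample "tasks": one that runs long enough to be paused, one that
# exits immediately (stands in for a scanner that finished before the pause).
SLEEPER = [sys.executable, "-c", "import time; time.sleep(30)"]
QUICK = [sys.executable, "-c", "pass"]


def pause_resume_cancel(cmd, settle=0.0):
    """Run cmd, then pause (SIGSTOP), resume (SIGCONT) and cancel (SIGTERM) it,
    returning the states actually observed through waitpid()."""
    proc = subprocess.Popen(cmd)
    time.sleep(settle)                       # widen the window in which the task may finish
    states = []
    os.kill(proc.pid, signal.SIGSTOP)        # "pause": suspend the process
    _, status = os.waitpid(proc.pid, os.WUNTRACED)
    if not os.WIFSTOPPED(status):
        # The task completed before the stop took effect; the worker is free again.
        proc.returncode = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
        return ["finished-before-pause"]
    states.append("paused")
    os.kill(proc.pid, signal.SIGCONT)        # "resume": continue where it left off
    _, status = os.waitpid(proc.pid, os.WCONTINUED)
    if os.WIFCONTINUED(status):
        states.append("resumed")
    proc.terminate()                         # "cancel": SIGTERM, as for a running task
    proc.wait()
    states.append("cancelled" if proc.returncode == -signal.SIGTERM else f"exited {proc.returncode}")
    return states


if __name__ == "__main__":
    print(pause_resume_cancel(SLEEPER))              # ['paused', 'resumed', 'cancelled']
    print(pause_resume_cancel(QUICK, settle=3.0))    # ['finished-before-pause']
```

Checking the waitpid() status instead of trusting that kill -STOP worked is what tells a "pause all" loop which workers are genuinely suspended and which ones already moved on to the next job.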
    Create Report:                 ./celerystalk report   # Create a report for all scanned hosts in current workspace

Access the DB: List the workspaces, hosts, services, or paths stored in the celerystalk database
    Option         Description
    workspaces     Show all known workspaces and the output directory associated with each workspace
    services       Show all known open ports and service types by IP
    hosts          Show all hosts (IP addresses and subdomains/vhosts) and whether they are in scope and whether they have been submitted for scanning
    paths          Show all paths that have been identified by vhost
    -w workspace   Specify a non-default workspace

    Show workspaces:               ./celerystalk db workspaces
    Show services:                 ./celerystalk db services
    Show hosts:                    ./celerystalk db hosts
    Show paths:                    ./celerystalk db paths

Export DB: Export each table of the DB to a csv file
    Option         Description
    no options     Export the services, hosts, and paths tables from the default database
    -w workspace   Specify a non-default workspace

    Export current DB:             ./celerystalk db export
    Export another DB:             ./celerystalk db export -w test

Usage
    Usage:
        celerystalk workspace create -o <output_dir> [-w workspace_name]
        celerystalk workspace [<workspace_name>]
        celerystalk import [-f <nmap_file>] [-S scope_file] [-D subdomains_file] [-u <url>]
        celerystalk subdomains -d <domains> [-s]
        celerystalk scan [-f <nmap_file>] [-t <targets>] [-d <domains>] [-S scope_file] [-D subdomains_file] [-s]
        celerystalk scan -u <url> [-s]
        celerystalk rescan [-t <targets>] [-s]
        celerystalk query ([full] | [summary] | [brief]) [watch]
        celerystalk query [watch] ([full] | [summary] | [brief])
        celerystalk report
        celerystalk cancel ([all]|[<task_ids>])
        celerystalk pause ([all]|[<task_ids>])
        celerystalk resume ([all]|[<task_ids>])
        celerystalk db ([workspaces] | [services] | [hosts] | [vhosts] | [paths])
        celerystalk db export
        celerystalk shutdown
        celerystalk interactive
        celerystalk (help | -h | --help)

    Options:
        -h --help              Show this screen
        -v --version           Show version
        -f <nmap_file>         Nmap xml import file
        -o <output_dir>        Output directory
        -S <scope_file>        Scope import file
        -D <subdomains_file>   Subdomains import file
        -t <targets>           Target(s): IP, IP Range, CIDR
        -u <url>               URL to parse and scan with all configured tools
        -w <workspace>         Workspace
        -d --domains           Domains to scan for vhosts
        -s --simulation        Simulation mode. Submit tasks but comment out all commands

    Examples:
    Workspace
        Create default workspace:      celerystalk workspace create -o /assessments/client
        Create named workspace:        celerystalk workspace create -o /assessments/client -w client
        Switch to another workspace:   celerystalk workspace client2
    Import
        Import Nmap XML file:          celerystalk import -f /assessments/nmap.xml
        Import Nessus file:            celerystalk import -f /assessments/scan.nessus
        Import list of Domains:        celerystalk import -D <file>
        Import list of IPs/Ranges:     celerystalk import -S <file>
        Import multiple files:         celerystalk import -f nmap.xml -S scope.txt -D domains.txt
    Subdomain Recon
        Find subdomains:               celerystalk subdomains -d domain1.com,domain2.com
    Scan
        Scan all in scope hosts:       celerystalk scan
        Scan subset of DB hosts:       celerystalk scan -t 10.0.0.1,10.0.0.3
                                       celerystalk scan -t 10.0.0.100-200
                                       celerystalk scan -t 10.0.0.0/24
                                       celerystalk scan -t sub.domain.com
        Simulation mode:               celerystalk scan -s
    Import and Scan
        Start from Nmap XML file:      celerystalk scan -f /pentest/nmap.xml
        Start from Nessus file:        celerystalk scan -f /pentest/scan.nessus
        Scan subset hosts in XML:      celerystalk scan -f <file> -t 10.0.0.1,10.0.0.3
                                       celerystalk scan -f <file> -t 10.0.0.100-200
                                       celerystalk scan -f <file> -t 10.0.0.0/24
                                       celerystalk scan -f <file> -t sub.domain.com
        Simulation mode:               celerystalk scan -f <file> -s
    Rescan
        Rescan all hosts:              celerystalk rescan
        Rescan some hosts:             celerystalk rescan -t 1.2.3.4,sub.domain.com
        Simulation mode:               celerystalk rescan -s
    Query Mode
        All tasks:                     celerystalk query
        Update status every 2s:        celerystalk query watch
        Show only 5 tasks per mode:    celerystalk query brief
        Show stats only:               celerystalk query summary
        Show stats every 2s:           celerystalk query summary watch
    Job Control (cancel/pause/resume)
        Specific tasks:                celerystalk cancel 5,6,10-20
                                       celerystalk pause 5,6,10-20
                                       celerystalk resume 5,6,10-20
        All tasks current workspace:   celerystalk cancel all
                                       celerystalk pause all
                                       celerystalk resume all
    Access the DB
        Show workspaces:               celerystalk db workspaces
        Show services:                 celerystalk db services
        Show hosts:                    celerystalk db hosts
        Show vhosts only:              celerystalk db vhosts
        Show paths:                    celerystalk db paths
    Export DB
        Export current DB:             celerystalk db export

Credit
This project was inspired by many great tools:
- https://github.com/codingo/Reconnoitre by @codingo_
- https://github.com/frizb/Vanquish by @frizb
- https://github.com/leebaird/discover by @discoverscripts
- https://github.com/1N3/Sn1per
- https://github.com/SrFlipFlop/Network-Security-Analysis by @SrFlipFlop
Thanks to @offensivesecurity and @hackthebox_eu for their lab networks.
Also, thanks to:
- @decidedlygray for pointing me towards celery, helping me solve python problems that were over my head, and for the extensive beta testing
- @kerpanic for inspiring me to dust off an old project and turn it into celerystalk
- My TUV OpenSky team and my IthacaSec hackers for testing this out and submitting bugs and features
Download Celerystalk

Link: http://feedproxy.google.com/~r/PentestTools/~3/9zxM11uFyz8/celerystalk-asynchronous-enumeration.html

Robber – Robber Is Open Source Tool For Finding Executables Prone To DLL Hijacking

Robber is a free open source tool developed using Delphi XE2 without any 3rd party dependencies.

What is DLL hijacking?
Windows has a search path for DLLs in its underlying architecture. If you can figure out which DLLs an executable requests without an absolute path (triggering this search process), you can place your hostile DLL somewhere higher up the search path so it is found before the real version, and Windows will happily feed your attack code to the application.

So, let's pretend Windows's DLL search path looks something like this:
    A) .                   <-- the directory the executable was loaded from, highest priority, checked first
    B) \Windows
    C) \Windows\system32
    D) \Windows\syswow64   <-- lowest priority, checked last

and some executable "Foo.exe" requests "bar.dll", which happens to live in the syswow64 (D) subdirectory. This gives you the opportunity to place your malicious version in A), B) or C) and it will be loaded into the executable. (The real order is longer and depends on the SafeDllSearchMode setting, which is what decides where the current working directory falls; the application's own directory comes first in either case.)

Even an absolute path cannot protect against this if you can replace the DLL itself with your own version.

Microsoft Windows protects system paths like System32 using the Windows File Protection mechanism, but the best way to protect an executable from DLL hijacking in enterprise solutions is:
- Use absolute paths instead of relative paths
- If you have a code-signing certificate, sign your DLL files and verify the signature in your application before loading a DLL into memory; otherwise check the hash of the DLL file against the hash of the original DLL

And of course, this isn't really limited to Windows either. Any OS which allows dynamic linking of external libraries is theoretically vulnerable to this.

Robber uses a simple mechanism to figure out which DLLs are prone to hijacking:
1. Scan the import table of the executable and find the DLLs linked to it
2. Search for DLL files placed in the executable's directory that match a linked DLL (as noted above, the executable's own directory has the highest priority)
3. If any such DLL is found, scan its export table
4. Compare the import table of the executable with the export table of the DLL; if any match is found, the executable and the matched common functions are flagged as a DLL hijack candidate

Features:
- Ability to select scan type (signed/unsigned applications)
- Determine executable signer
- Determine which referenced DLLs are candidates for hijacking
- Determine exported method names of candidate DLLs
- Configure rules to determine which hijacks are the best or a good choice to use, and show them in different colors

Find the latest Robber executable here
Download Robber
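The four-step check above, as an added example that is not Robber's code (Robber is written in Delphi; this is a pure-Python reimplementation of the same import/export matching). parse_imports() walks the PE import directory, parse_exports() the export directory, and hijack_candidates() applies Robber's rule: an imported DLL that also sits in the application directory is flagged together with the symbols both tables have in common. build_pe() fabricates tiny PE32/PE32+ images purely so the example runs offline; on a real system you would pass it the bytes of the .exe and a dict of the .dll files read from the same directory. DLL names are compared lower-cased because Windows file names are case-insensitive. The signer checks Robber also performs are not reproduced.

```python
"""Added example (not Robber's own code): Robber's import/export matching as a
pure-Python PE parser. build_pe() fabricates tiny PE images as sample input so
the example runs offline; on a real system feed it the bytes of the .exe and of
every .dll in the same directory."""
import struct

def _rva_to_offset(sections, rva):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def _headers(data):
    """(is_pe32plus, [(rva, size)] data directories, [(va, size, raw_ptr)] sections)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B      # PE32+ (64-bit) optional header
    dd = opt + (112 if plus else 96)                            # start of the data directory array
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                                       # section headers follow the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    return plus, dirs, sections

def parse_imports(data):
    """{dll name (lower-case): [imported symbol, ...]} from the import directory (entry 1)."""
    plus, dirs, sections = _headers(data)
    rva = dirs[1][0] if len(dirs) > 1 else 0
    fmt, step, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports, off = {}, (_rva_to_offset(sections, rva) if rva else 0)
    while rva:
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", data, off)
        if name_rva == 0:                                       # all-zero descriptor ends the table
            break
        syms, t = [], _rva_to_offset(sections, ilt or iat)
        while (entry := struct.unpack_from(fmt, data, t)[0]) != 0:
            # ordinal import if the high bit is set, else RVA of a 2-byte hint followed by the name
            syms.append(f"#{entry & 0xFFFF}" if entry & ord_flag
                        else _cstring(data, _rva_to_offset(sections, entry) + 2))
            t += step
        imports[_cstring(data, _rva_to_offset(sections, name_rva)).lower()] = syms
        off += 20
    return imports

def parse_exports(data):
    """Exported symbol names from the export directory (entry 0)."""
    _, dirs, sections = _headers(data)
    rva = dirs[0][0] if dirs else 0
    if not rva:
        return []
    off = _rva_to_offset(sections, rva)
    n_names = struct.unpack_from("<I", data, off + 24)[0]                            # NumberOfNames
    names = _rva_to_offset(sections, struct.unpack_from("<I", data, off + 32)[0])    # AddressOfNames
    return [_cstring(data, _rva_to_offset(sections, struct.unpack_from("<I", data, names + 4 * i)[0]))
            for i in range(n_names)]

def hijack_candidates(exe_data, app_dir_files):
    """Robber's rule: an imported DLL that also exists in the application directory (searched
    first) is a candidate when it exports symbols the exe imports. Keys are lower-case names."""
    found = {}
    for dll, wanted in parse_imports(exe_data).items():
        if dll in app_dir_files:
            common = sorted(set(wanted) & set(parse_exports(app_dir_files[dll])))
            if common:
                found[dll] = common
    return found

def build_pe(imports=None, exports=None, plus=False):
    """Constructed minimal PE with one .rdata section at RVA 0x1000; sample input only."""
    body, sec_rva, raw_ptr = bytearray(), 0x1000, 0x200
    def put(blob):                                              # append 8-byte aligned, return its RVA
        rva = sec_rva + len(body)
        body.extend(blob + b"\0" * (-len(blob) % 8))
        return rva
    tfmt, import_rva, export_rva = ("<Q" if plus else "<I"), 0, 0
    if imports:
        descs = b""
        for dll, funcs in imports.items():
            thunks = b"".join(struct.pack(tfmt, put(b"\0\0" + f.encode() + b"\0")) for f in funcs) + struct.pack(tfmt, 0)
            descs += struct.pack("<5I", put(thunks), 0, 0, put(dll.encode() + b"\0"), put(thunks))
        import_rva = put(descs + bytes(20))
    if exports:
        names = b"".join(struct.pack("<I", put(f.encode() + b"\0")) for f in exports)
        tables = (put(bytes(4 * len(exports))), put(names), put(bytes(2 * len(exports))))
        export_rva = put(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, put(b"x.dll\0"), 1, len(exports), len(exports), *tables))
    opt, dd = bytearray(240 if plus else 224), (112 if plus else 96)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<I", opt, dd - 4, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd, export_rva, 40 if exports else 0)
    struct.pack_into("<II", opt, dd + 8, import_rva, 20 * (len(imports) + 1) if imports else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), raw_ptr, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0") + bytes(body)
```

Usage against real files is hijack_candidates(open("Foo.exe", "rb").read(), {name.lower(): open(path, "rb").read() for each .dll beside it}). Note that the example, like Robber, only flags DLLs that are already present next to the executable; an imported DLL that is absent from that directory is just as interesting to anyone who can write there, but that is outside the rule the text describes.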

Link: http://feedproxy.google.com/~r/PentestTools/~3/-3o2PCxEGpE/robber-robber-is-open-source-tool-for.html

PatrOwl – Open Source, Free And Scalable Security Operations Orchestration Platform

PatrOwl is a scalable, free and open-source solution for orchestrating Security Operations.

PatrowlManager is the front-end application for managing the assets, reviewing risks in real time, orchestrating the operations (scans, searches, API calls, ...), aggregating the results, relaying alerts to third parties (e.g. an Incident Response platform like TheHive, Splunk, ...) and providing the reports and dashboards. Operations are performed by the PatrowlEngines instances. Don't forget to install and deploy them ;)

Project pitch deck

Architecture
Fully developed in Python, PatrOwl is composed of a front-end application, PatrowlManager (Django), communicating with one or multiple PatrowlEngines micro-applications (Flask) which perform the scans, analyze the results and format them in a normalized way. It remains easy to customize all components. Asynchronous tasks and engine scalability are supported by RabbitMQ and Celery. The PatrowlManager application is reachable using the embedded web interface or the JSON API. PatrowlEngines are only available through generic JSON API calls (see Documentation).
Download PatrOwl

Link: http://www.kitploit.com/2018/10/patrowl-open-source-free-and-scalable.html

Intrigue-Core – Discover Your Attack Surface

Intrigue-core is a framework for automated attack surface discovery. There are a number of use cases:
- Application and Infrastructure (Asset) Discovery
- Security Research and Vulnerability Discovery
- Malware Campaign Research & Indicator Enrichment
- Exploratory OSINT Research

If you'd like assistance getting started or have development-related questions, feel free to join the chat.

Users
If you just want to get started and play around with an instance, have a look at the Getting Started Guide.

Developers
To get started setting up a development environment, follow the instructions below!

Setting up a development environment
Follow the appropriate setup guide:
- Vagrant (preferred) - http://intrigue.io/getting-started-with-intrigue-core-on-vagrant-virtualbox/
- Docker - https://intrigue.io/2017/03/07/using-intrigue-core-with-docker/
Manual setup guides (may be out of date!):
- Ubuntu Linux - https://github.com/intrigueio/intrigue-core/wiki/Setting-up-a-Test-Environment-on-Ubuntu-Linux
- Kali Linux - https://github.com/intrigueio/intrigue-core/wiki/Setting-up-a-Test-Environment-on-Kali-Linux
- OS X - https://github.com/intrigueio/intrigue-core/wiki/Setting-up-a-Test-Environment-on-OSX-10.10
Now that you have a working environment, browse to the web interface.

Using the web interface
To use the web interface, browse to http://127.0.0.1:7777. Once you're able to connect, you can follow the instructions here: http://intrigue.io/up-and-running/

Configuring the system
Many tasks work via external APIs and thus require configuration of keys. To set them up, browse to the "Configure" tab and click on the name of the module. You will be taken to the relevant signup page where you can provision an API key. These keys are ultimately stored in the file config/config.json.

The API
Intrigue-core is built API-first, allowing all functions in the UI to be easily automated. The following methods for automation are provided.

API usage via core-cli
A command line utility has been added for convenience, core-cli.

List all available tasks:
    $ bundle exec ./core-cli.rb list

Start a task:
    ## core-cli.rb start [Project Name] [Task] [Type#Entity] [Depth] [Option1=Value1#…#…] [Handlers] [Strategy Name] [Auto Enrich]
    $ bundle exec ./core-cli.rb start new_project create_entity DnsRecord#intrigue.io 3
    Got entity: {"type"=>"DnsRecord", "name"=>"intrigue.io", "details"=>{"name"=>"intrigue.io"}}
    Task Result: {"result_id":66103}

API usage via curl
You can use curl to drive the framework. See the example below:
    $ curl -s -X POST -H "Content-Type: application/json" -d '{ "task": "create_entity", "entity": { "type": "DnsRecord", "attributes": { "name": "intrigue.io" } }, "options": {} }' http://127.0.0.1:7777/results
Download Intrigue-Core

Link: http://feedproxy.google.com/~r/PentestTools/~3/iG4boXqkAq8/intrigue-core-discover-your-attack.html

Salt-Scanner – Linux Vulnerability Scanner Based On Salt Open And Vulners Audit API

A linux vulnerability scanner based on Vulners Audit API and Salt Open, with Slack notifications and JIRA integration.

Features
- Slack notification and report upload
- JIRA integration
- OpsGenie integration

Requirements
- Salt Open 2016.11.x (salt-master, salt-minion)
- Python 2.7
- salt (you may need to install gcc, gcc-c++, python dev)
- slackclient
- jira
- opsgenie-sdk

Note: Salt Master and Minion versions should match. Salt-Scanner supports Salt version 2016.11.x. If you are using version 2017.7.x, replace "expr_form" with "tgt_type" in salt-scanner.py.

Usage
    $ ./salt-scanner.py -h
    ==========================================================
     Vulnerability scanner based on Vulners API and Salt Open
     [ASCII-art "Salt Scanner" banner]
     Salt-Scanner 0.1 / by 0x4D31
    ==========================================================
    usage: salt-scanner.py [-h] [-t TARGET_HOSTS] [-tF {glob,list,grain}] [-oN OS_NAME] [-oV OS_VERSION]

    optional arguments:
      -h, --help            show this help message and exit
      -t TARGET_HOSTS, --target-hosts TARGET_HOSTS
      -tF {glob,list,grain}, --target-form {glob,list,grain}
      -oN OS_NAME, --os-name OS_NAME
      -oV OS_VERSION, --os-version OS_VERSION

    $ sudo SLACK_API_TOKEN="EXAMPLETOKEN" ./salt-scanner.py -t "*"
    ==========================================================
     (same banner as above)
    ==========================================================
    + No default OS is configured. Detecting OS...
    + Detected Operating Systems:
      - OS Name: centos, OS Version: 7
    + Getting the Installed Packages...
    + Started Scanning '10.10.10.55'...
      - Total Packages: 357
      - 6 Vulnerable Packages Found - Severity: Low
    + Started Scanning '10.10.10.56'...
      - Total Packages: 392
      - 6 Vulnerable Packages Found - Severity: Critical
    + Finished scanning 2 host (target hosts: '*').
    2 Hosts are vulnerable!
    + Output file created: 20170622-093138_232826a7-983f-499b-ad96-7b8f1a75c1d7.txt
    + Full report uploaded to Slack
    + JIRA Issue created: VM-16
    + OpsGenie alert created

You can also use Salt Grains such as ec2_tags in target_hosts:
    $ sudo ./salt-scanner.py --target-hosts "ec2_tags:Role:webapp" --target-form grain

Slack Alert (screenshot)
Download Salt-Scanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ox5vp0e8ctQ/salt-scanner-linux-vulnerability.html