GitMiner v2.0 – Tool For Advanced Mining For Content On Github

Advanced search tool and automation in Github. This tool aims to facilitate research by code or code snippets on github through the site’s search page.MOTIVATIONDemonstrates the fragility of trust in public repositories to store codes with sensitive information.REQUIREMENTSlxmlrequestsargparsejsonreINSTALLgit clone http://github.com/UnkL4b/GitMinersudo apt-get install python-requests python-lxml ORpip install -r requirements.txtDockergit clone http://github.com/UnkL4b/GitMinercd GitMinerdocker build -t gitminer .docker run -it gitminer -hHELP UnkL4b __ Automatic search for Github((OO)) ▄████ ██▓▄▄▄█████▓ ███▄ ▄███▓ ██▓ ███▄ █ ▓█████ ██▀███ \__/ ██▒ ▀█▒▓██▒▓ ██▒ ▓▒▓██▒▀█▀ ██▒▓██▒ ██ ▀█ █ ▓█ ▀ ▓██ ▒ ██▒ OO |^| ▒██░▄▄▄░▒██▒▒ ▓██░ ▒░▓██ ▓██░▒██▒▓██ ▀█ ██▒▒███ ▓██ ░▄█ ▒ oOo | | ░▓█ ██▓░██░░ ▓██▓ ░ ▒██ ▒██ ░██░▓██▒ ▐▌██▒▒▓█ ▄ ▒██▀▀█▄ OoO | | ░▒▓███▀▒░██░ ▒██▒ ░ ▒██▒ ░██▒░██░▒██░ ▓██░░▒████▒░██▓ ▒██▒ /oOo | |___░▒___▒_░▓____▒_░░___░_▒░___░__░░▓__░_▒░___▒_▒_░░_▒░_░░_▒▓_░▒▓░_/ / \______░___░__▒_░____░____░__░______░_▒_░░_░░___░_▒░_░_░__░__░▒_░_▒░__/ v2.0 ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ -> github.com/UnkL4b -> unkl4b.github.io +———————[WARNING]———————+ | DEVELOPERS ASSUME NO LIABILITY AND ARE NOT | | RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY | | THIS PROGRAM | +—————————————————+ [-h] [-q ‘filename:shadow path:etc’] [-m wordpress] [-o result.txt] [-r ‘/^\s*.*?;?\s*$/gm’] [-c _octo=GH1.1.2098292984896.153133829439; _ga=GA1.2.36424941.153192375318; user_session=oZIxL2_ajeDplJSndfl37ddaLAEsR2l7myXiiI53STrfhqnaN; __Host-user_session_same_site=oXZxv9_ajeDplV0gAEsmyXiiI53STrfhDN; logged_in=yes; dotcom_user=unkl4b; tz=America%2FSao_Paulo; has_recent_activity=1; _gh_sess=MmxxOXBKQ1RId3NOVGpGcG54aEVnT1o0dGhxdGdzWVpySnFRd1dVYUk5TFZpZXFuTWxOdW1FK1IyM0pONjlzQWtZM2xtaFR3ZDdxlGMCsrWnBIdnhUN0tjVUtMYU1GeG5Pbm5DMThuWUFETnZjcllGOUNkRGUwNUtKOVJTaGR5eUJYamhWRE5XRnMWZZN3Y3dlpFNDZXL1NWUEN4c093RFhQd3RJQ1NBdmhrVDE3VVNiUFF3dHBycC9FeDZ3cFVXV0ZBdXZieUY5WDRlOE9ZSG5sNmRHUmllcmk0Up1MTcyTXZrN1RHYmJSdz09–434afdd652b37745f995ab55fc83]optional arguments: -h, –help show this help message and exit -q ‘filename:shadow path:etc’, –query ‘filename:shadow path:etc’ Specify search term -m wordpress, –module wordpress Specify the search module -o result.txt, –output result.txt Specify the output file where it will be saved -r ‘/^\s*(.*?);?\s*$/gm’, –regex ‘/^\s*(.*?);?\s*$/gm’ Set regex to search in file -c _octo=GH1.1.2098292984896.153133829439; _ga=GA1.2.36424941.153192375318; user_session=oZIxL2_ajeDplJSndfl37ddaLAEsR2l7myXiiI53STrfhqnaN; __Host-user_session_same_site=oXZxv9_ajeDplV0gAEsmyXiiI53STrfhDN; logged_in=yes; dotcom_user=unkl4b; tz=America%2FSao_Paulo; has_recent_activity=1; _gh_sess=MmxxOXBKQ1RId3NOVGpGcG54aEVnT1o0dGhxdGdzWVpySnFRd1dVYUk5TFZpZXFuTWxOdW1FK1IyM0pONjlzQWtZM2xtaFR3ZDdxlGMCsrWnBIdnhUN0tjVUtMYU1GeG5Pbm5DMThuWUFETnZjcllGOUNkRGUwNUtKOVJTaGR5eUJYamhWRE5XRnMWZZN3Y3dlpFNDZXL1NWUEN4c093RFhQd3RJQ1NBdmhrVDE3VVNiUFF3dHBycC9FeDZ3cFVXV0ZBdXZieUY5WDRlOE9ZSG5sNmRHUmllcmk0Up1MTcyTXZrN1RHYmJSdz09–434afdd652b37745f995ab55fc83, –cookie _octo=GH1.1.2098292984896.153133829439; _ga=GA1.2.36424941.153192375318; user_session=oZIxL2_ajeDplJSndfl37ddaLAEsR2l7myXiiI53STrfhqnaN; __Host-user_session_same_site=oXZxv9_ajeDplV0gAEsmyXiiI53STrfhDN; logged_in=yes; dotcom_user=unkl4b; tz=America%2FSao_Paulo; has_recent_activity=1; _gh_sess=MmxxOXBKQ1RId3NOVGpGcG54aEVnT1o0dGhxdGdzWVpySnFRd1dVYUk5TFZpZXFuTWxOdW1FK1IyM0pONjlzQWtZM2xtaFR3ZDdxlGMCsrWnBIdnhUN0tjVUtMYU1GeG5Pbm5DMThuWUFETnZjcllGOUNkRGUwNUtKOVJTaGR5eUJYamhWRE5XRnMWZZN3Y3dlpFNDZXL1NWUEN4c093RFhQd3RJQ1NBdmhrVDE3VVNiUFF3dHBycC9FeDZ3cFVXV0ZBdXZieUY5WDRlOE9ZSG5sNmRHUmllcmk0Up1MTcyTXZrN1RHYmJSdz09–434afdd652b37745f995ab55fc83 Specify the cookie for your githubEXAMPLESearching for wordpress configuration files with passwords:$:> python gitminer-v2.0.py -q ‘filename:wp-config extension:php FTP_HOST in:file ‘ -m wordpress -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4 -o result.txtLooking for brasilian government files containing passwords:$:> python gitminer-v2.0.py –query ‘extension:php “root" in:file AND "gov.br" in:file’ -m senhas -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4Looking for shadow files on the etc paste:$:> python gitminer-v2.0.py –query ‘filename:shadow path:etc’ -m root -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4Searching for joomla configuration files with passwords:$:> python gitminer-v2.0.py –query ‘filename:configuration extension:php "public password" in:file’ -m joomla -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4Hacking SSH ServersDork to searchby @techgaun (https://github.com/techgaun/github-dorks) Dork Description filename:.npmrc _auth npm registry authentication data filename:.dockercfg auth docker registry authentication data extension:pem private private keys extension:ppk private puttygen private keys filename:id_rsa or filename:id_dsa private ssh keys extension:sql mysql dump mysql dump extension:sql mysql dump password mysql dump look for password; you can try varieties filename:credentials aws_access_key_id might return false negatives with dummy values filename:.s3cfg might return false negatives with dummy values filename:wp-config.php wordpress config files filename:.htpasswd htpasswd files filename:.env DB_USERNAME NOT homestead laravel .env (CI, various ruby based frameworks too) filename:.env MAIL_HOST=smtp.gmail.com gmail smtp configuration (try different smtp services too) filename:.git-credentials git credentials store, add NOT username for more valid results PT_TOKEN language:bash pivotaltracker tokens filename:.bashrc password search for passwords, etc. in .bashrc (try with .bash_profile too) filename:.bashrc mailchimp variation of above (try more variations) filename:.bash_profile aws aws access and secret keys rds.amazonaws.com password Amazon RDS possible credentials extension:json api.forecast.io try variations, find api keys/secrets extension:json mongolab.com mongolab credentials in json configs extension:yaml mongolab.com mongolab credentials in yaml configs (try with yml) jsforce extension:js conn.login possible salesforce credentials in nodejs projects SF_USERNAME salesforce possible salesforce credentials filename:.tugboat NOT _tugboat Digital Ocean tugboat config HEROKU_API_KEY language:shell Heroku api keys HEROKU_API_KEY language:json Heroku api keys in json files filename:.netrc password netrc that possibly holds sensitive credentials filename:_netrc password netrc that possibly holds sensitive credentials filename:hub oauth_token hub config that stores github tokens filename:robomongo.json mongodb credentials file used by robomongo filename:filezilla.xml Pass filezilla config file with possible user/pass to ftp filename:recentservers.xml Pass filezilla config file with possible user/pass to ftp filename:config.json auths docker registry authentication data filename:idea14.key IntelliJ Idea 14 key, try variations for other versions filename:config irc_pass possible IRC config filename:connections.xml possible db connections configuration, try variations to be specific filename:express.conf path:.openshift openshift config, only email and server thou filename:.pgpass PostgreSQL file which can contain passwords filename:proftpdpasswd Usernames and passwords of proftpd created by cpanel filename:ventrilo_srv.ini Ventrilo configuration [WFClient] Password= extension:ica WinFrame-Client infos needed by users to connect toCitrix Application Servers filename:server.cfg rcon password Counter Strike RCON Passwords JEKYLL_GITHUB_TOKEN Github tokens used for jekyll filename:.bash_history Bash history file filename:.cshrc RC file for csh shell filename:.history history file (often used by many tools) filename:.sh_history korn shell history filename:sshd_config OpenSSH server config filename:dhcpd.conf DHCP service config filename:prod.exs NOT prod.secret.exs Phoenix prod configuration file filename:prod.secret.exs Phoenix prod secret filename:configuration.php JConfig password Joomla configuration file filename:config.php dbpasswd PHP application database password (e.g., phpBB forum software) path:sites databases password Drupal website database credentials shodan_api_key language:python Shodan API keys (try other languages too) filename:shadow path:etc Contains encrypted passwords and account information of new unix systems filename:passwd path:etc Contains user account information including encrypted passwords of traditional unix systems extension:avastlic Contains license keys for Avast! Antivirus extension:dbeaver-data-sources.xml DBeaver config containing MySQL Credentials filename:.esmtprc password esmtp configuration extension:json googleusercontent client_secret OAuth credentials for accessing Google APIs HOMEBREW_GITHUB_API_TOKEN language:shell Github token usually set by homebrew users xoxp OR xoxb Slack bot and private tokens .mlab.com password MLAB Hosted MongoDB Credentials filename:logins.json Firefox saved password collection (key3.db usually in same repo) filename:CCCam.cfg CCCam Server config file msg nickserv identify filename:config Possible IRC login passwords filename:settings.py SECRET_KEY Django secret keys (usually allows for session hijacking, RCE, etc) Download GitMiner

Link: http://feedproxy.google.com/~r/PentestTools/~3/VtATqnX-O4U/gitminer-v20-tool-for-advanced-mining.html

WAF Buster – Disrupt WAF By Abusing SSL/TLS Ciphers

Disrupt WAF by abusing SSL/TLS CiphersAbout WAF_busterThis tool was created to Analyze the ciphers that are supported by the Web application firewall being used at the web server end. (Reference: https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html) It works by first triggering SslScan to look for all the supported ciphers during SSL/TLS negotiation with the web server.After getting the text file of all the supported ciphers, then we use Curl to query web server with each and every Cipher to check which of the ciphers are unsupported by WAF and supported by Web server , if any such Cipher is found then a message is displayed that “Firewall is bypassed".ScreenshotsInstallationgit clone https://github.com/viperbluff/WAF_buster.git Python2This tool has been created using Python2 and below modules have been used throughout:-1.requests2.os3.sys4.subprocessUsage Open terminal python2 WAF_buster.py –inputDownload WAF_buster

Link: http://feedproxy.google.com/~r/PentestTools/~3/0fQO7UVapz0/waf-buster-disrupt-waf-by-abusing.html

Aws_Public_Ips – Fetch All Public IP Addresses Tied To Your AWS Account

aws_public_ips is a tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account.It can be used as a library and as a CLI, and supports the following AWS services (all with both Classic & VPC flavors):APIGatewayCloudFrontEC2 (and as a result: ECS, EKS, Beanstalk, Fargate, Batch, & NAT Instances)ElasticSearchELB (Classic ELB)ELBv2 (ALB/NLB)LightsailRDSRedshiftIf a service isn’t listed (S3, ElastiCache, etc) it’s most likely because it doesn’t have anything to support (i.e. it might not be deployable publicly, it might have all ip addresses resolve to global AWS infrastructure, etc).Quick startInstall the gem and run it:$ gem install aws_public_ips# Uses default ~/.aws/credentials$ aws_public_ips52.84.11.1352.84.11.832600:9000:2039:ba00:1a:cd27:1440:93a12600:9000:2039:6e00:1a:cd27:1440:93a1# With a custom profile$ AWS_PROFILE=production aws_public_ips52.84.11.159CLI reference$ aws_public_ips –helpUsage: aws_public_ips [options] -s, –services ,<s2>,<s3> List of AWS services to check. Available services: apigateway,cloudfront,ec2,elasticsearch,elb,elbv2,lightsail,rds,redshift. Defaults to all. -f, –format <format> Set output format. Available formats: json,prettyjson,text. Defaults to text. -v, –[no-]verbose Enable debug/trace output –version Print version -h, –help Show this help messageConfigurationFor authentication aws_public_ips uses the default aws-sdk-ruby configuration, meaning that the following are checked in order:Environment variables:AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_REGIONAWS_PROFILEShared credentials files:~/.aws/credentials~/.aws/configInstance profile via metadata endpoint (if running on EC2, ECS, EKS, or Fargate)For more information see the AWS SDK documentation on configuration.IAM permissionsTo find the public IPs from all AWS services, the minimal policy needed by your IAM user is:{ “Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "apigateway:GET", "cloudfront:ListDistributions", "ec2:DescribeInstances", "elasticloadbalancing:DescribeLoadBalancers", "lightsail:GetInstances", "lightsail:GetLoadBalancers", "rds:DescribeDBInstances", "redshift:DescribeClusters" ], "Resource": "*" } ]}ContactFeel free to tweet or direct message: @arkadiytDownload Aws_Public_Ips

Link: http://feedproxy.google.com/~r/PentestTools/~3/aLYdLNP_wx4/awspublicips-fetch-all-public-ip.html

Resource-Counter – This Command Line Tool Counts The Number Of Resources In Different Categories Across Amazon Regions

This command line tool counts the number of resources in different categories across Amazon regions.This is a simple Python app that will count resources across different regions and display them on the command line. It first shows the dictionary of the results for the monitored services on a per-region basis, then it shows totals across all regions in a friendlier format. It tries to use the most-efficient query mechanism for each resource in order to manage the impact of API activity. I wrote this to help me scope out assessments and know where resources are in a target account.The development plan is to upgrade the output (probably to CSV file) and to continue to add services. If you have a specific service you want to see added just add a request in the comments.The current list incluides:Application and Network Load BalancersAutoscale GroupsClassic Load BalancersCloudTrail TrailsCloudwatch RulesConfig RulesDynamo TablesElastic IP AddressesGlacier VaultsIAM GroupsImagesInstancesKMS KeysLambda FunctionsLaunch ConfigurationsNAT GatewaysNetwork ACLsIAM PoliciesRDS InstancesIAM RolesS3 BucketsSAML ProvidersSNS TopicsSecurity GroupsSnapshotsSubnetsIAM UsersVPC EndpointsVPC Peering ConnectionVPCsVolumesUsage:To install just copy it where you want it and instally the requirements:pip install -r ./requirements.txtThis was written in Python 3.6.To run:python count_resources.py By default, it will use whatever AWS credentials are alerady configued on the system. You can also specify an access key/secret at runtime and this is not stored. It only neeeds read permissions for the listed services- I use the ReadOnlyAccess managed policy, but you should also be able to use the SecurityAudit policy.Usage: count_resources.py [OPTIONS]Options: –access TEXT AWS Access Key. Otherwise will use the standard credentials path for the AWS CLI. –secret TEXT AWS Secret Key –profile TEXT If you have multiple credential profiles, use this option to specify one. –help Show this message and exit.Sample Output:Establishing AWS session using the profile- dev Current account ID: xxxxxxxxxx Counting resources across regions. This will take a few minutes…Resources by region {‘ap-northeast-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-northeast-2’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 2, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-south-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 2, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-southeast-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-southeast-2’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ca-central-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 2, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-central-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-west-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-west-2’: {‘instances’: 3, ‘volumes’: 3, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-west-3’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘sa-east-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-east-1’: {‘instances’: 2, ‘volumes’: 2, ‘security_groups’: 19, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 2, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 2, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 1, ‘cloudtrail trails’: 2, ‘sns topics’: 3, ‘kms keys’: 5, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-east-2’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 2, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-west-1’: {‘instances’: 1, ‘volumes’: 3, ‘security_groups’: 14, ‘snapshots’: 1, ‘images’: 0, ‘vpcs’: 0, ‘subnets’: 0, ‘peering connections’: 0, ‘network ACLs’: 0, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 1, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-west-2’: {‘instances’: 9, ‘volumes’: 29, ‘security_groups’: 76, ‘snapshots’: 171, ‘images’: 104, ‘vpcs’: 7, ‘subnets’: 15, ‘peering connections’: 1, ‘network ACLs’: 8, ‘elastic IPs’: 7, ‘NAT gateways’: 1, ‘VPC Endpoints’: 0, ‘autoscale groups’: 1, ‘launch configurations’: 66, ‘classic load balancers’: 1, ‘application and network load balancers’: 2, ‘lambdas’: 10, ‘glacier vaults’: 1, ‘cloudwatch rules’: 8, ‘config rules’: 1, ‘cloudtrail trails’: 1, ‘sns topics’: 6, ‘kms keys’: 7, ‘dynamo tables’: 1, ‘rds instances’: 0}}Resource totals across all regions Application and Network Load Balancers : 2 Autoscale Groups : 1 Classic Load Balancers : 1 CloudTrail Trails : 16 Cloudwatch Rules : 8 Config Rules : 2 Dynamo Tables : 1 Elastic IP Addresses : 7 Glacier Vaults : 1 Groups : 12 Images : 104 Instances : 15 KMS Keys : 13 Lambda Functions : 10 Launch Configurations : 66 NAT Gateways : 1 Network ACLs : 22 Policies : 15 RDS Instances : 0 Roles : 40 S3 Buckets : 31 SAML Providers : 1 SNS Topics : 9 Security Groups : 122 Snapshots : 172 Subnets : 51 Users : 14 VPC Endpoints : 0 VPC Peering Connections : 1 VPCs : 21 Volumes : 37Total resources: 796Download Resource-Counter

Link: http://feedproxy.google.com/~r/PentestTools/~3/0QCDjS_vnjY/resource-counter-this-command-line-tool.html

Rootstealer – X11 Trick To Inject Commands On Root Terminal

This is simple example of new attack that using X11. Program to detect when linux user opens terminal with root and inject intrusive commands in terminal with X11 lib.Video of Proof of conceptThe proposal of this video is use the tool rootstealer to spy all gui windows interactions and inject commands only in root terminal. This approach is util when attacker need to send a malicious program to prove that user is vulnerable to social engineering. Force root command in terminal with lib X11 is a exotic way to show the diversity of weak points.Install# apt-get install libX11-dev libxtst-dev# cd rootstealer/sendkeys; Edit file rootstealer/cmd.cfg and write your command to inject.Now you can take that following:# make; cd .. #to back to path rootstealer/ # pip intall gior# pip install girRun the python script to spy all windows gui and search window with “root@" string in title.$ python rootstealer.py &Note: If you prefers uses full C code… to use simple binary purposes… you can uses rootstealer.c$ sudo apt-get install libwnck-dev$ gcc -o rootstealer rootstealer.c `pkg-config –cflags –libs libwnck-1.0` -DWNCK_I_KNOW_THIS_IS_UNSTABLE -DWNCK_COMPILATION$ ./rootstealer &Done, look the video demo, rootstealer force commands only on root terminal…MitigationDon’t trust in anyone. https://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htmAlways when you enter by root user, change window title:# gnome-terminal –title="SOME TITLE HERE"This simple action can prevent this attack.TestsTested on Xubuntu 16.04Download Rootstealer

Link: http://feedproxy.google.com/~r/PentestTools/~3/-M-T8gOTCIc/rootstealer-x11-trick-to-inject.html

EKFiddle – A Framework Based On The Fiddler Web Debugger To Study Exploit Kits, Malvertising And Malicious Traffic In General

A framework based on the Fiddler web debugger to study Exploit Kits, malvertising and malicious traffic in general.InstallationDownload and install the latest version of Fiddlerhttps://www.telerik.com/fiddlerSpecial instructions for Linux and Mac here:https://www.telerik.com/blogs/fiddler-for-linux-beta-is-herehttps://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1Enable C# scripting (Windows only)Launch Fiddler, and go to Tools -> OptionsIn the Scripting tab, change the default (JScript.NET) to C#.Change default text editor (optional)In the same Tools -> Options menu, click on the Tools tab.Windows: notepad.exe or notepad++.exeLinux: geditMac: /Applications/TextEdit.app or /Applications/TextWrangler.appClose FiddlerDownload or clone CustomRules.cs into the appropriate folder based on your operating system:Windows (7/10) C:\Users\[username]\Documents\Fiddler2\Scripts\ Ubuntu /home/[username]/Fiddler2/Scripts/ Mac /Users/[username]/Fiddler2/Scripts/ Finish up the installationStart Fiddler to complete the installation of EKFiddle. That’s it, you’re all set!FeaturesToolbar buttonsThe added toolbar buttons give you quick shortcuts to some of the main features:QuickSaveDumps current web sessions into a SAZ named (QuickSave-“MM-dd-yyyy-HH-mm-ss".saz) to EKFiddle\Captures.UI modeToggle between the default column view or extra columns with additional information (includes time stamp, server IP and type, method, etc.).VPNVPN GUI directly built into Fiddler. It uses the OpenVPN client on Windows and Linux with ovpn files (sigining up with commercial VPN provider may be required). It will open up a new terminal/xterm whenever it connects to a new server via the selected .ovpn config file, killing the previous to ensure only one TAP adapter is used at any given time.WindowsDownload and install OpenVPN in default directoryPlace your .ovpn files inside OpenVPN’s config folder.Linux (tested on Ubuntu 16.04)sudo apt-get install openvpnPlace your .ovpn files in /etc/openvpn.ProxyAllows you to connect to an upstream proxy (HTTP/s or SOCKS).Import SAZ/PCAPA shortcut to load SAZ (Fiddler’s native format) or PCAP (i.e. from Wireshark) captures.View/Edit RegexesView and create your custom regular expressions. Note: a master list is provided with auto-updates via GitHub. Additionally the custom list lets you create your own rules.Run RegexesRun the master and custom regular expressions against current web sessions.Clear MarkingsClear any comment and colour highlighting in the currently loaded sessions.ContextAction menuThe ContextAction menu (accessed by right-clicking on any session(s) allows you to perform additional commands on selected sections. This can be very helpful to do quick lookups, compute hashes or extract IOCs.Hostname or IP address (Google Search, RiskIQ, URLQuery, RiskIQ)Query the hostname for the currently selected session.URIBuild RegexCreate a regular expression from the currently selected URI. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.Open in… Internet Explorer, Chrome, Firefox, EdgeThis opens up the URI with the browser you selected.Response BodyRemove encodingDecodes the currently selected sessions (from their basic encoding).Build RegexCreate a regular expression from the currently selected session’s source code. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.Calculate MD5/SHA256 hashGet the current session’s body and computes its hash.Hybrid Analysis / VirusTotal lookupChecks the current session’s body for hash, then look up that hash.Extract to DiskDownloads the currently selection session(s)’s body to disk, into the ‘Artifacts’ folder.Extract IOCsCopies into memory basic information from selected sessions so that they can be shared as IOCs.Connect-the-dotsAllows you to identify the sequence of events between sessions. Right-clik on the session you are interested in retracing your steps to and simply ‘connect the dots’. It will label the sequence of events from 01, to n within the comments column. You can reorder that column to have a condensed view of the sequence.CrawlerLoad a list of URLs from a text file and let the browser automically visit them. Tools -> Crawler (experimental) -> Start crawler May require some tweaks in your browser’s settings, in particular with regards to crash recovery IE: not needed Firefox: about:config, set -1 value for toolkit.startup.max_resumed_crashes Chrome: not needed Edge: fix already includedUninstalling EKFiddleDelete CustomRules.csDownload EKFiddle

Link: http://feedproxy.google.com/~r/PentestTools/~3/OrfyeIMprN4/ekfiddle-framework-based-on-fiddler-web.html

CMSeeK v1.0.7 – CMS Detection And Exploitation Suite (Scan WordPress, Joomla, Drupal And 50 Other CMSs)

What is a CMS?A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some noteable examples are: WordPress, Joomla, Drupal etc.Release History- Version 1.0.7 [07-08-2018]- Version 1.0.6 [23-07-2018]- Version 1.0.5 [19-07-2018]- Version 1.0.4 [17-07-2018]- Version 1.0.3 [06-07-2018]- Version 1.0.2 [06-07-2018]- Version 1.0.1 [19-06-2018]- Version 1.0.0 [15-06-2018]Changelog FileFunctions Of CMSeek:Basic CMS Detection of over 30 CMSDrupal version detectionAdvanced WordPress ScansDetects VersionUser EnumerationPlugins EnumerationTheme EnumerationDetects Users (3 Detection Methods)Looks for Version Vulnerabilities and much more!Advanced Joomla ScansVersion detectionBackup files finderAdmin page finderCore vulnerability detectionDirectory listing checkConfig leak detectionVarious other checksModular bruteforce systemUse pre made bruteforce modules or create your own and integrate with itRequirements and Compatibility:CMSeeK is built using python3, you will need python3 to run this tool and is compitable with unix based systems as of now. Windows support will be added later. CMSeeK relies on git for auto-update so make sure git is installed.Installation and Usage:It is fairly easy to use CMSeeK, just make sure you have python3 and git (just for cloning the repo) installed and use the following commands:git clone https://github.com/Tuhinshubhra/CMSeeKcd CMSeeKFor guided scanning:python3 cmseek.pyElse:python3 cmseek.py -u […]Help menu from the program:USAGE: python3 cmseek.py (for a guided scanning) OR python3 cmseek.py [OPTIONS] <Target Specification>SPECIFING TARGET: -u URL, –url URL Target Url -l LIST, -list LIST path of the file containing list of sites for multi-site scan (comma separated)USER AGENT: -r, –random-agent Use a random user agent –user-agent USER_AGENT Specify custom user agentOUTPUT: -v, –verbose Increase output verbosityVERSION & UPDATING: –update Update CMSeeK (Requires git) –version Show CMSeeK version and exitHELP & MISCELLANEOUS: -h, –help Show this help message and exit –clear-result Delete all the scan resultEXAMPLE USAGE: python3 cmseek.py -u example.com # Scan example.com python3 cmseek.py -l /home/user/target.txt # Scan the sites specified in target.txt (comma separated) python3 cmseek.py -u example.com –user-agent Mozilla 5.0 # Scan example.com using custom user-Agent Mozilla is 5.0 used here python3 cmseek.py -u example.com –random-agent # Scan example.com using a random user-Agent python3 cmseek.py -v -u example.com # enabling verbose output while scanning example.comChecking For Update:You can check for update either from the main menu or use python3 cmseek.py –update to check for update and apply auto update.P.S: Please make sure you have git installed, CMSeeK uses git to apply auto update.Detection Methods:CMSeek detects CMS via the following:HTTP HeadersGenerator meta tagPage source coderobots.txtSupported CMSs:CMSeeK currently can detect 40 CMSs, you can find the list on cmss.py file which is present in the cmseekdb directory. All the cmss are stored in the following way: cmsID = { ‘name’:’Name Of CMS’, ‘url’:’Official URL of the CMS’, ‘vd’:’Version Detection (0 for no, 1 for yes)’, ‘deeps’:’Deep Scan (0 for no 1 for yes)’ }Scan Result:All of your scan results are stored in a json file named cms.json, you can find the logs inside the Result\<Target Site> directory, and as of the bruteforce results they’re stored in a txt file under the site’s result directory as well.Here is an example of the json report log:Bruteforce Modules:CMSeek has a modular bruteforce system meaning you can add your custom made bruteforce modules to work with cmseek. A proper documentation for creating modules will be created shortly but in case you already figured out how to (pretty easy once you analyze the pre-made modules) all you need to do is this:Add a comment exactly like this # <Name Of The CMS> Bruteforce module. This will help CMSeeK to know the name of the CMS using regex Add another comment ### cmseekbruteforcemodule, this will help CMSeeK to know it is a module Copy and paste the module in the brutecms directory under CMSeeK’s directory Open CMSeeK and Rebuild Cache using U as the input in the first menu. If everything is done right you’ll see something like this (refer to screenshot below) and your module will be listed in bruteforce menu the next time you open CMSeeK.Need More Reasons To Use CMSeeK?If not anything you can always enjoy exiting CMSeeK (please don’t), it will bid you goodbye in a random goodbye message in various languages.Also you can try reading comments in the code those are pretty random and weird!!!Screenshots:Download CMSeeK

Link: http://feedproxy.google.com/~r/PentestTools/~3/vbiJSfGmARQ/cmseek-v107-cms-detection-and.html