Channel: Exploits – Security List Network™

RouterSploit v2.2.0 – Router Exploitation Framework.


Changelog v2.2.0:
New features
+ Validators for exploit’s options to transform its values #89
+ Adding global options (setg command) #97
+ Creating new modules from template #88
+ Additional sub-commands to show command #87
+ “help” command #30
+ Tokenizer #11
+ Ctrl+C new prompt, Ctrl+D rsf kill #90

Bug fixes
+ Disable check in scanner module #85
+ SSHException: Channel closed #81
+ Error 104 : Connection reset by peer #75
+ Multiple minor fixes

New modules
+ routersploit/modules/exploits/dlink/dir_300_645_815_upnp_rce.py
+ routersploit/modules/exploits/dlink/multi_hnap_rce.py
+ routersploit/modules/exploits/dlink/dcs_930l_auth_rce.py
+ routersploit/modules/exploits/dlink/dir_645_815_rce.py
+ routersploit/modules/exploits/thomson/twg850_password_disclosure.py
+ routersploit/modules/exploits/zte/f609_config_disclosure.py
+ routersploit/modules/exploits/thomson/twg849_info_disclosure.py
+ routersploit/modules/exploits/tplink/wdr740nd_wdr740n_backdoor.py
+ routersploit/modules/exploits/multi/ssh_auth_keys.py
+ routersploit/modules/exploits/tplink/wdr740nd_wdr740n_path_traversal.py
+ routersploit/modules/exploits/zte/f460_f660_backdoor.py
+ routersploit/modules/exploits/ipfire/ipfire_proxy_rce.py
+ routersploit/modules/exploits/ipfire/ipfire_shellshock.py
+ routersploit/modules/exploits/3com/3cradsl72_info_disclosure.py
+ routersploit/modules/exploits/3com/ap8760_password_disclosure.py
+ routersploit/modules/exploits/3com/imc_info_disclosure.py
+ routersploit/modules/exploits/3com/imc_path_traversal.py
+ routersploit/modules/exploits/3com/officeconnect_info_disclosure.py
+ routersploit/modules/exploits/3com/officeconnect_rce.py
+ routersploit/modules/exploits/dlink/dir_300_320_600_615_info_disclosure.py
+ routersploit/modules/exploits/2wire/4011g_5012nv_path_traversal.py
+ routersploit/modules/exploits/dlink/dsl_2640b_dns_change.py
+ routersploit/modules/exploits/dlink/dsl_2730b_2780b_526b_dns_change.py
+ routersploit/modules/exploits/dlink/dsl_2740r_dns_change.py
+ routersploit/modules/exploits/shuttle/915wm_dns_change.py
+ routersploit/modules/exploits/cisco/dpc2420_info_disclosure.py
+ routersploit/modules/exploits/cisco/ucm_info_disclosure.py
+ routersploit/modules/exploits/cisco/unified_multi_path_traversal.py
+ routersploit/modules/exploits/cisco/video_surv_path_traversal.py
+ routersploit/modules/exploits/huawei/e5331_mifi_info_disclosure.py
+ routersploit/modules/exploits/huawei/hg530_hg520b_password_disclosure.py
+ routersploit/modules/exploits/huawei/hg630a_default_creds.py
+ routersploit/modules/exploits/huawei/hg866_password_change.py
+ routersploit/modules/exploits/huawei/hg520_info_dislosure.py
+ routersploit/modules/exploits/netcore/udp_53413_rce.py
+ routersploit/modules/exploits/quantum/dxi_privkey.py
+ routersploit/modules/exploits/multi/tcp_32764_info_disclosure.py
+ routersploit/modules/exploits/multi/tcp_32764_rce.py
+ routersploit/modules/exploits/multi/heartbleed.py

routersploit v2.2.0

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aid penetration testing operations:
+ exploits – modules that take advantage of identified vulnerabilities
+ creds – modules designed to test credentials against network services
+ scanners – modules that check if a target is vulnerable to any exploit

Usage:

pacman -S python-requests python-paramiko python-netsnmp (arch linux)
yum install python-requests python-paramiko python-netsnmp (centos/fedora)
sudo apt-get install python-requests python-paramiko python-netsnmp (debian/ubuntu)
git clone https://github.com/reverse-shell/routersploit
pip2 install -r requirements.txt
./rsf.py

Update:
git pull origin master

Source: https://github.com/reverse-shell | Download: v2.2.0.zip | v2.2.0.tar.gz | Our Post before


The Penetration Testers Framework (PTF) v1.8 codename: Tool Depot.


Changelog v1.8, codename Tool Depot:
* added samba-client to ridenum as prereq
* added poshc2 (PR)
* added title for cmd shell (PR)
* added fimap (PR)
* changed install path from hardcoded to {INSTALL_LOCATION} in fimap
* added title setting for terminal window (awesome PR thnx!)
* switched to metasploit nightly installer vs. git direct pull (love you egyp7)
* added full python3 compatibility and tested
* fixed the crackmapexec installer (thanks lawry)
* added so if git was used with BYPASS_UPDATES – it would still do a git pull

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we’ve become accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those “go to” tools that we use on a regular basis, and using the latest and greatest is important.
PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It’s all up to you.
The ultimate goal is community support on this project. We want new tools added to the github repository. Submit your modules. It’s super simple to configure and add them and only takes a few minutes.


Instructions:
First check out the config/ptf.config file, which contains the base location where everything will be installed. By default this is the /pentest directory. Once you have that configured, start PTF by typing ./ptf (or python ptf).
This puts you in a Metasploit-style shell with a similar look and feel for consistency. show modules, use, etc. are all accepted commands. First things first: always type help or ? to see a full list of commands.

Update EVERYTHING!
If you want to install and/or update everything, simply do the following:

./ptf

use modules/install_update_all
run

This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.
You can also type show options to change information about the modules.

Installation using git :

git clone https://github.com/trustedsec/ptf
cd ptf
./ptf

Update:
Just type update in the ptf console.

or download source : v1.8.zip  | v1.8.tar.gz
Source : https://github.com/trustedsec | Our Post Before

tplmap v0.1c – Automatic Server-Side Template Injection Detection and Exploitation Tool.


Changelog 0.1c:
+ core: Fix HTTP verb setting --request
+ utils: Improve --data option with query string format
+ plugins: Adapt Velocity to new Plugin object
+ test: Rename channel tests

Tplmap (short for Template Mapper) is a tool that automates the process of detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities.
+ It can be used by developers, penetration testers, and security researchers to detect and exploit vulnerabilities related to template injection attacks.
+ The technique can be used to compromise web servers’ internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.

Supported template engines: [template-engines image]

Usage:

pip install pyyaml
git clone https://github.com/epinna/tplmap && cd tplmap
./tplmap.py -h

update:
git pull origin master

Source: https://github.com/epinna | Our Post Before

backdoor-apk v0.1.2 is a shell script that simplifies the process of adding a backdoor to any Android APK file.


Changelog v0.1.2 (2016-07-25):
+ Bug Fixes
— Placeholder logic no longer fails on Linux systems configured for 32 bit long values.
+ Miscellaneous
— Added AUTHORS and HISTORY files.

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

backdoor apk v0.1.2

The recompiled APK will be found in the ‘original/dist’ directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection at the specified IP and port.
Usage:

git clone https://github.com/dana-at-cp/backdoor-apk && cd backdoor-apk
./backdoor-apk.sh [your apk file]

Update:
git pull origin master

Now you can upload it using a MITM technique :-) (just for education purposes, right? Yeah... let's rock)

Source: https://github.com/dana-at-cp | Our Post Before

Postex is a Linux post exploitation tool for discovery, backdooring, and lateral movement.


goals
+ run independently of the host environment (no dependence on existing executable utilities, e.g. python, ruby, find)
+ run with minimal likelihood of detection (no execution of potentially detectable commands, e.g. netstat, lsof, who)
+ run fast (parallelized native code)

discovery
+ grab a snapshot of host activity like processes, net connections, arp cache, logged in users, more
+ … do the above over a period of time to get a sense of how the machine is used and by whom
+ detect security controls: A/V & auditd rules
+ grab ssh keys
+ serialize discovery data as JSON for easy consumption later

backdoor
+ modify user’s ssh config to force user to enable connection sharing (ControlMaster) when ssh’ing to remote hosts
features
– add user to the system
– add ssh pubkey to the root user
– execute userspace commands
– extensible…

antiforensics
+ encrypted payload functions
— when the backdoor is at rest (not performing an operation), the interesting pieces of the payload are encrypted in memory. This is accomplished by receiving a command -> decryption -> execution -> re-encryption. The control channel supports OTP: each command sent to the backdoor has the option of providing a new key. The need to re-encrypt with a new key goes away once Diffie-Hellman is implemented for key exchange.
— this feature isn’t useful for an opensource backdoor….um ok. did I mention extensibility?
+ userspace command execution isn’t picked up by auditd or traditional kprobing
I’m debating whether to write a LiME memory dump modifier to tamper with accurate memory dumps. Maybe too devious.

How to detect
+ you’ll have a tainted kernel if you “allow signed modules, but don’t require them”
+ all legitimate kernel modules will need to be signed for an unsigned module to be noticed
— you still need to safely get the fact that the kernel is tainted off the system somehow
— the kernel can be tainted for reasons other than unsigned driver loading, so pay attention to the taint code
+ volatility can show you there’s a netfilter hook in place. you probably aren’t expecting any, so this is usually high signal.
— you can then reverse this piece of the module, but shouldn’t be able to analyze the payload without the key
— unless something like Diffie-Hellman is used for key exchange, you can capture the key over the network to decrypt the payload
+ so it still means you need a memory dump & pcap to analyze the payload
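The detection notes above turn on reading the kernel taint value correctly: an unsigned module sets one specific bit, and several unrelated conditions set others. The following Python decoder is an added example written for this page (it is not part of Postex) and uses the bit assignments documented in the kernel's Documentation/admin-guide/tainted-kernels.rst; it reads /proc/sys/kernel/tainted when available and otherwise falls back to a constructed value so it runs anywhere.

```python
"""Decode the Linux kernel taint bitmask (/proc/sys/kernel/tainted)."""

# Bit assignments from the kernel's Documentation/admin-guide/tainted-kernels.rst.
TAINT_FLAGS = {
    0: ("P", "proprietary module was loaded"),
    1: ("F", "module was force loaded"),
    2: ("S", "kernel running on an out-of-specification system"),
    3: ("R", "module was force unloaded"),
    4: ("M", "processor reported a Machine Check Exception"),
    5: ("B", "bad page referenced or unexpected page flags"),
    6: ("U", "taint requested by a userspace application"),
    7: ("D", "kernel died recently (OOPS or BUG)"),
    8: ("A", "ACPI table overridden by user"),
    9: ("W", "kernel issued a warning"),
    10: ("C", "staging driver was loaded"),
    11: ("I", "workaround for a platform firmware bug applied"),
    12: ("O", "externally-built (out-of-tree) module was loaded"),
    13: ("E", "unsigned module was loaded"),
    14: ("L", "soft lockup occurred"),
    15: ("K", "kernel has been live patched"),
    16: ("X", "auxiliary taint, defined and used by distributions"),
    17: ("T", "kernel built with the struct randomization plugin"),
    18: ("N", "an in-kernel test has been run"),
}
UNSIGNED_MODULE_BIT = 13  # the 'E' flag the detection notes refer to


def decode_taint(value):
    """Return [(bit, letter, meaning), ...] for every flag set in value, lowest bit first."""
    return [(bit, letter, meaning)
            for bit, (letter, meaning) in sorted(TAINT_FLAGS.items())
            if value & (1 << bit)]


def taint_letters(value):
    """Compact form matching the letters dmesg prints, e.g. 'OE'."""
    return "".join(letter for _, letter, _ in decode_taint(value))


def unsigned_module_loaded(value):
    """True only when the unsigned-module bit is set; other taint reasons do not count."""
    return bool(value & (1 << UNSIGNED_MODULE_BIT))


def read_taint(path="/proc/sys/kernel/tainted"):
    """Read the live bitmask; None when the file is unavailable (non-Linux, sandbox)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    live = read_taint()
    # Constructed fallback value: W, O and E set at once (warning + out-of-tree + unsigned).
    value = live if live is not None else (1 << 9) | (1 << 12) | (1 << 13)
    print("taint value: %d  flags: %s" % (value, taint_letters(value) or "none"))
    for bit, letter, meaning in decode_taint(value):
        print("  bit %2d (%s): %s" % (bit, letter, meaning))
    if unsigned_module_loaded(value):
        print("unsigned module loaded: follow up with lsmod and a memory capture")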

lateral movement
+ piggy back on forwarded ssh credentials (ssh-agent reuse)
+ piggy back on existing ssh connections that have connection sharing enabled (ssh connection reuse)

use and download:

git clone https://github.com/unixist/postex && cd postex
cd discovery
go build
cd cmd
go run snappy.go --av | jq '.[] | select(.Name == "Antivirus")|.Values[].Name'
"OSSEC"
"Sophos"
"Tripwire"
"Samhain"


For the backdoor:
cd persistence
make
Add a public key to the root user's /root/.ssh/authorized_keys file:
$ echo 'key:0124812401:1111111111:2' | nc -u $host 8001
then load all the .ko modules

Source: https://github.com/unixist

ysoserial v0.0.5 ~ A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.


Changelog v0.0.5-git:
+ More Payloads
+ Fix Jython1 Breaking Java 6
+ Some minor improvements
+ payloads: Don’t use API introduced in Java 7.

ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

ysoserial borderline-beta

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

Dependencies:
– Maven
– Java JDK 7 or later
– git

Download, Building & Using from git:

git clone https://github.com/frohoff/ysoserial && cd ysoserial
mvn clean package -DskipTests
cd target
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections1 calc.exe | xxd

Update from git:
git pull origin master

or stable release

Download : v0.0.4.tar.gz  | v0.0.4.zip | ysoserial-0.0.4-all.jar
Source : https://github.com/frohoff | Our Post Before

EmPyre v1.2 – A post-exploitation OSX/Linux agent.


Changelog 07/28/2016 – RELEASE 1.2:
===============================
– Revised release revision scheme
– Upload/Download compression added by @killswitch_gui and @damglorious
– Chainbreaker added by @killswitch_gui
– EmPyre listens on 0.0.0.0 when unable to bind to provided IP @imaibou
– Checks for existing database info when setup is run. Will drop tables and reset with each setup run. @jaredhaight
– @killswitch_gui updated the clipboard monitor by adding timed runs
– Fixed pip issue for clean VPS installs

EmPyre v1.2

EmPyre is a pure Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture. It is based heavily on the controller and communication structure of Empire.
Key negotiation
+ KEYs = staging key, set per server (used for RC4 and initial AES comms)
+ KEYn = the DH-EKE negotiated key
+ PUBc = the client-generated DH public key
+ PUBs = the server-generated DH public key

empyre - python post exploitation agent

The process is as follows:
1. client runs launcher.py, which GETs stager.py from /stage0; launcher.py implements a minimized RC4 decoding stub and the negotiation key
2. server returns RC4(KEYs, stager.py) (key negotiation stager); stager.py contains minimized DH and AES
3. client generates DH key PUBc and POSTs HMAC(AES(KEYs, PUBc)) to /stage1; server generates a new DH key on each check-in
4. server returns HMAC(AES(KEYs, nonce+PUBs)); client calculates shared DH key KEYn
5. client POSTs HMAC(AES(KEYn, [nonce+1]+sysinfo)) to /stage2
6. server returns HMAC(AES(KEYn, patched agent.py))
7. client sleeps on interval, and then GETs /tasking.uri
8. if no tasking, server returns a standard-looking page
9. if tasking, server returns HMAC(AES(KEYn, tasking))
10. client POSTs HMAC(AES(KEYn, tasking)) to /response.uri

Download using git:

git clone https://github.com/adaptivethreat/EmPyre && cd EmPyre
cd setup
./setup.sh or sh setup.sh

Update:
git pull origin master

Download: 1.0.0.zip  | 1.0.0.tar.gz | Our Post Before
Source: https://github.com/adaptivethreat

TheFatRat – Backdoor Creator For Remote Access.


What is FatRat ??
An easy tool for generating backdoors with msfvenom (part of the Metasploit Framework). It compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a Windows host; the compiled C program is intended to bypass most AV.
Automating metasploit functions:
+ Checks for metasploit service and starts if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android and Mac and another
+ Start multiple meterpreter reverse_tcp listners
+ Fast Search in searchsploit
+ Bypass AV
+ Drop into Msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This tool has been fully tested on Kali Linux 2.0 & Rolling 2016.1.

Download & Usage:

git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat

Source: https://github.com/Screetsec


ATSCAN v9.8 stable – perl script for Search / Server / Site / Dork / Exploitation Scanner.


Changelog v9.8:
+ Removed --ports argument; now use --port --udp | --tcp
+ Add posibility to execute extern command with open ports.
+ Add range query string.
+ Fix decode base64 bug.

atscan

atscan v9.8

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

Libraries to install:
apt-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works on Linux platforms. Best run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, CentOS | if you use Windows you can download manually.

Examples:
Simple search:
Search: --dork [dork] --level [level]
Search + get ip: --dork [dork] --level [level] --ip
Search + get ip + server: --dork [dork] --level [level] --ip --server
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search + get ip+server: --dork [dorks.txt] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]

Subscan from Search Engine:
Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp …
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp …
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp …

Validation:
Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:
-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ..

Server:
Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomfri --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp + tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:
Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:
--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x install.sh
./install.sh
atscan

Update:
atscan --update

Source : https://github.com/AlisamTechnology | Our Post Before Download: v9.8.zip | v9.8.tar.gz

Brosec v1.1 – An interactive reference tool to help security professionals utilize useful payloads and commands.


Changelog v1.1:
++ Features
– Full Windows Support added
– Better documentation added to the new wiki
– Simplified install process. Once you have nodejs installed just run npm install -g Brosec
– bros encode module added (realtime encoder/decoder)
– bros ftp now supports auth via --username and --password parameters.
– New SQLi Polyglots added to bros 43
– New XSS payloads bros 42 (bros 424 Credit to @0xsobky)
++ Dependencies
– Removed kexec dependency that was used to run netcat listeners (replaced by modules/nc.js) — this greatly reduces the complexity of Brosec and makes it easier to install.
++ Bug fixes
– Lots and lots of bug fixes…and probably new bugs introduced ;p

Brosec binaries are created using enclosejs(http://enclosejs.com/)
The binaries are not fully supported and are available as a convenience only (for example, bros encode in the Windows binary isn’t working). The binaries are handy if you just want to quickly try out Brosec, or if you need to deploy a quick http/ftp server during an engagement.

brosec-1.1

brosec v1.1

Brosec – An interactive reference tool to help security professionals utilize useful payloads and commands.

Brosec - Console

Brosec – Console

Overview :
– Brosec is a RTFM-like utility to help Security Bros remember complex but useful payloads and commands
– Brosec utilizes saved variables (set by you) to create custom payloads on the fly. This config info is stored in a local db for your convenience
– Brosec outputs payloads and copies it to your clipboard in order to make your pentesting even more magical
– Your current config can be accessed by the config command at any time, or by entering the variable name
– Config values can be changed at any time by entering set <variable> <value>
– You can navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
Ex: bros 412 – This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Installation
Mac
+ brew install node netcat – Install Nodejs and netcat (or nc, ncat, etc)
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
+ cd Brosec && npm install – cd into the directory and install npm dependencies

Linux
+ <package manager> install node build-essential g++ xsel netcat – Install Nodejs and other dependencies
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
+ cd Brosec && npm install – cd into the directory and install npm dependencies

Windows (Unsupported)
+ Install nodejs
+ Install ncat
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
Payloads that utilize netcat will not work due to the kexec library not being supported in Windows

Configuration:
Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable.
Payload Variables:
+ LHOST : Local IP or name
+ LPORT : Local IP or name
+ RHOST : Remote IP or name
+ RPORT : Remote IP or name
+ USER : Username (only used in a few payloads)
+ PROMPT : User Prompt (This isn’t a stored value. Instead, payloads with this variable will prompt for input.)

Download Using Git for Ubuntu/Debian/Kali:

git clone https://github.com/gabemarshall/Brosec && cd Brosec
apt-get install npm build-essential g++ xsel
npm install -g n
npm install -g Brosec

Download stable version:
bros-1.1-darwin-x86_64.tar.gz
bros-1.1-linux-x86.tar.gz
bros-1.1-linux-x86_64.tar.gz
bros-1.1-Win-x86_64.zip
Source: https://github.com/gabemarshall | Our Post Before

oxml_xxe – A tool for embedding XXE/XML exploits into different filetypes.


Latest Change 8/4/2016:
– server.rb: added file overwrite.
– use browser Payload building.
– add blank db
– updated to views
– defcon updates

This tool is meant to help test XXE vulnerabilities in file formats. Currently supported:
– DOCX/XLSX/PPTX
– ODT/ODG/ODP/ODS
– SVG
– XML
– PDF (experimental)
– JPG (experimental)
– GIF (experimental)

* Options Menu
+ Build a File
+ Build PDF/GIF/JPG PoC (Experimental)
+ String Replace in a File
+ XSS/String Entity in File
+ Overwrite file inside DOCX/etc.
+ List Previously Built Files
+ Display OXML Contents

string replace file

string replace file

String Replace in File
String replacement mode looks for the symbol § in the document and replaces every instance of it with the XML entity (“&xxe;”). You can open the document and insert § anywhere to have it replaced. The common use case is a web application that reads in an xlsx and then prints the results to the screen; by exploiting the XXE, the entity's contents would be printed to the screen.
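The upload-then-render application described above is the place to stop this class of document before any XML parser sees it. The following Python pre-parse gate is an added defensive example written for this page (it is not oxml_xxe's own code): it walks the zip container of an OOXML or ODF upload and rejects any part that declares a DOCTYPE or ENTITY, which office suites never emit. The docx-like package it checks is constructed inline, with a placeholder path in the entity, so the block runs offline.

```python
"""Pre-parse check for OOXML/ODF uploads: reject parts that declare a DTD or entity."""
import io
import re
import zipfile

# Office suites never emit DOCTYPE or ENTITY declarations in package parts, so their
# presence is the signature of an injected entity such as the "&xxe;" described above.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
XML_SUFFIXES = (".xml", ".rels")


def scan_package(data):
    """Return the names of package parts that contain a DOCTYPE/ENTITY declaration.

    Raises ValueError for data that is not a zip container.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(XML_SUFFIXES):
                    continue
                if DTD_MARKER.search(zf.read(info.filename)):
                    findings.append(info.filename)
    except zipfile.BadZipFile as exc:
        raise ValueError("upload is not a zip-based document") from exc
    return findings


def safe_to_parse(data):
    """Gate an upload: True only if no part carries a DTD."""
    return not scan_package(data)


def build_sample(inject):
    """Constructed docx-like package for the demo (not a real Word file).

    With inject=True the document part declares an external entity and references
    it where the § placeholder would have been replaced.
    """
    body = '<?xml version="1.0" encoding="UTF-8"?>'
    if inject:
        # The SYSTEM path is a placeholder; only the declaration matters to the check.
        body += '<!DOCTYPE w:document [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
    body += ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
             '<w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p></w:body></w:document>'
             % ("&xxe;" if inject else "hello"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("injected", build_sample(True))):
        print("%-8s -> findings: %s" % (label, scan_package(doc) or "none"))
```

Run the gate on the raw upload bytes before the document is handed to any spreadsheet or XML library; a non-empty result is reason to reject the file and log the part name.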

Usage & Download from git Debian/Ubuntu:

sudo apt-get install libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc
git clone https://github.com/BuffaloWill/oxml_xxe && cd oxml_xxe
sudo gem install bundler
bundle install

ruby server.rb
Open Browser at localhost:4567 (ctrl + C to stop)

Upgrade:
git pull origin master

Source: https://github.com/BuffaloWill | Our Old Post Here

JMET – The Java Message Exploitation Tool.


Disclaimer:
JMET is a proof-of-concept tool for blackbox testing of JMS destinations. Please use this tool with care and only when authorized. Be aware that sending an invalid message to a JMS destination might result in a denial-of-service state (DoS) of the target system. You have been warned !!!
We publish it again for learning about Java deserialization vulnerabilities and for non-commercial use.

JMET was released at Blackhat USA 2016 and is an outcome of Code White’s research effort presented in the talk “Pwning Your Java Messaging With Deserialization Vulnerabilities”. The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk, more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage). The following more or less complete list shows the vulnerable JMS broker client libraries:
* Apache ActiveMQ
* Redhat/Apache HornetQ
* Oracle OpenMQ
* IBM WebSphereMQ
* Oracle Weblogic
* Pivotal RabbitMQ
* IBM MessageSight
* IIT Software SwiftMQ
* Apache ActiveMQ Artemis
* Apache QPID JMS
* Apache QPID Client
* Amazon SQS Java Messaging
For creating gadget payloads JMET makes use of Chris Frohoff’s ysoserial.

jmet helper

jmet helper

Supported JMS client libraries
* Apache ActiveMQ
* Redhat/Apache HornetQ
* Oracle OpenMQ
* IBM WebSphereMQ
* Pivotal RabbitMQ
* IIT Software SwiftMQ
* Apache ActiveMQ Artemis
* Apache QPID JMS
* Apache QPID Client

Example Jmet

Example Jmet

Dependencies:
– Maven
– Java JDK 7 or later
– JMET depends on a lot of libraries; for details see the Maven pom file.

Download and Use From git:

wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar

or build
git clone https://github.com/matthiaskaiser/jmet && cd jmet
Please put the following libraries of the commercial brokers into a directory of your choice (e.g. DIR).
com.ibm.mq.allclient.jar (WebSphere MQ)
amqp.jar (SwiftMQ)
jms.jar (SwiftMQ)
swiftmq.jar (SwiftMQ)

Then invoke maven with the property "commercial" set to your path.
export MAVEN_OPTS=-Xss10m
mvn clean compile assembly:single -Dcommercial=DIR

If you don't want to use the commercial brokers at all you can just delete the following files:
src/main/java/de/codewhite/jmet/target/impl/WebSphereMQTarget.java
src/main/java/de/codewhite/jmet/target/impl/SwiftMQTarget.java

export MAVEN_OPTS=-Xss10m
mvn clean compile assembly:single

Source: https://github.com/matthiaskaiser | Download Stable version: jmet-0.1.0-all.jar

TheFatRat v1.2 codename:xenogenesis – Backdoor Creator For Remote Access.


Changelog v1.2:
* FUD BACKDOOR WITH AVOID 1.2 added.
++ METASPLOIT SHELL A.V. FOR BYPASS AV VERSION 2.1

TheFatRat v1.2

TheFatRat v1.2

What is FatRat ??
An easy tool for generating backdoors with msfvenom (part of the Metasploit Framework). It compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a Windows host; the compiled C program is intended to bypass most AV.
Automating metasploit functions:
+ Checks for metasploit service and starts if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android and Mac and another
+ Start multiple meterpreter reverse_tcp listners
+ Fast Search in searchsploit
+ Bypass AV
+ Drop into Msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This tool has been fully tested on Kali Linux 2.0 & Rolling 2016.1.

Download & Usage:

git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat

Note From Us:
Before updating with git pull origin master,
please remove the old fatrat & powerfull.sh: rm -f fatrat powerfull.sh
then type in the console:
git pull origin master

Source: https://github.com/Screetsec | Our Post Before

hackutils – a python script for hacking toolkit, penetration test and web security research.


[!] legal disclaimer:
Usage of hackUtils for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Changelog v0.2 :
* 2016.08.08 Add exploit module for Apache Shiro 1.2.4 Remote Code Execution.
* 2016.04.26 Add exploit module for Struts 2 (S2-032) Remote Code Execution.
* 2016.03.10 Modify exploit payload for XStream (Jenkins CVE-2016-0792) Remote Code Execution.

hackUtils

hackUtils v0.2

hackutils is a python script for hacking toolkit, penetration test and web security research, which is based on BeautifulSoup bs4 module

Dependencies:
+ Python 2.7.x
+ Java 7 or later
+ pip
+ git
Platform: ALL linux/Unix and MAC OSX support.

Usage and Download from git:

git clone https://github.com/brianwrf/hackUtils && cd hackUtils
pip install beautifulsoup4
easy_install beautifulsoup4
python hackUtils.py -h

Upgrade:
git pull origin master

Source: https://github.com/brianwrf

Brosec v1.1.6 – An interactive reference tool to help security professionals utilize useful payloads and commands.


Changelog v1.1.6 (August 8, 2016):
* Features:
++ Encoder
+-+ Added md5, sha1, sha256 hashing methods
++ Payloads
+-+ Added Add user to remote desktop group to bros 31 category
+-+ Added prompts to several bros 31 (Windows System Info) payloads.
++ Bug Fixes!
+-+ Fixed an issue that would cause Brosec to prematurely exit when a payload with a menu option value greater than 9 was requested from the command line. For example, the bros 3 > 1 > 11 payload (Windows payload to search the registry for a specific value) would exit prematurely if bros 3111 was entered from the command line.
+-+ Minor fixes to a few Windows payloads that were using a deprecated Brosec syntax.

bros encoding

Brosec – Console

Overview :
– Brosec is an RTFM-like utility to help Security Bros remember complex but useful payloads and commands
– Brosec utilizes saved variables (set by you) to create custom payloads on the fly. This config info is stored in a local db for your convenience
– Brosec outputs payloads and copies them to your clipboard in order to make your pentesting even more magical
– Your current config can be accessed by the config command at any time, or by entering the variable name
– Config values can be changed at any time by entering set <variable> <value>
– You can navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
Ex: bros 412 – This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Installation
Mac
+ brew install node netcat – Install Nodejs and netcat (or nc, ncat, etc)
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
+ cd Brosec && npm install – cd into the directory and install npm dependencies

Linux
+ <package manager> install node build-essential g++ xsel netcat – Install Nodejs and other dependencies
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
+ cd Brosec && npm install – cd into the directory and install npm dependencies

Windows (Unsupported)
+ Install nodejs
+ Install ncat
+ git clone https://github.com/gabemarshall/Brosec.git – Clone Brosec repo
Payloads that utilize netcat will not work because the kexec library is not supported on Windows.

Configuration:
Brosec stores configuration values in a local JSON db file. The default storage location is /var/tmp, but it can be changed by editing the settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable.
Payload Variables:
+ LHOST : Local IP or name
+ LPORT : Local IP or name
+ RHOST : Remote IP or name
+ RPORT : Remote IP or name
+ USER : Username (only used in a few payloads)
+ PROMPT : User Prompt (This isn’t a stored value. Instead, payloads with this variable will prompt for input.)

Download Using Git for Ubuntu/Debian/Kali:

git clone https://github.com/gabemarshall/Brosec && cd Brosec
apt-get install npm build-essential g++ xsel
npm install -g n
npm install -g Brosec

Download stable version:
bros-1.1-darwin-x86_64.tar.gz
bros-1.1-linux-x86.tar.gz
bros-1.1-linux-x86_64.tar.gz
bros-1.1-Win-x86_64.zip
Source: https://github.com/gabemarshall | Our Post Before


exploitpack ra v5.4 – list your new exploit on Exploit Pack you will need.

Latest Changelog ra v5.4:
* Java DOc for all
* Better UI
* More Payload

Exploitpack ra v5.4

ExploitPack has been designed by an experienced team of software developers and exploit writers to automate processes so that penetration testers can focus on what’s really important: the threat. This blend of software engineers and subject matter experts provides a unique advantage by combining technical know-how with true insight into the problem set, resulting in more efficient solutions for cyber security surveillance.

Latest change 9/1/2016: Check for interpreter path

========================
Installation notes:
========================

Windows:
Download and install Java 8 from Oracle:
Windows Java SE: Java 8 for 32 bits or Java 8 for 64 bits
After you have installed Java 8 on your machine, double click ExploitPack.jar or run this command from a console: “java -jar ExploitPack.jar”

Linux:
Under any Linux distribution that supports DEB packages (Ubuntu, Debian, Kali, etc.) you can run the following commands to install Java 8 from an official repository.
Copy and paste the following in a terminal window:

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" >> /etc/apt/sources.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main" >> /etc/apt/sources.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
sudo apt-get update
sudo apt-get install oracle-java8-installer

OSX:
Download and install Java 8 for OSX 32/64 bits from Oracle: OSX Java 8 32/64 bits
After you have Java 8 installed on your Mac, double click ExploitPack.jar to run it, or from a console: “java -jar ExploitPack.jar”

========================
BUILD OUTPUT DESCRIPTION
========================

When you build a Java application project that has a main class, the IDE automatically copies all of the JAR files on the project's classpath to your project's dist/lib folder. The IDE also adds each of the JAR files to the Class-Path element in the application JAR file's manifest file (MANIFEST.MF).

To run the project from the command line, go to the dist folder and type the following:

java -jar "ExploitPack.jar"

To distribute this project, zip up the dist folder (including the lib folder) and distribute the ZIP file.

Notes:
* If two JAR files on the project classpath have the same name, only the first JAR file is copied to the lib folder.
* Only JAR files are copied to the lib folder. If the classpath contains other types of files or folders, these files (folders) are not copied.
* If a library on the project's classpath also has a Class-Path element specified in its manifest, the content of that Class-Path element has to be on the project's runtime path.
* To set a main class in a standard Java project, right-click the project node in the Projects window and choose Properties. Then click Run and enter the class name in the Main Class field. Alternatively, you can manually type the class name in the manifest Main-Class element.

Usage Debian/Kali 2.0/Ubuntu:

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" >> /etc/apt/sources.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main" >> /etc/apt/sources.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
sudo apt-get update
sudo apt-get install oracle-java8-installer

git clone https://github.com/juansacco/exploitpack && cd exploitpack
java -jar ExploitPack.jar

Upgrade:
git pull origin master

Source: http://exploitpack.com | https://github.com/juansacco | Our Post Before

PenBox v2 – A Penetration Testing Framework.

Changelog v2:
+ Adding tools Shellnoob
+ Adding tools jboss-autopwn
+ adding sniper: recon
+ added Get server banner
+ added Bypass Cloudflare
+ added BruteX – Automatically brute force all services running on a target.
+ added XSStracer – checks remote web servers for Clickjacking, Cross-Frame Scripting, Cross-Site Tracing and Host Header Injection.
+ and more..

penbox v2

PenBox is a Penetration Testing Framework, "The Hacker’s Repo": our hope is that the last version will have every script a hacker needs.
Information Gathering:
* nmap
* Setoolkit
* Port Scanning
* Host To IP
* wordpress user enumeration
* CMS scanner
* XSStracer – checks remote web servers for Clickjacking, Cross-Frame Scripting, Cross-Site Tracing and Host Header Injection
* Doork – Google Dorks Passive Vulnerability Auditor

Password Attacks:
* Cupp
* Ncrack

Wireless Testing:
* reaver
* pixiewps

Exploitation Tools:
* Venom
* sqlmap
* Shellnoob
* commix
* FTP Auto Bypass
* jboss-autopwn

Sniffing & Spoofing:
* Setoolkit
* SSLtrip
* pyPISHER
* SMTP Mailer

Web Hacking:
* Drupal Hacking
* Inurlbr
* WordPress & Joomla Scanner
* Gravity Form Scanner
* File Upload Checker
* WordPress Exploit Scanner
* WordPress Plugins Scanner
* Shell and Directory Finder
* Joomla! 1.5 – 3.4.5 remote code execution
* Vbulletin 5.X remote code execution
* BruteX – Automatically brute force all services running on a target

Private Tools:
* Get all websites
* Get joomla websites
* Get wordpress websites
* Find control panel
* Find zip files
* Find upload files
* Get server users
* Scan from SQL injection
* Scan ports (range of ports)
* Scan ports (common ports)
* Get server banner
* Bypass Cloudflare

Post Exploitation:
* Shell Checker
* POET

Recon:
* Sniper

Usage:

git clone https://github.com/x3omdax/PenBox && cd PenBox
python penbox.py

Update:
git pull origin master

Source: https://github.com/x3omdax | Our Post Before

redisMassExploit – script to collect hosts installed redis (using Shodan search engine) and exploit them.

redisMassExploit is a python 2 script to collect hosts with redis installed (using the Shodan search engine) and exploit them.

Dependencies:
+ Shodan Account
+ SSH
+ python 2

redisMassAttack

How to use:
* Use shodanCollector first to get a list of hosts with redis installed (it collected more than 2000 IPs at my execution time). (I removed most of the hosts in this repo due to security concerns.)
* Copy the archived IP list to the “targets” file (in the proper format) and run massAttack!!!

shodan redis collector

Usage:

git clone https://github.com/giaplv57/redisMassExploit && cd redisMassExploit
edit shodanCollector.py (your account & password)
Copy the archived IP list to the "targets" file
then run python massAttack.py

Source: https://github.com/giaplv57

[!] legal disclaimer:
Usage of redisMassExploit for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

RouterSploit v2.2.1 – Router Exploitation Framework.

Changelog v2.2.1:
* New features
++ Threaded support for scanners which makes them waaay faster! (see the scanners/autopwn implementation, https://github.com/reverse-shell/routersploit/blob/master/routersploit/modules/scanners/autopwn.py, for details).

RouterSploit v2.2.1

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aid penetration testing operations:
+ exploits – modules that take advantage of identified vulnerabilities
+ creds – modules designed to test credentials against network services
+ scanners – modules that check if a target is vulnerable to any exploit

Usage:

pacman -S python-requests python-paramiko python-netsnmp (arch linux)
yum install python-requests python-paramiko python-netsnmp (centos/fedora)
sudo apt-get install python-requests python-paramiko python-netsnmp (debian/ubuntu)
git clone https://github.com/reverse-shell/routersploit && cd routersploit
pip2 install -r requirements.txt
./rsf.py

Update:
git pull origin master

Source: https://github.com/reverse-shell | Download: v2.2.1.zip | v2.2.1.tar.gz | Our Post before

l0l a exploit development kit.

l0l is an exploit development kit with C++ language scripting.
Features:
* Shellcodes
Windows
============
+ windows/exec
+ windows/messagebox

* Backdoors
Scripting Payloads
====================
+ backdoors/unix/python/reverse_tcp
+ backdoors/unix/perl/reverse_tcp
+ backdoors/unix/bash/reverse_tcp
+ backdoors/unix/ruby/reverse_tcp
+ backdoors/windows/asm/reverse_tcp
+ backdoors/windows/ps/reverse_tcp

* Injector
* Encoders

l0l

Dependencies and requirements:
+ Windows OS with MinGW with full C++ compiler
+ Gnu Linux with full C++ Compiler
+ git
+ python2

Usage:

git clone https://github.com/roissy/l0l && cd l0l
make
./lol
l0l.exe

Upgrade:
git pull origin master

Source: https://github.com/roissy
