This is a PoC demonstrating techniques exploiting CVE-2016-5696 Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao
Short Abstract:
The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond, and affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%. Finally, we propose changes to both the TCP specification and implementation to eliminate the root cause of the problem.

mountain_goat

Usage and DOwnload from git:

git clone https://github.com/Gnoxter/mountain_goat && cd mountain_goat
make
gcc -g -o mountain_goat mountain_goat.c layers.c -l pcap -std=gnu99
./mountain_goat

Source: https://github.com/Gnoxter

THE SOFTWARE IS FOR EDUCATIONAL AND RESEARCH PURPOSES. IT MAY CAUSE UNEXPECTED AND UNDESIRABLE BEHAVIOUR TO OCCUR AND MAY DISTRUPT NORMAL OPERATION OF MACHINES AND NETWORK EQUIPMENT. IT IS THE USERS RESPONSIBILITY TO ENSURE AN EDQUATE ENVIRONMENT THAT DOES NOT AFFECT ANY THIRD PARTY.

Changelog PS>Attack Build Tool v1.6:
What’s New
++ New “UI”
++ Implemented generated strings to be passed into PS>Attack when compiled.

What does it do?
The PS>Attack Build Tool downloads the latest release of PS>Attack, downloads a bunch of offensive PowerShell tools, encrypts them with a unique key, bundles all of that together and compiles it into a standalone exe.
The end result is a self contained PowerShell attack kit thats custom made for you.

What do you need to make it work
+ You need full versions of .NET 4.6.1 and .NET 3.5. 4.6.1 is used to run the PS>Attack Build Tool, 3.5 is used to build PS>Attack. By using 3.5 for PS>Attack we end up with an executable that work on anything from a fresh Windows 7 install on up. You can find .NET versions here
Caveats
+ Right now the PS>Attack Build Tool downloads the various PS1 files for its modules to disk. This can trip AV. If AV blocks downloading these PS1 files, the build of PS>Attack will ultimately fail.

It downloads files to %appdata%\PSAttackBuildTools, so you may want to whitelist that folder in your AV.

psattack

What does the PS>Attack Build Tool do?
The build tool downloads the latest version of PS>Attack and the latest versions of tools that is uses (PowerSploit, Powercat, Inveigh, etc) and encrypts them with a custom key. It then compiles everything, producing a custom version of PS>Attack that’s up to date and consists of unique file signatures, making it very difficult for Antivirus and Incident Response teams to find.

PS>Attack
PS>Attack is a self contained custom PowerShell console that comes with a lot of the latest and greatest offensive PowerShell tools. It’s designed to make it very easy for Pentesters to incorporate PowerShell into their workflow. It’s suitable to be used on live engagements as it’s capable of evading Antivirus and Incident Response teams with the following tricks.
+ It doesn’t rely on powershell.exe. Instead it calls powershell directly through the .NET framework.
+ The modules that are bundled with the exe are encrypted. When PS>Attack starts, they are decrypted into memory. The unencrypted payloads never touch disk, making it difficult for most antivirus engines to find them.
+ When generated by the PS>Attack Build Tool, the payloads are encrypted with a unique key. This means that the generated executable’s signature changes each time it’s created.

Download: PSAttackBuildTool.zip
Source: https://github.com/jaredhaight

shellcode for execve penetration test.

Main Program:
1. exec /bin/sh with shellcode.
2. call sys_exit with shellcode.

debugging with gef

Dependencies:
+ Gcc on Gnu/Linux
+ gdb

exec /bin/sh with shellcode:
————————————-
Steps
(1) Compile: ” gcc shell.c -o shell ”
(2) Find the start and end of shellcode in shell: ” objdump -d shell | sed -n ‘/shell_start/,/shell_end/p’ ”
In my code, shell_begin is 0x3de, shell_end is 0x3f8
(3) Find length of expected shellcode: ” echo $((0x3f8-0x3de)) ”
The length is 26 and we will choose 32 which is the multiple of 8.
(4) Round the shellcode length to 32 (next multiple of 8) and use xxd to convert the binary to char: ” xxd -s0x3de -l32 -p shell shellcode ”
(5) Compile the run program (make it executable via “chmod 755 cmpshell.sh”) ” ./cmpshell.sh ”
(6) Attack our vulnerable program (also disable ASLR) and get a bash shell ” ((cat shellcode | xxd -r -p) ; cat) | setarch arch -R ./victim ”

Note:
1. There is no prompt in the shell because the standard input is provided by cat, and not the terminal (/dev/tty).
2. shellcode should not contain any NULL.

call sys_exit with shellcode:
————————————-
Steps
(1) Compile: ” gcc shell.c -o shell ”
(2) Find the start and end of shellcode in shell: ” objdump -d shell | sed -n ‘/shell_start/,/shell_end/p’ “In my code, shell_start is 0x3de, shell_end is 0x3e6
(3) Find length of expected shellcode: ” echo $((0x3e6-0x3de)) ”
(4) Use xxd to convert the binary to char (length exactly 8 bytes): ” xxd -s0x3de -l8 -p shell shellcode ”
(5) Compile the run program (make it executable via “chmod 755 cmpshell.sh”) ” ./cmpshell.sh ”
(6) Attack our vulnerable program (also disable ASLR)– result: the current process is terminated ” ((cat shellcode | xxd -r -p) ; cat) | setarch arch -R ./victim ”

Note:
1. shellcode should not contain any NULL.

Usage & Download from git:

git clone https://github.com/harryskon/shellcode && cd shellcode
open directory inside shellcode folder then compile and run one by one

Source: https://github.com/harryskon

Changelog tplmap v0.2:
* Exploitation of Dust.js template engine.
* Fix command execution payloads for Velocity template engine as suggested by @henshin.
* Exploitation of generic code injections for Python, JavaScript and PHP applications.
* Improve how to select the injection points via the command line.

tplmap v0.2

Tplmap (short for Template Mapper) is a tool that automate the process of detecting and exploiting Server-Side Template Injection vulnerabilities (SSTI).
+ This can be used by developers, penetration testers, and security researchers to detect and exploit vulnerabilities related to the template injection attacks.
+ The technique can be used to compromise web servers’ internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.

Supported template engines:Usage:

pip install yaml
git clone https://github.com/epinna/tplmap && cd tplmap
./tplmap.py -h

update:
git pull origin master

Download: v0.2.zip  | v0.2.tar.gz
Source: https://github.com/epinna | Our Post Before

Changelog exploitpack v6.0 GhostHunter:
+ 380 Exploit Modules
+ Porting; Reverse Shell listener on port 1234
+ Mainframed exploit modules added.

exploitpack v6.0

Exploitpack ra v5.4

ExploitPack has been designed by an experienced team of software developers and exploit writers to automate processes so that penetration testers can focus on what’s really important. The threat. This blend of software engineers and subject matter experts provides an unique advantage by combining technical know-how with true insight into the problem set, resulting in more efficient solutions for cyber security surveillance.

Latest change 9/1/2016: Check for interpreter path

========================
Installation notes:
========================

Windows:
Download and install Java 8 from Oracle:
Windows Java SE Java 8 for 32 bits or Java 8 for 64 bits
After you have installed Java 8 in your machine, double click ExplotPack.jar or from a console run this command: “java -jar ExploitPack.jar”

Linux:
Under any Linux distribution that supports DEB packages like Ubuntu, Debian, Kali, etc. you can run the following commands to install Java 8 from an official repository
Copy and paste the following in a terminal window:

echo “deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main” >> /etc/apt/sources.list
echo “deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main” >> /etc/apt/sources.list
sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys EEA14886
sudo apt-get update
sudo apt-get install oracle-java8-installer

OSX:
Download and install Java 8 for OSX 32/64 bits from Oracle: OSX Java 8 32/64 bits
After you have Java 8 installed in your Mac, double click ExploitPack.jar to run it or from a console: “java -jar ExploitPack.jar”

========================
BUILD OUTPUT DESCRIPTION
========================

When you build an Java application project that has a main class, the IDE automatically copies all of the JAR
files on the projects classpath to your projects dist/lib folder. The IDE also adds each of the JAR files to the Class-Path element in the application JAR files manifest file (MANIFEST.MF).

To run the project from the command line, go to the dist folder and type the following:

java -jar “ExploitPack.jar”

To distribute this project, zip up the dist folder (including the lib folder) and distribute the ZIP file.

Notes:
* If two JAR files on the project classpath have the same name, only the first JAR file is copied to the lib folder.
* Only JAR files are copied to the lib folder. If the classpath contains other types of files or folders, these files (folders)
are not copied.
* If a library on the projects classpath also has a Class-Path element specified in the manifest,the content of the Class-Path element has to be on the projects runtime path.
* To set a main class in a standard Java project, right-click the project node in the Projects window and choose Properties. Then click Run and enter the class name in the Main Class field. Alternatively, you can manually type theclass name in the manifest Main-Class element.

Usage Debian/Kali 2.0/Ubuntu:

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" >> /etc/apt/sources.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main" >> /etc/apt/sources.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
sudo apt-get update
sudo apt-get install oracle-java8-installer

git clone https://github.com/juansacco/exploitpack && cd exploitpack
java -jar ExploitPack.jar

Upgrade:
git pull origin master

Source: http://exploitpack.com | https://github.com/juansacco | Our Post Before

Changelog the Fatrat v1.5:
– Add PE file for example
– Add featrues embed backdoor with backdoor-factory
– Recoded function cmsfvenom
– Add some Variables ( pwd , Version ,Codename )
– Added script function gboor ( checked if your command is correct)
– Added script function spinner for randoom seed generator from avoid
– Added script function spinner metasploit generator from avoid
– Added autorun script when create listener
– Remove cd “output”
– Change the script ouput when msfvenom create
– Change name ( optional ) ouput when you create backdoor
– Added script for Cleanning

TheFatRat v1.5

What is FatRat ??
Easy tool for generate backdoor with msfvenom ( part of metasploit framework ) and program compiles a C program with a meterpreter reverse_tcp payload In it that can then be executed on a windows host Program to create a C program after it is compiled that will bypass most AV.
Automating metasploit functions:
+ Checks for metasploit service and starts if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android and Mac and another
+ Start multiple meterpreter reverse_tcp listners
+ Fast Search in searchsploit
+ Bypass AV
+ Drop into Msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This Tools/Software has been totally test in Kali Linux 2.0 & Rolling 2016.1

Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat

Note From Us:
Before updating using git pull origin master
please remove old fatrat & powerfull.sh : rm -f fatrat | rm -f powerfull.sh
then typing on console:
git pull origin master

Source: https://github.com/Screetsec | Our Post Before

Changelog drozer v2.4.0:
+ Fixed bug in sharedUID package search
+ Fixed bug in web delivery page
+ Fixed bug in busybox path
+ Updated busybox for PIE Support
+ Referenced aapt-osx in setup script
+ Added pyyaml support for latest apktool
+ Protobuf 2.6.1 jar update
+ Updated apktool arguments
+ Updated to Dx: android 19
+ Updated to apktool 2.0.3
+ Updated to protobuf 2.6.1
+ Fixed pyopenssl error
+ Support for Java 7 & 8

drozer

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).

drozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk. By allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

drozer console

* Faster Android Security Assessments
drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming.
+-+ Discover and interact with the attack surface exposed by Android apps.
+-+ Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.

* Test against Real Android Devices
drozer runs both in Android emulators and on real devices. It does not require USB debugging or other development features to be enabled; so you can perform assessments on devices in their production state to get better results.

* Automate and Extend
drozer can be easily extended with additional modules to find, test and exploit other weaknesses; this, combined with scripting possibilities, helps you to automate regression testing for security issues.

* Test your Exposure to Public Exploits
drozer provides point-and-go implementations of many public Android exploits. You can use these to identify vulnerable devices in your organisation, and to understand the risk that these pose.

Use and download from git:

be sure your system has been install android SDK https://developer.android.com/

git clone https://github.com/mwrlabs/drozer/ && cd drozer
python setup.py build
python setup.py install

or
wget https://github.com/mwrlabs/drozer/releases/download/2.4.0/drozer-2.4.0-py2.7.egg
easy_install -Z drozer-2.4.0-py2.7.egg

Windows:
python easy_install -Z drozer-2.4.0-py2.7.egg (make sure your windows has been install easy_install)

Download: drozer-2.4.0-py2.7.egg
Source: https://labs.mwrinfosecurity.com/tools/drozer/ | https://github.com/mwrlabs

Changelog v1.0.3:
+ writeSingleCoils.py update Modules
+ Update How To use at README.md

smod v1.0.3

smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. This software could be run on Linux/OSX under python 2.7.x.

smod v1.0.2

Summary
SCADA (Process Control Networks) based systems have moved from proprietary closed networks to open source solutions and TCP/IP enabled networks steadily over recent years. This has made them vulnerable to the same security vulnerabilities that face our traditional computer networks.
The Modbus/TCP protocol was used as the reference protocol to display the effectiveness of the test bed in carrying out cyber attacks on a power system protocol. Modbus/TCP was chosen specifically for these reasons:
+ modbus is still widely used in power systems.
+ modbus/TCP is simple and easy to implement.
+ modbus protocol libraries are freely available for utilities to implement smart grid applications.
You can use this tool to vulnerability assessment a modbus protocol.

Installation & usage:

git clone https://github.com/enddo/smod && cd smod
python smod.py

Update:
cd smod
git pull origin master

Source : https://github.com/enddo | Our Post Before | v1.0.3.tar.gz | v1.0.3.zip

This project idea is use google search engine to find vulnerable targets, for specific exploits. The exploits parsers will be concentrated in google_parsers module. So when you make a search, you can choose explicit in “–exploit parser” argument, a especific exploit to the robot test if is the targets are vulnerable for that or not.
Note:
use the right dork for the specific exploit.

google_explorer

How the robot works:
1 – Make a google search
2 – Parse the from each page results
3 – Test if each target is vulnerable for a specific exploit.

Requirements:
+ Python 3
+ Pip

Download & Use from git:

git clone https://github.com/anarcoder/google_explorer && cd google_explorer
sudo pip3 install -r requirements.txt
sudo google_explorer.py --help

Source: https://github.com/anarcoder

Changelog EaST v1.0.0 rc:
+ New GUI(Graffic User Interface).
+ Module bug fixes.
+ command.py, Modules.py and sploit.py with new gui.

EaST v1.0.0 rc

This software is necessary for learning and improving skills and knowledge of attacks on information systems and to conduct audits and proactive protection. The need to develop domestic Pentest framework – accessible, affordable, high-confidence – is long overdue. Therefore, for domestic (as well as to friendly domestic) markets IB was created EAST framework. EAST is a framework that has in its arsenal all the necessary tools to operate a broad range of vulnerabilities from the Web to a buffer overflow. From other similar instruments EAST is simple and easy to use. To master it, and begin to develop in the field of information security can be even a novice researcher!

east-0.-9-10

Main characteristics:
+Security framework! Software used for information security must be a high level of user confidence. The EAST is implemented open, easily verifiable source code for Python. it is used for all components of the framework and modules. In this relatively small amount of code simplifies the verification of any user. During installation no changes in the OS is not performed
+ Maximum simplicity of the framework. Download the archive, run the main python script start.py, implementing the start-stop exploits, messaging … All management – locally or remotely through a browser.
+ Easily create and edit. The ability to edit and add modules and exploits “on the fly” without restarting. Code module body is simple and minimal volume.
+ Cross-platform + minimum requirements and dependencies. Tested on Windows and Linux. I should work wherever there is Python. The framework contains all the dependencies and “pulls” ext. libraries.
+ Full functionality of the classic framework Pentest! Despite the simplicity and “no congestion” – has in its arsenal of all necessary means to operate a broad range of vulnerabilities from the Web to a buffer overflow.
+ Great opportunities for capacity. Server-client architecture, API for messaging, support libraries – allow third party developers to create their own open-source solutions, or participate in the development of EAST.

east-cli

Exploit list:
+ ef_bitdefender_gravityzone_dt.py Directory traversal
+ ef_cogento_datahub_afd.py Arbitrary File Download
+ ef_e_detective_afd.py Arbitrary File Download
+ ef_easyfile_webserver_sbo.py Stack Buffer Overwlow
+ ef_fhfs_rce.py Remote Command Execution
+ ef_joomla_gallery_wd_bsqli.py Blind SQL Injection
+ ef_solarwinds_log_and_event_manager_rce.py Remote Command Execution
+ ef_symantec_pcanywhere_host_rce.py Remote Command Execution
+ ef_wincc_miniweb_dos.py Denial of Service
+ ef_winrar_rce.py Remote Command Execution
+ port_scanner.py Tools

Installation and Usage:

git clone https://github.com/C0reL0ader/EaST && cd EaST
python start.py
then open your favorite Browser for GUI.

Updates:
cd EaST
git pull origin master

Source: https://github.com/C0reL0ader & http://eastfw.com/  | Our Post Before

Changelog PowerMemory v1.3:
* Power-Escalate added
* Menu modified
* Bugs correction

PowerMemory v1.3

Main Menu v1.3:
What do you want assess?
1) Reveal memory passwords
2) Local escalation attempt
3) Get McAfee passwords
4) Active Directory assessment
5) Scan services network
6) Get all the Ticket (to be cracked with kerberoast)
7) Fun with Winmine
0) Exit

powermemory v1.2

GWMD: Dump Like Microsoft

Inside Folder :
– EYLR:Elevate-YourRightsMan.ps1; For Bypass-UAC.
– GWMD: Wanna-DumpLikeMicrosoft.ps1; WMI Remote Process.
– RGPPP: Get-LocalAdminGPPAccess.ps1: get Decrypt Password.
– RWMC: Powershell – Reveal Windows Memory Credentials
– RECON: Audit a Windows Active Directory domain

Powershell – Reveal Windows Memory Credentials
The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)

It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).
It works even if you are on another architecture than the system targeted.
Features:
+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless

How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump “lsass.dmp” and don’t enter the name for the option you enter, only the directory !) :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

How To Install:

Download zip file, right click extract all file into your Folder
Open PowerShell ISE
Enter this command : Set-ExecutionPolicy Unrestricted -force

Download: PowerMemory.zip  | Clone Url
Source : https://github.com/giMini | Our Post Before

Changelog TheFatRat v1.6 codename “Tasty” :
– Add new features create backdoor with PwnWinds ( FUD++ )
– Add some script for checking monodevelop and apache server
– Add new features backdooring original apk with metasploit
– Add setup.sh for configuration fatrat and install dependencies
– remove auto install bdf and mingw ( function checked )
– Add listener for android
– Add feature for cleanup all backdoor

thefatrat v1.6

TheFatRat v1.5

What is FatRat ??
Easy tool for generate backdoor with msfvenom ( part of metasploit framework ) and program compiles a C program with a meterpreter reverse_tcp payload In it that can then be executed on a windows host Program to create a C program after it is compiled that will bypass most AV.
Automating metasploit functions:
+ Checks for metasploit service and starts if not present
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android and Mac and another
+ Start multiple meterpreter reverse_tcp listners
+ Fast Search in searchsploit
+ Bypass AV
+ Drop into Msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This Tools/Software has been totally test in Kali Linux 2.0 & Rolling 2016.1

Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat

Note From Us:
Before updating using git pull origin master
please remove old fatrat & powerfull.sh : rm -f fatrat | rm -f powerfull.sh
then typing on console:
git pull origin master

Source: https://github.com/Screetsec | Our Post Before

FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server, With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly, the FreePBX community continues to out-perform the industry’s commercial efforts.
The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world.

Freepbx suffer from (Authenticated) remote code execution flaw.

Use:

git clone https://github.com/AtomowaAneta/FreePBX-Exploit && FreePBX-Exploit
copy freepbx_remote_command_execution.rb into metasploit module.

Source: https://github.com/AtomowaAneta

Changelog backdoor-apk v0.1.4 (2016-09-20):
Improvements
* New UI enhancements allow selecting Android payloads and entering LHOST and LPORT values
* New ascii art is displayed on script execution
* First attempt at improving the readability of logging output
* Apktool is no longer provided as a third-party tool, backdoor-apk.sh now expects apktool to be properly setup on the system

Miscellaneous
* README and HISTORY file updates

Backdoor-Apk v0.1.4

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

backdoor apk v0.1.2

The recompiled APK will be found in the ‘original/dist’ directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection at the specified IP and port.
Usage:

git clone https://github.com/dana-at-cp/backdoor-apk && cd backdoor-apk
cd backdoor-apk
./backdoor-apk.sh [your apk file]

Update:
git pull origin master

Now you can upload it using MITM technique :-) (Just for education purpose right?yeah.. lets rock)

Source: https://github.com/dana-at-cp | Our Post Before

Changelog atscan V10.5:
– Added post data arguments.
– Fix validation process.
– Code optimisation.

atscan v10.5

atscan v9.8

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

atscan v6.1

Libreries to install:
ap-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works in linux platforms. Best Run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, Centos | if you use a windows you can download manualy.

Examples:
Simple search:
Search: –dork [dork] –level [level]
Search + get ip: –dork [dork] –level [level] –ip
Search + get ip + server: –dork [dork] –level [level] –ip –server
Search with many dorks: –dork [dork1,dork2,dork3] –level [level]
Search + get ip+server: –dork [dorks.txt] –level [level]
Search + set save file: –dork [dorks.txt] –level [level] –save myfile.txt
Search + Replace + Exploit: –dork [dorks.txt] –level [level] –replace [string] –with [string] –valid [string]

Subscan from Serach Engine:
Search + Exploitation: –dork [dork] –level [10] –xss/–lfi/–wp …
Search + Server Exploitation: -t [ip] –level [10] –xss/–lfi/–wp …
Search + Replace + Exploit: –dork [dork] –level [10] –replace [string] –with [string] –exp [exploit] –xss/–lfi/–wp …

Validation:
Search + Exploit + Validation: –dork [dork] –level [10] –exp –isup/–valid [string]
Search + Server Exploit + Validation: -t [ip] –level [10] –exp –isup/–valid [string]
Search + Replace + Exploit: –dork [dork] –level [10] –replace [string] –with [string] –isup/–valid [string]

Use List / Target:
-t [target/targets.txt] –exp –isup/–valid [string]
-t [target/targets.txt] –xss/–lfi ..

Server:
Get Server sites: -t [ip] –level [value] –sites
Get Server wordpress sites: -t [ip] –level [value] –wp
Get Server joomla sites: -t [ip] –level [value] –joom
Get Server upload sites: -t [ip] –level [value] –upload
Get Server zip sites files: -t [ip] –level [value] –zip
WP Arbitry File Download: -t [ip] –level [value] –wpadf
Joomla RFI: -t [ip] –level [1] –joomfri –shell [shell link]
Scan basic tcp (quick): -t [ip] –ports –basic tcp
Scan basic udp basic (quick): -t [ip] –ports –basic udp
Scan basic udp+tcp: -t [ip] –ports –basic udp+tcp
Scan complete tcp: -t [ip] –ports –all tcp
Scan complete udp: -t [ip] –ports –all udp
Scan complete udp+tcp: -t [ip] –ports –all udp+tcp
Scan rang tcp: -t [ip] –ports –select tcp –start [value] –end [value]
Scan rang udp: -t [ip] –ports –select udp–start [value] –end [value]
Scan rang udp + tcp: -t [ip] –ports –select udp+tcp –start [value] –end [value]

Encode / Decode:
Generate MD5: –md5 [string]
Encode base64: –encode64 [string]
Decode base64: –decode64 [string]

External Command:
–dork [dork/dorks.txt] –level [level] –command “curl -v –TARGET”
–dork [dork/dorks.txt] –level [level] –command “curl -v –FULL_TARGET”
-t [target/targets.txt] –level [level] –command “curl -v –TARGET”
-t [target/targets.txt] –command “curl -v –FULL_TARGET”

How to Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x install.sh
./install.sh
atscan

Update:
atscan --update

Source : https://github.com/AlisamTechnology | Our Post Before Download stable: v10.5.zip | v10.5.tar.gz

Changelog Nishang v0.6.9:
– Get-PassHashes now use Reflection. Thanks to Zer1t0 on GitHub.
The payload dumps password hashes using the modified powerdump script from MSF. Administrator privileges are required for this script
(but not SYSTEM privs as for the original powerdump written by David Kennedy)
– Added Invoke-Mimikittenz by Jamieson O’Reilly
Utilizes Windows function ReadProcessMemory() to extract juicy information from target process memory using regex.

nishang v0.6.9

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Nishang v-0.6.2 released: PowerShell for penetration testing and offensive security.

Scripts; Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

+ Keylogger
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain on Windows 8.1 and Server 2012
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– reate-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remote persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip | Our Post Before
Source : http://www.labofapenetrationtester.com/

This is Public repository for improvements to the EXTRABACON v2 exploit, a remote code execution for Cisco ASA written by the Equation Group (NSA) and leaked by the Shadow Brokers.
on this repository has been adding patches for most versions of 8.x and 9.x in the near future after we test all versions on real hardware. There is improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0. This is using improved shellcode, has less stages than the Equation Group version making it more reliable. This makes the SNMP payload packet ~150 less bytes. Also, the leaked version only supports 8.x, we have it working on 9.x versions.

extrabacon v2

* Lina offset finder
– python2 ./lina-offsets.py asa_lina_XXX.elf

Will automatically generate necessary offsets to port the exploit to other versions of ASA.
Right now, it takes us longer to load a version of ASA firmware and test it, than it does to generate offsets for a specific version.

The only thing the script doesn’t calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems like 8.4(1) and greater use 0x48.

Dependencies:
+ Metasploit Framework
+ Python 2.7.x
+ Python Scapy Modules
+ NASM

Use and Download:

sudo apt-get install nasm
(makesure you have metasploit framework on your system)
git clone https://github.com/RiskSense-Ops/CVE-2016-6366 && cd CVE-2016-6366
nasm shellcode.nasm (for execute shellcode)
then now you can compile

python2 lina-offsets.py Your_asa_lina_XXX.elf

Source: https://github.com/RiskSense-Ops

Concierge is A collection (eventually) of Physical Access Control and Monitoring attacks and utilities. These will all eventually evolve into a more effective and user friendly set of tools, but for now, simple bash scripts will do the job.

Dependencies:
+ All Linux Machine
+ Nmap
+ git

Mainly Script:
* eh400.sh
Usage: ./eh400.sh <action>
Actions: exploit, cleanup
All necessary variables will be entered during execution of the script.
exploit: Leverages command injection vulnerability to:
+ Modify .htpasswd file to a known password value for “admin” user. This allows manual control via http(s).
+ Pushes remote agent script to the EH400 (used by triggeragent.sh). This allows for control via cmdline.
+ Pulls IdentDB badge store and /etc/shadow from EH400.
+ Also checks /etc/shadow for known default password values.
cleanup: Removes all copied or created files and restores the original htpasswd file.

* vertx.sh
Usage: ./vertx.sh <action>
Actions: exploit, cleanup
All necessary variables will be entered during execution of the script.
exploit: Leverages command injection vulnerability to:
+ Creates new user, ‘z’, with password ‘backdoor’, and grants web access privs. This allows manual control via http(s).
+ Pushes remote agent script to the VertX EVO (used by triggeragent.sh). This allows for control via cmdline.
+ Pulls IdentDB badge store and /etc/passwd from VertX EVO.
+ Also checks /etc/passwd for known default password values.
clean up: Removes all copied or created files and deletes the ‘z’ user.

* agentdeploy.sh
Usage: ./agentdeploy.sh <ip> <mac>
This script can be used for both EH400 and VertX EVO door controllers. This is a lighter weight script that only deploys the agent script for use with triggeragent.sh.

* triggeragent.sh
Usage: ./triggeragent.sh <ip> <mac> <action>
Actions: unlock, lock, blink
Example: ./triggeragent.sh 10.1.1.10 00:11:22:33:44:55 unlock
Leverages a previously deployed agent script deployed to lock/unlock a door controller’s associated locking mechanism or blink the LEDs on the associated reader. Further testing against V1000 required.
‘blink’ flashes the LED lights on an associated RFID reader. Used to help locate the exploited door. This has only been tested on HID iClass (and similar) readers, but should work on any reader with external LEDs.

* agentclean.sh
Usage: ./agentclean.sh <ip> <mac>
Removes agent script from targeted door controller. Used to clean up after agentdeploy.sh and triggeragent.sh. If you’ve used eh400.sh or vertx.sh to exploit the targets, use them again with the cleanup action.

* massdeploy.sh

Usage: ./massdeploy.sh <attacker ip> <target(s)> Example: ./massdeploy.sh 10.0.0.1 10.1.1.0/24
All targets must be provided in nmap acceptable format. Currently, input files are not accepted. This script simply automates findings door controllers and deploying agents.

* massclean.sh
Usage: ./massclean.sh <target(s)>
Example: ./massclean.sh 10.10.0.1/24
hid-discoveryd-enum.nse
Usage: nmap -sU -p 4070 –script hid-discoveryd-enum <target(s)>
Simple nmap script to leverage the fuctionality of the discoveryd service to identify HID EVO door controllers and enumerate system information. This nse is located in the tools directory. Simply copy it to nmap’s script directory.

Notes
Testing of these scripts were completed against three seperate HID Door controllers:
+ Edge EVO EH400
+ VertX EVO V2000
+ VertX EVO V1000
A wiki will be on the way shortly enough to provide more thorough information.

Usage and Download:

git clone https://github.com/lixmk/Concierge && Concierge
now you can run one by one thoose bash script

Source: https://github.com/lixmk

BLACKBOx – A Penetration Testing Framework.
Dependencies:
+ Python 2.7x
+ git

Roadmap & Changelog
1.8v:
+ ADD XSS/SQLi/RCE Scanner to google & bing dorker module !
+ Fix LFI & Hashkiller modules
+ ADD 3 Modules prestashop exploit

1.9v:
+ FIX RCE JOOMLA & MAGENTO & PRESTASHOP EXPLOIT
+ FIX XSS SCANNER

2.0v:
+ ADD SCANNING VIA LIST & FIX LFI SCANNER

BlackBox v2

Password Attacks:
* MD5 CRACKER
* SHA1 CRACKER
* SHA224 CRACKER
* SHA256 CRACKER
* SHA384 CRACKER
* SHA512 CRACKER
* MSSQL2000 CRACKER
* MSSQL2005 CRACKER
* MYSQL323 CRACKER
* MYSQL41 CRACKER
* ORACLE11 CRACKER

Web Hacking :
* WordPress Bruteforce – Bruteforce wordpress panel
* FTP Bruteforce – Bruteforcing FTP LOGIN
* SSH Bruteforce – Bruteforcing SSH LOGIN
* Admin Page Finder – Find Admin Page
* Prestashop Exploit – PrestaShop Arbitrary file Upload (6 Modules)
* Dnsinfo – dns info via Yougetsignal & viewdns & hackertarget
* Magento Rce – Magento eCommerce – Remote Code Execution
* Joomla Rce – 1.5 – 3.4.5 remote code execution
* Google Dorker – google dorker (LFI/SQLi/XSS/RCE SCANNER)
* Bing Dorker – bing dorker (LFI/SQLi/XSS/RCE SCANNER )
* Prestashop Exploit – PrestaShop Arbitrary file Upload (9 Modules)
* Scan list – Scan url in list from Vuln (SQLi/RCE/XSS/LFI)

Usage

git clone https://darkeye@bitbucket.org/darkeye/blackbox.git && cd blackbox && chmod +x install && sudo ./install && cd

Upgrade:
cd blackbox
git pull origin master
chmod +x install
./install

Source: https://bitbucket.org/darkeye

Changelog RC-Exploiter v1.1.7:
+ bin/help.faq
+ exploits/rpc.rc
+ rc-exploiter.sh
+ settings

[DISCLAMER]
The author does not hold any responsibility about the bad use of this script, remmenber that attacking targets without prior concent its ilegal and punish by law, this script as build to show how msf resource files can automate tasks.

RC-EXPLOITER v1.1.7

[DESCRIPTION]
Scanning WAN networks in search of targets may take 10 to 15 minutes depending of your network connection, and will search in 1024 random hosts for the selected port, also the file ‘user-names.txt’ may be edited to insert new entrys, or we can provide the FULL PATH to another dicionary file to be used in bruteforce services.’user-names.txt’ dicionary as usernames ‘one-per-line’ [example => root] ‘user-passw.txt’ dicionary as usernames and passwords [example => root:pass] the tool also have the habillity to exploit multiple targets (RHOSTS) for that just separate the ip address by a blank space [example: 127.0.0.1 192.168.1.68] in the target selection windows [input RHOSTS]…

[TOOL SETTINGS]
– Additional tool settings can be configurated just by editing the ‘settings’ file
– before running the tool, settings like: use decoys [scanning WAN networks] or
– spoof mac addr [change mac addr+ip addr] among other toolkit default settings.

Dependencies: nmap, metasploit, macchanger, zenity

[DOWNLOAD/INSTALL] -> open terminal and write:

git clone git://git.code.sf.net/p/rcexploiter/RC-exploiter RC-exploiter
cd RC-exploiter && chmod +x *.sh
nano settings && sudo ./rc-exploiter.sh

Upgrade:
git pull orgin master

Password:
opensource

Source: https://sourceforge.net/p/rcexploiter/ | Our Post Before