Grok-backdoor - Backdoor With Ngrok Tunnel Support

Grok-backdoor is a simple python based backdoor, it uses Ngrok tunnel for the communication. Ngrok-backdoor can generate windows, linux and mac binaries using Pyinstaller.

Disclaimer:

All the code provided on this repository is for educational/research purposes only. Any actions and/or activities related to the material contained within this repository is solely your responsibility. The misuse of the code in this repository can result in criminal charges brought against the persons in question. Author will not be held responsible in the event any criminal charges be brought against any individuals misusing the code in this repository to break the law.

Dependencies:

• Python 2.7
• Pyinstaller 3.21
• python-pip 9.0.1

Installation :

pip install -r requirements.txt

Usage:
You need to register an acccount in ngrok.com to use this backdoor, provide Ngrok authcode while configuring the grok-backdoor. You will see a new tcp tunnel created in Ngrok status panel after the grok-backdoor server execution in victim machine.
Create backdoor binary by running:

python grok-backdoor.py

Linux:

Windows :

You can find the output binary in grok-backdoor/dist/ directory:

Run grok-backdoor output binary in victim machine and login to Ngrok.com control panel to see the tunnel URL:

Telnet to tunnel URL to get the Bind shell: Enjoy shell :)

Features:

• Multi platform support(windows,linux,Mac)
  
• Autheticated bind shell
  
• Ngrok tunnel for communication

Download Grok-backdoor

Read More

AutoNSE - Massive NSE (Nmap Scripting Engine) AutoSploit And AutoScanner

Massive NSE (Nmap Scripting Engine) AutoSploit and AutoScanner. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. For more informations https://nmap.org/book/man-nse.html

Installation

$ git clone https://github.com/m4ll0k/AutoNSE.git
$ cd AutoNSE 
$ bash autonse.sh

Exmaples

$ bash autonse.sh

Download AutoNSE

Read More

Goddi (Go Dump Domain Info) - Dumps Active Directory Domain Information

Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install
Use the executables in the releases section. If you want to build it yourself, make sure that your go environment is setup according to the Go setup doc. The goddi package also uses the below package.

go get gopkg.in/ldap.v2

Windows
Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux
Tested on Kali Linux (go1.10 linux/amd64).

• umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP

apt-get update
apt-get install -y mount cifs-utils

• make sure nothing is mounted at /mnt/goddi/
• make sure to run with sudo

Run
When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.

• username: Target user. Required parameter.
• password: Target user's password. Required parameter.
• domain: Full domain name. Required parameter.
• dc: DC to target. Can be either an IP or full hostname. Required parameter.
• startTLS: Use to StartTLS over 389.
• unsafe: Use for a plaintext connection.

PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
        [*] Warning: keyword 'pass' found!
        [*] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...

Functionality
StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are default. All output goes to CSVs and are created in /csv/ in the current working directory. Dumps:

• Domain users. Also searches Description for keywords and prints to a seperate csv ex. "Password" was found in the domain user description.
• Users in priveleged user groups (DA, EA, FA).
• Users with passwords not set to expire.
• User accounts that have been locked or disabled.
• Machine accounts with passwords older than 45 days.
• Domain Computers.
• Domain Controllers.
• Sites and Subnets.
• SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
• Trusted domain relationships.
• Domain Groups.
• Domain OUs.
• Domain Account Policy.
• Domain deligation users.
• Domain GPOs.
• Domain FSMO roles.
• LAPS passwords.
• GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc... On Linux, /mnt/goddi is used.

Download Goddi

Read More

PortWitness - Tool For Checking Whether A Domain Or Its Multiple Sub-Domains Are Up And Running

PortWitness is a bash tool designed to find out active domain and subdomains of websites using port scanning. It helps penetration testers and bug hunters collect and gather information about active subdomains for the domain they are targeting.PortWitness enumerates subdomains using Sublist3r and uses Nmap alongwith nslookup to check for active sites.Active domain or sub-domains are finally stored in an output file.Using that Output file a user can directly start testing those sites.

Sublist3r has also been integrated with this module.It's very effective and accurate when it comes to find out which sub-domains are active using Nmap and nslookup.

This tool also helps a user in getting the ip addresses of all sub-domains and stores then in a text file , these ip's can be used for further scanning of the target.

Installation

git clone https://github.com/viperbluff/PortWitness.git

BASH
This tool has been created using bash scripting so all you require is a linux machine.

Usage

bash portwitness.sh url

Download PortWitness

Read More