
Sunday, January 31, 2016

The GNU Project Debugger - GDB


The GNU Debugger, usually called just GDB and named gdb as an executable file, is the standard debugger for the GNU operating system. However, its use is not strictly limited to the GNU operating system; it is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, C, C++, Objective-C, Free Pascal, Fortran, Java[1] and, partially, others.



Saturday, January 30, 2016

Immunity debugger




A debugger or debugging tool is a computer program that is used to test and debug other programs (the "target" program). The code to be examined might alternatively be running on an instruction set simulator (ISS), a technique that allows great power in its ability to halt when specific conditions are encountered, but which will typically be somewhat slower than executing the code directly on the appropriate (or the same) processor. Some debuggers offer two modes of operation, full or partial simulation, to limit this impact.




A "trap" occurs when the program cannot normally continue because of a programming bug or invalid data. For example, the program might have tried to use an instruction not available on the current version of the CPU or attempted to access unavailable or protected memory. When the program "traps" or reaches a preset condition, the debugger typically shows the location in the original code if it is a source-level debugger or symbolic debugger, commonly now seen in integrated development environments. If it is a low-level debugger or a machine-language debugger it shows the line in the disassembly (unless it also has online access to the original source code and can display the appropriate section of code from the assembly or compilation).



Debugger - Ollydbg



OllyDbg (named after its author, Oleh Yuschuk) is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. It has a friendly interface, and its functionality can be extended by third-party plugins. Version 1.10 is the final 1.x release. Version 2.0 was released in June 2010, and OllyDbg has been rewritten from the ground up in this release. The software is free of cost, but the shareware license requires users to register with the author.[1] Although the current version of OllyDbg cannot disassemble binaries compiled for 64-bit processors, a 64-bit version of the debugger has been promised.






Reverse engineering

OllyDbg is often used for reverse engineering of programs.[3] It is often used by crackers to crack software made by other developers. For cracking and reverse engineering, it is often the primary tool because of its ease of use and availability; any 32-bit executable can be used by the debugger and edited in bitcode/assembly in real time.[4] It is also useful for programmers to ensure that their program is running as intended, and for malware analysis purposes.



Interactive Disassembler - IDA



IDA (or the Interactive DisAssembler) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost. The latest full version of IDA Pro is commercial, while an earlier and less capable version is available for download free of charge (version 5.0 as of March 2015).



Friday, January 29, 2016

Popular SQLi and Pentesting Scanner - V3n0M-Scanner



V3n0M runs on Python3 [Live Project - Re-adding old features and improving them for Python3]

v3n0m is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve functionality and usability. It is mostly experimental software.

This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds.

PyPi:

You can now install the software via pip install V3n0m
Always verify the PGP signature of the package:


gpg: Signature made Fri 18 Jul 2014 02:59:48 AM UTC
gpg: using RSA key 0x8F2B5CBD711F1326
gpg: Good signature from "Grand Architect <unload@cryptolab.net>"


Use at your own risk.

Very useful for executing:
  • Metasploit Modules Scans
  • SQL Injection Vuln Scanner[SQLi]
  • Extremely Large D0rk Target Lists
  • FTP Crawler
  • DNS BruteForcer

What You Hold:

A modified smartd0rk3r
  • Brand new, just outta the box!
  • Largest and most powerful d0rker online, 18k+d0rks searched over ~ Engines at once.
  • Free and Open /src/
  • CrossPlatform Python based toolkit
  • Version 4.0.1 Released on 7th Jan 2016
  • Licensed under GPLv2
  • Tested on: Linux 4.3.1 Ubuntu/Debian, CentOS 6 (with some errors), Win7 (with some errors)

Usage:

root@bt:~# python3 v3n0m.py

Now you may follow the simple prompts.

[0x100] Choose your target (domain) :
Example : .com
You can also use a specific website (www.example.com).

[0x200] Choose the number of random dorks (0 for all.. may take awhile!) :
Example : 0 = This will choose all of the XSS, File Inclusion, RCE and SQLi dorks

[0x300] Choose the number of threads :
Example : 50

[0x400] Enter the number of pages to search through :
Example : 50

The program will print out your desired settings and start searching.
It then creates files for the collected and valid URLs for later.
It takes a while to scan because it utilizes either TOR, which you can specify
if you wish to do so, or regular HTTP requests over a long period of time.

After a while, it will feed you the percentage of the scan until completion.
At this point, it will have saved the valid URLs in the files it created earlier.
The program utilizes over 10k dorks now, be careful how you use them!
Enjoy. :]
~/ Dev Team

Contact Information:


[ NovaCygni ] - 
[ Architect ] -


Original Header:


- This was written for educational purpose and pentest only. Use it at your own risk.
- Author will be not responsible for any damage!
- !!! Special greetz for my friend sinner_01 !!!
- Toolname : darkd0rk3r.py
- Coder : baltazar a.k.a b4ltazar <b4ltazar@gmail.com>
- Version : 1.0
- greetz for all members of ex darkc0de.com, ljuska.org

New To This Addition:


Legend: --- To be done, -- Partially implemented, - Done
- Upgrade to Python3 from Python2
--- Redo LFI/RFI attack method
--- Automate scanning sites with findable admin pages and add to separate list
--- Redo Metasploit Scans
--- Add default attack option for DB types, automate injection and upload shell or enable RDP.
-- Perfect SQLi Vuln detection and add options for saving/searching specific DB types
-- Starting upgrade for Search engines
--- Implement SQLi D0rk Seed Generation option
--- Implement Metasploit Exploits scan / Nmap style option + Dork option



Tool To Compare A Target's Patch Levels Against The Microsoft Vulnerability Database - Windows-Exploit-Suggester




This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

It requires the 'systeminfo' command output from a Windows host in order to compare it against the Microsoft security bulletin database and determine the patch level of the host.

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host.

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.

It was heavily inspired by Linux_Exploit_Suggester by Pentura.



USAGE

update the database

$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2014-06-06-mssb.xlsx
[*] done

install dependencies
(install python-xlrd, $ pip install xlrd --upgrade)
feed it "systeminfo" input, and point it to the microsoft database

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[*] done


possible exploits for an operating system can be used without hotfix data


$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2' 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical



LIMITATIONS

Currently, if the 'systeminfo' command reveals 'File 1' as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the --hotfixes flag.

It currently does not separate 'editions' of the Windows OS such as 'Tablet' or 'Media Center', for example, or different architectures, such as Itanium-based only.

False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the 'File 1' output, try executing 'wmic qfe list full' and feed that as input with the --hotfixes flag, along with the 'systeminfo'
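To make the "assume every bulletin applies, then subtract installed hotfixes" logic and the 'File 1' limitation concrete, here is an added Python sketch; it is not the tool's own code. Bulletin IDs, KB numbers, titles, severities and E/M flags are taken from the sample output above, while the 'affected product' column, the systeminfo and wmic excerpts, and the matching rules are constructed assumptions (supersedence is not modelled).

```python
import re

# Constructed rows modelled on the bulletin spreadsheet the tool downloads with
# --update: (bulletin, KB, affected product, title, severity, E/M flag).
# Bulletin IDs, KBs, titles, severities and flags follow the sample output
# above; the 'affected product' column is an assumption.
SAMPLE_BULLETINS = [
    ("MS14-012", "2925418", "Windows 7 SP1", "Cumulative Security Update for Internet Explorer", "Critical", "M"),
    ("MS13-101", "2880430", "Windows 7 SP1", "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege", "Important", "E"),
    ("MS13-090", "2900986", "Windows 7 SP1", "Cumulative Security Update of ActiveX Kill Bits", "Critical", "M"),
    ("MS13-069", "2870699", "Windows 7 SP1", "Cumulative Security Update for Internet Explorer", "Critical", "M"),
    ("MS13-053", "2850851", "Windows 7 SP1", "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution", "Critical", "M"),
    ("MS13-005", "2778930", "Windows 7 SP1", "Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege", "Important", "M"),
    ("MS10-061", "2347290", "Windows Server 2008 R2", "Vulnerability in Print Spooler Service Could Allow Remote Code Execution", "Critical", "M"),
]

# Constructed 'systeminfo' excerpt for a Windows 7 SP1 32-bit host with three hotfixes.
SYSTEMINFO_OK = """\
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2850851
                           [02]: KB2870699
                           [03]: KB2900986
"""

# Same host, but systeminfo prints the 'File 1' placeholder instead of KB numbers.
SYSTEMINFO_FILE1 = SYSTEMINFO_OK.split("Hotfix(s):")[0] + """\
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: File 1
"""

# Constructed 'wmic qfe list full' excerpt, the fallback fed in via --hotfixes.
WMIC_QFE = "\n".join(f"HotFixID=KB{kb}\n" for kb in ("2850851", "2870699", "2900986"))


def identify_os(systeminfo):
    """Derive ('Windows 7 SP1', '32-bit') style identifiers from systeminfo text."""
    name = re.search(r"OS Name:\s*Microsoft (Windows(?: Server)? \S+(?: R2)?)", systeminfo).group(1)
    sp = re.search(r"Service Pack (\d)", systeminfo)
    arch = "64-bit" if re.search(r"System Type:\s*x64", systeminfo, re.IGNORECASE) else "32-bit"
    return name + (f" SP{sp.group(1)}" if sp else ""), arch


def parse_hotfixes(text):
    """Return (set of installed KB numbers, whether the data is usable).
    Works for systeminfo and 'wmic qfe' output alike because it only looks for
    KB numbers; a '[nn]: File 1' entry means the (empty) KB set cannot be trusted."""
    kbs = set(re.findall(r"KB(\d+)", text))
    unusable = re.search(r"\]:\s*File 1", text) is not None
    return kbs, not unusable


def suggest(systeminfo, bulletins=SAMPLE_BULLETINS, hotfixes_text=None):
    """Assume every bulletin for the host's OS applies, then drop those whose KB is
    installed. Supersedence (a newer KB replacing an older bulletin) is not modelled."""
    product, arch = identify_os(systeminfo)
    kbs, usable = parse_hotfixes(hotfixes_text if hotfixes_text is not None else systeminfo)
    candidates = [b for b in bulletins if b[2] == product]
    remaining = [b for b in candidates if b[1] not in kbs]
    return {"os": f"{product} {arch}", "hotfix_data_usable": usable,
            "candidates": len(candidates), "remaining": remaining}


def format_report(result):
    """Render the result in the tool's '[M] MS13-053: ... (2850851) - Critical' style."""
    lines = [f"[+] windows version identified as '{result['os']}'"]
    if not result["hotfix_data_usable"]:
        lines.append("[-] hotfix list shows 'File 1'; rerun with 'wmic qfe list full' output via --hotfixes")
    lines += [f"[{flag}] {bid}: {title} ({kb}) - {sev}" for bid, kb, _, title, sev, flag in result["remaining"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(suggest(SYSTEMINFO_OK)))
    print(format_report(suggest(SYSTEMINFO_FILE1, hotfixes_text=WMIC_QFE)))
```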




PowerShell Runspace Post Exploitation Toolkit - p0wnedShell



p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of post exploitation easier. What we tried was to build an “all in one” post exploitation tool which we could use to bypass all mitigation solutions (or at least some of them), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

How to Compile it:

To compile p0wnedShell you need to import this project within Microsoft Visual Studio or if you don't have access to a Visual Studio installation, you can compile it as follows:

To Compile as x86 binary:


cd \Windows\Microsoft.NET\Framework\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx86.exe /platform:x86 "C:\p0wnedShell\*.cs"


To Compile as x64 binary:


cd \Windows\Microsoft.NET\Framework64\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx64.exe /platform:x64 "C:\p0wnedShell\*.cs"


p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.

How to use it:

Just run the executables or...
To run as x86 binary and bypass Applocker (Credits for this great bypass go to Casey Smith aka subTee):


cd \Windows\Microsoft.NET\Framework\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe


To run as x64 binary and bypass Applocker:


cd \Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe



What's inside the runspace:

The following PowerShell tools/functions are included:
  • PowerSploit Invoke-Shellcode
  • PowerSploit Invoke-ReflectivePEInjection
  • PowerSploit Invoke-Mimikatz
  • PowerSploit Invoke-TokenManipulation
  • Veil's PowerTools PowerUp
  • Veil's PowerTools PowerView
  • HarmJ0y's Invoke-Psexec
  • Besimorhino's PowerCat
  • Nishang Invoke-PsUACme
  • Nishang Invoke-Encode
  • Nishang Get-PassHashes
  • Nishang Invoke-CredentialsPhish
  • Nishang Port-Scan
  • Nishang Copy-VSS
PowerShell functions within the runspace are loaded in memory from Base64-encoded strings.

The following Binaries/tools are included:
  • Benjamin DELPY's Mimikatz
  • Benjamin DELPY's MS14-068 kekeo Exploit
  • Didier Stevens modification of ReactOS Command Prompt
  • hfiref0x MS15-051 Local SYSTEM Exploit
Binaries are loaded in memory using ReflectivePEInjection (byte arrays are compressed using Gzip and saved within p0wnedShell as Base64-encoded strings).

Shout-outs:

p0wnedShell is heavily based on tools and knowledge from people like harmj0y, the guys from PowerSploit, Sean Metcalf, SubTee, Nikhil Mittal, Besimorhino, Benjamin Delpy, etc. So shout-outs go to them and of course to our friends in Redmond for giving us access to a very powerful hacking language.



Open Source Web Server Scanner - Nikto



Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.



Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.
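Because Nikto announces itself in its default User-Agent and produces bursts of requests for files that do not exist, it is easy to spot in web server logs, as the text above notes. The following Python is an added example, not part of Nikto or of this post: it runs two checks over constructed Apache combined-format log lines, a User-Agent match and a per-source 404-ratio rule that also catches a scanner whose User-Agent was changed. The Nikto User-Agent string is modelled on its default, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic: 10.0.0.5 is Nikto with its default User-Agent,
# 10.0.0.7 is a scanner hiding behind a browser User-Agent, 10.0.0.9 is a normal visitor.
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"   # modelled on Nikto's default
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"


def log_line(ip, path, status, ua, sec):
    """Build one combined-format log line (constructed data)."""
    return (f'{ip} - - [30/Jan/2016:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 209 "-" "{ua}"')


SAMPLE_LOG = (
    [log_line("10.0.0.5", p, 404, NIKTO_UA, i) for i, p in
     enumerate(["/cgi-bin/test-cgi", "/admin/", "/phpinfo.php", "/.htaccess", "/backup.zip"])]
    + [log_line("10.0.0.5", "/", 200, NIKTO_UA, 5)]
    + [log_line("10.0.0.7", p, 404, BROWSER_UA, i) for i, p in
       enumerate(["/cgi-bin/", "/wp-login.php", "/server-status", "/old/", "/test/"])]
    + [log_line("10.0.0.7", "/index.html", 200, BROWSER_UA, 6)]
    + [log_line("10.0.0.9", p, 200, BROWSER_UA, i) for i, p in enumerate(["/", "/index.html", "/about.html"])]
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_scanners(lines, min_requests=5, min_404_ratio=0.6):
    """Return {source ip: [reasons]} for sources that look like a Nikto-style scan.

    Two independent signals (thresholds are assumptions, tune them per site):
      1. the User-Agent names Nikto (its default unless reconfigured);
      2. many requests from one source answered mostly with 404 across many
         distinct paths, which is what a file/CGI check list looks like even
         when the User-Agent has been changed.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "nikto_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines in another format rather than crash
        src = per_ip[rec["ip"]]
        src["requests"] += 1
        src["paths"].add(rec["path"])
        src["not_found"] += rec["status"] == "404"
        src["nikto_ua"] |= "nikto" in rec["ua"].lower()
    verdicts = {}
    for ip, src in per_ip.items():
        reasons = []
        if src["nikto_ua"]:
            reasons.append("Nikto user-agent")
        ratio = src["not_found"] / src["requests"]
        if src["requests"] >= min_requests and ratio >= min_404_ratio:
            reasons.append(f"{src['not_found']}/{src['requests']} responses were 404 "
                           f"across {len(src['paths'])} distinct paths")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```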


Features

Here are some of the major features of Nikto.

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root directory
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites
  • Logging to Metasploit
  • Thorough documentation





Wednesday, January 27, 2016

Domain Name Permutation Engine For Detecting Typo Squatting, Phishing And Corporate Espionage - Dnstwist





See what sort of trouble users can get in trying to type your domain name. Find similar-looking domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

The idea is quite straightforward: dnstwist takes in your domain name as a seed, generates a list of potential phishing domains and then checks to see if they are registered. Additionally it can test if the mail server from MX record can be used to intercept misdirected corporate e-mails and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.
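As an added illustration of the fuzzing step just described (this is not dnstwist's own code), the following Python reimplements a subset of its permutation algorithms offline, without any DNS lookups, and reports which algorithm produced each variant. The keyboard and homoglyph tables are reduced assumptions, only a single-label TLD is handled, and leading subdomains are ignored.

```python
import string

# Reduced QWERTY neighbour map for the 'replacement' and 'insertion' algorithms
# (assumption: the real tool ships fuller tables, including non-US layouts).
QWERTY = {
    "1": "2q", "2": "3wq1", "3": "4ew2", "4": "5re3", "5": "6tr4", "6": "7yt5",
    "7": "8uy6", "8": "9iu7", "9": "0oi8", "0": "po9",
    "q": "12wa", "w": "3esaq2", "e": "4rdsw3", "r": "5tfde4", "t": "6ygfr5",
    "y": "7uhgt6", "u": "8ijhy7", "i": "9okju8", "o": "0plki9", "p": "lo0",
    "a": "qwsz", "s": "edxzaw", "d": "rfcxse", "f": "tgvcdr", "g": "yhbvft",
    "h": "ujnbgy", "j": "ikmnhu", "k": "olmji", "l": "kop", "z": "asx", "x": "zsdc",
    "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# ASCII look-alikes only (assumption; the real tool also uses Unicode confusables).
HOMOGLYPHS = {"a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"],
              "s": ["5"], "g": ["9", "q"], "m": ["rn"], "w": ["vv"], "d": ["cl"]}
VOWELS = "aeiou"
LDH = string.ascii_lowercase + string.digits + "-"   # letters, digits, hyphen


def split_domain(domain):
    """Return (second-level label, tld). Assumption: single-label TLD, subdomains ignored."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def fuzz(domain):
    """Generate look-alike domains; returns {variant: name of the algorithm that produced it}."""
    name, tld = split_domain(domain)
    found = {}

    def add(kind, variant):
        if variant and variant != name and variant not in found:
            found[variant] = kind          # first algorithm to produce a variant keeps credit

    for i, ch in enumerate(name):
        add("omission", name[:i] + name[i + 1:])
        add("repetition", name[:i] + ch + name[i:])
        if i < len(name) - 1:
            add("transposition", name[:i] + name[i + 1] + ch + name[i + 2:])
            add("hyphenation", name[:i + 1] + "-" + name[i + 1:])
            add("subdomain", name[:i + 1] + "." + name[i + 1:])
        for c in QWERTY.get(ch, ""):        # fat-finger typos on neighbouring keys
            add("replacement", name[:i] + c + name[i + 1:])
            add("insertion", name[:i] + c + name[i:])
            add("insertion", name[:i + 1] + c + name[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):
            add("homoglyph", name[:i] + g + name[i + 1:])
        if ch in VOWELS:
            for v in VOWELS:
                add("vowel-swap", name[:i] + v + name[i + 1:])
        for bit in (1, 2, 4, 8, 16, 32, 64, 128):   # single bit flips in memory or transit
            c = chr(ord(ch) ^ bit)
            if c in LDH:
                add("bitsquatting", name[:i] + c + name[i + 1:])
    for c in string.ascii_lowercase + string.digits:
        add("addition", name + c)
    return {f"{v}.{tld}": kind for v, kind in found.items()}


def fuzz_with_dictionary(domain, words):
    """Dictionary variants, as with --dictionary: a word glued before or after the label."""
    name, tld = split_domain(domain)
    variants = {}
    for w in words:
        for v in (f"{name}-{w}", f"{w}-{name}", f"{name}{w}", f"{w}{name}"):
            variants[f"{v}.{tld}"] = "dictionary"
    return variants


if __name__ == "__main__":
    for variant, kind in sorted(fuzz("example.com").items(), key=lambda kv: kv[1]):
        print(f"{kind:<14} {variant}")
```

In the real tool each variant is then resolved (A, AAAA, NS, MX) and only registered ones are kept with --registered.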


Key features 

There are several pretty good reasons to give it a try: 

  • Wide range of efficient domain fuzzing algorithms
  • Multithreaded job distribution
  • Resolves domain names to IPv4 and IPv6
  • Queries for NS and MX records
  • Evaluates web page similarity with fuzzy hashes to find live phishing sites
  • Tests if MX host (mail server) can be used to intercept misdirected e-mails (espionage)
  • Generates additional domain variants using dictionary files
  • GeoIP location information
  • Grabs HTTP and SMTP service banners
  • WHOIS lookups for creation and modification date
  • Prints output in CSV and JSON format

Requirements 

If you want dnstwist to reach its full power, please make sure the following Python modules are present on your system. If missing, dnstwist will still work, but without many cool features. You'll get a notification if a required module is absent.

  • A DNS toolkit for Python
  • Python GeoIP
  • Python WHOIS
  • Requests: HTTP for Humans
  • ssdeep Python wrapper

Installation 

Linux 

Ubuntu Linux is the primary development platform. If running Ubuntu 15.04 or newer, you can install dependencies like this: 

$ sudo apt-get install python-dnspython python-geoip python-whois \
    python-requests python-ssdeep

Alternately, you can use Python tooling. This can be done within a virtual environment to avoid conflicts with other installations. However, you will still need a couple of libraries installed at the system level. 

$ sudo apt-get install libgeoip-dev libffi-dev
$ BUILD_LIB=1 pip install -r requirements.txt

Now it is fully equipped and ready for action.

OSX

If you're on a Mac, you can install dnstwist via Homebrew like so:

$ brew install dnstwist  

This is going to install dnstwist.py as dnstwist only, along with all requirements mentioned above. The usage is the same; you can just omit the file extension, and the binary will be added to PATH.

Docker

If you use Docker, you can build a local copy:

$ docker build -t dnstwist .  

Then run that local image: 

$ docker run dnstwist example.com  

If you don't want to build locally here is a list of community maintained images:

jrottenberg/dnstwist

How to use 

To start, it's a good idea to enter only the domain name as an argument. The tool will run it through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX. 

$ dnstwist.py example.com  

Manually checking each domain name in terms of serving a phishing site might be time consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with the --ssdeep argument. For each generated domain, dnstwist will fetch content from the responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage. Please keep in mind it's rather unlikely to get a 100% match for a dynamically generated web page, but each notification should be inspected carefully regardless of the percentage level.

$ dnstwist.py --ssdeep example.com  

In some cases phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply the path to each generated domain name variant. This ability is obviously useful only in conjunction with the fuzzy hashing feature.

$ dnstwist.py --ssdeep https://example.com/owa/
$ dnstwist.py --ssdeep example.com/crm/login

Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent to. Another dnstwist feature allows you to perform a simple test on each mail server (advertised through the DNS MX record) in order to check which one can be used for such hostile intent. Suspicious servers will be marked with the SPYING-MX string.
Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent a directory harvest attack.

$ dnstwist.py --mxcheck example.com  

The domain names generated by the fuzzing algorithms are not always sufficient. To generate even more domain name variants, feed dnstwist with a dictionary file. Some dictionary samples with a list of the most common words used in targeted phishing campaigns are included. Feel free to adapt them to your needs.

$ dnstwist.py --dictionary dictionaries/english.dict example.com  

Apart from the default nice and colorful text terminal output, the tool provides two well-known and easy to parse output formats: CSV and JSON. Use them for data interchange.

$ dnstwist.py --csv example.com > out.csv
$ dnstwist.py --json example.com > out.json

Usually the generated list of domains has more than a hundred rows, especially for longer domain names. In such cases, it may be practical to display only registered (resolvable) ones using the --registered argument.

$ dnstwist.py --registered example.com  

The tool is shipped with a built-in GeoIP database. Use the --geoip argument to display the geographical location (country name) for each IPv4 address.

$ dnstwist.py --geoip example.com  

Of course all of the features offered by dnstwist together with brief descriptions are always available at your fingertips: 


$ dnstwist.py --help  



Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.