subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only, passive subdomain enumeration, and it does that very well. We have designed subfinder to comply with all passive sources' licenses and usage restrictions, and have maintained a consistently passive model, making it useful to both penetration testers and bug bounty hunters alike.

Features

- Simple and modular code base making it easy to contribute
- Fast and powerful resolution and wildcard elimination module
- Curated passive sources to maximize results (26 sources as of now)
- Multiple output formats supported (JSON, file, stdout)
- Optimized for speed, very fast and lightweight on resources
- Stdin and stdout support for integrating in workflows

Usage

subfinder -h

This will display help for the tool. Here are all the switches it supports.

Flag             | Description                                          | Example
-----------------|------------------------------------------------------|-------------------------------------
-config string   | Configuration file for API keys, etc.                | subfinder -config config.yaml
-d               | Domain to find subdomains for                        | subfinder -d uber.com
-dL              | File containing list of domains to enumerate         | subfinder -dL hackerone-hosts.txt
-exclude-sources | List of sources to exclude from enumeration          | subfinder -exclude-sources archiveis
-max-time        | Minutes to wait for enumeration results (default 10) | subfinder -max-time…

This tool searches for SSRF using predefined settings in different parts of a request (path, host, headers, POST and GET parameters).

First step

Rename example.app-settings.conf to app-settings.conf and adjust the settings. The most important setting is the callback URL; I recommend using Burp Collaborator. Then you can add your URLs to config/url-to-test.txt. The script accepts domains as well as URLs with a path and query parameters. If you like, you can add your own cookies to config/cookie-jar.txt and add additional headers for your requests. The brute-force list used in POST and GET requests is currently small; I don't think adding 2000 parameters is smart. We should focus on those with the highest probability of being vulnerable. If you don't think so: just add your own!

Execution

This tool does not expect any arguments via the CLI, so just type:

python3 extended-ssrf-search.py

Configuration

It is possible to set a lot of options and settings, so here are some explanations.

Files

The main config file is app-settings.conf; everything has to be done in that file! Besides that, there are some other files which allow setting more complex data like headers, URLs and cookies.

config/cookie-jar.txt

Use this file to add a cookie string. I usually copy the one you can see in every Burp request. Please copy just the value of the "Cookie:" header. A sample input is in the default file.

config/http-headers.txt

This file…

The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project's goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10 as documented by OWASP: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

To get started with developing IoTGoat challenges, review the Build Environment Guidance page. Precompiled firmware and an OVA with the latest build can be found via https://github.com/scriptingxss/IoTGoat/tree/master/build_environment. If a crucial challenge idea is missing, please reach out to the project leaders below or add details to the project task page. Be sure to join the OWASP Slack team, then join #iot-security for news on upcoming project meetings and updates.

Project leaders

- Aaron Guzman (@scriptingxss)
- Fotios Chantzis
- Paulino Calderon

Download…

PolyShell is a script that's simultaneously valid in Bash, Windows Batch, and PowerShell (i.e. a polyglot). This makes PolyShell a useful template for penetration testing, as it can be executed on most systems without the need for target-specific payloads. PolyShell is also specifically designed to be deliverable via input injection using a USB Rubber Ducky, MalDuino, or similar device.

How To Use It

As a stand-alone script

1. Copy/rename the script so it has the correct file extension (.sh, .bat, or .ps1).
2. Run the script with a Unix shell, as a batch file, or with PowerShell.

Using input injection

1. Open a terminal on the target machine.
2. Run the payload.
3. Press Ctrl-C, then run exit.

The input injection method behaves slightly differently from the script method. When run as a script, the payload exits immediately once a language has been processed. When delivered via injection, the payload runs a read loop instead. Without it, the payload would close the terminal window but continue typing into an unknown window. The Ctrl-C breaks the script out of the read loop, allowing it to run without unintended side-effects.

Additionally, pasting the script into a terminal might fail. Once the script reaches the read loop, some terminals will treat the remaining pasted text as the read loop's input (good), but others may continue executing the script when the read loop exits (bad).

How It Works

The main trick…

About Mouse Framework

Mouse Framework is an iOS and macOS post-exploitation surveillance framework that gives you a command-line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.

Getting started

Mouse installation

cd mouse
chmod +x install.sh
./install.sh

Mouse uninstallation

cd mouse
chmod +x uninstall.sh
./uninstall.sh

Mouse Framework execution

To execute Mouse Framework, run the following command:

mouse

Mouse Payloads (macOS/iOS)

Mouse Payloads are intended to get a session on the remote target machine.

Bourne-Again Shell payload

Selecting the Bourne-Again Shell payload from the payload menu gives you a one-liner that establishes a remote Mouse session upon execution on the target machine.
Platform: iOS/macOS

Teensy macOS payload (USB injection)

Teensy is a USB development board that can be programmed with the Arduino IDE. It emulates USB keystrokes extremely fast and can inject the Mouse payload in just a few seconds!
Platform: macOS

Rubber Duck payload (USB injection)

USB…

Running CTFs and security trainings with OWASP Juice Shop is usually quite tricky; Juice Shop just isn't intended to be used by multiple users at a time. Instructing everybody how to start Juice Shop on their own machine works OK, but takes away too much valuable time. MultiJuicer gives you the ability to run separate Juice Shop instances for every participant on a central Kubernetes cluster, so you can run events without the need for local Juice Shop instances.

Note: This project was called JuicyCTF until recently. This was changed to avoid confusion with the juice-shop-ctf project.

What it does:

- dynamically creates new Juice Shop instances when needed
- runs on a single domain, comes with a LoadBalancer sending the traffic to the participant's Juice Shop instance
- backs up and auto-applies challenge progress in case of Juice Shop container restarts
- cleans up old and unused instances automatically

Installation

MultiJuicer runs on Kubernetes; to install it you'll need helm.

helm repo add multi-juicer https://iteratec.github.io/multi-juicer/

# for helm <= 2
helm install multi-juicer/multi-juicer --name multi-juicer

# for helm >= 3
helm install multi-juicer multi-juicer/multi-juicer

Installation Guides for specific Cloud Providers

Generally MultiJuicer runs on pretty much any Kubernetes cluster, but to make it easier for anybody who is new to Kubernetes, we have some guides on how to set up a Kubernetes cluster with MultiJuicer installed for some…

Burp Suite extension to track vulnerability assessment progress.

Features

- Capture items (unique requests) from the Burp Suite tools (Proxy, Repeater, Target). The unique key of a request is defined as follows: target (host, port, protocol), path and method.
- Items have the following editable properties:
  - comment
  - status (Blocked, Done, Ignored, In progress, New, Postponed)
  - tags
- Items can be filtered by:
  - status
  - tags (there are two filtering modes: AND, where an item has to have all filtering tags, and OR, where an item has to have at least one of the filtering tags)
- Exclude requests from capture based on the path extension or response status code
- Selected items can be sent to the Burp Suite tools: Intruder, Repeater or Scanner
- The selected item is displayed in the fully functional Burp Suite HTTP message editor
- Path patterns: the unique key of the request is defined by target, path and method. However, it can be useful to define a path pattern (regexp) so that different requests are considered the same item (e.g. the /article/\d+?/comments path pattern groups the following requests: /article/1/comments, /article/2/comments, /article/100/comments, etc.)
- Optionally, items and path patterns can be persisted to keep the state between Burp Suite runs (please see Requirements)

Options

- Database: selects the file to persist items and path patterns (please see Requirements)
- Scope tools: enables item capturing for the selected Burp Suite tools (Proxy, Repeater, Target)
…
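To make the key/pattern/filter rules above concrete, here is an added example in plain Python. It is not the extension's code (the extension is a Burp plugin) and its details are assumptions: the Item class, the exact key tuple (protocol, host, port, path, method), the rule that the first fully matching path pattern's text replaces the path in the key, and the small request list used as input are all constructed for this example.

```python
"""Model of the extension's item key, path-pattern grouping and AND/OR tag
filtering.  Added example; not the extension's own implementation."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Item:
    method: str
    url: str
    status: str = "New"              # Blocked, Done, Ignored, In progress, New, Postponed
    tags: set = field(default_factory=set)
    comment: str = ""


def request_key(method: str, url: str, path_patterns) -> tuple:
    """Key = (protocol, host, port, path, method).  If a path pattern fully
    matches the path, the pattern text stands in for the path so that
    /article/1/comments and /article/100/comments collapse into one item
    (assumed rule: first matching pattern wins)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    path = p.path or "/"
    for pat in path_patterns:
        if re.fullmatch(pat, path):
            path = pat
            break
    return (p.scheme, p.hostname, port, path, method.upper())


def group_items(requests, path_patterns, excluded_exts=(".js", ".css", ".png")):
    """Capture (method, url) pairs into {key: Item}, skipping excluded
    path extensions (the 'exclude by path extension' option)."""
    items = {}
    for method, url in requests:
        path = urlsplit(url).path.lower()
        if any(path.endswith(ext) for ext in excluded_exts):
            continue
        key = request_key(method, url, path_patterns)
        items.setdefault(key, Item(method.upper(), url))   # first capture wins
    return items


def filter_items(items, status=None, tags=(), mode="AND"):
    """Status filter plus tag filter: AND needs every tag, OR needs any tag."""
    want = set(tags)
    out = []
    for it in items.values():
        if status and it.status != status:
            continue
        if want:
            if mode == "AND" and not want <= it.tags:
                continue
            if mode == "OR" and not (want & it.tags):
                continue
        out.append(it)
    return out


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real target.
    patterns = [r"/article/\d+?/comments"]
    sample = [
        ("GET", "https://example.com/article/1/comments"),
        ("GET", "https://example.com/article/100/comments"),
        ("POST", "https://example.com/article/1/comments"),
        ("GET", "https://example.com/static/app.js"),
        ("GET", "http://example.com:8080/login"),
    ]
    for key, item in group_items(sample, patterns).items():
        print(key, "->", item.url)
```

Two GETs to different article IDs become one item while the POST to the same path stays separate, which is exactly what the path-pattern feature is for when triaging REST-style endpoints.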

Advanced Binary Deobfuscation

This repository contains the course materials of Advanced Binary Deobfuscation at the Global Cybersecurity Camp (GCC) Tokyo in 2020.

Course Abstract

Reverse engineering is not easy, especially if the binary code is obfuscated. Once obfuscation is applied, the binary cannot be analyzed accurately with naive techniques alone. In this course, you will learn obfuscation principles (especially those used by malware), the theory and practice of obfuscated code analysis, and how to write your own tool for deobfuscation. In particular, we delve into data-flow analysis and SAT/SMT-based binary analysis (e.g., symbolic execution) to render obfuscation ineffective.

Outline

This course is about binary deobfuscation, meant for security analysts and researchers (including those just starting out) looking to add writing their own tools to their arsenal. At the end of this class, attendees will be able to:

- Have an in-depth understanding of the theory, practice, and insights behind obfuscation
- Build a custom obfuscated payload with state-of-the-art packers
- Apply compiler optimization techniques to binary analysis tasks
- Design and implement automated binary analysis tools on top of a symbolic execution engine
- Even analyze obfuscated malware used in APT campaigns

Towards this end, the course was held as a combination of classroom learning and hands-on training at GCC.

Prerequisite Knowledge

Attendees should have:

- Robust skill set…

Get TeamViewer's ID and password from a remote computer in the LAN

This program gets TeamViewer's ID and password from a remote computer in the LAN. Most useful for post-exploitation or sysadmins. Tested on Windows 7 and Windows 10, x86 and x64.

Prerequisites

- You must have valid credentials on the remote computer
- Port 445 must be accessible on the target machine

Execution examples:

hook.exe must be in the same folder as get_Team_Pass.exe

get_Team_Pass.exe -h    (prints the help)
get_Team_Pass.exe -t [targetIp] -u [Username] -p [UsernamePassword] -d [usernameDomain]    # -d parameter is optional
get_Team_Pass.exe -t 192.168.175.136 -u administrator -p Password2018
get_Team_Pass.exe -t 192.168.175.136 -u administrator -p Password2018 -d domain

Execution video: https://goo.gl/VhWF4g
Blog: https://kr1shn4murt1.blogspot.com/2018/12/obtener-el-id-y-password-de-teamviewer.html

SHA-256 checksums of files

Algorithm | Hash                                                             | File
----------|------------------------------------------------------------------|------------------
SHA256    | 28F71132305CFA45F4335FA8F9E3ADE52CC9E3339AECDCA795FBD5EA51894351 | get_Team_Pass.exe
SHA256    | 57F62D0CB5656ED2D79DC16C25A9B0D3AACC307D945CED5B0F1CAA1F563735C1 | hook.exe

Authors

- @kr1shn4murt1
- @t1gr385
- kronux.com.co

TODO

- Reduce the final size of the compiled files
- Add more exception handling
- Add network range capabilities to check all computers in a LAN
- In the future, if TeamViewer is not found on the remote machine, inject it
- Add Linux support

Download…
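Since the project publishes SHA-256 checksums for two binaries that you would be running with valid domain credentials against hosts in a LAN, the check a practitioner wants is to verify the downloaded files against those values before use. The following is an added example, not part of the get_Team_Pass project: the manifest copies the two hashes from the table above, the verify_manifest/sha256_of_file helper names are this example's own, and the directory is wherever you downloaded the files.

```python
"""Verify downloaded binaries against the published SHA-256 values.
Added example; not the project's code."""
import hashlib
import hmac
import os

# Hashes exactly as published on the page for the two release files.
PUBLISHED_SHA256 = {
    "get_Team_Pass.exe": "28F71132305CFA45F4335FA8F9E3ADE52CC9E3339AECDCA795FBD5EA51894351",
    "hook.exe": "57F62D0CB5656ED2D79DC16C25A9B0D3AACC307D945CED5B0F1CAA1F563735C1",
}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(directory: str, manifest: dict = PUBLISHED_SHA256) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each manifest entry.
    Hex case is ignored (the page publishes upper-case digests, hashlib
    returns lower-case)."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_of_file(path).lower().encode()
        ok = hmac.compare_digest(actual, expected.lower().encode())
        results[name] = "ok" if ok else "mismatch"
    return results


def all_ok(results: dict) -> bool:
    """True only when every file is present and matches; use as a gate before
    copying the tools anywhere near a target network."""
    return bool(results) and all(v == "ok" for v in results.values())


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    res = verify_manifest(directory)
    for name, state in res.items():
        print(f"{state:9} {name}")
    sys.exit(0 if all_ok(res) else 1)
```

Run it as `python3 verify.py /path/to/download`; a non-zero exit on any mismatch or missing file makes it easy to wire into a download script.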
