GoSpider – Fast web spider written in Go

Installation

go get -u github.com/jaeles-project/gospider

Features

- Fast web crawling
- Brute force and parse sitemap.xml
- Parse robots.txt
- Generate and verify links from JavaScript files
- Link Finder
- Find AWS S3 buckets from response source
- Find subdomains from response source
- Get URLs from Wayback Machine, Common Crawl, VirusTotal, AlienVault
- Format output easy to grep
- Support Burp input
- Crawl multiple sites in parallel
- Random mobile/web User-Agent

Usage

Fast web spider written in Go – v1.1.0 by @theblackturtle

Usage:
  gospider [flags]

Flags:
  -s, --site string          Site to crawl
  -S, --sites string         Site list to crawl
  -p, --proxy string         Proxy (Ex: http://127.0.0.1:8080)
  -o, --output string        Output folder
  -u, --user-agent string    User Agent to use
                               web: random web user-agent
                               mobi: random mobile user-agent
                               or you can set your special user-agent (default "web")
      --cookie string        Cookie to use (testA=a; testB=b)
  -H, --header stringArray   Header to use (Use multiple flag to set multiple header)
      --burp string          Load headers and cookie from burp raw http request
      --blacklist string     Blacklist URL Regex
  -t, --threads int          Number of threads (Run sites in parallel) (default 1)
  -c, --concurrent…

Source

Uses CVE-2019-18988 to enumerate and decrypt TeamViewer credentials from the Windows registry.

Blog post detailing the vulnerability: https://whynotsecurity.com/blog/teamviewer/

Usage

.\DecryptTeamViewer.exe

Download…

Source

Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and, based on Dr.Semu rules created by you or the community, detects whether the process is malicious or not.

whoami: @_qaz_qaz

With Dr.Semu you can create rules to detect malware based on the dynamic behavior of a process.

Isolation through redirection

Everything happens from user mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, it clones all Registry hives to a new location and redirects all Registry accesses. See the source code for more about other redirections (process/object isolation, etc.).

Monitoring

Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it's about to cross the user-kernel line. It has the same effect as hooking the SSDT, but from user mode and without hooking anything. At this phase, Dr.Semu produces a JSON file which contains information from the interception.

Detection

After the process terminates, the Dr.Semu rules tell us whether the executable is detected as malware or not.

Dr.Semu Rules/Detections

Dr.Semu rules are written in Python or Lua (located under dr_rules) and use dynamic information from the interception and static information about the sample. It's trivial to add support for other languages.

Example (Python): https://gist.github.com/secrary/ac89321b8a7bde998a6e3139be49eb72
Example (…

Source

Syborg is a Recursive DNS Domain Enumerator which is neither active nor completely passive. This tool simply constructs a domain name and queries it with a specified DNS server. Syborg has a dead-end avoidance system inspired by @Tomnomnom's ettu.

When you run subdomain enumeration with some of the tools, most of them passively query public records like virustotal, crtsh or censys. This enumeration technique is really fast and helps to find a lot of domains in much less time. However, there are some domains that may not be mentioned in these public records. In order to find those domains, Syborg interacts with the nameservers and recursively brute-forces subdomains from the DNS until its queue is empty.

Image Credits: Carbon

As mentioned on ettu's page, I quote:

    Ordinarily if there are no records to return for a DNS name you might expect an NXDOMAIN error:

    ▶ host four.tomnomnom.uk
    Host four.tomnomnom.uk not found: 3(NXDOMAIN)

    You may have noticed that sometimes you get an empty response instead though:

    ▶ host three.tomnomnom.uk

    The difference in the latter case is often that another name – one that has your queried name as a suffix – exists and has records to return:

    ▶ host one.two.three.tomnomnom.uk
    one.two.three.tomnomnom.uk has address 46.101.59.42

    This difference in response can be used to help avoid dead-ends in recursive DNS brute-forcing by not recursing in the former situation:

    ▶ echo -e "www\none\ntwo\nthree" |…

Source

Manul is a coverage-guided parallel fuzzer for open-source and black-box binaries on Windows, Linux and macOS (beta), written in pure Python.

Quick Start

pip3 install psutil
git clone https://github.com/mxmssh/manul
cd manul
mkdir in
mkdir out
echo "AAAAAA" > in/test
python3 manul.py -i in -o out -n 4 "linux/test_afl @@"

Installing Radamsa

sudo apt-get install gcc make git wget
git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install

There is no need to install radamsa on Windows; Manul is distributed with the radamsa native library on this platform.

List of Public CVEs

| CVE IDs | Product | Finder |
|---|---|---|
| CVE-2019-9631, CVE-2019-7310, CVE-2019-9959 | Poppler | Maksim Shudrak |
| CVE-2018-17019, CVE-2018-16807, CVE-2019-12175 | Bro/Zeek | Maksim Shudrak |

If you managed to find a new bug using Manul, please contact me and I will add you to the list.

Dependencies

psutil
Python 2.7+ (will be deprecated after 1 Jan. 2020) or Python 3.7+ (preferred)

Coverage-guided fuzzing

Currently, Manul supports two types of instrumentation: AFL-based (afl-gcc, afl-clang and afl-clang-fast) and DBI.

Coverage-guided fuzzing (AFL instrumentation mode)

Instrument your target with afl-gcc or afl-clang-fast and Address Sanitizer (recommended for better results). For example:

CC=afl-gcc CXX=afl-g++ CFLAGS=-fsanitize=address CXXFLAGS=-fsanitize=address cmake <path_to_your_target>
make -j 8 USE_ASAN=1…

Source

The idea is to be the Network Protocol Fuzzer that we will want to use. The aim of this tool is to assist during the whole process of fuzzing a network protocol, allowing you to define the communications, helping to identify the "suspects" of crashing a service, and much more.

Last Changes [16/12/2019]

- Data Generation modules fully recoded (Primitives, Blocks, Requests)
- Improved Strings fuzzing libraries, allowing also for custom lists, files and callback commands
- Variable data type, which takes a variable set by the session, the user or a Response
- Session fully recoded. Now it is based on TestCases, which contain all the information needed to perform the request, check the response, store data such as errors received, etc.
- Responses added. Now you can define responses with s_response(). This allows checking the response from the server, setting variables and even performing additional tests on the response to check if something is wrong
- Monitors now automatically mark TestCases as suspect if they fail
- Added the IPP (Internet Printing Protocol) Fuzzer that we used to find several vulnerabilities in different printer brands during our printers research project (https://www.youtube.com/watch?v=3X-ZnlyGuWc&t=7s)

Features

- Based on Sulley Fuzzer for data generation [https://github.com/OpenRCE/sulley]
- Actually, forked BooFuzz (which is a fork of Sulley) [https://github.com/jtpereyda/boofuzz]
- Python3
- Not random (finite number of…

Source

Nray is a free, platform and architecture independent port and application layer scanner. Apart from regular targets (lists of hosts/networks), it supports dynamic target selection based on sources like certificate transparency logs or LDAP. Furthermore, nray allows running in a distributed manner to speed up scans and to perform scans from different vantage points. Event-based results allow further processing of information during the scan, e.g. using tools like jq or full-blown data analysis platforms like Elasticsearch or Splunk.

This is the main repository where nray is developed. Downloads are here. If you are looking for user documentation, have a look at the project homepage. For information related to developing and contributing to nray, continue reading.

Nray is written in pure Go and its versioning follows the semantic versioning model. The development follows Vincent Driessen's "A successful git branching" model, therefore we try to keep the master branch stable and in line with releases, whereas development happens on the development branch as well as branches derived from there.

Building

Care was taken to mostly stay in line with Go's build system, meaning that the project can be built with a plain go build. Nray is written in pure Go and care was taken to select only dependencies that also fulfill this requirement, therefore a standard Go…

Source

A Burp Suite extension to help pentesters generate a random user-agent. This extension has been developed by M'hamed (@m4ll0k) Outaadi.

Installation

Download a jar file from the releases or compile the Java code:

$ git clone https://github.com/m4ll0k/BurpSuite-Random_UserAgent.git random-useragents
$ cd random-useragents/src/main/java
$ javac burp/*.java
$ jar cf random-useragents.jar burp/*.class

Installation video

Download…

Source

An Interactive CTF Exploration Tool

This is ctftool, an interactive command line tool to experiment with CTF, a little-known protocol used on Windows to implement Text Services. This might be useful for studying Windows internals, debugging complex issues with Text Input Processors and analyzing Windows security.

It is possible to write simple scripts with ctftool for automating interaction with CTF clients or servers, or to perform simple fuzzing.

Background

There is a blog post that accompanies the release of this tool, available here: https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

Usage

ctftool has been tested on Windows 7, Windows 8 and Windows 10. Both 32-bit and x64 versions are supported, but x64 has been tested more extensively.

There is online help for most commands; simply type help to see a list of commands, and help <command> to see detailed help for a particular command.

$ ./ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> help
Type `help <command>` for help with a specific command.
Any line beginning with # is considered a comment.
    help           - List available commands.
    exit           - Exit the shell.
    connect        - Connect to CTF ALPC Port.
    info           - Query server informaiton.
    scan           - Enumerate connected clients.
    callstub       - Ask a client to invoke a function.
    createstub     -…

Source

Straight-forward HTTP client testing, assertions included!

Simple httptest.Server wrapper with a little request recorder spice on it. No special DSL, no complex API to learn. Just create a server, fire your request like a Hadouken, then assert on it.

TODO

- Add example usages
- Add docs
- Add response headers to NewServer
- Add request header assertions
- Add multiple request assertion logic
- Extract Request().Body to requestRecorder.Body binding logic to CustomBinder
- Add NewServerWithTimeout for testing API timeouts
- http.RoundTripper interface can be implemented to mock arbitrary URLs
- A Builder can be written to NewServer for ease of use

Download…

Source