EAPHammer, by Gabriel Ryan (s0lst1c3) (gryan[at]specterops.io)

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full-scope wireless assessments and red team engagements, so the focus is on an easy-to-use interface that executes powerful wireless attacks with minimal manual configuration. To illustrate how fast the tool is, the Quick Start below runs a credential-stealing evil twin attack against a WPA/2-EAP network in four commands. Keep in mind that the attack only yields credentials from clients that do not validate the RADIUS server certificate, or whose users accept the certificate prompt; the cert-wizard step generates the certificate the rogue RADIUS server presents.

Quick Start Guide (Kali)

Begin by cloning the eaphammer repo:

git clone https://github.com/s0lst1c3/eaphammer.git

Next, run the kali-setup script to complete the setup. It installs dependencies and compiles the project:

./kali-setup

To set up and execute a credential-stealing evil twin attack against a WPA/2-EAP network:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds

Usage and Setup Instructions

For complete usage and setup instructions, refer to the project's wiki: https://github.com/s0lst1c3/eaphammer/wiki

Features

Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots.
Perform captive portal …

Postenum

Postenum is a clean and easy tool for basic and advanced privilege escalation vectors and techniques. It is intended to be run locally on a Linux box. Be more than a normal user: be ROOT.

Usage:
./postenum.sh [option]
./postenum.sh -s
./postenum.sh -c

Options:
-a : All
-s : Filesystem [SUID, SGID, config/DB files, etc.]
-l : Shell escape and development tools
-c : The most interesting files
-n : Network settings
-p : Services and cron jobs
-o : OS information and kernel exploits
-v : Software versions
-t : Fstab credentials and databases checker

install.sh
You can use the install.sh script to install postenum (only for system/network admins). To run it:
./install.sh

Version 0.8
Download…
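The filesystem checks that the -s option groups together (SUID/SGID binaries, world-writable files, readable config/DB files) are simple enough to spell out. The block below is an added example written for this page, not Postenum's own code; it reimplements those checks in Python so the exact conditions are visible. The list of "config/DB" suffixes is an assumption for the example, and the walk deliberately uses lstat and swallows permission errors, because an unprivileged enumeration run hits unreadable directories constantly.

```python
"""Added example (not Postenum's code): SUID/SGID, world-writable and readable
config-file enumeration, the checks behind `postenum.sh -s`."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List

# Assumed set of "config/DB" file suffixes for this example; Postenum's own list may differ.
CONFIG_SUFFIXES = (".conf", ".cfg", ".ini", ".yml", ".yaml", ".env", ".sql", ".db", ".sqlite")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "suid", "sgid", "world-writable" or "readable-config"
    mode: str    # permission bits in octal, e.g. "4755"


def classify(path: str, st: os.stat_result) -> List[Finding]:
    """Return every finding that applies to one regular file."""
    mode = stat.S_IMODE(st.st_mode)
    octal = f"{mode:04o}"
    found: List[Finding] = []
    if mode & stat.S_ISUID:
        found.append(Finding(path, "suid", octal))
    if mode & stat.S_ISGID:
        found.append(Finding(path, "sgid", octal))
    if mode & stat.S_IWOTH:
        found.append(Finding(path, "world-writable", octal))
    if path.endswith(CONFIG_SUFFIXES) and mode & stat.S_IROTH:
        found.append(Finding(path, "readable-config", octal))
    return found


def scan(root: str) -> List[Finding]:
    """Walk `root` without following symlinks and without stopping on
    unreadable directories, the way an unprivileged run has to."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)   # lstat: never report a symlink's target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                findings.extend(classify(full, st))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group paths by finding kind, sorted so output is stable between runs."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.path)
    return {kind: sorted(paths) for kind, paths in grouped.items()}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for kind, paths in summarize(scan(root)).items():
        print(f"[{kind}]")
        for p in paths:
            print("  " + p)
```

Run it as `python3 enum_fs.py /` on the box; an interesting result is any SUID binary outside the distribution's usual set, or a readable .conf/.env file that contains credentials, which is what the -t option then goes looking for.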

unicorn-bios

Basic BIOS emulator/debugger for Unicorn Engine, written to debug the XEOS Operating System boot sequence.

Usage: unicorn-bios [OPTIONS] BOOT_IMG

Options:
--help / -h: Displays help.
--memory / -m: The amount of memory to allocate for the virtual machine (in megabytes). Defaults to 64MB, minimum 2MB.
--break / -b: Breaks on a specific address.
--break-int: Breaks on interrupt calls.
--break-iret: Breaks on interrupt returns.
--trap: Raises a trap when breaking.
--debug-video: Turns on debug output for video services.
--single-step: Breaks on every instruction.
--no-ui: Don't start the user interface (output is written to stdout, debug info to stderr).
--no-colors: Don't use colors.

Installation:
brew install --HEAD macmade/tap/unicorn-bios

Repository Infos
Owner: Jean-David Gadina (XS-Labs)
Web: www.xs-labs.com
Blog: www.noxeos.com
Twitter: @macmade
GitHub: github.com/macmade
LinkedIn: ch.linkedin.com/in/macmade/
StackOverflow: stackoverflow.com/users/182676/macmade
Download…

uniFuzzer

uniFuzzer is a fuzzing tool for closed-source binaries based on Unicorn and LibFuzzer. Currently it supports fuzzing 32-bit LSB ELF files on ARM/MIPS, which are commonly found in IoT devices. (A Chinese introduction is also available.)

Features
Very little hacking required, and easy to build.
Can target any specified function or code snippet.
Coverage-guided fuzzing with considerable speed.
Dependencies are resolved and loaded automatically.
Library functions can be overridden via PRELOAD.

Build
Reverse the target binary and find interesting functions to fuzz. Create a .c file in the callback directory that implements the following callbacks:

void onLibLoad(const char *libName, void *baseAddr, void *ucBaseAddr): invoked each time a dependent library is loaded into Unicorn.
int uniFuzzerInit(uc_engine *uc): invoked once all the binaries have been loaded into Unicorn. Stack, heap and registers can be set up here.
int uniFuzzerBeforeExec(uc_engine *uc, const uint8_t *data, size_t len): invoked before each round of fuzzing execution, with the current input.
int uniFuzzerAfterExec(uc_engine *uc): invoked after each round of fuzzing execution.

Run make to get the fuzzing tool named uf.

Run
uniFuzzer takes the following environment variables as parameters:
UF_TARGET: path of the target ELF file.
UF_PRELOAD: path of the preload library. Make sure the library has the same architecture as the target.
UF_LIBPATH: paths in which the dependent libraries reside. Use : to separate multiple…

SMTPTester

SMTPTester is a Python 3 tool to test an SMTP server for three common weaknesses:
Spoofing: the ability to send mail on behalf of an internal user.
Relay: using the SMTP server to send email to addresses outside the organization.
User enumeration: using the SMTP VRFY command to check whether a specific username and/or email address exists within the organization.

How to use it
First, install the needed dependencies:
pip install -r requirments.txt
Second, run the tool with the needed flags:
python SMTPTester.py --tester [tester email] --targets [SMTP IP or file containing multiple IPs]

Options to consider
-i / --internal: test only for mail spoofing
-e / --external: test only for mail relay
-v / --vrfy: only perform user enumeration
When no test type is specified, the tool performs both the internal and external tests, and appends its output to a log file in the same folder as SMTPTester.py.

Issues, bugs and other code issues
Yeah, I know, this code isn't the best. I'm fine with it, as I'm not a developer and this is part of my learning process. If there is a way to do some of it better, please let me know.
_ Not how many, but where. _
v0.1
Download…
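The three tests above are each a short SMTP exchange, and the server's reply codes decide the verdict. The block below is an added example for this page, not SMTPTester's code: it writes out both sides of each exchange (spoofing, relay, VRFY) over an injected transport, so the same logic runs against a live server through `connect()` or, offline, against the constructed `FakeServer` that answers like a host which accepts spoofed internal senders but refuses to relay. The host names, addresses and reply texts in `FakeServer` are made up for the example.

```python
"""Added example (not SMTPTester's code): spoofing, open-relay and VRFY checks as
explicit SMTP exchanges, with a constructed fake server for offline runs."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple


class SmtpLine:
    """Minimal line-oriented SMTP client over injected send/readline callables,
    so the same check logic runs against a real socket or a scripted fake."""

    def __init__(self, send: Callable[[bytes], None], readline: Callable[[], bytes]):
        self._send, self._readline = send, readline

    def reply(self) -> Tuple[int, str]:
        # Multi-line replies use "250-text" for continuation and "250 text" for the last line.
        lines: List[str] = []
        while True:
            raw = self._readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                break
        return int(lines[-1][:3]), "\n".join(lines)

    def cmd(self, line: str) -> Tuple[int, str]:
        self._send((line + "\r\n").encode("ascii"))
        return self.reply()


def check_spoofing(c: SmtpLine, internal_from: str, internal_to: str) -> bool:
    """Spoofing: an outside client may claim a sender in the organisation's own domain."""
    c.cmd("RSET")
    return c.cmd(f"MAIL FROM:<{internal_from}>")[0] == 250 and c.cmd(f"RCPT TO:<{internal_to}>")[0] == 250


def check_relay(c: SmtpLine, external_from: str, external_to: str) -> bool:
    """Open relay: sender and recipient are both outside the organisation, yet RCPT is accepted."""
    c.cmd("RSET")
    return c.cmd(f"MAIL FROM:<{external_from}>")[0] == 250 and c.cmd(f"RCPT TO:<{external_to}>")[0] == 250


def check_vrfy(c: SmtpLine, users: Iterable[str]) -> Dict[str, str]:
    """User enumeration via VRFY: 250/251 = known, 252 = server declines to say, 55x = unknown."""
    out: Dict[str, str] = {}
    for user in users:
        code, _ = c.cmd(f"VRFY {user}")
        out[user] = ("exists" if code in (250, 251) else "unknown" if code == 252
                     else "absent" if code in (550, 551, 553) else f"code {code}")
    return out


def run_checks(c: SmtpLine, tester: str, internal_domain: str, users: List[str]) -> dict:
    """Run the three tests in one session: read the 220 banner, EHLO, test, QUIT."""
    if c.reply()[0] != 220:
        raise RuntimeError("no SMTP banner")
    c.cmd("EHLO tester.invalid")
    results = {
        "spoofing": check_spoofing(c, f"ceo@{internal_domain}", f"user@{internal_domain}"),
        "relay": check_relay(c, tester, tester),
        "vrfy": check_vrfy(c, users),
    }
    c.cmd("QUIT")
    return results


def connect(host: str, port: int = 25, timeout: float = 10.0) -> SmtpLine:
    """Real transport for a live target (not exercised offline)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return SmtpLine(sock.sendall, sock.makefile("rb").readline)


class FakeServer:
    """Constructed stand-in, not a real server: accepts any MAIL FROM, relays only to its
    own domains, answers VRFY honestly. Feeds replies to SmtpLine via send/readline."""

    def __init__(self, known_users: Iterable[str], internal_domains: Iterable[str], open_relay: bool):
        self.known, self.internal, self.open_relay = set(known_users), set(internal_domains), open_relay
        self._out: List[str] = ["220 mail.corp.test ESMTP\r\n"]

    def send(self, data: bytes) -> None:
        line = data.decode("ascii").strip()
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            reply = "250-mail.corp.test\n250 VRFY"
        elif verb == "RCPT":
            domain = line.split("@", 1)[1].rstrip(">")
            reply = "250 2.1.5 Ok" if self.open_relay or domain in self.internal else "554 5.7.1 Relay access denied"
        elif verb == "VRFY":
            reply = "250 ok" if line.split(" ", 1)[1] in self.known else "550 5.1.1 User unknown"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "250 Ok"  # RSET, MAIL FROM
        self._out.extend(part + "\r\n" for part in reply.split("\n"))

    def readline(self) -> bytes:
        return self._out.pop(0).encode("ascii")
```

Against a real host use `run_checks(connect("mail.example.org"), "you@yourdomain", "example.org", ["admin", "jsmith"])`. A 250 to RCPT TO is a strong signal but not proof: some servers accept every recipient and only reject at DATA, so confirm a positive relay or spoofing result by delivering a real message to a mailbox you control, which is what the tool's --tester address is for.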

Tylium

These files contain configuration for producing EDR (endpoint detection and response) data in addition to standard system logs, using F/OSS (free and/or open source) tooling: auditd for Linux, Sysmon for Windows and xnumon for macOS. Also included is a set of notes for configuring Suricata events and rules. These data sets enumerate and/or generate the kinds of security-relevant events required by threat hunting techniques and a wide variety of security analytics.

Tylium is part of the SpaceCake project for multi-platform intrusion detection, security analytics and threat hunting using open source tools for Linux and Windows, in both cloud and conventional environments.

Contents:

Linux
auditd.yaml: a set of auditd rules for generating file, network and process events via the auditd subsystem for Linux.
SystemLogs.md: a matrix of Linux native operating system and web server logs.

MacOS
configuration.plist: a configuration for generating Sysmon-like events using the xnumon project on macOS.

Suricata
Notes on event and rule setup for Suricata in cloud vs. terrestrial environments.

Windows
EventLogs.md: a matrix of select Windows event log messages and their locations.
sysmon-config-base.xml: a Sysmon configuration file for generating file, network, registry, process and WMI events using Sysmon for Windows.
…

fsmon

FileSystem Monitor utility that runs on Linux, Android, iOS and OSX. Brought to you by Sergi Àlvarez at NowSecure and distributed under the MIT license.

Usage
The tool retrieves file system events from a specific directory and shows them in a colorful format or as JSON. Events can be filtered by program name or process id (PID).

Usage: ./fsmon [-jc] [-a sec] [-b dir] [-B name] [-p pid] [-P proc] [path]
-a [sec]   stop monitoring after N seconds (alarm)
-b [dir]   backup files to DIR folder (EXPERIMENTAL)
-B [name]  specify an alternative backend
-c         follow children of -p PID
-f         show only filename (no path)
-h         show this help
-j         output in JSON format
-L         list all filemonitor backends
-p [pid]   only show events from this pid
-P [proc]  events only from process name
-v         show version
[path]     only get events from this path

Backends
fsmon takes file system information from different backends depending on the operating system and the APIs available. The backends can be listed with fsmon -L:
inotify (linux / android)
fanotify (linux > 2.6.36 / android 5)
devfsev (osx /dev/fsevents; requires root)
kqueue (xnu; requires root)
kdebug (bsd?, xnu; requires root)
fsevapi (osx filesystem monitor api)

Compilation
fsmon is a portable tool. It works on iOS, OSX, Linux …

Traxss

Automated Vulnerability Scanner for XSS | Written in Python 3 | Utilizes Selenium Headless

Traxss is an automated framework to scan URLs and web pages for XSS vulnerabilities. It includes over 575 payloads to test with and multiple options for the robustness of tests. The GIF in the project README (not reproduced here) previews the fastest type of scan.

Getting Started

Prerequisites
Traxss depends on ChromeDriver. On macOS it can be installed with Homebrew:
brew install --cask chromedriver
Alternatively, find a version for other operating systems here: https://sites.google.com/a/chromium.org/chromedriver/downloads

Installation
Run the command:
pip3 install -r requirements.txt

Running Traxss
Traxss can be started with:
python3 traxss.py
This launches an interactive CLI that guides you through the process.

Types of Scans
Full Scan w/ HTML: uses a query scan with 575+ payloads and attempts to find XSS vulnerabilities by passing parameters through the URL. It also renders the HTML and attempts to find manual XSS vulnerabilities (this feature is still in beta).
Full Scan w/o HTML: runs the query scan only.
Fast Scan w/ HTML: the same as the full scan w/ HTML, but uses only 7 attack vectors rather than the 575+.
Fast Scan w/o HTML: the same as the full scan w/o HTML, but uses only 7 attack vectors rather than the 575+.
Download…
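The "query scan" that every Traxss mode starts with is: take each URL query parameter in turn, substitute a payload, fetch, and look for the payload in the response. The block below is an added example for this page, not Traxss code, showing that stage in plain Python without Selenium; the page fetch is injected so it runs offline against a constructed `fake_app` that echoes one parameter raw and HTML-escapes another. The three payloads are an assumed subset standing in for Traxss's 575. The one check that matters is in `reflected_unencoded`: a reflection that comes back as `&lt;script&gt;` is the application doing the right thing and is not reported.

```python
"""Added example (not Traxss code): per-parameter payload injection and
unencoded-reflection detection, the query-scan stage of an XSS scanner."""
import html
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed small payload set for the example; Traxss ships 575+.
PAYLOADS: List[str] = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "'-alert(1)-'",
]


def inject(url: str, param: str, payload: str) -> str:
    """Return `url` with the value of `param` replaced by `payload`; other parameters are kept."""
    parts = urlsplit(url)
    pairs = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def reflected_unencoded(body: str, payload: str) -> bool:
    """Only a verbatim copy counts. A correctly escaped reflection (e.g. &lt;script&gt;)
    does not contain the raw payload and is therefore not reported."""
    return payload in body


def scan_url(url: str, fetch: Callable[[str], str], payloads: List[str] = PAYLOADS) -> Dict[str, List[str]]:
    """Try every payload in every query parameter, one parameter at a time,
    and report the payloads each parameter reflects unencoded."""
    params = list(dict.fromkeys(k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)))
    hits: Dict[str, List[str]] = {}
    for param in params:
        for payload in payloads:
            if reflected_unencoded(fetch(inject(url, param, payload)), payload):
                hits.setdefault(param, []).append(payload)
    return hits


def fetch_http(url: str, timeout: float = 10.0) -> str:
    """Real fetcher for live use (not exercised offline)."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


def fake_app(url: str) -> str:
    """Constructed target used instead of a network: echoes `q` raw (vulnerable)
    and `name` HTML-escaped (safe)."""
    qs = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return (f"<h1>Results for {qs.get('q', '')}</h1>"
            f"<p>Hello {html.escape(qs.get('name', ''), quote=True)}</p>")


if __name__ == "__main__":
    print(scan_url("http://app.test/search?q=term&name=bob", fake_app))
```

For a live target swap in `fetch_http`. A hit here means reflection, not confirmed execution: whether `'-alert(1)-'` fires depends on the context it lands in (text node, attribute, script string), which is exactly what the HTML-rendering step of the "w/ HTML" scans adds on top of this.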

DECAF++

DECAF++, the new version of DECAF, makes taint analysis around 2x faster, making it, to the best of our knowledge, the fastest whole-system dynamic taint analysis framework. The result is much better usability: only 4% overhead (SPEC CPU2006) when no suspicious (tainted) input exists. Even under heavy taint analysis workloads DECAF++ performs much better, around 25% faster on nbench, because of its elasticity. That elasticity makes DECAF++ well suited to security analysis tasks that selectively analyze input, e.g. intrusion detection systems (IDS) that can filter out benign traffic. For further technical details, see our RAID 2019 paper. To activate the optimizations.

PUBLICATIONS
Ali Davanian, Zhenxiao Qi, Yu Qu, and Heng Yin. DECAF++: Elastic Whole-System Dynamic Taint Analysis. In the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID), September 2019. (If you wish to cite the new optimized version of DECAF, please cite this paper.)
Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, and Heng Yin. Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. In the International Symposium on Software Testing and Analysis (ISSTA'14), San Jose, CA, July 2014. (If you wish to cite DECAF, please cite this paper.)
Lok Kwong Yan, Andrew Henderson, Xunchao Hu, Heng Yin, and…

Mosca

Mosca is a manual analysis tool to find bugs, like the grep unix command, version 0.05. It is not dynamic: it uses static code search. Don't confuse it with academic approaches, hahaha; there is no graph or CFG here, it is a simple "grep". Egg modules are configs describing which vulnerabilities to find; you can use them on C, PHP, JavaScript, Ruby, etc. Results can be saved to an XML file, and you can create your own modules, etc.
*why static?
Download…
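To make "a grep with modules that writes XML" concrete, the block below is an added example for this page, not Mosca's code: each module is a language name with a list of (regex, message) rules, a scan is a line-by-line regex search with no parsing or control flow, and the hits are serialised as XML. The module contents and the `<results>`/`<hit>` element names are assumptions for the example; Mosca's own egg format and XML layout are not described on this page.

```python
"""Added example (not Mosca's code): grep-style per-language rule modules,
line-by-line static search, and XML output of the hits."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed example modules in the spirit of egg modules: one list of (regex, message)
# per language, deliberately no smarter than a grep pattern.
MODULES: Dict[str, List[Tuple[str, str]]] = {
    "c": [
        (r"\b(strcpy|strcat|sprintf|gets)\s*\(", "unbounded copy/format call"),
        (r"\bsystem\s*\(", "shell command execution"),
    ],
    "php": [
        (r"\b(eval|exec|shell_exec|passthru|system)\s*\(", "code or shell execution"),
        (r"\$_(GET|POST|REQUEST|COOKIE)\[", "user input read; check it is validated"),
    ],
    "javascript": [
        (r"\.innerHTML\s*=", "HTML sink; possible DOM XSS"),
        (r"\beval\s*\(", "code execution"),
    ],
}

EXTENSIONS = {".c": "c", ".h": "c", ".php": "php", ".js": "javascript"}


@dataclass(frozen=True)
class Hit:
    file: str
    line: int
    rule: str
    message: str
    code: str


def scan_source(name: str, source: str, lang: str) -> List[Hit]:
    """Apply every rule of one module to each line, grep-style (no parsing, no CFG)."""
    rules = [(re.compile(pattern), pattern, message) for pattern, message in MODULES[lang]]
    hits: List[Hit] = []
    for number, line in enumerate(source.splitlines(), start=1):
        for regex, pattern, message in rules:
            if regex.search(line):
                hits.append(Hit(name, number, pattern, message, line.strip()))
    return hits


def scan_file(path: str) -> List[Hit]:
    """Pick the module from the file extension and scan the file; unknown types yield nothing."""
    lang = EXTENSIONS.get(path[path.rfind("."):].lower())
    if lang is None:
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(path, fh.read(), lang)


def to_xml(hits: List[Hit]) -> str:
    """Serialise hits as XML; element names are this example's, not Mosca's."""
    root = ET.Element("results")
    for h in hits:
        el = ET.SubElement(root, "hit", file=h.file, line=str(h.line), rule=h.rule)
        ET.SubElement(el, "message").text = h.message
        ET.SubElement(el, "code").text = h.code
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    all_hits: List[Hit] = []
    for p in sys.argv[1:]:
        all_hits.extend(scan_file(p))
    print(to_xml(all_hits))
```

Because the search is purely textual, every hit is a place to read, not a confirmed bug: a `strcpy` into a buffer that was sized from `strlen` of the source is a false positive, and a sink reached through an alias the regex never sees is a false negative. That trade-off is the "why static?" of the original.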