XRay is a tool for network OSINT gathering; its goal is to make some of the initial tasks of information gathering and network mapping automatic.

How Does it Work?

XRay is a very simple tool; it works this way:

- It'll bruteforce subdomains using a wordlist and DNS requests.
- For every subdomain/ip found, it'll use Shodan to gather open ports and other intel.
- If a ViewDNS API key is provided, for every subdomain historical data will be collected.
- For every unique ip address, and for every open port, it'll launch specific banner grabbers and info collectors.
- Eventually the data is presented to the user on the web ui.

Grabbers and Collectors

- HTTP Server, X-Powered-By and Location headers.
- HTTP and HTTPS robots.txt disallowed entries.
- HTTPS certificates chain (with recursive subdomain grabbing from CN and Alt Names).
- HTML title tag.
- DNS version.bind. and hostname.bind. records.
- MySQL, SMTP, FTP, SSH, POP and IRC banners.

Notes

Shodan API Key: The shodan.io API key parameter (-shodan-key KEY) is optional; however, if it is not specified, no service fingerprinting will be performed and a lot less information will be shown (basically it's just going to be DNS subdomain enumeration).

ViewDNS API Key: If a ViewDNS API key parameter (-viewdns-key KEY) is passed, domain historical data will also be retrieved.

Anonymity and Legal Issues: The software will rely on your main DNS resolver in order to enumerate…

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI.

Abstract

Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn etc.).

Trivy is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify the name of a container image.

It is intended to be used in CI. Before pushing to a container registry, you can scan your local container image easily. See here for details.

Features

- Detect comprehensive vulnerabilities
  - OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu)
  - Application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
- Simple
  - Specify only an image name
  - See Quick Start and Examples
- Easy installation
  - apt-get install, yum install and brew install are possible (See Installation)
  - No need for prerequisites such as installation of a DB, libraries, etc. (The exception is that you need rpm installed to scan images based on RHEL/CentOS. This is automatically included if you use our installers or the Trivy container image. See Vulnerability Detection for…

HTTP/HTTPS proxy over SSH.

Installation

Local machine:

    go get github.com/justmao945/mallory/cmd/mallory

Remote server: need our old friend sshd

Configuration

Config file

Default path is $HOME/.config/mallory.json; it can be set when starting the program:

    mallory -config path/to/config.json

Content:

- id_rsa is the path to our private key file; it can be generated by ssh-keygen
- local_smart is the local address to serve HTTP proxy with smart detection of destination host
- local_normal is similar to local_smart but sends all traffic through the remote SSH server without destination host detection
- remote is the remote address of the SSH server
- blocked is a list of domains that need to use the proxy; any other domains will connect to their server directly

    {
      "id_rsa": "$HOME/.ssh/id_rsa",
      "local_smart": ":1315",
      "local_normal": ":1316",
      "remote": "ssh://[email protected]:22",
      "blocked": [
        "angularjs.org",
        "golang.org",
        "google.com",
        "google.co.jp",
        "googleapis.com",
        "googleusercontent.com",
        "google-analytics.com",
        "gstatic.com",
        "twitter.com",
        "youtube.com"
      ]
    }

The blocked list in the config file will be reloaded automatically when updated, and you can also do it manually:

    # send signal to reload
    kill -USR2 <pid of mallory>

    # or use reload command by sending http request
    mallory -reload

System config

- Set both HTTP and HTTPS proxy to localhost with port 1315 to use with the block list
- Set env var http_proxy and https_proxy…

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Current features

Some features ezXSS has:

- Easy to use dashboard with statistics, payloads, view/share/search reports and more
- Payload generator
- Instant email alert on payload
- Custom javascript payload
- Enable/Disable screenshots
- Prevent double payloads from saving or alerting
- Block domains
- Share reports with a direct link or with other ezXSS users
- Easily manage and view reports in the dashboard
- Secure your login with extra protection (2FA)

The following information is collected on a vulnerable page:

- The URL of the page
- IP Address
- Any page referer (or share referer)
- The User-Agent
- All Non-HTTP-Only Cookies
- All Local Storage
- All Session Storage
- Full HTML DOM source of the page
- Page origin
- Time of execution
- Screenshot of the page

it's just ez 🙂

Required

- A host with PHP 7.1 or up
- A domain name (consider a short one)
- An SSL certificate if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL certificate)

Installation

ezXSS is ez to install:

1. Clone the repository and put the files in the document root
2. Create an empty database and provide your database information in 'src/Database.php'
3. Visit /manage/install in your browser and set up a password and email
4. Done! That was ez, right?

Demo

For a demo visit demo.ezxss.com/manage with password demo1234. Please note that some features might be disabled in the…

Specialized privilege escalation checks for Linux systems.

Implemented so far:

- Writable systemd paths, services, timers, and socket units
- Disassembles systemd unit files looking for:
  - References to executables that are writable
  - References to broken symlinks pointing to writeable directories
  - Relative path statements
  - Unix socket files that are writeable (sneaky APIs)
- Writable D-Bus paths
- Overly permissive D-Bus service settings
- HTTP APIs running as root and responding on file-bound unix domain sockets

These checks are based on things I encounter during my own research, and this tool is certainly not inclusive of everything you should be looking at. Don't skip the classics!

Usage

All functionality is contained in a single file, because installing packages in restricted shells is a pain. Python2 compatibility will be maintained for those crap old boxes we get stuck with. However, as the checks are really aimed at more modern user-space stuff, it is unlikely to uncover anything interesting on an old box anyway.

There is nothing to install, just grab the script and run it.

    usage: uptux.py [-h] [-n] [-d]

    PrivEsc for modern Linux systems, by initstring (github.com/initstring)

    optional arguments:
      -h, --help       show this help message and exit
      -n, --nologging  do not write the output to a logfile
      -d, --debug      print some extra debugging info to the console

Testing

For …

Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and is easily configured to read any log file of your choosing, for any error you wish.

Though Fail2Ban is able to reduce the rate of incorrect authentication attempts, it cannot eliminate the risk presented by weak authentication. Set up services to use only two-factor or public/private key authentication mechanisms if you really want to protect services.

More documentation, FAQ, and HOWTOs are to be found on the fail2ban(1) manpage, the Wiki, the Developers documentation and the website: https://www.fail2ban.org

Installation:

It is possible that Fail2Ban is already packaged for your distribution. In this case, you should use that instead.

Required:
- Python2 >= 2.6 or Python >= 3.2 or PyPy

Optional:
- pyinotify >= 0.8.3, may require: Linux >= 2.6.13
- gamin >= 0.0.21
- systemd >= 204 and python bindings: python-systemd package
- dnspython

To install:

    tar xvfj fail2ban-0.11.0.tar.bz2
    cd fail2ban-0.11.0
    sudo python setup.py install

Alternatively, you can clone the source from GitHub to a directory of your choice, and do the install from there. Pick the correct branch, for example, 0.11 git…

Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory, accesses to unaddressable memory (including outside of allocated heap units and heap underflow and overflow), accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks, GDI API usage errors, and accesses to un-reserved thread local storage slots.

Dr. Memory operates on unmodified application binaries running on Windows, Linux, Mac, or Android on commodity IA-32, AMD64, and ARM hardware.

Dr. Memory is released under an LGPL license and binary packages are available for download. Dr. Memory is built on the DynamoRIO dynamic instrumentation tool platform.

Dr. Memory Performance

Dr. Memory is faster than comparable tools, including Valgrind, as shown in our CGO 2011 paper Practical Memory Checking with Dr. Memory, where we compare the two tools on Linux on the SPECCPU 2006 benchmark suite (Valgrind is unable to run 434.zeusmp and 447.dealII).

Documentation

Documentation is included in the release package. We also maintain a copy for online browsing.

System call tracer for Windows

The Dr. Memory package includes an "strace for Windows" tool called drstrace.

Obtaining help

Dr. Memory has its own discussion list. To report a bug, use the issue tracker. See also the Dr. Memory home page: http://drmemory.org/

Download…

Inspects source code for security problems by scanning the Go AST.

Install

CI Installation

    # binary will be $GOPATH/bin/gosec
    curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z

    # or install it into ./bin/
    curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

    # In alpine linux (as it does not come with curl by default)
    wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

    # If you want to use the checksums provided on the "Releases" page
    # then you will have to download a tar.gz file for your operating system instead of a binary file
    wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz

    # The file will be in the current folder where you run the command
    # and you can check the checksum like this
    echo "<check sum from the check sum file> gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c -

    gosec --help

Local Installation

    go get github.com/securego/gosec/cmd/gosec

Usage

Gosec can be configured to only run a subset of rules, to exclude certain file paths, and to produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current directory you can supply './...' as the input argument.

Available rules

- G101: Look for hard coded credentials
- G102: Bind to all interfaces
- G103: Audit the use of unsafe block
- G104: Audit…

Virtuailor is an IDAPython tool that reconstructs vtables for C++ code written for intel architecture, both 32bit and 64bit code, and AArch64 (New!).

The tool is constructed from two parts, static and dynamic.

The first is the static part, which contains the following capabilities:

- Detects indirect calls.
- Hooks the value assignment of the indirect calls using conditional breakpoints (the hook code).

The second is the dynamic part, which contains the following capabilities:

- Creates vtable structures.
- Renames functions and vtable addresses.
- Adds structure offsets to the assembly indirect calls.
- Adds xrefs from indirect calls to their virtual functions (multiple xrefs).
- For AArch64, tries to fix undefined vtables and related virtual functions (support for firmware).

How to Use?

By default Virtuailor will look for virtual calls in ALL the addresses in the code. If you want to limit the code only to a specific address range, no problem, just edit the Main file to add the range you want to target in the variables start_addr_range and end_addr_range:

    if __name__ == '__main__':
        start_addr_range = idc.MinEA()  # You can change the virtual calls address range
        end_addr_range = idc.MaxEA()
        add_bp_to_virtual_calls(start_addr_range, end_addr_range)

Optional (but extremely recommended): create a snapshot of your idb. Just press ctrl+shift+t and create a snapshot.

Press File->Run script… then go to the Virtuailor folder and choose to run Main.py. You can see the following gif for a…

AtomShields Cli is a Command-Line Interface for the software AtomShields.

Installation

    pip install atomshieldscli

Basic usage

    ascli <action> <context> --target <path> --name <project_name>

The allowed action values are:

- install: To install a checker or a report, depending on the context set.
- uninstall: To uninstall a checker or a report, depending on the context set.
- run: To run the scan.
- show: To show a checker list or a report list, depending on the context set.
- help: Show the help

The allowed context values are:

- checkers: Operate with checkers
- reports: Operate with reports

The target option sets the path to scan, or the plugin (checker/report) to install/uninstall.

Show all checkers

    ascli show checkers

Show all reports

    ascli show reports

Install checker

    ascli install checkers --target path/to/file.py

Install report

    ascli install reports --target path/to/file.py

Uninstall checker

    ascli uninstall checkers --target path/to/file.py
    or
    ascli uninstall checkers --target checker_name

Uninstall report

    ascli uninstall reports --target path/to/file.py
    or
    ascli uninstall reports --target checker_name

Run the scan

    ascli run --target path/to/file.py --name repo_name

Download…