Remot3d makes it easy to create a backdoor in an instant; the backdoor is then operated remotely from a Linux terminal against a server that runs PHP. It is built to bypass functions that have been disabled on the server, in particular for reading sensitive files such as /etc/passwd.

List of Remot3d Functions

  • Create a backdoor for Windows or Linux servers (any server that can run a PHP file)
  • Bypass disabled functions with the imap_open vulnerability
  • Bypass restrictions on reading /etc/passwd with cURL or a unique logic script
  • Generate a backdoor that can be controlled from the tool
  • Some other fun stuff 🙂

Getting Started

  1. git clone https://github.com/KeepWannabe/Remot3d
  2. cd Remot3d
  3. chmod +x Remot3d.sh && ./Remot3d.sh

Recommended Linux operating systems:

  • Linux Mint (Ubuntu based, with the MATE DE)
  • Parrot
  • BackTrack
  • BackBox
  • DracOS
  • IbisLinux

Update Remot3d

To update Remot3d, go to your Remot3d folder and execute:

  git pull && chmod +x Remot3d.sh && ./Remot3d.sh

Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.
For more information, visit Tyton's website.

Detected Attacks

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking


Additional Features
Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.
DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Installing

Dependencies

  • Linux Kernel 4.4.0-31 or greater
  • Corresponding Linux Kernel Headers
  • GCC
  • Make
  • Libnotify
  • Libsystemd
  • Package Config
  • GTK3

From Source

Ubuntu/Debian/Kali

  1. sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
  2. git clone https://github.com/nbulischeck/tyton.git
  3. cd tyton
  4. make
  5. sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

  1. sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
  2. git clone https://github.com/nbulischeck/tyton.git
  3. cd tyton
  4. make
  5. sudo insmod tyton.ko

Note: It's recommended to install Tyton through the AUR so you can benefit from DKMS.

Fedora/CentOS

  1. dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
  2. git clone https://github.com/nbulischeck/tyton.git
  3. cd tyton
  4. make
  5. sudo insmod tyton.ko

Kernel Module Arguments
The kernel module can be passed a specific timeout argument on insertion through the command line.
To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR
Tyton is available on the AUR here.
You can install it using the AUR helper of your choice:

  • yaourt -S tyton-dkms-git
  • yay -S tyton-dkms-git
  • pakku -S tyton-dkms-git


dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available.
Want to say thanks? Click the star at the top of the page. Or fork dnSpy and send a PR!
The following pictures show dnSpy in action: editing and debugging a .NET EXE file, not source code.

Features

  • Debug .NET Framework, .NET Core and Unity game assemblies, no source code required
  • Edit assemblies in C# or Visual Basic or IL, and edit all metadata
  • Light and dark themes
  • Extensible, write your own extension
  • High DPI support (per-monitor DPI aware)
  • And much more, see below

dnSpy uses the ILSpy decompiler engine and the Roslyn (C# / Visual Basic) compiler and many other open source libraries, see below for more info.

Debugger

  • Debug .NET Framework, .NET Core and Unity game assemblies, no source code required
  • Set breakpoints and step into any assembly
  • Locals, watch, autos windows
  • Variables windows support saving variables (e.g. decrypted byte arrays) to disk or viewing them in the hex editor (memory window)
  • Object IDs
  • Multiple processes can be debugged at the same time
  • Break on module load
  • Tracepoints and conditional breakpoints
  • Export/import breakpoints and tracepoints
  • Call stack, threads, modules, processes windows
  • Break on thrown exceptions (1st chance)
  • Variables windows support evaluating C# / Visual Basic expressions
  • Dynamic modules can be debugged (but not dynamic methods due to CLR limitations)
  • Output window logs various debugging events, and it shows timestamps by default 🙂
  • Assemblies that decrypt themselves at runtime can be debugged, dnSpy will use the in-memory image. You can also force dnSpy to always use in-memory images instead of disk files.
  • Public API, you can write an extension or use the C# Interactive window to control the debugger

Assembly Editor

  • All metadata can be edited
  • Edit methods and classes in C# or Visual Basic with IntelliSense, no source code required
  • Add new methods, classes or members in C# or Visual Basic
  • IL editor for low level IL method body editing
  • Low level metadata tables can be edited. This uses the hex editor internally.

Hex Editor

  • Click on an address in the decompiled code to go to its IL code in the hex editor
  • Reverse of above, press F12 in an IL body in the hex editor to go to the decompiled code or other high level representation of the bits. It's great to find out which statement a patch modified.
  • Highlights .NET metadata structures and PE structures
  • Tooltips show more info about the selected .NET metadata / PE field
  • Go to position, file, RVA
  • Go to .NET metadata token, method body, #Blob / #Strings / #US heap offset or #GUID heap index
  • Follow references (Ctrl+F12)

Other

  • BAML decompiler
  • Blue, light and dark themes (and a dark high contrast theme)
  • Bookmarks
  • C# Interactive window can be used to script dnSpy
  • Search assemblies for classes, methods, strings etc
  • Analyze class and method usage, find callers etc
  • Multiple tabs and tab groups
  • References are highlighted, use Tab / Shift+Tab to move to next reference
  • Go to entry point and module initializer commands
  • Go to metadata token or metadata row commands
  • Code tooltips (C# and Visual Basic)
  • Export to project

List of other open source libraries used by dnSpy

  • ILSpy decompiler engine (C# and Visual Basic decompilers)
  • Roslyn (C# and Visual Basic compilers)
  • dnlib (.NET metadata reader/writer which can also read obfuscated assemblies)
  • VS MEF (Faster MEF equals faster startup)
  • ClrMD (Access to lower level debugging info not provided by the CorDebug API)

Credits


Recaf is an open-source Java bytecode editor built on top of Objectweb's ASM. ASM is a bytecode manipulation library that abstracts away the constant pool and a few other class-file attributes. Since keeping track of the constant pool and managing proper stackframes are no longer necessary, complex changes can be made with relative ease. With additional features to assist in the process of editing classes, Recaf is the most feature rich free bytecode editor available.

Useful Information

While ASM makes bytecode manipulation very simple, that does not mean you should dive head-first into editing compiled Java programs without understanding some basic programming concepts and the Java class file architecture. Here are some references for these topics:

  • Specification: Chapter 4. The class File Format
  • JVM Architecture 101: Get to Know Your Virtual Machine
  • Java opcodes: Simplified ASM set; Standard set

For screenshots check the screenshots directory. They appear throughout the documentation as well.

Libraries used:

  • ASM – Class editing abilities
  • CFR – Decompilation
  • Simple-Memory-Compiler – Recompilation of decompiled code
  • JIMFS – Virtual file system
  • ControlsFX – Custom controls (used in pretty much everything)
  • RichTextFX – Decompiler code highlighting
  • JRegex – Pattern matching for decompiler code highlighting
  • minimal-json – JSON reading/writing for config storage
  • Commonmark – Markdown parsing
  • picocli – Command line argument parsing

Here are the main new features and improvements in Faraday v3.5:

New vulnerability form
We are happy to introduce our new vulnerability form, which makes creating and editing vulnerabilities easier. The new form uses tabs to keep it smaller and to group related fields.
Custom fields
Add your own custom fields to your vulnerabilities. We currently support str, int and list types. You can also use these fields in your Executive Reports.

2nd-factor authentication
We added the optional feature for 2nd-factor authentication. You can use any mobile application to use our 2nd-factor authentication.


    As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or ZoomEye, but options to add your own custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.
    Operational Security Consideration
    Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead, consider running this tool from a VPS that has all the required dependencies available.
    The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

    Installation
    Installing AutoSploit is very simple; you can find the latest stable release here. You can also download the master branch as a zip or tarball, or follow one of the methods below:

    Cloning

    sudo -s << EOF
    git clone https://github.com/NullArray/AutoSploit.git
    cd AutoSploit
    chmod +x install.sh
    ./install.sh
    python2 autosploit.py
    EOF

    Docker

    sudo -s << EOF
    git clone https://github.com/NullArray/AutoSploit.git
    cd AutoSploit
    chmod +x install.sh
    ./install.sh
    cd Docker
    docker network create -d bridge haknet
    docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
    docker build -t autosploit .
    docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
    EOF

    On any Linux system the following should work:

    git clone https://github.com/NullArray/AutoSploit
    cd AutoSploit
    chmod +x install.sh
    ./install.sh

    AutoSploit is compatible with macOS; however, you have to be inside a virtual environment for it to run successfully. To accomplish this, run the operations below in the terminal or as a shell script.

    sudo -s << '_EOF'
    pip2 install virtualenv --user
    git clone https://github.com/NullArray/AutoSploit.git
    virtualenv venv            # "venv" is an arbitrary placeholder name for the environment
    source venv/bin/activate
    cd AutoSploit
    pip2 install -r requirements.txt
    chmod +x install.sh
    ./install.sh
    python autosploit.py
    _EOF

    More information on running Docker can be found here.

    Usage
    Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.

    1. Usage And Legal
    2. Gather Hosts
    3. Custom Hosts
    4. Add Single Host
    5. View Gathered Hosts
    6. Exploit Gathered Hosts
    99. Quit

    Choosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache, for example, and choose a search engine. After doing so, the collected hosts will be saved to be used in the Exploit component.
    As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I've posted the options below as well for reference.

    usage: python autosploit.py -[c|z|s|a] -[q] QUERY
    [-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH
    [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
    [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

    optional arguments:
    -h, --help show this help message and exit

    search engines:
    possible search engines to use

    -c, --censys use censys.io as the search engine to gather hosts
    -z, --zoomeye use zoomeye.org as the search engine to gather hosts
    -s, --shodan use shodan.io as the search engine to gather hosts
    -a, --all search all available search engines to gather hosts

    requests:
    arguments to edit your requests

    --proxy PROTO://IP:PORT
    run behind a proxy while performing the searches
    --random-agent use a random HTTP User-Agent header
    -P USER-AGENT, --personal-agent USER-AGENT
    pass a personal User-Agent to use for HTTP requests
    -q QUERY, --query QUERY
    pass your search query

    exploits:
    arguments to edit your exploits

    -E PATH, --exploit-file PATH
    provide a text file to convert into JSON and save for
    later use
    -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
    set the configuration for MSF (IE -C default 127.0.0.1
    8080)
    -e, --exploit start exploiting the already gathered hosts

    misc arguments:
    arguments that don't fit anywhere else

    --ruby-exec if you need to run the Ruby executable with MSF use
    this
    --msf-path MSF-PATH pass the path to your framework if it is not in your
    ENV PATH
    --whitelist PATH only exploit hosts listed in the whitelist file

    Dependencies
    Note: All dependencies should be installed by the installation method above; however, if you find they are not:
    AutoSploit depends on the following Python 2.7 modules.

    requests
    psutil

    Should you find you do not have these installed, get them with pip like so.

    pip install requests psutil

    or

    pip install -r requirements.txt

    Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.