sn0int is a semi-automatic OSINT framework and package manager. It was built for IT security professionals and bug hunters to gather intelligence about a given target or about yourself. sn0int is enumerating attack surface by semi-automatically processing public information and mapping the results in a unified format for followup investigations.
Among other things, sn0int is currently able to:
  • Harvest subdomains from certificate transparency logs
  • Harvest subdomains from various passive dns logs
  • Sift through subdomain results for publicly accessible websites
  • Harvest emails from pgp keyservers
  • Enrich ip addresses with ASN and geoip info
  • Harvest subdomains from the wayback machine
  • Gather information about phonenumbers
  • Bruteforce interesting urls
sn0int is heavily inspired by recon-ng and maltego, but remains more flexible and is fully opensource. None of the investigations listed above are hardcoded in the source, instead those are provided by modules that are executed in a sandbox. You can easily extend sn0int by writing your own modules and share them with other users by publishing them to the sn0int registry. This allows you to ship updates for your modules on your own since you don't need to send a pull request.

Join on IRC: irc.hackint.org:6697/#sn0int

Getting started

image
sn0int is a semi-automatic OSINT framework and package manager. It was built for IT security professionals and bug hunters to gather intelligence about a given target or about yourself. sn0int is enumerating attack surface by semi-automatically processing public information and mapping the results in a unified format for followup investigations. Among other things, sn0int is currently able to: Harvest subdomains from certificate transparency logs Harvest subdomains from various passive dns logs Sift through subdomain results for publicly accessible websites Harvest emails from pgp keyservers Enrich ip addresses with ASN and geoip info Harvest subdomains from the wayback machine Gather information about phonenumbers Bruteforce interesting urls sn0int is heavily inspired by recon-ng and maltego, but remains more flexible and is fully opensource. None of the investigations listed above are hardcoded in the source, instead those are provided by modules that are executed in a sandbox. You can easily extend sn0int by writing your own modules and share them with other users by publishing them to the sn0int registry. This allows you to ship updates for your modules on your own since you don't need to send a pull request. Join on IRC: irc.hackint.org:6697/#sn0int Getting started Installation Archlinux Debian/Ubuntu/Kali Alpine Docker OpenBSD Mac OSX Windows Running your first investigation Installing the default modules Adding something to scope Running a module Running followup modules on the results Unscoping entities Scripting Write your first module Publish your module Database db_add db_update db_select Keyring Managing the keyring Using access keys in scripts Using access keys as source argument Configuration Configuring a proxy Sandbox Linux OpenBSD IPC Protocol Limitations Function reference clear_err db_add db_select db_update dns error asn_lookup geoip_lookup html_select html_select_list http_mksession http_request http_send info json_decode json_decode_stream json_encode keyring last_err pgp_pubkey pgp_pubkey_armored print psl_domain_from_dns_name regex_find regex_find_all sleep status stdin_readline url_decode url_encode url_escape url_join url_parse url_unescape utf8_decode x509_parse_pem Download Sn0Int

This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests that will trigger these rules. Users can verify the execution of the rule after the tests are issued to make sure the expected response is received from an attack.

Goals / Use cases include:
  • Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks to a WAF
  • Provide a testing framework for new rules into ModSecurity, if a rule is submitted it MUST have corresponding positive & negative tests
  • Evaluate WAFs against a common, agreeable baseline ruleset (OWASP)
  • Test and verify custom rules for WAFs that are not part of the core rule set
For our 1.0 release announcement, check out the OWASP CRS Blog

Installation

  • git clone https://github.com/CRS-support/ftw.git
  • cd ftw
  • virtualenv env && source ./env/bin/activate
  • pip install -r requirements.txt
  • py.test -s -v test/test_default.py --ruledir=test/yaml

Writing your first tests
The core of FTW is it's extensible yaml based tests. This section lists a few resources on how they are formatted, how to write them and how you can use them.
OWASP CRS wrote a great blog post describing how FTW tests are written and executed.
YAMLFormat.md is ground truth of all yaml fields that are currently understood by FTW.
After reading these two resources, you should be able to get started in writing tests. You will most likely be checking against status code responses, or web request responses using the log_contains directive. For integrating FTW to test regexes within your WAF logs, refer to ExtendingFTW.md

Provisioning Apache+Modsecurity+OWASP CRS
If you require an environment for testing WAF rules, there has been one created with Apache, Modsecurity and version 3.0.0 of the OWASP core ruleset. This can be deployed by:

  • Checking out the repository: git clone https://github.com/fastly/waf_testbed.git
  • Typing vagrant up

image
This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests that will trigger these rules. Users can verify the execution of the rule after the tests are issued to make sure the expected response is received from an attack. Goals / Use cases include: Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks to a WAF Provide a testing framework for new rules into ModSecurity, if a rule is submitted it MUST have corresponding positive & negative tests Evaluate WAFs against a common, agreeable baseline ruleset (OWASP) Test and verify custom rules for WAFs that are not part of the core rule set For our 1.0 release announcement, check out the OWASP CRS Blog Installation git clone https://github.com/CRS-support/ftw.git cd ftw virtualenv env && source ./env/bin/activate pip install -r requirements.txt py.test -s -v test/test_default.py –ruledir=test/yaml Writing your first tests The core of FTW is it's extensible yaml based tests. This section lists a few resources on how they are formatted, how to write them and how you can use them. OWASP CRS wrote a great blog post describing how FTW tests are written and executed. YAMLFormat.md is ground truth of all yaml fields that are currently understood by FTW. After reading these two resources, you should be able to get started in writing tests. You will most likely be checking against status code responses, or web request responses using the log_contains directive. For integrating FTW to test regexes within your WAF logs, refer to ExtendingFTW.md Provisioning Apache+Modsecurity+OWASP CRS If you require an environment for testing WAF rules, there has been one created with Apache, Modsecurity and version 3.0.0 of the OWASP core ruleset. This can be deployed by: Checking out the repository: git clone https://github.com/fastly/waf_testbed.git Typing vagrant up Download FTW

image
identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. Blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. http://?aeD0oowi=1 AND 2>1 ). Currently it supports more than 60 different protection products (e.g. aeSecure , Airlock , CleanTalk , CrawlProtect , Imunify360 , MalCare , ModSecurity , Palo Alto , SiteGuard , UrlScan , Wallarm , WatchGuard , Wordfence , etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for the future reference. Screenshots Installation You can download the latest zipball by clicking here . Preferably, you can download identYwaf by cloning the Git repository: git clone –depth 1 https://github.com/stamparm/identYwaf.git identYwaf works out of the box with Python version 2.6.x and 2.7.x on any platform. Usage $ python identYwaf.py __ __ ____ ___ ___ ____ ______ | T T __ __ ____ _____ l j| / _]| | T| | || T__T T / T| __| | T | / [_ | _ Yl_j l_j| ~ || | | |Y o || l_ | | | D YY _]| | | | | |___ || | | || || _| j l | || [_ | | | | | | ! / | | || ] |____jl_____jl_____jl__j__j l__j l____/ _/_/ l__j__jl__j (1.0.X) Usage: python identYwaf.py [options] Options: –version Show program's version number and exit -h, –help Show this help message and exit –delay=DELAY Delay (sec) between tests (default: 0) –timeout=TIMEOUT Response timeout (sec) (default: 10) –proxy=PROXY HTTP proxy address (e.g. “http://127.0.0.1:8080”) Download identYwaf

identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. Blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. http://?aeD0oowi=1 AND 2>1). Currently it supports more than 60 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing.
Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for the future reference.

Screenshots

Installation
You can download the latest zipball by clicking here.
Preferably, you can download identYwaf by cloning the Git repository:
git clone --depth 1 https://github.com/stamparm/identYwaf.git
identYwaf works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

$ python identYwaf.py 
__ __
____ ___ ___ ____ ______ | T T __ __ ____ _____
l j| / _]| | T| | || T__T T / T| __|
| T | / [_ | _ Yl_j l_j| ~ || | | |Y o || l_
| | | D YY _]| | | | | |___ || | | || || _|
j l | || [_ | | | | | | ! / | | || ]
|____jl_____jl_____jl__j__j l__j l____/ _/_/ l__j__jl__j (1.0.X)

Usage: python identYwaf.py [options]

Options:
--version Show program's version number and exit
-h, --help Show this help message and exit
--delay=DELAY Delay (sec) between tests (default: 0)
--timeout=TIMEOUT Response timeout (sec) (default: 10)
--proxy=PROXY HTTP proxy address (e.g. "http://127.0.0.1:8080")

image
A Testing Environment for Manual Security Testers. Sh00t is a task manager to let you focus on performing security testing provides To Do checklists of test cases helps to create bug reports with customizable bug templates Features: Dynamic Task Manager to replace simple editors or task management tools that are NOT meant for Security Automated, customizable Security test-cases Checklist to replace Evernote, OneNote or other tools which are NOT meant for Security Manage custom bug templates for different purposes and automatically generate bug report Support multiple Assessments & Projects to logically separate your different needs Use like a paper – Everything's saved automatically Export auto generated bug report into Markdown & submit blindly on HackerOne! (WIP) Integration with JIRA, ServiceNow – Coming soon Export bug report into Markdown – Coming soon Customize everything under-the-hood Installation: Sh00t requires Python 3 and a few more packages. The simplest way to set up Sh00t is using Conda Environments. However, Anaconda is optional if you have Python 3 and pip installed – you can jump to step 4 below. Pre-requisite – One time setup: Install the minimal version of Anaconda: Miniconda and follow the installation instruction . Remember to reload your bash profile or restart your terminal application to avail conda command. For windows, launch Anaconda Prompt and run all the below commands in that window only. Create a new Python 3 environment: conda create -n sh00t python=3.6 Activate _ sh00t _ environment: conda activate sh00t . If you see an error message like CommandNotFoundError: Your shell has not been properly configured to use ‘conda activate'. , you have to manually enable conda command. Follow the instructions shown with the error message. You may have to reload your bash profile or restart your terminal. Try activating sh00t again: conda activate sh00t . You should be seeing (sh00t) XXXX$ in your terminal. Clone or download the latest project into a location of your choice: https://github.com/pavanw3b/sh00t . git clone requires installation of Git. Navigate to the folder where sh00t is cloned or downloaded & extracted: cd sh00t . Note that this is the outer-most _ sh00t _ directory in project files. Not _ sh00t/sh00t _ . Install Sh00t dependency packages: pip install -r requirements.txt Setup database: python manage.py migrate Create an User Account: python manage.py createsuperuser and follow the UI to create an account. Optional but recommended: Avail 174 Security Test Cases from OWASP Testing Guide (OTG) and Web Application Hackers Handbook (WAHH): python reset.py . That's all for the first time. Follow the next steps whenever you want to start Sh00t. Starting Sh00t: If you have Python 3 installed on your machine, you can jump to Step 3 . For Linux/Mac, Open Terminal. For Windows, open Anaconda Prompt . Activate sh00t environment if not on yet: conda activate sh00t Navigate to sh00t directory if not in already: cd sh00t Start Sh00t server: python manage.py runserver Access http://127.0.0.1:8000/ on your favorite browser. Login with the user credentials created in the one-time setup above. Welcome to Sh00t! Once you are done, stop the server: Ctrl + C [Optional] Deactivate sh00t environment to continue with your other work: conda deactivate . Upgrade: Navigate to the folder where sh00t was cloned: cd sh00t Stop the server if it's running: Ctrl + C Pull the latest code base via git: git pull or download the source from github and replace the files. Activate sh00t environment if not on yet: conda activate sh00t Setup any additional dependencies: pip install -r requirements.txt Make the latest database changes: python manage.py migrate Start the server: python manage.py runserver Troubleshoot: Sh00t is written in Python and powered by Django Web Framework. If you are stuck with any errors, Googling on the error message, should help you most of the times. If you are not sure, please file a new issue on github . Glossary: Flag: A Flag is a target that is sh00ted at. It's a test case that needs to be tested. Flags are generated automatically based on the testing methodology chosen. The bug might or might not be found – but the goal is to aim and sh00t at it. Flag contains detailed steps for testing. If the bug is confirmed, then it's called a sh0t. Sh0t: Sh0ts are bugs. Typically Sh0t contain technical description of the bug, Affected Files/URLs, Steps To Reproduce and Fix Recommendation. Most of the contents of Sh0t is one-click generated and only the dynamic content like Affected Parameters, Steps has to be changed. Sh0ts can belong to Assessment. Assessment: Assessment is a testing assessment. It can be an assessment of an application, a program – up to the user the way wanted to manage. It's a part of project. Project: Project contains assessments. Project can be a logical separation of what you do. It can be different job, bug bounty, up to you to decide. How does it work? Begin with creating a new Assessment. Choose what methodology you want to test with. Today there are 330 test cases, grouped into 86 Flags, belonging to 13 Modules which are created with reference to “Web Application Hacker's Handbook” Testing Methodology. Modules & Flags can be handpicked & customized. Once Assessments are created with the Flags, now the tester has to test them either manually, or semi automated with the help of scanners, tools or however it's required, mark it “Done” on completion. While performing assessment we often come with custom test cases that is specific to certain scenario in the application. A new Flag can be created easily at any point of time. Whenever a Flag is confirmed to be a valid bug, a Sh0t can be created. One can choose a bug template that matches best, and sh00t will auto fill the bug report based on the template chosen. Screenshots: Dashboard: Working on a Flag: Choosing Methodology and Test Cases while creating a new Assessment: Filing a bug pre-filled with a template: Who can use Sh00t? Application Security Engineers: Pentesting & Vulnerability Assessments Bug bounty hunters Independent Security Researchers Blue team, developers who fix Anybody who wants to hack Implementation details: Language: Python 3 Framework: Django Web Framework Dependencies: Django REST Framework, djnago-tables2: Managed by /requirements.txt UI: Bootstrap – Responsive Contribution: Pavan: @pavanw3b Aditya Ganapathy Credits: Hari Valugonda Mohd Aqeel Ahmed Ajeeth Rakkappan Download Sh00T

A Testing Environment for Manual Security Testers.

Sh00t

  • is a task manager to let you focus on performing security testing
  • provides To Do checklists of test cases
  • helps to create bug reports with customizable bug templates


Features:

  • Dynamic Task Manager to replace simple editors or task management tools that are NOT meant for Security
  • Automated, customizable Security test-cases Checklist to replace Evernote, OneNote or other tools which are NOT meant for Security
  • Manage custom bug templates for different purposes and automatically generate bug report
  • Support multiple Assessments & Projects to logically separate your different needs
  • Use like a paper – Everything's saved automatically
  • Export auto generated bug report into Markdown & submit blindly on HackerOne! (WIP)
  • Integration with JIRA, ServiceNow – Coming soon
  • Export bug report into Markdown – Coming soon
  • Customize everything under-the-hood

Installation:
Sh00t requires Python 3 and a few more packages. The simplest way to set up Sh00t is using Conda Environments. However, Anaconda is optional if you have Python 3 and pip installed – you can jump to step 4 below.
Pre-requisite – One time setup:

  1. Install the minimal version of Anaconda: Miniconda and follow the installation instruction. Remember to reload your bash profile or restart your terminal application to avail conda command. For windows, launch Anaconda Prompt and run all the below commands in that window only.
  2. Create a new Python 3 environment: conda create -n sh00t python=3.6
  3. Activate sh00t environment: conda activate sh00t. If you see an error message like CommandNotFoundError: Your shell has not been properly configured to use 'conda activate'., you have to manually enable conda command. Follow the instructions shown with the error message. You may have to reload your bash profile or restart your terminal. Try activating sh00t again: conda activate sh00t. You should be seeing (sh00t) XXXX$ in your terminal.
  4. Clone or download the latest project into a location of your choice: https://github.com/pavanw3b/sh00t. git clone requires installation of Git.
  5. Navigate to the folder where sh00t is cloned or downloaded & extracted: cd sh00t. Note that this is the outer-most sh00t directory in project files. Not sh00t/sh00t.
  6. Install Sh00t dependency packages: pip install -r requirements.txt
  7. Setup database: python manage.py migrate
  8. Create an User Account: python manage.py createsuperuser and follow the UI to create an account.
  9. Optional but recommended: Avail 174 Security Test Cases from OWASP Testing Guide (OTG) and Web Application Hackers Handbook (WAHH): python reset.py.

That's all for the first time. Follow the next steps whenever you want to start Sh00t.
Starting Sh00t:
If you have Python 3 installed on your machine, you can jump to Step 3.

  1. For Linux/Mac, Open Terminal. For Windows, open Anaconda Prompt.
  2. Activate sh00t environment if not on yet: conda activate sh00t
  3. Navigate to sh00t directory if not in already: cd sh00t
  4. Start Sh00t server: python manage.py runserver
  5. Access http://127.0.0.1:8000/ on your favorite browser. Login with the user credentials created in the one-time setup above.
  6. Welcome to Sh00t!
  7. Once you are done, stop the server: Ctrl + C
  8. [Optional] Deactivate sh00t environment to continue with your other work: conda deactivate.

Upgrade:

  • Navigate to the folder where sh00t was cloned: cd sh00t
  • Stop the server if it's running: Ctrl + C
  • Pull the latest code base via git: git pull or download the source from github and replace the files.
  • Activate sh00t environment if not on yet: conda activate sh00t
  • Setup any additional dependencies: pip install -r requirements.txt
  • Make the latest database changes: python manage.py migrate
  • Start the server: python manage.py runserver

Troubleshoot:
Sh00t is written in Python and powered by Django Web Framework. If you are stuck with any errors, Googling on the error message, should help you most of the times. If you are not sure, please file a new issue on github.

Glossary:

  • Flag: A Flag is a target that is sh00ted at. It's a test case that needs to be tested. Flags are generated automatically based on the testing methodology chosen. The bug might or might not be found – but the goal is to aim and sh00t at it. Flag contains detailed steps for testing. If the bug is confirmed, then it's called a sh0t.
  • Sh0t: Sh0ts are bugs. Typically Sh0t contain technical description of the bug, Affected Files/URLs, Steps To Reproduce and Fix Recommendation. Most of the contents of Sh0t is one-click generated and only the dynamic content like Affected Parameters, Steps has to be changed. Sh0ts can belong to Assessment.
  • Assessment: Assessment is a testing assessment. It can be an assessment of an application, a program – up to the user the way wanted to manage. It's a part of project.
  • Project: Project contains assessments. Project can be a logical separation of what you do. It can be different job, bug bounty, up to you to decide.

How does it work?
Begin with creating a new Assessment. Choose what methodology you want to test with. Today there are 330 test cases, grouped into 86 Flags, belonging to 13 Modules which are created with reference to “Web Application Hacker's Handbook” Testing Methodology. Modules & Flags can be handpicked & customized. Once Assessments are created with the Flags, now the tester has to test them either manually, or semi automated with the help of scanners, tools or however it's required, mark it “Done” on completion. While performing assessment we often come with custom test cases that is specific to certain scenario in the application. A new Flag can be created easily at any point of time.
Whenever a Flag is confirmed to be a valid bug, a Sh0t can be created. One can choose a bug template that matches best, and sh00t will auto fill the bug report based on the template chosen.

Screenshots:

Dashboard:

Working on a Flag:

Choosing Methodology and Test Cases while creating a new Assessment:

Filing a bug pre-filled with a template:

Who can use Sh00t?

  • Application Security Engineers: Pentesting & Vulnerability Assessments
  • Bug bounty hunters
  • Independent Security Researchers
  • Blue team, developers who fix
  • Anybody who wants to hack

Implementation details:

  • Language: Python 3
  • Framework: Django Web Framework
  • Dependencies: Django REST Framework, djnago-tables2: Managed by /requirements.txt
  • UI: Bootstrap – Responsive

Contribution:

Credits:

  • Hari Valugonda
  • Mohd Aqeel Ahmed
  • Ajeeth Rakkappan

image
Open source network observation, positioning, and display client from the world's largest queryable database of wireless networks. Can be used for site-survey, security analysis, and competition with your friends. Collect networks for personal research or upload to https://wigle.net. WiGLE has been collecting and mapping network data since 2001, and currently has over 350m networks. WiGLE is not a list of networks you can use. Uses GPS to estimate locations of observed networks. Observations logged to local database to track your networks found. Upload and compete on the global WiGLE.net leaderboard. Real-time map of networks found, with overlays from entire WiGLE dataset. Free, open source, no ads (pull requestes welcome at https://github.com/wiglenet/wigle-wifi-wardriving ). Export to CSV files on SD card (comma separated values). Export to KML files on SD card (to import into Google Maps/Earth). Bluetooth GPS support through mock locations. Audio and Text-to-Speech alerting and “Mute” option to shut off all sound/speech. Download Wigle

Open source network observation, positioning, and display client from the world's largest queryable database of wireless networks. Can be used for site-survey, security analysis, and competition with your friends. Collect networks for personal research or upload to https://wigle.net. WiGLE has been collecting and mapping network data since 2001, and currently has over 350m networks. WiGLE is *not* a list of networks you can use.
  • Uses GPS to estimate locations of observed networks.
  • Observations logged to local database to track your networks found.
  • Upload and compete on the global WiGLE.net leaderboard.
  • Real-time map of networks found, with overlays from entire WiGLE dataset.
  • Free, open source, no ads (pull requestes welcome at https://github.com/wiglenet/wigle-wifi-wardriving ).
  • Export to CSV files on SD card (comma separated values).
  • Export to KML files on SD card (to import into Google Maps/Earth).
  • Bluetooth GPS support through mock locations.
  • Audio and Text-to-Speech alerting and “Mute” option to shut off all sound/speech.