Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS, the tool is based on returned status code.



$ git clone atlas
$ cd atlas
$ python


$ python --url --payload="-1234 AND 4321=4321-- AAAA" --dbms=mysql --random-agent -v


  1. Run SQLMap:
$ python -u '' --dbs --random-agent -v 3

Price_ASC') AND 8716=4837 AND ('yajr'='yajr is blocked by WAF/IDS/IPS, now trying with Atlas:

$ python --url '' --payload="') AND 8716=4837 AND ('yajr'='yajr" --random-agent -v

At this point:

$ python -u '' --dbs --random-agent -v 3 --tamper=versionedkeywords,...

What is Subdomain Takeover?
Subdomain takeover is a class of vulnerability where subdomain points to an external service that has been deleted. The external services are Github, Heroku, Gitlab, Tumblr and so on. Let’s assume we have a subdomain that points to an external service such as GitHub. If the Github page is removed by its owner and forgot to remove the DNS entry that points to GitHub service. An attacker can simply takeover subdomain by adding CNAME file containing the
Here is the command that checks CNAME record of a subdomain.
$dig CNAME –>

How Can Takeover script help bug bounty hunters?
There are a lot of sites having thousands of subdomain and it’s really hard to check each subdomain. Here we got a script that shows CNAME record for each domain. It takes a file name as an input and perform some action and finally produce it output, which shows CNAME record for each domain. The input file should contain a list of subdomains.
How can I recognise if the subdomain is vulnerable to subdomain takeover?
There are some fingerprints should be analysed when service is deleted and DNS entry remains as it is. The attacker get this error when visiting vulnerable subdomain such as “There isn’t a Github Pages site here.” or view below image for more detail.

Security researcher @edoverflow has listed all services and their fingerprints. For more detail visit



dex2jar Tools to work with android .dex and java .class files

  1. dex-reader/writer: Read/write the Dalvik Executable (.dex) file. It has a light weight API similar with ASM.
  2. d2j-dex2jar: Convert .dex file to .class files (zipped as jar)
  3. smali/baksmali: disassemble dex to smali files and assemble dex from smali files. different implementation to smali/baksmali, same syntax, but we support escape in type desc “Lcom/dex2jartu1234;”
  4. other tools: d2j-decrypt-string


sh -f ~/path/to/apk_to_decompile.apk

And the output file will be apk_to_decompile-dex2jar.jar.

Need help ?
send email to
or post on issue trackers list above.

HeapHopper is a bounded model checking framework for Heap-implementations.


sudo apt update && sudo apt install build-essential python-dev virtualenvwrapper
git clone && cd ./heaphopper
mkvirtualenv -ppython2 heaphopper
pip install -e .

Required Packages

build-essential python-dev virtualenvwrapper

Required Python-Packages

ana angr cle claripy IPython psutil pyelftools pyyaml


# Gen zoo of permutations gen -c analysis.yaml

# Trace instance
make -C tests trace -c tests/how2heap_fastbin_dup/analysis.yaml -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Gen PoC poc -c tests/how2heap_fastbin_dup/analysis.yaml -r tests/how2heap_fastbin_dup/fastbin_dup.bin-result.yaml -d tests/how2heap_fastbin_dup/fastbin_dup.bin-desc.yaml -s tests/how2heap_fastbin_dup/fastbin_dup.c -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Tests
cd tests
# Show source
cat how2heap_fastbin_dup/fastbin_dup.c
# Run tests
# Show PoC source
cat pocs/malloc_non_heap/fastbin_dup.bin/poc_0_0.c
# Run PoC
./ pocs/malloc_non_heap/fastbin_dup.bin/bin/poc_0_0.bin

This work has been published at the 27th USENIX Security Symposium.
You can read the paper here.

@inproceedings {heaphopper,
author = {Eckert, Moritz and Bianchi, Antonio and Wang, Ruoyu and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
title = {HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {{USENIX} Association},

A PowerShell front-end for the Windows debugger engine.
Ready to tab your way to glory? For a quicker intro, take a look at Getting Started.


  1. This project is not produced, endorsed, or monitored by the Windows debugger team. While the debugger team welcomes feedback about their API and front ends (windbg, kd, et al), they have no connection with this project. Do not file bugs or feedback to the debugger team concerning this project.
  2. This is not a funded project: it has no official resources allocated to it, and is only worked on by volunteers. Do not take any production dependency on this project unless you are willing to support it completely yourself. Feel free to file Issues and submit Pull Requests, but understand that with the limited volunteer resources, it may be a while before your submissions are handled.
  3. This is an experimental project: it is not fully baked, and you should expect breaking changes to be made often.

Corollary of above disclaimers: I would avoid attaching DbgShell to live targets of high value.


Have you ever tried automating anything in the debugger? (cdb/ntsd/kd/windbg) How did that go for you?
The main impetus for DbgShell is that it's just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course. But in my opinion they are not meeting people's needs.

  • Using the built-in scripting language is arcane, limited, difficult to get right, and difficult to get help with.
  • DScript is kind of neat, but virtually unknown, and it lacks a REPL, and it's too low-level.
  • Writing a full-blown debugger extension DLL is very powerful, but it's a significant investment—way too expensive for solving quick, “one-off” problems as you debug random, real-world problems. Despite the cost, there are a large number of debugger extensions in existence. I think there should not be nearly so many; I think the only reason there are so many is because there aren't viable alternatives.
  • Existing attempts at providing a better interface (such as PowerDbg) are based on “scraping” and text parsing, which is hugely limiting (not to mention idealogically annoying) and thus are not able to fulfill the promise of a truly better interface (they are only marginally better, at best).
  • Existing attempts to provide an easier way to write a debugger extension are merely a stop-gap addressing the pain of developing a debugger extension; they don't really solve the larger problem. (for instance, two major shortcomings are: they are still too low-level (you have to deal with the dbgeng COM API), and there's no REPL)
  • The debugger team has recently introduce Javascript scripting. Javascript is a much better (and more well-defined) language than the old windbg scripting language, but I think that PowerShell has some advantages, the largest of which is that nobody really uses a Javascript shell–PowerShell is much better as a combined shell and scripting language.

The goal of the DbgShell project is to bring the goodness of the object-based PowerShell world to the debugging world. When you do ‘dt' to dump an ‘object', you should get an actual object. Scripting should be as easy as writing a PowerShell script.
The DbgShell project provides a PowerShell front-end for dbgeng.dll, including:

  • a managed “object model” (usable from C# if you wished), which is higher-level than the dbgeng COM API,
  • a PowerShell “navigation provider”, which exposes aspects of a debugging target as a hierarchical namespace (so you can “cd” to a particular thread, type “dir” to see the stack, “cd” into a frame, do another “dir” to see locals/registers/etc.),
  • cmdlets for manipulating the target,
  • a custom PowerShell host which allows better control of the debugger CLI experience, as well as providing features not available in the standard powershell.exe host (namely, support for text colorization using ANSI escape codes (a la ISO/IEC 6429))

The custom host is still a command-line (conhost.exe-based) program (analogous to ntsd/cdb/kd), but it can be invoked from windbg (!DbgShell).
In addition to making automation much easier and more powerful, it will address other concerns as well, such as ease of use for people who don't have to use the debuggers so often. (one complaint I've heard is that “when I end up needing to use windbg, I spend all my time in the .CHM”)
For seasoned windbg users, on the other hand, another goal is to make the transition as seamless as possible. So, for instance, the namespace provider is not the only way to access data; you can still use traditional commands like “~3 s“, “k“, etc.


Notable Features

  • Color: support for text colorization using ANSI escape codes (a la ISO/IEC 6429)
  • Custom formatting engine: Don't like .ps1xml stuff? Me neither. In addition to standard table, list, and custom views, you can define “single-line” views which are very handy for customizing symbol value displays.
  • Custom symbol value conversion: For most variables, the default conversion and display are good. But sometimes, you'd like the debugger to do a little more work for you. The symbol value conversion feature allows, for instance, STL collection objects to be transformed into .NET collection objects that are much easier to deal with.
  • Derived type detection: For when your variable is an IFoo, but the actual object is a FooImpl.
  • Rich type information: exposed for your programmatic pleasure.
  • Q: Does it work in WinDbg? I will only use WinDbg. A: Yes–load up the DbgShellExt.dll extension DLL, and then run “!dbgshell” to pop open a DbgShell console.

Other topics

You can find a short (3 minute) video introduction here: is a simple tool to perform an initial and quick triage on a directory containing malware samples (not zipped).
This tool aims to :

  1. Determining similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column from output). Thus, colors matter!
  2. Determining whether executable malware samples are packed or not packed according to the following rules:
         2a. Two or more sections with Entropy > 7.0 or  Packed.

    2b. One one section with Entropy > 7.0 or two sections with SizeOfRawData ==> Likely packed.

    2c. None section with Entropy > 7.0 or SizeOfRawData ==> not packed.
  3. Determining whether the malware samples contain overlay.
  4. Determining the .text section entropy. only examines PE/PE+ files, skipping everything else.  
  5. Checking each malware sample against Virus Total.

This tool was tested on a Kali Linux 2018 system. Therefore, it will be necessary to install:

  1. Python version 2.7.x.
    $ apt-get install python
  2. Python-magic.
    To install python-magic package you can execute the following command:
    $ pip install python-magic

    Or compiling it from the github repository:

    $ git clone
    $ cd python-magic/
    $ python build
    $ python install

    As there are serious problems about existing two versions of python-magic package, my recommendation is to install it from github (second procedure above) and copy the file to the SAME directory of malwoverview tool.

  3. Pefile and colorama packages:
    $ pip install pefile
    $ pip install colorama
    $ pip install simple-json
    $ pip install requests

To use the malwoverview, execute the command as shown below:

  $ python malwoverview -d  -f  -i  -b  -v  -a  -p  -s  -x 


     -d is the folder containing malware samples. 
-f specifies the full path to a file. Shows general information about the file (any filetype).
(optional) -b 1 forces light gray background (for black terminals). It does not work with -f option.
(optional) -i 1 show imports and exports (it is used with -f option).
(optional) -x 1 extracts overlay (it is used with -f option).
(optional) -v 1 queries Virus Total database for positives and totals (any filetype).
(optional) -a 1 (optional) query Hybrid Analysis database for general report.Thus, you need to edit the and insert your HA API and respective secret.
(optional) -s 1 shows antivirus reports from the main players. This option is used with
-f option (any filetype).
(optional) -p 1 use this option if you have a public Virus Total API. It forces a one minute wait
every 4 malware samples, but allows obtaining a complete evaluation of the malware repository..

If you use Virus Total option, so it is necessary to edit the and insert your VT API.

Remember that public VT API only allows 4 searches per second (as shown at the image above). Therefore, if you
are willing to wait some minutes, so you can use the -p option, which forces a one minute wait every 4 malware
samples, but allows obtaining a complete evaluation of the repository.

*ATENTION: if the directory contains many malware samples, so could take some time. :)

Version 1.4:

  This version:

* Adds the -a option for getting the Hybrid Analysis summary report.
* Adds the -i option for listing imported and exported functions. Therefore, imported/exported function
report was decoupled for a separated option.

Version 1.3:

  This version:

* Adds the -p option for public Virus Total API.

Version 1.2:

  This version includes:

* evaluates a single file (any filetype)
* shows PE sessions.
* shows imported functions.
* shows exported function.
* extracts overlay.
* shows AV report from the main players. (any filetype)

Version 1.1:

  This version:

* Adds the VT checking feature.

Version 1.0:

  Malwoverview is a tool to perform a first triage of malware samples in a directory and group them according 
to their import functions (imphash) using colors. This version:

* Shows the imphash information classified by color.
* Checks whether malware samples are packed.
* Checks whether malware samples have overlay.
* Shows the entropy of the malware samples.


Important aspect: Malwoverview does NOT submit samples to VT. It submits only hashes, so respecting Non-Disclosure Agreements (NDAs).

What is DarkSpiritz?

Created by the SecTel Team it was a project of one of the owners to update and clean-up an older pentesting framework he had created to something updated and modern. DarkSpiritz is a re-vamp of the very popular framework known as “Roxysploit”. You may be familiar with this framework and if you are then it will help you with DarkSpiritz. DarkSpiritz also works like another pentesting framework known as Metasploit. If you know how to use metasploit setting up and working with DarkSpiritz will be a breeze. Inside the program itself you will find a lot of help and documentation on plugins or you can head to our wiki here. If you need any help feel free to contact us at

Getting Started
Clone the repository with git:

git clone

DarkSpiritz wiki available here
To install DarkSpiritz clone the github repo and run:

sudo python

This will download all necessary modules for DarkSpiritz. Once you run this you will be able to run:


from within the same directory as DarkSpiritz.
You will see a start-up screen. This screen will display things like commands and configuration settings. You can set configuration settings inside the config.xml file itself or through commands in the DarkSpiritz shell.

These are features that DarkSpiritz Team prides themself on based on this program:

  • Real Time Updating of Configuration
  • Never a need to restart the program even when adding plugins or editing them.
  • Easy to use UX
  • Multi-functionality


XenoScan is a memory scanner which can be used to scan the memory of processes to locate the specific locations of important values. These types of tools are typically used when hacking video games, as they allow one to locate the values representing the game's state in memory.
XenoScan is written in C++ with a Lua frontend, and I've been working on advanced functionality that goes beyond anything that has been in any other memory scanners I've seen. Notably, it has a way to enumerate and return all complex data structures (such as std::list and std::map) in the target's memory space, and it can even scan for any class instances and group the discovered instances by their underlying types.

If you need to get in touch with me, want a place to chat, or have a question, my Discord is the best place.


XenoLua is a wrapper around Lua that provides a ton of functionality. Most notably, it provides a LuaVariant class which wraps the functionality of converting between C/C++ and Lua types. Additionally, it has helper functions for working with Lua in the LuaPrimitive class.

XenoScanEngine is the meat of the project. It contains the code for the scanning, data structure detection, and everything else.

XenoScanLua ties XenoScanEngine to XenoLua to provide a Lua-scriptable frontend for the scanner. Currently, this is the only entry-point to the scanner.
Additionally, this project contains some test code that ensures everything is working properly. A test is a combination of a .cpp, a .h, and a .lua file. For examples on how to use the scanner, you can check out the .lua test files.

XenoScan uses CMake, and has been tested with Visual Studio 2017. In theory, you should be able to build the code with any modernish compiler, as long as you use CMake to generate the project files. Before you can compile, you will need to make sure you've checked out the submodules. Once that's done, you'll also have to build the luajit submodule so XenoScan can link against the libraries.
If you're using Visual Studio, this should be easy. Simply run buildmsvc2017.bat from a Developer Command Prompt for VS. As an example, to build a project for Visual Studio 2017, I run

cd C:pathtoXenoScan

Which would make a file named XenoScan.sln appear in my build directory (e.g. C:pathtoXenoScanbuild).
The main development of XenoScan is done on this version of Visual Studio.
If you're on another system or using another compiler or IDE, you'll have to build luajit on your own and run CMake manually.

The code is designed to be platform-agnostic. Theoretically, to compile on any other platform, you would need to

  1. Create project/make files for your target IDE/compiler.
  2. Remove the ScannerTargetWindows.cpp and ScannerTargetWindows.h files from the project.
  3. Implement the ScannerTarget interface for your platform.
  4. Add your implementation to the project.
  5. ???? profit

Basic scanning functionality supports the following types:

  • Integral types*:
    • int8_t
    • uint8_t
    • int16_t
    • uint16_t
    • int32_t
    • uint32_t
    • int64_t
    • uint64_t
  • float
  • double
  • ascii strings
  • wide strings
  • Custom data structures (think C++ struct)
    • Can consist of any combination integral and decimal types

* Lua frontend may choke on 64-bit integers, but the scanner library supports them.
Scanning supports the following types of matching:

  • Equal to
  • Greater than
  • Greater than or equal to
  • Less than
  • Less than or equal to
  • Ranges (min <= check <= max)

Additionally, there is functionality to detect all instances of the following types:

  • std::map
  • std::list
  • Any class with a virtual-function table

Burpsuite Plugin to decrypt AES Encrypted mobile app traffic.


  • Burpsuite
  • Java

Tested on

  • Burpsuite 1.7.36
  • Windows 10
  • xubuntu 18.04
  • Kali Linux 2018

What it does

  • Decrypt AES Encrypted traffic on proxy tab
  • Decrypt AES Encrypted traffic on proxy, scanner, repeater and intruder

How it works

  • Require AES Encryption Key (Can be obtained by reversing mobile app)
  • Require AES Encryption Initialize Vector (Can be obtained by reversing mobile app)
  • Request Parameter (Leave blank in case of whole request body)
  • Response Parameter (Leave blank in case of whole response body)
  • Character Separated with space for obfuscation on request/response
  • URL/Host of target to filter request and response

How to Install

Download jar file from Release and add in burpsuite

Original Request/Response

Decrypted Request/Response

pwnedOrNot uses haveibeenpwned v2 api to test email accounts and tries to find the password in Pastebin Dumps.

haveibeenpwned offers a lot of information about the compromised email, some useful information is displayed by this script:

  • Name of Breach
  • Domain Name
  • Date of Breach
  • Fabrication status
  • Verification Status
  • Retirement status
  • Spam Status

And with all this information pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the password.

Tested on

  • Kali Linux 18.2
  • Ubuntu 18.04
  • Kali Nethunter
  • Termux

Ubuntu / Kali Linux / Nethunter / Termux

chmod 777


python -h
usage: [-h] [-e EMAIL] [-f FILE]

optional arguments:
-h, --help show this help message and exit
-e EMAIL, --email EMAIL Email account you want to test
-f FILE, --file FILE Load a file with multiple email accounts