Channel: Darknet – Hacking Tools, Hacker News & Cyber Security

Termineter – Smart Meter Security Testing Framework


Termineter is a Python Smart Meter Security Testing framework which allows authorised individuals to test Smart Meters for vulnerabilities such as energy consumption fraud, network hijacking, and more.


Many of these vulnerabilities have been highlighted by the media and advisories have been sent out by law enforcement agencies. The goal of a public release for this utility is to promote security awareness for Smart Meters and provide a tool that brings basic testing capabilities to the community and meter manufacturers so that security can be improved.

Power companies can use the framework to identify and validate internal flaws that leave them susceptible to fraud and significant vulnerabilities.


How it Works

Termineter uses the ANSI C12.18 and C12.19 protocols for communication over an optical interface. Currently supported are meters using C12.19-2007 with 7-bit character sets.

This is the most common configuration found in North America. Termineter communicates with Smart Meters via a connection using an ANSI type-2 optical probe with a serial interface.

Users must have general knowledge of the meter’s internal workings in order to use Termineter proficiently.

Usage

termineter [-h] [-v] [-L {DEBUG,INFO,WARNING,ERROR,CRITICAL}]  [-r RESOURCE_FILE]

  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -L {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        set the logging level
  -r RESOURCE_FILE, --rc-file RESOURCE_FILE
                        execute a resource file

Modules

  • brute_force_login – Brute Force Credentials
  • dump_tables – Dump Readable C12.19 Tables From The Device To A CSV File
  • enum_tables – Enumerate Readable C12.19 Tables From The Device
  • get_info – Get Basic Meter Information By Reading Tables
  • get_log_info – Get Information About The Meter’s Logs
  • get_modem_info – Get Information About The Integrated Modem
  • get_security_info – Get Information About The Meter’s Access Control
  • read_table – Read Data From A C12.19 Table
  • run_procedure – Initiate A Custom Procedure
  • set_meter_id – Set The Meter’s I.D.
  • set_meter_mode – Change the Meter’s Operating Mode
  • write_table – Write Data To A C12.19 Table

You can download Termineter here:

termineter-v0.2.6.zip

Or you can read more here.

The post Termineter – Smart Meter Security Testing Framework appeared first on Darknet - The Darkside.


WikiLeaks Exposes Massive CIA Leak Including Hacking Tools


WikiLeaks has dropped another massive bomb called “Vault7”, basically a massive CIA leak which covers documents, correspondence, hacking tools, exploits and much more.

It details sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Smart TVs.


The first installment published already contains 7,818 web pages with 943 attachments and WikiLeaks has stated this is only part of the cache.

It also appears the CIA has managed to circumvent the security controls in Signal, WhatsApp and Telegram – most likely by compromising the phone and grabbing the plain-text rather than cracking the encryption itself.

WikiLeaks has dumped online what appears to be a trove of CIA documents outlining the American murder-snoops’ ability to spy on people.

The leaked files describe security exploits used to compromise vulnerable Android handhelds, Apple iPhones, Samsung TVs, Windows PCs, Macs, and other devices, to read messages, listen in via built-in microphones, and so on. The dossiers discuss malware that can infect CD and DVD disc file systems, and USB sticks, to jump air-gaps and compromise sensitive and protected machines – plus loads more spying techniques and tools.

Yes, government surveillance has a chilling effect on freedom of expression. But, no, none of this cyber-spying should be a surprise.

The tranche of CIA documents – a mammoth 8,761 files dubbed “Year Zero” – accounts for “the entire hacking capacity of the CIA,” WikiLeaker-in-chief Julian Assange boasted today. He said the documents show the intelligence agency had lost “control of its arsenal” of exploits and hacking tools, suggesting they were passed to the website by a rogue operative.


It’s pretty similar in many ways to the 2016 NSA Shadow Brokers hack we wrote about.

The CIA hasn’t publicly confirmed the authenticity of the documents, but third parties have, including former intelligence officers.

“‘Year Zero’ introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal, and dozens of ‘zero day’ weaponized exploits against a wide range of US and European company products, [including] Apple’s iPhone, Google’s Android, Microsoft’s Windows and even Samsung’s TVs, which are turned into covert microphones,” the WikiLeaks team said in a statement.

“The archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” it added.

One silver lining is that this leak demonstrates it is so difficult to crack today’s end-to-end encryption apps, such as Signal and WhatsApp, that spies have to drill into the underlying devices and computers to snoop on people. That’s a lot of effort, cost, and risk, compared to eavesdropping on communications on the wire, which strong end-to-end cryptography comfortably thwarts. Agents are therefore forced to carry out targeted snooping on individuals’ devices, rather than carry out mass blanket surveillance.

Meanwhile, some folks are speculating that the source of the leak could be the Russians, and its true purpose is to derail the CIA for political gain.

Many of the tools, attachments and code archives have been redacted by WikiLeaks, which stated it was not releasing the computer code for actual, usable weapons “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

What’s contained aren’t exactly really zero-day exploits anymore though as this cache is claimed to be from 2013-2016 – but looks more like it’s predominantly from the 2013-2014 period.

That said, I won’t be getting a TV with a microphone or a camera any time soon.

Source: The Register


Angry IP Scanner – Fast Network Scanner


Angry IP Scanner is a very easy to use, fast network scanner: a cross-platform IP address and port scanner. It can scan IP addresses in any range as well as any of their ports; it is also very lightweight, requires no installation, and can be freely copied and used anywhere.

Angry IP Scanner simply pings each IP address to check whether it is alive, then optionally resolves its hostname, determines the MAC address, scans ports, and so on. The amount of data gathered about each host can be extended with plugins.

How it Works

Angry IP Scanner implements several different methods of detecting alive hosts (pinging).

As a rule, if hosts don’t respond to pings, they are considered dead and therefore not scanned further. This behaviour can be changed in the Preferences dialogue -> Scanning tab. In the same place, you can also select the pinging method:

  • ICMP Echo pinging – This is the same method used by the ping program.
  • ICMP.DLL pinging – This is a Windows-only pinging method that compensates for the absence of raw sockets.
  • UDP packet pinging – This pinging method is preferred when you don’t have administrative privileges.
  • TCP port probe – This method tries to connect to some TCP port that is unlikely to be filtered (e.g. 80).

Features

  • Very fast (multi-threaded)
  • Scan IP addresses in any range
  • Scan for open ports
  • Cross-platform
  • Portable (doesn’t require installation)
  • Hostname Resolution
  • MAC address capture
  • NetBIOS information gathering
    • Computer Name
    • WorkGroup Name
    • Logged in User
  • Favourite IP ranges
  • Web Server detection
  • Customizable openers
  • Scanning results in:
    • CSV
    • TXT
    • XML
    • IP-Port List

You can download Angry IP Scanner here:

Or read more here.


Powerfuzzer – Automated Customizable Web Fuzzer


Powerfuzzer is a highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer) based on many other Open Source fuzzers available and information gathered from numerous security resources and websites.

It was designed to be user-friendly, modern, effective and to work consistently.


It is also designed and coded to be modular and extendable, adding new checks should simply entail adding new methods.

It’s based on tools such as cfuzzer, fuzzled, fuzzer.pl, jbrofuzz, webscarab, wapiti, Socket Fuzzer and more.


Features

Currently, it is capable of identifying these problems:

  • Cross Site Scripting (XSS)
  • Injections (SQL, LDAP, Code, Commands and XPATH)
  • CRLF
  • HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)

You can download Powerfuzzer here:

powerfuzzer_v1_beta_patched_binary_installer_complete.exe

Or read more here.


SessionGopher – Session Extraction Tool


SessionGopher is a PowerShell Session Extraction tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.


The tool can find and decrypt saved session information for remote access tools. It has WMI functionality built in so it can be run remotely; its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.

How it Works

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords.

When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

Usage

. .\SessionGopher.ps1
Invoke-SessionGopher -option

-Thorough: searches all drives for PuTTY private key (.ppk), Remote Desktop Connection (.rdp), and RSA (.sdtid) files.
-o: outputs the data to a folder of .csv files
-iL: provide a file with a list of hosts to run SessionGopher against, each host separated by a newline. Provide the path to the file after -iL.
-AllDomain: SessionGopher will query Active Directory for all domain-joined systems and run against all of them.
-Target: a specific host you want to target. Provide the target host after -Target.

You can download SessionGopher here:

SessionGopher.ps1

Or read more here.


Kadimus – LFI Scanner & Exploitation Tool


Kadimus is an LFI scanner and exploitation tool for Local File Inclusion vulnerability detection and intrusion.


Installation

$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus

Then you can run the configure file:

./configure

Then:

$ make

Features

  • Check all url parameters
  • /var/log/auth.log RCE
  • /proc/self/environ RCE
  • php://input RCE
  • data://text RCE
  • Source code disclosure
  • Multi thread scanner
  • Command shell interface through HTTP Request
  • Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
  • Proxy socks5 support for bind connections
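Every RCE technique in the list above (auth.log, /proc/self/environ, php://input, data://) starts from the same defect: an include or file read whose path is built from client input. As an added example, not part of Kadimus or this post, here is the vulnerable path construction beside a hardened resolver, written in Python to show the principle (Kadimus itself targets PHP include()). The document root, template names and probe strings are constructed for illustration.

```python
import os

# Constructed example: the doc root and template names are hypothetical.
DOC_ROOT = "/srv/app/templates"


def resolve_vulnerable(doc_root, page):
    """Vulnerable: the client-controlled name is joined straight into the path.
    '../' sequences walk out of doc_root, and an absolute name such as
    '/var/log/auth.log' makes os.path.join discard doc_root entirely."""
    return os.path.join(doc_root, page)


def resolve_hardened(doc_root, page):
    """Hardened: canonicalise the candidate, then require it to stay under doc_root."""
    if "\x00" in page:
        # NUL bytes truncate paths in C-backed APIs, defeating suffix checks.
        raise ValueError("NUL byte in path")
    if "://" in page:
        # Stream wrappers (php://, data://, filter://) are never valid file names here.
        raise ValueError("URL scheme in path")
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, page))
    # commonpath is the containment test; a plain startswith(root) would accept
    # "/srv/app/templates-old/x" as being inside "/srv/app/templates".
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes document root: {page!r}")
    return candidate


def is_contained(doc_root, page):
    """True if the hardened resolver accepts `page`, False if it rejects it."""
    try:
        resolve_hardened(doc_root, page)
        return True
    except ValueError:
        return False


def demo():
    """Run the constructed probes through the hardened resolver."""
    probes = [
        "home.html",                      # ordinary template: accepted
        "../../../proc/self/environ",     # traversal: rejected
        "/var/log/auth.log",              # absolute path: rejected
        "php://input",                    # wrapper scheme: rejected
        "sub/../about.html",              # normalises back inside the root: accepted
    ]
    return {p: is_contained(DOC_ROOT, p) for p in probes}


if __name__ == "__main__":
    for page, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {page}")
```

The containment check works on the canonical path, so symlinks inside the document root that point outside it are also caught, which is the case a prefix check on the raw string misses.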

Usage

-h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP Cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry-times NUMBER        number of times to retry if connection fails
    --proxy STRING              Proxy to connect, syntax: protocol://hostname:port

  Scanner:
    -u, --url STRING            Single URI to scan
    -U, --url-list FILE         File contains URIs to scan
    -o, --output FILE           File to save output results
    --threads NUMBER            Number of threads (2..1000)

  Explotation:
    -t, --target STRING         Vulnerable Target to exploit
    --injec-at STRING           Parameter name to inject exploit
                                (only need with RCE data and source disclosure)

  RCE:
    -X, --rce-technique=TECH    LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP Request

    -r, --reverse-shell         Try spawn a reverse shell connection.
    -l, --listen NUMBER         port to listen

    -b, --bind-shell            Try connect to a bind-shell
    -i, --connect-to STRING     Ip/Hostname to connect
    -p, --port NUMBER           Port number to connect
    --b-proxy STRING            IP/Hostname of socks5 proxy
    --b-port NUMBER             Port number of socks5 proxy

    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)
    --ssh-target STRING         Set the SSH Host

    RCE Available techniques

      environ                   Try run PHP Code using /proc/self/environ
      input                     Try run PHP Code using php://input
      auth                      Try run PHP Code using /var/log/auth.log
      data                      Try run PHP Code using data://text

    Source Disclosure:
      -G, --get-source          Try get the source files using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (Default: stdout)

You can download Kadimus here:

Kadimus-master.zip

Or read more here.


HashPump – Exploit Hash Length Extension Attack


HashPump is a C++ based command line tool to exploit the Hash Length Extension Attack with various hash types supported, including MD4, MD5, SHA1, SHA256, and SHA512.


There’s a good write-up of how to use this in practical terms here: Plaid CTF 2014: mtpox

Usage


$ hashpump -h
HashPump [-h help] [-t test] [-s signature] [-d data] [-a additional] [-k keylength]
    HashPump generates strings to exploit signatures vulnerable to the Hash Length Extension Attack.
    -h --help          Display this message.
    -t --test          Run tests to verify each algorithm is operating properly.
    -s --signature     The signature from known message.
    -d --data          The data from the known message.
    -a --additional    The information you would like to add to the known message.
    -k --keylength     The length in bytes of the key being used to sign the original message with.
    Version 1.2.0 with CRC32, MD5, SHA1, SHA256 and SHA512 support.
    <Developed by bwall(@botnet_hunter)>

You can download HashPump here:

$ git clone https://github.com/bwall/HashPump.git
$ apt-get install g++ libssl-dev
$ cd HashPump
$ make
$ make install

Or read more here.


HashData – A Command-line Hash Identifying Tool


HashData is a Ruby-based command-line REPL Hash Identifying Tool with support for a lot of different (most popular) hash types.


Installation

$ gem install hashdata

Usage

Command Line

When installed, run hashdata and paste in hashes when prompted.

Library

Example Script:

require 'hashdata'
hash = HashData.new
puts(hash.check_type("1111111111111",'DES'))

The above should output true. The library only matches the start of your second input, which means you can check that something is an MD5 hash without having to worry about whether it is from Joomla or Unix, for example.


Hashes Supported

  • Adler32
  • Blowfish(Eggdrop), Blowfish(OpenBSD)
  • CRC-16, CRC-16-CCITT
  • CRC-32, CRC-32B
  • CRC-96(ZIP)
  • Domain Cached Credentials, Domain Cached Credentials 2
  • DES(Unix), DES(Oracle)
  • FCS-16, FCS-32
  • FNV-132, FNV-164
  • GOST R 34.11-94
  • GHash-32-3, GHash-32-5
  • Haval-128, Haval-160, Haval-192, Haval-224, Haval-256
  • Joaat
  • Lineage II C4
  • LM
  • Lotus Domino
  • MD2, MD4, MD5
  • MD5(Joomla), MD5(osCommerce), MD5(PalshopCMS)
  • MD5(APR), MD5(Cisco PIX), MD5(Unix)
  • MD5(IP.Board), MD5(MyBB), MD5(phpBB3), MD5(WordPress)
  • MySQL3.x, MySQL4.x, MySQL5.x
  • MSSQL(2000), MSSQL(2005), MSSQL(2008)
  • NTLM
  • RAdmin v2.x
  • RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
  • SAM(LM_Hash:NT_Hash)
  • SHA-1, SHA-1(Django), SHA-1(MaNGOS), SHA-1(MaNGOS2)
  • SHA-224
  • SHA-256, SHA-256(Django), SHA-256(Unix)
  • SHA3-224, SHA3-256, SHA3-384, SHA3-512
  • SHA-384, SHA-384(Django)
  • SHA-512, SHA-512(Drupal), SHA-512(Unix)
  • SSHA-1
  • Skein-256, Skein-256(128), Skein-256(160), Skein-256(224)
  • Skein-512, Skein-512(128), Skein-512(160), Skein-512(224), Skein-512(256), Skein-512(384)
  • Skein-1024, Skein-1024(384), Skein-1024(512)
  • Snefru-128, Snefru-256
  • Tiger-128, Tiger-160, Tiger-192
  • VNC
  • Whirlpool
  • XOR-32

You can download HashData here:

HashData-v0.0.3.zip

Or read more here.



PowerMemory – Exploit Windows Credentials In Memory


PowerMemory is a PowerShell-based tool to exploit Windows credentials present in files and memory; it leverages Microsoft-signed binaries to attack Windows.

The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without writing any C-type code. In addition, with this method, user-land and kernel-land behaviour can be modified without being caught by antivirus or newer defensive techniques.

It can be done with a 4GL-type language or with a scripting language such as PowerShell, which is installed everywhere.

Consequently, this technique makes detection hard, because nearly anything can be done simply by sending and receiving bytes.


Features

  • It’s fully written in PowerShell
  • It can work locally as well as remotely
  • It can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
  • It does not use the operating system .dll to locate credentials address in memory but a Microsoft Signed Debugger
  • PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
  • It breaks undocumented Microsoft DES-X
  • It works even if you are on a different architecture than the target architecture
  • It leaves no trace in memory
  • It can manipulate memory to fool software and operating system
  • It can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses

You can use the module waiting to be integrated to leave Wonder Land and launch a crafted advanced attack with PowerShell Empire serving as the vector.

You can download PowerMemory here:

PowerMemory-master.zip

Or read more here.


spectrology – Basic Audio Steganography Tool


spectrology is a Python-based audio steganography tool that converts images to audio files whose spectrogram encodes the image, letting you hide messages, as images, inside audio files.

Using this tool you can select the range of frequencies to be used, and all popular image codecs are supported.


Usage

usage: spectrology.py [-h] [-o OUTPUT] [-b BOTTOM] [-t TOP] [-p PIXELS]
                      [-s SAMPLING]
                      INPUT

positional arguments:
  INPUT                 Name of the image to be converted.

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        Name of the output wav file. Default value: out.wav).
  -b BOTTOM, --bottom BOTTOM
                        Bottom frequency range. Default value: 200.
  -t TOP, --top TOP     Top frequency range. Default value: 20000.
  -p PIXELS, --pixels PIXELS
                        Pixels per second. Default value: 30.
  -s SAMPLING, --sampling SAMPLING
                        Sampling rate. Default value: 44100.

Example

python spectrology.py test.bmp -b 13000 -t 19000

You can download spectrology here:

spectrology-master.zip

Or read more here.


pemcracker – Tool For Cracking PEM Files


pemcracker is a tool for cracking PEM files that are encrypted and have a password. The purpose is to attempt to recover the password for encrypted PEM files while utilising all the CPU cores.


Inspired by Robert Graham’s pemcrack, it still uses high-level OpenSSL calls in order to guess the password. As an optimisation, instead of continually checking against the PEM on disk, it is loaded into memory in each thread.


Usage

bwall@ragnarok:~$ ./pemcracker
pemcracker 0.1.0
pemcracker <path to pem> <word file>

pemcracker 0.1.0 by Brian Wallace (@botnet_hunter)

Example:

bwall@ragnarok:~/data/publicprojects/pemcracker$ ./pemcracker test.pem test.dict
Password is komodia for test.pem

If you are looking for the fastest possible method of brute-forcing PEM files, you may wish to try John the Ripper. Its little-known ssh2john converts PEM files to a format that can be fed into ./john.

You can download pemcracker here:

pemcracker-master.zip

Or read more here.


Ubertooth – Open Source Bluetooth Sniffer


Ubertooth is an open source Bluetooth sniffer and is essentially a development platform for Bluetooth experimentation. It runs best as a native Linux install and should work fine from within a VM.


Ubertooth ships with a capable BLE (Bluetooth Smart) sniffer and can sniff some data from Basic Rate (BR) Bluetooth Classic connections.


Features

The Ubertooth is able to capture and demodulate signals in the 2.4GHz ISM band with a bandwidth of 1MHz using a modulation scheme of Frequency Shift Keying or related methods.

This includes, but is not limited to:

  • Bluetooth Basic Rate packets
  • Bluetooth Low Energy (Bluetooth Smart)

The following may be possible:

  • 802.11 FHSS (1MBit)
  • Some proprietary 2.4GHz wireless devices

You can download Ubertooth here:

ubertooth-2017-03-R2.zip

Or read more here.


scanless – A Public Port Scan Scraper


scanless is a Python-based command-line utility that functions as a public port scan scraper: it uses websites that perform port scans on your behalf.


This is useful for early stages of penetration tests when you’d like to run a port scan on a host without having it originate from your IP address.

Public Port Scanners

  • yougetsignal
  • viewdns
  • hackertarget
  • ipfingerprints
  • pingeu

Dependencies

scanless requires the requests and bs4 libraries to run, install with pip.

Usage

$ python scanless.py --help
usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

scanless, public port scan scrapper

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        ip or domain to scan
  -s SCANNER, --scanner SCANNER
                        scanner to use (default: yougetsignal)
  -l, --list            list scanners
  -a, --all             use all the scanners


Example:

python scanless.py --list
Scanner Name   | Website
---------------|------------------------------
yougetsignal   | http://www.yougetsignal.com
viewdns        | http://viewdns.info
hackertarget   | https://hackertarget.com
ipfingerprints | http://www.ipfingerprints.com
pingeu         | http://ping.eu

$ python scanless.py -s viewdns -t scanme.nmap.org
Running scanless...

------- viewdns -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

You can download scanless here:

scanless-master.zip

Or read more here.


Github Dorks – Github Security Scanning Tool


GitHub search is a powerful and useful feature and can be used to search for sensitive data in repositories. This GitHub security scanning tool comes with a collection of GitHub dorks that can reveal sensitive personal and/or proprietary organisational information such as private keys, credentials, authentication tokens and so on.

github-dork.py is a simple Python tool that can search through your repository or your organisation/user repositories. It is not a perfect tool at the moment, but it provides basic functionality to automate the search of your repositories against the dorks specified in the text file.

You can also check out: Gitrob – Scan Github For Sensitive Files


Installation

This tool uses github3.py to talk with the GitHub Search API.

Clone the repository and run:

pip install -r requirements.txt

Usage

GH_USER  - Environment variable to specify github user
GH_PWD   - Environment variable to specify password
GH_TOKEN - Environment variable to specify github token
GH_URL   - Environment variable to specify GitHub Enterprise base URL

Some example usages are listed below:

python github-dork.py -r techgaun/github-dorks                          # search single repo

python github-dork.py -u techgaun                                       # search all repos of user

python github-dork.py -u dev-nepal                                      # search all repos of an organization

GH_USER=techgaun GH_PWD=<mypass> python github-dork.py -u dev-nepal     # search as authenticated user

GH_TOKEN=<github_token> python github-dork.py -u dev-nepal              # search using auth token

GH_URL=https://github.example.com python github-dork.py -u dev-nepal    # search a GitHub Enterprise instance
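The categories those dorks hunt for after the fact (private key blocks, hard-coded credentials, registry auth tokens) are cheaper to catch before a push. As an added example that is not part of github-dorks, here is a small local scanner in Python: the rule names and regular expressions are my own constructions rather than the project's dork list, and the sample files are constructed inline with obviously fake values. Matches are masked in the report so the scanner's own output does not become a second copy of the secret.

```python
import re

# Constructed detection rules: (rule name, pattern applied to each line).
# Group 1, where present, is the secret value itself so it can be masked.
RULES = [
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
    ("credential-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
    ("npmrc-auth-token",
     re.compile(r"^_auth\s*=\s*(\S+)")),
]

# Paths that legitimately contain key-shaped test data (constructed allow-list).
IGNORED_PREFIXES = ("tests/fixtures/", "docs/")


def mask(value, keep=3):
    """Keep a short prefix for triage and hide the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(path, text):
    """Apply every rule to every line of one file; returns a list of findings."""
    findings = []
    if path.startswith(IGNORED_PREFIXES):
        return findings
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"path": path, "line": line_no,
                                 "rule": name, "match": mask(secret)})
    return findings


def scan_files(files):
    """files: mapping of repo-relative path -> file contents (what a pre-commit hook would feed in)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository; none of these values are real secrets.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = True\nDB_PASSWORD = "example-not-a-real-password"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample-not-real\n-----END RSA PRIVATE KEY-----\n",
    ".npmrc": "registry=https://registry.npmjs.org/\n_auth=example-not-a-real-token\n",
    "README.md": "Set DB_PASSWORD via the environment; never commit it.\n",
    "tests/fixtures/sample_key.pem": "-----BEGIN RSA PRIVATE KEY-----\nfixture\n-----END RSA PRIVATE KEY-----\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['rule']}  {f['match']}")
```

The README line mentions DB_PASSWORD but is not flagged, because the credential rule requires an assignment to a quoted literal; the fixture key is skipped by the allow-list rather than by weakening the rule. Running this over `git diff --cached` content in a pre-commit hook catches the same material a dork search would find once it is already public.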

You can download Github Dorks here:

Or read more here.


Pybelt – The Hackers Tool Belt


Pybelt is a Python-based hacker's tool belt capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerabilities, and finding usable HTTP proxies.


Features

Pybelt is an open source python hacking kit that comes with:

  • Port Scanner
  • SQL Injection scanner
  • Dork Checker
  • Hash Cracker
  • Hash Type Verification
  • Proxy Finder
  • XSS Scanner

Installation

Clone the repository:

git clone https://github.com/ekultek/pybelt.git

Or download the latest release.

Once you have the program installed, cd into the directory and run the following command:

pip install -r requirements.txt

This will install all of the program's required libraries, and it should be runnable from there.

You can download Pybelt here:

Pybelt-1,0.zip

Or read more here.



Sn1per – Penetration Testing Automation Scanner


Sn1per is a penetration testing automation scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.


Features

  • Automatically collects basic recon (i.e. whois, ping, DNS, etc.)
  • Automatically launches Google hacking queries against a target domain
  • Automatically enumerates open ports via NMap port scanning
  • Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  • Automatically checks for sub-domain hijacking
  • Automatically runs targeted NMap scripts against open ports
  • Automatically runs targeted Metasploit scan and exploit modules
  • Automatically scans all web applications for common vulnerabilities
  • Automatically brute forces ALL open services
  • Automatically tests for anonymous FTP access
  • Automatically runs WPScan, Arachni and Nikto for all web services
  • Automatically enumerates NFS shares
  • Automatically tests for anonymous LDAP access
  • Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
  • Automatically enumerates SNMP community strings, services and users
  • Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
  • Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
  • Automatically tests for open X11 servers
  • Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
  • Performs high level enumeration of multiple hosts and subnets
  • Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • Automatically gathers screenshots of all web sites
  • Creates individual workspaces to store all scan output

Modes

  • REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append ‘report’ to any sniper mode or command.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
  • DISCOVER: Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.
  • AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of the file that contains all hosts/IPs to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  • NUKE: Launches a full audit of multiple hosts specified in a text file of your choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
  • LOOT: Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type ‘sniper loot’.

There’s a sample report available here.

You can download Sn1per here:

Sn1per-v2.4.zip

Or read more here.


evilscan – Massive IP Port Scanner


evilscan is a Node.js based massive IP Port scanner designed for concurrency, speed and scanning large ranges of IP addresses.

evilscan - Massive IP Port Scanner

Features

  • Individual IP or IP range scan
  • Individual port, ports list, or port range
  • Banner grabbing (not fully implemented, works with verbose ports only)
  • IAC negotiation
  • Reverse dns
  • Geolocation information
  • Shell or JSON output
  • Optional progress details

Usage

Usage:

evilscan <fqdn|ipv4|cidr> [options]

Example:

root@debian:~# evilscan 192.168.0.0/24 --port=21-23,80

Options:

  --port          port(s) you want to scan, examples:
                  --port=80
                  --port=21,22
                  --port=21,22,23,5900-5902

  --reverse       display DNS reverse lookup

  --reversevalid  only display results having a valid reverse dns, except if
                  ports specified

  --geo           display geoip (free maxmind)

  --banner        display banner

  --bannerlen     set banner length grabing
                  default 512

  --bannerraw     display raw banner (as a JSON Buffer)

  --progress      display progress indicator each seconds

  --status        ports status wanted in results (example --status=OT)
                  T(timeout)
                  R(refused)
                  O(open, default)
                  U(unreachable)

  --scan          scan method
                  tcpconnect (full connect, default)
                  tcpsyn (half opened, not yet implemented)
                  udp (not yet implemented)

  --concurrency   max number of simultaneous socket opened
                  default 500

  --timeout       maximum number of milliseconds before closing the connection
                  default 2000

  --display       display result format (json,xml,console)
                  default console

  --json          shortcut for --display=json

  --xml           shortcut for --display=xml

  --console       shortcut for --display=console

  --help          display help

  --about         display about

  --version       display version number

Sample Output

root@debian:~# evilscan 127.0.0.1 --port=0-65535 --banner
127.0.0.1|111||open
127.0.0.1|53||open
127.0.0.1|23|Debian GNU/Linux jessie/sid\r\ndebian login:|open
127.0.0.1|5432||open
127.0.0.1|27017||open
127.0.0.1|28017||open
127.0.0.1|35223||open
127.0.0.1|35491||open
127.0.0.1|39619||open

You can download evilscan here:

evilscan-master.zip

Or read more here.
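The console output format shown in the sample above (one record per line as ip|port|banner|status, with control characters in the banner printed escaped as \r\n) is easy to ingest for follow-up checks such as comparing a scan against the set of ports you expect a host to expose. The parser below is an added example written for this page, not evilscan's own code; it assumes only the field layout visible in the sample output, and the second host, the timeout record and the allow-list are constructed values.

```javascript
// Added example (not part of evilscan): parse the tool's default console
// output, one record per line in the form  ip|port|banner|status , then
// report open ports that are not on a per-host allow-list.

// Constructed sample in the format shown above. The 192.0.2.10 line and the
// "timeout" status are made up to exercise the non-open path.
const SAMPLE_OUTPUT = [
  '127.0.0.1|111||open',
  '127.0.0.1|53||open',
  '127.0.0.1|23|Debian GNU/Linux jessie/sid\\r\\ndebian login:|open',
  '127.0.0.1|5432||open',
  '192.0.2.10|22||timeout',
].join('\n');

// evilscan prints CR/LF inside banners as the two-character sequences \r and
// \n; turn them back into real control characters.
function unescapeBanner(s) {
  return s.replace(/\\r/g, '\r').replace(/\\n/g, '\n');
}

// Parse one output line; returns null for lines that do not fit the format.
function parseEvilscanLine(line) {
  const parts = line.split('|');
  if (parts.length < 4) return null;
  const ip = parts[0];
  const port = Number(parts[1]);
  const status = parts[parts.length - 1];
  // A banner may itself contain '|', so rejoin every field between port and status.
  const banner = unescapeBanner(parts.slice(2, -1).join('|'));
  if (!Number.isInteger(port) || port < 0 || port > 65535) return null;
  return { ip, port, banner, status };
}

// Parse a whole capture, skipping blank lines and anything unparsable
// (for example the shell prompt line that precedes the results).
function parseEvilscanOutput(text) {
  return text
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter(Boolean)
    .map(parseEvilscanLine)
    .filter((r) => r !== null);
}

// Group open ports by host, sorted numerically.
function openPortsByHost(records) {
  const byHost = {};
  for (const r of records) {
    if (r.status !== 'open') continue;
    (byHost[r.ip] = byHost[r.ip] || []).push(r.port);
  }
  for (const ip of Object.keys(byHost)) byHost[ip].sort((a, b) => a - b);
  return byHost;
}

// Defender-side check: every open port that is not on the allow-list for its
// host is an unexpected exposure worth investigating. allowed has the shape
// { '127.0.0.1': [53, 111] } (constructed for this example).
function unexpectedOpenPorts(records, allowed) {
  return records.filter(
    (r) => r.status === 'open' && !(allowed[r.ip] || []).includes(r.port)
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  const records = parseEvilscanOutput(SAMPLE_OUTPUT);
  console.log(openPortsByHost(records));
  const allowed = { '127.0.0.1': [53, 111] };
  for (const r of unexpectedOpenPorts(records, allowed)) {
    console.log(`unexpected: ${r.ip}:${r.port} ${JSON.stringify(r.banner)}`);
  }
}
```

Feeding a real capture through parseEvilscanOutput works the same way; the prompt line and any progress output are dropped because they do not split into at least four pipe-separated fields.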


LazyDroid – Android Security Assessment Tool


Lazydroid is a tool written as a bash script to facilitate some aspects of an Android Security Assessment.

LazyDroid - Android Security Assessment Tool

Features

It provides some common tasks such as:

  • Set the debug flag of an application to true
  • Set the backup flag of an application to true
  • Re-Build the application
  • Re-Sign the application
  • Smart log extraction of an application
  • Extract the APK of an application installed from Google Play
  • Download any mobile folder (/sdcard/, application data folder, other)
  • Compare two different snapshots of the same folder
  • Insert Frida gadget in the APK (for example when the phone is not or cannot be rooted, and thus Frida server cannot be run)

Installation

Lazydroid requires Linux or Mac OS to run, with the following tools installed:

  • apktool
  • jarsigner
  • adb
  • aapt (Android Asset Packaging Tool, part of the SDK)
  • your keystore and alias
  • Frida Agent (pip install frida)

Usage

To run lazydroid.sh, the steps are as follows:

$ git clone
$ #configure the path to the tools (adb, jarsigner, apktool, etc and your favourite shell)
$ cd lazydroid
$ ./getfridalibs.sh #get the last frida libs for Android
$ ./lazydroid.sh

You can download LazyDroid here:

LazyDroid-master.zip

Or read more here.


credmap – The Credential Mapper


Credmap is an open source credential mapper tool that was created to bring awareness to the dangers of credential reuse. It takes supplied user credentials and tries them on several known websites to check whether the password has been reused on any of them.

credmap - The Credential Mapper

It is not uncommon for people who are not experts in security to reuse credentials on different websites; even security savvy people occasionally reuse credentials.

Credmap takes a username and/or e-mail, and a password as input and it attempts to login on a variety of known websites to verify if these credentials have been reused on any of them.


Usage

Usage: credmap.py --email EMAIL | --user USER | --load LIST [options]

Options:
  -h/--help             show this help message and exit
  -v/--verbose          display extra output information
  -u/--username=USER..  set the username to test with
  -p/--password=PASS..  set the password to test with
  -e/--email=EMAIL      set an email to test with
  -l/--load=LOAD_FILE   load list of credentials in format USER:PASSWORD
  -f/--format=CRED_F..  format to use when reading from file (e.g. u|e:p)
  -x/--exclude=EXCLUDE  exclude sites from testing
  -o/--only=ONLY        test only listed sites
  -s/--safe-urls        only test sites that use HTTPS.
  -i/--ignore-proxy     ignore system default HTTP proxy
  --proxy=PROXY         set proxy (e.g. "socks5://192.168.1.2:9050")
  --list                list available sites to test with

Examples

./credmap.py --username janedoe --email janedoe@email.com
./credmap.py -u johndoe -e johndoe@email.com --exclude "github.com, live.com"
./credmap.py -u johndoe -p abc123 -vvv --only "linkedin.com, facebook.com"
./credmap.py -e janedoe@example.com --verbose --proxy "https://127.0.0.1:8080"
./credmap.py --load creds.txt --format "e.u.p"
./credmap.py -l creds.txt -f "u|e:p"
./credmap.py -l creds.txt
./credmap.py --list

You can download credmap here:

credmap-master.zip

Or read more here.


snitch – Information Gathering Tool Via Dorks


Snitch is an information gathering tool which automates the process for a specified domain. Using built-in dork categories, it helps gather information about the specified domains that can be found through web search engines. It can be quite useful in the early phases of penetration tests (commonly called the Information Gathering phase).

snitch - Information Gathering Tool Via Dorks

snitch can identify general information, potentially sensitive extensions, documents & messages, files and directories and web applications.

There are other tools which perform similar functions or parts of what snitch does:

DMitry – Deepmagic Information Gathering Tool
wig – CMS Identification & Information Gathering Tool
theHarvester – Gather E-mail Accounts, Subdomains, Hosts, Employee Names


Usage

devil@hell:~/snitch$ python snitch.py
		               _ __       __
		   _________  (_) /______/ /_
		  / ___/ __ \/ / __/ ___/ __ \
		 (__  ) / / / / /_/ /__/ / / /
		/____/_/ /_/_/\__/\___/_/ /_/ ~0.3

Usage: snitch.py [options]

Options:
  -h, --help            show this help message and exit
  -U [url], --url=[url]
                        domain(s) or domain extension(s) separated by comma*
  -D [type], --dork=[type]
                        dork type(s) separated by comma*
  -C [dork], --custom=[dork]
                        custom dork*
  -O [file], --output=[file]
                        output file
  -S [ip:port], --socks=[ip:port]
                        socks5 proxy
  -I [seconds], --interval=[seconds]
                        interval between requests, 2s by default
  -P [pages], --pages=[pages]
                        pages to retrieve, 10 by default
  -v                    turn on verbosity

 Dork types:
  info   Information leak & Potential web bugs
  ext    Sensitive extensions
  docs   Documents & Messages
  files  Files & Directories
  soft   Web software
  all    All

You can download snitch here:

snitch-master.zip

Or you can read more here.

