BruteX – Automatically Brute Force All Services Running On A Target

BruteX is a tool that automatically brute-forces every service it finds running on a target.

A brute-force attack consists of an attacker submitting many passwords or passphrases in the hope of eventually guessing correctly. The attacker systematically tries candidate passwords and passphrases until the correct one is found (or, against a well-configured target, until the account locks out or the source address is rate-limited).

BruteX chains existing tools rather than implementing its own attacks: Nmap scans the target for open ports and identifies the service running on each, DNS enumeration is run against the target's domain, and Hydra is then launched against FTP, SSH and the other discovered login services.

The result is an automatic pass over everything the target exposes, enumerating:

  • Open Ports
  • Usernames
  • Passwords

Installation is a clone of the repository followed by the bundled install script:

git clone https://github.com/1N3/BruteX.git
cd BruteX
chmod +x install.sh
./install.sh

Once the tool is installed, run the command below against a target (hostname or IP address) to see how it works; the port argument selects the port to attack:

brutex target <port>

To brute-force multiple hosts, use brutex-massscan and list the IPs/hostnames to scan in its targets file.


Video Tutorials

https://www.youtube.com/watch?v=7QCBh9Enl2M

Disclaimer

This is free software to distribute, modify and use, on the condition that credit is given to the creator (1N3@CrowdShield) and it is not used commercially.

SQLiScanner – Automatic SQL Injection With Charles & SQLmap API

SQLiScanner is an automatic SQL injection tool built on Charles (the HTTP proxy, used to capture the requests to test) and the sqlmap API; it runs on Linux and macOS. Its dependencies are:

  • Django
  • PostgreSQL
  • Celery
  • sqlmap
  • redis


SQLiScanner Installation

It is best to install it by cloning the Git repository:

git clone https://github.com/0xbug/SQLiScanner.git --depth 1

sqlmap is fetched the same way, by cloning its repository:

git clone https://github.com/sqlmapproject/sqlmap.git --depth 1

It requires Python 3.x and runs on Linux and macOS.

Create virtualenv and install requirements

cd SQLiScanner/
virtualenv --python=/usr/local/bin/python3.5 venv
source venv/bin/activate
pip install -r requirements.txt

Setting

The tool has two settings to configure before first run, the database and the outgoing e-mail (report) settings; both are described below.

DATABASES Setting

SQLiScanner/settings.py:85

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': '',
        'USER': '',
        'PASSWORD': '',
        'HOST': '127.0.0.1',
        'PORT': '5432',
    }
}

SendEmail Setting

SQLiScanner/settings.py:158

# Email
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_USE_TLS = False
EMAIL_HOST = ''
EMAIL_PORT = 25
EMAIL_HOST_USER = ''
EMAIL_HOST_PASSWORD = ''
DEFAULT_FROM_EMAIL = ''

If you fill in EMAIL_HOST_USER and EMAIL_HOST_PASSWORD, set EMAIL_USE_TLS = True (typically with EMAIL_PORT = 587) so that the SMTP credentials and the scan reports are not sent in the clear.

scanner/tasks.py:14

class SqlScanTask(object):
    def __init__(self, sqli_obj):
        self.api_url = "http://127.0.0.1:8775"   # the sqlmap API started with sqlmapapi.py -s -p 8775
        self.mail_from = ""
        self.mail_to = [""]

Syncdb

python manage.py makemigrations scanner
python manage.py migrate

Create superuser

python manage.py createsuperuser

Run

Once the settings above are configured, start the four processes below (each in its own terminal): Redis, the sqlmap API server on the port referenced in scanner/tasks.py, the Celery worker that runs the scan tasks, and the Django development server.

redis-server
python sqlmapapi.py -s -p 8775
python manage.py celery worker --loglevel=info
python manage.py runserver
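What the Celery task does with the api_url above is drive sqlmap's REST API: create a task, start a scan with options, poll until it terminates, read the results and delete the task. The following is an added example, not SQLiScanner's code. The endpoints are sqlmap's own API (GET /task/new, POST /scan/<id>/start, GET /scan/<id>/status, GET /scan/<id>/data, GET /task/<id>/delete); the transport is injected so the flow can be exercised offline against the constructed FakeSqlmapApi, while urllib_http talks to a real sqlmapapi.py.

```python
"""Driving sqlmap's REST API the way SQLiScanner's SqlScanTask does.

Added example, not SQLiScanner's code. The endpoints are sqlmap's own REST
API (sqlmapapi.py -s). The HTTP transport is injected as
http(method, url, body=None) -> dict so the flow runs offline against
FakeSqlmapApi (constructed); urllib_http is the real transport.
"""
import json
import time
import urllib.request

API_URL = "http://127.0.0.1:8775"   # default in scanner/tasks.py


def urllib_http(method, url, body=None):
    """Real transport: JSON in, JSON out, standard library only."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class SqlmapApiScan:
    def __init__(self, http=urllib_http, api_url=API_URL, poll_interval=2.0):
        self.http = http
        self.api_url = api_url
        self.poll_interval = poll_interval

    def run(self, target_url, options=None, max_polls=1800):
        """Create a task, start it, wait until terminated, return sqlmap's data list.

        The task is deleted in all cases so a long-running worker does not
        leave finished scans (and their findings) behind in the API process.
        """
        task = self.http("GET", f"{self.api_url}/task/new")
        if not task.get("success"):
            raise RuntimeError("could not create sqlmap task")
        taskid = task["taskid"]
        try:
            opts = {"url": target_url, **(options or {})}
            started = self.http("POST", f"{self.api_url}/scan/{taskid}/start", opts)
            if not started.get("success"):
                raise RuntimeError("scan did not start")
            for _ in range(max_polls):
                status = self.http("GET", f"{self.api_url}/scan/{taskid}/status")
                if status.get("status") == "terminated":
                    break
                time.sleep(self.poll_interval)
            else:
                raise TimeoutError("sqlmap scan still running after max_polls")
            return self.http("GET", f"{self.api_url}/scan/{taskid}/data").get("data", [])
        finally:
            self.http("GET", f"{self.api_url}/task/{taskid}/delete")


class FakeSqlmapApi:
    """Constructed offline stand-in for sqlmapapi.py; records every call made."""

    def __init__(self, polls_until_done=2, data=None):
        self.polls_until_done = polls_until_done
        self.data = data if data is not None else []
        self.calls = []
        self.polls = 0

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        if url.endswith("/task/new"):
            return {"success": True, "taskid": "0123456789abcdef"}
        if url.endswith("/start"):
            return {"success": True, "engineid": 1}
        if url.endswith("/status"):
            self.polls += 1
            done = self.polls >= self.polls_until_done
            return {"status": "terminated" if done else "running",
                    "returncode": 0 if done else None}
        if url.endswith("/data"):
            return {"success": True, "data": self.data, "error": []}
        if url.endswith("/delete"):
            return {"success": True}
        raise AssertionError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    fake = FakeSqlmapApi(data=[{"status": 1, "type": 0, "value": {"url": "http://target.test/?id=1"}}])
    print(SqlmapApiScan(fake, poll_interval=0).run("http://target.test/?id=1", {"level": 1}))
```

Against a live API, `SqlmapApiScan().run("http://target.test/?id=1", {"level": 1})` is all that is needed; the API binds to 127.0.0.1 by default and has no authentication, so keep it that way and never expose port 8775 beyond the host running the Celery worker.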

Hatch – Brute Force Tool That Is Used To Brute Force Most Websites

Hatch is a brute-force tool for the login forms of most websites; it drives a real browser through Selenium and ChromeDriver rather than crafting HTTP requests itself. To use it you need the following requirements:

pip2 install selenium
pip2 install requests

Note: ChromeDriver and Chrome are also required. Download ChromeDriver from http://chromedriver.chromium.org/downloads and copy it to the bin directory.


Installation Instructions

git clone https://github.com/MetaChar/Hatch
python2 main.py

How to use (text)

  • Find a website with a login page
  • Use Inspect Element to find the CSS selector of the username field
  • Do the same for the password field
  • Do the same for the login form's submit button
  • When asked, enter the username to brute-force
  • Watch it go!
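The loop that BruteX (through Hydra) and Hatch (through Selenium) both run is the same credential-guessing loop, and the defence that stops it is the same too. The following is an added example that serves both the brute-force description at the top of this page and the Hatch procedure above; it is not code from either project. The service is a constructed LoginTarget class, the user list and wordlist are constructed, and the only interface the attack needs is an attempt(username, password) callable; against a real form you would replace it with the Selenium or HTTP submission and classify the resulting page as success, failure or lockout.

```python
"""Dictionary attack against a login endpoint, with and without account lockout.

Added example, not BruteX's or Hatch's code. The service is simulated by
LoginTarget; the attack only needs a callable
attempt(username, password) -> "OK" | "FAIL" | "LOCKED".
"""
import hmac
import itertools
from dataclasses import dataclass, field

# Constructed sample inputs: a short user list and wordlist.
USERNAMES = ["admin", "backup"]
WORDLIST = ["123456", "password", "letmein", "Winter2019!", "admin"]


@dataclass
class LoginTarget:
    """Simulated login service. lockout_after=0 means no lockout (the weak config)."""
    creds: dict                     # username -> password (plaintext only for the demo)
    lockout_after: int = 0
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, username: str, password: str) -> str:
        if username in self.locked:
            return "LOCKED"
        expected = self.creds.get(username)
        # Constant-time compare: the only oracle is the pass/fail result itself.
        if expected is not None and hmac.compare_digest(expected, password):
            return "OK"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.lockout_after and self.failures[username] >= self.lockout_after:
            self.locked.add(username)
        return "FAIL"


def brute_force(attempt, usernames, wordlist, stop_on_lockout=True):
    """Try every (user, password) pair in user-major order.

    Returns (found, attempts): the credentials that worked and how many
    guesses were sent. A user is dropped as soon as a password is found or
    the target reports the account locked; further guesses would only fill
    the defender's logs and keep the legitimate user locked out.
    """
    found = {}
    done = set()
    attempts = 0
    for user, pw in itertools.product(usernames, wordlist):
        if user in done:
            continue
        attempts += 1
        result = attempt(user, pw)
        if result == "OK":
            found[user] = pw
            done.add(user)
        elif result == "LOCKED" and stop_on_lockout:
            done.add(user)
    return found, attempts


if __name__ == "__main__":
    weak = LoginTarget({"admin": "Winter2019!", "backup": "s3cr3t"})
    print(brute_force(weak.attempt, USERNAMES, WORDLIST))      # admin recovered in 9 guesses
    hardened = LoginTarget({"admin": "Winter2019!", "backup": "s3cr3t"}, lockout_after=3)
    print(brute_force(hardened.attempt, USERNAMES, WORDLIST))  # nothing recovered, 8 guesses
```

The hardened run shows why lockouts, rate limits and a second factor matter more than the size of the attacker's wordlist: the same candidates never reach the correct password once three failures lock the account. On the offensive side, treat a lockout response as a signal to stop, both for stealth and because continuing is a denial of service against the account owner.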

Video Tutorial

https://www.youtube.com/watch?v=Hd_kQVnajxk&feature=youtu.be

Stardox – Github Stargazers Information Gathering Tool

Stardox is a GitHub stargazers information gathering tool. It scrapes GitHub and displays the results in a list tree view. It can be used to collect details about the stargazers of your own or someone else's repository.

What data it fetches:
  • Total repositories
  • Total stars
  • Total followers
  • Total following

P.S: Many new things will be added soon


Getting Started

Steps to setup :

git clone https://github.com/0xprateek/stardox
cd stardox
python ./setup.py install

Starting Stardox :

cd stardox/src
python3 stardox.py

Example Usage : `python3 ./stardox.p

Gallery (screenshots): fetching the data of a repository, and the list tree view of the fetched data.

Aztarna – A Footprinting Tool For Robots

This repository contains Alias Robotics' aztarna, a footprinting tool for robots.

Alias Robotics supports original robot manufacturers in assessing their security and improving the quality of their software.

By no means do we encourage or promote unauthorized tampering with running robotic systems. This can cause serious human harm and material damage.


For ROS

  • A list of the ROS nodes present in the system (publishers and subscribers)
  • For each node, the published and subscribed topics, including the topic type
  • For each node, the ROS services the node offers
  • A list of all ROS parameters present in the Parameter Server
  • A list of the active communications running in the system. A single communication includes the involved publisher/subscriber nodes and the topic
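Everything in the ROS list above comes from the ROS 1 master, which answers XML-RPC calls on tcp/11311 without any authentication. The following is an added example, not aztarna's code: it uses the real Master API methods getSystemState, getTopicTypes and getParamNames, and turns the getSystemState reply into the per-node view and the list of active communications. The caller id and the SAMPLE_* replies are constructed so summarize() runs offline; query_master() performs the live calls.

```python
"""Enumerating a ROS 1 master over its XML-RPC Master API.

Added example, not aztarna's code. getSystemState, getTopicTypes and
getParamNames are real ROS Master API methods; the caller id and the
SAMPLE_* replies below are constructed so summarize() runs offline.
"""
import xmlrpc.client

CALLER_ID = "/aztarna_example"   # assumed caller id; any node-style name is accepted


def query_master(master_uri):
    """Live query, e.g. query_master("http://10.0.0.5:11311").

    Returns (system_state, topic_types, param_names) as the master sends them.
    """
    proxy = xmlrpc.client.ServerProxy(master_uri)
    code, msg, state = proxy.getSystemState(CALLER_ID)
    if code != 1:
        raise RuntimeError(f"getSystemState failed: {msg}")
    _, _, topic_types = proxy.getTopicTypes(CALLER_ID)
    _, _, param_names = proxy.getParamNames(CALLER_ID)
    return state, topic_types, param_names


def summarize(state, topic_types):
    """Turn getSystemState's [publishers, subscribers, services] into a
    per-node view plus the active communications (topics with at least one
    publisher and one subscriber)."""
    publishers, subscribers, services = state
    type_of = dict(topic_types)
    nodes = {}

    def entry(name):
        return nodes.setdefault(name, {"publishes": [], "subscribes": [], "services": []})

    for topic, pubs in publishers:
        for n in pubs:
            entry(n)["publishes"].append((topic, type_of.get(topic, "?")))
    for topic, subs in subscribers:
        for n in subs:
            entry(n)["subscribes"].append((topic, type_of.get(topic, "?")))
    for service, providers in services:
        for n in providers:
            entry(n)["services"].append(service)

    pub_map, sub_map = dict(publishers), dict(subscribers)
    comms = [(t, pub_map[t], sub_map[t]) for t in pub_map if t in sub_map]
    return nodes, comms


# Constructed sample replies, in the shape the Master API returns them.
SAMPLE_STATE = [
    [["/cmd_vel", ["/teleop"]], ["/rosout", ["/teleop", "/base_controller"]]],   # publishers
    [["/cmd_vel", ["/base_controller"]], ["/rosout", ["/rosout"]]],              # subscribers
    [["/base_controller/set_speed", ["/base_controller"]],                        # services
     ["/rosout/get_loggers", ["/rosout"]]],
]
SAMPLE_TYPES = [["/cmd_vel", "geometry_msgs/Twist"], ["/rosout", "rosgraph_msgs/Log"]]

if __name__ == "__main__":
    nodes, comms = summarize(SAMPLE_STATE, SAMPLE_TYPES)
    for name, info in sorted(nodes.items()):
        print(name, info)
    for topic, pubs, subs in comms:
        print(f"{topic}: {pubs} -> {subs}")
```

The point for defenders is that the same three calls are what the attacker makes: if the master port is reachable from outside the robot's network, the full node/topic/service graph is readable by anyone, which is the footprinting aztarna automates.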

For SROS

  • Determining if the system is a SROS master.
  • Detecting if demo configuration is in use.
  • A list of the nodes found in the system. (Extended mode)
  • A list of allow/deny policies for each node.
    • Publishable topics.
    • Subscriptable topics.
    • Executable services.
    • Readable parameters.

For Industrial routers

  • Detecting eWON, Moxa, Sierra Wireless and Westermo industrial routers.
  • Default credential checking for found routers.

Aztarna Installation

For production

Directly from PyPI:

pip3 install aztarna

or from the repository:

pip3 install .

For development

pip3 install -e .
or
python3 setup.py develop

Python 3.7 and the setuptools package are required for installation.

Install with docker

docker build -t aztarna_docker .

Code usage:

usage: aztarna [-h] -t TYPE [-a ADDRESS] [-p PORTS] [-i INPUT_FILE]
               [-o OUT_FILE] [-e] [-r RATE] [--shodan] [--api-key API_KEY]

Aztarn

optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  Scan ROS, SROS hosts or Industrial routers
  -a ADDRESS, --address ADDRESS
                        Single address or network range to scan.
  -p PORTS, --ports PORTS
                        Ports to scan (format: 13311 or 11111-11155 or 1,2,3,4)
  -i INPUT_FILE, --input_file INPUT_FILE
                        Input file of addresses to use for scanning
  -o OUT_FILE, --out_file OUT_FILE
                        Output file for the results
  -e, --extended        Extended scan of the hosts
  -r RATE, --rate RATE  Maximum simultaneous network connections
  --shodan              Use shodan for the scan types that support it.
  --api-key API_KEY     Shodan API Key

Run the code (example input file):

aztarna -t ROS -p 11311 -i ros_scan_s20.csv

Run the code with Docker (example input file):

docker run -v :/root -it aztarna_docker -t ROS -p 11311 -i

Run the code (example single ip address):

aztarna -t ROS -p 11311 -a 115.129.241.241

Run the code (example subnet):

aztarna -t ROS -p 11311 -a 115.129.241.0/24

Run the code (example single ip address, port range):

aztarna -t ROS -p 11311-11500 -a 115.129.241.241

Run the code (example single ip address, port list):

aztarna -t ROS -p 11311,11312,11313 -a 115.129.241.241

Run the code (example piping directly from zmap):

zmap -p 11311 0.0.0.0/0 -q | aztarna -t SROS -p 11311

Run the code (example search for industrial routers in shodan):

aztarna -t IROUTERS --shodan --api-key

Run the code (example search for industrial routers in shodan, writing results to a file):

aztarna -t IROUTERS --shodan --api-key -o routers.csv

Dawnscanner – Static Analysis Security Scanner

Dawnscanner is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

Dawnscanner is a source code scanner designed to review your Ruby code for security issues.

Dawnscanner is able to scan plain Ruby scripts (e.g. command line applications), but all its features are unleashed when dealing with web application source code.

Dawnscanner scans the major MVC (Model View Controller) frameworks named above out of the box.


Dawnscanner Installation

You can install the latest dawnscanner version from RubyGems by typing:

$ gem install dawnscanner

If you want to add dawn to your project's Gemfile, add the following:

group :development do
  gem 'dawnscanner', :require => false
end

And then update your bundle:

$ bundle install

You may want to build it from source; in that case check it out from GitHub first:

$ git clone https://github.com/thesp0nge/dawnscanner.git
$ cd dawnscanner
$ bundle install
$ rake install

The dawnscanner gem is then built in the pkg directory and installed on your system. Note that you have to manage dependencies on your own this way.

This only makes sense if you want to hack on the code.

Usage

You can start a code review with dawnscanner very easily: simply tell the tool where the project root directory is.

The underlying MVC framework is autodetected by dawnscanner from the target's Gemfile.lock. If autodetection fails for some reason, the tool will complain and you have to specify by hand whether it's a Rails, Sinatra or Padrino web application.

Basic usage is to pass whichever optional command line options fit your needs, followed by the target directory where your code is stored.

$ dawn [options] target

For a quick command line option reference, run dawn -h at your OS prompt.

$ dawn -h
Usage: dawn [options] target_directory

Examples:

$ dawn a_sinatra_webapp_directory
$ dawn -C the_rails_blog_engine
$ dawn -C --json a_sinatra_webapp_directory
$ dawn --ascii-tabular-report my_rails_blog_ecommerce
$ dawn --html -F my_report.html my_rails_blog_ecommerce

   -G, --gem-lock                      force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)
   -d, --dependencies                  force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock

Reporting

   -a, --ascii-tabular-report          cause dawn to format findings using tables in ascii art (DEPRECATED)
   -j, --json                          cause dawn to format findings using json
   -K, --console                       cause dawn to format findings using plain ascii text
   -C, --count-only                    dawn will only count vulnerabilities (useful for scripts)
   -z, --exit-on-warn                  dawn will return number of found vulnerabilities as exit code
   -F, --file filename                 tells dawn to write output to filename
   -c, --config-file filename          tells dawn to load configuration from filename

Disable security check family

   --disable-cve-bulletins             disable all CVE security checks
   --disable-code-quality              disable all code quality checks
   --disable-code-style                disable all code style checks
   --disable-owasp-ror-cheatsheet      disable all Owasp Ruby on Rails cheatsheet checks
   --disable-owasp-top-10              disable all Owasp Top 10 checks

Flags useful to query Dawn

   -S, --search-knowledge-base [check_name]  search check_name in the knowledge base
   --list-knowledge-base               list knowledge-base content
   --list-known-families               list security check families contained in dawn's knowledge base
   --list-known-framework              list ruby MVC frameworks supported by dawn
   --list-scan-registry                list past scan information stored in scan registry

Service flags

   -D, --debug                         enters dawn debug mode
   -V, --verbose                       the output will be more verbose
   -v, --version                       show version information
   -h, --help                          show this help

Rake Task

To include dawnscanner in your rake task list, simply put this line in your Rakefile:

require 'dawn/tasks'

Then running $ rake -T will list a dawn:run task you can execute.

$ rake -T

rake dawn:run # Execute dawnscanner on the current directory

Interacting with the knowledge base

You can dump all security checks in the knowledge base this way:

$ dawn --list-knowledge-base

Useful in scripts: --search-knowledge-base (or -S) takes a check name as its parameter and tells you whether that check is implemented as a security control or not.

$ dawn -S CVE-2013-6421
07:59:30 [*] dawn v1.1.0 is starting up
CVE-2013-6421 found in knowledgebase

$ dawn -S this_test_does_not_exist
08:02:17 [*] dawn v1.1.0 is starting up
this_test_does_not_exist not found in knowledgebase

dawnscanner security scan in action

As output, dawnscanner prints all security checks that failed during the scan.

This is the result of Codedake::dawnscanner running against a Sinatra 1.4.2 web application written for a talk I delivered in 2013 at the Railsberry conference.

As you can see, dawnscanner first detects the MVC framework running the application by looking at Gemfile.lock, then discards all security checks not applicable to Sinatra (49 security checks, in version 1.0, were designed specifically for Ruby on Rails) and applies the rest.

$ dawn ~/src/hacking/railsberry2013
18:40:27 [*] dawn v1.1.0 is starting up
18:40:27 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
18:40:27 [$] dawn: sinatra v1.4.2 detected
18:40:27 [$] dawn: applying all security checks
18:40:27 [$] dawn: 109 security checks applied - 0 security checks skipped
18:40:27 [$] dawn: 1 vulnerabilities found
18:40:27 [!] dawn: CVE-2013-1800 check failed
18:40:27 [$] dawn: Severity: high
18:40:27 [$] dawn: Priority: unknown
18:40:27 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
18:40:27 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
18:40:27 [$] dawn: Evidence:
18:40:27 [$] dawn:     Vulnerable crack gem version found: 0.3.1
18:40:27 [*] dawn is leaving
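The CVE-2013-1800 finding above is a dependency check: dawn reads the locked gem versions out of Gemfile.lock and compares each against the version a bulletin says is fixed. The following is an added example, not dawnscanner's code, that reimplements that one check in Python: a small Gemfile.lock parser, a version ordering that behaves like Gem::Version for plain dotted releases, and the rule (crack below 0.3.2, severity high) copied from the output above. SAMPLE_LOCK is a constructed lockfile excerpt for a Sinatra 1.4.2 application.

```python
"""Gemfile.lock dependency check of the kind dawn's CVE-2013-1800 test performs.

Added example, not dawnscanner's code. The rule is taken from the scan
output on this page; SAMPLE_LOCK is a constructed Gemfile.lock excerpt.
"""
import re

SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    crack (0.3.1)
    rack (1.5.2)
    rack-protection (1.5.0)
      rack
    sinatra (1.4.2)
      rack (~> 1.4)
      rack-protection (~> 1.4)
      tilt (~> 1.3, >= 1.3.4)
    tilt (1.4.1)

PLATFORMS
  ruby

DEPENDENCIES
  crack
  sinatra
"""

# Knowledge-base entry in the shape dawn reports it (one rule, from the output above).
RULES = [
    {"name": "CVE-2013-1800", "gem": "crack", "fixed_in": "0.3.2", "severity": "high",
     "solution": "Please use crack gem version 0.3.2 or above. Correct your gemfile"},
]

# Top-level specs sit at exactly four spaces; their dependency lines at six.
SPEC_RE = re.compile(r"^    (\S+) \(([^)]+)\)$")


def parse_specs(lock_text):
    """Return {gem_name: version} from every 'specs:' section of a Gemfile.lock."""
    specs, in_specs = {}, False
    for line in lock_text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and line and not line.startswith(" "):
            in_specs = False            # next section (PLATFORMS, DEPENDENCIES, ...)
        if in_specs:
            m = SPEC_RE.match(line)
            if m:
                specs[m.group(1)] = m.group(2)
    return specs


def version_key(version):
    """Order dotted numeric versions like Gem::Version does for releases.

    A non-numeric segment (a prerelease tag) sorts below any release number,
    which is the right side to err on for a vulnerable-below-X rule.
    """
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def check(lock_text, rules=RULES):
    """Apply each rule; a finding is emitted when the locked version is below fixed_in."""
    specs = parse_specs(lock_text)
    findings = []
    for rule in rules:
        found = specs.get(rule["gem"])
        if found is not None and version_key(found) < version_key(rule["fixed_in"]):
            findings.append({**rule, "found": found,
                             "evidence": f"Vulnerable {rule['gem']} gem version found: {found}"})
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_LOCK):
        print(f"[!] {f['name']} check failed (severity: {f['severity']})")
        print(f"    {f['evidence']}")
        print(f"    Solution: {f['solution']}")
```

The check only sees what is locked, which is also its limitation: a gem pulled in without a Gemfile.lock, or vendored code, is invisible to it, and a version string with platform suffixes needs the same care Gem::Version takes.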

When you run dawnscanner on a web application with up-to-date dependencies, it is likely to return a friendly "no vulnerabilities found" message. Keep it working that way!

This is dawnscanner running against a Padrino web application I wrote for a scorecard quiz game about application security. Italian language only. Sorry.

18:42:39 [*] dawn v1.1.0 is starting up
18:42:39 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
18:42:39 [$] dawn: padrino v0.11.2 detected
18:42:39 [$] dawn: applying all security checks
18:42:39 [$] dawn: 109 security checks applied - 0 security checks skipped
18:42:39 [*] dawn: no vulnerabilities found.
18:42:39 [*] dawn is leaving

If you need a fancy HTML report about your scan, just ask dawnscanner with the --html flag, used together with --file to save the HTML to disk.

$ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
09:00:54 [*] dawn v1.1.0 is starting up
09:00:54 [*] dawn: report.html created (2952 bytes)
09:00:54 [*] dawn is leaving

ImaginaryC2:Python Tool Help In Network Behavioral Analysis Of Malware

ImaginaryC2 is a Python tool which aims to help in the behavioral (network) analysis of malware. It hosts an HTTP server which captures HTTP requests towards selectively chosen domains/IPs.

Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.

By using this tool, an analyst can feed the malware consistent network responses. Additionally, the analyst can capture and inspect HTTP requests towards a domain/IP which is off-line at the time of the analysis.

Replay Packet Captures

Imaginary C2 provides two scripts to convert packet captures (PCAPs) or Fiddler Session Archives into request definitions which can be parsed by imaginary C2.

Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request.

Technical Details ImaginaryC2

Requirements: Imaginary C2 requires Python 2.7 and Windows.

Modules: Currently, Imaginary C2 contains three modules and two configuration files:

  • imaginary_c2.py: hosts Python's simple HTTP server; the main module.
  • redirect_to_imaginary_c2.py: alters the Windows hosts file and the Windows (IP) routing table so the chosen domains/IPs end up at localhost.
  • unpack_fiddler_archive.py and unpack_pcap.py: extract HTTP responses from Fiddler archives or packet captures and add the corresponding HTTP request domains and URLs to the configuration files.
  • redirect_config.txt: contains the domains and IPs which need to be redirected to localhost (to the Python HTTP server).
  • requests_config.txt: contains URL path definitions with the corresponding data sources.

Request definitions: each (HTTP) request defined in the request configuration consists of two parameters:

Parameter 1: HTTP request URL path (a.k.a. urlType)

  • fixed: the URL path is matched as a literal string
  • regex: a regex pattern is matched against the URL path

Parameter 2: HTTP response source (a.k.a. sourceType)

  • data: Imaginary C2 responds with the contents of a file on disk
  • python: Imaginary C2 runs a Python script; the script's output is the HTTP response body
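The two-parameter model above is small enough to show end to end. The following is an added example, not Imaginary C2's code and not its configuration-file syntax: each definition is a dict carrying urlType (fixed or regex) and sourceType (data or python), FAKE_FILES stands in for files on disk, gen_tasking is a constructed python source, and resolve() returns what the server would answer. serve() wraps the same logic in a real http.server on localhost (the port is an assumption), where the base class's request logging is the capture the tool is built for.

```python
"""Request-definition matching of the kind Imaginary C2 describes.

Added example, not Imaginary C2's code. Definitions are dicts with the two
parameters from the text: urlType ("fixed" | "regex") and sourceType
("data" | "python"). FAKE_FILES and gen_tasking are constructed stand-ins
so resolve() runs offline; serve() is a real local HTTP server.
"""
import http.server
import json
import re
import urllib.parse

# Constructed "disk": path -> bytes a data source would be read from.
FAKE_FILES = {
    "responses/beacon.bin": b"\x00\x01OKAY",
}


def gen_tasking(path, query):
    """A python source: emulate a C2 that echoes the bot id from the query string."""
    bot = query.get("id", ["unknown"])[0]
    return json.dumps({"bot": bot, "task": "sleep"}).encode()


DEFINITIONS = [
    {"urlType": "fixed", "url": "/gate.php",
     "sourceType": "data", "source": "responses/beacon.bin"},
    {"urlType": "regex", "url": r"^/api/v\d+/task$",
     "sourceType": "python", "source": gen_tasking},
]


def match(defs, path):
    """First definition whose urlType rule matches the path; None otherwise."""
    for d in defs:
        if d["urlType"] == "fixed" and path == d["url"]:
            return d
        if d["urlType"] == "regex" and re.search(d["url"], path):
            return d
    return None


def resolve(defs, url, files=FAKE_FILES):
    """Return (status, body) for a request URL, exactly as the server answers."""
    path, _, qs = url.partition("?")
    d = match(defs, path)
    if d is None:
        return 404, b""           # unknown path: still logged, but nothing to replay
    if d["sourceType"] == "data":
        return 200, files[d["source"]]
    if d["sourceType"] == "python":
        return 200, d["source"](path, urllib.parse.parse_qs(qs))
    raise ValueError(f"unknown sourceType {d['sourceType']!r}")


class Handler(http.server.BaseHTTPRequestHandler):
    """Every request line is logged to stderr by the base class: that is the capture."""

    def do_GET(self):
        status, body = resolve(DEFINITIONS, self.path)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)   # beacon body consumed (could be saved) before answering
        self.do_GET()


def serve(host="127.0.0.1", port=8080):
    """Bind locally only; hosts-file/route redirection sends the malware here."""
    http.server.HTTPServer((host, port), Handler).serve_forever()


if __name__ == "__main__":
    print(resolve(DEFINITIONS, "/gate.php"))
    print(resolve(DEFINITIONS, "/api/v2/task?id=bot7"))
    serve()
```

Order matters: the first matching definition wins, so put fixed paths before broad regexes. Keeping the listener on 127.0.0.1 and relying on the redirection step means the sample never reaches the real C2, which is the whole point of running the analysis this way.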


NETworkManager – A Powerful Tool For Managing Networks & Troubleshoot Network Problems

NETworkManager is a powerful tool for managing networks and troubleshooting network problems. These are the features that help manage a connected network and fix network-related issues:

  • Network Interface – Information, Configure
  • IP-Scanner
  • Port-Scanner
  • Ping
  • Traceroute
  • DNS Lookup
  • Remote Desktop
  • PuTTY (requires PuTTY)
  • TightVNC (requires TightVNC)
  • SNMP – Get, Walk, Set (v1, v2c, v3)
  • Wake on LAN
  • HTTP Headers
  • Whois
  • Subnet Calculator – Calculator, Subnetting, Supernetting
  • Lookup – OUI, Port
  • Connections
  • Listeners
  • ARP Table


Languages Supported

  • English
  • German
  • Russian
  • Spanish

NETworkManager System Dependencies

  • Windows 7/Server 2008 R2 or later
  • .NET-Framework 4.6
  • RDP 8.1

Malcom – Malware Communications Analyzer 2019

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and to cross-reference them with known malware sources.

This comes in handy when analyzing how certain malware species try to communicate with the outside world. This tool can help you to:

  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is ‘known-bad’

The aim of this tool is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.


Malcom Installation

It is written in Python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend using Python virtual environments (virtualenv) so as not to mess up your system libraries.

The following was tested on Ubuntu server 14.04 LTS:

Install git, python and libevent libs, mongodb, redis, and other dependencies

$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv

Clone the Git repo:

$ git clone https://github.com/tomchop/malcom.git malcom

Create your virtualenv and activate it:

$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate

Get and install scapy:

$ cd ..
$ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python setup.py install

Still from your virtualenv, install necessary python packages from the requirements.txt file:

$ cd ../malcom
$ pip install -r requirements.txt

For IP geolocation to work, you need to download the MaxMind database and extract it to the malcom/Malcom/auxiliary/geoIP directory. You can get MaxMind's free (and thus more or less accurate) database from http://dev.maxmind.com/geoip/geoip2/geolite2/:

$ cd Malcom/auxiliary/geoIP
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
$ gunzip -d GeoLite2-City.mmdb.gz
$ mv GeoLite2-City.mmdb GeoIP2-City.mmdb

Launch the webserver from the tools directory using ./malcom.py. Check ./malcom.py --help for the listen interface and ports.

For starters, you can copy the malcom.conf.example file to malcom.conf and run ./malcom.py -c malcom.conf.

Technical specs

It was written mostly from scratch, in Python. It uses the following frameworks to work:

  • flask – a lightweight python web framework
  • mongodb – a NoSQL database. It interfaces to python with pymongo
  • redis – An advanced in-memory key-value store
  • d3js – a JavaScript library that produces awesome force-directed graphs (https://github.com/mbostock/d3/wiki/Gallery)
  • bootstrap – a CSS framework that will eventually kill web design, but makes it extremely easy to quickly "webize" applications that would otherwise only work through a command prompt.

Disclaimer

This tool was coded during my free time. Like a huge number of tools we download and use daily, I wouldn't recommend using it in a production environment where data stability and reliability are a MUST.

  • It may be broken, have security gaps (running it as root in uncontrolled environments is probably not a good idea), or not work at all.
  • It’s written in python, so don’t expect it to be ultra-fast or handle huge amounts of data easily.
  • I’m no coder, so don’t expect to see beautiful pythonic code everywhere you look. Or lots of comments.

It’s in early stages of development.

Credit: Thomas Chopitea

Tcpreplay – Pcap Editing & Replay Tools For UNIX & Windows

Tcpreplay is a suite of GPLv3 licensed utilities for UNIX operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.

It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 packets and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs.

It supports both single and dual NIC modes for testing both sniffing and in-line devices.

It is also used by numerous firewall, IDS, IPS, NetFlow and other networking vendors, enterprises, universities, labs and open source projects.

If your organization uses Tcpreplay, please let us know who you are and what you use it for so that I can continue to add features which are useful.

Tcpreplay is designed to work with network hardware and normally does not penetrate deeper than Layer 2.

As of version 4.0, Tcpreplay has been enhanced to address the complexities of testing and tuning IP Flow/NetFlow hardware. Enhancements include:

  • Support for netmap modified network drivers for 10GigE wire-speed performance
  • Increased accuracy for playback speed
  • Increased accuracy of results reporting
  • Flow statistics including Flows Per Second (fps)
  • Flow analysis for analysis and fine tuning of flow expiry timeouts
  • Hundreds of thousands of flows per second (dependent flow sizes in pcap file)


Tcpreplay Installation

Simple directions for Unix users

You will need to compile the source code, but first you must ensure that you have compiling tools and prerequisite software installed. For example, on a base Ubuntu or Debian system you may need to do the following:

sudo apt-get install build-essential libpcap-dev

Next, extract the tarball, change to its root directory, then run:

./configure
make
sudo make install

Optionally you can run the tests to ensure that your installation is fully functional:

sudo make test


Instructions for Windows

Windows support for Tcpreplay is experimental (beta quality, if you will). We strongly recommend you read the page about how to get support for Tcpreplay.

With that said, you'll need Cygwin to compile/run tcpreplay. You'll also need to install WinPcap, the port of libpcap for Windows. For whatever reason, it seems important that you install the WinPcap files in the Cygwin root directory (/Wpdpack).

Be sure to install both the driver and DLL files AND developer pack. Then when you run ./configure, you’ll need to specify the location for Winpcap using the --with-libpcap flag, but use all lowercase: ./configure --with-libpcap=/wpdpack.

Note: We’ve been informed that the guile Cygwin package is broken. This horribly breaks parts of GNU Autogen – specifically the parts which allow you to build Tcpreplay via GitHub. Hence, I strongly recommend grabbing a tarball release.

Credit: Aaron Turner, Yazan Siam & Fred Klassen(Version 4.0)