$ git clone https://github.com/guelfoweb/knock.git $ cd knock $ nano knockpy/config.json <- set your virustotal API_KEY $ sudo python setup.py install
Note : It’s recommended to use Google DNS: 8.8.8.8 and 8.8.4.4
Knockpy arguments
$ knockpy -h usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain knock subdomain scan knockpy v.4.1 Author: Gianni ‘guelfoweb’ Amato Github: https://github.com/guelfoweb/knock positional arguments: domain target to scan, like domain.com optional arguments: -h, –help show this help message and exit -v, –version show program’s version number and exit -w WORDLIST specific path to wordlist file -r, –resolve resolve ip or domain name -c, –csv save output in csv -f, –csvfields add fields name to the first row of csv output file -j, –json export full report in JSON example: knockpy domain.com knockpy domain.com -w wordlist.txt knockpy -r domain.com or IP knockpy -c domain.com
Note : For virustotal subdomains support you can setting your API_KEY in the config.json file.
git clone https://github.com/jm33-m0/massExpConsole.git && cd massExpConsole && ./install.py
when installing pypi deps, apt-get install libncurses5-dev (for Debian-based distros) might be needed
now you should be good to go (if not, please report missing deps here)
type proxy command to run a pre-configured Shadowsocks socks5 proxy in the background, vim ./data/ss.json to edit proxy config. and, ss-proxy exits with mec.py
Requirements
GNU/Linux, WSL, MacOS (not tested), fully tested under Arch Linux, Kali Linux (Rolling, 2018), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all deps)
Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website.
Present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.
You can either use a precompiled binary package for your architecture or you can compile evilginx2 from source.
You will need an external server where you’ll host your evilginx2 installation. I personally recommend Digital Ocean and if you follow my referral link, you will get an extra $10 to spend on servers for free.
Evilginx runs very well on the most basic Debian 8 VPS.
Installing from source
In order to compile from source, make sure you have installed GO of version at least 1.10.0 (get it from here) and that $GOPATH environment variable is set up properly (def. $HOME/go).
After installation, add this to your ~/.profile, assuming that you installed GO in /usr/local/go:
or just launch evilginx2 from the current directory (you will also need root privileges):
chmod 700 ./evilginx sudo ./evilginx
Usage
IMPORTANT! Make sure that there is no service listening on ports TCP443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.
By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.
Usage of ./evilginx: -debug Enable debug output -developer Enable developer mode (generates self-signed certificates for all hostnames) -p string Phishlets directory path
You should see evilginx2 logo with a prompt to enter commands. Type helpor help <command> if you want to see available commands or more detailed information on them.
Getting Started
To get up and running, you need to first do some setting up.
At this point I assume, you’ve already registered a domain (let’s call it yourdomain.com) and you set up the nameservers (both ns1 and ns2) in your domain provider’s admin panel to point to your server’s IP (e.g. 10.0.0.1):
Set up your server’s domain and IP using following commands:
config domain yourdomain.com config ip 10.0.0.1
Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):
And now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:
phishlets enable linkedin
Your phishing site is now live. Think of the URL, you want the victim to be redirected to on successful login and get the phishing URL like this (victim will be redirected to https://www.google.com):
phishlets get-url linkedin https://www.google.com
Running phishlets will only respond to tokenized links, so any
scanners who scan your main domain will be redirected to URL specified
as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use phishlet hide/unhide <phishlet> command.
You can monitor captured credentials and session cookies with:
sessions
To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:
sessions
The captured session cookie can be copied and imported into Chrome browser, using EditThisCookie extension.
Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.
Video Tutorial
https://vimeo.com/281220095
Disclaimer
We very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do.
It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks.
Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.
Novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.
Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements “virtual commands” that make it possible to upload, download, edit, and view remote files locallly using your preferred applications.
View the available trojans with novahot trojan list.
Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)
Change the control password in the newly-created trojan.
Upload the trojan to a web-accessible location on the target.
Configure target information in the targets property in ~/.novahotrc.
Run novahot shell<target> to open a shell.
Shell Modes
Internally, novahot uses “modes” and “adapters” to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.
To change novahot’s mode, issue the appropriate “dot command”:
(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)
For example, the mysql mode makes it possible to directly run queries like the following:
mysql>SELECT ID, user_login, user_email, user_pass FROM wp_users;
Virtual Commands
Novahot implements four “virtual commands” that utilize payloads built in to the trojans to extend the functionality of the shell:
Download
download <remote-filename> [<local-filename>]
Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> if specified.
Upload
upload <local-filename> [<remote-filename>]
Uploads <local-filename> to the shell’s cwd, and optionally renames <local-filename> to <remote-filename> if specified.
View
view <remote-filename> [<local-filename>]
Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> After downloading, the file will be opened by the “viewer” application specified in the configs.
Edit
edit <remote-filename>
Downloads <remote-filename> to a temporary file, and then opens that file for editing using the “editor” specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.
Provisioning a Test Environment
This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application (“DVWA”). Steps for provisioning the environment vary depending on the capabilities of your physical host.
Using docker-compose
If you have docker and docker-compose installed on your physical host, you may simply do the following:
Clone and cd to this repository
Run: docker-composeup
After the docker container starts, the DVWA will be accessible at http://localhost:80.
Using Vagrant
If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual-machine:
Clone and cd to this repository
Provision a virtual machine: vagrant up
SSH into the virtual machine: vagrant ssh
Start the docker container: sudo su; cd /vagrant; docker-compose up
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.
WPScan effectively scans your WordPress website and checks the vulnerabilities within the core version, plugins, themes, etc helping to spot the security issues.
Firstly, install WPScan! Installation can be done through github git clone https://github.com/wpscanteam/wpscanN
Go to the directory where you have downloaded wpscan and install the bundle files. bundle install && rake install
Now, we are ready to use WPScan! wpscan –url http://target.tld –enumerate u Use the command according to your necessity. As in,
u= User information p =Plugins t=themes
This basic command will scan your website and identifies the active themes and other exposed vulnerable information
Exposed webserver type of the website
The Administrative Login page of the WordPress Site
The exposed WordPress version
Vulnerable Plugins in the website will be fetched, depicting its various categories right from the most vulnerable ones [with a red exclamation mark] upto the plugins which aren’t updated. Meaning, each and every vulnerable information will be represented.
Vulnerable themes
You can see the list of vulnerabilities identified specifically with respect to your website:
You can scan your website thoroughly to check vulnerabilities and isolate them!
The OWASP ModSecurity Core Rule Set or CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
After download, copy crs-setup.conf.example to crs-setup.conf. Optionally edit this file to configure your CRS settings. Then include the files in your webserver configuration:
Include /.../crs-setup.confInclude /.../rules/*.conf
For detailed installation instructions, see the INSTALL document. Also review the CHANGES and KNOWN_BUGS documents.
You can update the rule set using the included script util/upgrade.py.
Handling False Positives and Advanced Features
Advanced features are explained in the crs-setup.conf and the rule files themselves. The crs-setup.conf file is generally a very good entry point to explore the features of the CRS.
We are trying hard to reduce the number of false positives (false alerts) in the default installation. But sooner or later, you may encounter false positives nevertheless.
The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
Credit: Chaim Sanders, Walter Hop & Christian Folini
Hayat tool used for Google Cloud Platform Auditing & Hardening Script.
What does that mean Hayat?
Well, I had a hard time finding a unique name, honestly. “Hayat” is a Turkish word which means “Life” in English and also my niece’s name. Are you ready to meet her?
Hayat is a auditing & hardening script for Google Cloud Platform services such as:
Secret Keeper is a file encryptor written in python which encrypt your files using Advanced Encryption Standard (AES). CBC Mode is used when creating the AES cipher wherein each block is chained to the previous block in the stream.
LightBulb Framework is an open source python framework for auditing web application firewalls and filters.
LightBulb Framework Synopsis
The framework consists of two main algorithms:
GOFA: An active learning algorithm that infers symbolic representations of automate in the standard membership/equivalence query model.
Active learning algorithms permits the analysis of filter and sanitizer programs remotely, i.e. given only the ability to query the targeted program and observe the output.
SFADiff: A black-box differential testing algorithm based on Symbolic Finite Automate (SFA) learning
Finding differences between programs with similar functionality is an important security problem as such differences can be used for fingerprinting or creating evasion attacks against security software like Web Application Firewalls (WAFs) which are designed to detect malicious inputs to web applications.
In order to use the application without complete package installation:
git clone https://github.com/lightbulb-framework/lightbulb-framework
cd lightbulb-framework
make
lightbulb status
In order to perform complete package installation. You can also install it from pip repository. This requires first to install the latest setuptools version:
pip install setuptools --upgrade
pip install lightbulb-framework
lightbulb status
The “lightbulb status” command will guide you to install MySQLdb and OpenFst support. If you use virtualenv in linux, the “sudo” command will be required only for the installation of libmysqlclient-dev package.
It should be noted that the “lightbulb status” command is not necessary if you are going to use the Burp Extension.
The reason is that this command installs the “openfst” and “mysql” bindings and the extension by default is using Jython, which does not support C bindings.
It is recommended to use the command only if you want to change the Burp extension configuration from the settings and enable the native support.
It is also possible to use a docker instance:
docker pull lightbulb/lightbulb-framework
Install Burp Extension
If you wish to use the new GUI, you can use the extension for the Burp Suite. First you have to setup a working environment with Burp Proxy and Jython