Wi-fEye is an automated wirelress penetration testing tool written in python , its designed to simplify common attacks that can be performed on wifi networks so that they can be executed quickly and easily.

Wifi has three main menus :
Cracking menu: contains attacks that could allow us to crack wifi passwords weather is WEP , WPA or WPA2:
Enable monitor mode
View avalale Wireless Networks
Launch Airodump-ng on a specific AP
WEP cracking: here you can perform a number of attacks to crack WEP passwords :
Interactive packet replay.
Fake Authentication Attack.
Korek Chopchop Attack.
Fragmentation Attack.
Hirte Attack (cfrag attack).

WPA Cracking: here you can perform a number of attacks to crack WPA passwords , this menu is devided into two sections:
launch a brute force attack against a WPS-enabled network to crack WPA/WPA2 without a dictionary.
Obtain handshake: This will automatically attempt to obtain the handshake
Cracking: After obtaining the handshake or if you have the handshake ready then you can attempt to crack it in this section , you can choose to use you wordlist straight away with aircrack-ng or you can add to a table and then crack the password.

MITM: this menu will allow you to do the following Automatically:
Enable IP forwarding.
ARP Spoof.
Launch ettercap (Text mode).
Sniff SSL/HTTPS traffic.
Sniff URLs and send them to browser.
Sniff images.
DNS Spoof.
HTTP Session Hijacking (using Hamster).

Others: this menu will allow you to o the following automatically:
Change MAC Address.
Create a fake access point.
Hijack software updates (using Evilgrade).


Tools for fingerprinting and exploiting Amazon cloud infrastructures. These tools are a PoC which I developed for my "Pivoting in Amazon clouds" talk, developed using the great boto library for accessing Amazon's API.

The nimbostratus toolset is usually used together with nimbostratus-target, which helps you setup a legal environment where this tool can be tested.

git clone [email protected]:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt

Providing AWS credentials
Some nimbostratus sub-commands require you to provide AWS credentials. They are provided using the following command line arguments:
--token , which is only used when the credentials were extracted from the instance profile.

Dump credentials
Identify the credentials available in this host and prints them out to the console. This is usually the first command to run after gaining access to an EC2 instance.
$ nimbostratus dump-credentials
Found credentials
Access key: ...
Secret key: ...

Once you've got the credentials from an EC2 instance you've exploited, you can continue to work from any other host with internet access (remember: EC2 instances are in many cases spawned for a specific task and then terminated).

IMPORTANT: This will extract information from boto's credential configuration sources and from the instance meta-data. If the system uses other libraries to connect to AWS the credentials won't be dumped.

Dump permissions
This tool will dump all permissions for the provided credentials. This tool is commonly used right after dump-credentials to know which permissions are available for you.
$ nimbostratus dump-permissions --access-key=... --secret-key=...
Starting dump-permissions
These credentials belong to low_privileged_user, not to the root account
Getting access keys for user low_privileged_user
User for key AKIAIV...J6KVA is low_privileged_user

LFI ExplOiter

LFI ExplOiter is an open source penetration testing tool that automates the process of detecting and exploiting Local FIle Inclusion.


Web-Spa is a Java web knocking tool for sending a single HTTP/S request to your web server, in order to authorize the execution of a premeditated Operating System (O/S) command on it.

This is equivalent to port-knocking on the web layer, but with much more control: All O/S commands must be pre-defined and have a time-window of execution. Also, all users have to be registered and authorized to run any given action.

In running the standalone jar file (i.e.
webspa-{xx}.jar, you have to select one of the
following four (4) options:

-client : Run the client, generate requests
-help : Print this usage message
-server : Run the server
-version : 0.6

If no option is selected, the help message
detailing the above options will be displayed.

With each download of the standalone jar file
(i.e. webspa-{xx}.zip, see section above)
there is a rather basic shell script available,
named ''.

This script performs a `which java` and sets
the initial and maximum Java heap size.

This script needs to be chmod-ed to have execute
permissions. If you have followed the
instructions above and placed web-spa in /opt
issue the following:

bash-3.00# chmod 744 /opt/web-spa-0.6/

You can test the web-spa script, by issuing:
bash-3.00# ./ -version

You will be required to have a java 1.6 JRE or
JDK installed. For more information see the

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.


The goal of cvechecker is to report about possible vulnerabilities on your system, by scanning the installed software and matching the results with the CVE database. Indeed, this is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn't able to detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.

Still, the tool remains useful. With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system. You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).

Ip phone Scanning Made Easy (ISME)

Ip phone Scanning Made Easy (ISME) scans a VOIP environment, adapts to enterprise VOIP, and exploits the possibilities of being connected directly to an IP Phone VLAN. It seeks to get the phone's configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded Web server and Web server banner, identify the editor by MAC address, and identify potential default login/password combinations which should be changed.

The following libraries are needed:
· LWP::UserAgent; #
· HTML::Parser; #
· Net::Ping; #
· Net::Netmask; #
· Net::Subnets;
· Net::TFTP; #
· Net::DHCP::Packet; #
· Net::DHCP::Constants; #
· Net::Libdnet::Arp;
· Crypt::SSLeay; #
· LWP::Protocol::https ; #
· Mozilla ::CA;#s
· HTTP::Request::Common; #
· Net::Subnets
· Tk; #
· Net::RawIP; #
· Net::SSH
· SIP/Digest
Take care, even if libraries are not explicitly declared in the script, there are needed
Java must be installed on the computer if you intend to use Fuzzing SIP – Protos.

satyr's openssh autobackdooring doohicky

This script provides OpenSSH backdoor functionality with a magic password and logs passwords as well. It leverages the same basic idea behind common OpenSSH patches but this script attempts to make the process version agnostic. Use at your own risk.

# ============================================
# satyr's openssh autobackdooring doohicky v0.-1
#  [email protected]
# ============================================
#      Run this script with no args and it'll prompt for the "Magic" password and location to log passwords to (incoming and outgoing).
#      If you give the location that passwords will be logged to as an arg, this script will try to automate almost everything
#      (Like common openssh compiling problems, such as missing pam, kerberos, zlib, openssl-devel, etc.
#      [it'll install them via apt or yum, whichever is available]).
#      Note: This script will delete itself once it's fairly sure the openssh compile went smoothly.
#      It's up to you to clean the logs of those yum/apt installs if they're needed, and to restart sshd.
# ============================================
# WTF:
#      I noticed that most openssh code doesn't change too much among versions, and that most openssh backdoors are
#      just diff patches for specific versions of openssh. So I thought it would be nice to have a script that applies
#      such a patch based on those similar chunks of code instead of relying on diff patches so that it can be done on different
#      versions without any modifying (I've seen kiddies apply backdoor patches for a version of openssh that wasn't
#      originally being used on the box, which is just lazy & dumb).
#      So I wrote up this to make the whole process a bit easier (For use in my own private network of course o.O)
# ============================================

MBR Data Hider, MBR Store

This tool stores up to 426 bytes in the MBR's bootloader code section of unused devices such as usb drivers, hrd disks (which are not supposed to boot) and other media. GRUB detection is implemented for safety reasons, Windows bootloader code will be shamelessly overwritten.


JBrute is an open source tool written in Java to audit security and stronghold of stored password for several open source and commercial apps. It is focused to provide multi-platform support and flexible parameters to cover most of the possible password-auditing scenarios.
Java Runtime version 1.7 or higher is required for running JBrute.

Muli-platform support (by Java VM)
Several hashing algorithms supported
Flexible chained hashes decryption (like MD5(SHA1(MD5())))
Both brute force and dictionary decryption methods supported
Build-In rule pre-processor for dictionary decryption
Multi-threading support for both brute force decryption and dictionary decryption

Supported algorithms:

Author: Gonzalo L. Camino
Icon Art: Ivan Zubillaga
Made in: Argentina

Syndicate content