Back Orifice debuted at DEF CON 6 on August 1, 1998. It was the brainchild of Sir Dystic, a member of the U.S. hacker organization Cult of the Dead Cow. According to the group, its purpose was to demonstrate the lack of security in Microsoft's operating system Windows 98.
The last version was bo2k (back orifice 2k) which previously had the source code open & available for download. Currently we have been unable to locate a copy of that source.
The Back Orifice Server Contains the Following Functionality
System control
Create dialog boxes with the text of your choice. Log keystrokes. Lockup or reboot the machine.
Get detailed system information, including:
current user
cpu type
windows version
memory usage
mounted disks
(including hard drives, cdroms, removable drives and remote network drives) and information for those drives
screensaver password
passwords cached by the user
(including those for dialups, web and network access, and any other password cached by the operating system)
File system control
Copy, rename, delete, view, and search files and directories. File compression and decompression.
Process control
List, kill, and spawn processes.
Registry control
List, create, delete and set keys and values in the registry.
Network control
View all accessible network resources, all incoming and outgoing connections, list, create and delete network connections, list all exported resources and their passwords, create and delete exports.
Multimedia control
Play wav files, capture screen shots, and capture video or still frames from any video input device (like a Quickcam).
Packet redirection
Redirect any incoming TCP or UDP port to any other address & port.
Application redirection
Spawn most console applications (such as command.com) on any TCP port, allowing control of applications via a telnet session.
HTTP server Upload and download files on any port using a www client such as Netscape.
GoldenEye is an python app for SECURITY TESTING PURPOSES ONLY!
GoldenEye is a HTTP DoS Test Tool.
Attack Vector exploited: HTTP Keep Alive + NoCache
GoldenEye is an HTTP/S Layer 7 denial of service testing tool. It uses KeepAlive (and Connection: keep-alive) paired with Cache-Control options to persist socket connection busting through caching (when possible) until it consumes all available sockets on the HTTP/S server.
Changes: Referer strings from search engines now only domain part hardcoded. Referer generation function now generates even more random referers. Evades Juniper Netscreen signature. Various other updates and improvements.
OLD:
Usage
USAGE: ./goldeneye.py [OPTIONS]
OPTIONS:
Flag Description Default
-t, --threads Number of concurrent threads (default: 500)
-m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
-d, --debug Enable Debug Mode [more verbose output] (default: False)
-h, --help Shows this help
NEW:
USAGE: ./goldeneye.py [OPTIONS]
OPTIONS:
Flag Description Default
-u, --useragents File with user-agents to use (default: randomly generated)
-w, --workers Number of concurrent workers (default: 50)
-s, --sockets Number of concurrent sockets (default: 30)
-m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
-d, --debug Enable Debug Mode [more verbose output] (default: False)
-h, --help Shows this help
Utilities
util/getuas.py - Fetchs user-agent lists from http://www.useragentstring.com/pages/useragentstring.php subpages (ex: ./getuas.py http://www.useragentstring.com/pages/Browserlist/) REQUIRES BEAUTIFULSOUP4
XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by “XSS-Proxy – http://xss-proxy.sourceforge.net/”. Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.
Installation
XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.
Install Admin Interface
Copy “xssshell” folder into your web server
Copy “db” to a secure place (below root)
Configure “database path” from “xssshell/db.asp”
Modify hard coded password in db.asp [default password is : w00t]
Now you can access admin interface from something like http://[YOURHOST]/xssshell/
Configure XSS Shell for communication;
Open xssshell.asp
2. Set “SERVER” variable to where your XSSShell folder is located. i.e: “http://[YOURHOST]/xssshell/”;
3. Be sure to check “ME”, “CONNECTOR”, “COMMANDS_URL” variables. If you changed filenames, folder names or some kind of different configuration you need modify them.
Now open your admin interface from your browser,
To test it, just modify “sample_victim/default.asp” source code and replace “http://attacker:81/release/xssshell.js” URL with your own XSS Shell URL. Open “sample_victim” folder in some other browser and may be upload in to some other server.
Now you should see a zombie in admin interface. Just write something into “parameters” textarea and click “alert()”. You should see an alert message in victim’s browser.
Security Notes
As a hunter be careful about possible “Backfire” in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
Checkout “showdata.asp” and implement your own “filter()” function to make it safer for you.
Put “On error resume next” to db.asp, better modify your web server to not show any error.
Lazy-Kali Bash Script:
A bash script for when you feel lazy.
Adds quite a few tools to Kali Linux.
Bleeding Edge Repos
AngryIP Scanner
Terminator
Xchat
Unicornscan
Nautilus Open Terminal
Simple-Ducky
Subterfuge
Ghost-Phisher
Yamas
PwnStar
Ettercap0.7.6
Xssf
Smbexec
Flash
Java
Easy-Creds
Java
... and more!
Lazy-Kali will also update Kali, Start Metaploit Services, Start Stop And Update Open-Vas
This is the first version, script is self updating so more will be added in a short time. Will try to add requested features.
PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers.
NOTE: The toolkit itself is not able to crack passwords, but instead designed to make operation of password crackers more efficient.
StatsGen
The most basic analysis that you can perform is simply obtaining most common length, character-set and other characteristics of passwords in the provided list. In the example below, we will use 'rockyou.txt' containing approximately 14 million passwords. Launch statsgen.py with the following command line:
$ python statsgen.py rockyou.txt
Using filters
Let's see how RockYou users tend to select their passwords using the "stringdigit" simple mask (a string followed by numbers):
$ python statsgen.py ../PACK-0.0.3/archive/rockyou.txt --simplemask stringdigit -q --hiderare
Saving advanced masks
While the "Advanced Mask" section only displays patterns matching greater than 1% of all passwords, you can obtain and save a full list of password masks matching a given dictionary by using the following command:
$ python statsgen.py rockyou.txt -o rockyou.masks
MaskGen
MaskGen allows you to craft pattern-based mask attacks for input into Hashcat family of password crackers. The tool uses output produced by statsgen above with the '-o' flag in order to produce the most optimal mask attack sorted by mask complexity, mask occurrence or ratio of the two (optimal index).
Let's run MaskGen with only StatGen's output as an argument:
$ python maskgen.py rockyou.masks
Specifying target time
wifite is a tool to attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.
Features
sorts targets by signal strength (in dB); cracks closest access points first
automatically de-authenticates clients of hidden networks to reveal SSIDs
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
customizable settings (timeouts, packets/sec, etc)
"anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
all captured WPA handshakes are backed up to wifite.py's current directory
smart WPA de-authentication; cycles between all clients and broadcast deauths
stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
displays session summary at exit; shows any cracked keys
all passwords saved to cracked.txt
built-in updater: ./wifite.py -upgrade
Requirements
linux operating system (confirmed working on Backtrack 5, BackBox, BlackBuntu, Pentoo, Ubuntu 8.10 (BT4R1), Ubuntu 10.04, Debian 6, Fedora 16)
tested working with python 2.6.x, and python 2.7.x,
wireless drivers patched for monitor mode and injection. Most security distributions (Backtrack, BlackBuntu, etc) come with wireless drivers pre-patched,
aircrack-ng (v1.1) suite
Execution
download the latest version:
wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py
change permissions to executable:
chmod +x wifite.py
execute:
python wifite.py
or, to see a list of commands with info:
./wifite.py -help
A Linux packet crafting tool. Supports IPv4, IPv6 including extension headers, and tunneling IPv6 over IPv4. Written in C on Linux with GUI built using GTK+ and released under GPLv3. Does not require pcap.
Features:
1) Packet crafting and sending one, multiple, or flooding IPv4 and IPv6 packets of type TCP, ICMP, or UDP (or cycle through all three). All values within ethernet frame can be modified arbitrarily. Supports IPv4 header options, TCP header options, and TCP, ICMP and UDP data as well, input from either: keyboard as UTF-8/ASCII, keyboard as hexadecimal, or from file.
2) IPv6 support includes: hop-by-hop, "first" and "last" destination, routing, authentication, and encapsulating security payload (ESP) extension headers. For those without access to a native IPv6 network, IPv6 packets can be transmitted over IPv4 (6to4).
3) Packet fragmentation for IPv4, IPv6, and 6to4. Assumed maximum transmission unit (MTU) can be changed if unusual fragment sizes are needed.
4) IP addresses and port numbers can be randomized.
5) A configurable traceroute function, which supports TCP, ICMP, and UDP packets with all the features mentioned above.
6) View packets in hexadecimal/ASCII representation, in both unfragmented and fragmented forms.
7) All packet settings can be saved to and loaded from file.
IP and ASN delegation functions, including: country name/code search and reverse-search, autonomous system (AS) number search by country and reverse-search, IPv4 and IPv6 address delegation search and reverse-search.
9) ARP (IPv4) and Neighbor Discovery (IPv6) for querying a LAN for MAC addresses of local nodes.
10) Retrieve MAC address and current MTU setting of any attached network interface.
11) Domain name resolution and reverse resolution.
(Translation provided by google)
DDoS attacks via other sites execution tool (DAVOSET) - a tool for use by Abuse of Functionality and XML External Entities vulnerabilities at some sites for attacks on other sites (including DoS and DDoS attacks). Which was developed by me in 2010.
On these attacks, I wrote the article sites use to attack other sites . In the article the effectiveness of the attacks on sites through the use of other sites I announced DAVOSET and explored the effectiveness of these attacks. I also wrote about the benefits of these attacks .
This tool is written in perl.
SSH Back is a set of shell scripts that assist you in shuffling an ssh connection over socat and ssl.
OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.
OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or watch for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or comercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.
Simply give it a logfile entry in one of the supported formats, and it will provide you with the PCAP.
For more information, visit the OpenFPC project home at http://www.openfpc.org
Features and futures
Automated install on Debain and RH style distributions
Extraction of single streams based on event occurrence time, or start/end timestamps
Extracts stream data based on common logfile/alert formats
Distributed collection with central extraction Optional compression and extract checksums Ability to request data from external tools/user interfaces
TODO
Central web-based UI for stream/data extraction from distributed remote storage buffers
Automatic calculation of an optimal configuration for extraction speed based on available storage.