Mac OS

Apple Mac OS X

Tunna

Tunna is a tool designed to bypass firewall restrictions on remote webservers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP).

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. The web application file must be uploaded on the remote server. It will be used to make a local connection with services running on the remote web server or any other server in the DMZ. The local application communicates with the webshell over the HTTP protocol. It also exposes a local port for the client application to connect to.
Since all external communication is done over HTTP it is possible to bypass the filtering rules and connect to any service behind the firewall using the webserver on the other end.

Tunna framework
Tunna framework comes witht he following functionality:
SECFORCE - penetration testing Ruby client - proxy bind: Ruby client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
SECFORCE - penetration testing Python client - proxy bind: Python client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
SECFORCE - penetration testing Metasploit integration module, which allows transparent execution of metasploit payloads on the server
SECFORCE - penetration testing ASP.NET remote script
SECFORCE - penetration testing Java remote script
SECFORCE - penetration testing PHP remote script

Author
Tunna has been developed by Nikos Vassakis.

Sparty

Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.

# python sparty_beta_v_0.1.py -h
        ---------------------------------------------------------------
                                                                 
          _|_|_|    _|_|_|     _|_|    _|_|_|    _|_|_|_|_|  _|      _|  
         _|        _|    _|  _|    _|  _|    _|      _|        _|  _|    
           _|_|    _|_|_|    _|_|_|_|  _|_|_|        _|          _|      
               _|  _|        _|    _|  _|    _|      _|          _|      
         _|_|_|    _|        _|    _|  _|    _|      _|          _|      

        SPARTY : Sharepoint/Frontpage Security Auditing Tool!
        Authored by: Aditya K Sood |{0kn0ck}@secniche.org  | 2013
        Twitter:     @AdityaKSood
        Powered by: IOActive Labs !
       
        --------------------------------------------------------------
Usage: sparty_beta_v_0.1.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Frontpage::
    -f FRONTPAGE, --frontpage=FRONTPAGE
                        <FRONTPAGE = pvt | bin> -- to check access permissions
                        on frontpage standard files in vti or bin directory!

  Sharepoint::
    -s SHAREPOINT, --sharepoint=SHAREPOINT

Wi-fEye

Wi-fEye is an automated wirelress penetration testing tool written in python , its designed to simplify common attacks that can be performed on wifi networks so that they can be executed quickly and easily.

Wifi has three main menus :
Cracking menu: contains attacks that could allow us to crack wifi passwords weather is WEP , WPA or WPA2:
Enable monitor mode
View avalale Wireless Networks
Launch Airodump-ng on a specific AP
WEP cracking: here you can perform a number of attacks to crack WEP passwords :
Interactive packet replay.
Fake Authentication Attack.
Korek Chopchop Attack.
Fragmentation Attack.
Hirte Attack (cfrag attack).
Wesside-ng.

WPA Cracking: here you can perform a number of attacks to crack WPA passwords , this menu is devided into two sections:
launch a brute force attack against a WPS-enabled network to crack WPA/WPA2 without a dictionary.
Obtain handshake: This will automatically attempt to obtain the handshake
Cracking: After obtaining the handshake or if you have the handshake ready then you can attempt to crack it in this section , you can choose to use you wordlist straight away with aircrack-ng or you can add to a table and then crack the password.

MITM: this menu will allow you to do the following Automatically:
Enable IP forwarding.
ARP Spoof.
Launch ettercap (Text mode).
Sniff SSL/HTTPS traffic.
Sniff URLs and send them to browser.
Sniff images.
DNS Spoof.
HTTP Session Hijacking (using Hamster).

Others: this menu will allow you to o the following automatically:
Change MAC Address.
Create a fake access point.
Hijack software updates (using Evilgrade).

Nimbostratus

Tools for fingerprinting and exploiting Amazon cloud infrastructures. These tools are a PoC which I developed for my "Pivoting in Amazon clouds" talk, developed using the great boto library for accessing Amazon's API.

The nimbostratus toolset is usually used together with nimbostratus-target, which helps you setup a legal environment where this tool can be tested.

Installation
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt

Usage
Providing AWS credentials
Some nimbostratus sub-commands require you to provide AWS credentials. They are provided using the following command line arguments:
--access-key
--secret-key
--token , which is only used when the credentials were extracted from the instance profile.

Dump credentials
Identify the credentials available in this host and prints them out to the console. This is usually the first command to run after gaining access to an EC2 instance.
$ nimbostratus dump-credentials
Found credentials
Access key: ...
Secret key: ...

Once you've got the credentials from an EC2 instance you've exploited, you can continue to work from any other host with internet access (remember: EC2 instances are in many cases spawned for a specific task and then terminated).

IMPORTANT: This will extract information from boto's credential configuration sources and from the instance meta-data. If the system uses other libraries to connect to AWS the credentials won't be dumped.

Dump permissions
This tool will dump all permissions for the provided credentials. This tool is commonly used right after dump-credentials to know which permissions are available for you.
$ nimbostratus dump-permissions --access-key=... --secret-key=...
Starting dump-permissions
These credentials belong to low_privileged_user, not to the root account
Getting access keys for user low_privileged_user
User for key AKIAIV...J6KVA is low_privileged_user

Web-Spa

Web-Spa is a Java web knocking tool for sending a single HTTP/S request to your web server, in order to authorize the execution of a premeditated Operating System (O/S) command on it.

This is equivalent to port-knocking on the web layer, but with much more control: All O/S commands must be pre-defined and have a time-window of execution. Also, all users have to be registered and authorized to run any given action.

In running the standalone jar file (i.e.
webspa-{xx}.jar, you have to select one of the
following four (4) options:

-client : Run the client, generate requests
-help : Print this usage message
-server : Run the server
-version : 0.6

If no option is selected, the help message
detailing the above options will be displayed.

With each download of the standalone jar file
(i.e. webspa-{xx}.zip, see section above)
there is a rather basic shell script available,
named 'web-spa.sh'.

This script performs a `which java` and sets
the initial and maximum Java heap size.

This script needs to be chmod-ed to have execute
permissions. If you have followed the
instructions above and placed web-spa in /opt
issue the following:

bash-3.00# chmod 744 /opt/web-spa-0.6/web-spa.sh

You can test the web-spa script, by issuing:
bash-3.00# ./web-spa.sh -version
0.6
bash-3.00#

You will be required to have a java 1.6 JRE or
JDK installed. For more information see the
INSTALL file.

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Ip phone Scanning Made Easy (ISME)

Ip phone Scanning Made Easy (ISME) scans a VOIP environment, adapts to enterprise VOIP, and exploits the possibilities of being connected directly to an IP Phone VLAN. It seeks to get the phone's configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded Web server and Web server banner, identify the editor by MAC address, and identify potential default login/password combinations which should be changed.

The following libraries are needed:
· LWP::UserAgent; # http://search.cpan.org/~gaas/libwww-perl-
6.03/lib/LWP/UserAgent.pm
· HTML::Parser; # http://search.cpan.org/dist/HTML-Parser/Parser.pm
· Net::Ping; # http://search.cpan.org/~smpeters/Net-Ping-2.36/lib/Net/Ping.pm
· Net::Netmask; # http://search.cpan.org/dist/Net-Netmask/
· Net::Subnets;
· Net::TFTP; # http://search.cpan.org/~gbarr/Net-TFTP-0.16/TFTP.pm
· Net::DHCP::Packet; # http://search.cpan.org/~djzort/Net-DHCP-
0.69/lib/Net/DHCP/Packet.pm
· Net::DHCP::Constants; # http://search.cpan.org/~djzort/Net-DHCP-
0.69/lib/Net/DHCP/Constants.pm
· Net::Libdnet::Arp;
· Crypt::SSLeay; #http://search.cpan.org/~nanis/Crypt-SSLeay/SSLeay.pm
· LWP::Protocol::https ; #http://search.cpan.org/~gaas/LWP-Protocol-https-
6.02/lib/LWP/Protocol/https.pm
· Mozilla ::CA;#s http://search.cpan.org/~abh/Mozilla-CA-
20111025/lib/Mozilla/CA.pm
· HTTP::Request::Common; # http://search.cpan.org/~gaas/HTTP-Message-
6.02/lib/HTTP/Request/Common.pm
· Net::Subnets
· Tk; #http://search.cpan.org/~ni-s/Tk-804.027/pod/UserGuide.pod
· Net::RawIP; #http://search.cpan.org/~saper/Net-RawIP-0.25/lib/Net/RawIP.pm
· Net::SSH
· SIP/Digest
Take care, even if libraries are not explicitly declared in the script, there are needed
nonetheless.
Java must be installed on the computer if you intend to use Fuzzing SIP – Protos.

satyr's openssh autobackdooring doohicky

This script provides OpenSSH backdoor functionality with a magic password and logs passwords as well. It leverages the same basic idea behind common OpenSSH patches but this script attempts to make the process version agnostic. Use at your own risk.

# ============================================
# satyr's openssh autobackdooring doohicky v0.-1
#  ImpendingSatyr@gmail.com
# ============================================
# USAGE:
#      Run this script with no args and it'll prompt for the "Magic" password and location to log passwords to (incoming and outgoing).
#      If you give the location that passwords will be logged to as an arg, this script will try to automate almost everything
#      (Like common openssh compiling problems, such as missing pam, kerberos, zlib, openssl-devel, etc.
#      [it'll install them via apt or yum, whichever is available]).
#      Note: This script will delete itself once it's fairly sure the openssh compile went smoothly.
#      It's up to you to clean the logs of those yum/apt installs if they're needed, and to restart sshd.
# ============================================
# WTF:
#      I noticed that most openssh code doesn't change too much among versions, and that most openssh backdoors are
#      just diff patches for specific versions of openssh. So I thought it would be nice to have a script that applies
#      such a patch based on those similar chunks of code instead of relying on diff patches so that it can be done on different
#      versions without any modifying (I've seen kiddies apply backdoor patches for a version of openssh that wasn't
#      originally being used on the box, which is just lazy & dumb).
#      So I wrote up this to make the whole process a bit easier (For use in my own private network of course o.O)
# ============================================

MBR Data Hider, MBR Store

This tool stores up to 426 bytes in the MBR's bootloader code section of unused devices such as usb drivers, hrd disks (which are not supposed to boot) and other media. GRUB detection is implemented for safety reasons, Windows bootloader code will be shamelessly overwritten.

JBrute

JBrute is an open source tool written in Java to audit security and stronghold of stored password for several open source and commercial apps. It is focused to provide multi-platform support and flexible parameters to cover most of the possible password-auditing scenarios.
Java Runtime version 1.7 or higher is required for running JBrute.

Muli-platform support (by Java VM)
Several hashing algorithms supported
Flexible chained hashes decryption (like MD5(SHA1(MD5())))
Both brute force and dictionary decryption methods supported
Build-In rule pre-processor for dictionary decryption
Multi-threading support for both brute force decryption and dictionary decryption

Supported algorithms:
MD5
MD4
SHA-256
SHA-512
MD5CRYPT
SHA1
ORACLE-10G
ORACLE-11G
NTLM
LM
MSSQL-2000
MSSQL-2005
MSSQL-2012
MYSQL-322
MYSQL-411
POSTGRESQL
SYBASE-ASE1502
INFORMIX-1170

Author: Gonzalo L. Camino
Icon Art: Ivan Zubillaga
Made in: Argentina

Syndicate content