Wifiphisher is a security tool that mounts automated phishing attacks against WiFi networks in order to obtain secret passphrases or other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.Wifiphisher works on Kali Linux and is licensed under the GPL license.
Two wireless network adapters; one capable of injection.
Crowbar (formally known as Levye) is a brute forcing tool that can be used during penetration tests. It was developed to brute force some protocols in a different manner according to other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH key(s). This allows for any private keys that have been obtained during penetration tests, to be used to attack other SSH servers.
Currently Crowbar supports:
OpenVPN (-b openvpn)
Remote Desktop Protocol (RDP) with NLA support (-b rdp)
SSH private key authentication (-b sshkey)
VNC key authentication (-b vpn)
WebSeekurity is a multi-platform tool that can be used to assess the security of Web applications that interact with a server via AMF/SOAP over HTTP. In particular, Adobe Flex applications can be audited thanks to this software.The tool acts as a client that can be used to communicate with the backend server to test. It enables to send requests to this server and to receive the corresponding responses. WebSeekurity attempts to discover and identify potential server-side vulnerabilities: weak authentication and authorization mechanisms, information leakage, vulnerability to SQL injections, etc.Several modes are proposed: Manual, Automatic and Fuzzing. The Manual mode enables to create a request from scratch. The Automatic mode is used to discover the services and methods made available by the application in an automated manner. Finally, fuzzing can be performed thanks to the last mode.WebSeekurity is released under the GNU GPLv2 license.
Python 2.7 (not compatible with Python 3.0 or greater)
Mini MySqlat0r is a multi-platform application used to audit web sites in order to discover and exploit SQL injection vulnerabilities. It is written in Java and is used through a user-friendly GUI that contains three distinct modules.
The Crawler modules allows the user to view the web site structure and gather all tamper able parameters. These parameters are then sent to the Tester module that tests all parameters for SQL injection vulnerabilities. If any are found, they are then sent to the Exploiter module that can exploit the injections to gather data from the database.
Mini MySqlat0r can be used on any platform running the Java environment and is distributed under licence GPL.
The Java runtime environment is necessary to use Mini MySqlat0r:
XSSploit is a multi-platform Cross-Site Scripting scanner and exploiter written in Python. It has been developed to help discovery and exploitation of XSS vulnerabilities in penetration testing missions.
When used against a website, XSSploit first crawls the whole website and identifies encountered forms. It then analyses these forms to automatically detect existing XSS vulnerabilities as well as their main characteristics.
The following elements are required by XSSploit:
wxPython GUI toolkit
LFI_Fuzzploit is a simple tool to help in the fuzzing for, finding,and exploiting local file inclusions in Linux based PHP applications. Using special encoding and fuzzing techniques lfi_fuzzploit will scan for some known and some not so known LFI filter bypasses and exploits using some advanced encoding/bypass methods to try to bypass security and achieve its goal which is ultimately, exploiting a Local file inclusion.In addition to LFI_fuzzploit's fuzzing and encoding techniques, it also has built in methods for LFI exploitation including /proc/self/environ shell exploit, File descriptor shell and LFI shell via log injection. LFI_fuzzploit injects code using different command injection functions in the event that certain functions are disabled. Coded by nullbyt3.
Veracrypt Password Cracker
This script will go through a list of passwords and try these against the specified volume. If succeeded, it will mount the partition.
Note: This project is currently only working under Python 3.x on Windows and Linux systems.
Note: No dependencies are needed, but VeraCrypt has to be installed.
Kadabra is a automatic Local File Inclusion (also known as LFI) Exploiter and Scanner, written in C++ and a couple extern module in Python.
Ronin is a Ruby platform for vulnerability research and exploit development. Ronin allows for the rapid development and distribution of code, Exploits, Payloads, Scanners, etc, via Repositories.
Ronin provides users with a powerful Ruby Console, pre-loaded with powerful convenience methods. In the Console one can work with data and automate complex tasks, with greater ease than the command-line.
Jack is a web based ClickJacking PoC development assistance tool.
Jack is web based and requires either a web server to serve its HTML and JS content or can be run locally. Typically something like Apache will suffice but anything that is able to serve HTML content to a browser will do. Simply download Jack's contents and open "index.html" with your browser locally and Jack is ready to go.